Tillbaka till svenska Fidonet
English   Information   Debug  
TRAPDOOR   0/19
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   33421
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33945
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41707
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13613
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16074
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3249
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13300
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
Möte VIRUS, 378 texter
 lista första sista föregående nästa
Text 284, 1093 rader
Skriven 2007-04-08 20:22:00 av KURT WISMER (1:123/140)
Ärende: News, April 8 2007
==========================
[cut-n-paste from sophos.com]

Name   W32/Spybot-NO

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Scans network for vulnerabilities

Prevalence (1-5) 2

Description
W32/Spybot-NO is a worm with IRC backdoor functionality for the 
Windows platform.

Advanced
W32/Spybot-NO is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Spybot-NO spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including RealVNC (CVE-2006-2369).

W32/Spybot-NO runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Spybot-NO copies itself to 
<System>\dllcache\upnt.exe.

The file upnt.exe is registered as a new system driver service named 
"Universal Printer NT Service", with a display name of "Universal 
Printer NT Service" and a startup type of automatic, so that it is 
started automatically during system startup. Registry entries are 
created under:

HKLM\SYSTEM\CurrentControlSet\Services\Universal Printer NT Service

W32/Spybot-NO sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N





Name   W32/Delfer-C

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Generic Downloader.d
    * Worm.Win32.Delf.br

Prevalence (1-5) 2

Description
W32/Delfer-C is a worm for the Windows platform.

W32/Delfer-C includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Delfer-C is a worm for the Windows platform.

W32/Delfer-C includes functionality to access the internet and 
communicate with a remote server via HTTP.

Upon execution W32/Delfer-C attempts to copy itself to the available 
C shares with the filename setup.exe. W32/Delfer-C also creates the 
file Autoexec.bat, this file maybe safely deleted.





Name   Troj/Renos-T

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Agent.bkd
    * Win32/Hoax.Renos.NAT

Prevalence (1-5) 2

Description
Troj/Renos-T is a downloader Trojan for the Windows platform.

Advanced
Troj/Renos-T is a downloader Trojan for the Windows platform.

Once installed, Troj/Renos-T will display fake system error and fake 
virus messages.





Name   Troj/QQPass-JDD

Type  
    * Spyware Trojan

How it spreads  
    * Web browsing

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry
    * Monitors browser activity
    * Installs adware

Aliases  
    * Win32.Troj.QQPass.dg

Prevalence (1-5) 2

Description
Troj/QQPass-JDD is a password stealing Trojan for the Windows platform.

Troj/QQPass-JDD can arrive as a result of web browsing. Visiting 
certain web sites may initiate the download process. Certain web 
pages may exploit vulnerabilities associated with Microsoft Internet 
Explorer to silently download and install/run the Trojan without user 
interaction.

Advanced
Troj/QQPass-JDD is a password stealing Trojan for the Windows platform.

Troj/QQPass-JDD can arrive as a result of web browsing. Visiting 
certain web sites may initiate the download process. Certain web 
pages may exploit vulnerabilities associated with Microsoft Internet 
Explorer to silently download and install/run the Trojan without user 
interaction.

When Troj/QQPass-JDD is installed the following files are typically 
created:

<Common Files>\Microsoft Shared\MSInfo\SysInfo1.dll
<Common Files>\System\icwres.ocx
<Common Files>\System\isignup.dll
<Common Files>\System\isignup.sys
<Windows>\winform.exe
<System>\winform.dll

Note: some of the above files will have the hidden and system 
attributes set.

The files icwres.ox and isignup.sy are detected seperately as 
Troj/QQSpy-Gen. The file SysInfo1.dl is detected seperately as 
Mal/QQPass-B.

The following registry entry is created to run winform.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winform
<Windows>\winform.exe

The file SysInfo1.dll is registered as a COM object and ShellExecute 
hook, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHoo
ks
HKCR\CLSID\{7F4D1081-25FD-44F5-99C6-FF271CFB7EC2}

Registry entries are created under:

HKCU\Software\Microsoft\qqjdd





Name   W32/Chinegan-A

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Scans network for vulnerabilities
    * Scans network for weak passwords

Aliases  
    * Backdoor.Win32.Agent.aly
    * Win32/AGbot

Prevalence (1-5) 2

Description
W32/Chinegan-A is a worm for the Windows platform.

Advanced
W32/Chinegan-A is a worm for the Windows platform.

W32/Chinegan-A spreads to other network computers by exploiting 
Symantec (SYM06-010) and by copying itself to network shares 
protected by weak passwords.

W32/Chinegan-A includes the following functionality:

- Download and execute code from a remote server via HTTP
- File transfers using FTP
- Exploits VNC servers with weak or no passwords
- Automatically adds itself to Windows Firewall Policy

When first run W32/Chinegan-A copies itself to:

<Program Files>\Common Files\inst32\inst32.exe

and creates the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\inst32

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INST32

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\StandardProfile\AuthorizedApplications\List\<Program 
Files>\Common Files\inst32
inst32.exe
<Program Files>\Common Files\inst32\inst32.exe:*:Enabled:inst32





Name   W32/Looked-CZ

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Looked-CZ is a virus and network worm for the Windows platform.

Advanced
W32/Looked-CZ is a virus and network worm for the Windows platform.
          
W32/Looked-CZ infects files found on the local computer. 
W32/Looked-CZ also copies itself to remote network shares and may 
infect files found on those shares.
            
W32/Looked-CZ includes functionality to access the internet and 
communicate with a remote server via HTTP. W32/Looked-CZ may attempt 
to download and execute additional files from a remote location.
            
When first run W32/Looked-CZ drops the file <Windows>\RichDll.dll 
which is also detected as W32/Looked-CZ.
            
W32/Looked-CZ may also create many files with the name "_desktop.ini" 
in various folders on the infected computer. These files are harmless 
text files and can be deleted.





Name   W32/Vanebot-AK

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Scans network for vulnerabilities
    * Scans network for weak passwords

Prevalence (1-5) 2

Description
W32/Vanebot-AK is a worm with IRC backdoor functionality for the 
Windows platform.

Advanced
W32/Vanebot-AK is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Vanebot-AK spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS (MS04-011), 
SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1 
(MS04-007), RealVNC (CVE-2006-2369) and Symantec (SYM06-010).

W32/Vanebot-AK runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Vanebot-AK includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Vanebot-AK copies itself to <System>\system.exe.

The file system.exe is registered as a new system driver service 
named "SYSTEMSVC", with a display name of "Windows System Service" 
and a startup type of automatic, so that it is started automatically 
during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\SYSTEMSVC

W32/Vanebot-AK sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center





Name   Troj/Dloadr-AWT

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * BackDoor-DJD.dldr

Prevalence (1-5) 2

Description
Troj/Dloadr-AWT is a downloading Trojan for the Windows platform.

Advanced
Troj/Dloadr-AWT is a downloading Trojan for the Windows platform.

Troj/Dloadr-AWT will attempt to download the file sysdrv.exe to the 
shell folder defined by the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Common Templates

Troj/Dloadr-AWT will then execute the downloaded file.





Name   W32/Rbot-GLK

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Downloads updates
    * Enables remote access
    * Scans network for vulnerabilities
    * Scans network for weak passwords

Aliases  
    * Backdoor.Win32.IRCBot.wt

Prevalence (1-5) 2

Description
W32/Rbot-GLK is a network worm with IRC backdoor functionality for 
the Windows platform.

Advanced
W32/Rbot-GLK is a network worm with IRC backdoor functionality for 
the Windows platform.

W32/Rbot-GLK spreads by exploiting common network vulnerabilities.

W32/Rbot-GLK allows a remote attacker to gain access and control over 
the infected computer using IRC channels.

When first run W32/Rbot-GLK copies itself to <System>\algose32.exe 
and creates the following registry entries to run algose32.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Offices Monitorse
<System>\algose32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Offices Monitorse
<System>\algose32.exe

W32/Rbot-GLK sets the following registry entries in order to secure 
the infected computer against further exploits:

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous
1





Name   Troj/PWS-AME

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/PWS-AME is a password stealing Trojan for the Windows platform.

Advanced
Troj/PWS-AME is a password stealing Trojan for the Windows platform.

When first run Troj/PWS-AME copies itself to <Windows>\mppds.exe and 
creates the file <System>\mppds.dll.

The file mppds.dll is detected as Troj/PWS-AKZ.

The following registry entry is created to run mppds.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
mppds
<Windows>\mppds.exe





Name   W32/Delbot-AF

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * W32/Nirbot.worm

Prevalence (1-5) 2

Description
W32/Delbot-AF is a worm for the Windows platform with IRC backdoor 
functionality.

W32/Delbot-AF runs continuously in the background, providing a 
backdoor service through which a remote user can access the computer.

Advanced
W32/Delbot-AF is a worm for the Windows platform with IRC backdoor 
functionality.

W32/Delbot-AF runs continuously in the background, providing a 
backdoor service through which a remote user can access the computer.

W32/Delbot-AF spreads
 - to computers vulnerable to common exploits, including: RPC-DCOM 
(MS04-012) and Symantec (SYM06-010)
 - to MSSQL servers protected by weak passwords
 - to network shares

W32/Delbot-AF includes functionality to download, install and run new 
software.

When first run W32/Delbot-AF copies itself to <System>\stdafx.exe and 
downloads the file \ertg.exe

The following registry entry is created to run stdafx.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
StdAFX
<System>\stdafx.exe





Name   Troj/Hiphop-G

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Agent.pn
    * TSPY_AGENT.JPI

Prevalence (1-5) 2

Description
Troj/Hiphop-G is a data stealing Trojan for the Windows platform.

Advanced
Troj/Hiphop-G is a data stealing Trojan for the Windows platform.

Troj/Hiphop-G includes functionality to silently download, install 
and run new software.

When Troj/Hiphop-G is installed the following files are created:

<Windows>\mywinsys.ini
<System>\AlxRes070307.exe
<System>\scrsys070307.scr
<System>\scrsys16_070307.scr
<System>\winsys16_070307.dll
<System>\winsys32_070307.dll

The following registry entry is created to run code exported by 
winsys16_070307.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,rundll32.exe <System>\winsys16_070307.dll start





Name   W32/Lovgate-AL

Type  
    * Worm

How it spreads  
    * Network shares
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Lovgate-AL is a worm with backdoor functionality that spreads via 
email, network shares with weak passwords and filesharing networks.

Advanced
W32/Lovgate-AL is a worm with backdoor functionality that spreads via 
email, network shares with weak passwords and filesharing networks.

W32/Lovgate-AL may arrive in the email with various characteristics.

When executed W32/Lovgate-AL creates a background process with the 
name LSASS.EXE, copies itself to the Windows system folder, sets 
registry entries, extracts a backdoor component as a DLL file, 
harvests email addresses from *.ht files and sends itself out as an 
email.

W32/Lovgate-AL copies itself to available share folders and 
subfolders for filesharing networks with a filename chosen from:

Are you looking for Love.doc.exe
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe





Name   Troj/Dazed-A

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information

Aliases  
    * Possible_Infostl

Prevalence (1-5) 2

Description
Troj/Dazed-A is a Trojan component for the Windows platform.

Advanced
Troj/Dazed-A is a Trojan component for the Windows platform.

Troj/Dazed-A includes functionality to
  take screenshots
  log network traffic

  
  
  
  
Name   W32/Rbot-GLQ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Prevalence (1-5) 2

Description
W32/Rbot-GLQ is a worm for the Windows platform with IRC backdoor 
functionality.

W32/Rbot-GLQ runs continuously in the background providing a backdoor 
service through which a remote user can access the computer.

Advanced
W32/Rbot-GLQ is a worm for the Windows platform with IRC backdoor 
functionality.

W32/Rbot-GLQ runs continuously in the background providing a backdoor 
service through which a remote user can access the computer.

W32/Rbot-GLQ spreads
 - to computers vulnerable to common exploits, including: IMAIL 
Server, ASN.1 (MS04-007) and Symantec (SYM06-010)
 - to network shares protected by weak passwords

When first run W32/Rbot-GLQ copies itself to <System>\wuauclt12.exe 
and creates the following registry entries in order to run on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Xordate
wuauclt12.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Xordate
wuauclt12.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Xordate
wuauclt12.exe





Name   Troj/Wheezer-A

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.Small.mg

Prevalence (1-5) 2

Description
Troj/Wheezer-A is a Trojan for the Windows platform.

Troj/Wheezer-A includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Wheezer-A runs continuously in the background, monitoring 
browser activity and collecting password information.

Advanced
Troj/Wheezer-A is a Trojan for the Windows platform.

Troj/Wheezer-A includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Wheezer-A runs continuously in the background, monitoring 
browser activity and collecting password information.

Troj/Wheezer-A steals credentials for:

- POP3
- HTTPMail
- Protected Storage
- MSN Explorer signup
- IE Auto Complete fields
- Auto Complete passwords
- Password protected sites in Internet Explorer
- Outlook Express (including deleted accounts)
- Accounts stored in the Internet Account Managed

When first run Troj/Wheezer-A copies itself to <System>\<worm 
filename>.exe.

Troj/Wheezer-A creates registry entries under this path to start as a 
service:

HKLM\SYSTEM\CurrentControlSet\Services\<random name>SVC





Name   Troj/Bckdr-QHH

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Bckdr-QHH is a Trojan for the Windows platform.

Advanced
Troj/Bckdr-QHH is a Trojan for the Windows platform.

When first run Troj/Bckdr-QHH copies itself to:

<System>\webpnt.exe
<System>\webprint.exe

The file webprint.exe is registered as a new system driver service 
named "WebPrint", with a display name of "WebPrint" and a startup 
type of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\WebPrint





Name   Troj/Lydra-AB

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Steals information
    * Uses its own emailing engine
    * Records keystrokes
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Lydra-AB is a Trojan for the Windows platform.

The Trojan has the functionalities to:
 - steal information
 - communicate with a remote server via email

Advanced
Troj/Lydra-AB is a Trojan for the Windows platform.

The Trojan has the functionalities to:
 - steal information
 - communicate with a remote server via email

When Troj/Lydra-AB is installed the following files are created:

<Startup>\AdobeGammaLoader.scr
<Windows>\calc.exe
<Windows>\lsassv.exe
<Windows>\msrpc.exe
<Windows>\mui\rctfd.sys
<Windows>\regedit2.exe
<Windows>\winsys.exe

The Trojan renames the file <Windows>\regedit.exe to 
<Windows>\regedit2.exe and copies itself to <Windows>\regedit.exe.

The following registry entries are created to run lsassv.exe, 
msrpc.exe and winsys.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
winsys
<Windows>\winsys.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
msrpc
<Windows>\msrpc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
lsassv
<Windows>\lsassv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winsys
<Windows>\winsys.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
winsys
<Windows>\winsys.exe

The file winsys.exe is registered as a new system driver service 
named "winsys", with a display name of "TCPIP route manager" and a 
startup type of automatic, so that it is started automatically during 
system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\winsys

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\
StandardProfile\AuthorizedApplications\List
<pathname of the Trojan executable>
<Current Folder>\<original filename>:*:Enabled:System Update

The following registry entry is also set:

HKCR\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\





Name   W32/Virut-J

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Aliases  
    * Virus.Win32.Cheburgen.9272

Prevalence (1-5) 2

Description
W32/Virut-J is a virus for the Windows platform.





Name   W32/Dref-AF

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine

Prevalence (1-5) 2

Description
W32/Dref-AF is an email worm for the Windows platform.

Advanced
W32/Dref-AF is an email worm for the Windows platform.

W32/Dref-AF harvests email addresses from the infected computer and 
attempts to send itself to them, though due to a bug in the code will 
usually send a file detected as W32/Dref-Dam.

W32/Dref-AF tries to send itself in an email from <random 
name>@yahoo.com with the following characteristics:

Subject line (one of the following):

  Iran Just Have Started World War III
  USA Just Have Started World War III
  Israel Just Have Started World War III
  Missle Strike: The USA kills more then 10000 Iranian citizens
  Missle Strike: The USA kills more then 1000 Iranian citizens
  Missle Strike: The USA kills more then 20000 Iranian citizens
  USA Missle Strike: Iran War just have started
  USA Declares War on Iran

Attachment filename (one of the following):

  Video.exe
  News.exe
  Movie.exe
  Read Me.exe
  Click Me.exe
  Click Here.exe
  Read More.exe
  More.exe

W32/Dref-AF attempts to drop a file with an EXE extension and a 
random 7-letter filename to the same folder as itself. This file is 
already detected as W32/Dref-AB.

W32/Dref-AF deletes the following registry entry to stop the file 
referenced from running on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Agent

W32/Dref-AF sets the following registry entry, disabling the 
automatic startup of the SharedAccess service:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

W32/Dref-AF terminates processes certain processes and windows 
related to security and anti-virus applications, including windows 
names "Registry Editor".

 
--- MultiMail/Win32 v0.43
 * Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)