Text 289, 1136 lines
Written 2007-04-22 17:24:00 by KURT WISMER
Subject: News, April 22 2007
===========================
[cut-n-paste from sophos.com]
Name W32/Jambu-A
Type
* Worm
How it spreads
* Removable storage devices
* Email messages
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Forges the sender's email address
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Jambu-A is a mass mailer for the Windows platform that also
targets peer-to-peer file sharing networks and local shares.
Advanced
W32/Jambu-A is a mass mailer for the Windows platform that also
targets peer-to-peer file sharing networks and local shares.
W32/Jambu-A may arrive via email with variable subjects, messages and
attachment names.
When executed W32/Jambu-A copies itself to the following locations:
<System>\w32sys.exe
<System>\Flash_8_Player.exe
<System>\6666.com
<System>\Flash Player.exe
<Shared>\MSN.msn
<Shared>\AVRSYS.EXE
<Start>\Flash Games.exe
<Start>\<random>.exe
W32/Jambu-A also spreads via removable shared drives by creating the
file autorun.inf and a copy of the worm to Macromedia_Setup.exe on
the removable drive. The file autorun.inf is subsequently set to run
the worm component upon connecting the removable drive to another
computer.
The following registry entries are created:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
W32SYS
<System>\w32sys.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Macromedia 8
<System>\Flash Player.exe
Registry entries are modified under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1
HKCU\Software\Microsoft\Windows\System
DisableCMD
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
Shell
Explorer.exe"<System>\6666.com
Name W32/Rbot-GMB
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.bwe
Prevalence (1-5) 2
Description
W32/Rbot-GMB is a worm with IRC backdoor functionality for the
Windows platform.
Advanced
W32/Rbot-GMB is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-GMB runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-GMB copies itself to <System>\wuauclt14.exe.
The following registry entries are created to run wuauclt14.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
StreamAppliance
wuauclt14.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
StreamAppliance
wuauclt14.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
StreamAppliance
wuauclt14.exe
Name W32/Rbot-GMF
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Enables remote access
* Scans network for vulnerabilities
* Scans network for weak passwords
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-GMF is a worm and IRC backdoor Trojan for the Windows
platform.
Advanced
W32/Rbot-GMF is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-GMF spreads:
- by copying itself to network shares protected by weak passwords
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), SRVSVC (MS06-040),
RPC-DCOM (MS04-012), Veritas (CAN-2004-1172), ASN.1 (MS04-007),
RealVNC (CVE-2006-2369) and Symantec (SYM06-010)
- to other network computers infected with certain types of malware
W32/Rbot-GMF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-GMF includes functionality to:
- steal confidential information
- carry out DDoS flooder attacks
- disable other software, including anti-virus, firewall and
security related applications
When first run W32/Rbot-GMF copies itself to <System>\alserv32.exe.
Name W32/Alman-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Alman-A is a virus for the Windows platform.
Advanced
W32/Alman-A is a virus for the Windows platform.
W32/Alman-A searches for and infects files with EXE extension.
When first run W32/Alman-A creates the following files:
<Windows>\linkinfo.dll
<system>\DKIS6.sys
These files are detected as Troj/NtRootk-BN.
Name Troj/Dokum-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Drops more malware
* Installs itself in the Registry
* Monitors browser activity
Prevalence (1-5) 2
Description
Troj/Dokum-B is a Trojan for the Windows platform.
Advanced
Troj/Dokum-B is a Trojan for the Windows platform.
When Troj/Dokum-B is installed the following files are created:
<Root>\sys.flat2\smrtknsetupper.exe - detected as Troj/Dokum-B
<Root>\sys.flat2\svchost.exe - detected as Troj/Dokum-B
<System>\drivers\etc\smrtkn2\svchost.exe - detected as Troj/Dokum-B
<Root>\sys.flat2\Dokuman.txt - not malicious and can be safely removed
<Root>\sys.flat2\reg.exe - not malicious and can be safely removed
<System>\drivers\etc\smrtkn2\reg.exe - not malicious and can be
safely removed
When run Troj/Dokum-B opens the file Dokuman.txt using NOTEPAD.EXE.
Troj/Dokum-B includes functionality to modify the HOSTS file to
reroute the addresses of banking websites to a remote IP address.
The following registry entry is created to run Troj/Dokum-B on startup:
Registry entries are created under:
HKCU\Software\WinRAR SFX
Name W32/Delbot-AI
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Scans network for vulnerabilities
Aliases
* W32.Rinbot.A
* Backdoor.Win32.VanBot.bx
* W32/Nirbot.worm
Prevalence (1-5) 2
Description
W32/Delbot-AI is an IRC worm with backdoor functionality which allows
a remote intruder to gain access and control over the computer.
Advanced
W32/Delbot-AI is an IRC worm with backdoor functionality which allows
a remote intruder to gain access and control over the computer.
W32/Delbot-AI includes functionality to download, install and run new
software.
W32/Delbot-AI spreads to other network computers by:
- scanning network shares for weak passwords
- exploiting common buffer overflow vulnerabilities, including
Symantec (SYM06-010).
- Microsoft Security Advisory (935964): Vulnerability in RPC on
Windows DNS Server Could Allow Remote Code Execution.
When first run W32/Delbot-AI copies itself to <System>\mdnex.exe. The
following registry entry is created to run it on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft DNSx
<System>\mdnex.exe
Name W32/Delbot-AJ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Scans network for vulnerabilities
* Scans network for weak passwords
* Scans network for open ports
Aliases
* Backdoor.Win32.IRCBot.aba
* W32/Nirbot.worm!RpcDns
Prevalence (1-5) 2
Description
W32/Delbot-AJ is a worm with backdoor functionality for the Windows
platform.
W32/Delbot-AJ spreads to other network computers by:
- Scanning network shares for weak passwords
- Exploiting common buffer overflow vulnerabilities
- Symantec (SYM06-010)
- Microsoft Security Advisory (935964): Vulnerability in RPC on
Windows DNS Server Could Allow Remote Code Execution.
Advanced
W32/Delbot-AJ is a worm with backdoor functionality for the Windows
platform.
W32/Delbot-AJ spreads to other network computers by:
- Scanning network shares for weak passwords
- Exploiting common buffer overflow vulnerabilities
- Symantec (SYM06-010)
- Microsoft Security Advisory (935964): Vulnerability in RPC on
Windows DNS Server Could Allow Remote Code Execution.
W32/Delbot-AJ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Delbot-AJ includes functionality to download, install and run new
software.
When first run W32/Delbot-AJ copies itself to <System>\mozila.exe and
attempts to download a file to <Root>\radi.exe. At the time of
writing, the download was not available.
The following registry entry is created to run mozila.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mozila
<System>\mozila.exe
Name W32/Delbot-AK
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Scans network for vulnerabilities
* Scans network for weak passwords
* Scans network for open ports
Prevalence (1-5) 2
Description
W32/Delbot-AK is a worm with backdoor functionality for the Windows
platform.
W32/Delbot-AK spreads to other network computers by:
- Scanning network shares for weak passwords
- Exploiting common buffer overflow vulnerabilities
- Symantec (SYM06-010)
- Microsoft Security Advisory (935964): Vulnerability in RPC on
Windows DNS Server Could Allow Remote Code Execution.
Advanced
W32/Delbot-AK is a worm with backdoor functionality for the Windows
platform.
W32/Delbot-AK spreads to other network computers by:
- Scanning network shares for weak passwords
- Exploiting common buffer overflow vulnerabilities
- Symantec (SYM06-010)
- Microsoft Security Advisory (935964): Vulnerability in RPC on
Windows DNS Server Could Allow Remote Code Execution.
When first run W32/Delbot-AK copies itself to <System>\ntoepad.exe
and attempts to download and execute a file from a remote location to
<Root>\radi.exe. At the time of writing, this file was unavailable
for download.
The following registry entry is created to run ntoepad.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Notepad
<System>\ntoepad.exe
Name W32/Delbot-AL
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Delbot-AL is a worm with backdoor functionality for the Windows
platform.
Advanced
W32/Delbot-AL is a worm with backdoor functionality for the Windows
platform.
W32/Delbot-AL spreads to other network computers by scanning network
shares for weak passwords, and by exploiting common buffer overflow
vulnerabilities, including:
- Symantec (SYM06-010)
- Microsoft Security Advisory (935964): Vulnerability in RPC on
Windows DNS Server Could Allow Remote Code Execution.
W32/Delbot-AL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer, and includes functionality to download,
install and run new software.
When first run W32/Delbot-AL copies itself to <System>\cnen.exe and
attempts to download a file to <Root>\site.exe. At the time of
writing this downloaded file is detected as Troj/Delback-B.
The following registry entry is created to run cnen.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nClient
<System>\cnen.exe
Name W32/Agobot-AHZ
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Scans network for vulnerabilities
* Scans network for weak passwords
Prevalence (1-5) 2
Description
W32/Agobot-AHZ is a worm with backdoor functionality which allows a
remote intruder to gain access and control over the computer.
Advanced
W32/Agobot-AHZ is a worm with backdoor functionality which allows a
remote intruder to gain access and control over the computer.
W32/Agobot-AHZ spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including:
LSASS (MS04-011)
SRVSVC (MS06-040)
RPC-DCOM (MS04-012)
WKS (MS03-049) (CAN-2003-0812)
WebDav (MS03-007)
UPNP (MS01-059)
Dameware (CAN-2003-1030)
When first run W32/Agobot-AHZ copies itself to <System>\nundll32.exe.
The following registry entries are created to run nundll32.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Installshield
nundll32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Installshield
nundll32.exe
Name W32/SillyFDC-Y
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/SillyFDC-Y is a worm for the Windows platform.
Advanced
W32/SillyFDC-Y is a worm for the Windows platform.
When run W32/SillyFDC-Y copies itself to
<Windows>\WinLogon.exe
<Program Files>\Windows NT\lsass.exe
<LocalService>\services.exe
<System>\Drivers\smss.exe
The following registry entry is created to run WinLogon.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinLogon
<Windows>\WinLogon.exe
W32/SillyFDC-Y attempts to periodically copy itself to removable
drives, including floppy drives and USB keys. The worm will attempt
to create a hidden file Autorun.inf on the removable drive and copy
itself to the following locations on the removable drive:
Recycler.exe
<Random>.exe
service.exe
game.exe
Gwen(ISU) Scandal.exe
Sex Video.exe
Winlogon.exe
smss.exe
The file Autorun.inf is designed to start the Recycler.exe once the
removable drive is connected to an uninfected computer.
Name W32/ExDns-Fam
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/ExDns-Fam is a family of worms for the Windows platform.
Advanced
W32/ExDns-Fam is a family of worms for the Windows platform.
Typical members of W32/ExDns-Fam run continuously in the background,
providing a backdoor server which allows a remote intruder to gain
access and control over the computer, and include functionality to
download, install and run new software.
Members of W32/ExDns-Fam typically spread to other network computers
by scanning network shares for weak passwords, and by exploiting
common buffer overflow vulnerabilities, including:
- Symantec (SYM06-010)
- Microsoft Security Advisory (935964): Vulnerability in RPC on
Windows DNS Server Could Allow Remote Code Execution.
Name Troj/DllLoad-C
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/DllLoad-C is a Trojan DLL loader for the Windows platform.
Advanced
Troj/DllLoad-C is a Trojan DLL loader for the Windows platform.
Once installed Troj/DllLoad-C creates a service named "svcmngr" with
the display name "Services Manager" so as to run itself on computer
logon. Troj/DllLoad-C may also create the following files:
<Windows>\Config\config.exe - detected as Troj/DllLoad-C
<Windows>\Config\dhcp.dll
<Windows>\Config\log.dll
Troj/DllLoad-C attempts to load the configuration file DHCP.DLL which
determines which DLL is to be loaded. DHCP.DLL is a non-malicious
configuration file.
The Trojan may also attempt to steal user credentials and passwords,
which it will store in log.dll. This file may be deleted.
Name W32/Anis-F
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Anis-F is a worm for the Windows platform.
Advanced
W32/Anis-F is a worm for the Windows platform.
The worm has functionality to download code from a remote server.
W32/Anis-F spreads by copying itself with the filename ie.exe to
removable drives.
In order to make sure that the file ie.exe is executed on drive
access W32/Anis-F creates the file autorun.inf.
When first run W32/Anis-F copies itself to <Program Files>\Internet
Explorer\iexp1ore.exe and creates the following files that can be
safely removed:
<User>\Application Data\Microsoft\Internet Explorer\Quick
Launch\Internet Explorer.lnk
<Desktop>\Internet Explorer.lnk
<Program Files>\Internet Explorer\IEKey.dll
<Program Files>\Internet Explorer\IEdate.dll
The file IEKey.dll is a text file that contains the full path to the
worm executable.
The file IEdate.dll is also a text file.
Name Troj/BankDL-CD
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/BankDL-CD is a downloader Trojan for the Windows platform.
The Trojan includes functionality to access the internet and
communicate with a remote server via HTTP.
Name Troj/Agent-EOA
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Agent-EOA is a Trojan for the Windows platform.
Advanced
Troj/Agent-EOA is a Trojan for the Windows platform.
When first run Troj/Agent-EOA copies itself to <Windows>\mppds.exe
and creates the file <System>\mppds.dll.
The file mppds.dll is detected as Mal/DllHook-A.
The following registry entry is created to run mppds.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
mppds
<Windows>\mppds.exe
Name W32/Looked-DB
Type
* Virus
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Installs itself in the Registry
Aliases
* W32/HLLP.Philis.jn
* Worm.Win32.Viking.kr
* Win32/Viking.CH
Prevalence (1-5) 2
Description
W32/Looked-DB is a prepending virus and network worm for the Windows
platform.
Advanced
W32/Looked-DB is a prepending virus and network worm for the Windows
platform.
W32/Looked-DB spreads by infecting Windows executable files on the
computer and copying itself to network shares.
W32/Looked-DB attempts to turn off anti-virus applications.
When W32/Looked-DB is installed the following files are created:
<Windows>\Logo1_.exe
<Windows>\uninstall\rundl132.exe
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
Name W32/Nujama-A
Type
* Worm
How it spreads
* Network shares
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Deletes files off the computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* W32/Nujama.worm!p2p
* Win32/Nujama.A
* WORM_NUJAMA.A
Prevalence (1-5) 2
Description
W32/Nujama-A is a worm for the Windows platform.
Advanced
W32/Nujama-A is a worm for the Windows platform.
W32/Nujama-A spreads through network shares, common P2P applications
and removable shared drives.
When first run W32/Nujama-A copies itself to <Root>\Datos de
<Computer Name>.exe.
W32/Nujama-A also attempts to overwrite files on the infected
computer with copies of itself and also to P2P shared folders as any
of the following filenames:
\ACDSee 5.5.exe
\AOL Instant Messenger.exe
\AVP Antivirus Pro Key Crack.exe
\Age of Empires 2 crack.exe
\Ana Kournikova Sex Video.exe
\Animated Screen 7.0b.exe
\AquaNox2 Crack.exe
\Audiograbber 2.05.exe
\BabeFest 2007 ScreenSaver 1.5.exe
\Babylon 3.50b reg_crack.exe
\Battlefield1942_bloodpatch.exe
\Battlefield1942_keygen.exe
\Britney Spears Sex Video.exe
\Buffy Vampire Slayer Movie.exe
\Business Card Designer Plus 7.9.exe
\Clone CD 9.0.0.3 (crack).exe
\Clone CD 9.0.0.3.exe
\Coffee Cup Free zip 7.0b.exe
\Cool Edit Pro v2.55.exe
\Crack Passwords Mail.exe
\Crackeador de TODOS los programas.exe
\Credit Card Numbers generator(incl Visa,MasterCard,...).exe
\Cristina Aguilera Sex Video.exe
\DVD Copy Plus v5.0.exe
\DVD Region-Free 2.3.exe
\Diablo 2 Crack.exe
\DirectDVD 5.0.exe
\DirectX Buster (all versions).exe
\DirectX InfoTool.exe
\DivX Video Bundle 6.5.exe
\Download Accelerator Plus 6.1.exe
\Edonkey2000-Speed me up scotty.exe
\El rey de los huevones full divx - comprimida.exe
\FIFA2004 crack.exe
\Final Fantasy VII XP Patch 1.5.exe
\Flash MX crack (trial).exe
\FlashGet 1.5.exe
\FreeRAM XP Pro 1.9.exe
\GTA 3 Crack.exe
\GTA 3 Serial.exe
\Game Cube Real Emulator.exe
\GetRight 5.0a.exe
\Global DiVX Player 3.0.exe
\Gothic2 licence.exe
\Guitar Chords Library 5.5.exe
\Hentai Anime Girls Movie.exe
\Hitman_2_no_cd_crack.exe
\Hot Babes XXX Screen Saver.exe
\HotGirls.exe
\Hotmail Hacker 2007-Xss Exploit.exe
\ICQ Pro 2007a.exe
\ICQ Pro 2007b (new beta).exe
\IrfanView 4.5.exe
\Jenifer Lopez Sex Video.exe
\KaZaA Hack 2.5.0.exe
\KaZaA Speedup 3.6.exe
\Kazaa SDK + Xbit speedUp for 2.xx.exe
\Links 2007 Golf game (crack).exe
\Living Waterfalls 1.3.exe
\MSN Messenger 8.2.exe
\Macromedia all software key generator.exe
\Mafia_crack.exe
\Matrix Movie.exe
\Matrix Screensaver 1.5.exe
\Mcafee Antivirus Scan Crack.exe
\MediaPlayer Update.exe
\Metodo crackear hotmail actualizado 30-09-2006.exe
\Microsoft KeyGenerator-Allmost all microsoft stuff.exe
\Mision imposible 3 Game.exe
\NBA2007_crack.exe
\NHL 2004 crack.exe
\Need 4 Speed Most Wanted Full With Crack.exe
\Need 4 Speed crack.exe
\Nero Burning ROM crack.exe
\Netbios Nuker 2004.exe
\Netfast 1.8.exe
\Network Cable e ADSL Speed 2.0.5.exe
\Nimo CodecPack (new) 8.0.exe
\Norton Anvirus Key Crack.exe
\PS2 PlayStation Simulator.exe
\PalTalk 5.01b.exe
\Panda Antivirus Titanium Crack.exe
\PerAntivirus 8.9.exe
\Pop-Up Stopper 3.5.exe
\Popup Defender 6.5.exe
\Quick Time Key Crack.exe
\QuickTime_Pro_Crack.exe
\Sakura Card Captor Movie.exe
\Samsung ALL models unlocker.exe
\Screen saver christina aguilera naked.exe
\Screen saver christina aguilera.exe
\Security-2007-Update.exe
\Serials 2004 v.8.0 Full.exe
\Sex Live Simulator.exe
\Sex Passwords.exe
\SmartFTP 2.0.0.exe
\SmartRipper v2.7.exe
\Space Invaders 1978.exe
\Spiderman Movie.exe
\Splinter_Cell_Crack.exe
\Starcraft serial.exe
\Start Wars Trilogy Movies.exe
\Steinberg_WaveLab_5_crack.exe
\Stripping MP3 dancer+crack.exe
\Thalia Sex Video.exe
\The Hacker Antivirus 5.7.exe
\Trillian 0.85 (free).exe
\TweakAll 3.8.exe
\UT2004_bloodpatch.exe
\UT2004_keygen.exe
\UT2004_no cd (crack).exe
\UT2004_patch.exe
\UT2007 full & crack.exe
\Unreal2_bloodpatch.exe
\Unreal2_crack.exe
\Virtua Girl (Full).exe
\VirtualSex.exe
\Visual Basic 6.0 Msdn Plugin.exe
\Visual basic 6.exe
\WarCraft_3_crack.exe
\WinOnCD 4 PE_crack.exe
\WinRar 3.xx Password Cracker.exe
\WinZip 9.0b.exe
\WinZipped Visual C++ Tutorial.exe
\Winamp 7.8.exe
\WindowBlinds 4.0.exe
\Windows Stearter Edition crack.exe
\Windows XP complete + serial.exe
\Windows Xp Exploit.exe
\Winzip KeyGenerator Crack.exe .exe
\XNuker 2004 2.93b.exe
\Yahoo Messenger 6.0.exe
\Zelda Classic 2.00.exe
\all microsoft software keygenerator.exe
\aol cracker.exe
\aol password cracker.exe
\cable modem ultility pack.exe
\counter-strike.exe
\cracker to ALL software.exe
\delphi.exe
\divx pro.exe
\divx_pro.exe
\hotmail_hack.exe
\iMesh 3.6.exe
\iMesh 3.7b (beta).exe
\mIRC 6.40.exe
\macromedia dreamweaver key generator.exe
\mp3Trim PRO 2.5.exe
\pamela_anderson.exe
\play station one two and three emulator.exe
\serials2007.exe
\subseven.exe
\vb6.exe
\virtua girl - adriana.exe
\virtua girl - bailey short skirt.exe
\warcraft 3 crack.exe
\warcraft 3 serials.exe
\winamp plugin pack.exe
\winzip full version key generator.exe
\xbox360 emulator.exe
The worm also creates the following files:
<Root>\Inetpub\mailroot\Badmail\000853316172004200700000001.BDP
<Root>\Inetpub\mailroot\Badmail\000853316172004200700000001.BDR
<Windows>\Web\Folder.htt
<System>\oeminfo.ini
The following registry entry is created to run SystemMonitor.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sysmon
<System>\SystemMonitor.exe
The following registry entry is set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
Registry entries are created under:
HKCU\Software\Microsoft\Windows
Name W32/Delf-ESX
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Worm.Win32.Delf.bs
* W32/Downloader-WebExe-based!Maximus
Prevalence (1-5) 2
Description
W32/Delf-ESX is an internet worm for the Windows platform.
Advanced
W32/Delf-ESX is an internet worm for the Windows platform.
W32/Delf-ESX spreads by copying itself to network shares.
W32/Delf-ESX includes functionality to download files from
preconfigured URLs and execute them.
When first run W32/Delf-ESX moves itself to <System>\servet.exe.
The file servet.exe is registered as a new service named
"WindowsDown", with a display name of "Windows SystemDown". Registry
entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\WindowsDown\
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
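
Added example (not part of the original message or of the Sophos descriptions): several entries above persist through Run-key values whose file names imitate Windows binaries (wuauclt14.exe, ntoepad.exe, nundll32.exe, rundl132.exe) or reuse a real name in the wrong folder (<Windows>\WinLogon.exe). The Python below triages exported Run values for both patterns. The KNOWN table, the C:\Windows layout, the distance threshold and the sample entries are assumptions constructed from the names on this page.

```python
import ntpath
import re

SYS32 = r"c:\windows\system32"
# Assumption: default install under C:\Windows; extend the table for your estate.
KNOWN = {
    "explorer.exe": {r"c:\windows"},
    "notepad.exe": {r"c:\windows", SYS32},
    "rundll32.exe": {SYS32},
    "winlogon.exe": {SYS32},
    "lsass.exe": {SYS32},
    "services.exe": {SYS32},
    "smss.exe": {SYS32},
    "svchost.exe": {SYS32},
    "wuauclt.exe": {SYS32},
}
MAX_DISTANCE = 2  # assumption: tune against your own baseline
MIN_STEM = 6      # no fuzzy matching against short names such as smss (too noisy)

IMAGE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|scr|bat|pif)))(?=\s|$)', re.I)


def image_path(command):
    """Return the executable part of a Run value, dropping any arguments."""
    m = IMAGE.match(command)
    return (m.group(1) or m.group(2)) if m else command.strip()


def edit_distance(a, b):
    """Plain Levenshtein distance (a transposition counts as 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(command):
    """Return (verdict, matched_name); verdict is ok, misplaced or lookalike."""
    folder, name = ntpath.split(ntpath.normcase(image_path(command)))
    if name in KNOWN:
        # A bare name has no folder to check; it resolves via the search path.
        if folder and folder not in KNOWN[name]:
            return ("misplaced", name)
        return ("ok", None)
    stem = ntpath.splitext(name)[0]
    for good in KNOWN:
        good_stem = ntpath.splitext(good)[0]
        if len(good_stem) >= MIN_STEM and edit_distance(stem, good_stem) <= MAX_DISTANCE:
            return ("lookalike", good)
    return ("ok", None)


def scan(entries):
    """Return (value_name, command, verdict, matched_name) for flagged entries."""
    return [(n, c) + classify(c) for n, c in entries if classify(c)[0] != "ok"]


# Constructed sample: Run values from this page with <System>/<Windows> expanded
# to an assumed C:\WINDOWS layout, plus one benign control entry (ctfmon).
SAMPLE = [
    ("W32SYS", r"C:\WINDOWS\system32\w32sys.exe"),  # not an imitation: stays "ok"
    ("StreamAppliance", "wuauclt14.exe"),
    ("Notepad", r"C:\WINDOWS\system32\ntoepad.exe"),
    ("Microsoft Installshield", "nundll32.exe"),
    ("load", r"C:\WINDOWS\uninstall\rundl132.exe"),
    ("WinLogon", r"C:\WINDOWS\WinLogon.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The w32sys.exe entry passes because it imitates nothing; name heuristics like this complement, rather than replace, an allowlist of expected autostart entries.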