Text 310, 954 lines
Written 2007-07-02 23:37:00 by KURT WISMER (1:123/140)
Subject: News, July 2 2007
=========================
[cut-n-paste from sophos.com]
Name Troj/Sera-C
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Sera-C is a downloader Trojan for the Windows platform.
Advanced
Troj/Sera-C is a downloader Trojan for the Windows platform.
When run Troj/Sera-C creates the file <Root>\JCT\NET.html and saves
the screen captures into that folder with the filename 00<continuous
numbers>.bmp. (This folder and the files under it can be safely
removed.)
Troj/Sera-C also includes functionality to access the internet and
communicate with a remote server.
Registry entries are created under:
HKCR\MSWinsock.Winsock
Name Troj/Cimuz-CK
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Cimuz-CK is a Trojan for the Windows platform.
Advanced
Troj/Cimuz-CK is a Trojan for the Windows platform.
When Troj/Cimuz-CK is installed it creates the file
<System>\ipv6monl.dll.
The file ipv6monl.dll is detected as Mal/Behav-018.
The file ipv6monl.dll is registered as a COM object and Browser
Helper Object (BHO) for Microsoft Internet Explorer, creating
registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}
HKCR\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<Program Files>\Internet Explorer\IEXPLORE.EXE
<Program Files>\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer
The following registry entry is set:
HKCU\Software\Microsoft\Internet Explorer\Main
Enable Browser Extensions
yes
Name Troj/Dorf-K
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Tibs.ll
Prevalence (1-5) 2
Description
Troj/Dorf-K is a Trojan for the Windows platform.
Advanced
Troj/Dorf-K is a Trojan for the Windows platform.
When Troj/Dorf-K is installed it creates the file
<System>\windev-<4 random characters>-<4 random characters>.sys, detected as Mal/EncPk-K.
This dropped file is registered as a new system driver service with
the same service and display name as the file, and a startup type of
automatic so that it is started automatically during system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\windev-<4 random characters>-<4 random characters>
Troj/Dorf-K may attempt to download and execute files from a remote
location.
Name W32/Poebot-MG
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Scans network for vulnerabilities
* Scans network for weak passwords
Prevalence (1-5) 2
Description
W32/Poebot-MG is a worm with backdoor functionality for the Windows
platform.
Advanced
W32/Poebot-MG is a worm with backdoor functionality for the Windows
platform.
W32/Poebot-MG spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including:
LSASS (MS04-011)
SRVSVC (MS06-040)
RPC-DCOM (MS04-012)
PNP (MS05-039)
The worm may also spread via network shares protected by weak
passwords.
When first run W32/Poebot-MG copies itself to <System>\winamp.exe and
creates the following registry entries to run winamp.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Winamp Agent
<path of worm executable>
Name W32/VB-DWI
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/VB-DWI is a worm for the Windows platform.
W32/VB-DWI contains functionality to spread via removable storage
devices.
Advanced
W32/VB-DWI is a worm for the Windows platform.
W32/VB-DWI contains functionality to spread via removable storage
devices.
When first run W32/VB-DWI copies itself to:
<Root>\BootEx.exe
<Root>\log.exe
<Windows>\ErrorReport.exe
<Windows>\MonitorSetup.exe
<Windows>\NowAndForever.exe
<Windows>\SystemMonitor.exe
<Windows>\Win System.exe
<Windows>\WinSystem
<Windows>\WinSystem.exe
<Windows>\WinSystem32.exe
<Windows>\regedif.exe
<System>\WindowsUpadate.exe
<System>\mscomfig.exe
<System>\msiexece.exe
<System>\rundlI.exe
<System>\WindowsProtection.exe
<System>\msidlI.exe
<System>\msiexee.exe
<System>\regedif32.exe
<System>\scconfig.exe
<System>\winlocon.exe
<System>\wpa.bdlx
<Windows>\windows.exe
and creates the following clean files:
<Current Folder>\Log.txt
<System>\oeminfo.ini
<System>\oemlogo.bmp
The following registry entries are created to run BootEx.exe and
WinSystem.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SysMonitor
<Windows>\WinSystem.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
explores
<Root>\BootEx.exe
Registry entries are set as follows:
HKCR\Folder\shell\Scan for Virus\Command
(default)
<Windows>\MonitorSetup.exe
HKCR\exedfile\DefaultIcon
(default)
<Windows>\windows.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
RegPath
Software\Microsoft\Windows\CurrentVersions\Explorer\Advanced
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
RegPath
Software\Microsoft\Windows\CurrentVersions\Explorer\Advanced
HKCR\Word.Document.8
(default)
<Windows>\windows.exe
Registry entries are created under:
HKCU\Software\KyrentSoft
HKCR\.bin
HKCR\.cfg
HKCR\.cvd
HKCR\.dat
HKCR\.exed
HKCR\cfgfile
HKCR\excfile
HKCR\exedfile
Name W32/Hairy-A
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Hairy-A is a worm for the Windows platform.
Advanced
W32/Hairy-A is a worm for the Windows platform.
W32/Hairy-A will attempt to copy itself and create autorun.inf to
removable drives.
When W32/Hairy-A is installed the following files are created:
<Root>\HarryPotter-TheDeathlyHallows.doc
<Root>\autorun.inf
<Root>\harry potter.txt
<Windows>\Tempt\talk.bat
The following registry entry is created to run talk.bat on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
talk
<Windows>\Tempt\talk.bat
W32/Hairy-A changes settings for Microsoft Internet Explorer by
modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
The following registry entries are set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall
0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
DoNotAllowExceptions
0
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoViewContextMenu
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoShellSearchButton
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HideClock
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoTrayContextMenu
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoTrayItemsDisplay
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoViewContextMenu
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
Name Troj/BHO-CO
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/BHO-CO is a Trojan for the Windows platform.
Advanced
Troj/BHO-CO is a Trojan for the Windows platform.
Troj/BHO-CO includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/BHO-CO is installed the following files are created:
<Temporary Internet Files>\Content.IE5\<Random Name>.htm
<Windows>\media\910f41.dll
The following registry entry is set:
HKCU\Software\Microsoft\Internet Explorer\Main
Enable Browser Extensions
yes
Name Troj/Dloadr-BBJ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Dloadr-BBJ is a Trojan for the Windows platform.
The Trojan includes functionality to download, install and run new
software.
Name Troj/Onlineg-D
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Prevalence (1-5) 2
Description
Troj/Onlineg-D is a Trojan for the Windows platform.
Name Troj/Pharmoxy-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Steals information
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Monitors browser activity
Aliases
* Trojan-Proxy.Win32.Delf.an
* Win32/TrojanProxy.Delf.AN
* TROJ_DELF.BET
Prevalence (1-5) 2
Description
Troj/Pharmoxy-A is a Trojan for the Windows platform.
Advanced
Troj/Pharmoxy-A is a Trojan for the Windows platform.
Troj/Pharmoxy-A includes the functionality to:
- access the internet and communicate with remote servers via HTTP and SMTP
- monitor local browser activity by acting as an HTTP proxy
- act as a mail relay
- download and execute additional malware
Troj/Pharmoxy-A may be found in the following locations:
<System>\mswsock.dll
<System>\mswsock.bak
<System>\mswsock.bak0
<System>\dllcache\mswsock.dll
<System>\ServicePackFiles\i386\mswsock.dll
Troj/Pharmoxy-A may affect the following registry entries and their
sub-entries:
SYSTEM\CurrentControlSet\Services\NetBT\Linkage
System\CurrentControlSet\Services\Winsock\Parameters
System\CurrentControlSet\Services
System\CurrentControlSet\Services\Tcpip\ServiceProvider
SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes\
System\CurrentControlSet\Services\Nla\Parameters
Name Troj/Ranky-BC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Ranky-BC is a backdoor Trojan which allows a remote intruder to
gain access and control of an infected computer.
Advanced
Troj/Ranky-BC is a backdoor Trojan which allows a remote intruder to
gain access and control of an infected computer.
The following registry entry is created to run Troj/Ranky-BC on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Advanced DHTML Enable
<pathname of the Trojan executable>
Name JS/Dload-H
Type
* Trojan
How it spreads
* Web browsing
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
JS/Dload-H is a malicious Javascript Trojan embedded within a web page.
Advanced
JS/Dload-H is a malicious Javascript Trojan embedded within a web page.
JS/Dload-H is intended to download further remote content when a
malicious web page is viewed.
Name Troj/Banloa-CB
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Banload.aku
Prevalence (1-5) 2
Description
Troj/Banloa-CB is a downloading Trojan for the Windows platform.
Advanced
Troj/Banloa-CB is a downloading Trojan for the Windows platform.
When Troj/Banloa-CB is installed it creates the file
<System>\winnampis.exe.
Troj/Banloa-CB downloads the following file from a predefined location:
dddi.exe
When installed, Troj/Banloa-CB copies itself to
<System>\winnampis.exe.
The following registry entry is created to run winnampis.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSWinupd
<System>\winnampis.exe
Name W32/Rbot-GRY
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Rbot-GRY is a worm with IRC backdoor functionality for the
Windows platform.
Advanced
W32/Rbot-GRY is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-GRY runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-GRY spreads to other network computers:
- by exploiting common buffer overflow vulnerabilities, including:
LSASS (MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), ASN.1
(MS04-007) and Symantec (SYM06-010)
- via network shares protected by weak passwords
When first run W32/Rbot-GRY copies itself to <System>\aim.exe
The following registry entry is set to run W32/Rbot-GRY on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
aim.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
aim.exe
The following registry entry is set:
HKCU\Software\ASProtect
Microsoft
aim.exe
W32/Rbot-GRY includes functionality to:
- download code from the internet
- steal information
- perform port scanning
- perform DDoS attacks
Name Troj/JSXor-Gen
Type
* Trojan
How it spreads
* Email messages
* Web browsing
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Exploits system or software vulnerabilities
Aliases
* JS_DLOADER.NUF
* Trojan-Downloader.JS.Agent.kd
Prevalence (1-5) 2
Description
Troj/JSXor-Gen is a JavaScript downloader Trojan which attempts to
exploit a buffer overflow vulnerability to download and run executable
code.
Advanced
Troj/JSXor-Gen is a JavaScript downloader Trojan which attempts to
exploit a buffer overflow vulnerability to download and run executable
code.
Troj/JSXor-Gen typically arrives via HTML content within spam email
messages, or by browsing websites whose HTML pages contain the
script, or link to the script.
The Troj/JSXor-Gen script first decodes an encrypted string and
writes it to the current page via document.write. This decoded
content is another JavaScript (detected separately as JS/DlrShl-A and
Mal/JSShell-B) which attempts to exploit a vulnerability associated
with Windows Media Player to run executable code. See Microsoft
Security Bulletin MS06-006.
Name Troj/Maran-AV
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Maran-AV is a Trojan for the Windows platform.
Advanced
Troj/Maran-AV is a Trojan for the Windows platform.
Troj/Maran-AV includes functionality to download, install and run new
software.
When Troj/Maran-AV is installed the following files are created:
<Windows>\avp.exe
<System>\od6media.dll
The file avp.exe is registered as a new system driver service named
"VGADown", with a display name of "Audio Adapter" and a startup type
of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\VGADown
Name Troj/Istbar-DG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Downloader-XZ trojan
* Trojan-Downloader.Win32.IstBar.gen
* W32/Istbar.gen10@dl
Prevalence (1-5) 2
Description
Troj/Istbar-DG is a downloader Trojan which will download, install
and run new software without notification that it is doing so.
Name W32/Nirbot-A
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.SdBot.bkq
* W32/Nirbot.worm
Prevalence (1-5) 2
Description
W32/Nirbot-A is a worm for the Windows platform.
Advanced
W32/Nirbot-A is a worm with backdoor functionality for the Windows
platform.
W32/Nirbot-A runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Nirbot-A includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Nirbot-A copies itself to <Windows>\tcpip.exe.
The file tcpip.exe is registered as a new system driver service named
"Windows TCPIP Service", with a display name of "Windows TCPIP
Service" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows TCPIP Service
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
W32/Nirbot-A sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe %WINDIR%\tcpip.exe
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center
HKLM\SOFTWARE\Symantec\LiveUpdate Admin
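Several of the write-ups above (Troj/Cimuz-CK, W32/Hairy-A and W32/Nirbot-A among them) describe the same few classes of registry change: Run/RunServices autostart entries, a Windows Firewall profile switched off or given an exception for IEXPLORE.EXE, Policies\System and Policies\Explorer lockouts, services such as RemoteRegistry set to Start=4, and tampering with the Winlogon Shell and SFCDisable values. The Python script below is an added example, not Sophos' code and not part of the original post: it parses a Regedit 5.00 export (the text format `reg export` writes) and reports values that match those patterns. The .reg text embedded in it is constructed for this example from the values quoted in the write-ups, and the finding category names are the script's own.

```python
"""Audit a Regedit 5.00 export for the registry changes described above.

Added example (not Sophos' code). SAMPLE_REG is constructed from values
quoted in the write-ups; the finding categories are this script's own.
"""
import re

# Constructed sample in the text format `reg export` / Regedit produce.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"talk"="C:\\WINDOWS\\Tempt\\talk.bat"
"Winamp Agent"="C:\\WINDOWS\\system32\\winamp.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DoNotAllowExceptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %WINDIR%\\tcpip.exe"
"SFCDisable"=dword:ffffff9d
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
FIREWALL_PROFILE_RE = re.compile(
    r"\\(?:FirewallPolicy|WindowsFirewall)\\(?:Standard|Domain)Profile$", re.I)
SERVICE_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+$", re.I)


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _parse_value(raw):
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    return raw  # hex(...) and other value types are kept as raw text


def parse_reg(text):
    """Return {key: {value_name: value}}; '(default)' names the @ value."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(1) is None else _unescape(m.group(1))
            tree[current][name] = _parse_value(m.group(2))
    return tree


def audit(reg_text):
    """Return a list of findings, one dict per suspicious value."""
    findings = []

    def add(category, key, name, value):
        findings.append({"category": category, "key": key, "name": name, "value": value})

    for key, values in parse_reg(reg_text).items():
        lkey = key.lower()
        if lkey.endswith(("\\currentversion\\run", "\\currentversion\\runservices")):
            for name, val in values.items():      # every autostart entry is worth review
                add("autostart", key, name, val)
        elif lkey.endswith(("\\policies\\system", "\\policies\\explorer")):
            for name, val in values.items():      # DisableTaskMgr, NoRun, ... set to 1
                if val == 1:
                    add("policy-lockout", key, name, val)
        elif FIREWALL_PROFILE_RE.search(key):
            if values.get("EnableFirewall") == 0:
                add("firewall-off", key, "EnableFirewall", 0)
        elif lkey.endswith("\\authorizedapplications\\list"):
            for name, val in values.items():      # firewall exceptions, e.g. IEXPLORE.EXE
                add("firewall-exception", key, name, val)
        elif lkey.endswith("\\currentversion\\winlogon"):
            shell = values.get("Shell")
            if shell is not None and shell.strip().lower() != "explorer.exe":
                add("winlogon-shell", key, "Shell", shell)  # extra process appended to Shell
            if values.get("SFCDisable", 0) != 0:
                add("sfc-disabled", key, "SFCDisable", values["SFCDisable"])
        elif SERVICE_RE.match(key) and values.get("Start") == 4:
            add("service-disabled", key, "Start", 4)  # SERVICE_DISABLED, as for RemoteRegistry
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"[{f['category']}] {f['key']}  {f['name']!r} = {f['value']!r}")
```

Run it against a real export with `reg export HKLM hklm.reg` (and the same for HKCU) and pass the file contents to `audit()`; on a clean machine the autostart and firewall-exception categories will still list legitimate entries, so treat those as items to review rather than as verdicts, while firewall-off, policy-lockout, sfc-disabled and a non-default Winlogon Shell are the findings that line up directly with the behaviour described in the write-ups.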
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)