Text 325, 727 lines
Written 2007-08-18 15:19:00 by KURT WISMER (1:123/140)
Subject: News, August 18 2007
=============================
[cut-n-paste from sophos.com]
Name W32/Rbot-GSS
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Rbot-GSS is a worm with IRC backdoor functionality for the Windows
platform.
Advanced
W32/Rbot-GSS is a worm with IRC backdoor functionality for the Windows
platform.
W32/Rbot-GSS runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/Rbot-GSS spreads to other network computers:
- to computers vulnerable to common exploits, including: IMAIL Server,
ASN.1 (MS04-007) and Symantec (SYM06-010)
- to network shares protected by weak passwords
When first run W32/Rbot-GSS copies itself to <System>\wuauclt11.exe and
creates the following registry entries in order to run on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Xordate
wuauclt11.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Xordate
wuauclt11.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Xordate
wuauclt11.exe
W32/Rbot-GSS includes functionality to:
- download code from the internet
- steal information
- perform port scanning
- perform DDoS attacks

Name W32/Sdbot-DGY
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* not-a-virus:Downloader.Win32.WinFixer.u
Prevalence (1-5) 2
Description
W32/Sdbot-DGY is a worm with IRC backdoor functionality for the Windows
platform.
Advanced
W32/Sdbot-DGY is a worm with IRC backdoor functionality for the Windows
platform.
W32/Sdbot-DGY runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Sdbot-DGY copies itself to <System>\svshost.exe.
The file svshost.exe is registered as a new system driver using a
random service and display name, and a startup type of automatic, so
that it is started automatically during system startup. Registry
entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\
W32/Sdbot-DGY sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center

Name Troj/Dorf-P
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Packed.Win32.Tibs.ap
* W32/Nuwar.sys
Prevalence (1-5) 2
Description
Troj/Dorf-P is a malware component for the Windows platform.
Advanced
Troj/Dorf-P is a malware component for the Windows platform.

Name W32/Kukoo-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* W32/Generic.worm.ac
Prevalence (1-5) 2
Description
W32/Kukoo-A is a network worm for the Windows platform.
Advanced
W32/Kukoo-A is a network worm for the Windows platform.
When first run W32/Kukoo-A copies itself to:
<User>\Application Data\lsass.exe
<Windows>\inf\smss.exe
<System>\Sexy Girls.scr
The following registry entries are created to run W32/Kukoo-A on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
NT_Authority
<User>\Application Data\lsass.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FrameWorkService
<Windows>\Inf\smss.exe I'm so ugly, I hate myself and I want to die
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DisallowRun
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
1
cmd.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
2
mmc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
3
rstrui.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
4
regedit.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
5
regedt32.exe

Name W32/Sohana-AE
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Win32/Autoit.E worm
* W32/IMworm.BP
* W32/YahLover.worm
Prevalence (1-5) 2
Description
W32/Sohana-AE is a worm for the Windows platform.
Advanced
W32/Sohana-AE is a worm for the Windows platform.
W32/Sohana-AE spreads via
- network shares.
- removable storage devices.
- Yahoo Messenger.
W32/Sohana-AE includes functionality to access the internet and
communicate with a remote server via HTTP and download, install and run
new software.
When first run W32/Sohana-AE copies itself to:
<Windows>\SVICHOOST.exe
<System>\SVICHOOST.exe
and creates the following files:
<System>\setting.ini - dat file, may simply be deleted
<Windows>\Tasks\At1.job - dat file, may simply be deleted
The following registry entry is created to run SVICHOOST.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger
<System>\SVICHOOST.exe
The following registry entry is changed to run SVICHOOST.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe SVICHOOST.exe
The following registry entries are created to prevent disinfection of
W32/Sohana-AE:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shared
shared
\NewFolder.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
GlobalUserOffline
0
The following registry entry is set:
HKLM\SYSTEM\CurrentControlSet\Services\Schedule
AtTaskMaxHours
0

Name Troj/Dloadr-BDA
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Dloadr-BDA is a Trojan for the Windows platform.
When first run Troj/Dloadr-BDA copies itself to <Windows>\svchost.exe
and creates the following files:
<Common Files>\winctl.dll - Detected as Troj/Dloadr-BDA.
<Root>\oops.dll - Detected as Troj/Dloadr-BDA.
<Root>\pagefile.sys - Detected as Troj/Dloadr-BDA.

Name W32/Looked-DS
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Looked-DS is a virus and network worm for the Windows platform.
Advanced
W32/Looked-DS is a virus and network worm for the Windows platform.
W32/Looked-DS infects files found on the local computer. W32/Looked-DS
also copies itself to remote network shares and may infect files found
on those shares.
W32/Looked-DS includes functionality to access the internet and
communicate with a remote server via HTTP. W32/Looked-DS may attempt to
download and execute additional files from a remote location.
When W32/Looked-DS is installed the following files are created:
<Windows>\RichDll.dll - detected as W32/Looked-DS.
W32/Looked-DS may also create many files with the name "_desktop.ini"
in various folders on the infected computer. These files are harmless
text files and can be deleted.

Name Troj/Mailbot-CG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Aliases
* SpamTool.Win32.Agent.u
* Spam-Xarvester trojan
* Spammer:Win32/Agent.U
Prevalence (1-5) 2
Description
Troj/Mailbot-CG is a backdoor Trojan for the Windows platform.
Advanced
Troj/Mailbot-CG is a backdoor Trojan for the Windows platform.
The Trojan gives a remote intruder access to a compromised computer and
allows them to send arbitrary emails.
When Troj/Mailbot-CG is installed it creates the file <Root>\fwdrv.sys.
This file is also detected as Troj/Mailbot-CG.
The file fwdrv.sys is registered as a new system driver service named
"fwdrv.sys", with a display name of "fwdrv.sys". Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\fwdrv.sys

Name W32/Kies-A
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Virus.Win32.Kies.b
* Win32/Agent.NKN
* PE_KIES.A
Prevalence (1-5) 2
Description
W32/Kies-A is a virus and network worm for the Windows platform.
Advanced
W32/Kies-A is a virus and network worm for the Windows platform.
W32/Kies-A spreads by infecting executable files on local drives and
available network shares.
The virus downloads code from a preconfigured website and executes it.

Name Troj/Agent-GAO
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Agent-GAO is a Trojan for the Windows platform.
Advanced
Troj/Agent-GAO is a Trojan for the Windows platform.
When first run Troj/Agent-GAO copies itself to <System>\exeplorer.bat.
The following registry entry is created to run exeplorer.bat on startup:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(F68FD7CA-126B-D4E2-9B26-2833E596332D)
StubPath
<System>\exeplorer.bat

Name Troj/DDos-AA
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/DDos-AA is a Trojan for the Windows platform.

Name Troj/Banker-EIT
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Prevalence (1-5) 2
Description
Troj/Banker-EIT is a Trojan for the Windows platform.

Name Troj/Virtum-P
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Virtum-P is a Trojan for the Windows platform.
Advanced
Troj/Virtum-P is a Trojan for the Windows platform.
Troj/Virtum-P has the functionality to communicate with a remote server
via HTTP.
The Trojan creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemOptimizer
rundll32.exe \"<path of Trojan executable>",forkonce"
HKLM\SOFTWARE\Microsoft\aoprndtws
(8E117458-09DB-45E8-B0AD-173997A6298F)
The following Registry entry is modified:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Name W32/Ickie-A
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Ickie-A is a worm for the Windows platform.
Advanced
W32/Ickie-A is a worm for the Windows platform.
W32/Ickie-A spreads by copying itself to removable drives.
When first run, W32/Ickie-A copies itself to <Windows>\chiCkie.exe and
creates the following registry entry in order to be run automatically:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
chiCkie
<Windows>\chiCkie.exe

Name Troj/Small-EJY
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Small.emg
* TROJ_SMALL.HGW
Prevalence (1-5) 2
Description
Troj/Small-EJY is a Trojan for the Windows platform.
Troj/Small-EJY includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Small-EJY includes functionality to download and execute files
from a remote location.

Name W32/MyDoom-BX
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Mydoom.bh
Prevalence (1-5) 2
Description
W32/MyDoom-BX is an email worm for the Windows platform.
Advanced
W32/MyDoom-BX is an email worm for the Windows platform.
When first run W32/MyDoom-BX copies itself to <System>\dvupdate.exe and
creates the file <Temp>\<random_name>.bat.
The following registry entry is created to run dvupdate.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Driver Update
<System>\dvupdate.exe
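The write-ups above share a small set of registry changes that an incident responder can check for on a suspect machine: autostart values under the Run/RunServices keys (Rbot-GSS, Kukoo-A, Sohana-AE, Virtum-P, Ickie-A, MyDoom-BX), a modified Winlogon Shell (Sohana-AE), services switched to Start=4 and the firewall policy turned off (Sdbot-DGY), and Explorer/System policy values that lock out Task Manager, regedit and the Run dialog (Kukoo-A, Sohana-AE). The script below is an added example, not Sophos's code or any tool mentioned in the post: it parses a registry export in .reg text form and flags those indicators. The .reg snippet embedded in it is constructed for the example, and the value names it searches for are the ones listed in the write-ups.

```python
"""Audit a Windows registry export (.reg text) for the persistence and
security-weakening settings described in the Sophos write-ups above.
Added example; SAMPLE_REG is constructed, not a capture from a real host."""
import re
from typing import Dict, List, Tuple

# Indicators taken from the write-ups above.
AUTORUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
# Value names used by Rbot-GSS, Kukoo-A, Sohana-AE, Virtum-P, Ickie-A, MyDoom-BX.
AUTORUN_NAMES = {"xordate", "nt_authority", "frameworkservice", "yahoo messengger",
                 "systemoptimizer", "chickie", "driver update"}
DISABLED_SERVICES = ("Messenger", "RemoteRegistry", "TlntSvr")  # Sdbot-DGY: Start=4
FIREWALL_KEYS = (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile",
                 r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile")
POLICY_FLAGS = {  # key -> value names the worms set to 1 to hinder disinfection
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        {"disabletaskmgr", "disableregistrytools"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        {"norun", "nofind", "nofolderoptions", "disallowrun"},
}
DISALLOWRUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
ADMIN_TOOLS = {"cmd.exe", "mmc.exe", "rstrui.exe", "regedit.exe", "regedt32.exe"}  # Kukoo-A

_HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset used here: [key] headers followed by
    "name"="string" or "name"=dword:hex lines. Returns key -> {name: value}."""
    reg: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = _HIVES.get(hive, hive) + "\\" + rest
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, s, dw = m.groups()
            # .reg escapes backslashes in string data as "\\"; undo that.
            reg[current][name] = int(dw, 16) if dw is not None else s.replace("\\\\", "\\")
    return reg


def audit(reg: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for every indicator present."""
    lookup = {k.lower(): v for k, v in reg.items()}  # registry paths are case-insensitive

    def vals(key: str) -> Dict[str, object]:
        return lookup.get(key.lower(), {})

    findings: List[Tuple[str, str]] = []
    for key in AUTORUN_KEYS:
        for name, data in vals(key).items():
            if name.lower() in AUTORUN_NAMES:
                findings.append(("autorun", f"{key}\\{name} = {data}"))
    shell = vals(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon").get("Shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon-shell", shell))  # Sohana-AE appends its own exe here
    for svc in DISABLED_SERVICES:
        if vals(r"HKLM\SYSTEM\CurrentControlSet\Services" + "\\" + svc).get("Start") == 4:
            findings.append(("service-disabled", svc))
    for key in FIREWALL_KEYS:
        if vals(key).get("EnableFirewall") == 0:
            findings.append(("firewall-off", key.rsplit("\\", 1)[1]))
    if vals(r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate").get("DoNotAllowXPSP2") == 1:
        findings.append(("update-blocked", "DoNotAllowXPSP2"))
    for key, names in POLICY_FLAGS.items():
        for name, data in vals(key).items():
            if name.lower() in names and data == 1:
                findings.append(("policy-lockout", name))
    for data in vals(DISALLOWRUN_KEY).values():
        if isinstance(data, str) and data.lower() in ADMIN_TOOLS:
            findings.append(("disallowrun", data))
    return findings


# Constructed export mixing indicators from several of the write-ups above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xordate"="wuauclt11.exe"
"Driver Update"="C:\\WINDOWS\\system32\\dvupdate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SVICHOOST.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="cmd.exe"
"2"="regedit.exe"
"""

if __name__ == "__main__":
    for category, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"{category:16} {detail}")
```

On a real host the input would come from `reg export` of the keys listed in AUTORUN_KEYS, Winlogon, Services and the two Policies keys; the parser deliberately handles only string and dword values, which is all these indicators use. A hit on a value name alone is a triage lead, not proof of infection, since the same names can be reused by unrelated software.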
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)