Text 326, 1609 lines
Written 2007-08-30 20:50:00 by KURT WISMER (1:123/140)
Subject: News, August 30 2007
============================
[cut-n-paste from sophos.com]
Name Troj/SpamToo-AW
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/SpamToo-AW is a spamming Trojan tool for the Windows platform.
Advanced
Troj/SpamToo-AW is a spamming Trojan tool for the Windows platform.
When run, Troj/SpamToo-AW sets up the default Microsoft service
"Windows Socket 2.0 Non-IFS Service Provider Support Environment".
Registry entries may be created under:
HKLM\SYSTEM\CurrentControlSet\Services\WS2IFSL\
Once installed Troj/SpamToo-AW creates the file <System>\rsvp322.dll.
Troj/SpamToo-AW then proceeds to create multiple duplicate copies of
the file <System>\rsvp322.dll as <System>\rsvp322.dll<random characters>.
These files are detected as Troj/SpamToo-AR.
Troj/SpamToo-AW also creates the file <System>\sporder.dll. This file
is not malicious.
Troj/SpamToo-AW provides functionality to act as an email spam proxy.
Name W32/Spelit-A
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Spelit-A is a mass-mailing worm and IRC backdoor Trojan for the
Windows platform.
Advanced
W32/Spelit-A is a mass-mailing worm and IRC backdoor Trojan for the
Windows platform.
When run W32/Spelit-A copies itself to <System>\wsçntfy.exe and creates
the following registry entries to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Security Alert
<System>\wsçntfy.exe
Registry entries are also created under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
VersionNumber
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock
TcpNumConnections
Once installed, W32/Spelit-A injects code into the file TCPIP.SYS in
order to silently stealth itself in transporting code
Name W32/VBLame-D
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/VBLame-D is a worm.
Advanced
W32/VBLame-D is a worm.
When W32/VBLame-D is installed it copies itself to the following
locations:
\Terlalu indah.exe
\Documents and Settings\Administrator\Application Data\Kau dan aku.exe
\Documents and Settings\Administrator\Local Settings\Cinta membawamu kembali.exe
\Documents and Settings\Administrator\Local Settings\Application Data\Di balas dengan dusta.exe
\Documents and Settings\Administrator\My Documents\Tercipta untukmu.exe
\Documents and Settings\Administrator\My Documents\My Pictures\Cintailah cinta.exe
<User>\Application Data\Intrik cinta.exe
<User>\Documents\Kau pilih dia.exe
<User>\Documents\My Pictures\Ada apa dengan cinta.exe
<Startup>\Loadme.pif
<System>\Bitch.exe
<System>\Liar.exe
<System>\Svseehost.exe
The following registry entries are created to run Bitch.exe, Liar.exe
and Svseehost.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BITCH
<System>\Bitch.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LIAR
<System>\Liar.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SVSEEHOST
<System>\Svseehost.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
W32/VBLame-D attempts to periodically copy itself to removable drives,
including floppy drives and USB keys.
Name W32/Vetor-C
Type
* Virus
How it spreads
* Infected files
* Chat programs
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Vetor-C is a virus for the Windows platform.
W32/Vetor-C may connect to IRC networks in an attempt to spread itself
over the internet.
Name W32/Agent-GAT
Type
* Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Agent.h
Prevalence (1-5) 2
Description
W32/Agent-GAT is a worm for the Windows platform.
Advanced
W32/Agent-GAT is a worm for the Windows platform.
When first run W32/Agent-GAT copies itself to <System>\dmupdate.exe.
The following registry entry is created to run dmupdate.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
dmupdate
<System>\dmupdate.exe
Name Troj/VB-DXD
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Generic Downloader.s
* Trojan-Proxy.Win32.VB.x
* W32/Downldr2.AIRK
Prevalence (1-5) 2
Description
Troj/VB-DXD is a backdoor Trojan which allows a remote intruder to gain
access and control over the computer.
Advanced
Troj/VB-DXD is a backdoor Trojan which allows a remote intruder to gain
access and control over the computer.
Troj/VB-DXD includes functionality to access the internet and
communicate with a remote server via HTTP, and may download and execute
further files.
When first run Troj/VB-DXD copies itself to <Windows>\svhost.exe.
The following registry entry is created to run svhost.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svhost
<Windows>\svhost.exe
Name W32/Delf-EXT
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Delf-EXT is an MSN worm and backdoor Trojan for the Windows platform.
Advanced
W32/Delf-EXT is an MSN worm and backdoor Trojan for the Windows platform.
When run W32/Delf-EXT copies itself to <Windows>\winsyshp.exe and
creates the following registry entry to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Visual Application
winsyshp.exe
W32/Delf-EXT also creates a zipped copy of itself at the location
<Windows>\img317.zip. This file is also detected as W32/Delf-EXT.
Name Troj/Dload-L
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Dload-L is a downloader Trojan for the Windows platform.
Name Troj/QHost-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/QHost-B is a Trojan for the Windows platform.
Advanced
Troj/QHost-B is a Trojan for the Windows platform.
Troj/QHost-B includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/QHost-B copies itself to <System>\inetsrv\servcs.exe.
The following registry entries are created to run servcs.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Services Managements
<System>\inetsrv\servcs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Services Managements
<System>\inetsrv\servcs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Services Managements
<System>\inetsrv\servcs.exe
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\inetsrv\servcs.exe
<System>\inetsrv\servcs.exe:*:Enabled:Services Managements
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DisallowRun
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files1
avgupsvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files2
avgamsvr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files3
avgcc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files4
nod32kui.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files5
nod32krn.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files6
ccSetMgr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files7
ccEvtMgr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files8
DefWatch.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files9
SavRoam.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files10
Rtvscan.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files11
VPTray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files12
ccApp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files13
AluSchedulerSvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files14
nod32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files15
nod32ra.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files16
UpdaterUI.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files17
tbmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files18
Mcshield.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files19
SHSTAT.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files20
ashMaiSv.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files21
ashServ.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files22
ashWebSv.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files23
aswUpdSv.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files24
AVGUARD.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files25
AVWUPSRV.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files26
avscan.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files27
guardgui.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files28
VxMon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files29
AVGNT.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files30
avgemc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files31
avp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files32
avp.com
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Name Troj/Swizic-A
Type
* Trojan
Affected operating systems
* Windows
Aliases
* INFECTED Trojan.Win32.Obfuscated.en
Prevalence (1-5) 2
Description
Troj/Swizic-A is a Trojan for the Windows platform.
Troj/Swizic-A may pretend to be part of a package for installing a file
downloading application.
Name W32/IRCBot-XL
Type
* Spyware Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Backdoor.Win32.IRCBot.acd
Prevalence (1-5) 2
Description
W32/IRCBot-XL is a worm with IRC backdoor functionality for the Windows
platform.
W32/IRCBot-XL runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
This worm can be ordered to spread via MSN and to steal login
credentials from the Protected Storage Area in Internet Explorer.
Advanced
W32/IRCBot-XL is a worm with IRC backdoor functionality for the Windows
platform.
W32/IRCBot-XL runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
This worm can be ordered to spread via MSN and to steal login
credentials from the Protected Storage Area in Internet Explorer.
W32/IRCBot-XL can be ordered to spread via MSN with one of the
following messages:
Qus usted piensa de este cuadro?
Consegu a nuevo cuadro de m la toma una mirada
algunos cuadros de la semana pasada, consideran si usted tiene gusto en
ellos.
tiene usted visto este picure todavaa?
Haha, es que usted?
Debo utilizar este cuadro en msn?
Qus usted piensa en esto?
Was denken Sie an diese?
was denken Sie an dieses picure? ich glaube, da ich hlich schaue :/
sind hier eine neue Abbildung von mir
einige Abbildungen von der letzten Woche, sehen, wenn Sie sie m
Haha, diese sind Sie auf dieser Abbildung?
sollte ich diese Abbildung auf msn benutzen?
Was denken Sie an dieses?
Wat denkt u aan dit picure? ik vind ik lelijk kijk
Een paar beelden van vorige week, zien of houdt u hier van em nieuwe
pic van me. :)
Hebt u dit picure nog gezien?:p
Hebt u dit picure nog gezien? :p
Haha, bent u dat op dat beeld? :)
Zou ik dit beeld op msn moeten gebruiken?
Wat denkt u over dit?
que pensez-vous ce picure ? je me sens que je semble laid :/
Voici un nouveau pic de moi
Quelques images de la semaine dernire, voient si vous les aimez
Avez-vous vu ce picure encore ?
Haha, est-vous ce sur cette image ?
Si j'emploient cette image sur le msn ?
Que pensez-vous mon image ?
What do you think of this picure? i feel i look ugly :/
Here's a new pic of me
some pictures from my holyday :p
have u seen this picture? if not, se..
Haha, is that you on that picture?
lol, picture off a friend naked, just found it on a website, do you
know here?
How do i look at this picture?
The attachment will be the file myphotos2007.zip
When W32/IRCBot-XL is installed the following files are created:
<User>\new.txt
<Windows>\myphotos2007.zip
<System>\newsystem25.dll
The file egos.txt, is where information taken from the clipboard and
from the keylogging component is stored. This file may be safely deleted.
Both the files myphotos2007.zip and newsystem25.dll are detected as
W32/IRCBot-XL
The following registry entry is created to run code exported by
{D098C278-C8E7-4256-AB37-619EC764AF56} on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
prodigy1
{D098C278-C8E7-4256-AB37-619EC764AF56}
The file newsystem25.dll is registered as a COM object, creating
registry entries under:
HKCR\CLSID\{D098C278-C8E7-4256-AB37-619EC764AF56}
Name W32/Rbot-GSW
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.byz
* WORM_RBOT.FCQ
Prevalence (1-5) 2
Description
W32/Rbot-GSW is a worm for the Windows platform that contains IRC
backdoor functionality.
W32/Rbot-GSW spreads
- to computers vulnerable to common exploits, including: LSASS
(MS04-011) and RPC-DCOM (MS04-012)
- to MSSQL servers protected by weak passwords
- to network shares
Advanced
W32/Rbot-GSW is a worm for the Windows platform that contains IRC
backdoor functionality.
W32/Rbot-GSW spreads
- to computers vulnerable to common exploits, including: LSASS
(MS04-011) and RPC-DCOM (MS04-012)
- to MSSQL servers protected by weak passwords
- to network shares
W32/Rbot-GSW usually spreads using the filename yahoo.exe.
W32/Rbot-GSW runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/Rbot-GSW copies itself to the file <System>\<random characters>.exe
and creates the following registry entries to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Update Machine
<path to worm>
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Update Machine
<path to worm>
Name W32/Sohana-AH
Type
* Spyware Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Sohana-AH is a worm for the Windows platform.
Advanced
W32/Sohana-AH is a worm for the Windows platform.
When W32/Sohana-AH is installed it copies itself to the following
locations:
<Windows>\hinhem.scr
<Windows>\scvhosts.exe
<System>\blastclnnn.exe
<System>\scvhosts.exe
W32/Sohana-AH also creates the file <System>\autorun.ini, which can be
deleted.
The following registry entry is created to run scvhosts.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger
<System>\scvhosts.exe
The pathname of scvhosts.exe is appended to the shell line in the boot
section of System.ini, so that it is run on startup.
The following registry entries are set, disabling the registry editor
(regedit) and the Windows task manager (taskmgr):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
The following registry entry is set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions
1
Name Troj/KillAV-EA
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Drops more malware
Aliases
* Trojan.Win32.Obfuscated.en; Trojan.Win32.KillAV.ka; TROJ_KILLAV.DY
Prevalence (1-5) 2
Description
Troj/KillAV-EA is a Trojan for the Windows platform.
Advanced
Troj/KillAV-EA is a Trojan for the Windows platform.
Troj/KillAV-EA may appear in the form of an installer for the "3wPlayer"
application. When Troj/KillAV-EA is executed, the following files are
installed in addition to the media player:
<Program Files>\gridhopefirst\bib dent real.exe - detected as
Troj/Swizzor-NJ
<Program Files>\gridhopefirst\dkptivyh.exe - detected as Troj/KillAV-EA
<Program Files>\gridhopefirst\minime.exe - detected as Troj/KillAV-EA
<Program Files>\gridhopefirst\savepeak.exe - detected as Troj/KillAV-EA
<Program Files>\3wPlayer\minime.exe - detected as Troj/KillAV-EA
<System>\drivers\iinipn.sys - detected as Troj/KillAV-DW
<System>\wmfptc32.dl_ - detected as Troj/KillAV-DW
Name W32/Dzan-D
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Dzan-D is a virus for the Windows platform.
Advanced
W32/Dzan-D is a virus for the Windows platform.
W32/Dzan-D includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Dzan-D spreads itself via infected executable files.
When first run W32/Dzan-D copies itself to:
\rvhost.exe
\rvhost.exe
and creates the following files:
\inetinfo.exe
\1021\services.exe
\setting.ini
The file services.exe is detected as W32/Dzan-C.
The following registry entry is created to run rvhost.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger
\RVHOST.exe
The following registry entry is changed to run rvhost.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe RVHOST.exe
The file \1021\services.exe is registered as a new system driver
service named "services", with a display name of "Themes Plug and Play"
and a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\services
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
The following registry entry is set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions
1
Name W32/SillyFDC-AS
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Virus.Win32.AutoRun.al
Prevalence (1-5) 2
Description
W32/SillyFDC-AS is a worm for the Windows platform.
W32/SillyFDC-AS attempts to copy itself to other removable and fixed
drives.
Advanced
W32/SillyFDC-AS is a worm for the Windows platform.
W32/SillyFDC-AS attempts to copy itself to other removable and fixed
drives, also creating the file autorun.inf in order to run the copy
automatically.
W32/SillyFDC-AS includes functionality to download, install and run new
software.
When first run W32/SillyFDC-AS copies itself to the following
locations, with configurable filenames:
<Common Files>\Microsoft Shared\<configurable filename>.exe
<Common Files>\system\<configurable filename>.exe
<Program Files>\<configurable filename>.exe
and creates some of the following files:
<Program Files>\1.hiv
<Program Files>\2.hiv
<Program Files>\3.hiv
<Program Files>\4.hiv
<Program Files>\ReadDown.txt
<Program Files>\<configurable filename>.inf
W32/SillyFDC-AS attempts to terminate certain processes, services and
windows, many of them related to security and anti-virus software.
W32/SillyFDC-AS may set registry entries under the following location:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
W32/SillyFDC-AS sets some of the following registry entries
periodically in order to disable certain services:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\helpsvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RSPPSYS
Start
4
HKLM\SYSTEM\ControlSet001\Services\wscsvc
Start
4
HKLM\SYSTEM\ControlSet001\Services\wuauserv
Start
4
W32/SillyFDC-AS also sets the following registry entries periodically:
HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall
CheckedValue
0
HKU\S-1-5-21-1409082233-115176313-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun
91
Name Troj/Zlob-ADT
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Win32/Hoax.Renos.NCQ application
Prevalence (1-5) 2
Description
Troj/Zlob-ADT is a Trojan for the Windows platform.
Advanced
Troj/Zlob-ADT is a Trojan for the Windows platform that pretends to be
an uninstaller for other software.
When Troj/Zlob-ADT is installed it creates the file
<System>\fwjgtk.dll, which is registered as a COM object, creating
registry entries under:
HKCR\CLSID\{6747456b-cea8-463d-ad2a-50d67ae73d30}
The following registry entries are created to run code exported by
fwjgtk.dll, including on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{6747456b-cea8-463d-ad2a-50d67ae73d30}
cakewalks
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
{6747456b-cea8-463d-ad2a-50d67ae73d30}
cakewalks
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert
Troj/Zlob-ADT provides an uninstall option which can be accessed via
the Add or Remove Programs dialog in the Windows Control Panel. The
software is listed as "Windows Safety Alert". If this option is
selected, a message box will be displayed with the title "Windows
Safety Alert" and the text "Are you sure you want to uninstall Windows
Safety Alert from your computer?". If the user agrees then some but not
all of the components and registry entries will be deleted, and a
message box will be displayed with the title "Windows Safety Alert" and
the text "You need to reboot your computer prior to uninstallation.
Reboot now?".
The file fwjgtk.dll may cause fake system popups with the title "
System Alert! " and text including "System has detected a number of
active spyware applications that may impact the performance of your
computer. Click the icon to get rid of unwanted spyware by downloading
an up-to-date antispyware solution." and "Virus Activity!!! The your
system on computer is damaged.". The file may also display remote
websites, and may attempt to download and execute further files. The
file also contains strings related to pornographic websites.
Name Troj/Baray-A
Type
* Spyware Trojan
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Used in DOS attacks
Prevalence (1-5) 2
Description
Troj/Baray-A is a backdoor Trojan for the Windows platform.
Troj/Baray-A runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
Advanced
Troj/Baray-A is a backdoor Trojan for the Windows platform.
Troj/Baray-A runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
Troj/Baray-A includes functionality to:
- spread by copying itself to network shares protected by weak
passwords.
- log keystrokes
- steal passwords
- carry out DDoS flooder attacks
- silently download, install and run new software, including updates
of its software
- send data and notification messages to remote locations
When first run the application copies itself to the Windows system
folder with a randomly generated filename.
The following registry entries are created to run Troj/Baray-A on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Updates
<Troj/Baray-A filename>
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates
<Troj/Baray-A filename>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates
<Troj/Baray-A filename>
Name Troj/Gina-AJ
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Reduces system security
Prevalence (1-5) 2
Description
Troj/Gina-AJ is a password-stealing Trojan for the Windows platform.
Advanced
Troj/Gina-AJ is a password-stealing Trojan for the Windows platform.
Troj/Gina-AJ attempts to steal information about users and store it in
the clean data file <Windows>\system32\drivers\usb.sys. This
information will be sent periodically to a remote user by email.
Troj/Gina-AJ may attempt to replace the clean file
<Windows>\system32\msgina.dll with a copy of itself, saving the new
location of this file to the following registry entry:
HKLM\SOFTWARE\Microsoft\TelnetServer\1.0
OldG
Name W32/AntiHost-A
Type
* Spyware Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Records keystrokes
* Installs itself in the Registry
Aliases
* Worm.Win32.Delf.ca
* W32/Worm.DSO
* W32/Autorun.worm.f
Prevalence (1-5) 2
Description
W32/AntiHost-A is a worm for the Windows platform.
Advanced
W32/AntiHost-A is a worm for the Windows platform.
When first run W32/AntiHost-A copies itself to <System>\ahr.exe.
The following registry entry is created to run ahr.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
antihost
<System>\ahr.exe
W32/AntiHost-A spreads by copying itself with the hidden filename
antihost.exe to any mounted removable media. The hidden file
autorun.inf is also created so that W32/AntiHost-A is automatically
executed. This file can be safely deleted.
Name Mal/Zlob-D
Type
* Malicious Behavior
How it spreads
* Web browsing
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Zlob.byq
Prevalence (1-5) 2
Description
Mal/Zlob-D detects the Zlob family of Trojans.
Name Mal/Traxg-A
Type
* Malicious Behavior
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
Mal/Traxg-A is a family of mass mailing worms for the Windows platform.
Traxg worms may drop a file that exploits the "Microsoft VM ActiveX
Component vulnerability". For further information see Microsoft
security bulletin MS00-085.
Advanced
Mal/Traxg-A is a family of mass mailing worms for the Windows platform.
Traxg worms may drop a file that exploits the "Microsoft VM ActiveX
Component vulnerability". For further information see Microsoft
security bulletin MS00-085.
Members of the Mal/Traxg-A family typically copy themselves to random
locations and create a registry entry in the following location in
order to run automatically on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Name Troj/Zlob-ADW
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* PAK_Generic.001
Prevalence (1-5) 2
Description
Troj/Zlob-ADW is a Trojan for the Windows platform.
Advanced
Troj/Zlob-ADW is a Trojan for the Windows platform.
Name Troj/VidCach-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Dropped by malware
* Installs a browser helper object
Aliases
* not-a-virus:AdWare.Win32.Agent.el
* Trojan.Win32.Agent.aqj
* AdClicker-FC trojan
* TrojanDownloader:Win32/Zlob.gen!M
* TrojanDownloader:Win32/Zlob.gen!K
* Trojan:Win32/Agent.gen!L
Prevalence (1-5) 2
Description
Troj/VidCach-B is a Trojan for the Windows platform.
Advanced
Troj/VidCach-B is a Trojan for the Windows platform.
Some components of Troj/VidCach-B are registered as a COM object,
creating registry entries under locations including the following:
HKCR\CLSID\{150EA8E7-A97C-4816-AD02-4865EEF8C5FF}
HKCR\CLSID\{BABA5BDB-4EFF-48DB-B443-679651D37128}
HKCR\Interface\{B6A3935F-8FE4-49A4-B987-A1C09E53589F}
HKCR\Interface\{EF94A58F-599B-4602-9C34-99683C5859B1}
HKCR\TypeLib\{CDC0999C-999C-4EE1-875B-5C3542641768}
Some of the registry entries will refer to components of Troj/VidCach-B
as "NewMediaCodec" or "_DNewMediaCodec".
Registry entries are also created under the following locations:
HKCR\VAC.Video
HKLM\SOFTWARE\Microsoft\VideoPlugin
Name Troj/Bckdr-QJL
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Bckdr-QJL is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Advanced
Troj/Bckdr-QJL is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Troj/Bckdr-QJL includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Bckdr-QJL is registered as a new system driver service named
"DomainService", with a display name of "DomainService" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\DomainService
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
4
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\DomainService
Name Troj/PWS-AOM
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/PWS-AOM is a Trojan for the Windows platform.
Advanced
Troj/PWS-AOM is a Trojan for the Windows platform.
When the Trojan is installed the following files are created:
<Windows>\goods32.dll - detected as Troj/PWS-AOM.
<System>\goods.exe - copy of itself.
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
(5D7ED61B-DB3E-44EC-BED5-40307384FF81)
Name Troj/Zapchas-DR
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Zapchas-DR is a Trojan for the Windows platform.
Name Troj/Fakevir-AG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Fakevir-AG is a Trojan for the Windows platform.
Troj/Fakevir-AG includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Fakevir-AG is a Trojan for the Windows platform.
Troj/Fakevir-AG includes functionality to access the internet and
communicate with a remote server via HTTP.
When installed Troj/Fakevir-AG displays a fake virus alert such as:
Your computer is infected!
Windows has detected a spyware infection, however your spyware
protection is out of date. The spyware may cause damage to your
computer, or be used to send personal data through the internet to
criminal parties...
Click here to purchase an update!
Name Troj/Codebase-X
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
Troj/Codebase-X is a Trojan for the Windows platform.
Troj/Codebase-X attempts to exploit a vulnerability in order to drop
and run further malicious code.
Name Troj/Deldoc-E
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Deldoc-E is a Trojan for the Windows platform.
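The registry changes quoted throughout this digest (the Troj/QHost-B, W32/Sohana-AH, W32/SillyFDC-AS and Troj/Bckdr-QJL entries in particular) all use the same three-line notation: key, value name, data. The following added example, which is not Sophos' or the poster's code, parses that notation and sorts each triple into the defensive category a responder would check for (autostart entry, policy tampering, blocked security process, disabled service, firewall exception); the sample input is constructed here from entries on this page, and the category names are this example's own.

```python
"""Parse Sophos-style 'key / value name / data' registry triples and classify
them for triage. Added example, not Sophos' or the poster's code."""
import re

# A registry key line starts with one of the hive abbreviations used in the digest.
HIVE_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU)\\", re.IGNORECASE)

# Autostart locations quoted in the digest (lower-cased key suffixes).
AUTOSTART = (
    r"\currentversion\run",
    r"\currentversion\runservices",
    r"\currentversion\shellserviceobjectdelayload",
    r"\currentversion\explorer\sharedtaskscheduler",
    r"\currentversion\explorer\shellexecutehooks",
)

# (key suffix, value name, data) settings quoted in the digest that weaken the host.
TAMPER = {
    ("policies\\system", "disableregistrytools", "1"): "registry editor disabled",
    ("policies\\system", "disabletaskmgr", "1"): "task manager disabled",
    ("policies\\explorer", "nofolderoptions", "1"): "folder options hidden",
    ("policies\\explorer", "disallowrun", "1"): "DisallowRun policy enabled",
    ("winlogon", "sfcdisable", "4"): "Windows File Protection disabled",
    ("\\ole", "enabledcom", "n"): "DCOM disabled",
}

# Constructed sample: triples copied from the QHost-B, SillyFDC-AS and Bckdr-QJL
# entries of this digest, in the digest's own three-line layout.
SAMPLE = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Services Managements
<System>\inetsrv\servcs.exe
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\inetsrv\servcs.exe
<System>\inetsrv\servcs.exe:*:Enabled:Services Managements
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DisallowRun
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files1
avgupsvc.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
4
"""


def parse_triples(text):
    """Return [(key, value_name, data), ...] from text laid out in groups of three
    non-empty lines. Raises ValueError if a group does not start with a key."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) % 3:
        raise ValueError("expected key / value name / data groups of three lines")
    triples = []
    for i in range(0, len(lines), 3):
        key, name, data = lines[i:i + 3]
        if not HIVE_RE.match(key):
            raise ValueError(f"line {i + 1} is not a registry key: {key}")
        triples.append((key, name, data))
    return triples


def classify(triple):
    """Map one triple to (category, detail); 'other' when no rule applies."""
    key, name, data = triple
    k, n, d = key.lower(), name.lower(), data.lower()
    if any(k.endswith(suffix) for suffix in AUTOSTART):
        return "autostart", (name, data)
    for (suffix, vname, val), why in TAMPER.items():
        if k.endswith(suffix) and n == vname and d == val:
            return "tamper", why
    if k.endswith("\\disallowrun"):          # Explorer blocks this process name
        return "blocked-process", data
    if k.endswith("\\authorizedapplications\\list"):
        return "firewall-exception", name
    if "\\services\\" in k and n == "start" and d == "4":  # SERVICE_DISABLED
        return "service-disabled", key.rsplit("\\", 1)[-1]
    return "other", None


def summarize(text):
    """Group classified triples by category, preserving input order."""
    report = {}
    for triple in parse_triples(text):
        category, detail = classify(triple)
        report.setdefault(category, []).append(detail)
    return report


if __name__ == "__main__":
    for category, details in summarize(SAMPLE).items():
        print(f"{category}: {details}")
```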
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)