Message 328, 670 lines
Written 2007-09-09 19:31:00 by KURT WISMER (1:123/140)
Subject: News, September 9 2007
==============================
[cut-n-paste from sophos.com]
Name Troj/Fakevir-AH
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Win32.Renos.ig
Prevalence (1-5) 2
Description
Troj/Fakevir-AH is a Trojan for the Windows platform.
Advanced
Troj/Fakevir-AH is a Trojan for the Windows platform.
When Troj/Fakevir-AH is installed it creates the file
<System>\nusrmgr.exe.
Name W32/SillyFDC-AT
Type
* Spyware Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Steals information
* Installs itself in the Registry
Aliases
* Worm.Win32.Agent.o
* W32/USBAgent.dll
* WORM_AGENT.LOL
Prevalence (1-5) 2
Description
W32/SillyFDC-AT is a multi-component worm for the Windows platform.
Advanced
W32/SillyFDC-AT is a multi-component worm for the Windows platform.
W32/SillyFDC-AT spreads through removable storage devices, including
floppy drives and USB keys. The worm attempts to create a hidden file
Autorun.inf on the removable drive and copy itself to the removable
drive with the filename autorun.exe.
The file Autorun.inf is designed to start the worm once the removable
drive is connected to an uninfected computer.
When first run W32/SillyFDC-AT copies itself to:
<Windows>\java\classes\java.dll
<System>\kernel32.sys
<System>\mfc48.dll
The following registry entry is set to run the file kernel32.sys on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
kernel32.sys
The worm also sets the following registry entries:
HKCR\CLSID\{Random CLSID}\InprocServer32
<Windows>\java\classes\java.dll
HKCR\CLSID\\InprocServer32
<Windows>\java\classes\java.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\
Name W32/Forbot-GS
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Scans network for vulnerabilities
Aliases
* Backdoor.Win32.Wootbot.da
* W32/Sdbot.worm.gen
Prevalence (1-5) 2
Description
W32/Forbot-GS is a worm with IRC backdoor functionality for the Windows
platform.
W32/Forbot-GS spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including ASN.1 (MS04-007).
Advanced
W32/Forbot-GS is a worm with IRC backdoor functionality for the Windows
platform.
W32/Forbot-GS spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including ASN.1 (MS04-007).
W32/Forbot-GS runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Forbot-GS copies itself to <System>\kbx.exe and
creates the following files:
<Temp>\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
<Temp>\WER1.tmp.dir00\appcompat.txt
<Temp>\wer1.tmp
The following registry entries are created to run kbx.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
XP HOT FIS
KBX.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
XP HOT FIS
KBX.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
XP HOT FIS
KBX.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
XP HOT FIS
KBX.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
XP HOT FIS
KBX.exe
The file KBX.exe is registered as a new file system driver service
named "updating.microsoft.com", with a display name of "XP HOT FIS".
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\updating.microsoft.com
Name W32/Stration-AV
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Stration-AV is a worm for the Windows platform which attempts to
spread by sending itself in an email with an attachment called
Video_fragment.zip.
Name Troj/Agent-GCD
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Agent-GCD is a Trojan for the Windows platform.
Advanced
Troj/Agent-GCD is a Trojan for the Windows platform.
Troj/Agent-GCD copies itself to the following locations:
<System>\poison.sys
<Temp>\svchost.exe
Troj/Agent-GCD has functionality to inject code into explorer.exe.
Name Troj/BagleDl-CX
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/BagleDl-CX is a downloader Trojan for the Windows platform.
Troj/BagleDl-CX masquerades as a file cracking utility but contains
functionality to communicate with a remote server via HTTP.
Troj/BagleDl-CX attempts to terminate anti-virus and security-related
processes.
Name W32/SillyFDC-AU
Type
* Spyware Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/SillyFDC-AU is a worm for the Windows platform.
Advanced
W32/SillyFDC-AU is a worm for the Windows platform.
When W32/SillyFDC-AU is installed it copies itself to the following
locations:
<Windows>\hinhem.scr
<Windows>\scvhost.exe
<System>\blastclnnn.exe
<System>\scvhost.exe
W32/SillyFDC-AU also creates the following files:
<System>\autorun.ini - also detected as W32/SillyFDC-AU.
The following registry entry is created to run scvhost.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger
<System>\scvhost.exe
The following registry entry is changed to run scvhost.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe scvhost.exe
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
The pathname of scvhost.exe is appended to the "shell=" line in the
<boot> section of System.ini, so that it is run on startup.
The following registry entries are set, disabling the registry editor
(regedit) and the Windows task manager (taskmgr):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
The following registry entry is set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions
1
W32/SillyFDC-AU attempts to periodically copy itself to removable
drives, including floppy drives and USB keys. The worm will attempt to
create a hidden file Autorun.inf on the removable drive and copy
itself to the same location. The file Autorun.inf is designed to start
the worm once the removable drive is connected to an uninfected computer.
Name W32/Traxg-L
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Traxg-L is a worm for the Windows platform.
Advanced
W32/Traxg-L is a worm for the Windows platform.
When W32/Traxg-L is installed it copies itself to
<Windows>\Fonts\379EF.com.
The following registry entry is created to run 379EF.com on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TempCom
<Windows>\FONTS\379EF.com
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
W32/Traxg-L attempts to periodically copy itself to removable drives,
including floppy drives and USB keys.
Name Troj/BeastPWS-H
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan.Win32.Delf.aeu
Prevalence (1-5) 2
Description
Troj/BeastPWS-H is a keylogging Trojan for the Windows platform.
Advanced
Troj/BeastPWS-H is a keylogging Trojan for the Windows platform.
When first run Troj/BeastPWS-H copies itself to <Windows>\mpayy.exe and
creates the following files:
<Windows>\mpayy.dll
<Windows>\qnudj.hed
The file mpayy.dll is also detected as Troj/BeastPWS-H. The file
qnudj.hed is not malicious and may be deleted.
The following registry entry is created to run mpayy.exe on startup:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{ilgpnuwy-ewxn-ddkl-oaiw-pehmlkjtqwam}
StubPath
<Windows>\mpayy.exe
Additional registry entries are set as follows:
HKCU\Software\Adobe\FRZC
FRQ
<Windows>\mpayy.exe
HKCU\Software\Adobe\FRZC
FRM
<Windows>\qnudj.hed
Name Troj/Haoba-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Haoba-A is a Trojan for the Windows platform.
Advanced
Troj/Haoba-A is a Trojan for the Windows platform.
Troj/Haoba-A includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Haoba-A is installed the following files are created:
<System>\MISuvstm.exe - also detected as Troj/Haoba-A
<System>\msivsm32.dll - also detected as Troj/Haoba-A
The following registry entry is created to run MISuvstm.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<System>\MISuvstm.exe
Name Troj/Lineag-BE
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Lineag-BE is a Trojan for the Windows platform.
Advanced
Troj/Lineag-BE is a Trojan for the Windows platform.
When first run Troj/Lineag-BE copies itself to <Program Files>\Windows
NT\services.exe and creates the following files:
<Temp>\f5lcmh0.sys - detected as Mal/RootKit-A
<Temp>\vnzn.dll - detected as Mal/EncPk-AH.
<System>\ACE.dll - detected as Troj/Lineag-Gen.
The following registry entry is changed to run Troj/Lineag-BE on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Program Files>\Windows NT\SERVICES.EXE,
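Added example, not part of the Sophos write-ups or this post: a small Python audit of the persistence locations the entries above describe (the Winlogon Shell value changed by W32/SillyFDC-AU, the Userinit value extended by Troj/Lineag-BE, the AppInit_DLLs value set by W32/SillyFDC-AT, and the DisableRegistryTools/DisableTaskMgr policies), run over a constructed regedit export modelled on those descriptions. The clean defaults it compares against (Shell exactly "Explorer.exe", Userinit holding a single userinit.exe entry, AppInit_DLLs empty, policy DWORDs zero) are assumptions for the audit, not values from the page; drive letters and paths in the sample are placeholders.

```python
# Constructed regedit export modelled on the W32/SillyFDC-AU, W32/SillyFDC-AT
# and Troj/Lineag-BE write-ups above; drive letters and paths are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe scvhost.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Program Files\\Windows NT\\SERVICES.EXE,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="kernel32.sys"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
APPINIT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export (read with utf-16) into {key: {name: value}}; REG_SZ is unescaped, REG_DWORD becomes int, default (@) values are skipped."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            reg.setdefault(key, {})[name] = data
    return reg

def audit(reg):
    """Compare the persistence locations abused above against assumed clean defaults."""
    findings = []
    shell = reg.get(WINLOGON, {}).get("Shell", "Explorer.exe")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon\\Shell is {shell!r}; default is 'Explorer.exe'")
    extra = [p.strip() for p in reg.get(WINLOGON, {}).get("Userinit", "").split(",")
             if p.strip() and p.strip().split("\\")[-1].lower() != "userinit.exe"]
    if extra:
        findings.append(f"Winlogon\\Userinit also launches {extra}")
    appinit = str(reg.get(APPINIT, {}).get("AppInit_DLLs", "")).strip()
    if appinit:
        findings.append(f"AppInit_DLLs is {appinit!r}; it is loaded into every user32 process")
    for name in ("DisableRegistryTools", "DisableTaskMgr"):
        if reg.get(POLICIES, {}).get(name, 0) != 0:
            findings.append(f"Policies\\System\\{name} is set for this user")
    return findings
```

Calling `audit(parse_reg(SAMPLE_REG))` returns five findings, one per altered location; a clean export yields an empty list.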
Name Troj/Delf-EXV
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Delf-EXV is a Trojan for the Windows platform.
Advanced
Troj/Delf-EXV is a Trojan for the Windows platform.
Troj/Delf-EXV includes functionality to access the internet and
communicate with a remote server via HTTP, and may attempt to download
and execute code from a remote website.
When Troj/Delf-EXV is installed it creates the files
<Windows>\logs1.txt and <Windows>\wini.reg.
The following registry entry is created to run Troj/Delf-EXV on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
services
<pathname of the Trojan executable>
Troj/Delf-EXV may attempt to terminate the process services.exe, which
may be a copy of itself.
Troj/Delf-EXV may attempt to modify registry entries at the following
location:
HKCU\Software\SimonTatham\PuTTY\SshHostKeys
Troj/Delf-EXV attempts to modify firewall permissions to allow it to
access the internet, and click on or close windows related to security
messages.
Name W32/IRCBot-XS
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/IRCBot-XS is a worm for the Windows platform.
W32/IRCBot-XS spreads via MSN Instant Messenger.
Advanced
W32/IRCBot-XS is a worm for the Windows platform.
W32/IRCBot-XS spreads via MSN Instant Messenger.
When first run W32/IRCBot-XS copies itself to:
<Windows>\winfp.exe
as well as archiving itself as a ZIP file as:
<Windows>\img<random numbers>.zip
W32/IRCBot-XS creates the following registry entry to start itself:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Audio Device Manager
winfp.exe
Name Troj/Ebbot-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Ebbot-A is a Trojan for the Windows platform.
Advanced
Troj/Ebbot-A is a Trojan for the Windows platform.
Troj/Ebbot-A includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Ebbot-A attempts to download username/password combinations, and
use these combinations in an attempt to brute force eBay account
credentials. Troj/Ebbot-A uses the eBay developer API to attempt to
connect over SSL to eBay servers.
Name Troj/PWS-AOR
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/PWS-AOR is a password stealing Trojan for the Windows platform.
Advanced
Troj/PWS-AOR is a password stealing Trojan for the Windows platform.
When run Troj/PWS-AOR copies itself to <Windows>\java\<random
filename>.exe and creates the following files:
<Windows>\1.bat - can be safely deleted.
<Windows>\java\<random filename>.dll - detected as Troj/PWS-AOR
The following registry entries will be created:
HKLM\CLSID\{C1858F70-62A3-4116-87A5-C0E1D998ED8C}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
{C1858F70-62A3-4116-87A5-C0E1D998ED8C}
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)