Text 330, 548 rader
Skriven 2007-09-24 00:03:00 av KURT WISMER (1:123/140)
Ärende: News, September 24 2007
===============================
[cut-n-paste from sophos.com]
Name W32/SillyFDC-AW
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/SillyFDC-AW is a worm for the Windows platform.
Advanced
W32/SillyFDC-AW is a worm for the Windows platform.
When run W32/SillyFDC-AW creates the files:
<Windows>\svchost.exe - detected as W32/SillyFDC-AW
<System>\wmiprvse.exe - detected as W32/SillyFDC-AW
<System>\mgrShell.exe - detected as W32/SillyFDC-AW
<System>\bclogsvr.ini - can be safely deleted
W32/SillyFDC-AW spreads via removable drives. It does this by copying
itself to the removable drive as <Root>\Desktop.exe and creates the
file <Root>\autorun.inf (also detected as W32/SillyFDC-AW) to run the
worm when the removable drive is connected to an uninfected computer.
W32/SillyFDC-AW sets the following registry entries to run itself on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
scApp
<System32>\wmiprvse.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
PolicyRun
<Windows>\svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
<Windows>\svchost.exe
Name W32/Rbot-GTG
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-GTG is a worm with IRC backdoor functionality for the Windows
platform.
Advanced
W32/Rbot-GTG is a worm with IRC backdoor functionality for the Windows
platform.
W32/Rbot-GTG spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: ASN.1 (MS04-007), RealVNC
(CVE-2006-2369) and Symantec (SYM06-010) and by copying itself to
network shares protected by weak passwords.
W32/Rbot-GTG runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Rbot-GTG copies itself to <System>\Realteks.exe.
The following registry entries are created to run Realteks.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Network Service
Realteks.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Network Service
Realteks.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Name W32/Ahah-A
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Modifies browser settings
Aliases
* Virus.JS.RyInf.a
Prevalence (1-5) 2
Description
W32/Ahah-A is a worm for the Windows.platform.
Advanced
W32/Ahah-A is a worm for the Windows.platform.
W32/Ahah-A is a java script that attempts to spread through available
drives with the filename Haha.js using Autorun.inf in order to make
sure that the worm runs automatically once the drive is accessed.
When installed the worm creates the following files:
\Haha.js
Haha.js
Autorun.inf
where Haha.js is a copy of the worm.
W32/Ahah-A sets the following registry entry:
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title
Haha
Name W32/SillyFDC-AX
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Drops more malware
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/SillyFDC-AX is a worm for the Windows platform.
Advanced
W32/SillyFDC-AX is a worm for the Windows platform.
W32/SillyFDC-AX attempts to spread via removable drives.
When first run W32/SillyFDC-AX copies itself to the Windows folder and
creates the following files:
\LittleRedRidingHood.rtf - Contains the story of little red riding
hood. May be deleted.
\autorun.inf - Detected as Mal/AutoInf-A.
\readme.html - May be safely deleted.
\dtsystra.exe - Detected as W32/SillyFDC-AX.
\syshost.exe - Detected as W32/SillyFDC-AX.
\dlctrl.exe - Detected as W32/SillyFDC-AX.
\drivers\mssrc.exe - Detected as W32/SillyFDC-AX.
\promon.exe - Detected as W32/SillyFDC-AX.
\winapp.exe - Detected as W32/SillyFDC-AX.
Name W32/Looked-DU
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* PE_LOOKED.R-O
* Worm.Win32.Viking.k
* W32/HLLP.Philis.an
* Win32/Viking.NAF
Prevalence (1-5) 2
Description
W32/Looked-DU is a virus for the Windows platform.
Advanced
W32/Looked-DU is a virus for the Windows platform.
W32/Looked-DU includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Looked-DU copies itself to <Windows>\rundl132.exe
and creates the file <Current Folder>\vDll.dll. The DLL is also
detected as W32/Looked-DU
The following registry entry is created to run rundl132.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW
Name Troj/DwnLdr-GXU
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/DwnLdr-GXU is a Trojan for the Windows platform.
Name Troj/Oanamg-A
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Oanamg-A is a Trojan for the Windows platform.
Name W32/VB-DXN
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* W32/Generic.a@MM
* Email-Worm.Win32.generic
Prevalence (1-5) 2
Description
W32/VB-DXN is a worm for the Windows platform.
W32/VB-DXN attempts to spread through the instant messaging application
Yahoo! Messenger.
Advanced
W32/VB-DXN is a worm for the Windows platform.
W32/VB-DXN attempts to spread through the instant messaging application
Yahoo! Messenger.
When first run W32/VB-DXN copies itself to:
<Windows>\Help\Other.exe
<Windows>\dc.exe
<Windows>\inf\Other.exe
<Windows>\sviq.exe
<System>\Fun.exe
<System>\WinSit.exe
<System>\config\Win.exe
and creates the file <Windows>\wininit.ini.
The following registry entries are created to run dc.exe, Other.exe,
sviq.exe, Fun.exe and Win.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
<System>\config\Win.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
dc2k5
<Windows>\SVIQ.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Fun
<System>\Fun.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
dc
<Windows>\dc.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\inf\Other.exe
The following registry entry is changed to run WinSit.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <System>\WinSit.exe
Name Troj/Qova-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* TrojanDownloader:Win32/Small.FC
* BDS/PoisonIvy.j
* Backdoor.Win32.PoisonIvy.j
Prevalence (1-5) 2
Description
Troj/Qova-A is a Trojan for the Windows platform.
Advanced
Troj/Qova-A is a Trojan for the Windows platform.
When first run Troj/Qova-A copies itself to the Windows system folder
with the filename ver.exe.
Troj/Qova-A injects its code into a new hidden instance of Microsoft
Internet Explorer.
Name Troj/LdPinch-QY
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/LdPinch-QY is a password-stealing Trojan for the Windows platform.
Advanced
Troj/LdPinch-QY is a password-stealing Trojan that will search the host
for information related to the following applications/services:
Password stored in BatMail and The Bat FTP client
Mirabilis ICQ
Trillian
Remote Access Service (RAS)
CuteFTP
WS_FTP
Opera/Mozilla
Internet Explorer password manager
Windows NT username
Local phone book information
The Trojan submits this information to a preconfigured email address.
Name Troj/Dropper-RK
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Dropper-RK is a Trojan for the Windows platform.
Name Troj/WoW-KA
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Drops more malware
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* PWS-WoW trojan
* TROJ_NSPM.ZZ
Prevalence (1-5) 2
Description
Troj/WoW-KA is a Trojan for the Windows platform.
Advanced
Troj/WoW-KA is a Trojan for the Windows platform.
When first run Troj/WoW-KA copies itself to <System>\avpo.exe and
creates the following files:
<Temp>\b88d9jce.sys
<Temp>\zjtxwj.dll
<System>\avpo0.dll
The file b88d9jce.sys is detected as Mal/RootKit-A. The rest are
detected as Troj/WoW-KA.
The following registry entry is created to run avpo.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
avpa
<System>\avpo.exe
Name Troj/AdClick-EJ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs a browser helper object
Aliases
* AdClicker-FC
Prevalence (1-5) 2
Description
Troj/AdClick-EJ is a Trojan for the Windows platform.
Advanced
Troj/AdClick-EJ is a Trojan for the Windows platform.
Troj/AdClick-EJ is a Browser Helper Object which has the functionality
to communicate with a remote server via HTTP.
Name Troj/Bckdr-QJO
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Bckdr-QJO is a backdoor Trojan for the Windows platform.
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
|