Text 336, 466 lines
Written 2007-11-04 17:01:00 by KURT WISMER (1:123/140)
Subject: News, November 4 2007
=============================
[cut-n-paste from sophos.com]
Name W32/Virut-Q
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
Aliases
* Virus.Win32.Virut.ao
* PE_VIRUT.YC
* Win32/Virut.X
Prevalence (1-5) 2
Description
W32/Virut-Q is a virus for the Windows platform.
Advanced
W32/Virut-Q is a virus for the Windows platform.
W32/Virut-Q attempts to hook the operating system and infect files with
an EXE or SCR extension.
W32/Virut-Q may also attempt to connect to a remote IRC server, and may
download and execute further files if instructed to do so.
W32/Virut-Q may modify the following registry entry in order to bypass
the Windows firewall:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Name Troj/BagleDl-DB
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Bagle.ff
* Win32/Bagle.KQ
Prevalence (1-5) 2
Description
Troj/BagleDl-DB is a Trojan for the Windows platform.
Advanced
Troj/BagleDl-DB is a Trojan for the Windows platform.
Troj/BagleDl-DB includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/BagleDl-DB attempts to download files from a number of
pre-specified URLs to a file <Windows folder>\exefld\<random number>.exe
and run it.
Troj/BagleDl-DB copies itself to <Windows system
folder>\drivers\hidr2.exe and creates the following file <Windows
system folder>\drivers\srosa.sys. This file is also detected as
Troj/BagleDl-DB.
The file srosa.sys is registered as a new system driver service named
"srosa", with a display name of "srosa". Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\srosa\
The Trojan will search for various security applications, such as
firewalls and anti-virus and attempt to delete them.
Troj/BagleDl-DB changes the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\Alerter        Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio        Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess   Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv       Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc         Start = 4
Troj/BagleDl-DB also sets the following registry entry:
HKCU\Software\FirstRRRun
FirstRRRun
Troj/BagleDl-DB deletes entries under:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
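As an added example (not part of the Sophos text or this post), the following Python audits a registry snapshot for the Troj/BagleDl-DB changes listed above: the five services forced to Start = 4, the srosa driver service, the FirstRRRun marker key and the deleted SafeBoot entries. The snapshot format (a dict of key path to value name/data) is an assumption for offline use; on a live host the same checks would read the registry or a .reg export.

```python
# Snapshot layout (assumed): {key path: {value name: data}}.
SERVICES = r"HKLM\SYSTEM\CurrentControlSet\Services"
SAFEBOOT = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
# Services the Trojan sets to Start = 4 (disabled): Alerter, NDIS user I/O,
# the firewall/ICS service, Windows Update and the Security Center.
TARGET_SERVICES = ["Alerter", "Ndisuio", "SharedAccess", "wuauserv", "wscsvc"]
START_DISABLED = 4

def audit_bagle_indicators(snapshot):
    """Return the Troj/BagleDl-DB indicators present in the snapshot."""
    findings = []
    for svc in TARGET_SERVICES:
        if snapshot.get(f"{SERVICES}\\{svc}", {}).get("Start") == START_DISABLED:
            findings.append(f"{svc} disabled (Start=4)")
    if f"{SERVICES}\\srosa" in snapshot:
        findings.append("driver service srosa registered")
    if r"HKCU\Software\FirstRRRun" in snapshot:
        findings.append("marker key FirstRRRun present")
    # The Trojan deletes SafeBoot entries; a healthy system has both subkeys.
    for sub in ("Minimal", "Network"):
        if f"{SAFEBOOT}\\{sub}" not in snapshot:
            findings.append(f"SafeBoot\\{sub} missing")
    return findings

def is_likely_infected(findings, threshold=3):
    """One disabled service is weak evidence (Alerter is commonly disabled
    on purpose), so require several indicators together."""
    return len(findings) >= threshold

# Constructed snapshots for demonstration, not captured from a real host.
CLEAN = {
    f"{SERVICES}\\Alerter": {"Start": 4},  # disabled legitimately
    f"{SERVICES}\\Ndisuio": {"Start": 3},
    f"{SERVICES}\\SharedAccess": {"Start": 2},
    f"{SERVICES}\\wuauserv": {"Start": 2},
    f"{SERVICES}\\wscsvc": {"Start": 2},
    f"{SAFEBOOT}\\Minimal": {},
    f"{SAFEBOOT}\\Network": {},
}
INFECTED = {f"{SERVICES}\\{s}": {"Start": 4} for s in TARGET_SERVICES}
INFECTED[f"{SERVICES}\\srosa"] = {"DisplayName": "srosa",
                                  "ImagePath": r"system32\drivers\srosa.sys"}
INFECTED[r"HKCU\Software\FirstRRRun"] = {"FirstRRRun": ""}

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("infected", INFECTED)):
        found = audit_bagle_indicators(snap)
        print(name, is_likely_infected(found), found)
```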
Name Troj/Conhook-AI
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Conhook-AI is a Trojan for the Windows platform.
Advanced
Troj/Conhook-AI is a Trojan for the Windows platform.
When Troj/Conhook-AI is installed the following files are created:
<Temp>\<Random FileName 1>.sys
<System>\<Random FileName 2>.dll
<System>\<Random FileName 3>.exe
<System>\drivers\<Random FileName 3>.sys
The following registry entries are created to run code exported by
<Random FileName 2>.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<Random Letters>
  DLLName = <Random FileName 2>.dll
  Impersonate = 0
The file <Random FileName 2>.dll is registered as a new service named
"<Random Letters>". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\<Random Letters>
The file <Random FileName 3>.sys is registered as a new system driver
service named "<Random Letters>", with a display name of "Microsoft RPC
API Helper". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\<Random Letters>
The file <Random FileName 2>.dll is registered as a COM object and
Browser Helper Object (BHO) for Microsoft Internet Explorer, creating
registry entries under:
HKCR\CLSID\{447E6663-81F1-44AC-90E2-4B106EED6D1D}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{447E6663-81F1-44AC-90E2-4B106EED6D1D}
Registry entries are set as follows:
HKCR\<Random FileName>\CLSID
  (default) = {447E6663-81F1-44AC-90E2-4B106EED6D1D}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout
  File = <System>\drivers\<Random FileName 3>.sys
Name Mal/Bifrose-F
Type
* Malicious Behavior
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
Aliases
* BackDoor-CEP.svr
* Backdoor.Win32.Bifrose.aqy
Prevalence (1-5) 2
Description
Mal/Bifrose-F is a malicious program for the Windows platform.
Detection for members of Mal/Bifrose-F is behavior based. It is
extremely important that customers report detections of Mal/Bifrose-F
to Sophos and send a sample for analysis.
Name Troj/BatKill-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Deletes files off the computer
* Reduces system security
Prevalence (1-5) 2
Description
Troj/BatKill-B is a Trojan for the Windows platform.
Advanced
Troj/BatKill-B is a Trojan for the Windows platform.
When Troj/BatKill-B is run, it deletes the file <System>\javaws.exe.
Troj/BatKill-B will also attempt to stop system services that have the
following names:
norton antivirus server
mcshield
f-secure gatekeeper handler starter
f-secure network request broker
f-secure automatic update
symantec antivirus
Symantec AntiVirus Definition Watcher
Symantec Event Manager
Symantec Settings Manager
symantec central quarantine
Network Associates McShield
McAfee Framework Service
Name W32/Mypis-B
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Virus.Win32.Downloader.r
Prevalence (1-5) 2
Description
W32/Mypis-B is a virus for the Windows platform.
Advanced
W32/Mypis-B is a virus for the Windows platform.
The virus may attempt to download and execute additional files. At the
time of writing, W32/Mypis-B created the file
<System>\dllcache\svchost.exe. This file is detected as Mal/PWS-K.
W32/Mypis-B may also create the file <System>\system.log. This file may
be safely deleted.
Name Troj/Zlob-AFI
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Zlob-AFI is a Trojan for the Windows platform.
Advanced
Troj/Zlob-AFI is a Trojan for the Windows platform.
Name Troj/ConHook-AH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Monitors browser activity
* Installs a browser helper object
Aliases
* TROJ_CONHOOK.FM
Prevalence (1-5) 2
Description
Troj/ConHook-AH is a Trojan for the Windows platform.
Troj/ConHook-AH includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/ConHook-AH is a Trojan for the Windows platform.
Troj/ConHook-AH includes functionality to access the internet and
communicate with a remote server via HTTP.
The Troj/ConHook-AH DLL is registered as a COM object and Browser
Helper Object (BHO) for Microsoft Internet Explorer, creating registry
entries under:
HKCR\CLSID\{8A06A1A7-9E64-4359-8556-B6EA03D69814}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A06A1A7-9E64-4359-8556-B6EA03D69814}
Name W32/Rbot-GUP
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Rbot-GUP is a worm with IRC backdoor functionality for the Windows
platform.
Advanced
W32/Rbot-GUP is a worm with IRC backdoor functionality for the Windows
platform.
W32/Rbot-GUP spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM
(MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL
(MS04-011) (CAN-2003-0719), Veritas (CAN-2004-1172), WINS (MS04-045),
PNP (MS05-039), IMAIL Server, ASN.1 (MS04-007) and RealVNC
(CVE-2006-2369), and by copying itself to network shares protected by
weak passwords.
W32/Rbot-GUP runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Rbot-GUP copies itself to <Windows>\Msnhelper.exe
and creates the file <Windows>\images.zip. images.zip contains a copy
of the worm executable with the PIF extension.
The following registry entry is created to run Msnhelper.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  MSN = Msnhelper.exe
Name Troj/TmDrop-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Prevalence (1-5) 2
Description
Troj/TmDrop-A is a Trojan for the Windows platform.
Name Mal/Dropper-X
Type
* Malicious Behavior
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Mal/Dropper-X is a Trojan which installs and executes other malicious
files.
Detection for members of Mal/Dropper-X is behavior based. It is
extremely important that customers report detections of Mal/Dropper-X
to Sophos and send a sample for analysis.
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)