Text 338, 795 lines
Written 2007-11-18 23:47:00 by KURT WISMER (1:123/140)
Subject: News, November 18 2007
==============================
[cut-n-paste from sophos.com]
Name W32/Rbot-GVC
Type
* Worm
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Rbot-GVC is a worm for the Windows platform.
Advanced
W32/Rbot-GVC is a worm for the Windows platform.
When first run W32/Rbot-GVC copies itself to <System>\nod64.exe and
creates the file <Root>\a.bat.
The file a.bat is detected as Troj/Batten-A.
Name Troj/VBDrop-D
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/VBDrop-D is a Trojan for the Windows platform.
Advanced
Troj/VBDrop-D is a Trojan for the Windows platform.
When Troj/VBDrop-D is installed the following files are created:
<Temp>\WindowsXP-KB923810-x86-ENU.exe
<Temp>\kb923810.exe
The file kb923810.exe is detected as Mal/Basine-C.
The file WindowsXP-KB923810-x86-ENU.exe is a legitimate Windows XP
security update.
Name Troj/Wixud-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Modifies browser settings
Prevalence (1-5) 2
Description
Troj/Wixud-B is a Trojan for the Windows platform.
Advanced
Troj/Wixud-B is a Trojan for the Windows platform.
The following registry entry is created to run Troj/Wixud-B on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
clkhost
<pathname of the Trojan executable>
Troj/Wixud-B changes settings for Microsoft Internet Explorer by
setting the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main
Play_Animations
no
HKCU\Software\Microsoft\Internet Explorer\Main
Play_Background_Sounds
no
HKCU\Software\Microsoft\Internet Explorer\Main
Display Inline Videos
no
HKCU\Software\Microsoft\Internet Explorer\New Windows
PopupMgr
yes
HKCU\Software\Microsoft\Internet Explorer\New Windows
PlaySound
0
The following registry entries are set, affecting internet security:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
1809
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
1809
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1809
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1809
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1809
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
WarnonZoneCrossing
0
Registry settings are also modified under the following locations:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
HKLM\SOFTWARE\Microsoft\Internet Explorer\Download
Name W32/Sdbot-DIT
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* W32/Sdbot.worm.gen.z virus
Prevalence (1-5) 2
Description
W32/Sdbot-DIT is a worm with IRC backdoor functionality for the Windows
platform.
Advanced
W32/Sdbot-DIT is a worm with IRC backdoor functionality for the Windows
platform.
When first run W32/Sdbot-DIT copies itself to <System>\dllcache\mlqm.exe.
The file mlqm.exe is registered as a new system driver service named
"Logitech QuickCam Manager", with a display name of "Logitech QuickCam
Manager" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Logitech QuickCam Manager
W32/Sdbot-DIT sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates the
Microsoft Internet Connection Firewall (ICF).
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Name W32/IRCBot-ZA
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.IRCBot.amk
* W32/Sdbot.worm.gen.a
* Worm:Win32/Pushbot.gen
Prevalence (1-5) 2
Description
W32/IRCBot-ZA is a worm for the Windows platform that also includes
backdoor functionality.
Advanced
W32/IRCBot-ZA is a worm for the Windows platform that also includes
backdoor functionality.
W32/IRCBot-ZA runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When W32/IRCBot-ZA is installed the following files are created:
<Windows>\img4851.zip
<Windows>\sfhgj.exe
<System>\STemp_01.exe
These files are also detected as W32/IRCBot-ZA.
The following registry entry is created to run sfhgj.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Audio Device Manager
sfhgj.exe
Name W32/Sdbot-DIS
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Aliases
* W32/Sdbot.worm.gen.ci
Prevalence (1-5) 2
Description
W32/Sdbot-DIS is a worm with IRC backdoor functionality for the Windows
platform.
Advanced
W32/Sdbot-DIS is a worm with IRC backdoor functionality for the Windows
platform.
W32/Sdbot-DIS runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Sdbot-DIS copies itself to <System>\msnpla.exe.
The following registry entries are created to run msnpla.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Current32
<System>\msnpla.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Current32
<System>\msnpla.exe
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\msnpla.exe
<System>\msnpla.exe:*:Enabled:Current32
The following registry entry is set:
HKCU\Software\Microsoft\OLE
Current32
<System>\msnpla.exe
Name Troj/Hupigon-SU
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Hupigon.czj
Prevalence (1-5) 2
Description
Troj/Hupigon-SU is a Trojan for the Windows platform.
Troj/Hupigon-SU includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Hupigon-SU is a Trojan for the Windows platform.
Troj/Hupigon-SU includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Hupigon-SU copies itself to <Windows>\system34.exe
and creates the following files:
<Windows>\DEWEFDDSFS.BAT
<Windows>\SYSTEM34KEY.DLL
<Windows>\system34.dll
The file system34.exe is registered as a new system driver service
named "Fast User Switching Compatibi", with a display name of "Fast
User Switching Compatibi" and a startup type of automatic, so that it
is started automatically during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\Fast User Switching Compatibi
Troj/Hupigon-SU changes settings for Microsoft Internet Explorer by
modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
The following registry entry is set:
HKCU\Software\Microsoft\Internet Explorer\Toolbar
Locked
1
Sophos's anti-virus products include Behavioral Genotype® Protection
and Genotype® detection technologies, which can proactively guard
against new threats without requiring an update. Sophos customers have
been proactively protected against all three components of
Troj/Hupigon-SU as follows:
The main executable, <Windows>\system34.exe, has been detected as
Troj/GrayBr-Gen since version 4.14.
The dll component <Windows>\system34.dll has been detected as
Mal/Packer since version 4.14.
The dll component <Windows>\SYSTEM34KEY.DLL has been detected as
Mal/GrayBird since version 4.15.
Name W32/Unubot-B
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Unubot-B is a worm with IRC backdoor functionality for the Windows
platform.
W32/Unubot-B runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
Advanced
W32/Unubot-B is a worm with IRC backdoor functionality for the Windows
platform.
W32/Unubot-B runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Unubot-B copies itself to <System>\mdm.exe with the
system and hidden attributes set and creates the following registry
entries to run mdm.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Office
<System>\mdm.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Office
<System>\mdm.exe
The following registry entries are set:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/PDrop-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Dropped by malware
Prevalence (1-5) 2
Description
Troj/PDrop-B is a Trojan for the Windows platform.
Advanced
Troj/PDrop-B is a Trojan for the Windows platform.
Troj/PDrop-B is dropped by Troj/PDrop-A.
Name W32/Unubot-A
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Unubot-A is a worm with IRC backdoor functionality for the Windows
platform.
Advanced
W32/Unubot-A is a worm with IRC backdoor functionality for the Windows
platform.
W32/Unubot-A runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Unubot-A copies itself to <System>\mdm.exe and
creates the following files:
<Temp>\WER1.tmp.dir00\appcompat.txt
<Temp>\wer1.tmp
The following registry entries are created to run mdm.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Office
<System>\mdm.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Office
<System>\mdm.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Name Troj/Banker-EJR
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* TSPY_BANKER.MEW
Prevalence (1-5) 2
Description
Troj/Banker-EJR is a Trojan for the Windows platform.
Advanced
Troj/Banker-EJR is a Trojan for the Windows platform.
Troj/Banker-EJR includes functionality to transmit stolen banking
details via SMTP to a remote location.
When first run Troj/Banker-EJR copies itself to <Windows>\helper.exe
and creates the file <Windows>\Helper.bak.
The file Helper.bak can be safely deleted.
The following registry entry is created to run helper.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ServicePack32
<Windows>\Helper.exe
Name Troj/Zlob-AGB
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Zlob-AGB is a Trojan for the Windows platform.
Advanced
Troj/Zlob-AGB is a Trojan for the Windows platform.
When Troj/Zlob-AGB is installed the following files are created:
<Temp>\key.lky
<Temp>\setup1.exe.dat
<Temp>\setup2.exe.dat
<Temp>\setup3.exe.dat
Name W32/Bagle-TC
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Bagle-TC is a worm for the Windows platform.
W32/Bagle-TC may attempt to spread via the eMule P2P network.
Advanced
W32/Bagle-TC is a worm for the Windows platform.
W32/Bagle-TC may attempt to spread via the eMule P2P network.
W32/Bagle-TC includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Bagle-TC copies itself to <Application Data>\m\flec006.exe.
The following registry entry is created to run flec006.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
<Application Data>\m\flec006.exe
W32/Bagle-TC may also create other files in the same folder.
W32/Bagle-TC may create the following folder:
<Application Data>\m\shared\
W32/Bagle-TC may create registry entries under the following location:
HKCU\Software\MuleAppData
W32/Bagle-TC attempts to download and execute a file from a number of
remote websites.
Name Troj/MedPlg-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Exploits system or software vulnerabilities
Aliases
* Trojan-Downloader.JS.Agent.nw
* JS/Agent.BK
Prevalence (1-5) 2
Description
Troj/MedPlg-A is a Trojan for the Windows platform.
Advanced
Troj/MedPlg-A is a downloader Trojan for the Windows platform.
Troj/MedPlg-A attempts to exploit a vulnerability (MS06-006) to download
and execute a remote file to C:\U.exe. This file is currently
unavailable.
Name W32/Nuwar-D
Type
* Worm
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Nuwar-D is a worm for the Windows platform.
Name Troj/Jardo-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan.Java.ClassLoader.as
* Java/ClassLoader trojan
Prevalence (1-5) 2
Description
Troj/Jardo-A is a Trojan for the Windows platform.
Advanced
Troj/Jardo-A is a Trojan for the Windows platform.
Troj/Jardo-A attempts to download an executable file from a location
given to it to one of the following locations:
C:\ms<random numbers>.exe
<Startup>\MSwin-<random numbers>.exe
Troj/Jardo-A has been used by scripts including Troj/Psyme-FP.
Name Troj/Kango-D
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Drops more malware
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Kango-D is a Trojan for the Windows platform.
Troj/Kango-D includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Kango-D is a Trojan for the Windows platform.
Troj/Kango-D includes functionality to access the internet and
communicate with a remote server via HTTP.
When run Troj/Kango-D generates the fake error message:
"Microsoft Word has generated an error and will be closed!"
Troj/Kango-D installs the following files:
<System>\drivers\kbd.dll - detected as Troj/Kango-D
<System>\drivers\svchost.exe - detected as Mal/Behav-009
<System>\drivers\test.dll - detected as Troj/Kango-D
The following registry entry is created to run Troj/Kango-D on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
service
<System>\drivers\svchost.exe
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
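Most of the samples above share the same handful of registry indicators: a Run or RunServices value pointing at the dropped executable (Sdbot-DIS, IRCBot-ZA, Unubot-A/B, Banker-EJR, Kango-D), a service set to Start=4 to switch off Automatic Updates or the ICF (Sdbot-DIT), EnableDCOM=N (Sdbot-DIT, Unubot-A/B), and a firewall AuthorizedApplications entry whitelisting the bot (Sdbot-DIS). The script below is an added example, not Sophos code and not part of Kurt's post: it parses a Regedit 5.00 export (what `reg export HKLM hklm.reg` produces) offline and flags those indicators, so it can be run against a hive dump from an image rather than on the live host. The .reg text embedded in it is constructed for the demonstration, seeded with entries from the descriptions above plus benign entries that must not fire; it exports only HKLM, so the HKCU indicator (Wixud-B's WarnonZoneCrossing) is listed but cannot match on it.

```python
"""Offline audit of a Windows .reg export for the registry indicators named in
this bulletin.  Added example, not Sophos code; SAMPLE_REG is constructed."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Current32"="C:\\WINDOWS\\system32\\msnpla.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"service"="C:\\WINDOWS\\system32\\drivers\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Current32"="C:\\WINDOWS\\system32\\msnpla.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\msnpla.exe"="C:\\WINDOWS\\system32\\msnpla.exe:*:Enabled:Current32"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg escapes are \\ and \" ; drop the backslash, keep the next char
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key: {value_name: data}}.
    Keys become hklm\\... / hkcu\\... and value names are lower-cased (the
    registry is case-insensitive); REG_SZ is unescaped, REG_DWORD becomes an
    int, other types (hex:) stay raw and their continuation lines are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = (HIVES.get(hive, hive) + "\\" + rest).lower()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "(default)" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2).strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name.lower()] = data
    return keys


# Dropped/copied images named in this bulletin (basename only).
BULLETIN_FILES = {"msnpla.exe", "mdm.exe", "mlqm.exe", "nod64.exe", "sfhgj.exe",
                  "system34.exe", "helper.exe", "flec006.exe"}
RUN_KEYS = (r"hklm\software\microsoft\windows\currentversion\run",
            r"hklm\software\microsoft\windows\currentversion\runservices",
            r"hkcu\software\microsoft\windows\currentversion\run")
FIREWALL_LIST = (r"hklm\system\currentcontrolset\services\sharedaccess\parameters"
                 r"\firewallpolicy\standardprofile\authorizedapplications\list")
# (key, value name) -> data the bulletin says weakens the host
DOWNGRADES = {
    (r"hklm\system\currentcontrolset\services\wuauserv", "start"): 4,      # Automatic Updates off
    (r"hklm\system\currentcontrolset\services\sharedaccess", "start"): 4,  # ICF / ICS off
    (r"hklm\software\microsoft\ole", "enabledcom"): "N",
    (r"hkcu\software\microsoft\windows\currentversion\internet settings",
     "warnonzonecrossing"): 0,
}


def suspicious_image(path):
    """True for an image path this bulletin names.  svchost.exe is flagged only
    under <System>\\drivers (Troj/Kango-D); the genuine one lives in <System>."""
    p = path.strip('"').lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    if name == "svchost.exe":
        return p.endswith("\\drivers\\svchost.exe")
    return name in BULLETIN_FILES


def audit(reg_text):
    """Return (category, key, value_name, data) for every indicator that matches."""
    keys = parse_reg(reg_text)
    hits = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if isinstance(data, str) and suspicious_image(data):
                hits.append(("persistence", key, name, data))
    for name, data in keys.get(FIREWALL_LIST, {}).items():
        # <path>:<scope>:Enabled|Disabled:<display name>; rsplit keeps the
        # drive-letter colon inside the path (a colon in the name would break it)
        parts = data.rsplit(":", 3) if isinstance(data, str) else []
        if len(parts) == 4 and parts[2] == "Enabled" and suspicious_image(parts[0]):
            hits.append(("firewall-exception", FIREWALL_LIST, name, data))
    for (key, name), bad in DOWNGRADES.items():
        if keys.get(key, {}).get(name) == bad:
            hits.append(("security-downgrade", key, name, bad))
    return hits


if __name__ == "__main__":
    for hit in audit(SAMPLE_REG):
        print("%-19s %s\\%s = %r" % hit)
```

`reg export` writes UTF-16LE, so read a real dump with `open(path, encoding="utf-16")` before passing it to `audit()`. Matching on basename is deliberately narrow and still has a known collision: `mdm.exe` is also the name of Microsoft's Machine Debug Manager, which some installs legitimately run at logon, so treat a `mdm.exe` hit as a pointer to check the path (the bulletin's copy sits in `<System>`) rather than as a verdict. Note that `restrictanonymous=1`, which Unubot-B also sets, is left out of DOWNGRADES on purpose: it hardens the host rather than weakening it, and is a common bot trick for locking competing malware out of the machine.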