Text 341, 415 lines
Written 2007-12-02 14:38:00 by KURT WISMER (1:123/140)
Subject: News, December 2 2007
=============================
[cut-n-paste from sophos.com]
Name W32/Hupigon-SV
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Hupigon-SV is a worm for the Windows platform.
Advanced
W32/Hupigon-SV is a Trojan for the Windows platform.
W32/Hupigon-SV will attempt to spread by copying itself to every active
drive. This means that it will also spread to any currently connected
removable storage devices, as well as any mapped network drives that
have write access enabled.
W32/Hupigon-SV will also copy an autorun.inf file so that the worm will
be activated every time the folder is viewed in Windows Explorer. This
file is also detected as W32/Hupigon-SV.
W32/Hupigon-SV includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Hupigon-SV copies itself to:
<Common Files>\Microsoft Shared\msinfo\inetin.exe
<Root>\inetin.exe
<System>\_inetin.exe
and creates the following file:
<Common Files>\Microsoft Shared\msinfo\ReDelBat.bat - May be safely
deleted.
The file inetin.exe is registered as a new system driver service named
"IIS Admin", with a display name of "IIS Admin Service" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\IIS Admin
Name Troj/Torpig-BY
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
* Dropped by malware
Prevalence (1-5) 2
Description
Troj/Torpig-BY is a Trojan for the Windows platform.
Advanced
Troj/Torpig-BY is a Trojan for the Windows platform.
Troj/Torpig-BY is usually installed by another member of the Torpig
family of Trojans, usually to one of the folders
C:\Program Files\Common Files\Microsoft Shared\Web Folders or
<System>\..\temp, and the following files are usually created in this
folder:
ibm00000.exe
ibm00001.dll
ibm00001.exe
ibm00002.dll
tmp.tmp
All files starting ibm are typically executables in the Torpig family
of Trojans. tmp.tmp is a clean data file. Troj/Torpig-BY may attempt to
delete files with the same name if they already exist.
Registry entries may be set at the following locations to run
ibm00001.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
An entry may be added to the file SYSTEM.INI in the "boot" section to
attempt to run ibm00001.exe on startup.
The Trojan attempts to steal passwords, as well as logging keypresses
and open window titles to text files and periodically sends the
collected information to a remote user via HTTP.
The Trojan downloads and executes additional files from a remote site.
Configuration files may also be downloaded which define further actions.
Troj/Torpig-BY automatically closes security warning messages displayed
by common anti-virus and security-related applications.
Name Troj/Goopo-A
Type
* Trojan
How it spreads
* Web downloads
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Goopo-A is a malicious script that redirects the visitor from the
malicious website to another malicious web page which installs
additional malicious files.
Name VBS/Nutpea-A
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
VBS/Nutpea-A is a VBS worm for the Windows platform.
Advanced
VBS/Nutpea-A is a VBS worm for the Windows platform.
When run the worm will attempt to copy itself and its components to any
removable and fixed drives.
Name Troj/Zlob-AGJ
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Zlob-AGJ is a Trojan for the Windows platform.
Name W32/OnlineG-Z
Type
* Spyware Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Steals information
* Drops more malware
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/OnlineG-Z is a worm for the Windows platform.
W32/OnlineG-Z spreads by copying itself to removable storage devices.
Advanced
W32/OnlineG-Z is a worm for the Windows platform.
W32/OnlineG-Z spreads by copying itself to removable storage devices.
W32/OnlineG-Z contains functionality to steal credentials for certain
online games.
When first run W32/OnlineG-Z copies itself to <System>\avpo.exe and
creates the following files:
<Temp>\ckxf0zhc.sys
<Temp>\ddjxa7.dll
<System>\avpo0.dll
The file ckxf0zhc.sys is detected as Mal/RootKit-A.
The following registry entry is created to run avpo.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
avpa
<System>\avpo.exe
Name Troj/Dload-AA
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Dload-AA is a Trojan for the Windows platform.
Name W32/Mabezat-B
Type
* Virus
How it spreads
* Removable storage devices
* Network shares
* Infected files
Affected operating systems
* Windows
Aliases
* W32/Mabezat.a
* Win32/Mabezat.A
* Worm.Win32.Mabezat.b
Prevalence (1-5) 2
Description
W32/Mabezat-B is a virus for the Windows platform which also spreads by
copying itself to network shares and removable devices.
Advanced
W32/Mabezat-B is a virus for the Windows platform which also spreads by
copying itself to network shares and removable devices.
W32/Mabezat-B copies itself to removable devices with one or more of
the following filenames:
"My documents .exe"
"Readme.doc .exe"
"tazebama.exe"
When W32/Mabezat-B is installed the following files are created:
<Root>\Documents and Settings\hook.dl_
<Root>\Documents and Settings\tazebama.dl_
<Root>\Documents and Settings\tazebama.dll
Name Troj/Agent-GHN
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Prevalence (1-5) 2
Description
Troj/Agent-GHN is a Trojan for the Windows platform.
Name Troj/Agent-GHM
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Agent-GHM is a Trojan for the Windows platform.
Advanced
Troj/Agent-GHM is a Trojan for the Windows platform.
Troj/Agent-GHM includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Agent-GHM copies itself to:
<Root>\auto.exe
<System>\86affa28.exe
and creates the following files:
<Root>\autorun.inf
<System>\318f153a.dll
<System>\delme.bat
The file autorun.inf is detected as W32/SillyFD-G and the file
318f153a.dll is detected as Mal/Behav-027.
The file 86AFFA28.EXE is registered as a new service named "6AD13D8A",
with a display name of "6AD13D8A". Registry entries are created under:
HKCU\SYSTEM\CurrentControlSet\Services\6AD13D8A
The file 86AFFA28.EXE is registered as a new system driver service
named "6AD13D8A", with a display name of "6AD13D8A" and a startup type
of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\6AD13D8A
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Windows NT
Name Troj/DrProt-Gen
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/DrProt-Gen is a Trojan for the Windows platform.
Troj/DrProt-Gen pretends to be an anti-spyware application.
Troj/DrProt-Gen will attempt to silently download and run more malware.
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
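As an added defensive example (not Sophos code and not part of the original post): a small Python triage routine for an autorun.inf recovered from a removable drive. It lists what the file would launch when the drive is opened in Explorer, the activation path the Hupigon-SV and Agent-GHM entries above describe, and flags entries that run an executable. The sample autorun.inf contents and the file name auto.exe beside it are constructed, modelled on the Agent-GHM layout above.

```python
import configparser
import ntpath

# [autorun] keys whose value Explorer launches when the drive is opened; the
# shell\<verb>\command keys do the same through the drive's default verb.
LAUNCH_KEYS = {"open", "shellexecute"}
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs"}

# Constructed sample, modelled on the Agent-GHM layout (auto.exe beside autorun.inf).
SAMPLE_AUTORUN = """[AutoRun]
open=auto.exe
shell\\open\\Command=auto.exe
shellexecute=auto.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
# Constructed benign sample: only sets an icon and a volume label.
CLEAN_AUTORUN = "[autorun]\nicon=drive.ico\nlabel=Backup\n"


def autorun_section(text):
    """Return the [autorun] section as a dict with lower-cased keys ({} if absent or malformed)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for name in cp.sections():  # section name is matched case-insensitively
        if name.lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in cp.items(name)}
    return {}


def program_of(cmd):
    """First token of a command line, honouring a quoted program path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd.split() else ""


def triage(text):
    """List what the autorun.inf launches and flag entries that run an executable."""
    section = autorun_section(text)
    launches = [(k, v) for k, v in section.items()
                if v and (k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")))]
    flagged = [(k, ntpath.basename(program_of(v))) for k, v in launches
               if ntpath.splitext(program_of(v))[1].lower() in EXEC_EXTS]
    return {"launches": launches, "flagged": flagged, "suspicious": bool(flagged)}
```

Run triage() over the autorun.inf of any drive root; a hit on open= or shell\...\command pointing at an executable on the same drive is the pattern worth quarantining the drive for.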