Text 345, 608 lines
Written 2008-01-06 19:30:00 by KURT WISMER (1:123/140)
Subject: News, January 6 2008
============================
[cut-n-paste from sophos.com]
Name Troj/Dload-AE
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
Troj/Dload-AE is a multi-component downloader Trojan for the Windows
platform.
Troj/Dload-AE may be installed via infected web pages which use the
ADODB stream vulnerability to silently download and execute code.
Name Troj/Lineag-CW
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Lineag-CW is a Trojan for the Windows platform.
Advanced
Troj/Lineag-CW is a Trojan for the Windows platform.
When first run Troj/Lineag-CW copies itself to
<Windows>\help\F3C74E3FA248.exe and creates the following files:
<Current Folder>\2.bat
<Windows>\1.bat
<Windows>\help\F3C74E3FA248.dll
The file F3C74E3FA248.dll is detected as Mal/LineDLL-B.
The .bat files may be deleted.
The file F3C74E3FA248.dll is registered as a COM object and shell
extension, creating registry entries under:
HKCR\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
\{1DBD6574-D6D0-4782-94C3-69619E719765}
Name Troj/Bckdr-QKU
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Bckdr-QKU is a Trojan for the Windows platform.
Advanced
Troj/Bckdr-QKU is a Trojan for the Windows platform.
Troj/Bckdr-QKU includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Bckdr-QKU is installed the following files are created:
<Temp>\_check32.bat - can be safely removed
<Windows>\s32.txt - can be safely removed
<System>\aspimgr.exe - detected as Troj/Bckdr-QKU
<Windows>\ws386.ini - can be safely removed
The file aspimgr.exe is registered as a new system driver service named
"aspimgr", with a display name of "Microsoft ASPI Manager" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\aspimgr
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Sft
Name W32/Rbot-GVR
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Rbot-GVR is a worm and IRC backdoor Trojan for the Windows platform.
Advanced
W32/Rbot-GVR is a worm and IRC backdoor Trojan for the Windows platform.
When run W32/Rbot-GVR copies itself to <Windows>\servidevice.exe and
creates the file <Windows>\Chirstmas-2007.zip which is also detected as
W32/Rbot-GVR. The zipfile contains a copy of the worm with the filename
img2007-12.JPEG.scr.
W32/Rbot-GVR sets the following registry entry to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ryan1918
servidevice.exe
W32/Rbot-GVR spreads via MSN Messenger. It will attempt to send a copy
of the worm with any of the following messages:
'Christmas photo! :D'
'Hey i que hace el álbum de foto! Si vea el loL del em'
'vengo de fi este foto álbum'
'xmas photo!: D'
'haha :D'
'lol, christmas pictures off me'
'hola, My Christmas picture for you :)'
Name W32/Weird-L
Type
* Virus
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
Prevalence (1-5) 2
Description
W32/Weird-L is a parasitic virus and backdoor.
Advanced
W32/Weird-L is a parasitic virus and backdoor.
The virus infects Windows PE executables in the current, Windows and
Program Files folders and runs in the background as a server process
allowing a remote intruder to gain access and control over the computer.
The remote intruder will be able to download, run, find, delete and
update files.
Infected files carry some simple code to drop and run the virus
dropper. The virus dropper then infects other executables.
When an infected file is run it creates a copy of the virus dropper in
the Windows folder using the filename "stray.exe" and creates the
following registry entry:
registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
stray.exe
This entry ensures that the virus is run automatically each time the
computer is restarted.
Name W32/VB-DYF
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Win32/VB.NIR
* Virus.Win32.AutoRun.nw
Prevalence (1-5) 2
Description
W32/VB-DYF is a worm for the Windows platform.
Advanced
W32/VB-DYF is a worm for the Windows platform.
W32/VB-DYF spreads by copying itself to removable drives.
When first run W32/VB-DYF copies itself to:
<User>\system.exe
<User>\winlogon.exe
<CurrentFolder>\explorer.exe
<Windows>\Network-IPv6\network.exe
<Windows>\astry.exe
<Windows>\scvhost.exe
<System>\scvhost.exe
The following registry entries are created to run W32/VB-DYF on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
UserLogon
<User>\winlogon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\Userinit.exe,scvhost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Network IPv6
<Windows>\Network-IPv6\network.exe
The following registry entry is changed to run scvhost.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe, scvhost.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableRegistryTools
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableRegedit
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableTaskMgr
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets
Text
Hidup bersama lo :
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets
Bitmap
<System>\SHELL32.DLL,29
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\AUTO
Text
Bakalan susah
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\NOHIDE
Text
Biasa aza
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Thickets\NONE
Text
Bakalan senang
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
Bitmap
<System>\SHELL32.DLL,11
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
Text
Gue pikir2x lo itu:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ClassicViewState
Text
Adik lo banyak
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ControlPanelInMyComputer
Text
Pacar lo Banyak
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess
Text
Kurang taat ibadah
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DisableThumbCache
Text
Sok tau
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FolderSizeTip
Text
Babe lo galak
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FriendlyTree
CheckedValue
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FriendlyTree
Text
Gue kangen berat
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden
Bitmap
<System>\SHELL32.DLL,22
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden
Text
Semua tentang lo :
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
HKeyRoot
1010
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
Text
Akan gue lupakan semua
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
DefaultValue
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
HKeyRoot
1018
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Text
Akan gue ingat semua
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
CheckedValue
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
DefaultValue
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Text
Lo dugem terus
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler
Text
Terlalu banyak nuntut
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\PersistBrowsers
Text
Lo gak romantis
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowCompColor
Text
Otak lo mesum
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPath
Text
Lo bego
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPathAddress
Text
Gue pandang2x lo jelek
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowInfoTip
Text
Jarang jajan
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SimpleSharing
Text
Gak punya mobil
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Text
gue ada pacar baru
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\WebViewBarricade
Text
Gue masih cinta lo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
legalnoticecaption
Windows Update
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
legalnoticetext
Windows Update (6300-NGSRP-TMR521A-SMG-542PH-3180) . Check system
setting or upgrade system.Maybe your system not full patch .System
still safe. www.microsoft.com PATCH CODE : AS3-CTRKEA-SR.
Name Troj/Agent-GKH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Agent-GKH is a downloader Trojan for the Windows platform.
Advanced
Troj/Agent-GKH is a downloader Trojan for the Windows platform.
When Troj/Agent-GKH is installed the following files are created:
<System>\msdcom51.dll - detected as Troj/Agent-GKH
<System>\socrin.exe - detected as Troj/Agent-GKH
<System>\EIWGidg.ocx - non-malicious Browser Helper Object
The following registry entries are created to run socrin.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSOLESTARTUP5.0
<System>\socrin.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
MSOLESTARTUP5.0
<System>\socrin.exe
The file EIWGidg.ocx is registered as a COM object, creating registry
entries under:
HKCR\CLSID\{580BA643-F606-469A-B633-7FC9B43A25F8}
HKCR\CLSID\{CA5EEA5B-9D3A-49DF-9792-04AD6B29C726}
HKCR\Interface\{49AEDA6A-768F-4AEF-ACE1-D8B9131A8AA3}
HKCR\Interface\{B2A91D16-11B7-4A3D-BC1B-01068E70090B}
HKCR\TypeLib\{697E3810-FBDA-4300-85F7-B21A098DD0E4}
The following registry entry is set:
HKCR\EIWGIDG.EIWGidgCtrl.1\CLSID
(default)
{CA5EEA5B-9D3A-49DF-9792-04AD6B29C726}
Registry entries are created under:
HKCR\EIWGIDG.EIWGidgCtrl.1
Name Troj/Dload-AF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* TrojanDownloader:Win32/Agent.DMA
* Trojan-Downloader.Win32.Delf.djx
Prevalence (1-5) 2
Description
Troj/Dload-AF is a downloader Trojan for the Windows platform.
Troj/Dload-AF attempts to download and execute an EXE from a remote
URL. At the time of publishing the target EXE was detected as
Mal/Basine-C.
Name W32/VirtInf-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/VirtInf-A is a virus for the Windows platform.
Advanced
W32/VirtInf-A is a virus for the Windows platform.
When run W32/VirtInf-A creates a DLL in the system folder using a
random name. The DLL file is detected as W32/VirtInf-A.
W32/VirtInf-A also creates a file in the current folder with the same
name as the infected file except for an extra space character at the
end of the name. For example, if the viral file is named 'test.exe' the
dropped file is named 'test .exe'. The dropped file is a copy of the
original, uninfected file.
Name Troj/BBDoS-A
Type
* Trojan
Affected operating systems
* Unix
Side effects
* Used in DOS attacks
Prevalence (1-5) 2
Description
Troj/BBDoS-A is a Trojan for Unix platforms.
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
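An added triage script, written for this page and not taken from Kurt Wismer's post or from Sophos, that checks a registry export for the persistence mechanisms the write-ups above describe: Run/RunOnce entries (W32/Rbot-GVR, Troj/Agent-GKH, W32/VB-DYF), the Winlogon Userinit and Shell chains (W32/VB-DYF), non-baseline ShellExecuteHooks CLSIDs (Troj/Lineag-CW), and the "name .exe" clean-copy siblings that W32/VirtInf-A leaves beside an infected "name.exe". The registry export and the directory listing inside it are constructed for the example. The baseline ShellExecuteHooks CLSID, the stock Userinit and Shell values and the path heuristics are assumptions of this example, not anything the write-ups state, and the heuristics deliberately flag only what can be judged from a path (socrin.exe in System32 is listed but not flagged).

```python
"""Offline triage for the persistence indicators in the write-ups above.
SAMPLE_REG and SAMPLE_DIR are constructed for this example, not captures."""
import re
from pathlib import PureWindowsPath

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ryan1918"="C:\\WINDOWS\\servidevice.exe"
"MSOLESTARTUP5.0"="C:\\WINDOWS\\system32\\socrin.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"UserLogon"="C:\\Documents and Settings\\alice\\winlogon.exe"
"Network IPv6"="C:\\WINDOWS\\Network-IPv6\\network.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,scvhost.exe"
"Shell"="explorer.exe, scvhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-0000F863F0E6}"=""
"{1DBD6574-D6D0-4782-94C3-69619E719765}"=""
"""
# Constructed listing of one folder, for the W32/VirtInf-A sibling check.
SAMPLE_DIR = ["test.exe", "test .exe", "readme.txt", "other .exe", "setup.exe"]

RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
HOOKS = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
# Assumed clean baseline: a stock Windows XP install registers only shell32's URL Exec Hook.
KNOWN_HOOKS = {"{aeb6717e-7e19-11d0-97ee-0000f863f0e6}"}
SYSTEM_NAMES = {"winlogon.exe", "userinit.exe", "explorer.exe", "svchost.exe", "lsass.exe"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"(.*?)"=(?:"(.*)"|(.*))$')


def parse_reg(text):
    """Parse a REGEDIT4-style export into {key_path_lowercase: {value_name: data}}."""
    tree, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        m = VAL_RE.match(line.strip())
        if m and current is not None:
            quoted, raw = m.group(2), m.group(3)
            # .reg files double the backslashes inside quoted string data
            tree[current][m.group(1)] = quoted.replace("\\\\", "\\") if quoted is not None else raw
    return tree


def suspicious_run_target(target):
    """Path heuristics taken from the write-ups: a system binary's name outside
    System32, a typo-squat of svchost, or a binary run straight from the Windows
    root or a user profile. Returns the list of reasons (empty = nothing to flag)."""
    p = PureWindowsPath(target.strip().strip('"'))
    name, parent = p.name.lower(), str(p.parent).lower() + "\\"
    reasons = []
    if name in SYSTEM_NAMES and "\\system32\\" not in parent:
        reasons.append("system binary name outside System32")
    if "scvhost" in name:
        reasons.append("typo-squat of svchost.exe")
    if parent.endswith("\\windows\\") or "\\documents and settings\\" in parent or "\\users\\" in parent:
        reasons.append("runs from Windows root or a user profile")
    return reasons


def check_winlogon(values):
    """Userinit must be a single userinit.exe entry and Shell must be explorer.exe (assumed stock values)."""
    findings = []
    userinit = values.get("Userinit", "")
    parts = [x.strip().lower() for x in userinit.split(",") if x.strip()]
    if len(parts) != 1 or not parts[0].endswith("\\userinit.exe"):
        findings.append(f"Winlogon\\Userinit chain altered: {userinit!r}")
    shell = values.get("Shell", "")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon\\Shell altered: {shell!r}")
    return findings


def check_hooks(values):
    """Every CLSID under ShellExecuteHooks is loaded into each ShellExecute call; flag non-baseline ones."""
    return [f"unknown ShellExecuteHook {c}" for c in values if c.lower() not in KNOWN_HOOKS]


def trailing_space_siblings(names):
    """Find 'name .exe' files that sit beside a 'name.exe', the VirtInf-A clean-copy pattern."""
    present = {n.lower() for n in names}
    hits = []
    for n in names:
        stem, dot, ext = n.rpartition(".")
        if dot and stem.endswith(" ") and f"{stem.rstrip()}.{ext}".lower() in present:
            hits.append(n)
    return hits


def triage(reg_text):
    """Return the list of findings for one registry export."""
    tree, findings = parse_reg(reg_text), []
    for key in RUN_KEYS:
        for name, target in tree.get(key, {}).items():
            reasons = suspicious_run_target(target)
            if reasons:
                findings.append(f"Run entry {name!r} -> {target}: " + "; ".join(reasons))
    if WINLOGON in tree:
        findings += check_winlogon(tree[WINLOGON])
    findings += check_hooks(tree.get(HOOKS, {}))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f)
    for n in trailing_space_siblings(SAMPLE_DIR):
        print(f"VirtInf-style clean copy beside infected file: {n!r}")
```

On a real machine the export would come from reg.exe (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`); those files carry a "Windows Registry Editor Version 5.00" header and are UTF-16 encoded, so decode them before handing the text to parse_reg, which ignores the header line. The directory listing for trailing_space_siblings would be the names in the folder the infected executable was run from.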