Text 347, 701 lines
Written 2008-01-20 17:44:00 by KURT WISMER (1:123/140)
Subject: News, January 20 2008
=============================
[cut-n-paste from sophos.com]
Name Troj/Agent-GMU
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Agent.dgr
Prevalence (1-5) 2
Description
Troj/Agent-GMU is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Advanced
Troj/Agent-GMU is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
When first run Troj/Agent-GMU copies itself to <System>\<random
characters>.exe.
The following registry entry is created to run <random characters>.exe
on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random characters>
<System>\<random characters>.exe
The file <random characters>.exe is registered as a new system driver
service named <random characters>, with a display name of "Print
Spooler Service" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\<random characters>
Name VBS/Edibara-A
Type
* Virus
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Steals information
* Downloads code from the internet
Aliases
* VBS/Edibara@M virus
* VBS/Envary.A virus
* Trojan-Dropper.VBS.Small.w
Prevalence (1-5) 2
Description
VBS/Edibara-A is a Visual Basic Script virus.
VBS/Edibara-A will attempt to modify files with htm and html extensions
and include a segment of VBScript which will drop a copy of the virus
on computers that read the infected htm/html file.
VBS/Edibara-A will also obtain your email address from Yahoo! Pager
information and send an email to your account, with the subject line
"Hello", prompting you to visit a certain website.
Advanced
VBS/Edibara-A is a Visual Basic Script virus.
VBS/Edibara-A will attempt to modify files with htm and html extensions
and include a segment of VBScript which will drop a copy of the virus
on computers that read the infected htm/html file.
The script will also drop the following files:
<system32>/TPS32E.dll
<system32>/TPS32V.dll
<system32>/Systemv.dll
<system32>/Kernel.exe
<system32>/Kernel.vbs
All of which are detected by VBS/Edibara-A.
VBS/Edibara-A will autostart itself by setting the following registry
entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows
<system32>\Kernel.vbs
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows
<system32>\Kernel.exe
VBS/Edibara-A will also obtain your email address from Yahoo! Pager
information and send an email to your account, with the subject line
"Hello", prompting you to visit a certain website.
Kernel.exe is a component which will download and execute a file from
remote server.
Name VBS/Solow-H
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
VBS/Solow-H is a Visual Basic Script worm for the Windows platform.
Advanced
VBS/Solow-H is a Visual Basic Script worm for the Windows platform.
Name Troj/Dloadr-BHH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Obfuscated.cw
Prevalence (1-5) 2
Description
Troj/Dloadr-BHH is a Trojan downloader for the Windows platform.
Advanced
Troj/Dloadr-BHH is a Trojan downloader for the Windows platform.
When Troj/Dloadr-BHH is installed it creates the file <Root>\xp2008.dat.
The file xp2008.dat is registered as a COM object and Browser Helper
Object (BHO) for Microsoft Internet Explorer, creating registry entries
under:
HKCR\CLSID\{A941CC19-7623-4F26-AC15-4DBD0314ACCA}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A941CC19-7623-4F26-AC15-4DBD0314ACCA}
Name Troj/KillJWS-A
Type
* Trojan
How it spreads
* Web browsing
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/KillJWS-A is a Trojan for the Windows platform. The Trojan targets
the software commonly used for Windows accessibility by blind people.
The Trojan is reportedly distributed as a crack program for the popular
screen reader program JAWS version 9.
Advanced
Troj/KillJWS-A is a Trojan for the Windows platform.
When Troj/KillJWS-A is installed the following files are created:
<Windows>\config\svchost.exe
<Windows>\mci32.exe
<System>\securityService.dll
The following registry entries are created to run code exported by
securityService.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\securityService
DllName
securityService.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\securityService
impersonate
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\securityService
Startup
startup
After 26 December 2007 Troj/KillJWS-A will terminate the following
processes related to popular speech synthesis and speech recognition
software:
jfw.exe
hal.exe
narrator.exe
wineyes
speech32
gwm32
kurzweil
Name Troj/Agent-GMO
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Agent-GMO is a Trojan for the Windows platform.
Advanced
Troj/Agent-GMO is a Trojan for the Windows platform.
Troj/Agent-GMO may attempt to disable access to the registry and task
manager by setting the following registry entries:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SYSTEM
DisableRegistryTools
1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SYSTEM
DisableTaskMgr
1
Name Troj/Mdrop-BQD
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Mdrop-BQD is a Trojan for the Windows platform.
Advanced
Troj/Mdrop-BQD is a Trojan for the Windows platform.
When Troj/Mdrop-BQD is run it creates the file
<Temp>\ixp000.tmp\server~1.exe.
The file server~1.exe is detected as Mal/Behav-043.
Name Troj/Bayrob-B
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Reduces system security
Aliases
* Trojan-Dropper.Win32.Agent.dpo
Prevalence (1-5) 2
Description
Troj/Bayrob-B is an information-stealing Trojan for the Windows platform.
Advanced
Troj/Bayrob-B is an information-stealing Trojan for the Windows platform.
Troj/Bayrob-B includes functionality to act as a proxy as well as
change the user's proxy settings.
When first run Troj/Bayrob-A copies itself to <System>\fdihkchp.exe.
Troj/Bayrob-B attempts to drop a clean data file called "tst" to a
number of folders, including <System>\44682352, and drops files to the
Temp folder called CNQJ<random characters>.EXE. These are all detected
as Troj/Bayrob-A.
Troj/Bayrob-B adds itself to run on startup in three different ways:
- creates one of the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tikbnqen
<System>\fdihkchp.exe
- adds itself as a service:
HKLM\SYSTEM\CurrentControlSet\Services\Bbonxhdz
- adds itself to the current user's Start Menu:
<Start Menu>\Programs\Startup\fdihkchp.exe.
Troj/Bayrob-B may modify the contents of the following files:
<System32>\drivers\etc\hosts
<AppData>\Mozilla\Firefox\Profiles\<username>\user.js
Troj/Bayrob-B attempts to redirect from sites including ebay.com in
order to steal information from the user.
Troj/Bayrob-B attempts to disguise itself by dropping a copy of "Kodak
Viewer Express" and loading an image, for example that of a motorcycle.
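The hosts-file tampering described for Troj/Bayrob-B (redirecting ebay.com) is easy to triage offline. The following is an added example, not code from Sophos or from this post: it parses a hosts file and flags any mapping for a domain on a watch list, plus (as a weaker signal) any non-local name pinned to loopback or 0.0.0.0. WATCHED_DOMAINS is an assumed list to tailor per environment, SAMPLE_HOSTS is constructed for the example, and its addresses are from the 192.0.2.0/24 documentation range.

```python
# Added example (not part of the Sophos write-up): flag hosts-file entries that
# redirect watched domains, the technique Troj/Bayrob-B uses against ebay.com.
# WATCHED_DOMAINS is an assumption; SAMPLE_HOSTS is constructed for this example.
import ipaddress

WATCHED_DOMAINS = {"ebay.com", "paypal.com"}          # assumed: domains worth watching
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below are constructed to mimic a tampered file
192.0.2.44      www.ebay.com  signin.ebay.com
0.0.0.0         update.example.net
"""

def parse_hosts(text):
    """Yield (ip_address, hostname) for each mapping, ignoring comments and blanks."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # malformed line, not a mapping
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")

def registrable(host):
    """Naive eTLD+1: last two labels (assumption; use a public-suffix list in production)."""
    labels = host.split(".")
    return ".".join(labels[-2:])

def suspicious_entries(text):
    """Return (hostname, ip, reason) for mappings that look like hosts-file hijacking:
    a watched domain mapped anywhere at all (even to its real address, since that
    pins DNS), or any non-local name sent to loopback/0.0.0.0 (sinkhole pattern)."""
    out = []
    for addr, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        if registrable(host) in WATCHED_DOMAINS:
            out.append((host, str(addr), "watched domain redirected"))
        elif addr.is_loopback or addr.is_unspecified:
            out.append((host, str(addr), "name sinkholed"))
    return out

if __name__ == "__main__":
    for host, ip, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{why}: {host} -> {ip}")
```

On a live Windows box feed it the contents of <System32>\drivers\etc\hosts; the write-up also mentions Firefox's user.js, which this script does not cover.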
Name W32/Autorun-AN
Type
* Worm
Affected operating systems
* Windows
Aliases
* Win32/AutoRun.AC worm
* Virus.Win32.AutoRun.ia
* W32/Autorun.worm.r
Prevalence (1-5) 2
Description
W32/Autorun-AN is a worm for the Windows platform.
Advanced
W32/Autorun-AN is a worm for the Windows platform.
Name VBS/Edibara-B
Type
* Virus
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Steals information
* Downloads code from the internet
Prevalence (1-5) 2
Description
VBS/Edibara-B is a Visual Basic script virus.
The virus attempts to modify htm, html and htt files on fixed and
remote drives to include a segment of Visual Basic script which infects
other systems which read the infected files.
VBS/Edibara-B will also obtain the email address from Yahoo! Pager
information on a system and send email.
Advanced
VBS/Edibara-B is a Visual Basic script virus.
The virus drops the following files:
<System32>\TPS32E.dll
<System32>\TPS32V.dll
<System32>\Systemv.dll
<System32>\config\Netlogon.vbs
<System32>\dd.txt
<System32>\se3gl9km.bat
<System32>\NetLogon.exe
The NetLogon.vbs script attempts to modify htm, html and htt files on
fixed and remote drives to include a segment of Visual Basic script
which infects other systems which read the infected files.
The script creates the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
ComService
<pathname to NetLogon.vbs file>
The NetLogon.exe file is initially dropped as <System32>\Demon and then
copied to <System32>\NetLogon.exe.
The NetLogon.exe file includes functionality to download, install and
run new software.
The following registry entries are created to run the NetLogon.exe file
on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
(default)
<pathname of NetLogon.exe file>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
(default)
<pathname of NetLogon.exe file>
The NetLogon.exe file changes settings for Microsoft Internet Explorer
by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
The NetLogon.exe file creates registry entries that are set as follows:
HKCU\Software\Microsoft\Internet Explorer
Download Directory
<System>\drivers
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
(default)
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
Name Troj/Dorf-AS
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Dorf-AS is a Trojan for the Windows platform.
Name Troj/Dorf-AP
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Dorf-AP is a Trojan for the Windows platform.
Advanced
Troj/Dorf-AP is a Trojan for the Windows platform.
Troj/Dorf-AP creates a file named <System>\burito.ini. This file is
harmless and should be deleted.
Name Troj/IRCbot-ZV
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
Prevalence (1-5) 2
Description
Troj/IRCbot-ZV is a backdoor Trojan for the Windows platform.
Name Troj/Dropin-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Dropped by malware
Aliases
* Trojan-Dropper.Win32.Agent.ben
* TR/Drop.Agent.ben
* TROJ_DROPPER.CUO
* TrojanDropper:Win32/Agent
Prevalence (1-5) 2
Description
Troj/Dropin-A is a Trojan for the Windows platform.
Advanced
Troj/Dropin-A is a Trojan for the Windows platform.
When first run Troj/Dropin-A copies itself to <System>\windoskey.exe
and creates the following files:
<System>\load.exe
<System>\wdoskey.exe
The file wdoskey.exe is detected as Mal/Behav-024, and the file
load.exe is detected as the hacking tool "Inject Loader" - load.exe is
used to inject wdoskey.exe into iexplore.exe.
The following registry entry is created to run windoskey.exe on startup:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{S-1-5-21-1635847982-2902227367-3824404516-500}
StubPath
windoskey.exe
Other entries are also created under
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{S-1-5-21-1635847982-2902227367-3824404516-500}.
The following registry entry is set to try to allow iexplore.exe to
bypass the Windows firewall:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\..\..\Program Files\Internet Explorer\iexplore.exe
<System>\..\..\Program Files\Internet Explorer\iexplore.exe:*:Enabled:IExplore
Troj/Dropin-A has been seen dropped by files detected as Mal/Emogen-Y.
Name Troj/IRCBot-ZS
Type
* Trojan
Affected operating systems
* Unix
Prevalence (1-5) 2
Description
Troj/IRCBot-ZS is a Trojan for Linux platforms.
Name W32/Autoit-F
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Autoit-F is a worm for the Windows platform.
Advanced
W32/Autoit-F is a worm for the Windows platform.
When first run W32/Autoit-F copies itself to
<System>\Microsoft\msmsgs.exe.
The following registry entry is changed to run W32/Autoit-F on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\Microsoft\Msmsgs.exe
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
0
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)