Text 348, 513 lines
Written 2008-01-27 19:42:00 by KURT WISMER (1:123/140)
Subject: News, January 27 2008
=============================
[cut-n-paste from sophos.com]
Name W32/Expiro-C
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Expiro-C is a virus for the Windows platform.
Name Troj/Tanto-H
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Tanto-H is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Advanced
Troj/Tanto-H includes functionality to download, install and run new
software.
When first run Troj/Tanto-H copies itself to <Windows>\wscntfy.exe.
The file wscntfy.exe is registered as a new system driver service named
"Microsoft wscntfy Service", with a display name of "Microsoft wscntfy
Service" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Microsoft wscntfy Service
Troj/Tanto-H sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center
Name Troj/DllLoad-E
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 2
Description
Troj/DllLoad-E is a Trojan dropper for the Windows platform.
When run the Trojan will decrypt and drop a DLL which it will then
attempt to load.
Name Troj/DwnLdr-HAL
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Small.hqo
Prevalence (1-5) 2
Description
Troj/DwnLdr-HAL is a Trojan for the Windows platform.
Advanced
Troj/DwnLdr-HAL includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/DwnLdr-HAL is installed the following files are created:
<System>\<random>.exe
At the time of this writing the above file is detected by Sophos as
W32/Sality-AM.
The following registry entry is created to run Troj/DwnLdr-HAL on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IpSec
<pathname of the Trojan executable>
Name Troj/ByteVer-AB
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/ByteVer-AB is a Java Trojan.
Advanced
Troj/ByteVer-AB creates a file in <temp>\q319243.com.
q319243.com is detected as Troj/Dropper-RY.
Name Troj/Keylog-JW
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
Aliases
* TR/Keylog.1EF32979
* TR/PSW.Steal.53248.18
Prevalence (1-5) 2
Description
Troj/Keylog-JW is a keylogger Trojan for the Windows platform.
Advanced
Troj/Keylog-JW runs silently in the background logging keystrokes, in
an attempt to capture information such as passwords and visited URLs.
Troj/Keylog-JW may be installed by a downloader Trojan such as
Troj/Dwnldr-HAJ.
When Troj/Keylog-JW is installed the following files are typically
created:
<Windows>\pages.sys (a harmless log file)
<System>\cftmon.exe
<System>\ctfmmmm.exe
<System>\mam.exe
<System>\mam2.exe
<System>\mscontig3.exe
<System>\st.img (a harmless log file)
The following registry entry is changed to run cftmon.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <System>\cftmon.exe
Name Troj/Bagle-TL
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Bagle.ik
Prevalence (1-5) 2
Description
Troj/Bagle-TL is a Trojan for the Windows platform.
Advanced
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA
0
Registry entries are created under:
HKCU\Software\FirstRRRun
Name Troj/Psyme-HI
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-PSW.Win32.OnLineGames.ifz
Prevalence (1-5) 2
Description
Troj/Psyme-HI is a Javascript-based Trojan downloader.
Advanced
Troj/Psyme-HI downloads an EXE file and runs it. At the time of
writing, the EXE file is detected as Mal/Dropper-Y.
Name Troj/Bishin-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Bishin-A is a Trojan for the Windows platform.
Advanced
Troj/Bishin-A is a .NET Trojan for the Windows platform.
If run before 31st Jan 2008, Troj/Bishin-A copies itself to
<Application Data>\MVScvs\svchost.exe and creates the following
registry entry in order to be run automatically:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MVSvcs
<Application Data>\MVScvs\svchost.exe
Troj/Bishin-A also displays the first JPG file found in the current
folder, if any exist.
Name Troj/Clicker-EP
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Clicker-EP is a Trojan for the Windows platform.
Advanced
Troj/Clicker-EP includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Clicker-EP changes settings for Microsoft Internet Explorer by
modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Download
1
6008DE3FD507060001001400040023002900EC02
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
WarnonZoneCrossing
0
Name W32/IRCBot-ZZ
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Scans network for vulnerabilities
* Scans network for weak passwords
Aliases
* Backdoor.Win32.IRCBot.bep
Prevalence (1-5) 2
Description
W32/IRCBot-ZZ is a worm for the Windows platform.
W32/IRCBot-ZZ spreads
- to computers vulnerable to common exploits, including: SRVSVC
(MS06-040), RealVNC (CVE-2006-2369) and Symantec (SYM06-010)
- to MSSQL servers protected by weak passwords
- to network shares protected by weak passwords
The following patch for the operating system vulnerability exploited by
the worm can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
W32/IRCBot-ZZ can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/IRCBot-ZZ can be instructed by a remote
user to perform the following functions:
- start an FTP server
- start a Proxy server
- start a web server
- log keypresses
- harvest information from clipboard
- packet sniffing
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)
Advanced
When first run W32/IRCBot-ZZ creates the following files
<System>\system32.exe (also detected as W32/IRCBot-ZZ)
<Temp>\c980da7d.tmp (not malicious; can be deleted)
The following registry entries are created to run system32.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
system32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
system32.exe
The following registry entry is set:
HKCR\CLSID\{random CLSID}
HKCU\Software\ASProtect
Microsoft
system32.exe
Name VBS/Autorun-AU
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
VBS/Autorun-AU is a Visual Basic worm for the Windows platform.
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
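The write-ups above are mostly lists of load points and policy keys, which is exactly what a host triage pass checks. The script below is an added example, not Sophos's code and not part of Kurt's post: it walks the registry values, services and files named in the descriptions and reports which ones are present on the local machine. It is read-only and does no cleanup. It assumes the Sophos placeholders map to $env:SystemRoot, $env:SystemRoot\System32 and $env:APPDATA, that it runs in an elevated PowerShell prompt, and the "strong/medium/weak" labels are my own judgement of how specific each indicator is (the write-ups do not rate them).

```powershell
# Host triage for the indicators in the Sophos write-ups quoted above.
# Added example, not Sophos's or the poster's code. Read-only: it reports,
# it does not remediate. The Strength labels are the author's assumption.

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Family, [string]$Strength, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Family = $Family; Strength = $Strength; Detail = $Detail })
}

# Flag a registry value only when it exists and equals the malware-set data.
function Test-RegValue {
    param([string]$Family, [string]$Strength, [string]$Path, [string]$Name, [string]$Expected)
    if (-not (Test-Path -Path $Path)) { return }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $actual = [string]$item.$Name
    if ($actual -eq $Expected) { Add-Finding $Family $Strength "$Path\$Name = $actual" }
}

# Flag a Run/RunServices entry by its value name, whatever the data points at.
function Test-RunEntry {
    param([string]$Family, [string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { Add-Finding $Family 'strong' "$Path\$Name = $($item.$Name)" }
}

# Flag a file or registry key that should not exist at all.
function Test-Artifact {
    param([string]$Family, [string]$Strength, [string]$Path)
    if (Test-Path -Path $Path) { Add-Finding $Family $Strength "exists: $Path" }
}

$HKLMRun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$HKCURun = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$Sys32   = Join-Path $env:SystemRoot 'System32'

# Troj/Tanto-H: bogus service plus a wscntfy.exe in %SystemRoot% itself. The
# legitimate XP Security Center notifier lives in System32, so the root copy is the tell.
Test-Artifact 'Troj/Tanto-H' 'strong' 'HKLM:\SYSTEM\CurrentControlSet\Services\Microsoft wscntfy Service'
Test-Artifact 'Troj/Tanto-H' 'strong' (Join-Path $env:SystemRoot 'wscntfy.exe')
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    Test-RegValue 'Troj/Tanto-H' 'medium' "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile" 'EnableFirewall' '0'
}
Test-RegValue 'Troj/Tanto-H' 'medium' 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' 'DoNotAllowXPSP2' '1'
Test-RegValue 'Troj/Tanto-H' 'medium' 'HKLM:\SOFTWARE\Microsoft\Ole' 'EnableDCOM' 'N'
# Start=4 (disabled) on these services is weak on its own: it is the default on
# many builds. It only matters alongside the findings above.
foreach ($svc in 'Messenger', 'RemoteRegistry', 'TlntSvr') {
    Test-RegValue 'Troj/Tanto-H' 'weak' "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" 'Start' '4'
}

# Troj/DwnLdr-HAL
Test-RunEntry 'Troj/DwnLdr-HAL' $HKLMRun 'IpSec'

# Troj/Keylog-JW: Winlogon\Shell should be exactly "explorer.exe"; anything appended is a load point.
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') { Add-Finding 'Troj/Keylog-JW' 'strong' "Winlogon\Shell = $shell" }
foreach ($f in 'cftmon.exe', 'ctfmmmm.exe', 'mam.exe', 'mam2.exe', 'mscontig3.exe') {   # cftmon.exe mimics the real ctfmon.exe
    Test-Artifact 'Troj/Keylog-JW' 'strong' (Join-Path $Sys32 $f)
}

# Troj/Bagle-TL: UAC switched off by policy, plus its marker key.
Test-RegValue 'Troj/Bagle-TL' 'medium' 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system' 'EnableLUA' '0'
Test-Artifact 'Troj/Bagle-TL' 'strong' 'HKCU:\Software\FirstRRRun'

# Troj/Bishin-A
Test-RunEntry 'Troj/Bishin-A' $HKCURun 'MVSvcs'
Test-Artifact 'Troj/Bishin-A' 'strong' (Join-Path $env:APPDATA 'MVScvs\svchost.exe')

# Troj/Clicker-EP
Test-RegValue 'Troj/Clicker-EP' 'weak' 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' 'WarnonZoneCrossing' '0'

# W32/IRCBot-ZZ: "system32.exe" is a file, not the System32 folder. The ASProtect
# key is also written by legitimately packed software, hence weak.
Test-RunEntry 'W32/IRCBot-ZZ' $HKLMRun 'Microsoft'
Test-RunEntry 'W32/IRCBot-ZZ' 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' 'Microsoft'
Test-Artifact 'W32/IRCBot-ZZ' 'strong' (Join-Path $Sys32 'system32.exe')
Test-Artifact 'W32/IRCBot-ZZ' 'weak' 'HKCU:\Software\ASProtect'

if ($Findings.Count -eq 0) { 'No indicators from this bulletin found.' }
else { $Findings | Sort-Object Family, Strength | Format-Table -AutoSize }
```

The point of the Strength column is the caveat a responder needs with lists like these: a disabled Messenger service or a policy-disabled firewall is also what a hardened or managed host looks like, so those values only corroborate a file or service artefact, and a single "medium" or "weak" hit on its own is not evidence of infection.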