Text 37, 1365 lines
Written 2004-09-19 14:46:00 by KURT WISMER (1:123/140)
Subject: News, Sept. 19 2004
===========================
[cut-n-paste from sophos.com]
Name W32/Mydoom-Y
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Stops the computer from booting
* Forges the sender's email address
Aliases
* Win32.Evaman.D@mm
* W32/Evaman.e@MM
* I-Worm.Mydoom.w
Prevalence (1-5) 2
Description
W32/MyDoom-Y is a mass-mailing internet worm for the Windows platform.
When executed W32/MyDoom-Y will attempt to connect to the URL
http://www.microsucks.com.
After 1am December 1st 2004 W32/MyDoom-Y will shut down the machine
whenever it is started.
Advanced
W32/MyDoom-Y is a mass-mailing internet worm for the Windows platform.
When executed W32/MyDoom-Y will attempt to connect to the URL
http://www.microsucks.com.
W32/MyDoom-Y will then copy itself to the default SYSTEM folder as the
file SYSHOSTS.EXE and will set one of the following registry entries to
run itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS Updates
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MS Updates
The registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SYSHOSTS
will be created to act as an infection marker for the worm.
W32/MyDoom-Y will attempt to send itself as an email attachment to
messages with the following characteristics:
Subject: This field will be either "album" or "You've got a virtual
postcard!"
Body: This field will either be
"My pics...*sexy*. Heheh! ;)"
or
"You have just received a new postcard from Fleshecard.com!
From: <sender name>
To pick up your postcard follow this web address
http://www.flashecard.com.viewcard.main.ecard.php2342
or click the attached link. We hope you enjoy your postcard, and if
you do, please take a moment to send a few yourself!
http://www.flashecard.com
(Your message will be available for 30 days.)
Please visit our site for more information."
Attachment: the attachment name will either be "Photos_album" or
"www.flashecard.com?postcard=viewcard?download" followed by either one
of the extensions SCR or HTML.SCR
W32/MyDoom-Y reads the registry entry
HKCU\Software\Microsoft\WAB\WAB4\WAB File Name
to locate the Windows address book file. It then attempts to send itself
to all contacts listed in that file, and afterwards searches files with
the following extensions found in the Temporary Internet Files folder:
htmb
htmbl
shtl
phpq
emll
msgq
aspd
dbxn
tbbg
adbh
wab
W32/MyDoom-Y will not send emails out to addresses that include any of
the following strings in their names:
syma
msn
hotmail
anda
opho
borlan
npris
xample
mydom
@domai
ruslis
.gov
.mil
@foo
berkley
unix
math
bsd
mit.e
gnu
fsf
ibm
oogle
kernel
linux
fido
senet
@iana
ripe
isi.e
arin
rfc-ed
isc.o
ecur
acketst
pgp
tanford.e
utgers.ed
ample
info
root@
ostmaster@
ebmaster@
you
ugs@
ating@
ontact@
soft
rivacy
ervice
help
ubmit@
feste
cert
page
upport
ntivi
istser
ertific
ccoun
spm
Spam
SPAM
spam
abuse
cafee
@messagelab
@avp
kasp
winzip
winrar
pdate
irus
ahoo
buse@
sale
W32/MyDoom-Y will spoof the sender's email address to appear to have
originated from any of the following domains:
@aol.com
@hotmail.com
@yahoo.com
@msn.com
@excite.com
@mail.com
The sender's name will be selected at random from the list:
Jennifer
Barbara
Linda
Susan
Eric
Kevin
Mary
Robert
John
Maria
Alex
Pamela
Anna
Andrew
Fred
Jack
James
Julie
Debby
Claudia
Matt
Brent
W32/MyDoom-Y will attempt to terminate any running process whose name
includes one of the following strings:
task
msconfig
AV
MC
ieframe
nti
iru
ire
cc
ecu
can
scn
kv
fr
regedit
W32/MyDoom-Y will create a Mutex with the label hola_back_bitches.
After 1am December 1st 2004 W32/MyDoom-Y will shut down the machine
whenever it is started.
Name W32/Forbot-AE
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Wootbot.gen
* W32/Gaobot.worm.gen.f
Prevalence (1-5) 2
Description
W32/Forbot-AE is a member of the W32/Forbot family of internet worms
that spread by scanning for and exploiting known vulnerabilities of
Windows operating systems.
The worm connects to a remote IRC server and allows a malicious user to
remotely control an infected computer.
Advanced
W32/Forbot-AE is a member of the W32/Forbot family of internet worms
that spread by scanning for and exploiting known vulnerabilities of
Windows operating systems.
In order to run automatically when Windows starts up the worm copies
itself to the file videosd32.exe in the Windows system folder and adds
the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32 Configuration
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 Configuration
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 Configuration
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 Configuration
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 Configuration
The worm also adds an entry
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\<clsid>\FilesNamedMRU
pointing to itself, where <clsid> is a randomly generated class ID value.
In addition W32/Forbot-AE registers itself to run as the service "Windows
Manage" with the display name "Win32 Configuration".
The worm connects to a remote IRC server and allows a malicious user to
remotely control an infected computer.
Name W32/Squirrel-A
Type
* Virus
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
Prevalence (1-5) 2
Description
W32/Squirrel-A is an appending virus.
Advanced
W32/Squirrel-A is an appending virus.
W32/Squirrel-A attempts to infect Windows executable files with file
extension 'exe', 'EXE', or 'scr'. The virus searches drives C: to Z: for
such files, as well as available network resources.
W32/Squirrel-A deletes appended data from files it infects. This means
certain files will not be fully recoverable by disinfection.
Name W32/Sdbot-PJ
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Backdoor.SdBot.gen
Prevalence (1-5) 2
Description
W32/Sdbot-PJ is a worm which attempts to spread to remote network shares
protected by weak passwords.
Advanced
W32/Sdbot-PJ is a worm which attempts to spread to remote network shares
protected by weak passwords.
W32/Sdbot-PJ contains backdoor Trojan functionality allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Sdbot-PJ copies itself to the Windows system folder as msnmngr.exe
and creates the following registry entries to ensure it is run at system
logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsofts Help Services = msnmngr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsofts Help Services = msnmngr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsofts Help Services = msnmngr.exe
W32/Sdbot-PJ can also download and execute remote files on the infected
computer and flood other computers with network packets.
Name W32/Sdbot-PI
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Trojan.Win32.Pakes
Prevalence (1-5) 2
Description
W32/Sdbot-PI is a network worm and backdoor for the Windows platform.
The worm spreads to shared folders with weak passwords.
The backdoor component connects to a predefined IRC server and waits for
commands from a remote attacker.
Advanced
W32/Sdbot-PI is a network worm and backdoor for the Windows platform.
The worm spreads to shared folders with weak passwords.
The backdoor component connects to a predefined IRC server and waits for
commands from a remote attacker.
When run W32/Sdbot-PI copies itself to the Windows system folder as
ntlogin32.exe. The worm ensures that the copy is run each time Windows
starts by adding the registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows NT Login = "ntlogin32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows NT Login = "ntlogin32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows NT Login = "ntlogin32.exe"
The backdoor component allows a remote attacker to:
transfer files to and from the infected computer
steal CD keys for certain game software
use the infected computer as a proxy server
launch distributed denial of service attacks
Name W32/MyDoom-Z
Type
* Worm
How it spreads
* Email messages
* Chat programs
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
Aliases
* I-Worm.Mydoom.y
Prevalence (1-5) 2
Description
W32/MyDoom-Z is a network and email worm which also contains backdoor
functionality. The worm spreads by emailing itself and copying itself
into Kazaa shared folders.
Advanced
W32/MyDoom-Z is a network and email worm which also contains backdoor
functionality.
The worm forges the 'from' address on email that it sends. The email
will have a fake from address, apparently from a domain that provides
free email accounts.
The email has the following characteristics:
Subject line :
Fw: remember me?__
Fw: hi
Fw: hello sweety :>
Fw: my photos
Fw: that's me :-d
Fw: (no subject)
Fw: it's me
Fw: hi, it's me
Fw: 2 new photos
Fw: new photos
Fw: jenna's photos :)
Remember me?__
Hi
Hello sweety :>
My photos
That's me :-d
(no subject)
It's me
Hi, it's me
2 new photos
New photos
Look!_0
Fw: cool
:))
:)
Fw:
Re:
Re[2]:
Fw:cool
Re:cool
Re[2]:cool
Fw:cool!
Re:cool!
Re[2]:cool!
Fw:fun pictures
Re:fun pictures
Re[2]:fun pictures
Fw:fun pictures
Re:fun pictures
Re[2]:fun pictures
Re:fun pictures
Attached file:
Photos.arc.cpl
My.photos.cpl
Newphotos.cpl
New.photos.cpl
Photo.se.cpl
Foto.cpl
Fotos.cpl
My.foto.cpl
Arc.cpl
Photofile.cpl
Photoarchive.cpl
Myfoto.cpl
Photos.arc.exe
My.photos.exe
Myphotos.arc.exe
Newphotos.exe
New.photos.exe
Photo.se.exe
Photos.exe.safe
Foto.exe
Fotos.exe
My.foto.exe
Arc.exe
Photofile.exe
Photoarchive.exe
Photos.selfextracting.exe
Myfoto.exe
Julia038.jpg(lots of space).pif
Marie.dancing.jpg(lots of space).pif
Nude..jpg(lots of space).pif
Photo08.jpg(lots of space).pif
Sunny.jpg(lots of space).pif
With.flowers.jpg(lots of space).pif
2004042301.jpg(lots of space).pif
Me.01.jpg(lots of space).pif
Dcp.0002.jpg(lots of space).pif
Black.gif(lots of space).pif
Photo.jpg(lots of space).pif
Pic.jpg(lots of space).pif
Document.jpg(lots of space).pif
Flowers.jpg(lots of space).pif
Me.01.jpg(lots of space).pif
My.photo.jpg(lots of space).pif
The worm may also arrive in a ZIP file named:
Photos.zip
Myphotos.zip
My.photos.zip
Fotos.zip
Images.zip
New.photos.zip
Pic.zip
New.pic.zip
Arhive.zip
W32/MyDoom-Z also spreads via the Kazaa peer to peer network by dropping
copies of itself in the Kazaa shared folder. Also, the worm may send ICQ
messages to other users with the following lines:
"funy game http://www.scionicmusic.com/a"...
"i now play in game http://www.scionicmu"...
"my photos (archived) http://www.llc.uni"...
"http://www.llc.unibo.it/claroline142/ph"...
"http://www.llc.unibo.it/claroline142/ph"...
"http://65.110.51.150/icon/game.exe LOL!"...
"best game http://65.110.51.150/icon/gam"...
"http://64.40.98.94/icon/game.exe funny "...
"http://64.40.98.94/icon/game.exe :-):-)"...
"funn http://64.40.98.94/icon/game.exe :"...
When W32/MyDoom-Z is run it copies itself to services.exe in the Windows
folder or nb32ext.txt in the Windows system folder and creates the
following registry entries pointing to those copies to ensure it is run
at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RPCserv
HKLM\System\CurrentControlSet\Services\NetBios ext
W32/MyDoom-Z will also disable registry editing tools by setting:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\DisableRegistryTools = 0
The worm also allows itself to bypass the firewall by modifying a
registry entry under:
HKLM\System\CurrentControlSet???\Services\SharedAccess\DomainProfile\AuthorizedApplications\List
W32/MyDoom-Z will also attempt to terminate any security-related process
on the system and modify the hosts file at
<Windows system folder>\drivers\etc\hosts to prevent access to
security-related websites.
W32/MyDoom-Z may also download further components from predefined
websites. These files contain W32/Surila-C.
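The hosts-file tampering described for W32/MyDoom-Z is easy to audit from a copy of the file, because a legitimate hosts file almost never maps a vendor's update or download host to the loopback address. The following Python is an added example, not part of the original post or of Sophos's analysis: it parses hosts-file text and reports watched domains that have been pointed at a sinkhole address (127.0.0.1, 0.0.0.0, ::1) or at some other address. The list of watched vendor domains is an assumption; the description only says "security related websites" without naming them. The sample hosts text is constructed.

```python
import ipaddress

# ASSUMED watch list: the description names no specific sites, so these are
# stand-ins for "security related websites" a defender would care about.
WATCHED_DOMAINS = (
    "sophos.com", "symantec.com", "mcafee.com", "kaspersky.com",
    "windowsupdate.com", "microsoft.com",
)
# Addresses that make a name resolve to nothing useful.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a hosts file after the kind of edit the description mentions.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       liveupdate.symantec.com
0.0.0.0         download.mcafee.com
10.0.0.5        www.kaspersky.com     # constructed: sent to a third-party host
192.168.1.20    fileserver.corp.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments,
    blank lines and lines whose first field is not an IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower()


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacked_entries(text):
    """Return (hostname, ip, kind) for every watched domain the hosts file
    overrides; kind says whether it is sinkholed or redirected elsewhere."""
    hits = []
    for ip, host in parse_hosts(text):
        if not is_watched(host):
            continue
        kind = "blocked (sinkholed)" if ip in SINKHOLE_ADDRS else "redirected"
        hits.append((host, ip, kind))
    return hits


if __name__ == "__main__":
    for host, ip, kind in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"{host:30} -> {ip:15} {kind}")
```

Any hit is worth a look, but the "redirected" case deserves priority: a vendor host pointed at an arbitrary address can serve a fake update rather than merely failing to load. On a live machine the file to read is the one at the path given above, and a clean baseline copy (or a check that the file contains only the localhost lines) is the simplest comparison.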
Name W32/Rbot-JR
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Rbot.gen
* WORM_RBOT.LU
Prevalence (1-5) 2
Description
W32/Rbot-JR is a member of the W32/Rbot family of worms with a backdoor
component.
When active W32/Rbot-JR attempts to connect to a remote IRC server and
enables a malicious user to remotely control the infected computer via a
specific IRC channel. It will also attempt to shut off any AV-related
program.
Advanced
W32/Rbot-JR is a member of the W32/Rbot family of worms with a backdoor
component.
When active W32/Rbot-JR attempts to connect to a remote IRC server and
enables a malicious user to remotely control the infected computer via a
specific IRC channel. It will also attempt to shut off any AV-related
program.
In order to run automatically when Windows starts up the worm copies
itself to the file lshost.exe in the Windows system folder and adds the
following registry entries pointing to this file:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Host Service
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Generic Host Service
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Host Service
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Host Service
The worm also adds the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\Generic Host Service = "lshost.exe"
HKCU\Software\Microsoft\OLE\Generic Host Service = "lshost.exe"
and sets the entries:
HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
W32/Rbot-JR is capable of the following when instructed by an intruder:
- Capture webcam feed
- Search for CD keys related to games
- Open remote command prompt
- Download/upload files
- Carry out DDoS attacks
- Capture Windows NT/2000 login password
- Start keylogger
- Sniff traffic on network
Name W32/Lovgate-X
Type
* Worm
Aliases
* I-Worm.LovGate.q
* Win32/Lovgate.X
* WORM_LOVGATE.Q
Prevalence (1-5) 2
Description
W32/Lovgate-X is a worm with backdoor functionality that spreads via
email, network shares with weak passwords and filesharing networks.
W32/Lovgate-X may arrive in an email with the following characteristics:
Subject line: chosen from -
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message text: chosen from -
It's the long-awaited film version of the Broadway hit. The message sent
as a binary attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail failed. For further assistance, please contact!
Attachment name: chosen from -
document
readme
doc
text
file
data
test
message
body
followed by .bat, .cmd, .exe, .pif or .scr
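The attachment names quoted for W32/MyDoom-Y (Photos_album.html.scr), W32/MyDoom-Z (Photo.jpg followed by a long run of spaces and .pif, plus .cpl files) and W32/Lovgate-X (document.pif, readme.scr and so on) all rely on the same trick: a harmless-looking name ending in an extension Windows will execute. The following Python is an added example, not code from the original post or from Sophos; it is a mail-gateway style check that classifies an attachment filename by those patterns and generalises slightly beyond the page by also flagging an executable extension buried before a non-executable one (as in Photos.exe.safe). The extension sets and the sample names are constructed for the example.

```python
import re

# Extensions Windows executes directly; every one appears in a lure name above.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "cpl", "bat", "cmd", "com"}
# Innocent-looking types the worms put in front of the real extension.
DECOY_EXTS = {"jpg", "jpeg", "gif", "txt", "doc", "html", "htm", "zip"}

# Constructed samples modelled on the names quoted in the descriptions.
SAMPLE_NAMES = [
    "Photos_album.html.scr",
    "Julia038.jpg" + " " * 40 + ".pif",
    "My.photos.cpl",
    "Photos.exe.safe",
    "document.pif",
    "Photos.zip",
    "quarterly-report.pdf",
]


def analyse_attachment_name(name: str) -> list:
    """Return the reasons an attachment name matches the lure patterns above.
    An empty list means no pattern matched."""
    reasons = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    final_ext = parts[-1].strip()
    inner = [p.strip() for p in parts[1:-1]]  # extensions before the last one

    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f"final extension .{final_ext} is executable")
    if final_ext in EXECUTABLE_EXTS and any(p in DECOY_EXTS for p in inner):
        reasons.append("double extension: decoy type hides an executable")
    if re.search(r"\s{2,}", name):
        reasons.append("run of spaces pushes the real extension out of view")
    if final_ext not in EXECUTABLE_EXTS and any(p in EXECUTABLE_EXTS for p in inner):
        reasons.append("executable extension buried inside the name")
    return reasons


def triage(names):
    """Map each suspicious name to its reasons; clean names are omitted."""
    result = {}
    for name in names:
        reasons = analyse_attachment_name(name)
        if reasons:
            result[name] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(repr(name))
        for r in reasons:
            print("   -", r)
```

The .zip names listed for W32/MyDoom-Z are deliberately not flagged by the name check alone: an archive is a container, and the right gateway behaviour is to open it and run the same check on the names inside. Note also that .cpl counts as executable here; Control Panel applets are loaded as code when opened, which is why the worm uses them.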
When executed W32/Lovgate-X creates the service "NetMeeting Remote
Sharing," copies itself to the Windows folder with the filename
Systra.exe and to the Windows system folder with the filenames
iexplore.exe, Winexe.exe, avmond.exe, WinHelp.exe and Kernel66.dll.
W32/Lovgate-X extracts the backdoor components to the Windows system
folder as ODBC16.DLL, msjdbc11.dll and MSSIGN30.DLL (detected as
W32/Lovgate-W).
In order to run automatically when Windows starts up W32/Lovgate-X
creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SystemTra = C:\WINDOWS\SysTra.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Program In Windows = "C:\\WINDOWS\\System32\\IEXPLORE.EXE"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Protected Storage = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices\SystemTra = "C:\\WINDOWS\\SysTra.EXE"
HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = "RAVMOND.exe"
HKCR\exefile\shell\open\command = C:\WINDOWS\System\winexe.exe
W32/Lovgate-X may change the win.ini file by adding the path to
Ravmond.exe to the 'run=' line.
W32/Lovgate-X attempts to terminate a number of processes whose names
contain a string chosen from the following list:
KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising
W32/Lovgate-X copies itself to the share folders of filesharing networks
with one of the following filenames:
Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe
W32/Lovgate-X copies itself to the share folder of the KaZaa network
with one of the following filenames:
wrar320sc
REALONE
BlackIcePCPSetup_creak
Passware5.3
word_pass_creak
HEROSOFT
orcard_original_creak
rainbowcrack-1.1-win
W32Dasm
setup
<any name>
followed by .bat, .exe, .pif or .scr
Name W32/Forbot-C
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Wootbot.c
* W32/Sdbot.worm.gen.h
Prevalence (1-5) 2
Description
W32/Forbot-C is a worm which attempts to spread to remote network shares.
The worm also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
Advanced
W32/Forbot-C is a worm which attempts to spread to remote network shares.
The worm also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
W32/Forbot-C moves itself to the Windows system folder as winitr32.exe
and creates the following registry entries to run itself on system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32 Wmls Driver = winitr32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 Wmls Driver = winitr32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 Wmls Driver = winitr32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 Wmls Driver = winitr32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 Wmls Driver = winitr32.exe
W32/Forbot-C attempts to spread to network machines using various
exploits including the LSASS vulnerability (please see MS04-011).
W32/Forbot-C attempts to terminate several processes related to
anti-virus and security related software.
Name W32/Myfip-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Steals information
* Reduces system security
* Installs itself in the Registry
Aliases
* W32/Myfip.worm
Prevalence (1-5) 2
Description
W32/Myfip-A is a worm that spreads via poorly-protected network shares.
W32/Myfip-A uploads the contents of selected files to a remote machine.
Advanced
W32/Myfip-A is a worm that spreads using network shares that are either
unprotected or protected only by weak passwords.
The worm copies itself to the file kernel32dll.exe in the Windows system
folder on the local machine. Copies on network shares can be called
worm.txt.exe or dfsvc.exe.
W32/Myfip-A may also create files named temp.exe (also detected as
W32/Myfip-A) and temp.txt (harmless).
The worm attempts to register itself as a service process with the
ServiceName and DisplayName "Distributed Link Tracking Extensions".
W32/Myfip-A creates the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Distributed File System = "kernel32dll.exe"
W32/Myfip-A builds a list of all filenames whose extension is one of
PDF, DOC, DWG, SCH, PCB, DWT, DWF and MAX and whose path does not
contain any of the following strings:
Winnt
Windows
I386
Program Files
All Users
Recycler
System Volume Information
Inetpub
Documents and Settings
Wutemp
My Music
The worm then sends the contents of each file to a preconfigured IP
address.
Name W32/Forbot-W
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Forbot-W is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
Advanced
W32/Forbot-W is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Forbot-W copies itself to the Windows system folder as WINXPINIT.EXE
and creates entries in the registry at the following locations so as to
run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2 Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 USB2 Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2 Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver
W32/Forbot-W also creates its own service named "LOL", with the display
name "Win32 USB2 Driver".
Name W32/Forbot-V
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Wootbot.gen
Prevalence (1-5) 2
Description
W32/Forbot-V is a network worm with IRC backdoor functionality.
W32/Forbot-V attempts to spread by exploiting the LSASS (MS04-011)
vulnerability.
A machine infected by W32/Forbot-V can be remotely controlled by an
attacker using IRC channels.
Advanced
W32/Forbot-V is a network worm with IRC backdoor functionality.
In order to run automatically when Windows starts up the worm copies
itself to the file wuaucls.exe in the Windows system folder.
Once installed, W32/Forbot-V connects to a preconfigured IRC server,
joins a channel and awaits further instructions. These instructions can
cause the bot to perform any of the following actions:
start a SOCKS4, SOCKS5 or HTTP proxy server
start a TCP redirection server
start an FTP server
download and install an updated version of itself
scan IP addresses for infectable machines
show statistics about the infected system
secure the infected machine against further infection
search for product keys
send files via DCC
W32/Forbot-V attempts to spread to other machines affected by the LSASS
vulnerability (MS04-011) or infected by one of the Troj/Optix backdoors.
The worm creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Control = "wuaucls.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Security Control = "wuaucls.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Security Control = "wuaucls.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Control = "wuaucls.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Security Control = "wuaucls.exe"
W32/Forbot-V searches for product keys for the following software:
Battlefield 1942: Secret Weapons of WWII
Battlefield 1942: The Road to Rome
Battlefield 1942: Vietnam
Black and White
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
IGI2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
NHL 2002
NHL 2003
Need for Speed: Underground
Neverwinter Nights
Ravenshield
Shogun: Total War: Warlord Edition
Soldiers of Anarchy
Soldier of Fortune 2
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Name W32/Bagle-AM
Type
* Worm
How it spreads
* Email attachments
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
Prevalence (1-5) 2
Description
W32/Bagle-AM is a member of the W32/Bagle family of worms.
Advanced
W32/Bagle-AM is a member of the W32/Bagle family of worms. When run the
worm copies itself to the Windows system folder as windll.exe, and to any
folder with the substring 'shar' in its name under the following filenames:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
The following registry entry is created:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\erthgdr = %SYSTEM%\windll.exe
W32/Bagle-AM scans all fixed drives recursively for WAB, TXT, MSG, HTM,
SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL,
WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP files,
extracts email addresses from them and uses those addresses for the mass
mailing component of the worm.
The worm will email copies of a modified version of itself detected by
Sophos as W32/Bagle-AQ.
Name W32/MyDoom-X
Type
* Worm
How it spreads
* Email messages
* Network shares
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/MyDoom-X is a worm for the Windows platform.
Advanced
W32/MyDoom-X is a worm for the Windows platform.
W32/MyDoom-X is a mass mailer that also spreads by copying itself to the
available shared folders.
W32/MyDoom-X spoofs the sender address on email sent by the worm.
It uses a sender name constructed from predefined lists, with an email
address that corresponds to the last name used, or to a random part of
one of those names with one or more random characters appended, at one
of the following domains:
cox.net
yahoo.com
msn.com
yahoo.co.uk
t-online.de
gmx.net
hotmail.com
aol.com
mail.com
dailymail.co.uk
W32/MyDoom-X will attempt to avoid sending itself to email addresses
containing any of the following strings:
'icrosof'
'borlan'
'inpris'
'example'
'mydomai'
'nodomai'
'ruslis'
'berkeley'
'ibm.com'
'kernel'
'usenet'
'rfc-ed'
'sendmail'
'acketst'
'tanford.e'
'utgers.ed'
'mozilla'
'be_loyal:'
'samples'
'postmaster'
'webmaster'
'nobody'
'nothing'
'anyone'
'someone'
'rating'
'contact'
'somebody'
'privacy'
'service'
'submit'
'gold-certs'
'the.bat'
'microsoft'
'support'
'listserv'
'certific'
'google'
'account'
The worm obtains email addresses to send itself to from files on the
local hard disk.
W32/MyDoom-X copies itself to the Windows folder with the filename
oz2.exe and to the Windows system folder with the filename oz11111.exe
and sets the following registry entries to point to those copies:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\oz2
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\www.symantec.com
W32/MyDoom-X also creates the following files in the Windows system
folder:
\<Windows>\<system>\About_Mydoom.txt
\<Windows>\<system>\Doompic.jpg
\<Windows>\<system>\Downxz.bat
\<Windows>\<system>\log32zx.exe
\<Temp>\services.exe
where the text file contains the worm's info, Downxz.bat is a variant of
the downloader Trojan detected as Troj/Delf-FE, log32zx.exe is a Yahoo
keylogger detected as Troj/Keylog-AA and services.exe is detected as the
W32/MyDoom-O worm.
In order to run them automatically when Windows starts up W32/MyDoom-X
creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Downxz
with the path to Downxz.bat
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows updaterD
with the path to log32zx.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services
with the path to services.exe
W32/MyDoom-X checks for an internet connection and, if the host
www.symantec.com is reachable, initiates a DDoS attack starting on
29 September 2004 at 2.00.25pm and lasting until 29 October 2004 at
2.00.25pm.
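Nearly every description above ends with the same persistence mechanism: a copy in the Windows system folder plus a value under one of the Run, RunOnce or RunServices keys with a plausible-sounding name (MS Updates, Generic Host Service, Windows Security Control, Win32 USB2 Driver and so on). The following Python is an added example, not part of the original post or of Sophos's analyses: it parses the text of a registry export (the format `reg export` writes) and reports autorun values whose name or target binary matches an indicator compiled from the descriptions on this page. The indicator table contains only names and filenames that appear above; the sample export, including the benign VMware entry, is constructed. Where the page's filename is also a legitimate Windows binary name (services.exe, IEXPLORE.EXE) only the value name is matched, to avoid false positives.

```python
# (family, autorun value name, binary it points to) taken from the descriptions
# above. binary is None where the filename collides with a legitimate Windows
# binary, so only the value name is matched for that entry.
INDICATORS = [
    ("W32/MyDoom-Y",  "MS Updates",                 "syshosts.exe"),
    ("W32/Forbot-AE", "Win32 Configuration",        "videosd32.exe"),
    ("W32/Sdbot-PJ",  "Microsofts Help Services",   "msnmngr.exe"),
    ("W32/Sdbot-PI",  "Windows NT Login",           "ntlogin32.exe"),
    ("W32/MyDoom-Z",  "RPCserv",                    None),
    ("W32/Rbot-JR",   "Generic Host Service",       "lshost.exe"),
    ("W32/Lovgate-X", "SystemTra",                  "systra.exe"),
    ("W32/Lovgate-X", "Program In Windows",         None),
    ("W32/Lovgate-X", "Protected Storage",          "mssign30.dll"),
    ("W32/Forbot-C",  "Win32 Wmls Driver",          "winitr32.exe"),
    ("W32/Myfip-A",   "Distributed File System",    "kernel32dll.exe"),
    ("W32/Forbot-W",  "Win32 USB2 Driver",          "winxpinit.exe"),
    ("W32/Forbot-V",  "Windows Security Control",   "wuaucls.exe"),
    ("W32/Bagle-AM",  "erthgdr",                    "windll.exe"),
    ("W32/MyDoom-X",  "oz2",                        "oz2.exe"),
    ("W32/MyDoom-X",  "www.symantec.com",           "oz11111.exe"),
    ("W32/MyDoom-X",  "Downxz",                     "downxz.bat"),
    ("W32/MyDoom-X",  "Microsoft Windows updaterD", "log32zx.exe"),
    ("W32/MyDoom-X",  "Services",                   None),
]

# Key name suffixes that Windows runs at logon (compared case-insensitively).
AUTORUN_SUFFIXES = ("\\run", "\\runonce", "\\runservices")

# Constructed sample in the .reg export format; the VMware line is a benign
# decoy, the Explorer key is outside the autorun locations and must be ignored.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS Updates"="C:\\WINDOWS\\system32\\SYSHOSTS.EXE"
"VMware User Process"="C:\\Program Files\\VMware\\vmtoolsd.exe"
"Win32 Security"="C:\\WINDOWS\\system32\\lshost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"erthgdr"="C:\\WINDOWS\\system32\\windll.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SYSHOSTS"=""
"""


def parse_reg_export(text):
    """Return (key, value_name, data) triples from .reg export text.
    Only string values are unescaped; other types are kept verbatim."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")
        entries.append((key, name, data))
    return entries


def find_autorun_indicators(text):
    """Return (key, value_name, data, family) for every autorun value whose
    name or target binary matches an indicator from the descriptions above."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        for family, ioc_name, binary in INDICATORS:
            name_hit = name.lower() == ioc_name.lower()
            data_hit = binary is not None and binary in data.lower()
            if name_hit or data_hit:
                hits.append((key, name, data, family))
                break
    return hits


if __name__ == "__main__":
    for key, name, data, family in find_autorun_indicators(SAMPLE_REG_EXPORT):
        print(f"{family:14} {key}\\{name} = {data}")
```

The "Win32 Security" entry in the sample is caught only because its data names lshost.exe, which is the point of matching on both fields: value names are trivial to change between variants, binary names less so. Either match is only a string comparison against a 2004 list, so the durable control is a baseline of the autorun keys on a known-good build and a review of anything that differs from it.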
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)