Tillbaka till svenska Fidonet
English   Information   Debug  
TRAPDOOR   0/19
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4288
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   32953
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2061
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33903
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24128
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4408
FN_SYSOP   41679
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13599
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16070
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22093
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   926
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1121
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3221
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13273
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/340
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
Möte VIRUS, 378 texter
 lista första sista föregående nästa
Text 72, 1721 rader
Skriven 2004-11-13 12:34:00 av KURT WISMER (1:123/140)
Ärende: News, Nov. 13 2004
==========================
[cut-n-paste from sophos.com]

Name   Troj/Banker-FA

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Banker.fa
    * PWS-Bancban.gen.b

Prevalence (1-5) 2

Description
Troj/Banker-FA is a password-stealing Trojan aimed at customers of a 
Brazilian bank.

Troj/Banker-FA will monitor a user's internet access. When certain 
internet banking sites are visited, the Trojan will display a fake login 
screen in order to trick the user into entering their details.

Troj/Banker-FA will then send the stolen details to a Brazilian email 
address.

Troj/Banker-FA may also download and install further related software.

When run, Troj/Banker-FA copies itself to the Windows system folder as 
CARTAO.EXE.

Advanced
Troj/Banker-FA is a password-stealing Trojan aimed at customers of a
Brazilian bank.

Troj/Banker-FA will monitor a user's internet access. When certain 
internet banking sites are visited, the Trojan will display a fake login 
screen in order to trick the user into entering their details.

Troj/Banker-FA will then send the stolen details to a Brazilian email 
address.

Troj/Banker-FA may also download and install further related software.

When run, Troj/Banker-FA copies itself to the Windows system folder as 
CARTAO.EXE and sets the following registry entry in order to be run on 
system startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
cartao<system>\cartao.exe





Name   W32/Forbot-CI

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes

Aliases  
    * WORM_WOOTBOT.CJ

Prevalence (1-5) 2

Description
W32/Forbot-CI is an IRC backdoor Trojan and network worm for the Windows 
platform.

Advanced
W32/Forbot-CI is an IRC backdoor Trojan and network worm for the Windows 
platform.

In order to run automatically when Windows starts up the worm moves 
itself to the Windows system folder as svshost.exe and creates the 
following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows Update = svshost.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Windows Update = svshost.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Windows Update = svshost.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows Update = svshost.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Windows Update = svshost.exe

W32/Forbot-CI also creates its own service named "Microsoft Update", 
with the display name "Microsoft Windows Update".

Once installed, W32/Forbot-CI connects to a preconfigured IRC server and 
joins a channel from which an attacker can issue further commands. These 
commands can cause the infected machine to perform any of the following 
actions:

flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly-chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files

The worm can spread to unpatched machines affected by the LSASS 
vulnerability (see MS04-011) and through backdoors left open by the 
Troj/Optix Trojans.





Name   W32/Rbot-PS

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes

Prevalence (1-5) 2

Description
W32/Rbot-PS is a network worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-PS spreads using a variety of techniques including exploiting 
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using 
backdoors opened by other worms or Trojans.

Patches for the operating system vulnerabilities exploited by 
W32/Rbot-PS can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx

Advanced
W32/Rbot-PS is a network worm and IRC backdoor Trojan for the Windows 
platform.

The worm copies itself to a file named rundll24.exe in the Windows 
system folder and creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Module
"rundll24.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Module
"rundll24.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Module
"rundll24.exe"

W32/Rbot-PS spreads using a variety of techniques including exploiting 
weak password on computers and SQL servers, exploiting operating system 
vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using 
backdoors opened by other worms or Trojans.

W32/Rbot-PS can be controlled by a remote attacker over IRC channels. 
The backdoor component of W32/Rbot-PS can be instructed by a remote 
attacker to perform the following functions:

start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)

Patches for the operating system vulnerabilities exploited by 
W32/Rbot-PS can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx





Name   Troj/Krepper-L

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan.Win32.Krepper.ab

Prevalence (1-5) 2

Description
Troj/Krepper-L is a Trojan which attempts to download further components 
through Internet Explorer address space. As a result, this may create 
various pop-ups and drop various links on the host computer.

Advanced
Troj/Krepper-L is a Trojan which attempts to download further components 
through Internet Explorer address space. As a result, this may create 
various pop-ups and drop various links on the host computer.

Troj/Krepper-L may create a folder in:

<Application Data>/fast regs great two/Bait Soft Start

in which it will store files downloaded from the predefined location.





Name   Troj/Mastseq-H

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Reduces system security
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
Troj/Mastseq-H is a backdoor Trojan which runs continuously in the 
background providing various services to a remote intruder.

Troj/Mastseq-H injects its code into a new instance of Microsoft 
Internet Explorer, in order to be less obvious in the process list and 
to possibly gain trusted application status.

Advanced
Troj/Mastseq-H is a backdoor Trojan which runs continuously in the 
background providing various services to a remote intruder.

Troj/Mastseq-H injects its code into a new instance of Microsoft 
Internet Explorer, in order to be less obvious in the process list and 
to possibly gain trusted application status.

Troj/Mastseq-H sends data to a remote location via port 80 (HTTP).

Troj/Mastseq-H deletes the following registry entry (if it exists), 
including all sub-keys:

HKLM\Software\Numega

Harmless data files named emapi.dat, jwplay.rom and lspdf.ax may be 
created in the Windows system folder.





Name   W32/Bofra-D

Type  
    * Worm

How it spreads  
    * Email messages

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine

Aliases  
    * Worm/MyDoom.AH
    * I-Worm.Bofra.b
    * W32/Mydoom.gen@MM
    * Worm.Mydoom.AD

Prevalence (1-5) 2

Description
W32/Bofra-D is a mass-mailing worm for the Windows platform.

W32/Bofra-D harvests email addresses from files on the infected 
computer.

W32/Bofra-D uses its own SMTP engine to send emails to these harvested 
addresses, enticing the recipient to click on a hyperlink. This link 
makes use of an exploit in Internet Explorer to download W32/Bofra-D 
from the infected machine. The download will take place without any 
notification from Windows.

The email distributed by W32/Bofra-D has the following characteristics:

From field: An address found on the infected computer, or one 
constructed randomly from strings within the worm such as:

exchange-robot@paypal.com
palux@yahoo.com

Subject line: Blank or one of the following:

Hi!
HI!
Hey!
HEY!
Confirmation
CONFIRMATION

Message body:

Congratulations! PayPal has successfully charged $175 to your credit 
card. Your order tracking number is A866DEC0, and your item will be 
shipped within three business days.
To see details please click this link.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an 
automated message system and the reply will not be received.
Thank you for using PayPal.

Hi! I am looking for new friends. I am from Miami, FL. You can see my 
homepage with my last webcam photos! Hello!

Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!

W32/Bofra-D also contains IRC backdoor functionality.

Advanced
W32/Bofra-D is a mass-mailing worm for the Windows platform.

W32/Bofra-D tries to copy itself either to the Windows system folder or 
to the Temp folder, copying itself to a filename comprising of between 3 
and 8 random characters followed by 32.EXE (eg EOFJNF32.EXE). 
W32/Bofra-D then creates an entry in the registry at one of the 
following locations so as to be run when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor8

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor8

W32/Bofra-D attempts to harvest email addresses from the Outlook address 
book and from files with the following extensions:

TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB, PL, WAB

W32/Bofra-D wil not harvest addresses containing the following strings:

.gov, .mil, accoun, acketst, admin, anyone, arin., avp, berkeley, 
borlan, bsd, bugs, ca, certific, contact, example, feste, fido, foo., 
fsf., gnu, gold-certs, google, gov., help, hotmail, iana, ibm.com, 
icrosof, icrosoft, ietf, info, inpris, isc.o, isi.e, kernel, linux, 
listserv, math, me, mit.e, mozilla, msn., mydomai, no, nobody, nodomai, 
noone, not, nothing, ntivi, page, panda, pgp, postmaster, privacy, 
rating, rfc-ed, ripe., root, ruslis, samples, secur, sendmail, service, 
site, soft, somebody, someone, sopho, submit, support, syma, tanford.e, 
the.bat, unix, usenet, utgers.ed, webmaster, you, your

W32/Bofra-D uses its own SMTP engine to send emails to these harvested 
addresses, enticing the recipient to click on a hyperlink. This link 
makes use of an exploit in Internet Explorer to download W32/Bofra-D 
from the infected machine. The download will take place without any 
notification from Windows. In order to allow this download to take place 
the infected machine listens on ports higher than 1639 for download 
requests.

The email distributed by W32/Bofra-D creates fake email headers to 
pretend it was created by a number of different legitimate email clients 
and also that it has been checked for viruses. The email itself has the 
following characteristics:

From field: An address found on the infected computer, or one 
constructed randomly from strings within the worm such as:

exchange-robot@paypal.com
palux@yahoo.com

Subject line: Blank or one of the following:

Hi!
HI!
Hey!
HEY!
Confirmation
CONFIRMATION

Message body:

Congratulations! PayPal has successfully charged $175 to your credit 
card. Your order tracking number is A866DEC0, and your item will be 
shipped within three business days.
To see details please click this link.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an 
automated message system and the reply will not be received.
Thank you for using PayPal.

Hi! I am looking for new friends. I am from Miami, FL. You can see my 
homepage with my last webcam photos! Hello!

Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!

W32/Bofra-D also contains IRC backdoor functionality and may download 
and execute files from remote website to files with random filenames in 
the Windows system folder if instructed to do so.

W32/Bofra-D attempts to delete the following registry entries to prevent 
other variants of W32/Bofra running when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
center

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
reactor

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Rhino

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor3

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor4

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor5

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor6





Name   W32/Rbot-PJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes

Aliases  
    * Backdoor.Win32.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-PJ is a network worm which attempts to spread via network 
shares. The worm contains backdoor Trojan functions that allow 
unauthorised remote access to the infected computer via IRC channels 
while running in the background.

The worm spreads to network shares with weak passwords and by using the 
following exploits:

- LSASS exploit (MS04-011)
- RPC-DCOM exploit (MS03-039)


Advanced
W32/Rbot-PJ is a network worm which attempts to spread via network 
shares. The worm contains backdoor Trojan functions that allow 
unauthorised remote access to the infected computer via IRC channels 
while running in the background.

The worm spreads to network shares with weak passwords and by using the 
following exploits:

- LSASS exploit (MS04-011)
- RPC-DCOM exploit (MS03-039)

When run W32/Rbot-PJ moves itself to the Windows System folder as a 
read-only, hidden and system file named msn.exe.

The worm then creates the following registry entries so as to run itself 
either on user logon or computer restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSN = msn.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MSN = msn.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MSN = msn.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
MSN = msn.exe

W32/Rbot-PJ also creates the following registry entries:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa\
MSN = msn.exe

HKCU\Software\Microsoft\OLE\
MSN = msn.exe

HKLM\SOFTWARE\Microsoft\Ole\
MSN = msn.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
MSN = msn.exe

Once installed, W32/Rbot-PJ will attempt to perform the following 
actions when instructed to do so by a remote attacker:

- setup a HTTP proxy
- setup a SOCKS4 server
- add or delete connections to network shares
- download and run files from the Internet
- perform port scanning
- scan IP addresses
- search files on the infected computer
- capture screen information and images
- terminate processes
- steal computer system information (computer name, available
memory, drive types)
- capture clipboard data
- terminate anti-virus and security applications
- partake in SYN flooding using a variety of attacks
comprising TCP/IP, UDP and ICMP (Ping) commands





Name   W32/Rbot-PH

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-PH is a worm which attempts to spread to remote network shares 
and contains backdoor Trojan functionality allowing unauthorised remote 
access to the infected computer.

Advanced
W32/Rbot-PH is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-PH moves itself to the Windows system folder as msnmsgr7.exe 
and creates the following registry entries to ensure it is run at system 
logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSN Start = msnmsgr7.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MSN Start = msnmsgr7.exe

The worm also creates the following registry entry:

HKCU\Software\Microsoft\OLE\
MSN Start = msnmsgr7.exe

W32/Rbot-PH spreads to network shares with weak passwords and via 
exploiting vulnerabilities including the RPC-DCOM(MS04-012), 
IIS5SSL(MS04-011) and LSASS(MS04-011) vulnerabilities.

W32/Rbot-PH will also download and execute remote files on the infected 
computer, log key strokes, retrieve information such as CD keys for 
various games and flood other computers with network packets.





Name   Troj/StartPa-DO

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.StartPage.ix

Prevalence (1-5) 2

Description
Troj/StartPa-DO is a browser hijacking Trojan.

Troj/StartPa-DO changes settings for Internet Explorer and sets the 
start page to a file dropped by the Trojan.

When installed, Troj/StartPa-DO drops the new start page as a file 
sp.html in the Temp directory.

Troj/StartPa-DO can be uninstalled via the Add or Remove Programs dialog 
in the Windows Control Panel by selecting the entry "Search Assistant 
Uninstall".

Advanced
Troj/StartPa-DO is a browser hijacking Trojan.

Troj/StartPa-DO changes settings for Internet Explorer and sets the 
start page to a file dropped by the Trojan.

When installed, Troj/StartPa-DO drops the new start page as a file 
sp.html in the Temp directory. The Trojan then sets the following 
registry entries:

HKCU\Software\Microsoft\Internet Explorer\Main\
Start Pageabout:blank

HKLM\Software\Microsoft\Internet Explorer\Main\
Start Pageabout:blank

HKCU\Software\Microsoft\Internet Explorer\Main\
HOMEOldSPabout:blank

HKLM\Software\Microsoft\Internet Explorer\Main\
HOMEOldSPabout:blank

HKCU\Software\Microsoft\Internet Explorer\Main\
Search Bar<Temp>\sp.html

HKLM\Software\Microsoft\Internet Explorer\Main\
Search Bar<Temp>\sp.html

HKCU\Software\Microsoft\Internet Explorer\Search\
Search Assistant<Temp>\sp.html

HKCU\Software\Microsoft\Internet Explorer\Main\
Use Custom Search URL1

HKLM\Software\Microsoft\Internet Explorer\Main\
Use Custom Search URL1

HKCU\Software\Microsoft\Internet Explorer\Main\
Use Search Asstno

HKLM\Software\Microsoft\Internet Explorer\Main\
Use Search Asstno

The Trojan creates two entries in

HKCR\CLSID

where the CLSID values are randomly chosen. The Trojan also creates an 
entry in

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects

corresponding to one of these CLSID values.

Troj/StartPa-DO can be uninstalled via the Add or Remove Programs dialog 
in the Windows Control Panel by selecting the entry "Search Assistant 
Uninstall".





Name   W32/Rbot-PG

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Rbot-PG is a network worm and backdoor Trojan for the Windows 
platform.

W32/Rbot-PG allows a malicious user remote access to an infected 
computer.

W32/Rbot-PG spreads using a variety of techniques including exploiting 
weak passwords on computers and SQL servers, exploiting operating system 
vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using 
backdoors opened by other worms or Trojans.

W32/Rbot-PG can be controlled by a remote attacker over IRC channels.

Advanced
W32/Rbot-PG is a network worm and backdoor Trojan for the Windows 
platform.

W32/Rbot-PG allows a malicious user remote access to an infected 
computer.

The worm copies itself to a file named wuanclt.exe in the Windows system 
folder and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
*windows update = wuanclt.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
*windows update = wuanclt.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
*windows update = wuanclt.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
*windows update = wuanclt.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
*windows update = wuanclt.exe

W32/Rbot-PG spreads using a variety of techniques including exploiting 
weak passwords on computers and SQL servers, exploiting operating system 
vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using 
backdoors opened by other worms or Trojans.

W32/Rbot-PG can be controlled by a remote attacker over IRC channels.

Patches for the operating system vulnerabilities exploited by 
W32/Rbot-PG can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletins/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletins/ms03-026.mspx
http://www.microsoft.com/technet/security/bulletins/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletins/ms01-059.mspx





Name   W32/Bofra-B

Type  
    * Worm

How it spreads  
    * Email messages

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * W32/Mydoom.AI@mm
    * W32/Mydoom.ah@MM
    * W32.Mydoom.AH@mm
    * Win32/Mydoom.AH@mm

Prevalence (1-5) 2

Description
W32/Bofra-B is a worm for the Windows platform that arrives via email.

The email distributed by W32/Bofra-B creates fake email headers to 
pretend it was created by a number of different legitimate email clients 
and also that it has been checked for viruses. The email itself has the 
following characteristics:

FROM: This field will be one entry from the following list
Becky
joanna
KETTY
jane
sindy
exchange-robot@paypal.com (for emails pretending to be from PayPal)

SUBJECT: This field will be one entry from the following list
Hi!
Hey!
Confirmation

BODY: This field will be one entry from the following list, and the 
colour and text formatting may vary

Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!

Congratulations! PayPal has successfully charged $175 to your credit 
card.
Your order tracking number is A866DEC0 and your item will be shipped 
within three business days.
To See details please click this link,
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an 
automated message system and the reply will not be received.
Thank you for using PayPal.

Further information:

How does the Bofra worm infect your PC?
Bofra worms spread via unpatched Internet Explorer security hole

Advanced
W32/Bofra-B is a mass-mailing worm for the Windows platform.

W32/Bofra-B tries to copy itself either to the Windows system folder or 
to the Temp folder, copying itself to a filename comprising of between 2 
and 8 random characters followed by 32.EXE (eg EOFJNF32.EXE). 
W32/Bofra-B then creates an entry in the registry at one of the 
following locations so as to be run on system startup:

HKLM
Software\Microsoft\Windows\CurrentVersion\Run
Reactor5

HKCU
Software\Microsoft\Windows\CurrentVersion\Run
Reactor5

W32/Bofra-B attempts to harvest email addresses from the Outlook address 
book and from files with the following extensions:

TXT, HTMB, SHTL, PHPQ, ASPD, DBXN, TBBG, ADBH, PL, WAB

W32/Bofra-B wil not harvest addresses containing the following strings:

avp, syma, icrosof, msn., hotmail, panda, sopho, borlan, inpris, example, 
mydomai, nodomai, ruslis, .gov, gov., .mil, foo., root, info, samples, 
postmaster, webmaster, noone, nobody, nothing, anyone, someone, your, 
you, me, bugs, rating, site, contact, soft, no, somebody, privacy, 
service, help, not, submit, feste, ca, gold-certs, the.bat, page, spm, 
spam, www, secur, abuse, admin, icrosoft, support, ntivi, unix, bsd, 
linux, listserv, certific, google, accoun, berkeley, unix, math, bsd, 
mit.e, gnu, fsf., ibm.com, google, kernel, linux, fido, usenet, iana, 
ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, secur, acketst, pgp, 
tanford.e, utgers.ed, mozilla

W32/Bofra-B will use its own SMTP engine to send emails to these 
harvested addresses, enticing the recipient to click on a hyperlink. 
This link makes use of an exploit in Internet Explorer to download 
W32/Bofra-B from the infected computer, saving the infected file to the 
Desktop with the filename VV.DAT. The download will take place without 
any notification from Windows. In order to allow this download to take 
place the infected machine listens on ports higher than 1639 for 
download requests.

The email distributed by W32/Bofra-B creates fake email headers to 
pretend it was created by a number of different legitimate email clients 
and also that it has been checked for viruses. The email itself has the 
following characteristics:

FROM: This field will be one entry from the following list
Becky
joanna
KETTY
jane
sindy
exchange-robot@paypal.com (for emails pretending to be from PayPal)

SUBJECT: This field will be one entry from the following list
Hi!
Hey!
Confirmation

BODY: This field will be one entry from the following list, and the 
colour and text formatting may vary

Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!

Congratulations! PayPal has successfully charged $175 to your credit 
card.
Your order tracking number is A866DEC0 and your item will be shipped 
within three business days.
To See details please click this link,
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an 
automated message system and the reply will not be received.
Thank you for using PayPal.

W32/Bofra-B also contains IRC backdoor Trojan functionality and may 
download and execute files from remote website to files with random 
filenames in the Windows system folder if instructed to do so.

W32/Bofra-B attempts to delete the following registry entries to prevent 
files created by other variants of the worm from running on system 
startup:

HKLM
Software\Microsoft\Windows\CurrentVersion\Run
center

HKLM
Software\Microsoft\Windows\CurrentVersion\Run
reactor

HKLM
Software\Microsoft\Windows\CurrentVersion\Run
Rhino

HKLM
Software\Microsoft\Windows\CurrentVersion\Run
Reactor3

HKLM
Software\Microsoft\Windows\CurrentVersion\Run
Reactor4

W32/Bofra-B attempts to inject itself into Explorer in order to make it 
more difficult to be removed.

W32/Bofra-B will not run on dates past December 15th.

Further information:

How does the Bofra worm infect your PC?
Bofra worms spread via unpatched Internet Explorer security hole





Name   W32/Forbot-CF

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Forbot-CF is a network worm and IRC backdoor Trojan for the Windows 
platform.

W32/Forbot-CF spreads through network shares and by exploiting the LSASS 
(MS04-011) software vulnerability. The worm may also spread through 
backdoors left open by other malware.

The backdoor component of W32/Forbot-CF can be used to:

start an FTP and HTTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDoS) attacks.
flush the DNS cache.
logoff, reboot and shut down the computer.

Advanced
W32/Forbot-CF is a network worm and IRC backdoor Trojan for the Windows 
platform.

W32/Forbot-CF spreads through network shares and by exploiting the LSASS 
(MS04-011) software vulnerability. The worm may also spread through 
backdoors left open by other malware.

When first run, W32/Forbot-CF copies itself to the Windows System folder 
as svcshost.exe. In order to run automatically each time Windows is 
started, W32/Forbot-CF sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows Update = "svcshost.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Windows Update = "svcshost.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Windows Update = "svcshost.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows Update = "svcshost.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Windows Update = "svcshost.exe"

W32/Forbot-CF creates a service named "Microsoft Update" with the 
display name "Microsoft Windows Update".

The worm runs continuously in the background providing backdoor access 
to the infected computer through IRC channels.

The backdoor component of W32/Forbot-CF can be used to:

start an FTP and HTTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDOS) attacks.
flush the DNS cache.
logoff, reboot and shut down the computer.

W32/Forbot-CF may delete the ADMIN$, IPC$, C$ and D$ network shares.

W32/Forbot-CF is capable of stealing product keys from games and 
applications such as:

.NET Messenger Service
AOL Instant Messenger
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden & Dangerous 2
IGI 2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Microsoft Windows Product ID
Nascar Racing 2002
Nascar Racing 2003
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
NHL 2002
NHL 2003
Rainbow Six III RavenShield
Shogun: Total War: Warlord Edition
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Yahoo Pager

W32/Forbot-CF may alter the following registry entries in order to 
enable/disable DCOM:

HKLM\Software\Microsoft\Ole\
EnableDCOM

W32/Forbot-CF will attempt to disable other malware, such as members of 
the W32/Bagle family.





Name   W32/Bofra-A

Type  
    * Worm

How it spreads  
    * Email messages
    * Web downloads
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Uses its own emailing engine
    * Downloads code from the internet

Aliases  
    * W32/Mydoom.ag@M

Prevalence (1-5) 2

Description
W32/Bofra-A is a Worm for the Windows platform that arrives via email.

The body of the email will try to entice the user to click on a 
hyperlink to look at webcam images or to visit an adult website.

W32/Bofra-A attempts to harvest email addresses from the Outlook address 
book and from other files on the infected machine.

W32/Bofra-A will not harvest addresses containing the following strings:

avp, syma, icrosof, msn., hotmail, panda, sopho, borlan, inpris, example, 
mydomai, nodomai, ruslis, .gov, gov., .mil, foo., root, info, samples, 
postmaster, webmaster, noone, nobody, nothing, anyone, someone, your, 
you, me, bugs, rating, site, contact, soft, no, somebody, privacy, 
service, help, not, submit, feste, ca, gold-certs, the.bat, page, spm, 
spam, www, secur, abuse, admin, icrosoft, support, ntivi, unix, bsd, 
linux, listserv, certific, google, accoun, berkeley, unix, math, bsd, 
mit.e, gnu, fsf., ibm.com, google, kernel, linux, fido, usenet, iana, 
ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, secur, acketst, pgp, 
tanford.e, utgers.ed, mozilla

W32/Bofra-A will use its own SMTP engine to send emails to these 
harvested addresses, enticing the recipient to click on a hyperlink 
which downloads the worm from the host infected machine.

The email distributed by W32/Bofra-A creates fake email headers to 
pretend it was created by a number of different legitimate email clients 
and also that it has been checked for viruses. The email itself has the 
following characteristics:

FROM: This field will be one entry from the following list

Becky
joanna
KETTY
jane
sindy

SUBJECT: This field will be one entry from the following list

hey!
Hello
funny photos :)

BODY: This field will be one entry from the following list

FREE ADULT VIDEO! SIGN UP NOW!
Look at my homepage with my last webcam photos

W32/Bofra-A also contains IRC backdoor Trojan functionality and may 
download and execute files from remote website to files with random 
filenames in the Windows system folder if instructed to do so.

W32/Bofra-A will not run on dates past December 15th.

Further information:

How does the Bofra worm infect your PC?
Bofra worms spread via unpatched Internet Explorer security hole

Advanced
W32/Bofra-A is a mass-mailing Worm for the Windows platform.

W32/Bofra-A tries to copy itself either to the Windows system folder or 
to the Temp folder, copying itself to a filename comprising of between 2 
and 8 random characters followed by 32.EXE (eg EOFJNF32.EXE). 
W32/Bofra-A then creates an entry in the registry at one of the 
following locations so as to be run on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Rhino

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Rhino

W32/Bofra-A attempts to harvest email addresses from the Outlook address 
book and from files with the following extensions:

TXT, HTMB, SHTL, PHPQ, ASPD, DBXN, TBBG, ADBH, PL, WAB

W32/Bofra-A will not harvest addresses containing the following strings:

avp, syma, icrosof, msn., hotmail, panda, sopho, borlan, inpris, example, 
mydomai, nodomai, ruslis, .gov, gov., .mil, foo., root, info, samples, 
postmaster, webmaster, noone, nobody, nothing, anyone, someone, your, 
you, me, bugs, rating, site, contact, soft, no, somebody, privacy, 
service, help, not, submit, feste, ca, gold-certs, the.bat, page, spm, 
spam, www, secur, abuse, admin, icrosoft, support, ntivi, unix, bsd, 
linux, listserv, certific, google, accoun, berkeley, unix, math, bsd, 
mit.e, gnu, fsf., ibm.com, google, kernel, linux, fido, usenet, iana, 
ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, secur, acketst, pgp, 
tanford.e, utgers.ed, mozilla

W32/Bofra-A will use its own SMTP engine to send emails to these 
harvested addresses, enticing the recipient to click on a hyperlink. 
This link makes use of an exploit in Internet Explorer to download 
W32/Bofra-A from the infected machine, saving the infected file to the 
Desktop with the filename OLESERVER.EXE. The download will take place 
without any notification from Windows. In order to allow this download 
to take place the infected machine listens on ports higher than 1639 for 
download requests.

The email distributed by W32/Bofra-A creates fake email headers to 
pretend it was created by a number of different legitimate email clients 
and also that it has been checked for viruses. The email itself has the 
following characteristics:

FROM: This field will be one entry from the following list

Becky
joanna
KETTY
jane
sindy

SUBJECT: This field will be one entry from the following list

hey!
Hello
funny photos :)

BODY: This field will be one entry from the following list

FREE ADULT VIDEO! SIGN UP NOW!
Look at my homepage with my last webcam photos

W32/Bofra-A also contains IRC backdoor Trojan functionality and may 
download and execute files from remote website to files with random 
filenames in the Windows system folder if instructed to do so.

W32/Bofra-A attempts to delete the following registry entries to prevent 
files created by other variants of the worm from running on system 
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
center

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
reactor

W32/Bofra-A attempts to inject itself into Explorer in order to make it 
more difficult to be removed.

W32/Bofra-A will not run on dates past December 15th.

Further information:

How does the Bofra worm infect your PC?
Bofra worms spread via unpatched Internet Explorer security hole





Name   Troj/Bancban-AC

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Turns off anti-virus applications
    * Steals information
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * PWS-Bancban.gen.b

Prevalence (1-5) 2

Description
Troj/Bancban-AC is a password-stealing Trojan targetted at customers of 
certain Brazilian banks.

Troj/Bancban-AC attempts to log keypresses entered into certain websites. 
The Trojan displays fake user interfaces in order to persuade the user 
to enter confidential details. Stolen information is sent by email to a 
remote user.

Troj/Bancban-AC also attempts to detect and delete files belonging to 
Norton AntiVirus and Norton Personal Firewall.

Stolen data may be saved to a file USER.TXT. An image file BARRA.BMP may 
also be dropped.

Advanced
Troj/Bancban-AC is a password-stealing Trojan targetted at customers of 
certain Brazilian banks.

Troj/Bancban-AC attempts to log keypresses entered into certain websites. 
The Trojan displays fake user interfaces in order to persuade the user 
to enter confidential details. Stolen information is sent by email to a 
remote user.

Troj/Bancban-AC copies itself as CSRSS.EXE to a subfolder SYSTEM of the 
Windows system folder and creates the following registry entry in order 
to run itself on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
KernellApps<Windows system>\System\csrss.exe

Troj/Bancban-AC also attempts to detect and delete files belonging to 
Norton AntiVirus and Norton Personal Firewall.

Stolen data may be saved to a file USER.TXT. An image file BARRA.BMP may 
also be dropped.





Name   W32/Rbot-PE

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * WORM_RBOT.ZV
    * Backdoor.Win32.Rbot.gen
    * W32/Sdbot.worm.gen.i

Prevalence (1-5) 2

Description
W32/Rbot-PE is a worm which attempts to spread via remote network shares. 
The worm contains backdoor Trojan functionality allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-PE also has a backdoor component that allows a malicious 
intruder remote access shell to an infected computer.

The worm spreads to network shares with weak passwords using the 
following security exploits:

- LSASS exploit (MS04-011)
- RPC-DCOM exploit (MS04-012)
- WebDav exploit (MS03-007)

Advanced
W32/Rbot-PE is a worm which attempts to spread via remote network shares. 
The worm contains backdoor Trojan functionality allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-PE also has a backdoor component that allows a malicious 
intruder remote access shell to an infected computer.

The worm spreads to network shares with weak passwords using the 
following security exploits:

- LSASS exploit (MS04-011)
- RPC-DCOM exploit (MS04-012)
- WebDav exploit (MS03-007)

W32/Rbot-PE moves itself to the Windows system folder as vpc32.exe. The 
worm then creates the following registry entries to run itself on 
computer restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = vpc32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = vpc32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = vpc32.exe

W32/Rbot-PE also sets the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = N

W32/Rbot-PE may attempt to perform the following actions when instructed 
to do so by a remote attacker:

- steal CD keys
- partake in distributed denial of service (DDoS) attacks
- capture clipboard data
- scan IP addresses
- perform DNS cache flushes
- ping IP addresses
- download and run files from the Internet
- steal computer system information (computer name, available
memory, drive types)
- add and delete connections to network shared folders
- transfer files via TFTP
- capture screen images from web camera applications
- login to MS SQL servers and send EXEC commands to open a
command shell
- change the local security policy of a local or remote system

The worm may copy itself to shared folders of P2P applications like 
Kazaa, Morpheus, eDonkey2000, LimeWire, iMesh.

W32/Rbot-PE may also log keystrokes and store the captured information 
into the file %SYSTEM%\keys.txt.





Name   W32/Rbot-PC

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Rbot.gen
    * W32/Sdbot.worm.gen.i
    * WORM_SPYBOT.GZ

Prevalence (1-5) 2

Description
W32/Rbot-PC is a member of the W32/Rbot family of worms with a backdoor 
component that spread on weakly protected network shares on the Windows 
platform.

The worm spreads as a result of receiving the appropriate command by 
scanning random IP addresses for open SMB ports (445) and trying to copy 
itself to the Windows system folder on the remote Admin$ and C$ shares.

W32/Rbot-PC uses an internal dictionary of common passwords to gain 
access. The worm attempts to schedule the copied file for later 
execution on the remote machine.

In addition the worm also has the ability to scan for and exploit common 
vulnerabilities on the Windows platform such as the LSASS vulnerability 
(MS04-012) as well as ports opened by other worms such as W32/Bagle or 
W32/MyDoom.

W32/Rbot-PC also has a backdoor component that allows a malicious user 
remote access to an infected computer.

When run the worm attempts to contact a remote IRC server and join a 
specific channel to listen for commands.

Advanced
W32/Rbot-PC is a member of the W32/Rbot family of worms with a backdoor 
component that spreads using weakly protected network shares on the 
Windows platform.

The worm spreads as a result of receiving the appropriate command by 
scanning Random IP addresses for open SMB ports (445) and trying to copy 
itself to the Windows system folder on the remote Admin$ and C$ shares.

W32/Rbot-PC uses an internal dictionary of common passwords to gain 
access. The worm attempts to schedule the copied file for later 
execution on the remote machine.

In addition the worm also has the ability to scan for and exploit common 
vulnerabilities on the Windows platform such as the LSASS vulnerability 
(MS04-012) as well as ports opened by other worms such as W32/Bagle or 
W32/MyDoom.

W32/Rbot-PC also has a backdoor component that allows a malicious user 
remote access to an infected computer.

When run the worm attempts to contact a remote IRC server and join a 
specific channel to listen for commands.

Besides the spreading functionality members of the W32/Rbot family also 
allow a remote user to set up a proxy server, start a HTTP server on a 
user specified port, collect system information, add or delete shares 
and users, kill processes, download and execute files, send email, 
remotely control a connected web cam, sniff network traffic, log 
keystrokes, steal keys for certain games or launch various 
denial-of-service attacks against an attacker-specified target.

In order to run automatically when Windows starts up W32/Rbot-PC copies 
itself to the file csrse.exe in the Windows system folder and creates 
the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Registry
csrse.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Registry
csrse.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Registry
csrse.exe.





Name   W32/Forbot-CD

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Wootbot.gen

Prevalence (1-5) 2

Description
W32/Forbot-CD is a network worm and IRC backdoor Trojan for the Windows 
platform.

W32/Forbot-CD spreads through network shares and by exploiting the LSASS 
(MS04-011) software vulnerability. The worm may also spread through 
backdoors left open by other malware.

The worm runs continuously in the background providing backdoor access 
to the infected computer through IRC channels.

The backdoor component of W32/Forbot-CD can be used to:

start an FTP and HTTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDOS) attacks.
flush the DNS cache.
logoff, reboot and shut down the computer.

W32/Forbot-CD may attempt to disable other malware, such as members of 
the W32/Bagle family.

Advanced
W32/Forbot-CD is a network worm and IRC backdoor Trojan for the Windows 
platform.

W32/Forbot-CD spreads through network shares and by exploiting the LSASS 
(MS04-011) software vulnerability. The worm may also spread through 
backdoors left open by other malware.

When first run, W32/Forbot-CD copies itself to the Windows System folder 
as svchosting.exe. In order to run automatically each time Windows is 
started, W32/Forbot-CD sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
NDIS Adapter
windows.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
NDIS Adapter
windows.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
NDIS Adapter
windows.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
NDIS Adapter
windows.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
NDIS Adapter
windows.exe

W32/Forbot-CD creates a service named "NDIS TCP Layer Transport Device" 
with the display name "NDIS Adapter".

The worm runs continuously in the background providing backdoor access 
to the infected computer through IRC channels.

The backdoor component of W32/Forbot-CD can be used to:

start an FTP and HTTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDOS) attacks