Text 72, 1721 rader
Skriven 2004-11-13 12:34:00 av KURT WISMER (1:123/140)
Ärende: News, Nov. 13 2004
==========================
[cut-n-paste from sophos.com]
Name Troj/Banker-FA
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Banker.fa
* PWS-Bancban.gen.b
Prevalence (1-5) 2
Description
Troj/Banker-FA is a password-stealing Trojan aimed at customers of a
Brazilian bank.
Troj/Banker-FA will monitor a user's internet access. When certain
internet banking sites are visited, the Trojan will display a fake login
screen in order to trick the user into entering their details.
Troj/Banker-FA will then send the stolen details to a Brazilian email
address.
Troj/Banker-FA may also download and install further related software.
When run, Troj/Banker-FA copies itself to the Windows system folder as
CARTAO.EXE.
Advanced
Troj/Banker-FA is a password-stealing Trojan aimed at customers of a
Brazilian bank.
Troj/Banker-FA will monitor a user's internet access. When certain
internet banking sites are visited, the Trojan will display a fake login
screen in order to trick the user into entering their details.
Troj/Banker-FA will then send the stolen details to a Brazilian email
address.
Troj/Banker-FA may also download and install further related software.
When run, Troj/Banker-FA copies itself to the Windows system folder as
CARTAO.EXE and sets the following registry entry in order to be run on
system startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
cartao<system>\cartao.exe
Name W32/Forbot-CI
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Aliases
* WORM_WOOTBOT.CJ
Prevalence (1-5) 2
Description
W32/Forbot-CI is an IRC backdoor Trojan and network worm for the Windows
platform.
Advanced
W32/Forbot-CI is an IRC backdoor Trojan and network worm for the Windows
platform.
In order to run automatically when Windows starts up the worm moves
itself to the Windows system folder as svshost.exe and creates the
following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows Update = svshost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Windows Update = svshost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Windows Update = svshost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows Update = svshost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Windows Update = svshost.exe
W32/Forbot-CI also creates its own service named "Microsoft Update",
with the display name "Microsoft Windows Update".
Once installed, W32/Forbot-CI connects to a preconfigured IRC server and
joins a channel from which an attacker can issue further commands. These
commands can cause the infected machine to perform any of the following
actions:
flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly-chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files
The worm can spread to unpatched machines affected by the LSASS
vulnerability (see MS04-011) and through backdoors left open by the
Troj/Optix Trojans.
Name W32/Rbot-PS
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Prevalence (1-5) 2
Description
W32/Rbot-PS is a network worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-PS spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
Patches for the operating system vulnerabilities exploited by
W32/Rbot-PS can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx
Advanced
W32/Rbot-PS is a network worm and IRC backdoor Trojan for the Windows
platform.
The worm copies itself to a file named rundll24.exe in the Windows
system folder and creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Module
"rundll24.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Module
"rundll24.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Module
"rundll24.exe"
W32/Rbot-PS spreads using a variety of techniques including exploiting
weak password on computers and SQL servers, exploiting operating system
vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
W32/Rbot-PS can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-PS can be instructed by a remote
attacker to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
Patches for the operating system vulnerabilities exploited by
W32/Rbot-PS can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx
Name Troj/Krepper-L
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan.Win32.Krepper.ab
Prevalence (1-5) 2
Description
Troj/Krepper-L is a Trojan which attempts to download further components
through Internet Explorer address space. As a result, this may create
various pop-ups and drop various links on the host computer.
Advanced
Troj/Krepper-L is a Trojan which attempts to download further components
through Internet Explorer address space. As a result, this may create
various pop-ups and drop various links on the host computer.
Troj/Krepper-L may create a folder in:
<Application Data>/fast regs great two/Bait Soft Start
in which it will store files downloaded from the predefined location.
Name Troj/Mastseq-H
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Reduces system security
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Mastseq-H is a backdoor Trojan which runs continuously in the
background providing various services to a remote intruder.
Troj/Mastseq-H injects its code into a new instance of Microsoft
Internet Explorer, in order to be less obvious in the process list and
to possibly gain trusted application status.
Advanced
Troj/Mastseq-H is a backdoor Trojan which runs continuously in the
background providing various services to a remote intruder.
Troj/Mastseq-H injects its code into a new instance of Microsoft
Internet Explorer, in order to be less obvious in the process list and
to possibly gain trusted application status.
Troj/Mastseq-H sends data to a remote location via port 80 (HTTP).
Troj/Mastseq-H deletes the following registry entry (if it exists),
including all sub-keys:
HKLM\Software\Numega
Harmless data files named emapi.dat, jwplay.rom and lspdf.ax may be
created in the Windows system folder.
Name W32/Bofra-D
Type
* Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
Aliases
* Worm/MyDoom.AH
* I-Worm.Bofra.b
* W32/Mydoom.gen@MM
* Worm.Mydoom.AD
Prevalence (1-5) 2
Description
W32/Bofra-D is a mass-mailing worm for the Windows platform.
W32/Bofra-D harvests email addresses from files on the infected
computer.
W32/Bofra-D uses its own SMTP engine to send emails to these harvested
addresses, enticing the recipient to click on a hyperlink. This link
makes use of an exploit in Internet Explorer to download W32/Bofra-D
from the infected machine. The download will take place without any
notification from Windows.
The email distributed by W32/Bofra-D has the following characteristics:
From field: An address found on the infected computer, or one
constructed randomly from strings within the worm such as:
exchange-robot@paypal.com
palux@yahoo.com
Subject line: Blank or one of the following:
Hi!
HI!
Hey!
HEY!
Confirmation
CONFIRMATION
Message body:
Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0, and your item will be
shipped within three business days.
To see details please click this link.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an
automated message system and the reply will not be received.
Thank you for using PayPal.
Hi! I am looking for new friends. I am from Miami, FL. You can see my
homepage with my last webcam photos! Hello!
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!
W32/Bofra-D also contains IRC backdoor functionality.
Advanced
W32/Bofra-D is a mass-mailing worm for the Windows platform.
W32/Bofra-D tries to copy itself either to the Windows system folder or
to the Temp folder, copying itself to a filename comprising of between 3
and 8 random characters followed by 32.EXE (eg EOFJNF32.EXE).
W32/Bofra-D then creates an entry in the registry at one of the
following locations so as to be run when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor8
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor8
W32/Bofra-D attempts to harvest email addresses from the Outlook address
book and from files with the following extensions:
TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB, PL, WAB
W32/Bofra-D wil not harvest addresses containing the following strings:
.gov, .mil, accoun, acketst, admin, anyone, arin., avp, berkeley,
borlan, bsd, bugs, ca, certific, contact, example, feste, fido, foo.,
fsf., gnu, gold-certs, google, gov., help, hotmail, iana, ibm.com,
icrosof, icrosoft, ietf, info, inpris, isc.o, isi.e, kernel, linux,
listserv, math, me, mit.e, mozilla, msn., mydomai, no, nobody, nodomai,
noone, not, nothing, ntivi, page, panda, pgp, postmaster, privacy,
rating, rfc-ed, ripe., root, ruslis, samples, secur, sendmail, service,
site, soft, somebody, someone, sopho, submit, support, syma, tanford.e,
the.bat, unix, usenet, utgers.ed, webmaster, you, your
W32/Bofra-D uses its own SMTP engine to send emails to these harvested
addresses, enticing the recipient to click on a hyperlink. This link
makes use of an exploit in Internet Explorer to download W32/Bofra-D
from the infected machine. The download will take place without any
notification from Windows. In order to allow this download to take place
the infected machine listens on ports higher than 1639 for download
requests.
The email distributed by W32/Bofra-D creates fake email headers to
pretend it was created by a number of different legitimate email clients
and also that it has been checked for viruses. The email itself has the
following characteristics:
From field: An address found on the infected computer, or one
constructed randomly from strings within the worm such as:
exchange-robot@paypal.com
palux@yahoo.com
Subject line: Blank or one of the following:
Hi!
HI!
Hey!
HEY!
Confirmation
CONFIRMATION
Message body:
Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0, and your item will be
shipped within three business days.
To see details please click this link.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an
automated message system and the reply will not be received.
Thank you for using PayPal.
Hi! I am looking for new friends. I am from Miami, FL. You can see my
homepage with my last webcam photos! Hello!
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!
W32/Bofra-D also contains IRC backdoor functionality and may download
and execute files from remote website to files with random filenames in
the Windows system folder if instructed to do so.
W32/Bofra-D attempts to delete the following registry entries to prevent
other variants of W32/Bofra running when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
center
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
reactor
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Rhino
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor3
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor4
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor5
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Reactor6
Name W32/Rbot-PJ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-PJ is a network worm which attempts to spread via network
shares. The worm contains backdoor Trojan functions that allow
unauthorised remote access to the infected computer via IRC channels
while running in the background.
The worm spreads to network shares with weak passwords and by using the
following exploits:
- LSASS exploit (MS04-011)
- RPC-DCOM exploit (MS03-039)
Advanced
W32/Rbot-PJ is a network worm which attempts to spread via network
shares. The worm contains backdoor Trojan functions that allow
unauthorised remote access to the infected computer via IRC channels
while running in the background.
The worm spreads to network shares with weak passwords and by using the
following exploits:
- LSASS exploit (MS04-011)
- RPC-DCOM exploit (MS03-039)
When run W32/Rbot-PJ moves itself to the Windows System folder as a
read-only, hidden and system file named msn.exe.
The worm then creates the following registry entries so as to run itself
either on user logon or computer restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSN = msn.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MSN = msn.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MSN = msn.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
MSN = msn.exe
W32/Rbot-PJ also creates the following registry entries:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa\
MSN = msn.exe
HKCU\Software\Microsoft\OLE\
MSN = msn.exe
HKLM\SOFTWARE\Microsoft\Ole\
MSN = msn.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
MSN = msn.exe
Once installed, W32/Rbot-PJ will attempt to perform the following
actions when instructed to do so by a remote attacker:
- setup a HTTP proxy
- setup a SOCKS4 server
- add or delete connections to network shares
- download and run files from the Internet
- perform port scanning
- scan IP addresses
- search files on the infected computer
- capture screen information and images
- terminate processes
- steal computer system information (computer name, available
memory, drive types)
- capture clipboard data
- terminate anti-virus and security applications
- partake in SYN flooding using a variety of attacks
comprising TCP/IP, UDP and ICMP (Ping) commands
Name W32/Rbot-PH
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-PH is a worm which attempts to spread to remote network shares
and contains backdoor Trojan functionality allowing unauthorised remote
access to the infected computer.
Advanced
W32/Rbot-PH is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-PH moves itself to the Windows system folder as msnmsgr7.exe
and creates the following registry entries to ensure it is run at system
logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSN Start = msnmsgr7.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MSN Start = msnmsgr7.exe
The worm also creates the following registry entry:
HKCU\Software\Microsoft\OLE\
MSN Start = msnmsgr7.exe
W32/Rbot-PH spreads to network shares with weak passwords and via
exploiting vulnerabilities including the RPC-DCOM(MS04-012),
IIS5SSL(MS04-011) and LSASS(MS04-011) vulnerabilities.
W32/Rbot-PH will also download and execute remote files on the infected
computer, log key strokes, retrieve information such as CD keys for
various games and flood other computers with network packets.
Name Troj/StartPa-DO
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Trojan.Win32.StartPage.ix
Prevalence (1-5) 2
Description
Troj/StartPa-DO is a browser hijacking Trojan.
Troj/StartPa-DO changes settings for Internet Explorer and sets the
start page to a file dropped by the Trojan.
When installed, Troj/StartPa-DO drops the new start page as a file
sp.html in the Temp directory.
Troj/StartPa-DO can be uninstalled via the Add or Remove Programs dialog
in the Windows Control Panel by selecting the entry "Search Assistant
Uninstall".
Advanced
Troj/StartPa-DO is a browser hijacking Trojan.
Troj/StartPa-DO changes settings for Internet Explorer and sets the
start page to a file dropped by the Trojan.
When installed, Troj/StartPa-DO drops the new start page as a file
sp.html in the Temp directory. The Trojan then sets the following
registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main\
Start Pageabout:blank
HKLM\Software\Microsoft\Internet Explorer\Main\
Start Pageabout:blank
HKCU\Software\Microsoft\Internet Explorer\Main\
HOMEOldSPabout:blank
HKLM\Software\Microsoft\Internet Explorer\Main\
HOMEOldSPabout:blank
HKCU\Software\Microsoft\Internet Explorer\Main\
Search Bar<Temp>\sp.html
HKLM\Software\Microsoft\Internet Explorer\Main\
Search Bar<Temp>\sp.html
HKCU\Software\Microsoft\Internet Explorer\Search\
Search Assistant<Temp>\sp.html
HKCU\Software\Microsoft\Internet Explorer\Main\
Use Custom Search URL1
HKLM\Software\Microsoft\Internet Explorer\Main\
Use Custom Search URL1
HKCU\Software\Microsoft\Internet Explorer\Main\
Use Search Asstno
HKLM\Software\Microsoft\Internet Explorer\Main\
Use Search Asstno
The Trojan creates two entries in
HKCR\CLSID
where the CLSID values are randomly chosen. The Trojan also creates an
entry in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects
corresponding to one of these CLSID values.
Troj/StartPa-DO can be uninstalled via the Add or Remove Programs dialog
in the Windows Control Panel by selecting the entry "Search Assistant
Uninstall".
Name W32/Rbot-PG
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Rbot-PG is a network worm and backdoor Trojan for the Windows
platform.
W32/Rbot-PG allows a malicious user remote access to an infected
computer.
W32/Rbot-PG spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
W32/Rbot-PG can be controlled by a remote attacker over IRC channels.
Advanced
W32/Rbot-PG is a network worm and backdoor Trojan for the Windows
platform.
W32/Rbot-PG allows a malicious user remote access to an infected
computer.
The worm copies itself to a file named wuanclt.exe in the Windows system
folder and creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
*windows update = wuanclt.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
*windows update = wuanclt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
*windows update = wuanclt.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
*windows update = wuanclt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
*windows update = wuanclt.exe
W32/Rbot-PG spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
W32/Rbot-PG can be controlled by a remote attacker over IRC channels.
Patches for the operating system vulnerabilities exploited by
W32/Rbot-PG can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletins/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletins/ms03-026.mspx
http://www.microsoft.com/technet/security/bulletins/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletins/ms01-059.mspx
Name W32/Bofra-B
Type
* Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* W32/Mydoom.AI@mm
* W32/Mydoom.ah@MM
* W32.Mydoom.AH@mm
* Win32/Mydoom.AH@mm
Prevalence (1-5) 2
Description
W32/Bofra-B is a worm for the Windows platform that arrives via email.
The email distributed by W32/Bofra-B creates fake email headers to
pretend it was created by a number of different legitimate email clients
and also that it has been checked for viruses. The email itself has the
following characteristics:
FROM: This field will be one entry from the following list
Becky
joanna
KETTY
jane
sindy
exchange-robot@paypal.com (for emails pretending to be from PayPal)
SUBJECT: This field will be one entry from the following list
Hi!
Hey!
Confirmation
BODY: This field will be one entry from the following list, and the
colour and text formatting may vary
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!
Congratulations! PayPal has successfully charged $175 to your credit
card.
Your order tracking number is A866DEC0 and your item will be shipped
within three business days.
To See details please click this link,
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an
automated message system and the reply will not be received.
Thank you for using PayPal.
Further information:
How does the Bofra worm infect your PC?
Bofra worms spread via unpatched Internet Explorer security hole
Advanced
W32/Bofra-B is a mass-mailing worm for the Windows platform.
W32/Bofra-B tries to copy itself either to the Windows system folder or
to the Temp folder, copying itself to a filename comprising of between 2
and 8 random characters followed by 32.EXE (eg EOFJNF32.EXE).
W32/Bofra-B then creates an entry in the registry at one of the
following locations so as to be run on system startup:
HKLM
Software\Microsoft\Windows\CurrentVersion\Run
Reactor5
HKCU
Software\Microsoft\Windows\CurrentVersion\Run
Reactor5
W32/Bofra-B attempts to harvest email addresses from the Outlook address
book and from files with the following extensions:
TXT, HTMB, SHTL, PHPQ, ASPD, DBXN, TBBG, ADBH, PL, WAB
W32/Bofra-B wil not harvest addresses containing the following strings:
avp, syma, icrosof, msn., hotmail, panda, sopho, borlan, inpris, example,
mydomai, nodomai, ruslis, .gov, gov., .mil, foo., root, info, samples,
postmaster, webmaster, noone, nobody, nothing, anyone, someone, your,
you, me, bugs, rating, site, contact, soft, no, somebody, privacy,
service, help, not, submit, feste, ca, gold-certs, the.bat, page, spm,
spam, www, secur, abuse, admin, icrosoft, support, ntivi, unix, bsd,
linux, listserv, certific, google, accoun, berkeley, unix, math, bsd,
mit.e, gnu, fsf., ibm.com, google, kernel, linux, fido, usenet, iana,
ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, secur, acketst, pgp,
tanford.e, utgers.ed, mozilla
W32/Bofra-B will use its own SMTP engine to send emails to these
harvested addresses, enticing the recipient to click on a hyperlink.
This link makes use of an exploit in Internet Explorer to download
W32/Bofra-B from the infected computer, saving the infected file to the
Desktop with the filename VV.DAT. The download will take place without
any notification from Windows. In order to allow this download to take
place the infected machine listens on ports higher than 1639 for
download requests.
The email distributed by W32/Bofra-B creates fake email headers to
pretend it was created by a number of different legitimate email clients
and also that it has been checked for viruses. The email itself has the
following characteristics:
FROM: This field will be one entry from the following list
Becky
joanna
KETTY
jane
sindy
exchange-robot@paypal.com (for emails pretending to be from PayPal)
SUBJECT: This field will be one entry from the following list
Hi!
Hey!
Confirmation
BODY: This field will be one entry from the following list, and the
colour and text formatting may vary
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!
Congratulations! PayPal has successfully charged $175 to your credit
card.
Your order tracking number is A866DEC0 and your item will be shipped
within three business days.
To See details please click this link,
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an
automated message system and the reply will not be received.
Thank you for using PayPal.
W32/Bofra-B also contains IRC backdoor Trojan functionality and may
download and execute files from remote website to files with random
filenames in the Windows system folder if instructed to do so.
W32/Bofra-B attempts to delete the following registry entries to prevent
files created by other variants of the worm from running on system
startup:
HKLM
Software\Microsoft\Windows\CurrentVersion\Run
center
HKLM
Software\Microsoft\Windows\CurrentVersion\Run
reactor
HKLM
Software\Microsoft\Windows\CurrentVersion\Run
Rhino
HKLM
Software\Microsoft\Windows\CurrentVersion\Run
Reactor3
HKLM
Software\Microsoft\Windows\CurrentVersion\Run
Reactor4
W32/Bofra-B attempts to inject itself into Explorer in order to make it
more difficult to be removed.
W32/Bofra-B will not run on dates past December 15th.
Further information:
How does the Bofra worm infect your PC?
Bofra worms spread via unpatched Internet Explorer security hole
Name W32/Forbot-CF
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Forbot-CF is a network worm and IRC backdoor Trojan for the Windows
platform.
W32/Forbot-CF spreads through network shares and by exploiting the LSASS
(MS04-011) software vulnerability. The worm may also spread through
backdoors left open by other malware.
The backdoor component of W32/Forbot-CF can be used to:
start an FTP and HTTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDoS) attacks.
flush the DNS cache.
logoff, reboot and shut down the computer.
Advanced
W32/Forbot-CF is a network worm and IRC backdoor Trojan for the Windows
platform.
W32/Forbot-CF spreads through network shares and by exploiting the LSASS
(MS04-011) software vulnerability. The worm may also spread through
backdoors left open by other malware.
When first run, W32/Forbot-CF copies itself to the Windows System folder
as svcshost.exe. In order to run automatically each time Windows is
started, W32/Forbot-CF sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows Update = "svcshost.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Windows Update = "svcshost.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Windows Update = "svcshost.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows Update = "svcshost.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Windows Update = "svcshost.exe"
W32/Forbot-CF creates a service named "Microsoft Update" with the
display name "Microsoft Windows Update".
The worm runs continuously in the background providing backdoor access
to the infected computer through IRC channels.
The backdoor component of W32/Forbot-CF can be used to:
start an FTP and HTTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDOS) attacks.
flush the DNS cache.
logoff, reboot and shut down the computer.
W32/Forbot-CF may delete the ADMIN$, IPC$, C$ and D$ network shares.
W32/Forbot-CF is capable of stealing product keys from games and
applications such as:
.NET Messenger Service
AOL Instant Messenger
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden & Dangerous 2
IGI 2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Microsoft Windows Product ID
Nascar Racing 2002
Nascar Racing 2003
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
NHL 2002
NHL 2003
Rainbow Six III RavenShield
Shogun: Total War: Warlord Edition
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Yahoo Pager
W32/Forbot-CF may alter the following registry entries in order to
enable/disable DCOM:
HKLM\Software\Microsoft\Ole\
EnableDCOM
W32/Forbot-CF will attempt to disable other malware, such as members of
the W32/Bagle family.
Name W32/Bofra-A
Type
* Worm
How it spreads
* Email messages
* Web downloads
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* Downloads code from the internet
Aliases
* W32/Mydoom.ag@M
Prevalence (1-5) 2
Description
W32/Bofra-A is a Worm for the Windows platform that arrives via email.
The body of the email will try to entice the user to click on a
hyperlink to look at webcam images or to visit an adult website.
W32/Bofra-A attempts to harvest email addresses from the Outlook address
book and from other files on the infected machine.
W32/Bofra-A will not harvest addresses containing the following strings:
avp, syma, icrosof, msn., hotmail, panda, sopho, borlan, inpris, example,
mydomai, nodomai, ruslis, .gov, gov., .mil, foo., root, info, samples,
postmaster, webmaster, noone, nobody, nothing, anyone, someone, your,
you, me, bugs, rating, site, contact, soft, no, somebody, privacy,
service, help, not, submit, feste, ca, gold-certs, the.bat, page, spm,
spam, www, secur, abuse, admin, icrosoft, support, ntivi, unix, bsd,
linux, listserv, certific, google, accoun, berkeley, unix, math, bsd,
mit.e, gnu, fsf., ibm.com, google, kernel, linux, fido, usenet, iana,
ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, secur, acketst, pgp,
tanford.e, utgers.ed, mozilla
W32/Bofra-A will use its own SMTP engine to send emails to these
harvested addresses, enticing the recipient to click on a hyperlink
which downloads the worm from the host infected machine.
The email distributed by W32/Bofra-A creates fake email headers to
pretend it was created by a number of different legitimate email clients
and also that it has been checked for viruses. The email itself has the
following characteristics:
FROM: This field will be one entry from the following list
Becky
joanna
KETTY
jane
sindy
SUBJECT: This field will be one entry from the following list
hey!
Hello
funny photos :)
BODY: This field will be one entry from the following list
FREE ADULT VIDEO! SIGN UP NOW!
Look at my homepage with my last webcam photos
W32/Bofra-A also contains IRC backdoor Trojan functionality and may
download and execute files from remote website to files with random
filenames in the Windows system folder if instructed to do so.
W32/Bofra-A will not run on dates past December 15th.
Further information:
How does the Bofra worm infect your PC?
Bofra worms spread via unpatched Internet Explorer security hole
Advanced
W32/Bofra-A is a mass-mailing Worm for the Windows platform.
W32/Bofra-A tries to copy itself either to the Windows system folder or
to the Temp folder, copying itself to a filename comprising of between 2
and 8 random characters followed by 32.EXE (eg EOFJNF32.EXE).
W32/Bofra-A then creates an entry in the registry at one of the
following locations so as to be run on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Rhino
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Rhino
W32/Bofra-A attempts to harvest email addresses from the Outlook address
book and from files with the following extensions:
TXT, HTMB, SHTL, PHPQ, ASPD, DBXN, TBBG, ADBH, PL, WAB
W32/Bofra-A will not harvest addresses containing the following strings:
avp, syma, icrosof, msn., hotmail, panda, sopho, borlan, inpris, example,
mydomai, nodomai, ruslis, .gov, gov., .mil, foo., root, info, samples,
postmaster, webmaster, noone, nobody, nothing, anyone, someone, your,
you, me, bugs, rating, site, contact, soft, no, somebody, privacy,
service, help, not, submit, feste, ca, gold-certs, the.bat, page, spm,
spam, www, secur, abuse, admin, icrosoft, support, ntivi, unix, bsd,
linux, listserv, certific, google, accoun, berkeley, unix, math, bsd,
mit.e, gnu, fsf., ibm.com, google, kernel, linux, fido, usenet, iana,
ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, secur, acketst, pgp,
tanford.e, utgers.ed, mozilla
W32/Bofra-A will use its own SMTP engine to send emails to these
harvested addresses, enticing the recipient to click on a hyperlink.
This link makes use of an exploit in Internet Explorer to download
W32/Bofra-A from the infected machine, saving the infected file to the
Desktop with the filename OLESERVER.EXE. The download will take place
without any notification from Windows. In order to allow this download
to take place the infected machine listens on ports higher than 1639 for
download requests.
The email distributed by W32/Bofra-A creates fake email headers to
pretend it was created by a number of different legitimate email clients
and also that it has been checked for viruses. The email itself has the
following characteristics:
FROM: This field will be one entry from the following list
Becky
joanna
KETTY
jane
sindy
SUBJECT: This field will be one entry from the following list
hey!
Hello
funny photos :)
BODY: This field will be one entry from the following list
FREE ADULT VIDEO! SIGN UP NOW!
Look at my homepage with my last webcam photos
W32/Bofra-A also contains IRC backdoor Trojan functionality and may
download and execute files from remote website to files with random
filenames in the Windows system folder if instructed to do so.
W32/Bofra-A attempts to delete the following registry entries to prevent
files created by other variants of the worm from running on system
startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
center
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
reactor
W32/Bofra-A attempts to inject itself into Explorer in order to make it
more difficult to be removed.
W32/Bofra-A will not run on dates past December 15th.
Further information:
How does the Bofra worm infect your PC?
Bofra worms spread via unpatched Internet Explorer security hole
Name Troj/Bancban-AC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Turns off anti-virus applications
* Steals information
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* PWS-Bancban.gen.b
Prevalence (1-5) 2
Description
Troj/Bancban-AC is a password-stealing Trojan targetted at customers of
certain Brazilian banks.
Troj/Bancban-AC attempts to log keypresses entered into certain websites.
The Trojan displays fake user interfaces in order to persuade the user
to enter confidential details. Stolen information is sent by email to a
remote user.
Troj/Bancban-AC also attempts to detect and delete files belonging to
Norton AntiVirus and Norton Personal Firewall.
Stolen data may be saved to a file USER.TXT. An image file BARRA.BMP may
also be dropped.
Advanced
Troj/Bancban-AC is a password-stealing Trojan targetted at customers of
certain Brazilian banks.
Troj/Bancban-AC attempts to log keypresses entered into certain websites.
The Trojan displays fake user interfaces in order to persuade the user
to enter confidential details. Stolen information is sent by email to a
remote user.
Troj/Bancban-AC copies itself as CSRSS.EXE to a subfolder SYSTEM of the
Windows system folder and creates the following registry entry in order
to run itself on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
KernellApps<Windows system>\System\csrss.exe
Troj/Bancban-AC also attempts to detect and delete files belonging to
Norton AntiVirus and Norton Personal Firewall.
Stolen data may be saved to a file USER.TXT. An image file BARRA.BMP may
also be dropped.
Name W32/Rbot-PE
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* WORM_RBOT.ZV
* Backdoor.Win32.Rbot.gen
* W32/Sdbot.worm.gen.i
Prevalence (1-5) 2
Description
W32/Rbot-PE is a worm which attempts to spread via remote network shares.
The worm contains backdoor Trojan functionality allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-PE also has a backdoor component that allows a malicious
intruder remote access shell to an infected computer.
The worm spreads to network shares with weak passwords using the
following security exploits:
- LSASS exploit (MS04-011)
- RPC-DCOM exploit (MS04-012)
- WebDav exploit (MS03-007)
Advanced
W32/Rbot-PE is a worm which attempts to spread via remote network shares.
The worm contains backdoor Trojan functionality allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-PE also has a backdoor component that allows a malicious
intruder remote access shell to an infected computer.
The worm spreads to network shares with weak passwords using the
following security exploits:
- LSASS exploit (MS04-011)
- RPC-DCOM exploit (MS04-012)
- WebDav exploit (MS03-007)
W32/Rbot-PE moves itself to the Windows system folder as vpc32.exe. The
worm then creates the following registry entries to run itself on
computer restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = vpc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = vpc32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = vpc32.exe
W32/Rbot-PE also sets the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = N
W32/Rbot-PE may attempt to perform the following actions when instructed
to do so by a remote attacker:
- steal CD keys
- partake in distributed denial of service (DDoS) attacks
- capture clipboard data
- scan IP addresses
- perform DNS cache flushes
- ping IP addresses
- download and run files from the Internet
- steal computer system information (computer name, available
memory, drive types)
- add and delete connections to network shared folders
- transfer files via TFTP
- capture screen images from web camera applications
- login to MS SQL servers and send EXEC commands to open a
command shell
- change the local security policy of a local or remote system
The worm may copy itself to shared folders of P2P applications like
Kazaa, Morpheus, eDonkey2000, LimeWire, iMesh.
W32/Rbot-PE may also log keystrokes and store the captured information
into the file %SYSTEM%\keys.txt.
Name W32/Rbot-PC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.gen
* W32/Sdbot.worm.gen.i
* WORM_SPYBOT.GZ
Prevalence (1-5) 2
Description
W32/Rbot-PC is a member of the W32/Rbot family of worms with a backdoor
component that spread on weakly protected network shares on the Windows
platform.
The worm spreads as a result of receiving the appropriate command by
scanning random IP addresses for open SMB ports (445) and trying to copy
itself to the Windows system folder on the remote Admin$ and C$ shares.
W32/Rbot-PC uses an internal dictionary of common passwords to gain
access. The worm attempts to schedule the copied file for later
execution on the remote machine.
In addition the worm also has the ability to scan for and exploit common
vulnerabilities on the Windows platform such as the LSASS vulnerability
(MS04-012) as well as ports opened by other worms such as W32/Bagle or
W32/MyDoom.
W32/Rbot-PC also has a backdoor component that allows a malicious user
remote access to an infected computer.
When run the worm attempts to contact a remote IRC server and join a
specific channel to listen for commands.
Advanced
W32/Rbot-PC is a member of the W32/Rbot family of worms with a backdoor
component that spreads using weakly protected network shares on the
Windows platform.
The worm spreads as a result of receiving the appropriate command by
scanning Random IP addresses for open SMB ports (445) and trying to copy
itself to the Windows system folder on the remote Admin$ and C$ shares.
W32/Rbot-PC uses an internal dictionary of common passwords to gain
access. The worm attempts to schedule the copied file for later
execution on the remote machine.
In addition the worm also has the ability to scan for and exploit common
vulnerabilities on the Windows platform such as the LSASS vulnerability
(MS04-012) as well as ports opened by other worms such as W32/Bagle or
W32/MyDoom.
W32/Rbot-PC also has a backdoor component that allows a malicious user
remote access to an infected computer.
When run the worm attempts to contact a remote IRC server and join a
specific channel to listen for commands.
Besides the spreading functionality members of the W32/Rbot family also
allow a remote user to set up a proxy server, start a HTTP server on a
user specified port, collect system information, add or delete shares
and users, kill processes, download and execute files, send email,
remotely control a connected web cam, sniff network traffic, log
keystrokes, steal keys for certain games or launch various
denial-of-service attacks against an attacker-specified target.
In order to run automatically when Windows starts up W32/Rbot-PC copies
itself to the file csrse.exe in the Windows system folder and creates
the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Registry
csrse.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Registry
csrse.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Registry
csrse.exe.
Name W32/Forbot-CD
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Wootbot.gen
Prevalence (1-5) 2
Description
W32/Forbot-CD is a network worm and IRC backdoor Trojan for the Windows
platform.
W32/Forbot-CD spreads through network shares and by exploiting the LSASS
(MS04-011) software vulnerability. The worm may also spread through
backdoors left open by other malware.
The worm runs continuously in the background providing backdoor access
to the infected computer through IRC channels.
The backdoor component of W32/Forbot-CD can be used to:
start an FTP and HTTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDOS) attacks.
flush the DNS cache.
logoff, reboot and shut down the computer.
W32/Forbot-CD may attempt to disable other malware, such as members of
the W32/Bagle family.
Advanced
W32/Forbot-CD is a network worm and IRC backdoor Trojan for the Windows
platform.
W32/Forbot-CD spreads through network shares and by exploiting the LSASS
(MS04-011) software vulnerability. The worm may also spread through
backdoors left open by other malware.
When first run, W32/Forbot-CD copies itself to the Windows System folder
as svchosting.exe. In order to run automatically each time Windows is
started, W32/Forbot-CD sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
NDIS Adapter
windows.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
NDIS Adapter
windows.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
NDIS Adapter
windows.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
NDIS Adapter
windows.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
NDIS Adapter
windows.exe
W32/Forbot-CD creates a service named "NDIS TCP Layer Transport Device"
with the display name "NDIS Adapter".
The worm runs continuously in the background providing backdoor access
to the infected computer through IRC channels.
The backdoor component of W32/Forbot-CD can be used to:
start an FTP and HTTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDOS) attacks
|