Text 73, 613 lines
Written 2004-11-28 19:40:00 by KURT WISMER (1:123/140)
Subject: News, Nov. 28 2004
==========================
[cut-n-paste from sophos.com]
Name Troj/Bancban-AH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* TrojanSpy.Win32.Banker.di
* PWS-Bancban.gen.b
Prevalence (1-5) 2
Description
Troj/Bancban-AH is a password-stealing Trojan targeted at customers of
certain Brazilian banks.
Troj/Bancban-AH attempts to log keypresses entered into certain
websites. The Trojan displays fake user interfaces in order to persuade
the user to enter confidential details. Stolen information is sent by
email to a remote user.
Advanced
Troj/Bancban-AH is a password-stealing Trojan targeted at customers of
certain Brazilian banks.
Troj/Bancban-AH attempts to log keypresses entered into certain
websites. The Trojan displays fake user interfaces in order to persuade
the user to enter confidential details. Stolen information is sent by
email to a remote user.
Troj/Bancban-AH may be dropped by a self-extracting archive as LOGIN.EXE
in the Windows folder, along with a text file LOGIN.REG. When dropped in
this manner, the archive also attempts to run Internet Explorer from the
following location:
C:\Arquivos de programas\Internet Explorer\iexplore.exe
The following registry entry may be created in order to run the Trojan
on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Login
C:\Windows\Login.exe
The user may be prompted to accept the above registry change, which is
contained in the file LOGIN.REG.
Name W32/Netsky-AE
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* I-Worm.NetSky.aa
* W32/Netsky.z@MM
* WORM_NETSKY.Z
Prevalence (1-5) 2
Description
W32/Netsky-AE is a mass-mailing worm of the Netsky family.
W32/Netsky-AE is a mass-mailing worm that uses its own SMTP engine to
email itself to addresses harvested from files on local drives.
Advanced
W32/Netsky-AE is a mass-mailing worm of the Netsky family.
W32/Netsky-AE is a mass-mailing worm that uses its own SMTP engine to
email itself to addresses harvested from files on local drives.
In order to run automatically the worm copies itself to the file
Jammer2nd.exe in the Windows folder and creates the following registry
entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Jammer2nd
%WINDOWS%\Jammer2nd.exe
Name W32/Delf-IV
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* P2P-Worm.Win32.Delf.ad
Prevalence (1-5) 2
Description
W32/Delf-IV is a peer-to-peer worm for the Windows platform.
W32/Delf-IV spreads by copying itself to a Kazaa folder if one exists.
W32/Delf-IV also moves existing applications to a new folder and copies
itself in place of the original files.
Advanced
W32/Delf-IV is a peer-to-peer worm and Trojan for the Windows platform.
When first run, W32/Delf-IV copies itself to the folder SYSTEM in the
Windows folder with the filename Rundll~.exe and installs itself in the
registry with the following entry to run itself automatically on log-on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Rundll = "C:\\WINDOWS\\System\\Rundll~.exe /out"
W32/Delf-IV also creates a number of registry entries under the new
entry:
HKCU\Software\MouseMX\
W32/Delf-IV spreads by altering the location of the Kazaa local content
folder, if this exists, and copying itself to the new location using one of
the following filenames:
GTA San Andreas Crack
Norton AntyVirus 2005 full
Half Life 2 Crack - multiplayer
Sims 2 crack
Directx10 v2.3 fullversion
GaduReader 3.5
Partition Magic 8.6
Partition Magic 9
Half Life 2 dodatek
Roller Coaster Tycoon 3 crack
W32/Delf-IV also moves existing executable files on the computer to a
new folder called MouseMX and copies itself into the place of the
original files.
Name W32/Anzae-C
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Drops more malware
* Uses its own emailing engine
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Leaves non-infected files on computer
Aliases
* IWorm.Pawur.b
Prevalence (1-5) 2
Description
W32/Anzae-C is a Spanish mass-mailing worm.
W32/Anzae-C spreads as a zip file attached to email. The email generated
by the worm has characteristics such as:
Subject line:
FW:Impresiona!!!!
FW:Pero si es cierto!!!
FW:Miralo!!!!
Message text:
Si tu me vieras....
Mirame!, jajaja
Te pongo a 100,jajaja
Miralo y me comentas luego,jajajaja
Attached file:
Las_cosas_cambian.zip
No_me_lo_creo.zip
Claro_que_lo_se.zip
Con_mas_amor.zip
Advanced
W32/Anzae-C is a Spanish mass-mailing worm.
When first run the worm copies itself to the Windows system folder with
the names svchosl.pif and paula.pif.
The worm then drops four more files called ss.exe, sw.exe, sx.exe and
sz.exe. Ss.exe is a joke program. Sz.exe is a simple ZIP program that is
non-malicious. Sx.exe and sw.exe are components of the mailing worm.
Sophos's anti-virus products detect the sx.exe component as W32/Anzae-B.
W32/Anzae-C spreads by sending the ZIP file it has created as an email
attachment. The email message has characteristics chosen from the
following lists:
Subject line:
FW:Impresiona!!!!
FW:Pero si es cierto!!!
FW:Miralo!!!!
FW:Venga que lo disfrutes ;) jajaja
FW:Podr
FW:El amor,el amor,jajaja
FW:Como el aire...xD
Message text:
s de los mismo, pero vale la pena...
s te quise yo :P,jajaja
s dormir??jajaja
:Pero que cosasssssss ,jajajaja
Si tu me vieras....
Mirame!, jajaja
Te pongo a 100,jajaja
Miralo y me comentas luego,jajajaja
Pa q tu vea!jajaja
jajajaja,no pue ser!
Pero que cosasssss!
Esto no me lo creo,joeee , jajajaj
Miralo y reenvia!!!!!jajajaja,comparte le
No comment,xDD ,Nos vemos!!
Attached file:
Las_cosas_cambian.zip
No_me_lo_creo.zip
Claro_que_lo_se.zip
Con_mas_amor.zip
Lo_que_ves.zip
Basta_YA.zip
Nunca_estamos.zip
Siempre_estas_ahi.zip
Para_ti_mas.zip
Lo_que_te_mereces.zip
W32/Anzae-C sets the following registry entry in order to run itself
automatically on log-on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Svchost
<Windows system folder>svchosl.pif
W32/Anzae-C also attempts to delete files from the computer it is
running on. The following file extensions are at risk from deletion:
.asm
.htm
.html
.php
.asp
.css
.nfm
.dpr
.bdsproj
.pas
.reg
.mp3
.rar
.iso
.nrg
.wav
.doc
.xls
.mdb
.ppt
.rpt
.pdf
.bmp
.jpg
.jpeg
.gif
.pcx
.txt
.bat
.vbs
.log
.msi
.inf
.ini
.dot
.h
.c
Name W32/Agobot-OD
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Agobot-OD is a network worm which also allows unauthorised remote
access to the computer via IRC channels. It sets registry entries to
ensure it is run on system restart.
W32/Agobot-OD may gather system information and attempt to kill
processes.
Advanced
W32/Agobot-OD is a network worm which also allows unauthorised remote
access to the computer via IRC channels.
W32/Agobot-OD copies itself to the Windows system folder as svchostt.exe
and attempts to create entries in the registry at the following
locations to run itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
W32/Agobot-OD also attempts to kill over four hundred anti-virus and
security-related processes, including:
Sweep95.EXE
SweepNet.SWEEPSRV.SYS.SWNETSUP.EXE
Mcshield.EXE
avpm.EXE
f-stopw.EXE
BlackICE.EXE
W32/Agobot-OD may attempt to copy itself to network shares with weak
passwords and to spread to computers using the DCOM RPC and the RPC
locator vulnerabilities.
These vulnerabilities may allow the worm to execute its code on target
computers with System level privileges. For further information on these
vulnerabilities and for details on how to protect/patch the computer
against such attacks please see Microsoft security bulletins MS03-026
and MS03-001.
The worm also attempts to terminate processes related to W32/Blaster-A
and its variants, e.g. MSBLAST.EXE, PENIS32.EXE and DLLHOST.EXE.
W32/Agobot-OD may attempt to access information about programs that
could be on the machine (such as installation keys) by scanning the
registry.
W32/Agobot-OD may attempt various Distributed Denial of Service attacks.
Name W32/Favsin-A
Type
* Worm
How it spreads
* Email attachments
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Favsin-A is a peer-to-peer and email worm for the Windows platform.
When first run W32/Favsin-A copies itself to the Windows system folder
with the filenames NvCpl.exe and Dong_Shi.exe.
W32/Favsin-A harvests email addresses from the Windows address book and
from files on the hard disk.
W32/Favsin-A displays a popup window with the text "No Windows. Yes
doors and holes."
The worm drops a file named YanZi.vbs into the current folder and runs
it. Several JPG files are dropped into the current user's temp folder
with filenames SuN<digit>.JPG and SuN<digit>.tmp. The VBS file creates
and runs a file named SUN.EXE which displays one of the JPG images.
Advanced
W32/Favsin-A is a peer-to-peer and email worm for the Windows platform.
When first run W32/Favsin-A copies itself to the Windows system folder
with the filenames NvCpl.exe and Dong_Shi.exe and creates the following
registry entry in order to run itself when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
NvCpl = "<Windows system folder>\NvCpl.exe"
The worm also creates copies of itself into any folder with a path that
contains "shar" (e.g. C:\My Shared Folder\) with filenames from the
following:
Sun_YanZi-Huai_Tian_Qi.mpg.exe
Sun_YanZi-I_am_not_sad.mp3.exe
Sun_YanZi-Leave_me_alone.mp3.exe
Sun_YanZi-Mei_You_Ren_De_Fang_Xiang.avi.exe
Sun_YanZi-Shen_Qi.exe
Sun_YanZi-Tao_Wang.mpeg.exe
SunYanZi.mp3.exe
YanZi.Mp3.exe
YanZi_SuN-forever.mp3.exe
W32/Favsin-A harvests email addresses from the Windows address book and
from files with the following file extensions:
ADB
ASP
DBX
DOC
HTM
HTML
JSP
RTF
TXT
XML
The email sent by W32/Favsin-A has the following characteristics:
Subject lines:
Great_Asia_Singer
Sun_YanZi
Sun_YanZi_HayranI
Asia_Singer
Sun-YanZi
Sun_Yan_Zi
Stefanie Sun Yanzi
Hoscakal
Sun_YanZi_Hayrani
Sun-YanZi-Mp3-Archive
I_hate_Spyware
SuN_YanZi_innocent
Forever Sun Yanzi
Message bodies:
You must to listen Sun Yanzi. I am enjoying to listen Sun YanZi.
I want to meet Sun YanZi. I am loving Sun-YanZi's Magic. Call me YanZi.
But you don't contact me(Turkiye).
My Favourite Singer is Stefanie Sun Yanzi
I want to see Sun YanZi. Call me Sun Yan Zi ;)
I can not contact you. Because, I am far to you(Turkiye)
Please listen to me Stefanie Sun Yanzi.
Attachment filenames: (with extensions PIF, SCR or ZIP)
Sun_YanZi
Huai_Tian_Qi
Sun_Yanzi_Mp3
Great_Asia_Singer
World_Tour_Sun_YanZi
W32/Favsin-A displays a popup window with the text "No Windows. Yes
doors and holes."
The worm drops a file named YanZi.vbs into the current folder and runs
it. Several JPG files are dropped into the current user's temp folder
with filenames SuN<digit>.JPG and SuN<digit>.tmp. The VBS file creates
and runs a file named SUN.EXE which displays one of the JPG images.
Name Troj/Swizzor-BQ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* TrojanDownloader.Win32.Swizzor.bo
Prevalence (1-5) 2
Description
Troj/Swizzor-BQ is a downloader Trojan.
Troj/Swizzor-BQ attempts to download and run executable files without
the user's consent.
Troj/Swizzor-BQ installs itself as a Browser Help Object (BHO).
Advanced
Troj/Swizzor-BQ is a downloader Trojan.
Troj/Swizzor-BQ attempts to download and run executable files without
the user's consent.
In order to run automatically when Internet Explorer starts,
Troj/Swizzor-BQ installs itself as a Browser Help Object and sets the
following registry entries:
HKCR\CLSID\(CLSID)\InprocServer32
(Default)
<path to Trojan DLL>
HKCR\CLSID\(CLSID)\InprocServer32
ThreadingModel
Apartment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects
(CLSID)
where the CLSID value is based on the infected computer.
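The three registry entries above are all a Browser Helper Object needs: a CLSID listed under the Browser Helper Objects key, and an InprocServer32 subkey under HKCR\CLSID that points at the DLL Internet Explorer will load. Because the CLSID is generated per machine, a defender cannot search for a fixed value; the useful check is to enumerate every registered BHO, resolve its CLSID to the DLL path, and look at where that DLL lives. The following is an added example (not Sophos's code and not taken from the write-up) that does this over a .reg export; the export text, the CLSIDs and the DLL paths in it are constructed for the example, and the notion of a "trusted" path prefix is an assumption of the example rather than anything the write-up states.

```python
import re
from typing import Dict, List, Optional

# Constructed .reg export (not from the page): two BHO registrations, one whose
# DLL sits under Program Files and one whose DLL sits in a user's Temp folder.
# A real export is produced with `reg export`; note that it spells the hives
# out in full (HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT) rather than HKLM/HKCR.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-0000000000AB}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Vendor\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000AB}\InprocServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\abc.dll"
"ThreadingModel"="Apartment"
"""

BHO_ROOT = (r"hkey_local_machine\software\microsoft\windows\currentversion"
            r"\explorer\browser helper objects")
# Assumed "normal" locations for a BHO DLL; anything else is worth a look.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")


def _unquote(s: str) -> str:
    """Strip the quotes of a .reg string token and undo its backslash escaping."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path (lower-case): {value name: data}}.

    Only string values are decoded; other types keep their raw text. Value
    names containing '=' are not handled, which is fine for this audit.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else _unquote(name)   # '@' is the (Default) value
        current[name.lower()] = _unquote(value)
    return keys


def list_bhos(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Resolve every registered BHO CLSID to its InprocServer32 DLL."""
    result = []
    for path in keys:
        if not path.startswith(BHO_ROOT + "\\"):
            continue
        clsid = path[len(BHO_ROOT) + 1:]
        if "\\" in clsid:
            continue            # deeper subkeys belong to an already-listed BHO
        server = keys.get(f"hkey_classes_root\\clsid\\{clsid}\\inprocserver32", {})
        result.append({"clsid": clsid,
                       "dll": server.get("@"),
                       "threading": server.get("threadingmodel")})
    return result


def is_suspicious(bho: dict) -> bool:
    """Flag BHOs with no COM server or a DLL outside the trusted prefixes."""
    dll = bho["dll"]
    if dll is None:
        return True             # listed as a BHO but no InprocServer32: orphaned or hidden
    low = dll.lower()
    return not low.startswith(TRUSTED_PREFIXES) or "\\temp\\" in low


def audit_bhos(reg_text: str) -> List[str]:
    """Return the CLSIDs (lower-cased) a reviewer should look at first."""
    return [b["clsid"] for b in list_bhos(parse_reg(reg_text)) if is_suspicious(b)]


if __name__ == "__main__":
    for bho in list_bhos(parse_reg(SAMPLE_REG)):
        flag = "SUSPICIOUS" if is_suspicious(bho) else "ok"
        print(f"{flag:10} {bho['clsid']}  {bho['dll']}  ({bho['threading']})")
```

The path-prefix test is deliberately crude: a BHO can be registered under Program Files and still be malicious, and a legitimate one can live elsewhere, so the output is a triage list rather than a verdict. What the check does reliably is surface the pattern the write-up describes, a per-machine CLSID whose only tie to the malware is the DLL path behind it.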
Name Troj/Banker-AM
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Banker-AM is a Trojan that steals bank details.
Advanced
Troj/Banker-AM is a Trojan that steals bank details.
In order to run automatically on login the Trojan copies itself to the
file svhost.exe in the Windows folder and adds the following registry
entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Shell =
C:\Windows\svhost.exe
Troj/Banker-AM installs itself as an Internet Explorer plugin in order
to monitor the URLs visited by the user. When one of a specific set of
banking-related URLs is visited, the Trojan logs all inputted details
and submits them to the author using a PHP script on a preconfigured web
site.
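Nearly every write-up in this batch persists through HKLM\...\CurrentVersion\Run, and several of the file names are chosen to blend in with real Windows binaries: svhost.exe and svchostt.exe (one character away from svchost.exe), svchosl.pif, and Rundll~.exe. Troj/Banker-AM even names its value "Shell", so a quick glance at the key reads like a system setting. The following added example (my code, not Sophos's) audits a list of Run-key entries two ways: against the name/file pairs given in the write-ups above, and with an edit-distance heuristic for names that imitate system binaries. The sample entries, the set of system stems and the distance threshold of 2 are assumptions of the example; the write-ups do not specify them.

```python
import ntpath
from typing import Dict, List, Tuple

# Indicators taken from the Sophos write-ups quoted above:
# Run value name -> (file the data should point at, family). Compared case-insensitively.
NAMED_IOCS = {
    "login":     ("login.exe",     "Troj/Bancban-AH"),
    "jammer2nd": ("jammer2nd.exe", "W32/Netsky-AE"),
    "rundll":    ("rundll~.exe",   "W32/Delf-IV"),
    "svchost":   ("svchosl.pif",   "W32/Anzae-C"),
    "nvcpl":     ("nvcpl.exe",     "W32/Favsin-A"),   # the real NVIDIA entry loads NvCpl.dll
    "shell":     ("svhost.exe",    "Troj/Banker-AM"),
}
# Indicators where the write-up names the file but not the Run value name.
FILE_IOCS = {
    "svchostt.exe": "W32/Agobot-OD",
    "svhost.exe":   "Troj/Banker-AM",
}
# Genuine Windows binaries the samples imitate (assumed list; stems without extension).
SYSTEM_STEMS = ("svchost", "rundll32", "explorer", "lsass", "services", "winlogon")

# Constructed sample of a Run key (not from the page): two legitimate-looking
# entries mixed with four modelled on the write-ups above.
SAMPLE_RUN_ENTRIES = [
    ("NvCplDaemon", r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"),
    ("ctfmon.exe",  r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Shell",       r"C:\Windows\svhost.exe"),
    ("Rundll",      r'"C:\WINDOWS\System\Rundll~.exe" /out'),
    ("Svchost",     r"C:\WINDOWS\System32\svchosl.pif"),
    ("Updater",     r"C:\WINDOWS\system32\svchostt.exe"),
]


def executable_of(data: str) -> str:
    """Return the lower-cased file name a Run value launches (quotes and args removed)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        path = data.split()[0] if data else ""
    return ntpath.basename(path).lower()     # ntpath handles backslashes on any host


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short file stems so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_run_entries(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious Run value name to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for name, data in entries:
        reasons: List[str] = []
        exe = executable_of(data)
        stem = exe.rsplit(".", 1)[0]
        ioc = NAMED_IOCS.get(name.lower())
        if ioc and exe == ioc[0]:
            reasons.append(f"matches {ioc[1]} indicator")
        elif exe in FILE_IOCS:
            reasons.append(f"matches {FILE_IOCS[exe]} indicator")
        # Lookalike check: close to a system binary's name but not equal to it.
        for legit in SYSTEM_STEMS:
            if stem != legit and levenshtein(stem, legit) <= 2:
                reasons.append(f"'{exe}' resembles system binary '{legit}'")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for value_name, why in audit_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(f"{value_name}: " + "; ".join(why))
```

The indicator table will age quickly, which is why the lookalike check matters more in practice: it flags svhost.exe, svchostt.exe, svchosl.pif and Rundll~.exe without knowing any of the families, while leaving the genuine NvCplDaemon entry (which launches RUNDLL32.EXE) and ctfmon.exe alone. On a live machine the entries would come from reading the Run keys under both HKLM and HKCU; the parsing and scoring stay the same.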
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)