Text 10, 964 lines
Written 2004-09-13 23:04:00 by KURT WISMER (1:123/140)
Subject: News, Sept. 13 2004
============================
[cut-n-paste from sophos.com]
Name Troj/Psyme-AS
Type
* Trojan
How it spreads
* Web browsing
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* TrojanDownloader.VBS.Psyme-based
Prevalence (1-5) 2
Description
Troj/Psyme-AS is a JavaScript downloader Trojan which exploits the ADODB
stream vulnerability associated with Microsoft Internet Explorer to
silently download a file from a remote server to:
%Program Files%\Windows Media Player\wmplayer.exe,
replacing any existing file.
Advanced
Troj/Psyme-AS is a JavaScript downloader Trojan which exploits the ADODB
stream vulnerability associated with Microsoft Internet Explorer to
silently download a file from a remote server to:
%Program Files%\Windows Media Player\wmplayer.exe,
replacing any existing file.
Troj/Psyme-AS can arrive on the computer by browsing websites whose HTML
pages contain the script or by visiting an HTML page that contains a SRC=
link to an infected page. For example, an HTML page may contain:
SRC='http:/psyme.com/exploit.chm::/exploit.htm
where exploit.chm is a compiled HTML help file containing Index.html and
exploit.htm is an HTML file containing the Troj/Psyme-AS script.
Name W32/Nyxem-C
Type
* Worm
How it spreads
* Email messages
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Deletes files off the computer
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* W32/MyWife.c@MM
* I-Worm.Nyxem.d
Prevalence (1-5) 2
Description
W32/Nyxem-C is an internet worm which spreads via network shares and by
sending itself to contacts in the Outlook address book, to Yahoo
Messenger and Yahoo Pager contacts and to email addresses found within
files that have an extension of HTM or DBX.
Advanced
W32/Nyxem-C is an internet worm which spreads via network shares and by
sending itself to contacts in the Outlook address book, to Yahoo
Messenger and Yahoo Pager contacts and to email addresses found within
files that have an extension of HTM or DBX.
Message subject lines include:
"Beethoven's Symphony No", "New_Stories HighwayBlues", "Ohhh", "hi",
"For You", "Free Pic's Video", "none", "[none]", "help me", "you",
"Please Read", "Important" and "reactive now".
W32/Nyxem-C is attached to messages as moderater.baT, The_Members.BaT or
as part of a ZIP archive whose filename contains one of the following
strings:
"Download.3gpzip.z", "The_movie_3zip.z", "Nokia_6600zip.z", "part_4Zip",
"Video_Live.zip", "Beethoven's Symphony No", "New_Stories HighwayBlues",
"_DVD_Viedo.Zip.z", "_Audio_XP.GZ", "_Zipped_File.Z", ".XP2002.Zip.scr"
or ".DvD_Xp.scr".
Harmless files may be included in the zip attachment with filenames such
as Vide01.jpg.
The following spoof addresses may be used in the message:
Thomas, <thomas_gay6@iopus.com>
vip, <sandra@oxygen.com>
Lola Ashton, <linda200@gmail.com>
Bad Love, <user377@worldsex.com>
Ralph, <fack_back06@mail.com>
Genius, <gustes@msn.com>
Sweet Women, <admin@newmovies.com>
Sara GL, <hot_woman2362@freevideos.net>
The Moon, <lost_love705@yahoo.com>
Binnn MT, <King_sexy@hotmal.com>
W32/Nyxem-C copies itself to network shares as "Good music.scr" or with
filenames beginning "Beethoven's Symphony No" or 'New_Stories
HighwayBlues'.
When run W32/Nyxem-C tries to mask its true purpose by launching the
Microsoft Media Player executable.
W32/Nyxem-C copies itself to the following locations:
%Program Files%\Internet Explorer\Media Player.exe
%WINDOWS%\Task.exe
%SYSTEM%\Connection.exe
%SYSTEM%\Downloading.DVD_____________________________________.exe
%SYSTEM%\File-04-Music.DVD_____________________________________.scr
%SYSTEM%\SoundTrack01.CD_____________________________________.exe
%SYSTEM%\The_Members.BaT
%SYSTEM%\moderater.baT
%SYSTEM%\movie009.pif
%SYSTEM%\new-video977.DVD____________________________________.scr
%SYSTEM%\reactive_group.bAt
W32/Nyxem-C also copies itself to the system folder using the name of an
existing executable file, but with an ending of 'm.exe' replacing the
original extension, for example W32/Nyxem-C may copy itself to the
system folder as NOTEPADm.exe, twunk_16m.exe or winhlp32m.exe.
W32/Nyxem-C also creates a new sub-folder of the Windows folder named
VOLUME\ with the hidden attribute set and copies itself to this folder
using the name of an existing file. The pathname of this copy is added
to new sub-keys of the following registry entries so that it is run on
startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
The following harmless files are created:
%SYSTEM%\About_BlackWorm.C.txt
%SYSTEM%\Beethoven's_Symphony_No.rm
%SYSTEM%\New_Stories__Highway_Blues.rm
%SYSTEM%\Vide01.jpg
%SYSTEM%\about.txt
The library DLL OSSMTP.DLL is dropped to the system folder and
registered as a COM object creating registry entries under:
HKCR\OSSMTP.SMTPSession
OSSMTP.DLL is a legitimate COM library for Microsoft Visual Basic,
providing functionality to send emails. To de-register OSSMTP.DLL run:
regsvr32 /U OSSMTP.DLL
W32/Nyxem-C also sets the following registry entries:
HKCU\Identities\Email
HKCU\Identities\Outlook Express
HKCU\Software\Nico Mak Computing\WinZip\
WinIni\Name = "BlackWorm"
HKCU\Software\Nico Mak Computing\WinZip\
WinIni\SN = "2AD00ED6"
HKCU\Software\Nico Mak Computing\WinZip\
caution\NoBetaMessage = "1"
HKCU\Software\Nico Mak Computing\WinZip\
filemenu\filemenu1 = "C:\WINDOWS\system32\2.zip"
HKCU\Software\Nico Mak Computing\WinZip\
filemenu\filemenu2 = "C:\WINDOWS\system32\3.zip"
HKCU\Software\Nico Mak Computing\WinZip\
filemenu\filemenu3 = "C:\WINDOWS\system32\1.zip"
HKCU\Software\Nico Mak Computing\WinZip\
filemenu\filemenu4 = "C:\WINDOWS\system32\4.zip"
HKCR\.chm\Num = 2
HKCR\.chm\1 = "Beethoven's Symphony No"
HKCR\.chm\2 = "New Stories Highway Blues "
HKLM\SYSTEM\ControlSet001\Services\TlntSvr\Start = 2
HKLM\SOFTWARE\Microsoft\Active Setup\
Security = <pathname of W32/Nyxem-C executable>
W32/Nyxem-C tries to terminate and remove selected anti-virus and
security related applications and deletes selected sub-keys of the
following registry entries to prevent applications from running on
startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Sub-keys include: NPROTECT, ccApp, ScriptBlocking, MCUpdateExe,
VirusScan Online, MCAgentExe, VSOCheckTask, McRegWiz, McVsRte,
PCClient.exe, PCCClient.exe, PCCIOMON.exe, pccguide.exe, PccPfw,
tmproxy, McAfeeVirusScanService, NAV Agent, SSDPSRV, rtvscn95, defwatch,
vptray, Taskmon, KasperskyAv, system., msgsrv32, Windows Services Host,
Explorer, Sentry, ssate.exe, winupd.exe, au.exe, OLE, gigabit.exe,
Norton Antivirus AV, reg_key, Windows Update, _Hazafibb, win_upd.exe,
JavaVM, Services, winupdt, Traybar, key, erthgdr, wersds.exe and Task.
Name W32/Forbot-Q
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Wootbot.gen
* W32/Gaobot.worm.gen.g1
Prevalence (1-5) 2
Description
W32/Forbot-Q is a worm and backdoor for the Windows platform.
W32/Forbot-Q spreads to network shares and by exploiting the LSASS
(MS04-011) vulnerability and backdoors opened by other malware.
Advanced
W32/Forbot-Q is a worm and backdoor for the Windows platform.
W32/Forbot-Q spreads to network shares and by exploiting the LSASS
(MS04-011) vulnerability and backdoors opened by other malware.
When run W32/Forbot-Q copies itself to the Windows system folder as
ssvchost.exe. The worm adds the following registry entries to ensure
that the copy is run each time Windows is started.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
window2 = "ssvchost.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
window2 = "ssvchost.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
window2 = "ssvchost.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
window2 = "ssvchost.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
window2 = "ssvchost.exe"
The backdoor component of W32/Forbot-Q may be used to launch distributed
denial of service attacks, run a Socks proxy server or obtain
information about the infected computer.
W32/Forbot-Q attempts to disable other worms, such as members of the
W32/Bagle family.
Name W32/Rbot-IT
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Rbot.gen
* W32/Sdbot.worm.gen.i
Prevalence (1-5) 2
Description
W32/Rbot-IT is a worm which attempts to spread to remote network shares
and allows unauthorised remote access to the computer via IRC channels.
Advanced
W32/Rbot-IT is a worm which attempts to spread to remote network shares
and allows unauthorised remote access to the computer via IRC channels.
W32/Rbot-IT spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Rbot-IT copies itself to the file mswinc.exe in the Windows system
folder and creates entries at the following locations in the registry so
that the worm is run when a user logs on to Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Remote Procedure Calls = mswinc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Remote Procedure Calls = mswinc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Remote Procedure Calls = mswinc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Remote Procedure Calls = mswinc.exe
Name W32/Sdbot-OY
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.SdBot.gen
* W32/Sdbot.worm.gen.h1
* WORM.SDBOT.QR
Prevalence (1-5) 2
Description
W32/Sdbot-OY is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
Advanced
W32/Sdbot-OY is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Sdbot-OY spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Sdbot-OY copies itself to the Windows system folder as sload32.exe
and creates the following registry entries so that the worm is run when
a user logs on to Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
sload = sload32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
sload = sload32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
sload = sload32.exe
Name W32/Rbot-IO
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-IO is an IRC backdoor Trojan and network worm which can
propagate by copying itself into the shared folders of network drives.
W32/Rbot-IO can also set registry entries to ensure that it is executed
automatically upon restart.
Advanced
W32/Rbot-IO is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-IO spreads to network shares with weak passwords as a result of
the backdoor Trojan element receiving the appropriate command from a
remote user.
W32/Rbot-IO moves itself to the Windows system folder as WUAMGDR.EXE and
creates registry entries at the following locations to run itself
automatically on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Machine = wuamgdr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Machine = wuamgdr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Machine = wuamgdr.exe
Name W32/Rbot-IL
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* WORM_RBOT.OA
Prevalence (1-5) 2
Description
W32/Rbot-IL is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
Advanced
W32/Rbot-IL spreads to network shares with weak passwords as a result of
the backdoor Trojan element receiving the appropriate command from a
remote user.
W32/Rbot-IL copies itself to the Windows system folder as a random file
name and creates the following registry entries so as to run itself on
system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
W32/Rbot-IL may set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-IL may delete the C$, D$, E$, IPC$ and ADMIN$ network shares on
the host computer.
Name W32/Rbot-IK
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Uses its own emailing engine
* Downloads code from the internet
Aliases
* Backdoor.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-IK is a network worm with IRC backdoor functionality.
W32/Rbot-IK spreads to other machines affected by the Universal PNP
(MS01-059), WebDav (MS03-007), RPC DCOM (MS03-026, MS04-012), LSASS
(MS04-011) or DameWare (CAN-2003-1030) vulnerabilities, infected by one
of several backdoors or running network services protected by weak
passwords.
Advanced
W32/Rbot-IK is a network worm with backdoor functionality.
In order to run automatically when Windows starts up the worm copies
itself to a file in the Windows system folder. The name of this file is
either explore32 or a series of randomly chosen letters. The file
extension is always EXE.
Once installed, W32/Rbot-IK connects to a preconfigured IRC server,
joins a channel and awaits further instructions. These instructions can
cause the bot to perform any of the following actions:
flood a specified host with UDP, TCP, SYN, ICMP or ping packets
start a webserver offering the contents of the local drive
start a socks4 proxy server
redirect TCP connections
start a TFTP server
start a command shell server
search for product keys
download and install an updated version of itself
show statistics about the infected system
kill antivirus and security processes
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable machines
start a keylogger
close down vulnerable services in order to secure the machine
take screenshots
capture images from any detected webcam
show/flush the DNS cache
list/modify network shares/services
send emails
The worm spreads to machines affected by known vulnerabilities, running
the network services protected by weak passwords or infected by common
backdoor Trojans.
Vulnerabilities:
Universal PNP (MS01-059)
WebDav (MS03-007)
RPC DCOM (MS03-026, MS04-012)
LSASS (MS04-011)
DameWare (CAN-2003-1030)
Services:
NetBios
NTPass
MS SQL
Backdoors:
W32/Bagle
Troj/Kuang
W32/MyDoom
Troj/NetDevil
Troj/Optix
Troj/Sub7
W32/Rbot-IK creates or modifies the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update 32 = <filename>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update 32 = <filename>
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update 32 = <filename>
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM = "N"
HKLM\SYSTEM\ControlSet001\Control\Lsa\
restrictanonymous = dword:00000001
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous = dword:00000001
The worm terminates the following processes:
regedit.exe
msconfig.exe
netstat.exe
msblast.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
wincfg32.exetaskmon.exe (sic)
PandaAVEngine.exe
sysinfo.exe
mscvb32.exe
MSBLAST.exe
teekids.exe
Penis32.exe
bbeagle.exe
SysMonXP.exe
winupd.exe
winsys.exe
ssate.exe
rate.exe
d3dupdate.exe
irun4.exe
i11r54n4.exe
W32/Rbot-IK searches for product keys for the following software:
Counter-Strike (Retail)
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Legends of Might and Magic
Soldiers of Anarchy
Microsoft Windows
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road to Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Generals (Zero Hour)
James Bond 007: Nightfire
Command and Conquer: Generals
Global Operations
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need for Speed Hot Pursuit 2
Need for Speed: Underground
Shogun: Total War: Warlord Edition
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
NOX
Chrome
Hidden & Dangerous 2
Soldier of Fortune II - Double Helix
Neverwinter Nights
Neverwinter Nights (Shadows of Undrentide)
Neverwinter Nights (Hordes of the Underdark)
Name W32/Sdbot-OV
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Backdoor.Win32.SdBot.ry
* W32/Sdbot.worm.gen.h
* WORM_RANDEX.L
Prevalence (1-5) 2
Description
W32/Sdbot-OV is a worm for the Windows platform. The worm includes some
backdoor functionality.
W32/Sdbot-OV spreads to shared folders on the local network.
Advanced
W32/Sdbot-OV is a worm for the Windows platform. The worm includes some
backdoor functionality.
W32/Sdbot-OV spreads to shared folders on the local network.
When run the worm copies itself to usb32.exe in the Windows system
folder and adds the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Usb Driver = "usb32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Usb Driver = "usb32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Win32 Usb Driver = "usb32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Usb Driver = "usb32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Usb Driver = "usb32.exe"
W32/Sdbot-OV allows unauthorised access to the infected computer via IRC.
The backdoor functions include distributed denial of service attacks,
operating as a proxy server and stealing information relating to some
popular games.
Name W32/Sdbot-RY
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.ry
* W32/Sdbot.worm.gen.h
Prevalence (1-5) 2
Description
W32/Sdbot-RY is a worm and backdoor for the Windows platform.
The worm component attempts to spread to remote network shares and the
backdoor allows a malicious user remote access to an infected computer
via IRC channels while running in the background as a service process.
Advanced
W32/Sdbot-RY is a worm and backdoor for the Windows platform.
The worm component attempts to spread to remote network shares and the
backdoor allows a malicious user remote access to an infected computer
via IRC channels while running in the background as a service process.
W32/Sdbot-RY copies itself to the Windows system folder with the
filename spoolsvc.exe and in order to run automatically when Windows
starts up creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 System Spool=spoolsvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 System Spool=spoolsvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32 System Spool=spoolsvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 System Spool=spoolsvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 System Spool=spoolsvc.exe
W32/Sdbot-RY attempts to spread to network machines using various
exploits including the LSASS vulnerability (see MS04-011).
W32/Sdbot-RY may function as a proxy server, delete network shares and
steal information related to popular games.
Name Troj/Delf-DU
Type
* Trojan
Aliases
* New
Prevalence (1-5) 2
Description
Troj/Delf-DU is a backdoor Trojan.
In order to run automatically when Windows starts up the Trojan copies
itself to the file services.exe in the Windows system folder and creates
the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Services = C:\Windows\system32\services.exe
Once installed Troj/Delf-DU connects to an IRC server and joins a
channel from which it can receive further instructions. These
instructions can cause the Trojan to kill specific processes or download
files from arbitrary URLs and execute them.
The Trojan automatically terminates any processes whose filenames
contain one of the following patterns:
winnt35.exe
w.exe
mb.exe
~.exe
1.exe
2.exe
scan.exe
svshost.exe
Name W32/Neveg-C
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* W32/Neveg.c@MM
Prevalence (1-5) 2
Description
W32/Neveg-C is a mass-mailing worm.
Advanced
W32/Neveg-C is a mass-mailing worm. When started the worm copies itself
to the Windows system folder as services.exe and creates the following
registry entries in order to auto-start on user logon or computer
reboot:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ccApps = <%SYSTEM%>\services.exe
The worm may also use any of the following instead of ccApps:
.Prog
FriendlyTypeName
TEXTCONV
Microsoft Visual SourceSafe
RegDone
BuildLab
Name W32/Rbot-IP
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Rbot-IP is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer
Advanced
W32/Rbot-IP is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running
in the background as a service process.
W32/Rbot-IP spreads to network shares with weak passwords as a result of
the backdoor Trojan element receiving the appropriate command from a
remote user.
W32/Rbot-IP moves itself to the Windows system folder as DVLDR.EXE and
creates entries in the registry at the following locations to run on
system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Automatic Updates = dvldr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Automatic Updates = dvldr.exe
HKCU\Software\Microsoft\OLE\
Windows Automatic Updates = dvldr.exe
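An added detection example, not part of the Sophos descriptions or of this post: it scans a one-value-per-line registry export for the autorun value names, file names and host-hardening changes quoted in the entries above, and flags the W32/Nyxem-C "<existing exe>m.exe" naming pattern in a directory listing. The export format ("HIVE\key\ValueName = data"), the sample data and the function names are assumptions, and the sample lines are constructed, not captured from an infected host.

```python
import re
from collections import namedtuple

Hit = namedtuple("Hit", "family key name data")

# Autorun value names and file names quoted in the descriptions above
# (None = the page gives a random or variable file name for that value).
AUTORUN = {
    "window2": ("ssvchost.exe", "W32/Forbot-Q"),
    "remote procedure calls": ("mswinc.exe", "W32/Rbot-IT"),
    "sload": ("sload32.exe", "W32/Sdbot-OY"),
    "microsoft update machine": ("wuamgdr.exe", "W32/Rbot-IO"),
    "microsoft update": (None, "W32/Rbot-IL"),
    "microsoft update 32": (None, "W32/Rbot-IK"),
    "win32 usb driver": ("usb32.exe", "W32/Sdbot-OV"),
    "win32 system spool": ("spoolsvc.exe", "W32/Sdbot-RY"),
    "microsoft services": ("services.exe", "Troj/Delf-DU"),
    "ccapps": ("services.exe", "W32/Neveg-C"),
    "windows automatic updates": ("dvldr.exe", "W32/Rbot-IP"),
}
RUN_KEYS = ("run", "runonce", "runservices")
# W32/Rbot-IL and W32/Rbot-IK lock the host down after infection.
HARDENING = {("ole", "enabledcom"): ("N", "W32/Rbot-IL or W32/Rbot-IK"),
             ("lsa", "restrictanonymous"): ("1", "W32/Rbot-IL or W32/Rbot-IK")}
# Assumed export format: one value per line, "HIVE\key\path\ValueName = data".
LINE_RE = re.compile(r"^(HK[A-Z]{2})\\(.+)\\([^\\=]+?)\s*=\s*(.*)$")

def scan_registry(lines):
    """Return a Hit for every line that matches an indicator from the page."""
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        hive, key, name, data = m.groups()
        name, data = name.strip(), data.strip().strip('"')
        if data.lower().startswith("dword:"):      # normalise REG_DWORD export
            data = str(int(data[6:], 16))
        leaf = key.rstrip("\\").rsplit("\\", 1)[-1].lower()
        exe = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        path = f"{hive}\\{key}"
        if leaf in RUN_KEYS:
            entry = AUTORUN.get(name.lower())
            if entry:
                fam = entry[1] if entry[0] in (None, exe) else entry[1] + " (value name only)"
                hits.append(Hit(fam, path, name, data))
        else:
            rule = HARDENING.get((leaf, name.lower()))
            if rule and rule[0] == data:
                hits.append(Hit(rule[1], path, name, data))
    return hits

def nyxem_siblings(filenames):
    """W32/Nyxem-C copies itself as <existing exe>m.exe; flag such pairs."""
    present = {f.lower() for f in filenames}
    return sorted(f for f in filenames
                  if f.lower().endswith("m.exe") and f[:-5].lower() + ".exe" in present)

# Constructed sample data for the demo; not captured from a real host.
SAMPLE_REGISTRY = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Remote Procedure Calls = mswinc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\window2 = "ssvchost.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Services = C:\Windows\system32\services.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = kqzxpt.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = dword:00000001
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = dword:00000000
""".strip().splitlines()
SAMPLE_SYSTEM_DIR = ["notepad.exe", "NOTEPADm.exe", "twunk_16.exe", "twunk_16m.exe",
                     "winhlp32.exe", "winhlp32m.exe", "msiexec.exe", "wmplayer.exe"]

if __name__ == "__main__":
    for h in scan_registry(SAMPLE_REGISTRY):
        print(f"{h.family:30} {h.key}\\{h.name} = {h.data}")
    print("Nyxem-style siblings:", nyxem_siblings(SAMPLE_SYSTEM_DIR))
```

The IntelliPoint line and the restrictanonymous = 0 line are deliberate negatives; a hit on a value name whose file name differs is reported as "(value name only)" so an analyst can weigh it separately.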
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)