Text 108, 916 rader
Skriven 2006-03-18 13:44:00 av KURT WISMER (1:123/140)
Ärende: News, March 18 2006
===========================
[cut-n-paste from sophos.com]
Name Troj/Dloadr-NB
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Dloadr-NB is a Trojan for the Windows platform.
Troj/Dloadr-NB includes functionality to access the internet and
communicate with a remote server via HTTP in order to download and
execute files.
Advanced
Troj/Dloadr-NB is a Trojan for the Windows platform.
Troj/Dloadr-NB includes functionality to access the internet and
communicate with a remote server via HTTP in order to download and
execute files.
When Troj/Dloadr-NB is installed it creates the file
msdirect.sys(detected as Troj/RKFu-C) in the current folder.
The following registry entry is created to run Troj/Dloadr-NB on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
R
<pathname of the Trojan executable>
Name W32/Sdbot-BAY
Type
* Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.xd
Prevalence (1-5) 2
Description
W32/Sdbot-BAY is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-BAY spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares
protected by weak passwords.
W32/Sdbot-BAY runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-BAY includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Sdbot-BAY is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-BAY spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares
protected by weak passwords.
W32/Sdbot-BAY runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-BAY includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Sdbot-BAY copies itself to <Windows>\msput.exe.
The file msput.exe is registered as a new system driver service named
"Microsoft Startup Manager", with a display name of "Microsoft
Startup Manager." and a startup type of automatic, so that it is
started automatically during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\Microsoft Startup Manager\
W32/Sdbot-BAY sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name Troj/Sickbt-D
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Agent.agi
Prevalence (1-5) 2
Description
Troj/Sickbt-D is a Trojan for the Windows platform that attempts to
download further malicious code.
Advanced
Troj/Sickbt-D is a Trojan for the Windows platform that attempts to
download further malicious code.
When Troj/Sickbt-D is installed it creates the file
<System>\sysldr.dll.
The following registry entry is created to run code exported by the
Trojan library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad
sysldr
(17D5051E-F88D-4870-92B6-481DA21215D6)
The file sysldr.dll is registered as a COM object, creating registry
entries under:
HKCR\CLSID\(17D5051E-F88D-4870-92B6-481DA21215D6)
Name W32/Sdbot-BBA
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.asp
* W32/Sdbot.worm.gen.h
* WORM_RBOT.EFI
Prevalence (1-5) 2
Description
W32/Sdbot-BBA is a worm with backdoor functionality for the Windows
platform.
W32/Sdbot-BBA runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-BBA attempts to spread by copying itself to remote network
shares or by exploiting any of the following vulnerabilities:
RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1 (MS04-007).
W32/Sdbot-BBA may modify the system HOSTS file in order to prevent
access to certain websites.
Advanced
W32/Sdbot-BBA is a worm with backdoor functionality for the Windows
platform.
W32/Sdbot-BBA runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-BBA attempts to spread by copying itself to remote network
shares or by exploiting any of the following vulnerabilities:
RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1 (MS04-007).
W32/Sdbot-BBA may modify the system HOSTS file in order to prevent
access to certain websites.
When first run W32/Sdbot-BBA copies itself to <Windows
folder>\winhost32.exe.
The following registry entries are created to run winhost32.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Command C
winhost32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Command C
winhost32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Command C
winhost32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Command C
winhost32.exe
W32/Sdbot-BBA sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Command C
winhost32.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Command C
winhost32.exe
HKCU\Software\Microsoft\OLE
Microsoft Command C
winhost32.exe
HKLM\SOFTWARE\Microsoft\Ole
Microsoft Command C
winhost32.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/IRCBot-FP
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Drops more malware
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.IRCBot.nw
Prevalence (1-5) 2
Description
Troj/IRCBot-FP is a backdoor Trojan for the Windows platform.
Troj/IRCBot-FP has the functionalities to:
- disable Anti-Virus applications
- access the internet and communicate with a remote server via HTTP
- allow unauthorized access to the infected computer via IRC
- hide processes
Advanced
Troj/IRCBot-FP is a backdoor Trojan for the Windows platform.
Troj/IRCBot-FP has the functionalities to:
- disable Anti-Virus applications
- access the internet and communicate with a remote server via HTTP
- allow unauthorized access to the infected computer via IRC
- hide processes
When run Troj/IRCBot-FP copies itself to <System>\smss.exe and
creates the following files:
<System>\netf.dll
<System>\nvsvcd.exe
The file netf.dll and nvsvcd.exe is detected as Troj/IRCBot-FP.
Troj/IRCBot-FP sets the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.nvsvc
<System>\smss.exe /w
Troj/IRCBot-FP creates a service named "Windows Log" and sets
registry entries under:
HKLM\System\CurrentControlSet\Services\Windows Log
Name Troj/Zapchas-AS
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Zapchas-AS is a backdoor Trojan which allows a remote intruder
to gain access and control over the computer.
Troj/Zapchas-AS includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Zapchas-AS is a backdoor Trojan which allows a remote intruder
to gain access and control over the computer.
Troj/Zapchas-AS includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Zapchas-AS is installed the following files are created:
<System>\Lavan\DFind.exe (clean, may be safely deleted)
<System>\Lavan\IpcScan.exe (clean, may be safely deleted)
<System>\Lavan\Libparse.exe (clean, may be safely deleted)
<System>\Lavan\ServUDaemon.ini (clean, may be safely deleted)
<System>\Lavan\ServUStartUpLog.txt (clean, may be safely deleted)
<System>\Lavan\bot.dll (clean, may be safely deleted)
<System>\Lavan\control.ini (clean, may be safely deleted)
<System>\Lavan\devcheck.exe (clean, may be safely deleted)
<System>\Lavan\devcheck2.exe (clean, may be safely deleted)
<System>\Lavan\edit.bat (clean, may be safely deleted)
<System>\Lavan\iL.dbx (Detected as Troj/Zapchas-AS)
<System>\Lavan\ipcpass.dic (clean, may be safely deleted)
<System>\Lavan\ir.conf (Detected as Troj/Zapchas-AS)
<System>\Lavan\kahol.bat (clean, may be safely deleted)
<System>\Lavan\lavan.bat (clean, may be safely deleted)
<System>\Lavan\lock.bat (clean, may be safely deleted)
<System>\Lavan\lsass.exe (a clean mIRC application)
<System>\Lavan\mainhq.dbx (clean, may be safely deleted)
<System>\Lavan\mdx.dll (clean, may be safely deleted)
<System>\Lavan\mirc.ini (Detected as Troj/Zapchas-AS)
<System>\Lavan\on.txt (clean, may be safely deleted)
<System>\Lavan\osql.exe (clean, may be safely deleted)
<System>\Lavan\psexec.exe (clean, may be safely deleted)
<System>\Lavan\random.dbx (clean, may be safely deleted)
<System>\Lavan\rdate (clean, may be safely deleted)
<System>\Lavan\remote.ini (Detected as Troj/Zapchas-AS)
<System>\Lavan\scansql.exe (clean, may be safely deleted)
<System>\Lavan\scvhost.exe (A ServU client, used for backdoor access)
<System>\Lavan\sqlpass.dic (clean, may be safely deleted)
<System>\Lavan\sysscan.bat (clean, may be safely deleted)
<System>\Lavan\views.mdx (clean, may be safely deleted)
<System>\Lavan\wget.exe (clean, may be safely deleted)
<System>\Lavan\xsys.dll (clean, may be safely deleted)
The following registry entry is created to run lsass.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinXPService
<System>\Lavan\lsass.exe
The following registry entries are set or modified, so that lsass.exe
is run when files with extensions of CHA and IRC are opened/launched:
HKCR\ChatFile\Shell\open\command
(default)
<System>\Lavan\lsass.exe" -noconnect
HKCR\irc\Shell\open\command
(default)
<System>\Lavan\lsass.exe" -noconnect
Registry entries are set as follows:
HKCR\ChatFile\DefaultIcon
(default)
<System>\Lavan\lsass.exe
HKCR\irc\DefaultIcon
(default)
<System>\Lavan\lsass.exe
Registry entries are created under:
HKCU\Software\Microsoft\Microsoft Agent\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\
Troj/Zapchas-AS provides an uninstall option which can be accessed
via the Add or Remove Programs dialog in the Windows Control Panel.
The software is listed as "mIRC".
Name W32/Nafbot-A
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan.Win32.VB.abp
Prevalence (1-5) 2
Description
W32/Nafbot-A is a worm for the Windows platform.
W32/Nafbot-A spreads via file sharing on P2P networks and to other
network
computers.
Advanced
W32/Nafbot-A is a worm for the Windows platform.
W32/Nafbot-A spreads via file sharing on P2P networks and to other
network
computers.
When first run W32/Nafbot-A copies itself to:
\autoexec.bat
\autoexec.cam
\sex.scr
\sys_recover.pif
<Windows>\Jwintask.com
<Windows>\services.exe
<Windows>\temper\services.exe
and creates the file <Windows>\ouch55.txt. The file ouch55.txt is
harmless and
may be safely deleted.
W32/Nafbot-A may also attempt to copy itself into the Shared Folder
of many
peer to peer programs such as KaZaa with the following names:
\Metaa\16 Year Old Fuck - Young Girl Takes Huge Dick Secret
Film.mov.jpg.exe
\Metaa\Active Sync 3.7 Full Version.exe
\Metaa\Active Sync 4.1 Installer.exe
\Metaa\Adobe keygen.exe
\Metaa\Adobe Photoshop 9 Full.exe
\Metaa\Ahead Nero Buning Rom7.exe
\Metaa\Avi Preview Setup.exe
\Metaa\Bikini Babes 2004 Screensaver.scr
\Metaa\Brintey Spears Naked - NO JOKE.jpg.mov.mp3.exe
\Metaa\Britney sex xxx.jpg.mov.exe
\Metaa\Britney Spears and Eminem porn.jpg.exe
\Metaa\Britney Spears blowjob.jpg.exe
\Metaa\Britney Spears cumshot.jpg.exe
\Metaa\Britney Spears fuck.jpg.exe
\Metaa\Britney Spears full album.mp3.exe
\Metaa\Britney Spears porn.jpg.exe
\Metaa\Britney Spears Sexy archive.doc.exe
\Metaa\Britney Spears Song text archive.doc.exe
\Metaa\Clone CD and DVD 6.exe
\Metaa\Clone CD Setup + crack.exe
\Metaa\DivX 6.0 Bundle final.exe
\Metaa\Divx Bundle 5.exe
\Metaa\Divx Pro Bundle 7.exe
\Metaa\Dress Up Britney Spears Game.jpg.exe
\Metaa\E-Book Archive2.rtf.exe
\Metaa\Eminem and Britney Spears porn.jpg.exe
\Metaa\Eminem blowjob.jpg.exe
\Metaa\Eminem full album.mp3.exe
\Metaa\Eminem Poster.jpg.exe
\Metaa\Eminem Sexy archive.doc.exe
\Metaa\Eminem Song Lyrics archive.txt.exe
\Metaa\Fifa 2004 Crack.exe
\Metaa\Football Game.exe
\Metaa\Full album all.mp3.pif
\Metaa\Future_Dream.mpg.exe
\Metaa\Games Serials 2004.exe
\Metaa\Generic Crack.exe
\Metaa\Gimp 1.8 Full with Key.exe
\Metaa\GTA 4 downloader.exe
\Metaa\GTA3 Full Setup + Crack.pif
\Metaa\GTA3 No CD.exe
\Metaa\Harry Potter Full Movie.mpg.exe
\Metaa\Harry Potter game.exe
\Metaa\Hot Babes 2004.scr
\Metaa\Hotmail Hacker Gold.exe
\Metaa\How to hack new.doc.exe
\Metaa\Internet Download Accelerator Full Setup.exe
\Metaa\Internet Explorer 9 setup.exe
\Metaa\Kazaa Booster.exe
\Metaa\Kazaa Lite 3.0 new.exe
\Metaa\Kazoom Full Setup.exe
\Metaa\Kazoom Setup Full.exe
\Metaa\Learn Programming 2004.doc.exe
\Metaa\Macromedia Keygen.exe
\Metaa\Massive xxx porn pics archive , lesbian blowjob hardcore sex.exe
\Metaa\Microsoft Office 2003 Crack - IT WORKS.exe
\Metaa\Microsoft Office 2003 Crack, Working.exe
\Metaa\Microsoft OfficeXP working Crack, Keygen.exe
\Metaa\Microsoft Windows XP, WinXP Crack,works.exe
\Metaa\Microsoft WinXP Crack full.exe
\Metaa\MicrSoft Service Pack 4.exe
\Metaa\msblast source code.scr
\Metaa\MSN Password Hacker and Stealer.exe
\Metaa\My Ex-Girlfreind Strips then sucks - blowjob movie.mpg.exe
\Metaa\netsky source code.scr
\Metaa\Opera 8 New.exe
\Metaa\Over 20000 Products Keygen.exe
\Metaa\PC Gamer full cheatbook 2004 edition.exe
\Metaa\Photoshop crack.exe
\Metaa\Porno pics arhive xxx.exe
\Metaa\Sabrina Shower Scene 03/12/99.mov.exe
\Metaa\Setup.exe
\Metaa\Sex + BlowJob In car.mov.exe
\Metaa\sexy babes.scr
\Metaa\Sexy Strip Show.scr
\Metaa\Song Lyrcis Update 2004.exe
\Metaa\Super DVD Ripper 7.exe
\Metaa\WindowsXp Crack.pif
\Metaa\Winzip 9 Full Version.exe
\Metaa\Winzip crack, all versions tested on winzip 9.exe
\Metaa\Worms 5 Setup.exe
\Metaa\XXX Archive Updated 2004.exe
\Metaa\xxx harcore babes screensaver.mpg.scr
\Metaa\XXX hardcore sex pics.jpg.exe
W32/Nafbot-A will attempt to spread to network drives and to the
machine's
floppy drive.
W32/Nafbot-A may modify the HOSTS file located at
<System>\Drivers\etc\HOSTS,
mapping selected websites to the loopback address 127.0.0.1 in an
attempt to
prevent access to these sites.
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 localsystem
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 v4.windowsupdate.microsoft.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
The following registry entries are created to run W32/Nafbot-A on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winsrv3
<Windows>\services.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
upDpacketo
<Windows>\TEMPER\services.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wintask32
<Windows>\Jwintask.com
W32/Nafbot-A changes the Start Page for Microsoft Internet Explorer
by setting
the registry entry:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows NT\CurrentVersion
RegisteredOwner
Kyle Dunwin
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableChangePassword
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableLockWorkstation
0
Name Troj/Drsmartl-R
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Installs adware
Aliases
* Trojan-Downloader.Win32.VB.vz
* Adware-DollarRevenue
Prevalence (1-5) 2
Description
Troj/Drsmartl-R is a downloader Trojan which will download, install
and run new software without notification that it is doing so.
Troj/Drsmartl-R typically installs advertising software.
Advanced
Troj/Drsmartl-R is a downloader Trojan which will download, install
and run new software without notification that it is doing so.
Troj/Drsmartl-R will typically be installed with the filename
drsmartload.exe. A file named drsmartload.dat is created in the
Windows folder and the following registry entry is created:
HKLM\SOFTWARE\Microsoft\drsmartload2
Troj/Drsmartl-R typically installs advertising software.
Name Troj/Drsmartl-S
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Adware-DollarRevenue
Prevalence (1-5) 2
Description
Troj/Drsmartl-S is a Trojan for the Windows platform.
Troj/Drsmartl-S contains functionality to download further code.
Advanced
Troj/Drsmartl-S is a Trojan for the Windows platform.
Troj/Drsmartl-S contains functionality to download further code.
When Troj/Drsmartl-S is installed it creates the file
<Windows>\newname.dat.
The following registry entry is created to run Troj/Drsmartl-S on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
newname
<pathname of the application executable>
Name Troj/Bancban-OJ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Banker.aya
Prevalence (1-5) 2
Description
Troj/Bancban-OJ is a Trojan for the Windows platform.
Advanced
Troj/Bancban-OJ is a Trojan for the Windows platform.
Troj/Bancban-OJ includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Bancban-OJ copies itself to <System>\taskmam.exe.
The following registry entry is created to run taskmam.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Shell
<System>\taskmam.exe
Name Troj/ServU-CE
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Leaves non-infected files on computer
Aliases
* Server-FTP.Win32.Serv-U.gen
* application
* Win32/ServU-Daemon
Prevalence (1-5) 2
Description
Troj/ServU-CE is a hacked version of a commercially available FTP
server.
Advanced
Troj/ServU-CE is a hacked version of a commercially available FTP
server.
Troj/ServU-CE reads configuration settings from a file called
mspaintfixd.tmp in the current folder. This file will be created if
it doesn't already exist.
By default, the Trojan runs an FTP server on port 43958.
Name Troj/Jubik-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan.Win32.Small.fb
Prevalence (1-5) 2
Description
Troj/Jubik-A is a Trojan for the Windows platform.
Troj/Jubik-A includes functionality to download files from the
internet. Troj/Jubik-A may inject code into other Windows processes
in an attempt to avoid detection.
Advanced
Troj/Jubik-A is a Trojan for the Windows platform.
Troj/Jubik-A includes functionality to download files from the
internet. Troj/Jubik-A may inject code into other Windows processes
in an attempt to avoid detection.
When first run Troj/Jubik-A copies itself to <System>\jb???.exe,
where ??? are 3 random letters.
The following registry entry is created to run jb???.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
jb???.exe
<System>\jb???.exe
Troj/Jubik-A modifies the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
\BrowseNewProcess
BrowseNewProcess
yes
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|