Tillbaka till svenska Fidonet
English   Information   Debug  
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   33421
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33945
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41707
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13613
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16074
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3249
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13300
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
Möte VIRUS_INFO, 201 texter
 lista första sista föregående nästa
Text 111, 1357 rader
Skriven 2006-04-02 20:21:00 av KURT WISMER (1:123/140)
Ärende: News, April 2 2006
==========================
[cut-n-paste from sophos.com]

Name   Troj/Puper-EY

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Puper-EY is a downloader Trojan for the Windows platform.

Advanced
Troj/Puper-EY is a downloader Trojan for the Windows platform.

Troj/Puper-EY creates the files :

<system>\dfrgsrv.exe
<system>\ld???.tmp (where ??? is a random number)

Both files are detected as Troj/Puper-EY.

The Trojan creates the following registry entry to run dfrgsrv.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
wininet.dll
dfrgsrv.exe





Name   W32/Rbot-CTJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.aie

Prevalence (1-5) 2

Description
W32/Rbot-CTJ is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-CTJ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-CTJ is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-CTJ spreads:

- to other network computers infected with: Troj/Kuang, Troj/Sub7, 
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), 
WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (ms04-011) 
(CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware 
(CAN-2003-1030) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-CTJ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-CTJ copies itself to <System>\windinit.exe 
and creates the file <Temp>\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe.

The following registry entries are created to run windinit.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsotufed Update 32
windinit.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsotufed Update 32
windinit.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
Microsotufed Update 32
windinit.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Agobot-TA

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * W32/Gaobot.worm.gen.bj
    * WORM_SDBOT.BDK

Prevalence (1-5) 2

Description
W32/Agobot-TA is a worm with backdoor functionality for the Windows 
platform.

W32/Agobot-TA runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

Advanced
W32/Agobot-TA is a worm with backdoor functionality for the Windows 
platform.

W32/Agobot-TA runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

When first run W32/Agobot-TA copies itself to <Windows system 
folder>\windowsfw.exe.

The following registry entries are created to run windowsfw.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windowsfw
windowsfw.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windowsfw
windowsfw.exe





Name   Troj/Bdoor-XD

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.IRCBot.nw
    * BackDoor-CMQ

Prevalence (1-5) 2

Description
Troj/Bdoor-XD is a Trojan for the Windows platform.

Troj/Bdoor-XD may install itself as the service "Windows Log".





Name   W32/Brontok-Z

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Email-Worm.Win32.Brontok.n
    * W32/Rontokbro.gen@MM
    * W32.Rontokbro.X@mm

Prevalence (1-5) 2

Description
W32/Brontok-Z is a mass-mailing worm for the Windows platform.

W32/Brontok-Z sends itself to email addresses found on the infected 
computer.

Emails sent by the worm have the following characteristics:

From: angelina_ph@<recipient's domain>
or jennifer_sh@<recipient's domain>

If the recipient's address is Indonesian:

Subject: Fotoku yg Paling Cantik

Message text:

Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.

Thanks

For all other addresses:

Subject: My Best Photo

Message text:

Hi,
I want to share my photo with you.
Wishing you all the best.

Regards,

Attachment name: Photo.zip

Advanced
W32/Brontok-Z is a mass-mailing worm for the Windows platform.

W32/Brontok-Z sends itself to email addresses found on the infected 
computer.

Emails sent by the worm have the following characteristics:

From: angelina_ph@<recipient's domain>
or jennifer_sh@<recipient's domain>

If the recipient's address is Indonesian:

Subject: Fotoku yg Paling Cantik

Message text:

Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.

Thanks

For all other addresses:

Subject: My Best Photo

Message text:

Hi,
I want to share my photo with you.
Wishing you all the best.

Regards,

Attachment name: Photo.zip

The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat 
runs Photo.bmp. Photo.bmp is an executable (currently detected as 
Troj/Dloadr-ADW) which attempts to download and execute a copy of the 
worm from a preconfigured website. At the time of writing, this 
website is unavailable.

When W32/Brontok-Z is installed it copies itself to the following 
locations:

<User>\Local Settings\Application Data\dv<random1>\yesbron.com
<User>\Local Settings\Application Data\jalak-<random2>-bali.com
<Windows system folder>\n<random3>\b6108.exe
<Windows system folder>\n<random3>\c.bron.tok.txt
<Windows system folder>\n<random3>\csrss.exe
<Windows system folder>\n<random3>\lsass.exe
<Windows system folder>\n<random3>\services.exe
<Windows system folder>\n<random3>\smss.exe
<Windows system folder>\n<random3>\sv<random4>r.exe
<Windows system folder>\n<random3>\winlogon.exe
<Windows system folder>\c_<random5>.com
<Windows folder>\j<random6>.exe
<Windows folder>\o<random7>.exe
<Windows folder>\_default<random8>.pif
<Windows folder>\<random9>\ib<random10>.exe

where <random1> etc. are randomly-chosen numbers

W32/Brontok-Z installs the following files:

\Baca Bro !!!.txt
<Windows folder>\Tasks\At1.job
<Windows folder>\Tasks\At2.job

The .job files each contain a scheduled task, instructing Windows to 
execute the installed copies of the worm once per day.

The .txt file, when opened, will cause the worm to display the 
following message:

######################### BRONTOK.C[22] #########################

-- Hentikanlah kebobrokan di negeri ini --

1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
( Send To NUSAKAMBANGAN )

2. Stop Free Sex, Aborsi, & Prostitusi
( Go To HELL )

3. Stop Pencemaran Alam, Pembakaran Hutan & Perburuan Liar.

4. SAY NO TO DRUGS !!!

-- Spizaetus Cirrhatus --

[ By JowoBot ]

+++++0000++++00000++++0000+++0+++++0++0000000+++0000+++0+++0+++++
+++++0++++0++0++++0++0++++0++00++++0+++++0+++++0++++0++0++0++++++
+++++0++++0++0++++0++0++++0++0+0+++0+++++0+++++0++++0++0+0+++++++
+++++00000+++00000+++0++++0++0++0++0+++++0+++++0++++0++00++++++++
+++++0++++0++0++0++++0++++0++0+++0+0+++++0+++++0++++0++0+0+++++++
+++++0++++0++0+++0+++0++++0++0++++00+++++0+++++0++++0++0++0++++++
+++++0000++++0++++0+++0000+++0+++++0+++++0++++++0000+++0+++0+++++

~~ Sedikit Jawaban u/ Membungkam Mulut Sesumbar 'Mereka' ~~

Nobron & Romdil = Otak Kosong, Mulut Besar, Cuma Bisa

Nobron = Satria Dungu = Nothing !!!

Romdil = Tukang Jiplak = Nothing !!!

Nobron & Romdil -->> Kicked by The Amazing Brontok

[ By JowoBot ]

W32/Brontok-Z closes windows whose titles contain any of the following:

task manager
registry
command prompt
system configuration
group policy
cmd.exe
computer management
scheduled task
killbox
hijack
SYSINTERNAL
PROCESS EXP
REMOVER
CLEANER
anti
washer
ertanto
BROWNIES
movzx
killer
pcmedia
pc-media
rontok
rontox
robknot
commander
windows script
norman
norton
symantec
cillin
trendmicro
bitdef
kaspersky
avg
avira
virus
trojan
worm
mcafee
b.e
folder option
wintask
alwil
sex
porn
naked
cewe
bugil
telanjang
nod32
task view
peid
ahnlab

W32/Brontok-Z adds entries to the system HOSTS file to prevent access 
to security-related domains.

W32/Brontok-Z may install a new version of the file <Windows system 
folder>\msvbvm60.dll.

The following registry entries are created to run the installed 
copies of the worm on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
<random>
<User>\Local Settings\Application Data\dv<random1>\yesbron.com

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
<random>
<Windows folder>\_default<random8>.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random>
<Windows system folder>\n<random3>\sv<random4>r.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random>
<Windows folder>\j<random6>.exe

The following registry entries are changed to run j6321422.exe and 
o4321427.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows folder>\o<random7>.exe"

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows folder>\Explorer.exe to be run on 
startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<Windows system folder>\userinit.exe,<Windows folder>\<random6>.exe

(the default value for this registry entry is "<Windows 
folder>\System32\userinit.exe,").

The following registry entry is set, disabling the registry editor 
(regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

Registry entries are created under:

HKCU\Software\Brontok\





Name   Troj/Hearse-A

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * TROJ_HEARSE.A
    * Trojan.Goldun.K
    * Trojan-Spy.Win32.Goldun.im

Prevalence (1-5) 2

Description
Troj/Hearse-A is a Trojan for the Windows platform.

The Trojan creates two files detected as members of the Haxdoor 
family of password stealing Trojans.

Advanced
Troj/Hearse-A is a Trojan for the Windows platform.

When run the Trojan creates the following files:

<Windows system folder>\zopenssl.dll
<Windows system folder>\zopenssld.sys

The file zopenssl.dll is detected as Troj/Haxdor-Fam and the file 
zopenssld.sys is detected as Troj/Haxdor-Gen.

The following registry entries are created in order to load the 
zopenssl.dll file each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\zopenssl
Asynchronous
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\zopenssl
DllName
zopenssl.dll

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\zopenssl
Impersonate
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\zopenssl
MaxWait
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\zopenssl
nk48id
"[88BF38A86A50D1EAA]"

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\zopenssl
Startup
"zopenssl"





Name   Troj/Singu-AK

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer

Prevalence (1-5) 2

Description
Troj/Singu-AK is a Trojan for the Windows platform.

Advanced
Troj/Singu-AK is a Trojan for the Windows platform.

When Troj/Singu-AK is installed the following files are created:

<Temp>\Win32en.bat
<System>\taskmone.exe
<System>\winscket.dll

Taskmone.exe and winscket.dll are detected by Sophos's anti-virus 
products as Troj/Singu-AK.
Win32en.bat may be safely deleted.

The following registry entry is created to run taskmone.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
taskmone
<System>\taskmone.exe

The file winscket.dll is registered as a COM object and Browser 
Helper Object (BHO) for Microsoft Internet Explorer, creating 
registry entries under:

HKCR\CLSID\{EA806E03-A6B1-205A-117C-138934661726}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\{EA806E03-A6B1-205A-117C-138934661726}





Name   Troj/Drsmartl-X

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Adload.ah

Prevalence (1-5) 2

Description
Troj/Drsmartl-X is a Trojan for the Windows platform.

Troj/Drsmartl-X includes functionality to download, install and run 
new software without notification that it is doing so.





Name   W32/Alcra-F

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.VB.an
    * W32.Spybot.Worm
    * TROJ_MULDROP.CV

Prevalence (1-5) 2

Description
W32/Alcra-F is a worm for the windows platform.

W32/Alcra-F uses file sharing applications to spread.

W32/Alcra-F typically arrives with the filename Setup.exe.

Advanced
W32/Alcra-F is a worm for the windows platform.

W32/Alcra-F uses file sharing applications to spread.

W32/Alcra-F typically arrives with the filename Setup.exe.

When first run W32/Alcra-F displays a dialog box with the text 
"Setup", "Welcome to the Setup Wizard ...".

The dialog then gives a fake error message, before closing.

W32/Alcra-F creates the folder <Program Files>\winsupdater and copies 
itself to this folder as

a.temp
winsupdater.exe

winsupdater.exe has the hidden file attribute and similarly the
<Program Files>\winsupdater\ folder is a hidden folder.

W32/Alcra-F creates the following files:

<root folder>\at.exe
<Program Files>\winsupdater\a.zip

Where the a.zip file contains a copy of the Setup.exe.
The file at.exe is detected as W32/Rbot-CVY.

When first run, W32/Alcra-F creates the following registry entry to 
ensure that it is run when an infected system starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winsupdater
<Program Files>\winsupdater\winsupdater.exe /auto





Name   Troj/RKDepo-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/RKDepo-A is a Trojan rootkit downloader for the Windows platform.

Troj/RKDepo-A attempts to hide information about its files and 
registry entries.

Troj/RKDepo-A periodically attempts to download and execute files 
from a number of websites.

Advanced
Troj/RKDepo-A is a Trojan rootkit downloader for the Windows platform.

Troj/RKDepo-A attempts to hide information about its files and 
registry entries, providing stealthing by directly manipulating 
structures in the system kernel.

When first run Troj/RKDepo-A copies itself to <System>\sxlntr.exe and 
creates the clean log file <Temp>\dgkmldgmdfgdf.tjh.

Troj/RKDepo-A attempts to set the following registry entries to run 
itself on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
hdloker
<path to Trojan>

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
hdloker
<path to Trojan>

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<path to Trojan>

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
<path to Trojan>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hdloker
<path to Trojan>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
hdloker
<path to Trojan>

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
load
<path to Trojan>

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
run
<path to Trojan>

The following registry entry is set to run sxlntr.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <path to Trojan>

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

Troj/RKDepo-A creates the following registy entry with a unique 
number to identify the infected computer:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
WINID

Troj/RKDepo-A periodically attempts to download and execute files 
from a number of websites to <Temp>\<randum numbers>.exe.





Name   Troj/DNSBust-L

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * DNSChanger.a

Prevalence (1-5) 2

Description
Troj/DNSBust-L is a Trojan for the Windows platform.

Troj/DNSBust-L includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/DNSBust-L is a Trojan for the Windows platform.

Troj/DNSBust-L includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/DNSBust-L copies itself to <System>\hgqhp.exe.

The following registry entry is created to run hgqhp.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hgqhp.exe
<System>\hgqhp.exe





Name   Troj/BankAsh-P

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/BankAsh-P is a Trojan for the Windows platform.

Troj/BankAsh-P includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/BankAsh-P contains functionality to download, install and run 
new software.

Advanced
Troj/BankAsh-P is a Trojan for the Windows platform.

Troj/BankAsh-P includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/BankAsh-P contains functionality to download, install and run 
new software.

When first run Troj/BankAsh-P copies itself to <System>\[Num1]c.exe 
and also creates <System>\dyna[Num2].dll

(Where Num1 and Num2 are randomly generated values containing three 
numbers.)

The following registry entry is created to run [Num1]c.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
vthi
<System>\[Num1]c.exe dummy





Name   W32/Rbot-CWU

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Rbot-CWU is a worm with backdoor functionality for the Windows 
platform.

W32/Rbot-CWU runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-CWU is a worm with backdoor functionality for the Windows 
platform.

W32/Rbot-CWU runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-CWU copies itself to <Windows system 
folder>\mskiks.exe and creates the following files:

<Windows system folder>\kikrun.kik
<Windows system folder>\winzipk.zip

The file winzipk.zip contains thefile.exe which is a copy of 
W32/Rbot-CWU.

The following registry entry is created to run mskiks.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft WinXP Spooler SubSystem
<Windows system folder>\mskiks.exe





Name   Troj/Sdbot-BEI

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer

Aliases  
    * Backdoor.Win32.SdBot.fg

Prevalence (1-5) 2

Description
Troj/Sdbot-BEI is an IRC backdoor Trojan for the Windows platform.





Name   Troj/BankDl-AN

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Banload.ael
    * Win32/TrojanDownloader.VB.NAW

Prevalence (1-5) 2

Description
Troj/BankDl-AN is a Trojan for the Windows platform.

Troj/BankDl-AN includes functionality to download, install and run 
new software.





Name   Troj/BagleDl-BP

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * W32/Bagle.ew

Prevalence (1-5) 2

Description
Troj/BagleDl-BP is a Trojan for the Windows platform.

Troj/BagleDl-BP pretends to be a hacking tool, opening a dialog box 
with the title "Select file to crack". Whichever file is selected, 
the Trojan displays the message "Incorrect file version".

The Trojan attempts to download further malicious code.

Advanced
Troj/BagleDl-BP is a Trojan for the Windows platform.

Troj/BagleDl-BP pretends to be a hacking tool, opening a dialog box 
with the title "Select file to crack". Whichever file is selected, 
the Trojan displays the message "Incorrect file version".

The Trojan attempts to download further malicious code.

When Troj/BagleDl-BP is installed the following file is created:

<System>\ldr64.dll

This file is also detected as Troj/BagleDl-BP.

The following registry entries are created to run code exported by 
ldr64.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64
DllName
ldr64.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64
Impersonate
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64
Startup
Startup





Name   Troj/IRCBot-GW

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/IRCBot-GW is a backdoor Trojan for the Windows platform.

Advanced
Troj/IRCBot-GW is a backdoor Trojan for the Windows platform.

When first run Troj/IRCBot-GW copies itself to <System>\vmmon32.exe. 
The following registry entries are created to run vmmon32.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Printer
<System>\vmmon32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Printer
<System>\vmmon32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Printer
<System>\vmmon32.exe

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Feebs-P

Type  
    * Worm

How it spreads  
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Feebs.gen
    * JS/Feebs.gen.f@MM
    * JS_FEEBS.GEN-4

Prevalence (1-5) 2

Description
W32/Feebs-P is a worm for the Windows platform.

W32/Feebs-P spreads via file sharing on P2P networks.

Advanced
W32/Feebs-P is a worm for the Windows platform.

W32/Feebs-P spreads via file sharing on P2P networks.

When first run W32/Feebs-P copies itself to:

<System>\msdf.exe
<System>\msld

and creates the following files:

<System>\msqn32.dll
<Root folder>\b

These files are also detected as W32/Feebs-P.

The worm also copies itself to shared folders for various 
peer-to-peer applications.

The following registry entry is created to run code exported by the 
worm library on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad
msqn32.dll
(361495F2-1D75-80CC-AA2D-8C0479EF7FC0)

The file msqn32.dll is registered as a COM object, creating registry 
entries under:

HKCR\CLSID\(361495F2-1D75-80CC-AA2D-8C0479EF7FC0)

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\MSAE





Name   W32/Tilebot-EH

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.xd
    * W32/Sdbot.OVU

Prevalence (1-5) 2

Description
W32/Tilebot-EH is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-EH spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
PNP 
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx).

W32/Tilebot-EH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

The following patches for the operating system vulnerabilities 
exploited by W32/Tilebot-EH are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx

Advanced
W32/Tilebot-EH is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-EH spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
PNP 
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx).

W32/Tilebot-EH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Tilebot-EH copies itself to <Windows 
folder>\wintray.exe.

The file wintray.exe is registered as a new system driver service 
named "WINTRAY", with a display name of "Windows System Tray" and a 
startup type of automatic, so that it is started automatically during 
system startup.
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\WINTRAY\

W32/Tilebot-EH sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\

The following patches for the operating system vulnerabilities 
exploited by W32/Tilebot-EH are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx





Name   Troj/Dermon-I

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Downloads code from the internet

Aliases  
    * Trojan-Spy.Win32.Agent.jt

Prevalence (1-5) 2

Description
Troj/Dermon-I is a password stealing Trojan for the Windows platform.

Advanced
Troj/Dermon-I is a password stealing Trojan for the Windows platform.

When first run Troj/Dermon-I copies itself to <System>\abrada.exe and 
creates
the following files:

<System>\abrada.dll - Troj/Dermon-I
<System>\abradaload.dll - Troj/Dermon-G

<System>\abrada.dll is a remote notification DLL component which 
sends stolen
information to a remote website.

<System>\abradaload.dll is a process injector DLL component which 
will attempt
to inject itself into other processes in order to stealth itself.

Troj/Dermon-I also attempts to create the following files:

<System>\abrada.ini
<System>\abrada.dat

These files may be deleted.

The following registry entries may be created to run abrada.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Abrada win32
<System>\abradaload.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Abrada win32
<System>\abradaload.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Abrada win32
<System>\abradaload.dll

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)