Text 113, 1098 lines
Written 2006-04-22 18:38:00 by KURT WISMER (1:123/140)
Subject: News, April 22 2006
===========================
[cut-n-paste from sophos.com]
Name Troj/Harnig-P
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Harnig.bh
Prevalence (1-5) 2
Description
Troj/Harnig-P is a Trojan for the Windows platform.
Troj/Harnig-P includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Harnig-P is a Trojan for the Windows platform.
Troj/Harnig-P includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Harnig-P is installed the following files are downloaded:
<Program Files>\paytime.exe
<Program Files>\secure32.html
\country.exe
\kl1.exe
\ms1.exe
\tool1.exe
\tool2.exe
\tool3.exe
\tool4.exe
\tool5.exe
\toolbar.exe
\uniq
<Windows folder>\hosts
Name Troj/Cosiam-G
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Proxy.Win32.Small.bo
Prevalence (1-5) 2
Description
Troj/Cosiam-G is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Troj/Cosiam-G includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Cosiam-G is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Troj/Cosiam-G includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Cosiam-G copies itself to <System>\eventwvr.exe
and creates the file <System>\bin29a.log.
The following registry entries are created to run eventwvr.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
eventwvr
<System>\eventwvr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
eventwvr
<System>\eventwvr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
eventwvr
<System>\eventwvr.exe
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\
Name W32/Bagle-GO
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Trojan-PSW.Win32.LdPinch.hk
* W32.Areses.A@mm
* WORM_ARESES.C
* Trojan-Dropper.Win32.Agent.ami
* WORM_ARESES.GEN
Prevalence (1-5) 2
Description
W32/Bagle-GO is a mass-mailing worm for the Windows platform.
Messages sent by the worm will have the following characteristics:
Subject: chosen randomly from
=?koi8-r?Q?=F0=D2=C9=D7=C5=D4=2C=CB=C1=CB=C9=C5_=CE=CF=D7=CF=D3=D4=C9=3F?=
=?koi8-r?Q?=F4=D9_=D3=C5=C7=CF=C4=CE=D1_=CB=CF_=CD=CE=C5_=D0=D2=C9=C5=C4?= =?koi8-r?Q?=C5=DB=D8=3F?=
=?koi8-r?Q?=F1_=D4=C5=C2=D1_=D3=C5=C7=CF=C4=CE=D1_ =D7=C9=C4=C5=CC=C1?=
Message text: non-Latin characters
Attachment name: chosen randomly from
new.cab
me.cab
you.cab
cool.cab
Re.cab
The attachment contains a file with a random basename and one of the
following double extensions:
.cab .cpl
.doc .cpl
.txt .cpl
.avi .cpl
.mpeg .cpl
W32/Bagle-GO contains functionality to download and install updated
versions of itself from preconfigured URLs.
Advanced
W32/Bagle-GO is a mass-mailing worm for the Windows platform.
Messages sent by the worm will have the following characteristics:
Subject: chosen randomly from
=?koi8-r?Q?=F0=D2=C9=D7=C5=D4=2C=CB=C1=CB=C9=C5_=CE=CF=D7=CF=D3=D4=C9=3F?=
=?koi8-r?Q?=F4=D9_=D3=C5=C7=CF=C4=CE=D1_=CB=CF_=CD=CE=C5_=D0=D2=C9=C5=C4?= =?koi8-r?Q?=C5=DB=D8=3F?=
=?koi8-r?Q?=F1_=D4=C5=C2=D1_=D3=C5=C7=CF=C4=CE=D1_ =D7=C9=C4=C5=CC=C1?=
Message text: non-Latin characters
Attachment name: chosen randomly from
new.cab
me.cab
you.cab
cool.cab
Re.cab
The attachment is a CAB archive detected as W32/Bagle-GN, and
contains a file with a random basename and one of the following
double extensions:
.cab .cpl
.doc .cpl
.txt .cpl
.avi .cpl
.mpeg .cpl
This CPL file is also detected as W32/Bagle-GO.
When run, a file with the same name as itself but without the CPL
extension, containing non-Latin characters, may be dropped to the
current folder and opened.
When first run W32/Bagle-GO copies itself to <Windows>\csrss.exe and
to <Temp>\ntsys.exe.
The following registry entry is changed to run W32/Bagle-GO on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
<Windows>\csrss.exe
W32/Bagle-GO creates registry entries for its own use beneath
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices
W32/Bagle-GO contains functionality to download and install updated
versions of itself from preconfigured URLs.
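As an added example (not part of the Sophos description or the original post), the following Python decodes the koi8-r RFC 2047 subjects listed above and checks a raw message against the W32/Bagle-GO lure indicators: the three known subjects, the five attachment names, and the inner file's double extension. The sample message is constructed; matching "Re.cab" case-insensitively and reading the double extensions as "<random>.doc.cpl" and so on are assumptions.

```python
"""Bagle-GO mail-lure check (added example): decode the koi8-r subjects and
match a raw message against the indicators in the Sophos description."""
from email import message_from_string
from email.header import decode_header, make_header

# The three Subject lines listed above, each re-joined onto one line.
BAGLE_GO_SUBJECTS_RAW = [
    "=?koi8-r?Q?=F0=D2=C9=D7=C5=D4=2C=CB=C1=CB=C9=C5_=CE=CF=D7=CF=D3=D4=C9=3F?=",
    "=?koi8-r?Q?=F4=D9_=D3=C5=C7=CF=C4=CE=D1_=CB=CF_=CD=CE=C5_=D0=D2=C9=C5=C4?="
    " =?koi8-r?Q?=C5=DB=D8=3F?=",
    "=?koi8-r?Q?=F1_=D4=C5=C2=D1_=D3=C5=C7=CF=C4=CE=D1_ =D7=C9=C4=C5=CC=C1?=",
]
# Attachment names from the description (assumption: compared case-insensitively).
BAGLE_GO_ATTACHMENTS = {"new.cab", "me.cab", "you.cab", "cool.cab", "re.cab"}
# First half of the inner file's double extension, e.g. "<random>.doc.cpl".
INNER_FIRST_EXTS = {"cab", "doc", "txt", "avi", "mpeg"}


def decode_subject(raw: str) -> str:
    """Decode an RFC 2047 header into text, collapsing runs of whitespace."""
    text = str(make_header(decode_header(raw)))
    return " ".join(text.split())


BAGLE_GO_SUBJECTS = {decode_subject(s) for s in BAGLE_GO_SUBJECTS_RAW}


def is_double_cpl_name(name: str) -> bool:
    """True for names of the form '<random>.<cab|doc|txt|avi|mpeg>.cpl'."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "cpl" and parts[1] in INNER_FIRST_EXTS


def bagle_go_indicators(raw_message: str) -> list:
    """Return the lure indicators found in an RFC 822 message given as a string."""
    msg = message_from_string(raw_message)
    hits = []
    if decode_subject(msg.get("Subject", "")) in BAGLE_GO_SUBJECTS:
        hits.append("known-subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower() in BAGLE_GO_ATTACHMENTS:
            hits.append("lure-attachment-name")
    return hits


# Constructed sample: a lure-like message using the first subject and "me.cab".
SAMPLE_LURE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: =?koi8-r?Q?=F0=D2=C9=D7=C5=D4=2C=CB=C1=CB=C9=C5_=CE=CF=D7=CF=D3=D4=C9=3F?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="koi8-r"

(body omitted)
--b1
Content-Type: application/octet-stream; name="me.cab"
Content-Disposition: attachment; filename="me.cab"
Content-Transfer-Encoding: base64

TVNDRgAAAAA=
--b1--
"""

if __name__ == "__main__":
    print(bagle_go_indicators(SAMPLE_LURE))  # ['known-subject', 'lure-attachment-name']
```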
Name Troj/Agent-BFZ
Type
* Trojan
Side effects
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
Troj/Agent-BFZ is a Trojan for the Windows platform.
Troj/Agent-BFZ includes functionality to access the internet and
communicate with a remote server via HTTP.
Name Troj/Loot-R
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
Aliases
* Trojan-Proxy.Win32.Horst.ai
Prevalence (1-5) 2
Description
Troj/Loot-R is a Trojan for the Windows platform.
The Trojan opens a backdoor and gives remote attackers the ability
to route email anonymously through the infected computer.
The Trojan terminates security related applications and services
including:
KAVPersonal50
kavsvc
mcafee personal firewall plus
navapsvc
SAVScan
SharedAccess
Sygate Personal Firewall Pro
Symantec Core LC
wscsvc
wuauserv
Name Troj/Banloa-ABL
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Banload.ade
* TROJ_DLOADER.CXE
* Generic Downloader.y
Prevalence (1-5) 2
Description
Troj/Banloa-ABL is a Trojan for the Windows platform.
Troj/Banloa-ABL includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Banloa-ABL also includes functionality to download, install and
run new software.
Advanced
Troj/Banloa-ABL is a Trojan for the Windows platform.
Troj/Banloa-ABL includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Banloa-ABL also includes functionality to download, install and
run new software.
When first run Troj/Banloa-ABL copies itself to <Windows>\svchost.com.
The following registry entry is created to run svchost.com on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svchost
<Windows>\svchost.com
Name Troj/Polbot-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Medbot.y
Prevalence (1-5) 2
Description
Troj/Polbot-A is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Troj/Polbot-A includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Polbot-A is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Troj/Polbot-A includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Polbot-A copies itself to <Windows system folder>\smss.exe
and creates the file <Windows system folder>\nvsvcd.exe.
The following registry entry is created to run Troj/Polbot-A on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.nvsvc
<Windows system folder>\smss.exe /w
The file nvsvcd.exe is registered as a new system driver service
named "Windows Log", with a display name of "Windows Log" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows Log\
Name W32/Sdbot-BMG
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.SdBot.aad
Prevalence (1-5) 2
Description
W32/Sdbot-BMG is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-BMG spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares
protected by weak passwords.
W32/Sdbot-BMG runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-BMG includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Sdbot-BMG is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-BMG spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares
protected by weak passwords.
W32/Sdbot-BMG runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-BMG includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Sdbot-BMG copies itself to <Windows>\svchost.exe.
The file <Windows>\svchost.exe is registered as a new system driver
service named "NetDDEdsma", with a display name of "Network DDE DSMA"
and a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\NetDDEdsma\
W32/Sdbot-BMG sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Tilebot-EM
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Leaves non-infected files on computer
Aliases
* WORM_KELVIR.DU
Prevalence (1-5) 2
Description
W32/Tilebot-EM is a network worm and backdoor Trojan for the Windows
platform.
Advanced
W32/Tilebot-EM is a network worm and backdoor Trojan for the Windows
platform.
W32/Tilebot-EM spreads to remote network shares protected by weak
passwords and to computers vulnerable to common exploits, including
LSASS (MS04-011), RPC-DCOM (MS04-012) and ASN.1 (MS04-007).
W32/Tilebot-EM includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-EM copies itself to \emape.exe and creates
the following files:
<CurrentFolder>\aspr_keys.ini
<System>\rofl.sys
The file rofl.sys is detected as Troj/RKPort-A. The file
aspr_keys.ini may be deleted.
The file emape.exe is registered as a new system driver service named
"EMAP Service", with a display name of "EMAP Service" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\EMAP Service\
The file rofl.sys is registered as a new system driver service named
"rofl", with a display name of "rofl". Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\rofl\
W32/Tilebot-EM sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Tilebot-EN
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.xd
Prevalence (1-5) 2
Description
W32/Tilebot-EN is a worm with backdoor functionality for the Windows
platform.
W32/Tilebot-EN spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares
protected by weak passwords.
W32/Tilebot-EN runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-EN includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Tilebot-EN is a worm with backdoor functionality for the Windows
platform.
W32/Tilebot-EN spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares
protected by weak passwords.
W32/Tilebot-EN runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-EN includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-EN copies itself to <Windows folder>\ssms.exe.
The file ssms.exe is registered as a new system driver service named
"explorer", with a display name of "windows file explorer" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\explorer\
W32/Tilebot-EN sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Banker-BIX
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Uses its own emailing engine
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Net-Worm.Win32.Banker.a
Prevalence (1-5) 2
Description
W32/Banker-BIX is a worm for the Windows platform.
The worm monitors internet sessions and displays fake login pages for
certain banking web sites. W32/Banker-BIX steals information entered
into web forms and sends the stolen credentials to a remote attacker via
email.
W32/Banker-BIX spreads to network computers via open network shares.
Advanced
W32/Banker-BIX is a worm for the Windows platform.
The worm monitors internet sessions and displays fake login pages for
certain banking web sites. W32/Banker-BIX steals information entered
into web forms and sends the stolen credentials to a remote attacker via
email.
W32/Banker-BIX spreads to network computers via open network shares.
When first run, W32/Banker-BIX copies itself to the Windows folder as
"system.exe" and sets the following registry entry in order to run
each time a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<basename>
"<original name>"
The following data files may also be created:
C:\Windows\maq.txt
C:\Windows\okey.txt
C:\Windows\system.bat
C:\Windows\view.txt
These files may be safely deleted.
The worm may also download additional configuration data which
defines further behaviors.
Name Troj/BankDl-AW
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Banload.aeg
* Win32/TrojanDownloader.Delf.PQ
Prevalence (1-5) 2
Description
Troj/BankDl-AW is a downloader Trojan for the Windows platform.
Advanced
Troj/BankDl-AW is a downloader Trojan for the Windows platform.
Troj/BankDl-AW includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/BankDl-AW is installed it creates the file
<Windows>\boby.exe. This file is detected as Troj/BankDl-AW.
Name Troj/Zapchas-BD
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Zapchas-BD is a Trojan for the Windows platform.
Troj/Zapchas-BD runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Troj/Zapchas-BD includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Zapchas-BD is a Trojan for the Windows platform.
Troj/Zapchas-BD runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Troj/Zapchas-BD includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Zapchas-BD is installed the following files are created:
<Windows system folder>\drivers\shellz\aliases.ini
<Windows system folder>\drivers\shellz\away.txt
<Windows system folder>\drivers\shellz\ftpop.txt
<Windows system folder>\drivers\shellz\fullinfo.bat
<Windows system folder>\drivers\shellz\fullinfo.lnk
<Windows system folder>\drivers\shellz\fullinfo2.bat
<Windows system folder>\drivers\shellz\fullinfo2.lnk
<Windows system folder>\drivers\shellz\fullname.txt
<Windows system folder>\drivers\shellz\hidewndw.exe
<Windows system folder>\drivers\shellz\ident.txt
<Windows system folder>\drivers\shellz\ipconf.bat
<Windows system folder>\drivers\shellz\ipconf.lnk
<Windows system folder>\drivers\shellz\kill.exe
<Windows system folder>\drivers\shellz\memorat.txt
<Windows system folder>\drivers\shellz\mirc.ini
<Windows system folder>\drivers\shellz\mirc2.ini
<Windows system folder>\drivers\shellz\msasw.bat
<Windows system folder>\drivers\shellz\msasw.lnk
<Windows system folder>\drivers\shellz\muta.bat
<Windows system folder>\drivers\shellz\muta.lnk
<Windows system folder>\drivers\shellz\netinfo.bat
<Windows system folder>\drivers\shellz\netinfo.lnk
<Windows system folder>\drivers\shellz\nicks.txt
<Windows system folder>\drivers\shellz\postcards.jpg
<Windows system folder>\drivers\shellz\procese.bat
<Windows system folder>\drivers\shellz\procese.lnk
<Windows system folder>\drivers\shellz\procese.txt
<Windows system folder>\drivers\shellz\remote.ini
<Windows system folder>\drivers\shellz\remote2.ini
<Windows system folder>\drivers\shellz\script.ini
<Windows system folder>\drivers\shellz\servers.ini
<Windows system folder>\drivers\shellz\servers2.ini
<Windows system folder>\drivers\shellz\setup.lnk
<Windows system folder>\drivers\shellz\sup.bat
<Windows system folder>\drivers\shellz\sup.reg
<Windows system folder>\drivers\shellz\sup2.bat
<Windows system folder>\drivers\shellz\sup2.lnk
<Windows system folder>\drivers\shellz\users.ini
<Windows system folder>\drivers\shellz\winspector.exe
<Windows system folder>\drivers\shellz\winspector.lnk
The following registry entries are set or modified, so that
winspector.exe is run when files with extensions of CHA and IRC are
opened/launched:
HKCR\ChatFile\Shell\open\command
(default)
"<Windows system folder>\drivers\shellz\winspector.exe" -noconnect
HKCR\irc\Shell\open\command
(default)
"<Windows system folder>\drivers\shellz\winspector.exe" -noconnect
Registry entries are set as follows:
HKCR\ChatFile\DefaultIcon
(default)
<Windows system folder>\drivers\shellz\winspector.exe
HKCR\irc\DefaultIcon
(default)
<Windows system folder>\drivers\shellz\winspector.exe
Registry entries are created under:
HKCU\Software\Microsoft\Microsoft Agent\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\
Name Troj/Dloadr-HAA
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
Troj/Dloadr-HAA is a Trojan for the Windows platform.
Troj/Dloadr-HAA includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Dloadr-HAA is a Trojan for the Windows platform.
Troj/Dloadr-HAA includes functionality to access the internet and
communicate with a remote server via HTTP.
The Trojan deregisters the system file shdocvw.dll from the
URLSearchHooks settings of Internet Explorer by deleting the
following registry entry:
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\(CFBFAE00-17A6-11D0-99CB-00C04FD64497)
The Trojan then downloads and installs additional files from a remote
site.
Name Troj/Agent-BHO
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Trojan.Win32.Agent.oh
Prevalence (1-5) 2
Description
Troj/Agent-BHO is a Trojan for the Windows platform.
Troj/Agent-BHO can be used in conjunction with other malware to
terminate services and create and delete files.
Name W32/Bagle-GT
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Bagle-GT is a mass-mailing worm for the Windows platform.
Messages sent by the worm will have the following characteristics:
The message text and subject both consist of non-Latin characters.
The attachment name also consists of non-Latin characters, with a file
extension of .hta.
W32/Bagle-GT includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Bagle-GT is a mass-mailing worm for the Windows platform.
Messages sent by the worm will have the following characteristics:
The message text and subject both consist of non-Latin characters.
The attachment name also consists of non-Latin characters, with a file
extension of .hta.
When run, this attachment, detected as W32/Bagle-GT, drops and runs a
file also detected as W32/Bagle-GT.
When this file is run it copies itself to <Windows>\csrss.exe.
The following registry entry is changed to run W32/Bagle-GT on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
<Windows>\csrss.exe
W32/Bagle-GT then creates the file <Temp>\Message.hta, which is a new
dropper that will be mailed to email addresses found on the infected
computer. This file is also detected as W32/Bagle-GT.
W32/Bagle-GT includes functionality to access the internet and
communicate with a remote server via HTTP.
Name W32/Bagle-GU
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
* Opens links to websites
Prevalence (1-5) 2
Description
W32/Bagle-GU is a mass-mailing worm for the Windows platform.
W32/Bagle-GU may send email messages with blank message text and
non-roman subject lines.
Advanced
W32/Bagle-GU is a mass-mailing worm for the Windows platform.
W32/Bagle-GU may send email messages with blank message text and
non-roman subject lines.
W32/Bagle-GU includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Bagle-GU copies itself to <Windows>\csrss.exe and
creates the file <Temp>\Message.hta.
The following registry entry is changed to run W32/Bagle-GU on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
<Windows>\csrss.exe
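The following Python, added here as an example and not part of the Sophos descriptions or the original post, scans an exported .reg file offline for the registry changes the W32/Bagle-GO, -GT and -GU, W32/Sdbot-BMG and W32/Tilebot-EM/-EN descriptions above list: an Image File Execution Options Debugger value (Windows then starts the named program whenever the hijacked image is launched), Start=4 (SERVICE_DISABLED) on Messenger, RemoteRegistry and TlntSvr, DoNotAllowXPSP2=1, EnableDCOM=N and restrictanonymous=1. The sample export is constructed; the parser assumes the .reg text has already been decoded to a string and only interprets string and dword values.

```python
"""Offline scan of a .reg export for the registry changes listed in the
Bagle, Sdbot and Tilebot descriptions (added example, constructed sample)."""
import re

HKLM = "hkey_local_machine\\"
IFEO = HKLM + "software\\microsoft\\windows nt\\currentversion\\image file execution options\\"
SERVICES = HKLM + "system\\currentcontrolset\\services\\"
SERVICE_DISABLED = 4                       # Start=4: the service is never started
DISABLED_BY_WORMS = ("messenger", "remoteregistry", "tlntsvr")
HARDENING_ROLLBACK = {                     # (key, value name) -> value the worms set
    (HKLM + "software\\policies\\microsoft\\windows\\windowsupdate", "donotallowxpsp2"): 1,
    (HKLM + "software\\microsoft\\ole", "enabledcom"): "N",
    (HKLM + "system\\currentcontrolset\\control\\lsa", "restrictanonymous"): 1,
}
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Minimal 'Windows Registry Editor Version 5.00' parser. Returns
    {key (lower-cased): {value name (lower-cased): value}}; string and dword
    values are decoded, other types are kept as their raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1].lower()
        raw = m.group(2)
        if raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            value = raw                    # hex:/other types kept verbatim
        keys[current][name] = value
    return keys


def find_indicators(keys):
    """Return human-readable findings for the entries the descriptions list."""
    findings = []
    for key, values in keys.items():       # any IFEO Debugger value is worth review
        if key.startswith(IFEO) and "debugger" in values:
            findings.append(f"IFEO Debugger on {key[len(IFEO):]}: {values['debugger']}")
    for svc in DISABLED_BY_WORMS:
        if keys.get(SERVICES + svc, {}).get("start") == SERVICE_DISABLED:
            findings.append(f"service {svc} disabled (Start=4)")
    for (key, name), bad in HARDENING_ROLLBACK.items():
        if keys.get(key, {}).get(name) == bad:
            findings.append(f"{name}={bad!r} under {key}")
    return findings


# Constructed sample export reflecting the entries described above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""

if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

Real exports are UTF-16 text; decode them before passing the contents to parse_reg_export.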
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)