Tillbaka till svenska Fidonet
English   Information   Debug  
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   33421
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33945
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41707
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13613
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16074
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3249
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13300
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
Möte VIRUS_INFO, 201 texter
 lista första sista föregående nästa
Text 119, 1200 rader
Skriven 2006-05-27 23:49:00 av KURT WISMER (1:123/140)
Ärende: News, May 27 2006
=========================
[cut-n-paste from sophos.com]

Name   Troj/Stinx-V

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan.Brepibot.U

Prevalence (1-5) 3

Description
Troj/Stinx-V is an IRC backdoor Trojan for the Windows platform.

Advanced
Troj/Stinx-V is an IRC backdoor Trojan for the Windows platform.

When first run, Troj/Stinx-V copies itself to the Windows system 
folder with the name cmssr.exe and creates the following registry 
entry to run itself automatically:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
ATD Direct CD
<System>\cmssr.exe

Troj/Stinx-V connects to a preconfigured IRC server and joins a 
specific channel. A remote attacker can then gain access and control 
over the infected computer.





Name   Troj/Opnis-C

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.Opnis.g

Prevalence (1-5) 2

Description
Troj/Opnis-C is a Trojan for the Windows platform.

Advanced
Troj/Opnis-C is a Trojan for the Windows platform.

When Troj/Opnis-C is installed the following files are created:

<Windows system folder>\[Random1].dll
<Windows system folder>\[Random2].exe
<Windows system folder>\vsre446EC7DB.exe

The following registry entry is created to run [Random2].exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Random2]
<Windows system folder>\[Random2].exe

The following registry entries are created to run code exported by 
[Random1].dll on startup:

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\[Random1]
DllName
<Windows system folder>\[Random1].dll

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\[Random1]
Startup
WlxStartupEvent

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\[Random1]
Impersonate
0





Name   Troj/Tometa-E

Type  
    * Trojan

Affected operating systems  
    * Windows

Aliases  
    * Win32/Bifrose

Prevalence (1-5) 2

Description
Troj/Tometa-E is a Trojan for the Windows platform.

Advanced
Troj/Tometa-E is a Trojan for the Windows platform.

When first run Troj/Tometa-E copies itself to &ltSystem>\kb32.com.

The following registry entry is created to run kb32.com on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed 
Components\{686BC654-BC45-D597-22DC-CA34BD693002}
StUbPaTh
<System>\kb32.com s

Registry entries are created as follows:

HKCU\Software\Wget
KLG
hex:00

HKLM\SOFTWARE\Wget
NCK
hex:f7,11,26,35,57,32,2d,60,b4,3c,2a,5e,33,34,72,00,a3,78,26,35,57,32,2
d,60,b4,3c,2a,5e,33,34,72,00





Name   W32/Sality-U

Type  
    * Worm

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Aliases  
    * Virus.Win32.Sality.o

Prevalence (1-5) 2

Description
W32/Sality-U is a parasitic virus for the Windows platform.

Advanced
W32/Sality-U is a parasitic virus for the Windows platform.

When run the virus drops the file <System>\wdmfmc32.dll. This file is 
also detected as W32/Sality-U.





Name   W32/Mytob-HX

Type  
    * Spyware Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Steals information
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Mytob-HX is a worm for the Windows platform.

The worm harvests email addresses from files on the infected computer 
and sends itself as an attachment to each address found.

Email sent by W32/Mytob-HX has the following message text:

Dear Valued Member,
According to our terms of services, you will have to confirm your 
e-mail by the following link, or your account will be suspended 
within 24 hours for security reasons.
After following the instructions in the sheet, your account will not 
be interrupted and will continue as normal.
Thanks for your attention to this request. We apologize for any 
inconvenience.

Sincerely, %s Abuse Department
<a 
href="http://<BLOCKED>/Confirmation_Sheet.pif">http://www.%s/confirm.ph
p?account=%s</a>

where "%s" is an excerpt from the recipient's email address.

The worm connects to an IRC server and joins a predefined channel 
where it then awaits commands from remote attackers.

Advanced
W32/Mytob-HX is a worm for the Windows platform.

When run, W32/Mytob-HX copies itself to the Windows system folder as 
"windows.exe"

The worm harvests email addresses from files on the infected computer 
and sends itself as an attachment to each address found.

Email sent by W32/Mytob-HX has the following message text:

Dear Valued Member,
According to our terms of services, you will have to confirm your 
e-mail by the following link, or your account will be suspended 
within 24 hours for security reasons.
After following the instructions in the sheet, your account will not 
be interrupted and will continue as normal.
Thanks for your attention to this request. We apologize for any 
inconvenience.

Sincerely, %s Abuse Department
<a 
href="http://<BLOCKED>/Confirmation_Sheet.pif">http://www.%s/confirm.ph
p?account=%s</a>

where "%s" is an excerpt from the recipient's email address.

The worm connects to an IRC server and joins a predefined channel 
where it then awaits commands from remote attackers.

The following registry entries are created in order to run the worm 
each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows System
"windows.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows System
"windows.exe"





Name   W32/Bobandy-A

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Bobandy-A is a mass-mailing worm for the Windows platform.

Emails sent by W32/Bobandy-A have the following characteristics:

Subject line:

Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs

Message text:

hi please see this file
For security reasons attached file is password protected.
The password is 55132098

hot babe high quality porn
For security reasons attached file is password protected.
The password is 55132098
free screen saver romance for you

Please Visit Our Web Site:http://www.moonLight.com
For security reasons attached file is password protected.
The password is 55132098

hey free brontok, small_kl & more removal
For security reasons attached file is password protected.
The password is 55132098

thank's for you register
For security reasons attached file is password protected.
The password is 55132098

your acount details are attached
For security reasons attached file is password protected.
The password is 55132098

Advanced
W32/Bobandy-A is a mass-mailing worm for the Windows platform.

Emails sent by W32/Bobandy-A have the following characteristics:

Subject line:

Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs

Message text:

hi please see this file
For security reasons attached file is password protected.
The password is 55132098

hot babe high quality porn
For security reasons attached file is password protected.
The password is 55132098
free screen saver romance for you

Please Visit Our Web Site:http://www.moonLight.com
For security reasons attached file is password protected.
The password is 55132098

hey free brontok, small_kl & more removal
For security reasons attached file is password protected.
The password is 55132098

thank's for you register
For security reasons attached file is password protected.
The password is 55132098

your acount details are attached
For security reasons attached file is password protected.
The password is 55132098

When first run W32/Bobandy-A copies itself to:

<Startup>\MySqld-nt Start.cmd
<Windows>\Brico.cmd
<Windows>\Systask.exe
<Windows>\command.com
<Windows>\java\clases\bin\csrss.exe
<System>\MySqld-nt.cmd
<System>\;applog\Sys\Winlogon.exe
<System>\dllcache\(CLSID)\msowcf.cmd
<System>\remotesp.cmd
<System>\run32dll.exe

and creates the following harmless files:

<User>\My Documents\Mo0nLighT.A.txt
<System>\MoonLigHT.rtf

W32/Bobandy-A creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MooNlight
MySqld-nt.cmd

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ObjectDock
Brico.cmd

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe, COMMAND\SETRAMD.cmd

Registry entries are created under:

HKCU\Software\VB and VBA Program Settings\untukmu\version\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File 
Execution Options\

W32/Bobandy-A attempts to copy itself to the root folders of all 
mapped drives.

The attached file will take one of the following names:

mypic.zip
dataKU.zip
attach.zip
Update.zip
Doc.uu
file.zip
thisfile.uu
pic.zip

The attached file is detected as Troj/BobanDl-A

W32/Bobandy-A harvests email addresses from files on the infected 
computer.





Name   Troj/Clagger-S

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security

Prevalence (1-5) 2

Description
Troj/Clagger-S is a Trojan that downloads further malicious code.

Advanced
Troj/Clagger-S is a Trojan that downloads further malicious code.

The Trojan downloads a file to <Windows>\suhoy330.exe and runs it.

The following registry entry is created in an attempt to bypass the 
Windows firewall:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FiREWaLLpolicy\StAnDaRDPrOFiLe\AUtHorizedapplications\List
<pathname of Trojan executable>
<pathname of Trojan executable>:*:ENABLED:0





Name   W32/Zasran-C

Type  
    * Spyware Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer
    * Steals information
    * Drops more malware
    * Uses its own emailing engine

Aliases  
    * Email-Worm.Win32.Banwarum.c

Prevalence (1-5) 2

Description
W32/Zasran-C is a worm for the Windows platform.

W32/Zasran-C spreads via email. Email sent by W32/Zasran-C contains a 
message text written in German.

Attached files have the ZIP file extension with one of the following 
randomly chosen base names:

Abbild-Der-Rechnung
Anhang
Anhang-Tickets
archiv
Auszahlungen
bank-kontoauszuge
Desktop
Kontoauszug
Neuer Ordner
New Folder
Postbank
Postbank-Ueberweisungen
Rechnung
Rechnung-Anhang
Tickets
Ueberweisung
Weltmeisterschaft
WM-Anhang
WM-Tickets

Advanced
W32/Zasran-C is a worm for the Windows platform.

The worm creates the file <System>\mszsrn32.dll and injects code into 
the winlogon.exe process in an attempt to hide some actions.

The worm downloads configuration data from a remote site that defines 
further behaviors.

W32/Zasran-C spreads via email. Email sent by W32/Zasran-C contains a 
message text written in German.

Attached files have the ZIP file extension with one of the following 
randomly chosen base names:

Abbild-Der-Rechnung
Anhang
Anhang-Tickets
archiv
Auszahlungen
bank-kontoauszuge
Desktop
Kontoauszug
Neuer Ordner
New Folder
Postbank
Postbank-Ueberweisungen
Rechnung
Rechnung-Anhang
Tickets
Ueberweisung
Weltmeisterschaft
WM-Anhang
WM-Tickets





Name   W32/Tilebot-FA

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.SdBot.xd
    * W32/Sdbot.worm.gen.g

Prevalence (1-5) 2

Description
W32/Tilebot-FA is a worm with backdoor functionality for the Windows 
platform.

W32/Tilebot-FA spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: WKS (MS03-049) 
(CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). The worm may 
also spreads via network shares and MSSQL servers protected by weak 
passwords.

W32/Tilebot-FA runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-FA includes functionality to:

- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks

Advanced
W32/Tilebot-FA is a worm with backdoor functionality for the Windows 
platform.

W32/Tilebot-FA spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: WKS (MS03-049) 
(CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). The worm may 
also spreads via network shares and MSSQL servers protected by weak 
passwords.

W32/Tilebot-FA runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-FA includes functionality to:

- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks

When first run W32/Tilebot-FA copies itself to the Windows folder as 
services.exe. The file services.exe is registered as a new system 
driver service named "aolsoftwares", with a display name of 
"aolsoftwares" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\aolsoftwares\

W32/Tilebot-FA sets the following registry entries, disabling the 
automatic
startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

Additional registry entries are set as follows:

HKCR\.key
(default)
regfile

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Rbot-DVC

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Prevalence (1-5) 2

Description
W32/Rbot-DVC is a worm and IRC backdoor Trojan for the Windows 
platform.

Advanced
W32/Rbot-DVC is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-DVC runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-DVC spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012) and WKS (MS03-049) (CAN-2003-0812) and by copying 
itself to network shares protected by weak passwords.

When first run W32/Rbot-DVC copies itself to <System>\usaplug.exe.

The following registry entries are created to run usaplug.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft USA Plug
usaplug.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft USA Plug
usaplug.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft USA Plug
usaplug.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft USA Plug
usaplug.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft USA Plug
usaplug.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft USA Plug
usaplug.exe

HKCU\Software\Microsoft\OLE
Microsoft USA Plug
usaplug.exe

HKLM\SOFTWARE\Microsoft\Ole
Microsoft USA Plug
usaplug.exe

W32/Rbot-DVC includes functionality to:

- access the internet and communicate with a remote server via HTTP
- log keystrokes
- perform DDoS attacks
- setup a SOCKS4 server
- steal information

W32/Rbot-DVC also appends the following mappings to the HOSTS file, 
denying access to security and anti-virus related websites:

0.0.0.0 www.symantec.com
0.0.0.0 securityresponse.symantec.com
0.0.0.0 symantec.com
0.0.0.0 www.sophos.com
0.0.0.0 sophos.com
0.0.0.0 www.mcafee.com
0.0.0.0 mcafee.com
0.0.0.0 liveupdate.symantecliveupdate.com
0.0.0.0 www.viruslist.com
0.0.0.0 viruslist.com
0.0.0.0 viruslist.com
0.0.0.0 f-secure.com
0.0.0.0 www.f-secure.com
0.0.0.0 kaspersky.com
0.0.0.0 kaspersky-labs.com
0.0.0.0 www.avp.com
0.0.0.0 www.kaspersky.com
0.0.0.0 avp.com
0.0.0.0 www.networkassociates.com
0.0.0.0 networkassociates.com
0.0.0.0 www.ca.com
0.0.0.0 ca.com
0.0.0.0 mast.mcafee.com
0.0.0.0 my-etrust.com
0.0.0.0 www.my-etrust.com
0.0.0.0 download.mcafee.com
0.0.0.0 dispatch.mcafee.com
0.0.0.0 secure.nai.com
0.0.0.0 nai.com
0.0.0.0 www.nai.com
0.0.0.0 update.symantec.com
0.0.0.0 updates.symantec.com
0.0.0.0 us.mcafee.com
0.0.0.0 liveupdate.symantec.com
0.0.0.0 customer.symantec.com
0.0.0.0 rads.mcafee.com
0.0.0.0 trendmicro.com
0.0.0.0 pandasoftware.com
0.0.0.0 www.pandasoftware.com
0.0.0.0 www.trendmicro.com
0.0.0.0 www.grisoft.com
0.0.0.0 www.microsoft.com
0.0.0.0 microsoft.com
0.0.0.0 www.virustotal.com
0.0.0.0 virustotal.com
0.0.0.0 www.zango.com
0.0.0.0 zango.com





Name   W32/Mytob-HZ

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Uses its own emailing engine
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Net-Worm.Win32.Domwoot.a
    * W32/Mytob.ii@MM
    * W32.Mytob@mm
    * Win32/Mytob.TN

Prevalence (1-5) 2
Description
W32/Mytob-HZ is a mass-mailing worm with backdoor functionality that 
can be controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-HZ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Mytob-HZ spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011) and 
ASN.1 (MS04-007).

W32/Mytob-HZ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Emails sent by W32/Mytob-HZ sends emails in the following format, 
with details filled in to make the email look more authentic:

Subject line chosen from:

*DETECTED* Online User Violation
*WARNING* Your email account is suspended
Email Account Suspension
Important Notification
Members Support
Notice of account limitation
Security measures
Warning Message: Your services near to be closed.
We have suspended your account
You are banned!!!
Your Account is Suspended
Your Account is Suspended For Security Reasons
<random characters>

Message text chosen from (the worm will insert the username and the 
email domain of the addressee into the email):

Dear <domain> Member,

We have temporarily suspended your email account <domain>.

This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.

Sincerely,The <domain> Support Team

Some information about your <domain> account is attached.

The <domain> Support Team

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.

Virtually yours,

The attached file consists of a base name followed by the extension 
ZIP. The worm may optionally create double extensions where the first 
extension is DOC, TXT or HTM and the final extension is BAT, CMD, 
PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from:

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<random characters>

W32/Mytob-HZ harvests email addresses from files on the infected 
computer and from the Windows address book.

Advanced
W32/Mytob-HZ is a mass-mailing worm with backdoor functionality that 
can be controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-HZ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Mytob-HZ spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011) and 
ASN.1 (MS04-007).

W32/Mytob-HZ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Mytob-HZ copies itself to <Windows system 
folder>\svchosts.exe.

The following registry entries are created to run svchosts.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Cnfg32
svchosts.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 Cnfg32
svchosts.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Cnfg32
svchosts.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Cnfg32
svchosts.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Win32 Cnfg32
svchosts.exe

The file svchosts.exe is registered as a new file system driver 
service named "shit", with a display name of "shit". Registry entries 
are created under:

HKLM\SYSTEM\CurrentControlSet\Services\shit\

Emails sent by W32/Mytob-HZ sends emails in the following format, 
with details filled in to make the email look more authentic:

Subject line chosen from:

*DETECTED* Online User Violation
*WARNING* Your email account is suspended
Email Account Suspension
Important Notification
Members Support
Notice of account limitation
Security measures
Warning Message: Your services near to be closed.
We have suspended your account
You are banned!!!
Your Account is Suspended
Your Account is Suspended For Security Reasons
<random characters>

Message text chosen from (the worm will insert the username and the 
email domain of the addressee into the email):

Dear <domain> Member,

We have temporarily suspended your email account <domain>.

This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.

Sincerely,The <domain> Support Team

Some information about your <domain> account is attached.

The <domain> Support Team

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.

Virtually yours,

The attached file consists of a base name followed by the extension 
ZIP. The worm may optionally create double extensions where the first 
extension is DOC, TXT or HTM and the final extension is BAT, CMD, 
PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from:

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<random characters>

W32/Mytob-HZ harvests email addresses from files on the infected 
computer and from the Windows address book.





Name   W32/Sdbot-BSL

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * W32/Sdbot.worm.gen.bp

Prevalence (1-5) 2

Description
W32/Sdbot-BSL is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Sdbot-BSL runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

Advanced
W32/Sdbot-BSL is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Sdbot-BSL runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

When first run W32/Sdbot-BSL copies itself to <Windows>\Msmgs.exe.

The file Msmgs.exe is registered as a new system driver service named 
"Windows
web messenger", with a display name of "Windows web messenger" and a 
startup
type of automatic, so that it is started automatically during system 
startup.
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Windows web messenger\

W32/Sdbot-BSL sets the following registry entries, disabling the 
automatic
startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)