Tillbaka till svenska Fidonet
English   Information   Debug  
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   33421
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33945
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41707
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13613
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16074
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3249
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13300
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
Möte VIRUS_INFO, 201 texter
 lista första sista föregående nästa
Text 124, 2287 rader
Skriven 2006-06-25 17:00:00 av KURT WISMER (1:123/140)
Ärende: News, June 25 2006
==========================
[cut-n-paste from sophos.com]

Name   W32/Bagle-KG

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet

Aliases  
    * W32.Beagle.FD@mm
    * Email-Worm.Win32.Bagle.gk

Prevalence (1-5) 2

Description
W32/Bagle-KG is a mass-mailing worm for the Windows platform.

W32/Bagle-KG includes functionality to access the internet and 
communicate with a remote server via HTTP.

When W32/Bagle-KG is installed it attempts to mail a zipped file of 
the W32/Bagle-KF worm.

Advanced
W32/Bagle-KG is a mass-mailing worm for the Windows platform.

W32/Bagle-KG includes functionality to access the internet and 
communicate with a remote server via HTTP.

When W32/Bagle-KG is installed the worm attempts to email an 
attachment of a zipped file containing the W32/Bagle-KF worm.

W32/Bagle-KG may create the file C:\WINDOWS\elist.xpt. This file can 
be deleted.

Registry entries may also be created under:

HKCU\Software\FirstRun648





Name   Troj/Bancos-API

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information

Prevalence (1-5) 2

Description
Troj/Bancos-API is a Trojan for the Windows platform.

Advanced
Troj/Bancos-API is a Trojan for the Windows platform.

The Troj/Bancos-API is registered as a COM object, creating registry 
entries under:

HKCR\CLSID\(1E6CE4CD-161B-4847-B8BF-E2EF72299D69)
HKCR\Interface\(4EFDDEB1-BF39-4F20-B90C-747B99B6EB84)
HKCR\TypeLib\(14A5F3E7-B235-4D98-9264-5C67D2657BC4)
HKCR\ib.CBrowserHelper\





Name   Troj/Dloadr-AHR

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Dloadr-AHR is a Trojan for the Windows platform.

Troj/Dloadr-AHR attempts to download further malicious code

Advanced
Troj/Dloadr-AHR is a Trojan for the Windows platform.

Troj/Dloadr-AHR attempts to download further malicious code.

The Trojan creates the following registry entry:

HKCU\Software\Microsoft\Windows
L
L





Name   W32/Sixem-A

Type  
    * Worm

How it spreads  
    * Email attachments
    * Web downloads

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security

Prevalence (1-5) 2

Description
W32/Sixem-A is an email worm for the Windows platform.

The worm harvests email addresses from files on the infected computer 
and sends itself as an email attachment. Email sent by the worm has 
the following characteristics:

Sender (randomly chosen from):

hotnews@cnn.com
kellyjast@hotmail.com
lindasal@gmail.com
mr.robs@yahoo.com
newsreader@hotmail.com
todaynews@cnn.com

Subject line (randomly chosen from):

Soccer fans killed five teens
Crazy soccer fans
Please reply me Tomas
My tricks for you
Naked World Cup game set
My sister whores, shit i dont know

Message text (randomly chosen from):

Soccer fans killed five teens, watch what they make on photos. Please 
report on this all who know.

Crazy soccer fans killed two teens, watch what they make on photos. 
Please report on this all who know.

Halo Markus, i sent my nude pics. Please reply me with you nude 
photos ;). Best regard You Sweet Kitty

I wait you photos from New York. I sent my pics where i naked for 
you. Please reply me. Linda Salivan

Nudists are organising their own tribute to the world cup, by staging 
their own nude soccer game, though it is not clear how the teams will 
tell each other apart. Good photos ;)

Emily Carr was an artist known for her prudery, but now the Portrait 
Gallery of Canada has acquired a nude self-portrait. View photos.

Attached file (randomly chosen from):

soccer_fans.jpg.exe
soccer_pics.jpg.exe
kelly_nude_imgs.jpg.exe
linda_bigtit.gif.exe
soccer_nudist.bmp.exe
emily_selfphoto.jpg.exe

Advanced
W32/Sixem-A is an email worm for the Windows platform.

The worm harvests email addresses from files on the infected computer 
and sends itself as an email attachment. Email sent by the worm has 
the following characteristics:

Sender (randomly chosen from):

hotnews@cnn.com
kellyjast@hotmail.com
lindasal@gmail.com
mr.robs@yahoo.com
newsreader@hotmail.com
todaynews@cnn.com

Subject line (randomly chosen from):

Soccer fans killed five teens
Crazy soccer fans
Please reply me Tomas
My tricks for you
Naked World Cup game set
My sister whores, shit i dont know

Message text (randomly chosen from):

Soccer fans killed five teens, watch what they make on photos. Please 
report on this all who know.

Crazy soccer fans killed two teens, watch what they make on photos. 
Please report on this all who know.

Halo Markus, i sent my nude pics. Please reply me with you nude 
photos ;). Best regard You Sweet Kitty

I wait you photos from New York. I sent my pics where i naked for 
you. Please reply me. Linda Salivan

Nudists are organising their own tribute to the world cup, by staging 
their own nude soccer game, though it is not clear how the teams will 
tell each other apart. Good photos ;)

Emily Carr was an artist known for her prudery, but now the Portrait 
Gallery of Canada has acquired a nude self-portrait. View photos.

Attached file (randomly chosen from):

soccer_fans.jpg.exe
soccer_pics.jpg.exe
kelly_nude_imgs.jpg.exe
linda_bigtit.gif.exe
soccer_nudist.bmp.exe
emily_selfphoto.jpg.exe

When run, the worm copies itself to the Windows system folder as 
"msctools.exe" and sets the following registry entries in order to 
run each time a user logs on:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Nsdevice
"<Windows system folder>\msctools.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Nsdevice
"<Windows system folder>\msctools.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Nsdevice
"<Windows system folder>\msctools.exe"

The worm downloads an additional component (also detected as 
W32/Sixem-A) to the Windows system folder as "vmonts.exe". The 
vmonts.exe file sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
"0"

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
dword:00000001

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL
dnk

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
dword:00000000

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msverify
"<Windows system folder>\vmonts.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msverify
"<Windows system folder>\vmonts.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
msverify
"<Windows system folder>\vmonts.exe"





Name   W32/Rbot-EGJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.gen
    * W32/Sdbot.worm.gen.x

Prevalence (1-5) 2

Description
W32/Rbot-EGJ is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-EGJ spreads:

- to other network computers infected with: Troj/Kuang, Troj/Sub7, 
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), 
WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (ms04-011) 
(CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware 
(CAN-2003-1030) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-EGJ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-EGJ is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-EGJ spreads:

- to other network computers infected with: Troj/Kuang, Troj/Sub7, 
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), 
WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (ms04-011) 
(CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware 
(CAN-2003-1030) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-EGJ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-EGJ copies itself to <System>\zwdomsgemw.exe.

The following registry entries are created to run zwdomsgemw.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Recylinder Check
zwdomsgemw.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Recylinder Check
zwdomsgemw.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
Windows Recylinder Check
zwdomsgemw.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Mytob-IT

Type  
    * Worm

How it spreads  
    * Email messages

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Win32/Mytob.UB

Prevalence (1-5) 2

Description
W32/Mytob-IT is a mass-mailing worm with IRC backdoor Trojan 
functionality.

W32/Mytob-IT runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.
The worm may download further malicious code.

W32/Mytob-IT spreads by sending emails with the following 
characteristics:

From: abuse@<harvested domain>

Subject line: "Account Alert" or a randomly generated string.

Message text:

Dear Valued Member,

According to our terms of services, you will have to confirm your 
e-mail by the following link, or your account will be suspended 
within 24 hours for security reasons.

<spoofed link pointing to a copy of the worm>

After following the instructions in the sheet, your account will not 
be interrupted and will continue as normal.

Thank you for your attention to this request. We apologize for any 
inconvenience.

Sincerely, <Harvested domain> Abuse Department

Advanced
W32/Mytob-IT is a mass-mailing worm with IRC backdoor Trojan 
functionality.

W32/Mytob-IT runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.
The worm may download further malicious code.

W32/Mytob-IT spreads by sending emails with the following 
characteristics:

From: abuse@<harvested domain>

Subject line: "Account Alert" or a randomly generated string.

Message text:

Dear Valued Member,

According to our terms of services, you will have to confirm your 
e-mail by the following link, or your account will be suspended 
within 24 hours for security reasons.

<spoofed link pointing to a copy of the worm>

After following the instructions in the sheet, your account will not 
be interrupted and will continue as normal.

Thank you for your attention to this request. We apologize for any 
inconvenience.

Sincerely, <Harvested domain> Abuse Department

The worm creates the following registry entries in an attempt to run 
itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Task Manager
scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Task Manager
scvhost.exe

The following registry entry is set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
4





Name   W32/Bagle-KL

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Bagle.al

Prevalence (1-5) 2

Description
W32/Bagle-KL is an email worm for the Windows platform.

W32/Bagle-KL harvests email addresses from the infected computer and 
sends itself in an email to one address as if from another address. 
The emails sent have the following characteristics:

The subject line is one of the following:

Ales
Alice
Alyce
Andrew
Androw
Androwe
Ann
Anna
Anne
Annes
Anthonie
Anthony
Anthonye
Avice
Avis
Bennet
Bennett
Christean
Christian
Constance
Cybil
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edward
Edwarde
Elizabeth
Elizabethe
Ellen
Ellyn
Emanual
Emanuel
Emanuell
Ester
Frances
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Harry
Harrye
Henrie
Henry
Henrye
Hughe
Humphrey
Humphrie
Isabel
Isabell
James
Jane
Jeames
Jeffrey
Jeffrye
Joane
Johen
John
Josias
Judeth
Judith
Judithe
Katherine
Katheryne
Leonard
Leonarde
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Mary
Marye
Michael
Mychaell
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholaus
Nycholas
Peter
Ralph
Rebecka
Richard
Richarde
Robert
Roberte
Roger
Rose
Rycharde
Samuell
Sara
Sidney
Sindony
Stephen
Susan
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede

The message body starting one of the following, or a blank line:

To the beloved
I love you

The message body then continues with one of the following:

The password is <image file>
Password -- <image file>
Use password <image file> to open archive.
Password is <image file>
Zip password: <image file>
archive password: <image file>
Password - <image file>
Password: <image file>

The image file displays a 5 digit password.

Advanced
W32/Bagle-KL is an email worm for the Windows platform.

W32/Bagle-KL harvests email addresses from the infected computer and 
sends itself in an email to one address as if from another address. 
The emails sent have the following characteristics:

The subject line is one of the following:

Ales
Alice
Alyce
Andrew
Androw
Androwe
Ann
Anna
Anne
Annes
Anthonie
Anthony
Anthonye
Avice
Avis
Bennet
Bennett
Christean
Christian
Constance
Cybil
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edward
Edwarde
Elizabeth
Elizabethe
Ellen
Ellyn
Emanual
Emanuel
Emanuell
Ester
Frances
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Harry
Harrye
Henrie
Henry
Henrye
Hughe
Humphrey
Humphrie
Isabel
Isabell
James
Jane
Jeames
Jeffrey
Jeffrye
Joane
Johen
John
Josias
Judeth
Judith
Judithe
Katherine
Katheryne
Leonard
Leonarde
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Mary
Marye
Michael
Mychaell
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholaus
Nycholas
Peter
Ralph
Rebecka
Richard
Richarde
Robert
Roberte
Roger
Rose
Rycharde
Samuell
Sara
Sidney
Sindony
Stephen
Susan
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede

The message body starting one of the following, or a blank line:

To the beloved
I love you

The message body then continues with one of the following:

The password is <image file>
Password -- <image file>
Use password <image file> to open archive.
Password is <image file>
Zip password: <image file>
archive password: <image file>
Password - <image file>
Password: <image file>

The image file displays a 5 digit password.

Emails sent by W32/Bagle-KL invite the user to open the Zip file 
using a password

Emails sent by W32/Bagle-KL invite the user to open the Zip file 
using a password.

The main attachment is a file with a ZIP extension and a filename 
picked from one of the same list as the subject line, though it will 
not necessarily be the same name as in the subject line. This zip is 
encrypted with the password given in the image file, and when 
unzipped will be detected as W32/Bagle-KL.

W32/Bagle-KL copies itself to the file \hidn\hidn.exe and drops the 
file \hidn\m_hook.sys, also detected as W32/Bagle-KL, which it uses 
to stealth itself from certain processes.

The first time it is run, W32/Bagle-KL drops the clean file 
C:\error.gif and opens it. This is an image of the word "Error".

W32/Bagle-KL drops the file C:\temp.zip which contains an encrypted 
zip of itself.

W32/Bagle-KL attempts to download a file from a number of remote 
websites to \re_file.exe and then execute it.

W32/Bagle-KL attempts to terminate and disable a number of services 
related to security and anti-virus applications.

W32/Bagle-KL attempts to delete the following registry entry in order 
to disrupt booting into Safe Mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

W32/Bagle-KL creates the following registry entry the first time it 
is run:

HKCU\Software\FirstRuxzx
FirstRun
1





Name   W32/Bagle-KM

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer
    * Drops more malware
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Email-Worm.Win32.Bagle.fy

Prevalence (1-5) 2

Description
W32/Bagle-KM is an email worm for the Windows platform.

W32/Bagle-KM harvests email addresses from the infected computer and 
sends itself in an email to one address as if from another address. 
The emails sent have the following characteristics:

The subject line is one of the following:

Ales
Alice
Alyce
Andrew
Androw
Androwe
Ann
Anna
Anne
Annes
Anthonie
Anthony
Anthonye
Avice
Avis
Bennet
Bennett
Christean
Christian
Constance
Cybil
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edward
Edwarde
Elizabeth
Elizabethe
Ellen
Ellyn
Emanual
Emanuel
Emanuell
Ester
Frances
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Harry
Harrye
Henrie
Henry
Henrye
Hughe
Humphrey
Humphrie
Isabel
Isabell
James
Jane
Jeames
Jeffrey
Jeffrye
Joane
Johen
John
Josias
Judeth
Judith
Judithe
Katherine
Katheryne
Leonard
Leonarde
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Mary
Marye
Michael
Mychaell
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholaus
Nycholas
Peter
Ralph
Rebecka
Richard
Richarde
Robert
Roberte
Roger
Rose
Rycharde
Samuell
Sara
Sidney
Sindony
Stephen
Susan
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede

The message text starting one of the following, or a blank line:

To the beloved
I love you

The message text then continues with one of the following:

The password is <image file>
Password -- <image file>
Use password <image file> to open archive.
Password is <image file>
Zip password: <image file>
archive password: <image file>
Password - <image file>
Password: <image file>

The image file displays a 5 digit password.

The main attachment is a file with a ZIP extension and a filename 
picked from one of the same list as the subject line, though it will 
not necessarily be the same name as in the subject line. This zip is 
encrypted with the password given in the image file, and when 
unzipped will be detected as W32/Bagle-KM. This zip is encrypted with 
the password given in the image file, and when unzipped will be 
detected as W32/Bagle-KM.

Advanced
W32/Bagle-KM is an email worm for the Windows platform.

W32/Bagle-KM harvests email addresses from the infected computer and 
sends itself in an email to one address as if from another address. 
The emails sent have the following characteristics:

The subject line is one of the following:

Ales
Alice
Alyce
Andrew
Androw
Androwe
Ann
Anna
Anne
Annes
Anthonie
Anthony
Anthonye
Avice
Avis
Bennet
Bennett
Christean
Christian
Constance
Cybil
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edward
Edwarde
Elizabeth
Elizabethe
Ellen
Ellyn
Emanual
Emanuel
Emanuell
Ester
Frances
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Harry
Harrye
Henrie
Henry
Henrye
Hughe
Humphrey
Humphrie
Isabel
Isabell
James
Jane
Jeames
Jeffrey
Jeffrye
Joane
Johen
John
Josias
Judeth
Judith
Judithe
Katherine
Katheryne
Leonard
Leonarde
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Mary
Marye
Michael
Mychaell
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholaus
Nycholas
Peter
Ralph
Rebecka
Richard
Richarde
Robert
Roberte
Roger
Rose
Rycharde
Samuell
Sara
Sidney
Sindony
Stephen
Susan
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede

The message text starting one of the following, or a blank line:

To the beloved
I love you

The message text then continues with one of the following:

The password is <image file>
Password -- <image file>
Use password <image file> to open archive.
Password is <image file>
Zip password: <image file>
archive password: <image file>
Password - <image file>
Password: <image file>

The image file displays a 5 digit password.

The main attachment is a file with a ZIP extension and a filename 
picked from one of the same list as the subject line, though it will 
not necessarily be the same name as in the subject line. This zip is 
encrypted with the password given in the image file, and when 
unzipped will be detected as W32/Bagle-KM. This zip is encrypted with 
the password given in the image file, and when unzipped will be 
detected as W32/Bagle-KM.

W32/Bagle-KM copies itself to the file <Application 
Data>\hidn\hidn.exe and drops the file <Application 
Data>\hidn\m_hook.sys, detected as W32/Bagle-KL, which it uses to 
stealth itself from certain processes.

The first time it is run, W32/Bagle-KM drops the clean file 
C:\error.gif and opens it. This is an image of the word "Error".

W32/Bagle-KM drops the file C:\temp.zip which contains an encrypted 
zip of itself.

W32/Bagle-KM attempts to download a file from a number of remote 
websites to <Windows system folder>\re_file.exe and then execute it.

W32/Bagle-KM attempts to terminate and disable a number of services 
related to security and anti-virus applications.

W32/Bagle-KM attempts to delete the following registry entry in order 
to disrupt booting into Safe Mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot





Name   W32/Rbot-EHK

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.bbt
    * W32/Gaobot.worm.gen.t
    * WORM_AGOBOT.AQN

Prevalence (1-5) 2

Description
W32/Rbot-EHK is a worm with backdoor functionality For the Windows 
platform.

W32/Rbot-EHK attempts to steal confidential information and send it 
to a remote location via HTTP or email.

The information that W32/Rbot-EHK attempts to gather includes:

- keypresses (with the aid of a dropped keylogger DLL)
- computer details
- drive and volume information
- hostname and IP address
- information (including passwords and usernames) relating to 
selected applications installed on the computer, including: Miranda 
ICQ, mirabilis ICQ, The Bat!, Trillian, Windows Commander and Total 
Commander
- passwords and confidential information stored by the system in 
'Protected Storage'
- POP3 and IMAP server information, usernames and passwords
- FTP usernames and passwords
- RAS dial-up settings

W32/Rbot-EHK provides a backdoor server on a pre-configured port (the 
default is 2050). A remote intruder will be able to connect to this 
port and receive command shell access.

Advanced
W32/Rbot-EHK is a worm with backdoor functionality For the Windows 
platform.

W32/Rbot-EHK attempts to steal confidential information and send it 
to a remote location via HTTP or email.

The information that W32/Rbot-EHK attempts to gather includes:

- keypresses (with the aid of a dropped keylogger DLL)
- computer details
- drive and volume information
- hostname and IP address
- information (including passwords and usernames) relating to 
selected applications installed on the computer, including: Miranda 
ICQ, mirabilis ICQ, The Bat!, Trillian, Windows Commander and Total 
Commander
- passwords and confidential information stored by the system in 
'Protected Storage'
- POP3 and IMAP server information, usernames and passwords
- FTP usernames and passwords
- RAS dial-up settings

W32/Rbot-EHK provides a backdoor server on a pre-configured port (the 
default is 2050). A remote intruder will be able to connect to this 
port and receive command shell access.

W32/Rbot-EHK can arrive as a result of web browsing. Certain web 
pages may exploit vulnerabilities associated with Microsoft Internet 
Explorer to silently download and install/run the worm without user 
interaction.

W32/Rbot-EHK runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-EHK includes functionality to steal confidential information.

When first run W32/Rbot-EHK copies itself to <Windows system 
folder>\gamo.exe.

The following registry entries are created to run gamo.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows ASN4 Services
gamo.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows ASN4 Services
gamo.exe

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/ConHook-K

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.ConHook.aa

Prevalence (1-5) 2

Description
Troj/ConHook-K is a Trojan for the Windows platform.

Advanced
Troj/ConHook-K is a Trojan for the Windows platform.

The following registry entries are created to run code exported by 
the Trojan on startup:

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\atlS32

The Trojan is registered as a COM and Browser Help Object, creating 
the following registry entries to run itself on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<Trojan filename>
RunDll32.exe "<path to Trojan executable>,Setup"

HKCR\CLSID\(4b1d0751-cb48-4265-a975-878be45145c6)\InprocServer32
(default)
<path to Trojan executable>





Name   W32/Akbot-AA

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Agent.vc
    * BKDR_AGENT.RO

Prevalence (1-5) 2

Description
W32/Akbot-AA is a worm and IRC backdoor for the Windows platform.

The worm attempts to spread by copying itself to remote network 
shares or by exploiting common buffer overflow vulnerabilities, 
including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx).

W32/Akbot-AA connects to an IRC channel and listens for backdoor 
commands from a remote attacker. Backdoor functionality of the worm 
includes the ability to download further code and to carry out 
denial-of-service attacks.

Advanced
W32/Akbot-AA is a worm and IRC backdoor for the Windows platform.

The worm attempts to spread by copying itself to remote network 
shares or by exploiting common buffer overflow vulnerabilities, 
including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx).

W32/Akbot-AA connects to an IRC channel and listens for backdoor 
commands from a remote attacker. Backdoor functionality of the worm 
includes the ability to download further code and to carry out 
denial-of-service attacks.

When first run W32/Akbot-AA copies itself to <Windows system 
folder>\fstsvc.dll.

The following registry entry is created to run code exported by 
fstsvc.dll on
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
fstsvc
rundll32.exe <Windows system folder>\fstsvc.dll,start





Name   W32/Mytob-II

Type  
    * Worm

How it spreads  
    * Email messages

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Forges the sender's email address
    * Uses its own emailing engine

Aliases  
    * Net-Worm.Win32.Mytob.eo
    * Win32/Mytob.TY
    * W32.Mytob.QA@mm

Prevalence (1-5) 2

Description
W32/Mytob-II is a mass-mailing worm and IRC backdoor Trojan for the 
Windows platform.

Messages sent by the worm will have the following characteristics.

Subject title chosen from:

Account alert
<random characters>

Message text:

'Dear Valued Member,

According to our terms of services, you will have to confirm your 
e-mail by the following link, or your account will be suspended 
within 24 hours for security reasons.

<link to worm currently detected by Sophos as W32/Mytob-IF>

After following the instructions in the sheet, your account will not 
be interrupted and will continue as normal.

Thanks for your attention to this request. We apologize for any 
inconvenience.

Sincerely <random name> Department'

Advanced
W32/Mytob-II is a mass-mailing worm and IRC backdoor Trojan for the 
Windows platform.

W32/Mytob-II runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

The following registry entries are created to run scvhost.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Task Manager
\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Task Manager
\scvhost.exe

Messages sent by the worm will have the following characteristics.

Subject title chosen from:

Account alert
<random characters>

Message text:

'Dear Valued Member,

According to our terms of services, you will have to confirm your 
e-mail by the following link, or your account will be suspended 
within 24 hours for security reasons.

<link to worm currently detected by Sophos as W32/Mytob-IF>

After following the instructions in the sheet, your account will not 
be interrupted and will continue as normal.

Thanks for your attention to this request. We apologize for any 
inconvenience.

Sincerely <random name> Department'





Name   W32/Mytob-IF

Type  
    * Worm

How it spreads  
    * Email messages

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Mytob-IF is a worm and IRC backdoor Trojan for the Windows 
platform.

The worm connects to an IRC channel and listens for commands from a 
remote attacker. The worm may download further malicious code.

W32/Mytob-IF spreads by sending emails with the following 
characteristics:

From: abuse@<harvested domain>

Subject line: "Account Alert" or a randomly generated string.

Message text:

Dear Valued Member,

According to our terms of services, you will have to confirm your 
e-mail by the following link, or your account will be suspended 
within 24 hours for security reasons.

<spoofed link pointing to a copy of the worm>

After following the instructions in the sheet, your account will not 
be interrupted and will continue as normal.

Thanks for your attention to this request. We apologize for any 
inconvenience.

Sincerely, <Harvested domain> Abuse Department

Advanced
W32/Mytob-IF is a worm and IRC backdoor Trojan for the Windows 
platform.

The worm connects to an IRC channel and listens for commands from a 
remote attacker. The worm may download further malicious code.

W32/Mytob-IF spreads by sending emails with the following 
characteristics:

From: abuse@<harvested domain>

Subject line: "Account Alert" or a randomly generated string.

Message text:

Dear Valued Member,

According to our terms of services, you will have to confirm your 
e-mail by the following link, or your account will be suspended 
within 24 hours for security reasons.

<spoofed link pointing to a copy of the worm>

After following the instructions in the sheet, your account will not 
be interrupted and will continue as normal.

Thanks for your attention to this request. We apologize for any 
inconvenience.

Sincerely, <Harvested domain> Abuse Department

When first run W32/Mytob-IF will copy itself to the Windows system 
folder as lspool.exe and to the <temp> folder as temp.exe

The worm creates the following registry entries in an attempt to run 
itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Local Spooler
lspool.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Local Spooler
lspool.exe





Name   W32/Bagle-KN

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Forges the sender's email address
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Bagle-KN is a mass-mailing worm and downloader Trojan for the 
Windows platform.

Emails sent by the worm have the following characteristics:

The sender's email address is spoofed.

Message text chosen from:

To the beloved
I love you

And appended with any of the following strings:

archive password: <link to imagefile containing password>
The password is <link to imagefile containing password>
Password -- <link to imagefile containing password>
Use password <link to imagefile containing password> to open archive.
Password is <link to imagefile containing password>
Zip password: <link to imagefile containing password>
archive password: <link to imagefile containing password>
Password - <link to imagefile containing password>
Password: <link to imagefile containing password>

The email comes with 2 file attachments:
<random characters>.GIF
<random name>.ZIP

The file <random characters>.GIF contains a GIF image which contains 
the password to unzip the ZIP file.

The file <random name>.ZIP when unzipped contains 2 files:
<random characters>\<random characters>.dll - this file may be safely 
deleted
<random characters>.exe - detected as W32/Bagle-KN

Advanced
W32/Bagle-KN is a mass-mailing worm and downloader Trojan for the 
Windows platform.

When run W32/Bagle-KN creates the file <User>\Application 
Data\hidn\m_hook.sys. This file is also detected as W32/Bagle-KN and 
includes functionality to terminate anti-virus and system-related 
processes and to hide processes.

The file m_hook.sys is registered as a new system driver service 
named "m_hook", with a display name of "Empty" and a startup type of 
automatic, so that it is started automatically during system startup. 
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\

The following registry entry is also set:

HKCU\Software\FirstRuxzx
FirstRun
1

W32/Bagle-KN also creates the file C:\error.gif. This is a GIF file 
which is also subsequently run and can be safely deleted.

Emails sent by the worm have the following characteristics:

The sender's email address is spoofed.

Message text chosen from:

To the beloved
I love you

And appended with any of the following strings:

archive password: <link to imagefile containing password>
The password is <link to imagefile containing password>
Password -- <link to imagefile containing password>
Use password <link to imagefile containing password> to open archive.
Password is <link to imagefile containing password>
Zip password: <link to imagefile containing password>
archive password: <link to imagefile containing password>
Password - <link to imagefile containing password>
Password: <link to imagefile containing password>

The email comes with 2 file attachments:
<random characters>.GIF
<random name>.ZIP

The file <random characters>.GIF contains a GIF image which contains 
the password to unzip the ZIP file.

The file <random name>.ZIP when unzipped contains 2 files:
<random characters>\<random characters>.dll - this file may be safely 
deleted
<random characters>.exe - detected as W32/Bagle-KN

W32/Bagle-KN may also copy itself to <User>\Application 
Data\hidn\hidn1.exe and sets the following registry entry to run 
hidn1.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
drv_st_key
<path to worm executable>





Name   Troj/Zlob-OX

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Zlob.uo
    * Puper

Prevalence (1-5) 2

Description
Troj/Zlob-OX is a Trojan for the Windows platform.

Advanced
Troj/Zlob-OX is a Trojan for the Windows platform.

When Troj/Zlob-OX is installed the following file is created:
<System>\stdole3.tlb
(This file is not malicious and can be deleted.)

The following registry entry is created to run Troj/Zlob-OX on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
kernel32.dll
<pathname of the Trojan executable>





Name   W32/Rbot-EMH

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * clickspringinsta_HmWhs26R.html

Prevalence (1-5) 2

Description
W32/Rbot-EMH is a worm and IRC backdoor for the Windows platform.

W32/Rbot-EMH spreads:

to other network computers infected with: Troj/Kuang, Troj/Sub7, 
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix to other network 
computers by exploiting common buffer overflow vulnerabilities, 
including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812), WebDav 
(http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx), 
IIS5SSL 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) 
(CAN-2003-0719), UPNP 
(http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx), 
Veritas (CAN-2004-1172), Dameware (CAN-2003-1030) and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx) by 
copying itself to network shares protected by weak passwords

W32/Rbot-EMH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-EMH is a worm and IRC backdoor for the Windows platform.

W32/Rbot-EMH spreads:

to other network computers infected with: Troj/Kuang, Troj/Sub7, 
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812), WebDav 
(http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx), 
IIS5SSL 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) 
(CAN-2003-0719), UPNP 
(http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx), 
Veritas (CAN-2004-1172), Dameware (CAN-2003-1030) and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
by copying itself to network shares protected by weak passwords

W32/Rbot-EMH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-EMH copies itself to a randomly named file in 
the Windows system folder.

The following registry entries are created to run to copy on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Recycler
<random name>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Recycler
<random name>

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
Windows Recycler
<random name>

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/Dloadr-YD

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Dloadr-YD is a Trojan for the Windows platform.

Advanced
Troj/Dloadr-YD is a Trojan for the Windows platform.

When first run Troj/Dloadr-YD copies itself to:

<User>\Local Settings\Application Data\<random filename>
<System>\<random filename>

The following registry entries are created to run Troj/Dloadr-YD on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random filename>
<User>\Local Settings\Application Data\<random filename>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<System>\<random filename>





Name   W32/Sdbot-BZD

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks
    * Downloads updates
    * Monitors system activity
    * Scans network for weak passwords

Aliases  
    * Backdoor.Win32.SdBot.iz

Prevalence (1-5) 2

Description
W32/Sdbot-BZD is a worm for the Windows platform.

The worm spreads to network shares protected by weak passwords.

The worm contains a backdoor component that connects to an IRC server 
and awaits commands from remote attackers.

Advanced
W32/Sdbot-BZD is a worm for the Windows platform.

The worm spreads to network shares protected by weak passwords.

When run, the worm copies itself to the Windows system folder as 
iop.exe and sets the following registry entries in order to run each 
time a user logs on:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ioco
"<Windows system folder>\iop.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ioco
"<Windows system folder>\iop.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
ioco
"<Windows system folder>\iop.exe"

W32/Sdbot-BZD modifies the HOSTS file (typically located in <Windows 
system folder>\drivers\etc) redirecting requests for security related 
websites to alternate locations.

The worm contains a backdoor component that connects to an IRC server 
and awaits commands from remote attackers.

W32/Sdbot-BZD modifies the Windows firewall settings by creating the 
following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ 
FirewallPolicy\StandardProfile\AuthorizedApplications
List
"%windir%\system32\iop.exe:*:Enabled:@xpsp2res.dll,-22019"





Name   W32/Tilebot-FO

Type  
    * Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.SdBot.aoz

Prevalence (1-5) 2

Description
W32/Tilebot-FO is a worm with backdoor functionality for the Windows 
platform.

W32/Tilebot-FO spreads to other network computers by exploiting 
common buffer
overflow vulnerabilities, including: WKS (MS03-049) (CAN-2003-0812), 
PNP
(MS05-039) and ASN.1 (MS04-007). The worm may also spreads via 
network shares
and MSSQL servers protected by weak passwords.

W32/Tilebot-FO runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

W32/Tilebot-FO includes functionality to:

- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks

Advanced
W32/Tilebot-FO is a worm with backdoor functionality for the Windows 
platform.

W32/Tilebot-FO spreads to other network computers by exploiting 
common buffer
overflow vulnerabilities, including: WKS (MS03-049) (CAN-2003-0812), 
PNP
(MS05-039) and ASN.1 (MS04-007). The worm may also spreads via 
network shares
and MSSQL servers protected by weak passwords.

W32/Tilebot-FO runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

W32/Tilebot-FO includes functionality to:

- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks

When first run W32/Tilebot-FO copies itself to the Windows system 
folder as
netdrvr.exe.

The file netdrvr.exe is registered as a new system driver service 
named "NTDRV",
with a display name of "Network DRV" and a startup type of automatic, 
so that it
is started automatically during system startup. Registry entries are 
created
under:

HKLM\SYSTEM\CurrentControlSet\Services\NTDRV\

W32/Tilebot-FO sets the following registry entries, disabling the 
automatic
startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

Additional registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Tilebot-FP

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.aad

Prevalence (1-5) 2

Description
W32/Tilebot-FP is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-FP spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx) 
(CAN-2003-0812), PNP 
(http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx) 
and by copying itself to network shares protected by weak passwords.

W32/Tilebot-FP runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-FP includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Tilebot-FP is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-FP spreads to other network computers by exploiting 
common buffe