Tillbaka till svenska Fidonet
English   Information   Debug  
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   2064/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   33421
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33945
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41707
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13613
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16074
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3249
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13300
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
Möte VIRUS_INFO, 201 texter
 lista första sista föregående nästa
Text 126, 1354 rader
Skriven 2006-07-01 15:01:00 av KURT WISMER (1:123/140)
Ärende: News, July 1 2006
=========================
[cut-n-paste from sophos.com]

Name   WM97/Kukudro-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Prevalence (1-5) 3

Description
WM97/Kukudro-A is a Trojan dropping Word document.

WM97/Kukudro-A drops and runs a file detected by Sophos as Troj/Kuku-A.

Sophos has seen the Trojan horse spammed out in email messages with 
the following characteristics:

Subject: "worth to see", "prices", "Hi", or "Hello".

Message body:
Hello <name>

--
Regards, <name> <email address>

Where <name> and <email address> are changing.

Attached to the email is a zip file (variously called prices.zip, 
apple_prices.zip or sony_prices.zip) containing an infected Microsoft 
Word document entitled my_Notebook.doc.

The Word document secretly installs a Trojan horse onto the PC

The Word document secretly installs the Troj/Kuku-A Trojan horse onto 
the PC.





Name   Troj/Zlob-PG

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Zlob-PG is a Trojan for the Windows platform.

Advanced
Troj/Zlob-PG is a Trojan for the Windows platform.

When first run Troj/Zlob-PG copies itself to:

<User>\Local Settings\Application Data\<random filename>.exe
<System>\<random filename>.exe

The following registry entries are created to run <random 
filename>.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random filename>.exe
<User>\Local Settings\Application Data\<random filename>.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random filename>.exe
<System>\<random filename>.exe





Name   Troj/Backdr-D

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Small.ld

Prevalence (1-5) 2

Description
Troj/Backdr-D is a backdoor Trojan for the Windows platform.

Troj/Backdr-D includes functionality to silently download files from 
predefinded URLs and act as a Proxy server.

Advanced
Troj/Backdr-D is a backdoor Trojan for the Windows platform.

When Troj/Backdr-D is installed it creates the file 
<System>\svrmsg.dll.

The file svrmsg.dll is registered as a new file system driver service 
named "Ias", with a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\Ias\

Troj/Backdr-D includes functionality to silently download files from 
predefinded URLs and act as a Proxy server.





Name   W32/Bagle-KJ

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
W32/Bagle-KJ is an email worm for the Windows platform.

W32/Bagle-KJ searches an infected computer for email addresses to 
send itself
to. Emails have the following characteristsics:

Subject line: <Random name of a person>

Message text chosen from:

To the beloved
I love you

Attachment filename: <Random name of a person>

Advanced
W32/Bagle-KJ is an email worm for the Windows platform.

W32/Bagle-KJ searches an infected computer for email addresses to 
send itself
to. Emails have the following characteristsics:

Subject line: <Random name of a person>

Message text chosen from:

To the beloved
I love you

Attachment filename: <Random name of a person>

When first run, W32/Bagle-KJ copies itself to the following location:

<Current user>\Application Data\hidn\hidn2.exe

and drops a file named m_hook.sys to the same location.

The following registry entry is created in order to automatically start
W32/Bagle-KJ when an infected computer starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
drv_st_key
<Path to worm>

The file m_hook.sys is a device driver used to hide the worm on an 
infected
computer, and also attempt to terminate any security programs running 
on the
system. It is also detected as W32/Bagle-KJ.

m_hook.sys is registered as a service, creating entries under:

HKLM\SYSTEM\CurrentControlSet\Services\m_hook

W32/Bagle-KJ deletes the following registry entries, affecting the 
safe-mode
boot configurations:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network





Name   W32/Tilebot-FR

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Tilebot-FR is an IRC backdoor worm for the Windows platform.

W32/Tilebot-FR runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-FR may also attempt to spread to other computers via 
network shares protected by weak passwords, as well as by using the 
exploiting the following vulnerabilities :

LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx)
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx)
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812)
PNP (http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx)
ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)

W32/Tilebot-FR includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Tilebot-FR is an IRC backdoor worm for the Windows platform.

W32/Tilebot-FR runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-FR may also attempt to spread to other computers via 
network shares protected by weak passwords, as well as by using the 
exploiting the following vulnerabilities :

LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx)
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx)
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812)
PNP (http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx)
ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)

W32/Tilebot-FR includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Tilebot-FR copies itself to <Windows 
folder>\winlogon.exe.

The file <Windows folder>\winlogon.exe is registered as a new system 
driver service named "Windows Spooler Service", with a display name 
of "Microsoft Windows Spooler Service" and a startup type of 
automatic, so that it is started automatically during system startup. 
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Windows Spooler Service\

W32/Tilebot-FR sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   W32/Rbot-EMO

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Rbot.gen
    * W32.Spybot.Worm

Prevalence (1-5) 2

Description
W32/Rbot-EMO is a network worm with backdoor functionality for the 
Windows platform.

W32/Rbot-EMO spreads using a variety of techniques including 
exploiting weak passwords on computers and SQL servers, exploiting 
operating system vulnerabilities (including RPC-DCOM, WKS, LSASS, 
Veritas (CAN-2004-1172) and ASN.1) and using backdoors opened by 
other worms or Trojans.

W32/Rbot-EMO can be controlled by a remote attacker over IRC 
channels. The backdoor component of W32/Rbot-EMO can be instructed by 
a remote user to perform the following functions:

start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software

Advanced
W32/Rbot-EMO is a network worm with backdoor functionality for the 
Windows platform.

W32/Rbot-EMO spreads using a variety of techniques including 
exploiting weak passwords on computers and SQL servers, exploiting 
operating system vulnerabilities (including RPC-DCOM, WKS, LSASS, 
Veritas (CAN-2004-1172) and ASN.1) and using backdoors opened by 
other worms or Trojans.

W32/Rbot-EMO can be controlled by a remote attacker over IRC 
channels. The backdoor component of W32/Rbot-EMO can be instructed by 
a remote user to perform the following functions:

start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software

The worm copies itself to a file named HIMENSYST.EXE in the Windows 
system folder and creates the following registry entries:

HKCU\Software\Microsoft\OLE
Windows File Migration Wizard
"HIMENSYST.EXE"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows File Migration Wizard
"HIMENSYST.EXE"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows File Migration Wizard
"HIMENSYST.EXE"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows File Migration Wizard
"HIMENSYST.EXE"





Name   W32/Brontok-AZ

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Modifies data on the computer
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Brontok.n

Prevalence (1-5) 2

Description
W32/Brontok-AZ is a mass-mailing worm for the Windows platform.

Advanced
W32/Brontok-AZ is a mass-mailing worm for the Windows platform.

W32/Brontok-AZ sends itself to email addresses found on the infected 
computer.

Emails sent by the worm have the following characteristics:

From: angelina_ph@<recipient's domain>
or jennifer_sh@<recipient's domain>

If the recipient's address is Indonesian:

Subject: Fotoku yg Paling Cantik

Message text:

Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.

Thanks

For all other addresses:

Subject: My Best Photo

Message text:

Hi,
I want to share my photo with you.
Wishing you all the best.

Regards,

Attachment name: Photo.zip

The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat 
runs Photo.bmp. Photo.bmp is an executable (Detected by Sophos as 
Troj/Dloadr-ADW) which attempts to download and execute a copy of the 
worm from a preconfigured website. At the time of writing, this 
website is unavailable.

When installed W32/Brontok-AZ copies itself to the following files:

<User>\Local Settings\Application Data\dv<random1>\yesbron.com
<User>\Local Settings\Application Data\jalak-<random2>-bali.com
<Windows>\_default<random3>.pif
<Windows>\j<random4>.exe
<Windows>\o<random5>.exe
<Windows>\><radnom6>\ib<random7>.exe
<System>\c_32142k.com
<System>\n<random8>\b6108.exe
<System>\n<random8>\c.bron.tok.txt
<System>\n<random8>\csrss.exe
<System>\n<random8>\lsass.exe
<System>\n<random8>\services.exe
<System>\n<random8>\smss.exe
<System>\n<random8>\sv<random9>r.exe
<System>\n<random8>\winlogon.exe

where <random1> etc. are randomly-chosen numbers

Also W32/Brontok-AZ creates the following text files that may be 
safely deleted:

<System>\n<random8>\c.bron.tok.txt
\Baca Bro !!!.txt
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job

The .job files each contain a scheduled task, instructing Windows to 
execute the installed copies of the worm once per day.

W32/Brontok-AZ closes windows whose titles contain any of the 
following:

task manager
registry
command prompt
system configuration
group policy
cmd.exe
computer management
scheduled task
killbox
hijack
SYSINTERNAL
PROCESS EXP
REMOVER
CLEANER
anti
washer
ertanto
BROWNIES
movzx
killer
pcmedia
pc-media
rontok
rontox
robknot
commander
windows script
norman
norton
symantec
cillin
trendmicro
bitdef
kaspersky
avg
avira
virus
trojan
worm
mcafee
b.e
folder option
wintask
alwil
sex
porn
naked
cewe
bugil
telanjang
nod32
task view
peid
ahnlab

W32/Brontok-AZ may install a new version of the file 
<System>\msvbvm60.dll.

The following registry entries are created to run yesbron.com, 
_default<random3>.pif, j<random4>.exe and sv<random9>r.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
<random11>
<User>\Local Settings\Application Data\dv<random1>\yesbron.com

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
<random12>
<Windows>\_default<random3>.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random11>
<System>\n<random4>\sv<random9>r.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random12>
<Windows>\j<ramdom4>.exe

The following registry entries are changed to run j<random4>.exe and 
o<random5>.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\o<random5>.exe"

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\j<random4>.exe

(the default value for this registry entry is 
"<Windows>\System32\userinit.exe,").

The following registry entry is set, disabling the registry editor 
(regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Brontok
Message
Look @ "C:\Baca Bro !!!.txt"

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

Registry entries are created under:

HKCU\Software\Brontok\

W32/Brontok-AZ modifies the Windows HOST file in attempt to prevent 
access to the security-related domains.





Name   Troj/Zlob-PJ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry
    * Downloads updates

Prevalence (1-5) 2

Description
Troj/Zlob-PJ is a Trojan for the Windows platform.

The Trojan downloads and installs software from a remote site.

Advanced
Troj/Zlob-PJ is a Trojan for the Windows platform.

The Trojan downloads and installs software from a remote site.

Troj/Zlob-PJ creates the following registry entry in order to run 
each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
kernel32.dll
"<path to Trojan EXE>"





Name   Troj/LdPinc-LZ

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Monitors browser activity
    * Monitors system activity
    * Enables remote access

Aliases  
    * Trojan-Spy.Win32.Agent.kd
    * PWS-LDPinch
    * Infostealer.Ldpinch

Prevalence (1-5) 2

Description
Troj/LdPinc-LZ is a password-stealing Trojan with backdoor 
functionality.

Troj/LdPinc-LZ attempts to steal confidential information and send it 
to a remote location via HTTP or email.

Advanced
Troj/LdPinc-LZ is a password-stealing Trojan with backdoor 
functionality.

Troj/LdPinc-LZ attempts to steal confidential information and send it 
to a remote location via HTTP or email.

The information that Troj/LdPinc-LZ attempts to gather includes:

- keypresses (with the aid of a dropped keylogger DLL)
- computer details
- drive and volume information
- hostname and IP address
- information (including passwords and usernames) relating to 
selected applications installed on the computer, including: Miranda 
ICQ, mirabilis ICQ, The Bat!, Trillian, Windows Commander and Total 
Commander
- passwords and confidential information stored by the system in 
'Protected Storage'
- POP3 and IMAP server information, usernames and passwords
- FTP usernames and passwords
- RAS dial-up settings

Troj/LdPinc-LZ provides a backdoor server on a pre-configured port 
(the default is 2050). A remote intruder will be able to connect to 
this port and receive command shell access.

Troj/LdPinc-LZ can arrive as a result of web browsing. Certain web 
pages may exploit vulnerabilities associated with Microsoft Internet 
Explorer to silently download and install/run the Trojan without user 
interaction.

Troj/LdPinc-LZ includes functionality to steal confidential 
information.

When first run Troj/LdPinc-LZ copies itself to <System>\mssync20.exe 
and creates the file <System>\mssync20.sys (also detected as 
Troj/LdPinc-LZ).

The file mssync20.sys is registered as a new system driver service 
named "mssync2020", with a display name of "mssync2020" and a startup 
type of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\mssync2020\





Name   Troj/Opnis-E

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.Agent.wc

Prevalence (1-5) 2

Description
Troj/Opnis-E is a Trojan for the Windows platform.

Advanced
Troj/Opnis-E is a Trojan for the Windows platform.

When Troj/Opnis-E is installed the following files are created:

<System>\cswiz.dll
<System>\drpr449BA67F.dll
<System>\mcas449BA67F.exe
<System>\msts449BA67F.dll
<System>\shdo449BA67F.dll

These files are also detected as Troj/Opnis-E.

The following registry entries are created to run code exported by 
cswiz.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cswiz
DllName
<System>\cswiz.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cswiz
Startup
WlxStartupEvent

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cswiz
Impersonate
0





Name   Troj/Opnis-F

Type  
    * Trojan

Affected operating systems  
    * Windows

Aliases  
    * Trojan.Win32.Opnis.k

Prevalence (1-5) 2

Description
Troj/Opnis-F is a Trojan for the Windows platform.

When Troj/Opnis-F is installed it creates the file 
<System>\smwiz32.cmd. This file can be safely deleted.





Name   WM97/Kukudro-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Prevalence (1-5) 2

Description
WM97/Kukudro-B is a Trojan dropping Word document.

WM97/Kukudro-B drops and runs a file detected by Sophos as Troj/Kuku-A.





Name   Troj/DwnLdr-DFE

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Win32/TrojanDropper.Small.ALI

Prevalence (1-5) 2

Description
Troj/DwnLdr-DFE is a downloader Trojan for the Windows platform.

Troj/DwnLdr-DFE includes functionality to download, install and run 
new software.

Advanced
Troj/DwnLdr-DFE is a downloader Trojan for the Windows platform.

Troj/DwnLdr-DFE includes functionality to download, install and run 
new software.

Downloaded files have names in the format of a<random number>a.exe.

When first run Troj/DwnLdr-DFE copies itself to <Windows system 
folder>\q<random number>q.exe and creates the file <Windows system 
folder>\z<random number>z.dll.

The following registry entry is created to run the Trojan on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
tiwc
<Path to Trojan> sdcfsi





Name   WM97/Kukudr-Fam

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Aliases  
    * CME-136
    * Trojan-Dropper.MSWord.Lafool.j
    * W97M/Kukudro.c

Prevalence (1-5) 2

Description
WM97/Kukudr-Fam is a Trojan dropping Word document.

WM97/Kukudr-Fam typically drops and runs a file detected by Sophos as 
Troj/Kuku-A.





Name   Troj/Clagger-U

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Clagger-U is a Trojan for the Windows platform.

Troj/Clagger-U attempts to download further malicious code. At the 
time of writing, none of the files the Trojan attempts to download 
were available.

Troj/Clagger-U has been seen attached to emails with the following 
characteristics:

Subject line:
EBAY
eBay AG Rechnung vom 29.06.2006
eBay International AG Rechnung vom 29 Juni 2006
eBay Rechnung
eBay Rechnung vom 29 Juni 2006
eBay Rechnung vom 29.06.2006

Attached file:
Ebay-Rechnung.pdf.zip containing Ebay-Rechnung.pdf.exe

Message text:
Guten Tag,
hier ist eine Zusammenfassung der Kontoaktivitaeten seit Ihrer 
letzten Rechnung

In der beigelegten PDF Datei finden Sie die genaue Auflistung ihrer 
Rechnung
-----------------------------------------------------------------------
--------

Rechnung vom 29 Juni 2006
Abrechnungszeitraum: 1.Juni 2006 - 1.Juli 2006 PST/PDT
Fortlaufende ID:
12-EU45783499-0
AG

eBay International AG
Helvetiastrasse 15/17
3005 Bern
Schweiz

Schweizer MwSt-Nummer: 508 508
EU - Umsatzsteuer-Identifikationsnummer:
EU528009572
Firmennummer:
CH-035.3.611.950-2

eBay-Kontonummer:
E137895093697-EUR
Rechnungsnummer:
045178-1394745185820

Letzte Rechnung: |0,00
Zahlungen und Gutschriften: |0,00

Faelliger Gesamtbetrag:
||%RND_FIRST_DIGIT41,64

Zahlungsmethode
Sie sind für das Lastschriftverfahren angemeldet. Der Rechnungsbetrag
wird innerhalb der nächsten fünf bis sieben Tage von Ihrem
Bankkonto abgebucht. (Der Abbuchungsbetrag kann von Ihrem
Rechnungsbetrag abweichen, wenn Sie im Zeitraum zwischen der
Rechnungserstellung und dem Abbuchungsdatum Zahlungen geleistet oder
Gutschriften erhalten haben.)

Hinweis
Saeumnisgebuehren: Wenn Ihr eBay-Konto ueberfaellig ist faellt eine
Saeumnisgebuehr an. Um Naeheres zu diesem Thema zu erfahren, gehen
Sie bitte zu Rechnungen und Zahlungen.
(http://pages.ebay.de/help/account/payfees.html)

Mehr zum Thema eBay-Gebühren
(http://pages.ebay.de/help/sell/fees.html)

Mitteilungen

Hinweis: eBay fragt niemals per E-Mail nach vertraulichen oder
persoenlichen Daten (z.B. Kennwort, Kreditkarte, Kontonummer).
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Hilfreiche Links

Zur Beantwortung Ihrer Fragen zu Ihrem eBay-Konto benutzen Sie bitte
den folgenden Link:
http://pages.ebay.de/help/account/selling-account-overview.html

Um Ihre Mitgliedsdaten zu aktualisieren, benutzen Sie bitte den
folgenden Link:
http://cgi4.ebay.de/aw-cgi/eBayISAPI.dll?ChangeRegistrationShow

Um eBay zu kontaktieren, verwenden Sie bitte den folgenden Link:
http://pages.ebay.de/help/contact_inline/index.html

Mit freundlichen Gruessen
eBay International AG

Zusaetzliche Mitteilungen
Die oben aufgeführten Leistungen beziehen sich ausschließlich auf Ihre
Anmeldung unter www.ebay.de.

Advanced
Troj/Clagger-U is a Trojan for the Windows platform.

Troj/Clagger-U attempts to download further malicious code. At the 
time of writing, none of the files the Trojan attempts to download 
were available.

When first run Troj/Clagger-U copies itself to <System>\ipf.exe and 
creates the file <System>\drivers\winut.dat.

The following registry entry is created to run ipf.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IPF
<System>\ipf.exe

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List
<pathname of the Trojan executable>
<pathname of the Trojan executable>:*:Enabled:<Trojan filename>

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List\
<System>\ipf.exe
<System>\ipf.exe:*:Enabled:ipf

Troj/Clagger-U has been seen attached to emails with the following 
characteristics:

Subject line:
EBAY
eBay AG Rechnung vom 29.06.2006
eBay International AG Rechnung vom 29 Juni 2006
eBay Rechnung
eBay Rechnung vom 29 Juni 2006
eBay Rechnung vom 29.06.2006

Attached file:
Ebay-Rechnung.pdf.zip containing Ebay-Rechnung.pdf.exe

Message text:
Guten Tag,
hier ist eine Zusammenfassung der Kontoaktivitaeten seit Ihrer 
letzten Rechnung

In der beigelegten PDF Datei finden Sie die genaue Auflistung ihrer 
Rechnung
-----------------------------------------------------------------------
--------

Rechnung vom 29 Juni 2006
Abrechnungszeitraum: 1.Juni 2006 - 1.Juli 2006 PST/PDT
Fortlaufende ID:
12-EU45783499-0
AG

eBay International AG
Helvetiastrasse 15/17
3005 Bern
Schweiz

Schweizer MwSt-Nummer: 508 508
EU - Umsatzsteuer-Identifikationsnummer:
EU528009572
Firmennummer:
CH-035.3.611.950-2

eBay-Kontonummer:
E137895093697-EUR
Rechnungsnummer:
045178-1394745185820

Letzte Rechnung: |0,00
Zahlungen und Gutschriften: |0,00

Faelliger Gesamtbetrag:
||%RND_FIRST_DIGIT41,64

Zahlungsmethode
Sie sind für das Lastschriftverfahren angemeldet. Der Rechnungsbetrag
wird innerhalb der nächsten fünf bis sieben Tage von Ihrem
Bankkonto abgebucht. (Der Abbuchungsbetrag kann von Ihrem
Rechnungsbetrag abweichen, wenn Sie im Zeitraum zwischen der
Rechnungserstellung und dem Abbuchungsdatum Zahlungen geleistet oder
Gutschriften erhalten haben.)

Hinweis
Saeumnisgebuehren: Wenn Ihr eBay-Konto ueberfaellig ist faellt eine
Saeumnisgebuehr an. Um Naeheres zu diesem Thema zu erfahren, gehen
Sie bitte zu Rechnungen und Zahlungen.
(http://pages.ebay.de/help/account/payfees.html)

Mehr zum Thema eBay-Gebühren
(http://pages.ebay.de/help/sell/fees.html)

Mitteilungen

Hinweis: eBay fragt niemals per E-Mail nach vertraulichen oder
persoenlichen Daten (z.B. Kennwort, Kreditkarte, Kontonummer).
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Hilfreiche Links

Zur Beantwortung Ihrer Fragen zu Ihrem eBay-Konto benutzen Sie bitte
den folgenden Link:
http://pages.ebay.de/help/account/selling-account-overview.html

Um Ihre Mitgliedsdaten zu aktualisieren, benutzen Sie bitte den
folgenden Link:
http://cgi4.ebay.de/aw-cgi/eBayISAPI.dll?ChangeRegistrationShow

Um eBay zu kontaktieren, verwenden Sie bitte den folgenden Link:
http://pages.ebay.de/help/contact_inline/index.html

Mit freundlichen Gruessen
eBay International AG

Zusaetzliche Mitteilungen
Die oben aufgeführten Leistungen beziehen sich ausschließlich auf Ihre
Anmeldung unter www.ebay.de.





Name   Troj/Zlob-PH

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Zlob-PH is a Trojan for the Windows platform.

Advanced
Troj/Zlob-PH is a Trojan for the Windows platform.

When Troj/Zlob-PH is installed it creates the file 
<System>\regperf.exe and <System>\ld100.tmp (both files detected as 
Troj/Zlob-PH). The file ld100.tmp is also detected as Troj/Zlobre-Gen.

The following registry entry is created to run regperf.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
wininet.dll
regperf.exe





Name   W32/Akbot-AB

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Agent.vc
    * BKDR_AGENT.CQU

Prevalence (1-5) 2

Description
W32/Akbot-AB is a network worm and backdoor Trojan for the Windows 
platform.

W32/Akbot-AB may attempt to spread to other network computers by 
exploiting common buffer overflow vulnerabilities, including: LSASS 
(MS04-011) and ASN.1 (MS04-007).

Advanced
W32/Akbot-AB is a network worm and backdoor Trojan for the Windows 
platform.

W32/Akbot-AB may attempt to spread to other network computers by 
exploiting common buffer overflow vulnerabilities, including: LSASS 
(MS04-011) and ASN.1 (MS04-007).

When first run W32/Akbot-AB copies itself to <System>\utasvc.dll.

The following registry entry is created to run code exported by 
utasvc.dll on
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
utasvc
rundll32.exe <System>\utasvc.dll,start

W32/Akbot-AB may also modify the HOSTS file of an infected computer 
to deny access to various security related websites.





Name   W32/Cuebot-K

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.IRCBot.st
    * Win32/IRCBot.OO

Prevalence (1-5) 2

Description
W32/Cuebot-K is a instant messaging worm and backdoor for the Windows 
platform.

W32/Cuebot-K spreads via AOL Instant Messenger.

Advanced
W32/Cuebot-K is a instant messaging worm and backdoor for the Windows 
platform.

W32/Cuebot-K spreads via AOL Instant Messenger.

When first run W32/Cuebot-K copies itself to <Windows system 
folder>\wgavn.exe and creates the file <Windows 
folder>\Debug\dcpromo.log.

The file wgavn.exe is registered as a new system driver service named 
"wgavn", with a display name of "Windows Genuine Advantage Validation 
Notification" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\wgavn\

W32/Cuebot-K sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
n

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\security center\
HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\
HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)