Text 133, 1603 rader
Skriven 2006-08-12 18:15:00 av KURT WISMER (1:123/140)
Ärende: News, August 12 2006
============================
[cut-n-paste from sophos.com]
Name Troj/Agent-CST
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* BackDoor-CVT
* TROJ_AGENT.CST
Prevalence (1-5) 2
Description
Troj/Agent-CST is a Trojan for the Windows platform.
Advanced
Troj/Agent-CST is a Trojan for the Windows platform.
Troj/Agent-CST is installed to the Windows system folder as
win???32.dll where ? is a random character a-z.
The following registry entries are created to run code exported by
Troj/Agent-CST on startup:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\win???32
DllName
win???32.dll
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\win???32
Impersonate
0
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\win???32
Startup
EvtStartup
Registry entries are created under:
HKCR\MezziaCodec.Chl\CLSID
HKLM\SOFTWARE\Microsoft\MSSMGR
Name Troj/DwnLdr-DPC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan.Win32.VB.arm
Prevalence (1-5) 2
Description
Troj/DwnLdr-DPC is a downloader Trojan for the Windows platform.
Advanced
Troj/DwnLdr-DPC is a downloader Trojan for the Windows platform.
When run Troj/DwnLdr-DPC copies itself to <System>\mschkdsk.ex as a
hidden, system file.
Troj/DwnLdr-DPC includes functionality to:
- download code from the internet
- change Internet Explorer settings
Troj/DwnLdr-DPC also attempts to create or change registry entries
under:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
The following registry entry is set:
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current
(default)
<Windows>\Media\start.wav
Name Troj/Goldun-DS
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Goldun.lm
Prevalence (1-5) 2
Description
Troj/Goldun-DS is a Trojan for the Windows platform.
Troj/Goldun-DS monitors browser activity in an attempt to steal
passwords when users browse to certain websites, including
www.e-gold.com. The Trojan may attempt to modify browser settings in
order to force users to re-type passwords.
Advanced
Troj/Goldun-DS is a Trojan for the Windows platform.
Troj/Goldun-DS monitors browser activity in an attempt to steal
passwords when users browse to certain websites, including
www.e-gold.com. The Trojan may attempt to modify browser settings in
order to force users to re-type passwords.
The file vmmdiag3.exe can be created in order to run the Trojan -
this file should be deleted. The following registry entry is created
in order to run the Trojan automatically on login:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe vmmdiag32.exe
(this is Explorer.exe by default)
Name W32/Brontok-BG
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Email-Worm.Win32.Brontok.o
* W32/Rontokbro.gen@MM
* Win32/Pazetus.C
* W32.Rontokbro@mm
Prevalence (1-5) 2
Description
W32/Brontok-BG is a mass-mailing worm for the Windows platform.
W32/Brontok-BG sends itself to email addresses found on the infected
computer.
Emails sent by the worm have the following characteristics:
If the recipient's address is Indonesian:
Subject: Foto Liburanku di Bali
Message text:
Halo Sobat,
Ini fotoku saat liburan di Bali.
Semoga kamu jadi ingat aku terus.
Terima kasih,
For all other addresses:
Subject: My Photo on Paris
Message text:
This photo was taken from my vacation on Paris, last week.
Wishing you always remember me.
Regards,
Attachment name: Picture.zip
The zip file contains Picture.bmp and View-Picture.bat.
View-Picture.bat runs Picture.bmp.
Picture.bmp is an executable which attempts to download and execute a
copy of the worm from a preconfigured website.
Advanced
W32/Brontok-BG is a mass-mailing worm for the Windows platform.
W32/Brontok-BG sends itself to email addresses found on the infected
computer.
Emails sent by the worm have the following characteristics:
If the recipient's address is Indonesian:
Subject: Foto Liburanku di Bali
Message text:
Halo Sobat,
Ini fotoku saat liburan di Bali.
Semoga kamu jadi ingat aku terus.
Terima kasih,
For all other addresses:
Subject: My Photo on Paris
Message text:
This photo was taken from my vacation on Paris, last week.
Wishing you always remember me.
Regards,
Attachment name: Picture.zip
The zip file contains Picture.bmp and View-Picture.bat.
View-Picture.bat runs Picture.bmp.
Picture.bmp is an executable which attempts to download and execute a
copy of the worm from a preconfigured website.
When first run W32/Brontok-BG copies itself to:
<User>\Local Settings\Application Data\dv<random>\yesbron.com
<User>\Local Settings\Application Data\jalak<random>.com
<Windows folder>\_default<random>.pif
<Windows folder>\j<random>.exe
<Windows folder>\o<random>.exe
<Windows folder>\sa<random>\ib<random>.exe
<Windows system folder>\c<random>.com
<Windows system folder>\n<random>\b<random>.exe
<Windows system folder>\n<random>\csrss.exe
<Windows system folder>\n<random>\lsass.exe
<Windows system folder>\n<random>\services.exe
<Windows system folder>\n<random>\smss.exe
<Windows system folder>\n<random>\sv<random>.exe
<Windows system folder>\n<random>\winlogon.exe
where <random> is a sequence of randomly generated numbers.
and creates the following files:
Baca Bro !!!.txt
<Windows folder>\Tasks\At1.job
<Windows folder>\Tasks\At2.job
<Windows system folder>\n5817\c.bron.tok.txt
These files can be deleted.
The .job files each contain a scheduled task, instructing Windows to
execute the installed copies of the worm once per day.
W32/Brontok-BG may install a new version of the file <Windows system
folder>\msvbvm60.dll.
The following registry entries are created to run yesbron.com,
_default<random>.pif, j<random>.exe and sv<random>.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
<random characters>
<User>\Local Settings\Application Data\dv<random>\yesbron.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
<random characters>
<Windows folder>\_default<random>.pif
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random characters>
<Windows system folder>\<random>\sv<random>.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random characters>
<Windows folder>\<random>.exe
The following registry entries are changed to run j<random>.exe and
o<random>.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows folder>\<random>.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows folder>\Explorer.exe to be run on
startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<Windows system folder>\userinit.exe,<Windows folder>\<random>.exe
(the default value for this registry entry is "<Windows
folder>\System32\userinit.exe,").
The following registry entry is set, disabling the registry editor
(regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
W32/Brontok-BG also overwrites the HOSTS file with the following
mappings:
127.0.0.19 mcafee.com
127.0.0.19 www.mcafee.com
127.0.0.19 mcafee.net
127.0.0.19 www.mcafee.net
127.0.0.19 mcafee.org
127.0.0.19 www.mcafee.org
127.0.0.19 mcafeesecurity.com
127.0.0.19 www.mcafeesecurity.com
127.0.0.19 mcafeesecurity.net
127.0.0.19 www.mcafeesecurity.net
127.0.0.19 mcafeesecurity.org
127.0.0.19 www.mcafeesecurity.org
127.0.0.19 mcafeeb2b.com
127.0.0.19 www.mcafeeb2b.com
127.0.0.19 mcafeeb2b.net
127.0.0.19 www.mcafeeb2b.net
127.0.0.19 mcafeeb2b.org
127.0.0.19 www.mcafeeb2b.org
127.0.0.19 nai.com
127.0.0.19 www.nai.com
127.0.0.19 nai.net
127.0.0.19 www.nai.net
127.0.0.19 nai.org
127.0.0.19 www.nai.org
127.0.0.19 vil.nai.com
127.0.0.19 www.vil.nai.com
127.0.0.19 vil.nai.net
127.0.0.19 www.vil.nai.net
127.0.0.19 vil.nai.org
127.0.0.19 www.vil.nai.org
127.0.0.19 grisoft.com
127.0.0.19 www.grisoft.com
127.0.0.19 grisoft.net
127.0.0.19 www.grisoft.net
127.0.0.19 grisoft.org
127.0.0.19 www.grisoft.org
127.0.0.19 kaspersky-labs.com
127.0.0.19 www.kaspersky-labs.com
127.0.0.19 kaspersky-labs.net
127.0.0.19 www.kaspersky-labs.net
127.0.0.19 kaspersky-labs.org
127.0.0.19 www.kaspersky-labs.org
127.0.0.19 kaspersky.com
127.0.0.19 www.kaspersky.com
127.0.0.19 kaspersky.net
127.0.0.19 www.kaspersky.net
127.0.0.19 kaspersky.org
127.0.0.19 www.kaspersky.org
127.0.0.19 downloads1.kaspersky-labs.com
127.0.0.19 www.downloads1.kaspersky-labs.com
127.0.0.19 downloads1.kaspersky-labs.net
127.0.0.19 www.downloads1.kaspersky-labs.net
127.0.0.19 downloads1.kaspersky-labs.org
127.0.0.19 www.downloads1.kaspersky-labs.org
127.0.0.19 downloads2.kaspersky-labs.com
127.0.0.19 www.downloads2.kaspersky-labs.com
127.0.0.19 downloads2.kaspersky-labs.net
127.0.0.19 www.downloads2.kaspersky-labs.net
127.0.0.19 downloads2.kaspersky-labs.org
127.0.0.19 www.downloads2.kaspersky-labs.org
127.0.0.19 downloads3.kaspersky-labs.com
127.0.0.19 www.downloads3.kaspersky-labs.com
127.0.0.19 downloads3.kaspersky-labs.net
127.0.0.19 www.downloads3.kaspersky-labs.net
127.0.0.19 downloads3.kaspersky-labs.org
127.0.0.19 www.downloads3.kaspersky-labs.org
127.0.0.19 downloads4.kaspersky-labs.com
127.0.0.19 www.downloads4.kaspersky-labs.com
127.0.0.19 downloads4.kaspersky-labs.net
127.0.0.19 www.downloads4.kaspersky-labs.net
127.0.0.19 downloads4.kaspersky-labs.org
127.0.0.19 www.downloads4.kaspersky-labs.org
127.0.0.19 download.mcafee.com
127.0.0.19 www.download.mcafee.com
127.0.0.19 download.mcafee.net
127.0.0.19 www.download.mcafee.net
127.0.0.19 download.mcafee.org
127.0.0.19 www.download.mcafee.org
127.0.0.19 norton.com
127.0.0.19 www.norton.com
127.0.0.19 norton.net
127.0.0.19 www.norton.net
127.0.0.19 norton.org
127.0.0.19 www.norton.org
127.0.0.19 symantec.com
127.0.0.19 www.symantec.com
127.0.0.19 symantec.net
127.0.0.19 www.symantec.net
127.0.0.19 symantec.org
127.0.0.19 www.symantec.org
127.0.0.19 liveupdate.symantecliveupdate.com
127.0.0.19 www.liveupdate.symantecliveupdate.com
127.0.0.19 liveupdate.symantecliveupdate.net
127.0.0.19 www.liveupdate.symantecliveupdate.net
127.0.0.19 liveupdate.symantecliveupdate.org
127.0.0.19 www.liveupdate.symantecliveupdate.org
127.0.0.19 liveupdate.symantec.com
127.0.0.19 www.liveupdate.symantec.com
127.0.0.19 liveupdate.symantec.net
127.0.0.19 www.liveupdate.symantec.net
127.0.0.19 liveupdate.symantec.org
127.0.0.19 www.liveupdate.symantec.org
127.0.0.19 update.symantec.com
127.0.0.19 www.update.symantec.com
127.0.0.19 update.symantec.net
127.0.0.19 www.update.symantec.net
127.0.0.19 update.symantec.org
127.0.0.19 www.update.symantec.org
127.0.0.19 securityresponse.symantec.com
127.0.0.19 www.securityresponse.symantec.com
127.0.0.19 securityresponse.symantec.net
127.0.0.19 www.securityresponse.symantec.net
127.0.0.19 securityresponse.symantec.org
127.0.0.19 www.securityresponse.symantec.org
127.0.0.19 sarc.com
127.0.0.19 www.sarc.com
127.0.0.19 sarc.net
127.0.0.19 www.sarc.net
127.0.0.19 sarc.org
127.0.0.19 www.sarc.org
127.0.0.19 vaksin.com
127.0.0.19 www.vaksin.com
127.0.0.19 vaksin.net
127.0.0.19 www.vaksin.net
127.0.0.19 vaksin.org
127.0.0.19 www.vaksin.org
127.0.0.19 forum.vaksin.com
127.0.0.19 www.forum.vaksin.com
127.0.0.19 forum.vaksin.net
127.0.0.19 www.forum.vaksin.net
127.0.0.19 forum.vaksin.org
127.0.0.19 www.forum.vaksin.org
127.0.0.19 norman.com
127.0.0.19 www.norman.com
127.0.0.19 norman.net
127.0.0.19 www.norman.net
127.0.0.19 norman.org
127.0.0.19 www.norman.org
127.0.0.19 trendmicro.com
127.0.0.19 www.trendmicro.com
127.0.0.19 trendmicro.net
127.0.0.19 www.trendmicro.net
127.0.0.19 trendmicro.org
127.0.0.19 www.trendmicro.org
127.0.0.19 trendmicro-europe.com
127.0.0.19 www.trendmicro-europe.com
127.0.0.19 trendmicro-europe.net
127.0.0.19 www.trendmicro-europe.net
127.0.0.19 trendmicro-europe.org
127.0.0.19 www.trendmicro-europe.org
127.0.0.19 ae.trendmicro-europe.com
127.0.0.19 www.ae.trendmicro-europe.com
127.0.0.19 ae.trendmicro-europe.net
127.0.0.19 www.ae.trendmicro-europe.net
127.0.0.19 ae.trendmicro-europe.org
127.0.0.19 www.ae.trendmicro-europe.org
127.0.0.19 it.trendmicro-europe.com
127.0.0.19 www.it.trendmicro-europe.com
127.0.0.19 it.trendmicro-europe.net
127.0.0.19 www.it.trendmicro-europe.net
127.0.0.19 it.trendmicro-europe.org
127.0.0.19 www.it.trendmicro-europe.org
127.0.0.19 secunia.com
127.0.0.19 www.secunia.com
127.0.0.19 secunia.net
127.0.0.19 www.secunia.net
127.0.0.19 secunia.org
127.0.0.19 www.secunia.org
127.0.0.19 winantivirus.com
127.0.0.19 www.winantivirus.com
127.0.0.19 winantivirus.net
127.0.0.19 www.winantivirus.net
127.0.0.19 winantivirus.org
127.0.0.19 www.winantivirus.org
127.0.0.19 pandasoftware.com
127.0.0.19 www.pandasoftware.com
127.0.0.19 pandasoftware.net
127.0.0.19 www.pandasoftware.net
127.0.0.19 pandasoftware.org
127.0.0.19 www.pandasoftware.org
127.0.0.19 esafe.com
127.0.0.19 www.esafe.com
127.0.0.19 esafe.net
127.0.0.19 www.esafe.net
127.0.0.19 esafe.org
127.0.0.19 www.esafe.org
127.0.0.19 f-secure.com
127.0.0.19 www.f-secure.com
127.0.0.19 f-secure.net
127.0.0.19 www.f-secure.net
127.0.0.19 f-secure.org
127.0.0.19 www.f-secure.org
127.0.0.19 europe.f-secure.com
127.0.0.19 www.europe.f-secure.com
127.0.0.19 europe.f-secure.net
127.0.0.19 www.europe.f-secure.net
127.0.0.19 europe.f-secure.org
127.0.0.19 www.europe.f-secure.org
127.0.0.19 bhs.com
127.0.0.19 www.bhs.com
127.0.0.19 bhs.net
127.0.0.19 www.bhs.net
127.0.0.19 bhs.org
127.0.0.19 www.bhs.org
127.0.0.19 datafellows.com
127.0.0.19 www.datafellows.com
127.0.0.19 datafellows.net
127.0.0.19 www.datafellows.net
127.0.0.19 datafellows.org
127.0.0.19 www.datafellows.org
127.0.0.19 cheyenne.com
127.0.0.19 www.cheyenne.com
127.0.0.19 cheyenne.net
127.0.0.19 www.cheyenne.net
127.0.0.19 cheyenne.org
127.0.0.19 www.cheyenne.org
127.0.0.19 ontrack.com
127.0.0.19 www.ontrack.com
127.0.0.19 ontrack.net
127.0.0.19 www.ontrack.net
127.0.0.19 ontrack.org
127.0.0.19 www.ontrack.org
127.0.0.19 sands.com
127.0.0.19 www.sands.com
127.0.0.19 sands.net
127.0.0.19 www.sands.net
127.0.0.19 sands.org
127.0.0.19 www.sands.org
127.0.0.19 sophos.com
127.0.0.19 www.sophos.com
127.0.0.19 sophos.net
127.0.0.19 www.sophos.net
127.0.0.19 sophos.org
127.0.0.19 www.sophos.org
127.0.0.19 icubed.com
127.0.0.19 www.icubed.com
127.0.0.19 icubed.net
127.0.0.19 www.icubed.net
127.0.0.19 icubed.org
127.0.0.19 www.icubed.org
127.0.0.19 perantivirus.com
127.0.0.19 www.perantivirus.com
127.0.0.19 perantivirus.net
127.0.0.19 www.perantivirus.net
127.0.0.19 perantivirus.org
127.0.0.19 www.perantivirus.org
127.0.0.19 castlecops.com
127.0.0.19 www.castlecops.com
127.0.0.19 castlecops.net
127.0.0.19 www.castlecops.net
127.0.0.19 castlecops.org
127.0.0.19 www.castlecops.org
127.0.0.19 virustotal.com
127.0.0.19 www.virustotal.com
127.0.0.19 virustotal.net
127.0.0.19 www.virustotal.net
127.0.0.19 virustotal.org
127.0.0.19 www.virustotal.org
127.0.0.19 free-av.com
127.0.0.19 www.free-av.com
127.0.0.19 free-av.net
127.0.0.19 www.free-av.net
127.0.0.19 free-av.org
127.0.0.19 www.free-av.org
127.0.0.19 antivirus.com
127.0.0.19 www.antivirus.com
127.0.0.19 antivirus.net
127.0.0.19 www.antivirus.net
127.0.0.19 antivirus.org
127.0.0.19 www.antivirus.org
127.0.0.19 anti-virus.com
127.0.0.19 www.anti-virus.com
127.0.0.19 anti-virus.net
127.0.0.19 www.anti-virus.net
127.0.0.19 anti-virus.org
127.0.0.19 www.anti-virus.org
127.0.0.19 ca.com
127.0.0.19 www.ca.com
127.0.0.19 ca.net
127.0.0.19 www.ca.net
127.0.0.19 ca.org
127.0.0.19 www.ca.org
127.0.0.19 fajarweb.com
127.0.0.19 www.fajarweb.com
127.0.0.19 fajarweb.net
127.0.0.19 www.fajarweb.net
127.0.0.19 fajarweb.org
127.0.0.19 www.fajarweb.org
127.0.0.19 jasakom.com
127.0.0.19 www.jasakom.com
127.0.0.19 jasakom.net
127.0.0.19 www.jasakom.net
127.0.0.19 jasakom.org
127.0.0.19 www.jasakom.org
127.0.0.19 backup.grisoft.com
127.0.0.19 www.backup.grisoft.com
127.0.0.19 backup.grisoft.net
127.0.0.19 www.backup.grisoft.net
127.0.0.19 backup.grisoft.org
127.0.0.19 www.backup.grisoft.org
127.0.0.19 infokomputer.com
127.0.0.19 www.infokomputer.com
127.0.0.19 infokomputer.net
127.0.0.19 www.infokomputer.net
127.0.0.19 infokomputer.org
127.0.0.19 www.infokomputer.org
127.0.0.19 playboy.com
127.0.0.19 www.playboy.com
127.0.0.19 playboy.net
127.0.0.19 www.playboy.net
127.0.0.19 playboy.org
127.0.0.19 www.playboy.org
127.0.0.19 sex-mission.com
127.0.0.19 www.sex-mission.com
127.0.0.19 sex-mission.net
127.0.0.19 www.sex-mission.net
127.0.0.19 sex-mission.org
127.0.0.19 www.sex-mission.org
127.0.0.19 pornstargals.com
127.0.0.19 www.pornstargals.com
127.0.0.19 pornstargals.net
127.0.0.19 www.pornstargals.net
127.0.0.19 pornstargals.org
127.0.0.19 www.pornstargals.org
127.0.0.19 kaskus.com
127.0.0.19 www.kaskus.com
127.0.0.19 kaskus.net
127.0.0.19 www.kaskus.net
127.0.0.19 kaskus.org
127.0.0.19 www.kaskus.org
127.0.0.19 17tahun.com
127.0.0.19 www.17tahun.com
127.0.0.19 17tahun.net
127.0.0.19 www.17tahun.net
127.0.0.19 17tahun.org
127.0.0.19 www.17tahun.org
Name W32/Sdbot-CNH
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Aimbot.en
Prevalence (1-5) 2
Description
W32/Sdbot-CNH is a worm and IRC backdoor for the Windows platform.
W32/Sdbot-CNH runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-CNH includes functionality to silently download, install
and run new software, including updates of its software.
Advanced
W32/Sdbot-CNH is a worm and IRC backdoor for the Windows platform.
W32/Sdbot-CNH runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-CNH includes functionality to silently download, install
and run new software, including updates of its software.
W32/Sdbot-CNH spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares
protected by weak passwords.
When first run W32/Sdbot-CNH moves itself to <WINDOWS>\win64tyt.exe.
The file win64tyt.exe is registered as a new service named
"Win32Export", with a display name of "Windows Updater" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Win32Export\
W32/Sdbot-CNH will set the following registry entries in an attempt
to circumvent Microsoft Windows security measures:
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
Name W32/Looked-F
Type
* Worm
How it spreads
* Infected files
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Worm.Win32.Viking.i
* Win32/Viking.NAB
* W32.Looked.P
* PE_LOOKED.M
Prevalence (1-5) 2
Description
W32/Looked-F is a virus and backdoor for the Windows platform.
W32/Looked-F runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-F attempts to copy itself to network shares and infect EXE
files.
W32/Looked-F includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Looked-F is a virus and backdoor for the Windows platform.
W32/Looked-F runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-F attempts to copy itself to network shares and infect EXE
files.
W32/Looked-F includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Looked-F copies itself to <Windows>\rundl132.exe
and creates the file vDll.dll.
The following registry entry is created to run rundl132.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name Troj/DelSpy-E
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Uses its own emailing engine
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/DelSpy-E is a Trojan for the Windows platform.
Troj/DelSpy-E may inject code into other processes and includes
functionality to steal passwords and email the information it steals
to a remote user. The Trojan may also include backdoor functionality,
allowing a remote user to gain a command prompt on the compromised
computer.
Advanced
Troj/DelSpy-E is a Trojan for the Windows platform.
Troj/DelSpy-E may inject code into other processes and includes
functionality to steal passwords and email the information it steals
to a remote user. The Trojan may also include backdoor functionality,
allowing a remote user to gain a command prompt on the compromised
computer.
When first run Troj/DelSpy-E copies itself to <System>\msjwer.exe and
creates the following files:
<Windows>\msjwer.dll - also detected as Troj/DelSpy-E
<System>\msjwer.hts
The following registry entry is created to run msjwer.exe on startup:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed
Components\52ED14AE-AB22-2CCA-CD3A-1AA4221E022C)
StubPath
<System>\msjwer.exe
Troj/DelSpy-E sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\srservice
Start
4
The following registry entry is set:
HKCU\Software\Adobe\GGZE
GGD
msjwer.hts
The file <System>\msjwer.hts is a text file which can safely be
deleted after the above registry entry is removed.
Name W32/Looked-G
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.Viking.r
* W32/HLLP.Philis.ao
* Win32/Viking.NAP
* PE_LOOKED.AP
Prevalence (1-5) 2
Description
W32/Looked-G is a virus and backdoor for the Windows platform.
W32/Looked-G runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-G attempts to copy itself to network shares and infect EXE
files.
W32/Looked-G includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Looked-G is a virus and backdoor for the Windows platform.
W32/Looked-G runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-G attempts to copy itself to network shares and infect EXE
files.
W32/Looked-G includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Looked-G copies itself to <Windows>\rundl132.exe
and creates the file \%CurrentFolder%\viDll.dll.
The following registry entry is created to run rundl132.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
The virus may create files named "_desktop.ini" in folders it
searches - these are harmless and can be deleted.
Name W32/Bobandy-B
Type
* Worm
How it spreads
* Email attachments
* Network shares
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Bobandy-B is a mass-mailing worm for the Windows platform.
Emails sent by W32/Bobandy-B have the following characteristics:
Subject line:
Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs
Message text:
hi please see this file
For security reasons attached file is password protected.
The password is 55132098
hey Indonesian porn
Tiara lestari pic's
For security reasons attached file is password protected.
The password is 55132098
free screen saver romance for you
Please Visit Our Web Site
For security reasons attached file is password protected.
The password is 55132098
please read again what i have written to you
For security reasons attached file is password protected.
The password is 55132098
thank's for you register, your acount details are attached
For security reasons attached file is password protected.
The password is 55132098
The attached file will take one of the following names:
MYpIC.zip
curriculum vittae.zip
USE_RAR_To_Extract.ace
ZIPPED.zip
FILEATTACH.bz2
Doc.gz
file.bz2
thisfile.gz
4TITTA'S Picture.jar
Advanced
W32/Bobandy-B is a mass-mailing worm for the Windows platform.
Emails sent by W32/Bobandy-B have the following characteristics:
Subject line:
Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs
Message text:
hi please see this file
For security reasons attached file is password protected.
The password is 55132098
hey Indonesian porn
Tiara lestari pic's
For security reasons attached file is password protected.
The password is 55132098
free screen saver romance for you
Please Visit Our Web Site
For security reasons attached file is password protected.
The password is 55132098
please read again what i have written to you
For security reasons attached file is password protected.
The password is 55132098
thank's for you register, your acount details are attached
For security reasons attached file is password protected.
The password is 55132098
The attached file will take one of the following names:
MYpIC.zip
curriculum vittae.zip
USE_RAR_To_Extract.ace
ZIPPED.zip
FILEATTACH.bz2
Doc.gz
file.bz2
thisfile.gz
4TITTA'S Picture.jar
When first run W32/Bobandy-B copies itself to:
<Startup>\sql.cmd
<User>\Templates\o<random digits>z\Tux<random characters>.exe
<User>\Templates\o<random digits>z\service.exe
<User>\Templates\o<random digits>z\winlogon.exe
<Windows>\Ti<random characters>ta.exe
<Windows>\m<random digits>\EmangEloh.exe
<Windows>\m<random digits>\Ja<random characters>bLay.com
<Windows>\m<random digits>\smss.exe
<Windows>\sa-<random digits>.exe
<System>\<random digits>l.exe
<System>\X<random digits>go\Z<random digits>cie.cmd
<Windows>\SoftwareDistribution\Download\Windows Vista setup
<Windows>\pchealth\UploadLB\Blink 182
<Windows>\ime\shared\Love Song
<Program Files>\Movie Maker\Shared\Gallery
<Windows>\Downloaded Program Files\RaHaslA
<Program Files>\Common Files\Microsoft Shared\Data DosenKu
and creates the following harmless files:
\[TheMoonlight].txt
W32/Bobandy-B creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
T
<Windows>\sa-<random digits>.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TT4
<System>\<random digits>l.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe, <User>\Templates\o<random digits>z\Tux<random
characters>.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe, <Windows>\m<random digits>\Ja<random characters>bLay.com
Registry entries are created under:
HKCU\Software\VB and VBA Program Settings\untukmu\version\
HKLM\SOFTWARE\Microsoft\TUX\Path\
HKLM\SOFTWARE\Microsoft\TUX\biang\
W32/Bobandy-B attempts to copy itself to the root folders of all
mapped drives.
W32/Bobandy-B harvests email addresses from files on the infected
computer.
Name Troj/Bancos-ATA
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
Aliases
* Trojan-Spy.Win32.Bancos.to
* Win32/Spy.Bancos.U
Prevalence (1-5) 2
Description
Troj/Bancos-ATA is a password-stealing Trojan for the Windows platform.
Troj/Bancos-ATA steals login information for certain online banking
applications.
Advanced
Troj/Bancos-ATA is a password-stealing Trojan for the Windows platform.
Troj/Bancos-ATA steals login information for certain online banking
applications.
When first run Troj/Bancos-ATA copies itself to
<System>\tasklist32.exe.
Name Troj/IRCBot-PF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/IRCBot-PF is a Trojan for the Windows platform.
Troj/IRCBot-PF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Troj/IRCBot-PF includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/IRCBot-PF is a Trojan for the Windows platform.
Troj/IRCBot-PF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Troj/IRCBot-PF includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/IRCBot-PF copies itself to <Windows
folder>\lsass.exe.
The file lsass.exe is registered as a new system driver service named
"sdk", with a display name of "Microsoft sdk core" and a startup type
of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\sdk\
Name Troj/Dloadr-ALC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Dloadr-ALC is an downloader Trojan for the Windows platform.
When installed, the Trojan includes functionality to connect to a
remote address and download a file to <Windows>\au.exe. It then
proceeds to execute the downloaded file.
The downloaded file was unavailable at the time of writing.
Name W32/Sdbot-DTM
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Scans network for vulnerabilities
* Scans network for open ports
Aliases
* Backdoor.Win32.SdBot.ato
* W32/Sdbot.UFA
Prevalence (1-5) 2
Description
W32/Sdbot-DTM is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-DTM spreads to other network computers via network shares
and by exploiting common buffer overflow vulnerabilities, including
ASN.1 (MS04-007).
W32/Sdbot-DTM runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-DTM includes functionality to access the internet and
communicate with a remote server via HTTP, to log keypresses, and to
alter firewall security settings.
Advanced
W32/Sdbot-DTM is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-DTM spreads to other network computers via network shares
and by exploiting common buffer overflow vulnerabilities, including
ASN.1 (MS04-007).
W32/Sdbot-DTM runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-DTM includes functionality to access the internet and
communicate with a remote server via HTTP, to log keypresses, and to
alter firewall security settings.
When first run W32/Sdbot-DTM copies itself to <Windows>\lsass.exe.
The file lsass.exe is registered as a new system driver service named
"sdk", with a display name of "Microsoft sdk core" and a startup type
of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\sdk\
Name W32/Brontok-BH
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Trojan.Win32.VB.aqn
Prevalence (1-5) 2
Description
W32/Brontok-BH is a worm for the Windows platform.
W32/Brontok-BH may disable file extensions, and create copies of
itself with filenames matching any of the following extensions:
MP3
MP4
MPG
MPEG
AVI
DAT
WMV
4JPG
GIF
JPEG
PNG
ASX
WMA
MDB
XLS
Advanced
W32/Brontok-BH is a worm for the Windows platform.
W32/Brontok-BH may disable file extensions, and create copies of
itself with filenames matching any of the following extensions:
MP3
MP4
MPG
MPEG
AVI
DAT
WMV
4JPG
GIF
JPEG
PNG
ASX
WMA
MDB
XLS
When first run W32/Brontok-BH copies itself to:
\4k51k4.exe
<Startup>\Empty.pif
<User>\Local Settings\Application Data\windows\csrss.exe
<User>\Local Settings\Application Data\windows\lsass.exe
<User>\Local Settings\Application Data\windows\services.exe
<User>\Local Settings\Application Data\windows\smss.exe
<User>\Local Settings\Application Data\windows\winlogon.exe
<Windows folder>\4k51k4.exe
<Windows system folder>\IExplorer.exe
<Windows system folder>\MrHelloween.scr
<Windows system folder>\shell.exe
and creates the file \Puisi.txt.
The following registry entries are created to run W32/Brontok-BH on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
4k51k4
<Windows folder>\4k51k4.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Service<user>
<User>\Local Settings\Application Data\WINDOWS\SERVICES.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logon<user>
<User>\Local Settings\Application Data\WINDOWS\CSRSS.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Monitoring
<User>\Local Settings\Application Data\WINDOWS\LSASS.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
<User>\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
The following registry entries are changed to run W32/Brontok-BH on
startup:
HKCU\Control Panel\Desktop
SCRNSAVE.EXE
<Windows system folder>\MRHELL~1.SCR
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows system folder>\IExplorer.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows folder>\Explorer.exe to be run on
startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<Windows system folder>\userinit.exe,<System>\IExplorer.exe
(the default value for this registry entry is "<Windows
folder>\System32\userinit.exe,").
The following registry entries are set or modified, so that shell.exe
is run when files with extensions of BAT, COM, EXE and PIF are
opened/launched:
HKCR\lnkfile\shell\open\command
(default)
<Windows system folder>\shell.exe" "%1" %*
HKCR\batfile\shell\open\command
(default)
<Windows system folder>\shell.exe" "%1" %*
HKCR\comfile\shell\open\command
(default)
<Windows system folder>\shell.exe" "%1" %*
HKCR\exefile\shell\open\command
(default)
<Windows system folder>\shell.exe" "%1" %*
HKCR\piffile\shell\open\command
(default)
<Windows system folder>\shell.exe" "%1" %*
The following registry entries are set, disabling the registry editor
(regedit), the Windows task manager (taskmgr), the command prompt and
system restore:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
<Windows system folder>\Shell.exe
HKCR\exefile
(default)
File Folder
Name W32/Virut-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
Aliases
* W32/Virut.a
* Virus [PE_VIRUT.A]
Prevalence (1-5) 2
Description
W32/Virut-A is a virus and IRC backdoor for the Windows platform.
W32/Virut-A will also attempt to connect to an IRC channel and thus
serves as a backdoor with which a remote attacker may compromise the
system.
Advanced
W32/Virut-A is a virus and IRC backdoor for the Windows platform.
When a file infected with W32/Virut-A is run, the virus will become
resident in memory, and will attempt to infect any executable that is
accessed by any process running on the system. W32/Virut-A will thus
spread very quickly throughout the filesystem.
W32/Virut-A will also attempt to connect to an IRC channel and thus
serves as a backdoor with which a remote attacker may compromise the
system.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|