Tillbaka till svenska Fidonet
English   Information   Debug  
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   33421
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33945
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41707
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13613
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16074
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3249
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13300
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
Möte VIRUS_INFO, 201 texter
 lista första sista föregående nästa
Text 138, 1563 rader
Skriven 2006-09-09 15:41:00 av KURT WISMER (1:123/140)
Ärende: News, September 9 2006
==============================
[cut-n-paste from sophos.com]

Name   W32/Poebot-IU

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.PoeBot.c
    * Win32/Poebot
    * W32.Linkbot

Prevalence (1-5) 2

Description
W32/Poebot-IU is a worm and IRC backdoor for the Windows platform.

W32/Poebot-IU spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), PNP (MS05-039), WKS (MS03-049) (CAN-2003-0812) 
and ASN.1 (MS04-007).

W32/Poebot-IU runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Poebot-IU is a worm and IRC backdoor for the Windows platform.

W32/Poebot-IU spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), PNP (MS05-039), WKS (MS03-049) (CAN-2003-0812) 
and ASN.1 (MS04-007).

W32/Poebot-IU runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Poebot-IU copies itself to <System>\logon.exe.

The following registry entry is created to run logon.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Logon Application
<System>\logon.exe





Name   Troj/QQPass-AFN

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Small.czl

Prevalence (1-5) 2

Description
Troj/QQPass-AFN is a Trojan for the Windows platform.

Advanced
Troj/QQPass-AFN is a Trojan for the Windows platform.

When run Troj/QQPass-AFN copies itself to <System>\mswdm.exe and 
creates the following registry to run itself on startup:

HKLM\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
CheckFaultKernel
<System>\mswdm.exe

Troj/QQPass-AFN includes functionality to keylog information.





Name   W32/Vanebot-Gen

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Rbot.bgu

Prevalence (1-5) 2

Description
W32/Vanebot-Gen is a family of worms for the Windows platform.

Vanebot worms provide backdoor Trojan functionality via IRC channels.

Vanebot worms typically spread to other network computers by 
exploiting common buffer overflow vulnerabilities, including SRVSVC 
(MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007) The worms also 
attempt to spread by copying themselves to network shares protected 
by weak passwords.

Vanebot worms run continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Vanebot-Gen is a family of worms for the Windows platform.

Vanebot worms provide backdoor Trojan functionality via IRC channels.

Vanebot worms typically spread to other network computers by 
exploiting common buffer overflow vulnerabilities, including SRVSVC 
(MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007) The worms also 
attempt to spread by copying themselves to network shares protected 
by weak passwords.

Vanebot worms run continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

A fake error message such as the following may be displayed:

Can't run on Windows
To run this file you must use an Linux emulator
Error code: (-2394)
Error discription: LLIBKCUF / File has remove his self.

Vanebot worms install themselves in the system registry in order to 
run themselves on startup and may attempt to disable the Microsoft 
Internet Connection Firewall (ICF).





Name   Troj/Bombka-L

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry
    * Displays pop-up advertising
    * Monitors browser activity

Aliases  
    * Trojan-Downloader.Win32.Bomka.o
    * AdClicker-DW
    * Win32/TrojanClicker.Bomka.NAA
    * Trojan.Adclicker
    * TROJ_BOMKA.AX

Prevalence (1-5) 2

Description
Troj/Bombka-L is a Trojan for the Windows platform.

Troj/Bombka-L is capable of spying on a user's browsing habits, 
modifying Microsoft Internet Explorer settings, harvesting email 
addresses from an infected computer, downloading further executables 
and displaying popup advertisements.

Advanced
Troj/Bombka-L is a Trojan for the Windows platform.

Troj/Bombka-L is capable of spying on a user's browsing habits, 
modifying Microsoft Internet Explorer settings, harvesting email 
addresses from an infected computer, downloading further executables 
and displaying popup advertisements.

When Troj/Bombka-L is installed it creates the file 
<System>\kaboom.dll.

The file kaboom.dll is registered as a COM object and Browser Helper 
Object (BHO) for Microsoft Internet Explorer, creating registry 
entries under:

HKCR\CLSID\(clsid)
HKCR\Interface\(clsid)
HKCR\TypeLib\(clsid)
HKCR\Kb.Intense\
HKCR\Kb.Intense.1\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\(clsid)

Registry entries may be created under the following locations:

HKLM\SOFTWARE\Microsoft\Sims\
HKLM\SOFTWARE\Microsoft\Zeal\
HKLM\SOFTWARE\Microsoft\SUW\
HKLM\SOFTWARE\Microsoft\IEAgent\





Name   Troj/Dowdec-D

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Dowdec-D is a Trojan for the Windows platform.

Troj/Dowdec-D has been seen in ZIP files attached to spam messages.

Advanced
Troj/Dowdec-D is a Trojan for the Windows platform.

When Troj/Dowdec-D is installed the following files are created:

<Temp>\gfdr.bat
<Temp>\screen.bmp
<System>\msvoid.dll

The file msvoid.dll is detected as Troj/Dowdec-Gen.

The file msvoid.dll is registered as a COM object and Browser Helper 
Object (BHO) for Microsoft Internet Explorer, creating registry 
entries under:

HKCR\CLSID\{CE37A1AC-E254-C6DE-8E3D-85387140521A}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\{CE37A1AC-E254-C6DE-8E3D-85387140521A}

Troj/Dowdec-D has been seen in ZIP files attached to spam messages.





Name   W32/VBSilly-C

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/VBSilly-C is a worm for the windows platform.

W32/VBSilly-C may periodically attempt to copy itself to the floppy 
drive.

Advanced
W32/VBSilly-C is a worm for the windows platform.

W32/VBSilly-C may periodically attempt to copy itself to the floppy 
drive.

W32/VBSilly-C may also copy itself to:

C:\Windows\SaveTheWorld.exe
D:\SaveTheWorld.exe

W32/VBSilly-C may also create an entry under the following registry 
entry to run itself on Windows startup:

HKLM\SOFTWARE\Microsoft\WINDOWS\CurrentVersion\Run





Name   W32/Narcha-A

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Narcha-A is a peer-to-peer worm for the Windows platform.

Advanced
W32/Narcha-A is a peer-to-peer worm for the Windows platform.

When run, the worm copies itself to <System>\SVCH0ST.exe and sets the 
following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Agent
<System>\SVCH0ST.exe

and

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Explorer.exe, <System>\SVCH0ST.exe
Shell

W32/Narcha-A may also set or modify the following registry entries to 
ensure it is run on startup:

HKLM\SOFTWARE\Microsoft\Windows\Currentversion\runservices
HKLM\SOFTWARE\Microsoft\Windows\Currentversion\runonceex
HKLM\SOFTWARE\Microsoft\Windows\Currentversion\runservicesonce
HKLM\SOFTWARE\Microsoft\Windows\Currentversion\runservicesonceex

HKCR\exefile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\htafile\shell\open\command
HKCR\piffile\shell\open\command

The worm also periodically copies itself to all drives on the 
infected computer with the following file names:

Backup Folder.exe
Briefcase Documets.exe
Chernobyl April 26.exe
Common Files.exe
Desktop.exe
Downloads.exe
eBooks.exe
Fine Pictures.exe
Folder.exe
Funny Jokes.exe
Game Folder.exe
Important Letters.exe
Microsoft Common Shared Files.exe
Music Folder.exe
My Documents.exe
My Shared Documents.exe
New Folder.exe
Office Documents.exe
Picture Collection.exe
Pictures.exe
PowerPoint Documents.exe
Private Pictures.exe
Project Report(s).exe
README.exe
Received Pictures.exe
Screensaver Collection.scr
Shared Documets.exe
Shared Network Folder.exe
Shortcut to Shared Folder.pif
Text Files.exe
Unread Emails.exe
Wallpapers.scr
WinAmp Files.exe
WINFOLDER.exe
Wma Files.exe
Zipped Folder.exe

The worm also copies itself to peer-to-peer application shared 
folders with the following filenames:

3000+ Sexy Girl's Full Site Access USERNAME,PASSOWRD Generator For 
Free Hot+s
Adult PACMAN 2 Game [FULL].exe
Basic emails hacking tricks.Documents.pif
Blog on LSD,Marijuana,Hashish,Drugs Making.html.exe
Britney,Madonna,Pink,girls,www.MilfHunter.com Porn 
Exposed+hot+sex+pictures.pi
Common Wallpapers.exe
CRACK.com
Default folder .exe
DivX JetAudio All Version Working Patch.exe
Downloaded eBooks.exe
Explorer.Zip.scr
FIFA_ALL_TIME_PATCH.com
Folder Locker Setup 2.01 [FULL Patched].exe
Folder.exe
FunLove.com
Funny Folder.scr
Funny Screensavers.scr
Google Earth Pro FULL Regestry Patch.exe
Hot+Fun+BeachBabes Flash Game.exe
Hottest Blog on Pornography Sex Icons [Advisory].txt.com
Internet Explorer + Mozilla Firefox Parental Adult Passsword Filter 
Remover .e
Macfee + Norton AntiVirus GoLive Regestry Patch.reg.exe
Macromedia Collection.exe
More Information.exe
MSN Hotmail Password cracker.com
Nokia,Samsung,Sony Mobile Hacks Secret unlock codes CHEATBOOK 
[FULL].msi.exe
Pictures.exe
README.com
Saddams Birthday Video [Flash Movie].exe
ScreenSaver.exe
Shared Files.exe
Shared Pictures.exe
Shortcut to Flash Games.pif
Shortcut to Music Folder.pif
Shortcut to Private Folder.pif
Shortcut to Shared Items.pif
Shortcuts to XXX FULL PASS SITES.pif
Text Files.exe
UPDATE.exe
Updated Downloads.exe
Wallpaper Collection.exe
Windows XP Secrets [README Document].com
WINFOLDER.exe
WinRAR Working Patch.exe
Winzip 10.00 + WinRAR 5.1 + WinAce 7.00 ALL in ONE Ultimate Patch 
[From CoRe]
Women's Tennis Goes Nude [Flash Game].exe
www.Amazone.com.com
www.VirtualGirl.com Serial Key Generator + Patch.exe
Yahoo Msn Password Generator.com.com





Name   W32/Tilebot-GO

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.SdBot.aad
    * W32/Sdbot.worm.gen.g

Prevalence (1-5) 2

Description
W32/Tilebot-GO is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-GO spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
SRVSVC 
(http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812), PNP 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx) 
and by copying itself to network shares protected by weak passwords.

W32/Tilebot-GO runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-GO includes functionality to access the internet and 
communicate with a remote server via HTTP. The worm may also attempt 
to scan for and terminate certain anti-virus applications.

Advanced
W32/Tilebot-GO is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-GO spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
SRVSVC 
(http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812), PNP 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx) 
and by copying itself to network shares protected by weak passwords.

W32/Tilebot-GO runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-GO includes functionality to access the internet and 
communicate with a remote server via HTTP. The worm may also attempt 
to scan for and terminate certain anti-virus applications.

When first run W32/Tilebot-GO copies itself to <Windows 
folder>\register.exe.

W32/Tilebot-GO modifies the following files, affecting the system 
file checker and command line file transfers:

<Windows system folder>\sfc_os.dll
<Windows system folder>\ftp.exe
<Windows system folder>\tftp.exe

These files should be restored from a clean system backup.

The file register.exe is registered as a new system driver service 
named "Windows Register Control", with a display name of "Windows 
Register Control" and a startup type of automatic, so that it is 
started automatically during system startup. Registry entries are 
created under:

HKLM\SYSTEM\CurrentControlSet\Services\Windows Register Control\

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d





Name   Troj/Dloadr-AMJ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Small.dqn

Prevalence (1-5) 2

Description
Troj/Dloadr-AMJ is a Trojan for the Windows platform.

Troj/Dloadr-AMJ includes functionality to download, install and run 
new software.





Name   W32/Vanebot-J

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Vanebot-J is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Vanebot-J spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme, 
PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network 
shares protected by weak passwords.

W32/Vanebot-J runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Vanebot-J is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Vanebot-J spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme, 
PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network 
shares protected by weak passwords.

W32/Vanebot-J runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Vanebot-J copies itself to <System>\glossary.exe.

The following registry entries are created to run glossary.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RBot v2 with NetAPI exploit traded with billgates I gave my mother 
Greetz - OG - Bluehell Irc Server
<System>\glossary.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RBot v2 with NetAPI exploit traded with billgates I gave my mother 
Greetz - OG - Bluehell Irc Server
<System>\glossary.exe

The following registry entries are changed to run glossary.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <System>\glossary.exe

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\glossary.exe

(the default value for this registry entry is 
"<Windows>\System32\userinit.exe,").

W32/Vanebot-J sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Stration-R

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Stration-R is a mass-mailing worm and backdoor Trojan for the 
Windows platform.

W32/Stration-R spreads by sending emails with itself as an attachment 
to email addresses harvested from the Windows Address Book (WAB). 
Emails sent by the worm have the following characteristics:

Subject line chosen from:

hello
picture
Server Report
Status
test
Good Day
Error
Mail Delivery System
Mail Transaction Failed

Message text chosen from:

'Mail transaction failed. Partial message is available.'

'The message contains Unicode characters and has been sentas a binary 
attachment.'

'The message cannot be represented in 7-bit ASCII encodingand has 
been sent as a binary attachment'

The worm is included as a file attachment. The file attachment 
filename starts with one of the following names:

body
data
doc
docs
document
file
message
readme
test
text

The filenames have a double file extension, with a large number of 
spaces between the two file extensions. For instance, a typical 
filename might be:

file.txt .exe

The second file extension is usually a format ending with the names 
.BAT, .PIF, .CMD, .EXE or .SCR.

Advanced
W32/Stration-R is a mass-mailing worm and backdoor Trojan for the 
Windows platform.

W32/Stration-R spreads by sending emails with itself as an attachment 
to email addresses harvested from the Windows Address Book (WAB). 
Emails sent by the worm have the following characteristics:

Subject line chosen from:

hello
picture
Server Report
Status
test
Good Day
Error
Mail Delivery System
Mail Transaction Failed

Message text chosen from:

'Mail transaction failed. Partial message is available.'

'The message contains Unicode characters and has been sentas a binary 
attachment.'

'The message cannot be represented in 7-bit ASCII encodingand has 
been sent as a binary attachment'

The worm is included as a file attachment. The file attachment 
filename starts with one of the following names:

body
data
doc
docs
document
file
message
readme
test
text

The filenames have a double file extension, with a large number of 
spaces between the two file extensions. For instance, a typical 
filename might be:

file.txt .exe

The second file extension is usually a format ending with the names 
.BAT, .PIF, .CMD, .EXE or .SCR.

When first run W32/Stration-R copies itself to <Windows>\rsmb.exe and 
the file <Windows>\rsmb.dll. The file <Windows>\rsmb.dll is also 
detected as W32/Stration-R.

W32/Stration-R then proceeds to open the file <Current Folder>\D.TMP 
with the Windows Notepad application.

The following registry entry is created to run W32/Stration-R on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rsmb
<Windows>\rsmb.exe s

W32/Stration-R attempts to disable processes and applications related 
to the following services:

Sygate Personal Firewall
Zone Labs ZoneAlarm
Kaspersky Anti-Virus Personal
McAfee Personal Firewall
Agnitum Outpost Firewall
Symantec Internet Security
Kerio WinRoute
Sygate Personal Firewall

The worm also interferes with the following process:

wscsvc

W32/Stration-R also includes functionality to download, install and 
run new software. The downloaded file is detected as W32/Stration-Q. 
When the downloaded file is run, the following files are created:

<Windows>\rsmbx.dll
<System>\cmut449c14b7.dll
<System>\hpzl449c14b7.exe
<System>\msji449c14b7.dll

These files are also detected as W32/Stration-R.

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
msji449c14b7.dl





Name   W32/Rbot-FMO

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.aus

Prevalence (1-5) 2

Description
W32/Rbot-FMO is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-FMO runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

W32/Rbot-FMO spreads
- to computers vulnerable to common exploits, including: WKS 
(MS03-049), MSSQL
(MS02-039), SRVSVC (MS06-040) and Realcast
- to network shares protected by weak passwords

The following patches for the operating system vulnerabilities 
exploited by the
worm can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx

Advanced
W32/Rbot-FMO is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-FMO runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

W32/Rbot-FMO spreads
- to computers vulnerable to common exploits, including: WKS 
(MS03-049), MSSQL
(MS02-039), SRVSVC (MS06-040) and Realcast
- to network shares protected by weak passwords

When first run W32/Rbot-FMO copies itself to <System>\WinIp32.exe.

The following registry entries are created to run WinIp32.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Sound Verifier
WinIp32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Sound Verifier
WinIp32.exe

W32/Rbot-FMO sets the following registry entries, disabling the 
automatic
startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft
Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
Windows Sound Verifier
WinIp32.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableRemoteConnect
N

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKCR\.key\

The following patches for the operating system vulnerabilities 
exploited by the
worm can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx





Name   W32/Rbot-FMP

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks
    * Scans network for vulnerabilities
    * Scans network for weak passwords

Aliases  
    * Backdoor.Win32.Rbot.awf
    * W32/Sdbot.UCG

Prevalence (1-5) 2

Description
W32/Rbot-FMP is a worm and IRC backdoor for the Windows platform.

W32/Rbot-FMP spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav 
(MS03-007), IIS5SSL (ms04-011) (CAN-2003-0719), UPNP (MS01-059), 
Veritas (CAN-2004-1172), Dameware (CAN-2003-1030), and ASN.1 
(MS04-007). The worm also spreads via network shares and MSSQL 
servers protected by weak passwords and using backdoors opened by 
other worms or Trojans.

W32/Rbot-FMP can be controlled by a remote attacker over IRC 
channels. The backdoor component of W32/Rbot-FMP can be instructed by 
a remote user to perform the following functions:

start an FTP server
start a Proxy server
start a web server
steal passwords
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software
terminate anti-virus and other security software

Advanced
W32/Rbot-FMP is a worm and IRC backdoor for the Windows platform.

W32/Rbot-FMP spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav 
(MS03-007), IIS5SSL (ms04-011) (CAN-2003-0719), UPNP (MS01-059), 
Veritas (CAN-2004-1172), Dameware (CAN-2003-1030), and ASN.1 
(MS04-007). The worm also spreads via network shares and MSSQL 
servers protected by weak passwords and using backdoors opened by 
other worms or Trojans.

W32/Rbot-FMP can be controlled by a remote attacker over IRC 
channels. The backdoor component of W32/Rbot-FMP can be instructed by 
a remote user to perform the following functions:

start an FTP server
start a Proxy server
start a web server
steal passwords
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software
terminate anti-virus and other security software

When first run W32/Rbot-FMP copies itself to <System>\msnmsgsm.exe.

The following registry entries are created to run msnmsgsm.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN messanger
msnmsgsm.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MSN messanger
msnmsgsm.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
MSN messanger
msnmsgsm.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Looked-M

Type  
    * Virus

How it spreads  
    * Network shares
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Steals information
    * Downloads code from the internet

Aliases  
    * Worm.Win32.Viking.y
    * W32/HLLP.Philis.at

Prevalence (1-5) 2

Description
W32/Looked-M is a virus, worm and backdoor Trojan for the Windows 
platform.

W32/Looked-M runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Looked-M includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Looked-M is a virus, worm and backdoor Trojan for the Windows 
platform.

W32/Looked-M runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Looked-M includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Looked-M copies itself to <Windows>\rundl132.exe 
and creates the following files:

<Windows>\Dll.dll

Registry entries are created under:

HKLM\SOFTWARE\Soft\DownloadWWW\





Name   Troj/Nebuler-H

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * BackDoor-CVT
    * TROJ_NEBULER.C

Prevalence (1-5) 2

Description
Troj/Nebuler-H is a Trojan for the Windows platform.

Troj/Nebuler-H gathers details relating to dialup services and sends 
collected information to a remote site via HTTP. The Trojan may 
inject code into other processes in an attempt to remain hidden.

Troj/Nebuler-H may download and run further software.

Advanced
Troj/Nebuler-H is a Trojan for the Windows platform.

Troj/Nebuler-H gathers details relating to dialup services and sends 
collected information to a remote site via HTTP. The Trojan may 
inject code into other processes in an attempt to remain hidden.

Troj/Nebuler-H may download and run further software.

When Troj/Nebuler-H is installed the following file is created:

<System>\winsis32.dll

The following registry entries are created to run code exported by 
winsis32.dll
on startup:

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\winsis32
DllName
winsis32.dll

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\winsis32
Impersonate
0

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\winsis32
Startup
EvtStartup





Name   Troj/Zapchas-U

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
Troj/Zapchas-U is a backdoor Trojan which allows a remote intruder to 
gain access and control over the computer.

Advanced
Troj/Zapchas-U is a backdoor Trojan which allows a remote intruder to 
gain access and control over the computer.

When Troj/Zapchas-U is installed the following files are created:

<Windows>\win.ini
<System>\drivers\nVIDIA\dll\control.ini
<System>\drivers\nVIDIA\dll\fullname.txt
<System>\drivers\nVIDIA\dll\hex.exe - detected as HideWindow
<System>\drivers\nVIDIA\dll\ident.ini
<System>\drivers\nVIDIA\dll\mirc.gid
<System>\drivers\nVIDIA\dll\mirc.ini
<System>\drivers\nVIDIA\dll\nicks.txt
<System>\drivers\nVIDIA\dll\regedit
<System>\drivers\nVIDIA\dll\remote.ini
<System>\drivers\nVIDIA\dll\rundll.exe - detected as Troj/Zapchas-U
<System>\drivers\nVIDIA\dll\script.ini
<System>\drivers\nVIDIA\dll\servers.txt

The following registry entry is created to run rundll.exe on startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
<System>\drivers\nVIDIA\dll\rundll.exe

The following registry entries are set or modified, so that 
rundll.exe is run when files with extensions of CHA and IRC are 
opened/launched:

HKCR\ChatFile\Shell\open\command
(default)
<System>\drivers\nVIDIA\dll\rundll.exe" -noconnect

HKCR\irc\Shell\open\command
(default)
<System>\drivers\nVIDIA\dll\rundll.exe" -noconnect

Registry entries are set as follows:

HKCR\ChatFile\DefaultIcon
(default)
<System>\drivers\nVIDIA\dll\rundll.exe

HKCR\irc\DefaultIcon
(default)
<System>\drivers\nVIDIA\dll\rundll.exe

Registry entries are created under:

HKCU\Software\Microsoft\Microsoft Agent\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\

Troj/Zapchas-U provides an uninstall option which can be accessed via 
the Add or Remove Programs dialog in the Windows Control Panel. The 
software is listed as "mIRC".





Name   Troj/QDial-AF

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.Agent.xj
    * QDial-45

Prevalence (1-5) 2

Description
Troj/QDial-AF is a Trojan for the Windows platform.

Advanced
It is likely to be installed by the download of a dropper file, which 
installs two files:

<Windows>\temp\<random>.tmp (detected as Troj/Hyder-B)
<Windows>\temp\<random>.exe (detected as Troj/QDial-AF)

The following registry entry is added to run the Trojan at startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random>.exe
<Windows>\temp\<random>.exe





Name   W32/Agobot-AHN

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Agobot.agw
    * W32/Agobot.GBC

Prevalence (1-5) 2

Description
W32/Agobot-AHN is a worm and IRC backdoor for the Windows platform.

Advanced
W32/Agobot-AHN is a worm and IRC backdoor for the Windows platform.

When first run W32/Agobot-AHN copies itself to <System>\mssvcc.exe.

The following registry entries are created to run mssvcc.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msconfig38
mssvcc.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
msconfig38
mssvcc.exe

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/DoS-AG

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Used in DOS attacks

Prevalence (1-5) 2

Description
Troj/DoS-AG is a denial-of-service Trojan for the Windows platform.

Advanced
Troj/DoS-AG is a denial-of-service Trojan for the Windows platform.

Troj/DoS-AG continually retrieves a page from a preconfigured website.





Name   Troj/Agent-CRY

Type  
    * Trojan

Affected operating systems  
    * Windows

Aliases  
    * Trojan.Win32.Agent.wd
    * Win32/Agent.WD

Prevalence (1-5) 2

Description
Troj/Agent-CRY is a Trojan for the Windows platform.

Advanced
Troj/Agent-CRY is a Trojan for the Windows platform.

When Troj/Agent-CRY is installed the following files are created:

<System>\<random>msqlc.exe
<System>\iedunper.exe
<System>\msessenger.dll
<System>\winadv.bmp

The file msessenger.dll is injected into explorer.exe, and creates 
copies of the file <random>msqlc.exe with different random characters 
prepended.

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
0

Registry entries are created under:

HKCU\Software\Callagan\





Name   W32/Setrox-A

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * WORM_SETROX.A
    * Win32/VB.ALS
    * Trojan.Win32.VB.als

Prevalence (1-5) 2

Description
W32/Setrox-A is a worm for the Windows platform.

W32/Setrox-A may spread by copying itself to local drives.

W32/Setrox-A may shut down the infected computer.

Advanced
W32/Setrox-A is a worm for the Windows platform.

W32/Setrox-A may spread by copying itself to local drives.

W32/Setrox-A may shut down the infected computer.

When W32/Setrox-A is installed the following files are created:

<root folder>\autorun.inf
<Windows system folder>\run.reg
<Windows system folder>\systemdate.ini

The worm may also copy itself to the root folder of any local drive 
as rose.exe.

The file autorun.inf is a configuration file that may automatically 
run the file rose.exe.

The file run.reg is a registry file containing the following registry 
entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
dll
C:\system32\rose.exe

The file systemdate.ini is a harmless text file.

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)