Text 138, 1563 lines
Written 2006-09-09 15:41:00 by KURT WISMER (1:123/140)
Subject: News, September 9 2006
==============================
[cut-n-paste from sophos.com]
Name W32/Poebot-IU
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.PoeBot.c
* Win32/Poebot
* W32.Linkbot
Prevalence (1-5) 2
Description
W32/Poebot-IU is a worm and IRC backdoor for the Windows platform.
W32/Poebot-IU spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), PNP (MS05-039), WKS (MS03-049) (CAN-2003-0812)
and ASN.1 (MS04-007).
W32/Poebot-IU runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Poebot-IU is a worm and IRC backdoor for the Windows platform.
W32/Poebot-IU spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), PNP (MS05-039), WKS (MS03-049) (CAN-2003-0812)
and ASN.1 (MS04-007).
W32/Poebot-IU runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Poebot-IU copies itself to <System>\logon.exe.
The following registry entry is created to run logon.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Logon Application
<System>\logon.exe
Name Troj/QQPass-AFN
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Small.czl
Prevalence (1-5) 2
Description
Troj/QQPass-AFN is a Trojan for the Windows platform.
Advanced
Troj/QQPass-AFN is a Trojan for the Windows platform.
When run Troj/QQPass-AFN copies itself to <System>\mswdm.exe and
creates the following registry entry to run itself on startup:
HKLM\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
CheckFaultKernel
<System>\mswdm.exe
Troj/QQPass-AFN includes functionality to keylog information.
Name W32/Vanebot-Gen
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.bgu
Prevalence (1-5) 2
Description
W32/Vanebot-Gen is a family of worms for the Windows platform.
Vanebot worms provide backdoor Trojan functionality via IRC channels.
Vanebot worms typically spread to other network computers by
exploiting common buffer overflow vulnerabilities, including SRVSVC
(MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007). The worms also
attempt to spread by copying themselves to network shares protected
by weak passwords.
Vanebot worms run continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Vanebot-Gen is a family of worms for the Windows platform.
Vanebot worms provide backdoor Trojan functionality via IRC channels.
Vanebot worms typically spread to other network computers by
exploiting common buffer overflow vulnerabilities, including SRVSVC
(MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007). The worms also
attempt to spread by copying themselves to network shares protected
by weak passwords.
Vanebot worms run continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
A fake error message such as the following may be displayed:
Can't run on Windows
To run this file you must use an Linux emulator
Error code: (-2394)
Error discription: LLIBKCUF / File has remove his self.
Vanebot worms install themselves in the system registry in order to
run themselves on startup and may attempt to disable the Microsoft
Internet Connection Firewall (ICF).
Name Troj/Bombka-L
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Displays pop-up advertising
* Monitors browser activity
Aliases
* Trojan-Downloader.Win32.Bomka.o
* AdClicker-DW
* Win32/TrojanClicker.Bomka.NAA
* Trojan.Adclicker
* TROJ_BOMKA.AX
Prevalence (1-5) 2
Description
Troj/Bombka-L is a Trojan for the Windows platform.
Troj/Bombka-L is capable of spying on a user's browsing habits,
modifying Microsoft Internet Explorer settings, harvesting email
addresses from an infected computer, downloading further executables
and displaying popup advertisements.
Advanced
Troj/Bombka-L is a Trojan for the Windows platform.
Troj/Bombka-L is capable of spying on a user's browsing habits,
modifying Microsoft Internet Explorer settings, harvesting email
addresses from an infected computer, downloading further executables
and displaying popup advertisements.
When Troj/Bombka-L is installed it creates the file
<System>\kaboom.dll.
The file kaboom.dll is registered as a COM object and Browser Helper
Object (BHO) for Microsoft Internet Explorer, creating registry
entries under:
HKCR\CLSID\(clsid)
HKCR\Interface\(clsid)
HKCR\TypeLib\(clsid)
HKCR\Kb.Intense\
HKCR\Kb.Intense.1\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(clsid)
Registry entries may be created under the following locations:
HKLM\SOFTWARE\Microsoft\Sims\
HKLM\SOFTWARE\Microsoft\Zeal\
HKLM\SOFTWARE\Microsoft\SUW\
HKLM\SOFTWARE\Microsoft\IEAgent\
Name Troj/Dowdec-D
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Dowdec-D is a Trojan for the Windows platform.
Troj/Dowdec-D has been seen in ZIP files attached to spam messages.
Advanced
Troj/Dowdec-D is a Trojan for the Windows platform.
When Troj/Dowdec-D is installed the following files are created:
<Temp>\gfdr.bat
<Temp>\screen.bmp
<System>\msvoid.dll
The file msvoid.dll is detected as Troj/Dowdec-Gen.
The file msvoid.dll is registered as a COM object and Browser Helper
Object (BHO) for Microsoft Internet Explorer, creating registry
entries under:
HKCR\CLSID\{CE37A1AC-E254-C6DE-8E3D-85387140521A}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE37A1AC-E254-C6DE-8E3D-85387140521A}
Troj/Dowdec-D has been seen in ZIP files attached to spam messages.
Name W32/VBSilly-C
Type
* Worm
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/VBSilly-C is a worm for the Windows platform.
W32/VBSilly-C may periodically attempt to copy itself to the floppy
drive.
Advanced
W32/VBSilly-C is a worm for the Windows platform.
W32/VBSilly-C may periodically attempt to copy itself to the floppy
drive.
W32/VBSilly-C may also copy itself to:
C:\Windows\SaveTheWorld.exe
D:\SaveTheWorld.exe
W32/VBSilly-C may also create an entry under the following registry
entry to run itself on Windows startup:
HKLM\SOFTWARE\Microsoft\WINDOWS\CurrentVersion\Run
Name W32/Narcha-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Narcha-A is a peer-to-peer worm for the Windows platform.
Advanced
W32/Narcha-A is a peer-to-peer worm for the Windows platform.
When run, the worm copies itself to <System>\SVCH0ST.exe and sets the
following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Agent
<System>\SVCH0ST.exe
and
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe, <System>\SVCH0ST.exe
W32/Narcha-A may also set or modify the following registry entries to
ensure it is run on startup:
HKLM\SOFTWARE\Microsoft\Windows\Currentversion\runservices
HKLM\SOFTWARE\Microsoft\Windows\Currentversion\runonceex
HKLM\SOFTWARE\Microsoft\Windows\Currentversion\runservicesonce
HKLM\SOFTWARE\Microsoft\Windows\Currentversion\runservicesonceex
HKCR\exefile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\htafile\shell\open\command
HKCR\piffile\shell\open\command
The worm also periodically copies itself to all drives on the
infected computer with the following file names:
Backup Folder.exe
Briefcase Documets.exe
Chernobyl April 26.exe
Common Files.exe
Desktop.exe
Downloads.exe
eBooks.exe
Fine Pictures.exe
Folder.exe
Funny Jokes.exe
Game Folder.exe
Important Letters.exe
Microsoft Common Shared Files.exe
Music Folder.exe
My Documents.exe
My Shared Documents.exe
New Folder.exe
Office Documents.exe
Picture Collection.exe
Pictures.exe
PowerPoint Documents.exe
Private Pictures.exe
Project Report(s).exe
README.exe
Received Pictures.exe
Screensaver Collection.scr
Shared Documets.exe
Shared Network Folder.exe
Shortcut to Shared Folder.pif
Text Files.exe
Unread Emails.exe
Wallpapers.scr
WinAmp Files.exe
WINFOLDER.exe
Wma Files.exe
Zipped Folder.exe
The worm also copies itself to peer-to-peer application shared
folders with the following filenames:
3000+ Sexy Girl's Full Site Access USERNAME,PASSOWRD Generator For
Free Hot+s
Adult PACMAN 2 Game [FULL].exe
Basic emails hacking tricks.Documents.pif
Blog on LSD,Marijuana,Hashish,Drugs Making.html.exe
Britney,Madonna,Pink,girls,www.MilfHunter.com Porn
Exposed+hot+sex+pictures.pi
Common Wallpapers.exe
CRACK.com
Default folder .exe
DivX JetAudio All Version Working Patch.exe
Downloaded eBooks.exe
Explorer.Zip.scr
FIFA_ALL_TIME_PATCH.com
Folder Locker Setup 2.01 [FULL Patched].exe
Folder.exe
FunLove.com
Funny Folder.scr
Funny Screensavers.scr
Google Earth Pro FULL Regestry Patch.exe
Hot+Fun+BeachBabes Flash Game.exe
Hottest Blog on Pornography Sex Icons [Advisory].txt.com
Internet Explorer + Mozilla Firefox Parental Adult Passsword Filter
Remover .e
Macfee + Norton AntiVirus GoLive Regestry Patch.reg.exe
Macromedia Collection.exe
More Information.exe
MSN Hotmail Password cracker.com
Nokia,Samsung,Sony Mobile Hacks Secret unlock codes CHEATBOOK
[FULL].msi.exe
Pictures.exe
README.com
Saddams Birthday Video [Flash Movie].exe
ScreenSaver.exe
Shared Files.exe
Shared Pictures.exe
Shortcut to Flash Games.pif
Shortcut to Music Folder.pif
Shortcut to Private Folder.pif
Shortcut to Shared Items.pif
Shortcuts to XXX FULL PASS SITES.pif
Text Files.exe
UPDATE.exe
Updated Downloads.exe
Wallpaper Collection.exe
Windows XP Secrets [README Document].com
WINFOLDER.exe
WinRAR Working Patch.exe
Winzip 10.00 + WinRAR 5.1 + WinAce 7.00 ALL in ONE Ultimate Patch
[From CoRe]
Women's Tennis Goes Nude [Flash Game].exe
www.Amazone.com.com
www.VirtualGirl.com Serial Key Generator + Patch.exe
Yahoo Msn Password Generator.com.com
Name W32/Tilebot-GO
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.SdBot.aad
* W32/Sdbot.worm.gen.g
Prevalence (1-5) 2
Description
W32/Tilebot-GO is a worm and IRC backdoor for the Windows platform.
W32/Tilebot-GO spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx),
SRVSVC
(http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx),
RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx),
WKS
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx)
(CAN-2003-0812), PNP
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx)
and ASN.1
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
and by copying itself to network shares protected by weak passwords.
W32/Tilebot-GO runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-GO includes functionality to access the internet and
communicate with a remote server via HTTP. The worm may also attempt
to scan for and terminate certain anti-virus applications.
Advanced
W32/Tilebot-GO is a worm and IRC backdoor for the Windows platform.
W32/Tilebot-GO spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx),
SRVSVC
(http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx),
RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx),
WKS
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx)
(CAN-2003-0812), PNP
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx)
and ASN.1
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
and by copying itself to network shares protected by weak passwords.
W32/Tilebot-GO runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-GO includes functionality to access the internet and
communicate with a remote server via HTTP. The worm may also attempt
to scan for and terminate certain anti-virus applications.
When first run W32/Tilebot-GO copies itself to <Windows folder>\register.exe.
W32/Tilebot-GO modifies the following files, affecting the system
file checker and command line file transfers:
<Windows system folder>\sfc_os.dll
<Windows system folder>\ftp.exe
<Windows system folder>\tftp.exe
These files should be restored from a clean system backup.
The file register.exe is registered as a new system driver service
named "Windows Register Control", with a display name of "Windows
Register Control" and a startup type of automatic, so that it is
started automatically during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows Register Control\
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
Name Troj/Dloadr-AMJ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Small.dqn
Prevalence (1-5) 2
Description
Troj/Dloadr-AMJ is a Trojan for the Windows platform.
Troj/Dloadr-AMJ includes functionality to download, install and run
new software.
Name W32/Vanebot-J
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Vanebot-J is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Vanebot-J spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme,
PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network
shares protected by weak passwords.
W32/Vanebot-J runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Vanebot-J is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Vanebot-J spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme,
PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network
shares protected by weak passwords.
W32/Vanebot-J runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Vanebot-J copies itself to <System>\glossary.exe.
The following registry entries are created to run glossary.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RBot v2 with NetAPI exploit traded with billgates I gave my mother
Greetz - OG - Bluehell Irc Server
<System>\glossary.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RBot v2 with NetAPI exploit traded with billgates I gave my mother
Greetz - OG - Bluehell Irc Server
<System>\glossary.exe
The following registry entries are changed to run glossary.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <System>\glossary.exe
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\glossary.exe
(the default value for this registry entry is
"<Windows>\System32\userinit.exe,").
W32/Vanebot-J sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Stration-R
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Stration-R is a mass-mailing worm and backdoor Trojan for the
Windows platform.
W32/Stration-R spreads by sending emails with itself as an attachment
to email addresses harvested from the Windows Address Book (WAB).
Emails sent by the worm have the following characteristics:
Subject line chosen from:
hello
picture
Server Report
Status
test
Good Day
Error
Mail Delivery System
Mail Transaction Failed
Message text chosen from:
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sentas a binary
attachment.'
'The message cannot be represented in 7-bit ASCII encodingand has
been sent as a binary attachment'
The worm is included as a file attachment. The file attachment
filename starts with one of the following names:
body
data
doc
docs
document
file
message
readme
test
text
The filenames have a double file extension, with a large number of
spaces between the two file extensions. For instance, a typical
filename might be:
file.txt .exe
The second file extension is usually a format ending with the names
.BAT, .PIF, .CMD, .EXE or .SCR.
Advanced
W32/Stration-R is a mass-mailing worm and backdoor Trojan for the
Windows platform.
W32/Stration-R spreads by sending emails with itself as an attachment
to email addresses harvested from the Windows Address Book (WAB).
Emails sent by the worm have the following characteristics:
Subject line chosen from:
hello
picture
Server Report
Status
test
Good Day
Error
Mail Delivery System
Mail Transaction Failed
Message text chosen from:
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sentas a binary
attachment.'
'The message cannot be represented in 7-bit ASCII encodingand has
been sent as a binary attachment'
The worm is included as a file attachment. The file attachment
filename starts with one of the following names:
body
data
doc
docs
document
file
message
readme
test
text
The filenames have a double file extension, with a large number of
spaces between the two file extensions. For instance, a typical
filename might be:
file.txt .exe
The second file extension is usually a format ending with the names
.BAT, .PIF, .CMD, .EXE or .SCR.
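The padded double-extension attachment names described above can be checked mechanically at a mail gateway or in a triage script. The Python below is an added example written for this page, not Sophos code and not part of the original post: the lure prefixes and trailing extensions are the ones the description lists, the sample names are constructed, and the three verdict labels are this example's own convention.

```python
import re
from dataclasses import dataclass

# Lure prefixes and trailing extensions taken from the W32/Stration-R
# description above.
LURE_PREFIXES = ("body", "data", "doc", "docs", "document", "file",
                 "message", "readme", "test", "text")
EXECUTABLE_EXTS = {".bat", ".pif", ".cmd", ".exe", ".scr"}

# A short trailing extension; the whitespace run before it is the padding
# the worm inserts so that the real extension scrolls out of view.
_EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,4})$")


@dataclass
class AttachmentVerdict:
    filename: str
    visible_ext: str    # extension a user sees before the padding, e.g. ".txt"
    real_ext: str       # extension Windows actually honours, e.g. ".exe"
    padded: bool        # whitespace between the two extensions
    executable: bool    # real extension is one Windows will execute
    lure_prefix: bool   # base name starts with one of the listed words
    verdict: str        # "block", "review" or "allow" (this example's labels)


def classify_attachment(filename: str) -> AttachmentVerdict:
    """Inspect an attachment filename for the padded double-extension trick."""
    name = filename.rstrip()            # trailing whitespace is never significant
    m = _EXT_RE.search(name)
    real_ext = "." + m.group(1).lower() if m else ""
    stem = name[:m.start()] if m else name
    padded = stem != stem.rstrip()      # spaces/tabs right before the real extension
    inner = stem.rstrip()
    m2 = _EXT_RE.search(inner)
    visible_ext = "." + m2.group(1).lower() if m2 else ""
    base = inner[:m2.start()] if m2 else inner
    executable = real_ext in EXECUTABLE_EXTS
    if executable and (padded or visible_ext):
        verdict = "block"               # disguised executable: file.txt <spaces>.exe
    elif executable:
        verdict = "review"              # plain executable attachment
    else:
        verdict = "allow"
    return AttachmentVerdict(filename, visible_ext, real_ext, padded, executable,
                             base.lower().startswith(LURE_PREFIXES), verdict)


# Constructed sample names: one shaped like the worm's attachment, two benign ones.
SAMPLE_NAMES = ["file.txt                    .exe", "report.pdf", "readme.exe"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        v = classify_attachment(n)
        print(f"{v.verdict:6} {n!r} visible={v.visible_ext or '-'} "
              f"real={v.real_ext or '-'} padded={v.padded}")
```

The check deliberately decides on the last extension after all whitespace has been accounted for, which is what Windows does when it picks the handler; a filter that looks only at the first dot, or that collapses the name for display before inspecting it, lets the padded form through.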
When first run W32/Stration-R copies itself to <Windows>\rsmb.exe and
the file <Windows>\rsmb.dll. The file <Windows>\rsmb.dll is also
detected as W32/Stration-R.
W32/Stration-R then proceeds to open the file <Current Folder>\D.TMP
with the Windows Notepad application.
The following registry entry is created to run W32/Stration-R on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rsmb
<Windows>\rsmb.exe s
W32/Stration-R attempts to disable processes and applications related
to the following services:
Sygate Personal Firewall
Zone Labs ZoneAlarm
Kaspersky Anti-Virus Personal
McAfee Personal Firewall
Agnitum Outpost Firewall
Symantec Internet Security
Kerio WinRoute
Sygate Personal Firewall
The worm also interferes with the following process:
wscsvc
W32/Stration-R also includes functionality to download, install and
run new software. The downloaded file is detected as W32/Stration-Q.
When the downloaded file is run, the following files are created:
<Windows>\rsmbx.dll
<System>\cmut449c14b7.dll
<System>\hpzl449c14b7.exe
<System>\msji449c14b7.dll
These files are also detected as W32/Stration-R.
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
msji449c14b7.dl
Name W32/Rbot-FMO
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.aus
Prevalence (1-5) 2
Description
W32/Rbot-FMO is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-FMO runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-FMO spreads:
- to computers vulnerable to common exploits, including: WKS
(MS03-049), MSSQL (MS02-039), SRVSVC (MS06-040) and Realcast
- to network shares protected by weak passwords
The following patches for the operating system vulnerabilities
exploited by the worm can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
Advanced
W32/Rbot-FMO is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-FMO runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-FMO spreads:
- to computers vulnerable to common exploits, including: WKS
(MS03-049), MSSQL (MS02-039), SRVSVC (MS06-040) and Realcast
- to network shares protected by weak passwords
When first run W32/Rbot-FMO copies itself to <System>\WinIp32.exe.
The following registry entries are created to run WinIp32.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Sound Verifier
WinIp32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Sound Verifier
WinIp32.exe
W32/Rbot-FMO sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
Windows Sound Verifier
WinIp32.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableRemoteConnect
N
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKCR\.key\
The following patches for the operating system vulnerabilities
exploited by the worm can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
Name W32/Rbot-FMP
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Scans network for vulnerabilities
* Scans network for weak passwords
Aliases
* Backdoor.Win32.Rbot.awf
* W32/Sdbot.UCG
Prevalence (1-5) 2
Description
W32/Rbot-FMP is a worm and IRC backdoor for the Windows platform.
W32/Rbot-FMP spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav
(MS03-007), IIS5SSL (ms04-011) (CAN-2003-0719), UPNP (MS01-059),
Veritas (CAN-2004-1172), Dameware (CAN-2003-1030), and ASN.1
(MS04-007). The worm also spreads via network shares and MSSQL
servers protected by weak passwords and using backdoors opened by
other worms or Trojans.
W32/Rbot-FMP can be controlled by a remote attacker over IRC
channels. The backdoor component of W32/Rbot-FMP can be instructed by
a remote user to perform the following functions:
start an FTP server
start a Proxy server
start a web server
steal passwords
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software
terminate anti-virus and other security software
Advanced
W32/Rbot-FMP is a worm and IRC backdoor for the Windows platform.
W32/Rbot-FMP spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav
(MS03-007), IIS5SSL (ms04-011) (CAN-2003-0719), UPNP (MS01-059),
Veritas (CAN-2004-1172), Dameware (CAN-2003-1030), and ASN.1
(MS04-007). The worm also spreads via network shares and MSSQL
servers protected by weak passwords and using backdoors opened by
other worms or Trojans.
W32/Rbot-FMP can be controlled by a remote attacker over IRC
channels. The backdoor component of W32/Rbot-FMP can be instructed by
a remote user to perform the following functions:
start an FTP server
start a Proxy server
start a web server
steal passwords
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software
terminate anti-virus and other security software
When first run W32/Rbot-FMP copies itself to <System>\msnmsgsm.exe.
The following registry entries are created to run msnmsgsm.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN messanger
msnmsgsm.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MSN messanger
msnmsgsm.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
MSN messanger
msnmsgsm.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Looked-M
Type
* Virus
How it spreads
* Network shares
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Downloads code from the internet
Aliases
* Worm.Win32.Viking.y
* W32/HLLP.Philis.at
Prevalence (1-5) 2
Description
W32/Looked-M is a virus, worm and backdoor Trojan for the Windows
platform.
W32/Looked-M runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-M includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Looked-M is a virus, worm and backdoor Trojan for the Windows
platform.
W32/Looked-M runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-M includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Looked-M copies itself to <Windows>\rundl132.exe
and creates the following files:
<Windows>\Dll.dll
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name Troj/Nebuler-H
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* BackDoor-CVT
* TROJ_NEBULER.C
Prevalence (1-5) 2
Description
Troj/Nebuler-H is a Trojan for the Windows platform.
Troj/Nebuler-H gathers details relating to dialup services and sends
collected information to a remote site via HTTP. The Trojan may
inject code into other processes in an attempt to remain hidden.
Troj/Nebuler-H may download and run further software.
Advanced
Troj/Nebuler-H is a Trojan for the Windows platform.
Troj/Nebuler-H gathers details relating to dialup services and sends
collected information to a remote site via HTTP. The Trojan may
inject code into other processes in an attempt to remain hidden.
Troj/Nebuler-H may download and run further software.
When Troj/Nebuler-H is installed the following file is created:
<System>\winsis32.dll
The following registry entries are created to run code exported by
winsis32.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winsis32
DllName
winsis32.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winsis32
Impersonate
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winsis32
Startup
EvtStartup
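Most of the entries above persist, or weaken the host, through a small set of registry locations: the Run/RunServices keys (Poebot-IU, Rbot-FMO, Rbot-FMP, Agobot-AHN), the Winlogon Shell and Userinit values (Narcha-A, Vanebot-J), SFCDisable (Tilebot-GO), Start=4 on SharedAccess and wuauserv (Vanebot-J, Rbot-FMO), AppInit_DLLs (Stration-R), Winlogon\Notify (Nebuler-H) and the exefile/comfile/batfile/piffile open commands (Narcha-A). The Python below is an added example written for this page, not Sophos code: it parses a regedit 5.00 export (single-line values only; multi-line hex values are not handled) and reports those changes against the defaults the entries state. The embedded export is constructed from file names the entries name; example_hook.dll is a placeholder, and the rule names are this example's own.

```python
import re

# Constructed regedit 5.00 export, built for this example from the paths the
# entries above name (logon.exe, glossary.exe, winsis32.dll, SVCH0ST.exe);
# "example_hook.dll" is a placeholder, not a value from any real sample.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Application"="C:\\WINDOWS\\system32\\logon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\glossary.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\glossary.exe"
"SFCDisable"=dword:ffffff9d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="example_hook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winsis32]
"DllName"="winsis32.dll"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\SVCH0ST.exe \"%1\" %*"
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# Autostart keys named across the entries above, under both hives.
AUTOSTART_KEYS = [hive + "\\Software\\Microsoft\\Windows\\CurrentVersion\\" + sub
                  for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
                  for sub in ("Run", "RunOnce", "RunOnceEx", "RunServices",
                              "RunServicesOnce", "RunServicesOnceEx",
                              "Policies\\Explorer\\Run")]
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)      # \\ -> \ and \" -> " in .reg strings


def parse_reg(text):
    """Parse a regedit 5.00 export into {key_lower: {value_name_lower: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()      # registry names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = _unescape(m.group(1)).lower() if m.group(1) is not None else "(default)"
        rhs = m.group(2)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            value = _unescape(rhs[1:-1])
        elif rhs.lower().startswith("dword:"):
            value = int(rhs[6:], 16)
        else:
            value = rhs                       # hex:/expand strings kept raw
        keys[current][name] = value
    return keys


def audit(keys):
    """Return (rule, detail) pairs for the persistence and policy changes above."""
    def get(key, name):
        return keys.get(key.lower(), {}).get(name.lower())
    findings = []
    shell = get(WINLOGON, "Shell")                 # default is "Explorer.exe"
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon-shell", shell))
    userinit = get(WINLOGON, "Userinit")           # default is "<System>\userinit.exe,"
    if userinit is not None:
        parts = [p.strip() for p in userinit.split(",") if p.strip()]
        if len(parts) != 1 or not parts[0].lower().endswith("userinit.exe"):
            findings.append(("winlogon-userinit", userinit))
    sfc = get(WINLOGON, "SFCDisable")              # non-zero turns off file protection
    if sfc not in (None, 0):
        findings.append(("sfc-disabled", f"SFCDisable={sfc!r}"))
    for svc in ("SharedAccess", "wuauserv"):       # ICF and Automatic Updates
        if get(SERVICES + "\\" + svc, "Start") == 4:
            findings.append(("service-disabled", svc))
    appinit = get(APPINIT_KEY, "AppInit_DLLs")     # loaded by every process using user32
    if appinit:
        findings.append(("appinit-dlls", appinit))
    prefix = (WINLOGON + "\\Notify\\").lower()     # compare against a known-good baseline
    for key, values in keys.items():
        if key.startswith(prefix) and "dllname" in values:
            findings.append(("winlogon-notify", f"{key[len(prefix):]}: {values['dllname']}"))
    for ftype in ("exefile", "comfile", "batfile", "piffile"):   # default: "%1" %*
        cmd = get(f"HKEY_CLASSES_ROOT\\{ftype}\\shell\\open\\command", "(default)")
        if cmd is not None and not cmd.startswith('"%1"'):
            findings.append(("file-association-hijack", f"{ftype}: {cmd}"))
    for key in AUTOSTART_KEYS:                     # every autostart entry, for review
        for name, value in keys.get(key.lower(), {}).items():
            findings.append(("autostart", f"{name} -> {value}"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"{rule:24} {detail}")
```

Run it against `reg export HKLM hklm.reg` / `reg export HKCU hkcu.reg` output from a suspect host. The autostart and Notify rules report every entry rather than judging it, because legitimate software lives there too; the other rules compare against the defaults the entries quote (Shell, Userinit) or against values that only make sense as tampering (SFCDisable, Start=4 on the firewall service, a non-empty AppInit_DLLs, an exefile command that no longer begins with "%1").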
Name Troj/Zapchas-U
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Zapchas-U is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Advanced
Troj/Zapchas-U is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
When Troj/Zapchas-U is installed the following files are created:
<Windows>\win.ini
<System>\drivers\nVIDIA\dll\control.ini
<System>\drivers\nVIDIA\dll\fullname.txt
<System>\drivers\nVIDIA\dll\hex.exe - detected as HideWindow
<System>\drivers\nVIDIA\dll\ident.ini
<System>\drivers\nVIDIA\dll\mirc.gid
<System>\drivers\nVIDIA\dll\mirc.ini
<System>\drivers\nVIDIA\dll\nicks.txt
<System>\drivers\nVIDIA\dll\regedit
<System>\drivers\nVIDIA\dll\remote.ini
<System>\drivers\nVIDIA\dll\rundll.exe - detected as Troj/Zapchas-U
<System>\drivers\nVIDIA\dll\script.ini
<System>\drivers\nVIDIA\dll\servers.txt
The following registry entry is created to run rundll.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
<System>\drivers\nVIDIA\dll\rundll.exe
The following registry entries are set or modified, so that
rundll.exe is run when files with extensions of CHA and IRC are
opened/launched:
HKCR\ChatFile\Shell\open\command
(default)
<System>\drivers\nVIDIA\dll\rundll.exe" -noconnect
HKCR\irc\Shell\open\command
(default)
<System>\drivers\nVIDIA\dll\rundll.exe" -noconnect
Registry entries are set as follows:
HKCR\ChatFile\DefaultIcon
(default)
<System>\drivers\nVIDIA\dll\rundll.exe
HKCR\irc\DefaultIcon
(default)
<System>\drivers\nVIDIA\dll\rundll.exe
Registry entries are created under:
HKCU\Software\Microsoft\Microsoft Agent\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\
Troj/Zapchas-U provides an uninstall option which can be accessed via
the Add or Remove Programs dialog in the Windows Control Panel. The
software is listed as "mIRC".
Name Troj/QDial-AF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Installs itself in the Registry
Aliases
* Trojan.Win32.Agent.xj
* QDial-45
Prevalence (1-5) 2
Description
Troj/QDial-AF is a Trojan for the Windows platform.
Advanced
It is likely to be installed by the download of a dropper file, which
installs two files:
<Windows>\temp\<random>.tmp (detected as Troj/Hyder-B)
<Windows>\temp\<random>.exe (detected as Troj/QDial-AF)
The following registry entry is added to run the Trojan at startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random>.exe
<Windows>\temp\<random>.exe
Name W32/Agobot-AHN
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Agobot.agw
* W32/Agobot.GBC
Prevalence (1-5) 2
Description
W32/Agobot-AHN is a worm and IRC backdoor for the Windows platform.
Advanced
W32/Agobot-AHN is a worm and IRC backdoor for the Windows platform.
When first run W32/Agobot-AHN copies itself to <System>\mssvcc.exe.
The following registry entries are created to run mssvcc.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msconfig38
mssvcc.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
msconfig38
mssvcc.exe
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/DoS-AG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Used in DOS attacks
Prevalence (1-5) 2
Description
Troj/DoS-AG is a denial-of-service Trojan for the Windows platform.
Advanced
Troj/DoS-AG is a denial-of-service Trojan for the Windows platform.
Troj/DoS-AG continually retrieves a page from a preconfigured website.
Name Troj/Agent-CRY
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Trojan.Win32.Agent.wd
* Win32/Agent.WD
Prevalence (1-5) 2
Description
Troj/Agent-CRY is a Trojan for the Windows platform.
Advanced
Troj/Agent-CRY is a Trojan for the Windows platform.
When Troj/Agent-CRY is installed the following files are created:
<System>\<random>msqlc.exe
<System>\iedunper.exe
<System>\msessenger.dll
<System>\winadv.bmp
The file msessenger.dll is injected into explorer.exe, and creates
copies of the file <random>msqlc.exe with different random characters
prepended.
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
0
Registry entries are created under:
HKCU\Software\Callagan\
Name W32/Setrox-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* WORM_SETROX.A
* Win32/VB.ALS
* Trojan.Win32.VB.als
Prevalence (1-5) 2
Description
W32/Setrox-A is a worm for the Windows platform.
W32/Setrox-A may spread by copying itself to local drives.
W32/Setrox-A may shut down the infected computer.
Advanced
W32/Setrox-A is a worm for the Windows platform.
W32/Setrox-A may spread by copying itself to local drives.
W32/Setrox-A may shut down the infected computer.
When W32/Setrox-A is installed the following files are created:
<root folder>\autorun.inf
<Windows system folder>\run.reg
<Windows system folder>\systemdate.ini
The worm may also copy itself to the root folder of any local drive
as rose.exe.
The file autorun.inf is a configuration file that may automatically
run the file rose.exe.
The file run.reg is a registry file containing the following registry
entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
dll
C:\system32\rose.exe
The file systemdate.ini is a harmless text file.
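The autorun.inf that W32/Setrox-A drops is what lets rose.exe start when the drive is opened. As an added example, not from the page or from Sophos, the Python below parses an autorun.inf and lists every program it would launch, handling the section name in any case, quoted command lines, and the three key forms that can start a program (`open`, `shellexecute` and `shell\<verb>\command`). The sample file is constructed; its `shell\explore\command` line and the `/hidden` argument are assumptions about what such a file might contain, not something the entry states.

```python
import configparser

# Constructed autorun.inf shaped like the one W32/Setrox-A drops (sample data
# for this example, not a file recovered from an infected drive). The
# shell\explore\command line is an assumed extra, not quoted from the entry.
SAMPLE_AUTORUN = """[AutoRun]
open=rose.exe
shellexecute=rose.exe
shell\\explore\\command="rose.exe" /hidden
icon=rose.exe,0
action=Open folder to view files
"""

EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def _first_token(command):
    """Return the program part of a command line, honouring Windows quoting."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def autorun_targets(text):
    """List every program an autorun.inf would launch, as (key, program) pairs."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.read_string(text)
    # The section name is matched case-insensitively; configparser already
    # lower-cases option names, so "Open" and "open" compare equal.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    targets = []
    for key, value in cp.items(section):
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, _first_token(value or "")))
    return targets


def autorun_findings(text):
    """Keep only launch targets that are executables (the worm's rose.exe case)."""
    return [(key, prog) for key, prog in autorun_targets(text)
            if prog.lower().endswith(EXEC_EXTS)]


if __name__ == "__main__":
    for key, prog in autorun_findings(SAMPLE_AUTORUN):
        print(f"{key:24} -> {prog}")
```

A removable-media check that only looks at `open=` misses the other two forms, and a file listing for a root that holds both autorun.inf and an executable it points at is worth treating as suspect until examined. The policy value NoDriveTypeAutoRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (0xFF disables AutoRun for all drive types) is the usual mitigation on systems of this era.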
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)