Tillbaka till svenska Fidonet
English   Information   Debug  
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   33421
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33945
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41707
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13613
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16074
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3249
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13300
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
Möte VIRUS_INFO, 201 texter
 lista första sista föregående nästa
Text 139, 1817 rader
Skriven 2006-09-17 01:53:00 av KURT WISMER (1:123/140)
Ärende: News, September 17 2006
===============================
[cut-n-paste from sophos.com]

Name   Troj/Cimuz-AS

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Spy-Agent.ak

Prevalence (1-5) 3

Description
Troj/Cimuz-AS is a keylogging Trojan with backdoor functionality.

Advanced
Troj/Cimuz-AS is a keylogging Trojan with backdoor functionality.

Troj/Cimuz-AS includes functionality to access the internet and 
communicate with a remote server via HTTP.

When Troj/Cimuz-AS is installed the following files are created:

<System>\hook.dll
<System>\ipv6monl.dll
<System>\msn.exe

These files are also detected as Troj/Cimuz-AS.

The following registry entry is created to run msn.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN
<System>\msn.exe" /INITSERVICE

The file ipv6monl.dll is registered as a COM object and Browser 
Helper Object (BHO) for Microsoft Internet Explorer, creating 
registry entries under:

HKCR\CLSID\(73364D99-1240-4dff-B11A-67E448373048)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser 
helper obJects\(73364D99-1240-4dff-B11A-67E448373048)

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ 
FirewallPolicy\StandardProfile\AuthorizedApplications\List\
<Program Files>\Internet Explorer\IEXPLORE.EXE
<Program Files>\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet 
Explorer





Name   Troj/Horst-EX

Type  
    * Trojan

Affected operating systems  
    * Windows

Aliases  
    * Trojan-Proxy.Win32.Horst.hz

Prevalence (1-5) 2

Description
Troj/Horst-EX is a Trojan for the Windows platform.

Troj/Horst-EX includes functionality to access the internet and 
communicate with a remote server via HTTP.





Name   W32/Sdbot-CPM

Type  
    * Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.VanBot.e

Prevalence (1-5) 2

Description
W32/Sdbot-CPM is worm and IRC backdoor for the Windows platform.

W32/Sdbot-CPM spreads
to network shares
via MSN Messenger
via Yahoo Instant Messenger
by exploiting common buffer overflow vulnerabilities, including: 
SRVSVC (MS06-040) and ASN.1 (MS04-007)

W32/Sdbot-CPM runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Sdbot-CPM is worm and IRC backdoor for the Windows platform.

W32/Sdbot-CPM spreads
to network shares
via MSN Messenger
via Yahoo Instant Messenger
by exploiting common buffer overflow vulnerabilities, including: 
SRVSVC (MS06-040) and ASN.1 (MS04-007)

W32/Sdbot-CPM runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Sdbot-CPM copies itself to <Windows system 
folder>\dllcache\thesims2.exe.

The file thesims2.exe is registered as a new system driver service 
named "The Sims 2", with a display name of "The Sims 2" and a startup 
type of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\The Sims 2\

W32/Sdbot-CPM sets the following registry entries, disabling the 
automatic
startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Rbot-FMX

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Rbot.aus

Prevalence (1-5) 2

Description
W32/Rbot-FMX is a worm and IRC backdoor Trojan for the Windows 
platform.

Advanced
W32/Rbot-FMX is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-FMX spreads to other network computers by:

- exploiting common buffer overflow vulnerabilities, including: WKS 
(MS03-049) (CAN-2003-0812), MSSQL (MS02-039) (CAN-2002-0649) and 
Realcast

- networks protected by weak passwords

W32/Rbot-FMX runs continuously in the background, providing a 
backdoor server wh
ich allows a remote intruder to gain access and control over the 
computer via IRC channels.

W32/Rbot-FMX includes functionality to:

- access the internet and communicate with a remote server via HTTP
- act as a proxy redirecting internet traffic
- terminate processes

When first run W32/Rbot-FMX copies itself to <System>\WinSock32.exe.

The following registry entries are created to run W32/Rbot-FMX on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Socket Procedure
WinSock32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Socket Procedure
WinSock32.exe

The following registry entries are set:

HKCU\Software\Microsoft\OLE
Windows Socket Procedure
WinSock32.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableRemoteConnect
N

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
TransportBindName

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\ControlSet1\Services\wscsvc
Start
4

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SOFTWARE\Microsoft\Ole
EnableRemoteConnect
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
SCHANNEL\Protocols\PCT1.0\Server
Enabled

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server
50

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPerServer
50

Registry entries are also set under:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters





Name   W32/Rbot-FMZ

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Rbot.adf
    * W32/Sdbot.worm.gen.ax
    * WORM_RBOT.ASY

Prevalence (1-5) 2

Description
W32/Rbot-FMZ is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-FMZ spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and ASN.1 
(MS04-007) and by copying itself to network shares protected by weak 
passwords.

W32/Rbot-FMZ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-FMZ may modify the system HOSTS file, preventing access to 
certain websites.

The worm also contains functionality to download updates, participate 
in denial-of-service attacks, kill processes, log keypresses and 
monitor network traffic. The worm also provides a remote command shell.

Advanced
W32/Rbot-FMZ is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-FMZ spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and ASN.1 
(MS04-007) and by copying itself to network shares protected by weak 
passwords.

W32/Rbot-FMZ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-FMZ may modify the system HOSTS file, preventing access to 
certain websites.

The worm also contains functionality to download updates, participate 
in denial-of-service attacks, kill processes, log keypresses and 
monitor network traffic. The worm also provides a remote command shell.

When first run W32/Rbot-FMZ copies itself to <System>\svchosl.exe.

The following registry entries are created to run svchosl.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Corp. Host Services
svchosl.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Corp. Host Services
svchosl.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Corp. Host Services
svchosl.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Corp. Host Services
svchosl.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Corp. Host Services
svchosl.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Corp. Host Services
svchosl.exe

HKCU\Software\Microsoft\OLE
Microsoft Corp. Host Services
svchosl.exe

HKLM\SOFTWARE\Microsoft\Ole
Microsoft Corp. Host Services
svchosl.exe

The following lines may be added to the system HOSTS file:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com





Name   Troj/WowPWS-W

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Trojan-PSW.Win32.WOW.hh
    * PWS-WoW
    * TSPY_WOW.DJ
    * Win32/PSW.Legendmir

Prevalence (1-5) 2

Description
Troj/WowPWS-W is a password-stealing Trojan for the Windows platform.

Troj/WowPWS-W targets the online game World of Warcraft, and attempts 
to steal account details.

Advanced
Troj/WowPWS-W is a password-stealing Trojan for the Windows platform.

Troj/WowPWS-W targets the online game World of Warcraft, and attempts 
to steal account details.

When first run Troj/WowPWS-W copies itself to:

<Common Files>\iexplore.pif
<Program Files>\Internet Explorer\iexplore.com
<Windows folder>\Debug\DebugProgram.exe
<Windows system folder>\dxdiag.com
<Windows system folder>\msconfig.com
<Windows system folder>\regedit.com
<Windows system folder>\command.pif
<Windows system folder>\finder.com
<Windows system folder>\rundll32.com
<Windows folder>\1.com
<Windows folder>\BOOT.BIN.BAK
<Windows folder>\ExERoute.exe
<Windows folder>\explorer.com
<Windows folder>\finder.com
<Windows folder>\SMSS.EXE

The following registry entry is created to run lsass.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TProgram
<Windows folder>\smss.exe

Troj/WowPWS-W changes settings for Microsoft Internet Explorer by 
setting the following registry entries:

HKCR\.bfc\ShellNew
Command
<Windows system folder>\rundll32.com 
<System>\syncui.dll,Briefcase_Create %2!d! %1

HKCR\.lnk\ShellNew
Command
rundll32.com appwiz.cpl,NewLinkHere %1

HKCR\Applications\iexplore.exe\shell\open\command
(default)
<Program Files>\Internet Explorer\iexplore.com %1

HKCR\cplfile\shell\cplopen\command
(default)
rundll32.com shell32.dll,Control_RunDLL %1,%*

HKCR\Drive\shell\find\command
(default)
<Windows folder>\explorer.com

HKCR\dunfile\shell\open\command
(default)
<Windows system folder>\rundll32.com NETSHELL.DLL,InvokeDunFile %1

HKCR\ftp\shell\open\command
(default)
<Program Files>\Internet Explorer\iexplore.com %1

HKCR\htmlfile\shell\open\command
(default)
<Program Files>\Internet Explorer\iexplore.com -nohome

HKCR\htmlfile\shell\opennew\command\
- "C:\Program Files\Internet Explorer\iexplore.exe" %1
<Common Files>\iexplore.pif %1

HKCR\htmlfile\shell\print\command\
(default)
rundll32.com <Windows system folder>\mshtml.dll,PrintHTML "%1"

HKCR\http\shell\open\command
(default)
<Common Files>\iexplore.pif -nohome

HKCR\inffile\shell\Install\command
(default)
<Windows system folder>\rundll32.com setupapi,InstallHinfSection 
DefaultInstall 132 %1

HKCR\InternetShortcut\shell\open\command
(default)
finder.com shdocvw.dll,OpenURL %l

HKCR\scrfile\shell\install\command\
(default)
finder.com desk.cpl,InstallScreenSaver %l

HKCR\scriptletfile\Shell\Generate Typelib\command
(default)
<Windows system folder>\finder.com 
<System>\scrobj.dll,GenerateTypeLib "%1"

HKCR\telnet\shell\open\command
(default)
finder.com url.dll,TelnetProtocolHandler %l

HKCR\Unknown\shell\openas\command
(default)
<Windows system folder>\finder.com <System>\shell32.dll,OpenAs_RunDLL 
%1

HKLM\SOFTWARE\Clients\StartMenuInternet
(default)
iexplore.pif

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
(default)
Explorer.exe 1

HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
(default)
No





Name   W32/Rbot-FNA

Type  
    * Spyware Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Used in DOS attacks
    * Enables remote access
    * Scans network for vulnerabilities
    * Scans network for weak passwords

Prevalence (1-5) 2

Description
W32/Rbot-FNA is a worm and IRC backdoor for the Windows platform.

W32/Rbot-FNA spreads using a variety of techniques including 
exploiting weak passwords on computers and SQL servers, exploiting 
operating system vulnerabilities (including SRVSVC (MS06-040) and 
ASN.1 (MS04-007).) and by MSN Messenger and Yahoo Instant Messenger

W32/Rbot-FNA runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-FNA includes functionality to:

- set up an FTP server
- set up a proxy server
- log keypresses
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information Protected Storage
- take part in Distributed Denial of Service (DDoS) attacks

Advanced
W32/Rbot-FNA is a worm and IRC backdoor for the Windows platform.

W32/Rbot-FNA spreads using a variety of techniques including 
exploiting weak passwords on computers and SQL servers, exploiting 
operating system vulnerabilities (including SRVSVC (MS06-040) and 
ASN.1 (MS04-007).) and by MSN Messenger and Yahoo Instant Messenger

W32/Rbot-FNA runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-FNA includes functionality to:

- set up an FTP server
- set up a proxy server
- log keypresses
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information Protected Storage
- take part in Distributed Denial of Service (DDoS) attacks

When first run W32/Rbot-FNA copies itself to 
<System>\dllcache\mshcp.exe.

The file mshcp.exe is registered as a new system driver service named 
"Microsoft DHCPA Service", with a display name of "Microsoft DHCPA 
Service" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft DHCPA Service\

W32/Rbot-FNA sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/Banworm-H

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
Troj/Banworm-H is a Trojan for the Windows platform.

Advanced
Troj/Banworm-H is a Trojan for the Windows platform.

Troj/Banworm-H includes functionality to:

- access the internet and communicate with a remote server via HTTP
- steal information

Troj/Banworm-H may modify the HOSTS file which maps the URLs of 
selected websites to a loopback IP address or to its own IP 
addresses, in order to prevent access to certain sites and to 
control/hijack browsing. By this technique Troj/Banworm-H tries to 
block access to several security related sites and hijack a number of 
banking related sites.

When Troj/Banworm-H is installed the following files are created:

<Windows>\tmp.log
<Windows>\uid.id

These files can be safely removed.

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\crypt32net
DllName
crypt32net.dll

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\crypt32net
Logon
ChainWlxLogoffEvent

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\crypt32net
Asynchronous
1

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\crypt32net
Impersonate
0





Name   Troj/Bankem-Z

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * PWS-Banker.gen.i

Prevalence (1-5) 2

Description
Troj/Bankem-Z is a is a password stealing Trojan aimed at customers 
of Brazilian banks.

Troj/Bankem-Z monitors a user's internet access in attempt to steal 
confidential information.

Troj/Bankem-Z will then send the stolen details to a remote address.

The Trojan displays fake login screens to a number of Brazilian banks 
that offer online services in an attempt to steal bank account details.

Advanced
Troj/Bankem-Z is a is a password stealing Trojan aimed at customers 
of Brazilian banks.

Troj/Bankem-Z monitors a user's internet access in attempt to steal 
confidential information.

Troj/Bankem-Z will then send the stolen details to a remote address.

The Trojan displays fake login screens to a number of Brazilian banks 
that offer online services in an attempt to steal bank account details.

The Troj/Bankem-Z is registered as a COM object, creating registry 
entries under:

HKCR\CLSID\(041D5395-99FA-4EAC-8104-77366E7CA528)
HKCR\Interface\(0B59858A-0550-463B-909E-5071A3F14355)
HKCR\MixMessenger.MIXSVRMSG\
HKCR\TypeLib\(BA85609E-B9F0-4E0B-BCDF-80A74CBD5642)

Registry entries are created under:

HKCR\Component Categories\(13E85B3C-9508-11D2-AB63-00C04FA35CFA)\





Name   W32/Tufik-D

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Virus.Win32.Tufik.c
    * W95/Tufik.C
    * PE_TUFIK.D

Prevalence (1-5) 2

Description
W32/Tufik-D is a appending virus for the Windows platform.

W32/Tufik-D infects EXE files, and can spread to drives F: to Z:. The 
virus can be disinfected.

W32/Tufik-D can upload log files to a remote location. The virus 
makes contact with a preconfigured internet site to report successful 
infection.





Name   Troj/Zlob-SA

Type  
    * Trojan

Affected operating systems  
    * Windows

Aliases  
    * Win32/TrojanProxy.Horst.HD

Prevalence (1-5) 2

Description
Troj/Zlob-SA is a Trojan for the Windows platform.





Name   W32/Brontok-BO

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Brontok.w

Prevalence (1-5) 2

Description
W32/Brontok-BO is a worm for the Windows platform.

Advanced
W32/Brontok-BO is a worm for the Windows platform.

When first run W32/Brontok-BO copies itself to:

\Data sara.exe
<Startup>\Empty.pif
<User>\Local Settings\Application Data\windows\csrss.exe
<User>\Local Settings\Application Data\windows\lsass.exe
<User>\Local Settings\Application Data\windows\services.exe
<User>\Local Settings\Application Data\windows\smss.exe
<User>\Local Settings\Application Data\windows\winlogon.exe
\Kr0n1C.exe
\Kr0n1C\New Folder.exe
<Windows>\Kr0n1C.exe
<System>\IExplorer.exe
<System>\MrHelloween.scr
<System>\shell.exe

and creates the following files:

\Kr0n1C\Folder.htt
\Puisi.txt

The following registry entries are created to run W32/Brontok-BO on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Kr0n1C
<Windows>\Kr0n1C.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Servicesara
<User>\Local Settings\Application Data\WINDOWS\SERVICES.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logonsara
<User>\Local Settings\Application Data\WINDOWS\CSRSS.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Monitoring
<User>\Local Settings\Application Data\WINDOWS\LSASS.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
<User>\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

The following registry entries are changed to run W32/Brontok-BO on 
startup:

HKCU\Control Panel\Desktop
SCRNSAVE.EXE
<System>\MRHELL~1.SCR

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\IExplorer.exe"

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\IExplorer.exe

(the default value for this registry entry is 
"<Windows>\System32\userinit.exe,").

The following registry entries are set or modified, so that shell.exe 
is run when files with extensions of BAT, COM, EXE and PIF are 
opened/launched:

HKCR\lnkfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*

HKCR\batfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*

HKCR\comfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*

HKCR\exefile\shell\open\command
(default)
<System>\shell.exe" "%1" %*

HKCR\piffile\shell\open\command
(default)
<System>\shell.exe" "%1" %*

The following registry entries are set, disabling the registry editor 
(regedit), the Windows task manager (taskmgr), the command prompt and 
system restore:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
<System>\Shell.exe

HKCR\exefile
(default)
File Folder





Name   W32/Rbot-FMW

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Rbot-FMW is a backdoor worm for the Windows platform.

Advanced
W32/Rbot-FMW is a backdoor worm for the Windows platform.

The worm spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and MSSQL 
(MS02-039) (CAN-2002-0649).

The worm runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

When run the worm copies itself to <System>\FrameWork.exe.

The following registry entries are created to run FrameWork.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
FrameWork 2.5
FrameWork.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FrameWork 2.5
FrameWork.exe

The worm sets the following registry entries, disabling the automatic 
startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
FrameWork 2.5
FrameWork.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableRemoteConnect
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N





Name   W32/Stration-X

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * W32/Station@MM
    * Win32/Stration

Prevalence (1-5) 2

Description
W32/Stration-X is a mass-mailing worm for the Windows platform.

Mails sent by the worm have the following characteristics:

Subject line: chosen from a list including
Mail server report.
Mail Transaction Failed
Error
Status
hello.

Message text: chosen from a list including

The message contains Unicode characters and has been sent as a binary 
attachment.

The message cannot be represented in 7-bit ASCII encoding and has 
been sent as a binary attachment.

Mail transaction failed. Partial message is available.

Advanced
W32/Stration-X is a mass-mailing worm for the Windows platform.

Mails sent by the worm have the following characteristics:

Subject line: one of
Mail server report.
Mail Transaction Failed
Error
Status
hello.
Good day

Message text: one of

Mail server report.
Our fireweall determined the e-mails containing worm copies are being 
sent from your computer.
Nowadays it happens from many computers, because this is a new virus 
type (Network Worms).
Using the new bug in Windows, these viruses infect the computer 
unnoticeably.
After penetrating into the computer the virus harvest all the e-mail 
addresses and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer 
restoring.
Best regards,
Customers support service

The message contains Unicode characters and has been sent as a binary 
attachment.

The message cannot be represented in 7-bit ASCII encoding and has 
been sent as a binary attachment.

Mail transaction failed. Partial message is available.

W32/Stration-X includes functionality to download, install and run 
new software.

When first run W32/Stration-X copies itself to <Windows 
folder>\tsrv.exe and creates
the following files:

<Windows system folder>\<random>.dll
<Windows system folder>\<random>.exe
<Windows system folder>\<random>.dll
<Windows folder>\tsrv.dll

These four files are also detected as W32/Stration-X.

The following registry entries are created to run tsrv.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
tsrv
<Windows folder>\tsrv.exe s

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
AppInit_DLLs
<path to one of the randomly-named DLLs>

When first run, W32/Stration-X displays the following message:

Title: Information
Message: Update successfully installed.





Name   W32/Looked-Q

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
W32/Looked-Q is a virus for the Windows platform.

Advanced
W32/Looked-Q is a virus for the Windows platform.

When first run the virus copies itself to <Windows>\rundl132.exe and 
creates a file <Windows>\Dll.dll, also detected as W32/Looked-Q. This 
file attempts to download further executable code.

The virus infects EXE files found on the infected computer.

Many files with the name "_desktop.ini" are created, in various 
folders on the infected computer. These files are harmless text files.





Name   W32/IRCBot-RJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Rbot.bed
    * W32/Ircbot.NX

Prevalence (1-5) 2

Description
W32/IRCBot-RJ is a worm and IRC backdoor for the Windows platform.

W32/IRCbor-RJ spreads
- to computers vulnerable to common exploits, including: ASN.1 
(MS04-007)
- to network shares protected by weak passwords

W32/IRCBot-RJ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/IRCBot-RJ is a worm and IRC backdoor for the Windows platform.

W32/IRCBot-RJ spreads
- to computers vulnerable to common exploits, including: ASN.1 
(MS04-007)
- to network shares protected by weak passwords

W32/IRCBot-RJ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/IRCBot-RJ copies itself to <Windows system 
folder>\Googlesetup.exe.

The following registry entries are created to run Googlesetup.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Google service
Googlesetup.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Google service
Googlesetup.exe

The following registry entry is set:

HKCU\Software\Microsoft\OLE
Google service
Googlesetup.exe





Name   W32/Tilebot-GW

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.avu
    * W32/Gaobot.worm.gen.e
    * W32.Spybot.Worm
    * WORM_SPYBOT.KJ

Prevalence (1-5) 2

Description
W32/Tilebot-GW is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-GW spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS (MS04-011), 
SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 
(MS04-007).

W32/Tilebot-GW runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-GW includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Tilebot-GW is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-GW spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS (MS04-011), 
SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 
(MS04-007).

W32/Tilebot-GW runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-GW includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Tilebot-GW copies itself to <Windows>\smsc.exe.

The file smsc.exe is registered as a new system driver service named 
"smsc", with a display name of "smsc" and a startup type of 
automatic, so that it is started automatically during system startup. 
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\smsc\

W32/Tilebot-GW modifies the following files, affecting the command 
line file transfers:

<System>\ftp.exe
<System>\tftp.exe

W32/Tilebot-GW may modify the following file in order to prevent 
Windows File Protection from noticing the above modifications:

<System>\sfc_os.dll

The following registry entries are set, disabling the registry editor 
(regedit) and the Windows task manager (taskmgr):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

W32/Tilebot-GW sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   W32/Tilebot-GV

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Tilebot-GV is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-GV runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Tilebot-GV is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-GV runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Tilebot-GV copies itself to <Windows>\sqldps.exe.

The file sqldps.exe is registered as a new system driver service 
named "sqldps", with a display name of "sqldps" and a startup type of 
automatic, so that it is started automatically during system startup. 
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\sqldps\

W32/Tilebot-GV sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   Troj/PcClien-ID

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * BackDoor-CKB
    * TROJ_AGENT.EAH
    * Win32/TrojanDropper.Agent.IL

Prevalence (1-5) 2

Description
Troj/PcClien-ID is a backdoor Trojan which allows a remote intruder 
to gain access and control over the computer.

Advanced
Troj/PcClien-ID is a backdoor Trojan which allows a remote intruder 
to gain access and control over the computer.

When first run Troj/PcClien-ID copies itself to <Temp>\@BEde.exe and 
creates the following files:

<current folder>\<original filename>.doc
<Windows>\offitems.log
<System>\drivers\updjsjas.sys
<System>\updjsjas.dll
<System>\updjsjas.drv
<System>\updjsjas.log

The file updjsjas.sys is detected as Troj/Agent-BSL. The document 
file is clean, and is opened by the Trojan when the Trojan is first 
executed.

The file updjsjas.dll is registered as a service named "SENS". 
Registry entries are created or modified under:

HKLM\SYSTEM\CurrentControlSet\Services\SENS\





Name   W32/Tilebot-DM

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * MultiDropper-BU

Prevalence (1-5) 2

Description
W32/Tilebot-DM is a Trojan for the Windows platform.

W32/Tilebot-DM runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-DM includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Tilebot-DM is a Trojan for the Windows platform.

W32/Tilebot-DM runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-DM includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Tilebot-DM copies itself to <Windows>\svchost.exe.

The file ~zy1.tmp is detected as Troj/Drsmartl-G.

The file <Windows>\svchost.exe is registered as a new system driver 
service named "Generic Host Process", with a display name of "Generic 
Host Process For Win32 Services" and a startup type of automatic, so 
that it is started automatically during system startup. Registry 
entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Generic Host Process\

W32/Tilebot-DM sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKCR\.key\
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   Troj/Bancos-AVL

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Records keystrokes
    * Installs itself in the Registry
    * Monitors browser activity

Aliases  
    * Trojan-Spy.Win32.Bancos.xp
    * Win32/Spy.Bancos.U

Prevalence (1-5) 2

Description
Troj/Bancos-AVL is a password stealing Trojan aimed at customers of 
Brazilian banks.

Troj/Bancos-AVL monitors a user's internet access in attempt to steal 
confidential information.

The Trojan will then send the stolen details to a remote address.

Advanced
Troj/Bancos-AVL is a password stealing Trojan aimed at customers of 
Brazilian banks.

Troj/Bancos-AVL monitors a user's internet access in attempt to steal 
confidential information.

The Trojan will then send the stolen details to a remote address.

When first run Troj/Bancos-AVL copies itself to <Windows system 
folder>\tasklist32.exe.

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)