Text 14, 634 lines
Written 2004-09-26 19:04:00 by KURT WISMER (1:123/140)
Subject: News, Sept 26 2004
==========================
[cut-n-paste from sophos.com]
Name W32/Xbot-C
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Sdbot.worm.gen.j
Prevalence (1-5) 2
Description
W32/Xbot-C is a network worm with IRC backdoor capability.
W32/Xbot-C spreads using network services protected by weak passwords.
An infected machine can be remotely controlled by an attacker through
IRC channels.
Advanced
W32/Xbot-C is a network worm with IRC backdoor capability.
In order to run automatically when Windows starts up the worm creates
the files dhcp\csrss.exe and Webchecks.dll in the Windows system folder.
The worm may also create the following (harmless) files beneath the
Windows system folder:
msvcp60.dll (if it doesn't already exist)
dhcp\msadm.dll
dhcp\msusr.dll
dhcp\mspwd.dll
dhcp\msdb.dll
updater.exe
W32/Xbot-C attempts to spread via network shares and SQL services
protected by weak passwords.
W32/Xbot-C connects to a preconfigured IRC server and joins a channel in
which it can await instructions from a remote attacker. These
instructions can start any of the following actions:
flood another machine with ping packets
execute arbitrary files/commands
download an updated version of the bot
close network services that have commonly-exploited vulnerabilities
kill security-related processes
The worm creates the following registry entry:
HKCR\CLSID\(E6FB5E20-DE35-11CF-9C87-00AA005127ED)\InProcServer32\
@ = "C:\Windows\System32\webchecks.dll"
Name W32/Noomy-A
Type
* Worm
How it spreads
* Email attachments
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Stops the computer from booting
* Deletes files off the computer
* Steals information
Prevalence (1-5) 2
Description
W32/Noomy-A is a mass mailing worm which will attempt to send itself to
email addresses harvested from dbx, htm, html and php files. When first
executed W32/Noomy-A will display the fake error message: "CRC error:
5418#223 Close file", and continue running in background.
Advanced
W32/Noomy-A will attempt to send emails using the Winsock interface. If
the required mswinsck.ocx is not found, it will then attempt to download
the file from a predefined location on the internet.
The email sent will be from a fake email address and have any of the
following subject lines:
Re: eCard Delivery Error:
Re: VoiceMail to
- Delivery Error You`ve got 1 new eCard!
bad request server not found!
One new VoiceMail! ID:
One new eCard! ID:
New eCard in your inbox!
You got one VoiceMail! See online!
Num: One new eCard from
Num: One new voicemail from
Mail Delivery (error )
Re: Message Error! mail:
Bad Request Server not found!
Re: Mail System Error - Returned Mail
Extended mail system error:
Re: Mail Delivery Error!
Protected Mail Server invalid!
Re: Mail Delivery: - Error
Re: mail error num:
- Returned mail: see transcript for details
Warning!!!
Why you SPAM?
Last notice!
Re: Regard ! Please read...
This is not OK !
Don't spam!!!!!
Question about YOUR SPAM!!
Information!You spam this email:
Last chance!STOP SPAM THIS EMAIL:
W32/Noomy-A copies itself to %windows%/Sysconf32.exe and to the folder
%windows%/Systembck with various filenames.
In order to run automatically when Windows starts up W32/Noomy-A creates
the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows HTML file reader=%WINDOWS%\Sysconf32.exe.
W32/Noomy-A can also spread by sending spam messages via Email or the
IRC service, to instruct users to download files from the backdoor HTML
server. This server will be accessed from the %windows%/Systembck folder,
in which all files are copies of W32/Noomy-A.
A specific URL of the backdoor HTML server will allow an intruder to log
on and view various aspects of the host. There is also an option to
remove *.sys files from the root folder which will prevent the system
from booting. The intruder will also be able to install new malware on
the system.
W32/Noomy-A may drop a batch file pingme.bat in the root folder. This
file will attempt to carry out ICMP DOS against the www.Microsoft.com,
www.sophos.com and www.kaspersky.com websites.
The worm will keep a copy of the email addresses in %Windows%\emls.tmp.
The following two files will also be created in the root folder:
ReAd_ThiS_ShiT.txt
StpLogs.vbs
Name W32/Forbot-AJ
Type
* Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Forbot-AJ is a network worm and backdoor Trojan for the Windows
platform.
Advanced
W32/Forbot-AJ is a network worm and backdoor Trojan for the Windows
platform.
When first run, W32/Forbot-AJ copies itself to the Windows system folder
as videosd32.exe. In order to run on system startup, the worm creates
the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 Configuration = videosd32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 Configuration = videosd32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32 Configuration = videosd32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 Configuration = videosd32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 Configuration = videosd32.exe
W32/Forbot-AJ registers itself as a service process and connects to an
IRC channel where it awaits commands from a remote user.
The backdoor component can be used to perform the following functions:
execute arbitrary commands (remote shell)
download and execute files from the internet
harvest product registration keys from the system registry
socks4 proxy server
port scanner
start/stop system service processes
DDoS (Distributed Denial of Service) attacks
W32/Forbot-AJ spreads through the network via the LSASS exploit and
through backdoors left open by the Optix family of backdoor Trojans.
Name W32/Agobot-MX
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Agobot.bh
Prevalence (1-5) 2
Description
W32/Agobot-MX is a network worm with backdoor functionality. When run
the worm will attempt to copy itself to the Windows system folder as
services21.exe and register itself as a service process.
Advanced
W32/Agobot-MX is a network worm with backdoor functionality. When run
the worm will attempt to copy itself to the Windows system folder as
services21.exe and register itself as a service process.
The worm will create the following registry entries so as to auto-start
on user logon or computer restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Startup = %SYSTEM%\services21.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Startup = %SYSTEM%\services21.exe
W32/Agobot-MX will also attempt to copy itself to the Windows system
folder as winhlpp32.exe, tftpd.exe, dllhost.exe, winppr32.exe,
mspatch.exe, penis32.exe and msblast.exe. The worm will also attempt to
copy itself to network shares, utilizing an inbuilt dictionary to try to
guess weak passwords.
The worm will also attempt to connect to an IRC server from where it may
receive further commands, scan the local drives for game CD keys, scan
the network for vulnerable computers, and terminate various anti-virus
and security related processes.
When instructed W32/Agobot-MX can also start a DoS attack, exploit
vulnerable computers and act as a proxy or FTP server.
Name W32/Zusha-A
Type
* Worm
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Worm.Win32.Zusha.a
* WORM_ZUSHA.B
Prevalence (1-5) 2
Description
W32/Zusha-A is a worm for the Windows platform.
W32/Zusha-A spreads by exploiting the LSASS (MS04-011) vulnerability,
causing vulnerable computers to download a copy of the worm from an FTP
site.
Advanced
W32/Zusha-A is a worm for the Windows platform.
W32/Zusha-A spreads by exploiting the LSASS (MS04-011) vulnerability,
causing vulnerable computers to download a copy of the worm from an FTP
site.
When run W32/Zusha-A copies itself to aux32.exe in the Windows system
folder and adds the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
auxAudioDevice = "<Windows system folder>\aux32.exe"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List\
<Windows system folder>\aux32.exe =
"<Windows system folder>aux32.exe:*:Enabled:aux32.exe"
W32/Zusha-A also contacts a website. If the website returns the string
"AnyoneElseWangSomeZu" the worm will remove its registry entries.
Name W32/Rbot-KJ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Aliases
* Backdoor.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-KJ is a network worm with IRC backdoor functionality.
W32/Rbot-KJ attempts to spread by exploiting the Universal PNP
(MS01-059), WebDav (MS03-007), RPC DCOM (MS03-026, MS04-012), LSASS
(MS04-011), DameWare (CAN-2003-1030) or IIS5 SSL (CAN-2003-0719)
vulnerabilities.
W32/Rbot-KJ allows a remote attacker to control the infected computer
via IRC channels.
Advanced
W32/Rbot-KJ is a network worm with IRC backdoor functionality.
In order to run automatically when Windows starts up the worm copies
itself to the file Msloader32.exe in the Windows system folder.
Once installed, W32/Rbot-KJ connects to a preconfigured IRC server,
joins a channel and awaits further instructions. These instructions can
cause the bot to perform any of the following actions:
flood a specified host with UDP, TCP, SYN, ICMP or ping packets
start a webserver offering the contents of the local drive
start a socks4 proxy server
redirect TCP connections
start a TFTP, rlogind or command shell server
send emails
search for product keys
download and install an updated version of itself
show statistics about the infected system
show/flush the DNS cache
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable machines
start a keylogger
search for passwords in files, running processes and network traffic
read the contents of the clipboard
capture images from the screen or any attached webcam
close down vulnerable services in order to secure the machine
The worm spreads to machines affected by known vulnerabilities, running
network services protected by weak passwords or infected by common
backdoor Trojans.
Vulnerabilities:
Universal PNP (MS01-059)
WebDav (MS03-007)
RPC DCOM (MS03-026, MS04-012)
LSASS (MS04-011)
DameWare (CAN-2003-1030)
IIS5 SSL (CAN-2003-0719)
Services:
NetBios
NTPass
MS SQL
Backdoors:
Troj/Kuang
Troj/Optix
Troj/NetDevil
W32/Bagle
Troj/Sub7
W32/MyDoom
W32/Rbot-KJ creates or modifies the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MS Config Service = "Msloader32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MS Config Service = "Msloader32.exe"
HKCU\Software\Microsoft\OLE
MS Config Service = "Msloader32.exe"
W32/Rbot-KJ searches for product keys for the following software:
Counter-Strike (Retail)
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Legends of Might and Magic
Soldiers of Anarchy
Microsoft Windows
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road to Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Generals (Zero Hour)
James Bond 007: Nightfire
Command and Conquer: Generals
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need for Speed Hot Pursuit 2
Need for Speed: Underground
Shogun: Total War: Warlord Edition
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
NOX
Chrome
Hidden & Dangerous
Soldier of Fortune II - Double Helix
Neverwinter Nights
Neverwinter Nights (Shadows of Undrentide)
Neverwinter Nights (Hordes of the Underdark)
Name W32/Forbot-AG
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Wootbot.gen
Prevalence (1-5) 2
Description
W32/Forbot-AG is a worm and backdoor for the Windows platform.
The worm spreads by exploiting operating system vulnerabilities and
backdoors opened by other worms. The vulnerabilities exploited by
W32/Forbot-AG are addressed by MS04-011.
The backdoor component contacts a predefined IRC server and waits for
commands from a remote attacker.
Advanced
W32/Forbot-AG is a worm and backdoor for the Windows platform.
The worm spreads by exploiting operating system vulnerabilities and
backdoors opened by other worms. The vulnerabilities exploited by
W32/Forbot-AG are addressed by MS04-011.
The backdoor component contacts a predefined IRC server and waits for
commands from a remote attacker.
When run W32/Forbot-AG copies itself to the Windows system folder as
IEXPLORE.EXE and creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft IE = "IEXPLORE.EXE"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft IE = "IEXPLORE.EXE"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft IE = "IEXPLORE.EXE"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft IE = "IEXPLORE.EXE"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft IE = "IEXPLORE.EXE"
The worm also installs itself as a service named "Microsoft IE".
The backdoor component allows a remote attacker to control the infected
computer and includes functionality to launch distributed denial of
service attacks or act as a proxy server.
Name W32/Myfip-C
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Steals information
* Reduces system security
* Installs itself in the Registry
Aliases
* Worm.Win32.Myfip.c
* W32/Myfip.worm
Prevalence (1-5) 2
Description
W32/Myfip-C is a worm from the W32/Myfip family that spreads using
network shares that are either unprotected or protected only by weak
passwords.
Advanced
W32/Myfip-C is a worm from the W32/Myfip family that spreads using
network shares that are either unprotected or protected only by weak
passwords.
The worm copies itself to the file kernel32dll.exe in the Windows
system folder on the local machine. Copies on network shares can be
called worm.txt.exe or dfsvc.exe.
W32/Myfip-C may also create files named temp.exe (detected by Sophos as
W32/Myfip-A) and temp.txt (harmless).
The worm attempts to register itself as a service process with the
ServiceName and DisplayName "Distributed Link Tracking Extensions".
W32/Myfip-C creates the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Distributed File System = "kernel32dll.exe"
W32/Myfip-C builds a list of all filenames whose path does not contain
any of the following strings:
Winnt
Windows
I386
Program Files
All Users
Recycler
System Volume Information
Inetpub
Documents and Settings
Wutemp
My Music
The worm then sends the contents of each file to a preconfigured IP
address.
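As a defender-side check for the auto-start registry values these write-ups list, here is an added Python example (not from Sophos or the post): it parses a .reg export of the Run/RunOnce/RunServices (and HKCU\...\OLE) keys and flags the value name/file name pairs given above; the sample export is constructed.

```python
"""Added example: flag the persistence values attributed above to Noomy-A,
Forbot-AJ/AG, Agobot-MX, Zusha-A, Rbot-KJ and Myfip-C in a .reg export."""

# Value name and executable exactly as the write-ups above give them.
PERSISTENCE = {
    ("Windows HTML file reader", "sysconf32.exe"): "W32/Noomy-A",
    ("Win32 Configuration", "videosd32.exe"): "W32/Forbot-AJ",
    ("Windows Startup", "services21.exe"): "W32/Agobot-MX",
    ("auxAudioDevice", "aux32.exe"): "W32/Zusha-A",
    ("MS Config Service", "msloader32.exe"): "W32/Rbot-KJ",
    ("Microsoft IE", "iexplore.exe"): "W32/Forbot-AG",
    ("Distributed File System", "kernel32dll.exe"): "W32/Myfip-C",
}
# Key suffixes the write-ups name as auto-start locations (Rbot-KJ also uses HKCU\...\OLE).
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce",
                      "\\currentversion\\runservices", "\\microsoft\\ole")

def parse_reg_export(text):
    """Yield (key, value name, string data) for each REG_SZ line of a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg exports double every backslash inside string data
            yield key, name.strip('"'), data.strip('"').replace("\\\\", "\\")

def find_autostart_hits(text):
    """Return (family, key, value name) for every listed persistence value present."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(AUTOSTART_SUFFIXES):
            continue
        exe = data.split("\\")[-1].lower()  # basename of the referenced file
        family = PERSISTENCE.get((name, exe))
        if family:
            hits.append((family, key, name))
    return hits

# Constructed sample export: one benign value plus three of the listed ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows Startup"="C:\\WINDOWS\\system32\\services21.exe"
"MS Config Service"="Msloader32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"MS Config Service"="Msloader32.exe"
'''

if __name__ == "__main__":
    for family, key, name in find_autostart_hits(SAMPLE_REG):
        print(f"{family}: {key} -> {name}")
```

On a live host the same function can be fed the output of `reg export` for each of the keys named in the write-ups.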
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)