Tillbaka till svenska Fidonet
English   Information   Debug  
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   33421
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33945
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41706
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13613
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16074
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3249
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13300
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
Möte VIRUS_INFO, 201 texter
 lista första sista föregående nästa
Text 14, 634 rader
Skriven 2004-09-26 19:04:00 av KURT WISMER (1:123/140)
Ärende: News, Sept 26 2004
==========================
[cut-n-paste from sophos.com]

Name   W32/Xbot-C

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Used in DOS attacks

Aliases  
    * Sdbot.worm.gen.j

Prevalence (1-5) 2

Description
W32/Xbot-C is a network worm with IRC backdoor capability.
W32/Xbot-C spreads using network services protected by weak passwords.
An infected machine can be remotely controlled by an attacker through 
IRC channels.

Advanced
W32/Xbot-C is a network worm with IRC backdoor capability.

In order to run automatically when Windows starts up the worm creates 
the files dhcp\csrss.exe and Webchecks.dll in the Windows system folder. 
The worm may also create the following (harmless) files beneath the 
Windows system folder:

msvcp60.dll (if it doesn't already exist)
dhcp\msadm.dll
dhcp\msusr.dll
dhcp\mspwd.dll
dhcp\msdb.dll
updater.exe

W32/Xbot-C attempts to spread via network shares and SQL services 
protected by weak passwords.

W32/Xbot-C connects to a preconfigured IRC server and joins a channel in 
which it can await instructions from a remote attacker. These 
instructions can start any of the following actions:

flood another machine with ping packets
execute arbitrary files/commands
download an updated version of the bot
close network services that have commonly-exploited vulnerabilities
kill security-related processes

The worm creates the following registry entry:

HKCR\CLSID\(E6FB5E20-DE35-11CF-9C87-00AA005127ED)\InProcServer32\
@ = "C:\Windows\System32\webchecks.dll"





Name   W32/Noomy-A

Type  
    * Worm

How it spreads  
    * Email attachments
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Stops the computer from booting
    * Deletes files off the computer
    * Steals information

Prevalence (1-5) 2

Description
W32/Noomy-A is a mass mailing worm which will attempt to send itself to 
email addresses harvested from dbx, htm, html and php files. When first 
executed W32/Noomy-A will display the fake error message: "CRC error: 
5418#223 Close file", and continue running in background.

Advanced
W32/Noomy-A will attempt to send emails using the Winsock interface. If 
the required mswinsck.ocx is not found, it will then attempt to download 
the file from a predefined location on interent.

The email sent will be from a fake email address and have any of the 
following subject lines:

Re: eCard Delivery Error:
Re: VoiceMail to
- Delivery Error You`ve got 1 new eCard!
bad request server not found!
One new VoiceMail! ID:
One new eCard! ID:
New eCard in your inbox!
You got one VoiceMail! See online!
Num: One new eCard from
Num: One new voicemail from
Mail Delivery (error )
Re: Message Error! mail:
Bad Request Server not found!
Re: Mail System Error - Returned Mail
Extended mail system error:
Re: Mail Delivery Error!
Protected Mail Server invalid!
Re: Mail Delivery: - Error
Re: mail error num:
- Returned mail: see transcript for details
Warning!!!
Why you SPAM?
Last notice!
Re: Regard ! Please read...
This is not OK !
Don't spam!!!!!
Question about YOUR SPAM!!
Information!You spam this email:
Last chance!STOP SPAM THIS EMAIL:

W32/Noomy-A copies itself to %windows%/Sysconf32.exe and to the folder 
%windows%/Systembck with various filenames.

In order to run automatically when Windows starts up W32/Noomy-A creates
the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows HTML file reader=%WINDOWS%\Sysconf32.exe.

W32/Noomy-A can also spread by sending spam messages via Email or the 
IRC service, to instruct users to download files from the backdoor HTML 
server. This server will be accessed from the %windows%/Systembck folder, 
in which all files are copies of W32/Noomy-A.

A specific URL of the backdoor HTML server will allow an intruder to log 
on and view various aspects of the host. There is also an option to 
remove *.sys files from the root folder which will prevent the system 
from booting. The intruder will also be able to install new malware on 
the system.

W32/Noomy-A may drop a batch file pingme.bat in the root folder. This 
file will attempt to carry out ICMP DOS against www.Microsoft.com, 
www.sophos.com and www.kaspersky.com website.

The worm will keep a copy of the email addresses in %Windows%\emls.tmp.

The following two files will also be created in the root folder:
ReAd_ThiS_ShiT.txt
StpLogs.vbs





Name   W32/Forbot-AJ

Type  
    * Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Prevalence (1-5) 2

Description
W32/Forbot-AJ is a network worm and backdoor Trojan for the Windows 
platform.

Advanced
W32/Forbot-AJ is a network worm and backdoor Trojan for the Windows 
platform.

When first run, W32/Forbot-AJ copies itself to the Windows system folder 
as videosd32.exe. In order to run on system startup, the worm creates 
the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 Configuration = videosd32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 Configuration = videosd32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32 Configuration = videosd32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 Configuration = videosd32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 Configuration = videosd32.exe

W32/Forbot-AJ registers itself as a service process and connects to an 
IRC channel where it awaits commands from a remote user.

The backdoor component can be used to perform the following functions:

execute arbitrary commands (remote shell)
download and execute files from the internet
harvest product registration keys from the system registry
socks4 proxy server
port scanner
start/stop system service processes
DDoS (Distributed Denial of Service) attacks

W32/Forbot-AJ spreads through the network via the LSASS exploit and 
through backdoors left open by the Optix family of backdoor Trojans.





Name   W32/Agobot-MX

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Agobot.bh

Prevalence (1-5) 2

Description
W32/Agobot-MX is a network worm with backdoor functionality. When run 
the worm will attempt to copy itself to the Windows system folder as 
services21.exe and register itself as a service process.

Advanced
W32/Agobot-MX is a network worm with backdoor functionality. When run 
the worm will attempt to copy itself to the Windows system folder as 
services21.exe and register itself as a service process.

The worm will create the following registry entries so as to auto-start 
on user logon or computer restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Startup = %SYSTEM%\services21.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Startup = %SYSTEM%\services21.exe

W32/Agobot-MX will also attempt to copy itself to the Windows system 
folder as winhlpp32.exe, tftpd.exe, dllhost.exe, winppr32.exe, 
mspatch.exe, penis32.exe and msblast.exe. The worm will also attempt to 
copy itself to network shares, utilizing an inbuilt dictionary to try to 
guess weak passwords.

The worm will also attempt to connect to an IRC server from where it may 
receive further commands, scan the local drives for game CD keys, scan 
the network for vulnerable computers, and terminate various anti-virus 
and security related processes.

When instructed W32/Agobot-MX can also start a DoS attack, exploit 
vulnerable computers and act as a proxy or FTP server.





Name   W32/Zusha-A

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Worm.Win32.Zusha.a
    * WORM_ZUSHA.B

Prevalence (1-5) 2

Description
W32/Zusha-A is a worm for the Windows platform.

W32/Zusha-A spreads by exploiting the LSASS (MS04-011) vulnerability, 
causing vulnerable computers to download a copy of the worm from an FTP 
site.

Advanced
W32/Zusha-A is a worm for the Windows platform.

W32/Zusha-A spreads by exploiting the LSASS (MS04-011) vulnerability, 
causing vulnerable computers to download a copy of the worm from an FTP 
site.

When run W32/Zusha-A copies itself to aux32.exe in the Windows system 
folder and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
auxAudioDevice = "<Windows system folder>\aux32.exe"

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List\
<Windows system folder>\aux32.exe =
"<Windows system folder>aux32.exe:*:Enabled:aux32.exe"

W32/Zusha-A also contacts a website. If the website returns the string 
"AnyoneElseWangSomeZu" the worm will remove its registry entries.





Name   W32/Rbot-KJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes

Aliases  
    * Backdoor.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-KJ is a network worm with IRC backdoor functionality.

W32/Rbot-KJ attempts to spread by exploiting the Universal PNP 
(MS01-059), WebDav (MS03-007), RPC DCOM (MS03-026, MS04-012), LSASS 
(MS04-011), DameWare (CAN-2003-1030) or IIS5 SSL (CAN-2003-0719) 
vulnerabilities.

W32/Rbot-KJ allows a remote attacker to control the infected computer 
via IRC channels.

Advanced
W32/Rbot-KJ is a network worm with IRC backdoor functionality.

In order to run automatically when Windows starts up the worm copies 
itself to the file Msloader32.exe in the Windows system folder.

Once installed, W32/Rbot-KJ connects to a preconfigured IRC server, 
joins a channel and awaits further instructions. These instructions can 
cause the bot to perform any of the following actions:

flood a specified host with UDP, TCP, SYN, ICMP or ping packets
start a webserver offering the contents of the local drive
start a socks4 proxy server
redirect TCP connections
start a TFTP, rlogind or command shell server
send emails
search for product keys
download and install an updated version of itself
show statistics about the infected system
show/flush the DNS cache
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable machines
start a keylogger
search for passwords in files, running processes and network traffic
read the contents of the clipboard
capture images from the screen or any attacked webcam
close down vulnerable services in order to secure the machine

The worm spreads to machines affected by known vulnerabilities, running 
network services protected by weak passwords or infected by common 
backdoor Trojans.

Vulnerabilities:

Universal PNP (MS01-059)
WebDav (MS03-007)
RPC DCOM (MS03-026, MS04-012)
LSASS (MS04-011)
DameWare (CAN-2003-1030)
IIS5 SSL (CAN-2003-0719)

Services:

NetBios
NTPass
MS SQL

Backdoors:

Troj/Kuang
Troj/Optix
Troj/NetDevil
W32/Bagle
Troj/Sub7
W32/MyDoom

W32/Rbot-KJ creates or modifies the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MS Config Service = "Msloader32.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MS Config Service = "Msloader32.exe"

HKCU\Software\Microsoft\OLE
MS Config Service = "Msloader32.exe"

W32/Rbot-KJ searches for product keys for the following software:

Counter-Strike (Retail)
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Legends of Might and Magic
Soldiers of Anarchy
Microsoft Windows
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road to Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Generals (Zero Hour)
James Bond 007: Nightfire
Command and Conquer: Generals
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need for Speed Hot Pursuit 2
Need for Speed: Underground
Shogun: Total War: Warlord Edition
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
NOX
Chrome
Hidden & Dangerous
Soldier of Fortune II - Double Helix
Neverwinter Nights
Neverwinter Nights (Shadows of Undrentide)
Neverwinter Nights (Hordes of the Underdark)





Name   W32/Forbot-AG

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Wootbot.gen

Prevalence (1-5) 2

Description
W32/Forbot-AG is a worm and backdoor for the Windows platform.

The worm spread by exploiting operating system vulnerabilities and 
backdoors opened by other worms. The vulnerabilities exploited by 
W32/Forbot-AG are addressed by MS04-011.

The backdoor component contacts a predefined IRC server and waits for 
commands from a remote attacker.

Advanced
W32/Forbot-AG is a worm and backdoor for the Windows platform.

The worm spread by exploiting operating system vulnerabilities and 
backdoors opened by other worms. The vulnerabilities exploited by 
W32/Forbot-AG are addressed by MS04-011.

The backdoor component contacts a predefined IRC server and waits for 
commands from a remote attacker.

When run W32/Forbot-AG copies itself to the Windows system folder as 
IEXPLORE.EXE and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft IE = "IEXPLORE.EXE"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft IE = "IEXPLORE.EXE"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft IE = "IEXPLORE.EXE"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft IE = "IEXPLORE.EXE"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft IE = "IEXPLORE.EXE"

The worm also installs itself as a service named "Microsoft IE".

The backdoor component allows a remote attacker to control the infected 
computer and includes functionality to launch distributed denial of 
service attacks or act as a proxy server.





Name   W32/Myfip-C

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Myfip.c
    * W32/Myfip.worm

Prevalence (1-5) 2

Description
W32/Myfip-C is a worm from the W32/Myfip family that spreads using 
network shares that are either unprotected or protected only by weak 
passwords.

Advanced
W32/Myfip-C is a worm from the W32/Myfip family that spreads using 
network shares that are either unprotected or protected only by weak 
passwords.

The worm copies itself to the file kernel32dll.exe in the Windows 
system folder on the local machine. Copies on network shares can be 
called worm.txt.exe or dfsvc.exe.

W32/Myfip-C may also create files named temp.exe (detected by Sophos as 
W32/Myfip-A) and temp.txt (harmless).

The worm attempts to register itself as a service process with the 
ServiceName and DisplayName "Distributed Link Tracking Extensions".

W32/Myfip-C creates the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Distributed File System = "kernel32dll.exe"

W32/Myfip-C builds a list of all filenames whose path does not contain 
any of the following strings:

Winnt
Windows
I386
Program Files
All Users
Recycler
System Volume Information
Inetpub
Documents and Settings
Wutemp
My Music

The worm then sends the contents of each file to a preconfigured IP 
address.

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)