Text 151, 2047 rader
Skriven 2006-10-14 13:58:00 av KURT WISMER (1:123/140)
Ärende: News, October 14 2006
=============================
[cut-n-paste from sophos.com]
Name Troj/Arbin-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Downloader-AYT
Prevalence (1-5) 3
Description
Troj/Arbin-A is a downloader Trojan for the Windows platform.
Advanced
Troj/Arbin-A is a downloader Trojan for the Windows platform.
Troj/Arbin-A attempts to download and execute a file from a remote
website to the following locations in the same folder as itself:
1file.tmp
2file.tmp
3file.tmp
4file.tmp
5file.tmp
This file is currently detected as Troj/PWS-ACN.
Troj/Arbin-A may drop the file <System>\sf2e32.bat in order to delete
itself.
Name Troj/Nebuler-J
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Aliases
* Trojan.Win32.Agent.vg
* W32/Nebuler.B
Prevalence (1-5) 2
Description
Troj/Nebuler-J is a Trojan for the Windows platform.
Troj/Nebuler-J may gather details relating to dialup services and
send collected information to a remote site via HTTP. The Trojan may
inject code into other processes in an attempt to remain hidden.
Name W32/Agobot-AHP
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Agobot-AHP is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Agobot-AHP runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
Advanced
W32/Agobot-AHP is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Agobot-AHP runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
When first run W32/Agobot-AHP copies itself to <System>\erv.exe.
The following registry entries are created to run erv.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RPC Service
erv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
RPC Service
erv.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
RPC Service
erv.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKCR\.key\
Name W32/Mytob-JG
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* WORM_MYTOB.OD
* W32.Mytob.FI
* Net-Worm.Win32.Mytob.bi
Prevalence (1-5) 2
Description
W32/Mytob-JG is a mass-mailing worm and backdoor Trojan that can be
controlled
through the Internet Relay Chat (IRC) network.
W32/Mytob-JG runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
Emails sent by W32/Mytob-JG sends emails in the following format,
with details
filled in to make the email look more authentic:
Subject line chosen from:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>
Message text chosen from (the worm will insert the username and the
email
domain of the addressee into the email):
'Dear user <UserName>,
You have successfully updated the password of your <domain> account.
If you did not authorize this change or if you need assistance with
your
account, please contact <domain> customer service at: <sender@domain>
Thank you for using <domain>!
The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'
'Dear user <UserName>,
It has come to our attention that your <domain> User Profile ( x )
records are
out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'
'Dear <domain> Member,
We have temporarily suspended your email account <UserEmailAddress>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due
to an internal error within our processors.
See the details to reactivate your <domain> account.
Sincerely,The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'
'Dear <domain> Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages
during the recent week. If you could please take 5-10 minutes out of
your
online experience and confirm the attached document so you will not
run into
any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to
cancel your
membership.
Virtually yours,
The <domain> Support Team
+++ Attachment: No Virus found
+++ <domain> Antivirus - www.<domain>'
The attached file consists of a base name followed by the extension
ZIP. The
worm may optionally create double extensions where the first
extension is DOC,
TXT or HTM and the final extension is BAT, CMD, PIF, SCR, EXE or ZIP.
The base
filenames are randomly chosen from:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<random characters>
The zip file will contain the worm with double extension. The first
extension
will be one of DOC, HTM, TXT followed by spaces and the second
extension is
EXE, SCR or PIF.
W32/Mytob-JG harvests email addresses from files on the infected
computer and
from the Windows address book.
Advanced
W32/Mytob-JG is a mass-mailing worm and backdoor Trojan that can be
controlled
through the Internet Relay Chat (IRC) network.
W32/Mytob-JG runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
When first run W32/Mytob-JG copies itself to <System>\winds.exe
The following registry entries are created to run smsks.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MICROSOFT WINDOWS SYSTEM 2
winds.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MICROSOFT WINDOWS SYSTEM 2
winds.exe
W32/Mytob-JG sets the following registry entries, disabling the
automatic
startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates the
Microsoft Internet Connection Firewall (ICF).
Emails sent by W32/Mytob-JG sends emails in the following format,
with details
filled in to make the email look more authentic:
Subject line chosen from:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>
Message text chosen from (the worm will insert the username and the
email
domain of the addressee into the email):
'Dear user <UserName>,
You have successfully updated the password of your <domain> account.
If you did not authorize this change or if you need assistance with
your
account, please contact <domain> customer service at: <sender@domain>
Thank you for using <domain>!
The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'
'Dear user <UserName>,
It has come to our attention that your <domain> User Profile ( x )
records are
out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'
'Dear <domain> Member,
We have temporarily suspended your email account <UserEmailAddress>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due
to an internal error within our processors.
See the details to reactivate your <domain> account.
Sincerely,The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'
'Dear <domain> Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages
during the recent week. If you could please take 5-10 minutes out of
your
online experience and confirm the attached document so you will not
run into
any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to
cancel your
membership.
Virtually yours,
The <domain> Support Team
+++ Attachment: No Virus found
+++ <domain> Antivirus - www.<domain>'
The attached file consists of a base name followed by the extension
ZIP. The
worm may optionally create double extensions where the first
extension is DOC,
TXT or HTM and the final extension is BAT, CMD, PIF, SCR, EXE or ZIP.
The base
filenames are randomly chosen from:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<random characters>
The zip file will contain the worm with double extension. The first
extension
will be one of DOC, HTM, TXT followed by spaces and the second
extension is
EXE, SCR or PIF.
W32/Mytob-JG harvests email addresses from files on the infected
computer and
from the Windows address book.
W32/Mytob-JG modifies the file <System>\drivers\etc\host by appending
the
following information:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
Name Troj/Zlob-UT
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Dropped by malware
Aliases
* Win32/TrojanDownloader.Zlob
Prevalence (1-5) 2
Description
Troj/Zlob-UT is a Trojan for the Windows platform.
Advanced
Troj/Zlob-UT is a Trojan for the Windows platform.
The Troj/Zlob-UT DLL is registered as a COM object, creating registry
entries under:
HKCR\CLSID\(d869742a-e5d2-4624-96c7-aae26170665e)
Name Troj/DwnLdr-FUM
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* TROJ_DLOADER.ETK
* Trojan-Downloader.Win32.Tibs.if
Prevalence (1-5) 2
Description
Troj/DwnLdr-FUM is a Trojan for the Windows platform.
Advanced
Troj/DwnLdr-FUM is a Trojan for the Windows platform.
When run Troj/DwnLdr-FUM copies itself to <System>\kernels8.exe and
creates the file <System>\dlh9jkdq8.exe. The file
<System>\dlh9jkdq8.exe can be safely deleted.
The following registry entry is set to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System
<System>\kernels8.exe
Name Troj/Tiny-BP
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Tiny-BP is a downloader Trojan for the Windows platform.
Advanced
Troj/Tiny-BP is a downloader Trojan for the Windows platform.
When run the Trojan attempts to download a component from the web
into <Temp>\services.exe and execute it.
The following registry entry is also created:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinMedia
<PathToTrojan executable>
Name W32/Sdbot-CSD
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Scans network for vulnerabilities
* Scans network for weak passwords
Aliases
* W32/Sdbot.worm.gen.g
Prevalence (1-5) 2
Description
W32/Sdbot-CSD is a worm for the Windows platform.
Advanced
W32/Sdbot-CSD is a worm for the Windows platform.
When first run W32/Sdbot-CSD copies itself to <System>\btserv.exe and
creates the file <Temp>\sysremove.bat.
The file btserv.exe is registered as a new system driver service
named "Btnfserv", with a display name of "Bluetooth Notification
Service" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\Btnfserv\
Exploit code for the following vulnerabilities is in the file:
SRVSVC (MS06-040)
RPC-DCOM (MS04-012)
WKS (MS03-049) (CAN-2003-0812)
ASN.1 (MS04-007)
Name W32/Sality-AC
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Downloads code from the internet
Aliases
* W32/Sality.x
Prevalence (1-5) 2
Description
W32/Sality-AC is a parasitic virus for the Windows platform that also
acts as a keylogger.
Advanced
W32/Sality-AC is a parasitic virus for the Windows platform that also
acts as a keylogger.
W32/Sality-AC drops <System>\vcdgcw32.dll <System>\vcdgcw32.dl_, also
detected as W32/Sality-AC, which it uses to log keystrokes to certain
windows, as well as information about the infected computer. This
logged data is periodically sent by email to a remote website.
Name W32/Levona-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan.Win32.Agent.qj
* W32/Avon@MM
* Win32/Levona.NAA
* WORM_RENOV.A
Prevalence (1-5) 2
Description
W32/Levona-A is a worm for the Windows platform.
W32/Levona-A spreads to network shares and removable drives.
W32/Levona-A includes the functionality to disable or minimize many
applications.
Advanced
W32/Levona-A is a worm for the Windows platform.
W32/Levona-A spreads to network shares and removable drives.
When first run W32/Levona-A copies itself to:
<Common Files>\Renova.exe
<System>\Alisa.exe
<System>\Emma.exe
<System>\Nova.exe
The worm will search for logical drives on the computer. If any are
found, W32/Levona-A will copy itself as New Folder.exe. The worm also
searches the logical drives for DOC files and will copy itself as
<document name>.doc.
W32/Levona-A includes the functionality to disable or minimize many
applications by searching for certain words or phrases in the Windows
Title Bar, including the following security related ones:
ADVANCED REGISTRY TRACER
CASTLECOPS
CILLIN
CLEANER
COMPACTBYTEAV
EARTHLINK PROTECTION
F-SECURE
GRISOFT
HACKER
HIJACK
KASPERSKY
KILLBOX
MACHINE
MCAFEE
NORMAN
NORTON
PROCESS EXPLORER - SYSINTERNALS
PROCEXP
REGISTRYFIX
REMOVER
SECUNIA
SOPHOS
SYMANTEC
VAKSIN
WASHER
The following registry entries are created to run Renova.exe and
Nova.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shell
<Common Files>\Renova.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Renova
Nova.exe
The following registry entries are changed to run Renova.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe "<Common Files>\Renova.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
explorer.exe "<Common Files>\Renova.exe"
(the default value for this registry entry is
"<Windows>\System32\userinit.exe,").
The following registry entries are set, disabling system restore:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy
Objects\LocalUser\Software\
Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSaveSettings
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFind
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoRun
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisabletaskMgr
0
HKCU\Software\Policies\Microsoft\Windows\System
DisableCMD
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell
<Common Files>\Renova.exe
Name W32/Brontok-BU
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Reduces system security
* Installs itself in the Registry
Aliases
* Worm.Win32.VB.dt
* W32/Rontokbro.gen@MM
* Win32/VB.DA
Prevalence (1-5) 2
Description
W32/Brontok-BU is a worm for the Windows platform.
Advanced
W32/Brontok-BU is a worm for the Windows platform.
When first run W32/Brontok-BU copies itself to:
<Startup>\Empty.pif
<User>\Local Settings\Application Data\windows\csrss.exe
<User>\Local Settings\Application Data\windows\lsass.exe
<User>\Local Settings\Application Data\windows\services.exe
<User>\Local Settings\Application Data\windows\smss.exe
<User>\Local Settings\Application Data\windows\winlogon.exe
\RosTika.exe
<Windows>\RosTika.exe
<System>\shell.exe
and creates the file <Windows>\biakKITE.txt.
The following registry entries are created to run W32/Brontok-BU on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RosTika
<Windows>\RosTika.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Servicerepclient1
<User>\Local Settings\Application Data\WINDOWS\SERVICES.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logonrepclient1
<User>\Local Settings\Application Data\WINDOWS\CSRSS.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Monitoring
<User>\Local Settings\Application Data\WINDOWS\LSASS.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
<User>\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
The following registry entries are set or modified, so that shell.exe
is run when files with extensions of BAT, COM and PIF are
opened/launched:
HKCR\lnkfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\batfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\comfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\piffile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
The following registry entries are set, disabling the Windows task
manager (taskmgr) and the command prompt:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Name W32/Mobler-C
Type
* Worm
How it spreads
* Network shares
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Virus.Win32.VB.bj
Prevalence (1-5) 2
Description
W32/Mobler-C is a worm for the Windows platform.
W32/Mobler-C spreads by coping itself to the available network shares
including floppies, fixed drives, USB devices.
Advanced
W32/Mobler-C is a worm for the Windows platform.
W32/Mobler-C spreads by coping itself to the available network shares
including floppies, fixed drives, USB devices.
When first run W32/Mobler-C copies itself to:
<User>\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
<User>\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
<User>\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
<User>\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
<Common Files>\Microsoft Shared\Grphflt\MS.JPG.exe
<Common Files>\Microsoft Shared\Stationery\Clear Day Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Fiesta Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Glacier Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Leaves Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Maize Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Nature Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Pie Charts Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Sunflower Bkgrd.jpg.exe
<Program Files>\Microsoft Office\Templates\Access\100.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\GRAY.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\GRAYST.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\MC.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\MCST.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\MSACCESS.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\SKY.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\STONES.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\TILES.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\ZIGZAG.JPG.exe
\nia_ramadani.exe
<Windows>\Web\Wallpaper\Ascent.jpg.exe
<Windows>\Web\Wallpaper\Autumn.jpg.exe
<Windows>\Web\Wallpaper\Azul.jpg.exe
<Windows>\Web\Wallpaper\Crystal.jpg.exe
<Windows>\Web\Wallpaper\Follow.jpg.exe
<Windows>\Web\Wallpaper\Friend.jpg.exe
<Windows>\Web\Wallpaper\Home.jpg.exe
<Windows>\Web\Wallpaper\Moon flower.jpg.exe
<Windows>\Web\Wallpaper\Peace.jpg.exe
<Windows>\Web\Wallpaper\Power.jpg.exe
<Windows>\Web\Wallpaper\Purple flower.jpg.exe
<Windows>\Web\Wallpaper\Radiance.jpg.exe
<Windows>\Web\Wallpaper\Red moon desert.jpg.exe
<Windows>\Web\Wallpaper\Ripple.jpg.exe
<Windows>\Web\Wallpaper\Stonehenge.jpg.exe
<Windows>\Web\Wallpaper\Tulips.jpg.exe
<Windows>\Web\Wallpaper\Vortec space.jpg.exe
<Windows>\Web\Wallpaper\Wind.jpg.exe
<Windows>\Web\Wallpaper\Windows XP.jpg.exe
<Windows>\host.exe
<Windows>\pchealth\helpctr\System\DVDUpgrd\stripe.jpg.exe
<Windows>\pchealth\helpctr\System\sysinfo\graphics\greendot.jpg.exe
<System>\oobe\html\mouse\images\bulzano.jpg.exe
<System>\oobe\html\mouse\images\bulzanom.jpg.exe
<System>\oobe\html\mouse\images\heidelb.jpg.exe
<System>\oobe\html\mouse\images\heidelbm.jpg.exe
<System>\oobe\html\mouse\images\paris.jpg.exe
<System>\oobe\html\mouse\images\parism.jpg.exe
<System>\oobe\html\mouse\images\pisa.jpg.exe
<System>\oobe\html\mouse\images\pisam.jpg.exe
<System>\oobe\html\mouse\images\prague.jpg.exe
<System>\oobe\html\mouse\images\praguem.jpg.exe
<System>\oobe\html\mouse\images\tyrol.jpg.exe
<System>\oobe\html\mouse\images\tyrolm.jpg.exe
<System>\oobe\html\mouse\images\venice.jpg.exe
<System>\oobe\html\mouse\images\venicem.jpg.exe
<System>\oobe\html\mouse\images\verona.jpg.exe
<System>\oobe\html\mouse\images\veronam.jpg.exe
<System>\oobe\images\backdown.jpg.exe
<System>\oobe\images\backoff.jpg.exe
<System>\oobe\images\backover.jpg.exe
<System>\oobe\images\backup.jpg.exe
<System>\oobe\images\mslogo.jpg.exe
<System>\oobe\images\newbtm1.jpg.exe
<System>\oobe\images\newbtm8.jpg.exe
<System>\oobe\images\newmark1.jpg.exe
<System>\oobe\images\newmark8.jpg.exe
<System>\oobe\images\newtop1.jpg.exe
<System>\oobe\images\newtop8.jpg.exe
<System>\oobe\images\nextdown.jpg.exe
<System>\oobe\images\nextoff.jpg.exe
<System>\oobe\images\nextover.jpg.exe
<System>\oobe\images\nextup.jpg.exe
<System>\oobe\images\oemcoa.jpg.exe
<System>\oobe\images\skipdown.jpg.exe
<System>\oobe\images\skipoff.jpg.exe
<System>\oobe\images\skipover.jpg.exe
<System>\oobe\images\skipup.jpg.exe
<System>\oobe\images\wpaback.jpg.exe
<System>\oobe\images\wpabtm.jpg.exe
<System>\oobe\images\wpaflag.jpg.exe
<System>\oobe\images\wpakey.jpg.exe
<System>\oobe\images\wpatop.jpg.exe
The following registry entry is created to run host.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Run
<Windows>\host.exe
The following registry entry is set, disabling the registry editor
(regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL
DefaultValue
1
Name W32/Mytob-JF
Type
* Spyware Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Mytob-JF is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
Emails sent by W32/Mytob-JF sends emails in the following format,
with details filled in to make the email look more authentic:
Subject line chosen from:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>
Message text chosen from (the worm will insert the username and the
email domain of the addressee into the email):
'Dear user <UserName>,
You have successfully updated the password of your <domain> account.
If you did not authorize this change or if you need assistance with
your account, please contact <domain> customer service at:
<sender@domain>
Thank you for using <domain>!
The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'
'Dear user <UserName>,
It has come to our attention that your <domain> User Profile ( x )
records are out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'
'Dear <domain> Member,
We have temporarily suspended your email account <UserEmailAddress>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your <domain> account.
Sincerely,The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'
'Dear <domain> Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could please take 5-10
minutes out of your online experience and confirm the attached
document so you will not run into any future problems with the online
service.
If you choose to ignore our request, you leave us no choice but to
cancel your membership.
Virtually yours,
The <domain> Support Team
+++ Attachment: No Virus found
+++ <domain> Antivirus - www.<domain>'
The attached file consists of a base name followed by the extension
ZIP. The worm may optionally create double extensions where the first
extension is DOC, TXT or HTM and the final extension is BAT, CMD,
PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<random characters>
The zip file will contain the worm with double extension. The first
extension will be one of DOC, HTM, TXT followed by spaces and the
second extension is EXE, SCR or PIF.
W32/Mytob-JF harvests email addresses from files on the infected
computer and from the Windows address book.
Advanced
W32/Mytob-JF is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-JF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Mytob-JF copies itself to <System>\service5.exe
The following registry entries are created to run smsks.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
service5.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
service5.exe
W32/Mytob-JF sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Emails sent by W32/Mytob-JF sends emails in the following format,
with details filled in to make the email look more authentic:
Subject line chosen from:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>
Message text chosen from (the worm will insert the username and the
email domain of the addressee into the email):
'Dear user <UserName>,
You have successfully updated the password of your <domain> account.
If you did not authorize this change or if you need assistance with
your account, please contact <domain> customer service at:
<sender@domain>
Thank you for using <domain>!
The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'
'Dear user <UserName>,
It has come to our attention that your <domain> User Profile ( x )
records are out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'
'Dear <domain> Member,
We have temporarily suspended your email account <UserEmailAddress>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your <domain> account.
Sincerely,The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'
'Dear <domain> Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could please take 5-10
minutes out of your online experience and confirm the attached
document so you will not run into any future problems with the online
service.
If you choose to ignore our request, you leave us no choice but to
cancel your membership.
Virtually yours,
The <domain> Support Team
+++ Attachment: No Virus found
+++ <domain> Antivirus - www.<domain>'
The attached file consists of a base name followed by the extension
ZIP. The worm may optionally create double extensions where the first
extension is DOC, TXT or HTM and the final extension is BAT, CMD,
PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<random characters>
The zip file will contain the worm with double extension. The first
extension will be one of DOC, HTM, TXT followed by spaces and the
second extension is EXE, SCR or PIF.
W32/Mytob-JF harvests email addresses from files on the infected
computer and from the Windows address book.
W32/Mytob-JF modifies the file <System>\drivers\etc\host by appending
the following information:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
Name Troj/Iefeat-BF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Small.bhu
Prevalence (1-5) 2
Description
Troj/Iefeat-BF is a downloader Trojan for the Windows platform.
Troj/Iefeat-BF attempts to download and execute files from remote
websites.
Advanced
Troj/Iefeat-BF is a downloader Trojan for the Windows platform.
Troj/Iefeat-BF attempts to download and execute files from remote
websites to the Temp, root or Windows folder.
Troj/Iefeat-BF sets the following registry entry to run itself on
startup, though may delete it again later:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NAVNet
<pathname of the Trojan executable> /m
Name W32/Bagle-PS
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Email-Worm.Win32.Bagle.gn
* Win32/Bagle.HA
Prevalence (1-5) 2
Description
W32/Bagle-PS is a mass-mailing worm for the Windows platform.
Messages sent by the worm have the following characteristics:
The subject line is one of the following:
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help
The message text is one of the following:
The password is <image file>
Password -- <image file>
Use password <image file> to open archive.
Password is <image file>
Zip password: <image file>
Zip archive password: <image file>
Password - <image file>
Password: <image file>
<image file>
The attachment may contain a damaged copy of the worm.
Advanced
W32/Bagle-PS is a mass-mailing worm for the Windows platform.
Messages sent by the worm have the following characteristics:
The subject line is one of the following:
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help
The message text is one of the following:
The password is <image file>
Password -- <image file>
Use password <image file> to open archive.
Password is <image file>
Zip password: <image file>
Zip archive password: <image file>
Password - <image file>
Password: <image file>
<image file>
There are two attachments: a password-protected ZIP file and an image
(GIF) file. The ZIP file contains a damaged copy of the worm
executable and a garbage text file with a DLL extension. The image
file shows the password for the ZIP file.
The first time it is run, W32/Bagle-PS drops the clean file
C:\error.gif and opens it. This is an image of the word "Error".
When first run W32/Bagle-PS copies itself to:
C:\Documents and Settings\user\Application Data\hidn\hidn2.exe
C:\Documents and Settings\user\Application Data\hidn\hldrrr.exe
W32/Bagle-PS may create the file C:\Documents and
Settings\user\Application Data\hidn\m_hook.sys. This file is also
detected as W32/Bagle-PS.
The file m_hook.sys is registered as a new system driver service
named "m_hook", with a display name of "Empty". Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\
W32/Bagle-PS sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
W32/Bagle-PS drops the file C:\temp.zip, which is included in
messages sent by the worm.
W32/Bagle-PS attempts to download a file from a number of remote
websites to <System>\re_file.exe and then execute it.
W32/Bagle-PS attempts to terminate and disable a number of services
related to security and anti-virus applications.
W32/Bagle-PS attempts to delete the following registry entry in order
to disrupt booting into Safe Mode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
W32/Bagle-PS creates the following registry entry the first time it
is run:
HKCU\Software\FirstRuxzx
FirstRun
1
Name Troj/Haxdoor-DG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Haxdoor-DG is a Trojan for the Windows platform.
Advanced
Troj/Haxdoor-DG is a Trojan for the Windows platform.
When Troj/Haxdoor-DG is installed the following files are created:
<System>\kgctini.dat
<System>\lps.dat
<System>\qo.dll
<System>\qo.sys
<System>\ycsvgd.sys
<System>\ydsvgd.dll
<System>\ydsvgd.sys
The files qo.dll, qo.sys, ycsvgd.sys, ydsvgd.dll and ydsvgd.sys are
detected as Troj/Haxdor-Fam.
The dat files are data files and can safely be deleted.
The following registry entries are created to run code exported by
ydsvgd.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\ydsvgd
DllName
ydsvgd.dll
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\ydsvgd
Startup
XWD33Sifix
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\ydsvgd
Impersonate
1
The file ycsvgd.sys is registered as a new system driver service
named "ycsvgd", with a display name of "PTA Adapter". Registry
entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\ycsvgd\
Name Troj/Agent-DJV
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Trojan.Win32.Agent.rx
* TROJ_AGENT.ECN
Prevalence (1-5) 2
Description
Troj/Agent-DJV is a Trojan for the Windows platform.
Advanced
Troj/Agent-DJV is a Trojan for the Windows platform.
Registry entries may be created under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
gwiz
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders
Name W32/Bustoy-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Bustoy-A is a worm for the Windows platform.
Advanced
W32/Bustoy-A is a worm for the Windows platform.
When first run W32/Bustoy-A copies itself to:
<Startup>\systemnt.exe - This will cause the worm to autorun on
Windows startup.
<System>\mslogon.exe
W32/Bustoy-A will also attempt to copy itself to removable drives as
toy.exe. The worm also creates the file autorun.inf on the drive in
an attempt to run itself automatically when the drive is connected.
W32/Bustoy-A may display the following message on the computer's
screen:
<chinese characters> ( Compare And Cooperation ):
<chinese characters>BBS
In Memory Of C8C
?--2005
<chinese characters>
In the beginning God created the heaven and the earth.
And the earth was without form, and void.
And darkness was upon the face of the deep.
God said: Let there be light. And there was light.
Also There was another world.
Into the world of music, spirit and meditation.
And relax yourself , Let the rhythm be your guiding light!
BTW: Hei! You need to take care of your own file in Removable Disk.
Name W32/Tilebot-HI
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Enables remote access
* Scans network for vulnerabilities
* Scans network for weak passwords
Aliases
* Backdoor.Win32.SdBot.xd
* W32/Sdbot.worm.gen.h
Prevalence (1-5) 2
Description
W32/Tilebot-HI is a worm with backdoor functionality for the Windows
platform.
W32/Tilebot-HI spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: SRVSVC (MS06-040),
WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007).
The worm may also spreads via network shares protected by weak
passwords.
W32/Tilebot-HI runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-HI includes functionality to:
- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks
Advanced
W32/Tilebot-HI is a worm with backdoor functionality for the Windows
platform.
W32/Tilebot-HI spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: SRVSVC (MS06-040),
WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007).
The worm may also spreads via network shares protected by weak
passwords.
W32/Tilebot-HI runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-HI includes functionality to:
- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks
When first run W32/Tilebot-HI copies itself to <Windows>\win32host.exe.
The file win32host.exe is registered as a new system driver service
named "Win32Kernel", with a display name of "Win32 Kernel Update" and
a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Win32Kernel\
W32/Tilebot-HI sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
Additional registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Rungbu-B
Type
* Virus
How it spreads
* Email attachments
* Infected files
* Chat programs
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Installs itself in the Registry
|