Tillbaka till svenska Fidonet
English   Information   Debug  
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4288
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   32953
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2061
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33903
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24128
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4408
FN_SYSOP   41679
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13599
FUNNY   4223/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16070
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22093
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   564/783
MUSIC   0/321
N203_STAT   926
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   119/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1121
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3221
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13273
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/340
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
Möte VIRUS_INFO, 201 texter
 lista första sista föregående nästa
Text 151, 2047 rader
Skriven 2006-10-14 13:58:00 av KURT WISMER (1:123/140)
Ärende: News, October 14 2006
=============================
[cut-n-paste from sophos.com]

Name   Troj/Arbin-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Downloader-AYT

Prevalence (1-5) 3

Description
Troj/Arbin-A is a downloader Trojan for the Windows platform.

Advanced
Troj/Arbin-A is a downloader Trojan for the Windows platform.

Troj/Arbin-A attempts to download and execute a file from a remote 
website to the following locations in the same folder as itself:

1file.tmp
2file.tmp
3file.tmp
4file.tmp
5file.tmp

This file is currently detected as Troj/PWS-ACN.

Troj/Arbin-A may drop the file <System>\sf2e32.bat in order to delete 
itself.





Name   Troj/Nebuler-J

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information

Aliases  
    * Trojan.Win32.Agent.vg
    * W32/Nebuler.B

Prevalence (1-5) 2

Description
Troj/Nebuler-J is a Trojan for the Windows platform.

Troj/Nebuler-J may gather details relating to dialup services and 
send collected information to a remote site via HTTP. The Trojan may 
inject code into other processes in an attempt to remain hidden.





Name   W32/Agobot-AHP

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet

Prevalence (1-5) 2

Description
W32/Agobot-AHP is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Agobot-AHP runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

Advanced
W32/Agobot-AHP is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Agobot-AHP runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

When first run W32/Agobot-AHP copies itself to <System>\erv.exe.

The following registry entries are created to run erv.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RPC Service
erv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
RPC Service
erv.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
RPC Service
erv.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKCR\.key\





Name   W32/Mytob-JG

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * WORM_MYTOB.OD
    * W32.Mytob.FI
    * Net-Worm.Win32.Mytob.bi

Prevalence (1-5) 2

Description
W32/Mytob-JG is a mass-mailing worm and backdoor Trojan that can be 
controlled
through the Internet Relay Chat (IRC) network.

W32/Mytob-JG runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

Emails sent by W32/Mytob-JG sends emails in the following format, 
with details
filled in to make the email look more authentic:

Subject line chosen from:

Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>

Message text chosen from (the worm will insert the username and the 
email
domain of the addressee into the email):

'Dear user <UserName>,

You have successfully updated the password of your <domain> account.

If you did not authorize this change or if you need assistance with 
your
account, please contact <domain> customer service at: <sender@domain>
Thank you for using <domain>!
The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'

'Dear user <UserName>,

It has come to our attention that your <domain> User Profile ( x ) 
records are
out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'

'Dear <domain> Member,

We have temporarily suspended your email account <UserEmailAddress>.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due
to an internal error within our processors.
See the details to reactivate your <domain> account.

Sincerely,The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'

'Dear <domain> Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages
during the recent week. If you could please take 5-10 minutes out of 
your
online experience and confirm the attached document so you will not 
run into
any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to 
cancel your
membership.

Virtually yours,
The <domain> Support Team

+++ Attachment: No Virus found
+++ <domain> Antivirus - www.<domain>'

The attached file consists of a base name followed by the extension 
ZIP. The
worm may optionally create double extensions where the first 
extension is DOC,
TXT or HTM and the final extension is BAT, CMD, PIF, SCR, EXE or ZIP. 
The base
filenames are randomly chosen from:

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<random characters>

The zip file will contain the worm with double extension. The first 
extension
will be one of DOC, HTM, TXT followed by spaces and the second 
extension is
EXE, SCR or PIF.

W32/Mytob-JG harvests email addresses from files on the infected 
computer and
from the Windows address book.

Advanced
W32/Mytob-JG is a mass-mailing worm and backdoor Trojan that can be 
controlled
through the Internet Relay Chat (IRC) network.

W32/Mytob-JG runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

When first run W32/Mytob-JG copies itself to <System>\winds.exe

The following registry entries are created to run smsks.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MICROSOFT WINDOWS SYSTEM 2
winds.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MICROSOFT WINDOWS SYSTEM 2
winds.exe

W32/Mytob-JG sets the following registry entries, disabling the 
automatic
startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the
Microsoft Internet Connection Firewall (ICF).

Emails sent by W32/Mytob-JG sends emails in the following format, 
with details
filled in to make the email look more authentic:

Subject line chosen from:

Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>

Message text chosen from (the worm will insert the username and the 
email
domain of the addressee into the email):

'Dear user <UserName>,

You have successfully updated the password of your <domain> account.

If you did not authorize this change or if you need assistance with 
your
account, please contact <domain> customer service at: <sender@domain>
Thank you for using <domain>!
The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'

'Dear user <UserName>,

It has come to our attention that your <domain> User Profile ( x ) 
records are
out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'

'Dear <domain> Member,

We have temporarily suspended your email account <UserEmailAddress>.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due
to an internal error within our processors.
See the details to reactivate your <domain> account.

Sincerely,The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'

'Dear <domain> Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages
during the recent week. If you could please take 5-10 minutes out of 
your
online experience and confirm the attached document so you will not 
run into
any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to 
cancel your
membership.

Virtually yours,
The <domain> Support Team

+++ Attachment: No Virus found
+++ <domain> Antivirus - www.<domain>'

The attached file consists of a base name followed by the extension 
ZIP. The
worm may optionally create double extensions where the first 
extension is DOC,
TXT or HTM and the final extension is BAT, CMD, PIF, SCR, EXE or ZIP. 
The base
filenames are randomly chosen from:

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<random characters>

The zip file will contain the worm with double extension. The first 
extension
will be one of DOC, HTM, TXT followed by spaces and the second 
extension is
EXE, SCR or PIF.

W32/Mytob-JG harvests email addresses from files on the infected 
computer and
from the Windows address book.

W32/Mytob-JG modifies the file <System>\drivers\etc\host by appending 
the
following information:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com





Name   Troj/Zlob-UT

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Dropped by malware

Aliases  
    * Win32/TrojanDownloader.Zlob

Prevalence (1-5) 2

Description
Troj/Zlob-UT is a Trojan for the Windows platform.

Advanced
Troj/Zlob-UT is a Trojan for the Windows platform.

The Troj/Zlob-UT DLL is registered as a COM object, creating registry 
entries under:

HKCR\CLSID\(d869742a-e5d2-4624-96c7-aae26170665e)





Name   Troj/DwnLdr-FUM

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * TROJ_DLOADER.ETK
    * Trojan-Downloader.Win32.Tibs.if

Prevalence (1-5) 2

Description
Troj/DwnLdr-FUM is a Trojan for the Windows platform.

Advanced
Troj/DwnLdr-FUM is a Trojan for the Windows platform.

When run Troj/DwnLdr-FUM copies itself to <System>\kernels8.exe and 
creates the file <System>\dlh9jkdq8.exe. The file 
<System>\dlh9jkdq8.exe can be safely deleted.

The following registry entry is set to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System
<System>\kernels8.exe





Name   Troj/Tiny-BP

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Tiny-BP is a downloader Trojan for the Windows platform.

Advanced
Troj/Tiny-BP is a downloader Trojan for the Windows platform.

When run the Trojan attempts to download a component from the web 
into <Temp>\services.exe and execute it.

The following registry entry is also created:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinMedia
<PathToTrojan executable>





Name   W32/Sdbot-CSD

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Scans network for vulnerabilities
    * Scans network for weak passwords

Aliases  
    * W32/Sdbot.worm.gen.g

Prevalence (1-5) 2

Description
W32/Sdbot-CSD is a worm for the Windows platform.

Advanced
W32/Sdbot-CSD is a worm for the Windows platform.

When first run W32/Sdbot-CSD copies itself to <System>\btserv.exe and 
creates the file <Temp>\sysremove.bat.

The file btserv.exe is registered as a new system driver service 
named "Btnfserv", with a display name of "Bluetooth Notification 
Service" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\Btnfserv\

Exploit code for the following vulnerabilities is in the file:

SRVSVC (MS06-040)
RPC-DCOM (MS04-012)
WKS (MS03-049) (CAN-2003-0812)
ASN.1 (MS04-007)





Name   W32/Sality-AC

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Downloads code from the internet

Aliases  
    * W32/Sality.x

Prevalence (1-5) 2

Description
W32/Sality-AC is a parasitic virus for the Windows platform that also 
acts as a keylogger.

Advanced
W32/Sality-AC is a parasitic virus for the Windows platform that also 
acts as a keylogger.

W32/Sality-AC drops <System>\vcdgcw32.dll <System>\vcdgcw32.dl_, also 
detected as W32/Sality-AC, which it uses to log keystrokes to certain 
windows, as well as information about the infected computer. This 
logged data is periodically sent by email to a remote website.





Name   W32/Levona-A

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.Agent.qj
    * W32/Avon@MM
    * Win32/Levona.NAA
    * WORM_RENOV.A

Prevalence (1-5) 2

Description
W32/Levona-A is a worm for the Windows platform.

W32/Levona-A spreads to network shares and removable drives.

W32/Levona-A includes the functionality to disable or minimize many 
applications.

Advanced
W32/Levona-A is a worm for the Windows platform.

W32/Levona-A spreads to network shares and removable drives.

When first run W32/Levona-A copies itself to:

<Common Files>\Renova.exe
<System>\Alisa.exe
<System>\Emma.exe
<System>\Nova.exe

The worm will search for logical drives on the computer. If any are 
found, W32/Levona-A will copy itself as New Folder.exe. The worm also 
searches the logical drives for DOC files and will copy itself as 
<document name>.doc.

W32/Levona-A includes the functionality to disable or minimize many 
applications by searching for certain words or phrases in the Windows 
Title Bar, including the following security related ones:

ADVANCED REGISTRY TRACER
CASTLECOPS
CILLIN
CLEANER
COMPACTBYTEAV
EARTHLINK PROTECTION
F-SECURE
GRISOFT
HACKER
HIJACK
KASPERSKY
KILLBOX
MACHINE
MCAFEE
NORMAN
NORTON
PROCESS EXPLORER - SYSINTERNALS
PROCEXP
REGISTRYFIX
REMOVER
SECUNIA
SOPHOS
SYMANTEC
VAKSIN
WASHER

The following registry entries are created to run Renova.exe and 
Nova.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shell
<Common Files>\Renova.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Renova
Nova.exe

The following registry entries are changed to run Renova.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe "<Common Files>\Renova.exe"

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
explorer.exe "<Common Files>\Renova.exe"

(the default value for this registry entry is 
"<Windows>\System32\userinit.exe,").

The following registry entries are set, disabling system restore:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy 
Objects\LocalUser\Software\ 
Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSaveSettings
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFind
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoRun
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisabletaskMgr
0

HKCU\Software\Policies\Microsoft\Windows\System
DisableCMD
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell
<Common Files>\Renova.exe





Name   W32/Brontok-BU

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.VB.dt
    * W32/Rontokbro.gen@MM
    * Win32/VB.DA

Prevalence (1-5) 2

Description
W32/Brontok-BU is a worm for the Windows platform.

Advanced
W32/Brontok-BU is a worm for the Windows platform.

When first run W32/Brontok-BU copies itself to:

<Startup>\Empty.pif
<User>\Local Settings\Application Data\windows\csrss.exe
<User>\Local Settings\Application Data\windows\lsass.exe
<User>\Local Settings\Application Data\windows\services.exe
<User>\Local Settings\Application Data\windows\smss.exe
<User>\Local Settings\Application Data\windows\winlogon.exe
\RosTika.exe
<Windows>\RosTika.exe
<System>\shell.exe

and creates the file <Windows>\biakKITE.txt.

The following registry entries are created to run W32/Brontok-BU on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RosTika
<Windows>\RosTika.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Servicerepclient1
<User>\Local Settings\Application Data\WINDOWS\SERVICES.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logonrepclient1
<User>\Local Settings\Application Data\WINDOWS\CSRSS.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Monitoring
<User>\Local Settings\Application Data\WINDOWS\LSASS.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
<User>\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

The following registry entries are set or modified, so that shell.exe 
is run when files with extensions of BAT, COM and PIF are 
opened/launched:

HKCR\lnkfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*

HKCR\batfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*

HKCR\comfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*

HKCR\piffile\shell\open\command
(default)
<System>\shell.exe" "%1" %*

The following registry entries are set, disabling the Windows task 
manager (taskmgr) and the command prompt:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0





Name   W32/Mobler-C

Type  
    * Worm

How it spreads  
    * Network shares
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Virus.Win32.VB.bj

Prevalence (1-5) 2

Description
W32/Mobler-C is a worm for the Windows platform.

W32/Mobler-C spreads by coping itself to the available network shares 
including floppies, fixed drives, USB devices.

Advanced
W32/Mobler-C is a worm for the Windows platform.

W32/Mobler-C spreads by coping itself to the available network shares 
including floppies, fixed drives, USB devices.

When first run W32/Mobler-C copies itself to:

<User>\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
<User>\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
<User>\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
<User>\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
<Common Files>\Microsoft Shared\Grphflt\MS.JPG.exe
<Common Files>\Microsoft Shared\Stationery\Clear Day Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Fiesta Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Glacier Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Leaves Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Maize Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Nature Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Pie Charts Bkgrd.jpg.exe
<Common Files>\Microsoft Shared\Stationery\Sunflower Bkgrd.jpg.exe
<Program Files>\Microsoft Office\Templates\Access\100.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\GRAY.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\GRAYST.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\MC.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\MCST.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\MSACCESS.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\SKY.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\STONES.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\TILES.JPG.exe
<Program Files>\Microsoft Office\Templates\Access\ZIGZAG.JPG.exe
\nia_ramadani.exe
<Windows>\Web\Wallpaper\Ascent.jpg.exe
<Windows>\Web\Wallpaper\Autumn.jpg.exe
<Windows>\Web\Wallpaper\Azul.jpg.exe
<Windows>\Web\Wallpaper\Crystal.jpg.exe
<Windows>\Web\Wallpaper\Follow.jpg.exe
<Windows>\Web\Wallpaper\Friend.jpg.exe
<Windows>\Web\Wallpaper\Home.jpg.exe
<Windows>\Web\Wallpaper\Moon flower.jpg.exe
<Windows>\Web\Wallpaper\Peace.jpg.exe
<Windows>\Web\Wallpaper\Power.jpg.exe
<Windows>\Web\Wallpaper\Purple flower.jpg.exe
<Windows>\Web\Wallpaper\Radiance.jpg.exe
<Windows>\Web\Wallpaper\Red moon desert.jpg.exe
<Windows>\Web\Wallpaper\Ripple.jpg.exe
<Windows>\Web\Wallpaper\Stonehenge.jpg.exe
<Windows>\Web\Wallpaper\Tulips.jpg.exe
<Windows>\Web\Wallpaper\Vortec space.jpg.exe
<Windows>\Web\Wallpaper\Wind.jpg.exe
<Windows>\Web\Wallpaper\Windows XP.jpg.exe
<Windows>\host.exe
<Windows>\pchealth\helpctr\System\DVDUpgrd\stripe.jpg.exe
<Windows>\pchealth\helpctr\System\sysinfo\graphics\greendot.jpg.exe
<System>\oobe\html\mouse\images\bulzano.jpg.exe
<System>\oobe\html\mouse\images\bulzanom.jpg.exe
<System>\oobe\html\mouse\images\heidelb.jpg.exe
<System>\oobe\html\mouse\images\heidelbm.jpg.exe
<System>\oobe\html\mouse\images\paris.jpg.exe
<System>\oobe\html\mouse\images\parism.jpg.exe
<System>\oobe\html\mouse\images\pisa.jpg.exe
<System>\oobe\html\mouse\images\pisam.jpg.exe
<System>\oobe\html\mouse\images\prague.jpg.exe
<System>\oobe\html\mouse\images\praguem.jpg.exe
<System>\oobe\html\mouse\images\tyrol.jpg.exe
<System>\oobe\html\mouse\images\tyrolm.jpg.exe
<System>\oobe\html\mouse\images\venice.jpg.exe
<System>\oobe\html\mouse\images\venicem.jpg.exe
<System>\oobe\html\mouse\images\verona.jpg.exe
<System>\oobe\html\mouse\images\veronam.jpg.exe
<System>\oobe\images\backdown.jpg.exe
<System>\oobe\images\backoff.jpg.exe
<System>\oobe\images\backover.jpg.exe
<System>\oobe\images\backup.jpg.exe
<System>\oobe\images\mslogo.jpg.exe
<System>\oobe\images\newbtm1.jpg.exe
<System>\oobe\images\newbtm8.jpg.exe
<System>\oobe\images\newmark1.jpg.exe
<System>\oobe\images\newmark8.jpg.exe
<System>\oobe\images\newtop1.jpg.exe
<System>\oobe\images\newtop8.jpg.exe
<System>\oobe\images\nextdown.jpg.exe
<System>\oobe\images\nextoff.jpg.exe
<System>\oobe\images\nextover.jpg.exe
<System>\oobe\images\nextup.jpg.exe
<System>\oobe\images\oemcoa.jpg.exe
<System>\oobe\images\skipdown.jpg.exe
<System>\oobe\images\skipoff.jpg.exe
<System>\oobe\images\skipover.jpg.exe
<System>\oobe\images\skipup.jpg.exe
<System>\oobe\images\wpaback.jpg.exe
<System>\oobe\images\wpabtm.jpg.exe
<System>\oobe\images\wpaflag.jpg.exe
<System>\oobe\images\wpakey.jpg.exe
<System>\oobe\images\wpatop.jpg.exe

The following registry entry is created to run host.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Run
<Windows>\host.exe

The following registry entry is set, disabling the registry editor 
(regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL
DefaultValue
1





Name   W32/Mytob-JF

Type  
    * Spyware Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Mytob-JF is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

Emails sent by W32/Mytob-JF sends emails in the following format, 
with details filled in to make the email look more authentic:

Subject line chosen from:

Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>

Message text chosen from (the worm will insert the username and the 
email domain of the addressee into the email):

'Dear user <UserName>,

You have successfully updated the password of your <domain> account.

If you did not authorize this change or if you need assistance with 
your account, please contact <domain> customer service at: 
<sender@domain>
Thank you for using <domain>!
The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'

'Dear user <UserName>,

It has come to our attention that your <domain> User Profile ( x ) 
records are out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'

'Dear <domain> Member,

We have temporarily suspended your email account <UserEmailAddress>.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your <domain> account.

Sincerely,The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'

'Dear <domain> Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.
If you choose to ignore our request, you leave us no choice but to 
cancel your membership.

Virtually yours,
The <domain> Support Team

+++ Attachment: No Virus found
+++ <domain> Antivirus - www.<domain>'

The attached file consists of a base name followed by the extension 
ZIP. The worm may optionally create double extensions where the first 
extension is DOC, TXT or HTM and the final extension is BAT, CMD, 
PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from:

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<random characters>

The zip file will contain the worm with double extension. The first 
extension will be one of DOC, HTM, TXT followed by spaces and the 
second extension is EXE, SCR or PIF.

W32/Mytob-JF harvests email addresses from files on the infected 
computer and from the Windows address book.

Advanced
W32/Mytob-JF is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-JF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Mytob-JF copies itself to <System>\service5.exe

The following registry entries are created to run smsks.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
service5.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
service5.exe

W32/Mytob-JF sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

Emails sent by W32/Mytob-JF sends emails in the following format, 
with details filled in to make the email look more authentic:

Subject line chosen from:

Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>

Message text chosen from (the worm will insert the username and the 
email domain of the addressee into the email):

'Dear user <UserName>,

You have successfully updated the password of your <domain> account.

If you did not authorize this change or if you need assistance with 
your account, please contact <domain> customer service at: 
<sender@domain>
Thank you for using <domain>!
The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'

'Dear user <UserName>,

It has come to our attention that your <domain> User Profile ( x ) 
records are out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'

'Dear <domain> Member,

We have temporarily suspended your email account <UserEmailAddress>.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your <domain> account.

Sincerely,The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'

'Dear <domain> Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.
If you choose to ignore our request, you leave us no choice but to 
cancel your membership.

Virtually yours,
The <domain> Support Team

+++ Attachment: No Virus found
+++ <domain> Antivirus - www.<domain>'

The attached file consists of a base name followed by the extension 
ZIP. The worm may optionally create double extensions where the first 
extension is DOC, TXT or HTM and the final extension is BAT, CMD, 
PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from:

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<random characters>

The zip file will contain the worm with double extension. The first 
extension will be one of DOC, HTM, TXT followed by spaces and the 
second extension is EXE, SCR or PIF.

W32/Mytob-JF harvests email addresses from files on the infected 
computer and from the Windows address book.

W32/Mytob-JF modifies the file <System>\drivers\etc\host by appending 
the following information:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com





Name   Troj/Iefeat-BF

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Small.bhu

Prevalence (1-5) 2

Description
Troj/Iefeat-BF is a downloader Trojan for the Windows platform.

Troj/Iefeat-BF attempts to download and execute files from remote 
websites.

Advanced
Troj/Iefeat-BF is a downloader Trojan for the Windows platform.

Troj/Iefeat-BF attempts to download and execute files from remote 
websites to the Temp, root or Windows folder.

Troj/Iefeat-BF sets the following registry entry to run itself on 
startup, though may delete it again later:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NAVNet
<pathname of the Trojan executable> /m





Name   W32/Bagle-PS

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Email-Worm.Win32.Bagle.gn
    * Win32/Bagle.HA

Prevalence (1-5) 2

Description
W32/Bagle-PS is a mass-mailing worm for the Windows platform.

Messages sent by the worm have the following characteristics:

The subject line is one of the following:

Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help

The message text is one of the following:

The password is <image file>
Password -- <image file>
Use password <image file> to open archive.
Password is <image file>
Zip password: <image file>
Zip archive password: <image file>
Password - <image file>
Password: <image file>
<image file>

The attachment may contain a damaged copy of the worm.

Advanced
W32/Bagle-PS is a mass-mailing worm for the Windows platform.

Messages sent by the worm have the following characteristics:

The subject line is one of the following:

Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help

The message text is one of the following:

The password is <image file>
Password -- <image file>
Use password <image file> to open archive.
Password is <image file>
Zip password: <image file>
Zip archive password: <image file>
Password - <image file>
Password: <image file>
<image file>

There are two attachments: a password-protected ZIP file and an image 
(GIF) file. The ZIP file contains a damaged copy of the worm 
executable and a garbage text file with a DLL extension. The image 
file shows the password for the ZIP file.

The first time it is run, W32/Bagle-PS drops the clean file 
C:\error.gif and opens it. This is an image of the word "Error".

When first run W32/Bagle-PS copies itself to:

C:\Documents and Settings\user\Application Data\hidn\hidn2.exe
C:\Documents and Settings\user\Application Data\hidn\hldrrr.exe

W32/Bagle-PS may create the file C:\Documents and 
Settings\user\Application Data\hidn\m_hook.sys. This file is also 
detected as W32/Bagle-PS.

The file m_hook.sys is registered as a new system driver service 
named "m_hook", with a display name of "Empty". Registry entries are 
created under:

HKLM\SYSTEM\CurrentControlSet\Services\m_hook\

W32/Bagle-PS sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

W32/Bagle-PS drops the file C:\temp.zip, which is included in 
messages sent by the worm.

W32/Bagle-PS attempts to download a file from a number of remote 
websites to <System>\re_file.exe and then execute it.

W32/Bagle-PS attempts to terminate and disable a number of services 
related to security and anti-virus applications.

W32/Bagle-PS attempts to delete the following registry entry in order 
to disrupt booting into Safe Mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

W32/Bagle-PS creates the following registry entry the first time it 
is run:

HKCU\Software\FirstRuxzx
FirstRun
1





Name   Troj/Haxdoor-DG

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Haxdoor-DG is a Trojan for the Windows platform.

Advanced
Troj/Haxdoor-DG is a Trojan for the Windows platform.

When Troj/Haxdoor-DG is installed the following files are created:

<System>\kgctini.dat
<System>\lps.dat
<System>\qo.dll
<System>\qo.sys
<System>\ycsvgd.sys
<System>\ydsvgd.dll
<System>\ydsvgd.sys

The files qo.dll, qo.sys, ycsvgd.sys, ydsvgd.dll and ydsvgd.sys are 
detected as Troj/Haxdor-Fam.

The dat files are data files and can safely be deleted.

The following registry entries are created to run code exported by 
ydsvgd.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\ydsvgd
DllName
ydsvgd.dll

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\ydsvgd
Startup
XWD33Sifix

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\ydsvgd
Impersonate
1

The file ycsvgd.sys is registered as a new system driver service 
named "ycsvgd", with a display name of "PTA Adapter". Registry 
entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\ycsvgd\





Name   Troj/Agent-DJV

Type  
    * Trojan

Affected operating systems  
    * Windows

Aliases  
    * Trojan.Win32.Agent.rx
    * TROJ_AGENT.ECN

Prevalence (1-5) 2

Description
Troj/Agent-DJV is a Trojan for the Windows platform.

Advanced
Troj/Agent-DJV is a Trojan for the Windows platform.

Registry entries may be created under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
gwiz

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders





Name   W32/Bustoy-A

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
W32/Bustoy-A is a worm for the Windows platform.

Advanced
W32/Bustoy-A is a worm for the Windows platform.

When first run W32/Bustoy-A copies itself to:

<Startup>\systemnt.exe - This will cause the worm to autorun on 
Windows startup.
<System>\mslogon.exe

W32/Bustoy-A will also attempt to copy itself to removable drives as 
toy.exe. The worm also creates the file autorun.inf on the drive in 
an attempt to run itself automatically when the drive is connected.

W32/Bustoy-A may display the following message on the computer's 
screen:

<chinese characters> ( Compare And Cooperation ):
<chinese characters>BBS

In Memory Of C8C
?--2005
<chinese characters>

In the beginning God created the heaven and the earth.
And the earth was without form, and void.
And darkness was upon the face of the deep.
God said: Let there be light. And there was light.
Also There was another world.
Into the world of music, spirit and meditation.
And relax yourself , Let the rhythm be your guiding light!

BTW: Hei! You need to take care of your own file in Removable Disk.





Name   W32/Tilebot-HI

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks
    * Enables remote access
    * Scans network for vulnerabilities
    * Scans network for weak passwords

Aliases  
    * Backdoor.Win32.SdBot.xd
    * W32/Sdbot.worm.gen.h

Prevalence (1-5) 2

Description
W32/Tilebot-HI is a worm with backdoor functionality for the Windows 
platform.

W32/Tilebot-HI spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), 
WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). 
The worm may also spreads via network shares protected by weak 
passwords.

W32/Tilebot-HI runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-HI includes functionality to:

- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks

Advanced
W32/Tilebot-HI is a worm with backdoor functionality for the Windows 
platform.

W32/Tilebot-HI spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), 
WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). 
The worm may also spreads via network shares protected by weak 
passwords.

W32/Tilebot-HI runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-HI includes functionality to:

- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks

When first run W32/Tilebot-HI copies itself to <Windows>\win32host.exe.

The file win32host.exe is registered as a new system driver service 
named "Win32Kernel", with a display name of "Win32 Kernel Update" and 
a startup type of automatic, so that it is started automatically 
during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Win32Kernel\

W32/Tilebot-HI sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

Additional registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Rungbu-B

Type  
    * Virus

How it spreads  
    * Email attachments
    * Infected files
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer
    * Installs itself in the Registry