Text 180, 1149 rader
Skriven 2007-03-25 18:48:00 av KURT WISMER
Ärende: News, March 25 2007
===========================
[cut-n-paste from sophos.com]
Name Troj/SpyAge-B
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Win32/Wigon.D
* Spy-Agent.bv.dr
* Trojan.Win32.Agent.ady
Prevalence (1-5) 3
Description
Troj/SpyAge-B is a Trojan for the Windows platform.
Advanced
Troj/SpyAge-B is a Trojan for the Windows platform.
When Troj/SpyAge-B is installed the following files are created:
<System>\main.sys
<System>\reg.sys
The file reg.sys is also detected as Troj/SpyAge-B. The file main.sys
is detected as Troj/Devspy-Fam.
The file main.sys is registered as a new system driver service named
"EXAMPLE". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE
Name W32/Looked-CP
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Looked-CP is a prepending virus for the Windows platform.
Advanced
W32/Looked-CP is a prepending virus for the Windows platform.
When first run, W32/Looked-CP copies itself to
<Windows>\uninstall\rundl132.exe and <Windows>\Logo1_.exe.
W32/Looked-CP creates the following registry entry in order to be run
itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
W32/Looked-CP also creates the file <Windows>\RichDll.dll. This file
is also detected as W32/Looked-CP.
Name W32/TrigXF-A
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/TrigXF-A is an instant messaging worm for the Windows platform.
Advanced
W32/TrigXF-A is an instant messaging worm for the Windows platform.
W32/TrigXF-A includes functionality to access the internet and
communicate with a remote server via HTTP.
When W32/TrigXF-A is installed the following files are created:
<Windows>\instr32.exe
<Windows>\windebug.log
<Windows>\windebug2.log
Name W32/Sality-AI
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Drops more malware
Aliases
* Virus.Win32.Sality.l
* W32/Sality.K
* W32/Sality.n
* Win32/Sality.NAE
* W32.HLLP.Sality.O
Prevalence (1-5) 2
Description
W32/Sality-AI is a virus for the Windows platform.
Advanced
W32/Sality-AI is a virus for the Windows platform.
When W32/Sality-AI is installed the file <System>\wmimgr32.dll is
created. This file is detected as W32/Sality-I.
Name W32/Brontok-DB
Type
* Worm
How it spreads
* Email messages
* Network shares
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Win32/Brontok.G worm
* W32/Rontokbro.gen@MM
* Email-Worm.Win32.Brontok.q
* WORM_RONTOKBRO.H
Prevalence (1-5) 2
Description
W32/Brontok-DB is a worm for the Windows platform.
Advanced
W32/Brontok-DB is a worm for the Windows platform.
When first run W32/Brontok-DB copies itself to:
<User>\Local Settings\Application Data\csrss.exe
<User>\Local Settings\Application Data\inetinfo.exe
<User>\Local Settings\Application Data\lsass.exe
<User>\Local Settings\Application Data\services.exe
<User>\Local Settings\Application Data\smss.exe
<Windows>\ShellNew\bronstab.exe
<Windows>\eksplorasi.exe
The following registry entries are created to run W32/Brontok-DB on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Tok-Cirrhatus
<User>\Local Settings\Application Data\smss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus
<Windows>\ShellNew\bronstab.exe
The following registry entry is changed to run eksplorasi.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\eksplorasi.exe"
The following registry entry is set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
W32/Brontok-DB will restart the computer whenever the user opens a
command prompt.
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Name W32/Feebs-BK
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
Prevalence (1-5) 2
Description
W32/Feebs-BK is an email worm for the Windows platform.
Advanced
W32/Feebs-BK is an email worm for the Windows platform.
W32/Feebs-BK includes functionality to access the internet and
communicate with a remote server via HTTP.
When run, the worm creates the files
<Windows>\<random>.exe (Detected as Mal/Packer)
<Windows>\<random.dll (Detected as Mal/Packer)
Name Troj/Agent-EFO
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Agent.ph W32/Trojan.LSP
Prevalence (1-5) 2
Description
Troj/Agent-EFO is a Trojan for the Windows platform.
Advanced
Troj/Agent-EFO is a Trojan for the Windows platform.
When first run Troj/Agent-EFO copies itself to <System>\iexplore.exe
The following registry entry is created to run iexplore.exe on startup:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed
Components\{1D08B3E4-1F0A-0DF8-0605-050600040806}\
StubPath
<System>\iexplore.exe
Troj/Agent-EFO may attempt to create a network connection from local
port 1044 or 1045 to remote port 3460.
Name W32/VB-DOS
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* W32/Backdoor.AFPP
* Generic BackDoor.k
* Backdoor.Win32.VB.azk
Prevalence (1-5) 2
Description
W32/VB-DOS is a worm for the Windows platform which allows
unauthorised remote access to the computer.
W32/VB-DOS includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/VB-DOS is a worm for the Windows platform which allows
unauthorised remote access to the computer.
W32/VB-DOS includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/VB-DOS copies itself to:
<Windows>\svchost.exe
<System>\svchost.exe
<System>\NetDebug.exe
and creates the following files:
<Windows>\1.dat
<Windows>\ini.dat
<Windows>\small.dat
<System>\autorun.inf
These files may be safely deleted.
The file NetDebug.exe is registered as a new system driver service
named "SerND", with a display name of "Server Network Debug" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\SerND
Name W32/Silov-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Silov-A is an overwriting virus. When run, it copies itseld into
the Windows system folder as cvir.exe.
Advanced
W32/Silov-A is an overwriting virus. When run, it copies itseld into
the Windows system folder as cvir.exe.
W32/Silov-A overwrites all files in the current and root drive
folders with a copy of itself, adding the file extension EXE to the
filename of the original file. It is likely that the infection
process will render the computer unbootable.
The following registry entry is created to run cvir.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
go
<System>\cvir.exe
Name W32/Yayin-A
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Win32/TrojanDownloader.Agent.AWF
* QLowZones-42 trojan
* Trojan-Clicker.Win32.Agent.jh
* W32/Agent.BUX
Prevalence (1-5) 2
Description
W32/Yayin-A is a worm for the Windows platform.
W32/Yayin-A moves files on the infected computer and replaces them
with a copy of itself.
Advanced
W32/Yayin-A is a worm for the Windows platform.
W32/Yayin-A searches for files on the infected computer that are set
to run using entries under the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
W32/Yayin-A then moves them to a new folder called "bak" and replaces
them with a copy of itself.
When first run, W32/Yayin-A copies itself to the file
<System>\lsasss.exe, and sets the following registry entry to run
itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Lexmark_X79-55
<System>\lsasss.exe
W32/Yayin-A may also move itself to the file <Temp>\win321123.dat
temporarily.
When W32/Yayin-A is installed it creates the clean data file
<Temp>\abc123.pid.
W32/Yayin-A attempts to set the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
" "
W32/Yayin-A attempts to download and execute files from a remote
location.
Name W32/Fujacks-AE
Type
* Virus
How it spreads
* Removable storage devices
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Fujacks-AE is a prepending virus and worm with backdoor
functionality for the Windows platform.
Advanced
W32/Fujacks-AE is a prepending virus and worm with backdoor
functionality for the Windows platform.
W32/Fujacks-AE spreads to other network computers through available
network shares and removeable storage devices with the filename
setup.exe. W32/Fujacks-AE also creates the file autorun.inf to insure
that the file setup.exe is executed.
W32/Fujacks-AE runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Fujacks-AE includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Fujacks-AE copies itself to
<System>\drivers\spoclsv.exe.
The following registry entry is created to run spoclsv.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svcshare
<System>\drivers\spoclsv.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
\Folder\Hidden\SHOWALL
CheckedValue
0
Name W32/Brontok-DA
Type
* Worm
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* WORM_RONTKBR.GEN
* W32/Rontokbro.gen@MM
* Email-Worm.Win32.Brontok.a
* Win32/Brontok.EA worm
Prevalence (1-5) 2
Description
W32/Brontok-DA is a worm for the Windows platform.
Advanced
W32/Brontok-DA is a worm for the Windows platform.
When first run W32/Brontok-DA copies itself to:
<User>\Local Settings\Application Data\csrss.exe
<User>\Local Settings\Application Data\inetinfo.exe
<User>\Local Settings\Application Data\lsass.exe
<User>\Local Settings\Application Data\services.exe
<User>\Local Settings\Application Data\smss.exe
<Windows>\ShellNew\bronstab.exe
<Windows>\eksplorasi.pif
The following registry entries are created to run W32/Brontok-DA on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Tok-Cirrhatus
<User>\Local Settings\Application Data\smss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus
<Windows>\ShellNew\bronstab.exe
The following registry entry is changed to run eksplorasi.pif on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\eksplorasi.pif"
The following registry entry is set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Name W32/Bobandy-I
Type
* Worm
How it spreads
* Removable storage devices
* Email attachments
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Bobandy-I is a mass-mailing worm for the Windows platform.
Advanced
W32/Bobandy-I is a mass-mailing worm for the Windows platform.
W32/Bobandy-I spreads by emailing itself to the email addresses
harvested from the infected computer.
W32/Bobandy-I also attempts to spread by coping itself to the
available folders popular used by Peer to Peer (P2P) filesharing
applications.
When first run W32/Bobandy-I copies itself to:
<My Documents>\<My Music>\My Music.exe
<My Documents>\<My Pictures>\My Pictures.exe
<Windows>\lsass.exe
<Windows>\QSF7N0S.exe
<Windows>\VDM2H2G.exe
<Windows>\NTC4D7O\<random characters>.com
<Windows>\NTC4D70\regedit.cmd
<Windows>\NTC4D70\service.exe
<Windows>\NTC4D70\smss.exe
<Windows>\NTC4D70\system.exe
<Windows>\NTC4D70\winlogon.exe
<Windows>\NTC4D70\XPV6I4O.exe
<System>\<random characters>\CTS3C8U.cmd
<System>\<random characters>.exe
and creates the following files:
<Windows>\cypreg.dll
<Windows>\MoonLight.txt
<System>\MSWINSCK.ocx531
<System>\systear.dll
<System>\msvbvm60.dl
<Windows>\onceinabluemoon.mid
These files are not malicious.
Emails sent by W32/Bobandy-I have the following characteristics:
Subject lines chosen from:
hey Indonesian porn
Agnes Monica pic's
Fucking With Me :D
please read again what i have written to you
miss Indonesian
Cek This
Japannes Porn
Aku Mencari Wanita yang aku Cintai
dan cara menggunakan email mass
ini adalah cara terakhirku ,di lampiran ini terdapat
foto dan data Wanita tsb Thank's
NB:Mohon di teruskan kesahabat anda
aku mahasiswa BSI Margonda smt 4
yah aku sedang membutuhkan pekerjaan
CoolMan
oh ya aku tahu anda dr milis ilmu komputer
di lampiran ini terdapat curriculum vittae dan foto saya
File attachments may arrive as:
Doc 4166354.zip
need you 6243883.zip
need you 6381956.zip
video 9534116.zip
W32/Bobandy-I attempts to copy itself to the root folders of all
mapped drives.
W32/Bobandy-I harvests email addresses from files on the infected
computer and includes functionality to terminate security and
anti-virus related processes and record keystrokes.
The following registry entries are set to run W32/Bobandy-I on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random characters>
<System>\<random characters>.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe, <Windows>\<random characters>.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell
<random characters>.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\NTC4D7O\<random characters>.com
The following registry entries are set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKCR\exefile
(default)
File Folder
HKCR\scrfile
(default)
File Folder
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\SuperHidden
UncheckedValue
0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
0
Name W32/Acid-F
Type
* Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Acid-F is an email-worm for the Windows platform.
Advanced
W32/Acid-F is an email-worm for the Windows platform.
When first run W32/Acid-F copies itself to:
<CurrentFolder>\SysManage.exe
<System>\lgm.exe
and creates the file <Current Folder>\outputt.txt.
The following registry entry is created to run lgm.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lgm
<System>\lgm.exe
Name W32/Looked-CO
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.Viking.jg
* W32/HLLP.Philis.ig
Prevalence (1-5) 2
Description
W32/Looked-CO is a prepending virus for the Windows platform.
Advanced
W32/Looked-CO is a prepending virus for the Windows platform.
The virus infects EXE files found on the infected computer. The virus
also attempts to copy itself to remote network shares.
W32/Looked-CO includes functionality to access the internet and
communicate with a remote server via HTTP. W32/Looked-CO may attempt
to download and execute additional files from a remote location.
When first run W32/Looked-CO copies itself to <Windows>\Logo_1.exe
and to <Windows>\uninstall\rundl132.exe and creates the following
files:
<Windows>\RichDll.dll (also detected as W32/Looked-CO)
W32/Looked-CO may also create many files with the name "_desktop.ini"
are created, in various folders on the infected computer. These files
are harmless text files and can be deleted.
The following registry entry is created to run rundl132.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\uninstall\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name W32/Looked-CN
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* W32/HLLP.Philis.hy
* Worm.Win32.Viking.ja
* W32/Viking.CY
* Win32/Viking.CH
Prevalence (1-5) 2
Description
W32/Looked-CN is a prepending virus for the Windows platform.
Advanced
W32/Looked-CN is a prepending virus for the Windows platform.
The virus infects EXE files found on the infected computer. The virus
also attempts to copy itself to remote network shares.
W32/Looked-CN includes functionality to access the internet and
communicate with a remote server via HTTP. W32/Looked-CN may attempt
to download and execute additional files from a remote location.
When first run W32/Looked-CN copies itself to <Windows>\Logo_1.exe
and to <Windows>\uninstall\rundl132.exe and creates the following file:
<Windows>\RichDll.dll
The file RichDll.dll is also detected as W32/Looked-CN.
W32/Looked-CN may also create many files with the name "_desktop.ini"
are created, in various folders on the infected computer. These files
are harmless text files and can be deleted.
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW
Name W32/Mytob-KB
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* W32/Sdbot.worm.gen.ce
* W32/Backdoor.AGHM
* Backdoor.Win32.Mytobor.c
Prevalence (1-5) 2
Description
W32/Mytob-KB is a worm with IRC backdoor functionality for the
Windows platform.
Advanced
W32/Mytob-KB is a worm with IRC backdoor functionality for the
Windows platform.
W32/Mytob-KB spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including RealVNC (CVE-2006-2369).
W32/Mytob-KB runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Mytob-KB copies itself to
<System>\dllcache\seagatecom.exe.
The file seagatecom.exe is registered as a new system driver service
named "Seagate Communication", with a display name of "Seagate
Communication" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\Seagate Communication
Name W32/Looked-CM
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.Viking.ix
* W32/HLLP.Philis.ic
* W32.Looked.BK
Prevalence (1-5) 2
Description
W32/Looked-CM is a prepending virus for the Windows platform.
Advanced
W32/Looked-CM is a prepending virus for the Windows platform.
The virus infects EXE files found on the infected computer. The virus
also attempts to copy itself to remote network shares.
W32/Looked-CM includes functionality to access the internet and
communicate with a remote server via HTTP. W32/Looked-CM may attempt
to download and execute additional files from a remote location.
When first run W32/Looked-CM copies itself to <Windows>\Logo_1.exe
and to <Windows>\uninstall\rundl132.exe and creates the following
files:
<Windows>\RichDll.dll
RichDll.dll is also detected as W32/Looked-CM.
W32/Looked-CM may also create many files with the name "_desktop.ini"
in various folders on the infected computer. These files are harmless
text files and can be deleted.
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW
Name W32/Poebot-KL
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Poebot-KL is a worm with IRC backdoor functionality for the
Windows platform.
W32/Poebot-KL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IC channels.
W32/Poebot-KL spreads to other network computers:
- by exploiting common buffer overflow vulnerabilities, including:
LSASS (MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), WKS
(MS03-049) (CAN-2003-0812), Dameware (CAN-2003-1030) and PNP (MS05-039)
- networks protected by weak passwords
Advanced
W32/Poebot-KL is a worm with IRC backdoor functionality for the
Windows platform.
W32/Poebot-KL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IC channels.
W32/Poebot-KL spreads to other network computers:
- by exploiting common buffer overflow vulnerabilities, including:
LSASS (MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), WKS
(MS03-049) (CAN-2003-0812), Dameware (CAN-2003-1030) and PNP (MS05-039)
- networks protected by weak passwords
When first run W32/Poebot-KL copies itself to <System>\spooIsv.exe.
The following registry entries are created to run spooIsv.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spooler SubSystem App
<System>\spooIsv.exe
W32/Poebot-KL includes functionality to:
- download code from the internet
- perform port scanning
- perform DDoS attacks
- steal information including computer game keys
- setup a SOCKS4 proxy server
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
|