Text 188, 1058 rader
Skriven 2007-05-06 12:03:00 av KURT WISMER
Ärende: News, May 6 2007
========================
[cut-n-paste from sophos.com]
Name W32/Lovelet-AD
Type
* Worm
How it spreads
* Removable storage devices
* Email attachments
* Infected files
* Chat programs
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Modifies data on the computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Win32/VB.BP
Prevalence (1-5) 2
Description
W32/Lovelet-AD is a worm for the Windows platform.
W32/Lovelet-AD spreads by:
- Copying itself to autorun.inf into any writable drive
- Email attachments
- Infected files
- Replacing PIF files with a copy of W32/Lovelet-AD
- Yahoo Instant Messenger
W32/Lovelet-AD includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Lovelet-AD is a worm for the Windows platform.
W32/Lovelet-AD spreads by:
- Copying itself to autorun.inf into any writable drive
- Email attachments
- Infected files
- Replacing PIF files with a copy of W32/Lovelet-AD
- Yahoo Instant Messenger
W32/Lovelet-AD includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Lovelet-AD copies itself to:
<Desktop>\Microsoft Word Document.scr
<Root>\autorun.inf
<Start Menu>\New Microsoft Word Document.scr
<Start Menu>\Programs\Microsoft Word Document.scr
as well as numerous locations (more than 1000 files) and sub folders
in:
<Application Data>\Microsoft\CD Burning\
<My Documents>\
<Profile>\
<Root>\
<Start Menu>\
<System>\
<Windows>\
<Windows>\Prefetch\
<Windows>\gorgle\
The following registry entries are created to run W32/Lovelet-AD on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Run
<System>\mskernel.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
<Windows>\lsass.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
WinRun
<Windows>\AutoRun.ini
as well as the following modification of existing entries:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <Windows>\services.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\gorgle\csrss.exe
The following registry entries are created to make removal of
W32/Lovelet-AD difficult for the user:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt
CheckedValue
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
The following registry entries are set or modified, so that
W32/Lovelet-AD is run when files with extensions of PIF are
opened/launched:
HKCR\AVIFile\shell\open\command
(default)
<Windows>\setup\mskernel.exe %1
HKCR\piffile\shell\open\command
(default)
<Windows>\setup\mskernel.exe %1
Name Troj/Starter-F
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Starter-F is a Trojan for the Windows platform.
Advanced
Troj/Starter-F is a Trojan for the Windows platform.
When run, it copies itself to <System>\FLASH32.COM and creates the
file <System>\BLOCKS.EXE. The file BLOCKS.exe is not malicious.
The following registry entry is created to run FLASH32.COM on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Flash32
<System>\FLASH32.COM -s
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Run
Flash32
<System>\FLASH32.COM -s
Name Troj/Agent-EOL
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Agent.bls
* TROJ_AGENT.NEV
Prevalence (1-5) 2
Description
Troj/Agent-EOL is a downloading Trojan for the Windows platform.
Name W32/Alman-B
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Alman-B is a virus for the Windows platform.
Advanced
W32/Alman-B is a virus for the Windows platform.
W32/Alman-B searches for and infects files with EXE extension.
When first run W32/Alman-B creates the following files :
<Windows>\c_121.nls
<Windows>\AppPatch\deamon.dll
These files are also detected as W32/Alman-B.
Name W32/Rbot-GMZ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Rbot-GMZ is a worm for the Windows platform which attempts to
spread via network shares.
W32/Rbot-GMZ spreads to computers vulnerable to common exploits,
including: IIS5SSL (MS03-007).
Advanced
W32/Rbot-GMZ is a worm for the Windows platform which attempts to
spread via network shares.
W32/Rbot-GMZ contains backdoor functions that allows unauthorized
remote acces to the infected computer via IRC channels.
W32/Rbot-GMZ spreads to computers vulnerable to common exploits,
including: IIS5SSL (MS03-007).
The following patch for the operating system vulnerability exploited
by the worm can be obtained from the Microsoft website:
MS04-011
When first run W32/Rbot-GMZ copies itself as a randomly named exe to:
<System>\<random>.exe
W32/Rbot-GMZ may create the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows LoL Layer
azypbrx.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows LoL Layer
azypbrx.exe
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy
\StandardProfile\AuthorizedApplications\List\
<System>\azypbrx.exe:*:Disabled:azypbrx
HKCU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\
<System>\azypbrx.exe
azypbrx
Name W32/KillFil-BP
Type
* Worm
How it spreads
* Network shares
* Peer-to-peer
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/KillFil-BP is a worm for the Windows platform.
Advanced
W32/KillFil-BP is a worm for the Windows platform.
Name VBS/Solow-D
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.VBS.Solow.a
* VBS/IE-Title
* VBS/Butsur.B
* VBS_SOLOW.A
Prevalence (1-5) 2
Description
VBS/Solow-D is a worm for the Windows platform.
Advanced
VBS/Solow-D is a worm for the Windows platform.
VBS/Solow-D attempts to spread through removable storage devices.
When installed VBS/Solow-D copies itself to the
<Windows>\MS32DLL.dll.vbs.
The following registry entry is created to run the file
MS32DLL.dll.vbs at startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS32DLL
<Windows>\MS32DLL.dll.VBS
The following registry entry is set:
HKCU\Software\Microsoft\Internet Explorer\Main
Windows Title
'Hacked by <email address>'
Every 200 seconds VBS/Solow-D enumerates available removable devices
and attempts to copy itself to each with the filename
MS32DLL.dll.vbs. The worm also creates the file autorun.inf that
contains instructions to autorun the copy of the worm once the
infected drive is accessed.
Name Troj/Dloadr-AXU
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Dloadr-AXU is a Trojan downloader for the Windows platform.
Advanced
Troj/Dloadr-AXU is a Trojan downloader for the Windows platform.
Troj/Dloadr-AXU will attempt to download and execute a file detected
as Troj/TinyDl-G.
When first run Troj/Dloadr-AXU copies itself to
<System>\1916435341.exe.
The following registry entry is created to run 1916435341.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
1916435341.exe
<System>\1916435341.exe
Name W32/Stando-B
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Drops more malware
* Installs itself in the Registry
Aliases
* TROJ_AGENT.MRW
Prevalence (1-5) 2
Description
W32/Stando-B is a worm for the Windows platform.
W32/Stando-B spreads to other network computers.
W32/Stando-B includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Stando-B is a worm for the Windows platform.
W32/Stando-B spreads to other network computers.
W32/Stando-B includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Stando-B copies itself to
<Temp>\suchost.exe
<Temp>\mgrShell.exe
and creates the file <System>\activeds.exe.
The file activeds.exe is detected as Troj/Bckdr-QIA.
Registry entries are set as follows to run the worm copy on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
scApp
<Root>\DOCUME~1\REPCLI~1\LOCALS~1\Temp\suchost.exe
W32/Stando-B copies itself to the root folder of available disk
drives with the filename sys.exe and creates the hidden file
autorun.inf containing the following text:
[autorun]
open=sys.exe
W32/Stando-B may attempt to write to the end of files with a DOC
extension, and may modify files in the root drive or internet cache
folder called ~Thumbs.db or in the internet cache folder called
~RSW114.tmp.
W32/Stando-B may set the following registry entry to allow Autoplay
on removable, fixed, CD-ROM and RAM drives:
HKCU\Software\Microsoft\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
91
W32/Stando-B may set the following registry entries to prevent hidden
files from being shown, including files related to itself:
HKCU\Software\Microsoft\CurrentVersion\Explorer\Advanced
SuperHidden
1
HKCU\Software\Microsoft\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Name Troj/BHO-BQ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs a browser helper object
Prevalence (1-5) 2
Description
Troj/BHO-BQ is a Trojan for the Windows platform.
Advanced
Troj/BHO-BQ is a Trojan for the Windows platform.
Troj/BHO-BQ will attempt to install itself as a browser helper object
and redirect typed URLs and search queries to another website.
Name W32/SillyFD-AA
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.VB.fw
* W32/Sillyworm.WR
* W32/Archiles.worm
* WORM_VB.CNG
Prevalence (1-5) 2
Description
W32/SillyFD-AA is a worm for the Windows platform.
Advanced
W32/SillyFD-AA is a worm for the Windows platform.
Once installed W32/SillyFD-AA spreads through removable storage
devices, including floppy drives and USB keys. The worm attempts to
create a hidden file Autorun.inf on the removeable drive and copy
itself to the removeable drive with the hidden filename
<Root>\handydriver.exe.
The file <Root>\Autorun.inf is designed to start the worm once the
removable drive is connected to a uninfected computer.
W32/SillyFD-AA copies itself to the following locations:
<Root>\kerneldrive.exe
<Windows>\regedit.exe
<Windows>\pchealth\helpctr\Binaries\msconfig.exe
<System>\systeminit.exe
<System>\wininit.exe
<System>\winsystem.exe
<System>\cmd.exe
<System>\taskmgr.exe
W32/SillyFD-AA also creates the following file <Root>\autorun.inf.
The following registry entries are set to run W32/SillyFD-AA to run
itself on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\systeminit.exe,
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wininit
<System>\wininit.exe
The following registry entries are also set:
HKCU\Software\Microsoft\Internet Explorer\Main
Window Title
Hacked by 1BYTE
HKCU\Software\Microsoft
ServicePack
1.2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
SearchHidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
SearchSystemDirs
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegedit
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft
nFlag
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
1
Name Troj/Dloadr-AYA
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Opens links to websites
Aliases
* W32/Downloader.APBK
* Trojan-Downloader.Win32.Delf.kc
* TROJ_DLOADER.GXJ
Prevalence (1-5) 2
Description
Troj/Dloadr-AYA is a Trojan for the Windows platform.
Advanced
Troj/Dloadr-AYA is a Trojan for the Windows platform.
Troj/Dloadr-AYA includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Dloadr-AYA copies itself to the root folder.
Name Troj/WLDrop-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Installs itself in the Registry
Aliases
* W32/Agent.CIP
* Spy-Agent.bv.dr
* Win32/Wigon.W
* Trojan.Win32.Agent.ady
Prevalence (1-5) 2
Description
Troj/WLDrop-A is a Trojan for the Windows platform.
Advanced
Troj/WLDrop-A is a Trojan for the Windows platform.
When Troj/WLDrop-A is installed it creates one of the following files:
<System>\main.sys
<Current folder>\systems.dll
The file main.sys is detected as Troj/NTRootK-BP. The file
systems.dll is detected as Mal/SpyAgent-A.
If the file main.sys is dropped, it is registered as a new system
driver service named "EXAMPLE". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE
If the file systems.dll is dropped, the following registry entry is
created to run it on system startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
rundll32 "<Current folder>\systems.dll" X4,explorer.exe
Name W32/Rising-B
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Worm.Win32.Agent.az
* WORM_AGENT.OQV
* Win32/Agent.NEO
Prevalence (1-5) 2
Description
W32/Rising-B is a worm for the Windows platform.
W32/Rising-B can spread to local drives, removable media and network
shares.
W32/Rising-B includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Rising-B is a worm for the Windows platform.
W32/Rising-B can spread to local drives, removable media and network
shares.
W32/Rising-B includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Rising-B copies itself to:
<Root>\rising.exe
<System>\<8 random letters>.exe
and drops the following files:
<Root>\autorun.inf - auto run script, may be deleted safely.
<System>\<8 random letters>.dll - also detected as W32/Rising-B
W32/Rising-B creates the following registry entries to start itself
as a service:
HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\
HKLM\SYSTEM\CurrentControlSet\Services\<8 random characters>\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<8 random characters>\
HKCU\SYSTEM\CurrentControlSet\Services\<8 random characters>\
The <8 random characters> references above are all the same. The
characters randomize when the worm is propagated.
Name W32/Rbot-GOS
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* WORM_RBOT.FAY
Prevalence (1-5) 2
Description
W32/Rbot-GOS is a worm with IRC backdoor functionality for the
Windows platform.
Advanced
W32/Rbot-GOS is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-GOS runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-GOS spreads to other network computers:
- by exploiting common buffer overflow vulnerabilities, including:
LSASS (MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP
(MS05-039), ASN.1 (MS04-007), RealVNC (CVE-2006-2369) and Symantec
(SYM06-010)
- networks protected by weak passwords
When first run W32/Rbot-GOS copies itself to <System>\netsrv.exe. The
following registry entries are created to run W32/Rbot-GOS on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft
netsrv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
netsrv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
netsrv.exe
W32/Rbot-GOS includes functionality to:
- terminate security and anti-virus related processes
- download code from the internet
- perform port scanning
- perform DDoS attacks
- steal information including computer game keys
- setup a SOCKS4 proxy server
Name Troj/SpyAgent-E
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Dropped by malware
Aliases
* Trojan-Dropper.Win32.Agent.bge
* W32/Downloader2.BNE
Prevalence (1-5) 2
Description
Troj/SpyAgent-E is a dropper Trojan for the Windows platform.
Troj/SpyAgent-E drops further malware detected as Troj/Pushu-B.
Troj/SpyAgent-E may be dropped by members of the Mal/SpyAgent-A family.
Name W32/Poebot-LL
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Poebot-LL is a worm for the Windows platform.
W32/Poebot-LL spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC
(MS06-040), RPC-DCOM (MS04-012) and PNP (MS05-039).
Advanced
W32/Poebot-LL is a worm for the Windows platform.
W32/Poebot-LL spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC
(MS06-040), RPC-DCOM (MS04-012) and PNP (MS05-039).
When first run W32/Poebot-LL copies itself to <System>\spoolsvc.exe
and creates the file <Current Folder>\pzyhjvv.bat.
The following registry entry is created to run spoolsvc.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spooler SubSystem App
<System>\spoolsvc.exe
Name Troj/Banker-EFM
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Banker.ciy
Prevalence (1-5) 2
Description
Troj/Banker-EFM is an internet banking Trojan for the Windows platform.
Advanced
Troj/Banker-EFM is an internet banking Trojan for the Windows platform.
When Troj/Banker-EFM is installed the following files are created:
<Root>\file.exe
<Root>\start.bat
<Startup>\wsnctfy.exe
<Windows>\svchost.exe
<Windows>\Tasks\startt.job
The following registry entry is changed to run Troj/Banker-EFM on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <Windows>\svchost.exe
The file explorer <Windows>\svchost.exe is registered as a new
service named "GbpSv". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\GbpSv
Name Troj/DownLd-ABF
Type
* Trojan
How it spreads
* Web browsing
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/DownLd-ABF is an advertising related downloader Trojan for the
Windows platform.
Troj/DownLd-ABF infects HTML files stored on the local computer with
IFRAME links to advertising related HTML pages.
Troj/DownLd-ABF can arrive as a result of web browsing. Visiting
certain web sites may initiate the download process.
Advanced
Troj/DownLd-ABF is an advertising related downloader Trojan for the
Windows platform.
Troj/DownLd-ABF infects all HTML files on the computer, appending a
SRC= link to a remote JavaScript file. This JavaScript simply uses
document.write to append a new IFRAME element to the HTML file, with
a SRC= link to a advertising related HTML page.
Troj/DownLd-ABF can arrive as a result of web browsing. Visiting
certain web sites may initiate the download process.
When Troj/DownLd-ABF is installed the following files are typically
created:
<Windows>\123.txt
<Windows>\1234.txt
<Windows>\edit.txt
<Windows>\ganran.txt
<System>\5640.exe
<System>\705.54755640.exe
<System>\winsock.exe
<Temporary Internet Files>\mh[1].exe
The following registry entry is created to run 5640.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(Default)
<System>\5640.exe
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
|