Text 189, 1093 lines
Written 2007-05-20 18:53:00 by KURT WISMER
Subject: News, May 20 2007
=========================
[cut-n-paste from sophos.com]
Name Troj/ConHook-AE
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Drops more malware
* Installs itself in the Registry
* Monitors browser activity
* Installs a browser helper object
Aliases
* TROJ_AGENT.AAFS
Prevalence (1-5) 3
Description
Troj/ConHook-AE is a Trojan for the Windows platform.
Advanced
Troj/ConHook-AE is a Trojan for the Windows platform.
Troj/ConHook-AE includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/ConHook-AE is installed it creates the file
<System>\<random>.dll
The DLL is detected as Troj/ConHook-AD.
The following registry entries are created to run code exported by
<random>.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<random>
Dllname
<random>
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<random>
Impersonate
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<random>
Startup
NotifyStartup
The DLL is registered as a COM object and Browser Helper Object (BHO)
for Microsoft Internet Explorer, creating registry entries under:
HKCR\CLSID\d3d60adf-7d3b-491c-9a78-0f1b085593f6
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\d3d60adf-7d3b-491c-9a78-0f1b085593f6
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\DNIdent
(default)
d3d60adf-7d3b-491c-9a78-0f1b085593f6
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\afc3c84e3b
Name Troj/Zlobmi-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Zlobmi-B is a Trojan for the Windows platform.
Advanced
Troj/Zlobmi-B is a Trojan for the Windows platform.
When Troj/Zlobmi-B is installed the following files are created:
<Current Folder>\bpmini.exe
<Current Folder>\bpvol.dll
The following registry entry is created to run Troj/Zlobmi-B on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
user32.dll
<pathname of the Trojan executable>
The file bpvol.dll is registered as a COM object and Browser Helper
Object (BHO) for Microsoft Internet Explorer, creating registry
entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FC80E00-41B0-4F74-BC16-2C83ED49CAC9}
Troj/Zlobmi-B changes search settings for Microsoft Internet Explorer
by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Search\
Name Troj/Banker-EGG
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Prevalence (1-5) 2
Description
Troj/Banker-EGG is an internet banking Trojan for the Windows platform.
Advanced
Troj/Banker-EGG is an internet banking Trojan for the Windows platform.
When first run Troj/Banker-EGG copies itself to the Windows system
folder.
Name W32/Stration-FW
Type
* Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Stration-FW is a worm for the Windows platform.
Advanced
W32/Stration-FW is a worm for the Windows platform.
When W32/Stration-FW is installed the following files are created:
<System>\diagisr.dll
<System>\isrprf32.dll
<System>\isrprov.exe
The file diagisr.dll is detected as W32/Strati-Gen.
The following registry entries are created to run W32/Stration-FW on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
himem.exe
<pathname of the worm executable> -s
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMnEx32
<pathname of the worm executable>
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<pathname of the worm executable>
<Current Folder>\<original filename>:*:Enabled:SystemVersion
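The AuthorizedApplications\List value above is the Windows XP SP2 firewall exception list: each value is named after an executable path and holds a string of the form <path>:<scope>:<Enabled|Disabled>:<display name>, so a worm that writes itself there (with a display name such as SystemVersion) silently gets inbound access. The following checker is an added example, not part of the Sophos write-up: it parses such values offline and flags enabled exceptions whose program sits outside an assumed set of trusted directories, or whose value name and data disagree. The list below is constructed; EXAMPLE_worm.exe and EXAMPLE_calc.exe are placeholders.

```python
"""Offline check of Windows Firewall (XP SP2) AuthorizedApplications\List values.

Added example, not Sophos code.  TRUSTED_DIRS is an assumption about where
legitimately excepted programs normally live; SAMPLE_LIST is constructed."""
from dataclasses import dataclass

# Directories from which a firewall exception is normally expected (assumption).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")

# Constructed sample of value name -> value data, as exported from the List key.
SAMPLE_LIST = {
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\WINDOWS\system32\sessmgr.exe":
        r"C:\WINDOWS\system32\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019",
    r"C:\Documents and Settings\user\Desktop\EXAMPLE_worm.exe":
        r"C:\Documents and Settings\user\Desktop\EXAMPLE_worm.exe:*:Enabled:SystemVersion",
    r"C:\WINDOWS\system32\calc.exe":
        r"C:\Temp\EXAMPLE_calc.exe:*:Enabled:calc",
    r"C:\Program Files\Tool\tool.exe":
        r"C:\Program Files\Tool\tool.exe:*:Disabled:Tool",
}


@dataclass
class FirewallException:
    value_name: str
    path: str
    scope: str
    enabled: bool
    display_name: str


def parse_exception(value_name, data):
    """Split '<path>:<scope>:<state>:<name>' from the right, since the path
    itself contains the drive-letter colon."""
    path, scope, state, display = data.rsplit(":", 3)
    return FirewallException(value_name, path, scope, state.lower() == "enabled", display)


def reasons(exc):
    """Why an exception deserves a look; empty list means nothing noteworthy."""
    out = []
    if not exc.enabled:
        return out
    if not exc.path.lower().startswith(TRUSTED_DIRS):
        out.append("enabled exception for a program outside trusted directories")
    if exc.value_name.lower() != exc.path.lower():
        out.append("value name does not match the path in its data")
    return out


def audit(values):
    """Map each suspicious value name to its list of reasons."""
    return {n: r for n, d in values.items() if (r := reasons(parse_exception(n, d)))}


if __name__ == "__main__":
    for name, why in audit(SAMPLE_LIST).items():
        print(name, "->", "; ".join(why))
```

Disabled exceptions are skipped on purpose: they grant nothing, and reporting them only adds noise to a triage list.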
Name W32/Dundun-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Dundun-A is a parasitic virus for the Windows platform.
When run the virus will attempt to infect executable files as they
are launched.
Name W32/Stap-C
Type
* Worm
How it spreads
* Email messages
* Network shares
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Net-Worm.Win32.Stap.d
* WORM_YOURIP.E
Prevalence (1-5) 2
Description
W32/Stap-C is a worm for the Windows platform.
W32/Stap-C has functionality to:
- spread by network shares
- send mail to email addresses found on the infected computer
Advanced
W32/Stap-C is a worm for the Windows platform.
W32/Stap-C has functionality to:
- spread by network shares
- send mail to email addresses found on the infected computer
When first run W32/Stap-C copies itself to:
<Root>\Chikka.exe
<Startup>\Office_viewer.exe
<Program Files>\Versekulo\readme.exe
<Program Files>\Versekulo\src.dll
<Program Files>\Versekulo\verse.exe
<Program Files>\Versekulo\wers.ocx
<Program Files>\msdtc.exe
<Root>\kernel32.exe
<Root>\Yahoo Mgr 2.0_zip.exe
<Root>\Star Wars_zip
<Root>\Pictures_zip
<Root>\Yahoo Mgr 2.0_zip
<Root>\Zuma DEluxe 1.0_zip
<Root>\The Mystery_zip
and creates the file <Root>\plog.tmp. This file can be deleted.
The following registry entry is created to run kernel32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mstask
<Root>\kernel32.exe
Registry entries are created under:
HKLM\SOFTWARE\Microsoft
Name Troj/Glibma-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Drops more malware
Aliases
* Virus.VBS.Small.g
Prevalence (1-5) 2
Description
Troj/Glibma-A is a Trojan for the Windows platform.
Advanced
Troj/Glibma-A is a Trojan for the Windows platform.
When Troj/Glibma-A is installed it creates the following files in the
<Windows>\system folder:
cscript.exe
Hd.vbs
gm.BAT
gm.vbe
The file cscript.exe is a clean executable file, while the other
files are all also detected as Troj/Glibma-A.
Troj/Glibma-A attempts to find and modify files with the following
extensions:
ASP
HTML
HTM
PHP
Modified files are detected as Troj/Glibif-A and will attempt to run
a script from a remote location.
Name W32/Rbot-GQK
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Rbot-GQK is a worm and IRC backdoor for the Windows platform.
Advanced
W32/Rbot-GQK is a worm and IRC backdoor for the Windows platform.
W32/Rbot-GQK spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011) and
RPC-DCOM (MS04-012).
W32/Rbot-GQK runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-GQK copies itself to <System>\pwjbvphi.exe.
The following registry entry is created to run <System>\pwjbvphi.exe
on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows
pwjbvphi.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows
pwjbvphi.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows
pwjbvphi.exe
Name W32/Sdbot-DES
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.bib
Prevalence (1-5) 2
Description
W32/Sdbot-DES is a worm with IRC backdoor functionality for the
Windows platform.
W32/Sdbot-DES runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Sdbot-DES is a worm with IRC backdoor functionality for the
Windows platform.
W32/Sdbot-DES runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Sdbot-DES copies itself to <Windows>\sysvrs32.exe
and creates the file <Temp>\uia3.tmp.
The file sysvrs32.exe is registered as a new system driver service
named "Server VSS System", with a display name of "Server VSS System"
and a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Server VSS System
Name W32/Sohana-W
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* IM-Worm.Win32.Sohanad.ao
* W32/YahLover.worm
* WORM_SOHANAD.BA
Prevalence (1-5) 2
Description
W32/Sohana-W is a worm for the Windows platform.
Advanced
W32/Sohana-W is a worm for the Windows platform.
W32/Sohana-W spreads over the network and by copying itself to
removable storage devices.
W32/Sohana-W includes functionality to access the internet and
communicate with a remote server via HTTP. The worm also includes
functionality to download, install and run new software.
When first run W32/Sohana-W copies itself to:
<Windows>\SSCVIHOST.exe
<System>\SSCVIHOST.exe
<System>\blastclnnn.exe
and creates the following files:
<System>\autorun.ini - Also detected as W32/Sohana-W
<System>\setting.ini - data file, may simply be deleted
<Windows>\Tasks\At1.job - data file, may simply be deleted
W32/Sohana-W may also attempt to download and execute the following
files:
example.eex - detected as Troj/Havar-A
nhatquanglan15.exe - detected as Perfect Keylogger
test.exe - detected as Troj/VB-DUW
The following registry entry is created to run SSCVIHOST.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger
<System>\SSCVIHOST.exe
The following registry entry is changed to run SSCVIHOST.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe SSCVIHOST.exe
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
The following registry entries are set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
shared
\New Folder.exe
Name W32/Stration-NZ
Type
* Worm
How it spreads
* Email messages
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Warezov.nz
* W32/Warezov.gen4
Prevalence (1-5) 2
Description
W32/Stration-NZ is a worm for the Windows platform which spreads via
email.
Advanced
W32/Stration-NZ is a worm for the Windows platform which spreads via
email.
W32/Stration-NZ includes functionality to silently download, install
and run new software.
When W32/Stration-NZ is installed the following files are created:
<System>\certmsje.dll
<System>\dpl1npwm.dat
<System>\dpl1npwm.dll
<System>\dpl1npwm.exe
<System>\psapuman.exe
<System>\psnppack.dll
The files certmsje.dll, psapuman.exe and psnppack.dll are detected as
W32/Strati-Gen.
The following registry entries are created to run code exported by
dpl1npwm.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dpl1npwm
DllName
<System>\dpl1npwm.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dpl1npwm
Startup
WlxStartupEvent
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dpl1npwm
Impersonate
0
Name W32/Fujacks-AJ
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.Fujack.a
* Win32/Fujacks.L
* WORM_FUJACKS.AT
Prevalence (1-5) 2
Description
W32/Fujacks-AJ is a worm for the Windows platform.
W32/Fujacks-AJ spreads to network shares and removable storage
devices with the filename setup.exe. W32/Fujacks-AJ also creates the
file autorun.inf to ensure that the file setup.exe is executed.
Advanced
W32/Fujacks-AJ is a worm for the Windows platform.
W32/Fujacks-AJ spreads to network shares and removable storage
devices with the filename setup.exe. W32/Fujacks-AJ also creates the
file autorun.inf to ensure that the file setup.exe is executed.
W32/Fujacks-AJ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Fujacks-AJ includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Fujacks-AJ appends an HTML Iframe tag to HTML and ASP files.
These modified files are detected as Troj/Fujif-Gen. W32/Fujacks-AJ
may drop the file Desktop_.ini (which may simply be deleted) in
various folders.
When first run W32/Fujacks-AJ copies itself to
<System>\drivers\CTMONTv.exe.
The following registry entry is created to run W32/Fujacks-AJ on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svcshare
<System>\drivers\CTMONTv.exe
The following registry entry is modified to hide W32/Fujacks-AJ, in
an attempt to make removal difficult:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
The following registry entry tree is removed by W32/Fujacks-AJ in
order to reduce system security:
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\
Name W32/Whld-C
Type
* Virus
How it spreads
* Network shares
* Infected files
* Web downloads
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Reduces system security
Prevalence (1-5) 2
Description
W32/Whld-C is a virus for the Windows platform.
W32/Whld-C spreads by infecting Windows executable files and copying
itself to network shares.
Advanced
W32/Whld-C is a virus for the Windows platform.
W32/Whld-C spreads by infecting Windows executable files and copying
itself to network shares.
When first run W32/Whld-C may create the files <Current>\Server.exe
and <System>\IME\svchost.exe which are also detected as W32/Whld-C.
W32/Whld-C attempts to turn off System File Checking to prevent
infected Windows files being reported.
Name W32/VB-DUX
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Aliases
* Virus.Win32.VB.dx
Prevalence (1-5) 2
Description
W32/VB-DUX is a worm for the Windows platform.
Name W32/Looked-DE
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Looked-DE is a virus for the Windows platform.
Advanced
W32/Looked-DE is a virus for the Windows platform.
W32/Looked-DE spreads by infecting executable files and copying
itself to network shares protected by weak passwords.
When W32/Looked-DE is installed the following files are created:
<Windows>\RichDll.dll
<Windows>\uninstall\rundl132.exe
These files are also detected as W32/Looked-DE.
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
Name Troj/Hiload-E
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Drops more malware
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
Troj/Hiload-E is a Trojan for the Windows platform.
Advanced
Troj/Hiload-E is a Trojan for the Windows platform.
Troj/Hiload-E includes functionality to access the internet and
communicate with a remote server via HTTP, and attempts to download
and execute further files.
Troj/Hiload-E attempts to steal password information from the
infected computer.
When first run Troj/Hiload-E copies itself to <Windows>\<random
name>.exe and creates the following files:
<Windows>\new_drv.sys
The file new_drv.sys is detected as Troj/RKProc-Fam and is used to
hide files, processes and registry entries related to Troj/Hiload-E.
Troj/Hiload-E attempts to inject code into other processes in order
to download and execute files from remote locations.
Name W32/Rbot-GPM
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Rbot-GPM is a worm with IRC backdoor functionality for the
Windows platform.
Advanced
W32/Rbot-GPM is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-GPM runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-GPM copies itself to <Windows>\msnserver.exe.
The following registry entries are created to run msnserver.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Svchost local services
msnserver.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Svchost local services
msnserver.exe
The following registry entry is set:
HKCU\Software\Microsoft\OLE
Microsoft Svchost local services
msnserver.exe
Name W32/Brontok-DI
Type
* Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Brontok-DI is a worm for the Windows platform.
Advanced
W32/Brontok-DI is a worm for the Windows platform.
When first run W32/Brontok-DI copies itself to:
<Startup>\Empty.pif
<Root>\FuckD3w4.exe
<Windows>\FuckD3w4.exe
<System>\IExplorer.exe
<System>\MrHelloween.scr
<System>\shell.exe
and creates the file <Root>\PuisiKu.txt.
The following registry entry is created to run FuckD3w4.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
FuckD3w4
<Windows>\FuckD3w4.exe
The following registry entries are changed to run W32/Brontok-DI on
startup:
HKCU\Control Panel\Desktop
SCRNSAVE.EXE
<System>\MRHELL~1.SCR
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\IExplorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\IExplorer.exe
The following registry entries are set or modified, so that shell.exe
is run when files with extensions of BAT, COM, EXE and PIF are
opened/launched:
HKCR\lnkfile\shell\open\command
(default)
"<System>\shell.exe" "%1" %*
HKCR\batfile\shell\open\command
(default)
"<System>\shell.exe" "%1" %*
HKCR\comfile\shell\open\command
(default)
"<System>\shell.exe" "%1" %*
HKCR\exefile\shell\open\command
(default)
"<System>\shell.exe" "%1" %*
HKCR\piffile\shell\open\command
(default)
"<System>\shell.exe" "%1" %*
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
0
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
0
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
<System>\Shell.exe
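The entries listed for W32/Brontok-DI, and the Winlogon\Notify, Run/RunServices, SHOWALL and policy entries in the other write-ups above, are all plain registry values, so a responder can triage a Regedit export from a suspect machine without touching the live system. The script below is an added example (not Sophos code): it parses a Regedit 5.00 export and reports entries that deviate from an assumed baseline: autostart values pointing outside trusted directories, a Winlogon Shell or Userinit with extra programs, a non-baseline Winlogon notification DLL, an exefile/batfile/comfile/piffile/lnkfile open handler that wraps "%1", a non-baseline AeDebug debugger, policy values that disable Task Manager, Registry Editor, cmd or Folder Options, and a SHOWALL CheckedValue of 0. The baseline sets and trusted directories are assumptions for an English XP build; the export is constructed and every EXAMPLE_* name is a placeholder.

```python
"""Offline audit of a Regedit 5.00 export for the autostart and hijack
entries described in the write-ups above.  Added example, not Sophos code;
the export below is constructed and EXAMPLE_* names are placeholders."""
import ntpath
import re

# Assumed baseline for an English XP build; adjust for the system under review.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
BASELINE_NOTIFY = {"crypt32.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll", "wgalogon.dll"}
BASELINE_DEBUGGER = {"drwtsn32", "drwtsn32.exe"}
RUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices", "\\policies\\explorer\\run")
HIJACK_CLASSES = {"batfile", "comfile", "exefile", "piffile", "lnkfile"}
POLICY_FLAGS = ("DisableTaskMgr", "DisableRegistryTools", "DisableCMD", "NoFolderOptions")

# Constructed export: one benign Run value plus entries modelled on the write-ups.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"EXAMPLE_autorun"="EXAMPLE_dropper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\system32\\EXAMPLE_shell.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\EXAMPLE_shell.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\EXAMPLE_pkg]
"DllName"="C:\\WINDOWS\\system32\\EXAMPLE_pkg.dll"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\EXAMPLE_shell.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"="C:\\WINDOWS\\system32\\EXAMPLE_shell.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

_VALUE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # \\ -> \ and \" -> " as in .reg files


def parse_reg(text):
    """Parse string and dword values into {key: {value_name: data}}; other types are skipped."""
    tree, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = _VALUE.match(line)
        if m is None or key is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""   # "" is (default)
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            tree[key][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            tree[key][name] = int(data[6:], 16)
    return tree


def _get(values, name, default=None):
    """Case-insensitive lookup: registry value names are not case-sensitive."""
    return next((v for k, v in values.items() if k.lower() == name.lower()), default)


def _first_exe(cmd):
    """Program at the head of a command line, surrounding quotes removed."""
    cmd = str(cmd).strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def audit(tree):
    """Return (key, value name, reason) for every entry that deviates from baseline."""
    out = []
    for key, values in tree.items():
        k = key.lower()
        if k.endswith(RUN_SUFFIXES):
            for name, data in values.items():
                if not _first_exe(data).lower().startswith(TRUSTED_DIRS):
                    out.append((key, name, "autostart outside trusted directories"))
        elif k.endswith("\\winlogon"):
            if str(_get(values, "Shell", "Explorer.exe")).strip().lower() != "explorer.exe":
                out.append((key, "Shell", "extra shell process"))
            if len([p for p in str(_get(values, "Userinit", "")).split(",") if p.strip()]) > 1:
                out.append((key, "Userinit", "extra Userinit program"))
        elif "\\winlogon\\notify\\" in k:
            if ntpath.basename(str(_get(values, "DllName", ""))).lower() not in BASELINE_NOTIFY:
                out.append((key, "DllName", "non-baseline notification package"))
        elif k.startswith("hkey_classes_root\\") and k.endswith("\\shell\\open\\command"):
            cmd = str(_get(values, "", "")).lstrip()
            if key.split("\\")[1].lower() in HIJACK_CLASSES and not cmd.startswith(('"%1"', "%1")):
                out.append((key, "(default)", "launch handler wraps %1"))
        elif k.endswith("\\aedebug"):
            if ntpath.basename(_first_exe(_get(values, "Debugger", ""))).lower() not in BASELINE_DEBUGGER:
                out.append((key, "Debugger", "non-baseline post-mortem debugger"))
        elif "\\policies\\" in k:
            out += [(key, flag, "user restriction enabled") for flag in POLICY_FLAGS if _get(values, flag) == 1]
        elif k.endswith("\\hidden\\showall") and _get(values, "CheckedValue") == 0:
            out.append((key, "CheckedValue", "hidden-file display disabled"))
    return out


if __name__ == "__main__":
    for key, name, reason in audit(parse_reg(SAMPLE_REG)):
        print(f"{reason}: {key} :: {name}")
```

A bare file name in a Run value (as with pwjbvphi.exe and msnserver.exe above) is reported as well, since it is resolved through the search path at logon rather than from a known location.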
Name W32/SillyFD-AC
Type
* Worm
Affected operating systems
* Windows
Side effects
* Drops more malware
* Installs itself in the Registry
Aliases
* Worm.Win32.Delf.bs
Prevalence (1-5) 2
Description
W32/SillyFD-AC is a worm for the Windows platform.
Advanced
W32/SillyFD-AC is a worm for the Windows platform.
W32/SillyFD-AC includes functionality to download, install and run
new software.
When first run W32/SillyFD-AC copies itself to <System>\servet.exe
and creates the file <System>\Deleteme.bat.
The file servet.exe is registered as a new system driver service
named "WindowsDown", with a display name of "Windows Ins" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\WindowsDown
W32/SillyFD-AC spreads via removable shared drives by creating the
file autorun.inf and a copy of the worm (named servet.exe) on the
removable drive.
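W32/SillyFD-AC, W32/Fujacks-AJ and W32/Sohana-W above all rely on an autorun.inf written to the root of a removable drive so that the dropped executable runs when the drive is inserted or opened in Explorer. Before double-clicking such a drive, a responder can read the file and see exactly what Autoplay would launch. The following parser is an added example, not Sophos code: it extracts every launch directive (open, shellexecute, shell\<verb>\command) from the [autorun] section and calls the file suspicious when it redirects the drive's own open or explore verbs, which is what turns browsing the drive into execution. Both .inf texts below are constructed; setup.exe follows the file name the write-ups describe.

```python
"""Report what an autorun.inf found on removable media would launch.

Added example, not Sophos code; the two .inf texts below are constructed."""
import configparser
import ntpath

SAMPLE_INF = r"""[AutoRun]
open=setup.exe
shellexecute=setup.exe
shell\open\Command=setup.exe
shell\explore\Command=setup.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Removable Disk
"""

BENIGN_INF = r"""[autorun]
icon=setup.ico
label=Driver CD
"""

# Verbs Explorer uses when a user double-clicks or right-clicks the drive.
BROWSE_VERBS = {"shell\\open\\command", "shell\\explore\\command"}


def launch_targets(inf_text):
    """Return (directive, command) pairs that would run a program."""
    # interpolation=None: values such as %SystemRoot% are literal in .inf files;
    # strict=False: real-world files repeat keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for option, value in cp.items(section):
            o = option.lower()   # configparser already lowercases option names
            if o in ("open", "shellexecute") or (o.startswith("shell\\") and o.endswith("\\command")):
                targets.append((option, value.strip()))
    return targets


def assess(inf_text):
    """Describe each launch target and decide whether the file hijacks browsing."""
    targets = launch_targets(inf_text)
    notes = []
    for directive, cmd in targets:
        exe = cmd.split()[0].strip('"') if cmd else ""
        where = "drive root" if not ntpath.dirname(exe) else "subfolder"
        notes.append(f"{directive} runs {exe} ({where})")
    hijacks_browse = bool({d.lower() for d, _ in targets} & BROWSE_VERBS)
    return {"targets": targets, "notes": notes, "suspicious": hijacks_browse}


if __name__ == "__main__":
    for text in (SAMPLE_INF, BENIGN_INF):
        report = assess(text)
        print("suspicious" if report["suspicious"] else "no browse hijack", report["notes"])
```

A plain open=setup.exe is reported but not by itself treated as suspicious, since driver and installer media use it legitimately; the redirected open and explore verbs are the part that has no benign purpose on a data drive.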
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)