Text 190, 1173 rader
Skriven 2007-05-26 15:05:00 av KURT WISMER
Ärende: News, May 26 2007
=========================
[cut-n-paste from sophos.com]
Name W32/Poebot-LO
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.VanBot.ax
* BKDR_POEBOT.MJ
Prevalence (1-5) 2
Description
W32/Poebot-LO is an IRC worm with backdoor functionality which allows
a remote intruder to gain access and control over the computer.
W32/Poebot-LO includes functionality to download, install and run new
software.
W32/Poebot-LO spreads to other network computers by exploiting common
vulnerabilities, including LSASS (MS04-011), SRVSVC (MS06-040),
RPC-DCOM (MS04-012) and PNP (MS05-039) .
Advanced
W32/Poebot-LO is an IRC worm with backdoor functionality which allows
a remote intruder to gain access and control over the computer.
W32/Poebot-LO includes functionality to download, install and run new
software.
W32/Poebot-LO spreads to other network computers by exploiting common
vulnerabilities, including LSASS (MS04-011), SRVSVC (MS06-040),
RPC-DCOM (MS04-012) and PNP (MS05-039) .
When first run W32/Poebot-LO copies itself to <System32>\iexplore.exe
and creates the non-malicious file 'jbikuyoy.bat'.
The following registry entry is created to run iexplore.exe:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet
Explorer = <System32>\iexplore.exe
Name W32/Brontok-DG
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Drops more malware
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Brontok-DG is a worm for the Windows platform.
Advanced
W32/Brontok-DG is a worm for the Windows platform.
When first run W32/Brontok-DG copies itself to:
<Root>\Backup\WMP_10 for XP.exe
<Startup>\user32.exe
<Startup>\_default.exe
<System>\x-executor.exe
<System>\vergon1885.exe
and creates the file <System>\man.bat.
The following registry entry is created to run vergon1885.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
wmplayer
<System>\vergon1885.exe
The following registry entries are changed to run W32/Brontok-DG on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\vergon1885.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,"<System>\vergon1885.exe"
W32/Brontok-DG attempts to periodically copy itself to removeable
drives, including floppy drives and USB keys. The worm will attempt
to create hidden folders on the logical drive and copy itself to them.
Name Troj/LegMir-AQX
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.OnLineGames.nw
Prevalence (1-5) 2
Description
Troj/LegMir-AQX is a password-stealing Trojan for the Windows platform.
Advanced
Troj/LegMir-AQX is a password-stealing Trojan for the Windows platform.
When first run Troj/LegMir-AQX copies itself to:
<System>\alg32.dat
<System>\alg32.exe
and creates the following files:
<Windows>\MirSet.ini
<System>\Winhttps.dat
<System>\Winhttps.dll
The files Winhttps.dat and Winhttps.dll are also detected as
Troj/LegMir-AQX.
Name SB/BadBunny-A
Type
* Worm
How it spreads
* Infected files
* Chat programs
Side effects
* Modifies data on the computer
* Used in DOS attacks
Aliases
* IRC-Worm.StarOffice.Badbunny.a
Prevalence (1-5) 2
Description
SB/BadBunny-A is a multi-platform worm written in several scripting
languages and distributed as an OpenOffice.org document containing a
StarBasic macro.
Advanced
SB/BadBunny-A is a multi-platform worm written in several scripting
languages and distributed as an OpenOffice.org document containing a
StarBasic macro.
SB/BadBunny-A spreads by dropping malicious script files that affect
the behavior of the popular IRC programs mIRC and X-Chat, causing
them send SB/BadBunny-A to other users. These malicious script files
are named badbunny.py (for XChat) and script.ini (for mIRC,
overwriting the existing mIRC file) and are also detected as
SB/BadBunny-A.
SB/BadBunny-A drops different additional components depending on the
platform on which it is running:
- On Windows, it drops a file named badbunny.js that is a JavaScript
file infector also detected as SB/BadBunny-A.
- On Linux, it drops a file named badbunny.pl that is a Perl file
infector also detected as SB/BadBunny-A.
- On MacOS, it drops one of two possible files named badbunny.rb and
badbunnya.rb that are Ruby file infectors also detected as
SB/BadBunny-A.
SB/BadBunny-A will also attempt a ping of death attack against the
following anti-virus sites:-
www.ikarus.at
www.aladdin.com
www.norman.no
www.norman.com
www.kaspersky.com
www.kaspersky.ru
www.kaspersky.pl
www.grisoft.cz
www.symantec.com
www.proantivirus.com
www.f-secure.com
www.sophos.com
www.arcabit.pl
www.arcabit.com
www.avira.com
www.avira.de
www.avira.ro
www.avast.com
www.virusbuster.hu
www.trendmicro.com
www.bitdefender.com
www.pandasoftware.comm [sic]
www.drweb.com
www.drweb.ru
www.viruslist.com
Name W32/Rbot-GPL
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Rbot-GPL is a network worm and IRC backdoor for the Windows
platform.
W32/Rbot-GPL spreads
- to computers vulnerable to common exploits, including: SRVSVC
(MS06-040), RPC
-DCOM (MS04-012), ASN.1 (MS04-007), RealVNC (CVE-2006-2369) and
Symantec (SYM06-010)
- to MSSQL servers protected by weak passwords
- to network shares protected by weak passwords
The following patches for the operating system vulnerabilities
exploited by the
worm can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
Advanced
W32/Rbot-GPL is a network worm and IRC backdoor for the Windows
platform.
W32/Rbot-GPL spreads
- to computers vulnerable to common exploits, including: SRVSVC
(MS06-040), RPC
-DCOM (MS04-012), ASN.1 (MS04-007), RealVNC (CVE-2006-2369) and
Symantec (SYM06-010)
- to MSSQL servers protected by weak passwords
- to network shares protected by weak passwords
The following patches for the operating system vulnerabilities
exploited by the
worm can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
W32/Rbot-GPL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When W32/Rbot-GPL is installed it creates the file
<System>\WinSecUp.exe.
The following registry entries are created to run WinSecUp.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
WinSecUp.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
WinSecUp.exe
Name W32/Rbot-GQN
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Rbot-GQN is a worm for the Windows platform.
Advanced
W32/Rbot-GQN is a worm for the Windows platform.
W32/Rbot-GQN runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-GQN copies itself to <System>\wlimyc.exe.
The following registry entries are created to run wlimyc.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Update Machine
wlimyc.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Update Machine
wlimyc.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Update Machine
wlimyc.exe
Name Troj/Clickr-AC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Opens links to websites
Prevalence (1-5) 2
Description
Troj/Clickr-AC is a Trojan for the Windows platform.
Advanced
Troj/Clickr-AC is a Trojan for the Windows platform.
Troj/Clickr-AC may display browser popups.
Troj/Clickr-AC is registered as a COM object and Browser Helper
Object (BHO) for Microsoft Internet Explorer, creating registry
entries under:
HKCR\CLSID\{89731480-D47D-4DC4-8A36-BAAE55E094C5}
HKCR\Interface\{1E293881-F1AA-4580-9EA4-4C714E71162A}
HKCR\TypeLib\{08DFED4C-5BEB-490A-8AFA-331AC1AE5C0D}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{89731480-D47D-4DC4-8A36-BAAE55E094C5}
Registry entries are set as follows:
HKCR\Explorer.MExplorer.1\CLSID
(default)
{89731480-D47D-4DC4-8A36-BAAE55E094C5}
HKCR\Explorer.MExplorer\CLSID
(default)
{89731480-D47D-4DC4-8A36-BAAE55E094C5}
Registry entries are created under:
HKCR\Explorer.MExplorer
Name Troj/DwnLdr-GUW
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/DwnLdr-GUW is a downloader Trojan for the Windows platform.
Advanced
Troj/DwnLdr-GUW is a downloader Trojan for the Windows platform.
Troj/DwnLdr-GUW includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/DwnLdr-GUW is installed the following files are created:
<Current Folder>\test.txt
<Current Folder>\test2.txt
These files contain downloaded components. At the time of writing,
the site hosting these components was unavailable.
Name W32/Vizim-A
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Leaves non-infected files on computer
* Installs a browser helper object
Aliases
* W32/Vizim.worm
* Virus.Win32.AutoRun.m
Prevalence (1-5) 2
Description
W32/Vizim-A is a worm for the Windows platform.
Advanced
W32/Vizim-A is a worm for the Windows platform.
When first run W32/Vizim-A copies itself to the root and Windows
system folders and creates the following files:
<Root>\autorun.inf
<Windows>\autorun.inf
The file autorun.inf is designed to start the worm once the
removeable drive is connected to a uninfected computer. The file
autorun.inf can be safely deleted.
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption
PROMISE???
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeText
I am still waiting for the strawberry coming from my Baguio! Pls..
Help!
Name W32/Mypis-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Mypis-A is a virus for the Windows platform.
Advanced
W32/Mypis-A is a virus for the Windows platform.
The virus may create the file <Program Files>\Common
Files\System\svchost.exe and this file is detected as Mal/Basine-C.
Name W32/AHKHeap-A
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/AHKHeap-A is a worm for the Windows platform.
Advanced
W32/AHKHeap-A is a worm for the Windows platform.
When run, W32/AHKHeap-A creates the following files:
<Temp>\MicrosoftPowerPoint\2.mp3 - can be safely removed
<Temp>\MicrosoftPowerPoint\drivelist.txt - can be safely removed
<Temp>\MicrosoftPowerPoint\Icon.ico - can be safely removed
<Temp>\MicrosoftPowerPoint\Install.txt - detected as W32/AHKHeap-A
<Temp>\MicrosoftPowerPoint\pathlist.txt - can be safely removed
<Temp>\MicrosoftPowerPoint\svchost.exe - can be safely removed
C:\heap41a\2.mp3 - can be safely removed
C:\heap41a\drivelist.txt - can be safely removed
C:\heap41a\Icon.ico - can be safely removed
C:\heap41a\reproduce.txt - detected as W32/AHKHeap-A
C:\heap41a\script1.txt - detected as W32/AHKHeap-A
C:\heap41a\std.txt - detected as W32/AHKHeap-A
C:\heap41a\svchost.exe - can be safely removed
C:\heap41a\offspring\autorun.inf - detected as W32/AHKHeap-A
W32/AHKHeap-A attempts to periodically copy itself to removeable
drives and USB keys. The worm will attempt to create a hidden file
Autorun.inf on the removeable drive and copy itself to the removeable
drive as MicrosoftPowerPoint.exe.
The file Autorun.inf is designed to start the worm once the
removeable drive is connected to a uninfected computer.
The following registry entries are set to run W32/AHKHeap-A on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
status
present
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
winlogon
C:\heap41a\svchost.exe C:\heap41a\std.txt
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\Hidden\SHOWALL
CheckedValue
0
Name W32/Tilebot-JQ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.SdBot.bic
Prevalence (1-5) 2
Description
W32/Tilebot-JQ is a worm with IRC backdoor Trojan functionality.
W32/Tilebot-JQ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-JQ includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Tilebot-JQ is a worm with IRC backdoor Trojan functionality.
W32/Tilebot-JQ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-JQ includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-JQ copies itself to <Windows>\wault.exe.
The file wault.exe is registered as a new system driver service named
"Windows Auto Update Tool", with a display name of "Windows Auto
Update Tool" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows Auto Update Tool
The file <System>\sfc_os.dll is modified in order to disable the
System File Checker. The modified version is detected as Disabled
System File Check DLL.
The files <System>\ftp.exe and <System>\tftp.exe are replaced by
non-functional versions of those applications.
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
Name W32/Gatina-B
Type
* Spyware Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Steals information
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Gatina-B is an email and network worm.
Advanced
W32/Gatina-B is an email and network worm.
The emails sent by the worm have forged "From:" addresses and the
following characteristics:
Subject line:
"FILIPINO'S SECRETS"
"LYRICS OF BAMBOO AND OTHER BOY BAND"
"Philippines Government Top Secret"
"New Virus Information"
"Ukinnam Virus Information"
Message text:
"Hi! Look the Attach Document for more details about FILIPINOS..."
"HOY! PINOY AKO! BUO AKING LOOB MAY AGIMAT AKO... FOR MORE LYRICS
CHECK THE ATTACH FILE..."
"The Government of the Philippines revealed the truth. For more
information please read the Attach file..."
"Please read the attach file for more information about computer
virus..."
"If your computer has been infected by Ukinnam Virus. Open the
attach file and follow the instruction to remove the virus..."
Attached file:
README.DOC.exe
INFO.DOC.exe
TAETAE.TXT.exe
DATA.DOC.exe
W32/Gatina-B collects email addresses from files whose extension is
HTT, HTM, HTML, HTA, HTE, HTX, SHTML, STM, ASP, XML, DOC, RTF, TXT,
DBX, PHP, PHP3, PTHML, JSP, SQL, EML, INI, TBB or TBI.
When first run W32/Gatina-B copies itself to:
Startup>\MSKernell.bat
<Windows>\Exit to DosPrompt.pif
<Windows>\Mails\DATA.DOC.exe
<Windows>\Mails\DOCUMENT.DOC.exe
<Windows>\Mails\INFO.DOC.exe
<Windows>\Mails\README.DOC.exe
<Windows>\Mails\TAETAE.TXT.exe
<System>\AutoRun.bat
The following registry entries are created to run Exit to
DosPrompt.pif and AutoRun.bat on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NOYPI_KANG_ASTIG
<Windows>\Exit to DosPrompt.pif
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
taetae
<Windows>\Exit to DosPrompt.pif
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
TANG_INA_MO
<System>\AutoRun.bat
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
taengtae
<System>\AutoRun.bat
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
NoFindFiles
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
W32/Gatina-B closes applications whose title matches any of the
following:
Ad-aware 6.0 Personal
Ad-Aware SE Personal
Anti-Trojan - Infection Monitor
Anti-Virus
AntiViral Toolkit Pro
AVG E-Mail Server Edition - Advanced Interface
AVG E-Mail Server Edition - Basic Interface
AVG E-Mail Server Edition - Control Centerr
AVP
AVP Monitor
BitDefender
BitDefender Sheild
BlackICE
Command Prompt
Control Panel
eTrust Antivirus - Local Scanner
F-Secure Anti-Virus
HijackThis
Kaspersky Anti-Virus Monitor
Kaspersky Anti-Virus personal
Kaspersky Anti-Virus Scanner
My Computer
My Documents
NOD32 Antivirus Program
Norton
Norton Antivirus
Norton AntiVirus Porfessional
Pop3trap
Process Explorer
Registry Editor
Registry Monitor
Registry Monitor
Services
Sophos Anti-Virus - SWEEP
Spybot - Search & Destroy
Sygate Personal Firewall Pro
System Configuration Utility
System Restore
Windows Firewall
Windows Security Center
Windows Task Manager
WinPatrol
W32/Gatina-B also attempts to spread to other network computers via
network shares as a file named README.EXE.
W32/Gatina-B attempts to periodically copy itself to removeable
drives, including floppy drives and USB keys under the following names:
AutoRun.bat
Exit to DosPrompt.pif
ReadMe.scr
MSKernell.bat
Name Troj/DaMailer-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
Prevalence (1-5) 2
Description
Troj/DaMailer-B is a Trojan for Windows platform.
Name Mal/Qbot-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Dropped by malware
Prevalence (1-5) 2
Description
Mal/Qbot-A is a family of components for IRC backdoor Trojans.
Advanced
Mal/Qbot-A is a family of components for IRC backdoor Trojans.
Name Troj/DNSChan-LT
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
Aliases
* Trojan.Win32.DNSChanger.jb
Prevalence (1-5) 2
Description
Troj/DNSChan-LT is a Trojan for the Windows platform.
The Trojan includes functionality to modify the DNS setting, access
the internet and communicate with a remote server via HTTP.
Name Troj/Nofere-I
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.Nilage.bei
* Win32/TrojanDownloader.Agent.NIG
Prevalence (1-5) 2
Description
Troj/Nofere-I is a Trojan for the Windows platform.
Troj/Nofere-I includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Nofere-I may download and execute files from remote locations,
delete registry entries and kill specified processes.
Advanced
Troj/Nofere-I is a Trojan for the Windows platform.
Troj/Nofere-I includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Nofere-I may download and execute files from remote locations,
delete registry entries and kill specified processes.
When first run Troj/Nofere-I copies itself to
C:\Progra~1\Eset\IEXPLORER.EXE. Troj/Nofere-I may also copy itself to
the Windows, Windows system or Temp folders.
The following registry entry is created to run IEXPLORER.EXE on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ravshell
<Program Files>\Eset\IEXPLORER.EXE
Troj/Nofere-I may set a registry entries under the following location:
HKCR\ferefile
Name Troj/Yar-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
Prevalence (1-5) 2
Description
Troj/Yar-A is a Trojan for the Windows platform.
Advanced
Troj/Yar-A is a Trojan for the Windows platform.
Once installed Troj/Yar-A creates the files:
<Temp>\dld_2urls_dd3_nonpack_rpolycrypt.exe - detected as Troj/Yar-A.
<Temp>\pirate_alert.exe - non malicious file that can be safely
removed.
The file <Temp>\pirate_alert.exe is then run and will display a fake
error message with the title "Unsupported MPEG Codec Error: Pirates
of the Caribbean: At World's End" and the message "Unsupported MPEG
Codec Error: Pirates of the Caribbean: At World's End. Go to official
web site: <URL link>".
Troj/Yar-A may be spammed out via email as an zip attachment with the
subject lines:
"Pirates of the Caribbean: At World's End -- The Official Trailer"
"Pirates of the Caribbean 3"
<no subject line>
The message body may also contain a brief synopsis of the movie.
Name W32/Looked-DG
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* W32/HLLP.Philis.kl
* Worm.Win32.Viking.lm
Prevalence (1-5) 2
Description
W32/Looked-DG is a virus for the Windows platform.
Advanced
W32/Looked-DG is a virus for the Windows platform.
When W32/Looked-DG is installed the following files are created:
<Windows>\Logo1_.exe
<Windows>\uninstall\rundl132.exe
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
Name Troj/Maha-S
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Delf.tl
* Win32/PSW.Maha.A trojan
Prevalence (1-5) 2
Description
Troj/Maha-S is a Trojan for the Windows platform.
Advanced
Troj/Maha-S is a Trojan for the Windows platform.
Troj/Maha-S includes functionality to access the internet and
communicate with a remote server via HTTP, and also contains
information-stealing and keylogging functionality.
When first run Troj/Maha-S copies itself to:
<Root>\me.mp3
<Windows>\testy.exe
and creates the file <Windows>\testy.dll, also detected as
Troj/Maha-S. The file me.mp3 will then be deleted by the Trojan.
Troj/Maha-S creates the folder <Windows>\system32\drivers\ssl\06.
The file testy.exe is registered as a new system driver service named
"Windows License ManagementA" and no display name. Registry entries
are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows License ManagementA\
Troj/Maha-S may also create the file C:\ali.html.
Troj/Maha-S may create a message box with the text "STUPID KAV".
Name Troj/Dloadr-AYS
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Dropped by malware
Aliases
* Trojan-Downloader.Win32.Alphabet.gen
Prevalence (1-5) 2
Description
Troj/Dloadr-AYS is a Trojan for the Windows platform.
Advanced
Troj/Dloadr-AYS is a Trojan for the Windows platform.
Once run, Troj/Dloadr-AYS attempts to connect to a remote server and
download other content.
The following Registry entry is added to run the Trojan on system
restart:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avp
(path and filename of executed Trojan)
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
|