Tillbaka till svenska Fidonet
English   Information   Debug  
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4288
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   32953
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2061
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33903
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24128
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   75/212
FILM   0/18
FNEWS_PUBLISH   4408
FN_SYSOP   41679
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13599
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16070
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22093
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   926
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1121
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3221
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13273
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/340
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
Möte VIRUS_INFO, 201 texter
 lista första sista föregående nästa
Text 190, 1173 rader
Skriven 2007-05-26 15:05:00 av KURT WISMER
Ärende: News, May 26 2007
=========================
[cut-n-paste from sophos.com]

Name   W32/Poebot-LO

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.VanBot.ax
    * BKDR_POEBOT.MJ

Prevalence (1-5) 2

Description
W32/Poebot-LO is an IRC worm with backdoor functionality which allows 
a remote intruder to gain access and control over the computer.

W32/Poebot-LO includes functionality to download, install and run new 
software.

W32/Poebot-LO spreads to other network computers by exploiting common 
vulnerabilities, including LSASS (MS04-011), SRVSVC (MS06-040), 
RPC-DCOM (MS04-012) and PNP (MS05-039) .

Advanced
W32/Poebot-LO is an IRC worm with backdoor functionality which allows 
a remote intruder to gain access and control over the computer.

W32/Poebot-LO includes functionality to download, install and run new 
software.

W32/Poebot-LO spreads to other network computers by exploiting common 
vulnerabilities, including LSASS (MS04-011), SRVSVC (MS06-040), 
RPC-DCOM (MS04-012) and PNP (MS05-039) .

When first run W32/Poebot-LO copies itself to <System32>\iexplore.exe 
and creates the non-malicious file 'jbikuyoy.bat'.

The following registry entry is created to run iexplore.exe:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet 
Explorer = <System32>\iexplore.exe





Name   W32/Brontok-DG

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Brontok-DG is a worm for the Windows platform.

Advanced
W32/Brontok-DG is a worm for the Windows platform.

When first run W32/Brontok-DG copies itself to:

<Root>\Backup\WMP_10 for XP.exe
<Startup>\user32.exe
<Startup>\_default.exe
<System>\x-executor.exe
<System>\vergon1885.exe

and creates the file <System>\man.bat.

The following registry entry is created to run vergon1885.exe on 
startup:
            
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
wmplayer
<System>\vergon1885.exe
           
The following registry entries are changed to run W32/Brontok-DG on 
startup:
            
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\vergon1885.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,"<System>\vergon1885.exe"

W32/Brontok-DG attempts to periodically copy itself to removeable 
drives, including floppy drives and USB keys. The worm will attempt 
to create hidden folders on the logical drive and copy itself to them.





Name   Troj/LegMir-AQX

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Trojan-PSW.Win32.OnLineGames.nw

Prevalence (1-5) 2

Description
Troj/LegMir-AQX is a password-stealing Trojan for the Windows platform.

Advanced
Troj/LegMir-AQX is a password-stealing Trojan for the Windows platform.

When first run Troj/LegMir-AQX copies itself to:

<System>\alg32.dat
<System>\alg32.exe

and creates the following files:

<Windows>\MirSet.ini
<System>\Winhttps.dat
<System>\Winhttps.dll

The files Winhttps.dat and Winhttps.dll are also detected as 
Troj/LegMir-AQX.





Name   SB/BadBunny-A

Type  
    * Worm

How it spreads  
    * Infected files
    * Chat programs

Side effects  
    * Modifies data on the computer
    * Used in DOS attacks

Aliases  
    * IRC-Worm.StarOffice.Badbunny.a

Prevalence (1-5) 2

Description
SB/BadBunny-A is a multi-platform worm written in several scripting 
languages and distributed as an OpenOffice.org document containing a 
StarBasic macro.

Advanced
SB/BadBunny-A is a multi-platform worm written in several scripting 
languages and distributed as an OpenOffice.org document containing a 
StarBasic macro.

SB/BadBunny-A spreads by dropping malicious script files that affect 
the behavior of the popular IRC programs mIRC and X-Chat, causing 
them send SB/BadBunny-A to other users. These malicious script files 
are named badbunny.py (for XChat) and script.ini (for mIRC, 
overwriting the existing mIRC file) and are also detected as 
SB/BadBunny-A.

SB/BadBunny-A drops different additional components depending on the 
platform on which it is running:
 - On Windows, it drops a file named badbunny.js that is a JavaScript 
file infector also detected as SB/BadBunny-A.
 - On Linux, it drops a file named badbunny.pl that is a Perl file 
infector also detected as SB/BadBunny-A.
 - On MacOS, it drops one of two possible files named badbunny.rb and 
badbunnya.rb that are Ruby file infectors also detected as 
SB/BadBunny-A.

SB/BadBunny-A will also attempt a ping of death attack against the 
following anti-virus sites:-
 www.ikarus.at
 www.aladdin.com
 www.norman.no
 www.norman.com
 www.kaspersky.com
 www.kaspersky.ru
 www.kaspersky.pl
 www.grisoft.cz
 www.symantec.com
 www.proantivirus.com
 www.f-secure.com
 www.sophos.com
 www.arcabit.pl
 www.arcabit.com
 www.avira.com
 www.avira.de
 www.avira.ro
 www.avast.com
 www.virusbuster.hu
 www.trendmicro.com
 www.bitdefender.com
 www.pandasoftware.comm [sic]
 www.drweb.com
 www.drweb.ru
 www.viruslist.com

 
 
 
 
Name   W32/Rbot-GPL

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Rbot-GPL is a network worm and IRC backdoor for the Windows 
platform.

W32/Rbot-GPL spreads
 - to computers vulnerable to common exploits, including: SRVSVC 
(MS06-040), RPC
 -DCOM (MS04-012), ASN.1 (MS04-007), RealVNC (CVE-2006-2369) and 
Symantec (SYM06-010)
 - to MSSQL servers protected by weak passwords
 - to network shares protected by weak passwords

The following patches for the operating system vulnerabilities 
exploited by the
worm can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

Advanced
W32/Rbot-GPL is a network worm and IRC backdoor for the Windows 
platform.

W32/Rbot-GPL spreads
 - to computers vulnerable to common exploits, including: SRVSVC 
(MS06-040), RPC
 -DCOM (MS04-012), ASN.1 (MS04-007), RealVNC (CVE-2006-2369) and 
Symantec (SYM06-010)
 - to MSSQL servers protected by weak passwords
 - to network shares protected by weak passwords

The following patches for the operating system vulnerabilities 
exploited by the
worm can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

W32/Rbot-GPL runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When W32/Rbot-GPL is installed it creates the file 
<System>\WinSecUp.exe.

The following registry entries are created to run WinSecUp.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
WinSecUp.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
WinSecUp.exe





Name   W32/Rbot-GQN

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Prevalence (1-5) 2

Description
W32/Rbot-GQN is a worm for the Windows platform.

Advanced
W32/Rbot-GQN is a worm for the Windows platform.

W32/Rbot-GQN runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-GQN copies itself to <System>\wlimyc.exe.

The following registry entries are created to run wlimyc.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Update Machine
wlimyc.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Update Machine
wlimyc.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Update Machine
wlimyc.exe





Name   Troj/Clickr-AC

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Opens links to websites

Prevalence (1-5) 2

Description
Troj/Clickr-AC is a Trojan for the Windows platform.

Advanced
Troj/Clickr-AC is a Trojan for the Windows platform.

Troj/Clickr-AC may display browser popups.

Troj/Clickr-AC is registered as a COM object and Browser Helper 
Object (BHO) for Microsoft Internet Explorer, creating registry 
entries under:

HKCR\CLSID\{89731480-D47D-4DC4-8A36-BAAE55E094C5}
HKCR\Interface\{1E293881-F1AA-4580-9EA4-4C714E71162A}
HKCR\TypeLib\{08DFED4C-5BEB-490A-8AFA-331AC1AE5C0D}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\{89731480-D47D-4DC4-8A36-BAAE55E094C5}

Registry entries are set as follows:

HKCR\Explorer.MExplorer.1\CLSID
(default)
{89731480-D47D-4DC4-8A36-BAAE55E094C5}

HKCR\Explorer.MExplorer\CLSID
(default)
{89731480-D47D-4DC4-8A36-BAAE55E094C5}

Registry entries are created under:

HKCR\Explorer.MExplorer





Name   Troj/DwnLdr-GUW

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/DwnLdr-GUW is a downloader Trojan for the Windows platform.

Advanced
Troj/DwnLdr-GUW is a downloader Trojan for the Windows platform.

Troj/DwnLdr-GUW includes functionality to access the internet and 
communicate with a remote server via HTTP.

When Troj/DwnLdr-GUW is installed the following files are created:

<Current Folder>\test.txt
<Current Folder>\test2.txt

These files contain downloaded components. At the time of writing, 
the site hosting these components was unavailable.





Name   W32/Vizim-A

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Leaves non-infected files on computer
    * Installs a browser helper object

Aliases  
    * W32/Vizim.worm
    * Virus.Win32.AutoRun.m

Prevalence (1-5) 2

Description
W32/Vizim-A is a worm for the Windows platform.

Advanced
W32/Vizim-A is a worm for the Windows platform.

When first run W32/Vizim-A copies itself to the root and Windows 
system folders and creates the following files:

<Root>\autorun.inf
<Windows>\autorun.inf

The file autorun.inf is designed to start the worm once the 
removeable drive is connected to a uninfected computer. The file 
autorun.inf can be safely deleted.

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption
PROMISE???

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeText
I am still waiting for the strawberry coming from my Baguio! Pls.. 
Help!





Name   W32/Mypis-A

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
W32/Mypis-A is a virus for the Windows platform.

Advanced
W32/Mypis-A is a virus for the Windows platform.

The virus may create the file <Program Files>\Common 
Files\System\svchost.exe and this file is detected as Mal/Basine-C.





Name   W32/AHKHeap-A

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/AHKHeap-A is a worm for the Windows platform.

Advanced
W32/AHKHeap-A is a worm for the Windows platform.

When run, W32/AHKHeap-A creates the following files:

<Temp>\MicrosoftPowerPoint\2.mp3 - can be safely removed
<Temp>\MicrosoftPowerPoint\drivelist.txt - can be safely removed
<Temp>\MicrosoftPowerPoint\Icon.ico - can be safely removed
<Temp>\MicrosoftPowerPoint\Install.txt - detected as W32/AHKHeap-A
<Temp>\MicrosoftPowerPoint\pathlist.txt - can be safely removed
<Temp>\MicrosoftPowerPoint\svchost.exe - can be safely removed
C:\heap41a\2.mp3 - can be safely removed
C:\heap41a\drivelist.txt - can be safely removed
C:\heap41a\Icon.ico - can be safely removed
C:\heap41a\reproduce.txt - detected as W32/AHKHeap-A
C:\heap41a\script1.txt - detected as W32/AHKHeap-A
C:\heap41a\std.txt - detected as W32/AHKHeap-A
C:\heap41a\svchost.exe - can be safely removed
C:\heap41a\offspring\autorun.inf - detected as W32/AHKHeap-A

W32/AHKHeap-A attempts to periodically copy itself to removeable 
drives and USB keys. The worm will attempt to create a hidden file 
Autorun.inf on the removeable drive and copy itself to the removeable 
drive as MicrosoftPowerPoint.exe.
            
The file Autorun.inf is designed to start the worm once the 
removeable drive is connected to a uninfected computer.

The following registry entries are set to run W32/AHKHeap-A on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
status
present

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
winlogon
C:\heap41a\svchost.exe C:\heap41a\std.txt

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\Hidden\SHOWALL
CheckedValue
0





Name   W32/Tilebot-JQ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.SdBot.bic

Prevalence (1-5) 2

Description
W32/Tilebot-JQ is a worm with IRC backdoor Trojan functionality.

W32/Tilebot-JQ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-JQ includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Tilebot-JQ is a worm with IRC backdoor Trojan functionality.

W32/Tilebot-JQ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-JQ includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Tilebot-JQ copies itself to <Windows>\wault.exe.

The file wault.exe is registered as a new system driver service named 
"Windows Auto Update Tool", with a display name of "Windows Auto 
Update Tool" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\Windows Auto Update Tool

The file <System>\sfc_os.dll is modified in order to disable the 
System File Checker. The modified version is detected as Disabled 
System File Check DLL.

The files <System>\ftp.exe and <System>\tftp.exe are replaced by 
non-functional versions of those applications.

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d





Name   W32/Gatina-B

Type  
    * Spyware Worm

How it spreads  
    * Email messages

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Steals information
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Gatina-B is an email and network worm.

Advanced
W32/Gatina-B is an email and network worm.

The emails sent by the worm have forged "From:" addresses and the 
following characteristics:

Subject line:

  "FILIPINO'S SECRETS"

  "LYRICS OF BAMBOO AND OTHER BOY BAND"

  "Philippines Government Top Secret"

  "New Virus Information"

  "Ukinnam Virus Information"

Message text:

  "Hi! Look the Attach Document for more details about FILIPINOS..."

  "HOY! PINOY AKO! BUO AKING LOOB MAY AGIMAT AKO... FOR MORE LYRICS 
CHECK THE ATTACH FILE..."

  "The Government of the Philippines revealed the truth. For more 
information please read the Attach file..."

  "Please read the attach file for more information about computer 
virus..."

  "If your computer has been infected by Ukinnam Virus. Open the 
attach file and follow the instruction to remove the virus..."

Attached file:

  README.DOC.exe

  INFO.DOC.exe

  TAETAE.TXT.exe

  DATA.DOC.exe

W32/Gatina-B collects email addresses from files whose extension is 
HTT, HTM, HTML, HTA, HTE, HTX, SHTML, STM, ASP, XML, DOC, RTF, TXT, 
DBX, PHP, PHP3, PTHML, JSP, SQL, EML, INI, TBB or TBI.

When first run W32/Gatina-B copies itself to:

Startup>\MSKernell.bat
<Windows>\Exit to DosPrompt.pif
<Windows>\Mails\DATA.DOC.exe
<Windows>\Mails\DOCUMENT.DOC.exe
<Windows>\Mails\INFO.DOC.exe
<Windows>\Mails\README.DOC.exe
<Windows>\Mails\TAETAE.TXT.exe
<System>\AutoRun.bat

The following registry entries are created to run Exit to 
DosPrompt.pif and AutoRun.bat on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NOYPI_KANG_ASTIG
<Windows>\Exit to DosPrompt.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
taetae
<Windows>\Exit to DosPrompt.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
TANG_INA_MO
<System>\AutoRun.bat

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
taengtae
<System>\AutoRun.bat

The following registry entries are set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
NoFindFiles
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

W32/Gatina-B closes applications whose title matches any of the 
following:

  Ad-aware 6.0 Personal
  Ad-Aware SE Personal
  Anti-Trojan - Infection Monitor
  Anti-Virus
  AntiViral Toolkit Pro
  AVG E-Mail Server Edition - Advanced Interface
  AVG E-Mail Server Edition - Basic Interface
  AVG E-Mail Server Edition - Control Centerr
  AVP
  AVP Monitor
  BitDefender
  BitDefender Sheild
  BlackICE
  Command Prompt
  Control Panel
  eTrust Antivirus - Local Scanner
  F-Secure Anti-Virus
  HijackThis
  Kaspersky Anti-Virus Monitor
  Kaspersky Anti-Virus personal
  Kaspersky Anti-Virus Scanner
  My Computer
  My Documents
  NOD32 Antivirus Program
  Norton
  Norton Antivirus
  Norton AntiVirus Porfessional
  Pop3trap
  Process Explorer
  Registry Editor
  Registry Monitor
  Registry Monitor
  Services
  Sophos Anti-Virus - SWEEP
  Spybot - Search & Destroy
  Sygate Personal Firewall Pro
  System Configuration Utility
  System Restore
  Windows Firewall
  Windows Security Center
  Windows Task Manager
  WinPatrol

W32/Gatina-B also attempts to spread to other network computers via 
network shares as a file named README.EXE.

W32/Gatina-B attempts to periodically copy itself to removeable 
drives, including floppy drives and USB keys under the following names:

  AutoRun.bat
  Exit to DosPrompt.pif
  ReadMe.scr
  MSKernell.bat

  
  
  
  
Name   Troj/DaMailer-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer

Prevalence (1-5) 2

Description
Troj/DaMailer-B is a Trojan for Windows platform.





Name   Mal/Qbot-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Dropped by malware

Prevalence (1-5) 2

Description
Mal/Qbot-A is a family of components for IRC backdoor Trojans.

Advanced
Mal/Qbot-A is a family of components for IRC backdoor Trojans.





Name   Troj/DNSChan-LT

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer

Aliases  
    * Trojan.Win32.DNSChanger.jb

Prevalence (1-5) 2

Description
Troj/DNSChan-LT is a Trojan for the Windows platform.

The Trojan includes functionality to modify the DNS setting, access 
the internet and communicate with a remote server via HTTP.





Name   Troj/Nofere-I

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-PSW.Win32.Nilage.bei
    * Win32/TrojanDownloader.Agent.NIG

Prevalence (1-5) 2

Description
Troj/Nofere-I is a Trojan for the Windows platform.

Troj/Nofere-I includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Nofere-I may download and execute files from remote locations, 
delete registry entries and kill specified processes.

Advanced
Troj/Nofere-I is a Trojan for the Windows platform.

Troj/Nofere-I includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Nofere-I may download and execute files from remote locations, 
delete registry entries and kill specified processes.

When first run Troj/Nofere-I copies itself to 
C:\Progra~1\Eset\IEXPLORER.EXE. Troj/Nofere-I may also copy itself to 
the Windows, Windows system or Temp folders.

The following registry entry is created to run IEXPLORER.EXE on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ravshell
<Program Files>\Eset\IEXPLORER.EXE

Troj/Nofere-I may set a registry entries under the following location:

HKCR\ferefile





Name   Troj/Yar-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications

Prevalence (1-5) 2

Description
Troj/Yar-A is a Trojan for the Windows platform.

Advanced
Troj/Yar-A is a Trojan for the Windows platform.

Once installed Troj/Yar-A creates the files:

<Temp>\dld_2urls_dd3_nonpack_rpolycrypt.exe - detected as Troj/Yar-A.
<Temp>\pirate_alert.exe - non malicious file that can be safely 
removed.

The file <Temp>\pirate_alert.exe is then run and will display a fake 
error message with the title "Unsupported MPEG Codec Error: Pirates 
of the Caribbean: At World's End" and the message "Unsupported MPEG 
Codec Error: Pirates of the Caribbean: At World's End. Go to official 
web site: <URL link>".

Troj/Yar-A may be spammed out via email as an zip attachment with the 
subject lines:

"Pirates of the Caribbean: At World's End -- The Official Trailer"
"Pirates of the Caribbean 3"
<no subject line>

The message body may also contain a brief synopsis of the movie.





Name   W32/Looked-DG

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * W32/HLLP.Philis.kl
    * Worm.Win32.Viking.lm

Prevalence (1-5) 2

Description
W32/Looked-DG is a virus for the Windows platform.

Advanced
W32/Looked-DG is a virus for the Windows platform.

When W32/Looked-DG is installed the following files are created:

<Windows>\Logo1_.exe
<Windows>\uninstall\rundl132.exe

The following registry entry is created to run rundl132.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe





Name   Troj/Maha-S

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Delf.tl
    * Win32/PSW.Maha.A trojan

Prevalence (1-5) 2

Description
Troj/Maha-S is a Trojan for the Windows platform.

Advanced
Troj/Maha-S is a Trojan for the Windows platform.

Troj/Maha-S includes functionality to access the internet and 
communicate with a remote server via HTTP, and also contains 
information-stealing and keylogging functionality.

When first run Troj/Maha-S copies itself to:

<Root>\me.mp3
<Windows>\testy.exe

and creates the file <Windows>\testy.dll, also detected as 
Troj/Maha-S. The file me.mp3 will then be deleted by the Trojan.

Troj/Maha-S creates the folder <Windows>\system32\drivers\ssl\06.

The file testy.exe is registered as a new system driver service named 
"Windows License ManagementA" and no display name. Registry entries 
are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Windows License ManagementA\

Troj/Maha-S may also create the file C:\ali.html.

Troj/Maha-S may create a message box with the text "STUPID KAV".





Name   Troj/Dloadr-AYS

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry
    * Dropped by malware

Aliases  
    * Trojan-Downloader.Win32.Alphabet.gen

Prevalence (1-5) 2

Description
Troj/Dloadr-AYS is a Trojan for the Windows platform.

Advanced
Troj/Dloadr-AYS is a Trojan for the Windows platform.

Once run, Troj/Dloadr-AYS attempts to connect to a remote server and 
download other content.

The following Registry entry is added to run the Trojan on system 
restart:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avp
(path and filename of executed Trojan)

 
--- MultiMail/Win32 v0.43
 * Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)