Text 196, 752 rader
Skriven 2007-07-14 13:35:00 av KURT WISMER
Ärende: News, July 14 2007
==========================
[cut-n-paste from sophos.com]
Name Troj/DwnLdr-GWQ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/DwnLdr-GWQ is a downloader Trojan for the Windows platform.
Advanced
Troj/DwnLdr-GWQ is a downloader Trojan for the Windows platform.
When run Troj/DwnLdr-GWQ copies itself to <System>\olpr.exe and creates the
following registry entry to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
olpr
olpr.exe
Registry entries may also be created under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\vvv
Troj/DwnLdr-GWQ also creates the file <System>\drivers\c656.tx. This file can
be safely removed.
Name W32/Punya-B
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Punya-B is a worm for the Windows platform.
Advanced
W32/Punya-B is a worm for the Windows platform.
The worm has the functionality to spread via network shares and removable
storage.
When run, the worm copies itself to:
\evanta44.cuex44
\Punya Administrator.exe
\WINDOWS.exe
\dago\baru.exe
\Documents and Settings\<user>Nitip.exe
\Documents and Settings\<user>\Desktop\punya.exe
<AppData>\WINDOWS\CSRSS.EXE
<AppData>\WINDOWS\LSASS.EXE
<AppData>\WINDOWS\SERVICES.EXE
<AppData>\WINDOWS\SMSS.EXE
<AppData>\WINDOWS\WINLOGON.EXE
<Startup>\adobe.com
<Windows>\debug.cmd
<Windows>\evanta44.scr
<Windows>\fad.bin
<Windows>\Dago\CueX44.exe
<Windows>\Dago\Dago.exe
<Windows>\Firewall\Firewall.com
<Windows>\Media\Windows.cmd
<System>\oledb32.exe
<System>\server.exe
<System>\system.dll
<System>\config\systemprofile\Local Settings\Application Data\fault.exe
<System>\config\systemprofile\Local Settings\Application Data\Micro.exe
<System>\config\systemprofile\Local Settings\Application Data\tic.exe
<System>\config\systemprofile\Local Settings\Application Data\Word.exe
<User>\.exe
The following files are created:
\dasar cewek.htm
<System>\Oeminfo.ini
<Windows>\sys.bat
These files are detected as W32/Punya-B.
The following registry entries are created:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ServicesAdministrator
C:\Documents and Settings\Administrator\Local Settings\Application
Data\WINDOWS\SERVICES.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SQL
<System>\server.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
User
<User>\.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Winlogon
C:\Documents and Settings\Administrator\Local Settings\Application
Data\WINDOWS\WINLOGON.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Administrator di Dago
<Windows>\Dago\Dago.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Csrss
C:\Documents and Settings\Administrator\Local Settings\Application
Data\WINDOWS\CSRSS.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CueX44
<Windows>\Dago\Dago.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Lsass
C:\Documents and Settings\Administrator\Local Settings\Application
Data\WINDOWS\LSASS.EXE
$NAME changes settings for Microsoft Internet Explorer, including the Start
Page, by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
The following registry entries are set, disabling the registry editor
(regedit), the Windows task manager (taskmgr) and the command prompt:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\\config\systemprofile\Local Settings\Application
Data\tic.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\\Media\Windows.cmd
Name W32/Rbot-GSB
Type
* Worm
How it spreads
* Network shares
* Web browsing
Affected operating systems
* Windows
Side effects
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Enables remote access
* Scans network for vulnerabilities
* Scans network for weak passwords
Prevalence (1-5) 2
Description
W32/Rbot-GSB is a worm for the Windows platform.
Advanced
W32/Rbot-GSB is a worm for the Windows platform.
W32/Rbot-GSB includes functionality to access the internet and communicate with
a remote server via HTTP.
When first run W32/Rbot-GSB copies itself to the Windows folder as
navapsvc.exe. The worm installs itself as a service with the name navapsvc, set
to start automatically on startup. Configuration details are stored within the
following Registry entry:
HKLM\SYSTEM\CurrentControlSet\Services\navapsvc
Name Troj/Bond-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Bond-B is a downloading Trojan for the Windows platform.
Name Troj/Dloadr-BBT
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Dloadr-BBT is a Trojan for the Windows platform.
The Trojan includes functionality to access the internet and communicate with a
remote server via HTTP.
Name Troj/Dropper-QL
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Dropper-QL is a Trojan for the Windows platform.
Advanced
Troj/Dropper-QL is a Trojan for the Windows platform.
Troj/Dropper-QL includes functionality to access the internet and communicate
with a remote server via HTTP.
When Troj/Dropper-QL is installed the following files are created:
<System>\rsvp32_2.dll- detected as Troj/SpamToo-AR.
<System>\sporder.dll - Clean File
<Windows>\zupacha.exe - detected as Troj/SpamToo-AR.
The following registry entry is created to run zupacha.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Root>\WINDOWS
zupacha.exe
<Windows>\zupacha.exe
Name W32/SmallVBS-A
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Drops more malware
* Installs itself in the Registry
Aliases
* Virus.VBS.Small.a
* VBS/Autorun.C@troj
* VBS/Small.NAB
* VBS_SMALL.JAJ
Prevalence (1-5) 2
Description
W32/SmallVBS-A is a Visual Basic Script worm for the Windows platform.
Advanced
W32/SmallVBS-A is a Visual Basic Script worm for the Windows platform.
When first run W32/SmallVBS-A copies the following files the Windows System
folder:
-autorun.bat
-autorun.vbs
-autorun.inf
-autorun.reg
A file called sxs.exe is also copied into System folder. At the the time of
writing, this file was unavailable.
The following registry entry is created to run sxs.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
autorun
sxs.exe
The following registry entry is created to run W32/SmallVBS-A on startup:
HKLMACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe,autorun.bat
The following registry entries are also created to hide W32/SmallVBS-A:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
dword:00000000
Hidden
dword:00000002
W32/SmallVBS-A spreads itself via removeable drives.
Name W32/Stap-E
Type
* Worm
How it spreads
* Email messages
* Network shares
Affected operating systems
* Windows
Side effects
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* W32.Yourip
* Email-Worm.Win32.VB.ao
* Win32/VB.NCQ
* WORM_VB.SH
Prevalence (1-5) 2
Description
W32/Stap-E is a worm for the Windows platform.
W32/Stap-E has the functionalities to:
- spread by network shares
- send mail to email addresses found on the infected computer
Advanced
W32/Stap-E is a worm for the Windows platform.
W32/Stap-E has the functionalities to:
- spread by network shares
- send mail to email addresses found on the infected computer
When run, W32/Stap-E copies itself as the following files:
<Startup>\Office_viewer.exe
<Program files>\StartUp\readme.exe
<Program files>\StartUp\net.exe
<Program files>\StartUp\biblezip.exe
<Program files>\MSDTC.exe
<Startup>\MSDTC.exe
virusdefupdate_zip
LANdriver_zip
chikka_zip
yahoomgr_zip
pictures_zip
winupdate_zip
A:\documents_zip.exe
When run, W32/Stap-E creates the following files:
C:\clog.tmp
C:\plog.tmp
C:\yourip.tmp
The files clog.tmp, plog.tmp and yourip.tmp can be deleted safely.
When run, W32/Stap-E sets the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rundll32
<Program files>\MSDTC.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Common Startup
<Startup>\Office_viewer.exe
HKLM\SOFTWARE\Microsoft
micro
<Date and time of worm execution>
Name W32/VB-DWP
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Aliases
* Trojan.Win32.VB.axf
* destructive program named W32/Trojan.ALGE
Prevalence (1-5) 2
Description
W32/VB-DWP is a worm for the Windows platform.
Advanced
W32/VB-DWP is a worm for the Windows platform.
When first run W32/VB-DWP sets the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
ff
W32/VB-DWP also creates copies of itself on removable devices, as well as a
file named autorun.inf in order to launch itself automatically when the device
is connected to a new computer.
Name W32/Nafbot-B
Type
* Worm
How it spreads
* Removable storage devices
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Nafbot-B is a worm for the Windows platform.
Advanced
W32/Nafbot-B is a worm for the Windows platform.
W32/Nafbot-B spreads via Peer-to-Peer file sharing services and removable
floppy drives.
When first run W32/Nafbot-B copies itself to:
<Windows>\services.exe
<System>\DRIVERS32.com
<Windows>\temper\services.exe
and creates the following files:
<Root>\fsnapa.snp
<Root>\rsnapa.snp
<Windows>\ousr32.dll
These files may be safely deleted.
W32/Nafbot-B creates a number of registry entries in order to start itself on
startup.
W32/Nafbot-B changes settings for Microsoft Internet Explorer by modifying
values under:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableChangePassword
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableLockWorkstation
0
Registry entries are created under:
HKLM\SOFTWARE\Dark_syde_fish
Name Troj/TinyDl-L
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/TinyDl-L is a downloader Trojan for the Windows platform.
Name W32/Spybot-NY
Type
* Spyware Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
Aliases
* P2P-Worm.Win32.SpyBot.gl
Prevalence (1-5) 2
Description
W32/Spybot-NY is a worm for the Windows platform.
Name Troj/Proxy-HV
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Enables remote access
Prevalence (1-5) 2
Description
Troj/Proxy-HV is a Trojan for the Windows platform.
Advanced
Troj/Proxy-HV is a Trojan for the Windows platform.
When Troj/Proxy-HV is installed it creates the file <System>\ntos.exe. The
following registry entry is changed to run ntos.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\ntos.exe,
Name Troj/BHO-CR
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/BHO-CR is a Trojan for the Windows platform.
Advanced
Troj/BHO-CR is a Trojan for the Windows platform.
Troj/BHO-CR installs itself as a browser helper object.
Troj/BHO-CR creates the following registry tree to start itself:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\{00000000-0000-0000-0000-000000000000}
Name W32/Feebs-BT
Type
* Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Feebs-BT is a worm for the Windows platform.
Advanced
W32/Feebs-BT is a worm for the Windows platform.
When first run W32/Feebs-BT copies itself to \mstc.exe and creates the file \s.
- detected as Mal/Packer.
The following registry entry is created to run mstc.exe on startup:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed
Components\{316A0EE6-D4D0-97EE-01C5-8F0F00017C3F}
StubPath
\mstc.exe
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\MSAE
Name Troj/Zlob-ADH
Type
* Trojan
Affected operating systems
* Windows
Aliases
* W32/new-malware!Maximus
* PAK_Generic.001
Prevalence (1-5) 2
Description
Troj/Zlob-ADH is a Trojan for the Windows platform.
Advanced
Troj/Zlob-ADH is a Trojan for the Windows platform.
Troj/Zlob-ADH includes functionality to connect to the internet and communicate
with a remote server using HTTP.
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
|