Text 3, 866 rader
Skriven 2004-08-22 18:47:00 av KURT WISMER (1:123/140)
Ärende: News, Aug. 22 2004
==========================
[cut-n-paste from sophos.com's new, less convenient format... i won't be
doing any with a prevalence indicator of 1 as that seems to correspond
with 'no reports of users affected by this {whatever}' and if it isn't
in the wild, the 'public service announcement' value just isn't there]
Name W32/Agobot-MF
Type
* Worm
How it spreads
* Network shares
* Web browsing
* Web downloads
* Chat programs
Vulnerable operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Aliases
* Backdoor.Agobot.gen
Prevalence (1-5) 2
Description
W32/Agobot-MF is an IRC backdoor Trojan and network worm that is capable
of spreading to computers on the local network protected by weak
passwords.
Advanced
W32/Agobot-MF is an IRC backdoor Trojan and network worm.
W32/Agobot-MF is capable of spreading to computers on the local network
protected by weak passwords.
When first run W32/Agobot-MF moves itself to the Windows system folder
as syxstem32.exe and creates the following registry entries to run
itself on system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WSAConfiguration = syxtem32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
WSAConfiguration = syxtem32.exe
On NT-based versions of Windows the worm creates a new service named
"WSAConfiguration" with the startup property set to automatic, so that
the service starts automatically each time Windows is started.
Each time W32/Agobot-MF is run it attempts to connect to a remote IRC
server and join a specific channel. The worm then runs continuously in
the background, allowing a remote intruder to access and control the
computer via IRC channels.
W32/Agobot-MF attempts to terminate and disable various anti-virus and
security related programs.
W32/Agobot-MF attempts to restrict access to several anti-virus and
security related websites by appending the following to the HOSTS file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
Name W32/Rbot-GR
Type
* Worm
How it spreads
* Network shares
Vulnerable operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Uses its own emailing engine
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Rbot.gen
* W32/Sdbot.worm.gen.g
* W32.Spybot.Worm
Prevalence (1-5) 2
Description
W32/Rbot-GR is a worm with backdoor Trojan functionality.
W32/Rbot-GR is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command. The worm may also spread by exploiting a number of
vulnerabilities.
W32/Rbot-GR may be used to steal passwords and product keys from a
number of games and applications.
Advanced
W32/Rbot-GR is a worm with backdoor Trojan functionality.
W32/Rbot-GR is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
W32/Rbot-GR may also spread by exploiting the following vulnerabilities:
WebDav (MS03-007)
DCOM (MS03-039, MS04-012)
UPNP (MS01-059)
Microsoft SQL servers with weak passwords.
Buffer overflow in certain versions of DameWare (CAN-2003-1030)
Backdoors left open by other worms and Trojans such as W32/MyDoom,
Troj/Optix, Troj/Kuang and Troj/NetDevil.
When first run, W32/Rbot-GR copies itself to the Windows system folder
as SYSTEMC32.EXE and runs this copy of the worm. The copy will then
attempt to delete the original file. In order to run each time Windows
is started, W32/Rbot-GR will set the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Updates = systemc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Updates = systemc32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Updates = systemc32.exe
The worm runs continuously in the background providing backdoor access
to the infected computer.
The backdoor component of W32/Rbot-GR may be used to:
* Initiate distributed denial-of-service (DDOS) attacks using ICMP,
SYN and UDP.
* Redirect TCP and SOCKS4 traffic.
* Provide a remote login shell.
* Download, upload, delete and execute files.
* Set up an HTTP and TFTP file server.
* Steal passwords (including PayPal account information).
* Log key presses.
* Capture screenshots.
* Capture webcam screenshots and videos.
* List and kill processes.
* Open and close vulnerabilities.
* Port scan for vulnerabilities on other remote machines.
* Send emails as specified by the remote user.
* Flush the DNS and ARP caches.
* Shut down the machine.
W32/Rbot-GR may be used to steal registration and key details from
several computer games including:
Counter-Strike
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Legends of Might and Magic
Soldiers Of Anarchy
Microsoft Windows Product ID
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Generals (Zero Hour)
James Bond 007: Nightfire
Command and Conquer: Generals
Global Operations
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Shogun: Total War: Warlord Edition
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
Chrome
NOX
Hidden & Dangerous 2
Soldier of Fortune II - Double Helix
Neverwinter Nights
Neverwinter Nights (Shadows of Undrentide)
Neverwinter Nights (Hordes of the Underdark)
W32/Rbot-GR may alter the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
W32/Rbot-GR may create and delete network shares on the infected
computer.
Name W32/Rbot-GP
Type
* Worm
How it spreads
* Network shares
Vulnerable operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits known vulnerabilites
Aliases
* Backdoor.Rbot.gen
* W32/Sdbot.worm.gen.n
* W32.Spybot.Worm
Prevalence (1-5) 2
Description
W32/Rbot-GP is a worm which attempts to spread to remote network shares
and also contains backdoor Trojan functionality allowing unauthorised
access to an infected computer.
Advanced
W32/Rbot-GP is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-GP moves itself to the Windows system folder as wuamgrd.exe and
creates the following registry entries to ensure it is run at system
logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wuamgrd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wuamgrd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = wuamgrd.exe
W32/Rbot-GP speads to network shares with weak passwords and via network
security exploits.
W32/Rbot-GP will also download and execute remote files on the infected
computer, log key strokes, retrieve information such as CD keys for
various games and flood other computers with network packets.
Name W32/Rbot-GS
Type
* Worm
How it spreads
* Network shares
Vulnerable operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits known vulnerabilites
* Used in DOS attacks
Aliases
* Backdoor.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-GS spreads by exploiting vulnerabilities, network services with
weak passwords and backdoors opened by other worms.
W32/Rbot-GS allows unauthorised remote access to the infected computer.
The operating system vulnerabilities exploited by W32/Rbot-GS are
addressed by MS04-011, MS03-039, MS03-007 and MS01-059.
Advanced
W32/Rbot-GS is a network worm and backdoor Trojan for the Windows
platform.
W32/Rbot-GS allows a malicious user remote access to an infected
computer.
The worm copies itself to scvhost.exe in the Windows system folder and
creates the following registry entries to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Machine = scvhost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Machine = scvhost.exe
HKCU\Software\MicrosoftWindows\CurrentVersion\Run\
Microsoft Update Machine = scvhost.exe
W32/Rbot-GS spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating
system vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and
using backdoors opened by other worms or Trojans.
W32/Rbot-GS can be controlled by a remote attacker over IRC channels.
The infected computer can be used to perform any of the following
functions:
Proxy server (SOCKS4)
HTTP server
File system manipulation
Port scanner
DDoS floods (TCP,UDP,SYN)
Remote shell (RLOGIN)
Packet sniffer
Key logger
Patches for the operating system vulnerabilities exploited by
W32/Rbot-GS can be obtained from Microsoft at:
MS04-011
MS03-039
MS03-007
MS01-059
Name W32/Rbot-GO
Type
* Worm
How it spreads
* Network shares
Vulnerable operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
Aliases
* Backdoor.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-GO is a worm which attempts to spread to remote network shares.
W32/Rbot-GO also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels.
Advanced
W32/Rbot-GO is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-GO spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers and exploiting operating
system vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP).
W32/Rbot-GO can be controlled by a remote attacker over IRC channels.
W32/Rbot-GO moves itself to the file MSNMSG.EXE in the Windows system
folder and creates entries at the following locations in the registry so
as to run itself on Windows login:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
msn = msnmsg.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
msn = msnmsg.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
msn = msnmsg.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
msn = msnmsg.exe
W32/Rbot-GO may also set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-GO attempts to terminate processes relating to the following
files:
regedit.exe
netstat.exe
msblast.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
taskmon_exe
wincfg32.exetaskmon.exe
PandaAVEngine.exe
sysinfo.exe
mscvb32.exe
MSBLAST.exe
teekids.exe
Penis32.exe
bbeagle.exe
SysMonXP.exe
winupd.exe
winsys.exe
ssate.exe
rate.exe
d3dupdate.exe
irun4.exe
i11r54n4.exe
Patches for the operating system vulnerabilities exploited by
W32/Rbot-GO can be obtained from Microsoft at:
MS04-011
MS03-026
MS03-007
MS01-059
Name Troj/Banker-K
Type
* Trojan
Vulnerable operating systems
* Windows
Side effects
* Steals credit card details
* Records keystrokes
Prevalence (1-5) 2
Description
Troj/Banker-K attempts to steal login credentials for Brazilian online
banking sites.
In order to run automatically when Windows starts up the Trojan drops
the file svchost.exe into the Windows system folder and adds the
registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost
pointing to this file.
Troj/Banker-K also drops the files bb.exe, bmb.exe, bnet.exe, bra.exe,
gf.exe and itau.exe into the Windows system folder.
Name W32/Lovgate-W
Type
* Worm
How it spreads
* Email messages
* Network shares
* Peer-to-peer
Vulnerable operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 3
Description
W32/Lovgate-W is a worm with the backdoor functionality that spreads via
email, network shares with weak passwords and filesharing networks.
When executed W32/Lovgate-W creates a background process with the name
"LSASS.EXE", copies itself to the Windows system folder, sets registry
entries, extracts a backdoor component as a DLL file, harvests email
addresses from *.ht files and sends itself out.
In order to run automatically when Windows starts up W32/Lovgate-W
creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Program In Windows = C:\WINDOWS\System32\IEXPLORE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
SystemTra = C:\WINDOWS\SysTra.EXE.
where EXE is a worm copy and a DLL is a backdoor component.
W32/Lovgate-W copies itself to the available filesharing networks shared
folders and subfolders with a filename chosen from:
Are you looking for Love.doc.exe
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Name W32/Tzet-B
Type
* Worm
How it spreads
* Network shares
Vulnerable operating systems
* Windows
Side effects
* Drops more malware
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.Tzet
* W32/Tzet.worm.e
* Win32/Tzet.A.dropper
Prevalence (1-5) 2
Description
W32/Tzet-B is a network worm.
W32/Tzet-B searches the local network for computers with weak or no
passwords on the administrator or admin accounts to which it can copy
itself.
Advanced
W32/Tzet-B is a network worm. When run the worm creates the following
files in the folder C:\<Windows>\System32:
AUTHEXEC.BAT - A batch file used by the worm and detected as W32/Tzet-A.
IGLMTRAY.EXE - Detected by Sophos Anti-Virus as Troj/Flood-DP
IGLXTRAY.EXE - Detected by Sophos Anti-Virus as Troj/Flood-DP
LRSS.INI - A mIRC config file used by the worm and detected as W32/Tzet-A.
MDDE32.EXE - A clean utility for terminating processes.
NNA.EXE - A Trojan downloaded detected bp Sophos Anti-Virus as
Troj/Apher-H.
PRINTF_CORE.EXE - Detected by Sophos Anti-Virus as Troj/Delsha-C
VIDRIV.EXE - A clean utility to hide/show windows.
WMPT.EXE - A clean utility called PSExec.
WSUBSYS.WAV - The main component of this worm.
XCOPY.DLL - A text file containing a list of IP domains.
The worm adds the following registry entry to run the file iglmtray.exe
when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WUPD
W32/Tzet-B searches the local network for computers with weak or no
passwords on the administrator or admin accounts to which it can copy
itself.
Name W32/Agobot-ME
Type
* Worm
How it spreads
* Network shares
Vulnerable operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Agobot.gen
Prevalence (1-5) 2
Description
W32/Agobot-ME is an IRC backdoor Trojan and network worm which also
terminates and disables various anti-virus and security related programs.
Advanced
W32/Agobot-ME is an IRC backdoor Trojan and network worm.
W32/Agobot-ME is capable of spreading to computers on the local network
protected by weak passwords.
When first run W32/Agobot-ME moves itself to the Windows system folder
as mssvc32.exe and creates the following registry entries to run itself
on system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
mssvc32 = mssvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
mssvc32 = mssvc32.exe
On NT-based versions of Windows the worm creates a new service named
"mssvc32" with the startup property set to automatic, so that the
service starts automatically each time Windows is started.
Each time W32/Agobot-ME is run it attempts to connect to a remote IRC
server and join a specific channel. The worm then runs continuously in
the background, allowing a remote intruder to access and control the
computer via IRC channels.
W32/Agobot-ME attempts to terminate and disable various anti-virus and
security related programs.
W32/Agobot-ME attempts to restrict access to several anti-virus and
security related websites by appending the following to the HOSTS file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
Name Troj/Winflux-B
Type
* Trojan
Vulnerable operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Flux.d
* TrojanSpy.Win32.Flux.a
Prevalence (1-5) 2
Description
Troj/Winflux-B is backdoor Trojan for the Windows platform.
Troj/Winflux-B can be used by a remote attacker to control an infected
computer and steal information.
Advanced
Troj/Winflux-B is backdoor Trojan for the Windows platform.
Troj/Winflux-B can be used by a remote attacker to control an infected
computer and steal information.
When first run, Troj/Winflux-B may copy itself to the Windows or Windows
system folder. The Trojan may then delete the original file.
In order to hide from the user, Troj/Winflux-B may inject its code into
a running process such as Explorer, MSN Messenger or any other process
specified by the creator of the Trojan.
In order to run automatically each time Windows is started,
Troj/Winflux-B may set the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<Name> = <Trojan path>
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\*<Name> = <Trojan
path>
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Name> = <Trojan path>
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*<Name> = <Trojan
path>
The Trojan has the ability to monitor these autostart entries and may
restore them if they are deleted.
Troj/Winflux-B may also set the following additional registry entries:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(CLASS ID)\
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(CLASS ID)\
StubPath = <Trojan path> <Number>
where CLASS ID is a randomly generated Class ID number sequence.
Troj/Winflux-B gives remote attackers control of an infected computer.
The Trojan allows an attacker to:
* Create screen captures.
* Create Webcam captures.
* Log key presses.
* Log entered passwords.
* Download and execute files.
* Control an infected machine's Windows environment.
* Display message boxes.
* List and kill processes and tasks.
* Shut down, log off or reboot an infected machine.
* Update the server.
* Disconnect and reconnect an infected machine from the internet.
* Install a SOCKS4 proxy.
Name W32/Wort-A
Type
* Worm
Vulnerable operating systems
* Windows
Side effects
* Downloads code from the internet
* Exploits known vulnerabilites
Prevalence (1-5) 2
Description
W32/Wort-A is a networm worm which exploits the LSASS (MS04-011)
vulnerability.
W32/Wort-A may download files from the internet.
Advanced
W32/Wort-A is a worm which spreads by exploting the LSASS vulnerability.
The worm sets the following registry entry to ensure that it is run each
time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinLsass
W32/Wort-A randomly generates IPs to infect. The worm may also attempt
to download a file from the internet.
A patch for the vulnerability exploited by the worm is available from
Microsoft.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|