Text 41, 1911 lines
Written 2005-02-20 23:47:00 by KURT WISMER (1:123/140)
Subject: News, Feb. 20 2005
==========================
[cut-n-paste from sophos.com]
Name W32/MyDoom-O
Type
* Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Aliases
* WORM_MYDOOM.M
* I-Worm.Mydoom.m
* W32/Mydoom.bb
Prevalence (1-5) 4
Description
W32/MyDoom-O is an email worm. When first run, the worm copies itself to
either the Windows or Temp folders as java.exe, and adds one of the
following registry entries to ensure that the copy is run each time
Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
W32/MyDoom-O also creates a file named services.exe in the Windows or
Temp folder and runs the file. Services.exe is a backdoor component.
W32/MyDoom-O searches the hard disk for email addresses. The worm searches
files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB
and DBX and the Windows address book. In addition the worm may use an
internet search engine to find more email addresses. The worm will send
a query to the search engine using domain names from email addresses
found on the hard disk and then examine the query results, searching for
more addresses. The internet search engines used by W32/MyDoom-O and the
percentage chance that each is used are:
www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)
When choosing addresses to send itself to, W32/MyDoom-O will avoid
addresses which contain any of the following strings:
mailer-d
spam
abuse
master
sample
accoun
privacycertific
bugs
listserv
submit
ntivi
support
admin
page
the.bat
gold-certs
ca
feste
not
help
foo
no
soft
site
rating
me
you
your
someone
anyone
nothing
nobody
noone
info
winrar
winzip
rarsoft
sf.net
sourceforge
ripe.
arin.
google
gnu.
gmail
seclist
secur
bar.
foo.com
trend
update
uslis
domain
example
sophos
yahoo
spersk
panda
hotmail
msn.
msdn.
microsoft
sarc.
syma
avp
The email sent by the worm has a spoofed sender.
The subject line may be blank or one of the following:
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
The message text of the email is constructed from a set of optional
strings within the worm. The message sent is blank or similar to one of
the following messages:
Dear user of <domain>
Mail server administrator of <domain> would like to inform you that We
have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week. We
suspect that your computer had been compromised by a recent virus and
now runs a trojan proxy server. Please follow our instructions in the
attachment file in order to keep your computer safe. Virtually yours
<domain> user support team.
The message could not be delivered
The original message was included as attachment
The original message was received at <time> from <address>
----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
>>> MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not
reachable within the allowed queue period. The amount of time a message
is queued before it is returned depends on local configuration
parameters. Most likely there is a network problem that prevented
delivery, but it is also possible that the computer is turned off, or
does not have a mail system running right now.
Your message was not delivered within <number> days: Mail server
<hostname> is not responding. The following recipients did not receive
this message: <address> Please reply to postmaster@<domain> if you feel
this message to be in error.
The attached file may be named similarly to the recipient's username or
domain or using one of the following names:
readme
instruction
transcript
mail
letter
file
text
attachment
document
message
with an optional extension of DOC, TXT, HTM, HTML and a final extension
of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a zip
file containing a file named as described.
Name W32/MyDoom-BC
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Mydoom.am
* W32/Mydoom.bc@MM
* W32/Mydoom.db@MM
* Worm.Mydoom.M-2
Prevalence (1-5) 2
Description
W32/MyDoom-BC is an email worm for the Windows platform.
Email sent by the worm has characteristics similar to the following
examples:
Subject line:
hi
error
test
Message could not be delivered
Message body:
Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.
Attached file:
attachment.com
letter.zip
<username>.exe
Advanced
W32/MyDoom-BC is an email worm. When first run, the worm copies itself
to either the Windows or Temp folders as java.exe, and adds one of the
following registry entries to ensure that the copy is run each time
Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
W32/MyDoom-BC also creates a file named services.exe in the Windows or
Temp folder and runs the file. Services.exe is a backdoor component.
W32/MyDoom-BC searches the hard disk for email addresses. The worm searches
files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB
and DBX and the Windows address book. In addition the worm may use an
internet search engine to find more email addresses. The worm will send
a query to the search engine using domain names from email addresses
found on the hard disk and then examine the query results, searching for
more addresses. The internet search engines used by W32/MyDoom-BC and
the percentage chance that each is used are:
www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)
When choosing addresses to send itself to, W32/MyDoom-BC will avoid
addresses which contain any of the following strings:
abuse
accoun
admin
anyone
arin.
avp
bar.
bugs
ca
domain
example
feste
foo
foo.com
gmail
gnu.
gold-certs
google
help
hotmail
info
listserv
mailer-d
master
me
microsoft
msdn.
msn.
no
nobody
noone
not
nothing
ntivi
page
panda
privacycertific
rarsoft
rating
ripe.
sample
sarc.
seclist
secur
sf.net
site
soft
someone
sophos
sourceforge
spam
spersk
submit
support
syma
the.bat
trend
update
uslis
winrar
winzip
yahoo
you
your
The email sent by the worm has a spoofed sender.
The subject line may be blank or one of the following:
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
The message text of the email is constructed from a set of optional
strings within the worm. The message sent is blank or similar to one of
the following messages:
Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.
The message could not be delivered
The original message was included as attachment
The original message was received at <time> from <address>
----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
>>> MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within <number> days:
Mail server <hostname> is not responding.
The following recipients did not receive this message:
<address>
Please reply to postmaster@<domain>
if you feel this message to be in error.
The attached file may be named similarly to the recipient's username or
domain or using one of the following names:
attachment
document
file
instruction
letter
mail
message
readme
text
transcript
with an optional extension of DOC, TXT, HTM, HTML followed by a number
of spaces and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The
attached file may also be a zip file containing a file named as
described.
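As an added example (Python, not part of the Sophos text or this post), a filter that flags attachment names built the way the two MyDoom descriptions above describe: an executable final extension, optionally preceded by a decoy document extension and, for W32/MyDoom-BC, a run of spaces pushing the real extension out of view. The extension sets come from the descriptions; the sample names and the zip archive are constructed, and member names inside a zip are classified without extracting anything.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Final (executable) and decoy (document) extensions as given in the
# MyDoom-O / MyDoom-BC descriptions above.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif"}
DECOY_EXTS = {"doc", "txt", "htm", "html"}

# <base>[.<decoy ext>][<spaces>].<final ext>
# The optional run of spaces is the padding trick described for MyDoom-BC:
# it pushes the real extension out of a narrow attachment column.
_NAME_RE = re.compile(
    r"^(?P<base>.+?)"                 # anything, shortest match
    r"(?:\.(?P<decoy>[A-Za-z]+))?"    # optional decoy extension
    r"(?P<pad> *)"                    # optional space padding
    r"\.(?P<ext>[A-Za-z]+)$"          # the extension Windows actually honours
)


def classify_attachment_name(name: str) -> Optional[str]:
    """Return a reason string if the attachment name looks like a disguised
    executable in the MyDoom style, or None if it is not executable at all."""
    m = _NAME_RE.match(name.strip())
    if not m:
        return None
    ext = m.group("ext").lower()
    if ext not in EXECUTABLE_EXTS:
        return None
    decoy = (m.group("decoy") or "").lower()
    if decoy in DECOY_EXTS and m.group("pad"):
        return "executable with space-padded decoy extension"
    if decoy in DECOY_EXTS:
        return "executable with double extension"
    return "bare executable attachment"


def suspicious_names_in_zip(data: bytes) -> List[Tuple[str, str]]:
    """Classify member names of a zip attachment without extracting anything.
    Returns (member name, reason) for each member that looks executable."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = classify_attachment_name(info.filename)
            if reason:
                hits.append((info.filename, reason))
    return hits


def build_sample_zip(member_names: List[str]) -> bytes:
    """Constructed test data: a zip holding empty members with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample names modelled on the descriptions above.
    for sample in ["readme.txt    .exe", "transcript.doc.pif", "jsmith.exe",
                   "letter.zip", "document.txt"]:
        print(f"{sample!r:28} -> {classify_attachment_name(sample)}")
    archive = build_sample_zip(["instruction.htm      .scr", "notes.txt"])
    print(suspicious_names_in_zip(archive))
```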
W32/MyDoom-BC drops a file named services.exe in the Windows or Temp
folder and runs the file.
Services.exe adds the following registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
services
<Windows or Temp folder>\services.exe
W32/MyDoom-BC also attempts to download and run files from several
websites.
Name W32/Rbot-WF
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Prevalence (1-5) 2
Description
W32/Rbot-WF is a worm with backdoor Trojan functionality.
W32/Rbot-WF is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command. The worm can also spread by exploiting a number of software
vulnerabilities.
W32/Rbot-WF will attempt to terminate a number of anti-virus and
security related applications, along with other malware.
Advanced
W32/Rbot-WF is a worm with backdoor Trojan functionality.
W32/Rbot-WF is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
W32/Rbot-WF will attempt to spread by exploiting the following
vulnerabilities:
DCOM (MS04-012)
LSASS and IIS5SSL (MS04-011)
WebDav (MS03-007)
UPNP (MS01-059)
Buffer overflow in certain versions of DameWare (CAN-2003-1030)
Microsoft SQL servers with weak passwords
Backdoors left open by other malware
When first run, W32/Rbot-WF copies itself to the Windows system folder
as SVCHOSTDLL.EXE and runs this copy of the worm. The copy will then
attempt to delete the original file. In order to run each time a user
logs in, W32/Rbot-WF will set the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN Beta
SVCHOSTdll.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSN Beta
SVCHOSTdll.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN Beta
SVCHOSTdll.exe
The worm runs continuously in the background providing backdoor access
to the infected computer over IRC channels.
W32/Rbot-WF will set the following registry entries in order to disable
DCOM and close restrictions on IPC$ shares:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
W32/Rbot-WF can add and delete network shares and users on the infected
computer.
W32/Rbot-WF will attempt to terminate the following processes:
bbeagle.exe
d3dupdate.exe
i11r54n4.exe
irun4.exe
msblast.exe
MSBLAST.exe
msconfig.exe
mscvb32.exe
navapw32.exe
navw32.exe
netstat.exe
PandaAVEngine.exe
Penis32.exe
rate.exe
regedit.exe
ssate.exe
sysinfo.exe
SysMonXP.exe
teekids.exe
wincfg32.exe
taskmon.exe
winsys.exe
winupd.exe
zapro.exe
zonealarm.exe
Name Troj/Lineage-D
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Records keystrokes
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Lineage-D is a password-stealing Trojan for the Windows platform.
Troj/Lineage-D logs keystrokes for the game Lineage II and emails the
author with the results.
Advanced
Troj/Lineage-D is a password-stealing Trojan for the Windows platform.
Troj/Lineage-D logs keystrokes for the game Lineage II and emails the
author with the results.
Troj/Lineage-D copies itself to the Windows system folder as
"ttplorer.exe" and creates a DLL keylogging component "ttinject.dll" as
well as the text file "ttdata32.dll" to keep the keylog results.
Troj/Lineage-D creates the following registry entry to run itself
automatically on system login or startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Scvhost
<Windows system>\ttplorer.exe
Name W32/Assiral-A
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Assiral-A is a mass mailing worm which attempts to spread itself by
sending emails with the following characteristics to addresses found in
the victim's address book:
Subject: Re: LOV YA!
Body: Kindly read and reply to my LOVE LETTER in the attachments :-)
Attachment: LOVE_LETTER.TXT.exe
W32/Assiral-A will attempt to copy itself to floppy drives and network
shares.
On opening the attachment, W32/Assiral-A will open a web page through
Internet Explorer at geocities.com. W32/Assiral-A will attempt to modify
Internet Explorer's homepage to the same page.
It will also attempt to kill off various security related applications
and disable various capabilities of Windows.
Advanced
W32/Assiral-A will drop the following files into the system:
C:\message.txt
%Windows%\SpoolMgr.exe
%Windows%\love_letter.txt.exe
%System32%\MS_LARISSA.exe
C:\windows\winvbs_32.vbs
C:\windows\system32\reg_32.vbs
C:\larissa_anti_bropia.html
It will attempt to autostart itself with the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
MS_LARISSA = %system32%\MS_LARISSA.exe
HKLM\software\microsoft\windows\currentversion\run
spoolsv manager = %windows%\SpoolMgr.exe
And set the following registry entries:
HKCR\software\microsoft\windows\currentversion\policies\system\
noadminpage = 1
HKCR\software\microsoft\windows\currentversion\policies\explorer\
dword:03ffffff
HKCR\software\microsoft\windows\currentversion\policies\system\
disableregistrytools = 1
HKCR\software\microsoft\windows\currentversion\policies\explorer\
norun = 1
HKCR\software\microsoft\windows\currentversion\policies\winoldapp\
disabled = 1
HKCU\Software\Microsoft\WAB\
Contacts = <number of contact in outlook address book>
which will disable various administration functions in Windows.
W32/Assiral-A may periodically create a pop-up window to display the
contents of C:\larissa_anti_bropia.html.
Name W32/MyDoom-AS
Type
* Worm
How it spreads
* Email attachments
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* W32/Mydoom.ba@MM
Prevalence (1-5) 2
Description
W32/MyDoom-AS is a mass-mailing and peer-to-peer worm which emails
itself as an attachment to addresses found on the infected computer.
When run, W32/MyDoom-AS will launch Notepad with garbage which serves as
a decoy.
W32/MyDoom-AS may also create a file hserv.sys in the Windows system
folder. This file is non-malicious and can be safely deleted.
Advanced
W32/MyDoom-AS is a mass-mailing and peer-to-peer worm which emails
itself as an attachment to addresses found on the infected computer.
When run, W32/MyDoom-AS will launch Notepad with garbage which serves
as a decoy.
When first run the worm copies itself to the Windows system folder as
lsasrv.exe and creates the following registry entry so as to auto-start
on computer reboot:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
lsass
%SYSTEM%\lsasrv.exe
On Windows 2000 and Windows XP systems the worm will also modify the
Explorer shell association by changing the following registry entry
from:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer
to:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer %SYSTEM%\lsasrv.exe
W32/MyDoom-AS may also create a file hserv.sys in the Windows system
folder. This file is non-malicious and can be safely deleted.
W32/MyDoom-AS will attempt to copy itself to peer-to-peer folders of
KaZaa, Morpheus, iMesh, eDonkey2000 and LimeWire using the following
filenames (with an extension chosen from: PIF, SCR, EXE OR BAT):
activation_crack
Ad-awareref01R349
adultpasswds
avpprokey
dcom_patches
icq2004-final
K-LiteCodecPack2.34a
NeroBROM6.3.1.27
winamp5
winxp_patch
The worm also attempts to remove previous startup registry entries of
other malware which may be installed, terminate various anti-virus and
security applications and prevent access to related websites by
modifying the HOSTS file with the following entries:
127.0.0.1 grisoft.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
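An added example (Python, not Sophos's or this post's code) of checking a HOSTS file for the kind of tampering listed above: every entry that pins a security-vendor hostname to a loopback or unspecified address is reported. The vendor domain list is drawn from the entries above, 0.0.0.0 and ::1 are covered as a generalisation beyond the 127.0.0.1 lines shown, and the sample file is constructed.

```python
import ipaddress
from typing import List, Tuple

# Vendor domains drawn from the MyDoom-AS HOSTS list above; a match on the
# domain or any subdomain counts.
PROTECTED_DOMAINS = (
    "grisoft.com", "trendmicro.com", "mcafee.com", "symantec.com", "nai.com",
    "my-etrust.com", "ca.com", "networkassociates.com", "kaspersky.com",
    "avp.com", "kaspersky-labs.com", "f-secure.com", "viruslist.com",
    "symantecliveupdate.com", "sophos.com",
)

# Names that legitimately point at loopback in a stock hosts file.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: a stock comment and localhost line, three tampered
# entries (two loopback, one 0.0.0.0 sinkhole style), and one unrelated entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
0.0.0.0   download.mcafee.com
192.168.1.10 fileserver.corp.example
"""


def _is_sinkhole(addr: str) -> bool:
    """True for loopback (127.x, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _is_protected(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)


def find_hijacked_entries(hosts_text: str) -> List[Tuple[int, str, str]]:
    """Parse hosts-file text and return (line number, address, hostname) for
    every protected vendor host that has been pinned to a sinkhole address."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if not _is_sinkhole(addr):
            continue
        for name in names:
            if name.lower() in LEGIT_LOOPBACK_NAMES:
                continue
            if _is_protected(name):
                hits.append((lineno, addr, name))
    return hits


if __name__ == "__main__":
    for lineno, addr, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

On a live Windows system the file to read is %SystemRoot%\System32\drivers\etc\hosts; pass its contents to find_hijacked_entries.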
W32/MyDoom-AS will harvest email addresses from files found on the
infected computer with the following extensions:
ADB
ASA
ASC
ASM
ASP
CGI
CONF
CSP
DBX
DLT
DWT
EDM
HTA
HTC
HTM
INC
JS
TPL
JSP
LBI
PHP
PL
RDF
RSS
SHT
SSI
STM
TBB
TXT
VB
VBS
WAB
WML
XHT
XML
XSD
XST
Emails generated by the worm have the following characteristics:
Subject lines are chosen from:
Good day
Do not reply to this email
hello
Mail Delivery System
Attention!!!
Mail Transaction Failed
Server Report
Status
Error
Message text is one of:
"Mail transaction failed. Partial message is available."
"The message contains Unicode characters and has been sent as
a binary attachment."
"The message cannot be represented in 7-bit ASCII encoding and
has been sent as a binary attachment."
"Do not visit these sites!!!"
"You have visited illegal websites.
I have a big list of the websites you surfed."
"You think it's funny? You are stupid idiot!!! I'll send
the attachment to your ISP and then I'll be watching
how you will go to jail, punk!!!"
"Your credit card was charged for $500 USD. For additional information see the attachment"
"ESMTP [Secure Mail System #334]: Secure message is attached."
"Encrypted message is available."
"Delivered message is attached."
"Can you confirm it?"
"Binary message is available."
"am shocked about your document!"
"Are you a spammer? (I found your email on a spammer website!?!"
"Bad Gateway: The message has been attached."
"Attention! New self-spreading virus!
Be careful, a new self-spreading virus called 'RTSW.Smash' spreading
very fast via e-mail and P2P networks. It's about two million people
infected and it will be more.
To avoid your infection by this virus and to stop it we provide you with
full information how to protect yourself against it and also including
free remover. Your can find it in the attachment.
2004 Networks Associates Technology, Inc. All Rights Reserved"
"New terms and conditions for credit card holders
Here a new terms and conditions for credit card holders using a credit
cards for making purchase in the Internet in the attachment. Please,
read it carefully. If you are not agree with new terms and conditions do
not use your credit card in the World Wide Web.
Thank you,
The World Bank Group
2004 The World Bank Group, All Rights Reserved"
"Thank you for registering at WORLDXXXPASS.COM
All your payment info, login and password you can find in the attachment
file. It's a real good choise to go to WORLDXXXPASS.COM"
"Attention! Your IP was logged by The Internet Fraud Complaint Center
Your IP was logged by The Internet Fraud Complaint Center. There was a
fraud attempt logged by The Internet Fraud Complaint Center from your
IP. This is a serious crime, so all records was sent to the FBI. All
information you can find in the attachment. Your IP was flagged and if
there will be anover attemption you will be busted.
This message is brought to you by the Federal Bureau of Investigation
and the National White Collar Crime Center"
"Here is your documents you are requested."
Attachment filenames are chosen from the following and can take one of
these extensions (pif, scr, exe, cmd, bat, zip):
document
readme
doc
rules
file
data
docs
message
body
Name W32/Poebot-H
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Steals information
* Reduces system security
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Backdoor.Win32.PoeBot.a
Prevalence (1-5) 2
Description
W32/Poebot-H is a worm which attempts to spread to remote network shares
with weak passwords. It also contains backdoor functionality allowing
unauthorised remote access to the infected computer via IRC channels.
Advanced
W32/Poebot-H is a worm which attempts to spread to remote network shares
with weak passwords. It also contains backdoor functionality allowing
unauthorised remote access to the infected computer via IRC channels.
W32/Poebot-H allows a remote attacker to:
steal passwords.
download and execute files on the infected computer.
flood other computers with network packets.
retrieve system information.
execute arbitrary commands.
When run, the worm copies itself to the system folder as lssas.exe and
sets the following registry entry in order to run when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Local Security Authority Service
<Windows system folder>\lssas.exe
Name W32/Kipis-I
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Kipis.k
Prevalence (1-5) 2
Description
W32/Kipis-I is an email worm for the Windows platform.
The worm harvests email addresses from files with the following file
extensions:
ADB
DBX
DOC
EML
HTM
HTML
TBB
TXT
UIN
XLS
XML
The email sent by W32/Kipis-I has the following properties:
Subjects:
Valentine's day
Present
your
Happy day
Happy Valentine's day
your love
here
hi
you my love..
Re: My porno
Message texts:
With the coming Valentine's day! I very much love you. Please see
my flash present.
I congratulate on the coming Valentine's day! My gift to you.
love you! :),congratulate!"
Thank you!!!
----Original Message----
From: <random address>
To: <random address>
Sent: <time/date>
Subject: My porno
Attached file:
your present
present
flash love
love
Valentine
porn
porno_03
Joke
nude
My nude_04
Attachment extension:
.scr
.exe
From:
<current user>
adam
alex
anna
brenda
dana
dave
linda
liza
maria
mary
mike
rosa
sandra
stan
stiv
Note: The "from" field consists of one of the above names and "@<domain
names found when harvesting email addresses>"
W32/Kipis-I will not send emails to addresses which contain any of the
following strings:
.edu
.gov
abuse
accoun
antivir
bitdefen
borlan
bugs
cafee
contact
drweb
e-trust-
f-prot
foo.
help
icrosoft
info
iruslis
kaspersky
klamav
listserv
mailer
messagelab
news
newviru
nod32
nodomai
norman
panda
podpiska
privacy
rar
rating
register
ripe.
sales
secur
sendmail
service
soft
software.
sopho
support
sybari
symante
virus
webmaster
winrar
winzip
W32/Kipis-I also opens a backdoor to download remote files.
Advanced
W32/Kipis-I is an email worm for the Windows platform.
When first run, W32/Kipis-I copies itself to the following locations:
<Windows folder>/regedit.com
<Windows system folder>/Microsoft/svchost.exe
<Windows system folder>/netstat.com
Note: The trick used here by W32/Kipis-I takes advantage of the way the
operating system searches for files. When a user types "netstat" at a
command prompt, Windows will first look for netstat.com, netstat.exe and
then other possible file extensions. This fact causes the worm copy to
run instead of the intended file.
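The search-order trick in the note above, as an added example (Python, not from Sophos or this post): resolve_command emulates the PATHEXT lookup cmd.exe performs for a bare command name within one directory, and find_shadowed_executables reports base names present under more than one executable extension, in resolution order, so a defender can spot a .com sitting in front of the genuine .exe. The directory listings are constructed and the PATHEXT order is the stock Windows 2000/XP default.

```python
import os
from typing import Dict, Iterable, List, Optional, Sequence

# PATHEXT as shipped on Windows 2000/XP: .COM is tried before .EXE, which is
# exactly what the netstat.com / regedit.com copies rely on.
DEFAULT_PATHEXT: Sequence[str] = (
    ".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE", ".JS", ".JSE", ".WSF", ".WSH",
)

# Constructed directory listings standing in for <Windows system folder> and
# <Windows folder> on an infected machine; more.com is a legitimate lone .com.
SAMPLE_SYSTEM32 = ["cmd.exe", "more.com", "netstat.exe", "netstat.com", "ping.exe"]
SAMPLE_WINDOWS = ["explorer.exe", "notepad.exe", "regedit.exe", "regedit.com", "win.ini"]


def resolve_command(command: str, files_in_dir: Iterable[str],
                    pathext: Sequence[str] = DEFAULT_PATHEXT) -> Optional[str]:
    """Emulate how cmd.exe turns a bare command name into a file within one
    directory: append each PATHEXT extension in order (case-insensitively)
    and return the first name that exists, or None."""
    by_lower = {f.lower(): f for f in files_in_dir}
    for ext in pathext:
        hit = by_lower.get((command + ext).lower())
        if hit is not None:
            return hit
    return None


def find_shadowed_executables(files_in_dir: Iterable[str],
                              pathext: Sequence[str] = DEFAULT_PATHEXT) -> Dict[str, List[str]]:
    """Report base names present with more than one PATHEXT extension. Each
    list is in resolution order, so result[base][0] is what actually runs
    when a user types the bare name; a legitimate lone .com is not flagged."""
    rank = {e.lower(): i for i, e in enumerate(pathext)}
    by_base: Dict[str, List[str]] = {}
    for f in files_in_dir:
        base, ext = os.path.splitext(f)
        if ext.lower() in rank:
            by_base.setdefault(base.lower(), []).append(f)
    return {
        base: sorted(names, key=lambda n: rank[os.path.splitext(n)[1].lower()])
        for base, names in by_base.items() if len(names) > 1
    }


def scan_directory(path: str) -> Dict[str, List[str]]:
    """Run the shadowing check against a real directory (e.g. System32)."""
    return find_shadowed_executables(os.listdir(path))


if __name__ == "__main__":
    print("netstat resolves to:", resolve_command("netstat", SAMPLE_SYSTEM32))
    print("shadowed in system32:", find_shadowed_executables(SAMPLE_SYSTEM32))
    print("shadowed in windows: ", find_shadowed_executables(SAMPLE_WINDOWS))
```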
W32/Kipis-I creates the following registry entry in order to run each
time a program is loaded on the computer:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
"Explorer.exe <Windows system folder>\Microsoft\svchost.exe"
The worm harvests email addresses from files with the following file
extensions:
ADB
DBX
DOC
EML
HTM
HTML
TBB
TXT
UIN
XLS
XML
The email sent by W32/Kipis-I has the following properties:
Subjects:
Valentine's day
Present
your
Happy day
Happy Valentine's day
your love
here
hi
you my love..
Re: My porno
Message texts:
With the coming Valentine's day! I very much love you. Please see
my flash present.
I congratulate on the coming Valentine's day! My gift to you.
love you! :),congratulate!"
Thank you!!!
----Original Message----
From: <random address>
To: <random address>
Sent: <time/date>
Subject: My porno
Attached file:
your present
present
flash love
love
Valentine
porn
porno_03
Joke
nude
My nude_04
Attachment extension:
.scr
.exe
From:
<current user>
adam
alex
anna
brenda
dana
dave
linda
liza
maria
mary
mike
rosa
sandra
stan
stiv
Note: The "from" field consists of one of the above names and "@<domain
names found when harvesting email addresses>"
W32/Kipis-I will not send emails to addresses which contain any of the
following strings:
.edu
.gov
abuse
accoun
antivir
bitdefen
borlan
bugs
cafee
contact
drweb
e-trust-
f-prot
foo.
help
icrosoft
info
iruslis
kaspersky
klamav
listserv
mailer
messagelab
news
newviru
nod32
nodomai
norman
panda
podpiska
privacy
rar
rating
register
ripe.
sales
secur
sendmail
service
soft
software.
sopho
support
sybari
symante
virus
webmaster
winrar
winzip
W32/Kipis-I also opens a backdoor on port 1988 and listens for incoming
connections. The backdoor can be used to download remote files.
Name W32/Rbot-WB
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.ve
* W32/Sdbot.worm.gen.y
Prevalence (1-5) 2
Description
W32/Rbot-WB is a worm with backdoor Trojan functionality.
W32/Rbot-WB is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
W32/Rbot-WB may also spread by exploiting the following vulnerabilities:
LSASS (MS04-011)
DCOM (MS04-012)
Microsoft SQL servers with weak passwords.
Advanced
When first run, W32/Rbot-WB copies itself to the Windows system folder
as RPC.EXE and runs this copy of the worm. The copy will then attempt to
delete the original file. In order to run each time Windows is started,
W32/Rbot-WB will set the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsofts MediaScope = winmep.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsofts MediaScope = winmep.exe
W32/Rbot-WB may also set the following registry entry:
HKCU\Software\Microsoft\OLE\
Microsofts MediaScope = winmep.exe
The worm runs continuously in the background providing backdoor access
to the infected computer.
The backdoor component of W32/Rbot-WB can be used to:
Initiate distributed denial-of-service (DDOS) attacks using ICMP, SYN,
UDP, PING, ACK and TCP flooding.
Redirect TCP and SOCKS4 traffic.
Provide a remote login shell.
Download, upload, delete and execute files.
Set up an HTTP, TFTP and FTP file server.
Steal passwords (including PayPal account information).
Log key presses.
Capture screenshots.
Capture webcam pictures and videos.
List and kill processes.
Stop, start, pause and delete services.
Open and close vulnerabilities.
Port scan for vulnerabilities on other remote computers.
Send emails as specified by the remote user.
Flush the DNS and ARP caches.
Shut down and reboot the computer.
Add and delete network shares and users.
Sniff network traffic for passwords.
W32/Rbot-WB may be used to steal registration and key details from
various computer games and applications.
W32/Rbot-WB may alter the following registry entries in order to
enable/disable DCOM and open/close restrictions on IPC$ shares:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
HKLM\SYSTEM\ControlSet\Control\Lsa\restrictanonymous
W32/Rbot-WB may add and delete network shares and users on the infected
computer.
Name W32/Poebot-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Downloads code from the internet
* Reduces system security
Aliases
* Backdoor.Win32.PoeBot.a
Prevalence (1-5) 2
Description
W32/Poebot-A is a network worm with backdoor Trojan functionality for
the Windows platform.
The worm spreads through network shares protected by weak passwords.
The backdoor component joins a predetermined IRC channel and awaits
further commands from a remote user.
Advanced
W32/Poebot-A is a network worm with backdoor Trojan functionality for
the Windows platform.
The worm spreads through network shares protected by weak passwords.
When first run, W32/Poebot-A copies itself to the Windows system folder
as lssas.exe and creates the following registry entries in order to run
each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Local Security Authority Service
"<Windows system folder>\lssas.exe"
The backdoor component joins a predetermined IRC channel and awaits
further commands from a remote user.
Name W32/Sdbot-VH
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
W32/Sdbot-VH is a network worm with backdoor functionality for the
Windows platform.
The worm spreads through network shares protected by weak passwords,
MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-VH connects to a predetermined IRC channel and awaits further
commands from remote users.
Advanced
W32/Sdbot-VH is a network worm with backdoor functionality for the
Windows platform.
When first run, W32/Sdbot-VH copies itself to the Windows system folder
as "svhost.exe" and creates the following registry entries in order to
run each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Loader
svhost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Win32 Loader
svhost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Loader
svhost.exe
The worm spreads through network shares protected by weak passwords,
MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-VH connects to a predetermined IRC channel and awaits further
commands from remote users. The backdoor component of W32/Sdbot-VH can
be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
take part in distributed denial of service (DDoS) attacks
Patches for the vulnerabilities exploited by W32/Sdbot-VH can be
obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
Name W32/Sdbot-SB
Type
* Worm
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Dropped by malware
Prevalence (1-5) 2
Description
W32/Sdbot-SB is a member of the W32/Sdbot family of worms with a
backdoor component.
Advanced
W32/Sdbot-SB is a member of the W32/Sdbot family of worms with a
backdoor component.
In order to run automatically when Windows starts up, the worm copies
itself to the file winprotect.exe in the Windows system folder and adds
the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winprotect
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\winprotect
W32/Sdbot-SB is dropped by Troj/Wurmark-B.
Name W32/Codbot-C
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* W32/Sdbot.worm.gen.j
Prevalence (1-5) 2
Description
W32/Codbot-C is a backdoor Trojan containing functionality to spread via
network shares.
The worm connects to an IRC channel and listens for backdoor commands
from a remote attacker. The backdoor functionality of the worm includes
the ability to sniff packets, download further malicious code and steal
passwords and other system information.
W32/Codbot-C may attempt to exploit a number of vulnerabilities,
including the LSASS vulnerability (MS04-011).
Advanced
W32/Codbot-C is a backdoor Trojan containing functionality to spread via
network shares.
The worm connects to an IRC channel and listens for backdoor commands
from a remote attacker. The backdoor functionality of the worm includes
the ability to sniff packets, download further malicious code and steal
passwords and other system information.
When first run, W32/Codbot-C copies itself to the Windows system folder
as MAPI32.EXE and installs itself as a service with service name
"Extended MAPI Function Handler" and display name "Handling the loading
of the MAPI API."
W32/Codbot-C may make the following change to the system registry:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
"N"
W32/Codbot-C may attempt to exploit a number of vulnerabilities,
including the LSASS vulnerability (MS04-011).
Name Troj/PurScan-V
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/PurScan-V is a downloader for an advertising-related application.
The Trojan connects to a preconfigured website and downloads files
relevant to a specific advertising campaign.
Name W32/Forbot-EC
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.PdPinch.gen
* WORM_WOOTBOT.GEN
Prevalence (1-5) 2
Description
W32/Forbot-EC is a network worm with backdoor functionality for the
Windows platform. The worm allows unauthorised remote access to the
infected system via IRC channels while running in the background as a
service process. The worm may also spread by DCC.
W32/Forbot-EC exploits various vulnerabilities, including the LSASS
vulnerability (see MS04-011).
The backdoor functionality of the worm includes being able to act as a
proxy, sniff packets, download updates, delete network shares and steal
keys for various software products.
Advanced
W32/Forbot-EC is a network worm with backdoor functionality for the
Windows platform. The worm allows unauthorised remote access to the
infected system via IRC channels while running in the background as a
service process. The worm may also spread by DCC.
W32/Forbot-EC copies itself to the Windows system folder as EMP32.EXE
and creates the following registry entries in order to run itself on
system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Help Temp Files
emp32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Help Temp Files
emp32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Help Temp Files
emp32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Help Temp Files
emp32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Help Temp Files
emp32.exe
W32/Forbot-EC also registers itself as a service named
"addicted-to.druggs.info" with the display name "Help Temp Files".
W32/Forbot-EC exploits various vulnerabilities, including the LSASS
vulnerability (see MS04-011).
The backdoor functionality of the worm includes being able to act as a
proxy, sniff packets, download updates, delete network shares and steal
keys for various software products.
Name W32/Codbot-B
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Codbot-B is a backdoor which contains functionality to spread via
network shares.
W32/Codbot-B contains backdoor functionality which includes packet
sniffing and downloading further code, gathering system information and
killing processes.
W32/Codbot-B may create Run and RunServices registry entries in order to
run itself on system startup.
W32/Codbot-B may attempt to exploit a number of vulnerabilities.
Advanced
W32/Codbot-B is a backdoor which contains functionality to spread via
network shares.
When first run, W32/Codbot-B copies itself to the Windows system folder
as LSPOOL.EXE and installs this file as a service with service name
"Local Network Spooler" and display name " Loads files to memory for
later outputing over the endpoint". The worm attempts to connect to an
IRC channel and listens for backdoor commands from a remote attacker.
W32/Codbot-B contains backdoor functionality which includes packet
sniffing and downloading further code, gathering system information and
killing processes.
W32/Codbot-B may create Run and RunServices registry entries in order
to run itself on system startup.
W32/Codbot-B may attempt to exploit a number of vulnerabilities.
Name W32/Dopbot-A
Type
* Worm
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.IRCBot.q
* WORM_DOPBOT.A
Prevalence (1-5) 2
Description
W32/Dopbot-A is a network worm with backdoor functionality for the
Windows platform.
W32/Dopbot-A spreads to remote network shares, computers already
compromised by the Optix Trojan and computers vulnerable to the LSASS
exploit - for more information see:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
W32/Dopbot-A allows unauthorised remote access to the infected computer
via IRC channels. Remote attackers can command W32/Dopbot-A to perform
actions including:
download and run arbitrary files
scan other computers for vulnerabilities
flood other computers over the network
terminate processes (including firewall and Anti-virus processes)
W32/Dopbot-A also hardens the computer against further attacks by
downloading a patch for the LSASS exploit from the Microsoft website and
changing security settings.
Advanced
W32/Dopbot-A is a network worm with backdoor functionality for the
Windows platform.
W32/Dopbot-A spreads to remote network shares, computers already
compromised by the Optix Trojan and computers vulnerable to the LSASS
exploit - for more information see:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
W32/Dopbot-A allows unauthorised remote access to the infected computer
via IRC channels. Remote attackers can command W32/Dopbot-A to perform
actions including:
download and run arbitrary files
scan other computers for vulnerabilities
flood other computers over the network
terminate processes (including firewall and Anti-virus processes)
When first run, W32/Dopbot-A copies itself to the Windows system folder
as "rund1132.exe" and creates the following registry entries in order to
run automatically on computer startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
rund1132
<Windows system folder>\rund1132.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
rund1132
<Windows system folder>\rund1132.exe
W32/Dopbot-A also hardens the computer against further attacks by
downloading a patch for the LSASS exploit from the Microsoft website and
setting the following registry entries if they are not already set:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous
2
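Taken together, the entries above share one persistence pattern: a copy dropped in the Windows system folder under a name that imitates a genuine system binary (lssas.exe for lsass.exe, svhost.exe for svchost.exe, rund1132.exe for rundll32.exe) and registered under the Run/RunServices keys. The following Python is an added example, not part of the Sophos write-ups or any Sophos tool: it audits exported autorun entries against the image names listed on this page and, going beyond those specific names, flags near-miss spellings of genuine binaries; the SAMPLE entries are constructed.

```python
"""Audit autorun entries against the indicators above (added example, not Sophos code)."""
import ntpath

# Image names the worms on this page register under Run/RunServices.
KNOWN_BAD = {"lssas.exe": "W32/Poebot-A", "svhost.exe": "W32/Sdbot-VH",
             "winprotect.exe": "W32/Sdbot-SB", "emp32.exe": "W32/Forbot-EC",
             "rund1132.exe": "W32/Dopbot-A"}
# Genuine system binaries whose names several of those worms imitate.
LEGIT = ("lsass.exe", "svchost.exe", "rundll32.exe", "services.exe")

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(image):
    """Genuine binary within two edits of `image` (lssas/lsass, rund1132/rundll32), or None."""
    if image in LEGIT:
        return None
    hits = [g for g in LEGIT if levenshtein(image, g) <= 2]
    return min(hits, key=lambda g: levenshtein(image, g)) if hits else None

def scan_autoruns(entries):
    """Return (value_name, image, verdict) for each suspicious (key, name, data) entry."""
    findings = []
    for _key, value_name, data in entries:
        image = ntpath.basename(data.strip().strip('"')).lower()
        if image in KNOWN_BAD:
            findings.append((value_name, image, KNOWN_BAD[image]))
        elif (genuine := lookalike(image)) is not None:
            findings.append((value_name, image, "lookalike of " + genuine))
    return findings

RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = [  # constructed export, not data from a real host
    (RUN, "Local Security Authority Service", r'"C:\WINDOWS\system32\lssas.exe"'),
    (RUN, "Win32 Loader", "svhost.exe"),
    (RUN, "Help Temp Files", "emp32.exe"),
    (RUN, "rund1132", r"C:\WINDOWS\system32\rund1132.exe"),
    (RUN, "Updater", r"C:\WINDOWS\system32\svchost.exe"),  # genuine name: no finding
]

if __name__ == "__main__":
    for value_name, image, verdict in scan_autoruns(SAMPLE):
        print(f"{value_name:35} {image:15} {verdict}")
```

A genuine binary name in an autorun entry is not flagged by this check; the value data still merits a look, since the legitimate lsass.exe and svchost.exe are started by the system, not from Run.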
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)