Text 5, 1106 lines
Written 2004-08-29 20:32:00 by KURT WISMER (1:123/140)
Subject: News, Aug. 29 2004
==========================
[cut-n-paste from sophos.com]
Name W32/Tzet-B
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Drops more malware
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.Tzet
* W32/Tzet.worm.e
* Win32/Tzet.A.dropper
Prevalence (1-5) 2
Description
W32/Tzet-B is a network worm.
W32/Tzet-B searches the local network for computers with weak or no
passwords on the administrator or admin accounts to which it can copy
itself.
Advanced
W32/Tzet-B is a network worm. When run the worm creates the following
files in the folder C:\<Windows>\System32:
AUTHEXEC.BAT - A batch file used by the worm and detected as W32/Tzet-A.
IGLMTRAY.EXE - Detected by Sophos Anti-Virus as Troj/Flood-DP
IGLXTRAY.EXE - Detected by Sophos Anti-Virus as Troj/Flood-DP
LRSS.INI - A mIRC config file used by the worm and detected as W32/Tzet-A.
MDDE32.EXE - A clean utility for terminating processes.
NNA.EXE - A Trojan downloader detected by Sophos Anti-Virus as Troj/Apher-H.
PRINTF_CORE.EXE - Detected by Sophos Anti-Virus as Troj/Delsha-C
VIDRIV.EXE - A clean utility to hide/show windows.
WMPT.EXE - A clean utility called PSExec.
WSUBSYS.WAV - The main component of this worm.
XCOPY.DLL - A text file containing a list of IP domains.
The worm adds the following registry entry to run the file iglmtray.exe
when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WUPD
W32/Tzet-B searches the local network for computers with weak or no
passwords on the administrator or admin accounts to which it can copy
itself.
Name W32/Forbot-L
Type
* Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Steals information
* Reduces system security
Prevalence (1-5) 2
Description
W32/Forbot-L is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Forbot-L copies itself to the Windows system folder as w32usb2.exe
and creates entries in the registry to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2.0 Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2.0 Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 USB2.0 Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2.0 Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2.0 Driver
W32/Forbot-L attempts to terminate several processes related to security
and anti-virus programs.
W32/Forbot-L attempts to spread to network machines using various
exploits including the LSASS vulnerability (see MS04-011) and through
backdoors left open by other Trojans.
Name W32/Sdbot-OC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Uses its own emailing engine
* Downloads code from the internet
* Records keystrokes
Aliases
* Worm.Win32.Donk.d
* WORM_SDBOT.SE
Prevalence (1-5) 2
Description
W32/Sdbot-OC is a network worm which contains IRC backdoor Trojan
functionality, allowing unauthorised remote access to the infected
computer.
Advanced
W32/Sdbot-OC is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Sdbot-OC copies itself to the Windows system folder as NTSYSMGR.EXE
and as COOL.EXE and creates entries in the registry at the following
locations with the value Microsoft System Checkup so as to run itself on
system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
W32/Sdbot-OC also sets the following registry entry so as to run a file
called SYSLOG32.EXE on system startup, though no file of that name is
dropped explicitly:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NT Logging Service
W32/Sdbot-OC spreads to network shares with weak passwords as a result
of the backdoor Trojan element receiving the appropriate command from a
remote user.
W32/Sdbot-OC may attempt to download and execute several files, dropping
temporary files to the Temp folder called KSPD32A.EXE and FSYS.TMP, and
to the Windows system folder called MARKER32A.VXD.
W32/Sdbot-OC attempts to terminate and disable various anti-virus and
security related programs and services.
W32/Sdbot-OC attempts to delete the files SYSMGR.EXE, WNETLOGIN.EXE,
KEYMGR.EXE, INETMAN.EXE, WSOCK32.EXE, DBNETLIB.EXE, WNETMGR.EXE and
WNETLIB.EXE from the following locations to prevent them from running on
system startup:
C:\Documents and Settings\All Users\Startup
C:\WINDOWS\Start Menu\Programs\Startup\
C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
W32/Sdbot-OC also modifies the HOSTS file located in the subfolder
drivers\etc\hosts of the Windows system folder, mapping selected
anti-virus websites to the loopback address 127.0.0.1 in an attempt to
prevent access to these sites. Typically the following mappings will be
appended to the HOSTS file:
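As an added defender-side check (example code written for this post, not part of the Sophos description), the following parses a HOSTS file and flags any entry that pins a security-vendor site to a loopback address, the tampering described for W32/Sdbot-OC above. The watch list is constructed from the vendor domains named in that description, the sample HOSTS text is constructed, and the check also treats 0.0.0.0 as a blackhole mapping, which goes slightly beyond the 127.0.0.1 case the description mentions.

```python
"""Flag HOSTS-file entries that redirect anti-virus vendor sites to loopback."""
import ipaddress

# Constructed watch list: vendor domains named in the Sdbot-OC description.
# Extend it for the vendors and update hosts used in your own environment.
WATCHED_DOMAINS = (
    "symantec.com", "sophos.com", "mcafee.com", "nai.com",
    "networkassociates.com", "f-secure.com", "kaspersky.com", "avp.com",
    "viruslist.com", "ca.com", "my-etrust.com", "trendmicro.com",
)

# Constructed sample, modelled on the mappings the worm appends (not a real capture).
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1       localhost
192.168.10.5    fileserver.corp.example   # legitimate internal entry
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com
0.0.0.0   download.mcafee.com
127.0.0.1 www.example.com
"""


def parse_hosts(text):
    """Parse HOSTS text into (line_number, ip, [hostnames]) tuples.

    Comments (# ...) and blank lines are skipped. A line whose first field is
    not a valid IP address is ignored, as the resolver itself would ignore it.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        hostnames = [h.lower().rstrip(".") for h in fields[1:]]
        entries.append((lineno, ip, hostnames))
    return entries


def is_watched(hostname):
    """True if hostname is a watched vendor domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacked_entries(text):
    """Return (line_number, hostname, ip) for each watched host mapped to a
    loopback (127.x / ::1) or unspecified (0.0.0.0) address."""
    findings = []
    for lineno, ip, hostnames in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for host in hostnames:
            if is_watched(host):
                findings.append((lineno, host, str(ip)))
    return findings


def strip_hijacked_lines(text):
    """Return the HOSTS text with every flagged line removed (other lines,
    including comments and the localhost entry, are kept verbatim)."""
    bad_lines = {lineno for lineno, _, _ in find_hijacked_entries(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, host, ip in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip}")
```

On a live Windows host the text would be read from the drivers\etc\hosts file in the system folder that the description names.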
Name Troj/Agent-BX
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Drops more malware
* Records keystrokes
* Installs itself in the Registry
Aliases
* BackDoor.Agent.bx
Prevalence (1-5) 2
Description
Troj/Agent-BX is a backdoor Trojan for the Windows platform.
Advanced
Troj/Agent-BX is a backdoor Trojan for the Windows platform.
When first run, Troj/Agent-BX creates a DLL file in the Windows system
folder with the name msoleapi.dll and a backup copy named msextapi.dll.
The Trojan registers the DLL files as system services that act as
Browser Helper Objects for Internet Explorer. The Trojan collects
information from the system and emails it to a remote user. The backdoor
component of Troj/Agent-BX then awaits commands from a remote user.
The Trojan may also attempt to initiate dialup sessions. The following
registry entries may be created or modified:
HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings\
EnableAutodial
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings
EnableAutodial
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableAutodial
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
EnableAutodial
Name W32/Rbot-X
Type
* Worm
Prevalence (1-5) 2
Description
W32/Rbot-X is an IRC backdoor Trojan and network worm.
When first run W32/Rbot-X copies itself to the Windows system folder as
MSlti32.exe and creates the following registry entries to run
MSlti32.exe automatically on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AUT Update = MSlti32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft AUT Update = MSlti32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AUT Update = MSlti32.exe
Each time W32/Rbot-X is run it attempts to connect to a remote IRC
server and join a specific channel. The worm then runs continuously in
the background listening on the channel for instructions.
W32/Rbot-X attempts to logon to network shares protected by weak
passwords by brute force using a list of common passwords and then
copies itself to the Windows system folder of the remote computer.
Name W32/Wukill-C
Type
* Worm
How it spreads
* Email messages
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Installs itself in the Registry
Aliases
* W32/Wukill.worm
* W32.Wullik@mm
* WORM_WUKILL.D
Prevalence (1-5) 2
Description
W32/Wukill-C is an internet worm which attempts to email itself via MAPI
to contacts found in the Microsoft Outlook address book.
Advanced
W32/Wukill-C is an internet worm which attempts to email itself via MAPI
to contacts found in the Microsoft Outlook address book.
The worm may display a message box upon execution:
"Warning"
"This File Has Been Damage!".
The worm copies itself to the Windows folder as MSTRAY.EXE and creates
the following registry entry so that it is run on system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
RavTimeXP = <Windows>\MSTRAY.EXE
The worm may copy itself to the drives A:, D: and E: and the root folder
as winfile.exe
W32/Wukill-C drops the following files with hidden and system attributes
into the root folder:
COMMENT.HTT - HTML file containing embedded VBS used by the worm
DESKTOP.INI - a file which attempts to invoke comment.htt
Emails would have subject line "MS", no message text and an attached
file called mshelp.exe.
W32/Wukill-C sets the following registry entries so that hidden files
and known file extensions are not displayed within an explorer window:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
HideFileExt = 1
The worm also sets the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\
FullPath = 1
Name W32/Forbot-E
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
Aliases
* WORM_SDBOT.SR
* Backdoor.Win32.Agent.cf
Prevalence (1-5) 2
Description
W32/Forbot-E is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
Advanced
W32/Forbot-E copies itself to the Windows system folder as SVXHOST.EXE
and creates entries in the registry at the following locations so as to
run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SVX Control Service
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\SVX Control Service
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SVX Control Service
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SVX Control Service
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\SVX Control Service
W32/Forbot-E also creates its own service named "Microsoft Config", with
the display name "SVX Control Service".
W32/Forbot-E attempts to terminate several processes related to security
and anti-virus programs.
W32/Forbot-E attempts to spread to network machines using various
exploits including the LSASS vulnerability (see MS04-011).
Name W32/Rbot-HE
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-HE is a network worm which contains IRC backdoor functionality,
allowing unauthorised remote access to the infected computer.
Advanced
W32/Rbot-HE is a worm which attempts to spread to remote network shares.
The worm also contains backdoor functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-HE spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Rbot-HE copies itself to the Windows system folder as WUAMGRD.EXE
and creates entries at the following locations in the registry so as to
run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Machine
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Machine
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Machine
W32/Rbot-HE may set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-HE may attempt to delete network shares on the host computer.
W32/Rbot-HE may attempt to log the user's keystrokes to a file
SYSTEM.TXT in the Windows system folder.
Name W32/Rbot-HC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-HC is a network worm which contains IRC backdoor Trojan
functionality, allowing unauthorised remote access to the infected
computer.
Advanced
W32/Rbot-HC is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-HC spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user. Some of these
exploits copy the file across a network with the name BLING.EXE.
W32/Rbot-HC copies itself to the Windows system folder as WINSMC.EXE and
creates entries at the following locations in the registry with the
value Windows System Manager Proc so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\OLE
W32/Rbot-HC may set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-HC may attempt to delete network shares on the host computer.
W32/Rbot-HC may attempt to log the user's keystrokes to a file KEY.TXT
in the Windows system folder.
Name W32/Rbot-HB
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Rbot.gen
* WORM_SDBOT.NP
Prevalence (1-5) 2
Description
W32/Rbot-HB is a worm which attempts to spread to remote network shares
and allows unauthorised remote access to the computer via IRC channels.
Advanced
W32/Rbot-HB is a worm which attempts to spread to remote network shares
and allows unauthorised remote access to the computer via IRC channels
while running in the background as a service process.
W32/Rbot-HB spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Rbot-HB copies itself to the file soundblaster.exe in the Windows
system folder and creates entries at the following locations in the
registry so that the worm is run when a user logs on to Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Micr Update = soundblaster.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Micr Update = soundblaster.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Micr Update = soundblaster.exe
Name W32/Forbot-K
Type
* Worm
How it spreads
* Network shares
* Web downloads
* Chat programs
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.ForBot.k
* W32/Sdbot.worm.gen
* WORM_SDBOT.OU
Prevalence (1-5) 2
Description
W32/Forbot-K is a network worm and IRC backdoor Trojan.
Advanced
W32/Forbot-K is a network worm with backdoor functionality.
In order to run automatically when Windows starts up the worm copies
itself to the Windows system folder as svxhost.exe and creates the
following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SVX Control Service = svxhost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
SVX Control Service = svxhost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
SVX Control Service = svxhost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
SVX Control Service = svxhost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
SVX Control Service = svxhost.exe
Once installed, W32/Forbot-K connects to a preconfigured IRC server and
joins a channel from which an attacker can issue further commands. These
commands can cause the infected machine to perform any of the following
actions:
* flood a remote host (by either ping or HTTP)
* start a SOCKS4 proxy server
* start an FTP server
* portscan randomly-chosen IP addresses
* execute arbitrary commands
* steal information such as passwords and product keys
* upload/download files
* manipulate the local filesystem
* edit the system registry
The worm can spread to unpatched machines affected by the LSASS
vulnerability (see MS04-011) and machines infected by any of the
Troj/Optix family of backdoor Trojans.
Name W32/Sdbot-NR
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.IRCBot.gen
* WORM_IRCBOT.C
Prevalence (1-5) 2
Description
W32/Sdbot-NR is a network worm which also contains IRC backdoor Trojan
functionality, allowing unauthorised remote access to the infected
computer.
Advanced
W32/Sdbot-NR is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Sdbot-NR copies itself to the Windows system folder as WINCAT32.EXE
and creates entries in the registry at the following locations with the
value Security Fixers so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Sdbot-NR spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user, copying itself to
WINCAT32.DAT at the same time.
Name W32/Rbot-FC
Type
* Worm
Aliases
* Backdoor.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-FC is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-FC spreads to network shares with weak passwords as a result of
the backdoor Trojan element receiving the appropriate command from a
remote user.
W32/Rbot-FC copies itself to the Windows System folder as WINSYST32.EXE
and creates entries at the following locations in the registry so as to
run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft IT Update = winsyst32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft IT Update = winsyst32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft IT Update = winsyst32.exe
W32/Rbot-FC may try to delete network shares and also try to log
keystrokes and window text to a file with a CRF extension in the root
folder.
W32/Rbot-FC can collect the CD keys of several popular computer games
and applications.
Name W32/Sdbot-NQ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.SdBot.gen
* WORM_RBOT.ID
Prevalence (1-5) 2
Description
W32/Sdbot-NQ is a network worm which contains IRC backdoor Trojan
functionality, allowing unauthorised remote access to the infected
computer.
Advanced
W32/Sdbot-NQ is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Sdbot-NQ copies itself to the Windows system folder as
MSNSERVICES.EXE and creates entries in the registry at the following
locations with the value Microsoft Service Information so as to run
itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Sdbot-NQ spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user, copying itself to
APPLOAD.DAT at the same time.
Name W32/Rbot-GX
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.SdBot.ma
* Win32/Rbot.CP
* WORM_AGOBOT.LU
Prevalence (1-5) 2
Description
W32/Rbot-GX is a worm which attempts to spread to remote network shares
and allows unauthorised remote access to the computer via IRC channels
while running in the background as a service process.
Advanced
W32/Rbot-GX is a worm which attempts to spread to remote network shares
and allows unauthorised remote access to the computer via IRC channels
while running in the background as a service process.
W32/Rbot-GX spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor element receiving
the appropriate command from a remote user.
W32/Rbot-GX copies itself to the file wuaddsff.exe in the Windows system
folder and creates entries at the following locations in the registry
with the value Microsoft Update Emulator to run itself on system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Rbot-GX may set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-GX may attempt to delete network shares on the host computer.
Name W32/Sdbot-NO
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
Aliases
* Backdoor.SdBot.gen
Prevalence (1-5) 2
Description
W32/Sdbot-NO is a worm which spreads to remote network shares and also
contains backdoor Trojan functionality.
Advanced
W32/Sdbot-NO is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Sdbot-NO copies itself to the Windows system folder as Sersices.exe
and creates the following registry entries to ensure it is run at system
logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows Services = Sersices.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows Services = Sersices.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Windows Services = Sersices.exe
W32/Sdbot-NO spreads to network shares with weak passwords as a result
of the backdoor Trojan element receiving the appropriate command from a
remote user.
W32/Sdbot-NO can also retrieve information such as CD keys for various
games and flood other computers with network packets.
Name Troj/LeechPie-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Reduces system security
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/LeechPie-A installs a number of software packages without the
user's consent, including a hacked remote server application. Most of
these tools are not inherently malicious, but it is likely they are
supplied in order to provide backdoor access to the user's computer.
Advanced
Troj/LeechPie-A installs a number of software packages without the
user's consent, including a hacked remote server application. Most of
these tools are not inherently malicious, but it is likely they are
supplied in order to provide backdoor access to the user's computer.
In particular, of the files installed, SERVICES.EXE is a hacked remote
server application (Troj/Servu-AF) and CSRSS.EXE is a legitimate remote
administration tool. An installation file sets some of these
applications to run as system processes on system startup, by creating
registry entries in the following locations:
HKLM\SYSTEM\CurrentControlSet\Services\NetDDEDaemon\
HKLM\SYSTEM\CurrentControlSet\Services\lanmandaemon\
HKLM\SYSTEM\ControlSet001\Services\LSServ
Other registry entries are set at the following locations:
HKLM\SYSTEM\Areser
HKLM\SOFTWARE\Cat Soft\Serv-u
An installation script install.cmd is dropped and run from a subfolder
RarSFX0 (or similar) of the Temp folder. After the script is run,
install.cmd may be overwritten by a file containing the text "I like pie".
Troj/LeechPie-A installs at least the following files. The exact paths
will vary depending on the version of Windows being run.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)