Text 51, 982 rader
Skriven 2005-04-16 23:07:00 av KURT WISMER (1:123/140)
Ärende: News, April 16 2005
===========================
[cut-n-paste from sophos.com]
Name Troj/DoomSend-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Naninf.c
Prevalence (1-5) 2
Description
Troj/DoomSend-A is a Trojan for the Windows platform.
Troj/DoomSend-A is capable of exploiting a backdoor in the W32/MyDoom
series of worms. The Trojan may be used by other Trojans or worms as a
helper component.
Troj/DoomSend-A may arrive as an email attachment named "Screenshot of
Site.zip" along with the following email text:
Hello,
I noticed whilst browsing your site that there were problems with some
of your links, when I tried again with Internet Explorer the problems
were not there so I assume that they were caused by me using the Mozilla
browser.
As more people are turning to alternative browsers now it may be of help
for you to know this. I have enclosed a screen capture of the problem so
your team can get it fixed if you deem it an issue.
Name W32/Tirbot-D
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Deletes files off the computer
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
W32/Tirbot-D is a network worm with backdoor functionality for the
Windows platform.
The worm spreads to network computers vulnerable to the LSASS
vulnerability (MS04-011) and through network shares protected by weak
passwords.
The backdoor component joins one of 4 predetermined IRC channels and
awaits further commands from remote users. The backdoor component can
then be instructed to perform the following:
Take part in distributed denial of service (DDoS) attacks
Upload/download files
Execute files
Serve as a proxy server
Harvest information from the system registry
Report filesystem information
List running processes
Scan for the presence anti-virus software
Terminate running processes
Remove registry entries
Advanced
W32/Tirbot-D is a network worm with backdoor functionality for the
Windows platform.
The worm spreads to network computers vulnerable to the LSASS
vulnerability (MS04-011) and through network shares protected by weak
passwords.
The backdoor component joins one of 4 predetermined IRC channels and
awaits further commands from remote users. The backdoor component can
then be instructed to perform the following:
Take part in distributed denial of service (DDoS) attacks
Upload/download files
Execute files
Serve as a proxy server
Harvest information from the system registry
Report filesystem information
List running processes
Scan for the presence anti-virus software
Terminate running processes
Remove registry entries
W32/Tirbot-D will attempt to report the infection to a predefined URL.
When first run, W32/Tirbot-D copies itself to the Windows system folder
as MSDTCs.exe and sets the following registry entry in order to run each
time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IECheck
<Windows system folder>\MSDTCs.exe
A patch is available from Microsoft for the LSASS vulnerability
exploited by W32/Tirbot-D:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Name W32/Kelvir-J
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Drops more malware
Aliases
* W32/Kelvir.worm.gen
* W32.Kelvir.T
Prevalence (1-5) 2
Description
W32/Kelvir-J is an instant messaging worm.
W32/Kelvir-J spreads by sending a message through Windows Messenger to
all of the infected user's contacts.
W32/Kelvir-J encourages the recipient to visit a website to download a
file which is usually a copy of the worm. The message text is "it's you
<URL>".
W32/Kelvir-J may also drop a file detected by Sophos as W32/Sdbot-XE.
Name Troj/BagleDl-N
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Aliases
* Email-Worm.Win32.Bagle.pac
Prevalence (1-5) 2
Description
Troj/BagleDl-N is a Trojan dropper.
Troj/BagleDl-N creates two randomly named files in the user's temp
folder. One file has an extension of TXT and contains the text 'Sorry.'
The other file has an extension of EXE and is a Trojan detected by
Sophos's anti-virus products as Troj/BagDl-Gen.
Troj/BagleDl-N has been distributed as a RAR archive attached to email.
Name W32/Sdbot-XC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Drops more malware
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Agobot.abl
* W32/Sdbot.worm.gen.w
Prevalence (1-5) 2
Description
W32/Sdbot-XC is a network worm with backdoor functionality for the
Windows platform.
The worm spreads through network shares protected by weak passwords,
MS-SQL servers and through various operating system vulnerabilities.
Patches for the vulnerabilities exploited by W32/Sdbot-XC can be
obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
Advanced
W32/Sdbot-XC is a network worm with backdoor functionality for the
Windows platform.
When first run, W32/Sdbot-XC copies itself to the Windows system folder
as systeminfos.exe and creates the following registry entries in order
to run each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Compaq Service Drivers
systeminfos.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Compaq Service Drivers
systeminfos.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Compaq Service Drivers
systeminfos.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Compaq Service Drivers
systeminfos.exe
The worm spreads through network shares protected by weak passwords,
MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-XC connects to a predetermined IRC channel and awaits further
commands from remote users. The backdoor component of W32/Sdbot-XC can
be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
Patches for the vulnerabilities exploited by W32/Sdbot-XC can be
obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
W32/Sdbot-XC also drops a file to the current folder as msdirectx.sys.
The dropped file is detected by Sophos's anti-virus products as
Troj/NtRootK-F.
W32/Sdbot-XC terminates a number of processes including ones related to
various AV and security applications as well as TASKMGR.EXE and
REGEDIT.EXE.
Name Troj/Agent-DI
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Agent-DI is a backdoor Trojan for the Windows platform.
Troj/Agent-DI allows unauthorised remote access to the infected
computer, running in the background waiting for commands from a remote
intruder. The Trojan can be instructed to download and run arbitrary
files.
Troj/Agent-DI may disable the Windows Firewall and turn off notification
of lack of Anti-virus software on the computer. The Trojan may also
download configuration data from:
http://bn.inf3ct3d.info
Advanced
Troj/Agent-DI is a backdoor Trojan for the Windows platform.
Troj/Agent-DI allows unauthorised remote access to the infected
computer, running in the background waiting for commands from a remote
intruder. The Trojan can be instructed to download and run arbitrary
files.
Troj/Agent-DI may disable the Windows Firewall and turn off notification
of lack of Anti-virus software on the computer. The Trojan may also
download configuration data from:
http://bn.inf3ct3d.info
Troj/Agent-DI copies itself to the Windows system folder as
"svchost.exe" and creates a DLL file named "svchost.dll". The Trojan
sets the following registry entry in order to run automatically on
computer login:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WindowsUpdate =
%System%\svchost.exe /s
Troj/Agent-DI creates registry entries for its own use under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellBot
The Trojan attempts to reduce system security by altering the following
registry entries:
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters
\FirewallPolicy\StandardProfile\EnableFireWall
HKLM\SOFTWARE\Microsoft\Security Center\FireWallDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
Name W32/Codbot-K
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Codbot.z
* W32/Gaobot.worm.gen.q
* W32.Randex
Prevalence (1-5) 2
Description
W32/Codbot-K is a network worm with backdoor functionality for the
Windows platform.
The worm connects to an IRC channel and listens for backdoor commands
from a remote attacker. The backdoor functionality of the worm includes
the ability to sniff packets, download further malicious code and steal
passwords and other system information.
Advanced
W32/Codbot-K is a network worm with backdoor functionality for the
Windows platform.
The worm connects to an IRC channel and listens for backdoor commands
from a remote attacker. The backdoor functionality of the worm includes
the ability to sniff packets, download further malicious code and steal
passwords and other system information.
When first run, W32/Codbot-K copies itself to the Windows system folder
as SCardClnt.exe and installs itself as a service with these attributes:
servicename = SCardClnt
displayname = "Smart Card Client"
imagepath = <Windows system folder>SCardClnt.exe
W32/Codbot-K may make the following change to the system registry:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
W32/Codbot-K may attempt to exploit a number of vulnerabilities,
including the LSASS vulnerability (MS04-011).
Patche for the operating system vulnerability exploited by W32/Codbot-K
can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Name Troj/Bancos-CD
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Forges the sender's email address
* Uses its own emailing engine
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Bancos.cr
* TROJ_BANCOS.XZ
Prevalence (1-5) 2
Description
Troj/Bancos-CD is a password stealing Trojan for the Windows platform
that targets customers of Brazilian banks.
Troj/Bancos-CD monitors a user's internet access, and when certain
internet banking sites are visited, the Trojan will display a fake login
screen in order to trick the user into inputting their details.
Advanced
Troj/Bancos-CD is a password stealing Trojan for the Windows platform
that targets customers of Brazilian banks.
Once executed Troj/Bancos-CD displays a fake error message, copies
itself to the root and to the Arquivos de programas folder on the C:
drive with the filename IExplorer.exe, and sets the following registry
entry in order to be able to run automatically when Windows starts up :
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
IExplorer
C:\Arquivos de programas\IExplorer.EXE
Troj/Bancos-CD monitors a user's internet access, and when certain
internet banking sites are visited, the Trojan will display a fake login
screen in order to trick the user into inputting their details.
Troj/Bancos-CD also creates an appstart32.inf data file in the Windows
inf folder.
Name W32/Mytob-E
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Net-Worm.Win32.Mytob.h
* W32/Mytob.gen@MM
* WORM_MYTOB.J
Prevalence (1-5) 2
Description
W32/Mytob-E is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
Advanced
W32/Mytob-E is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
When first run W32/Mytob-E copies itself to the Windows system folder as
taskgmr.exe and creates the following registry entries:
HKCU\Software\Microsoft\OLE
WINTASK
taskgmr.exe
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Ole
WINTASK
taskgmr.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
taskgmr.exe
W32/Mytob-E copies itself to the root folder as:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
and creates the helper file hellmsn.exe (detected by Sophos as
W32/Mytob-D) in the same location.
W32/Mytob-E also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
Name W32/Mytob-AX
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Aliases
* W32/Mytob.x@MM
Prevalence (1-5) 2
Description
W32/Mytob-AX is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
W32/Mytob-AX is capable of spreading through email and through various
operating system vulnerabilities such as LSASS (MS04-011).
W32/Mytob-AX harvests email addresses from files on the infected
computer and from the Windows address book and sends itself as an
attachment to each address found.
Advanced
W32/Mytob-AX is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
When first run W32/Mytob-AX copies itself to the Windows system folder
as hostdrvXP.exe and creates the following registry entries:
HKCU\Software\Microsoft\OLE
WINTASKMANAGER
hostdrvXP.exe
HKCU\System\CurrentControlSet\Control\Lsa
WINTASKMANAGER
hostdrvXP.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASKMANAGER
hostdrvXP.exe
HKLM\Software\Microsoft\Ole
WINTASKMANAGER
hostdrvXP.exe
HKLM\System\CurrentControlSet\Control\Lsa
WINTASKMANAGER
hostdrvXP.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINTASKMANAGER
hostdrvXP.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINTASKMANAGER
hostdrvXP.exe
W32/Mytob-AX copies itself to the root folder as:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
and drops a file called hellmsn.exe (detected by Sophos as W32/Mytob-D)
in the same location. This component attempts to spread the worm by
sending the aforementioned SCR files through Windows Messenger to all
online contacts.
W32/Mytob-AX also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
W32/Mytob-AX is capable of spreading through email and through various
operating system vulnerabilities such as LSASS (MS04-011). Email sent by
W32/Mytob-AX has the following properties:
Subject line:
document
Good day
Hello
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status
Message text:
Here are your banks documents.
The original message was included as an attachment.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The attached file consists of a base name followed by the extentions
PIF, SCR, EXE or ZIP. The worm may optionally create double extensions
where the first extension is DOC, TXT or HTM and the final extension is
PIF, SCR, EXE or ZIP.
W32/Mytob-AX harvests email addresses from files on the infected
computer and from the Windows address book. The worm avoids sending
email to address that contain the following:
.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your
Name W32/Rbot-AAJ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
* Uses its own emailing engine
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-AAJ is a worm with backdoor Trojan functionality.
W32/Rbot-AAJ is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command. W32/Rbot-AAJ will also attempt to spread by exploiting a number
of software vulnerabilities.
Advanced
W32/Rbot-AAJ is a worm with backdoor Trojan functionality.
W32/Rbot-AAJ is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
W32/Rbot-AAJ will attempt to spread by exploiting the following
vulnerabilities:
DCOM (MS04-012)
LSASS (MS04-011)
Microsoft SQL servers with weak passwords
When first run, W32/Rbot-AAJ moves itself to the Windows system folder
as WINTSK32DLL.EXE. In order to run automatically each time a user logs
in, W32/Rbot-AAJ will set the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
wintsk32dll
wintsk32dll.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
wintsk32dll
wintsk32dll.exe
W32/Rbot-AAJ will also set the following registry entry:
HKCU\Software\Microsoft\OLE
wintsk32dll
wintsk32dll.exe
The worm runs continuously in the background, providing backdoor access
to the infected computer over IRC channels.
W32/Rbot-AAJ may modify the following registry entries in order to
enable/disable DCOM and open/close restrictions on IPC$ shares:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
Name Troj/Agent-DH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* BackDoor-COC
* Trojan.Win32.Dialer.gq
Prevalence (1-5) 2
Description
Troj/Agent-DH is a backdoor Trojan.
Troj/Agent-DH will contact a preconfigured remote location to report
that the computer has been infected and will then await backdoor
commands. Troj/Agent-DH can be used to download, upload, modify and run
executable files. The Trojan can also be used to modify registry entries
and kill processes.
Advanced
Troj/Agent-DH is a backdoor Trojan.
Troj/Agent-DH will contact a preconfigured remote location to report
that the computer has been infected and will then await backdoor
commands. Troj/Agent-DH can be used to download, upload, modify and run
executable files. The Trojan can also be used to modify registry entries
and kill processes.
When first run, Troj/Agent-DH will copy itself to the user's Temporary
folder as DC.EXE. In order to run automatically each time a user logs
in, Troj/Agent-DH will set the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
BD
<path to Trojan>
Troj/Agent-DH will create a log file named BACKDOOR.LOG in the user's
Temporary folder.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|