Tillbaka till svenska Fidonet
English   Information   Debug  
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   33421
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33945
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41707
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13613
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16074
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3249
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13300
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
Möte VIRUS_INFO, 201 texter
 lista första sista föregående nästa
Text 52, 1724 rader
Skriven 2005-04-23 14:11:00 av KURT WISMER (1:123/140)
Ärende: News, April 23 2005
===========================
[cut-n-paste from sophos.com]

Name   Troj/CashGrab-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Allows others to access the computer
    * Deletes files off the computer
    * Steals information
    * Drops more malware
    * Downloads code from the internet

Aliases  
    * Trojan-Dropper.Win32.Agent.hp
    * Trojan.Win32.Agent.cc

Prevalence (1-5) 2

Description
Troj/CashGrab-B is a password-stealing Trojan aimed at customers of 
banking websites.

Troj/CashGrab-B will spy on a user's browsing habits for banking URLS. 
The Trojan will then attempt to steal login information.

Troj/CashGrab-B will connect to a remote site to download further files 
and data.

Advanced
Troj/CashGrab-B is a password-stealing Trojan aimed at customers of 
banking websites.

Troj/CashGrab-B will spy on a user's browsing habits for banking URLS. 
The Trojan will then attempt to steal login information.

Troj/CashGrab-B will connect to a remote site to download further files 
and data.

When first run, Troj/CashGrab-B will drop the following files:

BOB.CMD - DOS batch file, used to delete Trojan installation files
<Windows system folder>\IA.DATA - Text file containing data
<Windows system folder>\WINDOWS.IDN - Text file containing data
<Windows system folder>\IA.DLL - Troj/CashGrab-B
<Windows system folder>\IAINST.EXE - Troj/CashGrab-B

In order to run automatically each time Internet Explorer starts, 
Troj/CashGrab-B will install IA.DLL as a Browser Helper Object. The 
following registry branches will be created:

HKCR\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper 
Objects\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}

HKCR\IA.IEHelperOP

In particular, the following registry entry will be created:

HKCR\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\InprocServer32
(default)
<Windows system folder>\IA.dll





Name   W32/LegMir-AD

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Steals information
    * Drops more malware
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.VB.kj
    * TROJ_LEGMIR.B

Prevalence (1-5) 2

Description
W32/LegMir-AD is a network worm with password stealing functionality.

W32/LegMir-AD tries to copy itself to all logical drives connected to 
the computer as folder.exe.

W32/LegMir-AD steals password information and emails it to a 
preconfigured email address.

The worm may also create a keylogger DLL that is detected by Sophos as 
Troj/Legmir-E.

Advanced
W32/LegMir-AD is a network worm with password stealing functionality.

W32/LegMir-AD copies itself to:

\folder.exe
%WINDOWS%\~aTNr.exe
%WINDOWS%\cih.exe
%WINDOWS%\hh.exe
%WINDOWS%\intrenat.exe
%WINDOWS%\notepad.exe
%WINDOWS%\winhlp32.exe
%SYSTEM%\cih.exe
%SYSTEM%\lc_res.exe
%SYSTEM%\Winsocks.dll

The files notepad.exe and hh.exe are first copied to the files Note.dll 
and hh.dll respectively before they are overwritten with a copy of the 
worm.

W32/LegMir-AD tries to copy itself to all logical drives connected to 
the computer as folder.exe.

W32/LegMir-AD creates the following registry entries to ensure it is run 
at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Intrenat
%WINDOWS%\intrenat.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Intrenat
%WINDOWS%\intrenat.exe

W32/LegMir-AD creates the file AUTORUN.INF in the root folder which can 
be deleted.

W32/LegMir-AD steals password information and emails it to a 
preconfigured email address.

The worm may also create a keylogger DLL that is detected by Sophos as 
Troj/Legmir-E.





Name   Troj/CashGrab-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Deletes files off the computer
    * Steals information
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security

Aliases  
    * Trojan.Win32.Agent.cw
    * PWS-Cashgrabber
    * TROJ_AGENT.DLA

Prevalence (1-5) 2

Description
Troj/CashGrab-A is a password-stealing Trojan aimed at customers of 
banking websites.

Troj/CashGrab-A will spy on a user's browsing habits for banking URLS. 
The Trojan will then attempt to steal login information.

Troj/CashGrab-A will connect to a remote site to download further files 
and data.

Advanced
Troj/CashGrab-A is a password-stealing Trojan aimed at customers of 
banking websites.

Troj/CashGrab-A will spy on a user's browsing habits for banking URLS. 
The Trojan will then attempt to steal login information.

Troj/CashGrab-A will connect to a remote site to download further files 
and data.

When first run, Troj/CashGrab-A will drop the following files:

UPDATE.SYS - Text file containing a URL
SETUP.CMD - DOS batch file, used to delete Trojan installation files
%SYSTEM%\WINDOWS.IDN - Text file containing data
%SYSTEM%\WINST.MSI - Text file containing a URL
%SYSTEM%\MSUPDATE.DLL - Troj/CashGrab-A
%SYSTEM%\WINSETUP.EXE - Troj/CashGrab-A

In order to run automatically each time Internet Explorer starts, 
Troj/CashGrab-A will install MSUPDATE.DLL as a Browser Helper Object. 
The following registry branches will be created:

HKCR\CLSID\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper 
Objects\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)

HKCR\msupdate.IEHelperOP

In particular, the following registry entry will be created:

HKCR\CLSID\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)\InprocServer32
(default)
%SYSTEM%\msupdate.dll





Name   Troj/Kelvir-R

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Reduces system security

Aliases  
    * IM-Worm.Win32.Prex.d

Prevalence (1-5) 2

Description
Troj/Kelvir-R is a Trojan for the Windows platform.

The Trojan monitors the status of MSN Messenger contacts and sends the 
following text to all online contacts:

hey
its you!
http://<domain>/friends/pictures.php?email=<recipient's email address>





Name   Troj/Dloader-MN

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Downloader-YS

Prevalence (1-5) 2

Description
Troj/Dloader-MN is a downloader Trojan for the Windows platform.

The Trojan injects code to Internet Explorer, which attempts to download 
a file from a predefined website in the background and run it.





Name   W32/Mytob-AG

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine

Aliases  
    * Net-Worm.Win32.Mytob.af
    * WORM_MYTOB.CA

Prevalence (1-5) 2

Description
W32/Mytob-AG is a mass-mailing network worm with IRC backdoor 
functionality.

W32/Mytob-AG connects to a preconfigured IRC server and joins a channel 
in which it can await further instructions.

W32/Mytob-AG attempts to spread to randomly-chosen IP addresses by 
exploiting the LSASS vulnerability (MS04-011). The patch for this 
vulnerability can be obtained from the Microsoft website:

MS04-011.

Advanced
W32/Mytob-AG is a mass-mailing network worm with IRC backdoor 
functionality.

W32/Mytob-AG copies itself to the file w32NTupdt.exe in the Windows 
system folder and creates the following registry entries in order to run 
at logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
A New Windows Updater
w32NTupdt.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
A New Windows Updater
w32NTupdt.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
A New Windows Updater
w32NTupdt.exe

HKLM\Software\Microsoft\OLE
A New Windows Updater
w32NTupdt.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
A New Windows Updater
w32NTupdt.exe

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
A New Windows Updater
w32NTupdt.exe

HKCU\Software\Microsoft\OLE
A New Windows Updater
w32NTupdt.exe

Emails sent by W32/Mytob-AG will have the following characteristics:

Subject: one of

Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
<random text>

Body: one of

Here are your banks documents.

The message cannot be represented in 7-bit ASCII encoding and has been 
sent as a binary attachment. The original message was included as an 
attachment.

The message contains Unicode characters and has been sent as a binary 
attachment.

Mail transaction failed. Partial message is available.

Attachment name: one of

document
readme
doc
text
file
data
test
message
body
<random text>

Attachment extension: one of

pif
scr
exe
cmd
bat

The attached file may have a double extension.

W32/Mytob-AG connects to a preconfigured IRC server and joins a channel 
in which it can await further instructions.

W32/Mytob-AG attempts to spread to randomly-chosen IP addresses by 
exploiting the LSASS vulnerability (MS04-011). The patch for this 
vulnerability can be obtained from the Microsoft website:

MS04-011.





Name   W32/Nopir-B

Type  
    * Worm

How it spreads  
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Deletes files off the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Nopir-B is a worm for the Windows platform.

W32/Nopir-B will display an anti-piracy image on the screen when run. 
The worm will then delete all COM and MP3 files from the computer. The 
worm will also disable taskmanager, registry tools, and access to the 
control panel. W32/Nopir-B will also check for debuggers and may attempt 
to disable any such software that it finds.

W32/Nopir-B copies itself to <Program Files>\Projects Visual 
Studio.NET\Nctrup.exe, <Program Files>\Restore\<random name>.exe, 
<Program Files>\eMule\Incoming\AnyDVD 5.1.0.1 Crack+Keygen By Razor.exe.

Advanced
W32/Nopir-B is a worm for the Windows platform.

W32/Nopir-B will display an anti-piracy image on the screen when run, as 
seen here:


The image displayed by the Nopir-B worm
The image displayed by the Nopir-B worm.

The worm will then delete all COM and MP3 files from the computer. The 
worm will also disable taskmanager, registry tools, and access to the 
control panel. W32/Nopir-B will also check for debuggers and may attempt 
to disable any such software that it finds.

W32/Nopir-B copies itself to <Program Files>\Projects Visual 
Studio.NET\Nctrup.exe, <Program Files>\Restore\<random name>.exe, 
<Program Files>\eMule\Incoming\AnyDVD 5.1.0.1 Crack+Keygen By Razor.exe.

W32/Nopir-B will create the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Verif
<Program Files>\Restore\<random name>.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
securw
<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\exefile\Shell\open\command

<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\batfile\Shell\open\command

<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\comfile\Shell\open\command

<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\scrfile\Shell\open\command

<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\piffile\Shell\open\command

<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\vbsfile\Shell\open\command

<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\vbefile\Shell\open\command

<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1





Name   W32/Rbot-AAY

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Modifies passwords
    * Records keystrokes

Prevalence (1-5) 2

Description
W32/Rbot-AAY is an IRC backdoor Trojan and network worm.

W32/Rbot-AAY may spread to remote network shares protected by weak 
passwords and computers vulnerable to common exploits. The worm also 
opens up a backdoor, allowing unauthorised remote access to infected 
computers via the IRC network, while running in the background as a 
service process.

The following patches for the operating system vulnerabilities exploited 
by W32/Rbot-AAY can be obtained from the Microsoft website:

MS04-012
MS04-011
MS03-049

W32/Rbot-AAY can receive commands from a remote intruder to delete 
network shares, log keypresses, participate in DDoS attacks, scan other 
computers for vulnerabilities, steal passwords, steal registration keys 
for computer games, create administrator accounts, terminate firewall 
and anti-virus processes and capture video from webcameras attached to 
the computer.

Advanced
W32/Rbot-AAY is an IRC backdoor Trojan and network worm.

W32/Rbot-AAY may spread to remote network shares protected by weak 
passwords and computers vulnerable to common exploits. The worm also 
opens up a backdoor, allowing unauthorised remote access to infected 
computers via the IRC network, while running in the background as a 
service process.

The following patches for the operating system vulnerabilities exploited 
by W32/Rbot-AAY can be obtained from the Microsoft website:

MS04-012
MS04-011
MS03-049

W32/Rbot-AAY can receive commands from a remote intruder to delete 
network shares, log keypresses, participate in DDoS attacks, scan other 
computers for vulnerabilities, steal passwords, steal registration keys 
for computer games, create administrator accounts, terminate firewall 
and anti-virus processes and capture video from webcameras attached to 
the computer.

W32/Rbot-AAY copies itself to the Windows system folder as "msaol32.exe" 
and creates the following registry entries in order to run automatically 
on computer login:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AOL Instant Messenger
MSAOL32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft AOL Instant Messenger
MSAOL32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft AOL Instant Messenger
MSAOL32.exe





Name   W32/Sdbot-XH

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security

Aliases  
    * WORM_SDBOT.BHU
    * W32.Spybot.Worm

Prevalence (1-5) 2

Description
W32/Sdbot-XH is a network worm with backdoor Trojan functionality for 
the Windows platform, that spreads through network shares protected by 
weak passwords, MS-SQL servers and through various operating system 
vulnerabilities.

W32/Sdbot-XH connects to a predetermined IRC channel and awaits further 
commands from remote users. The backdoor component of W32/Sdbot-XH can 
be instructed to perform the following functions:

scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server

Patches for the vulnerabilities exploited by W32/Sdbot-XH can be 
obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

Advanced
W32/Sdbot-XH is a network worm with backdoor Trojan functionality for 
the Windows platform.

When first run, W32/Sdbot-XH copies itself to the Windows system folder 
as windesktop.exe, and in order to be able to run automatically when 
Windows starts up sets the following registry entries in order to run 
each time a user logs on:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Desktop Controler
windesktop.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Desktop Controler
windesktop.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Desktop Controler
windesktop.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Desktop Controler
windesktop.exe

The worm sets the following registry entries, disabling the automatic 
startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\
Start
4

Registry entries are also created under:

HKCU\Software\Microsoft\OLE\
HKLM\SOFTWARE\Microsoft\Ole\

The worm spreads through network shares protected by weak passwords, 
MS-SQL servers and through various operating system vulnerabilities.

W32/Sdbot-XH connects to a predetermined IRC channel and awaits further 
commands from remote users. The backdoor component of W32/Sdbot-XH can 
be instructed to perform the following functions:

scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server

Patches for the vulnerabilities exploited by W32/Sdbot-XH can be 
obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

W32/Sdbot-XH also drops a file to the current folder as msdirectx.sys. 
The dropped file is detected by Sophos's anti-virus products as 
Troj/NtRootK-F.

The worm changes the Windows HOSTS file in attempt to prevent access to 
sites from the following list:

avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
kaspersky-labs.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.grisoft.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com

W32/Sdbot-XH terminates a number of processes including those related to 
various AV and security applications as well as system tools and other 
Worms and Trojans.





Name   W32/Sober-M

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Sober-M is a mass-mailing worm.

The email sent by W32/Sober-M depends on the recipient address. Emails 
sent to recipients whose email address is in the .de, .ch, .at, .li 
domains or contains the string "gmx." will receive an email as follows:

Subject line: FwD: Ich bin's nochmal

Message text:
Verdammt,,,,
ich hatte vergessen Dir meinen Text mitzuschicken.

Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode 
blamieren!

Ich melde mich.
Bis bald ;)

Attached file: Private-Texte.zip

Email sent to other addresses will have the following characteristics:

Subject line: I've_got your EMail on my_account!

Message text:
Hello,
First, Very Sorry for my bad English.

Someone is sending your private e-mails on my address.
It's probably an e-mail provider error!
At time, I've got over 10 mails on my account, but the recipient are you.

I have copied all the mail text in the windows text-editor for you & 
zipped then.
Make sure, that this mails don't come in my mail-box again.

bye

Attached file: your_text.zip

W32/Sober-M harvests email addresses from files with the following 
strings in their filenames:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl 
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp 
nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh 
tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo 
php asp shtml dbx

W32/Sober-M avoids sending email to addresses that contain any of the 
following strings:

@www @from. smtp- @smtp. ftp. .dial. .ppp. anyone @gmetref sql. someone 
nothing you@ user@ reciver@ somebody secure whatever@ whoever@ anywhere 
yourname mustermann@ mailer-daemon variabel noreply -dav law2 .qmail@ 
freeav @ca. abuse winrar domain. host. viren bitdefender spybot 
detection ewido. emsisoft linux @foo. winzip @example. bellcore. @arin 
@iana @avp icrosoft. @sophos @panda @kaspers free-av antivir virus 
verizon. @ikarus. @nai. @messagelab nlpmail01. clock

Advanced
W32/Sober-M is a mass-mailing worm.

When first run, W32/Sober-M opens Notepad and displays a body of text 
that starts:

UnPack failed

W32/Sober-M copies itself to the following location:

%WINDOWS%\Config\system\services.exe

and creates the following registry entries to ensure it is run at system 
logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
_SystemCheck
%WINDOWS%\Config\system\services.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemCheck
%WINDOWS%\Config\system\services.exe

W32/Sober-M creates a base64 encoded ZIP archived copy of itself in the 
following location:

%WINDOWS%\Config\system\zipped.wrm

as well as the harmless data file maddys.xyz which can be deleted.

W32/Sober-M also creates the following data files:

%SYSTEM%\adcmmmmq.hjg
%SYSTEM%\langeinf.lin
%SYSTEM%\nonrunso.ber
%SYSTEM%\xcvfpokd.tqa

The email sent by W32/Sober-M depends on the recipient address. Emails 
sent to recipients whose email address is in the .de, .ch, .at, .li 
domains or contains the string "gmx." will receive an email as follows:

Subject line: FwD: Ich bin's nochmal

Message text:
Verdammt,,,,
ich hatte vergessen Dir meinen Text mitzuschicken.

Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode 
blamieren!

Ich melde mich.
Bis bald ;)

Attached file: Private-Texte.zip

Email sent to other addresses will have the following characteristics:

Subject line: I've_got your EMail on my_account!

Message text:
Hello,
First, Very Sorry for my bad English.

Someone is sending your private e-mails on my address.
It's probably an e-mail provider error!
At time, I've got over 10 mails on my account, but the recipient are you.

I have copied all the mail text in the windows text-editor for you & 
zipped then.
Make sure, that this mails don't come in my mail-box again.

bye

Attached file: your_text.zip

W32/Sober-M harvests email addresses from files with the following 
strings in their filenames:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl 
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp 
nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh 
tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo 
php asp shtml dbx

W32/Sober-M avoids sending email to addresses that contain any of the 
following strings:

@www @from. smtp- @smtp. ftp. .dial. .ppp. anyone @gmetref sql. someone 
nothing you@ user@ reciver@ somebody secure whatever@ whoever@ anywhere 
yourname mustermann@ mailer-daemon variabel noreply -dav law2 .qmail@ 
freeav @ca. abuse winrar domain. host. viren bitdefender spybot 
detection ewido. emsisoft linux @foo. winzip @example. bellcore. @arin 
@iana @avp icrosoft. @sophos @panda @kaspers free-av antivir virus 
verizon. @ikarus. @nai. @messagelab nlpmail01. clock





Name   Troj/Kelvir-P

Type  
    * Trojan

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer

Prevalence (1-5) 2

Description
Troj/Kelvir-P is a Trojan for the Windows platform.

The Trojan monitors the status of Windows Messenger contacts and sends 
the following text to all online contacts:

Hey look at this
http://<domain>/profile.php?email=<infected user's email address>





Name   W32/Sdbot-XH

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security

Aliases  
    * WORM_SDBOT.BHU
    * W32.Spybot.Worm

Prevalence (1-5) 2

Description
W32/Sdbot-XH is a network worm with backdoor Trojan functionality for 
the Windows platform, that spreads through network shares protected by 
weak passwords, MS-SQL servers and through various operating system 
vulnerabilities.

W32/Sdbot-XH connects to a predetermined IRC channel and awaits further 
commands from remote users. The backdoor component of W32/Sdbot-XH can 
be instructed to perform the following functions:

scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server

Patches for the vulnerabilities exploited by W32/Sdbot-XH can be 
obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

Advanced
W32/Sdbot-XH is a network worm with backdoor Trojan functionality for 
the Windows platform.

When first run, W32/Sdbot-XH copies itself to the Windows system folder 
as windesktop.exe, and in order to be able to run automatically when 
Windows starts up sets the following registry entries in order to run 
each time a user logs on:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Desktop Controler
windesktop.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Desktop Controler
windesktop.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Desktop Controler
windesktop.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Desktop Controler
windesktop.exe

The worm sets the following registry entries, disabling the automatic 
startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\
Start
4

Registry entries are also created under:

HKCU\Software\Microsoft\OLE\
HKLM\SOFTWARE\Microsoft\Ole\

The worm spreads through network shares protected by weak passwords, 
MS-SQL servers and through various operating system vulnerabilities.

W32/Sdbot-XH connects to a predetermined IRC channel and awaits further 
commands from remote users. The backdoor component of W32/Sdbot-XH can 
be instructed to perform the following functions:

scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server

Patches for the vulnerabilities exploited by W32/Sdbot-XH can be 
obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

W32/Sdbot-XH also drops a file to the current folder as msdirectx.sys. 
The dropped file is detected by Sophos's anti-virus products as 
Troj/NtRootK-F.

The worm changes the Windows HOSTS file in attempt to prevent access to 
sites from the following list:

avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
kaspersky-labs.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.grisoft.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com

W32/Sdbot-XH terminates a number of processes including those related to 
various AV and security applications as well as system tools and other 
Worms and Trojans.





Name   Troj/Delbot-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Drops more malware
    * Uses its own emailing engine
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Delbot-B is a IRC backdoor Trojan for the Windows platform.

Troj/Delbot-B will connect to a preconfigured server and open up a 
backdoor, allowing unauthorised remote access to remote attackers. The 
Trojan can receive commands from the attacker to control the infected 
computer. The Trojan can be instructed to:

Download code
Participate in DDoS
Send email
Shutdown the infected system
Start and stop processes

Advanced
Troj/Delbot-B is a IRC backdoor Trojan for the Windows platform.

Troj/Delbot-B will connect to a preconfigured server and open up a 
backdoor, allowing unauthorised remote access to remote attackers. The 
Trojan can receive commands from the attacker to control the infected 
computer. The Trojan can be instructed to:

Download code
Participate in DDoS
Send email
Shutdown the infected system
Start and stop processes

Troj/Delbot-B will copy itself to the windows folder as cftmon.exe and 
mirc.dll and perodically set the following registry entry in case it is 
removed:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon
"<Windows folder>\cftmon.exe"

Troj/Delbot-B may attempt to terminate processes associated with the 
following executables:

'_AVPCC'
'ACKWIN32'
'AD-AWARE'
'ADMINTOOL'
'ADVXDWIN'
'AGENTA'
'AGENTSVR'
'ALERTSVC'
'ALOGSERV'
'AMON9X'
'ANTI-TROJAN'
'ANTITROJ'
'ANTIVIRUS'
'APIMONITOR'
'APLICA32'
'APVXDWIN'
'ASHDISP'
'ASHQUICK'
'ATGUARD'
'ATRO55EN'
'ATUPDATER'
'ATWATCH'
'AUTODOWN'
'AUTOTRACE'
'AVCONSOL'
'AVENGINE'
'AVGCC32'
'AVGCTRL'
'AVGSERV'
'AVGSERV9'
'AVGUARD'
'AVKPOP'
'AVKSERV'
'AVKSERVICE'
'AVKWCTL'
'AVKWCTL9'
'AVSCHED32'
'AVSYNMGR'
'AVWINNT'
'AVXGUI'
'AVXLIVE'
'AVXMONITOR9X'
'AVXMONITORNT'
'AVXQUAR'
'BD_PROFESSIONAL'
'BIDSERVER'
'BLACKD'
'BLACKICE'
'BOOTSCAN'
'BOOTWARN'
'CCEVTMGR'
'CFGINTPR'
'CFGWIZ'
'CFIADMIN'
'CFIAUDIT'
'CFINET'
'CFINET32'
'CLAW95'
'CLAW95CF'
'CLEANER'
'CLEANER3'
'CLEANPC'
'CMGRDIAN'
'CMON016'
'CONNECTIONMONITOR'
'CPFNT206'
'CWNB181'
'CWNTDWMO'
'DEFSCANGUI'
'DEFWATCH'
'DEPUTY'
'DPATROL'
'DRWEB32'
'DRWEBSCD'
'ECENGINE'
'EFPEADM'
'ESCANH95'
'ESCANHNT'
'ESCANV95'
'ESPWATCH'
'ETRUSTCIPE'
'EXANTIVIRUS-CNET'
'EXPERT'
'F-AGNT95'
'F-PROT'
'F-PROT95'
'F-STOPW'
'FAMEH32'
'FINDVIRU'
'FIREWALL'
'FLOWPROTECTOR'
'FNRB32'
'FP-WIN'
'FSAV32'
'FSAV530STBYB'
'FSAVSTRT'
'FSGK32'
'FSMA32'
'FSMB32'
'GBMENU'
'GBPOLL'
'GENERICS'
'GLADIATOR'
'GUARDDOG'
'GUARDER'
'HACKERELIMINATOR'
'HACKTRACERSETUP'
'IAMAPP'
'IAMSERV'
'IAMSTATS'
'IBMASN'
'IBMAVSP'
'ICLOAD95'
'ICLOADNT'
'ICSUPP95'
'ICSUPPNT'
'IOMON98'
'IPARMOR'
'ISRV95'
'JAMMER'
'KAVLITE40ENG'
'MCVSSHLD'
'MFW2EN'
'MGAVRTCL'
'MGAVRTE'
'MGHTML'
'MGUTIL'
'MINILOG'
'MONITOR'
'MOOLIVE'
'MPFTRAY'
'MSSMMC32'
'MWATCH'
'N32SCANW'
'NAVAPSVC'
'NAVAPW32'
'NAVLU32'
'NAVSTUB'
'NAVW32'
'NAVWNT'
'NEOWATCHLOG'
'NEOWATCHTRAY'
'NETARMOR'
'NETINFO'
'NETMON'
'NETSCANPRO'
'NETSPYHUNTER-1.2'
'NETUTILS'
'NISSERV'
'NORMIST'
'NPFMESSENGER'
'NPSSVC'
'NSCHED32'
'NTRTSCAN'
'NTXCONFIG'
'NVARCH16'
'NWSERVICE'
'NWTOOL16'
'OSTRONET'
'OUTPOST'
'PADMIN'
'PANIXK'
'PAVFIRES'
'PAVPROXY'
'PAVSRV51'
'PCCCLIENT'
'PCCGUIDE'
'PCCIOMON'
'PCCNTMON'
'PCCPFW'
'PCCWIN97'
'PCCWIN98'
'PCFWALLICON'
'PCSCAN'
'PERISCOPE'
'PERSFW'
'PFWADMIN'
'PINGSCAN'
'PLATIN'
'POP3TRAP'
'POPROXY'
'PORTDETECTIVE'
'PORTMONITOR'
'PPVSTOP'
'PRAZNA'
'PROCMAN'
'PROGRAMAUDITOR'
'PROPORT'
'PROTECTX'
'PVIEW95'
'QCONSOLE'
'QSERVER'
'QTTASK'
'RAPAPP'
'RAV7WIN'
'RAV8WIN32ENG'
'RAVMON'
'RAVWIN8'
'REALMON'
'RMVTRJAN'
'RRGUARD'
'RSHELL'
'RTVSCN95'
'RULAUNCH'
'SAFEWEB'
'SBSERV'
'SCAN32'
'SCANPM'
'SCRSCAN'
'SGSSFW32'
'SPHINX'
'SS3EDIT'
'SUPFTRL'
'SUPPORTER5'
'SWEEP95'
'SWNETSUP'
'SYMPROXYSVC'
'TASKALERT'
'TAUMON'
'TAUSCAN'
'TBSCAN'
'TDS2-NT'
'THGUARD'
'TITANIN'
'TITANINXP'
'TRJSCAN'
'TROJAN'
'TROJANHUNTER'
'TROJANTRAP3'
'TUCONF'
'TWEAK-XP'
'UMXAGENT'
'UMXLDRA'
'V530WTBYB'
'VBCMSERV'
'VBCONS'
'VBWIN9X'
'VBWINNTW'
'VETTRAY'
'VIR-HELP'
'VNLAN300'
'VPFW30S'
'VPTR AY'
'VPTRAY'
'VSCAN40'
'VSCHED'
'VSECOMR'
'VSHWIN32'
'VSMAIN'
'VSSTAT'
'WATCHDOG'
'WATCHER'
'WEBSCANX'
'WEBTRAP'
'WFINDV32'
'WGFE95'
'WIMMUN32'
'WINGATE'
'WINRECON'
'WINROUTE'
'WRADMIN'
'WRCTRL'
'WSBGATE'
'XCOMMSVR'
'XPF202EN'
'ZATUTOR'
'ZAUINST'
'ZONALM2601'
'ZONEALARM'

Troj/Delbot-B will also drop two files to the Windows folder, 
0.0(harmless) and br.dll(detected as Troj/Delbot-B).





Name   W32/Agobot-RN

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Agobot-RN is a network worm with backdoor functionality for the 
Windows platform.

The worm allows a remote intruder to gain access and control over the 
computer via IRC channels.

Advanced
W32/Agobot-RN is a network worm with backdoor functionality for the 
Windows platform.

The worm allows a remote intruder to gain access and control over the 
computer via IRC channels.

The worm also modifies the system HOSTS file in order to prevent access 
to certain websites.

When first run the worm copies itself to ip7.exe in the Windows system 
folder.

The following registry entries are created to run ip7.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Configuration Loader10
ip7.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Configuration Loader10
ip7.exe

Registry entries are also created under:

HKCR\CLSID\{279816C0-3158-13D1-B2E4-0060975B8649}





Name   Troj/Dloader-LW

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Delf.le

Prevalence (1-5) 2

Description
Troj/Dloader-LW is a downloader Trojan for the Windows platform.

The Trojan copies itself to %SYSTEM%\service.exe and runs in the 
background.

Troj/Dloader-LW attempts to download files to %SYSTEM%\tcpimon.dll from 
predefined websites and open Internet Explorer with a URL obtained from 
the downloaded files.





Name   Troj/Banker-CH

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Uses its own emailing engine
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Banker.oq

Prevalence (1-5) 2

Description
Troj/Banker-CH is a password stealing Trojan for the Windows platform.

Troj/Banker-CH monitors which URLs are visited by the web browser and 
creates fake web pages for certain Brazilian banking sites in order to 
log account information. The logged information is sent to remote users 
via email.

Advanced
Troj/Banker-CH is a password stealing Trojan for the Windows platform.

Troj/Banker-CH creates the following registry entry using the name of 
the file when executed to ensure it is run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<filename>
<path and filename>

Troj/Banker-CH monitors which URLs are visited by the web browser and 
creates fake web pages for certain Brazilian banking sites in order to 
log account information. The logged information is sent to remote users 
via email.





Name   W32/Agobot-RM

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Agobot.abq

Prevalence (1-5) 2

Description
W32/Agobot-RM is a network worm with a backdoor Trojan component.

W32/Agobot-RM is capable of spreading to computers on the local network 
protected by weak passwords after receiving the appropriate backdoor 
command.

W32/Agobot-RM can also spread by exploiting the following 
vulnerabilities:

DCOM (MS04-012)
LSASS (MS04-011)
UPNP (MS01-059)
Workstation Service (MS03-049)
WebDav (MS03-007)
DameWare (CAN-2003-1030)
Microsoft SQL servers with weak passwords.
Backdoors left open by other worms and Trojans.

Advanced
When first run, W32/Agobot-RM copies itself to the Windows system folder 
as CRSS.EXE and runs this copy of the worm. The copy will then attempt 
to delete the original file. In order to run each time a user logs on, 
W32/Agobot-RM will set the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CRSS
CRSS.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
CRSS
CRSS.exe

The worm runs continuously in the background providing backdoor access 
to the computer.

W32/Agobot-RM will append entries to the HOSTS file in the 
<SYSTEM>\drivers\etc folder. The file contains a list of websites each 
bound to the IP loopback address. This prevents access to a list of 
anti-virus and security related websites. For example,

127.0.0.1 sophos.com
127.0.0.1 www.sophos.com

The backdoor component of W32/Agobot-RM may be used to:

Initiate Denial-RM-Service (DOS) attacks.
Redirect GRE, TCP, HTTP, HTTPS, SOCKS4 and SOCKS5 traffic.
Download, upload, delete and execute files.
Set up an FTP file server.
Steal passwords (including PayPal account information).
List and kill processes.
Stop, start, pause and delete services.
Modify the registry.
Open and close vulnerabilities.
Port scan for vulnerabilities on other remote computers.
Flush the DNS cache.
Log keyboard presses.
Shut down and reboot the computer.
Add and delete network shares, groups and users.
Sniff network traffic for passwords.
Steal email addresses from the computer.

W32/Agobot-RM may alter the following registry entry in order to 
enable/disable DCOM:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM

W32/Agobot-RM is capable of adding and deleting the C$, D$, E$, IPC$ and 
ADMIN$ network shares.

W32/Agobot-RM may steal the Windows Product ID and keys from several 
computer applications or games.

W32/Agobot-RM can be instructed to harvest email addresses from the 
infected computer by searching the Windows Address Book, used by 
Microsoft Outlook and Outlook Express. The worm can also harvest email 
addresses from Microsoft Messenger.

W32/Agobot-RM will attempt to terminate a number of anti-virus and 
security-related processes in addition to other viruses, worms and 
Trojans.

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)