Text 54, 2052 lines
Written 2005-05-14 12:53:00 by KURT WISMER (1:123/140)
Subject: News, May 14 2005
=========================
[cut-n-paste from sophos.com]
Name W32/Bagz-D
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
Aliases
* I-Worm.Bagz.d
Prevalence (1-5) 3
Description
W32/Bagz-D is a mass-mailing network worm that also contains a backdoor
which allows an intruder to download and install further components.
W32/Bagz-D will attempt to harvest email addresses from TXT, HTM, DBX,
TBI and TBB files, which it will use for both the to and from addresses
of emails that it sends.
The worm will also attempt to terminate anti-virus software.
Advanced
W32/Bagz-D is a mass-mailing network worm that also contains a backdoor
which allows an intruder to download and install further components.
W32/Bagz-D will attempt to harvest email addresses from TXT, HTM, DBX,
TBI and TBB files, which it will use for both the to and from addresses
of emails that it sends.
The sent email will have the following characteristics:
Subject line:
ASAP
please responce
Read this
urgent
toxic
contract
Money
office
Have a nice day
Hello
Russian's
Amirecans
attachments
attach
waiting
best regards
Administrator
Warning
text
Vasia
re: Andrey
re: please
re: order
Allert!
Attachment (ZIP format):
backup.zip
admin.zip
archivator.zip
about.zip
readme.zip
help.zip
photos.zip
payment.zip
archives.zip
manual.zip
inbox.zip
outbox.zip
save.zip
rar.zip
zip.zip
ataches.zip
documentation.zip
docs.zip
Attachment (EXE format):
backup.doc (spaces) .exe
admin.doc (spaces) .exe
archivator.doc (spaces) .exe
about.doc (spaces) .exe
readme.doc (spaces) .exe
help.doc (spaces) .exe
photos.doc (spaces) .exe
payment.doc (spaces) .exe
archives.doc (spaces) .exe
manual.doc (spaces) .exe
inbox.doc (spaces) .exe
outbox.doc (spaces) .exe
save.doc (spaces) .exe
rar.doc (spaces) .exe
zip.doc (spaces) .exe
ataches.doc (spaces) .exe
documentation.doc (spaces) .exe
docs.doc (spaces) .exe
sysboot.doc (spaces) .exe
W32/Bagz-D will keep a copy of the files that it sends in the Windows
system32 folder. The worm also drops the following components into that
folder:
run32.exe (Detected as component of W32/Bagz-C)
rpc32.exe
ipdb.dll
wdate.dll
jobdb.dll
W32/Bagz-D will also modify the %system32%\drivers\etc\hosts file in
order to prevent access to major anti-virus vendors' websites.
The worm will install itself as a service called RPC32.
Name W32/Bagz-B
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* I-Worm.Bagz.b
* W32/Bagz.b@MM
Prevalence (1-5) 2
Description
W32/Bagz-B is a mass-mailing network worm. It also contains a backdoor
which allows an intruder to instruct it to download and install further
components.
W32/Bagz-B may also try to disable the Windows default firewall on
startup.
W32/Bagz-B will attempt to harvest email addresses from the "Documents
and Settings" folder on the local machine, from files with names such as
*.txt, *.htm, *.dbx, *.tbi, *.tbb.
Advanced
The email it sends will contain an attachment either in ZIP format or in
a binary file. It will contain the following subject lines:
"last request before refunding"
"re: user id update"
"fwd: your funds are eligible for withdrawal"
"find a solution with this customer"
"no subject"
"re: help desk registration"
"failure notice"
"fwd: password"
"when should i call you?"
"re: re: a question"
"knowledge base article"
"open invoices"
"returned mail: see transcript for details"
"building maintenance"
"[fwd: broken link]"
"winxp"
"troubles are back again"
"questions"
"order approval"
"units available"
"progress news"
"big announcements"
"need help pls"
"you have recieved an ecard!"
"what is this ????"
"deactivation notice"
"message recieved, please confirm"
"my funny stories"
"cost inquiry"
"re: payment"
"referrences"
"webmail invite"
"re: quote request"
Attachments can use the following names:
arch.doc<spaces>.exe
arch.zip
archive.doc<spaces>.exe
archive.zip
atach.doc<spaces>.exe
atach.zip
att.doc<spaces>.exe
att.zip
contact.doc<spaces>.exe
contact.zip
db.doc<spaces>.exe
db.zip
dl.exe
doc.doc<spaces>.exe
doc.zip
documents.doc<spaces>.exe
documents.zip
file.doc<spaces>.exe
file.zip
ipdb.dll
jobdb.dll
mail.doc<spaces>.exe
mail.zip
message.doc<spaces>.exe
message.zip
messages.doc<spaces>.exe
messages.zip
msg.doc<spaces>.exe
msg.zip
read.doc<spaces>.exe
read.zip
readme.doc<spaces>.exe
readme.zip
support.doc<spaces>.exe
support.zip
syslogin.exe
tutorial.doc<spaces>.exe
warning.doc<spaces>.exe
warning.zip
W32/Bagz-B will keep a copy of the above files in the folder %system32%.
Other than the above, it will also drop the following components:
%system32%/dl.exe
%system32%/syslogin.exe
%system32%/ipdb.dll
%system32%/jobdb.dll
And also create the following autorun registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
syslogin.exe = syslogin.exe
Name W32/Forbot-AR
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Wootbot.gen
* W32/Gaobot.worm.gen.q
* WORM_WOOTBOT.K
Prevalence (1-5) 2
Description
W32/Forbot-AR is a worm which attempts to spread to remote network
shares.
W32/Forbot-AR also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
Advanced
W32/Forbot-AR is a worm which attempts to spread to remote network
shares.
W32/Forbot-AR also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
W32/Forbot-AR copies itself to the Windows system folder as
securitychk.exe and creates entries in the registry at the following
locations to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Secure Messenger.NET Service
securitychk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe
W32/Forbot-AR also creates its own service named
"Microsoft Secure Messenger.NET Service".
Name W32/Mytob-CA
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Steals information
Prevalence (1-5) 2
Description
W32/Mytob-CA is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-CA also appends to the HOSTS file to deny access to security
related websites.
W32/Mytob-CA is capable of spreading through email. Email sent by
W32/Mytob-CA has the following properties:
Subject line:
Error
hello
Here is your documents.
Mail Delivery System
Mail Transaction Failed
Re: Thank you for delivery
something for you
Status
Message text:
'Mail transaction failed. Partial message is available.'
'The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.'
'The message contains Unicode characters and has been sent as a binary
attachment.'
'The original message was included as an attachment.'
Advanced
W32/Mytob-CA is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
When first run W32/Mytob-CA copies itself to the Windows system folder
as shell.exe and creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Shell
"shell.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Shell
"shell.exe"
W32/Mytob-CA also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
W32/Mytob-CA is capable of spreading through email. Email sent by
W32/Mytob-CA has the following properties:
Subject line:
Error
hello
Here is your documents.
Mail Delivery System
Mail Transaction Failed
Re: Thank you for delivery
something for you
Status
Message text:
'Mail transaction failed. Partial message is available.'
'The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.'
'The message contains Unicode characters and has been sent as a binary
attachment.'
'The original message was included as an attachment.'
The attached file consists of a base name followed by one of the
extensions PIF, SCR, EXE or ZIP. The base name will be one of the following:
DOCUMENT
README
ATTACHMENT
creditcard
LETTER
PayPal
W32/Mytob-CA harvests email addresses from files on the infected
computer and from the Windows address book. The worm avoids sending
email to addresses that contain the following:
.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your
W32/Mytob-CA may produce the file helllogger.txt which is a harmless
text file used to log the activity of the user.
Name W32/Mytob-CH
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
Aliases
* WORM_MYTOB.DA
Prevalence (1-5) 2
Description
W32/Mytob-CH is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-CH copies itself to the root folder as:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
and drops a file called hellmsn.exe (detected by Sophos as W32/Mytob-D)
in the same location. This component attempts to spread the worm by
sending the aforementioned SCR files through Windows Messenger to all
online contacts.
W32/Mytob-CH is capable of spreading through email and through the LSASS
(MS04-011) operating system vulnerability.
W32/Mytob-CH harvests email addresses from files on the infected
computer and from the Windows address book as well as the Microsoft
Internet Account Manager.
The following patch for the operating system vulnerability exploited by
W32/Mytob-CH can be obtained from the Microsoft website:
LSASS (MS04-011) security vulnerability
Advanced
W32/Mytob-CH is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
When first run W32/Mytob-CH copies itself to the Windows system folder
as iexplorer.exe and creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole
WINTASK
iexplorer.exe
HKCU\Software\Microsoft\Ole
WINTASK
iexplorer.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
iexplorer.exe
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
iexplorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
iexplorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINTASK
iexplorer.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
iexplorer.exe
W32/Mytob-CH copies itself to the root folder as:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
and drops a file called hellmsn.exe (detected by Sophos as W32/Mytob-D)
in the same location. This component attempts to spread the worm by
sending the aforementioned SCR files through Windows Messenger to all
online contacts.
W32/Mytob-CH also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
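The HOSTS tampering listed for W32/Bagz-D, W32/Mytob-CA and W32/Mytob-CH above is simple to check for on a suspect machine. The script below is an added example, not part of this post or of Sophos's descriptions: it parses a Windows HOSTS file and reports every entry that points a known anti-virus vendor hostname at loopback (127/8, ::1) or at 0.0.0.0. The vendor list is an assumption built from the domains in the lists above, and the sample HOSTS content is constructed.

```python
"""Flag HOSTS-file entries that send security-vendor hostnames to a sinkhole.

Added example (not part of the original post or of Sophos's descriptions):
Mytob and Bagz variants append lines such as '127.0.0.1 sophos.com' to
%SystemRoot%\\System32\\drivers\\etc\\hosts so the victim cannot reach
AV update sites. The vendor list is an assumption drawn from the domains
named in the descriptions above; the sample file is constructed.
"""
import ipaddress

# Registrable domains seen in the HOSTS lists in this post (assumption:
# extend with whatever vendors matter in your environment).
VENDOR_DOMAINS = {
    "sophos.com", "symantec.com", "symantecliveupdate.com", "mcafee.com",
    "nai.com", "networkassociates.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "viruslist.com", "f-secure.com", "trendmicro.com", "ca.com",
    "my-etrust.com", "grisoft.com", "microsoft.com",
}

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample: a default Windows hosts file with a worm-style block
# appended at the end (lines 7-12).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.test   # legitimate internal entry
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
0.0.0.0 download.mcafee.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every non-comment line.

    Inline comments ('#') are stripped; lines whose first field is not an
    IP address are skipped rather than treated as an error.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if len(parts) > 1:
            yield line_no, ip, [h.lower() for h in parts[1:]]


def registrable_domain(hostname):
    """Return the last two labels ('www.sophos.com' -> 'sophos.com').

    A two-label heuristic is enough for the vendor list above; it would
    mis-handle ccSLDs such as 'co.uk' (known limitation of this example).
    """
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def is_sinkhole(ip):
    """True for loopback (127/8, ::1) and the 0.0.0.0 'discard' address."""
    if ip.version == 4:
        return ip in LOOPBACK_NET or ip == ipaddress.ip_address("0.0.0.0")
    return ip.is_loopback


def find_vendor_blocks(text, vendors=VENDOR_DOMAINS):
    """Return [(line_no, ip_str, hostname)] for vendor names sent to a sinkhole.

    'localhost' -> 127.0.0.1 / ::1 is expected and is never reported.
    """
    hits = []
    for line_no, ip, hostnames in parse_hosts(text):
        if not is_sinkhole(ip):
            continue
        for host in hostnames:
            if host == "localhost":
                continue
            if registrable_domain(host) in vendors:
                hits.append((line_no, str(ip), host))
    return hits


if __name__ == "__main__":
    for line_no, ip, host in find_vendor_blocks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}")
```

Run it against the real file by reading %SystemRoot%\System32\drivers\etc\hosts into `find_vendor_blocks`; any hit on a machine that is not deliberately sinkholing those domains is a strong sign of the Bagz/Mytob-style tampering described above, and the line numbers tell you which block to cut out.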
W32/Mytob-CH is capable of spreading through email and through the LSASS
(MS04-011) operating system vulnerability.
Email sent by W32/Mytob-CH has the following properties:
Subject line chosen from:
Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message text chosen from:
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary
attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'
The attached file consists of a base name followed by one of the
extensions PIF, SCR, EXE or ZIP. The worm may optionally create double
extensions where the first extension is DOC, TXT or HTM and the final
extension is PIF, SCR, EXE or ZIP.
W32/Mytob-CH harvests email addresses from files on the infected
computer and from the Windows address book as well as the Microsoft
Internet Account Manager.
The following patch for the operating system vulnerability exploited by
W32/Mytob-CH can be obtained from the Microsoft website:
LSASS (MS04-011) security vulnerability
Name Troj/Sqdrop-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 2
Description
Troj/Sqdrop-A is a dropper Trojan for the Windows platform.
Troj/Sqdrop-A will drop two files to the Windows system folder as
divxenc.exe and msld.dll. The Trojan will then execute divxenc.exe.
Advanced
Troj/Sqdrop-A is a dropper Trojan for the Windows platform.
Troj/Sqdrop-A will drop two files to the Windows system folder as
divxenc.exe and msld.dll. The Trojan will then execute divxenc.exe.
Troj/Sqdrop-A will then create or modify the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
divx
<Windows system folder>\divxenc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
divx
<Windows system folder>\divxenc.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <Windows system folder>\divxenc.exe
Name W32/Eyeveg-F
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Steals information
* Forges the sender's email address
* Uses its own emailing engine
Aliases
* Worm.Win32.Eyeveg.f
* W32/Eyeveg.worm.gen
Prevalence (1-5) 2
Description
W32/Eyeveg-F is a worm for the Windows platform with backdoor
capabilities.
W32/Eyeveg-F will send itself to email addresses found on the infected
computer as a ZIP file.
W32/Eyeveg-F will also attempt to contact a predefined URL in order to
get commands. The tasks that the worm can be instructed to perform are:
Keylogging
Monitoring web traffic
Sending email
Stealing passwords from infected computer
Advanced
W32/Eyeveg-F is a worm for the Windows platform with backdoor
capabilities.
W32/Eyeveg-F will send itself to email addresses found on the infected
computer as a ZIP file. The executable in the ZIP file will have one of
the following names:
Details.doc .scr
Girls.jpg .scr
Image.jpg .scr
Love.jpg .scr
Message.txt .scr
Music.mp3 .scr
News.doc .scr
Photo.jpg .scr
Pic.jpg .scr
Resume.doc .scr
Screensaver .scr
Song.wav .scr
Video.avi .scr
The ZIP file's name and the subject will be the same as the name above
without an extension.
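The attachment names used by W32/Bagz-D, W32/Bagz-B, W32/Mytob-CH and W32/Eyeveg-F above share one trick: a harmless-looking inner extension, a run of spaces that pushes the real extension out of view in most mail clients, and a final executable extension. The script below is an added example, not part of this post or of Sophos's descriptions; it splits such a name into its parts and classifies it, so the same logic can drive a mail-gateway rule. The extension sets are an assumption based on the names in the descriptions, and the sample names are constructed from them.

```python
"""Classify attachment names that hide an executable behind a decoy extension.

Added example (not part of the original post or of Sophos's descriptions).
The Bagz, Eyeveg and Mytob entries use names such as
'backup.doc            .exe' and 'Details.doc .scr'.  EXEC_EXTENSIONS and
DECOY_EXTENSIONS are assumptions built from those descriptions; treat them
as a starting point, not a complete list.
"""

EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXTENSIONS = {"doc", "txt", "htm", "html", "jpg", "mp3", "wav", "avi",
                    "zip", "pdf", "xls"}


def split_name(name):
    """Return (base, decoy_ext or None, final_ext, padding_len).

    'backup.doc      .exe' -> ('backup', 'doc', 'exe', 6)
    'readme.zip'           -> ('readme', None, 'zip', 0)
    'dl.exe'               -> ('dl', None, 'exe', 0)
    The final extension is the text after the last dot, lower-cased; the
    padding is the whitespace immediately before that dot.
    """
    stripped = name.strip()
    if "." not in stripped:
        return stripped, None, "", 0
    head, _, final_ext = stripped.rpartition(".")
    padding = len(head) - len(head.rstrip())
    head = head.rstrip()
    decoy = None
    if "." in head:
        base, _, decoy = head.rpartition(".")
        decoy = decoy.lower()
    else:
        base = head
    return base, decoy, final_ext.lower(), padding


def classify(name):
    """Return 'executable-disguised', 'executable', 'archive' or 'other'.

    'executable-disguised' means an executable extension preceded by a decoy
    document/media extension, by whitespace padding, or by both.
    """
    base, decoy, final_ext, padding = split_name(name)
    if final_ext in EXEC_EXTENSIONS:
        if padding or decoy in DECOY_EXTENSIONS:
            return "executable-disguised"
        return "executable"
    if final_ext == "zip":
        return "archive"
    return "other"


# Constructed samples using names from the post (spaces inserted where the
# descriptions say '(spaces)' or '<spaces>').
SAMPLES = [
    "backup.doc          .exe",   # Bagz-D
    "arch.doc    .exe",           # Bagz-B
    "dl.exe",                     # Bagz-B dropped component, no disguise
    "Details.doc .scr",           # Eyeveg-F
    "Screensaver .scr",           # Eyeveg-F: padding without a decoy extension
    "readme.zip",                 # Bagz-D ZIP form
    "PayPal.txt.pif",             # Mytob-CH style double extension, no padding
    "quarterly_report.doc",       # benign
]


def triage(names):
    """Map each name to its class; the dict is what a gateway rule would act on."""
    return {n: classify(n) for n in names}


if __name__ == "__main__":
    for n, verdict in triage(SAMPLES).items():
        print(f"{verdict:22s} {n!r}")
```

Note that the ZIP forms listed above are classified only as 'archive': the executable inside still has to be inspected after extraction, which is why the Bagz variants ship the same payload both ways.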
W32/Eyeveg-F will also attempt to contact a predefined URL in order to
get commands. The tasks that the worm can be instructed to perform are:
Keylogging
Monitoring web traffic
Sending email
Stealing passwords from infected computer
W32/Eyeveg-F will avoid sending email to addresses containing the
following strings:
abuse
admin
hostmaster
localdomain
localhost
mcafee
messagelab
microsoft
noreply
postmaster
recipients
reports
root
spam
symantec
webmaster
W32/Eyeveg-F will copy itself to the Windows system folder with a random
name. W32/Eyeveg-F will then create the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<random>
<random>.exe
Name W32/Kelvir-Gen
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Kelvir-Gen is a family of instant-messaging worms.
Members of W32/Kelvir-Gen spread by sending a message through Windows
Messenger to the infected user's contacts. The message encourages the
recipient to visit a web page to download a file that is often itself a
member of W32/Kelvir-Gen.
Some members of W32/Kelvir-Gen also attempt to download and execute
files from remote websites.
Name Troj/Goldun-T
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan-Dropper.Win32.Agent.ku
* Trojan-Spy.Win32.Goldun.ar
* Trojan-Spy.Win32.Goldun.aq
Prevalence (1-5) 2
Description
Troj/Goldun-T is a password-stealing Trojan targeted at users of the
e-gold online services.
The main dropper for Troj/Goldun-T usually pretends to be part of a new
security system to allow secure access to the e-gold website and has
been seen as an attachment to an email with the following message body:
Dear E-gold payment system users,
The recent cases of fraud, unauthorized withdrawal of cash from our
clients' accounts and recurred attempts of hackers to access our server
forced us to implement a new security system. The special program will
ensure safe connection of your computer to our server by means of a
unique encoded key, specially generated for each account. Only the
combination of your login, password and the key will allow you to access
the system. The program is enclosed to the message and doesn't need any
installation. By one click you will be connected to the server and the
program will generate the key. After that you will enter your account
from Internet Explorer, which is absolutely safe. You will be signed out
of the program automatically after closing the window. See the detailed
operational instruction enclosed to the program.
We have to warn you, that if you want to be the user of our system in
future, you'll have to accept our rules and to use this program.
Otherwise please call the numbers below to withdraw your funds. For the
detailed information please enter our site or use our hot line to
contact us by phone.
Our Contacts:
Phone (Worldwide) +1 321-951-1200
FAX (Worldwide) +1 321-956-0790
Best regards, E-gold.
Advanced
Troj/Goldun-T is a password-stealing Trojan targeted at users of the
e-gold online services.
Troj/Goldun-T drops the files BOSKGJE.EXE and PINCH.EXE to the Windows
temp folder. BOSKGJE.EXE is also detected as Troj/Goldun-T, and
PINCH.EXE is detected as Troj/LdPinch-AZ.
The file dropped as BOSKGJE.EXE will drop the file IDMAS.DLL to the
Windows system folder, also detected as Troj/Goldun-T. Before dropping
and running the file DELT.BAT in the Windows temp folder in order to
delete itself, it creates an entry in the registry at
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\[68363724-9abc-def0-0fed-fad682644311]
and also entries in the registry under the following location to point
to the dropped DLL:
HKCR\CLSID\[68363724-9abc-def0-0fed-fad682644311]\
The file dropped as IDMAS.DLL monitors access to www.e-gold.com and
steals information about the user's account, sending it to a script at
http://65.75.191.79.
The main dropper for Troj/Goldun-T usually pretends to be part of a new
security system to allow secure access to the e-gold website and will
display a fake message box entitled "E-gold security connect" with an
e-gold image and "Connect" and "Exit" buttons. If the "Connect" button
is pressed the box displays "Connecting", then "Runing", and finally
attempts to open Microsoft Internet Explorer at the legitimate e-gold
login page.
The main dropper for Troj/Goldun-T has been seen as an attachment to an
email with the following message body:
Dear E-gold payment system users,
The recent cases of fraud, unauthorized withdrawal of cash from our
clients' accounts and recurred attempts of hackers to access our server
forced us to implement a new security system. The special program will
ensure safe connection of your computer to our server by means of a
unique encoded key, specially generated for each account. Only the
combination of your login, password and the key will allow you to access
the system. The program is enclosed to the message and doesn't need any
installation. By one click you will be connected to the server and the
program will generate the key. After that you will enter your account
from Internet Explorer, which is absolutely safe. You will be signed out
of the program automatically after closing the window. See the detailed
operational instruction enclosed to the program.
We have to warn you, that if you want to be the user of our system in
future, you'll have to accept our rules and to use this program.
Otherwise please call the numbers below to withdraw your funds. For the
detailed information please enter our site or use our hot line to
contact us by phone.
Our Contacts:
Phone (Worldwide) +1 321-951-1200
FAX (Worldwide) +1 321-956-0790
Best regards, E-gold.
Name W32/Rbot-AAY
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Modifies passwords
* Records keystrokes
Prevalence (1-5) 2
Description
W32/Rbot-AAY is an IRC backdoor Trojan and network worm.
W32/Rbot-AAY may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process.
The following patches for the operating system vulnerabilities exploited
by W32/Rbot-AAY can be obtained from the Microsoft website:
MS04-012
MS04-011
MS03-049
W32/Rbot-AAY can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
Advanced
W32/Rbot-AAY is an IRC backdoor Trojan and network worm.
W32/Rbot-AAY may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process.
The following patches for the operating system vulnerabilities exploited
by W32/Rbot-AAY can be obtained from the Microsoft website:
MS04-012
MS04-011
MS03-049
W32/Rbot-AAY can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
W32/Rbot-AAY copies itself to the Windows system folder as "msaol32.exe"
and creates the following registry entries in order to run automatically
on computer login:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AOL Instant Messenger
MSAOL32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft AOL Instant Messenger
MSAOL32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft AOL Instant Messenger
MSAOL32.exe
Name W32/Agobot-SE
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Agobot.ace
Prevalence (1-5) 2
Description
W32/Agobot-SE is a network worm with backdoor functionality for the
Windows platform.
W32/Agobot-SE connects to an IRC channel and listens for commands from a
remote attacker. The worm may spread to remote network shares with weak
passwords.
The following patches for the operating system vulnerabilities exploited
by W32/Agobot-SE can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS02-039
Advanced
W32/Agobot-SE is a network worm with backdoor functionality for the
Windows platform.
W32/Agobot-SE connects to an IRC channel and listens for commands from a
remote attacker. The worm may spread to remote network shares with weak
passwords.
The following patches for the operating system vulnerabilities exploited
by W32/Agobot-SE can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS02-039
When first run the worm copies itself to the Windows system folder as
system.exe. The following registry entries are created to run system.exe
on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows
system.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows
system.exe
Registry entries are also set as follows:
HKCU\SOFTWARE\Microsoft\Ole
Windows
system.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/Whistler-F
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Deletes files off the computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Trojan.Win32.Dire.c
* QDel247
* Win32/Dire.C
* TROJ_QDEL247.A
Prevalence (1-5) 2
Description
Troj/Whistler-F is a destructive Trojan for the Windows platform.
Troj/Whistler-F will attempt to delete files on the user's computer. The
Trojan will also create a file at C:\WXP and copy it over other files.
The file contains the message "You did a piracy, you deserve it."
Advanced
Troj/Whistler-F is a destructive Trojan for the Windows platform.
Troj/Whistler-F will attempt to delete files on the user's computer. The
Trojan will also create a file at C:\WXP and copy it over other files.
The file contains the message "You did a piracy, you deserve it."
When first run the Trojan copies itself to <SYSTEM>\whismng.exe.
The following registry entry is created to run whismng.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Whistler
<SYSTEM>\whismng.exe -n
Name W32/Rbot-ACC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Modifies passwords
Aliases
* W32/Rbot-ACC
Prevalence (1-5) 2
Description
W32/Rbot-ACC is a network worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-ACC may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process. The worm exploits vulnerabilities including: RPC-DCOM
(MS04-012), LSASS (MS04-011) and WKS (MS03-049). The following patches for
the operating system vulnerabilities exploited by W32/Rbot-ACC can be
obtained from the Microsoft website:
MS02-039
MS04-011
MS04-012
W32/Rbot-ACC can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
Advanced
W32/Rbot-ACC is a network worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-ACC may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process. The worm exploits vulnerabilities including: RPC-DCOM
(MS04-012), LSASS (MS04-011) and WKS (MS03-049). The following patches for
the operating system vulnerabilities exploited by W32/Rbot-ACC can be
obtained from the Microsoft website:
MS02-039
MS04-011
MS04-012
W32/Rbot-ACC can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from web cameras attached to
the computer.
W32/Rbot-ACC copies itself to the Windows system folder as
"trmupdate.exe" and creates the following registry entries in order to
run automatically on computer log on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MS Unix Binary
trmupdate.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MS Unix Binary
trmupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS Unix Binary
trmupdate.exe
The worm alters system security by setting the following registry
entries:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Wurmark-K
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Deletes files off the computer
* Drops more malware
* Forges the sender's email address
* Leaves non-infected files on computer
Aliases
* Email-Worm.Win32.Wurmark.j
Prevalence (1-5) 2
Description
W32/Wurmark-K is a mass-mailing worm.
W32/Wurmark-K emails itself as a ZIP file. When run, W32/Wurmark-K
displays a JPEG image of an albino gorilla while installing itself on
the computer.
The image displayed by the Wurmark-K worm.
W32/Wurmark-K harvests email addresses from the infected computer and
drops another piece of malware detected as W32/Rbot-ABK.
Emails sent by the worm have the following characteristics:
Subject lines:
Hehehe LOL!!
Your Photo Is On A Webpage!!
Hey Rate My Pic Plz...
Someone admire's you!
Message text:
I just saw this on my computer from a while ago
download it and see if you can remember it
lol i was lauging like crazy when i saw it! :D
email me back hehe...
I was vieweing this website and came across
a picture they look just like you! infact im sure
it is haha , did you email this pic into them ? or
is it someonce else :S ? pic is attached
a zip so download it and check & email me back!
Hi ive sent 5 emails now and nobody will rate
my pic!! :( please download and tell me what you
think out of 10 , dont worry if you dont like it
just say i wont be offended p.s i was drunk when
it was taken :P
Someone has asked us on there behalf to send
you this email and tell you they think you are
wonderfull!!! All the The mystery persons details
you need are enclosed in the attachment :)
please download and respond telling us if you
would like to make further contact with this
person.
Regards Hallmark Admirer Mail Admin.
ZIP filename:
Download.zip
Attachment filenames within the ZIP:
Scanned_03.scr
Sexy_02.scr
IMG_001.scr
Admirer_005.scr
Photo_01.pif
Lover_01.scr
Your_Pic.scr
Just_For_You.pif
Advanced
W32/Wurmark-K is a mass-mailing worm.
W32/Wurmark-K emails itself as a ZIP file. When run, W32/Wurmark-K
displays a JPEG image of an albino gorilla while installing itself on
the computer.
The image displayed by the Wurmark-K worm.
W32/Wurmark-K harvests email addresses from the infected computer and
drops another piece of malware detected as W32/Rbot-ABK.
Emails sent by the worm have the following characteristics:
Subject lines:
Hehehe LOL!!
Your Photo Is On A Webpage!!
Hey Rate My Pic Plz...
Someone admire's you!
Message text:
I just saw this on my computer from a while ago
download it and see if you can remember it
lol i was lauging like crazy when i saw it! :D
email me back hehe...
I was vieweing this website and came across
a picture they look just like you! infact im sure
it is haha , did you email this pic into them ? or
is it someonce else :S ? pic is attached
a zip so download it and check & email me back!
Hi ive sent 5 emails now and nobody will rate
my pic!! :( please download and tell me what you
think out of 10 , dont worry if you dont like it
just say i wont be offended p.s i was drunk when
it was taken :P
Someone has asked us on there behalf to send
you this email and tell you they think you are
wonderfull!!! All the The mystery persons details
you need are enclosed in the attachment :)
please download and respond telling us if you
would like to make further contact with this
person.
Regards Hallmark Admirer Mail Admin.
ZIP filename:
Download.zip
Attachment filenames within the ZIP:
Scanned_03.scr
Sexy_02.scr
IMG_001.scr
Admirer_005.scr
Photo_01.pif
Lover_01.scr
Your_Pic.scr
Just_For_You.pif
W32/Wurmark-K copies itself to the Windows system folder as "xtc.tmp",
creates the file "wini.exe" which is detected as W32/Rbot-ABK, and
creates the clean DLL files "ansmtp.dll" and "bszip.dll".
W32/Wurmark-K will create junk files with the following names,
overwriting the original files if these exist:
regedit.com
taskmgr.exe
tasklist.com
taskkill.com
netstat.com
tracert.com
ping.com
cmd.com
Name W32/Mytob-CF
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
Prevalence (1-5) 2
Description
W32/Mytob-CF is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-CF also modifies the HOSTS file to deny access to security
related websites.
Advanced
W32/Mytob-CF is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
When first run W32/Mytob-CF copies itself to the Windows system folder
as 1hellbot.exe and creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HELLBOT TEST
1hellbot.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HELLBOT TEST
1hellbot.exe
W32/Mytob-CF also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
Email sent by W32/Mytob-CF has the following properties:
Subject line chosen from:
Your email account access is restricted
Notice:***Your email account will be suspended***
Notice: **Last Warning**
Security measures
*IMPORTANT* Please Validate Your Email Account
Your Email Account is Suspended For Security Reasons
Message text chosen from:
'We have suspended some of your email services, to resolve the problem
you should read the attached document.'
'Once you have completed the form in the attached file , your account
records will not be interrupted and will continue as normal.'
'To safeguard your email account from possible termination, please see
the attached file.'
'Follow the instructions in the attachment.'
'Account Information Are Attached!'
'To unblock your email account acces, please see the attachment.'
The attached file consists of a base name followed by the extensions
PIF, SCR, EXE or ZIP. The worm may optionally create double extensions
where the first extension is DOC, TXT or HTM and the final extension is
PIF, SCR, EXE or ZIP.
W32/Mytob-CF harvests email addresses from files on the infected
computer and from the Windows address book.
Name W32/Nopir-B
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Deletes files off the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Nopir-B is a worm for the Windows platform.
W32/Nopir-B will display an anti-piracy image on the screen when run.
The worm will then delete all COM and MP3 files from the computer. The
worm will also disable Task Manager, registry tools, and access to the
control panel. W32/Nopir-B will also check for debuggers and may attempt
to disable any such software that it finds.
W32/Nopir-B copies itself to <Program Files>\Projects Visual
Studio.NET\Nctrup.exe, <Program Files>\Restore\<random name>.exe and
<Program Files>\eMule\Incoming\AnyDVD 5.1.0.1 Crack+Keygen By Razor.exe.
Advanced
W32/Nopir-B is a worm for the Windows platform.
W32/Nopir-B will display an anti-piracy image on the screen when run, as
seen here:
The image displayed by the Nopir-B worm.
The worm will then delete all COM and MP3 files from the computer. The
worm will also disable Task Manager, registry tools, and access to the
control panel. W32/Nopir-B will also check for debuggers and may attempt
to disable any such software that it finds.
W32/Nopir-B copies itself to <Program Files>\Projects Visual
Studio.NET\Nctrup.exe, <Program Files>\Restore\<random name>.exe and
<Program Files>\eMule\Incoming\AnyDVD 5.1.0.1 Crack+Keygen By Razor.exe.
W32/Nopir-B will create the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Verif
<Program Files>\Restore\<random name>.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
securw
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCR\exefile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCR\batfile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCR\comfile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCR\scrfile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCR\piffile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCR\vbsfile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCR\vbefile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Name W32/Mytob-BC
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Forges the sender's email address
* Uses its own emailing engine
* Reduces system security
Aliases
* Net-Worm.Win32.Mytob.au
Prevalence (1-5) 2
Description
W32/Mytob-BC is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-BC can harvest email addresses from files on the infected
computer and from the Windows address book.
Emails sent by the worm have the following characteristics:
Subject line:
Notice:***Your email account will be suspended***
YOUR EMAIL ACCOUNT ACCESS IS RESTRICTED
Your Email Account is Suspended For Security Reasons
Your email account access is restricted
Notice:**Last Warning**
Email Account Suspension
*IMPORTANT* Your Account Has Been Locked
Security Measures
*IMPORTANT* PLEASE VALIDATE YOUR EMAIL ACCOUNT
<random>
Message body:
Please see the attachment.
please look at attached document.
We have suspended some of your email services, to resolve the problem
you should read the attached document.
Once you have completed the form in the attached file , your account
records will not be interrupted and will continue as normal.
To unblock your email account acces, please see the attachment.
To safeguard your email account from possible termination, please see
the attached file.
Account Information Are Attached!
<random>
Advanced
W32/Mytob-BC is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-BC can harvest email addresses from files on the infected
computer and from the Windows address book.
Emails sent by the worm have the following characteristics:
Subject line:
Notice:***Your email account will be suspended***
YOUR EMAIL ACCOUNT ACCESS IS RESTRICTED
Your Email Account is Suspended For Security Reasons
Your email account access is restricted
Notice:**Last Warning**
Email Account Suspension
*IMPORTANT* Your Account Has Been Locked
Security Measures
*IMPORTANT* PLEASE VALIDATE YOUR EMAIL ACCOUNT
<random>
Message body:
Please see the attachment.
please look at attached document.
We have suspended some of your email services, to resolve the problem
you should read the attached document.
Once you have completed the form in the attached file , your account
records will not be interrupted and will continue as normal.
To unblock your email account acces, please see the attachment.
To safeguard your email account from possible termination, please see
the attached file.
Account Information Are Attached!
<random>
When first run the worm copies itself to <SYSTEM>\1hellbot.exe.
The following registry entries are created to run 1hellbot.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HELLBOT TEST
1hellbot.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HELLBOT TEST
1hellbot.exe
The worm sets the following registry entry to reduce system security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
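The registry entries listed for W32/Rbot-ACC, W32/Nopir-B, W32/Mytob-CF and W32/Mytob-BC above (Run/RunServices autorun values, the EnableDCOM, RestrictAnonymous, SharedAccess and Policies settings, and the HKCR shell\open\command replacements) are the kind of indicators a responder checks in a registry export taken from a suspect machine. The script below is an added example, not Sophos's code and not part of any of these worms: it parses the text that regedit's Export (or `reg export`) produces and matches it against an indicator table transcribed from the descriptions above. The export in SAMPLE_EXPORT is constructed for the demonstration, and the "open command does not pass %1" rule is a heuristic for the Nopir-B style of association hijack, not a statement about what Sophos's detection does.

```python
"""Scan a Windows registry export (.reg text) for the autorun entries and
settings the Rbot-ACC, Nopir-B, Mytob-CF and Mytob-BC advisories list.
Added example; the indicator table is transcribed from those descriptions
and SAMPLE_EXPORT is a constructed export, not a real capture."""
import re

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s):
    # .reg string syntax doubles backslashes and escapes embedded quotes
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key: {value_name: data}}; the default value is stored under ''.
    Strings become str, dword values become int, other types stay raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry", "REGEDIT4")):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m is None or current is None:
            continue                      # hex continuation lines are skipped
        name = "" if m.group("default") else _unescape(m.group("name"))
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


# Autorun keys the advisories name, matched on suffix so any hive counts.
RUN_KEY_SUFFIXES = (r"\microsoft\windows\currentversion\run",
                    r"\microsoft\windows\currentversion\runservices")
# Autorun value names the advisories attribute to a worm (lower-case).
RUN_VALUE_INDICATORS = {
    "ms unix binary": "W32/Rbot-ACC (trmupdate.exe)",
    "hellbot test": "W32/Mytob-CF or W32/Mytob-BC (1hellbot.exe)",
    "verif": "W32/Nopir-B (<Program Files>\\Restore\\<random name>.exe)",
    "securw": "W32/Nopir-B (Nctrup.exe)",
}
# (key suffix, value name, data) that the advisories say the worms write.
SETTING_INDICATORS = {
    (r"\software\microsoft\ole", "enabledcom", "N"): "W32/Rbot-ACC: DCOM turned off",
    (r"\control\lsa", "restrictanonymous", 1): "W32/Rbot-ACC: RestrictAnonymous set",
    (r"\services\sharedaccess", "start", 4): "W32/Mytob-BC: SharedAccess (firewall/ICS) service disabled",
    (r"\policies\explorer", "nocontrolpanel", 1): "W32/Nopir-B: Control Panel blocked",
    (r"\policies\system", "disabletaskmgr", 1): "W32/Nopir-B: Task Manager disabled",
    (r"\policies\system", "disableregistrytools", 1): "W32/Nopir-B: registry tools disabled",
}
# File types whose open command W32/Nopir-B points at its own executable.
_ASSOC = re.compile(r"^hkey_classes_root\\(exefile|batfile|comfile|scrfile|"
                    r"piffile|vbsfile|vbefile)\\shell\\open\\command$")


def scan_registry_export(text):
    """Return [(key, value_name, data, description)] for every indicator hit."""
    findings = []
    for key, values in parse_reg_export(text).items():
        lkey = key.lower()
        lower = {n.lower(): (n, d) for n, d in values.items()}
        if lkey.endswith(RUN_KEY_SUFFIXES):
            for lname, (name, data) in lower.items():
                if lname in RUN_VALUE_INDICATORS:
                    findings.append((key, name, data, RUN_VALUE_INDICATORS[lname]))
        for (suffix, vname, vdata), what in SETTING_INDICATORS.items():
            if lkey.endswith(suffix) and vname in lower and lower[vname][1] == vdata:
                findings.append((key, lower[vname][0], vdata, what))
        # Heuristic: a legitimate open command passes the clicked file as %1;
        # the Nopir-B replacement command above does not.
        if _ASSOC.match(lkey) and "" in values and "%1" not in str(values[""]):
            findings.append((key, "", values[""], "file-association hijack (W32/Nopir-B pattern)"))
    return findings


# Constructed export: one benign autorun entry, four worm indicators, one
# policy value left at 0, one hijacked and one intact open command.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"MS Unix Binary"="trmupdate.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"HELLBOT TEST"="1hellbot.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
[HKEY_CLASSES_ROOT\exefile\Shell\open\command]
@="C:\\Program Files\\Projects Visual Studio.NET\\Nctrup.exe"
[HKEY_CLASSES_ROOT\batfile\Shell\open\command]
@="\"%1\" %*"
"""

if __name__ == "__main__":
    for key, name, data, what in scan_registry_export(SAMPLE_EXPORT):
        print(f"{key}\n    {name or '(Default)'} = {data!r}  <- {what}")
```

Matching on key suffix rather than full path keeps the check working whether the export was taken from HKLM or from a mounted offline hive, and the value-name lookup is case-insensitive because the registry itself is. On a live machine the same table can be applied to the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and the other keys listed above.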
W32/Mytob-BC blocks access to security-related websites by writing the
following entries to the Windows hosts file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
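Both W32/Mytob-CF and W32/Mytob-BC above sink the same list of anti-virus vendor hostnames to 127.0.0.1 in the hosts file, which is why an infected machine can no longer fetch signature updates. The script below is an added example, not Sophos's code and not part of the worm: it parses a hosts file, flags any entry that maps a security-vendor name to a loopback or unspecified address, and reports how much of the Mytob list is present. The hostname list is copied from the two descriptions above; SAMPLE_HOSTS is a constructed file, and `updates.sophos.com` in it is a made-up hostname used only to show the vendor-domain rule catching a name the worm list does not contain.

```python
"""Flag hosts-file entries that point security-vendor names at a sink
address. Added example; MYTOB_HOSTS is transcribed from the Mytob-CF and
Mytob-BC descriptions and SAMPLE_HOSTS is constructed, not captured."""
import ipaddress

# Hostnames the Mytob variants above append to the hosts file (lower-case).
MYTOB_HOSTS = {
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "www.sophos.com", "sophos.com", "www.mcafee.com", "mcafee.com",
    "liveupdate.symantecliveupdate.com", "www.viruslist.com", "viruslist.com",
    "f-secure.com", "www.f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "www.avp.com", "www.kaspersky.com", "avp.com",
    "www.networkassociates.com", "networkassociates.com", "www.ca.com",
    "ca.com", "mast.mcafee.com", "my-etrust.com", "www.my-etrust.com",
    "download.mcafee.com", "dispatch.mcafee.com", "secure.nai.com", "nai.com",
    "www.nai.com", "update.symantec.com", "updates.symantec.com",
    "us.mcafee.com", "liveupdate.symantec.com", "customer.symantec.com",
    "rads.mcafee.com", "trendmicro.com", "www.trendmicro.com",
    "www.grisoft.com", "www.microsoft.com",
}


def registrable(host):
    """Crude registrable-domain guess: the last two labels. Enough for the
    .com names above; a public-suffix list is needed for co.uk and the like."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


# Vendor domains derived from the list, so a sinkholed host the worm list does
# not name (a newer update server, say) is still caught.
VENDOR_DOMAINS = {registrable(h) for h in MYTOB_HOSTS}


def parse_hosts(text):
    """Yield (line_number, address, [hostnames]) for each effective line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        fields = line.split()
        if len(fields) >= 2:
            yield lineno, fields[0], [h.lower() for h in fields[1:]]


def is_sink(address):
    """True for addresses that make a name unreachable (127/8, ::1, 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_sinkholed_vendors(text):
    """Return [(line_number, hostname, reason)] for vendor names mapped to a
    sink address: 'mytob-list' for an exact match with the list above,
    'vendor-domain' for any other host under one of those domains."""
    hits = []
    for lineno, address, hosts in parse_hosts(text):
        if not is_sink(address):
            continue
        for host in hosts:
            if host in MYTOB_HOSTS:
                hits.append((lineno, host, "mytob-list"))
            elif registrable(host) in VENDOR_DOMAINS:
                hits.append((lineno, host, "vendor-domain"))
    return hits


def mytob_overlap(text):
    """Hostnames from the Mytob list that this file sinks. A large overlap is
    a far stronger signal than one ad-blocking style loopback entry."""
    return {h for _, h, reason in find_sinkholed_vendors(text) if reason == "mytob-list"}


# Constructed sample: legitimate localhost lines, three Mytob entries, one
# sinkholed vendor host not on the list, and two benign mappings.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0 updates.sophos.com    # made-up name, not on the worm's list
127.0.0.1 ads.example.net     # ad-blocking style entry, not flagged
192.0.2.10 intranet.example.org
"""

if __name__ == "__main__":
    for lineno, host, reason in find_sinkholed_vendors(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} sinkholed ({reason})")
    print(f"{len(mytob_overlap(SAMPLE_HOSTS))} of {len(MYTOB_HOSTS)} Mytob hostnames present")
```

On a real machine the text to scan is `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`); the `localhost` lines and ordinary ad-blocking entries are left alone because only names under a vendor domain are reported, and the size of the Mytob overlap separates a deliberate block of the whole list from a single stray entry.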
Name Troj/LanFilt-J
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Steals information
* Drops more malware
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Delf.zc
Prevalence (1-5) 2
Description
Troj/LanFilt-J is a Trojan for the Windows platform.
Troj/LanFilt-J can perform the following actions:
log keystrokes
steal information
steal passwords
terminate processes
capture screen-shots and webcam images
disable the Windows XP firewall
turn off System Restore
upload and download files
hide from view by stealthing
Troj/LanFilt-J sends stolen information to a remote website.
The Trojan may drop further applications in order to steal dial-up,
Instant Messenger and email account passwords.
Advanced
Troj/LanFilt-J is a Trojan for the Windows platform.
Troj/LanFilt-J can perform the following actions:
log keystrokes
steal information
steal passwords
terminate processes
capture screen-shots and webcam images
disable the Windows XP firewall
turn off System Restore
upload and download files
hide from view by stealthing
Troj/LanFilt-J sends stolen information to a remote website.
Troj/LanFilt-J copies itself to the Windows folder as "mshost.exe" and
creates a DLL named "xpcore.dll" in the same folder. These files may be
hidden from view as the Trojan is capable of stealth
|