Text 69, 2074 rader
Skriven 2005-08-20 16:18:00 av KURT WISMER (1:123/140)
Ärende: News, August 20 2005
============================
[cut-n-paste from sophos.com]
Name W32/Zotob-A
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Net-Worm.Win32.Mytob.cd
* W32/Zotob.worm
* WORM_ZOTOB.A
Prevalence (1-5) 2
Description
W32/Zotob-A is a worm and backdoor Trojan for the Windows platform.
W32/Zotob-A spreads to other network computers by exploiting common
buffer overflow vulnerabilites, including LSASS (MS04-011) and PnP
(MS05-039).
W32/Zotob-A runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer.
Advanced
W32/Zotob-A is a worm and backdoor Trojan for the Windows platform.
W32/Zotob-A spreads to other network computers by exploiting common
buffer overflow vulnerabilites, including LSASS (MS04-011) and PnP
(MS05-039).
W32/Zotob-A runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer.
When first run W32/Zotob-A copies itself to <System>\botzor.exe.
The following registry entries are created to run botzor.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
botzor.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
botzor.exe
W32/Zotob-A also sets the following registry entry
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
The worm may drop a file 2pac.txt. This is a text file that may be
safely deleted.
W32/Zotob-A also appends the following to the system HOSTS file in
order to prevent access to certain websites:
Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first
killed in the next 24hours!!!
n127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
Patches for the operating system vulnerabilities exploited by
W32/Zotob-A can be obtained from Microsoft at:
MS04-011
MS05-039
Name W32/Antix-A
Type
* Spyware Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
Aliases
* Backdoor.Win32.VBbot.i
* W32.Kelvir
Prevalence (1-5) 2
Description
W32/Antix-A is an MSN Messenger worm with backdoor functionality for
the Windows platform.
W32/Antix-A sends a message to all MSN Messenger contacts with a link
to a site that contains a copy of the worm.
The message will be one of the following:
Hej, did you download the new MSN yet? :D
lol check out MSN Plus...it ownz! :o
Automessage : Download MSN Plus:
lol, this is awsome...:|
Want more msn emotions? :D
MSN 8.0 Beta released....get it here :D
Hej, wanna update your Messenger :D ?
dude, this is awesome... a must see! :D
lol I just updated my Messenger and I must say IT ROCKS!!
Check this out mate, it roxxx :D !!
Advanced
W32/Antix-A is a worm with backdoor functionality for the Windows
platform that spreads through the MSN Messenger Service as a result
of the backdoor command.
W32/Antix-A sends a message to all MSN Messenger contacts with a link
to a site that contains a copy of the worm.
The message will be one of the following:
Hej, did you download the new MSN yet? :D
lol check out MSN Plus...it ownz! :o
Automessage : Download MSN Plus:
lol, this is awsome...:|
Want more msn emotions? :D
MSN 8.0 Beta released....get it here :D
Hej, wanna update your Messenger :D ?
dude, this is awesome... a must see! :D
lol I just updated my Messenger and I must say IT ROCKS!!
Check this out mate, it roxxx :D !!
When first run W32/Antix-A copies itself to
<System>\<newfolder>\kernel32.exe where <newfolder> is a folder
created by the worm with the name constructed from the randomly
chosen characters similar to the <bpzjkwrdd>.
W32/Antix-A will attempt to disable Anti-virus and firewall processes
and services.
W32/Antix-A includes functionality to silently download, install and
run new software including an update of itself, initiate a proxy
server on the infected computer, steal passwords, act as a flooder.
Name W32/Rbot-ALA
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Deletes files off the computer
* Steals information
* Drops more malware
Prevalence (1-5) 2
Description
W32/Rbot-ALA is a network worm with backdoor Trojan functionality for
the Windows platform.
W32/Rbot-ALA spreads using a variety of techniques including
exploiting weak passwords on computers through exploiting various
operating system vulnerabilities.
Advanced
W32/Rbot-ALA is a network worm with backdoor Trojan functionality for
the Windows platform.
When run, the worm connects to a predetermined IRC server and awaits
commands from remote attackers. The backdoor component of
W32/Rbot-ALA can be instructed by a remote user to perform various
tasks. The worm attempts to determine the external IP address of the
infected computer by connecting to several websites capable of
determining the the presence of HTTP proxies and the level of
anonymity.
W32/Rbot-ALA spreads using a variety of techniques including
exploiting weak passwords on computers through exploiting various
operating system vulnerabilities.
The worm may create and load a system driver named winmon.sys. The
driver file is detected by Sophos's anti-virus products as
Troj/Rootkit-Y.
Name W32/Tilebot-F
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.acf
Prevalence (1-5) 2
Description
W32/Tilebot-F is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-F spreads to other network computers by exploiting common
buffer overflow vulnerabilites, including LSASS (MS04-011) and PnP
(MS05-039).
W32/Tilebot-F runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-F includes functionality to:
- carry out DDoS flooder attacks
- silently download, install and run new software
- access the internet and communicate with a remote server via HTTP
- steal information from the computer including user account passwords from the
protected storage areas
When first run W32/Tilebot-F copies itself to <Windows>\smsc.exe and
creates the file <System>\rdriv.sys.
The file rdriv.sys is detected as Troj/Rootkit-W.
The following patches for the operating system vulnerabilities
exploited by W32/Tilebot-F can be obtained from the Microsoft website:
MS04-011
MS05-039
Advanced
W32/Tilebot-F is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-F spreads to other network computers by exploiting common
buffer overflow vulnerabilites, including LSASS (MS04-011) and PnP
(MS05-039).
W32/Tilebot-F runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-F includes functionality to:
- carry out DDoS flooder attacks
- silently download, install and run new software
- access the internet and communicate with a remote server via HTTP
- steal information from the computer including user account passwords from the
protected storage areas
When first run W32/Tilebot-F copies itself to <Windows>\smsc.exe and
creates the file <System>\rdriv.sys.
The file rdriv.sys is detected as Troj/Rootkit-W.
The file smsc.exe is registered as a new system driver service named
"WINSMSC", with a display name of "System Messenger Service" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\WINSMSC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINSMSC
The file rdriv.sys is registered as a new system driver service named
"rdriv", with a display name of "rdriv". Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\rdriv\
W32/Tilebot-F attempts to terminate services with the following names
in order to disrupt various security processes including the Windows
firewall and Windows critical updates:
Tlntsvr
RemoteRegistry
Messenger
wscsvc
W32/Tilebot-F sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\
Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
The following patches for the operating system vulnerabilities
exploited by W32/Tilebot-F can be obtained from the Microsoft website:
MS04-011
MS05-039
Name W32/Rbot-ALI
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.yp
Prevalence (1-5) 2
Description
W32/Rbot-ALI is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-ALI spreads by copying itself to network shares protected by
weak passwords.
W32/Rbot-ALI runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-ALI includes functionality to:
- add/delete network shared folders
- steal confidential information
- carry out DDoS flooder attacks
- provide a proxy server
- access the internet and communicate with a remote server via HTTP
Advanced
W32/Rbot-ALI is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-ALI spreads by copying itself to network shares protected by
weak passwords.
W32/Rbot-ALI runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-ALI includes functionality to:
- add/delete network shared folders
- steal confidential information
- carry out DDoS flooder attacks
- provide a proxy server
- access the internet and communicate with a remote server via HTTP
When first run W32/Rbot-ALI moves itself to <System>\windir32.exe.
The following registry entries are created to run the worm on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows DLL Services Configuration
windir32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows DLL Services Configuration
windir32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows DLL Services Configuration
windir32.exe
Name Troj/RKPort-Fam
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Reduces system security
Prevalence (1-5) 2
Description
Troj/RKPort-Fam is a family of kernel-mode driver rootkits.
Members of Troj/RKPort-Fam are capable of hiding information about
activity on certain ports, providing stealthing by patching the
kernel service descriptor table.
Name W32/Tilebot-Z
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Drops more malware
* Downloads code from the internet
* Reduces system security
Aliases
* Backdoor.Win32.SdBot.aad
Prevalence (1-5) 2
Description
W32/Tilebot-Z is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorized remote access to the infected computer via IRC channels.
W32/Tilebot-Z spreads to network shares with weak passwords as a
result of the backdoor Trojan element receiving the appropriate
command from a remote user.
W32/Tilebot-Z allows a remote user to perform a wide range of actions
on the infected computer including downloading further files, setting
registry entries and stealing information from the computer including
from protected storage areas.
Advanced
W32/Tilebot-Z is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorized remote access to the infected computer via IRC channels.
W32/Tilebot-Z spreads to network shares with weak passwords as a
result of the backdoor Trojan element receiving the appropriate
command from a remote user.
W32/Tilebot-Z copies itself to the Windows folder with the filename
sounddv.exe and creates a service named "WIN32SOUND" in order to run
itself on system startup, to which it gives the fake description
"WIN32 Sound Drivers."
W32/Tilebot-Z allows a remote user to perform a wide range of actions
on the infected computer including downloading further files, setting
registry entries and stealing information from the computer including
from protected storage areas.
W32/Tilebot-Z attempts to terminate services with the following names
in order to disrupt various security processes including the Windows
firewall and Windows critical updates:
Tlntsvr
RemoteRegistry
Messenger
SharedAccess
wscsvc
W32/Tilebot-Z attempts to set the following registry entries to
disrupt various security processes:
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\
AutoUpdate
AUOptions
1
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restictanonymous
1
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAlloxXPSP2
1
HKLM\SOFTWARE\Microsoft\OLE
EnableDCOM
"N"
W32/Tilebot-Z may also set entries in the registry at the following
locations:
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
W32/Tilebot-Z attempts to remove network shares from the infected
computer, as well as changing the policy for SeNetworkLogonRight for
the computer.
W32/Tilebot-Z may attempt to contact scripts at the following
addresses:
http://cgi14.plala.or.jp
http://hpcgi1.nifty.com
http://www.age.ne.jp
http://www.kinchan.net
http://www2.dokidoki.ne.jp
http://yia.s22.xrea.com
W32/Tilebot-Z may create the file hpr34k8.sys and set up a service
for it named HPR34K8. This file is currently detected Troj/Rootkit-AA.
Name W32/Tpbot-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* W32.Zotob.E
* WORM_RBOT.CBQ
* Net-Worm.Win32.Small.d
* Net_Worm.Win32.Bozori.A
Prevalence (1-5) 2
Description
W32/Tpbot-A is a network worm with backdoor Trojan functionality for
the Windows platform.
W32/Tpbot-A spreads using a variety of techniques including the
exploitation of operating system vulnerabilities such as LSASS
(MS04-011) and PnP (MS05-039).
W32/Tpbot-A may attempt to download and execute additional files.
Patches for the operating system vulnerabilities exploited by
W32/Tpbot-A can be obtained from Microsoft at:
MS04-011
MS05-039
Advanced
W32/Tpbot-A is a network worm with backdoor Trojan functionality for
the Windows platform.
When run, W32/Tpbot-A copies itself to the Windows system folder as
wintbp.exe and creates the following registry entry in order to run
each time a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wintbp.exe
"wintbp.exe"
W32/Tpbot-A spreads using a variety of techniques including the
exploitation of operating system vulnerabilities such as LSASS
(MS04-011) and PnP (MS05-039).
The backdoor component connects to an IRC server and joins a
predetermined channel where it then awaits commands from attackers.
W32/Tpbot-A may attempt to download and execute additional files.
Patches for the operating system vulnerabilities exploited by
W32/Tpbot-A can be obtained from Microsoft at:
MS04-011
MS05-039
Name W32/Zotob-F
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Net-Worm.Win32.Bozori.b
* W32.Zotob.F
Prevalence (1-5) 2
Description
W32/Zotob-F is a worm and IRC backdoor Trojan for the Windows platform.
W32/Zotob-F spreads to other network computers by exploiting common
buffer overflow vulnerabilites, including LSASS (MS04-011) and PnP
(MS05-039).
W32/Zotob-F runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
Patches for the operating system vulnerabilities exploited by
W32/Zotob-F can be obtained from Microsoft at:
MS04-011
MS05-039
Advanced
W32/Zotob-F is a worm and IRC backdoor Trojan for the Windows platform.
W32/Zotob-F spreads to other network computers by exploiting common
buffer overflow vulnerabilites, including LSASS (MS04-011) and PnP
(MS05-039).
W32/Zotob-F runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Zotob-F copies itself to <System>\wintbpx.exe and
creates the following files:
<Temp>\387.bat
<Temp>\821.bat
These are batch files which attempt to remove the worm's file from
the current folder.
The following registry entry is created to run wintbpx.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wintbpx.exe
wintbpx.exe
W32/Zotob-F attempts to terminate the following processes and delete
the corresponding files:
wintbp.exe
svnlitup32.exe
service32.exe
mousebm.exe
llsrv.exe
pnpsrv.exe
winpnp.exe
csm.exe
system32.exe
botzor.exe
upnp.exe
Patches for the operating system vulnerabilities exploited by
W32/Zotob-F can be obtained from Microsoft at:
MS04-011
MS05-039
Name Troj/BagleDl-R
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Modifies data on the computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Bagle.bq
Prevalence (1-5) 2
Description
Troj/BagleDl-R is a downloader Trojan which will download, install
and run new software without notification that it is doing so.
Troj/BagleDl-R includes functionality to:
- inject its code into EXPLORER.EXE
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security
related applications
Troj/BagleDl-R then attempts to download files from remote websites
and run them.
Troj/BagleDl-R may also run MSPAINT.EXE in an attempt to obfuscate
itself.
Advanced
Troj/BagleDl-R is a downloader Trojan which will download, install
and run new software without notification that it is doing so.
Troj/BagleDl-R includes functionality to:
- inject its code into EXPLORER.EXE
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security
related applications
When first run Troj/BagleDl-R copies itself to <System>\winshost.exe
and creates the file <System>\wiwshost.exe. The file
<System>\wiwshost.exe is also detected by Sophos as Troj/BagleDl-R.
The following registry entries are created to run winshost.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winshost.exe
<System>\winshost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winshost.exe
<System>\winshost.exe
Registry entries are set as follows:
HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
00000004
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
00000004
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
00000004
Troj/BagleDl-R creates a new version of the HOSTS file. The new HOSTS
file will typically contain the following:
127.0.0.1 localhost
Troj/BagleDl-R also attempts to modify or delete the following
registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Symantec NetDriver Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NAV CfgWiz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SSC_UserPrompt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
McAfee Guardian
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
APVXDWIN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Zone Labs Client
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\McAfee
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\Agnitum
HKLM\SOFTWARE\Panda Software
HKLM\SOFTWARE\Zone Labs
Troj/BagleDl-R then attempts to download files from remote websites
and run them.
Troj/BagleDl-R may also run MSPAINT.EXE in an attempt to obfuscate
itself.
Name W32/Hwbot-B
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Hwbot-B is a network worm for the Windows platform.
W32/Hwbot-B connects to an IRC server and waits for instructions from
a remote user including to download and execute further code or to
spread via network security exploits.
W32/Hwbot-B can spread to computers vulnerable to the UPnP exploit.
The following patches for the operating system vulnerabilities
exploited by W32/Hwbot-B can be obtained from the
Microsoft website:
MS05-039
Advanced
W32/Hwbot-B is a network worm for the Windows platform.
When first run W32/Hwbot-B copies itself to <System>\wpa.exe and
creates the file <Windows>\Debug\dcpromo.log.
The file wpa.exe is registered as a new system driver service named
"wpa", with a display name of "WindowsProduct Activation" and a
startup type of automatic, so that it is started automatically during
system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\wpa\
W32/Hwbot-B connects to an IRC server and waits for instructions from
a remote user including to download and execute further code or to
spread via network security exploits.
W32/Hwbot-B can spread to computers vulnerable to the UPnP exploit.
The following patches for the operating system vulnerabilities
exploited by W32/Hwbot-B can be obtained from the
Microsoft website:
MS05-039
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
n
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/Small-NY
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Small.ny
Prevalence (1-5) 2
Description
Troj/Small-NY is a Trojan for the Windows platform.
Troj/Small-NY includes functionality to access the internet and
communicate with a remote server via HTTP.
Name W32/Tilebot-I
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* W32.Spybot.Worm
* Backdoor.Win32.SdBot.acf
Prevalence (1-5) 2
Description
W32/Tilebot-I is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-I spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including PNP (MS05-039).
W32/Tilebot-I runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-I includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Tilebot-I drops a file detected as Troj/Rootkit-W.
Advanced
W32/Tilebot-I is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-I spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including PNP (MS05-039).
W32/Tilebot-I runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-I includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-I copies itself to <Windows>\svehost32.exe
and creates the file <System>\rdriv.sys.
The file rdriv.sys is detected as Troj/Rootkit-W.
The file rdriv.sys is registered as a new system driver service named
"rdriv", with a display name of "rdriv". Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\rdriv\
The file svehost32.exe is registered as a new system driver service
named "svehost32", with a display name of "Microsoft New Game 2" and
a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\svehost32\
W32/Tilebot-I sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Tilebot-J
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Reduces system security
Aliases
* Backdoor.Win32.SdBot.aad
Prevalence (1-5) 2
Description
W32/Tilebot-J is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorized remote access to the infected computer via IRC channels.
W32/Tilebot-J spreads to network shares with weak passwords as a
result of the backdoor Trojan element receiving the appropriate
command from a remote user. The worm also spreads by exploiting the
PnP operating system vulnerability (MS05-039).
W32/Tilebot-J allows a remote user to perform a wide range of actions
on the infected computer including downloading further files, setting
registry entries and stealing information from the computer including
from protected storage areas.
Advanced
W32/Tilebot-J is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorized remote access to the infected computer via IRC channels.
W32/Tilebot-J spreads to network shares with weak passwords as a
result of the backdoor Trojan element receiving the appropriate
command from a remote user. The worm also spreads by exploiting the
PnP operating system vulnerability (MS05-039).
W32/Tilebot-J copies itself to the Windows folder with the filename
netinfo.exe and creates a service named "NETINFO" in order to run
itself on system startup, to which it gives the fake description
"Internet Info Service." The following registry branches are created:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETINFO\
<several entries>
HKLM\SYSTEM\CurrentControlSet\Services\netinfo\
<several entries>
W32/Tilebot-J allows a remote user to perform a wide range of actions
on the infected computer including downloading further files, setting
registry entries and stealing information from the computer including
from protected storage areas.
W32/Tilebot-J attempts to terminate services with the following names
in order to disrupt various security processes including the Windows
firewall and Windows critical updates:
Tlntsvr
RemoteRegistry
Messenger
SharedAccess
wscsvc
W32/Tilebot-J attempts to set the following registry entries to
disrupt various security processes:
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\
AutoUpdate
AUOptions
1
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restictanonymous
1
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAlloxXPSP2
1
HKLM\SOFTWARE\Microsoft\OLE
EnableDCOM
"N"
W32/Tilebot-J may also set entries in the registry at the following
locations:
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
W32/Tilebot-J attempts to remove network shares from the infected
computer, as well as changing the policy for SeNetworkLogonRight for
the computer.
W32/Tilebot-J may create the file orans.sys and set up a service for
it named ORANS. This file is currently detected Troj/Rootkit-AA. The
following registry branches are created:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ORANS\
<several entries>
HKLM\SYSTEM\CurrentControlSet\Services\orans\
<several entries>
Name W32/Mytob-HM
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Uses its own emailing engine
Aliases
* Net-Worm.Win32.Mytob.t
* WORM_MYTOB.HM
* W32/Mytob.GX@mm
Prevalence (1-5) 2
Description
W32/Mytob-HM is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-HM is capable of spreading through email and through
various operating system vulnerabilities such as LSASS (MS04-011).
Emails sent by W32/Mytob-HM have the following properties:
Subject line:
document
Good day
Hello
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status
Message text:
'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a
binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has
been sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'
The attached file consists of a base name followed by the extentions
PIF, SCR, EXE or ZIP. The worm may optionally create double
extensions where the first extension is DOC, TXT or HTM and the final
extension is PIF, SCR, EXE or ZIP.
Advanced
W32/Mytob-HM is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
When first run W32/Mytob-HM copies itself to the Windows system
folder as yahooicons.exe and creates the following registry entries:
HKCU\System\CurrentControlSet\Control\Lsa
WINTASK
"yahooicons.exe"
HKCU\Software\Microsoft\OLE
WINTASK
"yahooicons.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
"yahooicons.exe"
HKLM\System\CurrentControlSet\Control\Lsa
WINTASK
"yahooicons.exe"
HKLM\Software\Microsoft\Ole
WINTASK
"yahooicons.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
"yahooicons.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
"yahooicons.exe"
W32/Mytob-HM copies itself to the root folder as:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
and drops a file called hellmsn.exe (detected by Sophos as
W32/Mytob-D) in the same location. This component attempts to spread
the worm by sending the aforementioned SCR files through Windows
Messenger to all online contacts.
W32/Mytob-HM also appends the following to the HOSTS file to deny
access to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
W32/Mytob-HM is capable of spreading through email and through
various operating system vulnerabilities such as LSASS (MS04-011).
Emails sent by W32/Mytob-HM have the following properties:
Subject line:
document
Good day
Hello
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status
Message text:
'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a
binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has
been sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'
The attached file consists of a base name followed by the extentions
PIF, SCR, EXE or ZIP. The worm may optionally create double
extensions where the first extension is DOC, TXT or HTM and the final
extension is PIF, SCR, EXE or ZIP.
W32/Mytob-HM harvests email addresses from files on the infected
computer and from the Windows Address Book. The worm avoids sending
emails to addresses that contain the following:
.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your
Name W32/Kassbot-H
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Kassbot-H is a worm and backdoor Trojan for the Windows platform.
W32/Kassbot-H runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Kassbot-H includes functionality to access the internet and
communicate with a remote server via HTTP and IRC.
W32/Kassbot-H may send an email to a pre-defined email address
containing system information from the infected computer.
W32/Kassbot-H will monitor a user's internet access. When certain
internet sites are accessed, the worm will redirect the user to a
website with fake login pages or email the stolen details to a
pre-specified email address.
W32/Kassbot-H will attempt to spread by exploiting the LSASS (MS04-011
) exploits. The following patch for the operating system
vulnerability exploited by W32/Kassbot-H can be obtained from the
Microsoft website:
MS04-011
Advanced
W32/Kassbot-H is a worm and backdoor Trojan for the Windows platform.
W32/Kassbot-H runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Kassbot-H includes functionality to access the internet and
communicate with a remote server via HTTP and IRC.
When first run W32/Kassbot-H copies itself to <System>\spools.exe and
creates the file <System>\xbccd.log. The file xbccd.log may be deleted.
The following registry entry is created to run spools.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spools Service Controller
<System>\spools.exe
W32/Kassbot-H may send an email to a pre-defined email address
containing system information from the infected computer.
W32/Kassbot-H will monitor a user's internet access. When certain
internet sites are accessed, the worm will redirect the user to a
website with fake login pages or email the stolen details to a
pre-specified email address.
W32/Kassbot-H will attempt to spread by exploiting the LSASS
(MS04-011) exploits. The following patch for the operating system
vulnerability exploited by W32/Kassbot-H can be obtained from the
Microsoft website:
MS04-011
W32/Kassbot-H will append the following lines to the HOSTS file in an
attempt to block access to anti-virus related websites:
d-ru-1f.kaspersky-labs.com
d-ru-1h.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
d-ru-2h.kaspersky-labs.com
d-eu-2f.kaspersky-labs.com
d-eu-2h.kaspersky-labs.com
d-eu-1f.kaspersky-labs.com
d-eu-1h.kaspersky-labs.com
d-us-1f.kaspersky-labs.com
d-us-1h.kaspersky-labs.com
downloads1.kaspersky.ru
downloads2.kaspersky.ru
downloads3.kaspersky.ru
downloads4.kaspersky.ru
downloads5.kaspersky.ru
www.kaspersky.ru
kaspersky.ru
kaspersky-labs.com
www.kaspersky-labs.com
Name W32/Demotry-B
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Demotry-B is a network worm for the Windows platform.
The worm scans network computers on port 445. W32/Demotry-B copies
itself through network shares and mapped logical drives.
In come cases, W32/Demotry-B may insert several spaces between the
filename and the EXE file extension. Other filenames may be used by
the worm which are randomly generated or include non-printable
characters.
Advanced
W32/Demotry-B is a network worm for the Windows platform.
When first run W32/Demotry-B copies itself to:
\iexplorer .exe
<Windows>\iexplorer .exe
<System>\iexplorer .exe
The following registry entry is created to run "iexplorer .exe" on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ALG.EXE
"iexplorer .exe"
The worm scans network computers on port 445. W32/Demotry-B copies
itself through network shares and mapped logical drives.
In come cases, W32/Demotry-B may insert several spaces between the
filename and the EXE file extension. Other filenames may be used by
the worm which are randomly generated or include non-printable
characters.
Name Troj/Brospy-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Agent.dq
Prevalence (1-5) 2
Description
Troj/Brospy-A is a Trojan for the Windows platform.
Advanced
Troj/Brospy-A is a Trojan for the Windows platform.
When Troj/Brospy-A is installed it creates the file
<System>\appwiz.dll.
The file appwiz.dll is registered as a COM object and Browser Helper
Object (BHO) for Microsoft Internet Explorer, creating registry
entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\(78364D99-A640-4ddf-B91A-67EFF8373045)
HKCR\CLSID\(78364D99-A640-4ddf-B91A-67EFF8373045)
Troj/Brospy-A monitors browser activity, attempts to passwords that
are cached or in protected storage, and email usernames and passwords.
Troj/Brospy-A sends any harvested information to a pre-specified
email address.
The following registry entry is set:
HKCU\Software\Microsoft\Internet Explorer\Main
Enable Browser Extensions
yes
Name Troj/ByteVeri-M
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Exploits system or software vulnerabilities
Aliases
* Exploit-ByteVerify
* JAVA_BYTEVER.Q
* Trojan.Java.ClassLoader.ai
Prevalence (1-5) 2
Description
Troj/ByteVeri-M is a Java Applet that exploits a vulnerability in the
Byte Code Verify component of the Microsoft VM to download and run an
executable file.
Advanced
Troj/ByteVeri-M is a Java Applet that exploits a vulnerability in the
Byte Code Verify component of the Microsoft VM to download and run an
executable file.
Troj/ByteVeri-M arrives by browsing websites whose pages contain
applets that use the Troj/ByteVeri-M class.
For more information about this exploit see the Microsoft Security
Bulletin MS03-011.
Name W32/Dogbot-C
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Leaves non-infected files on computer
Aliases
* Backdoor.Win32.IRCBot.et
* W32.Zotob.G
Prevalence (1-5) 2
Description
W32/Dogbot-C is a network worm with IRC backdoor Trojan functionality
for the Windows platform.
W32/Dogbot-C spreads using a variety of techniques including the
exploitation of operating system vulnerabilities such as PnP
(MS05-039).
Advanced
W32/Dogbot-C is a network worm with IRC backdoor Trojan functionality
for the Windows platform.
When run, W32/Dogbot-C creates the folder <System>\usrnt\ and copies
itself to the new folder using the filename windrg32.exe. The
following registry entries are created in order to run the worm copy
each time a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinDrg32
<System>\usrnt\windrg32.exe
W32/Dogbot-C may create the clean file newshashes.bin in this folder
as well.
W32/Dogbot-C spreads using a variety of techniques including the
exploitation of operating system vulnerabilities such as PnP
(MS05-039).
The backdoor component connects to an IRC server and joins a
predetermined channel where it then awaits commands from attackers.
W32/Dogbot-C may attempt to download and execute additional files.
W32/Dogbot-C attempts to disable and remove several adware related
applications.
Patches for the operating system vulnerabilities exploited by
W32/Dogbot-C can be obtained from Microsoft at:
MS05-039
Name Troj/Bancban-EM
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Uses its own emailing engine
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Banker.ju
Prevalence (1-5) 2
Description
Troj/Bancban-EM is a password-stealing Trojan that attempts to steal
information related to certain banks.
Troj/Bancban-EM may display fake login screens when certain banking
websites are visited, in order to trick the user into entering
confidential details. Stolen information is sent by email to a remote
user.
Advanced
Troj/Bancban-EM is a password-stealing Trojan that attempts to steal
information related to certain banks.
Troj/Bancban-EM may display fake login screens when certain banking
websites are visited in order to trick the user into entering
confidential details. Stolen information is sent by email to a remote
user.
When first run the Trojan copies itself to <Windows>\svchosts.scr and
creates the following registry entry in order to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svchosts.scr
<Windows>\svchosts.scr
Name Troj/Whistler-F
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Deletes files off the computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Trojan.Win32.Dire.c
* QDel247
* Win32/Dire.C
* TROJ_QDEL247.A
Prevalence (1-5) 2
Description
Troj/Whistler-F is a destructive Trojan for the Windows platform.
Troj/Whistler-F will attempt to delete files on the user's computer.
The Trojan will also create a file at C:\WXP and copy it over other
files. The file contains the message "You did a piracy, you deserve
it."
Advanced
Troj/Whistler-F is a destructive Trojan for the Windows platform.
Troj/Whi
|