Conference VIRUS_INFO, 201 messages
Message 80, 1968 lines
Written 2005-10-10 12:44:00 by KURT WISMER (1:123/140)
Subject: News, October 10 2005
=============================
[cut-n-paste from sophos.com]

Name   W32/Sober-P

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Installs itself in the Registry

Aliases  
    * Trojan-Dropper.Win32.VB.iv
    * W32/Sober.r.dr

Prevalence (1-5) 4

Description
W32/Sober-P is a mass-mailing worm.

When first run, a message box may be displayed with title 'Ms Paint' 
and containing the text 'Graphic Decoder not found'.

The email sent by W32/Sober-P depends on the recipient address. 
Emails sent to recipients whose email address is in the .de, .ch, .at, 
.li domains or contains the string "gmx." will receive an email as 
follows:

Subject line: Fwd: Klassentreffen
[Translation: Fwd: Class reunion]

Message text:
hi,
ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
ich habe jedenfalls mal unser klassenfoto von damals mit angehängt.
wenn du dich dort wiedererkennst, dann schreibe unbedingt zurück!!

wenn ich aber wieder mal die falsche person erwischt habe, dann sorry 
für die belästigung ;)

liebe gr
Hannelore

[Translation: hi, I hope this time I've finally reached the right person! 
In any case I've attached our class photo from back then. If you 
recognise yourself in it, be sure to write back!! But if I've got the 
wrong person yet again, then sorry for the bother ;) kind regards, 
Hannelore]

Attached file: KlassenFoto.zip

Email sent to other addresses will have the following characteristics:

Subject line: Your new Password

Message text:
Your password was successfully changed!
Please see the attached file for detailed information.

Attached file: pword_change.zip

W32/Sober-P harvests email addresses from files on the computer.

When W32/Sober-P is installed the following files are created:

C:/vbbfgdtd.exe
<Windows>\ConnectionStatus\services.exe

These files are detected as W32/Sober-O.

Advanced
W32/Sober-P creates a base64 encoded ZIP archived copy of itself in 
<Windows>\ConnectionStatus\netslot.nst.

W32/Sober-P harvests email addresses from files with the following 
strings in their filenames:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl 
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda 
adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb 
xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml 
hlp mht nfo php asp shtml dbx

The following registry entry is created to run services.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinINet
<Windows>\ConnectionStatus\services.exe





Name   W32/Sober-L

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Leaves non-infected files on computer

Prevalence (1-5) 3

Description
W32/Sober-L is a mass-mailing worm for the Windows platform.

Emails sent by the worm will have the following characteristics:

Subject line:

Ich habe Ihre E-Mail bekommen!
[Translation: I have received your e-mail!]

or

Your Password & Account number

Message text:

Hallo,
jemand schickt ihre privaten Mails auf meinem Account.
Ich schaetze mal, das es ein Fehler vom Provider ist.

Insgesamt waren es jetzt schon 6 Mails!
Ich habe alle Mail-Texte im Texteditor kopiert und gezippt.

Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese 
Dinger nicht mehr auf meinem Account landen, es Nervt naemlich.

Gruss

[Translation: Hello, someone is sending your private mails to my 
account. I guess it's an error on the provider's side. So far there 
have been 6 mails! I've copied all the mail texts in the text editor 
and zipped them. If it isn't a provider error after all, make sure 
these things stop landing in my account, it's getting annoying. 
Regards]

or

hi,

i've got an admin mail with a Password and Account info!
but the mail recipient are you! it's probably an esmtp error, i think.

i've copied the full mail text in the Windows text-editor & zipped.

ok, cya...

Attached file:

MailTexte.zip

or

acc_text.zip

Advanced
W32/Sober-L is a mass-mailing worm which sends itself to addresses 
harvested from the infected computer.

When first run, W32/Sober-L will open Notepad and display a body of 
text that starts:

Mail-Text:
Unzip failed

W32/Sober-L will copy itself to a subfolder of the Windows folder 
named \MSAGENT\SYSTEM with the filename SMSS.EXE. In order to run 
automatically each time a user logs on, W32/Sober-L will continually 
set the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
" Services.dll"
<Windows folder>\msagent\system\smss.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
_Services.dll
<Windows folder>\msagent\system\smss.exe

W32/Sober-L also creates the following data files:

\msagent\win32\emdata.mmx
\msagent\win32\zipzip.zab
\read.me
\nonrunso.ber
\stopruns.zhz
\xcvfpokd.tqa

The READ.ME file contains the following text:

test test test

In diesem Sinne:
Odin alias Anon

W32/Sober-L will attempt to terminate processes with names containing 
the following strings:

gcas, gcip, giantanti, stinger, hijackthis

W32/Sober-L harvests email addresses from files with the following 
strings in their filenames:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl 
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda 
adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb 
xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml 
hlp mht nfo php asp shtml dbx

W32/Sober-L avoids sending email to addresses that contain any of the 
following strings:

ntp- ntp@ ntp. test@ office @www @from. support smtp- @smtp. 
gold-certs ftp. .dial. .ppp. anyone subscribe announce @gmetref sql. 
someone nothing you@ user@ reciver@ somebody secure whatever@ whoever@ 
anywhere yourname mustermann@ .kundenserver. mailer-daemon variabel 
password noreply -dav law2 .sul.t- .qmail@ t-ipconnect t-dialin 
ipt.aol time postmas service freeav @ca. abuse winrar domain. host. 
viren bitdefender spybot detection ewido. emsisoft linux google @foo. 
winzip @example. bellcore. @arin mozilla @iana @avp icrosoft. @sophos 
@panda @kaspers free-av antivir virus verizon. @ikarus. @nai. 
@messagelab nlpmail01. clock

The email sent by W32/Sober-L depends on the recipient address. 
Emails sent to recipients whose email address is in the .de, .ch, .at, 
.li domains or contains the string "gmx." will receive an email as 
follows:

Subject line:

Ich habe Ihre E-Mail bekommen!
[Translation: I have received your e-mail!]

Message text:

Hallo,
jemand schickt ihre privaten Mails auf meinem Account.
Ich schaetze mal, das es ein Fehler vom Provider ist.

Insgesamt waren es jetzt schon 6 Mails!
Ich habe alle Mail-Texte im Texteditor kopiert und gezippt.

Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese 
Dinger nicht mehr auf meinem Account landen, es Nervt naemlich.

Gruss

[Translation: Hello, someone is sending your private mails to my 
account. I guess it's an error on the provider's side. So far there 
have been 6 mails! I've copied all the mail texts in the text editor 
and zipped them. If it isn't a provider error after all, make sure 
these things stop landing in my account, it's getting annoying. 
Regards]

Attached file:

MailTexte.zip

Email sent to other addresses will have the following characteristics:

Subject line:

Your Password & Account number

Message text:

hi,

i've got an admin mail with a Password and Account info!
but the mail recipient are you! it's probably an esmtp error, i think.

i've copied the full mail text in the Windows text-editor & zipped.

ok, cya...

Attached file:

acc_text.zip

The ZIP file will contain an executable file named 
mail_text-data.txt.pif

The From address line will be faked.





Name   W32/Rbot-APW

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Records keystrokes
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Rbot-APW is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-APW spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including LSASS (MS04-011), WKS 
(MS03-049), RPC-DCOM (MS04-012) and PNP (MS05-039).

W32/Rbot-APW runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-APW includes functionality to:

- perform port scanning
- carry out DDoS flooder attacks
- silently download, install and run new software
- steal information

Advanced
When first run W32/Rbot-APW copies itself to <System>\winsass.exe.

The following registry entries are created to run winsass.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows WinSaSS Management
winsass.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows WinSaSS Management
winsass.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows WinSaSS Management
winsass.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows WinSaSS Management
winsass.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Windows WinSaSS Management
winsass.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Windows WinSaSS Management
winsass.exe

HKCU\Software\Microsoft\OLE
Microsoft Windows WinSaSS Management
winsass.exe

HKLM\SOFTWARE\Microsoft\Ole
Microsoft Windows WinSaSS Management
winsass.exe

W32/Rbot-APW modifies the HOSTS file to prevent access to anti-virus 
and security related sites.

The following patches for the operating system vulnerabilities 
exploited by W32/Rbot-APW can be obtained from the Microsoft website:

MS03-049
MS04-011
MS04-012
MS05-039





Name   Troj/Badparty-A

Type  
    * Trojan

Prevalence (1-5) 2

Description
Troj/Badparty-A displays a message box containing the text 'Press OK 
to install the party invitation...'.

When the user clicks on OK the Trojan deletes the partition table in 
the master boot sector and the contents of the FAT. The Trojan then 
attempts to create a new partition table.

The Trojan creates the following files, which are all copies of 
legitimate utilities:
ginst0.dll in the Windows temp folder
int86_16.dll, int86_32.dll, playme.exe and party.ini in the Windows 
folder





Name   Troj/Banker-DV

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Steals information
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Banker.cv

Prevalence (1-5) 2

Description
Troj/Banker-DV is a password-stealing Trojan targeted at customers of 
Brazilian banks.

Troj/Banker-DV may display a fake error message containing the 
following text:

Erro de aplicativo
Aplicativo nao inicializado corretamente (0xc0000005). Clique em OK 
para finalizar a execucao

[Translation: Application error. The application failed to initialize 
properly (0xc0000005). Click OK to terminate the application]

Advanced
Troj/Banker-DV will monitor a user's internet access. When certain 
internet banking sites are visited, the Trojan will display a fake login screen
in order to trick the user into inputting their details.

Troj/Banker-DV will then send the stolen details to a remote location.

When first run, Troj/Banker-DV will copy itself to <System>\winlogin.exe
In order to run automatically each time a user logs in, Troj/Banker-DV 
will set the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Update
<System>\winlogin.exe





Name   Troj/Bandler-D

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Records keystrokes

Aliases  
    * Trojan-Spy.Win32.Banbra.dm
    * PWSteal.Banpaes

Prevalence (1-5) 2

Description
Troj/Bandler-D is a Trojan for the Windows platform.

Troj/Bandler-D includes functionality to download, install and run 
new software.

When first run Troj/Bandler-D copies itself to <Windows>\smss.exe.

Troj/Bandler-D will also attempt to terminate Anti-virus and security 
related applications.

Advanced
The following registry entry is created to run smss.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
zsmss
<Windows>\smss.exe






Name   W32/Opanki-AB

Type  
    * Spyware Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * IM-Worm.Win32.Opanki.ab

Prevalence (1-5) 2

Description
W32/Opanki-AB is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Opanki-AB runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Opanki-AB may also attempt to monitor AOL Instant Messenger (AIM) 
windows and send data to online contacts.

The backdoor component of W32/Opanki-AB can be instructed to download 
and execute further files.

Advanced
When first run W32/Opanki-AB copies itself to <Windows>\nether.exe

The following registry entry is created to run nether.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows System Configuration
<Windows>\nether.exe






Name   W32/Rbot-LT

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Rbot.cd

Prevalence (1-5) 2

Description
W32/Rbot-LT is a network worm which contains IRC backdoor Trojan 
functionality, allowing unauthorised remote access to the infected 
computer.

Advanced
W32/Rbot-LT is a worm which attempts to spread to remote network 
shares. It also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels 
while running in the background as a service process.

W32/Rbot-LT spreads to network shares with weak passwords and via 
network security exploits as a result of the backdoor Trojan element 
receiving the appropriate command from a remote user.

W32/Rbot-LT copies itself to the Windows system folder as LSSRV.EXE 
and creates entries at the following locations in the registry with 
the value Microsoft Services so as to run itself on system startup, 
resetting them multiple times every minute:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

W32/Rbot-LT also sets the following registry entry with the same 
value to point to itself:

HKCU\Software\Microsoft\OLE

W32/Rbot-LT may attempt to set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-LT may attempt to delete network shares on the host computer.

W32/Rbot-LT may attempt to log keystrokes to the file KEY32.TXT in 
the Windows system folder.





Name   W32/Rbot-AQF

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.gen
    * W32/Sdbot.worm.gen.bh

Prevalence (1-5) 2

Description
W32/Rbot-AQF is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-AQF spreads:

- to other network computers infected with: Troj/Kuang, Troj/Sub7, 
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), 
WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011) 
(CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware 
(CAN-2003-1030), PNP (MS05-039) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-AQF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
When first run W32/Rbot-AQF copies itself to <System>\msnwindows.exe.

The following registry entries are created to run msnwindows.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Service
msnwindows.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
System Service
msnwindows.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
System Service
msnwindows.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/Small-QJ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * TROJ_SMALL.QI

Prevalence (1-5) 2

Description
Troj/Small-QJ is a Trojan for the Windows platform.

Troj/Small-QJ includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Small-QJ downloads and executes several files from a remote site.

Advanced
When first run Troj/Small-QJ copies itself to the Windows system 
folder and creates the file <CurrentFolder>\winhlp32.dll (also 
detected as Troj/Small-QJ).

The following registry entry is created to run Troj/Small-QJ on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
down
<original Trojan filename>






Name   Troj/Vanti-E

Type  
    * Trojan

Affected operating systems  
    * Windows

Aliases  
    * Rootkit.Win32.Vanti.e

Prevalence (1-5) 2

Description
Troj/Vanti-E is used by malicious software to hide its presence on an 
infected system.





Name   W32/Tilebot-W

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Agobot.afk
    * WORM_RBOT.CHY

Prevalence (1-5) 2

Description
W32/Tilebot-W is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-W spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).

W32/Tilebot-W runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-W includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Tilebot-W copies itself to <Windows>\csrss.exe.

Advanced
The file csrss.exe is registered as a new system driver service named 
"wservtime", with a display name of "Windows Time Sync" and a startup 
type of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\wservtime\

W32/Tilebot-W sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
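
The Rbot-APW, Rbot-LT, Rbot-AQF and Tilebot-W entries above share a 
small set of registry indicators: a Run/RunServices value pointing at 
the bot binary, marker values under Ole and Control\Lsa, EnableDCOM 
set to N, restrictanonymous set to 1, DoNotAllowXPSP2 set to 1, 
services such as RemoteRegistry disabled with Start=4, and a new service 
whose binary borrows a system name (csrss.exe) but lives outside 
system32. The audit below, over a `reg export` style text dump, is an 
added example for this page written in Python; it is not Sophos's code 
and not part of the original post. The key and value names come from 
the entries above; the sample export, the ImagePath strings and the 
"legitimate copies live under system32" rule are assumptions.

```python
"""Audit a Windows registry export (.reg text) for the bot indicators listed above."""
import re

# Keys whose values the bots point at their own binary (Run/RunServices for autorun,
# Ole and Control\Lsa as the Rbot marker values shown in the entries above).
INDICATOR_KEYS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runservices",
    "software\\microsoft\\ole",
    "system\\currentcontrolset\\control\\lsa",
)
# Filenames the bots above copy themselves to.
BOT_BINARIES = {"winsass.exe", "lssrv.exe", "msnwindows.exe", "nether.exe",
                "smrss.exe", "spools.exe", "winlogin.exe"}
# Genuine Windows binary names that Tilebot-W and Bandler-D imitate; the real ones
# live under \system32 (assumption: standard install layout).
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "services.exe"}
# (key, value) -> data the bots set to weaken the host, from the descriptions above.
WEAKENING = {
    ("software\\microsoft\\ole", "enabledcom"): "n",
    ("system\\currentcontrolset\\control\\lsa", "restrictanonymous"): "1",
    ("software\\policies\\microsoft\\windows\\windowsupdate", "donotallowxpsp2"): "1",
}
DISABLED_BY_BOT = {"messenger", "remoteregistry", "tlntsvr"}   # Tilebot sets Start=4


def parse_reg(text):
    """Return {key_path: {value_name: data}} (names lower-cased) from .reg export text.
    A real export is UTF-16; read it with open(path, encoding="utf-16")."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            tree.setdefault(key, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or key is None:
            continue                      # header, blank line or unsupported type
        name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1].lower()
        data = m.group(2)
        if data.startswith("dword:"):
            data = str(int(data[6:], 16))            # dword:00000004 -> "4"
        elif data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
        tree[key][name] = data
    return tree


def audit(tree):
    """Return a list of findings; empty means none of the indicators above were seen."""
    findings = []
    for key, values in tree.items():
        rel = key.split("\\", 1)[1] if "\\" in key else key   # strip the hive name
        if rel in INDICATOR_KEYS:
            for name, data in values.items():
                if data.lower().rsplit("\\", 1)[-1] in BOT_BINARIES:
                    findings.append("bot binary referenced: %s\\%s = %s" % (key, name, data))
        for (wkey, wname), bad in WEAKENING.items():
            if rel == wkey and values.get(wname, "").lower() == bad:
                findings.append("hardening rolled back: %s\\%s = %s" % (key, wname, bad))
        if "\\services\\" in rel:
            svc = rel.rsplit("\\", 1)[-1]
            if svc in DISABLED_BY_BOT and values.get("start") == "4":
                findings.append("service disabled: %s" % svc)
            image = values.get("imagepath", "").lower()
            exe = image.split(" ")[0].rsplit("\\", 1)[-1]
            if exe in SYSTEM_NAMES and "\\system32\\" not in image:
                findings.append("system binary name outside system32: %s -> %s" % (svc, image))
    return findings


# Constructed export: one bot autorun value, three weakened settings, one disabled
# service, one masquerading service and one legitimate service for contrast.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows WinSaSS Management"="winsass.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wservtime]
"DisplayName"="Windows Time Sync"
"ImagePath"="C:\\WINDOWS\\csrss.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k LocalService"
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_EXPORT)):
        print(finding)
```

Running this against an export taken from a live host is only a 
snapshot check: Rbot-LT rewrites its Run values several times a minute, 
so an entry that is absent at export time may be back moments later, 
which is why the service and policy values (which the bots set once) 
are the more stable indicators here.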





Name   W32/Kassbot-I

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Nanspy.c
    * BackDoor-CPV

Prevalence (1-5) 2

Description
W32/Kassbot-I is a worm and backdoor Trojan for the Windows platform.

W32/Kassbot-I spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including LSASS (MS04-011).

W32/Kassbot-I runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

Advanced
W32/Kassbot-I includes functionality to access the internet and 
communicate with a remote server via HTTP.

W32/Kassbot-I will append the following to the HOSTS file in order to 
redirect internet traffic aimed at the following security-related 
hostnames to an alternate address (shown below as <alternate url>):

<alternate url> d-ru-1f.kaspersky-labs.com
<alternate url> d-ru-1h.kaspersky-labs.com
<alternate url> d-ru-2f.kaspersky-labs.com
<alternate url> d-ru-2h.kaspersky-labs.com
<alternate url> d-eu-2f.kaspersky-labs.com
<alternate url> d-eu-2h.kaspersky-labs.com
<alternate url> d-eu-1f.kaspersky-labs.com
<alternate url> d-eu-1h.kaspersky-labs.com
<alternate url> d-us-1f.kaspersky-labs.com
<alternate url> d-us-1h.kaspersky-labs.com
<alternate url> downloads1.kaspersky.ru
<alternate url> downloads2.kaspersky.ru
<alternate url> downloads3.kaspersky.ru
<alternate url> downloads4.kaspersky.ru
<alternate url> downloads5.kaspersky.ru
<alternate url> www.kaspersky.ru
<alternate url> kaspersky.ru
<alternate url> kaspersky-labs.com
<alternate url> www.kaspersky-labs.com

When first run W32/Kassbot-I copies itself to <System>\spools.exe and 
creates the file <System>\xbccd.log, which is a harmless text file.

The following registry entry is created to run spools.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spools Service Controller
<System>\spools.exe
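
Two HOSTS-file abuses appear on this page: Rbot-APW maps security 
sites to block them, and Kassbot-I maps Kaspersky update hosts to an 
alternate address so that update traffic is redirected. The check 
below distinguishes the two cases. It is an added example for this 
page in Python, not Sophos's code and not part of the original post; 
the HOSTS text is constructed, 203.0.113.9 is a documentation address 
standing in for the unspecified <alternate url>, and the vendor name 
list beyond the names that appear on this page is an assumption.

```python
"""Flag HOSTS-file entries that block or redirect security-vendor hostnames."""
import ipaddress

# Vendor name fragments; the first several appear on this page, the rest are assumed.
VENDOR_FRAGMENTS = ("kaspersky", "sophos", "panda", "bitdefender", "ewido", "emsisoft",
                    "antivir", "ikarus", "nai.com", "messagelabs", "symantec", "mcafee",
                    "windowsupdate", "microsoft")
LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                     # first field is not an IP address
        for host in fields[1:]:
            yield addr, host.lower()


def audit_hosts(text):
    """Return findings for vendor hostnames mapped to loopback (blocked) or elsewhere (redirected)."""
    findings = []
    for addr, host in parse_hosts(text):
        if not any(fragment in host for fragment in VENDOR_FRAGMENTS):
            continue
        if addr in LOOPBACK:
            findings.append("blocked: %s -> %s" % (host, addr))
        else:
            findings.append("redirected: %s -> %s" % (host, addr))
    return findings


# Constructed HOSTS file: a Kassbot-style redirect, an Rbot-style block, and an
# unrelated internal mapping that must not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.9     d-ru-1f.kaspersky-labs.com
203.0.113.9     downloads1.kaspersky.ru www.kaspersky.ru
127.0.0.1       www.sophos.com
192.168.1.10    intranet.example.internal
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

A redirect finding deserves more attention than a block: the alternate 
address is under the attacker's control, so anything the machine 
fetches from those hostnames afterwards (signature updates included) 
should be treated as attacker-supplied.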





Name   W32/Tilebot-X

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Aimbot.af
    * W32/Sdbot.worm.gen.by

Prevalence (1-5) 2

Description
W32/Tilebot-X is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-X spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM 
(MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself 
to network shares protected by weak passwords.

W32/Tilebot-X runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-X includes functionality to:

- set up a SOCKS4 server
- enumerate all drives and processes on the infected computer
- access the internet and communicate with a remote server via HTTP
- create new AOL Instant Messenger profiles
- perform port scanning
- steal information, including POP3 and Hotmail usernames and passwords 
as well as data from the Protected Storage area

W32/Tilebot-X also creates the file \rofl.sys. The file rofl.sys is 
detected as Troj/RKPort-Fam.

The following patches for the operating system vulnerabilities 
exploited by W32/Tilebot-X can be obtained from the Microsoft website:

MS04-011
MS04-012
MS05-039
MS04-007

Advanced
W32/Tilebot-X is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-X spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including LSASS (MS04-011), RPC-DCOM 
(MS04-012), PNP (MS05-039) and ASN.1 (MS04-007), and by copying itself 
to network shares protected by weak passwords.

W32/Tilebot-X runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-X includes functionality to:

- set up a SOCKS4 server
- enumerate all drives and processes on the infected computer
- access the internet and communicate with a remote server via HTTP
- create new AOL Instant Messenger profiles
- perform port scanning
- steal information, including POP3 and Hotmail usernames and passwords 
as well as from the Protected Storage area

When first run W32/Tilebot-X copies itself to <Windows>\smrss.exe and 
creates the file <System>\rofl.sys.

The file rofl.sys is detected as Troj/RKPort-Fam.

The file smrss.exe is registered as a new system driver service named 
"Windows Smrss Service", with a display name of 
"Windows Smrss Service" and a startup type of automatic, so that it 
is started automatically during system startup. Registry entries are 
created under:

HKLM\SYSTEM\CurrentControlSet\Services\Windows Smrss Service\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_SMRSS_SERVICE\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ROFL

The file rofl.sys is registered as a new system driver service named 
"rofl", with a display name of "rofl". Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\rofl\

W32/Tilebot-X sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
AUOptions
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent
(default)
8
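As an added illustration (not Sophos' or the worm's code), the following Python checker parses a "reg export" dump and reports which of the entries listed above are present with the value W32/Tilebot-X sets; the key paths and value names are taken from the list above, and the sample export is constructed rather than captured from an infected host.

```python
import re
from typing import Dict, List, Tuple, Union

# (key, value name) -> value the advisory above says W32/Tilebot-X sets.
TILEBOT_SETTINGS: Dict[Tuple[str, str], Union[int, str]] = {
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallOverride"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "UpdatesDisableNotify"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update", "AUOptions"): 1,
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile", "EnableFirewall"): 0,
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall"): 0,
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2"): 1,
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc", "Start"): 4,
    (r"HKLM\SOFTWARE\Microsoft\Ole", "EnableDCOM"): "N",
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')  # "Name"=data, or @=data for (default)


def parse_reg_export(text: str) -> Dict[Tuple[str, str], Union[int, str]]:
    """Parse 'reg export' text into {(key, name): value} with key and name lower-cased;
    dword:XXXXXXXX becomes int, "..." becomes str, anything else is kept raw."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group(1).replace("HKEY_LOCAL_MACHINE", "HKLM").lower()
            continue
        val = VALUE_RE.match(line)
        if val and key is not None:
            name = (val.group(1) or "(default)").lower()
            data = val.group(2)
            if data.lower().startswith("dword:"):
                values[(key, name)] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                values[(key, name)] = data[1:-1]
            else:
                values[(key, name)] = data
    return values


def find_tilebot_settings(text: str) -> List[str]:
    """Return 'key\\name = value' for each advisory entry found with the listed value."""
    present = parse_reg_export(text)
    return [f"{key}\\{name} = {bad!r}" for (key, name), bad in TILEBOT_SETTINGS.items()
            if present.get((key.lower(), name.lower())) == bad]


# Constructed sample in 'reg export' format, not a capture from a real host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""

if __name__ == "__main__":
    for finding in find_tilebot_settings(SAMPLE_EXPORT):
        print("weakened:", finding)
```

On a live Windows host the same comparison can be fed from "reg export HKLM <file>"; a value that is merely present with a different setting (UpdatesDisableNotify=0 in the sample) is not reported.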

The following patches for the operating system vulnerabilities 
exploited by W32/Tilebot-X can be obtained from the Microsoft website:

MS04-011
MS04-012
MS05-039
MS04-007





Name   W32/Bagle-AN

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * W32/Bagle.df@MM
    * Email-Worm.Win32.Bagle.dx

Prevalence (1-5) 2

Description
W32/Bagle-AN is a worm for the Windows platform.

W32/Bagle-AN spreads via file sharing on Peer-to-peer networks and 
via email.

W32/Bagle-AN includes functionality to download, install and run new 
software.

W32/Bagle-AN then creates copies of itself in all folders containing 
the substring SHAR on all drives.

W32/Bagle-AN also spreads by email. The email addresses are collected 
from files on the system containing the following file extensions:

WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, 
CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM, 
JSP.

The worm arrives as an attachment to an HTML email message.

The basename of the attachment is chosen from the following list:

Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message

The email message has the following characteristics:

Subject line:

Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

Message text:

Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.

Advanced
W32/Bagle-AN is a worm for the Windows platform.

W32/Bagle-AN spreads via file sharing on Peer-to-peer networks and 
via email.

W32/Bagle-AN includes functionality to download, install and run new 
software.

When first run, W32/Bagle-AN copies itself to <System>\winhost.exe 
and creates the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winhost.exe
<System>\winhost.exe

W32/Bagle-AN then creates copies of itself in all folders containing 
the substring SHAR on all drives.

The worm uses the following filenames:

"Microsoft Office 2003 Crack, Working!.exe"
"Microsoft Windows XP, WinXP Crack, working Keygen.exe"
"Norton Antivirus, working Keygen.exe"
"Microsoft Office XP working Crack, Keygen.exe"
"Porno, sex, oral, anal cool, awesome!!.exe"
"Porno Screensaver.scr"
"Serials.txt.exe"
"Kaspersky Antivirus 5.0"
"Porno pics arhive, xxx.exe"
"Windows Sourcecode update.doc.exe"
"Ahead Nero 7.exe"
"Windown Longhorn Beta Leak.exe"
"Opera 8 New!.exe"
"XXX hardcore images.exe"
"WinAmp 6 New!.exe"
"WinAmp 5 Pro Keygen Crack Update.exe"
"Adobe Photoshop 9 full.exe"
"Matrix 3 Revolution English Subtitles.exe"
"Doom3_nocd.exe"
"HalfLife2_noCD.exe"
"12 year old Katia sucks and fucks me in lots of positions. (teen 
preteen anal cumshot sex young whore school lolita.avi .exe"

W32/Bagle-AN spreads by email. The email addresses are collected from 
files on the system containing the following file extensions:

WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, 
CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM, 
JSP.

The worm arrives as an attachment to an HTML email message.

The basename of the attachment is chosen from the following list:

Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message

The email message has the following characteristics:

Subject line:

Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

Message text:

Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.

W32/Bagle-AN also attempts to terminate security related processes on 
an infected computer.

Registry entries are created under:

HKCU\Software\Timeout\





Name   W32/Kassbot-H

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information
    * Downloads code from the internet

Prevalence (1-5) 2

Description
W32/Kassbot-H is a worm and backdoor Trojan for the Windows platform.

W32/Kassbot-H runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Kassbot-H includes functionality to access the internet and 
communicate with a remote server via HTTP and IRC.

W32/Kassbot-H may send an email to a pre-defined email address 
containing system information from the infected computer.

W32/Kassbot-H will monitor a user's internet access. When certain 
internet sites are accessed, the worm will redirect the user to a 
website with fake login pages or email the stolen details to a 
pre-specified email address.

W32/Kassbot-H will attempt to spread by exploiting the LSASS 
vulnerability (MS04-011). The following patch for the operating system 
vulnerability exploited by W32/Kassbot-H can be obtained from the 
Microsoft website:

MS04-011

Advanced
W32/Kassbot-H is a worm and backdoor Trojan for the Windows platform.

W32/Kassbot-H runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Kassbot-H includes functionality to access the internet and 
communicate with a remote server via HTTP and IRC.

When first run W32/Kassbot-H copies itself to <System>\spools.exe and 
creates the file <System>\xbccd.log. The file xbccd.log may be deleted.

The following registry entry is created to run spools.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spools Service Controller
<System>\spools.exe

W32/Kassbot-H may send an email to a pre-defined email address 
containing system information from the infected computer.

W32/Kassbot-H will monitor a user's internet access. When certain 
internet sites are accessed, the worm will redirect the user to a 
website with fake login pages or email the stolen details to a 
pre-specified email address.

W32/Kassbot-H will attempt to spread by exploiting the LSASS 
vulnerability (MS04-011). The following patch for the operating system 
vulnerability exploited by W32/Kassbot-H can be obtained from the 
Microsoft website:

MS04-011

W32/Kassbot-H will append the following lines to the HOSTS file in an 
attempt to block access to anti-virus related websites:






Name   Troj/GrayBrd-AC

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Hupigon.hi

Prevalence (1-5) 2

Description
Troj/GrayBrd-AC is a Trojan for the Windows platform.

Troj/GrayBrd-AC includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/GrayBrd-AC is a Trojan for the Windows platform.

Troj/GrayBrd-AC includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/GrayBrd-AC copies itself to 
<System>\RavExt\winlogo.exe.

The file winlogo.exe is registered as a new system driver service 
named "Internet", with a display name of "Windows Internet/Server" 
and a startup type of automatic, so that it is started automatically 
during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Internet\





Name   W32/Mytob-ET

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer

Prevalence (1-5) 2

Description
W32/Mytob-ET is a mass-mailing worm and IRC backdoor Trojan.

W32/Mytob-ET runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Mytob-ET can spread by sending itself as an email attachment to 
email addresses harvested from the infected computer.

Emails sent by the worm have characteristics from the following:

Subject lines:

Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation

or random characters

Message text - one of the following:

The worm will insert the username and the email domain of the 
addressee into the email.

Dear user <UserName>,

You have successfully updated the password of your <domain> account.

If you did not authorize this change or if you need assistance with 
your account, please contact <domain> customer service at: 
<sender@domain>
Thank you for using <domain>!
The <domaim> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>

Dear user <UserName>,

It has come to our attention that your <domain> User Profile ( x ) 
records are out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>

Dear <domain> Member,

We have temporarily suspended your email account <UserEmailAddress>.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your <domain> account.

Sincerely,The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>

Dear <domain> Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.
If you choose to ignore our request, you leave us no choice but to 
cancel your membership.

Virtually yours,
The <domain> Support Team

+++ Attachment: No Virus found
+++ <domain> Antivirus - www.<domain>

Attachment name:

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report

or random characters

The zip file will contain the worm with a double extension: the first 
extension is one of doc, htm or txt, followed by spaces, and the second 
extension is exe, scr or pif.

Advanced
W32/Mytob-ET is a mass-mailing worm and IRC backdoor Trojan.

W32/Mytob-ET runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Mytob-ET copies itself to <System>\hpmanager.exe.

The following registry entries are created to run hpmanager.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Hewlett Packard Manager
hpmanager.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Hewlett Packard Manager
hpmanager.exe

W32/Mytob-ET sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

W32/Mytob-ET can spread by sending itself as an email attachment to 
email addresses harvested from the infected computer.

Emails sent by the worm have characteristics from the following:

Subject lines:

Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation

or random characters

Message text - one of the following:

The worm will insert the username and the email domain of the 
addressee into the email.

Dear user <UserName>,

You have successfully updated the password of your <domain> account.

If you did not authorize this change or if you need assistance with 
your account, please contact <domain> customer service at: 
<sender@domain>
Thank you for using <domain>!
The <domaim> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>

Dear user <UserName>,

It has come to our attention that your <domain> User Profile ( x ) 
records are out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>

Dear <domain> Member,

We have temporarily suspended your email account <UserEmailAddress>.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your <domain> account.

Sincerely,The <domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>

Dear <domain> Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.
If you choose to ignore our request, you leave us no choice but to 
cancel your membership.

Virtually yours,
The <domain> Support Team

+++ Attachment: No Virus found
+++ <domain> Antivirus - www.<domain>

Attachment name:

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report

or random characters

The zip file will contain the worm with a double extension: the first 
extension is one of doc, htm or txt, followed by spaces, and the second 
extension is exe, scr or pif.
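As an added example (not Sophos' or the worm's code), a Python mail-gateway style check for the attachment pattern just described: a zip member whose name ends in doc, htm or txt, then a run of spaces, then exe, scr or pif. It also matches a plain double extension with no padding, and separately notes whether the basename is one from the list above; the archive it scans is constructed here and contains only text.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Mytob-ET style member name: <basename>.<doc|htm|txt><spaces>.<exe|scr|pif>
# Zero spaces is also matched so a plain double extension is reported too.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(?P<decoy>doc|htm|txt)(?P<pad> *)\.(?P<real>exe|scr|pif)$", re.IGNORECASE)

# Attachment basenames listed in the advisory above (the worm may also use random ones).
MYTOB_BASENAMES = {
    "updated-password", "email-password", "new-password", "password",
    "approved-password", "account-password", "accepted-password",
    "important-details", "account-details", "email-details", "account-info",
    "document", "readme", "account-report",
}


def classify_name(name: str) -> Optional[Tuple[str, int, str]]:
    """Return (decoy_ext, padding_spaces, real_ext) for a padded double-extension
    name, or None if the name does not end in that pattern."""
    m = PADDED_DOUBLE_EXT.search(name)
    if not m:
        return None
    return m.group("decoy").lower(), len(m.group("pad")), m.group("real").lower()


def uses_advisory_basename(name: str) -> bool:
    """True if the part before the first dot is one of the listed basenames."""
    return name.split(".", 1)[0].strip().lower() in MYTOB_BASENAMES


def suspicious_members(zip_bytes: bytes) -> List[str]:
    """Names of archive members that look like the worm's padded double-extension file."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if classify_name(info.filename) is not None]


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign member and one Mytob-style name
    (its content is plain text, not an executable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "harmless text")
        zf.writestr("account-details.doc" + " " * 16 + ".exe", "harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for member in suspicious_members(build_sample_zip()):
        print(repr(member), classify_name(member), uses_advisory_basename(member))
```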

W32/Mytob-ET attempts to terminate a large number of processes 
related to security and anti-virus programs.

W32/Mytob-ET also modifies the Windows hosts file in order to block 
access to the following websites:

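The hosts-file tampering described here for W32/Mytob-ET, and above for W32/Kassbot-H, can be audited with the following added Python example (not Sophos' code). It parses a hosts file, reports every protected hostname that is mapped to a loopback or unspecified address as "blocked", and any protected hostname mapped elsewhere as "redirected"; the protected-domain list is a selection from the advisories, and the sample hosts file is constructed.

```python
import ipaddress
from typing import List, Tuple, Union

# Domains the two advisories above say are mapped in the hosts file; a deployment
# would add its own AV, update and banking hosts to this list.
PROTECTED_SUFFIXES = (
    "sophos.com", "symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com",
    "kaspersky.com", "kaspersky-labs.com", "kaspersky.ru", "f-secure.com",
    "trendmicro.com", "microsoft.com", "paypal.com", "ebay.com", "amazon.com",
)

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _is_protected(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def _is_sinkhole(ip: IPAddress) -> bool:
    # 127.0.0.0/8, ::1 and 0.0.0.0 make the name unreachable ("blocked").
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (hostname, address, verdict) for every protected hostname in a hosts
    file; verdict is 'blocked' for loopback/unspecified targets, else 'redirected'."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not a hosts entry
        for host in fields[1:]:
            if _is_protected(host):
                verdict = "blocked" if _is_sinkhole(ip) else "redirected"
                findings.append((host, str(ip), verdict))
    return findings


# Constructed sample hosts file; 198.51.100.7 is a documentation (TEST-NET-2) address.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
0.0.0.0 update.microsoft.com   # blocked with the unspecified address
198.51.100.7 www.paypal.com    # redirected, as a fake-login-page variant would do
192.168.1.10 intranet.example  # legitimate local entry, not reported
"""

if __name__ == "__main__":
    for host, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10s} {host} -> {ip}")
```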





Name   Troj/Sisery-A

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Sisery-A is a Trojan for the Windows platform.

The Trojan is a nuisance program which modifies the default behaviors 
of Microsoft Windows and several applications.

Advanced
Troj/Sisery-A is a Trojan for the Windows platform.

The Trojan is a nuisance program which modifies the default behaviors 
of Microsoft Windows and several applications. Troj/Sisery-A may make 
the following changes to the infected computer:

- offset the Desktop wallpaper to the lower right
- remove the "log off" option from the shutdown menu
- display a message box entitled "DANGER" on user login
- change the title of Internet Explorer
- create a folder in the root folder containing "WINDOWS" and 
non-printable characters
- cause a long delay before the Start menu (and any sub-menus) appears
- disable the context menu
- disable the control panel