TIP: Click on subject to list as thread!

ANSI

echo:	virus_info
to:	ALL
from:	KURT WISMER
date:	2006-08-12 18:15:00
subject:	News, August 12 2006
[cut-n-paste from sophos.com] Name Troj/Agent-CST Type * Spyware Trojan Affected operating systems * Windows Side effects * Steals information * Installs itself in the Registry Aliases * BackDoor-CVT * TROJ_AGENT.CST Prevalence (1-5) 2 Description Troj/Agent-CST is a Trojan for the Windows platform. Advanced Troj/Agent-CST is a Trojan for the Windows platform. Troj/Agent-CST is installed to the Windows system folder as win???32.dll where ? is a random character a-z. The following registry entries are created to run code exported by Troj/Agent-CST on startup: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win???32 DllName win???32.dll HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win???32 Impersonate 0 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win???32 Startup EvtStartup Registry entries are created under: HKCR\MezziaCodec.Chl\CLSID HKLM\SOFTWARE\Microsoft\MSSMGR Name Troj/DwnLdr-DPC Type * Trojan Affected operating systems * Windows Side effects * Downloads code from the internet Aliases * Trojan.Win32.VB.arm Prevalence (1-5) 2 Description Troj/DwnLdr-DPC is a downloader Trojan for the Windows platform. Advanced Troj/DwnLdr-DPC is a downloader Trojan for the Windows platform. When run Troj/DwnLdr-DPC copies itself to \mschkdsk.ex as a hidden, system file. Troj/DwnLdr-DPC includes functionality to: - download code from the internet - change Internet Explorer settings Troj/DwnLdr-DPC also attempts to create or change registry entries under: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ The following registry entry is set: HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current (default) \Media\start.wav Name Troj/Goldun-DS Type * Spyware Trojan Affected operating systems * Windows Side effects * Steals credit card details * Steals information * Installs itself in the Registry Aliases * Trojan-Spy.Win32.Goldun.lm Prevalence (1-5) 2 Description Troj/Goldun-DS is a Trojan for the Windows platform. Troj/Goldun-DS monitors browser activity in an attempt to steal passwords when users browse to certain websites, including www.e-gold.com. The Trojan may attempt to modify browser settings in order to force users to re-type passwords. Advanced Troj/Goldun-DS is a Trojan for the Windows platform. Troj/Goldun-DS monitors browser activity in an attempt to steal passwords when users browse to certain websites, including www.e-gold.com. The Trojan may attempt to modify browser settings in order to force users to re-type passwords. The file vmmdiag3.exe can be created in order to run the Trojan - this file should be deleted. The following registry entry is created in order to run the Trojan automatically on login: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Explorer.exe vmmdiag32.exe (this is Explorer.exe by default) Name W32/Brontok-BG Type * Worm How it spreads * Email attachments Affected operating systems * Windows Side effects * Turns off anti-virus applications * Sends itself to email addresses found on the infected computer * Drops more malware * Forges the sender's email address * Uses its own emailing engine * Installs itself in the Registry * Leaves non-infected files on computer Aliases * Email-Worm.Win32.Brontok.o * W32/Rontokbro.gen{at}MM * Win32/Pazetus.C * W32.Rontokbro{at}mm Prevalence (1-5) 2 Description W32/Brontok-BG is a mass-mailing worm for the Windows platform. W32/Brontok-BG sends itself to email addresses found on the infected computer. Emails sent by the worm have the following characteristics: If the recipient's address is Indonesian: Subject: Foto Liburanku di Bali Message text: Halo Sobat, Ini fotoku saat liburan di Bali. Semoga kamu jadi ingat aku terus. Terima kasih, For all other addresses: Subject: My Photo on Paris Message text: This photo was taken from my vacation on Paris, last week. Wishing you always remember me. Regards, Attachment name: Picture.zip The zip file contains Picture.bmp and View-Picture.bat. View-Picture.bat runs Picture.bmp. Picture.bmp is an executable which attempts to download and execute a copy of the worm from a preconfigured website. Advanced W32/Brontok-BG is a mass-mailing worm for the Windows platform. W32/Brontok-BG sends itself to email addresses found on the infected computer. Emails sent by the worm have the following characteristics: If the recipient's address is Indonesian: Subject: Foto Liburanku di Bali Message text: Halo Sobat, Ini fotoku saat liburan di Bali. Semoga kamu jadi ingat aku terus. Terima kasih, For all other addresses: Subject: My Photo on Paris Message text: This photo was taken from my vacation on Paris, last week. Wishing you always remember me. Regards, Attachment name: Picture.zip The zip file contains Picture.bmp and View-Picture.bat. View-Picture.bat runs Picture.bmp. Picture.bmp is an executable which attempts to download and execute a copy of the worm from a preconfigured website. When first run W32/Brontok-BG copies itself to: \Local Settings\Application Data\dv\yesbron.com \Local Settings\Application Data\jalak.com \_default.pif \j.exe \o.exe \sa\ib.exe \c.com \n\b.exe \n\csrss.exe \n\lsass.exe \n\services.exe \n\smss.exe \n\sv.exe \n\winlogon.exe where is a sequence of randomly generated numbers. and creates the following files: Baca Bro !!!.txt \Tasks\At1.job \Tasks\At2.job \n5817\c.bron.tok.txt These files can be deleted. The .job files each contain a scheduled task, instructing Windows to execute the installed copies of the worm once per day. W32/Brontok-BG may install a new version of the file \msvbvm60.dll. The following registry entries are created to run yesbron.com, _default.pif, j.exe and sv.exe on startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run \Local Settings\Application Data\dv\yesbron.com HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run \_default.pif HKCU\Software\Microsoft\Windows\CurrentVersion\Run \\sv.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \.exe The following registry entries are changed to run j.exe and o.exe on startup: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Explorer.exe "\.exe" (the default value for this registry entry is "Explorer.exe" which causes the Microsoft file \Explorer.exe to be run on startup). HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit \userinit.exe,\.exe (the default value for this registry entry is "\System32\userinit.exe,"). The following registry entry is set, disabling the registry editor (regedit): HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools 1 Registry entries are set as follows: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden 0 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden 0 W32/Brontok-BG also overwrites the HOSTS file with the following mappings: 127.0.0.19 mcafee.com 127.0.0.19 www.mcafee.com 127.0.0.19 mcafee.net 127.0.0.19 www.mcafee.net 127.0.0.19 mcafee.org 127.0.0.19 www.mcafee.org 127.0.0.19 mcafeesecurity.com 127.0.0.19 www.mcafeesecurity.com 127.0.0.19 mcafeesecurity.net 127.0.0.19 www.mcafeesecurity.net 127.0.0.19 mcafeesecurity.org 127.0.0.19 www.mcafeesecurity.org 127.0.0.19 mcafeeb2b.com 127.0.0.19 www.mcafeeb2b.com 127.0.0.19 mcafeeb2b.net 127.0.0.19 www.mcafeeb2b.net 127.0.0.19 mcafeeb2b.org 127.0.0.19 www.mcafeeb2b.org 127.0.0.19 nai.com 127.0.0.19 www.nai.com 127.0.0.19 nai.net 127.0.0.19 www.nai.net 127.0.0.19 nai.org 127.0.0.19 www.nai.org 127.0.0.19 vil.nai.com 127.0.0.19 www.vil.nai.com 127.0.0.19 vil.nai.net 127.0.0.19 www.vil.nai.net 127.0.0.19 vil.nai.org 127.0.0.19 www.vil.nai.org 127.0.0.19 grisoft.com 127.0.0.19 www.grisoft.com 127.0.0.19 grisoft.net 127.0.0.19 www.grisoft.net 127.0.0.19 grisoft.org 127.0.0.19 www.grisoft.org 127.0.0.19 kaspersky-labs.com 127.0.0.19 www.kaspersky-labs.com 127.0.0.19 kaspersky-labs.net 127.0.0.19 www.kaspersky-labs.net 127.0.0.19 kaspersky-labs.org 127.0.0.19 www.kaspersky-labs.org 127.0.0.19 kaspersky.com 127.0.0.19 www.kaspersky.com 127.0.0.19 kaspersky.net 127.0.0.19 www.kaspersky.net 127.0.0.19 kaspersky.org 127.0.0.19 www.kaspersky.org 127.0.0.19 downloads1.kaspersky-labs.com 127.0.0.19 www.downloads1.kaspersky-labs.com 127.0.0.19 downloads1.kaspersky-labs.net 127.0.0.19 www.downloads1.kaspersky-labs.net 127.0.0.19 downloads1.kaspersky-labs.org 127.0.0.19 www.downloads1.kaspersky-labs.org 127.0.0.19 downloads2.kaspersky-labs.com 127.0.0.19 www.downloads2.kaspersky-labs.com 127.0.0.19 downloads2.kaspersky-labs.net 127.0.0.19 www.downloads2.kaspersky-labs.net 127.0.0.19 downloads2.kaspersky-labs.org 127.0.0.19 www.downloads2.kaspersky-labs.org 127.0.0.19 downloads3.kaspersky-labs.com 127.0.0.19 www.downloads3.kaspersky-labs.com 127.0.0.19 downloads3.kaspersky-labs.net 127.0.0.19 www.downloads3.kaspersky-labs.net 127.0.0.19 downloads3.kaspersky-labs.org 127.0.0.19 www.downloads3.kaspersky-labs.org 127.0.0.19 downloads4.kaspersky-labs.com 127.0.0.19 www.downloads4.kaspersky-labs.com 127.0.0.19 downloads4.kaspersky-labs.net 127.0.0.19 www.downloads4.kaspersky-labs.net 127.0.0.19 downloads4.kaspersky-labs.org 127.0.0.19 www.downloads4.kaspersky-labs.org 127.0.0.19 download.mcafee.com 127.0.0.19 www.download.mcafee.com 127.0.0.19 download.mcafee.net 127.0.0.19 www.download.mcafee.net 127.0.0.19 download.mcafee.org 127.0.0.19 www.download.mcafee.org 127.0.0.19 norton.com 127.0.0.19 www.norton.com 127.0.0.19 norton.net 127.0.0.19 www.norton.net 127.0.0.19 norton.org 127.0.0.19 www.norton.org 127.0.0.19 symantec.com 127.0.0.19 www.symantec.com 127.0.0.19 symantec.net 127.0.0.19 www.symantec.net 127.0.0.19 symantec.org 127.0.0.19 www.symantec.org 127.0.0.19 liveupdate.symantecliveupdate.com 127.0.0.19 www.liveupdate.symantecliveupdate.com 127.0.0.19 liveupdate.symantecliveupdate.net 127.0.0.19 www.liveupdate.symantecliveupdate.net 127.0.0.19 liveupdate.symantecliveupdate.org 127.0.0.19 www.liveupdate.symantecliveupdate.org 127.0.0.19 liveupdate.symantec.com 127.0.0.19 www.liveupdate.symantec.com 127.0.0.19 liveupdate.symantec.net 127.0.0.19 www.liveupdate.symantec.net 127.0.0.19 liveupdate.symantec.org 127.0.0.19 www.liveupdate.symantec.org 127.0.0.19 update.symantec.com 127.0.0.19 www.update.symantec.com 127.0.0.19 update.symantec.net 127.0.0.19 www.update.symantec.net 127.0.0.19 update.symantec.org 127.0.0.19 www.update.symantec.org 127.0.0.19 securityresponse.symantec.com 127.0.0.19 www.securityresponse.symantec.com 127.0.0.19 securityresponse.symantec.net 127.0.0.19 www.securityresponse.symantec.net 127.0.0.19 securityresponse.symantec.org 127.0.0.19 www.securityresponse.symantec.org 127.0.0.19 sarc.com 127.0.0.19 www.sarc.com 127.0.0.19 sarc.net 127.0.0.19 www.sarc.net 127.0.0.19 sarc.org 127.0.0.19 www.sarc.org 127.0.0.19 vaksin.com 127.0.0.19 www.vaksin.com 127.0.0.19 vaksin.net 127.0.0.19 www.vaksin.net 127.0.0.19 vaksin.org 127.0.0.19 www.vaksin.org 127.0.0.19 forum.vaksin.com 127.0.0.19 www.forum.vaksin.com 127.0.0.19 forum.vaksin.net 127.0.0.19 www.forum.vaksin.net 127.0.0.19 forum.vaksin.org 127.0.0.19 www.forum.vaksin.org 127.0.0.19 norman.com 127.0.0.19 www.norman.com 127.0.0.19 norman.net 127.0.0.19 www.norman.net 127.0.0.19 norman.org 127.0.0.19 www.norman.org 127.0.0.19 trendmicro.com 127.0.0.19 www.trendmicro.com 127.0.0.19 trendmicro.net 127.0.0.19 www.trendmicro.net 127.0.0.19 trendmicro.org 127.0.0.19 www.trendmicro.org 127.0.0.19 trendmicro-europe.com 127.0.0.19 www.trendmicro-europe.com 127.0.0.19 trendmicro-europe.net 127.0.0.19 www.trendmicro-europe.net 127.0.0.19 trendmicro-europe.org 127.0.0.19 www.trendmicro-europe.org 127.0.0.19 ae.trendmicro-europe.com 127.0.0.19 www.ae.trendmicro-europe.com 127.0.0.19 ae.trendmicro-europe.net 127.0.0.19 www.ae.trendmicro-europe.net 127.0.0.19 ae.trendmicro-europe.org 127.0.0.19 www.ae.trendmicro-europe.org 127.0.0.19 it.trendmicro-europe.com 127.0.0.19 www.it.trendmicro-europe.com 127.0.0.19 it.trendmicro-europe.net 127.0.0.19 www.it.trendmicro-europe.net 127.0.0.19 it.trendmicro-europe.org 127.0.0.19 www.it.trendmicro-europe.org 127.0.0.19 secunia.com 127.0.0.19 www.secunia.com 127.0.0.19 secunia.net 127.0.0.19 www.secunia.net 127.0.0.19 secunia.org 127.0.0.19 www.secunia.org 127.0.0.19 winantivirus.com 127.0.0.19 www.winantivirus.com 127.0.0.19 winantivirus.net 127.0.0.19 www.winantivirus.net 127.0.0.19 winantivirus.org 127.0.0.19 www.winantivirus.org 127.0.0.19 pandasoftware.com 127.0.0.19 www.pandasoftware.com 127.0.0.19 pandasoftware.net 127.0.0.19 www.pandasoftware.net 127.0.0.19 pandasoftware.org 127.0.0.19 www.pandasoftware.org 127.0.0.19 esafe.com 127.0.0.19 www.esafe.com 127.0.0.19 esafe.net 127.0.0.19 www.esafe.net 127.0.0.19 esafe.org 127.0.0.19 www.esafe.org 127.0.0.19 f-secure.com 127.0.0.19 www.f-secure.com 127.0.0.19 f-secure.net 127.0.0.19 www.f-secure.net 127.0.0.19 f-secure.org 127.0.0.19 www.f-secure.org 127.0.0.19 europe.f-secure.com 127.0.0.19 www.europe.f-secure.com 127.0.0.19 europe.f-secure.net 127.0.0.19 www.europe.f-secure.net 127.0.0.19 europe.f-secure.org 127.0.0.19 www.europe.f-secure.org 127.0.0.19 bhs.com 127.0.0.19 www.bhs.com 127.0.0.19 bhs.net 127.0.0.19 www.bhs.net 127.0.0.19 bhs.org 127.0.0.19 www.bhs.org 127.0.0.19 datafellows.com 127.0.0.19 www.datafellows.com 127.0.0.19 datafellows.net 127.0.0.19 www.datafellows.net 127.0.0.19 datafellows.org 127.0.0.19 www.datafellows.org 127.0.0.19 cheyenne.com 127.0.0.19 www.cheyenne.com 127.0.0.19 cheyenne.net 127.0.0.19 www.cheyenne.net 127.0.0.19 cheyenne.org 127.0.0.19 www.cheyenne.org 127.0.0.19 ontrack.com 127.0.0.19 www.ontrack.com 127.0.0.19 ontrack.net 127.0.0.19 www.ontrack.net 127.0.0.19 ontrack.org 127.0.0.19 www.ontrack.org 127.0.0.19 sands.com 127.0.0.19 www.sands.com 127.0.0.19 sands.net 127.0.0.19 www.sands.net 127.0.0.19 sands.org 127.0.0.19 www.sands.org 127.0.0.19 sophos.com 127.0.0.19 www.sophos.com 127.0.0.19 sophos.net 127.0.0.19 www.sophos.net 127.0.0.19 sophos.org 127.0.0.19 www.sophos.org 127.0.0.19 icubed.com 127.0.0.19 www.icubed.com 127.0.0.19 icubed.net 127.0.0.19 www.icubed.net 127.0.0.19 icubed.org 127.0.0.19 www.icubed.org 127.0.0.19 perantivirus.com 127.0.0.19 www.perantivirus.com 127.0.0.19 perantivirus.net 127.0.0.19 www.perantivirus.net 127.0.0.19 perantivirus.org 127.0.0.19 www.perantivirus.org 127.0.0.19 castlecops.com 127.0.0.19 www.castlecops.com 127.0.0.19 castlecops.net 127.0.0.19 www.castlecops.net 127.0.0.19 castlecops.org 127.0.0.19 www.castlecops.org 127.0.0.19 virustotal.com 127.0.0.19 www.virustotal.com 127.0.0.19 virustotal.net 127.0.0.19 www.virustotal.net 127.0.0.19 virustotal.org 127.0.0.19 www.virustotal.org 127.0.0.19 free-av.com 127.0.0.19 www.free-av.com 127.0.0.19 free-av.net 127.0.0.19 www.free-av.net 127.0.0.19 free-av.org 127.0.0.19 www.free-av.org 127.0.0.19 antivirus.com 127.0.0.19 www.antivirus.com 127.0.0.19 antivirus.net 127.0.0.19 www.antivirus.net 127.0.0.19 antivirus.org 127.0.0.19 www.antivirus.org 127.0.0.19 anti-virus.com 127.0.0.19 www.anti-virus.com 127.0.0.19 anti-virus.net 127.0.0.19 www.anti-virus.net 127.0.0.19 anti-virus.org 127.0.0.19 www.anti-virus.org 127.0.0.19 ca.com 127.0.0.19 www.ca.com 127.0.0.19 ca.net 127.0.0.19 www.ca.net 127.0.0.19 ca.org 127.0.0.19 www.ca.org 127.0.0.19 fajarweb.com 127.0.0.19 www.fajarweb.com 127.0.0.19 fajarweb.net 127.0.0.19 www.fajarweb.net 127.0.0.19 fajarweb.org 127.0.0.19 www.fajarweb.org 127.0.0.19 jasakom.com 127.0.0.19 www.jasakom.com 127.0.0.19 jasakom.net 127.0.0.19 www.jasakom.net 127.0.0.19 jasakom.org 127.0.0.19 www.jasakom.org 127.0.0.19 backup.grisoft.com 127.0.0.19 www.backup.grisoft.com 127.0.0.19 backup.grisoft.net 127.0.0.19 www.backup.grisoft.net 127.0.0.19 backup.grisoft.org 127.0.0.19 www.backup.grisoft.org 127.0.0.19 infokomputer.com 127.0.0.19 www.infokomputer.com 127.0.0.19 infokomputer.net 127.0.0.19 www.infokomputer.net 127.0.0.19 infokomputer.org 127.0.0.19 www.infokomputer.org 127.0.0.19 playboy.com 127.0.0.19 www.playboy.com 127.0.0.19 playboy.net 127.0.0.19 www.playboy.net 127.0.0.19 playboy.org 127.0.0.19 www.playboy.org 127.0.0.19 sex-mission.com 127.0.0.19 www.sex-mission.com 127.0.0.19 sex-mission.net 127.0.0.19 www.sex-mission.net 127.0.0.19 sex-mission.org 127.0.0.19 www.sex-mission.org 127.0.0.19 pornstargals.com 127.0.0.19 www.pornstargals.com 127.0.0.19 pornstargals.net 127.0.0.19 www.pornstargals.net 127.0.0.19 pornstargals.org 127.0.0.19 www.pornstargals.org 127.0.0.19 kaskus.com 127.0.0.19 www.kaskus.com 127.0.0.19 kaskus.net 127.0.0.19 www.kaskus.net 127.0.0.19 kaskus.org 127.0.0.19 www.kaskus.org 127.0.0.19 17tahun.com 127.0.0.19 www.17tahun.com 127.0.0.19 17tahun.net 127.0.0.19 www.17tahun.net 127.0.0.19 17tahun.org 127.0.0.19 www.17tahun.org Name W32/Sdbot-CNH Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Downloads code from the internet * Installs itself in the Registry * Exploits system or software vulnerabilities Aliases * Backdoor.Win32.Aimbot.en Prevalence (1-5) 2 Description W32/Sdbot-CNH is a worm and IRC backdoor for the Windows platform. W32/Sdbot-CNH runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. W32/Sdbot-CNH includes functionality to silently download, install and run new software, including updates of its software. Advanced W32/Sdbot-CNH is a worm and IRC backdoor for the Windows platform. W32/Sdbot-CNH runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. W32/Sdbot-CNH includes functionality to silently download, install and run new software, including updates of its software. W32/Sdbot-CNH spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords. When first run W32/Sdbot-CNH moves itself to \win64tyt.exe. The file win64tyt.exe is registered as a new service named "Win32Export", with a display name of "Windows Updater" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\Win32Export\ W32/Sdbot-CNH will set the following registry entries in an attempt to circumvent Microsoft Windows security measures: HKLM\SOFTWARE\Microsoft\Security Center AntiVirusDisableNotify 1 HKLM\SOFTWARE\Microsoft\Security Center AntiVirusOverride 1 HKLM\SOFTWARE\Microsoft\Security Center FirewallDisableNotify 1 HKLM\SOFTWARE\Microsoft\Security Center FirewallOverride 1 HKLM\SOFTWARE\Microsoft\Security Center UpdatesDisableNotify 1 Name W32/Looked-F Type * Worm How it spreads * Infected files * Peer-to-peer Affected operating systems * Windows Side effects * Downloads code from the internet * Installs itself in the Registry Aliases * Worm.Win32.Viking.i * Win32/Viking.NAB * W32.Looked.P * PE_LOOKED.M Prevalence (1-5) 2 Description W32/Looked-F is a virus and backdoor for the Windows platform. W32/Looked-F runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer. W32/Looked-F attempts to copy itself to network shares and infect EXE files. W32/Looked-F includes functionality to access the internet and communicate with a remote server via HTTP. Advanced W32/Looked-F is a virus and backdoor for the Windows platform. W32/Looked-F runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer. W32/Looked-F attempts to copy itself to network shares and infect EXE files. W32/Looked-F includes functionality to access the internet and communicate with a remote server via HTTP. When first run W32/Looked-F copies itself to \rundl132.exe and creates the file vDll.dll. The following registry entry is created to run rundl132.exe on startup: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows load \rundl132.exe Registry entries are created under: HKLM\SOFTWARE\Soft\DownloadWWW\ Name Troj/DelSpy-E Type * Spyware Trojan Affected operating systems * Windows Side effects * Allows others to access the computer * Steals information * Uses its own emailing engine * Reduces system security * Installs itself in the Registry Prevalence (1-5) 2 Description Troj/DelSpy-E is a Trojan for the Windows platform. Troj/DelSpy-E may inject code into other processes and includes functionality to steal passwords and email the information it steals to a remote user. The Trojan may also include backdoor functionality, allowing a remote user to gain a command prompt on the compromised computer. Advanced Troj/DelSpy-E is a Trojan for the Windows platform. Troj/DelSpy-E may inject code into other processes and includes functionality to steal passwords and email the information it steals to a remote user. The Trojan may also include backdoor functionality, allowing a remote user to gain a command prompt on the compromised computer. When first run Troj/DelSpy-E copies itself to \msjwer.exe and creates the following files: \msjwer.dll - also detected as Troj/DelSpy-E \msjwer.hts The following registry entry is created to run msjwer.exe on startup: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\52ED14AE-AB22-2CCA-CD3A-1AA4221E022C) StubPath \msjwer.exe Troj/DelSpy-E sets the following registry entries, disabling the automatic startup of other software: HKLM\SYSTEM\CurrentControlSet\Services\srservice Start 4 The following registry entry is set: HKCU\Software\Adobe\GGZE GGD msjwer.hts The file \msjwer.hts is a text file which can safely be deleted after the above registry entry is removed. Name W32/Looked-G Type * Virus How it spreads * Network shares * Infected files Affected operating systems * Windows Side effects * Allows others to access the computer * Downloads code from the internet * Installs itself in the Registry * Leaves non-infected files on computer Aliases * Worm.Win32.Viking.r * W32/HLLP.Philis.ao * Win32/Viking.NAP * PE_LOOKED.AP Prevalence (1-5) 2 Description W32/Looked-G is a virus and backdoor for the Windows platform. W32/Looked-G runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer. W32/Looked-G attempts to copy itself to network shares and infect EXE files. W32/Looked-G includes functionality to access the internet and communicate with a remote server via HTTP. Advanced W32/Looked-G is a virus and backdoor for the Windows platform. W32/Looked-G runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer. W32/Looked-G attempts to copy itself to network shares and infect EXE files. W32/Looked-G includes functionality to access the internet and communicate with a remote server via HTTP. When first run W32/Looked-G copies itself to \rundl132.exe and creates the file \%CurrentFolder%\viDll.dll. The following registry entry is created to run rundl132.exe on startup: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows load \rundl132.exe Registry entries are created under: HKLM\SOFTWARE\Soft\DownloadWWW\ The virus may create files named "_desktop.ini" in folders it searches - these are harmless and can be deleted. Name W32/Bobandy-B Type * Worm How it spreads * Email attachments * Network shares * Peer-to-peer Affected operating systems * Windows Side effects * Sends itself to email addresses found on the infected computer * Installs itself in the Registry * Leaves non-infected files on computer Prevalence (1-5) 2 Description W32/Bobandy-B is a mass-mailing worm for the Windows platform. Emails sent by W32/Bobandy-B have the following characteristics: Subject line: Registration Confirmation Cek This hello RE:bla bla bla RE:HeLLO GuYs Message text: hi please see this file For security reasons attached file is password protected. The password is 55132098 hey Indonesian porn Tiara lestari pic's For security reasons attached file is password protected. The password is 55132098 free screen saver romance for you Please Visit Our Web Site For security reasons attached file is password protected. The password is 55132098 please read again what i have written to you For security reasons attached file is password protected. The password is 55132098 thank's for you register, your acount details are attached For security reasons attached file is password protected. The password is 55132098 The attached file will take one of the following names: MYpIC.zip curriculum vittae.zip USE_RAR_To_Extract.ace ZIPPED.zip FILEATTACH.bz2 Doc.gz file.bz2 thisfile.gz 4TITTA'S Picture.jar Advanced W32/Bobandy-B is a mass-mailing worm for the Windows platform. Emails sent by W32/Bobandy-B have the following characteristics: Subject line: Registration Confirmation Cek This hello RE:bla bla bla RE:HeLLO GuYs Message text: hi please see this file For security reasons attached file is password protected. The password is 55132098 hey Indonesian porn Tiara lestari pic's For security reasons attached file is password protected. The password is 55132098 free screen saver romance for you Please Visit Our Web Site For security reasons attached file is password protected. The password is 55132098 please read again what i have written to you For security reasons attached file is password protected. The password is 55132098 thank's for you register, your acount details are attached For security reasons attached file is password protected. The password is 55132098 The attached file will take one of the following names: MYpIC.zip curriculum vittae.zip USE_RAR_To_Extract.ace ZIPPED.zip FILEATTACH.bz2 Doc.gz file.bz2 thisfile.gz 4TITTA'S Picture.jar When first run W32/Bobandy-B copies itself to: \sql.cmd \Templates\oz\Tux.exe \Templates\oz\service.exe \Templates\oz\winlogon.exe \Tita.exe \m\EmangEloh.exe \m\JabLay.com \m\smss.exe \sa-.exe \l.exe \Xgo\Zcie.cmd \SoftwareDistribution\Download\Windows Vista setup \pchealth\UploadLB\Blink 182 \ime\shared\Love Song \Movie Maker\Shared\Gallery \Downloaded Program Files\RaHaslA \Common Files\Microsoft Shared\Data DosenKu and creates the following harmless files: \[TheMoonlight].txt W32/Bobandy-B creates the following registry entries: HKCU\Software\Microsoft\Windows\CurrentVersion\Run T \sa-.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run TT4 \l.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell explorer.exe, \Templates\oz\Tux.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit userinit.exe, \m\JabLay.com Registry entries are created under: HKCU\Software\VB and VBA Program Settings\untukmu\version\ HKLM\SOFTWARE\Microsoft\TUX\Path\ HKLM\SOFTWARE\Microsoft\TUX\biang\ W32/Bobandy-B attempts to copy itself to the root folders of all mapped drives. W32/Bobandy-B harvests email addresses from files on the infected computer. Name Troj/Bancos-ATA Type * Spyware Trojan Affected operating systems * Windows Side effects * Steals credit card details * Steals information Aliases * Trojan-Spy.Win32.Bancos.to * Win32/Spy.Bancos.U Prevalence (1-5) 2 Description Troj/Bancos-ATA is a password-stealing Trojan for the Windows platform. Troj/Bancos-ATA steals login information for certain online banking applications. Advanced Troj/Bancos-ATA is a password-stealing Trojan for the Windows platform. Troj/Bancos-ATA steals login information for certain online banking applications. When first run Troj/Bancos-ATA copies itself to \tasklist32.exe. Name Troj/IRCBot-PF Type * Trojan Affected operating systems * Windows Side effects * Allows others to access the computer * Installs itself in the Registry Prevalence (1-5) 2 Description Troj/IRCBot-PF is a Trojan for the Windows platform. Troj/IRCBot-PF runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. Troj/IRCBot-PF includes functionality to access the internet and communicate with a remote server via HTTP. Advanced Troj/IRCBot-PF is a Trojan for the Windows platform. Troj/IRCBot-PF runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. Troj/IRCBot-PF includes functionality to access the internet and communicate with a remote server via HTTP. When first run Troj/IRCBot-PF copies itself to \lsass.exe. The file lsass.exe is registered as a new system driver service named "sdk", with a display name of "Microsoft sdk core" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\sdk\ Name Troj/Dloadr-ALC Type * Trojan Affected operating systems * Windows Side effects * Downloads code from the internet Prevalence (1-5) 2 Description Troj/Dloadr-ALC is an downloader Trojan for the Windows platform. When installed, the Trojan includes functionality to connect to a remote address and download a file to \au.exe. It then proceeds to execute the downloaded file. The downloaded file was unavailable at the time of writing. Name W32/Sdbot-DTM Type * Spyware Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Steals information * Reduces system security * Records keystrokes * Installs itself in the Registry * Exploits system or software vulnerabilities * Used in DOS attacks * Scans network for vulnerabilities * Scans network for open ports Aliases * Backdoor.Win32.SdBot.ato * W32/Sdbot.UFA Prevalence (1-5) 2 Description W32/Sdbot-DTM is a worm and IRC backdoor Trojan for the Windows platform. W32/Sdbot-DTM spreads to other network computers via network shares and by exploiting common buffer overflow vulnerabilities, including ASN.1 (MS04-007). W32/Sdbot-DTM runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. W32/Sdbot-DTM includes functionality to access the internet and communicate with a remote server via HTTP, to log keypresses, and to alter firewall security settings. Advanced W32/Sdbot-DTM is a worm and IRC backdoor Trojan for the Windows platform. W32/Sdbot-DTM spreads to other network computers via network shares and by exploiting common buffer overflow vulnerabilities, including ASN.1 (MS04-007). W32/Sdbot-DTM runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. W32/Sdbot-DTM includes functionality to access the internet and communicate with a remote server via HTTP, to log keypresses, and to alter firewall security settings. When first run W32/Sdbot-DTM copies itself to \lsass.exe. The file lsass.exe is registered as a new system driver service named "sdk", with a display name of "Microsoft sdk core" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\sdk\ Name W32/Brontok-BH Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Installs itself in the Registry Aliases * Trojan.Win32.VB.aqn Prevalence (1-5) 2 Description W32/Brontok-BH is a worm for the Windows platform. W32/Brontok-BH may disable file extensions, and create copies of itself with filenames matching any of the following extensions: MP3 MP4 MPG MPEG AVI DAT WMV 4JPG GIF JPEG PNG ASX WMA MDB XLS Advanced W32/Brontok-BH is a worm for the Windows platform. W32/Brontok-BH may disable file extensions, and create copies of itself with filenames matching any of the following extensions: MP3 MP4 MPG MPEG AVI DAT WMV 4JPG GIF JPEG PNG ASX WMA MDB XLS When first run W32/Brontok-BH copies itself to: \4k51k4.exe \Empty.pif \Local Settings\Application Data\windows\csrss.exe \Local Settings\Application Data\windows\lsass.exe \Local Settings\Application Data\windows\services.exe \Local Settings\Application Data\windows\smss.exe \Local Settings\Application Data\windows\winlogon.exe \4k51k4.exe \IExplorer.exe \MrHelloween.scr \shell.exe and creates the file \Puisi.txt. The following registry entries are created to run W32/Brontok-BH on startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 4k51k4 \4k51k4.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run Service \Local Settings\Application Data\WINDOWS\SERVICES.EXE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Logon \Local Settings\Application Data\WINDOWS\CSRSS.EXE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System Monitoring \Local Settings\Application Data\WINDOWS\LSASS.EXE HKCU\Software\Microsoft\Windows\CurrentVersion\Run MSMSGS \Local Settings\Application Data\WINDOWS\WINLOGON.EXE The following registry entries are changed to run W32/Brontok-BH on startup: HKCU\Control Panel\Desktop SCRNSAVE.EXE \MRHELL~1.SCR HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Explorer.exe "\IExplorer.exe" (the default value for this registry entry is "Explorer.exe" which causes the Microsoft file \Explorer.exe to be run on startup). HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit \userinit.exe,\IExplorer.exe (the default value for this registry entry is "\System32\userinit.exe,"). The following registry entries are set or modified, so that shell.exe is run when files with extensions of BAT, COM, EXE and PIF are opened/launched: HKCR\lnkfile\shell\open\command (default) \shell.exe" "%1" %* HKCR\batfile\shell\open\command (default) \shell.exe" "%1" %* HKCR\comfile\shell\open\command (default) \shell.exe" "%1" %* HKCR\exefile\shell\open\command (default) \shell.exe" "%1" %* HKCR\piffile\shell\open\command (default) \shell.exe" "%1" %* The following registry entries are set, disabling the registry editor (regedit), the Windows task manager (taskmgr), the command prompt and system restore: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableCMD 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools 1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system DisableTaskMgr 1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system DisableRegistryTools 1 HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore DisableConfig 1 HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore DisableSR 1 Registry entries are set as follows: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoFolderOptions 1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoFolderOptions 1 HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer LimitSystemRestoreCheckpointing 1 HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer DisableMSI 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden 0 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden 0 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug Debugger \Shell.exe HKCR\exefile (default) File Folder Name W32/Virut-A Type * Virus How it spreads * Infected files Affected operating systems * Windows Side effects * Allows others to access the computer Aliases * W32/Virut.a * Virus [PE_VIRUT.A] Prevalence (1-5) 2 Description W32/Virut-A is a virus and IRC backdoor for the Windows platform. W32/Virut-A will also attempt to connect to an IRC channel and thus serves as a backdoor with which a remote attacker may compromise the system. Advanced W32/Virut-A is a virus and IRC backdoor for the Windows platform. When a file infected with W32/Virut-A is run, the virus will become resident in memory, and will attempt to infect any executable that is accessed by any process running on the system. W32/Virut-A will thus spread very quickly throughout the filesystem. W32/Virut-A will also attempt to connect to an IRC channel and thus serves as a backdoor with which a remote attacker may compromise the system. --- MultiMail/Win32 v0.43 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140) SEEN-BY: 633/267 270 @PATH: 123/140 500 106/2000 633/267
SOURCE: echomail via fidonet.ozzmosis.com

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.