TIP: Click on subject to list as thread!

ANSI

echo:	virus_info
to:	ALL
from:	KURT WISMER
date:	2007-12-10 19:03:00
subject:	News, December 10 2007
[cut-n-paste from sophos.com] Name W32/Sohana-AP Type * Worm How it spreads * Network shares * Chat programs Affected operating systems * Windows Side effects * Allows others to access the computer * Downloads code from the internet * Installs itself in the Registry * Modifies browser settings Aliases * IM-Worm.Win32.Sohanad.dm Prevalence (1-5) 2 Description W32/Sohana-AP is a worm for the Windows platform. Advanced W32/Sohana-AP is a worm for the Windows platform. W32/Sohana-AP spreads via - network shares - Yahoo Messenger W32/Sohana-AP will attempt to spread via Yahoo Messenger by sending the following messages with a link to a malicious website to contacts in they user's friends list: "This is my new Picture. :P " "Beauty Nude pics. ;) " "Britney Spear is in nude. :D " "I think, you are interested in this infomation. ;) " "Nothing is free, me too. :) " "Total is good for you. ;) " "Careful! Virus warning, how to clean it. x-( " "New speacial Paris Hilton video. :D " "Youtube bed room star, show her solo action. ;) " "Bin Laden is still alive. x-( " W32/Sohana-AP includes functionality to access the internet and communicate with a remote server via HTTP and download, install and run new software. When first run W32/Sohana-AP attempts to download a file from a remote location and install it as: \taskmng.exe The following registry entry is created to run SVICHOOST.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Task Manager \taskmng.exe W32/Sohana-AP changes settings for Microsoft Internet Explorer by modifying values under: HKCU\Software\Microsoft\Internet Explorer\Main\ HKCU\Software\Microsoft\Internet Explorer\Main\Start Page The following registry entry is set, disabling system software: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools 1 Registry entries are set as follows: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr 0 HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel Homepage 0 Registry entries are created under: HKCU\Software\Yahoo\Pager\View\YMSGR_Launchcast HKCU\Software\Yahoo\Pager\View\YMSGR_buzz Name Troj/Dropper-SR Type * Trojan Affected operating systems * Windows Side effects * Drops more malware Prevalence (1-5) 2 Description Troj/Dropper-SR is a dropper Trojan for the Windows platform. Name Troj/Bckdr-QKK Type * Trojan Affected operating systems * Windows Side effects * Allows others to access the computer * Downloads code from the internet * Installs itself in the Registry Aliases * Win32/DelfInject.gen!K Prevalence (1-5) 2 Description Troj/Bckdr-QKK is a Trojan for the Windows platform. Advanced Troj/Bckdr-QKK is a Trojan for the Windows platform. Troj/Bckdr-QKK runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. Troj/Bckdr-QKK includes functionality to download, install and run new software. When first run Troj/Bckdr-QKK copies itself to \msn32.exe and creates the file \dl91687.exe. The following registry entries are created to run msn32.exe on startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OfficeWord Monitor \msn32.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeWord Monitor \msn32.exe The following registry entry is set: HKLM\SOFTWARE\Microsoft\Ole EnableDCOM N Name Troj/Wiepaz-A Type * Trojan Affected operating systems * Windows Side effects * Installs itself in the Registry * Installs a browser helper object Prevalence (1-5) 2 Description Troj/Wiepaz-A is a Trojan for the Windows platform. Advanced Troj/Wiepaz-A is a Trojan for the Windows platform. Troj/Wiepaz-A is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under: HKCR\CLSID\ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ The following registry entry is set: HKCR\.IEHelper\Clsid (default) Name W32/Smit-A Type * Worm How it spreads * Removable storage devices * Network shares Affected operating systems * Windows Side effects * Turns off anti-virus applications * Deletes files off the computer * Installs itself in the Registry Aliases * Worm.Win32.VB.hl * Worm/VB.HL * W32/Worm.GVE Prevalence (1-5) 2 Description W32/Smit-A is a worm for the Windows platform. W32/Smit-A spreads by copying itself to the network shares, removable devices and the Personal and Startup folders, using the following filenames: 3882HK.exe Akui Anak Band.exe Cerita Cinta.exe Cerita Naga Chen.exe Cewek Sexy.exe Cinta Segitiga.exe Dongeng Anak.exe Dongeng Cinta.exe File Rahasia.exe Foto2 Artis.exe Foto2 Bugil Indo.exe Foto2 Bugil Kecik.exe Foto2 Hantu.exe Foto2 Tuyul.exe LoadGUI.exe LogSys.exe List Harga HP.exe Masak Ikan Buntal.exe Nama-nama pacar.exe Pic keren.exe Pic2 keren.exe Song of silent.exe Surat cinta.exe System64A.exe Video XXX.exe Advanced W32/Smit-A is a worm for the Windows platform. W32/Smit-A spreads by copying itself to the network shares, removable devices and the Personal and Startup folders, using the following filenames: 3882HK.exe Akui Anak Band.exe Cerita Cinta.exe Cerita Naga Chen.exe Cewek Sexy.exe Cinta Segitiga.exe Dongeng Anak.exe Dongeng Cinta.exe File Rahasia.exe Foto2 Artis.exe Foto2 Bugil Indo.exe Foto2 Bugil Kecik.exe Foto2 Hantu.exe Foto2 Tuyul.exe LoadGUI.exe LogSys.exe List Harga HP.exe Masak Ikan Buntal.exe Nama-nama pacar.exe Pic keren.exe Pic2 keren.exe Song of silent.exe Surat cinta.exe System64A.exe Video XXX.exe When first run W32/Smit-A copies itself to: \LogSys.exe \LoadGUI.exe \System64A.exe The following registry entry is created to run System64A.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System64A \System64A.exe The following registry entry is set or modified, so that LoadGUI.exe is run when files with extensions of EXE are opened/launched: HKCR\exefile\shell\open\command (Default) loadGUI.exe %1 %* W32/Smit-A attempts to kill active processes whose main Windows contains any of the following text strings: anti av System Configuration Utility reg Windows Task Manager cmd vir When W32/Smit-A is run on the 13th day of any month it attempts to delete all files in the Personal folder and all sub-folders of the Personal folder and sets the volume label of the C: drive to "MSuri". Note: the path of the Personal folder can be found under: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal Name Mal/Accesso-A Type * Trojan Affected operating systems * Windows Side effects * Modifies browser settings * Dials a premium rate service Prevalence (1-5) 2 Description Mal/Accesso-A is a Trojan dialer for the Windows platform. Advanced Mal/Accesso-A is a Trojan dialer for the Windows platform. When first run, Mal/Accesso-A copies itself to \.exe and creates a shortcut to this file in \Accesso.lnk. Mal/Accesso-A changes the following registry entry, affecting the Microsoft Internet Explorer start page: HKCU\Software\Microsoft\Internet Explorer\Main Start Page http:// site>.com/ Name W32/Autorun-T Type * Spyware Worm How it spreads * Removable storage devices Affected operating systems * Windows Side effects * Steals information * Installs itself in the Registry Prevalence (1-5) 2 Description W32/Autorun-T is a worm for the Windows platform. Advanced W32/Autorun-T is a worm for the Windows platform. W32/Autorun-T contains functionality to spread via removable storage devices. When first run W32/Autorun-T copies itself to \Network Associates\VirusScan\McaUpdate.exe and creates the file \drivers\inc\sysdeb.ini. When a removable storage device is plugged into the computer, W32/Autorun-T will create the files \autorun.inf and \RECYCLER\RECYCLER\autorun.exe on the device. The following registry entry is created to run McaUpdate.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run McaFee virus detect program. \Network Associates\VirusScan\McaUpdate.exe Name Troj/StartP-W Type * Trojan Affected operating systems * Windows Prevalence (1-5) 2 Description Troj/StartP-W is a Trojan for the Windows platform. Advanced Troj/StartP-W is a Trojan for the Windows platform. When run Troj/StartP-W sets the following registry entries: HKCU\Software\Microsoft\Windows Script\Settings JITDebug 0 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoClose 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoFind 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoLogOff 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoRecentDocsMenu 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoRun 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr 1 HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel HomePage 1 HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel HomePage 1 HKCU\Software\Microsoft\Internet Explorer\Main Start Page HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt 1 Registry entries are changed under: HKCU\Software\Microsoft\Internet Explorer\Main Window Title HKLM\SOFTWARE\Microsoft\Internet Explorer\Main Start Page HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes www Name W32/SillyP2P-A Type * Worm How it spreads * Web browsing * Peer-to-peer Affected operating systems * Windows Side effects * Modifies data on the computer * Downloads code from the internet * Installs itself in the Registry * Leaves non-infected files on computer Prevalence (1-5) 2 Description W32/SillyP2P-A is a worm for the Windows platform. W32/SillyP2P-A spreads passively by placing itself in common P2P agent shared folders, and by altering a local webserver's index page to return a copy of W32/SillyP2P-A Advanced W32/SillyP2P-A is a worm for the Windows platform. W32/SillyP2P-A includes functionality to download, install and run new software. W32/SillyP2P-A attempts to download and install additional malware to: \WindowsUpdate.scr (The file downloaded is currently detected as Mal/DelpBanc-A and Mal/Behav-056.) W32/SillyP2P-A spreads passively by placing itself in common P2P agent shared folders, and by altering a local webserver's index page to return a copy of W32/SillyP2P-A When first run W32/SillyP2P-A copies itself to: \Inetpub\wwwroot\ti19.exe \My Downloads\hn86.exe \My Downloads\hw12.exe \My Downloads\ti19.exe \My Shared Folder\hn86.exe \My Shared Folder\hw12.exe \My Shared Folder\ti19.exe \BearShare\Shared\hn86.exe \BearShare\Shared\hw12.exe \BearShare\Shared\ti19.exe \KaZaA\My Shared Folder\hn86.exe \KaZaA\My Shared Folder\hw12.exe \KaZaA\My Shared Folder\ti19.exe \Kmd\My Shared Folder\hn86.exe \Kmd\My Shared Folder\hw12.exe \Kmd\My Shared Folder\ti19.exe \windows.exe The following file is created by W32/SillyP2P-A in an attempt to configure a local webserver,s index page to return a copy of W32/SillyP2P-A: \Inetpub\wwwroot\index.html The following registry entry is created to run windows.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run windows.exe \windows.exe Name Troj/PPntDrop-A Type * Trojan Affected operating systems * Windows Side effects * Drops more malware * Exploits system or software vulnerabilities Prevalence (1-5) 2 Description Troj/PPntDrop-A is Trojan for the Windows platform. Name W32/AutoRun-Y Type * Worm How it spreads * Network shares Affected operating systems * Windows Aliases * Win32/AutoRun.AQ worm * W32/Autorun.worm.m Prevalence (1-5) 2 Description W32/AutoRun-Y is a worm for the Windows platform. Advanced W32/AutoRun-Y is a worm for the Windows platform. W32/AutoRun-Y spreads to other network computers. Name Troj/Agent-GIL Type * Trojan Affected operating systems * Windows Prevalence (1-5) 2 Description Troj/Agent-GIL is a Trojan for the Windows platform. Name W32/Autorun-X Type * Worm How it spreads * Removable storage devices * Network shares Affected operating systems * Windows Side effects * Reduces system security * Installs itself in the Registry Aliases * Virus.Win32.VB.fe * W32/Downldr2.INA * W32/Autorun.worm.h Prevalence (1-5) 2 Description W32/Autorun-X is a worm for the Windows platform. Advanced W32/Autorun-X is a worm for the Windows platform. When first run W32/Autorun-X copies itself to: \commond.com \3xXx3.exe \3xXx31.exe \autorun.inf (May be safely deleted) The worm will then attempt to copy 3xXx3.exe, 3xXx31.exe, and autorun.inf to removable media or network shares mapped to letters D:\ though K:\ The following registry entries are set, disabling system software: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskmgr 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools 1 Registry entries are set as follows: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoFolderOptions 1 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Explorer.exe \system32\commond.com Name W32/Sdbot-DJE Type * Worm Affected operating systems * Windows Prevalence (1-5) 2 Description W32/Sdbot-DJE is a network worm and IRC backdoor for the Windows platform. --- MultiMail/Win32 v0.43 * Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140) SEEN-BY: 10/1 3 14/300 34/999 90/1 120/228 123/500 134/10 140/1 222/2 226/0 SEEN-BY: 249/303 261/20 38 100 1381 1404 1406 1418 266/1413 280/1027 320/119 SEEN-BY: 633/104 260 262 267 285 690/682 734 712/848 800/432 801/161 189 SEEN-BY: 2222/700 2320/100 105 200 2905/0 @PATH: 123/140 500 261/38 633/260 267
SOURCE: echomail via fidonet.ozzmosis.com

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.