echo: virus_info
to: ALL
from: KURT WISMER
date: 2006-02-11 15:01:00
subject: News, February 11 2006

[cut-n-paste from sophos.com]

Name   W32/Datom-B

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Forges the sender's email address
    * Uses its own emailing engine
    * Leaves non-infected files on computer

Aliases  
    * W32.Clunk.A
    * Worm.Win32.Datom.d
    * WORM_DATOM.B

Prevalence (1-5) 2

Description
W32/Datom-B is an information-stealing network worm for the Windows 
platform.

Advanced
W32/Datom-B is an information-stealing network worm for the Windows 
platform.

W32/Datom-B takes screenshots of browser applications and submits the 
resulting images to the author by email.





Name   W32/Zotob-L

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Net-Worm.Win32.Mytob.dy
    * W32/Mytob.gen{at}MM

Prevalence (1-5) 2

Description
W32/Zotob-L is a worm and IRC backdoor Trojan for the Windows platform.

W32/Zotob-L spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: PNP (MS05-039) and ASN.1 
(MS04-007).

W32/Zotob-L sends itself in emails with the following characteristics:

Subject: chosen from a list including

Warning Message: Your services near to be closed.
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons

Message text: one of four paragraphs claiming that the recipient has 
abused their account

Advanced
W32/Zotob-L is a worm and IRC backdoor Trojan for the Windows platform.

W32/Zotob-L spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: PNP (MS05-039) and ASN.1 
(MS04-007).

W32/Zotob-L sends itself in emails with the following characteristics:

Subject: one of

Warning Message: Your services near to be closed.
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation

Message text: one of

Dear user ,
You have successfully updated the password of your  account.
If you did not authorize this change or if you need assistance with 
your account, please contact  customer service at: 
Thank you for using !
The  Support Team
+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear user ,
It has come to our attention that your  User Profile ( x ) 
records are out of date. For further details see the attached document.
Thank you for using !
The  Support Team
+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up
process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your  account.
Sincerely,The  Support Team
+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,
Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.
If you choose to ignore our request, you leave us no choice but to 
cancel your membership.
Virtually yours,
The  Support Team
+++ Attachment: No Virus found
+++  Antivirus - www.

W32/Zotob-L runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

When first run W32/Zotob-L copies itself to \windows.exe.

The file windows.exe is registered as a new system driver service 
named "Microsoft Windows System", with a display name of "Microsoft 
Windows System" and a startup type of automatic, so that it is 
started automatically during system startup. Registry entries are 
created under:

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft Windows System\





Name   Troj/Crybot-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Crybot-B is a backdoor Trojan which allows a remote intruder to 
gain access and control over the computer through IRC channels.

Troj/Crybot-B includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Crybot-B is a backdoor Trojan which allows a remote intruder to 
gain access and control over the computer through IRC channels.

Troj/Crybot-B includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Crybot-B is registered as a new system driver service named 
"DirectService", with a display name of "DirectX Service" and a 
startup type of automatic, so that it is started automatically during 
system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\DirectService\

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\DirectHimc\

The Trojan uses the system utility netsh.exe to adjust Windows 
firewall settings in order to make connection to remote servers.





Name   W32/Forbot-GR

Type  
    * Spyware Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Steals information
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Agobot.aee

Prevalence (1-5) 2

Description
W32/Forbot-GR is a network worm with backdoor functionality for the 
Windows platform.

Once installed, W32/Forbot-GR connects to a preconfigured IRC server 
and joins a channel from which an attacker can issue further commands.

W32/Forbot-GR also has the ability to spread via email. The email 
sent by W32/Forbot-GR may have the following properties:

Subject line:

'Security measures'
'Members Support'
'*WARNING* Your email account is suspended'
'You are banned!!!'
'Important Notification'
'*DETECTED* Online User Violation'
'Your Account is Suspended For Security Reasons'
'Your Account is Suspended'
'Warning Message: Your services near to be closed.'
'We have suspended your account'
'Email Account Suspension'
'Notice of account limitation'

Message text:

Dear  Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due
to an internal error within our processors.
See the attached details to reactivate your  account.
Sincerely,The  Support Team
Your e-mail account was used to send a huge amount of unsolicited 
spam messages
during the recent week. If you could please take 5-10 minutes out of 
your
online experience and confirm the attached document so you will not 
run into
any future problems with the online service.

Virtually yours,
The  Support Team

Some information about your  account is attached.
The  Support Team

Attached file:
The mail may contain an attached file with one of the following 
filenames followed by the ZIP file extension:

account-details
account-info
account-report
accounts
administrator
document
email-details
important-details
information
readme
register

The file inside the ZIP may have several spaces before a final 
extension of CMD, EXE, PIF or BAT.

Advanced
W32/Forbot-GR is a network worm with backdoor functionality for the 
Windows platform.

When first run, W32/Forbot-GR copies itself to the Windows system 
folder as svchosts.exe and sets the following registry entries in 
order to run each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 Driver
"svchosts.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Driver
"svchosts.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Win32 Driver
"svchosts.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Driver
"svchosts.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Driver
"svchosts.exe"

W32/Forbot-GR also creates its own service named "SHIT", with the 
display name "Win32 Driver".

Once installed, W32/Forbot-GR connects to a preconfigured IRC server 
and joins a channel from which an attacker can issue further 
commands. These commands can cause the infected computer to perform 
any of the following actions:

flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly-chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files

The worm can spread to unpatched computers affected by the operating 
system vulnerabilities LSASS (MS04-011), WKS (MS03-049) 
(CAN-2003-0812) and ASN.1 (MS04-007).

When first run, W32/Forbot-GR creates a randomly named file in the 
Temp folder and an additional randomly named file in the Windows 
system folder. The file created in the Temp folder is detected as 
W32/Bobax-X while the file created in the Windows system folder is 
detected as W32/Bobax-S.






Name   W32/Opanki-AJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.ahj
    * W32.Spybot.Worm
    * W32/Opanki.worm

Prevalence (1-5) 2

Description
W32/Opanki-AJ is a worm and IRC backdoor for the Windows platform.

Advanced
W32/Opanki-AJ is a worm and IRC backdoor for the Windows platform.

W32/Opanki-AJ spreads through AOL Instant Messenger, network shares 
and by exploiting the LSASS (MS04-011), RPC-DCOM (MS04-012), WKS 
(MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) 
software vulnerabilities.

W32/Opanki-AJ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When run W32/Opanki-AJ copies itself to \scvhost.exe.

W32/Opanki-AJ sets the following registry entries:

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4





Name   Troj/Flat-G

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Flat-G is a Trojan for the Windows platform.

Troj/Flat-G includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Flat-G is a Trojan for the Windows platform.

Troj/Flat-G includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Flat-G copies itself to the Windows system folder as 
jusched.exe, and the Trojan also copies itself to Start Menu folder 
as CFTM0N.EXE.

Troj/Flat-G creates entries in the registry at the following 
locations to run itself on system restart:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sun


When Troj/Flat-G is installed it creates the file \Content.IE5\od6fwfox\overheardintheuk[1].htm.

Registry entries are created under:

HKCR\MSWinsock.Winsock\
HKCR\MSWinsock.Winsock.1\





Name   Troj/Zlob-FV

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Aliases  
    * Trojan-Downloader.Win32.Zlob.fe

Prevalence (1-5) 2

Description
Troj/Zlob-FV is a Trojan for the Windows platform.

Advanced
Troj/Zlob-FV is a Trojan for the Windows platform.

Troj/Zlob-FV creates the file \ld.tmp, 
also detected as Troj/Zlob-FV.

The following registry entry is set to autorun Troj/Zlob-FV at system 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
wininet.dll
mscornet.exe





Name   Troj/WowPWS-C

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information

Aliases  
    * Trojan-PSW.Win32.WOW.a

Prevalence (1-5) 2

Description
Troj/WowPWS-C is a password stealing Trojan for the Windows platform.

Troj/WowPWS-C targets the online game World of Warcraft, and attempts 
to steal account details.

Advanced
Troj/WowPWS-C is a password stealing Trojan for the Windows platform.

Troj/WowPWS-C targets the online game World of Warcraft, and attempts 
to steal account details.

When first run Troj/WowPWS-C copies itself to:

\iexplore.pif
\Internet Explorer\iexplore.com
\1.com
\Debug\DebugProgram.exe
\ExERoute.exe
\explorer.com
\finder.com
\smss.exe
\command.pif
\dxdiag.com
\finder.com
\msconfig.com
\regedit.com
\rundll32.com

The file iexplore.com is registered as a COM object, creating 
registry entries under:

HKCR\CLSID\(871C5380-42A0-1069-A2EA-08002B30309D)

Troj/WowPWS-C changes settings for Microsoft Internet Explorer by 
modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe 1

HKCR\.bfc\ShellNew
Command
\rundll32.com syncui.dll,Briefcase_Create %1!d! %2

HKCR\Drive\shell\find\command
(default)
\explorer.com

HKCR\Unknown\shell\openas\command
(default)
\finder.com \shell32.dll,OpenAs_RunDLL %1

HKCR\cplfile\shell\cplopen\command
(default)
rundll32.com shell32.dll,Control_RunDLL %1,%*

HKCR\htmlfile\shell\opennew\command
(default)
\iexplore.pif" %1

HKCR\htmlfile\shell\print\command
(default)
rundll32.com \mshtml.dll,PrintHTML "%1"

HKCR\inffile\shell\Install\command
(default)
\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1

HKCR\scrfile\shell\install\command
(default)
finder.com desk.cpl,InstallScreenSaver %l

HKCR\scriptletfile\Shell\Generate Typelib\command
(default)
\finder.com" \scrobj.dll,GenerateTypeLib "%1





Name   Troj/PWS-EM

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Leaves non-infected files on computer

Aliases  
    * Trojan-PSW.Win32.Agent.ej

Prevalence (1-5) 2

Description
Troj/PWS-EM is a Trojan toolkit that creates password stealing 
Trojans for the Windows platform.

Advanced
Troj/PWS-EM is a Trojan toolkit that creates password stealing 
Trojans for the Windows platform.

The created Trojans are also detected as Troj/PWS-EM.

The created Trojans include functionality to:

- harvest and send stolen passwords to a remote location
- display fake error messages
- access the internet and communicate with a remote server via HTTP

When Troj/PWS-EM is installed it creates the file sendhmtl.htm.

The following registry entry is set, affecting internet security:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\Zones\3
1601
0





Name   W32/Bagle-CJ

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Bagle.fm

Prevalence (1-5) 2

Description
W32/Bagle-CJ is a worm for the Windows platform.

W32/Bagle-CJ spreads via file sharing on P2P networks and via email.

W32/Bagle-CJ includes functionality to access the internet and 
communicate with a remote server via HTTP.

W32/Bagle-CJ will attempt to copy itself to folders whose name 
contains the word 'shar' using the following filenames:

Adobe Photoshop 9 full.exe
Ahead Nero 10.exe
anna benson sex video.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
IE beta 7.exe
jenna elfman sex anal deepthroat.exe
kate beckinsale nude pictures.exe
miss america Porno, sex, oral, anal cool, awesome!!.exe
paris hilton Porno pics arhive, xxx.exe
Porno Screensaver.scr
Serials 2005 database.exe
Serials.txt.exe
Windown Vista Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe

W32/Bagle-CJ will attempt to harvest email addresses from the 
infected computer and then mail itself to those addresses as an 
attachment.

The subject line will be chosen at random, and the message text will 
contain one of the following:

"Billing department, order -

Dear Sir or Madam,

This notification is just a friendly reminder (not a bill or a second 
charge) that on 15-JAN-06, you placed an order from Symantec Store. 
This order was paid using your Visa, whose last 4 digits are 
************2346, and will be appearing on your billing statement 
shortly. The charge will appear as DR *Symantec. This is just a 
reminder to help you recognize the charge. You will not be charged 
again.
You antivirus definition file is attached to this email, please 
install it to be perfectly protected from the latest viruses and 
other internet threats.

"******************************************************************

Details about your reciept attached with this email. You have to use 
Adobe Acrobat Reader to open it.

Transaction Number: 
This is your receipt for your $1490 purchase of a 1.0 months 
subscription which will appear on your statement as --.
Your membership will automatically renew per the terms and conditions.

Should you ever have any problems whatsoever, please don't hesitate 
to contact our live technical support staff - available 24 hours a 
day 7 days a week. We can be reached by phone toll free in the US at 
800-534-8593. Rather use email? Drop us a line at bill{at}gmail.com and 
we'll always get back to you within an hour.

Enjoy the service!
Support

******************************************************************"

"Your email %s has exceeded its bandwidth quota in the period 
beginning on 2006-01-01. Your quota is set to 10485760 bytes (10.0 
MB), and your email has consumed 559189702 bytes (533.285 MB) beyond 
that quota.

Our over-bandwidth charges are

Additional Bandwidth/Month Monthly Cost
100 Mb $200.00
200 MB $360.00
300 MB $480.00
400 MB $624.00
500 Mb $740.00 <- your over-usage
600 Mb $850.00

Our automatically generated bill is attached with this email.

Sincerely,
Sales Manager."

Attachments will have one of the following names:

Generated_bill
Order_details
Service_receipt

Advanced
W32/Bagle-CJ is a worm for the Windows platform.

W32/Bagle-CJ spreads via file sharing on P2P networks and via email.

W32/Bagle-CJ includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Bagle-CJ copies itself to \regmaping.exe and creates 
the file \winresw.exe, which is detected as W32/Bagle-CF.

The following registry entry is created to run regmaping.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Regmonitor
\regmaping.exe






Name   Troj/Drsmartl-L

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.VB.vz

Prevalence (1-5) 2

Description
Troj/Drsmartl-L is a Trojan for the Windows platform.

Troj/Drsmartl-L includes functionality to download, install and run 
new software.





Name   Troj/BackUrl-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/BackUrl-A is a downloading Trojan.





Name   Troj/Swizzor-AW

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * AdWare.Win32.Lop.ag
    * Adware.Lop-130
    * Swizzor.gen

Prevalence (1-5) 2

Description
Troj/Swizzor-AW is a Trojan which downloads and installs advertising 
software.

Advanced
Troj/Swizzor-AW is a Trojan which downloads and installs advertising 
software.

Troj/Swizzor-AW injects its code into a new instance of iexplore.exe 
(hidden Window), connects to the internet and then downloads data 
and/or code via HTTP.

Troj/Swizzor-AW may download DLLs to the system folder and register 
them as ActiveX objects via regsvr32.

New internet shortcuts may be added to the Favorites folder or 
sub-folders of the Favorites folder with names such as:

Website Hosting.lnk
Bingo .lnk
Casino Online.lnk
Printer Cartridges.lnk
Card Games.lnk
Poker .lnk
Investing .lnk
Internet .lnk
Travel .lnk
Explore Internet.lnk
MP3 Downloads.lnk





Name   W32/Rbot-CCY

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.aqb
    * W32.Spybot.Worm

Prevalence (1-5) 2

Description
W32/Rbot-CCY is a network worm for the Windows platform.

W32/Rbot-CCY spreads:

- to computers vulnerable to common exploits, including: LSASS 
(MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), PNP (MS05-039) and 
ASN.1 (MS04-007)
- to MSSQL servers protected by weak passwords
- to network shares

W32/Rbot-CCY runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-CCY modifies the HOSTS file, preventing access to certain 
websites.

Advanced
W32/Rbot-CCY is a network worm for the Windows platform.

W32/Rbot-CCY spreads:

- to computers vulnerable to common exploits, including: LSASS 
(MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), PNP (MS05-039) and 
ASN.1 (MS04-007)
- to MSSQL servers protected by weak passwords
- to network shares

W32/Rbot-CCY runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-CCY copies itself to \msnse.exe.

The following registry entries are created to run msnse.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ATI AS Filter
msnse.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATI AS Filter
msnse.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
ATI AS Filter
msnse.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
ATI AS Filter
msnse.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
ATI AS Filter
msnse.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
ATI AS Filter
msnse.exe

HKCU\Software\Microsoft\OLE
ATI AS Filter
msnse.exe

HKLM\SOFTWARE\Microsoft\Ole
ATI AS Filter
msnse.exe

W32/Rbot-CCY modifies the HOSTS file by appending the following 
lines, preventing access to the websites listed:


 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
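A check for the attachment layout the W32/Forbot-GR entry describes (a document-looking name, a run of spaces, then a final CMD, EXE, PIF or BAT extension on the file inside the ZIP), as an added example that is not part of the original post or of Sophos's own tooling. The archive it scans is constructed in memory, and the name classifier and its two-space padding threshold are my assumptions.

```python
"""Inspect a ZIP mail attachment for the member-name trick described for
W32/Forbot-GR: a document-looking name, a run of spaces, then a final
CMD/EXE/PIF/BAT extension.  Added example, not Sophos code; the archive
scanned below is constructed in memory so the script runs offline."""
import io
import re
import zipfile
from typing import Dict, List

# Final extensions the advisory lists for the file inside the ZIP.
EXECUTABLE_EXTENSIONS = {"cmd", "exe", "pif", "bat"}

# Stem, an optional run of two or more spaces (captured so its length can
# be reported), then the real extension at the very end of the name.
# The two-space threshold is an assumption of this example.
PADDED_NAME = re.compile(r"^(.*?)(\s{2,})?\.([A-Za-z0-9]+)$")


def classify_member_name(name: str) -> Dict:
    """Describe one archive member name without touching its contents."""
    base = name.rsplit("/", 1)[-1]  # drop any folder part inside the archive
    m = PADDED_NAME.match(base)
    if m is None:  # no extension at all
        return {"name": name, "extension": "", "executable": False,
                "padding": 0, "hidden_extension": False}
    stem, padding, ext = m.group(1), m.group(2) or "", m.group(3).lower()
    executable = ext in EXECUTABLE_EXTENSIONS
    # The extension counts as hidden when spaces push it out of view or the
    # stem already carries a decoy extension such as ".txt".
    hidden = executable and (len(padding) > 0 or "." in stem)
    return {"name": name, "extension": ext, "executable": executable,
            "padding": len(padding), "hidden_extension": hidden}


def scan_zip_attachment(data: bytes) -> List[Dict]:
    """Return a finding for every executable member of the archive.
    Only the central directory is read; nothing is extracted or run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_member_name(info.filename)
            if verdict["executable"]:
                verdict["size"] = info.file_size
                findings.append(verdict)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one padded executable name modelled on the
    advisory plus a harmless text file, so the scanner has input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("account-details.txt" + " " * 40 + ".exe", b"not a real program")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip_attachment(build_sample_zip()):
        flag = "HIDDEN" if f["hidden_extension"] else "visible"
        print(f"{flag}: {f['name']!r} ext={f['extension']} padding={f['padding']}")
```

The same classifier can be pointed at the outer attachment name (account-details.zip and the rest) by calling classify_member_name on it directly.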

SOURCE: echomail via fidonet.ozzmosis.com
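An audit for the HOSTS tampering the W32/Rbot-CCY entry describes (anti-virus vendor names pointed at 0.0.0.0), as an added example that is not part of the original post or of Sophos's tooling. The protected-domain list, the sinkhole address set and the sample HOSTS text are assumptions constructed for the demo.

```python
"""Audit a Windows HOSTS file for entries that sinkhole security-vendor
names, the tampering the W32/Rbot-CCY entry describes.  Added example,
not Sophos code; the HOSTS text below is constructed for the demo."""
import re
from typing import Dict, List

# Addresses that make a name unreachable.  0.0.0.0 is what the advisory
# lists; 127.0.0.1 and ::1 are the other usual choices for the same trick.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Registered domains of vendors the advisory says the worm blocks (an
# assumed list).  Matching is by suffix so www., download., liveupdate.
# and similar hosts are all caught.
PROTECTED_DOMAINS = ("symantec.com", "sophos.com", "mcafee.com", "nai.com",
                     "kaspersky.com", "f-secure.com", "trendmicro.com",
                     "pandasoftware.com", "microsoft.com", "virustotal.com")


def parse_hosts(text: str) -> List[Dict]:
    """One record per host name.  HOSTS allows several names per line and
    a '#' comment anywhere on the line."""
    records = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        address, names = parts[0], parts[1:]
        for name in names:
            records.append({"line": number, "address": address,
                            "host": name.lower().rstrip(".")})
    return records


def is_protected(host: str) -> bool:
    """True when host is one of the protected domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text: str) -> Dict[str, List[Dict]]:
    """Bucket every sinkholed entry.  A vendor name pointed at a sinkhole is
    the alarm condition; other sinkholed names are listed for review, and
    exact duplicates are reported because the worm's appended list repeats."""
    result = {"blocked_vendor": [], "other_sinkhole": [], "duplicates": []}
    seen = set()
    for rec in parse_hosts(text):
        key = (rec["address"], rec["host"])
        if key in seen:
            result["duplicates"].append(rec)
            continue
        seen.add(key)
        if rec["address"] not in SINKHOLE_ADDRESSES or rec["host"] == "localhost":
            continue
        bucket = "blocked_vendor" if is_protected(rec["host"]) else "other_sinkhole"
        result[bucket].append(rec)
    return result


# Constructed sample: a comment, the normal localhost line, one legitimate
# internal entry, then lines in the shape the advisory describes, with one
# name repeated the way the worm's list repeats entries.
SAMPLE_HOSTS = """\
# constructed sample hosts file, not taken from a real machine
127.0.0.1       localhost
10.0.0.5        intranet.example.local fileserver   # legitimate entry
0.0.0.0 www.symantec.com
0.0.0.0 liveupdate.symantec.com
0.0.0.0 www.sophos.com
0.0.0.0 www.viruslist.com
0.0.0.0 www.viruslist.com
0.0.0.0 ads.example.net
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for bucket, entries in report.items():
        for e in entries:
            print(f"{bucket:15s} line {e['line']:3d}: {e['address']} {e['host']}")
```

On a live system, read %SystemRoot%\System32\drivers\etc\hosts and pass its text to audit_hosts; any entry in blocked_vendor on a machine that never deliberately blocked those names is worth an investigation.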
