[cut-n-paste from sophos.com]
Name W32/Spybot-NO
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Scans network for vulnerabilities
Prevalence (1-5) 2
Description
W32/Spybot-NO is a worm with IRC backdoor functionality for the
Windows platform.
Advanced
W32/Spybot-NO is a worm with IRC backdoor functionality for the
Windows platform.
W32/Spybot-NO spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including RealVNC (CVE-2006-2369).
W32/Spybot-NO runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Spybot-NO copies itself to
\dllcache\upnt.exe.
The file upnt.exe is registered as a new system driver service named
"Universal Printer NT Service", with a display name of "Universal
Printer NT Service" and a startup type of automatic, so that it is
started automatically during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\Universal Printer NT Service
W32/Spybot-NO sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Name W32/Delfer-C
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Generic Downloader.d
* Worm.Win32.Delf.br
Prevalence (1-5) 2
Description
W32/Delfer-C is a worm for the Windows platform.
W32/Delfer-C includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Delfer-C is a worm for the Windows platform.
W32/Delfer-C includes functionality to access the internet and
communicate with a remote server via HTTP.
Upon execution W32/Delfer-C attempts to copy itself to the available
C shares with the filename setup.exe. W32/Delfer-C also creates the
file Autoexec.bat; this file may be safely deleted.
Name Troj/Renos-T
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Agent.bkd
* Win32/Hoax.Renos.NAT
Prevalence (1-5) 2
Description
Troj/Renos-T is a downloader Trojan for the Windows platform.
Advanced
Troj/Renos-T is a downloader Trojan for the Windows platform.
Once installed, Troj/Renos-T will display fake system error and fake
virus messages.
Name Troj/QQPass-JDD
Type
* Spyware Trojan
How it spreads
* Web browsing
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Monitors browser activity
* Installs adware
Aliases
* Win32.Troj.QQPass.dg
Prevalence (1-5) 2
Description
Troj/QQPass-JDD is a password stealing Trojan for the Windows platform.
Troj/QQPass-JDD can arrive as a result of web browsing. Visiting
certain web sites may initiate the download process. Certain web
pages may exploit vulnerabilities associated with Microsoft Internet
Explorer to silently download and install/run the Trojan without user
interaction.
Advanced
Troj/QQPass-JDD is a password stealing Trojan for the Windows platform.
Troj/QQPass-JDD can arrive as a result of web browsing. Visiting
certain web sites may initiate the download process. Certain web
pages may exploit vulnerabilities associated with Microsoft Internet
Explorer to silently download and install/run the Trojan without user
interaction.
When Troj/QQPass-JDD is installed the following files are typically
created:
\Microsoft Shared\MSInfo\SysInfo1.dll
\System\icwres.ocx
\System\isignup.dll
\System\isignup.sys
\winform.exe
\winform.dll
Note: some of the above files will have the hidden and system
attributes set.
The files icwres.ocx and isignup.sys are detected separately as
Troj/QQSpy-Gen. The file SysInfo1.dll is detected separately as
Mal/QQPass-B.
The following registry entry is created to run winform.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winform
\winform.exe
The file SysInfo1.dll is registered as a COM object and ShellExecute
hook, creating registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKCR\CLSID\{7F4D1081-25FD-44F5-99C6-FF271CFB7EC2}
Registry entries are created under:
HKCU\Software\Microsoft\qqjdd
Name W32/Chinegan-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Scans network for vulnerabilities
* Scans network for weak passwords
Aliases
* Backdoor.Win32.Agent.aly
* Win32/AGbot
Prevalence (1-5) 2
Description
W32/Chinegan-A is a worm for the Windows platform.
Advanced
W32/Chinegan-A is a worm for the Windows platform.
W32/Chinegan-A spreads to other network computers by exploiting
Symantec (SYM06-010) and by copying itself to network shares
protected by weak passwords.
W32/Chinegan-A includes the following functionality:
- Download and execute code from a remote server via HTTP
- File transfers using FTP
- Exploits VNC servers with weak or no passwords
- Automatically adds itself to Windows Firewall Policy
When first run W32/Chinegan-A copies itself to:
\Common Files\inst32\inst32.exe
and creates the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\inst32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INST32
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
\Common Files\inst32\inst32.exe
\Common Files\inst32\inst32.exe:*:Enabled:inst32
Name W32/Looked-CZ
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Looked-CZ is a virus and network worm for the Windows platform.
Advanced
W32/Looked-CZ is a virus and network worm for the Windows platform.
W32/Looked-CZ infects files found on the local computer.
W32/Looked-CZ also copies itself to remote network shares and may
infect files found on those shares.
W32/Looked-CZ includes functionality to access the internet and
communicate with a remote server via HTTP. W32/Looked-CZ may attempt
to download and execute additional files from a remote location.
When first run W32/Looked-CZ drops the file \RichDll.dll
which is also detected as W32/Looked-CZ.
W32/Looked-CZ may also create many files with the name "_desktop.ini"
in various folders on the infected computer. These files are harmless
text files and can be deleted.
Name W32/Vanebot-AK
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Scans network for vulnerabilities
* Scans network for weak passwords
Prevalence (1-5) 2
Description
W32/Vanebot-AK is a worm with IRC backdoor functionality for the
Windows platform.
Advanced
W32/Vanebot-AK is a worm with IRC backdoor functionality for the
Windows platform.
W32/Vanebot-AK spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1
(MS04-007), RealVNC (CVE-2006-2369) and Symantec (SYM06-010).
W32/Vanebot-AK runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Vanebot-AK includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Vanebot-AK copies itself to \system.exe.
The file system.exe is registered as a new system driver service
named "SYSTEMSVC", with a display name of "Windows System Service" and
a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\SYSTEMSVC
W32/Vanebot-AK sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center
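As an added defender's check that is not part of the Sophos text, the Python below parses a Windows .reg export and flags the host-weakening registry values that W32/Spybot-NO and W32/Vanebot-AK are described above as setting (SharedAccess and wuauserv Start=4, EnableDCOM=N, EnableFirewall=0, DoNotAllowXPSP2=1). The sample export, the function names and the WEAKENING_VALUES table are my own constructions, drawn only from the entries listed on this page.

```python
import re

# Registry values that W32/Spybot-NO and W32/Vanebot-AK set to weaken the
# host, as (key, value name, expected data, meaning). Registry paths and
# value names are case-insensitive, so comparisons are done lower-cased.
WEAKENING_VALUES = [
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start", "4",
     "SharedAccess autostart disabled: Internet Connection Firewall is off"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv", "Start", "4",
     "Automatic Updates (wuauserv) autostart disabled"),
    (r"HKLM\SOFTWARE\Microsoft\Ole", "EnableDCOM", "N",
     "DCOM disabled (set by the worms to block further RPC-DCOM exploitation)"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile",
     "EnableFirewall", "0", "Windows Firewall disabled by policy (domain profile)"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile",
     "EnableFirewall", "0", "Windows Firewall disabled by policy (standard profile)"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate",
     "DoNotAllowXPSP2", "1", "XP SP2 installation blocked via Windows Update policy"),
]

# .reg exports spell hives out in full; the advisories use the short forms.
HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
               "HKEY_CLASSES_ROOT": "HKCR"}


def parse_reg(text):
    """Parse a Windows .reg export into {(key, value_name): data}.
    REG_SZ ("...") and REG_DWORD (dword:hex) are decoded; other value
    types are kept as their raw text. Keys and names are lower-cased."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVE_ABBREV.get(hive.upper(), hive) + "\\" + rest
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if key is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            data = str(int(data[6:], 16))          # dword:00000004 -> "4"
        elif data.startswith('"') and data.endswith('"'):
            data = data[1:-1]                      # "N" -> N
        values[(key.lower(), name.lower())] = data
    return values


def find_weakening(reg_text):
    """Return the meaning of every documented weakening value present."""
    values = parse_reg(reg_text)
    hits = []
    for key, name, expected, why in WEAKENING_VALUES:
        data = values.get((key.lower(), name.lower()))
        if data is not None and data.upper() == expected.upper():
            hits.append(why)
    return hits


# Constructed sample export: a host showing the W32/Spybot-NO and
# W32/Vanebot-AK changes, plus a healthy wuauserv value that must not match.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for finding in find_weakening(SAMPLE_REG):
        print("WEAKENED:", finding)
```

On a live host the same check can be fed the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess out.reg` (one export per key of interest) rather than the constructed sample.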
Name Troj/Dloadr-AWT
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* BackDoor-DJD.dldr
Prevalence (1-5) 2
Description
Troj/Dloadr-AWT is a downloading Trojan for the Windows platform.
Advanced
Troj/Dloadr-AWT is a downloading Trojan for the Windows platform.
Troj/Dloadr-AWT will attempt to download the file sysdrv.exe to the
shell folder defined by the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Common Templates
Troj/Dloadr-AWT will then execute the downloaded file.
Name W32/Rbot-GLK
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Downloads updates
* Enables remote access
* Scans network for vulnerabilities
* Scans network for weak passwords
Aliases
* Backdoor.Win32.IRCBot.wt
Prevalence (1-5) 2
Description
W32/Rbot-GLK is a network worm with IRC backdoor functionality for
the Windows platform.
Advanced
W32/Rbot-GLK is a network worm with IRC backdoor functionality for
the Windows platform.
W32/Rbot-GLK spreads by exploiting common network vulnerabilities.
W32/Rbot-GLK allows a remote attacker to gain access and control over
the infected computer using IRC channels.
When first run W32/Rbot-GLK copies itself to \algose32.exe
and creates the following registry entries to run algose32.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Offices Monitorse
\algose32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Offices Monitorse
\algose32.exe
W32/Rbot-GLK sets the following registry entries in order to secure
the infected computer against further exploits:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous
1
Name Troj/PWS-AME
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/PWS-AME is a password stealing Trojan for the Windows platform.
Advanced
Troj/PWS-AME is a password stealing Trojan for the Windows platform.
When first run Troj/PWS-AME copies itself to \mppds.exe and
creates the file \mppds.dll.
The file mppds.dll is detected as Troj/PWS-AKZ.
The following registry entry is created to run mppds.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
mppds
\mppds.exe
Name W32/Delbot-AF
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* W32/Nirbot.worm
Prevalence (1-5) 2
Description
W32/Delbot-AF is a worm for the Windows platform with IRC backdoor
functionality.
W32/Delbot-AF runs continuously in the background, providing a
backdoor service through which a remote user can access the computer.
Advanced
W32/Delbot-AF is a worm for the Windows platform with IRC backdoor
functionality.
W32/Delbot-AF runs continuously in the background, providing a
backdoor service through which a remote user can access the computer.
W32/Delbot-AF spreads
- to computers vulnerable to common exploits, including: RPC-DCOM
(MS04-012) and Symantec (SYM06-010)
- to MSSQL servers protected by weak passwords
- to network shares
W32/Delbot-AF includes functionality to download, install and run new
software.
When first run W32/Delbot-AF copies itself to \stdafx.exe and
downloads the file \ertg.exe.
The following registry entry is created to run stdafx.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
StdAFX
\stdafx.exe
Name Troj/Hiphop-G
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Agent.pn
* TSPY_AGENT.JPI
Prevalence (1-5) 2
Description
Troj/Hiphop-G is a data stealing Trojan for the Windows platform.
Advanced
Troj/Hiphop-G is a data stealing Trojan for the Windows platform.
Troj/Hiphop-G includes functionality to silently download, install
and run new software.
When Troj/Hiphop-G is installed the following files are created:
\mywinsys.ini
\AlxRes070307.exe
\scrsys070307.scr
\scrsys16_070307.scr
\winsys16_070307.dll
\winsys32_070307.dll
The following registry entry is created to run code exported by
winsys16_070307.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,rundll32.exe \winsys16_070307.dll start
Name W32/Lovgate-AL
Type
* Worm
How it spreads
* Network shares
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Lovgate-AL is a worm with backdoor functionality that spreads via
email, network shares with weak passwords and filesharing networks.
Advanced
W32/Lovgate-AL is a worm with backdoor functionality that spreads via
email, network shares with weak passwords and filesharing networks.
W32/Lovgate-AL may arrive in an email with various characteristics.
When executed W32/Lovgate-AL creates a background process with the
name LSASS.EXE, copies itself to the Windows system folder, sets
registry entries, extracts a backdoor component as a DLL file,
harvests email addresses from *.ht files and sends itself out as an
email.
W32/Lovgate-AL copies itself to available share folders and
subfolders for filesharing networks with a filename chosen from:
Are you looking for Love.doc.exe
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Name Troj/Dazed-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Aliases
* Possible_Infostl
Prevalence (1-5) 2
Description
Troj/Dazed-A is a Trojan component for the Windows platform.
Advanced
Troj/Dazed-A is a Trojan component for the Windows platform.
Troj/Dazed-A includes functionality to:
- take screenshots
- log network traffic
Name W32/Rbot-GLQ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Rbot-GLQ is a worm for the Windows platform with IRC backdoor
functionality.
W32/Rbot-GLQ runs continuously in the background providing a backdoor
service through which a remote user can access the computer.
Advanced
W32/Rbot-GLQ is a worm for the Windows platform with IRC backdoor
functionality.
W32/Rbot-GLQ runs continuously in the background providing a backdoor
service through which a remote user can access the computer.
W32/Rbot-GLQ spreads
- to computers vulnerable to common exploits, including: IMAIL
Server, ASN.1 (MS04-007) and Symantec (SYM06-010)
- to network shares protected by weak passwords
When first run W32/Rbot-GLQ copies itself to \wuauclt12.exe
and creates the following registry entries in order to run on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Xordate
wuauclt12.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Xordate
wuauclt12.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Xordate
wuauclt12.exe
Name Troj/Wheezer-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan.Win32.Small.mg
Prevalence (1-5) 2
Description
Troj/Wheezer-A is a Trojan for the Windows platform.
Troj/Wheezer-A includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Wheezer-A runs continuously in the background, monitoring
browser activity and collecting password information.
Advanced
Troj/Wheezer-A is a Trojan for the Windows platform.
Troj/Wheezer-A includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Wheezer-A runs continuously in the background, monitoring
browser activity and collecting password information.
Troj/Wheezer-A steals credentials for:
- POP3
- HTTPMail
- Protected Storage
- MSN Explorer signup
- IE Auto Complete fields
- Auto Complete passwords
- Password protected sites in Internet Explorer
- Outlook Express (including deleted accounts)
- Accounts stored in the Internet Account Manager
When first run Troj/Wheezer-A copies itself to \.exe.
Troj/Wheezer-A creates registry entries under this path to start as a
service:
HKLM\SYSTEM\CurrentControlSet\Services\SVC
Name Troj/Bckdr-QHH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Bckdr-QHH is a Trojan for the Windows platform.
Advanced
Troj/Bckdr-QHH is a Trojan for the Windows platform.
When first run Troj/Bckdr-QHH copies itself to:
\webpnt.exe
\webprint.exe
The file webprint.exe is registered as a new system driver service
named "WebPrint", with a display name of "WebPrint" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\WebPrint
Name Troj/Lydra-AB
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Steals information
* Uses its own emailing engine
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Lydra-AB is a Trojan for the Windows platform.
The Trojan has the functionalities to:
- steal information
- communicate with a remote server via email
Advanced
Troj/Lydra-AB is a Trojan for the Windows platform.
The Trojan has the functionalities to:
- steal information
- communicate with a remote server via email
When Troj/Lydra-AB is installed the following files are created:
\AdobeGammaLoader.scr
\calc.exe
\lsassv.exe
\msrpc.exe
\mui\rctfd.sys
\regedit2.exe
\winsys.exe
The Trojan renames the file \regedit.exe to
\regedit2.exe and copies itself to \regedit.exe.
The following registry entries are created to run lsassv.exe,
msrpc.exe and winsys.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
winsys
\winsys.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
msrpc
\msrpc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
lsassv
\lsassv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winsys
\winsys.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
winsys
\winsys.exe
The file winsys.exe is registered as a new system driver service
named "winsys", with a display name of "TCPIP route manager" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\winsys
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
\:*:Enabled:System Update
The following registry entry is also set:
HKCR\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\
Name W32/Virut-J
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Aliases
* Virus.Win32.Cheburgen.9272
Prevalence (1-5) 2
Description
W32/Virut-J is a virus for the Windows platform.
Name W32/Dref-AF
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
Prevalence (1-5) 2
Description
W32/Dref-AF is an email worm for the Windows platform.
Advanced
W32/Dref-AF is an email worm for the Windows platform.
W32/Dref-AF harvests email addresses from the infected computer and
attempts to send itself to them, though due to a bug in the code will
usually send a file detected as W32/Dref-Dam.
W32/Dref-AF tries to send itself in an email from {at}yahoo.com with the following characteristics:
Subject line (one of the following):
Iran Just Have Started World War III
USA Just Have Started World War III
Israel Just Have Started World War III
Missle Strike: The USA kills more then 10000 Iranian citizens
Missle Strike: The USA kills more then 1000 Iranian citizens
Missle Strike: The USA kills more then 20000 Iranian citizens
USA Missle Strike: Iran War just have started
USA Declares War on Iran
Attachment filename (one of the following):
Video.exe
News.exe
Movie.exe
Read Me.exe
Click Me.exe
Click Here.exe
Read More.exe
More.exe
W32/Dref-AF attempts to drop a file with an EXE extension and a
random 7-letter filename to the same folder as itself. This file is
already detected as W32/Dref-AB.
W32/Dref-AF deletes the following registry entry to stop the file
referenced from running on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Agent
W32/Dref-AF sets the following registry entry, disabling the
automatic startup of the SharedAccess service:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
W32/Dref-AF terminates certain processes and windows related to
security and anti-virus applications, including windows named
"Registry Editor".
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)