echo: virus_info
to: ALL
from: KURT WISMER
date: 2005-11-06 09:57:00
subject: News, November 6 2005

[cut-n-paste from sophos.com]

Name   Troj/BagleDl-AB

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 3

Description
Troj/BagleDl-AB is a Trojan for the Windows platform.

When first run Troj/BagleDl-AB copies itself to 
\hloader_exe.exe and creates the file 
\hloader_dll.dll. Both these files are detected as 
Troj/BagleDl-AB.

Advanced
Troj/BagleDl-AB is a Trojan for the Windows platform.

When first run Troj/BagleDl-AB copies itself to 
\hloader_exe.exe and creates the file 
\hloader_dll.dll. Both these files are detected as 
Troj/BagleDl-AB.

Troj/BagleDl-AB attempts to inject the dropped file hloader_dll.dll 
into the process explorer.exe.

The following registry entries are created to run hloader_exe.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
\hloader_exe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
\hloader_exe.exe

Troj/BagleDl-AB attempts to download and execute files from a number 
of remote websites.





Name   Troj/BagleDl-Y

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * W32/Bagle.gen

Prevalence (1-5) 3

Description
Troj/BagleDl-Y downloads files from a number of remote websites and 
executes them.

Advanced
Troj/BagleDl-Y is a downloading Trojan for the Windows platform.

When first run Troj/BagleDl-Y copies itself to 
\hloader_exe.exe and creates the file 
\hleader_dll.dll. Both these files are detected as 
Troj/BagleDl-Y.

The following registry entries are created to run hloader_exe.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
\hloader_exe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
\hloader_exe.exe

Troj/BagleDl-Y attempts to download and execute files from a number 
of remote websites.





Name   Troj/BagleDl-AA

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Deletes files off the computer
    * Reduces system security
    * Installs itself in the Registry
    * Dropped by malware

Aliases  
    * Email-Worm.Win32.Bagle.eh
    * W32/Bagle.gen

Prevalence (1-5) 3

Description
Troj/BagleDl-AA is a Trojan for the Windows platform.

Troj/BagleDl-AA attempts to terminate processes and services, delete 
files and registry entries, and block access to URLs related to 
anti-virus and security programs.

Advanced
Troj/BagleDl-AA is a Trojan for the Windows platform.

When first run Troj/BagleDl-AA copies itself to 
\antiav_exe.exe and creates the file \antiav_dll.dll. 
Both these files are detected as Troj/BagleDl-AA.

Troj/BagleDl-AA attempts to inject the dropped file antiav_dll.dll 
into the process explorer.exe.

The following registry entries are created to run antiav_exe.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
auto__antiav__key
\antiav_exe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
auto__antiav__key
\antiav_exe.exe

Troj/BagleDl-AA attempts to terminate several processes and services 
related to anti-virus and security programs, to delete related files, 
to modify C:\boot.ini to delete related files on system startup, to 
block access to related websites, to delete related registry entries, 
and to delete registry entries at the following location to stop 
related files from running on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run

HKCU\Software\Microsoft\Windows\CurrentVersion\
Run





Name   Troj/BagleDl-Z

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * W32/Bagle.gen

Prevalence (1-5) 3

Description
Troj/BagleDl-Z downloads files from a number of remote websites and 
executes them.

Advanced
Troj/BagleDl-Z is a downloading Trojan for the Windows platform.

When first run Troj/BagleDl-Z copies itself to 
\hloader_exe.exe and creates the file 
\hleader_dll.dll. Both these files are detected as 
Troj/BagleDl-Z.

The following registry entries are created to run hloader_exe.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
\hloader_exe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
\hloader_exe.exe

Troj/BagleDl-Z attempts to download and execute files from a number 
of remote websites.





Name   W32/Mytob-FH

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Reduces system security

Prevalence (1-5) 3

Description
W32/Mytob-FH is a mass-mailing worm and IRC backdoor Trojan for the 
Windows platform.

W32/Mytob-FH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Emails sent by the worm have characteristics from the following:

Subject line:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation


Message text - a formatted version of one of the following:
Dear user ,

You have successfully updated the password of your 
 account.

If you did not authorize this change or if you need assistance with 
your account, please contact  customer service
at: 

Thank you for using !
The  Support Team 

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear user ,

It has come to our attention that your  User 
Profile ( x ) records are out of date. For further details see the 
attached document.

Thank you for using !
The  Support Team

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,

We have temporarily suspended your email account .

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your  account.

Sincerely,The  Support Team

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.

If you choose to ignore our request, you leave us no choice but to 
cancel your membership.

Virtually yours,
The  Support Team

+++ Attachment: No Virus found
+++  Antivirus - www.

Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report

First extension (of attachment or of file inside zip):
doc
htm
txt

Second extension (of attachment or of file inside zip):
pif
scr
exe
cmd
bat

If the attachment is a zip file it will have the same base name as 
the double-extension file inside.

Advanced
W32/Mytob-FH is a mass-mailing worm and IRC backdoor Trojan for the 
Windows platform.

W32/Mytob-FH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Emails sent by the worm have characteristics from the following:

Subject line:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation


Message text - a formatted version of one of the following:
Dear user ,

You have successfully updated the password of your 
 account.

If you did not authorize this change or if you need assistance with 
your account, please contact  customer service at: 


Thank you for using !
The  Support Team 

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear user ,

It has come to our attention that your  User 
Profile ( x ) records are out of date. For further details see the 
attached document.

Thank you for using !
The  Support Team

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,

We have temporarily suspended your email account .

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your  account.

Sincerely,The  Support Team

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.

If you choose to ignore our request, you leave us no choice but to 
cancel your membership.

Virtually yours,
The  Support Team

+++ Attachment: No Virus found
+++  Antivirus - www.

Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report

First extension (of attachment or of file inside zip):
doc
htm
txt

Second extension (of attachment or of file inside zip):
pif
scr
exe
cmd
bat

If the attachment is a zip file it will have the same base name as 
the double-extension file inside.

Example attachment names include document.txt.pif and 
information.doc.cmd, usually with a large number of spaces between 
the extensions.

The following registry entries are created:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NAMEDPIPE SYSTEM
\namedpipe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
NAMEDPIPE SYSTEM
\namedpipe.exe

W32/Mytob-FH sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

W32/Mytob-FH modifies the HOSTS file, changing the URL-to-IP mappings 
for selected websites, therefore preventing normal access to these 
sites. The new HOSTS file will typically contain the following:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com





Name   Troj/BagleDl-W

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 3

Description
Troj/BagleDl-W is a Trojan for the Windows platform.

Advanced
Troj/BagleDl-W is a Trojan for the Windows platform.

When first run Troj/BagleDl-W copies itself to 
\hloader_exe.exe and creates the file 
\hloader_dll.dll. Both these files are 
detected as Troj/BagleDl-W.

Troj/BagleDl-W attempts to inject the dropped file hloader_dll.dll 
into the process explorer.exe.

The following registry entries are created to run hloader_exe.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
\hloader_exe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
auto__hloader__key
\hloader_exe.exe

Troj/BagleDl-W attempts to download and execute files from a number 
of remote websites.





Name   W32/Mytob-FF

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet

Prevalence (1-5) 3

Description
W32/Mytob-FF is a mass-mailing worm and IRC backdoor Trojan.

W32/Mytob-FF runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer via
IRC channels, including the ability to download and execute files on the
infected computer.

W32/Mytob-FF can spread by sending itself as an email attachment to 
email addresses it harvests from the infected computer, either as an 
attachment with a double-extension or as a zip file containing a file 
with a double-extension. W32/Mytob-FF avoids sending emails to 
addresses containing certain strings in them.

W32/Mytob-FF processes the emails it has harvested by splitting them 
into name and domain. Once it has sent itself to the emails it has 
harvested, it uses a predefined list of names with the harvested 
domains. W32/Mytob-FF spoofs the sender, sending emails as if from 
one of the following at the same domain as the recipient:

support
administrator
mail
service
admin
info
register
webmaster

For example if sending itself to name{at}example.com, W32/Mytob-FF might 
send the email as if from admin{at}example.com.

Emails sent by the worm have characteristics from the following:

Subject line:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation


Message text - a formatted version of one of the following:
Dear user ,

You have successfully updated the password of your  
account.

If you did not authorize this change or if you need assistance with 
your account, please contact  customer service at: 


Thank you for using !
The  Support Team 

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear user ,

It has come to our attention that your  User 
Profile ( x ) records are out of date. For further details see the 
attached document.

Thank you for using !
The  Support Team

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,

We have temporarily suspended your email account .

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your  account.

Sincerely,The  Support Team

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.

If you choose to ignore our request, you leave us no choice but to 
cancel your membership.

Virtually yours,
The  Support Team

+++ Attachment: No Virus found
+++  Antivirus - www.

Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report


First extension (of attachment or of file inside zip):
doc
htm
txt

Second extension (of attachment or of file inside zip):
pif
scr
exe
cmd
bat

If the attachment is a zip file it will have the same base name as 
the double-extension file inside.

Example attachment names include document.txt.pif and 
information.doc.cmd, usually with a large number of spaces between 
the extensions.

W32/Mytob-FF modifies the Windows hosts file in order to block access 
to certain security-related websites.

Advanced
W32/Mytob-FF is a mass-mailing worm and IRC backdoor Trojan.

W32/Mytob-FF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels, including the ability to 
download and execute files on the infected computer.

When first run W32/Mytob-FF attempts to copy itself to 
\pipe.exe.

The following registry entries are created to run pipe.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PIPE SYSTEM
pipe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
PIPE SYSTEM
pipe.exe

W32/Mytob-FF sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

W32/Mytob-FF can spread by sending itself as an email attachment to 
email addresses it harvests from the infected computer, either as an 
attachment with a double-extension or as a zip file containing a file 
with a double-extension. W32/Mytob-FF avoids sending emails to 
addresses containing certain strings in them.

W32/Mytob-FF processes the emails it has harvested by splitting them 
into name and domain. Once it has sent itself to the emails it has 
harvested, it uses a predefined list of names with the harvested 
domains. W32/Mytob-FF spoofs the sender, sending emails as if from 
one of the following at the same domain as the recipient:

support
administrator
mail
service
admin
info
register
webmaster

For example if sending itself to name{at}example.com, W32/Mytob-FF might 
send the email as if from admin{at}example.com.

Emails sent by the worm have characteristics from the following:

Subject line:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation


Message text - a formatted version of one of the following:
Dear user ,

You have successfully updated the password of your  
account.

If you did not authorize this change or if you need assistance with 
your account, please contact  customer service at: 


Thank you for using !
The  Support Team 

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear user ,

It has come to our attention that your  User 
Profile ( x ) records are out of date. For further details see the 
attached document.

Thank you for using !
The  Support Team

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,

We have temporarily suspended your email account .

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your  account.

Sincerely,The  Support Team

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.

If you choose to ignore our request, you leave us no choice but to 
cancel your membership.

Virtually yours,
The  Support Team

+++ Attachment: No Virus found
+++  Antivirus - www.

Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report


First extension (of attachment or of file inside zip):
doc
htm
txt

Second extension (of attachment or of file inside zip):
pif
scr
exe
cmd
bat

If the attachment is a zip file it will have the same base name as 
the double-extension file inside.

Example attachment names include document.txt.pif and 
information.doc.cmd, usually with a large number of spaces between 
the extensions.

W32/Mytob-FF attempts to terminate a large number of processes 
related to security and anti-virus programs including REGEDIT.EXE, 
MSCONFIG.EXE and NETSTAT.EXE.

W32/Mytob-FF modifies the Windows hosts file in order to block access 
to the following security-related websites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com





Name   Troj/Dagonit-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.Agent.jh

Prevalence (1-5) 2

Description
Troj/Dagonit-A is a multicomponent backdoor Trojan for the Windows 
platform that allows unauthorized remote access through a randomly 
opened TCP port.

The Trojan creates a user account with the name Service that is used 
by the intruder to take over control of the infected computer.

Advanced
Troj/Dagonit-A is a multicomponent backdoor Trojan for the Windows 
platform that allows unauthorized remote access through a randomly 
opened TCP port.

The Trojan creates a user account with the name Service that is used 
by the intruder to take over control of the infected computer.

When Troj/Dagonit-A is installed the following files are created:

\dali.reg
\dalia2.exe
\system.bat
\winspool.exe
\wpap.exe

where wpap.exe is detected as Troj/Wpap-A.

Troj/Dagonit-A may attempt to replace the original winspool.exe with 
the Trojan file.

Troj/Dagonit-A sets a number of registry entries including the 
following:

HKLM\System\CurrentControlSet\Services\RDSessMgr
Start
2
HKLM\System\CurrentControlSet\Services\TermService
Start
2
HKLM\System\CurrentControlSet\Services\TlntSvr
Start
2
HKLM\System\CurrentControlSet\Services\lanmanserver
Start
2

This ensures that the following services are started on restart:

Remote Desktop Help Session Manager
Terminal Services
Telnet
Server

The Trojan also sets the following registry entries in an attempt to 
modify security settings:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
fDenyTSConnections
0
TSAdvertise
1
IdleWinStationPoolCount
1
TSAppCompat
1
TSEnabled
1
TSUserEnabled
1

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core
EnableConcurrentSessions
0

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core
\WinStations\RDP-Tcp
fEnableWinStation
1
MaxInstanceCount
-1

Troj/Dagonit-A may attempt to delete the following files:

\dllcashe\winlogon.exe
\dllcashe\termsrv.dll
\dllcashe\mstscax.dll





Name   W32/Rbot-AUQ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.ahj
    * WORM_SDBOT.CFL

Prevalence (1-5) 2

Description
W32/Rbot-AUQ is a worm and IRC backdoor for the Windows platform.

W32/Rbot-AUQ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-AUQ may spread to network shares protected by weak passwords 
or by exploiting the following system vulnerabilities: LSASS 
(MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), PNP (MS05-039), ASN.1 
(MS04-007).

Advanced
W32/Rbot-AUQ is a worm and IRC backdoor for the Windows platform.

W32/Rbot-AUQ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-AUQ may spread to network shares protected by weak passwords 
or by exploiting the following system vulnerabilities: LSASS 
(MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), PNP (MS05-039), ASN.1 
(MS04-007).

When first run W32/Rbot-AUQ copies itself to 
\winsv.exe.

The following registry entries are created to run winsv.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Spools SV
winsv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Spools SV
winsv.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Spools SV
winsv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Spools SV
winsv.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Windows Spools SV
winsv.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Windows Spools SV
winsv.exe

HKCU\Software\Microsoft\OLE
Windows Spools SV
winsv.exe

HKLM\SOFTWARE\Microsoft\Ole
Windows Spools SV
winsv.exe





Name   W32/Poebot-P

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.aho
    * W32.Linkbot.M
    * WORM_RBOT.CFU

Prevalence (1-5) 2

Description
W32/Poebot-P is a worm for the Windows platform.

Advanced
W32/Poebot-P is a worm for the Windows platform.

When first run W32/Poebot-P copies itself to \iexplore.exe 
and creates the file jotji.bat in the current folder. The file 
jotji.bat is harmless on its own and can be safely removed.

W32/Poebot-P will attempt to connect to a remote URL and may spread 
through network shares protected by weak passwords and other exploits 
including:

LSASS (MS04-011)
RPC-DCOM (MS04-012)
WKS (MS03-049) (CAN-2003-0812)
WebDav (MS03-007)
Veritas (CAN-2004-1172)
Dameware (CAN-2003-1030)
PNP (MS05-039)
ASN.1 (MS04-007)

The following registry entry is created to run iexplore.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Internet Explorer
\iexplore.exe





Name   Troj/ParDrop-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Aliases  
    * Trojan.Win32.Small.da
    * Trojan.Win32.Small.cz
    * TROJ_SMALL.RX

Prevalence (1-5) 2

Description
Troj/ParDrop-A is a dropper Trojan for the Windows platform.

When first run, Troj/ParDrop-A creates the following files (these 
files have their read-only and hidden file attributes set):

\explore.exe - detected as Troj/ParDrop-A
\.tmp - detected as Troj/ParDrop-A
\inetinfo.exe - detected as W32/Parite-B
\svids.dll - data file which may be safely deleted

Troj/ParDrop-A then attempts to load the W32/Parite-B virus by 
running the file \inetinfo.exe.

Advanced
Troj/ParDrop-A is a dropper Trojan for the Windows platform.

When first run, Troj/ParDrop-A creates the following files (these 
files have their read-only and hidden file attributes set):

\explore.exe - detected as Troj/ParDrop-A
\.tmp - detected as Troj/ParDrop-A
\inetinfo.exe - detected as W32/Parite-B
\svids.dll - data file which may be safely deleted

Troj/ParDrop-A then attempts to load the W32/Parite-B virus by 
running the file \inetinfo.exe.

Troj/ParDrop-A also sets the following registry entry to run the 
W32/Parite-B virus:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
System
\inetinfo.exe





Name   Troj/Goldun-AK

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Drops more malware
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Goldun-AK is a Trojan for the Windows platform.

The Trojan steals login credentials entered into web forms related to 
certain financial institutions.

Advanced
Troj/Goldun-AK is a Trojan for the Windows platform.

When run, Troj/Goldun-AK creates the file mside.dll. The file 
mside.dll is registered as a COM object and Browser Helper Object 
(BHO) for Microsoft Internet Explorer, creating registry entries under:

HKCR\CLSID\{13146842-6251-5625-3072-548536364311}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13146842-6251-5625-3072-548536364311}

The Trojan steals login credentials entered into web forms related to 
certain financial institutions.





Name   W32/Rbot-AWB

Type  
    * Spyware Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information
    * Downloads code from the internet

Prevalence (1-5) 2

Description
W32/Rbot-AWB is a network worm with backdoor Trojan functionality for 
the Windows platform.

W32/Rbot-AWB can be controlled by a remote attacker over IRC channels. 
The backdoor component of W32/Rbot-AWB can be instructed by a 
remote user to perform various functions.

W32/Rbot-AWB spreads using a variety of techniques including:
- exploiting weak passwords on computers and SQL servers
- exploiting operating system vulnerabilities (including PnP [MS05-039]) 
  and using backdoors opened by other worms or Trojans
- sending download links through the AOL Instant Messenger (AIM) 
  client to online "buddies"

Advanced
W32/Rbot-AWB is a network worm with backdoor Trojan functionality for 
the Windows platform.

The worm copies itself to a file named msniu.exe in the Windows 
system folder and creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN Messenger 32
"msniu.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN Messenger 32
"msniu.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MSN Messenger 32
"msniu.exe"

W32/Rbot-AWB can be controlled by a remote attacker over IRC channels. 
The backdoor component of W32/Rbot-AWB can be instructed by a remote 
user to perform the following functions:

start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software

W32/Rbot-AWB spreads using a variety of techniques including:
- exploiting weak passwords on computers and SQL servers
- exploiting operating system vulnerabilities (including PnP [MS05-039]) 
  and using backdoors opened by other worms or Trojans
- sending download links through the AOL Instant Messenger (AIM) 
  client to online "buddies"





Name   W32/Oscabot-N

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Prevalence (1-5)

Description
W32/Oscabot-N is an instant messaging worm that targets users of 
AOL Instant Messenger (AIM) clients.

W32/Oscabot-N will attempt to locate the AIM application and use it 
to send web links to other users.





Name   W32/Tilebot-AP

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information

Prevalence (1-5) 2

Description
W32/Tilebot-AP is a worm which attempts to spread to remote network 
shares. It also contains backdoor Trojan functionality, allowing 
unauthorized remote access to the infected computer via IRC channels.

W32/Tilebot-AP spreads to network shares with weak passwords as a 
result of the backdoor Trojan element receiving the appropriate 
command from a remote user. The worm can spread to unpatched 
computers vulnerable to the following exploits:

ASN.1 (MS04-007)
LSASS (MS04-011)
PNP (MS05-039)
RPC-DCOM (MS04-012)

W32/Tilebot-AP attempts to remove network shares from the infected 
computer, as well as changing the policy for SeNetworkLogonRight for 
the computer.

W32/Tilebot-AP may attempt to contact scripts on remote sites.

Advanced
W32/Tilebot-AP is a worm which attempts to spread to remote network 
shares. It also contains backdoor Trojan functionality, allowing 
unauthorized remote access to the infected computer via IRC channels.

W32/Tilebot-AP spreads to network shares with weak passwords as a 
result of the backdoor Trojan element receiving the appropriate 
command from a remote user. The worm can spread to unpatched 
computers vulnerable to the following exploits:

ASN.1 (MS04-007)
LSASS (MS04-011)
PNP (MS05-039)
RPC-DCOM (MS04-012)

W32/Tilebot-AP copies itself to the Windows folder with the filename 
ipconfig32.exe and creates a service named "IPtable" with a startup 
type of automatic, causing the service to be run each time Windows 
starts.

W32/Tilebot-AP allows a remote user to perform a wide range of 
actions on the infected computer including downloading further files, 
setting registry entries and stealing information from the computer 
including from protected storage areas.

W32/Tilebot-AP attempts to terminate services with the following 
names in order to disrupt various security processes including the 
Windows firewall and Windows critical updates:

Tlntsvr
RemoteRegistry
Messenger
SharedAccess
wscsvc

W32/Tilebot-AP attempts to set the following registry entries to 
disrupt various security processes:

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate
AUOptions
1

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restictanonymous
1

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAlloxXPSP2
1

HKLM\SOFTWARE\Microsoft\OLE
EnableDCOM
"N"

W32/Tilebot-AP may also set entries in the registry at the following 
locations:

HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout

W32/Tilebot-AP attempts to remove network shares from the infected 
computer, as well as changing the policy for SeNetworkLogonRight for 
the computer.

W32/Tilebot-AP may attempt to contact scripts on remote sites.

The following registry entries are created as a result of registering 
the system service:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPTABLE


HKLM\SYSTEM\CurrentControlSet\Services\IPtable






Name   W32/Esbot-B

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.IRCBot.es
    * W32/IRCbot.worm.gen
    * Backdoor.Trojan

Prevalence (1-5) 2

Description
W32/Esbot-B is a worm and IRC backdoor Trojan for the Windows platform.

W32/Esbot-B will connect to an IRC channel and wait for instructions.

Advanced
W32/Esbot-B is a worm and IRC backdoor Trojan for the Windows platform.

W32/Esbot-B will connect to an IRC channel and wait for instructions.

When first run W32/Esbot-B copies itself to \services32.exe.

The file services32.exe is registered as a new system driver service 
named "Content List Management Sub System", with a display name of 
"services32" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\Content List Management Sub System\

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Melt






Name   W32/Bagle-BS

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Bagle-BS is a worm for the Windows platform.

W32/Bagle-BS sends a ZIP file as an email attachment. The ZIP file 
contains an executable detected as Troj/BagleDl-W. When run, this 
executable attempts to download further files, which may include 
copies of the original worm W32/Bagle-BS.

W32/Bagle-BS may download and run further malicious code, storing the 
downloaded file as re_file.exe in the Windows system folder.

Messages sent by W32/Bagle-BS have the following characteristics. The 
subject line is blank. The message text is chosen to be one of the 
following lines:

info
texte
The password is 
Password: 

The attachment name is chosen from the following:

Business.zip
Business_dealing.zip
Health_and_knowledge.zip
Info_prices.zip
max.zip
sms_text.zip
text_sms.zip
The_new_prices.zip

The worm will avoid sending emails to addresses containing any of the 
following strings:

{at}derewrdgrs
{at}eerswqe
{at}messagelab
{at}microsoft
anyone{at}
certific
contract{at}
f-secur
free-av
gold-certs{at}
google
icrosoft
listserv
nobody{at}
noone{at}
noreply
postmaster{at}
rating{at}
samples
support
update
winrar
winzip

Advanced
W32/Bagle-BS is a worm for the Windows platform.

W32/Bagle-BS sends a ZIP file as an email attachment. The ZIP file 
contains an executable detected as Troj/BagleDl-W. When run, this 
executable attempts to download further files, which may include 
copies of the original worm W32/Bagle-BS.

W32/Bagle-BS may download and run further malicious code, storing the 
downloaded file as re_file.exe in the Windows system folder.

Messages sent by W32/Bagle-BS have the following characteristics. The 
subject line is blank. The message text is chosen to be one of the 
following lines:

info
texte
The password is 
Password: 

The attachment name is chosen from the following:

Business.zip
Business_dealing.zip
Health_and_knowledge.zip
Info_prices.zip
max.zip
sms_text.zip
text_sms.zip
The_new_prices.zip

The worm will avoid sending emails to addresses containing any of the 
following strings:

{at}derewrdgrs
{at}eerswqe
{at}messagelab
{at}microsoft
anyone{at}
certific
contract{at}
f-secur
free-av
gold-certs{at}
google
icrosoft
listserv
nobody{at}
noone{at}
noreply
postmaster{at}
rating{at}
samples
support
update
winrar
winzip

When first run W32/Bagle-BS copies itself to \windll2.exe. 
The following registry entries are created:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
erthegdr
\windll2.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
erthegdr
\windll2.exe

W32/Bagle-BS attempts to delete registry entries from the following 
locations:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n

Entries are deleted if they have any of the following names:

9XHtProtect
Antivirus
EasyAV
FirewallSvr
HtProtect
ICQ Net
ICQNet
Jammer2nd
KasperskyAVEng
MsInfo
My AV
Norton Antivirus AV
PandaAVEngine
service
SkynetsRevenge
Special Firewall Service
SysMonXP
Tiny AV
Zone Labs Client Ex

W32/Bagle-BS terminates the following processes:

1t1epad.exe
t1es1t.exe





Name   Troj/WowPWS-A

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * PWSteal.Wowcraft.B
    * BackDoor-CUQ

Prevalence (1-5) 2

Description
Troj/WowPWS-A is a password stealing Trojan for the Windows platform.

Troj/WowPWS-A targets the online game World of Warcraft, and attempts 
to steal account details.

Advanced
Troj/WowPWS-A is a password stealing Trojan for the Windows platform.

Troj/WowPWS-A targets the online game World of Warcraft, and attempts 
to steal account details.

When first run Troj/WowPWS-A copies itself to the following locations:

\smss.exe
\finder.com
\explorer.com
\exeroute.exe
\1.com
\msconfig.com
\rundll32.com
\command.pif
\dxdiag.com
\regedit.com
\finder.com
Debug\DebugProgram.exe
\Internet Explorer\iexplor.com
\Common Files\iexplore.pif

Troj/WowPWS-A sets the following registry entries to start the 
various copies of itself:

HKCR\winfiles\Shell\Open\Command
\exeroute.exe "%1" %*

HKLM\SOFTWARE\Clients\StartMenuInternet\iexplore.pif
LocalizedString
iexplore

HKLM\SOFTWARE\Clients\StartMenuInternet\iexplore.pif\shell\open\command
\Common Files\iexplore.pif

HKLM\SOFTWARE\Windows\CurrentVersion\Run
Torjan Program
\smss.exe





Name   W32/Mytob-FI

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address

Aliases  
    * Net-Worm.Win32.Mytob.bm
    * W32.Mytob.EE{at}mm

Prevalence (1-5) 2

Description
W32/Mytob-FI is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-FI spreads through email. W32/Mytob-FI harvests email 
addresses from files on the infected computer and from the Windows 
address book. Email sent by W32/Mytob-FI has the following properties:

Subject line:

Your password has been updated
Your password has been successfully updated
You have successfully updated your passworq
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation

Message text:

Dear user ,
You have successfully updated the password of your  account.
If you did not authorize this change or if you need assistance with 
your account, please contact  customer service at: 
Thank you for using !
The  Support Team
+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear user ,
It has come to our attention that your  User Profile ( x ) 
records are out of date. For further details see the attached document.
Thank you for using !
The  Support Team
+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your  account.
Sincerely,The  Support Team
+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,
Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.
If you choose to ignore our request, you leave us no choice but to 
cancel your membership.
Virtually yours,
The  Support Team
+++ Attachment: No Virus found
+++  Antivirus - www.

In the above body text  would be replaced with either the domain 
or username from the user's email address.

The attached file consists of a base name followed by the extensions 
CMD, PIF, SCR, EXE or ZIP. The worm may optionally create double 
extensions where the first extension is DOC, TXT or HTM and the final 
extension is BAT, CMD, PIF, SCR, EXE or ZIP. The base filenames are 
randomly chosen from:

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report

Advanced
W32/Mytob-FI is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-FI runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Mytob-FI copies itself to \expI0rer.exe.

The following registry entries are created to run expI0rer.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
expI0rer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
expI0rer.exe

W32/Mytob-FI sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

W32/Mytob-FI spreads through email. W32/Mytob-FI harvests email 
addresses from files on the infected computer and from the Windows 
address book. Email sent by W32/Mytob-FI has the following properties:

Subject line:

Your password has been updated
Your password has been successfully updated
You have successfully updated your passworq
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation

Message text:

Dear user ,
You have successfully updated the password of your  account.
If you did not authorize this change or if you need assistance with 
your account, please contact  customer service at: 
Thank you for using !
The  Support Team
+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear user ,
It has come to our attention that your  User Profile ( x ) 
records are out of date. For further details see the attached document.
Thank you for using !
The  Support Team
+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your  account.
Sincerely,The  Support Team
+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,
Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.
If you choose to ignore our request, you leave us no choice but to 
cancel your membership.
Virtually yours,
The  Support Team
+++ Attachment: No Virus found
+++  Antivirus - www.

In the above body text  would be replaced with either the domain 
or username from the user's email address.

The attached file consists of a base name followed by the extensions 
CMD, PIF, SCR, EXE or ZIP. The worm may optionally create double 
extensions where the first extension is DOC, TXT or HTM and the final 
extension is BAT, CMD, PIF, SCR, EXE or ZIP. The base filenames are 
randomly chosen from:

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report

The worm avoids sending email to addresses that contain the following:

.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your

W32/Mytob-FI modifies the HOSTS file, changing the hostname-to-IP 
mappings for selected websites, thereby preventing normal access to 
these sites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
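
A HOSTS file that pins vendor and update domains to 127.0.0.1, as listed above, silently breaks signature and patch updates, so it is worth checking routinely. The Python below is an added example for this digest, not Sophos's code or the worm's: it parses HOSTS-file text and, for every hostname that is or sits under a watched domain, reports whether it is sinkholed to a non-routable address or redirected somewhere else (the latter is what a credential-harvesting redirect would look like). The `SAMPLE_HOSTS` content is constructed; `WATCHED_DOMAINS` is drawn from the entries on this page, and a real deployment would maintain its own list.

```python
"""Flag HOSTS-file entries that point security-vendor, update or payment
domains at loopback or other non-routable addresses, the technique described
for W32/Mytob-FI above.  Added example; the sample HOSTS text is constructed."""
import ipaddress

# Parent domains to watch, taken from the list on this page.  Subdomains
# (www., liveupdate., securityresponse., ...) match automatically.
WATCHED_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "nai.com", "viruslist.com", "f-secure.com", "kaspersky.com",
    "kaspersky-labs.com", "avp.com", "networkassociates.com", "ca.com",
    "my-etrust.com", "trendmicro.com", "pandasoftware.com", "grisoft.com",
    "microsoft.com", "virustotal.com", "amazon.com", "paypal.com",
    "moneybookers.com", "ebay.com",
}

def _matches_watched(host: str) -> bool:
    """True if host equals, or is a subdomain of, a watched domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def _is_sinkhole(addr: str) -> bool:
    """Loopback, unspecified (0.0.0.0) and link-local targets cannot serve
    the real site, so a watched name mapped there is effectively blocked."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local

def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from HOSTS-file text; '#' starts a comment
    and one address line may carry several names."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name

def find_hijacked_entries(text: str) -> list:
    """Return (hostname, ip, verdict) for every watched domain that appears
    in the HOSTS file at all.  verdict is 'sinkholed' for non-routable
    targets and 'redirected' for anything else; a legitimate HOSTS file
    should not mention these domains in the first place."""
    findings = []
    for ip, name in parse_hosts(text):
        if not _matches_watched(name):
            continue
        verdict = "sinkholed" if _is_sinkhole(ip) else "redirected"
        findings.append((name, ip, verdict))
    return findings

# Constructed sample: one benign internal entry plus entries in the style of
# the list above, and one redirect to a documentation-range address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example   # constructed internal entry, benign
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.microsoft.com
0.0.0.0 update.symantec.com
198.51.100.7 www.paypal.com
"""

if __name__ == "__main__":
    for name, ip, verdict in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"{verdict:10s} {name} -> {ip}")
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts; a sensible alerting rule is "any watched domain present at all", since the distinction between sinkholed and redirected only changes how urgently you investigate.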

W32/Mytob-FI may also terminate applications and security-related 
processes.





Name   Troj/Haxdoor-AN

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Haxdoor-AN is a backdoor Trojan which allows a remote intruder 
to gain access and control over the computer.

Troj/Haxdoor-AN includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Haxdoor-AN attempts to disable certain services related to 
security and anti-virus programs and may attempt to bypass the 
Windows firewall.

Troj/Haxdoor-AN attempts to download and execute files from a remote 
location.

Advanced
Troj/Haxdoor-AN is a backdoor Trojan which allows a remote intruder 
to gain access and control over the computer.

Troj/Haxdoor-AN includes functionality to access the internet and 
communicate with a remote server via HTTP.

When Troj/Haxdoor-AN is installed the following files are created:

\sks2drvr.sys
\sksdll.dll

Both these files are also detected as Troj/Haxdoor-AN. The file 
sks2drvr.sys is a rootkit designed to stealth the presence of 
Troj/Haxdoor-AN.

Some of the following registry entries are created to run code 
exported by sksdll.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll
DllName
sksdll.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll
Startup
sksdll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll
Impersonate
1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll
Asynchronous
1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll
MaxWaut
1

HKLM\System\CurrentControlSet\Control\MPRServices\TestService
DllName
sksdll.dll

HKLM\System\CurrentControlSet\Control\MPRServices\TestService
EntryPoint
sksdll

HKLM\System\CurrentControlSet\Control\MPRServices\TestService
StackSize
0

The file sks2drvr.sys is registered as a new system driver service 
named "sks2drvr", with a display name of "USB sks2drvr". Registry 
entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\sks2drvr\

Troj/Haxdoor-AN attempts to disable certain services related to 
security and anti-virus programs by deleting registry entries at the 
following location:

HKLM\SYSTEM\CurrentControlSet\Services

Troj/Haxdoor-AN may add a registry entry at the following location in 
order to bypass the Windows firewall:

HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\

Troj/Haxdoor-AN attempts to download and execute files from a remote 
location.





Name   W32/Ritdoor-B

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Net-Worm.Win32.Mytob.db

Prevalence (1-5) 2

Description
W32/Ritdoor-B is a worm and backdoor for the Windows platform.

W32/Ritdoor-B spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011) and PNP 
(MS05-039).

W32/Ritdoor-B runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Ritdoor-B includes functionality to download, install and run new 
software.

Advanced
W32/Ritdoor-B is a worm and backdoor for the Windows platform.

W32/Ritdoor-B spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011) and PNP 
(MS05-039).

W32/Ritdoor-B runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Ritdoor-B includes functionality to download, install and run new 
software.

When first run W32/Ritdoor-B copies itself to:

\msdeff.exe
\winlogon.exe

and creates the file \mstempf.exe.

The following registry entry is created to run W32/Ritdoor-B on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RPCserr32g
\winlogon.exe

W32/Ritdoor-B sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKCU\Software\Microsoft\Internet Explorer
IEPfsgdc
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
DisableRegistryTools
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
DisableRegistryTools
0





Name   Troj/Dloader-YF

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Agent.yn
    * Downloader-AAP

Prevalence (1-5) 2

Description
Troj/Dloader-YF is a Trojan for the Windows platform.

Troj/Dloader-YF includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Dloader-YF copies itself to \ipwf.exe and 
creates the file \drivers\winut.dat.

Advanced
Troj/Dloader-YF is a Trojan for the Windows platform.

Troj/Dloader-YF includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Dloader-YF copies itself to \ipwf.exe and 
creates the file \drivers\winut.dat.

The following registry entry is created to run ipwf.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IPFW
\ipwf.exe

The Trojan makes registry changes in the following location, 
registering both the original file and the copy as authorized 
applications:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List





Name   Troj/GrayBir-AB

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Hupigon.ly

Prevalence (1-5) 2

Description
Troj/GrayBir-AB is a backdoor Trojan for the Windows platform.

Advanced
Troj/GrayBir-AB is a backdoor Trojan for the Windows platform.

When first run Troj/GrayBir-AB copies itself to 
\G_Server2.0.exe.

The file G_Server2.0.exe is registered as a new system driver service 
named "GrayPigeonServer2.0", with a display name of 
"Gray_Pigeon_Server2.0" and a startup type of automatic, so that it 
is started automatically during system startup. Registry entries are 
created under:

HKLM\SYSTEM\CurrentControlSet\Services\GrayPigeonServer2.0\





Name   Troj/Dloader-YG

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Dloader-YG is a Trojan for the Windows platform.

Troj/Dloader-YG attempts to download and install software from the 
internet.

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
