| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | News, Nov. 20 2004 |
[cut-n-paste from sophos.com]
Name W32/Bofra-H
Type
* Worm
How it spreads
* Email attachments
* Web downloads
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
Aliases
* I-Worm.Bofra.b
* W32.Mydoom.ah@MM
* WORM_BOFRA.E
* W32/Mydoom.gen@MM
Prevalence (1-5) 2
Description
W32/Bofra-H is a mass-mailing worm for the Windows platform.
W32/Bofra-H includes a backdoor, allowing a remote attacker to control
the infected computer.
W32/Bofra-H spreads by exploiting an IFrame vulnerability in Internet
Explorer.
Advanced
W32/Bofra-H is a mass-mailing worm for the Windows platform.
W32/Bofra-H tries to copy itself either to the Windows system folder or
to the Temp folder, using a filename consisting of between 3 and 8
random characters followed by 32.EXE (eg EOFJNF32.EXE).
W32/Bofra-H then creates an entry in the registry at one of the
following locations so as to be run when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reactor7
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Reactor7
W32/Bofra-H attempts to harvest email addresses from the Outlook address
book and from files with the following extensions:
TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB, PL, WAB
W32/Bofra-H will not harvest addresses containing the following strings:
.gov, .mil, accoun, acketst, admin, anyone, arin., avp, berkeley, borlan,
bsd, bugs, ca, certific, contact, example, feste, fido, foo., fsf., gnu,
gold-certs, google, gov., help, hotmail, iana, ibm.com, icrosof,
icrosoft, ietf, info, inpris, isc.o, isi.e, kernel, linux, listserv,
math, me, mit.e, mozilla, msn., mydomai, no, nobody, nodomai, noone, not,
nothing, ntivi, page, panda, pgp, postmaster, privacy, rating, rfc-ed,
ripe., root, ruslis, samples, secur, sendmail, service, site, soft,
somebody, someone, sopho, submit, support, syma, tanford.e, the.bat,
unix, usenet, utgers.ed, webmaster, you, your
W32/Bofra-H uses its own SMTP engine to send emails to these harvested
addresses, enticing the recipient to click on a hyperlink. This link
makes use of an exploit in Internet Explorer to download W32/Bofra-H
from the infected machine. The download will take place without any
notification from Windows. In order to allow this download to take place
the infected machine listens on ports higher than 1639 for download
requests.
The email distributed by W32/Bofra-H creates fake email headers to
pretend it was created by a number of different legitimate email clients
and also that it has been checked for viruses. The email itself has the
following characteristics:
From field: An address found on the infected computer, or one
constructed randomly from strings within the worm such as:
exchange-robot@paypal.com
palux@yahoo.com
Subject line: Blank or one of the following:
Hi!
HI!
Hey!
HEY!
Confirmation
CONFIRMATION
Message body:
Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0, and your item will be
shipped within three business days.
To see details please click this link.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an
automated message system and the reply will not be received.
Thank you for using PayPal.
Hi! I am looking for new friends. I am from Miami, FL. You can see my
homepage with my last webcam photos! Hello!
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!
W32/Bofra-H also contains IRC backdoor functionality and may download
and execute files from remote websites to files with random filenames in
the Windows system folder if instructed to do so.
The worm may inject itself into other processes in order to make itself
more difficult to remove.
W32/Bofra-H attempts to delete the following registry entries to prevent
other variants of W32/Bofra running when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\center
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\reactor
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rhino
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reactor3
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reactor4
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reactor5
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reactor6
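The W32/Bofra-H entry above describes a lure with a fixed set of subjects, a forged sender, recognisable body text, and a link that fetches the worm from a high port on the infected machine. The following mail-gateway check is an added example written for this page, not Sophos code; it assumes the lure link is of the form http://host:port/... (the advisory only says the link points back at the infected machine on a port above 1639) and scores a message on how many of the advisory's indicators it matches. The two sample messages are constructed, and 192.0.2.10 is a documentation address.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators taken from the W32/Bofra-H advisory text above.
BOFRA_SUBJECTS = {"", "hi!", "hey!", "confirmation"}
BOFRA_SENDERS = {"exchange-robot@paypal.com", "palux@yahoo.com"}
BOFRA_BODY_PHRASES = (
    "paypal has successfully charged",
    "do not reply to this message via email",
    "i am looking for new friends",
    "last webcam photos",
)
BOFRA_MIN_PORT = 1639   # the worm serves its copy from ports above this

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def link_indicators(body: str) -> list:
    """Return URLs whose host is a bare IP literal or whose port is above
    the advisory's threshold. Assumption: the lure uses http://host:port/."""
    hits = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        host = parts.hostname or ""
        try:
            port = parts.port
        except ValueError:          # malformed port, treat as absent
            port = None
        try:
            ip_address(host)
            is_ip = True
        except ValueError:
            is_ip = False
        if is_ip or (port is not None and port > BOFRA_MIN_PORT):
            hits.append(url)
    return hits


def score_message(raw: bytes) -> dict:
    """Score one raw RFC 822 message; two or more hits mark it suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    sender = parseaddr(msg["From"] or "")[1].lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    body_lc = body.lower()

    reasons = []
    if subject in BOFRA_SUBJECTS:
        reasons.append(f"subject matches lure list: {subject!r}")
    if sender in BOFRA_SENDERS:
        reasons.append(f"sender matches lure list: {sender!r}")
    for phrase in BOFRA_BODY_PHRASES:
        if phrase in body_lc:
            reasons.append(f"body phrase: {phrase!r}")
    for url in link_indicators(body):
        reasons.append(f"suspicious link: {url}")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample: the PayPal lure from the advisory with an assumed link.
SAMPLE_LURE = b"""From: PayPal <exchange-robot@paypal.com>
To: victim@example.com
Subject: Confirmation
Content-Type: text/plain; charset=us-ascii

Congratulations! PayPal has successfully charged $175 to your credit
card. Your order tracking number is A866DEC0, and your item will be
shipped within three business days.
To see details please click this link.
http://192.0.2.10:1766/index.htm
DO NOT REPLY TO THIS MESSAGE VIA EMAIL!
"""

# Constructed benign message sharing one indicator (the subject) only.
SAMPLE_BENIGN = b"""From: Alice <alice@example.net>
To: bob@example.net
Subject: Confirmation
Content-Type: text/plain; charset=us-ascii

Confirming our meeting on Monday. Agenda: https://intranet.example.net/agenda
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(score_message(raw))
```

A blank subject is on the lure list, so the two-hit threshold keeps ordinary empty-subject mail from being flagged on its own; the link check carries the most weight because a legitimate sender rarely links to an IP literal on an ephemeral port.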
Name Troj/Narod-D
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Drops more malware
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan.Win32.Starter
* Trojan.StartPage
* PWS-NAROD
Prevalence (1-5) 2
Description
Troj/Narod-D is a password stealing Trojan for the Windows platform.
When first run Troj/Narod-D copies itself to the Windows system folder
as systemp.exe and drops two DLL components to the same folder. The DLL
components have the filenames sysp.dll and systemp.dll. A copy of the
Trojan is also created with the filename sp.dat.
Troj/Narod-D may also open a backdoor and await commands from a remote
attacker.
Advanced
Troj/Narod-D is a password stealing Trojan for the Windows platform.
When first run Troj/Narod-D copies itself to the Windows system folder
as systemp.exe and drops two DLL components to the same folder. The DLL
components have the filenames sysp.dll and systemp.dll. A copy of the
Trojan is also created with the filename sp.dat.
Troj/Narod-D creates the following registry entries in order to run as a
service process:
HKCR\CLSID\\InProcServer32\default = systemp.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\systemp
Where is randomly generated.
Troj/Narod-D may also open a backdoor on port 3128 and await commands
from a remote user.
Name W32/Forbot-CP
Type
* Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Wootbot.gen
* W32/Sdbot.worm.gen.t
Prevalence (1-5) 2
Description
W32/Forbot-CP is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
W32/Forbot-CP copies itself to the Windows system folder as IEXPLORE.EXE.
W32/Forbot-CP also creates its own service named "NDIS TCP Layer
Transport Device", with the display name "Zonealarm".
W32/Forbot-CP attempts to spread to network machines using various
exploits including the LSASS vulnerability (see MS04-011). The worm may
also spread via IRC channels.
W32/Forbot-CP may act as a proxy, delete network shares and steal keys
for various software products.
Advanced
W32/Forbot-CP is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
W32/Forbot-CP copies itself to the Windows system folder as IEXPLORE.EXE
and creates the following registry entries in order to run itself on
system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zonealarm = iexplore.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Zonealarm = iexplore.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Zonealarm = iexplore.exe
W32/Forbot-CP also creates its own service named "NDIS TCP Layer
Transport Device", with the display name "Zonealarm".
W32/Forbot-CP attempts to spread to network machines using various
exploits including the LSASS vulnerability (see MS04-011). The worm may
also spread via IRC channels.
W32/Forbot-CP may act as a proxy, delete network shares and steal keys
for various software products.
Name W32/Sober-I
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Uses its own emailing engine
* Reduces system security
* Installs itself in the Registry
Aliases
* W32/Sober.j
Prevalence (1-5) 3
Description
W32/Sober-I is a variant of the W32/Sober mass mailing worms family for
the Windows platform.
W32/Sober-I harvests email addresses from system files, and may arrive
in an email with various subject lines and message texts.
When executed, W32/Sober-I displays a fake error message with the header
"WinZip Self-Extractor", followed by the message text
"WinZip_Data_Module is missing ~Error:...", and at the same time creates
the following files in the Windows system folder, some of which are used
for storing harvested information and others which are encrypted and/or
packed worm copies:
Odin-Anon.Ger
clonzips.ssc text-ascii
clsobern.isc text-ascii
cvqaikxt.apk
dgssxy.yoi
diagdatacrypt.exe win-pack-hackupx
expolerlog.exe win-pack-hackupx
nonzipsr.noz
sysmms32.lla
winroot64.dal
winsend32.dal
zippedsr.piz text-ascii
W32/Sober-I copies itself to the Windows system folder as an EXE file
with a name that is constructed from the following strings:
sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag,
spool, service, smss32
Advanced
W32/Sober-I is a variant of the W32/Sober mass mailing worms family for
the Windows platform that harvests email addresses from files with the
following extensions:
PMR STM SLK INBOX IMB CSV BAK IMH XHTML IMM IMH CMS NWS VC CTL DHTM CGI
PP PPT MSG JSP OFT VBS UIN LDB ABC PST CFG MDW MBX MDX MDA ADP NAB FDB
VAP DSP ADE SLN DSW MDE FRM BAS ADR CLS INI LDIF LOG MDB XML WSH TBB ABX
ABD ADB PL RTF MMF DOC ODS NCH XLS NSF TXT WAB EML HLP MHT NFO PHP ASP
SHTML DBX
When executed, W32/Sober-I displays a fake error message with the header
"WinZip Self-Extractor", followed by the message text
"WinZip_Data_Module is missing ~Error:...", and at the same time creates
the following files in the Windows system folder, some of which are used
for storing harvested information, and others which are encrypted and/or
packed worm copies:
Odin-Anon.Ger
clonzips.ssc text-ascii
clsobern.isc text-ascii
cvqaikxt.apk
dgssxy.yoi
diagdatacrypt.exe win-pack-hackupx
expolerlog.exe win-pack-hackupx
nonzipsr.noz
sysmms32.lla
winroot64.dal
winsend32.dal
zippedsr.piz text-ascii
(where the files marked text-ascii contain a base64-encoded, encrypted,
ZIP-packed copy of the worm, and the files marked win-pack-hackupx are
worm copies packed with a modified UPX.)
W32/Sober-I copies itself to the Windows system folder as an EXE file
with a name that is constructed from the following strings:
sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag,
spool, service, smss32
In order to be able to run automatically when Windows starts up,
W32/Sober-I sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ =
(where is a string constructed from the list above and
corresponds to the worm copy filename.)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\MSAntiVirus =
%1
(where corresponds to the currently executed file.)
W32/Sober-I checks the country origin by comparing the domain extension
with ones from the following list:
.de, .ch, .at, .li, .gmx
In cases where the domain extension matches a German variant, the email
language will be German, otherwise it will be English based.
W32/Sober-I may arrive in an email with the following characteristics:
Subject line: constructed from:
FwD:
Re:
Oh God
Registration Confirmation
Confirmation
Your Password
Your mail password
Delivery_failure_notice
Faulty_mail delivery
Mail delivery_failed
Mail Error
illegal signs in your mail
invalid mail
Mail_Delivery_failure
mail delivery system
Key:
SMTP:
ESMTP:
Info von
Mailzustellung fehlgeschlagen
Fehler in E-Mail
Ihre E-Mail wurde verweigert
Mailer Error
Ungueltige Zeichen in Ihrer E-Mail
Mail- Verbindung wurde abgebrochen
Mailer-Fehler
Betr.-Ihr Account
Ihre neuen Account-Daten
Auftragsbestaetigung
Lieferung-Bescheid
Message Text (English): subject dependent
Message Text for Subject 'Oh God':
I was surprised, too!
Who_could_suspect_something_like_that? shityiiiii
Message Text for delivery failure subject lines: constructed from
This mail was generated automatically.
More info about ---- under: http://www. URL>
# :
The original mail is attached.
Auto_Mail.System: []
Possible error messages 1:
_does_not_like_recipient.
_does_not_like_sender.
Possible error messages 2:
This_account_has_been_discontinued_[#144].
mailbox_unavailable
Remote_host_said:_delivery_error
Giving_up_on_53.32.183.90.
MAILBOX NOT FOUND
Fake anti-virus message:
*-*-* Mail_Scanner: No Virus
*-*-* - Anti_Virus Service
*-*-* http://www. URL>
(See attached file: .zip)
Message Text (German): chosen from
Message Text 1:constructed from:
Diese E-Mail wurde automatisch generiert.
Mehr Informationen erhalten Sie unter http://www. URL>
Folgende Fehler wurden aufgezeichnet:
# :
STOP mailer
The original mail is attached.
Auto_Mail.System: []
Possible error message 1:
Remote_host_said: _Requested_action_not_taken
_delivery_error
Possible error message 2:
mailbox_unavailable
Giving_up_on_
This_account_has_been_ disabled
This_account_has_been_ discontinued
Mailbox unavailable
Giving up on
... does not like
Fake anti-virus message:
Anti_Virus: Es wurde kein Virus gefunden
Anti_Virus Service
Message Text 2: constructed from
Da Sie uns Ihre Persoenlichen Daten sugesandt haben ist das Password
Ihr Geburts-Datum Viel Vergnuegen mit unserem Angebot!
*****
Im I-Net unter: http://www. URL>
Message Text 3: constructed from:
Aus Datenshutzrechtlichen Gruenden darf die vollstaendige E-Mail incl.
Daten nur angehaengt werden
da unsere Datenbank leider durch einen Programm Fehler zerstoert wurde,
mussten wir leider eine Aenderung bezueglich Ihrer Nutzungs-Daten
vornehmen. Ihre geanderten Account Daten befinden sich im beigefuegten
Dokument.
Weitere Informationen befinden sich im Anhang dieser Mail.
The attached file may have an extension chosen from the following:
ZIP, PIF, SCR, BAT, COM.
Name W32/Rbot-QE
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.gen
* W32/Sdbot.worm.gen.p
Prevalence (1-5) 2
Description
W32/Rbot-QE is a network worm which attempts to spread via network
shares. The worm contains backdoor functions that allow unauthorised
remote access to the infected computer via IRC channels while running in
the background.
W32/Rbot-QE spreads to network shares with weak passwords and by using
the LSASS security exploit (MS04-011).
Advanced
W32/Rbot-QE is a network worm which attempts to spread via network
shares. The worm contains backdoor functions that allow unauthorised
remote access to the infected computer via IRC channels while running in
the background.
W32/Rbot-QE spreads to network shares with weak passwords and by using
the LSASS security exploit (MS04-011).
When run the worm moves itself to the Windows System folder as a
read-only, hidden and system file named XPUpdate.exe.
W32/Rbot-QE then creates the following registry entries so as to run
itself either on user logon or computer restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = XPUpdate.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update = XPUpdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = XPUpdate.exe
Once installed, W32/Rbot-QE will attempt to log keystrokes, partake in
distributed denial of service (DDoS) attacks, download and run files
from the Internet, steal CD keys, login to MS SQL servers and send EXEC
commands to open a command shell on the server when instructed to do so
by a remote attacker.
Name W32/Agobot-OC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
Aliases
* WORM_AGOBOT.ABH
* W32/Gaobot.worm.gen.f
Prevalence (1-5) 2
Description
W32/Agobot-OC is an IRC backdoor Trojan and network worm. W32/Agobot-OC
is capable of spreading to computers on the local network protected by
weak passwords.
W32/Agobot-OC runs continuously in the background providing backdoor
access to the computer through IRC channels.
The worm attempts to terminate and disable various anti-virus and
security related programs.
Advanced
W32/Agobot-OC is an IRC backdoor Trojan and network worm.
W32/Agobot-OC is capable of spreading to computers on the local network
protected by weak passwords.
When first run, W32/Agobot-OC copies itself to the Windows system folder
as halflife2.exe and creates the following registry entries to run
itself on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Halflife = "halflife2.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Halflife = "halflife2.exe"
W32/Agobot-OC runs continuously in the background providing backdoor
access to the computer through IRC channels.
W32/Agobot-OC attempts to terminate and disable various anti-virus and
security related programs and modifies the HOSTS file located at
%SYSTEM%\Drivers\etc\HOSTS, mapping selected anti-virus websites to the
loopback address 127.0.0.1 in an attempt to prevent access to these
sites. Typically the following mappings will be appended to the HOSTS
file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
Name W32/Primat-C
Type
* Worm
How it spreads
* Network shares
* Infected files
* Peer-to-peer
Affected operating systems
* Windows
Aliases
* Worm.P2P.Primat.c
* W32/HLLP.20606c
Prevalence (1-5) 2
Description
W32/Primat-C is a prepending virus and network worm.
Advanced
W32/Primat-C is a prepending virus which spreads via P2P (peer-to-peer)
networks and unprotected network shares.
The virus attempts to infect files with the extensions EXE, SCR or PIF
in any of the following folders:
Network shares named "C" on randomly-chosen IP addresses
The Kazaa "DownloadDir"
The top folder of any valid drives
W32/Primat-C specifically tries to infect the following files in any
available shares named "C\Windows":
Rundll32.exe
Scanregw.exe
The virus makes a copy of itself named msdis.dll in the Windows
temporary folder.
If run on the 18th day of any month, W32/Primat-C will attempt to
display a bitmap image.
Name W32/Rbot-PY
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.gen
* W32/Rbot-KW
* W32/Rbot-Fam
* WORM_RBOT.VE
Prevalence (1-5) 2
Description
W32/Rbot-PY is a network worm which contains IRC backdoor Trojan
functionality, allowing unauthorised remote access to the infected
computer.
Advanced
W32/Rbot-PY is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-PY spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Rbot-PY copies itself to the Windows system folder as MCAFFEFLD.EXE
and creates entries at the following locations in the registry with the
value MCAFFE FLD LOADER so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
W32/Rbot-PY also sets the following registry entry with the same value
to point to itself:
HKCU\Software\Microsoft\OLE
W32/Rbot-PY may attempt to set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-PY may attempt to delete network shares on the host computer.
W32/Rbot-PY may attempt to log keystrokes to the file SYSZZY32.TXT in
the Windows system folder.
Name W32/Agobot-NZ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Agobot.gen
Prevalence (1-5) 2
Description
W32/Agobot-NZ is a backdoor Trojan and worm which spreads to computers
protected by weak passwords.
Each time the Trojan is run it attempts to connect to a remote IRC
server and join a specific channel.
The Trojan then runs continuously in the background, allowing a remote
intruder to access and control the computer via IRC channels.
The Trojan attempts to terminate and disable various anti-virus and
security-related programs and modifies the HOSTS file.
Advanced
W32/Agobot-NZ is a backdoor Trojan and worm which spreads to computers
protected by weak passwords and to computers infected with variants of
W32/MyDoom.
When first run, W32/Agobot-NZ moves itself to the Windows system folder
as gmsvc32.exe and creates the following registry entries to run itself
on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Gmsvc32
gmsvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Gmsvc32
gmsvc32.exe
Each time the Trojan is run it attempts to connect to a remote IRC
server and join a specific channel.
The Trojan then runs continuously in the background, allowing a remote
intruder to access and control the computer via IRC channels.
The Trojan attempts to terminate and disable various anti-virus and
security-related programs and modifies the HOSTS file located at
%WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus
websites to the loopback address 127.0.0.1 in an attempt to prevent
access to these sites. Typically the following mappings will be appended
to the HOSTS file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
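The W32/Agobot-OC, W32/Agobot-NZ and W32/Agobot-NX descriptions all append the same kind of HOSTS mappings, sending anti-virus vendor hosts to the loopback address so updates and signature downloads fail. The checker below is an added example for this page, not Sophos code: it parses a HOSTS file the way the resolver does (comments stripped, several names per line allowed), then reports any entry that maps a vendor domain from the lists above to a sinkhole address. The vendor domain list is taken from the advisories; the sample HOSTS text is constructed.

```python
from ipaddress import ip_address

# Addresses a HOSTS entry is pointed at when the goal is to blackhole a name.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0"}

# Registered domains of the vendor hosts named in the Agobot advisories above.
WATCHED_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com",
)


def parse_hosts(text: str) -> list:
    """Return (address, hostname) pairs from HOSTS file text.

    Comments (#) and blank lines are ignored; one address may be followed
    by several hostnames, and lines whose first field is not an IP address
    are skipped rather than treated as entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def is_watched(hostname: str) -> bool:
    """True when the name is a watched domain or a host beneath one."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in WATCHED_DOMAINS)


def find_hijacked(text: str) -> list:
    """Return the entries that redirect a watched vendor host to a sinkhole."""
    return [(addr, name) for addr, name in parse_hosts(text)
            if addr in SINKHOLE_ADDRS and is_watched(name)]


# Constructed sample: a stock Windows HOSTS header, the localhost line,
# lines of the kind the worm appends, and two unrelated local entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0 ads.example.net
10.0.0.5 intranet  # internal box, not a vendor host
"""

if __name__ == "__main__":
    for addr, name in find_hijacked(SAMPLE_HOSTS):
        print(f"HOSTS hijack: {name} -> {addr}")
```

The match is on the registered domain rather than the literal list from the advisory, so a variant that adds update.symantec.com or a new mcafee.com host is still caught; the localhost line and unrelated sinkhole entries (ad blocking, for instance) are left alone.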
Name W32/Rbot-PX
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Prevalence (1-5) 2
Description
W32/Rbot-PX is a network worm and IRC backdoor Trojan for the Windows
platform.
The worm copies itself to a file named crss.exe in the Windows system
folder.
W32/Rbot-PX spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
W32/Rbot-PX can be controlled by a remote attacker over IRC channels.
Advanced
W32/Rbot-PX is a network worm and IRC backdoor Trojan for the Windows
platform.
The worm copies itself to a file named crss.exe in the Windows system
folder and creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Sygate Personal Port = "crss.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sygate Personal Port = "crss.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Sygate Personal Port = "crss.exe"
W32/Rbot-PX may also set or modify the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous = "dword:00000001"
HKLM\SYSTEM\ControlSet\Control\Lsa\
restrictanonymous = "dword:00000001"
W32/Rbot-PX spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
W32/Rbot-PX can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-PX can be instructed by a remote user
to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
Patches for the operating system vulnerabilities exploited by
W32/Rbot-PX can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx
Name W32/Mofei-E
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Worm.Win32.Aler.a
* W32/Golten.worm
* WORM_GOLTEN.A
* Backdoor.Win32.Small.bq
* BackDoor-CJV
Prevalence (1-5) 3
Description
W32/Mofei-E is a network worm with a backdoor component.
W32/Mofei-E will attempt to spread to network shares protected by weak
passwords.
W32/Mofei-E will attempt to hide itself from the user by injecting
itself into a number of Windows processes. W32/Mofei-E will install
itself as a service and modify the Alerter service path.
Advanced
W32/Mofei-E is a network worm with a backdoor component.
W32/Mofei-E will attempt to spread to network shares protected by weak
passwords.
W32/Mofei-E will attempt to hide itself from the user by injecting
itself into a number of Windows processes. W32/Mofei-E will install
itself as a service and modify the Alerter service path.
When first run, W32/Mofei-E copies itself to the Windows system folder
as ALERTER.EXE. The worm will drop two files named SPC.EXE and
SPTRES.DLL, both detected as W32/Mofei-E. The worm will run SPC.EXE and
inject SPTRES.DLL into the EXPLORER.EXE process in order to stealth
itself from the user.
SPTRES.DLL will attempt to spread the main worm EXE to ADMIN$ and IPC$
shares protected by weak passwords.
When run, SPC.EXE will drop the following files into the Windows system
folder:
SCARDSER.EXE
COMSOCK.DLL - later renamed to COMWSOCK.DLL
SOCKUP.DLL - later renamed to DMSOCK.DLL
All of these files are detected as W32/Mofei-E.
SCARDSER.EXE is run as a service and injects COMWSOCK.DLL into the
LSASS.EXE process in order to stealth itself from the user. COMWSOCK.DLL
will then attempt to inject DMSOCK.DLL into one of the following
processes:
EXPLORER.EXE
IEXPLORE.EXE
INETINFO.EXE
LSASS.EXE
MSIMN.EXE
MSMSGS.EXE
MSNMSGR.EXE
OUTLOOK.EXE
QQ.EXE
SVCHOST.EXE
DMSOCK.DLL is the main backdoor component of the worm. This component
will also attempt to download and run further files.
W32/Mofei-E will also create the files INETCFG.H and MST.TLB in the
Windows system folder. These are both data files used by the worm and
can be deleted.
W32/Mofei-E will modify the path for the Alerter service to point to
itself. The following registry entry will be changed:
HKLM\SYSTEM\ControlSet\Services\Alerter\ImagePath = \System32\Alerter.exe
Consequently, the following registry entry will also be changed:
HKLM\SYSTEM\CurrentControlSet\Services\Alerter\ImagePath = \System32\Alerter.exe
W32/Mofei-E will register itself as a service process with name "netlog"
and display name "Net Login Helper". This ensures that the SCARDSER.EXE
service is automatically run.
Name W32/Protoride-W
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Worm.W32.Protoride.Gen
Prevalence (1-5) 2
Description
W32/Protoride-W is a Windows worm that spreads to computers via network
shares.
W32/Protoride-W allows backdoor access to unauthorised remote intruders
who can send commands controlling the compromised computer.
Advanced
W32/Protoride-W is a Windows worm that spreads via network shares.
The worm also has a backdoor component that allows unauthorised remote
access to the computer through the IRC network.
W32/Protoride-W attempts to copy itself to the Windows system folder and
set the following registry entry to run itself prior to any EXE files
that are opened on the computer:
HKCR\exefile\Shell\open\command\@ = "msupdate.exe" %1 %*
W32/Protoride-W attempts to copy itself to msupdate.exe in the startup
folder of shared network drives.
W32/Protoride-W may also set the following registry entry:
HKLM\Software\BeyonD inDustries\ProtoType[v6.7.6]
W32/Protoride-W remains resident in memory, running in the background as
a service process and listening for commands from remote intruders
received via IRC channels.
Name Troj/Mirchack-D
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Reduces system security
Aliases
* IRC/Flood.cd.dr
* BKDR_IRCFLOOD.CD
Prevalence (1-5) 2
Description
Troj/Mirchack-D is a hacked version of the mIRC32 application.
Troj/Mirchack-D reads configuration data from a file DUAL.EXP.
Typically the Trojan is distributed with a malicious DUAL.EXP file as
part of a backdoor or flooding Trojan.
Name W32/Agobot-NX
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Prevalence (1-5) 2
Description
W32/Agobot-NX is an IRC backdoor Trojan and network worm.
W32/Agobot-NX is capable of spreading to computers on the local network
protected by weak passwords.
When first run, W32/Agobot-NX copies itself to the Windows system folder
as bmsvc32.exe.
W32/Agobot-NX runs continuously in the background providing backdoor
access to the computer through IRC channels.
W32/Agobot-NX attempts to terminate and disable various anti-virus and
security related programs and modifies the HOSTS file located at
%WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus
websites to the loopback address 127.0.0.1 in an attempt to prevent
access to these sites.
Advanced
W32/Agobot-NX is an IRC backdoor Trojan and network worm.
W32/Agobot-NX is capable of spreading to computers on the local network
protected by weak passwords.
When first run, W32/Agobot-NX copies itself to the Windows system folder
as bmsvc32.exe and creates the following registry entries to run itself
on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Bmsvc32 = "bmsvc32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Bmsvc32 = "bmsvc32.exe"
The worm also sets or modifies the following registry entry:
HKCR\.key\
@ = "regfile"
W32/Agobot-NX runs continuously in the background providing backdoor
access to the computer through IRC channels.
W32/Agobot-NX attempts to terminate and disable various anti-virus and
security related programs and modifies the HOSTS file located at
%WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus
websites to the loopback address 127.0.0.1 in an attempt to prevent
access to these sites. Typically the following mappings will be appended
to the HOSTS file:
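A small checker for the HOSTS tampering described above, added here as an example (not Sophos code): it parses a HOSTS file and reports security-vendor hostnames pointed at a loopback address. The vendor domain set and the sample file are constructed assumptions, and it goes slightly beyond the advisory by also treating `::1` and `0.0.0.0` as sinkhole targets.

```python
# Added example, not Sophos code: flag security-vendor hosts that a HOSTS file
# maps to a loopback or null address, as W32/Agobot-NX does.
import sys

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Assumption: registrable domains of the vendors the advisory names; extend as needed.
VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com", "trendmicro.com",
}

# Constructed sample, modelled on the advisory's mappings (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com
10.0.0.5  intranet.example   # legitimate local override, not flagged
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            yield address, name.lower().rstrip(".")


def registrable_domain(hostname):
    """Last two labels; good enough for this vendor list, not a public-suffix lookup."""
    return ".".join(hostname.split(".")[-2:])


def find_sinkholed_vendors(text):
    """Return vendor hostnames pointed at a loopback/null address, in file order."""
    return [name for address, name in parse_hosts(text)
            if address in LOOPBACK and registrable_domain(name) in VENDOR_DOMAINS]


if __name__ == "__main__":
    # Pass the live file, e.g. %WINDOWS%\System32\Drivers\etc\HOSTS from the advisory.
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        print(find_sinkholed_vendors(fh.read()))
```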
Name W32/Rbot-NK
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-NK is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-NK may be triggered to spread to network shares and via various
exploits including RPC-DCOM, LSASS and various backdoors opened by other
Trojans.
Advanced
W32/Rbot-NK's backdoor functionality may allow a remote intruder to:
- Access webcam
- Capture screenshot
- Steal CD keys related to various software
- Capture Windows login information on Windows NT/2000
- Access files on Host computer
- Send Email messages to other hosts
- Download/Upload/Execute files on host
- Run Keylogger
- Sniff network traffic and carry out DDOS on target
W32/Rbot-NK copies itself to the Windows system folder as realplay.exe
and creates entries in the registry at the following locations to run
itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Realplayer One: "realplay.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Realplayer One: "realplay.exe"
When triggered, W32/Rbot-NK tries to set the following registry entry to
disable DCOM:
HKLM\Software\Microsoft\OLE\EnableDCOM = "N"
W32/Rbot-NK tries to set the following registry entry to restrict access
to the IPC$ share on the infected computer:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
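An added example (not Sophos code) that audits a registry snapshot for the changes described in the W32/Protoride-W entry (the exefile open command hijack) and the W32/Rbot-NK entry above (the EnableDCOM and restrictanonymous settings, plus bare-filename autoruns). The snapshot format, the sample snapshots and the bare-autorun heuristic are assumptions of this example.

```python
# Added example, not Sophos code. Snapshot shape is an assumption:
# key path -> {value name: data}, with "@" standing for a key's default value.
CANONICAL_EXEFILE_OPEN = '"%1" %*'   # stock Windows command for opening an .exe
AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)


def audit_registry(snapshot):
    """Return a list of (indicator, detail) tuples; an empty list means nothing matched."""
    findings = []
    # Protoride-W rewrites the exefile open command so it runs before every EXE.
    cmd = snapshot.get(r"HKCR\exefile\Shell\open\command", {}).get("@", "")
    if cmd.strip() != CANONICAL_EXEFILE_OPEN:
        findings.append(("exefile_open_hijacked", cmd))
    # Rbot-NK turns DCOM off and restricts anonymous IPC$ access once installed.
    # Both are also legitimate hardening settings, so treat them as corroborating
    # evidence next to the autorun entries, not as proof on their own.
    if snapshot.get(r"HKLM\Software\Microsoft\OLE", {}).get("EnableDCOM", "Y").upper() == "N":
        findings.append(("dcom_disabled", "EnableDCOM = N"))
    lsa = snapshot.get(r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", {})
    if str(lsa.get("restrictanonymous", "0")) == "1":
        findings.append(("anonymous_ipc_restricted", "restrictanonymous = 1"))
    # Heuristic (assumption): the autorun values in these advisories are bare file
    # names resolved from the system folder, so any autorun without a directory
    # component is listed for review.
    for key in AUTORUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if "\\" not in data and "/" not in data:
                findings.append(("bare_autorun", f"{key}\\{name} = {data}"))
    return findings


# Constructed snapshots: one shaped like a Protoride-W/Rbot-NK infection, one clean.
INFECTED = {
    r"HKCR\exefile\Shell\open\command": {"@": '"msupdate.exe" %1 %*'},
    r"HKLM\Software\Microsoft\OLE": {"EnableDCOM": "N"},
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa": {"restrictanonymous": "1"},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {"Realplayer One": "realplay.exe"},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices": {"Realplayer One": "realplay.exe"},
}
CLEAN = {
    r"HKCR\exefile\Shell\open\command": {"@": '"%1" %*'},
    r"HKLM\Software\Microsoft\OLE": {"EnableDCOM": "Y"},
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa": {"restrictanonymous": "0"},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {"Updater": r"C:\Program Files\Example\updater.exe"},
}

if __name__ == "__main__":
    for indicator, detail in audit_registry(INFECTED):
        print(indicator, detail)
```

On a live Windows host the snapshot would be filled from the `winreg` module or a `reg export` dump; that reader is left out here so the block runs anywhere.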
Name W32/Ssik-A
Type
* Worm
Affected operating systems
* Windows
Side effects
* Reduces system security
* Installs itself in the Registry
Aliases
* WORM_SSIK.A
Prevalence (1-5) 2
Description
W32/Ssik-A is a worm for the Windows platform.
Advanced
W32/Ssik-A is a worm for the Windows platform.
The worm copies itself to the Windows system folder and creates the
following registry entry so that it will be run at login time:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Login = "%filename%"
(where %filename% is the name of the worm's executable file).
If the system date starts with "7/8" (this can happen on either 08 July
or 07 August, depending on the locale) W32/Ssik-A will create a message
box containing the following text:
LoRz reborn!!
In order to make itself harder to terminate, the worm copies taskmgr.exe
from the System folder to the Windows folder.
W32/Ssik-A periodically attempts to copy itself to the A:\ drive, if
present.
Name W32/Rbot-PU
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.gen
* W32/Sdbot.worm.gen.p
Prevalence (1-5) 2
Description
W32/Rbot-PU is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-PU spreads to network shares with weak passwords as a result of
the backdoor Trojan element receiving the appropriate command from a
remote user.
Advanced
W32/Rbot-PU is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels.
W32/Rbot-PU spreads to network shares with weak passwords as a result of
the backdoor Trojan element receiving the appropriate command from a
remote user.
W32/Rbot-PU copies itself to the Windows System32 folder as
WUAMGRD32.EXE and creates the following registry entries in order to run
itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update32 = wuamgrd32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update32 = wuamgrd32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update32 = wuamgrd32.exe
Name W32/Forbot-CJ
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Wootbot
Prevalence (1-5)
Description
W32/Forbot-CJ is a network worm that spreads by scanning for vulnerable
machines.
The worm uses a Microsoft exploit to automatically run. This can be
patched using Microsoft Security Bulletin MS04-011.
The worm has a backdoor component, and any machine that is infected can
be accessed by third parties.
Advanced
W32/Forbot-CJ is a network worm with backdoor functionality.
In order to run automatically when Windows starts up the worm moves
itself to the Windows system folder as regexpress.exe and creates the
following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Registry Express Loader = regexpress.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Windows Registry Express Loader = regexpress.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Registry Express Loader = regexpress.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Windows Registry Express Loader = regexpress.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Registry Express Loader = regexpress.exe
W32/Forbot-CJ also creates its own service named "Windows Registry
Express Loader".
Once installed, W32/Forbot-CJ connects to a preconfigured IRC server and
joins a channel from which an attacker can issue further commands. These
commands can cause the infected machine to perform any of the following
actions:
- flood a remote host (by either ping or HTTP)
- start a SOCKS4 proxy server
- portscan randomly-chosen IP addresses
- execute arbitrary commands
- steal information such as passwords and product keys
- upload/download files
The worm can spread to unpatched machines affected by the LSASS
vulnerability (see MS04-011) and machines infected by any of the
Troj/Optix family of backdoor Trojans.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SOURCE: echomail via fidonet.ozzmosis.com