Subject: News, Feb. 20 2005
[cut-n-paste from sophos.com]
Name W32/MyDoom-O
Type
* Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Aliases
* WORM_MYDOOM.M
* I-Worm.Mydoom.m
* W32/Mydoom.bb
Prevalence (1-5) 4
Description
W32/MyDoom-O is an email worm. When first run, the worm copies itself to
either the Windows or Temp folders as java.exe, and adds one of the
following registry entries to ensure that the copy is run each time
Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
W32/MyDoom-O also creates a file named services.exe in the Windows or
Temp folder and runs the file. Services.exe is a backdoor component.
W32/MyDoom-O searches the hard disk for email addresses. The worm searches
files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB
and DBX and the Windows address book. In addition the worm may use an
internet search engine to find more email addresses. The worm will send
a query to the search engine using domain names from email addresses
found on the hard disk and then examine the query results, searching for
more addresses. The internet search engines used by W32/MyDoom-O and the
percentage chance that each is used are:
www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)
When choosing addresses to send itself to, W32/MyDoom-O will avoid
addresses which contain any of the following strings:
mailer-d
spam
abuse
master
sample
accoun
privacycertific
bugs
listserv
submit
ntivi
support
admin
page
the.bat
gold-certs
ca
feste
not
help
foo
no
soft
site
rating
me
you
your
someone
anyone
nothing
nobody
noone
info
winrar
winzip
rarsoft
sf.net
sourceforge
ripe.
arin.
google
gnu.
gmail
seclist
secur
bar.
foo.com
trend
update
uslis
domain
example
sophos
yahoo
spersk
panda
hotmail
msn.
msdn.
microsoft
sarc.
syma
avp
The email sent by the worm has a spoofed sender.
The subject line may be blank or one of the following:
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
The message text of the email is constructed from a set of optional
strings within the worm. The message sent is blank or similar to one of
the following messages:
Dear user of
Mail server administrator of would like to inform you that We
have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week. We
suspect that your computer had been compromised by a recent virus and
now runs a trojan proxy server. Please follow our instructions in the
attachment file in order to keep your computer safe. Virtually yours
user support team.
The message could not be delivered
The original message was included as attachment
The original message was received at from
----- The following addresses had permanent fatal errors -----
----- Transcript of the session follows -----
... while talking to host :
>>> MAIL From:
<<< 501 User unknown
Session aborted
>>> RCPT To:
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not
reachable within the allowed queue period. The amount of time a message
is queued before it is returned depends on local configuration
parameters. Most likely there is a network problem that prevented
delivery, but it is also possible that the computer is turned off, or
does not have a mail system running right now.
Your message was not delivered within days:
Mail server is not responding.
The following recipients did not receive this message:
Please reply to postmaster{at}
if you feel this message to be in error.
The attached file may be named similarly to the recipient's username or
domain or using one of the following names:
readme
instruction
transcript
mail
letter
file
text
attachment
document
message
with an optional extension of DOC, TXT, HTM, HTML and a final extension
of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a zip
file containing a file named as described.
Name W32/MyDoom-BC
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Mydoom.am
* W32/Mydoom.bc{at}MM
* W32/Mydoom.db{at}MM
* Worm.Mydoom.M-2
Prevalence (1-5) 2
Description
W32/MyDoom-BC is an email worm for the Windows platform.
Email sent by the worm has characteristics similar to the following
examples:
Subject line:
hi
error
test
Message could not be delivered
Message body:
Dear user of
Mail server administrator of would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
user support team.
Attached file:
attachment.com
letter.zip
.exe
Advanced
W32/MyDoom-BC is an email worm. When first run, the worm copies itself
to either the Windows or Temp folders as java.exe, and adds one of the
following registry entries to ensure that the copy is run each time
Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
W32/MyDoom-BC also creates a file named services.exe in the Windows or
Temp folder and runs the file. Services.exe is a backdoor component.
W32/MyDoom-BC searches the hard disk for email addresses. The worm searches
files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB
and DBX and the Windows address book. In addition the worm may use an
internet search engine to find more email addresses. The worm will send
a query to the search engine using domain names from email addresses
found on the hard disk and then examine the query results, searching for
more addresses. The internet search engines used by W32/MyDoom-BC and
the percentage chance that each is used are:
www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)
When choosing addresses to send itself to, W32/MyDoom-BC will avoid
addresses which contain any of the following strings:
abuse
accoun
admin
anyone
arin.
avp
bar.
bugs
ca
domain
example
feste
foo
foo.com
gmail
gnu.
gold-certs
google
help
hotmail
info
listserv
mailer-d
master
me
microsoft
msdn.
msn.
no
nobody
noone
not
nothing
ntivi
page
panda
privacycertific
rarsoft
rating
ripe.
sample
sarc.
seclist
secur
sf.net
site
soft
someone
sophos
sourceforge
spam
spersk
submit
support
syma
the.bat
trend
update
uslis
winrar
winzip
yahoo
you
your
The email sent by the worm has a spoofed sender.
The subject line may be blank or one of the following:
hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
The message text of the email is constructed from a set of optional
strings within the worm. The message sent is blank or similar to one of
the following messages:
Dear user of
Mail server administrator of would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
user support team.
The message could not be delivered
The original message was included as attachment
The original message was received at from
----- The following addresses had permanent fatal errors -----
----- Transcript of the session follows -----
... while talking to host :
>>> MAIL From:
<<< 501 User unknown
Session aborted
>>> RCPT To:
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local
configuration parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within days:
Mail server is not responding.
The following recipients did not receive this message:
Please reply to postmaster{at}
if you feel this message to be in error.
The attached file may be named similarly to the recipient's username or
domain or using one of the following names:
attachment
document
file
instruction
letter
mail
message
readme
text
transcript
with an optional extension of DOC, TXT, HTM, HTML followed by a number
of spaces and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The
attached file may also be a zip file containing a file named as
described.
W32/MyDoom-BC drops a file named services.exe in the Windows or Temp
folder and runs the file.
Services.exe adds the following registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
services
\services.exe
W32/MyDoom-BC also attempts to download and run files from several
websites.
Name W32/Rbot-WF
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Prevalence (1-5) 2
Description
W32/Rbot-WF is a worm with backdoor Trojan functionality.
W32/Rbot-WF is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command. The worm can also spread by exploiting a number of software
vulnerabilities.
W32/Rbot-WF will attempt to terminate a number of anti-virus and
security related applications, along with other malware.
Advanced
W32/Rbot-WF is a worm with backdoor Trojan functionality.
W32/Rbot-WF is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
W32/Rbot-WF will attempt to spread by exploiting the following
vulnerabilities:
DCOM (MS04-012)
LSASS and IIS5SSL (MS04-011)
WebDav (MS03-007)
UPNP (MS01-059)
Buffer overflow in certain versions of DameWare (CAN-2003-1030)
Microsoft SQL servers with weak passwords
Backdoors left open by other malware
When first run, W32/Rbot-WF copies itself to the Windows system folder
as SVCHOSTDLL.EXE and runs this copy of the worm. The copy will then
attempt to delete the original file. In order to run each time a user
logs in, W32/Rbot-WF will set the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN Beta
SVCHOSTdll.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSN Beta
SVCHOSTdll.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN Beta
SVCHOSTdll.exe
The worm runs continuously in the background providing backdoor access
to the infected computer over IRC channels.
W32/Rbot-WF will set the following registry entries in order to disable
DCOM and close restrictions on IPC$ shares:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
W32/Rbot-WF can add and delete network shares and users on the infected
computer.
W32/Rbot-WF will attempt to terminate the following processes:
bbeagle.exe
d3dupdate.exe
i11r54n4.exe
irun4.exe
msblast.exe
MSBLAST.exe
msconfig.exe
mscvb32.exe
navapw32.exe
navw32.exe
netstat.exe
PandaAVEngine.exe
Penis32.exe
rate.exe
regedit.exe
ssate.exe
sysinfo.exe
SysMonXP.exe
teekids.exe
wincfg32.exe
taskmon.exe
winsys.exe
winupd.exe
zapro.exe
zonealarm.exe
Name Troj/Lineage-D
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Records keystrokes
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Lineage-D is a password-stealing Trojan for the Windows platform.
Troj/Lineage-D logs keystrokes for the game Lineage II and emails the
author with the results.
Advanced
Troj/Lineage-D is a password-stealing Trojan for the Windows platform.
Troj/Lineage-D logs keystrokes for the game Lineage II and emails the
author with the results.
Troj/Lineage-D copies itself to the Windows system folder as
"ttplorer.exe" and creates a DLL keylogging component
"ttinject.dll" as
well as the text file "ttdata32.dll" to keep the keylog results.
Troj/Lineage-D creates the following registry entry to run itself
automatically on system login or startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Scvhost
\ttplorer.exe
Name W32/Assiral-A
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Assiral-A is a mass mailing worm which attempts to spread itself by
sending emails with the following characteristics to addresses found in
the victim's address book:
Subject: Re: LOV YA!
Body: Kindly read and reply to my LOVE LETTER in the attachments :-)
Attachment: LOVE_LETTER.TXT.exe
W32/Assiral-A will attempt to copy itself to floppy drives and network
shares.
On opening the attachment, W32/Assiral-A will open a web page through
Internet Explorer at geocities.com. W32/Assiral-A will attempt to modify
Internet Explorer's homepage to the same page.
It will also attempt to kill off various security related applications
and disable various capabilities of Windows.
Advanced
W32/Assiral-A will drop the following files into the system:
C:\message.txt
%Windows%\SpoolMgr.exe
%Windows%\love_letter.txt.exe
%System32%\MS_LARISSA.exe
C:\windows\winvbs_32.vbs
C:\windows\system32\reg_32.vbs
C:\larissa_anti_bropia.html
It will attempt to autostart itself with the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
MS_LARISSA = %system32%\MS_LARISSA.exe
HKLM\software\microsoft\windows\currentversion\run
spoolsv manager = %windows%\SpoolMgr.exe
And set the following registry entries:
HKCR\software\microsoft\windows\currentversion\policies\system\
noadminpage = 1
HKCR\software\microsoft\windows\currentversion\policies\explorer\
dword:03ffffff
HKCR\software\microsoft\windows\currentversion\policies\system\
disableregistrytools = 1
HKCR\software\microsoft\windows\currentversion\policies\explorer\
norun = 1
HKCR\software\microsoft\windows\currentversion\policies\winoldapp\
disabled = 1
HKCU\Software\Microsoft\WAB\
Contacts =
which will disable various administration functions in Windows.
W32/Assiral-A may periodically create a pop-up window to display the
contents of C:\larissa_anti_bropia.html.
Name W32/MyDoom-AS
Type
* Worm
How it spreads
* Email attachments
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* W32/Mydoom.ba{at}MM
Prevalence (1-5) 2
Description
W32/MyDoom-AS is a mass-mailing and peer-to-peer worm which emails
itself as an attachment to addresses found on the infected computer.
When run W32/MyDoom-AS will launch Notepad with garbage which serves as
a decoy.
W32/MyDoom-AS may also create a file hserv.sys in the Windows system
folder. This file is non-malicious and can be safely deleted.
Advanced
W32/MyDoom-AS is a mass-mailing and peer-to-peer worm which emails
itself as an attachment to addresses found on the infected computer.
When run, W32/MyDoom-AS will launch Notepad with garbage which serves
as a decoy.
When first run the worm copies itself to the Windows system folder as
lsasrv.exe and creates the following registry entry so as to auto-start
on computer reboot:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
lsass
%SYSTEM%\lsasrv.exe
On Windows 2000 and Windows XP systems the worm will also modify the
Explorer shell association by changing the following registry entry
from:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer
to:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer %SYSTEM%\lsasrv.exe
W32/MyDoom-AS may also create a file hserv.sys in the Windows system
folder. This file is non-malicious and can be safely deleted.
W32/MyDoom-AS will attempt to copy itself to peer-to-peer folders of
KaZaa, Morpheus, iMesh, eDonkey2000 and LimeWire using the following
filenames (with an extension chosen from: PIF, SCR, EXE or BAT):
activation_crack
Ad-awareref01R349
adultpasswds
avpprokey
dcom_patches
icq2004-final
K-LiteCodecPack2.34a
NeroBROM6.3.1.27
winamp5
winxp_patch
The worm also attempts to remove previous startup registry entries of
other malware which may be installed, terminate various anti-virus and
security applications and prevent access to related websites by
modifying the HOSTS file with the following entries:
127.0.0.1 grisoft.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
W32/MyDoom-AS will harvest email addresses from files found on the
infected computer with the following extensions:
ADB
ASA
ASC
ASM
ASP
CGI
CONF
CSP
DBX
DLT
DWT
EDM
HTA
HTC
HTM
INC
JS
TPL
JSP
LBI
PHP
PL
RDF
RSS
SHT
SSI
STM
TBB
TXT
VB
VBS
WAB
WML
XHT
XML
XSD
XST
Emails generated by the worm have the following characteristics:
Subject lines are chosen from:
Good day
Do not reply to this email
hello
Mail Delivery System
Attention!!!
Mail Transaction Failed
Server Report
Status
Error
Message text is one of:
"Mail transaction failed. Partial message is available."
"The message contains Unicode characters and has been sent as
a binary attachment."
"The message cannot be represented in 7-bit ASCII encoding and
has been sent as a binary attachment."
"Do not visit these sites!!!"
"You have visited illegal websites.
I have a big list of the websites you surfed."
"You think it's funny? You are stupid idiot!!! I'll send
the attachment to your ISP and then I'll be watching
how you will go to jail, punk!!!"
"Your credit card was charged for $500 USD. For additional
information see the attachment"
"ESMTP [Secure Mail System #334]: Secure message is attached."
"Encrypted message is available."
"Delivered message is attached."
"Can you confirm it?"
"Binary message is available."
"am shocked about your document!"
"Are you a spammer? (I found your email on a spammer website!?!"
"Bad Gateway: The message has been attached."
"Attention! New self-spreading virus!
Be careful, a new self-spreading virus called 'RTSW.Smash' spreading
very fast via e-mail and P2P networks. It's about two million people
infected and it will be more.
To avoid your infection by this virus and to stop it we provide you with
full information how to protect yourself against it and also including
free remover. Your can find it in the attachment.
2004 Networks Associates Technology, Inc. All Rights Reserved"
"New terms and conditions for credit card holders
Here a new terms and conditions for credit card holders using a credit
cards for making purchase in the Internet in the attachment. Please,
read it carefully. If you are not agree with new terms and conditions do
not use your credit card in the World Wide Web.
Thank you,
The World Bank Group
2004 The World Bank Group, All Rights Reserved"
"Thank you for registering at WORLDXXXPASS.COM
All your payment info, login and password you can find in the attachment
file. It's a real good choise to go to WORLDXXXPASS.COM"
"Attention! Your IP was logged by The Internet Fraud Complaint Center
Your IP was logged by The Internet Fraud Complaint Center. There was a
fraud attempt logged by The Internet Fraud Complaint Center from your
IP. This is a serious crime, so all records was sent to the FBI. All
information you can find in the attachment. Your IP was flagged and if
there will be anover attemption you will be busted.
This message is brought to you by the Federal Bureau of Investigation
and the National White Collar Crime Center"
"Here is your documents you are requested."
Attachment filenames are chosen from the following and can take one of
these extensions (pif, scr, exe, cmd, bat, zip):
document
readme
doc
rules
file
data
docs
message
body
Name W32/Poebot-H
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Steals information
* Reduces system security
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Backdoor.Win32.PoeBot.a
Prevalence (1-5) 2
Description
W32/Poebot-H is a worm which attempts to spread to remote network shares
with weak passwords. It also contains backdoor functionality allowing
unauthorised remote access to the infected computer via IRC channels.
Advanced
W32/Poebot-H is a worm which attempts to spread to remote network shares
with weak passwords. It also contains backdoor functionality allowing
unauthorised remote access to the infected computer via IRC channels.
W32/Poebot-H allows a remote attacker to:
steal passwords.
download and execute files on the infected computer.
flood other computers with network packets.
retrieve system information.
execute arbitrary commands.
When run, the worm copies itself to the system folder as lssas.exe and
sets the following registry entry in order to run when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Local Security Authority Service
\lssas.exe
Name W32/Kipis-I
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Kipis.k
Prevalence (1-5) 2
Description
W32/Kipis-I is an email worm for the Windows platform.
The worm harvests email addresses from files with the following file
extensions:
ADB
DBX
DOC
EML
HTM
HTML
TBB
TXT
UIN
XLS
XML
The email sent by W32/Kipis-I has the following properties:
Subjects:
Valentine's day
Present
your
Happy day
Happy Valentine's day
your love
here
hi
you my love..
Re: My porno
Message texts:
With the coming Valentine's day! I very much love you. Please see
my flash present.
I congratulate on the coming Valentine's day! My gift to you.
love you! :),congratulate!"
Thank you!!!
----Original Message----
From:
To:
Sent:
Subject: My porno
Attached file:
your present
present
flash love
love
Valentine
porn
porno_03
Joke
nude
My nude_04
Attachment extension:
.scr
.exe
From:
adam
alex
anna
brenda
dana
dave
linda
liza
maria
mary
mike
rosa
sandra
stan
stiv
Note: The "from" field consists of one of the above names and
"{at}
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
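The MyDoom-O and MyDoom-BC write-ups above describe a fixed attachment naming scheme: a base name (one of a short list, or copied from the recipient's username or domain), an optional DOC/TXT/HTM/HTML extension, for the -BC variant a run of spaces, and a final EXE/COM/BAT/CMD/SCR/PIF extension, possibly wrapped in a ZIP. The following is an added example of a mail-gateway check built from that description; it is not Sophos code and not part of the echomail post. The function names, the sample filenames and the in-memory ZIP are my own constructions.

```python
"""Added example: flag mail attachments that match the MyDoom-O/-BC naming
scheme (base name, optional document extension, optional run of spaces,
final executable extension, or a ZIP wrapping such a file).
Not Sophos code; function names and sample data are constructed here."""
import io
import re
import zipfile

EXEC_EXT = ("exe", "com", "bat", "cmd", "scr", "pif")
DOC_EXT = ("doc", "txt", "htm", "html")
BASE_NAMES = {"readme", "instruction", "transcript", "mail", "letter",
              "file", "text", "attachment", "document", "message"}

# name[.doc-ext][spaces].exec-ext, case-insensitive.  The spaces before the
# final extension are the MyDoom-BC padding trick that pushes ".exe" out of
# view in a narrow mail client column.  Base names containing spaces are
# deliberately not matched; the scheme above never produces them.
_PATTERN = re.compile(
    r"^(?P<base>[^.\s]+)(?:\.(?P<doc>%s))?(?P<pad>\s*)\.(?P<exec>%s)$"
    % ("|".join(DOC_EXT), "|".join(EXEC_EXT)),
    re.IGNORECASE,
)


def classify_name(name, local_part=None, domain=None):
    """Return the reasons a filename looks like a MyDoom attachment
    (empty list means no match).  local_part/domain are the recipient's,
    so names copied from the recipient address can be recognised too."""
    m = _PATTERN.match(name)
    if not m:
        return []
    reasons = ["executable extension ." + m.group("exec").lower()]
    base = m.group("base").lower()
    if base in BASE_NAMES:
        reasons.append("known MyDoom base name '%s'" % base)
    for label in (local_part, domain.split(".")[0] if domain else None):
        if label and base == label.lower():
            reasons.append("base name copied from recipient '%s'" % label)
    if m.group("doc"):
        reasons.append("double extension ." + m.group("doc").lower())
    if m.group("pad"):
        reasons.append("%d spaces hiding the real extension" % len(m.group("pad")))
    return reasons


def classify_attachment(name, data=None, local_part=None, domain=None):
    """Classify a bare filename, or every member of a ZIP when `data`
    holds ZIP bytes.  Returns {attachment-or-member: reasons}."""
    hits = {}
    if data is not None and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                r = classify_name(member, local_part, domain)
                if r:
                    hits[name + "!" + member] = r
        return hits
    r = classify_name(name, local_part, domain)
    if r:
        hits[name] = r
    return hits


def build_sample_zip(member_name, payload=b"MZ\x90\x00"):
    """Construct an in-memory ZIP with one member (sample bytes, not a worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # constructed sample names: two worm-style, two benign
    for s in ("readme.txt     .exe", "transcript.pif", "document.doc", "minutes.pdf"):
        print(repr(s), "->", classify_attachment(s) or "clean")
    print("letter.zip ->", classify_attachment("letter.zip", build_sample_zip("letter.htm.scr")))
```

The check is a filename heuristic only; in a real gateway it belongs beside content-type and magic-byte inspection, since the ZIP wrapper defeats extension filters that look at the outer name alone.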
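The W32/MyDoom-AS write-up lists the HOSTS entries the worm adds to pin anti-virus update and vendor hosts to 127.0.0.1 so signature updates silently fail. The following is an added example of an incident-response check for that trick, again not Sophos code and not part of the post: it parses a HOSTS file, flags any vendor hostname mapped to a loopback or null address, and emits a cleaned copy. The vendor-domain list is derived from the entries quoted above, and the sample HOSTS content is constructed.

```python
"""Added example: audit a Windows HOSTS file for the sinkholing trick used by
W32/MyDoom-AS (security-vendor hostnames pinned to loopback/null addresses).
Not Sophos code; vendor list derived from the page, sample file constructed."""
import ipaddress

# Registrable domains behind the hostnames quoted in the MyDoom-AS entry.
VENDOR_DOMAINS = (
    "mcafee.com", "nai.com", "networkassociates.com", "symantec.com",
    "symantecliveupdate.com", "sophos.com", "kaspersky.com",
    "kaspersky-labs.com", "avp.com", "viruslist.com", "f-secure.com",
    "grisoft.com", "trendmicro.com", "ca.com", "my-etrust.com",
)


def _is_loopback_or_null(addr):
    """True for 127.0.0.0/8, ::1, 0.0.0.0 and :: (all common sinkhole targets)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _is_vendor(host):
    """Label-boundary suffix match: 'secure.nai.com' yes, 'boca.com' no."""
    host = host.lower().rstrip(".")
    return any(host == v or host.endswith("." + v) for v in VENDOR_DOMAINS)


def audit_hosts(text):
    """Return (suspicious, cleaned).  suspicious is a list of (line_no, line)
    for entries that pin a vendor host to a loopback/null address; cleaned is
    the file text with exactly those lines removed, everything else intact."""
    suspicious, kept = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, then tokenise
        bad = (len(fields) >= 2
               and _is_loopback_or_null(fields[0])
               and any(_is_vendor(h) for h in fields[1:]))
        if bad:
            suspicious.append((n, raw))
        else:
            kept.append(raw)
    cleaned = "\n".join(kept) + ("\n" if text.endswith("\n") else "")
    return suspicious, cleaned


# Constructed sample: a stock header, a legitimate localhost line, three
# worm-style entries (one using 0.0.0.0 instead of 127.0.0.1), and an
# internal host that must survive the clean-up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com
0.0.0.0   download.mcafee.com  # zeroed variant
127.0.0.1 ca.com
10.0.0.5  intranet.example.com
"""

if __name__ == "__main__":
    bad, clean = audit_hosts(SAMPLE_HOSTS)
    for n, line in bad:
        print("line %d: %s" % (n, line))
    print("--- cleaned ---")
    print(clean, end="")
```

On a live machine the input is `%SystemRoot%\System32\drivers\etc\hosts`; a vendor host resolving to loopback there is a strong indicator on its own, because nothing legitimate on a workstation needs it.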
SOURCE: echomail via fidonet.ozzmosis.com