[cut-n-paste from sophos.com]
Name W32/Loosky-S
Type
* Spyware Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Email-Worm.Win32.Locksky.r
* W32/Loosky.dr
Prevalence (1-5) 2
Description
W32/Loosky-S is a multi-component email worm with Trojan
functionality for the Windows platform.
W32/Loosky-S attempts to bypass the Windows firewall.
W32/Loosky-S will steal user passwords, window text and website
information related to certain banking sites.
W32/Loosky-S acts as a proxy, rerouting information through the
infected computer.
W32/Loosky-S attempts to send itself to email addresses harvested
from the infected computer. Emails sent have the following
characteristics:
Subject line: Your mail Account is Suspended
Message text:
We regret to inform you that your account has been suspended due to
the violation of our site policy, more info is attached.
Attachment name: acc_inf19.exe
W32/Loosky-S notifies a remote site and will attempt to download and
execute update files.
Advanced
W32/Loosky-S is a multi-component email worm with Trojan
functionality for the Windows platform.
When first run W32/Loosky-S copies itself to \sachostx.exe
and creates some of the following files:
\attrib.ini - clean log file
\hard.lck - clean zero-byte file
\msvcrl.dll - stealthing component, also steals website
information
\sachostc.exe - tcp redirecting component
\sachostm.exe - log-mailing component
\sachostp.exe - password-stealing component
\sachosts.exe - socks proxy component
\sachostw.exe - main email worm component
\temp.bak - a temporary copy of sachostw.exe
All files except the clean files attrib.ini and hard.lck are detected
as W32/Loosky-S.
The following registry entry is created to run sachostx.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HostSrv
\sachostx.exe
W32/Loosky-S uses netsh to attempt to bypass the Windows firewall for
several of the dropped files.
W32/Loosky-S will steal user passwords and window text, and website
information related to certain banking sites, and stores it in the
file attrib.ini. This file will periodically be sent by email to
erwaderrruio{at}list.ru as if from the address vasya{at}mail.ru.
W32/Loosky-S acts as a proxy, rerouting information through the
infected computer.
W32/Loosky-S attempts to send itself to email addresses harvested
from the infected computer. Emails sent have the following
characteristics:
Subject line: Your mail Account is Suspended
Message text:
We regret to inform you that your account has been suspended due to
the violation of our site policy, more info is attached.
Attachment name: acc_inf19.exe
W32/Loosky-S attempts to contact a script at a remote site to notify
it of the infected computer, and will attempt to download and execute
update files from the same site to a file in the Temp folder starting
tmx.
Name W32/Rbot-BJH
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.amr
* W32/Sdbot.worm.gen.h
Prevalence (1-5) 2
Description
W32/Rbot-BJH is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-BJH spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx),
PNP
(http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx)
and ASN.1
(http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx).
W32/Rbot-BJH runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Rbot-BJH is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-BJH spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx),
PNP
(http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx)
and ASN.1
(http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx).
W32/Rbot-BJH runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-BJH copies itself to \usbcontrol.exe
and creates the file \SoftWareProtector\vnc.pr.
The following registry entries are created to run usbcontrol.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft
usbcontrol.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
usbcontrol.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
usbcontrol.exe
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/Zlob-DV
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Zlob.dv
Prevalence (1-5) 2
Description
Troj/Zlob-DV is a Trojan for the Windows platform.
Name Troj/Bancban-NM
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Uses its own emailing engine
Aliases
* Trojan-Spy.Win32.Banker.ahy
* PWS-Banker.gen.h
Prevalence (1-5) 2
Description
Troj/Bancban-NM is an internet banking Trojan for the Windows platform.
Advanced
Troj/Bancban-NM is an internet banking Trojan for the Windows platform.
Troj/Bancban-NM includes functionality to send notification messages
to remote locations.
When first run Troj/Bancban-NM copies itself to \wupdmgr.exe.
Name Troj/Bandler-K
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Banker.zp
Prevalence (1-5) 2
Description
Troj/Bandler-K is a password stealing Trojan for the Windows platform.
Troj/Bandler-K targets the customers of certain Brazilian online
banking websites by displaying fake user interfaces and recording any
entered details.
Advanced
Troj/Bandler-K is a password stealing Trojan for the Windows platform.
Troj/Bandler-K targets the customers of certain Brazilian online
banking websites by displaying fake user interfaces and recording any
entered details.
Troj/Bandler-K includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Bandler-K copies itself to \smss.exe.
Name W32/PPDoor-R
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.PPdoor.bq
Prevalence (1-5) 2
Description
W32/PPdoor-R is a worm with backdoor functionality for the Windows
platform.
Advanced
W32/PPdoor-R is a worm with backdoor functionality for the Windows
platform.
W32/PPdoor-R spreads by copying itself to network shares protected by
weak passwords.
The backdoor component of W32/PPDoor-R listens for further commands
from a remote user. W32/PPdoor-R may also act as a SOCKS, mail and
P2P proxy.
W32/PPdoor-R includes functionality to access the internet and
communicate with a remote server via HTTP.
When W32/PPdoor-R is installed the following files are created:
\arpo412.exe
\mqadonfg.dll
\winrpmsg.dll
\wndfxyfi.dll
\hgakheg.dll
\vjoytl32.dll
Arpo412.exe, mqadonfg.dll and winrpmsg.dll are detected as
W32/PPdoor-R. wndfxyfi.dll, hgakheg.dll and vjoytl32.dll are harmless
data file that may be safely deleted.
The following registry entries are created to run arpo412.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shedule Connection
\arpo412.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Shedule Connection
\arpo412.exe
The following registry entry is changed to run arpo412.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\arpo412.exe
(the default value for this registry entry is "\System32\userinit.exe,").
The following registry entry is created to run code exported by the
Trojan library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad
Shedule WebControl
{542B4183-DA4E-478D-9C92-211A13EDFAEA}
The file mqadonfg.dll is registered as a COM object, creating
registry entries under:
HKCR\CLSID\{542B4183-DA4E-478D-9C92-211A13EDFAEA}
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe,arpo412.exe
Name W32/Floppy-E
Type
* Worm
How it spreads
* Network shares
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* WORM_GATECOLL.A
Prevalence (1-5) 2
Description
W32/Floppy-E is a worm for the Windows platform.
W32/Floppy-E spreads via file sharing on Peer-to-peer networks.
Advanced
W32/Floppy-E is a worm for the Windows platform.
W32/Floppy-E spreads via file sharing on Peer-to-peer networks.
When first run W32/Floppy-E copies itself to:
\calc.exe
\config_.com
\mscalc.exe
\windows.exe
\winnt.exe
\config_.com
\Recent\New Folder.exe
\SendTo\New Folder.exe
\startupFolder.com
\calc.exe
\new folder.exe
In addition to the above list, W32/Floppy-E will also create a copy
of itself as an EXE file named the same as the parent folder in
sub-folders of:
\Nethood\
Note that all sub-folders of the above locations will be used even if
the parent folder has the hidden or system attributes.
W32/Floppy-E will create the file \autorun.inf.
W32/Floppy-E will create a copy of itself in the root of all
removable drives along with the file autorun.inf to run the replicant
upon insertion / connection.
W32/Floppy-E creates the following registry entry to run a copy of
itself at startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer5
\config_.com
Name W32/Alcra-E
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Trojan-Dropper.Win32.WinAD.h
* W32.Alcra.D
* TROJ_DROPPER.OX
Prevalence (1-5) 2
Description
W32/Alcra-E is a worm for the Windows platform which may arrive
disguised as a Windows Media Player file.
W32/Alcra-E spreads via file sharing on P2P networks.
W32/Alcra-E includes functionality to download, install and run new
malware executables.
Once executed W32/Alcra-E displays the following fake error message:
Title: Windows media player
Message text: Codec Error : 60034 Please Check Codec Exists
W32/Alcra-E also drops W32/Rbot-BJU.
Advanced
W32/Alcra-E is a worm for the Windows platform which may arrive
disguised as a Windows Media Player file.
W32/Alcra-E spreads via file sharing on P2P networks.
W32/Alcra-E includes functionality to download, install and run new
malware executables.
Once executed W32/Alcra-E displays the following fake error message:
Title: Windows media player
Message text: Codec Error : 60034 Please Check Codec Exists
When first run W32/Alcra-E copies itself to \MsMovies\MsMovies.exe and \MsMovies\v.tmp and
creates the following files:
\MsMovies\p.zip
\winlogi.ex
\cmd.com
\netstat.com
\ping.com
\regedit.com
\taskkill.com
\tasklist.com
\tracert.com
where p.zip is a zipped copy of the Trojan, winlogi.exe is detected
as W32/Rbot-BJU and the rest files are used to prevent execution of
the applications with the corresponded name.
The following registry entry is created to run MsMovies.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MsMovies
\MsMovies\MsMovies.exe /auto
Name W32/Rbot-BKA
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* WORM_OPANKI.BE
Prevalence (1-5) 2
Description
W32/Rbot-BKA is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-BKA runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
Advanced
W32/Rbot-BKA is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-BKA runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
When first run W32/Rbot-BKA copies itself to \outlook.exe.
The following registry entries are created to run outlook.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Outlook Mail Services
outlook.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Outlook Mail Services
outlook.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Outlook Mail Services
outlook.exe
The worm spreads through network shares, TFTP servers and through AOL
Instant
Messenger (AIM).
Name Troj/Bifrose-DB
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Backdoor.Win32.Bifrose.dc
* BackDoor-CEP
Prevalence (1-5) 2
Description
Troj/Bifrose-DB is a backdoor Trojan for the Windows platform that
provides unauthorized remote access to the infected computer.
Troj/Bifrose-DB includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Bifrose-DB is a backdoor Trojan for the Windows platform that
provides unauthorized remote access to the infected computer.
Troj/Bifrose-DB includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Bifrose-DB copies itself to \server.exe
with the hidden file attributes.
The following registry entries are created to run server on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
startkey
server.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
startkey
server.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
startkey
server.exe
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
stubpath
server.exe s
Registry entries are set as follows:
HKCU\Sotware\Wget
Klg
01
HKLM\SOFTWARE\Wget
nck
1
Troj/Bifrose-DB inserts itself into the Internet Explorer process
space.
Name Troj/FeebDl-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Worm.Win32.Feebs.h
* JS/Kmax.gen{at}MM
Prevalence (1-5) 2
Description
Troj/FeebDl-A is a downloader Trojan for the Windows platform.
Advanced
Troj/FeebDl-A is a downloader Trojan for the Windows platform.
Troj/FeebDl-A attempts to download one of several encoded executable
files and decode it to C:/recycled/userinit.exe.
Troj/FeebDl-A attempts to delete the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\KmxFile
HKLM\SYSTEM\CurrentControlSet\Services\pcipim
HKLM\SYSTEM\CurrentControlSet\Services\pcIPPsC
HKLM\SYSTEM\CurrentControlSet\Services\RapDrv
HKLM\SYSTEM\CurrentControlSet\Services\FirePM
Troj/FeebDl-A attempts to set the following registry entry in order
to automatically start the file it has downloaded on system start:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}
Stubpath
C:/recycled/userinit.exe
Name Troj/Nethell-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Nethell-A is a downloader Trojan for the windows platform.
The Trojan contains functionality to download code from remote sites.
Troj/Nethell-A attempts to redirect and intercept web traffic in
order to steal login information and passwords.
Advanced
Troj/Nethell-A is a downloader Trojan for the windows platform.
The Trojan contains functionality to download code from remote sites.
Troj/Nethell-A attempts to redirect and intercept web traffic in
order to steal login information and passwords.
Troj/Nethell-A may create the following files:
\nethelper.xml
\nethelper2.xml
\commandhelper.xml
\log.txt
These files are harmless and may be deleted.
The Trojan is registered as a COM object, creating registry entries
under:
HKCR\CLSID\(1593C741-C011-46FE-99FC-3805C28328BA)
HKCR\Interface\(54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC)
HKCR\NetHelper.Hook\
HKCR\NetHelper.Hook.1\
HKCR\TypeLib\(0324D9F1-2199-4424-98C7-A0E8CC45743B)
The following registry entries are set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
FGID
Troj/Nethell-A may modify the windows hosts file.
Name W32/Tilebot-CX
Type
* Worm
How it spreads
* Network shares
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Aimbot.bo
* WORM_AGOBOT.BAJ
* W32/Opanki.worm
* W32.HLLW.Gaobot
Prevalence (1-5) 2
Description
W32/Tilebot-CX is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-CX runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
W32/Tilebot-CX can spread via the LSASS
(http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx),
RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx), PNP
(http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx),
and ASN.1
(http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx)
vulnerabilities, as well as to weakly protected network shares.
W32/Tilebot-CX includes functionality to access the internet and
communicate
with a remote server via HTTP.
Advanced
W32/Tilebot-CX is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-CX runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
W32/Tilebot-CX can spread via the LSASS
(http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx),
RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx), PNP
(http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx),
and ASN.1
(http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx)
vulnerabilities, as well as to weakly protected network shares.
W32/Tilebot-CX includes functionality to access the internet and
communicate
with a remote server via HTTP.
When first run W32/Tilebot-CX copies itself to \shell32.exe.
The file shell32.exe is registered as a new system driver service named
"Shell32Extender", with a display name of "Microsoft Windows Explorer
Shell
Subsystem" and a startup type of automatic, so that it is started
automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Shell32Extender\
W32/Tilebot-CX sets the following registry entries, disabling the
automatic
startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Rbot-BJR
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.gen
* W32/Sdbot.worm.gen.ar
Prevalence (1-5) 2
Description
W32/Rbot-BJR is a worm with backdoor functionality for the Windows
platform.
W32/Rbot-BJR spreads:
- to other network computers infected with W32/MyDoom and W32/Bagle
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012) and
WebDav (MS03-007)
- to netowrk shares protected by weak passwords
W32/Rbot-BJR can be controlled by a remote attacker over IRC
channels. The backdoor component of W32/Rbot-BJR can be instructed by
a remote user to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
Advanced
W32/Rbot-BJR is a worm with backdoor functionality for the Windows
platform.
W32/Rbot-BJR spreads:
- to other network computers infected with W32/MyDoom and W32/Bagle
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012) and
WebDav (MS03-007)
- to netowrk shares protected by weak passwords
W32/Rbot-BJR can be controlled by a remote attacker over IRC
channels. The backdoor component of W32/Rbot-BJR can be instructed by
a remote user to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
W32/Rbot-BJR also attempts to steal product registration information
from the following gaming software:
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Chrome
Command and Conquer: Generals
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike (Retail)
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden & Dangerous 2
IGI 2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Legends of Might and Magic
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
Neverwinter Nights (Hordes of the Underdark)
Neverwinter Nights (Shadows of Undrentide)
NHL 2002
NHL 2003
Rainbow Six III RavenShield
Shogun: Total War: Warlord Edition
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
When first run W32/Rbot-BJR copies itself to
\Firewall-UpdateV9.exe.
The following registry entries are created to run
Firewall-UpdateV9.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Personal Firewall V9
Firewall-UpdateV9.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Personal Firewall V9
Firewall-UpdateV9.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Personal Firewall V9
Firewall-UpdateV9.exe
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Codbot-K
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Codbot.z
* W32/Gaobot.worm.gen.q
* W32.Randex
Prevalence (1-5) 2
Description
W32/Codbot-K is a network worm with backdoor functionality for the
Windows platform.
The worm connects to an IRC channel and listens for backdoor commands
from a remote attacker. The backdoor functionality of the worm
includes the ability to sniff packets, download further malicious
code and steal passwords and other system information.
Advanced
W32/Codbot-K is a network worm with backdoor functionality for the
Windows platform.
The worm connects to an IRC channel and listens for backdoor commands
from a remote attacker. The backdoor functionality of the worm
includes the ability to sniff packets, download further malicious
code and steal passwords and other system information.
When first run, W32/Codbot-K copies itself to the Windows system
folder as SCardClnt.exe and installs itself as a service with these
attributes:
servicename = SCardClnt
displayname = "Smart Card Client"
imagepath = SCardClnt.exe
W32/Codbot-K may make the following change to the system registry:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
W32/Codbot-K may attempt to exploit a number of vulnerabilities,
including the LSASS vulnerability (MS04-011).
Patches for the operating system vulnerability exploited by
W32/Codbot-K can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Name W32/Antiman-A
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Antiman.a
Prevalence (1-5) 2
Description
W32/Antiman-A is a mass-mailing worm for the Windows platform.
Emails sent by the worm can have the following features:
Subject line chosen from:
Faza cu camila
Sex in camin
Antivirus
Poza de la mare...
De ce mor mai repede curiosii...
Antimanele
Votati astazi!
Cu sau fara Manele ?
Pentru Ionel
Message text chosen from:
Ti-am trimis ultima poza de la mare. Asta e?
Asta e ultimul antivirus. Ar trebui sa rezolve toate problemele.
:)))))))
Nu deschide acest mesaj! E numai pentru persoanele prea curioase!
Daca sunteti nu mai suportati manelele la servici, tramvai, taxi,
metrou, etc., trimiteti acest mesaj la toti prietenii dvs. !
Va multumesc (din suflet).
Credeti ca ar fi mai bine ca Romania sa-si retraga trupele d in Irak
anul acesta?
Deschideti programul Vot, alegeti votul dvs. si vedeti rezul tatele.
Parerea dvs. conteaza!
Draga Ionel
Scuza-ma ca nu ti-am mai scris de mult timp, dar am avut ceva
probleme cu calculatorul
Ti-am promis ultima data pe chat o poza cu mine dezbracata... m-am
gandit mult la asta si cred ca pana la urma cel mai bine e sa-ti
trimit o poza.
Sper sa-ti placa. Daca nu o sa-mi mai scrii dupa mesajul asta, o sa
te inteleg...
Roxana,
Attached filename chosen from:
poza_roxana._JPG.exe
antimanele.exe
curiosii.exe
camila.exe
ioana_divx._AVI.exe
antivirus.exe
scan_picture_0001._JPG.exe
film_papa._avi._divx_.exe
Advanced
W32/Antiman-A is a mass-mailing worm for the Windows platform.
When run the worm copies itself to the Windows folder as funny.scr
and to the current users Startup folder as startwin.exe. The worm
will then modify the following registry entry so as to become the new
screen saver:
HKCU\Control Panel\desktop
SCRNSAVE.EXE
%WINDOWS%\funny.scr
Emails sent by the worm can have the following features:
Subject line chosen from:
Faza cu camila
Sex in camin
Antivirus
Poza de la mare...
De ce mor mai repede curiosii...
Antimanele
Votati astazi!
Cu sau fara Manele ?
Pentru Ionel
Message text chosen from:
Ti-am trimis ultima poza de la mare. Asta e?
Asta e ultimul antivirus. Ar trebui sa rezolve toate problemele.
:)))))))
Nu deschide acest mesaj! E numai pentru persoanele prea curioase!
Daca sunteti nu mai suportati manelele la servici, tramvai, taxi,
metrou, etc., trimiteti acest mesaj la toti prietenii dvs. !
Va multumesc (din suflet).
Credeti ca ar fi mai bine ca Romania sa-si retraga trupele d in Irak
anul acesta?
Deschideti programul Vot, alegeti votul dvs. si vedeti rezul tatele.
Parerea dvs. conteaza!
Draga Ionel
Scuza-ma ca nu ti-am mai scris de mult timp, dar am avut ceva
probleme cu calculatorul
Ti-am promis ultima data pe chat o poza cu mine dezbracata... m-am
gandit mult la asta si cred ca pana la urma cel mai bine e sa-ti
trimit o poza.
Sper sa-ti placa. Daca nu o sa-mi mai scrii dupa mesajul asta, o sa
te inteleg...
Roxana,
Attached filename chosen from:
poza_roxana._JPG.exe
antimanele.exe
curiosii.exe
camila.exe
ioana_divx._AVI.exe
antivirus.exe
scan_picture_0001._JPG.exe
film_papa._avi._divx_.exe
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
|