[cut-n-paste from sophos.com]
Name Troj/Dorf-Fam
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 5 [not a typo]
Description
Troj/Dorf-Fam is a family of backdoor Trojans for the Windows platform.
Advanced
Troj/Dorf-Fam is a family of backdoor Trojans for the Windows platform.
Troj/Dorf-Fam attempts to drop the file \wincom32.sys, also
detected as Troj/Dorf-Fam. This file is registered as a service with
a Display Name of "wincom32", with registry entries set at the
following location:
HKLM\SYSTEM\CurrentControlSet\Services\wincom32
Troj/Dorf-Fam then attempts to inject another file into services.exe.
This file is also detected as Troj/Dorf-Fam, and may create the clean
file \peers.ini, as well as download and execute code from
the internet, and provide backdoor functionality to allow access to
the computer by a remote user.
Name Troj/DwnLdr-FYB
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Win32/TrojanDownloader.Tiny.NCA
Prevalence (1-5) 3
Description
Troj/DwnLdr-FYB is a Trojan for the Windows platform.
Troj/DwnLdr-FYB includes functionality to download, install and run
new software.
At the time of writing, Troj/DwnLdr-FYB attempts to download and
execute a file that is detected by Sophos as Mal/Packer.
Name Troj/Lineag-AIQ
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Prevalence (1-5) 2
Description
Troj/Lineag-AIQ is a password stealing Trojan for the Windows platform.
Advanced
When first run Troj/Lineag-AIQ copies itself to \wsvbs.exe
and creates
the file \wsvbs.dll.
The following registry entry is created to run wsvbs.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wsvbs
\wsvbs.exe
Name W32/Rbot-GAW
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-GAW is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-GAW spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC
(MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1 (MS04-007) and
RealVNC (CVE-2006-2369) and by copying itself to network shares
protected by weak passwords.
W32/Rbot-GAW runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Rbot-GAW is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-GAW spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC
(MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1 (MS04-007) and
RealVNC (CVE-2006-2369) and by copying itself to network shares
protected by weak passwords.
W32/Rbot-GAW runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-GAW copies itself to \msvchost.exe.
The following registry entries are created to run W32/Rbot-GAW on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
msvchost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
msvchost.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
Microsoft
msvchost.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Name W32/Rbot-GAY
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Rbot-GAY is a network worm with IRC backdoor functionality for
the Windows platform.
W32/Rbot-GAY spreads to other network computers by:
- exploiting common buffer overflow vulnerabilities, including: LSASS
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039),
ASN.1 (MS04-007) and RealVNC (CVE-2006-2369)
- networks protected by weak passwords
Advanced
W32/Rbot-GAY is a network worm with IRC backdoor functionality for
the Windows platform.
W32/Rbot-GAY spreads to other network computers by:
- exploiting common buffer overflow vulnerabilities, including: LSASS
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039),
ASN.1 (MS04-007) and RealVNC (CVE-2006-2369)
- networks protected by weak passwords
W32/Rbot-GAY runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-GAY includes functionality to:
- access the internet and communicate with a remote server via HTTP
- setup a SOCKS4 proxy server
- act as a proxy server redirecting HTTP requests
- perform DDoS attacks
When first run W32/Rbot-GAY copies itself to \.exe.
The following registry entries are set to run W32/Rbot-GAY on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft
.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
.exe
Name W32/Levona-C
Type
* Worm
How it spreads
* Removable storage devices
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Reduces system security
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Levona.c
Prevalence (1-5) 2
Description
W32/Levona-C is a worm and backdoor Trojan for the Windows platform.
Advanced
W32/Levona-C is a worm and backdoor Trojan for the Windows platform.
W32/Levona-C spreads to other network computers.
W32/Levona-C runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
When first run W32/Levona-C copies itself to:
\Renova.exe
\regedit.exe
\Mstry.exe
\msconfig.exe
\Alisa.exe
\Emma.exe
\Nova.exe
\regedit.exe
The worm will search for logical drives on the computer. If any are
found, W32/Levona-C will copy itself as New Folder.exe. The worm also
searches the logical drives for DOC files and will copy itself as
.doc.
W32/Levona-C includes the functionality to disable or minimize many
applications by searching for certain words or phrases in the Windows
Title Bar, including the following security related ones:
ADVANCED REGISTRY TRACER
CASTLECOPS
CILLIN
CLEANER
COMPACTBYTEAV
EARTHLINK PROTECTION
F-SECURE
GRISOFT
HACKER
HIJACK
KASPERSKY
KILLBOX
MACHINE
MCAFEE
NORMAN
NORTON
PROCESS EXPLORER - SYSINTERNALS
PROCEXP
REGISTRYFIX
REMOVER
SECUNIA
SOPHOS
SYMANTEC
VAKSIN
WASHER
The following registry entries are created to run Renova.exe and
Nova.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shell
\Renova.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Renova
Nova.exe
The following registry entries are changed to run Renova.exe and
Mstry.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\Msrun.exe
Debugger
\Mstry.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe "\Renova.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file \Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
explorer.exe "\Renova.exe"
(the default value for this registry entry is
"\System32\userinit.exe,").
The following registry entries are set, disabling the registry editor
(regedit), the Windows task manager (taskmgr) and system restore:
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\
LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisabletaskMgr
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion
RegisteredOrganization
XENOVA
HKCU\Software\Microsoft\Windows\CurrentVersion
RegisteredOwner
RENOVA
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSaveSettings
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFind
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoRun
0
HKCU\Software\Policies\Microsoft\Windows\System
DisableCMD
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOrganization
XENOVA
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOwner
RENOVA
Registry entries are created under:
HKCU\Identities\(D5A9171C-33E5-45AA-8DA6-0CA3468699C7)\
Software\Microsoft\Outlook Express\5.0\Mail\
Name Troj/ShipUp-B
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Trojan.Win32.ShipUp.c
Prevalence (1-5) 2
Description
Troj/ShipUp-B is a Trojan for the Windows platform.
Advanced
Troj/ShipUp-B is a Trojan for the Windows platform.
When first run, Troj/ShipUp-B copies itself to \SP00LSV.EXE.
Registry entries are created under :
HKLM\SOFTWARE\Microsoft\ShipTr
Name W32/Levona-D
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Reduces system security
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Levona.e
Prevalence (1-5) 2
Description
W32/Levona-D is a worm for the Windows platform.
W32/Levona-D spreads to network shares and removable drives.
The worm will search for logical drives on the computer and copy
itself to any found/
W32/Levona-D includes the functionality to disable or minimize many
applications
by searching for certain words or phrases in the Windows Title Bar.
Advanced
W32/Levona-D is a worm for the Windows platform.
W32/Levona-D spreads to network shares and removable drives.
The worm will search for logical drives on the computer. If any are
found, it
will copy itself as Emma.scr.
W32/Levona-D includes the functionality to disable or minimize many
applications
by searching for certain words or phrases in the Windows Title Bar,
including
the following security related ones:
ADVANCED REGISTRY TRACER
CASTLECOPS
CILLIN
CLEANER
COMPACTBYTEAV
EARTHLINK PROTECTION
F-SECURE
GRISOFT
HACKER
HIJACK
KASPERSKY
KILLBOX
MACHINE
MCAFEE
NORMAN
NORTON
PROCESS EXPLORER - SYSINTERNALS
PROCEXP
REGISTRYFIX
REMOVER
SECUNIA
SOPHOS
SYMANTEC
VAKSIN
WASHER
When first run W32/Levona-D copies itself to:
\_Renova.exe
\_Alisa.exe
\_Emma.exe
\regedit.exe
\msconfig.exe
\Alisa.exe
\Emma.exe
\Renova.exe
\regdt32.exe
The following registry entries are created to run Renova.exe and
Emma.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Emira
\Emma.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Renova
\Renova.exe
The following registry entries are changed to run _Emma.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe "\_Emma.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the
Microsoft file \Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
explorer.exe "\_Emma.exe"
(the default value for this registry entry is
"\System32\userinit.exe,").
The following registry entries are set, disabling system restore:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy
Objects\LocalUser\Software\
Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSaveSettings
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFind
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoRun
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisabletaskMgr
0
HKCU\Software\Policies\Microsoft\Windows\System
DisableCMD
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell
\Renova.exe
Name W32/Puce-T
Type
* Virus
How it spreads
* Infected files
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* W32.Ecup
* P2P-Worm.Win32.SpyBot.gz
Prevalence (1-5) 2
Description
W32/Puce-T is a virus for the Windows platform.
The virus infects ZIP archives found in specific folders on the
computer.
Advanced
W32/Puce-T is a virus for the Windows platform.
The virus infects ZIP archives found in specific folders on the
computer.
When run the virus will attempt to copy itself to \svchost.exe
and create the following registry entry so as to auto-start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WindowsServicesStartup
\svchost.exe 1
W32/Puce-T will then search drives C, D and E for the below listed
folders infecting any ZIP archives found there by inserting itself as
Setup.exe, Install.exe or _Run_Me_First.exe
\Program files\emule\incoming
\Download
\TTlTchargement
\Archivos de programa\emule\incoming
\Program Files\Kazaa Lite K++\My Shared Folder
\Program files\KMD\My Shared Folder
\Program files\KaZaA Lite\My Shared Folder
\Program files\Morpheus\My Shared Folder
\Program files\BearShare\Shared
\Program files\Edonkey2000\Incoming
\My Downloads
\My Shared Folder
\Program files\appleJuice\incoming
\Program files\Gnucleus\Downloads
\Program files\Grokster\My Grokster
\Program files\ICQ\shared files
\Program files\KaZaA\My Shared Folder
\Program files\LimeWire\Shared
\Program files\Overnet\incoming
\Program files\Shareaza\Downloads
\Program files\Swaptor\Download
\Program files\WinMX\My Shared Folder
\Program files\Tesla\Files
\Program files\XoloX\Downloads
\Program files\Rapigator\Share
Other folder that are searched for archives to infect are:
C:\Incoming
D:\Incoming
E:\Incoming
F:\Incoming
G:\Incoming
The infected archive may also be copied to another location and
renamed to " updated-fixed -.zip".
Name Troj/Cimuz-BK
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Reduces system security
* Installs itself in the Registry
* Installs a browser helper object
Aliases
* TSPY_BZUB.CJ
* Spy-Agent.ba
Prevalence (1-5) 2
Description
Troj/Cimuz-BK is a Trojan for the Windows platform.
Advanced
Troj/Cimuz-BK is a Trojan for the Windows platform.
When Troj/Cimuz-BK is installed it creates the file
\ipv6monl.dll.The file ipv6monl.dll is registered as a COM
object and Browser Helper Object (BHO) for Microsoft Internet
Explorer, creating registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser
helper objects\{21384D29-1240-2d4f-A15C-17E42823D523}
HKCR\CLSID\{21384D29-1240-2d4f-A15C-17E42823D523}
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\ StandardProfile\AuthorizedApplications\List
\Internet Explorer\IEXPLORE.EXE
\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet
Explorer
The following registry entry is set:
HKCU\Software\Microsoft\Internet Explorer\MainEnable Browser Extensions
yes
Name Troj/Rustok-N
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Reduces system security
Aliases
* Trojan-Clicker.Win32.Costrat.ae
* Win32/Rustock.NBF
Prevalence (1-5) 2
Description
Troj/Rustok-N is a Trojan for the Windows platform.
Advanced
Troj/Rustok-N is a Trojan for the Windows platform.
The Trojan uses stealth techniques in order to hide files, processes
and registry entries.
Troj/Rustok-N can be installed in an alternative datastream (ADS) as
system:lzx32.sys.
Name W32/Rbot-GBX
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Scans network for vulnerabilities
* Scans network for weak passwords
* Scans network for open ports
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-GBX is a worm and IRC backdoor for the Windows platform.
W32/Rbot-GBX spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC
(MS06-040), RPC-DCOM (MS04-012), RealVNC (CVE-2006-2369), Veritas
(CAN-2004-1172) and ASN.1 (MS04-007). The worm may also spread via
networks shares and MSSQL servers protected by weak passwords.
W32/Rbot-GBX runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-GBX includes functionality to:
start an FTP server
start a Proxy server
start a web server
set or remove network shares
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
terminate and disable various anti-virus and security related programs
start a remote shell (RLOGIN)
steal product registration information from certain software
Advanced
W32/Rbot-GBX is a worm and IRC backdoor for the Windows platform.
W32/Rbot-GBX spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC
(MS06-040), RPC-DCOM (MS04-012), RealVNC (CVE-2006-2369), Veritas
(CAN-2004-1172) and ASN.1 (MS04-007). The worm may also spread via
networks shares and MSSQL servers protected by weak passwords.
W32/Rbot-GBX runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-GBX includes functionality to:
start an FTP server
start a Proxy server
start a web server
set or remove network shares
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
terminate and disable various anti-virus and security related programs
start a remote shell (RLOGIN)
steal product registration information from certain software
When first run W32/Rbot-GBX copies itself to \updatees.exe
and creates the file \a.bat.
The file a.bat is detected as Troj/Batten-A.
The following registry entries are created to run updatees.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Firewall Updater
updatees.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Firewall Updater
updatees.exe
W32/Rbot-GBX sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Additional registry entries are set as follows:
HKCU\Software\Microsoft\OLE
Windows Firewall Updater
updatees.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableRemoteConnect
N
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\StandardProfile\AuthorizedApplications\List
|
|:*:Enabled:Windows Firewall Updater
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server
80
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPerServer
80
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/Agent-DWW
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Aliases
* TROJ_AGENT.JBH
Prevalence (1-5) 2
Description
Troj/Agent-DWW is a password stealing Trojan.
Name W32/Fujacks-I
Type
* Virus
How it spreads
* Network shares
* Web browsing
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
* Opens links to websites
* Enables remote access
Aliases
* Worm.Win32.Fujack.i
* W32/Fujacks.a
* Win32/Fujacks
* WORM_FUJACKS.OF
Prevalence (1-5) 2
Description
W32/Fujacks-I is a prepending virus for the Windows platform.
W32/Fujacks-I can also spread to network shares and has backdoor
functionality.
W32/Fujacks-I includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Fujacks-I attempts to download and run additional code and
executables.
Advanced
W32/Fujacks-I is a prepending virus for the Windows platform.
W32/Fujacks-I can also spread to network shares and has backdoor
functionality.
W32/Fujacks-I includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Fujacks-I attempts to download and run additional code and
executables.
W32/Fujacks-I searches the system for files with HTML and ASP
extensions and append code to them. These files are detected as
Troj/Psyme-DO.
When first run W32/Fujacks-I copies itself to
\drivers\spo0lsv.exe.
The following registry entry is created to run spo0lsv.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svcshare
\drivers\spo0lsv.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\Hidden\SHOWALL
CheckedValue
0
Name W32/SillyFDC-L
Type
* Worm
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
Prevalence (1-5) 2
Description
W32/SillyFDC-L is a worm for the Windows platform.
Advanced
W32/SillyFDC-L is a worm for the Windows platform.
W32/SillyFDC-L attempts to periodically copy itself to removeable
drives, including floppy drives and USB keys. The worm will attempt
to create a hidden file Autorun.inf on the removeable drive and copy
itself to the removeable drive as autorun.exe
The file Autorun.inf is designed to start the worm once the removable
drive is connected to a uninfected computer.
Name Troj/DwnLdr-FYD
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Small.dam
Prevalence (1-5) 2
Description
Troj/DwnLdr-FYD is a downloader Trojan for the Windows platform.
Advanced
Troj/DwnLdr-FYD is a downloader Trojan for the Windows platform.
When run Troj/DwnLdr-FYD creates the following files:
\peers.ini - this file can be safely deleted
\wincom32.sys - this file is detected as Troj/DwnLdr-FYD
Troj/DwnLdr-FYD is registered as a new system driver service named
"wincom32" with a display name of "wincom32" and a
startup type of
automatic, so that it is started automatically during system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\
HKLM\SYSTEM\CurrentControlSet\Services\wincom32\
Troj/DwnLdr-FYD includes functionality:
- to download code from the internet
- attach code to the process SERVICES.EXE
Name W32/Brontok-CI
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Reduces system security
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Brontok.n
* W32/Rontokbro.gen{at}MM
Prevalence (1-5) ? [probably 2 by the wording of the email alert]
Description
W32/Brontok-CI is a mass-mailing worm for the Windows platform.
W32/Brontok-CI sends itself to email addresses found on the infected
computer.
Emails sent by the worm have the following characteristics:
From: angelina_19{at}attglobal.net
ratna_19{at}rad.net.id
dewi_21{at}cbn.net.id
If the recipient's address is Indonesian:
Subject: Foto Liburanku di Bali
Message text:
Halo Sobat,
Ini fotoku saat liburan di Bali.
Semoga kamu jadi ingat aku terus.
Terima kasih,
For all other addresses:
Subject: My Photo on Paris
Message text:
This photo was taken from my vacation on Paris, last week.
Wishing you always remember me.
Regards,
Attachment name: Photo.zip
The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat
runs Photo.bmp. Photo.bmp is an executable (currently detected as
Troj/Dloadr-YX )
W32/Brontok-CI modifies the Windows HOST file in attempt to prevent
access to the security-related domains.
Advanced
W32/Brontok-CI is a mass-mailing worm for the Windows platform.
W32/Brontok-CI sends itself to email addresses found on the infected
computer.
Emails sent by the worm have the following characteristics:
From: angelina_19{at}attglobal.net
ratna_19{at}rad.net.id
dewi_21{at}cbn.net.id
If the recipient's address is Indonesian:
Subject: Foto Liburanku di Bali
Message text:
Halo Sobat,
Ini fotoku saat liburan di Bali.
Semoga kamu jadi ingat aku terus.
Terima kasih,
For all other addresses:
Subject: My Photo on Paris
Message text:
This photo was taken from my vacation on Paris, last week.
Wishing you always remember me.
Regards,
Attachment name: Photo.zip
The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat
runs Photo.bmp. Photo.bmp is an executable (currently detected as
Troj/Dloadr-YX )
W32/Brontok-CI modifies the Windows HOST file in attempt to prevent
access to the security-related domains.
When first run W32/Brontok-CI copies itself to:
\Local Settings\Application Data\dv6122400x\yesbron.com
\Local Settings\Application Data\jalak-931224015-bali.com
\_default32142.pif
\j6321422.exe
\o4321427.exe
\sa13188\ib6108.exe
\c_32142k.com
\n5817\b6108.exe
\n5817\csrss.exe
\n5817\lsass.exe
\n5817\services.exe
\n5817\smss.exe
\n5817\sv711224030r.exe
\n5817\winlogon.exe
and creates the following files that can be deleted :
\Baca Bro !!!.txt
\Application Data\Microsoft\Crypto\rsa\s-1-5-18\
d42cc0c3858a58db2db37658219e6400_b51db6e2-3a90-48f4-b2a9-edf389bedc4b
\Tasks\At1.job
\Tasks\At2.job
\Microsoft\Protect\s-1-5-18\User\Preferred
\Microsoft\Protect\s-1-5-18\User\b0f5e31a-8ed3-4a48-91a6-8f7f16
7668a0
\n5817\c.bron.tok.txt
W32/Brontok-CI may install a new version of the file
\msvbvm60.dll.
The following registry entries are created to run yesbron.com,
_default32142.pif, j6321422.exe and sv711224030r.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
y1959sar
\Local Settings\Application Data\dv6122400x\yesbron.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
A5118r
\_default32142.pif
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
y1959sar
\n5817\sv711224030r.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
A5118r
\j6321422.exe
The following registry entries are changed to run j6321422.exe and
o4321427.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "\o4321427.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\j6321422.exe
The following registry entry is set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Brontok
Message
Look {at} "C:\Baca Bro !!!.txt"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Registry entries are created under:
HKCU\Software\Brontok
Name W32/Tilebot-IK
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Scans network for vulnerabilities
Aliases
* W32/Sdbot.worm.gen.ce
Prevalence (1-5) 2
Description
W32/Tilebot-IK is a worm with backdoor functionality for the Windows
platform.
W32/Tilebot-IK spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
SRVSVC (MS06-040), RPC-DCOM (MS04-012), RealVNC (CVE-2006-2369) and
ASN.1 (MS04-007). The worm may also spreads via network shares
protected by weak passwords.
W32/Tilebot-IK runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-IK includes functionality to:
- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks
Advanced
W32/Tilebot-IK is a worm with backdoor functionality for the Windows
platform.
W32/Tilebot-IK spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
SRVSVC (MS06-040), RPC-DCOM (MS04-012), RealVNC (CVE-2006-2369) and
ASN.1 (MS04-007). The worm may also spreads via network shares
protected by weak passwords.
W32/Tilebot-IK runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-IK includes functionality to:
- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks
When first run W32/Tilebot-IK copies itself to the Windows folder as
service.exe and may create the following files:
\rdriv.sys (Detected as Troj/Rootkit-W)
\a.bat (Detected as W32/Tilebot-IK)
The file service.exe is registered as a new system driver service
named "Service", with a display name of "Service" and a
startup type
of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Service\
The file rdriv.sys is registered as a new system driver service named
"Service", with a display name of "rofl". Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\rdriv\
W32/Tilebot-IK attempts to disable the system file checker by
modifying sfc_os.dll or sfc.dll and setting the following registry
entries:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
The modified sfc_os.dll or sfc.dll is detected as "Disabled System
File Check
DLL".
W32/Tilebot-IK replaces the following files with a program that does
nothing.
\ftp.exe
\tftp.exe
The original version of sfc_os.dll or sfc.dll is copied to
\trash.
The original version of ftp.exe is copied to
\Microsoft\backup.ftp.
The original version of tftp.exe is copied to
\Microsoft\backup.tftp.
W32/Tilebot-IK sets the following registry entries, disabling the
automatic
startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
Additional registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Looked-BO
Type
* Worm
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Looked-BO is a virus and network worm for the Windows platform.
W32/Looked-BO infects files found on the local computer.
W32/Looked-BO also copies itself to remote network shares and may
infect files found on those shares.
Advanced
W32/Looked-BO is a virus and network worm for the Windows platform.
W32/Looked-BO infects files found on the local computer.
W32/Looked-BO also copies itself to remote network shares and may
infect files found on those shares.
W32/Looked-BO includes functionality to access the internet and
communicate with a remote server via HTTP. W32/Looked-BO may attempt
to download and execute additional files from a remote location.
When first run W32/Looked-BO copies itself as to
\logo1_.exe, \command\rundl132.exe and drops the
file \RichDll.dll which is detected as W32/Looked-BN.
W32/Looked-BO may also create many files with the name "_desktop.ini"
in various folders on the infected computer. These files are harmless
text files and can be deleted.
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
\command\rundl132.exe
Name W32/Fujacks-U
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Enables remote access
Aliases
* Worm.Win32.Fujack.k
* PE_FUJACKS.DI-O
Prevalence (1-5) 2
Description
W32/Fujacks-U is a prepending virus for the Windows platform.
Advanced
W32/Fujacks-U is a prepending virus for the Windows platform.
W32/Fujacks-U can also spread to network shares and has backdoor
functionality.
W32/Fujacks-U runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Fujacks-U includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Fujacks-U copies itself to
\drivers\spcolsv.exe.
The following registry entry is created to run spcolsv.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svcshare
\drivers\spcolsv.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\Hidden\SHOWALL
CheckedValue
0
Name Troj/ServU-EJ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
Aliases
* Backdoor.Win32.ServU-based.h
Prevalence (1-5) 2
Description
Troj/ServU-EJ is a modified version of a commercial FTP application.
Advanced
Troj/ServU-EJ is a modified version of a commercial FTP application.
Troj/ServU-EJ is modified to read configuration data from the file
\services.dll.
Name W32/Dref-W
Type
* Virus
How it spreads
* Email attachments
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Dref-W is a mass-mailing worm and parasitic virus with IRC
backdoor functionality for the Windows platform.
W32/Dref-W will attempt to infect SCR EXE and RAR files then email
itself as an attachment to email addresses harvested from the
infected computer.
Advanced
W32/Dref-W is a mass-mailing worm and parasitic virus with IRC
backdoor functionality for the Windows platform.
W32/Dref-W will attempt to infect SCR EXE and RAR files then email
itself as an attachment to email addresses harvested from the
infected computer.
When first run, the virus copies itself to \wservice.exe
The following registry entries are set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdateService
\wservice.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdateService
\wservice.exe
Files infected with the virus are detected as W32/Dref-L and can be
disinfected with W32/Dref-L.
The virus also creates a file \.exe and this
file is detected as Troj/Dloadr-ANE.
W32/Dref-W sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 www.docsplace.tzo.com (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 379/1 633/267
|