subject: News, July 16 2005
[cut-n-paste from sophos.com]
Name W32/Mytob-DJ
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Steals information
* Uses its own emailing engine
Aliases
* Trojan-Downloader.Win32.Agent.mg
* W32/Mytob.gen{at}MM
Prevalence (1-5) 2
Description
W32/Mytob-DJ is a mass-mailing worm with backdoor functionality that can
be controlled through the Internet Relay Chat (IRC) network.
Emails sent by W32/Mytob-DJ have message text in the following format,
with details filled in to make the email look more authentic:
"Dear Member,
You have successfully updated the password of your acccount.
If you did not authorize this change or if you need assistance with your
account, please contact customer service
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www."
"Dear user ,
It has come to our attention that your User Profile ( x ) records
are out of date. For further details see the attached document.
Thank you for using .
The Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www."
"Dear Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
Sincerely,The Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www."
"Dear Member,
Your e-mail account was used to send a huge amount of unsolicited spam
messages during the recent week. If you could please take 5-10 minutes
out of your online experience and confirm the attached document so you
will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to
cancel your membership.
Virtually yours,
The Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www."
W32/Mytob-DJ harvests email addresses from files on the infected
computer and from the Windows address book as well as the Microsoft
Internet Account Manager.
Advanced
W32/Mytob-DJ is a mass-mailing worm with backdoor functionality that can
be controlled through the Internet Relay Chat (IRC) network.
When first run W32/Mytob-DJ copies itself to
\winsvc32.exe.
The following registry entries are created to run winsvc32.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
winsvc32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
winsvc32.exe
W32/Mytob-DJ terminates system and anti-virus related processes
including CMD.EXE, TASKMON.EXE and REGEDIT.EXE.
W32/Mytob-DJ also appends the following mappings to the HOSTS file to
deny access to trading, financial and security related websites:
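As an added illustration (not Sophos text or code), the following Python check parses a HOSTS file and reports hostnames that have been pinned to a loopback or blackhole address, which is how the mappings described above cut the machine off from update and security sites. The LEGIT_LOOPBACK set, the optional vendor-suffix filter and the sample HOSTS content are constructed assumptions.

```python
"""Flag HOSTS-file entries that sink security-vendor or update domains.

W32/Mytob-DJ appends "127.0.0.1 <domain>" lines so that AV update servers
and other sites resolve to the local machine. This parser reads HOSTS text
and reports hostnames that are mapped to a loopback/unspecified address.
"""
import ipaddress

# Hostnames that legitimately resolve to loopback (assumed baseline).
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}


def is_sinkhole(addr: str) -> bool:
    """True for 127.x.x.x, ::1 and 0.0.0.0, the usual hijack targets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def find_hijacked(text: str, watch_suffixes=()):
    """Return sorted hostnames mapped to a sinkhole address that are not
    legitimate loopback names. If watch_suffixes is given, only names that
    equal or end with one of those suffixes (vendor domains) are reported."""
    hits = set()
    for ip, name in parse_hosts(text):
        if name in LEGIT_LOOPBACK or not is_sinkhole(ip):
            continue
        if watch_suffixes and not any(
            name == s or name.endswith("." + s) for s in watch_suffixes
        ):
            continue
        hits.add(name)
    return sorted(hits)


# Constructed sample: a default Windows HOSTS file followed by a few of the
# mappings the W32/Mytob-DJ description lists.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example   # constructed internal entry
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 paypal.com
0.0.0.0 update.symantec.com
"""

if __name__ == "__main__":
    for host in find_hijacked(SAMPLE_HOSTS):
        print("HOSTS entry sinks", host)
```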
W32/Mytob-DJ may also attempt to download files from the Internet and
steal system information.
Name Troj/RNWatch-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
Prevalence (1-5) 2
Description
Troj/RNWatch-A is a backdoor Trojan for the Windows platforms.
Advanced
Troj/RNWatch-A is a backdoor Trojan for the Windows platforms.
Once executed Troj/RNWatch-A copies itself to the Windows system folder
with the filenames winierun.exe and bfwinier.exe, and in order to be
able to run automatically when Windows starts up sets the registry
entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WinIeRun
"winierun.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinIeRun
"winierun.exe"
Name W32/Sdbot-AAL
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.SdBot.yx
* WORM_RBOT.GEN
Prevalence (1-5) 2
Description
W32/Sdbot-AAL is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AAL spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Sdbot-AAL drops and runs the file msdirectx.sys which is detected as
Troj/NtRootK-F.
Advanced
W32/Sdbot-AAL is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AAL spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Sdbot-AAL runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Sdbot-AAL copies itself to \msnup32.exe.
W32/Sdbot-AAL drops and runs the file msdirectx.sys which is detected as
Troj/NtRootK-F. This is installed using the Service Control Manager with
a Service Name and Display Name of msdirectx.
The following registry entries are created to run msnup32.exe on startup
and these values are reset multiple times each minute:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows ms Drivers
msnup32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows ms Drivers
msnup32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows ms Drivers
msnup32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows ms Drivers
msnup32.exe
W32/Sdbot-AAL sets the following registry entries, disabling the
automatic startup of other software, and these are reset every 2
minutes:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
Registry entries are set every 2 minutes as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Windows ms Drivers
msnup32.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Windows ms Drivers
msnup32.exe
HKCU\Software\Microsoft\OLE
Windows ms Drivers
msnup32.exe
HKLM\SOFTWARE\Microsoft\Ole
Windows ms Drivers
msnup32.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
W32/Sdbot-AAL also attempts to delete network shares every 2 minutes.
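The autorun values and the Start=4 service entries described above can be audited offline from a registry export. This is an added example, not Sophos code: it assumes the keys were dumped with `reg export` and the (normally UTF-16LE) file has already been decoded to text; the WATCHLIST is built from filenames on this page and the sample export is constructed.

```python
"""Audit a .reg export for the persistence and service changes described
for W32/Sdbot-AAL: autorun values that point at a bare or listed filename,
and the SharedAccess (firewall/ICS), wuauserv (Automatic Updates) and
wscsvc (Security Center) services set to Start=4 (SERVICE_DISABLED).
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')
AUTORUN_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices)$", re.I)
SERVICE_RE = re.compile(r"\\CurrentControlSet\\Services\\([^\\]+)$", re.I)

# Autorun payload names this bulletin lists (Sdbot-AAL, Mytob-DJ, Agobot-TA,
# Forbot-FD, Lebreat-A).
WATCHLIST = {"msnup32.exe", "winsvc32.exe", "windowsfw.exe",
             "svchosts.exe", "ccapp.exe"}
GUARDED_SERVICES = {"sharedaccess", "wuauserv", "wscsvc"}
SERVICE_DISABLED = 4


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; dword data becomes int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, s, dw = m.groups()
            # reg export doubles backslashes inside string data
            keys[current][name] = (int(dw, 16) if dw is not None
                                   else s.replace("\\\\", "\\"))
    return keys


def audit(text):
    """Return human-readable findings for the two checks."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if AUTORUN_RE.search(key):
            for name, data in values.items():
                if not isinstance(data, str) or not data.strip():
                    continue
                exe = data.strip('"').split()[0]
                base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                # A bare "foo.exe" with no directory relies on the search
                # path, exactly like msnup32.exe here. This is a heuristic
                # and will also flag some legitimate entries; tune per estate.
                if base in WATCHLIST or ("\\" not in exe and base.endswith(".exe")):
                    findings.append(f"autorun {key}\\{name} -> {data}")
        m = SERVICE_RE.search(key)
        if m and m.group(1).lower() in GUARDED_SERVICES:
            if values.get("Start") == SERVICE_DISABLED:
                findings.append(f"service {m.group(1)} disabled (Start=4)")
    return findings


# Constructed sample export: one malicious autorun value, one benign one,
# Security Center disabled, Automatic Updates still on Start=2.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows ms Drivers"="msnup32.exe"
"SecurityHealth"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```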
Name W32/Agobot-TA
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* W32/Gaobot.worm.gen.bj
* WORM_SDBOT.BDK
Prevalence (1-5) 2
Description
W32/Agobot-TA is a worm with backdoor functionality for the Windows
platform.
W32/Agobot-TA runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer.
Advanced
W32/Agobot-TA is a worm with backdoor functionality for the Windows
platform.
W32/Agobot-TA runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer.
When first run W32/Agobot-TA copies itself to
\windowsfw.exe.
The following registry entries are created to run windowsfw.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windowsfw
windowsfw.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windowsfw
windowsfw.exe
Name Troj/Fishnat-A
Type
* Trojan
How it spreads
* Web browsing
Affected operating systems
* OS/2
* Windows
* Macintosh
* Unix
Side effects
* Steals information
Prevalence (1-5) 2
Description
Troj/Fishnat-A is a phishing Trojan.
The Trojan appears to be a login page for a prominent banking site. The
login details are sent to a remote user via email.
Name Troj/BindFil-G
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.PcClient.bb
Prevalence (1-5) 2
Description
Troj/BindFil-G is a Trojan for the Windows platform.
Troj/BindFil-G can steal information and passwords and send stolen
information to a remote location.
Advanced
Troj/BindFil-G is a Trojan for the Windows platform.
Troj/BindFil-G can steal information and passwords and send stolen
information to a remote location.
When Troj/BindFil-G is installed it creates the file
\winapi.dll.
The file winapi.dll is registered as a COM object and Browser Helper
Object (BHO) for Microsoft Internet Explorer, creating registry entries
under:
HKCR\CLSID\(3050F4D8-6D62-11CE-AF61-013309406392)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(3050F4D8-6D62-11CE-AF61-013309406392)
Name W32/Francette-T
Type
* Spyware Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* WORM_TUMBI.B
* W32/Tumbi.worm.gen.b
Prevalence (1-5)
Description
W32/Francette-T is a network worm and IRC backdoor Trojan.
W32/Francette-T exploits the RPC-DCOM (MS04-012) vulnerability.
Advanced
W32/Francette-T is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Francette-T spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).
W32/Francette-T runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
The following registry entry is created to run W32/Francette-T on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft IIS
W32/Francette-T attempts to steal login details for the following
internet banking sites:
halifax-online.co.uk
barclays.co.uk
lloydstsb.co.uk
hsbc.co.uk
nwolb.com
banesto.es
bccbrescia.it
rbsdigital.com
cajamadrid.es
caixapenedes.com
postbank.de
deutsche-bank.de
abbeynational.co.uk
cahoot.com
openplan.co.uk
Name W32/Lebreat-A
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
Aliases
* Net-Worm.Win32.Lebreat.gen
* W32/Reatle.gen{at}MM
Prevalence (1-5) 2
Description
W32/Lebreat-A is a worm with a backdoor component for the Windows
platform.
W32/Lebreat-A spreads by exploiting the LSASS vulnerability.
W32/Lebreat-A will send itself to email addresses harvested from the
infected computer. These emails will have the following properties:
Subject:
**WARNING** Your Account Currently Disabled.
Email
Error
Hello
Importnat Information
info
Mail Delivery System
Message could not be delivered
Password
Message text:
Your credit card was charged for $500 USD. For additional information
see the attachment.
Binary message is available.
The message contains Unicode characters and has been sent as a binary
attachment.
Here are your banks documents
The original message was included as an attachment.
We have temporarily suspended your email account checkout the attachment
for more info.
You have successfully updated the password of your domain account
checkout the attachment for more info.
Important Notification checkout the attachment for more info.
Your Account Suspended checkout the document.
Your password has been updated checkout the document.
checkout the attachment.
Hello,
I was in a hurry and I forgot to attach an important
document. Please see attached.
Advanced
W32/Lebreat-A is a worm with a backdoor component for the Windows
platform.
The attachment will have one of the following names:
about.cpl
about.doc.bat
about.scr
account-report.exe
admin.bat
archive.cpl
archive.exe
box.bat
box.scr
data.bat
data.scr
doc.pif
docs.cpl
docs.scr
document.cpl
document.exe
file.cpl
help.doc.exe
inbox.cpl
inbox.exe
order.cpl
order.exe
payment.doc.scr
read.cpl
read.exe
readme.cpl
readme.scr
The email will appear to come from a combination of one of these
usernames:
adam
admin
alerts
alex
brenda
brent
david
fred
helen
jack
jane
jerry
john
josh
linda
mary
matt
michael
mike
paul
robert
root
sales
steve
support
and these domains:
antivirus.com
aol.com
arcor.com
ca.com
gmail.com
google.com
hotmail.com
matrix.com
mcafee.com
microsoft.com
msn.com
nai.com
support.com
symantec.com
trendmicro.com
yahoo.com
W32/Lebreat-A will avoid sending to email addresses containing the
following strings:
W32/Lebreat-A will also open an FTP backdoor on port 8885 and attempt to
perform a Distributed Denial of Service attack on www.symantec.com.
W32/Lebreat-A will copy itself to the Windows system folder as ccapp.exe
and attach.tmp and create the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Symantec
\ccapp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Symantec
\ccapp.exe
W32/Lebreat-A will also create or modify the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
W32/Lebreat-A may create a file named xzy6.tmp in the Windows folder
which is a list of the collected email addresses. This file can be
safely removed and is harmless.
W32/Lebreat-A will attempt to download and execute the file update3.exe
from a predefined URL.
Microsoft provides a patch for the LSASS vulnerability at the following
URL:
MS04-011
Name Troj/DlDial-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/DlDial-A is a downloading Trojan with dialer functionality.
Advanced
Troj/DlDial-A is a downloading Trojan with dialer functionality.
Troj/DlDial-A terminates any current dialup connections and reconnects
using a premium-rate number. The Trojan will then download a file from a
preconfigured URL to C:\dtemp2.exe and execute it. At the time of
writing, this file was unavailable for download.
Name W32/Kalel-D
Type
* Worm
How it spreads
* Email attachments
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
Aliases
* Net-Worm.Win32.Afire.c
* W32.Kalel.B{at}mm
Prevalence (1-5) 2
Description
W32/Kalel-D is a worm and backdoor Trojan for the Windows platform that
targets peer-to-peer file sharing utilities.
W32/Kalel-D may arrive in an email with the following characteristics:
Subject line:
Subject: **NOTICE** Mailbox Limitation
Message text:
This message was created automatically by "Mail Guard" software (MSG) -
do not reply.
In order to safeguard your mailbox from unexpected termination,
follow the instructions in the attached document.
++ Attachment: No Virus found
++ Norton AntiVirusÖ http://www.symantec.com
Attachment:
mailbox_rules.zip
that contains a copy of the worm executable with one of the
following filenames:
readme.pif
readme.scr
readme.txt(many spaces).scr
where (many spaces) is a run of space characters between the first
and second file extensions.
Advanced
W32/Kalel-D is a worm and backdoor Trojan for the Windows platform that
targets peer-to-peer file sharing utilities.
W32/Kalel-D runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer.
Once executed W32/Kalel-D displays the "Fatal Error: Exception
Code=C00000004" fake error message and copies itself to the Windows
system folder with the following filenames:
csrss.exe
lsass.exe
services.exe
In order to be able to run automatically when Windows starts up the worm
sets the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Service Controller
"services.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Authority Service
"lsass.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft Session Manager Subsystem
"smss.exe"
W32/Kalel-D may create a number of files in the Windows system folder
including the following:
bluetooth16.ref
bluetooth32.ref
irdav1.ref
where bluetooth16.ref, bluetooth32.ref and irdav1.ref are uuencoded text
files that contain the mailbox_rules.zip file.
W32/Kalel-D is capable of logging keystrokes.
Name W32/Forbot-FD
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Forges the sender's email address
* Uses its own emailing engine
* Reduces system security
* Installs itself in the Registry
Aliases
* Net-Worm.Win32.Mytob.bw
Prevalence (1-5) 2
Description
W32/Forbot-FD is a worm and IRC backdoor Trojan for the Windows platform.
W32/Forbot-FD spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including LSASS (MS04-011) and WKS
(MS03-049) (CAN-2003-0812).
W32/Forbot-FD runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/Forbot-FD also has mass-mailing functionality allowing it to spread
through email. Email with the following characteristics is sent to
addresses harvested from the infected computer:
Subject line:
*DETECTED* Online User Violation
*WARNING* Your email account is suspended
Email Account Suspension
Important Notification
Members Support
Notice of account limitation
Security measures
Warning Message: Your services near to be closed.
We have suspended your account
You are banned!!!
Your Account is Suspended
Your Account is Suspended For Security Reasons
Message text:
Some information about your account is attached.
The Support Team
Dear Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the attached details to reactivate your account.
Sincerely,The Support Team
Dear Member,
Your e-mail account was used to send a huge amount of unsolicited spam
messages during the recent week. If you could please take 5-10 minutes
out of your online experience and confirm the attached document so you
will not run into any future problems with the online service.
Virtually yours,
The Support Team
In the above message text samples will be replaced with text
acquired from the harvested email address.
Advanced
W32/Forbot-FD is a worm and IRC backdoor Trojan for the Windows platform.
The attached file consists of a base name followed by the extensions
CMD, PIF, SCR, EXE or ZIP. The worm may optionally create double
extensions where the first extension is DOC, TXT or HTM and the final
extension is BAT, CMD, PIF, SCR, EXE or ZIP. The base filenames are
randomly chosen from:
account-details
account-info
account-report
accounts
administrator
document
email-details
important-details
information
readme
register
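The attachment-naming tricks described on this page recur across three entries: W32/Lebreat-A's names such as about.doc.bat and payment.doc.scr, W32/Kalel-D's readme.txt(many spaces).scr padding, and W32/Forbot-FD's base name plus optional DOC/TXT/HTM decoy extension plus executable extension. The following Python classifier, an added example and not Sophos code, applies the corresponding gateway-side checks to a filename; the extension sets, the two-space padding threshold and the sample names are constructed assumptions.

```python
"""Classify an email attachment name against the lure-naming schemes
described for W32/Lebreat-A, W32/Kalel-D and W32/Forbot-FD."""
import re

# Final extensions that execute directly when opened (assumed set; the page
# lists BAT, CMD, PIF, SCR, EXE and CPL among them).
EXECUTABLE_EXTS = {"bat", "cmd", "pif", "scr", "exe", "cpl", "com", "vbs", "js"}
# "Harmless-looking" inner extensions used as decoys (page lists DOC/TXT/HTM).
DECOY_EXTS = {"doc", "txt", "htm", "html", "pdf", "xls", "jpg"}
# Base names W32/Forbot-FD chooses from, per the list above.
FORBOT_BASES = {"account-details", "account-info", "account-report",
                "accounts", "administrator", "document", "email-details",
                "important-details", "information", "readme", "register"}
# Regex for a decoy extension, a run of whitespace, then the real extension,
# the W32/Kalel-D trick that hides ".scr" past the edge of a mail client.
PADDED_RE = re.compile(r"\.[a-z0-9]{1,5}\s{2,}\.[a-z0-9]{1,5}$")


def classify(filename):
    """Return the reasons the name looks like a lure; an empty list if none."""
    reasons = []
    name = filename.strip().lower()
    if PADDED_RE.search(name):
        reasons.append("whitespace-padded double extension")
    # Split on dots while tolerating the padding around them.
    parts = re.split(r"\s*\.\s*", name)
    if len(parts) < 2:
        return reasons
    final = parts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append(f"decoy document extension .{parts[-2]}")
        if parts[0] in FORBOT_BASES:
            reasons.append("base name from the W32/Forbot-FD list")
    elif final == "zip":
        # W32/Kalel-D ships its executable inside mailbox_rules.zip, so an
        # archive is not clean until its contents have been classified too.
        reasons.append("zip archive: classify the contained filenames")
    return reasons


if __name__ == "__main__":
    # Constructed sample names, the padded one using 40 literal spaces.
    for sample in ("quarterly-report.pdf", "account-report.exe",
                   "payment.doc.scr", "readme.txt" + " " * 40 + ".scr",
                   "about.cpl", "mailbox_rules.zip"):
        print(repr(sample.rstrip()), "->", classify(sample) or "clean")
```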
The worm avoids sending email to addresses that contain the following:
When first run W32/Forbot-FD copies itself to \svchosts.exe.
The following registry entries are created to run svchosts.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Driver
svchosts.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 Driver
svchosts.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Driver
svchosts.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Driver
svchosts.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Win32 Driver
svchosts.exe
The file svchosts.exe is registered as a new file system driver service
named "shit", with a display name of "Win32 Driver".
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\shit\
A registry entry is set as follows:
HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable
1
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SOURCE: echomail via fidonet.ozzmosis.com