[cut-n-paste from sophos.com]

Name   W32/SillyFDC-AW

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/SillyFDC-AW is a worm for the Windows platform.

Advanced
W32/SillyFDC-AW is a worm for the Windows platform.

When run W32/SillyFDC-AW creates the files:

\svchost.exe - detected as W32/SillyFDC-AW
\wmiprvse.exe - detected as W32/SillyFDC-AW
\mgrShell.exe - detected as W32/SillyFDC-AW
\bclogsvr.ini - can be safely deleted

W32/SillyFDC-AW spreads via removable drives. It does this by copying 
itself to the removable drive as \Desktop.exe and creates the 
file \autorun.inf (also detected as W32/SillyFDC-AW) to run the 
worm when the removable drive is connected to an uninfected computer.

W32/SillyFDC-AW sets the following registry entries to run itself on 
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
scApp
\wmiprvse.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
PolicyRun
\svchost.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
\svchost.exe





Name   W32/Rbot-GTG

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-GTG is a worm with IRC backdoor functionality for the Windows 
platform.

Advanced
W32/Rbot-GTG is a worm with IRC backdoor functionality for the Windows 
platform.

W32/Rbot-GTG spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: ASN.1 (MS04-007), RealVNC 
(CVE-2006-2369) and Symantec (SYM06-010) and by copying itself to 
network shares protected by weak passwords.

W32/Rbot-GTG runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

When first run W32/Rbot-GTG copies itself to \Realteks.exe.

The following registry entries are created to run Realteks.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Network Service
Realteks.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Network Service
Realteks.exe

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N





Name   W32/Ahah-A

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Modifies browser settings

Aliases  
    * Virus.JS.RyInf.a

Prevalence (1-5) 2

Description
W32/Ahah-A is a worm for the Windows.platform.

Advanced
W32/Ahah-A is a worm for the Windows.platform.

W32/Ahah-A is a java script that attempts to spread through available 
drives with the filename Haha.js using Autorun.inf in order to make 
sure that the worm runs automatically once the drive is accessed.

When installed the worm creates the following files:

\Haha.js
Haha.js
Autorun.inf

where Haha.js is a copy of the worm.

W32/Ahah-A sets the following registry entry:

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title
Haha





Name   W32/SillyFDC-AX

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Reduces system security
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/SillyFDC-AX is a worm for the Windows platform.

Advanced
W32/SillyFDC-AX is a worm for the Windows platform.

W32/SillyFDC-AX attempts to spread via removable drives.

When first run W32/SillyFDC-AX copies itself to the Windows folder and 
creates the following files:

\LittleRedRidingHood.rtf - Contains the story of little red riding 
hood. May be deleted.
\autorun.inf - Detected as Mal/AutoInf-A.
\readme.html - May be safely deleted.
\dtsystra.exe - Detected as W32/SillyFDC-AX.
\syshost.exe - Detected as W32/SillyFDC-AX.
\dlctrl.exe - Detected as W32/SillyFDC-AX.
\drivers\mssrc.exe - Detected as W32/SillyFDC-AX.
\promon.exe - Detected as W32/SillyFDC-AX.
\winapp.exe - Detected as W32/SillyFDC-AX.





Name   W32/Looked-DU

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * PE_LOOKED.R-O
    * Worm.Win32.Viking.k
    * W32/HLLP.Philis.an
    * Win32/Viking.NAF

Prevalence (1-5) 2

Description
W32/Looked-DU is a virus for the Windows platform.

Advanced
W32/Looked-DU is a virus for the Windows platform.

W32/Looked-DU includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Looked-DU copies itself to \rundl132.exe 
and creates the file \vDll.dll. The DLL is also 
detected as W32/Looked-DU

The following registry entry is created to run rundl132.exe on startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
\rundl132.exe

Registry entries are created under:

HKLM\SOFTWARE\Soft\DownloadWWW





Name   Troj/DwnLdr-GXU

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/DwnLdr-GXU is a Trojan for the Windows platform.





Name   Troj/Oanamg-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Oanamg-A is a Trojan for the Windows platform.





Name   W32/VB-DXN

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * W32/Generic.a{at}MM
    * Email-Worm.Win32.generic

Prevalence (1-5) 2

Description
W32/VB-DXN is a worm for the Windows platform.

W32/VB-DXN attempts to spread through the instant messaging application 
Yahoo! Messenger.

Advanced
W32/VB-DXN is a worm for the Windows platform.

W32/VB-DXN attempts to spread through the instant messaging application 
Yahoo! Messenger.

When first run W32/VB-DXN copies itself to:

\Help\Other.exe
\dc.exe
\inf\Other.exe
\sviq.exe
\Fun.exe
\WinSit.exe
\config\Win.exe

and creates the file \wininit.ini.

The following registry entries are created to run dc.exe, Other.exe, 
sviq.exe, Fun.exe and Win.exe on startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
\config\Win.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
dc2k5
\SVIQ.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Fun
\Fun.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
dc
\dc.exe

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
\inf\Other.exe

The following registry entry is changed to run WinSit.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe \WinSit.exe





Name   Troj/Qova-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * TrojanDownloader:Win32/Small.FC
    * BDS/PoisonIvy.j
    * Backdoor.Win32.PoisonIvy.j

Prevalence (1-5) 2

Description
Troj/Qova-A is a Trojan for the Windows platform.

Advanced
Troj/Qova-A is a Trojan for the Windows platform.

When first run Troj/Qova-A copies itself to the Windows system folder 
with the filename ver.exe.

Troj/Qova-A injects its code into a new hidden instance of Microsoft 
Internet Explorer.





Name   Troj/LdPinch-QY

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/LdPinch-QY is a password-stealing Trojan for the Windows platform.

Advanced
Troj/LdPinch-QY is a password-stealing Trojan that will search the host 
for information related to the following applications/services:

Password stored in BatMail and The Bat FTP client
Mirabilis ICQ
Trillian
Remote Access Service (RAS)
CuteFTP
WS_FTP
Opera/Mozilla
Internet Explorer password manager
Windows NT username
Local phone book information

The Trojan submits this information to a preconfigured email address.





Name   Troj/Dropper-RK

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Dropper-RK is a Trojan for the Windows platform.





Name   Troj/WoW-KA

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Drops more malware
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * PWS-WoW trojan
    * TROJ_NSPM.ZZ

Prevalence (1-5) 2

Description
Troj/WoW-KA is a Trojan for the Windows platform.

Advanced
Troj/WoW-KA is a Trojan for the Windows platform.

When first run Troj/WoW-KA copies itself to \avpo.exe and 
creates the following files:

\b88d9jce.sys
\zjtxwj.dll
\avpo0.dll

The file b88d9jce.sys is detected as Mal/RootKit-A. The rest are 
detected as Troj/WoW-KA.

The following registry entry is created to run avpo.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
avpa
\avpo.exe





Name   Troj/AdClick-EJ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs a browser helper object

Aliases  
    * AdClicker-FC

Prevalence (1-5) 2

Description
Troj/AdClick-EJ is a Trojan for the Windows platform.

Advanced
Troj/AdClick-EJ is a Trojan for the Windows platform.

Troj/AdClick-EJ is a Browser Helper Object which has the functionality 
to communicate with a remote server via HTTP.





Name   Troj/Bckdr-QJO

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Bckdr-QJO is a backdoor Trojan for the Windows platform.

 
--- MultiMail/Win32 v0.43