TIP: Click on subject to list as thread!

ANSI

echo:	virus_info
to:	ALL
from:	KURT WISMER
date:	2005-06-05 20:01:00
subject:	News, May 5 2005
[cut-n-paste from sophos.com] Name W32/Mytob-P Type * Worm How it spreads * Email attachments Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Sends itself to email addresses found on the infected computer * Steals information * Forges the sender's email address Aliases * Net-Worm.Win32.Mytob.bd Prevalence (1-5) 5 Description W32/Mytob-P is a mass-mailing worm and IRC backdoor Trojan. W32/Mytob-P spreads by sending itself as an email attachment to email addresses it harvests from the infected computer. The worm sets up an IRC backdoor allowing remote intruders unauthorised control of the infected computer. W32/Mytob-P sends emails with the following characteristics: Subject line: Notice: Last Warning DETECTED Online User Violation Your Email Account is Suspended For Security Reasons Account Alert Important Notification WARNING Your Email Account Will Be Closed Security measures Email Account Suspension Notice of account limitation Message text: Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal. The original message has been included as an attachment. We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached. We attached some important information regarding your account. Please read the attached document and follow it's instructions. Advanced W32/Mytob-P is a mass-mailing worm and IRC backdoor Trojan. W32/Mytob-P spreads by sending itself as an email attachment to email addresses it harvests from the infected computer. The worm sets up an IRC backdoor allowing remote intruders unauthorised control of the infected computer. W32/Mytob-P sends emails with the following characteristics: Subject line: Notice: Last Warning DETECTED Online User Violation Your Email Account is Suspended For Security Reasons Account Alert Important Notification WARNING Your Email Account Will Be Closed Security measures Email Account Suspension Notice of account limitation Message text: Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal. The original message has been included as an attachment. We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached. We attached some important information regarding your account. Please read the attached document and follow it's instructions. When first run W32/Mytob-P copies itself to \Lientjeuh.exe. The following registry entries are created to run Lientjeuh.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run http://www.lienvandekelder.be Lientjeuh.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices http://www.lienvandekelder.be Lientjeuh.exe W32/Mytob-P sets the following registry entries, disabling the automatic startup of other software: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start 4 W32/Mytob-P modifies the HOSTS file, changing the URL-to-IP mappings for selected websites, therefore preventing normal access to these sites: 127.0.0.1 www.symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 symantec.com 127.0.0.1 www.sophos.com 127.0.0.1 sophos.com 127.0.0.1 www.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 www.viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 f-secure.com 127.0.0.1 www.f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 kaspersky-labs.com 127.0.0.1 www.avp.com 127.0.0.1 www.kaspersky.com 127.0.0.1 avp.com 127.0.0.1 www.networkassociates.com 127.0.0.1 networkassociates.com 127.0.0.1 www.ca.com 127.0.0.1 ca.com 127.0.0.1 mast.mcafee.com 127.0.0.1 my-etrust.com 127.0.0.1 www.my-etrust.com 127.0.0.1 download.mcafee.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 nai.com 127.0.0.1 www.nai.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 customer.symantec.com 127.0.0.1 rads.mcafee.com 127.0.0.1 trendmicro.com 127.0.0.1 www.trendmicro.com 127.0.0.1 www.grisoft.com 127.0.0.1 www.microsoft.com 127.0.0.1 microsoft.com 127.0.0.1 www.msn.com 127.0.0.1 www.virustotal.com 127.0.0.1 virustotal.com 127.0.0.1 www.oxyd.fr 127.0.0.1 oxyd.fr 127.0.0.1 www.t35.com 127.0.0.1 t35.com 127.0.0.1 www.t35.net 127.0.0.1 t35.net W32/Mytob-P terminates the following applications and security-related processes: ACKWIN32.EXE ADAWARE.EXE ADVXDWIN.EXE AGENTSVR.EXE AGENTW.EXE ALERTSVC.EXE ALEVIR.EXE ALOGSERV.EXE AMON9X.EXE ANTI-TROJAN.EXE ANTIVIRUS.EXE ANTS.EXE APIMONITOR.EXE APLICA32.EXE APVXDWIN.EXE ARR.EXE ATCON.EXE ATGUARD.EXE ATRO55EN.EXE ATUPDATER.EXE ATUPDATER.EXE ATWATCH.EXE AU.EXE AUPDATE.EXE AUPDATE.EXE AUTO-PROTECT.NAV80TRY.EXE AUTODOWN.EXE AUTODOWN.EXE AUTOTRACE.EXE AUTOTRACE.EXE AUTOUPDATE.EXE AUTOUPDATE.EXE AVCONSOL.EXE AVE32.EXE AVGCC32.EXE AVGCTRL.EXE AVGNT.EXE AVGSERV.EXE AVGSERV9.EXE AVGUARD.EXE AVGW.EXE AVKPOP.EXE AVKSERV.EXE AVKSERVICE.EXE AVKWCTl9.EXE AVLTMAIN.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVPUPD.EXE AVSCHED32.EXE AVSYNMGR.EXE AVWINNT.EXE AVWUPD.EXE AVWUPD32.EXE AVWUPD32.EXE AVWUPSRV.EXE AVXMONITOR9X.EXE AVXMONITORNT.EXE AVXQUAR.EXE AVXQUAR.EXE BACKWEB.EXE BARGAINS.EXE BD_PROFESSIONAL.EXE BEAGLE.EXE BELT.EXE BIDEF.EXE BIDSERVER.EXE BIPCP.EXE BIPCPEVALSETUP.EXE BISP.EXE BLACKD.EXE BLACKICE.EXE BLSS.EXE BOOTCONF.EXE BOOTWARN.EXE BORG2.EXE BPC.EXE BRASIL.EXE BS120.EXE BUNDLE.EXE BVT.EXE CCAPP.EXE CCEVTMGR.EXE CCPXYSVC.EXE CDP.EXE CFD.EXE CFGWIZ.EXE CFIADMIN.EXE CFIAUDIT.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95CF.EXE CLEAN.EXE CLEANER.EXE CLEANER3.EXE CLEANPC.EXE CLICK.EXE CMD.EXE CMD32.EXE CMESYS.EXE CMGRDIAN.EXE CMON016.EXE CONNECTIONMONITOR.EXE CPD.EXE CPF9X206.EXE CPFNT206.EXE CTRL.EXE CV.EXE CWNB181.EXE CWNTDWMO.EXE DATEMANAGER.EXE DCOMX.EXE DEFALERT.EXE DEFSCANGUI.EXE DEFWATCH.EXE DEPUTY.EXE DIVX.EXE DLLCACHE.EXE DLLREG.EXE DOORS.EXE DPF.EXE DPFSETUP.EXE DPPS2.EXE DRWATSON.EXE DRWEB32.EXE DRWEBUPW.EXE DSSAGENT.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE EFPEADM.EXE EMSW.EXE ENT.EXE ESAFE.EXE ESCANHNT.EXE ESCANV95.EXE ESPWATCH.EXE ETHEREAL.EXE ETRUSTCIPE.EXE EVPN.EXE EXANTIVIRUS-CNET.EXE EXE.AVXW.EXE EXPERT.EXE EXPLORE.EXE F-PROT.EXE F-PROT95.EXE F-STOPW.EXE FAMEH32.EXE FAST.EXE FCH32.EXE FIH32.EXE FINDVIRU.EXE FIREWALL.EXE FNRB32.EXE FP-WIN.EXE FP-WIN_TRIAL.EXE FPROT.EXE FRW.EXE FSAA.EXE FSAV.EXE FSAV32.EXE FSAV530STBYB.EXE FSAV530WTBYB.EXE FSAV95.EXE FSGK32.EXE FSM32.EXE FSMA32.EXE FSMB32.EXE GATOR.EXE GBMENU.EXE GBPOLL.EXE GENERICS.EXE GMT.EXE GUARD.EXE GUARDDOG.EXE HACKTRACERSETUP.EXE HBINST.EXE HBSRV.EXE HOTACTIO.EXE HOTPATCH.EXE HTLOG.EXE HTPATCH.EXE HWPE.EXE HXDL.EXE HXIUL.EXE IAMAPP.EXE IAMSERV.EXE IAMSTATS.EXE IBMASN.EXE IBMAVSP.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IDLE.EXE IEDLL.EXE IEDRIVER.EXE IEXPLORER.EXE IFACE.EXE IFW2000.EXE INETLNFO.EXE INFUS.EXE INFWIN.EXE INIT.EXE INTDEL.EXE INTREN.EXE IOMON98.EXE ISTSVC.EXE JAMMER.EXE JDBGMRG.EXE JEDI.EXE KAVLITE40ENG.EXE KAVPERS40ENG.EXE KAVPF.EXE KAZZA.EXE KEENVALUE.EXE KERIO-PF-213-EN-WIN.EXE KERIO-WRL-421-EN-WIN.EXE KERIO-WRP-421-EN-WIN.EXE KERNEL32.EXE KILLPROCESSSETUP161.EXE LAUNCHER.EXE LDNETMON.EXE LDPRO.EXE LDPROMENU.EXE LDSCAN.EXE LNETINFO.EXE LOADER.EXE LOCALNET.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE LOOKOUT.EXE LORDPE.EXE LSETUP.EXE LUALL.EXE LUALL.EXE LUAU.EXE LUCOMSERVER.EXE LUINIT.EXE LUSPT.EXE MAPISVC32.EXE MCAGENT.EXE MCMNHDLR.EXE MCSHIELD.EXE MCTOOL.EXE MCUPDATE.EXE MCUPDATE.EXE MCVSRTE.EXE MCVSSHLD.EXE MD.EXE MFIN32.EXE MFW2EN.EXE MFWENG3.02D30.EXE MGAVRTCL.EXE MGAVRTE.EXE MGHTML.EXE MGUI.EXE MINILOG.EXE MMOD.EXE MONITOR.EXE MOOLIVE.EXE MOSTAT.EXE MPFAGENT.EXE MPFSERVICE.EXE MPFTRAY.EXE MRFLUX.EXE MSAPP.EXE MSBB.EXE MSBLAST.EXE MSCACHE.EXE MSCCN32.EXE MSCMAN.EXE MSCONFIG.EXE MSDM.EXE MSDOS.EXE MSIEXEC16.EXE MSINFO32.EXE MSLAUGH.EXE MSMGT.EXE MSMSGRI32.EXE MSSMMC32.EXE MSSYS.EXE MSVXD.EXE MU0311AD.EXE MWATCH.EXE N32SCANW.EXE NAV.EXE NAVAP.NAVAPSVC.EXE NAVAPSVC.EXE NAVAPW32.EXE NAVDX.EXE NAVLU32.EXE NAVNT.EXE NAVSTUB.EXE NAVW32.EXE NAVWNT.EXE NC2000.EXE NCINST4.EXE NDD32.EXE NEOMONITOR.EXE NEOWATCHLOG.EXE NETARMOR.EXE NETD32.EXE NETINFO.EXE NETMON.EXE NETSCANPRO.EXE NETSPYHUNTER-1.2.EXE NETSTAT.EXE NETUTILS.EXE NISSERV.EXE NISUM.EXE NMAIN.EXE NOD32.EXE NORMIST.EXE NORTON_INTERNET_SECU_3.0_407.EXE NOTSTART.EXE NPF40_TW_98_NT_ME_2K.EXE NPFMESSENGER.EXE NPROTECT.EXE NPSCHECK.EXE NPSSVC.EXE NSCHED32.EXE NSSYS32.EXE NSTASK32.EXE NSUPDATE.EXE NT.EXE NTRTSCAN.EXE NTVDM.EXE NTXconfig.EXE NUI.EXE NUPGRADE.EXE NUPGRADE.EXE NVARCH16.EXE NVC95.EXE NVSVC32.EXE NWINST4.EXE NWSERVICE.EXE NWTOOL16.EXE OLLYDBG.EXE ONSRVR.EXE OPTIMIZE.EXE OSTRONET.EXE OTFIX.EXE OUTPOST.EXE OUTPOST.EXE OUTPOSTINSTALL.EXE OUTPOSTPROINSTALL.EXE PADMIN.EXE PANIXK.EXE PATCH.EXE PAVCL.EXE PAVPROXY.EXE PAVSCHED.EXE PAVW.EXE PCFWALLICON.EXE PCIP10117_0.EXE PCSCAN.EXE PDSETUP.EXE PERISCOPE.EXE PERSFW.EXE PERSWF.EXE PF2.EXE PFWADMIN.EXE PGMONITR.EXE PINGSCAN.EXE PLATIN.EXE POP3TRAP.EXE POPROXY.EXE POPSCAN.EXE PORTDETECTIVE.EXE PORTMONITOR.EXE POWERSCAN.EXE PPINUPDT.EXE PPTBC.EXE PPVSTOP.EXE PRIZESURFER.EXE PRMT.EXE PRMVR.EXE PROCDUMP.EXE PROCESSMONITOR.EXE PROCEXPLORERV1.0.EXE PROGRAMAUDITOR.EXE PROPORT.EXE PROTECTX.EXE PSPF.EXE PURGE.EXE QCONSOLE.EXE QSERVER.EXE RAPAPP.EXE RAV7.EXE RAV7WIN.EXE RAV8WIN32ENG.EXE RAY.EXE RB32.EXE RCSYNC.EXE REALMON.EXE REGED.EXE REGEDIT.EXE REGEDT32.EXE RESCUE.EXE RESCUE32.EXE RRGUARD.EXE RSHELL.EXE RTVSCAN.EXE RTVSCN95.EXE RULAUNCH.EXE RUN32DLL.EXE RUNDLL.EXE RUNDLL16.EXE RUXDLL32.EXE SAFEWEB.EXE SAHAGENT.EXE SAVE.EXE SAVENOW.EXE SBSERV.EXE SC.EXE SCAM32.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE SETUPVAMEEVAL.EXE SETUP_FLOWPROTECTOR_US.EXE SFC.EXE SGSSFW32.EXE SH.EXE SHELLSPYINSTALL.EXE SHN.EXE SHOWBEHIND.EXE SMC.EXE SMS.EXE SMSS32.EXE SOAP.EXE SOFI.EXE SPERM.EXE SPF.EXE SPHINX.EXE SPOLER.EXE SPOOLCV.EXE SPOOLSV32.EXE SPYXX.EXE SREXE.EXE SRNG.EXE SS3EDIT.EXE SSGRATE.EXE SSG_4104.EXE ST2.EXE START.EXE STCLOADER.EXE SUPFTRL.EXE SUPPORT.EXE SUPPORTER5.EXE SVC.EXE SVCHOSTC.EXE SVCHOSTS.EXE SVSHOST.EXE SWEEP95.EXE SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE SYMPROXYSVC.EXE SYMTRAY.EXE SYSEDIT.EXE SYSTEM.EXE SYSTEM32.EXE SYSUPD.EXE TASKMG.EXE TASKMGR.EXE TASKMO.EXE TASKMON.EXE TAUMON.EXE TBSCAN.EXE TC.EXE TCA.EXE TCM.EXE TDS-3.EXE TDS2-NT.EXE TEEKIDS.EXE TFAK.EXE TFAK5.EXE TGBOB.EXE TITANIN.EXE TITANINXP.EXE TRACERT.EXE TRICKLER.EXE TRJSCAN.EXE TRJSETUP.EXE TROJANTRAP3.EXE TSADBOT.EXE TVMD.EXE TVTMD.EXE UNDOBOOT.EXE UPDAT.EXE UPDATE.EXE UPDATE.EXE UPGRAD.EXE UTPOST.EXE VBCMSERV.EXE VBCONS.EXE VBUST.EXE VBWIN9X.EXE VBWINNTW.EXE VCSETUP.EXE VET32.EXE VET95.EXE VETTRAY.EXE VFSETUP.EXE VIR-HELP.EXE VIRUSMDPERSONALFIREWALL.EXE VNLAN300.EXE VNPC3000.EXE VPC32.EXE VPC42.EXE VPFW30S.EXE VPTRAY.EXE VSCAN40.EXE VSCENU6.02D30.EXE VSCHED.EXE VSECOMR.EXE VSHWIN32.EXE VSISETUP.EXE VSMAIN.EXE VSMON.EXE VSSTAT.EXE VSWIN9XE.EXE VSWINNTSE.EXE VSWINPERSE.EXE W32DSM89.EXE W9X.EXE WATCHDOG.EXE WEBDAV.EXE WEBSCANX.EXE WEBTRAP.EXE WFINDV32.EXE WHOSWATCHINGME.EXE WIMMUN32.EXE WIN-BUGSFIX.EXE WIN32.EXE WIN32US.EXE WINACTIVE.EXE WINDOW.EXE WINDOWS.EXE WININETD.EXE WININIT.EXE WININITX.EXE WINLOGIN.EXE WINMAIN.EXE WINNET.EXE WINPPR32.EXE WINRECON.EXE WINSERVN.EXE WINSSK32.EXE WINSTART.EXE WINSTART001.EXE WINTSK32.EXE WINUPDATE.EXE WKUFIND.EXE WNAD.EXE WNT.EXE WRADMIN.EXE WRCTRL.EXE WSBGATE.EXE WUPDATER.EXE WUPDT.EXE WYVERNWORKSFIREWALL.EXE XPF202EN.EXE ZAPRO.EXE ZAPSETUP3001.EXE ZATUTOR.EXE ZONALM2601.EXE ZONEALARM.EXE _AVP32.EXE _AVPCC.EXE _AVPM.EXE Name W32/Mytob-CV Type * Worm How it spreads * Email messages * Email attachments * Network shares Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Sends itself to email addresses found on the infected computer * Records keystrokes * Installs itself in the Registry Aliases * Net-Worm.Win32.Mytob.bd Prevalence (1-5) 3 Description W32/Mytob-CV is an email worm and IRC backdoor Trojan for the Windows platform. W32/Mytob-CV includes functionality to modify the HOSTS file. When first run W32/Mytob-CV copies itself to \We Love Lien Van de Kelder.exe. The following registry entries are created to run We Love Lien Van de Kelder.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run http://www.lienvandekelder.be We Love Lien Van de Kelder.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices http://www.lienvandekelder.be We Love Lien Van de Kelder.exe W32/Mytob-CV sets the following registry entries, disabling the automatic startup of other software: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start 4 W32/Mytob-CV send itself to emails harvested from files on the hard disk with the following extensions: TXT, HTM, SHT, JSP, CGI, XML, PHP, ASP, DBX, TBB, ADB, WAB, PL Emails have the following characteristics: Subject lines: Notice: Last Warning DETECTED* Online User Violation Your Email Account is Suspended For Security Reasons Account Alert Important Notification WARNING Your Email Account Will Be Closed Email Account Suspension Notice of account limitation Message texts: "Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal." "The original message has been included as an attachment." "We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached." "We attached some important information regarding your account." "Please read the attached document and follow it's instructions." Advanced W32/Mytob-CV is an email worm and IRC backdoor Trojan for the Windows platform. W32/Mytob-CV includes functionality to modify the HOSTS file. When first run W32/Mytob-CV copies itself to \We Love Lien Van de Kelder.exe. The following registry entries are created to run We Love Lien Van de Kelder.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run http://www.lienvandekelder.be We Love Lien Van de Kelder.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices http://www.lienvandekelder.be We Love Lien Van de Kelder.exe W32/Mytob-CV sets the following registry entries, disabling the automatic startup of other software: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start 4 W32/Mytob-CV send itself to emails harvested from files on the hard disk with the following extensions: TXT, HTM, SHT, JSP, CGI, XML, PHP, ASP, DBX, TBB, ADB, WAB, PL Emails have the following characteristics: Subject lines: Notice: Last Warning DETECTED* Online User Violation Your Email Account is Suspended For Security Reasons Account Alert Important Notification WARNING Your Email Account Will Be Closed Email Account Suspension Notice of account limitation Message texts: "Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal." "The original message has been included as an attachment." "We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached." "We attached some important information regarding your account." "Please read the attached document and follow it's instructions." The attached file consists of a base name followed by the extentions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP. W32/Mytob-CV modifies the HOSTS file, changing the URL-to-IP mappings for selected websites, therefore preventing normal access to the the following sites: www.symantec.com securityresponse.symantec.com symantec.com www.sophos.com sophos.com www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com www.viruslist.com viruslist.com viruslist.com f-secure.com www.f-secure.com kaspersky.com kaspersky-labs.com www.avp.com www.kaspersky.com avp.com www.networkassociates.com networkassociates.com www.ca.com ca.com mast.mcafee.com www.lycos-vds.com my-etrust.com www.my-etrust.com download.mcafee.com dispatch.mcafee.com secure.nai.com nai.com www.nai.com update.symantec.com updates.symantec.com us.mcafee.com liveupdate.symantec.com customer.symantec.com rads.mcafee.com trendmicro.com www.trendmicro.com www.grisoft.com www.microsoft.com microsoft.com www.msn.com www.virustotal.com virustotal.com www.oxyd.fr oxyd.fr www.t35.com t35.com www.t35.net t35.net W32/Mytob-CV also terminates the following processes: _AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ADAWARE.EXE ADVXDWIN.EXE AGENTSVR.EXE AGENTW.EXE ALERTSVC.EXE ALEVIR.EXE ALOGSERV.EXE AMON9X.EXE ANTI-TROJAN.EXE ANTIVIRUS.EXE ANTS.EXE APIMONITOR.EXE APLICA32.EXE APVXDWIN.EXE ARR.EXE ATCON.EXE ATGUARD.EXE ATRO55EN.EXE ATUPDATER.EXE ATUPDATER.EXE ATWATCH.EXE AU.EXE AUPDATE.EXE AUPDATE.EXE AUTO-PROTECT.NAV80TRY.EXE AUTODOWN.EXE AUTODOWN.EXE AUTOTRACE.EXE AUTOTRACE.EXE AUTOUPDATE.EXE AUTOUPDATE.EXE AVCONSOL.EXE AVE32.EXE AVGCC32.EXE AVGCTRL.EXE AVGNT.EXE AVGSERV.EXE AVGSERV9.EXE AVGUARD.EXE AVGW.EXE AVKPOP.EXE AVKSERV.EXE AVKSERVICE.EXE AVKWCTl9.EXE AVLTMAIN.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVPUPD.EXE AVSCHED32.EXE AVSYNMGR.EXE AVWINNT.EXE AVWUPD.EXE AVWUPD32.EXE AVWUPD32.EXE AVWUPSRV.EXE AVXMONITOR9X.EXE AVXMONITORNT.EXE AVXQUAR.EXE AVXQUAR.EXE BACKWEB.EXE BARGAINS.EXE BD_PROFESSIONAL.EXE BEAGLE.EXE BELT.EXE BIDEF.EXE BIDSERVER.EXE BIPCP.EXE BIPCPEVALSETUP.EXE BISP.EXE BLACKD.EXE BLACKICE.EXE BLSS.EXE BOOTCONF.EXE BOOTWARN.EXE BORG2.EXE BPC.EXE BRASIL.EXE BS120.EXE BUNDLE.EXE BVT.EXE CCAPP.EXE CCEVTMGR.EXE CCPXYSVC.EXE CDP.EXE CFD.EXE CFGWIZ.EXE CFIADMIN.EXE CFIAUDIT.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95CF.EXE CLEAN.EXE CLEANER.EXE CLEANER3.EXE CLEANPC.EXE CLICK.EXE CMD.EXE CMD32.EXE CMESYS.EXE CMGRDIAN.EXE CMON016.EXE CONNECTIONMONITOR.EXE CPD.EXE CPF9X206.EXE CPFNT206.EXE CTRL.EXE CV.EXE CWNB181.EXE CWNTDWMO.EXE DATEMANAGER.EXE DCOMX.EXE DEFALERT.EXE DEFSCANGUI.EXE DEFWATCH.EXE DEPUTY.EXE DIVX.EXE DLLCACHE.EXE DLLREG.EXE DOORS.EXE DPF.EXE DPFSETUP.EXE DPPS2.EXE DRWATSON.EXE DRWEB32.EXE DRWEBUPW.EXE DSSAGENT.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE EFPEADM.EXE EMSW.EXE ENT.EXE ESAFE.EXE ESCANHNT.EXE ESCANV95.EXE ESPWATCH.EXE ETHEREAL.EXE ETRUSTCIPE.EXE EVPN.EXE EXANTIVIRUS-CNET.EXE EXE.AVXW.EXE EXPERT.EXE EXPLORE.EXE F-PROT.EXE F-PROT95.EXE F-STOPW.EXE FAMEH32.EXE FAST.EXE FCH32.EXE FIH32.EXE FINDVIRU.EXE FIREWALL.EXE FNRB32.EXE FP-WIN.EXE FP-WIN_TRIAL.EXE FPROT.EXE FRW.EXE FSAA.EXE FSAV.EXE FSAV32.EXE FSAV530STBYB.EXE FSAV530WTBYB.EXE FSAV95.EXE FSGK32.EXE FSM32.EXE FSMA32.EXE FSMB32.EXE GATOR.EXE GBMENU.EXE GBPOLL.EXE GENERICS.EXE GMT.EXE GUARD.EXE GUARDDOG.EXE HACKTRACERSETUP.EXE HBINST.EXE HBSRV.EXE HOTACTIO.EXE HOTPATCH.EXE HTLOG.EXE HTPATCH.EXE HWPE.EXE HXDL.EXE HXIUL.EXE IAMAPP.EXE IAMSERV.EXE IAMSTATS.EXE IBMASN.EXE IBMAVSP.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IDLE.EXE IEDLL.EXE IEDRIVER.EXE IEXPLORER.EXE IFACE.EXE IFW2000.EXE INETLNFO.EXE INFUS.EXE INFWIN.EXE INIT.EXE INTDEL.EXE INTREN.EXE IOMON98.EXE ISTSVC.EXE JAMMER.EXE JDBGMRG.EXE JEDI.EXE KAVLITE40ENG.EXE KAVPERS40ENG.EXE KAVPF.EXE KAZZA.EXE KEENVALUE.EXE KERIO-PF-213-EN-WIN.EXE KERIO-WRL-421-EN-WIN.EXE KERIO-WRP-421-EN-WIN.EXE KERNEL32.EXE KILLPROCESSSETUP161.EXE LAUNCHER.EXE LDNETMON.EXE LDPRO.EXE LDPROMENU.EXE LDSCAN.EXE LNETINFO.EXE LOADER.EXE LOCALNET.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE LOOKOUT.EXE LORDPE.EXE LSETUP.EXE LUALL.EXE LUALL.EXE LUAU.EXE LUCOMSERVER.EXE LUINIT.EXE LUSPT.EXE MAPISVC32.EXE MCAGENT.EXE MCMNHDLR.EXE MCSHIELD.EXE MCTOOL.EXE MCUPDATE.EXE MCUPDATE.EXE MCVSRTE.EXE MCVSSHLD.EXE MD.EXE MFIN32.EXE MFW2EN.EXE MFWENG3.02D30.EXE MGAVRTCL.EXE MGAVRTE.EXE MGHTML.EXE MGUI.EXE MINILOG.EXE MMOD.EXE MONITOR.EXE MOOLIVE.EXE MOSTAT.EXE MPFAGENT.EXE MPFSERVICE.EXE MPFTRAY.EXE MRFLUX.EXE MSAPP.EXE MSBB.EXE MSBLAST.EXE MSCACHE.EXE MSCCN32.EXE MSCMAN.EXE MSCONFIG.EXE MSDM.EXE MSDOS.EXE MSIEXEC16.EXE MSINFO32.EXE MSLAUGH.EXE MSMGT.EXE MSMSGRI32.EXE MSSMMC32.EXE MSSYS.EXE MSVXD.EXE MU0311AD.EXE MWATCH.EXE N32SCANW.EXE NAV.EXE NAVAP.NAVAPSVC.EXE NAVAPSVC.EXE NAVAPW32.EXE NAVDX.EXE NAVLU32.EXE NAVNT.EXE NAVSTUB.EXE NAVW32.EXE NAVWNT.EXE NCINST4.EXE NDD32.EXE NEOMONITOR.EXE NEOWATCHLOG.EXE NETARMOR.EXE NETD32.EXE NETINFO.EXE NETMON.EXE NETSCANPRO.EXE NETSPYHUNTER-1.2.EXE NETSTAT.EXE NETUTILS.EXE NISSERV.EXE NISUM.EXE NMAIN.EXE NOD32.EXE NORMIST.EXE NORTON_INTERNET_SECU_3.0_407.EXE NOTSTART.EXE NPF40_TW_98_NT_ME_2K.EXE NPFMESSENGER.EXE NPROTECT.EXE NPSCHECK.EXE NPSSVC.EXE NSCHED32.EXE NSSYS32.EXE NSTASK32.EXE NSUPDATE.EXE NT.EXE NTRTSCAN.EXE NTVDM.EXE NTXconfig.EXE NUI.EXE NUPGRADE.EXE NUPGRADE.EXE NVARCH16.EXE NVC95.EXE NVSVC32.EXE NWINST4.EXE NWSERVICE.EXE NWTOOL16.EXE OLLYDBG.EXE ONSRVR.EXE OPTIMIZE.EXE OSTRONET.EXE OTFIX.EXE OUTPOST.EXE OUTPOST.EXE OUTPOSTINSTALL.EXE OUTPOSTPROINSTALL.EXE PADMIN.EXE PANIXK.EXE PATCH.EXE PAVCL.EXE PAVPROXY.EXE PAVSCHED.EXE PAVW.EXE PCFWALLICON.EXE PCSCAN.EXE PDSETUP.EXE PERISCOPE.EXE PERSFW.EXE PERSWF.EXE PF2.EXE PFWADMIN.EXE PGMONITR.EXE PINGSCAN.EXE PLATIN.EXE POP3TRAP.EXE POPROXY.EXE POPSCAN.EXE PORTDETECTIVE.EXE PORTMONITOR.EXE POWERSCAN.EXE PPINUPDT.EXE PPTBC.EXE PPVSTOP.EXE PRIZESURFER.EXE PRMT.EXE PRMVR.EXE PROCDUMP.EXE PROCESSMONITOR.EXE PROCEXPLORERV1.0.EXE PROGRAMAUDITOR.EXE PROPORT.EXE PROTECTX.EXE PSPF.EXE PURGE.EXE QCONSOLE.EXE QSERVER.EXE RAPAPP.EXE RAV7.EXE RAV7WIN.EXE RAV8WIN32ENG.EXE RAY.EXE RB32.EXE RCSYNC.EXE REALMON.EXE REGED.EXE REGEDIT.EXE REGEDT32.EXE RESCUE.EXE RESCUE32.EXE RRGUARD.EXE RSHELL.EXE RTVSCAN.EXE RTVSCN95.EXE RULAUNCH.EXE RUN32DLL.EXE RUNDLL.EXE RUNDLL16.EXE RUXDLL32.EXE SAFEWEB.EXE SAHAGENT.EXE SAVE.EXE SAVENOW.EXE SBSERV.EXE SC.EXE SCAM32.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE SETUP_FLOWPROTECTOR_US.EXE SETUPVAMEEVAL.EXE SFC.EXE SGSSFW32.EXE SH.EXE SHELLSPYINSTALL.EXE SHN.EXE SHOWBEHIND.EXE SMC.EXE SMS.EXE SMSS32.EXE SOAP.EXE SOFI.EXE SPERM.EXE SPF.EXE SPHINX.EXE SPOLER.EXE SPOOLCV.EXE SPOOLSV32.EXE SPYXX.EXE SREXE.EXE SRNG.EXE SS3EDIT.EXE SSGRATE.EXE ST2.EXE START.EXE STCLOADER.EXE SUPFTRL.EXE SUPPORT.EXE SUPPORTER5.EXE SVC.EXE SVCHOSTC.EXE SVCHOSTS.EXE SVSHOST.EXE SWEEP95.EXE SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE SYMPROXYSVC.EXE SYMTRAY.EXE SYSEDIT.EXE SYSTEM.EXE SYSTEM32.EXE SYSUPD.EXE TASKMG.EXE TASKMGR.EXE TASKMO.EXE TASKMON.EXE TAUMON.EXE TBSCAN.EXE TC.EXE TCA.EXE TCM.EXE TDS-3.EXE TDS2-NT.EXE TEEKIDS.EXE TFAK.EXE TFAK5.EXE TGBOB.EXE TITANIN.EXE TITANINXP.EXE TRACERT.EXE TRICKLER.EXE TRJSCAN.EXE TRJSETUP.EXE TROJANTRAP3.EXE TSADBOT.EXE TVMD.EXE TVTMD.EXE UNDOBOOT.EXE UPDAT.EXE UPDATE.EXE UPDATE.EXE UPGRAD.EXE UTPOST.EXE VBCMSERV.EXE VBCONS.EXE VBUST.EXE VBWIN9X.EXE VBWINNTW.EXE VCSETUP.EXE VET32.EXE VET95.EXE VETTRAY.EXE VFSETUP.EXE VIR-HELP.EXE VIRUSMDPERSONALFIREWALL.EXE VNLAN300.EXE VNPC3000.EXE VPC32.EXE VPC42.EXE VPFW30S.EXE VPTRAY.EXE VSCAN40.EXE VSCENU6.02D30.EXE VSCHED.EXE VSECOMR.EXE VSHWIN32.EXE VSISETUP.EXE VSMAIN.EXE VSMON.EXE VSSTAT.EXE VSWIN9XE.EXE VSWINNTSE.EXE VSWINPERSE.EXE W32DSM89.EXE W9X.EXE WATCHDOG.EXE WEBDAV.EXE WEBSCANX.EXE WEBTRAP.EXE WFINDV32.EXE WHOSWATCHINGME.EXE WIMMUN32.EXE WIN-BUGSFIX.EXE WIN32.EXE WIN32US.EXE WINACTIVE.EXE WINDOW.EXE WINDOWS.EXE WININETD.EXE WININIT.EXE WININITX.EXE WINLOGIN.EXE WINMAIN.EXE WINNET.EXE WINPPR32.EXE WINRECON.EXE WINSERVN.EXE WINSSK32.EXE WINSTART.EXE WINSTART001.EXE WINTSK32.EXE WINUPDATE.EXE WKUFIND.EXE WNAD.EXE WNT.EXE WRADMIN.EXE WRCTRL.EXE WSBGATE.EXE WUPDATER.EXE WUPDT.EXE WYVERNWORKSFIREWALL.EXE XPF202EN.EXE ZAPRO.EXE ZAPSETUP3001.EXE ZATUTOR.EXE ZONALM2601.EXE ZONEALARM.EXE Name W32/Mytob-BE Type * Worm How it spreads * Email attachments * Network shares Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Sends itself to email addresses found on the infected computer * Modifies data on the computer Aliases * Net-Worm.Win32.Mytob.be Prevalence (1-5) 3 Description W32/Mytob-BE is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network. W32/Mytob-BE is capable of spreading through email and through various operating system vulnerabilities such as the LSASS (MS04-011) vulnerability. W32/Mytob-BE harvests email addresses from files on the infected computer and from the Windows address book. Advanced W32/Mytob-BE is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network. W32/Mytob-BE is capable of spreading through email and through various operating system vulnerabilities such as the LSASS (MS04-011) vulnerability. Email sent by W32/Mytob-BE has the following properties: Subject: Notice: Last Warning DETECTED Online User Violation Your Email Account is Suspended For Security Reasons Account Alert Important Notification WARNING Your Email Account Will Be Closed Security measures Email Account Suspension Notice of account limitation Body: Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal. The original message has been included as an attachment. We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached. We attached some important information regarding your account. Please read the attached document and follow it's instructions. The attached file consists of a base name followed by the extentions CMD, PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is BAT, CMD, PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from: account-details document email-doc email-info info-text information information instructions W32/Mytob-BE harvests email addresses from files on the infected computer and from the Windows address book. The worm avoids sending email to addresses that contain the following: .gov .mil accoun acketst admin anyone arin. avp berkeley borlan bsd bsd bugs ca certific contact example feste fido foo. fsf. gnu gold-certs google google gov. help iana ibm.com icrosof icrosoft ietf info inpris isc.o isi.e kernel linux linux listserv math me mit.e mozilla mydomai no nobody nodomai noone not nothing ntivi page panda pgp postmaster privacy rating rfc-ed ripe. root ruslis samples secur sendmail service site soft somebody someone sopho submit support syma tanford.e the.bat unix unix usenet utgers.ed webmaster you your When run, W32/Mytob-BE copies itself to the Windows system folder as beta.exe and sets the following registry entries in order to run each time a user logs on: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WINDOWS SYSTEM "beta.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices WINDOWS SYSTEM "beta.exe" W32/Mytob-BE sets the following registry entries, disabling the automatic startup of other software: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start 4 W32/Mytob-BE modifies the HOSTS file, changing the URL-to-IP mappings for selected websites, therefore preventing normal access to these sites: 127.0.0.1 www.symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 symantec.com 127.0.0.1 www.sophos.com 127.0.0.1 sophos.com 127.0.0.1 www.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 www.viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 f-secure.com 127.0.0.1 www.f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 kaspersky-labs.com 127.0.0.1 www.avp.com 127.0.0.1 www.kaspersky.com 127.0.0.1 avp.com 127.0.0.1 www.networkassociates.com 127.0.0.1 networkassociates.com 127.0.0.1 www.ca.com 127.0.0.1 ca.com 127.0.0.1 mast.mcafee.com 127.0.0.1 my-etrust.com 127.0.0.1 www.my-etrust.com 127.0.0.1 download.mcafee.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 nai.com 127.0.0.1 www.nai.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 customer.symantec.com 127.0.0.1 rads.mcafee.com 127.0.0.1 trendmicro.com 127.0.0.1 www.trendmicro.com 127.0.0.1 www.grisoft.com 127.0.0.1 www.microsoft.com 127.0.0.1 microsoft.com 127.0.0.1 www.msn.com 127.0.0.1 www.virustotal.com 127.0.0.1 virustotal.com 127.0.0.1 www.oxyd.fr 127.0.0.1 oxyd.fr 127.0.0.1 www.t35.com 127.0.0.1 t35.com 127.0.0.1 www.t35.net 127.0.0.1 t35.net W32/Mytob-BE terminates the following applications and security-related processes: ACKWIN32.EXE ADAWARE.EXE ADVXDWIN.EXE AGENTSVR.EXE AGENTW.EXE ALERTSVC.EXE ALEVIR.EXE ALOGSERV.EXE AMON9X.EXE ANTI-TROJAN.EXE ANTIVIRUS.EXE ANTS.EXE APIMONITOR.EXE APLICA32.EXE APVXDWIN.EXE ARR.EXE ATCON.EXE ATGUARD.EXE ATRO55EN.EXE ATUPDATER.EXE ATUPDATER.EXE ATWATCH.EXE AU.EXE AUPDATE.EXE AUPDATE.EXE AUTO-PROTECT.NAV80TRY.EXE AUTODOWN.EXE AUTODOWN.EXE AUTOTRACE.EXE AUTOTRACE.EXE AUTOUPDATE.EXE AUTOUPDATE.EXE AVCONSOL.EXE AVE32.EXE AVGCC32.EXE AVGCTRL.EXE AVGNT.EXE AVGSERV.EXE AVGSERV9.EXE AVGUARD.EXE AVGW.EXE AVKPOP.EXE AVKSERV.EXE AVKSERVICE.EXE AVKWCTl9.EXE AVLTMAIN.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVPUPD.EXE AVSCHED32.EXE AVSYNMGR.EXE AVWINNT.EXE AVWUPD.EXE AVWUPD32.EXE AVWUPD32.EXE AVWUPSRV.EXE AVXMONITOR9X.EXE AVXMONITORNT.EXE AVXQUAR.EXE AVXQUAR.EXE BACKWEB.EXE BARGAINS.EXE BD_PROFESSIONAL.EXE BEAGLE.EXE BELT.EXE BIDEF.EXE BIDSERVER.EXE BIPCP.EXE BIPCPEVALSETUP.EXE BISP.EXE BLACKD.EXE BLACKICE.EXE BLSS.EXE BOOTCONF.EXE BOOTWARN.EXE BORG2.EXE BPC.EXE BRASIL.EXE BS120.EXE BUNDLE.EXE BVT.EXE CCAPP.EXE CCEVTMGR.EXE CCPXYSVC.EXE CDP.EXE CFD.EXE CFGWIZ.EXE CFIADMIN.EXE CFIAUDIT.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95CF.EXE CLEAN.EXE CLEANER.EXE CLEANER3.EXE CLEANPC.EXE CLICK.EXE CMD.EXE CMD32.EXE CMESYS.EXE CMGRDIAN.EXE CMON016.EXE CONNECTIONMONITOR.EXE CPD.EXE CPF9X206.EXE CPFNT206.EXE CTRL.EXE CV.EXE CWNB181.EXE CWNTDWMO.EXE DATEMANAGER.EXE DCOMX.EXE DEFALERT.EXE DEFSCANGUI.EXE DEFWATCH.EXE DEPUTY.EXE DIVX.EXE DLLCACHE.EXE DLLREG.EXE DOORS.EXE DPF.EXE DPFSETUP.EXE DPPS2.EXE DRWATSON.EXE DRWEB32.EXE DRWEBUPW.EXE DSSAGENT.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE EFPEADM.EXE EMSW.EXE ENT.EXE ESAFE.EXE ESCANHNT.EXE ESCANV95.EXE ESPWATCH.EXE ETHEREAL.EXE ETRUSTCIPE.EXE EVPN.EXE EXANTIVIRUS-CNET.EXE EXE.AVXW.EXE EXPERT.EXE EXPLORE.EXE F-PROT.EXE F-PROT95.EXE F-STOPW.EXE FAMEH32.EXE FAST.EXE FCH32.EXE FIH32.EXE FINDVIRU.EXE FIREWALL.EXE FNRB32.EXE FP-WIN.EXE FP-WIN_TRIAL.EXE FPROT.EXE FRW.EXE FSAA.EXE FSAV.EXE FSAV32.EXE FSAV530STBYB.EXE FSAV530WTBYB.EXE FSAV95.EXE FSGK32.EXE FSM32.EXE FSMA32.EXE FSMB32.EXE GATOR.EXE GBMENU.EXE GBPOLL.EXE GENERICS.EXE GMT.EXE GUARD.EXE GUARDDOG.EXE HACKTRACERSETUP.EXE HBINST.EXE HBSRV.EXE HOTACTIO.EXE HOTPATCH.EXE HTLOG.EXE HTPATCH.EXE HWPE.EXE HXDL.EXE HXIUL.EXE IAMAPP.EXE IAMSERV.EXE IAMSTATS.EXE IBMASN.EXE IBMAVSP.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IDLE.EXE IEDLL.EXE IEDRIVER.EXE IEXPLORER.EXE IFACE.EXE IFW2000.EXE INETLNFO.EXE INFUS.EXE INFWIN.EXE INIT.EXE INTDEL.EXE INTREN.EXE IOMON98.EXE ISTSVC.EXE JAMMER.EXE JDBGMRG.EXE JEDI.EXE KAVLITE40ENG.EXE KAVPERS40ENG.EXE KAVPF.EXE KAZZA.EXE KEENVALUE.EXE KERIO-PF-213-EN-WIN.EXE KERIO-WRL-421-EN-WIN.EXE KERIO-WRP-421-EN-WIN.EXE KERNEL32.EXE KILLPROCESSSETUP161.EXE LAUNCHER.EXE LDNETMON.EXE LDPRO.EXE LDPROMENU.EXE LDSCAN.EXE LNETINFO.EXE LOADER.EXE LOCALNET.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE LOOKOUT.EXE LORDPE.EXE LSETUP.EXE LUALL.EXE LUALL.EXE LUAU.EXE LUCOMSERVER.EXE LUINIT.EXE LUSPT.EXE MAPISVC32.EXE MCAGENT.EXE MCMNHDLR.EXE MCSHIELD.EXE MCTOOL.EXE MCUPDATE.EXE MCUPDATE.EXE MCVSRTE.EXE MCVSSHLD.EXE MD.EXE MFIN32.EXE MFW2EN.EXE MFWENG3.02D30.EXE MGAVRTCL.EXE MGAVRTE.EXE MGHTML.EXE MGUI.EXE MINILOG.EXE MMOD.EXE MONITOR.EXE MOOLIVE.EXE MOSTAT.EXE MPFAGENT.EXE MPFSERVICE.EXE MPFTRAY.EXE MRFLUX.EXE MSAPP.EXE MSBB.EXE MSBLAST.EXE MSCACHE.EXE MSCCN32.EXE MSCMAN.EXE MSCONFIG.EXE MSDM.EXE MSDOS.EXE MSIEXEC16.EXE MSINFO32.EXE MSLAUGH.EXE MSMGT.EXE MSMSGRI32.EXE MSSMMC32.EXE MSSYS.EXE MSVXD.EXE MU0311AD.EXE MWATCH.EXE N32SCANW.EXE NAV.EXE NAVAP.NAVAPSVC.EXE NAVAPSVC.EXE NAVAPW32.EXE NAVDX.EXE NAVLU32.EXE NAVNT.EXE NAVSTUB.EXE NAVW32.EXE NAVWNT.EXE NC2000.EXE NCINST4.EXE NDD32.EXE NEOMONITOR.EXE NEOWATCHLOG.EXE NETARMOR.EXE NETD32.EXE NETINFO.EXE NETMON.EXE NETSCANPRO.EXE NETSPYHUNTER-1.2.EXE NETSTAT.EXE NETUTILS.EXE NISSERV.EXE NISUM.EXE NMAIN.EXE NOD32.EXE NORMIST.EXE NORTON_INTERNET_SECU_3.0_407.EXE NOTSTART.EXE NPF40_TW_98_NT_ME_2K.EXE NPFMESSENGER.EXE NPROTECT.EXE NPSCHECK.EXE NPSSVC.EXE NSCHED32.EXE NSSYS32.EXE NSTASK32.EXE NSUPDATE.EXE NT.EXE NTRTSCAN.EXE NTVDM.EXE NTXconfig.EXE NUI.EXE NUPGRADE.EXE NUPGRADE.EXE NVARCH16.EXE NVC95.EXE NVSVC32.EXE NWINST4.EXE NWSERVICE.EXE NWTOOL16.EXE OLLYDBG.EXE ONSRVR.EXE OPTIMIZE.EXE OSTRONET.EXE OTFIX.EXE OUTPOST.EXE OUTPOST.EXE OUTPOSTINSTALL.EXE OUTPOSTPROINSTALL.EXE PADMIN.EXE PANIXK.EXE PATCH.EXE PAVCL.EXE PAVPROXY.EXE PAVSCHED.EXE PAVW.EXE PCFWALLICON.EXE PCIP10117_0.EXE PCSCAN.EXE PDSETUP.EXE PERISCOPE.EXE PERSFW.EXE PERSWF.EXE PF2.EXE PFWADMIN.EXE PGMONITR.EXE PINGSCAN.EXE PLATIN.EXE POP3TRAP.EXE POPROXY.EXE POPSCAN.EXE PORTDETECTIVE.EXE PORTMONITOR.EXE POWERSCAN.EXE PPINUPDT.EXE PPTBC.EXE PPVSTOP.EXE PRIZESURFER.EXE PRMT.EXE PRMVR.EXE PROCDUMP.EXE PROCESSMONITOR.EXE PROCEXPLORERV1.0.EXE PROGRAMAUDITOR.EXE PROPORT.EXE PROTECTX.EXE PSPF.EXE PURGE.EXE QCONSOLE.EXE QSERVER.EXE RAPAPP.EXE RAV7.EXE RAV7WIN.EXE RAV8WIN32ENG.EXE RAY.EXE RB32.EXE RCSYNC.EXE REALMON.EXE REGED.EXE REGEDIT.EXE REGEDT32.EXE RESCUE.EXE RESCUE32.EXE RRGUARD.EXE RSHELL.EXE RTVSCAN.EXE RTVSCN95.EXE RULAUNCH.EXE RUN32DLL.EXE RUNDLL.EXE RUNDLL16.EXE RUXDLL32.EXE SAFEWEB.EXE SAHAGENT.EXE SAVE.EXE SAVENOW.EXE SBSERV.EXE SC.EXE SCAM32.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE SETUPVAMEEVAL.EXE SETUP_FLOWPROTECTOR_US.EXE SFC.EXE SGSSFW32.EXE SH.EXE SHELLSPYINSTALL.EXE SHN.EXE SHOWBEHIND.EXE SMC.EXE SMS.EXE SMSS32.EXE SOAP.EXE SOFI.EXE SPERM.EXE SPF.EXE SPHINX.EXE SPOLER.EXE SPOOLCV.EXE SPOOLSV32.EXE SPYXX.EXE SREXE.EXE SRNG.EXE SS3EDIT.EXE SSGRATE.EXE SSG_4104.EXE ST2.EXE START.EXE STCLOADER.EXE SUPFTRL.EXE SUPPORT.EXE SUPPORTER5.EXE SVC.EXE SVCHOSTC.EXE SVCHOSTS.EXE SVSHOST.EXE SWEEP95.EXE SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE SYMPROXYSVC.EXE SYMTRAY.EXE SYSEDIT.EXE SYSTEM.EXE SYSTEM32.EXE SYSUPD.EXE TASKMG.EXE TASKMGR.EXE TASKMO.EXE TASKMON.EXE TAUMON.EXE TBSCAN.EXE TC.EXE TCA.EXE TCM.EXE TDS-3.EXE TDS2-NT.EXE TEEKIDS.EXE TFAK.EXE TFAK5.EXE TGBOB.EXE TITANIN.EXE TITANINXP.EXE TRACERT.EXE TRICKLER.EXE TRJSCAN.EXE TRJSETUP.EXE TROJANTRAP3.EXE TSADBOT.EXE TVMD.EXE TVTMD.EXE UNDOBOOT.EXE UPDAT.EXE UPDATE.EXE UPDATE.EXE UPGRAD.EXE UTPOST.EXE VBCMSERV.EXE VBCONS.EXE VBUST.EXE VBWIN9X.EXE VBWINNTW.EXE VCSETUP.EXE VET32.EXE VET95.EXE VETTRAY.EXE VFSETUP.EXE VIR-HELP.EXE VIRUSMDPERSONALFIREWALL.EXE VNLAN300.EXE VNPC3000.EXE VPC32.EXE VPC42.EXE VPFW30S.EXE VPTRAY.EXE VSCAN40.EXE VSCENU6.02D30.EXE VSCHED.EXE VSECOMR.EXE VSHWIN32.EXE VSISETUP.EXE VSMAIN.EXE VSMON.EXE VSSTAT.EXE VSWIN9XE.EXE VSWINNTSE.EXE VSWINPERSE.EXE W32DSM89.EXE W9X.EXE WATCHDOG.EXE WEBDAV.EXE WEBSCANX.EXE WEBTRAP.EXE WFINDV32.EXE WHOSWATCHINGME.EXE WIMMUN32.EXE WIN-BUGSFIX.EXE WIN32.EXE WIN32US.EXE WINACTIVE.EXE WINDOW.EXE WINDOWS.EXE WININETD.EXE WININIT.EXE WININITX.EXE WINLOGIN.EXE WINMAIN.EXE WINNET.EXE WINPPR32.EXE WINRECON.EXE WINSERVN.EXE WINSSK32.EXE WINSTART.EXE WINSTART001.EXE WINTSK32.EXE WINUPDATE.EXE WKUFIND.EXE WNAD.EXE WNT.EXE WRADMIN.EXE WRCTRL.EXE WSBGATE.EXE WUPDATER.EXE WUPDT.EXE WYVERNWORKSFIREWALL.EXE XPF202EN.EXE ZAPRO.EXE ZAPSETUP3001.EXE ZATUTOR.EXE ZONALM2601.EXE ZONEALARM.EXE _AVP32.EXE _AVPCC.EXE _AVPM.EXE Name W32/Mytob-CZ Type * Worm How it spreads * Email attachments * Network shares Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Modifies data on the computer * Steals information * Downloads code from the internet Prevalence (1-5) 3 Description W32/Mytob-CZ is a mass-mailing worm with backdoor functionality that can be controlled through the Internet Relay Chat (IRC) network. W32/Mytob-CZ is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011). Advanced W32/Mytob-CZ is a mass-mailing worm with backdoor functionality that can be controlled through the Internet Relay Chat (IRC) network. When first run W32/Mytob-CZ copies itself to the Windows system folder as Lien.exe and creates the following registry entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Run http://www.lienvandekelder.be "Lien.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices http://www.lienvandekelder.be "Lien.exe" W32/Mytob-CZ also appends the following to the HOSTS file to deny access to security related websites: 127.0.0.1 avp.com 127.0.0.1 ca.com 127.0.0.1 customer.symantec.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 download.mcafee.com 127.0.0.1 f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 mast.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 my-etrust.com 127.0.0.1 nai.com 127.0.0.1 networkassociates.com 127.0.0.1 rads.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 sophos.com 127.0.0.1 symantec.com 127.0.0.1 trendmicro.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 www.avp.com 127.0.0.1 www.ca.com 127.0.0.1 www.f-secure.com 127.0.0.1 www.kaspersky.com 127.0.0.1 www.mcafee.com 127.0.0.1 www.microsoft.com 127.0.0.1 www.my-etrust.com 127.0.0.1 www.nai.com 127.0.0.1 www.networkassociates.com 127.0.0.1 www.sophos.com 127.0.0.1 www.symantec.com 127.0.0.1 www.trendmicro.com 127.0.0.1 www.viruslist.com W32/Mytob-CZ is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011). Email sent by W32/Mytob-CZ has the following properties: Subject line: DETECTED Online User Violation WARNING Your Email Account Will Be Closed Account Alert Email Account Suspension Important Notification Notice of account limitation Notice: Last Warning Security measures Your Email Account is Suspended For Security Reasons Message text: Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal. The original message has been included as an attachment. We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached. We attached some important information regarding your account. Please read the attached document and follow it's instructions. The attached file consists of a base name followed by the extentions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from: account-details document email-doc email-info info-text information information instructions W32/Mytob-CZ harvests email addresses from files on the infected computer and from the Windows address book. The worm avoids sending email to addresses that contain the following: .gov .mil accoun acketst admin anyone arin. avp berkeley borlan bsd bsd bugs ca certific contact example feste fido foo. fsf. gnu gold-certs google google gov. help iana ibm.com icrosof icrosoft ietf info inpris isc.o isi.e kernel linux linux listserv math me mit.e mozilla mydomai no nobody nodomai noone not nothing ntivi page panda pgp postmaster privacy rating rfc-ed ripe. root ruslis samples secur sendmail service site soft somebody someone sopho submit support syma tanford.e the.bat unix unix usenet utgers.ed webmaster you your Name W32/Mytob-M Type * Worm How it spreads * Email attachments Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Sends itself to email addresses found on the infected computer * Uses its own emailing engine Aliases * Net-Worm.Win32.Mytob.bd * W32/Mydoom.gen{at}MM * Worm.Mytob.AS Prevalence (1-5) 3 Description W32/Mytob-M is a mass-mailing worm and IRC backdoor Trojan. W32/Mytob-M runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels, including the ability to download and execute files on the infected computer. W32/Mytob-M can spread by sending itself as an email attachment to email addresses it harvests from the infected computer, either as an attachment with a double-extension or as a ZIP file containing a file with a double-extension. Emails sent by the worm have the following characteristics: Subject line: Notice: Last Warning DETECTED Online User Violation Your Email Account is Suspended For Security Reasons Account Alert Important Notification WARNING Your Email Account Will Be Closed Security measures Email Account Suspension Notice of account limitation Message body: Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal. The original message has been included as an attachment. We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached. We attached some important information regarding your account. Please read the attached document and follow it's instructions. Attachment base name: email-info email-doc information account-details document INFO instructions info-text information First extension (of attachment or of file inside ZIP): doc htm txt Second extension (of attachment or of file inside ZIP): pif scr exe cmd bat If the attachment is a ZIP file it will have the same base name as the double-extension file inside. Example attachment names include document.txt.pif and information.doc.cmd, usually with a large number of spaces between the extensions. Advanced W32/Mytob-M is a mass-mailing worm and IRC backdoor Trojan. W32/Mytob-M runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels, including the ability to download and execute files on the infected computer. W32/Mytob-M can spread by sending itself as an email attachment to email addresses it harvests from the infected computer, either as an attachment with a double-extension or as a ZIP file containing a file with a double-extension. Emails sent by the worm have the following characteristics: Subject line: Notice: Last Warning DETECTED Online User Violation Your Email Account is Suspended For Security Reasons Account Alert Important Notification WARNING Your Email Account Will Be Closed Security measures Email Account Suspension Notice of account limitation Message body: Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal. The original message has been included as an attachment. We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached. We attached some important information regarding your account. Please read the attached document and follow it's instructions. Attachment base name: email-info email-doc information account-details document INFO instructions info-text information First extension (of attachment or of file inside ZIP): doc htm txt Second extension (of attachment or of file inside ZIP): pif scr exe cmd bat If the attachment is a ZIP file it will have the same base name as the double-extension file inside. Example attachment names include document.txt.pif and information.doc.cmd, usually with a large number of spaces between the extensions. W32/Mytob-M copies itself to the Window system folder with the filename "Lien vd Kelder.exe" and sets the following registry entries to run itself on system startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run http://www.lienvandekelder.be "Lien vd Kelder.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices http://www.lienvandekelder.be "Lien vd Kelder.exe" W32/Mytob-M sets the following registry entries, disabling the automatic startup of other software: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start 4 W32/Mytob-M attempts to terminate a large number of processes related to security and anti-virus programs including REGEDIT.EXE, MSCONFIG.EXE and NETSTAT.EXE. W32/Mytob-M modifies the Windows hosts file in order to block access to the following security-related websites: 127.0.0.1 www.symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 symantec.com 127.0.0.1 www.sophos.com 127.0.0.1 sophos.com 127.0.0.1 www.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 www.viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 f-secure.com 127.0.0.1 www.f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 kaspersky-labs.com 127.0.0.1 www.avp.com 127.0.0.1 www.kaspersky.com 127.0.0.1 avp.com 127.0.0.1 www.networkassociates.com 127.0.0.1 networkassociates.com 127.0.0.1 www.ca.com 127.0.0.1 ca.com 127.0.0.1 mast.mcafee.com 127.0.0.1 my-etrust.com 127.0.0.1 www.my-etrust.com 127.0.0.1 download.mcafee.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 nai.com 127.0.0.1 www.nai.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 customer.symantec.com 127.0.0.1 rads.mcafee.com 127.0.0.1 trendmicro.com 127.0.0.1 www.trendmicro.com 127.0.0.1 www.grisoft.com 127.0.0.1 www.microsoft.com 127.0.0.1 microsoft.com 127.0.0.1 www.msn.com 127.0.0.1 www.virustotal.com 127.0.0.1 virustotal.com 127.0.0.1 www.oxyd.fr 127.0.0.1 oxyd.fr 127.0.0.1 www.t35.com 127.0.0.1 t35.com 127.0.0.1 www.t35.net 127.0.0.1 t35.net Name Troj/BagleDl-Q Type * Trojan Affected operating systems * Windows Side effects * Turns off anti-virus applications * Deletes files off the computer * Drops more malware * Downloads code from the internet * Reduces system security Aliases * TROJ_BAGLE.GEN * Troj.Tooso.B Prevalence (1-5) 3 Description Troj/BagleDl-Q is a downloading Trojan for the Windows platform. Troj/BagleDl-Q attempts to download a file from one of several preconfigured URLs and execute it. Advanced Troj/BagleDl-Q is a downloading Trojan for the Windows platform. The Trojan attempts to download a file named osa.gif from 153 separate websites. When first run the Trojan copies itself to the Windows system folder as winshost.exe and drops a component wiwshost.exe also into the Windows system folder. The dropped component is injected into the explorer.exe process in order to avoid being terminated. The following registry entries are also created by the Trojan so as to auto-start on logon: HKLM\Software\Microsoft\Windows\CurrentVersion\Run winshost.exe \winshost.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run winshost.exe \winshost.exe The downloaded file is saved as ile.exe in the Windows folder. If the download was successful, this file is then executed. The Trojan terminates the following processes: AVExch32Service AVPCC AVUPDService Ahnlab task Scheduler AlertManger AvgCore AvgFsh AvgServ AvxIni BackWeb Client - 7681197 BlackICE CAISafe DefWatch F-Secure Gatekeeper Handler Starter F-Secure Gatekeeper Handler Starter FSDFWD FSMA FSMA KAVMonitorService KAVMonitorService KLBLMain MCVSRte McAfee Firewall McAfeeFramework McShield McTaskManager MonSvcNT NISSERV NISUM NOD32ControlCenter NOD32Service NPFMntor NProtectService NSCTOP NVCScheduler NWService Network Associates Log Service Norman NJeeves Norman ZANDA Norton Antivirus Server Outbreak Manager Outpost Firewall OutpostFirewall PASSRV PAVFNSVR PAVSRV PCCPFW PREVSRV PSIMSVC PavPrSrv PavProt Pavkre PersFW SAVFMSE SAVScan SAVScan SAVScan SBService SNDSrvc SPBBCSvc SWEEPSRV.SYS SharedAccess SmcService SweepNet Symantec AntiVirus Client Symantec Core LC Symantec Core LC Symantec Core LC Tmntsrv V3MonNT V3MonSvc VexiraAntivirus VisNetic AntiVirus Plug-in XCOMM alerter avg7alrt avg7updsvc avpcc awhost32 backweb client - 4476822 backweb client-4476822 ccEvtMgr ccEvtMgr ccPwdSvc ccSetMgr ccSetMgr.exe dvpapi dvpinit fsbwsys fsdfwd kavsvc mcupdmgr.exe navapsvc navapsvc navapsvc navapsvc nvcoas nwclntc nwclntd nwclnte nwclntf nwclntg nwclnth ravmon8 schscnt sharedaccess vsmon vsmon wuauserv wuauserv Troj/BagleDl-Q deletes registry entries from the following locations: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Symantec NetDriver Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ccApp HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NAV CfgWiz HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SSC_UserPrompt HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run McAfee Guardian HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run McAfee.InstantUpdate.Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run APVXDWIN HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KAV50 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avg7_cc HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avg7_emc HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Zone Labs Client HKLM\SOFTWARE\Symantec HKLM\SOFTWARE\McAfee HKLM\SOFTWARE\KasperskyLab HKLM\SOFTWARE\Agnitum HKLM\SOFTWARE\Panda Software HKLM\SOFTWARE\Zone Labs Troj/BagleDl-Q attempts to delete or rename files with any of the following names from all fixed drives: AUPDATE.EXE av.dll Avconsol.exe avgcc.exe avgemc.exe Avsynmgr.exe cafix.exe ccApp.exe CCEVTMGR.EXE ccl30.dll CCSETMGR.EXE ccvrtrst.dll CMGrdian.exe isafe.exe KAV.exe kavmm.exe LUALL.EXE LUINSDLL.DLL Luupdate.exe Mcshield.exe NAVAPSVC.EXE NPFMNTOR.EXE outpost.exe RuLaunch.exe SNDSrvc.exe SPBBCSvc.exe symlcsvc.exe Up2Date.exe vetredir.dll Vshwin32.exe VsStat.exe vsvault.dll zatutor.exe zlavscan.dll zlclient.exe zonealarm.exe Name W32/Mytob-CP Type * Worm How it spreads * Email messages Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Sends itself to email addresses found on the infected computer * Forges the sender's email address Aliases * Net-Worm.Win32.Mytob.bb * Worm.Mytob.AS Prevalence (1-5) 3 Description W32/Mytob-CP is an email worm and IRC backdoor Trojan for the Windows platform. The Trojan component allows unauthorised remote access to the computer via a network. W32/Mytob-CP includes functionality to modify the HOSTS file. Advanced W32/Mytob-CP is an email worm and IRC backdoor Trojan for the Windows platform. W32/Mytob-CP includes functionality to modify the HOSTS file. When first run W32/Mytob-CP copies itself to \Lien Van de Kelder.exe. The following registry entries are created to run Lien Van de Kelder.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run http://www.lienvandekelder.be Lien Van de Kelder.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices http://www.lienvandekelder.be Lien Van de Kelder.exe W32/Mytob-CP sets the following registry entries, disabling the automatic startup of other software: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start 4 W32/Mytob-CP send itself to emails harvested from files on the hard disk with the following extensions: TXT, HTMB, SHTL, JSPL, CGIL, XMLS, PHPQ, ASPD, DBXN, TBBG, ADBH, WAB, PL Emails have the following characteristics: Subject lines: Notice: Last Warning DETECTED* Online User Violation Your Email Account is Suspended For Security Reasons Account Alert Important Notification WARNING Your Email Account Will Be Closed Email Account Suspension Notice of account limitation Message texts: "Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal." "The original message has been included as an attachment." "We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached." "We attached some important information regarding your account." "Please read the attached document and follow its instructions." The attached file consists of a base name followed by the extentions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP. W32/Mytob-CP modifies the HOSTS file, changing the URL-to-IP mappings for selected websites, therefore preventing normal access to the the following sites: 127.0.0.1 avp.com 127.0.0.1 ca.com 127.0.0.1 customer.symantec.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 download.mcafee.com 127.0.0.1 f-secure.com 127.0.0.1 kaspersky-labs.com 127.0.0.1 kaspersky.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 mast.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 microsoft.com 127.0.0.1 my-etrust.com 127.0.0.1 nai.com 127.0.0.1 networkassociates.com 127.0.0.1 oxyd.fr 127.0.0.1 rads.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 sophos.com 127.0.0.1 symantec.com 127.0.0.1 t35.com 127.0.0.1 t35.net 127.0.0.1 trendmicro.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 virustotal.com 127.0.0.1 www.avp.com 127.0.0.1 www.ca.com 127.0.0.1 www.f-secure.com 127.0.0.1 www.grisoft.com 127.0.0.1 www.kaspersky.com 127.0.0.1 www.mcafee.com 127.0.0.1 www.microsoft.com 127.0.0.1 www.msn.com 127.0.0.1 www.my-etrust.com 127.0.0.1 www.nai.com 127.0.0.1 www.networkassociates.com 127.0.0.1 www.oxyd.fr 127.0.0.1 www.sophos.com 127.0.0.1 www.symantec.com 127.0.0.1 www.t35.com 127.0.0.1 www.t35.net 127.0.0.1 www.trendmicro.com 127.0.0.1 www.viruslist.com 127.0.0.1 www.virustotal.com W32/Mytob-CP also terminates the following processes: _AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ADAWARE.EXE ADVXDWIN.EXE AGENTSVR.EXE AGENTW.EXE ALERTSVC.EXE ALEVIR.EXE ALOGSERV.EXE AMON9X.EXE ANTI-TROJAN.EXE ANTIVIRUS.EXE ANTS.EXE APIMONITOR.EXE APLICA32.EXE APVXDWIN.EXE ARR.EXE ATCON.EXE ATGUARD.EXE ATRO55EN.EXE ATUPDATER.EXE ATUPDATER.EXE ATWATCH.EXE AU.EXE AUPDATE.EXE AUPDATE.EXE AUTO-PROTECT.NAV80TRY.EXE AUTODOWN.EXE AUTODOWN.EXE AUTOTRACE.EXE AUTOTRACE.EXE AUTOUPDATE.EXE AUTOUPDATE.EXE AVCONSOL.EXE AVE32.EXE AVGCC32.EXE AVGCTRL.EXE AVGNT.EXE AVGSERV.EXE AVGSERV9.EXE AVGUARD.EXE AVGW.EXE AVKPOP.EXE AVKSERV.EXE AVKSERVICE.EXE AVKWCTl9.EXE AVLTMAIN.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVPUPD.EXE AVSCHED32.EXE AVSYNMGR.EXE AVWINNT.EXE AVWUPD.EXE AVWUPD32.EXE AVWUPD32.EXE AVWUPSRV.EXE AVXMONITOR9X.EXE AVXMONITORNT.EXE AVXQUAR.EXE AVXQUAR.EXE BACKWEB.EXE BARGAINS.EXE BD_PROFESSIONAL.EXE BEAGLE.EXE BELT.EXE BIDEF.EXE BIDSERVER.EXE BIPCP.EXE BIPCPEVALSETUP.EXE BISP.EXE BLACKD.EXE BLACKICE.EXE BLSS.EXE BOOTCONF.EXE BOOTWARN.EXE BORG2.EXE BPC.EXE BRASIL.EXE BS120.EXE BUNDLE.EXE BVT.EXE CCAPP.EXE CCEVTMGR.EXE CCPXYSVC.EXE CDP.EXE CFD.EXE CFGWIZ.EXE CFIADMIN.EXE CFIAUDIT.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95CF.EXE CLEAN.EXE CLEANER.EXE CLEANER3.EXE CLEANPC.EXE CLICK.EXE CMD.EXE CMD32.EXE CMESYS.EXE CMGRDIAN.EXE CMON016.EXE CONNECTIONMONITOR.EXE CPD.EXE CPF9X206.EXE CPFNT206.EXE CTRL.EXE CV.EXE CWNB181.EXE CWNTDWMO.EXE DATEMANAGER.EXE DCOMX.EXE DEFALERT.EXE DEFSCANGUI.EXE DEFWATCH.EXE DEPUTY.EXE DIVX.EXE DLLCACHE.EXE DLLREG.EXE DOORS.EXE DPF.EXE DPFSETUP.EXE DPPS2.EXE DRWATSON.EXE DRWEB32.EXE DRWEBUPW.EXE DSSAGENT.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE EFPEADM.EXE EMSW.EXE ENT.EXE ESAFE.EXE ESCANHNT.EXE ESCANV95.EXE ESPWATCH.EXE ETHEREAL.EXE ETRUSTCIPE.EXE EVPN.EXE EXANTIVIRUS-CNET.EXE EXE.AVXW.EXE EXPERT.EXE EXPLORE.EXE F-PROT.EXE F-PROT95.EXE F-STOPW.EXE FAMEH32.EXE FAST.EXE FCH32.EXE FIH32.EXE FINDVIRU.EXE FIREWALL.EXE FNRB32.EXE FP-WIN.EXE FP-WIN_TRIAL.EXE FPROT.EXE FRW.EXE FSAA.EXE FSAV.EXE FSAV32.EXE FSAV530STBYB.EXE FSAV530WTBYB.EXE FSAV95.EXE FSGK32.EXE FSM32.EXE FSMA32.EXE FSMB32.EXE GATOR.EXE GBMENU.EXE GBPOLL.EXE GENERICS.EXE GMT.EXE GUARD.EXE GUARDDOG.EXE HACKTRACERSETUP.EXE HBINST.EXE HBSRV.EXE HOTACTIO.EXE HOTPATCH.EXE HTLOG.EXE HTPATCH.EXE HWPE.EXE HXDL.EXE HXIUL.EXE IAMAPP.EXE IAMSERV.EXE IAMSTATS.EXE IBMASN.EXE IBMAVSP.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IDLE.EXE IEDLL.EXE IEDRIVER.EXE IEXPLORER.EXE IFACE.EXE IFW2000.EXE INETLNFO.EXE INFUS.EXE INFWIN.EXE INIT.EXE INTDEL.EXE INTREN.EXE IOMON98.EXE ISTSVC.EXE JAMMER.EXE JDBGMRG.EXE JEDI.EXE KAVLITE40ENG.EXE KAVPERS40ENG.EXE KAVPF.EXE KAZZA.EXE KEENVALUE.EXE KERIO-PF-213-EN-WIN.EXE KERIO-WRL-421-EN-WIN.EXE KERIO-WRP-421-EN-WIN.EXE KERNEL32.EXE KILLPROCESSSETUP161.EXE LAUNCHER.EXE LDNETMON.EXE LDPRO.EXE LDPROMENU.EXE LDSCAN.EXE LNETINFO.EXE LOADER.EXE LOCALNET.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE LOOKOUT.EXE LORDPE.EXE LSETUP.EXE LUALL.EXE LUALL.EXE LUAU.EXE LUCOMSERVER.EXE LUINIT.EXE LUSPT.EXE MAPISVC32.EXE MCAGENT.EXE MCMNHDLR.EXE MCSHIELD.EXE MCTOOL.EXE MCUPDATE.EXE MCUPDATE.EXE MCVSRTE.EXE MCVSSHLD.EXE MD.EXE MFIN32.EXE MFW2EN.EXE MFWENG3.02D30.EXE MGAVRTCL.EXE MGAVRTE.EXE MGHTML.EXE MGUI.EXE MINILOG.EXE MMOD.EXE MONITOR.EXE MOOLIVE.EXE MOSTAT.EXE MPFAGENT.EXE MPFSERVICE.EXE MPFTRAY.EXE MRFLUX.EXE MSAPP.EXE MSBB.EXE MSBLAST.EXE MSCACHE.EXE MSCCN32.EXE MSCMAN.EXE MSCONFIG.EXE MSDM.EXE MSDOS.EXE MSIEXEC16.EXE MSINFO32.EXE MSLAUGH.EXE MSMGT.EXE MSMSGRI32.EXE MSSMMC32.EXE MSSYS.EXE MSVXD.EXE MU0311AD.EXE MWATCH.EXE N32SCANW.EXE NAV.EXE NAVAP.NAVAPSVC.EXE NAVAPSVC.EXE NAVAPW32.EXE NAVDX.EXE NAVLU32.EXE NAVNT.EXE NAVSTUB.EXE NAVW32.EXE NAVWNT.EXE NCINST4.EXE NDD32.EXE NEOMONITOR.EXE NEOWATCHLOG.EXE NETARMOR.EXE NETD32.EXE NETINFO.EXE NETMON.EXE NETSCANPRO.EXE NETSPYHUNTER-1.2.EXE NETSTAT.EXE NETUTILS.EXE NISSERV.EXE NISUM.EXE NMAIN.EXE NOD32.EXE NORMIST.EXE NORTON_INTERNET_SECU_3.0_407.EXE NOTSTART.EXE NPF40_TW_98_NT_ME_2K.EXE NPFMESSENGER.EXE NPROTECT.EXE NPSCHECK.EXE NPSSVC.EXE NSCHED32.EXE NSSYS32.EXE NSTASK32.EXE NSUPDATE.EXE NT.EXE NTRTSCAN.EXE NTVDM.EXE NTXconfig.EXE NUI.EXE NUPGRADE.EXE NUPGRADE.EXE NVARCH16.EXE NVC95.EXE NVSVC32.EXE NWINST4.EXE NWSERVICE.EXE NWTOOL16.EXE OLLYDBG.EXE ONSRVR.EXE OPTIMIZE.EXE OSTRONET.EXE OTFIX.EXE OUTPOST.EXE OUTPOST.EXE OUTPOSTINSTALL.EXE OUTPOSTPROINSTALL.EXE PADMIN.EXE PANIXK.EXE PATCH.EXE PAVCL.EXE PAVPROXY.EXE PAVSCHED.EXE PAVW.EXE PCFWALLICON.EXE PCSCAN.EXE PDSETUP.EXE PERISCOPE.EXE PERSFW.EXE PERSWF.EXE PF2.EXE PFWADMIN.EXE PGMONITR.EXE PINGSCAN.EXE PLATIN.EXE POP3TRAP.EXE POPROXY.EXE POPSCAN.EXE PORTDETECTIVE.EXE PORTMONITOR.EXE POWERSCAN.EXE PPINUPDT.EXE PPTBC.EXE PPVSTOP.EXE PRIZESURFER.EXE PRMT.EXE PRMVR.EXE PROCDUMP.EXE PROCESSMONITOR.EXE PROCEXPLORERV1.0.EXE PROGRAMAUDITOR.EXE PROPORT.EXE PROTECTX.EXE PSPF.EXE PURGE.EXE QCONSOLE.EXE QSERVER.EXE RAPAPP.EXE RAV7.EXE RAV7WIN.EXE RAV8WIN32ENG.EXE RAY.EXE RB32.EXE RCSYNC.EXE REALMON.EXE REGED.EXE REGEDIT.EXE REGEDT32.EXE RESCUE.EXE RESCUE32.EXE RRGUARD.EXE RSHELL.EXE RTVSCAN.EXE RTVSCN95.EXE RULAUNCH.EXE RUN32DLL.EXE RUNDLL.EXE RUNDLL16.EXE RUXDLL32.EXE SAFEWEB.EXE SAHAGENT.EXE SAVE.EXE SAVENOW.EXE SBSERV.EXE SC.EXE SCAM32.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE SETUP_FLOWPROTECTOR_US.EXE SETUPVAMEEVAL.EXE SFC.EXE SGSSFW32.EXE SH.EXE SHELLSPYINSTALL.EXE SHN.EXE SHOWBEHIND.EXE SMC.EXE SMS.EXE SMSS32.EXE SOAP.EXE SOFI.EXE SPERM.EXE SPF.EXE SPHINX.EXE SPOLER.EXE SPOOLCV.EXE SPOOLSV32.EXE SPYXX.EXE SREXE.EXE SRNG.EXE SS3EDIT.EXE SSGRATE.EXE ST2.EXE START.EXE STCLOADER.EXE SUPFTRL.EXE SUPPORT.EXE SUPPORTER5.EXE SVC.EXE SVCHOSTC.EXE SVCHOSTS.EXE SVSHOST.EXE SWEEP95.EXE SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE SYMPROXYSVC.EXE SYMTRAY.EXE SYSEDIT.EXE SYSTEM.EXE SYSTEM32.EXE SYSUPD.EXE TASKMG.EXE TASKMGR.EXE TASKMO.EXE TASKMON.EXE TAUMON.EXE TBSCAN.EXE TC.EXE TCA.EXE TCM.EXE TDS-3.EXE TDS2-NT.EXE TEEKIDS.EXE TFAK.EXE TFAK5.EXE TGBOB.EXE TITANIN.EXE TITANINXP.EXE TRACERT.EXE TRICKLER.EXE TRJSCAN.EXE TRJSETUP.EXE TROJANTRAP3.EXE TSADBOT.EXE TVMD.EXE TVTMD.EXE UNDOBOOT.EXE UPDAT.EXE UPDATE.EXE UPDATE.EXE UPGRAD.EXE UTPOST.EXE VBCMSERV.EXE VBCONS.EXE VBUST.EXE VBWIN9X.EXE VBWINNTW.EXE VCSETUP.EXE VET32.EXE VET95.EXE VETTRAY.EXE VFSETUP.EXE VIR-HELP.EXE VIRUSMDPERSONALFIREWALL.EXE VNLAN300.EXE VNPC3000.EXE VPC32.EXE VPC42.EXE VPFW30S.EXE VPTRAY.EXE VSCAN40.EXE VSCENU6.02D30.EXE VSCHED.EXE VSECOMR.EXE VSHWIN32.EXE VSISETUP.EXE VSMAIN.EXE VSMON.EXE VSSTAT.EXE VSWIN9XE.EXE VSWINNTSE.EXE VSWINPERSE.EXE W32DSM89.EXE W9X.EXE WATCHDOG.EXE WEBDAV.EXE WEBSCANX.EXE WEBTRAP.EXE WFINDV32.EXE WHOSWATCHINGME.EXE WIMMUN32.EXE WIN-BUGSFIX.EXE WIN32.EXE WIN32US.EXE WINACTIVE.EXE WINDOW.EXE WINDOWS.EXE WININETD.EXE WININIT.EXE WININITX.EXE WINLOGIN.EXE WINMAIN.EXE WINNET.EXE WINPPR32.EXE WINRECON.EXE WINSERVN.EXE WINSSK32.EXE WINSTART.EXE WINSTART001.EXE WINTSK32.EXE WINUPDATE.EXE WKUFIND.EXE WNAD.EXE WNT.EXE WRADMIN.EXE WRCTRL.EXE WSBGATE.EXE WUPDATER.EXE WUPDT.EXE WYVERNWORKSFIREWALL.EXE XPF202EN.EXE ZAPRO.EXE ZAPSETUP3001.EXE ZATUTOR.EXE ZONALM2601.EXE ZONEALARM.E Name Troj/Bancsde-E Type * Trojan Affected operating systems * Windows Side effects * Allows others to access the computer * Steals information * Reduces system security * Records keystrokes * Installs itself in the Registry * Dropped by malware Aliases * Trojan-Dropper.Win32.Small.zz * Backdoor.Win32.Bancodor.z Prevalence (1-5) 3 Description Troj/Bancsde-E is a data-stealing Trojan for the Windows platform which attempts to capture online banking details for accounts related to certain banks in Germany. Troj/Bancsde-E comprises of the dropper file, the main executable and the dll component. The main Trojan executable attempts to capture data contained within internet banking web pages and may display fake login pages in an attempt to capture account information. Advanced Troj/Bancsde-E is a data-stealing Trojan for the Windows platform which attempts to capture online banking details for accounts related to certain banks in Germany. Troj/Bancsde-E comprises of the dropper file, the main executable and the dll component. Once executed the dropper, that may arrive with the filename xx.exe, drops to the Windows folder and runs the main executable with the filename xxsrsrv.exe that extracts the dll component with the filename iexml.dll. In order to be able to run automatically when Windows starts up Troj/Bancsde-E sets the registry entry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ xxsrSrv32 "xxsrsrv.exe" where xx are random two letters. When Troj/Bancsde-E is active this registry entry is refreshed at intervals, in an attempt to prevent deletion. Troj/Bancsde-E creates the following registry entries: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ WarnOnPostRedirect 0 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ WarnOnZoneCrossing 0 Also Troj/Bancsde-E reduces the system security by setting the following registry entries: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1609 0 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1609 0 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609 0 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609 0 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1609 0 The main Trojan executable attempts to capture data contained within internet banking web pages and may display fake login pages in an attempt to capture account information. Troj/Bancsde-E injects the dll component into the process space of iexplore.exe. This DLL is used to relay stolen information to a remote PHP script. Name W32/Nanpy-A Type * Worm Affected operating systems * Windows Side effects * Modifies data on the computer * Installs itself in the Registry * Exploits system or software vulnerabilities Prevalence (1-5) 2 Description W32/Nanpy-A is a worm for the Windows platform. It may spread to vulnerable computers via the RPC-DCOM exploit, and attempt to redirect access to various banking websites. Advanced W32/Nanpy-A is a worm for the Windows platform. It may spread to vulnerable computers via the RPC-DCOM exploit, and attempt to redirect access to various banking websites. When first run W32/Nanpy-A copies itself to \mmsvc32.exe. The following registry entry is created to run mmsvc32.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Network Services Controller \mmsvc32.exe W32/Nanpy-A modifies the HOSTS file, mapping the URLs of banking websites to a remote IP. At the time of writing, this IP address is not functional. lloydstsb.co.uk online.lloydstsb.co.uk www.lloydstsb.co.uk www.lloydstsb.com personal.barclays.co.uk barclays.co.uk ibank.barclays.co.uk www.barclays.co.uk www.nwolb.com nwolb.com hsbc.co.uk www.hsbc.co.uk abbey.com www.abbey.com www.abbey.co.uk abbey.co.uk cahoot.com www.cahoot.com www.cahoot.co.uk cahoot.co.uk www.co-operativebank.co.uk co-operativebank.co.uk www.co-operativebank.com co-operativebank.com welcome2.co-operativebankonline.co.uk welcome6.co-operativebankonline.co.uk welcome8.co-operativebankonline.co.uk welcome10.co-operativebankonline.co.uk www.smile.co.uk smile.co.uk Name W32/Agobot-SV Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Deletes files off the computer * Steals information * Downloads code from the internet Aliases * Backdoor.Win32.Agobot.gen Prevalence (1-5) 2 Description W32/Agobot-SV spreads by coping itself to the weakly protected network shares and by exploiting the following vulnerabilities: Remote Procedure Call (RPC) vulnerability. Distributed Component Object Model (DCOM) vulnerability. RPC Locator vulnerability. IIS5/WEBDAV Buffer Overflow vulnerability. For more information about these Windows vulnerabilities, please refer to the following Microsoft Security Bulletins: MS03-001 MS03-007 MS04-012 Advanced W32/Agobot-SV is a network worm with backdoor functionality which establishes an IRC channel to a remote server in order to grant an intruder access to the compromised machine. W32/Agobot-SV spreads by coping itself to the weakly protected network shares and by exploiting the following vulnerabilities: Remote Procedure Call (RPC) vulnerability. Distributed Component Object Model (DCOM) vulnerability. RPC Locator vulnerability. IIS5/WEBDAV Buffer Overflow vulnerability. For more information about these Windows vulnerabilities, please refer to the following Microsoft Security Bulletins: MS03-001 MS03-007 MS04-012 W32/Agobot-SV moves itself to the Windows system folder with the filename WMMNDIR.EXE, and in order to be able to run automatically when Windwos starts up sets the following registry entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ USBConfigration2 wmmndir.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ USBConfigration2 wmmndir.exe W32/Agobot-SV may also be used to terminate the following services on remote computers: Ati HotKey Poller AudioSrv Browser CryptSvc Dhcp dmserver Dnscache ERSvc Eventlog EventSystem FastUserSwitchingCompatibility helpsvc lanmanserver lanmanworkstation LmHosts MDM Messenger Netman Nla PlugPlay PolicyAgent ProtectedStorage RasMan RpcSs SamSs Schedule seclogon SENS ShellHWDetection Spooler srservice SSDPSRV stisvc TapiSrv TermService Themes TrkWks uploadmgr W32Time WebClient winmgmt wuauserv WZCSVC W32/Agobot-SV modifies a Windows HOSTS files in attempt to prevent access to the following websites: avp.com ca.com cafee.com customer.symantec.com dispatch.mcafee.com download.mcafee.com f-secure.com kaspersky.com liveupdate.symantec.com liveupdate.symantecliveupdate.com mast.mcafee.com my-etrust.com nai.com networkassociates.com rads.mcafee.com secure.nai.com securityresponse.symantec.com sophos.com symantec.com trendmicro.com update.symantec.com updates.symantec.com us.mcafee.com viruslist.com viruslist.com www.avp.com www.ca.com www.f-secure.com www.kaspersky.com www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com W32/Agobot-SV terminates a number of the anti-virus and other security-related processes, in addition to other viruses, worms or Trojans from the following list: _AVP32 _AVPCC _AVPM ACKWIN32 ADAWARE ADVXDWIN AGENTSVR AGENTW ALERTSVC ALEVIR ALOGSERV AMON9X ANTI-TROJAN ANTIVIRUS ANTS APIMONITOR APLICA32 APVXDWIN ARR ATCON ATGUARD ATRO55EN ATUPDATER ATWATCH AU AUPDATE AUTO-PROTECT.NAV80TRY AUTODOWN AUTOTRACE AUTOUPDATE AVCONSOL AVE32 AVGCC32 AVGCTRL AVGNT AVGSERV AVGSERV9 AVGUARD AVGW AVKPOP AVKSERV AVKSERVICE AVKWCTl9 AVLTMAIN AVNT AVP AVP32 AVPCC AVPDOS32 AVPM AVPTC32 AVPUPD AVSCHED32 AVSYNMGR AVWIN95 AVWINNT AVWUPD AVWUPD32 AVWUPSRV AVXMONITOR9X AVXMONITORNT AVXQUAR BACKWEB BARGAINS BD_PROFESSIONAL BEAGLE BELT BIDEF BIDSERVER BIPCP BIPCPEVALSETUP BISP BLACKD BLACKICE BLSS BOOTCONF BOOTWARN BORG2 BPC BRASIL BS120 BUNDLE BVT CCAPP CCEVTMGR CCPXYSVC CDP CFD CFGWIZ CFIADMIN CFIAUDIT CFINET CFINET32 Claw95 CLAW95CF CLEAN CLEANER CLEANER3 CLEANPC CLICK CMD32 CMESYS CMGRDIAN CMON016 CONNECTIONMONITOR CPD CPF9X206 CPFNT206 CTRL CV CWNB181 CWNTDWMO DATEMANAGER DCOMX DEFALERT DEFSCANGUI DEFWATCH DEPUTY DIVX DLLCACHE DLLREG DOORS DPF DPFSETUP DPPS2 DRWATSON DRWEB32 DRWEBUPW DSSAGENT DVP95 DVP95_0 ECENGINE EFPEADM EMSW ENT ESAFE ESCANH95 ESCANHNT ESCANV95 ESPWATCH ETHEREAL ETRUSTCIPE EVPN EXANTIVIRUS-CNET EXE.AVXW EXPERT EXPLORE F-AGNT95 F-PROT F-PROT95 F-STOPW FAMEH32 FAST FCH32 FIH32 FINDVIRU FIREWALL FLOWPROTECTOR FNRB32 FP-WIN FP-WIN_TRIAL FPROT FRW FSAA FSAV FSAV32 FSAV530STBYB FSAV530WTBYB FSAV95 FSGK32 FSM32 FSMA32 FSMB32 GATOR GBMENU GBPOLL GENERICS GMT GUARD GUARDDOG HACKTRACERSETUP HBINST HBSRV HOTACTIO HOTPATCH HTLOG HTPATCH HWPE HXDL HXIUL IAMAPP IAMSERV IAMSTATS IBMASN IBMAVSP ICLOAD95 ICLOADNT ICMON ICSUPP95 ICSUPPNT IDLE IEDLL IEDRIVER IEXPLORER IFACE IFW2000 INETLNFO INFUS INFWIN INIT INTDEL INTREN IOMON98 IPARMOR IRIS ISASS ISRV95 ISTSVC JAMMER JDBGMRG JEDI KAVLITE40ENG KAVPERS40ENG KAVPF KAZZA KEENVALUE KERIO-PF-213-EN-WIN KERIO-WRL-421-EN-WIN KERIO-WRP-421-EN-WIN KERNEL32 KILLPROCESSSETUP161 LAUNCHER LDNETMON LDPRO LDPROMENU LDSCAN LNETINFO LOADER LOCALNET LOCKDOWN LOCKDOWN2000 LOOKOUT LORDPE LSETUP LUALL LUAU LUCOMSERVER LUINIT LUSPT MAPISVC32 MCAGENT MCMNHDLR MCSHIELD MCTOOL MCUPDATE MCVSRTE MCVSSHLD MD MFIN32 MFW2EN MFWENG3.02D30 MGAVRTCL MGAVRTE MGHTML MGUI MINILOG MMOD MONITOR MOOLIVE MOSTAT MPFAGENT MPFSERVICE MPFTRAY MRFLUX MSAPP MSBB MSBLAST MSCACHE MSCCN32 MSCMAN MSCONFIG MSDM MSDOS MSIEXEC16 MSINFO32 MSLAUGH MSMGT MSMSGRI32 MSSMMC32 MSSYS MSVXD MU0311AD MWATCH N32SCANW NAV NAVAP.NAVAPSVC NAVAPSVC NAVAPW32 NAVDX NAVENGNAVEX15.NAVLU32 NAVLU32 NAVNT NAVSTUB NAVW32 NAVWNT NC2000 NCINST4 NDD32 NEOMONITOR NEOWATCHLOG NETARMOR NETD32 NETINFO NETMON NETSCANPRO NETSPYHUNTER-1.2 NETSTAT NETUTILS NISSERV NISUM NMAIN NOD32 NORMIST NORTON_INTERNET_SECU_3.0_407 NOTSTART NPF40_TW_98_NT_ME_2K NPFMESSENGER NPROTECT NPSCHECK NPSSVC NSCHED32 NSSYS32 NSTASK32 NSUPDATE NT NTRTSCAN NTVDM NTXconfig NUI NUPGRADE NVARCH16 NVC95 NVSVC32 NWINST4 NWSERVICE NWTOOL16 OLLYDBG ONSRVR OPTIMIZE OSTRONET OTFIX OUTPOST OUTPOSTINSTALL OUTPOSTPROINSTALL PADMIN PANIXK PATCH PAVCL PAVPROXY PAVSCHED PAVW PCC2002S902 PCC2K_76_1436 PCCIOMON PCCNTMON PCCWIN97 PCCWIN98 PCDSETUP PCFWALLICON PCIP10117_0 PCSCAN PDSETUP PENIS PERISCOPE PERSFW PERSWF PF2 PFWADMIN PGMONITR PINGSCAN PLATIN POP3TRAP POPROXY POPSCAN PORTDETECTIVE PORTMONITOR POWERSCAN PPINUPDT PPTBC PPVSTOP PRIZESURFER PRMT PRMVR PROCDUMP PROCESSMONITOR PROCEXPLORERV1.0 PROGRAMAUDITOR PROPORT PROTECTX PSPF PURGE PUSSY PVIEW95 QCONSOLE QSERVER RAPAPP RAV7 RAV7WIN RAV8WIN32ENG RAY RB32 RCSYNC REALMON REGED REGEDIT REGEDT32 RESCUE RESCUE32 RRGUARD RSHELL RTVSCAN RTVSCN95 RULAUNCH RUN32DLL RUNDLL RUNDLL16 RUXDLL32 SAFEWEB SAHAGENT SAVE SAVENOW SBSERV SC SCAM32 SCAN32 SCAN95 SCANPM SCRSCAN SCRSVR SCVHOST SD SERV95 SERVICE SERVLCE SERVLCES SETUP_FLOWPROTECTOR_US SETUPVAMEEVAL SFC SGSSFW32 SH SHELLSPYINSTALL SHN SHOWBEHIND SMC SMS SMSS32 SOAP SOFI SPERM SPF SPHINX SPOLER SPOOLCV SPOOLSV32 SPYXX SREXE SRNG SS3EDIT SSG_4104 SSGRATE ST2 START STCLOADER SUPFTRL SUPPORT SUPPORTER5 SVC SVCHOSTC SVCHOSTS SVSHOST SWEEP95 SWEEPNET.SWEEPSRV.SYS.SWNETSUP SYMPROXYSVC SYMTRAY SYSEDIT SYSTEM SYSTEM32 SYSUPD TASKMG TASKMO TASKMON TAUMON TBSCAN TC TCA TCM TDS-3 TDS2-98 TDS2-NT TEEKIDS TFAK TFAK5 TGBOB TITANIN TITANINXP TRACERT TRICKLER TRJSCAN TRJSETUP TROJANTRAP3 TSADBOT TVMD TVTMD UNDOBOOT UPDAT UPDATE UPGRAD UTPOST VBCMSERV VBCONS VBUST VBWIN9X VBWINNTW VCSETUP VET32 VET95 VETTRAY VFSETUP VIR-HELP VIRUSMDPERSONALFIREWALL VNLAN300 VNPC3000 VPC32 VPC42 VPFW30S VPTRAY VSCAN40 VSCENU6.02D30 VSCHED VSECOMR VSHWIN32 VSISETUP VSMAIN VSMON VSSTAT VSWIN9XE VSWINNTSE VSWINPERSE W32DSM89 W9X WATCHDOG WEBDAV WEBSCANX WEBTRAP WFINDV32 WGFE95 WHOSWATCHINGME WIMMUN32 WIN-BUGSFIX WIN32 WIN32US WINACTIVE WINDOW WINDOWS WININETD WININIT WININITX WINLOGIN WINMAIN WINNET WINPPR32 WINRECON WINSERVN WINSSK32 WINSTART WINSTART001 WINTSK32 WINUPDATE WKUFIND WNAD WNT WRADMIN WRCTRL WSBGATE WUPDATER WUPDT WYVERNWORKSFIREWALL XPF202EN ZAPRO ZAPSETUP3001 ZATUTOR ZONALM2601 ZONEALARM W32/Agobot-SV tests the available bandwidth by attempting to GET or POST data to the following websites: de.yahoo.com nitro.ucsc.edu verio.fr www.1und1.de www.above.net www.belwue.de www.burst.net www.cogentco.com www.d1asia.com www.level3.com www.lib.nthu.edu.tw www.nifty.com www.nocster.com www.rit.edu www.schlund.net www.st.lib.keio.ac.jp www.stanford.edu www.switch.ch www.utwente.nl www.verio.com www.xo.net yahoo.co.jp W32/Agobot-SV can be used to initiate denial-of-service (DoS) and distributed denial-of-service (DDoS) synflood / httpflood / fraggle / smurf etc attacks against remote systems. This worm can steal the Windows Product ID and keys from several computer applications or games including: AOL Instant Messenger Battlefield 1942 Battlefield 1942: Secret Weapons Of WWII Battlefield 1942: The Road To Rome Battlefield 1942: Vietnam Black and White Call of Duty Command and Conquer: Generals Command and Conquer: Generals: Zero Hour Command and Conquer: Red Alert2 Command and Conquer: Tiberian Sun Counter-Strike FIFA 2002 FIFA 2003 Freedom Force Global Operations Gunman Chronicles Half-Life Hidden and Dangerous 2 Industry Giant 2 IGI2: Covert Strike James Bond 007: Nightfire Medal of Honor: Allied Assault Medal of Honor: Allied Assault: Breakthrough Medal of Honor: Allied Assault: Spearhead Nascar Racing 2002 Nascar Racing 2003 NHL 2002 NHL 2003 Need For Speed: Hot Pursuit 2 Need For Speed: Underground Neverwinter Nights Ravenshield Shogun Total War - Warlord Edition Soldiers Of Anarchy Soldier of Fortune II - Double Helix The Gladiators Unreal Tournament 2003 Unreal Tournament 2004 Windows Messenger Name W32/Sdbot-YW Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Downloads code from the internet * Installs itself in the Registry * Used in DOS attacks Aliases * Backdoor.Win32.SdBot.bh * W32/Sdbot.worm.gen.j * W32.Randex * BKDR_NICSHIZ.A Prevalence (1-5) 2 Description W32/Sdbot-YW is a worm with IRC backdoor functionality for the Windows platform. W32/Sdbot-YW allows unauthorised remote access to the infected computer via the IRC network. The worm joins a preconfigured IRC channel and waits for instructions from a remote intruder. The worm can be instructed to download updates and run arbitrary files, participate in DDoS attacks and spread to remote network shares. Advanced W32/Sdbot-YW is a worm with IRC backdoor functionality for the Windows platform. W32/Sdbot-YW allows unauthorised remote access to the infected computer via the IRC network. The worm joins a preconfigured IRC channel and waits for instructions from a remote intruder. The worm can be instructed to download updates and run arbitrary files, participate in DDoS attacks and spread to remote network shares. When first run the worm copies itself to \hmusvc32.exe. The following registry entries are created to run hmusvc32.exe on startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HMV PowerSource hmusvc32.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HMV PowerSource hmusvc32.exe Name Troj/Spyre-C Type * Trojan Affected operating systems * Windows Side effects * Modifies data on the computer * Drops more malware * Reduces system security * Installs itself in the Registry * Leaves non-infected files on computer Aliases * Spyre * TROJ_TOPANTSPY.C * Trojan.Win32.TopAntiSpyware.l Prevalence (1-5) 2 Description Troj/Spyre-C is a Trojan for the Windows platform. The Trojan displays advertisements and fake security warnings in an effort to promote traffic to a specific website. Advanced Troj/Spyre-C is a Trojan for the Windows platform. The Trojan displays advertisements and fake security warnings in an effort to promote traffic to a specific website. Troj/Spyre-C may create registry entries under HKLM\Software\AntivirusGold. Troj/Spyre-C copies itself to the Windows system folder as winnook.exe and sets the following registry entry in order to run each time a user logs on: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Intel system tool "\winnook.exe" The Trojan drops a file named desktop.html to the Windows folder which contains the fake security alerts and prompts to visit the remote website. The following text appears in the message: WARNING! YOU'RE IN DANGER! ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN. Troj/Spyre-C may also download and execute files from a remote site. Name W32/Sdbot-ZE Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Modifies data on the computer * Deletes files off the computer * Steals information Prevalence (1-5) 2 Description W32/Sdbot-ZE is a network worm with backdoor functionality for the Windows platform. The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities. W32/Sdbot-ZE connects to a predetermined IRC channel and awaits further commands from remote users. Advanced W32/Sdbot-ZE is a network worm with backdoor functionality for the Windows platform. When first run, W32/Sdbot-ZE copies itself to the Windows system folder as hdsys.exe and creates the following registry entries in order to run each time a user logs on: HKLM\Software\Microsoft\OLE HP Service Drivers "hdsys.exe" HKLM\System\CurrentControlSet\Control\Lsa HP Service Drivers "hdsys.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\Run HP Service Drivers "hdsys.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices HP Service Drivers "hdsys.exe" HKCU\Software\Microsoft\OLE HP Service Drivers "hdsys.exe" HKCU\System\CurrentControlSet\Control\Lsa HP Service Drivers "hdsys.exe" HKCU\Software\Microsoft\Windows\CurrentVersion\Run HP Service Drivers "hdsys.exe" HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices HP Service Drivers "hdsys.exe" The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities. W32/Sdbot-ZE connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-ZE can be instructed to perform the following functions: scan networks for vulnerabilities download/execute arbitrary files start an ftp server take part in distributed denial of service (DDoS) attacks start a proxy server sniff network packets W32/Sdbot-ZE terminates the following processes: _AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ADAWARE.EXE ADVXDWIN.EXE AGENTSVR.EXE AGENTW.EXE ALERTSVC.EXE ALEVIR.EXE ALOGSERV.EXE AMON9X.EXE ANTI-TROJAN.EXE ANTIVIRUS.EXE ANTS.EXE APIMONITOR.EXE APLICA32.EXE APVXDWIN.EXE ARR.EXE ATCON.EXE ATGUARD.EXE ATRO55EN.EXE ATUPDATER.EXE ATWATCH.EXE AU.EXE AUPDATE.EXE AUTO-PROTECT.NAV80TRY.EXE AUTODOWN.EXE AUTOTRACE.EXE AUTOUPDATE.EXE AVCONSOL.EXE AVE32.EXE AVGCC32.EXE AVGCTRL.EXE AVGNT.EXE AVGSERV.EXE AVGSERV9.EXE AVGUARD.EXE AVGW.EXE AVKPOP.EXE AVKSERV.EXE AVKSERVICE.EXE AVKWCTl9.EXE AVLTMAIN.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVSCHED32.EXE AVSYNMGR.EXE AVWIN95.EXE AVWINNT.EXE AVWUPD.EXE AVWUPD32.EXE AVWUPSRV.EXE AVXMONITOR9X.EXE AVXMONITORNT.EXE AVXQUAR.EXE BACKWEB.EXE BARGAINS.EXE BD_PROFESSIONAL.EXE BEAGLE.EXE BELT.EXE BIDEF.EXE BIDSERVER.EXE BIPCP.EXE BIPCPEVALSETUP.EXE BISP.EXE BLACKD.EXE BLACKICE.EXE BLSS.EXE BOOTCONF.EXE BOOTWARN.EXE BORG2.EXE BPC.EXE BRASIL.EXE BS120.EXE BUNDLE.EXE BVT.EXE CCAPP.EXE CCEVTMGR.EXE CCPXYSVC.EXE CDP.EXE CFD.EXE CFGWIZ.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE Claw95.EXE CLAW95CF.EXE CLEAN.EXE CLEANER.EXE CLEANER3.EXE CLEANPC.EXE CLICK.EXE CMD32.EXE CMESYS.EXE CMGRDIAN.EXE CMON016.EXE CONNECTIONMONITOR.EXE CPD.EXE CPF9X206.EXE CPFNT206.EXE CTRL.EXE CV.EXE CWNB181.EXE CWNTDWMO.EXE DATEMANAGER.EXE DCOMX.EXE DEFALERT.EXE DEFSCANGUI.EXE DEFWATCH.EXE DEPUTY.EXE DIVX.EXE DLLCACHE.EXE DLLREG.EXE DOORS.EXE DPF.EXE DPFSETUP.EXE DPPS2.EXE DRWATSON.EXE DRWEB32.EXE DRWEBUPW.EXE DSSAGENT.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE EFPEADM.EXE EMSW.EXE ESAFE.EXE ESCANH95.EXE ESCANHNT.EXE ESCANV95.EXE ESPWATCH.EXE ETHEREAL.EXE ETRUSTCIPE.EXE EVPN.EXE EXANTIVIRUS-CNET.EXE EXE.AVXW.EXE EXPERT.EXE EXPLORE.EXE F-AGNT95.EXE F-AGOBOT.EXE F-PROT.EXE F-PROT95.EXE F-STOPW.EXE FAMEH32.EXE FAST.EXE FCH32.EXE FIH32.EXE FINDVIRU.EXE FIREWALL.EXE FLOWPROTECTOR.EXE FNRB32.EXE FP-WIN.EXE FP-WIN_TRIAL.EXE FPROT.EXE FRW.EXE FSAA.EXE FSAV.EXE FSAV32.EXE FSAV530STBYB.EXE FSAV530WTBYB.EXE FSAV95.EXE FSGK32.EXE FSM32.EXE FSMA32.EXE FSMB32.EXE GATOR.EXE GBMENU.EXE GBPOLL.EXE GENERICS.EXE GMT.EXE GUARD.EXE GUARDDOG.EXE HACKTRACERSETUP.EXE HBINST.EXE HBSRV.EXE HIJACKTHIS.EXE HOTACTIO.EXE HOTPATCH.EXE HTLOG.EXE HTPATCH.EXE HWPE.EXE HXDL.EXE HXIUL.EXE IAMAPP.EXE IAMSERV.EXE IAMSTATS.EXE IBMASN.EXE IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IDLE.EXE IEDLL.EXE IEDRIVER.EXE IEXPLORER.EXE IFACE.EXE IFW2000.EXE INETLNFO.EXE INFUS.EXE INFWIN.EXE INIT.EXE INTDEL.EXE INTREN.EXE IOMON98.EXE IPARMOR.EXE IRIS.EXE ISASS.EXE ISRV95.EXE ISTSVC.EXE JAMMER.EXE JDBGMRG.EXE JEDI.EXE KAVLITE40ENG.EXE KAVPERS40ENG.EXE KAVPF.EXE KAZZA.EXE KEENVALUE.EXE KERIO-PF-213-EN-WIN.EXE KERIO-WRL-421-EN-WIN.EXE KERIO-WRP-421-EN-WIN.EXE KERNEL32.EXE KILLPROCESSSETUP161.EXE LAUNCHER.EXE LDNETMON.EXE LDPRO.EXE LDPROMENU.EXE LDSCAN.EXE LNETINFO.EXE LOADER.EXE LOCALNET.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE LOOKOUT.EXE LORDPE.EXE LSETUP.EXE LUALL.EXE LUAU.EXE LUCOMSERVER.EXE LUINIT.EXE LUSPT.EXE MAPISVC32.EXE MCAGENT.EXE MCMNHDLR.EXE MCSHIELD.EXE MCTOOL.EXE MCUPDATE.EXE MCVSRTE.EXE MCVSSHLD.EXE MD.EXE MFIN32.EXE MFW2EN.EXE MFWENG3.02D30.EXE MGAVRTCL.EXE MGAVRTE.EXE MGHTML.EXE MGUI.EXE MINILOG.EXE MMOD.EXE MONITOR.EXE MOOLIVE.EXE MOSTAT.EXE MPFAGENT.EXE MPFSERVICE.EXE MPFTRAY.EXE MRFLUX.EXE MSAPP.EXE MSBB.EXE MSBLAST.EXE MSCACHE.EXE MSCCN32.EXE MSCMAN.EXE MSCONFIG.EXE MSDM.EXE MSDOS.EXE MSIEXEC16.EXE MSINFO32.EXE MSLAUGH.EXE MSMGT.EXE MSMSGRI32.EXE MSSMMC32.EXE MSSYS.EXE MSVXD.EXE MU0311AD.EXE MWATCH.EXE N32SCANW.EXE NAV.EXE NAVAP.NAVAPSVC.EXE NAVAPSVC.EXE NAVAPW32.EXE NAVDX.EXE NAVENGNAVEX15.NAVLU32.EXE NAVLU32.EXE NAVNT.EXE NAVSTUB.EXE NAVW32.EXE NAVWNT.EXE NCINST4.EXE NDD32.EXE NEOMONITOR.EXE NEOWATCHLOG.EXE NETARMOR.EXE NETD32.EXE NETINFO.EXE NETMON.EXE NETSCANPRO.EXE NETSPYHUNTER-1.2.EXE NETSTAT.EXE NETUTILS.EXE NISSERV.EXE NISUM.EXE NMAIN.EXE NOD32.EXE NORMIST.EXE NORTON_INTERNET_SECU_3.0_407.EXE NOTSTART.EXE NPF40_TW_98_NT_ME_2K.EXE NPFMESSENGER.EXE NPROTECT.EXE NPSCHECK.EXE NPSSVC.EXE NSCHED32.EXE NSSYS32.EXE NSTASK32.EXE NSUPDATE.EXE NT.EXE NTRTSCAN.EXE NTVDM.EXE NTXconfig.EXE NUI.EXE NUPGRADE.EXE NVARCH16.EXE NVC95.EXE NVSVC32.EXE NWINST4.EXE NWSERVICE.EXE NWTOOL16.EXE OLLYDBG.EXE ONSRVR.EXE OPTIMIZE.EXE OSTRONET.EXE OTFIX.EXE OUTPOST.EXE OUTPOSTINSTALL.EXE OUTPOSTPROINSTALL.EXE PADMIN.EXE PANIXK.EXE PATCH.EXE PAVCL.EXE PAVPROXY.EXE PAVSCHED.EXE PAVW.EXE PCCIOMON.EXE PCCNTMON.EXE PCCWIN97.EXE PCCWIN98.EXE PCDSETUP.EXE PCFWALLICON.EXE PCSCAN.EXE PDSETUP.EXE PENIS.EXE PERISCOPE.EXE PERSFW.EXE PERSWF.EXE PF2.EXE PFWADMIN.EXE PGMONITR.EXE PINGSCAN.EXE PLATIN.EXE POP3TRAP.EXE POPROXY.EXE POPSCAN.EXE PORTDETECTIVE.EXE PORTMONITOR.EXE POWERSCAN.EXE PPINUPDT.EXE PPTBC.EXE PPVSTOP.EXE PRIZESURFER.EXE PRMT.EXE PRMVR.EXE PROCDUMP.EXE PROCESSMONITOR.EXE PROCEXPLORERV1.0.EXE PROGRAMAUDITOR.EXE PROPORT.EXE PROTECTX.EXE PSPF.EXE PURGE.EXE PUSSY.EXE PVIEW95.EXE QCONSOLE.EXE QSERVER.EXE RAPAPP.EXE RAV7.EXE RAV7WIN.EXE RAV8WIN32ENG.EXE RAY.EXE RB32.EXE RCSYNC.EXE REALMON.EXE REGED.EXE REGEDIT.EXE REGEDT32.EXE RESCUE.EXE RESCUE32.EXE RRGUARD.EXE RSHELL.EXE RTVSCAN.EXE RTVSCN95.EXE RULAUNCH.EXE RUN32DLL.EXE RUNDLL.EXE RUNDLL16.EXE RUXDLL32.EXE SAFEWEB.EXE SAHAGENT.EXE SAVE.EXE SAVENOW.EXE SBSERV.EXE SC.EXE SCAM32.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE SCRSVR.EXE SCVHOST.EXE SD.EXE SERV95.EXE SERVICE.EXE SERVLCE.EXE SERVLCES.EXE SETUP_FLOWPROTECTOR_US.EXE SETUPVAMEEVAL.EXE SFC.EXE SGSSFW32.EXE SH.EXE SHELLSPYINSTALL.EXE SHN.EXE SHOWBEHIND.EXE SMC.EXE SMS.EXE SMSS32.EXE SOAP.EXE SOFI.EXE SPERM.EXE SPF.EXE SPHINX.EXE SPOLER.EXE SPOOLCV.EXE SPOOLSV32.EXE SPYXX.EXE SREXE.EXE SRNG.EXE SS3EDIT.EXE SSGRATE.EXE ST2.EXE START.EXE STCLOADER.EXE SUPFTRL.EXE SUPPORT.EXE SUPPORTER5.EXE SVC.EXE SVCHOSTC.EXE SVCHOSTS.EXE SVSHOST.EXE SWEEP95.EXE SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE SYMPROXYSVC.EXE SYMTRAY.EXE SYSEDIT.EXE SYSTEM.EXE SYSTEM32.EXE SYSUPD.EXE TASKMG.EXE TASKMGR.EXE TASKMO.EXE TASKMON.EXE TAUMON.EXE TBSCAN.EXE TC.EXE TCA.EXE TCM.EXE TDS-3.EXE TDS2-98.EXE TDS2-NT.EXE TEEKIDS.EXE TFAK.EXE TFAK5.EXE TGBOB.EXE TITANIN.EXE TITANINXP.EXE TRACERT.EXE TRICKLER.EXE TRJSCAN.EXE TRJSETUP.EXE TROJANTRAP3.EXE TSADBOT.EXE TVMD.EXE TVTMD.EXE UNDOBOOT.EXE UPDAT.EXE UPDATE.EXE UPGRAD.EXE UTPOST.EXE VBCMSERV.EXE VBCONS.EXE VBUST.EXE VBWIN9X.EXE VBWINNTW.EXE VCSETUP.EXE VET32.EXE VET95.EXE VETTRAY.EXE VFSETUP.EXE VIR-HELP.EXE VIRUSMDPERSONALFIREWALL.EXE VNLAN300.EXE VNPC3000.EXE VPC32.EXE VPC42.EXE VPFW30S.EXE VPTRAY.EXE VSCAN40.EXE VSCENU6.02D30.EXE VSCHED.EXE VSECOMR.EXE VSHWIN32.EXE VSISETUP.EXE VSMAIN.EXE VSMON.EXE VSSTAT.EXE VSWIN9XE.EXE VSWINNTSE.EXE VSWINPERSE.EXE W32DSM89.EXE W9X.EXE WATCHDOG.EXE WEBDAV.EXE WEBSCANX.EXE WEBTRAP.EXE WFINDV32.EXE WGFE95.EXE WHOSWATCHINGME.EXE WIMMUN32.EXE WIN-BUGSFIX.EXE WIN32.EXE WIN32US.EXE WINACTIVE.EXE WINDOW.EXE WINDOWS.EXE WININETD.EXE WININIT.EXE WININITX.EXE WINLOGIN.EXE WINMAIN.EXE WINNET.EXE WINPPR32.EXE WINRECON.EXE WINSERVN.EXE WINSSK32.EXE WINSTART.EXE WINSTART001.EXE WINTSK32.EXE WINUPDATE.EXE WKUFIND.EXE WNAD.EXE WNT.EXE WRADMIN.EXE WRCTRL.EXE WSBGATE.EXE WUPDATER.EXE WUPDT.EXE WYVERNWORKSFIREWALL.EXE XPF202EN.EXE ZAPRO.EXE ZAPSETUP3001.EXE ZATUTOR.EXE ZONALM2601.EXE ZONEALARM.EXE Patches for the vulnerabilities exploited by W32/Sdbot-ZE can be obtained from Microsoft at: MS02-039 MS04-011 MS04-012 Name W32/Mytob-CU Type * Worm How it spreads * Email attachments Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Sends itself to email addresses found on the infected computer * Forges the sender's email address * Reduces system security Prevalence (1-5) 2 Description W32/Mytob-CU is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network. W32/Mytob-CU is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011). Advanced W32/Mytob-CU is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network. When first run W32/Mytob-CU copies itself to the Windows system folder as xxx.exe and creates the following registry entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WINDOWS SYSTEM "xxx.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices WINDOWS SYSTEM "xxx.exe" W32/Mytob-CU also appends the following to the HOSTS file to deny access to security related websites: 127.0.0.1 www.symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 symantec.com 127.0.0.1 www.sophos.com 127.0.0.1 sophos.com 127.0.0.1 www.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 www.viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 f-secure.com 127.0.0.1 www.f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 www.avp.com 127.0.0.1 www.kaspersky.com 127.0.0.1 avp.com 127.0.0.1 www.networkassociates.com 127.0.0.1 networkassociates.com 127.0.0.1 www.ca.com 127.0.0.1 ca.com 127.0.0.1 mast.mcafee.com 127.0.0.1 my-etrust.com 127.0.0.1 www.my-etrust.com 127.0.0.1 download.mcafee.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 nai.com 127.0.0.1 www.nai.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 customer.symantec.com 127.0.0.1 rads.mcafee.com 127.0.0.1 trendmicro.com 127.0.0.1 www.microsoft.com 127.0.0.1 www.trendmicro.com W32/Mytob-CU is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011). Email sent by W32/Mytob-CU has the following properties: Subject line: Notice: Last Warning DETECTED Online User Violation Your Email Account is Suspended For Security Reasons Account Alert Important Notification WARNING Your Email Account Will Be Closed Security measures Email Account Suspension Notice of account limitation Message text: Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal. The original message has been included as an attachment. We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached. We attached some important information regarding your account. Please read the attached document and follow it's instructions. The attached file consists of a base name followed by the extentions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from: email-info email-doc information account-details document instructions info-texg information W32/Mytob-CU harvests email addresses from files on the infected computer and from the Windows address book. The worm avoids sending email to addresses that contain the following: michael george andrew robert brenda claudia icrosof hotmail borlan inpris example mydomai nodomai ruslis berkeley ibm.com google kernel usenet rfc-ed sendmail acketst tanford.e utgers.ed mozilla be_loyal: samples postmaster webmaster nobody nothing anyone someone rating contact somebody privacy service submit gold-certs the.bat icrosoft support listserv certific google accoun administrator service register Name Troj/CashGrab-C Type * Trojan Affected operating systems * Windows Side effects * Steals information * Drops more malware * Reduces system security * Installs itself in the Registry Aliases * PWS-Cashgrabber * Trojan.Win32.Agent.cc * Trojan.Win32.Agent.cw Prevalence (1-5) 2 Description Troj/CashGrab-C is a password stealing Trojan for the Windows platform. Advanced Troj/CashGrab-C is a password stealing Trojan which attempts to steal confidential information and send it to a remote location. When the Trojan is installed the following files are created: \msupdate.dll \windows.idn \winsetup.exe \winst.msi msupdate.dll is also detected as Troj/CashGrab-C. winsetup.exe is detected as Troj/CashGrab-A. windows.idn and winst.msi are harmless text files. The file msupdate.dll is registered as a Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under: HKCR\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}\ Troj/CashGrab-C monitors browser windows for content indicative of an internet banking site. Upon encountering such windows, the Trojan attempts to record any data entered into these windows and send it to the author via an HTTP form submission. Name W32/Rbot-AEJ Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Modifies data on the computer * Deletes files off the computer * Steals information Aliases * Trojan.Win32.Crypt.d Prevalence (1-5) 2 Description W32/Rbot-AEJ is a network worm with backdoor Trojan functionality for the Windows platform. W32/Rbot-AEJ can be controlled by a remote attacker over IRC channels. W32/Rbot-AEJ spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans. W32/Rbot-AEJ can also be instructed to spread through the AOL Instant Messaging (AIM) application. Patches for the operating system vulnerabilities exploited by W32/Rbot-AEJ can be obtained from Microsoft at: MS01-059 MS03-007 MS04-011 MS04-012 Advanced W32/Rbot-AEJ is a network worm with backdoor Trojan functionality for the Windows platform. The worm copies itself to a file named system.exe in the Windows system folder. W32/Rbot-AEJ spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans. W32/Rbot-AEJ can also be instructed to spread through the AOL Instant Messaging (AIM) application. W32/Rbot-AEJ can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-AEJ can be instructed by a remote user to perform the following functions: start an FTP server start a Proxy server start a web server take part in distributed denial of service (DDoS) attacks log keypresses capture screen/webcam images packet sniffing port scanning download/execute arbitrary files start a remote shell (RLOGIN) steal product registration information from certain software Patches for the operating system vulnerabilities exploited by W32/Rbot-AEJ can be obtained from Microsoft at: MS01-059 MS03-007 MS04-011 MS04-012 Name Troj/Codebase-K Type * Trojan Affected operating systems * Windows Side effects * Downloads code from the internet * Exploits system or software vulnerabilities Aliases * Trojan-Downloader.JS.Istbar.j Prevalence (1-5) 2 Description Troj/Codebase-K exploits the CODEBASE vulnerability to run a remote executable file on the local computer. Advanced Troj/Codebase-K exploits the CODEBASE vulnerability associated with certain versions of Microsoft Internet Explorer to run an executable file on the local computer. Troj/Codebase-K is an HTML file containing an OBJECT element whose CODEBASE attribute points to an executable file. Name Troj/Bancb-Fam Type * Trojan Affected operating systems * Windows Side effects * Steals credit card details * Turns off anti-virus applications * Steals information * Uses its own emailing engine * Records keystrokes * Installs itself in the Registry Prevalence (1-5) 2 Description Troj/Bancb-Fam detects members of the Bancban family of Trojans. Members of this family typically attempt to steal confidential information when a user visits banking-related websites. Advanced Troj/Bancb-Fam detects members of the Bancban family of Trojans. Members of this family typically attempt to steal confidential information when a user visits banking-related websites. Trojans of this family typically monitor URLs entered into Internet Explorer. When certain websites are visited, the Trojan may display a fake user interface in order to trick the user into entering confidential details. Stolen information is sent by email to a remote user. Typically a registry entry is created in order to run the Trojan on system startup: HKLM\Software\Microsoft\Windows\CurrentVersion\Run --- MultiMail/Win32 v0.43 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140) SEEN-BY: 633/267 270 @PATH: 123/140 500 106/2000 633/267
SOURCE: echomail via fidonet.ozzmosis.com

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.