echo: virus_info
to: ALL
from: KURT WISMER
date: 2006-06-25 17:00:00
subject: News, June 25 2006

[cut-n-paste from sophos.com]

Name   W32/Bagle-KG

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet

Aliases  
    * W32.Beagle.FD{at}mm
    * Email-Worm.Win32.Bagle.gk

Prevalence (1-5) 2

Description
W32/Bagle-KG is a mass-mailing worm for the Windows platform.

W32/Bagle-KG includes functionality to access the internet and 
communicate with a remote server via HTTP.

When W32/Bagle-KG is installed it attempts to mail a zipped file of 
the W32/Bagle-KF worm.

Advanced
When W32/Bagle-KG is installed the worm attempts to email an 
attachment of a zipped file containing the W32/Bagle-KF worm.

W32/Bagle-KG may create the file C:\WINDOWS\elist.xpt. This file can 
be deleted.

Registry entries may also be created under:

HKCU\Software\FirstRun648





Name   Troj/Bancos-API

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information

Prevalence (1-5) 2

Description
Troj/Bancos-API is a Trojan for the Windows platform.

Advanced
Troj/Bancos-API is registered as a COM object, creating registry 
entries under:

HKCR\CLSID\(1E6CE4CD-161B-4847-B8BF-E2EF72299D69)
HKCR\Interface\(4EFDDEB1-BF39-4F20-B90C-747B99B6EB84)
HKCR\TypeLib\(14A5F3E7-B235-4D98-9264-5C67D2657BC4)
HKCR\ib.CBrowserHelper\





Name   Troj/Dloadr-AHR

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Dloadr-AHR is a Trojan for the Windows platform.

Troj/Dloadr-AHR attempts to download further malicious code.

Advanced
The Trojan creates the following registry entry:

HKCU\Software\Microsoft\Windows





Name   W32/Sixem-A

Type  
    * Worm

How it spreads  
    * Email attachments
    * Web downloads

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security

Prevalence (1-5) 2

Description
W32/Sixem-A is an email worm for the Windows platform.

The worm harvests email addresses from files on the infected computer 
and sends itself as an email attachment. Email sent by the worm has 
the following characteristics:

Sender (randomly chosen from):

hotnews{at}cnn.com
kellyjast{at}hotmail.com
lindasal{at}gmail.com
mr.robs{at}yahoo.com
newsreader{at}hotmail.com
todaynews{at}cnn.com

Subject line (randomly chosen from):

Soccer fans killed five teens
Crazy soccer fans
Please reply me Tomas
My tricks for you
Naked World Cup game set
My sister whores, shit i dont know

Message text (randomly chosen from):

Soccer fans killed five teens, watch what they make on photos. Please 
report on this all who know.

Crazy soccer fans killed two teens, watch what they make on photos. 
Please report on this all who know.

Halo Markus, i sent my nude pics. Please reply me with you nude 
photos ;). Best regard You Sweet Kitty

I wait you photos from New York. I sent my pics where i naked for 
you. Please reply me. Linda Salivan

Nudists are organising their own tribute to the world cup, by staging 
their own nude soccer game, though it is not clear how the teams will 
tell each other apart. Good photos ;)

Emily Carr was an artist known for her prudery, but now the Portrait 
Gallery of Canada has acquired a nude self-portrait. View photos.

Attached file (randomly chosen from):

soccer_fans.jpg.exe
soccer_pics.jpg.exe
kelly_nude_imgs.jpg.exe
linda_bigtit.gif.exe
soccer_nudist.bmp.exe
emily_selfphoto.jpg.exe

Advanced
When run, the worm copies itself to the Windows system folder as 
"msctools.exe" and sets the following registry entries in order to 
run each time a user logs on:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Nsdevice
"\msctools.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Nsdevice
"\msctools.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Nsdevice
"\msctools.exe"

The worm downloads an additional component (also detected as 
W32/Sixem-A) to the Windows system folder as "vmonts.exe". The 
vmonts.exe file sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
"0"

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
dword:00000001

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL
dnk

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
dword:00000000

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msverify
"\vmonts.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msverify
"\vmonts.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
msverify
"\vmonts.exe"

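A check for the registry changes the description attributes to W32/Sixem-A (the Security Center and Windows Firewall policy values set by vmonts.exe, and the Nsdevice/msverify autorun entries), added here as an example; it is not code from the Sophos description or from this post. It reads a text registry export of the kind `reg export` writes, with the sample export constructed inline, and expands the HKLM/HKCU abbreviations used above to the full hive names such exports contain.

```python
"""Flag the W32/Sixem-A registry changes in a text registry export.

Handles the subset of .reg syntax that 'reg export' writes for the keys of
interest: [key] headers, "name"="string" and "name"=dword:hex lines.
Default values (@=...) and hex(...) binary data are ignored.
"""
from typing import Dict, List, Tuple

# Values the description says vmonts.exe sets.  The page abbreviates the
# hive as HKLM; exports spell it HKEY_LOCAL_MACHINE, so that is used here.
_TAMPER = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center",
     "FirewallOverride", "1"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center",
     "FirewallDisableNotify", "1"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile",
     "EnableFirewall", "0"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile",
     "EnableFirewall", "0"),
]
FIREWALL_TAMPER = {(k.lower(), n.lower()): d for k, n, d in _TAMPER}

# Autorun value names and the binaries they point at, per the description.
AUTORUN_NAMES = {"nsdevice": "msctools.exe", "msverify": "vmonts.exe"}
AUTORUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")

# Constructed sample export for this example, not a capture from a real host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nsdevice"="C:\\WINDOWS\\system32\\msctools.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msverify"="C:\\WINDOWS\\system32\\vmonts.exe"
"""

Hit = Tuple[str, str, str, str]  # (kind, key, value name, data)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key: {value name: data}} with dword data normalised to a
    decimal string ("dword:00000001" -> "1") and .reg backslash escapes undone."""
    tree: Dict[str, Dict[str, str]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
        elif key is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith("dword:"):
                data = str(int(data[len("dword:"):], 16))
            else:
                data = data.strip('"').replace("\\\\", "\\")
            tree[key][name] = data
    return tree


def find_sixem_indicators(tree: Dict[str, Dict[str, str]]) -> List[Hit]:
    """Match each value against the firewall-tamper and autorun indicators."""
    hits: List[Hit] = []
    for key, values in tree.items():
        lkey = key.lower()
        for name, data in values.items():
            lname = name.lower()
            if FIREWALL_TAMPER.get((lkey, lname)) == data:
                hits.append(("firewall_tamper", key, name, data))
            binary = AUTORUN_NAMES.get(lname)
            if (binary and lkey.endswith(AUTORUN_KEY_SUFFIXES)
                    and data.lower().endswith(binary)):
                hits.append(("autorun", key, name, data))
    return hits


def scan_export(text: str) -> List[Hit]:
    """Parse an export and return every indicator found in it."""
    return find_sixem_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for kind, key, name, data in scan_export(SAMPLE_EXPORT):
        print(f"{kind:16} {key}\\{name} = {data}")
```

The firewall values are matched only when set to the data the description gives, so a legitimately enabled firewall (EnableFirewall = 1) produces no hit.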




Name   W32/Rbot-EGJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.gen
    * W32/Sdbot.worm.gen.x

Prevalence (1-5) 2

Description
W32/Rbot-EGJ is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-EGJ spreads:

- to other network computers infected with: Troj/Kuang, Troj/Sub7, 
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), 
WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (ms04-011) 
(CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware 
(CAN-2003-1030) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-EGJ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
When first run W32/Rbot-EGJ copies itself to \zwdomsgemw.exe.

The following registry entries are created to run zwdomsgemw.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Recylinder Check
zwdomsgemw.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Recylinder Check
zwdomsgemw.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
Windows Recylinder Check
zwdomsgemw.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Mytob-IT

Type  
    * Worm

How it spreads  
    * Email messages

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Win32/Mytob.UB

Prevalence (1-5) 2

Description
W32/Mytob-IT is a mass-mailing worm with IRC backdoor Trojan 
functionality.

W32/Mytob-IT runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.
The worm may download further malicious code.

W32/Mytob-IT spreads by sending emails with the following 
characteristics:

From: abuse{at}

Subject line: "Account Alert" or a randomly generated string.

Message text:

Dear Valued Member,

According to our terms of services, you will have to confirm your 
e-mail by the following link, or your account will be suspended 
within 24 hours for security reasons.



After following the instructions in the sheet, your account will not 
be interrupted and will continue as normal.

Thank you for your attention to this request. We apologize for any 
inconvenience.

Sincerely,  Abuse Department

Advanced
The worm creates the following registry entries in an attempt to run 
itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Task Manager
scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Task Manager
scvhost.exe

The following registry entry is set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
4





Name   W32/Bagle-KL

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Bagle.al

Prevalence (1-5) 2

Description
W32/Bagle-KL is an email worm for the Windows platform.

W32/Bagle-KL harvests email addresses from the infected computer and 
sends itself in an email to one address as if from another address. 
The emails sent have the following characteristics:

The subject line is one of the following:

Ales
Alice
Alyce
Andrew
Androw
Androwe
Ann
Anna
Anne
Annes
Anthonie
Anthony
Anthonye
Avice
Avis
Bennet
Bennett
Christean
Christian
Constance
Cybil
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edward
Edwarde
Elizabeth
Elizabethe
Ellen
Ellyn
Emanual
Emanuel
Emanuell
Ester
Frances
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Harry
Harrye
Henrie
Henry
Henrye
Hughe
Humphrey
Humphrie
Isabel
Isabell
James
Jane
Jeames
Jeffrey
Jeffrye
Joane
Johen
John
Josias
Judeth
Judith
Judithe
Katherine
Katheryne
Leonard
Leonarde
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Mary
Marye
Michael
Mychaell
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholaus
Nycholas
Peter
Ralph
Rebecka
Richard
Richarde
Robert
Roberte
Roger
Rose
Rycharde
Samuell
Sara
Sidney
Sindony
Stephen
Susan
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede

The message body starts with one of the following, or a blank line:

To the beloved
I love you

The message body then continues with one of the following:

The password is 
Password -- 
Use password  to open archive.
Password is 
Zip password: 
archive password: 
Password - 
Password: 

The image file displays a 5 digit password.

Advanced
Emails sent by W32/Bagle-KL invite the user to open the Zip file 
using a password.

The main attachment is a file with a ZIP extension and a filename 
picked from one of the same list as the subject line, though it will 
not necessarily be the same name as in the subject line. This zip is 
encrypted with the password given in the image file, and when 
unzipped will be detected as W32/Bagle-KL.

W32/Bagle-KL copies itself to the file \hidn\hidn.exe and drops the 
file \hidn\m_hook.sys, also detected as W32/Bagle-KL, which it uses 
to stealth itself from certain processes.

The first time it is run, W32/Bagle-KL drops the clean file 
C:\error.gif and opens it. This is an image of the word "Error".

W32/Bagle-KL drops the file C:\temp.zip which contains an encrypted 
zip of itself.

W32/Bagle-KL attempts to download a file from a number of remote 
websites to \re_file.exe and then execute it.

W32/Bagle-KL attempts to terminate and disable a number of services 
related to security and anti-virus applications.

W32/Bagle-KL attempts to delete the following registry entry in order 
to disrupt booting into Safe Mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

W32/Bagle-KL creates the following registry entry the first time it 
is run:

HKCU\Software\FirstRuxzx
FirstRun
1





Name   W32/Bagle-KM

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer
    * Drops more malware
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Email-Worm.Win32.Bagle.fy

Prevalence (1-5) 2

Description
W32/Bagle-KM is an email worm for the Windows platform.

W32/Bagle-KM harvests email addresses from the infected computer and 
sends itself in an email to one address as if from another address. 
The emails sent have the following characteristics:

The subject line is one of the following:

Ales
Alice
Alyce
Andrew
Androw
Androwe
Ann
Anna
Anne
Annes
Anthonie
Anthony
Anthonye
Avice
Avis
Bennet
Bennett
Christean
Christian
Constance
Cybil
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edward
Edwarde
Elizabeth
Elizabethe
Ellen
Ellyn
Emanual
Emanuel
Emanuell
Ester
Frances
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Harry
Harrye
Henrie
Henry
Henrye
Hughe
Humphrey
Humphrie
Isabel
Isabell
James
Jane
Jeames
Jeffrey
Jeffrye
Joane
Johen
John
Josias
Judeth
Judith
Judithe
Katherine
Katheryne
Leonard
Leonarde
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Mary
Marye
Michael
Mychaell
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholaus
Nycholas
Peter
Ralph
Rebecka
Richard
Richarde
Robert
Roberte
Roger
Rose
Rycharde
Samuell
Sara
Sidney
Sindony
Stephen
Susan
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede

The message text starts with one of the following, or a blank line:

To the beloved
I love you

The message text then continues with one of the following:

The password is 
Password -- 
Use password  to open archive.
Password is 
Zip password: 
archive password: 
Password - 
Password: 

The image file displays a 5 digit password.

The main attachment is a file with a ZIP extension and a filename 
picked from the same list as the subject line, though it will not 
necessarily be the same name as in the subject line. This zip is 
encrypted with the password given in the image file, and when 
unzipped will be detected as W32/Bagle-KM.

Advanced
W32/Bagle-KM copies itself to the file \hidn\hidn.exe and drops the 
file \hidn\m_hook.sys, detected as W32/Bagle-KL, which it uses to 
stealth itself from certain processes.

The first time it is run, W32/Bagle-KM drops the clean file 
C:\error.gif and opens it. This is an image of the word "Error".

W32/Bagle-KM drops the file C:\temp.zip which contains an encrypted 
zip of itself.

W32/Bagle-KM attempts to download a file from a number of remote 
websites to \re_file.exe and then execute it.

W32/Bagle-KM attempts to terminate and disable a number of services 
related to security and anti-virus applications.

W32/Bagle-KM attempts to delete the following registry entry in order 
to disrupt booting into Safe Mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot





Name   W32/Rbot-EHK

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.bbt
    * W32/Gaobot.worm.gen.t
    * WORM_AGOBOT.AQN

Prevalence (1-5) 2

Description
W32/Rbot-EHK is a worm with backdoor functionality for the Windows 
platform.

W32/Rbot-EHK attempts to steal confidential information and send it 
to a remote location via HTTP or email.

The information that W32/Rbot-EHK attempts to gather includes:

- keypresses (with the aid of a dropped keylogger DLL)
- computer details
- drive and volume information
- hostname and IP address
- information (including passwords and usernames) relating to 
selected applications installed on the computer, including: Miranda 
ICQ, mirabilis ICQ, The Bat!, Trillian, Windows Commander and Total 
Commander
- passwords and confidential information stored by the system in 
'Protected Storage'
- POP3 and IMAP server information, usernames and passwords
- FTP usernames and passwords
- RAS dial-up settings

W32/Rbot-EHK provides a backdoor server on a pre-configured port (the 
default is 2050). A remote intruder will be able to connect to this 
port and receive command shell access.

Advanced
W32/Rbot-EHK can arrive as a result of web browsing. Certain web 
pages may exploit vulnerabilities associated with Microsoft Internet 
Explorer to silently download and install/run the worm without user 
interaction.

W32/Rbot-EHK runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-EHK includes functionality to steal confidential information.

When first run W32/Rbot-EHK copies itself to \gamo.exe.

The following registry entries are created to run gamo.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows ASN4 Services
gamo.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows ASN4 Services
gamo.exe

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/ConHook-K

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.ConHook.aa

Prevalence (1-5) 2

Description
Troj/ConHook-K is a Trojan for the Windows platform.

Advanced
The following registry entries are created to run code exported by 
the Trojan on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\atlS32

The Trojan is registered as a COM and Browser Help Object, creating 
the following registry entries to run itself on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

RunDll32.exe ",Setup"

HKCR\CLSID\(4b1d0751-cb48-4265-a975-878be45145c6)\InprocServer32
(default)






Name   W32/Akbot-AA

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Agent.vc
    * BKDR_AGENT.RO

Prevalence (1-5) 2

Description
W32/Akbot-AA is a worm and IRC backdoor for the Windows platform.

The worm attempts to spread by copying itself to remote network 
shares or by exploiting common buffer overflow vulnerabilities, 
including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx).

W32/Akbot-AA connects to an IRC channel and listens for backdoor 
commands from a remote attacker. Backdoor functionality of the worm 
includes the ability to download further code and to carry out 
denial-of-service attacks.

Advanced
When first run W32/Akbot-AA copies itself to \fstsvc.dll.

The following registry entry is created to run code exported by 
fstsvc.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
fstsvc
rundll32.exe \fstsvc.dll,start





Name   W32/Mytob-II

Type  
    * Worm

How it spreads  
    * Email messages

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Forges the sender's email address
    * Uses its own emailing engine

Aliases  
    * Net-Worm.Win32.Mytob.eo
    * Win32/Mytob.TY
    * W32.Mytob.QA{at}mm

Prevalence (1-5) 2

Description
W32/Mytob-II is a mass-mailing worm and IRC backdoor Trojan for the 
Windows platform.

Messages sent by the worm will have the following characteristics.

Subject title chosen from:

Account alert


Message text:

'Dear Valued Member,

According to our terms of services, you will have to confirm your 
e-mail by the following link, or your account will be suspended 
within 24 hours for security reasons.



After following the instructions in the sheet, your account will not 
be interrupted and will continue as normal.

Thanks for your attention to this request. We apologize for any 
inconvenience.

Sincerely  Department'

Advanced
W32/Mytob-II runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

The following registry entries are created to run scvhost.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Task Manager
\scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Task Manager
\scvhost.exe






Name   W32/Mytob-IF

Type  
    * Worm

How it spreads  
    * Email messages

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Mytob-IF is a worm and IRC backdoor Trojan for the Windows 
platform.

The worm connects to an IRC channel and listens for commands from a 
remote attacker. The worm may download further malicious code.

W32/Mytob-IF spreads by sending emails with the following 
characteristics:

From: abuse{at}

Subject line: "Account Alert" or a randomly generated string.

Message text:

Dear Valued Member,

According to our terms of services, you will have to confirm your 
e-mail by the following link, or your account will be suspended 
within 24 hours for security reasons.



After following the instructions in the sheet, your account will not 
be interrupted and will continue as normal.

Thanks for your attention to this request. We apologize for any 
inconvenience.

Sincerely,  Abuse Department

Advanced
When first run W32/Mytob-IF will copy itself to the Windows system 
folder as lspool.exe and to the  folder as temp.exe

The worm creates the following registry entries in an attempt to run 
itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Local Spooler
lspool.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Local Spooler
lspool.exe





Name   W32/Bagle-KN

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Forges the sender's email address
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Bagle-KN is a mass-mailing worm and downloader Trojan for the 
Windows platform.

Emails sent by the worm have the following characteristics:

The sender's email address is spoofed.

Message text chosen from:

To the beloved
I love you

And appended with any of the following strings:

archive password: 
The password is 
Password -- 
Use password  to open archive.
Password is 
Zip password: 
archive password: 
Password - 
Password: 

The email comes with 2 file attachments:
.GIF
.ZIP

The file .GIF contains a GIF image which contains 
the password to unzip the ZIP file.

The file .ZIP when unzipped contains 2 files:
\.dll - this file may be safely 
deleted
.exe - detected as W32/Bagle-KN

Advanced
W32/Bagle-KN is a mass-mailing worm and downloader Trojan for the 
Windows platform.

When run W32/Bagle-KN creates the file \Application 
Data\hidn\m_hook.sys. This file is also detected as W32/Bagle-KN and 
includes functionality to terminate anti-virus and system-related 
processes and to hide processes.

The file m_hook.sys is registered as a new system driver service 
named "m_hook", with a display name of "Empty" and a startup type of 
automatic, so that it is started automatically during system startup. 
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\

The following registry entry is also set:

HKCU\Software\FirstRuxzx
FirstRun
1

W32/Bagle-KN also creates the file C:\error.gif. This is a GIF file 
which is also subsequently run and can be safely deleted.

Emails sent by the worm have the following characteristics:

The sender's email address is spoofed.

Message text chosen from:

To the beloved
I love you

And appended with any of the following strings:

archive password: 
The password is 
Password -- 
Use password  to open archive.
Password is 
Zip password: 
archive password: 
Password - 
Password: 

The email comes with 2 file attachments:
.GIF
.ZIP

The file .GIF contains a GIF image which contains 
the password to unzip the ZIP file.

The file .ZIP when unzipped contains 2 files:
\.dll - this file may be safely 
deleted
.exe - detected as W32/Bagle-KN

W32/Bagle-KN may also copy itself to \Application 
Data\hidn\hidn1.exe and sets the following registry entry to run 
hidn1.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
drv_st_key






Name   Troj/Zlob-OX

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Zlob.uo
    * Puper

Prevalence (1-5) 2

Description
Troj/Zlob-OX is a Trojan for the Windows platform.

Advanced
Troj/Zlob-OX is a Trojan for the Windows platform.

When Troj/Zlob-OX is installed the following file is created:
\stdole3.tlb
(This file is not malicious and can be deleted.)

The following registry entry is created to run Troj/Zlob-OX on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
kernel32.dll






Name   W32/Rbot-EMH

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * clickspringinsta_HmWhs26R.html

Prevalence (1-5) 2

Description
W32/Rbot-EMH is a worm and IRC backdoor for the Windows platform.

W32/Rbot-EMH spreads:

to other network computers infected with: Troj/Kuang, Troj/Sub7, 
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812), WebDav 
(http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx), 
IIS5SSL 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) 
(CAN-2003-0719), UPNP 
(http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx), 
Veritas (CAN-2004-1172), Dameware (CAN-2003-1030) and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
by copying itself to network shares protected by weak passwords

W32/Rbot-EMH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-EMH is a worm and IRC backdoor for the Windows platform.

W32/Rbot-EMH spreads:

to other network computers infected with: Troj/Kuang, Troj/Sub7, 
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812), WebDav 
(http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx), 
IIS5SSL 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) 
(CAN-2003-0719), UPNP 
(http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx), 
Veritas (CAN-2004-1172), Dameware (CAN-2003-1030) and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
by copying itself to network shares protected by weak passwords

W32/Rbot-EMH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-EMH copies itself to a randomly named file in 
the Windows system folder.

The following registry entries are created to run the copy on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Recycler


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Recycler


Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
Windows Recycler


HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/Dloadr-YD

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Dloadr-YD is a Trojan for the Windows platform.

Advanced
Troj/Dloadr-YD is a Trojan for the Windows platform.

When first run Troj/Dloadr-YD copies itself to:

\Local Settings\Application Data\
\

The following registry entries are created to run Troj/Dloadr-YD on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

\Local Settings\Application Data\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\





Name   W32/Sdbot-BZD

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks
    * Downloads updates
    * Monitors system activity
    * Scans network for weak passwords

Aliases  
    * Backdoor.Win32.SdBot.iz

Prevalence (1-5) 2

Description
W32/Sdbot-BZD is a worm for the Windows platform.

The worm spreads to network shares protected by weak passwords.

The worm contains a backdoor component that connects to an IRC server 
and awaits commands from remote attackers.

Advanced
W32/Sdbot-BZD is a worm for the Windows platform.

The worm spreads to network shares protected by weak passwords.

When run, the worm copies itself to the Windows system folder as 
iop.exe and sets the following registry entries in order to run each 
time a user logs on:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ioco
"\iop.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ioco
"\iop.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
ioco
"\iop.exe"

W32/Sdbot-BZD modifies the HOSTS file (typically located in 
\drivers\etc) redirecting requests for security related websites to 
alternate locations.

The worm contains a backdoor component that connects to an IRC server 
and awaits commands from remote attackers.

W32/Sdbot-BZD modifies the Windows firewall settings by creating the 
following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ 
FirewallPolicy\StandardProfile\AuthorizedApplications
List
"%windir%\system32\iop.exe:*:Enabled:{at}xpsp2res.dll,-22019"





Name   W32/Tilebot-FO

Type  
    * Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.SdBot.aoz

Prevalence (1-5) 2

Description
W32/Tilebot-FO is a worm with backdoor functionality for the Windows 
platform.

W32/Tilebot-FO spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: WKS (MS03-049) 
(CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). The worm may 
also spread via network shares and MSSQL servers protected by weak 
passwords.

W32/Tilebot-FO runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-FO includes functionality to:

- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messenger by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks

Advanced
W32/Tilebot-FO is a worm with backdoor functionality for the Windows 
platform.

W32/Tilebot-FO spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: WKS (MS03-049) 
(CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). The worm may 
also spread via network shares and MSSQL servers protected by weak 
passwords.

W32/Tilebot-FO runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-FO includes functionality to:

- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messenger by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks

When first run W32/Tilebot-FO copies itself to the Windows system 
folder as netdrvr.exe.

The file netdrvr.exe is registered as a new system driver service 
named "NTDRV", with a display name of "Network DRV" and a startup type 
of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\NTDRV\

W32/Tilebot-FO sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

Additional registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Tilebot-FP

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.aad

Prevalence (1-5) 2

Description
W32/Tilebot-FP is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-FP spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx) 
(CAN-2003-0812), PNP 
(http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx) 
and by copying itself to network shares protected by weak passwords.

W32/Tilebot-FP runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-FP includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Tilebot-FP is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-FP spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx) 
(CAN-2003-0812), PNP 
(http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx) 
and by copying itself to network shares protected by weak passwords.

W32/Tilebot-FP runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-FP includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Tilebot-FP copies itself to 
\atigraphics.exe and creates the file \remon.sys.

The file remon.sys is detected as Troj/RKFu-A.

The file atigraphics.exe is registered as a new system driver service 
named "ATIintergrated", with a display name of "ATIintergrated" and a 
startup type of automatic, so that it is started automatically during 
system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\ATIintergrated\

The file remon.sys is registered as a new system driver service named 
"remon", with a display name of "remon". Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\remon\

The following registry entries are set, disabling the registry editor 
(regedit) and the Windows task manager (taskmgr):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

W32/Tilebot-FP sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   Troj/Ranck-EN

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer

Aliases  
    * Proxy-Piky

Prevalence (1-5) 2

Description
Troj/Ranck-EN is an HTTP proxy server Trojan.

Troj/Ranck-EN runs continuously in the background listening on a 
randomly generated port and allows HTTP traffic to be relayed through 
the computer.

The Troj/Ranck-EN proxy server may be used to forward spam.

When Troj/Ranck-EN becomes active it sends a notification message to 
a remote location, specifying the IP address of the current computer 
and the randomly generated port number which will typically be within 
the range 10000 - 50000.

Troj/Ranck-EN includes functionality to provide a proxy server.

Advanced
Troj/Ranck-EN is an HTTP proxy server Trojan.

Troj/Ranck-EN runs continuously in the background listening on a 
randomly generated port and allows HTTP traffic to be relayed through 
the computer.

The Troj/Ranck-EN proxy server may be used to forward spam.

When Troj/Ranck-EN becomes active it sends a notification message to 
a remote location, specifying the IP address of the current computer 
and the randomly generated port number which will typically be within 
the range 10000 - 50000.

Troj/Ranck-EN includes functionality to provide a proxy server.

When first run Troj/Ranck-EN copies itself to 
\etc\services.exe.

Registry entries are set as follows:

HKLM\SOFTWARE\Tmp
Path


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
4

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
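The descriptions above repeatedly name two kinds of registry indicator: autorun value names under Run/RunServices (Local Spooler, drv_st_key, Windows Recycler, ioco, the kernel32.dll entry under policies\explorer\run) and hardening regressions the bots set (Security Center overrides, EnableFirewall=0, services such as wscsvc and RemoteRegistry set to Start=4, DoNotAllowXPSP2, SFCDisable, EnableDCOM=N). The script below is an added example, not part of the Sophos descriptions or of the post; it checks a registry export (.reg, as produced by `reg export`) for exactly those entries, so the comparison can be done offline on an export pulled from a suspect host. The indicator lists are transcribed from the descriptions; the sample export embedded in the script is constructed for the demo.

```python
"""Check a Windows registry export (.reg) for the autorun value names and
security-weakening settings listed in the Sophos descriptions above.

Added example, not Sophos or Fidonet material. Indicator keys and value
names are transcribed from the descriptions; SAMPLE_REG is constructed.
A real export comes from, e.g.:  reg export HKLM hklm.reg
"""
import re
import sys

# Sophos abbreviates hive names; .reg exports spell them out.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT"}

RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNSVC = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# (key, value name, family): autorun value names given in the descriptions.
AUTORUN_NAMES = [
    (RUN, "Local Spooler", "W32/Mytob-IF"), (RUNSVC, "Local Spooler", "W32/Mytob-IF"),
    (HKCU_RUN, "drv_st_key", "W32/Bagle-KN"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run",
     "kernel32.dll", "Troj/Zlob-OX"),
    (RUN, "Windows Recycler", "W32/Rbot-EMH"), (RUNSVC, "Windows Recycler", "W32/Rbot-EMH"),
    (HKCU_RUN, "ioco", "W32/Sdbot-BZD"), (RUN, "ioco", "W32/Sdbot-BZD"),
    (RUNSVC, "ioco", "W32/Sdbot-BZD"),
]

# (key, value name, data): settings the bots set to weaken the host.
WEAKENING = [
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", "1"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallOverride", "1"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall", "0"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2", "1"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc", "Start", "4"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry", "Start", "4"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "SFCDisable", "4"),
    (r"HKLM\SOFTWARE\Microsoft\Ole", "EnableDCOM", "N"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "1"),
]

# Constructed export: one benign Run entry, one Sdbot-style entry, wscsvc
# disabled, the AV override set, and the standard-profile firewall turned off.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"ioco"="\"C:\\WINDOWS\\system32\\iop.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
'''


def _norm_key(key):
    """Expand HKLM/HKCU/HKCR and lower-case, so Sophos-style and export-style paths compare equal."""
    head, sep, rest = key.partition("\\")
    return (HIVES.get(head.upper(), head) + sep + rest).lower()


def _decode(data):
    """Reduce .reg value syntax to a plain string: "x" -> x, dword:00000004 -> 4."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])  # unescape \\ and \"
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))
    return data  # hex(...) blobs are left as written


def parse_reg(text):
    """Parse a .reg export into {normalised key: {value name (lower): data}}.
    Multi-line hex continuations are skipped; the indicators here are strings/dwords."""
    entries, key = {}, None
    line_re = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = _norm_key(line[1:-1].lstrip("-"))  # "[-KEY]" marks a deletion
            entries.setdefault(key, {})
            continue
        m = line_re.match(line)
        if key is not None and m:
            name = "" if m.group(2) else m.group(1)  # "@" is the default value
            entries[key][name.lower()] = _decode(m.group(3))
    return entries


def scan(entries):
    """Return (kind, label, key\\value, data) for every indicator present in the export."""
    hits = []
    for key, name, family in AUTORUN_NAMES:
        data = entries.get(_norm_key(key), {}).get(name.lower())
        if data is not None:
            hits.append(("autorun", family, key + "\\" + name, data))
    for key, name, bad in WEAKENING:
        data = entries.get(_norm_key(key), {}).get(name.lower())
        if data is not None and data.upper() == bad.upper():
            hits.append(("weakening", "hardening regression", key + "\\" + name, data))
    return hits


def load_reg(path):
    """reg export writes UTF-16LE with a BOM; hand-edited .reg files are often ANSI."""
    blob = open(path, "rb").read()
    return blob.decode("utf-16") if blob.startswith(b"\xff\xfe") else blob.decode("latin-1")


if __name__ == "__main__":
    text = load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for kind, label, where, data in scan(parse_reg(text)):
        print(f"[{kind}] {label}: {where} = {data}")
```

Run it with no arguments to scan the embedded sample, or pass the path of an export. Autorun hits are matched on the value name alone, because that is what the descriptions give; a match is a lead to confirm against the file it points at, not a verdict. The hardening checks compare data as well as name, since a Start of 4 or an EnableFirewall of 0 is the symptom regardless of which bot set it.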
