[cut-n-paste from sophos.com]
Name Troj/Maran-AE
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Drops more malware
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Maran-AE is a Trojan for the Windows platform.
Advanced
Troj/Maran-AE is a Trojan for the Windows platform.
When Troj/Maran-AE is installed the following files are created:
\svchost.exe
\tj7viewer.dll
The files svchost.exe and tj7viewer.dll are detected as Troj/Maran-AC.
The file \svchost.exe is registered as a new system driver
service named "ADIDown", with a display name of "Power
Adapter" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\ADIDown
Name Troj/Goldun-FQ
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Goldun-FQ is a Trojan for the Windows platform.
Advanced
Troj/Goldun-FQ is a Trojan for the Windows platform.
When run the Trojan creates the file \ipv6mons.dll. This file
is detected as Troj/Goldun-FQ.
The file ipv6mons.dll is registered as a COM object, creating
registry entries under:
HKCR\CLSID\{73364D99-1240-4dff-B12A-67E448373148}
Name Troj/SITDlr-A
Type
* Trojan
How it spreads
* Web browsing
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/SITDlr-A is a downloader script which attemtps to exploit the
mk:{at}MSITStore vulnerability associated with certain versions of
Microsoft Internet Explorer to download a remote executable.
Troj/SITDlr-A arrives on the computer by browsing web pages
containing the Troj/SITDlr-A script.
Name W32/Rbot-GMJ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
Aliases
* WORM_RBOT.DKM
* W32/Backdoor.RHJ
Prevalence (1-5) 2
Description
W32/Rbot-GMJ is a worm for the Windows platform which allows
unauthorized remote access to the computer via IRC channels.
Advanced
W32/Rbot-GMJ is a worm for the Windows platform which allows
unauthorized remote access to the computer via IRC channels.
W32/Rbot-GMJ spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), MSSQL (MS02-039)
(CAN-2002-0649) and Realcast.
When first run W32/Rbot-GMJ copies itself to \winlogom.exe
and creates the file \a.bat.
The file a.bat is detected as Troj/Batten-A.
Name W32/Resik-C
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Resik-C is a worm for the Windows platform.
Advanced
W32/Resik-C is a worm for the Windows platform.
When installed, the worm may copy itself to \inetsrv.exe.
W32/Resik-C attempts to periodically copy itself to removeable
drives, including floppy drives and USB keys. The worm will attempt
to create a hidden file Autorun.inf on the removeable drive and copy
itself to the same location as the filename \DriveInfo.exe.
The file Autorun.inf is designed to start the worm once the
removeable drive is connected to a uninfected computer.
W32/Resik-C sets the following registry entry.
HKLM\SOFTWARE\Microsoft\CurrentVersion\Run
inetsrv
\inetsrv.exe
Name W32/Gampass-P
Type
* Spyware Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Gampass-P is a worm for the Windows platform.
Advanced
W32/Gampass-P is a worm for the Windows platform.
W32/Gampass-P attempts to steal login credentials for various online
games.
W32/Gampass-P may attempt to set runkeys under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
W32/Gampass-P attempts to periodically copy itself to removeable
drives, including floppy drives and USB keys. The worm will attempt
to create a hidden file Autorun.inf on the removeable drive and copy
itself to the same location as the filename Explorer.exe. The file
Autorun.inf is designed to start the worm once the removeable drive
is connected to a uninfected computer.
Name Troj/WowPWS-KA
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/WowPWS-KA is an information stealing Trojan for the Windows
platform.
Advanced
Troj/WowPWS-KA is an information stealing Trojan for the Windows
platform.
When run Troj/WowPWS-KA copies itself to \gewow.exe and
creates the file \.dll. The file
\.dll is also detected as Troj/WowPWS-KA.
The following registry entry is created to run gewow.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wow
\gewow.exe
Troj/WowPWS-KA includes functionality to:
- download code from the internet
- steal information relating to the game World of Warcraft
Name Troj/Bckdr-QHR
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Bckdr-QHR is a Trojan for the Windows platform.
Advanced
Troj/Bckdr-QHR is a backdoor Trojan for the Windows platform.
Troj/Bckdr-QHR includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Bckdr-QHR copies itself to:
\svhst32.exe
\updates.exe
\wandrv.exe
The following registry entries are created to run svhst32.exe and
wandrv.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
\wandrv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Server Process
\svhst32.exe -a
Name W32/Liji-A
Type
* Virus
How it spreads
* Removable storage devices
* Network shares
* Infected files
* Web downloads
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Liji-A is a virus for the Windows platform.
Advanced
W32/Liji-A is a virus for the Windows platform.
When run W32/Liji-A creates the file \.bmw.
This file is also detected as W32/Liji-A.
Once installed W32/Liji-A attempts to infect file executables. The
infected files will then attempt to download files from a remote
website and run it. The infected files are also detected as W32/Liji-A.
W32/Liji-A also attempts to spread by copying itself via:
- network shares protected by weak passwords, as the filename
krdown.exe
- removeable shared drives, as the filename \autorunx.exe. It
does this by creating the file \autorun.inf that contains
instructions to run the virus when the removeable drive is connected
to an uninfected computer.
W32/Liji-A also copies itself to \spool\svchost.exe and
creates the following registry entry to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wlinles
\spool\svchost.exe
Name W32/Rbot-GMM
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rizo.b
Prevalence (1-5) 2
Description
W32/Rbot-GMM is a worm for the Windows Platform.
Advanced
W32/Rbot-GMM is a worm for the Windows Platform.
W32/Rbot-GMM can spread to other computers by using exploits.
W32/Rbot-GMM runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-GMM copies itself to \alg32.exe.
The following registry entries are created to run alg32.exe on startup.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Office Monitor
\alg32.exe
W32/Rbot-GMM also alters the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKCU\Software\Microsoft\OLE
Windows APCI Verifier
Name W32/Delbot-AN
Type
* Trojan
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Delbot-AN is a worm for the Windows platform which also allows a
remote intruder to gain access and control over the computer.
Advanced
W32/Delbot-AN is a worm for the Windows platform which also allows a
remote intruder to gain access and control over the computer.
W32/Delbot-AN spreads
- to computers vulnerable to common exploits, including: Symantec
(SYM06-010)
- to MSSQL servers protected by weak passwords
When first run W32/Delbot-AN copies itself to \zmon.exe.
The following registry entry is created to run zmon.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Z
\zmon.exe
Name Troj/Raser-AT
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
Aliases
* SpamTool.Win32.Agent.u
* Win32/Spabot.NAC
Prevalence (1-5) 2
Description
Troj/Raser-AT is an email spamming Trojan for the Windows platform.
Advanced
Troj/Raser-AT is an email spamming Trojan for the Windows platform.
Troj/Raser-AT includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Raser-AT also attempts to send commands to circumvent the
Windows Firewall to allow the Trojan to spam.
Name Troj/Torpig-BT
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.Sinowal.co
* Win32/PSW.Sinowal.NAL
Prevalence (1-5) 2
Description
Troj/Torpig-BT is a Trojan for the Windows platform.
Advanced
Troj/Torpig-BT is a Trojan for the Windows platform.
When first run Troj/Torpig-BT may create some or all of the following
files in:
\Common Files\Microsoft Shared\Web Folders
or
\..\temp
ibm00000.exe
ibm00001.dll
ibm00001.exe
ibm00002.dll
tmp.tmp
Registry entries may be set at the following locations to run
ibm00001.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
An entry may be added to the file SYSTEM.INI in the "boot" section to
attempt to run ibm00001.exe on startup.
The Trojan attempts to steal passwords, log keystrokes, and capture
open window titles to text files and periodically send the collected
information to a remote user via HTTP.
The Trojan downloads and executes additional files from a remote
site. Configuration files may also be downloaded which define further
actions.
Troj/Torpig-BT automatically closes security warning messages
displayed by common anti-virus and security-related applications.
Name W32/Brontok-DD
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Forges the sender's email address
* Uses its own emailing engine
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Trojan.Win32.Patched.b
* W32/Bobax.be
* PE_BOBAX.AT
Prevalence (1-5) 2
Description
W32/Brontok-DD is an email worm for the Windows platform.
Advanced
W32/Brontok-DD is an email worm for the Windows platform.
When first run W32/Brontok-DD copies itself to:
\Local Settings\Application Data\csrss.exe
\Local Settings\Application Data\inetinfo.exe
\Local Settings\Application Data\lsass.exe
\Local Settings\Application Data\services.exe
\Local Settings\Application Data\smss.exe
\ShellNew\sempalong.exe
\eksplorasi.exe
C:\!Submit\winword.exe
C:\!Submit\xpshare.exe
C:\Windows\Systray.exe
\Administrator\Templates\Brengkolang.com
\Origrams\Startup\Empty.pif
\Administrator's Setting.scr
and creates the file \~dfb25a.tmp. This file can be safely
removed.
The following registry entries are created to run W32/Brontok-DD on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Tok-Cirrhatus
\Local Settings\Application Data\smss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus
\ShellNew\sempalong.exe
The following registry entry is changed to run eksplorasi.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "\eksplorasi.exe"
The following registry entry is set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
W32/Brontok-DD includes functionality to:
- modify the HOSTS file
- insert a scheduled job into the Scheduled Tasks to run the file
\Administrator\Templates\Brengkolang.com
every 6 hours
Name Troj/PWS-AML
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/PWS-AML is a password stealing Trojan for the Windows platform.
Troj/PWS-AML includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/PWS-AML is a Trojan for the Windows platform.
When Troj/PWS-AML is installed the following file is created:
\new_drv.sys
The file new_drv.sys is registered as a new system driver service
named "new_drv", with a display name of "!!!!" and a
startup type of
automatic, so that it is started automatically during system startup.
Registry entries are created under
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEW_DRV\
HKLM\SYSTEM\CurrentControlSet\Services\new_drv\
Registry entries are created under:
HKCU\Software\Microsoft\InetData\k1
HKCU\Software\Microsoft\InetData\k2
Name Troj/Psyme-EH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Psyme-EH is a downloader Trojan for the Windows platform.
Advanced
Troj/Psyme-EH is a downloader Trojan for the Windows platform.
Name Troj/WLHack-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
Aliases
* Tool-WPAKill
Prevalence (1-5) 2
Description
Troj/WLHack-B is a Trojan for the Windows platform.
Advanced
Troj/WLHack-B is a Trojan for the Windows platform.
Troj/WLHack-B facilitates the patching of OS file winlogon.exe in an
attempt to circumvent the activation requirements.
Name W32/DeadCat-A
Type
* Worm
How it spreads
* Email messages
* Network shares
* Web downloads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Installs itself in the Registry
Aliases
* Net-Worm.Win32.Agent.e
Prevalence (1-5) 2
Description
W32/DeadCat-A is a worm for the Windows platform.
W32/DeadCat-A spreads to other network computers.
W32/DeadCat-A runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
Advanced
W32/DeadCat-A is a worm for the Windows platform.
W32/DeadCat-A spreads to other network computers.
W32/DeadCat-A runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
When first run W32/DeadCat-A copies itself to \DeadKitty.exe.
W32/DeadCat-A may create archives of itself under one or more of the
following filenames:
- Necronomikon.zip
- genetix.zip
- WarGame.zip
- DeadKitty.zip
- free0n.zip
whose contents unarchive to either ViewMe.exe or OpenMe.exe in .
Additionally W32/DeadCat-A may create archives of itself under one or
more of the following filenames:
- Freedom_for_Tibet.zip
- Fuck_Nazi.zip
- Fuck_Fascist.zip
- Fuck_Communist.zip
- Romano_Prodi_is_idiot.zip
whose contents unarchive to either ViewMe.exe or OpenMe.exe in
directories which have names containing the following strings:
*ownload
*omplete
*hare
*coming
W32/DeadCat-A may install one or more of the following files:
- DeadKittySpammer.vbs - also detected as W32/DeadCat-A
- Credit.html - clean html file, may simply be deleted
The following registry entry is created to run W32/DeadCat-A on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DeadKitty
\DeadKitty.exe
Name W32/Hala-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Hala-A is an executable file virus for the Windows platform.
W32/Hala-A infects executable files found on the infected computer.
W32/Hala-A contains functionality to download further executable code.
Advanced
W32/Hala-A is an executable file virus for the Windows platform.
W32/Hala-A infects executable files found on the infected computer.
W32/Hala-A contains functionality to download further executable code.
When first run the virus drops the following files:
\d3d8xof.dll
\d9dx.dll
W32/Hala-A may modify registry entries in the following location:
HKLM\SOFTWARE\Google\
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
SEEN-BY: 633/267
@PATH: 123/140 500 379/1 633/267
|