echo: virus_info
to: ALL
from: KURT WISMER
date: 2006-07-23 17:53:00
subject: News, July 23 2006

[cut-n-paste from sophos.com]

Name   Troj/Agent-CIG

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Spy-Agent.at
    * Trojan.Win32.Agent.vp
    * Win32/Agent.NBR

Prevalence (1-5) 2

Description
Troj/Agent-CIG is a Trojan for the Windows platform.

Troj/Agent-CIG will attempt to communicate with several different web
addresses.

Advanced
Troj/Agent-CIG is a Trojan for the Windows platform.

When executed Troj/Agent-CIG will create a copy of itself with a
random name in the  folder and will create registry entries under

HKCR\CLSID\(2ee25147-37d4-4640-832c-fccfac8b21d9) and
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Troj/Agent-CIG will attempt to communicate with several different web
addresses.





Name   Troj/Banker-CZP

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Banker.anv
    * PWS-Banker.gen.aa

Prevalence (1-5) 2

Description
Troj/Banker-CZP is a Trojan for the Windows platform.

Troj/Banker-CZP includes functionality to send notification messages 
to remote locations.

Advanced
Troj/Banker-CZP is a Trojan for the Windows platform.

Troj/Banker-CZP includes functionality to send notification messages 
to remote locations.

When first run Troj/Banker-CZP copies itself to:

\msnmsgr.exe
\Config\msnmsgr.exe

The following registry entry is created to run msnmsgr.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msnmsgr
\Config\msnmsgr.exe





Name   W32/Feebs-AX

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Feebs.hc
    * W32/Feebs.DW
    * JS/TrojanDropper.Tivso.gen

Prevalence (1-5) 2

Description
W32/Feebs-AX is a worm for the Windows platform.

W32/Feebs-AX spreads by sending itself to email addresses harvested
from the infected computer and via file sharing on P2P networks.

Emails sent by the worm have the following text:

You have received 

To read the message open the attached file.

User ID: 
Password: 

Keep your password in a safe place.

Advanced
W32/Feebs-AX is a worm for the Windows platform.

W32/Feebs-AX spreads by sending itself to email addresses harvested
from the infected computer and via file sharing on P2P networks.

Emails sent by the worm have the following text:

You have received 

To read the message open the attached file.

User ID: 
Password: 

Keep your password in a safe place.

When first run W32/Feebs-AX drops the file C:\Recycled\userinit.exe,
detected as W32/Feebs-Gen. This file also copies itself to \ms??.exe
and drops the file \ms??32.dll, detected as W32/Feebs-AT, where ?? are
randomly chosen characters.

This dropped file also copies itself to P2P folders with the 
following filenames:

3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip

The following registry entry is created to run code exported by the 
worm library on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
ms??32.dll


The file ms??32.dll is registered as a COM object, creating registry 
entries under:

HKCR\CLSID\





Name   Troj/Dloadr-AIZ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.VB.me

Prevalence (1-5) 2

Description
Troj/Dloadr-AIZ is a downloader Trojan for the Windows platform.

When executed, the Trojan may attempt to download a file from a 
remote address to C:\messenger.exe and execute it.

The downloaded file was unavailable at the time of writing.





Name   Troj/Xorpix-H

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Dropped by malware

Aliases  
    * Trojan-Proxy.Win32.Xorpix.ab

Prevalence (1-5) 2

Description
Troj/Xorpix-H is a Trojan for the Windows platform.

Troj/Xorpix-H is dropped by Troj/Dropper-KT.





Name   W32/Tilebot-GC

Type  
    * Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.aad
    * W32.Spybot.Worm

Prevalence (1-5) 2

Description
W32/Tilebot-GC is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-GC spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812), PNP 
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx) 
and by copying itself to network shares protected by weak passwords.

W32/Tilebot-GC runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Tilebot-GC is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-GC spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812), PNP 
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx) 
and by copying itself to network shares protected by weak passwords.

W32/Tilebot-GC runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Tilebot-GC copies itself to \wincrypt32.exe.

The file wincrypt32.exe is registered as a new system driver service 
named "wincrypt32.exe", with a display name of "Windows Decrypt 
manager" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\wincrypt32.exe\

W32/Tilebot-GC sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   Troj/Servu-DD

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Leaves non-infected files on computer

Aliases  
    * Backdoor.Win32.ServU-based
    * Serv-U.dr

Prevalence (1-5) 2

Description
Troj/Servu-DD is a hacked version of a commercially available FTP 
server that will listen on a port for incoming commands from a remote 
attacker.

Troj/Servu-DD will create a text file called patch.dll in the current 
folder.





Name   Troj/Dloadr-AJG

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Small.cxh

Prevalence (1-5) 2

Description
Troj/Dloadr-AJG is a Trojan for the Windows platform.

Advanced
Troj/Dloadr-AJG is a Trojan for the Windows platform.

Troj/Dloadr-AJG has the functionality to silently download, install 
and run new software.

When run, the Trojan may create the following files

c:\ntldr1.exe (Detected as Troj/DwnLdr-BON)
c:\ntldr2.exe (Detected as Troj/Prelo-A)
c:\ntldr3.exe (Detected as Troj/DownLdr-QK)
c:\ntldr4.exe (Detected as Troj/Harnig-AK)
c:\ntldr5.exe (Not available at time of writing)





Name   Troj/Ranck-EP

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Trojan-Proxy.Win32.Ranky.fw

Prevalence (1-5) 2

Description
Troj/Ranck-EP is a proxy Trojan that allows a remote intruder to 
route HTTP traffic through the computer.

Advanced
Troj/Ranck-EP is a proxy Trojan that allows a remote intruder to 
route HTTP traffic through the computer.

The following registry entry is created to run Troj/Ranck-EP on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Services


Troj/Ranck-EP runs continuously in the background listening on a port.

Troj/Ranck-EP has been seen pretending to be a version of Google 
Toolbar.





Name   Troj/Dropper-KY

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Leaves non-infected files on computer

Aliases  
    * Trojan-Spy.Win32.Banbra.gi
    * PWS-Banker.gen.b

Prevalence (1-5) 2

Description
Troj/Dropper-KY is a Trojan dropper for the Windows platform.

Advanced
Troj/Dropper-KY is a Trojan dropper for the Windows platform.

Troj/Dropper-KY creates temporary files in the current or Windows 
folder with filenames starting "SXE", often SXE1.TMP, SXE2.TMP and 
SXE3.TMP. Two files are related to a clean DLL, the third is detected 
as Troj/Banker-CZS.





Name   W32/Rbot-ETT

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.aym
    * WORM_RBOT.NV

Prevalence (1-5) 2

Description
W32/Rbot-ETT is a worm and IRC backdoor for the Windows platform.

W32/Rbot-ETT spreads to computers vulnerable to common exploits,
including: RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx)
and WKS
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx),
to MSSQL servers protected by weak passwords and to network shares.

W32/Rbot-ETT runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-ETT is a worm and IRC backdoor for the Windows platform.

W32/Rbot-ETT spreads to computers vulnerable to common exploits,
including: RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx)
and WKS
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx),
to MSSQL servers protected by weak passwords and to network shares.

W32/Rbot-ETT runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-ETT copies itself to \msconfigs.exe.

The following registry entries are created to run msconfigs.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Configoration Service
msconfigs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Configoration Service
msconfigs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Configoration Service
msconfigs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Configoration Service
msconfigs.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Configoration Service
msconfigs.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Configoration Service
msconfigs.exe

HKCU\Software\Microsoft\OLE
Microsoft Configoration Service
msconfigs.exe

HKLM\SOFTWARE\Microsoft\Ole
Microsoft Configoration Service
msconfigs.exe





Name   Troj/Hyder-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.Agent.vp

Prevalence (1-5) 2

Description
Troj/Hyder-A is a Trojan for the Windows platform.

Troj/Hyder-A includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Hyder-A is a Trojan for the Windows platform.

Troj/Hyder-A includes functionality to access the internet and 
communicate with a remote server via HTTP.

When Troj/Hyder-A is installed, the Trojan creates a hidden local 
admin account on the compromised computer. It also creates the 
following file:

\System\.exe, where  is either
lpt or com 
and a number. This file is also detected as Troj/Hyder-A.

The file .exe is registered as a new system driver service
named "", with a display name of "" and a startup type of
automatic, so that it is started automatically during system startup.
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\\

After a certain amount of time, Troj/Hyder-A will attempt to download 
files from a remote location. At the time of writing, the files were 
unavailable for download.

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

0





Name   W32/VB-CAI

Type  
    * Worm

How it spreads  
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Virus.Win32.VB.p
    * Infection:
    * trojan

Prevalence (1-5) 2

Description
W32/VB-CAI is a Peer-to-peer worm for the Windows platform.

Advanced
W32/VB-CAI is a P2P worm for the Windows platform.

When first run W32/VB-CAI copies itself into \config_.com and various
file sharing folders under different names, for example:

\My Music\My Music.exe
\My Shared Folder\My Shared Folder.exe
\KaZaA\KaZaA.exe
 Files>\Kmd\Kmd.exe
\Limewire\Limewire.exe

and creates the file \Autorun.inf. This file can be deleted.

W32/VB-CAI also copies itself to the startup folder, creating an 
entry under
\startupFolder.com.

The following registry entry is created to run config_.com on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Explorer
\config_.com





Name   Troj/Danmec-S

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer

Aliases  
    * Win32/Spy.Gepost
    * W32.Mytob{at}mm

Prevalence (1-5) 2

Description
Troj/Danmec-S is a backdoor Trojan for the Windows platform.

The Trojan provides functionality to a remote attacker including the 
ability to send emails, terminate security processes and modify the 
system HOSTS file.





Name   Troj/QQRob-QX

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Steals information
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Trojan-PSW.Win32.QQRob.0708
    * Win32/PSW.QQRob.NAC

Prevalence (1-5) 2

Description
Troj/QQRob-RX is a Trojan for the Windows platform.

Troj/QQRob-RX steals passwords and may attempt to disable security 
applications.

Troj/QQRob-RX includes functionality to access the internet and
communicate with a remote server via HTTP.

Advanced
Troj/QQRob-RX is a Trojan for the Windows platform.

Troj/QQRob-RX steals passwords and may attempt to disable security 
applications.

Troj/QQRob-RX includes functionality to access the internet and
communicate with a remote server via HTTP.

When first run Troj/QQRob-RX copies itself to \NTdHcP.exe and
creates the file \Deleteme.bat.

The following registry entry is created to run NTdHcP.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NTdhcp
\NTdhcp.exe





Name   Troj/SrchSpy-C

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Small.ez

Prevalence (1-5) 2

Description
Troj/SrchSpy-C is a Trojan for the Windows platform.

Troj/SrchSpy-C monitors Internet Explorer activity, and may retrieve 
information about browsing habits as well as inspecting and modifying 
search queries.

Advanced
Troj/SrchSpy-C is a Trojan for the Windows platform.

Troj/SrchSpy-C monitors Internet Explorer activity, and may retrieve 
information about browsing habits as well as inspecting and modifying 
search queries.

When first run, Troj/SrchSpy-C creates the following files:

\IEFilter.dll
\Service.exe

On NT based systems, Service.exe is registered as a service with a 
display name of Service, creating registry entries under the following:

HKLM\SYSTEM\CurrentControlSet\Services\Service\

The following registry entry is created to run code exported by the 
Trojan IEFilter.dll:

HKCR\CLSID\(3DCE4CF1-0504-402C-9860-ADCADE4B32C1)\InprocServer32
\IEFilter.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
IEFilter
(3DCE4CF1-0504-402C-9860-ADCADE4B32C1)

Registry entries are also created under:

HKLM\SOFTWARE\Microsoft\Filter\





Name   W32/Sdbot-CCR

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.yx
    * W32/Sdbot.worm.gen.z

Prevalence (1-5) 2

Description
W32/Sdbot-CCR is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Sdbot-CCR spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012), PNP
(MS05-039) and ASN.1 (MS04-007) and by copying itself to network
shares protected by weak passwords.

W32/Sdbot-CCR runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.

Advanced
W32/Sdbot-CCR is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Sdbot-CCR spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012), PNP
(MS05-039) and ASN.1 (MS04-007) and by copying itself to network
shares protected by weak passwords.

W32/Sdbot-CCR runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.

When first run W32/Sdbot-CCR copies itself to \Mscfg.exe.

The following registry entries are created to run Mscfg.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Ms System Config
Mscfg.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ms System Config
Mscfg.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Ms System Config
Mscfg.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Ms System Config
Mscfg.exe

W32/Sdbot-CCR sets the following registry entries, disabling the
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the
Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Ms System Config
Mscfg.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Ms System Config
Mscfg.exe

HKCU\Software\Microsoft\OLE
Ms System Config
Mscfg.exe

HKLM\SOFTWARE\Microsoft\Ole
Ms System Config
Mscfg.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
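An added detection check, not part of the post above or of Sophos's material: it parses a Windows .reg export offline and flags the Run/RunServices/ShellServiceObjectDelayLoad autoruns, the Start=4 service changes, DoNotAllowXPSP2, EnableDCOM=N and the SpecialAccounts\UserList hidden-account entries that the descriptions list. The sample export, the benign UpdateChecker value and the account name hiddenadmin are constructed.

```python
"""Offline check for the persistence and security-rollback registry changes
the write-ups above describe (Rbot-ETT, Sdbot-CCR, Tilebot-GC, Banker-CZP,
QQRob-RX, VB-CAI, Hyder-A), run against a .reg text export such as the
output of `reg export HKLM hklm.reg`. The sample at the bottom is constructed."""

# Indicators lifted from the descriptions; all matching is case-insensitive.
AUTORUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices",
                        "\\currentversion\\shellserviceobjectdelayload")
AUTORUN_FILES = ("msconfigs.exe", "mscfg.exe", "msnmsgr.exe", "ntdhcp.exe",
                 "config_.com", "wincrypt32.exe")
# Services the bots set to Start=4 (disabled); SharedAccess is the XP firewall.
DISABLED_SERVICES = ("messenger", "remoteregistry", "tlntsvr", "wuauserv",
                     "sharedaccess")

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from a .reg (v5) export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"')
    return keys

def find_indicators(text):
    """Return one finding string per matching value, in export order."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        service = k.rsplit("\\", 1)[-1] if "\\services\\" in k else None
        for name, data in values.items():
            n, d = name.lower(), data.lower()
            if k.endswith(AUTORUN_KEY_SUFFIXES) and any(f in d for f in AUTORUN_FILES):
                findings.append(f"autorun {key}\\{name} -> {data}")
            elif service in DISABLED_SERVICES and n == "start" and d == "dword:00000004":
                findings.append(f"service disabled: {key}")
            elif n == "donotallowxpsp2" and d == "dword:00000001":
                findings.append(f"XP SP2 install blocked: {key}")
            elif n == "enabledcom" and d == "n":
                findings.append(f"DCOM disabled: {key}")
            elif k.endswith("\\specialaccounts\\userlist") and d == "dword:00000000":
                findings.append(f"hidden logon account: {name}")
    return findings

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Configoration Service"="msconfigs.exe"
"UpdateChecker"="C:\\Program Files\\Example\\updater.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"hiddenadmin"=dword:00000000
"""

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG):
        print(finding)
```

The benign UpdateChecker value and a service left at its normal Start value produce no finding, so a clean export returns an empty list.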

SOURCE: echomail via fidonet.ozzmosis.com
