subject: News, October 10 2005
[cut-n-paste from sophos.com]
Name W32/Sober-P
Type
* Worm
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Installs itself in the Registry
Aliases
* Trojan-Dropper.Win32.VB.iv
* W32/Sober.r.dr
Prevalence (1-5) 4
Description
W32/Sober-P is a mass-mailing worm.
When first run, a message box may be displayed with title 'Ms Paint'
and containing the text 'Graphic Decoder not found'.
The email sent by W32/Sober-P depends on the recipient address.
Emails sent to recipients whose email address is in the .de, .ch, .at,
.li domains or contains the string "gmx." will receive an email as
follows:
Subject line: Fwd: Klassentreffen
Message text:
hi,
ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
ich habe jedenfalls mal unser klassenfoto von damals mit angehängt.
wenn du dich dort wiedererkennst, dann schreibe unbedingt zurück!!
wenn ich aber wieder mal die falsche person erwischt habe, dann sorry
für die belästigung ;)
liebe gr
Hannelore
Attached file: KlassenFoto.zip
Email sent to other addresses will have the following characteristics:
Subject line: Your new Password
Message text:
Your password was successfully changed!
Please see the attached file for detailed information.
Attached file: pword_change.zip
W32/Sober-P harvests email addresses from files on the computer.
When W32/Sober-P is installed the following files are created:
C:/vbbfgdtd.exe
\ConnectionStatus\services.exe
These files are detected as W32/Sober-O.
Advanced
W32/Sober-P is a mass-mailing worm.
When first run, a message box may be displayed with title 'Ms Paint'
and containing the text 'Graphic Decoder not found'.
W32/Sober-P creates a base64 encoded ZIP archived copy of itself in
\ConnectionStatus\netslot.nst.
The email sent by W32/Sober-P depends on the recipient address.
Emails sent to recipients whose email address is in the .de, .ch, .at,
.li domains or contains the string "gmx." will receive an email as
follows:
Subject line: Fwd: Klassentreffen
Message text:
hi,
ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
ich habe jedenfalls mal unser klassenfoto von damals mit angehängt.
wenn du dich dort wiedererkennst, dann schreibe unbedingt zurück!!
wenn ich aber wieder mal die falsche person erwischt habe, dann sorry
für die belästigung ;)
liebe gr
Hannelore
Attached file: KlassenFoto.zip
Email sent to other addresses will have the following characteristics:
Subject line: Your new Password
Message text:
Your password was successfully changed!
Please see the attached file for detailed information.
Attached file: pword_change.zip
W32/Sober-P harvests email addresses from files with the following
strings in their filenames:
pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda
adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb
xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml
hlp mht nfo php asp shtml dbx
When W32/Sober-P is installed the following files are created:
C:/vbbfgdtd.exe
\ConnectionStatus\services.exe
These files are detected as W32/Sober-O.
The following registry entry is created to run services.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinINet
\ConnectionStatus\services.exe
Name W32/Sober-L
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Leaves non-infected files on computer
Prevalence (1-5) 3
Description
W32/Sober-L is a mass-mailing worm for the Windows platform.
Emails sent by the worm will have the following characteristics:
Subject line:
Ich habe Ihre E-Mail bekommen!
or
Your Password & Account number
Message text:
Hallo,
jemand schickt ihre privaten Mails auf meinem Account.
Ich schaetze mal, das es ein Fehler vom Provider ist.
Insgesamt waren es jetzt schon 6 Mails!
Ich habe alle Mail-Texte im Texteditor kopiert und gezippt.
Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese
Dinger nicht mehr auf meinem Account landen, es Nervt naemlich.
Gruss
or
hi,
i've got an admin mail with a Password and Account info!
but the mail recipient are you! it's probably an esmtp error, i think.
i've copied the full mail text in the Windows text-editor & zipped.
ok, cya...
Attached file:
MailTexte.zip
or
acc_text.zip
Advanced
W32/Sober-L is a mass-mailing worm which sends itself to addresses
harvested from the infected computer.
When first run, W32/Sober-L will open Notepad and display a body of
text that starts:
Mail-Text:
Unzip failed
W32/Sober-L will copy itself to a subfolder of the Windows folder
named \MSAGENT\SYSTEM with the filename SMSS.EXE. In order to run
automatically each time a user logs on, W32/Sober-L will continually
set the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
" Services.dll"
\msagent\system\smss.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
_Services.dll
\msagent\system\smss.exe
W32/Sober-L also creates the following data files:
\msagent\win32\emdata.mmx
\msagent\win32\zipzip.zab
\read.me
\nonrunso.ber
\stopruns.zhz
\xcvfpokd.tqa
The READ.ME file contains the following text:
test test test
In diesem Sinne:
Odin alias Anon
W32/Sober-L will attempt to terminate processes with names containing
the following strings:
gcas, gcip, giantanti, stinger, hijackthis
W32/Sober-L harvests email addresses from files with the following
strings in their filenames:
pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda
adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb
xml wsh tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml
hlp mht nfo php asp shtml dbx
W32/Sober-L avoids sending email to addresses that contain any of the
following strings:
ntp- ntp@ ntp. test@ office @www @from. support smtp- @smtp.
gold-certs ftp. .dial. .ppp. anyone subscribe announce @gmetref sql.
someone nothing you@ user@ reciver@ somebody secure whatever@ whoever@
anywhere yourname mustermann@ .kundenserver. mailer-daemon variabel
password noreply -dav law2 .sul.t- .qmail@ t-ipconnect t-dialin
ipt.aol time postmas service freeav @ca. abuse winrar domain. host.
viren bitdefender spybot detection ewido. emsisoft linux google @foo.
winzip @example. bellcore. @arin mozilla @iana @avp icrosoft. @sophos
@panda @kaspers free-av antivir virus verizon. @ikarus. @nai.
@messagelab nlpmail01. clock
The email sent by W32/Sober-L depends on the recipient address.
Emails sent to recipients whose email address is in the .de, .ch, .at,
.li domains or contains the string "gmx." will receive an email as
follows:
Subject line:
Ich habe Ihre E-Mail bekommen!
Message text:
Hallo,
jemand schickt ihre privaten Mails auf meinem Account.
Ich schaetze mal, das es ein Fehler vom Provider ist.
Insgesamt waren es jetzt schon 6 Mails!
Ich habe alle Mail-Texte im Texteditor kopiert und gezippt.
Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese
Dinger nicht mehr auf meinem Account landen, es Nervt naemlich.
Gruss
Attached file:
MailTexte.zip
Email sent to other addresses will have the following characteristics:
Subject line:
Your Password & Account number
Message text:
hi,
i've got an admin mail with a Password and Account info!
but the mail recipient are you! it's probably an esmtp error, i think.
i've copied the full mail text in the Windows text-editor & zipped.
ok, cya...
Attached file:
acc_text.zip
The ZIP file will contain an executable file named
mail_text-data.txt.pif
The From address line will be faked.
Name W32/Rbot-APW
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Rbot-APW is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-APW spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including LSASS (MS04-011), WKS
(MS03-049), RPC-DCOM (MS04-012) and PNP (MS05-039).
W32/Rbot-APW runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-APW includes functionality to:
- perform port scanning
- carry out DDoS flooder attacks
- silently download, install and run new software
- steal information
Advanced
W32/Rbot-APW is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-APW spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including LSASS (MS04-011), WKS
(MS03-049), RPC-DCOM (MS04-012) and PNP (MS05-039).
W32/Rbot-APW runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-APW includes functionality to:
- perform port scanning
- carry out DDoS flooder attacks
- silently download, install and run new software
- steal information
When first run W32/Rbot-APW copies itself to \winsass.exe.
The following registry entries are created to run winsass.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows WinSaSS Management
winsass.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows WinSaSS Management
winsass.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows WinSaSS Management
winsass.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows WinSaSS Management
winsass.exe
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Windows WinSaSS Management
winsass.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Windows WinSaSS Management
winsass.exe
HKCU\Software\Microsoft\OLE
Microsoft Windows WinSaSS Management
winsass.exe
HKLM\SOFTWARE\Microsoft\Ole
Microsoft Windows WinSaSS Management
winsass.exe
W32/Rbot-APW modifies the HOSTS file to prevent access to anti-virus
and security related sites.
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-APW can be obtained from the Microsoft website:
MS03-049
MS04-011
MS04-012
MS05-039
Name Troj/Badparty-A
Type
* Trojan
Prevalence (1-5) 2
Description
Troj/Badparty-A displays a message box containing the text 'Press OK
to install the party invitation...'.
When the user clicks on OK the Trojan deletes the partition table in
the master boot sector and the contents of the FAT. The Trojan then
attempts to create a new partition table.
The Trojan creates the following files, which are all copies of
legitimate utilities:
ginst0.dll in the Windows temp folder
int86_16.dll, int86_32.dll, playme.exe and party.ini in the Windows
folder
Name Troj/Banker-DV
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Banker.cv
Prevalence (1-5) 2
Description
Troj/Banker-DV is a password-stealing Trojan targeted at customers of
Brazilian banks.
Troj/Banker-DV may display a fake error message containing the
following text:
Erro de aplicativo
Aplicativo nao inicializado corretamente (0xc0000005). Clique em OK
para finalizar a execucao
Advanced
Troj/Banker-DV is a password-stealing Trojan targeted at customers of
Brazilian banks.
Troj/Banker-DV will monitor a user's internet access. When certain
internet banking sites are visited, the Trojan will display a fake login screen
in order to trick the user into inputting their details.
Troj/Banker-DV will then send the stolen details to a remote location.
Troj/Banker-DV may display a fake error message containing the
following text:
Erro de aplicativo
Aplicativo nao inicializado corretamente (0xc0000005). Clique em OK
para finalizar a execucao
When first run, Troj/Banker-DV will copy itself to \winlogin.exe
In order to run automatically each time a user logs in, Troj/Banker-DV
will set the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Update
\winlogin.exe
Name Troj/Bandler-D
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Records keystrokes
Aliases
* Trojan-Spy.Win32.Banbra.dm
* PWSteal.Banpaes
Prevalence (1-5) 2
Description
Troj/Bandler-D is a Trojan for the Windows platform.
Troj/Bandler-D includes functionality to download, install and run
new software.
When first run Troj/Bandler-D copies itself to \smss.exe.
Troj/Bandler-D will also attempt to terminate Anti-virus and security
related applications.
Advanced
Troj/Bandler-D is a Trojan for the Windows platform.
Troj/Bandler-D includes functionality to download, install and run
new software.
When first run Troj/Bandler-D copies itself to \smss.exe.
The following registry entry is created to run smss.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
zsmss
\smss.exe
Troj/Bandler-D will also attempt to terminate Anti-virus and security
related applications.
Name W32/Opanki-AB
Type
* Spyware Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* IM-Worm.Win32.Opanki.ab
Prevalence (1-5) 2
Description
W32/Opanki-AB is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Opanki-AB runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Opanki-AB may also attempt to monitor AOL Instant Messenger (AIM)
windows and send data to online contacts.
The backdoor component of W32/Opanki-AB can be instructed to download
and execute further files.
Advanced
W32/Opanki-AB is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Opanki-AB runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Opanki-AB copies itself to \nether.exe
The following registry entry is created to run nether.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows System Configuration
\nether.exe
W32/Opanki-AB may also attempt to monitor AOL Instant Messenger (AIM)
windows and send data to online contacts.
The backdoor component of W32/Opanki-AB can be instructed to download
and execute further files.
Name W32/Rbot-LT
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.cd
Prevalence (1-5) 2
Description
W32/Rbot-LT is a network worm which contains IRC backdoor Trojan
functionality, allowing unauthorised remote access to the infected
computer.
Advanced
W32/Rbot-LT is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
W32/Rbot-LT spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Rbot-LT copies itself to the Windows system folder as LSSRV.EXE
and creates entries at the following locations in the registry with
the value Microsoft Services so as to run itself on system startup,
resetting them multiple times every minute:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
W32/Rbot-LT also sets the following registry entry with the same
value to point to itself:
HKCU\Software\Microsoft\OLE
W32/Rbot-LT may attempt to set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-LT may attempt to delete network shares on the host computer.
W32/Rbot-LT may attempt to log keystrokes to the file KEY32.TXT in
the Windows system folder.
Name W32/Rbot-AQF
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.gen
* W32/Sdbot.worm.gen.bh
Prevalence (1-5) 2
Description
W32/Rbot-AQF is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-AQF spreads:
- to other network computers infected with: Troj/Kuang, Troj/Sub7,
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012),
WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011)
(CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware
(CAN-2003-1030), PNP (MS05-039) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords
W32/Rbot-AQF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Rbot-AQF is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-AQF spreads:
- to other network computers infected with: Troj/Kuang, Troj/Sub7,
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012),
WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011)
(CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware
(CAN-2003-1030), PNP (MS05-039) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords
W32/Rbot-AQF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-AQF copies itself to \msnwindows.exe.
The following registry entries are created to run msnwindows.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Service
msnwindows.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
System Service
msnwindows.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
System Service
msnwindows.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/Small-QJ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* TROJ_SMALL.QI
Prevalence (1-5) 2
Description
Troj/Small-QJ is a Trojan for the Windows platform.
Troj/Small-QJ includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Small-QJ downloads and executes several files from a remote site.
Advanced
Troj/Small-QJ is a Trojan for the Windows platform.
Troj/Small-QJ includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Small-QJ copies itself to the Windows system
folder and creates the file \winhlp32.dll (also
detected as Troj/Small-QJ).
The following registry entry is created to run Troj/Small-QJ on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
down
Troj/Small-QJ downloads and executes several files from a remote site.
Name Troj/Vanti-E
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Rootkit.Win32.Vanti.e
Prevalence (1-5) 2
Description
Troj/Vanti-E is used by malicious software to hide its presence on an
infected system.
Name W32/Tilebot-W
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Agobot.afk
* WORM_RBOT.CHY
Prevalence (1-5) 2
Description
W32/Tilebot-W is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-W spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).
W32/Tilebot-W runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-W includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-W copies itself to \csrss.exe.
Advanced
W32/Tilebot-W is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-W spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).
W32/Tilebot-W runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-W includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-W copies itself to \csrss.exe.
The file csrss.exe is registered as a new system driver service named
"wservtime", with a display name of "Windows Time Sync" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\wservtime\
W32/Tilebot-W sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Kassbot-I
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Nanspy.c
* BackDoor-CPV
Prevalence (1-5) 2
Description
W32/Kassbot-I is a worm and backdoor Trojan for the Windows platform.
W32/Kassbot-I spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including LSASS (MS04-011).
W32/Kassbot-I runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
Advanced
W32/Kassbot-I is a worm and backdoor Trojan for the Windows platform.
W32/Kassbot-I spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including LSASS (MS04-011).
W32/Kassbot-I runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Kassbot-I includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Kassbot-I will append entries for the following Kaspersky update and
download hosts to the HOSTS file, in order to redirect internet traffic
aimed at these security related URLs to an alternate URL.
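A defender-side check for the HOSTS tampering described above, added here as an example (not code from Sophos or from the original post): it parses a HOSTS file, flags any mapping for the Kaspersky domains named on this page, and tells a blocking entry (loopback) from a redirecting one. The sample HOSTS content is constructed.

```python
import ipaddress

# Security-vendor domains the W32/Kassbot-I description above names as
# HOSTS-file targets (page data; extend with your own vendors' hosts).
WATCHED_DOMAINS = ("kaspersky.ru", "kaspersky-labs.com")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a HOSTS file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                              # not an address mapping
        for host in parts[1:]:
            yield ip, host.lower(), line_no


def is_watched(host):
    """True for a watched domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def classify(ip):
    """A mapping to loopback/unspecified blocks the host; anything else
    redirects it to an address the attacker chose."""
    addr = ipaddress.ip_address(ip)
    return "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"


def find_hijacks(text):
    """Return (line_no, host, ip, effect) for every watched host mapped in
    the file. A legitimate HOSTS file has no reason to pin vendor update
    hosts, so any explicit mapping is worth a look."""
    return [(ln, host, ip, classify(ip))
            for ip, host, ln in parse_hosts(text) if is_watched(host)]


# Constructed sample, modelled on the Kassbot-I behaviour described above.
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1       localhost
::1             localhost
# appended by the infection (constructed)
127.0.0.1       downloads1.kaspersky.ru
127.0.0.1       www.kaspersky-labs.com kaspersky-labs.com
192.0.2.10      kaspersky.ru
10.0.0.5        intranet.example.test
"""

if __name__ == "__main__":
    for ln, host, ip, effect in find_hijacks(SAMPLE_HOSTS):
        print(f"line {ln}: {host} -> {ip} ({effect})")
```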
When first run W32/Kassbot-I copies itself to \spools.exe and
creates the file \xbccd.log, which is a harmless text file.
The following registry entry is created to run spools.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spools Service Controller
\spools.exe
Name W32/Tilebot-X
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Aimbot.af
* W32/Sdbot.worm.gen.by
Prevalence (1-5) 2
Description
W32/Tilebot-X is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-X spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM
(MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself
to network shares protected by weak passwords.
W32/Tilebot-X runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-X includes functionality to:
- set up a SOCKS4 server
- enumerate all drives and processes on the infected computer
- access the internet and communicate with a remote server via HTTP
- create new AOL Instant Messenger profiles
- perform port scanning
- steal information, including POP3 and Hotmail usernames and passwords
as well as from the Protected Storage area
W32/Tilebot-X also creates the file \rofl.sys. The file rofl.sys is
detected as Troj/RKPort-Fam.
The following patches for the operating system vulnerabilities
exploited by W32/Tilebot-X can be obtained from the Microsoft website:
MS04-011
MS04-012
MS05-039
MS04-007
Advanced
W32/Tilebot-X is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-X spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM
(MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself
to network shares protected by weak passwords.
W32/Tilebot-X runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-X includes functionality to:
- set up a SOCKS4 server
- enumerate all drives and processes on the infected computer
- access the internet and communicate with a remote server via HTTP
- create new AOL Instant Messenger profiles
- perform port scanning
- steal information, including POP3 and Hotmail usernames and passwords
as well as from the Protected Storage area
When first run W32/Tilebot-X copies itself to \smrss.exe and
creates the file \rofl.sys.
The file rofl.sys is detected as Troj/RKPort-Fam.
The file smrss.exe is registered as a new system driver service named
"Windows Smrss Service", with a display name of "Windows Smrss Service"
and a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows Smrss Service\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_SMRSS_SERVICE\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ROFL
The file rofl.sys is registered as a new system driver service named
"rofl", with a display name of "rofl". Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\rofl\
W32/Tilebot-X sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
AUOptions
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent
(default)
8
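The autorun entries and security-weakening values listed across these descriptions (the Run/RunServices values for Sober-P, Rbot-APW, Banker-DV, Bandler-D, Opanki-AB, Rbot-AQF, Kassbot-I and Bagle-AN, and the Security Center, Windows Update, firewall and wscsvc settings Tilebot-X changes) can be checked against an exported registry hive. The following is an added example, not Sophos's or the original poster's code: it parses a .reg export and reports matches; the KNOWN_AUTORUN and WEAKENING tables are built only from values on this page, and the sample export is constructed.

```python
import re
from ntpath import basename

# Autorun value names and executables the descriptions above attribute to
# the listed families (taken from this page; extend from your own intel).
KNOWN_AUTORUN = {
    "wininet": "services.exe",                              # W32/Sober-P
    "microsoft windows winsass management": "winsass.exe",  # W32/Rbot-APW
    "windows update": "winlogin.exe",                       # Troj/Banker-DV
    "zsmss": "smss.exe",                                    # Troj/Bandler-D
    "windows system configuration": "nether.exe",           # W32/Opanki-AB
    "system service": "msnwindows.exe",                     # W32/Rbot-AQF
    "spools service controller": "spools.exe",              # W32/Kassbot-I
    "winhost.exe": "winhost.exe",                           # W32/Bagle-AN
}
# Security-weakening values W32/Tilebot-X sets: (key suffix, value) -> data.
WEAKENING = {
    (r"microsoft\security center", "antivirusdisablenotify"): 1,
    (r"microsoft\security center", "antivirusoverride"): 1,
    (r"microsoft\security center", "firewalldisablenotify"): 1,
    (r"microsoft\security center", "firewalloverride"): 1,
    (r"microsoft\security center", "updatesdisablenotify"): 1,
    (r"windowsupdate\auto update", "auoptions"): 1,      # 1 = never check
    (r"windowsfirewall\domainprofile", "enablefirewall"): 0,
    (r"windowsfirewall\standardprofile", "enablefirewall"): 0,
    (r"microsoft\windows\windowsupdate", "donotallowxpsp2"): 1,
    (r"services\wscsvc", "start"): 4,                    # 4 = disabled
}
AUTORUN_KEY = re.compile(r"\\currentversion\\run(services)?$")
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data) from a .reg export.
    String data becomes str, dword: becomes int, other types stay raw."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name = "(default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        yield key, name, data


def triage(text):
    """Return human-readable findings for the indicators tabled above."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        if AUTORUN_KEY.search(k) and isinstance(data, str):
            exe = basename(data.strip()).lower()
            if n in KNOWN_AUTORUN or exe in KNOWN_AUTORUN.values():
                findings.append(f"autorun: {key} \\ {name} -> {data}")
        for (suffix, vname), bad in WEAKENING.items():
            if k.endswith(suffix) and n == vname and data == bad:
                findings.append(f"weakened: {key} \\ {name} = {data}")
    return findings


# Constructed sample export: one benign autorun, two taken from the page,
# one Security Center notification disabled, and the Security Center
# service (wscsvc) set to disabled.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Vendor\\agent.exe"
"System Service"="msnwindows.exe"
"Windows System Configuration"="C:\\WINDOWS\\system32\\nether.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

Every hit still needs a human look: a value name such as "Windows Update" is generic, so the executable it points at decides whether the entry is the Banker-DV one.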
The following patches for the operating system vulnerabilities
exploited by W32/Tilebot-X can be obtained from the Microsoft website:
MS04-011
MS04-012
MS05-039
MS04-007
Name W32/Bagle-AN
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* W32/Bagle.df@MM
* mail-Worm.Win32.Bagle.dx
Prevalence (1-5) 2
Description
W32/Bagle-AN is a worm for the Windows platform.
W32/Bagle-AN spreads via file sharing on Peer-to-peer networks and
via email.
W32/Bagle-AN includes functionality to download, install and run new
software.
W32/Bagle-AN then creates copies of itself in all folders containing
the substring SHAR on all drives.
W32/Bagle-AN also spreads by email. The email addresses are collected
from files on the system containing the following file extensions:
WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS,
CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM,
JSP.
The worm arrives as an attachment to an HTML email message.
The basename of the attachment is chosen from the following list:
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message
The email message has the following characteristics:
Subject line:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
Message text:
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
Advanced
W32/Bagle-AN is a worm for the Windows platform.
W32/Bagle-AN spreads via file sharing on Peer-to-peer networks and
via email.
W32/Bagle-AN includes functionality to download, install and run new
software.
When first run, W32/Bagle-AN copies itself to \winhost.exe
and creates the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winhost.exe
\winhost.exe
W32/Bagle-AN then creates copies of itself in all folders containing
the substring SHAR on all drives.
The worm uses the following filenames:
"Microsoft Office 2003 Crack, Working!.exe"
"Microsoft Windows XP, WinXP Crack, working Keygen.exe"
"Norton Antivirus, working Keygen.exe"
"Microsoft Office XP working Crack, Keygen.exe"
"Porno, sex, oral, anal cool, awesome!!.exe"
"Porno Screensaver.scr"
"Serials.txt.exe"
"Kaspersky Antivirus 5.0"
"Porno pics arhive, xxx.exe"
"Windows Sourcecode update.doc.exe"
"Ahead Nero 7.exe"
"Windown Longhorn Beta Leak.exe"
"Opera 8 New!.exe"
"XXX hardcore images.exe"
"WinAmp 6 New!.exe"
"WinAmp 5 Pro Keygen Crack Update.exe"
"Adobe Photoshop 9 full.exe"
"Matrix 3 Revolution English Subtitles.exe"
"Doom3_nocd.exe"
"HalfLife2_noCD.exe"
"12 year old Katia sucks and fucks me in lots of positions. (teen
preteen anal cumshot sex young whore school lolita.avi .exe"
W32/Bagle-AN spreads by email. The email addresses are collected from
files on the system containing the following file extensions:
WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS,
CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM,
JSP.
The worm arrives as an attachment to an HTML email message.
The basename of the attachment is chosen from the following list:
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message
The email message has the following characteristics:
Subject line:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
Message text:
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
W32/Bagle-AN also attempts to terminate security-related processes on
an infected computer.
Registry entries are created under:
HKCU\Software\Timeout\
Name W32/Kassbot-H
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Kassbot-H is a worm and backdoor Trojan for the Windows platform.
W32/Kassbot-H runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Kassbot-H includes functionality to access the internet and
communicate with a remote server via HTTP and IRC.
W32/Kassbot-H may send an email to a pre-defined email address
containing system information from the infected computer.
W32/Kassbot-H will monitor a user's internet access. When certain
internet sites are accessed, the worm will redirect the user to a
website with fake login pages or email the stolen details to a
pre-specified email address.
W32/Kassbot-H will attempt to spread by exploiting the LSASS
vulnerability (MS04-011). The patch for the operating system
vulnerability exploited by W32/Kassbot-H can be obtained from the
Microsoft website:
MS04-011
Advanced
W32/Kassbot-H is a worm and backdoor Trojan for the Windows platform.
W32/Kassbot-H runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Kassbot-H includes functionality to access the internet and
communicate with a remote server via HTTP and IRC.
When first run W32/Kassbot-H copies itself to \spools.exe and
creates the file \xbccd.log. The file xbccd.log may be deleted.
The following registry entry is created to run spools.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spools Service Controller
\spools.exe
W32/Kassbot-H may send an email to a pre-defined email address
containing system information from the infected computer.
W32/Kassbot-H will monitor a user's internet access. When certain
internet sites are accessed, the worm will redirect the user to a
website with fake login pages or email the stolen details to a
pre-specified email address.
W32/Kassbot-H will attempt to spread by exploiting the LSASS
vulnerability (MS04-011). The patch for the operating system
vulnerability exploited by W32/Kassbot-H can be obtained from the
Microsoft website:
MS04-011
W32/Kassbot-H will append the following lines to the HOSTS file in an
attempt to block access to anti-virus related websites:
d-ru-1f.kaspersky-labs.com
d-ru-1h.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
d-ru-2h.kaspersky-labs.com
d-eu-2f.kaspersky-labs.com
d-eu-2h.kaspersky-labs.com
d-eu-1f.kaspersky-labs.com
d-eu-1h.kaspersky-labs.com
d-us-1f.kaspersky-labs.com
d-us-1h.kaspersky-labs.com
downloads1.kaspersky.ru
downloads2.kaspersky.ru
downloads3.kaspersky.ru
downloads4.kaspersky.ru
downloads5.kaspersky.ru
www.kaspersky.ru
kaspersky.ru
kaspersky-labs.com
www.kaspersky-labs.com
Name Troj/GrayBrd-AC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Hupigon.hi
Prevalence (1-5) 2
Description
Troj/GrayBrd-AC is a Trojan for the Windows platform.
Troj/GrayBrd-AC includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/GrayBrd-AC is a Trojan for the Windows platform.
Troj/GrayBrd-AC includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/GrayBrd-AC copies itself to
\RavExt\winlogo.exe.
The file winlogo.exe is registered as a new system driver service
named "Internet", with a display name of "Windows Internet/Server"
and a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Internet\
Name W32/Mytob-ET
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
Prevalence (1-5) 2
Description
W32/Mytob-ET is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-ET runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Mytob-ET can spread by sending itself as an email attachment to
email addresses harvested from the infected computer.
Emails sent by the worm have characteristics from the following:
Subject lines:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
or random characters
Message text - one of the following:
The worm will insert the username and the email domain of the
addressee into the email.
Dear user ,
You have successfully updated the password of your account.
If you did not authorize this change or if you need assistance with
your account, please contact customer service at:
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.
Dear user ,
It has come to our attention that your User Profile ( x )
records are out of date. For further details see the attached document.
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.
Dear Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your account.
Sincerely,The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.
Dear Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could please take 5-10
minutes out of your online experience and confirm the attached
document so you will not run into any future problems with the online
service.
If you choose to ignore our request, you leave us no choice but to
cancel your membership.
Virtually yours,
The Support Team
+++ Attachment: No Virus found
+++ Antivirus - www.
Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
or random characters
The zip file will contain the worm with double extension. The first
extension will be one of doc, htm, txt followed by spaces and the
second extension is exe, scr or pif.
Advanced
W32/Mytob-ET is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-ET runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Mytob-ET copies itself to \hpmanager.exe.
The following registry entries are created to run hpmanager.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Hewlett Packard Manager
hpmanager.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Hewlett Packard Manager
hpmanager.exe
W32/Mytob-ET sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
W32/Mytob-ET can spread by sending itself as an email attachment to
email addresses harvested from the infected computer.
Emails sent by the worm have characteristics from the following:
Subject lines:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
or random characters
Message text - one of the following:
The worm will insert the username and the email domain of the
addressee into the email.
Dear user ,
You have successfully updated the password of your account.
If you did not authorize this change or if you need assistance with
your account, please contact customer service at:
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.
Dear user ,
It has come to our attention that your User Profile ( x )
records are out of date. For further details see the attached document.
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.
Dear Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your account.
Sincerely,The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.
Dear Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could please take 5-10
minutes out of your online experience and confirm the attached
document so you will not run into any future problems with the online
service.
If you choose to ignore our request, you leave us no choice but to
cancel your membership.
Virtually yours,
The Support Team
+++ Attachment: No Virus found
+++ Antivirus - www.
Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
or random characters
The zip file will contain the worm with double extension. The first
extension will be one of doc, htm, txt followed by spaces and the
second extension is exe, scr or pif.
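The padded double extension described above is easy to miss by eye and easy to check by machine. The following is an added example, not code from the Sophos write-up or from this post: it opens a ZIP attachment in memory, inspects member names only (nothing is extracted or run), and flags any member whose real extension is executable or whose name follows the "decoy extension, run of spaces, real extension" pattern. The executable-extension set is wider than the exe/scr/pif the write-up lists (com, bat and cmd are added here as an assumption), and the sample ZIP is constructed with a harmless text payload.

```python
# Added example (not from the Sophos write-up or this post): flag mail
# attachments that hide an executable behind a padded decoy extension,
# the layout W32/Mytob-ET uses inside its .zip attachment. The ZIP is
# constructed in memory with harmless text so the check runs offline.
import io
import re
import zipfile

# Extensions Windows will run. The write-up lists exe, scr and pif;
# com, bat and cmd are added here as an assumption.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}

# "<name>.<decoy><one or more spaces>.<real>": the decoy extension is
# what a user sees in a narrow column, the real one is what runs.
PADDED_RE = re.compile(
    r"^(?P<base>.+?)\.(?P<decoy>[A-Za-z0-9]{1,5})\s+\.(?P<real>[A-Za-z0-9]{1,4})$"
)


def classify_member_name(name: str) -> dict:
    """Verdict for one archive member name (directory components stripped)."""
    leaf = name.replace("\\", "/").rsplit("/", 1)[-1]
    real_ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
    verdict = {
        "name": name,
        "real_ext": real_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
        "padded_double_ext": False,
        "decoy_ext": None,
    }
    m = PADDED_RE.match(leaf)
    if m:
        verdict["padded_double_ext"] = True
        verdict["decoy_ext"] = m.group("decoy").lower()
    return verdict


def scan_zip_bytes(data: bytes) -> list:
    """Return verdicts for members that are executable or use the padding trick.

    Only the central directory is read; no member is extracted or executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            v = classify_member_name(info.filename)
            if v["executable"] or v["padded_double_ext"]:
                findings.append(v)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one padded decoy name (text payload) and one clean file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("account-details.doc" + " " * 40 + ".exe", b"placeholder, not a binary")
        zf.writestr("readme.txt", b"benign text file")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_bytes(build_sample_zip()):
        print(finding)
```

On a mail gateway the same check would be applied to the attachment's own filename as well as to the archive members, since the outer name is what the recipient sees first.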
W32/Mytob-ET attempts to terminate a large number of processes
related to security and anti-virus programs.
W32/Mytob-ET also modifies the Windows hosts file in order to block
access to the following websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
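Both W32/Kassbot-H (the kaspersky entries above) and W32/Mytob-ET (the list just given) tamper with the hosts file so that update and support sites resolve to nowhere. The following is an added example, not code from the Sophos write-ups or from this post: it parses hosts-file text, reports every name that falls under one of the vendor zones the two write-ups mention, and notes whether the address it is mapped to is a loopback, unspecified, private or reserved address that cannot be the vendor's real host. The watch list is assembled from the domains on this page and the sample hosts content is constructed.

```python
# Added example (not from the Sophos write-ups or this post): audit a
# Windows hosts file for entries that sink security-vendor names, the
# technique W32/Kassbot-H and W32/Mytob-ET use to block updates. The
# watch list is built from the domains the two write-ups name; the
# hosts text is constructed for the demonstration.
import ipaddress

WATCHED_ZONES = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "nai.com", "networkassociates.com", "f-secure.com", "kaspersky.com",
    "kaspersky-labs.com", "kaspersky.ru", "avp.com", "viruslist.com",
    "ca.com", "my-etrust.com", "trendmicro.com", "pandasoftware.com",
    "grisoft.com", "microsoft.com", "virustotal.com",
)


def in_watched_zone(host: str) -> bool:
    """True when host is one of the watched zones or a name under one."""
    h = host.lower().rstrip(".")
    return any(h == zone or h.endswith("." + zone) for zone in WATCHED_ZONES)


def is_sinkhole_address(ip_text: str) -> bool:
    """Loopback, unspecified, private or reserved targets cannot be a vendor's host."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_reserved


def audit_hosts(text: str) -> list:
    """Return one finding per watched hostname present in the hosts text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            if in_watched_zone(name):
                findings.append({
                    "line": lineno,
                    "ip": ip,
                    "host": name,
                    "sinkholed": is_sinkhole_address(ip),
                })
    return findings


# Constructed hosts file: the stock localhost line, four lines of the
# kind the write-ups describe, and one unrelated intranet entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.sophos.com
127.0.0.1 d-ru-1f.kaspersky-labs.com
10.0.0.5  intranet.example.test
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a live machine the text would come from %SystemRoot%\System32\drivers\etc\hosts; a vendor name in that file at all is worth a look, whatever address it points to, since nothing legitimate needs to pin those names locally.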
Name Troj/Sisery-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Deletes files off the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Sisery-A is a Trojan for the Windows platform.
The Trojan is a nuisance program which modifies the default behaviors
of Microsoft Windows and several applications.
Advanced
Troj/Sisery-A is a Trojan for the Windows platform.
The Trojan is a nuisance program which modifies the default behaviors
of Microsoft Windows and several applications. Troj/Sisery-A may make
the following changes to the infected computer:
- offset the Desktop wallpaper to the lower right
- remove the "log off" option from the shutdown menu
- display a message box entitled "DANGER" on user login
- change the title of Internet Explorer
- create a folder in the root folder containing "WINDOWS" and
non-printable characters
- cause a long delay before the Start menu (and any sub-menus) appears
- disable the context menu
- disable the control panel and Windows Explorer
- change the start page for Internet Explorer to a vulgar page from
the rotten.com domain
Troj/Sisery-A makes the following changes to the system registry:
HKCU\Control Panel\Desktop
WallpaperOriginX
"210"
HKCU\Control Panel\Desktop
WallpaperOriginY
"187"
HKCU\Software\Microsoft\Internet Explorer\Main
Window title
":::::::::: ::::::::::"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
NoViewContextMenu
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Start_ShowRun
dword:00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoActiveDesktop
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoViewOnDrive
dword:00000018
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoClose
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
StartMenuLogoff
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDrives
dword:00000414
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFavoritesMenu
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRecentDocsMenu
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSetFolders
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoLogOff
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSaveSettings
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoUserNameInStartMenu
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoToolbarCustomize
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoThemesTab
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSMHelp
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoPrinterTabs
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoPrinters
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoNetHood
dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoManageMyComputerVerb
dword:00000001
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
DiskSpaceThreshold
dword:00000099
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
DiskSpaceThreshold
dword:00000099
HKCU\Control Panel\Desktop
MenuShowDelay
"9999"
HKCU\Control Panel\International
sTimeFormat
""
HKCU\Software\Microsoft\Internet Explorer\Main
Start Page
"[URL REMOVED]"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
RPLifeInterval
dword:00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption
"DANGER"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeText
""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\
NameSpace\DelegateFolders\{59031a47-3f72-44a7-89c5-5595fe6b30ee}
(default)
""
Name W32/Tilebot-AA
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Aliases
* Backdoor.Win32.SdBot.xd
Prevalence (1-5) 2
Description
W32/Tilebot-AA is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorized remote access to the infected computer via IRC channels.
W32/Tilebot-AA spreads to network shares with weak passwords as a
result of the backdoor Trojan element receiving the appropriate
command from a remote user.
W32/Tilebot-AA allows a remote user to perform a wide range of
actions on the infected computer including downloading further files,
setting registry entries and stealing information from the computer
including from protected storage areas.
Advanced
W32/Tilebot-AA is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorized remote access to the infected computer via IRC channels.
W32/Tilebot-AA spreads to network shares with weak passwords as a
result of the backdoor Trojan element receiving the appropriate
command from a remote user. The worm can spread to unpatched
computers vulnerable to the following exploits:
ASN.1 (MS04-007)
LSASS (MS04-011)
PNP (MS05-039)
RPC-DCOM (MS04-012)
WKS (MS03-049) (CAN-2003-0812)
W32/Tilebot-AA copies itself to the Windows folder with the filename
yimsgr.exe and creates a service named "AOL Instant Messenger" with a
start up type of automatic, causing the service to be run each time
Windows starts.
W32/Tilebot-AA allows a remote user to perform a wide range of
actions on the infected computer including downloading further files,
setting registry entries and stealing information from the computer
including from protected storage areas.
W32/Tilebot-AA attempts to terminate services with the following
names in order to disrupt various security processes including the
Windows firewall and Windows critical updates:
Tlntsvr
RemoteRegistry
Messenger
SharedAccess
wscsvc
W32/Tilebot-AA attempts to set the following registry entries to
disrupt various security processes:
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\
AutoUpdate
AUOptions
1
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restictanonymous
1
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAlloxXPSP2
1
HKLM\SOFTWARE\Microsoft\OLE
EnableDCOM
"N"
W32/Tilebot-AA may also set entries in the registry at the following
locations:
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
W32/Tilebot-AA attempts to remove network shares from the infected
computer, as well as changing the policy for SeNetworkLogonRight for
the computer.
W32/Tilebot-AA may attempt to contact scripts at the following
addresses:
http://cgi14.plala.or.jp
http://hpcgi1.nifty.com
http://www.age.ne.jp
http://www.kinchan.net
http://www2.dokidoki.ne.jp
http://yia.s22.xrea.com
W32/Tilebot-AA creates the file pex.sys and sets up a service for it
named PEX. This file is currently detected as Troj/RKFu-A.
The following registry entries are created as a result of registering
the system services:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AOL_INSTANT_MESSENGER
HKLM\SYSTEM\CurrentControlSet\Services\AOL Instant Messenger
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEX
HKLM\SYSTEM\CurrentControlSet\Services\pex
Name Troj/Bifrose-EO
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Dropped by malware
Aliases
* Backdoor.Win32.Bifrose.eo
Prevalence (1-5) 2
Description
Troj/Bifrose-EO is a Trojan for the Windows platform.
Advanced
Troj/Bifrose-EO is a Trojan for the Windows platform.
When first run Troj/Bifrose-EO copies itself to
\svch0st.exe and creates the file
\plugin1.dat.
Troj/Bifrose-EO may inject its code into a running process in order
to hide from the user.
The following registry entries are created to run svch0st.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SVCH0ST
\SVCH0ST.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SVCH0ST
\SVCH0ST.exe
HKLM\SOFTWARE\Microsoft\Active Setup\Installed
Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
stubpath
\SVCH0ST.exe s
Registry entries are created under:
HKCU\Software\Wget\
Name W32/Agobot-TP
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Agobot-TP is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Agobot-TP spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: PNP (MS05-039) and ASN.1
(MS04-007) and by copying itself to network shares protected by weak
passwords.
W32/Agobot-TP runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Agobot-TP includes functionality to:
- setup a SOCKS4 server
- add/remove net shares on the infected computer
- access the internet and communicate with a remote server via HTTP
- perform port scanning
- carry out DDoS attacks
The following patches for the operating system vulnerabilities
exploited by W32/Agobot-TP can be obtained from the Microsoft website:
MS05-039
MS04-007
Advanced
W32/Agobot-TP is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Agobot-TP spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: PNP (MS05-039) and ASN.1
(MS04-007) and by copying itself to network shares protected by weak
passwords.
W32/Agobot-TP runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Agobot-TP includes functionality to:
- setup a SOCKS4 server
- add/remove net shares on the infected computer
- access the internet and communicate with a remote server via HTTP
- perform port scanning
- carry out DDoS attacks
When first run W32/Agobot-TP copies itself to \svchost32.exe.
The following registry entries are created to run svchost32.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SvcHost
svchost32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
SvcHost
svchost32.exe
Registry entries are set as follows:
HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1
HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
AUOptions
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
0
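The registry values listed for W32/Agobot-TP here, for W32/Tilebot-AA (Security Center overrides, firewall profiles, service Start values, EnableDCOM) and for W32/Mytob-ET (SharedAccess Start = 4) are the kind of thing an incident responder checks from an offline registry export. The following is an added example, not code from the Sophos write-ups or from this post: it parses regedit's "Windows Registry Editor Version 5.00" export format, reports every value that holds the setting the write-ups say the worms apply, and separately lists Run/RunServices entries whose data names one of the image files these write-ups mention. The value table and the filename list are taken from this page; the sample export is constructed.

```python
# Added example (not from the Sophos write-ups or this post): audit a
# regedit export ("Windows Registry Editor Version 5.00" format) for the
# security-weakening values W32/Tilebot-AA, W32/Agobot-TP and W32/Mytob-ET
# set, and for Run-key entries naming image files the write-ups list.
# The export text below is constructed for the demonstration.
import re

HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

# (key, value name, value the worm sets), taken from the write-ups.
TAMPERED = [
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "UpdatesDisableNotify", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", 1),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallOverride", 1),
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile", "EnableFirewall", 0),
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall", 0),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", 1),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc", "Start", 4),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start", 4),
    (r"HKLM\SOFTWARE\Microsoft\OLE", "EnableDCOM", "N"),
]

# Image names the write-ups list under Run keys (matched case-insensitively).
RUN_KEY_IOCS = {"winhost.exe", "spools.exe", "hpmanager.exe", "svch0st.exe",
                "svchost32.exe", "ccapps.exe", "antivirus update.exe"}
RUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")

VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def normalize_key(key: str) -> str:
    """Expand hive abbreviations and lower-case the path (keys are case-insensitive)."""
    hive, sep, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + sep + rest.lower()


def parse_data(raw: str):
    """dword:… becomes an int, "…" becomes an unescaped str, anything else stays text."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def parse_reg(text: str) -> dict:
    """Return {normalized key: {lower-cased value name: data}}."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1].lstrip("-"))
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group("default") else m.group("name")
            reg[current][name.lower()] = parse_data(m.group("data"))
    return reg


def audit_reg(text: str) -> list:
    """List (key, value name, data) for tampered settings, then for Run-key IoC hits."""
    reg = parse_reg(text)
    hits = []
    for key, name, bad in TAMPERED:
        if reg.get(normalize_key(key), {}).get(name.lower()) == bad:
            hits.append((key, name, bad))
    for key in RUN_KEYS:
        for name, data in reg.get(normalize_key(key), {}).items():
            if isinstance(data, str) and any(ioc in data.lower() for ioc in RUN_KEY_IOCS):
                hits.append((key, name, data))
    return hits


# Constructed export: some tampered values, some untouched, one clean Run entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hewlett Packard Manager"="hpmanager.exe"
"SvcHost"="svchost32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""
```

A real export from regedit is UTF-16LE with a byte-order mark, so read it with encoding "utf-16" before handing the text to audit_reg; the parser deliberately ignores hex: and expand-string data, which is enough for the dword and string values the write-ups describe.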
Registry entries are created under:
HKCU\Software\Microsoft\Security Center\
HKLM\SOFTWARE\Microsoft\Security Center\
The following patches for the operating system vulnerabilities
exploited by W32/Agobot-TP can be obtained from the Microsoft website:
MS05-039
MS04-007
Name W32/Kangaroo-B
Type
* Worm
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Virus.Win32.VB.i
* Trojan.Kangenie
Prevalence (1-5) 2
Description
W32/Kangaroo-B is a worm for the Windows platform.
W32/Kangaroo-B monitors windows, looking for ones with title bars
containing text in the format (:) and attempts to copy
itself to these drives with the filename kangen.exe.
Advanced
W32/Kangaroo-B is a worm for the Windows platform.
When first run W32/Kangaroo-B copies itself to:
\ccApps.exe
\winlog
The following registry entry is created to run winword.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApps
\ccApps.exe
The following registry entries may be set, disabling the registry
editor (regedit) and the Windows task manager (taskmgr):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
W32/Kangaroo-B repeatedly copies itself and sets these registry
entries.
W32/Kangaroo-B monitors windows, looking for ones with title bars
containing text in the format (:) and attempts to copy
itself to these drives with the filename kangen.exe.
If opened with a filename of "kangen", W32/Kangaroo-B will drop and
open the file kangen.doc to the Windows system folder which contains
the lyrics to a pop song in Indonesian in an html-formatted document.
W32/Kangaroo-B may set the following registry entry to prevent
certain files from running on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
LoadService =
"Rest In Peace"
Name W32/Erkez-G
Type
* Worm
How it spreads
* Email attachments
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Zafi.g
* W32.Erkez.G{at}mm
Prevalence (1-5) 2
Description
W32/Erkez-G is an email and peer-to-peer worm for the Windows platform.
W32/Erkez-G sends emails in the following format, where the subject
and message are chosen depending upon the email address the worm is
being sent to:
Subject:
msn photo ecard,commercial ecard :))
broma :)),humor :))
rolig reklam :)),haha - rolig :))
witzig reklame :)),witzig bild :D
grappig beeld :)),een grappig reclame :D
blague :)),humour - reclame :))
cherzo :)),comico quadro :))
Message:
ImageFormat:
ImageSize:
Message: you need to see this :))
From:
Date:
AV-Control:
Cuadro/Format:
Cuadro/Medida:
Mensaje: Sexo y humor para pasar un buen rato! :))
Expedidor:
Data:
Control:
Bildform:
Bild/Omfattning:
Meddelande: rolig reklam!! :))
Post:
Datum:
Control:
BildFormat:
Bildabmessung:
Botschaft: eine witzig reklame foto :))
Absender:
Datum:
Kontrolle:
Beeldformaat:
Beeldmaat:
Boodschap: een ontroerend of grappig reclame :))
Afzender:
Datum:
Controle:
Image/Mode:
Image/Taille:
Message: le sexe d'une femme apres l'amour (humour, reclame) :))
Expediteur:
Date:
Verification:
Quadro/Forma:
Quadro/Proporzioni:
Messaggio: comico reclame!! :))
Mittente:
Data:
Controllare:
Attachment:
The attachment name will be created using the following words, with a
.zip file extension:
msn
messenger
commercial
reclame
reklame
reklam
humor
megasztar
humor
photo
pict
imag
dscn
Advanced
W32/Erkez-G is an email and peer-to-peer worm for the Windows platform.
When first run W32/Erkez-G copies itself to any folders it finds
containing the words "musi", "shar", or "uploa", with a name of either
"Adobe Acrobat 8.0 Pro.exe" or "Windows Update Crack.exe", as well as
to the following locations:
\AntiVirus Update.exe
\antivirus_update.exe
\foto5.jpz
The following registry entry is created to run "AntiVirus Update.exe"
on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Zi5
\AntiVirus Update.exe
The worm also creates several files in the Windows system folder with
names of the format .dll. Most of these are clean
data files, and contain logged email details. Some may be copies of
the worm.
The worm searches for email addresses in files with the following
file extensions:
dbx
asp
txt
htm
mbx
wab
php
sht
adb
tbb
inb
pmr
fpt
eml
W32/Erkez-G sends emails in the following format, where the subject
and message are chosen depending upon the email address the worm is
being sent to:
Subject:
msn photo ecard,commercial ecard :))
broma :)),humor :))
rolig reklam :)),haha - rolig :))
witzig reklame :)),witzig bild :D
grappig beeld :)),een grappig reclame :D
blague :)),humour - reclame :))
cherzo :)),comico quadro :))
Message:
ImageFormat:
ImageSize:
Message: you need to see this :))
From:
Date:
AV-Control:
Cuadro/Format:
Cuadro/Medida:
Mensaje: Sexo y humor para pasar un buen rato! :))
Expedidor:
Data:
Control:
Bildform:
Bild/Omfattning:
Meddelande: rolig reklam!! :))
Post:
Datum:
Control:
BildFormat:
Bildabmessung:
Botschaft: eine witzig reklame foto :))
Absender:
Datum:
Kontrolle:
Beeldformaat:
Beeldmaat:
Boodschap: een ontroerend of grappig reclame :))
Afzender:
Datum:
Controle:
Image/Mode:
Image/Taille:
Message: le sexe d'une femme apres l'amour (humour, reclame) :))
Expediteur:
Date:
Verification:
Quadro/Forma:
Quadro/Proporzioni:
Messaggio: comico reclame!! :))
Mittente:
Data:
Controllare:
Attachment:
The attachment name will be created using the following words, with a
.zip file extension:
msn
messenger
commercial
reclame
reklame
reklam
humor
megasztar
humor
photo
pict
imag
dscn
Registry entries are created under the following branch:
HKLM\SOFTWARE\Microsoft\Zi5
The entries under this branch will locate the data and worm files
with the .dll extension.
The following files are also created:
\a.wsf
C:\z.m
C:\m
These are clean data files, and may safely be deleted.
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
SOURCE: echomail via fidonet.ozzmosis.com