[cut-n-paste from sophos.com]
Name W32/Rbot-FWY
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Rbot-FWY is a worm for the Windows platform that include IRC
Backdoor functionality.
W32/Rbot-FWY spreads to other computers by exploiting common buffer
overflow vulnerabilities like SRVSVC(MS06-040) and via network shares
protected by weak passwords.
W32/Rbot-FWY runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Rbot-FWY is a worm for the Windows platform that include IRC
Backdoor functionality.
W32/Rbot-FWY spreads to other computers by exploiting common buffer
overflow vulnerabilities like SRVSVC(MS06-040) and via network shares
protected by weak passwords.
W32/Rbot-FWY runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-FWY copies itself to \2x32.exe and
creates the file \a.bat.
The file a.bat is detected as Troj/Batten-A.
The following registry entries are created to run 2x32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Numerical Xterm Agents
2x32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Numerical Xterm Agents
2x32.exe
W32/Rbot-FWY sets the following registry entries, disabling the
automatic
startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates the
Microsoft
Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
Numerical Xterm Agents
2x32.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableRemoteConnect
N
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server
50
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPerServer
50
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKCR\.key\
Name Troj/NtRootK-AX
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/NtRootK-AX is a backdoor Trojan with rootkit functionality. When
run Troj/NtRootK-AX creates a service with a name identical to the
base filename of the Trojan file.
Troj/NtRootK-AX installs two drivers, xHide.sys and GxNdisHook.sys.
The purpose of the drivers is to hide the presence of malicious
files, registry entries and TCP ports used by malware.
Troj/NtRootK-AX provides the attacker with an interface for the
remote control over the machine.
Name W32/Stratio-BV
Type
* Worm
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Stratio-BV is a worm for the Windows platform.
Advanced
W32/Stratio-BV is a worm for the Windows platform.
When run W32/Stratio-BV copies itself to \.exe. The file D.tmp is also created. This file can be
safely deleted.
W32/Stratio-BV includes functionality to download, install and run
new software.The downloaded file is currently detected as
W32/Strati-Gen.
Name Troj/Zlob-WQ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
Troj/Zlob-WQ is a Trojan for the Windows platform.
Troj/Zlob-WQ includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Zlob-WQ is a Trojan for the Windows platform.
Troj/Zlob-WQ includes functionality to access the internet and
communicate with a remote server via HTTP.
Registry entries are created under:
HKCU\Software\Internet Security\
Name Troj/Agent-DSF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Agent-DSF is a Trojan for the Windows platform.
Troj/Agent-DSF includes functionality to access the internet and
communicate
with a remote server via HTTP.
Advanced
Troj/Agent-DSF is a Trojan for the Windows platform.
Troj/Agent-DSF includes functionality to access the internet and
communicate
with a remote server via HTTP.
When first run Troj/Agent-DSF copies itself to \scvhost.exe
and
creates the file \mswinsck.ocx.
The file mswinsck.ocx is clean and can be deleted.
The following registry entries are created to run scvhost.exe on
startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Active Setup\Installed
Components\(B1B5B0BF-A20B-A600-E040-F0F90BCC201C)
StubPath
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES
Windows Update
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES
msconfig
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES
icq lite
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES
Update Checker
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES
AntiVir
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RUNSERVICES
(default)
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msconfig
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
icq lite
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Update Checker
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AntiVir
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(default)
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Windows Update
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
msconfig
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
icq lite
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Update Checker
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
AntiVir
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
(default)
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
Windows Update
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
msconfig
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
icq lite
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
Update Checker
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
AntiVir
\scvhost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
(default)
\scvhost.exe
The following registry entry is changed to run scvhost.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe scvhost.exe
(the default value for this registry entry is "Explorer.exe" which
causes the
Microsoft file \Explorer.exe to be run on startup).
The file mswinsck.ocx is registered as a COM object, creating
registry entries
under:
HKCR\CLSID\(248DD896-BB45-11CF-9ABC-0080C7E7B78D)
HKCR\CLSID\(248DD897-BB45-11CF-9ABC-0080C7E7B78D)
HKCR\Interface\(248DD892-BB45-11CF-9ABC-0080C7E7B78D)
HKCR\Interface\(248DD893-BB45-11CF-9ABC-0080C7E7B78D)
HKCR\MSWinsock.Winsock\
HKCR\MSWinsock.Winsock.1\
HKCR\TypeLib\(248DD890-BB45-11CF-9ABC-0080C7E7B78D)
The following registry entries are set, disabling the registry editor
(regedit)
and the Windows task manager (taskmgr):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
Name Troj/Dloadr-AQN
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Downloader-AAP
* Win32/TrojanDownloader.Nurech.H
Prevalence (1-5) 2
Description
Troj/Dloadr-AQN is a Trojan for the Windows platform.
Troj/Dloadr-AQN includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Dloadr-AQN includes functionality to download, install and run
new software.
Advanced
Troj/Dloadr-AQN is a Trojan for the Windows platform.
Troj/Dloadr-AQN includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Dloadr-AQN includes functionality to download, install and run
new software.
Registry entries are created under:
HKCU\Software\unker\\main\
Name W32/Stration-CD
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Warezov.dq
* W32/Stration{at}MM
* Win32/Stration
* W32.Stration{at}mm
Prevalence (1-5) 2
Description
W32/Stration-CD is a mass-mailing worm for the Windows platform.
Advanced
W32/Stration-CD is a mass-mailing worm for the Windows platform.
When W32/Stration-CD is installed the following files are created:
\brwconf.exe
\brwmgr32.dll
\brwperf.exe
\brwprf32.dll
\brwstat.dll
\confbrw.dll
The following registry entries are created to run code exported by
brwmgr32.dll
on startup:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\brwmgr
DllName
brwmgr32.dll
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\brwmgr
Impersonate
0
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\brwmgr
Startup
WlxStartup
Name W32/Looked-BA
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Looked-BA is a virus.
W32/Looked-BA infects EXE files found on the infected computer and
attempts to spread to remote network shares with weak passwords.
Advanced
W32/Looked-BA is a virus.
W32/Looked-BA infects EXE files found on the infected computer and
attempts to spread to remote network shares with weak passwords.
The virus includes functionality to access the internet and
communicate with a remote server via HTTP.
When run W32/Looked-BA copies itself to \rundl132.exe and
creates the file \Dll.dll, which is detected as W32/Looked-AP.
Many files with the name "_desktop.ini" are also created, in various
folders on the infected computer. These files are harmless text files.
The following registry entry is created to run rundl132.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name Troj/Zlob-WT
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Zlob-WT is a downloader Trojan for the Windows platform.
Advanced
Troj/Zlob-WT is a downloader Trojan for the Windows platform.
Registry entries are created under:
HKCU\Software\Internet Security
The folder \Brain Codec may also be created.
Name W32/RJump-H
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/RJump-H is a worm for the Windows platform.
W32/RJump-H spreads by coping itself to the available mapped drives
and creating create an "autorun.inf" file which will attempt to load
the worm automatically when the infected drive is accessed.
W32/RJump-H also creates a backdoor, enabling a remote user control
over the infected computer.
Advanced
W32/RJump-H is a worm for the Windows platform.
W32/RJump-H spreads by coping itself to the available mapped drives
and creating create an "autorun.inf" file which will attempt to load
the worm automatically when the infected drive is accessed.
W32/RJump-H also creates a backdoor, enabling a remote user control
over the infected computer.
W32/RJump-H may copy itself to the following filename:
\RavMonE.exe
When installed, W32/RJump-H may create the following registry entry,
enabling it to run automatically on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RavAV
\RavMonE.exe
Name W32/Sohana-B
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* IM-Worm.Win32.Sohanad.e
* W32/YahLover.worm
Prevalence (1-5) 2
Description
W32/Sohana-B is a worm for the Windows platform.
W32/Sohana-B may attempt to spread via instant messaging clients.
W32/Sohana-B includes functionality to download, install and run new
software.
Advanced
W32/Sohana-B is a worm for the Windows platform.
W32/Sohana-B may attempt to spread via instant messaging clients.
W32/Sohana-B includes functionality to download, install and run new
software.
When W32/Sohana-B is installed the following files are created:
\svchost32.exe
\svhost.exe
The following registry entries are created to run svchost32.exe and
svhost.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Task Manager
\svchost32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SVCHOST
\svhost.exe
W32/Sohana-B changes the Start Page for Microsoft Internet Explorer
by setting the registry entry:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
The following registry entries are set, disabling the registry editor
(regedit) and the Windows task manager (taskmgr):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
Homepage
1
Registry entries are created under the following that help the worm
spread via Yahoo Messenger :
HKCU\Software\Yahoo\Pager\View\YMSGR_Launchcast\
HKCU\Software\Yahoo\Pager\View\YMSGR_buzz\
Name W32/Newurg-A
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Small.dam
Prevalence (1-5) 2
Description
W32/Newurg-A is a worm for the Windows platform.
W32/Newurg-A includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Newurg-A is a worm for the Windows platform.
W32/Newurg-A includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Newurg-A copies itself to \.exe and creates the file \.exe.
The file \.exe is detected as
Troj/Dloadr-AQQ.
The following registry entries are created to run nordsys.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Nord
\.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Nord
\.exe
W32/Newurg-A sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Name W32/Stratio-CF
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 2
Description
W32/Stratio-CF is a worm for the Windows platform.
When run W32/Stratio-CF creates a file with a random filename in the
Windows System folder. This file is currently detected as
W32/Strati-Gen.
Name Troj/Dloadr-AQS
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Dloadr-AQS is a downloader Trojan for the Windows platform.
Advanced
Troj/Dloadr-AQS is a downloader Trojan for the Windows platform.
Troj/Dloadr-AQS may create the following filename:
\gkjnr.conf - this may be deleted
When first run Troj/Dloadr-AQS may inject code into "services.exe"
and set the following registry entry:
Software\Microsoft\Windows\CurrentVersion\Run
WinUpdate
Name Troj/Bckdr-PQP
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
* Used in DOS attacks
* Leaves non-infected files on computer
Aliases
* Backdoor.Win32.Delf.we
* Backdoor.Win32.Agent.fs
Prevalence (1-5) 2
Description
Troj/Bckdr-PQP is a backdoor Trojan for the Windows platform.
Advanced
Troj/Bckdr-PQP is a backdoor Trojan for the Windows platform.
When first run Troj/Bckdr-PQP copies itself to \msvce.exe and
creates the following files:
\Deleteme.bat
\dllhosts.dll
The file \dllhosts.dll is also detected as Troj/Bckdr-PQP.
The Trojan inserts this file into Iexplore.exe process space.
The file \Deleteme.bat is a batch script that contains
instructions to delete the Trojan host once it is installed. This
file may be safely deleted.
The following registry entry is changed to run msvce.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe \msvce.exe
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file \Explorer.exe to be run on startup).
Name W32/Bagle-QS
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Bagle-QS is a worm for the Windows platform.
W32/Bagle-QS emails itself in an encrypted zip file to addresses
found on the users computer.
Emails sent by the worm have the following characteristics:
Subject line chosen from:
new
price
price_
price_new
Message text chosen from:
It Is Protected
Passwrd:
thank you !!!
Passwrd:
New year's discounts
Passwrd:
The attached file is named:
new_price.zip
price_list.zip
latest_price.zip
is the date the email was sent in the following format
30-Nov-2006.
The zip file is detected as W32/Bagle-Zip.
Advanced
W32/Bagle-QS is a worm for the Windows platform.
W32/Bagle-QS emails itself in an encrypted zip file to addresses
found on the users computer.
Emails sent by the worm have the following characteristics:
Subject line chosen from:
new
price
price_
price_new
Message text chosen from:
It Is Protected
Passwrd:
thank you !!!
Passwrd:
New year's discounts
Passwrd:
The attached file is named:
new_price.zip
price_list.zip
latest_price.zip
is the date the email was sent in the following format
30-Nov-2006.
The zip file is detected as W32/Bagle-Zip.
The zip file is password protected with a 6 digit password which is
embedded in the email as an image.
When first run W32/Bagle-QS copies itself to:
\Application Data\hidn\hidn2.exe
\Application Data\hidn\hldrrr.exe
W32/Bagle-QS attempts to disable anti-virus and security software and
contains functionality to download and run further software.
Name W32/Stratio-CF
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 2
Description
W32/Stratio-CF is a worm for the Windows platform.
When run W32/Stratio-CF creates a file with a random filename in the
Windows System folder. This file is currently detected as
W32/Strati-Gen.
Name W32/Looked-BB
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Looked-BB is a prepending virus and worm for the Windows platform.
Advanced
W32/Looked-BB is a prepending virus and worm for the Windows platform.
W32/Looked-BB spreads to other network computers.
W32/Looked-BB includes functionality to access the internet and
communicate with a remote server via HTTP. W32/Looked-BB may attempt
to download and execute additional files from a remote location.
When first run W32/Looked-BB copies itself to
\uninstall\rundl132.exe and creates the file
\RichDll.dll. The file RichDll.dll is also detected as
W32/Looked-BB.
W32/Looked-BB may also create many files with the name "_desktop.ini"
are created, in various folders on the infected computer. These files
are harmless text files and can be deleted.
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
\uninstall\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name Troj/QQRob-ABD
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Steals information
* Uses its own emailing engine
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.QQRob.il
* BackDoor-AWQ
Prevalence (1-5) 2
Description
Troj/QQRob-ABD is a password stealing Trojan for the Windows platform.
Troj/QQRob-ABD includes functionality to
- send notification messages to remote locations.
- terminate processes related to anti-virus software.
Advanced
Troj/QQRob-ABD is a password stealing Trojan for the Windows platform.
Troj/QQRob-ABD includes functionality to
- send notification messages to remote locations.
- terminate processes related to anti-virus software.
When first run Troj/QQRob-ABD copies itself to:
\Microsoft Shared\msinfo\.dat
\help\wshmcepts.chm
and creates the file \Microsoft
Shared\msinfo\.dll
where is a random 8-character string. This file is also
detected as Troj/QQRob-ABD.
The file .dll is registered as a COM object and
ShellExecute hook,
creating registry entries under:
HKCR\CLSID\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ShellExecuteHooks
Name W32/Bagle-QT
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Win32/Bagle
* Bloodhound.Beagle
Prevalence (1-5) 2
Description
W32/Bagle-QT is an email worm for the Windows platform.
W32/Bagle-QT emails itself in an encrypted zip file to addresses
found on the users computer.
Emails sent by the worm have the following characteristics:
Subject line chosen from:
new
price
price_
price_new
Message text chosen from:
It Is Protected
Passwrd:
thank you !!!
Passwrd:
New year's discounts
Passwrd:
The attached file is named:
new_price.zip
price_list.zip
latest_price.zip
is the date the email was sent in the following format
01-Dec-2006.
Advanced
W32/Bagle-QT is an email worm for the Windows platform.
W32/Bagle-QT emails itself in an encrypted zip file to addresses
found on the user's computer.
Emails sent by the worm have the following characteristics:
Subject line chosen from:
new
price
price_
price_new
Message text chosen from:
It Is Protected
Passwrd:
thank you !!!
Passwrd:
New year's discounts
Passwrd:
The attached file is named:
new_price.zip
price_list.zip
latest_price.zip
is the date the email was sent in the following format
01-Dec-2006.
The zip file is detected as W32/Bagle-Zip.
The zip file is password protected with a 6 digit password which is
embedded in the email as an image. The image file displays a 5 digit
password.
W32/Bagle-QT copies itself to the hidden file \hidn\hidn.exe and drops the hidden file \hidn\m_hook.sys, also detected as W32/Bagle-QT, which it uses
to stealth itself from certain processes including AV applications.
The file \hidn\m_hook.sys is registered as a new
system driver service named "m_hook". Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\
W32/Bagle-QT attempts to terminate and disable a number of services
related to security and anti-virus applications.
The first time it is run, W32/Bagle-QT drops the clean file
C:\error.gif and opens it. This is an image of the word "Error".
W32/Bagle-QT drops the file C:\temp.zip which contains an encrypted
zip of itself.
W32/Bagle-QT attempts to download a file from a number of remote
websites to \re_file.exe and then execute it.
W32/Bagle-QT attempts to delete the following registry entry in order
to disrupt booting into Safe Mode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
W32/Bagle-QT creates the following registry entry the first time it
is run:
HKCU\Software\FirstRun
FirstRun
1
where will vary.
Name W32/Poebot-JD
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.PoeBot.j
* W32/Poebot.BO{at}bd
Prevalence (1-5) 2
Description
W32/Poebot-JD is a worm with IRC Backdoor functionality for the
Windows platform.
W32/Poebot-JD spreads
- to computers vulnerable to common exploits, including: LSASS
(MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), Dameware
(CAN-2003-1030) and PNP (MS05-039)
- to network shares protected by weak passwords
W32/Poebot-JD runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Poebot-JD is a worm with IRC Backdoor functionality for the
Windows platform.
W32/Poebot-JD spreads
- to computers vulnerable to common exploits, including: LSASS
(MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), Dameware
(CAN-2003-1030) and PNP (MS05-039)
- to network shares protected by weak passwords
W32/Poebot-JD runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Poebot-JD copies itself to \explorer.exe.
The following registry entry is created to run W32/Poebot-JD on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Explorer
\explorer.exe
Name W32/Pardona-C
Type
* Virus
How it spreads
* Email messages
* Infected files
Affected operating systems
* Windows
Side effects
* Drops more malware
* Uses its own emailing engine
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Pardona-C is a virus for the Windows platform.
The virus attempts to infect EXE files, and to modify HTM and ASP
files so that they silently download from a remote webiste.
W32/Pardona-C may spread to other network computers and may also
spread via email.
W32/Pardona-C also includes functionality to download, install and
run new software.
W32/Pardona-C installs a rootkit detected as Troj/Pardot-B.
Infected HTM and ASP files are detected as Troj/Psyme-DO.
Advanced
W32/Pardona-C is a virus for the Windows platform.
The virus attempts to infect EXE files, and to modify HTM and ASP
files so that they silently download from a remote webiste.
W32/Pardona-C may spread to other network computers and may also
spread via email.
W32/Pardona-C also includes functionality to download, install and
run new software.
When first run W32/Pardona-C copies itself to \ePower.exe and to
several files of the form
\
Each of these files is either identical to, or slight variants of,
the original file. All will be detected as W32/Pardona-C.
The virus also creates the file C:\WINDOWS\System32\.sys
This SYS file is registered as a new system driver service named
"SysDrver", with a display name of "System SSDP Services".
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\SysDrver\
The SYS file, which is detected as Troj/Pardot-B, uses stealth
functionality to hide processes created by W32/Pardona-C.
Infected HTM and ASP files are detected as Troj/Psyme-DO.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 379/1 633/267
|