echo: virus_info
to: ALL
from: KURT WISMER
date: 2006-12-31 17:40:00
subject: News, December 31 2006

[cut-n-paste from sophos.com]

Name   W32/Rbot-FZE

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Rbot.bng

Prevalence (1-5) 2

Description
W32/Rbot-FZE is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Rbot-FZE spreads to other network computers by:
- exploiting common buffer overflow vulnerabilities, including LSASS 
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039), 
ASN.1 (MS04-007) and RealVNC (CVE-2006-2369) and
- networks protected by weak passwords

Advanced
W32/Rbot-FZE is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Rbot-FZE spreads to other network computers by:
- exploiting common buffer overflow vulnerabilities, including LSASS 
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039), 
ASN.1 (MS04-007) and RealVNC (CVE-2006-2369) and
- networks protected by weak passwords

W32/Rbot-FZE runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When run W32/Rbot-FZE copies itself to \winlogz2.exe and sets 
the following registry entries to run itself on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Services Layer
\winlogz2.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Services Layer
\winlogz2.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Services Layer
\winlogz2.exe

W32/Rbot-FZE also sets the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
\winlogz2.exe
\winlogz2.exe:*:Enabled:Windows Services Layer

W32/Rbot-FZE includes functionality to:
- access the internet and communicate with a remote server via HTTP
- set up a SOCKS4 server
- record keystrokes
- perform DDoS attacks
- steal information





Name   Troj/StraDl-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/StraDl-B is a downloader Trojan for the Windows platform.

When run Troj/StraDl-B attempts to download a file from a remote 
website and run it. This file is currently detected as W32/Strati-Gen.





Name   Troj/StraDl-C

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Email-Worm.Win32.Warezov.jj

Prevalence (1-5) 2

Description
Troj/StraDl-C is a downloader Trojan for the Windows platform.

Troj/StraDl-C includes functionality to download, install and run new 
software.





Name   W32/Fujacks-A

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Delf.bd
    * W32/Fujacks

Prevalence (1-5) 2

Description
W32/Fujacks-A is a prepending virus for the Windows platform.

The virus can also spread to network shares and has backdoor 
functionality.

Advanced
W32/Fujacks-A is a prepending virus for the Windows platform.

The virus can also spread to network shares and has backdoor 
functionality.

W32/Fujacks-A runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Fujacks-A includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Fujacks-A copies itself to 
\drivers\spoclsv.exe.

The following registry entry is created to run spoclsv.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svcshare
\drivers\spoclsv.exe

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0





Name   W32/Rbot-FZO

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Scans network for vulnerabilities
    * Scans network for weak passwords
    * Scans network for open ports

Prevalence (1-5) 2

Description
W32/Rbot-FZO is a worm for the Windows platform.

W32/Rbot-FZO runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-FZO spreads to computers vulnerable to common exploits, 
including RPC-DCOM (MS04-012) and ASN.1 (MS04-007), and via network 
shares.

Advanced
W32/Rbot-FZO is a worm for the Windows platform.

W32/Rbot-FZO runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-FZO spreads to computers vulnerable to common exploits, 
including RPC-DCOM (MS04-012) and ASN.1 (MS04-007), and via network 
shares.

When first run W32/Rbot-FZO copies itself to \jamesbond.exe.

The following registry entries are created to run jamesbond.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Casino Royale
\jamesbond.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Casino Royale
\jamesbond.exe

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
\System32\jamesbond.exe
\jamesbond.exe:*:Enabled:Casino Royale

The following registry entry is set:

HKCU\Software\Microsoft\OLE
Casino Royale
\jamesbond.exe





Name   W32/Rbot-FZQ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Rbot-FZQ is a network worm for the Windows platform.

W32/Rbot-FZQ spreads
- to computers vulnerable to common exploits, including: LSASS 
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039), 
ASN.1 (MS04-007) and RealVNC (CVE-2006-2369)
- to network shares protected by weak passwords

W32/Rbot-FZQ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-FZQ is a network worm for the Windows platform.

W32/Rbot-FZQ spreads
- to computers vulnerable to common exploits, including: LSASS 
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039), 
ASN.1 (MS04-007) and RealVNC (CVE-2006-2369)
- to network shares protected by weak passwords

W32/Rbot-FZQ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-FZQ copies itself to \winl0g0.exe.

The following registry entries are created to run winl0g0.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Services Layer
\winl0g0.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Services Layer
\winl0g0.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Services Layer
\winl0g0.exe

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
\winl0g0.exe
\winl0g0.exe:*:Enabled:Windows Services Layer





Name   Troj/FeebDl-AA

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Downloads code from the internet

Aliases  
    * JS/Feebs.gen.p{at}MM

Prevalence (1-5) 2

Description
Troj/FeebDl-AA is a downloader Trojan for the Windows platform.

Advanced
Troj/FeebDl-AA is a downloader Trojan for the Windows platform.

Troj/FeebDl-AA attempts to download and execute a number of files 
from remote websites to C:\Recycled\userinit.exe, sometimes also 
copying it to the startup folder. These files are currently detected 
as Mal/Packer.

Troj/FeebDl-AA attempts to set the following registry entry:

HKLM\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}
Stubpath
C:\Recycled\userinit.exe

Troj/FeebDl-AA attempts to terminate a number of services related to 
security and anti-virus applications.

Troj/FeebDl-AA has been seen sent in spam containing a "pump and 
dump" stock GIF image and random message text.





Name   W32/Dref-U

Type  
    * Virus

How it spreads  
    * Email attachments
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Dref-U is a virus with mass-mailing capability for the Windows 
platform.

W32/Dref-U spreads to other network computers and via email.

W32/Dref-U includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Dref-U is a virus with mass-mailing capability for the Windows 
platform.

W32/Dref-U spreads to other network computers and via email.

W32/Dref-U includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Dref-U copies itself to \ppl.exe and 
creates the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
agent
\ppl.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
agent
\ppl.exe

W32/Dref-U sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

W32/Dref-U may also attempt to drop a randomly named file into the 
current folder and run it. This file is detected by Sophos as 
Troj/Dloadr-ANE.

Files infected by W32/Dref-U are detected by Sophos as W32/Dref-L.





Name   W32/Agobot-AHT

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * W32/Sdbot.worm.gen.t

Prevalence (1-5) 2

Description
W32/Agobot-AHT is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Agobot-AHT runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Agobot-AHT is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Agobot-AHT runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Agobot-AHT copies itself to \wcsntfy.exe.

The following registry entries are created to run wcsntfy.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft
wcsntfy.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
wcsntfy.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
wcsntfy.exe





Name   W32/Dref-V

Type  
    * Virus

How it spreads  
    * Email messages
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Tibs.jy
    * Win32/Nuwar.M

Prevalence (1-5) 2

Description
W32/Dref-V is a virus for the Windows platform.

W32/Dref-V spreads to other network computers and via email.

W32/Dref-V includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Dref-V is a virus with mass-mailing capability for the Windows 
platform. Files infected by W32/Dref-V are detected by Sophos as 
W32/Dref-L.

W32/Dref-V spreads to other network computers and via email.

W32/Dref-V sends emails with a subject line of "Happy New Year!" and 
an attachment named postcard.exe.

W32/Dref-V includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Dref-V copies itself to \alsys.exe and 
creates the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Agent
\alsys.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Agent
\alsys.exe

W32/Dref-V sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

W32/Dref-V may also attempt to drop a randomly named file into the 
current folder and run it. This file is detected by Sophos as 
W32/Dref-V.





Name   Troj/Agent-DYG

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Agent-DYG is a Trojan for the Windows platform.

Advanced
Troj/Agent-DYG is a Trojan for the Windows platform.

When first run Troj/Agent-DYG copies itself to \logmen.exe.

The following registry entry is created to run logmen.exe on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(32E79AE2-96C6-7A4B-0407-050408030200)
StubPath
\logmen.exe

 
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 www.docsplace.tzo.com (1:123/140)
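An added example, not part of the post or of the Sophos descriptions it quotes: a read-only PowerShell audit of the persistence and firewall locations the descriptions above name (the Run/RunServices values, the Windows Firewall AuthorizedApplications list, the SharedAccess Start value and Active Setup StubPath). The file and value names are taken from the descriptions; the script itself is my assumption and only reports findings, it does not remove anything.

```powershell
# Added audit script (assumption, not Sophos's or the poster's code).
# Indicators below are the file and value names quoted in the descriptions.
$suspectFiles = @('winlogz2.exe', 'spoclsv.exe', 'jamesbond.exe', 'winl0g0.exe',
                  'wcsntfy.exe', 'ppl.exe', 'alsys.exe', 'logmen.exe', 'userinit.exe')
$suspectValueNames = @('Windows Services Layer', 'svcshare', 'Casino Royale', 'agent')
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices')
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$findings = @()

function Leaf([string]$s) { Split-Path -Leaf ($s.Trim('"').Split(':*')[0]) }

# 1. Run / RunServices autostart values (Rbot, Fujacks, Agobot, Dref entries above).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata
        if ($suspectValueNames -contains $p.Name -or
            $suspectFiles -contains (Leaf ([string]$p.Value))) {
            $findings += "Autostart: $key\$($p.Name) = $($p.Value)"
        }
    }
}
# 2. Firewall exceptions the Rbot variants add (value name is the program path).
if (Test-Path $fwList) {
    foreach ($p in (Get-ItemProperty -Path $fwList).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        if ($suspectFiles -contains (Leaf $p.Name)) {
            $findings += "Firewall exception: $($p.Name) -> $($p.Value)"
        }
    }
}
# 3. SharedAccess Start=4, the change Dref-U/Dref-V make to disable ICF.
$sa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess' -ErrorAction SilentlyContinue
if ($sa -and $sa.Start -eq 4) { $findings += 'SharedAccess service Start=4 (ICF autostart disabled)' }
# 4. Active Setup StubPath entries (FeebDl-AA, Agent-DYG) pointing at dropped files.
Get-ChildItem $activeSetup -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $suspectFiles -contains (Leaf ([string]$stub))) {
        $findings += "Active Setup StubPath: $($_.PSChildName) -> $stub"
    }
}
if ($findings.Count -eq 0) { 'No listed persistence indicators found.' } else { $findings }
```

Run it in an elevated PowerShell session so the HKLM keys are readable; a hit on the generic "agent" value name should be confirmed against the file path before acting on it.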

SOURCE: echomail via fidonet.ozzmosis.com
