echo: virus_info
to: ALL
from: KURT WISMER
date: 2006-04-29 18:53:00
subject: News, April 29 2006

[cut-n-paste from sophos.com]

Name   W32/Forbot-GI

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Forbot-GI is a worm and backdoor for the Windows platform.

W32/Forbot-GI includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
When first run W32/Forbot-GI copies itself to \drivers\ntndis.exe and creates the file \drivers\ntndis.sys.

The following registry entry is changed to run ntndis.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe \drivers\ntndis.exe

(the default value for this registry entry is "Explorer.exe", which 
causes the Microsoft file \Explorer.exe to be run on startup).

The file ntndis.sys is a rootkit detected by Sophos's anti-virus 
products as Troj/RKProc-F. Ntndis.sys is registered as a new system 
driver service named "ntndis", with a display name of "ntndis" and a 
startup type of automatic, so that it is started automatically during 
system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\ntndis\





Name   W32/Bagle-GY

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Uses its own emailing engine
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Bagle-GY is a mass-mailing worm for the Windows platform.

W32/Bagle-GY may send email messages with blank message text and 
non-Roman subject lines.

Advanced
W32/Bagle-GY includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Bagle-GY copies itself to \csrss.exe and 
creates the file \Message.hta.

The following registry entry is changed to run W32/Bagle-GY on startup 
(an Image File Execution Options "Debugger" value makes Windows launch 
the named program in place of explorer.exe whenever explorer.exe is 
started):

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
\csrss.exe





Name   Troj/BankSnif-J

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Banker.atw

Prevalence (1-5) 2

Description
Troj/BankSnif-J is a Trojan for the Windows platform.

Troj/BankSnif-J includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
When first run Troj/BankSnif-J copies itself to \order_????.exe 
and creates the file \order_????.bin where ???? is a sequence 
of randomly chosen four letters.

The following registry entry is created to run order_????.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
order_Shell
\order_????.exe





Name   W32/Kassbot-O

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Kassbot-O is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Kassbot-O runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
When first run W32/Kassbot-O copies itself to \

The following registry entries are created to run the worm on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Anti-Virus


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Anti-Virus


Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
Microsoft Anti-Virus


HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/Bdoor-AAB

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer

Aliases  
    * Backdoor.Win32.Delf.nz

Prevalence (1-5) 2

Description
Troj/Bdoor-AAB is a backdoor Trojan for the Windows platform.





Name   W32/Brontok-AI

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Brontok.n
    * W32/Rontokbro.gen{at}MM
    * Win32/Pazetus.L
    * W32.Rontokbro.Z{at}mm
    * WORM_RONTKBR.GEN

Prevalence (1-5) 2

Description
W32/Brontok-AI is a mass-mailing worm for the Windows platform.

W32/Brontok-AI sends itself to email addresses found on the infected 
computer.

Emails sent by the worm have the following characteristics:

From:
angelina_ph{at}
or
jennifer_sh{at}

If the recipient's address is Indonesian:

Subject line:
Fotoku yg Paling Cantik

Message text:

Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.

Thanks

For all other addresses:

Subject:

My Best Photo

Message text:

Hi,
I want to share my photo with you.
Wishing you all the best.

Regards,

Attached file:

Photo.zip

The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat 
runs Photo.bmp. Photo.bmp is an executable (currently detected as 
Troj/Dloadr-ADW) which attempts to download and execute a copy of the 
worm from a preconfigured website. At the time of writing, this 
website was unavailable.
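The attachment pattern just described (a file with an image extension 
that is really a Windows executable, plus a batch file in the same 
archive that launches it) can be checked mechanically before the 
archive reaches a user. The following is an added example written for 
this post, not Sophos's code and not taken from the worm. The archive 
it inspects is built in memory from constructed stand-ins: the real 
View-Photo.bat contents are not given above, so the sample batch file 
simply names Photo.bmp, and the "executable" is only an MZ/PE header, 
not a runnable program.

```python
"""Inspect a zip attachment for the Brontok-AI pattern: an image-named
member that is really a PE file, and a script that launches it."""
import io
import zipfile

IMAGE_EXTS = {"bmp", "jpg", "jpeg", "gif", "png"}
SCRIPT_EXTS = {"bat", "cmd", "vbs", "js", "pif", "scr", "exe", "com"}
# (magic bytes, kind) pairs tried in order against the first 16 bytes.
MAGICS = [(b"MZ", "pe"), (b"BM", "bmp"), (b"\x89PNG", "png"),
          (b"\xff\xd8", "jpeg"), (b"GIF8", "gif")]


def build_zip(files):
    """Build an in-memory zip from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed DOS/PE stub: "MZ", e_lfanew at offset 0x3C pointing at
# "PE\0\0". It is a header only, not a program that could run.
FAKE_PE = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
# A bitmap signature is all the sniffer needs for the clean case.
REAL_BMP = b"BM" + b"\x00" * 12

# Constructed stand-in for Photo.zip (the real batch file's contents are
# not given on the page) and a clean archive for comparison.
SAMPLE_ZIP = build_zip({
    "View-Photo.bat": b"@echo off\r\nstart Photo.bmp\r\n",
    "Photo.bmp": FAKE_PE,
})
CLEAN_ZIP = build_zip({"Photo.bmp": REAL_BMP})


def sniff(data):
    """Classify content by leading bytes, ignoring the file name."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_zip(blob):
    """Return findings: extension/content mismatches, and scripts that
    name another member of the same archive (the launcher pattern)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        for name in names:
            data = z.read(name)
            ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
            kind = sniff(data[:16])
            if ext in IMAGE_EXTS and kind == "pe":
                findings.append(f"{name}: .{ext} extension but PE executable content")
            if ext in SCRIPT_EXTS:
                body = data.decode("latin-1").lower()
                launched = [n for n in names if n != name and n.lower() in body]
                if launched:
                    findings.append(f"{name}: script references {', '.join(launched)}")
    return findings


if __name__ == "__main__":
    for finding in inspect_zip(SAMPLE_ZIP):
        print(finding)
```

The check deliberately trusts magic bytes over the extension, because 
the extension is exactly what the worm lies about; a gateway that only 
blocks .exe attachments lets Photo.bmp straight through.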

Advanced
When W32/Brontok-AI is installed it copies itself to the following 
locations:

\Local Settings\Application Data\dv\yesbron.com
\Local Settings\Application Data\jalak--bali.com
\n\b.exe
\n\c.bron.tok.txt
\n\csrss.exe
\n\lsass.exe
\n\services.exe
\n\smss.exe
\n\svr.exe
\n\winlogon.exe
\c_.com
\j.exe
\o.exe
\_default.pif
\\ib.exe

where  etc. are randomly-chosen numbers.

W32/Brontok-AI installs the following files:

\Baca Bro !!!.txt
\Tasks\At1.job
\Tasks\At2.job

The .job files each contain a scheduled task, instructing Windows to 
execute the installed copies of the worm once per day.

The .txt file, when opened, will cause the worm to display the 
following message:

######################### BRONTOK.C[22] #########################

-- Hentikanlah kebobrokan di negeri ini --

1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
( Send To NUSAKAMBANGAN )

2. Stop Free Sex, Aborsi, & Prostitusi
( Go To HELL )

3. Stop Pencemaran Alam, Pembakaran Hutan & Perburuan Liar.

4. SAY NO TO DRUGS !!!

-- Spizaetus Cirrhatus --

[ By JowoBot ]

+++++0000++++00000++++0000+++0+++++0++0000000+++0000+++0+++0+++++
+++++0++++0++0++++0++0++++0++00++++0+++++0+++++0++++0++0++0++++++
+++++0++++0++0++++0++0++++0++0+0+++0+++++0+++++0++++0++0+0+++++++
+++++00000+++00000+++0++++0++0++0++0+++++0+++++0++++0++00++++++++
+++++0++++0++0++0++++0++++0++0+++0+0+++++0+++++0++++0++0+0+++++++
+++++0++++0++0+++0+++0++++0++0++++00+++++0+++++0++++0++0++0++++++
+++++0000++++0++++0+++0000+++0+++++0+++++0++++++0000+++0+++0+++++

~~ Sedikit Jawaban u/ Membungkam Mulut Sesumbar 'Mereka' ~~

Nobron & Romdil = Otak Kosong, Mulut Besar, Cuma Bisa

Nobron = Satria Dungu = Nothing !!!

Romdil = Tukang Jiplak = Nothing !!!

Nobron & Romdil -->> Kicked by The Amazing Brontok

[ By JowoBot ]

W32/Brontok-AI closes windows whose titles contain any of the 
following:

ahnlab
alwil
anti
avg
avira
b.e
bitdef
BROWNIES
bugil
cewe
cillin
CLEANER
cmd.exe
command prompt
commander
computer management
ertanto
folder option
group policy
hijack
kaspersky
killbox
killer
mcafee
movzx
naked
nod32
norman
norton
pc-media
pcmedia
peid
porn
PROCESS EXP
registry
REMOVER
robknot
rontok
rontox
scheduled task
sex
symantec
SYSINTERNAL
system configuration
task manager
task view
telanjang
trendmicro
trojan
virus
washer
windows script
wintask
worm

W32/Brontok-AI adds entries to the system HOSTS file to prevent 
access to security-related domains.

W32/Brontok-AI may install a new version of the file \msvbvm60.dll.

The following registry entries are created to run the installed 
copies of the worm on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run

\Local Settings\Application Data\dv\yesbron.com

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run

\_default.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

\n\svr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

\j.exe

The following registry entries are changed to run j6321422.exe and 
o4321427.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "\o.exe"

(the default value for this registry entry is "Explorer.exe", which 
causes the Microsoft file \Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\.exe

(the default value for this registry entry is
"\System32\userinit.exe,").

The following registry entry is set, disabling the registry editor 
(regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows (hiding hidden and super-hidden 
files and file extensions in Windows Explorer, so the worm's copies 
are harder to spot):

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

Registry entries are created under:

HKCU\Software\Brontok\





Name   W32/Feebs-T

Type  
    * Worm

How it spreads  
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Feebs.dh
    * Infection:

Prevalence (1-5) 2

Description
W32/Feebs-T is a worm for the Windows platform.

Advanced
When run, W32/Feebs-T will create the file C:\Recycled\userinit.exe 
which is detected as W32/Feebs-Gen.





Name   W32/Tilebot-EO

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.xd

Prevalence (1-5) 2

Description
W32/Tilebot-EO is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-EO spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812), PNP 
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx) 
and by copying itself to network shares protected by weak passwords.

W32/Tilebot-EO runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

The following patches for the operating system vulnerabilities 
exploited by W32/Tilebot-EO are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx

Advanced
When first run W32/Tilebot-EO copies itself to \eltsass.exe.

The file eltsass.exe is registered as a new system driver service 
named "Windows Internet Services", with a display name of "Windows 
Internet Services" and a startup type of automatic, so that it is 
started automatically during system startup. Registry entries are 
created under:

HKLM\SYSTEM\CurrentControlSet\Services\Windows Internet Services\

W32/Tilebot-EO sets the following registry entries, disabling the 
automatic startup of the Messenger, Remote Registry and Telnet 
services (a Start value of 4 marks a service as disabled):

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows (DoNotAllowXPSP2 blocks delivery 
of Windows XP Service Pack 2 through Automatic Updates; disabling DCOM 
and restricting anonymous access are hardening settings that also shut 
out rival worms using the same RPC and null-session paths):

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\

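The entries so far share a small set of registry techniques: the 
Winlogon Shell and Userinit values (W32/Forbot-GI, W32/Brontok-AI), an 
Image File Execution Options Debugger value (W32/Bagle-GY), 
Run/RunServices/Policies\Explorer\Run entries (W32/Kassbot-O, 
W32/Brontok-AI), a policy that disables regedit (W32/Brontok-AI), 
services forced to Start=4 and the EnableDCOM and restrictanonymous 
values (W32/Kassbot-O, W32/Tilebot-EO). The script below is an added 
example written for this post, not Sophos's tooling: it parses a 
regedit export and reports every deviation from the stock values. The 
.reg text it parses is a constructed sample, the C:\WINDOWS paths and 
wormcopy.exe in it are assumptions, and the same checks cover the Run 
and Policies\System entries in the descriptions that follow.

```python
# Audit a regedit (.reg) export for the startup and lockdown changes
# described in this post. Added example, not Sophos's tooling.
import re

# Constructed sample export; the C:\WINDOWS paths are assumptions.
# One value per technique, so every check below fires exactly once.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\drivers\\ntndis.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\o4321427.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Anti-Virus"="C:\\WINDOWS\\system32\\wormcopy.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

HKLM, HKCU = "hkey_local_machine", "hkey_current_user"
WINLOGON = HKLM + r"\software\microsoft\windows nt\currentversion\winlogon"
IFEO = HKLM + r"\software\microsoft\windows nt\currentversion\image file execution options" + "\\"
SERVICES = HKLM + r"\system\currentcontrolset\services" + "\\"
RUN_KEYS = [hive + path for hive in (HKLM, HKCU) for path in (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runservices",
    r"\software\microsoft\windows\currentversion\policies\explorer\run")]
POLICIES_SYSTEM = HKCU + r"\software\microsoft\windows\currentversion\policies\system"
OLE = HKLM + r"\software\microsoft\ole"
LSA = HKLM + r"\system\currentcontrolset\control\lsa"
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Return {key: {value_name: value}} for a .reg export. REG_SZ is
    unescaped, REG_DWORD becomes int, other types stay as raw text.
    Keys and names are lowercased because the registry ignores case."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = (m.group(1) if m.group(1) is not None else "@").lower()
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


def audit_reg(text):
    """Return human-readable findings for one .reg export."""
    keys = parse_reg(text)

    def get(key, name):
        return keys.get(key, {}).get(name)

    findings = []
    # Winlogon\Shell: stock value is exactly "Explorer.exe"; Forbot-GI
    # and Brontok-AI append their own program to it.
    shell = get(WINLOGON, "shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell = {shell!r}, expected 'Explorer.exe'")
    # Winlogon\Userinit: stock value is one entry, <System>\userinit.exe,
    # with a trailing comma; Brontok-AI appends a second executable.
    userinit = get(WINLOGON, "userinit")
    if userinit is not None:
        parts = [p.strip() for p in userinit.split(",") if p.strip()]
        if len(parts) != 1 or not parts[0].lower().endswith("\\userinit.exe"):
            findings.append(f"Winlogon Userinit = {userinit!r}, extra entries")
    # IFEO <exe>\Debugger: Windows starts the "debugger" instead of <exe>
    # (Bagle-GY hooks explorer.exe). Legitimate only on developer boxes.
    for key, values in keys.items():
        if key.startswith(IFEO) and "debugger" in values:
            findings.append(f"IFEO Debugger for {key[len(IFEO):]} = {values['debugger']!r}")
    # Run, RunServices, Policies\Explorer\Run: every value is a startup
    # program, so list them all for review.
    for run_key in RUN_KEYS:
        for name, cmd in keys.get(run_key, {}).items():
            findings.append(f"Startup entry {name!r} = {cmd!r} in {run_key}")
    # Policies that take tools away from the user (regedit, Task Manager).
    for name in ("disableregistrytools", "disabletaskmgr"):
        if get(POLICIES_SYSTEM, name) == 1:
            findings.append(f"{name} = 1")
    # Services forced to Start=4 (disabled), as Tilebot-EO does.
    for key, values in keys.items():
        if key.startswith(SERVICES) and values.get("start") == 4:
            findings.append(f"Service {key[len(SERVICES):]} disabled (Start=4)")
    # Lockout values bots set to keep rival worms out (Kassbot-O,
    # Tilebot-EO); also legitimate hardening, so only meaningful together
    # with the findings above.
    if str(get(OLE, "enabledcom")).upper() == "N":
        findings.append("EnableDCOM = N")
    if get(LSA, "restrictanonymous") == 1:
        findings.append("restrictanonymous = 1")
    return findings


if __name__ == "__main__":
    for finding in audit_reg(SAMPLE_REG):
        print(finding)
```

On a suspect machine, export the hives with reg export (for example 
reg export HKLM\SOFTWARE software.reg) and read the files with 
encoding="utf-16", which is what reg export writes, before passing the 
text to audit_reg(). The last two checks carry a caveat: EnableDCOM=N 
and restrictanonymous=1 are legitimate hardening settings and prove 
nothing on their own; they are reported because a bot that sets them 
at the same time as a new service or Run entry is the pattern these 
descriptions show.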





Name   Troj/Tibs-Z

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Packed.Win32.Tibs

Prevalence (1-5) 2

Description
Troj/Tibs-Z is a Trojan for the Windows platform.

Troj/Tibs-Z includes functionality to access the internet and 
communicate with a remote server via HTTP to download and install 
software.

Advanced
When first run Troj/Tibs-Z copies itself to \kernels8.exe and 
creates the following files:

\1.dlb
\4.dlb

The following registry entry is created to run kernels8.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System
\kernels8.exe

The following registry entry is set, disabling the Windows task manager
(taskmgr):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1





Name   Troj/BagleDL-BQ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Bagle.ak

Prevalence (1-5) 2

Description
Troj/BagleDL-BQ is a Trojan for the Windows platform.

Troj/BagleDL-BQ includes functionality to communicate with a remote 
server via HTTP.

Advanced
When run, Troj/BagleDL-BQ modifies registry entries under:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

(Winlogon notification packages are DLLs that winlogon.exe loads at 
startup and calls on logon events, so an entry here is both a 
persistence point and a way to run inside a privileged process.)




Name   W32/Rbot-DDF

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Aimbot.dl

Prevalence (1-5) 2

Description
W32/Rbot-DDF is a worm and IRC backdoor for the Windows platform.

The worm attempts to spread by copying itself to remote network 
shares or by exploiting any of the following vulnerabilities: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx).

W32/Rbot-DDF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-DDF includes functionality to access the internet and 
communicate with a remote server via HTTP.

The following patches for the operating system vulnerabilities 
exploited by W32/Rbot-DDF are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx

Advanced
When first run W32/Rbot-DDF copies itself to \algsys.exe.

The file algsys.exe is registered as a new system driver service 
named "ALGS", with a display name of "Application Layer Gateway 
System" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\ALGS\






Name   Troj/Agent-BIU

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Agent-BIU is a Trojan for the Windows platform.

Troj/Agent-BIU includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
When Troj/Agent-BIU is installed it creates the file 
\mscom32.dll.

The file mscom32.dll is registered as a COM object and ShellExecute 
hook, creating registry entries under:

HKCR\CLSID\(487166B7-DA1D-4ec0-966B-DFF858ECE8FD)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

Troj/Agent-BIU includes functionality to inject mscom32.dll code into 
EXPLORER.EXE and modify the HOSTS file.

Troj/Agent-BIU modifies the HOSTS file, changing the hostname-to-IP 
mappings for selected security-vendor websites so that normal access 
to these sites (and to the anti-virus updates served from them) 
fails. The new HOSTS file will typically contain the following:

192.168.0.101 www.trendmicro.com
192.168.0.101 trendmicro.com
192.168.0.101 rads.mcafee.com
192.168.0.101 customer.symantec.com
192.168.0.101 liveupdate.symantec.com
192.168.0.101 us.mcafee.com
192.168.0.101 updates.symantec.com
192.168.0.101 update.symantec.com
192.168.0.101 www.nai.com
192.168.0.101 nai.com
192.168.0.101 secure.nai.com
192.168.0.101 dispatch.mcafee.com
192.168.0.101 download.mcafee.com
192.168.0.101 www.my-etrust.com
192.168.0.101 my-etrust.com
192.168.0.101 mast.mcafee.com
192.168.0.101 ca.com
192.168.0.101 www.ca.com
192.168.0.101 networkassociates.com
192.168.0.101 www.networkassociates.com
192.168.0.101 avp.com
192.168.0.101 www.kaspersky.com
192.168.0.101 www.avp.com
192.168.0.101 kaspersky.com
192.168.0.101 www.f-secure.com
192.168.0.101 f-secure.com
192.168.0.101 viruslist.com
192.168.0.101 www.viruslist.com
192.168.0.101 liveupdate.symantecliveupdate.com
192.168.0.101 mcafee.com
192.168.0.101 www.mcafee.com
192.168.0.101 sophos.com
192.168.0.101 www.sophos.com
192.168.0.101 symantec.com





Name   Troj/Zlob-IK

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Win32/TrojanDownloader.Zlob.MJ

Prevalence (1-5) 2

Description
Troj/Zlob-IK is a Trojan for the Windows platform.

Troj/Zlob-IK changes Start Page and search settings for Microsoft 
Internet Explorer.

Advanced
When Troj/Zlob-IK is installed the following files are created:

\simpole.tlb
\hp.tmp

where  is a randomly generated string of characters. These files 
are also detected as Troj/Zlob-IK.

The file hp.tmp is registered as a COM object and Browser Helper 
Object (BHO) for Microsoft Internet Explorer, creating registry 
entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0398eca-0bcd-4645-8261-5e9dc70248d0}
HKCR\CLSID\{B0398ECA-0BCD-4645-8261-5E9DC70248D0}

Troj/Zlob-IK changes Start Page and search settings for Microsoft 
Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Search\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0398eca-0bcd-4645-8261-5e9dc70248d0}\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0398eca-0bcd-4645-8261-5e9dc70248d0}\(default)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
dcomcfg.exe
dcomcfg.exe





Name   W32/Mytob-HR

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Net-Worm.Win32.Mytob.el

Prevalence (1-5) 2

Description
W32/Mytob-HR is a mass-mailing worm with IRC backdoor Trojan 
functionality.

The worm spreads by sending emails containing links to a copy of the 
worm. Email addresses are harvested from files on the infected 
computer.

W32/Mytob-HR contains functionality to download and run further 
malicious code.

Emails sent by the worm take the following form.

FROM:

abuse{at}

SUBJECT LINE:

Either a string of randomly chosen characters or one of the following:

Account Alert
ACCOUNT ALERT

MESSAGE TEXT:

Dear Valued Member,

According to our terms of services, you will have to confirm your 
e-mail by the following link, or your account will be suspended 
within 24 hours for security reasons.



After following the instructions in the sheet, your account will not 
be interrupted and will continue as normal.

Thanks for your attention to this request. We apologize for any 
inconvenience.

Sincerely,  Abuse Department.

W32/Mytob-HR attempts to terminate a number of processes, most of 
these corresponding to common anti-virus and security products.

W32/Mytob-HR modifies the system HOSTS file in order to prevent 
access to certain anti-virus websites.

Advanced
The following registry entries are created in an attempt to run the 
worm on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Task Manager
taskgmr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Task Manager
taskgmr.exe





Name   Troj/VB-BAN

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Clicker.Win32.VB.mo
    * Win32/TrojanClicker.VB.LI
    * TROJ_CLICKER.IT

Prevalence (1-5) 2

Description
Troj/VB-BAN is a Trojan for the Windows platform.

Troj/VB-BAN includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
The following registry entry is created to run Troj/VB-BAN on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
mousepad


Troj/VB-BAN may hijack web-browsing and web-searches, redirecting 
URLs entered in Microsoft Internet Explorer to alternative websites.

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
