[cut-n-paste from sophos.com]
Name W32/Virut-Q
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
Aliases
* Virus.Win32.Virut.ao
* PE_VIRUT.YC
* Win32/Virut.X
Prevalence (1-5) 2
Description
W32/Virut-Q is a virus for the Windows platform.
Advanced
W32/Virut-Q is a virus for the Windows platform.
W32/Virut-Q attempts to hook the operating system and infect files with
an EXE or SCR extension.
W32/Virut-Q may also attempt to connect to a remote IRC server, and may
download and execute further files if instructed to do so.
W32/Virut-Q may modify the following registry entry in order to bypass
the Windows firewall:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Name Troj/BagleDl-DB
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Bagle.ff
* Win32/Bagle.KQ
Prevalence (1-5) 2
Description
Troj/BagleDl-DB is a Trojan for the Windows platform.
Advanced
Troj/BagleDl-DB is a Trojan for the Windows platform.
Troj/BagleDl-DB includes functionality to access the internet and
communicate with a remote server via http.
Troj/BagleDl-DB attempts to download files from a number of
pre-specified URLs to a file .exe and run it.
Troj/BagleDl-DB copies itself to \drivers\hidr2.exe and creates the
following file \drivers\srosa.sys. This file is also detected as
Troj/BagleDl-DB.
The file srosa.sys is registered as a new system driver service named
"srosa", with a display name of "srosa". Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\srosa\
The Trojan will search for various security applications, such as
firewalls and anti-virus and attempt to delete them.
Troj/BagleDl-DB changes the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
Troj/BagleDl-DB also sets the following registry entry:
HKCU\Software\FirstRRRun
FirstRRRun
Troj/BagleDl-DB deletes entries under:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Name Troj/Conhook-AI
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Conhook-AI is a Trojan for the Windows platform.
Advanced
Troj/Conhook-AI is a Trojan for the Windows platform.
When Troj/Conhook-AI is installed the following files are created:
\.sys
\.dll
\.exe
\drivers\.sys
The following registry entries are created to run code exported by
.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
DLLName
.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
Impersonate
0
The file .dll is registered as a new service named
"". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\
The file .sys is registered as a new system driver service named "",
with a display name of "Microsoft RPC API Helper". Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\
The file .dll is registered as a COM object and
Browser Helper Object (BHO) for Microsoft Internet Explorer, creating
registry entries under:
HKCR\CLSID\{447E6663-81F1-44AC-90E2-4B106EED6D1D}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{447E6663-81F1-44AC-90E2-4B106EED6D1D}
Registry entries are set as follows:
HKCR\\CLSID
(default)
{447E6663-81F1-44AC-90E2-4B106EED6D1D}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout
File
\drivers\.sys
Name Mal/Bifrose-F
Type
* Malicious Behavior
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
Aliases
* BackDoor-CEP.svr
* Backdoor.Win32.Bifrose.aqy
Prevalence (1-5) 2
Description
Mal/Bifrose-F is a malicious program for the Windows platform.
Detection for members of Mal/Bifrose-F is behavior based. It is
extremely important that customers report detections of Mal/Bifrose-F
to Sophos and send a sample for analysis.
Name Troj/BatKill-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Deletes files off the computer
* Reduces system security
Prevalence (1-5) 2
Description
Troj/BatKill-B is a Trojan for the Windows platform.
Advanced
Troj/BatKill-B is a Trojan for the Windows platform.
When Troj/BatKill-B is run, it deletes the file \javaws.exe.
Troj/BatKill-B will also attempt to stop system services that have the
following names:
norton antivirus server
mcshield
f-secure gatekeeper handler starter
f-secure network request broker
f-secure automatic update
symantec antivirus
Symantec AntiVirus Definition Watcher
Symantec Event Manager
Symantec Settings Manager
symantec central quarantine
Network Associates McShield
McAfee Framework Service
Name W32/Mypis-B
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Virus.Win32.Downloader.r
Prevalence (1-5) 2
Description
W32/Mypis-B is a virus for the Windows platform.
Advanced
W32/Mypis-B is a virus for the Windows platform.
The virus may attempt to download and execute additional files. At the
time of writing, W32/Mypis-B created the file
\dllcache\svchost.exe. This file is detected as Mal/PWS-K.
W32/Mypis-B may also create the file \system.log. This file may
be safely deleted.
Name Troj/Zlob-AFI
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Zlob-AFI is a Trojan for the Windows platform.
Advanced
Troj/Zlob-AFI is a Trojan for the Windows platform.
Name Troj/ConHook-AH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Monitors browser activity
* Installs a browser helper object
Aliases
* TROJ_CONHOOK.FM
Prevalence (1-5) 2
Description
Troj/ConHook-AH is a Trojan for the Windows platform.
Troj/ConHook-AH includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/ConHook-AH is a Trojan for the Windows platform.
Troj/ConHook-AH includes functionality to access the internet and
communicate with a remote server via HTTP.
The Troj/ConHook-AH DLL is registered as a COM object and Browser
Helper Object (BHO) for Microsoft Internet Explorer, creating registry
entries under:
HKCR\CLSID\{8A06A1A7-9E64-4359-8556-B6EA03D69814}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{8A06A1A7-9E64-4359-8556-B6EA03D69814}
Name W32/Rbot-GUP
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Rbot-GUP is a worm with IRC backdoor functionality for the Windows
platform.
Advanced
W32/Rbot-GUP is a worm with IRC backdoor functionality for the Windows
platform.
W32/Rbot-GUP spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM
(MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL
(MS04-011) (CAN-2003-0719), Veritas (CAN-2004-1172), WINS (MS04-045),
PNP (MS05-039), IMAIL Server, ASN.1 (MS04-007) and RealVNC
(CVE-2006-2369) and by copying itself to network shares protected by
weak passwords.
W32/Rbot-GUP runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Rbot-GUP copies itself to \Msnhelper.exe
and creates the file \images.zip. images.zip contains a copy
of the worm executable with the PIF extension.
The following registry entry is created to run Msnhelper.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN
Msnhelper.exe
Name Troj/TmDrop-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Prevalence (1-5) 2
Description
Troj/TmDrop-A is a Trojan for the Windows platform.
Name Mal/Dropper-X
Type
* Malicious Behavior
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Mal/Dropper-X is a Trojan which installs and executes other malicious
files.
Detection for members of Mal/Dropper-X is behavior based. It is
extremely important that customers report detections of Mal/Dropper-X
to Sophos and send a sample for analysis.
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
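The descriptions above list concrete registry artefacts: the firewall exception list W32/Virut-Q edits, the services Troj/BagleDl-DB disables and the "srosa" driver it installs, the Winlogon Notify package, driver service and BHO CLSIDs from the two Conhook entries, and the Run value W32/Rbot-GUP creates. The following read-only triage script is an added example; it is not Sophos code and was not part of the original post. It walks those locations on a Windows host, resolves each autostart entry to a file and reports its Authenticode status, and marks entries whose CLSID, service name or value name matches one quoted above. It assumes the XP SP2-era "path:*:Enabled:name" layout of the firewall list that the Virut-Q entry refers to, reads CLSIDs from HKLM\SOFTWARE\Classes because HKCR is not a default PowerShell drive, and expects an elevated prompt. The stripped directory placeholders in the descriptions (e.g. "\drivers\hidr2.exe") are not guessed; only the names actually quoted are matched.

```powershell
# Added triage example (not from Sophos or the original poster). Read-only.
$ErrorActionPreference = 'SilentlyContinue'

# Indicators copied verbatim from the descriptions above.
$KnownBhoClsids  = '{447E6663-81F1-44AC-90E2-4B106EED6D1D}', '{8A06A1A7-9E64-4359-8556-B6EA03D69814}'
$BagleServices   = 'Alerter', 'Ndisuio', 'SharedAccess', 'wuauserv', 'wscsvc'
$SuspectSvcName  = 'srosa'                      # Troj/BagleDl-DB driver service
$SuspectSvcDisp  = 'Microsoft RPC API Helper'   # Troj/Conhook-AI driver display name
$RbotRunValue    = 'MSN'                        # W32/Rbot-GUP Run value name

function New-Finding { param($Check, $Item, $Data, $Note)
    [pscustomobject]@{ Check = $Check; Item = $Item; Data = $Data; Note = $Note } }

function Get-CommandPath {
    # Pull the executable out of a Run/ImagePath command line. Quoted paths are
    # handled; an unquoted path containing spaces is truncated at the first space.
    param([string]$Cmd)
    if ($Cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($Cmd -match '^(\S+)')     { return $Matches[1] }
    return $Cmd }

function Get-FileVerdict {
    # Normalise kernel-style paths (\??\, \SystemRoot, bare system32\...) then
    # return the Authenticode status, or a marker if the file is not there.
    param([string]$Path)
    if (-not $Path) { return 'NoPath' }
    $full = $Path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    $full = [Environment]::ExpandEnvironmentVariables($full)
    if (-not [IO.Path]::IsPathRooted($full)) {
        $base = if ($full -match '^system32\\') { $env:SystemRoot } else { "$env:SystemRoot\System32" }
        $full = Join-Path $base $full }
    if (-not (Test-Path -LiteralPath $full)) { return 'FileMissing' }
    return (Get-AuthenticodeSignature -FilePath $full).Status.ToString() }

function Resolve-InprocServer {
    # CLSID -> DLL via InprocServer32 (default), machine hive first, then user hive.
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $k = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $k) { return (Get-ItemProperty -Path $k).'(default)' } } }

$findings = @()

# W32/Virut-Q: firewall exceptions. Value name = exe path, data = "path:*:Enabled:name".
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fw) {
    foreach ($p in (Get-ItemProperty -Path $fw).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
        $findings += New-Finding 'FirewallException' $p.Name $p.Value (Get-FileVerdict $p.Name) } }

# Troj/BagleDl-DB: services forced to Start=4 (Disabled), HKCU marker, gutted SafeBoot lists.
foreach ($svc in $BagleServices) {
    $start = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start).Start
    if ($start -eq 4) { $findings += New-Finding 'ServiceDisabled' $svc $start 'Start=4 as in BagleDl-DB' } }
if (Test-Path 'HKCU:\Software\FirstRRRun') {
    $findings += New-Finding 'RegistryMarker' 'HKCU\Software\FirstRRRun' '' 'BagleDl-DB marker key present' }
foreach ($mode in 'Minimal', 'Network') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if ((Test-Path $k) -and @(Get-ChildItem $k).Count -eq 0) {
        $findings += New-Finding 'SafeBootEmpty' $mode 0 'Safe Mode driver list removed' } }

# Troj/BagleDl-DB "srosa" and Troj/Conhook-AI "Microsoft RPC API Helper" driver services.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($_.PSChildName -eq $SuspectSvcName -or $p.DisplayName -eq $SuspectSvcDisp) {
        $findings += New-Finding 'SuspectService' $_.PSChildName $p.ImagePath (Get-FileVerdict (Get-CommandPath $p.ImagePath)) } }

# Troj/Conhook-AI: Winlogon Notify packages (DLLName is often a bare filename under System32).
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
    $findings += New-Finding 'WinlogonNotify' $_.PSChildName $dll (Get-FileVerdict $dll) }

# Troj/Conhook-AI and Troj/ConHook-AH: Browser Helper Objects (32- and 64-bit views).
foreach ($bho in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
    Get-ChildItem $bho | ForEach-Object {
        $clsid = $_.PSChildName
        $dll   = Resolve-InprocServer $clsid
        $note  = if ($KnownBhoClsids -contains $clsid) { 'CLSID matches Conhook entry above' } else { '' }
        $findings += New-Finding 'BHO' $clsid $dll "$(Get-FileVerdict $dll) $note" } }

# W32/Rbot-GUP: Run keys; the worm registers value "MSN" -> Msnhelper.exe.
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $run)) { continue }
    foreach ($p in (Get-ItemProperty -Path $run).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        $note = if ($p.Name -eq $RbotRunValue) { 'value name matches Rbot-GUP entry above' } else { '' }
        $findings += New-Finding 'RunKey' "$run\$($p.Name)" $p.Value "$(Get-FileVerdict (Get-CommandPath $p.Value)) $note" } }

$findings | Sort-Object Check | Format-Table -AutoSize -Wrap
```

Treat the output as a worklist, not a verdict: a "NotSigned" or "FileMissing" firewall exception or Run entry is common on hosts with third-party software, and a CLSID or service-name match only tells you the artefact is present, not that the binary behind it is the sample Sophos analysed. Pull the referenced file and hash it before acting, and note that a host where the SafeBoot lists are empty will not boot into Safe Mode until they are restored from a clean system of the same build.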