[cut-n-paste from sophos.com]
Name Troj/Dorf-X
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Email-Worm.Win32.Zhelatin.kc
Prevalence (1-5) 2
Description
Troj/Dorf-X is a Trojan for the Windows platform.
Advanced
Troj/Dorf-X is a Trojan dropper that may download and install
additional malicious components.
When first run Troj/Dorf-X copies itself to \spooldr.exe and
creates the file \spooldr.sys.
The file spooldr.sys is also detected as Troj/Dorf-X.
Troj/Dorf-X also infects the file tcpip.sys with a code that loads the
Trojan driver spooldr.sys into memory and activates it. Spooldr.sys
contains code to hide the presence of the dropped malicious files.
Name Troj/Psyme-FJ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Psyme-FJ is a script Trojan which attempts to silently download
and execute a file from the internet.
Name W32/Rbot-GUE
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* TROJ_STARTPA.OQ
* Win32/Rbot trojan
Prevalence (1-5) 2
Description
W32/Rbot-GUE is a worm with IRC backdoor functionality for the Windows
platform.
W32/Rbot-GUE spreads to computers vulnerable to common exploits,
including SRVSVC (MS06-040)
Advanced
W32/Rbot-GUE is a worm with IRC backdoor functionality for the Windows
platform.
W32/Rbot-GUE spreads to computers vulnerable to common exploits,
including SRVSVC (MS06-040).
W32/Rbot-GUE runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/Rbot-GUE includes functionality to download, install and run new
software.
When first run W32/Rbot-GUE copies itself to \msn32.exe and
attempts to download and execute a file from a remote website to
\dl.exe.
The following registry entries are created to run msn32.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
OfficeWord Monitor
\msn32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
OfficeWord Monitor
\msn32.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Name Troj/ServU-EX
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
Prevalence (1-5) 2
Description
Troj/ServU-EX is a modified version of a commercial FTP application.
Troj/ServU-EX runs continuously in the background providing an FTP
server.
When Troj/ServU-EX is installed it creates the file \Winlogon.dll. Winlogon.dll is a clean text file and can be
safely deleted.
Name Troj/DwnLdr-GYF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/DwnLdr-GYF is a Trojan for the Windows platform.
Advanced
Troj/DwnLdr-GYF is a Trojan for the Windows platform.
Troj/DwnLdr-GYF includes functionality to download, install and run new
software.
When first run Troj/DwnLdr-GYF copies itself to \MSServx.exe
The following registry entry is created to run MSServx.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MicrosoftUpdate
\MSServx.exe
Name W32/Sdbot-DIB
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Win32/IRCBot.YW
* destructive program named W32/Trojan.BUPP
* Backdoor.Win32.SdBot.blt
Prevalence (1-5) 2
Description
W32/Sdbot-DIB is a network worm with IRC backdoor functionality for the
Windows platform.
Advanced
W32/Sdbot-DIB is a network worm with IRC backdoor functionality for the
Windows platform.
When first run W32/Sdbot-DIB copies itself to \winsyshp.exe
and creates the file \img317.zip.
The following registry entry is created to run winsyshp.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Visual Application
winsyshp.exe
Name W32/Vetor-E
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Aliases
* Virus.Win32.Virut.x
* W32/Virut.g
Prevalence (1-5) 2
Description
W32/Vetor-E is an executable file virus for the Windows platform.
Name Troj/Agent-GDZ
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Agent.nq
* W32/Trojan.AMLL
* PWS-FFantasy
* TSPY_AGENT.AASH
Prevalence (1-5) 2
Description
Troj/Agent-GDZ is a password stealing Trojan for the Windows platform.
Advanced
Troj/Agent-GDZ is a password stealing Trojan for the Windows platform.
When first run Troj/Agent-GDZ copies itself to \explorerf.exe
and creates the file \systemlf.dll.
The following registry entry is created to run explorerf.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
explorerf.exe
\explorerf.exe
Name W32/LCJump-B
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Installs itself in the Registry
Aliases
* Win32/RJump.F
* WORM_AGENT.AAIN
* W32/DKR.worm
Prevalence (1-5) 2
Description
W32/LCJump-B is a worm for the Windows platform.
W32/LCJump-B attempts to copy itself to mapped drives with the filename
RavMon.exe and create a file autorun.inf which will attempt to load the
worm automatically when the infected drive is accessed.
Advanced
W32/LCJump-B is a worm for the Windows platform.
W32/LCJump-B attempts to copy itself to mapped drives with the filename
RavMon.exe and create a file autorun.inf which will attempt to load the
worm automatically when the infected drive is accessed.
W32/LCJump-B also creates a backdoor, enabling a remote user control
over the infected computer.
When run, W32/LCJump-B copies itself to \SVCHOST.EXE and
creates the file \MDM.exe. The file MDM.exe is detected as
Troj/Bckdr-PXR.
The following registry entries are set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SVCHOST
\MDM.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\H
idden\SHOWALL
CheckedValue
0
Name W32/Tesla-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
Prevalence (1-5) 2
Description
W32/Tesla-A is a virus for the Windows platform.
Name W32/Poebot-MW
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.EggDrop.v
* BDS/Eggdrop.V.188
* W32/Backdoor.BBWY
* Generic.dx trojan
* BKDR_EGGDROP.CU
* Exploit:Win32/MS06040.gen
Prevalence (1-5) 2
Description
W32/Poebot-MW is a network worm for the Windows platform.
Advanced
W32/Poebot-MW is a network worm for the Windows platform.
W32/Poebot-MW spreads by copying itself to network shares and by
exploiting common software vulnerabilities such as LSASS (MS04-011),
SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039).
W32/Poebot-MW allows a remote attacker to access the infected computer
through IRC channels.
When first run, the worm copies itself to explorer.exe in the Windows
system folder and creates the following registry entry in order to be
run automatically.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Explorer
\explorer.exe
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
SEEN-BY: 10/1 3 14/300 400 34/999 90/1 120/228 123/500 134/10 140/1 222/2
SEEN-BY: 226/0 229/4000 249/303 261/20 38 100 1381 1404 1406 1418 266/1413
SEEN-BY: 280/1027 320/119 633/104 260 262 267 285 690/682 734 712/848 800/432
SEEN-BY: 801/161 189 2222/700 2320/105 200 2800/18 2905/0
@PATH: 123/140 500 261/38 633/260 267
|