echo: virus_info
to: ALL
from: KURT WISMER
date: 2006-05-13 11:26:00
subject: News, May 13 2006

[cut-n-paste from sophos.com]

Name   Troj/Baglet-F

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information

Aliases  
    * SpamTool.Win32.Small.s

Prevalence (1-5) 2

Description
Troj/Baglet-F is an email address harvesting Trojan for the Windows 
platform.

Advanced
Troj/Baglet-F is an email address harvesting Trojan for the Windows 
platform.

Troj/Baglet-F scans all drives for files with one of the following 
extensions and extracts email addresses from them:

WAB TXT MSG HTM SHTM STM XML DBX MBX MDX EML NCH MMF ODS
CFG ASP PHP PL WSH ADB TBB SHT XLS OFT UIN CGI MHT DHTM JSP

Troj/Baglet-F then sends the addresses it finds to a preconfigured 
internet location.





Name   Troj/WowPWS-E

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Trojan-PSW.Win32.WOW.ac
    * BackDoor-CQJ
    * Win32/PSW.Agent.I

Prevalence (1-5) 2

Description
Troj/WowPWS-E is a Trojan for the Windows platform.

Advanced
Troj/WowPWS-E is a Trojan for the Windows platform.

When first run Troj/WowPWS-E copies itself to 
\ShellExt\svchs0t.exe.

The following registry entry is created to run svchs0t.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
shoket
\SHELLEXT\svchs0t.exe





Name   Troj/Nethell-B

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * PWS.j
    * Trojan.Win32.BHO.d

Prevalence (1-5) 2

Description
Troj/Nethell-B is a Trojan for the Windows platform.

Troj/Nethell-B contains functionality to download code from remote 
sites.

Troj/Nethell-B attempts to redirect and intercept web traffic in 
order to steal login information and passwords.

Advanced
Troj/Nethell-B is a Trojan for the Windows platform.

Troj/Nethell-B contains functionality to download code from remote 
sites.

Troj/Nethell-B attempts to redirect and intercept web traffic in 
order to steal login information and passwords.

Troj/Nethell-B is registered as a COM object, creating registry 
entries under:

HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}
HKCR\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}
HKCR\NetHelper.Hook\
HKCR\NetHelper.Hook.1\
HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}

The following registry entry is set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
FGID


Troj/Nethell-B may modify the windows hosts file.





Name   W32/Mytob-HT

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Mytob-HT is a mass-mailing worm and IRC backdoor Trojan.

W32/Mytob-HT runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels, including the ability to 
download and execute files on the infected computer.

W32/Mytob-HT spreads by sending itself as an email attachment to 
email addresses it harvests from the infected computer, as a zip file 
containing a file with a double-extension. Emails sent have the 
following properties.

The subject line is either a string of randomly chosen characters or 
one of the following:

Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved

The message text takes one of the following forms:

Dear user ,

You have successfully updated the password of your  account.

If you did not authorize this change or if you need assistance with 
your account, please contact  customer service 
at: 

Thank you for using !
The  Support Team

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear user ,

It has come to our attention that your  User 
Profile ( x ) records are out of date. For further details see the 
attached document.

Thank you for using !
The  Support Team

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,

We have temporarily suspended your email account .

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your  account.

Sincerely,The  Support Team

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.

If you choose to ignore our request, you leave us no choice but to 
cancel your membership.

Virtually yours,
The  Support Team

+++ Attachment: No Virus found
+++  Antivirus - www.

The ZIP file attachment has one of the following names with a ZIP 
extension:

accepted-password
account-details
account-info
account-password
account-report
approved-password
document
email-details
email-password
important-details
new-password
password
readme
updated-password

Advanced
W32/Mytob-HT is a mass-mailing worm and IRC backdoor Trojan.

W32/Mytob-HT runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels, including the ability to 
download and execute files on the infected computer.

W32/Mytob-HT spreads by sending itself as an email attachment to 
email addresses it harvests from the infected computer, as a zip file 
containing a file with a double-extension. Emails sent have the 
following properties.

The subject line is either a string of randomly chosen characters or 
one of the following:

Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved

The message text takes one of the following forms:

Dear user ,

You have successfully updated the password of your  account.

If you did not authorize this change or if you need assistance with 
your account, please contact  customer service 
at: 

Thank you for using !
The  Support Team

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear user ,

It has come to our attention that your  User 
Profile ( x ) records are out of date. For further details see the 
attached document.

Thank you for using !
The  Support Team

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,

We have temporarily suspended your email account .

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of 
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of 
subscription due to an internal error within our processors.
See the details to reactivate your  account.

Sincerely,The  Support Team

+++ Attachment: No Virus (Clean)
+++  Antivirus - www.

Dear  Member,

Your e-mail account was used to send a huge amount of unsolicited 
spam messages during the recent week. If you could please take 5-10 
minutes out of your online experience and confirm the attached 
document so you will not run into any future problems with the online 
service.

If you choose to ignore our request, you leave us no choice but to 
cancel your membership.

Virtually yours,
The  Support Team

+++ Attachment: No Virus found
+++  Antivirus - www.

The ZIP file attachment has one of the following names with a ZIP 
extension:

accepted-password
account-details
account-info
account-password
account-report
approved-password
document
email-details
email-password
important-details
new-password
password
readme
updated-password

The file inside the zip has the same base name, but with a double 
extension. The first extension is either DOC, HTM or TXT. The second 
extension is either EXE, SCR or PIF. The two extensions are separated 
by a large number of spaces.

Example attachment names include password.txt.pif and readme.doc.scr, 
with a large number of spaces between the extensions.

Email addresses are harvested from files with the following file 
extensions:

adb
asp
cgi
dbx
htm
htm
html
jsp
php
pl
sht
tbb
wab
xml

The worm appends text to the HOSTS file in order to prevent access to 
the following websites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com

When first run W32/Mytob-HT copies itself to \wupdate.exe.

The following registry entries are created to run wupdate.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
wupdate.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
wupdate.exe

W32/Mytob-HT makes the following registry change, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4





Name   Troj/Clagger-Q

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * TROJ_SMALL.BQP
    * Trojan-Downloader.Win32.Agent.aju

Prevalence (1-5) 2

Description
Troj/Clagger-Q is a downloader Trojan for the Windows platform.

Troj/Clagger-Q includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Clagger-Q is a downloader Trojan for the Windows platform.

Troj/Clagger-Q includes functionality to access the internet and 
communicate with a remote server via HTTP.

When Troj/Clagger-Q is installed the following files are created:

\1.bat
\1.exe

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy\
StAnDaRDPrOFiLe\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy\
StAnDaRDPrOFiLe\AUtHorizedapplications\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy\
StAnDaRDPrOFiLe\AUtHorizedapplications\List\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy\
StAnDaRDPrOFiLe\AUtHorizedapplications\List

:*:ENABLED:0





Name   Troj/Dloadr-UZ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * AdClicker-DW

Prevalence (1-5) 2

Description
Troj/Dloadr-UZ is a Trojan for the Windows platform.

Troj/Dloadr-UZ includes functionality to download, install and run 
new software.

Advanced
Troj/Dloadr-UZ is a Trojan for the Windows platform.

Troj/Dloadr-UZ includes functionality to download, install and run 
new software.

When Troj/Dloadr-UZ is installed it creates the file 
\pio12.dll.

The following registry entry is created to run code exported by 
pio12.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
pst
\rundll32.exe \pio12.dll DllDownload

The file pio12.dll is registered as a COM object and Browser Helper 
Object (BHO) for Microsoft Internet Explorer, creating registry 
entries under:

HKCR\CLSID\(C7DDEE9F-CD4B-40fb-9030-E1709644F4BD)
HKCR\CLSID\(E701C9CF-325D-49f6-9049-61C870155526)
HKCR\TypeLib\(1549F421-FB0A-4394-8D57-3886BE7E481A)
HKCR\wave.Downloader\
HKCR\wave.Downloader.1\
HKCR\wave.ShDl\
HKCR\wave.ShDl.1\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\(C7DDEE9F-CD4B-40fb-9030-E1709644F4BD)

The following registry entry is set:

HKCR\*\shellex\ContextMenuHandlers\ShellDownload
(default)
(E701C9CF-325D-49f6-9049-61C870155526)

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Jet\

Troj/Dloadr-UZ may come in an archive claiming to be an installer for 
a video codec.





Name   W32/Rbot-CHE

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.aie
    * W32/Sdbot.worm.gen.ae
    * WORM_RBOT.EAR
    * W32.Spybot.Worm

Prevalence (1-5) 2

Description
W32/Rbot-CHE is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-CHE spreads to other network computers infected with: 
Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and 
Troj/Optix and to other network computers by exploiting common buffer 
overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM 
(MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), 
IIS5SSL (MS04-011) (CAN-2003-0719), UPNP (MS01-059), Veritas 
(CAN-2004-1172), Dameware (CAN-2003-1030) and ASN.1 (MS04-007).

W32/Rbot-CHE runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-CHE is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-CHE spreads to other network computers infected with: 
Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and 
Troj/Optix and to other network computers by exploiting common buffer 
overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM 
(MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), 
IIS5SSL (MS04-011) (CAN-2003-0719), UPNP (MS01-059), Veritas 
(CAN-2004-1172), Dameware (CAN-2003-1030) and ASN.1 (MS04-007).

W32/Rbot-CHE runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-CHE copies itself to \updatem.exe.

The following registry entries are created to run updatem.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
windows update microsoft
updatem.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
windows update microsoft
updatem.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
windows update microsoft
updatem.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/IRCBot-KJ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer

Aliases  
    * Win32/IRCBot.RX

Prevalence (1-5) 2

Description
Troj/IRCBot-KJ is a backdoor Trojan for the Windows platform.

The Trojan connects to an IRC channel and listens for backdoor 
commands from a remote attacker.





Name   Troj/Clagger-R

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Small.cul
    * Generic

Prevalence (1-5) 2

Description
Troj/Clagger-R is a Trojan for the Windows platform.

Troj/Clagger-R attempts to download further malicious code.

The Trojan attempts to bypass or disable firewall applications.

Advanced
Troj/Clagger-R is a Trojan for the Windows platform.

The Trojan downloads a file to \suhoy316.exe and runs it.

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FiREWaLLpolicy\StAnDaRDPrOFiLe\AUtHorizedapplications\List

:*:ENABLED:0





Name   Troj/Banloa-AIM

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Banload.aim
    * TROJ_BANLOAD.AAC

Prevalence (1-5) 2

Description
Troj/Banloa-AIM is a Trojan for the Windows platform.

Troj/Banloa-AIM includes functionality to access the internet and 
communicate with a remote server via HTTP.

When Troj/Banloa-AIM is installed it creates the file 
\cartao.htm.





Name   Troj/CashGrab-P

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Win32/Agent.CC
    * Trojan.Win32.Agent.cc

Prevalence (1-5) 2

Description
Troj/CashGrab-P is a password-stealing Trojan for the Windows platform.

Troj/CashGrab-P is downloaded by Troj/Clagger-R.

Advanced
Troj/CashGrab-P is a password-stealing Trojan for the Windows platform.

Troj/CashGrab-P is downloaded by Troj/Clagger-R.

When Troj/CashGrab-P is installed the following files may be created:

\ierror.rep
\msiesetup.exe
\msupdate.dll
\sei.dll
\spi.dll
\suact\004.act
\suact\011.act
\suact\013.act
\suact\015.act
\suact\020.act
\suact\022_01.act
\suact\022_02.act
\suact\023_01.act
\suact\023_02.act
\suact\023_03.act
\sucontr\uver.ctr
\suskn\004.sns
\suskn\011.sns
\suskn\013.sns
\suskn\015.sns
\suskn\020.sns
\wint.ini
\winte.html

The files msiesetup.exe and msupdate.dll are also detected as 
Troj/CashGrab-P. The other files are all harmless text files.

The file msupdate.dll is registered as a COM object and Browser 
Helper Object (BHO) for Microsoft Internet Explorer, creating 
registry entries under:

HKCR\CLSID\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)
HKCR\msupdate.Microsoft Update Service\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\(3A4E6FF3-BF59-446E-9DC8-731BCE2F349A)





Name   Troj/Dloadr-VN

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Dloadr-VN is a Trojan for the Windows platform.

When run, Troj/Dloadr-VN will cause media player to download and run 
an executable file. This file is detected as Troj/Dloadr-UZ.





Name   W32/Tilebot-EV

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.SdBot.aad

Prevalence (1-5) 2

Description
W32/Tilebot-EV is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-EV spreads to other network computers by exploiting 
common buffer overflow vulnerabilities.

W32/Tilebot-EV runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-EV includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Tilebot-EV is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Tilebot-EV spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) 
and ASN.1 (MS04-007) and by copying itself to network shares 
protected by weak passwords.

W32/Tilebot-EV runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-EV includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Tilebot-EV copies itself to \userinit.exe.

The file userinit.exe is registered as a new system driver service 
named "UsrInitVerif", with a display name of "Userinit Logon 
Verification" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\UsrInitVerif\

W32/Tilebot-EV sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   Troj/Tibs-AK

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * TROJ_ABWIZ.BC
    * Packed.Win32.Tibs
    * W32/Tibs.MX
    * Downloader-ASH

Prevalence (1-5) 2

Description
Troj/Tibs-AK is a Trojan for the Windows platform.

Troj/Tibs-AK includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Tibs-AK is a Trojan for the Windows platform.

Troj/Tibs-AK includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Tibs-AK copies itself to \taskdir.exe and 
creates the following files:

\taskdir.dll
\zlbw.dll

The file taskdir.dll is detected as Troj/HideDl-A.

The file zlbw.dll is a clean compression library.

The following registry entry is created to run taskdir.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
taskdir
\taskdir.exe





Name   Troj/Banker-BIP

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Banker.ark

Prevalence (1-5) 2

Description
Troj/Banker-BIP is a Trojan for the Windows platform.

Advanced
Troj/Banker-BIP is a Trojan for the Windows platform.

Troj/Banker-BIP includes functionality to send notification messages 
to remote locations.

When first run Troj/Banker-BIP copies itself to:

\system32.exe
\system32.exe

The following registry entry is created to run system32.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
system32
\system32.exe





Name   Troj/Agent-BMS

Type  
    * Trojan

Affected operating systems  
    * Windows

Aliases  
    * Trojan-Clicker.Win32.Delf.dp
    * MultiDropper-JD

Prevalence (1-5) 2

Description
Troj/Agent-BMS is a Trojan for the Windows platform.





Name   W32/Tilebot-ER

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.SdBot.aoy
    * W32/Sdbot.worm.gen.n
    * WORM_SDBOT.AVT

Prevalence (1-5) 2

Description
W32/Tilebot-ER is a worm with backdoor functionality for the Windows 
platform.

W32/Tilebot-ER spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007). The worm 
may also spread via network shares protected by weak passwords.

W32/Tilebot-ER runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-ER includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Tilebot-ER is a worm with backdoor functionality for the Windows 
platform.

W32/Tilebot-ER spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007). The worm 
may also spread via network shares protected by weak passwords.

W32/Tilebot-ER runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-ER includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Tilebot-ER copies itself to \winscntrl.exe.

The file winscntrl.exe is registered as a new system driver service 
named "wins", with a display name of "wins(WINS)" and a startup type 
of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\wins\

W32/Tilebot-ER sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

Additional registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Poebot-ET

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Leaves non-infected files on computer

Aliases  
    * Backdoor.Win32.PoeBot.c
    * WORM_POEBOT.BJ

Prevalence (1-5) 2

Description
W32/Poebot-ET is a worm and IRC backdoor Trojan for the Windows 
platform.

Advanced
W32/Poebot-ET is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Poebot-ET spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav 
(MS03-007), Veritas (CAN-2004-1172), Dameware (CAN-2003-1030), PNP 
(MS05-039) and ASN.1 (MS04-007) and by copying itself to network 
shares protected by weak passwords.

W32/Poebot-ET runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Poebot-ET includes functionality to:

- steal passwords from online games including World Of Warcraft, 
Steam and Conquer
- perform port scanning
- harvest computer information
- setup a SOCKS server

When first run W32/Poebot-ET copies itself to \iexplore.exe 
and creates the file \rtmki.bat. The file rtmki.bat 
can be deleted.

The following registry entry is created to run iexplore.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Internet Explorer
\iexplore.exe





Name   Troj/Banloa-ACJ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Pux.d
    * Win32/TrojanDownloader.VB.LP
    * Downloader.Trojan

Prevalence (1-5) 2

Description
Troj/Banloa-ACJ is a downloading Trojan for the Windows platform.

Troj/Banloa-ACJ includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Banloa-ACJ downloads the file task.scr, detected as 
Troj/VBanker-B, and the file dllram.scr, detected as Troj/Banker-BIT, 
from a predefined location.

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
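The W32/Mytob-HT entry above gives three things a mail gateway can key on: the fixed subject lines, the fixed ZIP base names, and an inner file whose real extension (EXE, SCR or PIF) is pushed out of view by a run of spaces after a DOC/HTM/TXT decoy extension. The following Python is an added example, not Sophos' or the poster's code; the indicator lists are copied from the post, the messages fed to it are constructed for this example, and the `Message` record and verdict thresholds are assumptions of the example rather than anything the post specifies.

```python
"""Triage a mail message against the W32/Mytob-HT lure indicators from the post.
Added example; indicator lists copied from the post, sample messages constructed.
"""
import re
from dataclasses import dataclass

# Subject lines listed in the post (the worm otherwise uses random characters).
MYTOB_SUBJECTS = {
    "Your Account is Suspended",
    "*DETECTED* Online User Violation",
    "Your Account is Suspended For Security Reasons",
    "Warning Message: Your services near to be closed.",
    "Important Notification",
    "Members Support",
    "Security measures",
    "Email Account Suspension",
    "Notice of account limitation",
    "Your password has been updated",
    "Your password has been successfully updated",
    "You have successfully updated your password",
    "Your new account password is approved",
}

# ZIP attachment base names listed in the post.
MYTOB_ZIP_NAMES = {
    "accepted-password", "account-details", "account-info", "account-password",
    "account-report", "approved-password", "document", "email-details",
    "email-password", "important-details", "new-password", "password",
    "readme", "updated-password",
}

EXEC_EXTS = {"exe", "scr", "pif"}

# <base>.<decoy ext><spaces>.<real ext>, e.g. "password.txt        .pif".
# Zero spaces is accepted too so a plain readme.doc.scr is still caught.
DOUBLE_EXT = re.compile(
    r"^(?P<base>.+?)\.(?P<decoy>doc|htm|txt)(?P<pad> *)\.(?P<real>exe|scr|pif)$",
    re.IGNORECASE,
)


@dataclass
class Message:
    subject: str
    attachment: str       # attached file name as delivered
    inner: str = ""       # file name inside the ZIP, "" if none / not a ZIP


def inner_file_indicator(name):
    """Classify a file name found inside the ZIP; None if nothing executable."""
    m = DOUBLE_EXT.match(name)
    if m:
        detail = (f".{m.group('real').lower()} behind .{m.group('decoy').lower()} "
                  f"decoy with {len(m.group('pad'))} spaces")
        return ("disguised_executable", detail)
    if name.rpartition(".")[2].lower() in EXEC_EXTS:
        return ("executable", name)
    return None


def triage(msg):
    """Return (verdict, findings): 'block' on a disguised executable,
    'suspicious' on a plain executable or two lure indicators, else 'clean'."""
    findings = []
    if msg.subject.strip() in MYTOB_SUBJECTS:
        findings.append(("subject", msg.subject.strip()))
    stem, _, ext = msg.attachment.rpartition(".")
    is_zip = ext.lower() == "zip"
    if is_zip and stem.lower() in MYTOB_ZIP_NAMES:
        findings.append(("zip_name", stem))
    if is_zip and msg.inner:
        hit = inner_file_indicator(msg.inner)
        if hit:
            findings.append(hit)
            inner_stem = msg.inner.split(".", 1)[0]
            if inner_stem.lower() == stem.lower():   # worm reuses the ZIP base name
                findings.append(("inner_reuses_zip_name", inner_stem))
    kinds = {k for k, _ in findings}
    if "disguised_executable" in kinds:
        return "block", findings
    if "executable" in kinds or len(findings) >= 2:
        return "suspicious", findings
    return "clean", findings


if __name__ == "__main__":
    # Constructed sample modelled on the post's "password.txt.pif" description.
    lure = Message("Your password has been updated", "new-password.zip",
                   "new-password.txt" + " " * 30 + ".pif")
    print(triage(lure))
```

The padding check is the part worth keeping even after the subject list goes stale: a mail client or file dialog that truncates long names shows `new-password.txt` and nothing else, which is exactly why the worm pads the name.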
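Most entries above describe the same few registry moves: an autostart value under Run/RunServices, services such as SharedAccess and wscsvc set to Start=4, Security Center override and notification flags set to 1, Windows Firewall policy EnableFirewall set to 0, an AuthorizedApplications exception, a Browser Helper Object CLSID, and DoNotAllowXPSP2. The following Python runs those checks over an exported .reg file offline. It is an added example, not Sophos' or the poster's code; `SAMPLE_REG` is constructed for the example with value names and data taken from the post, and the directory `C:\Temp` is a hypothetical stand-in for the path prefixes the post does not show.

```python
"""Offline triage of a Windows registry export (.reg) against the persistence and
security-downgrade indicators listed in the post. Added example, not Sophos' or
the poster's code. SAMPLE_REG is constructed: value names and data come from the
post; C:\\Temp is a hypothetical stand-in for the path prefixes the post omits.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="wupdate.exe"
"Microsoft Internet Explorer"="C:\\Temp\\iexplore.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM"="wupdate.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Temp\\1.exe"="C:\\Temp\\1.exe:*:Enabled:0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C7DDEE9F-CD4B-40fb-9030-E1709644F4BD}]
@=""
"""

_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text):
    """Parse a REGEDIT5 export into {key: {value_name: data}}. Strings are
    unescaped, dword values become ints, other types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VAL.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith("dword:"):
                value = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                value = data            # hex:/multi-line values left as-is
            keys[current]["@" if m.group("default") else m.group("name")] = value
    return keys


# Services the post shows being set to Start=4 (disabled).
SERVICES_OF_INTEREST = {"sharedaccess", "wscsvc", "messenger", "remoteregistry", "tlntsvr"}
SECURITY_CENTER_FLAGS = {"antivirusdisablenotify", "antivirusoverride",
                         "firewalldisablenotify", "firewalloverride", "updatesdisablenotify"}


def triage(keys):
    """Return (kind, detail) findings. Autostart entries are listed for review,
    not judged; the other kinds are downgrades the post attributes to the malware.
    Value-name lookups (Start, EnableFirewall, DoNotAllowXPSP2) are case-sensitive."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if k.endswith(("\\currentversion\\run", "\\currentversion\\runservices")):
            findings += [("autostart", f"{n} -> {d}") for n, d in values.items()]
        if "\\services\\" in k and leaf.lower() in SERVICES_OF_INTEREST and values.get("Start") == 4:
            findings.append(("service_disabled", leaf.lower()))
        if k.endswith("\\security center"):
            findings += [("security_center_suppressed", n) for n, d in values.items()
                         if n.lower() in SECURITY_CENTER_FLAGS and d == 1]
        if "\\windowsfirewall\\" in k and values.get("EnableFirewall") == 0:
            findings.append(("firewall_policy_off", leaf))
        if k.endswith("\\authorizedapplications\\list"):
            findings += [("firewall_exception", d) for d in values.values()]
        if "\\browser helper objects\\" in k:
            findings.append(("bho_registered", leaf))
        if values.get("DoNotAllowXPSP2") == 1:
            findings.append(("xpsp2_blocked", key))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"{kind:26} {detail}")
```

Export the keys with `reg export` on the suspect host and run the script elsewhere; the autostart list is deliberately reported whole, since a bare file name like `wupdate.exe` in a Run value is only meaningful next to what else the export shows.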

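W32/Mytob-HT appends the vendor and payment-site lines listed above to the HOSTS file, and Troj/Nethell-B may modify it too. Rather than matching that particular list, the check below flags any name other than localhost that a HOSTS file pins to a loopback or unspecified address, which covers both 127.0.0.1 and 0.0.0.0 sinkholing and the IPv6 ::1 form as well. The Python is an added example, not Sophos' or the poster's code; `SAMPLE_HOSTS` is constructed for the example and its `intranet.example` line is a hypothetical legitimate entry.

```python
"""Flag HOSTS-file entries that sinkhole non-local names, the technique the post
describes for W32/Mytob-HT. Added example; SAMPLE_HOSTS is constructed."""
import ipaddress

SAMPLE_HOSTS = """# constructed sample HOSTS file for this example
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.paypal.com
192.168.1.10    intranet.example   # hypothetical legitimate entry
"""

# Names that legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, dropping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text):
    """Return (ip, hostname) pairs that pin a non-local name to a loopback or
    unspecified address; malformed addresses are returned too for review."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name))
            continue
        if addr.is_loopback or addr.is_unspecified:
            hits.append((ip, name))
    return hits


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:16} {name}")
```

On an infected host the file sits at `%SystemRoot%\system32\drivers\etc\hosts`; copy it off and run the check there, since the same worm also disables the SharedAccess service and is hostile to the tools you would otherwise use on the box.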