[cut-n-paste from sophos.com]
Name Troj/Clagger-AB
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 3
Description
Troj/Clagger-AB is a downloader Trojan for the Windows platform.
Advanced
Troj/Clagger-AB is a downloader Trojan for the Windows platform.
Troj/Clagger-AB attempts to download and execute files from remote
websites according to a clean configuration file it downloads to
\drivers\winut.dat.
When first run Troj/Clagger-AB copies itself to \ipf.exe.
The following registry entry is created to run ipf.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ifp
\ipf.exe
Name W32/Vanebot-G
Type
* Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Scans network for vulnerabilities
* Scans network for weak passwords
Prevalence (1-5) 2
Description
W32/Vanebot-G is a worm for the Windows platform.
W32/Vanebot-G spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: SRVSVC
(http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx),
Psyme, PNP
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx)
and ASN.1
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
and by copying itself to network shares protected by weak passwords.
W32/Vanebot-G runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
The worm may display the following fake error message:
Can't run on Windows
To run this file you must use an Linux emulator
Error code: (-2394)
Error discription: LLIBKCUF / File has remove his self.
W32/Vanebot-G may download updates, steal information and terminate
anti-virus applications.
Advanced
W32/Vanebot-G is a worm for the Windows platform.
W32/Vanebot-G spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: SRVSVC
(http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx),
Psyme, PNP
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx)
and ASN.1
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
and by copying itself to network shares protected by weak passwords.
W32/Vanebot-G runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
The worm may display the following fake error message:
Can't run on Windows
To run this file you must use an Linux emulator
Error code: (-2394)
Error discription: LLIBKCUF / File has remove his self.
W32/Vanebot-G may download updates, steal information and terminate
anti-virus applications.
When first run W32/Vanebot-G copies itself to \winservnt32.exe.
The following registry entries are created to run winservnt32.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Ms Update WinServices NT/XP
winservnt32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Ms Update WinServices NT/XP
winservnt32.exe
The following registry entry is changed to run winservnt32.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe winservnt32.exe
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file \Explorer.exe to be run on
startup).
W32/Vanebot-G sets the following registry entries, disablingthe
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,winservnt32.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
HKCU\Software\Microsoft\Windows
WinServ
rBot v2 a.k.a. the next generation (working on winXP SP2)
Name Troj/Torpig-BH
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Uses its own emailing engine
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Torpig-BH is a Trojan for the Windows platform.
Advanced
Troj/Torpig-BH is a Trojan for the Windows platform.
The Trojan has the functionalities to
- communicate with a remote server via HTTP and email
- steal information
When run, the Trojan creates the following files:
\Microsoft Shared\Web Folders\ibm00001.dll (Detected as
Troj/Torpig-BH)
\Microsoft Shared\Web Folders\ibm00001.exe (Detected as
Troj/Torpig-BH)
\Microsoft Shared\Web Folders\ibm00002.dll (Detected as
Troj/Torpig-BH)
\Microsoft Shared\Web Folders\ibm00003.exe (Detected as
Troj/Torpig-BH)
The following registry entry is created to run ibm00001.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
shell
\Microsoft Shared\Web Folders\ibm00001.exe
Name W32/Womble-B
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Email-Worm.Win32.Womble.a
* W32/Womble{at}MM
Prevalence (1-5) 2
Description
W32/Womble-B is a mass-mailing worm for the Windows platform.
W32/Womble-B spreads by sending emails with itself as an attachment.
The subject line may be any of the following:
Bush
FIFA
Helo
Incredible!!
Kiss
Laura and John
Lola
Look at this!!!
Miss Khan
Ola
Olympus
Olympus
Paula
pics
private pics
RE:
Re: hi
Re: info
RE: pic
read this
Sex
Emails have a message text chosen from the following:
There is some info in the attached file !!!
Zip P A S S :
Emails with the first of these message texts have attached a ZIP file
containing a copy of the worm. Emails with the second of these
message texts have attached a password-protected ZIP file containing
a WMF file detected as Exp/WMF-A. These files use an exploit to drop
a copy of the worm.
W32/Womble-B attempts to disable firewall software.
Advanced
W32/Womble-B is a mass-mailing worm for the Windows platform.
W32/Womble-B spreads by sending emails with itself as an attachment.
The subject line may be any of the following:
Bush
FIFA
Helo
Incredible!!
Kiss
Laura and John
Lola
Look at this!!!
Miss Khan
Ola
Olympus
Olympus
Paula
pics
private pics
RE:
Re: hi
Re: info
RE: pic
read this
Sex
Emails have a message text chosen from the following:
There is some info in the attached file !!!
Zip P A S S :
Emails with the first of these message texts have attached a ZIP file
containing a copy of the worm. Emails with the second of these
message texts have attached a password-protected ZIP file containing
a WMF file detected as Exp/WMF-A. These files use an exploit to drop
a copy of the worm.
W32/Womble-B attempts to disable firewall software.
When first run W32/Womble-B copies itself to the Windows system folder.
The following registry entries are created to run W32/Womble-B on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ms_net_update
\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ms_net_update
\
The following registry entries are changed to run W32/Womble-B on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe \
(The default value for this registry entry is "Explorer.exe" which
causes the Microsoft file \Explorer.exe to be run on
startup.)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe \
(The default value for this registry entry is "\userinit.exe".)
Name Troj/GWGhost-BH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/GWGhost-BH is a Trojan for the Windows platform.
Advanced
Troj/GWGhost-BH is a Trojan for the Windows platform.
The Trojan has the functionalities to :
- communicate with a remote server via port 8086
- inject itself into other process memory
When run the Trojan copies itself to the Windows system folder and
creates the file \wzsml.dll. This file is detected as
Troj/GWGhost-BH.
The following registry entry is created to run the Trojan on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HotKeysSml
\
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Smlnm
Name Troj/SmDldr-N
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Agent.avg
* Win32/TrojanDownloader.Small.ARF
* Trojan.Gobrena
* TROJ_GOBRENA.V
Prevalence (1-5) 2
Description
Troj/SmDldr-N is a downloading Trojan for the Windows platform.
Advanced
Troj/SmDldr-N is a downloading Trojan for the Windows platform.
Troj/SmDldr-N attempts to download a file from a preconfigured URL to
C:\kernel32.exe and then execute it. This file is currently detected
as Troj/Haxdor-Gen.
Name Troj/Dowdec-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs a browser helper object
Prevalence (1-5) 2
Description
Troj/Dowdec-B is a downloader Trojan for the Windows platform.
Troj/Dowdec-B may arrive as the following email:
Dear ,
Please read the following message carefully.
We notify that your order was approved and shipped to you via FedEx
2Day Service, track .
The amount of $499.95 USD was recieved from your e-gold account.
The details of this transaction and specification of chosen product
we send to you in self-extracting compressed-zip file.
Read it carefully to make sure that there's no mistakes in
characteristics of chosen product.
We appreciate your choice!
According our rules, refund must be based on your original method of
payment.
Any requests to refund using e-gold are not accepted, if the payment
method was credit card.
Digital Camera For Your, Yahoo Shopping.
Attached to the emails is a file called OrderTrack.zip.
Advanced
Troj/Dowdec-B is a downloader Trojan for the Windows platform.
Troj/Dowdec-B may arrive as the following email:
Dear ,
Please read the following message carefully.
We notify that your order was approved and shipped to you via FedEx
2Day Service, track .
The amount of $499.95 USD was recieved from your e-gold account.
The details of this transaction and specification of chosen product
we send to you in self-extracting compressed-zip file.
Read it carefully to make sure that there's no mistakes in
characteristics of chosen product.
We appreciate your choice!
According our rules, refund must be based on your original method of
payment.
Any requests to refund using e-gold are not accepted, if the payment
method was credit card.
Digital Camera For Your, Yahoo Shopping.
Attached to the emails is a file called OrderTrack.zip.
When Troj/Dowdec-B is installed the following files are created:
\check.bmp - this file may be deleted
\gfdr.bat - this file may be deleted
\msvoid.dll - detected as Troj/Dowdec-Gen.
The file msvoid.dll is registered as a COM object and Browser Helper
Object (BHO) for Microsoft Internet Explorer, creating registry
entries under:
HKCR\CLSID\(BDE357AC-F3E4-C6DE-8EBD-692629635621)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Browser
Helper Objects\
(BDE357AC-F3E4-C6DE-8EBD-692629635621)
Name W32/Looked-L
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.Viking.x
Prevalence (1-5) 2
Description
W32/Looked-L is a virus for the Windows platform.
Advanced
W32/Looked-L is a virus for the Windows platform.
The virus includes functionalities to
- access the internet and communicate with a remote server via HTTP
- silently download, install and run new software
- terminate processes related to AV
When first run W32/Looked-L copies itself to \rundl132.exe
and \logo1_.exe and creates the file viDll.dll in the
current folder. This file is also detected as W32/Looked-L.
The virus infects EXE files found on the infected computer. The virus
also attempts to copy itself to remote network shares.
Many files with the name "_desktop.ini" are created, in various
folders on the infected computer. These files are harmless text files.
The following registry entry is created in order to run the virus on
startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
\rundl132.exe
W32/Looked-L terminates processes with the following process names:
EGHOST.EXE
IPARMOR.EXE
KAVPFW.EXE
MAILMON.EXE
mcshield.exe
RavMon.exe
Ravmond.EXE
regsvc.exe
Name Troj/DwnLdr-FFO
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/DwnLdr-FFO is a downloader Trojan for the Windows platform.
Advanced
Troj/DwnLdr-FFO is a downloader Trojan for the Windows platform.
Troj/DwnLdr-FFO may create the following filenames:
\commands.xml - harmless, may be deleted
\file.exe
Troj/DwnLdr-FFO may install itself as a BHO (Browser Helper Object)
in Internet Explorer with the CLSID
"2EA061B2-11B5-4C4B-B385-F378B4B48648".
Name Troj/Glupzy-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan.Win32.Disabler.i
* BackDoor-DIY
* Win32/Disabler.I
* Backdoor.Glupzy
* BKDR_GLUPZY.A
Prevalence (1-5) 2
Description
Troj/Glupzy-A is a backdoor Trojan for the Windows platform.
Troj/Glupzy-A runs a telnet server on the infected computer.
The Trojan also changes the password for user "administrator" to
"hacked".
Advanced
Troj/Glupzy-A is a backdoor Trojan for the Windows platform.
Troj/Glupzy-A runs a telnet server on the infected computer.
The Trojan also changes the password for user "administrator" to
"hacked".
When first run Troj/Glupzy-A copies itself to:
\systemID.pif
\Flashy.exe
The following registry entry is created to run Flashy.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Flashy Bot
\Flashy.exe
Troj/Glupzy-A sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
Name W32/Kwbot-L
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Net-Worm.Win32.SdBoter.l
* Win32/SdBoter.L
Prevalence (1-5) 2
Description
W32/Kwbot-L is a network worm and IRC backdoor for the Windows
platform.
Advanced
W32/Kwbot-L is a network worm and IRC backdoor for the Windows
platform.
W32/Kwbot-L spreads to shared drives and network shares protected by
weak
passwords. When run the worm copies itself to the Windows system
folder as
mscidaemon.com and mscidaemon.exe and creates a file named
mscidaemon.dll,
also in the Windows system folder.
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
(HKMLO03-II-DF45D-2FDFDG)
StubPath
\mscidaemon.com
Registry entries are created under:
HKLM\SOFTWARE\mno\
The worm then contacts a predefined IRC server and waits for commands
from
a remote attacker. The backdoor component may be commanded to :
steal passwords
terminate processes
start a Socks proxy server
launch a DOS attack
Name Troj/Crybot-C
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rukap.bq
Prevalence (1-5) 2
Description
Troj/Crybot-C is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Troj/Crybot-C includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Crybot-C is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Troj/Crybot-C includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Crybot-C is registered as a new system driver service named
"DirectLujp", with a display name of "DirectX Service"
and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\DirectLujp\
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\DirectLujp\
The Trojan uses the system utility netsh.exe to adjust Windows
firewall settings in order to make connection to remote servers.
Name W32/Vanebot-I
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* W32/Sdbot.worm!MS06-040
* Win32/IRCBot.TB
* W32.Randex.GEL
* WORM_IRCBOT.JD
Prevalence (1-5) 2
Description
W32/Vanebot-I is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Vanebot-I attempts to spread via MSN Messenger, by copying itself
to remote network shares with weak passwords and by exploiting any of
the following vulnerabilities: SRVSVC (MS06-040), Psyme, PNP
(MS05-039), ASN.1 (MS04-007).
W32/Vanebot-I runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Vanebot-I is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Vanebot-I attempts to spread via MSN Messenger, by copying itself
to remote network shares with weak passwords and by exploiting any of
the following vulnerabilities: SRVSVC (MS06-040), Psyme, PNP
(MS05-039), ASN.1 (MS04-007).
W32/Vanebot-I runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Vanebot-I copies itself to \msijavaup32.exe.
The following registry entries are created to run msijavaup32.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Ms Java for Windows NT
msijavaup32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Ms Java for Windows NT
msijavaup32.exe
The following registry entry is changed to run msijavaup32.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe msijavaup32.exe
(The default value for this registry entry is "Explorer.exe" which
causes the Microsoft file \Explorer.exe to be run on startup.)
W32/Vanebot-I sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,msijavaup32.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/Banloa-AMU
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Banload.bha
* TROJ_BANLOAD.BBQ
* Win32/TrojanDownloader.Agent.AUI
Prevalence (1-5) 2
Description
Troj/Banloa-AMU is a Trojan for the Windows platform.
Troj/Banloa-AMU includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Banloa-AMU also contains functionality to download, install and
run new software.
Advanced
Troj/Banloa-AMU is a Trojan for the Windows platform.
Troj/Banloa-AMU includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Banloa-AMU also contains functionality to download, install and
run new software.
When Troj/Banloa-AMU is installed it creates the file
\findx.exe.
The following registry entry is created to run findx.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
win32Kernel
\findx.exe
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
|