echo: virus_info
to: ALL
from: KURT WISMER
date: 2004-06-26 13:06:00
subject: News, June 26 2004

[cut-n-paste from sophos.com]

JS/Scob-A

Aliases
JS/Exploit-DialogArg.b trojan, Trojan.JS.Scob.a

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
JS/Scob-A is a JavaScript trojan that is reported to be appended to 
HTML files on IIS machines.

JS/Scob-A downloads a file from a Russian website; this website is no 
longer accessible.





W32/NetskyP-Dam

Aliases
WORM_NETSKY.DAM

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
Sophos Anti-Virus detects as W32/NetskyP-Dam damaged, non-working 
samples of W32/Netsky-P.





W32/Korgo-R

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Korgo-R is a network worm using the LSASS exploit to propagate 
(MS04-011). When executed the worm copies itself to the Windows system 
folder using a randomly generated name and creates the following registry 
entry so that the worm starts when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update = \.exe

During infection the worm will also use the temporary registry values
HKLM\Software\Microsoft\Wireless\Client = 1
HKLM\Software\Microsoft\Wireless\ID = 

W32/Korgo-R scans random IP addresses attempting to exploit them, and
sends the results to a remote PHP script. Infected machines run a
basic web server on ports TCP/2000-8191 and will serve the worm's content
upon connection.

W32/Korgo-R includes a backdoor component which can be used to upload 
and run files on the infected computer.





W32/Sdbot-JB

Aliases
W32.Randex.gen, WORM_SDBOT.CT

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Sdbot-JB is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Sdbot-JB copies itself to the Windows system folder as WINUPDATE.EXE
and creates entries in the registry at the following locations so as to 
run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

W32/Sdbot-JB attempts to spread to network shares with weak passwords.

W32/Sdbot-JB also sits in the background as a service process waiting 
for commands from a remote user.





W32/Korgo-M

Aliases
Worm.Win32.Padobot.k, W32/Korgo.worm.t, Win32/Korgo.S, W32.Korgo.N

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Korgo-M is a network worm which uses the LSASS exploit to propagate. 
When executed the worm copies itself to the Windows system folder using 
a randomly generated name and creates the following registry entry so 
that the worm starts when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update = \.exe

During infection the worm will also use the registry value
HKLM\Software\Microsoft\Wireless\ID = 

W32/Korgo-M deletes the file FTPUPD.EXE, if it exists. The worm also 
attempts to terminate processes such as SysTray, WinUpdate and 
avserve.exe and deletes the corresponding entries in the registry, if 
they exist at the following location:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

W32/Korgo-M scans random IP addresses attempting to exploit them, the 
results of the scans being transmitted to one of several IRC servers and 
channels.





W32/Agobot-KC

Aliases
Backdoor.Agobot.gen, W32/Gaobot.worm.gen.f, W32.HLLW.Gaobot.gen

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-KC is a backdoor worm which spreads to computers protected
by weak passwords.

When first run W32/Agobot-KC moves itself to the Windows system folder
as wmmon32.exe and creates the following registry entries to run itself 
on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
WSSAConfiguration= "wmmon32.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
WSSAConfiguration= "wmmon32.exe"

Each time the worm is run it attempts to connect to a remote IRC server
and join a specific channel. The worm then runs continuously in the
background, allowing a remote intruder to access and control the 
computer via IRC channels.

W32/Agobot-KC attempts to terminate and disable various anti-virus and
security-related programs. The worm also modifies the HOSTS file in the
Drivers\etc subfolder of the Windows system folder, preventing access to
many anti-virus web sites.

Additionally, the worm may attempt to delete local network shares, and 
to steal registration keys for software products installed on the user's
computer.





W32/Korgo-P

Aliases
Worm.Win32.Padobot.g

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Korgo-P is a network worm that uses the LSASS exploit to propagate
(see Microsoft Security Bulletin MS04-011 for more details).

W32/Korgo-P copies itself to the Windows system folder with a randomly-
generated filename between 5 and 8 characters long and creates the 
following registry entry so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update

W32/Korgo-P attempts to send itself to random IP addresses by HTTP with
the filename X.EXE.

W32/Korgo-P sends encrypted reports to a number of remote websites and
may be instructed to download and run further files from them to a 
random 6-letter filename in the Windows system folder.

W32/Korgo-P attempts to delete the file FTPUPD.EXE. The worm also tries
to terminate certain processes, including SysTray, WinUpdate and Disk
Defragmenter, also deleting the corresponding entries in the registry at 
the following location in order to prevent them from running on system 
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

W32/Korgo-P sets the following registry entry temporarily during 
infection:

HKLM\Software\Microsoft\Wireless\Client = 1

W32/Korgo-P sets the following registry entry to a random string:

HKLM\SOFTWARE\Microsoft\Wireless\ID





W32/Rbot-BL

Aliases
W32/Sdbot.worm.gen.g

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Rbot-BL is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-BL spreads to network shares with weak passwords as a result of
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-BL copies itself to the Windows system folder as WUAMGRD.EXE
and creates entries at the following locations in the registry so as to 
run itself on system startup, trying to reset them every minute:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-BL sets the following registry entries, trying to reset them 
every 2 minutes.

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-BL tries to delete the C$, D$, E$, IPC$ and ADMIN$ network 
shares on the host computer every 2 minutes.

W32/Rbot-BL attempts to terminate certain processes related to 
anti-virus and security programs including REGEDIT.EXE, MSCONFIG.EXE and 
NETSTAT.EXE.

--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
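An added offline triage script, not Sophos's text and not code from the poster, that checks a `reg export` dump and a HOSTS file for the host-side indicators quoted across the Korgo-M/P/R, Sdbot-JB, Rbot-BL and Agobot-KC entries above: the "Windows Update" and "WSSAConfiguration" Run values, the WINUPDATE.EXE / WUAMGRD.EXE / wmmon32.exe images, the Korgo Wireless\Client and Wireless\ID markers, the EnableDCOM=N and restrictanonymous=1 settings Rbot-BL forces, and HOSTS entries that sink-hole anti-virus sites. The registry export and HOSTS samples are constructed, the random Korgo file name in them is made up, and the anti-virus domain watch list is an assumption, since the Agobot-KC entry names no specific sites.

```python
"""Offline triage of a Windows registry export and HOSTS file for the
persistence and tampering indicators in the Korgo, Sdbot, Rbot and Agobot
write-ups. Added example, not Sophos code; all sample input is constructed."""
import re

# Value names, image names and settings quoted in the advisories.
SUSPECT_VALUE_NAMES = {"windows update": "Korgo-M/P/R", "wssaconfiguration": "Agobot-KC"}
SUSPECT_IMAGES = {"winupdate.exe": "Sdbot-JB", "wuamgrd.exe": "Rbot-BL", "wmmon32.exe": "Agobot-KC"}
AUTORUN_SUFFIXES = ("currentversion\\run", "currentversion\\runonce", "currentversion\\runservices")
# Assumed watch list: the Agobot-KC entry names no domains, these are illustrative.
AV_WATCHLIST = ("sophos.com", "symantec.com", "mcafee.com", "trendmicro.com", "kaspersky.com")

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax written by `reg export`: [key] headers
    followed by "name"="string" or "name"=dword:hex lines. Returns
    {key: {name: value}} with strings unescaped and dwords as decimal strings."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:  # banner, blank, comment or hex continuation
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        value = m.group(2).strip()
        if value.lower().startswith("dword:"):
            value = str(int(value[6:], 16))
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # undo \\ and \" escaping
        keys[current][name] = value
    return keys


def find_indicators(keys):
    """Return (family, detail) pairs for every advisory indicator in the export."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        lower = {n.lower(): (n, v) for n, v in values.items()}
        if k.endswith(AUTORUN_SUFFIXES):
            for name, value in values.items():
                image = value.strip('"').rsplit("\\", 1)[-1].lower()
                family = SUSPECT_VALUE_NAMES.get(name.lower()) or SUSPECT_IMAGES.get(image)
                if family:
                    hits.append((family, f"{key}\\{name} = {value}"))
        elif k.endswith("\\microsoft\\wireless"):
            # Korgo infection markers: Client = 1 and a random string in ID.
            for n in ("client", "id"):
                if n in lower:
                    hits.append(("Korgo-M/P/R", f"{key}\\{lower[n][0]} = {lower[n][1]}"))
        elif k.endswith("\\microsoft\\ole") and lower.get("enabledcom", ("", ""))[1].upper() == "N":
            hits.append(("Rbot-BL", f"{key}\\EnableDCOM = N"))
        elif k.endswith("\\control\\lsa") and lower.get("restrictanonymous", ("", ""))[1] == "1":
            hits.append(("Rbot-BL", f"{key}\\restrictanonymous = 1"))
    return hits


def hosts_tampering(text, watch_domains=AV_WATCHLIST):
    """Flag HOSTS lines that sink-hole a name to loopback/0.0.0.0 (other than
    the stock localhost entries) or that mention a watched vendor domain."""
    flagged = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], [n.lower() for n in parts[1:]]
        for n in names:
            if n in ("localhost", "localhost.localdomain") and addr in ("127.0.0.1", "::1"):
                continue
            sink = addr in ("127.0.0.1", "0.0.0.0", "::1")
            watched = any(n == d or n.endswith("." + d) for d in watch_domains)
            if sink or watched:
                flagged.append(line)
                break
    return flagged


def triage(reg_text, hosts_text):
    return {"registry": find_indicators(parse_reg_export(reg_text)),
            "hosts": hosts_tampering(hosts_text)}


# Constructed sample export; "qxkvbn.exe" stands in for Korgo's random file name.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINDOWS\\system32\\qxkvbn.exe"
"WSSAConfiguration"="wmmon32.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless]
"Client"=dword:00000001
"ID"="x7q2mpz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

# Constructed HOSTS file: two sink-holed vendor names plus a legitimate local entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       liveupdate.symantec.com
10.0.0.5        intranet.example    # legitimate local entry
"""

if __name__ == "__main__":
    for section, items in triage(SAMPLE_REG, SAMPLE_HOSTS).items():
        print(section)
        for item in items:
            print("   ", item)
```

EnableDCOM=N and restrictanonymous=1 are also legitimate hardening settings, so on their own they are weak signals; what makes the Rbot-BL case is that they are re-applied every two minutes alongside the WUAMGRD.EXE Run entries, and the Korgo Wireless markers and a Run value named "Windows Update" pointing at a random binary are the strong indicators. Run the script against a real `reg export HKLM` dump and `%SystemRoot%\system32\drivers\etc\hosts` copied off the suspect machine, not on the live host.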
