Subject: News, April 25 2004
[cut-n-paste from sophos.com]
Troj/Banker-S
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Banker-S is a password stealing Trojan that attempts to capture
keylogs associated with web browsing.
Troj/Banker-S creates the following files which are all detected by this
identity:
\dllreg.exe
\sock64.dll
\rundllw.exe
\load32.exe
\vxdmgr32.exe
In order to run on system restart Troj/Banker-S creates the following
registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32
Troj/Banker-S adds the name of one of the copies of itself to the Run=
line of win.ini and the shell= line of system.ini.
Troj/Banker-S uses its own SMTP engine to send the results of the keylogger
to a Russian email address.
Troj/StartPa-AE
Aliases
Trojan.WinREG.StartPage
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/StartPa-AE changes browser settings for Microsoft Internet Explorer
each time Windows is started.
Troj/StartPa-AE is simply a text file (typically named sysdll.reg) which
can be used as an input to Regedit to set the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\HOMEOldSP
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Main\HOMEOldSP
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
sys = "regedit -s sysdll.reg"
The last of these registry entries causes the registry to be updated
using Troj/StartPa-AE each time Windows is started.
Troj/StartPa-AE may be installed on the computer by Troj/AdClick-AE.
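The two Trojans above persist through the oldest Windows autostart locations: Troj/Banker-S writes itself into the Run= line of win.ini and the shell= line of system.ini, and Troj/StartPa-AE is a .reg file that a Run-key entry silently re-imports with "regedit -s" at every boot. The following triage script is an added example (not Sophos's or the poster's code) that parses those three inputs and flags the entries a responder would want to look at; the sample win.ini, system.ini and .reg contents are constructed, and the hijack URL is a placeholder.

```python
"""Autostart triage for win.ini, system.ini and a .reg file (added example)."""
import configparser
import re
from dataclasses import dataclass


@dataclass
class Finding:
    source: str   # file the entry came from
    key: str      # INI section or registry key
    name: str     # value name
    value: str    # value data
    reason: str


# Registry keys whose values start programs at logon/boot.
RUN_KEY_RE = re.compile(
    r"\\Windows\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices)\\?$", re.I)
# Internet Explorer keys and value names rewritten by Troj/StartPa-AE.
IE_KEY_RE = re.compile(r"\\Internet Explorer\\(Main|Search)$", re.I)
IE_VALUE_NAMES = {"start page", "search page", "search bar",
                  "homeoldsp", "searchassistant"}
# "regedit -s file.reg" / "regedit /s file.reg": silent re-import at startup.
SILENT_IMPORT_RE = re.compile(r"\bregedit(\.exe)?\b.*\s[-/]s\b", re.I)


def _load_ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    return cp


def check_ini(win_ini: str, system_ini: str) -> list[Finding]:
    """Flag non-empty run=/load= in win.ini and a non-stock shell= in system.ini."""
    findings = []
    win = _load_ini(win_ini)
    for name in ("run", "load"):
        value = (win.get("windows", name, fallback="") or "").strip()
        if value:
            findings.append(Finding("win.ini", "[windows]", name, value,
                                    "program started at logon"))
    shell = (_load_ini(system_ini).get("boot", "shell", fallback="") or "").strip()
    if shell and shell.lower() != "explorer.exe":
        findings.append(Finding("system.ini", "[boot]", "shell", shell,
                                "shell= is not the stock Explorer.exe"))
    return findings


def parse_reg(text: str):
    """Yield (key, name, data) from REGEDIT4 / 'Windows Registry Editor' text.
    Quoted string values are unescaped; other types pass through as raw text;
    [-key] deletions are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = None if line.startswith("[-") else line[1:-1]
            continue
        if key is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "@" if name == "@" else name.strip().strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")
        yield key, name, data


def check_reg(text: str) -> list[Finding]:
    """Flag autostart entries and IE start/search page rewrites in a .reg file."""
    findings = []
    for key, name, data in parse_reg(text):
        if RUN_KEY_RE.search(key):
            reason = "autostart entry"
            if SILENT_IMPORT_RE.search(data):
                reason = "autostart entry that silently re-imports a .reg file"
            findings.append(Finding(".reg", key, name, data, reason))
        elif IE_KEY_RE.search(key) and name.lower() in IE_VALUE_NAMES:
            findings.append(Finding(".reg", key, name, data,
                                    "Internet Explorer start/search page rewritten"))
    return findings


# Constructed samples; the URL is a placeholder, not a real indicator.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\load32.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""
SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe C:\WINDOWS\load32.exe
[386Enh]
woafont=dosapp.fon
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hijack.example.invalid/"
"Search Page"="http://hijack.example.invalid/search"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sysdll.reg"
"""

if __name__ == "__main__":
    for f in check_ini(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI) + check_reg(SAMPLE_REG):
        print(f"{f.source}: {f.key} {f.name}={f.value!r}  <- {f.reason}")
```

On a live system the .reg text would come from "reg export" of the Run and Internet Explorer keys; the parser deliberately treats any value under a Run key as worth listing, and only escalates the reason when the value is a silent regedit import, because a benign autostart entry and the StartPa-AE trick look identical at the key level.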
Troj/Legmir-K
Aliases
PSW.QQpass.ak, Lemir-Gen, Legmir-AH
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/LegMir-K is a password-stealing Trojan.
In order to run automatically when Windows starts up the Trojan copies
itself to the file intrenat.exe in the Windows folder and adds the
following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Intrenat = C:\WINDOWS\intrenat.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Intrenat = C:\WINDOWS\intrenat.exe
Troj/LegMir-K also creates the file exp1orer.dll in the Windows folder.
This file is already detected as Troj/LegMir-E.
To avoid detection, Troj/LegMir-K attempts to terminate the following
processes:
EGHOST.EXE
MAILMON.EXE
KAVPFW.EXE
RAVTIMER.EXE
RAVMON.EXE
CCENTER.EXE
NAVAPW32.EXE
Troj/LegMir-K stores stolen passwords in the HKCR section of the registry
and sends them to the author via email. The destination email address and
the exact location in the registry can both be configured by the author.
W32/Agobot-EV
Aliases
W32/Gaobot.worm.gen.g virus, Win32/Agobot.IH trojan, W32.HLLW.Gaobot.gen
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Agobot-EV is an IRC backdoor Trojan and peer-to-peer (P2P) worm
which opens TCP ports to listen for and process commands received from a
remote intruder.
This worm will move itself into the Windows System32 folder under the
filename regsvc32.exe and create the following registry entries so that
it can execute automatically on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Generic Service Process = regsvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Generic Service Process = regsvc32.exe
W32/Agobot-EV will attempt to terminate anti-virus and software firewall
processes, in addition to other viruses, worms or Trojans.
This worm will search for shared folders on the internet with weak
passwords and copy itself into them.
W32/Agobot-EV can sniff HTTP, VULN, FTP and IRC network traffic and
steal data from them. This worm can also exploit the DCOM vulnerability
on unpatched systems and manipulate registry keys.
This worm will attempt to test the available bandwidth by posting data
to the following sites:
yahoo.co.jp
www.nifty.com
www.d1asia.com
www.st.lib.keio.ac.jp
www.lib.nthu.edu.tw
www.above.net
www.level3.com
nitro.ucsc.edu
www.burst.net
www.cogentco.com
www.rit.edu
www.nocster.com
www.verio.com
www.stanford.edu
www.xo.net
de.yahoo.com
www.belwue.de
www.switch.ch
www.1und1.de
verio.fr
www.utwente.nl
www.schlund.net
W32/Agobot-EV can also be used to initiate denial-of-service (DoS) and
synflood/httpflood/udpflood attacks against remote systems.
This worm can redirect TCP and GRE data and steal the Windows Product ID
and keys from several computer games.
W32/Agobot-EV maps several anti-virus and security-related websites to
localhost within the windows hosts file so that they appear unreachable
when a user tries to access them.
W32/Netsky-Z
Type
Win32 worm
Detection
Sophos has received many reports of this worm from the wild.
Description
W32/Netsky-Z is an internet worm which spreads by emailing itself to
addresses found within files on the local computer.
When first run W32/Netsky-Z copies itself to the Windows folder as
Jammer2nd.exe and creates the following registry entry so that
Jammer2nd.exe is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Jammer2nd = \Jammer2nd.exe
Copies of the worm in Base64 encoded and ZIP form are created in the
Windows folder with names matching pk_zip?.log where '?' is a number.
The emails use a subject and message randomly selected from the
following:
Subject lines:
Information
Hi
Document
Important
Message texts:
Important bill!
Important notice!
Important document!
Important data!
Important textfile!
Important details!
Important informations!
Important!
Important notice!
Attached file(Zip archive):
Bill.zip
Notice.zip
Important.zip
Data.zip
Textfile.zip
Details.zip
Part-2.zip
Informations.zip
W32/Netsky-Z also opens a listening port on TCP 665.
The worm will launch a denial of service attack on the following sites
between the 2nd and the 5th May 2004:
www.educa.ch
www.medinfo.ufl.edu
www.nibis.de
W32/Mimail-V
Aliases
I-Worm.Mimail.r, VBS/Inor, Win32/Moba.A, W32.Opasa{at}mm, HTML_MOBA.A
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm from
the wild.
Description
W32/Mimail-V is a Windows worm that spreads via email and filesharing
networks. W32/Mimail-V also has a backdoor component that allows a
malicious user remote access to an infected computer.
In order to run automatically when Windows starts up W32/Mimail-V copies
itself to the Windows system folder using a random filename and creates
registry entries pointing to this file under the following keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Mimail-V also creates the log file xxxx.txt in the folder from which
it was run.
The worm attempts to copy itself to the following folders of popular P2P
applications:
C:\Program Files\WinMX\Shared\
C:\Program Files\Tesla\Files\
C:\Program Files\LimeWire\Shared\
C:\Program Files\Morpheus\My Shared Folder\
C:\Program Files\eMule\Incoming\
C:\Program Files\eDonkey2000\Incoming\
C:\Program Files\Bearshare\Shared\
C:\Program Files\Grokster\My Grokster\
C:\Program Files\ICQ\Shared Folder\
C:\Program Files\Kazaa Lite K++\My Shared Folder\
C:\Program Files\Kazaa Lite\My Shared Folder\
C:\Program Files\Kazaa\My Shared Folder\
When copying itself the worm uses the following filenames:
Microsoft Office 2004 downloader.exe
WinRar 2004.exe
WinZip 2004.exe
WinRar 3.30.exe
All Windows Service Packs.exe
Windows 2003 all service packs.exe
Zone Alarm 2004 firewall.exe
Kaspersky Anti-Hacker 2004.exe
Kaspersky Antivirus 2004 downloader.exe
World Trade Center Photos.exe
World Trade Center.exe
Website Hacker.exe
Keylogger.exe
AOL Password Cracker.exe
ICQ Hacker.exe
AOL Instant Messenger (AIM) Hacker.exe
MSN Password Cracker.exe
Microsoft Windows KeyGen.exe
Microsoft Office KeyGen.exe
Outlook Password Cracker.exe
Windows 9x_nt_xp_2k Password Hacker.exe
Last Exploits.exe
Serials collection 2004.exe
ICQ Cracker.exe
Hotmail Cracker.exe
Hotmail Hacker.exe
Yahoo Hacker.exe
Yahoo Cracker.exe
FTP Cracker.exe
Password Cracker.exe
Windows 2003 full downloader.exe
Email Cracker.exe
Windows Longhorn downloader.exe
Last Porn Collection.exe
All stars porn collection.exe
2004 Child Porn.exe
Britney Spears mp3.exe
Britney Naked.exe
Britney Porn.exe
Britney Spears.exe
W32/Mimail-V also spreads via email. The subject lines and message texts
are constructed randomly from the following building blocks.
Subject Line:
Re:|Re[2]:
your|important|very important request|file|document|bill|payment
options|payment details|details| account details|info|information
successfully changed|corrected|modified
Message Text:
hi|hellothere.|!|,
|
|
this important|very important text|word|excel|ms word|ms
excel|microsoft word|microsoft excel|html
file|document|message|files|documents|messages cannot|could not|couldn't
be represented|delivered|interpreted as plain|simple|pure text|message
and|, that's why|, thats why|and i have sent|i've sent|we have
sent|we've sent|our administrator has sent| my network administrator
has sent it|this file|this document|this message as
binary|archived|compressed file|attachment|message.|!
The attachment is either an HTML file containing the embedded worm
binary or a ZIP file containing the HTML page. In the latter case the
HTML file has the FOLDER extension which results in it being displayed
by explorer or WinZip as a subfolder. When the user clicks on the icon
to enter the folder the worm is dropped and executed.
The worm collects email addresses by scanning files on the system.
W32/Mimail-V attempts to terminate running processes of anti-virus and
monitoring programs as well as of other worms such as W32/Bagle.
W32/Mimail-V has functionality to hide its process id and therefore will
not appear in the process list.
When run W32/Mimail-V attempts to connect to a remote IRC server and
join a channel via which a malicious user can control a compromised
computer.
W32/Mimail-V also listens on port 6667 and waits for a URL string
pointing to a file which the worm then downloads and executes.
W32/Agobot-QF
Aliases
W32/Gaobot.worm.gen.e virus, W32.HLLW.Gaobot.gen, WORM_AGOBOT.QF
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Agobot-QF is an IRC backdoor Trojan and network worm which
establishes an IRC channel to a remote server in order to grant an
intruder access to the compromised machine.
This worm will move itself into the Windows System32 folder under the
filename EXPLORED.EXE and may create the following registry entries so
that it can execute automatically on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Login = explored.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Login = explored.exe
This worm will also attempt to glean email addresses from the Windows
Address Book and send itself to these email addresses using its own SMTP
engine with itself included as an executable attachment.
W32/Agobot-QF will attempt to terminate anti-virus and software firewall
processes, in addition to other viruses, worms or Trojans.
For example:
'_AVPM.EXE'
'_AVPCC.EXE'
'_AVP32.EXE'
'ZONEALARM.EXE'
'ZONALM2601.EXE'
'ZATUTOR.EXE'
'ZAPSETUP3001.EXE'
'ZAPRO.EXE'
'XPF202EN.EXE'
'WYVERNWORKSFIREWALL.EXE'
'WUPDT.EXE'
'WUPDATER.EXE'
'WSBGATE.EXE'
'WRCTRL.EXE'
'WRADMIN.EXE'
'WNT.EXE'
'WNAD.EXE'
'WKUFIND.EXE'
'WINUPDATE.EXE'
'WINTSK32.EXE'
'WINSTART001.EXE'
'WINSTART.EXE'
'WINSSK32.EXE'
'WINSERVN.EXE'
'WINRECON.EXE'
'WINPPR32.EXE'
'WINNET.EXE'
'WINMAIN.EXE'
'WINLOGIN.EXE'
'WININITX.EXE'
'WININIT.EXE'
'WININETD.EXE'
'WINDOWS.EXE'
'WINDOW.EXE'
'WINACTIVE.EXE'
'WIN32US.EXE'
'WIN32.EXE'
'WIN-BUGSFIX.EXE'
'WIMMUN32.EXE'
'WHOSWATCHINGME.EXE'
'WGFE95.EXE'
'WFINDV32.EXE'
'WEBTRAP.EXE'
'WEBSCANX.EXE'
'WEBDAV.EXE'
'WATCHDOG.EXE'
'W9X.EXE'
'W32DSM89.EXE'
'VSWINPERSE.EXE'
'VSWINNTSE.EXE'
'VSWIN9XE.EXE'
'VSSTAT.EXE'
'VSMON.EXE'
'VSMAIN.EXE'
'VSISETUP.EXE'
'VSHWIN32.EXE'
'VSECOMR.EXE'
'VSCHED.EXE'
'VSCENU6.02D30.EXE'
'VSCAN40.EXE'
'VPTRAY.EXE'
'VPFW30S.EXE'
'VPC42.EXE'
'VPC32.EXE'
'VNPC3000.EXE'
'VNLAN300.EXE'
'VIRUSMDPERSONALFIREWALL.EXE'
'VIR-HELP.EXE'
'VFSETUP.EXE'
'VETTRAY.EXE'
'VET95.EXE'
'VET32.EXE'
'VCSETUP.EXE'
'VBWINNTW.EXE'
'VBWIN9X.EXE'
'VBUST.EXE'
'VBCONS.EXE'
'VBCMSERV.EXE'
'UTPOST.EXE'
'UPGRAD.EXE'
'UPDAT.EXE'
'UNDOBOOT.EXE'
'TVTMD.EXE'
'TVMD.EXE'
'TSADBOT.EXE'
'TROJANTRAP3.EXE'
'TRJSETUP.EXE'
'TRJSCAN.EXE'
'TRICKLER.EXE'
'TRACERT.EXE'
'TITANINXP.EXE'
'TITANIN.EXE'
'TGBOB.EXE'
'TFAK5.EXE'
'TFAK.EXE'
'TEEKIDS.EXE'
'TDS2-NT.EXE'
'TDS2-98.EXE'
'TDS-3.EXE'
'TCM.EXE'
'TCA.EXE'
'TC.EXE'
'TBSCAN.EXE'
'TAUMON.EXE'
'TASKMON.EXE'
'TASKMO.EXE'
'TASKMG.EXE'
'SYSUPD.EXE'
'SYSTEM32.EXE'
'SYSTEM.EXE'
'SYSEDIT.EXE'
'SYMTRAY.EXE'
'SYMPROXYSVC.EXE'
'SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE'
'SWEEP95.EXE'
'SVSHOST.EXE'
'SVCHOSTS.EXE'
'SVCHOSTC.EXE'
'SVC.EXE'
'SUPPORTER5.EXE'
'SUPPORT.EXE'
'SUPFTRL.EXE'
'STCLOADER.EXE'
'START.EXE'
'ST2.EXE'
'SSGRATE.EXE'
'SS3EDIT.EXE'
'SRNG.EXE'
'SREXE.EXE'
'SPYXX.EXE'
'SPOOLSV32.EXE'
'SPOOLCV.EXE'
'SPOLER.EXE'
'SPHINX.EXE'
'SPF.EXE'
'SPERM.EXE'
'SOFI.EXE'
'SOAP.EXE'
'SMSS32.EXE'
'SMS.EXE'
'SMC.EXE'
'SHOWBEHIND.EXE'
'SHN.EXE'
'UPDATE.EXE'
'SHELLSPYINSTALL.EXE'
'SH.EXE'
'SGSSFW32.EXE'
'SFC.EXE'
'SETUP_FLOWPROTECTOR_US.EXE'
'SETUPVAMEEVAL.EXE'
'SERVLCES.EXE'
'SERVLCE.EXE'
'SERVICE.EXE'
'SERV95.EXE'
'SD.EXE'
'SCVHOST.EXE'
'SCRSVR.EXE'
'SCRSCAN.EXE'
'SCANPM.EXE'
'SCAN95.EXE'
'SCAN32.EXE'
'SCAM32.EXE'
'SC.EXE'
'SBSERV.EXE'
'SAVENOW.EXE'
'SAVE.EXE'
'SAHAGENT.EXE'
'SAFEWEB.EXE'
'RUXDLL32.EXE'
'RUNDLL16.EXE'
'RUNDLL.EXE'
'RUN32DLL.EXE'
'RULAUNCH.EXE'
'RTVSCN95.EXE'
'RTVSCAN.EXE'
'RSHELL.EXE'
'RRGUARD.EXE'
'RESCUE32.EXE'
'RESCUE.EXE'
'REGEDT32.EXE'
'REGEDIT.EXE'
'REGED.EXE'
'REALMON.EXE'
'RCSYNC.EXE'
'RB32.EXE'
'RAY.EXE'
'RAV8WIN32ENG.EXE'
'RAV7WIN.EXE'
'RAV7.EXE'
'RAPAPP.EXE'
'QSERVER.EXE'
'QCONSOLE.EXE'
'PVIEW95.EXE'
'PUSSY.EXE'
'PURGE.EXE'
'PSPF.EXE'
'PROTECTX.EXE'
'PROPORT.EXE'
'PROGRAMAUDITOR.EXE'
'PROCEXPLORERV1.0.EXE'
'PROCESSMONITOR.EXE'
'PROCDUMP.EXE'
'PRMVR.EXE'
'PRMT.EXE'
'PRIZESURFER.EXE'
'PPVSTOP.EXE'
'PPTBC.EXE'
'PPINUPDT.EXE'
'POWERSCAN.EXE'
'PORTMONITOR.EXE'
'PORTDETECTIVE.EXE'
'POPSCAN.EXE'
'POPROXY.EXE'
'POP3TRAP.EXE'
'PLATIN.EXE'
'PINGSCAN.EXE'
'PGMONITR.EXE'
'PFWADMIN.EXE'
'PF2.EXE'
'PERSWF.EXE'
'PERSFW.EXE'
'PERISCOPE.EXE'
'PENIS.EXE'
'PDSETUP.EXE'
'PCSCAN.EXE'
'PCFWALLICON.EXE'
'PCDSETUP.EXE'
'PCCWIN98.EXE'
'PCCWIN97.EXE'
'PCCNTMON.EXE'
'PCCIOMON.EXE'
'PAVW.EXE'
'PAVSCHED.EXE'
'PAVPROXY.EXE'
'PAVCL.EXE'
'PATCH.EXE'
'PANIXK.EXE'
'PADMIN.EXE'
'OUTPOSTPROINSTALL.EXE'
'OUTPOSTINSTALL.EXE'
'OTFIX.EXE'
'OSTRONET.EXE'
'OPTIMIZE.EXE'
'ONSRVR.EXE'
'OLLYDBG.EXE'
'NWTOOL16.EXE'
'NWSERVICE.EXE'
'NWINST4.EXE'
'NVSVC32.EXE'
'NVC95.EXE'
'NVARCH16.EXE'
'NUI.EXE'
'NTXconfig.EXE'
'NTVDM.EXE'
'NTRTSCAN.EXE'
'NT.EXE'
'NSUPDATE.EXE'
'NSTASK32.EXE'
'NSSYS32.EXE'
'NSCHED32.EXE'
'NPSSVC.EXE'
'NPSCHECK.EXE'
'NPROTECT.EXE'
'NPFMESSENGER.EXE'
'NPF40_TW_98_NT_ME_2K.EXE'
'NOTSTART.EXE'
'NORTON_INTERNET_SECU_3.0_407.EXE'
'NORMIST.EXE'
'NOD32.EXE'
'NMAIN.EXE'
'NISUM.EXE'
'NISSERV.EXE'
'NETUTILS.EXE'
'NETSTAT.EXE'
'NETSPYHUNTER-1.2.EXE'
'NETSCANPRO.EXE'
'NETMON.EXE'
'NETINFO.EXE'
'NETD32.EXE'
'NETARMOR.EXE'
'NEOWATCHLOG.EXE'
'NEOMONITOR.EXE'
'NDD32.EXE'
'NCINST4.EXE'
'NAVWNT.EXE'
'NAVW32.EXE'
'NAVSTUB.EXE'
'NAVNT.EXE'
'NAVLU32.EXE'
'NAVENGNAVEX15.NAVLU32.EXE'
'NAVDX.EXE'
'NAVAPW32.EXE'
'NAVAPSVC.EXE'
'NAVAP.NAVAPSVC.EXE'
'AUTO-PROTECT.NAV80TRY.EXE'
'NAV.EXE'
'OUTPOST.EXE'
'NUPGRADE.EXE'
'N32SCANW.EXE'
'MWATCH.EXE'
'MU0311AD.EXE'
'MSVXD.EXE'
'MSSYS.EXE'
'MSSMMC32.EXE'
'MSMSGRI32.EXE'
'MSMGT.EXE'
'MSLAUGH.EXE'
'MSINFO32.EXE'
'MSIEXEC16.EXE'
'MSDOS.EXE'
'MSDM.EXE'
'MSCONFIG.EXE'
'MSCMAN.EXE'
'MSCCN32.EXE'
'MSCACHE.EXE'
'MSBLAST.EXE'
'MSBB.EXE'
'MSAPP.EXE'
'MRFLUX.EXE'
'MPFTRAY.EXE'
'MPFSERVICE.EXE'
'MPFAGENT.EXE'
'MOSTAT.EXE'
'MOOLIVE.EXE'
'MONITOR.EXE'
'MMOD.EXE'
'MINILOG.EXE'
'MGUI.EXE'
'MGHTML.EXE'
'MGAVRTE.EXE'
'MGAVRTCL.EXE'
'MFWENG3.02D30.EXE'
'MFW2EN.EXE'
'MFIN32.EXE'
'MD.EXE'
'MCVSSHLD.EXE'
'MCVSRTE.EXE'
'MCTOOL.EXE'
'MCSHIELD.EXE'
'MCMNHDLR.EXE'
'MCAGENT.EXE'
'MAPISVC32.EXE'
'LUSPT.EXE'
'LUINIT.EXE'
'LUCOMSERVER.EXE'
'LUAU.EXE'
'LSETUP.EXE'
'LORDPE.EXE'
'LOOKOUT.EXE'
'LOCKDOWN2000.EXE'
'LOCKDOWN.EXE'
'LOCALNET.EXE'
'LOADER.EXE'
'LNETINFO.EXE'
'LDSCAN.EXE'
'LDPROMENU.EXE'
'LDPRO.EXE'
'LDNETMON.EXE'
'LAUNCHER.EXE'
'KILLPROCESSSETUP161.EXE'
'KERNEL32.EXE'
'KERIO-WRP-421-EN-WIN.EXE'
'KERIO-WRL-421-EN-WIN.EXE'
'KERIO-PF-213-EN-WIN.EXE'
'KEENVALUE.EXE'
'KAZZA.EXE'
'KAVPF.EXE'
'KAVPERS40ENG.EXE'
'KAVLITE40ENG.EXE'
'JEDI.EXE'
'JDBGMRG.EXE'
'JAMMER.EXE'
'ISTSVC.EXE'
'MCUPDATE.EXE'
'LUALL.EXE'
'ISRV95.EXE'
'ISASS.EXE'
'IRIS.EXE'
'IPARMOR.EXE'
'IOMON98.EXE'
'INTREN.EXE'
'INTDEL.EXE'
'INIT.EXE'
'INFWIN.EXE'
'INFUS.EXE'
'INETLNFO.EXE'
'IFW2000.EXE'
'IFACE.EXE'
'IEXPLORER.EXE'
'IEDRIVER.EXE'
'IEDLL.EXE'
'IDLE.EXE'
'ICSUPPNT.EXE'
'ICMON.EXE'
'ICLOADNT.EXE'
'ICLOAD95.EXE'
'IBMAVSP.EXE'
'IBMASN.EXE'
'IAMSTATS.EXE'
'IAMSERV.EXE'
'IAMAPP.EXE'
'HXIUL.EXE'
'HXDL.EXE'
'HWPE.EXE'
'HTPATCH.EXE'
'HTLOG.EXE'
'HOTPATCH.EXE'
'HOTACTIO.EXE'
'HBSRV.EXE'
'HBINST.EXE'
'HACKTRACERSETUP.EXE'
'GUARDDOG.EXE'
'GUARD.EXE'
'GMT.EXE'
'GENERICS.EXE'
'GBPOLL.EXE'
'GBMENU.EXE'
'GATOR.EXE'
'FSMB32.EXE'
'FSMA32.EXE'
'FSM32.EXE'
'FSGK32.EXE'
'FSAV95.EXE'
'FSAV530WTBYB.EXE'
'FSAV530STBYB.EXE'
'FSAV32.EXE'
'FSAV.EXE'
'FSAA.EXE'
'FRW.EXE'
'FPROT.EXE'
'FP-WIN_TRIAL.EXE'
'FP-WIN.EXE'
'FNRB32.EXE'
'FLOWPROTECTOR.EXE'
'FIREWALL.EXE'
'FINDVIRU.EXE'
'FIH32.EXE'
'FCH32.EXE'
'FAST.EXE'
'FAMEH32.EXE'
'F-STOPW.EXE'
'F-PROT95.EXE'
'F-PROT.EXE'
'F-AGNT95.EXE'
'EXPLORE.EXE'
'EXPERT.EXE'
'EXE.AVXW.EXE'
'EXANTIVIRUS-CNET.EXE'
'EVPN.EXE'
'ETRUSTCIPE.EXE'
'ETHEREAL.EXE'
'ESPWATCH.EXE'
'ESCANV95.EXE'
'ICSUPP95.EXE'
'ESCANHNT.EXE'
'ESCANH95.EXE'
'ESAFE.EXE'
'ENT.EXE'
'EMSW.EXE'
'EFPEADM.EXE'
'ECENGINE.EXE'
'DVP95_0.EXE'
'DVP95.EXE'
'DSSAGENT.EXE'
'DRWEBUPW.EXE'
'DRWEB32.EXE'
'DRWATSON.EXE'
'DPPS2.EXE'
'DPFSETUP.EXE'
'DPF.EXE'
'DOORS.EXE'
'DLLREG.EXE'
'DLLCACHE.EXE'
'DIVX.EXE'
'DEPUTY.EXE'
'DEFWATCH.EXE'
'DEFSCANGUI.EXE'
'DEFALERT.EXE'
'DCOMX.EXE'
'DATEMANAGER.EXE'
'Claw95.EXE'
'CWNTDWMO.EXE'
'CWNB181.EXE'
'CV.EXE'
'CTRL.EXE'
'CPFNT206.EXE'
'CPF9X206.EXE'
'CPD.EXE'
'CONNECTIONMONITOR.EXE'
'CMON016.EXE'
'CMGRDIAN.EXE'
'CMESYS.EXE'
'CMD32.EXE'
'CLICK.EXE'
'CLEANPC.EXE'
'CLEANER3.EXE'
'CLEANER.EXE'
'CLEAN.EXE'
'CFINET32.EXE'
'CFINET.EXE'
'CFIADMIN.EXE'
'CFGWIZ.EXE'
'CFD.EXE'
'CDP.EXE'
'CCPXYSVC.EXE'
'CCEVTMGR.EXE'
'CCAPP.EXE'
'BVT.EXE'
'BUNDLE.EXE'
'BS120.EXE'
'BRASIL.EXE'
'BPC.EXE'
'BORG2.EXE'
'BOOTWARN.EXE'
'BOOTCONF.EXE'
'BLSS.EXE'
'BLACKICE.EXE'
'BLACKD.EXE'
'BISP.EXE'
'BIPCPEVALSETUP.EXE'
'BIPCP.EXE'
'BIDSERVER.EXE'
'BIDEF.EXE'
'BELT.EXE'
'BEAGLE.EXE'
'BD_PROFESSIONAL.EXE'
'BARGAINS.EXE'
'BACKWEB.EXE'
'CLAW95CF.EXE'
'CFIAUDIT.EXE'
'AVXMONITORNT.EXE'
'AVXMONITOR9X.EXE'
'AVWUPSRV.EXE'
'AVWUPD.EXE'
'AVWINNT.EXE'
'AVWIN95.EXE'
'AVSYNMGR.EXE'
'AVSCHED32.EXE'
'AVPTC32.EXE'
'AVPM.EXE'
'AVPDOS32.EXE'
'AVPCC.EXE'
'AVP32.EXE'
'AVP.EXE'
'AVNT.EXE'
'AVLTMAIN.EXE'
'AVKWCTl9.EXE'
'AVKSERVICE.EXE'
'AVKSERV.EXE'
'AVKPOP.EXE'
'AVGW.EXE'
'AVGUARD.EXE'
'AVGSERV9.EXE'
'AVGSERV.EXE'
'AVGNT.EXE'
'AVGCTRL.EXE'
'AVGCC32.EXE'
'AVE32.EXE'
'AVCONSOL.EXE'
'AU.EXE'
'ATWATCH.EXE'
'ATRO55EN.EXE'
'ATGUARD.EXE'
'ATCON.EXE'
'ARR.EXE'
'APVXDWIN.EXE'
'APLICA32.EXE'
'APIMONITOR.EXE'
'ANTS.EXE'
'ANTIVIRUS.EXE'
'ANTI-TROJAN.EXE'
'AMON9X.EXE'
'ALOGSERV.EXE'
'ALEVIR.EXE'
'ALERTSVC.EXE'
'AGENTW.EXE'
'AGENTSVR.EXE'
'ADVXDWIN.EXE'
'ADAWARE.EXE'
'AVXQUAR.EXE'
'ACKWIN32.EXE'
'AVWUPD32.EXE'
'AVPUPD.EXE'
'AUTOUPDATE.EXE'
'AUTOTRACE.EXE'
'AUTODOWN.EXE'
'AUPDATE.EXE'
'ATUPDATER.EXE'
This worm will search for shared folders on the internet with weak
passwords and copy itself into them. A text file named HOSTS may also be
dropped into C:\\drivers\etc which may contain a list
of anti-virus and other security related websites each bound to the IP
loopback address of 127.0.0.1 which would effectively prevent access to
these sites.
For example:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
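The hosts-file rewrite described above is easy to check for once you know what to look for: any security-vendor name bound to a loopback or unspecified address. The following scanner is an added example (not Sophos's or the poster's code); its watchlist is drawn from the domains listed above, the sample hosts file is constructed, and it also reports non-vendor names on loopback under a separate "other" tag since users and ad blockers put their own entries there.

```python
"""Flag security-vendor hostnames sinkholed in a Windows hosts file (added example)."""
import ipaddress

# Registrable domains from the list above; subdomains match by suffix.
WATCHLIST = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com",
}
# Names that legitimately live on loopback in a stock hosts file.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str):
    """Yield (line number, ip, hostname) for every mapping; '#' starts a comment."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:      # first field is not an address: skip, don't guess
            continue
        for host in fields[1:]:
            yield lineno, ip, host.lower().rstrip(".")


def on_watchlist(host: str, watchlist=WATCHLIST) -> bool:
    """True if host or any parent domain is on the watchlist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def find_sinkholed(text: str, watchlist=WATCHLIST) -> list[dict]:
    """Return mappings that send a name to 127.0.0.0/8, ::1 or 0.0.0.0, tagged by kind."""
    hits = []
    for lineno, ip, host in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        if host in BENIGN_LOOPBACK_NAMES:
            continue
        kind = "security-vendor" if on_watchlist(host, watchlist) else "other"
        hits.append({"line": lineno, "ip": str(ip), "host": host, "kind": kind})
    return hits


# Constructed sample: two stock lines, one LAN entry, three sinkholed vendors,
# and one user-added ad-blocking entry that should be reported as "other".
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.lan
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
0.0.0.0   www.sophos.com
127.0.0.1 ads.example.invalid   # user's own ad blocking
"""

if __name__ == "__main__":
    for hit in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']} [{hit['kind']}]")
```

Matching by parent domain rather than exact name matters here: the worm's list includes hosts such as liveupdate.symantec.com and mast.mcafee.com, and a variant can add any subdomain without touching the registrable domain.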
W32/Agobot-QF can sniff HTTP, ICMP, FTP, VULN and IRC network traffic
and steal data from them.
The following vulnerabilities can also be exploited to aid propagation
on unpatched systems and manipulate registry keys:
Remote Procedure Call (RPC) vulnerability
Distributed Component Object Model (DCOM) vulnerability
RPC Locator vulnerability
IIS5/WEBDAV Buffer Overflow vulnerability
For more information about these Windows vulnerabilities, please refer
to the following Microsoft Web pages:
Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-026
(Microsoft Security Bulletin MS03-026 has been superseded by Microsoft
Security Bulletin MS03-039).
W32/Agobot-QF can also polymorph on installation in order to evade
detection and share/delete the admin$, ipc$, etc. drives.
It can also test the available bandwidth by attempting to GET or POST
data to the following websites:
'yahoo.co.jp'
'www.nifty.com'
'www.d1asia.com'
'www.st.lib.keio.ac.jp'
'www.lib.nthu.edu.tw'
'www.above.net'
'www.level3.com'
'nitro.ucsc.edu'
'www.burst.net'
'www.cogentco.com'
'www.rit.edu'
'www.nocster.com'
'www.verio.com'
'www.stanford.edu'
'www.xo.net'
'de.yahoo.com'
'www.belwue.de'
'www.switch.ch'
'www.1und1.de'
'verio.fr'
'www.utwente.nl'
'www.schlund.net'
W32/Agobot-QF can also be used to initiate denial-of-service (DoS) and
distributed denial-of-service (DDoS) synflood/httpflood/fraggle/smurf
etc. attacks against remote systems.
This worm can steal the Windows Product ID and keys from several
computer applications or games including:
AOL Instant Messenger
Battlefield 1942
Battlefield 1942: Secret Weapons Of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
Industry Giant 2
IGI2: Covert Strike
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
NHL 2002
NHL 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
Ravenshield
Shogun Total War - Warlord Edition
Soldiers Of Anarchy
Soldier of Fortune II - Double Helix
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Windows Messenger
W32/Agobot-QF will delete all files named 'sound*.*' and the resident
process will be very difficult to terminate.
Troj/DDosSmal-B
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/DDosSmal-B is a Trojan which attempts a denial-of-service attack on
a website.
Troj/DDosSmal-B repeatedly sends random TCP/IP packets to
diana23.dyndns.org port 80 (HTTP). It does this for 10 minutes, then
sets a timeout for 1 minute. After the timeout elapses, it goes back to
the start (repeating the 10 minute flood).
In order to run automatically when Windows starts up the Trojan copies
itself to the file winsys.exe in the Windows folder and adds the
following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winsys
W32/Blaster-G
Aliases
Worm.Win32.Lovesan.f, W32/Blaster.worm.k, WORM_MSBLAST.I,
W32.Blaster.T.Worm
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Blaster-G is a worm that uses the internet to exploit the DCOM
vulnerability in the RPC (Remote Procedure Call) service as described
in W32/Blaster-A.
W32/Blaster-G copies itself to the Windows system folder as eschlp.exe.
The worm also creates a backdoor Trojan component in the Windows system
folder using the name svchosthlp.exe. The following registry entries are
created to ensure both components are run at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Helper = \eschlp.exe /fstart
MSUpdate = \svchosthlp.exe
SPUpdate = \svchosthlp.exe
The following registry entry is modified to change the default Microsoft
Internet Explorer start page to point to the following:
HKCU\Software\Microsoft\Internet Explorer\Main\
Start Page = http://www.getgood.biz
W32/Netsky-X
Aliases
W32/Netsky.y{at}mm
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Netsky-X is an email worm with backdoor functionality similar to
W32/Netsky-Y.
The worm copies itself to the Windows folder using the name
FirewallSvr.exe, creates a file called fuck_you_bagle.txt (a base64
encoded form of the worm) and sets the following registry entry to
autostart on user login:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
FirewallSvr= C:\\FirewallSvr.exe
The worm arrives in an email with the following characteristics:
Subject: Delivery failure notice (ID-)
Body text:
--- Mail Part Delivered ---
220 Welcome to [ recipient_domain_name ]
Mail type: multipart/related
--- text/html RFC 2504
MX [Mail Exchanger] mx.nt2.kl.recipient_domain_name
Exim Status OK
External or New or Delivered or Partial message is available.
Attachment: www.recipient_domain_name.recipient_username.session
--.com
W32/Netsky-X has a backdoor component listening for connections on TCP
port 82 allowing an unauthorised program to download and execute
arbitrary code on the infected computer.
The worm harvests email addresses from files on the local drives with
the following extensions:
adb, asp, cfg, cgi, dbx, dhtm, doc, eml, htm, html, jsp, mbx,
mdx, mht, mmf, msg, nch, oft, php, pl, ppt, rtf, shtm, tbb, txt,
uin, vbs, wab, wsh, xls, xml.
W32/Netsky-X sends DNS queries for the following servers:
"212.185.252.73"
"212.185.252.73"
"212.185.253.70"
"212.185.252.136"
"194.25.2.129"
"194.25.2.130"
"195.20.224.234"
"217.5.97.137"
"194.25.2.129"
"193.193.144.12"
"212.7.128.162"
"212.7.128.165"
"193.193.158.10"
"194.25.2.131"
"194.25.2.132"
"194.25.2.133"
"194.25.2.134"
"193.141.40.42"
"145.253.2.171"
"193.189.244.205"
"213.191.74.19"
"151.189.13.35"
"195.185.185.195"
"195.185.185.195"
"212.44.160.8"
Between 27th and 31st April 2004 the worm will continuously request web
pages from the following sites:
"www.nibis.de"
"www.medinfo.ufl.edu"
"www.educa.ch"
W32/Netsky-V
Aliases
I-Worm.NetSky.w, W32/Netsky.v{at}MM, W32.Netsky.V{at}mm, HTML/Debeski
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Netsky-V is a worm which uses a combination of email, HTTP and FTP
to spread. The worm itself is a Windows program (EXE) file.
W32/Netsky-V searches your hard disk for email addresses and sends email
directly to them. Note that these emails do not contain an attached copy
of W32/Netsky-V. Instead, they contain HTML instructions to fetch a copy
of the worm. The emails use a subject and message randomly selected from
the following:
Subject line:
Mail Delivery Sytem failure
Mail delivery failed
Server Status failure
Gateway Status failure
Visible message text:
The processing of this message can take a few minutes...
Converting message. Please wait...
Please wait while loading failed message...
Please wait while converting the message...
W32/Netsky-V opens up two TCP ports on your computer. An HTTP service
listens on port 5557 and an FTP service listens on port 5556. These
ports are used to "serve up" the virus to downstream victims to whom you
have sent copies of the email mentioned above.
Downstream victims can become infected simply by reading an email sent
by the virus. Note, however, that this email relies on a bug in
Microsoft Outlook for which a patch has already been published. If you
have downloaded and applied up-to-date patches from Microsoft, then the
exploit used by this email will not work and the email is harmless.
If your computer has an unpatched copy of Outlook, the W32/Netsky-V
email makes an HTTP (web) connection back to port 5557 on the computer
which sent you the email. This web connection is used to download a
second HTML script. This script in turn exploits a second bug in Outlook
to make an FTP connection back to port 5556. The FTP connection is used
to download, install and run the W32/Netsky-V worm.
W32/Netsky-V is installed into your Windows folder with the name
KasperskyAVEng.exe. The worm adds the registry value:
KasperskyAVEng
to the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
so that it runs automatically every time you logon to your computer.
Between 22 April 2004 and 28 April 2004, W32/Netsky-V mounts a denial of
service attack against the following sites:
www.keygen.us
www.freemule.net
www.kazaa.com
www.emule.de
www.cracks.am
The denial of service consists of four redundant HTML requests to each
of these sites every second.
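The W32/Netsky-V fetch sequence described above (an HTTP connection back to port 5557 on the sending machine, followed by an FTP connection to port 5556 on the same machine) is a pattern a defender can match in connection logs, as are the listening ports named earlier for W32/Netsky-Z (TCP 665), W32/Mimail-V (6667) and W32/Netsky-X (TCP 82). The following is an added example (not Sophos's or the poster's code): the log format, addresses and timestamps are constructed, the per-port confidence labels are the editor's assumption (82 and 6667 are also ordinary alt-HTTP and IRC ports), and lines are assumed to be in time order.

```python
"""Port-indicator and 5557-then-5556 sequence matching over flow log lines (added example)."""
import re
from datetime import datetime, timedelta

# Destination ports named in the descriptions above; confidence is the editor's assumption.
PORT_INDICATORS = {
    665:  ("W32/Netsky-Z listener", "high"),
    5557: ("W32/Netsky-V HTTP server", "high"),
    5556: ("W32/Netsky-V FTP server", "high"),
    82:   ("W32/Netsky-X backdoor (also a common alt-HTTP port)", "low"),
    6667: ("W32/Mimail-V listener (standard IRC port)", "low"),
}
# Constructed log format: "YYYY-mm-dd HH:MM:SS PROTO src:port -> dst:port"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line: str):
    """Parse one flow record into a dict; None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def scan(lines, window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Return one 'port' alert per indicator hit and one 'sequence' alert per
    src/dst pair that connects to 5557 and then to 5556 within the window."""
    flows = [f for f in map(parse_line, lines) if f and f["proto"] == "TCP"]
    alerts = []
    for f in flows:
        if f["dport"] in PORT_INDICATORS:
            name, confidence = PORT_INDICATORS[f["dport"]]
            alerts.append({"kind": "port", "ts": f["ts"], "src": f["src"],
                           "dst": f["dst"], "dport": f["dport"],
                           "indicator": name, "confidence": confidence})
    # Netsky-V fetch order: HTTP to 5557 first, FTP to 5556 second, same pair.
    last_http = {}
    for f in flows:
        pair = (f["src"], f["dst"])
        if f["dport"] == 5557:
            last_http[pair] = f["ts"]
        elif (f["dport"] == 5556 and pair in last_http
              and timedelta(0) <= f["ts"] - last_http[pair] <= window):
            alerts.append({"kind": "sequence", "ts": f["ts"], "src": f["src"],
                           "dst": f["dst"], "dport": 5556,
                           "indicator": "W32/Netsky-V 5557->5556 fetch sequence",
                           "confidence": "high"})
    return alerts


# Constructed sample: one benign web flow, the Netsky-V pair, an IRC flow,
# a UDP DNS flow that is ignored, and a malformed line.
SAMPLE_LOG = [
    "2004-04-25 10:00:01 TCP 192.0.2.10:1034 -> 203.0.113.5:80",
    "2004-04-25 10:00:05 TCP 192.0.2.10:1035 -> 198.51.100.7:5557",
    "2004-04-25 10:00:09 TCP 192.0.2.10:1036 -> 198.51.100.7:5556",
    "2004-04-25 10:01:00 TCP 192.0.2.11:1040 -> 203.0.113.9:6667",
    "2004-04-25 10:02:00 UDP 192.0.2.12:53001 -> 203.0.113.1:53",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['ts']} {a['kind']:8} {a['src']} -> {a['dst']}:{a['dport']} "
              f"{a['indicator']} [{a['confidence']}]")
```

The sequence rule is the useful part: a single hit on port 82 or 6667 is noise on most networks, but an HTTP connection to 5557 followed within minutes by FTP to 5556 on the same host has no ordinary explanation and identifies both the victim (src) and the infected sender (dst).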
W32/Agobot-ZY
Aliases
Backdoor.Agobot.ml, W32/Gaobot.worm.gen.k, Win32/Agobot.ML,
WORM_AGOBOT.ZM
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Agobot-ZY is a network worm which also allows unauthorised remote
access to the computer via IRC channels.
When executed W32/Agobot-ZY moves itself to the Windows system folder
with the filename smssv.exe and sets the registry entries:
HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters
"TrapPollTimeMilliSecs"=dword:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"Audoi Device Loader"="smssv.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Audoi Device Loader"="smssv.exe"
Troj/Loony-E
Aliases
Backdoor.SdBot.iw
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Loony-E is a backdoor Trojan that allows unauthorised access and
control of the infected computer from a remote location via IRC
channels.
Troj/Loony-E copies itself to the Windows system folder as SVSHOST.EXE
and creates the following registry entry in order to run itself on
system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svshostdriver
W32/Netsky-Y
Aliases
I-Worm.NetSky.y, Win32.HLLM.Netsky.based, W32/Netsky.gen{at}MM
Type
Win32 worm
Detection
Sophos has received many reports of this worm from the wild.
Description
W32/Netsky-Y is a mass mailing worm with a backdoor component.
The worm copies itself to the Windows folder using the name
FirewallSvr.exe, creates a file called fuck_you_bagle.txt (a base64
encoded form of the worm) and sets the following registry entry to
autostart on user login:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
FirewallSvr= C:\\FirewallSvr.exe
W32/Netsky-Y has a backdoor component listening for connections on TCP
port 1549 allowing an unauthorised program to download and execute
arbitrary code on the infected computer.
The worm harvests email addresses from files on the local drives with
the following extensions:
adb, asp, cfg, cgi, dbx, dhtm, doc, eml, htm, html, jsp, mbx,
mdx, mht, mmf, msg, nch, oft, php, pl, ppt, rtf, shtm, tbb, txt,
uin, vbs, wab, wsh, xls, xml.
Generated emails typically have the following form:
Subject lines:
Re: document
Re: dokument
Re: documento
Re: original
Re: documentet
Re: udokumentowac
Re: dokumentoida
Re: dokumenten
Re: belge
Message texts:
Please read the document.
Bitte lesen Sie das Dokument.
Veuillez lire le document.
Legga prego il documento.
Leia por favor o original.
Behage lese dokumentet.
Podobac sie przeczytac ten udokumentowac.
Haluta kuulua dokumentoida.
Behaga läsa dokumenten.
Mutlu etmek okumak belgili tanimlik belge
Attached file:
..pif
where name may be nothing or chosen from:
document
dokument
documento
original
dokumentet
udokumentowac
dokumentoida
dokumenten
belge
and the country code is chosen from:
xx, de, fr, it, pt, no, pl, fi, se, tc.
W32/Netsky-Y sends DNS queries for the following servers:
Between 27th and 31st April 2004 the worm will continuously request web
pages from the following sites:
"www.nibis.de"
"www.medinfo.ufl.edu"
"www.educa.ch"
W32/Zafi-A
Aliases
I-Worm.Zafi, W32/Zafi{at}MM, Win32/Zafi.A, W32.Erkez.A{at}mm
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Zafi-A is a worm that will copy itself to the Windows System or
System32 folder as a randomly named DLL and randomly named EXE file and
sets the following registry entry to ensure that it will be run on
system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
= C:\\
The following registry entry will also be created:
HKLM\Software\Microsoft\Hazafi\
This registry entry will have a value name beginning with an uppercase
'R' followed by a number.
Other information stored in the registry at this location includes the
name of the infected system and the default email address of the user.
This worm will test for the presence of an Internet connection by
attempting to connect to Google.com. It will also record the URL of
every website visited by the user in keys within the following registry
branch:
HKCU\Software\Microsoft\Internet Explorer\TypedURLs\
W32/Zafi-A will also create other randomly named DLL files in the
Windows System or System32 folder. This worm will glean email addresses
from files which have the following extensions and save them into the
randomly named DLL files: HTM, WAB, TXT, DBX, TBB, ASP, PHP, SHT, ADB,
MBX, EML and PMR.
W32/Zafi-A attempts to include itself as an attachment in email
messages sent to addresses in Hungary. The sender is either the user's
default email address or kepeslapok{at}meglep.hu.
The subject of these emails is:
'kepeslap erkezett!'
The body text is in Hungarian and states that the recipient has received
an ecard. The attachment may be named:
'link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com'.
This worm will try to terminate several anti-virus and security related
applications including:
'zonalarm.exe'
'vbsntw.exe'
'vbcons.exe'
'pccguide.exe'
'outpost.exe'
'regedit.exe'
'regedit32.exe'
'navapw32.exe'
'pcciomon.exe'
'navdx.exe'
'navstub.exe'
'navw32.exe'
'ndd32.exe'
'netmon.exe'
'netarmor.exe'
'netinfo.exe'
'nmain.exe'
'nprotect.exe'
'ntvdm.exe'
'ostronet.exe'
'vsmain.exe'
'vsmon.exe'
'vsstat.exe'
'vbust.exe'
'mcagent.exe'
'fsav32.exe'
'fssm32.exe'
'fsm32.exe'
'fsbwsys.exe'
'fsgk32.exe'
'dfw.exe'
'tnbutil.exe'
'taskmgr.exe'
'winlogon.exe'
'fvprotect.exe'
This worm will only work during April 2004.
W32/Zafi-A will display the following Hungarian text in a messagebox on
screen if executed on the 1st May 2004:
Emberek! Magyarok szazezrei, millioi elnek naprol - napra, halnak ehen -
szomjan, s szegenysegben hazankban! Mikozben jonehany felso parlamenti
gazember millios vagyonokra tesz szert, mitsem torodve velunk.
Latszat emberek iranyitanak, kik emelik fizetesunk, s ketszer annyi adot
vonnak le, kik igazsagszolgaltatasrol regelnek, mikor a bunozoket es a
novekvo agressziot vedik torvenyeikkel, kik inkabb Forma1-re ocsekoljak
a penzt, mialatt hajlektalanokhalnak meg naponta utcainkon, s korhazi
betegek szenvednek szukseges muszerek nelkul.
Hogy - hogy nem latja ezt senki ???? Miert nincs egy igaz magyar, ki
vegremar nem sajat erdekeit, hanem az orszag sulyos problemait helyezne
eloterbe!!!
Nem eleg akarni, s beszelni, meg szonoklatni a szepet,s jot,
tenni-tenni-tenni kell, egyarant mindenkinek - mindenkiert!
== HAZAFI == /Pecs,2004, (SNAF Team)/
This translates as:
People! Hundreds of thousands, millions of Hungarian people live day to
day and die from starvation, thirst and poverty in our country. This is
while many villainous MPs make millions, and don't even think about what
is happening to us. Puppets are in control. They increase our salaries
while doubling our taxes. They talk about justice while their laws
protect criminals. They rather waste money on Formula 1 while homeless
people die on the streets every day and patients suffer in hospitals
without the proper equipment. Why - why can nobody see this??? Why isn't
there a true Hungarian patriot, who puts solving the severe problems of
this country ahead of his own benefits!!! It is not
enough just to want, to talk, or to give speeches about the good and the
nice. There must be action. Something must be done by everybody and for
everybody!
== PATRIOT == /Pecs,2004, (SNAF Team)/
W32/Sdbot-CP
Aliases
Backdoor.IRCBot.gen, W32/Spybot.worm.gen.a, Win32/IRCBot.DG,
W32.Randex.gen, WORM_RBOT.G
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Sdbot-CP is an IRC backdoor Trojan and network worm.
W32/Sdbot-CP spreads to other computers on the local network protected
by weak passwords.
When first run W32/Sdbot-CP copies itself to the Windows System folder
as csrs32.exe and creates the following registry entries, so that
csrs32.exe is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
System32-Driver = csrs32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
System32-Driver = csrs32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
System32-Driver = csrs32.exe
The Trojan sets the following registry entry, in order to disable the
use of certain system programs such as Regedit.exe:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
System\DisableRegistryTools = 1
Each time the Trojan runs it attempts to connect to a remote IRC server
and join a specific channel. The Trojan then runs continuously in the
background listening on the channel for commands to execute.
The Trojan attempts to terminate selected anti-virus and
security-related programs.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
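As an added defender-side example (not part of the Sophos text or of this post), a Python check that parses a Windows registry export and flags the autostart value names, the DisableRegistryTools policy setting and the Hazafi key named in the descriptions above; the sample export and its benign "ExampleUpdater" entry are constructed.

```python
import re

# Autostart value names this bulletin attributes to the malware it describes.
SUSPECT_RUN_VALUES = {
    "KasperskyAVEng": "W32/Netsky-V",
    "Audoi Device Loader": "W32/Agobot-ZY",
    "svshostdriver": "Troj/Loony-E",
    "FirewallSvr": "W32/Netsky-Y",
    "System32-Driver": "W32/Sdbot-CP",
}
# Run and RunServices keys under HKLM or HKCU, in long (.reg) or short form.
AUTORUN_KEY = re.compile(
    r"^HK(?:LM|CU|EY_LOCAL_MACHINE|EY_CURRENT_USER)\\Software\\Microsoft"
    r"\\Windows\\CurrentVersion\\Run(?:Services)?$", re.IGNORECASE)
POLICY_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Policies\System"

def parse_reg(text):
    """Yield (key, value_name, data) from a .reg export (REG_SZ and dword lines)."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            yield key, name.strip('"'), data.strip('"')

def find_indicators(reg_text):
    """Return (label, key, name, data) for every entry matching the bulletin."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        if AUTORUN_KEY.match(key) and name in SUSPECT_RUN_VALUES:
            hits.append((SUSPECT_RUN_VALUES[name], key, name, data))
        elif (key.lower().endswith(POLICY_KEY.lower())
              and name == "DisableRegistryTools" and data.lower() == "dword:00000001"):
            hits.append(("registry tools disabled (as by W32/Sdbot-CP)", key, name, data))
        elif "\\microsoft\\hazafi" in key.lower():  # W32/Zafi-A stores its data here
            hits.append(("W32/Zafi-A", key, name, data))
    return hits

# Constructed sample export: one benign entry plus three bulletin indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Audoi Device Loader"="smssv.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hazafi]
"R1234"="WORKSTATION-01"
'''
```

Run `find_indicators` over the output of `reg export` on a host under investigation; each hit names the family the bulletin ties that value to.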
SOURCE: echomail via fidonet.ozzmosis.com