subject: News, May 20 2007
[cut-n-paste from sophos.com]
Name Troj/ConHook-AE
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Drops more malware
* Installs itself in the Registry
* Monitors browser activity
* Installs a browser helper object
Aliases
* TROJ_AGENT.AAFS
Prevalence (1-5) 3
Description
Troj/ConHook-AE is a Trojan for the Windows platform.
Advanced
Troj/ConHook-AE is a Trojan for the Windows platform.
Troj/ConHook-AE includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/ConHook-AE is installed it creates the file
\.dll
The DLL is detected as Troj/ConHook-AD.
The following registry entries are created to run code exported by
..dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
Dllname
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
Impersonate
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
Startup
NotifyStartup
The DLL is registered as a COM object and Browser Helper Object (BHO)
for Microsoft Internet Explorer, creating registry entries under:
HKCR\CLSID\d3d60adf-7d3b-491c-9a78-0f1b085593f6
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\d3d60adf-7d3b-491c-9a78-0f1b085593f6
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\DNIdent
(default)
d3d60adf-7d3b-491c-9a78-0f1b085593f6
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\afc3c84e3b
Name Troj/Zlobmi-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Zlobmi-B is a Trojan for the Windows platform.
Advanced
Troj/Zlobmi-B is a Trojan for the Windows platform.
When Troj/Zlobmi-B is installed the following files are created:
\bpmini.exe
\bpvol.dll
The following registry entry is created to run Troj/Zlobmi-B on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
user32.dll
The file bpvol.dll is registered as a COM object and Browser Helper
Object (BHO) for Microsoft Internet Explorer, creating registry
entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FC80E00-41B0-4F74-BC16-2C83ED49CAC9}
Troj/Zlobmi-B changes search settings for Microsoft Internet Explorer
by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Search\
Name Troj/Banker-EGG
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Prevalence (1-5) 2
Description
Troj/Banker-EGG is an internet banking Trojan for the Windows platform.
Advanced
Troj/Banker-EGG is an internet banking Trojan for the Windows platform.
When first run Troj/Banker-EGG copies itself to the Windows system
folder.
Name W32/Stration-FW
Type
* Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Stration-FW is a worm for the Windows platform.
Advanced
W32/Stration-FW is a worm for the Windows platform.
When W32/Stration-FW is installed the following files are created:
\diagisr.dll
\isrprf32.dll
\isrprov.exe
The file diagisr.dll is detected as W32/Strati-Gen.
The following registry entries are created to run W32/Stration-FW on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
himem.exe
-s
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMnEx32
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
\:*:Enabled:SystemVersion
Name W32/Dundun-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Dundun-A is a parasitic virus for the Windows platform.
When run the virus will attempt to infect executable files as they
are launched.
Name W32/Stap-C
Type
* Worm
How it spreads
* Email messages
* Network shares
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Net-Worm.Win32.Stap.d
* WORM_YOURIP.E
Prevalence (1-5) 2
Description
W32/Stap-C is a worm for the Windows platform.
W32/Stap-C has the functionality to:
- spread by network shares
- send mail to email addresses found on the infected computer
Advanced
W32/Stap-C is a worm for the Windows platform.
W32/Stap-C has the functionality to:
- spread by network shares
- send mail to email addresses found on the infected computer
When first run W32/Stap-C copies itself to:
\Chikka.exe
\Office_viewer.exe
\Versekulo\readme.exe
\Versekulo\src.dll
\Versekulo\verse.exe
\Versekulo\wers.ocx
\msdtc.exe
\kernel32.exe
\Yahoo Mgr 2.0_zip.exe
\Star Wars_zip
\Pictures_zip
\Yahoo Mgr 2.0_zip
\Zuma DEluxe 1.0_zip
\The Mystery_zip
and creates the file \plog.tmp. This file can be deleted.
The following registry entry is created to run kernel32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mstask
\kernel32.exe
Registry entries are created under:
HKLM\SOFTWARE\Microsoft
Name Troj/Glibma-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Drops more malware
Aliases
* Virus.VBS.Small.g
Prevalence (1-5) 2
Description
Troj/Glibma-A is a Trojan for the Windows platform.
Advanced
Troj/Glibma-A is a Trojan for the Windows platform.
When Troj/Glibma-A is installed it creates the following files in the
\system folder:
cscript.exe
Hd.vbs
gm.BAT
gm.vbe
The file cscript.exe is a clean executable file, while the other
files are also detected as Troj/Glibma-A.
Troj/Glibma-A attempts to find and modify files with the following
extensions:
ASP
HTML
HTM
PHP
Modified files are detected as Troj/Glibif-A and will attempt to run
a script from a remote location.
Name W32/Rbot-GQK
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Rbot-GQK is a worm and IRC backdoor for the Windows platform.
Advanced
W32/Rbot-GQK is a worm and IRC backdoor for the Windows platform.
W32/Rbot-GQK spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011) and
RPC-DCOM (MS04-012).
W32/Rbot-GQK runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-GQK copies itself to \pwjbvphi.exe.
The following registry entries are created to run \pwjbvphi.exe
on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows
pwjbvphi.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows
pwjbvphi.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows
pwjbvphi.exe
Name W32/Sdbot-DES
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.bib
Prevalence (1-5) 2
Description
W32/Sdbot-DES is a worm with IRC backdoor functionality for the
Windows platform.
W32/Sdbot-DES runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Sdbot-DES is a worm with IRC backdoor functionality for the
Windows platform.
W32/Sdbot-DES runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Sdbot-DES copies itself to \sysvrs32.exe
and creates the file \uia3.tmp.
The file sysvrs32.exe is registered as a new system driver service
named "Server VSS System", with a display name of "Server VSS System"
and a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Server VSS System
Name W32/Sohana-W
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* IM-Worm.Win32.Sohanad.ao
* W32/YahLover.worm
* WORM_SOHANAD.BA
Prevalence (1-5) 2
Description
W32/Sohana-W is a worm for the Windows platform.
Advanced
W32/Sohana-W is a worm for the Windows platform.
W32/Sohana-W spreads to other computers on the network and by copying
itself to removable storage devices.
W32/Sohana-W includes functionality to access the internet and
communicate with a remote server via HTTP. The worm also includes
functionality to download, install and run new software.
When first run W32/Sohana-W copies itself to:
\SSCVIHOST.exe
\SSCVIHOST.exe
\blastclnnn.exe
and creates the following files:
\autorun.ini - Also detected as W32/Sohana-W
\setting.ini - dat file, may simply be deleted
\Tasks\At1.job - dat file, may simply be deleted
W32/Sohana-W may also attempt to download and execute the following
files:
example.eex - detected as Troj/Havar-A
nhatquanglan15.exe - detected as Perfect Keylogger
test.exe - detected as Troj/VB-DUW
The following registry entry is created to run SSCVIHOST.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger
\SSCVIHOST.exe
The following registry entry is changed to run SSCVIHOST.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe SSCVIHOST.exe
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
The following registry entries are set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
shared
\New Folder.exe
Name W32/Stration-NZ
Type
* Worm
How it spreads
* Email messages
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Warezov.nz
* W32/Warezov.gen4
Prevalence (1-5) 2
Description
W32/Stration-NZ is a worm for the Windows platform which spreads via
email.
Advanced
W32/Stration-NZ is a worm for the Windows platform which spreads via
email.
W32/Stration-NZ includes functionality to silently download, install
and run new software.
When W32/Stration-NZ is installed the following files are created:
\certmsje.dll
\dpl1npwm.dat
\dpl1npwm.dll
\dpl1npwm.exe
\psapuman.exe
\psnppack.dll
The files certmsje.dll, psapuman.exe and psnppack.dll are detected as
W32/Strati-Gen.
The following registry entries are created to run code exported by
dpl1npwm.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dpl1npwm
DllName
\dpl1npwm.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dpl1npwm
Startup
WlxStartupEvent
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dpl1npwm
Impersonate
0
Name W32/Fujacks-AJ
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.Fujack.a
* Win32/Fujacks.L
* WORM_FUJACKS.AT
Prevalence (1-5) 2
Description
W32/Fujacks-AJ is a worm for the Windows platform.
W32/Fujacks-AJ spreads to network shares and removable storage
devices with the filename setup.exe. W32/Fujacks-AJ also creates the
file autorun.inf to ensure that the file setup.exe is executed.
Advanced
W32/Fujacks-AJ is a worm for the Windows platform.
W32/Fujacks-AJ spreads to network shares and removable storage
devices with the filename setup.exe. W32/Fujacks-AJ also creates the
file autorun.inf to ensure that the file setup.exe is executed.
W32/Fujacks-AJ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Fujacks-AJ includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Fujacks-AJ appends an HTML Iframe tag to HTML and ASP files.
These modified files are detected as Troj/Fujif-Gen. W32/Fujacks-AJ
may drop the file Desktop_.ini (which may simply be deleted) in
various folders.
When first run W32/Fujacks-AJ copies itself to
\drivers\CTMONTv.exe.
The following registry entry is created to run W32/Fujacks-AJ on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svcshare
\drivers\CTMONTv.exe
The following registry entry is modified to hide W32/Fujacks-AJ, in
an attempt to make removal difficult:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
The following registry entry tree is removed by W32/Fujacks-AJ in
order to reduce system security:
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\
Name W32/Whld-C
Type
* Virus
How it spreads
* Network shares
* Infected files
* Web downloads
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Reduces system security
Prevalence (1-5) 2
Description
W32/Whld-C is a virus for the Windows platform.
W32/Whld-C spreads by infecting Windows executable files and copying
itself to network shares.
Advanced
W32/Whld-C is a virus for the Windows platform.
W32/Whld-C spreads by infecting Windows executable files and copying
itself to network shares.
When first run W32/Whld-C may create the files \Server.exe
and \IME\svchost.exe which are also detected as W32/Whld-C.
W32/Whld-C attempts to turn off System File Checking to prevent
infected Windows files being reported.
Name W32/VB-DUX
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Aliases
* Virus.Win32.VB.dx
Prevalence (1-5) 2
Description
W32/VB-DUX is a worm for the Windows platform.
Name W32/Looked-DE
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Looked-DE is a virus for the Windows platform.
Advanced
W32/Looked-DE is a virus for the Windows platform.
W32/Looked-DE spreads by infecting executable files and copying
itself to network shares protected by weak passwords.
When W32/Looked-DE is installed the following files are created:
\RichDll.dll
\uninstall\rundl132.exe
These files are also detected as W32/Looked-DE.
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
\uninstall\rundl132.exe
Name Troj/Hiload-E
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Drops more malware
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
Troj/Hiload-E is a Trojan for the Windows platform.
Advanced
Troj/Hiload-E is a Trojan for the Windows platform.
Troj/Hiload-E includes functionality to access the internet and
communicate with a remote server via HTTP, and attempts to download
and execute further files.
Troj/Hiload-E attempts to steal password information from the
infected computer.
When first run Troj/Hiload-E copies itself to \
 * Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
SOURCE: echomail via fidonet.ozzmosis.com
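Added example, not part of the post above or of the Sophos descriptions it pastes: a PowerShell sweep of the autostart and policy locations those descriptions name (the Run and RunServices keys, Policies\Explorer\Run, the Winlogon Shell value and Winlogon\Notify subkeys, Browser Helper Objects, the firewall AuthorizedApplications list, the Policies\System and Policies\Explorer values, the SHOWALL\CheckedValue and the wscsvc service key) that flags any entry carrying a file name, value name or CLSID listed in the post. It assumes an elevated PowerShell 3.0 or later session on Windows; the indicator table is transcribed from the post and is illustrative, not a complete signature set.

```powershell
# Added example (not from the post or from Sophos). Sweeps the autostart and
# policy locations named in the May 20 2007 descriptions and flags values that
# carry one of the indicators listed there. Assumes Windows, elevated
# PowerShell 3.0+. Winlogon\Notify and RunServices exist only on XP/2003-era
# systems, so a missing key is skipped rather than reported as a finding.
$Indicators = @{          # fragment (matched case-insensitively) -> what the post ties it to
    'pwjbvphi.exe'  = 'W32/Rbot-GQK'
    'SSCVIHOST.exe' = 'W32/Sohana-W'
    'CTMONTv.exe'   = 'W32/Fujacks-AJ'
    'rundl132.exe'  = 'W32/Looked-DE'
    'kernel32.exe'  = 'W32/Stap-C (kernel32.exe, not the legitimate kernel32.dll)'
    'himem.exe'     = 'W32/Stration-FW'
    'SoundMnEx32'   = 'W32/Stration-FW'
    'dpl1npwm'      = 'W32/Stration-NZ'
    'bpvol.dll'     = 'Troj/Zlobmi-B'
    'sysvrs32.exe'  = 'W32/Sdbot-DES'
    'd3d60adf-7d3b-491c-9a78-0f1b085593f6' = 'Troj/ConHook-AE BHO CLSID'
    '1FC80E00-41B0-4F74-BC16-2C83ED49CAC9' = 'Troj/Zlobmi-B BHO CLSID'
}
$AutostartKeys = @(       # HKCU keys are checked for the current user only
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
)

function Test-Indicator([string]$Text) {
    foreach ($k in $Indicators.Keys) {
        if ($Text -and $Text.IndexOf($k, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $Indicators[$k] }
    }
    return $null
}
function Get-RegistryValues([string]$Key) {
    if (-not (Test-Path $Key)) { return }
    foreach ($p in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        [pscustomobject]@{ Key = $Key; Name = $p.Name; Data = [string]$p.Value }
    }
}
function New-Finding($Location, $Name, $Data, $Match) {
    [pscustomobject]@{ Location = $Location; Name = $Name; Data = $Data; Match = $Match }
}

$findings = @()
foreach ($key in $AutostartKeys) {
    foreach ($v in Get-RegistryValues $key) {
        $match = Test-Indicator ($v.Name + ' ' + $v.Data)
        # Winlogon\Shell should be exactly explorer.exe; the post shows "Explorer.exe SSCVIHOST.exe".
        if ($v.Name -eq 'Shell' -and $v.Data.Trim() -ne 'explorer.exe' -and -not $match) { $match = 'Shell is not explorer.exe' }
        $findings += New-Finding $v.Key $v.Name $v.Data $match
    }
}
# Winlogon\Notify: each subkey's DllName is loaded into winlogon.exe (SYSTEM) at logon.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem $notify) {
        $dll = [string](Get-ItemProperty $sub.PSPath).DllName
        $findings += New-Finding $sub.PSPath 'DllName' $dll (Test-Indicator ($sub.PSChildName + ' ' + $dll))
    }
}
# Browser Helper Objects: resolve each CLSID to the DLL Internet Explorer would load.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    foreach ($sub in Get-ChildItem $bho) {
        $clsid  = $sub.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { [string](Get-ItemProperty $server).'(default)' } else { '<no InprocServer32>' }
        $findings += New-Finding $bho $clsid $dll (Test-Indicator "$clsid $dll")
    }
}
# Policy values the post lists as set to 1 (Task Manager, registry tools, Folder Options disabled).
foreach ($c in @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' })) {
    $val = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($val -eq 1) { $findings += New-Finding $c.Key $c.Name $val 'restrictive policy set (post: W32/Sohana-W)' }
}
# Hidden-file toggle neutralised (CheckedValue = 0) and Security Center key removed (post: W32/Fujacks-AJ).
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showall -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($cv -eq 0) { $findings += New-Finding $showall 'CheckedValue' $cv 'Show-hidden-files toggle disabled' }
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc')) {
    $findings += New-Finding 'HKLM:\SYSTEM\CurrentControlSet\Services' 'wscsvc' '<missing>' 'Security Center service key removed'
}
# Matched rows first, then the rest of the autostart inventory for manual review.
$findings | Sort-Object { if ($_.Match) { 0 } else { 1 } } | Format-Table -AutoSize -Wrap
```

Save it under any name (sweep.ps1 is assumed here) and run it with `powershell -ExecutionPolicy Bypass -File sweep.ps1` from an elevated prompt. Every value in the listed locations is printed, matches first, because the descriptions above show that the file and value names change from variant to variant (pwjbvphi.exe, CTMONTv.exe, dpl1npwm) while the locations do not, so the unmatched rows are the part that still needs a human look.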