TIP: Click on subject to list as thread!

ANSI

echo:	virus_info
to:	ALL
from:	KURT WISMER
date:	2006-02-25 12:15:00
subject:	News, February 25 2006
[cut-n-paste from sophos.com] Name Troj/Bdoor-QD Type * Trojan Affected operating systems * Windows Side effects * Allows others to access the computer * Installs itself in the Registry Aliases * Trojan-Proxy.Win32.Agent.bh * Backdoor.Trojan * BackDoor-COS * TROJ_AGENT.EQ Prevalence (1-5) 2 Description Troj/Bdoor-QD is a backdoor Trojan for the Windows platform. Troj/Bdoor-QD provides unauthorized remote access to the infected computer. Advanced Troj/Bdoor-QD is a backdoor Trojan for the Windows platform. Troj/Bdoor-QD provides unauthorized remote access to the infected computer. When first run Troj/Bdoor-QD copies itself to \.exe. The following registry entries are created to run .exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DllLoader32 \.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce DllLoader32 \.exe Name W32/Rbot-CGC Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Downloads code from the internet * Reduces system security * Installs itself in the Registry * Exploits system or software vulnerabilities Aliases * Backdoor.Win32.Rbot.aie * W32/Sdbot.OLP Prevalence (1-5) 2 Description W32/Rbot-CGC is a worm and IRC backdoor Trojan for the Windows platform. W32/Rbot-CGC spreads to other network computers infected with: Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix and to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (ms04-011) (CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware (CAN-2003-1030) and ASN.1 (MS04-007). W32/Rbot-CGC runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. Advanced W32/Rbot-CGC is a worm and IRC backdoor Trojan for the Windows platform. W32/Rbot-CGC spreads to other network computers infected with: Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix and to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (ms04-011) (CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware (CAN-2003-1030) and ASN.1 (MS04-007). W32/Rbot-CGC runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. When first run W32/Rbot-CGC copies itself to \msupdate33e.exe. The following registry entries are created to run secsvc.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Intec Services Drivers msupdate22e.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices Intec Services Drivers msupdate22e.exe Registry entries are set as follows: HKCU\Software\Microsoft\OLE Intec Services Drivers msupdate22e.exe HKLM\SOFTWARE\Microsoft\Ole EnableDCOM N HKLM\SYSTEM\CurrentControlSet\Control\Lsa restrictanonymous 1 The following patches for the operating system vulnerabilities exploited by W32/Rbot-CGC can be obtained from the Microsoft website: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx Name W32/Brontok-W Type * Worm Affected operating systems * Windows Side effects * Sends itself to email addresses found on the infected computer * Forges the sender's email address * Uses its own emailing engine * Installs itself in the Registry Aliases * Email-Worm.Win32.Brontok.c * W32/Rontokbro.gen{at}MM * W32/Brontok-Fam * W32.Rontokbro{at}mm * WORM_RONTKBR.GEN Prevalence (1-5) 2 Description W32/Brontok-W is an email worm for the Windows platform. W32/Brontok-W attempts to send itself to email addresses harvested from the computer. The worm will also attempt to modify various Windows Explorer settings. Advanced W32/Brontok-W is an email worm for the Windows platform. W32/Brontok-W attempts to send itself to email addresses harvested from the computer. The worm will also attempt to modify various Windows Explorer settings. When first run W32/Brontok-W copies itself to: \Local Settings\Application Data\csrss.exe \Local Settings\Application Data\inetinfo.exe \Local Settings\Application Data\lsass.exe \Local Settings\Application Data\services.exe \Local Settings\Application Data\smss.exe \Start Menu\Programs\Startup\empty.gif \ShellNew\sempalong.exe \eksplorasi.exe The following registry entries are created to run W32/Brontok-W on startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus \Local Settings\Application Data\smss.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus \ShellNew\sempalong.exe The following registry entry is changed to run eksplorasi.exe on startup: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Explorer.exe "\eksplorasi.exe" (the default value for this registry entry is "Explorer.exe" which causes the Microsoft file \Explorer.exe to be run on startup). The following registry entry is set, disabling the registry editor (regedit): HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools 1 Registry entries are set as follows: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoFolderOptions 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableCMD 0 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden 0 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden 0 Name Troj/Goldun-BX Type * Spyware Trojan Affected operating systems * Windows Side effects * Steals information * Drops more malware * Installs itself in the Registry Aliases * Trojan-Spy.Win32.Goldun.hp Prevalence (1-5) 2 Description Troj/Goldun-BX is a Trojan for the Windows platform. The Trojan attempts to steal login details and block access to anti-virus related web and FTP sites. Advanced Troj/Goldun-BX is a Trojan for the Windows platform. The Trojan attempts to steal login details and block access to anti-virus related web and FTP sites. When Troj/Goldun-BX is installed the following files are created: \directout.sys \directut.dll The file directout.sys is detected as Troj/Haxdor-Gen and the file directut.dll is detected as Troj/Goldun-BX. The following registry entries are created to run code exported by directut.dll on startup: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\directut DllName directut.dll HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\directut Startup directut HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\directut Impersonate 1 Name Troj/Bancos-QG Type * Spyware Trojan Affected operating systems * Windows Side effects * Steals information * Records keystrokes * Installs itself in the Registry Aliases * PWSteal.Bancos Prevalence (1-5) 2 Description Troj/Bancos-QG is an Internet Banking Trojan for the Windows platform. Troj/Bancos-QG has the functionalities to: - display fake screens - record keystrokes - communicate with a remote server Advanced Troj/Bancos-QG is an Internet Banking Trojan for the Windows platform. Troj/Bancos-QG has the functionalities to: - display fake screens - record keystrokes - communicate with a remote server When run, Troj/Bancos-QG copies itself to \tasklist32.exe Troj/Bancos-QG sets the following registry entry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TaskList \tasklist32.exe Name Troj/Banker-AKW Type * Trojan Affected operating systems * Windows Side effects * Installs itself in the Registry Aliases * Trojan-Spy.Win32.Agent.ch Prevalence (1-5) 2 Description Troj/Banker-AKW is a Trojan for the Windows platform. Advanced Troj/Banker-AKW is a Trojan for the Windows platform. When first run Troj/Banker-AKW copies itself to \iewq32.exe and creates the folder \IEDW. The following registry entry is created to run iewq32.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iewq32.exe \iewq32.exe The following registry entry is set: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion pname iewq32.exe Name W32/Sdbot-AXP Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Installs itself in the Registry * Exploits system or software vulnerabilities Aliases * Backdoor.Win32.Rbot.gen Prevalence (1-5) 2 Description W32/Sdbot-AXP is a worm and IRC backdoor Trojan for the Windows platform. W32/Sdbot-AXP spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx), WKS (http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx) (CAN-2003-0812), PNP (http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx) and ASN.1 (http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx). W32/Sdbot-AXP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. Advanced W32/Sdbot-AXP is a worm and IRC backdoor Trojan for the Windows platform. W32/Sdbot-AXP spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx), WKS (http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx) (CAN-2003-0812), PNP (http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx) and ASN.1 (http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx). W32/Sdbot-AXP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. When first run W32/Sdbot-AXP copies itself to \sxrose.exe. W32/Sdbot-AXP creates the following registry entries to run on startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Compaq Service Drivers sxrose.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\Compaq Service Drivers sxrose.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Compaq Service Drivers sxrose.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Compaq Service Drivers sxrose.exe W32/Sdbot-AXP also creates the following registry entries: HKLM\SOFTWARE\Microsoft\Ole\Compaq Service Drivers sxrose.exe HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Compaq Service Drivers sxrose.exe HKCU\Software\Microsoft\OLE\Compaq Service Drivers sxrose.exe HKCU\SYSTEM\CurrentControlSet\Control\Lsa\Compaq Service Drivers sxrose.exe HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM N HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous 0x00000001 HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count 0x00000000 HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance 0x00000000 HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start 0x00000004 HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start 0x00000004 Name Troj/Torpig-AI Type * Spyware Trojan Affected operating systems * Windows Side effects * Steals information * Downloads code from the internet * Reduces system security * Records keystrokes * Installs itself in the Registry Aliases * Trojan-Dropper.Win32.Small.amd Prevalence (1-5) 2 Description Troj/Torpig-AI is a Trojan for the Windows platform. Troj/Torpig-AI includes functionality to - capture keystrokes - steal email login information - steals information from protected storage areas - access the internet and communicate with a remote server via HTTP. Advanced Troj/Torpig-AI is a Trojan for the Windows platform. Troj/Torpig-AI includes functionality to - capture keystrokes - steal email login information - steals information from protected storage areas - access the internet and communicate with a remote server via HTTP. When Troj/Torpig-AI is installed the following files are created: \Microsoft Shared\Web Folders\ibm00001.dll \Microsoft Shared\Web Folders\ibm00001.exe \Microsoft Shared\Web Folders\ibm00002.dll These files are also detected as Troj/Torpig-AI. The following registry entry is created to run ibm00001.exe on startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Shell \Microsoft Shared\Web Folders\ibm00001.exe The following registry entry is changed to run ibm00001.exe on startup: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell explorer.exe "\Microsoft Shared\Web Folders\ibm00001.exe" (the default value for this registry entry is "Explorer.exe" which causes the Microsoft file \Explorer.exe to be run on startup). The following registry entries are also set: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control\ HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control\ HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control\ HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control\ Name Troj/FeebDl-G Type * Trojan Affected operating systems * Windows Side effects * Downloads code from the internet * Reduces system security * Installs itself in the Registry Aliases * JS/Feebs.gen.d{at}MM Prevalence (1-5) 2 Description Troj/FeebDl-G is an HTML file which acts as a downloader Trojan for the Windows Platform. Troj/FeebDl-G attempts to download one of several encoded executable files, and to decode and execute it. Advanced Troj/FeebDl-G is an HTML file which acts as a downloader Trojan for the Windows Platform. Troj/FeebDl-G attempts to download one of several encoded executable files and decode it to \userinit.exe. At the time of writing this file is detected by Sophos as W32/Feebs-Gen. Troj/FeebDl-G attempts to set the following registry entries: HKCU\Software\Microsoft\Internet Explorer mal Troj/FeebDl-G attempts to delete the following registry entries: HKLM\SYSTEM\CurrentControlSet\Services\KmxFile HKLM\SYSTEM\CurrentControlSet\Services\pcipim HKLM\SYSTEM\CurrentControlSet\Services\pcIPPsC HKLM\SYSTEM\CurrentControlSet\Services\RapDrv HKLM\SYSTEM\CurrentControlSet\Services\FirePM Troj/FeebDl-G attempts to set the following registry entry in order to automatically start the file it has downloaded on system start: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ {CD5AC91B-AE7B-E83A-0C4C-E616075972F3} Stubpath C:\recycled\userinit.exe Name Troj/Clagger-H Type * Trojan Affected operating systems * Windows Side effects * Downloads code from the internet * Reduces system security Aliases * Trojan-Downloader.Win32.Small.ckw * Downloader-ATM Prevalence (1-5) 2 Description Troj/Clagger-H is a Trojan for the Windows platform. Troj/Clagger-H includes functionality to download, install and run new software. The Trojan horse has been seen spammed out in emails with the following characteristics: Subject: Notification: Your Account Temporally Limited Message body: Dear PayPal customer! As part of our security measures, we regularly screen activity in the PayPal system. We recently contacted you after noticing an issue on your account.We requested information from you for the following reason: We recently received a report of credit card use associated with this account. As a precaution, we have limited access to your PayPal account in order to protect against future unauthorized transactions.You can check your transaction details in attachment. Case ID Number: RR-0922-014 If, after reviewing your transaction information, you seek further clarification regarding your account access, please contact PayPal by visiting the Help Center and clicking "Contact Us". We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience. Sincerely, PayPal Account Review Department PayPal Email ID RR-0922 Advanced Troj/Clagger-H is a Trojan for the Windows platform. Troj/Clagger-H includes functionality to download, install and run new software. The Trojan horse has been seen spammed out in emails with the following characteristics: Subject: Notification: Your Account Temporally Limited Message body: Dear PayPal customer! As part of our security measures, we regularly screen activity in the PayPal system. We recently contacted you after noticing an issue on your account.We requested information from you for the following reason: We recently received a report of credit card use associated with this account. As a precaution, we have limited access to your PayPal account in order to protect against future unauthorized transactions.You can check your transaction details in attachment. Case ID Number: RR-0922-014 If, after reviewing your transaction information, you seek further clarification regarding your account access, please contact PayPal by visiting the Help Center and clicking "Contact Us". We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience. Sincerely, PayPal Account Review Department PayPal Email ID RR-0922 Troj/Clagger-H attempts to download to the Windows folder and run the suhoy.exe file which is detected as Troj/CashGrab-N. The following registry entries are set, affecting internet security: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL policy\StAnDaRDPrOFiLe\AUtHorizedapplications\List \::ENABLED:_ Name Troj/Spywad-AE Type Trojan Affected operating systems * Windows Side effects * Installs itself in the Registry Aliases * Downloader-AFH Prevalence (1-5) 2 Description Troj/Spywad-AE is a Trojan for the Windows platform. Troj/Spywad-AE includes functionality to access the internet and communicate with a remote server via HTTP. Advanced Troj/Spywad-AE is a Trojan for the Windows platform. Troj/Spywad-AE includes functionality to access the internet and communicate with a remote server via HTTP. When first run Troj/Spywad-AE copies itself to \winstall.exe and creates the file \Application Data\Install.dat. The following registry entries are created to run Troj/Spywad-AE on startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows installer C:\winstall.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run pro Registry entries are created under: HKCU\Software\Install\ Name W32/Maslan-J Type * Worm How it spreads * Email messages * Infected files Affected operating systems * Windows Side effects * Sends itself to email addresses found on the infected computer * Drops more malware * Uses its own emailing engine * Exploits system or software vulnerabilities * Leaves non-infected files on computer Aliases * Net-Worm.Win32.Maslan.a * W32/Maslan.b{at}MM Prevalence (1-5) 2 Description W32/Maslan-J is a overwriting virus and mass mailing worm for the Windows platform. W32/Maslan-J also drops a backdoor Trojan that is detect by Sophos as Troj/Sdbot-RV. Advanced W32/Maslan-J is a overwriting virus and mass mailing worm for the Windows platform. When first run W32/Maslan-J copies itself to \___u W32/Maslan-J copies its code by overwriting executable files in folders containing the following strings: distr download setup share W32/Maslan-J also creates the following files: \___j.dll \___n.exe \___r.exe \___AlaScan \___Prior \___e \___m \___t The file ___j.dll is detected as W32/Maslan-A, the file ___n.exe is detected as Troj/Sdbot-RV and the file ___r.exe is detected as W32/Maslan-B. The other files are text files which can safely be deleted. --- MultiMail/Win32 v0.43 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140) SEEN-BY: 633/267 270 @PATH: 123/140 500 106/2000 633/267
SOURCE: echomail via fidonet.ozzmosis.com

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.