[cut-n-paste from sophos.com]
Name Troj/Harnig-P
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Harnig.bh
Prevalence (1-5) 2
Description
Troj/Harnig-P is a Trojan for the Windows platform.
Troj/Harnig-P includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Harnig-P is a Trojan for the Windows platform.
Troj/Harnig-P includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Harnig-P is installed the following files are downloaded:
\paytime.exe
\secure32.html
\country.exe
\kl1.exe
\ms1.exe
\tool1.exe
\tool2.exe
\tool3.exe
\tool4.exe
\tool5.exe
\toolbar.exe
\uniq
\hosts
Name Troj/Cosiam-G
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Proxy.Win32.Small.bo
Prevalence (1-5) 2
Description
Troj/Cosiam-G is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Troj/Cosiam-G includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Cosiam-G is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Troj/Cosiam-G includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Cosiam-G copies itself to \eventwvr.exe
and creates the file \bin29a.log.
The following registry entries are created to run eventwvr.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
eventwvr
\eventwvr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
eventwvr
\eventwvr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
eventwvr
\eventwvr.exe
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\
Name W32/Bagle-GO
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Trojan-PSW.Win32.LdPinch.hk
* W32.Areses.A@mm
* WORM_ARESES.C
* Trojan-Dropper.Win32.Agent.ami
* WORM_ARESES.GEN
Prevalence (1-5) 2
Description
W32/Bagle-GO is a mass-mailing worm for the Windows platform.
Messages sent by the worm will have the following characteristics:
Subject: chosen randomly from
=?koi8-r?Q?=F0=D2=C9=D7=C5=D4=2C=CB=C1=CB=C9=C5_
=CE=CF=D7=CF=D3=D4=C9=3F?=
=?koi8-r?Q?=F4=D9_=D3=C5=C7=CF=C4=CE=D1_=CB=CF_
=CD=CE=C5_=D0=D2=C9=C5=C4?=
=?koi8-r?Q?=C5=DB=D8=3F?=
=?koi8-r?Q?=F1_=D4=C5=C2=D1_=D3=C5=C7=CF=C4=CE=D1_ =D7=C9=C4=C5=CC=C1?=
Message text: non-Latin characters
Attachment name: chosen randomly from
new.cab
me.cab
you.cab
cool.cab
Re.cab
The attachment contains a file with a random basename and one of the
following double extensions:
.cab .cpl
.doc .cpl
.txt .cpl
.avi .cpl
.mpeg .cpl
W32/Bagle-GO contains functionality to download and install updated
versions of itself from preconfigured URLs.
Advanced
W32/Bagle-GO is a mass-mailing worm for the Windows platform.
Messages sent by the worm will have the following characteristics:
Subject: chosen randomly from
=?koi8-r?Q?=F0=D2=C9=D7=C5=D4=2C=CB=C1=CB=C9=C5_
=CE=CF=D7=CF=D3=D4=C9=3F?=
=?koi8-r?Q?=F4=D9_=D3=C5=C7=CF=C4=CE=D1_=CB=CF_
=CD=CE=C5_=D0=D2=C9=C5=C4?=
=?koi8-r?Q?=C5=DB=D8=3F?=
=?koi8-r?Q?=F1_=D4=C5=C2=D1_=D3=C5=C7=CF=C4=CE=D1_ =D7=C9=C4=C5=CC=C1?=
Message text: non-Latin characters
Attachment name: chosen randomly from
new.cab
me.cab
you.cab
cool.cab
Re.cab
The attachment is a CAB archive detected as W32/Bagle-GN, and
contains a file with a random basename and one of the following
double extensions:
.cab .cpl
.doc .cpl
.txt .cpl
.avi .cpl
.mpeg .cpl
This CPL file is also detected as W32/Bagle-GO.
When run, a file with the same name as itself but without the CPL
extension, containing non-Latin characters, may be dropped to the
current folder and opened.
When first run W32/Bagle-GO copies itself to \csrss.exe and
to \ntsys.exe.
The following registry entry is changed to run W32/Bagle-GO on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
\csrss.exe
W32/Bagle-GO creates registry entries for its own use beneath
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices
W32/Bagle-GO contains functionality to download and install updated
versions of itself from preconfigured URLs.
Name Troj/Agent-BFZ
Type
* Trojan
Side effects
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
Troj/Agent-BFZ is a Trojan for the Windows platform.
Troj/Agent-BFZ includes functionality to access the internet and
communicate with a remote server via HTTP.
Name Troj/Loot-R
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
Aliases
* Trojan-Proxy.Win32.Horst.ai
Prevalence (1-5) 2
Description
Troj/Loot-R is a Trojan for the Windows platform.
The Trojan opens a backdoor and allows remote attackers to route email
anonymously through the infected computer.
The Trojan terminates security related applications and services
including:
KAVPersonal50
kavsvc
mcafee personal firewall plus
navapsvc
SAVScan
SharedAccess
Sygate Personal Firewall Pro
Symantec Core LC
wscsvc
wuauserv
Name Troj/Banloa-ABL
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Banload.ade
* TROJ_DLOADER.CXE
* Generic Downloader.y
Prevalence (1-5) 2
Description
Troj/Banloa-ABL is a Trojan for the Windows platform.
Troj/Banloa-ABL includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Banloa-ABL also includes functionality to download, install and
run new software.
Advanced
Troj/Banloa-ABL is a Trojan for the Windows platform.
Troj/Banloa-ABL includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Banloa-ABL also includes functionality to download, install and
run new software.
When first run Troj/Banloa-ABL copies itself to \svchost.com.
The following registry entry is created to run svchost.com on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svchost
\svchost.com
Name Troj/Polbot-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Medbot.y
Prevalence (1-5) 2
Description
Troj/Polbot-A is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Troj/Polbot-A includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Polbot-A is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Troj/Polbot-A includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Polbot-A copies itself to \smss.exe and creates the file \nvsvcd.exe.
The following registry entry is created to run Troj/Polbot-A on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.nvsvc
\smss.exe /w
The file nvsvcd.exe is registered as a new system driver service
named "Windows Log", with a display name of "Windows Log" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows Log\
Name W32/Sdbot-BMG
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.SdBot.aad
Prevalence (1-5) 2
Description
W32/Sdbot-BMG is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-BMG spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares
protected by weak passwords.
W32/Sdbot-BMG runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-BMG includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Sdbot-BMG is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-BMG spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares
protected by weak passwords.
W32/Sdbot-BMG runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-BMG includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Sdbot-BMG copies itself to \svchost.exe.
The file \svchost.exe is registered as a new system driver service
named "NetDDEdsma", with a display name of "Network DDE DSMA" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\NetDDEdsma\
W32/Sdbot-BMG sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Tilebot-EM
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Leaves non-infected files on computer
Aliases
* WORM_KELVIR.DU
Prevalence (1-5) 2
Description
W32/Tilebot-EM is a network worm and backdoor Trojan for the Windows
platform.
Advanced
W32/Tilebot-EM is a network worm and backdoor Trojan for the Windows
platform.
W32/Tilebot-EM spreads to remote network shares protected by weak
passwords and to computers vulnerable to common exploits, including
LSASS (MS04-011), RPC-DCOM (MS04-012) and ASN.1 (MS04-007).
W32/Tilebot-EM includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-EM copies itself to \emape.exe and creates
the following files:
\aspr_keys.ini
\rofl.sys
The file rofl.sys is detected as Troj/RKPort-A. The file
aspr_keys.ini may be deleted.
The file emape.exe is registered as a new system driver service named
"EMAP Service", with a display name of "EMAP Service" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\EMAP Service\
The file rofl.sys is registered as a new system driver service named
"rofl", with a display name of "rofl". Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\rofl\
W32/Tilebot-EM sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Tilebot-EN
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.xd
Prevalence (1-5) 2
Description
W32/Tilebot-EN is a worm with backdoor functionality for the Windows
platform.
W32/Tilebot-EN spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares
protected by weak passwords.
W32/Tilebot-EN runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-EN includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Tilebot-EN is a worm with backdoor functionality for the Windows
platform.
W32/Tilebot-EN spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares
protected by weak passwords.
W32/Tilebot-EN runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-EN includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-EN copies itself to \ssms.exe.
The file ssms.exe is registered as a new system driver service named
"explorer", with a display name of "windows file explorer" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\explorer\
W32/Tilebot-EN sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Banker-BIX
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Uses its own emailing engine
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Net-Worm.Win32.Banker.a
Prevalence (1-5) 2
Description
W32/Banker-BIX is a worm for the Windows platform.
The worm monitors internet sessions and displays fake login pages for
certain banking web sites. W32/Banker-BIX steals information entered
into web forms and sends the stolen credentials to a remote attacker
via email.
W32/Banker-BIX spreads to network computers via open network shares.
Advanced
W32/Banker-BIX is a worm for the Windows platform.
The worm monitors internet sessions and displays fake login pages for
certain banking web sites. W32/Banker-BIX steals information entered
into web forms and sends the stolen credentials to a remote attacker
via email.
W32/Banker-BIX spreads to network computers via open network shares.
When first run, W32/Banker-BIX copies itself to the Windows folder as
"system.exe" and sets the following registry entry in order to run
each time a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
""
The following data files may also be created:
C:\Windows\maq.txt
C:\Windows\okey.txt
C:\Windows\system.bat
C:\Windows\view.txt
These files may be safely deleted.
The worm may also download additional configuration data which
defines further behaviors.
Name Troj/BankDl-AW
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Banload.aeg
* Win32/TrojanDownloader.Delf.PQ
Prevalence (1-5) 2
Description
Troj/BankDl-AW is a downloader Trojan for the Windows platform.
Advanced
Troj/BankDl-AW is a downloader Trojan for the Windows platform.
Troj/BankDl-AW includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/BankDl-AW is installed it creates the file
\boby.exe. This file is detected as Troj/BankDl-AW.
Name Troj/Zapchas-BD
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Zapchas-BD is a Trojan for the Windows platform.
Troj/Zapchas-BD runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Troj/Zapchas-BD includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Zapchas-BD is a Trojan for the Windows platform.
Troj/Zapchas-BD runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Troj/Zapchas-BD includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Zapchas-BD is installed the following files are created:
\drivers\shellz\aliases.ini
\drivers\shellz\away.txt
\drivers\shellz\ftpop.txt
\drivers\shellz\fullinfo.bat
\drivers\shellz\fullinfo.lnk
\drivers\shellz\fullinfo2.bat
\drivers\shellz\fullinfo2.lnk
\drivers\shellz\fullname.txt
\drivers\shellz\hidewndw.exe
\drivers\shellz\ident.txt
\drivers\shellz\ipconf.bat
\drivers\shellz\ipconf.lnk
\drivers\shellz\kill.exe
\drivers\shellz\memorat.txt
\drivers\shellz\mirc.ini
\drivers\shellz\mirc2.ini
\drivers\shellz\msasw.bat
\drivers\shellz\msasw.lnk
\drivers\shellz\muta.bat
\drivers\shellz\muta.lnk
\drivers\shellz\netinfo.bat
\drivers\shellz\netinfo.lnk
\drivers\shellz\nicks.txt
\drivers\shellz\postcards.jpg
\drivers\shellz\procese.bat
\drivers\shellz\procese.lnk
\drivers\shellz\procese.txt
\drivers\shellz\remote.ini
\drivers\shellz\remote2.ini
\drivers\shellz\script.ini
\drivers\shellz\servers.ini
\drivers\shellz\servers2.ini
\drivers\shellz\setup.lnk
\drivers\shellz\sup.bat
\drivers\shellz\sup.reg
\drivers\shellz\sup2.bat
\drivers\shellz\sup2.lnk
\drivers\shellz\users.ini
\drivers\shellz\winspector.exe
\drivers\shellz\winspector.lnk
The following registry entries are set or modified, so that
winspector.exe is run when files with extensions of CHA and IRC are
opened/launched:
HKCR\ChatFile\Shell\open\command
(default)
\drivers\shellz\winspector.exe" -noconnect
HKCR\irc\Shell\open\command
(default)
\drivers\shellz\winspector.exe" -noconnect
Registry entries are set as follows:
HKCR\ChatFile\DefaultIcon
(default)
\drivers\shellz\winspector.exe
HKCR\irc\DefaultIcon
(default)
\drivers\shellz\winspector.exe
Registry entries are created under:
HKCU\Software\Microsoft\Microsoft Agent\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\
Name Troj/Dloadr-HAA
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
Troj/Dloadr-HAA is a Trojan for the Windows platform.
Troj/Dloadr-HAA includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Dloadr-HAA is a Trojan for the Windows platform.
Troj/Dloadr-HAA includes functionality to access the internet and
communicate with a remote server via HTTP.
The Trojan deregisters the system file shdocvw.dll from the
URLSearchHooks settings of Internet Explorer by deleting the
following registry entry:
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
The Trojan then downloads and installs additional files from a remote
site.
Name Troj/Agent-BHO
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Trojan.Win32.Agent.oh
Prevalence (1-5) 2
Description
Troj/Agent-BHO is a Trojan for the Windows platform.
Troj/Agent-BHO can be used in conjunction with other malware to
terminate services and create and delete files.
Name W32/Bagle-GT
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Bagle-GT is a mass-mailing worm for the Windows platform.
Messages sent by the worm will have the following characteristics:
The message text and subject both consist of non-Latin characters.
The attachment name also consists of non-Latin characters, with a file
extension of .hta.
W32/Bagle-GT includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Bagle-GT is a mass-mailing worm for the Windows platform.
Messages sent by the worm will have the following characteristics:
The message text and subject both consist of non-Latin characters.
The attachment name also consists of non-Latin characters, with a file
extension of .hta.
When run, this attachment, detected as W32/Bagle-GT, drops and runs a
file also detected as W32/Bagle-GT.
When this file is run it copies itself to \csrss.exe.
The following registry entry is changed to run W32/Bagle-GT on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
\csrss.exe
W32/Bagle-GT then creates the file \Message.hta, which is a new
dropper that will be mailed to email addresses found on the infected
computer. This file is also detected as W32/Bagle-GT.
W32/Bagle-GT includes functionality to access the internet and
communicate with a remote server via HTTP.
Name W32/Bagle-GU
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
* Opens links to websites
Prevalence (1-5) 2
Description
W32/Bagle-GU is a mass-mailing worm for the Windows platform.
W32/Bagle-GU may send email messages with blank message text and
non-roman subject lines.
Advanced
W32/Bagle-GU is a mass-mailing worm for the Windows platform.
W32/Bagle-GU may send email messages with blank message text and
non-roman subject lines.
W32/Bagle-GU includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Bagle-GU copies itself to \csrss.exe and
creates the file \Message.hta.
The following registry entry is changed to run W32/Bagle-GU on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
\csrss.exe
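The entries above share two registry footprints a defender can audit for: the Image File Execution Options "Debugger" hijack of explorer.exe used by W32/Bagle-GO, W32/Bagle-GT and W32/Bagle-GU, and the service-disabling and policy changes made by W32/Sdbot-BMG, W32/Tilebot-EM and W32/Tilebot-EN. The read-only check below is an added example, not part of the Sophos descriptions; the function names are the example's own, while every key path, value name and service name comes from the entries above.

```powershell
# Added audit example (not Sophos code). Read-only: reports findings, changes
# nothing. Run in an elevated PowerShell on the host being examined.

function Test-RegValue {
    # $true when $Path exists and the value $Name holds data equal to $Expected.
    param([string]$Path, [string]$Name, $Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ("$($item.$Name)" -eq "$Expected")
}

function Get-StartupHijackFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Family, $Detail) {
        $findings.Add([pscustomobject]@{ Family = $Family; Detail = $Detail })
    }

    # 1. IFEO "Debugger" hijack (W32/Bagle-GO, -GT, -GU). Windows launches the
    #    Debugger program instead of the named executable, so every Debugger
    #    value deserves review; explorer.exe is the one the Bagle variants set.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $fam = if ($_.PSChildName -ieq 'explorer.exe') { 'W32/Bagle-GO/GT/GU pattern' }
                   else { 'IFEO Debugger (review)' }
            Add-Finding $fam "$($_.PSChildName) -> Debugger = $dbg"
        }
    }

    # 2. Services forced to Start=4 (disabled) by W32/Sdbot-BMG and
    #    W32/Tilebot-EM/EN. Disabling these is also a legitimate hardening step,
    #    so weigh it together with the policy values in step 3, not on its own.
    foreach ($svc in 'Messenger', 'RemoteRegistry', 'TlntSvr') {
        if (Test-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" 'Start' 4) {
            Add-Finding 'Sdbot/Tilebot service disable' "Services\$svc Start = 4"
        }
    }

    # 3. Security-weakening values set by the same families.
    $policy = @(
        @{ P = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; N = 'DoNotAllowXPSP2';   E = 1 },
        @{ P = 'HKLM:\SOFTWARE\Microsoft\Ole';                            N = 'EnableDCOM';        E = 'N' },
        @{ P = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';              N = 'restrictanonymous'; E = 1 }
    )
    foreach ($c in $policy) {
        if (Test-RegValue $c.P $c.N $c.E) {
            Add-Finding 'Sdbot/Tilebot policy change' "$($c.P) $($c.N) = $($c.E)"
        }
    }

    # 4. Service names the entries above register for their dropped files
    #    (Troj/Polbot-A, W32/Sdbot-BMG, W32/Tilebot-EM, W32/Tilebot-EN).
    foreach ($svc in 'Windows Log', 'NetDDEdsma', 'EMAP Service', 'rofl', 'explorer') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (Test-Path $key) {
            $img = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            Add-Finding 'Page-listed service name' "Services\$svc ImagePath = $img"
        }
    }
    return $findings
}

Get-StartupHijackFindings | Format-Table -AutoSize
```

An empty table means none of the listed footprints is present; a hit in step 1 or step 4 is the strongest signal, since neither an explorer.exe Debugger value nor a service named "explorer" or "rofl" belongs on a clean host.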
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)