| TIP: Click on subject to list as thread! | ANSI |
| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | News, May 12 2007 |
[cut-n-paste from sophos.com]
Name Troj/WLHack-C
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Trojan.Win32.Patched.q
* Win32/Agent.NHJ
Prevalence (1-5) 2
Description
Troj/WLHack-C is a Trojan for the Windows platform.
Advanced
Troj/WLHack-C is a Trojan for the Windows platform.
Troj/WLHack-C is a hacked version of \winlogon.exe which is a
legitimate Windows system file.
When executed on startup as a replacement to the original
winlogon.exe Troj/WLHack-C attempts to load malicious code from
mstscex.dll.
On NTFS systems the DLL may reside in an Alternate Data Stream within
the folder.
Name W32/Culler-C
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Culler-C is a worm for the Windows platform that spreads via MSN
Messenger.
Advanced
W32/Culler-C is a worm for the Windows platform that spreads via MSN
Messenger.
W32/Culler-C includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Culler-C attempts to terminate and disable various security
software applications and Windows processes such as Task Manager.
When first run, W32/Culler-C will display the following error message:
"Component "COMDLG32.OCX" or one of its dependencies no correctly
registered a file is missing or invalid."
It then copies itself to:
\Cfreer.exe
\Nzil.exe
\Juegs.exe
\Negdo.exe
W32/Culler-C attempts to download and execute files from a remote
location. At the time of writing, these files were unavailable for
download.
The worm sets the following registry entries to run at system startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows
\Cfreer.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WindowsUpdate
\Nzil.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System
\Juegs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SystemUpdate
\Negdo.exe
W32/Culler-C sets the following registry entry:
HKCU\Software\VB and VBA Program Settings\SysUpdate\sistema
Marcar
1
Name W32/Culler-D
Type
* Spyware Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Culler-D is a worm for the Windows platform that spreads via MSN
Messenger.
Advanced
W32/Culler-D is a worm for the Windows platform that spreads via MSN
Messenger.
W32/Culler-D includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Culler-D copies itself to:
\Strad.exe
\Zser.exe
\Xeyu.exe
\Xsfr.exe
and creates the file \~dfffea.tmp.
The following registry entries are created to run Strad.exe,
Zser.exe, Xeyu.exe and Xsfr.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WindowsUpdate
\Strad.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows
\Zser.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SystemUpdate
\Xeyu.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System
\Xsfr.exe
Registry entries are created under:
HKCU\Software\VB and VBA Program Settings\SysUpdate\sistema
HKCU\Software\VB and VBA Program Settings\Sys\Baja
Name Mal/Zlob-A
Type
* Malicious Behavior
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Mal/Zlob-A is the name given by Sophos anti-virus products for the
Zlob family of Trojans.
Name Troj/Dloadr-AYE
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Dloadr-AYE is a downloading Trojan for the Windows platform.
Troj/Dloadr-AYE contains functionality to communicate with a remote
server using HTTP.
Troj/Dloadr-AYE may attempt to turn off anti-virus applications.
Name W32/Pardona-K
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Pardona-K is a virus for the Windows platform.
Advanced
W32/Pardona-K is a virus for the Windows platform.
W32/Pardona-K includes functionality to access the internet and
communicate with a
remote server via HTTP.
When first run W32/Pardona-K copies itself to:
\MediaSups.exe
and creates many of the following files:
\
Name W32/Brontok-DF
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Brontok-DF is a worm for the Windows platform.
Advanced
W32/Brontok-DF is a worm for the Windows platform.
W32/Brontok-DF will attempt to copy itself to network and removable
drives. The worm will also create an autorun.inf file so that it is
automatically run when the drive is accessed.
W32/Brontok-DF contains the functionality to terminate security
related appilcations and restart an infected computer.
When first run W32/Brontok-DF copies itself to:
\Empty.pif
\emirate.exe
\emirate.exe
and creates the following files:
\autorun.inf - may be deleted.
\Autorun.inf - may be deleted.
The following registry entries are changed to run emirate.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "\emirate.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\emirate.exe
The following registry entries are set or modified, so that
emirate.exe is run when files with extensions of BAT, COM and PIF are
opened/launched:
HKCR\lnkfile\shell\open\command
(default)
\emirate.exe" "%1" %*
HKCR\batfile\shell\open\command
(default)
\emirate.exe" "%1" %*
HKCR\comfile\shell\open\command
(default)
\emirate.exe" "%1" %*
HKCR\piffile\shell\open\command
(default)
\emirate.exe" "%1" %*
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoClose
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Nofolderoptions
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispCPL
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Disable
00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
00
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
00
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
000
Name Virtumundo
Type
* PUA
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Virtumundo is an adware application for the Windows platform.
Name W32/Mytob-KH
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Net-Worm.Win32.Mytob.bf
* Win32/Mytob.IH worm
* W32.Mytob.EE{at}mm
Prevalence (1-5) 2
Description
W32/Mytob-KH is a mass-mailing worm and IRC backdoor Trojan for the
Windows platform.
Advanced
W32/Mytob-KH is a mass-mailing worm and IRC backdoor Trojan for the
Windows platform.
W32/Mytob-KH runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Mytob-KH copies itself to the Windows system
folder as efefefe.exe and creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
efefefe.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
efefefe.exe
W32/Mytob-KH sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
W32/Mytob-KH also includes functionality to silently download,
install and run new software.
W32/Mytob-KH modifies the HOSTS file by appending the following
lines, preventing access to the sites specified:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
W32/Mytob-KH is capable of spreading through email. Email sent by
W32/Mytob-KH has the following properties:
Subject line chosen from:
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Message text chosen from:
Dear Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your account.
Sincerely,The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus -
Dear Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could please take 5-10
minutes out of your online experience and confirm the attached
document so you will not run into any future problems with the online
service.
If you choose to ignore our request, you leave us no choice but to
cancel your membership.
Virtually yours,
The Support Team
+++ Attachment: No Virus found
+++ Antivirus -
Dear user ,
You have successfully updated the password of your
account.
If you did not authorize this change or if you need assistance with
your account, please contact customer service at:
Thank you for using !The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus -
Dear user ,
It has come to our attention that your User Profile
( x ) records are out of date. For further details see the attached
document.
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus -
The attached file consists of any of the following base names
followed by the extension ZIP:
important-details
account-details
email-details
account-info
document
readme
account-report
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
The worm may optionally create double extensions where the first
extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE
or ZIP.
W32/Mytob-KH harvests email addresses from files on the infected
computer and from the Windows address book.
Name W32/Lovgate-AM
Type
* Worm
How it spreads
* Email messages
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Lovgate-AM is a variant of the W32/Lovgate family of worms that
spread via email, network shares and filesharing networks.
Advanced
W32/Lovgate-AM is a variant of the W32/Lovgate family of worms that
spread via email, network shares and filesharing networks.
When first run W32/Lovgate-AM copies itself to:
\KaZaA\My Shared Folder\Cnffjner5.3.scr
\command.exe
\hxdef.exe
\iexplore.exe
\kernel66.dll
\ravmond.exe
\systra.exe
and creates the following files:
\autorun.inf
\bak.zip
\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DAD0BA63
-4226-428F-A872-E81552BC6D27}.crmlog
\Logfiles\w3svc1\ex010509.log
\NetMeeting.exe
\msjdbc11.dll
\mssign30.dll
\odbc16.dll
The files bak.zp, msjdbc11.dll, mssign30.dll, NetMeeting.exe and
odbc16.dll are detected as W32/Lovgate-AM.
In addition W32/Lovgate-AM copies itself to the file COMMAND.EXE in
the root folder and creates the file autorun.inf there, containing an
entry to run the dropped file upon system startup.
W32/Lovgate-AM spreads by email. Email addresses are harvested from
WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL files found on the
system. This worm will spoof the sender's email address.
Emails have the following characteristics:
Subject line:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message text:
It's the long-awaited film version of the Broadway hit. The message
sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail failed. For further assistance, please contact!
Attached file:
document
readme
doc
text
file
data
test
message
body
followed by ZIP, EXE, PIF or SCR.
W32/Lovgate-AM also enables sharing of the Windows Media folder and
copies itself there using various filenames.
The worm also attempts to reply to emails found in the user's inbox
using the following filenames as attachments:
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe
The worm attempts to spread by copying itself to mounted shares using
one of
the following filenames:
mmc.exe
xcopy.exe
winhlp32.exe
i386.exe
client.exe
findpass.exe
autoexec.bat
MSDN.ZIP.pif
Cain.pif
WindowsUpdate.pif
Support Tools.exe
Windows Media Player.zip.exe
Microsoft Office.exe
Documents and Settings.txt.exe
Internet Explorer.bat
WinRAR.exe
W32/Lovgate-AM also attempts to spread via weakly protected remote
shares by connecting using a password from an internal dictionary and
copying itself as the file NETMANAGER.EXE to the system folder on the
admin$ share.
After successfully copying the file W32/Lovgate-AM attempts to start
it as the service "Windows Managment Network Service Extensions" on
the remote computer.
W32/Lovgate-AM starts a logging thread that listens on port 6000,
sends a notification email to an external address and logs received
data to the file C:\Netlog.txt.
W32/Lovgate-AM also overwrites EXE files on the system with copies of
itself. The original files are saved with a ZMX extension.
The following registry entries are created to run hxdef.exe,
iexplore.exe, ravmond.exe, systra.exe and NetMeeting.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
RAVMOND.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Hardware Profile
\hxdef.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft NetMeeting Associates, Inc.
NetMeeting.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Program In Windows
\IEXPLORE.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices
SystemTra
\SysTra.EXE
The following registry entry is created to run code exported by
mssign30.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VFW Encoder/Decoder Settings
RUNDLL32.EXE MSSIGN30.DLL ondll_reg
The file Rundll32.exe msjdbc11.dll is registered as a new system
driver service named "_reg", with a display name of "_reg" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\_reg
W32/Lovgate-AM attempts to terminate processes containing the
following strings:
rising
SkyNet
Symantec
McAfee
Gate
Rfw.exe
RavMon.exe
kill
Nav
Duba
KAV
KV
Name Troj/DwnLdr-GUL
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/DwnLdr-GUL is a downloader Trojan for the Windows platform.
The Trojan includes functionality to access the internet and
communicate with a remote server via HTTP.
Name W32/Sdbot-DDS
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Monitors system activity
* Scans network for vulnerabilities
* Scans network for weak passwords
Prevalence (1-5) 2
Description
W32/Sdbot-DDS is a worm with backdoor functionality for the Windows
platform.
Advanced
W32/Sdbot-DDS is a worm with backdoor functionality for the Windows
platform.
W32/Sdbot-DDS spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including:
WKS (MS03-049) (CAN-2003-0812)
RealVNC (CVE-2006-2369)
W32/Sdbot-DDS can be instructed to perform the following functions:
start an FTP server
start a Proxy server
start a web server
start an IRC daemon
take part in distributed denial of service (DDoS) attacks
log keypresses (such as username password for Paypal)
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software
turn off security software such as anti-virus or firewall
The worm may also spread via networks shares protected by weak
passwords.
When first run W32/Sdbot-DDS copies itself to \sys.exe and
creates the following registry entries to run sys.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATI Video Driver Controls
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
ATI Video Driver Controls
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ATI Video Driver Controls
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
ATI Video Driver Controls
W32/Sdbot-DDS sets the following registry entries in order to secure
the infected computer against further exploits:
HKLM\SOFTWARE\Microsoft\Ole\
ATI Video Driver Controls
HKCU\Software\Microsoft\OLE\
ATI Video Driver Controls
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
ATI Video Driver Controls
HKCU\SYSTEM\CurrentControlSet\Control\Lsa\
ATI Video Driver Controls
W32/Sdbot-DDS will append the following to the HOSTS file in order to
block access to security related URLs:
127.0.0.1 ca.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mcafee.com
127.0.0.1 pandasoftware.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 us.mcafee.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.sarc.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.trendmicro.com
Some of the processes terminated by W32/Sdbot-DDS are:
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
APIMONITOR.EXE
AVGW.EXE
AVGUARD.EXE
AVP32.EXE
AVP.EXE
DRWATSON.EXE
F-PROT95.EXE
F-PROT.EXE
KAVPF.EXE
KAVPERS40ENG.EXE
KAVLITE40ENG.EXE
N32SCANW.EXE
NOD32.EXE
REALMON.EXE
ZONEALARM.EXE
Name W32/Rbot-GOZ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Rbot-GOZ is a worm for the Windows platform.
Advanced
W32/Rbot-GOZ is a worm for the Windows platform.
W32/Rbot-GOZ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-GOZ copies itself to \jkfrnz.exe.
The following registry entries are created to run jkfrnz.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Update Machine
jkfrnz.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Update Machine
jkfrnz.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Update Machine
jkfrnz.exe
Name Troj/Klone-M
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Installs a browser helper object
Aliases
* Packed.Win32.Klone.j
Prevalence (1-5) 2
Description
Troj/Klone-M is a Trojan for the Windows platform.
Advanced
Troj/Klone-M is a Trojan for the Windows platform.
The Troj/Klone-M DLL is registered as a COM object and Browser Helper
Object (BHO) for Microsoft Internet Explorer, creating registry
entries under:
HKCR\CLSID\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\
Troj/Klone-M changes settings for Microsoft Internet Explorer by
modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
Name W32/SillyFDC-AA
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Installs itself in the Registry
Aliases
* Trojan.Win32.VB.awf
* W32/USBAgent
* TROJ_VB.DBR
Prevalence (1-5) 2
Description
W32/SillyFDC-AA is a worm for the Windows platform that spreads via
removable shared drives.
Advanced
W32/SillyFDC-AA is a worm for the Windows platform that spreads via
removable shared drives.
When run W32/SillyFDC-AA copies itself to:
\more.exe
\drwatson.exe
\.exe
W32/SillyFDC-AA spreads via removable shared drives by creating the
file \autorun.inf and a copy of the worm to \Hay.exe on
the removable drive. The file autorun.inf is subsequently set to run
the worm component upon connecting the removable drive to another
computer.
W32/SillyFDC-AA creates the following registry entry:
HKLM\SOFTWARE\Microsoft\Active Setup\
Installed Components\Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666
StubPath
\drwatson.exe
W32/SillyFDC-AA also makes modification to the default Windows folder
settings by dynamically creating or modifying the file desktop.ini
whenever a Windows folder is opened. The file desktop.ini will
contain the following entries:
BE098140-A513-11D0-A3A4-00C04FD706EC
IconArea_Text=33333
This results in the following message being appended to the title bar
text whenever a Windows folder is opened:
^_^ Hello, I'm a hot boy but I am very cool ^_^
Name Troj/Tibs-SC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Tibs-SC is a downloader Trojan for the Windows platform.
Advanced
Troj/Tibs-SC is a downloader Trojan for the Windows platform.
Troj/Tibs-SC includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Tibs-SC copies itself to \kernels32.exe.
The following registry entry is created to run kernels32.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System
\kernels32.exe
Name W32/Sdbot-DEE
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Enables remote access
Aliases
* W32/Sdbot.worm.gen.ax
* Backdoor.Win32.Rizo.a
Prevalence (1-5) 2
Description
W32/Sdbot-DEE is a worm for the Windows platform with IRC backdoor
capabilities.
Advanced
W32/Sdbot-DEE is a worm for the Windows platform with IRC backdoor
capabilities.
When run W32/Sdbot-DEE copies itself to the system folder as u.exe.
The following Registry entries are added to hook system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Office Monitor Word Exel R
\u.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Office Monitor Word Exel R
\u.exe
Once running W32/Sdbot-DEE will attempt to connect to a remote server
and download additional malware. It also connects to a remote IRC
server in order to receive commands from the intruder.
W32/Sdbot-DEE also sets the following Registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
N
HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
1
Name W32/Akbot-AR
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Scans network for vulnerabilities
* Scans network for weak passwords
Prevalence (1-5) 2
Description
W32/Akbot-AR is a worm for the Windows platform.
W32/Akbot-AR spreads to other network computers infected with
W32/Sasser and to other network computers by exploiting common buffer
overflow vulnerabilities, including ASN.1 (MS04-007).
W32/Akbot-AR includes functionality to:
- download and execute arbitrary files
- take part in distributed denial of service (DDoS) attacks
- set up an FTP server
- start a remote shell (RLOGIN)
- port scanning
Advanced
W32/Akbot-AR is a worm for the Windows platform.
W32/Akbot-AR spreads to other network computers infected with
W32/Sasser and to other network computers by exploiting common buffer
overflow vulnerabilities, including ASN.1 (MS04-007).
W32/Akbot-AR includes functionality to:
- download and execute arbitrary files
- take part in distributed denial of service (DDoS) attacks
- set up an FTP server
- start a remote shell (RLOGIN)
- port scanning
When first run W32/Akbot-AR copies itself to \wincls.dll.
The following registry entry is created to run code exported by
wincls.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wincls
rundll32.exe \wincls.dll,start
W32/Akbot-AR may also modify the HOSTS file of an infected computer
to deny access to various security related websites.
Name W32/Uisgon-A
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Virus.BAT.Agent.b
Prevalence (1-5) 2
Description
W32/Uisgon-A is a worm for the Windows platform.
Advanced
W32/Uisgon-A is a worm for the Windows platform.
W32/Uisgon-A attempts to copy itself to the root folder and to drop
the following clean files:
\sleep.vbe
\inf.tem
\ubye.txt
\uishere-.txt
\.vbe
W32/Uisgon-A attempts to copy the following from a file in the same
folder as itself and run it:
\Beta3.exe
W32/Uisgon-A attempts to delete the following files:
\Anti-U.bat
\ReadMe.txt
\uda-.bat
\uda.exe
\uishere-*.txt
\zap.exe
\.bat
W32/Uisgon-A sets the following registry entry to run * Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)SEEN-BY: 633/267 @PATH: 123/140 500 379/1 633/267 |
|
| SOURCE: echomail via fidonet.ozzmosis.com | |
Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.