subject: News, October 21 2007
[cut-n-paste from sophos.com]
Name W32/Diazom-C
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
Aliases
* Net-Worm.Win32.Agent.f
* Win32/Diazom.L
Prevalence (1-5) 2
Description
W32/Diazom-C is a worm for the Windows platform.
Name W32/Sdbot-DIE
Type
* Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* W32/Sdbot.worm.gen.ci
Prevalence (1-5) 2
Description
W32/Sdbot-DIE is a worm with IRC backdoor functionality for the Windows
platform.
Advanced
W32/Sdbot-DIE is a worm with IRC backdoor functionality for the Windows
platform.
W32/Sdbot-DIE runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/Sdbot-DIE includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run, W32/Sdbot-DIE copies itself to \windowsys.com and
creates the file \rdriv.sys.
The file rdriv.sys is detected as Mal/RootKit-A.
The file rdriv.sys is registered as a new system driver service named
"rdriv", with a display name of "rdriv". Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\rdriv
The file windowsys.com is registered as a new system driver service
named "windowsys", with a display name of "system32 master" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\windowsys
W32/Sdbot-DIE sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start = 4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall = 0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall = 0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2 = 1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = N
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center
Name Troj/Fakevir-AI
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Fakevir-AI is a Trojan for the Windows platform.
Advanced
Troj/Fakevir-AI is a Trojan for the Windows platform.
When first run, Troj/Fakevir-AI creates files in:
\AVG\AntivirusGold 5.1\
Troj/Fakevir-AI creates the following registry entry to start itself:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AntivirusGold 5.1 = \AVG\AntivirusGold 5.1\AntivirusGold 5.1.exe /h
The above mentioned EXE file is also detected as Troj/Fakevir-AI.
Name W32/Vetor-F
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Vetor-F is an executable file virus for the Windows platform.
Name Troj/Squatbot-D
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan.Win32.Agent.ccq
Prevalence (1-5) 2
Description
Troj/Squatbot-D is a Trojan for the Windows platform.
Advanced
Troj/Squatbot-D is a Trojan for the Windows platform.
When first run, Troj/Squatbot-D runs a setup program and installs the
following files:
\cchost.ini - text file, may be deleted safely.
\cchost\unins000.dat - log file, may be deleted safely.
\cchost\unins000.exe
\cchost\cchost.exe - also detected as Troj/Squatbot-D
After the files are created, the file cchost.exe then downloads a file
containing German IP addresses and domains. The Trojan queries port 43,
performing whois look-ups. When Troj/Squatbot-D finds an expired
domain, it reports the information back to a remote user.
Troj/Squatbot-D creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
cchost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cchost_is1\
Troj/Squatbot-D provides an uninstall option which can be accessed via
the Add or Remove Programs dialog in the Windows Control Panel. The
Trojan is listed as "cchost version 2.0". However, the uninstaller does
not actually remove the Trojan.
Name Troj/Zlob-AFF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Zlob.dlg
* Win32/TrojanDownloader.Zlob.BGY trojan
Prevalence (1-5) 2
Description
Troj/Zlob-AFF is a Trojan for the Windows platform.
Name Troj/Zlob-AFG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
Aliases
* TR/Dldr.Zlob.NMO
Prevalence (1-5) 2
Description
Troj/Zlob-AFG is a Trojan for the Windows platform.
Name Mal/VBWorm-C
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Mal/VBWorm-C is a worm for the Windows platform.
Name W32/Feebs-BX
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Worm.Win32.Feebs.la
* W32/Feebs.dr
Prevalence (1-5) 2
Description
W32/Feebs-BX is a worm for the Windows platform.
W32/Feebs-BX spreads via file sharing on P2P networks.
W32/Feebs-BX creates ZIP archives containing a copy of the worm in
folders used by peer-to-peer applications. The ZIP files have the
following names:
- ICQ_2007_new_full.zip
- winamp_7_new_full.zip
- 3dsmax_10_(3D_Studio_Max)_new_full.zip
- ACDSee_10_new_full.zip
- Adobe_Photoshop_11_(CS34)_new_full.zip
- Adobe_Premiere_10_(3.0_pro)_new_full.zip
- Ahead_Nero_8_new_full.zip
- DivX_8.0_new_full.zip
- Internet_Explorer_7_new_full.zip
- Kazaa_4_new_full.zip
- Microsoft_Office_2006_new_full.zip
- Vista_Final_new_full.zip
Advanced
When first run, W32/Feebs-BX copies itself to:
\ms??.exe
where ?? are randomly chosen characters.
The worm also creates the file
\ms??32.dll
which is detected as Mal/Packer.
The following registry entry is created to run code exported by the
worm library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
ms??32.dll = {985AB7AC-E655-FE30-01C8-17F9000E1AE6}
The file ms??32.dll is registered as a COM object, creating registry
entries under:
HKCR\CLSID\{985AB7AC-E655-FE30-01C8-17F9000E1AE6}
Name W32/Rbot-GUL
Type
* Worm
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Rbot-GUL is a worm for the Windows platform.
Name Troj/Dload-R
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Dload-R is a Trojan for the Windows platform.
Advanced
Troj/Dload-R is a Trojan for the Windows platform.
When first run, Troj/Dload-R copies itself to \~my
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
SOURCE: echomail via fidonet.ozzmosis.com
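The W32/Sdbot-DIE entry above lists the exact registry changes the worm makes (service Start values, firewall policy, DoNotAllowXPSP2, EnableDCOM, and the rdriv/windowsys driver services). The following audit script is an added example, not part of the Sophos write-up or the BBS post: it reads those keys on a Windows host and reports which of the described values are present. Only the key and value names from the entry are used; ImagePath is the standard service value that records the driver's file, and the sample is assumed to be run from an elevated PowerShell prompt.

```powershell
# Added example: audit a host for the registry state described in the
# W32/Sdbot-DIE write-up. A match is a finding to investigate, not proof
# of infection: a legitimate policy can set some of these values too.

$rules = @(
  @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Messenger';      Name = 'Start';           Bad = 4 },
  @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry'; Name = 'Start';           Bad = 4 },
  @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\TlntSvr';        Name = 'Start';           Bad = 4 },
  @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name = 'EnableFirewall';  Bad = 0 },
  @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall';  Bad = 0 },
  @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';           Name = 'DoNotAllowXPSP2'; Bad = 1 },
  @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole';                                     Name = 'EnableDCOM';      Bad = 'N' }
)

# Driver services the write-up says the worm registers; their presence alone is suspicious.
$services = @('rdriv', 'windowsys')

$findings = @()
foreach ($r in $rules) {
  if (-not (Test-Path $r.Key)) { continue }      # key absent: nothing was set here
  $item = Get-ItemProperty -Path $r.Key -ErrorAction SilentlyContinue
  $val = $item.($r.Name)                          # dynamic property lookup by value name
  if ($null -ne $val -and "$val" -eq "$($r.Bad)") {
    $findings += "$($r.Key) : $($r.Name) = $val"
  }
}

foreach ($s in $services) {
  $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$s"
  if (Test-Path $k) {
    $img = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).ImagePath
    $findings += "service '$s' present, ImagePath = $img"
  }
}

if ($findings.Count -eq 0) {
  Write-Output 'No Sdbot-DIE style registry changes found.'
} else {
  Write-Output "Findings ($($findings.Count)):"
  $findings | ForEach-Object { Write-Output "  $_" }
}
```

If the firewall or update values match, compare them against the domain's Group Policy before treating them as malware artefacts; the driver service names are the stronger indicator.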