echo: virus
to: ALL
from: KURT WISMER
date: 2004-06-06 23:46:00
subject: News, June 6 2004

[cut-n-paste from sophos.com]

W32/Agobot-JM

Aliases
Backdoor.Agobot.gen, W32/Gaobot.worm.gen.d, W32.HLLW.Gaobot.gen

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-JM is a member of the W32/Agobot family of network worms and 
backdoor Trojans that exploits a number of known vulnerabilities and is 
also able to function as an IRC bot.

For more information about these Windows vulnerabilities, please refer 
to the following Microsoft Web pages:

Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-026

When executed W32/Agobot-JM copies itself to the Windows system folder 
with the filename svchostt.exe and sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

W32/Agobot-JM attempts to terminate a number of processes, especially 
those related to anti-virus and security software (e.g. SWEEP95.EXE, 
BLACKICE.EXE, ZONEALARM.EXE and REGEDIT.EXE).

W32/Agobot-JM modifies the HOSTS file located at 
Windows system\Drivers\etc\HOSTS.

Selected anti-virus websites are mapped to the loopback address 
127.0.0.1 in an attempt to prevent access to these sites. Typically the 
following mappings will be appended to the HOSTS file:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com

W32/Agobot-JM can also test the available bandwidth by attempting to GET 
or POST data to the following websites:

yahoo.co.jp
www.nifty.com
www.d1asia.com
www.st.lib.keio.ac.jp
www.lib.nthu.edu.tw
www.above.net
www.level3.com
nitro.ucsc.edu
www.burst.net
www.cogentco.com
www.rit.edu
www.nocster.com
www.verio.com
www.stanford.edu
www.xo.net
de.yahoo.com
www.belwue.de
www.switch.ch
www.1und1.de
verio.fr
www.utwente.nl
www.schlund.net

W32/Agobot-JM may initiate denial-of-service (DoS) and distributed 
denial-of-service (DDoS) synflood/httpflood/fraggle/smurf attacks 
against remote systems.

W32/Agobot-JM steals the Windows Product ID and keys from several 
computer applications or games including:

AOL Instant Messenger
Battlefield 1942
Battlefield 1942: Secret Weapons Of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
Industry Giant 2
IGI2: Covert Strike
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
NHL 2002
NHL 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
Ravenshield
Shogun Total War - Warlord Edition
Soldiers Of Anarchy
Soldier of Fortune II - Double Helix
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Windows Messenger





W32/Korgo-D

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Korgo-D is a variant of the W32/Korgo-C network worm and backdoor 
that propagates by exploiting the LSASS vulnerability.

For details see Microsoft Security Bulletin MS04-011.

When executed W32/Korgo-D copies itself to the Windows system folder 
with a random filename and sets the registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Restore 
Service

to the path of the copy so that the worm runs again after a restart.

W32/Korgo-D marks the infection by setting the registry entry:

HKLM\SOFTWARE\Microsoft\Wireless\

W32/Korgo-D scans random IP addresses attempting to exploit them and 
reports the scan results to IRC servers chosen from the following 
list:

'K{at}1irc.kar.net'
'gaspode.zanet.org.za'
'lia.zanet.net'
'irc.tsk.ru'
'london.uk.eu.undernet.org'
'washington.dc.us.undernet.org'
'los-angeles.ca.us.undernet.org'
'brussels.be.eu.undernet.org'
'caen.fr.eu.undernet.org'
'flanders.be.eu.undernet.org'
'graz.at.eu.undernet.org'
'gaz-prom.ru'
'moscow-advokat.ru'

As part of its payload W32/Korgo-D attempts to delete the file 
ftpupd.exe and the registry entries with the following values:

'avserve2.exe'
'avserve.exe'
'WinUpdate'
'SysTray'
'Bot Loader'
'System Service Manager'
'Windows Security Manager'





W32/Rbot-Y

Aliases
Backdoor.Rbot.b, W32.Spybot.Worm

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Rbot-Y is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-Y spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-Y copies itself to the Windows system folder as PIDSERV.EXE and
creates registry entries PROCESS SESSION MANAGER under the following
keys so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-Y may set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-Y may try to delete the C$, D$, E$, IPC$ and ADMIN$ network 
shares on the host computer.





W32/Dumaru-AK

Aliases
TrojanDropper.Win32.Mudrop.h, Worm.Win32.Plexus.a, W32.Explet.A@mm, 
W32/Plexus@MM virus, I-Worm.Plexus.a

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Dumaru-AK consists of a dropper and a number of dropped files.

The dropper copies itself to the filename UPU.EXE in the Windows system 
folder. The dropper also drops the files SETUPEX.EXE to the same folder 
and SVCHOST.EXE to the Windows folder, running them both.

The dropper may display one of the following fake error messages:

CRC checksum failed.
Pace method not implemented.
Could not initialize installation. File size expected=26523, size 
returned=26344 File is corrupted.

SETUPEX.EXE runs as a service process, copying itself to SWCHOST.EXE and 
SVOHOST.EXE in the Windows system folder. It sets the following registry 
entry so as to run the SWCHOST.EXE copy on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32

SETUPEX.EXE sets an entry in the BOOT section of SYSTEM.INI with the key 
name SHELL in order to run the SWCHOST.EXE copy on system startup.

SETUPEX.EXE copies itself as SVCHOST.EXE to the folder found in the 
following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell 
Folders\Startup

and writes loopback values to the HOSTS file to block access to various 
anti-virus websites.

SETUPEX.EXE sets the following registry entries:

HKCU\Software\SARS\SocksPort
HKLM\System\CurrentControlSet\Services\SharedAccess\Start = 3
HKCU\Software\Microsoft\Internet Explorer\Main\AllowWindowReuse = 0

SETUPEX.EXE logs key strokes and window titles to a file in the Windows 
folder called PRNTK.LOG and logs info about certain files to RUNDLLN.SYS 
in the Windows folder.

SETUPEX.EXE drops PRNTSVR.DLL in the Windows folder. PRNTSVR.DLL is a 
backdoor program detected by Sophos Anti-Virus as Troj/Dumaru-B.

The SVCHOST.EXE file dropped by the dropper is an email and network 
share worm which also spreads by exploiting the RPC and LSASS 
vulnerabilities.

The email sent by the worm has characteristics chosen from the following 
lists.

Subject line :
RE: order
For you
Hi, Mike
Good offer.
RE:

Message text :
Hi.
Here is the archive with those information, you asked me.
And don't forget, it is strongly confidencial!!!
Seya, man.
P.S. Don't forget my fee ;)

Hi, my darling :)
Look at my new screensaver. I hope you will enjoy...
Your Liza

My friend gave me this account generator for http://www.pantyola.com I 
wanna share it with you :)
And please do not distribute it. It's private.

Greets! I offer you full base of accounts with passwords of mail server
yahoo.com. Here is archive with small part of it . You can see that all
information is real. If you want to b uy full base, please reply me...

Hi, Nick. In this archive you can find all those things, you asked me.
See you. Steve

Attached file :

release.exe
demo.exe
AGen1.03.exe
AtlantI.exe
SecUNCE.exe

The worm copies itself into the KaZaA transfer folder and available 
shared folders with the following filenames:

AVP5.xcrack.exe
InternetOptimizer1.05b.exe
Shrek_2.exe
UnNukeit9xNTICQ04noimageCrk.exe
YahooDBMails.exe
hx00def.exe
ICQBomber.exe

The worm adds the following registry entry so that it is run each time 
Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvClipRsv

The worm also modifies the HOSTS files in an attempt to prevent 
anti-virus updates.

The worm listens on port 1250 for incoming connections which may contain 
updated copies of the worm or other files to install on the infected 
computer.





W32/Agobot-SG

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-SG is a backdoor Trojan and network worm which can spread by 
copying itself to network shares with weak passwords and may attempt to
spread using the DCOM RPC and/or RPC locator vulnerabilities.

When first run, the worm/Trojan copies itself to the Windows System 
folder using the filename WMON16.EXE and may create sub-keys of the 
following registry entries, so that it is run automatically each time 
Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

On NT-based versions of Windows a new service may be created with the 
same name as the new registry sub-keys and with the startup property set 
to automatic, so that the service starts automatically each time Windows 
is started.

W32/Agobot-SG runs continuously in the background as a service process 
and allows unauthorised remote access and control over the computer.

W32/Agobot-SG may also terminate selected processes related to 
anti-virus and security software (e.g. SWEEP95.EXE, BLACKICE.EXE, 
ZONEALARM.EXE and REGEDIT.EXE).





W32/Rbot-X

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Rbot-X is an IRC backdoor Trojan and network worm.

When first run W32/Rbot-X copies itself to the Windows system folder as 
MSlti32.exe and creates the following registry entries to run 
MSlti32.exe automatically on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AUT Update = MSlti32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft AUT Update = MSlti32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AUT Update = MSlti32.exe

Each time W32/Rbot-X is run it attempts to connect to a remote IRC 
server and join a specific channel. The worm then runs continuously in 
the background listening on the channel for instructions.

W32/Rbot-X attempts to logon to network shares protected by weak 
passwords by brute force using a list of common passwords and then 
copies itself to the Windows system folder of the remote computer.





Troj/Orifice-G

Aliases
Backdoor.BO2K.n, Orifice2K trojan, BO2K.Trojan Variant

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Orifice-G is a member of the 'Back Orifice 2000' series of backdoor 
Trojans.





W32/Rbot-V

Aliases
Backdoor.Spyboter.bx, W32/Sdbot.worm.gen.i, Win32/Spyboter.BX, 
W32.Randex.gen, WORM_SDBOT.JT

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Rbot-V is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-V spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-V copies itself to the Windows system folder as mssmgrd.exe and 
creates entries at the following locations in the registry so as to run 
itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
= mssmgrd.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft 
Update = mssmgrd.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
= mssmgrd.exe

W32/Rbot-V may set the following registry entries:

HKLM\Software\Microsoft\Ole\EnableDCOM = "N"
HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
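
The HOSTS-file tampering described in the W32/Agobot-JM and 
W32/Dumaru-AK entries above (vendor update sites pinned to 127.0.0.1) 
is easy to check for offline. The script below is an added example; it 
is not code from Sophos or from the original post. It parses HOSTS text 
and flags any name that is mapped to a loopback or unspecified address 
but is not one of the normal localhost aliases, and optionally flags 
watched domains (your AV vendor) that have been pointed somewhere else, 
since redirecting an update server is as effective as sinkholing it. 
The HOSTS content embedded below is constructed for the example; on a 
real machine you would read %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Flag HOSTS-file entries that pin real hostnames to a loopback address.

Added example, not from the Sophos write-ups or the original post.
The sample HOSTS text below is constructed.
"""
import ipaddress

# Names that legitimately map to loopback and must not be flagged.
LOOPBACK_OK = {
    "localhost", "localhost.localdomain",
    "ip6-localhost", "ip6-loopback", "broadcasthost",
}


def parse_hosts(text):
    """Yield (line_no, ip_address, [names]) for each usable HOSTS line.

    Inline '#' comments are stripped; lines that do not start with a
    parseable IP address are skipped, as the resolver also ignores them.
    """
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield n, ip, [p.lower() for p in parts[1:]]


def find_sinkholed(text, watch=()):
    """Return (line_no, ip, name, reason) tuples for suspicious entries.

    - loopback-sinkhole: a non-localhost name mapped to 127.x/::1 or
      0.0.0.0 (the blocking trick the Agobot and Dumaru write-ups describe).
    - redirected-watched-domain: a domain in 'watch' (or a subdomain of it)
      mapped to any other address, e.g. an update server sent elsewhere.
    """
    hits = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if (ip.is_loopback or ip.is_unspecified) and name not in LOOPBACK_OK:
                hits.append((n, str(ip), name, "loopback-sinkhole"))
            elif not (ip.is_loopback or ip.is_unspecified) and any(
                name == w or name.endswith("." + w) for w in watch
            ):
                hits.append((n, str(ip), name, "redirected-watched-domain"))
    return hits


# Constructed sample: two legitimate lines, one internal host, then the
# kind of lines the worms append.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.test   # legitimate internal host
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 update.symantec.com
0.0.0.0 www.trendmicro.com
203.0.113.9 download.mcafee.com
"""

if __name__ == "__main__":
    vendors = {"mcafee.com", "symantec.com", "sophos.com", "trendmicro.com"}
    for n, ip, name, why in find_sinkholed(SAMPLE_HOSTS, watch=vendors):
        print(f"line {n}: {ip} -> {name} [{why}]")
```

The first three sample lines produce no findings; the intranet entry is 
left alone because 10.0.0.5 is neither loopback nor a watched domain. 
Clearing the flagged lines is only half the fix: each worm above also 
re-writes HOSTS on start-up, so the autorun entry has to go first.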

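Every entry above persists through the Run/RunServices keys, several 
with filenames one character away from a real system binary (svchostt, 
swchost, svohost) or as a bare filename with no path (mssmgrd.exe, 
MSlti32.exe), and the Rbot variants additionally set EnableDCOM = "N" 
and restrictanonymous = 1 to shut the door they came in through. The 
script below is an added example, not code from Sophos or the original 
post: it triages a registry export (the text regedit's File > Export 
produces, assumed already decoded from UTF-16) for those footprints, so 
it runs offline on any platform. The .reg content embedded below is 
constructed for the example, using the filenames and key paths from the 
write-ups; the "Updater" entry is a made-up legitimate one.

```python
"""Triage a .reg export for the autorun and lockdown footprints the Sophos
write-ups attribute to Agobot-JM, Korgo-D, Rbot-V/X/Y and Dumaru-AK.

Added example; not code from Sophos or the original post. The sample
export below is constructed.
"""
import ntpath
import re

AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")
# Real system binaries are started by the kernel, the SCM or winlogon,
# never from a Run key, so an exact or one-edit-away name there is worth a look.
SYSTEM_STEMS = ("svchost", "lsass", "csrss", "winlogon", "services", "smss")


def edit_distance(a, b):
    """Levenshtein distance; catches svchostt, swchost and svohost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_reg(text):
    """Yield (key, value_name, data) from .reg text.

    Quoted strings get their .reg escaping (\\\\ and \\") undone, dword
    values become ints, any other type is returned as raw text.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if key is None or not m:
            continue
        name = "(Default)" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        yield key, name, data


def split_command(data):
    """Return (directory, stem) of the program in an autorun command line.

    'C:\\WINDOWS\\system32\\swchost.exe' -> ('C:\\WINDOWS\\system32', 'swchost')
    'mssmgrd.exe'                        -> ('', 'mssmgrd')
    """
    cmd = data.strip()
    if not cmd:
        return "", ""
    prog = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    directory, base = ntpath.split(prog)
    return directory, ntpath.splitext(base)[0].lower()


def triage(text):
    """Return (reason, key, value_name, data) tuples worth a closer look."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(AUTORUN_SUFFIXES) and isinstance(data, str):
            directory, stem = split_command(data)
            if any(edit_distance(stem, s) <= 1 for s in SYSTEM_STEMS):
                findings.append(("autorun-system-lookalike", key, name, data))
            elif not directory:
                # A bare filename resolves through the System folder/PATH,
                # which is how the Rbot entries are written; installers
                # almost always record a full path.
                findings.append(("autorun-bare-filename", key, name, data))
        elif k.endswith("\\microsoft\\ole") and name.lower() == "enabledcom" \
                and str(data).upper() == "N":
            findings.append(("dcom-disabled", key, name, data))
        elif k.endswith("\\control\\lsa") and name.lower() == "restrictanonymous" \
                and data == 1:
            # Legitimate hardening on its own; the Rbot footprint is this
            # together with EnableDCOM=N and a fresh Run entry.
            findings.append(("anonymous-restricted", key, name, data))
    return findings


# Constructed sample export (regedit output is UTF-16; decode it first).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"Microsoft Update"="mssmgrd.exe"
"load32"="C:\\WINDOWS\\system32\\swchost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"System Restore Service"="C:\\WINDOWS\\system32\\svchostt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''

if __name__ == "__main__":
    for reason, key, name, data in triage(SAMPLE_REG):
        print(f"{reason:26} {key}\\{name} = {data!r}")
```

The lookalike check is deliberately narrow (distance of at most one 
edit from a short list of names); widen SYSTEM_STEMS or the threshold 
and the false-positive rate climbs quickly. A hit here is a lead, not a 
verdict: confirm it by checking the file's location, size and 
signature, and remember that the same worms also register themselves 
as services on NT-based Windows, which a Run-key scan will not see.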
SOURCE: echomail via fidonet.ozzmosis.com
