echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2006-11-18 13:08:00
subject: News, November 18 2006

[cut-n-paste from sophos.com]

Name   Troj/Pitkom-C

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Pitkom-C is a Trojan for the Windows platform.

Advanced
Troj/Pitkom-C is a Trojan for the Windows platform.

When first run Troj/Pitkom-C copies itself to:

\Local Settings\Application Data\Recycle\Maniez.EXE
\ch.bin
\CHMOD.exe
\NiceGirl.scr
\Updated.exe
\debug.cmd
\setup_.com
\sysint.exe
\user.cmd

and creates the non-malicious file \Maniez.htm.

The following registry entry is created to run sysint.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINDOWS Maniez
\sysint.exe

The following registry entries are changed to run CHMOD.exe, 
NiceGirl.scr, sysint.exe and user.cmd on startup:

HKCU\Control Panel\Desktop
SCRNSAVE.EXE
\NiceGirl.SCR

HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\hijackthis.exe
Debugger
\user.cmd

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "\CHMOD.exe"

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file \Explorer.exe to be run on startup).

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\sysint.exe

(the default value for this registry entry is 
"\System32\userinit.exe,").

The following registry entries are set or modified, so that 
sysint.exe is run when files with extensions of BAT and COM are 
opened/launched:

HKCR\batfile\shell\open\command
(default)
\sysint.exe" "%1" %*

HKCR\comfile\shell\open\command
(default)
\sysint.exe" "%1" %*

Troj/Pitkom-C changes settings for Microsoft Internet Explorer by 
modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run\Windows
load
\setup_.com

HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
\user.cmd

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
ReportBootOk
000

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
   

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
0

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
0

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
000

HKLM\Software\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
0

HKLM\Software\Policies\Microsoft\Windows\Installer
DisableMSI
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
0

Registry entries are created under:

HKCU\Control Panel\Desktop\
HKCU\Control Panel\International\





Name   W32/Levona-B

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Levona.a
    * W32/Avon{at}MM

Prevalence (1-5) 2

Description
W32/Levona-B is a worm and backdoor Trojan for the Windows platform.

Advanced
W32/Levona-B is a mass-mailing worm and backdoor Trojan for the 
Windows platform.

W32/Levona-B spreads to other network computers.

W32/Levona-B runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

When first run W32/Levona-B copies itself to:

\Renova.exe
\regedit.exe
\Mstry.exe
\msconfig.exe
\Alisa.exe
\Emma.exe
\Nova.exe
\regedit.exe

The worm will search for logical drives on the computer. If any are 
found, W32/Levona-B will copy itself as New Folder.exe. The worm also 
searches the logical drives for DOC files and will copy itself as 
.doc.

W32/Levona-B includes the functionality to disable or minimize many 
applications by searching for certain words or phrases in the Windows 
Title Bar, including the following security related ones:

ADVANCED REGISTRY TRACER
CASTLECOPS
CILLIN
CLEANER
COMPACTBYTEAV
EARTHLINK PROTECTION
F-SECURE
GRISOFT
HACKER
HIJACK
KASPERSKY
KILLBOX
MACHINE
MCAFEE
NORMAN
NORTON
PROCESS EXPLORER - SYSINTERNALS
PROCEXP
REGISTRYFIX
REMOVER
SECUNIA
SOPHOS
SYMANTEC
VAKSIN
WASHER

The following registry entries are created to run Renova.exe and 
Nova.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shell
\Renova.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Renova
Nova.exe

The following registry entries are changed to run Renova.exe and 
Mstry.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File 
Execution Options\Msrun.exe
Debugger
\Mstry.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe "\Renova.exe"

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file \Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
explorer.exe "\Renova.exe"

(the default value for this registry entry is 
"\System32\userinit.exe,").

The following registry entries are set, disabling the registry editor 
(regedit), the Windows task manager (taskmgr) and system restore:

HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\
LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisabletaskMgr
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion
RegisteredOrganization
XENOVA

HKCU\Software\Microsoft\Windows\CurrentVersion
RegisteredOwner
RENOVA

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSaveSettings
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFind
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoRun
0

HKCU\Software\Policies\Microsoft\Windows\System
DisableCMD
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOrganization
XENOVA

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOwner
RENOVA

Registry entries are created under:

HKCU\Identities\(D5A9171C-33E5-45AA-8DA6-0CA3468699C7)\
Software\Microsoft\Outlook Express\5.0\Mail\





Name   Troj/Dropper-MA

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Prevalence (1-5) 2

Description
Troj/Dropper-MA is a Trojan for the Windows platform.

The file dropped by the Trojan is detected as Troj/Lineag-AEG.





Name   W32/Pardona-A

Type  
    * Virus

How it spreads  
    * Email messages
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Win32/Pardona.B
    * Email-Worm.Win32.Small.f

Prevalence (1-5) 2

Description
W32/Pardona-A is a virus for the Windows platform.

The virus attempts to infect EXE files, and to modify HTM and ASP 
files so that they silently download from a remote website.

W32/Pardona-A may spread to other network computers and may also 
spread via email.

W32/Pardona-A also includes functionality to download, install and 
run new software.

Advanced
W32/Pardona-A is a virus for the Windows platform.

The virus attempts to infect EXE files, and to modify HTM and ASP 
files so that they silently download from a remote website.

W32/Pardona-A may spread to other network computers and may also 
spread via email.

W32/Pardona-A also includes functionality to download, install and 
run new software.

When first run W32/Pardona-A copies itself to \ePower.exe and to several files of the form \

Each of these files is either identical to, or slight variants of, 
the original file. All will be detected as W32/Pardona-A.

The virus also creates the file C:\WINDOWS\System32\.sys

This SYS file is registered as a new system driver service named 
"SysDrver", with a display name of "System SSDP Services". 
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\SysDrver\

The SYS file, which is detected as Troj/Pardot-A, uses stealth 
functionality to hide processes created by W32/Pardona-A.

The virus attempts to download and execute a file to the following 
location:

C:\tool.exe





Name   W32/Tilebot-HX

Type  
    * Spyware Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks
    * Scans network for vulnerabilities
    * Scans network for weak passwords

Aliases  
    * Backdoor.Win32.SdBot.aad
    * PAK_Generic.001

Prevalence (1-5) 2

Description
W32/Tilebot-HX is a worm for the Windows platform.

W32/Tilebot-HX spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007). The worm 
may also spread via network shares protected by weak passwords.

W32/Tilebot-HX runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-HX includes functionality to:

- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messenger by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks

Advanced
W32/Tilebot-HX is a worm for the Windows platform.

W32/Tilebot-HX spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007). The worm 
may also spread via network shares protected by weak passwords.

W32/Tilebot-HX runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-HX includes functionality to:

- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messenger by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks

When first run W32/Tilebot-HX copies itself to \vcmon.exe.

The file vcmon.exe is registered as a new system driver service named 
"Remote TCP Services", with a display name of "Remote TCP Services" 
and a startup type of automatic, so that it is started automatically 
during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Remote TCP Services\

W32/Tilebot-HX sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   Troj/Clagger-AJ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Clagger-AJ is a Trojan for the Windows platform.

Troj/Clagger-AJ includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Clagger-AJ attempts to download and execute files from remote 
websites.

Advanced
Troj/Clagger-AJ is a Trojan for the Windows platform.

Troj/Clagger-AJ includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Clagger-AJ attempts to download and execute files from remote 
websites.

When Troj/Clagger-AJ is installed it creates the file 
\drivers\winut.dat which contains downloading links. This 
file is not malicious on its own and may be safely deleted.

Troj/Clagger-AJ displays a fake error message with a title the same 
as its filename and the following text:

Acrobat 6 - Error "Warning" 20225

Troj/Clagger-AJ also sets the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
windowsshell
1





Name   Troj/Proxy-EU

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * BackDoor-DIZ
    * BKDR_HACDEF.DW

Prevalence (1-5) 2

Description
Troj/Proxy-EU is a Trojan for the Windows platform.

Troj/Proxy-EU allows a remote attacker to route internet traffic 
through the infected computer, including unsolicited commercial emails.

Advanced
Troj/Proxy-EU is a Trojan for the Windows platform.

Troj/Proxy-EU allows a remote attacker to route internet traffic 
through the infected computer, including unsolicited commercial emails.

When first run, Troj/Proxy-EU installs itself as a new system driver 
service with a randomly-generated name, a display name of "Print 
Spooler Service" and a startup type of automatic, so that it is 
started automatically during system startup.





Name   Troj/WinSpy-L

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/WinSpy-L is a Trojan for the Windows platform.

Troj/WinSpy-L includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/WinSpy-L is a Trojan for the Windows platform.

Troj/WinSpy-L includes functionality to access the internet and 
communicate with a remote server via HTTP.

When Troj/WinSpy-L is installed it creates the file 
\regscan.exe.

The following registry entry is created to run regscan.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Regscan
\regscan.exe

Registry entries are also created under:
HKCU\Software\Microsoft\Internet Explorer\Settings\





Name   W32/Mona-B

Type  
    * Worm

How it spreads  
    * Email attachments
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * IM-Worm.Win32.VB.al
    * WORM_VB.ARO

Prevalence (1-5) 2

Description
W32/Mona-B is an instant messenger and email worm for the Windows 
platform.

Advanced
W32/Mona-B is an instant messenger and email worm for the Windows 
platform.

The worm contains various functionality including:
- downloading components
- editing the registry
- checking for MSN
- sending email

When first run W32/Mona-B copies itself to:

\svchost.exe
\explorer.exe
\winnt.exe

The following registry entries are also created by the worm:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winnt
\winnt.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Shell
\explorer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svchost
\svchost.exe





Name   W32/Looked-AV

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Trojan-Downloader.Win32.Delf.bbp
    * W32/HLLP.Philis.bk

Prevalence (1-5) 2

Description
W32/Looked-AV is a virus which can also spread via network shares.

W32/Looked-AV runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Looked-AV includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Looked-AV is a virus which can also spread via network shares.

W32/Looked-AV runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Looked-AV includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Looked-AV copies itself to \uninstall\rundl132.exe and creates the following files:

\Dll.dll

Dll.dll is also detected as W32/Looked-AV.

The following registry entry is created to run rundl132.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
\uninstall\rundl132.exe

Registry entries are created under:

HKLM\SOFTWARE\Soft\DownloadWWW\





Name   Troj/QQPass-AKL

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-PSW.Win32.QQPass.mt

Prevalence (1-5) 2

Description
Troj/QQPass-AKL is a password stealing Trojan for the Windows platform.

Troj/QQPass-AKL includes functionality to

- download, install and run new software
- communicate with a remote server via http
- send notification messages to remote locations
- terminate anti-virus processes

Advanced
Troj/QQPass-AKL is a password stealing Trojan for the Windows platform.

Troj/QQPass-AKL includes functionality to
- download, install and run new software
- communicate with a remote server via http
- send notification messages to remote locations
- terminate anti-virus processes

When first run Troj/QQPass-AKL copies itself to:

\QQhx.dat
\vipbkv.exe

and creates the file \vipbkv.dll.

The following registry entry is created to run Troj/QQPass-AKL on 
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
J3D5D5
\vipbkv.exe

Troj/QQPass-AKL sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\srservice
Start
4

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
bd

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\Hidden
SHOWALL
CheckedValue
0





Name   W32/Pardona-B

Type  
    * Virus

How it spreads  
    * Email messages
    * Network shares
    * Infected files
    * Web downloads

Affected operating systems  
    * Windows

Side effects  
    * Uses its own emailing engine
    * Downloads code from the internet

Aliases  
    * Trojan-Dropper.Win32.Delf.abf

Prevalence (1-5) 2

Description
W32/Pardona-B is a virus for the Windows platform.

The virus attempts to infect EXE files, and to modify HTM and ASP 
files so that they silently download from a remote website.

W32/Pardona-B may spread to other network computers and may also 
spread via email.

W32/Pardona-B also includes functionality to download, install and 
run new software.

Advanced
W32/Pardona-B is a virus for the Windows platform.

The virus attempts to infect EXE files, and to modify HTM and ASP 
files so that they silently download from a remote website.

W32/Pardona-B may spread to other network computers and may also 
spread via email.

W32/Pardona-B also includes functionality to download, install and 
run new software.

When first run W32/Pardona-B copies itself to \ePower.exe and to several files of the form

\

Each of these files is either identical to, or slight variants of, 
the original file. All will be detected as W32/Pardona-B.

The virus also creates the file C:\WINDOWS\System32\.sys

This SYS file is registered as a new system driver service named 
"SysDrver", with a display name of "System SSDP Services".
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\SysDrver\

The SYS file, which is detected as Troj/Pardot-A, uses stealth 
functionality to hide processes created by W32/Pardona-B.

The virus attempts to download and execute files to the following 
location:

C:\tool.exe





Name   Troj/BatKill-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Stops the computer from booting
    * Modifies data on the computer
    * Deletes files off the computer

Prevalence (1-5) 2

Description
Troj/BatKill-A is a Trojan for the Windows platform.

Advanced
Troj/BatKill-A is a Trojan for the Windows platform.

When Troj/BatKill-A is installed it may create the file 
\bt3333.bat, which is also detected as Troj/BatKill-A.

Troj/BatKill-A attempts to remove the first four boot configurations 
from the boot.ini file, delete \hal.dll, copy itself to the 
 folder and shut down the computer. If successful this will 
make the infected computer unbootable.

Troj/BatKill-A may also display a rude message in Romanian.





Name   Troj/DwnLdr-FVG

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/DwnLdr-FVG is a downloader Trojan for the Windows platform.

Advanced
Troj/DwnLdr-FVG is a downloader Trojan for the Windows platform.

When run Troj/DwnLdr-FVG attempts to download a file from a remote 
website to the location \suhoy351.exe and run it.





Name   W32/Silly-E

Type  
    * Worm

How it spreads  
    * Network shares
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.VB.cj
    * Infection:

Prevalence (1-5) 2

Description
W32/Silly-E is a worm for the Windows platform.

W32/Silly-E spreads to other network computers. When spreading, 
W32/Silly-E may copy itself to filenames that match the parent folder 
name, e.g. "temp\temp.exe" or "program files\program files.exe"; it 
may also overwrite original executables.

Advanced
W32/Silly-E is a worm for the Windows platform.

W32/Silly-E spreads to other network computers. When spreading, 
W32/Silly-E may copy itself to filenames that match the parent folder 
name, e.g. "temp\temp.exe" or "program files\program files.exe"; it 
may also overwrite original executables.

When first run W32/Silly-E copies itself to \windows.exe.

The following registry entry is created to run windows.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PROGRAM
\WINDOWS.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1





Name   W32/Rbot-FVZ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.SdBot.awk

Prevalence (1-5) 2

Description
W32/Rbot-FVZ is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Rbot-FVZ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-FVZ spreads
- to computers vulnerable to common exploits, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
- to network shares protected by weak passwords

Advanced
W32/Rbot-FVZ is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Rbot-FVZ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-FVZ spreads
- to computers vulnerable to common exploits, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
- to network shares protected by weak passwords

When first run W32/Rbot-FVZ copies itself to \svcchost.exe.

The following registry entries are created to run svcchost.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msvcc25
svcchost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
msvcc25
svcchost.exe

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 379/1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
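The Sophos write-ups quoted in this post keep returning to the same handful of registry persistence and tamper points: Winlogon Shell and Userinit, Image File Execution Options "Debugger" values, the batfile/comfile open handlers, SFCDisable, Run-key entries under system-file lookalike names (svcchost.exe, rundl132.exe), policy lockouts (DisableRegistryTools, DisableTaskMgr, DisableSR) and services forced to Start=4. The script below is an added example, not part of the post or of Sophos's descriptions: it parses a regedit (.reg) export offline and reports deviations from the defaults the write-ups mention. The watchlists (SYSTEM_NAMES, WATCHED_SERVICES, KNOWN_DEBUGGERS, LOCKOUTS) and the C:\example\ paths in the embedded sample export are assumptions constructed for the demonstration; an IFEO Debugger value is also set legitimately by developers, so that finding is a prompt to review, not proof of infection.

```python
"""Audit a REGEDIT5 .reg export for the persistence and lockout settings the Sophos
write-ups above describe. Added example; watchlists and sample data are constructed."""
import re

HKLM, HKCU, HKCR = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT"
CV = r"\SOFTWARE\Microsoft\Windows\CurrentVersion"
NTCV = r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
WINLOGON, IFEO, AEDEBUG = HKLM + NTCV + r"\Winlogon", HKLM + NTCV + r"\Image File Execution Options", HKLM + NTCV + r"\AeDebug"
RUN_KEYS = [h + CV + "\\" + s for h in (HKLM, HKCU) for s in ("Run", "RunServices")]
# (key, value) pairs the write-ups show being set to lock the user out (assumed watchlist)
LOCKOUTS = [(HKCU + CV + r"\Policies\System", "DisableRegistryTools"),
            (HKCU + CV + r"\Policies\System", "DisableTaskMgr"),
            (HKCU + r"\SOFTWARE\Policies\Microsoft\Windows\System", "DisableCMD"),
            (HKLM + r"\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR"),
            (HKLM + r"\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableConfig")]
LOCKOUTS += [(h + CV + r"\Policies\Explorer", n) for h in (HKLM, HKCU) for n in ("NoFolderOptions", "NoFind", "NoRun")]
WATCHED_SERVICES = ("srservice", "Messenger", "RemoteRegistry", "TlntSvr")   # services the post shows set to Start=4
SYSTEM_NAMES = {"svchost.exe", "rundll32.exe", "explorer.exe", "userinit.exe", "winlogon.exe",
                "csrss.exe", "lsass.exe", "services.exe", "regedit.exe", "msconfig.exe"}
KNOWN_DEBUGGERS = {"drwtsn32", "drwtsn32.exe", "vsjitdebugger.exe", "windbg.exe", "ntsd.exe", "cdb.exe"}


def parse_reg(text):
    """Parse a .reg export into {key.lower(): {name.lower(): value}}.
    Quoted strings are unescaped, dword: values become ints, other types stay raw."""
    reg, key = {}, None
    unesc = lambda s: re.sub(r"\\(.)", r"\1", s)
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1].lower()
            reg.setdefault(key, {})
            continue
        m = re.match(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$', line)  # @ is the (default) value
        if not m or key is None:
            continue
        name, val = unesc(m.group(1) or "").lower(), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = unesc(val[1:-1])
        elif val.lower().startswith("dword:"):
            val = int(val[6:], 16)
        reg[key][name] = val
    return reg


def vals(reg, key):
    return reg.get(key.lower(), {})


def basename(cmd):
    """First executable token of a command line, without directory or quotes."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', cmd or "")
    tok = (m.group(1) or m.group(2) or "") if m else ""
    return re.split(r"[\\/]", tok)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch svcchost.exe / rundl132.exe style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(reg):
    """Return a list of human-readable findings for the parsed export."""
    f, wl = [], vals(reg, WINLOGON)
    shell = wl.get("shell")
    if shell is not None and str(shell).strip().lower() != "explorer.exe":   # default is Explorer.exe
        f.append(f"Winlogon Shell is not Explorer.exe: {shell!r}")
    userinit = wl.get("userinit")
    if userinit is not None:  # default is <system32>\userinit.exe, : exactly one program
        parts = [p.strip() for p in str(userinit).split(",") if p.strip()]
        if len(parts) != 1 or basename(parts[0]) != "userinit.exe":
            f.append(f"Winlogon Userinit chains extra programs: {userinit!r}")
    if wl.get("sfcdisable", 0):
        f.append(f"Windows File Protection disabled: SFCDisable={wl['sfcdisable']!r}")
    prefix = IFEO.lower() + "\\"
    for key, kv in reg.items():
        if key.startswith(prefix) and "debugger" in kv:
            f.append(f"IFEO Debugger set for {key[len(prefix):]} -> {kv['debugger']!r} (review)")
    dbg = vals(reg, AEDEBUG).get("debugger")
    if dbg is not None and basename(dbg) not in KNOWN_DEBUGGERS:
        f.append(f"AeDebug Debugger is not a known debugger: {dbg!r}")
    for ext in ("batfile", "comfile", "exefile"):  # default handler is "%1" %*
        cmd = vals(reg, HKCR + "\\" + ext + r"\shell\open\command").get("")
        if cmd is not None and str(cmd).strip() != '"%1" %*':
            f.append(f"{ext} open handler hijacked: {cmd!r}")
    for rk in RUN_KEYS:
        for name, cmd in vals(reg, rk).items():
            exe = basename(str(cmd))
            near = [s for s in SYSTEM_NAMES if exe != s and edit_distance(exe, s) <= 1]
            if near:
                f.append(f"Run entry {name!r} runs system-name lookalike {exe} (cf. {near[0]})")
    for key, name in LOCKOUTS:
        if vals(reg, key).get(name.lower(), 0):
            f.append(f"Policy lockout set: {name} under {key}")
    for svc in WATCHED_SERVICES:
        if vals(reg, HKLM + "\\SYSTEM\\CurrentControlSet\\Services\\" + svc).get("start") == 4:
            f.append(f"Service {svc} disabled (Start=4)")
    return f


# Constructed sample export modelled on the Pitkom-C, Rbot-FVZ, Looked-AV and Levona-B
# indicators quoted above; the C:\example\ paths are invented for the demonstration.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\example\\CHMOD.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\example\\sysint.exe"
"SFCDisable"=dword:ffffff9d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe]
"Debugger"="C:\\example\\user.cmd"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"C:\\example\\sysint.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msvcc25"="svcchost.exe"
"load"="C:\\WINDOWS\\uninstall\\rundl132.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
"Start"=dword:00000004
'''

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE)):
        print(finding)
```

To use it against a real machine, export the hives with `reg export HKLM hklm.reg` (and likewise HKCU and HKCR), concatenate the files and pass the text to parse_reg; the comfile handler and the Adobe Run entry in the sample are there to show that correct defaults and ordinary third-party autostarts produce no finding.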
