subject: News, April 10 2005
[cut-n-paste from sophos.com]
Name W32/Mytob-R
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
Aliases
* WORM_MYTOB.X
* Net-Worm.Win32.Mytob.p
* Net-Worm.Win32.Mytob.q
* Worm.Mytob.H-3
Prevalence (1-5) 3
Description
W32/Mytob-R is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
W32/Mytob-R is capable of spreading through various operating system
vulnerabilities such as LSASS (MS04-011).
W32/Mytob-R also drops a file C:\hellmsn.exe. This file is being
detected by Sophos as W32/Mytob-D.
Advanced
W32/Mytob-R is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
W32/Mytob-R is capable of spreading through various operating system
vulnerabilities such as LSASS (MS04-011).
When first run, W32/Mytob-R copies itself to the Windows system folder
as taskgmr.exe, bingoo.exe and nethell.exe and creates the following
registry entries:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
HKCU\Software\Microsoft\OLE
WINTASK
taskgmr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Ole
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
W32/Mytob-R copies itself to the drive C root folder as:
my_photo2005.scr
see_this!!.scr
funny_pic.scr
The worm also appends the following to the HOSTS file to deny access to
security-related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
Emails sent by W32/Mytob-R have the following characteristics:
Subject line:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
thanks!
read it immediately
Message text:
Here are your banks documents.
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment
The original message was included as an attachment.
Here are your banks documents.
The attached file consists of a base name followed by the extension BAT,
CMD, PIF, SCR, EXE or ZIP. The worm may optionally create double
extensions where the first extension is DOC, TXT or HTM and the final
extension is PIF, SCR, EXE or ZIP.
W32/Mytob-R harvests email addresses from files on the infected computer
and from the Windows address book.
The worm also drops a batch file %SYSTEM%\2pac.txt. This file can be
safely deleted.
W32/Mytob-R also drops a file C:\hellmsn.exe. This file is being
detected by Sophos as W32/Mytob-D.
Name W32/Mytob-Q
Type
* Worm
How it spreads
* Email attachments
* Chat programs
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Drops more malware
Aliases
* WORM_MYTOB.Q
Prevalence (1-5) 2
Description
W32/Mytob-Q is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
W32/Mytob-Q is capable of spreading through email and through various
operating system vulnerabilities such as LSASS (MS04-011).
W32/Mytob-Q harvests email addresses from files on the infected computer
and from the Windows address book.
Advanced
W32/Mytob-Q is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
When first run W32/Mytob-Q copies itself to the Windows system folder as
msnmsgs.exe and creates the following registry entries:
HKCU\System\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe
HKCU\Software\Microsoft\OLE
MSN MESSENGER
msnmsgs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe
HKLM\Software\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe
HKLM\System\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe
W32/Mytob-Q copies itself to the root folder as:
funny pic.scr
photo album.scr
eminem vs 2pac.scr
and creates the helper file hellmsn.exe (detected by Sophos as
W32/Mytob-H) in the same location.
W32/Mytob-Q also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
W32/Mytob-Q is capable of spreading through email and through various
operating system vulnerabilities such as LSASS (MS04-011). Email sent by
W32/Mytob-Q has the following properties:
Subject line:
Hello
thanks!
read it immediately
Message text:
This is a multi-part message in MIME format
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The original message was included as an attachment.
I have received your document. The corrected document is attached.
The attached file consists of a base name followed by the extension
PIF, SCR, EXE or ZIP. The worm may optionally create double extensions
where the first extension is DOC, TXT or HTM and the final extension is
PIF, SCR, EXE or ZIP.
W32/Mytob-Q harvests email addresses from files on the infected computer
and from the Windows address book.
Name W32/Rbot-ZQ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Downloads code from the internet
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-ZQ is an IRC backdoor and network worm.
W32/Rbot-ZQ may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process. The worm exploits the following vulnerabilities:
RPC-DCOM (MS04-012), LSASS (MS04-011) and WKS (MS03-049). For patches for
these vulnerabilities, see:
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
W32/Rbot-ZQ can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
The worm creates numerous registry entries in order to alter system
security.
Advanced
W32/Rbot-ZQ is an IRC backdoor and network worm.
W32/Rbot-ZQ may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process. The worm exploits the following vulnerabilities:
RPC-DCOM (MS04-012), LSASS (MS04-011) and WKS (MS03-049). For patches for
these vulnerabilities, see:
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
W32/Rbot-ZQ can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
W32/Rbot-ZQ copies itself to the Windows system folder with a random
filename and creates the following registry entries in order to alter
system security:
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start = 4
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = 4
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
TransportBindName = ""
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server = 50
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPerServer = 50
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks = 0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer = 0
The worm also creates a number of new registry entries under
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name W32/Sdbot-WS
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Trojan.SdBot-447
* W32/Sdbot.worm.gen.y
Prevalence (1-5) 2
Description
W32/Sdbot-WS is a member of the W32/Sdbot family of network worms. The
worm can spread to weakly protected network shares, and to computers
already infected with W32/MyDoom.
The worm has a backdoor component that connects to a preconfigured IRC
channel, allowing an attacker to issue instructions to the worm and thus
gain access to an infected computer.
W32/Sdbot-WS can be instructed to harvest product keys; scan for remote
computers to infect; upload, download and execute files; as well as
retrieve information about an infected system.
Advanced
W32/Sdbot-WS is a member of the W32/Sdbot family of network worms. The
worm can spread to weakly protected network shares, and to computers
already infected with W32/MyDoom.
In order to run automatically when Windows starts up the worm copies
itself to the folder as winupdate.exe and creates the following
registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update
winupdate.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Update
winupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update
winupdate.exe
Once installed, W32/Sdbot-WS connects to a preconfigured IRC server and
joins a channel from which an attacker can issue further commands. These
commands can cause the infected computer to perform any of the following
actions:
Scan for remote computers to infect
Steal product keys
Upload, download and execute files
Retrieve information about an infected system
The worm can be instructed to secure an infected computer, and does this
by attempting to delete the C$, D$, IPC$ and ADMIN$ network shares, and
disable DCOM by setting the following registry entry:
HKLM\Software\Microsoft\OLE
EnableDCOM
N
Name Troj/StartPa-FM
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
Aliases
* Trojan.Win32.StartPage.sr
* Trojan.Startpage-220
Prevalence (1-5) 2
Description
Troj/StartPa-FM is a Windows Trojan which changes the default Internet
settings.
When run the Trojan quietly changes the default Internet Explorer Start
Page and the Internet zone settings.
Troj/StartPa-FM also drops a file ~D2.TMP in the %TEMP% folder and runs
it. This file is a key generator application and is not malicious.
Name W32/Rbot-ZN
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-ZN is a worm with backdoor Trojan functionality.
W32/Rbot-ZN is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command. The worm can also spread by exploiting a number of software
vulnerabilities.
Advanced
W32/Rbot-ZN is a worm with backdoor Trojan functionality.
W32/Rbot-ZN is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
W32/Rbot-ZN will attempt to spread by exploiting the following
vulnerabilities:
DCOM (MS04-012)
LSASS and IIS5SSL (MS04-011)
Microsoft SQL servers with weak passwords
When first run, W32/Rbot-ZN moves itself to the Windows system folder as
INIT3.EXE. In order to run automatically each time a user logs in,
W32/Rbot-ZN will set the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Unix File Support
init3.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Unix File Support
init3.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Unix File Support
init3.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Unix File Support
init3.exe
W32/Rbot-ZN will also set the following registry entries:
HKCU\Software\Microsoft\OLE
Unix File Support
init3.exe
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Unix File Support
init3.exe
The worm runs continuously in the background, providing backdoor access
to the infected computer over IRC channels.
W32/Rbot-ZN will modify the following registry entries in order to
disable DCOM and restrict anonymous access to the IPC$ share:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
W32/Rbot-ZN will attempt to terminate the following processes:
_AVP32.EXE, _AVPCC.EXE, _AVPM.EXE, ACKWIN32.EXE, ADAWARE.EXE,
ADVXDWIN.EXE, AGENTSVR.EXE, AGENTW.EXE, ALERTSVC.EXE, ALEVIR.EXE,
ALOGSERV.EXE, AMON9X.EXE, ANTI-TROJAN.EXE, ANTIVIRUS.EXE, ANTS.EXE,
APIMONITOR.EXE, APLICA32.EXE, APVXDWIN.EXE, ARR.EXE, ATCON.EXE,
ATGUARD.EXE, ATRO55EN.EXE, ATUPDATER.EXE, ATWATCH.EXE, AU.EXE,
AUPDATE.EXE, AUTO-PROTECT.NAV80TRY.EXE, AUTODOWN.EXE, AUTOTRACE.EXE,
AUTOUPDATE.EXE, AVCONSOL.EXE, AVE32.EXE, AVGCC32.EXE, AVGCTRL.EXE,
AVGNT.EXE, AVGSERV.EXE, AVGSERV9.EXE, AVGUARD.EXE, AVGW.EXE, AVKPOP.EXE,
AVKSERV.EXE, AVKSERVICE.EXE, AVKWCTl9.EXE, AVLTMAIN.EXE, AVNT.EXE,
AVP.EXE, AVP32.EXE, AVPCC.EXE, AVPDOS32.EXE, AVPM.EXE, AVPTC32.EXE,
AVPUPD.EXE, AVSCHED32.EXE, AVSYNMGR.EXE, AVWIN95.EXE, AVWINNT.EXE,
AVWUPD.EXE, AVWUPD32.EXE, AVWUPSRV.EXE, AVXMONITOR9X.EXE,
AVXMONITORNT.EXE, AVXQUAR.EXE, BACKWEB.EXE, BARGAINS.EXE, bbeagle.exe,
BD_PROFESSIONAL.EXE, BEAGLE.EXE, BELT.EXE, BIDEF.EXE, BIDSERVER.EXE,
BIPCP.EXE, BIPCPEVALSETUP.EXE, BISP.EXE, BLACKD.EXE, BLACKICE.EXE,
BLSS.EXE, BOOTCONF.EXE, BOOTWARN.EXE, BORG2.EXE, BPC.EXE, BRASIL.EXE,
BS120.EXE, BUNDLE.EXE, BVT.EXE, CCAPP.EXE, CCEVTMGR.EXE, CCPXYSVC.EXE,
CDP.EXE, CFD.EXE, CFGWIZ.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE,
CFINET32.EXE, Claw95.EXE, CLAW95CF.EXE, CLEAN.EXE, CLEANER.EXE,
CLEANER3.EXE, CLEANPC.EXE, CLICK.EXE, CMD32.EXE, CMESYS.EXE,
CMGRDIAN.EXE, CMON016.EXE, CONNECTIONMONITOR.EXE, CPD.EXE, CPF9X206.EXE,
CPFNT206.EXE, CTRL.EXE, CV.EXE, CWNB181.EXE, CWNTDWMO.EXE,
d3dupdate.exe, DATEMANAGER.EXE, DCOMX.EXE, DEFALERT.EXE, DEFSCANGUI.EXE,
DEFWATCH.EXE, DEPUTY.EXE, DIVX.EXE, DLLCACHE.EXE, DLLREG.EXE, DOORS.EXE,
DPF.EXE, DPFSETUP.EXE, DPPS2.EXE, DRWATSON.EXE, DRWEB32.EXE,
DRWEBUPW.EXE, DSSAGENT.EXE, DVP95.EXE, DVP95_0.EXE, ECENGINE.EXE,
EFPEADM.EXE, EMSW.EXE, ENT.EXE, ESAFE.EXE, ESCANH95.EXE, ESCANHNT.EXE,
ESCANV95.EXE, ESPWATCH.EXE, ETHEREAL.EXE, ETRUSTCIPE.EXE, EVPN.EXE,
EXANTIVIRUS-CNET.EXE, EXE.AVXW.EXE, EXPERT.EXE, EXPLORE.EXE,
F-AGNT95.EXE, F-AGOBOT.EXE, F-PROT.EXE, F-PROT95.EXE, F-STOPW.EXE,
FAMEH32.EXE, FAST.EXE, FCH32.EXE, FIH32.EXE, FINDVIRU.EXE, FIREWALL.EXE,
FLOWPROTECTOR.EXE, FNRB32.EXE, FP-WIN.EXE, FP-WIN_TRIAL.EXE, FPROT.EXE,
FRW.EXE, FSAA.EXE, FSAV.EXE, FSAV32.EXE, FSAV530STBYB.EXE,
FSAV530WTBYB.EXE, FSAV95.EXE, FSGK32.EXE, FSM32.EXE, FSMA32.EXE,
FSMB32.EXE, GATOR.EXE, GBMENU.EXE, GBPOLL.EXE, GENERICS.EXE, GMT.EXE,
GUARD.EXE, GUARDDOG.EXE, HACKTRACERSETUP.EXE, HBINST.EXE, HBSRV.EXE,
HIJACKTHIS.EXE, HOTACTIO.EXE, HOTPATCH.EXE, HTLOG.EXE, HTPATCH.EXE,
HWPE.EXE, HXDL.EXE, HXIUL.EXE, i11r54n4.exe, IAMAPP.EXE, IAMSERV.EXE,
IAMSTATS.EXE, IBMASN.EXE, IBMAVSP.EXE, ICLOAD95.EXE, ICLOADNT.EXE,
ICMON.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IDLE.EXE, IEDLL.EXE,
IEDRIVER.EXE, IEXPLORER.EXE, IFACE.EXE, IFW2000.EXE, INETLNFO.EXE,
INFUS.EXE, INFWIN.EXE, INIT.EXE, INTDEL.EXE, INTREN.EXE, IOMON98.EXE,
IPARMOR.EXE, IRIS.EXE, irun4.exe, ISASS.EXE, ISRV95.EXE, ISTSVC.EXE,
JAMMER.EXE, JDBGMRG.EXE, JEDI.EXE, KAVLITE40ENG.EXE, KAVPERS40ENG.EXE,
KAVPF.EXE, KAZZA.EXE, KEENVALUE.EXE, KERIO-PF-213-EN-WIN.EXE,
KERIO-WRL-421-EN-WIN.EXE, KERIO-WRP-421-EN-WIN.EXE, KERNEL32.EXE,
KILLPROCESSSETUP161.EXE, LAUNCHER.EXE, LDNETMON.EXE, LDPRO.EXE,
LDPROMENU.EXE, LDSCAN.EXE, LNETINFO.EXE, LOADER.EXE, LOCALNET.EXE,
LOCKDOWN.EXE, LOCKDOWN2000.EXE, LOOKOUT.EXE, LORDPE.EXE, LSETUP.EXE,
LUALL.EXE, LUAU.EXE, LUCOMSERVER.EXE, LUINIT.EXE, LUSPT.EXE,
MAPISVC32.EXE, MCAGENT.EXE, MCMNHDLR.EXE, MCSHIELD.EXE, MCTOOL.EXE,
MCUPDATE.EXE, MCVSRTE.EXE, MCVSSHLD.EXE, MD.EXE, MFIN32.EXE, MFW2EN.EXE,
MFWENG3.02D30.EXE, MGAVRTCL.EXE, MGAVRTE.EXE, MGHTML.EXE, MGUI.EXE,
MINILOG.EXE, MMOD.EXE, MONITOR.EXE, MOOLIVE.EXE, MOSTAT.EXE,
MPFAGENT.EXE, MPFSERVICE.EXE, MPFTRAY.EXE, MRFLUX.EXE, MSAPP.EXE,
MSBB.EXE, MSBLAST.EXE, MSCACHE.EXE, MSCCN32.EXE, MSCMAN.EXE,
MSCONFIG.EXE, mscvb32.exe, MSDM.EXE, MSDOS.EXE, MSIEXEC16.EXE,
MSINFO32.EXE, MSLAUGH.EXE, MSMGT.EXE, MSMSGRI32.EXE, MSSMMC32.EXE,
MSSYS.EXE, MSVXD.EXE, MU0311AD.EXE, MWATCH.EXE, N32SCANW.EXE, NAV.EXE,
NAVAP.NAVAPSVC.EXE, NAVAPSVC.EXE, NAVAPW32.EXE, NAVDX.EXE,
NAVENGNAVEX15.NAVLU32.EXE, NAVLU32.EXE, NAVNT.EXE, NAVSTUB.EXE,
NAVW32.EXE, NAVWNT.EXE, NC2000.EXE, NCINST4.EXE, NDD32.EXE,
NEOMONITOR.EXE, NEOWATCHLOG.EXE, NETARMOR.EXE, NETD32.EXE, NETINFO.EXE,
NETMON.EXE, NETSCANPRO.EXE, NETSPYHUNTER-1.2.EXE, NETSTAT.EXE,
NETUTILS.EXE, NISSERV.EXE, NISUM.EXE, NMAIN.EXE, NOD32.EXE, NORMIST.EXE,
NORTON_INTERNET_SECU_3.0_407.EXE, NOTSTART.EXE,
NPF40_TW_98_NT_ME_2K.EXE, NPFMESSENGER.EXE, NPROTECT.EXE, NPSCHECK.EXE,
NPSSVC.EXE, NSCHED32.EXE, NSSYS32.EXE, NSTASK32.EXE, NSUPDATE.EXE,
NT.EXE, NTRTSCAN.EXE, NTVDM.EXE, NTXconfig.EXE, NUI.EXE, NUPGRADE.EXE,
NVARCH16.EXE, NVC95.EXE, NVSVC32.EXE, NWINST4.EXE, NWSERVICE.EXE,
NWTOOL16.EXE, OLLYDBG.EXE, ONSRVR.EXE, OPTIMIZE.EXE, OSTRONET.EXE,
OTFIX.EXE, OUTPOST.EXE, OUTPOSTINSTALL.EXE, OUTPOSTPROINSTALL.EXE,
PADMIN.EXE, PandaAVEngine.exe, PANIXK.EXE, PATCH.EXE, PAVCL.EXE,
PAVPROXY.EXE, PAVSCHED.EXE, PAVW.EXE, PCC2002S902.EXE,
PCC2K_76_1436.EXE, PCCIOMON.EXE, PCCNTMON.EXE, PCCWIN97.EXE,
PCCWIN98.EXE, PCDSETUP.EXE, PCFWALLICON.EXE, PCIP10117_0.EXE,
PCSCAN.EXE, PDSETUP.EXE, PENIS.EXE, Penis32.exe, PERISCOPE.EXE,
PERSFW.EXE, PERSWF.EXE, PF2.EXE, PFWADMIN.EXE, PGMONITR.EXE,
PINGSCAN.EXE, PLATIN.EXE, POP3TRAP.EXE, POPROXY.EXE, POPSCAN.EXE,
PORTDETECTIVE.EXE, PORTMONITOR.EXE, POWERSCAN.EXE, PPINUPDT.EXE,
PPTBC.EXE, PPVSTOP.EXE, PRIZESURFER.EXE, PRMT.EXE, PRMVR.EXE,
PROCDUMP.EXE, PROCESSMONITOR.EXE, PROCEXPLORERV1.0.EXE,
PROGRAMAUDITOR.EXE, PROPORT.EXE, PROTECTX.EXE, PSPF.EXE, PURGE.EXE,
PUSSY.EXE, PVIEW95.EXE, QCONSOLE.EXE, QSERVER.EXE, RAPAPP.EXE, rate.exe,
RAV7.EXE, RAV7WIN.EXE, RAV8WIN32ENG.EXE, RAY.EXE, RB32.EXE, RCSYNC.EXE,
REALMON.EXE, REGED.EXE, REGEDIT.EXE, REGEDT32.EXE, RESCUE.EXE,
RESCUE32.EXE, RRGUARD.EXE, RSHELL.EXE, RTVSCAN.EXE, RTVSCN95.EXE,
RULAUNCH.EXE, RUN32DLL.EXE, RUNDLL.EXE, RUNDLL16.EXE, RUXDLL32.EXE,
SAFEWEB.EXE, SAHAGENT.EXE, SAVE.EXE, SAVENOW.EXE, SBSERV.EXE, SC.EXE,
SCAM32.EXE, SCAN32.EXE, SCAN95.EXE, SCANPM.EXE, SCRSCAN.EXE, SCRSVR.EXE,
SCVHOST.EXE, SD.EXE, SERV95.EXE, SERVICE.EXE, SERVLCE.EXE, SERVLCES.EXE,
SETUP_FLOWPROTECTOR_US.EXE, SETUPVAMEEVAL.EXE, SFC.EXE, SGSSFW32.EXE,
SH.EXE, SHELLSPYINSTALL.EXE, SHN.EXE, SHOWBEHIND.EXE, SMC.EXE, SMS.EXE,
SMSS32.EXE, SOAP.EXE, SOFI.EXE, SPERM.EXE, SPF.EXE, SPHINX.EXE,
SPOLER.EXE, SPOOLCV.EXE, SPOOLSV32.EXE, SPYXX.EXE, SREXE.EXE, SRNG.EXE,
SS3EDIT.EXE, ssate.exe, SSG_4104.EXE, SSGRATE.EXE, ST2.EXE, START.EXE,
STCLOADER.EXE, SUPFTRL.EXE, SUPPORT.EXE, SUPPORTER5.EXE, SVC.EXE,
SVCHOSTC.EXE, SVCHOSTS.EXE, SVSHOST.EXE, SWEEP95.EXE,
SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE, SYMPROXYSVC.EXE, SYMTRAY.EXE,
SYSEDIT.EXE, sysinfo.exe, SysMonXP.exe, SYSTEM.EXE, SYSTEM32.EXE,
SYSUPD.EXE, TASKMG.EXE, TASKMO.EXE, TASKMON.EXE, TAUMON.EXE, TBSCAN.EXE,
TC.EXE, TCA.EXE, TCM.EXE, TDS-3.EXE, TDS2-98.EXE, TDS2-NT.EXE,
TEEKIDS.EXE, TFAK.EXE, TFAK5.EXE, TGBOB.EXE, TITANIN.EXE, TITANINXP.EXE,
TRACERT.EXE, TRICKLER.EXE, TRJSCAN.EXE, TRJSETUP.EXE, TROJANTRAP3.EXE,
TSADBOT.EXE, TVMD.EXE, TVTMD.EXE, UNDOBOOT.EXE, UPDAT.EXE, UPDATE.EXE,
UPGRAD.EXE, UTPOST.EXE, VBCMSERV.EXE, VBCONS.EXE, VBUST.EXE,
VBWIN9X.EXE, VBWINNTW.EXE, VCSETUP.EXE, VET32.EXE, VET95.EXE,
VETTRAY.EXE, VFSETUP.EXE, VIR-HELP.EXE, VIRUSMDPERSONALFIREWALL.EXE,
VNLAN300.EXE, VNPC3000.EXE, VPC32.EXE, VPC42.EXE, VPFW30S.EXE,
VPTRAY.EXE, VSCAN40.EXE, VSCENU6.02D30.EXE, VSCHED.EXE, VSECOMR.EXE,
VSHWIN32.EXE, VSISETUP.EXE, VSMAIN.EXE, VSMON.EXE, VSSTAT.EXE,
VSWIN9XE.EXE, VSWINNTSE.EXE, VSWINPERSE.EXE, W32DSM89.EXE, W9X.EXE,
WATCHDOG.EXE, WEBDAV.EXE, WEBSCANX.EXE, WEBTRAP.EXE, WFINDV32.EXE,
WGFE95.EXE, WHOSWATCHINGME.EXE, WIMMUN32.EXE, WIN-BUGSFIX.EXE,
WIN32.EXE, WIN32US.EXE, WINACTIVE.EXE, WINDOW.EXE, WINDOWS.EXE,
WININETD.EXE, WININIT.EXE, WININITX.EXE, WINLOGIN.EXE, WINMAIN.EXE,
WINNET.EXE, WINPPR32.EXE, WINRECON.EXE, WINSERVN.EXE, WINSSK32.EXE,
WINSTART.EXE, WINSTART001.EXE, winsys.exe, WINTSK32.EXE, winupd.exe,
WINUPDATE.EXE, WKUFIND.EXE, WNAD.EXE, WNT.EXE, WRADMIN.EXE, WRCTRL.EXE,
WSBGATE.EXE, WUPDATER.EXE, WUPDT.EXE, WYVERNWORKSFIREWALL.EXE,
XPF202EN.EXE, ZAPRO.EXE, ZAPSETUP3001.EXE, ZATUTOR.EXE, ZONALM2601.EXE,
ZONEALARM.EXE
Name Troj/Bdoor-ZAT
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Bdoor-ZAT is a backdoor Trojan for the Windows platform.
The Trojan opens a backdoor on port 63714 and listens for connections
from remote intruders. The Trojan then can offer a remote shell to the
intruder.
Advanced
Troj/Bdoor-ZAT is a backdoor Trojan for the Windows platform.
The Trojan opens a backdoor on port 63714 and listens for connections
from remote intruders. The Trojan then can offer a remote shell to the
intruder. The Trojan remains active by hooking into the explorer
process.
Troj/Bdoor-ZAT installs itself in the Windows system folder as
explorer.exe and userinit.dll.
Name Troj/Agent-CZ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Proxy.Win32.Small.bh
Prevalence (1-5) 2
Description
Troj/Agent-CZ is a Trojan for the Windows platform.
The Trojan attempts to redirect network traffic and download files from
the internet while running in the background as a process.
Advanced
Troj/Agent-CZ is a Trojan for the Windows platform.
The Trojan attempts to redirect network traffic and download files from
the internet while running in the background as a process.
Troj/Agent-CZ copies itself to the Windows folder as csrss.exe.
The Trojan creates the following registry entry to run itself
automatically on user logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System
%WINDOWS%\csrss.exe
Troj/Agent-CZ also creates the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\Port
@
7423
Name W32/Codbot-Gen
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Sophos Anti-Virus products detect members of the W32/Codbot family of
worms as W32/Codbot-Gen.
Worms detected as W32/Codbot-Gen provide backdoor Trojan functionality
to a remote attacker via IRC channels. Such worms may spread to remote
network shares with weak passwords in response to a command from a
remote attacker.
Members of W32/Codbot family typically attempt to exploit
vulnerabilities, such as the LSASS vulnerability (MS04-011).
Advanced
Sophos Anti-Virus products detect members of the W32/Codbot family of
worms as W32/Codbot-Gen.
Worms detected as W32/Codbot-Gen provide backdoor Trojan functionality
to a remote attacker via IRC channels. Such worms may spread to remote
network shares with weak passwords in response to a command from a
remote attacker.
Members of W32/Codbot family may copy themselves to the Windows system
folder and create entries in the following registry entries to run
themselves when the user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
This backdoor functionality typically includes the ability to sniff
packets, download further malicious code and steal passwords and other
system information.
W32/Codbot worms may register themselves as service processes.
Members of W32/Codbot family typically attempt to exploit
vulnerabilities, such as the LSASS vulnerability (MS04-011).
Name W32/Mytob-W
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Uses its own emailing engine
* Reduces system security
Aliases
* Net-Worm.Win32.Mytob.q
* WORM_MYTOB.W
Prevalence (1-5) 2
Description
W32/Mytob-W is a mass-mailing network worm with backdoor functionality
that targets users of Internet Relay Chat programs.
Emails sent by W32/Mytob-W have the following characteristics:
The subject line is one of the following:
Error
Good day
Hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
The message text is one of the following lines:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents
The worm is included as an attachment to the message, either as an
executable file (with CMD, BAT, DOC, HTM, PIF, SCR, TMP, TXT, EXE or COM
extension) or as a ZIP file containing the executable. The filename
(excluding file extension) is chosen from the following list:
BODY
DATA
DOC
DOCUMENT
FILE
MESSAGE
README
TEST
TEXT
Advanced
W32/Mytob-W is a mass-mailing network worm with backdoor functionality
that targets users of Internet Relay Chat programs.
W32/Mytob-W spreads attached to email messages or by exploiting known
vulnerabilities. For details about these vulnerabilities see MS04-011
(LSASS) and MS04-012 (RPC/DCOM).
W32/Mytob-W attempts to harvest email addresses from the infected
system. Emails sent by W32/Mytob-W have the following characteristics:
The subject line is one of the following:
Error
Good day
Hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
The message text is one of the following lines:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents
The worm is included as an attachment to the message, either as an
executable file (with CMD, BAT, DOC, HTM, PIF, SCR, TMP, TXT, EXE or COM
extension) or as a ZIP file containing the executable. The filename
(excluding file extension) is chosen from the following list:
BODY
DATA
DOC
DOCUMENT
FILE
MESSAGE
README
TEST
TEXT
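The three Mytob descriptions in this post (W32/Mytob-R, W32/Mytob-Q and W32/Mytob-W) give the same set of mail indicators: a short list of subject lines, a few canned bounce-message body lines, attachment base names, and executable extensions that may hide behind a DOC/TXT/HTM decoy extension. The following mail filter is an added example written for this post, not Sophos code. It parses a message with Python's email package and reports which of those indicators match. SUBJECTS, BODY_LINES, BASENAMES and the extension sets are lifted from the descriptions above; the sample message is constructed. Attachments are judged by filename only, ZIP files are not opened, and the From: header is deliberately ignored because the worm forges it.

```python
"""Flag mail that matches the Mytob-R/-Q/-W lures described above.

Added example for this post, not Sophos code. The indicator lists are
taken from the three Sophos descriptions; SAMPLE is a constructed message.
"""
import email
import re
from email import policy

SUBJECTS = {s.lower() for s in (
    "Error", "Status", "Server Report", "Mail Transaction Failed",
    "Mail Delivery System", "hello", "thanks!", "read it immediately",
    "Good day",
)}
BODY_LINES = (
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment",
    "the original message was included as an attachment.",
    "here are your banks documents",
    "i have received your document. the corrected document is attached.",
)
BASENAMES = {"body", "data", "doc", "document", "file", "message",
             "readme", "test", "text"}
EXEC_EXT = {"cmd", "bat", "pif", "scr", "exe", "com", "zip"}
DECOY_EXT = {"doc", "txt", "htm", "tmp"}   # first half of a double extension

# base name, optional decoy extension, final extension
NAME_RE = re.compile(r"^([^.]+)(?:\.([a-z0-9]+))?\.([a-z0-9]+)$", re.I)

# Constructed sample resembling a Mytob bounce lure.
SAMPLE = b"""\
From: "Mail Delivery Subsystem" <postmaster@example.test>
To: victim@example.test
Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.

--b1
Content-Type: application/octet-stream; name="readme.txt.pif"
Content-Disposition: attachment; filename="readme.txt.pif"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""


def classify_filename(name):
    """Return why the attachment name looks like Mytob's, or None."""
    m = NAME_RE.match(name.strip())
    if not m:
        return None
    base = m.group(1).lower()
    decoy = (m.group(2) or "").lower()
    ext = m.group(3).lower()
    if decoy in DECOY_EXT and ext in EXEC_EXT:
        return f"double extension .{decoy}.{ext}"
    if base in BASENAMES and ext in EXEC_EXT | DECOY_EXT:
        return f"Mytob base name '{base}' with .{ext}"
    return None


def scan_message(raw):
    """Return the list of Mytob indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip()
    if subject.lower() in SUBJECTS:
        reasons.append(f"subject '{subject}' is a Mytob subject line")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(line in text for line in BODY_LINES):
        reasons.append("body carries canned Mytob bounce text")
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename:
            why = classify_filename(filename)
            if why:
                reasons.append(f"attachment '{filename}': {why}")
    return reasons


if __name__ == "__main__":
    for reason in scan_message(SAMPLE):
        print(reason)
```

The base-name rule on its own is noisy (a genuine readme.doc trips it), so in a real filter weight the findings: a double extension or a ZIP with one of these base names is a quarantine on its own, while subject or body matches are supporting evidence that the message is a forged bounce rather than one from your own MTA.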
Once executed W32/Mytob-W copies itself to the Windows system folder as
NETHELL.EXE and TASKGMR.EXE and, so that it runs automatically when
Windows starts up, sets the registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
taskgmr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
Also W32/Mytob-W modifies the following registry entries:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
HKCU\Software\Microsoft\OLE
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Ole
WINTASK
taskgmr.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
W32/Mytob-W also creates a hellmsn.exe file in the root folder (detected
as W32/Mytob-D) and copies itself to the root folder under the following
filenames:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
W32/Mytob-W modifies the system HOSTS file in order to prevent access to
the following web addresses:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
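All three Mytob variants in this post (W32/Mytob-R, W32/Mytob-Q and W32/Mytob-W) append the same block of 127.0.0.1 entries to the HOSTS file so that the vendor update and signature sites above can no longer be reached. The script below is an added example written for this post, not Sophos code. It parses a HOSTS file the way the resolver does (comments and blank lines dropped, one address followed by one or more names) and reports every vendor host mapped to a loopback or unspecified address. VENDOR_DOMAINS is the set of second-level domains in the lists above; SAMPLE_HOSTS is constructed for the demonstration.

```python
"""Flag HOSTS entries that sinkhole security-vendor sites.

Added example for this post, not Sophos code. VENDOR_DOMAINS is the set of
second-level domains the Mytob HOSTS additions above resolve to 127.0.0.1;
SAMPLE_HOSTS is constructed for the demonstration.
"""
import ipaddress

VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "microsoft.com",
}

# Constructed sample: stock header, a benign LAN entry, two Mytob-style
# lines, a 0.0.0.0 variant other malware uses, and a commented-out line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # constructed, benign
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0 download.mcafee.com
#127.0.0.1 www.sophos.com
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip(".")


def registrable_domain(hostname):
    """Last two labels of the name; enough for the vendor list above
    (it would misfire on two-label public suffixes such as co.uk)."""
    return ".".join(hostname.split(".")[-2:])


def find_sinkholed(text):
    """Return [(address, hostname)] for vendor hosts that the file maps to a
    loopback or unspecified address, i.e. hosts that can never be reached."""
    hits = []
    for addr_text, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            continue  # not an address; malformed lines are a different problem
        if (addr.is_loopback or addr.is_unspecified) and \
                registrable_domain(name) in VENDOR_DOMAINS:
            hits.append((addr_text, name))
    return hits


if __name__ == "__main__":
    # On a real Windows host read %SystemRoot%\System32\drivers\etc\hosts
    # instead of SAMPLE_HOSTS.
    for addr_text, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"sinkholed: {name} -> {addr_text}")
```

Cleaning the file is not enough on its own: the worm rewrites it each time it starts, so remove the Run/RunServices entries and the taskgmr.exe/nethell.exe copies first, then restore HOSTS.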
Name W32/Reper-A
Type
* Worm
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Virus.Win32.Repka.a
* W32/Sautor.worm.gen
* W32.Reper.A
* WORM_REPER.A
Prevalence (1-5) 2
Description
W32/Reper-A is a Windows worm.
Advanced
W32/Reper-A is a Windows worm.
When run, the worm attempts to copy itself to every logical drive as
reper.exe and to create or overwrite the file autorun.inf, which references
the executable so that it is run automatically.
W32/Reper-A will also copy itself to the Windows folder as viewer.exe
and to the %WINDOWS%\System32 folder as N0TEPAD.exe (the digit zero is
used in place of the letter 'O').
The following registry entry is created by the worm:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
runreper
%WINDOWS%\viewer.exe
W32/Reper-A also modifies the associated text viewer key from:
HKCR\txtfile\shell\open\command
%SystemRoot%\system32\NOTEPAD.EXE %1
to (again substituting the letter 'O' in NOTEPAD with the digit zero):
HKCR\txtfile\shell\open\command
%WINDOWS%\System32\N0TEPAD.EXE %1
The worm will also attempt to terminate regedit.exe, cmd.exe and
taskmgr.exe.
Name W32/Rbot-AAC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Drops more malware
Prevalence (1-5) 2
Description
W32/Rbot-AAC is a network worm which attempts to spread via network
shares. The worm contains backdoor functions that allow unauthorised
remote access to the infected computer via IRC channels while running in
the background.
The worm spreads to network shares with weak passwords and also by using
the RPC-DCOM security exploit (MS03-039).
W32/Rbot-AAC drops the file C:\hellmsn.exe and runs it. This file is
currently being detected by Sophos as W32/Mytob-H.
Advanced
W32/Rbot-AAC is a network worm which attempts to spread via network
shares. The worm contains backdoor functions that allow unauthorised
remote access to the infected computer via IRC channels while running in
the background.
The worm spreads to network shares with weak passwords and also by using
the RPC-DCOM security exploit (MS03-039).
When run, W32/Rbot-AAC moves itself to the Windows System folder as a
hidden, read-only, system file named msnmsgs.exe. The worm then copies
itself to the following filenames:
C:\eminem vs 2pac.scr
C:\funny pic.scr
C:\photo album.scr
These three files have their read-only, hidden, system and archive file
attributes set.
W32/Rbot-AAC then creates the following registry entries so as to run
itself on computer logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe
The worm also creates the following registry entries:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe
HKCU\Software\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe
HKLM\SOFTWARE\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe
The worm changes the following registry entries:
from:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
Y
to:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
from:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
dword:00000000
to:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
dword:00000001
Once installed, W32/Rbot-AAC will attempt to perform the following
actions when instructed to do so by a remote attacker:
scan ports
create an HTTPD server
create a SOCKS4 server
participate in distributed denial of service (DDoS) attacks
download and run files from the Internet
log keystrokes to the file %SYSTEM%\keys.txt
capture clipboard information
terminate anti-virus, security and Windows applications and processes
The worm also prevents access to anti-virus and security related
websites by appending the following mappings to the HOSTS file in the
%SYSTEM%\drivers\etc folder:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
W32/Rbot-AAC drops the file C:\hellmsn.exe and runs it. This file is
currently being detected by Sophos as W32/Mytob-H.
Name Troj/Nuclear-F
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Nuclear.b
Prevalence (1-5) 2
Description
Troj/Nuclear-F is a configurable backdoor Trojan for the Windows
platform which allows full remote access capabilities via a remote
client. The Client application allows the creation of server applets
which act as the backdoor when installed on the infected computer.
Advanced
Troj/Nuclear-F is a configurable backdoor Trojan for the Windows
platform which allows full remote access capabilities via a remote
client. The Client application allows the creation of server applets
which act as the backdoor when installed on the infected computer.
The generated Trojan component can be customised upon creation.
Troj/Nuclear-F may copy itself to a new folder under the Windows folder
as well as create a helper dll of the same name.
The following registry entry may also be created:
HKLM\Softwae\Classes\dllfile\shell\open\command\
Troj/Nuclear-F may create a number of files including an IP logger
script and initial script as follows:
logger.php
settings.in
The Trojan is capable of logging keystrokes, monitoring attached media
devices such as webcams and microphones and interacting with the
desktop.
Name WM97/Xaler-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Aliases
* Virus.MSWord.Xaler.a
* W97M.Lexar.A
Prevalence (1-5) 2
Description
WM97/Xaler-A is a macro virus for Microsoft Word.
On predefined days WM97/Xaler-A will display a message telling the user
to relax while all of the files on the computer are deleted, although no
files are actually deleted.
Name W32/Wurmark-F
Type
* Worm
How it spreads
* Email messages
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Uses its own emailing engine
Aliases
* Email-Worm.Win32.Wurmark.g
* W32/Mugly.h{at}MM
* WORM_MUGLY.H
Prevalence (1-5) 2
Description
W32/Wurmark-F is a mass mailing worm which sends itself as a zip
attachment to email addresses found on the infected computer.
When run, the worm displays the image uglym.jpg as it installs itself on
the computer.
The image displayed by the Wurmark-F worm.
W32/Wurmark-F drops several files to the Windows system folder.
W32/Wurmark-F will drop attached.zip, which is a zip file containing
W32/Wurmark-F, and xxz.tmp, which is a copy of the worm. W32/Wurmark-F
will also drop the following clean files:
ANSMTP.DLL
bszip.dll
uglym.jpg
W32/Wurmark-F will drop a file belonging to the W32/Rbot family of worms
with the filename svchosts.exe.
W32/Wurmark-F harvests email addresses from files with the extensions:
WAB
ADB
TBB
DBX
ASP
PHP
HTM
HTML
SHT
TXT
DOC
The worm will skip email addresses containing the following strings:
.gov
ada
avg
gri
icro
lavat
mcae
nod
panda
rsky
soph
sophos
symac
The zip file containing W32/Wurmark-F, called attached.zip, is attached to
emails sent by the worm. These emails appear to originate from addresses
including those listed below and take the following forms, among others:
adead_poet{at}hotmail.com
alex_edwards2000{at}msn.com
romeorichard{at}google.com
apiffany{at}cnet.com
Subject: Hhahahah lol!!!!
Body:
i found this on my computer from ages ago
download it and see if you can remember it
lol i was lauging like mad when i saw it! :D
email me back haha...
Subject: Your Pic On A Website!!
Body:
I was looking at a website and came across
this pic they look just like you! infact im sure
it is lol , did you send this pic into them ? or
is it someonce else :S ? Ive Added the pic in
a zip so download it and check & email me back!
The file within the attachment can have one of the following
names:
Pic_001.jpg.scr
Sexy_09.jpg.scr
Scan_04.jpg.scr
Advanced
W32/Wurmark-F is a mass mailing worm which sends itself as a zip
attachment to email addresses found on the infected computer.
When run, the worm displays the image uglym.jpg as it installs itself on
the computer.
The image displayed by the Wurmark-F worm.
W32/Wurmark-F drops several files to the Windows system folder.
W32/Wurmark-F will drop attached.zip, which is a zip file containing
W32/Wurmark-F, and xxz.tmp, which is a copy of the worm. W32/Wurmark-F
will also drop the following clean files:
ANSMTP.DLL
bszip.dll
uglym.jpg
W32/Wurmark-F will drop a file belonging to the W32/Rbot family of worms
with the filename svchosts.exe.
W32/Wurmark-F harvests email addresses from files with the extensions:
WAB
ADB
TBB
DBX
ASP
PHP
HTM
HTML
SHT
TXT
DOC
The worm will skip email addresses containing the following strings:
.gov
ada
avg
gri
icro
lavat
mcae
nod
panda
rsky
soph
sophos
symac
The zip file containing W32/Wurmark-F, called attached.zip, is attached to
emails sent by the worm. These emails appear to originate from the
addresses listed below and take the following forms:
adead_poet{at}hotmail.com
alex_edwards2000{at}msn.com
romeorichard{at}google.com
apiffany{at}cnet.com
sexy_lil_thing{at}no-ip.com
cutie_pie{at}ogrish.com
easy_lay666{at}lovenet.com
hunk_hogan78{at}hallmark.com
britany_slut56{at}sex.com
tit_fuck_909{at}gmail.com
good_fuck12{at}yahoo.com
blowjob_lips666{at}romance.com
tit_fuck_909{at}paltalk.com
sexy_guy88{at}aol.com
mucle_bound_hunk892{at}download.com
Subject: Hhahahah lol!!!!
Body:
i found this on my computer from ages ago
download it and see if you can remember it
lol i was lauging like mad when i saw it! :D
email me back haha...
Subject: Your Pic On A Website!!
Body:
I was looking at a website and came across
this pic they look just like you! infact im sure
it is lol , did you send this pic into them ? or
is it someonce else :S ? Ive Added the pic in
a zip so download it and check & email me back!
Subject: Rate My Pic.......
Body:
Hi ive sent 5 emails now and nobody will rate
my pic!! :( please download and tell me what you
think out of 10 , dont worry if you dont like it
just say i wont be offended p.s i was drunk when
it was taken :P
Subject: You have an Admirer
Body:
Someone has asked us on there behalf to send
you this email and tell you they think you are
wonderfull!!! All the The mystery persons details
you need are enclosed in the attachment :)
please download and respond telling us if you
would like to make further contact with this
person.
Regards Hallmark Admirer Mail Admin.
The file within the attachment can have one of the following
names:
Pic_001.jpg.scr
Sexy_09.jpg.scr
Scan_04.jpg.scr
Photo_01.jpg.scr
admire_001.jpg.scr
is_this_you.jpg.scr
love_04.jpg.scr
for_you.pif
Name W32/Agobot-RJ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Prevalence (1-5) 2
Description
W32/Agobot-RJ is a network worm with backdoor functionality for the
Windows platform.
W32/Agobot-RJ is capable of spreading to computers on the local network
protected by weak passwords.
The backdoor component runs continuously in the background providing
backdoor access to the computer through IRC channels.
Advanced
W32/Agobot-RJ is a network worm with backdoor functionality for the
Windows platform.
W32/Agobot-RJ is capable of spreading to computers on the local network
protected by weak passwords.
When first run, W32/Agobot-RJ copies itself to the Windows system folder
as updateXPSPC.exe and creates the following registry entries to run
itself each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
USB 2.0 Driver
updateXPSPC.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
USB 2.0 Driver
updateXPSPC.exe
The backdoor component runs continuously in the background providing
backdoor access to the computer through IRC channels. The backdoor
component can be instructed to perform the following functions:
harvest email addresses
steal product registration information for certain software
take part in Distributed Denial of Service (DDoS) attacks
scan networks for vulnerabilities
download/execute arbitrary files
start a proxy server (SOCKS4/SOCKS5)
start/stop system services
monitor network communications (packet sniffing)
add/remove network shares
send email
log keypresses
W32/Agobot-RJ attempts to terminate and disable various anti-virus and
security related programs and modifies the HOSTS file located at
\Drivers\etc\HOSTS, mapping selected anti-virus
websites to the loopback address 127.0.0.1 in an attempt to prevent
access to these sites. Typically the following mappings will be appended
to the HOSTS file:
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
W32/Agobot-RJ attempts to terminate the following processes:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ADAWARE.EXE
ADVXDWIN.EXE
AGENTSVR.EXE
AGENTW.EXE
ALERTSVC.EXE
ALEVIR.EXE
ALOGSERV.EXE
AMON9X.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APLICA32.EXE
APVXDWIN.EXE
ARR.EXE
ATCON.EXE
ATGUARD.EXE
ATRO55EN.EXE
ATUPDATER.EXE
ATWATCH.EXE
AU.EXE
AUPDATE.EXE
AUTO-PROTECT.NAV80TRY.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCC32.EXE
AVGCTRL.EXE
AVGNT.EXE
AVGSERV.EXE
AVGSERV9.EXE
AVGUARD.EXE
AVGW.EXE
AVKPOP.EXE
AVKSERV.EXE
AVKSERVICE.EXE
AVKWCTl9.EXE
AVLTMAIN.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVSYNMGR.EXE
AVWIN95.EXE
AVWINNT.EXE
AVWUPD.EXE
AVWUPD32.EXE
AVWUPSRV.EXE
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE
BACKWEB.EXE
BARGAINS.EXE
BD_PROFESSIONAL.EXE
BEAGLE.EXE
BELT.EXE
BIDEF.EXE
BIDSERVER.EXE
BIPCP.EXE
BIPCPEVALSETUP.EXE
BISP.EXE
BLACKD.EXE
BLACKICE.EXE
BLSS.EXE
BOOTCONF.EXE
BOOTWARN.EXE
BORG2.EXE
BPC.EXE
BRASIL.EXE
BS120.EXE
BUNDLE.EXE
BVT.EXE
CCAPP.EXE
CCEVTMGR.EXE
CCPXYSVC.EXE
CDP.EXE
CFD.EXE
CFGWIZ.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
Claw95.EXE
CLAW95CF.EXE
CLEAN.EXE
CLEANER.EXE
CLEANER3.EXE
CLEANPC.EXE
CLICK.EXE
CMD32.EXE
CMESYS.EXE
CMGRDIAN.EXE
CMON016.EXE
CONNECTIONMONITOR.EXE
CPD.EXE
CPF9X206.EXE
CPFNT206.EXE
CTRL.EXE
CV.EXE
CWNB181.EXE
CWNTDWMO.EXE
DATEMANAGER.EXE
DCOMX.EXE
DEFALERT.EXE
DEFSCANGUI.EXE
DEFWATCH.EXE
DEPUTY.EXE
DIVX.EXE
DLLCACHE.EXE
DLLREG.EXE
DOORS.EXE
DPF.EXE
DPFSETUP.EXE
DPPS2.EXE
DRWATSON.EXE
DRWEB32.EXE
DRWEBUPW.EXE
DSSAGENT.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
EFPEADM.EXE
EMSW.EXE
ENT.EXE
ESAFE.EXE
ESCANH95.EXE
ESCANHNT.EXE
ESCANV95.EXE
ESPWATCH.EXE
ETHEREAL.EXE
ETRUSTCIPE.EXE
EVPN.EXE
EXANTIVIRUS-CNET.EXE
EXE.AVXW.EXE
EXPERT.EXE
EXPLORE.EXE
F-AGNT95.EXE
F-AGOBOT.EXE
F-PROT.EXE
F-PROT95.EXE
F-STOPW.EXE
FAMEH32.EXE
FAST.EXE
FCH32.EXE
FIH32.EXE
FINDVIRU.EXE
FIREWALL.EXE
FLOWPROTECTOR.EXE
FNRB32.EXE
FP-WIN.EXE
FP-WIN_TRIAL.EXE
FPROT.EXE
FRW.EXE
FSAA.EXE
FSAV.EXE
FSAV32.EXE
FSAV530STBYB.EXE
FSAV530WTBYB.EXE
FSAV95.EXE
FSGK32.EXE
FSM32.EXE
FSMA32.EXE
FSMB32.EXE
GATOR.EXE
GBMENU.EXE
GBPOLL.EXE
GENERICS.EXE
GMT.EXE
GUARD.EXE
GUARDDOG.EXE
HACKTRACERSETUP.EXE
HBINST.EXE
HBSRV.EXE
HIJACKTHIS.EXE
HOTACTIO.EXE
HOTPATCH.EXE
HTLOG.EXE
HTPATCH.EXE
HWPE.EXE
HXDL.EXE
HXIUL.EXE
IAMAPP.EXE
IAMSERV.EXE
IAMSTATS.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IDLE.EXE
IEDLL.EXE
IEDRIVER.EXE
IEXPLORER.EXE
IFACE.EXE
IFW2000.EXE
INETLNFO.EXE
INFUS.EXE
INFWIN.EXE
INIT.EXE
INTDEL.EXE
INTREN.EXE
IOMON98.EXE
IPARMOR.EXE
IRIS.EXE
ISASS.EXE
ISRV95.EXE
ISTSVC.EXE
JAMMER.EXE
JDBGMRG.EXE
JEDI.EXE
KAVLITE40ENG.EXE
KAVPERS40ENG.EXE
KAVPF.EXE
KAZZA.EXE
KEENVALUE.EXE
KERIO-PF-213-EN-WIN.EXE
KERIO-WRL-421-EN-WIN.EXE
KERIO-WRP-421-EN-WIN.EXE
KERNEL32.EXE
KILLPROCESSSETUP161.EXE
LAUNCHER.EXE
LDNETMON.EXE
LDPRO.EXE
LDPROMENU.EXE
LDSCAN.EXE
LNETINFO.EXE
LOADER.EXE
LOCALNET.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LORDPE.EXE
LSETUP.EXE
LUALL.EXE
LUAU.EXE
LUCOMSERVER.EXE
LUINIT.EXE
LUSPT.EXE
MAPISVC32.EXE
MCAGENT.EXE
MCMNHDLR.EXE
MCSHIELD.EXE
MCTOOL.EXE
MCUPDATE.EXE
MCVSRTE.EXE
MCVSSHLD.EXE
MD.EXE
MFIN32.EXE
MFW2EN.EXE
MFWENG3.02D30.EXE
MGAVRTCL.EXE
MGAVRTE.EXE
MGHTML.EXE
MGUI.EXE
MINILOG.EXE
MMOD.EXE
MONITOR.EXE
MOOLIVE.EXE
MOSTAT.EXE
MPFAGENT.EXE
MPFSERVICE.EXE
MPFTRAY.EXE
MRFLUX.EXE
MSAPP.EXE
MSBB.EXE
MSBLAST.EXE
MSCACHE.EXE
MSCCN32.EXE
MSCMAN.EXE
MSCONFIG.EXE
MSDM.EXE
MSDOS.EXE
MSIEXEC16.EXE
MSINFO32.EXE
MSLAUGH.EXE
MSMGT.EXE
MSMSGRI32.EXE
MSSMMC32.EXE
MSSYS.EXE
MSVXD.EXE
MU0311AD.EXE
MWATCH.EXE
N32SCANW.EXE
NAV.EXE
NAVAP.NAVAPSVC.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVDX.EXE
NAVENGNAVEX15.NAVLU32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVSTUB.EXE
NAVW32.EXE
NAVWNT.EXE
NC2000.EXE
NCINST4.EXE
NDD32.EXE
NEOMONITOR.EXE
NEOWATCHLOG.EXE
NETARMOR.EXE
NETD32.EXE
NETINFO.EXE
NETMON.EXE
NETSCANPRO.EXE
NETSPYHUNTER-1.2.EXE
NETSTAT.EXE
NETUTILS.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
NOD32.EXE
NORMIST.EXE
NORTON_INTERNET_SECU_3.0_407.EXE
NOTSTART.EXE
NPF40_TW_98_NT_ME_2K.EXE
NPFMESSENGER.EXE
NPROTECT.EXE
NPSCHECK.EXE
NPSSVC.EXE
NSCHED32.EXE
NSSYS32.EXE
NSTASK32.EXE
NSUPDATE.EXE
NT.EXE
NTRTSCAN.EXE
NTVDM.EXE
NTXconfig.EXE
NUI.EXE
NUPGRADE.EXE
NVARCH16.EXE
NVC95.EXE
NVSVC32.EXE
NWINST4.EXE
NWSERVICE.EXE
NWTOOL16.EXE
OLLYDBG.EXE
ONSRVR.EXE
OPTIMIZE.EXE
OSTRONET.EXE
OTFIX.EXE
OUTPOST.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
PADMIN.EXE
PANIXK.EXE
PATCH.EXE
PAVCL.EXE
PAVPROXY.EXE
PAVSCHED.EXE
PAVW.EXE
PCC2002S902.EXE
PCC2K_76_1436.EXE
PCCIOMON.EXE
PCCNTMON.EXE
PCCWIN97.EXE
PCCWIN98.EXE
PCDSETUP.EXE
PCFWALLICON.EXE
PCIP10117_0.EXE
PCSCAN.EXE
PDSETUP.EXE
PENIS.EXE
PERISCOPE.EXE
PERSFW.EXE
PERSWF.EXE
PF2.EXE
PFWADMIN.EXE
PGMONITR.EXE
PINGSCAN.EXE
PLATIN.EXE
POP3TRAP.EXE
POPROXY.EXE
POPSCAN.EXE
PORTDETECTIVE.EXE
PORTMONITOR.EXE
POWERSCAN.EXE
PPINUPDT.EXE
PPTBC.EXE
PPVSTOP.EXE
PRIZESURFER.EXE
PRMT.EXE
PRMVR.EXE
PROCDUMP.EXE
PROCESSMONITOR.EXE
PROCEXPLORERV1.0.EXE
PROGRAMAUDITOR.EXE
PROPORT.EXE
PROTECTX.EXE
PSPF.EXE
PURGE.EXE
PUSSY.EXE
PVIEW95.EXE
QCONSOLE.EXE
QSERVER.EXE
RAPAPP.EXE
RAV7.EXE
RAV7WIN.EXE
RAV8WIN32ENG.EXE
RAY.EXE
RB32.EXE
RCSYNC.EXE
REALMON.EXE
REGED.EXE
REGEDIT.EXE
REGEDT32.EXE
RESCUE.EXE
RESCUE32.EXE
RRGUARD.EXE
RSHELL.EXE
RTVSCAN.EXE
RTVSCN95.EXE
RULAUNCH.EXE
RUN32DLL.EXE
RUNDLL.EXE
RUNDLL16.EXE
RUXDLL32.EXE
SAFEWEB.EXE
SAHAGENT.EXE
SAVE.EXE
SAVENOW.EXE
SBSERV.EXE
SC.EXE
SCAM32.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SCRSVR.EXE
SCVHOST.EXE
SD.EXE
SERV95.EXE
SERVICE.EXE
SERVLCE.EXE
SERVLCES.EXE
SETUP_FLOWPROTECTOR_US.EXE
SETUPVAMEEVAL.EXE
SFC.EXE
SGSSFW32.EXE
SH.EXE
SHELLSPYINSTALL.EXE
SHN.EXE
SHOWBEHIND.EXE
SMC.EXE
SMS.EXE
SMSS32.EXE
SOAP.EXE
SOFI.EXE
SPERM.EXE
SPF.EXE
SPHINX.EXE
SPOLER.EXE
SPOOLCV.EXE
SPOOLSV32.EXE
SPYXX.EXE
SREXE.EXE
SRNG.EXE
SS3EDIT.EXE
SSG_4104.EXE
SSGRATE.EXE
ST2.EXE
START.EXE
STCLOADER.EXE
SUPFTRL.EXE
SUPPORT.EXE
SUPPORTER5.EXE
SVC.EXE
SVCHOSTC.EXE
SVCHOSTS.EXE
SVSHOST.EXE
SWEEP95.EXE
SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
SYMPROXYSVC.EXE
SYMTRAY.EXE
SYSEDIT.EXE
SYSTEM.EXE
SYSTEM32.EXE
SYSUPD.EXE
TASKMG.EXE
TASKMO.EXE
TASKMON.EXE
TAUMON.EXE
TBSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TDS-3.EXE
TDS2-98.EXE
TDS2-NT.EXE
TEEKIDS.EXE
TFAK.EXE
TFAK5.EXE
TGBOB.EXE
TITANIN.EXE
TITANINXP.EXE
TRACERT.EXE
TRICKLER.EXE
TRJSCAN.EXE
TRJSETUP.EXE
TROJANTRAP3.EXE
TSADBOT.EXE
TVMD.EXE
TVTMD.EXE
UNDOBOOT.EXE
UPDAT.EXE
UPDATE.EXE
UPGRAD.EXE
UTPOST.EXE
VBCMSERV.EXE
VBCONS.EXE
VBUST.EXE
VBWIN9X.EXE
VBWINNTW.EXE
VCSETUP.EXE
VET32.EXE
VET95.EXE
VETTRAY.EXE
VFSETUP.EXE
VIR-HELP.EXE
VIRUSMDPERSONALFIREWALL.EXE
VNLAN300.EXE
VNPC3000.EXE
VPC32.EXE
VPC42.EXE
VPFW30S.EXE
VPTRAY.EXE
VSCAN40.EXE
VSCENU6.02D30.EXE
VSCHED.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSISETUP.EXE
VSMAIN.EXE
VSMON.EXE
VSSTAT.EXE
VSWIN9XE.EXE
VSWINNTSE.EXE
VSWINPERSE.EXE
W32DSM89.EXE
W9X.EXE
WATCHDOG.EXE
WEBDAV.EXE
WEBSCANX.EXE
WEBTRAP.EXE
WFINDV32.EXE
WGFE95.EXE
WHOSWATCHINGME.EXE
WIMMUN32.EXE
WIN-BUGSFIX.EXE
WIN32.EXE
WIN32US.EXE
WINACTIVE.EXE
WINDOW.EXE
WINDOWS.EXE
WININETD.EXE
WININIT.EXE
WININITX.EXE
WINLOGIN.EXE
WINMAIN.EXE
WINNET.EXE
WINPPR32.EXE
WINRECON.EXE
WINSERVN.EXE
WINSSK32.EXE
WINSTART.EXE
WINSTART001.EXE
WINTSK32.EXE
WINUPDATE.EXE
WKUFIND.EXE
WNAD.EXE
WNT.EXE
WRADMIN.EXE
WRCTRL.EXE
WSBGATE.EXE
WUPDATER.EXE
WUPDT.EXE
WYVERNWORKSFIREWALL.EXE
XPF202EN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
ZONALM2601.EXE
ZONEALARM.EXE
W32/Agobot-RJ will also hide all files which contain the string 'soun'.
Name W32/Rbot-AAF
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.nf
* WORM_RBOT.BBP
Prevalence (1-5) 2
Description
W32/Rbot-AAF is a network worm which attempts to spread via network
shares. The worm contains backdoor functions that allow unauthorised
remote access to the infected computer via IRC channels while running in
the background.
The worm spreads to network shares with weak passwords and also by using
the LSASS security exploit (MS04-011), RPC-DCOM security exploit
(MS03-039) and the WebDav security exploit (MS03-007).
Once installed, W32/Rbot-AAF will attempt to take part in distributed
denial of service (DDoS) attacks, download and run files from the
Internet, steal CD keys, log keystrokes, and log in to MS SQL servers and
send EXEC commands to open a command shell, when instructed to do so by a
remote attacker.
W32/Rbot-AAF may try to exploit backdoors and vulnerabilities used by the
MyDoom family of worms.
Advanced
W32/Rbot-AAF is a network worm which attempts to spread via network
shares. The worm contains backdoor functions that allow unauthorised
remote access to the infected computer via IRC channels while running in
the background.
The worm spreads to network shares with weak passwords and also by using
the LSASS security exploit (MS04-011), RPC-DCOM security exploit
(MS03-039) and the WebDav security exploit (MS03-007).
When run, W32/Rbot-AAF moves itself to the Windows System folder as a
hidden, read-only, system file named wuanguard32.exe.
The worm then creates the following registry entries:
HKCU\Software\Microsoft\OLE
wuanguard
wuanguard32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
wuanguard
wuanguard32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wuanguard
wuanguard32.exe
Once installed, W32/Rbot-AAF will attempt to take part in distributed
denial of service (DDoS) attacks, download and run files from the
internet, steal CD keys, log keystrokes, and log in to MS SQL servers and
send EXEC commands to open a command shell, when instructed to do so by a
remote attacker.
W32/Rbot-AAF may try to exploit backdoors and vulnerabilities used by the
MyDoom family of worms.
Name W32/Rbot-DP
Type
* Worm
Prevalence (1-5) 2
Description
W32/Rbot-DP is an IRC backdoor Trojan with spreading capability.
W32/Rbot-DP copies itself into the Windows system folder and sets the
following registry entries to run itself automatically when Windows
starts up:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft DirectX
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft DirectX
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft DirectX
W32/Rbot-DP logs onto a predefined IRC server and waits for backdoor
commands. When it receives the appropriate backdoor command, W32/Rbot-DP
will attempt to spread to other computers.
Name W32/Rbot-AAG
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Aliases
* W32/Sdbot.worm.gen.g
* W32.Spybot.Worm
* WORM_SDBOT.ANJ
Prevalence (1-5) 2
Description
W32/Rbot-AAG is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels.
Advanced
W32/Rbot-AAG is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels.
W32/Rbot-AAG spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Rbot-AAG copies itself to the Windows system folder with the
filename NTOKSRNL.EXE and creates entries at the following locations in
the registry with the value "NT Service" so as to run itself on system
startup, resetting these values multiple times every minute:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
W32/Rbot-AAG also sets the following registry entry with the same value
to point to itself:
HKCU\Software\Microsoft\OLE
W32/Rbot-AAG attempts to set the following registry entries every 2
minutes:
HKLM\Software\Microsoft\OLE
EnableDCOM
"N"
HKLM\System\CurrentControlSet\Control\Lsa
restrictanonymous
"1"
W32/Rbot-AAG attempts to delete network shares on the host computer
every 2 minutes.
W32/Rbot-AAG attempts to terminate a number of processes related to
security and anti-virus programs including REGEDIT.EXE, MSCONFIG.EXE and
NETSTAT.EXE.
W32/Rbot-AAG may attempt to log keystrokes to the file K.DAT in the
Windows system folder.
Name W32/Mytob-S
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Steals information
* Drops more malware
Prevalence (1-5) 2
Description
W32/Mytob-S is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
The worm drops the files msdirectx.sys (detected by Sophos's anti-virus
products as Troj/NtRootK-F), winsys.exe (detected by Sophos's anti-virus
products as Troj/Furoot-B) and coolbot.exe (detected by Sophos's
anti-virus products as W32/Mytob-H). Note that W32/Mytob-S uses the
filename "coolbot.exe" for both a copy of the original worm in the
Windows system folder and as the dropped file in the root folder, though
they are different files.
W32/Mytob-S is capable of spreading through email and through various
operating system vulnerabilities.
Advanced
W32/Mytob-S is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
When first run, W32/Mytob-S copies itself to the Windows system folder as
coolbot.exe and creates the following registry entries:
HKCU\System\CurrentControlSet\Control\Lsa
HELLBOT3
"coolbot.exe"
HKCU\Software\Microsoft\OLE
HELLBOT3
"coolbot.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HELLBOT3
"coolbot.exe"
HKLM\Software\Microsoft\Ole
HELLBOT3
"coolbot.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HELLBOT3
"coolbot.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HELLBOT3
"coolbot.exe"
HKLM\System\CurrentControlSet\Control\Lsa
HELLBOT3
"coolbot.exe"
W32/Mytob-S copies itself to the root folder as:
eminem vs 2pac.scr
funny pic.scr
photo album.scr
and drops the files msdirectx.sys (detected by Sophos's anti-virus
products as Troj/NtRootK-F), winsys.exe (detected by Sophos's anti-virus
products as Troj/Furoot-B) and coolbot.exe (detected by Sophos's
anti-virus products as W32/Mytob-H). Note that W32/Mytob-S uses the
filename "coolbot.exe" for both a copy of the original worm in the
Windows system folder and as the dropped file in the root folder, though
they are different files.
W32/Mytob-S also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
W32/Mytob-S is capable of spreading through email and through various
operating system vulnerabilities such as LSASS (MS04-011). Email sent by
W32/Mytob-S has the following properties:
Subject line:
Status
Server Report
Mail Transaction Failed
Mail Delivery System
thanks!
read it immediately
Message text:
This is a multi-part message in MIME format
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The original message was included as an attachment.
I have received your document. The corrected document is attached.
The attached file consists of a base name followed by the extensions
PIF, SCR, EXE or ZIP. The worm may optionally create double extensions
where the first extension is DOC, TXT or HTM and the final extension is
PIF, SCR, EXE or ZIP.
W32/Mytob-S harvests email addresses from files on the infected computer
and from the Windows address book. The worm avoids sending email to
addresses that contain the following:
.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your
Name W32/Sdranck-C
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* WORM_SDBOT.DTR
Prevalence (1-5) 2
Description
W32/Sdranck-C is a Windows worm that spreads via network shares, drops
files and contains backdoor functions that allow unauthorised remote
access to the infected computer via IRC channels.
The worm will also try to download and run files from the internet,
terminate processes and add or delete network shares when instructed to
do so by a remote attacker.
When run, the delivery component of the worm drops the files
imaxavos.exe (the worm core) and ikusefote.exe into the
C:\WINNT\SYSTEM32 folder and then proceeds to run both files.
ikusefote.exe is detected by Sophos as Troj/Ranck-CP.
imaxavos.exe is being detected by Sophos as W32/Sdranck-C.
Advanced
W32/Sdranck-C is a Windows worm that spreads via network shares, drops
files and contains backdoor functions that allow unauthorised remote
access to the infected computer via IRC channels.
When run, the delivery component of the worm drops the files
imaxavos.exe (the worm core) and ikusefote.exe into the
C:\WINNT\SYSTEM32 folder and then proceeds to run both files.
ikusefote.exe is detected by Sophos as Troj/Ranck-CP.
imaxavos.exe is being detected by Sophos as W32/Sdranck-C.
When imaxavos.exe is executed it copies itself to the Windows System
folder as ihotunib.exe.
W32/Sdranck-C then creates the following registry entries so that it is
able to run on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adiliwut
ihotunib.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Adiliwut
ihotunib.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adiliwut
ihotunib.exe
The worm will also try to download and run files from the internet,
terminate processes and add or delete network shares when instructed to
do so by a remote attacker.
W32/Sdranck-C attempts to copy itself to network shares using the main
dropper component filename rudim.exe.
Name Troj/Ablank-P
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Dropped by malware
Aliases
* Trojan.Win32.StartPage.uz
* Trojan.Startpage-227
Prevalence (1-5) 2
Description
Troj/Ablank-P is a Trojan for the Windows platform.
Troj/Ablank-P is a DLL file that may be dropped by members of the
Troj/Ablank family of Trojans. Troj/Ablank-P may display pop-up
advertisements.
Advanced
Troj/Ablank-P is a Trojan for the Windows platform.
Troj/Ablank-P is a DLL file that may be dropped by members of the
Troj/Ablank family of Trojans. Troj/Ablank-P may display popup
advertisements.
When first run, Troj/Ablank-P will set the following registry entry in
order to run automatically each time a user logs in:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
sp
"rundll32 ,DllInstall"
Name Troj/Shed-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan-Clicker.Win32.Small.fb
Prevalence (1-5) 2
Description
Troj/Shed-A is a Trojan for the Windows platform.
Troj/Shed-A reduces internet security settings.
Advanced
Troj/Shed-A is a Trojan for the Windows platform.
Troj/Shed-A creates the following registry entries in order to run
itself automatically at logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\bopotsvr.exe
HKCR\Classes\CLSID\\InProcServer32\
(default)
C:\\WINDOWS\\System32\\c_12atex.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Shedule Address
where is a randomly-generated sequence and is a
combination of any two words from the following list:
Internet
Security
Protocol
Meeting
Shedule
Explorer
Messenger
Browser
Component
Windows
Media
Player
Address
Themes
Update
Connection
Agent
WebControl
Network
Remote
Access
Terminal
Client
If run with sufficient rights Troj/Shed-A will install itself as an
application authorised by Windows Firewall to communicate with the
outside world.
Troj/Shed-A may attempt to download configuration files specifying
further actions to take, including downloading and executing files.
Troj/Shed-A drops another file to the Windows temporary folder and runs
it. This file (also detected as Troj/Shed-A) opens a hidden Internet
Explorer window at a preconfigured URL after modifying internet security
settings by changing the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1001
0
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1004
0
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1201
0
Name W32/Forbot-BZ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Aliases
* WOOTBOT
Prevalence (1-5) 2
Description
W32/Forbot-BZ is an IRC backdoor Trojan and network worm for the Windows
platform.
Advanced
W32/Forbot-BZ is an IRC backdoor Trojan and network worm for the Windows
platform.
In order to run automatically when Windows starts up the worm moves
itself to the Windows system folder as mplayer.exe and creates the
following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 Configuration = mplayer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 Configuration = mplayer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32 Configuration = mplayer.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 Configuration = mplayer.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 Configuration = mplayer.exe
W32/Forbot-BZ also creates its own service named "Windows Manage", with
the display name "Win32 Configuration".
Once installed, W32/Forbot-BZ connects to a preconfigured IRC server and
joins a channel from which an attacker can issue further commands. These
commands can cause the infected machine to perform any of the following
actions:
flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly-chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files
The worm can spread to unpatched machines affected by the LSASS
vulnerability (see MS04-011) and through backdoors left open by the
Troj/Optix family of Trojans.
Name W32/MyDoom-AJ
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/MyDoom-AJ is a mass-mailing worm with IRC backdoor functionality
which can also infect computers vulnerable to the LSASS (MS04-011)
exploit.
Advanced
W32/MyDoom-AJ is a mass-mailing worm with IRC backdoor functionality
which can also infect computers vulnerable to the LSASS (MS04-011)
exploit.
When first run the worm copies itself to the Windows system folder as
mathchk.exe and creates the following registry entries so as to
auto-start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RealPlayer Ath Check=
mathchk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
RealPlayer Ath Check=
mathchk.exe
HKLM\Software\Microsoft\OLE
RealPlayer Ath Check=
mathchk.exe
HKLM\System\CurrentControlSet\Control\Lsa\
RealPlayer Ath Check=
mathchk.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RealPlayer Ath Check=
mathchk.exe
HKCU\Software\Microsoft\OLE
RealPlayer Ath Check=
mathchk.exe
HKCU\System\CurrentControlSet\Control\Lsa
RealPlayer Ath Check=
mathchk.exe
The worm will attempt to harvest email addresses from files on the local
hard disk.
Emails sent by W32/MyDoom-AJ have the following characteristics:
Subject line chosen from one of the following, possibly in all upper
case or all in lower case:
Good day
Hello
Server Report
Status
Message text chosen from:
Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
The original message was included as an attachment.
Attached filename chosen from the following with an extension chosen
from (bat cmd exe scr pif zip):
body
data
doc
document
file
message
readme
text
Name Troj/Istsvc-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Istsvc-A is a Trojan downloader for the Windows platform.
Advanced
Troj/Istsvc-A is a Trojan downloader for the Windows platform.
When installed Troj/Istsvc-A periodically attempts to download and run
files from the Internet while running in the background as a service
process.
Troj/Istsvc-A then creates the following registry entry so as to run
itself on computer logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Troj/Istsvc-A also creates the following registry entry:
HKCU\Software\IST\
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
SOURCE: echomail via fidonet.ozzmosis.com
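The host indicators quoted throughout the bulletin above (security-vendor hostnames pinned to 127.0.0.1 in the HOSTS file, the autorun value names and binaries each family creates, and the attachment extension patterns described for W32/Mytob-S and W32/MyDoom-AJ) can be turned into a defender's check. The following Python script is an added example, not Sophos's code and not part of the original post: it parses a HOSTS file body for vendor domains pointed at a loopback or unspecified address, matches a flat list of exported autorun values against the value names and binary names the bulletin gives, and classifies attachment filenames by their final and decoy extensions. The domain list, value names and binary names are taken from the bulletin; every sample input is constructed, and on a live Windows machine you would supply the real HOSTS file and your own export of the Run, RunOnce and RunServices keys.

```python
"""Defender-side checks for the host indicators listed in the bulletin above.

Added example, not Sophos code.  Works on text you supply so it runs offline
on any platform; on Windows you would read the real HOSTS file under
%SystemRoot%\\System32\\drivers\\etc and export the Run/RunOnce/RunServices
keys yourself.  All sample inputs below are constructed.
"""
import ipaddress
import ntpath

# Registered domains the bulletin says W32/Mytob pins to 127.0.0.1 in the
# HOSTS file.  Matched by suffix so www./update./liveupdate. variants hit too.
VENDOR_DOMAINS = (
    "symantec.com", "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "mcafee.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "microsoft.com",
)

# Autorun value names and binary names quoted in the bulletin, keyed by family.
AUTORUN_IOCS = {
    "W32/Mytob":     ({"wintask"}, {"taskgmr.exe"}),
    "W32/Sdranck-C": ({"adiliwut"}, {"ihotunib.exe"}),
    "Troj/Shed-A":   (set(), {"bopotsvr.exe"}),
    "W32/Forbot-BZ": ({"win32 configuration"}, {"mplayer.exe"}),
    "W32/MyDoom-AJ": ({"realplayer ath check"}, {"mathchk.exe"}),
}

# Attachment extensions named for W32/Mytob-S and W32/MyDoom-AJ, and the decoy
# first extensions Mytob-S uses to build doc.pif-style double extensions.
FINAL_EXTS = {"pif", "scr", "exe", "zip", "bat", "cmd"}
DECOY_EXTS = {"doc", "txt", "htm"}


def _is_sinkhole(ip_text):
    """True for addresses that make a hostname unreachable (loopback/unspecified)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _is_vendor_host(hostname):
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def find_hosts_tampering(hosts_text):
    """Return (line_no, ip, hostname) for vendor hosts pointed at a sinkhole address."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip_text, *names = line.split()
        if not _is_sinkhole(ip_text):
            continue
        hits.extend((line_no, ip_text, n) for n in names if _is_vendor_host(n))
    return hits


def find_autorun_iocs(autorun_values):
    """autorun_values: iterable of (key_path, value_name, data).
    Returns (family, key_path, value_name) for each value whose name or
    target binary (basename of the data) matches a bulletin indicator."""
    hits = []
    for key, name, data in autorun_values:
        binary = ntpath.basename(data.strip('"').lower())
        for family, (names, binaries) in AUTORUN_IOCS.items():
            if name.lower() in names or binary in binaries:
                hits.append((family, key, name))
                break
    return hits


def classify_attachment(filename):
    """None for harmless names, 'double-extension' for decoy.ext patterns,
    'risky-type' for any other name ending in a blocked extension."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in FINAL_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "risky-type"


# Constructed sample inputs.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
10.0.0.5        intranet.example      # benign internal entry
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.f-secure.com
"""
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_AUTORUN = [
    (RUN_KEY, "WINTASK", "taskgmr.exe"),
    (RUN_KEY, "Updater", r"C:\Program Files\Example\updater.exe"),   # benign
    (RUN_KEY.replace("HKLM", "HKCU"), "Win32 Configuration",
     r"C:\WINDOWS\system32\mplayer.exe"),
]

if __name__ == "__main__":
    for line_no, ip, host in find_hosts_tampering(SAMPLE_HOSTS):
        print("HOSTS line %d pins %s to %s" % (line_no, host, ip))
    for family, key, name in find_autorun_iocs(SAMPLE_AUTORUN):
        print("%s indicator: %s\\%s" % (family, key, name))
    for fn in ("document.doc.pif", "readme.zip", "report.pdf"):
        print(fn, "->", classify_attachment(fn))
```

The HOSTS check matches on registered-domain suffix rather than the exact hostnames in the bulletin, because the list varies between Mytob variants and a future variant will add new subdomains of the same vendors; the autorun check compares the basename of the value data so a full path in the data still matches. A hit on mplayer.exe under a "Win32 Configuration" value is specific to the W32/Forbot-BZ entry above; the binary name alone is not, so the value name is what to confirm before acting.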