TIP: Click on subject to list as thread!

ANSI

echo:	dirty_dozen
to:	ALL
from:	KURT WISMER
date:	2005-03-05 15:22:00
subject:	News, March 5 2005
[cut-n-paste from sophos.com] Name Troj/BagleDl-M Type * Trojan Affected operating systems * Windows Side effects * Downloads code from the internet * Installs itself in the Registry Prevalence (1-5) 3 Description Troj/BagleDl-M is a Trojan for the Windows platform. Advanced Troj/BagleDl-M is a Trojan for the Windows platform. The Trojan copies itself to the Windows system folder as winshost.exe and creates the following registry entries in order to run each time a user logs on: HKLM\Software\Microsoft\Windows\CurrentVersion\Run winshost.exe \winshost.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run winshost.exe \winshost.exe The Trojan also drops a file to the Windows system folder as wiwshost.exe. Troj/BagleDl-M may alter registry values under the following: HKLM\Software\Microsoft\DownloadManager HKLM\SYSTEM\CurrentControlSet\Services\Alerter Start dword:00000004 (disabled) HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start dword:00000004 (disabled) HKLM\SYSTEM\CurrentControlSet\Services\wuauserv Start dword:00000004 (disabled) Troj/BagleDl-M attempts to disable other applications by removing the following registry values: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Symantec NetDriver Monitor HKLM\Software\Microsoft\Windows\CurrentVersion\Run ccApp HKLM\Software\Microsoft\Windows\CurrentVersion\Run NAV CfgWiz HKLM\Software\Microsoft\Windows\CurrentVersion\Run SSC_UserPrompt HKLM\Software\Microsoft\Windows\CurrentVersion\Run McAfee Guardian HKCU\Software\Microsoft\Windows\CurrentVersion\Run McAfee.InstantUpdate.Monitor HKLM\Software\Microsoft\Windows\CurrentVersion\Run APVXDWIN HKLM\Software\Microsoft\Windows\CurrentVersion\Run KAV50 HKLM\Software\Microsoft\Windows\CurrentVersion\Run avg7_cc HKLM\Software\Microsoft\Windows\CurrentVersion\Run avg7_emc HKLM\Software\Microsoft\Windows\CurrentVersion\Run Zone Labs Client HKLM\Software\Symantec HKLM\Software\McAfee HKLM\Software\KasperskyLab HKLM\Software\Agnitum HKLM\Software\Panda Software HKLM\Software\Zone Labs Troj/BagleDl-M searches for the following files and renames them to similar names in an attempt to avoid them being run by other processes: AUPDATE.EXE av.dll Avconsol.exe avgcc.exe avgemc.exe Avsynmgr.exe cafix.exe ccApp.exe CCEVTMGR.EXE ccl30.dll CCSETMGR.EXE ccvrtrst.dll CMGrdian.exe isafe.exe KAV.exe kavmm.exe LUALL.EXE LUINSDLL.DLL Luupdate.exe Mcshield.exe NAVAPSVC.EXE NPFMNTOR.EXE outpost.exe RuLaunch.exe SNDSrvc.exe SPBBCSvc.exe symlcsvc.exe Up2Date.exe vetredir.dll Vshwin32.exe VsStat.exe vsvault.dll zatutor.exe zlavscan.dll zlclient.exe zonealarm.exe For example, if the Trojan finds a file named zonealarm.exe it renames the file to zo3nealarm.exe. Troj/BagleDl-M writes the following data to the HOSTS file (typically located in \drivers\etc\) in an attempt to restrict access to several URLs: 127.0.0.1 ad.doubleclick.net 127.0.0.1 ad.fastclick.net 127.0.0.1 ads.fastclick.net 127.0.0.1 ar.atwola.com 127.0.0.1 atdmt.com 127.0.0.1 avp.ch 127.0.0.1 avp.com 127.0.0.1 avp.com 127.0.0.1 avp.ru 127.0.0.1 awaps.net 127.0.0.1 banner.fastclick.net 127.0.0.1 banners.fastclick.net 127.0.0.1 ca.com 127.0.0.1 ca.com 127.0.0.1 click.atdmt.com 127.0.0.1 clicks.atdmt.com 127.0.0.1 customer.symantec.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 download.mcafee.com 127.0.0.1 download.mcafee.com 127.0.0.1 download.mcafee.com 127.0.0.1 download.microsoft.com 127.0.0.1 downloads.microsoft.com 127.0.0.1 downloads1.kaspersky-labs.com 127.0.0.1 downloads2.kaspersky-labs.com 127.0.0.1 downloads3.kaspersky-labs.com 127.0.0.1 downloads4.kaspersky-labs.com 127.0.0.1 engine.awaps.net 127.0.0.1 f-secure.com 127.0.0.1 f-secure.com 127.0.0.1 fastclick.net 127.0.0.1 ftp.f-secure.com 127.0.0.1 ftp.sophos.com 127.0.0.1 ftp://downloads1.kaspersky-labs.com/updates/ 127.0.0.1 ftp://ftp.avp.ch/updates/ 127.0.0.1 ftp://ftp.kasperskylab.ru/updates/ 127.0.0.1 ftp://updates3.kaspersky-labs.com/updates/ 127.0.0.1 go.microsoft.com 127.0.0.1 http://downloads1.kaspersky-labs.com/updates/ 127.0.0.1 http://updates1.kaspersky-labs.com/updates/ 127.0.0.1 http://updates2.kaspersky-labs.com/updates/ 127.0.0.1 http://updates3.kaspersky-labs.com/updates/ 127.0.0.1 http://updates4.kaspersky-labs.com/updates/ 127.0.0.1 http://updates5.kaspersky-labs.com/updates/ 127.0.0.1 http://www.kaspersky-labs.com/updates/ 127.0.0.1 http://www.kaspersky.ru/updates/ 127.0.0.1 ids.kaspersky-labs.com 127.0.0.1 kaspersky-labs.com 127.0.0.1 kaspersky.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 localhost 127.0.0.1 mast.mcafee.com 127.0.0.1 mast.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 media.fastclick.net 127.0.0.1 msdn.microsoft.com 127.0.0.1 my-etrust.com 127.0.0.1 my-etrust.com 127.0.0.1 nai.com 127.0.0.1 nai.com 127.0.0.1 networkassociates.com 127.0.0.1 networkassociates.com 127.0.0.1 office.microsoft.com 127.0.0.1 phx.corporate-ir.net 127.0.0.1 rads.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 secure.nai.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 service1.symantec.com 127.0.0.1 sophos.com 127.0.0.1 sophos.com 127.0.0.1 spd.atdmt.com 127.0.0.1 support.microsoft.com 127.0.0.1 symantec.com 127.0.0.1 symantec.com 127.0.0.1 trendmicro.com 127.0.0.1 update.symantec.com 127.0.0.1 update.symantec.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 us.mcafee.com 127.0.0.1 vil.nai.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.ru 127.0.0.1 windowsupdate.microsoft.com 127.0.0.1 www.avp.ch 127.0.0.1 www.avp.com 127.0.0.1 www.avp.com 127.0.0.1 www.avp.ru 127.0.0.1 www.awaps.net 127.0.0.1 www.ca.com 127.0.0.1 www.ca.com 127.0.0.1 www.f-secure.com 127.0.0.1 www.f-secure.com 127.0.0.1 www.fastclick.net 127.0.0.1 www.grisoft.com 127.0.0.1 www.kaspersky.com 127.0.0.1 www.kaspersky.ru 127.0.0.1 www.mcafee.com 127.0.0.1 www.mcafee.com 127.0.0.1 www.my-etrust.com 127.0.0.1 www.my-etrust.com 127.0.0.1 www.nai.com 127.0.0.1 www.nai.com 127.0.0.1 www.networkassociates.com 127.0.0.1 www.networkassociates.com 127.0.0.1 www.sophos.com 127.0.0.1 www.sophos.com 127.0.0.1 www.symantec.com 127.0.0.1 www.symantec.com 127.0.0.1 www.trendmicro.com 127.0.0.1 www.trendmicro.com 127.0.0.1 www.viruslist.com 127.0.0.1 www.viruslist.ru 127.0.0.1 www3.ca.com The Trojan may arrive via email as either dddd.exe or .rar Troj/BagleDl-M attempts to download files from several remote sites and then run them. Name W32/Rbot-UC Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Steals information * Downloads code from the internet * Reduces system security * Records keystrokes * Installs itself in the Registry Aliases * Backdoor.Win32.Rbot.ex Prevalence (1-5) 2 Description W32/Rbot-UC is a network worm and IRC backdoor Trojan for the Windows platform. W32/Rbot-UC spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans. W32/Rbot-UC can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-UC can be instructed by a remote user to perform a predefined set of functions. Advanced W32/Rbot-UC is a network worm and IRC backdoor Trojan for the Windows platform. W32/Rbot-UC spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans. W32/Rbot-UC can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-UC can be instructed by a remote user to perform the following functions: start an FTP server start a Proxy server start a web server take part in distributed denial of service (DDoS) attacks log keypresses capture screen/webcam images packet sniffing port scanning download/execute arbitrary files start a remote shell (RLOGIN) The worm moves itself to MSDIAG32.EXE in the Windows system folder and creates the following registry entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Diagnostic msdiag32.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices Microsoft Diagnostic msdiag32.exe W32/Rbot-UC will also set the following registry entry: HKCU\Software\Microsoft\OLE Microsoft Diagnostic msdiag32.exe Patches for the operating system vulnerabilities exploited by W32/Rbot-UC can be obtained from Microsoft at: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx Name W32/Bropia-S Type * Worm How it spreads * Chat programs Affected operating systems * Windows Side effects * Drops more malware * Reduces system security Aliases * IM-Worm.Win32.Bropia.h * W32/Bropia.worm.t Prevalence (1-5) 2 Description W32/Bropia-S is a worm for the Windows platform that spreads using the MSN Messenger application. W32/Bropia-S monitors the status of MSN Messenger and sends a copy of itself to Messenger contacts. W32/Bropia-S drops and runs a copy of the worm W32/Forbot-EK. Advanced W32/Bropia-S is a worm for the Windows platform that spreads using the MSN Messenger application. When first run W32/Bropia-S creates and runs the following files in the current folder: bot.exe - detected by Sophos anti-virus as W32/Bropia-S. botz.exe - detected by Sophos anti-virus as W32/Forbot-EK. The file botz.exe will only appear in the current folder momentarily after which the action of the W32/Forbot-EK worm will move the file to the windows system folder with the filename doit.exe. W32/Bropia-S may display an error message that reads "Enkele bestanden konden niet gemaakt worden. Sluit alle toepassingen, start Windows opnieuw op en start deze installatie opnieuw op". A WinRAR application window will appear after the error message has been accepted. W32/Bropia-S monitors the status of MSN Messenger and sends a copy of itself to Messenger contacts. Name W32/Forbot-CW Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Steals information * Reduces system security * Installs itself in the Registry * Exploits system or software vulnerabilities * Used in DOS attacks Aliases * Backdoor.Win32.Wootbot.gen Prevalence (1-5) 2 Description W32/Forbot-CW is a worm which attempts to spread to remote network shares and computers vulnerable to common exploits. W32/Forbot-CW contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via the IRC network. W32/Forbot-CW connects to a preconfigured IRC channel and awaits commands from a remote intruder. These include commands to steal information, delete network shares, reduce system security, start a proxy server, participate in DDoS attacks, exploit vulnerabilities, steal registration keys for computer games and harvest email addresses from the Windows address book and Instant Messenger configuration files. Advanced W32/Forbot-CW copies itself to the Windows system folder and creates the following registry entries to run itself automatically on log-on: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ScManager scman.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce ScManager scman.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices ScManager scman.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run ScManager scman.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ScManager scman.exe W32/Forbot-CW also creates a number of entries in the registry under the following entries: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_USBFIRE\ HKLM\SYSTEM\ControlSet001\Services\USBFire\ HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_USBFIRE\ HKLM\SYSTEM\CurrentControlSet\Services\USBFire\ Name W32/Agobot-QL Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Modifies data on the computer * Downloads code from the internet * Reduces system security * Installs itself in the Registry Aliases * Backdoor.Win32.Agobot.yt Prevalence (1-5) 2 Description W32/Agobot-QL is worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels. Advanced W32/Agobot-QL is worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels. W32/Agobot-QL copies itself to the Windows system folder with the filename IEXPL0RE.EXE and sets the following entries in the registry so as to run itself on system startup: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ IEXPL0RER = "IEXPL0RER.EXE" HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ IEXPL0RER = "IEXPL0RER.EXE" W32/Agobot-QL spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user. W32/Agobot-QL attempts to modify the HOSTS file found in the drivers\etc subfolder of the Windows system folder, preventing access to certain websites by mapping them to the loopback address as follows: 127.0.0.1 www.symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 symantec.com 127.0.0.1 www.sophos.com 127.0.0.1 sophos.com 127.0.0.1 www.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 www.viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 f-secure.com 127.0.0.1 www.f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 www.avp.com 127.0.0.1 www.kaspersky.com 127.0.0.1 avp.com 127.0.0.1 www.networkassociates.com 127.0.0.1 networkassociates.com 127.0.0.1 www.ca.com 127.0.0.1 ca.com 127.0.0.1 mast.mcafee.com 127.0.0.1 my-etrust.com 127.0.0.1 www.my-etrust.com 127.0.0.1 download.mcafee.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 nai.com 127.0.0.1 www.nai.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 customer.symantec.com 127.0.0.1 rads.mcafee.com 127.0.0.1 trendmicro.com 127.0.0.1 www.trendmicro.com Name W32/Agobot-OV Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Steals information * Downloads code from the internet * Reduces system security * Records keystrokes Aliases * Backdoor.Win32.Agobot.gen Prevalence (1-5) 2 Description W32/Agobot-OV is a network worm with IRC backdoor functionality. Once installed, W32/Agobot-OV connects to a preconfigured IRC server, joins a channel and awaits further instructions. These instructions can cause the bot to perform any of the following actions: start a UDP, TCP, ICMP, syn, http or ping flood start a socks4, socks5, http or https proxy server redirect TCP or GRE connections start an FTP server start a command shell server show statistics about the infected system reboot/shutdown the infected machine kill anti-virus and security processes list/terminate running processes scan randomly- or sequentially-chosen IPs for infectable machines make local drives network-shareable close down vulnerable services in order to secure the machine search for product keys search local drives for AOL user details sniff network traffic in order to find passwords start a keylogger download and install an updated version of itself install bot plugins for additional functionality The worm spreads to machines affected by known vulnerabilities, running network services protected by weak passwords or infected by common backdoor Trojans. W32/Agobot-OV adds 127.0.0.1 (loopback) entries to the Windows HOSTS file in order to prevent access to the security-related websites. Advanced W32/Agobot-OV is a network worm with IRC backdoor functionality. In order to run automatically when Windows starts up the worm copies itself to the file fnksvc32.exe in the Windows system folder Once installed, W32/Agobot-OV connects to a preconfigured IRC server, joins a channel and awaits further instructions. These instructions can cause the bot to perform any of the following actions: start a UDP, TCP, ICMP, syn, http or ping flood start a socks4, socks5, http or https proxy server redirect TCP or GRE connections start an FTP server start a command shell server show statistics about the infected system reboot/shutdown the infected machine kill anti-virus and security processes list/terminate running processes scan randomly- or sequentially-chosen IPs for infectable machines make local drives network-shareable close down vulnerable services in order to secure the machine search for product keys search local drives for AOL user details sniff network traffic in order to find passwords start a keylogger download and install an updated version of itself install bot plugins for additional functionality The worm spreads to machines affected by known vulnerabilities, running network services protected by weak passwords or infected by common backdoor Trojans. Vulnerabilities: Universal PNP (MS01-059) WebDav (MS03-007) RPC DCOM (MS03-026, MS04-012) WorKStation service (MS03-049) LSASS (MS04-011) DameWare (CAN-2003-1030) Services: NetBios MS SQL Backdoors: W32/Bagle W32/MyDoom Troj/Optix W32/Sasser W32/Agobot-OV creates or modifies the following registry entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ ?ekio Startups ?nksvc32.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ ?ekio Startups ?nksvc32.exe where ? is a random character. W32/Agobot-OV adds 127.0.0.1 (loopback) entries to the Windows HOSTS file in order to prevent access to the following websites: 127.0.0.1 www.trendmicro.com 127.0.0.1 trendmicro.com 127.0.0.1 rads.mcafee.com 127.0.0.1 customer.symantec.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 updates.symantec.com 127.0.0.1 update.symantec.com 127.0.0.1 www.nai.com 127.0.0.1 nai.com 127.0.0.1 secure.nai.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 download.mcafee.com 127.0.0.1 www.my-etrust.com 127.0.0.1 my-etrust.com 127.0.0.1 mast.mcafee.com 127.0.0.1 ca.com 127.0.0.1 www.ca.com 127.0.0.1 networkassociates.com 127.0.0.1 www.networkassociates.com 127.0.0.1 avp.com 127.0.0.1 www.kaspersky.com 127.0.0.1 www.avp.com 127.0.0.1 kaspersky.com 127.0.0.1 www.f-secure.com 127.0.0.1 f-secure.com 127.0.0.1 viruslist.com 127.0.0.1 www.viruslist.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 mcafee.com 127.0.0.1 www.mcafee.com 127.0.0.1 sophos.com 127.0.0.1 www.sophos.com 127.0.0.1 symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 www.symantec.com The worm terminates the following processes: _AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ADAWARE.EXE ADVXDWIN.EXE AGENTSVR.EXE AGENTW.EXE ALERTSVC.EXE ALEVIR.EXE ALOGSERV.EXE AMON9X.EXE ANTI-TROJAN.EXE ANTIVIRUS.EXE ANTS.EXE APIMONITOR.EXE APLICA32.EXE APVXDWIN.EXE ARR.EXE ATCON.EXE ATGUARD.EXE ATRO55EN.EXE ATUPDATER.EXE ATWATCH.EXE AU.EXE AUPDATE.EXE AUTO-PROTECT.NAV80TRY.EXE AUTODOWN.EXE AUTOTRACE.EXE AUTOUPDATE.EXE AVCONSOL.EXE AVE32.EXE AVGCC32.EXE AVGCTRL.EXE AVGNT.EXE AVGSERV.EXE AVGSERV9.EXE AVGUARD.EXE AVGW.EXE AVKPOP.EXE AVKSERV.EXE AVKSERVICE.EXE AVKWCTl9.EXE AVLTMAIN.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVSCHED32.EXE AVSYNMGR.EXE AVWIN95.EXE AVWINNT.EXE AVWUPD.EXE AVWUPD32.EXE AVWUPSRV.EXE AVXMONITOR9X.EXE AVXMONITORNT.EXE AVXQUAR.EXE BACKWEB.EXE BARGAINS.EXE BD_PROFESSIONAL.EXE BEAGLE.EXE BELT.EXE BIDEF.EXE BIDSERVER.EXE BIPCP.EXE BIPCPEVALSETUP.EXE BISP.EXE BLACKD.EXE BLACKICE.EXE BLSS.EXE BOOTCONF.EXE BOOTWARN.EXE BORG2.EXE BPC.EXE BRASIL.EXE BS120.EXE BUNDLE.EXE BVT.EXE CCAPP.EXE CCEVTMGR.EXE CCPXYSVC.EXE CDP.EXE CFD.EXE CFGWIZ.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE Claw95.EXE CLAW95CF.EXE CLEAN.EXE CLEANER.EXE CLEANER3.EXE CLEANPC.EXE CLICK.EXE CMD32.EXE CMESYS.EXE CMGRDIAN.EXE CMON016.EXE CONNECTIONMONITOR.EXE CPD.EXE CPF9X206.EXE CPFNT206.EXE CTRL.EXE CV.EXE CWNB181.EXE CWNTDWMO.EXE DATEMANAGER.EXE DCOMX.EXE DEFALERT.EXE DEFSCANGUI.EXE DEFWATCH.EXE DEPUTY.EXE DIVX.EXE DLLCACHE.EXE DLLREG.EXE DOORS.EXE DPF.EXE DPFSETUP.EXE DPPS2.EXE DRWATSON.EXE DRWEB32.EXE DRWEBUPW.EXE DSSAGENT.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE EFPEADM.EXE EMSW.EXE ENT.EXE ESAFE.EXE ESCANH95.EXE ESCANHNT.EXE ESCANV95.EXE ESPWATCH.EXE ETHEREAL.EXE ETRUSTCIPE.EXE EVPN.EXE EXANTIVIRUS-CNET.EXE EXE.AVXW.EXE EXPERT.EXE EXPLORE.EXE F-AGNT95.EXE F-AGOBOT.EXE F-PROT.EXE F-PROT95.EXE F-STOPW.EXE FAMEH32.EXE FAST.EXE FCH32.EXE FIH32.EXE FINDVIRU.EXE FIREWALL.EXE FLOWPROTECTOR.EXE FNRB32.EXE FP-WIN.EXE FP-WIN_TRIAL.EXE FPROT.EXE FRW.EXE FSAA.EXE FSAV.EXE FSAV32.EXE FSAV530STBYB.EXE FSAV530WTBYB.EXE FSAV95.EXE FSGK32.EXE FSM32.EXE FSMA32.EXE FSMB32.EXE GATOR.EXE GBMENU.EXE GBPOLL.EXE GENERICS.EXE GMT.EXE GUARD.EXE GUARDDOG.EXE HACKTRACERSETUP.EXE HBINST.EXE HBSRV.EXE HIJACKTHIS.EXE HOTACTIO.EXE HOTPATCH.EXE HTLOG.EXE HTPATCH.EXE HWPE.EXE HXDL.EXE HXIUL.EXE IAMAPP.EXE IAMSERV.EXE IAMSTATS.EXE IBMASN.EXE IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IDLE.EXE IEDLL.EXE IEDRIVER.EXE IEXPLORER.EXE IFACE.EXE IFW2000.EXE INETLNFO.EXE INFUS.EXE INFWIN.EXE INIT.EXE INTDEL.EXE INTREN.EXE IOMON98.EXE IPARMOR.EXE IRIS.EXE ISASS.EXE ISRV95.EXE ISTSVC.EXE JAMMER.EXE JDBGMRG.EXE JEDI.EXE KAVLITE40ENG.EXE KAVPERS40ENG.EXE KAVPF.EXE KAZZA.EXE KEENVALUE.EXE KERIO-PF-213-EN-WIN.EXE KERIO-WRL-421-EN-WIN.EXE KERIO-WRP-421-EN-WIN.EXE KERNEL32.EXE KILLPROCESSSETUP161.EXE LAUNCHER.EXE LDNETMON.EXE LDPRO.EXE LDPROMENU.EXE LDSCAN.EXE LNETINFO.EXE LOADER.EXE LOCALNET.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE LOOKOUT.EXE LORDPE.EXE LSETUP.EXE LUALL.EXE LUAU.EXE LUCOMSERVER.EXE LUINIT.EXE LUSPT.EXE MAPISVC32.EXE MCAGENT.EXE MCMNHDLR.EXE MCSHIELD.EXE MCTOOL.EXE MCUPDATE.EXE MCVSRTE.EXE MCVSSHLD.EXE MD.EXE MFIN32.EXE MFW2EN.EXE MFWENG3.02D30.EXE MGAVRTCL.EXE MGAVRTE.EXE MGHTML.EXE MGUI.EXE MINILOG.EXE MMOD.EXE MONITOR.EXE MOOLIVE.EXE MOSTAT.EXE MPFAGENT.EXE MPFSERVICE.EXE MPFTRAY.EXE MRFLUX.EXE MSAPP.EXE MSBB.EXE MSBLAST.EXE MSCACHE.EXE MSCCN32.EXE MSCMAN.EXE MSCONFIG.EXE MSDM.EXE MSDOS.EXE MSIEXEC16.EXE MSINFO32.EXE MSLAUGH.EXE MSMGT.EXE MSMSGRI32.EXE MSSMMC32.EXE MSSYS.EXE MSVXD.EXE MU0311AD.EXE MWATCH.EXE N32SCANW.EXE NAV.EXE NAVAP.NAVAPSVC.EXE NAVAPSVC.EXE NAVAPW32.EXE NAVDX.EXE NAVENGNAVEX15.NAVLU32.EXE NAVLU32.EXE NAVNT.EXE NAVSTUB.EXE NAVW32.EXE NAVWNT.EXE NC2000.EXE NCINST4.EXE NDD32.EXE NEOMONITOR.EXE NEOWATCHLOG.EXE NETARMOR.EXE NETD32.EXE NETINFO.EXE NETMON.EXE NETSCANPRO.EXE NETSPYHUNTER-1.2.EXE NETSTAT.EXE NETUTILS.EXE NISSERV.EXE NISUM.EXE NMAIN.EXE NOD32.EXE NORMIST.EXE NORTON_INTERNET_SECU_3.0_407.EXE NOTSTART.EXE NPF40_TW_98_NT_ME_2K.EXE NPFMESSENGER.EXE NPROTECT.EXE NPSCHECK.EXE NPSSVC.EXE NSCHED32.EXE NSSYS32.EXE NSTASK32.EXE NSUPDATE.EXE NT.EXE NTRTSCAN.EXE NTVDM.EXE NTXconfig.EXE NUI.EXE NUPGRADE.EXE NVARCH16.EXE NVC95.EXE NVSVC32.EXE NWINST4.EXE NWSERVICE.EXE NWTOOL16.EXE OLLYDBG.EXE ONSRVR.EXE OPTIMIZE.EXE OSTRONET.EXE OTFIX.EXE OUTPOST.EXE OUTPOSTINSTALL.EXE OUTPOSTPROINSTALL.EXE PADMIN.EXE PANIXK.EXE PATCH.EXE PAVCL.EXE PAVPROXY.EXE PAVSCHED.EXE PAVW.EXE PCC2002S902.EXE PCC2K_76_1436.EXE PCCIOMON.EXE PCCNTMON.EXE PCCWIN97.EXE PCCWIN98.EXE PCDSETUP.EXE PCFWALLICON.EXE PCIP10117_0.EXE PCSCAN.EXE PDSETUP.EXE PENIS.EXE PERISCOPE.EXE PERSFW.EXE PERSWF.EXE PF2.EXE PFWADMIN.EXE PGMONITR.EXE PINGSCAN.EXE PLATIN.EXE POP3TRAP.EXE POPROXY.EXE POPSCAN.EXE PORTDETECTIVE.EXE PORTMONITOR.EXE POWERSCAN.EXE PPINUPDT.EXE PPTBC.EXE PPVSTOP.EXE PRIZESURFER.EXE PRMT.EXE PRMVR.EXE PROCDUMP.EXE PROCESSMONITOR.EXE PROCEXPLORERV1.0.EXE PROGRAMAUDITOR.EXE PROPORT.EXE PROTECTX.EXE PSPF.EXE PURGE.EXE PUSSY.EXE PVIEW95.EXE QCONSOLE.EXE QSERVER.EXE RAPAPP.EXE RAV7.EXE RAV7WIN.EXE RAV8WIN32ENG.EXE RAY.EXE RB32.EXE RCSYNC.EXE REALMON.EXE REGED.EXE REGEDIT.EXE REGEDT32.EXE RESCUE.EXE RESCUE32.EXE RRGUARD.EXE RSHELL.EXE RTVSCAN.EXE RTVSCN95.EXE RULAUNCH.EXE RUN32DLL.EXE RUNDLL.EXE RUNDLL16.EXE RUXDLL32.EXE SAFEWEB.EXE SAHAGENT.EXE SAVE.EXE SAVENOW.EXE SBSERV.EXE SC.EXE SCAM32.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE SCRSVR.EXE SCVHOST.EXE SD.EXE SERV95.EXE SERVICE.EXE SERVLCE.EXE SERVLCES.EXE SETUP_FLOWPROTECTOR_US.EXE SETUPVAMEEVAL.EXE SFC.EXE SGSSFW32.EXE SH.EXE SHELLSPYINSTALL.EXE SHN.EXE SHOWBEHIND.EXE SMC.EXE SMS.EXE SMSS32.EXE SOAP.EXE SOFI.EXE SPERM.EXE SPF.EXE SPHINX.EXE SPOLER.EXE SPOOLCV.EXE SPOOLSV32.EXE SPYXX.EXE SREXE.EXE SRNG.EXE SS3EDIT.EXE SSG_4104.EXE SSGRATE.EXE ST2.EXE START.EXE STCLOADER.EXE SUPFTRL.EXE SUPPORT.EXE SUPPORTER5.EXE SVC.EXE SVCHOSTC.EXE SVCHOSTS.EXE SVSHOST.EXE SWEEP95.EXE SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE SYMPROXYSVC.EXE SYMTRAY.EXE SYSEDIT.EXE SYSTEM.EXE SYSTEM32.EXE SYSUPD.EXE TASKMG.EXE TASKMO.EXE TASKMON.EXE TAUMON.EXE TBSCAN.EXE TC.EXE TCA.EXE TCM.EXE TDS-3.EXE TDS2-98.EXE TDS2-NT.EXE TEEKIDS.EXE TFAK.EXE TFAK5.EXE TGBOB.EXE TITANIN.EXE TITANINXP.EXE TRACERT.EXE TRICKLER.EXE TRJSCAN.EXE TRJSETUP.EXE TROJANTRAP3.EXE TSADBOT.EXE TVMD.EXE TVTMD.EXE UNDOBOOT.EXE UPDAT.EXE UPDATE.EXE UPGRAD.EXE UTPOST.EXE VBCMSERV.EXE VBCONS.EXE VBUST.EXE VBWIN9X.EXE VBWINNTW.EXE VCSETUP.EXE VET32.EXE VET95.EXE VETTRAY.EXE VFSETUP.EXE VIR-HELP.EXE VIRUSMDPERSONALFIREWALL.EXE VNLAN300.EXE VNPC3000.EXE VPC32.EXE VPC42.EXE VPFW30S.EXE VPTRAY.EXE VSCAN40.EXE VSCENU6.02D30.EXE VSCHED.EXE VSECOMR.EXE VSHWIN32.EXE VSISETUP.EXE VSMAIN.EXE VSMON.EXE VSSTAT.EXE VSWIN9XE.EXE VSWINNTSE.EXE VSWINPERSE.EXE W32DSM89.EXE W9X.EXE WATCHDOG.EXE WEBDAV.EXE WEBSCANX.EXE WEBTRAP.EXE WFINDV32.EXE WGFE95.EXE WHOSWATCHINGME.EXE WIMMUN32.EXE WIN-BUGSFIX.EXE WIN32.EXE WIN32US.EXE WINACTIVE.EXE WINDOW.EXE WINDOWS.EXE WININETD.EXE WININIT.EXE WININITX.EXE WINLOGIN.EXE WINMAIN.EXE WINNET.EXE WINPPR32.EXE WINRECON.EXE WINSERVN.EXE WINSSK32.EXE WINSTART.EXE WINSTART001.EXE WINTSK32.EXE WINUPDATE.EXE WKUFIND.EXE WNAD.EXE WNT.EXE WRADMIN.EXE WRCTRL.EXE WSBGATE.EXE WUPDATER.EXE WUPDT.EXE WYVERNWORKSFIREWALL.EXE XPF202EN.EXE ZAPRO.EXE ZAPSETUP3001.EXE ZATUTOR.EXE ZONALM2601.EXE ZONEALARM.EXE Name Troj/Kelebek-G Type * Trojan Affected operating systems * Windows Side effects * Allows others to access the computer * Reduces system security * Installs itself in the Registry * Leaves non-infected files on computer Aliases * Backdoor.IRC.Kelebek.g Prevalence (1-5) 2 Description Troj/Kelebek-G is a backdoor Trojan for the Windows platform. The Trojan contacts a number of predefined IRC servers and waits for instructions from a remote attacker. Advanced Troj/Kelebek-G is a backdoor Trojan for the Windows platform. The Trojan contacts a number of predefined IRC servers and waits for instructions from a remote attacker. The Trojan creates the following files in the Windows system folder asfsip.dll bnsnbrgndglhrgnsvdm.dll mirc.ini myuv.dll nrdsn.dll qwssd.dll remote.ini servers.ini svhost.dll term.dll truse.dll vga11k.dll wdinfo.dll Svhost.dll is detected as Troj/Flood-I and bnsnbrgndglhrgnsvdm.dll is detected as Troj/Kirsun-A. The other files are detected as Troj/Kelebek-G. Troj/Kelebek-G also creates the following non-malicious files in the Windows system folder: ?.exe (where ? is ASCII character 255) bos.txt channels.txt general.dll mtime.dll my.dll nrshu.dll puprn.vbs timer.txt colors/e.dll colors/i.dll colors/n.dll These files may be safely deleted. To ensure that the Trojan is run each time a user logs on it adds the following registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WinMsgServices ?.exe (where ? is ASCII character 255) Name W32/Assiral-B Type * Worm How it spreads * Email attachments Affected operating systems * Windows Side effects * Turns off anti-virus applications * Sends itself to email addresses found on the infected computer * Deletes files off the computer * Uses its own emailing engine * Reduces system security Prevalence (1-5) 2 Description W32/Assiral-B is a mass-mailing worm. W32/Assiral-B sends itself to the addresses it finds on the infected computer in emails with the following characteristics: From address: MSLarissa{at}Admin.com Subject line from the following list: Re: Message Re: Letter Re: Information I LOVE YOU Re: Your Documents Re: Account Info Windows Update Re: My Letter Re: Docs Re: Your Email Info Message text from the following list: The message is located in the attachments. The letter you requested is in the attachments. Information attached. Kindly read and reply to my LOVE LETTER in the attachments :-) The documents you requested are in the attachments. Info reguarding your Email account is in the attachments. Dear Windows User, Please download the windows updated included in the attachments. My letter is in the attachments. Please read the documents included in the attachments Your email account is about to expire, please check the attachments for details. Attachment name from the following list: Message.exe Letter.exe Information.exe LOVE_LETTER_FOR_YOU.exe Documents.exe Attached_Message.exe Microsoft_Update.exe Private_Letter.exe Private_Document.exe Important_Message.exe W32/Assiral-B attempts to terminate a number of processes related to security and anti-virus programs. W32/Assiral-B attempts to delete all DLL and EXE files from the folders C:\WINDOWS\System32, C:\WINDOWS\System and C:\WINDOWS W32/Assiral-B may display fake error message boxes with the title "System Error" and the text "Invalid memory address: Program terminating." W32/Assiral-B drops 3 files, C:\MESSAGE_TO_USER.txt, C:\MESSAGE_TO_AVs.txt and MESSAGE_TO_BROPIA.txt containing messages from the virus author. Advanced W32/Assiral-B is a mass-mailing worm. W32/Assiral-B copies itself to the Windows system folder with the filenames CmdPrompt32.pif and MSLARISSA.pif, and to the Windows folder with the filename SP00Lsv32.pif. W32/Assiral-B then sets the following entries in the registry so as to run the copies on system startup: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ MSLARISSA HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Cinnabd Prompt32 HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ (L4r1$$4) (4nt1) (V1ruz) W32/Assiral-B also attempts to copy itself to removable, fixed and remote drives with the filename LOVE_LETTER_FOR_YOU.pif. W32/Assiral-B searches for email addresses in files of type .HT in the current folder, in the Windows folder, and in the folder found at the following registry entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Personal W32/Assiral-B sends itself to the addresses it finds in emails with the following characteristics: From address: MSLarissa{at}Admin.com Subject line from the following list: Re: Message Re: Letter Re: Information I LOVE YOU Re: Your Documents Re: Account Info Windows Update Re: My Letter Re: Docs Re: Your Email Info Message text from the following list: The message is located in the attachments. The letter you requested is in the attachments. Information attached. Kindly read and reply to my LOVE LETTER in the attachments :-) The documents you requested are in the attachments. Info reguarding your Email account is in the attachments. Dear Windows User, Please download the windows updated included in the attachments. My letter is in the attachments. Please read the documents included in the attachments Your email account is about to expire, please check the attachments for details. Attachment name from the following list: Message.exe Letter.exe Information.exe LOVE_LETTER_FOR_YOU.exe Documents.exe Attached_Message.exe Microsoft_Update.exe Private_Letter.exe Private_Document.exe Important_Message.exe W32/Assiral-B attempts to terminate a number of processes related to security and anti-virus programs. W32/Assiral-B drops and runs a file C:\WINDOWS\WinVBS.vbs, also detected as W32/Assiral-B, which attempts to set the following registry entries in restrict the user's activity on the infected machine: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoRun = 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ DisableRegistryTools = 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoDrives = 67108863 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\ Disabled = 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ NoAdminPage = 1 W32/Assiral-B attempts to load a hidden instance of Microsoft Internet Explorer and to load a file at http://www.geocities.com/mslarissac. W32/Assiral-B attempts to delete all DLL and EXE files from the folders C:\WINDOWS\System32, C:\WINDOWS\System and C:\WINDOWS W32/Assiral-B may display fake error message boxes with the title "System Error" and the text "Invalid memory address: Program terminating." W32/Assiral-B drops 3 files, C:\MESSAGE_TO_USER.txt, C:\MESSAGE_TO_AVs.txt and MESSAGE_TO_BROPIA.txt. C:\MESSAGE_TO_USER.txt contains the following text: Greetz to infected user! I will survive, In this moment in time. Your computer will crash, So, you will be mine. I will not crash, I will not fail. So, in this moment in time, I will survive... - LARISSA AUTHOR : 2-24-05 C:\MESSAGE_TO_AVs.txt contains the following text: Greetz to AVs! I wanna be in AV industry when I grow up :-) ---------------------------------------- - LARISSA AUTHOR : 2-24-05 MESSAGE_TO_BROPIA.txt contains the following text: Hey Bropia.. stop making MSN worms it's stupid... ... lol -- Larissa Anti Bropia... -- Saving the world from BROPIA!!! - LARISSA AUTHOR : 2-24-05 Name W32/Francette-Q Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Steals information * Reduces system security * Records keystrokes * Installs itself in the Registry * Exploits system or software vulnerabilities Aliases * Net-Worm.Win32.Francette.q * W32/Kvdbot.worm Prevalence (1-5) 2 Description W32/Francette-Q is network worm with keylogging and backdoor functionality for the Windows platform. W32/Francette-Q attempts to log details from banking applications. W32/Francette-Q contains IRC backdoor functionality, allowing remote intruders unauthorised access to infected computers. Advanced W32/Francette-Q is network worm with keylogging and backdoor functionality for the Windows platform. W32/Francette-Q attempts to log details from banking applications. W32/Francette-Q contains IRC backdoor functionality, allowing remote intruders unauthorised access to infected computers. W32/Francette-Q spreads by exploiting the RPC-DCOM vulnerability, http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx W32/Francette-Q sets the following registry entry to run itself automatically each time a user logs on: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Microsoft IIS W32/Francette-Q also overwrites the Hosts file, directing access to the following websites to the local computer: banesnet.banesto.es extranet.banesto.es ibank.barclays.co.uk online-business.lloydstsb.co.uk online.lloydstsb.co.uk www.halifax-online.co.uk www.nwolb.com www.ukpersonal.hsbc.co.uk Name VBS/Speery-A Type * Worm How it spreads * Email attachments * Network shares * Chat programs Affected operating systems * Windows Side effects * Modifies data on the computer * Drops more malware * Uses its own emailing engine * Reduces system security * Installs itself in the Registry Aliases * Email-Worm.VBS.Speery.a Prevalence (1-5) 2 Description VBS/Speery-A is a worm for the Windows platform. VBS/Speery-A drops two helper files named underground.ico and wini.ico. These files contain the functionality to spread the worm via email and through all available drives and subfolders. The worm overwrites all files with the VBS or VBE file extensions with copies of itself. If VBS/Speery-A finds the folder C:\mirc, then it creates a file named script.ini which causes the Internet Relay Chat (IRC) application mIRC to send a copy of the worm to joining users on the IRC network. Advanced VBS/Speery-A is a worm for the Windows platform. When first run, the worm displays a message box containing the following: I-Worm.Maxpeery by Spidey [SECTOR-S] Indonesia URL : The worm copies itself to the Windows folder as Christina_Aquilera.jpg.vbs and to the Windows system folder as gsw332.exe.vbs. In order to run each time a user logs on, the following registry entries are created: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ccApp "\gsw332.exe.vbs" HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce AVPCC "\Christina_Aquilera.jpg.vbs" The worm may also alter the following registry entry: HKCU\Software\Microsoft\Windows Script Host\Settings Timeout If the folder C:\program files\winrar exists, the worm attempts to create the following files using the winrar application: Christina_aquilera.rar gsw332.rar VBS/Speery-A drops two helper files named underground.ico and wini.ico. These files contain the functionality to spread the worm via email and through all available drives and subfolders. The worm overwrites all files with the VBS or VBE file extensions with copies of itself. Email sent by VBS/Speery-A has the following properties: Subject line: Tolong dong... Attached file: VBS/Speery-A's current filename gsw332.rar Christina_Aquilera.rar Message text: Kenapa dari dulu hidupku seperti ini ?, kenapa ga ada perubahan yang berarti ? Tolong dong cariin aku kerjaan If the attached file is one of the files created by the Winrar application, then the following also appears in the message text: Password attachmentnya = sectors If VBS/Speery-A finds the folder C:\mirc, then it creates a file named script.ini which causes the Internet Relay Chat (IRC) application mIRC to send a copy of the worm to joining users on the IRC network. Sophos's anti-virus products detect the script.ini file created by VBS/Speery-A as mIRC/Simp-Fam. Name W32/Agobot-QO Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Modifies data on the computer * Downloads code from the internet * Reduces system security * Installs itself in the Registry Aliases * Backdoor.Win32.Agobot.yu * WORM_AGOBOT.AKW Prevalence (1-5) 2 Description W32/Agobot-QO is worm which attempts to spread to remote network shares. It also contains backdoor functionality, allowing unauthorised remote access to the infected computer via IRC channels. Advanced W32/Agobot-QO is worm which attempts to spread to remote network shares. It also contains backdoor functionality, allowing unauthorised remote access to the infected computer via IRC channels. W32/Agobot-QO copies itself to the Windows system folder with the filename IP.EXE and sets the following entries in the registry so as to run itself on system startup: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ IP IP.EXE HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ IP IP.EXE W32/Agobot-QO spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user. W32/Agobot-QO attempts to modify the HOSTS file found in the drivers\etc subfolder of the Windows system folder, preventing access to certain websites by mapping them to the loopback address as follows: 127.0.0.1 avp.com 127.0.0.1 ca.com 127.0.0.1 customer.symantec.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 download.mcafee.com 127.0.0.1 f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 mast.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 my-etrust.com 127.0.0.1 nai.com 127.0.0.1 networkassociates.com 127.0.0.1 rads.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 sophos.com 127.0.0.1 symantec.com 127.0.0.1 trendmicro.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 www.avp.com 127.0.0.1 www.ca.com 127.0.0.1 www.f-secure.com 127.0.0.1 www.kaspersky.com 127.0.0.1 www.mcafee.com 127.0.0.1 www.my-etrust.com 127.0.0.1 www.nai.com 127.0.0.1 www.networkassociates.com 127.0.0.1 www.sophos.com 127.0.0.1 www.symantec.com 127.0.0.1 www.trendmicro.com 127.0.0.1 www.viruslist.com Name W32/Myfip-G Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Steals information * Installs itself in the Registry Prevalence (1-5) 2 Description W32/Myfip-G is a worm that spreads using network shares that are either unprotected or protected only by weak passwords. W32/Myfip-G builds a list of all filenames whose extension is one of PDF, DOC, DWG, SCH, PCB, DWT, DWF and MAX and whose path does not contain any of the following strings: Winnt Windows I386 Program Files All Users Recycler System Volume Information Inetpub Documents and Settings Wutemp My Music The worm then sends the contents of each file to a preconfigured IP address. Advanced W32/Myfip-G is a worm that spreads using network shares that are either unprotected or protected only by weak passwords. The worm copies itself to the file kernel32dll.exe in the Windows system folder. Copies on network shares may be called worm.txt.exe or dfsvc.exe. The worm attempts to register itself as a service process with the ServiceName and DisplayName "Distributed Link Tracking Extensions". W32/Myfip-G creates the following registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Distributed File System kernel32dll.exe W32/Myfip-G builds a list of all filenames whose extension is one of PDF, DOC, DWG, SCH, PCB, DWT, DWF and MAX and whose path does not contain any of the following strings: Winnt Windows I386 Program Files All Users Recycler System Volume Information Inetpub Documents and Settings Wutemp My Music The worm then sends the contents of each file to a preconfigured IP address. Name W32/Myfip-H Type * Worm Affected operating systems * Windows Side effects * Steals credit card details * Installs itself in the Registry Aliases * Worm.Win32.Myfip.i * W32/Myfip.worm.q * WORM_MYFIP.G Prevalence (1-5) 2 Description W32/Myfip-H is a worm that spreads using network shares that are either unprotected or protected only by weak passwords. W32/Myfip-H builds a list of all filenames whose extension is one of PDF, DOC, DWG, SCH, PCB, DWT, DWF and MAX and whose path does not contain any of the following strings: Winnt Windows I386 Program Files All Users Recycler System Volume Information Inetpub Documents and Settings Wutemp My Music The worm then sends the contents of each file to a preconfigured IP address. Advanced W32/Myfip-H is a worm that spreads using network shares that are either unprotected or protected only by weak passwords. The worm copies itself to the file kernel32dll.exe in the Windows system folder. The worm attempts to register itself as a service process with the ServiceName and DisplayName "Distributed Link Tracking Extensions". W32/Myfip-H creates the following registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Distributed File System kernel32dll.exe W32/Myfip-H builds a list of all filenames whose extension is one of PDF, DOC, DWG, SCH, PCB, DWT, DWF and MAX and whose path does not contain any of the following strings: Winnt Windows I386 Program Files All Users Recycler System Volume Information Inetpub Documents and Settings Wutemp My Music The worm then sends the contents of each file to a preconfigured IP address. Name W32/Rbot-WV Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Modifies data on the computer * Deletes files off the computer * Steals information * Uses its own emailing engine Aliases * Backdoor.Win32.Rbot.gen * W32/Sdbot.worm.gen.g * WORM_RBOT.ASC Prevalence (1-5) 2 Description W32/Rbot-WV is a network worm with backdoor functionality for the Windows platform. W32/Rbot-WV is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command. The worm can also spread by exploiting a number of software vulnerabilities. Advanced W32/Rbot-WV is a network worm with backdoor functionality for the Windows platform. W32/Rbot-WV is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command. W32/Rbot-WV will attempt to spread by exploiting the following vulnerabilities: DCOM (MS04-012) LSASS and IIS5SSL (MS04-011) UPNP (MS01-059) Workstation Service (MS03-049) Buffer overflow in certain versions of DameWare (CAN-2003-1030) Microsoft SQL servers with weak passwords Backdoors and vulnerabilities opened up by other malware When first run, W32/Rbot-WV copies itself to the Windows system folder as P3.EXE and runs this copy of the worm. The copy will then attempt to delete the original file. In order to run each time a user logs in, W32/Rbot-WV will set the following registry entries: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MSPluginSrvc p3.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run MSPluginSrvc p3.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices MSPluginSrvc p3.exe The worm runs continuously in the background, providing backdoor access to the infected computer over IRC channels. W32/Rbot-WV may modify the following registry entries in order to enable/disable DCOM and open/close restrictions on IPC$ shares: HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous W32/Rbot-WV is capable of altering the following registry entry in order to restrict anonymous enumeration of SAM accounts: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymousSAM W32/Rbot-WV can add and delete network shares and users on the infected computer. The worm can also change the network logon rights of accounts in the local system policy. Name W32/Rbot-WW Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Modifies data on the computer * Steals information * Forges the sender's email address * Downloads code from the internet Prevalence (1-5) 2 Description W32/Rbot-WW is a network worm with backdoor Trojan functionality for the Windows platform. W32/Rbot-WW spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans. W32/Rbot-WW can be controlled by a remote attacker over IRC channels. Advanced W32/Rbot-WW is a network worm with backdoor Trojan functionality for the Windows platform. The worm copies itself to a file named npprotect.exe in the Windows system folder and creates the following registry entries: HKCU\Software\Microsoft\OLE Norton Protect "npprotect.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\Run Norton Protect "npprotect.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices Norton Protect "npprotect.exe" W32/Rbot-WW spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans. W32/Rbot-WW can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-WW can be instructed by a remote user to perform the following functions: start an FTP server start a Proxy server start a web server take part in distributed denial of service (DDoS) attacks log keypresses capture screen/webcam images packet sniffing port scanning download/execute arbitrary files start a remote shell (RLOGIN) steal product registration information from certain software Patches for the operating system vulnerabilities exploited by W32/Rbot-WW can be obtained from Microsoft at: http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx Name W32/Wurmark-F Type * Worm How it spreads * Email messages * Email attachments Affected operating systems * Windows Side effects * Sends itself to email addresses found on the infected computer * Drops more malware * Uses its own emailing engine Aliases * Email-Worm.Win32.Wurmark.g * W32/Mugly.h{at}MM * WORM_MUGLY.H Prevalence (1-5) 2 Description W32/Wurmark-F is a mass mailing worm which sends itself as a zip attachment to email addresses found on the infected computer. When run the worm displays the image uglym.jpg as it installs itself on the computer. The image displayed by the Wurmark-F worm The image displayed by the Wurmark-F worm. W32/Wurmark-F drops several files to the Windows system folder. W32/Wurmark-F will drop attached.zip, which is a zip file containing W32/Wurmark-F, and xxz.tmp, which is a copy of the worm. W32/Wurmark-F will also drop the following clean files: ANSMTP.DLL bszip.dll uglym.jpg W32/Wurmark-F will drop a file belonging to the W32/Rbot family of worms filename svchosts.exe. W32/Wurmark-F harvests email addresses from files with the extensions: WAB ADB TBB DBX ASP PHP HTM HTML SHT TXT DOC The worm will skip email addresses containing the following strings: .gov ada avg gri icro lavat mcae nod panda rsky soph sophos symac The zip file containing W32/Wurmark-F called attached.zip is attached to emails sent by the worm appearing to originate from the listed addresses containing those below and taking the following forms along with others: adead_poet{at}hotmail.com alex_edwards2000{at}msn.com romeorichard{at}google.com apiffany{at}cnet.com Subject: Hhahahah lol!!!! Body: i found this on my computer from ages ago download it and see if you can remember it lol i was lauging like mad when i saw it! :D email me back haha... Subject: Your Pic On A Website!! Body: I was looking at a website and came across this pic they look just like you! infact im sure it is lol , did you send this pic into them ? or is it someonce else :S ? Ive Added the pic in a zip so download it and check & email me back! The file within the attachment can have one of the following names: Pic_001.jpg.scr Sexy_09.jpg.scr Scan_04.jpg.scr Advanced W32/Wurmark-F is a mass mailing worm which sends itself as a zip attachment to email addresses found on the infected computer. When run the worm displays the image uglym.jpg as it installs itself on the computer. The image displayed by the Wurmark-F worm The image displayed by the Wurmark-F worm. W32/Wurmark-F drops several files to the Windows system folder. W32/Wurmark-F will drop attached.zip, which is a zip file containing W32/Wurmark-F, and xxz.tmp, which is a copy of the worm. W32/Wurmark-F will also drop the following clean files: ANSMTP.DLL bszip.dll uglym.jpg W32/Wurmark-F will drop a file belonging to the W32/Rbot family of worms filename svchosts.exe. W32/Wurmark-F harvests email addresses from files with the extensions: WAB ADB TBB DBX ASP PHP HTM HTML SHT TXT DOC The worm will skip email addresses containing the following strings: .gov ada avg gri icro lavat mcae nod panda rsky soph sophos symac The zip file containing W32/Wurmark-F called attached.zip is attached to emails sent by the worm appearing to originate from the listed addresses below and taking the following forms: adead_poet{at}hotmail.com alex_edwards2000{at}msn.com romeorichard{at}google.com apiffany{at}cnet.com sexy_lil_thing{at}no-ip.com cutie_pie{at}ogrish.com easy_lay666{at}lovenet.com hunk_hogan78{at}hallmark.com britany_slut56{at}sex.com tit_fuck_909{at}gmail.com good_fuck12{at}yahoo.com blowjob_lips666{at}romance.com tit_fuck_909{at}paltalk.com sexy_guy88{at}aol.com mucle_bound_hunk892{at}download.com Subject: Hhahahah lol!!!! Body: i found this on my computer from ages ago download it and see if you can remember it lol i was lauging like mad when i saw it! :D email me back haha... Subject: Your Pic On A Website!! Body: I was looking at a website and came across this pic they look just like you! infact im sure it is lol , did you send this pic into them ? or is it someonce else :S ? Ive Added the pic in a zip so download it and check & email me back! Subject: Rate My Pic....... Body: Hi ive sent 5 emails now and nobody will rate my pic!! :( please download and tell me what you think out of 10 , dont worry if you dont like it just say i wont be offended p.s i was drunk when it was taken :P Subject: You have an Admirer Body: Someone has asked us on there behalf to send you this email and tell you they think you are wonderfull!!! All the The mystery persons details you need are enclosed in the attachment :) please download and respond telling us if you would like to make further contact with this person. Regards Hallmark Admirer Mail Admin. The file within the attachment can have one of the following names: Pic_001.jpg.scr Sexy_09.jpg.scr Scan_04.jpg.scr Photo_01.jpg.scr admire_001.jpg.scr is_this_you.jpg.scr love_04.jpg.scr for_you.pif Name Troj/Goldun-O Type * Trojan How it spreads * Email attachments Affected operating systems * Windows Side effects * Steals credit card details * Installs itself in the Registry Aliases * PWS-Banker.k.gen Prevalence (1-5) 2 Description Troj/Goldun-O is a password-stealing Trojan. Troj/Goldun-O monitors outgoing HTTP requests for traffic going to specific internet banking sites. On encountering such a request the Trojan will attempt to extract account details from the returned page and submit these details to the Trojan's autho using an HTTP form submission. Advanced Troj/Goldun-O is a password-stealing Trojan. Troj/Goldun-O monitors outgoing HTTP requests for traffic going to specific internet banking sites. On encountering such a request the Trojan will attempt to extract account details from the returned page and submit these details to the Trojan's autho using an HTTP form submission. The Trojan creates the file "csrss.dll" (also detected by Sophos as Troj/Goldun-O) in the Windows system folder and installs this as an Internet Explorer plugin by creating the following registry entries: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Browser Helper Objects\{92617934-9abc-def0-0fed-fad48c654321} HKCR\CLSID\{92617934-9abc-def0-0fed-fad48c654321}\InprocServer32\ "" \csrss.dll The Trojan also creates a number of registry entries for its own use under HKCR\CLSID\{92617934-9abc-def0-0fed-fad48c654321} Name W32/Forbot-EP Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Records keystrokes * Installs itself in the Registry * Exploits system or software vulnerabilities Aliases * Backdoor.Win32.Wootbot.gen Prevalence (1-5) 2 Description W32/Forbot-EP is a worm which attempts to spread to remote network shares and computers vulnerable to common exploits. W32/Forbot-EP also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via the IRC network, while running in the background as a service process. W32/Forbot-EP connects to a preconfigured IRC channel and awaits commands from a remote intruder. These include commands to steal information, delete network shares, reduce system security, start a proxy server, participate in DDoS attacks, exploit vulnerabilities, steal registration keys for computer games and harvest email addresses from the Windows address book and Instant Messenger configuration files. Advanced W32/Forbot-EP is a worm which attempts to spread to remote network shares and computers vulnerable to common exploits. W32/Forbot-EP also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via the IRC network, while running in the background as a service process. W32/Forbot-EP connects to a preconfigured IRC channel and awaits commands from a remote intruder. These include commands to steal information, delete network shares, reduce system security, start a proxy server, participate in DDoS attacks, exploit vulnerabilities, steal registration keys for computer games and harvest email addresses from the Windows address book and Instant Messenger configuration files. W32/Forbot-EP copies itself to the Windows system folder and creates the following registry entries to run itself automatically on log-on: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Windows Domain Name Drivers = windns.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ Windows Domain Name Drivers = windns.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ Windows Domain Name Drivers = windns.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ Windows Domain Name Drivers = windns.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ Windows Domain Name Drivers = windns.exe On NT based versions of Windows (XP,2000,NT) windns.exe is run as a new service named "IEXPLORER-Drivers" with a display name of "Windows Domain Name Drivers". New registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\IEXPLORER-Drivers --- MultiMail/Win32 v0.43 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140) SEEN-BY: 633/267 270 @PATH: 123/140 500 106/2000 633/267
SOURCE: echomail via fidonet.ozzmosis.com

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.