[cut-n-paste from sophos.com]
Name Troj/Nebuler-K
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan.Win32.Agent.vg
* BackDoor-CVT
Prevalence (1-5) 2
Description
Troj/Nebuler-K is a Trojan for the Windows platform.
Advanced
Troj/Nebuler-K is a Trojan for the Windows platform.
Troj/Nebuler-K gathers details relating to dialup services and sends
collected information to a remote site via HTTP. The Trojan may
inject code into other processes in an attempt to remain hidden.
When Troj/Nebuler-K is installed the following files are created:
\win32.dll
Where are random letters.
The following registry entries are created to run code exported by
win32.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\win32
DllName
win32.dll
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\win32
Impersonate
0
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\win32
Startup
EvtStartup
Registry entries are created under:
HKCR\MezziaCodec.Chl\CLSID\
HKLM\SOFTWARE\Microsoft\MSSMGR\
Name W32/Brontok-BY
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Brontok-BY is a worm for the Windows platform.
Advanced
W32/Brontok-BY is a worm for the Windows platform.
When first run W32/Brontok-BY copies itself to:
\Empty.pif
\Local Settings\Application Data\windows\csrss.exe
\Local Settings\Application Data\windows\lsass.exe
\Local Settings\Application Data\windows\services.exe
\Local Settings\Application Data\windows\smss.exe
\Local Settings\Application Data\windows\winlogon.exe
\kERe.exe
\kERe.exe
\IExplorer.exe
\MrBugs.scr
\shell.exe
and creates the file \Pesan.txt. This file can be safely removed.
The following registry entries are created to run W32/Brontok-BY on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
kERe
\kERe.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Servicesara
\Local Settings\Application Data\WINDOWS\SERVICES.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logonsara
\Local Settings\Application Data\WINDOWS\CSRSS.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Monitoring
\Local Settings\Application Data\WINDOWS\LSASS.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
The following registry entries are changed to run W32/Brontok-BY on
startup:
HKCU\Control Panel\Desktop
SCRNSAVE.EXE
\MRBugs.scr
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "\IExplorer.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file \Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\IExplorer.exe
(the default value for this registry entry is
"\System32\userinit.exe,").
The following registry entries are set or modified, so that shell.exe
is run when files with extensions of BAT, COM, EXE and PIF are
opened/launched:
HKCR\lnkfile\shell\open\command
(default)
\shell.exe" "%1" %*
HKCR\batfile\shell\open\command
(default)
\shell.exe" "%1" %*
HKCR\comfile\shell\open\command
(default)
\shell.exe" "%1" %*
HKCR\exefile\shell\open\command
(default)
\shell.exe" "%1" %*
HKCR\piffile\shell\open\command
(default)
\shell.exe" "%1" %*
The following registry entries are set, disabling the registry editor
(regedit), the Windows task manager (taskmgr), the command prompt and
system restore:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoViewContextMenu
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Disabled
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
\Shell.exe
HKCR\exefile
(default)
File Folder
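A defender-side check for the W32/Brontok-BY registry changes listed above, written as an added example (not Sophos code): it audits a registry snapshot for the Winlogon Shell/Userinit edits, the BAT/COM/EXE/PIF/LNK handler hijack, the lockdown policies and the Run entries that point into the fake "windows" folder under Local Settings. The snapshot layout, the PROFILE path and the SAMPLE data are assumptions constructed for this example.

```python
"""Offline audit for the W32/Brontok-BY registry changes.

A snapshot is a dict {key_path: {value_name: data}}.  SAMPLE is constructed
for this example; on a live host the same shape can be filled from winreg."""

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HANDLER_CLASSES = ("lnkfile", "batfile", "comfile", "exefile", "piffile")

# (key, value name, data the worm writes) for the lockdown entries in the record.
LOCKDOWN = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCMD", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "DisableTaskMgr", 1),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "DisableRegistryTools", 1),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableConfig", 1),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR", 1),
    (r"HKCR\exefile", "(default)", "File Folder"),   # makes .exe files look like folders
]

# Constructed sample: an infected profile under an assumed path (not from the page).
PROFILE = r"C:\Documents and Settings\User"
SAMPLE = {
    WINLOGON: {
        "Shell": 'Explorer.exe "' + PROFILE + r'\IExplorer.exe"',
        "Userinit": r"C:\WINDOWS\system32\userinit.exe," + PROFILE + r"\IExplorer.exe",
    },
    r"HKCR\exefile\shell\open\command": {"(default)": '"' + PROFILE + r'\shell.exe" "%1" %*'},
    r"HKCR\exefile": {"(default)": "File Folder"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": {
        "DisableCMD": 1, "DisableTaskMgr": 1, "DisableRegistryTools": 1},
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore": {"DisableSR": 1},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Servicesara": PROFILE + r"\Local Settings\Application Data\WINDOWS\SERVICES.EXE"},
}


def lookup(snapshot, key, name):
    """Case-insensitive fetch of one registry value; None when absent."""
    for k, values in snapshot.items():
        if k.lower() == key.lower():
            for n, data in values.items():
                if n.lower() == name.lower():
                    return data
    return None


def audit(snapshot):
    """Return (category, detail) findings for the Brontok-BY changes."""
    findings = []
    shell = lookup(snapshot, WINLOGON, "Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon_shell", shell))
    userinit = lookup(snapshot, WINLOGON, "Userinit")
    if userinit is not None:
        # Default is a single entry ending in \System32\userinit.exe (plus a trailing comma).
        parts = [p.strip() for p in userinit.split(",") if p.strip()]
        if len(parts) != 1 or not parts[0].lower().endswith(r"\system32\userinit.exe"):
            findings.append(("winlogon_userinit", userinit))
    for cls in HANDLER_CLASSES:
        cmd = lookup(snapshot, "HKCR\\" + cls + r"\shell\open\command", "(default)")
        # A clean handler starts with the file itself ("%1"); the worm prepends shell.exe.
        if cmd is not None and not cmd.lstrip().lstrip('"').startswith("%1"):
            findings.append(("file_handler", cls + ": " + cmd))
    for key, name, bad in LOCKDOWN:
        if lookup(snapshot, key, name) == bad:
            findings.append(("lockdown", key + "\\" + name))
    for hive in (r"HKCU\Software", r"HKLM\SOFTWARE"):
        run_key = hive + r"\Microsoft\Windows\CurrentVersion\Run"
        for k, values in snapshot.items():
            if k.lower() != run_key.lower():
                continue
            for name, data in values.items():
                # The worm's copies live in a fake 'windows' folder under Local Settings.
                if "\\local settings\\application data\\windows\\" in str(data).lower():
                    findings.append(("run_entry", name + " -> " + str(data)))
    return findings


if __name__ == "__main__":
    for category, detail in audit(SAMPLE):
        print(f"[{category}] {detail}")
```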
Name Troj/Psyme-DH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Exploits system or software vulnerabilities
Aliases
* Trojan-Downloader.JS.gen
* VBS/Psyme
* HTML/Exploit.IESlice
* EXPL_SSLICE.GEN
Prevalence (1-5) 2
Description
Troj/Psyme-DH is a downloader Trojan for the Windows platform.
Troj/Psyme-DH attempts to download a file to C:\autoexec.exe and
execute the downloaded file.
Name W32/Looked-AI
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Worm.Win32.Viking.an
* Win32/Viking.AZ
* PE_LOOKED.GP
Prevalence (1-5) 2
Description
W32/Looked-AI is a virus for the Windows platform.
W32/Looked-AI includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Looked-AI also may spread through available network shares.
Advanced
W32/Looked-AI is a virus for the Windows platform.
W32/Looked-AI includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Looked-AI also may spread through available network shares.
Upon execution W32/Looked-AI creates the following files:
\Dll.dll
\Logo1_.exe
\rundl132.exe
where Logo1_.exe and rundl132.exe are copies of the virus host, and
Dll.dll is a downloading component of the virus.
These files are also detected as W32/Looked-AI.
The following registry entry is created to run rundl132.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
The virus infects PE EXE files found on the infected computer.
Many files with the name "_desktop.ini" are created, in various
folders on the infected computer. These files are harmless text files.
Name W32/Looked-AJ
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Looked-AJ is a virus for the Windows platform.
Advanced
W32/Looked-AJ is a virus for the Windows platform.
When first run the virus copies itself to \rundl132.exe and
creates a file \Dll.dll, detected as W32/Looked-AH. This
file attempts to download further executable code.
The virus sets the following registry entry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
\rundl132.exe
The virus infects EXE files found on the infected computer.
Many files with the name "_desktop.ini" are created, in various
folders on the infected computer. These files are harmless text files.
Name Troj/Xorpix-X
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Proxy.Win32.Xorpix.ar
* TROJ_XORPIX.AU
Prevalence (1-5) 2
Description
Troj/Xorpix-X is a proxy Trojan for the Windows platform.
Advanced
Troj/Xorpix-X is a proxy Trojan for the Windows platform.
Troj/Xorpix-X includes functionality to connect to the internet and
communicate with a remote server using HTTP.
Troj/Xorpix-X allows a remote attacker to route internet traffic
through the infected computer.
When first run Troj/Xorpix-X creates the file \All Users\Documents\Settings\winsys2freg.dll. This file is
also detected as Troj/Xorpix-X.
The Trojan also creates the following file \All Users\Documents\Settings\Desktop.ini.
This file may be safely deleted.
Registry entries are created under the following in order to run code
exported by winsys2freg.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\winsys2freg\
Troj/Xorpix-X stops and removes the "SharedAccess" and "wscsvc"
services, affecting system security.
Name Troj/Redplut-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Redplut-B is a Trojan for the Windows platform.
Advanced
Troj/Redplut-B is a Trojan for the Windows platform.
Troj/Redplut-B copies itself to the following locations:
\servlogon.exe
\smhost.exe
Troj/Redplut-B sets the following registry entries:
HKCU\SOFTWARE\Microsoft\Command Processor
AutoRun
echo off|\servlogon.exe|cls
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RPCall_
\smhost.exe /register
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemFileProtection
ShowPopups
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RPCall_
\smhost.exe /register
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run
System handler
\servlogon.exe /register
Troj/Redplut-B may also modify the following registry entries as shown:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Windows
load
\smhost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe \smhost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System
\smhost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\servlogon.exe,
Name Troj/VB-CRJ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan.Win32.VB.amm
* Win32/VB.AMM
* Generic VB.b
* TROJ_VB.BLD
Prevalence (1-5) 2
Description
Troj/VB-CRJ is a Trojan for the Windows platform.
Advanced
Troj/VB-CRJ is a Trojan for the Windows platform.
When first run Troj/VB-CRJ copies itself to:
\My Documents\dlhost.exe
\lodctr32.exe
\note.exe
and creates the file \My Documents\about.html.
The following registry entry is changed to run lodctr32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe lodctr32.exe
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file \Explorer.exe to be run on startup).
The following registry entry is set or modified, so that note.exe is
run when files with extensions of TXT are opened/launched:
HKCR\txtfile\shell\open\command
(default)
\NOTE.EXE %1
The following registry entries are set, disabling the registry editor
(regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\
Group Policy Objects\LocalUser\Software\Microsoft\Windows\
CurrentVersion\Policies\System
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
Group Policy Objects\LocalUser\Software\Microsoft\Windows\
CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoFind
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoRun
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ClassicViewState
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
DisableCAD
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ClassicViewState
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOrganization
.BoRaX.BoRaX.BoRaX.BoRaX.BoRaX.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOwner
.BoRaX.BoRaX.BoRaX.BoRaX.BoRaX.
HKCR\Directory\DefaultIcon
(default)
\lodctr32.exe
HKCR\Folder\DefaultIcon
(default)
\lodctr32.exe
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
Name W32/Looked-AK
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.Viking.bb
* W32/HLLP.Philis.bd
* W32/HLLP.Philis.dll
* Win32/Viking.BM
Prevalence (1-5) 2
Description
W32/Looked-AK is a worm and prepending virus for the Windows platform.
W32/Looked-AK spreads via file sharing on P2P networks.
Advanced
W32/Looked-AK is a worm and prepending virus for the Windows platform.
W32/Looked-AK spreads via file sharing on P2P networks.
W32/Looked-AK runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-AK includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Looked-AK copies itself to \windows\rundl132.exe.
The worm changes the following registry entry in order to be run
automatically on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
load
\rundl132.exe
Name Troj/Mdrop-BLO
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Mdrop-BLO is a Trojan for the Windows platform.
Troj/Mdrop-BLO will appear to be a legitimate WinRAR installation
program, which it does install, but it will also silently install the
potentially unwanted application "Ardamax Keylogger".
Advanced
Troj/Mdrop-BLO is a Trojan for the Windows platform.
Troj/Mdrop-BLO will appear to be a legitimate WinRAR installation
program, which it does install, but it will also silently install the
potentially unwanted application "Ardamax Keylogger".
When Troj/Mdrop-BLO is installed the following files are created:
\wrar361.exe - detected as Troj/Mdrop-BLO
\Sys\Explorer.001
\Sys\Explorer.002
\Sys\Explorer.006
\Sys\Explorer.007
\Sys\Explorer.exe
The files created within the \Sys folder are detected as the
potentially unwanted application "Ardamax Keylogger".
Name Troj/Spammit-H
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
* Enables remote access
Aliases
* SpamTool.Win32.Delf.m
Prevalence (1-5) 2
Description
Troj/Spammit-H is a Trojan for the Windows platform.
Advanced
Troj/Spammit-H is a Trojan for the Windows platform.
Troj/Spammit-H includes functionality to:
- access the internet and communicate with a remote server via HTTP
- send notification messages to remote locations
When first run Troj/Spammit-H copies itself to:
\Media\Call32.exe
\Outlook Express.exe
and creates the following files:
\win.ini
\netaps2.txt
\ftpd.dll
The following registry entries are created to run Call32.exe and
Outlook Express.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Outlook
\Outlook Express.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Call32
\MEDIA\Call32.exe
Name Troj/Clagger-AG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Downloader-AAP
Prevalence (1-5) 2
Description
Troj/Clagger-AG is a Trojan for the Windows platform.
Troj/Clagger-AG attempts to download further executable code.
The Trojan may arrive as an attachment to spam email messages.
When first run the Trojan displays the following fake error message:
Acrobat 6 - Error "Warning" 20225
Advanced
Troj/Clagger-AG is a Trojan for the Windows platform.
Troj/Clagger-AG attempts to download further executable code.
The Trojan may arrive as an attachment to spam email messages.
When first run the Trojan displays the following fake error message:
Acrobat 6 - Error "Warning" 20225
The Trojan copies itself to \ipf.exe and creates the
following registry entry in order to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ifp
\ipf.exe
The Trojan drops a file \drivers\winut.dat. This is a
harmless text file.
The following registry entry is also created:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
windowsshell
1
Name Troj/Bagle-QQ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Dropped by malware
* Leaves non-infected files on computer
Aliases
* NTRootKit-W
* Win32/Bagle.GY
Prevalence (1-5) 2
Description
Troj/Bagle-QQ is a Trojan for the Windows platform.
Advanced
Troj/Bagle-QQ is a Trojan for the Windows platform.
Troj/Bagle-QQ is usually dropped by a variant of the W32/Bagle worm to
the following location:
\Application Data\hidn\m_hook.sys.
The file m_hook.sys is registered as a new system driver service
named "m_hook", with a display name of "Empty".
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\
Troj/Bagle-QQ is used to stealth a dropper from certain processes.
Name W32/Stratio-AW
Type
* Worm
How it spreads
* Email attachments
* Web downloads
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Stratio-AW is a worm for the Windows platform.
When run the worm will attempt to copy itself to \serv.exe and download
components from a remote website which it will then run.
Advanced
W32/Stratio-AW is a worm for the Windows platform.
When run the worm will attempt to copy itself to \serv.exe and download
components from a remote website which it will then run.
W32/Stratio-AW creates the following files:
\serrv.wax (can be removed safely)
\e1.dll
\.exe (detected as W32/Stratio-AW)
The following registry entry is created to run the worm on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
serrv
\serrv.exe s
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
e1.dll
The emails may have the following subject line:
Mail server report.
Server Report
test
Error
hello
picture
Mail Transaction Failed
Status
Mail Delivery System
Good day
The message body may have the following text:
Mail server report.
Our firewall determined the e-mails containing worm copies are being
sent from your computer.
Nowadays it happens from many computers, because this is a new virus
type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer
unnoticeably.
After the penetrating into the computer the virus harvests all the
e-mail addresses and sends the copies of itself to these e-mail
addresses
Please install updates for worm elimination and your computer
restoring.
Best regards,
Customers support service
The message contains Unicode characters and has been sent
as a binary attachment.
Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has
been sent as a binary attachment.
The attachments may have the following filenames with the extensions
of .zip, .cmd, .exe, .pif, .bat, .elm, .pdf:
Update-KB-x86
body
data
docs
file
docs
body
message
test
document
test
test
file
readme
Name Troj/Haxdoor-DI
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Haxspy.ax
* Win32/Spy.Goldun.HP
Prevalence (1-5) 2
Description
Troj/Haxdoor-DI is a backdoor Trojan for the Windows platform.
Troj/Haxdoor-DI includes functionality to:
- stealth its files, processes and registry entries
- inject its code into other processes
Advanced
Troj/Haxdoor-DI is a backdoor Trojan for the Windows platform.
Troj/Haxdoor-DI includes functionality to:
- stealth its files, processes and registry entries
- inject its code into other processes
When Troj/Haxdoor-DI is installed the following files are created:
\arprmdg0.dll
\arprmdg5.sys
\ksl48.bin
The following registry entries are created to run code exported by
arprmdg0.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\arprmdg0
DllName
arprmdg0.dll
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\arprmdg0
Startup
arprmdg0
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\arprmdg0
Impersonate
1
Name W32/Tilebot-HN
Type
* Spyware Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Scans network for weak passwords
* Scans network for open ports
Aliases
* Backdoor.Win32.SdBot.aad
* PAK_Generic.001
Prevalence (1-5) 2
Description
W32/Tilebot-HN is a worm for the Windows platform.
W32/Tilebot-HN spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007). The worm
may also spread via network shares protected by weak passwords.
W32/Tilebot-HN runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-HN includes functionality to:
- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messenger by sending messages automatically
- set or remove network shares
- scan ports
- sniff packets
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks
Advanced
W32/Tilebot-HN is a worm for the Windows platform.
W32/Tilebot-HN spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007). The worm
may also spread via network shares protected by weak passwords.
W32/Tilebot-HN runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-HN includes functionality to:
- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messenger by sending messages automatically
- set or remove network shares
- scan ports
- sniff packets
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks
When first run W32/Tilebot-HN copies itself to \lsiss.exe.
The file lsiss.exe is registered as a new system driver service named
"System Restore Services", with a display name of "System Restore
Services" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\System Restore Services\
W32/Tilebot-HN sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
Additional registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Stratio-AY
Type
* Worm
How it spreads
* Email attachments
* Web downloads
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Stratio-AY is a mass-mailing worm for the Windows platform.
When run the worm will attempt to download components from a remote
website which it will then run.
Advanced
W32/Stratio-AY is a mass-mailing worm for the Windows platform.
When run the worm will attempt to download components from a remote
website which it will then run.
W32/Stratio-AY creates the following files:
\sserrvv.wax (can be removed safely)
\e1.dll
\sserrvv.exe
The following registry entry is created to run the worm on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sserrvv
\sserrvv.exe s
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
e1.dll
The emails may have the following subject line:
Mail server report.
Server Report
test
Error
hello
picture
Mail Transaction Failed
Status
Mail Delivery System
Good day
The message body may have the following text:
Mail server report.
Our firewall determined the e-mails containing worm copies are being
sent from your computer.
Nowadays it happens from many computers, because this is a new virus
type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer
unnoticeably.
After the penetrating into the computer the virus harvests all the
e-mail addresses and sends the copies of itself to these e-mail
addresses
Please install updates for worm elimination and your computer
restoring.
Best regards,
Customers support service
The message contains Unicode characters and has been sent
as a binary attachment.
Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has
been sent as a binary attachment.
The attachments may have the following filenames with the extensions
of .zip, .cmd, .exe, .pif, .bat, .elm, .pdf:
Update-KB-x86
body
data
docs
file
docs
body
message
test
document
test
test
file
readme
Name Troj/BankDl-BK
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Banload.adw
Prevalence (1-5) 2
Description
Troj/BankDl-BK is a downloader Trojan for the Windows platform.
Troj/BankDl-BK includes functionality to access the internet and
communicate with a remote server via HTTP.
The downloaded file was detected as Mal/DelpBanc-A.
Name W32/Tilebot-HO
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Tilebot-HO is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-HO attempts to spread by copying itself to remote network
shares or by exploiting any of the following vulnerabilities: SRVSVC
(MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812),
ASN.1 (MS04-007).
Advanced
W32/Tilebot-HO is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-HO attempts to spread by copying itself to remote network
shares or by exploiting any of the following vulnerabilities: SRVSVC
(MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812),
ASN.1 (MS04-007).
When first run W32/Tilebot-HO copies itself to \cpstorage.exe
and creates the file \sysremove.bat.
The file cpstorage.exe is registered as a new system driver service
named "CryptProtectedService", with a display name of "Cryptic
Protected Storage" and a startup type of automatic, so that it is
started automatically during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\CryptProtectedService\
Name W32/Looked-AL
Type
* Virus
How it spreads
* Network shares
* Infected files
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Worm.Win32.Viking.ax
* W32/HLLP.Philis.dll
* Win32/Viking.BC
Prevalence (1-5) 2
Description
W32/Looked-AL is a worm and prepending virus for the Windows platform.
W32/Looked-AL spreads via file sharing on P2P networks.
W32/Looked-AL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-AL includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Looked-AL is a worm and prepending virus for the Windows platform.
W32/Looked-AL spreads via file sharing on P2P networks.
W32/Looked-AL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-AL includes functionality to access the internet and
communicate with a remote server via HTTP.
When W32/Looked-AL is installed the following files are created:
\Logo1_.exe
\rundl132.exe
Both of these are detected as W32/Looked-AL.
The worm changes the following registry entry in order to be run
automatically on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
load
C:\WINDOWS\rundl132.exe
Name W32/Rbot-FSK
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Enables remote access
Aliases
* Backdoor.Win32.EggDrop.v
Prevalence (1-5) 2
Description
W32/Rbot-E is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-E spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012) and
ASN.1 (MS04-007).
W32/Rbot-E runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
Advanced
W32/Rbot-E is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-E spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012) and
ASN.1 (MS04-007).
W32/Rbot-E runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Rbot-E copies itself to \SystemDebug.exe.
The following registry entries are created to run SystemDebug.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Debugger
SystemDebug.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
System Debugger
SystemDebug.exe
The following registry entry is set:
HKCU\Software\Microsoft\OLE
System Debugger
SystemDebug.exe
Name W32/Stration-BC
Type
* Worm
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Email-Worm.Win32.Warezov.do
* TROJ_STRAT.DR
Prevalence (1-5) 2
Description
W32/Stration-BC is a worm for the Windows platform.
W32/Stration-BC includes functionality to download, install and run
new software.
Name W32/Bagle-QR
Type
* Worm
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* IM-Worm.Win32.Qucan.b
Prevalence (1-5) 2
Description
W32/Bagle-QR is a worm for the Windows platform.
W32/Bagle-QR includes functionality to download, install and run new
software.
Advanced
W32/Bagle-QR is a worm for the Windows platform.
W32/Bagle-QR includes functionality to download, install and run new
software.
W32/Bagle-QR changes the Start Page for Microsoft Internet Explorer
by setting the registry entry:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
The following registry entries are set, disabling the registry editor
(regedit) and the Windows task manager (taskmgr):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
The following registry entry is set:
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
Homepage
1
Registry entries are created under:
HKCU\Software\Yahoo\Pager\View\YMSGR_Launchcast\
HKCU\Software\Yahoo\Pager\View\YMSGR_buzz\
Name Troj/Sufia-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Sufia-A is a Trojan for the Windows platform.
Troj/Sufia-A includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Sufia-A is a Trojan for the Windows platform.
Troj/Sufia-A includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Sufia-A copies itself to:
\csrss.exe
\smss.exe
\explorer.exe
The following registry entries are created to run Troj/Sufia-A on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001
ClientServerRuntimeProcess
\csrss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0002
ClientServerRuntimeProcess
\smss.exe
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)