TIP: Click on subject to list as thread!

ANSI

echo:	dirty_dozen
to:	ALL
from:	KURT WISMER
date:	2006-05-21 11:24:00
subject:	News, May 21 2006
[cut-n-paste from sophos.com] Name Troj/Clicker-CM Type * Trojan Affected operating systems * Windows Side effects * Downloads code from the internet * Installs itself in the Registry Aliases * Trojan-Clicker.Win32.BHO.d Prevalence (1-5) 2 Description Troj/Clicker-CM is a Trojan for the Windows platform. Advanced Troj/Clicker-CM is a Trojan for the Windows platform. When Troj/Clicker-CM is installed the following files are created: \temp.wsf \14125929733.tmp \IeHelperEx.dll The files IeHelperEx.dll and 14125929733.tmp are also detected as Troj/Clicker-CM. The file IeHelperEx.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under: HKCR\CLSID\(673BA504-3DDA-4851-8B3C-37AE54E2D688) HKCR\CLSID\(BA12780E-B91E-41A7-A51A-528CBD64284E) HKCR\Interface\(57F88FBD-FFD2-4AF2-B138-CD644A8E62B5) HKCR\Interface\(9EF3F6BA-1BF9-4B4E-9475-437A02DBFA8B) HKCR\SpecSoft2.BrowserHook\ HKCR\SpecSoft2.BrowserHook.1\ HKCR\SpecSoft2.IExplorerHelper\ HKCR\SpecSoft2.IExplorerHelper.1\ HKCR\TypeLib\(B82C3D8C-F764-4B4E-8272-DC1185CE12FC) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(BA12780E-B91E-41A7-A51A-528CBD64284E) Name W32/Kassbot-P Type * Worm How it spreads * Network shares * Chat programs Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Downloads code from the internet * Installs itself in the Registry * Exploits system or software vulnerabilities * Used in DOS attacks Prevalence (1-5) 2 Description W32/Kassbot-P is a worm and IRC backdoor Trojan for the Windows platform. Advanced W32/Kassbot-P is a worm and IRC backdoor Trojan for the Windows platform. W32/Kassbot-P runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. W32/Kassbot-P spreads to other network computers by: - exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) - copying itself to network shares protected by weak passwords - via AOL Instant Messenger W32/Kassbot-P includes functionality to: - perform DDoS attacks - terminates security and anti-virus related processes - downloads code from the internet - perform port scanning When first run W32/Kassbot-P copies itself to \win32dll.exe. The file win32dll.exe is registered as a new system driver service named "winconfig.exe", with a display name of "winconfig.exe" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\winconfig.exe\ W32/Kassbot-P sets the following registry entries, disabling the automatic startup of other software: HKLM\SYSTEM\CurrentControlSet\Services\Messenger Start 4 HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry Start 4 HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr Start 4 Registry entries are set as follows: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotAllowXPSP2 1 HKLM\SOFTWARE\Microsoft\Ole EnableDCOM N HKLM\SYSTEM\CurrentControlSet\Control\Lsa restrictanonymous 1 Registry entries are created under: HKLM\SOFTWARE\Microsoft\Security Center\ HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\ Name Troj/Agent-BMT Type * Trojan Affected operating systems * Windows Side effects * Drops more malware * Downloads code from the internet * Installs itself in the Registry Prevalence (1-5) 2 Description Troj/Agent-BMT is a Trojan for the Windows platform. Advanced Troj/Agent-BMT is a Trojan for the Windows platform. When Troj/Agent-BMT is installed the following files are created: \qkjyt7dx.dll \vook.sys - detected by Sophos as Troj/NTRootK-AC. The file vook.sys is registered as a new system driver service named "squell", with a display name of "squell". Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\squell\ Name Troj/Dwnldr-BVS Type * Trojan Affected operating systems * Windows Side effects * Downloads code from the internet Aliases * Trojan-Dropper.Win32.Small.rn * Win32/TrojanDropper.Small.RN Prevalence (1-5) 2 Description Troj/Dwnldr-BVS is a downloader Trojan for the Windows platform. Advanced Troj/Dwnldr-BVS is a downloader Trojan for the Windows platform. When Troj/Dwnldr-BVS is installed it creates the file \hpdll\hpdll.exe. Name Troj/Mlsuc-C Type * Trojan Affected operating systems * Windows Side effects * Allows others to access the computer * Downloads code from the internet * Installs itself in the Registry Prevalence (1-5) 2 Description Troj/Mlsuc-C is a backdoor Trojan for the Windows platform. Troj/Mlsuc-C includes functionality to send notification messages to remote locations. Troj/Mlsuc-C provides unauthorized remote access to the infected computer with the following services: delete files from infected computer reboot computer run files on infected computer terminate running processes on infected computer transfer files to and from infected computer Advanced Troj/Mlsuc-C is a backdoor Trojan for the Windows platform. Troj/Mlsuc-C includes functionality to send notification messages to remote locations. Troj/Mlsuc-C provides unauthorized remote access to the infected computer with the following services: delete files from infected computer reboot computer run files on infected computer terminate running processes on infected computer transfer files to and from infected computer When Troj/Mlsuc-C is installed the following files may be created: \delself.bat \res.dat \res.tmp \phde32.sys where phde32.sys is installed as an NT kernel driver that has the capability to hide processes and to steal system information. Name Troj/Banloa-ACM Type * Trojan Affected operating systems * Windows Side effects * Allows others to access the computer * Downloads code from the internet * Installs itself in the Registry Aliases * Trojan-Downloader.Win32.Banload.ahv Prevalence (1-5) 2 Description Troj/Banloa-ACM is a backdoor Trojan which allows a remote intruder to gain access and control over the computer. Advanced Troj/Banloa-ACM is a backdoor Trojan which allows a remote intruder to gain access and control over the computer. Troj/Banloa-ACM includes functionality to access the internet and communicate with a remote server via HTTP. When run Troj/Banloa-ACM attempts to store the downloaded file to \Isass.scr and run it. Name Troj/WowPWS-H Type * Spyware Trojan Affected operating systems * Windows Side effects * Steals information Prevalence (1-5) 2 Description Troj/WowPWS-H is a password stealing Trojan for the Windows platform. Troj/WowPWS-H targets the online game World of Warcraft. Advanced Troj/WowPWS-H is a password stealing Trojan for the Windows platform. Troj/WowPWS-H targets the online game World of Warcraft. When first run Troj/WowPWS-H copies itself to \lsass.exe. Name W32/Bagle-JJ Type * Spyware Worm How it spreads * Email attachments Affected operating systems * Windows Side effects * Sends itself to email addresses found on the infected computer * Steals information * Uses its own emailing engine Prevalence (1-5) 2 Description W32/Bagle-JJ is an email worm for the Windows platform. The worm harvests email addresses from files on the infected computer. The worm connects to a remote server in order to download additional configuration data. Advanced W32/Bagle-JJ is an email worm for the Windows platform. The worm harvests email addresses from files on the infected computer with the following file extensions: ADB ASP CFG CGI DBX DHTM EML HTM JSP MBX MDX MHT MMF MSG NCH ODS OFT PHP PL SHT SHTM STM TBB TXT UIN WAB WSH XLS XML W32/Bagle-JJ avoids sending emails to addresses containing any of the following: {at}. .{at} .. {at}avp. {at}foo {at}iana {at}messagelab abuse admin anyone{at} bsd bugs{at} cafee certific contract{at} f-secur feste free-av gold-certs{at} google help{at} icrosoft info{at} kasp linux listserv local news nobody{at} noone{at} noreply ntivi panda pgp postmaster{at} rating{at} root{at} samples sopho spam support unix update winrar winzip Email sent by W32/Bagle-JJ may contain attachments having the following filenames with the ZIP file extension: guupd02 Jol03 siupd02 upd02 viupd02 wsd01 zupd02 The worm connects to a remote server in order to download additional configuration data. Name W32/Brontok-AQ Type * Worm How it spreads * Email attachments Affected operating systems * Windows Side effects * Turns off anti-virus applications * Sends itself to email addresses found on the infected computer * Modifies data on the computer * Deletes files off the computer * Forges the sender's email address * Uses its own emailing engine * Installs itself in the Registry * Leaves non-infected files on computer Aliases * Win32/Pazetus.D * Email-Worm.Win32.Brontok.n * WORM_RONTKBR.GEN Prevalence (1-5) 2 Description W32/Brontok-AQ is a mass-mailing worm for the Windows platform. W32/Brontok-AQ sends itself to email addresses found on the infected computer. Emails sent by the worm have the following characteristics: From: dewi_21{at}cbn.net.id ratna_19{at}rad.net.id claudia_21{at}aol.com angelina_19{at}attglobal.net If the recipient's address is Indonesian: Subject: Fotoku yg Paling Cantik Message text: Hi, Aku lg iseng aja pengen kirim foto ke kamu Jangan lupain aku ya !. Thanks For all other addresses: Subject: My Best Photo Message text: Hi, I want to share my photo with you. Wishing you all the best. Regards, Attachment name: Photo.zip The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat runs Photo.bmp. Photo.bmp is an executable (currently detected as Troj/DwnLdr-BWB) which attempts to download and execute a copy of the worm from a preconfigured website. At the time of writing, this website is unavailable. Advanced W32/Brontok-AQ is a mass-mailing worm for the Windows platform. W32/Brontok-AQ sends itself to email addresses found on the infected computer. Emails sent by the worm have the following characteristics: From: dewi_21{at}cbn.net.id ratna_19{at}rad.net.id claudia_21{at}aol.com angelina_19{at}attglobal.net If the recipient's address is Indonesian: Subject: Fotoku yg Paling Cantik Message text: Hi, Aku lg iseng aja pengen kirim foto ke kamu Jangan lupain aku ya !. Thanks For all other addresses: Subject: My Best Photo Message text: Hi, I want to share my photo with you. Wishing you all the best. Regards, Attachment name: Photo.zip The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat runs Photo.bmp. Photo.bmp is an executable (currently detected as Troj/DwnLdr-BWB) which attempts to download and execute a copy of the worm from a preconfigured website. At the time of writing, this website is unavailable. W32/Brontok-AQ closes windows whose titles contain any of the following: wintask folder option trojan windows script commander pc-media killer ertanto CLEANER REMOVER PROCESS EXP SYSINTERNAL killbox scheduled task computer management cmd.exe group policy system configuration command prompt registry baca bro !!! task manager When first run W32/Brontok-AQ copies itself to: \Local Settings\Application Data\dv\yesbron.com \Local Settings\Application Data\jalak.com \_default.pif \j.exe \o.exe \sa\ib.exe \c.com \n\b.exe \n\csrss.exe \n\lsass.exe \n\services.exe \n\smss.exe \n\sv.exe \n\winlogon.exe where is a sequence of randomly generated numbers. and creates the following files: Baca Bro !!!.txt \Tasks\At1.job \Tasks\At2.job \n5817\c.bron.tok.txt These files can be deleted. The .job files each contain a scheduled task, instructing Windows to execute the installed copies of the worm once per day. W32/Brontok-AQ may install a new version of the file \msvbvm60.dll. The following registry entries are created to run yesbron.com, _default.pif, j.exe and sv.exe on startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run \Local Settings\Application Data\dv\yesbron.com HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run \_default.pif HKCU\Software\Microsoft\Windows\CurrentVersion\Run \n\sv.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \j.exe The following registry entries are changed to run j.exe and o.exe on startup: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Explorer.exe "\o.exe" (the default value for this registry entry is "Explorer.exe" which causes the Microsoft file \Explorer.exe to be run on startup). HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit \userinit.exe,\j.exe (the default value for this registry entry is "\System32\userinit.exe,"). The following registry entry is set, disabling the registry editor (regedit): HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools 1 Registry entries are set as follows: HKCU\Software\Brontok Message Look {at} "C:\Baca Bro !!!.txt" HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden 0 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden 0 Registry entries are created under: HKCU\Software\Brontok\ W32/Brontok-AQ also overwrites the HOSTS file with the following mappings: 127.0.0.21 mcafee.com 127.0.0.21 www.mcafee.com 127.0.0.21 mcafee.net 127.0.0.21 www.mcafee.net 127.0.0.21 mcafee.org 127.0.0.21 www.mcafee.org 127.0.0.21 mcafeesecurity.com 127.0.0.21 www.mcafeesecurity.com 127.0.0.21 mcafeesecurity.net 127.0.0.21 www.mcafeesecurity.net 127.0.0.21 mcafeesecurity.org 127.0.0.21 www.mcafeesecurity.org 127.0.0.21 mcafeeb2b.com 127.0.0.21 www.mcafeeb2b.com 127.0.0.21 mcafeeb2b.net 127.0.0.21 www.mcafeeb2b.net 127.0.0.21 mcafeeb2b.org 127.0.0.21 www.mcafeeb2b.org 127.0.0.21 nai.com 127.0.0.21 www.nai.com 127.0.0.21 nai.net 127.0.0.21 www.nai.net 127.0.0.21 nai.org 127.0.0.21 www.nai.org 127.0.0.21 vil.nai.com 127.0.0.21 www.vil.nai.com 127.0.0.21 vil.nai.net 127.0.0.21 www.vil.nai.net 127.0.0.21 vil.nai.org 127.0.0.21 www.vil.nai.org 127.0.0.21 grisoft.com 127.0.0.21 www.grisoft.com 127.0.0.21 grisoft.net 127.0.0.21 www.grisoft.net 127.0.0.21 grisoft.org 127.0.0.21 www.grisoft.org 127.0.0.21 kaspersky-labs.com 127.0.0.21 www.kaspersky-labs.com 127.0.0.21 kaspersky-labs.net 127.0.0.21 www.kaspersky-labs.net 127.0.0.21 kaspersky-labs.org 127.0.0.21 www.kaspersky-labs.org 127.0.0.21 kaspersky.com 127.0.0.21 www.kaspersky.com 127.0.0.21 kaspersky.net 127.0.0.21 www.kaspersky.net 127.0.0.21 kaspersky.org 127.0.0.21 www.kaspersky.org 127.0.0.21 downloads1.kaspersky-labs.com 127.0.0.21 www.downloads1.kaspersky-labs.com 127.0.0.21 downloads1.kaspersky-labs.net 127.0.0.21 www.downloads1.kaspersky-labs.net 127.0.0.21 downloads1.kaspersky-labs.org 127.0.0.21 www.downloads1.kaspersky-labs.org 127.0.0.21 downloads2.kaspersky-labs.com 127.0.0.21 www.downloads2.kaspersky-labs.com 127.0.0.21 downloads2.kaspersky-labs.net 127.0.0.21 www.downloads2.kaspersky-labs.net 127.0.0.21 downloads2.kaspersky-labs.org 127.0.0.21 www.downloads2.kaspersky-labs.org 127.0.0.21 downloads3.kaspersky-labs.com 127.0.0.21 www.downloads3.kaspersky-labs.com 127.0.0.21 downloads3.kaspersky-labs.net 127.0.0.21 www.downloads3.kaspersky-labs.net 127.0.0.21 downloads3.kaspersky-labs.org 127.0.0.21 www.downloads3.kaspersky-labs.org 127.0.0.21 downloads4.kaspersky-labs.com 127.0.0.21 www.downloads4.kaspersky-labs.com 127.0.0.21 downloads4.kaspersky-labs.net 127.0.0.21 www.downloads4.kaspersky-labs.net 127.0.0.21 downloads4.kaspersky-labs.org 127.0.0.21 www.downloads4.kaspersky-labs.org 127.0.0.21 download.mcafee.com 127.0.0.21 www.download.mcafee.com 127.0.0.21 download.mcafee.net 127.0.0.21 www.download.mcafee.net 127.0.0.21 download.mcafee.org 127.0.0.21 www.download.mcafee.org 127.0.0.21 norton.com 127.0.0.21 www.norton.com 127.0.0.21 norton.net 127.0.0.21 www.norton.net 127.0.0.21 norton.org 127.0.0.21 www.norton.org 127.0.0.21 symantec.com 127.0.0.21 www.symantec.com 127.0.0.21 symantec.net 127.0.0.21 www.symantec.net 127.0.0.21 symantec.org 127.0.0.21 www.symantec.org 127.0.0.21 liveupdate.symantecliveupdate.com 127.0.0.21 www.liveupdate.symantecliveupdate.com 127.0.0.21 liveupdate.symantecliveupdate.net 127.0.0.21 www.liveupdate.symantecliveupdate.net 127.0.0.21 liveupdate.symantecliveupdate.org 127.0.0.21 www.liveupdate.symantecliveupdate.org 127.0.0.21 liveupdate.symantec.com 127.0.0.21 www.liveupdate.symantec.com 127.0.0.21 liveupdate.symantec.net 127.0.0.21 www.liveupdate.symantec.net 127.0.0.21 liveupdate.symantec.org 127.0.0.21 www.liveupdate.symantec.org 127.0.0.21 update.symantec.com 127.0.0.21 www.update.symantec.com 127.0.0.21 update.symantec.net 127.0.0.21 www.update.symantec.net 127.0.0.21 update.symantec.org 127.0.0.21 www.update.symantec.org 127.0.0.21 securityresponse.symantec.com 127.0.0.21 www.securityresponse.symantec.com 127.0.0.21 securityresponse.symantec.net 127.0.0.21 www.securityresponse.symantec.net 127.0.0.21 securityresponse.symantec.org 127.0.0.21 www.securityresponse.symantec.org 127.0.0.21 sarc.com 127.0.0.21 www.sarc.com 127.0.0.21 sarc.net 127.0.0.21 www.sarc.net 127.0.0.21 sarc.org 127.0.0.21 www.sarc.org 127.0.0.21 vaksin.com 127.0.0.21 www.vaksin.com 127.0.0.21 vaksin.net 127.0.0.21 www.vaksin.net 127.0.0.21 vaksin.org 127.0.0.21 www.vaksin.org 127.0.0.21 forum.vaksin.com 127.0.0.21 www.forum.vaksin.com 127.0.0.21 forum.vaksin.net 127.0.0.21 www.forum.vaksin.net 127.0.0.21 forum.vaksin.org 127.0.0.21 www.forum.vaksin.org 127.0.0.21 norman.com 127.0.0.21 www.norman.com 127.0.0.21 norman.net 127.0.0.21 www.norman.net 127.0.0.21 norman.org 127.0.0.21 www.norman.org 127.0.0.21 trendmicro.com 127.0.0.21 www.trendmicro.com 127.0.0.21 trendmicro.net 127.0.0.21 www.trendmicro.net 127.0.0.21 trendmicro.org 127.0.0.21 www.trendmicro.org 127.0.0.21 trendmicro-europe.com 127.0.0.21 www.trendmicro-europe.com 127.0.0.21 trendmicro-europe.net 127.0.0.21 www.trendmicro-europe.net 127.0.0.21 trendmicro-europe.org 127.0.0.21 www.trendmicro-europe.org 127.0.0.21 ae.trendmicro-europe.com 127.0.0.21 www.ae.trendmicro-europe.com 127.0.0.21 ae.trendmicro-europe.net 127.0.0.21 www.ae.trendmicro-europe.net 127.0.0.21 ae.trendmicro-europe.org 127.0.0.21 www.ae.trendmicro-europe.org 127.0.0.21 it.trendmicro-europe.com 127.0.0.21 www.it.trendmicro-europe.com 127.0.0.21 it.trendmicro-europe.net 127.0.0.21 www.it.trendmicro-europe.net 127.0.0.21 it.trendmicro-europe.org 127.0.0.21 www.it.trendmicro-europe.org 127.0.0.21 secunia.com 127.0.0.21 www.secunia.com 127.0.0.21 secunia.net 127.0.0.21 www.secunia.net 127.0.0.21 secunia.org 127.0.0.21 www.secunia.org 127.0.0.21 winantivirus.com 127.0.0.21 www.winantivirus.com 127.0.0.21 winantivirus.net 127.0.0.21 www.winantivirus.net 127.0.0.21 winantivirus.org 127.0.0.21 www.winantivirus.org 127.0.0.21 pandasoftware.com 127.0.0.21 www.pandasoftware.com 127.0.0.21 pandasoftware.net 127.0.0.21 www.pandasoftware.net 127.0.0.21 pandasoftware.org 127.0.0.21 www.pandasoftware.org 127.0.0.21 esafe.com 127.0.0.21 www.esafe.com 127.0.0.21 esafe.net 127.0.0.21 www.esafe.net 127.0.0.21 esafe.org 127.0.0.21 www.esafe.org 127.0.0.21 f-secure.com 127.0.0.21 www.f-secure.com 127.0.0.21 f-secure.net 127.0.0.21 www.f-secure.net 127.0.0.21 f-secure.org 127.0.0.21 www.f-secure.org 127.0.0.21 europe.f-secure.com 127.0.0.21 www.europe.f-secure.com 127.0.0.21 europe.f-secure.net 127.0.0.21 www.europe.f-secure.net 127.0.0.21 europe.f-secure.org 127.0.0.21 www.europe.f-secure.org 127.0.0.21 bhs.com 127.0.0.21 www.bhs.com 127.0.0.21 bhs.net 127.0.0.21 www.bhs.net 127.0.0.21 bhs.org 127.0.0.21 www.bhs.org 127.0.0.21 datafellows.com 127.0.0.21 www.datafellows.com 127.0.0.21 datafellows.net 127.0.0.21 www.datafellows.net 127.0.0.21 datafellows.org 127.0.0.21 www.datafellows.org 127.0.0.21 cheyenne.com 127.0.0.21 www.cheyenne.com 127.0.0.21 cheyenne.net 127.0.0.21 www.cheyenne.net 127.0.0.21 cheyenne.org 127.0.0.21 www.cheyenne.org 127.0.0.21 ontrack.com 127.0.0.21 www.ontrack.com 127.0.0.21 ontrack.net 127.0.0.21 www.ontrack.net 127.0.0.21 ontrack.org 127.0.0.21 www.ontrack.org 127.0.0.21 sands.com 127.0.0.21 www.sands.com 127.0.0.21 sands.net 127.0.0.21 www.sands.net 127.0.0.21 sands.org 127.0.0.21 www.sands.org 127.0.0.21 sophos.com 127.0.0.21 www.sophos.com 127.0.0.21 sophos.net 127.0.0.21 www.sophos.net 127.0.0.21 sophos.org 127.0.0.21 www.sophos.org 127.0.0.21 icubed.com 127.0.0.21 www.icubed.com 127.0.0.21 icubed.net 127.0.0.21 www.icubed.net 127.0.0.21 icubed.org 127.0.0.21 www.icubed.org 127.0.0.21 perantivirus.com 127.0.0.21 www.perantivirus.com 127.0.0.21 perantivirus.net 127.0.0.21 www.perantivirus.net 127.0.0.21 perantivirus.org 127.0.0.21 www.perantivirus.org 127.0.0.21 castlecops.com 127.0.0.21 www.castlecops.com 127.0.0.21 castlecops.net 127.0.0.21 www.castlecops.net 127.0.0.21 castlecops.org 127.0.0.21 www.castlecops.org 127.0.0.21 virustotal.com 127.0.0.21 www.virustotal.com 127.0.0.21 virustotal.net 127.0.0.21 www.virustotal.net 127.0.0.21 virustotal.org 127.0.0.21 www.virustotal.org 127.0.0.21 free-av.com 127.0.0.21 www.free-av.com 127.0.0.21 free-av.net 127.0.0.21 www.free-av.net 127.0.0.21 free-av.org 127.0.0.21 www.free-av.org 127.0.0.21 antivirus.com 127.0.0.21 www.antivirus.com 127.0.0.21 antivirus.net 127.0.0.21 www.antivirus.net 127.0.0.21 antivirus.org 127.0.0.21 www.antivirus.org 127.0.0.21 anti-virus.com 127.0.0.21 www.anti-virus.com 127.0.0.21 anti-virus.net 127.0.0.21 www.anti-virus.net 127.0.0.21 anti-virus.org 127.0.0.21 www.anti-virus.org 127.0.0.21 ca.com 127.0.0.21 www.ca.com 127.0.0.21 ca.net 127.0.0.21 www.ca.net 127.0.0.21 ca.org 127.0.0.21 www.ca.org 127.0.0.21 fajarweb.com 127.0.0.21 www.fajarweb.com 127.0.0.21 fajarweb.net 127.0.0.21 www.fajarweb.net 127.0.0.21 fajarweb.org 127.0.0.21 www.fajarweb.org 127.0.0.21 jasakom.com 127.0.0.21 www.jasakom.com 127.0.0.21 jasakom.net 127.0.0.21 www.jasakom.net 127.0.0.21 jasakom.org 127.0.0.21 www.jasakom.org 127.0.0.21 backup.grisoft.com 127.0.0.21 www.backup.grisoft.com 127.0.0.21 backup.grisoft.net 127.0.0.21 www.backup.grisoft.net 127.0.0.21 backup.grisoft.org 127.0.0.21 www.backup.grisoft.org 127.0.0.21 infokomputer.com 127.0.0.21 www.infokomputer.com 127.0.0.21 infokomputer.net 127.0.0.21 www.infokomputer.net 127.0.0.21 infokomputer.org 127.0.0.21 www.infokomputer.org 127.0.0.21 playboy.com 127.0.0.21 www.playboy.com 127.0.0.21 playboy.net 127.0.0.21 www.playboy.net 127.0.0.21 playboy.org 127.0.0.21 www.playboy.org 127.0.0.21 sex-mission.com 127.0.0.21 www.sex-mission.com 127.0.0.21 sex-mission.net 127.0.0.21 www.sex-mission.net 127.0.0.21 sex-mission.org 127.0.0.21 www.sex-mission.org 127.0.0.21 pornstargals.com 127.0.0.21 www.pornstargals.com 127.0.0.21 pornstargals.net 127.0.0.21 www.pornstargals.net 127.0.0.21 pornstargals.org 127.0.0.21 www.pornstargals.org 127.0.0.21 kaskus.com 127.0.0.21 www.kaskus.com 127.0.0.21 kaskus.net 127.0.0.21 www.kaskus.net 127.0.0.21 kaskus.org 127.0.0.21 www.kaskus.org 127.0.0.21 17tahun.com 127.0.0.21 www.17tahun.com 127.0.0.21 17tahun.net 127.0.0.21 www.17tahun.net 127.0.0.21 17tahun.org 127.0.0.21 www.17tahun.org 127.0.0.21 padinet.com 127.0.0.21 www.padinet.com 127.0.0.21 padinet.net 127.0.0.21 www.padinet.net 127.0.0.21 padinet.org 127.0.0.21 www.padinet.org 127.0.0.21 jeruk.padinet.com 127.0.0.21 www.jeruk.padinet.com 127.0.0.21 jeruk.padinet.net 127.0.0.21 www.jeruk.padinet.net 127.0.0.21 jeruk.padinet.org 127.0.0.21 www.jeruk.padinet.org 127.0.0.21 compactbyte.com 127.0.0.21 www.compactbyte.com 127.0.0.21 compactbyte.net 127.0.0.21 www.compactbyte.net 127.0.0.21 compactbyte.org 127.0.0.21 www.compactbyte.org 127.0.0.21 blog.compactbyte.com 127.0.0.21 www.blog.compactbyte.com 127.0.0.21 blog.compactbyte.net 127.0.0.21 www.blog.compactbyte.net 127.0.0.21 blog.compactbyte.org 127.0.0.21 www.blog.compactbyte.org 127.0.0.21 blogs.compactbyte.com 127.0.0.21 www.blogs.compactbyte.com 127.0.0.21 blogs.compactbyte.net 127.0.0.21 www.blogs.compactbyte.net 127.0.0.21 blogs.compactbyte.org 127.0.0.21 www.blogs.compactbyte.org Name Troj/Cimuz-AI Type * Spyware Trojan Affected operating systems * Windows Side effects * Steals information * Installs itself in the Registry Aliases * Trojan-Spy.Win32.Agent.eo * Spy-Agent.ak Prevalence (1-5) 2 Description Troj/Cimuz-AI is a Trojan for the Windows platform. Troj/Cimuz-AI includes functionality to access the internet and communicate with a remote server via HTTP. The Trojan opens a backdoor and connects to several remote sites to report the availability of the infected computer and the port on which attackers can connect. Troj/Cimuz-AI may also steal information such as email account usernames and passwords. Advanced Troj/Cimuz-AI is a Trojan for the Windows platform. Troj/Cimuz-AI includes functionality to access the internet and communicate with a remote server via HTTP. The Trojan opens a backdoor and connects to several remote sites to report the availability of the infected computer and the port on which attackers can connect. Troj/Cimuz-AI may also steal information such as email account usernames and passwords. When Troj/Cimuz-AI is installed it creates the file \ipv4mons.dll. The file ipv4mons.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(78364D99-A240-4dff-B11A-67E448373045) HKCR\CLSID\(78364D99-A240-4dff-B11A-67E448373045) The following registry entry is set, affecting internet security: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall Policy\StandardProfile\AuthorizedApplications\List\\Internet Explorer IEXPLORE.EXE \Internet Explorer\IEXPLORE.EXE::Enabled:Internet Explorer The following registry entry is set: HKCU\Software\Microsoft\Internet Explorer\Main Enable Browser Extensions yes Name Troj/Zlob-JU Type Trojan Affected operating systems * Windows Side effects * Installs itself in the Registry Aliases * Win32/TrojanDownloader.Zlob.NW Prevalence (1-5) 2 Description Troj/Zlob-JU is a Trojan for the Windows platform. Advanced Troj/Zlob-JU is a Trojan for the Windows platform. When Troj/Zlob-JU is installed the following files are created: \simpole.tlb \stdole3.tlb \hp.tmp where is a string of random characters. These files are also detected as Troj/Zlob-JU. The file hp.tmp is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\({0398eca-0bcd-4645-8261-5e9dc70248d0} HKCR\CLSID\{B0398ECA-0BCD-4645-8261-5E9DC70248D0} Troj/Zlob-JU changes Start Page and search settings for Microsoft Internet Explorer by modifying values under: HKCU\Software\Microsoft\Internet Explorer\Search\ HKCU\Software\Microsoft\Internet Explorer\Main\Start Page Registry entries may be set under: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{b0398eca-0bcd-4645-8261-5e9dc70248d0} Name Troj/Agent-BMV Type * Trojan Affected operating systems * Windows Side effects * Drops more malware Aliases * Trojan-Dropper.Win32.Agent.aie * TROJ_DROPPER.UF Prevalence (1-5) 2 Description Troj/Agent-BMV is a Trojan installer for the Windows platform. Advanced Troj/Agent-BMV is a Trojan installer for the Windows platform. When Troj/Agent-BMV is installed the following files are created: \.exe (detected as Troj/DwnLdr-EFH) \A.exe (detected as Troj/DwnLdr-EFH) \jptc.dat \offun.exe (detected as Troj/DwnLdr-ACV) \pf78.exe (detected as Troj/Agent-BQS) \pf79.exe jptc.dat is a harmless data file. Pf79.exe is a potentially unwanted application. Name Troj/Mdrop-AMA Type * Trojan Affected operating systems * Windows Side effects * Drops more malware * Downloads code from the internet Aliases * Trojan-Dropper.Win32.Agent.hl Prevalence (1-5) 2 Description Troj/Mdrop-AMA is a multidropper Trojan for the Windows platform. Advanced Troj/Mdrop-AMA is a multidropper Trojan for the Windows platform. When Troj/Mdrop-AMA is installed the following files are created: \mc-110-12-0000118.exe - detected as App/Maxif-Dlr \Download\mc-110-12-0000118.exe - detected as App/Maxif-Dlr \explorer.exe - detected as Troj/Adload-BN Name W32/Tilebot-EU Type * Spyware Worm How it spreads * Network shares * Chat programs Affected operating systems * Windows Side effects * Steals information * Installs itself in the Registry * Exploits system or software vulnerabilities * Used in DOS attacks Aliases * Backdoor.Win32.SdBot.aad * W32.Spybot.Worm Prevalence (1-5) 2 Description W32/Tilebot-EU is a worm with IRC backdoor functionality for the Windows platform. W32/Tilebot-EU spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), RPC-DCOM (http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), WKS (http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) (CAN-2003-0812), PNP (http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx) and ASN.1 (http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx) and by copying itself to network shares protected by weak passwords. W32/Tilebot-EU runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. W32/Tilebot-EU includes functionality to: set up an FTP server set up a proxy server spread via AOL Instant Messager by sending messages automatically set or remove network shares port scanning packet sniffing access the internet and communicate with a remote server via HTTP harvest information from clipboard take part in Distributed Denial of Service (DDoS) attacks The following patches for operating system vulnerabilities exploited by W32/Tilebot-EU are available from Microsoft: http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx Advanced W32/Tilebot-EU is a worm with IRC backdoor functionality for the Windows platform. W32/Tilebot-EU spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), RPC-DCOM (http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), WKS (http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) (CAN-2003-0812), PNP (http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx) and ASN.1 (http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx) and by copying itself to network shares protected by weak passwords. W32/Tilebot-EU runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. W32/Tilebot-EU includes functionality to: set up an FTP server set up a proxy server spread via AOL Instant Messager by sending messages automatically set or remove network shares port scanning packet sniffing access the internet and communicate with a remote server via HTTP harvest information from clipboard take part in Distributed Denial of Service (DDoS) attacks When first run W32/Tilebot-EU copies itself to \alg.exe. The file alg.exe is registered as a new system driver service named "AppLayerGatewayMgr", with a display name of "Application Layer Gateway Manager" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\AppLayerGatewayMgr\ W32/Tilebot-EU sets the following registry entries, disabling the automatic startup of other software: HKLM\SYSTEM\CurrentControlSet\Services\Messenger Start 4 HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry Start 4 HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr Start 4 HKLM\SYSTEM\CurrentControlSet\Services\wscsvc Start 4 Additional registry entries are set as follows: HKLM\SOFTWARE\Microsoft\Security Center AntiVirusDisableNotify 1 HKLM\SOFTWARE\Microsoft\Security Center AntiVirusOverride 1 HKLM\SOFTWARE\Microsoft\Security Center FirewallDisableNotify 1 HKLM\SOFTWARE\Microsoft\Security Center FirewallOverride 1 HKLM\SOFTWARE\Microsoft\Security Center UpdatesDisableNotify 1 HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotAllowXPSP2 1 HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile EnableFirewall 0 HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile EnableFirewall 0 HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters AutoShareServer 0 HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters AutoShareWks 0 HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters AutoShareServer 0 HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters AutoShareWks 0 HKLM\SYSTEM\CurrentControlSet\Control\ WaitToKillServiceTimeout 7000 HKLM\SOFTWARE\Microsoft\Ole EnableDCOM N HKLM\SYSTEM\CurrentControlSet\Control\Lsa restrictanonymous 1 The following patches for operating system vulnerabilities exploited by W32/Tilebot-EU are available from Microsoft: http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx Name W32/Dbit-B Type * Virus How it spreads * Infected files Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Deletes files off the computer * Steals information * Records keystrokes * Installs itself in the Registry Aliases * Trojan.Win32.Dbit.d * Infostealer * TROJ_PWSTEAL.AE Prevalence (1-5) 2 Description W32/Dbit-B is a virus and backdoor Trojan for the Windows platform. W32/Dbit-B attempts to infect EXE files. W32/Dbit-B allows unauthorized remote access to the infected computer. W32/Dbit-B will attempt to connect to predefined URLs in order to report infection and download files. The virus may also act as a backdoor allowing the following actions to be performed by a remote user on the infected system: Create folder Delete files Execute files Rename files Act as a proxy server Log keypresses Steal passwords W32/Dbit-B will also attempt to collect information about the infected system and report it to a predefined URL. The information collected includes: Username Running processes IP related information Available drives W32/Dbit-B also contains a stealthing component in order to make itself invisible to the user. Advanced W32/Dbit-B is a virus and backdoor Trojan for the Windows platform. W32/Dbit-B attempts to infect EXE files. W32/Dbit-B allows unauthorized remote access to the infected computer. W32/Dbit-B will attempt to connect to predefined URLs in order to report infection and download files. The virus may also act as a backdoor allowing the following actions to be performed by a remote user on the infected system: Create folder Delete files Execute files Rename files Act as a proxy server Log keypresses Steal passwords W32/Dbit-B will also attempt to collect information about the infected system and report it to a predefined URL. The information collected includes: Username Running processes IP related information Available drives W32/Dbit-B also contains a stealthing component in order to make itself invisible to the user. When W32/Dbit-B is installed it creates the file \msjet62.dll. The file msjet62.dll is registered as a new system driver service named "Irmon", with a display name of "Portable Media Serial Number Service" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\Irmon\ W32/Dbit-B will attempt to remove processes and services associated with the following files: ethereal.exe aports.exe tcpview windump.exe iris.exe CV.exe sniffer.exe iexplore.exe outlook.exe icq.exe msimn.exe msmsgs.exe msnmsgr.exe qq.exe endoscope.EXE icqlite.exe foxmail.exe Name Troj/Tibs-AR Type * Trojan Affected operating systems * Windows Side effects * Drops more malware * Downloads code from the internet * Installs itself in the Registry * Leaves non-infected files on computer Aliases * Packed.Win32.Tibs Prevalence (1-5) 2 Description Troj/Tibs-AR is a Trojan for the Windows platform. Troj/Tibs-AR includes functionality to access the internet and communicate with a remote server via HTTP to download and install software. Advanced Troj/Tibs-AR is a Trojan for the Windows platform. Troj/Tibs-AR includes functionality to access the internet and communicate with a remote server via HTTP to download and install software. When first run Troj/Tibs-AR copies itself to \taskdir.exe and creates the following files: \taskdir.dll \zlbw.dll where file taskdir.dll is detected as Troj/HideDl-A. and zlbw.dll is a clean compression library. The following registry entry is created to run taskdir.exe on startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run taskdir \taskdir.exe Name W32/Tilebot-EW Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Installs itself in the Registry * Exploits system or software vulnerabilities Aliases * Backdoor.Win32.SdBot.xd * WORM_SDBOT.ARX Prevalence (1-5) 2 Description W32/Tilebot-EW is a worm and IRC backdoor Trojan for the Windows platform. W32/Tilebot-EW spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords. W32/Tilebot-EW runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. Advanced W32/Tilebot-EW is a worm and IRC backdoor Trojan for the Windows platform. W32/Tilebot-EW spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords. W32/Tilebot-EW runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. When first run W32/Tilebot-EW copies itself to \winfix32.exe. The file winfix32.exe is registered as a new system driver service named "Windows Fix Services", with a display name of "Windows Fix Services" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\Windows Fix Services\ W32/Tilebot-EW sets the following registry entries, disabling the automatic startup of other software: HKLM\SYSTEM\CurrentControlSet\Services\Messenger Start 4 HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry Start 4 HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr Start 4 Registry entries are set as follows: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotAllowXPSP2 1 HKLM\SOFTWARE\Microsoft\Ole EnableDCOM N HKLM\SYSTEM\CurrentControlSet\Control\Lsa restrictanonymous 1 Registry entries are created under: HKLM\SOFTWARE\Microsoft\Security Center\ HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\ Name Troj/Xorpix-E Type * Trojan Affected operating systems * Windows Side effects * Downloads code from the internet * Installs itself in the Registry Aliases * Trojan-Proxy.Win32.Xorpix.u Prevalence (1-5) 2 Description Troj/Xorpix-E is a proxy Trojan for the Windows platform. Troj/Xorpix-A allows network traffic to be routed through an infected computer as specified by a remote intruder. Troj/Xorpix-E attempts to turn off security related services including the Windows Security Centre and the Windows Firewall. Troj/Xorpix-A may download and run further executable files. Advanced Troj/Xorpix-E is a proxy Trojan for the Windows platform. Troj/Xorpix-A allows network traffic to be routed through an infected computer as specified by a remote intruder. Troj/Xorpix-E attempts to turn off security related services including the Windows Security Centre and the Windows Firewall. Troj/Xorpix-A may download and run further executable files. When run, Troj/Xorpix-E will attempt to copy itself to the Windows system folder and create registry entries under: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\20242402reg Name Troj/Agent-BOR Type * Trojan Affected operating systems * Windows Side effects * Allows others to access the computer * Drops more malware * Installs itself in the Registry Aliases * Backdoor.Win32.Agent.uu Prevalence (1-5) 2 Description Troj/Agent-BOR is a backdoor Trojan which allows a remote intruder to gain access and control over the computer. Advanced Troj/Agent-BOR is a backdoor Trojan which allows a remote intruder to gain access and control over the computer. When Troj/Agent-BOR is installed it creates the file \dcom_16.dll. The file dcom_16.dll is detected as Troj/SpamThru-C. The following registry entries are created to run code exported by the Trojan libraries on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskSched uler {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} DCOM Server HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayL oad DCOM Server {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} The file dcom_16.dll is registered as a COM object, creating registry entries under: HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34} --- MultiMail/Win32 v0.43 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140) SEEN-BY: 633/267 270 @PATH: 123/140 500 106/2000 633/267
SOURCE: echomail via fidonet.ozzmosis.com

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.