echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2007-06-02 13:42:00
subject: News, June 2 2007

[cut-n-paste from sophos.com]

Name   Troj/Goldun-FZ

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Goldun-FZ is a Trojan for the Windows platform.

Advanced
Troj/Goldun-FZ is a Trojan for the Windows platform.

When run, the Trojan creates the file \msdom2.dll and this 
file is detected as Troj/Goldun-FZ.





Name   W32/Looked-DW

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Looked-DW is a prepending virus and worm for the Windows platform.

Advanced
W32/Looked-DW is a prepending virus and worm for the Windows platform.

W32/Looked-DW spreads to other network computers.

W32/Looked-DW includes functionality to access the internet and 
communicate with a remote server via HTTP. W32/Looked-DW may attempt 
to download and execute additional files from a remote location.

When first run W32/Looked-DW copies itself to the following locations:

\uninstall\rundl132.exe
\logo1_.exe

and creates the file \RichDll.dll.

The file RichDll.dll is also detected as W32/Looked-DW.
            
The following registry entry is created to run rundl132.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
\uninstall\rundl132.exe

Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\





Name   Troj/Mdrop-BPE

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Prevalence (1-5) 2

Description
Troj/Mdrop-BPE is a Trojan for the Windows platform.

Advanced
Troj/Mdrop-BPE is a Trojan for the Windows platform.

When Troj/Mdrop-BPE is installed the following files are created:

\exec1.exe - detected as W32/IRCBot-WA
\exec2.exe - detected as Troj/Keygen-BI





Name   W32/Seccmu-A

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.VB.pt
    * Win32/VB.PT trojan
    * WORM_VB.AK

Prevalence (1-5) 2

Description
W32/Seccmu-A is a worm for the Windows platform.

Advanced
W32/Seccmu-A is a worm for the Windows platform.

W32/Seccmu-A attempts to copy itself to C:\Windows\system32\csrs.exe 
and A:\Practica3.exe, and sets the following registry entry to run 
itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Action
C:\Windows\system32\csrs.exe

W32/Seccmu-A generates a fake error message box with the title "Error 
de ejecucion" and the text "Practica3.xls Danado".





Name   Troj/Kimat-C

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Modifies browser settings

Prevalence (1-5) 2

Description
Troj/Kimat-C is a Trojan for the Windows platform.

Advanced
Troj/Kimat-C is a Trojan for the Windows platform.

When first run Troj/Kimat-C copies itself to:

\Templates\winword.doc.exe
\Templates\winword2.doc.exe
\sample1.doc.exe
\Tiara Lestari.exe
\goats\SAMPLE1.DOC.exe
\sample1.doc.exe
\config\systemprofile\Templates\winword.doc.exe
\config\systemprofile\Templates\winword2.doc.exe
\zistro.exe

The following registry entry is created to run zistro.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
test
\zistro.exe

The following registry entry is set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegedit
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\Hidden\SHOWALL
DefaultValue
1





Name   W32/Fujacks-AK

Type  
    * Virus

How it spreads  
    * Removable storage devices
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Fujacks-AK is an attempted virus and worm for the Windows platform.

W32/Fujacks-AK spreads to other network computers through available 
network shares and removable storage devices by copying itself with 
the filenames GameSetup.exe and setup.exe correspondingly. 
W32/Fujacks-AK also creates the file autorun.inf to ensure that the 
file setup.exe is executed.

Advanced
W32/Fujacks-AK is an attempted virus and worm for the Windows platform.

W32/Fujacks-AK spreads to other network computers through available 
network shares and removable storage devices by copying itself with 
the filenames GameSetup.exe and setup.exe correspondingly. 
W32/Fujacks-AK also creates the file autorun.inf to ensure that the 
file setup.exe is executed.

W32/Fujacks-AK includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Fujacks-AK copies itself to
\drivers\spoclsv.exe.
\setup.exe.
\autorun.inf. - This file can be safely deleted.

The following registry entry is created to run spoclsv.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svcshare
\drivers\spoclsv.exe

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\Hidden\SHOWALL
CheckedValue
0

W32/Fujacks-AK searches for EXE files in an attempt to infect them and 
creates a Desktop_.ini file every time it succeeds. This file may be 
safely deleted.

W32/Fujacks-AK includes functionality to delete shares including the 
Admin$ share.

W32/Fujacks-AK attempts to periodically copy itself to removable 
drives, including floppy drives and USB keys. The worm will attempt 
to create a hidden file Autorun.inf on the removable drive and copy 
itself to the same location. The file Autorun.inf is designed to 
start the worm once the removable drive is connected to an uninfected 
computer.





Name   Troj/LdPinch-QW

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information

Aliases  
    * Trojan-PSW.Win32.LdPinch.bvf

Prevalence (1-5) 2

Description
Troj/LdPinch-QW is a Trojan for the Windows platform.





Name   Troj/BHO-CC

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs a browser helper object

Prevalence (1-5) 2

Description
Troj/BHO-CC is a Trojan for the Windows platform.

Troj/BHO-CC may register itself as a browser helper object for 
Internet Explorer. When installed, it may steal user browsing habits 
and redirect searches.

Advanced
Troj/BHO-CC is a Trojan for the Windows platform.

Troj/BHO-CC may register itself as a browser helper object for 
Internet Explorer. When installed, it may steal user browsing habits 
and redirect searches.





Name   Mal/Behav-043

Type  
    * Malicious Behavior

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Mal/Behav-043 is a malicious file for the Windows platform.

Advanced
Mal/Behav-043 is a malicious file for the Windows platform.





Name   W32/Poebot-LP

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks
    * Scans network for vulnerabilities
    * Scans network for weak passwords

Prevalence (1-5) 2

Description
W32/Poebot-LP is a worm for the Windows platform.

The worm spreads through network shares protected by weak passwords 
and through operating system vulnerabilities such as LSASS 
(MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039), SRVSVC (MS06-040) 
and Dameware (CAN-2003-1030).

The backdoor component of W32/Poebot-LP connects to a predefined IRC 
server and awaits commands from remote attackers. The backdoor 
component of W32/Poebot-LP can be instructed by a remote user to 
perform the following functions:

- start an FTP server
- start a proxy server
- start a web server
- take part in distributed denial of service (DDoS) attacks
- log keypresses
- capture screen/webcam images
- packet sniffing
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)
- steal information from the Protected Storage Area
- steal product registration information from certain software

Advanced
W32/Poebot-LP is a worm for the Windows platform.

The worm spreads through network shares protected by weak passwords 
and through operating system vulnerabilities such as LSASS 
(MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039), SRVSVC (MS06-040) 
and Dameware (CAN-2003-1030).

The backdoor component of W32/Poebot-LP connects to a predefined IRC 
server and awaits commands from remote attackers. The backdoor 
component of W32/Poebot-LP can be instructed by a remote user to 
perform the following functions:

- start an FTP server
- start a proxy server
- start a web server
- take part in distributed denial of service (DDoS) attacks
- log keypresses
- capture screen/webcam images
- packet sniffing
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)
- steal information from the Protected Storage Area
- steal product registration information from certain software

When first run, W32/Poebot-LP copies itself to \lsass.exe

W32/Poebot-LP sets the following registry entry to start at system 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Local Security Authority Servce
\lssas.exe





Name   W32/Fujacks-AL

Type  
    * Virus

How it spreads  
    * Removable storage devices
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Fujacks-AL is a virus for the Windows platform.

Advanced
W32/Fujacks-AL is a virus for the Windows platform.

W32/Fujacks-AL spreads to other network computers.

W32/Fujacks-AL includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Fujacks-AL copies itself to 
\drivers\ncscv32.exe.

The following registry entry is created to run ncscv32.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
nvscv32
\drivers\ncscv32.exe

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\Hidden\SHOWALL
CheckedValue
0

W32/Fujacks-AL attempts to periodically copy itself to removable 
drives, including floppy drives and USB keys. The worm will attempt 
to create a hidden file Autorun.inf on the removable drive and copy 
itself to the same location. The file Autorun.inf is designed to 
start the virus once the removable drive is connected to an 
uninfected computer.





Name   Troj/Torpig-BV

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Torpig-BV is a downloader Trojan for the Windows platform.

Advanced
Troj/Torpig-BV is a downloader Trojan for the Windows platform.

When run Troj/Torpig-BV creates the file \clean_4392d.dll. This file 
is also detected as Troj/Torpig-BV.

Troj/Torpig-BV attempts to install a service with the name 
"ldrsvc".

Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LDRSVC\
HKLM\SYSTEM\CurrentControlSet\Services\ldrsvc\





Name   W32/Tilebot-JS

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Tilebot-JS is a backdoor worm for the Windows platform which 
allows a remote intruder to gain access and control over the computer.

Advanced
W32/Tilebot-JS is a backdoor worm for the Windows platform which 
allows a remote intruder to gain access and control over the computer.

W32/Tilebot-JS includes functionality to access the internet and 
communicate with a remote server via HTTP.

W32/Tilebot-JS patches the Windows executable files ftp.exe and 
tftp.exe so that they no longer function. W32/Tilebot-JS also patches 
the Windows system file sfc_os.dll to disable Windows system file 
checking.

When first run W32/Tilebot-JS copies itself to \iexplore.exe.

The file iexplore.exe is registered as a new system driver service 
named "Microsoft Internet Explorer", with a display name of 
"Microsoft Internet Explorer" and a startup type of automatic, so 
that it is started automatically during system startup. Registry 
entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft Internet Explorer

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d





Name   W32/SillyFDC-HO

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/SillyFDC-HO is a worm for the Windows platform.

Advanced
W32/SillyFDC-HO is a worm for the Windows platform.

When run W32/SillyFDC-HO enumerates all the folders on the infected 
computer and copies itself to those folders with that same folder 
name but appended with an .exe file extension.

W32/SillyFDC-HO copies itself to \windows.exe and sets the 
following registry entry to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
gpmce
\windows.exe


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableTaskMgr
1

HKCU\Software\Policies\Microsoft\Windows\System
disableCMD
2

HKCU\Software\Microsoft\Internet Explorer\Main
Start Page
www.booble.com

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
DisableThumbnailCache
1





Name   W32/Bagle-WX

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Bagle-WX is a worm for the Windows platform.

Advanced
W32/Bagle-WX is a worm for the Windows platform.

W32/Bagle-WX creates the file \hidires\m_hook.sys. 
This file is registered as a service named "m_hook" with a startup 
type of automatic. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\

The file m_hook.sys is also detected as W32/Bagle-WX.

The following registry entries are set:

HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4





Name   W32/Bagle-SR

Type  
    * Worm

How it spreads  
    * Email messages
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Downloads code from the internet

Prevalence (1-5) 2

Description
W32/Bagle-SR is a worm for the Windows platform.

Advanced
W32/Bagle-SR is a worm for the Windows platform.

When run W32/Bagle-SR creates the files:

- \Local settings\Temp\~3.exe - detected as W32/Bagle-WX
- \Local settings\Temp\~4.exe - detected as Troj/BagleDL-PQ
- \Local settings\Temp\~5.exe - detected as W32/Bagle-WW

W32/Bagle also creates the following files which are harmless and can 
be safely deleted:

- \Local settings\Temp\~3.tmp
- \Local settings\Temp\~4.tmp
- \Local settings\Temp\~5.tmp

W32/Bagle-SR creates the file \hidires\m_hook.sys which is detected 
as W32/Bagle-WX. This file is registered as a service named "m_hook" 
with a startup type of automatic. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\

HKLM\SYSTEM\CurrentControlSet\Services\m_hook\

The following registry entries are set:

HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
4
 
HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio
Start
4
 
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
 
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4





Name   W32/Looked-DH

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Viking.lr
    * Win32/Viking.DC

Prevalence (1-5) 2

Description
W32/Looked-DH is a virus for the Windows platform.

Advanced
W32/Looked-DH is a virus for the Windows platform.

When first run W32/Looked-DH unsuccessfully copies itself to:

\.exe
\uninstall\rundl132.exe
\Logo1_.exe

The above files are a corrupt version of the original and may simply 
be deleted.

W32/Looked-DH creates the following registry entry to start itself:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
\uninstall\rundl132.exe

 
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
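An added hunt check, written for this page and not taken from the post or from Sophos, for two on-disk artefacts described above: the W32/SillyFDC-HO copy named after a folder (whether it sits beside the folder or inside it is an assumption, so both are checked) and an autorun.inf that launches setup.exe as W32/Fujacks-AK's does. The tree it scans is constructed in a temporary directory; nothing is modified or deleted.

```python
# Added example (not from the post or from Sophos): read-only hunt for two artefacts.
import configparser
import os
import tempfile

def _match_exe(directory, stem):
    """Return the path of a file named stem + '.exe' (case-insensitive) in directory."""
    want = stem.lower() + ".exe"
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if name.lower() == want and os.path.isfile(full):
            return full
    return None

def find_folder_name_exes(root):
    """W32/SillyFDC-HO pattern: for every folder X, look for X.exe next to it or in it."""
    hits = set()
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            for where in (dirpath, os.path.join(dirpath, d)):  # placement is an assumption
                found = _match_exe(where, d)
                if found:
                    hits.add(found)
    return sorted(hits)

def autorun_launches(path, target="setup.exe"):
    """W32/Fujacks-AK pattern: does the [autorun] open= or shellexecute= entry run target?"""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    with open(path, encoding="utf-8", errors="ignore") as fh:
        try:
            parser.read_file(fh)
        except configparser.Error:
            return False  # malformed INI: no automatic match, but worth a manual look
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute"):
            value = parser.get(section, key, fallback="").strip().strip('"')
            # Compare only the file name so ".\setup.exe" and "setup.exe" both match.
            if value.replace("\\", "/").rsplit("/", 1)[-1].lower() == target:
                return True
    return False

def demo():
    """Build a constructed tree carrying both artefacts and scan it."""
    root = tempfile.mkdtemp(prefix="hunt_")
    os.makedirs(os.path.join(root, "Photos"))
    os.makedirs(os.path.join(root, "Work", "Reports"))
    for rel in ("Photos.exe", "Work/Reports/Reports.exe", "notes.exe"):  # notes.exe is benign
        open(os.path.join(root, *rel.split("/")), "wb").close()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=setup.exe\nshellexecute=.\\setup.exe\n")  # constructed
    exes = [os.path.relpath(p, root) for p in find_folder_name_exes(root)]
    return exes, autorun_launches(os.path.join(root, "autorun.inf"))
```

Point find_folder_name_exes at a mounted removable drive or user profile and autorun_launches at the drive's autorun.inf to run the same check against real media.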

SOURCE: echomail via fidonet.ozzmosis.com
