Subject: News, November 13 2005
[cut-n-paste from sophos.com]
Name Troj/Haxdoor-AO
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Haxdoor.es
Prevalence (1-5) 2
Description
Troj/Haxdoor-AO is a Trojan for the Windows platform.
Troj/Haxdoor-AO includes functionality to:
- stealth its files, processes, registry entries and services
- prevent itself being terminated
- prevent itself being deleted
Advanced
Troj/Haxdoor-AO is a Trojan for the Windows platform.
Troj/Haxdoor-AO includes functionality to:
- stealth its files, processes, registry entries and services
- prevent itself being terminated
- prevent itself being deleted
When Troj/Haxdoor-AO is installed it creates the file
\cpudev.sys.
The file cpudev.sys is registered as a new system driver service
named "cpudev", with a display name of "CPU microcode
correction".
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\cpudev\
Name W32/Nelo-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Trojan.Win32.VB.wf
* Trojan.Cdtray
Prevalence (1-5) 2
Description
W32/Nelo-A is a worm for the Windows platform.
W32/Nelo-A attempts to copy itself to the root of any connected
hard disks, removable disks, ram disks and networked drives along
with a file named Autorun.inf.
W32/Nelo-A may open and close CD drive doors.
Advanced
W32/Nelo-A is a worm for the Windows platform.
W32/Nelo-A attempts to copy itself to the root of any connected
hard disks, removable disks, ram disks and networked drives along
with a file named Autorun.inf.
W32/Nelo-A may open and close CD drive doors.
When first run W32/Nelo-A copies itself to
\Internet Explorer\Systrsy.exe and creates the file
\Autorun.inf.
The following registry entry is created to run Systrsy.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
(default)
\Internet Explorer\Systrsy.exe
Name Troj/Dadobra-J
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Dadobra.em
Prevalence (1-5) 2
Description
Troj/Dadobra-J is a Trojan for the Windows platform.
Troj/Dadobra-J includes functionality to access the internet and
communicate with a remote server via HTTP.
Name W32/Tilebot-AY
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Backdoor.Win32.SdBot.aad
* W32/Sdbot.worm.gen.g
* W32/Sdbot.worm.gen.h
* WORM_RBOT.CHU
Prevalence (1-5) 2
Description
W32/Tilebot-AY is a network worm and backdoor Trojan for the Windows
platform.
W32/Tilebot-AY spreads by copying itself to network shares protected
by weak passwords and by exploiting the following vulnerabilities:
LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1 (MS04-007)
Advanced
W32/Tilebot-AY is a network worm and backdoor Trojan for the Windows
platform.
W32/Tilebot-AY spreads by copying itself to network shares protected
by weak passwords and by exploiting the following vulnerabilities:
LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1 (MS04-007)
The following patches for the operating system vulnerabilities
exploited by W32/Tilebot-AY can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
W32/Tilebot-AY copies itself to \cytob.exe and registers
itself as a service process named "WindowsSysBoot". Registry entries
are created under:
HKLM\SYSTEM\CurrentControlSet\Services\WindowsSysBoot\
W32/Tilebot-AY allows a remote user to perform a wide range of
actions on the infected computer, including:
downloading and executing further files
editing registry entries
capturing network traffic
stealing passwords stored on local disks
W32/Tilebot-AY attempts to terminate the following security services:
Tlntsvr
RemoteRegistry
Messenger
SharedAccess
wscsvc
W32/Tilebot-AY sets the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N
HKLM\SOFTWARE\Microsoft\Security Center\
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center\
FirewallOverride
1
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Sdbot-XH
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Drops more malware
* Downloads code from the internet
* Reduces system security
Aliases
* WORM_SDBOT.BHU
* W32.Spybot.Worm
Prevalence (1-5) 2
Description
W32/Sdbot-XH is a network worm with backdoor Trojan functionality for
the Windows platform, that spreads through network shares protected
by weak passwords, MS-SQL servers and through various operating
system vulnerabilities.
W32/Sdbot-XH connects to a predetermined IRC channel and awaits
further commands from remote users. The backdoor component of
W32/Sdbot-XH can be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
Patches for the vulnerabilities exploited by W32/Sdbot-XH can be
obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
Advanced
W32/Sdbot-XH is a network worm with backdoor Trojan functionality for
the Windows platform.
When first run, W32/Sdbot-XH copies itself to the Windows system
folder as windesktop.exe and sets the following registry entries so
that it runs each time a user logs on:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Desktop Controler
windesktop.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Desktop Controler
windesktop.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Desktop Controler
windesktop.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Desktop Controler
windesktop.exe
The worm sets the following registry entries, disabling the automatic
startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\
Start
4
Registry entries are also created under:
HKCU\Software\Microsoft\OLE\
HKLM\SOFTWARE\Microsoft\Ole\
The worm spreads through network shares protected by weak passwords,
MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-XH connects to a predetermined IRC channel and awaits
further commands from remote users. The backdoor component of
W32/Sdbot-XH can be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
Patches for the vulnerabilities exploited by W32/Sdbot-XH can be
obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
W32/Sdbot-XH also drops a file to the current folder as msdirectx.sys.
The dropped file is detected by Sophos's anti-virus products as
Troj/NtRootK-F.
The worm changes the Windows HOSTS file in an attempt to prevent access
to sites from the following list:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
kaspersky-labs.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.grisoft.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
W32/Sdbot-XH terminates a number of processes including those related
to various AV and security applications as well as system tools and
other Worms and Trojans.
Name W32/Stando-E
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Generic Dropper.l
Prevalence (1-5) 2
Description
W32/Stando-A is a worm for the Windows platform.
W32/Stando-A copies itself to the root folder of available disk
drives with the filename sys.exe and creates the hidden file
autorun.inf to run it.
Advanced
W32/Stando-A is a worm for the Windows platform.
When first run W32/Stando-A copies itself to:
\mgrShell.exe
\scApp.exe
The following registry entry is created to run scApp.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
scApp
\scApp.exe
W32/Stando-A copies itself to the root folder of available disk
drives with the filename sys.exe and creates the hidden file
autorun.inf containing the following text:
[autorun]
open=sys.exe
W32/Stando-A may attempt to write to the end of files with a DOC
extension, and may modify files named ~Thumbs.db in the root of the
drive or in the internet cache folder, and files named ~RSW114.tmp in
the internet cache folder.
W32/Stando-A may set the following registry entry to allow Autoplay
on removable, fixed, CD-ROM and RAM drives:
HKCU\Software\Microsoft\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
91
W32/Stando-A may set the following registry entries to prevent hidden
files from being shown, including files related to itself:
HKCU\Software\Microsoft\CurrentVersion\Explorer\Advanced
SuperHidden
1
HKCU\Software\Microsoft\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
W32/Stando-A injects its code into explorer.exe and from there runs
\scApp.exe.
Name Troj/Stinx-E
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Stinx-E is a backdoor Trojan for the Windows platform.
Troj/Stinx-E connects to one of several IP addresses and runs
continuously in the background, providing a backdoor server which
allows a remote intruder to gain access and control over the computer
via IRC channels.
When first run Troj/Stinx-E copies itself to \$sys$drv.exe.
Troj/Stinx-E can be instructed to delete, execute, and download and
execute files.
Advanced
Troj/Stinx-E is a backdoor Trojan for the Windows platform.
Troj/Stinx-E connects to one of several IP addresses and runs
continuously in the background, providing a backdoor server which
allows a remote intruder to gain access and control over the computer
via IRC channels.
When first run Troj/Stinx-E copies itself to \$sys$drv.exe.
Troj/Stinx-E can be instructed to delete, execute, and download and
execute files.
Troj/Stinx-E will attempt to circumvent the Windows Firewall if it is
present by adding itself to the list of allowed programs.
Troj/Stinx-E may be stealthed on an infected system by exploiting
Sony DRM (Digital Rights Management) software.
Troj/Stinx-E creates a Mutex variable named "SonyEnabled".
Troj/Stinx-E may arrive as an email attachment wherein it is claimed
that the attached file is a photograph to be published that requires
approval.
Name Troj/Bancban-HX
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Banbra.df
* PWS-Banker.gen.ba
Prevalence (1-5) 2
Description
Troj/Bancban-HX is a Trojan that attempts to steal information
related to various banking websites.
Troj/Bancban-HX includes functionality to download further malicious
code.
Advanced
Troj/Bancban-HX is a Trojan that attempts to steal information
related to various banking websites.
Troj/Bancban-HX includes functionality to download further malicious
code.
When Troj/Bancban-HX is installed it may create the following image
files:
\imgrt.txt
\keylogf.dlol
\vhosts2
The Trojan creates the following registry entry in an attempt to run
itself on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
dark
\imgrt.scr
Name W32/Francette-W
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Delf.abc
Prevalence (1-5) 2
Description
W32/Francette-W is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Francette-W spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).
W32/Francette-W runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Information on the exploits above can be found here:
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
Advanced
W32/Francette-W is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Francette-W spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).
W32/Francette-W runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
The following registry entry is created to run W32/Francette-W on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft IIS
W32/Francette-W modifies the Windows hosts file to redirect the
following domains to a phishing site:
www.halifax-online.co.uk
ibank.barclays.co.uk
online.lloydstsb.co.uk
online-business.lloydstsb.co.uk
www.ukpersonal.hsbc.co.uk
www.nwolb.com
banesnet.banesto.es
extranet.banesto.es
ebanking.bccbrescia.it
www.bankofscotlandhalifax-online.co.uk
www.rbsdigital.com
oi.cajamadrid.es
bancae.caixapenedes.com
banking.postbank.de
meine.deutsche-bank.de
myonlineaccounts2.abbeynational.co.uk
ibank.cahoot.com
webbank.openplan.co.uk
bancopostaonline.poste.it
www.rasbank.it
www.credem.it
mybank.bybank.it
www.bancagenerali.it
www.bancaintesa.it
www.creval.it
ibank.internationalbanking.barclays.com
www.abbeyinternational.com
www.bbvanet.com
www.fineco.it
www.cajamar.es
welcome7.co-operativebank.co.uk
welcome11.co-operativebankonline.co.uk
Information on the exploits above can be found here:
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
Name Troj/Clagger-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Downloads code from the internet
* Reduces system security
Aliases
* Trojan-Downloader.Win32.Agent.yu
* AdClicker.k
Prevalence (1-5) 2
Description
Troj/Clagger-A is a downloader Trojan for the Windows platform.
Troj/Clagger-A includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Clagger-A attempts to disable firewall software.
Name W32/Badgrad-B
Type
* Worm
Affected operating systems
* Windows
Side effects
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Badgrad-B is a worm for the Windows platform.
Advanced
W32/Badgrad-B is a worm for the Windows platform.
When W32/Badgrad-B is installed the worm copies itself to the
following location:
C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\badgers_s.exe
The following files may be created:
C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\badgers.exe
\MMBPlayer\badgers.exe
\MMBPlayer\bat.bat
The files called badgers.exe are media files. The file bat.bat is a
batch script used by the worm to spread. The script copies all files
from the following location:
C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
into the following location:
%USERPROFILE%\Menu Start\Programma's\Opstarten\
Name Troj/Torpig-K
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Small.dg
* PWS-JA
Prevalence (1-5) 2
Description
Troj/Torpig-K is an information stealing Trojan for the Windows
platform.
The Trojan attempts to steal passwords, as well as logging keypresses
and open window titles to text files and periodically sends the
collected information to a remote user via HTTP.
Troj/Torpig-K automatically closes security warning messages
displayed by common anti-virus and security related applications.
Advanced
Troj/Torpig-K is an information stealing Trojan for the Windows
platform.
The Trojan attempts to steal passwords, as well as logging keypresses
and open window titles to text files and periodically sends the
collected information to a remote user via HTTP.
Troj/Torpig-K automatically closes security warning messages
displayed by common anti-virus and security related applications.
When Troj/Torpig-K is run some or all of the following files are
created either in the folder
C:\Program Files\Common Files\Microsoft Shared\Web Folders
or in the folder
\..\temp:
ibm00001.dll
ibm00001.exe
ibm00002.dll
Name W32/Yusufali-B
Type
* Worm
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Yusufali-B is a worm for the Windows platform.
W32/Yusufali-B analyses the title of the window in focus looking for
various words. Some of the words W32/Yusufali-B searches for are:
sex
teen
xx
Phallus
jeggar
Priapus
Phallic
Penis
Exhibitionism
If W32/Yusufali-B finds one of these words in the title bar it will
minimise the current window and display the following dialog box:
Caption: vay vay Sex chera !!!
Message: Aoozo bellahe mena SHAITAN rajim...
W32/Yusufali-B will display a box in the middle of the screen
containing the current time and a button 'For Exit Click Here'. As
soon as the mouse is moved the box changes to have vertical bars and
the text 'OH! NO i'm in the Cage'. The box contains LogOff, ShutDown
and Restart buttons and the mouse pointer is locked within the
confines of the box. All the buttons actually cause a logout. The
keyboard is still useable.
W32/Yusufali-B may display a small text box on screen which displays
the title of the window currently in focus.
Advanced
W32/Yusufali-B is a worm for the Windows platform.
W32/Yusufali-B spreads by copying itself to Documents.exe on the
floppy disk, if available.
W32/Yusufali-B analyses the title of the window in focus looking for
various words. Some of the words W32/Yusufali-B searches for are:
sex
teen
xx
Phallus
jeggar
Priapus
Phallic
Penis
Exhibitionism
If W32/Yusufali-B finds one of these words in the title bar it will
minimise the current window and display the following dialog box:
Caption: vay vay Sex chera !!!
Message: Aoozo bellahe mena SHAITAN rajim...
W32/Yusufali-B will display a box in the middle of the screen
containing the current time and a button 'For Exit Click Here'. As
soon as the mouse is moved the box changes to have vertical bars and
the text 'OH! NO i'm in the Cage'. The box contains LogOff, ShutDown
and Restart buttons and the mouse pointer is locked within the
confines of the box. All the buttons actually cause a logout. The
keyboard is still useable.
W32/Yusufali-B may display a small text box on screen which displays
the title of the window currently in focus.
When first run W32/Yusufali-B copies itself to \Systemdll.exe.
The following registry entry is created to run Systemdll.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System4224411
\Systemdll.exe
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
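The write-ups above keep coming back to the same few host artefacts: a Run or RunServices value pointing at a dropped binary, a rogue service with a plausible display name, Security Center override and EnableDCOM values, a HOSTS file that blackholes AV update sites or redirects banking domains, and an autorun.inf at a drive root. The script below is an added example, not Sophos's text or the original poster's code. It parses the plain-text exports a responder can collect from a suspect box (the HOSTS file, `reg export` output, an autorun.inf) and flags those indicators. The indicator lists are copied from the write-ups (a subset of the two HOSTS lists); the sample inputs are constructed, the TEST-NET redirect address and the C:\Program Files prefix for Systrsy.exe are assumed, and the function names are mine.

```python
"""Offline triage of the host artefacts described in the write-ups above (HOSTS hijacks, Run/RunServices
persistence, Security Center/DCOM tampering, rogue services, root autorun.inf). Added example, not Sophos's
or the poster's code; the sample inputs at the bottom are constructed."""
import re

# Indicators taken from the write-ups: a subset of the two HOSTS lists, all the value and service names.
AV_UPDATE_HOSTS = {"sophos.com", "www.sophos.com", "liveupdate.symantec.com", "kaspersky.com",
                   "download.mcafee.com", "www.f-secure.com", "www.trendmicro.com"}
BANK_HOSTS = {"ibank.barclays.co.uk", "online.lloydstsb.co.uk", "www.nwolb.com",
              "banking.postbank.de", "meine.deutsche-bank.de", "www.halifax-online.co.uk"}
KNOWN_RUN_VALUE_NAMES = {"Windows Desktop Controler", "scApp", "dark", "System4224411", "Microsoft IIS"}
KNOWN_STARTUP_BINARIES = {"windesktop.exe", "systrsy.exe", "scapp.exe", "imgrt.scr", "systemdll.exe"}
SUSPICIOUS_SERVICES = {"cpudev", "windowssysboot"}
SECURITY_CENTER_OVERRIDES = {"AntiVirusOverride", "FirewallOverride"}
RUN_KEY_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices")
VALUE_RE = re.compile(r'^(?:@|"([^"]*)")=(.*)$')  # "Name"="data" | "Name"=dword:... | @="data"

def hosts_findings(text: str) -> list[str]:
    """HOSTS entries for AV/update sites (Sdbot-XH blackholes them) or banks (Francette-W redirects them)."""
    out = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()          # drop comments; ip then one or more names
        for host in (h.lower() for h in fields[1:]):
            if host in AV_UPDATE_HOSTS:
                out.append(f"AV/update host {host} pinned to {fields[0]}")
            elif host in BANK_HOSTS:
                out.append(f"bank host {host} redirected to {fields[0]}")
    return out

def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """`reg export` (.reg) text -> {key: {value_name: data}}; '(default)' stands for @."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line) if current is not None else None
        if m:
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: strip quotes, undo \\ and \" escapes
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            current[m.group(1) or "(default)"] = data
    return keys

def reg_findings(reg: dict[str, dict[str, str]]) -> list[str]:
    """Persistence and tampering the write-ups list, matched on key path, value name and binary name."""
    out = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith(RUN_KEY_SUFFIXES):
            for name, data in values.items():
                binary = data.replace("\\", "/").rsplit("/", 1)[-1].lower()
                if name in KNOWN_RUN_VALUE_NAMES or binary in KNOWN_STARTUP_BINARIES:
                    out.append(f"startup entry {key}\\{name} -> {data}")
        elif k.endswith(r"\microsoft\security center"):
            for name in sorted(SECURITY_CENTER_OVERRIDES & set(values)):
                if values[name].lower() == "dword:00000001":  # Tilebot-AY: silence AV/firewall status
                    out.append(f"Security Center override set: {name}")
        elif k.endswith(r"\microsoft\ole") and values.get("EnableDCOM", "").upper() == "N":
            out.append("DCOM disabled via Ole\\EnableDCOM=N")
        else:
            m = re.search(r"\\services\\([^\\]+)$", k)
            if m and m.group(1) in SUSPICIOUS_SERVICES:
                out.append(f"service {m.group(1)} ({values.get('DisplayName', '?')})")
    return out

def autorun_findings(text: str) -> list[str]:
    """[autorun] open=/shellexecute= launching a program; normal on optical media, not at a HDD/share root."""
    out, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k.lower() in ("open", "shellexecute") and v.lower().endswith((".exe", ".scr", ".bat", ".com", ".pif")):
                out.append(f"autorun.inf launches {v}")
    return out

def triage(hosts_text: str, reg_text: str, autorun_text: str) -> dict[str, list[str]]:
    return {"hosts": hosts_findings(hosts_text), "registry": reg_findings(parse_reg_export(reg_text)),
            "autorun": autorun_findings(autorun_text)}

# Constructed samples: TEST-NET redirect IP; the C:\Program Files prefix for Systrsy.exe is assumed.
SAMPLE_HOSTS = ("127.0.0.1 localhost\n127.0.0.1 liveupdate.symantec.com\n127.0.0.1 www.sophos.com\n"
                "203.0.113.10 ibank.barclays.co.uk\n203.0.113.10 www.nwolb.com\n")
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Desktop Controler"="windesktop.exe"
@="C:\\Program Files\\Internet Explorer\\Systrsy.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cpudev]
"DisplayName"="CPU microcode correction"
"""
SAMPLE_AUTORUN = "[autorun]\nopen=sys.exe\n"
```

On a real box, read %SystemRoot%\system32\drivers\etc\hosts as text, export the Run, RunServices, Security Center, Ole and Services keys with `reg export <key> <file>`, and open the .reg files with `encoding="utf-16"` (Version 5.00 exports are UTF-16LE with a BOM) before passing them to `triage()`. Matching on value names and file names is brittle by design, since the write-ups give nothing stronger; the Security Center, EnableDCOM and HOSTS checks are worth keeping whatever the family, because a HOSTS entry for a vendor update server or a bank has no legitimate business on a workstation.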
SOURCE: echomail via fidonet.ozzmosis.com