echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2006-04-02 20:19:00
subject: News, April 2 2006

[cut-n-paste from sophos.com]

Name   Troj/Puper-EY

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Puper-EY is a downloader Trojan for the Windows platform.

Advanced
Troj/Puper-EY is a downloader Trojan for the Windows platform.

Troj/Puper-EY creates the files:

\dfrgsrv.exe
\ld???.tmp (where ??? is a random number)

Both files are detected as Troj/Puper-EY.

The Trojan creates the following registry entry to run dfrgsrv.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
wininet.dll
dfrgsrv.exe





Name   W32/Rbot-CTJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.aie

Prevalence (1-5) 2

Description
W32/Rbot-CTJ is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-CTJ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-CTJ is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-CTJ spreads:

- to other network computers infected with: Troj/Kuang, Troj/Sub7, 
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), 
WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (ms04-011) 
(CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware 
(CAN-2003-1030) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-CTJ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-CTJ copies itself to \windinit.exe 
and creates the file \C27D8FEF-D7AE-42c0-82E6-F30598265639.exe.

The following registry entries are created to run windinit.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsotufed Update 32
windinit.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsotufed Update 32
windinit.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
Microsotufed Update 32
windinit.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Agobot-TA

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * W32/Gaobot.worm.gen.bj
    * WORM_SDBOT.BDK

Prevalence (1-5) 2

Description
W32/Agobot-TA is a worm with backdoor functionality for the Windows 
platform.

W32/Agobot-TA runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

Advanced
W32/Agobot-TA is a worm with backdoor functionality for the Windows 
platform.

W32/Agobot-TA runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

When first run W32/Agobot-TA copies itself to \windowsfw.exe.

The following registry entries are created to run windowsfw.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windowsfw
windowsfw.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windowsfw
windowsfw.exe





Name   Troj/Bdoor-XD

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.IRCBot.nw
    * BackDoor-CMQ

Prevalence (1-5) 2

Description
Troj/Bdoor-XD is a Trojan for the Windows platform.

Troj/Bdoor-XD may install itself as the service "Windows Log".





Name   W32/Brontok-Z

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Email-Worm.Win32.Brontok.n
    * W32/Rontokbro.gen{at}MM
    * W32.Rontokbro.X{at}mm

Prevalence (1-5) 2

Description
W32/Brontok-Z is a mass-mailing worm for the Windows platform.

W32/Brontok-Z sends itself to email addresses found on the infected 
computer.

Emails sent by the worm have the following characteristics:

From: angelina_ph{at}
or jennifer_sh{at}

If the recipient's address is Indonesian:

Subject: Fotoku yg Paling Cantik

Message text:

Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.

Thanks

For all other addresses:

Subject: My Best Photo

Message text:

Hi,
I want to share my photo with you.
Wishing you all the best.

Regards,

Attachment name: Photo.zip

Advanced
W32/Brontok-Z is a mass-mailing worm for the Windows platform.

W32/Brontok-Z sends itself to email addresses found on the infected 
computer.

Emails sent by the worm have the following characteristics:

From: angelina_ph{at}
or jennifer_sh{at}

If the recipient's address is Indonesian:

Subject: Fotoku yg Paling Cantik

Message text:

Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.

Thanks

For all other addresses:

Subject: My Best Photo

Message text:

Hi,
I want to share my photo with you.
Wishing you all the best.

Regards,

Attachment name: Photo.zip

The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat 
runs Photo.bmp. Photo.bmp is an executable (currently detected as 
Troj/Dloadr-ADW) which attempts to download and execute a copy of the 
worm from a preconfigured website. At the time of writing, this 
website is unavailable.

When W32/Brontok-Z is installed it copies itself to the following 
locations:

\Local Settings\Application Data\dv\yesbron.com
\Local Settings\Application Data\jalak--bali.com
\n\b6108.exe
\n\c.bron.tok.txt
\n\csrss.exe
\n\lsass.exe
\n\services.exe
\n\smss.exe
\n\svr.exe
\n\winlogon.exe
\c_.com
\j.exe
\o.exe
\_default.pif
\\ib.exe

where  etc. are randomly-chosen numbers

W32/Brontok-Z installs the following files:

\Baca Bro !!!.txt
\Tasks\At1.job
\Tasks\At2.job

The .job files each contain a scheduled task, instructing Windows to 
execute the installed copies of the worm once per day.

The .txt file, when opened, will cause the worm to display the 
following message:

######################### BRONTOK.C[22] #########################

-- Hentikanlah kebobrokan di negeri ini --

1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
( Send To NUSAKAMBANGAN )

2. Stop Free Sex, Aborsi, & Prostitusi
( Go To HELL )

3. Stop Pencemaran Alam, Pembakaran Hutan & Perburuan Liar.

4. SAY NO TO DRUGS !!!

-- Spizaetus Cirrhatus --

[ By JowoBot ]

+++++0000++++00000++++0000+++0+++++0++0000000+++0000+++0+++0+++++
+++++0++++0++0++++0++0++++0++00++++0+++++0+++++0++++0++0++0++++++
+++++0++++0++0++++0++0++++0++0+0+++0+++++0+++++0++++0++0+0+++++++
+++++00000+++00000+++0++++0++0++0++0+++++0+++++0++++0++00++++++++
+++++0++++0++0++0++++0++++0++0+++0+0+++++0+++++0++++0++0+0+++++++
+++++0++++0++0+++0+++0++++0++0++++00+++++0+++++0++++0++0++0++++++
+++++0000++++0++++0+++0000+++0+++++0+++++0++++++0000+++0+++0+++++

~~ Sedikit Jawaban u/ Membungkam Mulut Sesumbar 'Mereka' ~~

Nobron & Romdil = Otak Kosong, Mulut Besar, Cuma Bisa

Nobron = Satria Dungu = Nothing !!!

Romdil = Tukang Jiplak = Nothing !!!

Nobron & Romdil -->> Kicked by The Amazing Brontok

[ By JowoBot ]

W32/Brontok-Z closes windows whose titles contain any of the following:

task manager
registry
command prompt
system configuration
group policy
cmd.exe
computer management
scheduled task
killbox
hijack
SYSINTERNAL
PROCESS EXP
REMOVER
CLEANER
anti
washer
ertanto
BROWNIES
movzx
killer
pcmedia
pc-media
rontok
rontox
robknot
commander
windows script
norman
norton
symantec
cillin
trendmicro
bitdef
kaspersky
avg
avira
virus
trojan
worm
mcafee
b.e
folder option
wintask
alwil
sex
porn
naked
cewe
bugil
telanjang
nod32
task view
peid
ahnlab

W32/Brontok-Z adds entries to the system HOSTS file to prevent access 
to security-related domains.

W32/Brontok-Z may install a new version of the file \msvbvm60.dll.

The following registry entries are created to run the installed 
copies of the worm on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run

\Local Settings\Application Data\dv\yesbron.com

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run

\_default.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

\n\svr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

\j.exe

The following registry entries are changed to run j6321422.exe and 
o4321427.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "\o.exe"

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file \Explorer.exe to be run on 
startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\.exe

(the default value for this registry entry is "\System32\userinit.exe,").

The following registry entry is set, disabling the registry editor 
(regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

Registry entries are created under:

HKCU\Software\Brontok\





Name   Troj/Hearse-A

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * TROJ_HEARSE.A
    * Trojan.Goldun.K
    * Trojan-Spy.Win32.Goldun.im

Prevalence (1-5) 2

Description
Troj/Hearse-A is a Trojan for the Windows platform.

The Trojan creates two files detected as members of the Haxdoor 
family of password stealing Trojans.

Advanced
Troj/Hearse-A is a Trojan for the Windows platform.

When run the Trojan creates the following files:

\zopenssl.dll
\zopenssld.sys

The file zopenssl.dll is detected as Troj/Haxdor-Fam and the file 
zopenssld.sys is detected as Troj/Haxdor-Gen.

The following registry entries are created in order to load the 
zopenssl.dll file each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl
Asynchronous
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl
DllName
zopenssl.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl
Impersonate
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl
MaxWait
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl
nk48id
"[88BF38A86A50D1EAA]"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl
Startup
"zopenssl"





Name   Troj/Singu-AK

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer

Prevalence (1-5) 2

Description
Troj/Singu-AK is a Trojan for the Windows platform.

Advanced
Troj/Singu-AK is a Trojan for the Windows platform.

When Troj/Singu-AK is installed the following files are created:

\Win32en.bat
\taskmone.exe
\winscket.dll

Taskmone.exe and winscket.dll are detected by Sophos's anti-virus 
products as Troj/Singu-AK.
Win32en.bat may be safely deleted.

The following registry entry is created to run taskmone.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
taskmone
\taskmone.exe

The file winscket.dll is registered as a COM object and Browser 
Helper Object (BHO) for Microsoft Internet Explorer, creating 
registry entries under:

HKCR\CLSID\{EA806E03-A6B1-205A-117C-138934661726}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA806E03-A6B1-205A-117C-138934661726}





Name   Troj/Drsmartl-X

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Adload.ah

Prevalence (1-5) 2

Description
Troj/Drsmartl-X is a Trojan for the Windows platform.

Troj/Drsmartl-X includes functionality to download, install and run 
new software without notification that it is doing so.





Name   W32/Alcra-F

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.VB.an
    * W32.Spybot.Worm
    * TROJ_MULDROP.CV

Prevalence (1-5) 2

Description
W32/Alcra-F is a worm for the Windows platform.

W32/Alcra-F uses file sharing applications to spread.

W32/Alcra-F typically arrives with the filename Setup.exe.

Advanced
W32/Alcra-F is a worm for the Windows platform.

W32/Alcra-F uses file sharing applications to spread.

W32/Alcra-F typically arrives with the filename Setup.exe.

When first run W32/Alcra-F displays a dialog box with the text 
"Setup", "Welcome to the Setup Wizard ...".

The dialog then gives a fake error message, before closing.

W32/Alcra-F creates the folder \winsupdater and copies 
itself to this folder as

a.temp
winsupdater.exe

winsupdater.exe has the hidden file attribute and similarly the
\winsupdater\ folder is a hidden folder.

W32/Alcra-F creates the following files:

\at.exe
\winsupdater\a.zip

Where the a.zip file contains a copy of the Setup.exe.
The file at.exe is detected as W32/Rbot-CVY.

When first run, W32/Alcra-F creates the following registry entry to 
ensure that it is run when an infected system starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winsupdater
\winsupdater\winsupdater.exe /auto





Name   Troj/RKDepo-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/RKDepo-A is a Trojan rootkit downloader for the Windows platform.

Troj/RKDepo-A attempts to hide information about its files and 
registry entries.

Troj/RKDepo-A periodically attempts to download and execute files 
from a number of websites.

Advanced
Troj/RKDepo-A is a Trojan rootkit downloader for the Windows platform.

Troj/RKDepo-A attempts to hide information about its files and 
registry entries, providing stealthing by directly manipulating 
structures in the system kernel.

When first run Troj/RKDepo-A copies itself to \sxlntr.exe and 
creates the clean log file \dgkmldgmdfgdf.tjh.

Troj/RKDepo-A attempts to set the following registry entries to run 
itself on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
hdloker


HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
hdloker


HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load


HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hdloker


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
hdloker


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
load


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
run


The following registry entry is set to run sxlntr.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe 

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file \Explorer.exe to be run on startup).

Troj/RKDepo-A creates the following registry entry with a unique 
number to identify the infected computer:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
WINID

Troj/RKDepo-A periodically attempts to download and execute files 
from a number of websites to \.exe.





Name   Troj/DNSBust-L

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * DNSChanger.a

Prevalence (1-5) 2

Description
Troj/DNSBust-L is a Trojan for the Windows platform.

Troj/DNSBust-L includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/DNSBust-L is a Trojan for the Windows platform.

Troj/DNSBust-L includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/DNSBust-L copies itself to \hgqhp.exe.

The following registry entry is created to run hgqhp.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hgqhp.exe
\hgqhp.exe





Name   Troj/BankAsh-P

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/BankAsh-P is a Trojan for the Windows platform.

Troj/BankAsh-P includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/BankAsh-P contains functionality to download, install and run 
new software.

Advanced
Troj/BankAsh-P is a Trojan for the Windows platform.

Troj/BankAsh-P includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/BankAsh-P contains functionality to download, install and run 
new software.

When first run Troj/BankAsh-P copies itself to \[Num1]c.exe 
and also creates \dyna[Num2].dll

(Where Num1 and Num2 are randomly generated values containing three 
numbers.)

The following registry entry is created to run [Num1]c.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
vthi
\[Num1]c.exe dummy





Name   W32/Rbot-CWU

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Rbot-CWU is a worm with backdoor functionality for the Windows 
platform.

W32/Rbot-CWU runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-CWU is a worm with backdoor functionality for the Windows 
platform.

W32/Rbot-CWU runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-CWU copies itself to \mskiks.exe and creates the following files:

\kikrun.kik
\winzipk.zip

The file winzipk.zip contains thefile.exe which is a copy of 
W32/Rbot-CWU.

The following registry entry is created to run mskiks.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft WinXP Spooler SubSystem
\mskiks.exe





Name   Troj/Sdbot-BEI

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer

Aliases  
    * Backdoor.Win32.SdBot.fg

Prevalence (1-5) 2

Description
Troj/Sdbot-BEI is an IRC backdoor Trojan for the Windows platform.





Name   Troj/BankDl-AN

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Banload.ael
    * Win32/TrojanDownloader.VB.NAW

Prevalence (1-5) 2

Description
Troj/BankDl-AN is a Trojan for the Windows platform.

Troj/BankDl-AN includes functionality to download, install and run 
new software.





Name   Troj/BagleDl-BP

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * W32/Bagle.ew

Prevalence (1-5) 2

Description
Troj/BagleDl-BP is a Trojan for the Windows platform.

Troj/BagleDl-BP pretends to be a hacking tool, opening a dialog box 
with the title "Select file to crack". Whichever file is selected, 
the Trojan displays the message "Incorrect file version".

The Trojan attempts to download further malicious code.

Advanced
Troj/BagleDl-BP is a Trojan for the Windows platform.

Troj/BagleDl-BP pretends to be a hacking tool, opening a dialog box 
with the title "Select file to crack". Whichever file is selected, 
the Trojan displays the message "Incorrect file version".

The Trojan attempts to download further malicious code.

When Troj/BagleDl-BP is installed the following file is created:

\ldr64.dll

This file is also detected as Troj/BagleDl-BP.

The following registry entries are created to run code exported by 
ldr64.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64
DllName
ldr64.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64
Impersonate
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64
Startup
Startup
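The Winlogon Shell and Userinit values rewritten by W32/Brontok-Z and Troj/RKDepo-A, and the Winlogon\Notify packages registered by Troj/Hearse-A and Troj/BagleDl-BP, are the entries a defender checks against the documented defaults after a cleanup. The script below is an added example, not Sophos code or anything from the original post: it parses a `reg query /s` dump of the Winlogon key and flags deviations; the XP notification-package baseline is an assumption and both sample dumps are constructed.

```python
import re
from typing import Dict, List, Tuple

# Winlogon key whose Shell/Userinit values Brontok-Z and RKDepo-A rewrite and
# under which Hearse-A and BagleDl-BP register notification packages.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NOTIFY_PREFIX = WINLOGON + "\\Notify\\"
# Notification packages of a stock Windows XP install: an ASSUMED baseline for
# this example; replace it with one taken from your own golden image.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# The only program a clean Userinit value should name (before its trailing comma).
USERINIT_OK = re.compile(r"^(%systemroot%|[a-z]:\\windows)\\system32\\userinit\.exe$", re.I)
RegDump = Dict[str, Dict[str, Tuple[str, str]]]  # {key: {valuename: (type, data)}}


def parse_reg_query(text: str) -> RegDump:
    """Parse `reg query <key> /s` output; value names are lower-cased for lookup."""
    keys: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            current = line
            keys.setdefault(current, {})
        elif current is not None:
            parts = re.split(r"\s{2,}|\t", line, maxsplit=2)  # name, type, data
            if len(parts) >= 2 and parts[1].startswith("REG_"):
                keys[current][parts[0].lower()] = (parts[1], parts[2] if len(parts) == 3 else "")
    return keys


def audit_winlogon(keys: RegDump) -> List[str]:
    """Return one finding per Winlogon value that deviates from the defaults."""
    findings: List[str] = []
    root = keys.get(WINLOGON, {})
    # Shell: anything beyond a bare "Explorer.exe" is an extra program run at logon.
    shell = root.get("shell", ("REG_SZ", "Explorer.exe"))[1]
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Shell hijacked: {shell!r} (default is 'Explorer.exe')")
    # Userinit: comma-separated list; only userinit.exe itself belongs there.
    userinit = root.get("userinit", ("REG_SZ", r"C:\WINDOWS\system32\userinit.exe,"))[1]
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    if len(entries) != 1 or not USERINIT_OK.match(entries[0]):
        findings.append(f"Userinit hijacked: {userinit!r} (default is '<System32>\\userinit.exe,')")
    # Notify: every package outside the baseline loads a DLL into winlogon.exe at logon.
    for key, values in keys.items():
        if key.lower().startswith(NOTIFY_PREFIX.lower()):
            package = key[len(NOTIFY_PREFIX):]
            if package.lower() not in KNOWN_NOTIFY:
                dll = values.get("dllname", ("", "<no DllName>"))[1]
                findings.append(f"Unknown Winlogon notification package {package!r} loads {dll}")
    return findings


# CONSTRUCTED sample dumps: the Shell value and the zopenssl package mirror the
# Brontok-Z and Hearse-A write-ups; "user" and "dropped.exe" are placeholders.
HIJACKED_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe "C:\Documents and Settings\user\o4321427.exe"
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\dropped.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    DllName    REG_EXPAND_SZ    crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zopenssl
    Asynchronous    REG_DWORD    0x1
    DllName    REG_SZ    zopenssl.dll
    Startup    REG_SZ    zopenssl
"""
CLEAN_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
"""

if __name__ == "__main__":
    for finding in audit_winlogon(parse_reg_query(HIJACKED_SAMPLE)):
        print(finding)
```

On a live system, feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s` saved to a file.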





Name   Troj/IRCBot-GW

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/IRCBot-GW is a backdoor Trojan for the Windows platform.

Advanced
Troj/IRCBot-GW is a backdoor Trojan for the Windows platform.

When first run Troj/IRCBot-GW copies itself to \vmmon32.exe. 
The following registry entries are created to run vmmon32.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Printer
\vmmon32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Printer
\vmmon32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Printer
\vmmon32.exe

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Feebs-P

Type  
    * Worm

How it spreads  
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Feebs.gen
    * JS/Feebs.gen.f{at}MM
    * JS_FEEBS.GEN-4

Prevalence (1-5) 2

Description
W32/Feebs-P is a worm for the Windows platform.

W32/Feebs-P spreads via file sharing on P2P networks.

Advanced
W32/Feebs-P is a worm for the Windows platform.

W32/Feebs-P spreads via file sharing on P2P networks.

When first run W32/Feebs-P copies itself to:

\msdf.exe
\msld

and creates the following files:

\msqn32.dll
\b

These files are also detected as W32/Feebs-P.

The worm also copies itself to shared folders for various 
peer-to-peer applications.

The following registry entry is created to run code exported by the 
worm library on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
msqn32.dll
(361495F2-1D75-80CC-AA2D-8C0479EF7FC0)

The file msqn32.dll is registered as a COM object, creating registry 
entries under:

HKCR\CLSID\(361495F2-1D75-80CC-AA2D-8C0479EF7FC0)

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\MSAE





Name   W32/Tilebot-EH

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.xd
    * W32/Sdbot.OVU

Prevalence (1-5) 2

Description
W32/Tilebot-EH is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-EH spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
PNP 
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx).

W32/Tilebot-EH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

The following patches for the operating system vulnerabilities 
exploited by W32/Tilebot-EH are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx

Advanced
W32/Tilebot-EH is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-EH spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
PNP 
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx).

W32/Tilebot-EH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Tilebot-EH copies itself to \wintray.exe.

The file wintray.exe is registered as a new system driver service 
named "WINTRAY", with a display name of "Windows System Tray" and a 
startup type of automatic, so that it is started automatically during 
system startup.
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\WINTRAY\

W32/Tilebot-EH sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\

The following patches for the operating system vulnerabilities 
exploited by W32/Tilebot-EH are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx





Name   Troj/Dermon-I

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Downloads code from the internet

Aliases  
    * Trojan-Spy.Win32.Agent.jt

Prevalence (1-5) 2

Description
Troj/Dermon-I is a password stealing Trojan for the Windows platform.

Advanced
Troj/Dermon-I is a password stealing Trojan for the Windows platform.

When first run Troj/Dermon-I copies itself to \abrada.exe and 
creates the following files:

\abrada.dll - Troj/Dermon-I
\abradaload.dll - Troj/Dermon-G

\abrada.dll is a remote notification DLL component which 
sends stolen information to a remote website.

\abradaload.dll is a process injector DLL component which 
will attempt to inject itself into other processes in order to 
conceal itself.

Troj/Dermon-I also attempts to create the following files:

\abrada.ini
\abrada.dat

These files may be deleted.

The following registry entries may be created to run abrada.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Abrada win32
\abradaload.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Abrada win32
\abradaload.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Abrada win32
\abradaload.dll

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)

SOURCE: echomail via fidonet.ozzmosis.com
