echo: virus
to: ALL
from: KURT WISMER
date: 2007-05-06 12:03:00
subject: News, May 6 2007

[cut-n-paste from sophos.com]

Name   W32/Lovelet-AD

Type  
    * Worm

How it spreads  
    * Removable storage devices
    * Email attachments
    * Infected files
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Modifies data on the computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Win32/VB.BP

Prevalence (1-5) 2

Description
W32/Lovelet-AD is a worm for the Windows platform.

W32/Lovelet-AD spreads by:
- Copying itself to autorun.inf into any writable drive
- Email attachments
- Infected files
- Replacing PIF files with a copy of W32/Lovelet-AD
- Yahoo Instant Messenger

W32/Lovelet-AD includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Lovelet-AD is a worm for the Windows platform.

W32/Lovelet-AD spreads by:
- Copying itself to autorun.inf into any writable drive
- Email attachments
- Infected files
- Replacing PIF files with a copy of W32/Lovelet-AD
- Yahoo Instant Messenger

W32/Lovelet-AD includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Lovelet-AD copies itself to:

\Microsoft Word Document.scr
\autorun.inf
\New Microsoft Word Document.scr
\Programs\Microsoft Word Document.scr

as well as numerous locations (more than 1000 files) and sub folders 
in:

\Microsoft\CD Burning\
\
\
\
\
\
\
\Prefetch\
\gorgle\

The following registry entries are created to run W32/Lovelet-AD on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Run
\mskernel.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
\lsass.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
WinRun
\AutoRun.ini

as well as the following modification of existing entries:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe \services.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\gorgle\csrss.exe

The following registry entries are created to make removal of 
W32/Lovelet-AD difficult for the user:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt
CheckedValue
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

The following registry entries are set or modified, so that 
W32/Lovelet-AD is run when files with extensions of PIF are 
opened/launched:

HKCR\AVIFile\shell\open\command
(default)
\setup\mskernel.exe %1

HKCR\piffile\shell\open\command
(default)
\setup\mskernel.exe %1





Name   Troj/Starter-F

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
Troj/Starter-F is a Trojan for the Windows platform.

Advanced
Troj/Starter-F is a Trojan for the Windows platform.

When run, it copies itself to \FLASH32.COM and creates the 
file \BLOCKS.EXE. The file BLOCKS.exe is not malicious.

The following registry entry is created to run FLASH32.COM on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Flash32
\FLASH32.COM -s

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Run
Flash32
\FLASH32.COM -s





Name   Troj/Agent-EOL

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Agent.bls
    * TROJ_AGENT.NEV

Prevalence (1-5) 2

Description
Troj/Agent-EOL is a downloading Trojan for the Windows platform.





Name   W32/Alman-B

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
W32/Alman-B is a virus for the Windows platform.

Advanced
W32/Alman-B is a virus for the Windows platform.

W32/Alman-B searches for and infects files with EXE extension.

When first run W32/Alman-B creates the following files:

\c_121.nls
\AppPatch\deamon.dll

These files are also detected as W32/Alman-B.





Name   W32/Rbot-GMZ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Rbot-GMZ is a worm for the Windows platform which attempts to 
spread via network shares.

W32/Rbot-GMZ spreads to computers vulnerable to common exploits, 
including: IIS5SSL (MS03-007).

Advanced
W32/Rbot-GMZ is a worm for the Windows platform which attempts to 
spread via network shares.

W32/Rbot-GMZ contains backdoor functions that allow unauthorized 
remote access to the infected computer via IRC channels.

W32/Rbot-GMZ spreads to computers vulnerable to common exploits, 
including: IIS5SSL (MS03-007).

The following patch for the operating system vulnerability exploited 
by the worm can be obtained from the Microsoft website:

MS04-011

When first run W32/Rbot-GMZ copies itself as a randomly named exe to:
\.exe

W32/Rbot-GMZ may create the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows LoL Layer
azypbrx.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows LoL Layer
azypbrx.exe

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy
\StandardProfile\AuthorizedApplications\List\
\azypbrx.exe:*:Disabled:azypbrx

HKCU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\
\azypbrx.exe
azypbrx





Name   W32/KillFil-BP

Type  
    * Worm

How it spreads  
    * Network shares
    * Peer-to-peer

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
W32/KillFil-BP is a worm for the Windows platform.

Advanced
W32/KillFil-BP is a worm for the Windows platform.





Name   VBS/Solow-D

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Worm.VBS.Solow.a
    * VBS/IE-Title
    * VBS/Butsur.B
    * VBS_SOLOW.A

Prevalence (1-5) 2

Description
VBS/Solow-D is a worm for the Windows platform.

Advanced
VBS/Solow-D is a worm for the Windows platform.

VBS/Solow-D attempts to spread through removable storage devices.

When installed VBS/Solow-D copies itself to the 
\MS32DLL.dll.vbs.

The following registry entry is created to run the file 
MS32DLL.dll.vbs at startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS32DLL
\MS32DLL.dll.VBS

The following registry entry is set:

HKCU\Software\Microsoft\Internet Explorer\Main
Windows Title
'Hacked by '

Every 200 seconds VBS/Solow-D enumerates available removable devices 
and attempts to copy itself to each with the filename 
MS32DLL.dll.vbs. The worm also creates the file autorun.inf that 
contains instructions to autorun the copy of the worm once the 
infected drive is accessed.





Name   Troj/Dloadr-AXU

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Dloadr-AXU is a Trojan downloader for the Windows platform.

Advanced
Troj/Dloadr-AXU is a Trojan downloader for the Windows platform.

Troj/Dloadr-AXU will attempt to download and execute a file detected 
as Troj/TinyDl-G.

When first run Troj/Dloadr-AXU copies itself to 
\1916435341.exe.

The following registry entry is created to run 1916435341.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
1916435341.exe
\1916435341.exe





Name   W32/Stando-B

Type  
    * Worm

How it spreads  
    * Removable storage devices
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * TROJ_AGENT.MRW

Prevalence (1-5) 2

Description
W32/Stando-B is a worm for the Windows platform.

W32/Stando-B spreads to other network computers.

W32/Stando-B includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Stando-B is a worm for the Windows platform.

W32/Stando-B spreads to other network computers.

W32/Stando-B includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Stando-B copies itself to

\suchost.exe
\mgrShell.exe

and creates the file \activeds.exe.

The file activeds.exe is detected as Troj/Bckdr-QIA.

Registry entries are set as follows to run the worm copy on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
scApp
\DOCUME~1\REPCLI~1\LOCALS~1\Temp\suchost.exe

W32/Stando-B copies itself to the root folder of available disk 
drives with the filename sys.exe and creates the hidden file 
autorun.inf containing the following text:

[autorun]
open=sys.exe

W32/Stando-B may attempt to write to the end of files with a DOC 
extension, and may modify files in the root drive or internet cache 
folder called ~Thumbs.db or in the internet cache folder called 
~RSW114.tmp.

W32/Stando-B may set the following registry entry to allow Autoplay 
on removable, fixed, CD-ROM and RAM drives:

HKCU\Software\Microsoft\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
91

W32/Stando-B may set the following registry entries to prevent hidden 
files from being shown, including files related to itself:

HKCU\Software\Microsoft\CurrentVersion\Explorer\Advanced
SuperHidden
1

HKCU\Software\Microsoft\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0





Name   Troj/BHO-BQ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs a browser helper object

Prevalence (1-5) 2

Description
Troj/BHO-BQ is a Trojan for the Windows platform.

Advanced
Troj/BHO-BQ is a Trojan for the Windows platform.

Troj/BHO-BQ will attempt to install itself as a browser helper object 
and redirect typed URLs and search queries to another website.





Name   W32/SillyFD-AA

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Worm.Win32.VB.fw
    * W32/Sillyworm.WR
    * W32/Archiles.worm
    * WORM_VB.CNG

Prevalence (1-5) 2

Description
W32/SillyFD-AA is a worm for the Windows platform.

Advanced
W32/SillyFD-AA is a worm for the Windows platform.

Once installed W32/SillyFD-AA spreads through removable storage 
devices, including floppy drives and USB keys. The worm attempts to 
create a hidden file Autorun.inf on the removable drive and copy 
itself to the removable drive with the hidden filename 
\handydriver.exe.

The file \Autorun.inf is designed to start the worm once the 
removable drive is connected to an uninfected computer.

W32/SillyFD-AA copies itself to the following locations:
\kerneldrive.exe
\regedit.exe
\pchealth\helpctr\Binaries\msconfig.exe
\systeminit.exe
\wininit.exe
\winsystem.exe
\cmd.exe
\taskmgr.exe


W32/SillyFD-AA also creates the following file \autorun.inf.

The following registry entries are set to run W32/SillyFD-AA on 
startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\systeminit.exe,

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wininit
\wininit.exe


The following registry entries are also set:

HKCU\Software\Microsoft\Internet Explorer\Main
Window Title
Hacked by 1BYTE

HKCU\Software\Microsoft
ServicePack
1.2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
SearchHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
SearchSystemDirs
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegedit
1


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft
nFlag
1


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
0

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
1





Name   Troj/Dloadr-AYA

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Opens links to websites

Aliases  
    * W32/Downloader.APBK
    * Trojan-Downloader.Win32.Delf.kc
    * TROJ_DLOADER.GXJ

Prevalence (1-5) 2

Description
Troj/Dloadr-AYA is a Trojan for the Windows platform.

Advanced
Troj/Dloadr-AYA is a Trojan for the Windows platform.

Troj/Dloadr-AYA includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Dloadr-AYA copies itself to the root folder.





Name   Troj/WLDrop-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * W32/Agent.CIP
    * Spy-Agent.bv.dr
    * Win32/Wigon.W
    * Trojan.Win32.Agent.ady

Prevalence (1-5) 2

Description
Troj/WLDrop-A is a Trojan for the Windows platform.

Advanced
Troj/WLDrop-A is a Trojan for the Windows platform.

When Troj/WLDrop-A is installed it creates one of the following files:

\main.sys
\systems.dll

The file main.sys is detected as Troj/NTRootK-BP. The file 
systems.dll is detected as Mal/SpyAgent-A.

If the file main.sys is dropped, it is registered as a new system 
driver service named "EXAMPLE". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE

If the file systems.dll is dropped, the following registry entry is 
created to run it on system startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
rundll32 "\systems.dll" X4,explorer.exe





Name   W32/Rising-B

Type  
    * Worm

How it spreads  
    * Removable storage devices
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Agent.az
    * WORM_AGENT.OQV
    * Win32/Agent.NEO

Prevalence (1-5) 2

Description
W32/Rising-B is a worm for the Windows platform.

W32/Rising-B can spread to local drives, removable media and network 
shares.

W32/Rising-B includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Rising-B is a worm for the Windows platform.

W32/Rising-B can spread to local drives, removable media and network 
shares.

W32/Rising-B includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Rising-B copies itself to:

\rising.exe
\.exe

and drops the following files:

\autorun.inf - auto run script, may be deleted safely.
\.dll - also detected as W32/Rising-B

W32/Rising-B creates the following registry entries to start itself 
as a service:

HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\

HKLM\SYSTEM\CurrentControlSet\Services\\

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_\

HKCU\SYSTEM\CurrentControlSet\Services\\

The references above are all the same. The 
characters randomize when the worm is propagated.





Name   W32/Rbot-GOS

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * WORM_RBOT.FAY

Prevalence (1-5) 2

Description
W32/Rbot-GOS is a worm with IRC backdoor functionality for the 
Windows platform.

Advanced
W32/Rbot-GOS is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Rbot-GOS runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-GOS spreads to other network computers:
- by exploiting common buffer overflow vulnerabilities, including: 
LSASS (MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP 
(MS05-039), ASN.1 (MS04-007), RealVNC (CVE-2006-2369) and Symantec 
(SYM06-010)

- networks protected by weak passwords

When first run W32/Rbot-GOS copies itself to \netsrv.exe. The 
following registry entries are created to run W32/Rbot-GOS on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft
netsrv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
netsrv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
netsrv.exe

W32/Rbot-GOS includes functionality to:
- terminate security and anti-virus related processes
- download code from the internet
- perform port scanning
- perform DDoS attacks
- steal information including computer game keys
- setup a SOCKS4 proxy server





Name   Troj/SpyAgent-E

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Dropped by malware

Aliases  
    * Trojan-Dropper.Win32.Agent.bge
    * W32/Downloader2.BNE

Prevalence (1-5) 2

Description
Troj/SpyAgent-E is a dropper Trojan for the Windows platform.

Troj/SpyAgent-E drops further malware detected as Troj/Pushu-B.

Troj/SpyAgent-E may be dropped by members of the Mal/SpyAgent-A family.





Name   W32/Poebot-LL

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Poebot-LL is a worm for the Windows platform.

W32/Poebot-LL spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC 
(MS06-040), RPC-DCOM (MS04-012) and PNP (MS05-039).

Advanced
W32/Poebot-LL is a worm for the Windows platform.

W32/Poebot-LL spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC 
(MS06-040), RPC-DCOM (MS04-012) and PNP (MS05-039).

When first run W32/Poebot-LL copies itself to \spoolsvc.exe 
and creates the file \pzyhjvv.bat.
 
The following registry entry is created to run spoolsvc.exe on startup:
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spooler SubSystem App
\spoolsvc.exe





Name   Troj/Banker-EFM

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Steals information
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Banker.ciy

Prevalence (1-5) 2

Description
Troj/Banker-EFM is an internet banking Trojan for the Windows platform.

Advanced
Troj/Banker-EFM is an internet banking Trojan for the Windows platform.

When Troj/Banker-EFM is installed the following files are created:

\file.exe
\start.bat
\wsnctfy.exe
\svchost.exe
\Tasks\startt.job

The following registry entry is changed to run Troj/Banker-EFM on 
startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe \svchost.exe

The file explorer \svchost.exe is registered as a new 
service named "GbpSv". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\GbpSv





Name   Troj/DownLd-ABF

Type  
    * Trojan

How it spreads  
    * Web browsing

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/DownLd-ABF is an advertising related downloader Trojan for the 
Windows platform.

Troj/DownLd-ABF infects HTML files stored on the local computer with 
IFRAME links to advertising related HTML pages.

Troj/DownLd-ABF can arrive as a result of web browsing. Visiting 
certain web sites may initiate the download process.

Advanced
Troj/DownLd-ABF is an advertising related downloader Trojan for the 
Windows platform.

Troj/DownLd-ABF infects all HTML files on the computer, appending an 
SRC= link to a remote JavaScript file. This JavaScript simply uses 
document.write to append a new IFRAME element to the HTML file, with 
an SRC= link to an advertising related HTML page.

Troj/DownLd-ABF can arrive as a result of web browsing. Visiting 
certain web sites may initiate the download process.

When Troj/DownLd-ABF is installed the following files are typically 
created:

\123.txt
\1234.txt
\edit.txt
\ganran.txt
\5640.exe
\705.54755640.exe
\winsock.exe
\mh[1].exe

The following registry entry is created to run 5640.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(Default)
\5640.exe

 
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
SEEN-BY: 633/267
@PATH: 123/140 500 379/1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
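Added defender's example, not part of the post or of Sophos's descriptions: a small Python audit that parses a .reg-style export of the keys these write-ups keep returning to and flags the patterns they describe (programs appended to the Winlogon Shell and Userinit values, DisableRegistryTools set to lock the user out, and a NoDriveTypeAutoRun mask that leaves autorun enabled on removable drives). The sample export is constructed here from the file names the write-ups list; the key suffixes and bit mask are the documented Windows ones.

```python
from pathlib import PureWindowsPath

# Constructed .reg-style export modelled on the Winlogon, policy and autorun
# values the write-ups above describe (file names are the ones they list).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\services.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\gorgle\\csrss.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

WINLOGON = r'\Windows NT\CurrentVersion\Winlogon'
POLICY_SYSTEM = r'\CurrentVersion\Policies\System'
POLICY_EXPLORER = r'\CurrentVersion\Policies\Explorer'
LOCKOUT_VALUES = ('DisableRegistryTools', 'DisableTaskMgr', 'DisableRegedit')


def parse_reg_export(text):
    """Parse the .reg subset seen in exports: [key] headers, "name"="string"
    and "name"=dword:hex. Returns {key: {value_name: data}}."""
    entries, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key and '=' in line:
            name, _, data = line.partition('=')
            name = '(Default)' if name == '@' else name.strip('"')
            if data.startswith('dword:'):
                entries[key][name] = int(data[6:], 16)
            else:  # .reg escapes backslashes as \\ inside quoted strings
                entries[key][name] = data.strip('"').replace('\\\\', '\\')
    return entries


def audit(entries):
    """Return findings for the tampering patterns described on this page."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        if k.endswith(WINLOGON.lower()):
            shell = values.get('Shell', 'explorer.exe').strip()
            if shell.lower() != 'explorer.exe':   # extra program after explorer.exe
                findings.append(f'Winlogon Shell hijacked: {shell!r}')
            for part in filter(None, map(str.strip, values.get('Userinit', '').split(','))):
                if PureWindowsPath(part).name.lower() != 'userinit.exe':
                    findings.append(f'Winlogon Userinit appended: {part!r}')
        if k.endswith(POLICY_SYSTEM.lower()):
            for name in LOCKOUT_VALUES:
                if values.get(name) == 1:
                    findings.append(f"{name}=1 blocks the user's inspection tools")
        if k.endswith(POLICY_EXPLORER.lower()):
            mask = values.get('NoDriveTypeAutoRun')
            if mask is not None and not mask & 0x04:   # bit 0x04 = removable drives
                findings.append(f'NoDriveTypeAutoRun=0x{mask:02x} leaves removable-drive autorun enabled')
    return findings


if __name__ == '__main__':
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print('FINDING:', finding)
```

Run against a real `reg export` of the same keys the audit reads; a hardened machine yields no findings, while the sample above produces four.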
