| TIP: Click on subject to list as thread! | ANSI |
| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | News, March 18 2007 |
[cut-n-paste from sophos.com]
Name Troj/Sinow-D
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Records keystrokes
Prevalence (1-5) 2
Description
Troj/Sinow-D is a keylogging DLL component Trojan for the Windows
platform.
Troj/Sinow-D will run continuously in the background logging
keystrokes.
Troj/Sinow-D contains functionality to email the recorded keystrokes
to hardcoded email addresses.
Name Troj/PWS-AKT
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/PWS-AKT is an information stealing Trojan for the Windows
platform.
Advanced
Troj/PWS-AKT is an information stealing Trojan for the Windows
platform.
When Troj/PWS-AKT is installed the following files are created:
\Windows Media Player\svchost.exe
\pdll.dll
The following registry entry is changed to run Troj/PWS-AKT on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\Windows Media Player\svchost.exe,
Name W32/Sality-AG
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Downloads code from the internet
Aliases
* W32/Expiro virus
* Win32/Expiro.A
* Virus.Win32.Expiro.a
Prevalence (1-5) 2
Description
W32/Sality-AG is a virus that tries to infect Windows executable
files on all drives.
Advanced
W32/Sality-AG is a virus that tries to infect Windows executable
files on all drives.
During infection W32/Sality-AG copies the host file with the same
filename but with an IVR extension.
W32/Sality-AG may also drop a DLL file to the Windows system folder.
This is also detected as W32/Sality-AG.
W32/Sality-AG attempts to monitor the user's internet activity and
logs certain banking and credit card details. W32/Sality-AG may also
display fake windows and message boxes to interact with the user, for
example it may display a message box with the title "Unable to
authorize" and the text "Unable to authorize - INCORRECT PIN. Please,
correct.", or message boxes with the text "Please, select Expiration
Year" or "Please, select Expiration Month".
Name W32/Rbot-GHO
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.gen
* W32/Sdbot.worm.gen.x
* WORM_RBOT.CEC
Prevalence (1-5) 2
Description
W32/Rbot-GHO is a network worm and IRC backdoor Trojan for the
Windows platform.
Advanced
W32/Rbot-GHO is a network worm and IRC backdoor Trojan for the
Windows platform.
W32/Rbot-GHO spreads to other network computers by:
- exploiting common buffer overflow vulnerabilities, including LSASS
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039),
ASN.1 (MS04-007), RealVNC (CVE-2006-2369) and Symantec (SYM06-010)
- network shares protected by weak passwords
W32/Rbot-GHO runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-GHO includes functionality to:
- access the internet and communicate with a remote server via HTTP
- silently download, install and run new software
- log keystrokes
- remote login to network shares
- perform DDoS attacks
- setup a SOCKS4 server
When first run W32/Rbot-GHO copies itself to \radnom.exe.
The following registry entries are created to run W32/Rbot-GHO on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
radnom.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
radnom.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft
radnom.exe
Name Troj/Dropper-NX
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 2
Description
Troj/Dropper-NX is a Trojan for the Windows platform.
The dropped file is detected as Troj/PWS-ADA.
Name W32/ShipUp-F
Type
* Spyware Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/ShipUp-F is a worm for the Windows platform.
Advanced
W32/ShipUp-F is a worm for the Windows platform.
When first run W32/ShipUp-F copies itself to:
\ccPrxy.exe
\infrom.dat
\SP00LSV.EXE
W32/ShipUp-F also creates the files:
\ldlist.txt
\ld.ini
\ver.txt
\FILETIME.DAT
\ldjs.txt
\driver32\Info.txt
\driver32\ldf
These files can be safely deleted.
W32/ShipUp-F attempts to copy itself to logical drives found on the
computer. The worm will attempt to create a hidden file
\autorun.inf on the removeable drive.
The following registry entry is created to run ccPrxy.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccPrxy.exe
ccPrxy.exe
The following registry entry is set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
9f
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\ShipUp\
HKLM\SOFTWARE\Microsoft\ShipTr\
W32/ShipUp-F includes functionality to:
- download code from the internet as \netsvc.exe
- steal system information
Name W32/LCPrank-C
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Stops the computer from booting
* Modifies data on the computer
* Deletes files off the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/LCPrank-C is a worm for the Windows platform.
W32/LCPrank-C will attempt to copy itself to mapped drives and create
the file autorun.inf which will run the worm upon drive access.
Advanced
W32/LCPrank-C is a worm for the Windows platform.
W32/LCPrank-C will attempt to copy itself to mapped drives and create
the file autorun.inf which will run the worm upon drive access.
When run, W32/LCPrank-C creates the following files:
\TempCache\iscch.exe (Detected as W32/LCPrank-A)
\iscch.exe (Detected as W32/LCPrank-A)
\TempCache\winlogon.exe (Detected as W32/LCPrank-C)
The worm also creates the following files:
\autorun.inf (Can be safely removed)
\TempCache\autorun.inf (Can be safely removed)
The following registry entry is created to run iscch.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iscch
\iscch.exe
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\StandardProfile
DoNotAllowExceptions
0
The following registry entries are set, disabling the registry editor
(regedit) and the Windows task manager (taskmgr):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
NoViewContextMenu
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoPropertiesMycomputer
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoPropertiesMyDocuments
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoShellSearchButton
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoStartMenuMorePrograms
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoToolBarsOnTaskBar
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoTrayContextMenu
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoTrayItemsDisplay
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoViewOnDrive
4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
1
Name W32/Sality-AH
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Aliases
* Virus.Win32.Krepper.30760
* W32/Sality.h
* W32.HLLP.Sality
* PE_SALITY.L
Prevalence (1-5) 2
Description
W32/Sality-AH is a virus for the Windows platform.
Advanced
W32/Sality-AH is a virus for the Windows platform.
When first run, W32/Sality-AH creates the file \syslib32.dll.
This file is also detected as W32/Sality-AH.
Name W32/Nyxem-H
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* Reduces system security
* Installs itself in the Registry
Aliases
* Win32/Nyxem.NAA worm
* WORM_NYXEM.AA
* Email-Worm.Win32.Nyxem.e
Prevalence (1-5) 2
Description
W32/Nyxem-H is an email and network worm for the Windows platform.
W32/Nyxem-H includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Nyxem-H may drop an empty file to the Windows system folder with
the same name as itself but with a ZIP extension and attempts to open
it in order to hide its functionality.
W32/Nyxem-H may periodically attempt to download and run an update of
itself.
W32/Nyxem-H tries to terminate and remove selected anti-virus and
security related applications and deletes registry entries to prevent
applications from running on startup
W32/Nyxem-H is also capable of disabling the mouse and keyboard of
the affected system.
W32/Nyxem-H sends itself to email addresses it harvests from files on
the infected computer, sending itself as if from one contact to
another. The emails sent have the following characteristics:
Subject lines include the following, or may be blank:
*Hot Movie*
A Great Video
Arab sex DSC-00465.jpg
eBook.pdf
Fuckin Kama Sutra pics
Fw:
Fw: DSC-00465.jpg
Fw: Funny :)
Fw: Picturs
Fw: Real show
Fw: SeX.mpg
Fw: Sexy
Fwd: Crazy illegal Sex!
Fwd: image.jpg
Fwd: Photo
give me a kiss
Hello
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Re:
Re: Sex Video
School girl fantasies gone bad
The Best Videoclip Ever
the file
Word file
You Must View This Videoclip!
Message bodies include the following, and may contain images that
cannot be displayed:
----- forwarded message -----
???????????????????????????? ????????????? ?????? ???????????
forwarded message
DSC-00465.jpg DSC-00466.jpg DSC-00467.jpg
forwarded message attached.
Fuckin Kama Sutra pics
hello, i send the file. bye
hi i send the details bye
Hot XXX Yahoo Groups
how are you? i send the details. OK ?
i attached the details. Thank you
i just any one see my photos. It's Free :)
Note: forwarded message attached.
photo photo2 photo3
Please see the file.
ready to be FUCKED :)
VIDEOS! FREE! (US$ 0,00)
What?
Attachments may be executable files or mime files containing
executable files. Executable attachment filenames include the
following:
007.pif
04.pif
677.pif
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.PIF
image04.pif
New_Document_file.pif
photo.pif
School.pif
Mime attachment filenames include the following:
3.92315089702606E02.UUE
Attachments[001].B64
Attachments00.HQX
Attachments001.BHX
eBook.Uu
Original Message.B64
Sex.mim
SeX.mim
Video_part.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu
Mime attachment filenames also include the following:
392315089702606E-02
Clipe
Miss
Photos
Sweet_09
with one of the following extensions:
.b64
.BHx
.HQX
.mim
.uu
.UUE
.XxE
If the attachment is a mime file, it contains a file with one of the
following filenames followed by several spaces and an SCR extension:
392315089702606E-02,UUE
Adults_9,zip
ATT01.zip
Atta[001],zip
Attachments,zip
Attachments[001],B64
Clipe,zip
New Video,zip
Photos,zip
SeX,zip
WinZip,zip
WinZip.zip
Word XP.zip
Word.zip
W32/Nyxem-H attempts to spread to network shares with weak passwords
using the name WINZIP_TMP.exe.
Advanced
W32/Nyxem-H is an email and network worm for the Windows platform.
W32/Nyxem-H includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Nyxem-H may drop an empty file to the Windows system folder with
the same name as itself but with a ZIP extension and attempts to open
it in order to hide its functionality.
W32/Nyxem-H may periodically attempt to download and run an update of
itself.
W32/Nyxem-H tries to terminate and remove selected anti-virus and
security related applications and deletes registry entries to prevent
applications from running on startup
W32/Nyxem-H is also capable of disabling the mouse and keyboard of
the affected system.
W32/Nyxem-H sends itself to email addresses it harvests from files on
the infected computer, sending itself as if from one contact to
another. The emails sent have the following characteristics:
Subject lines include the following, or may be blank:
*Hot Movie*
A Great Video
Arab sex DSC-00465.jpg
eBook.pdf
Fuckin Kama Sutra pics
Fw:
Fw: DSC-00465.jpg
Fw: Funny :)
Fw: Picturs
Fw: Real show
Fw: SeX.mpg
Fw: Sexy
Fwd: Crazy illegal Sex!
Fwd: image.jpg
Fwd: Photo
give me a kiss
Hello
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Re:
Re: Sex Video
School girl fantasies gone bad
The Best Videoclip Ever
the file
Word file
You Must View This Videoclip!
Message bodies include the following, and may contain images that
cannot be displayed:
----- forwarded message -----
???????????????????????????? ????????????? ?????? ???????????
forwarded message
DSC-00465.jpg DSC-00466.jpg DSC-00467.jpg
forwarded message attached.
Fuckin Kama Sutra pics
hello, i send the file. bye
hi i send the details bye
Hot XXX Yahoo Groups
how are you? i send the details. OK ?
i attached the details. Thank you
i just any one see my photos. It's Free :)
Note: forwarded message attached.
photo photo2 photo3
Please see the file.
ready to be FUCKED :)
VIDEOS! FREE! (US$ 0,00)
What?
Attachments may be executable files or mime files containing
executable files. Executable attachment filenames include the
following:
007.pif
04.pif
677.pif
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.PIF
image04.pif
New_Document_file.pif
photo.pif
School.pif
Mime attachment filenames include the following:
3.92315089702606E02.UUE
Attachments[001].B64
Attachments00.HQX
Attachments001.BHX
eBook.Uu
Original Message.B64
Sex.mim
SeX.mim
Video_part.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu
Mime attachment filenames also include the following:
392315089702606E-02
Clipe
Miss
Photos
Sweet_09
with one of the following extensions:
.b64
.BHx
.HQX
.mim
.uu
.UUE
.XxE
If the attachment is a mime file, it contains a file with one of the
following filenames followed by several spaces and an SCR extension:
392315089702606E-02,UUE
Adults_9,zip
ATT01.zip
Atta[001],zip
Attachments,zip
Attachments[001],B64
Clipe,zip
New Video,zip
Photos,zip
SeX,zip
WinZip,zip
WinZip.zip
Word XP.zip
Word.zip
W32/Nyxem-H attempts to spread to network shares with weak passwords
using the name WINZIP_TMP.exe.
When first run W32/Nyxem-H copies itself to:
\WinZip Quick Pick.exe
\WINZIP_TMP.exe
\Rundll16.exe
\WINZIP_TMP.exe
\scanregw.exe
and creates the following files:
\Tasks\At1.job
\Tasks\At2.job
\%ORIGFILENAME%
These files can be deleted.
The following registry entry is created to run scanregw.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry
scanregw.exe /scan
Name W32/Looked-CL
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Looked-CL is a Windows executable virus and network worm.
Advanced
W32/Looked-CL is a Windows executable virus and network worm.
When first run the virus copies itself to \Logo1_.exe and
\uninstall\rundl132.exe and creates the file
\RichDll.dll.
The virus infects EXE files found on the infected computer. The virus
also attempts to copy itself to remote network shares.
The following registry entry is created in order to run the virus on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
\uninstall\rundl132.exe
Name W32/Rbot-GHQ
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* W32/Nirbot.worm
Prevalence (1-5) 2
Description
W32/Rbot-GHQ is a worm and IRC Backdoor for the Windows platform.
W32/Rbot-GHQ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Rbot-GHQ is a worm and IRC Backdoor for the Windows platform.
W32/Rbot-GHQ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-GHQ copies itself to \algose32.exe.
The following registry entries are created to run algose32.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Offices Monitorse
\algose32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Offices Monitorse
\algose32.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Name W32/Catcher-A
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Modifies browser settings
Aliases
* Worm.VBS.Solow.a
* VBS/Butsur.B
* VBS.Solow
Prevalence (1-5) 2
Description
W32/Catcher-A is a worm for the Windows platform.
Advanced
W32/Catcher-A is a worm for the Windows platform.
W32/Catcher-A spreads by copying itself to the root of all mapped
drives.
When first run W32/Catcher-A copies itself to:
\fucker.vbs
\fucker.vbs
and creates the file \autorun.inf.
The following registry entry is created to run fucker.vbs on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Fucker
\fucker.vbs
W32/Catcher-A changes settings for Microsoft Internet Explorer by
modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
Name Troj/Mosuck-CZ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* New VB-b
* Backdoor.Win32.MoSucker.bh
* W32/Backdoor.AIXR
Prevalence (1-5) 2
Description
Troj/Mosuck-CZ is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Advanced
Troj/Mosuck-CZ is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Troj/Mosuck-CZ includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Mosuck-CZ is installed it copies itself
\fonts\lsass.exe.
The following registry entries are created to run lsass.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lsass
\FONTS\lsass.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
lsass
\FONTS\lsass.exe /RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
lsass
\FONTS\lsass.exe
The following registry entry is set or modified, so that lsass.exe is
run when files with extensions of EXE are opened/launched:
HKCR\exefile\shell\open\command
(default)
\FONTS\lsass.exe "%1" %*
Registry entries are created under:
HKCU\Software\VB and VBA Program
Settings\BCHQBID13512610000BHNBDT\BCHQBID13512610000BHNBDT
HKCU\Software\VB and VBA Program Settings\Options\Windows XP
Name W32/MSNVB-E
Type
* Spyware Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Steals information
Prevalence (1-5) 2
Description
W32/MSNVB-E is a worm for the Windows platform.
Advanced
W32/MSNVB-E is a worm for the Windows platform.
W32/MSNVB-E may attempt to spread through Microsoft's MSN Messenger
program.
W32/MSNVB-E may attempt to steal information from an infected computer.
When first run W32/MSNVB-E-A copies itself to \ * Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)SEEN-BY: 633/267 @PATH: 123/140 500 379/1 633/267 |
|
| SOURCE: echomail via fidonet.ozzmosis.com | |
Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.