| TIP: Click on subject to list as thread! | ANSI |
| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | News, May 7 2006 |
[cut-n-paste from sophos.com]
Name Troj/Kango-C
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Kango-C is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer via IRC channels.
Advanced
Troj/Kango-C is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer via IRC channels.
When first run Troj/Kango-C moves itself to <system>\system32.exe
and creates the following registry entries to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Service
system32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Service
system32.exe
The following registry entry is set:
HKCU\Software\Microsoft\OLE
Microsoft Service
system32.exe
Name Troj/Zapchas-BF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Installs itself in the Registry
Aliases
* TROJ_DROPPER.BCJ
Prevalence (1-5) 2
Description
Troj/Zapchas-BF is a multi-component backdoor Trojan that drops the
virus W32/Parite-B.
Troj/Zapchas-BF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Troj/Zapchas-BF includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Zapchas-BF is a multi-component backdoor Trojan that drops the
virus W32/Parite-B.
Troj/Zapchas-BF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Troj/Zapchas-BF includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Zapchas-BF is installed the following files are created:
\aliases.ini
\away.txt
\control.ini
\fullname.txt
\ident.txt
\mirc.ico
\mirc.ini
\nicks.txt
\remote.ini
\script.ini
\servers.ini
\sup.bat
\sup.reg
\svchost.exe
\users.ini
The file svchost.exe is a legitimate mIRC application infected with
the virus W32/Parite-B. The file script.ini is a malicious mIRC
configuration file and is also detected as Troj/Zapchas-BF. The other
files are harmless.
The following registry entries are set or modified so that
svchost.exe is run when files with extensions of CHA and IRC are
opened/launched:
HKCR\ChatFile\Shell\open\command
(default)
\svchost.exe" -noconnect
HKCR\irc\Shell\open\command
(default)
\svchost.exe" -noconnect
Registry entries are set as follows:
HKCR\ChatFile\DefaultIcon
(default)
\svchost.exe
HKCR\irc\DefaultIcon
(default)
\svchost.exe
Registry entries are created under:
HKCU\Software\Microsoft\Microsoft Agent\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\
Name Troj/Dloadr-UP
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.VB.acc
Prevalence (1-5) 2
Description
Troj/Dloadr-UP is a Trojan for the Windows platform.
Troj/Dloadr-UP includes the functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Dloadr-UP is a Trojan for the Windows platform.
Troj/Dloadr-UP includes the functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Dloadr-UP is run it creates the following files
\LoadService.exe (also detected as
Troj/Dloadr-UP)
\softverfile.ini (this file is harmless and
may be deleted)
Troj/Dloadr-UP creates the following registry entry to run at system
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LoadService
\LoadService.exe
Name W32/Feebs-AA
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
Aliases
* Worm.Win32.Feebs.gi
* JS/Feebs.gen.a{at}MM
* JS/TrojanDownloader.Tivso.gen
Prevalence (1-5) 2
Description
W32/Feebs-AA is a worm for the Windows platform.
W32/Feebs-AA may arrive as an email with the following characteristics:
Subject:
Protected Mail from user.
where may be a common domain name.
Message text:
You have received Protected Mail
To read the message open attached file.
User ID:
Password:
Keep your password in a safe place.
Sincerely,
Encrypted Message System,
Advanced
W32/Feebs-AA is a worm for the Windows platform.
W32/Feebs-AA may arrive as an email with the following characteristics:
Subject:
Protected Mail from user.
where may be a common domain name.
Message text:
You have received Protected Mail
To read the message open attached file.
User ID:
Password:
Keep your password in a safe place.
Sincerely,
Encrypted Message System,
The worm will be contained in a ZIP file.
Name W32/Bobax-BV
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Uses its own emailing engine
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Net-Worm.Win32.Bobic.ak
Prevalence (1-5) 2
Description
W32/Bobax-BV is a worm for the Windows platform.
W32/Bobax-BV spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including PNP (MS05-039).
W32/Bobax-BV includes functionality to communicate with a remote
server via HTTP.
W32/Bobax-BV contains an SMTP engine which it may use in order to
spread by email.
Advanced
W32/Bobax-BV is a worm for the Windows platform.
W32/Bobax-BV spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including PNP (MS05-039).
When run W32/Bobax-BV creates a copy of itself in the temp folder and
in the system folder with different random names.
W32/Bobax-BV attempts to contact a number of preconfigured internet
sites in order to report successful infection.
W32/Bobax-BV includes functionality to communicate with a remote
server via HTTP.
W32/Bobax-BV contains an SMTP engine which it may use in order to
spread by email.
W32/Bobax-BV modifies the HOSTS file located at
\Drivers\etc\HOSTS, mapping selected anti-virus websites to
the loopback address 255.255.255.255 in an attempt to prevent access
to these sites.
The following registry entry is created to run .exe
on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\.exe
W32/Bobax-BV sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
W32/Bobax-BV also sets the following registry entries, affecting
Windows Firewall settings:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
FirewallPolicy\DomainProfile
DoNotAllowExceptions
0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
FirewallPolicy\DomainProfile
EnableFirewall
0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
FirewallPolicy\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOveride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOveride
1
W32/Bobax-BV injects itself into Explorer as a separate thread, so is
not visible as a separate process.
Name Troj/Banloa-CCC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Banloa-CCC is a Trojan for the Windows platform.
Troj/Banloa-CCC includes functionality to access the internet and
communicate
with a remote server via HTTP.
Troj/Banloa-CCC will attempt to download files from the internet and
run them.
They are detected by Sophos as Troj/Bnkmr-Fam.
Name Troj/Harnig-S
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
Aliases
* Trojan-Downloader.Win32.Harnig.bh
* Downloader-AVS
* Win32/TrojanDownloader.Small.CKJ
Prevalence (1-5) 2
Description
Troj/Harnig-S is a Trojan for the Windows platform.
Troj/Harnig-S includes the following functionalities to:
- access the Internet and communicate with a remote server via HTTP
- terminate processes
- silently download, install and run new software
Advanced
Troj/Harnig-S is a Trojan for the Windows platform.
Troj/Harnig-S includes the following functionalities to:
- access the Internet and communicate with a remote server via HTTP
- terminate processes
- silently download, install and run new software
Troj/Harnig-S attempts to download files to the following locations:
/paytime.exe
/secure32.html
/country.exe
/kl1.exe
/ms1.exe
/tool1.exe
/tool2.exe
/tool3.exe
/tool4.exe
/tool5.exe
/toolbar.exe
/uniq
/hosts
Troj/Harnig-S modifies internet security settings by setting the
following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet\Settings\zonema
p
intranetname="1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet\Settings\zonema
p
uncasintranet="1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet\Settings\zonema
p
proxybypass="1"
Also in attempt to disable Windows firewall Troj/Harnig-S deletes a
registry entries under the following entry:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Name W32/Bagle-IV
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Scano.t
* W32/Scano.H
Prevalence (1-5) 2
Description
W32/Bagle-IV is a mass-mailing worm and backdoor Trojan for the
Windows platform.
W32/Bagle-IV includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Bagle-IV is a mass-mailing worm and backdoor Trojan for the
Windows platform.
W32/Bagle-IV includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Bagle-IV copies itself to \csrss.exe and
creates the file \Message.zip.
The file Message.zp is detected as W32/Bagle-Zip.
The following registry entry is changed to run W32/Bagle-IV on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\explorer.exe
Debugger
\csrss.exe
W32/Bagle-IV will attempt to email itself to addresses harvested from
the infected computer as an attachment.
Name W32/Tumbi-B
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* WORM_TUMBI.E
* Backdoor.Win32.Delf.abc
Prevalence (1-5) 2
Description
W32/Tumbi-B is a network worm and backdoor Trojan for the Windows
platform.
Advanced
W32/Tumbi-B is a network worm and backdoor Trojan for the Windows
platform.
W32/Tumbi-B spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including RPC-DCOM (MS04-012) and by
copying itself to network shares protected by weak passwords.
W32/Tumbi-B runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer.
When run W32/Tumbi-B creates the following registry entry to run
itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft IIS
Name W32/Feebs-AB
Type
* Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 2
Description
W32/Feebs-AB is a worm for the Windows platform.
W32/Feebs-AB typically arrives in a zip file attached to an email.
The email claims that the attachment is an encrypted message which
the user should open to read. In reality the attachment drops the
worm's executable component.
Advanced
W32/Feebs-AB is a worm for the Windows platform.
W32/Feebs-AB typically arrives in a zip file attached to an email.
The email claims that the attachment is an encrypted message which
the user should open to read.
When opened, W32/Feebs-AB will create the file
C:\Recycled\userinit.exe, which is detected as W32/Feebs-Gen.
Name W32/Feebs-AC
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Worm.Win32.Feebs.gj
* W32/Feebs.gen{at}MM
* WORM_FEEBS.JA
Prevalence (1-5) 2
Description
W32/Feebs-AC is a worm for the Windows platform.
W32/Feebs-AC spreads via file sharing on P2P networks.
W32/Feebs-AC creates ZIP archives containing a copy of the worm in
folders used by peer to peer applications.
The zip archives have the following names:
3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip
Advanced
W32/Feebs-AC is a worm for the Windows platform.
W32/Feebs-AC spreads via file sharing on P2P networks.
When first run W32/Feebs-AC copies itself to:
\ms??
\ms??.exe
where ?? are randomly chosen characters.
The worm also creates the file
\ms??32.dll
which is also detected as W32/Feebs-AC.
The following registry entry is created to run code exported by the
worm library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayL
oad
ms??32.dll
{8F53293D-EBEB-A101-F67A-64EE3F0E359D}
The file ms??32.dll is registered as a COM object, creating registry
entries under:
HKCR\CLSID\{8F53293D-EBEB-A101-F67A-64EE3F0E359D}
W32/Feebs-AC creates ZIP archives containing a copy of the worm in
folders used by peer to peer applications.
The zip archives have the following names:
3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip
Name W32/Sdbot-BLW
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.apx
* W32/Sdbot.worm.gen.ay
* WORM_SDBOT.DVT
Prevalence (1-5) 2
Description
W32/Sdbot-BLW is a network worm and IRC backdoor Trojan for the
Windows platform.
Advanced
W32/Sdbot-BLW is a network worm and IRC backdoor Trojan for the
Windows platform.
W32/Sdbot-BLW spreads to remote network shares protected by weak
passwords and to computers vulnerable to common exploits, including
LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1
(MS04-007).
W32/Sdbot-BLW includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Sdbot-BLW copies itself to \netbtd.exe.
The file netbtd.exe is registered as a new system driver service
named "NetBTD", with a display name of "NetBTD(ntbtd)" and a
description of"Net bios background information transfer service." and
a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\NetBTD\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBTD\
W32/Sdbot-BLW sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Rbot-DID
Type
* Spyware Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Used in DOS attacks
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Rbot-DID is a network and AOL Instant Messenger worm and IRC
backdoor Trojan for the Windows platform.
Advanced
W32/Rbot-DID is a network and AOL Instant Messenger worm and IRC
backdoor Trojan for the Windows platform.
W32/Rbot-DID runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-DID spreads to other computers via network shares protected
by weak passwords and by AOL Instant Messenger by sending attachments
of itself to the list of contacts.
The filenames attached can be chosen from any of the following:
file.TXT.scr
document.TXT.exe
images_packed_with_winzip.ZIP.exe
Upgrade_messenger.exe
messgr_icon_install.exe
animation_icon_pack.exe
install_update.exe
free_smser_install.exe
document1.DOC.scr
readme.DOC.scr
document_saved.zip
free_stuff_2394.zip
pictures_winzip.zip
new version (messenger).zip
animation_icons.zip
messenger_icons.zip
critical_update.zip
free sms install.zip
secret (important).zip
story_read_this.zip
When first run W32/Rbot-DID copies itself to \msclt.exe and
creates the file \rBot.txt. The file rBot.txt can be deleted.
W32/Rbot-DID includes functionality to:
- log keystrokes
- perform DDoS attacks
- setup a SOCKS4 server
- download code from the internet
The following registry entries are created to run msclt.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft client for NT
msclt.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft client for NT
msclt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft client for NT
msclt.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft client for NT
msclt.exe
The following registry entry is changed to run msclt.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe msclt.exe
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file \Explorer.exe to be run on startup).
W32/Rbot-DID sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
W32/Rbot-DID may also create or change registry entries under:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\SOFTWARE\Microsoft\security center
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKLM\SOFTWARE\Microsoft\OLE
W32/Rbot-DID also overwrites the HOSTS file with the following
mappings:
127.0.0.1 localhost
14.156.202.237 avp.com
7.50.30.209 ca.com
43.211.251.140 customer.symantec.com
9.173.175.98 dispatch.mcafee.com
53.217.31.32 download.mcafee.com
184.168.12.166 downloads1.kaspersky-labs.com
3.192.145.174 downloads2.kaspersky-labs.com
221.230.184.6 downloads3.kaspersky-labs.com
54.3.82.57 downloads4.kaspersky-labs.com
42.181.121.214 downloads-eu1.kaspersky-labs.com
178.141.86.201 downloads-eu2.kaspersky-labs.com
96.58.21.244 downloads-eu3.kaspersky-labs.com
108.202.171.17 downloads-eu4.kaspersky-labs.com
61.73.87.108 downloads-us1.kaspersky-labs.com
119.76.239.151 downloads-us2.kaspersky-labs.com
65.83.120.39 downloads-us3.kaspersky-labs.com
244.249.20.247 downloads-us4.kaspersky-labs.com
56.221.190.187 f-secure.com
77.208.111.176 ftp.avp.com
157.144.5.65 ftp.ca.com
182.61.39.127 ftp.customer.symantec.com
79.73.254.177 ftp.dispatch.mcafee.com
139.248.224.213 ftp.download.mcafee.com
137.208.219.104 ftp.downloads1.kaspersky-labs.com
119.251.197.206 ftp.downloads2.kaspersky-labs.com
186.10.174.33 ftp.downloads3.kaspersky-labs.com
106.131.218.197 ftp.downloads4.kaspersky-labs.com
33.197.45.20 ftp.downloads-eu1.kaspersky-labs.com
231.33.161.240 ftp.downloads-eu2.kaspersky-labs.com
193.152.60.152 ftp.downloads-eu3.kaspersky-labs.com
153.220.144.14 ftp.downloads-eu4.kaspersky-labs.com
157.196.74.92 ftp.downloads-us1.kaspersky-labs.com
58.235.209.36 ftp.downloads-us2.kaspersky-labs.com
205.57.252.170 ftp.downloads-us3.kaspersky-labs.com
77.238.95.210 ftp.downloads-us4.kaspersky-labs.com
221.148.176.197 ftp.f-secure.com
169.70.96.45 ftp.grisoft.com
250.73.62.197 ftp.kaspersky.com
207.243.224.42 ftp.kaspersky-labs.com
122.62.31.152 ftp.liveupdate.symantec.com
17.141.88.162 ftp.liveupdate.symantecliveupdate.com
36.16.211.254 ftp.mast.mcafee.com
142.65.120.226 ftp.mcafee.com
215.91.164.171 ftp.my-etrust.com
119.228.217.66 ftp.nai.com
119.18.41.227 ftp.networkassociates.com
173.28.103.89 ftp.norton.com
48.106.44.56 ftp.rads.mcafee.com
35.136.169.186 ftp.sandbox.norman.com
130.89.207.202 ftp.secure.nai.com
24.10.214.69 ftp.securityresponse.symantec.com
41.154.146.165 ftp.sophos.com
36.24.60.2 ftp.symantec.com
70.205.147.33 ftp.symantecliveupdate.com
139.27.237.140 ftp.symatec.com
226.31.179.218 ftp.trendmicro.com
234.233.205.31 ftp.uk.trendmicro-europe.com
66.128.3.188 ftp.update.symantec.com
171.64.93.16 ftp.updates.symantec.com
130.121.249.18 ftp.updates1.kaspersky-labs.com
210.219.232.127 ftp.updates2.kaspersky-labs.com
138.251.135.173 ftp.updates3.kaspersky-labs.com
18.23.241.124 ftp.updates4.kaspersky-labs.com
74.82.110.162 ftp.us.mcafee.com
181.161.253.197 ftp.viruslist.com
208.23.240.137 grisoft.com
92.61.36.154 kaspersky.com
36.193.203.213 kaspersky-labs.com
124.21.113.150 liveupdate.symantec.com
122.191.132.64 liveupdate.symantecliveupdate.com
190.155.37.32 mast.mcafee.com
179.161.9.181 mcafee.com
41.132.42.106 my-etrust.com
46.209.19.103 nai.com
18.188.116.128 networkassociates.com
102.224.110.218 norton.com
110.135.33.97 pandasoftware.com
227.223.254.145 rads.mcafee.com
227.24.108.55 sandbox.norman.com
128.204.161.63 secure.nai.com
185.75.243.140 securityresponse.symantec.com
114.137.213.147 sophos.com
136.226.80.33 symantec.com
49.231.59.13 symantecliveupdate.com
72.96.243.68 symatec.com
163.70.92.96 trendmicro.com
39.224.225.195 uk.trendmicro-europe.com
34.55.79.110 update.symantec.com
51.17.51.112 updates.symantec.com
195.186.28.77 updates1.kaspersky-labs.com
79.51.233.162 updates2.kaspersky-labs.com
131.142.129.220 updates3.kaspersky-labs.com
128.44.152.225 updates4.kaspersky-labs.com
46.4.120.236 us.mcafee.com
130.171.209.13 viruslist.com
161.232.23.116 virusscan.jotti.org
52.87.239.27 virustotal.com
97.7.185.87 www.avp.com
201.151.42.236 www.ca.com
112.46.2.63 www.customer.symantec.com
222.94.245.36 www.dispatch.mcafee.com
138.73.34.126 www.download.mcafee.com
67.20.191.27 www.downloads1.kaspersky-labs.com
29.141.118.136 www.downloads2.kaspersky-labs.com
174.131.234.216 www.downloads3.kaspersky-labs.com
155.52.120.122 www.downloads4.kaspersky-labs.com
176.92.43.170 www.downloads-eu1.kaspersky-labs.com
158.195.116.44 www.downloads-eu2.kaspersky-labs.com
0.204.163.184 www.downloads-eu3.kaspersky-labs.com
84.237.28.93 www.downloads-eu4.kaspersky-labs.com
11.154.96.188 www.downloads-us1.kaspersky-labs.com
67.244.93.229 www.downloads-us2.kaspersky-labs.com
234.91.150.57 www.downloads-us3.kaspersky-labs.com
215.168.20.129 www.downloads-us4.kaspersky-labs.com
16.53.61.77 www.f-secure.com
70.114.129.161 www.grisoft.com
213.50.110.17 www.kaspersky.com
58.109.29.215 www.kaspersky-labs.com
81.162.28.132 www.liveupdate.symantec.com
88.147.48.75 www.liveupdate.symantecliveupdate.com
130.13.152.142 www.mast.mcafee.com
144.242.62.188 www.mcafee.com
198.181.227.8 www.my-etrust.com
55.254.71.159 www.nai.com
35.172.213.224 www.networkassociates.com
127.103.209.64 www.norton.com
221.241.146.73 www.pandasoftware.com
181.1.69.122 www.rads.mcafee.com
228.41.75.111 www.sandbox.norman.com
81.68.155.126 www.secure.nai.com
8.215.212.84 www.securityresponse.symantec.com
211.212.87.42 www.sophos.com
3.190.143.162 www.symantec.com
252.29.87.107 www.symantecliveupdate.com
79.54.147.163 www.symatec.com
198.248.107.186 www.trendmicro.com
212.162.189.184 www.uk.trendmicro-europe.com
60.239.70.160 www.update.symantec.com
221.248.127.108 www.updates.symantec.com
145.0.185.74 www.updates1.kaspersky-labs.com
96.206.3.146 www.updates2.kaspersky-labs.com
155.118.65.51 www.updates3.kaspersky-labs.com
22.124.37.242 www.updates4.kaspersky-labs.com
140.220.95.86 www.us.mcafee.com
231.211.177.136 www.viruslist.com
7.113.74.125 www.virustotal.com
Name Troj/Clicker-CO
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Trojan-Clicker.Win32.VB.lf
Prevalence (1-5) 2
Description
Troj/Clicker-CO is a Trojan for the Windows platform.
Troj/Clicker-CO includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Clicker-CO is a Trojan for the Windows platform.
Troj/Clicker-CO includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Clicker-CO copies itself to the Program Files
folder. Locations seen include:
\Internet Explorer\
\Updates\
\winupdates\
The following registry entry is created to run Troj/Clicker-CO on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\
Name Troj/Haxdoor-CA
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Haxdoor.ir
Prevalence (1-5) 2
Description
Troj/Haxdoor-CA is a Trojan for the Windows platform.
Troj/Haxdoor-CA runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
Troj/Haxdoor-CA includes functionality to:
stealth its files, processes, registry entries and services
prevent itself being terminated
prevent itself being deleted
disable other software, including anti-virus, firewall and security
related applications
Advanced
Troj/Haxdoor-CA is a Trojan for the Windows platform.
Troj/Haxdoor-CA runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
Troj/Haxdoor-CA includes functionality to:
stealth its files, processes, registry entries and services
prevent itself being terminated
prevent itself being deleted
disable other software, including anti-virus, firewall and security
related applications
When Troj/Haxdoor-CA is installed the following files are created:
\klgcptini.dat
\qz.dll
\qz.sys
\stt82.ini
\vistaj.sys
\vistax.dll
The files qz.dll, qz.sys, vistaj.sys and vistax.dll are detected as
Troj/Haxdor-Fam.
The following registry entries are created to run code exported by
vistax.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\vistax
DllName
vistax.dll
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\vistax
Startup
CxaEqsData
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\vistax
Impersonate
1
The file vistaj.sys is registered as a new system driver service
named "vistaj", with a display name of "SE 3.0 memory driver".
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\vistaj\
The file vistaj.sys is also registered as a new system driver service
named "vistax", with a display name of "SE 3.2 memory
driver" and a
startup type of automatic, so that it is started automatically during
system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\vistax\
Name Troj/FakeVir-M
Type
* Trojan
Affected operating systems
* Windows
Aliases
* FakeAlert-B
Prevalence (1-5) 2
Description
Troj/FakeVir-M is a Trojan for the Windows platform.
Advanced
Troj/FakeVir-M is a Trojan for the Windows platform.
Troj/FakeVir-M will create a notification area icon which repeatedly
creates a
window which says:
Your computer is infected!
Critical System Error!
System detected virus activities.
They may cause critical system
failure. Please, use antimalware
software to clean and protect your
system from parasite programs.
Click here to get all available
software.
When the window is clicked, a browser is opened and directed to
www.spyfalcon.com.
Name Troj/Spammit-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Win32/Agent.TK
* SpamTool.Win32.Agent.i
Prevalence (1-5) 2
Description
Troj/Spammit-B is a backdoor Trojan which allows an infected computer
to send emails as instructed by a remote intruder.
Advanced
Troj/Spammit-B is a backdoor Trojan which allows an infected computer
to send emails as instructed by a remote intruder.
The following registry entry is created to run Troj/Spammit-B on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS
The following registry entries are set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\
DomainProfile\AuthorizedApplications\List
C:\NvRun\:*:Enabled:Server
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\
StandardProfile\AuthorizedApplications\List
C:\NvRun\:*:Enabled:Server
Name Troj/PWS-SA
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Aliases
* PWS-JA
* Win32/TrojanDropper.Small.NEA
* Trojan-PSW.Win32.Sinowal.n
Prevalence (1-5) 2
Description
Troj/PWS-SA is a Trojan for the Windows platform.
Name Troj/Slogger-K
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Proxy.Win32.Wopla.v
* Win32/TrojanDropper.Small.ZK
Prevalence (1-5) 2
Description
Troj/Slogger-K is a Trojan for the Windows platform.
Troj/Slogger-K includes the following functionalities to:
- communicate with remote servers via HTTP
- download and run files
- terminate anti-virus and security related processes
- send email
Advanced
Troj/Slogger-K is a Trojan for the Windows platform.
Troj/Slogger-K includes the following functionalities to:
- communicate with remote servers via HTTP
- download and run files
- terminate anti-virus and security related processes
- send email
When first run Troj/Slogger-K copies itself to <System>\<random
filename>.exe
and creates the file <System>\<random filename>.dll.
The following registry entry is created to run code exported by the
Trojan
library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
SysTray.Exbt
(5368D5FC-6F6C-4f5b-B564-E67214F67552)
The DLL file is registered as a COM object, creating registry entries
under:
HKCR\CLSID\(5368D5FC-6F6C-4f5b-B564-E67214F67552)
Troj/Slogger-K changes settings for Microsoft Internet Explorer by
modifying
values under:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)SEEN-BY: 633/267 270 @PATH: 123/140 500 106/2000 633/267 |
|
| SOURCE: echomail via fidonet.ozzmosis.com | |
Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.