echo: virus
to: ALL
from: KURT WISMER
date: 2007-11-11 23:58:00
subject: News, November 11 2007

[cut-n-paste from sophos.com]

Name   Troj/Zlob-AFW

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Zlob-AFW is a Trojan for the Windows platform.





Name   W32/Mabezat-A

Type  
    * Virus

How it spreads  
    * Removable storage devices
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Leaves non-infected files on computer

Aliases  
    * Worm.Win32.Mabezat.a

Prevalence (1-5) 2

Description
W32/Mabezat-A is a virus for the Windows platform which also spreads by 
copying itself to network shares and removable devices.

Advanced
W32/Mabezat-A is a virus for the Windows platform which also spreads by 
copying itself to network shares and removable devices.

W32/Mabezat-A copies itself to removable devices with one or more of 
the following filenames:

"My documents .exe"
"Readme.doc .exe"
"tazebama.exe"

Note, the above filenames may have several space characters inserted 
between the stub and the extension in the hope that the user will not 
notice the EXE extension and click on the file which will appear as a 
folder in Explorer.

When W32/Mabezat-A is installed the following files are created:

\salo.exe - copy of the virus dropper
\1.txt - innocuous LOG file of the virus' activities

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit,salo.exe

The virus may also encrypt files (simple addition of 0x10 to every 
byte) with the following extensions: HLP, PDF, HTML, TXT, ASPX.CS, ASPX, 
PSD, MDF, RTF, HTM, PPT, PHP, ASP, PAS, H, CPP, XLS, DOC, RAR, ZIP and 
MDB.





Name   Troj/MDrop-BPY

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Prevalence (1-5) 2

Description
Troj/MDrop-BPY is a dropper Trojan for the Windows platform.

The EXE dropped by Troj/MDrop-BPY is detected as Troj/Agent-GFJ.





Name   W32/Anti-C

Type  
    * Worm

How it spreads  
    * Removable storage devices
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Anti-C is a worm for the Windows platform.





Name   W32/IRCBot-YZ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/IRCBot-YZ is a worm for the Windows platform.

Advanced
W32/IRCBot-YZ spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC 
(MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and 
RealVNC (CVE-2006-2369) and by copying itself to network shares 
protected by weak passwords.

W32/IRCBot-YZ runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

When first run W32/IRCBot-YZ copies itself to \trkwksvc.exe.

The file trkwksvc.exe is registered as a new system driver service 
named "NET Service", with a display name of "NET Service" and a startup 
type of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\NET Service

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPo
licy\DomainProfile
EnableFirewall
0

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPo
licy\DomainProfile
DoNotAllowExceptions
0

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPo
licy\DomainProfile
DisableNotifications
1

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPo
licy\StandardProfile
EnableFirewall
0

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPo
licy\StandardProfile
DoNotAllowExceptions
0

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPo
licy\StandardProfile
DisableNotifications
1

W32/IRCBot-YZ sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server
fffe

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPerServer
fffe

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
SFCDisable
ffffff9d

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
SFCScan
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center





Name   W32/Brontok-DP

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Reduces system security
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Brontok-DP is a worm for the Windows platform.

W32/Brontok-DP will attempt to copy itself to network and removable 
drives. The worm will also create an autorun.inf file so that it is 
automatically run when the drive is accessed.

Advanced
W32/Brontok-DP is a worm for the Windows platform.

W32/Brontok-DP will attempt to copy itself to network and removable 
drives, using filenames including Music.exe and Default.pif. The worm 
will also create an autorun.inf file so that it is automatically run 
when the drive is accessed. The worm also spreads to other network 
computers.

When first run W32/Brontok-DP copies itself to:

\Documents\Music.exe
\Default.pif
\Windowxp\explorer.exe
\Fonts\smss.exe
\System32.exe
\dllcache\services.exe
\oobe\isperror\csrss.exe

and creates the following files:

\autorun.inf
\SoftWareProtector\smss_out.pr
\winxp.inf

The following registry entry is changed to run W32/Brontok-DP on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\fonts\smss.exe

The following registry entries are set or modified, so that csrss.exe 
is run when files with extensions of BAT, COM, EXE and PIF are 
opened/launched:

HKCR\lnkfile\shell\open\command
(default)
\oobe\isperror\csrss.exe" "%1" %*

HKCR\batfile\shell\open\command
(default)
\oobe\isperror\csrss.exe" "%1" %*

HKCR\comfile\shell\open\command
(default)
\oobe\isperror\csrss.exe" "%1" %*

HKCR\exefile\shell\open\command
(default)
\oobe\isperror\csrss.exe" "%1" %*

HKCR\piffile\shell\open\command
(default)
\oobe\isperror\csrss.exe" "%1" %*

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HideClock
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDrives
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoShellSearchButton
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSimpleStartMenu
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
00

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
00

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
00

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
kbao
AUTO.TXT

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
00

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
00

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
00

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
00

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
00

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
00

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
000

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
\dllcache\services.exe





Name   W32/SdBot-DIP

Type  
    * Worm

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
W32/SdBot-DIP is a worm for the Windows platform.

Advanced
W32/SdBot-DIP is a worm for the Windows platform.

W32/Sdbot-DIP includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Sdbot-DIP copies itself to the Windows folder and to 
\KaZaA\My Shared Folder\.

W32/Sdbot-DIP is registered as a new system driver service named 
"s3contrl (32-bit)", with a display name of "s3contrl (32-bit)" and a 
startup type of automatic, so that it is started automatically during 
system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\s3contrl (32-bit)

The following registry entries are set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

W32/Sdbot-DIP sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe %WINDIR%\

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center
HKLM\SOFTWARE\Symantec\LiveUpdate Admin





Name   Troj/Agent-GFG

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Enables remote access

Prevalence (1-5) 2

Description
Troj/Agent-GFG is a Trojan for the Windows platform.





Name   W32/Virut-S

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
W32/Virut-S is a virus for the Windows platform.





Name   W32/SpyBot-OD

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/SpyBot-OD is a worm for the Windows platform.

Advanced
W32/SpyBot-OD is a worm for the Windows platform.

W32/SpyBot-OD runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

W32/SpyBot-OD includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/SpyBot-OD copies itself to \msnrav.exe.

The file msnrav.exe is registered as a new system driver service named 
"MSN RAV", with a display name of "MSN RAV" and a startup type of 
automatic, so that it is started automatically during system startup. 
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\MSN RAV

W32/SpyBot-OD sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center





Name   W32/SdBot-DIN

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/SdBot-DIN is a worm for the Windows platform.

Advanced
W32/SdBot-DIN is a worm for the Windows platform.

W32/SdBot-DIN runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

W32/SdBot-DIN includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/SdBot-DIN copies itself to 
\dllcache\mravsc32.exe.

The file mravsc32.exe is registered as a new system driver service 
named "Distributed Allocated Memory Unit", with a display name of 
"Distributed Allocated Memory Unit" and a startup type of automatic, so 
that it is started automatically during system startup. Registry 
entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Distributed Allocated Memory Unit

W32/SdBot-DIN sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center





Name   W32/Virut-R

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer

Prevalence (1-5) 2

Description
W32/Virut-R is an executable file virus for the Windows platform.

W32/Virut-R runs continuously in the background, infecting executable 
files and allowing a remote user to access the computer.





Name   Troj/Delf-EYT

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Delf-EYT is a Trojan for the Windows platform.

Troj/Delf-EYT includes functionality to download, install and run new 
software.

Advanced
Troj/Delf-EYT is a Trojan for the Windows platform.

Troj/Delf-EYT includes functionality to download, install and run new 
software.

When first run Troj/Delf-EYT copies itself to \imap.exe.

The following registry entry is created to run imap.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
imap
\imap.exe

 
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
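The W32/Mabezat-A entry above says the virus "encrypts" documents by adding 0x10 to every byte. The script below is an added example (not Sophos code and not part of the post) showing how an incident responder can recognise files damaged that way and restore them: it looks for a known file signature that only appears once 0x10 is taken off each byte, and for text files, which have no signature, it uses the tell-tale that every newline (0x0a) has become 0x1a. The sample files are constructed inside the script; the list of signatures covers only a few of the extensions the entry names.

```python
"""Recognise and reverse the 'add 0x10 to every byte' damage described in the
W32/Mabezat-A entry.  Added example; the sample files below are constructed."""
import string

PRINTABLE = set(string.printable.encode())  # ASCII text plus whitespace

# Leading bytes of some of the affected types (assumption: standard signatures)
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07\x00": "rar",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (doc/xls/ppt)",
    b"{\\rtf": "rtf",
}


def shift_bytes(data, delta):
    """Add delta to every byte, wrapping modulo 256 (0xff + 0x10 -> 0x0f)."""
    return bytes((b + delta) & 0xFF for b in data)


def detect_shifted(data):
    """Return a type label if data looks like a file whose bytes were all
    shifted up by 0x10, else None."""
    head = shift_bytes(data[:8], -0x10)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    # Text formats (TXT, HTM, PHP, CPP, ...) carry no signature, and shifted
    # ASCII is still mostly printable, so a printable-ratio test on the raw
    # bytes would miss them.  Instead: newlines (0x0a) become 0x1a, and the
    # bytes must all be printable once shifted back.
    restored = shift_bytes(data, -0x10)
    if data and 0x0A not in data and 0x1A in data \
            and all(b in PRINTABLE for b in restored):
        return "text"
    return None


def recover(data):
    """Return (type, restored_bytes) for a shifted file, or None if the data
    does not look shifted (so untouched files are left alone)."""
    kind = detect_shifted(data)
    if kind is None:
        return None
    return kind, shift_bytes(data, -0x10)


# Constructed originals, and the same files after the virus's +0x10 pass.
SAMPLES = {
    "notes.txt": b"Meeting notes\nsecond line\n",
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "backup.zip": b"PK\x03\x04\x14\x00\x00\x00\x08\x00\xff\xfe",
}
ENCRYPTED = {name: shift_bytes(d, 0x10) for name, d in SAMPLES.items()}

if __name__ == "__main__":
    for name, blob in ENCRYPTED.items():
        result = recover(blob)
        print(name, "->", result[0] if result else "not shifted",
              "restored ok" if result and result[1] == SAMPLES[name] else "")
```

Run it on copies, never in place: a file that is not shifted comes back as None and must be left untouched, and the signature list should be extended for whichever of the listed extensions are present on the affected machine.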
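Several of the entries above (W32/IRCBot-YZ, W32/SdBot-DIP, W32/SdBot-DIN, W32/SpyBot-OD, W32/Brontok-DP, W32/Mabezat-A) set the same handful of registry values: firewall policy off, SP2 blocked, Windows File Protection off, Task Manager and registry tools disabled, services set to Start=4, an extra program in Winlogon\Userinit, hijacked shell\open\command handlers and a replaced AeDebug debugger. The script below is an added example (not Sophos code and not part of the post) that runs those checks over a registry snapshot. The snapshot is constructed; the C:\WINDOWS path prefixes, the opening quote on the csrss.exe handler, and the XP-era defaults it compares against ("%1" %* open handlers, drwtsn32 as the AeDebug debugger) are assumptions.

```python
"""Registry triage for the settings the Sophos entries above attribute to
several worm families.  Added example, not Sophos code: the snapshot is
constructed, and the C:\\WINDOWS paths and XP-era defaults are assumptions."""
import re

# Constructed snapshot: (key, value name, data) triples such as a triage
# script would produce from a .reg export.  Most lines mirror the entries
# above; the txtfile handler is a clean control that must not be flagged.
CONSTRUCTED_SNAPSHOT = [
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "EnableFirewall", "0"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile", "EnableFirewall", "0"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2", "1"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection", "SFCDisable", "ffffff9d"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry", "Start", "4"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "1"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\fonts\smss.exe"),
    (r"HKCR\exefile\shell\open\command", "(default)",
     r'"C:\WINDOWS\system32\oobe\isperror\csrss.exe" "%1" %*'),
    (r"HKCR\txtfile\shell\open\command", "(default)", r"%SystemRoot%\system32\NOTEPAD.EXE %1"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug", "Debugger",
     r"C:\WINDOWS\system32\dllcache\services.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Ole", "EnableDCOM", "N"),
]

DISABLED_SERVICES = {"messenger", "remoteregistry", "tlntsvr"}
EXEC_CLASSES = {"exefile", "comfile", "batfile", "piffile", "lnkfile"}
HANDLER_RE = re.compile(r"\\([^\\]+)\\shell\\open\\command$")


def check_entry(key, name, data):
    """Return a finding for one registry value, or None if it is not one of
    the settings listed in the descriptions above."""
    k, n, d = key.lower(), name.lower(), data.strip().lower()
    leaf = key.rsplit("\\", 1)[-1]
    if n == "enablefirewall" and d == "0":
        return "Windows Firewall disabled by policy: " + key
    if n == "donotallowxpsp2" and d == "1":
        return "Windows Update blocked from offering XP SP2"
    if n == "sfcdisable" and d == "ffffff9d":
        return "Windows File Protection disabled (SFCDisable=ffffff9d)"
    if n in ("disabletaskmgr", "disableregistrytools") and d == "1":
        return name + " set: Task Manager / registry tools blocked"
    if n == "enabledcom" and d == "n":
        return "DCOM disabled (EnableDCOM=N)"
    if n == "start" and d == "4" and leaf.lower() in DISABLED_SERVICES:
        return "service " + leaf + " set to Disabled (Start=4)"
    if n == "userinit" and k.endswith("\\winlogon"):
        # Anything besides userinit(.exe) in the comma-separated list is extra
        extra = [p.strip() for p in data.split(",")
                 if p.strip() and p.strip().lower().rsplit("\\", 1)[-1]
                 not in ("userinit.exe", "userinit")]
        if extra:
            return "Winlogon Userinit runs extra program(s): " + ", ".join(extra)
    m = HANDLER_RE.search(k)
    if n == "(default)" and m and m.group(1) in EXEC_CLASSES and not d.startswith('"%1"'):
        return m.group(1) + " open handler hijacked: " + data
    if n == "debugger" and k.endswith("\\aedebug") and "drwtsn32" not in d:
        return "AeDebug post-mortem debugger replaced: " + data
    return None


def check_snapshot(snapshot):
    """Run check_entry over every triple and return the list of findings."""
    return [f for f in (check_entry(*entry) for entry in snapshot) if f]


if __name__ == "__main__":
    for finding in check_snapshot(CONSTRUCTED_SNAPSHOT):
        print("FINDING:", finding)
```

Treat the Start=4 hits as corroboration rather than proof: a deliberately hardened machine also has Messenger and Telnet disabled, whereas a hijacked exefile handler or an extra Userinit program is a finding on its own.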

SOURCE: echomail via fidonet.ozzmosis.com
