echo: virus
to: LL K
from: KURT WISMER
date: 2005-11-13 16:58:08
subject: ews, November 13 2005

[cut-n-paste from sophos.com]

Name   Troj/Haxdoor-AO

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Haxdoor.es

Prevalence (1-5) 2

Description
Troj/Haxdoor-AO is a Trojan for the Windows platform.

Troj/Haxdoor-AO includes functionality to:

- stealth its files, processes, registry entries and services
- prevent itself being terminated
- prevent itself being deleted

Advanced
Troj/Haxdoor-AO is a Trojan for the Windows platform.

Troj/Haxdoor-AO includes functionality to:

- stealth its files, processes, registry entries and services
- prevent itself being terminated
- prevent itself being deleted

When Troj/Haxdoor-AO is installed it creates the file 
\cpudev.sys.

The file cpudev.sys is registered as a new system driver service 
named "cpudev", with a display name of "CPU microcode
correction". 
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\cpudev\





Name   W32/Nelo-A

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.VB.wf
    * Trojan.Cdtray

Prevalence (1-5) 2

Description
W32/Nelo-A is a worm for the Windows platform.

W32/Nelo-A attempts to copy itself to the root of any connected 
hard disks, removable disks, ram disks and networked drives along 
with a file named Autorun.inf.

W32/Nelo-A may open and close CD drive doors.

Advanced
W32/Nelo-A is a worm for the Windows platform.

W32/Nelo-A attempts to copy itself to the root of any connected 
hard disks, removable disks, ram disks and networked drives along 
with a file named Autorun.inf.

W32/Nelo-A may open and close CD drive doors.

When first run W32/Nelo-A copies itself to 
\Internet Explorer\Systrsy.exe and creates the file 
\Autorun.inf.

The following registry entry is created to run Systrsy.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
(default)
\Internet Explorer\Systrsy.exe





Name   Troj/Dadobra-J

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Dadobra.em

Prevalence (1-5) 2

Description
Troj/Dadobra-J is a Trojan for the Windows platform.

Troj/Dadobra-J includes functionality to access the internet and 
communicate with a remote server via HTTP.





Name   W32/Tilebot-AY

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.SdBot.aad
    * W32/Sdbot.worm.gen.g
    * W32/Sdbot.worm.gen.h
    * WORM_RBOT.CHU

Prevalence (1-5) 2

Description
W32/Tilebot-AY is a network worm and backdoor Trojan for the Windows 
platform.

W32/Tilebot-AY spreads by copying itself to network shares protected 
by weak passwords and by exploiting the following vulnerabilities: 
LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1 (MS04-007)

Advanced
W32/Tilebot-AY is a network worm and backdoor Trojan for the Windows 
platform.

W32/Tilebot-AY spreads by copying itself to network shares protected 
by weak passwords and by exploiting the following vulnerabilities: 
LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1 (MS04-007)

The following patches for the operating system vulnerabilities 
exploited by W32/Tilebot-AY can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

W32/Tilebot-AY copies itself to \cytob.exe and registers 
itself as a service process named "WindowsSysBoot". Registry entries 
are created under:

HKLM\SYSTEM\CurrentControlSet\Services\WindowsSysBoot\

W32/Tilebot-AY allows a remote user to perform a wide range of 
actions on the infected computer, including:

downloading and executing further files
editing registry entries
capturing network traffic
stealing passwords stored on local disks

W32/Tilebot-AY attempts to terminate the following security services:

Tlntsvr
RemoteRegistry
Messenger
SharedAccess
wscsvc

W32/Tilebot-AY sets the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N

HKLM\SOFTWARE\Microsoft\Security Center\
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center\
FirewallOverride
1

HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Sdbot-XH

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security

Aliases  
    * WORM_SDBOT.BHU
    * W32.Spybot.Worm

Prevalence (1-5) 2

Description
W32/Sdbot-XH is a network worm with backdoor Trojan functionality for 
the Windows platform that spreads through network shares protected 
by weak passwords, MS-SQL servers and through various operating 
system vulnerabilities.

W32/Sdbot-XH connects to a predetermined IRC channel and awaits 
further commands from remote users. The backdoor component of 
W32/Sdbot-XH can be instructed to perform the following functions:

scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server

Patches for the vulnerabilities exploited by W32/Sdbot-XH can be 
obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

Advanced
W32/Sdbot-XH is a network worm with backdoor Trojan functionality for 
the Windows platform.

When first run, W32/Sdbot-XH copies itself to the Windows system 
folder as windesktop.exe, and in order to be able to run 
automatically when Windows starts up sets the following registry 
entries in order to run each time a user logs on:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Desktop Controler
windesktop.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Desktop Controler
windesktop.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Desktop Controler
windesktop.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Desktop Controler
windesktop.exe

The worm sets the following registry entries, disabling the automatic 
startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\
Start
4

Registry entries are also created under:

HKCU\Software\Microsoft\OLE\
HKLM\SOFTWARE\Microsoft\Ole\

The worm spreads through network shares protected by weak passwords, 
MS-SQL servers and through various operating system vulnerabilities.

W32/Sdbot-XH connects to a predetermined IRC channel and awaits 
further commands from remote users. The backdoor component of 
W32/Sdbot-XH can be instructed to perform the following functions:

scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server

Patches for the vulnerabilities exploited by W32/Sdbot-XH can be 
obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

W32/Sdbot-XH also drops a file to the current folder as msdirectx.sys. 
The dropped file is detected by Sophos's anti-virus products as 
Troj/NtRootK-F.

The worm changes the Windows HOSTS file in attempt to prevent access 
to sites from the following list:

avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
kaspersky-labs.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
se
--- Platinum Xpress/Win/WINServer v3.0pr5
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
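The descriptions above give the same kind of host-level indicators over and over: autorun values under the Run/RunServices keys, services switched to Start=4, the Security Center override values, and a HOSTS file that pins anti-virus update sites. Below is an added triage script (my own example, not code from Sophos, Kurt Wismer or the bulletin) that checks exported data for exactly those indicators. It assumes a HOSTS file and a `reg query`-style text dump are handed to it as strings; the vendor-domain list, registry keys and file names are taken from the bulletin, while the sample inputs, the function names and the `reg query` dump are constructed for this example.

```python
"""Offline triage of host-level indicators taken from the bulletin above.

Added example, not code from Sophos or from the poster. It reads a HOSTS file
and a `reg query`-style text dump supplied as strings, so it runs anywhere
against exported data; the sample inputs below are constructed.
"""
import re

# Domains the W32/Sdbot-XH HOSTS modification targets (list from the bulletin).
VENDOR_DOMAINS = {
    "avp.com", "ca.com", "customer.symantec.com", "dispatch.mcafee.com",
    "download.mcafee.com", "f-secure.com", "kaspersky.com",
    "kaspersky-labs.com", "liveupdate.symantec.com",
    "liveupdate.symantecliveupdate.com", "mast.mcafee.com", "mcafee.com",
    "my-etrust.com", "nai.com", "networkassociates.com", "rads.mcafee.com",
    "secure.nai.com",
}

# Registry values the bulletin says Tilebot-AY / Sdbot-XH set, with the data
# that indicates tampering. Keys and value names compare case-insensitively.
REGISTRY_INDICATORS = {
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride"): "1",
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallOverride"): "1",
    (r"HKLM\SOFTWARE\Microsoft\Ole", "EnableDCOM"): "N",
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start"): "4",
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv", "Start"): "4",
}

# File names the bulletin gives for the autorun entries.
AUTORUN_FILENAMES = ("windesktop.exe", "systrsy.exe", "cytob.exe")

HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text; comments/blanks skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def hijacked_vendor_entries(hosts_text):
    """Return (hostname, ip) for every HOSTS entry that pins a vendor domain.

    A clean HOSTS file has no reason to map an anti-virus update site at all,
    so any mapping (loopback or otherwise) is reported as a finding.
    """
    hits = []
    for ip, name in parse_hosts(hosts_text):
        bare = name[4:] if name.startswith("www.") else name
        if bare in VENDOR_DOMAINS:
            hits.append((name, ip))
    return hits


def parse_reg_query(text):
    """Parse `reg query`-style output into {(key, value_name): data}.

    Key lines are unindented; value lines are indented, with NAME, REG_TYPE
    and DATA separated by runs of spaces. REG_DWORD hex data is normalised.
    """
    values, key = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            key = raw.strip().rstrip("\\")
            for long_name, short in HIVE_ABBREV.items():
                if key.upper().startswith(long_name):
                    key = short + key[len(long_name):]
            continue
        fields = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if key is None or len(fields) != 3:
            continue
        name, reg_type, data = fields
        if reg_type == "REG_DWORD" and data.lower().startswith("0x"):
            data = str(int(data, 16))
        values[(key, name)] = data
    return values


def tampered_registry_values(values):
    """Return (key, value_name, data) for every value matching an indicator."""
    findings = []
    lookup = {(k.lower(), n.lower()): v for (k, n), v in values.items()}
    for (key, name), bad in REGISTRY_INDICATORS.items():
        data = lookup.get((key.lower(), name.lower()))
        if data is not None and data.upper() == bad.upper():
            findings.append((key, name, data))
    # Any Run / RunServices value whose data ends in one of the bulletin's file names.
    for (key, name), data in values.items():
        if "\\currentversion\\run" in key.lower() and data.lower().endswith(AUTORUN_FILENAMES):
            findings.append((key, name, data))
    return findings


# Constructed sample inputs (not captured from a real system).
SAMPLE_HOSTS = r"""
# constructed HOSTS sample
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       www.mcafee.com download.mcafee.com
10.0.0.5        intranet.example.test
"""

SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    AntiVirusOverride    REG_DWORD    0x1
    FirewallOverride    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    Start    REG_DWORD    0x4

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Desktop Controler    REG_SZ    windesktop.exe
    OneDrive    REG_SZ    C:\Users\me\OneDrive.exe
"""

if __name__ == "__main__":
    for host, ip in hijacked_vendor_entries(SAMPLE_HOSTS):
        print(f"HOSTS pins vendor domain {host} -> {ip}")
    for key, name, data in tampered_registry_values(parse_reg_query(SAMPLE_REG)):
        print(f"registry indicator: {key}\\{name} = {data}")
```

On a live box you would feed it `C:\Windows\System32\drivers\etc\hosts` and the output of `reg query <key>` for the keys listed in the bulletin; the matching is deliberately exact on the value names the descriptions give (including the misspelt "Windows Desktop Controler"), so a variant that renames its autorun value will only be caught by the file-name check on the data.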
