echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2007-10-08 22:53:00
subject: News, October 8 2007

[cut-n-paste from sophos.com]

Name   W32/SillyFDC-AY

Type  
    * Worm

How it spreads  
    * Removable storage devices
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/SillyFDC-AY is a worm for the Windows platform.

Advanced
W32/SillyFDC-AY is a worm for the Windows platform.

When run W32/SillyFDC-AY copies itself to the following locations:
\My Documents\sex.scr
\Documents\Linkin park.scr
\Documents\sex.scr
\svhost.exe
\Restore\razor.exe
\ami.exe
\disdn\mirc.exe

W32/SillyFDC-AY also creates the files:
\mhjo.log
\rz.txt
\drivers\td.txt
\drives\etc\td.txt
\Restore\rstrlog.dat

These files can be safely deleted.


W32/SillyFDC-AY spreads via removable shared drives and via Yahoo! Messenger.

W32/SillyFDC-AY sets the following registry entries to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ami.exe
\ami.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
mirc.exe
\disdn\mirc.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
razor.exe
\Restore\razor.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rz.scr
\Restore\rz.scr

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svhost.exe
\svhost.exe

W32/SillyFDC-AY also sets the following registry entries:

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SYSTEM\CurrentControlSet\Control
SafeBoot
Razor worm

HKCU\Software\Microsoft\Windows Script\Settings
JITDebug
0

HKCU\Software\yahoo\pager\FileTransfer
Virus Checker
nothing

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

The following registry entries are modified:

HKCU\Software\yahoo\pager\profiles
Custom Msgs

HKLM\SOFTWARE\Microsoft\TelnetServer\1.0
NTML
1

The worm also attempts to start the following Windows system processes:

"Application Layer Gateway Service"
"IP Network Address Translator"
"NT LM Security Support Provider"
"RDPWD"
"Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)"
"TDTCP"
"Telnet"

W32/SillyFDC-AY spreads via removable shared drives by creating the file
\razor.inf on the shared drive and copying itself to the shared drive as
\rz.scr.

The file \razor.inf is designed to run the worm and is also detected as
W32/SillyFDC-AY.

W32/SillyFDC-AY includes functionality to:
- download files from the internet
- modify the HOSTS file
- modify the system time





Name   Mal/Dropper-U

Type  
    * Malicious Behavior

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Installs itself in the Registry
    * Installs a browser helper object

Prevalence (1-5) 2

Description
Mal/Dropper-U is a Trojan which installs and executes other malicious files.





Name   Troj/Dropper-RL

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Dropper-RL is a Trojan for the Windows platform.





Name   W32/Autorun-E

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Leaves non-infected files on computer

Aliases  
    * W32/Autorun.worm.g

Prevalence (1-5) 2

Description
W32/Autorun-E is a worm for the Windows platform.

W32/Autorun-E may attempt to spread by copying itself to removable drives and
creating an autorun.inf file to enable the worm copy to be run.

Advanced
W32/Autorun-E is a worm for the Windows platform.

W32/Autorun-E may attempt to spread by copying itself to removable drives and
creating an autorun.inf file to enable the worm copy to be run.

W32/Autorun-E may create multiple copies of itself in various folders on the
local computer.





Name   W32/Minerv-A

Type  
    * Worm

How it spreads  
    * Removable storage devices
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Minerv-A is a worm for the Windows platform.

Advanced
W32/Minerv-A is a worm for the Windows platform.

When first run W32/Minerv-A copies itself to:

\Windows Media Player\New Game.exe
\minerva.com
\Minerva.exe
\Good_Bye_Aeris.com
\minerva.com

W32/Minerv-A copies itself to the currently active folder as it becomes active,
using the filenames:

Minerva Game.exe
New_Game.exe
New Game.exe
New_Games.exe

(W32/Minerv-A will copy itself to folders on network shares and removable
devices)

W32/Minerv-A installs the following files (also detected as W32/Minerv-A):

\Hipotalamus.dll
\InjectCalc.exe
\InjectMsconfig.exe
\InjectRegedit.exe
\InjectTaskman.exe
\InjectCalc.exe
\InjectMsconfig.exe
\InjectRegedit.exe
\InjectTaskman.exe

The following harmless files are created:

\COLUMNS.DAT
\Aeris.mid
\BittersweetRomance.mid
\FF8Theme.mid
\FFTheme.mid
\FFXOpening.mid
\GarnetTheme.mid
\Loss_of_Me.mid
\SongOfMemory.mid
\Victory.mid
\Waltztm.mid
\YunaTheme.mid
\Columns.exe
\ROGER.WAV
\TOENG.WAV
\Media\ROGER.WAV
\Media\TOENG.WAV

The following registry entries are changed to run Minerva.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
Debugger
\Minerva.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe
Debugger
\Minerva.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansavgd.exe
Debugger
\Minerva.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe
Debugger
\Minerva.exe

The file Minerva.exe is registered as a new file system driver service named
"Minerva", with a display name of "The Opposite Of Renova" and a startup type
of automatic, so that it is started automatically during system startup.
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Minerva





Name   W32/Virut-M

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer

Aliases  
    * Virus.Win32.Virut.r
    * W32/Virut.d virus

Prevalence (1-5) 2

Description
W32/Virut-M is a virus for the Windows platform.

W32/Virut-M infects executable files.

W32/Virut-M also contains functionality to connect to an IRC channel and listen
for instructions to download further executable code.





Name   W32/Looked-DV

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Looked-DV is a Windows executable virus and network worm.

The virus infects EXE files found on the infected computer and attempts to copy
itself to remote network shares.

Advanced
W32/Looked-DV is a Windows executable virus and network worm.

The virus infects EXE files found on the infected computer and attempts to copy
itself to remote network shares.

When first run the virus copies itself to \uninstall\rundl132.exe and creates a file \RichDll.dll
which is also detected as W32/Looked-DV. This file attempts to download further
malicious code.

Files with the name _desktop.ini are created on the infected computer. These
files are harmless text files.

The following registry entry is created in order to run the virus on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Load=\uninstall\rundl132.exe

The hosts file \drivers\etc\hosts is potentially modified.

Attempts may be made to stop Anti-virus software running on the affected
system.

The following registry entry is also created:

HKLM\Software\Soft\DownloadWWW\auto=1





Name   W32/Agobot-AIZ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Agobot-AIZ is a worm for the Windows platform.

W32/Agobot-AIZ attempts to spread via network shares and by exploiting common
vulnerabilities, including PNP (MS05-039) and ASN.1 (MS04-007).

W32/Agobot-AIZ includes functionality to access the internet and communicate
with a remote server via HTTP.

Advanced
W32/Agobot-AIZ is a worm for the Windows platform.

W32/Agobot-AIZ attempts to spread via network shares and by exploiting common
vulnerabilities, including PNP (MS05-039) and ASN.1 (MS04-007).

When first run W32/Agobot-AIZ copies itself to the Windows system folder.

The following registry entries are created to run W32/Agobot-AIZ on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Updates


Registry entries are set as follows:

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1

Registry entries are created under:

HKCU\Software\Microsoft\Security Center
HKLM\SOFTWARE\Microsoft\Security Center





Name   W32/Rbot-GUA

Type  
    * Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.eak
    * WORM_RBOT.EYY

Prevalence (1-5) 2

Description
W32/Rbot-GUA is a backdoor worm for the Windows platform.

W32/Rbot-GUA spreads via the network shares and instant messenger.

W32/Rbot-GUA contains the following vulnerabilities:

- RPC-DCOM (MS04-012)
- ASN.1 (MS04-007)
- Symantec (SYM06-010)

Advanced
W32/Rbot-GUA is a backdoor worm for the Windows platform.

W32/Rbot-GUA spreads via the network shares and instant messenger.

W32/Rbot-GUA contains the following vulnerabilities:

- RPC-DCOM (MS04-012)
- ASN.1 (MS04-007)
- Symantec (SYM06-010)

When first run W32/Rbot-GUA copies itself to:

\dllcache\mravsc32.exe

and registers a new system driver service named "Distributed Allocated Memory
Unit", with a display name of "Distributed Allocated Memory Unit" and a startup
type of automatic, so that it is started automatically during system startup.
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Distributed Allocated Memory Unit

W32/Rbot-GUA sets the following registry entries, disabling the automatic
startup of other software:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SYSTEM\CurrentControlSet\Control
WaitToKillServiceTimeout
7000

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

HKLM\SYSTEM\CurrentControlSet\Control
ServiceCurrent
0xa

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0





Name   Troj/Delf-EYG

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Delf-EYG is a Trojan for the Windows platform.

Troj/Delf-EYG has functionality to download and execute software from a remote
website.





Name   W32/Brontok-CV

Type  
    * Worm

How it spreads  
    * Removable storage devices
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Reduces system security
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Brontok-CV is a worm for the Windows platform.

W32/Brontok-CV will attempt to copy itself to network and removable drives. The
worm will also create an autorun.inf file so that it is automatically run when
the drive is accessed.

Advanced
W32/Brontok-CV is a worm for the Windows platform.

W32/Brontok-CV will attempt to copy itself to network and removable drives,
using filenames including Open.exe, Music.exe and Empty.pif. The worm will also
create an autorun.inf file so that it is automatically run when the drive is
accessed.

When first run W32/Brontok-CV copies itself to some of the following filenames:

\fonts\smss.exe
\oobe\isperror\shell.exe
\IExplorer.exe
\System32.exe
\Empty.pif

and creates the following file:

\Autorun.inf - may be deleted.

W32/Brontok-CV also attempts to copy itself to existing filenames with EXE
extensions, but with an extra space between the filename and the extension, eg
if it finds the file "Example.exe" it may copy itself to the same folder as
"Example .exe"

W32/Brontok-CV attempts to terminate processes, close windows and delete registry
entries related to security and anti-virus applications, and may restart an
infected computer.

W32/Brontok-CV may also display a fake error message with the title "Warning"
and the text "Illegal Application", before attempting to terminate processes
related to security and anti-virus applications.

W32/Brontok-CV may also display fake error messages including "Windows Firewall
has detected [W32RontokBro{at}mm as Security risk that requires your attention. ".

The following registry entries are set to run the W32/Brontok-CV on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon
services
\fonts\smss.exe

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell
\fonts\smss.exe

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe, \fonts\smss.exe

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shell

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
kb

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
services

W32/Brontok-CV may set the following registry entries to run files other than
itself on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
\Shell.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
kb
drivers\AUTO.txt

Some of the following registry entries are set or modified, so that
W32/Brontok-CV is run when files are run with the extensions listed:

HKCR\exefile\shell\open\command
(default)
\fonts\smss.exe %1 %*

HKCR\lnkfile\shell\open\command
(default)
\oobe\isperror\shell.exe %1 %*

HKCR\piffile\shell\open\command
(default)
\oobe\isperror\shell.exe %1 %*

HKCR\batfile\shell\open\command
(default)
\oobe\isperror\shell.exe %1 %*

HKCR\comfile\shell\open\command
(default)
\oobe\isperror\shell.exe %1 %*

Some of the following registry entries may also be set, usually to one of two
values:

HKCR\exefile
(default)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Auto

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HideClock

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDrives

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoShellSearchButton

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
FullPathAddress

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeText

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Disable

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Disable





Name   W32/Dabber-D

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.IRCBot.acd
    * Win32/IRCBot.WO
    * W32/Sdbot.AAOV

Prevalence (1-5) 2

Description
W32/Dabber-D is a worm for the Windows platform.

W32/Dabber-D includes functionality to access the internet and communicate with
a remote server via HTTP.

Advanced
W32/Dabber-D is a worm for the Windows platform.

W32/Dabber-D includes functionality to access the internet and communicate with
a remote server via HTTP.

When first run W32/Dabber-D copies itself to \msnfix.exe and creates
the following files:

\auto.txt
\libinets.dll
\libweb.dll

The files libinets.dll and libweb.dll are detected as Mal/Generic-A.

The files libinets.dll and libweb.dll are registered as COM objects, creating
registry entries under:

HKCR\CLSID\{442B222A-0112-48B8-A8EF-1409332F9B8F}
HKCR\CLSID\{CCB13A8A-BBA4-4603-9012-996E69602713}

The following registry entries are created to run code exported by libinets.dll
and libweb.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
printers
{CCB13A8A-BBA4-4603-9012-996E69602713}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
version
{442B222A-0112-48B8-A8EF-1409332F9B8F}





Name   W32/Viking-I

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Win32.Viking.ez
    * Win32/Viking.CD
    * W32/HLLP.Philis.ge
    * PE_LOOKED.DD-O

Prevalence (1-5) 2

Description
W32/Viking-I is a worm for the Windows platform.

Advanced
W32/Viking-I is a worm for the Windows platform.

When first run W32/Viking-I copies itself to \uninstall\rundl132.exe
and drops the file \RichDll.dll.

The following registry entry is created to run rundl132.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
\uninstall\rundl132.exe

The following registry entry is created:

HKLM\SOFTWARE\Soft\DownloadWWW





Name   W32/Rbot-GUB

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-GUB is a worm for the Windows platform.

W32/Rbot-GUB spreads
- to computers vulnerable to common exploits, including: RPC-DCOM (MS04-012),
ASN.1 (MS04-007), RealVNC (CVE-2006-2369) and Symantec (SYM06-010)
- to MSSQL servers protected by weak passwords
- to network shares protected by weak passwords

Advanced
W32/Rbot-GUB is a worm for the Windows platform.

W32/Rbot-GUB spreads
- to computers vulnerable to common exploits, including: RPC-DCOM (MS04-012),
ASN.1 (MS04-007), RealVNC (CVE-2006-2369) and Symantec (SYM06-010)
- to MSSQL servers protected by weak passwords
- to network shares protected by weak passwords

W32/Rbot-GUB includes functionality to access the internet and communicate with
a remote server via HTTP.

When first run W32/Rbot-GUB copies itself to \inetsrv\Win32.exe and
creates the clean file \del.bat to delete itself.

The following registry entries are created to run Win32.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Critical File
\inetsrv\Win32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 Critical File
\inetsrv\Win32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Win32 Critical File
\inetsrv\Win32.exe

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
\inetsrv\Win32.exe
\inetsrv\Win32.exe:*:Enabled:Win32 Critical File

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DisallowRun
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files1
avgupsvc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files2
avgamsvr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files3
avgcc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files4
nod32kui.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files5
nod32krn.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files6
ccSetMgr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files7
ccEvtMgr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files8
DefWatch.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files9
SavRoam.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files10
Rtvscan.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files11
VPTray.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files12
ccApp.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files13
AluSchedulerSvc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files14
nod32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files15
nod32ra.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files16
UpdaterUI.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files17
tbmon.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files18
Mcshield.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files19
SHSTAT.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files20
ashMaiSv.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files21
ashServ.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files22
ashWebSv.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files23
aswUpdSv.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files24
AVGUARD.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files25
AVWUPSRV.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files26
avscan.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files27
guardgui.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files28
VxMon.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files29
AVGNT.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files30
avgemc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files31
avp.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files32
avp.com

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N





Name   W32/IRCBot-YG

Type  
    * Spyware Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/IRCBot-YG is a worm with IRC backdoor functionality for the Windows
platform.

Advanced
W32/IRCBot-YG is a worm with IRC backdoor functionality for the Windows
platform.

W32/IRCBot-YG runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer via
IRC channels.

When first run W32/IRCBot-YG copies itself to \mdm.exe.

The following registry entries are created to run mdm.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Office
\mdm.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Office
\mdm.exe

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

 
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
SEEN-BY: 10/1 3 14/300 400 34/999 90/1 106/1 120/228 123/500 134/10 140/1
SEEN-BY: 222/2 226/0 229/4000 236/150 249/303 261/20 38 100 1381 1404 1406
SEEN-BY: 261/1410 1418 266/1413 280/1027 320/119 633/260 262 267 285 712/848
SEEN-BY: 800/432 801/161 189 2222/700 2800/18 2905/0
@PATH: 123/140 500 261/38 633/260 267
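As an added defensive example (not part of the post above and not Sophos's own tooling), the Python script below parses a Windows registry export (.reg text, as written by `reg export`) and flags the indicator classes that recur across the entries in the post: Run/RunServices autostarts, Image File Execution Options "Debugger" hijacks, ShellServiceObjectDelayLoad entries, Security Center override/notify flags, firewall and Windows Update policy tampering, exefile/lnkfile/piffile/batfile/comfile open-handler hijacks, Winlogon Shell/Userinit additions, DisableTaskMgr-style lockout policies, DisallowRun blocklists and EnableDCOM=N. The rule set, the severity labels, the `Finding` tuple and the sample export are my own assumptions; the key and value names are taken from the descriptions above, and the sample paths are constructed.

```python
"""Offline triage of a Windows .reg export for the indicator classes in the Sophos
entries above. Added example; the rules and the sample export are constructed
(they are assumptions of this example, not from the post). Never touches the
live registry: run it against the output of `reg export <key> out.reg`."""
import re
from collections import namedtuple

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_CLASSES_ROOT": "HKCR"}
SC_FLAGS = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
            "firewalldisablenotify", "updatesdisablenotify"}
LOCKOUT = {"disabletaskmgr", "disableregistrytools", "disablecmd"}
HANDLERS = r"^hkcr\\(exefile|comfile|batfile|piffile|lnkfile)\\shell\\open\\command$"
Finding = namedtuple("Finding", "severity key name data reason")


def _unescape(s):  # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: data}}; hives shortened, dwords as decimal strings,
    REG_SZ unescaped; hex(...) blobs and other value types are skipped."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVES.get(hive, hive) + "\\" + rest
            entries.setdefault(key, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key is None or not m:
            continue
        name = "(default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        entries[key][name] = data
    return entries


def check(entries):
    """Apply the indicator rules; Findings come back in export order."""
    found = []
    for key, values in entries.items():
        k, parts = key.lower(), key.split("\\")
        leaf, ftype = parts[-1], (parts[1] if len(parts) > 1 else "")
        for name, data in values.items():
            n, d, sev, why = name.lower(), data.strip(), None, ""
            if re.search(r"\\currentversion\\(run|runservices)$", k):
                sev, why = "medium", "autostart entry (verify the target binary)"
            elif "\\image file execution options\\" in k and n == "debugger":
                sev, why = "high", f"IFEO Debugger hijack: {leaf} is replaced by {d}"
            elif k.endswith("\\shellserviceobjectdelayload"):
                sev, why = "medium", "COM object loaded by Explorer at logon"
            elif k.endswith("\\security center") and n in SC_FLAGS and d == "1":
                sev, why = "high", "Security Center alerting suppressed"
            elif "\\windowsfirewall\\" in k and n == "enablefirewall" and d == "0":
                sev, why = "high", "Windows Firewall disabled by policy"
            elif "\\windowsupdate" in k and n in ("donotallowxpsp2", "noautoupdate") and d == "1":
                sev, why = "high", "Windows Update blocked by policy"
            elif re.match(HANDLERS, k) and n == "(default)" and not re.match(r'^"?%1', d):
                sev, why = "high", f"{ftype} open handler runs a foreign binary"
            elif k.endswith("\\winlogon") and n in ("shell", "userinit"):
                want = "explorer.exe" if n == "shell" else "userinit.exe"
                progs = [p.strip().lower().rsplit("\\", 1)[-1] for p in d.split(",") if p.strip()]
                if any(p != want for p in progs):
                    sev, why = "high", f"Winlogon {name} runs more than {want}"
            elif k.endswith("\\policies\\system") and n in LOCKOUT and d == "1":
                sev, why = "medium", f"{name} locks users out of an admin tool"
            elif k.endswith("\\policies\\explorer\\disallowrun"):
                sev, why = "medium", "DisallowRun blocklist entry (often names security tools)"
            elif k.endswith("\\microsoft\\ole") and n == "enabledcom" and d.upper() == "N":
                sev, why = "low", "DCOM disabled system-wide"
            if sev:
                found.append(Finding(sev, key, name, data, why))
    return found


def scan_reg_text(text):
    return check(parse_reg(text))


# Constructed sample export (not a real system); names echo the descriptions above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Updates"="C:\\WINDOWS\\svhost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe]
"Debugger"="C:\\WINDOWS\\system32\\Minerva.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\lnkfile\shell\open\command]
@="C:\\WINDOWS\\system32\\oobe\\isperror\\shell.exe %1 %*"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\fonts\\smss.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"Protected system files1"="avgupsvc.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""

if __name__ == "__main__":
    for f in scan_reg_text(SAMPLE_REG):
        print(f"[{f.severity:6}] {f.key} :: {f.name} = {f.data}  -- {f.reason}")
```

To run it against a real export, decode the file first: `reg export` writes UTF-16LE with a byte-order mark, so `scan_reg_text(open("out.reg", encoding="utf-16").read())` is the call. The exefile entry in the sample is the untouched `"%1" %*` handler and produces no finding; the lnkfile entry, the extra Userinit program and the IFEO Debugger value are the shapes the Minerv-A and Brontok-CV entries describe, and each is reported with the registry path an analyst needs to verify and clean it.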

SOURCE: echomail via fidonet.ozzmosis.com
