| TIP: Click on subject to list as thread! | ANSI |
| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | News, October 14 2006 |
[cut-n-paste from sophos.com]
Name Troj/Arbin-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Downloader-AYT
Prevalence (1-5) 3
Description
Troj/Arbin-A is a downloader Trojan for the Windows platform.
Advanced
Troj/Arbin-A is a downloader Trojan for the Windows platform.
Troj/Arbin-A attempts to download and execute a file from a remote
website to the following locations in the same folder as itself:
1file.tmp
2file.tmp
3file.tmp
4file.tmp
5file.tmp
This file is currently detected as Troj/PWS-ACN.
Troj/Arbin-A may drop the file \sf2e32.bat in order to delete
itself.
Name Troj/Nebuler-J
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
Aliases
* Trojan.Win32.Agent.vg
* W32/Nebuler.B
Prevalence (1-5) 2
Description
Troj/Nebuler-J is a Trojan for the Windows platform.
Troj/Nebuler-J may gather details relating to dialup services and
send collected information to a remote site via HTTP. The Trojan may
inject code into other processes in an attempt to remain hidden.
Name W32/Agobot-AHP
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Agobot-AHP is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Agobot-AHP runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
Advanced
W32/Agobot-AHP is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Agobot-AHP runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
When first run W32/Agobot-AHP copies itself to \erv.exe.
The following registry entries are created to run erv.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RPC Service
erv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
RPC Service
erv.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
RPC Service
erv.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKCR\.key\
Name W32/Mytob-JG
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* WORM_MYTOB.OD
* W32.Mytob.FI
* Net-Worm.Win32.Mytob.bi
Prevalence (1-5) 2
Description
W32/Mytob-JG is a mass-mailing worm and backdoor Trojan that can be
controlled
through the Internet Relay Chat (IRC) network.
W32/Mytob-JG runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
Emails sent by W32/Mytob-JG sends emails in the following format,
with details
filled in to make the email look more authentic:
Subject line chosen from:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
Message text chosen from (the worm will insert the username and the
email
domain of the addressee into the email):
'Dear user ,
You have successfully updated the password of your account.
If you did not authorize this change or if you need assistance with
your
account, please contact customer service at:
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.'
'Dear user ,
It has come to our attention that your User Profile ( x )
records are
out of date. For further details see the attached document.
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.'
'Dear Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due
to an internal error within our processors.
See the details to reactivate your account.
Sincerely,The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.'
'Dear Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages
during the recent week. If you could please take 5-10 minutes out of
your
online experience and confirm the attached document so you will not
run into
any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to
cancel your
membership.
Virtually yours,
The Support Team
+++ Attachment: No Virus found
+++ Antivirus - www.'
The attached file consists of a base name followed by the extension
ZIP. The
worm may optionally create double extensions where the first
extension is DOC,
TXT or HTM and the final extension is BAT, CMD, PIF, SCR, EXE or ZIP.
The base
filenames are randomly chosen from:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
The zip file will contain the worm with double extension. The first
extension
will be one of DOC, HTM, TXT followed by spaces and the second
extension is
EXE, SCR or PIF.
W32/Mytob-JG harvests email addresses from files on the infected
computer and
from the Windows address book.
Advanced
W32/Mytob-JG is a mass-mailing worm and backdoor Trojan that can be
controlled
through the Internet Relay Chat (IRC) network.
W32/Mytob-JG runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
When first run W32/Mytob-JG copies itself to \winds.exe
The following registry entries are created to run smsks.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MICROSOFT WINDOWS SYSTEM 2
winds.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MICROSOFT WINDOWS SYSTEM 2
winds.exe
W32/Mytob-JG sets the following registry entries, disabling the
automatic
startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates the
Microsoft Internet Connection Firewall (ICF).
Emails sent by W32/Mytob-JG sends emails in the following format,
with details
filled in to make the email look more authentic:
Subject line chosen from:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
Message text chosen from (the worm will insert the username and the
email
domain of the addressee into the email):
'Dear user ,
You have successfully updated the password of your account.
If you did not authorize this change or if you need assistance with
your
account, please contact customer service at:
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.'
'Dear user ,
It has come to our attention that your User Profile ( x )
records are
out of date. For further details see the attached document.
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.'
'Dear Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due
to an internal error within our processors.
See the details to reactivate your account.
Sincerely,The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.'
'Dear Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages
during the recent week. If you could please take 5-10 minutes out of
your
online experience and confirm the attached document so you will not
run into
any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to
cancel your
membership.
Virtually yours,
The Support Team
+++ Attachment: No Virus found
+++ Antivirus - www.'
The attached file consists of a base name followed by the extension
ZIP. The
worm may optionally create double extensions where the first
extension is DOC,
TXT or HTM and the final extension is BAT, CMD, PIF, SCR, EXE or ZIP.
The base
filenames are randomly chosen from:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
The zip file will contain the worm with double extension. The first
extension
will be one of DOC, HTM, TXT followed by spaces and the second
extension is
EXE, SCR or PIF.
W32/Mytob-JG harvests email addresses from files on the infected
computer and
from the Windows address book.
W32/Mytob-JG modifies the file \drivers\etc\host by appending
the
following information:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
Name Troj/Zlob-UT
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Dropped by malware
Aliases
* Win32/TrojanDownloader.Zlob
Prevalence (1-5) 2
Description
Troj/Zlob-UT is a Trojan for the Windows platform.
Advanced
Troj/Zlob-UT is a Trojan for the Windows platform.
The Troj/Zlob-UT DLL is registered as a COM object, creating registry
entries under:
HKCR\CLSID\(d869742a-e5d2-4624-96c7-aae26170665e)
Name Troj/DwnLdr-FUM
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* TROJ_DLOADER.ETK
* Trojan-Downloader.Win32.Tibs.if
Prevalence (1-5) 2
Description
Troj/DwnLdr-FUM is a Trojan for the Windows platform.
Advanced
Troj/DwnLdr-FUM is a Trojan for the Windows platform.
When run Troj/DwnLdr-FUM copies itself to \kernels8.exe and
creates the file \dlh9jkdq8.exe. The file
\dlh9jkdq8.exe can be safely deleted.
The following registry entry is set to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System
\kernels8.exe
Name Troj/Tiny-BP
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Tiny-BP is a downloader Trojan for the Windows platform.
Advanced
Troj/Tiny-BP is a downloader Trojan for the Windows platform.
When run the Trojan attempts to download a component from the web
into \services.exe and execute it.
The following registry entry is also created:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinMedia
Name W32/Sdbot-CSD
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Scans network for vulnerabilities
* Scans network for weak passwords
Aliases
* W32/Sdbot.worm.gen.g
Prevalence (1-5) 2
Description
W32/Sdbot-CSD is a worm for the Windows platform.
Advanced
W32/Sdbot-CSD is a worm for the Windows platform.
When first run W32/Sdbot-CSD copies itself to \btserv.exe and
creates the file \sysremove.bat.
The file btserv.exe is registered as a new system driver service
named "Btnfserv", with a display name of "Bluetooth Notification
Service" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\Btnfserv\
Exploit code for the following vulnerabilities is in the file:
SRVSVC (MS06-040)
RPC-DCOM (MS04-012)
WKS (MS03-049) (CAN-2003-0812)
ASN.1 (MS04-007)
Name W32/Sality-AC
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Downloads code from the internet
Aliases
* W32/Sality.x
Prevalence (1-5) 2
Description
W32/Sality-AC is a parasitic virus for the Windows platform that also
acts as a keylogger.
Advanced
W32/Sality-AC is a parasitic virus for the Windows platform that also
acts as a keylogger.
W32/Sality-AC drops \vcdgcw32.dll \vcdgcw32.dl_, also
detected as W32/Sality-AC, which it uses to log keystrokes to certain
windows, as well as information about the infected computer. This
logged data is periodically sent by email to a remote website.
Name W32/Levona-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan.Win32.Agent.qj
* W32/Avon{at}MM
* Win32/Levona.NAA
* WORM_RENOV.A
Prevalence (1-5) 2
Description
W32/Levona-A is a worm for the Windows platform.
W32/Levona-A spreads to network shares and removable drives.
W32/Levona-A includes the functionality to disable or minimize many
applications.
Advanced
W32/Levona-A is a worm for the Windows platform.
W32/Levona-A spreads to network shares and removable drives.
When first run W32/Levona-A copies itself to:
\Renova.exe
\Alisa.exe
\Emma.exe
\Nova.exe
The worm will search for logical drives on the computer. If any are
found, W32/Levona-A will copy itself as New Folder.exe. The worm also
searches the logical drives for DOC files and will copy itself as
.doc.
W32/Levona-A includes the functionality to disable or minimize many
applications by searching for certain words or phrases in the Windows
Title Bar, including the following security related ones:
ADVANCED REGISTRY TRACER
CASTLECOPS
CILLIN
CLEANER
COMPACTBYTEAV
EARTHLINK PROTECTION
F-SECURE
GRISOFT
HACKER
HIJACK
KASPERSKY
KILLBOX
MACHINE
MCAFEE
NORMAN
NORTON
PROCESS EXPLORER - SYSINTERNALS
PROCEXP
REGISTRYFIX
REMOVER
SECUNIA
SOPHOS
SYMANTEC
VAKSIN
WASHER
The following registry entries are created to run Renova.exe and
Nova.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shell
\Renova.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Renova
Nova.exe
The following registry entries are changed to run Renova.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe "\Renova.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file \Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
explorer.exe "\Renova.exe"
(the default value for this registry entry is
"\System32\userinit.exe,").
The following registry entries are set, disabling system restore:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy
Objects\LocalUser\Software\
Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSaveSettings
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFind
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoRun
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisabletaskMgr
0
HKCU\Software\Policies\Microsoft\Windows\System
DisableCMD
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell
\Renova.exe
Name W32/Brontok-BU
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Reduces system security
* Installs itself in the Registry
Aliases
* Worm.Win32.VB.dt
* W32/Rontokbro.gen{at}MM
* Win32/VB.DA
Prevalence (1-5) 2
Description
W32/Brontok-BU is a worm for the Windows platform.
Advanced
W32/Brontok-BU is a worm for the Windows platform.
When first run W32/Brontok-BU copies itself to:
\Empty.pif
\Local Settings\Application Data\windows\csrss.exe
\Local Settings\Application Data\windows\lsass.exe
\Local Settings\Application Data\windows\services.exe
\Local Settings\Application Data\windows\smss.exe
\Local Settings\Application Data\windows\winlogon.exe
\RosTika.exe
\RosTika.exe
\shell.exe
and creates the file \biakKITE.txt.
The following registry entries are created to run W32/Brontok-BU on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RosTika
\RosTika.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Servicerepclient1
\Local Settings\Application Data\WINDOWS\SERVICES.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logonrepclient1
\Local Settings\Application Data\WINDOWS\CSRSS.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Monitoring
\Local Settings\Application Data\WINDOWS\LSASS.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
The following registry entries are set or modified, so that shell.exe
is run when files with extensions of BAT, COM and PIF are
opened/launched:
HKCR\lnkfile\shell\open\command
(default)
\shell.exe" "%1" %*
HKCR\batfile\shell\open\command
(default)
\shell.exe" "%1" %*
HKCR\comfile\shell\open\command
(default)
\shell.exe" "%1" %*
HKCR\piffile\shell\open\command
(default)
\shell.exe" "%1" %*
The following registry entries are set, disabling the Windows task
manager (taskmgr) and the command prompt:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Name W32/Mobler-C
Type
* Worm
How it spreads
* Network shares
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Virus.Win32.VB.bj
Prevalence (1-5) 2
Description
W32/Mobler-C is a worm for the Windows platform.
W32/Mobler-C spreads by coping itself to the available network shares
including floppies, fixed drives, USB devices.
Advanced
W32/Mobler-C is a worm for the Windows platform.
W32/Mobler-C spreads by coping itself to the available network shares
including floppies, fixed drives, USB devices.
When first run W32/Mobler-C copies itself to:
\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
\Microsoft Shared\Grphflt\MS.JPG.exe
\Microsoft Shared\Stationery\Clear Day Bkgrd.jpg.exe
\Microsoft Shared\Stationery\Fiesta Bkgrd.jpg.exe
\Microsoft Shared\Stationery\Glacier Bkgrd.jpg.exe
\Microsoft Shared\Stationery\Leaves Bkgrd.jpg.exe
\Microsoft Shared\Stationery\Maize Bkgrd.jpg.exe
\Microsoft Shared\Stationery\Nature Bkgrd.jpg.exe
\Microsoft Shared\Stationery\Pie Charts Bkgrd.jpg.exe
\Microsoft Shared\Stationery\Sunflower Bkgrd.jpg.exe
\Microsoft Office\Templates\Access\100.JPG.exe
\Microsoft Office\Templates\Access\GRAY.JPG.exe
\Microsoft Office\Templates\Access\GRAYST.JPG.exe
\Microsoft Office\Templates\Access\MC.JPG.exe
\Microsoft Office\Templates\Access\MCST.JPG.exe
\Microsoft Office\Templates\Access\MSACCESS.JPG.exe
\Microsoft Office\Templates\Access\SKY.JPG.exe
\Microsoft Office\Templates\Access\STONES.JPG.exe
\Microsoft Office\Templates\Access\TILES.JPG.exe
\Microsoft Office\Templates\Access\ZIGZAG.JPG.exe
\nia_ramadani.exe
\Web\Wallpaper\Ascent.jpg.exe
\Web\Wallpaper\Autumn.jpg.exe
\Web\Wallpaper\Azul.jpg.exe
\Web\Wallpaper\Crystal.jpg.exe
\Web\Wallpaper\Follow.jpg.exe
\Web\Wallpaper\Friend.jpg.exe
\Web\Wallpaper\Home.jpg.exe
\Web\Wallpaper\Moon flower.jpg.exe
\Web\Wallpaper\Peace.jpg.exe
\Web\Wallpaper\Power.jpg.exe
\Web\Wallpaper\Purple flower.jpg.exe
\Web\Wallpaper\Radiance.jpg.exe
\Web\Wallpaper\Red moon desert.jpg.exe
\Web\Wallpaper\Ripple.jpg.exe
\Web\Wallpaper\Stonehenge.jpg.exe
\Web\Wallpaper\Tulips.jpg.exe
\Web\Wallpaper\Vortec space.jpg.exe
\Web\Wallpaper\Wind.jpg.exe
\Web\Wallpaper\Windows XP.jpg.exe
\host.exe
\pchealth\helpctr\System\DVDUpgrd\stripe.jpg.exe
\pchealth\helpctr\System\sysinfo\graphics\greendot.jpg.exe
\oobe\html\mouse\images\bulzano.jpg.exe
\oobe\html\mouse\images\bulzanom.jpg.exe
\oobe\html\mouse\images\heidelb.jpg.exe
\oobe\html\mouse\images\heidelbm.jpg.exe
\oobe\html\mouse\images\paris.jpg.exe
\oobe\html\mouse\images\parism.jpg.exe
\oobe\html\mouse\images\pisa.jpg.exe
\oobe\html\mouse\images\pisam.jpg.exe
\oobe\html\mouse\images\prague.jpg.exe
\oobe\html\mouse\images\praguem.jpg.exe
\oobe\html\mouse\images\tyrol.jpg.exe
\oobe\html\mouse\images\tyrolm.jpg.exe
\oobe\html\mouse\images\venice.jpg.exe
\oobe\html\mouse\images\venicem.jpg.exe
\oobe\html\mouse\images\verona.jpg.exe
\oobe\html\mouse\images\veronam.jpg.exe
\oobe\images\backdown.jpg.exe
\oobe\images\backoff.jpg.exe
\oobe\images\backover.jpg.exe
\oobe\images\backup.jpg.exe
\oobe\images\mslogo.jpg.exe
\oobe\images\newbtm1.jpg.exe
\oobe\images\newbtm8.jpg.exe
\oobe\images\newmark1.jpg.exe
\oobe\images\newmark8.jpg.exe
\oobe\images\newtop1.jpg.exe
\oobe\images\newtop8.jpg.exe
\oobe\images\nextdown.jpg.exe
\oobe\images\nextoff.jpg.exe
\oobe\images\nextover.jpg.exe
\oobe\images\nextup.jpg.exe
\oobe\images\oemcoa.jpg.exe
\oobe\images\skipdown.jpg.exe
\oobe\images\skipoff.jpg.exe
\oobe\images\skipover.jpg.exe
\oobe\images\skipup.jpg.exe
\oobe\images\wpaback.jpg.exe
\oobe\images\wpabtm.jpg.exe
\oobe\images\wpaflag.jpg.exe
\oobe\images\wpakey.jpg.exe
\oobe\images\wpatop.jpg.exe
The following registry entry is created to run host.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Run
\host.exe
The following registry entry is set, disabling the registry editor
(regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL
DefaultValue
1
Name W32/Mytob-JF
Type
* Spyware Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Mytob-JF is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
Emails sent by W32/Mytob-JF sends emails in the following format,
with details filled in to make the email look more authentic:
Subject line chosen from:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
Message text chosen from (the worm will insert the username and the
email domain of the addressee into the email):
'Dear user ,
You have successfully updated the password of your account.
If you did not authorize this change or if you need assistance with
your account, please contact customer service at:
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.'
'Dear user ,
It has come to our attention that your User Profile ( x )
records are out of date. For further details see the attached document.
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.'
'Dear Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your account.
Sincerely,The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.'
'Dear Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could please take 5-10
minutes out of your online experience and confirm the attached
document so you will not run into any future problems with the online
service.
If you choose to ignore our request, you leave us no choice but to
cancel your membership.
Virtually yours,
The Support Team
+++ Attachment: No Virus found
+++ Antivirus - www.'
The attached file consists of a base name followed by the extension
ZIP. The worm may optionally create double extensions where the first
extension is DOC, TXT or HTM and the final extension is BAT, CMD,
PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
The zip file will contain the worm with double extension. The first
extension will be one of DOC, HTM, TXT followed by spaces and the
second extension is EXE, SCR or PIF.
W32/Mytob-JF harvests email addresses from files on the infected
computer and from the Windows address book.
Advanced
W32/Mytob-JF is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-JF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Mytob-JF copies itself to \service5.exe
The following registry entries are created to run smsks.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
service5.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
service5.exe
W32/Mytob-JF sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Emails sent by W32/Mytob-JF sends emails in the following format,
with details filled in to make the email look more authentic:
Subject line chosen from:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
Message text chosen from (the worm will insert the username and the
email domain of the addressee into the email):
'Dear user ,
You have successfully updated the password of your account.
If you did not authorize this change or if you need assistance with
your account, please contact customer service at:
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.'
'Dear user ,
It has come to our attention that your User Profile ( x )
records are out of date. For further details see the attached document.
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.'
'Dear Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your account.
Sincerely,The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.'
'Dear Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could please take 5-10
minutes out of your online experience and confirm the attached
document so you will not run into any future problems with the online
service.
If you choose to ignore our request, you leave us no choice but to
cancel your membership.
Virtually yours,
The Support Team
+++ Attachment: No Virus found
+++ Antivirus - www.'
The attached file consists of a base name followed by the extension
ZIP. The worm may optionally create double extensions where the first
extension is DOC, TXT or HTM and the final extension is BAT, CMD,
PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
The zip file will contain the worm with double extension. The first
extension will be one of DOC, HTM, TXT followed by spaces and the
second extension is EXE, SCR or PIF.
W32/Mytob-JF harvests email addresses from files on the infected
computer and from the Windows address book.
W32/Mytob-JF modifies the file \drivers\etc\host by appending
the following information:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
Name Troj/Iefeat-BF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Small.bhu
Prevalence (1-5) 2
Description
Troj/Iefeat-BF is a downloader Trojan for the Windows platform.
Troj/Iefeat-BF attempts to download and execute files from remote
websites.
Advanced
Troj/Iefeat-BF is a downloader Trojan for the Windows platform.
Troj/Iefeat-BF attempts to download and execute files from remote
websites to the Temp, root or Windows folder.
Troj/Iefeat-BF sets the following registry entry to run itself on
startup, though may delete it again later:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NAVNet
/m
Name W32/Bagle-PS
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Email-Worm.Win32.Bagle.gn
* Win32/Bagle.HA
Prevalence (1-5) 2
Description
W32/Bagle-PS is a mass-mailing worm for the Windows platform.
Messages sent by the worm have the following characteristics:
The subject line is one of the following:
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help
The message text is one of the following:
The password is
Password --
Use password to open archive.
Password is
Zip password:
Zip archive password:
Password -
Password:
The attachment may contain a damaged copy of the worm.
Advanced
W32/Bagle-PS is a mass-mailing worm for the Windows platform.
Messages sent by the worm have the following characteristics:
The subject line is one of the following:
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Thanks for use of our software.
Before use read the help
The message text is one of the following:
The password is
Password --
Use password to open archive.
Password is
Zip password:
Zip archive password:
Password -
Password:
There are two attachments: a password-protected ZIP file and an image
(GIF) file. The ZIP file contains a damaged copy of the worm
executable and a garbage text file with a DLL extension. The image
file shows the password for the ZIP file.
The first time it is run, W32/Bagle-PS drops the clean file
C:\error.gif and opens it. This is an image of the word "Error".
When first run W32/Bagle-PS copies itself to:
C:\Documents and Settings\user\Application Data\hidn\hidn2.exe
C:\Documents and Settings\user\Application Data\hidn\hldrrr.exe
W32/Bagle-PS may create the file C:\Documents and
Settings\user\Application Data\hidn\m_hook.sys. This file is also
detected as W32/Bagle-PS.
The file m_hook.sys is registered as a new system driver service
named "m_hook", with a display name of "Empty".
Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\
W32/Bagle-PS sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
W32/Bagle-PS drops the file C:\temp.zip, which is included in
messages sent by the worm.
W32/Bagle-PS attempts to download a file from a number of remote
websites to \re_file.exe and then execute it.
W32/Bagle-PS attempts to terminate and disable a number of services
related to security and anti-virus applications.
W32/Bagle-PS attempts to delete the following registry entry in order
to disrupt booting into Safe Mode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
W32/Bagle-PS creates the following registry entry the first time it
is run:
HKCU\Software\FirstRuxzx
FirstRun
1
Name Troj/Haxdoor-DG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Haxdoor-DG is a Trojan for the Windows platform.
Advanced
Troj/Haxdoor-DG is a Trojan for the Windows platform.
When Troj/Haxdoor-DG is installed the following files are created:
\kgctini.dat
\lps.dat
\qo.dll
\qo.sys
\ycsvgd.sys
\ydsvgd.dll
\ydsvgd.sys
The files qo.dll, qo.sys, ycsvgd.sys, ydsvgd.dll and ydsvgd.sys are
detected as Troj/Haxdor-Fam.
The dat files are data files and can safely be deleted.
The following registry entries are created to run code exported by
ydsvgd.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\ydsvgd
DllName
ydsvgd.dll
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\ydsvgd
Startup
XWD33Sifix
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\ydsvgd
Impersonate
1
The file ycsvgd.sys is registered as a new system driver service
named "ycsvgd", with a display name of "PTA Adapter". Registry
entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\ycsvgd\
Name Troj/Agent-DJV
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Trojan.Win32.Agent.rx
* TROJ_AGENT.ECN
Prevalence (1-5) 2
Description
Troj/Agent-DJV is a Trojan for the Windows platform.
Advanced
Troj/Agent-DJV is a Trojan for the Windows platform.
Registry entries may be created under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
gwiz
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders
Name W32/Bustoy-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Bustoy-A is a worm for the Windows platform.
Advanced
W32/Bustoy-A is a worm for the Windows platform.
When first run W32/Bustoy-A copies itself to:
\systemnt.exe - This will cause the worm to autorun on
Windows startup.
\mslogon.exe
W32/Bustoy-A will also attempt to copy itself to removable drives as
toy.exe. The worm also creates the file autorun.inf on the drive in
an attempt to run itself automatically when the drive is connected.
W32/Bustoy-A may display the following message on the computer's
screen:
( Compare And Cooperation ):
BBS
In Memory Of C8C
?--2005
In the beginning God created the heaven and the earth.
And the earth was without form, and void.
And darkness was upon the face of the deep.
God said: Let there be light. And there was light.
Also There was another world.
Into the world of music, spirit and meditation.
And relax yourself , Let the rhythm be your guiding light!
BTW: Hei! You need to take care of your own file in Removable Disk.
Name W32/Tilebot-HI
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Enables remote access
* Scans network for vulnerabilities
* Scans network for weak passwords
Aliases
* Backdoor.Win32.SdBot.xd
* W32/Sdbot.worm.gen.h
Prevalence (1-5) 2
Description
W32/Tilebot-HI is a worm with backdoor functionality for the Windows
platform.
W32/Tilebot-HI spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: SRVSVC (MS06-040),
WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007).
The worm may also spreads via network shares protected by weak
passwords.
W32/Tilebot-HI runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-HI includes functionality to:
- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks
Advanced
W32/Tilebot-HI is a worm with backdoor functionality for the Windows
platform.
W32/Tilebot-HI spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: SRVSVC (MS06-040),
WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007).
The worm may also spreads via network shares protected by weak
passwords.
W32/Tilebot-HI runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-HI includes functionality to:
- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks
When first run W32/Tilebot-HI copies itself to \win32host.exe.
The file win32host.exe is registered as a new system driver service
named "Win32Kernel", with a display name of "Win32 Kernel
Update" and
a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Win32Kernel\
W32/Tilebot-HI sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
Additional registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Rungbu-B
Type
* Virus
How it spreads
* Email attachments
* Infected files
* Chat programs
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Installs itself in the Registry
Aliases
* Virus.Win32.VB.bp
* WORM_VB.BOE
Prevalence (1-5) 2
Description
W32/Rungbu-B is a mass-mailing worm and prepending virus for the
Windows platform.
Messages sent by the worm have the following characteristics:
Subject: one of
"Read my letter for you"
"Love, for Forgiveness :->"
Message text: one of
"this was created from the deep inside my heart."
"I love u please forgive me!..."
Attachment filename:
MsWord.exe
The worm also attempts to send itself using instant messaging
applications, if installed.
W32/Rungbu-B infects Microsoft Word DOC files by copying itself to
the same filename but with an SCR extension, appending the DOC file
to the SCR copy and then deleting the original DOC file.
Advanced
W32/Rungbu-B is a mass-mailing worm and prepending virus for the
Windows platform.
Messages sent by the worm have the following characteristics:
Subject: one of
"Read my letter for you"
"Love, for Forgiveness :->"
Message text: one of
"this was created from the deep inside my heart."
"I love u please forgive me!..."
Attachment filename:
MsWord.exe
The worm also attempts to send itself using instant messaging
applications, if installed.
W32/Rungbu-B infects Microsoft Word DOC files by copying itself to
the same filename but with an SCR extension, appending the DOC file
to the SCR copy and then deleting the original DOC file.
W32/Rungbu-B installs itself in the following locations:
\philconst.exe
\Downloaded Program Files\philconst.exe
\MsWord.exe
\setup\dllhost.com
\setup\dllhost.scr
\AutoRun.ini
\lsass.exe
\lsass.exe
\dllhost.com
The worm sets the following registry entries in order to be run
automatically:
HKCR\AVIFile\shell\open\command
""
"\setup\dllhost.com" %1
(the default value for this entry is "C:\Program Files\Windows Media
Player\wmplayer.exe" /Open "%L")
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
"explorer.exe "lsass.exe.exe"
(the default value for this entry is "Explorer.exe")
HKCR\piffile\shell\open\command
""
"\setup\dllhost.com %1"
(the default value for this entry is "%1" %*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
""
\lsass.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinRun
\AutoRun.ini
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
""
C:\WINDOWS\System32\dllhost.com
W32/Rungbu-B sets the following registry entries in order to disguise
signs of infection and complicate the recovery process.
HKCR\batfile\shell\edit\command
""
""
HKCR\comfile\shell\edit\command
""
""
HKCR\exefile\shell\edit\command
""
""
HKCR\scrfile\shell\edit\command
""
""
HKCR\artfile\shell\edit\command
""
C:\WINDOWS\System32\dllhost.com %1
HKCR\datfile\shell\edit\command
""
C:\WINDOWS\System32\dllhost.com %1
HKCR\batfile\shell\edit\command
""
C:\WINDOWS\System32\dllhost.com %1
(the default value for this entry is
%SystemRoot%\System32\NOTEPAD.EXE %1)
HKCR\comfile
""
"File Folder"
(the default value for this entry is MS-DOS Application)
HKCR\comfile\DefaultIcon
""
"%SystemRoot%\System32\shell32.dll,3"
(the default value for this entry is
%SystemRoot%\System32\shell32.dll,2)
HKCR\inifile\shell\open\command
""
"%1" %*
(the default value for this entry is
%SystemRoot%\System32\NOTEPAD.EXE %1)
HKCR\scrfile
""
"Microsoft Word Document"
(the default value for this entry is "Screen Saver")
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt
CheckedValue
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoRun
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Run
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
The worm also creates entries beneath the following locations:
HKLM\SOFTWARE\Microsoft\Windows\System\DarkAngel\
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\MSCrusher\
Name Troj/Paproxy-D
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Trojan-Proxy.Win32.Agent.ay
* BackDoor-CUX
Prevalence (1-5) 2
Description
Troj/Paproxy-D is a Trojan for the Windows platform.
Troj/Paproxy-D includes functionality to access the internet and
communicate
with a remote server via HTTP.
Advanced
Troj/Paproxy-D is a Trojan for the Windows platform.
Troj/Paproxy-D includes functionality to access the internet and
communicate
with a remote server via HTTP.
When first run Troj/Paproxy-D copies itself to \lsrss.exe and
creates
some of the following clean config and log files:
\software.inf
\mslogsvr.ini
\msnextlog.dll
The following registry entries may be set to run lsrss.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogService
\lsrss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
LogService
\lsrss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
LogService
\lsrss.exe
The following registry entry is also changed to run lsrss.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe \lsrss.exe
(the default value for this registry entry is "Explorer.exe" which
causes the
Microsoft file \Explorer.exe to be run on startup).
Name Troj/Zlobmi-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Zlob.aoi
Prevalence (1-5) 2
Description
Troj/Zlobmi-A is a Trojan for the Windows platform.
Advanced
Troj/Zlobmi-A is a Trojan for the Windows platform.
Troj/Zlobmi-A drops other Zlob Trojans and monitors them to make sure
they are running.
Troj/Zlobmi-A includes functionality to:
- silently download, install and new Zlob executables
- display fake warning popup messages about the state of the infected
computer
Troj/Zlobmi-A typically has components named:
pmsngr.exe
pmmon.exe
isamini.exe
isaddon.dll
The Troj/Zlobmi-A executables run continuously in the background and
attempt to prevent each other from being terminated.
A registry entry may be set at the following location to run a
Troj/Zlobmi-A executable on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
Troj/Zlobmi-A sets registry entries under the following location:
HKCU\Software\Internet Security
Troj/Zlobmi-A refreshes these registry entries if they are modified
or deleted.
Most components of Troj/Zlobmi-A are detected generically as
Troj/Zlobmi-Gen via Sophos's Genotype™ detection technology.
Name W32/Rbot-FPF
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.bll
Prevalence (1-5) 2
Description
W32/Rbot-FPF is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-FPF spreads by copying itself to network shares protected by
weak passwords.
W32/Rbot-FPF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Rbot-FPF is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-FPF spreads by copying itself to network shares protected by
weak passwords.
W32/Rbot-FPF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-FPF includes functionality to:
- log keystrokes
- log active processes
- carry out DDoS flooder attacks
- scan IP addresses
- silently download, install and run new software, including updates
of its software and/or other malware executables
- modify network settings
When first run W32/Rbot-FPF copies itself to
<Windows>\messengersystem.exe.
The following registry entries are created to run messengersystem.exe
on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Messenger91
messengersystem.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Messenger91
messengersystem.exe
The following registry entry is set:
HKCU\Software\Microsoft\OLE
Messenger91
messengersystem.exe
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)SEEN-BY: 633/267 270 @PATH: 123/140 500 379/1 633/267 |
|
| SOURCE: echomail via fidonet.ozzmosis.com | |
Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.