echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2007-03-25 18:48:00
subject: News, March 25 2007

[cut-n-paste from sophos.com]

Name   Troj/SpyAge-B

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Win32/Wigon.D
    * Spy-Agent.bv.dr
    * Trojan.Win32.Agent.ady

Prevalence (1-5) 3

Description
Troj/SpyAge-B is a Trojan for the Windows platform.

Advanced
Troj/SpyAge-B is a Trojan for the Windows platform.

When Troj/SpyAge-B is installed the following files are created:

\main.sys
\reg.sys

The file reg.sys is also detected as Troj/SpyAge-B. The file main.sys 
is detected as Troj/Devspy-Fam.

The file main.sys is registered as a new system driver service named 
"EXAMPLE". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE





Name   W32/Looked-CP

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Looked-CP is a prepending virus for the Windows platform.

Advanced
W32/Looked-CP is a prepending virus for the Windows platform.

When first run, W32/Looked-CP copies itself to 
\uninstall\rundl132.exe and \Logo1_.exe.

W32/Looked-CP creates the following registry entry in order to run 
itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
\uninstall\rundl132.exe

W32/Looked-CP also creates the file \RichDll.dll. This file 
is also detected as W32/Looked-CP.





Name   W32/TrigXF-A

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
W32/TrigXF-A is an instant messaging worm for the Windows platform.

Advanced
W32/TrigXF-A is an instant messaging worm for the Windows platform.

W32/TrigXF-A includes functionality to access the internet and 
communicate with a remote server via HTTP.

When W32/TrigXF-A is installed the following files are created:

\instr32.exe
\windebug.log
\windebug2.log





Name   W32/Sality-AI

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Aliases  
    * Virus.Win32.Sality.l
    * W32/Sality.K
    * W32/Sality.n
    * Win32/Sality.NAE
    * W32.HLLP.Sality.O

Prevalence (1-5) 2

Description
W32/Sality-AI is a virus for the Windows platform.

Advanced
W32/Sality-AI is a virus for the Windows platform.

When W32/Sality-AI is installed the file \wmimgr32.dll is 
created. This file is detected as W32/Sality-I.





Name   W32/Brontok-DB

Type  
    * Worm

How it spreads  
    * Email messages
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Win32/Brontok.G worm
    * W32/Rontokbro.gen{at}MM
    * Email-Worm.Win32.Brontok.q
    * WORM_RONTOKBRO.H

Prevalence (1-5) 2

Description
W32/Brontok-DB is a worm for the Windows platform.

Advanced
W32/Brontok-DB is a worm for the Windows platform.

When first run W32/Brontok-DB copies itself to:

\Local Settings\Application Data\csrss.exe
\Local Settings\Application Data\inetinfo.exe
\Local Settings\Application Data\lsass.exe
\Local Settings\Application Data\services.exe
\Local Settings\Application Data\smss.exe
\ShellNew\bronstab.exe
\eksplorasi.exe

The following registry entries are created to run W32/Brontok-DB on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Tok-Cirrhatus
\Local Settings\Application Data\smss.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus
\ShellNew\bronstab.exe

The following registry entry is changed to run eksplorasi.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "\eksplorasi.exe"

The following registry entry is set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

W32/Brontok-DB will restart the computer whenever the user opens a 
command prompt.

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0





Name   W32/Feebs-BK

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine

Prevalence (1-5) 2

Description
W32/Feebs-BK is an email worm for the Windows platform.

Advanced
W32/Feebs-BK is an email worm for the Windows platform.

W32/Feebs-BK includes functionality to access the internet and 
communicate with a remote server via HTTP.

When run, the worm creates the files

\.exe (Detected as Mal/Packer)
\
SOURCE: echomail via fidonet.ozzmosis.com
