echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2008-01-27 19:42:00
subject: News, January 27 2008

[cut-n-paste from sophos.com]

Name   W32/Expiro-C

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
W32/Expiro-C is a virus for the Windows platform.





Name   Troj/Tanto-H

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Tanto-H is a backdoor Trojan which allows a remote intruder to 
gain access and control over the computer.

Advanced
Troj/Tanto-H is a backdoor Trojan which allows a remote intruder to 
gain access and control over the computer.

Troj/Tanto-H includes functionality to download, install and run new 
software.

When first run Troj/Tanto-H copies itself to \wscntfy.exe.

The file wscntfy.exe is registered as a new system driver service named 
"Microsoft wscntfy Service", with a display name of "Microsoft wscntfy 
Service" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft wscntfy Service

Troj/Tanto-H sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center





Name   Troj/DllLoad-E

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Prevalence (1-5) 2

Description
Troj/DllLoad-E is a Trojan dropper for the Windows platform.

When run the Trojan will decrypt and drop a DLL which it will then 
attempt to load.





Name   Troj/DwnLdr-HAL

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Small.hqo

Prevalence (1-5) 2

Description
Troj/DwnLdr-HAL is a Trojan for the Windows platform.

Advanced
Troj/DwnLdr-HAL includes functionality to access the internet and 
communicate with a remote server via HTTP.

When Troj/DwnLdr-HAL is installed the following files are created:

\.exe

At the time of this writing the above file is detected by Sophos as 
W32/Sality-AM.

The following registry entry is created to run Troj/DwnLdr-HAL on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IpSec






Name   Troj/ByteVer-AB

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/ByteVer-AB is a Java Trojan.

Advanced
Troj/ByteVer-AB is a Java Trojan.

Troj/ByteVer-AB creates a file in \q319243.com.

q319243.com is detected as Troj/Dropper-RY.





Name   Troj/Keylog-JW

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Steals information
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * TR/Keylog.1EF32979
    * TR/PSW.Steal.53248.18

Prevalence (1-5) 2

Description
Troj/Keylog-JW is a keylogger Trojan for the Windows platform.

Advanced
Troj/Keylog-JW is a keylogger Trojan for the Windows platform.

Troj/Keylog-JW runs silently in the background logging keystrokes, in 
an attempt to capture information such as passwords and visited URLs.

Troj/Keylog-JW may be installed by a downloader Trojan such as 
Troj/Dwnldr-HAJ.

When Troj/Keylog-JW is installed the following files are typically 
created:

\pages.sys (a harmless log file)
\cftmon.exe
\ctfmmmm.exe
\mam.exe
\mam2.exe
\mscontig3.exe
\st.img (a harmless log file)

The following registry entry is changed to run cftmon.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe \cftmon.exe





Name   Troj/Bagle-TL

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Bagle.ik

Prevalence (1-5) 2

Description
Troj/Bagle-TL is a Trojan for the Windows platform.

Advanced
Troj/Bagle-TL is a Trojan for the Windows platform.

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA
0

Registry entries are created under:

HKCU\Software\FirstRRRun





Name   Troj/Psyme-HI

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-PSW.Win32.OnLineGames.ifz

Prevalence (1-5) 2

Description
Troj/Psyme-HI is a Javascript-based Trojan downloader.

Advanced
Troj/Psyme-HI is a Javascript-based Trojan downloader.

Troj/Psyme-HI downloads an EXE file and runs it. At the time of 
writing, the EXE file is detected as Mal/Dropper-Y.





Name   Troj/Bishin-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Bishin-A is a Trojan for the Windows platform.

Advanced
Troj/Bishin-A is a .NET Trojan for the Windows platform.

If run before 31st Jan 2008, Troj/Bishin-A copies itself to 
\MVScvs\svchost.exe and creates the following 
registry entry in order to be run automatically:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MVSvcs
\MVScvs\svchost.exe

Troj/Bishin-A also displays the first JPG file found in the current 
folder, if any exist.





Name   Troj/Clicker-EP

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Clicker-EP is a Trojan for the Windows platform.

Advanced
Troj/Clicker-EP is a Trojan for the Windows platform.

Troj/Clicker-EP includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Clicker-EP changes settings for Microsoft Internet Explorer by 
modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Download
1
6008DE3FD507060001001400040023002900EC02

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
WarnonZoneCrossing
0





Name   W32/IRCBot-ZZ

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Scans network for vulnerabilities
    * Scans network for weak passwords

Aliases  
    * Backdoor.Win32.IRCBot.bep

Prevalence (1-5) 2

Description
W32/IRCBot-ZZ is a worm for the Windows platform.

W32/IRCBot-ZZ spreads
 - to computers vulnerable to common exploits, including: SRVSVC 
(MS06-040), RealVNC (CVE-2006-2369) and Symantec (SYM06-010)
 - to MSSQL servers protected by weak passwords
 - to network shares protected by weak passwords

The following patch for the operating system vulnerability exploited by 
the worm can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx

W32/IRCBot-ZZ can be controlled by a remote attacker over IRC channels. 
The backdoor component of W32/IRCBot-ZZ can be instructed by a remote 
user to perform the following functions:

- start an FTP server
- start a Proxy server
- start a web server
- log keypresses
- harvest information from clipboard
- packet sniffing
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)

Advanced
W32/IRCBot-ZZ is a worm for the Windows platform.

W32/IRCBot-ZZ spreads
 - to computers vulnerable to common exploits, including: SRVSVC 
(MS06-040), RealVNC (CVE-2006-2369) and Symantec (SYM06-010)
 - to MSSQL servers protected by weak passwords
 - to network shares protected by weak passwords

The following patch for the operating system vulnerability exploited by 
the worm can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx

W32/IRCBot-ZZ can be controlled by a remote attacker over IRC channels. 
The backdoor component of W32/IRCBot-ZZ can be instructed by a remote 
user to perform the following functions:

- start an FTP server
- start a Proxy server
- start a web server
- log keypresses
- harvest information from clipboard
- packet sniffing
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)

When first run W32/IRCBot-ZZ creates the following files:

\system32.exe (also detected as W32/IRCBot-ZZ)
\c980da7d.tmp (not malicious, can be deleted)

The following registry entries are created to run system32.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
system32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
system32.exe

The following registry entry is set:

HKCR\CLSID\{random CLSID}

HKCU\Software\ASProtect
Microsoft
system32.exe





Name   VBS/Autorun-AU

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
VBS/Autorun-AU is a Visual Basic worm for the Windows platform.

Advanced
VBS/Autorun-AU is a Visual Basic worm for the Windows platform.

 
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
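The Troj/Tanto-H write-up above lists a set of registry values the Trojan sets to weaken the host (firewall policy off, Messenger/RemoteRegistry/Telnet services disabled, SP2 blocked, DCOM off). The following Python is an added example, not part of the post or of Sophos's own tooling: it parses a regedit 5.00 export (a constructed sample is embedded) and reports which of those listed values are present with the data the Trojan writes. Any single hit can also be deliberate hardening; it is the combination that is worth investigating.

```python
import re

# (key, value name) -> data the Trojan writes, taken from the Tanto-H write-up above.
TANTO_H_INDICATORS = {
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Messenger", "Start"): "4",
    (r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry", "Start"): "4",
    (r"HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr", "Start"): "4",
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile", "EnableFirewall"): "0",
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall"): "0",
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2"): "1",
    (r"HKLM\SOFTWARE\Microsoft\Ole", "EnableDCOM"): "N",
}

# Long hive names as written by regedit, mapped to the short forms used in the write-up.
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_CLASSES_ROOT": "HKCR"}


def parse_reg_export(text):
    """Parse a regedit 5.00 export into {(key, value_name): data}; dwords become decimal strings."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVES.get(hive, hive) + "\\" + rest
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:  # only string and dword values matter for these indicators
                name, dword, string = m.groups()
                values[(key, name)] = str(int(dword, 16)) if dword else string
    return values


def find_tanto_h_indicators(values):
    """Return the (key, name) pairs whose data matches what the Trojan sets; registry paths are case-insensitive."""
    lowered = {(k.lower(), n.lower()): d for (k, n), d in values.items()}
    return sorted((k, n) for (k, n), data in TANTO_H_INDICATORS.items()
                  if lowered.get((k.lower(), n.lower())) == data)


# Constructed sample export: two of the listed values match, EnableDCOM does not.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
'''

if __name__ == "__main__":
    for key, name in find_tanto_h_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"Tanto-H indicator present: {key} -> {name}")
```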

SOURCE: echomail via fidonet.ozzmosis.com