TIP: Click on subject to list as thread!

ANSI

echo:	dirty_dozen
to:	ALL
from:	KURT WISMER
date:	2006-01-01 11:19:00
subject:	News, January 1 2006
[cut-n-paste from sophos.com] Name W32/Rbot-BFR Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Modifies data on the computer * Installs itself in the Registry * Exploits system or software vulnerabilities * Used in DOS attacks Aliases * Backdoor.Win32.Rbot.alj * W32/Sdbot.worm.gen.n * W32.Spybot.Worm * WORM_RBOT.DFP Prevalence (1-5) 2 Description W32/Rbot-BFR is a network worm with backdoor functionality for the Windows platform. W32/Rbot-BFR spreads: - to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) - by copying itself to network shares protected by weak passwords W32/Rbot-BFR runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. Advanced W32/Rbot-BFR is a worm with backdoor functionality for the Windows platform. W32/Rbot-BFR is a network worm with backdoor functionality for the Windows platform. W32/Rbot-BFR spreads: - to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) - by copying itself to network shares protected by weak passwords W32/Rbot-BFR runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. When first run W32/Rbot-BFR copies itself to \winsrt.exe. The following registry entries are created to run winsrt.exe on startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows SRT Client winsrt.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows SRT Client winsrt.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices Windows SRT Client winsrt.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices Windows SRT Client winsrt.exe Registry entries are set as follows: HKCU\SYSTEM\CurrentControlSet\Control\Lsa Windows SRT Client winsrt.exe HKLM\SYSTEM\CurrentControlSet\Control\Lsa Windows SRT Client winsrt.exe HKCU\Software\Microsoft\OLE Windows SRT Client winsrt.exe HKLM\SOFTWARE\Microsoft\Ole Windows SRT Client winsrt.exe Name Troj/Raker-B Type * Trojan Affected operating systems * Windows Side effects * Drops more malware * Installs itself in the Registry Prevalence (1-5) 2 Description Troj/Raker-B is a Trojan for the Windows platform. Advanced Troj/Raker-B is a Trojan for the Windows platform. When first run Troj/Raker-B copies itself to \msjcf.exe and may drop a randomly named component which it will then load. Troj/Raker-B may set the following registry entry so as to auto-start: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MSOffice32 \msjcf.exe Troj/Raker-B will attempt to inject a DLL into the explorer process. Name W32/Hazif-C Type * Spyware Worm Affected operating systems * Windows Side effects * Turns off anti-virus applications * Steals information * Reduces system security * Installs itself in the Registry Prevalence (1-5) 2 Description W32/Hazif-C is a password stealing worm for the Windows platform. W32/Hazif-C can spread to the floppy drive with a preconfigured filename. W32/Hazif-C can be used to steal passwords for Yahoo Instant Messenger and can be preconfigured to send stolen passwords via email, Yahoo IM, or by accessing a remote URL. Name W32/Brontok-J Type * Worm How it spreads * Email messages Affected operating systems * Windows Side effects * Sends itself to email addresses found on the infected computer * Modifies data on the computer * Installs itself in the Registry Aliases * W32.Rontokbro{at}mm * Email-Worm.Win32.Brontok.c Prevalence (1-5) 2 Description W32/Brontok-J is an email worm for the Windows platform. W32/Brontok-J attempts to send itself to email addresses harvested from the computer. It will also attempt to modify various Windows Explorer settings. W32/Brontok-J will restart the computer if it finds a window title containing certain strings such as ".EXE". Advanced W32/Brontok-J is a email worm for the Windows platform. W32/Brontok-J attempts to send itself to email addresses harvested from the computer. It will also attempt to modify various Windows Explorer settings. W32/Brontok-J will restart the computer if it finds a window title containing certain strings such as ".EXE". When first run W32/Brontok-J copies itself to: \Local Settings\Application Data\br4941on.exe \Local Settings\Application Data\csrss.exe \Local Settings\Application Data\inetinfo.exe \Local Settings\Application Data\lsass.exe \Local Settings\Application Data\services.exe \Local Settings\Application Data\smss.exe \Local Settings\Application Data\svchost.exe \Start Menu\Startup\Empty.pif \KesenjanganSosial.exe \ShellNew\RakyatKelaparan.exe \cmd-brontok.exe W32/Brontok-J will drop various files in My Docuement\My Pictures folder with message from the virus writer. The following registry entries are created to run br4941on.exe and RakyatKelaparan.exe on startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus-1959 \Local Settings\Application Data\br4941on.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus \ShellNew\RakyatKelaparan.exe The following registry entry is changed to run KesenjanganSosial.exe on startup: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Explorer.exe "\KesenjanganSosial.exe" (the default value for this registry entry is "Explorer.exe" which causes the Microsoft file \Explorer.exe to be run on startup). The following registry entry is set, disabling the registry editor (regedit): HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools 1 Registry entries are set as follows: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoFolderOptions 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableCMD 0 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden 0 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt 1 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden 0 Name Troj/Spyaks-B Type * Trojan Affected operating systems * Windows Side effects * Downloads code from the internet Prevalence (1-5) 2 Description Troj/Spyaks-B is a Trojan for the Windows platform. The Trojan downloads and installs additional files from a remote site. Troj/Spyaks-B may create popup alerts with the title "Your computer is infected!" and the message text: "Dangerous malware infection was detected on your PC The system will now download and install most efficient anti malware program to prevent data loss and your private information theft. Click here to protect your computer from the biggest malware threats." Name Troj/DownLdr-LA Type * Trojan Affected operating systems * Windows Side effects * Drops more malware * Downloads code from the internet * Installs itself in the Registry * Leaves non-infected files on computer Aliases * Trojan-Downloader.Win32.Small.ccm * Downloader-ASE Prevalence (1-5) 2 Description Troj/DownLdr-LA is a Trojan for the Windows platform. Troj/DownLdr-LA includes functionality to access the internet and communicate with a remote server via HTTP. Advanced Troj/DownLdr-LA is a Trojan for the Windows platform. Troj/DownLdr-LA includes functionality to access the internet and communicate with a remote server via HTTP. When first run Troj/DownLdr-LA copies itself to \bum.exe and creates the file \tio.dll where are random numbers. The following registry entry is created to run bum939.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run rscn \bum.exe ymmud Troj/DownLdr-LA inserts the DLL component into the Internet Explorer process space. Name Troj/DownLdr-LW Type * Trojan Affected operating systems * Windows Side effects * Downloads code from the internet * Exploits system or software vulnerabilities Aliases * Exploit.Win32.Agent.t * Exploit-WMF trojan Prevalence (1-5) 2 Description Troj/DownLdr-LW is a Windows Metafile (WMF) file which exploits a vulnerability allowing the download and execution of an EXE file from a remote URL. At the time of writing, the downloaded file was Troj/DownLdr-LA. Name W32/Rbot-BGH Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Installs itself in the Registry * Exploits system or software vulnerabilities Aliases * Backdoor.Win32.Rbot.gen * WORM_RBOT.GEN Prevalence (1-5) 2 Description W32/Rbot-BGH is a worm with backdoor functionality for the Windows platform. W32/Rbot-BGH spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords. W32/Rbot-BGH runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. Advanced W32/Rbot-BGH is a worm with backdoor functionality for the Windows platform. W32/Rbot-BGH spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords. W32/Rbot-BGH runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. When first run W32/Rbot-BGH copies itself to \sysmsn.exe. The following registry entries are created to run sysmsn.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeReaderPros sysmsn.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices AdobeReaderPros sysmsn.exe The following registry entry is set: HKCU\Software\Microsoft\OLE AdobeReaderPros sysmsn.exe Name W32/Loosky-M Type * Worm How it spreads * Email attachments Affected operating systems * Windows Side effects * Installs itself in the Registry Aliases * Trojan-Dropper.Win32.Agent.afj Prevalence (1-5) 2 Description W32/Loosky-M is a worm for the Windows platform. Advanced W32/Loosky-M is a worm for the Windows platform. When first run W32/Loosky-M copies itself to \sachostx.exe and creates the following files: \attrib.ini \hard.lck \msvcrl.dll \sachostc.exe \sachostp.exe \sachosts.exe \sachostw.exe The following registry entry is created to run sachostx.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HostSrv \sachostx.exe Name Troj/Feutel-B Type * Spyware Trojan Affected operating systems * Windows Side effects * Allows others to access the computer * Reduces system security * Records keystrokes * Installs itself in the Registry Aliases * Backdoor.Win32.Hupigon.j Prevalence (1-5) 2 Description Troj/Feutel-B is a backdoor Trojan for the Windows platform. Troj/Feutel-B connects to the internet and attempts to download configuration files from preconfigured sites. The Trojan installs a keylogging component and opens up a backdoor allowing unauthorized remote access to the infected computer. Advanced Troj/Feutel-B is a backdoor Trojan for the Windows platform. Troj/Feutel-B connects to the internet and attempts to download configuration files from preconfigured sites. The Trojan installs a keylogging component and opens up a backdoor allowing unauthorized remote access to the infected computer. When first run Troj/Feutel-B copies itself to \svchost.exe or \sb.exe. and creates the following files: \svchost.dll \svchost_hook.dll \ or: \SBKey.DLL \SB_Hook.DLL \sb.dll \uninstal.bat The dll files are also detected as Troj/Feutel-B. Troj/Feutel-B may create the following registry entry in order to run automatically on computer login: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost.exe = svchost.exe On NT-based versions of Windows (NT,2000,XP) svchost.exe is registered as a service process called Webservice with a displayname of "Webservice" and a start-type of automatic so that the Trojan is run automatically on computer login. Registry entries are created under HKLM\SYSTEM\CurrentControlSet\Services\Webservice and HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv Troj/Feutel-B also sets the following registry entry: HKCU\Software\Microsoft\Internet Explorer\Main\ Check_Associations = "no" Name W32/Nosun-A Type * Virus How it spreads * Infected files Affected operating systems * Windows Prevalence (1-5) 2 Description W32/Nosun-A is a virus for the Windows platform. On the 23rd of any month it displays the message : "I hate love, i love hate!" On Sundays it displays the message : "Your computer refuses to execute that program on sundays." Advanced W32/Nosun-A is a virus for the Windows platform. On the 23rd of any month it displays the message : "I hate love, i love hate!" On Sundays it displays the message : "Your computer refuses to execute that program on sundays." When the virus runs it creates a copy of the original, uninfected, file in the current folder as scheidenplatz.exe. This file is run and then deleted by the virus. Name W32/Mytob-GK Type * Worm How it spreads * Email messages Affected operating systems * Windows Side effects * Turns off anti-virus applications * Allows others to access the computer * Sends itself to email addresses found on the infected computer * Reduces system security * Installs itself in the Registry * Used in DOS attacks Prevalence (1-5) 2 Description W32/Mytob-GK is an mass-mailing worm with backdoor functionality for the Windows platform. W32/Mytob-GK runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. W32/Mytob-GK spreads by sending itself as an attachment to the email addresses harvested from files on the infected computer and from the Windows address book. Advanced W32/Mytob-GK is a mass-mailing worm with backdoor functionality for the Windows platform. W32/Mytob-GK runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. W32/Mytob-GK spreads by sending itself as an attachment to the email addresses harvested from files on the infected computer and from the Windows address book. When installed W32/Mytob-GK attempts to copy itself to the \winsvc32.exe file. The following registry entries are set to run winsvc32.exe at the restart: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows Services32 winsvc32.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run ServicesWindows Services32 winsvc32.exe W32/Mytob-GK sets the following registry entries, disabling the automatic startup of other software: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start 4 Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF). W32/Mytob-GK attempts to terminate the anti-virus related processes. W32/Mytob-GK also modifies the Windows HOSTS file in an attempt to prevent access to the following sites: antivir.com avast.com avg.com avira.com avp.com bitdefender.com ca.com cert.org clamav.net customer.symantec.com dispatch.mcafee.com download.mcafee.com drweb.com f-prot.com f-secure.com fortinet.com fortinet.net free-av.com free.grisoft.com grisoft.com housecall.trendmicro.com kaspersky-labs.com kaspersky.com mast.mcafee.com mcafee.com my-etrust.com nai.com networkassociates.com nod32.com norton.com pandasoftware.com quickheal.com rads.mcafee.com ravantivirus.com sarc.com secure.nai.com securityresponse.symantec.com service.symantec.com service1.symantec.com sophos.com symantec.com trendmicro.com us.mcafee.com vil.nai.com viruslist.com virustotal.com www.antivir.com www.avast.com www.avg.com www.avira.com www.avp.com www.bitdefender.com www.ca.com www.cert.org www.clamav.net www.drweb.com www.f-prot.com www.f-secure.com www.fortinet.com www.fortinet.net www.free-av.com www.grisoft.com www.kaspersky-labs.com www.kaspersky.com www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.nod32.com www.norton.com www.pandasoftware.com www.quickheal.com www.ravantivirus.com www.sarc.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.virustotal.com Name W32/Sdbot-AKZ Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Installs itself in the Registry Aliases * W32/Sdbot.worm.gen.l Prevalence (1-5) 2 Description W32/Sdbot-AKZ is a worm with backdoor functionality for the Windows platform. W32/Sdbot-AKZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. Advanced W32/Sdbot-AKZ is a worm with backdoor functionality for the Windows platform. W32/Sdbot-AKZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. When first run W32/Sdbot-AKZ copies itself to \spoolss.exe. The following registry entries are created to run spoolss.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeReaderPro spoolss.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices AdobeReaderPro spoolss.exe The following registry entry is set: HKCU\Software\Microsoft\OLE AdobeReaderPro spoolss.exe --- MultiMail/Win32 v0.43 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140) SEEN-BY: 633/267 270 @PATH: 123/140 500 106/2000 633/267
SOURCE: echomail via fidonet.ozzmosis.com

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.