echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2007-12-16 19:07:00
subject: News, December 16 2007

[cut-n-paste from sophos.com]

Name   W32/Atax-A

Type  
    * Worm

How it spreads  
    * Removable storage devices
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Trojan-Dropper.Win32.BAT.a
    * WORM_AGENT.ADYN

Prevalence (1-5) 2

Description
W32/Atax-A is a worm for the Windows platform.

Advanced
W32/Atax-A is a worm for the Windows platform.

When first run, the worm copies itself to the following locations:

\100% user.exe
\VenoM.666\Explorer.exe
\SendTo\Disco extraible.pif
\SendTo\Documendos borrados de user.exe
\SendTo\Documentos compartidos.scr
\SendTo\Mis documetos.exe
\SendTo\Papelera de reciclaje compartida.ex
\winlogon.exe
\windows.exe

W32/Atax-A also creates the following files:

\bt.bat (detected as W32/Atax-A)
\SendTo\Game Over 2323.txt (can be deleted)
\VenoM.txt (can be deleted)
\autorun.inf (detected as W32/Atax-A)
\desktop.inf (can be deleted)
\autorun.inf (detected as W32/Atax-A)

The worm attempts to print out VenoM.txt. It's an ASCII file that says 
the following:

"El juego a terminado. Tu has sido derrotado por VenoM (email address 
deleted)"

This translates roughly to "The game is over. You have been defeated 
by VenoM."

W32/Atax-A sets the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CFTMON.EXE
\winlogon.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\_VenoM_Software_\Virus
estas
infectado

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HiddenFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0





Name   Troj/Tanto-G

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Tanto-G is a Trojan for the Windows platform.

Advanced
Troj/Tanto-G is a backdoor Trojan which allows a remote intruder to 
gain access and control over the computer.

When first run, Troj/Tanto-G copies itself to 
\.exe.

The following registry entry is created to run .exe 
on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
qmzt
\.exe

The file .exe is registered as a new system driver 
service named , with a display name of "Print Spooler 
Service" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\





Name   W32/Mypis-Fam

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Dropped by malware

Aliases  
    * W32/Noia.a
    * TrojanDownloader:Win32/Ganran.A!inf
    * PE_LIJI.A

Prevalence (1-5) 2

Description
W32/Mypis-Fam is a family of infected executable files that has been 
patched to download and execute malware from a remote location.

Advanced
W32/Mypis-Fam is a family of infected executable files that has been 
patched to download and execute malware from a remote location.

Members of W32/Mypis-Fam usually attempt to download a file to 
\system.bak, and to copy it to \system.log. They then 
decrypt this file and use it to download another file to 
\dllcache\svchost.exe.

Some members of W32/Mypis-Fam have been seen infecting other malware, 
in which case the disinfected file may also be malicious.





Name   W32/Blehs-A

Type  
    * Worm

How it spreads  
    * Removable storage devices
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Blehs-A is a worm for the Windows platform.

W32/Blehs-A attempts to copy itself to all folders on a number of drives.

Advanced
W32/Blehs-A is a worm for the Windows platform.

W32/Blehs-A drops the file \bt.bat, which 
contains the worm's main functionality. This file is also detected as 
W32/Blehs-A.

When first run, W32/Blehs-A copies itself to \winmsg.exe 
and sets the following registry entry to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winmsg.exe
\winmsg.exe

W32/Blehs-A attempts to copy itself to all folders on  
and drives D to I, copying itself with the same name as the folder but 
with an EXE extension.





Name   Troj/Psyme-GB

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
Troj/Psyme-GB is a Trojan for the Windows platform.

Troj/Psyme-GB exploits a browser vulnerability in order to download and 
run further executable code.





Name   Troj/KillAV-ED

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Modifies data on the computer
    * Steals information
    * Displays pop-up advertising

Prevalence (1-5) 2

Description
Troj/KillAV-ED is a Trojan for the Windows platform.

Advanced
Troj/KillAV-ED is a Trojan for the Windows platform.

When Troj/KillAV-ED is run, the following files are created:

\All Users\Application Data\MPEG ELSE ONE 
VIEW\web math.exe
\Local Settings\Temp\sta10.exe
\Application Data\gridhopefirst\Save peak.exe
\Application Data\gridhopefirst\lvcdzwel.exe
\Application Data\gridhopefirst\SOFT THIRD TEST MESS.exe
\Application Data\gridhopefirst\bib dent real.exe

These files are also detected as Troj/KillAV-ED.

The following key is set to allow Troj/KillAV-ED to execute on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
pile scr
(path to)\Save peak.exe

Troj/KillAV-ED will also replace the Windows HOSTS file to prevent 
access to certain anti-malware sites.





Name   Troj/Cargar-A

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Cargar-A is a Trojan for the Windows platform.

Troj/Cargar-A spams MSN Messenger contacts.

Advanced
Troj/Cargar-A is a Trojan for the Windows platform.

Troj/Cargar-A spams MSN Messenger contacts.

Troj/Cargar-A creates the following files:
\IXP000.TMP\run.exe - also detected as Troj/Cargar-A
\win32.exe - also detected as Troj/Cargar-A

Troj/Cargar-A replaces the contents of:
\drivers\etc\hosts - should be restored from CD





Name   Troj/Revkey-A

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Records keystrokes

Prevalence (1-5) 2

Description
Troj/Revkey-A is a hacked copy of the commercial "Actual Spy" keylogger.





Name   W32/YMWorm-A

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/YMWorm-A is an instant messenger worm for the Windows platform.

Advanced
W32/YMWorm-A is an instant messenger worm for the Windows platform.

W32/YMWorm-A includes functionality to download, install and run new 
software.

When W32/YMWorm-A is installed, the following files are created:

\cmd.exe
\svchost.exe
\svchost32.exe

The following registry entries are created to run W32/YMWorm-A on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Task Manager
\svchost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Yahoo Messenger
\svchost32.exe

W32/YMWorm-A changes settings for Microsoft Internet Explorer by 
modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

The following registry entries are set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
Homepage
1

Registry entries are created under:

HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast
HKCU\Software\Yahoo\pager\View\YMSGR_buzz





Name   Troj/Proxy-IB

Type  
    * Trojan

Affected operating systems  
    * Windows

Aliases  
    * Backdoor:Win32/Agent.ACG

Prevalence (1-5) 2

Description
Troj/Proxy-IB is a proxy server Trojan for the Windows platform.

Advanced
Troj/Proxy-IB is a proxy server Trojan for the Windows platform.

The proxy server runs continuously in the background listening on a 
pre-configured port and allows data to be routed through the computer.

The proxy may be used to forward spam.

Troj/Proxy-IB runs as a new service named "aspimgr".





Name   W32/Looked-EB

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Viking.lw
    * W32/HLLP.Philis.kl virus
    * Win32/Viking.LU virus
    * PE_LOOKED.ACX-O

Prevalence (1-5) 2

Description
W32/Looked-EB is a virus and network worm for the Windows platform.

The virus infects EXE files found on the infected computer and attempts 
to spread to remote network shares with weak passwords.

Advanced
W32/Looked-EB is a virus and network worm for the Windows platform.

The virus infects EXE files found on the infected computer and attempts 
to spread to remote network shares with weak passwords.

When first run, the virus creates the following files:

\rundl132.exe

and creates a file \RichDll.dll, detected as Mal/EncPk-BW. 
This file attempts to download further executable code.

Many files with the name "_desktop.ini" are created, in various folders 
on the infected computer. These files are harmless text files.

The following registry entry is created to run rundl132.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
\uninstall\rundl132.exe

Registry entries are created under:

HKLM\SOFTWARE\Soft\DownloadWWW\

 
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)

SOURCE: echomail via fidonet.ozzmosis.com
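Several of the descriptions quoted above share the same registry footprint: a persistence value under a CurrentVersion\Run key with a distinctive name, and Policies values that lock the user out of Task Manager, regedit or the Run dialog. The script below is an added example, not part of the original post or of Sophos' descriptions: it parses a `reg export`-style .reg file and flags the indicators transcribed from the descriptions. The sample export embedded in it is constructed, and the file paths in it are placeholders.

```python
"""Scan a Windows .reg export for the registry indicators listed in the
Sophos descriptions quoted above. Added example: the indicator tables are
transcribed from those descriptions, the SAMPLE_EXPORT is constructed."""
import re

# Value names the descriptions list under HKLM/HKCU ...\CurrentVersion\Run.
RUN_VALUE_NAMES = {
    "cftmon.exe": "W32/Atax-A",
    "qmzt": "Troj/Tanto-G",
    "winmsg.exe": "W32/Blehs-A",
    "task manager": "W32/YMWorm-A",
    "yahoo messenger": "W32/YMWorm-A",
    "load": "W32/Looked-EB",
    "pile scr": "Troj/KillAV-ED",
}

# (key suffix, value name, forced dword) -> families that set it.
# Explorer\Advanced values (Hidden, ShowSuperHidden) are left out on purpose:
# the values the descriptions list are also the Windows defaults.
POLICY_VALUES = {
    ("policies\\system", "disabletaskmgr", 1): "W32/Atax-A, W32/YMWorm-A",
    ("policies\\system", "disableregistrytools", 1): "W32/Atax-A, W32/YMWorm-A",
    ("policies\\explorer", "nofolderoptions", 1): "W32/Atax-A",
    ("policies\\explorer", "norun", 1): "W32/YMWorm-A",
}

# Keys that only exist because the malware created them.
MARKER_KEYS = {
    "hkey_current_user\\_venom_software_\\virus": "W32/Atax-A",
    "hkey_local_machine\\software\\soft\\downloadwww": "W32/Looked-EB",
}

HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_reg(text):
    """Parse the subset of .reg syntax 'reg export' emits: [key] headers,
    "name"="string" and "name"=dword:hex lines. Returns
    {key_lower: {value_name_lower: value}} with dwords as ints."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            full = HIVE_ALIASES.get(hive.upper(), hive) + ("\\" + rest if rest else "")
            current = full.lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        vname, vdata = m.group(1).lower(), m.group(2)
        if vdata.startswith("dword:"):
            keys[current][vname] = int(vdata[6:], 16)
        elif vdata.startswith('"') and vdata.endswith('"'):
            keys[current][vname] = vdata[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys


def find_indicators(keys):
    """Return sorted (key, value_name_or_None, family) hits."""
    hits = []
    for key, values in keys.items():
        if key in MARKER_KEYS:
            hits.append((key, None, MARKER_KEYS[key]))
        if key.endswith("\\software\\microsoft\\windows\\currentversion\\run"):
            for vname in values:
                if vname in RUN_VALUE_NAMES:
                    hits.append((key, vname, RUN_VALUE_NAMES[vname]))
        for (suffix, vname, expected), family in POLICY_VALUES.items():
            if key.endswith(suffix) and values.get(vname) == expected:
                hits.append((key, vname, family))
    return sorted(hits, key=lambda h: (h[0], h[1] or ""))


# Constructed sample export; paths are placeholders, not real file locations.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFTMON.EXE"="C:\\placeholder\\winlogon.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\_VenoM_Software_\Virus]
"estas"="infectado"
'''


if __name__ == "__main__":
    for key, vname, family in find_indicators(parse_reg(SAMPLE_EXPORT)):
        print(f"{family}: {key}" + (f" -> {vname}" if vname else ""))
```

On the sample, the scan reports three hits (the marker key, DisableTaskMgr=1, and the CFTMON.EXE Run value); DisableRegistryTools=0 and the Explorer\Advanced value are not flagged. Running it on a real export (`reg export HKCU out.reg` and the same for HKLM) is the same call with the file contents in place of SAMPLE_EXPORT.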
