[cut-n-paste from sophos.com]

Name   Troj/Dload-AY

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.JS.Agent.bcb

Prevalence (1-5) 2

Description
Troj/Dload-AY is a Trojan downloader which attempts to download and execute a
file called exe.exe. This file is currently detected as Troj/Agent-GNY.





Name   Troj/JSdown-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/JSdown-A is a malicious JavaScript that may be added to compromised
websites.





Name   Troj/Banloa-EW

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Banloa-EW is a Trojan for the Windows platform.

Advanced
Troj/Banloa-EW is a Trojan for the Windows platform.

TTroj/Banloa-EW includes functionality to access the internet and communicate
with a remote server via HTTP.

When first run Troj/Banloa-EW copies itself to the root folder.

Troj/Banloa-EW is registered as a new system driver service named
"EvenSystems", with a display name of "EvenSystems" and
a startup type of
automatic, so that it is started automatically during system startup. Registry
entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\EvenSystems

The following registry entry is set, affecting internet security:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1601
0





Name   Troj/Bagle-TN

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Downloads code from the internet
    * Reduces system security

Aliases  
    * Trojan-Downloader.Win32.Bagle.in

Prevalence (1-5) 2

Description
Troj/Bagle-TN is a Trojan for the Windows platform.

Advanced
Troj/Bagle-TN is a Trojan for the Windows platform.

Troj/Bagle-TN disables numerous security vendor applications to avoid
etection.

When Troj/Bagle-TN is first run the following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA
0

Registry entries are created under:

HKCU\Software\FirstRRRun





Name   Troj/Agent-GNW

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Clicker.JS.Agent.h

Prevalence (1-5) 2

Description
Troj/Agent-GNW is a Trojan for the Windows platform.

Troj/Agent-GNW includes functionality to access the internet and communicate
with a remote server via HTTP.

Troj/Agent-GNW contains obfuscated Javascript which executes VBScript code. The
VBScript code attempts to further download and execute code.





Name   Troj/KillWin-R

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Stops the computer from booting
    * Deletes files off the computer

Prevalence (1-5) 2

Description
Troj/KillWin-R is a Trojan for the Windows platform.

Advanced
Troj/KillWin-R is a Trojan for the Windows platform.

Troj/KillWin-R attempts to delete the following files:

C:\boot.ini
C:\ntldr
C:\bootmgr

The removal of any of these files will affect the Windows boot process.





Name   Troj/DwnLdr-HAM

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/DwnLdr-HAM is a downloader Trojan for the Windows platform.

Advanced
Troj/DwnLdr-HAM is a downloader Trojan for the Windows platform.

When first run Troj/DwnLdr-HAM copies itself to \ppnsvc.exe.

The following registry entry is created to run ppnsvc.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Audio Control
ppnsvc.exe





Name   W32/Hish-B

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Downloads code from the internet
    * Reduces system security

Prevalence (1-5) 2

Description
W32/Hish-B is a worm for the Windows platform.

Advanced
W32/Hish-B is a worm for the Windows platform.

The worm patches the host file and attempts to terminate various Security
related processes

W32/Hish-B includes functionality to access the internet and communicate with a
remote server via HTTP.

When first run W32/Hish-B copies itself to:
\Explorer.exe
\auto.exe
\system.exe

and creates the following files:
\autorun.inf
\upgrade.pdf
\upgrade.tpl

The file autorun.if is detected as W32/SillyFD-G.





Name   Troj/Dropper-TL

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Installs itself in the Registry
    * Dropped by malware

Prevalence (1-5) 2

Description
Troj/Dropper-TL is a Trojan for the Windows platform.

Advanced
Troj/Dropper-TL is a Trojan for the Windows platform.

Troj/Dropper-TL creates and runs the following files:

\svthall32.exe ( Detected as Troj/Dropper-TM )
\ntdefend32.dll ( Detected as Troj/Bckdr-QLM )
\ntkrnl32.dll ( Detected as Troj/Bckdr-QLN )

Troj/Dropper-TL also creates the following registry entry to run svthall32.exe
on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
svthall32
\svthall32.exe





Name   W32/Bckdr-QLL

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * W32/Trojan.BXQI
    * W32/Generic.worm.f
    * Virus.Win32.AutoRun.cd

Prevalence (1-5) 2

Description
W32/Bckdr-QLL is a worm with backdoor functionality which allows a remote
intruder to gain access and control over the computer.

Advanced
W32/Bckdr-QLL is a worm with backdoor functionality which allows a remote
intruder to gain access and control over the computer.

W32/Bckdr-QLL includes functionality to send notification messages to remote
locations.

When W32/Bckdr-QLL is installed it creates the file \logfile.txt.
W32/Bckdr-QLL may attempt to copy itself to \mem32.exe and to
\notepad.dll.

W32/Bckdr-QLL may also attempt to copy istelf to removable storage devices and
create an autorun.inf on the device to automaticly run the worm.

The following registry entries are created to automaticly run the worm upon
startup

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
mem32
\mem32.exe

HKCR\txtfile\Shell\open\command
{at}
\notepad.dll \"%1\"





Name   Troj/Agent-GOF

Type  
    * Trojan

Prevalence (1-5) 2

Description
Troj/Agent-GOF is a Trojan for the Windows platform.





Name   Troj/Rootkit-BW

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Reduces system security

Aliases  
    * Rootkit.Win32.Agent.tw

Prevalence (1-5) 2

Description
Troj/Rootkit-BW is a Trojan for the Windows platform.

 
--- MultiMail/Win32 v0.43