echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2007-11-18 23:47:00
subject: News, November 18 2007

[cut-n-paste from sophos.com]

Name   W32/Rbot-GVC

Type  
    * Worm

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
W32/Rbot-GVC is a worm for the Windows platform.

Advanced
W32/Rbot-GVC is a worm for the Windows platform.

When first run W32/Rbot-GVC copies itself to \nod64.exe and 
creates the file \a.bat.

The file a.bat is detected as Troj/Batten-A.





Name   Troj/VBDrop-D

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
Troj/VBDrop-D is a Trojan for the Windows platform.

Advanced
Troj/VBDrop-D is a Trojan for the Windows platform.

When Troj/VBDrop-D is installed the following files are created:

\WindowsXP-KB923810-x86-ENU.exe
\kb923810.exe

The file kb923810.exe is detected as Mal/Basine-C.
The file WindowsXP-KB923810-x86-ENU.exe is a legitimate Windows XP 
security update.





Name   Troj/Wixud-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Modifies browser settings

Prevalence (1-5) 2

Description
Troj/Wixud-B is a Trojan for the Windows platform.

Advanced
Troj/Wixud-B is a Trojan for the Windows platform.

The following registry entry is created to run Troj/Wixud-B on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
clkhost


Troj/Wixud-B changes settings for Microsoft Internet Explorer by 
setting the following registry entries:

HKCU\Software\Microsoft\Internet Explorer\Main
Play_Animations
no

HKCU\Software\Microsoft\Internet Explorer\Main
Play_Background_Sounds
no

HKCU\Software\Microsoft\Internet Explorer\Main
Display Inline Videos
no

HKCU\Software\Microsoft\Internet Explorer\New Windows
PopupMgr
yes

HKCU\Software\Microsoft\Internet Explorer\New Windows
PlaySound
0



The following registry entries are set, affecting internet security:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
1809
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
1809
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1809
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1809
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1809
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
WarnonZoneCrossing
0

Registry settings are also modified under the following locations:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache

HKLM\SOFTWARE\Microsoft\Internet Explorer\Download





Name   W32/Sdbot-DIT

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * W32/Sdbot.worm.gen.z virus

Prevalence (1-5) 2

Description
W32/Sdbot-DIT is a worm with IRC backdoor functionality for the Windows 
platform.

Advanced
W32/Sdbot-DIT is a worm with IRC backdoor functionality for the Windows 
platform.

When first run W32/Sdbot-DIT copies itself to \dllcache\mlqm.exe.

The file mlqm.exe is registered as a new system driver service named 
"Logitech QuickCam Manager", with a display name of "Logitech QuickCam 
Manager" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Logitech QuickCam Manager

W32/Sdbot-DIT sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the 
Microsoft Internet Connection Firewall (ICF).

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N





Name   W32/IRCBot-ZA

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.IRCBot.amk
    * W32/Sdbot.worm.gen.a
    * Worm:Win32/Pushbot.gen

Prevalence (1-5) 2

Description
W32/IRCBot-ZA is a worm for the Windows platform that also includes 
backdoor functionality.

Advanced
W32/IRCBot-ZA is a worm for the Windows platform that also includes 
backdoor functionality.

W32/IRCBot-ZA runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

When W32/IRCBot-ZA is installed the following files are created:

\img4851.zip
\sfhgj.exe
\STemp_01.exe

These files are also detected as W32/IRCBot-ZA.

The following registry entry is created to run sfhgj.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Audio Device Manager
sfhgj.exe





Name   W32/Sdbot-DIS

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * W32/Sdbot.worm.gen.ci

Prevalence (1-5) 2

Description
W32/Sdbot-DIS is a worm with IRC backdoor functionality for the Windows 
platform.

Advanced
W32/Sdbot-DIS is a worm with IRC backdoor functionality for the Windows 
platform.

W32/Sdbot-DIS runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

When first run W32/Sdbot-DIS copies itself to \msnpla.exe.

The following registry entries are created to run msnpla.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Current32
\msnpla.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Current32
\msnpla.exe

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
\msnpla.exe
\msnpla.exe:*:Enabled:Current32

The following registry entry is set:

HKCU\Software\Microsoft\OLE
Current32
\msnpla.exe





Name   Troj/Hupigon-SU

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Hupigon.czj

Prevalence (1-5) 2

Description
Troj/Hupigon-SU is a Trojan for the Windows platform.

Troj/Hupigon-SU includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Hupigon-SU is a Trojan for the Windows platform.

Troj/Hupigon-SU includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Hupigon-SU copies itself to \system34.exe 
and creates the following files:

\DEWEFDDSFS.BAT
\SYSTEM34KEY.DLL
\system34.dll

The file system34.exe is registered as a new system driver service 
named "Fast User Switching Compatibi", with a display name of "Fast 
User Switching Compatibi" and a startup type of automatic, so that it 
is started automatically during system startup. Registry entries are 
created under:

HKLM\SYSTEM\CurrentControlSet\Services\Fast User Switching Compatibi

Troj/Hupigon-SU changes settings for Microsoft Internet Explorer by 
modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\

The following registry entry is set:

HKCU\Software\Microsoft\Internet Explorer\Toolbar
Locked
1

Sophos's anti-virus products include Behavioral Genotype® Protection 
and Genotype® detection technologies, which can proactively guard 
against new threats without requiring an update. Sophos customers have 
been proactively protected against all three components of 
Troj/Hupigon-SU as follows:

The main executable, \system34.exe, has been detected as 
Troj/GrayBr-Gen since version 4.14.

The dll component \system34.dll has been detected as 
Mal/Packer since version 4.14.

The dll component \SYSTEM34KEY.DLL has been detected as 
Mal/GrayBird since version 4.15.





Name   W32/Unubot-B

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Unubot-B is a worm with IRC backdoor functionality for the Windows 
platform.

W32/Unubot-B runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

Advanced
W32/Unubot-B is a worm with IRC backdoor functionality for the Windows 
platform.

W32/Unubot-B runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

When first run W32/Unubot-B copies itself to \mdm.exe with the 
system and hidden attributes set and creates the following registry 
entries to run mdm.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Office
\mdm.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Office
\mdm.exe

The following registry entries are set:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/PDrop-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Dropped by malware

Prevalence (1-5) 2

Description
Troj/PDrop-B is a Trojan for the Windows platform.

Advanced
Troj/PDrop-B is a Trojan for the Windows platform.

Troj/PDrop-B is dropped by Troj/PDrop-A.





Name   W32/Unubot-A

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Unubot-A is a worm with IRC backdoor functionality for the Windows 
platform.

Advanced
W32/Unubot-A is a worm with IRC backdoor functionality for the Windows 
platform.

W32/Unubot-A runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

When first run W32/Unubot-A copies itself to \mdm.exe and 
creates the following files:

\WER1.tmp.dir00\appcompat.txt
\wer1.tmp

The following registry entries are created to run mdm.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Office
\mdm.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Office
\mdm.exe

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N





Name   Troj/Banker-EJR

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * TSPY_BANKER.MEW

Prevalence (1-5) 2

Description
Troj/Banker-EJR is a Trojan for the Windows platform.

Advanced
Troj/Banker-EJR is a Trojan for the Windows platform.

Troj/Banker-EJR includes functionality to transmit stolen banking 
details via SMTP to a remote location.

When first run Troj/Banker-EJR copies itself to \helper.exe 
and creates the file \Helper.bak.

The file Helper.bak can be safely deleted.

The following registry entry is created to run helper.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ServicePack32
\Helper.exe





Name   Troj/Zlob-AGB

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Zlob-AGB is a Trojan for the Windows platform.

Advanced
Troj/Zlob-AGB is a Trojan for the Windows platform.

When Troj/Zlob-AGB is installed the following files are created:

\key.lky
\setup1.exe.dat
\setup2.exe.dat
\setup3.exe.dat





Name   W32/Bagle-TC

Type  
    * Worm

How it spreads  
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Bagle-TC is a worm for the Windows platform.

W32/Bagle-TC may attempt to spread via the eMule P2P network.

Advanced
W32/Bagle-TC is a worm for the Windows platform.

W32/Bagle-TC may attempt to spread via the eMule P2P network.

W32/Bagle-TC includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Bagle-TC copies itself to \m\flec006.exe.

The following registry entry is created to run flec006.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key
\m\flec006.exe

W32/Bagle-TC may also create other files in the same folder.

W32/Bagle-TC may create the following folder:

\m\shared\

W32/Bagle-TC may create registry entries under the following location:

HKCU\Software\MuleAppData

W32/Bagle-TC attempts to download and execute a file from a number of 
remote websites.





Name   Troj/MedPlg-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Exploits system or software vulnerabilities

Aliases  
    * Trojan-Downloader.JS.Agent.nw
    * JS/Agent.BK

Prevalence (1-5) 2

Description
Troj/MedPlg-A is a Trojan for the Windows platform.

Advanced
Troj/MedPlg-A is a downloader Trojan for the Windows platform.

Troj/MedPlg-A attempts to exploit a vulnerability (MS06-006) to download 
and execute a remote file to C:\U.exe. This file is currently 
unavailable.





Name   W32/Nuwar-D

Type  
    * Worm

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
W32/Nuwar-D is a worm for the Windows platform.





Name   Troj/Jardo-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan.Java.ClassLoader.as
    * Java/ClassLoader trojan

Prevalence (1-5) 2

Description
Troj/Jardo-A is a Trojan for the Windows platform.

Advanced
Troj/Jardo-A is a Trojan for the Windows platform.

Troj/Jardo-A attempts to download an executable file from a location 
given to it to one of the following locations:

C:\ms.exe
\MSwin-.exe

Troj/Jardo-A has been used by scripts including Troj/Psyme-FP.





Name   Troj/Kango-D

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Drops more malware
    * Records keystrokes
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Kango-D is a Trojan for the Windows platform.

Troj/Kango-D includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Kango-D is a Trojan for the Windows platform.

Troj/Kango-D includes functionality to access the internet and 
communicate with a remote server via HTTP.

When run Troj/Kango-D generates the fake error message:
"Microsoft Word has generated an error and will be closed!"

Troj/Kango-D installs the following files:

\drivers\kbd.dll - detected as Troj/Kango-D
\drivers\svchost.exe - detected as Mal/Behav-009
\drivers\test.dll - detected as Troj/Kango-D

The following registry entry is created to run Troj/Kango-D on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
service
\drivers\svchost.exe

 
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)

SOURCE: echomail via fidonet.ozzmosis.com
