[cut-n-paste from sophos.com]

Name   W32/Hupigon-SV

Type  
    * Worm

How it spreads  
    * Removable storage devices
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Hupigon-SV is a worm for the Windows platform.

Advanced
W32/Hupigon-SV is a Trojan for the Windows platform.

W32/Hupigon-SV will attempt to spread by copying itself to every active 
drive. This means that it will also spread to any currently connected 
removable storage devices, as well as any mapped network drives that 
have write access enabled.

W32/Hupigon-SV will also copy an autorun.inf file so that the worm will 
be activated every time the folder is viewed in Windows Explorer. This 
file is also detected as W32/Hupigon-SV.

W32/Hupigon-SV includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Hupigon-SV copies itself to:

\Microsoft Shared\msinfo\inetin.exe
\inetin.exe
\_inetin.exe

and creates the following file:
\Microsoft Shared\msinfo\ReDelBat.bat - May be safely 
deleted.

The file inetin.exe is registered as a new system driver service named 
"IIS Admin", with a display name of "IIS Admin Service"
and a startup 
type of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\IIS Admin





Name   Troj/Torpig-BY

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry
    * Dropped by malware

Prevalence (1-5) 2

Description
Troj/Torpig-BY is a Trojan for the Windows platform.

Advanced
Troj/Torpig-BY is a Trojan for the Windows platform.

Troj/Torpig-BY is usually installed by another member of the Torpig 
family of Trojans, usually to one of the folders C:\Program 
Files\Common Files\Microsoft Shared\Web Folders or \..\temp, 
and the following files are usually created in this folder:

ibm00000.exe
ibm00001.dll
ibm00001.exe
ibm00002.dll
tmp.tmp

All files starting ibm are typically executables in the Torpig family 
of Trojans. tmp.tmp is a clean data file. Troj/Torpig-BY may attempt to 
delete files with the same name if they already exist.

Registry entries may be set at the following locations to run 
ibm00001.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

An entry may be added to the file SYSTEM.INI in the "boot" section to 
attempt to run ibm00001.exe on startup.

The Trojan attempts to steal passwords, as well as logging keypresses 
and open window titles to text files and periodically sends the 
collected information to a remote user via HTTP.

The Trojan downloads and executes additional files from a remote site. 
Configuration files may also be downloaded which define further actions.

Troj/Torpig-BY automatically closes security warning messages displayed 
by common anti-virus and security-related applications.





Name   Troj/Goopo-A

Type  
    * Trojan

How it spreads  
    * Web downloads

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Goopo-A is a malicious script that redirects the visitor from the 
malicious website to another malicious web page which installs 
additional malicious files.





Name   VBS/Nutpea-A

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
VBS/Nutpea-A is a VBS worm for the Windows platform.

Advanced
VBS/Nutpea-A is a VBS worm for the Windows platform.

When run the worm will attempt to copy itself and its components to any 
removable and fixed drives.





Name   Troj/Zlob-AGJ

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Zlob-AGJ is a Trojan for the Windows platform.





Name   W32/OnlineG-Z

Type  
    * Spyware Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Steals information
    * Drops more malware
    * Records keystrokes
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/OnlineG-Z is a worm for the Windows platform.

W32/OnlineG-Z spreads by copying itself to removable storage devices.

Advanced
W32/OnlineG-Z is a worm for the Windows platform.

W32/OnlineG-Z spreads by copying itself to removable storage devices.

W32/OnlineG-Z contains functionality to steal credentials for certain 
online games.

When first run W32/OnlineG-Z copies itself to \avpo.exe and 
creates the following files:

\ckxf0zhc.sys
\ddjxa7.dll
\avpo0.dll

The file ckxf0zhc.sys is detected as Mal/RootKit-A.

The following registry entry is created to run avpo.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
avpa
\avpo.exe





Name   Troj/Dload-AA

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Dload-AA is a Trojan for the Windows platform.





Name   W32/Mabezat-B

Type  
    * Virus

How it spreads  
    * Removable storage devices
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Aliases  
    * W32/Mabezat.a
    * Win32/Mabezat.A
    * Worm.Win32.Mabezat.b

Prevalence (1-5) 2

Description
W32/Mabezat-B is a virus for the Windows platform which also spreads by 
copying itself to network shares and removable devices.

Advanced
W32/Mabezat-B is a virus for the Windows platform which also spreads by 
copying itself to network shares and removable devices.

W32/Mabezat-B copies itself to removable devices with one or more of 
the following filenames:

"My documents .exe"
"Readme.doc .exe"
"tazebama.exe"

When W32/Mabezat-B is installed the following files are created:

\Documents and Settings\hook.dl_
\Documents and Settings\tazebama.dl_
\Documents and Settings\tazebama.dll





Name   Troj/Agent-GHN

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information

Prevalence (1-5) 2

Description
Troj/Agent-GHN is a Trojan for the Windows platform.





Name   Troj/Agent-GHM

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Agent-GHM is a Trojan for the Windows platform.

Advanced
Troj/Agent-GHM is a Trojan for the Windows platform.

Troj/Agent-GHM includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Agent-GHM copies itself to:

\auto.exe
\86affa28.exe

and creates the following files:

\autorun.inf
\318f153a.dll
\delme.bat

The file autorun.if is detected as W32/SillyFD-G and the file 
318f153a.dll is detected as Mal/Behav-027.

The file 86AFFA28.EXE is registered as a new service named "6AD13D8A", 
with a display name of "6AD13D8A". Registry entries are created under:

HKCU\SYSTEM\CurrentControlSet\Services\6AD13D8A

The file 86AFFA28.EXE is registered as a new system driver service 
named "6AD13D8A", with a display name of "6AD13D8A" and
a startup type 
of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\6AD13D8A

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\H
idden\SHOWALL
CheckedValue
0

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Windows NT





Name   Troj/DrProt-Gen

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/DrProt-Gen is a Trojan for the Windows platform.

Troj/DrProt-Gen pretends to be an anti-spyware application.

Troj/DrProt-Gen will attempt to silently download and run more malware.

 
--- MultiMail/Win32 v0.43