| TIP: Click on subject to list as thread! | ANSI |
| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | News, May 14 2005 |
[cut-n-paste from sophos.com]
Name W32/Bagz-D
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
Aliases
* I-Worm.Bagz.d
Prevalence (1-5) 3
Description
W32/Bagz-D is mass mailing network worm that also contains a backdoor
which allows an intruder to download and install further components.
W32/Bagz-D will attempt to harvest email addresses from TXT, HTM, DBX,
TBI and TBB files, which it will use for both the to and from addresses
of emails that it sends.
The worm will also attempt to terminate anti-virus software.
Advanced
W32/Bagz-D is mass mailing network worm that also contains a backdoor
which allows an intruder to download and install further components.
W32/Bagz-D will attempt to harvest email addresses from TXT, HTM, DBX,
TBI and TBB files, which it will use for both the to and from addresses
of emails that it sends.
The sent email will have the following characteristics:
Subject line:
ASAP
please responce
Read this
urgent
toxic
contract
Money
office
Have a nice day
Hello
Russian's
Amirecans
attachments
attach
waiting
best regards
Administrator
Warning
text
Vasia
re: Andrey
re: please
re: order
Allert!
Attachment (ZIP format):
backup.zip
admin.zip
archivator.zip
about.zip
readme.zip
help.zip
photos.zip
payment.zip
archives.zip
manual.zip
inbox.zip
outbox.zip
save.zip
rar.zip
zip.zip
ataches.zip
documentation.zip
docs.zip
Attachment (EXE format):
backup.doc (spaces) .exe
admin.doc (spaces) .exe
archivator.doc (spaces) .exe
about.doc (spaces) .exe
readme.doc (spaces) .exe
help.doc (spaces) .exe
photos.doc (spaces) .exe
payment.doc (spaces) .exe
archives.doc (spaces) .exe
manual.doc (spaces) .exe
inbox.doc (spaces) .exe
outbox.doc (spaces) .exe
save.doc (spaces) .exe
rar.doc (spaces) .exe
zip.doc (spaces) .exe
ataches.doc (spaces) .exe
documentation.doc (spaces) .exe
docs.doc (spaces) .exe
sysboot.doc (spaces) .exe
W32/Bagz-D will keep a copy of the files that it sends in the Windows
system32 folder. The worm also drops the following components in to that
folder:
run32.exe (Detected as component of W32/Bagz-C)
rpc32.exe
ipdb.dll
wdate.dll
jobdb.dll
W32/Bagz-D will also modify the %system32%/drivers/etc/hosts file in
order to prevent access to major virus vendors websites.
The worm will install itself as a service called RPC32.
Name W32/Bagz-B
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* I-Worm.Bagz.b
* W32/Bagz.b{at}MM
Prevalence (1-5) 2
Description
W32/Bagz-B is mass mailing network worm. It also contains a backdoor
which allows an intruder to instruct it to download and install further
components.
W32/Bagz-B may also try to disable the Windows default firewall on
startup.
W32/Bagz-B will attempt to harvest email addresses from the "Document
and setting" folder on the local machine with names such as *.txt,
*.htm, *.htm, *,dbx, *.tbi, *.tbb.
Advanced
The email it sends will contain an attachment either in ZIP format or in
a binary file. It will contain the following subject lines:
"last request before refunding"
"re: user id update"
"fwd: your funds are eligible for withdrawal"
"find a solution with this customer"
"no subject"
"re: help desk registration"
"failure notice"
"fwd: password"
"when should i call you?"
"re: re: a question"
"knowledge base article"
"open invoices"
"returned mail: see transcript for details"
"building maintenance"
"[fwd: broken link]"
"winxp"
"troubles are back again"
"questions"
"order approval"
"units available"
"progress news"
"big announcements"
"need help pls"
"you have recieved an ecard!"
"what is this ????"
"deactivation notice"
"message recieved, please confirm"
"my funny stories"
"cost inquiry"
"re: payment"
"referrences"
"webmail invite"
"re: quote request"
Attachments can use the following names:
arch.doc.exe
arch.zip
archive.doc.exe
archive.zip
atach.doc.exe
atach.zip
att.doc.exe
att.zip
contact.doc.exe
contact.zip
db.doc.exe
db.zip
dl.exe
doc.doc.exe
doc.zip
documents.doc.exe
documents.zip
file.doc.exe
file.zip
ipdb.dll
jobdb.dll
mail.doc.exe
mail.zip
message.doc.exe
message.zip
messages.doc.exe
messages.zip
msg.doc.exe
msg.zip
read.doc.exe
read.zip
readme.doc.exe
readme.zip
support.doc.exe
support.zip
syslogin.exe
tutorial.doc.exe
warning.doc.exe
warning.zip
W32/Bagz-B will keep a copy of the above files in the folder %system32%.
Other than the above, it will also drop the following components:
%system32%/dl.exe
%system32%/syslogin.exe
%system32%/ipdb.dll
%system32%/jobdb.dll
And also create the following autorun registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
syslogin.exe = syslogin.exe
Name W32/Forbot-AR
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Wootbot.gen
* W32/Gaobot.worm.gen.q
* WORM_WOOTBOT.K
Prevalence (1-5) 2
Description
W32/Forbot-AR is a worm which attempts to spread to remote network
shares.
W32/Forbot-AR also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
Advanced
W32/Forbot-AR is a worm which attempts to spread to remote network
shares.
W32/Forbot-AR also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels
while running in the background as a service process.
W32/Forbot-AR copies itself to the Windows system folder as
securitychk.exe and creates entries in the registry at the following
locations to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Secure Messenger.NET Service
securitychk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 USB2
Driver
Microsoft Secure Messenger.NET Service
securitychk.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe
W32/Forbot-AR also creates its own service named
"Microsoft Secure Messenger.NET Service".
Name W32/Mytob-CA
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Steals information
Prevalence (1-5) 2
Description
W32/Mytob-CA is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-CA also appends to the HOSTS file to deny access to security
related websites.
W32/Mytob-CA is capable of spreading through email. Email sent by
W32/Mytob-CA has the following properties:
Subject line:
Error
hello
Here is your documents.
Mail Delivery System
Mail Transaction Failed
Re: Thank you for delivery
something for you
Status
Message text:
'Mail transaction failed. Partial message is available.'
'Mail transaction failed. Partial message is available.'
'The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.'
'The message contains Unicode characters and has been sent as a binary
attachment.'
'The message contains Unicode characters and has been sent as a binary
attachment.'
'The original message was included as an attachment.'
'The original message was included as an attachment.'
Advanced
W32/Mytob-CA is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
When first run W32/Mytob-CA copies itself to the Windows system folder
as shell.exe and creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Shell
"shell.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Shell
"shell.exe"
W32/Mytob-CA also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
W32/Mytob-CA is capable of spreading through email. Email sent by
W32/Mytob-CA has the following properties:
Subject line:
Error
hello
Here is your documents.
Mail Delivery System
Mail Transaction Failed
Re: Thank you for delivery
something for you
Status
Message text:
'Mail transaction failed. Partial message is available.'
'Mail transaction failed. Partial message is available.'
'The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.'
'The message contains Unicode characters and has been sent as a binary
attachment.'
'The message contains Unicode characters and has been sent as a binary
attachment.'
'The original message was included as an attachment.'
'The original message was included as an attachment.'
The attached file consists of a base name followed by the extentions
PIF, SCR, EXE or ZIP. The base names will be one of the following:
DOCUMENT
README
ATTACHMENT
creditcard
LETTER
PayPal
W32/Mytob-CA harvests email addresses from files on the infected
computer and from the Windows address book. The worm avoids sending
email to addresses that contain the following:
.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your
W32/Mytob-CA may produce the file helllogger.txt which is a harmless
text file used to log the activity of the user.
Name W32/Mytob-CH
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
Aliases
* WORM_MYTOB.DA
Prevalence (1-5) 2
Description
W32/Mytob-CH is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-CH copies itself to the root folder as:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
and drops a file called hellmsn.exe (detected by Sophos as W32/Mytob-D)
in the same location. This component attempts to spread the worm by
sending the aforementioned SCR files through Windows Messenger to all
online contacts.
W32/Mytob-CH is capable of spreading through email and through the LSASS
(MS04-011) operating system vulnerability.
W32/Mytob-CH harvests email addresses from files on the infected
computer and from the Windows address book as well as the Microsoft
Internet Account Manager.
The following patch for the operating system vulnerability exploited by
W32/Mytob-CH can be obtained from the Microsoft website:
LSASS (MS04-011) security vulnerability
Advanced
W32/Mytob-CH is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
When first run W32/Mytob-CH copies itself to the Windows system folder
as iexplorer.exe and creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole
WINTASK
iexplorer.exe
HKCU\Software\Microsoft\Ole
WINTASK
iexplorer.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
iexplorer.exe
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
iexplorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
iexplorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINTASK
iexplorer.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
iexplorer.exe
W32/Mytob-CH copies itself to the root folder as:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
and drops a file called hellmsn.exe (detected by Sophos as W32/Mytob-D)
in the same location. This component attempts to spread the worm by
sending the aforementioned SCR files through Windows Messenger to all
online contacts.
W32/Mytob-CH also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
W32/Mytob-CH is capable of spreading through email and through the LSASS
(MS04-011) operating system vulnerability.
Email sent by W32/Mytob-CH has the following properties:
Subject line chosen from:
Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message text chosen from:
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary
attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'
The attached file consists of a base name followed by the extentions
PIF, SCR, EXE or ZIP. The worm may optionally create double extensions
where the first extension is DOC, TXT or HTM and the final extension is
PIF, SCR, EXE or ZIP.
W32/Mytob-CH harvests email addresses from files on the infected
computer and from the Windows address book as well as the Microsoft
Internet Account Manager.
The following patch for the operating system vulnerability exploited by
W32/Mytob-CH can be obtained from the Microsoft website:
LSASS (MS04-011) security vulnerability
Name Troj/Sqdrop-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 2
Description
Troj/Sqdrop-A is a dropper Trojan for the Windows platform.
Troj/Sqdrop-A will drop two files to the Windows system folder as
divxenc.exe and msld.dll. The Trojan will then execute divxenc.exe.
Advanced
Troj/Sqdrop-A is a dropper Trojan for the Windows platform.
Troj/Sqdrop-A will drop two files to the Windows system folder as
divxenc.exe and msld.dll. The Trojan will then execute divxenc.exe.
Troj/Sqdrop-A will then create or modify the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
divx
\divxenc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
divx
\divxenc.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Explorer.exe
\divxenc.exe
Name W32/Eyeveg-F
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Steals information
* Forges the sender's email address
* Uses its own emailing engine
Aliases
* Worm.Win32.Eyeveg.f
* W32/Eyeveg.worm.gen
Prevalence (1-5) 2
Description
W32/Eyeveg-F is a worm for the Windows platform with backdoor
capabilities.
W32/Eyeveg-F will send itself to email addresses found on the infected
computer as a ZIP file.
W32/Eyeveg-F will also attempt to contact a predefined URL in order to
get commands. The tasks that the worm can be instructed to perform are:
Keylogging
Monitoring web traffic
Sending email
Stealing passwords from infected computer
Advanced
W32/Eyeveg-F is a worm for the Windows platform with backdoor
capabilities.
W32/Eyeveg-F will send itself to email addresses found on the infected
computer as a ZIP file. The executable in the ZIP file will have one of
the following names:
Details.doc .scr
Girls.jpg .scr
Image.jpg .scr
Love.jpg .scr
Message.txt .scr
Music.mp3 .scr
News.doc .scr
Photo.jpg .scr
Pic.jpg .scr
Resume.doc .scr
Screensaver .scr
Song.wav .scr
Video.avi .scr
The ZIP file's name and the subject will be the same as the name above
without an extension.
W32/Eyeveg-F will also attempt to contact a predefined URL in order to
get commands. The tasks that the worm can be instructed to perform are:
Keylogging
Monitoring web traffic
Sending email
Stealing passwords from infected computer
W32/Eyeveg-F will avoid sending email to addresses containing the
following strings:
abuse
admin
hostmaster
localdomain
localhost
mcafee
messagelab
microsoft
noreply
postmaster
recipients
reports
root
spam
symantec
webmaster
W32/Eyeveg-F will copy itself to the Windows system folder with a random
name. W32/Eyeveg-F will then create the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
.exe
Name W32/Kelvir-Gen
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Kelvir-Gen is a family of instant-messenging worms.
Members of W32/Kelvir-Gen spread by sending a message through Windows
Messenger to the infected user's contacts. The message encourages the
recipient to visit a web page to download a file that is often itself a
member of W32/Kelvir-Gen.
Some members of W32/Kelvir-Gen also attempt to download and execute
files from remote websites.
Name Troj/Goldun-T
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan-Dropper.Win32.Agent.ku
* Trojan-Spy.Win32.Goldun.ar
* Trojan-Spy.Win32.Goldun.aq
Prevalence (1-5) 2
Description
Troj/Goldun-T is a password-stealing Trojan targeted at users of the
e-gold online services.
The main dropper for Troj/Goldun-T usually pretends to be part of a new
security system to allow secure access to the e-gold website and has
been seen as an attachment to an email with the following message body:
Dear E-gold payment system users,
The recent cases of fraud, unauthorized withdrawal of cash from our
clients' accounts and recurred attempts of hackers to access our server
forced us to implement a new security system. The special program will
ensure safe connection of your computer to our server by means of a
unique
encoded key, specially generated for each account. Only the combination
of
your login, password and the key will allow you to access the system. The
program is enclosed to the message and doesn't need any installation. By
one click you will be connected to the server and the program will
generate
the key. After that you will enter your account from Internet Explorer,
which is absolutely safe. You will be signed out of the program
automatically after closing the window. See the detailed operational
instruction enclosed to the program.
We have to warn you, that if you want to be the user of our system in
future, you'll have to accept our rules and to use this program.
Otherwise
please call the numbers below to withdraw your funds. For the detailed
information please enter our site or use our hot line to contact us by
phone.
Our Contacts:
Phone (Worldwide) +1 321-951-1200
FAX (Worldwide) +1 321-956-0790
Best regards, E-gold.
Advanced
Troj/Goldun-T is a password-stealing Trojan targeted at users of the
e-gold online services.
Troj/Goldun-T drops the files BOSKGJE.EXE and PINCH.EXE to the Windows
temp folder. BOSKGJE.EXE is also detected as Troj/Goldun-T, and
PINCH.EXE is detected as Troj/LdPinch-AZ.
The file dropped as BOSKGJE.EXE will drop the file IDMAS.DLL to the
Windows system folder, also detected as Troj/Goldun-T. Before dropping
and running the file DELT.BAT in the Windows temp folder in order to
delete itself, it creates an entry in the registry at
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\[68363724-9abc-def0-0fed-fad682644311]
and also entries in the registry under the following location to point
to the dropped DLL:
HKCR\CLSID\[68363724-9abc-def0-0fed-fad682644311]\
The file dropped as IDMAS.DLL monitors access to www.e-gold.com and
steals information about the user's account, sending it to a script at
http://65.75.191.79.
The main dropper for Troj/Goldun-T usually pretends to be part of a new
security system to allow secure access to the e-gold website and will
display a fake message box entitled "E-gold security connect" with an
e-gold image and "Connect" and "Exit" buttons. If the
"Connect" button
is pressed the box displays "Connecting", then
"Runing", and finally
attempts to open Microsoft Internet Explorer at the legitimate e-gold
login page.
The main dropper for Troj/Goldun-T has been seen as an attachment to an
email with the following message body:
Dear E-gold payment system users,
The recent cases of fraud, unauthorized withdrawal of cash from our
clients' accounts and recurred attempts of hackers to access our server
forced us to implement a new security system. The special program will
ensure safe connection of your computer to our server by means of a
unique
encoded key, specially generated for each account. Only the combination
of
your login, password and the key will allow you to access the system. The
program is enclosed to the message and doesn't need any installation. By
one click you will be connected to the server and the program will
generate
the key. After that you will enter your account from Internet Explorer,
which is absolutely safe. You will be signed out of the program
automatically after closing the window. See the detailed operational
instruction enclosed to the program.
We have to warn you, that if you want to be the user of our system in
future, you'll have to accept our rules and to use this program.
Otherwise
please call the numbers below to withdraw your funds. For the detailed
information please enter our site or use our hot line to contact us by
phone.
Our Contacts:
Phone (Worldwide) +1 321-951-1200
FAX (Worldwide) +1 321-956-0790
Best regards, E-gold.
Name W32/Rbot-AAY
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Modifies passwords
* Records keystrokes
Prevalence (1-5) 2
Description
W32/Rbot-AAY is an IRC backdoor Trojan and network worm.
W32/Rbot-AAY may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process.
The following patches for the operating system vulnerabilities exploited
by W32/Rbot-AAY can be obtained from the Microsoft website:
MS04-012
MS04-011
MS03-049
W32/Rbot-AAY can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
Advanced
W32/Rbot-AAY is an IRC backdoor Trojan and network worm.
W32/Rbot-AAY may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process.
The following patches for the operating system vulnerabilities exploited
by W32/Rbot-AAY can be obtained from the Microsoft website:
MS04-012
MS04-011
MS03-049
W32/Rbot-AAY can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
W32/Rbot-AAY copies itself to the Windows system folder as "msaol32.exe"
and creates the following registry entries in order to run automatically
on computer login:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AOL Instant Messenger
MSAOL32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft AOL Instant Messenger
MSAOL32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft AOL Instant Messenger
MSAOL32.exe
Name W32/Agobot-SE
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Agobot.ace
Prevalence (1-5) 2
Description
W32/Agobot-SE is a network worm with backdoor functionality for the
Windows platform.
W32/Agobot-SE connects to an IRC channel and listens for commands from a
remote attacker. The worm may spread to remote network shares with weak
passwords.
The following patches for the operating system vulnerabilities exploited
by W32/Agobot-SE can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS02-039
Advanced
W32/Agobot-SE is a network worm with backdoor functionality for the
Windows platform.
W32/Agobot-SE connects to an IRC channel and listens for commands from a
remote attacker. The worm may spread to remote network shares with weak
passwords.
The following patches for the operating system vulnerabilities exploited
by W32/Agobot-SE can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS02-039
When first run the worm copies itself to the Windows system folder as
system.exe. The following registry entries are created to run system.exe
on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows
system.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows
system.exe
Registry entries are also set as follows:
HKCU\SOFTWARE\Microsoft\Ole
Windows
system.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/Whistler-F
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Deletes files off the computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Trojan.Win32.Dire.c
* QDel247
* Win32/Dire.C
* TROJ_QDEL247.A
Prevalence (1-5) 2
Description
Troj/Whistler-F is a destructive Trojan for the Windows platform.
Troj/Whistler-F will attempt to delete files on the user's computer. The
Trojan will also create a file at C:\WXP and copy it over other files.
The file contains the message "You did a piracy, you deserve it."
Advanced
Troj/Whistler-F is a destructive Trojan for the Windows platform.
Troj/Whistler-F will attempt to delete files on the user's computer. The
Trojan will also create a file at C:\WXP and copy it over other files.
The file contains the message "You did a piracy, you deserve it."
When first run the Trojan copies itself to \whismng.exe.
The following registry entry is created to run whismng.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Whistler
\whismng.exe -n
Name W32/Rbot-ACC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Modifies passwords
Aliases
* W32/Rbot-ACC
Prevalence (1-5) 2
Description
W32/Rbot-ACC is a network worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-ACC may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process. The worm exploits vulnerabilities including: RPC-DCOM
(MS04-12), LSASS (MS04-11) and WKS (MS03-049). The following patches for
the operating system vulnerabilities exploited by W32/Rbot-ACC can be
obtained from the Microsoft website:
MS02-039
MS04-011
MS04-012
W32/Rbot-ACC can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
Advanced
W32/Rbot-ACC is a network worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-ACC may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process. The worm exploits vulnerabilities including: RPC-DCOM
(MS04-12), LSASS (MS04-11) and WKS (MS03-049). The following patches for
the operating system vulnerabilities exploited by W32/Rbot-ACC can be
obtained from the Microsoft website:
MS02-039
MS04-011
MS04-012
W32/Rbot-ACC can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
W32/Rbot-ACC copies itself to the Windows system folder as
"trmupdate.exe" and creates the following registry entries in order to
run automatically on computer log on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MS Unix Binary
trmupdate.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MS Unix Binary
trmupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS Unix Binary
trmupdate.exe
The worm alters system security by setting the following registry
entries:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Wurmark-K
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Deletes files off the computer
* Drops more malware
* Forges the sender's email address
* Leaves non-infected files on computer
Aliases
* Email-Worm.Win32.Wurmark.j
Prevalence (1-5) 2
Description
W32/Wurmark-K is a mass-mailing worm.
W32/Wurmark-K emails itself as a ZIP file. When run, W32/Wurmark-K
displays a JPEG image of an albino gorilla while installing itself on
the computer.
The image displayed by the Wurmark-K worm
The image displayed by the Wurmark-K worm.
W32/Wurmark-K harvests email addresses from the infected computer and
drops another piece of malware detected as W32/Rbot-ABK.
Emails sent by the worm have the following characteristics:
Subject lines:
Hehehe LOL!!
Your Photo Is On A Webpage!!
Hey Rate My Pic Plz...
Someone admire's you!
Message text:
I just saw this on my computer from a while ago
download it and see if you can remember it
lol i was lauging like crazy when i saw it! :D
email me back hehe...
I was vieweing this website and came across
a picture they look just like you! infact im sure
it is haha , did you email this pic into them ? or
is it someonce else :S ? pic is attached
a zip so download it and check & email me back!
Hi ive sent 5 emails now and nobody will rate
my pic!! :( please download and tell me what you
think out of 10 , dont worry if you dont like it
just say i wont be offended p.s i was drunk when
it was taken :P
Someone has asked us on there behalf to send
you this email and tell you they think you are
wonderfull!!! All the The mystery persons details
you need are enclosed in the attachment :)
please download and respond telling us if you
would like to make further contact with this
person.
Regards Hallmark Admirer Mail Admin.
ZIP filename:
Download.zip
Attachment filenames within the ZIP:
Scanned_03.scr
Sexy_02.scr
IMG_001.scr
Admirer_005.scr
Photo_01.pif
Lover_01.scr
Your_Pic.scr
Just_For_You.pif
Advanced
W32/Wurmark-K is a mass-mailing worm.
W32/Wurmark-K emails itself as a ZIP file. When run, W32/Wurmark-K
displays a JPEG image of an albino gorilla while installing itself on
the computer.
The image displayed by the Wurmark-K worm
The image displayed by the Wurmark-K worm.
W32/Wurmark-K harvests email addresses from the infected computer and
drops another piece of malware detected as W32/Rbot-ABK.
Emails sent by the worm have the following characteristics:
Subject lines:
Hehehe LOL!!
Your Photo Is On A Webpage!!
Hey Rate My Pic Plz...
Someone admire's you!
Message text:
I just saw this on my computer from a while ago
download it and see if you can remember it
lol i was lauging like crazy when i saw it! :D
email me back hehe...
I was vieweing this website and came across
a picture they look just like you! infact im sure
it is haha , did you email this pic into them ? or
is it someonce else :S ? pic is attached
a zip so download it and check & email me back!
Hi ive sent 5 emails now and nobody will rate
my pic!! :( please download and tell me what you
think out of 10 , dont worry if you dont like it
just say i wont be offended p.s i was drunk when
it was taken :P
Someone has asked us on there behalf to send
you this email and tell you they think you are
wonderfull!!! All the The mystery persons details
you need are enclosed in the attachment :)
please download and respond telling us if you
would like to make further contact with this
person.
Regards Hallmark Admirer Mail Admin.
ZIP filename:
Download.zip
Attachment filenames within the ZIP:
Scanned_03.scr
Sexy_02.scr
IMG_001.scr
Admirer_005.scr
Photo_01.pif
Lover_01.scr
Your_Pic.scr
Just_For_You.pif
W32/Wurmark-K copies itself to the Windows system folder as "xtc.tmp",
creates the file "wini.exe" which is detected as W32/Rbot-ABK, and
creates the clean DLL files "ansmtp.dll" and "bszip.dll".
W32/Wurmark-K will create junk files with the following names,
overwriting the original files if these exist:
regedit.com
taskmgr.exe
tasklist.com
taskkill.com
netstat.com
tracert.com
ping.com
cmd.com
Name W32/Mytob-CF
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
Prevalence (1-5) 2
Description
W32/Mytob-CF is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-CF also modifies the HOSTS file to deny access to security
related websites.
Advanced
W32/Mytob-CF is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
When first run W32/Mytob-CF copies itself to the Windows system folder
as 1hellbot.exe and creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HELLBOT TEST
1hellbot.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HELLBOT TEST
1hellbot.exe
W32/Mytob-CF also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
Email sent by W32/Mytob-CF has the following properties:
Subject line chosen from:
Your email account access is restricted
Notice:***Your email account will be suspended***
Notice: **Last Warning**
Security measures
*IMPORTANT* Please Validate Your Email Account
Your Email Account is Suspended For Security Reasons
Message text chosen from:
'We have suspended some of your email services, to resolve the problem
you should read the attached document.'
'Once you have completed the form in the attached file , your account
records will not be interrupted and will continue as normal.'
'To safeguard your email account from possible termination, please see
the attached file.'
'Follow the instructions in the attachment.'
'Account Information Are Attached!'
'To unblock your email account acces, please see the attachment.'
The attached file consists of a base name followed by the extentions
PIF, SCR, EXE or ZIP. The worm may optionally create double extensions
where the first extension is DOC, TXT or HTM and the final extension is
PIF, SCR, EXE or ZIP.
W32/Mytob-CF harvests email addresses from files on the infected
computer and from the Windows address book.
Name W32/Nopir-B
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Deletes files off the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Nopir-B is a worm for the Windows platform.
W32/Nopir-B will display an anti-piracy image on the screen when run.
The worm will then delete all COM and MP3 files from the computer. The
worm will also disable taskmanager, registry tools, and access to the
control panel. W32/Nopir-B will also check for debuggers and may attempt
to disable any such software that it finds.
W32/Nopir-B copies itself to \Projects Visual
Studio.NET\Nctrup.exe, \Restore\.exe,
\eMule\Incoming\AnyDVD 5.1.0.1 Crack+Keygen By Razor.exe.
Advanced
W32/Nopir-B is a worm for the Windows platform.
W32/Nopir-B will display an anti-piracy image on the screen when run, as
seen here:
The image displayed by the Nopir-B worm
The image displayed by the Nopir-B worm.
The worm will then delete all COM and MP3 files from the computer. The
worm will also disable taskmanager, registry tools, and access to the
control panel. W32/Nopir-B will also check for debuggers and may attempt
to disable any such software that it finds.
W32/Nopir-B copies itself to \Projects Visual
Studio.NET\Nctrup.exe, \Restore\.exe,
\eMule\Incoming\AnyDVD 5.1.0.1 Crack+Keygen By Razor.exe.
W32/Nopir-B will create the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Verif
\Restore\.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
securw
\Projects Visual Studio.NET\Nctrup.exe
HKCR\exefile\Shell\open\command
\Projects Visual Studio.NET\Nctrup.exe
HKCR\batfile\Shell\open\command
\Projects Visual Studio.NET\Nctrup.exe
HKCR\comfile\Shell\open\command
\Projects Visual Studio.NET\Nctrup.exe
HKCR\scrfile\Shell\open\command
\Projects Visual Studio.NET\Nctrup.exe
HKCR\piffile\Shell\open\command
\Projects Visual Studio.NET\Nctrup.exe
HKCR\vbsfile\Shell\open\command
\Projects Visual Studio.NET\Nctrup.exe
HKCR\vbefile\Shell\open\command
\Projects Visual Studio.NET\Nctrup.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Name W32/Mytob-BC
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Forges the sender's email address
* Uses its own emailing engine
* Reduces system security
Aliases
* Net-Worm.Win32.Mytob.au
Prevalence (1-5) 2
Description
W32/Mytob-BC is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-BC can harvest email addresses from files on the infected
computer and from the Windows address book.
Emails sent by the worm have the following characteristics:
Subject line:
Notice:***Your email account will be suspended***
YOUR EMAIL ACCOUNT ACCESS IS RESTRICTED
Your Email Account is Suspended For Security Reasons
Your email account access is restricted
Notice:**Last Warning**
Email Account Suspension
*IMPORTANT* Your Account Has Been Locked
Security Measures
*IMPORTANT* PLEASE VALIDATE YOUR EMAIL ACCOUNT
<random>
Message body:
Please see the attachment.
please look at attached document.
We have suspended some of your email services, to resolve the problem
you should read the attached document.
Once you have completed the form in the attached file , your account
records will not be interrupted and will continue as normal.
To unblock your email account acces, please see the attachment.
To safeguard your email account from possible termination, please see
the attached file.
Account Information Are Attached!
<random>
Advanced
W32/Mytob-BC is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-BC can harvest email addresses from files on the infected
computer and from the Windows address book.
Emails sent by the worm have the following characteristics:
Subject line:
Notice:***Your email account will be suspended***
YOUR EMAIL ACCOUNT ACCESS IS RESTRICTED
Your Email Account is Suspended For Security Reasons
Your email account access is restricted
Notice:**Last Warning**
Email Account Suspension
*IMPORTANT* Your Account Has Been Locked
Security Measures
*IMPORTANT* PLEASE VALIDATE YOUR EMAIL ACCOUNT
<random>
Message body:
Please see the attachment.
please look at attached document.
We have suspended some of your email services, to resolve the problem
you should read the attached document.
Once you have completed the form in the attached file , your account
records will not be interrupted and will continue as normal.
To unblock your email account acces, please see the attachment.
To safeguard your email account from possible termination, please see
the attached file.
Account Information Are Attached!
<random>
When first run the worm copies itself to <SYSTEM>\1hellbot.exe.
The following registry entries are created to run 1hellbot.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HELLBOT TEST
1hellbot.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HELLBOT TEST
1hellbot.exe
The worm sets the following registry entry to reduce system security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
W32/Mytob-BC blocks access to security-related websites by writing the
folllowing entries to the Windows hosts file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
Name Troj/LanFilt-J
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Steals information
* Drops more malware
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Delf.zc
Prevalence (1-5) 2
Description
Troj/LanFilt-J is a Trojan for the Windows platform.
Troj/LanFilt-J can perform the following actions:
log keystrokes
steal information
steal passwords
terminate processes
capture screen-shots and webcam images
disable the Windows XP firewall
turn off System Restore
upload and download files
hide from view by stealthing
Troj/LanFilt-J sends stolen information to a remote website.
The Trojan may drop further applications in order to steal dial-up,
Instant Messenger and email account passwords.
Advanced
Troj/LanFilt-J is a Trojan for the Windows platform.
Troj/LanFilt-J can perform the following actions:
log keystrokes
steal information
steal passwords
terminate processes
capture screen-shots and webcam images
disable the Windows XP firewall
turn off System Restore
upload and download files
hide from view by stealthing
Troj/LanFilt-J sends stolen information to a remote website.
Troj/LanFilt-J copies itself to the Windows folder as "mshost.exe" and
creates a DLL named "xpcore.dll" in the same folder. These files may be
hidden from view as the Trojan is capable of stealth.
The Trojan may drop further applications in order to steal dial-up,
Instant Messenger and email account passwords. These files are created
in the C:\ folder as "00x.sys" where x is a number. One of the files
will be detected by Sophos as Troj/Spav-A but the other files are
legitimate applications.
The following registry is created to run the Trojan automatically on
computer login:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Services
mshost.exe
The Trojan also creates the registry entry:
HKLM\Software\Microsoft\Windows
XP_CORE
<WINDOWS>\mshost.exe
On NT-based versions of Windows (NT,2000,XP) the Trojan may create a new
service process named "mchInjDrv". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv
The Trojan terminates the following processes:
_AVP32
_AVP32.EXE
_AVPCC
_AVPCC.EXE
_AVPM
_AVPM.EXE
AckWin32
ACKWIN32
ACKWIN32.EXE
AckWin32.exe
ADVXDWIN
ADVXDWIN.EXE
agentw.exe
ALERTSVC
ALERTSVC.EXE
ALOGSERV
ALOGSERV.EXE
AMON9X
AMON9X.EXE
ANTI-TROJAN
ANTI-TROJAN.EXE
ANTS
ANTS.EXE
apvxdwin
APVXDWIN
apvxdwin.exe
APVXDWIN.EXE
ATCON
ATCON.EXE
ATUPDATER
ATUPDATER.EXE
ATWATCH
ATWATCH.EXE
AUTODOWN
AutoDown
AUTODOWN.EXE
AUTODOWN.exe
AutoDown.exe
AutoTrace
AutoTrace.exe
AVCONSOL
AVCONSOL.EXE
AVGCC32
AVGCC32.EXE
AVGCTRL
Avgctrl
AVGCTRL.EXE
Avgctrl.exe
AVGSERV
AvgServ
AVGSERV.EXE
AVGSERV9
AVGSERV9.EXE
AVGW
AVGW.EXE
avkpop
avkpop.exe
AvkServ
AvkServ.exe
avkservice
avkservice.exe
avkwctl9
avkwctl9.exe
AVP.EXE
AVP32
AVP32.EXE
AVPCC
AVPM
avpm
avpm.exe
AVPM.EXE
Avsched32
Avsched32.exe
AVSYNMGR
AvSynMgr
AVSYNMGR
AVSYNMGR.EXE
AVSYNMGR.EXE
AVWINNT
AVWINNT.EXE
AVXMONITOR9X
AVXMONITOR9X.EXE
AVXMONITORNT
AVXMONITORNT.EXE
AVXQUAR
AVXQUAR.EXE
AVXQUAR.EXE.EXE
AVXW
AVXW.EXE
blackd
BLACKD
BLACKD.EXE
blackd.exe
BlackICE
BlackICE.exe
ccApp.exe
ccEvtMgr
ccEvtMgr.exe
ccPxySvc.exe
CDP.EXE
Claw95
CLAW95
CLAW95.EXE
Claw95.exe
CLAW95CF
Claw95cf
Claw95cf.exe
CLAW95CF.EXE
cleaner
cleaner.EXE
cleaner3
cleaner3.EXE
cmd.exe
CMGRDIAN
CMGRDIAN.EXE
Command
Command.exe
CONNECTIONMONITOR
CONNECTIONMONITOR.EXE
cpd.exe
CTRL
CTRL.EXE
defalert
defalert.exe
defscangui
defscangui.exe
DEFWATCH
DEFWATCH.EXE
DOORS
DOORS.EXE
dpatrol.exe
DVP95
DVP95.EXE
DVP95_0
DVP95_0.EXE
EFPEADM
EFPEADM.exe
EFPEADM.EXE
ETRUSTCIPE
ETRUSTCIPE.exe
ETRUSTCIPE.EXE
EVPN
EVPN.EXE
EVPN.exe
EXPERT
EXPERT.EXE
F-AGNT95
F-AGNT95.EXE
F-PROT
F-PROT.EXE
F-PROT95
F-PROT95.EXE
F-STOPW
f-stopw
F-STOPW.EXE
f-stopw.exe
fameh32
fameh32.exe
fch32
fch32.exe
fih32
fih32.exe
fnrb32
fnrb32.exe
FP-WIN
FP-WIN.EXE
FRW.EXE
fsaa
fsaa.exe
fsav32
fsav32.exe
fsgk32
fsgk32.exe
fsm32
fsm32.exe
fsma32
fsma32.exe
fsmb32
fsmb32.exe
gbmenu
gbmenu.exe
GBPOLL
gbpoll
GBPOLL.EXE
gbpoll.exe
GENERICS
GENERICS.EXE
GUARD
GUARD.EXE
GUARDDOG
GUARDDOG.EXE
iamapp
IAMAPP
iamapp.exe
IAMAPP.EXE
IAMSERV
iamserv
iamserv.exe
IAMSERV.EXE
IAMSTATS
IAMSTATS.EXE
ICLOAD95
ICLOAD95.EXE
ICLOADNT
ICLOADNT.EXE
ICMON
ICMON.EXE
ICSUPP95
ICSUPP95
ICSUPP95.EXE
ICSUPP95.EXE
ICSUPPNT
ICSUPPNT.EXE
IFACE
IFACE.EXE
IOMON98
IOMON98.EXE
ISRV95
ISRV95.EXE
JEDI
JEDI.EXE
LDNETMON
LDNETMON.EXE
LDPROMENU
LDPROMENU.EXE
LDSCAN
LDSCAN.EXE
LOCKDOWN
LOCKDOWN.EXE
LOCKDOWN2000
lockdown2000
LOCKDOWN2000.EXE
lockdown2000.exe
LUALL
LUALL.EXE
LUCOMSERVER
LUCOMSERVER.EXE
LUSPT
LUSPT.exe
MCAGENT
MCAGENT.EXE
MCMNHDLR
MCMNHDLR.EXE
Mcshield.exe
MCTOOL
MCTOOL.EXE
MCUPDATE
MCUPDATE.EXE
MCVSRTE
MCVSRTE.EXE
MCVSSHLD
MCVSSHLD.EXE
MGAVRTCL
MGAVRTCL.EXE
MGAVRTE
MGAVRTE.EXE
MGHTML
MGHTML.EXE
MINILOG
MINILOG.EXE
Monitor
MONITOR
Monitor.exe
MONITOR.EXE
MOOLIVE
MOOLIVE.EXE
MPFAGENT.EXE
MPFSERVICE
MPFSERVICE.exe
MPFTRAY.EXE
MWATCH
MWATCH.exe
MWATCH.EXE
NAV Auto-Protect
NAVAP
navapsvc
NAVAPSVC.EXE
navapsvc.exe
NAVAPW32
navapw32
NAVAPW32.EXE
NAVENGNAVEX15
NAVLU32
NAVLU32.EXE
NAVW32
Navw32
Navw32.exe
NAVWNT
NAVWNT.EXE
NDD32
NDD32.EXE
NeoWatchLog
NeoWatchLog.exe
NETUTILS
NETUTILS.EXE
NISSERV
NISSERV.EXE
NISUM
NISUM.EXE
NMAIN
NMAIN.EXE
NORMIST
NORMIST.EXE
notstart
notstart.exe
NPROTECT
NPROTECT.EXE
npscheck
npscheck.exe
NPSSVC
NPSSVC.EXE
NSCHED32
NSCHED32.EXE
ntrtscan
ntrtscan.EXE
NTVDM
NTVDM.EXE
NTXconfig
NTXconfig.exe
Nui.EXE
Nupgrade
Nupgrade.exe
NVC95
NVC95.EXE
NVSVC32
NWService
NWService.exe
NWTOOL16
NWTOOL16.EXE
PADMIN
PADMIN.EXE
pavproxy
PAVPROXY
pavproxy.exe
PAVPROXY.EXE
PCCIOMON
PCCIOMON.EXE
pccntmon
pccntmon.EXE
pccwin97
pccwin97.EXE
PCCWIN98
PCCWIN98.EXE
pcscan
pcscan.EXE
PERSFW
PERSFW.EXE
PERSWF
PERSWF.EXE
POP3TRAP
POP3TRAP.EXE
POPROXY
POPROXY.EXE
PORTMONITOR
PORTMONITOR.EXE
PROCESSMONITOR
PROCESSMONITOR.EXE
PROGRAMAUDITOR
PROGRAMAUDITOR.EXE
PVIEW95
PVIEW95.EXE
rapapp.exe
RAV7
RAV7.EXE
RAV7WIN
RAV7WIN.EXE
REALMON
REALMON.EXE
regedit
regedit.exe
RESCUE
Rescue
Rescue.exe
RESCUE.EXE
RTVSCN95
RTVSCN95.EXE
RULAUNCH
RULAUNCH.EXE
sbserv
sbserv.exe
SCAN32
SCAN32.EXE
SCRSCAN
SCRSCAN.EXE
SMC.EXE
Sphinx
SPHINX
Sphinx.exe
SPHINX.EXE
SPYXX
SPYXX.EXE
SS3EDIT
SS3EDIT.EXE
SWEEP95
SWEEP95.EXE
SweepNet
SWEEPSRV.SYS
SWNETSUP
SWNETSUP.EXE
SymProxySvc
SymProxySvc.exe
SYMTRAY
SYMTRAY.EXE
taskmgr
taskmgr.exe
TAUMON
TAUMON.EXE
TC.EXE
TCA.EXE
TCM.EXE
TDS-3
TDS-3.EXE
TFAK
TFAK.EXE
vbcmserv
vbcmserv.exe
VbCons
VbCons.exe
VET32
VET32.EXE
VET32.exe
VET95
Vet95
VET95.EXE
Vet95.exe
VETTRAY
VetTray
VETTRAY.EXE
VetTray.exe
VIR-HELP
VIR-HELP.EXE
VPC32
VPC32.EXE
VPTRAY
VPTRAY.EXE
VSCHED
VSCHED.EXE
VSECOMR
VSECOMR.EXE
vshwin32
VSHWIN32
vshwin32.exe
VSHWIN32.EXE
VSMAIN
VSMAIN.EXE
vsmon
VSMON.EXE
vsmon.exe
VSSTAT
VSSTAT.EXE
WATCHDOG
WATCHDOG.EXE
WEBSCANX
WEBSCANX.EXE
WEBTRAP
WEBTRAP.EXE
WGFE95
WGFE95.EXE
WIMMUN32
WIMMUN32.EXE
WRADMIN
WrAdmin
WRADMIN.EXE
WrAdmin.exe
WrCtrl
WRCTRL
WrCtrl.exe
WRCTRL.EXE
zapro
zapro.exe
zonealarm
zonealarm.exe
Name Troj/Banker-HC
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Uses its own emailing engine
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Banker.ju
Prevalence (1-5) 2
Description
Troj/Banker-HC is a password stealing Trojan for the Windows platform.
Troj/Banker-HC monitors which URLs are visited by the web browser and
creates fake web pages for certain Brazilian banking sites in order to
log account information. The logged information is sent to remote users
via email.
Advanced
Troj/Banker-HC is a password stealing Trojan for the Windows platform.
Troj/Banker-HC creates the following registry entry using the name of
the file when executed to ensure it is run at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Troj/Banker-HC monitors which URLs are visited by the web browser and
creates fake web pages for certain Brazilian banking sites in order to
log account information. The logged information is sent to remote users
via email.
Name W32/Kelvir-Gen
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Kelvir-Gen is a family of instant-messenging worms.
Members of W32/Kelvir-Gen spread by sending a message through Windows
Messenger to the infected user's contacts. The message encourages the
recipient to visit a web page to download a file that is often itself a
member of W32/Kelvir-Gen.
Some members of W32/Kelvir-Gen also attempt to download and execute
files from remote websites.
Name W32/Agobot-SJ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Downloads code from the internet
Aliases
* W32/Sdbot.worm.gen.j
* WORM_AGOBOT.AUC
Prevalence (1-5) 2
Description
W32/Agobot-SJ is a network worm with IRC backdoor functionality.
W32/Agobot-SJ connects to a preconfigured IRC server, joins a channel
and awaits further instructions. These instructions can cause the bot to
perform any of the following actions:
start a UDP, TCP, ICMP, syn, http or ping flood
start a socks4, socks5, http or https proxy server
redirect TCP or GRE connections
start an FTP server
start a command shell server
show statistics about the infected system
reboot/shutdown the infected computer
kill anti-virus and security processes
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable computers
make local drives network-shareable
close down vulnerable services in order to secure the computer
search for product keys
search local drives for AOL user details
sniff network traffic in order to find passwords
start a keylogger
download and install an updated version of itself
install bot plugins for additional functionality
The worm spreads to computers affected by known vulnerabilities and
running network services protected by weak passwords.
The following patches for the operating system vulnerabilities exploited
by W32/Agobot-SJ can be obtained from the Microsoft website:
MS03-026
MS03-039
MS04-012
MS02-039
Services:
NetBios
Advanced
W32/Agobot-SJ is a network worm with IRC backdoor functionality.
W32/Agobot-SJ connects to a preconfigured IRC server, joins a channel
and awaits further instructions. These instructions can cause the bot to
perform any of the following actions:
start a UDP, TCP, ICMP, syn, http or ping flood
start a socks4, socks5, http or https proxy server
redirect TCP or GRE connections
start an FTP server
start a command shell server
show statistics about the infected system
reboot/shutdown the infected computer
kill anti-virus and security processes
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable computers
make local drives network-shareable
close down vulnerable services in order to secure the computer
search for product keys
search local drives for AOL user details
sniff network traffic in order to find passwords
start a keylogger
download and install an updated version of itself
install bot plugins for additional functionality
The worm spreads to computers affected by known vulnerabilities and
running network services protected by weak passwords.
The following patches for the operating system vulnerabilities exploited
by W32/Agobot-SJ can be obtained from the Microsoft website:
MS03-026
MS03-039
MS04-012
MS02-039
Services:
NetBios
W32/Agobot-SJ copies itself to the Windows system folder and creates the
following registry entries to run itself automatically on computer log
on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HPl Services
hmlsvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HPl Services
hmlsvc32.exe
The worm blocks access to security-related websites by adding the
following entries to the Windows hosts file:
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
W32/Agobot-SJ terminates the following processes if they are running:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ADAWARE.EXE
ADVXDWIN.EXE
AGENTSVR.EXE
AGENTW.EXE
ALERTSVC.EXE
ALEVIR.EXE
ALOGSERV.EXE
AMON9X.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APLICA32.EXE
APVXDWIN.EXE
ARR.EXE
ATCON.EXE
ATGUARD.EXE
ATRO55EN.EXE
ATUPDATER.EXE
ATWATCH.EXE
AU.EXE
AUPDATE.EXE
AUTO-PROTECT.NAV80TRY.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCC32.EXE
AVGCTRL.EXE
AVGNT.EXE
AVGSERV.EXE
AVGSERV9.EXE
AVGUARD.EXE
AVGW.EXE
AVKPOP.EXE
AVKSERV.EXE
AVKSERVICE.EXE
AVKWCTl9.EXE
AVLTMAIN.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVSYNMGR.EXE
AVWIN95.EXE
AVWINNT.EXE
AVWUPD.EXE
AVWUPD32.EXE
AVWUPSRV.EXE
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE
BACKWEB.EXE
BARGAINS.EXE
BD_PROFESSIONAL.EXE
BEAGLE.EXE
BELT.EXE
BIDEF.EXE
BIDSERVER.EXE
BIPCP.EXE
BIPCPEVALSETUP.EXE
BISP.EXE
BLACKD.EXE
BLACKICE.EXE
BLSS.EXE
BOOTCONF.EXE
BOOTWARN.EXE
BORG2.EXE
BPC.EXE
BRASIL.EXE
BS120.EXE
BUNDLE.EXE
BVT.EXE
CCAPP.EXE
CCEVTMGR.EXE
CCPXYSVC.EXE
CDP.EXE
CFD.EXE
CFGWIZ.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
Claw95.EXE
CLAW95CF.EXE
CLEAN.EXE
CLEANER.EXE
CLEANER3.EXE
CLEANPC.EXE
CLICK.EXE
CMD32.EXE
CMESYS.EXE
CMGRDIAN.EXE
CMON016.EXE
CONNECTIONMONITOR.EXE
CPD.EXE
CPF9X206.EXE
CPFNT206.EXE
CTRL.EXE
CV.EXE
CWNB181.EXE
CWNTDWMO.EXE
DATEMANAGER.EXE
DCOMX.EXE
DEFALERT.EXE
DEFSCANGUI.EXE
DEFWATCH.EXE
DEPUTY.EXE
DIVX.EXE
DLLCACHE.EXE
DLLREG.EXE
DOORS.EXE
DPF.EXE
DPFSETUP.EXE
DPPS2.EXE
DRWATSON.EXE
DRWEB32.EXE
DRWEBUPW.EXE
DSSAGENT.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
EFPEADM.EXE
EMSW.EXE
ENT.EXE
ESAFE.EXE
ESCANH95.EXE
ESCANHNT.EXE
ESCANV95.EXE
ESPWATCH.EXE
ETHEREAL.EXE
ETRUSTCIPE.EXE
EVPN.EXE
EXANTIVIRUS-CNET.EXE
EXE.AVXW.EXE
EXPERT.EXE
EXPLORE.EXE
F-AGNT95.EXE
F-AGOBOT.EXE
F-PROT.EXE
F-PROT95.EXE
F-STOPW.EXE
FAMEH32.EXE
FAST.EXE
FCH32.EXE
FIH32.EXE
FINDVIRU.EXE
FIREWALL.EXE
FLOWPROTECTOR.EXE
FNRB32.EXE
FP-WIN.EXE
FP-WIN_TRIAL.EXE
FPROT.EXE
FRW.EXE
FSAA.EXE
FSAV.EXE
FSAV32.EXE
FSAV530STBYB.EXE
FSAV530WTBYB.EXE
FSAV95.EXE
FSGK32.EXE
FSM32.EXE
FSMA32.EXE
FSMB32.EXE
GATOR.EXE
GBMENU.EXE
GBPOLL.EXE
GENERICS.EXE
GMT.EXE
GUARD.EXE
GUARDDOG.EXE
HACKTRACERSETUP.EXE
HBINST.EXE
HBSRV.EXE
HIJACKTHIS.EXE
HOTACTIO.EXE
HOTPATCH.EXE
HTLOG.EXE
HTPATCH.EXE
HWPE.EXE
HXDL.EXE
HXIUL.EXE
IAMAPP.EXE
IAMSERV.EXE
IAMSTATS.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IDLE.EXE
IEDLL.EXE
IEDRIVER.EXE
IEXPLORER.EXE
IFACE.EXE
IFW2000.EXE
INETLNFO.EXE
INFUS.EXE
INFWIN.EXE
INIT.EXE
INTDEL.EXE
INTREN.EXE
IOMON98.EXE
IPARMOR.EXE
IRIS.EXE
ISASS.EXE
ISRV95.EXE
ISTSVC.EXE
JAMMER.EXE
JDBGMRG.EXE
JEDI.EXE
KAVLITE40ENG.EXE
KAVPERS40ENG.EXE
KAVPF.EXE
KAZZA.EXE
KEENVALUE.EXE
KERIO-PF-213-EN-WIN.EXE
KERIO-WRL-421-EN-WIN.EXE
KERIO-WRP-421-EN-WIN.EXE
KERNEL32.EXE
KILLPROCESSSETUP161.EXE
LAUNCHER.EXE
LDNETMON.EXE
LDPRO.EXE
LDPROMENU.EXE
LDSCAN.EXE
LNETINFO.EXE
LOADER.EXE
LOCALNET.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LORDPE.EXE
LSETUP.EXE
LUALL.EXE
LUAU.EXE
LUCOMSERVER.EXE
LUINIT.EXE
LUSPT.EXE
MAPISVC32.EXE
MCAGENT.EXE
MCMNHDLR.EXE
MCSHIELD.EXE
MCTOOL.EXE
MCUPDATE.EXE
MCVSRTE.EXE
MCVSSHLD.EXE
MD.EXE
MFIN32.EXE
MFW2EN.EXE
MFWENG3.02D30.EXE
MGAVRTCL.EXE
MGAVRTE.EXE
MGHTML.EXE
MGUI.EXE
MINILOG.EXE
MMOD.EXE
MONITOR.EXE
MOOLIVE.EXE
MOSTAT.EXE
MPFAGENT.EXE
MPFSERVICE.EXE
MPFTRAY.EXE
MRFLUX.EXE
MSAPP.EXE
MSBB.EXE
MSBLAST.EXE
MSCACHE.EXE
MSCCN32.EXE
MSCMAN.EXE
MSCONFIG.EXE
MSDM.EXE
MSDOS.EXE
MSIEXEC16.EXE
MSINFO32.EXE
MSLAUGH.EXE
MSMGT.EXE
MSMSGRI32.EXE
MSSMMC32.EXE
MSSYS.EXE
MSVXD.EXE
MU0311AD.EXE
MWATCH.EXE
N32SCANW.EXE
NAV.EXE
NAVAP.NAVAPSVC.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVDX.EXE
NAVENGNAVEX15.NAVLU32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVSTUB.EXE
NAVW32.EXE
NAVWNT.EXE
NCINST4.EXE
NDD32.EXE
NEOMONITOR.EXE
NEOWATCHLOG.EXE
NETARMOR.EXE
NETD32.EXE
NETINFO.EXE
NETMON.EXE
NETSCANPRO.EXE
NETSPYHUNTER-1.2.EXE
NETSTAT.EXE
NETUTILS.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
NOD32.EXE
NORMIST.EXE
NORTON_INTERNET_SECU_3.0_407.EXE
NOTSTART.EXE
NPF40_TW_98_NT_ME_2K.EXE
NPFMESSENGER.EXE
NPROTECT.EXE
NPSCHECK.EXE
NPSSVC.EXE
NSCHED32.EXE
NSSYS32.EXE
NSTASK32.EXE
NSUPDATE.EXE
NT.EXE
NTRTSCAN.EXE
NTVDM.EXE
NTXconfig.EXE
NUI.EXE
NUPGRADE.EXE
NVARCH16.EXE
NVC95.EXE
NVSVC32.EXE
NWINST4.EXE
NWSERVICE.EXE
NWTOOL16.EXE
OLLYDBG.EXE
ONSRVR.EXE
OPTIMIZE.EXE
OSTRONET.EXE
OTFIX.EXE
OUTPOST.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
PADMIN.EXE
PANIXK.EXE
PATCH.EXE
PAVCL.EXE
PAVPROXY.EXE
PAVSCHED.EXE
PAVW.EXE
PCCIOMON.EXE
PCCNTMON.EXE
PCCWIN97.EXE
PCCWIN98.EXE
PCDSETUP.EXE
PCFWALLICON.EXE
PCSCAN.EXE
PDSETUP.EXE
PENIS.EXE
PERISCOPE.EXE
PERSFW.EXE
PERSWF.EXE
PF2.EXE
PFWADMIN.EXE
PGMONITR.EXE
PINGSCAN.EXE
PLATIN.EXE
POP3TRAP.EXE
POPROXY.EXE
POPSCAN.EXE
PORTDETECTIVE.EXE
PORTMONITOR.EXE
POWERSCAN.EXE
PPINUPDT.EXE
PPTBC.EXE
PPVSTOP.EXE
PRIZESURFER.EXE
PRMT.EXE
PRMVR.EXE
PROCDUMP.EXE
PROCESSMONITOR.EXE
PROCEXPLORERV1.0.EXE
PROGRAMAUDITOR.EXE
PROPORT.EXE
PROTECTX.EXE
PSPF.EXE
PURGE.EXE
PUSSY.EXE
PVIEW95.EXE
QCONSOLE.EXE
QSERVER.EXE
RAPAPP.EXE
RAV7.EXE
RAV7WIN.EXE
RAV8WIN32ENG.EXE
RAY.EXE
RB32.EXE
RCSYNC.EXE
REALMON.EXE
REGED.EXE
REGEDIT.EXE
REGEDT32.EXE
RESCUE.EXE
RESCUE32.EXE
RRGUARD.EXE
RSHELL.EXE
RTVSCAN.EXE
RTVSCN95.EXE
RULAUNCH.EXE
RUN32DLL.EXE
RUNDLL.EXE
RUNDLL16.EXE
RUXDLL32.EXE
SAFEWEB.EXE
SAHAGENT.EXE
SAVE.EXE
SAVENOW.EXE
SBSERV.EXE
SC.EXE
SCAM32.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SCRSVR.EXE
SCVHOST.EXE
SD.EXE
SERV95.EXE
SERVICE.EXE
SERVLCE.EXE
SERVLCES.EXE
SETUP_FLOWPROTECTOR_US.EXE
SETUPVAMEEVAL.EXE
SFC.EXE
SGSSFW32.EXE
SH.EXE
SHELLSPYINSTALL.EXE
SHN.EXE
SHOWBEHIND.EXE
SMC.EXE
SMS.EXE
SMSS32.EXE
SOAP.EXE
SOFI.EXE
SPERM.EXE
SPF.EXE
SPHINX.EXE
SPOLER.EXE
SPOOLCV.EXE
SPOOLSV32.EXE
SPYXX.EXE
SREXE.EXE
SRNG.EXE
SS3EDIT.EXE
SSGRATE.EXE
ST2.EXE
START.EXE
STCLOADER.EXE
SUPFTRL.EXE
SUPPORT.EXE
SUPPORTER5.EXE
SVC.EXE
SVCHOSTC.EXE
SVCHOSTS.EXE
SVSHOST.EXE
SWEEP95.EXE
SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
SYMPROXYSVC.EXE
SYMTRAY.EXE
SYSEDIT.EXE
SYSTEM.EXE
SYSTEM32.EXE
SYSUPD.EXE
TASKMG.EXE
TASKMO.EXE
TASKMON.EXE
TAUMON.EXE
TBSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TDS-3.EXE
TDS2-98.EXE
TDS2-NT.EXE
TEEKIDS.EXE
TFAK.EXE
TFAK5.EXE
TGBOB.EXE
TITANIN.EXE
TITANINXP.EXE
TRACERT.EXE
TRICKLER.EXE
TRJSCAN.EXE
TRJSETUP.EXE
TROJANTRAP3.EXE
TSADBOT.EXE
TVMD.EXE
TVTMD.EXE
UNDOBOOT.EXE
UPDAT.EXE
UPDATE.EXE
UPGRAD.EXE
UTPOST.EXE
VBCMSERV.EXE
VBCONS.EXE
VBUST.EXE
VBWIN9X.EXE
VBWINNTW.EXE
VCSETUP.EXE
VET32.EXE
VET95.EXE
VETTRAY.EXE
VFSETUP.EXE
VIR-HELP.EXE
VIRUSMDPERSONALFIREWALL.EXE
VNLAN300.EXE
VNPC3000.EXE
VPC32.EXE
VPC42.EXE
VPFW30S.EXE
VPTRAY.EXE
VSCAN40.EXE
VSCENU6.02D30.EXE
VSCHED.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSISETUP.EXE
VSMAIN.EXE
VSMON.EXE
VSSTAT.EXE
VSWIN9XE.EXE
VSWINNTSE.EXE
VSWINPERSE.EXE
W32DSM89.EXE
W9X.EXE
WATCHDOG.EXE
WEBDAV.EXE
WEBSCANX.EXE
WEBTRAP.EXE
WFINDV32.EXE
WGFE95.EXE
WHOSWATCHINGME.EXE
WIMMUN32.EXE
WIN-BUGSFIX.EXE
WIN32.EXE
WIN32US.EXE
WINACTIVE.EXE
WINDOW.EXE
WINDOWS.EXE
WININETD.EXE
WININIT.EXE
WININITX.EXE
WINLOGIN.EXE
WINMAIN.EXE
WINNET.EXE
WINPPR32.EXE
WINRECON.EXE
WINSERVN.EXE
WINSSK32.EXE
WINSTART.EXE
WINSTART001.EXE
WINTSK32.EXE
WINUPDATE.EXE
WKUFIND.EXE
WNAD.EXE
WNT.EXE
WRADMIN.EXE
WRCTRL.EXE
WSBGATE.EXE
WUPDATER.EXE
WUPDT.EXE
WYVERNWORKSFIREWALL.EXE
XPF202EN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
ZONALM2601.EXE
ZONEALARM.EXE
Name Troj/Whistler-F
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Deletes files off the computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Trojan.Win32.Dire.c
* QDel247
* Win32/Dire.C
* TROJ_QDEL247.A
Prevalence (1-5) 2
Description
Troj/Whistler-F is a destructive Trojan for the Windows platform.
Troj/Whistler-F will attempt to delete files on the user's computer. The
Trojan will also create a file at C:\WXP and copy it over other files.
The file contains the message "You did a piracy, you deserve it."
Advanced
Troj/Whistler-F is a destructive Trojan for the Windows platform.
Troj/Whistler-F will attempt to delete files on the user's computer. The
Trojan will also create a file at C:\WXP and copy it over other files.
The file contains the message "You did a piracy, you deserve it."
When first run the Trojan copies itself to \whismng.exe.
The following registry entry is created to run whismng.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Whistler
\whismng.exe -n
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)SEEN-BY: 633/267 270 @PATH: 123/140 500 106/2000 633/267 |
|
| SOURCE: echomail via fidonet.ozzmosis.com | |
Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.