| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | News, October 28 2007 |
[cut-n-paste from sophos.com]
Name Troj/Inject-BU
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 2
Description
Troj/Inject-BU is a Trojan for the Windows platform.
Advanced
Troj/Inject-BU is a Trojan for the Windows platform.
When Troj/Inject-BU is installed it creates the file
\drivers\runtime.sys.
The file runtime.sys is detected as Troj/Pushu-Gen.
The file runtime.sys is registered as a new system driver service named
"runtime". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\runtime
Name W32/Autorun-F
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Bancos.adk
* W32/Autorun.worm.f
Prevalence (1-5) 2
Description
W32/Autorun-F is a worm for the Windows platform which spreads by
copying itself to removable devices.
Advanced
W32/Autorun-F is a worm for the Windows platform which spreads by
copying itself to removable devices.
When first run W32/Autorun-F copies itself to:
\taskmmgr.exe
\chkdisk.exe
\Svchost.EXE
and creates the following files:
\autorun.inf
\Intro.avi
The following registry entries are created to run taskmmgr.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Svchost
\taskmmgr.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TasKmgr
\taskmmgr.EXE
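The autorun.inf that W32/Autorun-F drops beside its copies is the piece that gets a worm launched when the removable device is opened on a 2007-era Windows box, so triaging that file is the first thing to do with a suspect USB stick. The Python below is an added example written for this page, not Sophos code and not content from the entry above: the page does not give the contents of the worm's autorun.inf, so the sample file here is constructed, and its parser deliberately skips junk lines instead of failing on them.

```python
"""Triage an autorun.inf from removable media: list the directives that
launch a program when the volume is opened (added example, not Sophos code)."""
import ntpath

# [autorun] directives that run a program; shell\<verb>\command entries are
# matched separately because the verb name varies.
LAUNCH_KEYS = {"open", "shellexecute"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs"}

# Constructed sample. The page states only that W32/Autorun-F drops
# autorun.inf next to taskmmgr.exe and chkdisk.exe, not what the file says.
SAMPLE_AUTORUN_INF = r"""
; comment lines and stray text are skipped, not treated as errors
[autorun]
open=taskmmgr.exe
icon=Intro.avi
shell\open\command=taskmmgr.exe
shell\Explore\Command=chkdisk.exe
action=Open folder to view files
"""


def parse_autorun_section(text):
    """Collect key=value lines from the [autorun] section, lowercasing keys.
    Section names are matched case-insensitively; anything that is not a
    key=value line is ignored so padding or junk cannot abort the triage."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text):
    """Return sorted (directive, target) pairs for every launching directive."""
    found = []
    for key, value in parse_autorun_section(text).items():
        is_shell_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_shell_verb:
            found.append((key, value))
    return sorted(found)


def is_executable_target(target):
    """True when the first token of a launch target names an executable file.
    A quoted program name may contain spaces, so quotes are honoured."""
    target = target.strip()
    if not target:
        return False
    if target.startswith('"'):
        program = target.split('"')[1]
    else:
        program = target.split()[0]
    return ntpath.splitext(program)[1].lower() in EXEC_EXTENSIONS


def suspicious_files(text):
    """Sorted, de-duplicated list of executables the file would launch."""
    return sorted({t for _, t in launch_targets(text) if is_executable_target(t)})


if __name__ == "__main__":
    for directive, target in launch_targets(SAMPLE_AUTORUN_INF):
        flag = "LAUNCHES EXECUTABLE" if is_executable_target(target) else ""
        print(f"{directive:<24} {target:<20} {flag}")
```

On the constructed sample the three launching directives all point at the dropped copies, while `icon=` and `action=` are ignored; on a real stick, any executable name that also appears as a file in the volume root is the copy to hand to the AV team.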
Name Troj/Agent-GEP
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan.Win32.Agent.bxj
* Downloader-BEW
* Backdoor:Win32/Zonebac.D
Prevalence (1-5) 2
Description
Troj/Agent-GEP is a backdoor Trojan for the Windows platform.
Advanced
Troj/Agent-GEP is a backdoor Trojan for the Windows platform.
Troj/Agent-GEP will attempt to communicate with a remote server via HTTP.
Troj/Agent-GEP will create the following file:
\.dat
Troj/Agent-GEP will create several entries under the following registry
entries:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
Name W32/Vetor-G
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Vetor-G is an executable file virus for the Windows platform.
Name Troj/Flood-II
Type
* Trojan
Affected operating systems
* Unix
Side effects
* Used in DoS attacks
Aliases
* INFECTED HackTool.Perl.BBSXP.b
* PERL_Generic.ZA
Prevalence (1-5) 2
Description
Troj/Flood-II is a Trojan for the UNIX platform.
Advanced
Troj/Flood-II is a Trojan for the UNIX platform.
The Trojan attempts to perform a network flood on a specified target.
Name W32/Naplik-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Naplik-A is a virus for the Windows platform.
W32/Naplik-A attempts to infect executables on the infected computer.
Name W32/Autorun-G
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* W32/Autorun.worm.h
* Win32/VB.FX
Prevalence (1-5) 2
Description
W32/Autorun-G is a worm for the Windows platform.
W32/Autorun-G attempts to spread to any device that is mapped to a
drive letter.
Advanced
W32/Autorun-G is a worm for the Windows platform.
W32/Autorun-G attempts to spread to any device that is mapped to a
drive letter.
When first run W32/Autorun-G copies itself to:
\New Documents.exe
\sample1.exe
\l0g0n.scr
\1046\ctfmon.exe
\1055\svchost.exe
The following registry entries are created to run W32/Autorun-G on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon
\1046\ctfmon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon
\1046\ctfmon.exe
HKCU\Control Panel\desktop
SCRNSAVE.EXE
\l0g0n.scr
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe, \1055\svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System
\1055\svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe, \1055\svchost.exe
Registry entries are set as follows to change the way Windows Explorer
displays files:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Name W32/Sdbot-DIJ
Type
* Worm
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Sdbot-DIJ is a worm for the Windows platform.
Advanced
W32/Sdbot-DIJ is a worm with IRC backdoor functionality for the Windows
platform.
W32/Sdbot-DIJ runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Sdbot-DIJ copies itself to \dllcache\mlqm.exe.
The file mlqm.exe is registered as a new system driver service named
"Logitech QuickCam Manager", with a display name of "Logitech QuickCam
Manager" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Logitech QuickCam Manager
W32/Sdbot-DIJ sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates the
Microsoft Internet Connection Firewall (ICF).
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
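The W32/Autorun-G and W32/Sdbot-DIJ entries above together list most of the registry locations these families touch: the Run keys, the Winlogon Shell, Userinit and System values, SCRNSAVE.EXE, the Explorer\Advanced file-hiding settings, the Start value of the wuauserv and SharedAccess services, and Ole\EnableDCOM. The Python below is an added example for this page, not Sophos code, that parses a REGEDIT export of those keys and reports each setting that matches what the two entries describe. The export it runs on is constructed: the page omits the parent directory of the dropped files, so `C:\DROPDIR` is a placeholder, and `SYSTEM_DIR` is an assumed system directory used only to tell a real ctfmon.exe or screensaver from a look-alike stored elsewhere.

```python
"""Audit a REGEDIT export for the persistence and self-protection settings
described for W32/Autorun-G and W32/Sdbot-DIJ (added example, not Sophos code)."""
import ntpath

SYSTEM_DIR = r"c:\windows\system32"          # assumption: audited host's system dir
MASQUERADE_NAMES = {"ctfmon.exe", "svchost.exe", "userinit.exe", "explorer.exe"}
RUN_KEYS = [r"hkey_current_user\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\run"]
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
DESKTOP = r"hkey_current_user\control panel\desktop"
EXPLORER_ADV = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
SERVICES = r"hkey_local_machine\system\currentcontrolset\services"
OLE = r"hkey_local_machine\software\microsoft\ole"

# Constructed export; C:\DROPDIR stands in for the directory the page omits.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\DROPDIR\\1046\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\\DROPDIR\\1055\\svchost.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, C:\\DROPDIR\\1055\\svchost.exe"
"System"="C:\\DROPDIR\\1055\\svchost.exe"

[HKEY_CURRENT_USER\Control Panel\desktop]
"SCRNSAVE.EXE"="C:\\DROPDIR\\l0g0n.scr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}, lowercasing
    key paths and value names. Quoted strings are unescaped, dword values
    become ints, and any other data type is kept as its raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name_part, _, data = line.partition("=")
        name = "@" if name_part == "@" else name_part.strip('"').lower()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


def in_system_dir(path):
    return ntpath.dirname(path.strip().strip('"')).lower() == SYSTEM_DIR


def programs(value):
    """Split a comma-separated Winlogon value into its non-empty entries."""
    return [p.strip() for p in str(value).split(",") if p.strip()]


def audit(keys):
    """Return (rule, detail) findings for settings matching the two entries."""
    findings = []
    for key in RUN_KEYS:                      # Run entry named like a system binary, stored elsewhere
        for name, target in keys.get(key, {}).items():
            if isinstance(target, str) and ntpath.basename(target.strip('"')).lower() in MASQUERADE_NAMES \
                    and not in_system_dir(target):
                findings.append(("run-masquerade", f"{name}={target}"))
    wl = keys.get(WINLOGON, {})
    if [p.lower() for p in programs(wl.get("shell", "explorer.exe"))] != ["explorer.exe"]:
        findings.append(("winlogon-shell", wl.get("shell")))
    if len(programs(wl.get("userinit", ""))) > 1:     # a second program chained after userinit.exe
        findings.append(("winlogon-userinit", wl.get("userinit")))
    if wl.get("system"):                               # normally absent or empty
        findings.append(("winlogon-system", wl["system"]))
    scr = keys.get(DESKTOP, {}).get("scrnsave.exe")
    if isinstance(scr, str) and scr and not in_system_dir(scr):
        findings.append(("screensaver", scr))
    adv = keys.get(EXPLORER_ADV, {})
    for name, worm_value in (("hidden", 0), ("hidefileext", 1), ("showsuperhidden", 0)):
        if adv.get(name) == worm_value:                # the exact values the worm sets
            findings.append(("explorer-" + name, f"{name}={worm_value}"))
    for svc in ("wuauserv", "sharedaccess"):           # Start=4 is "disabled"
        if keys.get(SERVICES + "\\" + svc, {}).get("start") == 4:
            findings.append(("service-disabled", svc))
    if str(keys.get(OLE, {}).get("enabledcom", "")).upper() == "N":
        findings.append(("dcom-disabled", "EnableDCOM=N"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{rule:<24} {detail}")
```

Export the keys with `reg export` on the suspect host and feed the file to `parse_reg_export`; a hit on `service-disabled` for SharedAccess is the one worth escalating first, since, as the Sdbot-DIJ entry notes, it means the Internet Connection Firewall is off.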
Name Mal/EncPk-BK
Type
* Malicious Behavior
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Mal/EncPk-BK is a program that has been packed with a protection system
typically used by malware authors.
Name Troj/VB-DXQ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Backdoor.Win32.VB.bnb
Prevalence (1-5) 2
Description
Troj/VB-DXQ is a downloader Trojan for the Windows platform.
Advanced
Troj/VB-DXQ is a downloader Trojan for the Windows platform.
Troj/VB-DXQ includes functionality to access the internet and
communicate with a remote server via HTTP. The Trojan attempts to
download an EXE to the location \qiawpbjj.exe.
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
SOURCE: echomail via fidonet.ozzmosis.com