echo: virus
to: ALL
from: KURT WISMER
date: 2006-07-09 23:49:00
subject: News, July 9, 2006

[cut-n-paste from sophos.com]

Name   Troj/Zlob-PI

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Zlob.we
    * Puper.dll

Prevalence (1-5) 2

Description
Troj/Zlob-PI is a Trojan for the Windows platform.

Advanced
Troj/Zlob-PI is a Trojan for the Windows platform.

When run, Troj/Zlob-PI creates the following files:
\ZipCodec\uninst.exe
\regperf.exe
\ld100.tmp.

The uninst.exe is a harmless file that when run will delete itself 
and the \ZipCodec folder. This file can be deleted.

The files \regperf.exe and \ld100.tmp are detected as 
Troj/Zlob-PI.

The following registry entry is set to run regperf.exe on startup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
wininet.dll
regperf.exe





Name   Troj/Lineage-VJ

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information

Aliases  
    * PWS-Lineage

Prevalence (1-5) 2

Description
Troj/Lineage-VJ is a password-stealing Trojan for the Windows platform.

Advanced
Troj/Lineage-VJ is a password-stealing Trojan for the Windows platform.

When Troj/Lineage-VJ is installed the following files are created:
\svchost.exe
\pdll.dll

Both of these files are detected as Troj/Lineage-VJ.

The following registry entry is changed to run Troj/Lineage-VJ on 
startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\svchost.exe,

(the default value for this registry entry is 
"\System32\userinit.exe,").





Name   Troj/SpyDldr-J

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Hoax.Win32.Renos.dk
    * TFactory
    * Win32/Hoax.Renos.DK

Prevalence (1-5) 2

Description
Troj/SpyDldr-J is a Trojan for the Windows platform.

Troj/SpyDldr-J creates registry entries and drops corrupt executable 
files on the infected computer that indicate the presence of 
malware or adware on the computer, and may generate fake alerts about 
them.

Troj/SpyDldr-J may display the following fake error message:

Warning!

Local Security Authority Service ('lsass.exe') has encountered a 
serious problem (possible spyware infection).

Click OK button to visit Windows Security Center web site and 
download spyware remover to protect your
system against trojans, viruses and spyware. System scan is highly 
recommended by Windows Security Center.

'lsass.exe' terminated unexpectedly with status code -1073741819

Advanced
Troj/SpyDldr-J is a Trojan for the Windows platform.

Troj/SpyDldr-J creates registry entries and drops corrupt executable 
files on the infected computer that indicate the presence of 
malware or adware on the computer, and may generate fake alerts about 
them.

Troj/SpyDldr-J may display the following fake error message:

Warning!

Local Security Authority Service ('lsass.exe') has encountered a 
serious problem (possible spyware infection).

Click OK button to visit Windows Security Center web site and 
download spyware remover to protect your
system against trojans, viruses and spyware. System scan is highly 
recommended by Windows Security Center.

'lsass.exe' terminated unexpectedly with status code -1073741819

Troj/SpyDldr-J attempts to download and install further files from a 
remote website to the following locations:

\adobepnl.dll
\qjrkvy.exe
\reger.exe
\winflash.dll

Troj/SpyDldr-J attempts to download some of the following image files 
to the Windows folder:

about_spyware_bg.gif
about_spyware_bottom.gif
as.gif
as_header.gif
bg.gif
box_1.gif
box_2.gif
box_3.gif
button_buynow.gif
button_freescan.gif
close-bar.gif
download_box.gif
features.gif
footer_back.gif
footer_back.jpg
header_1.gif
header_2.gif
header_3.gif
header_4.gif
infected.gif
main_back.gif
rf.gif
rf_header.gif
scan_btn.gif
security-center-bg.gif
security-center-logo.gif
security_center_caption.gif
sep_hor.gif
sep_vert.gif
spacer.gif
spyware-detected.gif
star.gif
star_gray.gif
star_gray_small.gif
star_small.gif
ts.gif
ts_header.gif
warning-bar-ico.gif
warning_icon.gif
win_logo.gif

Troj/SpyDldr-J creates some of the following files to pretend the 
computer is infected with other malware and adware:

\alexaie.dll
\alxie328.dll
\alxtb1.dll
\BTGrab.dll
\dlmax.dll
\Pynix.dll
\susp.exe
\ZServ.dll
\a.exe
\alxres.dll
\bridge.dll
\dailytoolbar.dll
\jao.dll
\questmod.dll
\runsrv32.dll
\runsrv32.exe
\tcpservice2.exe
\txfdb32.dll
\udpmod.dll
\wstart.dll

Troj/SpyDldr-J creates some of the following registry entries to 
pretend the computer is infected with other malware and adware:

HKCR\AlxTB.BHO

HKCR\AppID\{951B3138-AE8E-4676-A05A-250A5F111631}

HKCR\AppID\{F6BDB4E5-D6AA-4D1F-8B67-BCB0F2246E21}

HKCR\AppID\DailyToolbar.DLL
DailyToolbar
dailytoolbar.dll

HKCR\AppID\WStart.DLL
WStart
wstart.dll

HKCR\Bridge.brdg
Bridge

HKCR\CLSID\{58F9B276-E1CC-458e-8159-21CBC021874B}

HKCR\CLSID\{60e2e76b-60e2e76b-60e2e76b-60e2e76b-60e2e76b}

HKCR\CLSID\{80bb7465-a638-43b5-9827-8e8fe38dfcc1}

HKCR\CLSID\{8333C319-0669-4893-A418-F56D9249FCA6}

HKCR\CLSID\{9896231A-C487-43A5-8369-6EC9B0A96CC0}

HKCR\CLSID\{E52DEDBB-D168-4BDB-B229-C48160800E81}
url_relpacer

HKCR\CLSID\{F1FABE79-25FC-46de-8C5A-2C6DB9D64333}

HKCR\DailyToolbar.IEBand
DailyToolbar

HKCR\DailyToolbar.SysMgr
DailyToolbar

HKCR\IEToolbar.AffiliateCtl
IEToolbar

HKCR\Interface\{0BBB0424-E98E-4405-9A94-481854765C80}

HKCR\Interface\{0F3332B5-BC98-48AF-9FAC-05FEC94EBE73}

HKCR\Interface\{10195311-E434-47A9-ADBA-48839E3F7E4E}

HKCR\Interface\{3E60160F-0ED6-4DCC-B6B6-850CDE4FD217}

HKCR\Interface\{4FDBDBAD-FEFE-4C4C-9CC1-1181052AFB12}

HKCR\Interface\{A69107CC-BEC8-4A34-B474-211B0F46A764}

HKCR\Interface\{A6A68CBD-6673-41B1-B997-3F83A25B45B0}

HKCR\Interface\{ABAFA0B4-F78D-42E5-8C31-1A441D01C1DF}

HKCR\Interface\{B71C7D9A-DA43-4E8B-BB98-1684AC2AF324}

HKCR\Interface\{B7B84995-8B92-46BF-94AA-FA2F3DD23B84}

HKCR\Interface\{FA77AD79-09CF-41FB-B171-CC856F9E737F}

HKCR\jao.jao
jao

HKCR\PopMenu.Menu
PopMenu

HKCR\Popup.HTMLEvent.
HTMLEvent

HKCR\Popup.PopupKiller
PopupKiller

HKCR\TypeLib\{547AB549-4DD8-4ea0-B070-F6EA062148FF}

HKCR\TYPELIB\{c094876d-1b0e-46fa-b6a6-7ffc0f970c27}

HKCR\url_relpacer.URLResolver
url_relpacer

HKCR\WStart.WHttpHelper

HKCR\WStart.WHttpHelper.1

HKCU\Software\Microsoft\IPCheck
IPCheck

HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce\Srv32 spool 
service
Adware.Srv32

HKLM\SOFTWARE\Alexa Internet
Alexa Internet

HKLM\SOFTWARE\Alexa Toolbar
\Alexa Toolbar

HKLM\SOFTWARE\DailyToolbar
DailyToolbar

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{00000000-59D4-4008-9058-080011001200}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{00000000-C1EC-0345-6EC2-4D0300000000}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{00000000-F09C-02B4-6EC2-AD0300000000}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{3ceff6cd-6f08-4e4d-bccd-ff7415288c3b}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{7b55bb05-0b4d-44fd-81a6-b136188f5deb}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{8333c319-0669-4893-a418-f56d9249fca6}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{9c691a33-7dda-4c2f-be4c-c176083f35cf}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{e52dedbb-d168-4bdb-b229-c48160800e81}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{ffd2825e-0785-40c5-9a41-518f53a8261f}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adware.Srv32
\runsrv32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Transponder
\susp.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\Srv32 spool 
service
Adware.Srv32

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alexa Toolbar

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bridge

HKLM\SOFTWARE\NIX Solutions\DailyToolbar
DailyToolbar

HKLM\SOFTWARE\RespondMiter
Adware.Srv32
\runsrv32.exe

HKLM\SOFTWARE\Software\TPS108
Adware.Srv32
\runsrv32.exe

HKLM\SOFTWARE\Transponder
Adware.Srv32
\runsrv32.exe

HKLM\SOFTWARE\WSoft
WSoft





Name   W32/Brontok-BB

Type  
    * Spyware Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Brontok-BB is a mass-mailing worm for the Windows platform.

W32/Brontok-BB sends itself to email addresses found on the infected 
computer.

Advanced
W32/Brontok-BB is a mass-mailing worm for the Windows platform.

W32/Brontok-BB sends itself to email addresses found on the infected 
computer.

Emails sent by the worm have the following characteristics:

If the recipient's address is Indonesian:

Subject: Fotoku yg Paling Cantik

Message text:

Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.

Thanks

For all other addresses:

Subject: My Best Photo

Message text:

Hi,
I want to share my photo with you.
Wishing you all the best.

Regards,

Attachment name: Photo.zip

The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat 
runs Photo.bmp.

Photo.bmp is an executable (currently detected as Troj/DwnLdr-AYN) 
which attempts to download and execute a copy of the worm from a 
preconfigured website. At the time of writing, this website is 
unavailable.

W32/Brontok-BB closes windows whose titles contain any of the 
following:

task manager
baca bro !!!
registry
command prompt
system configuration
group policy
cmd.exe
computer management
scheduled task
killbox
hijack
SYSINTERNAL
PROCESS EXP
REMOVER
CLEANER
anti
washer
ertanto
BROWNIES
movzx
killer
pcmedia
pc-media
rontok
rontox
robknot
commander
windows script
norman
norton
symantec
cillin
trendmicro
bitdef
kaspersky
avg
avira
virus
trojan
worm
mcafee
b.e
folder option
wintask
alwil
sex
porn
naked
cewe
bugil
telanjang
nod32
task view
peid
ahnlab

When first run W32/Brontok-BB copies itself to:

\Local Settings\Application Data\dv\yesbron.com
\Local Settings\Application Data\jalak.com
\_default.pif
\j.exe
\o.exe
\sa\ib.exe
\c.com
\n\b.exe
\n\csrss.exe
\n\lsass.exe
\n\services.exe
\n\smss.exe
\n\sv.exe
\n\winlogon.exe

where  is a sequence of randomly generated numbers.

and creates the following files:

Baca Bro !!!.txt
\Tasks\At1.job
\Tasks\At2.job
\n5817\c.bron.tok.txt

These files can be deleted.

The .job files each contain a scheduled task, instructing Windows to 
execute the installed copies of the worm once per day.

W32/Brontok-BB may install a new version of the file 
\msvbvm60.dll.

The following registry entries are created to run yesbron.com, 
_default.pif, j.exe and sv.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run

\Local Settings\Application Data\dv\yesbron.com

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run

\_default.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

\n\sv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

\j.exe

The following registry entries are changed to run j.exe and 
o.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "\o.exe"

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file \Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\j.exe

(the default value for this registry entry is 
"\System32\userinit.exe,").

The following registry entry is set, disabling the registry editor 
(regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Brontok
Message
Look {at} "C:\Baca Bro !!!.txt"

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

Registry entries are created under:

HKCU\Software\Brontok\





Name   Troj/Banker-CSX

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Steals information
    * Forges the sender's email address
    * Uses its own emailing engine
    * Reduces system security
    * Installs itself in the Registry
    * Monitors browser activity

Aliases  
    * Trojan-Spy.Win32.Banker.ark

Prevalence (1-5) 2

Description
Troj/Banker-CSX is an internet banking Trojan for the Windows platform.

When run Troj/Banker-CSX attempts to disable software that may be 
running on the user's computer.

Troj/Banker-CSX then continuously monitors Microsoft Internet 
Explorer for certain strings related to internet banking websites.

Once a match is found, Troj/Banker-CSX will display a fake login 
screen, prompting the user to enter confidential information.

Advanced
Troj/Banker-CSX is an internet banking Trojan for the Windows platform.

When run Troj/Banker-CSX attempts to disable software that may be 
running on the user's computer.

Troj/Banker-CSX then continuously monitors Microsoft Internet 
Explorer for certain strings related to internet banking websites.

Once a match is found, Troj/Banker-CSX will display a fake login 
screen, prompting the user to enter confidential information.

Troj/Banker-CSX sends the harvested information to a remote address 
via SMTP.

Troj/Banker-CSX copies itself to \nvcpll.exe.

Troj/Banker-CSX creates the following registry entry to run 
nvcpll.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nvcpll
\nvcpll.exe





Name   Troj/Clagger-V

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Clagger-V is a Trojan downloader for the Windows platform.

Troj/Clagger-V attempts to download a file from a remote website to 
\new.exe and execute it.

Troj/Clagger-V drops the clean file 1.bat to the same folder as 
itself in order to delete itself.

Advanced
Troj/Clagger-V is a Trojan downloader for the Windows platform.

Troj/Clagger-V attempts to download a file from a remote website to 
\new.exe and execute it.

Troj/Clagger-V sets the following registry entry in order to bypass 
the Windows firewall:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FiREWaLLpolicy\StAnDaRDPrOFiLe\AUtHorizedapplications\List

:*:ENABLED:0

Troj/Clagger-V drops the clean file 1.bat to the same folder as 
itself in order to delete itself.





Name   Troj/Cimuz-AO

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Steals information
    * Installs itself in the Registry
    * Installs a browser helper object

Aliases  
    * Win32/Spy.Agent.EO
    * Spy-Agent.ba

Prevalence (1-5) 2

Description
Troj/Cimuz-AO is an information-stealing Trojan for the Windows 
platform.

Troj/Cimuz-AO attempts to steal information such as email account 
usernames and passwords, as well as creating screenshots to capture 
information such as banking details, and may send the stolen 
information to a remote user via FTP.

Advanced
Troj/Cimuz-AO is an information-stealing Trojan for the Windows 
platform.

Troj/Cimuz-AO attempts to steal information such as email account 
usernames and passwords, as well as creating screenshots to capture 
information such as banking details, and may send the stolen 
information to a remote user via FTP.

Troj/Cimuz-AO drops the file \ipv6mons.dll, also detected 
as Troj/Cimuz-AO. This file is registered as a COM object and Browser 
Helper Object (BHO) for Microsoft Internet Explorer, creating 
registry entries under:

HKCR\CLSID\{73364D99-1240-4dff-B11A-67E448373048}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper ObJects\{73364D99-1240-4dff-B11A-67E448373048}

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\StandardProfile\AuthorizedApplications\List\\Internet Explorer
IEXPLORE.EXE
"\\Internet 
Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"

Troj/Cimuz-AO creates the following registry value:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control 
Panel\load\net_insll





Name   Troj/Ogre-A

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Records keystrokes
    * Monitors browser activity

Aliases  
    * Trojan-Spy.Win32.Bancos.px
    * Win32/Spy.Bancos.IV

Prevalence (1-5) 2

Description
Troj/Ogre-A is a password-stealing Trojan for the Windows platform.

Advanced
Troj/Ogre-A is a password-stealing Trojan for the Windows platform.

Troj/Ogre-A attempts to steal confidential data when a user attempts 
to access Orkut.

Troj/Ogre-A will display a fake login screen for Orkut when a user 
accesses the website via a web browser.





Name   W32/Looked-B

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Viking.n
    * Win32/Viking.N

Prevalence (1-5) 2

Description
W32/Looked-B is a Windows executable virus and network worm.

The virus infects EXE files found on the infected computer. The virus 
also attempts to copy itself to remote network shares.

Advanced
W32/Looked-B is a Windows executable virus and network worm.

When first run the virus copies itself to \rundl132.exe and 
creates a file \vDll.dll, also detected as W32/Looked-B. 
This file attempts to download further malicious code.

The virus infects EXE files found on the infected computer. The virus 
also attempts to copy itself to remote network shares.

Many files with the name "_desktop.ini" are created, in various 
folders on the infected computer. These files are harmless text files.

The following registry entry is created in order to run the virus on 
startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
\rundl132.exe





Name   Troj/Cimuz-AP

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Aliases  
    * Spy-Agent.ak

Prevalence (1-5) 2

Description
Troj/Cimuz-AP is a Trojan for the Windows platform.

Advanced
Troj/Cimuz-AP is a Trojan for the Windows platform.

When Troj/Cimuz-AP is installed it creates the file 
\ipv6mons.dll.

The file ipv6mons.dll is detected as Troj/Cimuz-Gen.

The file ipv6mons.dll is registered as a COM object and Browser 
Helper Object (BHO) for Microsoft Internet Explorer, creating 
registry entries under:

HKCR\CLSID\(73364D99-1240-4dff-B11A-67E448373048)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser 
helper obJects\(73364D99-1240-4dff-B11A-67E448373048)

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\StandardProfile\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\StandardProfile\AuthorizedApplications\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\StandardProfile\AuthorizedApplications\List\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\StandardProfile\AuthorizedApplications\List\\Internet Explorer
IEXPLORE.EXE
\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet 
Explorer





Name   Troj/Agent-CDK

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Agent.nw
    * W32/Agent.XR
    * Downloader-LE.gen
    * Win32/TrojanDownloader.Agent.LG

Prevalence (1-5) 2

Description
Troj/Agent-CDK is a Trojan for the Windows platform.

Troj/Agent-CDK includes functionality to download, install and run 
new software.

Troj/Agent-CDK also contains functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Agent-CDK is a Trojan for the Windows platform.

Troj/Agent-CDK includes functionality to download, install and run 
new software.

Troj/Agent-CDK also contains functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Agent-CDK copies itself to \[random1]\[random2].exe 
(where random1 and random2 are randomly generated names of 6 and 5 
characters respectively).

The following registry entry is created to run cosvcx.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[random2]
\[random1]\[random2].exe

The file [random2].exe is registered as a COM object, creating 
registry entries under:

HKCR\CLSID\{86999974-0C67-0C36-58D5-200AED9213EB}

Troj/Agent-CDK changes settings for Microsoft Internet Explorer by 
modifying values under:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\

The following registry entry is set, affecting internet security:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\ProxyServer





Name   Troj/Dloadr-YT

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Small.cul

Prevalence (1-5) 2

Description
Troj/Dloadr-YT is a downloading Trojan for the Windows platform.

Advanced
Troj/Dloadr-YT is a downloading Trojan for the Windows platform.

The Trojan includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Dloadr-YT copies itself to \upnp.exe.

The file being downloaded was unavailable at the time of writing.

The following registry entry is created to run upnp.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
upnp
\upnp.exe

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy
StandardProfile\AuthorizedApplications\List

:*:Enabled:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy
StandardProfile\AuthorizedApplications\List\
\upnp.exe
\upnp.exe:*:Enabled:upnp





Name   W32/Bagle-KN

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Forges the sender's email address
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Bagle-KN is a mass-mailing worm and downloader Trojan for the 
Windows platform.

Emails sent by the worm have the following characteristics:

The sender's email address is spoofed.

Message text chosen from:

To the beloved
I love you

And appended with any of the following strings:

archive password: 
The password is 
Password -- 
Use password  to open archive.
Password is 
Zip password: 
archive password: 
Password - 
Password: 

The email comes with 2 file attachments:
.GIF
.ZIP

The file .GIF contains a GIF image which contains 
the password to unzip the ZIP file.

The file .ZIP when unzipped contains 2 files:
\.dll - this file may be safely 
deleted
.exe - detected as W32/Bagle-KN

Advanced
W32/Bagle-KN is a mass-mailing worm and downloader Trojan for the 
Windows platform.

When run W32/Bagle-KN creates the file \Application 
Data\hidn\m_hook.sys. This file is also detected as W32/Bagle-KN and 
includes functionality to terminate anti-virus and system-related 
processes and to hide processes.

The file m_hook.sys is registered as a new system driver service 
named "m_hook", with a display name of "Empty" and a startup type of 
automatic, so that it is started automatically during system startup. 
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\

The following registry entry is also set:

HKCU\Software\FirstRuxzx
FirstRun
1

W32/Bagle-KN also creates the file C:\error.gif. This is a GIF file 
which is also subsequently run and can be safely deleted.

Emails sent by the worm have the following characteristics:

The sender's email address is spoofed.

Message text chosen from:

To the beloved
I love you

And appended with any of the following strings:

archive password: 
The password is 
Password -- 
Use password  to open archive.
Password is 
Zip password: 
archive password: 
Password - 
Password: 

The email comes with 2 file attachments:
.GIF
.ZIP

The file .GIF contains a GIF image which contains 
the password to unzip the ZIP file.

The file .ZIP when unzipped contains 2 files:
\.dll - this file may be safely 
deleted
.exe - detected as W32/Bagle-KN

W32/Bagle-KN may also copy itself to \Application 
Data\hidn\hidn1.exe and sets the following registry entry to run 
hidn1.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
drv_st_key






Name   W32/Oscabot-O

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Aimbot.v

Prevalence (1-5) 2

Description
W32/Oscabot-O is a Trojan for the Windows platform.

W32/Oscabot-O runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Oscabot-O is a Trojan for the Windows platform.

W32/Oscabot-O runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Oscabot-O spreads via AOL Instant Messenger.

When first run W32/Oscabot-O copies itself to \msclean.exe.

The following registry entry is created to run msclean.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msclean
\msclean.exe

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
msclean
msclean.exe\msclean.exe





Name   Troj/LowZone-CX

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Reduces system security
    * Installs itself in the Registry
    * Modifies browser settings

Aliases  
    * Trojan.Win32.LowZones.dt
    * QLowZones-2.gen
    * Trojan.LowZones
    * TROJ_LOWZONE.AF

Prevalence (1-5) 2

Description
Troj/LowZone-CX is a Trojan for the Windows platform.

Troj/LowZone-CX includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/LowZone-CX is a Trojan for the Windows platform.

Troj/LowZone-CX includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/LowZone-CX copies itself to \bikini.exe.

The following registry entry is created to run bikini.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
bikini
bikini.exe

The following registry entry is set, affecting internet security:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\Zones\3
CurrentLevel
11





Name   Troj/Dloadr-ZL

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Delf.qz

Prevalence (1-5) 2

Description
Troj/Dloadr-ZL is a Trojan for the Windows platform.

Troj/Dloadr-ZL includes functionality to download, install and run 
new software.

Advanced
Troj/Dloadr-ZL is a Trojan for the Windows platform.

Troj/Dloadr-ZL includes functionality to download, install and run 
new software.

When first run, Troj/Dloadr-ZL downloads a file from a remote server 
called manual.exe. This file is written to \Explorer.EXE 
and executed. The file \Explorer.EXE is detected by Sophos 
as Troj/Bnkmr-Fam.





Name   Troj/Sharp-S

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.Enfal.f
    * Win32/Spy.Agent.M

Prevalence (1-5) 2

Description
Troj/Sharp-S is a backdoor Trojan for the Windows platform.

Troj/Sharp-S includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Sharp-S injects several threads into the explorer process space.

Advanced
Troj/Sharp-S is a backdoor Trojan for the Windows platform.

Troj/Sharp-S includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Sharp-S injects several threads into the explorer process space.

The Trojan copies itself to the Windows system folder as dllhst2d.exe 
and dt7x.exe.

Troj/Sharp-R will modify the following registry entry to ensure the 
Trojan is run on Windows Login:

HKLM\SOFTWARE\Microsoft\Windows NT\Winlogon
Userinit
,\dllhst2d.exe

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
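Nearly every write-up above ends with the same kinds of indicator: a value added under a Run, RunOnce or Policies\Explorer\Run key, a Winlogon Userinit or Shell value with an extra executable appended (Lineage-VJ, Brontok-BB, Sharp-S), DisableRegistryTools set to 1 (Brontok-BB), the legacy "load" value pointed at a dropped file (Looked-B), and Windows Firewall AuthorizedApplications exceptions added for the dropped file or with an empty path (Clagger-V, Cimuz-AO, Dloadr-YT). The following Python script is an added example, not part of the echomail post and not Sophos code: it parses a registry export in .reg text format and reports each of those indicator classes, generalising across all the autostart locations the descriptions mention rather than any single family. The sample export, the allow-list of known-good paths and the indicator names are constructed for the example.

```python
"""Audit a Windows registry export (.reg text) for the autostart and
security-weakening indicators described in the Sophos write-ups above.
Added example, not Sophos code; the sample export below is constructed."""
import re
from collections import defaultdict

HIVES = {'hkey_local_machine': 'hklm', 'hkey_current_user': 'hkcu',
         'hkey_classes_root': 'hkcr', 'hkey_users': 'hku'}
KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

WINLOGON = r'hklm\software\microsoft\windows nt\currentversion\winlogon'
POLICIES_SYSTEM = r'hkcu\software\microsoft\windows\currentversion\policies\system'
WIN_LOAD = r'hkcu\software\microsoft\windows nt\currentversion\windows'
AUTOSTART_KEYS = [
    r'hklm\software\microsoft\windows\currentversion\run',
    r'hklm\software\microsoft\windows\currentversion\runonce',
    r'hkcu\software\microsoft\windows\currentversion\run',
    r'hkcu\software\microsoft\windows\currentversion\runonce',
    r'hklm\software\microsoft\windows\currentversion\policies\explorer\run',
    r'hkcu\software\microsoft\windows\currentversion\policies\explorer\run',
]
FIREWALL_LIST = (r'hklm\system\currentcontrolset\services\sharedaccess\parameters'
                 r'\firewallpolicy\standardprofile\authorizedapplications\list')
# value format seen in the write-ups: <path>:*:Enabled:<display name>
FW_ENTRY_RE = re.compile(r'^(.*):\*:(enabled|disabled):(.*)$', re.I)

def _norm_key(path):
    """Lower-case a key path and shorten the hive (HKEY_LOCAL_MACHINE -> hklm)."""
    hive, _, rest = path.partition('\\')
    return HIVES.get(hive.lower(), hive.lower()) + '\\' + rest.lower()

def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def _parse_data(raw):
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    return raw  # hex(...) blobs and other types are kept verbatim

def parse_reg(text):
    """Return {normalised key path: {value name: data}}; '@' is the default value."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = _norm_key(m.group(1))
            keys[current]  # record the key even if it has no values
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = '@' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            keys[current][name] = _parse_data(m.group(2))
    return dict(keys)

def _getv(values, name, default=None):
    # registry value names are case-insensitive
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return default

def audit(reg, known_good=frozenset()):
    """Return (indicator, detail) findings. known_good holds lower-cased
    executable paths allowed to autostart or hold firewall exceptions."""
    findings = []
    wl = reg.get(WINLOGON, {})
    # Userinit default is "<system32>\userinit.exe,"; anything appended is suspect
    extra = [p.strip() for p in str(_getv(wl, 'Userinit', '')).split(',')
             if p.strip() and not p.strip().lower().endswith(r'\userinit.exe')]
    if extra:
        findings.append(('winlogon-userinit', extra))
    shell = str(_getv(wl, 'Shell', 'Explorer.exe')).strip()
    if shell.lower() != 'explorer.exe':  # default is exactly "Explorer.exe"
        findings.append(('winlogon-shell', shell))
    if _getv(reg.get(POLICIES_SYSTEM, {}), 'DisableRegistryTools', 0) == 1:
        findings.append(('regedit-disabled', POLICIES_SYSTEM))
    load = str(_getv(reg.get(WIN_LOAD, {}), 'load', '')).strip()
    if load:  # legacy win.ini "load=" equivalent, normally empty
        findings.append(('winlogon-load', load))
    for key in AUTOSTART_KEYS:
        for name, cmd in reg.get(key, {}).items():
            if str(cmd).strip().lower() not in known_good:
                findings.append(('autostart', f'{key} {name} -> {cmd}'))
    for name, data in reg.get(FIREWALL_LIST, {}).items():
        m = FW_ENTRY_RE.match(str(data))
        # unparsable value, empty path, or an enabled exception for an unknown program
        if not m or not m.group(1) or (m.group(2).lower() == 'enabled'
                                       and m.group(1).lower() not in known_good):
            findings.append(('firewall-exception', f'{name} = {data}'))
    return findings

# Constructed sample export (not a real machine) mirroring the entry types
# the write-ups list; ctfmon and IEXPLORE stand in for legitimate entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\svchost.exe,"
"Shell"="Explorer.exe \"C:\\WINDOWS\\o.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\rundl132.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"upnp"="C:\\WINDOWS\\system32\\upnp.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\system32\\upnp.exe"="C:\\WINDOWS\\system32\\upnp.exe:*:Enabled:upnp"
@=":*:ENABLED:0"
'''

KNOWN_GOOD = frozenset({r'c:\windows\system32\ctfmon.exe',
                        r'c:\program files\internet explorer\iexplore.exe'})

if __name__ == '__main__':
    for kind, detail in audit(parse_reg(SAMPLE_REG), KNOWN_GOOD):
        print(f'{kind:20} {detail}')
```

An export produced with `reg export` of the keys named in the constants can be fed to `parse_reg` in place of the sample. The allow-list comparison is an exact match on the lower-cased path, so a quoted command or one carrying arguments is reported for review rather than silently matched, which is the safer failure mode for an audit script.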
