echo: virus
to: ALL
from: KURT WISMER
date: 2005-10-30 19:32:00
subject: News, October 30 2005

[cut-n-paste from sophos.com]

Name   Troj/Hanlo-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Hanlo.b
    * Downloader-AGH
    * TROJ_DLOADER.AJQ

Prevalence (1-5) 2

Description
Troj/Hanlo-B is a Trojan for the Windows platform.

Troj/Hanlo-B includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Hanlo-B downloads the following files:

tBmp107.exe
tBmp207.exe
tBmp307.exe
tBmp407.exe
tBmp507.exe
tBmp607.exe
tBmp707.exe

Advanced
Troj/Hanlo-B is a Trojan for the Windows platform.

Troj/Hanlo-B includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Hanlo-B downloads the following files:

tBmp107.exe
tBmp207.exe
tBmp307.exe
tBmp407.exe
tBmp507.exe
tBmp607.exe
tBmp707.exe

Troj/Hanlo-B creates the following file:

\avA6.sys

The file avA6.sys is detected as Troj/Haxdor-Gen.

The file avA6.sys is registered as a new system driver service named 
"avA6", with a display name of "AVP update interface A6". Registry 
entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\avA6\





Name   W32/Rbot-ATC

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Rbot.nt
    * BKDR_SDBOT.ON

Prevalence (1-5) 2

Description
W32/Rbot-ATC is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-ATC spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM 
(MS04-012) and WKS (MS03-049) (CAN-2003-0812) and by copying itself 
to network shares protected by weak passwords.

W32/Rbot-ATC runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-ATC includes functionality to:

- carry out DDoS flooder attacks
- silently download, install and run new software, including updates 
of its software

The following patches for the operating system vulnerabilities 
exploited by W32/Rbot-ATC can be obtained from the Microsoft website:

MS04-011
MS04-012
MS03-049

Advanced
W32/Rbot-ATC is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-ATC spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM 
(MS04-012) and WKS (MS03-049) (CAN-2003-0812) and by copying itself 
to network shares protected by weak passwords.

W32/Rbot-ATC runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-ATC includes functionality to:

- carry out DDoS flooder attacks
- silently download, install and run new software, including updates 
of its software

When first run W32/Rbot-ATC copies itself to \MSAOL32dll.exe.

The following registry entries are created to run MSAOL32dll.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AOL Instant Messenger dll runtime
MSAOL32dll.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AOL Instant Messenger dll runtime
MSAOL32dll.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
AOL Instant Messenger dll runtime
MSAOL32dll.exe

The following patches for the operating system vulnerabilities 
exploited by W32/Rbot-ATC can be obtained from the Microsoft website:

MS04-011
MS04-012
MS03-049





Name   Troj/Midrug-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * BackDoor-AYE

Prevalence (1-5) 2

Description
Troj/Midrug-B is a Trojan for the Windows platform. It may attempt to 
connect to a remote server.

Advanced
Troj/Midrug-B is a Trojan for the Windows platform. It may attempt to 
connect to a remote server.

Troj/Midrug-B is capable of creating a registry entry to auto start 
itself under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run





Name   W32/Mytob-BZ

Type  
    * Spyware Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer
    * Steals information
    * Drops more malware

Prevalence (1-5) 2

Description
W32/Mytob-BZ is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-BZ is capable of spreading through email and through 
various operating system vulnerabilities such as LSASS (MS04-011).

W32/Mytob-BZ harvests email addresses from files on the infected 
computer and from the Windows address book.

Advanced
W32/Mytob-BZ is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

When first run W32/Mytob-BZ copies itself to the Windows system 
folder as taskgmr.exe and creates the following registry entries:

HKCU\System\CurrentControlSet\Control\Lsa
W1NTASK
taskgmr.exe

HKCU\Software\Microsoft\OLE
W1NTASK
taskgmr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W1NTASK
taskgmr.exe

HKLM\System\CurrentControlSet\Control\Lsa
W1NTASK
taskgmr.exe

HKLM\Software\Microsoft\Ole
W1NTASK
taskgmr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
W1NTASK
taskgmr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
W1NTASK
taskgmr.exe

W32/Mytob-BZ copies itself to the root folder as:

funny_pic.scr
my_photo2005.scr
see_this!!.scr

and drops a file called hellmsn.exe (detected by Sophos as W32/Mytob-D) 
in the same location. This component attempts to spread the worm by 
sending the aforementioned SCR files through Windows Messenger to all 
online contacts.

W32/Mytob-BZ also appends the following to the HOSTS file to deny 
access to security related websites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com

W32/Mytob-BZ is capable of spreading through email and through 
various operating system vulnerabilities such as LSASS (MS04-011). 
Email sent by W32/Mytob-BZ has the following properties:

Subject line:

document
Good day
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status

Message text:

'This is a multi-part message in MIME format.'

'Mail transaction failed. Partial message is available.'

'The message contains Unicode characters and has been sent as a 
binary attachment.'

'The message cannot be represented in 7-bit ASCII encoding and has 
been sent as a binary attachment.'

'The original message was included as an attachment.'

'Here are your banks documents.'

The attached file consists of a base name followed by the extensions 
PIF, SCR, EXE or ZIP. The worm may optionally create double 
extensions where the first extension is DOC, TXT or HTM and the final 
extension is PIF, SCR, EXE or ZIP.

W32/Mytob-BZ harvests email addresses from files on the infected 
computer and from the Windows address book. The worm avoids sending 
email to addresses that contain the following:

.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your





Name   W32/Rbot-ATE

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.aci

Prevalence (1-5) 2

Description
W32/Rbot-ATE is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-ATE spreads to network shares with weak passwords and by 
exploiting common buffer overflow vulnerabilities, including: RPC-DCOM 
(MS04-012), PNP (MS05-039) and ASN.1 (MS04-007).

W32/Rbot-ATE runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-ATE is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-ATE spreads to network shares with weak passwords and by 
exploiting common buffer overflow vulnerabilities, including: RPC-DCOM 
(MS04-012), PNP (MS05-039) and ASN.1 (MS04-007).

W32/Rbot-ATE runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-ATE copies itself to \hhs32.pif.

The following registry entries are created to run hhs32.pif on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HTML32 Help System
hhs32.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HTML32 Help System
hhs32.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HTML32 Help System
hhs32.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HTML32 Help System
hhs32.pif

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\OLE
HTML32 Help System
hhs32.pif

HKCU\Software\Microsoft\OLE
HTML32 Help System
hhs32.pif

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HTML32 Help System
hhs32.pif

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
HTML32 Help System
hhs32.pif





Name   Troj/Keylog-AP

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Forges the sender's email address
    * Uses its own emailing engine
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Trojan-Dropper.Win32.Agent.zf

Prevalence (1-5) 2

Description
Troj/Keylog-AP is a keylogging Trojan for the Windows platform.

Advanced
Troj/Keylog-AP is a keylogging Trojan for the Windows platform.

When Troj/Keylog-AP is installed it creates the file 
\wcsys.exe.

The following registry entry is created to run wcsys.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wcsys
\wcsys.exe

Troj/Keylog-AP creates a file named wcsys.dll in the Windows system 
folder. This file is detected as Troj/Keylog-AC.

The Trojan may inject itself into the explorer process or register 
itself as a service process in order to prevent itself from being 
terminated.

Troj/Keylog-AP records keystrokes to the file wcsys32.dll in the 
Windows system folder. When this file becomes larger than 4kb, its 
contents are submitted to the author by email.





Name   W32/Agobot-TW

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Agobot-TW is a worm and backdoor Trojan for the Windows platform.

W32/Agobot-TW runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Agobot-TW spreads via common buffer overflow exploits, including 
LSASS (MS04-011), RPC-DCOM (MS04-012), and PNP (MS05-039), as well as 
to weakly protected network shares.

Advanced
W32/Agobot-TW is a worm and backdoor Trojan for the Windows platform.

W32/Agobot-TW runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

W32/Agobot-TW spreads via common buffer overflow exploits, including 
LSASS (MS04-011), RPC-DCOM (MS04-012), and PNP (MS05-039), as well as 
to weakly protected network shares.

When first run W32/Agobot-TW copies itself to \msn5.exe.

The following registry entries are created to run msn5.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Video Process
msn5.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Video Process
msn5.exe

The file msn5.exe is registered as a new file system driver service 
named "Video Process", with a display name of "Video Process" and a 
startup type of automatic, so that it is started automatically during 
system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Video Process\





Name   W32/Chode-J

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Installs itself in the Registry
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Virkel.a

Prevalence (1-5) 2

Description
W32/Chode-J is a worm with IRC backdoor Trojan functionality.

W32/Chode-J attempts to spread via MSN Instant Messenger and AOL 
Instant Messenger, by sending users a link to a copy of the worm.

W32/Chode-J includes functionality to:

- carry out DDoS flooder attacks
- provide a proxy server
- silently download, install and run new software
- modify the HOSTS file
- disable other software, including anti-virus, firewall and 
security-related applications
- update itself

W32/Chode-J attempts to disable a number of AV and security related 
processes.

W32/Chode-J modifies the HOSTS file, changing the URL-to-IP mappings 
for selected websites.

Advanced
W32/Chode-J is a worm with IRC backdoor Trojan functionality.

W32/Chode-J attempts to spread via MSN Instant Messenger and AOL 
Instant Messenger, by sending users a link to a copy of the worm.

W32/Chode-J includes functionality to:

- carry out DDoS flooder attacks
- provide a proxy server
- silently download, install and run new software
- modify the HOSTS file
- disable other software, including anti-virus, firewall and 
security-related applications
- update itself

When first run W32/Chode-J copies itself to 
\\csrss.exe and also creates the file csrss.lnk to 
the  folder.

The following registry entries are created:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
csrss
"\\csrss.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
csrss
"\\msmsgs.exe /background"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
csrss
"nwiz.exe /installquiet"

W32/Chode-J modifies a number of registry entries as follows:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
"\\csrss.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR
1

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\srservice
Start
4

W32/Chode-J also inserts the following entry into the [Windows] section 
of \win.ini:

run=\http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx





Name   W32/Randex-Y

Type  
    * Worm

Aliases  
    * WORM_RANDEX.GEN
    * Backdoor.IRCBot.gen

Prevalence (1-5) 2

Description
W32/Randex-Y is a network worm with backdoor capabilities which 
allows a remote intruder to access and control the computer via IRC 
channels.

W32/Randex-Y chooses IP addresses at random and tries to connect to 
the IPC$ share using simple passwords. If the connection is 
successful the worm copies itself to the following remote locations:

\ADMIN$\system32\msnv32.exe
\C$\WINNT\system32\msnv32.exe

W32/Randex-Y then schedules a job to execute the remotely created 
files.

Each time the worm is run it tries to connect to a remote IRC server 
and join a specific channel. The worm then runs in the background as 
a server process listening for commands to execute.

When first run the worm copies itself to the Windows system folder as 
IRBMe.exe and adds the following registry entries to point to this 
copy of the worm to ensure it is run at system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IRBMe Sucks!!
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\IRBMe Sucks!!

W32/Randex-Y may also create the file remove.bat in the Windows temp 
folder. This file is not malicious and can simply be deleted.





Name   W32/Rbot-AUF

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * W32/Sdbot.worm.gen.l
    * W32.Spybot.Worm
    * WORM_SPYBOT.AHZ

Prevalence (1-5) 2

Description
W32/Rbot-AUF is a worm and IRC backdoor for the Windows platform.

W32/Rbot-AUF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-AUF is a worm and IRC backdoor for the Windows platform.

W32/Rbot-AUF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-AUF copies itself to 
\msconfig32.exe.

The following registry entries are created to run msconfig32.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS-patch
msconfig32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS-patch
msconfig32.exe

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/Agent-EU

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Installs itself in the Registry
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Agent.oo
    * MultiDropper-JD

Prevalence (1-5) 2

Description
Troj/Agent-EU is a Trojan for the Windows platform.

Troj/Agent-EU can steal information and may attempt to hide its files. 
The Trojan can make contact with a remote internet site, and may be 
used in DDoS attacks.

Advanced
Troj/Agent-EU is a Trojan for the Windows platform.

Troj/Agent-EU can steal information and may attempt to hide its files. 
The Trojan can make contact with a remote internet site, and may be 
used in DDoS attacks.

Troj/Agent-EU may create files named system.exe, libHide.dll, 
systemup.exe and vbstub.exe.

Troj/Agent-EU may create a registry entry in order to run 
automatically on computer login under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
explorer


 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
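A defender-side triage check for the artifacts listed in the post above, added here as an example that is not Sophos' or the poster's code: it scans a constructed HOSTS file for the vendor-domain hijack described for W32/Mytob-BZ, and a constructed registry snapshot (a dict standing in for a flattened .reg export) for the autorun value names and setting changes listed for the Rbot, Mytob, Agobot, Keylog, Chode and Randex entries. The domain list is a subset of the one in the post; both sample inputs are constructed, not captured from an infection.

```python
"""Triage helpers for the HOSTS-file and autorun changes listed in the post.
Added example, not Sophos' or the poster's code; inputs below are constructed."""
import re

# Vendor domains that the W32/Mytob-BZ HOSTS edits map to 127.0.0.1 (subset).
VENDOR_DOMAINS = {"symantec.com", "sophos.com", "mcafee.com", "f-secure.com",
                  "kaspersky.com", "trendmicro.com", "microsoft.com", "nai.com",
                  "ca.com", "avp.com", "viruslist.com", "symantecliveupdate.com"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Autorun value names the families in the post write under Run, RunServices,
# Control\Lsa and Microsoft\OLE.
AUTORUN_VALUES = {"AOL Instant Messenger dll runtime", "W1NTASK", "csrss",
                  "HTML32 Help System", "Video Process", "MS-patch", "wcsys"}
AUTORUN_KEY = re.compile(r"\\(Run|RunServices|Control\\Lsa|Microsoft\\OLE)$", re.I)
# Setting changes listed for W32/Chode-J and W32/Rbot-AUF: key suffix, value, data.
SETTING_CHANGES = [("Explorer\\Advanced", "Hidden", "2"),
                   ("Explorer\\Advanced", "ShowSuperHidden", "0"),
                   ("CurrentVersion\\SystemRestore", "DisableSR", "1"),
                   ("Services\\SharedAccess", "Start", "4"),
                   ("Services\\srservice", "Start", "4"),
                   ("Microsoft\\Ole", "EnableDCOM", "N"),
                   ("Control\\Lsa", "restrictanonymous", "1")]

# Constructed sample input, not captured from a real infection.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1\tliveupdate.symantecliveupdate.com  # appended by the worm
10.0.0.5  intranet.example
127.0.0.1 www.microsoft.com www.trendmicro.com
"""
SAMPLE_REGISTRY = {  # {key_path: {value_name: data}}, as a flattened .reg export
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "AOL Instant Messenger dll runtime": "MSAOL32dll.exe", "ctfmon.exe": "ctfmon.exe"},
    r"HKCU\System\CurrentControlSet\Control\Lsa": {"W1NTASK": "taskgmr.exe"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess": {"Start": 4},
    r"HKLM\SOFTWARE\Microsoft\Ole": {"EnableDCOM": "Y"},
}


def hosts_hijacks(hosts_text):
    """[(line_no, hostname)] for lines that send a vendor domain, or a subdomain
    of one, to loopback; comments, tabs and several names per line are handled."""
    hits = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in LOOPBACK:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS):
                hits.append((n, name))
    return hits


def registry_findings(registry):
    """Sorted [(key_path, value_name, kind)], kind 'autorun' or 'setting'."""
    out = []
    for key, values in registry.items():
        if AUTORUN_KEY.search(key):
            out += [(key, v, "autorun") for v in values if v in AUTORUN_VALUES]
        for suffix, name, data in SETTING_CHANGES:
            if key.lower().endswith(suffix.lower()) and \
                    str(values.get(name, "")).upper() == data:
                out.append((key, name, "setting"))
    return sorted(out)
```

On a live host the same functions can be fed the real `%SystemRoot%\system32\drivers\etc\hosts` body and a parsed `reg export` of the keys named in the post.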

SOURCE: echomail via fidonet.ozzmosis.com
