TIP: Click on subject to list as thread!

ANSI

echo:	virus
to:	ALL
from:	KURT WISMER
date:	2007-11-04 17:01:00
subject:	News, November 4 2007
[cut-n-paste from sophos.com] Name W32/Virut-Q Type * Virus How it spreads * Infected files Affected operating systems * Windows Side effects * Allows others to access the computer Aliases * Virus.Win32.Virut.ao * PE_VIRUT.YC * Win32/Virut.X Prevalence (1-5) 2 Description W32/Virut-Q is a virus for the Windows platform. Advanced W32/Virut-Q is a virus for the Windows platform. W32/Virut-Q attempts to hook the operating system and infect files with an EXE or SCR extension. W32/Virut-Q may also attempt to connect to a remote IRC server, and may download and execute further files if instructed to do so. W32/Virut-Q may modify the following registry entry in order to bypass the Windows firewall: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPo licy\ StandardProfile\AuthorizedApplications\List Name Troj/BagleDl-DB Type * Trojan Affected operating systems * Windows Side effects * Downloads code from the internet Aliases * Trojan-Downloader.Win32.Bagle.ff * Win32/Bagle.KQ Prevalence (1-5) 2 Description Troj/BagleDl-DB is a Trojan for the Windows platform. Advanced Troj/BagleDl-DB is a Trojan for the Windows platform. Troj/BagleDl-DB includes functionality to access the internet and communicate with a remote server via http. Troj/BagleDl-DB attempts to download files from a number of pre-specified URLs to a file .exe and run it. Troj/BagleDl-DB copies itself to \drivers\hidr2.exe and creates the following file \drivers\srosa.sys. This file is also detected as Troj/BagleDl-DB. The file srosa.sys is registered as a new system driver service named "srosa", with a display name of "srosa". Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\srosa\ The Trojan will search for various security applications, such as firewalls and anti-virus and attempt to delete them. Troj/BagleDl-DB changes the following registry entries: HKLM\SYSTEM\CurrentControlSet\Services\Alerter Start 4 HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio Start 4 HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start 4 HKLM\SYSTEM\CurrentControlSet\Services\wuauserv Start 4 HKLM\SYSTEM\CurrentControlSet\Services\wscsvc Start 4 Troj/BagleDl-DB also sets the following registry entry: HKCU\Software\FirstRRRun FirstRRRun Troj/BagleDl-DB deletes entries under: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot Name Troj/Conhook-AI Type * Trojan Affected operating systems * Windows Side effects * Drops more malware * Downloads code from the internet * Installs itself in the Registry Prevalence (1-5) 2 Description Troj/Conhook-AI is a Trojan for the Windows platform. Advanced Troj/Conhook-AI is a Trojan for the Windows platform. When Troj/Conhook-AI is installed the following files are created: \.sys \.dll \.exe \drivers\.sys The following registry entries are created to run code exported by .dll on startup: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ DLLName .dll HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ Impersonate 0 The file .dll is registered as a new service named "". Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\ The file .sys is registered as a new system driver service named "", with a display name of "Microsoft RPC API Helper". Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\ The file .dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under: HKCR\CLSID\(447E6663-81F1-44AC-90E2-4B106EED6D1D) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ (447E6663-81F1-44AC-90E2-4B106EED6D1D) Registry entries are set as follows: HKCR\\CLSID (default) (447E6663-81F1-44AC-90E2-4B106EED6D1D) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout File \drivers\.sys Name Mal/Bifrose-F Type * Malicious Behavior Affected operating systems * Windows Side effects * Allows others to access the computer Aliases * BackDoor-CEP.svr * Backdoor.Win32.Bifrose.aqy Prevalence (1-5) 2 Description Mal/Bifrose-F is a malicious program for the Windows platform. Detection for members of Mal/Bifrose-F is behavior based. It is extremely important that customers report detections of Mal/Bifrose-F to Sophos and send a sample for analysis. Name Troj/BatKill-B Type * Trojan Affected operating systems * Windows Side effects * Deletes files off the computer * Reduces system security Prevalence (1-5) 2 Description Troj/BatKill-B is a Trojan for the Windows platform. Advanced Troj/BatKill-B is a Trojan for the Windows platform. When Troj/BatKill-B is run, it deletes the file \javaws.exe. Troj/BatKill-B will also attempt to stop system services that have the following names: norton antivirus server mcshield f-secure gatekeeper handler starter f-secure network request broker f-secure automatic update symantec antivirus Symantec AntiVirus Definition Watcher Symantec Event Manager Symantec Settings Manager symantec central quarantine Network Associates McShield McAfee Framework Service Name W32/Mypis-B Type * Virus How it spreads * Infected files Affected operating systems * Windows Side effects * Downloads code from the internet Aliases * Virus.Win32.Downloader.r Prevalence (1-5) 2 Description W32/Mypis-B is a virus for the Windows platform. Advanced W32/Mypis-B is a virus for the Windows platform. The virus may attempt to download and execute additional files. At the time of writing, W32/Mypis-B created the file \dllcache\svchost.exe. This file is detected as Mal/PWS-K. W32/Mypis-B may also create the file \system.log. This file may be safely deleted. Name Troj/Zlob-AFI Type * Trojan Affected operating systems * Windows Side effects * Downloads code from the internet * Installs itself in the Registry Prevalence (1-5) 2 Description Troj/Zlob-AFI is a Trojan for the Windows platform. Advanced Troj/Zlob-AFI is a Trojan for the Windows platform. Name Troj/ConHook-AH Type * Trojan Affected operating systems * Windows Side effects * Installs itself in the Registry * Monitors browser activity * Installs a browser helper object Aliases * TROJ_CONHOOK.FM Prevalence (1-5) 2 Description Troj/ConHook-AH is a Trojan for the Windows platform. Troj/ConHook-AH includes functionality to access the internet and communicate with a remote server via HTTP. Advanced Troj/ConHook-AH is a Trojan for the Windows platform. Troj/ConHook-AH includes functionality to access the internet and communicate with a remote server via HTTP. The Troj/ConHook-AH DLL is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under: HKCR\CLSID\{8A06A1A7-9E64-4359-8556-B6EA03D69814} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A06A1A7-9E64-4359-8556-B6EA03D69814} Name W32/Rbot-GUP Type * Worm How it spreads * Network shares Affected operating systems * Windows Side effects * Allows others to access the computer * Installs itself in the Registry * Exploits system or software vulnerabilities Prevalence (1-5) 2 Description W32/Rbot-GUP is a worm with IRC backdoor functionality for the Windows platform. Advanced W32/Rbot-GUP is a worm with IRC backdoor functionality for the Windows platform. W32/Rbot-GUP spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (ms04-011) (CAN-2003-0719), Veritas (CAN-2004-1172), WINS (MS04-045), PNP (MS05-039), IMAIL Server, ASN.1 (MS04-007) and RealVNC (CVE-2006-2369) and by copying itself to network shares protected by weak passwords. W32/Rbot-GUP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. When first run W32/Rbot-GUP copies itself to \Msnhelper.exe and creates the file \images.zip. images.zip contains a copy of the worm executable with the PIF extension. The following registry entry is created to run Msnhelper.exe on startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MSN Msnhelper.exe Name Troj/TmDrop-A Type * Spyware Trojan Affected operating systems * Windows Side effects * Steals information Prevalence (1-5) 2 Description Troj/TmDrop-A is a Trojan for the Windows platform. Name Mal/Dropper-X Type * Malicious Behavior Affected operating systems * Windows Prevalence (1-5) 2 Description Mal/Dropper-X is a Trojan which installs and executes other malicious files. Detection for members of Mal/Dropper-X is behavior based. It is extremely important that customers report detections of Mal/Dropper-X to Sophos and send a sample for analysis. --- MultiMail/Win32 v0.43 * Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140) SEEN-BY: 10/1 3 14/300 400 34/999 90/1 120/228 123/500 134/10 140/1 222/2 SEEN-BY: 226/0 249/303 261/20 38 100 1381 1404 1406 1418 266/1413 280/1027 SEEN-BY: 320/119 393/68 633/260 262 267 285 712/848 800/432 801/161 189 SEEN-BY: 2222/700 2320/105 200 2905/0 @PATH: 123/140 500 261/38 633/260 267
SOURCE: echomail via fidonet.ozzmosis.com

Email questions or comments to sysop@ipingthereforeiam.com
All parts of this website painstakingly hand-crafted in the U.S.A.!
IPTIA BBS/MUD/Terminal/Game Server List, © 2025 IPTIA Consulting™.