[cut-n-paste from sophos.com]
Name Troj/Stinx-N
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 3
Description
Troj/Stinx-N is a backdoor Trojan for the Windows platform.
Troj/Stinx-N includes functionality to download and execute further
code, and attempts to disable various security related processes.
At the time of writing Troj/Stinx-N is being agressively spammed out
in emails with subject lines such as the following:
Campus Student Raped
Do you recognise this person?
Rape on Campus
The Trojan is included as an attachment, typically named "suspicious
photo.exe", which the recipient is encouraged to open. The body of
the email message is typically as follows:
Hello,
During the early morning of January 25 2006, a campus student was the
victim of a horrific sexual assault within college grounds.
Eyewitnesses report a tall black man in grey pants running away from
the scene. Campus CCTV has caught this man on camera and are looking
for ways to identify him. If anyone recognises the attached picture
could they inform administraion immediatly
Regards,
Robert Atkins
Campus Administration
All information contained within this e-mail, including any
attachment, is
confidential. If you have received this e-mail in error, please
delete it
immediately. Do not use, disclose or spread the information in any
way and notify the sender immediately. Any views and opinions
expressed in this e-mail may not represent those of Business Monthly
The following emails have also been seen distributing Troj/Stinx-N:
Subject line:
Photo Approval Required
Message text:
Hello,
Your photograph has reached editing stage as part of an article we
are publishing for our February edition of Traders World Monthly. Can
you check over the format and get back to us with your approval or
any changes?
If the picture is not to your liking then please send a preferred
one. We've attached the photo with the article here.
Kind regards,
Jamie Andrews
Editor
TradersWorld
Subject line:
Payment Receipt
Message text:
Dear customer.
Thank you for your subscription to .com" target="new">http://www..com
You have been billed as Paycom LLC for the amount of: USA 49.99 for
30 days then USA 39.99 recurring every 30 days.
Time: 2006-1-05 20:38
Transaction ID: 965658
Amount: GBP 49.99
Applied to Account0: 10915104
Payment Method: VISA
Your new subscription identification number is:10915104, please keep
this number in a safe place as it will be required for reference in
all future correspondence regarding your membership.
Advanced
Troj/Stinx-N is a backdoor Trojan for the windows platform.
Troj/Stinx-N includes functionality to download and execute further
code, and attempts to disable various security related processes.
When first run Troj/Stinx-N copies itself to \csrwjd.exe
The following registry entries are created to run cstsm.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ProtocolEventTsk
csrwjd.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ProtocolEventTsk
csrwjd.exe
At the time of writing Troj/Stinx-N is being agressively spammed out
in emails with subject lines such as the following:
Campus Student Raped
Do you recognise this person?
Rape on Campus
The Trojan is included as an attachment, typically named "suspicious
photo.exe", which the recipient is encouraged to open. The body of
the email message is typically as follows:
Hello,
During the early morning of January 25 2006, a campus student was the
victim of a horrific sexual assault within college grounds.
Eyewitnesses report a tall black man in grey pants running away from
the scene. Campus CCTV has caught this man on camera and are looking
for ways to identify him. If anyone recognises the attached picture
could they inform administraion immediatly
Regards,
Robert Atkins
Campus Administration
All information contained within this e-mail, including any
attachment, is
confidential. If you have received this e-mail in error, please
delete it
immediately. Do not use, disclose or spread the information in any
way and notify the sender immediately. Any views and opinions
expressed in this e-mail may not represent those of Business Monthly
The following emails have also been seen distributing Troj/Stinx-N:
Subject line:
Photo Approval Required
Message text:
Hello,
Your photograph has reached editing stage as part of an article we
are publishing for our February edition of Traders World Monthly. Can
you check over the format and get back to us with your approval or
any changes?
If the picture is not to your liking then please send a preferred
one. We've attached the photo with the article here.
Kind regards,
Jamie Andrews
Editor
TradersWorld
Subject line:
Payment Receipt
Message text:
Dear customer.
Thank you for your subscription to .com" target="new">http://www..com
You have been billed as Paycom LLC for the amount of: USA 49.99 for
30 days then USA 39.99 recurring every 30 days.
Time: 2006-1-05 20:38
Transaction ID: 965658
Amount: GBP 49.99
Applied to Account0: 10915104
Payment Method: VISA
Your new subscription identification number is:10915104, please keep
this number in a safe place as it will be required for reference in
all future correspondence regarding your membership.
Name Troj/BagleDl-BJ
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Dropped by malware
Aliases
* Email-Worm.Win32.Bagle.fg
* W32/Mitglieder.HJ
Prevalence (1-5) 3
Description
Troj/BagleDl-BJ is a Trojan for the Windows platform.
When first run, the Trojan creates the files im_1.exe and im_2.exe in
the Windows system folder and then runs them. The Trojan also creates
a JPG image in the folder with the filename "~.jpg" and displays the image. The files im_1.exe and im_2.exe
are also detected as Troj/BagleDl-BJ.
Advanced
Troj/BagleDl-BJ is a Trojan for the Windows platform.
When first run, the Trojan creates the files im_1.exe and im_2.exe in
the Windows system folder and then runs them. The Trojan also creates
a JPG image in the folder with the filename "~.jpg" and displays the image. The files im_1.exe and im_2.exe
are also detected as Troj/BagleDl-BJ.
The Trojan attempts to download files from several remote sites.
The following registry entry is created to run the Trojan each time a
user logs on:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
im_autorn
"\im_1.exe"
The following registry entry are also created:
HKCU\Software\Microsoft\IME
FirstRun
dword:00000001
Name Troj/Mdrop-KZ
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Trojan-Dropper.Win32.Agent.xp
Prevalence (1-5) 2
Description
Troj/Mdrop-KZ is a Trojan for the Windows platform.
Advanced
Troj/Mdrop-KZ is a Trojan for the Windows platform.
When Troj/Mdrop-KZ is installed the following files are created
without the user's knowledge:
\cache.exe
\vbrun32.exe
These files are essentially non-malicious.
Troj/Mdrop-KZ may also create a copy of itself as the file
vbscript.dll.
Name W32/Sdbot-AOS
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.alq
Prevalence (1-5) 2
Description
W32/Sdbot-AOS is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-AOS attempts to spread by copying itself to network shares
with weak passwords or by exploiting any of the following
vulnerabilities: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP
(MS05-039), ASN.1 (MS04-007).
W32/Sdbot-AOS runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-AOS includes functionality to download, install and run new
software.
Advanced
W32/Sdbot-AOS is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-AOS attempts to spread by copying itself to network shares
with weak passwords or by exploiting any of the following
vulnerabilities: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP
(MS05-039), ASN.1 (MS04-007).
W32/Sdbot-AOS runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-AOS includes functionality to download, install and run new
software.
When first run W32/Sdbot-AOS copies itself to \win32ssr.exe.
The file win32ssr.exe is registered as a new system driver service
named "Win32Sr", with a display name of "Win32Sr" and a
startup type
of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Win32Sr\
W32/Sdbot-AOS sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Rbot-BSC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Rbot-BSC is a worm for the Windows platform.
W32/Rbot-BSC runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-BSC includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Rbot-BSC copies itself to \snddrv.exe.
Advanced
W32/Rbot-BSC is a worm for the Windows platform.
W32/Rbot-BSC runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-BSC includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Rbot-BSC copies itself to \snddrv.exe.
The file snddrv.exe is registered as a new system driver service
named "SndDRV", with a display name of "SndDRV (MS Sound
Driver)" and
a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\SndDRV\
W32/Rbot-BSC sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Feebs-E
Type
* Spyware Worm
How it spreads
* Email attachments
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Steals information
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Worm.Win32.Feebs.gen
* JS/Feebs.gen.c{at}MM
Prevalence (1-5) 2
Description
W32/Feebs-E is a worm for the Windows platform.
The worm may arrive as an attachment to an email claiming to be sent
via "Protected Message service" with bogus credentials. The message
may lure the recipient into entering the supplied credentials into an
attached HTML document.
W32/Feebs-E spreads via file sharing on P2P networks.
Advanced
W32/Feebs-E is a worm for the Windows platform.
The worm may arrive as an attachment to an email claiming to be sent
via "Protected Message service" with bogus credentials. The message
may lure the recipient into entering the supplied credentials into an
attached HTML document.
W32/Feebs-E spreads via file sharing on P2P networks.
When first run W32/Feebs-E copies itself to:
\ms.exe
\ms
and creates the \ms32.dll where are random characters and
ms32.dll is a DLL component of the worm.
The following registry entry is created to run code exported by the
worm library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad
ms32.dll
The file ms32.dll is registered as a COM object, creating
registry entries under:
HKCR\CLSID\\InprocServer32
W32/Feebs-E copies itself to the available shared folders using the
following filenames:
3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\MSAE\
Name Troj/Drsmartl-E
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Adload.j
Prevalence (1-5) 2
Description
Troj/Drsmartl-E is a Trojan for the Windows platform.
Troj/Drsmartl-E includes functionality to download, install and run
new software without notification that it is doing so. The Trojan
typically installs advertising software.
Name W32/Sdbot-AQH
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Backdoor.Win32.SdBot.alv
* New
Prevalence (1-5) 2
Description
W32/Sdbot-AQH is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-AQH runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-AQH includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Sdbot-AQH is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-AQH runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Sdbot-AQH includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Sdbot-AQH copies itself to \RpcCenter.exe.
The file RpcCenter.exe is registered as a new system driver service
named "RpcCenter", with a display name of "Remote Procedure Call
(RPC) Center" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\RpcCenter\
W32/Sdbot-AQH sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name Troj/Clckr-W
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* AdClicker-DW
* Trojan-Downloader.Win32.Small.cgz
* Trojan-Clicker.Win32.Bomka.d
Prevalence (1-5) 2
Description
Troj/Clckr-W is a Trojan for the Windows platform.
Troj/Clckr-W is capable of spying on a user's browsing habits,
modifying Microsoft Internet Explorer settings, downloading further
executables and displaying popup advertisements.
Advanced
Troj/Clckr-W is a Trojan for the Windows platform.
Troj/Clckr-W is capable of spying on a user's browsing habits,
modifying Microsoft Internet Explorer settings, downloading further
executables and displaying popup advertisements.
When Troj/Clckr-W is installed the following files are created:
\Documentazione_riservata.pps
\kaboom.dll
\msx.dll
The files kaboom.dll and msx.dll are registered as COM objects and
Browser Helper Objects (BHOs) for Microsoft Internet Explorer,
creating registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\
{037CE595-57CB-4EB5-9775-97BC112F3BB3}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\
{25E1A054-1262-459F-9F14-BF06148F4253}
HKCR\CLSID\{037CE595-57CB-4EB5-9775-97BC112F3BB3}
HKCR\CLSID\{25E1A054-1262-459F-9F14-BF06148F4253}
HKCR\Interface\{675F23A3-14DD-4A36-82AA-25C06E1015C3}
HKCR\Interface\{7E951E5E-C57B-41ED-806F-1FBB2E4538C1}
HKCR\Kaboom.Ckbm\
HKCR\Kaboom.Ckbm.1\
HKCR\TypeLib\{140F2204-A6BF-444A-960B-947C5A265A8C}
HKCR\TypeLib\{3E55D5AA-2006-4572-BCF3-643D6AAB9063}
HKCR\do.msx\
HKCR\do.msx.1\
Registry entries are created under:
HKCU\Software\Microsoft\Office\8.0\Common\General\
HKLM\SOFTWARE\Microsoft\zeal\
Name Troj/Dloadr-HR
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Dloadr-HR is a Trojan for the Windows platform.
Troj/Dloadr-HR includes functionality to download, install and run
new software.
Advanced
Troj/Dloadr-HR is a Trojan for the Windows platform.
Troj/Dloadr-HR includes functionality to download, install and run
new software.
When Troj/Dloadr-HR is installed the following files are created:
\1.bat - this file may be deleted
\uj.exe - detected as Troj/CashGrab-K
The following registry entries are set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy
StAnDaRDPrOFiLe\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy
StAnDaRDPrOFiLe\AUtHorizedapplications\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy
StAnDaRDPrOFiLe\AUtHorizedapplications\List\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLL
policy
StAnDaRDPrOFiLe\AUtHorizedapplications\List
:*:Enabled:cmsscs
Name W32/Feebs-G
Type
* Worm
How it spreads
* Email messages
* Network shares
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Feebs-G is a worm for the Windows Platform.
W32/Feebs-G may download or drop other files.
Name Troj/Dropper-EB
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Aliases
* AdClicker-DW
* Trojan.Adclicker
* Trojan-Downloader.Win32.Small.cgz
* Trojan-Clicker.Win32.Bomka.d
Prevalence (1-5) 2
Description
Troj/Dropper-EB is a Trojan for the Windows platform.
Troj/Dropper-EB may arrive as attachment with the filename game.zip
in email with the subject that suggest to open new "Game for you".
Troj/Dropper-EB drops kaboom.dll and msx.dll files that are detected
as Troj/Clckr-W.
Advanced
Troj/Dropper-EB is a Trojan for the Windows platform.
Troj/Dropper-EB may arrive as attachment with the filename game.zip
in email with the subject that suggest to open new "Game for you".
When Troj/Dropper-EB is installed the following files are created:
\game1.exe
\kaboom.dll
\msx.dll
The files kaboom.dll and msx.dll are detected as Troj/Clckr-W,
game1.exe is a joke application that flips the Windows desktop making
everything upside down.
The files kaboom.dll and msx.dll are registered as COM objects and
Browser Helper Objects (BHOs) for Microsoft Internet Explorer,
creating registry entries under:
HKCR\CLSID\(037CE595-57CB-4EB5-9775-97BC112F3BB3)
HKCR\CLSID\(25E1A054-1262-459F-9F14-BF06148F4253)
HKCR\Interface\(675F23A3-14DD-4A36-82AA-25C06E1015C3)
HKCR\Interface\(7E951E5E-C57B-41ED-806F-1FBB2E4538C1)
HKCR\Kaboom.Ckbm\
HKCR\Kaboom.Ckbm.1\
HKCR\TypeLib\(140F2204-A6BF-444A-960B-947C5A265A8C)
HKCR\TypeLib\(3E55D5AA-2006-4572-BCF3-643D6AAB9063)
HKCR\do.msx\
HKCR\do.msx.1\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\(037CE595-57CB-4EB5-9775-97BC112F3BB3)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\(25E1A054-1262-459F-9F14-BF06148F4253)
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\zeal\
Name W32/Sdbot-AOP
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
Aliases
* W32/Sdbot.worm.gen.h
* Backdoor.Win32.IRCBot.cg
Prevalence (1-5) 2
Description
W32/Sdbot-AOP is an IRC worm for the Windows platform.
Name Troj/Stinx-O
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Stinx-O is a backdoor Trojan for the Windows platform.
Troj/Stinx-O includes functionality to download and execute further
code and attempts to disable various security related processes.
Advanced
Troj/Stinx-O is a backdoor Trojan for the Windows platform.
Troj/Stinx-O includes functionality to download and execute further
code and attempts to disable various security related processes.
Troj/Stinx-O attempts to connect to a pre-defined IRC server on port
8080 and awaits further commands from a remote user.
When first run Troj/Stinx-O copies itself to \csrwnd.exe and creates the following files:
\696.bat
\910.bat
The following registry entries are created to run csrwnd.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SystemProcEvent
csrwnd.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemProcEvent
csrwnd.exe
Name Troj/Stinx-P
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Breplibot.x
Prevalence (1-5) 2
Description
Troj/Stinx-P is a backdoor Trojan for the Windows platform.
Troj/Stinx-P connects to one of several IP addresses and runs
continuously in the background, providing a backdoor server which
allows a remote intruder to gain access and control over the computer
via IRC channels.
Troj/Stinx-P can be instructed to delete, and download and execute
files.
Advanced
Troj/Stinx-P is a backdoor Trojan for the Windows platform.
Troj/Stinx-P connects to one of several IP addresses and runs
continuously in the background, providing a backdoor server which
allows a remote intruder to gain access and control over the computer
via IRC channels.
When first run Troj/Stinx-P copies itself to \csrwnd.exe.
The following registry entries are created to run csrwnd.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SystemProcEvent
csrwnd.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemProcEvent
csrwnd.exe
Troj/Stinx-P can be instructed to delete, and download and execute
files.
Troj/Stinx-P will attempt to circumvent the Windows Firewall if it is
present by adding itself to the list of allowed programs.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
|