subject: News, April 30 2005
[cut-n-paste from sophos.com]
Name W32/Mytob-E
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Net-Worm.Win32.Mytob.h
* W32/Mytob.gen{at}MM
* WORM_MYTOB.J
Prevalence (1-5) 2
Description
W32/Mytob-E is a mass-mailing worm and backdoor Trojan that is controlled
through Internet Relay Chat (IRC), like the other Mytob variants below.
Advanced
When first run, W32/Mytob-E copies itself to the Windows system folder as
taskgmr.exe (one letter-swap away from the legitimate Task Manager binary,
taskmgr.exe) and creates the following registry entries:
HKCU\Software\Microsoft\OLE
WINTASK
taskgmr.exe
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Ole
WINTASK
taskgmr.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
taskgmr.exe
W32/Mytob-E copies itself to the root folder as:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
and creates the helper file hellmsn.exe (detected by Sophos as
W32/Mytob-D) in the same location.
W32/Mytob-E also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
Name Troj/PcClient-R
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Reduces system security
* Modifies passwords
Aliases
* Backdoor.Win32.PcClient.x
* BackDoor-CKB.dr
Prevalence (1-5) 2
Description
Troj/PcClient-R is a backdoor Trojan.
Advanced
Troj/PcClient-R will copy itself to the Windows system folder.
In order to run automatically each time Windows starts, Troj/PcClient-R
will attempt to install itself over the existing service named "Schedule"
(display name "Task Scheduler"), so that the Service Control Manager starts
the Trojan in place of the genuine scheduler.
Registry entries will be modified under the following registry branch:
HKLM\System\CurrentControlSet\Services\Schedule
In particular, the following registry entries will be modified:
HKLM\System\CurrentControlSet\Services\Schedule
ImagePath
where the default value on a standard Windows XP installation is
"%SystemRoot%\System32\svchost.exe -k netsvcs"
HKLM\System\CurrentControlSet\Services\Schedule
Type
0x110
where the default value on a standard Windows XP installation is 0x120.
Type is a bit mask: 0x120 is SERVICE_WIN32_SHARE_PROCESS (0x20) plus
SERVICE_INTERACTIVE_PROCESS (0x100), the normal setting for a service hosted
inside svchost.exe; 0x110 swaps in SERVICE_WIN32_OWN_PROCESS (0x10), which
is what the Service Control Manager needs in order to launch the Trojan's
own executable instead.
Under Windows 9x systems, Troj/PcClient-R will set the following
registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
\
Troj/PcClient-R may attempt to hide itself and bypass personal firewalls
by having its DLL files loaded into the WINLOGON.EXE process, so that its
network activity appears to originate from a trusted system process.
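A service-hijack check for the Schedule service described above, as an added example (this is not Sophos's code or tooling). It compares the service's ImagePath and Type with a known-good baseline and decodes the Type bit mask, so the 0x120 to 0x110 change reads as "shared svchost process became own process". The baseline and the "after" values are constructed from the description; EXAMPLE_DROPPED.exe is a placeholder because the original text does not name the dropped file.

```python
r"""Service-configuration baseline check (added example; not Sophos code).

Troj/PcClient-R persists by rewriting the ImagePath and Type values of the
existing Schedule (Task Scheduler) service, so the Service Control Manager
launches the Trojan instead of the svchost-hosted scheduler.  This script
compares a service's current registry values with a known-good baseline and
decodes the Type bit mask so the change is readable.

The baseline and the 'current' values are constructed for the example; the
dropped-file name is a placeholder because the description gives none.
"""
from __future__ import annotations

# SERVICE_TYPE bit flags as defined in winnt.h
SERVICE_KERNEL_DRIVER = 0x001
SERVICE_FILE_SYSTEM_DRIVER = 0x002
SERVICE_WIN32_OWN_PROCESS = 0x010
SERVICE_WIN32_SHARE_PROCESS = 0x020
SERVICE_INTERACTIVE_PROCESS = 0x100

TYPE_FLAGS = (
    (SERVICE_KERNEL_DRIVER, "KERNEL_DRIVER"),
    (SERVICE_FILE_SYSTEM_DRIVER, "FILE_SYSTEM_DRIVER"),
    (SERVICE_WIN32_OWN_PROCESS, "WIN32_OWN_PROCESS"),
    (SERVICE_WIN32_SHARE_PROCESS, "WIN32_SHARE_PROCESS"),
    (SERVICE_INTERACTIVE_PROCESS, "INTERACTIVE_PROCESS"),
)


def decode_service_type(value: int) -> list[str]:
    """Expand a Type DWORD into flag names; any bit we do not know is reported as hex."""
    names = [name for bit, name in TYPE_FLAGS if value & bit]
    known = 0
    for bit, _ in TYPE_FLAGS:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


# Constructed baseline: the Schedule service as installed by default on Windows XP.
XP_BASELINE = {
    "Schedule": {
        "DisplayName": "Task Scheduler",
        "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
        "Type": 0x120,  # WIN32_SHARE_PROCESS | INTERACTIVE_PROCESS
    },
}

# Constructed 'after' state implied by the Troj/PcClient-R description.
# EXAMPLE_DROPPED.exe is a placeholder; the original text names no file.
HIJACKED_SCHEDULE = {
    "DisplayName": "Task Scheduler",
    "ImagePath": r"%SystemRoot%\System32\EXAMPLE_DROPPED.exe",
    "Type": 0x110,  # WIN32_OWN_PROCESS | INTERACTIVE_PROCESS
}


def check_service(name: str, current: dict, baseline: dict = XP_BASELINE) -> list[str]:
    """Return human-readable deviations of `current` from the baseline entry for `name`."""
    expected = baseline.get(name)
    if expected is None:
        return [f"{name}: no baseline entry, review manually"]
    findings: list[str] = []
    cur_path = current.get("ImagePath", "")
    exp_path = expected["ImagePath"]
    if cur_path.lower() != exp_path.lower():
        findings.append(f"{name}: ImagePath changed from {exp_path!r} to {cur_path!r}")
    # A service that should live inside svchost.exe but now points at its own
    # executable is exactly the PcClient pattern, so call it out separately.
    if "svchost.exe" in exp_path.lower() and "svchost.exe" not in cur_path.lower():
        findings.append(f"{name}: no longer hosted by svchost.exe")
    cur_type = current.get("Type", 0)
    exp_type = expected["Type"]
    if cur_type != exp_type:
        findings.append(
            f"{name}: Type 0x{exp_type:x} {decode_service_type(exp_type)}"
            f" -> 0x{cur_type:x} {decode_service_type(cur_type)}"
        )
    return findings


if __name__ == "__main__":
    for line in check_service("Schedule", HIJACKED_SCHEDULE):
        print(line)
```

On a live host the current values come from `reg query HKLM\SYSTEM\CurrentControlSet\Services\Schedule` or `sc qc Schedule`; feed them to check_service() in place of the constructed dictionary. The interactive bit (0x100) is present in the XP default, so its presence alone is not a finding; the ImagePath and the share-to-own flip are.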
Name W32/Agobot-RV
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Modifies passwords
Prevalence (1-5) 2
Description
W32/Agobot-RV is a network worm with IRC backdoor functionality.
W32/Agobot-RV connects to a preconfigured IRC server, joins a channel
and awaits further instructions. These instructions can cause the bot to
perform any of the following actions:
start a UDP, TCP, ICMP, SYN, HTTP or ping flood
start a SOCKS4, SOCKS5, HTTP or HTTPS proxy server
redirect TCP or GRE connections
start an FTP server
start a command shell server
show statistics about the infected system
reboot/shutdown the infected computer
kill anti-virus and security processes
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable computers
make local drives network-shareable
close down vulnerable services in order to secure the computer
search for product keys
search local drives for AOL user details
sniff network traffic in order to find passwords
start a keylogger
download and install an updated version of itself
install bot plugins for additional functionality
The worm spreads to computers affected by known vulnerabilities and
running network services protected by weak passwords.
Vulnerabilities:
RPC DCOM (MS03-026, MS04-012)
MSSQL (MS02-039)
Services:
NetBIOS
Advanced
W32/Agobot-RV copies itself to the Windows system folder and creates the
following registry entries to run itself automatically on computer
login:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NvagNT
nvagNT.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
nvagNT
nvagNT.exe
The worm blocks access to security-related websites by adding the
following entries to the Windows hosts file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
W32/Agobot-RV terminates the following processes if they are running. The
list mixes anti-virus and firewall products with analysis tools (for
example OLLYDBG.EXE, ETHEREAL.EXE, PROCDUMP.EXE and REGEDIT.EXE) and with
the process names of rival worms such as MSBLAST.EXE and TEEKIDS.EXE:
'_AVP32.EXE'
'_AVPCC.EXE'
'_AVPM.EXE'
'ACKWIN32.EXE'
'ADAWARE.EXE'
'ADVXDWIN.EXE'
'AGENTSVR.EXE'
'AGENTW.EXE'
'ALERTSVC.EXE'
'ALEVIR.EXE'
'ALOGSERV.EXE'
'AMON9X.EXE'
'ANTI-TROJAN.EXE'
'ANTIVIRUS.EXE'
'ANTS.EXE'
'APIMONITOR.EXE'
'APLICA32.EXE'
'APVXDWIN.EXE'
'ARR.EXE'
'ATCON.EXE'
'ATGUARD.EXE'
'ATRO55EN.EXE'
'ATUPDATER.EXE'
'ATWATCH.EXE'
'AU.EXE'
'AUPDATE.EXE'
'AUTO-PROTECT.NAV80TRY.EXE'
'AUTODOWN.EXE'
'AUTOTRACE.EXE'
'AUTOUPDATE.EXE'
'AVCONSOL.EXE'
'AVE32.EXE'
'AVGCC32.EXE'
'AVGCTRL.EXE'
'AVGNT.EXE'
'AVGSERV.EXE'
'AVGSERV9.EXE'
'AVGUARD.EXE'
'AVGW.EXE'
'AVKPOP.EXE'
'AVKSERV.EXE'
'AVKSERVICE.EXE'
'AVKWCTl9.EXE'
'AVLTMAIN.EXE'
'AVNT.EXE'
'AVP.EXE'
'AVP32.EXE'
'AVPCC.EXE'
'AVPDOS32.EXE'
'AVPM.EXE'
'AVPTC32.EXE'
'AVPUPD.EXE'
'AVSCHED32.EXE'
'AVSYNMGR.EXE'
'AVWIN95.EXE'
'AVWINNT.EXE'
'AVWUPD.EXE'
'AVWUPD32.EXE'
'AVWUPSRV.EXE'
'AVXMONITOR9X.EXE'
'AVXMONITORNT.EXE'
'AVXQUAR.EXE'
'BACKWEB.EXE'
'BARGAINS.EXE'
'BD_PROFESSIONAL.EXE'
'BEAGLE.EXE'
'BELT.EXE'
'BIDEF.EXE'
'BIDSERVER.EXE'
'BIPCP.EXE'
'BIPCPEVALSETUP.EXE'
'BISP.EXE'
'BLACKD.EXE'
'BLACKICE.EXE'
'BLSS.EXE'
'BOOTCONF.EXE'
'BOOTWARN.EXE'
'BORG2.EXE'
'BPC.EXE'
'BRASIL.EXE'
'BS120.EXE'
'BUNDLE.EXE'
'BVT.EXE'
'CCAPP.EXE'
'CCEVTMGR.EXE'
'CCPXYSVC.EXE'
'CDP.EXE'
'CFD.EXE'
'CFGWIZ.EXE'
'CFIADMIN.EXE'
'CFIAUDIT.EXE'
'CFINET.EXE'
'CFINET32.EXE'
'Claw95.EXE'
'CLAW95CF.EXE'
'CLEAN.EXE'
'CLEANER.EXE'
'CLEANER3.EXE'
'CLEANPC.EXE'
'CLICK.EXE'
'CMD32.EXE'
'CMESYS.EXE'
'CMGRDIAN.EXE'
'CMON016.EXE'
'CONNECTIONMONITOR.EXE'
'CPD.EXE'
'CPF9X206.EXE'
'CPFNT206.EXE'
'CTRL.EXE'
'CV.EXE'
'CWNB181.EXE'
'CWNTDWMO.EXE'
'DATEMANAGER.EXE'
'DCOMX.EXE'
'DEFALERT.EXE'
'DEFSCANGUI.EXE'
'DEFWATCH.EXE'
'DEPUTY.EXE'
'DIVX.EXE'
'DLLCACHE.EXE'
'DLLREG.EXE'
'DOORS.EXE'
'DPF.EXE'
'DPFSETUP.EXE'
'DPPS2.EXE'
'DRWATSON.EXE'
'DRWEB32.EXE'
'DRWEBUPW.EXE'
'DSSAGENT.EXE'
'DVP95.EXE'
'DVP95_0.EXE'
'ECENGINE.EXE'
'EFPEADM.EXE'
'EMSW.EXE'
'ENT.EXE'
'ESAFE.EXE'
'ESCANH95.EXE'
'ESCANHNT.EXE'
'ESCANV95.EXE'
'ESPWATCH.EXE'
'ETHEREAL.EXE'
'ETRUSTCIPE.EXE'
'EVPN.EXE'
'EXANTIVIRUS-CNET.EXE'
'EXE.AVXW.EXE'
'EXPERT.EXE'
'EXPLORE.EXE'
'F-AGNT95.EXE'
'F-AGOBOT.EXE'
'F-PROT.EXE'
'F-PROT95.EXE'
'F-STOPW.EXE'
'FAMEH32.EXE'
'FAST.EXE'
'FCH32.EXE'
'FIH32.EXE'
'FINDVIRU.EXE'
'FIREWALL.EXE'
'FLOWPROTECTOR.EXE'
'FNRB32.EXE'
'FP-WIN.EXE'
'FP-WIN_TRIAL.EXE'
'FPROT.EXE'
'FRW.EXE'
'FSAA.EXE'
'FSAV.EXE'
'FSAV32.EXE'
'FSAV530STBYB.EXE'
'FSAV530WTBYB.EXE'
'FSAV95.EXE'
'FSGK32.EXE'
'FSM32.EXE'
'FSMA32.EXE'
'FSMB32.EXE'
'GATOR.EXE'
'GBMENU.EXE'
'GBPOLL.EXE'
'GENERICS.EXE'
'GMT.EXE'
'GUARD.EXE'
'GUARDDOG.EXE'
'HACKTRACERSETUP.EXE'
'HBINST.EXE'
'HBSRV.EXE'
'HIJACKTHIS.EXE'
'HOTACTIO.EXE'
'HOTPATCH.EXE'
'HTLOG.EXE'
'HTPATCH.EXE'
'HWPE.EXE'
'HXDL.EXE'
'HXIUL.EXE'
'IAMAPP.EXE'
'IAMSERV.EXE'
'IAMSTATS.EXE'
'IBMASN.EXE'
'IBMAVSP.EXE'
'ICLOAD95.EXE'
'ICLOADNT.EXE'
'ICMON.EXE'
'ICSUPP95.EXE'
'ICSUPPNT.EXE'
'IDLE.EXE'
'IEDLL.EXE'
'IEDRIVER.EXE'
'IEXPLORER.EXE'
'IFACE.EXE'
'IFW2000.EXE'
'INETLNFO.EXE'
'INFUS.EXE'
'INFWIN.EXE'
'INIT.EXE'
'INTDEL.EXE'
'INTREN.EXE'
'IOMON98.EXE'
'IPARMOR.EXE'
'IRIS.EXE'
'ISASS.EXE'
'ISRV95.EXE'
'ISTSVC.EXE'
'JAMMER.EXE'
'JDBGMRG.EXE'
'JEDI.EXE'
'KAVLITE40ENG.EXE'
'KAVPERS40ENG.EXE'
'KAVPF.EXE'
'KAZZA.EXE'
'KEENVALUE.EXE'
'KERIO-PF-213-EN-WIN.EXE'
'KERIO-WRL-421-EN-WIN.EXE'
'KERIO-WRP-421-EN-WIN.EXE'
'KERNEL32.EXE'
'KILLPROCESSSETUP161.EXE'
'LAUNCHER.EXE'
'LDNETMON.EXE'
'LDPRO.EXE'
'LDPROMENU.EXE'
'LDSCAN.EXE'
'LNETINFO.EXE'
'LOADER.EXE'
'LOCALNET.EXE'
'LOCKDOWN.EXE'
'LOCKDOWN2000.EXE'
'LOOKOUT.EXE'
'LORDPE.EXE'
'LSETUP.EXE'
'LUALL.EXE'
'LUAU.EXE'
'LUCOMSERVER.EXE'
'LUINIT.EXE'
'LUSPT.EXE'
'MAPISVC32.EXE'
'MCAGENT.EXE'
'MCMNHDLR.EXE'
'MCSHIELD.EXE'
'MCTOOL.EXE'
'MCUPDATE.EXE'
'MCVSRTE.EXE'
'MCVSSHLD.EXE'
'MD.EXE'
'MFIN32.EXE'
'MFW2EN.EXE'
'MFWENG3.02D30.EXE'
'MGAVRTCL.EXE'
'MGAVRTE.EXE'
'MGHTML.EXE'
'MGUI.EXE'
'MINILOG.EXE'
'MMOD.EXE'
'MONITOR.EXE'
'MOOLIVE.EXE'
'MOSTAT.EXE'
'MPFAGENT.EXE'
'MPFSERVICE.EXE'
'MPFTRAY.EXE'
'MRFLUX.EXE'
'MSAPP.EXE'
'MSBB.EXE'
'MSBLAST.EXE'
'MSCACHE.EXE'
'MSCCN32.EXE'
'MSCMAN.EXE'
'MSCONFIG.EXE'
'MSDM.EXE'
'MSDOS.EXE'
'MSIEXEC16.EXE'
'MSINFO32.EXE'
'MSLAUGH.EXE'
'MSMGT.EXE'
'MSMSGRI32.EXE'
'MSSMMC32.EXE'
'MSSYS.EXE'
'MSVXD.EXE'
'MU0311AD.EXE'
'MWATCH.EXE'
'N32SCANW.EXE'
'NAV.EXE'
'NAVAP.NAVAPSVC.EXE'
'NAVAPSVC.EXE'
'NAVAPW32.EXE'
'NAVDX.EXE'
'NAVENGNAVEX15.NAVLU32.EXE'
'NAVLU32.EXE'
'NAVNT.EXE'
'NAVSTUB.EXE'
'NAVW32.EXE'
'NAVWNT.EXE'
'NCINST4.EXE'
'NDD32.EXE'
'NEOMONITOR.EXE'
'NEOWATCHLOG.EXE'
'NETARMOR.EXE'
'NETD32.EXE'
'NETINFO.EXE'
'NETMON.EXE'
'NETSCANPRO.EXE'
'NETSPYHUNTER-1.2.EXE'
'NETSTAT.EXE'
'NETUTILS.EXE'
'NISSERV.EXE'
'NISUM.EXE'
'NMAIN.EXE'
'NOD32.EXE'
'NORMIST.EXE'
'NORTON_INTERNET_SECU_3.0_407.EXE'
'NOTSTART.EXE'
'NPF40_TW_98_NT_ME_2K.EXE'
'NPFMESSENGER.EXE'
'NPROTECT.EXE'
'NPSCHECK.EXE'
'NPSSVC.EXE'
'NSCHED32.EXE'
'NSSYS32.EXE'
'NSTASK32.EXE'
'NSUPDATE.EXE'
'NT.EXE'
'NTRTSCAN.EXE'
'NTVDM.EXE'
'NTXconfig.EXE'
'NUI.EXE'
'NUPGRADE.EXE'
'NVARCH16.EXE'
'NVC95.EXE'
'NVSVC32.EXE'
'NWINST4.EXE'
'NWSERVICE.EXE'
'NWTOOL16.EXE'
'OLLYDBG.EXE'
'ONSRVR.EXE'
'OPTIMIZE.EXE'
'OSTRONET.EXE'
'OTFIX.EXE'
'OUTPOST.EXE'
'OUTPOSTINSTALL.EXE'
'OUTPOSTPROINSTALL.EXE'
'PADMIN.EXE'
'PANIXK.EXE'
'PATCH.EXE'
'PAVCL.EXE'
'PAVPROXY.EXE'
'PAVSCHED.EXE'
'PAVW.EXE'
'PCCIOMON.EXE'
'PCCNTMON.EXE'
'PCCWIN97.EXE'
'PCCWIN98.EXE'
'PCDSETUP.EXE'
'PCFWALLICON.EXE'
'PCSCAN.EXE'
'PDSETUP.EXE'
'PENIS.EXE'
'PERISCOPE.EXE'
'PERSFW.EXE'
'PERSWF.EXE'
'PF2.EXE'
'PFWADMIN.EXE'
'PGMONITR.EXE'
'PINGSCAN.EXE'
'PLATIN.EXE'
'POP3TRAP.EXE'
'POPROXY.EXE'
'POPSCAN.EXE'
'PORTDETECTIVE.EXE'
'PORTMONITOR.EXE'
'POWERSCAN.EXE'
'PPINUPDT.EXE'
'PPTBC.EXE'
'PPVSTOP.EXE'
'PRIZESURFER.EXE'
'PRMT.EXE'
'PRMVR.EXE'
'PROCDUMP.EXE'
'PROCESSMONITOR.EXE'
'PROCEXPLORERV1.0.EXE'
'PROGRAMAUDITOR.EXE'
'PROPORT.EXE'
'PROTECTX.EXE'
'PSPF.EXE'
'PURGE.EXE'
'PUSSY.EXE'
'PVIEW95.EXE'
'QCONSOLE.EXE'
'QSERVER.EXE'
'RAPAPP.EXE'
'RAV7.EXE'
'RAV7WIN.EXE'
'RAV8WIN32ENG.EXE'
'RAY.EXE'
'RB32.EXE'
'RCSYNC.EXE'
'REALMON.EXE'
'REGED.EXE'
'REGEDIT.EXE'
'REGEDT32.EXE'
'RESCUE.EXE'
'RESCUE32.EXE'
'RRGUARD.EXE'
'RSHELL.EXE'
'RTVSCAN.EXE'
'RTVSCN95.EXE'
'RULAUNCH.EXE'
'RUN32DLL.EXE'
'RUNDLL.EXE'
'RUNDLL16.EXE'
'RUXDLL32.EXE'
'SAFEWEB.EXE'
'SAHAGENT.EXE'
'SAVE.EXE'
'SAVENOW.EXE'
'SBSERV.EXE'
'SC.EXE'
'SCAM32.EXE'
'SCAN32.EXE'
'SCAN95.EXE'
'SCANPM.EXE'
'SCRSCAN.EXE'
'SCRSVR.EXE'
'SCVHOST.EXE'
'SD.EXE'
'SERV95.EXE'
'SERVICE.EXE'
'SERVLCE.EXE'
'SERVLCES.EXE'
'SETUP_FLOWPROTECTOR_US.EXE'
'SETUPVAMEEVAL.EXE'
'SFC.EXE'
'SGSSFW32.EXE'
'SH.EXE'
'SHELLSPYINSTALL.EXE'
'SHN.EXE'
'SHOWBEHIND.EXE'
'SMC.EXE'
'SMS.EXE'
'SMSS32.EXE'
'SOAP.EXE'
'SOFI.EXE'
'SPERM.EXE'
'SPF.EXE'
'SPHINX.EXE'
'SPOLER.EXE'
'SPOOLCV.EXE'
'SPOOLSV32.EXE'
'SPYXX.EXE'
'SREXE.EXE'
'SRNG.EXE'
'SS3EDIT.EXE'
'SSGRATE.EXE'
'ST2.EXE'
'START.EXE'
'STCLOADER.EXE'
'SUPFTRL.EXE'
'SUPPORT.EXE'
'SUPPORTER5.EXE'
'SVC.EXE'
'SVCHOSTC.EXE'
'SVCHOSTS.EXE'
'SVSHOST.EXE'
'SWEEP95.EXE'
'SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE'
'SYMPROXYSVC.EXE'
'SYMTRAY.EXE'
'SYSEDIT.EXE'
'SYSTEM.EXE'
'SYSTEM32.EXE'
'SYSUPD.EXE'
'TASKMG.EXE'
'TASKMO.EXE'
'TASKMON.EXE'
'TAUMON.EXE'
'TBSCAN.EXE'
'TC.EXE'
'TCA.EXE'
'TCM.EXE'
'TDS-3.EXE'
'TDS2-98.EXE'
'TDS2-NT.EXE'
'TEEKIDS.EXE'
'TFAK.EXE'
'TFAK5.EXE'
'TGBOB.EXE'
'TITANIN.EXE'
'TITANINXP.EXE'
'TRACERT.EXE'
'TRICKLER.EXE'
'TRJSCAN.EXE'
'TRJSETUP.EXE'
'TROJANTRAP3.EXE'
'TSADBOT.EXE'
'TVMD.EXE'
'TVTMD.EXE'
'UNDOBOOT.EXE'
'UPDAT.EXE'
'UPDATE.EXE'
'UPGRAD.EXE'
'UTPOST.EXE'
'VBCMSERV.EXE'
'VBCONS.EXE'
'VBUST.EXE'
'VBWIN9X.EXE'
'VBWINNTW.EXE'
'VCSETUP.EXE'
'VET32.EXE'
'VET95.EXE'
'VETTRAY.EXE'
'VFSETUP.EXE'
'VIR-HELP.EXE'
'VIRUSMDPERSONALFIREWALL.EXE'
'VNLAN300.EXE'
'VNPC3000.EXE'
'VPC32.EXE'
'VPC42.EXE'
'VPFW30S.EXE'
'VPTRAY.EXE'
'VSCAN40.EXE'
'VSCENU6.02D30.EXE'
'VSCHED.EXE'
'VSECOMR.EXE'
'VSHWIN32.EXE'
'VSISETUP.EXE'
'VSMAIN.EXE'
'VSMON.EXE'
'VSSTAT.EXE'
'VSWIN9XE.EXE'
'VSWINNTSE.EXE'
'VSWINPERSE.EXE'
'W32DSM89.EXE'
'W9X.EXE'
'WATCHDOG.EXE'
'WEBDAV.EXE'
'WEBSCANX.EXE'
'WEBTRAP.EXE'
'WFINDV32.EXE'
'WGFE95.EXE'
'WHOSWATCHINGME.EXE'
'WIMMUN32.EXE'
'WIN-BUGSFIX.EXE'
'WIN32.EXE'
'WIN32US.EXE'
'WINACTIVE.EXE'
'WINDOW.EXE'
'WINDOWS.EXE'
'WININETD.EXE'
'WININIT.EXE'
'WININITX.EXE'
'WINLOGIN.EXE'
'WINMAIN.EXE'
'WINNET.EXE'
'WINPPR32.EXE'
'WINRECON.EXE'
'WINSERVN.EXE'
'WINSSK32.EXE'
'WINSTART.EXE'
'WINSTART001.EXE'
'WINTSK32.EXE'
'WINUPDATE.EXE'
'WKUFIND.EXE'
'WNAD.EXE'
'WNT.EXE'
'WRADMIN.EXE'
'WRCTRL.EXE'
'WSBGATE.EXE'
'WUPDATER.EXE'
'WUPDT.EXE'
'WYVERNWORKSFIREWALL.EXE'
'XPF202EN.EXE'
'ZAPRO.EXE'
'ZAPSETUP3001.EXE'
'ZATUTOR.EXE'
'ZONALM2601.EXE'
'ZONEALARM.EXE'
Name W32/Kelvir-D
Type
* Worm
How it spreads
* Email messages
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Downloads code from the internet
* Reduces system security
Aliases
* W32/Kelvir.worm.d
Prevalence (1-5) 2
Description
W32/Kelvir-D is an instant messaging worm that spreads by sending a
message through Windows Messenger to all of an infected user's contacts.
W32/Kelvir-D arrives with a message that encourages the recipient to visit
a web page, supposedly to download an update; the message reads:
lol! see it! u'll like it .
W32/Kelvir-D also attempts to download and execute files named ME.JPG and
FILE.EXE from predefined websites. Despite its extension, ME.JPG is an
executable; it is detected by Sophos as W32/Rbot-XA.
Name W32/MyDoom-BN
Type
* Worm
How it spreads
* Email attachments
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Steals information
* Forges the sender's email address
* Uses its own emailing engine
Aliases
* Email-Worm.Win32.Mydoom.as
Prevalence (1-5) 2
Description
W32/MyDoom-BN is a member of the W32/MyDoom family of email worms.
Like the other members of the MyDoom family, W32/MyDoom-BN opens Notepad
to display a file named "message" that contains random characters, and
scans the file system and mounted shares for email addresses.
The worm may listen on a network port, exposing a backdoor that attackers
can use to access the computer.
Advanced
In order to run automatically W32/MyDoom-BN copies itself to the file
taskmon.exe in the Windows system folder and creates the following
registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TaskMon
"\taskmon.exe"
W32/MyDoom-BN will create email messages with one of the following
subjects (Portuguese; English translation in brackets):
Duvido voce me reconher =) [I bet you won't recognize me =)]
estou longe!! [I'm far away!!]
Eu nao ti vejo a muito tempo. [I haven't seen you in a long time.]
Eu te amo [I love you]
lembra de mim?? [remember me??]
Oi [Hi]
Oi a quanto tempo... =) [Hi, long time no see... =)]
Saudades de voce!!! [I miss you!!!]
Voce me reconhece?? [Do you recognize me??]
The body of the email is the following (Portuguese; English translation
after it):
Ola, a quanto tempo! Eu me mudei dai para os Estados Unidos, e faz um
tempo que perdemos o contato e consegui seu email atraves de uma amiga
sua. Vamos fazer assim, eu vou lhe mandar meu album de fotos se voce me
reconhecer, me retorna o email. Quero ver se voce ainda lembra de mim. :)
[Hi, long time no see! I moved away from there to the United States, and
a while ago we lost touch; I got your email through a friend of yours.
Let's do this: I'll send you my photo album if you recognize me, so reply
to this email. I want to see whether you still remember me. :)]
W32/MyDoom-BN will copy itself to the KaZaa share folder, if available,
as one of the following:
activation_crack.
icq2004-final.
office_crack.
rootkitXP.
strip-girl-2.0bdcom_patches.
winamp5.
The trailing dot in each name above is followed by one of the following
extensions, chosen at random:
bat
cmd
exe
pif
scr
zip
W32/MyDoom-BN will attach itself to the email under one of the following
base names, with one of the extensions listed above:
album
album_de_foto
eu
foto
fotografia
fotos
minhas_fotos
W32/MyDoom-BN will avoid email addresses containing the following:
acketst
arin.
avp
berkeley
borlan
bsd
example
fido
fsf.
gnu
google
iana
ibm.com
icrosof
ietf
inpris
isc.o
isi.e
kernel
linux
math
mit.e
mozilla
mydomai
nodomai
pgp
rfc-ed
ripe.
ruslis
secur
sendmail
syma
tanford.e
unix
usenet
utgers.ed
Along with using email addresses found on the infected system,
W32/MyDoom-BN may send email that looks as though it comes from one of
the following domains:
aol.com.br
bol.com.br
gmail.com
hotmail.com.br
msn.com.br
uol.com.br
yahoo.com.br
Name W32/Banish-A
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Deletes files off the computer
* Uses its own emailing engine
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Banish-A is a mass-mailing worm.
Emails sent by the worm have the following characteristics:
Subject line:
OK. Read the attached instructions to solve the problem.
Here are the details.
Re: Thank you for your choice.
Thank you for shopping. This mail contains your invoice.
Thank you. Your credit card was processed successfully.
Attached file:
A filename chosen from those in the current user's "Recent Documents"
folder.
W32/Banish-A also spreads by exploiting the following vulnerabilities:
LSASS (MS04-011)
IIS5 (MS04-011)
W32/Banish-A contains the following message:
ExiliuM SerieS A
In honour to all the people that were, are, or will be forced
to leave their homelands. NO MORE EXILED PEOPLE, NO MORE WARS
(c)ThE ExpaTRiatE 2005
Advanced
W32/Banish-A submits queries to popular search engines in order to find
email addresses to which to send itself.
When first run, W32/Banish-A copies itself to one of the following
filenames in the Windows folder:
smss.exe
lsass.exe
csrss.exe
services.exe
winlogon.exe
The worm installs itself as a service with the name "Windows Object
Manager". The other characteristics of this service are copied from one
of the already-existing services, chosen at random.
W32/Banish-A deletes any files found in the "repair" subfolder of the
Windows folder. On Windows XP this folder holds the backup copies of the
registry hives (SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT) that repair
procedures rely on, so the deletion makes recovery from the infection
harder.
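An impostor-process check for the trick described above, as an added example (not Sophos's code). W32/Banish-A borrows the names of core system processes but writes them to the Windows folder, where the genuine binaries never live; the name alone is therefore not suspicious, the name-plus-directory pair is. The same check, run over a process list, also catches the two related tricks elsewhere on this page: a genuine name in the wrong folder (W32/Mytob-BW's explorer.exe in the system folder, below) and near-miss spellings (W32/Mytob-E's taskgmr.exe, or names like ISASS.EXE and SPOOLSV32.EXE from the W32/Agobot-RV kill list above). It assumes %SystemRoot% is C:\WINDOWS, the XP default, and the process list is constructed, not captured.

```python
r"""Impostor-process check (added example; not Sophos code).

Flags (1) a core Windows binary name running from a directory other than
its canonical one and (2) a name that is one typo, one swapped pair of
letters, or a digit suffix away from such a binary.

Assumptions: %SystemRoot% is C:\WINDOWS (the XP default); the sample
process list is constructed for the example.
"""
from __future__ import annotations

import ntpath

# Directory each core binary is installed in on Windows XP (lower-case).
CANONICAL = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "taskmgr.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_of(name: str) -> str | None:
    """Return the canonical binary that `name` imitates, or None if it imitates nothing."""
    stem = ntpath.splitext(name.lower())[0]
    base = stem.rstrip("0123456789")  # spoolsv32 -> spoolsv
    for real in CANONICAL:
        real_stem = ntpath.splitext(real)[0]
        if base == real_stem and stem != real_stem:
            return real  # genuine name padded with digits
        if osa_distance(base, real_stem) == 1:
            return real  # one typo or one swapped pair away
    return None


def classify(image_path: str) -> str | None:
    """Return a reason string if the image path looks like an impostor, else None."""
    path = image_path.lower().replace("%systemroot%", r"c:\windows")
    directory, name = ntpath.split(path)
    if name in CANONICAL:
        if directory != CANONICAL[name]:
            return f"{name} running from {directory}, expected {CANONICAL[name]}"
        return None
    real = lookalike_of(name)
    if real is not None:
        return f"{name} imitates {real}"
    return None


def triage(process_paths: list[str]) -> list[tuple[str, str]]:
    """Run classify() over a process list and keep the hits."""
    hits = []
    for p in process_paths:
        reason = classify(p)
        if reason:
            hits.append((p, reason))
    return hits


# Constructed sample: legitimate entries mixed with the impostors described on this page.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\smss.exe",       # legitimate
    r"C:\WINDOWS\explorer.exe",            # legitimate
    r"C:\WINDOWS\lsass.exe",               # W32/Banish-A: right name, wrong folder
    r"C:\WINDOWS\system32\explorer.exe",   # W32/Mytob-BW: right name, wrong folder
    r"C:\WINDOWS\system32\taskgmr.exe",    # W32/Mytob-E: transposed taskmgr.exe
    r"C:\WINDOWS\system32\isass.exe",      # one-letter substitution of lsass.exe
    r"C:\WINDOWS\system32\spoolsv32.exe",  # genuine name padded with digits
    r"C:\Program Files\Example\app.exe",   # unrelated placeholder
]

if __name__ == "__main__":
    for path, why in triage(SAMPLE_PROCESSES):
        print(f"{path}: {why}")
```

The distance-1 rule is deliberately tight: widening it to 2 starts matching legitimate short names against each other, so for broader coverage extend CANONICAL rather than the threshold.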
Name W32/Icpass-A
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 2
Description
W32/Icpass-A is a worm for the Windows platform.
W32/Icpass-A creates zip files containing itself, using an archiving
application found on the infected system. It then connects to a predefined
IRC server and channel and sends the zip file to each user who joins the
channel; a recipient who extracts and runs the contents becomes infected.
Advanced
W32/Icpass-A will copy itself to the Windows system folder as system.exe
and create the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
windows run
"\system32\system.exe"
W32/Icpass-A will drop winn.dll to the Windows folder (detected as
W32/Icpass-A) and will create files under the following names in the
Windows folder (detected as W32/Icpass-A; the Slovenian names are glossed
in brackets):
gledanje_tv_preko_interneta(vsi_slo_programi).zip [watching TV over the internet (all Slovenian channels)]
proti_virusni_program(program_v_slovenscini).zip [antivirus program (program in Slovenian)]
izdelovanje_animacijskih_slik(slovenska_verzija).zip [making animated pictures (Slovenian version)]
vse_slike_glasuj_zame.zip [all the pictures, vote for me]
zelo_dober_program_za_tejkanje_irc_kanalov.zip [very good program for taking over IRC channels]
novi_klepet_program(veliko_deklet_in_fantov(2000uporabnikov)).zip [new chat program (lots of girls and boys (2000 users))]
Name W32/Mytob-BW
Type
* Worm
How it spreads
* Email attachments
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Aliases
* WORM_MYTOB.BW
Prevalence (1-5) 2
Description
W32/Mytob-BW is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-BW drops a file called hellmsn.exe (detected by Sophos as
W32/Mytob-D) next to its own copies. This component attempts to spread the
worm through Windows Messenger to all online contacts.
Advanced
When first run, W32/Mytob-BW copies itself to the Windows system folder
as explorer.exe (the genuine Windows shell, explorer.exe, lives in the
Windows folder itself rather than in the system folder) and creates the
following registry entries:
HKCU\System\CurrentControlSet\Control\Lsa
WksSVC
"EXPLORER.exe"
HKCU\Software\Microsoft\OLE
WksSVC
"EXPLORER.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WksSVC
"EXPLORER.exe"
HKLM\System\CurrentControlSet\Control\Lsa
WksSVC
"EXPLORER.exe"
HKLM\Software\Microsoft\Ole
WksSVC
"EXPLORER.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WksSVC
"EXPLORER.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WksSVC
"EXPLORER.exe"
W32/Mytob-BW copies itself to the root folder as:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
and drops a file called hellmsn.exe (detected by Sophos as W32/Mytob-D)
in the same location. This component attempts to spread the worm by
sending the aforementioned SCR files through Windows Messenger to all
online contacts.
W32/Mytob-BW also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
W32/Mytob-BW is capable of spreading through email and through various
operating system vulnerabilities such as LSASS (MS04-011). Email sent by
W32/Mytob-BW has the following properties:
Subject line:
document
Good day
Hello
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status
Message text:
'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary
attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'
The attached file consists of a base name followed by the extension PIF,
SCR, EXE or ZIP. The worm may also use a double extension, where the first
extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or
ZIP.
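An attachment-name policy that turns the naming rules above, and the matching ones for W32/MyDoom-BN earlier on this page, into a per-filename verdict, as an added example (not Sophos's code). Both worms pair an innocuous base name with an executable extension or a ZIP wrapper, and Mytob-BW optionally inserts a decoy extension in front of the real one. The classifier goes slightly beyond the page in two ways it flags explicitly: it collapses a run of spaces placed before the final extension, and it treats an underscore-prefixed decoy such as the "._JPG" in W32/Antiman-A's poza_roxana._JPG.exe as a decoy. The sample names are taken from this page except for the two benign ones and the space-padded one, which are constructed.

```python
"""Attachment-name policy for a mail gateway (added example; not Sophos code).

Verdicts: 'block' for anything Windows will execute when opened, 'inspect'
for archive wrappers whose contents still need scanning, 'allow' otherwise.
Double extensions (document-looking extension followed by an executable one)
are reported as such because they are a stronger signal than a bare .scr.
"""
from __future__ import annotations

import re

# Extensions Windows runs as a program when the file is opened.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "bat", "cmd", "com"}
# Wrappers the worms use; the payload inside still has an executable extension.
ARCHIVE_EXTS = {"zip"}
# Document-looking extensions used as the first half of a double extension.
DECOY_EXTS = {"doc", "txt", "htm", "html", "jpg", "gif", "pdf"}


def normalise(filename: str) -> str:
    """Lower-case and remove whitespace padding placed before a dot ('photo.jpg     .exe')."""
    return re.sub(r"\s+(?=\.)", "", filename.strip().lower())


def classify_attachment(filename: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'inspect' or 'allow'."""
    name = normalise(filename)
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("allow", "no extension")
    final = parts[-1]
    # A leading underscore or dash in the decoy ("._JPG") is stripped before lookup.
    decoy = parts[-2].lstrip("_- ") if len(parts) >= 3 else ""
    if final in EXECUTABLE_EXTS:
        if decoy in DECOY_EXTS:
            return ("block", f"double extension .{parts[-2]}.{final}")
        return ("block", f"executable extension .{final}")
    if final in ARCHIVE_EXTS:
        if decoy in DECOY_EXTS:
            return ("inspect", f"archive with decoy extension .{parts[-2]}.{final}")
        return ("inspect", f"archive .{final}, scan contents for executables")
    return ("allow", f".{final}")


def blocked(filenames: list[str]) -> list[str]:
    """Names the gateway would refuse outright."""
    return [f for f in filenames if classify_attachment(f)[0] == "block"]


SAMPLE_NAMES = [
    "funny_pic.scr",          # W32/Mytob-E/-BW/-AK root-folder copy
    "album_de_foto.zip",      # W32/MyDoom-BN, zip wrapper
    "minhas_fotos.pif",       # W32/MyDoom-BN
    "readme.txt.scr",         # W32/Mytob-BW double extension
    "document.doc.pif",       # W32/Mytob-BW double extension
    "poza_roxana._JPG.exe",   # W32/Antiman-A
    "photo.jpg        .exe",  # constructed: whitespace padding before the real extension
    "invoice.txt",            # constructed benign name
    "report.pdf",             # constructed benign name
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        verdict, why = classify_attachment(n)
        print(f"{verdict:8} {n!r}: {why}")
```

The name check is only the first gate: a ZIP that the policy marks 'inspect' still needs its entries run through the same classifier, since the worms put the executable inside the archive precisely to get past a name-only filter.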
W32/Mytob-BW harvests email addresses from files on the infected
computer and from the Windows address book. The worm avoids sending
email to addresses that contain the following:
.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your
Name W32/Mytob-AK
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
Aliases
* WORM_MYTOB.BT
Prevalence (1-5) 2
Description
W32/Mytob-AK is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-AK is capable of spreading through operating system
vulnerabilities, including the LSASS (MS04-011) exploit.
W32/Mytob-AK can harvest email addresses from files on the infected
computer and from the Windows address book.
Emails sent by the worm have the following characteristics:
Subject line:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
Good day
Message body:
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The original message was included as an attachment,
Here are your bank documents
Advanced
W32/Mytob-AK copies itself to the Windows system folder as taskgmr32.exe
and creates the following registry entries in order to run automatically
on computer login:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
taskgmr32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr32.exe
The worm also creates the following registry entries:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr32.exe
HKCU\Software\Microsoft\OLE
WINTASK
taskgmr32.exe
HKLM\SOFTWARE\Microsoft\Ole
WINTASK
taskgmr32.exe
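An autorun triage script for the registry pattern shared by W32/Mytob-E, W32/Mytob-BW and W32/Mytob-AK on this page, as an added example (not Sophos's code). All three write one value name (WINTASK or WksSVC) with a bare executable name as data under the Run and RunServices keys of HKLM and HKCU and, as a marker, under Software\Microsoft\OLE and SYSTEM\CurrentControlSet\Control\Lsa. The script parses the text format written by `reg export` and flags three things: autorun data that is not an absolute path, an executable name under either marker key (neither holds program paths on a clean system), and one value/data pair replicated across several keys. The export below is constructed to match the W32/Mytob-E entries; "Example Updater" is a placeholder for a legitimate autorun.

```python
r"""Autorun triage over a .reg export (added example; not Sophos code).

Parses the text produced by `reg export` (string values only; hex: and
dword: values are skipped) and reports the Mytob persistence pattern:
bare-filename autoruns, executables under Software\Microsoft\OLE or
SYSTEM\CurrentControlSet\Control\Lsa, and one value replicated across keys.

The sample export is constructed for the example.
"""
from __future__ import annotations

import re
from collections import defaultdict

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

AUTORUN_SUFFIXES = (
    r"\currentversion\run",
    r"\currentversion\runonce",
    r"\currentversion\runservices",
    r"\currentversion\runservicesonce",
)
# Keys the Mytob family uses as markers; they hold no program paths on a clean system.
MARKER_SUFFIXES = (r"\software\microsoft\ole", r"\control\lsa")


def _unescape(s: str) -> str:
    # .reg files escape a double quote as \" and a backslash as \\ ; undo that.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key: {value_name: string_data}}; non-string values are skipped."""
    tree: dict[str, dict[str, str]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            tree.setdefault(key, {})  # keep keys that have no string values
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            name, data = m.groups()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                tree[key][_unescape(name)] = _unescape(data[1:-1])
    return tree


def _endswith_any(key: str, suffixes: tuple[str, ...]) -> bool:
    k = key.lower()
    return any(k.endswith(s) for s in suffixes)


def triage_autoruns(tree: dict[str, dict[str, str]]) -> list[tuple[str, str, str, str]]:
    """Return (key, value_name, data, reason) tuples for suspicious string values."""
    findings = []
    seen: dict[tuple[str, str], list[str]] = defaultdict(list)
    for key, values in tree.items():
        for name, data in values.items():
            target = data.strip().strip('"')
            if _endswith_any(key, AUTORUN_SUFFIXES) and "\\" not in target:
                findings.append((key, name, data, "autorun data is a bare filename, not an absolute path"))
            if _endswith_any(key, MARKER_SUFFIXES) and target.lower().endswith(".exe"):
                findings.append((key, name, data, "executable name under a key that holds no program paths"))
            if ".exe" in target.lower():
                seen[(name, target.lower())].append(key)
    for (name, target), keys in seen.items():
        if len(keys) >= 3:
            findings.append(("*", name, target, f"same value replicated under {len(keys)} keys"))
    return findings


# Constructed export matching the W32/Mytob-E description plus one legitimate autorun.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINTASK"="taskgmr.exe"
"Example Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WINTASK"="taskgmr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINTASK"="taskgmr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"WINTASK"="taskgmr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"WINTASK"="taskgmr.exe"
'''

if __name__ == "__main__":
    for key, name, data, why in triage_autoruns(parse_reg_export(SAMPLE_REG)):
        print(f"{key} | {name} = {data} | {why}")
```

On a live host the input is produced with `reg export <key> <file>` for each key of interest; regedit-format exports are UTF-16LE, so open the file with that encoding before passing its text in. The bare-filename rule matters beyond this family: a Run value of just "taskgmr.exe" is resolved through the search path at logon, which is also why the worm can get away with not recording where it copied itself.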
W32/Mytob-AK copies itself to the root folder with the following
filenames:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
W32/Mytob-AK blocks access to security-related websites by writing
entries for them to the Windows hosts file.
W32/Mytob-AK may create a new file detected by Sophos as W32/Mytob-D.
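The hosts-file tampering described above is easy to check for from the defender's side. The following is an added Python example, not Sophos code: it parses hosts-file text the way the resolver does and flags any anti-virus vendor name pointed at a loopback or unspecified address (the sample file and the vendor list are constructed; the code also catches the 0.0.0.0 form, which this write-up does not mention).

```python
"""Find hosts-file entries that sinkhole security-vendor domains, the
technique W32/Mytob-AK uses to keep anti-virus software from updating.
Parses the file the way the resolver does (first field address, remaining
fields names, '#' starts a comment) and flags any vendor name mapped to
loopback or 0.0.0.0."""
import ipaddress

# Constructed sample: two legitimate lines followed by entries shaped like
# the ones the worm appends.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # local share
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.sophos.com sophos.com
0.0.0.0 update.symantec.com
"""

# Registrable vendor domains (constructed list); subdomains match too.
VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "microsoft.com",
}

def parse_hosts(text):
    """Yield (address, hostname) pairs, one per name on each data line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower()

def is_vendor_host(name):
    """True if name is a vendor domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)

def find_sinkholed(text):
    """Return [(address, hostname)] for vendor names pointed at a dead address."""
    hits = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; not a usable hosts entry
        if (ip.is_loopback or ip.is_unspecified) and is_vendor_host(name):
            hits.append((addr, name))
    return hits
```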
Name W32/Antiman-A
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Antiman.a
Prevalence (1-5) 2
Description
W32/Antiman-A is a mass-mailing worm for the Windows platform.
Emails sent by the worm can have the following features:
Subject line chosen from:
Faza cu camila
Sex in camin
Antivirus
Poza de la mare...
De ce mor mai repede curiosii...
Antimanele
Votati astazi!
Cu sau fara Manele ?
Pentru Ionel
Message text chosen from:
Ti-am trimis ultima poza de la mare. Asta e?
Asta e ultimul antivirus. Ar trebui sa rezolve toate problemele.
:)))))))
Nu deschide acest mesaj! E numai pentru persoanele prea curioase!
Daca sunteti nu mai suportati manelele la servici, tramvai, taxi, metrou,
etc., trimiteti acest mesaj la toti prietenii dvs. !
Va multumesc (din suflet).
Credeti ca ar fi mai bine ca Romania sa-si retraga trupele d in Irak
anul acesta?
Deschideti programul Vot, alegeti votul dvs. si vedeti rezul tatele.
Parerea dvs. conteaza!
Draga Ionel
Scuza-ma ca nu ti-am mai scris de mult timp, dar am avut ceva probleme
cu calculatorul
Ti-am promis ultima data pe chat o poza cu mine dezbracata... m-am
gandit mult la asta si cred ca pana la urma cel mai bine e sa-ti trimit
o poza.
Sper sa-ti placa. Daca nu o sa-mi mai scrii dupa mesajul asta, o sa te
inteleg...
Roxana,
Attached filename chosen from:
poza_roxana._JPG.exe
antimanele.exe
curiosii.exe
camila.exe
ioana_divx._AVI.exe
antivirus.exe
scan_picture_0001._JPG.exe
film_papa._avi._divx_.exe
Advanced
W32/Antiman-A is a mass-mailing worm for the Windows platform.
When run, the worm copies itself to the Windows folder as funny.scr and
to the current user's Startup folder as startwin.exe. The worm will then
modify the following registry entry so as to become the new screen
saver:
HKCU\Control Panel\desktop
SCRNSAVE.EXE
%WINDOWS%\funny.scr
Emails sent by the worm can have the following features:
Subject line chosen from:
Faza cu camila
Sex in camin
Antivirus
Poza de la mare...
De ce mor mai repede curiosii...
Antimanele
Votati astazi!
Cu sau fara Manele ?
Pentru Ionel
Message text chosen from:
Ti-am trimis ultima poza de la mare. Asta e?
Asta e ultimul antivirus. Ar trebui sa rezolve toate problemele.
:)))))))
Nu deschide acest mesaj! E numai pentru persoanele prea curioase!
Daca sunteti nu mai suportati manelele la servici, tramvai, taxi,
metrou, etc., trimiteti acest mesaj la toti prietenii dvs. !
Va multumesc (din suflet).
Credeti ca ar fi mai bine ca Romania sa-si retraga trupele d in Irak
anul acesta?
Deschideti programul Vot, alegeti votul dvs. si vedeti rezul tatele.
Parerea dvs. conteaza!
Draga Ionel
Scuza-ma ca nu ti-am mai scris de mult timp, dar am avut ceva probleme
cu calculatorul
Ti-am promis ultima data pe chat o poza cu mine dezbracata... m-am
gandit mult la asta si cred ca pana la urma cel mai bine e sa-ti trimit
o poza.
Sper sa-ti placa. Daca nu o sa-mi mai scrii dupa mesajul asta, o sa te
inteleg...
Roxana,
Attached filename chosen from:
poza_roxana._JPG.exe
antimanele.exe
curiosii.exe
camila.exe
ioana_divx._AVI.exe
antivirus.exe
scan_picture_0001._JPG.exe
film_papa._avi._divx_.exe
Name W32/Sdbot-ZC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Sdbot-ZC is a network worm with backdoor functionality for the
Windows platform.
The worm spreads through network shares protected by weak passwords,
MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-ZC connects to a predetermined IRC channel and awaits further
commands from remote users. The backdoor component of W32/Sdbot-ZC can
be instructed to perform various tasks.
Advanced
W32/Sdbot-ZC is a network worm with backdoor functionality for the
Windows platform.
When first run, W32/Sdbot-ZC copies itself to the Windows system folder
as wnmgre.exe and creates the following registry entries in order to run
each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IPC Spool Manager
wnmgre.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
IPC Spool Manager
wnmgre.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
IPC Spool Manager
wnmgre.exe
The worm spreads through network shares protected by weak passwords,
MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-ZC connects to a predetermined IRC channel and awaits further
commands from remote users. The backdoor component of W32/Sdbot-ZC can
be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
take part in distributed denial of service (DDoS) attacks
The following patches for the operating system vulnerabilities exploited
by W32/Sdbot-ZC can be obtained from the Microsoft website:
MS02-039
MS04-011
MS04-012
Name W32/Sdbot-WM
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.SdBot.un
Prevalence (1-5) 2
Description
W32/Sdbot-WM is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels.
Advanced
W32/Sdbot-WM is a worm which attempts to spread to remote network
shares. It also contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via IRC channels.
W32/Sdbot-WM attempts to spread to network shares with weak passwords.
W32/Sdbot-WM copies itself to the Windows system folder as MSNMSGR.EXE
and creates entries at the following locations in the registry with the
value "Microsoft Windows Update" so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Sdbot-WM may attempt to send a message via certain instant messenger
programs to encourage users to download a file from the website
http://kasized.com. At the time of writing this file was unavailable for
download.
W32/Sdbot-WM may set the following registry entry:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
W32/Sdbot-WM may attempt to delete network shares on the host computer.
W32/Sdbot-WM may attempt to log keystrokes to the file KEYLOG.TXT in the
Windows system folder.
W32/Sdbot-WM also copies itself to the filename MSNCFG.DAT and may also
copy itself to the filename PAYLOAD.DAT.
Name W32/Wurmark-I
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Leaves non-infected files on computer
Aliases
* Email-Worm.Win32.Wurmark.i
Prevalence (1-5) 2
Description
W32/Wurmark-I is a mass-mailing worm.
W32/Wurmark-I emails itself as a ZIP file attachment.zip. When run,
W32/Wurmark-I attempts to connect to a website to display a picture.
The email messages that the worm generates have the following subject
lines:
Hehehe LOL!!
email me back hehe...
Your Photo Is On A Webpage!!
Hey Rate My Pic Plz...
Someone Admire's You!
Hey Hows it Goin ?
W32/Wurmark-I harvests email addresses from files with the extensions
WAB, ADB, TBB, DBX, ASP, PHP, HTM, HTML and SHT and also tries to spread
via Instant Messenger and to computers vulnerable to the LSASS exploit
MS04-011.
Advanced
W32/Wurmark-I is a mass-mailing worm.
W32/Wurmark-I emails itself as a ZIP file attachment.zip. When run,
W32/Wurmark-I attempts to connect to a website to display a picture.
W32/Wurmark-I harvests email addresses from files with the extensions
WAB, ADB, TBB, DBX, ASP, PHP, HTM, HTML and SHT and also tries to spread
via Instant Messenger and to computers vulnerable to the LSASS exploit
MS04-011.
W32/Wurmark-I copies itself to the Windows system folder and drops the
worm W32/Rbot-ABC at the same time. W32/Wurmark-I also creates two clean
files named ansmtp.dll and bszip.dll.
The email messages that the worm generates have the following
characteristics:
Subject lines:
Hehehe LOL!!
email me back hehe...
Your Photo Is On A Webpage!!
Hey Rate My Pic Plz...
Someone Admire's You!
Hey Hows it Goin ?
Message text:
i just saw this on my computer from a while ago
download it and see if you can remember :)
lol i was lauging like crazy when i saw! :D
I was viewwing this website and came across
a picture they look just like you! infact im sure
it is haha , did you email this pic into them ? or
is it someonce elses that looks like you :S ? pic is attached
in zip file so downloaded it and see and email me back
Hi ive sent 4 emails now & nobody will rate
my photo! :( please download and tell me your opinion
rated out of 10 , its ok if you dont like it
just say i wont be offended p.s i was drunk when
it was taken haha :)
Someone has asked us on there behalf to send
you this email and tell you they think you are
Amazing!! All the The secret persons details
you need are enclosed in the attachment :)
please download and respond telling us if you
would like to make further contact with this
person.
Regards Hallmark Admirer Mail Admin.
Attachment filenames (within the ZIP file):
IMG_001.scr
Photo_01.pif
admirer_005.scr
Lover_01.scr
love_04.scr
Your_pic.scr
Just_For_You.pif
Sexy_02.scr
Scanned_03.scr
W32/Wurmark-I blocks access to a number of system utilities by creating
a set of companion dummy files with file extension COM in the system
folder. The worm creates the following files:
cmd.com
netstat.com
ping.com
regedit.com
taskkill.com
tasklist.com
tracert.com
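The companion files above work because a command typed without an extension is resolved in PATHEXT order, and .COM is tried before .EXE, so a planted cmd.com runs instead of cmd.exe. The following is an added Python example, not Sophos code: it mirrors that search order and flags .com files that have a same-named .exe beside them, using a constructed stand-in directory rather than a real system folder.

```python
"""Detect companion ".com" files that shadow system utilities, the trick
W32/Wurmark-I uses (cmd.com beside cmd.exe, ping.com beside ping.exe).
The shell tries extensions in PATHEXT order when none is typed, and the
default order puts .COM ahead of .EXE, so the planted .com is what runs."""
import os
import tempfile

# Leading entries of the default PATHEXT on Windows of that era.
PATHEXT = [".com", ".exe", ".bat", ".cmd"]

def resolve_command(name, search_dir, pathext=PATHEXT):
    """Return the file the shell would run for `name`, mirroring PATHEXT order."""
    for ext in pathext:
        candidate = os.path.join(search_dir, name + ext)
        if os.path.isfile(candidate):
            return candidate
    return None

def find_companion_files(search_dir):
    """Return .com files in search_dir that have a same-named .exe beside them.
    A legitimate .com utility (more.com, for instance) has no .exe twin."""
    names = {f.lower() for f in os.listdir(search_dir)}
    return sorted(f for f in names
                  if f.endswith(".com") and f[:-4] + ".exe" in names)

def build_sample_system_dir():
    """Constructed stand-in for the Windows system folder (placeholder files,
    not real binaries): three genuine tools, one genuine .com, three plants."""
    d = tempfile.mkdtemp()
    for fname in ["cmd.exe", "ping.exe", "netstat.exe", "more.com",
                  "cmd.com", "ping.com", "regedit.com"]:
        with open(os.path.join(d, fname), "wb") as fh:
            fh.write(b"placeholder")
    return d

if __name__ == "__main__":
    d = build_sample_system_dir()
    print(find_companion_files(d))                       # ['cmd.com', 'ping.com']
    print(os.path.basename(resolve_command("ping", d)))  # ping.com
```

Run the check over every directory on PATH, not only the system folder: a planted .com is only paired with its .exe in the directory where the genuine tool lives, which is why regedit.com is not flagged in the sample above.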
Name W32/Rbot-ABB
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Rbot-ABB is a Windows network worm which attempts to spread via
network shares. The worm contains backdoor functions that allow
unauthorised remote access to the infected computer via IRC channels
while running in the background.
The worm spreads to network shares with weak passwords and also by using
the exploits for the security vulnerabilities in Windows described in
Microsoft security bulletins MS04-011 and MS03-039.
Advanced
W32/Rbot-ABB is a Windows network worm which attempts to spread via
network shares. The worm contains backdoor functions that allow
unauthorised remote access to the infected computer via IRC channels
while running in the background.
The worm spreads to network shares with weak passwords and also by using
the exploits for the security vulnerabilities in Windows described in
Microsoft security bulletins MS04-011 and MS03-039.
When first run W32/Rbot-ABB moves itself to \msaol32.exe.
The following registry entries are created to run MSAOL32.exe on
startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AOL Instant Messenger
MSAOL32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft AOL Instant Messenger
MSAOL32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AOL Instant Messenger
MSAOL32.exe
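The Run/RunServices persistence used by W32/Mytob-AK, W32/Sdbot-ZC, W32/Sdbot-WM and W32/Rbot-ABB above shares a shape a defender can check for: a bare executable name with no path, and the same value stamped into keys that are not autostart locations at all (...\Control\Lsa, ...\Microsoft\OLE). The following is an added Python example, not Sophos code: it parses a constructed .reg export in which the WINTASK and IPC Spool Manager values are taken from the write-ups and the SoundMAX entry is an invented legitimate one.

```python
"""Flag suspicious autostart entries in a Windows .reg export, using the
persistence pattern shared by the Mytob, Sdbot and Rbot variants above:
a bare filename (no path) under Run/RunServices, and marker values copied
into unrelated keys such as ...\Control\Lsa and ...\Microsoft\OLE."""
import re

# Constructed .reg export (not from a real system): one legitimate Run entry
# with a full path, plus entries shaped like the ones in the write-ups.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"WINTASK"="taskgmr32.exe"
"IPC Spool Manager"="wnmgre.exe"

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"WINTASK"="taskgmr32.exe"
'''

AUTOSTART = re.compile(r"\\CurrentVersion\\Run(Services)?$", re.IGNORECASE)
# Keys that are not autostart locations but that these worms stamp anyway.
MARKER_KEYS = re.compile(r"\\(Control\\Lsa|Microsoft\\OLE)$", re.IGNORECASE)

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            if m:  # .reg doubles backslashes; undo that for path checks
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def find_suspicious(text):
    """Return [(key, name, data, reason)] for entries matching the pattern."""
    hits = []
    for key, name, data in parse_reg(text):
        exe = data.lower().endswith(".exe")
        if AUTOSTART.search(key) and exe and "\\" not in data:
            hits.append((key, name, data, "bare filename in autostart key"))
        elif MARKER_KEYS.search(key) and exe:
            hits.append((key, name, data, "executable name in non-autostart key"))
    return hits
```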
Once installed, W32/Rbot-ABB will attempt to perform the following
actions when instructed to do so by a remote attacker:
setup a FTP server
create a SOCKS4 server
terminate threads and processes
perform port scanning on IP addresses
steal computer system hardware information
capture keystrokes
copy itself to IPC$ network shared folders
download files from the Internet and run them
participate in denial of service (DoS) attacks
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
SOURCE: echomail via fidonet.ozzmosis.com