echo: virus
to: ALL
from: KURT WISMER
date: 2007-09-16 19:15:00
subject: News, September 16 2007

[cut-n-paste from sophos.com]

Name   W32/SillyFDC-AV

Type  
    * Spyware Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/SillyFDC-AV is a worm for the Windows platform.

Advanced
W32/SillyFDC-AV is a worm for the Windows platform.

When run, W32/SillyFDC-AV copies itself to \dllhost.exe and creates 
the file \autorun.inf.tmp. The file autorun.inf.tmp is also 
detected as W32/SillyFDC-AV.

W32/SillyFDC-AV registers the file \dllhost.exe as a system 
service with the service name "COMSystemApp" and a display name "COM+ 
System Applications" and a startup type of automatic. Registry entries 
are created under:

HKLM\SYSTEM\CurrentControlSet\Services\COMSystemApp\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_COMSYSTEMAPP\

W32/SillyFDC-AV spreads via removable shared drives, copying itself to 
\runauto..\autorun.pif, a hidden system file, and creating the 
file other.txt. These files are then uploaded to the remote location.

Troj/Desdie-A also drops some of the following clean files:

C:\clm1.txt
C:\FTP.txt
C:\FTP1.txt
C:\DSC_00219.jpg





Name   Troj/Agent-GCJ

Type  
    * Trojan

Affected operating systems  
    * Windows

Aliases  
    * Trojan-Downloader.Win32.Delf.aeu
    * Worm/Agent.AJ.22
    * W32/Downldr2.MDK
    * WORM_Generic
    * Worm:Win32/Agent.CC

Prevalence (1-5) 2

Description
Troj/Agent-GCJ is a Trojan for the Windows platform.

Advanced
Troj/Agent-GCJ is a Trojan for the Windows platform.





Name   Troj/Psyme-FB

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Prevalence (1-5) 2

Description
Troj/Psyme-FB is a web page which exploits the ADODB stream object 
vulnerability in Microsoft Internet Explorer to download a remote file 
to the local computer.





Name   Troj/Nobond-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Nobond-B is a downloader Trojan for the Windows platform.

Advanced
Troj/Nobond-B is a downloader Trojan for the Windows platform.

Troj/Nobond-B attempts to drop the file \msie.dat, also detected 
as Troj/Nobond-B, and inject it into an instance of Microsoft Internet 
Explorer, in order to download a remote file to \msie.exe and 
execute it.

Troj/Nobond-B displays a fake error message box with the title "Adobe 
Reader" and the following text:

  Adobe Reader could not open the document because it is either not a suported
  file type or because the file has been corrupted (for example, it was sent as an
  email attachment and wasn't correctly decoded).




Name   Troj/YBHO-A

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry
    * Installs a browser helper object

Aliases  
    * PWS-FireMing.dll

Prevalence (1-5) 2

Description
Troj/YBHO-A is a password-stealing Trojan for the Windows platform.

Troj/YBHO-A contains functionality to access the internet and 
communicate with a remote server.

Advanced
Troj/YBHO-A is a password-stealing Trojan for the Windows platform.

Troj/YBHO-A contains functionality to access the internet and 
communicate with a remote server.

When first run Troj/YBHO-A drops the following file:

\yhelp.dll - detected as Troj/YBHO-A

Troj/YBHO-A creates the following registry entry to start itself:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Yahoo! Helper
Rundll32.exe yhelp.dll,Init

as well as a COM object and Browser Helper Object (BHO) under the 
following registry trees:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper 
Objects\{E838FBB2-574D-4926-9C81-CCB15F3A3F53}
HKCR\CLSID\{E838FBB2-574D-4926-9C81-CCB15F3A3F53}





Name   Troj/Banker-EIS

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Allows others to access the computer
    * Steals information
    * Uses its own emailing engine
    * Downloads code from the internet
    * Monitors browser activity

Prevalence (1-5) 2

Description
Troj/Banker-EIS is a Trojan for the Windows platform.

Troj/Banker-EIS includes functionality to steal confidential 
information when a user visits banking-related websites.

Advanced
Troj/Banker-EIS is a Trojan for the Windows platform.

Troj/Banker-EIS includes functionality to steal confidential 
information when a user visits banking-related websites.

Once installed the Trojan monitors a user's internet access. When 
certain banking websites are accessed, Troj/Banker-EIS displays a fake 
login screen, prompting the user to enter confidential information, and 
sends the stolen details to a remote website.





Name   W32/Rbot-GTE

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Rbot.btq
    * W32/Sdbot.VZM

Prevalence (1-5) 2

Description
W32/Rbot-GTE is a worm for the Windows platform.

Advanced
W32/Rbot-GTE is a worm for the Windows platform.

When W32/Rbot-GTE is installed it creates the file 
\drivers\oreans32.sys.
The file oreans32.sys is not malicious.





Name   Troj/VB-DXM

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * TR/VB.Karsh
    * Trojan:Win32/VB.AAH

Prevalence (1-5) 2

Description
Troj/VB-DXM is a Trojan for the Windows platform.

Troj/VB-DXM contains functionality to connect to the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/VB-DXM is a Trojan for the Windows platform.

Troj/VB-DXM contains functionality to connect to the internet and 
communicate with a remote server via HTTP.

When first run Troj/VB-DXM copies itself to:

\winlogonEvt.exe

and creates the file:

\Multi-ICQ.exe - also detected as Troj/VB-DXM.

Troj/VB-DXM creates the following registry entry to start itself:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Update
\winlogonEvt.exe

Troj/VB-DXM may replace the following file with a different version:

\mswinsck.ocx - Legitimate Microsoft Winsock Control DLL





Name   W32/Rbot-GTF

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * W32/Sdbot.worm.gen.ay
    * Backdoor.Win32.Rbot.dyx

Prevalence (1-5) 2

Description
W32/Rbot-GTF is a worm for the Windows platform.

Advanced
W32/Rbot-GTF is a worm for the Windows platform.

When first run W32/Rbot-GTF copies itself to \wgcptsud.exe.

The following registry entries are created to run wgcptsud.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates
wgcptsud.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates
wgcptsud.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Updates
wgcptsud.exe

Registry entries are created under:

HKCR\.key
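Several of the entries above (W32/SillyFDC-AV, Troj/YBHO-A, Troj/VB-DXM, W32/Rbot-GTF) list the registry locations the malware uses to restart itself, printed in Sophos' fixed layout of key, value name, and value data. The following is an added example, not code from Sophos or from the poster: a small parser for that description format that collects the bullet sections, the prevalence score, and the autostart values into records, then groups the autostart values into a checklist a defender could compare against a host's Run keys. The sample text is a constructed condensation of two of the entries above, and the parser assumes each registry path sits on a single line (the BHO key in the Troj/YBHO-A entry, wrapped across two lines by the newsreader, would need joining first).

```python
"""Parser for Sophos-style malware descriptions (added example, not Sophos'
or the poster's code). Assumes each registry path occupies one line."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two entries condensed from the post above.
SAMPLE = r"""
Name   Troj/VB-DXM

Type
    * Trojan

Aliases
    * TR/VB.Karsh
    * Trojan:Win32/VB.AAH

Prevalence (1-5) 2

Advanced
Troj/VB-DXM creates the following registry entry to start itself:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Update
\winlogonEvt.exe


Name   W32/Rbot-GTF

Prevalence (1-5) 2

Advanced
The following registry entries are created to run wgcptsud.exe on
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates
wgcptsud.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Updates
wgcptsud.exe

Registry entries are created under:

HKCR\.key
"""

LIST_SECTIONS = ("Type", "How it spreads", "Affected operating systems",
                 "Side effects", "Aliases")
NAME_RE = re.compile(r"^Name\s+(\S+)$")
PREVALENCE_RE = re.compile(r"^Prevalence \(1-5\)\s+(\d)$")
# A registry path line: hive abbreviation, backslash, then a non-blank path.
REG_PATH_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU|HKCC)\\\S.*$")
AUTOSTART_KEYS = ("Run", "RunOnce", "RunServices")


@dataclass
class Entry:
    name: str
    prevalence: Optional[int] = None
    lists: dict = field(default_factory=dict)        # section -> bullet items
    registry_paths: list = field(default_factory=list)
    run_entries: list = field(default_factory=list)  # (key, value name, data)


def parse_entries(text: str) -> list:
    entries, cur, section = [], None, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        m = NAME_RE.match(line)
        if m:                                # "Name   X" starts a new entry
            cur = Entry(name=m.group(1))
            entries.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if not line:                         # a blank line ends a bullet list
            section = None
            continue
        if line in LIST_SECTIONS:
            section = line
            cur.lists[section] = []
            continue
        if section and line.startswith("    * "):
            cur.lists[section].append(line[6:])
            continue
        m = PREVALENCE_RE.match(line)
        if m:
            cur.prevalence = int(m.group(1))
            continue
        if REG_PATH_RE.match(line):
            cur.registry_paths.append(line)
            # Sophos prints an autostart value as three lines: key, value
            # name, data. Capture the next two non-blank lines as that pair.
            if line.rsplit("\\", 1)[-1] in AUTOSTART_KEYS:
                pair = []
                while i < len(lines) and lines[i].strip() and len(pair) < 2:
                    pair.append(lines[i].strip())
                    i += 1
                if len(pair) == 2:
                    cur.run_entries.append((line, pair[0], pair[1]))
    return entries


def autostart_checklist(entries) -> dict:
    """Group autostart values by (key, value name). The value names above
    ("Windows Update", "Microsoft Updates") imitate Microsoft components, so a
    host check must compare the value data (the launched binary), not the name."""
    checklist = {}
    for e in entries:
        for key, value_name, data in e.run_entries:
            checklist.setdefault((key, value_name), []).append((e.name, data))
    return checklist


if __name__ == "__main__":
    for (key, value_name), hits in autostart_checklist(parse_entries(SAMPLE)).items():
        print(f"{key}\\{value_name} -> {hits}")
```

Feeding the full post through `parse_entries` gives one record per "Name" block; the checklist is the part worth keeping, since a value called "Microsoft Updates" under Run is only suspicious once its data points at a binary such as wgcptsud.exe rather than a known Windows component.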

 
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)

SOURCE: echomail via fidonet.ozzmosis.com
