echo: virus
to: ALL
from: KURT WISMER
date: 2008-01-20 17:44:00
subject: News, January 20 2008

[cut-n-paste from sophos.com]

Name   Troj/Agent-GMU

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Agent.dgr

Prevalence (1-5) 2

Description
Troj/Agent-GMU is a backdoor Trojan which allows a remote intruder to 
gain access and control over the computer.

Advanced
Troj/Agent-GMU is a backdoor Trojan which allows a remote intruder to 
gain access and control over the computer.

When first run Troj/Agent-GMU copies itself to \.exe.

The following registry entry is created to run .exe 
on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

\.exe

The file .exe is registered as a new system driver 
service named , with a display name of "Print 
Spooler Service" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\





Name   VBS/Edibara-A

Type  
    * Virus

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Steals information
    * Downloads code from the internet

Aliases  
    * VBS/Edibara{at}M virus
    * VBS/Envary.A virus
    * Trojan-Dropper.VBS.Small.w

Prevalence (1-5) 2

Description
VBS/Edibara-A is a Visual Basic script virus.

VBS/Edibara-A will attempt to modify files with htm and html extensions 
and include a segment of VBScript which will drop a copy of the virus 
on computers which read the infected htm/html file.

VBS/Edibara-A will also obtain your email address from Yahoo! Pager 
information and send an email to your account, with the subject line 
"Hello", prompting you to visit a certain website.

Advanced
VBS/Edibara-A is a Visual Basic script virus.

VBS/Edibara-A will attempt to modify files with htm and html extensions 
and include a segment of VBScript which will drop a copy of the virus 
on computers which read the infected htm/html file.

The script will also drop the following files:

<system32>/TPS32E.dll
<system32>/TPS32V.dll
<system32>/Systemv.dll
<system32>/Kernel.exe
<system32>/Kernel.vbs

All of which are detected by VBS/Edibara-A.

VBS/Edibara-A will autostart itself by setting the following registry 
entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows
<system32>\Kernel.vbs

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows
<system32>\Kernel.exe

VBS/Edibara-A will also obtain your email address from Yahoo! Pager 
information and send an email to your account, with the subject line 
"Hello", prompting you to visit a certain website.



Kernel.exe is a component which will download and execute a file from 
remote server.





Name   VBS/Solow-H

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
VBS/Solow-H is a Visual Basic Script worm for the Windows platform.

Advanced
VBS/Solow-H is a Visual Basic Script worm for the Windows platform.





Name   Troj/Dloadr-BHH

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Obfuscated.cw

Prevalence (1-5) 2

Description
Troj/Dloadr-BHH is a Trojan downloader for the Windows platform.

Advanced
Troj/Dloadr-BHH is a Trojan downloader for the Windows platform.

When Troj/Dloadr-BHH is installed it creates the file \xp2008.dat.

The file xp2008.dat is registered as a COM object and Browser Helper 
Object (BHO) for Microsoft Internet Explorer, creating registry entries 
under:

HKCR\CLSID\{A941CC19-7623-4F26-AC15-4DBD0314ACCA}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A941CC19-7623-4F26-AC15-4DBD0314ACCA}





Name   Troj/KillJWS-A

Type  
    * Trojan

How it spreads  
    * Web browsing

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/KillJWS-A is a Trojan for the Windows platform. The Trojan targets 
the software commonly used for Windows accessibility by blind people. 
The Trojan is reportedly distributed as a crack program for the popular 
screen reader program JAWS version 9.

Advanced
Troj/KillJWS-A is a Trojan for the Windows platform.

When Troj/KillJWS-A is installed the following files are created:

\config\svchost.exe
\mci32.exe
\securityService.dll

The following registry entries are created to run code exported by 
securityService.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\securityService
DllName
securityService.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\securityService
impersonate
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\securityService
Startup
startup

After 26 December 2007 Troj/KillJWS-A will terminate the following 
processes related to popular speech synthesis and speech recognition 
software:

jfw.exe
hal.exe
narrator.exe
wineyes
speech32
gwm32
kurzweil





Name   Troj/Agent-GMO

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Agent-GMO is a Trojan for the Windows platform.

Advanced
Troj/Agent-GMO is a Trojan for the Windows platform.

Troj/Agent-GMO may attempt to disable access to the registry and task 
manager by setting the following registry entries:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SYSTEM
DisableRegistryTools
1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SYSTEM
DisableTaskMgr
1





Name   Troj/Mdrop-BQD

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Mdrop-BQD is a Trojan for the Windows platform.

Advanced
Troj/Mdrop-BQD is a Trojan for the Windows platform.

When Troj/Mdrop-BQD is run it creates the file 
\ixp000.tmp\server~1.exe.

The file server~1.exe is detected as Mal/Behav-043.





Name   Troj/Bayrob-B

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Steals information
    * Reduces system security

Aliases  
    * Trojan-Dropper.Win32.Agent.dpo

Prevalence (1-5) 2

Description
Troj/Bayrob-B is an information-stealing Trojan for the Windows platform.

Advanced
Troj/Bayrob-B is an information-stealing Trojan for the Windows platform.

Troj/Bayrob-B includes functionality to act as a proxy as well as 
change the user's proxy settings.

When first run Troj/Bayrob-A copies itself to \fdihkchp.exe.

Troj/Bayrob-B attempts to drop a clean data file called "tst" to a 
number of folders, including \44682352, and drops files to the 
Temp folder called CNQJ.EXE. These are all detected 
as Troj/Bayrob-A.

Troj/Bayrob-B adds itself to run on startup in three different ways:

- creates one of the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tikbnqen
\fdihkchp.exe

- adds itself as a service:

HKLM\SYSTEM\CurrentControlSet\Services\Bbonxhdz

- adds itself to the current user's Start Menu:

\Programs\Startup\fdihkchp.exe.

Troj/Bayrob-B may modify the contents of the following files:

\drivers\etc\hosts
\Mozilla\Firefox\Profiles\\user.js

Troj/Bayrob-B attempts to redirect from sites including ebay.com in 
order to steal information from the user.

Troj/Bayrob-B attempts to disguise itself by dropping a copy of "Kodak 
Viewer Express" and loading an image, for example that of a motorcycle.





Name   W32/Autorun-AN

Type  
    * Worm

Affected operating systems  
    * Windows

Aliases  
    * Win32/AutoRun.AC worm
    * Virus.Win32.AutoRun.ia
    * W32/Autorun.worm.r

Prevalence (1-5) 2

Description
W32/Autorun-AN is a worm for the Windows platform.

Advanced

W32/Autorun-AN is a worm for the Windows platform.





Name   VBS/Edibara-B

Type  
    * Virus

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Steals information
    * Downloads code from the internet

Prevalence (1-5) 2

Description
VBS/Edibara-B is a Visual Basic script virus.

The virus attempts to modify htm, html and htt files on fixed and 
remote drives to include a segment of Visual Basic script which infects 
other systems which read the infected files.

VBS/Edibara-B will also obtain the email address from Yahoo! Pager 
information on a system and send email.

Advanced
VBS/Edibara-B is a Visual Basic script virus.

The virus drops the following files:

\TPS32E.dll
\TPS32V.dll
\Systemv.dll
\config\Netlogon.vbs
\dd.txt
\se3gl9km.bat
\NetLogon.exe

The NetLogon.vbs script attempts to modify htm, html and htt files on 
fixed and remote drives to include a segment of Visual Basic script 
which infects other systems which read the infected files.

The script creates the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
ComService


The NetLogon.exe file is initially dropped as \Demon and then 
copied to \NetLogon.exe.

The NetLogon.exe file includes functionality to download, install and 
run new software.

The following registry entries are created to run the NetLogon.exe file 
on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
(default)


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
(default)


The NetLogon.exe file changes settings for Microsoft Internet Explorer 
by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\

The NetLogon.exe file creates registry entries which are set as follows:

HKCU\Software\Microsoft\Internet Explorer
Download Directory
\drivers

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
(default)
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0





Name   Troj/Dorf-AS

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Dorf-AS is a Trojan for the Windows platform.





Name   Troj/Dorf-AP

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Dorf-AP is a Trojan for the Windows platform.

Advanced
Troj/Dorf-AP is a Trojan for the Windows platform.

Troj/Dorf-AP creates a file named \burito.ini; this file is 
harmless and should be deleted.





Name   Troj/IRCbot-ZV

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer

Prevalence (1-5) 2

Description
Troj/IRCbot-ZV is a backdoor Trojan for the Windows platform.





Name   Troj/Dropin-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Dropped by malware

Aliases  
    * Trojan-Dropper.Win32.Agent.ben
    * TR/Drop.Agent.ben
    * TROJ_DROPPER.CUO
    * TrojanDropper:Win32/Agent

Prevalence (1-5) 2

Description
Troj/Dropin-A is a Trojan for the Windows platform.

Advanced
Troj/Dropin-A is a Trojan for the Windows platform.

When first run Troj/Dropin-A copies itself to \windoskey.exe 
and creates the following files:

\load.exe
\wdoskey.exe

The file wdoskey.exe is detected as Mal/Behav-024, and the file 
load.exe is detected as the hacking tool "Inject Loader" - load.exe is 
used to inject wdoskey.exe into iexplore.exe.

The following registry entry is created to run windoskey.exe on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{S-1-5-21-1635847982-2902227367-3824404516-500}
StubPath
windoskey.exe

Other entries are also created under 
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{S-1-5-21-1635847982-2902227367-3824404516-500}.

The following registry entry is set to try to allow iexplore.exe to 
bypass the Windows firewall:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
\..\..\Program Files\Internet Explorer\iexplore.exe
\..\..\Program Files\Internet Explorer\iexplore.exe:*:Enabled:IExplore

Troj/Dropin-A has been seen dropped by files detected as Mal/Emogen-Y.





Name   Troj/IRCBot-ZS

Type  
    * Trojan

Affected operating systems  
    * Unix

Prevalence (1-5) 2

Description
Troj/IRCBot-ZS is a Trojan for Linux platforms.





Name   W32/Autoit-F

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Autoit-F is a worm for the Windows platform.

Advanced
W32/Autoit-F is a worm for the Windows platform.

When first run W32/Autoit-F copies itself to 
\Microsoft\msmsgs.exe.

The following registry entry is changed to run W32/Autoit-F on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\Microsoft\Msmsgs.exe

The following registry entries are set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
0
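As an added example, not part of the original post or of the Sophos descriptions it quotes: a small Python checker that parses a constructed .reg export and flags the registry changes several of the entries above describe, namely the Userinit chaining of W32/Autoit-F, the Winlogon\Notify package of Troj/KillJWS-A, the DisableTaskMgr/DisableRegistryTools policies of Troj/Agent-GMO and W32/Autoit-F, and the SHOWALL CheckedValue change of VBS/Edibara-B. The sample registry data, the key constants and the finding labels are constructed for illustration.

```python
# Constructed sample .reg export (not from the post) with several of the values listed above.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\Microsoft\\Msmsgs.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\securityService]
"DllName"="securityService.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; REG_SZ and dword values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            if data.startswith("dword:"):
                keys[current][name.strip('"')] = int(data[6:], 16)
            else:  # .reg files double the backslashes inside string data
                keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_indicators(keys):
    """Return (finding, detail) pairs for the behaviours the descriptions above list."""
    findings = []
    # W32/Autoit-F: an extra executable chained after userinit.exe in Userinit
    for part in keys.get(WINLOGON, {}).get("Userinit", "").split(","):
        if part.strip() and not part.strip().lower().endswith("userinit.exe"):
            findings.append(("Userinit hijack", part.strip()))
    for key, vals in keys.items():
        # Troj/KillJWS-A: a Winlogon\Notify package loading a non-standard DLL
        if key.lower().startswith(WINLOGON.lower() + "\\notify\\") and "DllName" in vals:
            findings.append(("Winlogon Notify DLL", vals["DllName"]))
    # Troj/Agent-GMO, W32/Autoit-F: Task Manager and registry tools disabled by policy
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        if keys.get(POLICY_SYSTEM, {}).get(name) == 1:
            findings.append(("Policy lockdown", name))
    # VBS/Edibara-B: the "Show hidden files" option neutered with CheckedValue=0
    if keys.get(SHOWALL, {}).get("CheckedValue") == 0:
        findings.append(("Hidden-files option disabled", SHOWALL))
    return findings
```

On a live system the same checks can be run against the output of `reg export` for the keys named above.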

 
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)

SOURCE: echomail via fidonet.ozzmosis.com
