echo: virus
to: ALL
from: KURT WISMER
date: 2003-10-13 23:18:00
subject: News

[cut-n-paste from sophos.com]

W32/Inmotecd-A

Aliases
Trojan.Win32.Inmota, TROJ_INMOTECD.A

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Inmotecd-A is an internet worm which spreads by replying to mail 
messages on computers using MAPI-based email clients such as Microsoft 
Outlook or Outlook Express.

The subject of the email is "Re: 0!~" and the attached file is 
default.htm.pif where  is a large number of space 
characters, aimed at hiding the file's true extension of PIF.

When default.htm.pif is run a message box is displayed with the 
text "Welcome", "Welcome Microsoft CD Key web site Press OK to open 
the Web" and Microsoft Internet Explorer is launched with the URL 
http://omnitechdesign.com/cdkey.html.

The worm copies itself to the Windows and Windows System folders as 
default.htm.pif, drops the files rundl132.exe and Gate.dll to 
both the Windows and System folders and sets or creates one of the 
following registry entries to run rundl132.exe automatically on 
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
 = rundl132.exe powrprof.dll,loadcurrentpwrscheme
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
PowerProfile = rundl132 kernel.dll,PowerProfileEnable

 is an existing sub-key which the worm changes. The worm 
changes all sub-keys of 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ whose data contains 
the string "Rundll".





Troj/Bdoor-AAG

Aliases
Backdoor.G_Spot.20

Type
Trojan

Detection
At the time of writing Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Bdoor-AAG is a configurable IRC backdoor Trojan that allows 
unauthorized access to the user's computer.

The Trojan drops itself into the Windows system folder using a 
configured name and creates a registry entry under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
to run itself automatically when Windows starts up.





XF97/Wisab-A

Aliases
Macro.Excel97.Wisab, XM.VNN, XF_SIC.A, XF/Sic.L

Type
Excel formula virus

Detection
Sophos has received several reports of this virus from the wild.

Description
XF97/Wisab-A spreads using a Formula Sheet called XL4Test5.

The virus creates a file in the XLSTART directory called BOOK1.





Troj/Ircbot-M

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/Ircbot-M is a backdoor Trojan that allows a malicious user remote 
access to the system.

In order to run automatically when Windows boots up the Trojan copies 
itself as RPCX1sq23.exe to the Windows system folder and creates the 
following registry entries which point to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windowsupdate

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\windowsupdate

The Trojan attempts to connect to a remote IRC server and join a 
specific channel and can be controlled via this connection.





W32/Agobot-AE

Aliases
Backdoor.Agobot.3.m, W32.HLLW.Gaobot.AE

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Agobot-AE is a network worm which also allows unauthorised remote 
access to the computer via IRC channels.

W32/Agobot-AE copies itself to network shares with weak passwords and 
attempts to spread to computers using the DCOM RPC and the RPC locator 
vulnerabilities.

These vulnerabilities allow the worm to execute its code on target 
computers with System level privileges. For further information on these 
vulnerabilities and for details on how to protect/patch the computer 
against such attacks please see Microsoft security bulletins MS03-026 
and MS03-001.

W32/Agobot-AE drops a copy of itself to the Windows system folder and 
creates the following registry entries to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Config Loader
= ""

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Config Loader
= ""

W32/Agobot-AE attempts to terminate various processes related to 
anti-virus and security software (e.g. SWEEP95.EXE, BLACKICE.EXE and 
ZONEALARM.EXE).





W32/Gibe-F

Aliases
W32/Swen.A@mm, I-Worm.Swen, Worm.Automat.AHB, WORM_SWEN.A

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Gibe-F is a worm which spreads by emailing itself via its own SMTP 
engine to addresses extracted from various sources on the victim's 
drives (e.g. MBX and DBX files). The worm also spreads using the KaZaA 
peer-to-peer shared folders, via IRC channels and will copy itself to 
the Startup folder of mapped network drives. W32/Gibe-F may also attempt 
to spread via usenet newsgroups (NNTP).

W32/Gibe-F will attempt to get a user to enter email account details by 
displaying a fake error dialog box with fields for entering user name, 
password, email address and server names.

If the worm is run with a filename which starts with a P, Q, U or I 
(regardless of the case) W32/Gibe-F displays the message

"Microsoft Internet Update Pack
This update does not need to be installed on this system" or

"This will install Microsoft Security Update. Do you wish to continue?"

and may also pretend to be an installation package by displaying an
installation window with the following messages in the title bar:

"Searching for installed components ..."
"Extracting files ..."
"Copying files ..."
"Updating registry ..."

If W32/Gibe-F detects the installation of a debugger active in memory 
it displays the message "Try to pull my legs?".

The worm copies itself to the Windows folder as a randomly-named 
lowercase executable (e.g. jlfsm.exe) and adds an entry to the registry 
at HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run itself on 
system restart.

The worm also changes the entries in the registry at:

HKCR\exefile\shell\open\command
HKCR\regfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\scrfile\shell\open\command
HKCR\scrfile\shell\config\command

so that it is run before EXE, COM, PIF, BAT, SCR files and to display a 
false error message (e.g. "Error occurred Memory access violation in 
module kernel32 at :") when REG files are opened.

The worm sets several entries in the registry to signify installation, 
confirm KaZaA infection and to prevent REGEDIT.EXE from running.

W32/Gibe-F may also create a file called SWEN1.DAT in the Windows folder 
containing a list of several IP addresses and domain names which may be 
NNTP servers.

W32/Gibe-F may attempt to exploit a vulnerability in Microsoft's 
software which allows automatic execution of attachments while viewing 
an email message. Microsoft issued a patch which reportedly fixes this 
vulnerability in 2001. The patch is available from 
www.microsoft.com/technet/security/bulletin/MS01-027.asp. (This patch 
fixes a number of vulnerabilities in Microsoft's software, including 
the one exploited by this worm.)

Emails constructed by the worm have the following characteristics:

From: may be the bona fide victim's name or may be randomly constructed 
from the following

unknown
Microsoft
Support
Assistance
Services
Bulletin
Customer
Public
Technical
Center
Department
Section
Division
Security
Network
Internet
Program
Corporation
Microsoft
MS
Domain
Server
Receiver
Recipient
Client
Receiver
Recipient
Puremail
America
Netmail
Freemail
Bigfoot
Rocketmail
Routine
Program
Daemon
Automat
Engine
Service
Mailer
master
System
Service
Delivery
Storage
Message
Email
Postmaster
Administrator

and

bulletin
confidence
advisor
updates
technet
support,
newsletters
ms
msn
microsoft
msdn
.com
.net

(e.g. MS Support Department @support.microsoft.com)

To: randomly constructed from the following

User
Client
Consumer
Partner
Customer
Commercial
Corporation
Microsoft
MS

Subject line: randomly constructed from the following

Corp.
Corporation
comes
which
Internet Explorer
Windows
update
package
correction
corrective
security
critical
internet
important
these
Install
Apply
Watch
Take a look at
Look at
Try on
Taste
Prove
Check out
Check
Upgrade
Update
Critical
Latest
Newest
Current
M$
MS
from
comes
came
which
this
that
these
the
See
Watch
Use
Apply

Message text: randomly constructed from the following

MS
Microsoft
Customer,
this is the latest version of security update, the
, Cumulative Patch update which
This update includes the functionality
of all previously released patches.
computer
system
on your
executable
to run
malicious user
attacker
the most serious of which could
allow an
from these vulnerabilities
maintain the security of your computer
protect your computer
continue keeping your computer secure
Install now to
vulnerabilities
newly discovered
as well as three
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
eliminates
resolves

the attached file (EXE, COM, PIF, BAT, SCR or ZIP) may have a randomly 
generated name or may be randomly chosen from the following

PATCH
UPDATE
UPGRADE
INSTALL

Alternatively, W32/Gibe-F may attempt to mimic a mail delivery failure 
message. The subject line and message text will then be constructed 
from the following

Message follows:
mail
message
Undelivered
Undeliverable
to one or more destinations.
to the following addresses:
the message returned below could not be delivered
I wasn't able to deliver your message
I'm afraid
I'm sorry to have to inform you that
I'm sorry
This is the qmail program
Hi.
Notice
Report
Announcement
Advice
Letter
Failure
Abort
Error
Bug
User unknown
Mailer
Sender
Returned To
Message
Mail
Returned
SUBJECT:
domain
server
home
mx
your
user
receiver
recipient
client
Receiver
Recipient

W32/Gibe-F copies itself to the KaZaA shared folder and to the Windows 
folder with various EXE or ZIP filenames randomly constructed from the 
following (e.g. "WINZIP UPLOAD.EXE"):

Virus Generator
Magic Mushrooms Growing
Cooking with Cannabis
Hallucinogenic Screensaver
My naked sister
XXX Pictures
Sick Joke
XXX Video
XP update
Emulator PS2
XboX Emulator
HardPorn
Jenna Jameson
Hotmail hacker
Yahoo hacker
AOL hacker
fixtool
cleaner
removal tool
remover
Sircam
Bugbear
installer
upload
hacked
key generator
Windows Media Player
GetRight FTP
Download Accelerator
Winamp
WinZip
WinRar
KaZaA media desktop
Kazaa Lite

W32/Gibe-F attempts to terminate various processes related to anti-virus 
or security software (e.g. sweep95, zonealarm and blackice).

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
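The W32/Inmotecd-A description above notes that the attachment name pads a decoy .htm name with many spaces so that the real .pif extension scrolls out of view in the mail client. The following is an added example, not part of the post or of Sophos's text, showing how a mail gateway or log-review script can recover the true extension of an attachment name and flag the padding and double-extension tricks. The extension list and the sample filenames are constructed for illustration.

```python
import re
from typing import Optional

# Extensions Windows will execute directly when the attachment is opened.
# The set is an assumption for this example; extend it to match local policy.
EXECUTABLE_EXTENSIONS = {"pif", "exe", "com", "bat", "scr", "cmd", "vbs", "js"}


def true_extension(filename: str) -> str:
    """Return the real (last) extension, lower-cased, ignoring whitespace
    padding that sits in front of it."""
    stripped = filename.rstrip()
    if "." not in stripped:
        return ""
    return stripped.rsplit(".", 1)[1].strip().lower()


def padding_before_extension(filename: str) -> int:
    """Count whitespace characters placed between the visible name and the
    final extension, e.g. 'default.htm      .pif' -> 6."""
    m = re.search(r"(\s+)\.[^.\s]+$", filename)
    return len(m.group(1)) if m else 0


def classify_attachment(filename: str, max_padding: int = 0) -> Optional[str]:
    """Return a human-readable reason if the name is suspicious, else None."""
    ext = true_extension(filename)
    pad = padding_before_extension(filename)
    if pad > max_padding and ext in EXECUTABLE_EXTENSIONS:
        return f"executable .{ext} hidden behind {pad} padding characters"
    # Decoy document extension followed by an executable one (default.htm.pif).
    parts = [p.strip().lower() for p in filename.strip().split(".")]
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS:
        return f"double extension .{parts[-2]}.{parts[-1]}"
    if ext in EXECUTABLE_EXTENSIONS:
        return f"executable attachment .{ext}"
    return None


if __name__ == "__main__":
    # Constructed sample names, modelled on the worm's padded attachment.
    for name in ("default.htm" + " " * 40 + ".pif", "default.htm.pif",
                 "PATCH.EXE", "report.pdf"):
        print(repr(name[:20]), "->", classify_attachment(name))
```

The padding check runs before the double-extension check on purpose: a padded name is the stronger signal, and reporting the padding length tells the analyst what the recipient actually saw.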
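Several of the descriptions above share the same persistence pattern: an entry under HKLM\...\CurrentVersion\Run or RunServices (Inmotecd-A's rundl132.exe, Ircbot-M's "windowsupdate", Agobot-AE's "Config Loader") or a rewritten HKCR\<type>file\shell\open\command handler (Gibe-F). The following is an added example, not part of the post or of Sophos's text, that parses a .reg export and audits those locations: it flags autorun hosts whose name is a near-miss of rundll32, value names matching the indicators listed in this post, and file-type handlers that differ from the stock Windows defaults. The sample export is constructed (the EXAMPLE.exe and jlfsm.exe paths are placeholders, since the post does not give the real values), and the expected handler strings are the documented Windows defaults.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export for this example: two legitimate-looking entries plus
# values shaped like the indicators in the Sophos descriptions above.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"PowerProfile"="rundl132 kernel.dll,PowerProfileEnable"
"windowsupdate"="C:\\WINDOWS\\System32\\RPCX1sq23.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Config Loader"="C:\\WINDOWS\\System32\\EXAMPLE.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="C:\\WINDOWS\\jlfsm.exe \"%1\""
'''

LINE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
RUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunServices")
# Value names taken from the descriptions in this post (Inmotecd-A, Ircbot-M, Agobot-AE).
SUSPECT_VALUE_NAMES = {"powerprofile", "windowsupdate", "config loader"}
# Stock Windows handlers for the file types Gibe-F rewrites.
EXPECTED_OPEN_COMMANDS = {
    "exefile": '"%1" %*', "comfile": '"%1" %*', "batfile": '"%1" %*',
    "piffile": '"%1" %*', "scrfile": '"%1" /S', "regfile": 'regedit.exe "%1"',
}
CLASS_KEY_RE = re.compile(r"HKEY_CLASSES_ROOT\\(\w+file)\\shell\\(open|config)\\command$")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for string values in a .reg export; '@' is the default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch rundll32 lookalikes such as rundl132."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_program(command: str) -> str:
    """Base name (without .exe) of the program an autorun command launches."""
    command = command.strip()
    if command.startswith('"'):
        first = command[1:].split('"', 1)[0]
    else:
        first = command.split(None, 1)[0] if command else ""
    base = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def audit(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for each suspicious entry."""
    findings = []
    for key, values in keys.items():
        if key.endswith(RUN_KEYS):
            for name, data in values.items():
                host = host_program(data)
                if host != "rundll32" and levenshtein(host, "rundll32") <= 2:
                    findings.append((key, name, f"rundll32 lookalike host '{host}'"))
                elif name.lower() in SUSPECT_VALUE_NAMES:
                    findings.append((key, name, "value name matches a known autorun indicator"))
        m = CLASS_KEY_RE.match(key)
        if m:
            ftype, verb = m.groups()
            expected = '"%1"' if verb == "config" else EXPECTED_OPEN_COMMANDS.get(ftype)
            actual = values.get("@", "")
            if expected is not None and actual.strip().lower() != expected.lower():
                findings.append((key, "@", f"handler changed from {expected!r} to {actual!r}"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name}: {reason}")
```

The lookalike test is deliberately independent of the indicator list: Inmotecd-A rewrites whichever existing Run entries mention Rundll, so a legitimate "LoadPowerProfile" value that now launches rundl132 is caught by the edit-distance check even though its name is unchanged.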

SOURCE: echomail via fidonet.ozzmosis.com
