subject: News
[cut-n-paste from sophos.com]

W32/Bagle-C

Type: Win32 worm

Detection: Sophos has received several reports of this worm from the wild.

Description

W32/Bagle-C is an email worm which sends itself via its own SMTP engine to addresses harvested from your hard disk. The worm appears with a Microsoft Office 2000 Excel icon.

When run the worm opens NOTEPAD.EXE, copies itself to the Windows system folder as README.EXE and creates the following files in the same folder:

DOC.EXE - a DLL plugin used to load ONDE.EXE
ONDE.EXE - the main DLL component of the worm
README.EXEOPEN - a copy of the worm in ZIP format

W32/Bagle-C adds the value:

gouday.exe = \readme.exe

to the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This means that W32/Bagle-C runs every time you log on to your computer.

W32/Bagle-C also creates the following registry entries:

HKCU\Software\DateTime2\frun=1
HKCU\Software\DateTime2\port=2745
HKCU\Software\DateTime2\uid=

Emails have the following characteristics:

Subject lines:
Price
New Price-list
Hardware devices price-list
Weekly activity report
Daily activity report
Maria
Jenny
Jessica
Registration confirmation
USA government abolishes the capital punishment
Freedom for everyone
Flayers among us
From Hair-cutter
Melissa
Camila
Price-list
Pricelist
Price list
Hello my friend
Hi!
Well...
Greet the day
The account
Looking for the report
You really love me? he he
You are dismissed
Accounts department
From me
Monthly incomings summary
The summary
Proclivity to servitude
Ahtung!
The employee

Message text: there is no message text.

Attached file: a randomly named ZIP archive.

W32/Bagle-C opens up a backdoor on port 2745 and listens for connections. If it receives the appropriate command it attempts to download and execute a file. W32/Bagle-C also makes a web connection to a remote URL, thus reporting the location and open port of infected computers.

The worm terminates processes with the following names:

ATUPDATER.EXE, AVWUPD32.EXE, AVPUPD.EXE, LUALL.EXE, DRWEBUPW.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE,
UPDATE.EXE, NUPGRADE.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, AVXQUAR.EXE,
CFIAUDIT.EXE, MCUPDATE.EXE, OUTPOST.EXE, AVLTMAIN.EXE

If the date is after 14 March 2004, W32/Bagle-C terminates itself and deletes all the registry entries it created when it first ran.


W32/Maddis-A

Aliases: W32/Maddis.worm, W32/Aveng.A

Type: Win32 worm

Detection: At the time of writing, Sophos has received just one report of this worm from the wild.

Description

W32/Maddis-A is a worm which spreads via network shares. The worm uses stealth techniques in an attempt to hide its presence on an infected computer.

When first run, W32/Maddis-A creates a copy of itself named usrinit.exe in the Windows system folder and a file named helper.dll in the Windows or Temp folder.

On Windows 98-based operating systems the worm adds the registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate

On Windows NT-based operating systems usrinit.exe is registered as a service.

Helper.dll hides the worm by intercepting system functions and masking any values which contain the following strings:

helper.dll
command.exe
windowsupd*
wiu*.exe
uihelp
userinit*.dll
boomer*
usrinit*

W32/Maddis-A sends an HTTP packet containing various system and password information to the following URLs:

http://www.proxylist.ru/control/21/
http://www.proxylist.com.ua/control/21/
http://www.proxylist.com.ru/control/21/
http://www.proxylist.biz/control/21/
http://66.98.173.166/control/21/

The information sent to the URLs is similar to that shown below:

GET /control/21/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MS IE 6.0; Windows NT 5.01)
Host: www.proxylist.ru
Info: Windows NT; Passwords not Found; POS not Found
Ping: 0
CheckSum: tmFHE7kUmr
Http: 1029
Socks : 1030
Telnet: 1031
HostName: john
DNSName: john.example.com
NetBios : N
MsSQL: Y
WinDir: C:\WINNT\
Cache-Control: no-cache
Connection: close

W32/Maddis-A opens several ports and runs proxy servers for Telnet, HTTP and Socks.


W32/Nachi-D

Aliases: Worm.Win32.Welchia.d, W32.Welchia.D.Worm, WORM_NACHI.D, W95/Nachi.D

Type: Win32 worm

Detection: At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Description

W32/Nachi-D is a worm which spreads to computers at random IP addresses that are infected with W32/MyDoom-A or are vulnerable to the following Microsoft buffer overflow vulnerabilities: DCOM RPC, WebDAV, IIS5/WEBDAV and Locator Service. For further information see Microsoft Security Bulletins MS03-026, MS03-007 and MS03-049.

The worm connects to random IP addresses on port 135 or 445 and exploits these buffer-overflow vulnerabilities to execute a small amount of code on computers that have not been patched. The buffer overflow code downloads the worm and runs it. The worm allows itself to be downloaded via a random port above 1024.

The worm spreads to computers at random IP addresses that are infected with W32/MyDoom-A via a backdoor component installed by W32/MyDoom-A that provides access on port 3127.

When first run the worm copies itself to \drivers\svchost.exe and creates a new service named WksPatch with the Startup Type set to Automatic, so that the service is run automatically each time Windows is started.

The display name of the new service is created by randomly combining one word from each of the following 3 lists:

"System", "Security", "Remote", "Routing", "Performance", "Network", "License" or "Internet"
"logging", "Manager", "Procedure", "Accounts" or "Event"
"provider", "sharing", "Messaging" or "Client"

For example: "System logging provider".

The worm tries to disable selected known malware by deleting files in the Windows System folder named intrenat.exe, Regedit.exe, shimgapi.dll, cftmon.dll, Explorer.exe or TaskMon.exe and by deleting the following registry entries (if they exist):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Nerocheck
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Shimgapi.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer

The worm deletes a service named RpcPatch (if it exists) and creates the following registry entry if it doesn't already exist:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 = "\System32\webcheck.dll"

If the above registry entry was not already set, the worm creates a new 'clean' version of the HOSTS file located at \drivers\etc\hosts. The new HOSTS file simply contains an entry for localhost set to the loopback address of 127.0.0.1.

The worm may also try to download and install service packs 1 and 2 for Windows 2000 and service pack 5 for Windows XP, if they haven't already been installed.

On some language versions of Windows the worm replaces files with an extension of ASP, HTM, PHP, CGI, STM, SHTM or SHTML, located in the \help\iishelp\common folder, or in the folder specified by the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\

The replacement file is a harmless HTML file containing the text "LET HISTORY TELL FUTURE !".

When the worm is run after July 2004 it will remove itself from the computer.


W32/Agobot-FE

Aliases: Backdoor.Agobot.3.gen, Win32/Agobot.3.HF, W32.HLLW.Gaobot.AF

Type: Win32 worm

Detection: At the time of writing, Sophos has received just one report of this worm from the wild.

Description

W32/Agobot-FE is a network worm which also allows unauthorised remote access to the computer via IRC channels.

W32/Agobot-FE attempts to copy itself to network shares with weak passwords and spread to computers using the DCOM RPC and the RPC locator vulnerabilities. These vulnerabilities allow the worm to execute its code on target computers with System level privileges. For further information on these vulnerabilities and for details on how to protect/patch the computer against such attacks please see Microsoft security bulletins MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft security bulletin MS03-039.

W32/Agobot-FE moves itself to the Windows system folder as WINSEC16.EXE and creates entries in the registry at the following locations to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinSec
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinSec

W32/Agobot-FE attempts to connect to a remote IRC server and join a specific channel.

W32/Agobot-FE attempts to terminate the following security or virus related processes:

_AVP32.EXE, _AVPCC.EXE, _AVPM.EXE, ACKWIN32.EXE, ANTI-TROJAN.EXE, APVXDWIN.EXE, AUTODOWN.EXE,
AVCONSOL.EXE, AVE32.EXE, AVGCTRL.EXE, AVKSERV.EXE, AVNT.EXE, AVP.EXE, AVP32.EXE, AVPCC.EXE,
AVPDOS32.EXE, AVPM.EXE, AVPTC32.EXE, AVPUPD.EXE, AVSCHED32.EXE, AVWIN95.EXE, AVWUPD32.EXE,
BLACKD.EXE, BLACKICE.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET32.EXE, CLAW95.EXE,
CLAW95CF.EXE, CLEANER.EXE, CLEANER3.EXE, dllhost.exe, DVP95.EXE, DVP95_0.EXE, ECENGINE.EXE,
ESAFE.EXE, ESPWATCH.EXE, F-AGNT95.EXE, FINDVIRU.EXE, FPROT.EXE, F-PROT.EXE, F-PROT95.EXE,
FP-WIN.EXE, FRW.EXE, F-STOPW.EXE, IAMAPP.EXE, IAMSERV.EXE, IBMASN.EXE, IBMAVSP.EXE, ICLOAD95.EXE,
ICLOADNT.EXE, ICMON.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFACE.EXE, IOMON98.EXE, JEDI.EXE,
LOCKDOWN2000.EXE, LOOKOUT.EXE, LUALL.EXE, MOOLIVE.EXE, MPFTRAY.EXE, msblast.exe, mspatch.exe,
N32SCANW.EXE, NAVAPW32.EXE, NAVLU32.EXE, NAVNT.EXE, NAVW32.EXE, NAVWNT.EXE, NISUM.EXE, NMAIN.EXE,
NORMIST.EXE, NUPGRADE.EXE, NVC95.EXE, OUTPOST.EXE, PADMIN.EXE, PAVCL.EXE, PAVSCHED.EXE, PAVW.EXE,
PCCWIN98.EXE, PCFWALLICON.EXE, penis32.exe, PERSFW.EXE, RAV7.EXE, RAV7WIN.EXE, RESCUE.EXE,
SAFEWEB.EXE, SCAN32.EXE, SCAN95.EXE, SCANPM.EXE, SCRSCAN.EXE, scvhosl.exe, SERV95.EXE, SMC.EXE,
SPHINX.EXE, SWEEP95.EXE, TBSCAN.EXE, TCA.EXE, TDS2-98.EXE, TDS2-NT.EXE, tftpd.exe, VET95.EXE,
VETTRAY.EXE, VSCAN40.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSSTAT.EXE, WEBSCANX.EXE, WFINDV32.EXE,
winppr32.exe, ZONEALARM.EXE


W32/Netsky-C

Aliases: I-Worm.Moodown.c, Win32/Netsky.C, W32.Netsky.C{at}mm, WORM_NETSKY.C

Type: Win32 worm

Detection: Sophos has received several reports of this worm from the wild.

Description

W32/Netsky-C is a worm which spreads via shared networks and by emailing itself to addresses found within files located on drives C: to Z:.

The email subject line, message text and attachment filename are randomly chosen from lists within the worm.

The name of the attached file is chosen from: associal, msg, yours, doc, wife, talk, message, response, creditcard, description, details, attachment, pic, me, trash, card, stuff, poster, posting, portmoney, textfile, moonlight, concert, sexy, information, news, note, number_phone, bill, mydate, swimmingpool, class_photos, product, old_photos, topseller, ps, important, shower, myaunt, aboutyou, yours, nomoney, birth, found, death, story, worker, mails, letter, more, website, regards, regid, friend, unfolds, jokes, doc_ang, your_stuff, location, 454543403, final, schock, release, webcam, dinner, intimate stuff, sexual, ranking, object, secrets, mail2, attach2, part2, msg2, disco, freaky, visa, party, material, misc, nothing, transfer, auction, warez, undefinied, violence, update, masturbation, injection, naked1, naked2, tear, music, paypal, id, privacy, word_doc, image or incest.

The attachment extension will be ZIP, COM, EXE, PIF or SCR and may be preceded by .DOC, .HTM, .RTF or .TEXT (e.g. visa.htm.scr).

When first run W32/Netsky-C copies itself to the Windows folder as winlogon.exe and creates the following registry entry so that winlogon.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQNet = \winlogon.exe -stealth

W32/Netsky-C spreads via file sharing networks by copying itself to folders on drives C: to Z: whose name contains the sub-string 'Shar', using a filename randomly chosen from the following list:

1000 Sex and more.rtf.exe
3D Studio Max 3dsmax.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Adobe Premiere 9.exe
Ahead Nero 7.exe
Best Matrix Screensaver.scr
Clone DVD 5.exe
Cracks & Warez Archive.exe
Dark Angels.pif
Dictionary English - France.doc.exe
DivX 7.0 final.exe
Doom 3 Beta.exe
E-Book Archive.rtf.exe
Full album.mp3.pif
Gimp 1.5 Full with Key.exe
How to hack.doc.exe
IE58.1 full setup.exe
Keygen 4 all appz.exe
Learn Programming.doc.exe
Lightwave SE Update.exe
Magix Video Deluxe 4.exe
Microsoft Office 2003 Crack.exe
Microsoft WinXP Crack.exe
MS Service Pack 5.exe
Norton Antivirus 2004.exe
Opera.exe
Partitionsmagic 9.0.exe
Porno Screensaver.scr
RFC Basics Full Edition.doc.exe
Screensaver.scr
Serials.txt.exe
Smashing the stack.rtf.exe
Star Office 8.exe
Teen Porn 16.jpg.pif
The Sims 3 crack.exe
Ulead Keygen.exe
Virii Sourcecode.scr
Visual Studio Net Crack.exe
Win Longhorn Beta.exe
WinAmp 12 full.exe
Windows Sourcecode.doc.exe
WinXP eBook.doc.exe
XXX hardcore pic.jpg.exe

W32/Netsky-C attempts to delete the following registry entries if they exist:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\system.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sentry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msgsrv32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\D3dupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows services host
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows services host
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKLM\System\CurrentControlSet\Services\WksPatch
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

When the worm is run on the 26th of February 2004 between 06:00 and 09:00 it may cause the computer to beep sporadically.

The Netsky-C worm contains the following text embedded in its code:

<-<- we are the skynet - you can't hide yourself! - we kill malware writers (they have no chance!) - [LaMeRz-->]MyDoom.F is a thief of our idea! - -- ->->


Troj/Narhem-A

Aliases: Backdoor.VB.gen

Type: Trojan

Detection: At the time of writing, Sophos has received just one report of this Trojan from the wild.

Description

Troj/Narhem-A is a keylogging Trojan.

Troj/Narhem-A copies itself to the following locations:

\Reader.exe
\Help\Mehran.exe
\System\Mehran.exe
\System32\Acrobat.exe

Troj/Narhem-A creates the following registry entries in order to run on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Acrobat
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Syscheck

Troj/Narhem-A logs keystrokes into C:\Syslog.dat and periodically emails this file to a predefined email address.

--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
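Several of the write-ups above come down to a handful of registry indicators: the Bagle-C Run value and DateTime2 port, the Nachi-D WksPatch service. The following is an added example, not Sophos code, that checks an exported .reg file for those entries; the export text in SAMPLE_EXPORT is constructed for illustration.

```python
import re

# (key, value name or None = key merely exists, substring expected in data or None, family)
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "gouday.exe", "readme.exe", "W32/Bagle-C"),
    (r"HKEY_CURRENT_USER\Software\DateTime2", "port", "2745", "W32/Bagle-C"),
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch",
     None, None, "W32/Nachi-D"),
]

def parse_reg_export(text):
    """Return {key: {name: data}}, all lower-cased; dword data becomes a
    decimal string so 'dword:00000ab9' compares as '2745'."""
    entries, key = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            entries.setdefault(key, {})
        elif key and (m := re.match(r'"([^"]+)"=(.*)', line)):
            name, data = m.groups()
            if data.startswith("dword:"):
                data = str(int(data[6:], 16))
            else:  # quoted REG_SZ; .reg files double every backslash
                data = data.strip('"').replace("\\\\", "\\")
            entries[key][name.lower()] = data.lower()
    return entries

def find_indicators(entries):
    """Return (family, location) for every indicator present in the export."""
    hits = []
    for key, name, sub, family in INDICATORS:
        vals = entries.get(key.lower())
        if vals is None:
            continue
        if name is None:
            hits.append((family, key))
        elif name.lower() in vals and (sub is None or sub in vals[name.lower()]):
            hits.append((family, key + "\\" + name))
    return hits

# Constructed export: one benign Run value next to the Bagle-C and Nachi-D entries.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"gouday.exe"="C:\\WINNT\\System32\\readme.exe"
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\DateTime2]
"port"=dword:00000ab9
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch]
"DisplayName"="System logging provider"
'''
```

Run find_indicators(parse_reg_export(SAMPLE_EXPORT)) to get the three hits; a benign ctfmon value and a DateTime2 port other than 2745 produce none.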
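The W32/Maddis-A check-in request shown above is recognisable from its /control/ path and its non-standard headers. This added example, not Sophos code, parses a raw HTTP request, flags such a check-in and extracts the proxy ports it advertises; SAMPLE_REQUEST is constructed to mirror the advisory's sample.

```python
# Added example (not Sophos code): recognise the W32/Maddis-A check-in from a
# raw HTTP request and pull out what it leaks about the infected host.
MADDIS_HEADERS = {"info", "ping", "checksum", "http", "socks", "telnet",
                  "hostname", "dnsname", "netbios", "mssql", "windir"}

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers); header names
    are lower-cased and stripped so 'Socks :' and 'NetBios :' normalise."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

def maddis_checkin(raw):
    """Return a finding dict for a Maddis-style request, else None. The path
    prefix and the custom header set are taken from the advisory's sample."""
    method, path, headers = parse_request(raw)
    leaked = MADDIS_HEADERS & set(headers)
    if method != "GET" or not path.startswith("/control/") or len(leaked) < 4:
        return None
    ports = {h: int(headers[h]) for h in ("http", "socks", "telnet")
             if headers.get(h, "").isdigit()}   # proxy ports opened on the victim
    return {"c2_host": headers.get("host"), "victim": headers.get("hostname"),
            "proxy_ports": ports, "leaked_headers": sorted(leaked)}

# Constructed request mirroring the advisory's sample (values as shown there).
SAMPLE_REQUEST = (
    "GET /control/21/ HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MS IE 6.0; Windows NT 5.01)\r\n"
    "Host: www.proxylist.ru\r\n"
    "Info: Windows NT; Passwords not Found; POS not Found\r\n"
    "Ping: 0\r\nCheckSum: tmFHE7kUmr\r\n"
    "Http: 1029\r\nSocks : 1030\r\nTelnet: 1031\r\n"
    "HostName: john\r\nDNSName: john.example.com\r\n"
    "NetBios : N\r\nMsSQL: Y\r\nWinDir: C:\\WINNT\\\r\n"
    "Cache-Control: no-cache\r\nConnection: close\r\n\r\n"
)
```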
SOURCE: echomail via fidonet.ozzmosis.com