[cut-n-paste from sophos.com]

W32/Randex-Q

Aliases
W32.Randex.Q, WORM_RANDEX.Q

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Randex-Q is a network worm with backdoor capabilities which allows 
a remote intruder to access and control the computer via IRC channels.

W32/Randex-Q chooses IP addresses at random and tries to connect to
the IPC$ share using simple passwords. If the connection is sucessful 
the worm attempts to copy itself to the following remote locations:

\c$\winnt\system32\musirc4.71.exe

\Admin$\system32\musirc4.71.exe

W32/Randex-Q then schedules a job to execute the remotely dropped files.

Each time the worm is run it tries to connect to a remote IRC server and
join a specific channel. The worm then runs in the background as a server
process listening for commands to execute.

When first run the worm copies itself to Windows system folder as 
Musirc4.71.exe, metalrock.exe or metalrock-is-gay.exe and adds the 
pathname of this executable to a sub-key of the following registry 
entries so that the worm is run automatically each time Windows is 
started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Example registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MusIRC (irc.musirc.com) client = musirc4.71.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MusIRC (irc.musirc.com) client = musirc4.71.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MeTaLRoCk (irc.musirc.com) has sex with printers = metalrock-is-gay.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MeTaLRoCk (irc.musirc.com) has sex with printers = metalrock-is-gay.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows MeTaLRoCk service = metalrock.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows MeTaLRoCk service = metalrock.exe





VBS/Flea-A

Aliases
JS/Flea.A

Type
Visual Basic Script worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
VBS/Flea-A is a worm that propagates via HTML email. The worm arrives as 
the signature to an HTML email.

When the HTML email is rendered a webpage is loaded and JavaScript on it 
is run. The JavaScript then loads another webpage containing VB Script 
that will drop a file C.HTM in the Windows folder.

This file will also be set to the signature of Outlook Express.





W32/Agobot-AA

Aliases
Backdoor.Agobot.3.h

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Agobot-AA is a network worm which also allows unauthorised remote 
access to the computer via IRC channels.

W32/Agobot-AA is capable of spreading to computers on the local network 
protected by weak passwords.

The worm copies itself to the Windows System folder as Lsas.exe and 
creates the following registry entries, so that Lsas.exe is run 
automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Explorer= LSAS.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Explorer= LSAS.exe

Each time W32/Agobot-AA is run the worm attempts to connect to a remote 
IRC server and join a specific channel.

W32/Agobot-AA then runs continuously in the background, allowing a remote 
intruder to access and control the computer via IRC channels.





Troj/CoreFloo-C

Aliases
TrojanDropper.Win32.Emaner, CoreFlood.dr, Backdoor.Coreflood

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/CoreFloo-C is a backdoor Trojan which allows a remote intruder to 
access and control the computer via IRC channels.

The Trojan arrives as an installation executable with a random filename 
consisting of 7 characters a-z and an extension of EXE.

When the installation executable is run on Windows 95, 98 or ME (or FAT 
drives) it drops a DLL to the Windows System folder with a filename 
consisting of 7 random characters a-z and an extension of DLL.

When the installation executable is run on a Windows NT, 2000 or XP 
system with an NTFS drive it drops the DLL as an ADS file associated 
with the Windows System folder (typically \System32). The new 
ADS file will also have a random 7-character name with an extension of 
DLL.

The installation executable then launches the DLL component which adds 
its pathname to the following registry entry, so that it is run 
automatically each time Windows is started:

HKLMSoftware\Microsoft\Windows\CurrentVersion\RunOnce
\ = rundll32 %SYSTEM% .dll,Init 1

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
\ = rundll32 %SYSTEM% ,Init 1

The DLL component injects itself into the EXPLORER process making it 
invisible in the Task Manager process list.

Troj/CoreFloo-C also has anti-delete functionality which attempts to 
prevent viral processes from being terminated and resets the above 
registry entries if they are removed.





W32/Opaserv-R

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Opaserv-R is a variant of W32/Opaserv-A.

W32/Opaserv-R spreads via network shares. The worm will copy itself into 
the Windows folder on the current drive and add the following registry 
entry so that it is run when the system starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Brasil= C:\Windows\Brasil.pif

The worm attempts to copy itself to the Windows folder on networked 
computers with open shared drives. The worm then modifies the win.ini on 
the remote machine to ensure it will be run on system restart.

The worm also attempts to download files and drop the files put.ini, 
brasil.dat and brasil!.dat to the root folder of the current drive.





W32/Dafly-B

Aliases
Win32/Dafly.B, Worm.P2P.Dafly.b, W32/Dafly.worm

Type
Win32 executable file virus

Detection
At the time of writing Sophos has received no reports from users 
affected by this virus. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Dafly-B is a prepending virus which infects Windows executable files.

W32/Dafly-B copies itself to the Windows system folder with the 
filenames SysDrv32.exe and Enjoy.exe and then sets the following 
registry entries to point to itself so that it is executed every time 
one of those filetypes is run (though a bug means that it may crash):

HKCR\batfile\shell\open\command\
HKCR\comfile\shell\open\command\
HKCR\exefile\shell\open\command\
HKCR\piffile\shell\open\command\
HKCR\scrfile\shell\open\command\

W32/Dafly-B infects all files in the folder and subfolders pointed to by 
the following registry entries:

HKCU\Software\Widcomm\BTConfig\Services\0005\root
HKLM\Software\Kazaa\CloudLoad\ShareDir

W32/Dafly-B will also copy itself to the folders pointed to by these 
entries with the filenames Matrix2.scr and Terminator3.scr.

W32/Dafly-B keeps a track of how many files it has infected by setting 
the number in the registry entry 
HKLM\Software\Microsoft\Windows\CurrentVersion\Infected.

After infecting 49 files W32/Dafly-B will delete files instead of 
infecting them.

W32/Dafly-B tries to stop registry tools from being run by setting the 
following key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools = "1"

W32/Dafly-B tries to read the key value HKCU\Identies\Default User ID. 
The virus then tries to set the following entries:

HKCU\Identities\\Software\Microsoft\Outlook Express\5.0\
Signature Flags = "1"
HKCU\Identities\\Software\Microsoft\Outlook Express\5.0\
Signatures\Default Signature = "00000000"
HKCU\Identities\\Software\Microsoft\Outlook Express\5.0\
Signatures\00000000\file = "\Enjoy.exe"
HKCU\Identities\\Software\Microsoft\Outlook Express\5.0\
Signatures\00000000\name = "MADFYLY"
HKCU\Identities\\Software\Microsoft\Outlook Express\5.0\
Signatures\00000000\text = ""
HKCU\Identities\\Software\Microsoft\Outlook Express\5.0\
Signatures\00000000\type = "2"

W32/Dafly-B checks for the presence of the registry entry 
HKLM\Software\IDAVLab\DRWEB32W\ExePath. If this registry entry exists 
then the virus will not infect files that are run from the folder that 
it references, but will instead display the message "Dr.Web for Windows 
95-XP. EVALUATION version! To get your registration key, call regional 
dealer.". W32/Dafly-B will then also try to delete a registry entry 
from HKCR\CLSID.

W32/Dafly-B sets the following registry entry in the course of 
execution:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page = "MADFLY.TK"





Troj/IRCBot-P

Aliases
Backdoor.IRCBot.gen

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/IRCBot-P is an IRC backdoor Trojan which allows unauthorised 
remote access to a compromised computer via IRC channels.

The Trojan copies itself to the Windows system folder with the filename 
autoupdate.exe and sets the following registry entries to run this copy 
of the Trojan when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windowsupdate
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\windowsupdate





W32/Randex-I

Aliases
W32/Sdbot.worm.gen.b, Win32/Randex.J, W32.Randex.F, WORM_RANDEX.F

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Randex-I is a network worm with backdoor capabilities which allows a
remote intruder to access and control the computer via IRC channels.

W32/Randex-I spreads over a network by copying itself to the Windows
system32 folder of C$ and Admin$ shares that contain weak passwords.

Each time the worm is run it tries to connect to a remote IRC server and
join a specific channel. The worm then runs in the background as a server
process listening for commands to execute.

When first run the worm copies itself to Windows system folder as
msnv32.exe and creates the following registry entries so that the worm is 
run when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Netview Component v5.1 = msnv32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Microsoft Netview Component v5.1 = msnv32.exe





W32/Donk-E

Aliases
W32/Sdbot.worm, W32.HLLW.Donk.B, BKDR_SDBOT.Y

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Donk-E is a network worm and backdoor Trojan.

W32/Donk-E copies itself to network shares with weak passwords and 
attempts to spread to computers using the DCOM RPC vulnerability.

This vulnerability allows the worm to execute its code on target 
computers with System level privileges. For further information on this 
vulnerability and for details on how to protect/patch the computer, see 
Microsoft security bulletin MS03-026.

When first run, W32/Donk-E copies itself to the Windows system folder as 
COOL.EXE and NETAPI32.EXE and creates the following registry entries so 
that NETAPI32.EXE is run automatically each time Windows is started:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft System Checkup = netapi32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices\Microsoft System Checkup = netapi32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run\NT Logging Service = syslog32.exe

W32/Donk-E fails to copy itself as syslog32.exe.
W32/Donk-E connects to other computers on the local network. If a 
computer have a weak password W32/Donk-E copies itself to the following 
startup folders:

\WINNT\Profiles\All Users\Start Menu\Programs\Startup
\WINDOWS\Start Menu\Programs\Startup
\Documents and Settings\All Users\Start Menu\Programs\Startup

W32/Donk-E also includes backdoor Trojan functionality which allows a 
remote intruder to access and control the computer via IRC channels.

Each time W32/Donk-E is run it tries to connect to a remote IRC server 
and join a specific channel. W32/Donk-E then runs continuously in the 
background as a service process listening for commands to execute.

The remote intruder will be able to carry out a variety of actions such 
as get system information, download files, perform a DDoS flooder attack 
on another computer and execute programs. One of the files that 
W32/Donk-E may download and execute on the victim's computer is a sample 
of W32/Donk-D.





W32/Agobot-AB

Aliases
Backdoor.Agobot.3.h

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-AB is a variant of the Agobot family of worms with a backdoor 
component. This version drops the file Iexplorer.exe into the Windows 
system folder and creates the following registry entries to run 
automatically when Windows boots up:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Windows Backup Configuration

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Windows Backup Configuration





W32/Donk-D

Aliases
WORM_DONK.B, W32/Sdbot.worm.gen, Backdoor.SdBot.gen

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Donk-D is a network worm and backdoor Trojan.

W32/Donk-D copies itself to network shares with weak passwords and 
attempts to spread to computers using the DCOM RPC vulnerability.

This vulnerability allows the worm to execute its code on target 
computers with System level priviledges. For further information on this 
vulnerability and for details on how to protect/patch the computer, see 
Microsoft security bulletin MS03-026.

When first run, W32/Donk-D copies itself to the Windows System folder as 
Cool.exe and Wnetlib.exe and creates the following registry entries so 
that Wnetlib.exe is run automatically each time Windows is started:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft System Checkup = wnetlib.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft System Checkup = wnetlib.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
NT Logging Service = syslog32.exe

(W32/Donk-D fails to copy itself as syslog32.exe.)

W32/Donk-D connects to other computers on the local network that have 
weak passwords and then copies itself to the following startup folders:

\WINNT\Profiles\All Users\Start Menu\Programs\Startup

\WINDOWS\Start Menu\Programs\Startup

\Documents and Settings\All Users\Start Menu\Programs\Startup

W32/Donk-D also includes backdoor Trojan functionality which allows a 
remote intruder to access and control the computer via IRC channels.

Each time W32/Donk-D is run it tries to connect to a remote IRC server 
and join a specific channel. W32/Donk-D then runs continuously in the 
background listening for commands to execute.

The remote intruder will be able to carry out a variety of actions such 
as: get system information, download files, perform a DDoS flooder 
attack on another computer and execute programs.





W32/Spybot-R

Aliases
W32.Spybot.Worm, Worm.P2P.SpyBot.gen

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Spybot-R is a P2P worm that spreads via the KaZaA file sharing 
network.

Upon execution, W32/Spybot-R displays the fake error message
"Runtime Error", "Unable to locate Smartinstl32.dll.
Re-installing the 
application may fix the problem".

The worm creates the folder \kazaabackupfiles and copies itself 
there using several different filenames, including:

Battlefield_1942.Keygen.FDX.ShareReactor.exe
C&C.Generals-keygen.exe
cs-keygen.exe
dev-nfs.exe
eatop605kg.exe
Freelancer Keygen.exe
hv-Max5-kg.exe
Opera601key.exe
PowerDVD XP v4.0 Keygen.exe
QuickTime 6 Pro keygen.exe
Sonic Foundry ACID Pro 4.0 Keygen(1).exe
VMware 320 keygen (1).exe
Windows XP Professional Keygen by CaFo.exe

To enable sharing of these files the registry entry

HKCU\Software\Kazaa\LocalContent\Dir0

is updated to point to this location.

In order to be run automatically on system startup the worm copies 
itself to explorer64.exe in the Windows system folder and adds the 
following registry entries which point to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Explorer(64)

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Explorer(64)

W32/Spybot-R has an IRC backdoor component which has keylogging and 
backdoor capabilities. The worm connects to an IRC server announcing 
the infection and allows a malicious user remote access to the computer.






 
--- MultiMail/Win32 v0.43