subject: News (fwd)
[cut-n-paste from sophos.com]

Troj/Nethief-C
Aliases: Backdoor.Nethief.XP.c, BackDoor-TW trojan, Backdoor.NetThief
Type: Trojan
Detection: At the time of writing Sophos has received just one report of this Trojan from the wild.
Description: Troj/Nethief-C is a backdoor Trojan that copies itself to IExplorer.exe in the Windows system folder and sets the registry entry
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Internet Explorer = Iexplorer.exe

W32/Opaserv-E
Type: Win32 worm
Detection: At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.
Description: W32/Opaserv-E is a worm that spreads via network shares. When executed the worm will create a file called scrsvr.exe in the Windows folder on the current drive. W32/Opaserv-E then adds the following registry entry to run itself when Windows starts:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr = C:\Windows\ScrSvr.exe
The worm scans a range of IP addresses for the local area network searching for computers with an open C: share and NETBIOS enabled over TCP/IP. When a share is found the worm is copied to the Windows folder of that share and modifies the file win.ini so that the worm is executed the next time Windows is started on that computer. Once the local area network has been scanned the worm will start performing the same search on the internet starting at a randomly generated IP address. As a result anyone connected to the internet who has file sharing enabled and who enables NETBIOS over TCP/IP is potentially vulnerable to this worm. W32/Opaserv-E also attempts to connect to a website that is currently unavailable. This attempted connection is most likely intended as a means of updating the worm executable.
The following non-viral files may be found in the root folder of infected systems: tmp.ini, scrsin.dat, scrsout.dat

W32/Opaserv-C
Aliases: Opaserv-E
Type: Win32 worm
Detection: At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.
Description: W32/Opaserv-C is a variant of W32/Opaserv-A and is a worm that spreads via network shares. When executed the worm will create a file called brasil.exe or brasil.pif in the Windows folder on the current drive. W32/Opaserv-C then adds one of the following registry entries to run itself when the system starts:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Brasil = C:\WINDOWS\brasil.exe
  or
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Brasil = C:\WINDOWS\brasil.pif
The worm attempts to copy itself to the Windows folder on networked computers with open shared drives. It then modifies the win.ini file on the remote machine to ensure the copied file will be run on system start. The worm also searches local IP addresses for open C: shares and attempts to copy itself to the Windows folder of the share. Once the local area network has been scanned the worm will start performing the same search on the internet starting at a randomly generated IP address. As a result anyone connected to the internet who has file sharing enabled and who enables NETBIOS over TCP/IP is potentially vulnerable to this worm. W32/Opaserv-C also attempts to connect to a website that is currently unavailable. This attempted connection is most likely intended as a means of updating the worm executable.
The following three non-viral files may be found in the root folder of infected systems: put.ini, scrsin.dat, scrsout.dat

Troj/Netdex-A
Aliases: Backdoor.Netdex
Type: Trojan
Detection: At the time of writing Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers.
Description: Troj/Netdex-A is a backdoor Trojan which allows unauthorised remote access to the computer. The Trojan is composed of several parts. When a user connects to an infected website the file BANNER.HTML may be run. BANNER.HTML drops and executes two files on the victim's computer, A.COM and ZSHELL.JS. ZSHELL.JS is dropped in the Cookies folder. When this file is run it drops a BAT file to execute and delete A.COM. The BAT file is then also deleted. Finally ZSHELL.JS runs NETD.EXE which is created in the Windows Temp folder when A.COM is run. All communication to the remote server goes through NETD.EXE, which downloads the file INSTALL.PHP from the remote server. INSTALL.PHP creates the file REPOST.HTML and edits a registry entry to point to this file. It then runs NETD.EXE with a parameter to get SH.PHP. SH.PHP is the main Trojan script and runs NETD.EXE with an option to retrieve the set of commands that the Trojan should execute. SH.PHP is then copied over ZSHELL.JS (NETD.EXE uses two files for input and output: it reads I.JS for input to send to the server and it writes the received data to O.JS. The new O.JS is copied over the old ZSHELL.JS to enable remote updating). The time zone synchronisation registry entries are modified to point to ZSHELL.JS so that it is periodically run.

W32/Appix-B
Aliases: I-Worm.Apbost, W32/Xiv.b virus
Type: Win32 executable file virus
Detection: At the time of writing Sophos has received just one report of this virus from the wild.
Description: W32/Appix-B is a virus that arrives in an email with the following characteristics:
Subject line: begins with one of
  A nice Screensaver of
  Ein netter Screensaver von
  New Version of
  Eine neue Version von
followed by one of
  BestTool
  Pamela Anderson
  Angelina Jolie
  Anna Kournikova
  Porn Screensaver
  Sex ScreenSaver
  TvTool
  Flashget
  WarezBoardAccess
  Undelivarable Email
  Brute Force Tool
Attached file: chosen from
  PamAnderson.scr
  Jolie.scr
  AnnaKournikova.scr
  XXX.scr
  FreeSex.exe
  TvTool.exe
  FlashGet.exe
  WarezBoardAccess.exe
  Undelivarablemail.exe
The virus attempts to exploit a MIME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment. When the virus is executed it creates a copy of itself in the Windows folder called Appboost.exe and changes the registry by setting the following entry to point to Appboost.exe so that this file will be executed every time an EXE file is run:
  HKLM\Software\Classes\exefile\shell\open\command
W32/Appix-B attempts to stop the following services:
  ANTIVIR AVP32 AVPCC NOD32 NPSSVC NRESQ32 NSCHED32 NSCHEDNT NSPLUGIN NAV NAVA PSVC NAVAPW32 NAVLU32
  NAVRUNR NAVW32 AVPM ALERTSVC AMON N32SCANW NAVWNT AVPUPD AVGCTRL AVWIN95 SCAN32 VSHWIN32 F-STOPW
  F-PROT95 ACKWIN32 VETTRAY SWEEP95 PCCWIN98 IOMON98 AVPTC AVE32 AVCONSOL FP-WIN DVP95 F-AGNT95 CLAW95
  NVC95 SCAN VIRUS LOCKDOWN2000 NORTON MCAFEE ANTIVIR FIREWAL VET95 SAFEWEB WEBSCANX ICMON CFINET
  AVP.EXE ZONEALARM AMON.EXE PCCIOMON PCCMAIN POP3TRAP WEBTRAP AVSYNMGR NMAIN LUALL LUCOMSERVER IAMAPP
  ATRACK IAMSERV PCFWALLICON TDS2-98 TDS2-NT VSECOMR NISSERV NISUM F-PROT AOL
This virus may also infect PHP and PHTML files by adding code that is intended to spread via PHP, PHTML, HTM and HTML files.
Microsoft has issued a patch which secures against the incorrect MIME header vulnerability which can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS01-027.asp (This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this virus.)

W32/Opaserv-D
Aliases: Worm.Win32.Opasoft.d, BackDoor-ALB trojan
Type: Win32 worm
Detection: At the time of writing Sophos has received just one report of this worm from the wild.
Description: W32/Opaserv-D is a variant of W32/Opaserv-A and is a worm that spreads via network shares. When executed the worm will create a file called scrsvr.exe in the Windows folder on the current drive. W32/Opaserv-D then adds the following registry entry to run itself when the system starts:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr = C:\WINDOWS\ScrSvr.exe
The worm attempts to copy itself to the Windows folder on networked computers with open shared drives. It then modifies the win.ini file on the remote machine to ensure the copied file will be run on system start. The worm also searches local IP addresses for open C: shares and attempts to copy itself to the Windows folder of the share. Once the local area network has been scanned the worm will start performing the same search on the internet starting at a randomly generated IP address. As a result anyone connected to the internet who has file sharing enabled and who enables NETBIOS over TCP/IP is potentially vulnerable to this worm. W32/Opaserv-D also attempts to connect to a website that is currently unavailable. This attempted connection is most likely intended as a means of updating the worm executable.
The following three non-viral files may be found in the root folder of infected systems: tmp.ini, scrsin.dat, scrsout.dat

--- MultiMail/MS-DOS v0.27
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 24/903 120/544 123/140 500 400/300 490/33 633/104 260 262 267 270
SEEN-BY: 633/285 634/383 640/954 690/682 770/215 771/4020 774/605 2432/200
@PATH: 123/140 500 774/605 633/260 285
SOURCE: echomail via fidonet.ozzmosis.com
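The forwarded advisories name three autostart locations that the Opaserv, Nethief and Appix samples write to: a value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, the run= (or load=) line in the [windows] section of win.ini, and the exefile\shell\open\command handler that Appix-B replaces so that every .exe launch goes through Appboost.exe first. The Python script below is an added example, not part of the Sophos text or the forwarded post: it parses a win.ini and a .reg export (both embedded here as constructed samples) and flags those indicators. The file names it matches are the ones quoted in the advisories; the severity labels and the function names are this example's own. On a live system you would replace the samples with %WINDIR%\win.ini and the output of `reg export` for the two keys.

```python
"""Audit win.ini and a .reg export for the autostart indicators named in the
Opaserv / Nethief / Appix advisories.  Added example, not Sophos code.
The two inputs below are constructed samples, not captures from a real host."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, where, detail)

# File names quoted in the advisories, lower-cased for comparison.  Note that
# the Nethief dropper is IExplorer.exe; the genuine browser binary is iexplore.exe.
DROPPER_NAMES = {"scrsvr.exe", "brasil.exe", "brasil.pif", "iexplorer.exe", "appboost.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'   # stock handler: run the .exe itself with its arguments

# Constructed sample inputs (not from a real machine).
WIN_INI_SAMPLE = """[windows]
load=
run=C:\\WINDOWS\\scrsvr.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScrSvr"="C:\\WINDOWS\\ScrSvr.exe"
"Internet Explorer"="Iexplorer.exe"
"Adobe Reader Speed Launch"="C:\\Program Files\\Adobe\\reader_sl.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\Appboost.exe \"%1\" %*"
'''


def basename(path: str) -> str:
    """Last path component, unquoted and lower-cased: 'C:\\WINDOWS\\ScrSvr.exe' -> 'scrsvr.exe'."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section: {key: value}}, section and key names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, val = line.partition("=")
            sections.setdefault(current, {})[key.strip().lower()] = val.strip()
    return sections


_REG_VALUE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<val>.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a 'Windows Registry Editor Version 5.00' export into {key_path: {value_name: data}}.
    The (Default) value is stored under ''.  Only REG_SZ data ("...") is unescaped;
    dword:/hex: data is kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _REG_VALUE.match(line)
        if not m or not current:
            continue
        name = "" if m.group("default") else re.sub(r'\\(["\\])', r"\1", m.group("name"))
        data = m.group("val")
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(["\\])', r"\1", data[1:-1])  # undo .reg escaping of \ and "
        keys[current][name] = data
    return keys


def check_win_ini(text: str) -> List[Finding]:
    """[windows] run= / load= are legacy autostarts; Opaserv writes its copy there on remote hosts."""
    findings: List[Finding] = []
    windows = parse_ini(text).get("windows", {})
    for key in ("run", "load"):
        for entry in filter(None, (e.strip() for e in windows.get(key, "").split(","))):
            sev = "HIGH" if basename(entry) in DROPPER_NAMES else "MEDIUM"  # any entry is unusual
            findings.append((sev, f"win.ini [windows] {key}=", entry))
    return findings


def check_registry(text: str) -> List[Finding]:
    """Flag Run values pointing at the quoted dropper names and a replaced exefile handler."""
    findings: List[Finding] = []
    reg = parse_reg(text)
    for name, data in reg.get(RUN_KEY, {}).items():
        if basename(data) in DROPPER_NAMES:
            findings.append(("HIGH", f"{RUN_KEY}\\{name}", data))
    handler = reg.get(EXEFILE_KEY, {}).get("")
    if handler is not None and handler != EXEFILE_DEFAULT:
        findings.append(("HIGH", f"{EXEFILE_KEY}\\(Default)", handler))  # Appix-B style hijack
    return findings


def audit(win_ini: str, reg_export: str) -> List[Finding]:
    return check_win_ini(win_ini) + check_registry(reg_export)


if __name__ == "__main__":
    for sev, where, detail in audit(WIN_INI_SAMPLE, REG_SAMPLE):
        print(f"{sev:6} {where}\n       -> {detail}")
```

Against the constructed samples this reports four findings: the win.ini run= line, the two Run values (ScrSvr and the look-alike Iexplorer.exe; the Adobe entry passes), and the exefile handler, whose default value should be exactly `"%1" %*` on a clean system. `reg export` writes its file as UTF-16 with a byte-order mark on current Windows versions, so read it with that encoding before passing the text to `check_registry`.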