echo: virus_info
to: ALL
from: KURT WISMER
date: 2003-07-06 16:02:00
subject: News

[cut-n-paste from sophos.com]

W32/Mumu-C

Aliases
Backdoor.MeteorShell.58

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Mumu-C is a worm which spreads by copying itself to and executing 
itself on remote network shares with weak or no passwords.

The worm drops the following files in the Windows system folder:


    * LAST.EXE, detected as Troj/BGirlB-A
    * KAVFIND.EXE, detected as Troj/Hacline-B
    * IPCPASS.TXT, an innocuous file used by Troj/Hacline-B
    * PSEXEC.EXE, a legitimate networking utility

W32/Mumu-C uses Troj/Hacline-B to identify potential victim IP 
addresses. The worm then copies itself to the remote computer and uses 
PSEXEC to execute itself remotely.

W32/Mumu-C uses Troj/BGirlB-A to log keystrokes and steal passwords and 
then sends them to a preconfigured email account at certain intervals.





WM97/Revas-A

Type
Word 97 macro virus

Detection
At the time of writing Sophos has received just one report of this 
virus from the wild.

Description
WM97/Revas-A is a macro virus that will make copies of infected files 
in the folder Office\Doc_Copy within the Microsoft Office folder.





W32/Klexe-A

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Klexe-A is a worm that uses Microsoft Outlook to send an email to 
all addresses found in the address book. The email arrives with the 
following characteristics:

Subject line: "Re:"
Message text:
" You received this email because you where sent a 'pass this on
e-messenger card' through one of our valued partners. If you believe you
received this message in error or would no longer like to receive e-mail
from us click here http://www.geocities.com/ecardmessenger/us.htm

To download your card click on the link below:



P.S. If you received this message but do not know the sender or wish to
unsubscribe or if you have any questions, please mail to
services{at}emmsconline.com"

Attached file: no attachment.

If the user clicks on the above link, the ZIP file will be downloaded. 
Ecmsetup1.zip contains two files: a copy of W32/Klexe-A with the file 
name ecmsetup1.exe and a Trojan detected by Sophos anti-virus as 
Troj/Klexe-A with the file name kl.exe.

When executed, W32/Klexe-A (ecmsetup1.exe) will display the following 
fake error message:

"The specified file refers to a location that is unavailable. It could 
be on a hard drive on this computer, on a network, or on a different 
computer on your home network. Check to make sure that the disk is 
properly inserted, or that you are connected to the Internet or home 
network, and then try again. If it still cannot be located, the 
information might have been moved to a different location."

and will try to copy Troj/Klexe-A (kl.exe) to the following locations:
c:\windows\startm~1\programs\startup\Windows Explorer.exe
d:\windows\startm~1\programs\startup\Windows Explorer.exe
e:\windows\startm~1\programs\startup\Windows Explorer.exe
f:\windows\startm~1\programs\startup\Windows Explorer.exe

W32/Klexe-A will also use Troj/Klexe-A in an attempt to send system 
information to a specific email address.





W32/Sage-A

Aliases
BackDoor-ASV

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Sage-A is a worm that spreads through email attachments. The emails 
have the following characteristics:

Subject Line: UPDATE
Message Text:
ICQ Pro 2003a beta build 3800 popular pick
-----------------------------------------------
Download Now Free download 3.79MB
More download links
Downloads: 226,715,753
Publisher: ICQ
Date added: March 30, 2003
File size: 3.79MB; Clock this download
License: Free
Minimum requirements: Windows (all)
Uninstaller included?: Yes

------------------------------------------------
Publisher's Description
ICQ Pro 2003a is the latest release of ICQ, the instant-messaging 
program that lets you communicate with friends and colleagues in real 
time. To seek out a friend on the ICQ network, simply enter his or her 
ICQ number, name, nickname, or e-mail address. Once your contact list 
is set up, you'll be notified when your friends are online so you can 
chat; send instant messages, files, and URLs; play games; or just hang 
out.
ICQ Pro 2003a includes ICQphone, a feature that incorporates IP 
telephony functions into the ICQ program. Users can initiate and 
participate in PC-to-PC and PC-to-phone calls. In addition, users can 
also utilize SMS technology, send wireless-pager messages, view 
up-to-date information on ICQ channels, and integrate ICQ with Outlook.

With the latest version of ICQ, you can move instantly from the Pro to 
Lite versions just by clicking "Switch to ICQ lite" from the Main menu, 
and the shared ICQ preferences and password make it easy to move 
between Lite and Pro versions without losing your settings. Other new 
features include improved e-mail integration and user interface, 
enhanced integration with Windows XP, automatic firewall detection, and 
the new Search Google window which allows you instant access to Google 
searches through the ICQ interface, plus much more. For a complete list 
of new features, visit the ICQ New Features page.

Attached file: ICQ2003a.exe

Upon execution, the worm drops a copy of itself as svch0st.exe, and 
another component as WinSocks.Dll, to the Windows System folder and 
then removes itself from the current folder.

W32/Sage-A sets the following registry entries so that it is run on 
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winsock = "\svch0st.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\winsock = "\svch0st.exe"

In addition, the worm adds the following entry to win.ini to run itself 
on startup:
run=\svch0st.exe

W32/Sage-A worm also modifies the following registry entry so that it 
is run whenever an executable is run:

HKCR\exefile\shell\open\command = "\svch0st.exe "%1" %*"

W32/Sage-A opens numerous ports on the local computer and connects to a 
remote computer. This might provide unauthorised backdoor access from a 
remote location.

W32/Sage-A runs in the background as a process and performs process 
stealthing, which makes it difficult to terminate the running process.





W32/Sluter-A

Aliases
Worm.Win32.Sluter, W32/Sluter.worm, Win32/Sluter.A, W32.Randex.B,
WORM_SLUTER.A

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Sluter-A is a network aware worm.

W32/Sluter-A scans port 445 of a large number of randomly generated IP 
addresses. When an open port is found the worm will test the shares C$ 
and Admin$ for the following administrator passwords:

admin
root
1
111
123
1234
123456
654321
!{at}#$
asdf
asdfgh
!{at}#$%
!{at}#$%^
!{at}#$%^&
!{at}#$%^&*
server

If the worm gains access to one of the shares then the worm executable 
will be copied to the system folder of that share with the filename 
msslut32.exe. W32/Sluter-A will then schedule a job to start the worm 
on the compromised computer.

W32/Sluter-A creates the following registry entry so that the worm is 
run when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Superslut = msslut32.exe





W32/Colevo-A

Aliases
W32.Vivael{at}mm, I-Worm.Colevo

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Colevo-A is an email worm that sends itself to the infected user's 
MSN Messenger contacts. The email will have the following 
characteristics:

Subject line: El fin se puede hackear a hotmail!!
Message text: Oye te ? paso el programa para entrar a cuentas del 
messenger. y facilingo te lo paso a voz nomas, prometeme que no se lo 
pasas a nadie, ya?
Respondeme que tal te parecio, chau
Attached file: hotmailpass.exe

W32/Colevo-A copies itself to the following files:
\command.exe
\Hot Girl.scr
\hotmailpass.exe
\Inf.exe
\Internet download .exe
\Internet File.exe
\Part Hard Disk.exe
\Shell.exe
\system.exe
\System32.exe
\System64.pif
\Temp.exe
\All User\Server.exe
\system32\command.com
\system32\net.com
\system32\www.microsoft.com
\system32\Inf.exe
\menu inicio\programas\inicio\www.microsoft\com
\Evo Morales.scr

W32/Colevo-A will make the following registry changes:
HKCR\htafile\shell\open\command\(Default)
= "C:\Windows\commands.exe", "%1 %*"
HKCR\exefile\shell\open\command\(Default)
= "C:\Windows\command.exe", "%1 %*"
HKCR\comfile\shell\open\command\(Default)
= "C:\Windows\Inf.exe", "%1 %*"
HKCR\batfile\shell\open\command\(Default)
= "C:\Windows\temp.exe", "%1 %*"
HKCR\piffile\shell\open\command\(Default)
= "C:\Windows\commands.exe", "%1 %*"
HKCR\exefile\NeverShowExt
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System
= C:\Windows\system.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4\System
= C:\Windows\temp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\System
= C:\Windows\commands.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System
= C:\Windows\system.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4\System
= C:\Windows\system.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\System
= C:\Windows\temp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\System
= C:\Windows\system.exe

The following lines will be prepended to win.ini:
[windows]
load=archivo.exe
run=archivo.exe
####Viva el EVO, y jamas erradicaran la Coca Cola!!! mentira colla 
maldito!!
(PYN Pablo_Hack{at}hotmail.com)####

The following lines will be prepended to system.ini:
[boot]
Shell=explorer.exe temp.exe

The file winstart.bat will be created and will contain the single line
"null=c:\windows\system.exe".

W32/Colevo-A runs in the background as a backdoor server allowing 
unauthorised access to the victim's computer.

W32/Colevo-A continually opens the user's web browser to any of the 
following pages:

http://jeremybigwood.net/Bolivia/images/Bolivia.Sept.2K.000.jpg
http://news.bbc.co.uk/olmedia/775000/images/_778100_morales150.jpg
http://www.commondreams.org/headlines/images/100700-01.jpg
http://www.ni.laprensa.com.ni/archivo/2002/julio/09/elmundo/elmundo-20020709-01.jpg
http://www.soc.uu.se/mapuche/indgen/puntofinal020822.jpg
http://www.cannabisculture.com/library/images/images/uploads/2409-Evo-morales-speaking.jpg
http://www.chilevive.cl/news/img/evom.jpg
http://membres.lycos.fr/asocamerlat/evo%20morales_bolivia2.gif
http://news.bbc.co.uk/media/images/38128000/jpg/_38128025_020710bolivia300b.jpg

All the links above contain clean image files.

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
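The W32/Sage-A, W32/Sluter-A and W32/Colevo-A advisories above all persist through the same few places: Run/RunServices keys, the exefile/comfile/batfile/piffile shell\open\command handlers, and win.ini/system.ini launch lines. The following is an added example (not from the post or from Sophos) of a small offline checker for those spots; it takes an already-exported mapping of registry values plus the two .ini files as text, and the sample input is constructed to mirror the entries quoted in the advisories.

```python
import re
from pathlib import PureWindowsPath

# File names the advisories above list as dropped worm copies (Sage-A, Sluter-A, Colevo-A).
KNOWN_BAD = {"svch0st.exe", "msslut32.exe", "system.exe", "temp.exe",
             "commands.exe", "command.exe", "inf.exe", "archivo.exe"}
# On an unmodified system these file-type handlers just launch the target itself.
DEFAULT_OPEN_CMD = '"%1" %*'
HIJACK_TYPES = ("exefile", "comfile", "batfile", "piffile")
RUN_KEYS = ("\\run\\", "\\runonce\\", "\\runservices\\", "\\runservicesonce\\")

def audit_registry(values):
    """values maps registry value paths to their data. Returns (path, reason) hits."""
    hits = []
    for path, data in values.items():
        low = path.lower()
        hijack_key = any(low.startswith("hkcr\\%s\\shell\\open\\command" % t)
                         for t in HIJACK_TYPES)
        if hijack_key and data.strip() != DEFAULT_OPEN_CMD:
            hits.append((path, "file-type open command hijacked: " + data))
        elif "\\currentversion" in low and any(k in low for k in RUN_KEYS):
            name = PureWindowsPath(data.strip('"')).name.lower()
            if name in KNOWN_BAD:
                hits.append((path, "autorun entry points at worm file " + name))
    return hits

def audit_ini(win_ini, system_ini):
    """Flag win.ini run=/load= launchers and extra programs on the system.ini Shell= line."""
    hits = []
    for line in win_ini.splitlines():
        m = re.match(r"\s*(run|load)\s*=\s*(\S.*)", line, re.I)
        if m:
            hits.append(("win.ini", "%s= launches %s" % (m.group(1).lower(), m.group(2))))
    for line in system_ini.splitlines():
        m = re.match(r"\s*shell\s*=\s*(.*)", line, re.I)
        if m and m.group(1).strip().lower() != "explorer.exe":
            hits.append(("system.ini", "Shell= runs extra program: " + m.group(1).strip()))
    return hits

# Constructed sample input mirroring the entries quoted in the advisories (not a real export).
SAMPLE_REGISTRY = {
    r"HKCR\exefile\shell\open\command": r'"\svch0st.exe "%1" %*"',
    r"HKCR\batfile\shell\open\command": r'"%1" %*',
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winsock": r'"\svch0st.exe"',
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Superslut": "msslut32.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Program Files\Vendor\upd.exe",
}
SAMPLE_WIN_INI = "[windows]\nload=archivo.exe\nrun=\\svch0st.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nShell=explorer.exe temp.exe\n"
```

Calling audit_registry(SAMPLE_REGISTRY) flags the hijacked exefile handler and the two worm autorun entries while leaving the untouched batfile handler and the vendor updater alone; audit_ini on the two sample files flags all three launch lines.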

SOURCE: echomail via fidonet.ozzmosis.com
