subject: News
[cut-n-paste from sophos.com]
W32/Scold-A
Aliases
W32/Scold{at}mm
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Scold-A is a mass mailer that uses Microsoft Outlook to spread.
W32/Scold-A may arrive in the email with the following characteristics:
Subject line: One of -
"When It's Cold Outside She Gives Me Warm Inside"
"Re: When It's Cold Outside She Gives Me Warm Inside"
"Fw: When It's Cold Outside She Gives Me Warm Inside"
- followed by a random number of random characters.
Message text: One of -
"You will love this cute picture."
"Enjoy this great picture."
"Don't miss this cool picture."
- followed by the rest of the message:
"============= Free Online Virus Scan =============
100% VIRUS FREE
No viruses or suspicious files were found in the attached file. "
The attached file will have a filename constructed from the same
characters that were used in the subject line, followed by a random
number and an SCR extension.
When executed W32/Scold-A displays a photo of a seal, copies itself to
the Windows folder as Warm.scr and sets the following registry entry
with the path to this copy:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExeName32
W32/Scold-A sends itself to all entries from the Outlook Address Book
and in addition searches for email addresses in HTM and HTML files from
the IE Save folder and CTT files from the My Documents folder.
Troj/Dloader-F
Aliases
Downloader-DI
Type
Trojan
Detection
Sophos has received several reports of this Trojan from the wild.
Description
Troj/Dloader-F attempts to download and execute an EXE file from the
internet.
The Trojan attempts to download NEHER.GIF from bancoline.hotmail.ru,
save it as HANGUP.EXE within the Windows folder and execute it.
The file NEHER.GIF did not exist at the time of writing.
The Trojan is configurable so filenames and URLs may change in the
future.
W32/Yaha-Y
Aliases
WORM_YAHA.AF, W32/Yaha.y{at}MM, W32.Yaha.AF{at}mm
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Yaha-Y is a worm which spreads by copying itself to network shares
and by emailing itself to addresses found within files and registry
entries on the local computer.
The email subject line, message text and attachment filename are
randomly selected from internal lists. Example emails are as follows:
Attached File: Fixblastz.com
Subject line: Fix for the latest W32/Blaster.Z
Message text: Dear customer, We are enclosing Fix for W32.Blaster.Z as
per your request.
Attached File: Fixblastz.zip
Subject line: Fix for the New Worm Threat
Message text: Dear customer, We are enclosing Fix for W32.Blaster.Z as
per your request.
Attached File: FixBlast.com
Subject line: Fix for W32.Blaster/Welcha
Message text: Dear customer, We are enclosing Fix for both Welcha and
Blaster worms as per your request.
Attached File: wicked.zip
Subject line: Wicked Screen Saver
Message text: Hi, This is the most wicked screen saver i have ever
seen.Enjoy!!!
Attached File: MS-Q3526.com
Subject line: Critical Updates
Message text: Dear customer, Thanks for using Microsoft products. Recent
viruses have prompted microsoft to issue patches to all its customers
worldwide.
Attached File: thankyou.zip
Subject line: Thank you
Message text: Please see the attached file for details.
Attached File: your_documents.zip
Subject line: Your Document
Message text: See the attached file for your documents.
Attached File: FixBlast.zip
Subject line: Hi check your computer with this!!!
Message text: Hi, I am cutting and pasting the message i got from
symantec antivirus I think the last mail you sent me was infected with
W32.Blaster. please use this tool and disinfect your machine.
Attached File: details.zip
Subject line: Details
Message text: Hi, See the attached file for details.
Attached File: FixBlast.zip
Subject line: I got an infected email from you
Message text: Hi, Your previous mail to me is infected with Blaster.
Attached File: porncrack.zip
Subject line: Crack for Porn sites
Message text: Hi, This is a new crack for porn site. Please download
and check program. Bye.
Attached File: application.zip
Subject line: Your application
Message text: Please see the attached file for application details.
When first run, the worm copies itself to the Windows System folder as
EXE32.EXE and MSMGR32.EXE with the hidden attributes set and creates
the following registry entries to run itself on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsManager
= \MSMGR32.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsManager
= \MSMGR32.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MsManager
= \MSMGR32.EXE
The worm also prepends \EXE32.EXE to the following registry
entries, so that EXE32.EXE is run whenever any file with an extension
of EXE, COM, BAT or SCR is run or opened:
HKCU\batfile\shell\open\command
HKCU\comfile\shell\open\command
HKCU\exefile\shell\open\command
HKCU\scrfile\shell\open\command
The files Hosts and Lmhosts are dropped to the Windows folder and
MSS32.DLL is dropped to the System folder.
W32/Yaha-Y copies itself as MSMGR32.EXE to StartUp folders on local and
network drives, for example:
\Documents and Settings\All Users\Start Menu\Programs\Startup
\Documents and Settings\\Start Menu\Programs\Startup
The worm also copies itself to the Windows folder of network shares as
EXE32.EXE and adds a new line "run=EXE32.EXE" to the [Windows] section
of \Win.ini to run EXE32.EXE on startup.
Whilst the worm is active it continually tries to terminate selected
anti-virus and security related processes and resets the registry
entries mentioned above if they are changed or deleted.
The worm disables Regedit.exe by setting the registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools = 1
Troj/Zana-A
Type
Trojan
Detection
At the time of writing Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Zana-A is a small browser application that displays material
containing pornographic content. Additionally, the website contacted by
the Trojan may attempt to download a premium rate porn dialler detected
by Sophos Anti-Virus as Dial/Coulomb-E.
W32/Agobot-BD
Aliases
WORM_AGOBOT.BD
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Agobot-BD is an IRC backdoor Trojan and network worm.
W32/Agobot-BD is capable of spreading to computers on the local network
protected by weak passwords.
When first run, W32/Agobot-BD moves itself to the Windows system folder
as Filename.exe and creates the following registry entries so that it
is run automatically on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Win Init= \Filename.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Win Init= \Filename.exe
On NT based versions of Windows the worm creates a new service named
"Win Init" with the startup property set to automatic, so that the
service starts automatically each time Windows is started.
Each time W32/Agobot-BD is run it attempts to connect to a remote IRC
server and join a specific channel.
W32/Agobot-BD then runs continuously in the background, allowing a
remote intruder to access and control the computer via IRC channels.
W32/Agobot-BD attempts to terminate and disable various security related
programs and attempts to prevent its own process from being deleted.
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
SOURCE: echomail via fidonet.ozzmosis.com
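As an added, defender-side example that is not part of the Sophos descriptions or of this echomail post: a Python check that parses a Windows registry export (`.reg` text) and a `win.ini`, and flags the persistence indicators the descriptions above give for W32/Scold-A (Run\ExeName32 pointing at Warm.scr), W32/Yaha-Y (Run/RunServices\MsManager pointing at MSMGR32.EXE, EXE32.EXE prepended to the exe/com/bat/scr open commands, run=EXE32.EXE in win.ini, DisableRegistryTools=1) and W32/Agobot-BD ("Win Init" pointing at Filename.exe, kept exactly as the description names it). The function names are my own, and the sample registry export and win.ini are constructed, not captured from a real machine.

```python
import re
from typing import Dict, List

# Registry locations and dropped files named in the descriptions above.
RUN_KEY_SUFFIXES = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
)
SUSPECT_RUN_VALUES = {           # value name -> file it is expected to point at
    "ExeName32": "warm.scr",     # W32/Scold-A
    "MsManager": "msmgr32.exe",  # W32/Yaha-Y
    "Win Init": "filename.exe",  # W32/Agobot-BD ("Filename.exe" as in the description)
}
# W32/Yaha-Y prepends EXE32.EXE to these file-type handlers.
SHELL_OPEN_SUFFIXES = tuple(
    rf"{ft}file\shell\open\command" for ft in ("bat", "com", "exe", "scr")
)
POLICY_SUFFIX = r"software\microsoft\windows\currentversion\policies\system"

# One line of a .reg export: "name"="string", @="string" or "name"=dword:hex
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(?:"(.*)"|dword:([0-9A-Fa-f]+))$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: data}}.

    String values and DWORDs only. The default value is stored under "@",
    string data is unescaped, and DWORDs become decimal strings.
    """
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, sdata, ddata = m.groups()
        if sdata is not None:
            data = sdata.replace('\\"', '"').replace("\\\\", "\\")
        else:
            data = str(int(ddata, 16))
        result[current][name or "@"] = data
    return result


def command_image(command: str) -> str:
    """Lower-cased basename of the program an open-command value launches."""
    command = command.strip()
    if command.startswith('"'):
        image = command[1:].split('"', 1)[0]
    else:
        image = command.split()[0] if command else ""
    return image.rsplit("\\", 1)[-1].lower()


def find_registry_indicators(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per registry indicator from the descriptions."""
    findings: List[str] = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith(RUN_KEY_SUFFIXES):
            for name, data in values.items():
                expected = SUSPECT_RUN_VALUES.get(name)
                if expected and data.lower().endswith(expected):
                    findings.append(f"startup entry {key}\\{name} -> {data}")
        if k.endswith(SHELL_OPEN_SUFFIXES):
            if command_image(values.get("@", "")) == "exe32.exe":
                findings.append(f"file-type hijack {key} -> {values['@']}")
        if k.endswith(POLICY_SUFFIX) and values.get("DisableRegistryTools") == "1":
            findings.append(f"registry tools disabled via {key}")
    return findings


def find_win_ini_indicators(text: str) -> List[str]:
    """Flag run=EXE32.EXE in the [windows] section of a win.ini."""
    findings: List[str] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == "run" and any(
                p.rsplit("\\", 1)[-1].lower() == "exe32.exe" for p in value.split()
            ):
                findings.append(f"win.ini [windows] run= -> {value.strip()}")
    return findings


def scan(reg_text: str, win_ini_text: str) -> List[str]:
    return find_registry_indicators(parse_reg_export(reg_text)) + find_win_ini_indicators(win_ini_text)


# Constructed sample inputs (not real captures); SoundMan is a benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MsManager"="C:\\WINDOWS\\SYSTEM\\MSMGR32.EXE"
"ExeName32"="C:\\WINDOWS\\Warm.scr"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win Init"="C:\\WINDOWS\\SYSTEM32\\Filename.exe"

[HKEY_CURRENT_USER\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\EXE32.EXE \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=EXE32.EXE\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    for finding in scan(SAMPLE_REG, SAMPLE_WIN_INI):
        print(finding)
```

The check matches on key suffixes rather than full paths because Yaha-Y writes the same values under both HKCU and HKLM, and the open-command test looks at which image actually runs rather than searching for the string, so a legitimately quoted path with spaces is handled. Run on the constructed samples it reports six findings: three startup entries, the exefile hijack, the disabled registry tools and the win.ini run= line.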