echo:
to:
from:
date:
subject: News
[cut-n-paste from sophos.com]
W32/Mimail-I
Type: Win32 worm
Detection: Sophos has received several reports of this worm from the wild.
Description:
W32/Mimail-I is a worm which spreads via email using addresses harvested
from the hard drive of your computer. All email addresses found on your
PC are saved in a file named el388.tmp in the Windows folder.
In order to run itself automatically when Windows starts up the worm
copies itself to the file svchost32.exe in the Windows folder and adds
the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost32
The emails sent by the worm pretend to come from the email address
donotreply{at}paypal.com, and have the following characteristics:
Subject line: YOUR PAYPAL.COM ACCOUNT EXPIRES
Message text:
Dear PayPal member,
PayPal would like to inform you about some important information
regarding your PayPal account. This account, which is associated with
the email address
will be expiring within five business days. We apologize for any
inconvenience that this may cause, but this is occurring because all of
our customers are required to update their account settings with their
personal information.
We are taking these actions because we are implementing a new security
policy on our website to insure everyone's absolute privacy. To avoid
any interruption in PayPal services then you will need to run the
application that we have sent with this email (see attachment) and
follow the instructions. Please do not send your personal information
through email, as it will not be as secure.
IMPORTANT! If you do not update your information with our secure
application within the next five business days then we will be forced to
deactivate your account and you will not be able to use your PayPal
account any longer. It is strongly recommended that you take a few
minutes out of your busy day and complete this now.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an
automated message system and the reply will not be received.
Thank you for using PayPal.
Attached file: www.paypal.com.scr
If you run the worm, a dialog box pops up requesting you to enter a
range of information about your credit card. This includes your full
credit card number, your PIN, the expiry date, and even the so-called
CVV code (this is an additional three-digit security code printed on
the back of your card which is not recorded by credit card machines
during transactions). The dialog includes a PayPal logo in a further
attempt to appear legitimate. Information entered into the form is sent
out by email.
Note: do not act on web links or attachments sent to you in emails
which claim to come from banks or financial companies. The apparent
source of an email is too easily forged.
Troj/Muly-A
Type: Trojan
Detection: Sophos has received several reports of this Trojan from the wild.
Description:
Troj/Muly-A is a backdoor Trojan which runs in the background as a
service process and allows unauthorised remote access to the computer
over a network.
The Trojan attempts to copy itself to the Windows system folder as
DIVX.EXE and create the following entry in the registry to run itself on
system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DivX Updater = C:\\DIVX.EXE
Troj/Muly-A opens a random port (the default is 6000) and listens for
commands via a CGI script on a website (http://69.56.204.206). The
Trojan also sends information about the victim's computer to the remote
website.
Troj/Muly-A may attempt to update itself periodically via the remote
website.
Troj/Webber-C
Aliases: TrojanProxy.Win32.Webber.a, BackDoor-AXJ, TrojanDownloader.Win32.Small.bu
Type: Trojan
Detection: Sophos has received several reports of this Trojan from the wild.
Description:
This Trojan horse has been distributed in the form of an email with the
following characteristics:
From: " Account Manager " accounts_manager{at}citibank.com
Message body:
Dear Sir!
Thank you for your online application for a Home Equity Loan.
In order to be approved for any loan application we pull your
Credit Profile and Chexsystems information, which didn't satisfy
our minimum needs. Consequently, we regret to say that we cannot
approve you for Home Equity Loan at this time.
Attached are copy of your Credit Profile and Your Application that
you submitted with us. Please take a close look at it, you will
receive hard copy by mail withing next few days.
Attached file: www.citybankhomeloan.htm.pif
Troj/Webber-C is a backdoor Trojan with two components. The attached
file is the loader component which downloads the main part of the
Trojan from a Russian website. The downloaded file is called
neher.gif. However, neher.gif is not a GIF image file but a password
stealing Trojan that is run by the downloader.
The password stealing Trojan attempts to extract sensitive information
such as passwords from the passwords cache on the local machine (URL
passwords, share passwords, dial-up passwords, etc) and attempts to
send it to CGI scripts at another web address.
The downloaded component copies itself as a file with a random name
into the Windows system folder and drops and executes a DLL file (also
with a random name) that runs the copy of the Trojan.
In order to be started automatically the Trojan creates the following
registry entries:
HKCR\CLSID\79BF9088-19CE-715D-D85A-216290C5B738\InProcServer32
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger
Troj/Webber-C also functions as a web proxy.
Troj/BDSinit-A
Aliases: BackDoor-BAM, Win32/Fakesvc.C, Backdoor.Sinit, BKDR_SINIT.A
Type: Trojan
Detection: Sophos has received several reports of this Trojan from the wild.
Description:
Troj/BDSinit-A is a backdoor Trojan.
Troj/BDSinit-A copies itself to the Windows system folder as
SVCINIT.EXE and creates the following registry entry to run itself on
system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SVC Service
Troj/BDSinit-A also creates an entry in WIN.INI under the Windows
section in order to run on system restart.
Troj/BDSinit-A opens a random port in order to receive input from an
intruder. The Trojan also creates the following registry entry:
HKLM\Software\Microsoft\DirectPlugin\EngineName
W32/Spybot-V
Type: Win32 worm
Detection: At the time of writing Sophos has received just one report of this worm from the wild.
Description:
W32/Spybot-V is a peer-to-peer worm and backdoor Trojan that copies
itself into the Windows system folder with the name iexplore.exe or
with a random name and sets the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = iexplore.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = iexplore.exe
The worm creates the folder \kazaabackupfiles and copies itself
into this folder as divx.exe, fdd.exe, fuck.exe, gay.exe,
lesbiansex.exe, matrix.exe, pamela.exe, porn.exe, slsk.exe, torrent.exe
and xvid.exe and sets the following registry entry to point to this
folder:
HKCU\Software\Kazaa\LocalContent\Dir0
W32/Spybot-V terminates certain utility programs and logs on to a
predefined IRC server and waits for backdoor commands.
W32/Spybot-W
Type: Win32 worm
Detection: At the time of writing Sophos has received just one report of this worm from the wild.
Description:
W32/Spybot-W is a peer-to-peer worm that spreads via network drives,
email, Messenger and the IRC network.
In order to run automatically on system startup the worm copies itself
to the file wupdated.exe in the Windows system folder and registers
itself as the wupdated (Windows Update Service) service process.
The worm attempts to copy itself to the Windows system folder on
attached network drives with weak passwords and to start itself on the
remote computer as the Windows Update Service.
The worm tries the following usernames and passwords in all possible
combinations:
!{at}#$
!{at}#$%
!{at}#$%^
!{at}#$%^&
!{at}#$%^&*
1
111
123
1234
123456
654321
admin
administrator
asdf
asdfgh
database
guest
hidden
owner
pass
pass123
password
password123
root
secret
server
sql
sqlagent
system
user
wwwadmin
In order to spread via IRC the worm attempts to modify the configuration
files of the popular mIRC client. Each user that joins the same channel
the current user is on will receive a message urging him to download a
copy of the worm.
W32/Spybot-W attempts to spread via the MSN, AIM and Yahoo messenger
networks by sending the message "hey, check out this funny pic:
http://www.rf-mods.com/bot.pif."
W32/Spybot-W has an IRC backdoor component which has keylogging and
backdoor capabilities. The worm connects to an IRC server announcing
the infection and allows a malicious user remote access to the
computer.
W32/Yaha-X
Aliases: I-Worm.Lentin.s, W32/Yaha.aa{at}MM, Win32/Yaha.AF, W32.Yaha.AE
Type: Win32 worm
Detection: At the time of writing Sophos has received just one report of this worm from the wild.
Description:
W32/Yaha-X is a worm which spreads by emailing itself via SMTP to
addresses extracted from various sources on the victim's computer (e.g.
the Windows Address Book) and by copying itself to network shares and
other fixed drives connected to the computer.
The worm copies itself to the Windows System folder as CMDE32.EXE and
MEXPLORE.EXE and adds the following entries to the registry to run
itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS Explorer = \MEXPLORE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MS Explorer = \MEXPLORE.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MS Explorer = \MSEXPLORE.EXE
The worm also changes WIN.INI to run itself on system restart.
W32/Yaha-X changes the values in the following registry keys so that
the worm is run before all EXE, SCR, PIF, COM and BAT files:
HKCR\exefile\shell\open\command
HKCR\scrfile\Shell\open\command
HKCR\piffile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\comfile\shell\open\command
W32/Yaha-X drops text files called HOSTS and LMHOSTS within the Windows
folder which contain the following URLs preceded by the IP address
127.0.0.1:
www.sophos.com
www.symantec.com
www.microsoft.com
www.trendmicro.com
www.avp.ch
www.mcafee.com
www.pandasoftware.com
www3.ca.com
www.ca.com
W32/Yaha-X attempts to exploit the IFRAME vulnerability in certain
versions of Microsoft Internet Explorer and Outlook Express which
allows automatic execution of files attached to emails when the email
is viewed.
W32/Yaha-X may attempt to modify WIN.INI so that it is run when the
system is restarted.
W32/Yaha-X may also drop a plugin which allows it to record keystrokes
which may subsequently be emailed to an external address.
Please refer to W32/Yaha-T for further details.
W32/Mimail-H
Type: Win32 worm
Detection: Sophos has received several reports of this worm from the wild.
Description:
W32/Mimail-H is a worm which spreads via email using addresses harvested
from the hard drive of the infected computer. All email addresses found
on the computer are saved in a file named eml.tmp in the Windows folder.
In order to run itself automatically when Windows starts up the worm
copies itself to the file cnfrm33.exe in the Windows folder and adds
the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cn323
The emails sent by the worm have the following characteristics:
Subject line: don't be late!
Message text:
Will meet tonight as we agreed, because on Wednesday I don't think i'll
make it, so don't be late. And yes, by the way here is the file you
asked for. It's all written there. See you.
Attached file: readnow.zip
W32/Mimail-H spoofs the From field of the sent emails using the email
address john{at}
Readnow.zip is a compressed file which contains an executable file
named readnow.doc.scr. The worm also creates a copy of itself named
exe.tmp and a copy of readnow.zip named zip.tmp, both in the Windows
folder. W32/Mimail-H will occasionally generate and send corrupted copies of
readnow.zip.
While searching for email addresses in files on the local hard drive
W32/Mimail-H attempts to exclude files that have the following
extensions from the search:
* avi
* bmp
* cab
* com
* dll
* exe
* gif
* jpg
* mp3
* mpg
* ocx
* pdf
* psd
* rar
* tif
* vxd
* wav
* zip
W32/Mimail-H also attempts denial of service attacks targeting:
spamhaus.org
www.spamhaus.org
spews.org
www.spews.org
W32/Agobot-AG
Type: Win32 worm
Detection: At the time of writing Sophos has received just one report of this worm from the wild.
Description:
W32/Agobot-AG is an IRC backdoor Trojan and network worm.
W32/Agobot-AG is capable of spreading to computers on the local network
protected by weak passwords.
When first run, W32/Agobot-AG copies itself to the Windows system folder
and creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that the worm executes automatically each time Windows is started.
Each time W32/Agobot-AG is run it attempts to connect to a remote IRC
server and join a specific channel.
W32/Agobot-AG then runs continuously in the background, allowing a
remote intruder to access and control the computer via IRC channels.
W32/Agobot-AG collects system information and registration keys of
popular games that are installed on the computer.
The worm also attempts to terminate and disable various security
related programs.
W32/Mimail-F
Aliases: I-Worm.Mimail.g, W32/Mimail.gen{at}MM
Type: Win32 worm
Detection: Sophos has received several reports of this worm from the wild.
Description:
W32/Mimail-F is a worm which spreads via email using addresses
harvested from the hard drive of the infected computer. All email
addresses found on the computer are saved in a file named eml.tmp in
the Windows folder.
In order to run itself automatically when Windows starts up the worm
copies itself to the file sysload32.exe in the Windows folder and adds
the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemLoad32
The emails sent by the worm have the following characteristics:
Subject line: don't be late!
Message text:
Will meet tonight as we agreed, because on Wednesday I don't think I'll
make it, so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.
Attached file: readnow.zip
W32/Mimail-F spoofs the From field of the sent emails using the email
address john{at}
Readnow.zip is a compressed file which contains an executable file named
readnow.doc.scr. The worm also creates a copy of itself named exe.tmp
and a copy of readnow.zip named zip.tmp, both in the Windows folder.
While searching for email addresses in files on the local hard drive
W32/Mimail-F attempts to exclude files that have the following
extensions from the search:
* avi
* bmp
* cab
* com
* dll
* exe
* gif
* jpg
* mp3
* mpg
* ocx
* pdf
* psd
* rar
* tif
* vxd
* wav
* zip
W32/Mimail-F also attempts to launch a denial of service attack against
the websites mysupersales.com and www.mysupersales.com.
W32/Mimail-E
Aliases: I-Worm.Mimail.e
Type: Win32 worm
Detection: Sophos has received several reports of this worm from the wild.
Description:
W32/Mimail-E is a worm which spreads via email using addresses harvested
from the hard drive of the infected computer. All email addresses found
on the computer are saved in a file named eml.tmp in the Windows folder.
In order to run itself automatically when Windows starts up the worm
copies itself to the file cnfrm.exe in the Windows folder and adds the
following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cnfrm32
The emails sent by the worm have the following characteristics:
Subject line: don't be late!
Message text:
Will meet tonight as we agreed, because on Wednesday I don't think I'll
make it, so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.
Attached file: readnow.zip
W32/Mimail-E spoofs the From field of the sent emails using the email
address john{at}
Readnow.zip is a compressed file which contains an executable file named
readnow.doc.scr. The worm also creates a copy of itself named exe.tmp
and a copy of readnow.zip named zip.tmp, both in the Windows folder.
While searching for email addresses in files on the local hard drive
W32/Mimail-E attempts to exclude files that have the following
extensions from the search:
* avi
* bmp
* cab
* com
* dll
* exe
* gif
* jpg
* mp3
* mpg
* ocx
* pdf
* psd
* rar
* tif
* vxd
* wav
* zip
W32/Mimail-E also attempts denial of service attacks. There are two
slight variants of the worm, each of which attacks different servers.
The first variant targets:
spews.org
www.spews.org
spamhaus.org
www.spamhaus.org
spamcop.net
www.spamcop.net
The second variant targets:
fethard.biz
www.fethard.biz
fethard-finance.com
www.fethard-finance.com
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
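The W32/Yaha-X description above reports HOSTS and LMHOSTS files that map security-vendor hostnames to 127.0.0.1, which silently blocks signature updates and vendor web sites. The script below is an added example, not Sophos' code and not part of the original post: it parses a HOSTS-style file and reports any of the vendor names quoted on this page that are pinned to a loopback or unspecified address (it goes slightly beyond the page by also catching 0.0.0.0, which has the same effect). The sample file it runs on is constructed for the demonstration.

```python
"""Flag HOSTS/LMHOSTS entries that pin security-vendor hostnames to loopback.

Added example (not Sophos' code, not from the original post). The vendor
hostname list is the one quoted for W32/Yaha-X; SAMPLE_HOSTS is constructed.
"""
import ipaddress

# Hostnames the W32/Yaha-X description says are written with 127.0.0.1.
VENDOR_HOSTS = frozenset({
    "www.sophos.com", "www.symantec.com", "www.microsoft.com",
    "www.trendmicro.com", "www.avp.ch", "www.mcafee.com",
    "www.pandasoftware.com", "www3.ca.com", "www.ca.com",
})


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from HOSTS-style text.

    '#' starts a comment (this also neutralises LMHOSTS keywords such as
    #PRE), blank lines are skipped, several hostnames may share one line,
    and lines whose first field is not an IP address are ignored.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def find_sinkholed_vendor_hosts(text, watchlist=VENDOR_HOSTS):
    """Return [(hostname, ip_string)] for watchlisted names that resolve to a
    loopback (127/8, ::1) or unspecified (0.0.0.0) address."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in watchlist and (ip.is_loopback or ip.is_unspecified):
            hits.append((name, str(ip)))
    return hits


# Constructed sample; not copied from an infected machine.
SAMPLE_HOSTS = """\
# constructed hosts file for the demonstration
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       www.symantec.com www.mcafee.com   # two names on one line
0.0.0.0         www.trendmicro.com
10.0.0.5        intranet.example.test
"""

if __name__ == "__main__":
    for name, ip in find_sinkholed_vendor_hosts(SAMPLE_HOSTS):
        print(f"vendor host {name} is pinned to {ip}")
```

On a live system the file to feed in is %SystemRoot%\system32\drivers\etc\hosts (and lmhosts beside it); the description above says W32/Yaha-X drops its copies in the Windows folder, so those are worth checking as well. localhost and the intranet entry in the sample are not reported because only watchlisted names count.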
SOURCE: echomail via fidonet.ozzmosis.com
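Almost every description above shares one persistence pattern: a copy dropped in the Windows or system folder plus a value under a Run, RunOnce, RunServices or ShellServiceObjectDelayLoad key. The script below is an added example, not Sophos' tooling and not part of the original post. It parses the text format produced by `reg export`, keeps the string values, and lists autorun values whose name or target file matches the value names and file names quoted on this page. The .reg text it parses is constructed, including the drive, folder layout and the benign entry.

```python
"""Triage autorun values in a 'reg export' text file against the indicators
quoted on this page. Added example: not Sophos' tooling and not from the
original post. SAMPLE_REG at the bottom is constructed."""
import re
from pathlib import PureWindowsPath

# Autorun value names the descriptions above attribute to these worms/Trojans.
INDICATOR_VALUE_NAMES = {
    "svchost32", "divx updater", "svc service", "winsock2 driver",
    "ms explorer", "cn323", "systemload32", "cnfrm32", "web event logger",
}
# Dropped file names from the same descriptions. iexplore.exe (W32/Spybot-V)
# is left out on purpose: it is also Internet Explorer's real binary name, so
# a bare name match would be noise; its value name "Winsock2 driver" is kept.
INDICATOR_BINARIES = {
    "svchost32.exe", "divx.exe", "svcinit.exe", "cnfrm33.exe", "cnfrm.exe",
    "sysload32.exe", "mexplore.exe", "msexplore.exe", "cmde32.exe",
    "wupdated.exe",
}
# Lower-cased suffixes of the keys Windows consults at logon/startup.
AUTORUN_SUFFIXES = (
    "\\currentversion\\run", "\\currentversion\\runonce",
    "\\currentversion\\runservices",
    "\\currentversion\\shellserviceobjectdelayload",
)
# "Name"=<data> or @=<data>; the name may contain escaped quotes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    """Undo .reg escaping: a backslash escapes the character after it."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} keeping REG_SZ values only.

    hex:/dword: data and the continuation lines of hex blobs are skipped,
    since autorun entries are strings. '@' denotes the key's default value.
    """
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line) if key else None
        if not m:
            continue
        data = m.group(2)
        if len(data) < 2 or not (data.startswith('"') and data.endswith('"')):
            continue  # not a string value
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        entries[key][name] = _unescape(data[1:-1])
    return entries


def target_binary(data):
    """Best-effort file name of the executable in a command-line value."""
    if data.startswith('"'):
        end = data.find('"', 1)
        exe = data[1:end] if end > 0 else data[1:]
    else:
        parts = data.split()
        exe = parts[0] if parts else ""
    return PureWindowsPath(exe).name.lower()


def autorun_findings(entries):
    """Return [(key, value_name, data, reason)] for values under autorun keys
    whose name or target file name appears on the indicator lists above."""
    findings = []
    for key, values in entries.items():
        if not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        for name, data in values.items():
            base = target_binary(data)
            if name.lower() in INDICATOR_VALUE_NAMES:
                findings.append((key, name, data, "value name on indicator list"))
            elif base in INDICATOR_BINARIES:
                findings.append((key, name, data, f"target {base} on indicator list"))
    return findings


# Constructed .reg export; paths and the ExamplePrinterAgent entry are invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SvcHost32"="C:\\WINDOWS\\svchost32.exe"
"ExamplePrinterAgent"="\"C:\\Program Files\\Example\\agent.exe\" /tray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Updater"="C:\\WINDOWS\\SYSTEM32\\DIVX.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Winsock2 driver"="iexplore.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger"="{79BF9088-19CE-715D-D85A-216290C5B738}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="svchost32.exe"
'''

if __name__ == "__main__":
    for key, name, data, reason in autorun_findings(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\n    {name} = {data}  <- {reason}")
```

The Uninstall entry in the sample carries an indicator file name but is not reported, because only keys ending in one of the autorun suffixes are examined; the quoted agent.exe command line shows the quoted-path handling in target_binary. A name-only match is a lead, not a verdict: the W32/Mimail-I entry, for instance, uses svchost32.exe, which is one character away from the legitimate svchost.exe.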