echo: virus
to: ALL
from: KURT WISMER
date: 2003-11-28 22:52:00
subject: News

[cut-n-paste from sophos.com]

W32/Sdbot-I

Aliases
WORM_SDBOT.D

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Sdbot-I is a worm that spreads via network shares and has backdoor 
capabilities.

Upon execution, W32/Sdbot-I attempts to spread to network shares with weak 
usernames and passwords belonging to computers from a list of randomly 
generated IP addresses.

In order to run automatically when Windows starts up the worm copies 
itself to the Windows system folder as service.exe and adds the 
following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Services
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Services

W32/Sdbot-I then connects to an IRC server and joins a particular 
channel, providing unauthorised access and control of the computer from 
an IRC channel.

W32/Agobot-AS

Aliases
W32/Gaobot.worm.gen, WORM_AGOBOT.AS

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Agobot-AS is an IRC backdoor Trojan and network worm.

W32/Agobot-AS copies itself to network shares with weak passwords and 
attempts to spread to computers using the DCOM RPC and the RPC locator 
vulnerabilities.

These vulnerabilities allow the worm to execute its code on target 
computers with System level privileges. For further information on 
these vulnerabilities and for details on how to patch the computer 
against such attacks please see Microsoft security bulletins MS03-026 
and MS03-001.

When first run, W32/Agobot-AS copies itself to the Windows system folder 
with the filename syst18b.exe and creates the following registry entries 
so that the worm is run when Windows starts up:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
System Loaderav = syst18b.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
System Loaderav = syst18b.exe

W32/Agobot-AS also registers itself as a service which will be activated 
when Windows starts up. The name of the service is System Loaderav.

W32/Agobot-AS connects to a remote IRC server and joins a specific 
channel. The backdoor functionality of the worm can then be accessed by 
an attacker using the IRC network.

The worm also attempts to terminate and disable various security related 
programs.

Troj/HacDef-084

Aliases
Backdoor.Hacdef.084, Backdoor.HackDefender, BKDR_HACDEF.C

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/HacDef-084 is a kernel-level rootkit and backdoor Trojan that is 
targeted at NT/2000/XP operating systems.

As well as allowing unauthorised remote access to the victim's computer, 
this Trojan is also able to hide information about the victim's system 
including files, folders, processes, services, registry entries, network 
connections and loaded drivers.

The Trojan consists of the main executable, a system driver and a 
configuration file. The Trojan is only capable of hiding system 
resources locally. The files, service processes and registry entries are 
therefore still visible over a NetBIOS network connection.

Troj/HacDef-084 intercepts all network traffic. This means that it can 
make use of any port used by a legitimate service as a control channel.

Troj/HacDef-084 is also able to relay network traffic through a 
compromised computer and to alter the reported values of free and used 
hard disk space.

Troj/Litmus-AS

Aliases
Backdoor.Litmus.203, BackDoor-JZ, Win32/Litmus.203.AsPack, 
Backdoor.Litmus.203.b

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/Litmus-AS is a backdoor Trojan that runs in the background as a 
system process and allows unauthorised remote access to the computer via 
an IRC network connection.

The Trojan copies itself to C:\Windows\Server as svchost.EXE and adds an 
entry to the registry at 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LTM2 to run itself 
on system restart.

The Trojan may also attempt to steal passwords.

Troj/Sysbug-A

Aliases
Backdoor-CAG

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/Sysbug-A is a backdoor Trojan that steals system information and 
opens up a backdoor to allow unauthorised access to the compromised 
computer. This Trojan horse has been distributed in the form of an 
email with the following characteristics:

From: james2003{at}hotmail.com

Subject line: Re[2]: Mary

Message text:

Hello my dear Mary,

I have been thinking about you all night. I would like to apologize for 
the other night when we made beautiful love and did not use condoms. I 
know this was a mistake and I beg you to forgive me.

I miss you more than anything, please call me Mary, I need you. Do you 
remember when we were having wild sex in my house? I remember it all 
like it was only yesterday. You said that the pictures would not come 
out good, but you were very wrong, they are great. I didn't want to show 
you the pictures at first, but now I think it's time for you to see 
them. Please look in the attachment and you will see what I mean.

I love you with all my heart, James.

Attached file: Private.zip (contains wendynaked.jpg.exe)

Troj/Sysbug-A will copy itself to the Windows folder as sysdeb32.exe and 
adds the following registry entry to ensure it gets run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemDebug

Troj/Sysbug-A creates the files svc.sav in the Windows folder and 
C:\temp35.txt. These files are not malicious and can simply be deleted.

W32/Mimail-K

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Mimail-K is a worm which spreads via email using addresses 
harvested from the hard drive of the infected computer. All email 
addresses found on the computer are saved in a file named eml.tmp in 
the Windows folder.

In order to run itself automatically when Windows starts up the worm 
copies itself to the file sysload32.exe in the Windows folder and adds 
the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemLoad32

The emails sent by the worm may have the following characteristics:

Subject line : don't be late!<30 spaces><random characters>
Message text : Will meet tonight as we agreed, because on Wednesday I 
don't think i'll make it, so don't be late. And yes, by the way here is 
the file you asked for. It's all written there. See you.
Attached file : readnow.zip

W32/Mimail-K spoofs the From field of the sent emails using the email 
address john{at}

Readnow.zip is a compressed file which contains an executable file 
named readnow.doc.scr. The worm also creates a copy of itself named 
exe.tmp and a copy of readnow.zip named zip.tmp, both in the Windows 
folder.

While searching for email addresses in files on the local hard drive 
W32/Mimail-K attempts to exclude files that have the following 
extensions from the search:

avi
bmp
cab
com
dll
exe
gif
jpg
mp3
mpg
ocx
pdf
psd
rar
tif
vxd
wav
zip

W32/Mimail-K also attempts denial of service attacks targeting:

darkprofits.cc
www.darkprofits.cc
darkprofits.ws
www.darkprofits.ws

JS/Flea-B

Aliases
JS.Flea.b, JS/Flea.B, JS.Fortnight.D, JS/Fortnight.gen{at}M

Type
JavaScript worm

Detection
Sophos has received several reports of this worm from the wild.

Description
JS/Flea-B is a worm that propagates via HTML email. The worm arrives as 
the signature to an HTML email.

When the HTML email is rendered a webpage is loaded and a JavaScript 
component is run. The JavaScript then attempts to run a java class file 
from the same site, but at the time of writing the requested file was 
not available.

Troj/Tofger-A

Aliases
MultiDropper-GP.a, TrojanDropper.JS.Mimail.b, Trojan.Sefex

Type
Trojan

Detection
At the time of writing Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Tofger-A is a keylogging Trojan.

In order to run automatically when Windows starts up the Trojan copies 
itself to the file system.exe in the Windows folder and adds the 
following registry entry pointing to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Online Service

The Trojan also drops the utility library file msin32.dll and creates 
the text file sysini.ini in the Windows folder.

When the Trojan detects an active internet connection it captures 
keystrokes typed into Internet Explorer and sends the information to a 
remote internet address.

Troj/Tofger-A is spread as an email attachment MyProfile.zip. The ZIP 
archive contains an HTML page Profile.html that uses the codebase and 
MHTML vulnerabilities in Internet Explorer and Outlook/Outlook Express 
to drop and execute the Trojan binary automatically as the file 
\dating.exe.

For more information please see the Microsoft security bulletins 
MS02-015 and MS02-014.

W32/Mimail-J

Aliases
infected: I-Worm.Mimail.j, W32/Mimail.j{at}MM virus, W32.Mimail.J{at}mm, 
WORM_MIMAIL.J

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Mimail-J is a worm very similar to W32/Mimail-I. This variant tries 
to get you to give up your credit card details, just like W32/Mimail-I, 
but also asks you for additional personal information such as your 
Social Security Number and your mother's maiden name.

W32/Mimail-J drops itself to your Windows folder using the names 
SvcHost32.exe and ee98af.tmp. It also creates fake PayPal web pages in 
your root directory using the names pp.hta and index2.hta. These web 
pages include scripts which ask you for the personal information 
described above.

W32/Opaserv-V

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Opaserv-V is a worm which spreads by copying itself to network 
shares.

The worm drops copies of itself to the Windows folder as Banda!, 
Podre!! and speedy.pif, then adds an entry to the registry at

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Spees3

to run itself on system restart.

The worm attempts to copy itself to the Windows folder on networked 
computers with open shared drives. The worm then modifies the win.ini 
on the remote machine to ensure it will be run on system restart.

W32/Opaserv-V also attempts to update itself periodically from a 
pre-configured website.

--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)

SOURCE: echomail via fidonet.ozzmosis.com
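Every advisory above describes the same persistence pattern: a copy in the Windows folder plus an entry under one of the Run/RunOnce/RunServices keys (or, for W32/Opaserv-V, a win.ini run= line). The following PowerShell audit is an added example, not code from the post or from Sophos; it walks those autorun locations and flags entries whose value name or target file name matches one quoted in the advisories.

```powershell
# Added example: audit the autorun locations named in the advisories above.
# Value names and file names are taken from the advisories; the keys are the
# ones the advisories cite (RunServices only exists on Win9x/Me, so it is
# skipped when absent).
$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Registry value names used by the malware in the post.
$suspectNames = @('Windows Services', 'System Loaderav', 'LTM2', 'SystemDebug',
                  'SystemLoad32', 'Online Service', 'Spees3')
# File names the malware copies itself to (PowerShell -contains ignores case).
$suspectFiles = @('service.exe', 'syst18b.exe', 'svchost.EXE', 'sysdeb32.exe',
                  'sysload32.exe', 'system.exe', 'SvcHost32.exe', 'speedy.pif')

function Get-AutorunFindings {
    $findings = @()
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            $value = [string]$p.Value
            if (-not $value) { continue }
            # Best-effort leaf file name: strip quotes, take the first token.
            $leaf = Split-Path -Leaf (($value.Trim('"') -split '\s+')[0])
            $reasons = @()
            if ($suspectNames -contains $p.Name) { $reasons += 'known value name' }
            if ($suspectFiles -contains $leaf)   { $reasons += 'known file name' }
            if ($reasons) {
                $findings += [pscustomobject]@{ Key = $key; Name = $p.Name
                    Value = $value; Reason = ($reasons -join ', ') }
            }
        }
    }
    # W32/Opaserv-V persists via win.ini on remote hosts; check the local copy.
    $winIni = Join-Path $env:WINDIR 'win.ini'
    if (Test-Path $winIni) {
        Get-Content $winIni | Where-Object { $_ -match '^\s*(run|load)\s*=\s*\S' } |
            ForEach-Object {
                $findings += [pscustomobject]@{ Key = $winIni; Name = 'win.ini'
                    Value = $_; Reason = 'non-empty run/load line' }
            }
    }
    return $findings
}

Get-AutorunFindings | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable; an empty table means none of the advisories' names were found, not that the host is clean, since later variants use different names.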
