subject: News
[cut-n-paste from sophos.com]
Troj/KeyHost-A
Type
Trojan
Detection
Sophos has received several reports of this Trojan from the wild.
Description
Following customer feedback Sophos has disabled detection of this
application, which is not a Trojan.
W32/Netsky-B
Aliases
Win32/Netsky.B, W32.Netsky.B@mm, WORM_NETSKY.B, I-Worm.Moodown.b,
Worm.SomeFool
Type
Win32 worm
Detection
Sophos has received many reports of this worm from the wild.
Description
W32/Netsky-B is a worm that spreads by email and Windows network shares.
W32/Netsky-B copies itself into the Windows folder as services.exe.
In order to run automatically when Windows starts up W32/Netsky-B
creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
service= "C:\\WINDOWS\\services.exe -serv"
W32/Netsky-B searches all mapped drives for files with the following
extensions in order to find email addresses: MSG, OFT, SHT, DBX, TBB,
ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML.
W32/Netsky-B searches drives C: to Z: and attempts to copy itself into
folders with names containing the string "share" or "sharing".
The file names used by the worm for copying itself to shared folders
are:
angels.pif
cool screensaver.scr
dictionary.doc.exe
dolly_buster.jpg.pif
doom2.doc.pif
e-book.archive.doc.exe
e.book.doc.exe
eminem - lick my pussy.mp3.pif
hardcore porn.jpg.exe
how to hack.doc.exe
matrix.scr
max payne 2.crack.exe
nero.7.exe
office_crack.exe
photoshop 9 crack.exe
porno.scr
programming basics.doc.exe
rfc compilation.doc.exe
serial.txt.exe
sex sex sex sex.doc.exe
strippoker.exe
virii.scr
win longhorn.doc.exe
winxp_crack.exe
W32/Netsky-B may arrive in an email with the following characteristics:
Subject line: randomly chosen from -
unknown
fake
stolen
information
warning
something for you
read it immediately
hello
Message text: randomly chosen from -
something is fool
something is going wrong
you are bad
you try to steal
you feel the same
you earn money
thats wrong
why?
take it easy
reply
do you?
that's funny
here, the cheats
here, the introduction
here, the serials
from the chatter
about me
information about you
something is going wrong!
stuff about you?
greetings
see you
here it is
that is bad
yes, really?
i found this document about you
your name is wrong
i hope it is not true!
kill the writer of this document!
something about you!
I have your password!
you are a bad writer
is that from you?
i wait for a reply!
is that your account?
is that your name?
is that true?
here
my hero
read it immediately!
here is the document.
read the details.
i'm waiting
what does it mean?
anything ok?
Attached file: one of the following filenames with a double file
extension -
misc
party
disco
part2
mail2
object
ranking
dinner
release
final
location
jokes
friend
website
mails
story
found
nomoney
aboutyou
shower
topseller
product
swimmingpool
bill
note
concert
textfile
posting
stuff
attachment
details
creditcard
message
ps
msg
talk
document
unknown
fake
stolen
information
warning
something for you
read it immediately
hello
The extension is a combination of DOC, RTF, HTM, PIF, COM, SCR and EXE.
W32/Netsky-B may also send a ZIP file.
The email address of the sender will be spoofed.
When the attachment is opened W32/Netsky-B may display a fake message
box "The file could not be opened".
W32/Netsky-B attempts to remove registry entries related to a few recent
viruses, including W32/MyDoom-A and W32/MyDoom-B.
Troj/DDosSmal-B
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/DDosSmal-B is a Trojan which attempts a denial-of-service attack
on a website.
In order to run automatically when Windows starts up the Trojan copies
itself to the file winsys.exe in the Windows folder and adds the
following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winsys
W32/Tanx-A
Aliases
Win32/Bagle.B, Bagle.B, W32/Bagle.b@MM, W32.Alua@mm, WORM_BAGLE.B
Type
Win32 worm
Detection
Sophos has received many reports of this worm from the wild.
Description
W32/Tanx-A is a worm that uses email to spread.
The worm arrives in a message with the following characteristics:
Subject line: ID ... thanks
Message text: Yours ID
--
Thank
Attached file: .exe
The address of the sender is spoofed.
When the attached infected file is run W32/Tanx-A copies itself into the
Windows system folder as au.exe and creates the following registry
entry so that the worm file is run during the Windows startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
= \au.exe
If the filename of the launched file is not au.exe the worm attempts to
launch the Windows sound recorder application sndrec32.exe.
W32/Tanx-A searches all fixed drives recursively for files with the
extension WAB, TXT, HTM and HTML. These files are searched for email
addresses that are later used to fill in the sender and recipient fields
of the email message.
W32/Tanx-A opens a TCP port 8866 and listens for connections. The
backdoor may be used to update the worm file.
W32/Tanx-A will connect to the following websites and submit information
about the listening port and the randomly generated infection ID:
www.47df.de
www.strato.de and
intern.games-ring.de
W32/Tanx-A uses the registry key HKCU\Software\Windows2000 to store some
other data values (like the randomly created infection ID). The registry
values used are gid and frn.
W32/Tanx-A will stop spreading after 25 February 2004.
W32/Agobot-CW
Aliases
Backdoor.Agobot.3.gen
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Agobot-CW is an IRC backdoor Trojan and network worm.
W32/Agobot-CW copies itself to network shares with weak passwords and
attempts to spread to computers using the DCOM RPC and the RPC locator
vulnerabilities.
These vulnerabilities allow the worm to execute its code on target
computers with System level privileges. For further information on these
vulnerabilities and for details on how to protect/patch the computer
against such attacks please see Microsoft security bulletins MS03-001
and MS03-026. MS03-026 has been superseded by Microsoft security
bulletin MS03-039.
When first run, W32/Agobot-CW copies itself to the Windows system32
folder with the filename winpn32.exe and creates the following registry
entries so that the worm is run when Windows starts up:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Diagnostic Agent = diagent.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Diagnostic Agent = diagent.exe
W32/Agobot-CW connects to a remote IRC server and joins a specific
channel. The backdoor functionality of the worm can then be accessed by
an attacker using the IRC network.
The worm also attempts to terminate and disable various security-related
programs.
W32/Deadhat-B
Aliases
Worm.Win32.Vesser.b, W32.HLLW.Deadhat.B, WORM_DEADHAT.B
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Deadhat-B is a worm that spreads via the SoulSeek file sharing
network and computers infected with the W32/MyDoom worm.
W32/Deadhat-B creates a copy of itself in the system folder with the
filename msgsrv32.exe and sets the following registry entry so that the
worm is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msgsrv32
The worm copies itself to the shared folder of an existing SoulSeek
installation using the following filenames:
WinXPKeyGen.exe
Windows2003Keygen.exe
mIRC.v6.12.Keygen.exe
Norton.All.Products.KeyMkr.exe
F-Secure.Antivirus.Keymkr.exe
FlashFXP.v2.1.FINAL.Crack.exe
SecureCRTPatch.exe
TweakXPProKeyGenerator.exe
FRUITYLOOPS.SPYWIRE.FIX.EXE
ALL.SERIALS.COLLECTION.2003-2004.EXE
WinRescue.XP.v1.08.14.exe
GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe
BlindWrite.Suite.v4.5.2.Serial.Generator.exe
Serv-U.allversions.keymaker.exe
WinZip.exe
WinRar.exe
WinAmp5.Crack.exe
W32/Deadhat-B has a backdoor component listening on TCP port 2766.
W32/Deadhat-B also has an IRC backdoor component. The worm attempts to
connect to one of a list of IRC servers and receives commands that allow
a remote attacker control over the infected computer via this channel.
W32/Deadhat-B scans network address ranges for ports opened by the
W32/MyDoom worm and will attempt to copy itself to compromised machines.
The worm may attempt to delete the following files:
C:\boot.ini
C:\autoexec.bat
C:\config.sys
C:\Windows\win.ini
C:\Windows\system.ini
C:\Windows\wininit.ini
C:\Winnt\win.ini
C:\Winnt\system.ini
C:\Winnt\wininit.ini
W32/Deadhat-B also attempts to terminate the following system monitoring
and anti-virus related processes:
_avp
kfp4gui
kfp4ss
zonealarm
Azonealarm
avwupd32
avwin95
avsched32
avnt
avkserv
avgw
avgctrl
avgcc32
ave32
avconsol
apvxdwin
ackwin32
blackice
blackd
dv95
espwatch
esafe
efinet32
ecengine
f-stopw
fp-win
f-prot95
f-prot
fprot
f-agnt95
gibe
iomon98
iface
icsupp
icssuppnt
icmoon
icmon
icloadnt
icload95
ibmavsp
ibmasn
iamserv
iamapp
kpfw32
nvc95
nupgrade
nupdate
normist
nmain
nisum
navw
navsched
navnt
navlu32
navapw32
zapro
W32/MyDoom-E
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/MyDoom-E is a worm which spreads by email. When the infected
attachment is launched, the worm harvests email addresses from address
books and from files with the following extensions: wab, htm, txt, sht,
php, asp, dbx, tbb, adb and pl.
W32/MyDoom-E uses randomly chosen email addresses in the "To:" and
"From:" fields as well as a randomly chosen subject line. The emails
distributing this worm have the following characteristics:
Subject lines:
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]
Message texts:
test
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.
Attachment filenames:
body
data
doc
document
file
message
readme
test
text
[random collection of characters]
Attached files will have an extension of BAT, CMD, EXE, PIF, SCR, or
ZIP.
The worm will also copy itself into the shared folder of the KaZaA
peer-to-peer application with one of the following filenames and a PIF,
EXE, SCR or BAT extension:
activation_crack
icq2004-final
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
winamp5
W32/MyDoom-E will copy itself to the Windows system folder using the
filename taskmon.exe and sets the following registry entry to point to
this copy to ensure it is run at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
Please note that on Windows 95/98/Me, there is a legitimate file called
taskmon.exe in the Windows folder.
W32/MyDoom-E will create the file shimgapi.dll in the Windows system or
temp folder. This is a backdoor program loaded by the worm that allows
outsiders to connect to TCP port 3127. The DLL adds the following
registry entry so that it is run on startup:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\
Default= ""
Between the 1st February 2004 and 14th February 2006, the worm will
attempt a denial-of-service attack on www.sco.com. After the 14th
February 2006 W32/MyDoom-E will no longer spread however it will still
run the backdoor component.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
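A defender-side check over the indicators quoted in the descriptions above (Run-key values, backdoor ports and double-extension lure names), added here as an example and not Sophos' own tooling. It assumes a host snapshot already collected into plain Python values, with HKLM and HKCU Run entries merged into one mapping, and it applies the taskmon.exe caveat from the W32/MyDoom-E entry.

```python
import ntpath

# Added example, not Sophos code. Value names are compared case-insensitively
# and value data on its file name only, since the descriptions quote names.
RUN_VALUES = {  # Run value name -> (file name it points at, family)
    "service": ("services.exe", "W32/Netsky-B"),
    "winsys": ("winsys.exe", "Troj/DDosSmal-B"),
    "au.exe": ("au.exe", "W32/Tanx-A"),
    "diagnostic agent": ("diagent.exe", "W32/Agobot-CW"),
    "msgsrv32": ("msgsrv32.exe", "W32/Deadhat-B"),
    "taskmon": ("taskmon.exe", "W32/MyDoom-E"),
}
BACKDOOR_PORTS = {8866: "W32/Tanx-A", 2766: "W32/Deadhat-B", 3127: "W32/MyDoom-E"}
DECOY_EXTS = {"doc", "rtf", "htm", "html", "txt", "jpg", "mp3"}  # from the name lists
EXEC_EXTS = {"pif", "com", "scr", "exe", "bat", "cmd"}

def is_double_extension_lure(name):
    """True for names like dictionary.doc.exe: decoy extension, then executable."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in EXEC_EXTS

def match_run_value(name, data):
    """Return the family a Run-key value indicates, or None.
    TaskMon is flagged only when it points into the system folder, because
    Windows 95/98/Me ships a legitimate taskmon.exe in the Windows folder."""
    hit = RUN_VALUES.get(name.lower())
    if hit is None:
        return None
    target, family = hit
    path = data.strip('"').split(" -")[0]  # drop quotes and "-serv"-style arguments
    if ntpath.basename(path).lower() != target:
        return None
    if target == "taskmon.exe":
        parent = ntpath.basename(ntpath.dirname(path)).lower()
        if parent not in ("system", "system32"):
            return None
    return family

def classify(run_values, listening_ports, file_names):
    """Map each family (or the generic lure pattern) to the evidence found."""
    findings = {}
    for name, data in run_values.items():
        if family := match_run_value(name, data):
            findings.setdefault(family, []).append(f"Run value {name} -> {data}")
    for port in listening_ports:
        if port in BACKDOOR_PORTS:
            findings.setdefault(BACKDOOR_PORTS[port], []).append(f"TCP {port} listening")
    lures = [n for n in file_names if is_double_extension_lure(n)]
    if lures:
        findings["double-extension lure"] = lures
    return findings
```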
SOURCE: echomail via fidonet.ozzmosis.com