echo: virus
to: ALL
from: KURT WISMER
date: 2004-01-17 17:52:00
subject: News

[cut-n-paste from sophos.com]

Troj/Divix-A

Aliases
Worm.Win32.Randon.o, Backdoor.Trojan, IRC/Flood.bat

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Divix-A is a mIRC Trojan that can be used to gain unauthorised 
access to a victim's computer.

The operation of this Trojan will depend on two other Trojans detected 
by Sophos Anti-Virus as Troj/Saye-A and Troj/DoSDelf-A.

The Trojan also requires the use of several clean utilities including a 
mIRC client application and a tool to hide windows on the victim's 
desktop.





Troj/Weasyw-A

Aliases
Trojan.Win32.StartPage.aw, TrojanDownloader.Win32.VB.al

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/Weasyw-A is a multi-component backdoor Trojan which allows 
unauthorised remote access to the computer.

One component (possibly called PAYLOADE.EXE) of the Trojan downloads and 
executes the next component of the Trojan as a file called EASYWWW.EXE 
to the Windows folder.

The Trojan adds the following entry to the registry to run itself on 
system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\easywww
= C:\<path to Trojan>

Troj/Weasyw-A downloads a text file containing backdoor commands from 
the URL: www.easywww.info/data.asp?rnd=

This file is saved as 31331333.CHK in the Windows folder. Depending on 
the contents of the file the Trojan may download and execute EXE files 
(possibly to update itself) and change the Microsoft Internet Explorer 
settings in the registry so that the default start and search pages are 
directed to URLs defined within the text file.

Troj/Weasyw-A may also download and execute App/DCToolBar-A as the file 
REDIRECT?.EXE where ? may be a random number.





W32/SdBot-DC

Aliases
Backdoor.SdBot.dc, W32/Spybot.worm.gen virus, Win32/SpyBot.QD worm, 
W32.Randex.AZ, WORM_SPYBOT.AX

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/SdBot-DC is an internet worm and an IRC backdoor Trojan. 
W32/SdBot-DC copies itself into the Windows system folder as 
EXECDLL32.EXE and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
System Executable DLL Library

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
System Executable DLL Library

W32/SdBot-DC attempts to run as a service process.

W32/SdBot-DC scans networks for shares protected by weak passwords and 
attempts to copy itself over to those shares. The worm also logs onto a 
predefined IRC server and waits for backdoor commands.





Troj/Mmdload-A

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/Mmdload-A attempts to download a copy of W32/Mimail-N to the file
c:\tmp.exe and then execute that file.

See the description of W32/Mimail-N for more details.





W32/Rirc-A

Aliases
W32/Rirc.worm, Backdoor.Rirc

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Rirc-A is a worm which spreads by copying itself to network shares 
protected by weak passwords at random IP addresses.

When first run, W32/Rirc-A copies itself to the Windows System folder 
and appends its pathname to the shell= line in the [Boot] section of 
\System.ini, so that it is run automatically each time Windows 
is started. For example:

[Boot]
shell=Explorer.exe \

On versions of Windows NT, 2000 and XP the worm also appends its 
pathname to the following registry entry to run itself on startup:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

The new value of this registry entry will typically be

"Explorer.exe \".

Each time the worm runs it tries to connect to random IP addresses on 
port 139. If successful the worm tries to copy itself as Setup.exe to 
the following startup folders of shares:

\Documents and Settings\All Users\Start Menu\Programs\Startup\
\WINDOWS\Start Menu\Programs\Startup\
\WINNT\Profiles\All Users\Start Menu\Programs\Startup\

The worm attempts to logon to the Administrator account of remote 
computers using a list of 'weak' passwords and if the schedule service 
is active on the remote computer the worm schedules a new job to run the 
worm.

The worm also attempts to connect to a remote IRC server and join a 
specific channel. The worm then sends status information to this 
channel.





Troj/Inor-B

Aliases
TrojanDropper.VBS.Inor.e, VBS/Aproxd.A.dropper

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Inor-B is a malicious web page that drops and runs an executable 
program on the local file system.

When a page containing Troj/Inor-B is visited, a malicious VBScript runs 
and drops an executable file onto the local hard drive.





W32/Randex-Y

Aliases
WORM_RANDEX.GEN, Backdoor.IRCBot.gen

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Randex-Y is a network worm with backdoor capabilities which allows a 
remote intruder to access and control the computer via IRC channels.

W32/Randex-Y chooses IP addresses at random and tries to connect to the 
IPC$ share using simple passwords. If the connection is successful the 
worm copies itself to the following remote locations:

\ADMIN$\system32\msnv32.exe
\C$\WINNT\system32\msnv32.exe

W32/Randex-Y then schedules a job to execute the remotely created files.

Each time the worm is run it tries to connect to a remote IRC server and 
join a specific channel. The worm then runs in the background as a 
server process listening for commands to execute.

When first run the worm copies itself to the Windows system folder as 
IRBMe.exe and adds the following registry entries to point to this copy 
of the worm to ensure it is run at system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IRBMe Sucks!!
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\IRBMe Sucks!!

W32/Randex-Y may also create the file remove.bat in the Windows temp 
folder. This file is not malicious and can simply be deleted.

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
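
The descriptions above name five autostart locations between them: the Run and RunServices keys (Weasyw-A, SdBot-DC, Randex-Y), the shell= line in the [boot] section of System.ini and the Winlogon\Shell value (Rirc-A), and the All Users Startup folders on remote shares (Rirc-A). The following audit script is an added example, not Sophos's or the poster's code: it takes those locations as already exported from a host (registry values, the System.ini text, Startup folder listings) and flags the entries the descriptions describe, so it runs offline. The sample data is constructed; the file and value names it matches are the ones given above, and wormcopy.exe is a stand-in for the Rirc-A file name the description leaves out.

```python
"""Audit the persistence points named in the Sophos descriptions above.
Added example (not Sophos's or the poster's code). Input is data exported
from a host; the sample data at the bottom is constructed."""
import ntpath
import re
from typing import Dict, List

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
WINLOGON_SHELL_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"

# File and value names taken from the descriptions above. Setup.exe is only
# suspicious inside a Startup folder, so it is handled by the folder check.
KNOWN_BAD_FILES = {"easywww.exe", "execdll32.exe", "msnv32.exe", "irbme.exe", "tmp.exe"}
KNOWN_BAD_VALUE_NAMES = {"easywww", "system executable dll library", "irbme sucks!!"}


def exe_name(command: str) -> str:
    """Lower-cased file name of the program a Run value starts (handles quoted paths)."""
    command = command.strip()
    if command.startswith('"'):
        token = command[1:].split('"', 1)[0]
    else:
        token = command.split()[0] if command else ""
    return ntpath.basename(token).lower()


def shell_components(value: str) -> List[str]:
    """Split a shell value into its programs. Winlogon\\Shell is comma-separated and
    the worm appends to System.ini's shell= with a space, so split on both
    (heuristic: a path containing spaces would be split as well)."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def system_ini_shell(text: str) -> str:
    """Return the shell= value from the [boot] section of a System.ini, or '' if absent."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return ""


def audit(run_values: Dict[str, Dict[str, str]], winlogon_shell: str,
          system_ini: str, startup_dirs: Dict[str, List[str]]) -> List[str]:
    """Return one finding per suspicious autostart entry."""
    findings: List[str] = []
    for key in (RUN_KEY, RUNSERVICES_KEY):
        for name, command in run_values.get(key, {}).items():
            if name.lower() in KNOWN_BAD_VALUE_NAMES or exe_name(command) in KNOWN_BAD_FILES:
                findings.append(f"{key}\\{name} = {command}")
    # A clean shell value runs Explorer.exe and nothing else.
    for label, value in ((WINLOGON_SHELL_KEY, winlogon_shell),
                         ("System.ini [boot] shell", system_ini_shell(system_ini))):
        extra = [p for p in shell_components(value) if ntpath.basename(p).lower() != "explorer.exe"]
        if extra:
            findings.append(f"{label} also runs: {', '.join(extra)}")
    # Rirc-A drops Setup.exe into All Users Startup folders; any .exe there deserves a look.
    for folder, entries in startup_dirs.items():
        for entry in entries:
            if entry.lower().endswith(".exe"):
                findings.append(f"executable in startup folder {folder}\\{entry}")
    return findings


# Constructed sample data (ctfmon and desktop.ini are benign controls).
SAMPLE_RUN_VALUES = {
    RUN_KEY: {
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
        "easywww": r"C:\WINDOWS\EASYWWW.EXE",                 # Troj/Weasyw-A
        "IRBMe Sucks!!": r"C:\WINDOWS\system32\IRBMe.exe",    # W32/Randex-Y
    },
    RUNSERVICES_KEY: {
        "System Executable DLL Library": r"C:\WINDOWS\system32\EXECDLL32.EXE",  # W32/SdBot-DC
    },
}
# wormcopy.exe is a stand-in name; the W32/Rirc-A description leaves the path out.
SAMPLE_WINLOGON_SHELL = r"Explorer.exe C:\WINNT\system32\wormcopy.exe"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SYSTEM\\wormcopy.exe\n[386Enh]\ndevice=*vmm\n"
SAMPLE_STARTUP = {r"\Documents and Settings\All Users\Start Menu\Programs\Startup": ["desktop.ini", "Setup.exe"]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RUN_VALUES, SAMPLE_WINLOGON_SHELL, SAMPLE_SYSTEM_INI, SAMPLE_STARTUP):
        print(finding)
```

On the constructed sample the audit reports six entries: the three Run/RunServices values, the extra program on each of the two shell values, and Setup.exe in the Startup folder. The name lists are deliberately limited to what the descriptions state; in practice every RunServices value and every non-Explorer shell component is worth reviewing regardless of name, since the worms above are renamed freely by variants.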

SOURCE: echomail via fidonet.ozzmosis.com
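
The spreading method shared by W32/Rirc-A and W32/Randex-Y above (guess the Administrator password over the network, copy to an admin share, run the copy through the schedule service) leaves a recognisable trace in the target's Security log: a burst of failed network logons for Administrator from one address, a success from the same address, then a scheduled task created moments later. The detector below is an added example, not Sophos's or the poster's code; it assumes the current Security log event IDs (4625 failed logon, 4624 logon, 4698 scheduled task created) and logon type 3 for network logons, none of which the page states, and the event records are constructed.

```python
"""Detect password-guessing over SMB followed by a scheduled-task drop, the
spreading pattern described above. Added example (not Sophos's or the poster's
code); event IDs and logon types are assumed, sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

FAILED_LOGON, LOGON, TASK_CREATED = 4625, 4624, 4698   # assumed Security log IDs
NETWORK_LOGON = 3                                      # logon type for SMB/IPC$ sessions


class Event(NamedTuple):
    time: datetime
    event_id: int
    source_ip: str      # empty for events that carry no client address
    account: str
    logon_type: int     # 0 when not applicable
    detail: str = ""    # task action for 4698


def detect(events: List[Event], fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> List[str]:
    """One alert per source address that failed at least fail_threshold network
    logons as Administrator inside the window and then logged on successfully;
    the alert notes a scheduled task created within the window afterwards."""
    events = sorted(events, key=lambda e: e.time)
    fails: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[str] = []
    for i, e in enumerate(events):
        if e.logon_type != NETWORK_LOGON or e.account.lower() != "administrator":
            continue
        if e.event_id == FAILED_LOGON:
            fails[e.source_ip].append(e.time)
        elif e.event_id == LOGON:
            recent = [t for t in fails[e.source_ip] if e.time - t <= window]
            if len(recent) >= fail_threshold:
                msg = (f"{e.source_ip}: {len(recent)} failed Administrator network logons "
                       f"then success at {e.time:%H:%M:%S}")
                tasks = [x for x in events[i + 1:]
                         if x.event_id == TASK_CREATED and x.time - e.time <= window]
                if tasks:
                    msg += f"; scheduled task created: {tasks[0].detail}"
                alerts.append(msg)
            fails[e.source_ip].clear()   # a success ends the guessing run
    return alerts


# Constructed sample: one worm-style run from 10.0.0.23, one harmless mistyped
# password from 10.0.0.50, and one console logon failure that must be ignored.
_T0 = datetime(2004, 1, 17, 17, 0, 0)
SAMPLE_EVENTS = (
    [Event(_T0 + timedelta(seconds=i), FAILED_LOGON, "10.0.0.23", "Administrator", NETWORK_LOGON)
     for i in range(6)]
    + [Event(_T0 + timedelta(seconds=7), LOGON, "10.0.0.23", "Administrator", NETWORK_LOGON),
       Event(_T0 + timedelta(seconds=12), TASK_CREATED, "", "Administrator", 0,
             r"C:\WINNT\system32\msnv32.exe"),
       Event(_T0 + timedelta(seconds=60), FAILED_LOGON, "10.0.0.50", "Administrator", NETWORK_LOGON),
       Event(_T0 + timedelta(seconds=65), LOGON, "10.0.0.50", "Administrator", NETWORK_LOGON),
       Event(_T0 + timedelta(seconds=90), FAILED_LOGON, "", "Administrator", 2)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are parameters because the weak-password lists these worms carry are short: a run of a dozen guesses in a few seconds from one address is already far outside normal behaviour for the Administrator account, so the threshold can be low when the window is tight. Clearing the per-address failure list on success keeps one incident from being reported twice.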
