subject: News
[cut-n-paste from sophos.com]

Troj/Hackarmy-A
Aliases: Backdoor.Hackarmy
Type: Trojan
Detection: At the time of writing Sophos has received no reports from users affected by this trojan. However, we have issued this advisory following enquiries to our support department from customers.
Description: Troj/Hackarmy-A is an IRC backdoor Trojan that copies itself into the Windows system folder as win32server.scr and sets the following registry entry:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winsock32driver = win32server.scr
The Trojan then logs on to a predefined IRC server and waits for backdoor commands.

Troj/Qhosts-1
Aliases: Qhosts-1, Delude, Qhost
Type: Trojan
Detection: At the time of writing Sophos has received just one report of this trojan from the wild.
Description: Troj/Qhosts-1 is a Trojan that changes the Windows primary DNS server setting so that all infected machines use the same host for DNS queries. If the number of infected computers is high, it may effectively launch a denial of service attack on the DNS server. Troj/Qhosts-1 also "hijacks" Internet Explorer browser usage so that web requests are redirected to the server chosen by the Trojan writer.
The Trojan is installed and run if a user visits a web page that exploits a vulnerability in Internet Explorer. A VB script embedded in the web page is run automatically when the page is viewed using Internet Explorer. The VB script drops and runs the file aolfix.exe in the user's temporary folder. Aolfix.exe is a Windows batch file that has been converted to a Windows binary executable using the demo version of the Batch File Compiler V5.1 utility. Aolfix.exe creates a hidden folder bdtmp\tmp, extracts a batch file with a random name and runs the batch file. The batch file creates several files in the Windows folder. The file Hosts is responsible for the Internet Explorer "hijack". Troj/Qhosts-1 copies the file HOSTS into the folder \Help and appends the original HOSTS file to it.
The Trojan changes the registry values
  HKLM\System\ControlSet001\Services\Tcpip\Parameters\DataBasePath
  HKLM\System\ControlSet002\Services\Tcpip\Parameters\DataBasePath
so that the Trojan's copy of the HOSTS file is used by the system.
There are a few known variants of the Trojan. Depending on the variant, the Trojan may set some other registry values, such as:
  HKLM\System\CurrentControlSet\Services\VxD\MSTCP
    EnableDNS = 1
    NameServer = 216.127.92.38 or 69.57.146.14, 69.57.147.175
    Hostname = "host"
    Domain = "mydomain.com"
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable = 00000000
    MigrateProxy = 00000000
  HKCU\Software\Microsoft\Internet Explorer\Main
    Use Search Asst = no
    Search Page = http://www.google.com
    Search Bar = http://www.google.com/ie
  HKCU\Software\Microsoft\Internet Explorer\SearchURL
    "" = http://www.google.com/keyword/
    provider = gogl
  HKLM\SOFTWARE\Microsoft\Internet Explorer\Search
    SearchAssistant = http://www.google.com/ie
  HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\interfaces\windows r0x = your s0x
  HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\interfaces\windows r0x = your s0x
Some of the variants drop and run the VB script o.vbs in the Windows folder. The script attempts to use Windows Management Instrumentation to change the primary DNS server setting for the network interface.

XF97/Wisab-A
Aliases: Macro.Excel97.Wisab, XM.VNN, XF_SIC.A
Type: Excel formula virus
Detection: At the time of writing Sophos has received just one report of this virus from the wild.
Description: XF97/Wisab-A spreads using a Formula Sheet called XL4Test5. The virus creates a file in the XLSTART directory called BOOK1.

W32/Dumaru-E
Type: Win32 worm
Detection: At the time of writing Sophos has received just one report of this worm from the wild.
Description: W32/Dumaru-E is an email worm with backdoor functions. The worm arrives in a message with the following characteristics:
  From: security{at}microsoft.com
  Subject line: Use this patch immediately !
  Message text: Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!
  Attached file: patch.exe
The worm copies itself to the Windows folder as dllreg.exe, to the Windows system folder as load32.exe and vxdmgr.exe, and to the startup folder as rundllw.exe. The worm also creates the file guid32.dll in the Windows folder. Guid32.dll monitors running programs and keypresses and logs the information in the file vxdload.log in the Windows folder. The worm also logs information in the file winload.log in the Windows folder. The logs of system activity may be uploaded to a remote FTP server.
W32/Dumaru-E creates the following entries in the registry in order to ensure that the worm is run each time Windows is started:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = load32.exe
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\startup = load32.exe
The worm also adds the name of one of the copies of itself to the Run= line of win.ini and the shell= line of system.ini.
W32/Dumaru-E searches for email addresses to send itself to in files with the extensions HTM, WAB, HTML, DBX, TBB and ABD.
The worm may also terminate processes with the following names:
  ZAUINST.EXE, ZAPRO.EXE, ZONEALARM.EXE, ZATUTOR.EXE, MINILOG.EXE, VSMON.EXE, LOCKDOWN.EXE, ANTS.EXE, FAST.EXE, GUARD.EXE, TC.EXE, SPYXX.EXE, PVIEW95.EXE, REGEDIT.EXE, DRWATSON.EXE, SYSEDIT.EXE, NSCHED32.EXE, MOOLIVE.EXE, TCA.EXE, TCM.EXE, TDS-3.EXE, SS3EDIT.EXE, UPDATE.EXE, ATCON.EXE, ATUPDATER.EXE, ATWATCH.EXE, WGFE95.EXE, POPROXY.EXE, NPROTECT.EXE, VSSTAT.EXE, VSHWIN32.EXE, NDD32.EXE, MCAGENT.EXE, MCUPDATE.EXE, WATCHDOG.EXE, TAUMON.EXE, IAMAPP.EXE, IAMSERV.EXE, LOCKDOWN2000.EXE, SPHINX.EXE, WEBSCANX.EXE, VSECOMR.EXE, PCCIOMON.EXE, ICLOAD95.EXE, ICMON.EXE, ICSUPP95.EXE, ICLOADNT.EXE, ICSUPPNT.EXE, FRW.EXE, BLACKICE.EXE, BLACKD.EXE, WRCTRL.EXE, WRADMIN.EXE, WRCTRL.EXE, PCFWALLICON.EXE, APLICA32.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET32.EXE, CFINET.EXE, TDS2-98.EXE, TDS2-NT.EXE, SAFEWEB.EXE, NVARCH16.EXE, MSSMMC32.EXE, PERSFW.EXE, VSMAIN.EXE, LUALL.EXE, LUCOMSERVER.EXE, AVSYNMGR.EXE, DEFWATCH.EXE, RTVSCN95.EXE, VPC42.EXE, VPTRAY.EXE, PAVPROXY.EXE, APVXDWIN.EXE, AGENTSVR.EXE, NETSTAT.EXE, MGUI.EXE, MSCONFIG.EXE, NMAIN.EXE, NISUM.EXE, NISSERV.EXE
W32/Dumaru-E includes a backdoor component which uses port 2283 and an FTP server which uses port 10000.

W32/Randex-G
Aliases: Worm.Randex.g, W95/Randex.J, W32/Sdbot.worm.gen.b, Win32/Randex.G, W32.Randex.C, WORM_RANDEX.F
Type: Win32 worm
Detection: Sophos has received several reports of this worm from the wild.
Description: W32/Randex-G is a network worm with backdoor capabilities that allows a remote intruder to access and control a computer via IRC channels. W32/Randex-G spreads over a network by copying itself to the Windows system32 folder of C$ and Admin$ shares with weak passwords. Each time the worm is run it tries to connect to a remote IRC server and join a specific channel. The worm then runs in the background as a server process, listening for commands to execute.
When first run the worm copies itself to the Windows system folder as ntd32.exe and creates the following registry entries so that the worm is run when Windows starts up:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Network Daemon for Win32 = ntd32.exe
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Network Daemon for Win32 = ntd32.exe
W32/Randex-G obtains and sends out the CD key for the following games:
  Battlefield 1942
  Battlefield 1942: The Road to Rome
  Half-Life
  Unreal Tournament 2003

W32/Lovgate-R
Aliases: I-Worm.Lovgate.n, W32.HLLW.Lovgate{at}mm
Type: Win32 worm
Detection: At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.
Description: W32/Lovgate-R is a worm and backdoor Trojan similar to W32/Lovgate-D. The worm spreads across the local network by copying itself into shared folders using the following filenames:
  billgt.exe, Card.EXE, docs.exe, fun.exe, hamster.exe, humor.exe, images.exe, joke.exe, midsong.exe, news_doc.exe, pics.exe, PsPGame.exe, s3msong.exe, searchURL.exe, SETUP.EXE, tamagotxi.exe
W32/Lovgate-R also attempts to spread via email by sending itself to email addresses collected from *.ht* files. Emails sent to these addresses will have one of the following sets of characteristics:
  Subject line: Documents
  Message body: Send me your comments...
  Attached file: Docs.exe

  Subject line: Roms
  Message body: Test this ROM! IT ROCKS!.
  Attached file: Roms.exe

  Subject line: Pr0n!
  Message body: Adult content!!! Use with parental advisory.
  Attached file: Sex.exe

  Subject line: Evaluation copy
  Message body: Test it 30 days for free.
  Attached file: Setup.exe

  Subject line: Help
  Message body: I'm going crazy... please try to find the bug!
  Attached file: Source.exe

  Subject line: Beta
  Message body: Send reply if you want to be official beta tester.
  Attached file: _SetupB.exe

  Subject line: Do not release
  Message body: This is the pack ;)
  Attached file: Pack.exe

  Subject line: Last Update
  Message body: This is the last cumulative update.
  Attached file: LUPdate.exe

  Subject line: The patch
  Message body: I think all will work fine.
  Attached file: Patch.exe

  Subject line: Cracks!
  Message body: Check our list and mail your requests!
  Attached file: CrkList.exe
W32/Lovgate-R copies itself into the Windows system folder as rpcsrv.exe, syshelp.exe, WinGate.exe, winrpc.exe and WinRpcsrv.exe and sets the following registry entries:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\syshelp = "\syshelp.exe"
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinGate initialize = "\WinGate.exe -remoteshell"
  HKLM\Software\CLASSES\txtfile\shell\open\command = "winrpc.exe %1"
W32/Lovgate-R is also a backdoor Trojan that provides an attacker with unauthorized access to the user's computer and can send a notification email message to the attacker.

W32/Dumaru-B
Aliases: I-Worm.Dumaru.c, PE_DUMARU.B
Type: Win32 worm
Detection: At the time of writing Sophos has received just one report of this worm from the wild.
Description: W32/Dumaru-B is an email worm with backdoor functions. The worm arrives in a message with the following characteristics:
  From: security{at}microsoft.com
  Subject line: Use this patch immediately !
  Message text: Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!
  Attached file: patch.exe
The worm copies itself to the Windows folder as dllreg.exe, to the Windows system folder as load32.exe and vxdmgr.exe, and to the startup folder as rundllw.exe. The worm also creates the file guid32.dll in the Windows folder. Guid32.dll monitors running programs and keypresses and logs the information in the file vxdload.log in the Windows folder. The worm also logs information in the file winload.log in the Windows folder. The logs of system activity may be uploaded to a remote FTP server.
W32/Dumaru-B creates the following entry in the registry in order to ensure that the worm is run each time Windows is started:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = load32.exe
W32/Dumaru-B creates another registry entry as a marker:
  HKLM\Software\SARS\kwmfound
The worm also adds the name of one of the copies of itself to the Run= line of win.ini and the shell= line of system.ini.
W32/Dumaru-B drops and runs the file \windrive.exe. Windrv.exe is a backdoor Trojan detected by Sophos Anti-Virus as Troj/Small-G.
The worm also attempts to terminate processes with the following names:
  AGENTSVR.EXE, ANTS.EXE, APLICA32.EXE, APVXDWIN.EXE, ATCON.EXE, ATUPDATER.EXE, ATWATCH.EXE, AVSYNMGR.EXE, BLACKD.EXE, BLACKICE.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET32.EXE, DEFWATCH.EXE, DRWATSON.EXE, FAST.EXE, FRW.EXE, GUARD.EXE, IAMAPP.EXE, IAMSERV.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, LOCKDOWN.EXE, LOCKDOWN2000.EXE, LUALL.EXE, LUCOMSERVER.EXE, MCAGENT.EXE, MCUPDATE.EXE, MGUI.EXE, MINILOG.EXE, MOOLIVE.EXE, MSCONFIG.EXE, MSSMMC32.EXE, NDD32.EXE, NETSTAT.EXE, NISSERV.EXE, NISUM.EXE, NMAIN.EXE, NPROTECT.EXE, NSCHED32.EXE, NVARCH16.EXE, PAVPROXY.EXE, PCCIOMON.EXE, PCFWALLICON.EXE, PERSFW.EXE, POPROXY.EXE, PVIEW95.EXE, REGEDIT.EXE, RTVSCN95.EXE, SAFEWEB.EXE, SPHINX.EXE, SPYXX.EXE, SS3EDIT.EXE, SYSEDIT.EXE, TAUMON.EXE, TC.EXE, TCA.EXE, TCM.EXE, TDS2-98.EXE, TDS2-NT.EXE, TDS-3.EXE, UPDATE.EXE, VPC42.EXE, VPTRAY.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSMAIN.EXE, VSMON.EXE, VSSTAT.EXE, WATCHDOG.EXE, WEBSCANX.EXE, WGFE95.EXE, WRADMIN.EXE, WRCTRL.EXE, WRCTRL.EXE, ZAPRO.EXE, ZATUTOR.EXE, ZAUINST.EXE, ZONEALARM.EXE

--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SOURCE: echomail via fidonet.ozzmosis.com
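The Troj/Qhosts-1 write-up above describes two checks worth automating: whether Tcpip\Parameters\DataBasePath still points at the stock drivers\etc directory, and whether the HOSTS file the system actually reads maps well-known names to a routable address. The script below is an added example and is not Sophos code or part of the original post. It works on constructed strings (the registry value and a HOSTS file laid out the way the advisory describes, Trojan lines first with the original file appended); the 192.0.2.10 target and the hijacked names are assumptions for the sample, and on a live host you would read DataBasePath from HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and open the hosts file in the directory it names.

```python
"""Offline checks for the HOSTS-file / DataBasePath hijack used by Troj/Qhosts-1.

Added example, not Sophos code. Inputs are constructed strings; on a live host
read DataBasePath from HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters
and open the file named hosts in the directory that value points to.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Stock value of DataBasePath on Windows (assumed default for the comparison below).
DEFAULT_DATABASE_PATH = r"%SystemRoot%\System32\drivers\etc"

HostsEntries = List[Tuple[str, List[str]]]


def normalise_path(value: str, system_root: str = r"C:\WINDOWS") -> str:
    """Expand %SystemRoot%, unify separators and case, drop a trailing separator."""
    expanded = re.sub(r"%systemroot%", lambda _m: system_root, value, flags=re.IGNORECASE)
    return expanded.replace("/", "\\").rstrip("\\").lower()


def database_path_is_default(value: str, system_root: str = r"C:\WINDOWS") -> bool:
    """True if DataBasePath still points at the stock drivers\\etc directory."""
    return normalise_path(value, system_root) == normalise_path(DEFAULT_DATABASE_PATH, system_root)


def parse_hosts(text: str) -> HostsEntries:
    """Parse HOSTS content into (address, [names]) in file order; comments and junk dropped."""
    entries: HostsEntries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address: ignore rather than crash on a hand-edited file
        entries.append((fields[0], [n.lower() for n in fields[1:]]))
    return entries


def resolve(entries: HostsEntries, name: str) -> Optional[str]:
    """First matching line wins, as the resolver does, which is why appending the
    original file below the Trojan's own lines leaves the hijacked names hijacked."""
    name = name.lower()
    for addr, names in entries:
        if name in names:
            return addr
    return None


def hijacked_names(entries: HostsEntries) -> Dict[str, str]:
    """Names whose effective mapping is a routable address (not loopback, not 0.0.0.0).

    Loopback/unspecified targets are the normal ad-blocking use of HOSTS; a routable
    target sends requests for that name to a host of someone else's choosing.
    """
    hijacked: Dict[str, str] = {}
    seen = set()
    for addr, names in entries:
        ip = ipaddress.ip_address(addr)
        for n in names:
            if n in seen:
                continue  # an earlier line already decides this name
            seen.add(n)
            if not (ip.is_loopback or ip.is_unspecified):
                hijacked[n] = addr
    return hijacked


# Constructed sample in the layout the advisory describes: Trojan lines first,
# the machine's original file appended after them. 192.0.2.0/24 is documentation space.
SAMPLE_HOSTS = """\
192.0.2.10  www.google.com google.com
192.0.2.10  www.altavista.com
# ---- original hosts file appended by the Trojan ----
127.0.0.1       localhost
127.0.0.1       www.google.com   # constructed: a pre-existing line now shadowed by the Trojan's
"""


def audit(database_path: str, hosts_text: str) -> Dict[str, object]:
    """Combine both checks the way a triage script would."""
    entries = parse_hosts(hosts_text)
    return {
        "database_path_default": database_path_is_default(database_path),
        "hijacked": hijacked_names(entries),
    }


if __name__ == "__main__":
    print(audit(r"C:\WINDOWS\Help", SAMPLE_HOSTS))
```

The two checks are deliberately independent: a DataBasePath that still reads %SystemRoot%\System32\drivers\etc says nothing about the contents of the file there, and a clean file in the default directory is irrelevant if DataBasePath points somewhere else, so a triage script has to read the value first and then the file it names.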
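Hackarmy, Dumaru, Randex and Lovgate-R all persist through the same handful of places: Run and RunServices values, a hijacked txtfile open command, and the run= / shell= lines of win.ini and system.ini. The sweep below turns the registry entries quoted in those advisories into an indicator table and matches it against a .reg export, then checks the two INI hooks. It is an added example, not Sophos code and not part of the original post; the export text and INI samples are constructed, the benign ctfmon value is an assumption, and the DataBasePath keys from the Qhosts entry are left to the other check.

```python
"""Autorun indicator sweep for the worms above, run against a .reg export and the
win.ini / system.ini hooks. Added example, not Sophos code; the export text and
INI samples are constructed. On a real host the export would come from e.g.
  reg export "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
"""
import configparser
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, str]]
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# (family, key, value name with "@" for the default value, substring expected in the data),
# taken from the registry entries quoted in the advisories above.
AUTORUN_IOCS: List[Tuple[str, str, str, str]] = [
    ("Troj/Hackarmy-A", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Winsock32driver", "win32server.scr"),
    ("W32/Dumaru", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "load32", "load32.exe"),
    ("W32/Randex-G", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Microsoft Network Daemon for Win32", "ntd32.exe"),
    ("W32/Randex-G", r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "Microsoft Network Daemon for Win32", "ntd32.exe"),
    ("W32/Lovgate-R", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "syshelp", "syshelp.exe"),
    ("W32/Lovgate-R", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "WinGate initialize", "-remoteshell"),
    ("W32/Lovgate-R", r"HKLM\Software\CLASSES\txtfile\shell\open\command", "@", "winrpc.exe"),
]


def parse_reg_export(text: str) -> RegTree:
    """Minimal parser for REGEDIT4 / 'Registry Editor 5.00' exports: string values only."""
    tree: RegTree = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVES.get(hive, hive) + "\\" + rest
            tree.setdefault(key, {})
        elif key is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"'):  # dword:/hex: values skipped; every IOC here is a REG_SZ
                tree[key][name] = data.strip('"').replace("\\\\", "\\").replace('\\"', '"')
    return tree


def match_iocs(tree: RegTree) -> List[Tuple[str, str, str, str]]:
    """Return (family, key, value name, data) for every indicator present; keys and
    value names compare case-insensitively because the registry does."""
    lowered = {k.lower(): v for k, v in tree.items()}
    hits = []
    for family, key, name, needle in AUTORUN_IOCS:
        for vname, data in lowered.get(key.lower(), {}).items():
            if vname.lower() == name.lower() and needle.lower() in data.lower():
                hits.append((family, key, vname, data))
    return hits


def ini_hooks(win_ini: str, system_ini: str) -> List[str]:
    """Flag a populated run= in win.ini [windows] and a shell= in system.ini [boot]
    that is anything other than Explorer.exe alone (Dumaru appends its copy to it)."""
    findings = []
    win = configparser.ConfigParser(interpolation=None, strict=False)
    win.read_string(win_ini)
    run = win.get("windows", "run", fallback="").strip()
    if run:
        findings.append(f"win.ini run={run}")
    sys_ = configparser.ConfigParser(interpolation=None, strict=False)
    sys_.read_string(system_ini)
    shell = sys_.get("boot", "shell", fallback="Explorer.exe").strip()
    if shell.lower() != "explorer.exe":
        findings.append(f"system.ini shell={shell}")
    return findings


# Constructed export: one benign Run value (assumed) beside a Dumaru entry and two Lovgate-R entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\System32\\ctfmon.exe"
"load32"="load32.exe"
"WinGate initialize"="C:\\WINDOWS\\System32\\WinGate.exe -remoteshell"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="winrpc.exe %1"
'''

# Constructed INI fragments showing the Dumaru-style additions to run= and shell=.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=dllreg.exe\nNullPort=None\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe vxdmgr.exe\n[386Enh]\nwoafont=dosapp.fon\n"


if __name__ == "__main__":
    for hit in match_iocs(parse_reg_export(SAMPLE_REG)):
        print("registry:", *hit)
    for finding in ini_hooks(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print("ini:", finding)
```

Matching on a substring of the data rather than the whole value is deliberate: the advisories give the image name (load32.exe, ntd32.exe) but the export will usually carry a full path in front of it, and Lovgate-R's "-remoteshell" switch is the telling part of that value whatever directory WinGate.exe was dropped in.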