echo: virus
to: ALL
from: KURT WISMER
date: 2004-02-01 19:18:00
subject: News

[cut-n-paste from sophos.com]

W32/Eyeveg-B

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Eyeveg-B is a password stealing Trojan and network worm.

The worm may arrive in an HTML file that exploits a Microsoft Internet 
Explorer vulnerability which allows the worm to be executed.

For further information on this vulnerability and for details on how to 
protect/patch the computer against such attacks please see Microsoft 
security bulletin MS02-015.

When first run, W32/Eyeveg-B copies itself to the Windows System folder 
using a random filename and adds its pathname to the following registry 
entry so that it is run automatically each time the computer is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

W32/Eyeveg-B then attempts to send cached passwords and system 
information to a remote location.

W32/Eyeveg-B spreads to shared drives on the local network, copying 
itself to the startup folder specified in the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\Shell Folders\Common Startup

VBS/Inor-C

Aliases
TrojanDropper.VBS.Inor.z, VBS/Inor.F@dr, VBS/Inor, W32.Dumaru.Z@mm

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
VBS/Inor-C is a Trojan dropper.

VBS/Inor-C is a Microsoft Visual Basic script (sometimes embedded within 
an HTML file) which stores an executable encoded as text.

When run, VBS/Inor-C drops the executable and runs it.

VBS/Inor-C typically drops W32/Dumaru-Y as the file C:\2.exe.

Troj/Stawin-A

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/Stawin-A is a key logging Trojan that appears to have been 
mass-mailed out.

It may have arrived in an email with the following characteristics:

Subject line: I still love you 

Message text:
Error 551: We are sorry your UTF-8 encoding is not supported by the 
server, so the text was automatically zipped and attached to this 
message.

Attached file: message.zip

When logging data, Troj/Stawin-A will target user interactions with 
banks and financial institutions, for example data entered into online 
banking forms. The logged data will be sent to a specific email address.

When run it will copy itself to the Windows folder using its original 
filename. Examples already seen have used the filename message.exe.

The Trojan will then set the following registry entry that points to the 
copy of the Trojan to ensure it is run at system logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE

Troj/Stawin-A will create the helper file HookerDll.Dll in the Windows 
folder.

The file kgn.txt may also be created in the Windows folder. This file is 
not malicious and can be deleted.

W32/MyDoom-A

Aliases
Mimail.R, Novarg.A, Shimg, W32.Novarg.A@mm, W32/Mydoom@MM

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/MyDoom-A is a worm which spreads by email. When the infected
attachment is launched, the worm harvests email addresses from address
books and from files with the following extensions: WAB, TXT, HTM, SHT, 
PHP, ASP, DBX, TBB, ADB and PL.

W32/MyDoom-A creates a file called Message in the temp folder and runs 
Notepad to display the contents, which displays random characters.

W32/MyDoom-A 'spoofs', using randomly chosen email addresses in the 
"To:" and "From:" fields as well as a randomly chosen subject line. The 
emails distributing this worm have the following characteristics.

Subject lines
error
hello
hi
mail delivery system
mail transaction failed
server report
status
test
[random collection of characters]

Message texts
test
The message cannot be represented in 7-bit ASCII encoding and has been 
sent as a binary attachment The message contains Unicode characters and 
has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

Attachment filenames
body
data
doc
document
file
message
readme
test
[random collection of characters]

Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.

W32/MyDoom-A is programmed to not forward itself via email if the 
recipient email address satisfies various conditions:

    * The worm will not send itself to email addresses belonging to 
      domains containing the following strings: acketst, arin., avp, 
      berkeley, borlan, bsd, example, fido, foo., fsf., gnu, google, 
      .gov, gov., hotmail, iana, ibm.com, icrosof, ietf, inpris, isc.o, 
      isi.e, kernel, linux, math, .mil, mit.e, mozilla, msn., mydomai, 
      nodomai, panda, pgp, rfc-ed, ripe., ruslis, secur, sendmail, 
      sopho, syma, tanford.e, unix, usenet, utgers.ed

      As a consequence the worm does not forward itself to a number of 
      email domains, including several anti-virus companies and 
      Microsoft.

    * The worm will not send itself to email addresses in which the 
      username contains the following strings: abuse, anyone, bugs, ca, 
      contact, feste, gold-certs, help, info, me, no, noone, nobody, 
      not, nothing, page, postmaster, privacy, rating, root, samples, 
      secur, service, site, spm, soft, somebody, someone, submit, 
      the.bat, webmaster, you, your, www

    * The worm will not send itself to email addresses which contain 
      the following strings: admin, accoun, bsd, certific, google, 
      icrosoft, linux, listserv, ntivi, spam, support, unix


The worm can also copy itself into the shared folder of the KaZaA 
peer-to-peer application with one of the following filenames and a PIF, 
EXE, SCR or BAT extension:
activation_crack
icq2004-final
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
winamp5

W32/MyDoom-A creates a file called taskmon.exe in the system or temp 
folder and adds the following registry entry to run this file every 
time Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon = taskmon.exe

Please note that on Windows 95/98/Me, there is a legitimate file called 
taskmon.exe in the Windows folder.

W32/MyDoom-A also drops a file named shimgapi.dll to the temp or system 
folder. This is a backdoor program loaded by the worm that allows 
outsiders to connect to TCP port 3127. The DLL adds the following 
registry entry so that it is run on startup:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\
Default= ""

The worm will also add the following entries to the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

Between the 1st and 12th February 2004, the worm will attempt a 
denial-of-service attack on www.sco.com, sending numerous GET requests 
to the web server.

After the 12th February W32/MyDoom-A will no longer spread, due to an 
expiry date set in the code. It will, however, still run the backdoor 
component.

Further reading: MyDoom worm spreads widely across internet, Sophos 
warns users to be wary of viral email and hacker attack

W32/Mimail-Q

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Mimail-Q is a worm which spreads via email using addresses harvested 
from the hard drive of the infected computer. All email addresses found 
on the computer are saved in a file named outlook.cfg in the Windows 
folder.

The email can arrive with random properties which are built up from 
extensive lists contained within W32/Mimail-Q.

W32/Mimail-Q creates a fake Microsoft web page in the root folder named 
MSHOME.HTA in order to steal personal information. This page is 
displayed when W32/Mimail-Q is executed and prompts the user to enter 
credit card and other personal information.

Several files are dropped into C:\ and can be deleted:

logo.jpg
logobig.gif
mshome.hta
wind.gif

In order to run automatically when Windows starts up the worm copies 
itself to the file sys32.exe in the Windows folder and sets the registry 
entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System
pointing to this file.

The worm also drops the file outlook.exe into the Windows folder.

W32/Mimail-Q displays a fake error message
ERROR: Bad CRC32
when run.

W32/Dumaru-K

Aliases
I-Worm.Dumaru.k, I-Worm.Dumaru.l, WORM_DUMARU.Z

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Dumaru-K is an email worm, a password stealing Trojan and a 
downloader for an IRC backdoor Trojan.

W32/Dumaru-K arrives in an email with the following characteristics:
Subject line: Important information for you. Read it immediately !
Message text: Here is my photo, that you asked for yesterday.
Attached file: myphoto.zip

The email addresses that this email is mass-mailed to are harvested from 
files with the following extensions and then saved to the file 
winload.log in the Windows folder:
htm
html
wab
dbx
tbb
abd

When W32/Dumaru-K is run the following copies will be created:
\dllxw.exe
\l32x.exe
\vxd32v.exe
\zip.tmp

The following registry entries are created with references to these 
copies of the worm:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = l32x.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
= explorer C:\\vxd32v.exe

W32/Dumaru-K downloads a Trojan dropper, detected by Sophos Anti-Virus 
as Troj/Small-AW, to the Windows folder with the filename nvidia32.exe. 
This Trojan is then executed which drops and runs the DLL file 
rwtrisfg32.dll. The Trojan is an IRC backdoor Trojan detected by Sophos 
Anti-Virus as Troj/Mahru-A.

Please see the descriptions of Troj/Small-AW and Troj/Mahru-A for more 
details.

W32/Dumaru-K will periodically send an email to an attacker containing 
information about the victim's computer.

W32/SdBot-DC

Aliases
Backdoor.SdBot.dc, W32/Spybot.worm.gen virus, Win32/SpyBot.QD worm, 
W32.Randex.AZ, WORM_SPYBOT.AX

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/SdBot-DC is an internet worm and an IRC backdoor Trojan. 
W32/SdBot-DC copies itself into the Windows system folder as 
EXECDLL32.EXE and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
System Executable DLL Library

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
System Executable DLL Library

W32/SdBot-DC attempts to run as a service process.

W32/SdBot-DC scans networks for shares protected by weak passwords and 
attempts to copy itself over to those shares. The worm also logs onto a 
predefined IRC server and waits for backdoor commands.

W32/Dumaru-Y

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Dumaru-Y is an email worm with backdoor functions. The worm arrives 
in a message with the following characteristics:

From: "Elene" 
Subject line: Important information for you. Read it immediately !
Message text: Hi !
Here is my photo, that you asked for yesterday
Attached file: myphoto.zip

which contains the file myphoto.jpg.exe.

When executed the worm copies itself to the Windows system folder as 
l32x.exe and vxd32v.exe and the startup folder as dllxw.exe.

W32/Dumaru-Y sets the entry in the registry in order to ensure that the 
worm is run each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32 = l32x.exe

When executed under Windows NT W32/Dumaru-Y sets the entry in the 
registry:

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell=
"explorer.exe" C:\\Windows\System32\\vxd32.exe

The worm also changes the system.ini file by adding the 
"C:\WINDOWS\SYSTEM\VXD32V.EXE" to the shell= line.

W32/Dumaru-Y monitors running programs and keypresses and logs the 
information in the file vxdload.log in the Windows folder.

The worm also logs information in the file winload.log in the Windows 
folder.

The logs of system activity may be uploaded to a remote FTP server.

W32/Dumaru-Y has its own SMTP engine and attempts to collect email 
addresses by searching the content of files with the extensions WAB, 
HTM, HTML, DBX, ABD and TBB.

W32/Dumaru-Y includes a backdoor component which uses port 2283 and an 
FTP server which uses port 10000.

Once installed W32/Dumaru-Y sends a notification email to the owner.

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
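An added example, not part of the Sophos write-ups or of Kurt's post: the descriptions above all name the Run-key values and Winlogon Shell changes the malware makes, so a defender can sweep an exported registry for exactly those indicators. The .reg parsing is minimal (REG_SZ lines only) and the sample export is constructed to contain one benign OEM entry plus entries matching the MyDoom-A, Dumaru-K/Y and Stawin-A write-ups.

```python
import re
# Autorun indicators transcribed from the Sophos write-ups above: value path -> (detection, expected file or None).
AUTORUN_IOCS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon": ("W32/MyDoom-A", "taskmon.exe"),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE": ("Troj/Stawin-A", "message.exe"),
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System": ("W32/Mimail-Q", "sys32.exe"),
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32": ("W32/Dumaru-K/Y", "l32x.exe"),
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Executable DLL Library": ("W32/SdBot-DC", None),
}
# A clean Winlogon Shell value is just "explorer.exe"; W32/Dumaru-K/Y append a second program to it.
WINLOGON_SHELL = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_CLASSES_ROOT": "HKCR"}

def parse_reg_export(text):
    """Parse a minimal .reg export (REG_SZ lines only) into {hive\\key\\value: data}; paths are lower-cased."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)          # [HKEY_...\key] section header
        if m:
            hive, _, rest = m.group(1).partition("\\")
            key = HIVES.get(hive.upper(), hive) + "\\" + rest
            continue
        m = re.fullmatch(r'"(.+?)"="(.*)"', line)    # "ValueName"="data"
        if m and key:
            entries[(key + "\\" + m.group(1)).lower()] = m.group(2)
    return entries

def check_autoruns(entries):
    """Return (detection, value path, data) for every indicator present in the parsed export."""
    hits = []
    for path, (name, filename) in AUTORUN_IOCS.items():
        data = entries.get(path.lower())
        if data is not None and (filename is None or filename in data.lower()):
            hits.append((name, path, data))
    shell = entries.get(WINLOGON_SHELL.lower())      # anything beyond explorer.exe is suspicious
    if shell is not None and shell.strip().strip('"').lower() != "explorer.exe":
        hits.append(("Winlogon Shell hijack (W32/Dumaru-K/Y pattern)", WINLOGON_SHELL, shell))
    return hits

# Constructed sample export (not a real capture): one benign OEM entry plus indicators from the write-ups.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Taskmon"="taskmon.exe"
"load32"="l32x.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer C:\\vxd32v.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OLE"="C:\\WINDOWS\\message.exe"'''
```

Run `check_autoruns(parse_reg_export(SAMPLE_EXPORT))` to list the four matches; on a real system feed it the output of `reg export` for the Run and Winlogon keys.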

SOURCE: echomail via fidonet.ozzmosis.com
