[cut-n-paste from sophos.com]
W32/Agobot-KW
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Agobot-KW is a network worm which spreads by copying itself to
computers protected by weak passwords and via IRC channels. The worm
also allows unauthorised remote access to the computer via a network.
W32/Agobot-KW copies itself to the Windows system folder as svchosts.exe
and adds entries to the registry at the following locations to run
itself on system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsConfig = <Windows system folder>\svchosts.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WindowsConfig = <Windows system folder>\svchosts.exe
See also Microsoft security bulletin MS04-011: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
W32/Rbot-DL
Aliases
Backdoor.Rbot.gen, W32/Sdbot.worm.gen.k, WORM_RBOT.W
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Rbot-DL is a network worm and backdoor Trojan for the Windows
platform.
W32/Rbot-DL allows a malicious user remote access to an infected
computer.
The worm copies itself to a file named winsyst.exe in the Windows system
folder and creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = winsyst.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update = winsyst.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = winsyst.exe
W32/Rbot-DL spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
W32/Rbot-DL can be controlled by a remote attacker over IRC channels.
Patches for the operating system vulnerabilities exploited by
W32/Rbot-DL can be obtained from Microsoft at:
MS04-011
MS03-026
MS03-007
MS01-059
W32/Rbot-DJ
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Rbot-DJ is a member of the W32/Rbot family of worms with backdoor
capabilities.
In order to run automatically when Windows starts up, the worm copies
itself to the file updata.exe in the Windows system folder and adds the
following registry entries pointing to this file:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Machine = updata.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Machine = updata.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Machine = updata.exe
When run the worm attempts to connect to a remote IRC server. This
connection is used as a control channel that allows a malicious user
access to the infected computer.
Troj/Keylog-Q
Aliases
Juntador-C, MultiDropper-BN
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Keylog-Q is a password-stealing Trojan.
When first run, the Trojan creates the following files in the Windows
system folder:
finds.exe
cks.exe
svchost.exe
msconfig.exe
key1.exe
bpk.exe
bpkhk.dll
bpkr.exe
bpkwb.dll
mc.dat
bpk.dat
pk.bin
All of the EXE and DLL files are detected as Troj/Keylog-Q, while the
remaining files are harmless.
In order to run automatically when Windows starts up, Troj/Keylog-Q
creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msconfig
The Trojan attempts to steal passwords by taking screenshots and logging
keyboard and mouse events. Screenshots are saved as JPG files in a folder
named temp\ beneath the Windows system folder but without using the JPG
extension. Keyboard and mouse events are recorded in the file
password.crt in the Windows folder.
Troj/Keylog-Q periodically uploads these log files to an FTP server
specified by the Trojan's author.
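As an added defender-side example (not code from the Sophos page), the following Python parses `reg query <key> /s` style output for the Run and RunServices keys and flags the autorun value names and dropped file names listed in the four descriptions above (Agobot-KW, Rbot-DL, Rbot-DJ, Keylog-Q). The sample output is constructed, and the Keylog-Q value data is treated as unknown because the page does not give it.

```python
import re
# Autorun value names and dropped file names from the four Sophos descriptions
# above; Keylog-Q's value data is not on the page, so only its names match (None).
INDICATORS = {
    "WindowsConfig": "svchosts.exe",    # W32/Agobot-KW
    "Microsoft Update": "winsyst.exe",  # W32/Rbot-DL
    "Microsoft Machine": "updata.exe",  # W32/Rbot-DJ
    "svchost": None,                    # Troj/Keylog-Q
    "msconfig": None,                   # Troj/Keylog-Q
}
AUTORUN_KEYS = ("Run", "RunServices")   # the autorun keys named on the page
# One value line of `reg query <key> /s` output: "    Name    REG_TYPE    Data"
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s*(?P<data>.*)$")

def scan_reg_query(text):
    """Return (key, value name, data, confidence) for each matching autorun value.
    'high': value name and dropped file name both match; 'medium': name only."""
    hits, current_key = [], None
    for line in text.splitlines():
        if line.startswith("HK"):         # key header line of reg query output
            current_key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        if current_key.rsplit("\\", 1)[-1] not in AUTORUN_KEYS:
            continue                      # not a Run/RunServices key
        name, data = m["name"], m["data"].strip()
        if name not in INDICATORS:
            continue
        expected = INDICATORS[name]
        confidence = "high" if expected and expected.lower() in data.lower() else "medium"
        hits.append((current_key, name, data, confidence))
    return hits

# Constructed sample of `reg query` output (not a real capture). The first
# value is benign and must not be flagged.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Microsoft Update    REG_SZ    winsyst.exe
    WindowsConfig    REG_SZ    C:\WINDOWS\system32\svchosts.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft Machine    REG_SZ    updata.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    svchost    REG_SZ    C:\WINDOWS\system32\svchost.exe
"""
```

A "medium" hit only means the value name matches one the page lists; confirm by checking the file the value points to before treating it as an infection.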
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)