echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2002-12-22 16:11:00
subject: News

[cut-n-paste from sophos.com]

W32/Lolol-A

Aliases
Worm.P2P.Lolol.a, Win32/Lolol.A worm, W32.HLLW.Lolol

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users affected by
this worm. However, we have issued this advisory following enquiries to our
support department from customers.

Description
W32/Lolol-A is a worm and a backdoor Trojan.

The worm component is primarily targeted at users running the KaZaA
peer-to-peer application. The worm creates 88 copies of itself in the folders
C:\Program Files\Kazaa Lite\My Shared Folder, C:\Program Files\Kazaa\My
Shared Folder and C:\My Downloads.

The following list contains examples of the filenames used for the copies
of the worm:

100 free essays school.pif
age of empires 2 cheats.exe
aim cracker.exe
aim password cracker
anarchist cookbook.pif
aol cracker.exe
aol password cracker.exe
divx pro.exe
driver.exe
fireworks.exe
fuck.exe
GTA 3 Crack.exe
GTA 3 Serial.exe
gta3.exe
hondra screen saver.scr
HotGirls.exe
hotmail hack.exe
how to hack.exe
how to use a shell.pif
NBA 2003 Crack.exe
NBA 2003 serials.epif
NBA 2003.exe
pamela anderson screen saver.scr
play station emulator crack.exe
play station emulator.exe
porn screen saver.scr
steal usernames.exe
super mario bros.exe
super mario brothers.exe
supra screen saver.scr
ut 2k3.exe
ut 2k3.pif
virtua girl - completely nude.pif
virtua girl - jenn.pif
Virtua Girl (Full).exe
Virtua Sex.exe
warcraft 3 crack.exe
warcraft 3 serials.pif
winxp.iso.pif
worldbook.exe

The backdoor Trojan component will connect to an IRC server and join a
channel where it will wait for commands issued by an attacker using that IRC
channel. The commands will be interpreted by the server into actions to carry
out on the host computer.

When first executed the worm will copy itself to the file
C:\Windows\System\winsys.exe. 

The following registry entries will be created to start the worm when Windows
starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Configuration Loader
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Configuration Loader




XM97/Laroux-MW

Type
Excel 97 macro virus

Detection
At the time of writing Sophos has received just one report of this virus from
the wild.

Description
XM97/Laroux-MW is a Laroux variant that replicates using XL5GALRY.XLS.




Troj/VB-CH

Aliases
Backdoor.VB.CH

Type
Trojan

Detection
At the time of writing Sophos has received no reports from users affected by
this Trojan. However, we have issued this advisory following enquiries to our
support department from customers. 

Description
Troj/VB-CH is a backdoor Trojan which gives a remote intruder control over
the infected computer. 

On execution the Trojan creates the following registry entry to run itself on
system start:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunService\systray




W32/Lioten-A

Aliases
IraqiWorm, Iraq_Oil

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users affected by
this worm. However, we have issued this advisory following enquiries to our
support department from customers. 

Description
W32/Lioten-A is a worm which spreads using network shares. The worm tries
to identify badly-secured Windows 2000 and Windows XP computers on the
internet, to copy itself onto these computers, and to send them commands to
start running their own copy of the worm. 

When W32/Lioten-A runs, it generates 100 random IP addresses and tries to
connect to the Windows IPC$ share on each of these computers, using an
anonymous account (no username or password). This sort of access is known
as a "null session" or "unauthenticated" connection. The worm uses TCP port
445 (NetBIOS over TCP/IP) for this connection.

W32/Lioten-A then uses its null session connection to request a list of
usernames from the potential victim computer. Unsecured Windows systems
permit null sessions to be used for this purpose. 

Armed with a list of usernames, W32/Lioten-A attempts to make an
authenticated connection to the ADMIN$ and C$ shares. The worm tries out
the following list of weak passwords for each user:

[blank password]
admin
root
111
123
1234
123456
654321
1
!@#$
asdf
asdfgh
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
server

If any of the accounts can be "cracked" in this way, W32/Lioten-A copies
itself to \WINNT\system32\iraq_oil.exe on the computer it is attacking.
W32/Lioten-A then sets up a scheduled job on the remote computer which will
run the newly-added file in a short while. If the account used by the worm
has sufficient privilege to configure jobs remotely, this will cause the
infected computer to attack 100 randomly-selected IP addresses in its turn.

Note that W32/Lioten-A:

    can neither run on nor break into Windows
    95/98/Me computers;
    can run on but not break into Windows NT
    computers;
    can run on and break into Windows 2000 and
    Windows XP computers.




WM97/Titch-M

Type
Word 97 macro virus

Detection
At the time of writing Sophos has received just one report of this virus from
the wild.

Description
WM97/Titch-M is a member of the WM97/Titch family that has no malicious
payload.

WM97/Titch-M creates the non-viral file C:\arbind2000.tmp, used during
replication. The virus will normally delete this file after use.

 
--- MultiMail/MS-DOS v0.27
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/1 379/1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
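The W32/Lolol-A and Troj/VB-CH write-ups above give two host-side indicators a responder can check without a signature update: one binary dropped under dozens of lure names in the shared folders, and an autorun value ("Configuration Loader" pointing at winsys.exe, or "systray" under RunService) in the Run keys. The following is an added example, not code from Sophos or from the poster. It hashes every .exe/.pif/.scr under a directory tree and reports groups of identical files, and it parses a .reg export for the autorun entries. All evidence it runs against is constructed here (a temporary folder with ten identical stand-in files and a small .reg text); the file names come from the advisory's list, the payload bytes, the "setup.exe" and "ScanRegistry" entries, and the min_copies threshold are assumptions.

```python
"""Host checks for the W32/Lolol-A and Troj/VB-CH indicators above.

Added example, not code from Sophos or the poster. It builds its own
evidence (a temporary share folder and a .reg export text) so it runs
offline; file names, payload bytes and the benign registry entry are
constructed, not captured from an infected machine."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

LURE_EXTENSIONS = {".exe", ".pif", ".scr"}
# Assumed: .reg exports spell HKLM out in full. "RunService" is kept as the
# Troj/VB-CH advisory spells it.
HKLM_CV = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
AUTORUN_KEYS = tuple(HKLM_CV + "\\" + k for k in ("Run", "RunServices", "RunService"))
SUSPICIOUS_VALUE_NAMES = {"configuration loader", "systray"}
SUSPICIOUS_IMAGES = {"winsys.exe"}


def find_duplicate_executables(root, min_copies=8):
    """Hash every .exe/.pif/.scr under root and return groups of paths that
    share one content hash and have at least min_copies members: one binary
    under many lure names is the share-folder signature described above."""
    by_hash = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in LURE_EXTENSIONS:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    by_hash[hashlib.sha256(f.read()).hexdigest()].append(path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) >= min_copies}


def parse_reg_export(text):
    """Minimal .reg parser: [key] headers and "name"="string" values only,
    which is all the autorun entries need. Returns {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            keys[current] = {}
            continue
        value = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if value and current is not None:
            # .reg files double the backslashes inside string data
            keys[current][value.group(1)] = value.group(2).replace("\\\\", "\\")
    return keys


def suspicious_autoruns(reg):
    """Return (key, value name, data) for autorun entries whose value name or
    image file name matches what the advisories describe."""
    hits = []
    for key in AUTORUN_KEYS:
        for name, data in reg.get(key, {}).items():
            # first token of the command line, last path component, lower-cased
            image = data.strip('"').split(" ")[0].rsplit("\\", 1)[-1].lower()
            if name.lower() in SUSPICIOUS_VALUE_NAMES or image in SUSPICIOUS_IMAGES:
                hits.append((key, name, data))
    return hits


# Constructed .reg export: the two Lolol-A entries plus one benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Configuration Loader"="C:\\Windows\\System\\winsys.exe"
"ScanRegistry"="C:\\Windows\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Configuration Loader"="C:\\Windows\\System\\winsys.exe"
'''

# Ten names taken from the advisory's list; the files written under them are
# identical stand-in bytes, not the worm.
LURE_NAMES = ["GTA 3 Crack.exe", "age of empires 2 cheats.exe", "driver.exe",
              "fireworks.exe", "worldbook.exe", "super mario bros.exe",
              "ut 2k3.pif", "winxp.iso.pif", "supra screen saver.scr",
              "hondra screen saver.scr"]


def build_sample_share(root):
    """Constructed evidence: identical copies under lure names plus one
    unrelated .exe, laid out like the Kazaa shared folder."""
    share = os.path.join(root, "Kazaa", "My Shared Folder")
    os.makedirs(share)
    payload = b"MZ" + b"\x00" * 62 + b"stand-in bytes, not the worm"
    for name in LURE_NAMES:
        with open(os.path.join(share, name), "wb") as f:
            f.write(payload)
    with open(os.path.join(share, "setup.exe"), "wb") as f:
        f.write(b"MZ" + b"unrelated installer")
    return share


def run_checks():
    """Run both checks against the constructed evidence and summarise."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        dupes = find_duplicate_executables(tmp)
    autoruns = suspicious_autoruns(parse_reg_export(SAMPLE_REG))
    return {
        "duplicate_groups": [len(paths) for paths in dupes.values()],
        "autoruns": [(key.rsplit("\\", 1)[1], name) for key, name, _ in autoruns],
    }


if __name__ == "__main__":
    print(run_checks())
```

On a real machine, point find_duplicate_executables at the three folders the advisory names and feed parse_reg_export the output of "regedit /e" for the CurrentVersion key; the hash grouping is what makes the check robust to the worm changing its file names, since the copies are the same bytes whatever they are called.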
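The W32/Lioten-A description is a sequence that shows up cleanly on the victim side: one source makes an anonymous (null session) connection to IPC$, then within seconds produces a burst of failed authenticated connections walking through the enumerated account names, and if a weak password hits, a successful one. The following added example, not part of the advisory or the post, implements that detection over share-access log lines. The log format is constructed for the example (one event per line: ISO timestamp, source address, account, outcome in OK/FAIL/ANON); the 60-second window and the failure and account thresholds are assumptions. Real Windows security-log events carry the same fields under different names and need their own parser; the passwords the worm tried are not visible in such logs, only the attempts.

```python
"""Detection of the W32/Lioten-A spread pattern over share-access logs.

Added example, not from the advisory. The log format below is constructed
for this example; WINDOW and the two thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
MIN_FAILURES = 6   # assumed: the worm tries 17 passwords against each account
MIN_ACCOUNTS = 2   # assumed: it then moves on to the next enumerated account


def parse_line(line):
    """'2002-12-20T03:14:00 192.0.2.77 admin FAIL' -> (datetime, src, user, outcome)."""
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user, outcome


def detect_spray(lines):
    """One finding per source whose failed logons inside a WINDOW-long span
    cover >= MIN_ACCOUNTS accounts and total >= MIN_FAILURES, noting whether
    a null session (ANON) came first and which accounts later succeeded."""
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            ts, src, user, outcome = parse_line(line)
            events[src].append((ts, user, outcome))
    findings = []
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - t0 <= WINDOW]
            failures = [e for e in window if e[2] == "FAIL"]
            accounts = {e[1] for e in failures}
            if len(failures) >= MIN_FAILURES and len(accounts) >= MIN_ACCOUNTS:
                findings.append({
                    "src": src,
                    "start": t0.isoformat(),
                    "failures": len(failures),
                    "accounts": sorted(accounts),
                    # any anonymous IPC$ connection from this source up to the
                    # window start is the enumeration step of the worm
                    "null_session_first": any(e[2] == "ANON" and e[0] <= t0 for e in evs),
                    "compromised": sorted({e[1] for e in window if e[2] == "OK"}),
                })
                break  # report each source once
    return findings


# Constructed sample: one worm-like source, one user mistyping a password,
# one source whose failures are too spread out to matter.
SAMPLE_LOG = """\
# time                 source       account   outcome
2002-12-20T03:14:00    192.0.2.77   -         ANON
2002-12-20T03:14:02    192.0.2.77   admin     FAIL
2002-12-20T03:14:03    192.0.2.77   admin     FAIL
2002-12-20T03:14:04    192.0.2.77   admin     FAIL
2002-12-20T03:14:05    192.0.2.77   admin     FAIL
2002-12-20T03:14:07    192.0.2.77   jsmith    FAIL
2002-12-20T03:14:08    192.0.2.77   jsmith    FAIL
2002-12-20T03:14:09    192.0.2.77   jsmith    FAIL
2002-12-20T03:14:10    192.0.2.77   jsmith    OK
2002-12-20T03:20:11    192.0.2.10   jsmith    FAIL
2002-12-20T03:20:19    192.0.2.10   jsmith    OK
2002-12-20T01:00:00    192.0.2.55   admin     FAIL
2002-12-20T02:00:00    192.0.2.55   admin     FAIL
2002-12-20T05:00:00    192.0.2.55   root      FAIL
"""


def sample_findings():
    return detect_spray(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in sample_findings():
        print(f)
```

The compromised list is the part to act on first: an OK following the burst means one of the advisory's weak passwords worked, and with the worm's scheduled-job step that host is now a spreader. Raising MIN_ACCOUNTS to match the real user count of a host lowers false positives from a single locked-out user but will miss a worm that happens to crack the first account it tries.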