subject: News
[cut-n-paste from sophos.com]
W32/Cydog-A
Aliases
Win32/Chowl.A
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Cydog-A is a P2P and email worm. When run the worm attempts to
delete DLL and EXE files from C:\Program Files\Common Files\Symantec
Shared\ and C:\Program Files\Norton AntiVirus\.
W32/Cydog-A copies itself into the Windows folder as CyberWolf.exe,
Rundll32.exe, System\explorer.exe, System\system.exe and into the
Windows system folder as CyberWolf.exe, Kernell32.exe, Ms-Dos.com,
regedit32.exe, service.exe, system.exe, system32.exe and Windows.scr.
W32/Cydog-A spreads in the following P2P networks.
KaZaA and Imesh:
The worm creates the C:\Windows\Windows Security Haches\ folder and
sets the following registry entries to point to this folder:
HKCU\Software\Kazaa\LocalContent\Dir0
HKCU\Software\Imesh\LocalContent\Dir0
The worm then drops itself into this folder with the following names:
Crackologic(all windows Apps).exe
Credit Card Numbers generator(incl Visa,MasterCard,...).exe
CyberWolf-Patch.exe
EA Games Keygen for All versions(only EA).exe
Edonkey2000-Speed me up scotty.exe
Free mem-Games-SpeedUP.exe
Hotmail Hacker 2003-Xss Exploit.exe
Imesh SDK+Xbit Speed Up.exe
Kazaa SDK + Xbit speedUp for 2.xx.exe
Microsoft KeyGenerator-Allmost all microsoft stuff.exe
My Kiss for you.scr
Netbios Nuker 2003.exe
PopUp remover 9.25.exe
Security-2003-Update.exe
Stripping MP3 dancer+crack.exe
The CyberWolf-Joke.scr
Visual Basic 6.0 Msdn Plugin.exe
W32.CyberWolf{at}mm Fix.exe
Windows Xp Exploit.exe
WinRar 3.xx Password Cracker.exe
WinZipped Visual C++ Tutorial.exe
XNuker 2003 2.93b.exe
ShareMonkey:
The worm copies itself into C:\Program files\eDonkey2000\Incoming\ as:
EA Games Keygen for All versions(only EA).exe
Edonkey2000-Ad remover.exe
Hotmail Hacker 2003-Xss Exploit.exe
Netbios Nuker 2003.exe
WinRar 3.xx Password Cracker.exe
Bearshare:
The worm copies itself into C:\Program Files\Bearshare\Shared\ as:
BearShare Pro 4.3.1 Beta Version.exe
Chaos Ip 2003-Xp compitable.exe
Hotmail Hacker 2003-Xss Exploit.exe
Netbios Nuker 2003.exe
XNuker 2003 2.93b.exe
Grokster:
The worm copies itself into C:\Program FIles\Grokster\My Grokster\ as:
Grokster ad-remover.exe
NetScan 1.6.exe
Stripping mp3 dancer+crack.exe
Trojan Utility 5.6.exe
Winrar 3.xx password cracker.exe
Xss security exploit-hotmail.exe
Morpheus:
The worm copies itself into the
C:\Program Files\Morpheus\My Shared Folder\ as:
Chaos Ip.exe
Morpheus-Gold.exe
Netbios Exploiter Xp.exe
WebSeek-Mp3.exe
Limewire:
The worm copies itself into C:\Program Files\limewire\Shared\ as:
CrackOlogic(all windows apps).exe
Credit card Generator
Lunix-Download.exe
W32/Cydog-A sets the following registry entries:
HKCU\Software\CyberWolf\CyberWolf = "You are Biten"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CyberWolf
= "\CyberWolf.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Systems Service = \service.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Kernell =
\Kernell32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dllhost =
\dllhost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Installer Service = \msiexec.exe
HKCU\Software\Microsoft\CyberWolf\CyberWolf = "You are Biten"
HKCU\Software\Microsoft\Windows\CyberWolf\CyberWolf = "You are Biten"
HKCU\Software\Windows\CyberWolf = "You are Biten"
HKCU\Software\Microsoft\Internet Explorer\Download Directory =
"\Windows Security Haches"
HKCU\Software\Microsoft\MessengerService\Server =
"www.hotmail.com;64.4.44.7:80"
HKCU\Software\Microsoft\MSNMessenger\Server =
"www.hotmail.com;64.4.44.7:80"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CyberWolf =
"\CyberWolf.exe"
W32/Cydog-A creates a new section in win.ini:
[MCI Extensions.BAK]
mp3=CyberWolf
mpg=CyberWolf
mpeg=CyberWolf
wma=CyberWolf
CyberWolf=CyberWolf
and adds a new section to system.ini:
[driver32]
CyberWolf=W32.CyberWolf{at}mm
Has=Infected you
The worm drops several copies of itself into the Windows system folder
with random file names and EXE, DLL, OCX, INI or random extensions and
attempts to spread as an email attachment using Microsoft Outlook.
W32/Cydog-A displays the fake error message
"Fatal error in Windows Kernell"
"Fatal error in Windows Kernell
Please allow a 10 MINUTES acces for windows to send an error report to
microsoft in hope they solve this error
This operation could take a few moments but it will help microsoft to
make an Windows Update
If a dialog is prompted from MS Outlook then please click the yes
button to allow Windows to send the e-mail!"
and then sends itself to email addresses found in the Outlook address
book. The email will have one of the following sets of characteristics.
Subject line: EA and EIDOS Presents...
Message text:
Dear client
Some information about our long-awaited product:CyberWolf
CyberWolf is the newest product of Electronic Arts and Eidos
Interactive! Its a complete new technology which actualy speeds up
you're processor time needed to play game of EA and EIDOS
Including FIFA 2003,BATTLEFIELD 1942,NHL2003,CM01/02 and all the other
games produced by these companies! The technology behind these new
product is something that clear's excisting ram when playing this
game--->Results: The speed and graphical abilities are increased by
35%,so loading a new game wile go 35% faster!So more gameplay,less
waiting and looking at that dum screen! EA and EIDOS worked for more
then 2.5 years on this and now its this close from beeing ready for
download But it will take sometime for EA and EIDOS to alert all
peoples who has EA and EIDOS games,but...
They decided to mail the CyberWolf-Patch to users who have games from
EA and EIDOS and to people who visited the website within the past 18
months! also they decided to mail this patch to workers in companies
and to other people who are using the internet regulary
If you want to enjoy this Speed-the-hell-out-ya-head-PATCH then just
install the attachment,restart you're pc and start playing games or...
wait until you buy a EA or EIDOS game,and enjoy it then!the choice is
yours! Before i forget:This patch seems to work on other games as
well,it speeds up those games by 15-30% depending on the game! This
e-mail and any attachment thereto may contain information which is
confidential, privileged or otherwise protected from disclosure and/or
protected by EA and EIDOS property rights. This product may NOT be
soled or copied!It may only be used by the intended recipient and this
only for the purpose for which it has been sent If you are not the
intended recipient,then please contact EA or EIDOS at
EE-CyberWolf.patch{at}EA-EIDOS.com and delete this e-mail and attachement
We believe and warrant that this e-mail and any attachments, are virus
free,we take full responsibility about this attachment CyberWolf is a
colicensed and registered trademark of EA and EIDOS.All rigths reserved
For more information please contact us at
EE-CyberWolf.patch{at}EA-EIDOS.com or suft to
www.EA.com/project\cyberwolf.htm
and www.eidos.com\cyberwolf.asp"
E-mail provided to you by Elena (Elena{at}EA-EIDOS.com)
Attached file: CyberWolf-Patch.exe
Subject line: PacketStorm:WINDOWS Xp has several exploits
Message text:
According to the redaction of PacketStormWindows Xp has several
exploits which could not be removed because if the do want to delete
it then they should rewrite Kernell! but this would mean rewriting
everything Micrsoft had build up over the last years'Bill Gates from
microsoft reported that there is no exploit at all!,it was just a joke
from a hacker attending to scar off windows XP users However the word
goes around that allready several users and admins have been hacked by
an mysterious hacker nicknamed 'The CyberWolf' if you want more
information about this exploit and the exploit itself,then open the
included e-mail do not forget to vote for PacktStorm when running the
attachment,Enjoy the rest of our services This email is provided to you
by PacketStorm,please enjoy our services
Attached file: Windows Xp Exploit.exe
Subject line: A Virtual joke...the funniest around!
Message text:
have you heard about the CyberWolf-Joke?
i hope you didn't cause i just sended it to you,check it out! its soooo
funny you 'll laugh yourself a bunch when you see and hear the joke
haha those little bastards on your screen are soooo funny:D:D just
download and open the attached screensaver (The CyberWolf-Joke.scr =
this is actually the joke) and look at it funny hu!!! after you have
run the joke click ctrl+shift+p to see who made it. I hope you have fun
with it greeetttzzz
This e-mail is presented to you by Joking-Soft,a division of MicroSoft.
If you have any problems with this e-mail or attachment then please
contact us. We take full responsability for this e-mail and
attachements. They are virusfree and are property of Joking-Soft
Please do not Sell or Distribute these atachments.
I thank you
Attached file: The CyberWolf-Joke.scr
Subject line: A kiss from me to you...
Message text:
Dear User
Someone has dropped a kiss in you're mailbox!
Check-Out the attached Kiss from the anonymous person,probably a secret
lover or a very good friend After you have been kissed please visit
www.internetkiss.com and send this kiss to all the person who you adore
or just like You are Nr.315723625 who has received this Internet-Kiss.
This Internet-Kiss-Letter is started on 13/01/1997 and hopes to
continue until 13/01/2007.
Attached file: My Kiss for you.scr
W32/Cydog-A runs several copies of itself from the Windows system
folder and, depending on various conditions, the worm may also set
several other registry entries making the computer practically
unusable.
W32/Hybris-H
Aliases
W32/Hybris.gen{at}MM, W95.Hybris.worm
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Hybris-H is an email worm which is functionally similar to
W32/Hybris-C.
The worm drops various plugins in the Windows system folder which
determine the worm's specific functionality, e.g. the characteristics
of the email messages.
WM97/Opey-BG
Aliases
Macro.Word97.Hopel, W97M/Opey.bg, W97M.Hopel.A
Type
Word 97 macro virus
Detection
At the time of writing Sophos has received just one report of this virus
from the wild.
Description
WM97/Opey-BG is a complex Word macro virus with an encrypted
replication routine. The virus is so complex that replication, if it
occurs, should be noticeable due to the amount of time taken to do
routine operations e.g. FileClose, FileSave, FileNew etc.
WM97/Opey-BG has several possible payloads, mostly involving either
deleting or renaming DRV, DLL, EXE or COM files.
The virus may attempt to delete epson9.drv and rename the following
files:
cm8330.drv
cm8330.vxd
comdlg32.dll
command.com
dplay.dll
dplayx.dll
explorer.exe
mouse.drv
ndis.drv
netbeui.vxd
nwlink.vxd
sage.dll
sis597m.drv
sis597m.vxd
vmm32.vxd
vredir.vxd
If the virus does rename these files, the new filename will contain the
same characters in the reverse order e.g. sage.dll would be renamed to
egas.dll.
WM97/Opey-BG can also password protect documents with the password
"xp", change the formatting of documents (including changing text to
upper case and adding columns) and alter the Word User Information and
File Summary information as follows:
Username = PUKKA
UserAddress = PHILLIPPINES
UserInitials = ^^^
Author = PUKKA
Keywords = HOPELOSJAVSI"
W32/Yaha-P
Aliases
I-Worm.Lentin.m, W32/Yaha.V
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Yaha-P is a worm from the Yaha family.
Preliminary analysis shows that W32/Yaha-P shares many of the
characteristics of W32/Yaha-E (currently the most prevalent variant in
this family), including:
* Sending out email using its own SMTP client
* Terminating Task Manager to make it hard to stop the worm's
process
* Using a wide range of attachment names
* Using realistic (though not business-like) email message text
* Terminating a range of security and anti-virus programs
Note that W32/Yaha-P stores itself on your hard disk under different file
names from those used by W32/Yaha-E. W32/Yaha-P places the files
mstask32.exe and exeloader.exe into your system folder. These files are
marked as hidden to make them less noticeable.
W32/Yaha-P changes the registry value:
HKCR\exefile\shell\open\command\(Default)
so that the copy of the worm in the file exeloader.exe is triggered
every time you launch an EXE file.
W32/Yaha-P also adds the registry value:
MicrosoftServiceManager="\yoursystemfolder\mstask32.exe"
to the registry keys:
HKLM\Software\Microsoft\CurrentVersion\Run
HKLM\Software\Microsoft\CurrentVersion\RunServices
This runs the worm automatically when you start up your PC.
Troj/Slacker-A
Aliases
VirTool Win32.Slackworm, Win32/Slacke.worm
Type
Trojan
Detection
At the time of writing Sophos has received no reports from users
affected by this Trojan. However, we have issued this advisory
following enquiries to our support department from customers.
Description
Troj/Slacker-A is a complex Trojan that may be installed by
Troj/Yabinder or any other generic Trojan dropper.
Troj/Slacker-A may be delivered separately or packed within cnn3.exe
which is a variant of Troj/Yabinder.
When executed cnn3.exe creates a new folder in the root folder with the
name SP and extracts the following files to the new folder, setting
their attributes to hidden:
abc.bat
main.exe
psexec.exe
slacke-worm.exe
Cnn3.exe then spawns slacke-worm.exe. Slacke-worm.exe runs in the
background as a "netbios auto-router by eRiC" VB application and
searches for available IP addresses with no password or a weak
password (on port 445).
Slacke-worm.exe then calls abc.bat, with the relevant computer name,
which tries a list of passwords for the administrative accounts and
then uses psexec.exe to copy over and run main.exe on the remote
computer.
Main.exe is detected as Troj/SDBot-S. Psexec.exe is a legitimate
"Sysinternals PsExec" application.
WM97/Van-A
Type
Word 97 macro virus
Detection
At the time of writing Sophos has received just one report of this
virus from the wild.
Description
WM97/Van-A infects active documents when an infected document is closed.
XM97/Aro-A
Type
Excel 97 macro virus
Detection
At the time of writing Sophos has received just one report of this
virus from the wild.
Description
XM97/Aro-A is a simple macro virus. When you use an infected file, the
virus spreads into any other files which you have open in Excel. The
virus hides itself in an invisible worksheet called "Sheet17".
XM97/Aro-A does not copy itself to the XLSTART folder.
W32/Lovgate-D
Aliases
I-Worm.Lovgate.d, W32/Lovgate.gen{at}M, Win32/Lovgate.D, WORM_LOVGATE.D
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Lovgate-D is a worm and backdoor Trojan. The worm spreads across
the local network by copying itself into shared folders using the
following filenames:
billgt.exe
Card.EXE
docs.exe
fun.exe
hamster.exe
humor.exe
images.exe
joke.exe
midsong.exe
news_doc.exe
pics.exe
PsPGame.exe
s3msong.exe
searchURL.exe
SETUP.EXE
tamagotxi.exe
W32/Lovgate-D also attempts to spread via email by sending itself to
email addresses collected from *.ht* files. Emails sent to these
addresses will have the following characteristics:
Subject line: Documents
Message body: Send me your comments...
Attached file: Docs.exe
Subject line: Roms
Message body: Test this ROM! IT ROCKS!.
Attached file: Roms.exe
Subject line: Pr0n!
Message body: Adult content!!! Use with parental advisory.
Attached file: Sex.exe
Subject line: Evaluation copy
Message body: Test it 30 days for free.
Attached file: Setup.exe
Subject line: Help
Message body: I'm going crazy... please try to find the bug!
Attached file: Source.exe
Subject line: Beta
Message body: Send reply if you want to be official beta tester.
Attached file: _SetupB.exe
Subject line: Do not release
Message body: This is the pack ;)
Attached file: Pack.exe
Subject line: Last Update
Message body: This is the last cumulative update.
Attached file: LUPdate.exe
Subject line: The patch
Message body: I think all will work fine.
Attached file: Patch.exe
Subject line: Cracks!
Message body: Check our list and mail your requests!
Attached file: CrkList.exe
W32/Lovgate-D copies itself into the Windows system folder as
rpcsrv.exe, syshelp.exe, WinGate.exe, winrpc.exe and WinRpcsrv.exe and
sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\syshelp
= "\syshelp.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinGate initialize
= "\WinGate.exe -remoteshell"
HKLM\Software\CLASSES\txtfile\shell\open\command = "winrpc.exe %1"
W32/Lovgate-D is also a backdoor Trojan that provides an attacker with
unauthorized access to the user's computer and can send a notification
email message to the attacker.
W32/Oror-R
Aliases
I-Worm.Roron.51, WORM_OROR.Q
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Oror-R is an internet worm which spreads via network shares, file
sharing on KaZaA networks and by emailing itself to addresses found
within files on the local hard drive.
The email subject line, message text and attachment filename are
randomly chosen from a variety of possibilities.
The worm attempts to exploit a known vulnerability in Internet Explorer
versions 5.01 and 5.5, so that the attachment is launched automatically
when the email is selected for viewing. To prevent reinfection, users of
Microsoft Outlook and Outlook Express should install the following
patch available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
This patch fixes a number of vulnerabilities in Microsoft's software,
including the one exploited by this worm.
The worm copies itself to the Windows folder with a name that is a
combination of 'Cmd', the computer's name backwards and "16.exe",
"32.exe" or ".exe".
For example if the computer's name is "test", the worm copies itself as
Cmdtset16.exe.
The worm creates the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadProfile
= .exe powrprof.dll,LoadCurrentPwrScheme
so that the worm is run automatically each time Windows is started.
The worm also prepends its pathname to the registry entry
HKCR\exefile\shell\open\command\
so that the worm is run whenever any EXE file is run.
W32/Oror-R chooses a random sub-folder of the Program Files folder and
copies itself to this folder using the sub-folder name concatenated
with "16.exe", "32.exe" or ".exe". If the chosen folder name contains
spaces, only the beginning of the folder name is used; for example the
worm may copy itself as
\Program Files\Internet Explorer\Internet16.exe.
The worm adds the pathname of this executable under the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
so that this copy of the worm is run automatically on startup.
The worm also copies itself to the Windows System folder using the name
of a randomly selected file from the System folder, but with "16.exe",
"32.exe" or ".exe" in place of the file's extension.
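As an added example (not part of the Sophos advisory), the Python below applies the three W32/Oror-R naming rules just described to directory listings and flags likely worm copies; the host name and listings are constructed, and the confidence labels reflect how often the bare ".exe" form collides with legitimate file layouts.

```python
# Added check: apply the three W32/Oror-R file-copy naming rules described
# above to directory listings and flag likely worm copies. The host name and
# listings at the bottom are constructed; on a live host feed os.listdir()
# output and the computer name instead.
SUFFIXES = ("16.exe", "32.exe", ".exe")   # the three endings the worm uses

def windows_folder_names(hostname):
    # Windows folder rule: "Cmd" + computer name reversed + suffix
    # (host "test" -> Cmdtset16.exe, Cmdtset32.exe, Cmdtset.exe).
    return ["Cmd" + hostname[::-1] + s for s in SUFFIXES]

def program_files_names(subfolder):
    # Program Files rule: sub-folder name + suffix; when the name contains
    # spaces only the part before the first space is used.
    return [subfolder.split(" ", 1)[0] + s for s in SUFFIXES]

def system_folder_candidates(listing):
    # System folder rule: an existing file's name with its extension replaced
    # by a suffix. Returns lower-cased candidate -> the file it imitates.
    out = {}
    for name in listing:
        stem, dot, _ = name.rpartition(".")
        if not dot:
            continue
        for s in SUFFIXES:
            cand = (stem + s).lower()
            if cand != name.lower():          # skip "x.exe" derived from itself
                out.setdefault(cand, name)
    return out

def scan(hostname, windows, program_files, system):
    # Returns (location, filename, confidence) for every rule match.
    hits = []
    expected = {n.lower() for n in windows_folder_names(hostname)}
    for f in windows:
        if f.lower() in expected:        # reversed host name is distinctive
            hits.append(("Windows", f, "high"))
    for sub, files in program_files.items():
        expected = {n.lower() for n in program_files_names(sub)}
        for f in files:
            if f.lower() in expected:
                # "Winamp\Winamp.exe" is how legitimate software is laid out,
                # so the bare ".exe" form is only a weak signal here.
                strong = f.lower().endswith(("16.exe", "32.exe"))
                hits.append(("Program Files\\" + sub, f, "high" if strong else "low"))
    by_lower = {f.lower(): f for f in system}
    for cand in system_folder_candidates(system):
        if cand in by_lower:
            strong = cand.endswith(("16.exe", "32.exe"))
            hits.append(("System", by_lower[cand], "medium" if strong else "low"))
    return hits

# Constructed sample listings: one planted copy per rule plus benign files.
HOSTNAME = "test"
WINDOWS = ["explorer.exe", "Cmdtset16.exe", "win.ini", "notepad.exe"]
PROGRAM_FILES = {"Internet Explorer": ["iexplore.exe", "Internet16.exe"],
                 "Winamp": ["Winamp.exe", "winamp.m3u"]}
SYSTEM = ["kernel32.dll", "kernel3232.exe", "user32.dll", "msvcrt.dll", "msvcrt.exe"]

if __name__ == "__main__":
    for loc, name, conf in scan(HOSTNAME, WINDOWS, PROGRAM_FILES, SYSTEM):
        print(f"{conf:6} {loc}\\{name}")
```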
The worm runs this copy of itself automatically on startup by adding
the line
run=
to the [Windows] section of \win.ini.
W32/Oror-R spreads over the local network by copying itself to selected
shared folders using random filenames. During this process the worm may
create additional entries under the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and may drop a file named AUTORUN.INF in the root folder of shared
drives in an attempt to run the worm via the AutoPlay option.
The worm attempts to spread via file sharing on KaZaA networks by
creating the folder \Profiles and copying itself to this
folder using filenames randomly selected from the following list:
KaZaA Media Desktop v2.13
Serials2K 7.1 (FULL Updated)
Serials2003_8.0(14.02.03)
Dreamweaver_MX_Update
ACDSee
WinAmp_3.1_Cool
Download Accelerator 5.5
Nero Burning Rom 5.7.7.3
cReditCarDs_gEn
Mail HACK
WinXP Crack Password
DiViDiX Coder 5.0 Beta
Eminem BioData
DMX Desktop
NFS HP Bonus Cars
Counter Strike 1.5 (Hack)
WinZip Password Crack
WinZip 8.1(FULL)
DivX 5.5 Full
Nice Girl*
15 years old blonde*
Shakira Boobs
Pamela3D
Teen_Sex_Cam
Sarah fingers pussy on webcam*
Skinny Lolita French Teen*
17year old teen babysitter*
KamaSutra*
Teen raped in bathroom*
Silvia Saint Theme
Russian_Teen*
mariana hot virgin*
German Rape*
BlondeShow*
ClubExtreme
Story015
Gipsy
Elfbowl
snowball_fight
mTVCharts
BoxDave
Pamela*
KamaSutra
Fishfood
Story017
16Yr_Old_Teen*
mTV_Charts
optionally followed by:
7.1 FULL
v5.5
(zip)
3.0
(Eng)
(Cracked)
(sHow)
3D
v4.5
(Rated)
3.3
_v1.1
2.3
and with an EXE extension.
The worm makes the folder \Profiles shareable on KaZaA
networks by setting the registry entries:
HKCU\Software\Kazaa\LocalContent\Dir0 = 012345:\profiles
and
HKCU\Software\Kazaa\LocalContent\DisableSharing = 0.
W32/Oror-R creates a new version of the mIRC initialization file
\Mirc.ini and may also replace other files with an extension of
INI in the mIRC folder.
The new INI files allow a remote intruder backdoor access to the
computer via IRC channels.
The worm will attempt to terminate selected Windows based anti-virus
programs.
The worm creates several configuration files in the Windows and System
folders using randomly generated filenames.
WM97/Ekiam-A
Aliases
W97M/Maike
Type
Word 97 macro virus
Detection
At the time of writing Sophos has received just one report of this
virus from the wild.
Description
WM97/Ekiam-A is a simple macro virus. On the 1st, 14th and 28th of the
month the virus will set the following registry values:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RegisteredOwner =
"Maike you are"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RegisteredOrganization =
"the most beautiful"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductId =
"girl in the world"
W32/Lovgate-A
Aliases
WORM_LOVGATE.A
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Lovgate-A is a worm and backdoor Trojan. The worm spreads across
the local network by copying itself into folders on the network using
the following filenames:
billgt.exe
Card.EXE
docs.exe
fun.exe
hamster.exe
humor.exe
images.exe
joke.exe
midsong.exe
news_doc.exe
pics.exe
PsPGame.exe
s3msong.exe
searchURL.exe
SETUP.EXE
tamagotxi.exe
W32/Lovgate-A also attempts to spread via email by sending itself to
email addresses collected from *.ht* files. Emails sent to these
addresses will have the following characteristics:
Subject: Documents
Message body: Send me your comments...
Attached file: Docs.exe
Subject: Roms
Message body: Test this ROM! IT ROCKS!.
Attached file: Roms.exe
Subject: Pr0n!
Message body: Adult content!!! Use with parental advisory.
Attached file: Sex.exe
Subject: Evaluation copy
Message body: Test it 30 days for free.
Attached file: Setup.exe
Subject: Help
Message body: I'm going crazy... please try to find the bug!
Attached file: Source.exe
Subject: Beta
Message body: Send reply if you want to be official beta tester.
Attached file: _SetupB.exe
Subject: Do not release
Message body: This is the pack ;)
Attached file: Pack.exe
Subject: Last Update
Message body: This is the last cumulative update.
Attached file: LUPdate.exe
Subject: The patch
Message body: I think all will work fine.
Attached file: Patch.exe
Subject: Cracks!
Message body: Check our list and mail your requests!
Attached file: CrkList.exe
The worm also attempts to reply to emails found in the user's inbox.
The worm uses the following attachment names for these emails:
billgt.exe
Card.EXE
docs.exe
fun.exe
hamster.exe
humor.exe
images.exe
joke.exe
midsong.exe
news_doc.exe
pics.exe
PsPGame.exe
s3msong.exe
searchURL.exe
SETUP.EXE
tamagotxi.exe
W32/Lovgate-A copies itself into the Windows system folder as
rpcsrv.exe, syshelp.exe, WinGate.exe, winrpc.exe and WinRpcsrv.exe and
sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Module Call
initialize = "RUNDLL32.EXE reg.dll ondll_reg"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\syshelp
= "\syshelp.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinGate initialize =
"\WinGate.exe -remoteshell"
HKLM\Software\CLASSES\txtfile\shell\open\command = "winrpc.exe %1"
On Windows NT the worm drops the files ily.dll, task.dll, reg.dll and
win32vxd.dll into the Windows system folder. These files are also
detected as W32/Lovgate-A.
W32/Lovgate-A is also a backdoor Trojan that provides an attacker with
unauthorized access to the user's computer and can send notification
email messages to the attacker.
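The registry changes listed for W32/Cydog-A, W32/Yaha-P, W32/Oror-R and both Lovgate variants fall into two patterns: autostart values under Run/RunServices and a hijacked (Default) handler for EXE or TXT files. As an added example (not Sophos code), the Python below parses a .reg export and flags both; the export is constructed for illustration, and the exeloader.exe command line in it is an assumption, since the advisory does not print the value W32/Yaha-P writes.

```python
# Added check: triage a Windows .reg export for the Run/RunServices autostart
# entries and exefile/txtfile shell\open\command hijacks described above. The
# sample export at the bottom is constructed, not from an infected host.
import re

HIVES = {"HKEY_CLASSES_ROOT": "HKCR", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_LOCAL_MACHINE": "HKLM"}
# Executable names the advisories list under Run/RunServices.
WORM_RUN_NAMES = {"cyberwolf.exe", "service.exe", "kernell32.exe",  # W32/Cydog-A
                  "mstask32.exe",                                   # W32/Yaha-P
                  "syshelp.exe", "wingate.exe", "winrpc.exe"}       # W32/Lovgate
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')   # @=... or "name"=...
EXE_KEY = r"hkcr\exefile\shell\open\command"
TXT_KEY = r"hkcr\txtfile\shell\open\command"

def unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    out, i = [], 0
    while i < len(s):
        esc = s[i] == "\\" and i + 1 < len(s)
        out.append(s[i + 1] if esc else s[i])
        i += 2 if esc else 1
    return "".join(out)

def parse_reg(text):
    # {key: {value name: string data}}; keys lower-cased (registry paths are
    # case-insensitive), HKLM\SOFTWARE\Classes folded into HKCR, non-string skipped.
    reg, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = (HIVES.get(hive, hive) + "\\" + rest).lower()
            if key.startswith("hklm\\software\\classes\\"):
                key = "hkcr\\" + key.split("\\", 3)[3]
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line) if key else None
        if m and len(m.group(3)) >= 2 and m.group(3)[0] == m.group(3)[-1] == '"':
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(2))
            reg[key][name] = unescape(m.group(3)[1:-1])
    return reg

def program_of(cmd):
    # Lower-cased base name of the program a command line starts with.
    cmd = cmd.strip()
    prog = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return prog.rsplit("\\", 1)[-1].lower()

def check_handlers(reg):
    # exefile must be exactly '"%1" %*' (W32/Yaha-P and W32/Oror-R change it);
    # txtfile must launch Notepad (W32/Lovgate sets it to 'winrpc.exe %1').
    findings = []
    exe = reg.get(EXE_KEY, {}).get("(Default)")
    if exe is not None and exe != '"%1" %*':
        findings.append((EXE_KEY, exe))
    txt = reg.get(TXT_KEY, {}).get("(Default)")
    if txt is not None and program_of(txt) != "notepad.exe":
        findings.append((TXT_KEY, txt))
    return findings

def check_autostart(reg):
    # Run/RunServices values that name a listed worm binary or carry the
    # Lovgate "-remoteshell" switch; returns (key, value name, command).
    findings = []
    for key, values in reg.items():
        if re.search(r"\\currentversion\\run(services)?$", key):
            for name, cmd in values.items():
                if program_of(cmd) in WORM_RUN_NAMES or "-remoteshell" in cmd.lower():
                    findings.append((key, name, cmd))
    return findings

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\exeloader.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="winrpc.exe %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf"="C:\\WINDOWS\\CyberWolf.exe"
"Windows Installer Service"="C:\\WINDOWS\\msiexec.exe"
"syshelp"="C:\\WINDOWS\\SYSTEM\\syshelp.exe"
"WinGate initialize"="C:\\WINDOWS\\SYSTEM\\WinGate.exe -remoteshell"
'''

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for finding in check_handlers(reg) + check_autostart(reg):
        print(finding)
```

Entries that borrow a legitimate binary name, such as the dllhost.exe and msiexec.exe values W32/Cydog-A writes, pass a name list like this one; catching those needs a check that the path points into the system folder, not just the name.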
W32/Lovgate-B
Aliases
Lovgate-C, I-Worm.Supnot.c, W32.HLLW.Lovgate.C{at}mm, WORM_LOVGATE.C,
W32/Lovgate.C{at}M
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Lovgate-B is a worm and backdoor Trojan which attempts to spread
via email and local networks. It is substantially similar to
W32/Lovgate-A, using the same filenames, email subject lines and
message bodies. The only significant difference is that W32/Lovgate-B
does not drop and use the file win32vxd.dll.
W32/Gibe-D
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Gibe-D is a worm which spreads by sending out email and by making
itself available for download via the KaZaA peer-to-peer file sharing
system.
If you run an infected file, W32/Gibe-D pops up a dialog claiming to
be a Microsoft security update. (Microsoft never send out security
updates via email, and never publish security updates on peer-to-peer
file sharing networks.)
W32/Gibe-D drops a number of files onto your hard disk. These include
a file named DX3DRndr.exe (detected by this identity), which is a
mailing program. W32/Gibe-D also makes copies of itself, including
multiple copies in your KaZaA folder. These files may have a variety of
names, including:
IEPatch.exe
KaZaA upload.exe
Porn.exe
Sex.exe
XboX Emulator.exe
PS2 Emulator.exe
XP update.exe
XXX Video.exe
Sick Joke.exe
Free XXX Pictures.exe
My naked sister.exe
Hallucinogenic Screensaver.exe
Cooking with Cannabis.exe
Magic Mushrooms Growing.exe
I-Worm_Gibe Cleaner.exe
If you have mIRC installed, W32/Gibe-D also creates a file called
Script.ini in your mIRC folder. This script is detected as
mIRC/Simp-Fam.
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SOURCE: echomail via fidonet.ozzmosis.com