[cut-n-paste from sophos.com]
W32/Slanper-A
Aliases
W32/Slanper.worm, Win32/HLLW.Rejase.A
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Slanper-A is an internet worm that targets SMB/Windows shares using
port 445. The worm may arrive with the filename msmsgri3.exe.
Upon execution the worm installs itself as a background process with the
same name and sets the registry entry
HKLM/Software/Microsoft/Windows/CurrentVersion/Run/mssyslanhelper
to contain the path to itself.
W32/Slanper-A then generates a random list of IP addresses and attempts
to connect to them on port 445 in an attempt to copy itself to
available shares. W32/Slanper-A also has some backdoor functionality.
The worm also extracts a secondary component to the same folder with
the filename payload.dat. If payload.dat is executed it sets the
registry entry
HKLM/Software/Microsoft/Windows/CurrentVersion/Run/System Initialization
to contain the path to itself, initiates a TCP connection and runs
in the background listening on open ports.
W32/Cailont-A
Aliases
Nolor
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Cailont-A is an internet worm which sends itself out by email.
W32/Cailont-A creates seven files in your system folder. The files
explorer.exe, kernel32.exe, netdll.dll and serscg.dll are copies of the
worm. The file setup.htm is a web page containing a Visual Basic Script
which creates and launches the worm (this identity detects this file as
VBS/Cailont-A). The files Netsn.dll and Bsbk.dll are raw base64-encoded
copies of the worm and script files (these files are harmless on their
own and can be deleted).
W32/Cailont-A adds the value:
explorer = "\SYSTEM\FOLDER\explorer.exe"
to the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
This means that the worm will run automatically every time you start
your computer.
W32/Cailont-A sends emails with the following characteristics:
Subject line: Re:baby!your friend send this file to you !
Message text: Read this file
Subject line: HELP??-
Message text: Help...
Subject line: Re:Get Password mail...
Message text: Enjoy
Subject line: Re:Get Password mail...
Message text: Read File attach .
Subject line: Re:Binladen_Sexy.jpg
Message text: run File Attach to extract:BinladenSexy.jpg...
Subject line: The Sexy story and 4 sexy picture of BINLADEN !
Message text: Enjoy! BINLADEN:SEXY..
Subject line: Re:I Love You...OKE!
Message text: Souvenir for you from file attach...
Subject line: A Greeting-card for you .
Message text: See the Greeting-card .
Subject line: Re:Kiss you..^{at}^
Message text: Read file attach
Subject line: Guide to fuck ...
Message text: I like Sexy with you.
Subject line: Re:Baby! 2000USD,Win this game...
Message text: Play the game from file attach
Subject line: Help
Message text: Help.
W32/Cailont-A names its attachment:
xxx.KISS.OK.EXE
or:
xxx.HTM
where xxx varies from email to email.
W32/Mumu-C
Aliases
Backdoor.MeteorShell.58
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Mumu-C is a worm which spreads by copying itself to and executing
itself on remote network shares with weak or no passwords.
The worm drops the following files in the Windows system folder:
* LAST.EXE, detected as Troj/BGirlB-A
* KAVFIND.EXE, detected as Troj/Hacline-B
* IPCPASS.TXT, an innocuous file used by Troj/Hacline-B
* PSEXEC.EXE, a legitimate networking utility
W32/Mumu-C uses Troj/Hacline-B to identify potential victim IP
addresses. The worm then copies itself to the remote computer and uses
PSEXEC to execute itself remotely.
Troj/Sandesa-A
Aliases
TrojanDownloader.Win32.Sandesa.11, DoS.Win32.Nenet,
Flooder.UDP.Pjam.35, Trojan.BAT.Passer.a
Type
Trojan
Detection
At the time of writing Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Sandesa-A is a Trojan downloader program that drops the file
C:\system.dll and attempts to download a selection of malware and
hacker tools to the user's system.
W32/Sage-A
Aliases
BackDoor-ASV
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Sage-A is a worm that spreads through email attachments. The emails
have the following characteristics:
Subject Line: UPDATE
Message Text:
ICQ Pro 2003a beta build 3800 popular pick
-----------------------------------------------
Download Now Free download 3.79MB
More download links
Downloads: 226,715,753
Publisher: ICQ
Date added: March 30, 2003
File size: 3.79MB; Clock this download
License: Free
Minimum requirements: Windows (all)
Uninstaller included?: Yes
------------------------------------------------
Publisher's Description
ICQ Pro 2003a is the latest release of ICQ, the instant-messaging
program that lets you communicate with friends and colleagues in real
time. To seek out a friend on the ICQ network, simply enter his or her
ICQ number, name, nickname, or e-mail address. Once your contact list
is set up, you'll be notified when your friends are online so you can
chat; send instant messages, files, and URLs; play games; or just hang
out.
ICQ Pro 2003a includes ICQphone, a feature that incorporates IP
telephony functions into the ICQ program. Users can initiate and
participate in PC-to-PC and PC-to-phone calls. In addition, users can
also utilize SMS technology, send wireless-pager messages, view
up-to-date information on ICQ channels, and integrate ICQ with Outlook.
With the latest version of ICQ, you can move instantly from the Pro to
Lite versions just by clicking "Switch to ICQ lite" from the Main menu,
and the shared ICQ preferences and password make it easy to move
between Lite and Pro versions without losing your settings. Other new
features include improved e-mail integration and user interface,
enhanced integration with Windows XP, automatic firewall detection, and
the new Search Google window which allows you instant access to Google
searches through the ICQ interface, plus much more. For a complete list
of new features, visit the ICQ New Features page.
Attached file: ICQ2003a.exe
Upon execution, the worm drops a copy of itself as svch0st.exe, and
another component as WinSocks.Dll, to the Windows System folder and
then removes itself from the current folder.
W32/Sage-A sets the following registry entries so that it is run on
startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winsock
="\svch0st.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\winsock
="\svch0st.exe"
In addition, the worm adds the following entry to win.ini to run itself
on startup:
run=\svch0st.exe
The W32/Sage-A worm also modifies the following registry entry so that it
is run whenever an executable is run:
HKCR\exefile\shell\open\command = "\svch0st.exe "%1" %*"
W32/Sage-A opens numerous ports on the local computer and connects to a
remote computer. This might provide unauthorised backdoor access from a
remote location.
W32/Sage-A runs in the background as a process and performs process
stealthing, which makes it difficult to terminate the running process.
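The three autostart mechanisms described for W32/Sage-A (Run/RunServices values, a win.ini run= line and a prepended HKCR\exefile\shell\open\command handler) recur in the W32/Yaha-T, W32/Sobig-E and W32/Magold-D entries below. The following checker is an added example, not Sophos code: it parses a .reg export and a win.ini and reports those entries, flagging image names that appear in these advisories. The sample .reg and win.ini are constructed, and the C:\WINDOWS\SYSTEM folder is an assumption since the advisory elides the path.

```python
import re

DEFAULT_EXEFILE_COMMAND = '"%1" %*'   # intact .exe handler: run the file with its args
# Dropped-file names taken from the advisories on this page.
ADVISORY_NAMES = {"svch0st.exe", "wintsk32.exe", "exeldr32.exe", "winssk32.exe",
                  "dread.exe", "msmsgri3.exe", "reg32.exe"}
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
# A .reg string value line: "name"="data" or @="data" for the (Default) value.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unescape(s):
    # .reg escaping: backslash-quote is a quote, double backslash is one backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def image_name(data):
    """Best-effort basename of the program a value launches (its first token)."""
    tok = data.strip()
    tok = tok[1:].split('"', 1)[0] if tok.startswith('"') else tok.split(" ", 1)[0]
    return tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def exefile_hijacker(command):
    """Program prepended to the .exe open handler, or None if the handler is intact."""
    command = command.strip()
    if command == DEFAULT_EXEFILE_COMMAND:
        return None
    idx = command.find('"%1"')
    return command[:idx].strip() if idx > 0 else command


def check_registry(keys):
    """List autostart values (flagging advisory names) and any exefile hijack."""
    lower = {k.lower(): v for k, v in keys.items()}
    autostart = []
    for key in AUTOSTART_KEYS:
        for name, data in lower.get(key.lower(), {}).items():
            autostart.append({"key": key.rsplit("\\", 1)[1], "value": name,
                              "data": data, "known": image_name(data) in ADVISORY_NAMES})
    command = lower.get(EXEFILE_KEY.lower(), {}).get("(Default)")
    return {"autostart": autostart,
            "exefile_hijacker": exefile_hijacker(command) if command else None}


def check_win_ini(text):
    """Programs started from the run= and load= lines of the [windows] section."""
    programs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() in ("run", "load"):
                programs.extend(value.split())
    return programs


# Constructed sample input modelled on the W32/Sage-A entries; the advisory
# elides the folder, so C:\WINDOWS\SYSTEM is an assumption.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winsock"="C:\\WINDOWS\\SYSTEM\\svch0st.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"winsock"="C:\\WINDOWS\\SYSTEM\\svch0st.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\svch0st.exe \"%1\" %*"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\svch0st.exe\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    report = check_registry(parse_reg_export(SAMPLE_REG))
    for e in report["autostart"]:
        print(f"{e['key']}\\{e['value']} = {e['data']}  [{'ADVISORY NAME' if e['known'] else 'review'}]")
    print("exefile handler hijacked by:", report["exefile_hijacker"])
    print("win.ini run/load:", check_win_ini(SAMPLE_WIN_INI))
```

On a live system the same functions can be fed the output of reg.exe export and the real win.ini; the exefile handler check is the one worth automating, since anything other than "%1" %* there means every program launch runs the hijacker first.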
W32/Yaha-T
Aliases
WORM_YAHA.N, W32/Yaha.t{at}MM
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Yaha-T is a worm which spreads by emailing itself via SMTP to
addresses extracted from various sources on the victim's computer, by
copying itself to network shares and by copying itself to other fixed
drives connected to the computer.
The worm copies itself to the Windows system folder as WINTSK32.EXE and
EXELDR32.EXE and adds the following registry entries to run itself on
system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MicrosoftServiceManager = \WINTSK32.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MicrosoftServiceManager = \WINTSK32.EXE
W32/Yaha-T also changes the entry in the registry at
HKCR\exefile\shell\open\command so that the worm is run before all EXE
files.
W32/Yaha-T attempts to exploit the IFRAME vulnerability in certain
versions of Microsoft Internet Explorer and Outlook Express which
allows automatic execution of files attached to emails when the email
is viewed.
The From field of the emails is randomly constructed from the following
lists of names and email addresses.
Names:
admin{at}hackers.com
admin{at}hackersclub.com
admin{at}viruswriters.com
American Beauty
Benting
britneyspears.org
Cathy Kindergarten
Clark Steel
Club Jenna
Codeproject
Hardcore Screensavers
Iori Yagami
Jasmine Stevens
Jaucques Antonio Barkinstein
Jenna Jameson
Jericho
John Vandervochich
Jonathan
Keanu Stevenson
Klein Anderson
KOF Online
Kyo Kusanagi
Love Inc.
Lovers Screensavers
McAfee Inc.
Nicolas Schwarzeneggar
Nomadic Screensavers
Noopman
Norton Antivirus
Omega Rugal
Paul Owen
Playboy Inc.
Plus 2
Plus 6
Ralph Jones
Raveena Pusanova
Real Inc.
Rocking Stone
Romantic Screensavers
Romeo & Juliet
Ross Anderson
Screensavers of Love
Sexy Screensavers
SQL Library
Super Soccer
Terry Bogard
The Rock
Trend Micro
Valentine Screensavers
Veronica Anderson
XXX Screensavers
Zdenka Podkapova
zporNstarS
Email addresses:
admin{at}clubjenna.com
admin{at}codeproject2.com
admin{at}hackers2.com
admin{at}hackersclub2.com
admin{at}kofonline2.com
admin{at}zpornstars.com
av_patch{at}mcafee.com
av_patch{at}norton.com
av_patch{at}trendmicro.com
caijob{at}online.sh.cn
cathy{at}21cn.com
cupid{at}freescreensavers.com
DNA_seraph{at}163.com
ericpan{at}online.com.pk
free{at}hardcorescreensavers.com
free{at}sexyscreensavers.com
free{at}sql.library.com
free{at}xxxscreensavers.com
hamada{at}seikosangyo.com
jenna{at}jennajameson.com
kkn{at}k2k.com
screensavers{at}nomadic.com
kl{at}aminoprojects.com
love{at}lovescreensavers.com
loverscreensavers{at}love.com
lubing{at}7135.com
luoairong{at}21cn.com
marketing{at}suppersoccer.com
me{at}me2K.com
newsletters{at}britneyspears.org
nics{at}noma.com
paul{at}kqscore2.com
plus{at}real.com
ravs{at}go2pussy.com
romanticscreensavers{at}love.com
sales{at}playboy.com
sales{at}real.com
samsun{at}online.sh.cn
screensavers{at}lovers.com
services{at}tcsonline2.com
stone{at}esterplaza.com
super{at}21cn.com
therock{at}wwe.com
valentinescreensavers{at}t2k.com
yjworks{at}online.sh.cn
zdenka{at}zpornstars.com
zhouyuye{at}citiz.net
The subject line of the email is randomly chosen from the following:
Are you a Soccer Fan ?
Are you beautiful
Are you in Love
Are you looking for Love
Are you the BEST
Check it out
Check this shit
Check ur friends Circle
Demo KOF 2002
Feel the fragrance of Love
Find a good friend
Freak Out
Free Demo Game
Free rAVs Screensavers
Free Screenavers of Love
Free Screensavers
Free Screensavers 4 U
Free Win32 API source
Free XXX
Hardcore Screensavers 4 U
Hello
hey check it yaar
Hi
How sweet this Screen saver
I am in Love
I Love You
I Love You..
Jenna 4 U
Learn How To Love
Learn SQL 4 Free
Lets Dance and forget pains
Looking for Friendship
love speaks from the heart
Lovers Corner
make ur friend happy
Need a friend?
Need money ??
One Hackers Love
One Virus Writers Story
Patch for Elkern.gen
Patch for Klez.H
Play KOF 2002 4 Free
Project
Sample KOF 2002
Sample Playboy
Sample Screensavers
Say I Like You To ur friend
Screensavers from Club Jenna
Sexy Screensavers 4 U
Shake it baby
The Hotmail Hack
The King of KOF
The world of Friendship
Things to note
to ur friends
to ur lovers
True Love
U realy Want this
Visit us
Wanna be a HE-MAN
Wanna be friends ?
Wanna be friends ??
Wanna be like a stone ?
Wanna be my sweetheart ??
Wanna Brawl ??
Wanna Hack ??
Wanna Rumble ??
war Againest Loneliness
We want peace
Whats up
Who is ur Best Friend
Who is your Valentine
World Tour
Wowwwwwwwwwww check it
WWE Screensavers
XXX Screensavers 4 U
You are so sweet
The message text is taken from the following list:
"hey,did u always dreamnt of hacking ur friends hotmail account..finally
i got a hotmail hack from the internet that really works..ur my best
friend thats why sending to u..check it..just run it..enter victim"s
address and u will get the pass."
"hi,check the attached love screensaverand feel the fragrance of true
love.."
"Hi,check the attached screensaver..its really wonderfool..i got it
from freescreensavers.com"
"Hi,check ur friends circle using the attached friendship screensaver..
check the attached screensaverand if u like it send it to all those you
consider to be true friends... if it comes back to you then you will
know that you have a circle of friends.."
"Hi,check the attached screensaverand enjoy the world of friendship.."
"Hi,are u in a rocking mood...check the attached scrennsaver and start
shaking.."
"Hi,Check the attached screensaver.."
"Hi,Are you lonely ??.. check the attached screensaver and forget the
pain of loneliness"
"Hi,Looking for online pals.. check the attached friend finder
software.."
"Hi,sending you a screensaver..check it and let me know how it is..."
"Hi,Check the attached screensaverand feel the fragrance of true
love..."
"Hey,I just got this wonderfull screensaver from freescreensaver.com..
Just check it out and let me know how it is.."
"Hi,I just came across it.. check out..
============================================================
Are you one of those unfortunate human beings who are desperatelylooking
for friends.. but still not getting true friends with whomyou can share
your everything..anyway you wont feel down any more cause GC Chat
Network has broughtup a global chat and online match making system using
its own GC Messenger. Attached is the fully functional free version of
GCInstant Messenger and Match Making client..Just install, register an
account with us and find thousands of onlinepals all over the world..You
can also search for friends by specific country,city,region etc.Regards
Admin,GC Global Chat Network System.."
"Hi,So you think you are in love.. is it true love ? you may think
right now that you are intrue love but it is certainly possible that it
is nothingbut a mere infatuation to you..anyway to know yourself better
than you have ever known checkthe attached screensaver and feel the
fragrance of true love.."
"Hey pal,you know friendship is like a business...to get something you
need to give something.. though its not that harsh as business but
toget love and care from your friends you need to givelove,care and
respect to your friends.. right? check the attached screensaver and you
will learn how tomake your friends happy.."
"Hi,Its quite obvious that in our life we have numerous friendsbut..
BUT Best Friend can only be ONE.. right ?? so can you decide who is
your best friend ?? i guess not.. cause mostly you will find that your
best friendwont care about u like somebody else..anyway i found one way
to find who is my best friend.. check it.. just check the attached
screensaver.. answer some questionsin it and also ask your best friend
to answer the questions....then you will know more about him.."
"Hey pal,wanna have some fun in life... feel like life is too boring
and monotonous..check the attached screensaver and bring coloursto your
black & white life.. :)"
"Hi,I just came across this funny screensaver..sending it to u.. hope u
like it..check out and die laughing.. :)"
">>>>>>>>>>>>>>>>>>>>>>>>
This E-Mail is never sent unsolicited. If you receive thisE-Mail then
it is because you have subscribed to the officialnewsletter at the KOF
ONLINE website.King Of Fighters is one of the greatest action game ever
made.Now after the mind boggling sucess of KOF 2001 SNK proudly presents
to you KOF 2002 with 4 new charecters.Even though we need no publicity
for our product but thistime we have decided to give away a fully
functional trial version of KOF 2002. So check out the attached trial
versionof KOF 2002 and register at our official website to get a
freecopy of KOF2002 original versionBest Regards,Admin,KOF ONLINE..
>>>>>>>>>>>>>>>>>>>>>>>>"
"Hello,I just came across your email ID while searching in the Yahoo
profiles. Actually I want a true friend 4 life with whom I can share my
everything.So if you are interested in being my friend 4 life then mail
me.If you wanna know about me, attached is my profile along with some
of mypics. You can check and if you like it then do mail me.I will be
waiting for your mail.Best Wishes, Your Friend.."
"Hello,Looking for some Hardcore mind boggling action ? Install the
attached browser software and browseacross millions of paid hardcore
sex sites for free.Using the software you can safely and easily
browseacross most of the hardcore XXX paid sites across theinternet for
free. Using it you can also clean alltraces of your web browsing from
your computer.Note:The attached browser software is made exclusivleyfor
demo only. You can use the software for a limitedtime of 35 days after
which you have to register itat our official website for its furthur
use.Regards,Admin."
"Klez.H is the most common world-wide spreading worm.It"s very
dangerous by corrupting your files.Because of its very smart stealth
and anti-anti-virus technic,most common AV software can"t detect or
clean it.We developed this free immunity tool to defeat the malicious
virus.You only need to run this tool once,and then Klez will never come
into your PC"
"Hello,The attached product is send as a part of our official
campaignfor the popularity of our product.You have been chosen to try a
free fully functional sample of ourproduct.If you are satified then you
can send it to your friends.All you have to do is to install the
software and register an accountwith us using the links provided in the
software. Then send this softwareto your friends using your account ID
and for each person who registerswith us through your account, we will
pay you $1.5.Once your account reachesthe limit of $50, your payment
will be send to your registration address bycheck or draft.Please note
that the registration process is completely free which meansby
participating in this program you will only gain without loosing
anything.Best Regards,Admin,"
The attached file is one of the following:
Be_Happy.scr
Beautifull.scr
Best_Friend.scr
Body_Building.scr
Britney_Sample.scr
Codeproject.scr
colour_of_life.scr
Cupid.scr
dance.scr
FixElkern.com
FixKlez.com
FreakOut.exe
Free_Love_Screensavers.scr
Friend_Finder.exe
Friend_Happy.scr
friendship.scr
friendship_funny.scr
funny.scr
GC_Messenger.exe
Hacker.scr
Hacker_The_LoveStory.scr
Hardcore4Free.scr
hotmail_hack.exe
I_Like_You.scr
I_Love_You.scr
Jenna_Jemson.scr
King_of_Figthers.exe
KOF.exe
KOF_Demo.exe
KOF_Fighting.exe
KOF_Sample.exe
KOF_The_Game.exe
KOF2002.exe
life.scr
love.scr
My_Sexy_Pic.scr
MyPic.scr
MyProfile.scr
Notes.exe
Peace.scr
Playboy.scr
Plus2.scr
Plus6.scr
Project.exe
Ravs.scr
Real.scr
Romantic.scr
Romeo_Juliet.scr
Screensavers.scr
Services.scr
Sex.scr
Soccer.scr
Sexy_Jenna.scr
shake.scr
SQL_4_Free.scr
Stone.scr
Sweet.scr
Sweetheart.scr
The_Best.scr
THEROCK.scr
True_Love.scr
up_life.scr
Valentines_Day.scr
VXer_The_LoveStory.scr
Ways_To_Earn_Money.exe
world_of_friendship.scr
World_Tour.scr
xxx4Free.scr
zDenka.scr
zXXX_BROWSER.exe
W32/Yaha-T copies itself to fixed drives connected to the computer and
to remote network shares as \REG32.EXE and \MSREGSCANNER.EXE and
changes the WIN.INI so that REG32.EXE is run when the system is
restarted.
The worm terminates programs with the following names:
_AVP32.EXE
_AVPCC
_AVPCC.EXE
_AVPM.EXE
ACKWIN32
AckWin32
ACKWIN32.EXE
AckWin32.exe
ADVXDWIN
ADVXDWIN.EXE
agentw.exe
ALERTSVC
ALERTSVC.EXE
alogserv
ALOGSERV
ALOGSERV.EXE
alogserv.exe
AMON9X
AMON9X.EXE
ANTI-TROJAN
ANTI-TROJAN.EXE
ANTS.EXE
apvxdwin
APVXDWIN
apvxdwin.exe
APVXDWIN.EXE
ATCON.EXE
ATUPDATER
ATUPDATER.EXE
ATWATCH
ATWATCH.EXE
AutoDown
AUTODOWN
AUTODOWN.EXE
AutoDown.exe
AUTODOWN.exe
AutoTrace
AutoTrace.exe
AVCONSOL
AVCONSOL.EXE
AVGCC32
AVGCC32.EXE
Avgctrl
AVGCTRL
Avgctrl.exe
AVGCTRL.EXE
AVGSERV
AvgServ
AVGSERV.EXE
AVGSERV9
AVGSERV9.EXE
AVGW.EXE
avkpop
avkpop.exe
AvkServ
AvkServ.exe
avkservice
avkservice.exe
avkwctl9
avkwctl9.exe
AVP.EXE
AVP32.EXE
AVPM.EXE
avpm.exe
Avsched32
Avsched32.exe
AVSYNMGR
AVSYNMGR
AvSynMgr
AVSYNMGR.exe
AVWINNT
AVWINNT.EXE
AVXMONITOR9X
AVXMONITOR9X.EXE
AVXMONITORNT
AVXMONITORNT.EXE
AVXQUAR
AVXQUAR.EXE
AVXQUAR.EXE.EXE
AVXW.EXE
BLACKD
blackd
BLACKD.EXE
blackd.exe
BlackICE
BlackICE.exe
CDP.EXE
cfgWiz
cfgWiz.exe
CLAW95
Claw95
CLAW95.EXE
Claw95.exe
CLAW95CF
Claw95cf
CLAW95CF.EXE
Claw95cf.exe
cleaner
cleaner.EXE
cleaner3
cleaner3.EXE
CMGrdian
CMGRDIAN
CMGRDIAN.EXE
CONNECTIONMONITOR
CONNECTIONMONITOR.EXE
cpd.exe
CPDClnt
CPDClnt.exe
CPDCLNT.EXE
CTRL.EXE
defalert
defalert.exe
defscangui
defscangui.exe
DEFWATCH
DEFWATCH.EXE
DOORS.EXE
DVP95.EXE
DVP95_0.EXE
EFPEADM
EFPEADM.EXE
EFPEADM.exe
ETRUSTCIPE
ETRUSTCIPE.EXE
ETRUSTCIPE.exe
EVPN.EXE
EVPN.exe
EXPERT
EXPERT.EXE
F-AGNT95
F-AGNT95.EXE
fameh32
fameh32.exe
fch32.exe
fih32.exe
fnrb32
fnrb32.exe
F-PROT
F-PROT.EXE
F-PROT95
F-PROT95.EXE
FP-WIN
FP-WIN.EXE
FRW.EXE
fsaa.exe
fsav32
fsav32.exe
fsgk32
fsgk32.exe
fsm32.exe
fsma32
fsma32.exe
fsmb32
fsmb32.exe
F-STOPW
f-stopw
F-STOPW.EXE
f-stopw.exe
gbmenu
gbmenu.exe
gbpoll
GBPOLL
gbpoll.exe
GBPOLL.EXE
GENERICS
GENERICS.EXE
GUARD.EXE
GUARDDOG
GUARDDOG.EXE
IAMAPP
iamapp
IAMAPP.EXE
iamapp.exe
IAMSERV
iamserv
IAMSERV.EXE
iamserv.exe
IAMSTATS
IAMSTATS.EXE
ICLOAD95
ICLOAD95.EXE
ICLOADNT
ICLOADNT.EXE
ICMON.EXE
ICSUPP95
ICSUPP95
ICSUPP95.EXE
ICSUPP95.EXE
ICSUPPNT
ICSUPPNT.EXE
IFACE.EXE
IOMON98
IOMON98.EXE
ISRV95
ISRV95.EXE
JEDI.EXE
LDNETMON
LDNETMON.EXE
LDPROMENU
LDPROMENU.EXE
LDSCAN
LDSCAN.EXE
LOCKDOWN
LOCKDOWN.EXE
LOCKDOWN2000
lockdown2000
LOCKDOWN2000.EXE
lockdown2000.exe
LUALL.EXE
LUCOMSERVER
LUCOMSERVER.EXE
LUSPT.exe
MCAGENT
MCAGENT.EXE
MCMNHDLR
MCMNHDLR.EXE
Mcshield.exe
MCTOOL
MCTOOL.EXE
MCUPDATE
MCUPDATE.EXE
MCVSRTE
MCVSRTE.EXE
MCVSSHLD
MCVSSHLD.EXE
MGAVRTCL
MGAVRTCL.EXE
MGAVRTE
MGAVRTE.EXE
MGHTML
MGHTML.EXE
MINILOG
MINILOG.EXE
MONITOR
Monitor
MONITOR.EXE
Monitor.exe
MOOLIVE
MOOLIVE.EXE
MPFAGENT.EXE
MPFSERVICE
MPFSERVICE.exe
MPFTRAY.EXE
MWATCH
MWATCH.EXE
MWATCH.exe
NAV Auto-Protect
NAV32_LOADER
navapsvc
navapsvc.exe
NAVAPSVC.EXE
NAVAPW32
navapw32
NAVAPW32.EXE
NAVENGNAVEX15
NAVLU32
NAVLU32.EXE
NAVW32
Navw32
Navw32.exe
NAVWNT
NAVWNT.EXE
NDD32.EXE
NeoWatchLog
NeoWatchLog.exe
NETUTILS
NETUTILS.EXE
NISSERV
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
NORMIST
NORMIST.EXE
notstart
notstart.exe
NPROTECT
NPROTECT.EXE
npscheck
npscheck.exe
NPSSVC
NPSSVC.EXE
NSCHED32
NSCHED32.EXE
ntrtscan
ntrtscan.EXE
NTVDM.EXE
NTXconfig
NTXconfig.exe
Nui.EXE
Nupgrade
Nupgrade.exe
NVC95.EXE
NVSVC32
NWService
NWService.exe
NWTOOL16
NWTOOL16.EXE
PADMIN
PADMIN.EXE
pavproxy
PAVPROXY
pavproxy.exe
PAVPROXY.EXE
PCCIOMON
PCCIOMON.EXE
pccntmon
pccntmon.EXE
pccwin97
pccwin97.EXE
PCCWIN98
PCCWIN98.EXE
pcscan
pcscan.EXE
PERSFW
PERSFW.EXE
PERSWF
PERSWF.EXE
POP3TRAP
POP3TRAP.EXE
POPROXY
POPROXY.EXE
PORTMONITOR
PORTMONITOR.EXE
PROCESSMONITOR
PROCESSMONITOR.EXE
PROGRAMAUDITOR
PROGRAMAUDITOR.EXE
PVIEW95
PVIEW95.EXE
rapapp.exe
RAV7.EXE
RAV7WIN
RAV7WIN.EXE
REALMON
REALMON.EXE
RESCUE
Rescue
RESCUE.EXE
Rescue.exe
RTVSCN95
RTVSCN95.EXE
RULAUNCH
RULAUNCH.EXE
sbserv
sbserv.exe
SCAN32
SCAN32.EXE
SCRSCAN
SCRSCAN.EXE
SMC.EXE
SPHINX
Sphinx
SPHINX.EXE
Sphinx.exe
SPYXX.EXE
SS3EDIT
SS3EDIT.EXE
SWEEP95
SWEEP95.EXE
SweepNet
SWEEPSRV.SYS
SWNETSUP
SWNETSUP.EXE
SymProxySvc
SymProxySvc.exe
SYMTRAY
SYMTRAY.EXE
SYSHELP.EXE
TAUMON
TAUMON.EXE
TC.EXE
TCA.EXE
TCM.EXE
TCPSVS32
TDS-3.EXE
TFAK.EXE
vbcmserv
vbcmserv.exe
VbCons
VbCons.exe
VET32.EXE
VET32.exe
VET95.EXE
Vet95.exe
VETTRAY
VetTray
VETTRAY.EXE
VetTray.exe
VIR-HELP
VIR-HELP.EXE
VPC32.EXE
VPTRAY
VPTRAY.EXE
VSCHED
VSCHED.EXE
VSECOMR
VSECOMR.EXE
VSHWIN32
vshwin32
VSHWIN32.EXE
VSMAIN
VSMAIN.EXE
VSMON.EXE
vsmon.exe
VSSTAT
VSSTAT.EXE
WATCHDOG
WATCHDOG.EXE
WEBSCANX
WEBSCANX.EXE
WEBTRAP
WEBTRAP.EXE
WGFE95
WGFE95.EXE
WIMMUN32
WIMMUN32.EXE
WINGATE.EXE
WINMGM32.EXE
WINSERVICES
WRADMIN
WrAdmin
WRADMIN.EXE
WrAdmin.exe
WRCTRL
WrCtrl
WRCTRL.EXE
WrCtrl.exe
zapro.exe
zonealarm
zonealarm.exe
The worm shuts down windows with the names "Process Viewer", "Registry
Editor", "System Configuration Utility" and "Windows Task Manager".
W32/Yaha-T also deletes files and registry entries related to certain
types of software.
W32/Yaha-T may also drop a DLL plugin which allows it to record
keystrokes which may subsequently be emailed to an external address.
The worm may also attempt a denial-of-service attack on the following
URLs:
finance.gov.pk
forisb.org
jamatdawa.org
interior.gov.pk
infopak.gov.pk
W32/Sobig-E
Type
Win32 worm
Detection
Sophos has received many reports of this worm from the wild.
Description
This worm arrives via email and attempts to travel via network shares.
The worm sends itself as an attachment to email addresses collected
from infected computers.
A typical email has the following format:
Subject line: Chosen from -
Re: Application
Re: Movie
Re: Movies
Re: Submited (Ref: 003746)
Re: Screensaver
Re: Documents
Re: Re: Application ref. 003644
Re: Re: Document
Your application
Application.pif
Applications.pif
movie.pif
screensaver.scr
submited.pif
new_document.pif
re.document.pif
004448554.pif
referer.pif
Message text:
Please see the attached zip file for details
Attached file: One of -
your_details.zip (containing details.pif)
application.zip (containing application.pif)
document.zip (containing document.pif)
screensaver.zip (containing sky_world.scr)
Movie.zip (containing Movie.pif)
W32/Sobig-E may spoof the From field of the sent emails using the email
address support{at}yahoo.com or addresses collected from the user's
computer.
When run W32/Sobig-E copies itself into the Windows folder as
winssk32.exe and sets the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSK Service
= \winssk32.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSK Service
= \winssk32.exe
W32/Sobig-E will not spread if the date is 14th July or later.
WM97/Simuleek-B
Aliases
Macro.Word97.Omni, W97M.Radnet.B, W97M_BUHAY.A, W97M/Simuleek.B
Type
Word 97 macro virus
Detection
At the time of writing Sophos has received just one report of this
virus from the wild.
Description
WM97/Simuleek-B creates a VBScript file called WordSeek.vbs in the
Windows folder which it uses to infect Word files. The virus adds a
line to win.ini to run this VBScript, which is detected as
VBS/Simuleek-B.
JS/Fortnight-E
Type
JavaScript worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
JS/Fortnight-E is a virus that is a combination of JavaScript and Java
applets. When an email infected with JS/Fortnight-E is read by an
HTML-aware mail client, the virus attempts to open a website. The website
runs a Java applet that makes use of Troj/ByteVeri-A to run itself
locally.
JS/Fortnight-E then attempts to drop a file S.HTM in WINDOWS that it
will set as the signature for Outlook Express 5.0.
JS/Fortnight-E also creates a file in the Windows folder called hosts.
The hosts file has the effect of subverting access to certain
websites.
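As an added example (not part of the Sophos advisory), a checker for the kind of hosts-file tampering described above: it flags mappings that override a watched domain and, separately, any single address that several unrelated names resolve to, which is how a hosts file silently redirects "certain websites". The watch-list and the sample hosts file are constructed; 203.0.113.7 is a documentation (TEST-NET-3) address.

```python
import ipaddress
from collections import defaultdict

# Constructed watch-list: search engines and AV vendors are the names a
# redirecting hosts file most often targets.
WATCHED_DOMAINS = ("google.com", "yahoo.com", "sophos.com", "symantec.com",
                   "mcafee.com", "trendmicro.com", "microsoft.com")


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping in a hosts file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # not a mapping line
        for name in parts[1:]:
            entries.append((line_no, ip, name.lower().rstrip(".")))
    return entries


def _is_watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_hosts_entries(text, min_shared=3):
    """Flag watched domains that are overridden, then names that share an
    address with at least min_shared others (a redirect sink)."""
    entries = parse_hosts(text)
    findings, by_ip = [], defaultdict(set)
    for line_no, ip, name in entries:
        if name == "localhost" and ip.is_loopback:
            continue   # the one mapping every hosts file legitimately has
        by_ip[ip].add(name)
        if _is_watched(name):
            findings.append((line_no, name, str(ip), "watched domain overridden"))
    sinks = {ip for ip, names in by_ip.items() if len(names) >= min_shared}
    for line_no, ip, name in entries:
        if ip in sinks and not _is_watched(name):
            findings.append((line_no, name, str(ip), "shares redirect sink"))
    return findings


# Constructed sample: one legitimate line, then four names sent to one address.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
203.0.113.7     www.google.com
203.0.113.7     search.yahoo.com
203.0.113.7     www.sophos.com
203.0.113.7     www.example.net
"""

if __name__ == "__main__":
    for line_no, name, ip, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```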
JS/Fortnight-E edits the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Policies\Microsoft\Internet Explorer\Control
Panel\SecurityTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control
Panel\AdvancedTab
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
The following files will be dropped in the Favorites folder:
Nude Nurses.url
Search You Trust.url
Your Favorite Porn Links.url
JS/Fortnight-E exploits a vulnerability in the Microsoft VM ActiveX
component.
If an affected web page is opened, a JScript embedded on the page
attempts to use the vulnerability in order to drop files on a local
drive, change registry keys without the user's knowledge or perform any
other malicious action on the local computer.
For more details about the Microsoft VM ActiveX component exception
vulnerability please see Microsoft Security Bulletin MS00-075.
WM97/Relax-C
Type
Word 97 macro virus
Detection
At the time of writing Sophos has received just one report of this
virus from the wild.
Description
On the 10th, 20th and 30th of April, August and December, WM97/Relax-C
attempts to append code to C:\autoexec.bat that displays the text:
" NOTE !!!
***
*****
*******
*****
***
Sometimes you must RELAX.
Please, RELAX while deleting all files in C:\
*****
*******
*****
GREECE
===================================
All files deleted!!!
Now, you have a clean COMPUTER
*******
*******".
WM97/Relax-C uses the file C:\temp.tmp to replicate.
Troj/PcGhost-A
Type
Trojan
Detection
At the time of writing Sophos has received just one report of this
Trojan from the wild.
Description
Troj/PcGhost-A is a configurable password stealing Trojan which logs
keystrokes and steals confidential information, sending them to a
pre-configured email address.
Troj/Hacline-B
Type
Trojan
Detection
At the time of writing Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Hacline-B can be used by intruders to gain unauthorised access to
a remote computer. The Trojan attempts to connect to remote computers
using a set of passwords listed in a file called IPCPASS.TXT.
W32/Nofer-C
Aliases
I-Worm.Fearso.c, Win32/Farex.C, PE_NOFEAR.C, W32/Nofer.C{at}mm,
W95/Fearso.C{at}mm
Type
Win32 executable file virus
Detection
At the time of writing Sophos has received no reports from users
affected by this virus. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Nofer-C is a virus which tries to email itself to addresses
extracted from a variety of sources on your computer. W32/Nofer-C also
infects programs already on your computer.
W32/Nofer-C copies itself into the Windows folder, using the filenames
svchost.exe and kernel.dll (usually 66048 bytes). W32/Nofer-C also
copies itself to a randomly-named hidden file (e.g. Uhy43cuAqUQ.exe) in
your Windows folder. The virus then adds a registry entry to:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
so that the hidden file is launched every time you logon to your
computer.
W32/Magold-D
Aliases
I-Worm.Magold.e
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Magold-D is a memory resident worm that uses email, IRC channels,
network shared drives and P2P network shares to spread.
The worm arrives in an email message with subject line and message text
of non-Roman characters.
If the viral attachment is run W32/Magold-D displays the message box
"DirectX Error! Address:19851022" and copies itself to
C:\\dreAd.exe, C:\\dreAd\Maya Gold.scr,
C:\\Maya Gold.scr and C:\\wdread.exe
During the execution of the email routine, the worm sends a
notification message to the virus writer containing the IP address,
username, computer name and available shares of the infected machine.
W32/Magold-D uses the Windows Address Book and HTML files found on the
local drive to retrieve email addresses that will be used to send the
worm message. All addresses found are stored in the file ravec.txt that
will be saved by the worm in the Windows folder.
The worm may create a folder dreAd in the Windows folder and attempt to
register the folder in the registry as one used as a file repository
for a number of P2P clients.
W32/Magold-D searches for and terminates processes that belong to
several anti-virus products.
The worm changes the following registry entries so that the worm file
dreAd.exe is run before any file with the extension EXE, PIF, COM, SCR
and BAT:
HKCR\exefile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\scrfile\shell\open\command
W32/Magold-D also creates the registry entry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raVe
so that the worm file dreAd.exe is run on Windows startup.
The registry entry HKLM\Software\dreAd is used by the worm to store
data used internally by the worm.
The worm contains several randomly triggered payload routines such as
opening the CD-ROM drive tray, changing the Windows colour scheme,
restricting the movement of the mouse pointer to the lower part of the
screen, opening the web page http://www.offspring.com, writing the text
"=:-) OFFSPRING is coOL =:-) PUNK'S NOT DEAD =:-)" to the caption area
of the topmost window and creating a large number of zero-byte text
files on the Desktop.
W32/Magold-D may also send Hungarian text to the default printer and may
attempt to delete all files with the extension BMP, GIF or JPG from the
hard drive.
The worm may attempt to copy itself to all local drives, shared network
drives and floppy disks (if one is in the floppy disk drive) as Maya
Gold.scr and may create the file autorun.inf so that the worm file is
run automatically when the drive is opened using Explorer if the
autorun feature is enabled.
On an infected computer, the two copies of the worm dreAd.exe and
wdread.exe run in the background as processes and monitor each other so
that if one is terminated, the other restarts it immediately.
Furthermore, the registry entries created above are also monitored such
that a registry value is immediately restored if it was changed.
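The registry changes above (the five HKCR\...\shell\open\command hijacks, the raVe Run value and the HKLM\Software\dreAd data store) can be checked from a registry export rather than on the live machine. The script below is an added example, not Sophos code: it parses standard .reg export text, flags any of the hijacked file classes whose open command no longer starts with "%1", flags Run values whose names match those quoted in the advisories on this page (raVe, SecureLogin, systrimit, SFtrb Service) and reports the dreAd marker key. The sample export is constructed for the demonstration; in particular the exact text of the hijacked command is an assumption, since the advisory only says dreAd.exe is run first.

```python
"""Audit an exported .reg file for the persistence and file-association
changes described in the advisories on this page.

Added example, not Sophos code. It works on .reg export text rather than
the live registry (so it runs on any OS); the export below is constructed
for the demonstration, including the shape of the hijacked open command,
which the advisory does not quote."""
import re

# Run-key value names quoted in the advisories on this page, mapped to the
# family that creates them.
SUSPECT_RUN_NAMES = {
    "rave": "W32/Magold-D",
    "securelogin": "W32/Redist-C",
    "systrimit": "Troj/Mystri-A",
    "sftrb service": "W32/Sobig-D",
}

# File classes whose open command W32/Magold-D rewrites so dreAd.exe runs first.
HIJACKED_CLASSES = {"exefile", "comfile", "piffile", "batfile", "scrfile"}

# A legitimate open command launches the file itself: "%1" %*, "%1" /S, ...
# Anything that puts another program in front of "%1" is a wrapper.
CLEAN_OPEN_CMD = re.compile(r'^"?%1"?(\s|$)')

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    r"""Undo .reg string escaping (\\ and \")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}. String data is unescaped;
    other types (dword:, hex:) are kept as written."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def audit(keys):
    """Return (kind, location, detail) findings for the tricks this page describes."""
    findings = []
    for path, values in keys.items():
        parts = path.split("\\")
        lower = [p.lower() for p in parts]
        if (lower[0] == "hkey_classes_root" and len(parts) == 5
                and lower[1] in HIJACKED_CLASSES
                and lower[2:] == ["shell", "open", "command"]):
            cmd = values.get("", "").strip()
            if not CLEAN_OPEN_CMD.match(cmd):
                findings.append(("association-hijack", path, cmd))
        elif lower[-1] == "run" and "currentversion" in lower:
            for name, data in values.items():
                family = SUSPECT_RUN_NAMES.get(name.lower())
                if family:
                    findings.append(("run-persistence", f"{path}\\{name}", f"{data} ({family})"))
        elif lower == ["hkey_local_machine", "software", "dread"]:
            findings.append(("marker-key", path, "W32/Magold-D internal data store"))
    return findings


# Constructed sample export: one hijacked class, two clean ones, a suspect
# Run value next to a benign one, and the dreAd marker key.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\dreAd.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"raVe"="C:\\dreAd.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\Software\dreAd]
"state"=dword:00000001
'''

if __name__ == "__main__":
    for kind, where, detail in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{kind:20} {where}\n{'':20} -> {detail}")
```

The open-command check accepts any command that launches the file itself first, so the differing defaults for exefile ("%1" %*) and scrfile ("%1" /S) both pass while a prepended program fails, and the Run-name check is case-insensitive because registry value names are.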
W32/Redist-C
Aliases
WORM_GANT.C, W32.RedZed{at}mm, Win32/OutSid.C
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Redist-C is an internet worm which spreads by email and over
peer-to-peer networks.
W32/Redist-C uses Outlook to send itself to entries in your address
book. Emails sent out by the worm have the following characteristics:
Subject line: Some card games
Message text:
Hello,
Try these card games (in the attachments).
Enjoy!
Attached file: Card_install.pif
Subject line: MP3 downloader
Message text:
Hello,
Do you like MP3's?
Check out this cool MP3 downloader!
It works well on my computer :)
Cya!
Attached file: MP3Connect.pif
Subject line: Modem booster
Message text:
I had a fairly slow modem until I installed the file in the
attachments! This program is a "Modem booster", it can make your
internet connection go at most 2x faster :)
Enjoy!
Attached file: ModemBooster.exe
Subject line: Fire ScreenSaver
Message text:
Check out this ScreenSaver of fire!
I think that it's one of the best ScreenSavers that I have ever seen!
Cya!
Attached file: FireScreen.pif
Subject line: Program
Message text: Here is that program that you asked for yesterday.
Attached file: Winprg32.pif
Subject line: Password list
Message text:
Hello,
Here is that password list that you asked for about days ago.
It is in the attachments as "PswdLst.pif". It also includes my computer
login password, so please dont show anyone else this file.
Thanks.
Attached file: PswdLst.pif
W32/Redist-C makes itself available over peer-to-peer networks by
copying itself to the following folders:
KMD
Kazaa
Kazaa Lite
LimeWire\Shared
Gnucleus\Downloads
Gnucleus\Downloads\Incoming
Shareaza\Downloads
BearShare\Shared
Edonkey2000\Incoming
Edonkey
Incoming
Morpheus
Grokster\My Grokster
WinMX
ICQ\Shared Files
My Music
My Documents\My Music
My Downloads
W32/Redist-C makes two copies of itself to your Windows folder, using
the names:
Mslg32.exe
Winprg32.pif
The worm copies itself to your System folder, using the name:
Winlg32.pif
(Files infected with W32/Redist-C are usually 19456 bytes in size.)
W32/Redist-C adds this entry to your registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecureLogin
This value is set to launch the file Mslg32.exe every time you log on
to your computer.
W32/Redist-C also adds the registry entry:
HKCU\Software\Zed\Outsider\Outsider3 = "W32/Outsider.C by Zed"
W32/Redist-C tries to overwrite files with extensions starting with "MP"
and "WM" (these are usually music files). The additional extension ".pif"
is added to the filename. Although the filename looks the same as it
was, you will launch the virus if you double-click on these files in
the future. Note that the original music files are destroyed. You will
not easily be able to restore them unless you have a recent backup.
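The double-extension trick described above can be found with a simple listing check. The script below is an added example, not Sophos code: it classifies file names whose final extension is executable and whose preceding extension starts with MP or WM, reports the media name the file is masquerading as, and notes when the size equals the 19456 bytes the advisory gives. It generalises the advisory's ".pif" case to the other executable extensions Windows runs on double-click, which the advisory does not itself mention. The directory listing is constructed; the walk_entries helper is what you would feed it on a real drive.

```python
"""Flag media files that have been turned into executables by appending a
second, executable extension (song.mp3 -> song.mp3.pif), the trick
W32/Redist-C uses.

Added example, not Sophos code. The listing below is constructed; in use,
feed find_masked_media() the output of walk_entries(). Generalises the
advisory's ".pif" case to other executable extensions."""
import os
import re

# Extensions Windows executes on double-click. Explorer also never shows
# .pif (NeverShowExt), which is why the renamed file "looks the same".
EXEC_EXTS = {"pif", "exe", "scr", "com", "bat"}
# The advisory: any extension starting with MP or WM (mp3, mpg, wma, wmv ...).
MEDIA_PREFIXES = ("mp", "wm")
# Typical size of the worm's copy, as given in the advisory.
REDIST_C_SIZE = 19456

DOUBLE_EXT = re.compile(
    r"^(?P<base>.+)\.(?P<inner>[a-z0-9]+)\.(?P<outer>[a-z0-9]+)$", re.IGNORECASE)


def masked_media_name(filename):
    """Return the media name the executable is masquerading as, or None."""
    m = DOUBLE_EXT.match(filename)
    if not m:
        return None
    inner, outer = m.group("inner").lower(), m.group("outer").lower()
    if outer in EXEC_EXTS and inner.startswith(MEDIA_PREFIXES):
        return f"{m.group('base')}.{m.group('inner')}"
    return None


def _basename(path):
    """Last path component for both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def find_masked_media(entries):
    """entries: iterable of (path, size_in_bytes).
    Returns [(path, masqueraded_name, size_matches_advisory), ...]."""
    hits = []
    for path, size in entries:
        original = masked_media_name(_basename(path))
        if original is not None:
            hits.append((path, original, size == REDIST_C_SIZE))
    return hits


def walk_entries(root):
    """Yield (path, size) for every file under root; use as input to
    find_masked_media() on a real drive."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                yield p, os.path.getsize(p)
            except OSError:
                continue


# Constructed listing: three masked files (two at the advisory's size), a
# legitimate double extension, untouched media, and a non-media .pif that
# falls outside the advisory's pattern.
SAMPLE_ENTRIES = [
    (r"C:\My Music\song.mp3.pif", 19456),
    (r"C:\My Music\clip.wmv.pif", 19456),
    (r"C:\Downloads\video.mpg.exe", 204800),
    (r"C:\Downloads\archive.tar.gz", 1048576),
    (r"C:\My Music\track.mp3", 3145728),
    (r"C:\Docs\notes.doc.pif", 19456),
]

if __name__ == "__main__":
    for path, original, size_match in find_masked_media(SAMPLE_ENTRIES):
        note = " (size matches W32/Redist-C)" if size_match else ""
        print(f"{path}: masquerading as {original}{note}")
```

The size match is reported separately rather than used as a filter, since a variant or a different worm using the same rename trick would not share the 19456-byte size.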
W32/Redist-C logs what you type and writes your keystrokes into a file
named Mskmap32.txt or Mskmap.txt. The worm then emails this file to a
Hotmail address.
W32/Redist-C looks for and shuts down a wide range of security software
by finding and killing off processes with these names:
_AVP.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPMON.EXE
AVPNT.EXE
AVPTC32.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CCAPP.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFIND.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLAW95CT.EXE
CLEANER.EXE
CLEANER3.EXE
DV95.EXE
DV95_O.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
EFINET32.EXE
ESAFE.EXE
ESPWATCH.EXE
F-AGNT95.EXE
FINDVIRU.EXE
FPROT.EXE
F-PROT.EXE
FPROT95.EXE
F-PROT95.EXE
FP-WIN.EXE
FRW.EXE
F-STOPW.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICMOON.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
NAVW.EXE
IOMON98.EXE
JED.EXE
JEDI.EXE
KPF.EXE
KPFW32.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LUALL.EXE
MOOLIVE.EXE
MPFTRAY.EXE
N32SCAN.EXE
N32SCANW.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVSCHED.EXE
NAVW32.EXE
NAVWNT.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NUPGRADE.EXE
NVC95.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
RAV7.EXE
RAV7WIN.EXE
RESCUE.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
TDS2-98.EXE
TDS2-NT.EXE
VCONTROL.EXE
VET95.EXE
VET98.EXE
VETTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSCAN40.EXE
VSSTAT.EXE
WEBSCAN.EXE
WEBSCANX.EXE
WFINDV32.EXE
ZAPRO.EXE
ZONEALARM.EXE
W32/Nofer-B
Type
Win32 executable file virus
Detection
At the time of writing Sophos has received no reports from users
affected by this virus. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Nofer-B is an internet worm which tries to email itself to
addresses extracted from a variety of sources on your computer.
W32/Nofer-B also infects programs already on your computer.
W32/Nofer-B copies itself into your Windows folder, using the filenames
svchost.exe (usually 43023 bytes) and kernel.dll (usually 59904 bytes).
W32/Nofer-B also copies itself to a randomly-named hidden file (e.g.
MWd0veUK.exe) in your Windows folder. The virus then adds a registry
entry to:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
so that this hidden file is launched every time you log on to your
computer.
Bat/Mumu-B
Aliases
HackTool.Win32.Hucline, Bat/Muma-A
Type
Batch file worm
Detection
Sophos has received several reports of this worm from the wild.
Description
Bat/Mumu-B, like Bat/Mumu-A, is a network worm that consists of a
collection of hacking tools and scripts used to discover and exploit
common configuration problems of the IPC$ share on Windows computers.
Vulnerable systems are found by scanning random IP addresses. The worm
spreads by copying the files ntservice.bat and ipcnl.exe to the Windows
system32 folder of the remote machine.
Bat/Mumu-B uses the Trojan Troj/Hacline-A to scan remote machines.
The worm starts the Trojan Troj/PcGhost that logs keystrokes and steals
passwords and attempts to send them to a preconfigured email account at
certain intervals.
Bat/Mumu-B also attempts to weaken the security of the computer by
creating an account in the local admin group with the username admin
and the password KKKKKKK.
Bat/Mumu-B mainly consists of the following BAT files:
10.BAT
HACK.BAT
IPC.BAT
MUMA.BAT
NEAR.BAT
RANDOM.BAT
REPLACE.BAT
START.BAT
SS.BAT
with TXT files:
IPCPASS.TXT
NWIZE.IN_
NTSERVICE.INI
SPACE.TXT
TIHUAN.TXT
and also contains the following clean executables:
PSEXEC.EXE (a networking utility)
REP.EXE (a string manipulation utility)
PCMSG.DLL (a legitimate utility associated with logging keystrokes)
NTSERVICE.EXE (a utility to start services under Windows NT)
JS/Fortnight-F
Aliases
Trojan.JS.SetPage
Type
JavaScript worm
Detection
Sophos has received several reports of this worm from the wild.
Description
JS/Fortnight-F is a JScript encoded form of JS/Fortnight-D.
Troj/Mystri-A
Type
Trojan
Detection
At the time of writing Sophos has received no reports from users
affected by this Trojan. However, we have issued this advisory
following enquiries to our support department from customers.
Description
Troj/Mystri-A listens on port 6000 and logs all traffic to the file
c:\logfile.txt. At regular intervals the Trojan sends the collected
data to a specific email address.
In order to be run automatically when Windows starts up the Trojan
copies itself to the file systrimit.exe in the Windows system folder
and creates the following registry entry to point to this file:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\systrimit
W32/Lovgate-M
Aliases
I-Worm.LovGate.gen, W95/Lovgate.L{at}mm, W32/Lovgate.gen{at}M virus,
W32.HLLW.Lovgate.I{at}mm, PE_LOVGATE.J
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Lovgate-M is a minor variant of W32/Lovgate-J.
W32/Sobig-D
Aliases
W32/Sobig.dam
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Sobig-D is an internet worm which spreads by copying itself to the
startup folder of network shares and by emailing itself to addresses
found within locally stored files that have an extension of TXT, EML,
HTML, HTM or DBX.
The emails sent have the following characteristics:
Subject line: chosen from -
Application Ref: 456003
Re: Accepted
Re: App. 00347545-002
Re: Application
Re: Documents
Re: Movies
Re: Screensaver
Re: Your Application (Ref: 003844)
Your Application
Message text:
See the attached file for details
Attached file: one of -
Accepted.pif
app003475.pif
Application844.pif
Applications.pif
Document.pif
movies.pif
ref 456.pif
Screensaver.pif
Screensaver.scr
W32/Sobig-D spoofs the From: field using email addresses extracted from
locally stored files or "admin{at}support.com".
W32/Sobig-D will not spread if the date is July 2nd 2003 or later.
When run, the worm copies itself to the Windows folder as cftrb32.exe
and creates the following registry entries so that cftrb32.exe is run
automatically each time Windows is started:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SFtrb Service = %WINDOWS%\cftrb32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
SFtrb Service = %WINDOWS%\cftrb32.exe
The worm enumerates network drives and copies itself to the following
startup folders if they are shared with write access:
Windows\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup
W32/Sobig-D also creates the file rssp32.dat in the Windows folder.
W32/Crock-A
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Crock-A is a worm which spreads by email.
Infected emails contain an attachment named CROCK.EXE or CROCK.SCR. If
you run this attachment, a dialog containing a Yahoo icon pops up,
inviting you to "Connect to everything in Y!". You are asked to type in
your "Yahoo ID" (which is filled in with your computer name) and your
"password", and then to click [OK] or [Cancel].
If you click [OK], W32/Crock-A will email itself to everyone in your
address book, producing emails with the following characteristics:
Subject line: Your free yahoo account and file!
Message text:
Yahoo ID: YOUR-PC-NAME
password: the-password-you-typed-in
But if you click [Cancel], W32/Crock-A will produce an email with these
characteristics:
Subject line: Yahoo Game House
Message text:
From the makers of Yahoo Game House, here is a new game from vAndEEd0!
The Crock
Yahooligans!
W32/Crock-A also creates a hidden copy of itself (using the name
CROCK.EXE or CROCK.SCR) in your startup folder. This means that the
worm relaunches itself every time you log on to your computer.
W32/Crock-A adds the following value to your registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\System Signature
If this registry value already exists when W32/Crock-A starts up, the
worm will neither pop up its bogus Yahoo dialog nor send out email.
This means it emails only once for each user of the computer.
W32/Crock-A looks for and shuts down a wide range of security software
by finding and killing off processes with these names:
Ackwin32
Anti-Trojan
Apvxdwin
Avconsol
Avkserv
Avnt
_Avp
Avp
AVP MONITOR
AVPMON
Avsched32
Avwin95
Avwupd32
BLACKICE
Blackice
Esafe
F-Agnt95
F-Prot
F-STOPW
F-Stopw
Fp-Win
Fprot
IOMON98
Lockdown2000
N32scanw
NAI_VS_STAT
Nav
Nisum
Nmain
Normist
Nupgrade
Nvc95
Outpost
Padmin
Pavcl
Pavsched
Pavw
Pccwin98
Pcfwallicon
Persfw
POP3TRAP
Rav
Rescue
Safeweb
Scan
Serv95
Sweep
Tbscan
Vet95
Vscan40
Vshwin32
Webscanx
Wfindv32
Zonealarm
W32/Crock-A also creates a file named CROCK.BAT in your startup folder
(the file is not hidden). This file is supposed to be a parasitic batch
file virus, but does not work correctly. (Sophos detects this file as
Bat/Crock-A anyway.)
VBS/Suhd-A
Aliases
X97M.Suhd, VBS_DELTAD.B, W32/DeltaD{at}MM, I-Worm.Deltad
Type
Visual Basic Script worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
VBS/Suhd-A is an internet worm which emails itself to every contact in
the Microsoft Windows address book. The emails have the following
characteristics:
Subject line: FW: Daily Report!!!
Message text: All:
Daily Report.FYI
DGPIT
Attached file: Daily Report.Xls
If opened, Daily Report.Xls creates a file called suhdlog.vbs in the
Windows folder. Suhdlog.vbs is the mailing component of the worm.
Both Daily Report.Xls and Suhdlog.vbs are detected as VBS/Suhd-A.
W32/Nofer-A
Aliases
I-Worm.Fearso, Win32/Farex.A, PE_NOFEAR.A, W32/Nofer.A{at}mm,
W95/Fearso.A{at}mm
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Nofer-A is an internet worm that will attempt to email itself to
addresses found from a variety of sources on the local machine.
W32/Nofer-A will also try to infect executable files.
W32/Nofer-A will copy itself to svchost.exe and to a randomly named
executable file in the Windows folder. It creates a registry entry in
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
that points to the randomly named executable file to ensure the worm is
run at system startup.
W32/Nofer-A will also attempt to spread using peer-to-peer networks.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)