echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2004-04-18 18:37:00
subject: News, April 18 2004

[cut-n-paste from sophos.com]

W32/Agobot-GP

Aliases
W32.HLLW.Gaobot.gen, W32/Gaobot.worm.gen.j

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-GP is an IRC backdoor Trojan and network worm.

W32/Agobot-GP is capable of spreading to computers on the local network 
protected by weak passwords.

When first run W32/Agobot-GP copies itself to the Windows system folder 
as csrss32.exe and creates the following registry entries to run itself 
on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Updater Service Process = csrss32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Updater Service Process = csrss32.exe

Each time W32/Agobot-GP is run it attempts to connect to a remote IRC 
server and join a specific channel. W32/Agobot-GP then runs continuously 
in the background, allowing a remote intruder to access and control the 
computer via IRC channels.

W32/Agobot-GP attempts to terminate and disable various anti-virus and 
security related programs.

W32/Agobot-GP modifies the hosts file on the infected computer in an 
attempt to resolve a number of security related websites to the 
localhost address.





Troj/Badparty-A

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Badparty-A displays a message box containing the text 'Press OK to 
install the party invitation...'.

When the user clicks on OK the Trojan deletes the partition table in the 
master boot sector and the contents of the FAT. The Trojan then attempts 
to create a new partition table.

The Trojan creates the following files, which are all copies of 
legitimate utilities:
ginst0.dll in the Windows temp folder
int86_16.dll, int86_32.dll, playme.exe and party.ini in the Windows 
folder





W32/Lovgate-V

Aliases
I-Worm.LovGate.w, W32.Lovgate.Gen@mm, WORM_LOVGATE.V

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Lovgate-V is a variant of the W32/Lovgate family of worms that 
spread via email, network shares and filesharing networks.

W32/Lovgate-V copies itself to the Windows system folder as the files 
WinHelp.exe, iexplore.exe, kernel66.dll and ravmond.exe and to the 
Windows folder as systra.exe.

The worm also drops the files msjdbc11.dll, mssign30.dll and odbc16.dll 
which provide unauthorised remote access to the computer over a network.

The worm drops ZIP files containing a copy of the worm onto accessible 
drives. The ZIP file may also carry a RAR extension. The name of the 
packed file is chosen from the following list:

WORK
setup
important
bak
letter
pass

The name of the contained unpacked file is either PassWord, email or 
book, with a file extension of EXE, SCR, PIF or COM.

In order to run automatically when Windows starts up W32/Lovgate-V 
creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Hardware Profile = \hxdef.exe
Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
WinHelp = \WinHelp.exe
Program In Windows = \IEXPLORE.EXE

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SystemTra = \SysTra.EXE

HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = RAVMOND.exe

In addition W32/Lovgate-V copies itself to the file command.exe in the 
root folder and creates the file autorun.inf there containing an entry 
to run the dropped file upon system startup.

W32/Lovgate-V spreads by email. Email addresses are harvested from WAB, 
TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL files found on the system.

Emails have the following characteristics:

Subject line:

test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message text:

It's the long-awaited film version of the Broadway hit. The message sent 
as a binary attachment.

The message contains Unicode characters and has been sent as a binary
attachment.

Mail failed. For further assistance, please contact!

Attached file:

document
readme
doc
text
file
data
test
message
body

followed by ZIP, EXE, PIF or SCR.

W32/Lovgate-V also enables sharing of the Windows media folder and 
copies itself there using various filenames.

The worm also attempts to reply to emails found in the user's inbox 
using the following filenames as attachments:

the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

The worm attempts to spread by copying itself to mounted shares using 
one of the following filenames:

mmc.exe
xcopy.exe
winhlp32.exe
i386.exe
client.exe
findpass.exe
autoexec.bat
MSDN.ZIP.pif
Cain.pif
WindowsUpdate.pif
Support Tools.exe
Windows Media Player.zip.exe
Microsoft Office.exe
Documents and Settings.txt.exe
Internet Explorer.bat
WinRAR.exe

W32/Lovgate-V also attempts to spread via weakly protected remote shares 
by connecting using a password from an internal dictionary and copying 
itself as the file NetManager.exe to the system folder on the admin$ 
share.

After successfully copying the file W32/Lovgate-V attempts to start it 
as the service "Windows Managment Network Service Extensions" on the 
remote computer.

W32/Lovgate-V starts a logging thread that listens on port 6000, sends a 
notification email to an external address and logs received data to the 
file C:\Netlog.txt.

W32/Lovgate-V attempts to terminate processes containing the following 
strings:

rising
SkyNet
Symantec
McAfee
Gate
Rfw.exe
RavMon.exe
kill
Nav
Duba
KAV
KV

W32/Lovgate-V also overwrites EXE files on the system with copies of 
itself. The original files are saved with a ZMX extension.





Troj/Loony-E

Aliases
Backdoor.SdBot.iw

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Loony-E is a backdoor Trojan that allows unauthorised access and 
control of the infected computer from a remote location via IRC 
channels.

Troj/Loony-E copies itself to the Windows system folder as SVSHOST.EXE 
and creates the following registry entry in order to run itself on 
system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svshostdriver





W32/Agobot-GG

Aliases
Backdoor.Agobot.gen, W32/Gaobot.worm.gen.e, Win32/Agobot.3.NZ, 
W32.HLLW.Gaobot.gen, WORM_AGOBOT.SB

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-GG is an IRC backdoor Trojan and network worm.

W32/Agobot-GG is capable of spreading to computers on the local network 
protected by weak passwords.

When first run W32/Agobot-GG moves itself to the Windows system folder 
as systems.exe.

The worm may also add its pathname to the following registry entries to 
run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

Each time W32/Agobot-GG is run it attempts to connect to a remote IRC 
server and join a specific channel.

W32/Agobot-GG then runs continuously in the background, allowing a 
remote intruder to access and control the computer via IRC channels.

W32/Agobot-GG attempts to terminate selected anti-virus and 
security-related programs.





W32/Sdbot-HL

Aliases
Backdoor.IRCBot.gen, W32/Spybot.worm.gen.a, W32.Randex.gen, 
BKDR_IRCBOT.L

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Sdbot-HL is a worm which attempts to spread to remote network 
shares. It also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels 
while running in the background as a service process.

W32/Sdbot-HL spreads to network shares with weak passwords as a result 
of the backdoor Trojan element receiving the appropriate command from a 
remote user, copying itself to the file CSNT.EXE on the local machine at 
the same time.

W32/Sdbot-HL copies itself to the Windows system folder as CSRS.EXE and 
creates entries in the registry at the following locations to run itself 
on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Sdbot-HL tries to delete the following registry entries to prevent 
the associated programs from running on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\pccclient.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\pccguide.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\pop3trap.exe

W32/Sdbot-HL sets the following registry entry in an attempt to disable 
the use of registry tools:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools = "1"





W32/Agobot-FZ

Aliases
Backdoor.Agobot.kt, W32/Gaobot.worm.gen.j

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Agobot-FZ is an IRC backdoor Trojan and network worm.

W32/Agobot-FZ is capable of spreading to computers on the local network 
protected by weak passwords.

When first run W32/Agobot-FZ copies itself to the Windows system folder 
as msdtc32.exe and creates the following registry entries to run itself 
on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Video Device Loader = msdtc32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Video Device Loader = msdtcc32.exe

Each time W32/Agobot-FZ is run it attempts to connect to a remote IRC 
server and join a specific channel.

W32/Agobot-FZ then runs continuously in the background, allowing a 
remote intruder to access and control the computer via IRC channels.

W32/Agobot-FZ attempts to terminate and disable various anti-virus and 
security-related programs.





Troj/Webber-H

Aliases
TrojanDownloader.Win32.Small.hg, Trojan.Download.Berbew, Downloader-DI 
trojan, Downloader-DI!zip

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/Webber-H is a two component backdoor Trojan.

The downloader component of the Trojan appears to have been mass mailed 
out.

When run the Trojan downloads a remote file to C:\windows\usermade.exe 
and executes it.

The downloaded component is a password stealing Trojan that attempts to 
extract sensitive information from several locations on the system and 
sends it to a remote computer.

The downloaded component copies itself as a file with a random name into 
the Windows system folder and drops and executes a DLL file, also with a 
random name, that runs the copy of the Trojan.

In order to be started automatically the Trojan creates the following 
registry entries:

HKLM\Software\CLASSES\CLSID\{79FB9088-19CE-715D-D900-216290C5B738}\InProcServer32

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger

Troj/Webber-H also sets the following Microsoft Internet Explorer 
related registry entries to prompt the user into entering passwords:

HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords
HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask
HKCU\Software\Microsoft\Internet Explorer\Main\Use FormSuggest

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
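As an added defender-side example (not from Sophos and not part of the original post): a PowerShell hunt script that checks a Windows host for the Run/RunServices value names, dropped files, policy changes, hosts-file redirection and port 6000 listener named in the descriptions above. The folder locations, the use of Get-NetTCPConnection, and treating any non-localhost name mapped to 127.0.0.1 as suspect are my assumptions.

```powershell
# Added hunt script for the indicators quoted in the Sophos descriptions above.
# Assumes it runs elevated on the Windows host being checked (Windows 8+ for
# Get-NetTCPConnection). A non-empty result means "investigate", not "infected".
$findings = @()

# Run/RunServices value names quoted for Agobot-GP/FZ, Lovgate-V and Loony-E.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$badValueNames = @('Updater Service Process','Video Device Loader','Hardware Profile',
  'Microsoft NetMeeting Associates, Inc.','Protected Storage','VFW Encoder/Decoder Settings',
  'WinHelp','Program In Windows','SystemTra','svshostdriver')
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($name in $badValueNames) {
    $p = $props.PSObject.Properties[$name]           # null when the value is absent
    if ($p) { $findings += "Run value: $key\$name = $($p.Value)" }
  }
}

# Dropped files named in the descriptions (system folder, Windows folder, root).
$sys = [Environment]::GetFolderPath('System'); $win = $env:SystemRoot
$dropped = @('csrss32.exe','systems.exe','msdtc32.exe','CSRS.EXE','SVSHOST.EXE','WinHelp.exe',
  'kernel66.dll','ravmond.exe','msjdbc11.dll','mssign30.dll','odbc16.dll','NetManager.exe') |
  ForEach-Object { Join-Path $sys $_ }
$dropped += (Join-Path $win 'systra.exe'), 'C:\Netlog.txt', 'C:\command.exe'
foreach ($f in $dropped) { if (Test-Path $f) { $findings += "File present: $f" } }

# Policy entry set by Sdbot-HL and the SSODL entry created by Webber-H.
$pol = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRegistryTools -eq 1) { $findings += 'DisableRegistryTools = 1' }
$ssodl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' -ErrorAction SilentlyContinue
if ($ssodl -and $ssodl.PSObject.Properties['Web Event Logger']) { $findings += 'SSODL: Web Event Logger' }

# Hosts-file redirection (Agobot-GP): any name other than localhost mapped to 127.0.0.1.
$hosts = Join-Path $sys 'drivers\etc\hosts'
Get-Content $hosts -ErrorAction SilentlyContinue | ForEach-Object {
  $t = ($_ -replace '#.*$', '').Trim() -split '\s+'   # strip comments, split on whitespace
  if ($t.Count -ge 2 -and $t[0] -eq '127.0.0.1' -and $t[1] -notmatch '^localhost') {
    $findings += "hosts redirect: $($t[1])"
  }
}

# Lovgate-V logging thread listens on TCP 6000.
if (Get-NetTCPConnection -State Listen -LocalPort 6000 -ErrorAction SilentlyContinue) {
  $findings += 'TCP 6000 listening'
}
$findings
```

Each finding is a plain string so the output can be piped to a file or a SIEM forwarder; a hit on a generic name such as WinHelp.exe should be confirmed by hash or signature before acting.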
