echo: virus_info
to: ALL
from: KURT WISMER
date: 2004-02-14 16:51:00
subject: News

[cut-n-paste from sophos.com]

Troj/Pinbol-A

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Pinbol-A is an IRC backdoor Trojan.

When Troj/Pinbol-A is first executed a copy is created in the Windows 
folder with the filename smvc32.exe and the following registry entry is 
created so that the Trojan is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SMVC = smvc32.exe

Troj/Pinbol-A connects to a channel on a remote IRC server enabling an 
attacker to gain unauthorised access to the victim's machine.

Troj/Pinbol-A will store email addresses harvested from the victim's 
computer in the file C:\cyclop.bin and periodically email this 
information to the attacker.

A proxy server is set up on a random port number which is stored in the 
registry at HKCU\Software\socks.

The following registry entry will also be created by the Trojan:
HKCU\Software\magic = 666.

W32/DoomHunt-A

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/DoomHunt-A is a worm which spreads to computers infected with the 
W32/MyDoom-A and W32/MyDoom-B worms and terminates processes and removes 
files associated with these worms.

W32/DoomHunt-A listens for connections on port 3127. If a connection is 
made the worm sends back a copy of itself to be executed on the remote 
computer.

When run the worm copies itself to the Windows system folder using the 
filename worm.exe and creates the following registry entry to ensure it 
is run at system logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME

W32/DoomHunt-A will terminate the following processes:

SHIMGAPI.DLL
CTFMON.DLL
REGEDIT.EXE
TEEKIDS.EXE
MSBLAST.EXE
EXPLORER.EXE
TASKMON.EXE
INTRENAT.EXE

and deletes the following files:

SHIMGAPI.DLL
CTFMON.DLL
REGEDIT.EXE
TEEKIDS.EXE
MSBLAST.EXE
EXPLORER.EXE
TASKMON.EXE
INTRENAT.EXE

W32/Wukill-B

Aliases
I-Worm.Rays, Win32/Wukill.B, W32.Wullik.B@mm, WORM_WUKILL.B

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Wukill-B is an internet worm which can email itself to contacts 
found in the Microsoft Outlook address book.

The worm copies itself to the Windows folder as MSTRAY.EXE and creates 
the following registry entry so that MSTRAY.EXE is run automatically 
each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RavTimeXP = \MSTRAY.EXE

The worm may copy itself to the A: floppy drive as Winkill.exe and may 
also copy itself to the following folders using random filenames 
consisting of 1-5 characters B-Z with an extension of EXE:

\System
\Web
\Fonts
\Temp
\Help

W32/Wukill-B may also drop a harmless data file called 
\Winfile.ini and COMMENT.HTT and DESKTOP.INI as hidden, system 
files in the root folder.

This worm may display the message "Warning. This File Has Been Damage!" 
upon execution.

W32/Wukill-B may open the File Manager application when executed on the 
28th of the month.

W32/Doomjuice-A

Aliases
W32/Doomjuice.worm.a, W32.HLLW.Doomjuice, WORM_DOOMJUICE.A, 
Win32.Doomjuice.A, Worm.Win32.Doomjuice

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Doomjuice-A is a worm which spreads by exploiting a backdoor 
installed by W32/MyDoom-A.

The worm creates a copy of itself named intrenat.exe in the Windows 
system folder and creates the following registry entry to ensure that 
the copy is run when Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin = \intrenat.exe

The worm also creates a file named sync-src-1.00.tbz in the root, 
Windows, Windows system and user profile folders. Sync-src-1.00.tbz is 
a compressed archive containing source code of W32/MyDoom-A.

Source code dropped by the W32/Doomjuice-A worm

W32/Doomjuice-A will contact computers infected with W32/MyDoom-A by 
attempting to connect to port 3127 of randomly chosen IP addresses. If 
the worm contacts a computer infected with W32/MyDoom-A a copy of 
W32/Doomjuice-A will be transferred to the computer and executed.

On 9th February and any date thereafter the worm will wait for between 
2 and 6 minutes and then attempt a distributed denial of service (DDoS) 
attack against www.microsoft.com.

Troj/Myss-C

Aliases
TrojanDownloader.Win32.Donn.r, Downloader-DS

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Myss-C is a simple Trojan that overwrites the file 
Windows\Hosts.sam under Windows 95/98/Me, and 
Windows\System32\Drivers\etc\hosts under Windows NT/2000/XP based 
systems with '127.0.0.1 localhost'.

Troj/Myss-C will then attempt to download and run the file Sys.exe from 
http://teens3.com/dialler/new2/1/m121689.mpg.

--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
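The write-ups above each name a Run-key value used for persistence (SMVC, DELETE ME, RavTimeXP, Gremlin) and, for Troj/Pinbol-A, the HKCU\Software\magic = 666 marker. One defender-side use of those indicators is to check them offline against a registry export; the script below is an added example, not code from the post or from Sophos, and the .reg text it scans is a constructed sample.

```python
"""Scan a Windows .reg export for the autorun and marker registry entries that the
Sophos write-ups above attribute to Pinbol-A, DoomHunt-A, Wukill-B and Doomjuice-A."""
import re
HKLM_RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
HKCU_RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
# (key, value name) -> (family, expected data); None where the post gives no fixed data.
INDICATORS = {
    (HKLM_RUN, "smvc"): ("Troj/Pinbol-A", "smvc32.exe"),
    (r"hkey_current_user\software", "magic"): ("Troj/Pinbol-A", 666),
    (HKCU_RUN, "delete me"): ("W32/DoomHunt-A", None),
    (HKLM_RUN, "ravtimexp"): ("W32/Wukill-B", None),  # data ends in \MSTRAY.EXE
    (HKLM_RUN, "gremlin"): ("W32/Doomjuice-A", None),  # data ends in \intrenat.exe
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')

def decode(raw):
    """Convert .reg value data: "text" -> unescaped str, dword:hex -> int, else raw."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw

def parse_reg(text):
    """Yield (key, name, data) per value line (real exports are UTF-16 text)."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := VAL_RE.match(line)) and key is not None:
            yield key, m.group(1), decode(m.group(2))

def scan_reg(text):
    """Return [(family, key, name, data)] for values that match INDICATORS."""
    hits = []
    for key, name, data in parse_reg(text):
        match = INDICATORS.get((key.lower(), name.lower()))
        if match and (match[1] is None or str(data).lower() == str(match[1]).lower()):
            hits.append((match[0], key, name, data))
    return hits

# Constructed sample export: one benign Run value plus three entries named in the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jusched.exe"
"SMVC"="smvc32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DELETE ME"="C:\\WINDOWS\\system32\\worm.exe"
[HKEY_CURRENT_USER\Software]
"magic"=dword:0000029a
'''
```

Export the keys with `regedit /e` and open the resulting file with `encoding="utf-16"` before passing its text to `scan_reg`.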

SOURCE: echomail via fidonet.ozzmosis.com