echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2004-09-06 13:26:00
subject: News, Sept. 6 2004

[cut-n-paste from sophos.com]

Name   W32/Rbot-FL

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Backdoor.Rbot.gen
    * Sdbot.worm.gen.x

Prevalence (1-5) 2

Description
W32/Rbot-FL is a network worm and backdoor Trojan for the Windows 
platform.

W32/Rbot-FL spreads to unpatched machines affected by the 
vulnerabilities detailed in Microsoft Advisories 01-059, 03-007, 
03-026, and 04-011.

Advanced
W32/Rbot-FL is a network worm and backdoor Trojan for the Windows 
platform.

W32/Rbot-FL allows a malicious user remote access to an infected 
computer.

The worm copies itself to a file named C:\ati2vid.exe and creates 
registry entries to run itself on startup under:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\rxres32
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\rxres32
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\rxres32

W32/Rbot-FL spreads using a variety of techniques including exploiting 
weak passwords on computers and SQL servers, exploiting operating system 
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using 
backdoors opened by other worms or Trojans.

W32/Rbot-FL can be controlled by a remote attacker over IRC channels. 
The infected computer can be used to perform any of the following 
functions:

Proxy server (SOCKS4)
FTP server
HTTP server
SMTP server
File system Manipulation
Port scanner
DDoS floods (TCP,UDP,SYN)
Remote shell (RLOGIN)
Packet sniffer
Key logger

Patches for the operating system vulnerabilities exploited by 
W32/Rbot-FL can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletins/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletins/ms03-026.mspx
http://www.microsoft.com/technet/security/bulletins/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletins/ms01-059.mspx





Name   W32/Rbot-CZ

Type  
    * Worm

Aliases  
    * W32/Sdbot.worm.gen.h

Prevalence (1-5) 2

Description
W32/Rbot-CZ is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-CZ spreads to network shares with weak passwords and via 
network security exploits as a result of the backdoor Trojan element 
receiving the appropriate command from a remote user.

W32/Rbot-CZ copies itself to the Windows system folder as WINSYS32.EXE 
and creates entries at the following locations in the registry so as to 
run itself on system startup, trying to reset them every minute:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-CZ sets the following registry entries, trying to reset them 
every 2 minutes.

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-CZ tries to delete the C$, D$, E$, IPC$ and ADMIN$ network 
shares on the host computer every 2 minutes.

W32/Rbot-CZ attempts to terminate certain processes related to 
anti-virus and security programs including REGEDIT.EXE, MSCONFIG.EXE and 
NETSTAT.EXE.





Name   W32/Forbot-C

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Wootbot.c
    * W32/Sdbot.worm.gen.h

Prevalence (1-5) 2

Description
W32/Forbot-C is a worm which attempts to spread to remote network shares. 
The worm also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels 
while running in the background as a service process.

Advanced
W32/Forbot-C is a worm which attempts to spread to remote network shares. 
The worm also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels 
while running in the background as a service process.

W32/Forbot-C moves itself to the Windows system folder as winitr32.exe 
and creates the following registry entries to run itself on system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 Wmls Driver = winitr32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 Wmls Driver = winitr32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32 Wmls Driver = winitr32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 Wmls Driver = winitr32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 Wmls Driver = winitr32.exe

W32/Forbot-C attempts to spread to network machines using various 
exploits including the LSASS vulnerability (please see MS04-011).

W32/Forbot-C attempts to terminate several processes related to 
anti-virus and security related software.





Name   W32/Rbot-IE

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Rbot.gen
    * W32/Sdbot.worm.gen.j
    * WORM_RBOT_JP

Prevalence (1-5) 2

Description
W32/Rbot-IE is a worm which attempts to spread to remote network shares 
and allows unauthorised remote access to the computer via IRC channels.

Advanced
W32/Rbot-IE is a worm which attempts to spread to remote network shares 
and allows unauthorised remote access to the computer via IRC channels.

W32/Rbot-IE spreads to network shares with weak passwords and via 
network security exploits as a result of the backdoor Trojan element 
receiving the appropriate command from a remote user.

W32/Rbot-IE copies itself to the file mswctl32.exe in the Windows system 
folder and creates entries at the following locations in the registry so 
that the worm is run when a user logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Control = mswctl32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows Control = mswctl32.exe





Name   W32/Rbot-KO

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Rbot-KO is a worm of the Rbot family which attempts to spread to 
remote network shares. It also contains backdoor Trojan functionality 
allowing unauthorised remote access to the infected computer via IRC 
channels while running in the background as a service process.

Advanced
W32/Rbot-KO is a worm of the Rbot family which attempts to spread to 
remote network shares. It also contains backdoor Trojan functionality 
allowing unauthorised remote access to the infected computer via IRC 
channels while running in the background as a service process.

W32/Rbot-KO spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate commands from a 
remote user via an IRC channel.

W32/Rbot-KO copies itself to the Windows system folder as slserv32.exe 
and creates entries in the registry at the following locations to run 
itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Service = \slserv32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Service = \slserv32.exe

HKCU\Software\Microsoft\OLE\
Windows Service = \slserv32.exe

W32/Rbot-KO also spreads by scanning for and exploiting various 
vulnerabilities such as RPC/DCOM, LSASS, SUB7 etc.

To avoid detection the worm will terminate various AntiVirus and 
security related processes.





Name   W32/Rbot-IA

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.Pakes

Prevalence (1-5) 2

Description
W32/Rbot-IA is a network worm with backdoor capabilities.

W32/Rbot-IA connects to an IRC server and awaits commands from a remote 
attacker.

W32/Rbot-IA spreads by exploiting the Universal PNP (MS01-059), WebDav 
(MS03-007), RPC/DCOM (MS03-026, MS04-012), LSASS (MS04-011) and DameWare 
(CAN-2003-1030) vulnerabilities.

Advanced
W32/Rbot-IA is a network worm with IRC backdoor functionality.

In order to run automatically when Windows starts up the worm copies 
itself to the file winxp43.exe in the Windows system folder.

Once installed, W32/Rbot-IA connects to a preconfigured IRC server, 
joins a channel and awaits further instructions. These instructions can 
cause the bot to perform any of the following actions:

flood a specified host with UDP, TCP, SYN, ICMP or ping packets
start a webserver offering the contents of the local drive
start a socks4 proxy server
redirect TCP connections
start a TFTP server
start a command shell server
search for product keys
download and install an updated version of itself
show statistics about the infected system
kill antivirus and security processes
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable machines
start a keylogger
close down vulnerable services in order to secure the machine

The worm spreads to machines affected by known vulnerabilities, running 
the network services protected by weak passwords or infected by common 
backdoor Trojans.

Vulnerabilities:

Universal PNP (MS01-059)
WebDav (MS03-007)
RPC DCOM (MS03-026, MS04-012)
LSASS (MS04-011)
DameWare (CAN-2003-1030)

Services:

NetBios
NTPass
MS SQL

Backdoors:

Troj/Kuang
Troj/Optix
Troj/NetDevil
W32/Bagle
Troj/Sub7

W32/Rbot-IA creates or modifies the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Machine = "winxp43.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Machine = "winxp43.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Machine = "winxp43.exe"

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 00000001
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 00000001

The worm terminates the following processes

regedit.exe
msconfig.exe
netstat.exe
msblast.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
wincfg32.exetaskmon.exe (sic)
PandaAVEngine.exe
sysinfo.exe
mscvb32.exe
MSBLAST.exe
teekids.exe
Penis32.exe
bbeagle.exe
SysMonXP.exe
winupd.exe
winsys.exe
ssate.exe
rate.exe
d3dupdate.exe
irun4.exe
i11r54n4.exe

W32/Rbot-IA searches for product keys for the following software:

Counter-Strike (Retail)
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Legends of Might and Magic
Soldiers of Anarchy
Microsoft Windows
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road to Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Generals (Zero Hour)
James Bond 007: Nightfire
Command and Conquer: Generals
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need for Speed Hot Pursuit 2
Need for Speed: Underground
Shogun: Total War: Warlord Edition
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
NOX
Chrome
Hidden & Dangerous
Soldier of Fortune II - Double Helix
Neverwinter Nights
Neverwinter Nights (Shadows of Undrentide)
Neverwinter Nights (Hordes of the Underdark)





Name   W32/Forbot-M

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Agobot.vf

Prevalence (1-5) 2

Description
W32/Forbot-M is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

Advanced
W32/Forbot-M copies itself to the Windows system folder as winusb32.exe 
and creates entries in the registry at the following locations so as to 
run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 USB 
Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB Driver

W32/Forbot-M also creates its own service named "irc.name", with the 
display name "Win32 USB Driver".

W32/Forbot-M attempts to terminate several processes related to security 
and anti-virus programs.

W32/Forbot-M attempts to spread to network machines using various 
exploits including the LSASS vulnerability (see Microsoft security 
bulletin MS04-011).





Name   W32/Rbot-HU

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Rbot.bh
    * W32/Sdbot.worm.gen.h

Prevalence (1-5) 2

Description
W32/Rbot-HU is a worm which attempts to spread to remote network shares 
and allows unauthorised remote access to the computer via IRC channels.

Advanced
W32/Rbot-HU is a worm which attempts to spread to remote network shares 
and allows unauthorised remote access to the computer via IRC channels.

W32/Rbot-HU spreads to network shares with weak passwords and via 
network security exploits as a result of the backdoor Trojan element 
receiving the appropriate command from a remote user.

W32/Rbot-HU copies itself to the file servicz.exe in the Windows system 
folder and creates entries at the following locations in the registry so 
that the worm is run when a user logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Update Machine = servicz.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Update Machine = servicz.exe

The following registry entries are also created:

HKLM\Software\Microsoft\OLE
Microsoft Update Machine = servicz.exe
HKCU\Software\Microsoft\OLE
Microsoft Update Machine = servicz.exe





Name   W32/Rbot-MG

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-MG is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

Advanced
W32/Rbot-MG is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-MG spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-MG moves itself to the Windows system folder as WINu32.EXE and 
creates entries in the registry at the following locations to run on 
system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
update service = svxhost.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
update service = svxhost.exe

The following registry entries are also created:

HKCU\Software\Microsoft\OLE\
update service = svxhost.exe





Name   W32/Rbot-HT

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Rbot.gen
    * W32/Sdbot.worm.gen.h

Prevalence (1-5) 2

Description
W32/Rbot-HT is an IRC backdoor Trojan and network worm which can copy 
itself into shared network folders.

W32/Rbot-HT will establish a connection to a remote server to allow an 
intruder access to the compromised computer.

Advanced
W32/Rbot-HT is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-HT spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-HT moves itself to the Windows system folder under a random 
filename and creates registry entries at the following locations so as 
to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
nvviddrv32


HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
nvviddrv32






Name   W32/Bagle-AT

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * I-Worm.Bagle.an
    * W32/Bagle.at{at}MM

Prevalence (1-5) 2

Description
W32/Bagle-AT is a worm which spreads using email and shared folders.
The worm forges the sender address of the email.

W32/Bagle-AT avoids sending email to addresses which may be anti-virus or
security related.

Email sent by the worm has the following characteristics:
Subject line : foto
Message text : foto
Attached file : fotos.zip

The attached file contains Troj/BagleDl-A.

Advanced
W32/Bagle-AT is a worm which spreads using email and shared folders.
The worm forges the sender address of the email.

W32/Bagle-AT avoids sending email to addresses which contain any of the 
following strings:
{at}eerswqe
{at}derewrdgrs
{at}microsoft
rating{at}
f-secur
news
update
anyone{at}
bugs{at}
contract{at}
feste
gold-certs{at}
help{at}
info{at}
nobody{at}
noone{at}
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
{at}foo
{at}iana
free-av
{at}messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
{at}avp.
noreply
local
root{at}
postmaster{at}

Email sent by the worm has the following characteristics:
Subject line : foto
Message text : foto
Attached file : fotos.zip

The attached file contains Troj/BagleDl-A.

The worm harvests email addresses from the files with the following 
extensions:

WAB
TXT
MSG
HTM
SHTM
STM
XML
DBX
MBX
MDX
EML
NCH
MMF
ODS
CFG
ASP
PHP
PL
WSH
ADB
TBB
SHT
XLS
OFT
UIN
CGI
MHT
DHTM
JSP

When run the worm will create copies of itself named windll.exe, 
windll.exeopen and windll.exeopenopen in the Windows system folder.

The worm adds the registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n
erthgdr
\windll.exe

The worm will remove the registry entry if it is run after 2 September 
2004.

W32/Bagle-AT copies itself to any folder with the string 'shar' in its 
name using the following filenames:

Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

W32/Bagle-AT deletes the following entries from the registry under
HKLM\Software\Microsoft\Windows\CurrentVersion\Ru1n
and
HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n :

My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net





Name   W32/Rbot-HR

Type  
    * Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Rbot-HR is a network worm and backdoor Trojan for the Windows 
platform.

W32/Rbot-HR allows a malicious user remote access to an infected 
computer.

Advanced
W32/Rbot-HR is a network worm and backdoor Trojan for the Windows 
platform.

W32/Rbot-HR allows a malicious user remote access to an infected 
computer.

The worm copies itself to winusb.exe in the Windows system folder and 
creates the following registry entries to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows USB controler = winusb.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows USB controler = winusb.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows USB controler = winusb.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows USB controler = winusb.exe

W32/Rbot-HR spreads using a variety of techniques including exploiting 
weak passwords on computers and SQL servers, exploiting operating system 
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using 
backdoors opened by other worms or Trojans.

W32/Rbot-HR can be controlled by a remote attacker over IRC channels. 
The infected computer can be used to perform any of the following 
functions:

Proxy server (SOCKS4)
FTP server
HTTP server
SMTP server
File system Manipulation
Port scanner
DDoS floods (TCP,UDP,SYN)
Remote shell (RLOGIN)
Packet sniffer
Key logger

Patches for the operating system vulnerabilities exploited by 
W32/Rbot-HR can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx





Name   W32/Rbot-HQ

Type  
    * Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Prevalence (1-5) 2

Description
W32/Rbot-HQ is a network worm and backdoor Trojan for the Windows 
platform.

W32/Rbot-HQ allows a malicious user remote access to an infected 
computer.

Advanced
W32/Rbot-HQ is a network worm and backdoor Trojan for the Windows 
platform. W32/Rbot-HQ allows a malicious user remote access to an 
infected computer.

The worm copies itself to mscnsz.exe in the Windows system folder and 
creates the following registry entries to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft Time Manager = "dveldr.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Time Manager = "dveldr.exe"

The worm creates an additional registry entry under:

HKCU\Software\Microsoft\OLE\
Microsoft Time Manager = "dveldr.exe"

W32/Rbot-HQ spreads using a variety of techniques including exploiting 
weak passwords on computers and SQL servers, exploiting operating system 
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using 
backdoors opened by other worms or Trojans.

W32/Rbot-HQ can be controlled by a remote attacker over IRC channels. 
The infected computer can be used to perform any of the following 
functions:

Proxy server (SOCKS4)
FTP server
HTTP server
SMTP server
File system Manipulation
Port scanner
DDoS floods (TCP,UDP,SYN)
Remote shell (RLOGIN)
Packet sniffer
Key logger

Patches for the operating system vulnerabilities exploited by
W32/Rbot-HQ can be obtained from Microsoft at:

MS04-011
MS03-026
MS03-007
MS01-059





Name   Troj/BagleDl-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * W32/Bagle.dll.dr
    * Glieder.H
    * Glieder.I

Prevalence (1-5) 4

Description
Troj/BagleDl-A is a downloader Trojan. The Trojan attempts to download 
and execute a file named b.jpg from 131 separate websites.

Advanced
Troj/BagleDl-A is a downloader Trojan. The Trojan attempts to download 
and execute a file named b.jpg from 131 separate websites.

The Trojan arrives as a ZIP file attached to an email. The ZIP file 
contains two files: foto.html or foto.htm and foto\foto1.exe or 
1\calc.exe.

If the user opens the HTML document it will in turn run the executable.

The executable (foto1.exe or calc.exe) copies itself to the Windows 
system folder as doriot.exe and creates a file named gdqfw.exe, also in 
the Windows system folder.

Doriot.exe injects gdqfw.exe into the process space of explorer.exe. 
Gdqfw.exe then attempts to download b.jpg from 131 separate websites. If 
the download is successful the downloaded file is written to 
_re_file.exe or file.exe in the Windows folder and executed. The Trojan 
repeats the download attempt every 6 hours. At the time of writing the 
file was not available for download from any of the sites used by the 
Trojan.

Doriot.exe adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
wersds.exe = \doriot.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
wersds.exe = \doriot.exe


Gdqfw.exe terminates the following processes:

ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
UPGRADER.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE





Name   W32/Rbot-HO

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Backdoor.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-HO is a worm which attempts to spread to remote network shares 
and contains backdoor Trojan functionality allowing unauthorised remote 
access to the infected computer.

Advanced
W32/Rbot-HO is a worm which attempts to spread to remote
network shares. It also contains backdoor Trojan functionality,
allowing unauthorised remote access to the infected computer
via IRC channels while running in the background as a service
process.

W32/Rbot-HO moves itself to the Windows system folder as
syswin32.exe and creates the following registry entries to
ensure it is run at system logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft WinUpdate = syswin32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft WinUpdate = syswin32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft WinUpdate = syswin32.exe

W32/Rbot-HO spreads to network shares with weak passwords and via
network security exploits.

W32/Rbot-HO will also download and execute remote files on
the infected computer, log key strokes, retrieve information such
as CD keys for various games and flood other computers with network
packets.





Name   W32/Rbot-HI

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Rbot.gen
    * W32/Sdbot.worm.gen.o

Prevalence (1-5) 2

Description
W32/Rbot-HI is a network worm which contains IRC backdoor Trojan 
functionality, allowing unauthorised remote access to the infected 
computer.

Advanced
W32/Rbot-HI is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-HI spreads to network shares with weak passwords and via 
network security exploits as a result of the backdoor Trojan element 
receiving the appropriate command from a remote user.

W32/Rbot-HI copies itself to the Windows system folder as SYSTESMS.EXE 
and creates entries at the following locations in the registry with the 
value Systesms.exe so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-HI may set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-HI may attempt to delete network shares on the host computer.

W32/Rbot-HI may attempt to log the user's keystrokes to a file 
SYSTEMSSS.TXT in the Windows system folder.
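The persistence entries and lockdown values (EnableDCOM = "N", restrictanonymous = 1) that the Rbot descriptions above list can be checked offline against a regedit export. This is an added example, not code from Sophos or from the original post; the export it parses is constructed, the file names it matches are the ones quoted on this page, and the OLE-key check relies on the Rbot-KO/HU/MG/HQ descriptions, which show an autorun value being duplicated under HKCU\Software\Microsoft\OLE.

```python
"""Offline triage of a regedit export (.reg text) for the Rbot/Forbot
persistence and lockdown indicators listed on this page.

Added example, not code from Sophos or from the original post.  The sample
export at the bottom is constructed; the executable names in KNOWN_FILES are
the ones quoted in the descriptions above.
"""
import re
from typing import Dict, List, Tuple

# Executable names quoted in the descriptions on this page.
KNOWN_FILES = {
    "ati2vid.exe", "winsys32.exe", "winitr32.exe", "mswctl32.exe",
    "slserv32.exe", "winxp43.exe", "winusb32.exe", "servicz.exe",
    "svxhost.exe", "windll.exe", "winusb.exe", "dveldr.exe",
    "doriot.exe", "syswin32.exe", "systesms.exe", "_win32.exe",
}

# Autorun locations the descriptions name.  Several Rbot variants also keep
# a copy of their autorun value under the OLE key, which is not an autorun
# location at all, so an .exe there is a useful marker on its own.
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices",
                "\\currentversion\\runonce")
OLE_KEY = "software\\microsoft\\ole"
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def _decode(data: str) -> str:
    """Decode the two value syntaxes used here: "string" and dword:hex."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))
    return data  # hex(...) and other types are left untouched


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key: {value_name: value_data}} with HKLM/HKCU short hive names."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        m = KEY_RE.match(line)
        if m:
            hive, _, rest = m.group(1).partition("\\")
            current = HIVES.get(hive.upper(), hive) + "\\" + rest
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _decode(m.group("data"))
    return keys


def triage(export_text: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for the indicators described on this page."""
    findings: List[Tuple[str, str]] = []
    for key, values in parse_reg_export(export_text).items():
        k = key.lower()
        for name, data in values.items():
            basename = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if k.endswith(AUTORUN_KEYS) and basename in KNOWN_FILES:
                findings.append(("autorun-known-file", f"{key}\\{name} = {data}"))
            elif k.endswith(OLE_KEY) and basename.endswith(".exe"):
                findings.append(("exe-under-ole-key", f"{key}\\{name} = {data}"))
            if k.endswith(OLE_KEY) and name.lower() == "enabledcom" and data.upper() == "N":
                findings.append(("dcom-disabled", key))
            if k.endswith("\\control\\lsa") and name.lower() == "restrictanonymous" and data == "1":
                findings.append(("restrictanonymous-set", key))
    return findings


# Constructed sample export: one legitimate autorun plus the markers an
# Rbot-HQ style infection would leave behind (see the descriptions above).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Time Manager"="dveldr.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Microsoft Time Manager"="dveldr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_EXPORT):
        print(f"{finding:24} {detail}")
```

A real export is produced with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (UTF-16 output; decode it before passing the text in).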





Name   Troj/LegMir-R

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * Trojan.PSW.Lmir.qj
    * PWS-LegMir.dll
    * PWSteal.Lemir.Gen

Prevalence (1-5) 2

Description
Troj/LegMir-R is a password-stealing Trojan.

Advanced
Troj/LegMir-R is a password-stealing Trojan.

When first run Troj/LegMir-R copies itself to the Windows folder as 
_Win32.exe and creates the following registry entry to ensure it is run 
at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinDll32_ = \_Win32.exe

Troj/LegMir-R also creates the helper file _Win32.dll in the Windows 
folder.


 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
