echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2003-09-14 19:07:00
subject: News

[cut-n-paste from sophos.com]

Troj/Backsm-A

Aliases
Backdoor.Small.c, Backdoor.Sdbot

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/Backsm-A is a backdoor Trojan.

When executed the Trojan initiates a background process and attempts to connect
to a remote IRC server and provide unauthorised access to the infected
computer.

Troj/Backsm-A sets the following registry entry in an attempt to run the Trojan
when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"winlogin"=<System>\Winlogin.exe





Troj/Apdoor-A

Aliases
Backdoor.Apdoor.c, CoreFlood trojan, Win32/Apdoor.C, Backdoor.Coreflood.B

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/Apdoor-A is a backdoor Trojan that drops a DLL with a random name into the
Windows temporary folder and executes it.

The Trojan DLL attempts to inject itself into the Program Manager process, then
copies itself and the Trojan EXE into the Windows system or temporary folder
and sets the following registry entry or the corresponding HKCU entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
= 

Troj/Apdoor-A monitors this registry entry and attempts to reset it if the
entry is modified or removed.

Troj/Apdoor-A is typically distributed by a malicious script hosted on a
website. The script will drop a downloader EXE file and run it. The dropped EXE
program drops a DLL into the Windows temporary folder with a random name and
executes it. The dropped DLL attempts to inject itself into the Program Manager
process, copies itself and its dropper EXE into the Windows system or temporary
folder and sets the following HKLM or HKCU registry key:

\Software\Microsoft\Windows\CurrentVersion\Run\
= 

The DLL then attempts to download Troj/Apdoor-A from a predefined website onto
the user's machine and run it.





W32/Blaxe-A

Aliases
Worm.P2P.Blaxe, Win32/Lablan.A, W32.HLLW.Blaxe, WORM_BLAXE.A

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm from
the wild.

Description
W32/Blaxe-A is a worm which spreads via file sharing on P2P networks.

When first run W32/Blaxe-A copies itself to the Windows folder as BearShare.exe
and WinBat.exe and creates the following registry entries so that BearShare.exe
is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\BearShare
= %WINDOWS%BearShare.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BearShare
= %WINDOWS%\BearShare.exe

W32/Blaxe-A adds the pathname of WinBat.exe to the following registry entry so
that WinBat.exe is run each time a MS-DOS batch file is run or opened:

HKLM\Software\CLASSES\batfile\shell\open\command

W32/Blaxe-A creates a sub-folder of the Windows folder named \Kernell\, with
the Hidden attribute set, and copies itself to this folder under a large number
of different filenames.

W32/Blaxe-A makes the %WINDOWS%\Kernell\ folder shareable on KaZaA, Grokster
and iMesh P2P networks by setting the registry entries:

HKCU\Software\Kazaa\LocalContent\dir0 = 012345:C:\WINDOWS\kernell
HKCU\Software\Grokster\LocalContent\dir0 = 012345:C:\WINDOWS\kernell
HKCU\Software\iMesh\Client\LocalContent\dir1 = 012345:C:\WINDOWS\kernell
HKCU\Software\iMesh\Client\LocalContent\dir2 = 012345:C:\WINDOWS\kernell

W32/Blaxe-A also copies itself to the KaZaA, KaZaA Lite, BearShare, Grokster
and Morpheus shared folders, replacing executable files currently in these
folders.





Troj/Eyeveg-A

Aliases
Backdoor.Lorac, BKDR_LORAC.A, Backdoor_AYU

Type
Trojan

Detection
At the time of writing Sophos has received just one report of this Trojan from
the wild.

Description
Troj/Eyeveg-A is a password stealing Trojan and network worm.

Troj/Eyeveg-A attempts to send cached passwords and system information to a
remote location.

Troj/Eyeveg-A spreads to shared drives on the local network, copying itself as
Explore.exe to the startup folder specified in the registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup

When first run, Troj/Eyeveg-A copies itself to the Windows System folder using
a random filename and adds its pathname to the registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

so that it is run automatically each time the computer is started.





OF97/ExeDrop-B

Aliases
TrojanDropper.Macro.AcceV, A97M/AcceV, A2KM_GRYBIRD.DRP

Type
Trojan

Detection
A virus identity (IDE) file which provides protection is available now
from the Latest virus identities section, and will be incorporated into the
October 2003 (3.74) release of Sophos Anti-Virus.

At the time of writing Sophos has received just one report of this Trojan from
the wild.

Description
OF97/ExeDrop-B is a macro that drops and runs Troj/Graybird-A.

OF97/ExeDrop-B requires a double-byte version of Office 2000 (or above) and is
received by being spammed with an Access Database named SEP 2003 POM.mdb.

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
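
An added example, not part of the original post or of the Sophos descriptions: a small Python checker that scans decoded .reg export text for the fixed-name registry indicators listed above for Troj/Backsm-A and W32/Blaxe-A. The function names, the rule table and the sample export are constructed for illustration, and the format of the batfile command value is an assumption.

```python
import re

# Indicators from the descriptions above: (label, literal key suffix,
# value-name regex, data regex); matching is case-insensitive.
RULES = [
    ("Troj/Backsm-A", r"\currentversion\run", r"winlogin", r"\\winlogin\.exe"),
    ("W32/Blaxe-A autostart", r"\currentversion\run", r"bearshare", r"bearshare\.exe"),
    ("W32/Blaxe-A autostart", r"\currentversion\runservices", r"bearshare", r"bearshare\.exe"),
    ("W32/Blaxe-A batfile hook", r"\batfile\shell\open\command", r"@", r"winbat\.exe"),
    ("W32/Blaxe-A P2P share", r"\localcontent", r"dir\d+", r"\\kernell\\?$"),
]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="(.*)"$')  # string values only

def unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for string values in decoded .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def scan(text):
    """Return (label, key, value_name) for every value matching a rule."""
    return [(label, key, name)
            for key, name, data in parse_reg(text)
            for label, suffix, name_re, data_re in RULES
            if key.lower().endswith(suffix)
            and re.fullmatch(name_re, name, re.I)
            and re.search(data_re, data, re.I)]

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogin"="C:\\WINDOWS\\System32\\Winlogin.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BearShare"="C:\\WINDOWS\\BearShare.exe"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="C:\\WINDOWS\\WinBat.exe \"%1\" %*"
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"dir0"="012345:C:\\WINDOWS\\kernell"
"dir1"="012345:C:\\My Shared Folder"
'''
```

Troj/Apdoor-A and Troj/Eyeveg-A are described as using random file names, so no fixed-name rule is given for them here; their Run entries have to be reviewed by where the data points (the Windows system or temporary folder).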

SOURCE: echomail via fidonet.ozzmosis.com
