echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2004-01-03 14:45:00
subject: News

[cut-n-paste from sophos.com]

Troj/Tofger-L

Aliases
TrojanDropper.Win32.Small.dd, Backdoor.Tofger

Type
Trojan

Detection
At the time of writing Sophos has received no reports from users 
affected by this Trojan. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
Troj/Tofger-L is a keylogging Trojan.

In order to run automatically when Windows starts up Troj/Tofger-L copies 
itself to the file SURTE.EXE in the Windows folder and adds the following 
registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Online Service

The Trojan also drops a utility library file MSTO32.DLL (detected as 
Troj/Tofger-C) and creates the text file SYSINI.INI in the Windows 
folder.

When Troj/Tofger-L detects an active internet connection it captures 
keystrokes typed into Internet Explorer and sends the information to a 
remote internet address.





W32/Opaserv-S

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Opaserv-S is a worm that spreads on Windows shares exploiting a 
weakness available on unpatched Win95/98 based systems.

In order to run automatically when Windows starts up the worm copies 
itself to the file natal!.pif in the Windows folder and adds the 
following registry entry pointing to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\4wd!!!

The worm also creates the log files natlog, natlog2, natsout.gay and 
natsin.gay in the Windows folder.

W32/Opaserv-S attempts to access remote websites to register itself and 
attempts to download and execute files from several sites probably to 
update itself. The websites used by the worm are not available at the 
time of writing.

The worm attempts to infect remote computers by scanning local subnets 
for vulnerable systems, copying itself across to the file 
C:\Windows\natal!.pif and by replacing the file win.ini on the remote 
machine with a version that starts the worm automatically when Windows 
boots up.

The worm temporarily creates the text file C:\lammer!.





W32/Bodiru-A

Aliases
W32.HLLW.Bodiru, PE_Bodiru.A

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Bodiru-A is a worm that uses peer-to-peer networks to spread. When 
run, the worm creates a large number of copies of itself in the Incoming 
folders of the popular peer-to-peer file sharing networks KaZaA, Kazaa 
Lite K++, Edonkey2000 and Emule.


W32/Bodiru-A uses the following filenames:

ACDSee 5.5.exe
AOL Instant Messenger Crasher.exe
AVP Antivirus Pro Key Crack.exe
Adobe_Keyge.exe
Age of Empires 2 crack.exe
Aim bot ut3.exe
All Microsoft Products CD Key Generator.exe
All Norton Antivirus KEys!.exe
Ana Kournikova Sex Video (downloader).exe
Animated Screen 7.exe
Any Nick Name Msn 6.0.exe
Aol_cracker.exe
AquaNox2 Crack.exe
Audiograbber 2.05.exe
BabeFest 2003 ScreenSaver 1.6.exe
Battlefield1942_bloodpatch.exe
Battlefield1942_keygen.exe
Britney Spears Sex Video.exe
Buffy Vampire Slayer Movie.exe
BurnDvds.exe
Business Card Designer Plus 7.9.exe
Clone CD 5.0.0.3 (crack).exe
Clone CD 5.0.0.3.exe
Cool Edit Pro v2.55.exe
Counter Strike - See Through Walls.exe
Crack Passwords Mail.exe
Credit Card Numbers generator(incl Visa,MasterCard).exe
Credit_Card_Numbers_generator.exe
DVD Copy Plus v5.0.exe
DVD Region-Free 2.3.exe
Darkness_Krew.exe
DeadAim 4.0 KeyGen.exe
Diablo 3 Crack.exe
Diablo_2_Crack.exe
DirectDVD 5.0.exe
DirectX Buster (all versions).exe
DivX Video Bundle 6.5.exe
Divx_Pro_5.1_Serial.exe
Divx_pro (FINAL!).exe
Doom III (Cd KEys).exe
Download Accelerator Plus 6.1.exe
Dvd_Plus_Crack.exe
Dvd_Ripper(The Best 04).exe
Dvd_To_Vcd.exe
Easy_Dvd_Ripper.exe
Easy_Dvd_creator_Crack.exe
Edonkey2000-Speed me up scotty.exe
FIFA2003 crack.exe
Fifa 2004 (Cd Crack).exe
Final Fantasy VII XP Patch 1.5.exe
Flash MX crack (trial).exe
FlashGet 1.5.exe
FreeRAM XP Pro 1.9.exe
GTA 3 Crack.exe
GTA 3 Serial.exe
Game Cube Real Emulator.exe
GetRight 5.0a.exe
Gothic2 licence.exe
Guitar Chords Library 5.5.exe
Hack Any Kazaa User.exe
Hack The School.exe
Hack Website Easy.exe
Hacker_The_LoveStory.exe
Half Life 2 (Cd Crack).exe
Half Life 2 (cd Keys).exe
Harry potter2 Crack.exe
Hitman_2_no_cd_crack.exe
Hotmail Hacker Gold (All Msn Versions!).exe
Hotmail_Hacker_2003-Xss_Exploit.exe
Ip Nuker V6 (Reall Works).exe
KaZaA Hack 2.5.0.exe
KaZaA Speedup 3.6.exe
KaZaA-Hack_2.5.0.exe
Kazaa Lite )FINALL!(.exe
Kazaa SDK + Xbit speedUp for 2.xx.exe
LYNDEN.exe
Links 2003 Golf game (crack).exe
Living Waterfalls 1.3.exe
Love.exe
MSN Password Hacker 5.7 (worked on my ex-girlfriend!).exe
MWorld Of Warcraft (FULL) Installer and Downloader.exe
Macromedia product keys.exe
Macromedia_Keygen.exe
Mafia_crack.exe
Mail Bomber For msn messsenger 6.0.exe
Matrix Screensaver 1.5.exe
Mcafee Antivirus Scan Crack.exe
MediaPlayer Update.exe
Messenger Plus Latest!.exe
Microsoft .NET hack.exe
Microsoft KeyGenerator-Allmost all microsoft stuff.exe
Msn 6.0 (Multi Messenger).exe
Msn 6.0 Crasher!.exe
Msn 6.0 Kicker.exe
Msn 6.0 Password Cracker.exe
Msn Emotions (Version 6.0).exe
Msn Emotions (Version 6.1).exe
Msn Ip Finder 2004.exe
Msn Messenger 6.0 Bomber!.exe
Msn Messenger Betta 6.2.exe
Music Download 2003 (Full Albums).exe
NBA2003_crack.exe
Need 4 Speed crack.exe
Nero_Burning_Rom_Crack.exe
Netbios Nuker 2003.exe
Netbios Nuker 2004.exe
Netfast 1.8.exe
Network Cable e ADSL Speed 2.0.5.exe
Nimo CodecPack (new) 8.0.exe
Nimo_Codec_PackUpdater.exe
Norton Anvirus Key Crack.exe
PS2 PlayStation Simulator.exe
PalTalk 5.01b.exe
Panda Antivirus Titanium Crack.exe
Pop-Up Stopper 3.5.exe
Popup Defender 6.5.exe
Ps2 Real Emulator.exe
Quake 3 Keygen (works Great).exe
Quake3 - See through wallz.exe
Quick Time Key Crack.exe
QuickTime_Pro_Crack.exe
Real Sex Toys!.exe
Screen saver christina aguilera naked.exe
Security-2003-Update.exe
Serials 2003 v.8.0 Full.exe
Serials 2004 v.8.0 Full.exe
SmartFTP 2.0.0.exe
SmartRipper v2.7.exe
Space Invaders 1978.exe
Splinter_Cell_Crack.exe
Starcraft serials.exe
Stripping MP3 dancer+crack.exe
Sub 7 2.9.exe
Trillian 0.85 (free).exe
TweakAll 3.8.exe
UT2003_bloodpatch.exe
UT2003_keygen.exe
UT2003_no cd (crack).exe
UT2003_patch.exe
Unreal Tournament 2003 (Cd Crack).exe
Unreal Tournament 2003 (Cd KEys).exe
Unreal2_bloodpatch.exe
Unreal2_crack.exe
VB6.exe
Visual Basic (ALL KEYS GEN).exe
Visual Basic 6.0 Msdn Plugin.exe
Visual Basic Decompiler.exe
WarCraft_3_crack.exe
WinOnCD 4 PE_crack.exe
WinRar 3.xx Password Cracker.exe
WinZip 9.0b (CRACK).exe
WinZip 9.0b.exe
WinZipped Visual C++ Tutorial.exe
WindowBlinds_4.0.exe
Windows XP complete + serial.exe
Windows Xp Exploit.exe
Winzip KeyGenerator Crack.exe
XNuker 2003 2.93b.exe
XNuker_2003_2.93b.exe
Xvid_Codec_Installer.exe
Yahoo Account Stealer.exe
Yahoo Messenger 6.0.exe
Zelda Classic 2.00.exe
aol password cracker.exe
cable modem ultility pack.exe
cable modem.exe
counter-strike.exe
mIRC 6.40.exe
pamela_anderson.exe
play station emulator.exe
serials2000.exe
warcraft 3 crack (Really Works).exe
warcraft 3 serials.exe
winamp plugin pack.exe
winzip full version key generator.exe

The worm may drop and run a batch file c:\dllsystemhelp.bat. The script 
contains instructions to enable sharing of the local drives.


W32/Bodiru-A creates the following registry value so that the worm file 
is run during the Windows startup process:


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\App.EXEName


W32/Bodiru-A attempts to infect the following files:

C:\Program Files\WinZip\WINZIP32.EXE
C:\Program Files\Norton AntiVirus\Navw32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\Wscript.exe
C:\Windows\Rundll.exe
C:\Windows\Rundll32.exe
C:\winnt\Regedit.exe
C:\Windows\System\Underwater.scr
C:\windows\Regedit.exe
C:\winnt\system32/Regedit.exe

The infection routine incorrectly infects files so that they become 
corrupt.


W32/Bodiru-A launches a denial-of-service attack against symantec.com 
and mess.be using ICMP ping flooding, sending large packets to the 
destination.


The worm attempts to terminate processes related to anti-virus and 
security software using this list:

_AVP.EXE
_AVP32.EXE
_AVPM.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPMON.EXE
AVPNT.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CCAPP.EXE
CFIADMIN.EXE
ESAFE.EXE
CFIAUDIT.EXE
CFIND.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLAW95CT.EXE
CLEANER.EXE
CLEANER3.EXE
DV95.EXE
DV95_O.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
EFINET32.EXE
ESPWATCH.EXE
F-AGNT95.EXE
FINDVIRU.EXE
FPROT.EXE
F-PROT.EXE
FPROT95.EXE
F-PROT95.EXE
FP-WIN.EXE
FRW.EXE
F-STOPW.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICMOON.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
IOMON98.EXE
JED.EXE
JEDI.EXE
KPF.EXE
KPFW32.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LUALL.EXE
MOOLIVE.EXE
MPFTRAY.EXE
N32SCAN.EXE
N32SCANW.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVSCHED.EXE
NAVW.EXE
NAVW32.EXE
NAVWNT.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NUPGRADE.EXE
NVC95.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
RAV7.EXE
RAV7WIN.EXE
RESCUE.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
TDS2-98.EXE
TDS2-NT.EXE
VCONTROL.EXE
VET32.EXE
VET95.EXE
VET98.EXE
VETTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSCAN40.EXE
VSSTAT.EXE
WEBSCAN.EXE
WEBSCANX.EXE
WFINDV32.EXE
ZAPRO.EXE
zonealarm.EXE
mcafee.exe
navapsvc.exe
zaplus.exe
vsmon.exe





W32/Sober-C

Aliases
I-Worm.Sober.c, W95/Sober.C{at}mm, W32/Sober.c{at}MM, Win32/Sober.C, 
WORM_SOBER.C

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Sober-C is an internet worm which spreads via file sharing on 
peer-to-peer networks and by emailing itself to addresses found within 
files on the computer.

The email subject line and message text are randomly chosen from 
internal lists and will be in either English or German.

Example subject lines include:
ups, i've got your mail
Sorry, thats your mail
hi, its me
Thank You very very much
you are an idiot
why me?
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal File Sharing ...
A Trojan horse is on your PC
a trojan is on your computer!
Anime, Pokemon, Manga, ...
Caution: To all gamers
Attention: To all gamers
Anmeldebestätigung
Bankverbindungs- Daten
Sie sind ein Raubkopierer

The following are examples of possible message texts:
"Sehr geehrter Kunde,
Vielen Dank für Ihre Anmeldung auf unserem Server.
Der Betrag von Euro 279,- wurde erfolgreich von Ihrem Konto abgebucht.

Ihnen stehen nun 1 Jahr lang mehr als 2300 sehr sehr heiße
Internet Seiten zur Verfügung.

Wir bedauern, das es im Vorfeld so lange gedauert hat,
unser Mail Dienst hatte diese Daten auf einen anderen E-Mail Empfänger
geschickt.
Da nun dieser Fehler behoben zu sein scheint, wünschen wir Ihnen
viel Spass mit unserem Angebot!

Die Seiten die Sie nun aufrufen können und die Zugangsdaten
befinden sich gesichert im Anhang."

"hi, I am from Austria and you'll don't believe me,
but a trojan horse in on your pc.
I've scanned the network-ports on the internet.
And I have found your pc.
Your pc is open on the internet for everybody!
Because the >filename<.exe trojan is running on your system.
Check this, open the task manager and try to stop that!
You'll see, you can't stop this trojan.
When you use win98/me you can't see the trojan!!

On my system was this trojan, too!
And I've found a tool to kill that bad thing.
I hope that I've helped you!"

The attachment filename is also randomly chosen from an internal list 
and can have an extension of EXE, SCR, PIF, COM, CMD or BAT. Examples 
include:

www.iq4you-german-test.com
www.freewantiv.com
www.free4manga.com
www.free4share4you.com
www.tagespolitik-umfragen.com
www.onlinegamerspro-worm.com
www.freegames4you-gzone.com
www.boards4all-terror432.com
www.anime4allfree.com
www.animepage43252.com

When first run, the worm copies itself to the Windows system folder as 
syshostx.exe and two other randomly selected filenames.

W32/Sober-C then creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

that point to the two copies of the worm with randomly selected 
filenames to ensure it is run at system logon.

The following files are also created in the Windows system folder:

ms16taskwin.exe
savesyss.dll
Humgly.lkur
yfjq.yqwm

These files are not malicious and can simply be deleted.

W32/Sober-C copies itself to the My Shared Folder in the KaZaA folder 
replacing existing executables that have an extension of COM, EXE, SCR, 
BAT, CMD or PIF.





W32/Sober-B

Aliases
Worm/Sober.B

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Sober-B is a worm that spreads via email, network shares and 
filesharing networks.

When first executed the worm displays a bogus error message 'Header 
corrupt'.

W32/Sober-B harvests email addresses by scanning the filesystem for 
files with one of the following extensions:
HTT, RTF, DOC, XLS, INI, MDB, TXT, HTM, HTML, WAB, PST, FDB, CFG, LDB, 
EML, ABC, LDIF, NAB, ADP, MDW, MDA, MDE, ADE, SLN, DSW, DSP, VAP, PHP, 
NSF, ASP, SHTML, SHTM, DBX, HLP, MHT, NFO

The harvested addresses are stored in the log file mscolmon.ocx in the 
Windows system folder. A file Humgly.lkur is created in the Windows 
system folder. These files are not malicious and can be deleted.

The worm may arrive in an email that is written in either English or 
German.

For the German email the subject line, message text and attachment 
filename are chosen randomly from the following selection:

Subject line:
Hihi, ich war auf deinem Computer
Du bist Ge-Hackt worden
Ich habe Sie Ge-hackt
Der Kannibale von Rotenburg

Message text:
Nette, ungewöhnliche und ausgefallene Sachen hast du da
auf deinem Computer! (Was soll man dazu noch sagen)
Ich überlege mir schon die ganze Zeit, ob ich ein paar deiner Dateien
im Internet auf einer Web-Seite stellen soll!
Weil, genug Stoff habe ich ja von Dir! (Muhahahah)
Du fragst dich sicherlich, was ich alles von Dir habe,,,, siehe selbst

Was wohl gewisse Behörden dazu sagen würden? **hust*
Ich weiss nicht so recht, soll ich dich bestechen oder
die Behörden einschalten ???
Du kannst jetzt ruhig Deine Dateien löschen oder sonst was, aber
nützen wird es Dir wenig, weil ich sie auch habe!
Wenn du meinst das ich Mist rede, dann sehe Dir die Datei-Liste an.
Dann siehst du, was ich alles von Dir habe.
Na ja,, ich melde mich nächste Woche noch einmal!

Entschuldigen Sie bitte diese überaus deutliche Betreffzeile!
Aber ein neuer Dialer macht mit dieser Überschrift unzählige User zu Opfern.
Die User werden mit dem versprechen gelockt, sich das
äusserts abscheuliche Tat- Video anzuschauen zu d
Stattdessen aber, installiert sich ein sehr teurer Dialer und ein
Virus auf dem PC.
Da aber unzählige User auf diese Finte hereinfallen, haben wir mit
Zustimmung des Bundeskriminalamtes BKA, eine Web-Seite erstellt,
wo einige dieser äusserts brisanten Fotos und Videos
einzusehen sind, um den Leuten die Neugier zu nehmen.
natürlich sind diese Videos und Fotos leicht zensiert worden.
Um auf diesen Web-Server zu gelangen, müssen Sie zuerst bestätigen,
dass Sie das 18 Lebensjahr bereits vollendet haben.
Wir bitten sie ausdrücklichst, keine Kinder diese Seite einsehen zu lassen.
I.A.: Dieter Braun
----- MultiMedia AG München ia. BKA (ORG. Rund-Mail V6.02)
Geschaeftsfuehere: Michael Leuningen (089/8941440) FAX: 089/89414434

Attached file:
DateiList.pif
Daten-Text.pif
Server.com

For the English email the worm selects one of the following 
possibilities:

Subject line:
George W. Bush wants a new war
George W. Bush plans new wars
You Got Hacked
Have you been hacked?

Message text:
Bush plans new wars against China, Cuba and Iran.
Please visit our website and vote against this very crazy war(s).
More information:

by me,, idiot!
haha, very nice files on your system.
i've made a website. i show your files on this website hahaha
visit:

YA of me
a great many files on your pc and very very interesting
what would say the police?!,,, i don't know .-]
files of you
See:

Attached file:
www.gwbush-new-wars.com
www.hcket-user-pcs.com
allfiles.cmd
yourlist.pif

W32/Sober-B creates two copies of itself in the Windows system folder 
using random filenames and executes them.

In order to be started automatically when Windows boots up the worm sets 
a random registry entry below 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, 
pointing to one of the two files.

These two processes will re-spawn each other and restore the registry 
entry if one of them is killed or the registry entry deleted.

In addition, the worm will also copy itself to the Windows system folder 
using the fixed filename spooler.exe.

In order to spread via filesharing networks W32/Sober-B replaces files 
found in the shared folders of popular peer-to-peer networks with a copy 
of itself.





W32/Agobot-BM

Aliases
Backdoor.Agobot.3.gen, W32.HLLW.Gaobot.AO

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-BM is an IRC backdoor Trojan and network worm.

W32/Agobot-BM is capable of spreading to computers on the local network 
protected by weak passwords. The worm can also spread to other machines 
using certain vulnerabilities.

When first run, W32/Agobot-BM copies itself to the Windows system folder 
as wmplayer.exe and creates the following registry entries so that 
wmplayer.exe is run automatically on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Media Player = wmplayer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Media Player = wmplayer.exe

The worm runs in the background as a service process named "Windows 
Media Player".

Each time W32/Agobot-BM is run it attempts to connect to a remote IRC 
server, join a specific channel and wait for backdoor commands.

W32/Agobot-BM attempts to terminate and disable various security-related 
programs and attempts to prevent its own process from being deleted.





Troj/Uproot-A

Aliases
Backdoor.UpRootKit, Backdoor.Uprootkit, Backdoor.Uprootkit.cli

Type
Trojan

Detection
At the time of writing Sophos has received no reports from users 
affected by this Trojan. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
Troj/UpRoot-A is a backdoor Trojan for Windows 2000/XP that allows a 
malicious user remote access to the system. The Trojan can use the ICMP 
as well as the TCP or UDP protocols on configurable ports for 
communication.

In order to run automatically when Windows starts up the Trojan copies 
itself to the Windows system folder as uprootkit.exe and registers 
itself as the service process uprootkit.





W32/Mimail-M

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Mimail-M is a worm which spreads via email using addresses harvested 
from the hard drive of the infected computer. All email addresses found 
on the computer are saved in a file named xjwu2.tmp in the Windows 
folder.


The worm copies itself to the Windows folder with the filename 
netmon.exe and creates the following registry entry so that this file is 
run when Windows starts up:


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetMon


W32/Mimail-M can arrive in three different email formats. Some users may 
find the explicit language used by the worm offensive.


The first type of email the worm can send has the following 
characteristics:


Subject line: Re[3]<44 spaces><random characters>

Message text:

Hello Greg,


I was shocked, when I found out that it wasn't you but your twin 
brother!!! That's amazing, you're as like as two peas. No one in bed is 
better than you Greg. I remember, I remember everything very well, that 
promised you to tell how it was, I'll give you a call today after 9.


He took my skirt off, then my panties, then my bra, he sucked my tits, 
with the same fury you do it. He was writing alphabet on my pussy for 20 
minutes, then suddenly stopped, put me in doggy style position and stuck 
his dagger.But Greg, why didn't you warn me that his dick is 15 inches 
long?? I was struck, we fucked whole night.


I'm so thankful to you, for acquainted me to your brother. I think we 
can do it on the next Saturday all three together? What do you think? O 
yes, as you wanted I've made a few pictures check them out in archive, 
I hope they will excite you, and you will dream of our new meeting...


Wendy.


Attached file: only_for_greg.zip (contains for_greg.jpg.exe)


The second email format, which appears to have been manually 
mass-mailed out, has the following characteristics:


Subject line: Re:Greg

Message text:

Hi Greg its Wendy.


I was shocked, when I found out that it wasn't you but your twin brother, 
that's amazing, you're as like as two peas. No one in bed is better than 
you Greg. I remember, I remember everything very well, that promised you 
to tell how it was, I'll give you a call today after 9.


He took my skirt off, then my panties, then my bra, he sucked my tits, 
with the same fury you do it. He was writing alphabet on my pussy for 20 
minutes, then suddenly stopped, put me in doggy style position and stuck 
his dagger. But Greg, why didn't you warn me that his dick is 15 inches 
long? I was struck, we fucked whole night.


I'm so thankful to you, for acquainted me to your brother. I think we 
can do it on the next Saturday all three together? What do you think? O 
yes, as you wanted I've made a few pictures check them out in archive, I 
hope they will excite you, and you will dream of our new meeting...


For unzip archiver download WinZip: 
http://download.winzip.com/winzip81.exe

Password for archive is "kiss".


Attached file: wendy.zip (contains file wendy.exe)


The third email format also appears to have been deliberately 
mass-mailed and has the following characteristics:


Subject line: Your message delivery has been failed

Message text:

This is the Postfix program at host 


I'm sorry to have to inform you that the message returned below could 
not be delivered to one or more destinations.


The message itself and all the other important information are included 
into the attachment.


Attached file: fail.hta (contains file test.exe)


W32/Mimail-M creates a copy of itself named nji2.tmp and a copy of 
only_for_greg.zip named msi2.tmp, both in the Windows folder.


W32/Mimail-M also attempts a denial of service attack targeting:


darkprofits.com

darkprofits.net

darkprofits.cc

darkprofits.ws

www.darkprofits.com

www.darkprofits.net

www.darkprofits.cc

www.darkprofits.ws





VBS/Suzer-B

Aliases
TrojanDropper.VBS.Inor.u, VBS/Inor, Download.Trojan

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
VBS/Suzer-B is a Trojan that drops and executes Troj/Cidra-A as 
usb_d.exe.





Troj/Antikl-Dam

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/Antikl-Dam is a corrupt (truncated), non-executable Trojan that is 
being seeded via an email that contains the following text:

"Dear customer,
The security of your personal and account information is extremely 
important to us. By practicing good security habits, you can help us 
ensure that your private information is protected. Please install our 
special software, that will remove all the keyloggers and backdoors 
from your computer.
And will help us to prevent credit card fraud in future.
Thank you.

Best regards,

"

where  has been seen to be the name of a banking institution.

The From address is likely to be admin{at}.com





W32/Agobot-BT

Aliases
W32.HLLW.Gaobot.gen

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-BT is a network worm which also allows unauthorised remote 
access to the computer via IRC channels.

W32/Agobot-BT copies itself to network shares with weak passwords and 
attempts to spread to computers using the DCOM RPC and the RPC locator 
vulnerabilities.

These vulnerabilities allow the worm to execute its code on target 
computers with System level privileges. For further information on 
these vulnerabilities and for details on how to protect/patch the 
computer against such attacks please see Microsoft security bulletins 
MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft 
security bulletin MS03-039.

W32/Agobot-BT copies itself to the Windows system folder as sysinfo.exe 
and creates the following registry entries to run itself on system 
restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loader

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loader

Each time W32/Agobot-BT is run it attempts to connect to a remote IRC 
server and join a specific channel.

W32/Agobot-BT attempts to terminate various processes related to 
anti-virus and security software (e.g. SWEEP95.EXE, BLACKICE.EXE and 
ZONEALARM.EXE).

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
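A hunting script for the persistence artifacts these advisories describe, added as an example here and not part of the Sophos advisories or the original post: it parses a constructed reg-export sample for the Run/RunServices value names quoted above (Online Service, 4wd!!!, App.EXEName, NetMon, Windows Media Player, Configuration Loader) and checks a constructed win.ini for the run= line W32/Opaserv-S plants on remote machines. The value and file names come from the text; the sample data and the function names are assumptions.

```python
import re
from collections import namedtuple

# Run-key value names quoted in the advisories above -> (family, image file the
# advisory gives, or None where it names only the value).
RUN_VALUE_IOCS = {
    "online service": ("Troj/Tofger-L", "surte.exe"),
    "4wd!!!": ("W32/Opaserv-S", "natal!.pif"),
    "app.exename": ("W32/Bodiru-A", None),
    "netmon": ("W32/Mimail-M", "netmon.exe"),
    "windows media player": ("W32/Agobot-BM", "wmplayer.exe"),
    "configuration loader": ("W32/Agobot-BT", "sysinfo.exe"),
}

# Constructed sample in reg-export format (not captured from a real host).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Online Service"="C:\\WINDOWS\\SURTE.EXE"
"4wd!!!"="C:\\WINDOWS\\natal!.pif"
"NetMon"="C:\\WINDOWS\\netmon.exe"
"Windows Media Player"="wmplayer.exe"
"App.EXEName"="C:\\WINDOWS\\unknown.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Configuration Loader"="sysinfo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"NetMon"="not an autostart location, must be ignored"
'''

# Constructed win.ini of the kind W32/Opaserv-S writes on a remote machine.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\Windows\\natal!.pif\n[Desktop]\nWallpaper=\n"

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Services)?$", re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# "strong": image file also matches the advisory; "name-only": analyst review.
Hit = namedtuple("Hit", "key value_name data family confidence")


def parse_run_values(reg_text):
    """Yield (key, value_name, data) for string values under Run/RunServices."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not RUN_KEY_RE.search(key):
            continue
        m = VALUE_RE.match(line)
        if m:  # undo reg-export escaping of backslashes and quotes
            name, data = (g.replace("\\\\", "\\").replace('\\"', '"') for g in m.groups())
            yield key, name, data


def hunt_run_keys(reg_text):
    """Match Run/RunServices value names against the advisory list."""
    hits = []
    for key, name, data in parse_run_values(reg_text):
        ioc = RUN_VALUE_IOCS.get(name.lower())
        if ioc is None:
            continue
        family, image = ioc
        basename = data.replace("/", "\\").split("\\")[-1].lower()
        strong = image is not None and basename == image
        hits.append(Hit(key, name, data, family, "strong" if strong else "name-only"))
    return hits


def win_ini_run_lines(ini_text):
    """Return run=/load= lines of [windows] that point at the Opaserv-S file."""
    section, found = None, []
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "windows" and s.lower().startswith(("run=", "load=")):
            if "natal!.pif" in s.lower():
                found.append(s)
    return found
```

Run it against the output of `reg export` for the HKLM and HKCU CurrentVersion keys; a name-only hit (such as App.EXEName, for which the advisory names no file) still needs the image on disk checked by hand.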

SOURCE: echomail via fidonet.ozzmosis.com
