subject: News, July 25 2004
[cut-n-paste from sophos.com]
W32/Rbot-EP
Aliases
Backdoor.Rbot.gen, W32/Sdbot.worm.gen.j
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Rbot-EP is a network worm and an IRC backdoor Trojan. W32/Rbot-EP
copies itself into the Windows system folder as wuamgrd.exe or with a
random filename and sets the following registry entries to run itself
automatically when Windows starts up:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update
W32/Rbot-EP logs onto a predefined IRC server and waits for backdoor
commands. When it receives the appropriate backdoor command W32/Rbot-EP
will attempt to spread to other machines.
W32/Rbot-EK
Aliases
Backdoor.Rbot.gen, W32/Sdbot.worm.gen.h
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Rbot-EK is a network worm and backdoor for the Windows platform.
W32/Rbot-EK allows a malicious user remote access to an infected
computer via IRC.
In order to run automatically when Windows starts up W32/Rbot-EK copies
itself to the Windows system folder as scvhost.exe and creates the
following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewalll = scvhost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Firewalll = scvhost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewalll = scvhost.exe
W32/Rbot-EK terminates the following processes if they exist:
i11r54n4.exe
irun4.exe
d3dupdate.exe
rate.exe
ssate.exe
winsys.exe
winupd.exe
SysMonXP.exe
bbeagle.exe
Penis32.exe
teekids.exe
MSBLAST.exe
mscvb32.exe
sysinfo.exe
PandaAVEngine.exe
wincfg32.exe
taskmon.exe
zonealarm.exe
navapw32.exe
navw32.exe
zapro.exe
msblast.exe
netstat.exe
msconfig.exe
regedit.exe
W32/Rbot-EK spreads by exploiting network shares and Microsoft SQL
servers with weak passwords, Windows operating system vulnerabilities
and backdoors opened by other worms and Trojans.
Patches for the operating system vulnerabilities exploited by
W32/Rbot-EK can be obtained from Microsoft at:
MS04-011
MS03-026
MS03-007
MS01-059
Troj/Dluca-CQ
Aliases
TrojanDownloader.Win32.Dyfuca.cq
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Dluca-CQ is an adware application.
The Trojan copies itself to the location
C:\Program Files\Internet Optimizer\optimize.exe
and creates the following registry entry in order to be run on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Internet Optimizer
= "C:\Program Files\Internet Optimizer\optimize.exe"
The Trojan also creates registry entries in the following locations:
HKCU\Software\Avenue Media\
HKCU\Software\Policies\Avenue Media\
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer\
HKLM\SOFTWARE\Policies\Avenue Media\
The Trojan may execute files downloaded without the user's consent.
Troj/Delf-DU
Aliases
New Malware.b
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Delf-DU is a backdoor Trojan.
In order to run automatically when Windows starts up the Trojan copies
itself to the file services.exe in the Windows system folder and creates
the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Services = C:\Windows\system32\services.exe
Once installed Troj/Delf-DU connects to an IRC server and joins a
channel from which it can receive further instructions. These
instructions can cause the Trojan to kill specific processes or download
files from arbitrary URLs and execute them.
The Trojan automatically terminates any processes whose filenames
contain one of the following patterns:
winnt35.exe
w.exe
mb.exe
~.exe
1.exe
2.exe
scan.exe
svshost.exe
W32/Lovgate-V
Aliases
I-Worm.LovGate.w, W32.Lovgate.Gen@mm, WORM_LOVGATE.V
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Lovgate-V is a variant of the W32/Lovgate family of worms that
spread via email, network shares and filesharing networks.
W32/Lovgate-V copies itself to the Windows system folder as the files
WinHelp.exe, iexplore.exe, kernel66.dll and ravmond.exe and to the
Windows folder as systra.exe.
The worm also drops the files msjdbc11.dll, mssign30.dll and odbc16.dll
which provide unauthorised remote access to the computer over a network.
The worm drops ZIP files containing a copy of the worm onto accessible
drives. The ZIP file may also carry a RAR extension. The name of the
packed file is chosen from the following list:
WORK
setup
important
bak
letter
pass
The name of the contained unpacked file is either PassWord, email or
book, with a file extension of EXE, SCR, PIF or COM.
In order to run automatically when Windows starts up W32/Lovgate-V
creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Hardware Profile = \hxdef.exe
Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
WinHelp = \WinHelp.exe
Program In Windows = \IEXPLORE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SystemTra = \SysTra.EXE
HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = RAVMOND.exe
In addition W32/Lovgate-V copies itself to the file command.exe in the
root folder and creates the file autorun.inf there containing an entry
to run the dropped file upon system startup.
W32/Lovgate-V spreads by email. Email addresses are harvested from WAB,
TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL files found on the system.
Emails have the following characteristics:
Subject line:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message text:
It's the long-awaited film version of the Broadway hit. The message sent
as a binary attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail failed. For further assistance, please contact!
Attached file:
document
readme
doc
text
file
data
test
message
body
followed by ZIP, EXE, PIF or SCR.
W32/Lovgate-V also enables sharing of the Windows media folder and
copies itself there using various filenames.
The worm also attempts to reply to emails found in the user's inbox
using the following filenames as attachments:
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe
The worm attempts to spread by copying itself to mounted shares using
one of the following filenames:
mmc.exe
xcopy.exe
winhlp32.exe
i386.exe
client.exe
findpass.exe
autoexec.bat
MSDN.ZIP.pif
Cain.pif
WindowsUpdate.pif
Support Tools.exe
Windows Media Player.zip.exe
Microsoft Office.exe
Documents and Settings.txt.exe
Internet Explorer.bat
WinRAR.exe
W32/Lovgate-V also attempts to spread via weakly protected remote shares
by connecting using a password from an internal dictionary and copying
itself as the file NetManager.exe to the system folder on the admin$
share.
After successfully copying the file W32/Lovgate-V attempts to start it
as the service "Windows Managment Network Service Extensions" on the
remote computer.
W32/Lovgate-V starts a logging thread that listens on port 6000, sends a
notification email to an external address and logs received data to the
file C:\Netlog.txt.
W32/Lovgate-V attempts to terminate processes containing the following
strings:
rising
SkyNet
Symantec
McAfee
Gate
Rfw.exe
RavMon.exe
kill
Nav
Duba
KAV
KV
W32/Lovgate-V also overwrites EXE files on the system with copies of
itself. The original files are saved with a ZMX extension.
W32/MyDoom-N
Aliases
I-Worm.Mydoom-l
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/MyDoom-N is a mass-mailing worm which spreads by emailing itself via
SMTP using its own engine. The worm also allows unauthorised remote
access to the computer via a network.
W32/MyDoom-N copies itself to the Windows folder as lsass.exe and
creates the following registry entry to run itself on system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Traybar = \lsass.exe
Troj/Bancban-C
Aliases
TrojanSpy.Win32.Banker.bf, PWS-Bancban.gen.b trojan
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Bancban-C is a password stealing Trojan targeted at customers of a
Brazilian bank.
The Trojan creates an entry in the registry at the following location to
run itself on logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
W32/Sdbot-KK
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Sdbot-KK is a worm which attempts to spread to remote shares which
have weak passwords. The worm also allows unauthorised remote access to
the computer via IRC channels.
W32/Sdbot-KK copies itself to the Windows system folder as VIDEONS32.EXE
and creates entries in the registry in the following locations to run
itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Video Drivers = videons32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Video Drivers = videons32.exe
This worm will search for shared folders on the internet with weak
passwords and copy itself into them. A text file named HOSTS may also be
dropped into C:\vers\etc which may contain a list of
anti-virus and other security-related websites each bound to the IP
loopback address of 127.0.0.1 which would effectively prevent access to
these sites.
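The HOSTS tampering described for W32/Sdbot-KK above can be detected with a small parser that flags non-local names bound to a loopback or unspecified address. This is an added example, not Sophos's or the worm's code; the vendor suffix list and the sample HOSTS content are constructed for illustration.

```python
import ipaddress

# Suffixes of security-vendor domains to prioritise; a constructed, partial
# list for illustration (a deployment would load its own).
SECURITY_VENDOR_SUFFIXES = (
    "symantec.com", "sophos.com", "mcafee.com", "f-secure.com",
    "kaspersky.com", "trendmicro.com", "nai.com", "viruslist.com",
)
# Names that legitimately resolve to loopback and must not be reported.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                        "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (address, hostname) pairs from HOSTS text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        fields = line.split()                  # spaces or tabs
        for name in fields[1:]:                # one address, one or more names
            yield fields[0], name.lower().rstrip(".")

def is_sinkhole_address(address):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def find_hijacked_entries(text):
    """Return [(hostname, address, tag)] for non-local names bound to a sinkhole
    address; tag is 'security vendor' when the name matches the vendor list."""
    findings = []
    for address, name in parse_hosts(text):
        if not is_sinkhole_address(address) or name in LEGIT_LOOPBACK_NAMES:
            continue
        vendor = any(name == s or name.endswith("." + s)
                     for s in SECURITY_VENDOR_SUFFIXES)
        findings.append((name, address, "security vendor" if vendor else "other"))
    return findings

# Constructed sample HOSTS content (not a real capture).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1\tlocalhost
::1\tip6-localhost
127.0.0.1 www.symantec.com      # appended by malware
127.0.0.1 liveupdate.symantec.com
0.0.0.0   update.example-vendor.test
10.0.0.5  intranet.example.test
"""

if __name__ == "__main__":
    for finding in find_hijacked_entries(SAMPLE_HOSTS):
        print(finding)
```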
W32/Lovgate-AJ
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Lovgate-AJ is a Windows worm that spreads via email, network shares
and filesharing networks. When executed the worm copies itself to the
Windows system folder as RAVMOND.exe, hxdef.exe and IEXPLORE.EXE. The
worm will also copy itself to COMMAND.EXE in the root folder, SYSTRA.EXE
in the Windows folder, Internet Explorer.bat and Microsoft Office.exe in
the \Media folders.
W32/Lovgate-AJ will also create the following registry entries to ensure
that it is run on computer logon:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
run = RAVMOND.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Hardware Profile = \hxdef.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft NetMeeting Associates, Inc = NetMeeting.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Network Associates, Inc = internet.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
S0undMan = \svch0st.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Shell Extension = \spollsv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\runServices\
SystemTra = \SysTra.EXE
W32/Lovgate-AJ drops several other files all of which are detected
by Sophos as various members of the W32/Lovgate family.
W32/Bagle-AI
Aliases
I-Worm.Bagle.ai
Type
Win32 worm
Detection
Sophos has received many reports of this worm from the wild.
Description
W32/Bagle-AI is a member of the W32/Bagle family of email worms.
W32/Bagle-AI spreads by emailing itself to addresses found on the
infected computer's hard disk. The worm searches for email addresses in
files with the following extensions:
WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS,
CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM,
JSP
The worm will not send mail to addresses which contain any of the
following strings:
@microsoft
rating@
f-secur
news
update
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@
W32/Bagle-AI uses its own internal SMTP engine to send email messages.
The worm sends an HTML email message with the following characteristics:
Sender:
The sender is always spoofed.
Attached file:
The name of the attached file is
MP3, Music_MP3, New_MP3_Player, Cool_MP3, Doll, Garry, Cat, Dog, Fish
with an extension of ZIP, CPL, EXE, COM or SCR. When ZIP is used an
image file may also be attached using a random name and the extension
JPEG. The ZIP file is detected by Sophos Anti-Virus as W32/Bagle-Zip and
contains a copy of the worm and a benign data file with an extension of
INI, CFG, TXT, DOC, VXD, DEF or DLL.
Subject line:
Re:
Message text:
foto3 and MP3
fotogalary and Music
fotoinfo
lovely animals
animals
predators
the snake
screen and music
When the attachment is a password protected ZIP file the message text
will also contain one of the following strings:
Password:
Pass -
Key -
W32/Bagle-AI attempts to delete the following registry entries from the
registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
W32/Bagle-AI copies itself to the Windows system folder as winxp.exe and
to all folders with the string 'shar' in their names as the following
files:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
W32/Rbot-DX
Aliases
Backdoor.Rbot.gen
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Rbot-DX is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-DX spreads to network shares with weak passwords as a result of
the backdoor Trojan element receiving the appropriate command from a
remote user.
W32/Rbot-DX copies itself to the Windows system folder as WUAMGRD.EXE
and creates entries at the following locations in the registry so as to
run itself on system startup, resetting the entries every minute:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Updete = wuamgrd.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft Updete = wuamgrd.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Updete = wuamgrd.exe
W32/Rbot-DX may set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-DX attempts to terminate certain processes relating to
anti-virus and security programs including REGEDIT.EXE, MSCONFIG.EXE and
NETSTAT.EXE.
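Several of the advisories above (W32/Rbot-EP, W32/Rbot-EK, W32/Rbot-DX, W32/Sdbot-KK and W32/MyDoom-N) persist through the same Run and RunServices keys. The following added example, not Sophos code, scans a `reg export` style .reg dump for the value names and file names those advisories list; the .reg text is constructed for illustration, and the system-process heuristic is an assumption of this example, not something the advisories state.

```python
import re
from pathlib import PureWindowsPath
# (value name, executable name) -> family, from the advisories above.
KNOWN_RUN_VALUES = {
    ("microsoft update", "wuamgrd.exe"): "W32/Rbot-EP",
    ("windows firewalll", "scvhost.exe"): "W32/Rbot-EK",
    ("microsoft updete", "wuamgrd.exe"): "W32/Rbot-DX",
    ("microsoft video drivers", "videons32.exe"): "W32/Sdbot-KK",
    ("traybar", "lsass.exe"): "W32/MyDoom-N",
}
# Heuristic (assumption of this example): core system processes are started by the
# session manager, never from a Run key, so a Run entry naming one is suspect.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "services.exe", "csrss.exe", "smss.exe", "winlogon.exe"}
RUN_KEY_SUFFIXES = ("\\CURRENTVERSION\\RUN", "\\CURRENTVERSION\\RUNSERVICES")
# "name"="data" lines; .reg escapes backslashes and quotes with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape_reg(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def command_basename(command):
    """Executable file name from a Run value: handles quoted paths and arguments."""
    command = command.strip()
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return PureWindowsPath(exe).name.lower()

def parse_reg_export(text):
    """Yield (key, value name, string data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            yield key, unescape_reg(m.group(1)), unescape_reg(m.group(2))

def find_suspicious_run_entries(text):
    """Return [(verdict, key, value name, data)] for Run/RunServices values that
    match a listed indicator or launch a system process name."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.upper().endswith(RUN_KEY_SUFFIXES):
            continue
        exe = command_basename(data)
        family = KNOWN_RUN_VALUES.get((name.lower(), exe))
        if family:
            hits.append((family, key, name, data))
        elif exe in SYSTEM_PROCESS_NAMES:
            hits.append(("system process name in Run key", key, name, data))
    return hits

# Constructed sample export (not a real capture) mixing benign and flagged values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Updete"="wuamgrd.exe"
"Traybar"="C:\\WINDOWS\\lsass.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Firewalll"="scvhost.exe"
'''
```

Run `find_suspicious_run_entries(SAMPLE_REG)` to see the three flagged entries; feed it the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` on a real host.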
W32/Bagle-Zip
Aliases
Win32/Bagle.gen.zip
Type
Win32 worm
Detection
Sophos has received many reports of this worm from the wild.
Description
Sophos Anti-Virus detects as W32/Bagle-Zip the password-protected
archive files created by W32/Bagle-F, W32/Bagle-G, W32/Bagle-H,
W32/Bagle-I, W32/Bagle-J, W32/Bagle-K (ZIP archives), W32/Bagle-N,
W32/Bagle-O (ZIP and RAR archives), W32/Bagle-W, W32/Bagle-AA,
W32/Bagle-AF and W32/Bagle-AG.
W32/Bagle-AG
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Bagle-AG is a member of the W32/Bagle family of email worms.
W32/Bagle-AG spreads by email. The email addresses are collected from
files on the computer containing the following file extensions:
WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS,
CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM,
JSP.
W32/Bagle-AG uses its own internal SMTP engine to spread.
The worm sends a HTML based email with the following characteristics:
Sender:
The sender address is always spoofed.
Attachment Name:
The basename of the attachment is chosen from the following list:
Foto3
Foto2
Foto1
Secret
Doll
Garry
Cat
Dog
Fish
W32/Bagle-AG is able to send itself as an encrypted ZIP file (detected
as W32/Bagle-Zip), a CPL file or a normal executable file with the
extension EXE, COM or SCR.
Subject line:
Re:
Message text:
When the worm arrives in an unencrypted (i.e. directly executable) file
the message text is one of the following:
foto3
Fotogalary
Fotoinfo
LovelyAnimals
Animals
Predators
TheSnake
Screen
When the worm attaches itself as an encrypted file the password is
included in the email as a bitmap image and one of the following message
texts is appended to the email body:
Password:
Pass -
Key -
:)
The ZIP file contains an executable with the extensions EXE, COM or SCR
and a benign text file with one of the extensions INI, CFG, TXT, VXD,
DEF or DLL.
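The mail characteristics given for W32/Bagle-AI and W32/Bagle-AG above (subject "Re:", a fixed set of attachment basenames, executable or ZIP extension, and a password lead-in in the body for the encrypted ZIP variant) map directly onto a gateway rule. The following added example, not Sophos code, classifies a message built with Python's email package; the messages it builds are constructed test data, and the sender address is a placeholder.

```python
import os
from email.message import EmailMessage

# Attachment basenames and password hints taken from the W32/Bagle-AI and
# W32/Bagle-AG descriptions above (case-insensitive match on the basename).
BAGLE_BASENAMES = {"mp3", "music_mp3", "new_mp3_player", "cool_mp3", "doll", "garry",
                   "cat", "dog", "fish", "foto1", "foto2", "foto3", "secret"}
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".cpl"}
PASSWORD_HINTS = ("Password:", "Pass -", "Key -")

def classify_message(msg):
    """Return 'clean' or a 'bagle: ...' verdict for an email.message.EmailMessage."""
    if (msg.get("Subject") or "").strip().lower() != "re:":
        return "clean"
    body, attachments = "", []
    for part in msg.walk():
        if part.is_attachment():
            attachments.append(part.get_filename() or "")
        elif part.get_content_maintype() == "text":   # plain or HTML body text
            body += part.get_content()
    for filename in attachments:
        stem, ext = os.path.splitext(filename)
        if stem.lower() not in BAGLE_BASENAMES:
            continue
        if ext.lower() in EXECUTABLE_EXTS:
            return "bagle: executable attachment"
        if ext.lower() == ".zip":
            # Password-protected variant: the ZIP itself cannot be scanned, but the
            # body carries one of the password lead-ins the advisory lists.
            if any(hint in body for hint in PASSWORD_HINTS):
                return "bagle: password-protected zip"
            return "bagle: zip attachment"
    return "clean"

def build_sample(subject, body, filename, payload=b"MZ-constructed-stub"):
    """Construct a test message (not a real sample); the sender is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body, subtype="html")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg

if __name__ == "__main__":
    print(classify_message(build_sample("Re:", "Predators<br>Password: 1234", "Cat.zip")))
```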
The worm then tries to remove registry run entries for several security
and anti-virus related products. The following entries are removed from
HKLM\Software\Microsoft\Windows\CurrentVersion\Run if they exist:
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
W32/Bagle-AG copies itself to the Windows system folder and creates a
registry entry to run itself on startup under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
W32/Bagle-AG then creates copies of itself in all folders containing the
substring SHAR on all drives. The worm uses the following filenames:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SOURCE: echomail via fidonet.ozzmosis.com