echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2004-03-13 13:19:00
subject: News

[cut-n-paste from sophos.com]

Troj/LDPinch-H

Aliases
Trojan.PSW.LdPinch.o, PWS-LDPinch trojan, PWSteal.Trojan

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/LDPinch-H sends passwords and confidential information to a remote 
location and provides backdoor access to the computer.

When first run the Trojan moves itself to the Windows folder and adds 
its pathname to the following registry entry, to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\putil

The Trojan periodically attempts to send confidential information to a 
remote location. The information includes:


    * computer details (OS version, memory, CPU etc.)
    * available drives (drive letter, type and free space)
    * hostname and IP address
    * Windows folder volume information
    * data stored in the registry by selected software
    * passwords and confidential information from 'Protected Storage'
    * POP3 and IMAP server information, usernames and passwords
    * FTP usernames and passwords
    * RAS dial-up settings


The Trojan then runs continuously in the background providing backdoor 
access to the computer.

The Trojan may also drop the file isfpr.dll to the Windows folder. This 
file is detected as Troj/Mimail-F.





Troj/LDPinch-G

Aliases
Trojan.PSW.LdPinch.ca, PWS-LDPinch

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/LDPinch-G sends passwords and confidential information to a remote 
location and provides backdoor access to the computer.

When first run the Trojan moves itself to the Windows folder and adds 
its pathname to the following registry entry, to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\putil

The Trojan periodically attempts to send confidential information to a 
remote location. The information includes:


    * computer details (OS version, memory, CPU etc.)
    * available drives (drive letter, type and free space)
    * hostname and IP address
    * Windows folder volume information
    * installation details and data stored in the registry for selected
software, including ICQ and Trillian
    * passwords and confidential information from 'Protected Storage'
    * POP3 and IMAP server information, usernames and passwords
    * FTP usernames and passwords
    * RAS dial-up settings


The Trojan then runs continuously in the background providing backdoor 
access to the computer on port 2050. A remote intruder will be able to 
connect to this port and receive a remote command shell.

The Trojan also drops the file isfpr.dll into the Windows folder. This 
file is detected as Troj/Mimail-F.





W32/Bereb-B

Aliases
Worm.P2P.Astaber, Win32/Bereb.C, W32.HLLW.Bereb, WORM_BEREB.B

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Bereb-B is a peer-to-peer worm that copies itself to the shared 
folder startrwin in the Windows folder using a variety of names 
including:
007 Crack.exe
007 keygen.exe
007.exe
3D Flash Animator v3.7.exe
3D magic Pixel 3D Crack.exe
3D magic Pixel 3D.exe
9 naked girls.exe
ws_ftp.exe
xbox emulator (works!!).exe
xbox.info.exe.exe
xxx.exe

The following registry entry is added to make startrwin a shared folder:

HKCU\Software\Kazaa\LocalContent\Dir0 = 

The worm will also copy itself to the Windows folder as svckernell.com 
and set the following registry entry that points to this copy to ensure 
it is run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svckernell

W32/Bereb-B is an IRC backdoor Trojan that listens for commands on 
specific IRC channels.

W32/Bereb-B creates the file library.dat in the subfolder WinMx in the 
Program Files folder. This file is not malicious and can be deleted.





Troj/Eyeveg-C

Aliases
TrojanDropper.JS.Mimail.b

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Eyeveg-C is a password stealing Trojan for the Windows platform.

In order to run automatically when Windows starts up Troj/Eyeveg-C 
copies itself to a file with a random name in the Windows system folder 
and adds a registry entry pointing to this file.

The Trojan also attempts to copy itself to the Windows startup folder.

Troj/Eyeveg-C collects system information and account passwords and sends 
them to a remote web site.





W32/Netsky-M

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Netsky-M is a mass mailing worm which spreads by emailing itself to 
addresses harvested from files on the local drives.

The worm copies itself to the Windows folder as AVPROTECT9X.EXE and adds 
the following registry entry to run itself whenever the user logs on to 
the computer:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\9XHtProtect=
\AVprotect9x.exe

W32/Netsky-M harvests email addresses from files with the following 
extensions:

PL, HTM, HTML, EML, TXT, PHP, VBS, RTF, UIN, ADB, TBB, DBX, ASP, WAB, 
DOC, SHT, OFT, MSG, JSP, WSH, XML, SHTM, CGI, DHTM

Emails have the following characteristics:

Subject lines:

Re:  Requested file
Re:  My file
Re:  My document
Re:  My information
Re:  My details
Re:  Information
Re:  Improved
Re:  Requested document
Re:  Document
Re:  Details
Re:  Your document
Re:  Your details
Re:  Approved

Message texts:

Details for .
Document .
I have received your document. The improved document  is
attached.
I have attached your document .
Your document  is attached to this mail.
Authentification for  required.
Requested file .
See the file .
Please read the important message msg_.
Please confirm the document .
 is attached.
Your file  is attached.
Please read the document .
Your document  is attached.
Please read the attached file .
Please see the attached file  for details.

Attached file (extension PIF):


improved_
message_
detailed_
your_document_
word_doc_
doc_
articel_
picture_
file_
your_file_
details_
document_





W32/Netsky-D

Aliases
W32/Netsky.c{at}MM, I-Worm.NetSky.d, Win32/Netsky.D, WORM_NETSKY.D

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Netsky-D is a worm that spreads via email. When emailing itself the 
worm can spoof the sender's email address.

W32/Netsky-D may arrive in an email with the following characteristics:

Subject lines:

Re: Approved
Re: Details
Re: Document
Re: Excel file
Re: Hello
Re: Here
Re: Here is the document
Re: Hi
Re: My details
Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your details
Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website

Message texts:

Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.

Attached file:

all_document.pif
application.pif
document.pif
document_4351.pif
document_excel.pif
document_full.pif
document_word.pif
message_details.pif
message_part2.pif
mp3music.pif
my_details.pif
your_archive.pif
your_bill.pif
your_details.pif
your_document.pif
your_file.pif
your_letter.pif
your_picture.pif
your_product.pif
your_text.pif
your_website.pif
yours.pif

When first run W32/Netsky-D copies itself to the Windows folder as 
winlogon.exe and creates the following registry entry so that 
winlogon.exe is run automatically each time the user logs on to the 
computer:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQ Net
= \winlogon.exe -stealth

W32/Netsky-D searches all mapped drives for files with the following 
extensions in order to find email addresses: MSG, OFT, SHT, DBX, TBB, ADB, 
DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML

W32/Netsky-D attempts to delete the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sentry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

W32/Netsky-D queries for the following IP addresses:
62.155.255.16
145.253.2.171
151.189.13.35
193.193.158.10
193.193.144.12
193.189.244.205
193.141.40.42
194.25.2.129
194.25.2.130
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
195.185.185.195
195.20.224.234
212.185.252.136
212.7.128.162
212.7.128.165
212.185.253.70
212.185.252.73
212.44.160.8
213.191.74.19
217.5.97.137

W32/Netsky-D is programmed to not forward itself via email if the 
recipient email address contains the following strings:

messagelabs
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
spam
ymantec
antivi
icrosoft

W32/Netsky-D attempts to delete some registry entries including ones 
related to the W32/MyDoom-A and W32/MyDoom-B worms in a similar way to 
previous variants.

When the worm is run on 2 March 2004 between 06:00 and 08:59 it may 
cause the computer to beep sporadically.





W32/Netsky-L

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Netsky-L is a worm that arrives in an email with the following 
characteristics:
Subject line: one of the following -
Re: Important
Re: Your document
Re: Your details
Re: Approved

Message text: one of the following -
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file.
Please see the attached file for details.

The attached filename has the following construction:
_.pif
or
.pif
where  is one of:
your_file_
details_
document_

and the user name is taken from the string preceding the "{at}" in the 
recipient's email address.

For example if the recipient's email address is Joe.Bloggs{at}example.com 
then the attached file could be details_Joe.Bloggs.pif

When W32/Netsky-L is run a copy will be created in the Windows folder 
with the filename AVprotect.exe and the following registry entry will be 
created so that the worm is run when the victim logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HtProtect
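The Netsky-L attachment rule above (prefix plus the part of the recipient's address before the "{at}", as in details_Joe.Bloggs.pif) and the fixed Netsky-D attachment list lend themselves to a simple gateway check. The following is an added example written for this post, not Sophos code: it rebuilds the names Netsky-L would produce for a given recipient, compares the attachment against them and against the Netsky-D list, and otherwise treats any PIF attachment as something to quarantine. The message dicts and the sample messages are constructed for the example; a real gateway would hand over parsed MIME parts instead.

```python
"""Gateway-style check for the Netsky-D/L subject and attachment indicators
listed in the Sophos descriptions above.  Added example, not Sophos code."""
from email.utils import parseaddr

# Indicators copied from the descriptions above.
NETSKY_L_SUBJECTS = {"Re: Important", "Re: Your document",
                     "Re: Your details", "Re: Approved"}
NETSKY_L_PREFIXES = ("your_file_", "details_", "document_")
NETSKY_D_ATTACHMENTS = {
    "all_document.pif", "application.pif", "document.pif",
    "document_4351.pif", "document_excel.pif", "document_full.pif",
    "document_word.pif", "message_details.pif", "message_part2.pif",
    "mp3music.pif", "my_details.pif", "your_archive.pif", "your_bill.pif",
    "your_details.pif", "your_document.pif", "your_file.pif",
    "your_letter.pif", "your_picture.pif", "your_product.pif",
    "your_text.pif", "your_website.pif", "yours.pif",
}


def expected_netsky_l_names(recipient):
    """Attachment names Netsky-L would build for this recipient, following
    the worked example above: the part before '@', optionally prefixed.
    Returned lower-cased so callers can compare case-insensitively."""
    local_part = parseaddr(recipient)[1].split("@", 1)[0]
    names = {prefix + local_part + ".pif" for prefix in NETSKY_L_PREFIXES}
    names.add(local_part + ".pif")
    return {n.lower() for n in names}


def classify(msg):
    """msg is a dict with 'to', 'subject' and 'attachment' (assumed format).
    Returns 'netsky-l', 'netsky-d', 'suspicious-pif' or 'clean'."""
    attachment = msg.get("attachment", "").lower()
    subject = msg.get("subject", "").strip()
    if not attachment.endswith(".pif"):
        return "clean"
    # Netsky-L: recipient-derived file name together with one of its subjects.
    if (attachment in expected_netsky_l_names(msg["to"])
            and subject in NETSKY_L_SUBJECTS):
        return "netsky-l"
    if attachment in NETSKY_D_ATTACHMENTS:
        return "netsky-d"
    # A PIF attachment is executable on Windows and has no legitimate
    # place in mail, so quarantine it even without a name match.
    return "suspicious-pif"


# Constructed sample messages, not real captures.
SAMPLE_MESSAGES = [
    {"to": "Joe.Bloggs@example.com", "subject": "Re: Approved",
     "attachment": "details_Joe.Bloggs.pif"},
    {"to": "alice@example.com", "subject": "Re: Your bill",
     "attachment": "your_bill.pif"},
    {"to": "bob@example.com", "subject": "Re: Hi",
     "attachment": "invoice.pif"},
    {"to": "carol@example.com", "subject": "Re: Your details",
     "attachment": "report.pdf"},
]


def classify_all(messages=SAMPLE_MESSAGES):
    """Verdict for each message, in order."""
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, classify_all()):
        print(f"{verdict:15} {m['to']:25} {m['attachment']}")
```

The name match is deliberately case-insensitive: the worm preserves the case of the address's local part, but mail clients and filesystems do not reliably do so.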





Troj/Domwis-A

Aliases
BackDoor-AOZ, BKDR_DOMWIS.A

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Domwis-A is an IRC backdoor Trojan which allows a malicious user 
remote access to an infected computer.

When first run the Trojan copies itself to the Windows folder as 
RUNDLL16.EXE and creates the following registry entry to ensure it is 
run on system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows DLL Loader = \RUNDLL16.EXE

Troj/Domwis-A will steal system information and log keystrokes.

Troj/Domwis-A can download and execute remote files on the infected 
computer. The Trojan can also be instructed to retrieve file listings 
and delete files and terminate processes.

Troj/Domwis-A will create the file temp.bat in the Windows folder. This 
file is not malicious on its own, however it should be deleted.





Troj/Cidra-D

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/Cidra-D is a backdoor proxy Trojan that allows a remote intruder to 
relay TCP traffic through the compromised computer.

The Trojan normally runs as the file usb_d.exe. In order to be executed 
automatically when the user logs on to the computer Troj/Cidra-D adds a 
registry entry at the following location:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Usbd

The Trojan opens a random listening port and periodically attempts to 
connect to a remote website to register itself.

The Trojan also has the ability to download and execute a file from a 
remote website.

Troj/Cidra-D appears to have been spammed out. The email has the 
following characteristics:

The subject line is "This your photo?", possibly interspersed with 
non-Roman characters. For example:

+This your photo?
This+ your photo?
This your photo?
This y_our photo?
This your pho+to^?
This yo_ur -photo?
Th_is your photo?
This you-r _photo?
Thi^s your photo?
Thi-s +your photo?

The message text is "Is this your photo? I cant belive it made it onto 
the internet!"

The attached file is a ZIP archive called p_usb.zip.





W32/Agobot-DQ

Aliases
Backdoor.Agobot.3.gen, W32/Gaobot.worm.gen.d

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-DQ is a network worm which also allows unauthorised remote 
access to the computer via IRC channels.

W32/Agobot-DQ tries to copy itself to network shares with weak passwords.

W32/Agobot-DQ copies itself to the Windows system folder as FILENAME.EXE 
and creates entries in the registry at the following locations to run 
itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loader

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loader

The worm disables the shares C$, D$, ADMIN$ and IPC$.

W32/Agobot-DP attempts to terminate the following virus, anti-virus and 
security processes:
tftpd.exe
dllhost.exe
winppr32.exe
mspatch.exe
penis32.exe
msblast.exe
ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE

W32/Agobot-DQ listens on a particular port and supplies a copy of the 
worm in response to incoming connections.





W32/Bagle-K

Aliases
I-Worm.Bagle.j, W32.Beagle.A{at}mm, WORM_BAGLE.GEN

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Bagle-K is an email worm which sends itself via its own SMTP engine 
to addresses harvested from your hard disk. The worm searches for files 
with the extensions WAB, TXT, HTM, XML, DBX, MDX, EML, NCH, MMF, ODS, 
CFG, ASP, PHP, PL, ADB, TBB and SHT.

When run the worm copies itself to the Windows system folder as 
winsys.exe.

W32/Bagle-K adds the value ssate.exe = \winsys.exe to the 
registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

This means that W32/Bagle-K runs every time you log on to your computer.

Emails have the following characteristics:
Sender: One of -
management{at}
administration{at}
staff{at}
noreply{at}
support{at}

Subject lines:
E-mail account security warning
Notify about using the e-mail account.
Warning about your e-mail account.
Important notify about your e-mail account.
Email account utilization warning.
Notify about your e-mail account utilization.
E-mail account disabling warning.

Message text: Randomly combined by taking one string from each of the 
following paragraphs:

Dear user of 
Dear user of  e-mail server gateway,
Dear user of e-mail server ",
Hello user of  e-mail server,
Dear user of " mailing system,
Dear user, the management of  mailing system 
 wants to let you know that,

and

Your e-mail account has been temporary disabled because of unauthorized 
access. Our main mailing server will be temporary unavaible for next 
two days, to continue receiving mail in these days you have to 
configure our free auto-forwarding service.

Your e-mail account will be disabled because of improper using in next 
three days, if you are still wishing to use it, please, resign your 
account information.

We warn you about some attacks on your e-mail account. Your computer may 
contain viruses, in order to keep your computer and e-mail account safe, 
please, follow the instructions.

Our antivirus software has detected a large ammount of viruses outgoing 
from your email account, you may use our free anti-virus tool to clean 
up your computer software.

Some of our clients complained about the spam (negative e-mail content) 
outgoing from your e-mail account. Probably, you have been infected by a 
proxy-relay trojan server. In order to keep your computer safe, follow 
the instructions.

and

For more information see the attached file.
Further details can be obtained from attached file.
Advanced details can be found in attached file.
For details see the attach.
For details see the attached file.
For further details see the attach.
Please, read the attach for further details.
Pay attention on attached file.

and

For security reasons attached file is password protected. The password 
 is "".
For security purposes the attached file is password protected. Password 
 is "".
Attached file is protected with the password for security reasons. 
 Password is ".
In order to read the attach you have to use the following password: 
 ".

and

The Management,
Sincerely,
Best wishes,
Have a good day,
Cheers,
Kind regards,

and

The  team 
http://www.;

Attached file: a randomly named ZIP archive. The name is chosen from:
Attach
Information
Readme
Document
Info
TextDocument
Text
MoreInfo
Message

As an example, here is how the worm could appear if your company's 
domain name was XYZCORP.COM:


An example of the kind of email which can be sent by the Bagle-K worm

W32/Bagle-K opens up a backdoor on port 2745 and listens for connections. 
If it receives the appropriate command it attempts to download and 
execute a file. W32/Bagle-K also makes a web connection to a remote URL, 
thus reporting the location and open port of infected computers.

W32/Bagle-K attempts to terminate several anti-virus and 
security-related processes:
ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE

W32/Bagle-K searches the mapped drives for folders containing the 
string "shar" in the folder name. If such a folder is found, the worm 
copies itself to the folder using the following names:
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno Screensaver.scr
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XX hardcore images.exe
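The share-seeding rule above (any folder with "shar" in its name, seeded with executables named after cracks, keygens and adult content) can be turned around into a sweep of the same folders. The following is an added example written for this post, not Sophos code: it walks a directory tree, looks only inside folders whose own name contains "shar", and reports executables that carry a name from the list above, a double extension such as Serials.txt.exe, or a lure keyword. The directory tree it sweeps is constructed in a temporary directory from empty files, and the keyword and data-extension lists are my own additions, not from the description.

```python
"""Sweep 'shar' folders for lure executables of the kind W32/Bagle-K drops.
Added example, not Sophos code.  Sample tree is constructed (empty files)."""
import os
import tempfile

# Lure file names copied from the description above (lower-cased).
BAGLE_K_NAMES = {
    "acdsee 9.exe", "adobe photoshop 9 full.exe", "ahead nero 7.exe",
    "matrix 3 revolution english subtitles.exe",
    "microsoft office 2003 crack, working!.exe",
    "microsoft office xp working crack, keygen.exe",
    "microsoft windows xp, winxp crack, working keygen.exe",
    "opera 8 new!.exe", "porno screensaver.scr", "porno pics arhive, xxx.exe",
    "porno, sex, oral, anal cool, awesome!!.exe", "serials.txt.exe",
    "winamp 5 pro keygen crack update.exe", "winamp 6 new!.exe",
    "windown longhorn beta leak.exe", "windows sourcecode update.doc.exe",
    "xx hardcore images.exe",
}
# Assumed heuristics, not from the description.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com"}
DATA_EXTS = {".txt", ".doc", ".jpg", ".zip", ".mp3", ".avi"}
LURE_WORDS = ("crack", "keygen", "serial", "porno", "xxx", "leak")


def reasons(filename):
    """Why a file in a shared folder deserves attention (empty if none)."""
    name = filename.lower()
    stem, ext = os.path.splitext(name)
    out = []
    if ext not in EXECUTABLE_EXTS:
        return out                      # only executables matter here
    if name in BAGLE_K_NAMES:
        out.append("known Bagle-K lure name")
    if os.path.splitext(stem)[1] in DATA_EXTS:
        out.append("double extension")  # e.g. Serials.txt.exe
    if any(word in name for word in LURE_WORDS):
        out.append("lure keyword")
    return out


def sweep(root):
    """Walk root; in folders whose own name contains 'shar', report
    executables with at least one reason.  Paths are relative to root,
    with '/' separators, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        for fname in files:
            why = reasons(fname)
            if why:
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                hits.append((rel.replace(os.sep, "/"), why))
    return sorted(hits)


def build_sample_tree():
    """Constructed directory tree for the example: empty files only."""
    root = tempfile.mkdtemp(prefix="sweep_")
    for rel in ("My Shared Folder/Serials.txt.exe",
                "My Shared Folder/holiday.jpg",
                "Shared/Ahead Nero 7.exe",
                "Shared/Opera 8 New!.exe",
                "Shared/setup.exe",
                "Docs/report.doc.exe"):      # not in a 'shar' folder: ignored
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for path, why in sweep(build_sample_tree()):
        print(path, "->", "; ".join(why))
```

Run it against the real share directories of a file-sharing client rather than a temporary tree; the folder-name test is the same one the worm applies, so anything it would have seeded is in scope.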

If the date is after 25 April 2005, W32/Bagle-K terminates itself and 
deletes all the registry entries it created.

W32/Bagle-K contains the following text hidden inside its code, which is 
not displayed:

Hey, NetSky, fuck off you bitch!





W32/Netsky-J

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Netsky-J is a mass mailing worm that uses its own SMTP engine to 
email itself to addresses harvested from files on local drives.

In order to run automatically when the user logs on to the computer the 
worm copies itself to the file winlogon.exe in the Windows folder and 
creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQ Net
=\winlogon.exe -stealth

The worm attempts to disable various anti-virus and security related 
applications as well as other worm processes by deleting registry 
entries used by them.

In particular it attempts to delete the following values:

Taskmon, Explorer, KasperskyAv, system., msgsvr32, DELETE ME, service, 
Sentry, Windows Services Host

below the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The worm deletes the following values:

Explorer, KasperkyAv, d3dupdate.exe, au.exe, OLE, Windows Services Host

below the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Netsky-J also deletes the following registry entries:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKLM\System\CurrentControlSet\Services\WksPatch
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

Some of the above entries are created by the different variants of the 
W32/Bagle and W32/MyDoom families of worms.

W32/Netsky-J harvests email addresses from files on all local drives 
which have one of the following extensions:

DHTM, CGI, SHTM, MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, 
VBS, HTML, HTM, PL, PHP, TXT, EML

The worm avoids email addresses containing the following strings:

skynet
messagelabs
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
spam
ymantec
antivi
icrosoft

Emails have the following characteristics:

Subject lines:

Re: Your website
Re: Your product
Re: Your letter
Re: Your archive
Re: Your text
Re: Your bill
Re: Your details
Re: My details
Re: Word file
Re: Excel file
Re: Details
Re: Approved
Re: Your software
Re: Your music
Re: Here
Re: Re: Re: Your document
Re: Hello
Re: Hi
Re: Re: Message
Re: Your picture
Re: Here is the document
Re: Your document
Re: Thanks!
Re: Re: Thanks!
Re: Re: Document
Re: Document

Message texts:

Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.

Attached filename:

your_website.pif
your_product.pif
your_letter.pif
your_archive.pif
your_text.pif
your_bill.pif
your_details.pif
document_word.pif
document_excel.pif
my_details.pif
all_document.pif
application.pif
mp3music.pif
yours.pif
document_4351.pif
your_file.pif
message_details.pif
your_picture.pif
document_full.pif
message_part2.pif
document.pif
your_document.pif

On 2 March 2004 at 6:00 AM W32/Netsky-I plays random sounds for three 
hours.





W32/Netsky-K

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Netsky-K is a mass mailing worm that uses its own SMTP engine to 
email itself to addresses harvested from files on local drives.

In order to run automatically when the user logs on to the computer the 
worm copies itself to the file avpguard.exe in the Windows folder and 
creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\My AV
= \avpguard.exe -av serv

The worm attempts to disable various anti-virus and security related 
applications as well as other worm processes by deleting registry 
entries used by them.

In particular it attempts to delete the following values:

Taskmon, Explorer, system., msgsvr32, DELETE ME, service, Sentry, 
Windows Services Host

below the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The worm deletes the following values:

Explorer, d3dupdate.exe, au.exe, OLE, Windows Services Host, gouday.exe, 
rate.exe, sate.exe, ssate.exe, srate.exe, sysmon.exe.

below the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Netsky-K also deletes the following registry entries:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKLM\System\CurrentControlSet\Services\WksPatch
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

Some of the above entries are created by variants of the W32/Bagle and 
W32/MyDoom families of worms.

W32/Netsky-K harvests email addresses from files on all local drives 
which have one of the following extensions:

XML, WSH, JSP, DHTM, CGI, SHTM, MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, 
ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT, EML

The worm avoids email addresses containing the following strings:

iruslis
antivir
sophos
freeav
andasoftwa
skynet
messagelabs
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
spam
ymantec
antivi
icrosoft

Emails have the following characteristics:

Subject lines:

Your product
Your letter
Re: corrected homework
Re: I've found your document
Re: Your bill
Re: hello again
Re: hi again
Re: part 3
Re: important document part 2
Re: important
Re: Your data
Re: Your application
Re: your music
Re: excel document
Re: Re: Re: word document
Re: Your details
Re: My details
Re: Your requested file
Re: Read it immediately
Re: Approved
Re: Your software
Re: my memberlist
Re: Your document
Re: Your file
Re: Your important document
www..tripod.com
Hi Mr. 
Moi 
Yours faithfully, 
Message to 
Hi Mrs. 
Is .doc yours?
Is .xls yours?
Whats up 
www.paypal.com/
Best 
Love 
Good morning 
Have a good day 
Dear 
To  , it's me
Welcome 
Moin 
Hello 
Your account  is expired!
Hey 
www..freepage.com, your website
Hi , your product
Hello , your letter
Re: Hi , your archive
Re: , your text
Re: Hello , your bill
Re: Hi , your details
Re: Hello , my details
Re: Hi , your word file
Re: Hello , your excel file
Re: Hi , details
Re: Hello , Approved
Re: Hello , your software
Re: Hi , your music
Re: Dear , Here
Re: Re: Re: Hello , your document
Re: Hi 
Re: Dear , Hi
Re: Re: Hi , your message
Re: Here , your picture
Re: Hi , here is the document
Re: Hello , your document
Re: , thanks!
Re: Re: , thanks!
Re: Re: Hi , document
Re: Hello , document

Message texts:

My details are in the attached file.
I have corrected your document.
Please do not forget to read the important document.
I have an interesting document about you.
The sample is attached.
Your personal document is attached.
Your file is attached to this mail.
Note that I have attached your file.
The important document is attached.
Please read the document. It's important.
Your document is attached to this mail.
See the attachment for further details.
Your file is attached. Use this password for the file: .
Please read the attached file. Password for the file is .
Please have a look at the attached file. Password for decrypting is .
See the attached file for details. Password is .
Here is the file. My password is .
Your document is attached. Your password is .

where  is a variable number.

Attached file:

website_.pif
your_product_.pif
letter_.pif
archive.pif
your_text.pif
bill_.pif
your_details.pif
_details.pif
_document_word.pif
_document_excel.pif
_my_details.pif
_all_document.pif
_application.pif
mp3music_.pif
yours.pif
document_4351.pif
_picture.pif
_file.pif
_message_details.pif
yourpicture.pif
_document_full.pif
_your_message_part2.pif
information.pif
document.pif
_your_document.pif

On 10 March 2004 W32/Netsky-K plays random sounds between 10 a.m. and 
11 a.m.





W32/Randex-AA

Aliases
Backdoor.SdBot.gen, W32/Randbot.worm, Win32/Randex.AL, W32.Randex.R

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Randex-AA is a network worm with backdoor capabilities which allows 
a remote intruder to access and control the computer via IRC channels.

W32/Randex-AA spreads over a network by copying itself to the Windows 
system32 folder of C$ and Admin$ shares that contain weak passwords.

Each time the worm is run it tries to connect to a remote IRC server and 
join a specific channel. The worm then runs in the background as a 
server process listening for commands to execute.

When first run the worm copies itself to Windows system folder and 
creates the following registry entries so that the worm is run when 
Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Mouse Driver Ver 3.0

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Mouse Driver Ver 3.0

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Mouse Driver Ver 3.0

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Mouse Driver Ver 3.0

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Mouse Driver Ver 3.0

W32/Randex-AA collects CD keys of popular games that are installed on 
the computer.
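Nearly every entry above persists through a value under the Run, RunOnce or RunServices keys, and the value names and dropped file names are listed. The following is an added example written for this post, not Sophos code: it parses the text format written by `reg export` (string values only; DWORD and binary values are skipped), restricts itself to those autostart keys, and reports values whose name or image file name appears in the descriptions above, plus one sanity rule of my own: winlogon.exe started from a Run key outside System32, which is how Netsky-D and Netsky-J present. The export text is constructed for the example.

```python
"""Audit a .reg export for the autostart indicators named in the Sophos
descriptions above.  Added example, not Sophos code; sample is constructed."""
import re

AUTOSTART_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce",
                  "\\CurrentVersion\\RunServices")

# Value names (lower-cased) from the descriptions above -> family.
IOC_VALUE_NAMES = {
    "putil": "Troj/LDPinch-G/H",
    "svckernell": "W32/Bereb-B",
    "9xhtprotect": "W32/Netsky-M",
    "icq net": "W32/Netsky-D/J",
    "htprotect": "W32/Netsky-L",
    "windows dll loader": "Troj/Domwis-A",
    "usbd": "Troj/Cidra-D",
    "configuration loader": "W32/Agobot-DQ",
    "ssate.exe": "W32/Bagle-K",
    "my av": "W32/Netsky-K",
    "microsoft mouse driver ver 3.0": "W32/Randex-AA",
}
# Dropped copy file names from the same descriptions -> family.
IOC_IMAGE_NAMES = {
    "avprotect9x.exe": "W32/Netsky-M", "avprotect.exe": "W32/Netsky-L",
    "avpguard.exe": "W32/Netsky-K", "rundll16.exe": "Troj/Domwis-A",
    "usb_d.exe": "Troj/Cidra-D", "winsys.exe": "W32/Bagle-K",
    "svckernell.com": "W32/Bereb-B",
}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """reg export writes \\ for a backslash and \" for a quote."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, value_data) for each string value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def image_basename(data):
    """File name of the executable in a Run value such as
    'C:\\WINDOWS\\winlogon.exe -stealth' (strips quotes and arguments)."""
    data = data.strip()
    path = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()


def audit(text):
    """Return (key, name, data, reason) for each suspicious autostart value."""
    hits = []
    for key, name, data in parse_reg(text):
        if not key.endswith(AUTOSTART_KEYS):
            continue
        image = image_basename(data)
        if name.lower() in IOC_VALUE_NAMES:
            hits.append((key, name, data, "value name used by " + IOC_VALUE_NAMES[name.lower()]))
        elif image in IOC_IMAGE_NAMES:
            hits.append((key, name, data, "image name used by " + IOC_IMAGE_NAMES[image]))
        elif image == "winlogon.exe" and "\\system32\\" not in data.lower():
            # Windows' own winlogon.exe lives in System32 and is not started
            # from a Run key; Netsky-D/J drop a copy in the Windows folder.
            hits.append((key, name, data, "winlogon.exe outside System32"))
    return hits


# Constructed export, not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\""
"ICQ Net"="C:\\WINDOWS\\winlogon.exe -stealth"
"Configuration Loader"="FILENAME.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ssate.exe"="C:\\WINDOWS\\system32\\winsys.exe"
"Backup"="C:\\Tools\\backup.exe -q"
"Explorer"="C:\\WINDOWS\\winlogon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"putil"="not an autostart key, so ignored"
'''

if __name__ == "__main__":
    for key, name, data, reason in audit(SAMPLE_REG):
        print(f"{reason}: {key}\\{name} = {data}")
```

Value names are a weak indicator on their own (Explorer, system and Taskmon above are also used by legitimate software and by the other worms Netsky deletes), which is why the audit reports the image path alongside the name rather than acting on the name alone.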





W32/Roca-A

Aliases
Sober.D, W32/Sober.D{at}mm, I-Worm.Sober.D

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Roca-A is a worm that arrives in an email with the following 
characteristics:
Subject line: Microsoft Alert: Please Read!
Message text:
New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through 
the Internet. Anti-virus vendor Central Command claims that 1 in 45 
e-mails contains the MyDoom virus. The worm also has a backdoor Trojan 
capability. By default, the Trojan component listens on port 13468.

Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.

+++ 2004 Microsoft Corporation. All rights reserved.
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19

OR

Subject line: Microsoft Alarm: Bitte Lesen!
Message text:
Neue Virus-Variante W32.Mydoom verbreitet sich schnell.
Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im 
Internet. Wie seine Vorgänger verschickt sich der Wurm von infizierten 
Windows-Rechnern per E-Mail an weitere Adressen. Zudem installiert er 
auf infizierten Systemen einen gefährlichen Trojaner! Bitte daten Sie 
Ihr System mit dem Patch ab, um sich vor diesem Schädling zu schützen!

+++ 2004 Microsoft Corporation. Alle Rechte vorbehalten.
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse 1
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943

The attachment name is one of the following keywords followed by a 
random number with either an EXE or ZIP extension:
Patch
MS-Security
MS-UD
UpDate
sys-patch

W32/Roca-A copies itself to the Windows system folder using a 
combination of the following words with an EXE extension: sys, host, 
dir, explorer, win, run, log, 32, disc, crypt, data, diag, spool, 
service, smss32

and sets the following registry entries to ensure it is run at system 
logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
 = \ %1

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
\ = \

where  is the name of the copy of the worm and 
 is generated using the same word list.

W32/Roca-A will also create the following files in the Windows system 
folder:


    * Humgly.lkur
    * mslogs32.dll - a list of email addresses found on system
    * temp32x.data - a base64 encoded copy of the worm
    * wintmpx33.dat - a base64 encoded ZIP copy of the worm
    * yfjq.yqwm
    * zmndpgwf.kxx


The files mslogs32.dll, zmndpgwf.kxx, yfjq.yqwm and Humgly.lkur are not 
malicious and can be deleted.

When first run W32/Roca-A will display a message box stating
"This patch has been successfully installed."

If the worm is executed again it will display a message box stating
"This patch does not need to be installed on this system.

Status: OK"

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
