echo: dirty_dozen
to: ALL
from: KURT WISMER
date: 2003-08-02 13:54:00
subject: News

[cut-n-paste from sophos.com]

Bat/Boohoo-A

Aliases
Bat.NTScan.A, Bat.IROffer12.A, Bat/Mumu

Type
Batch file worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
Bat/Boohoo-A is an internet worm that spreads via weakly protected 
network shares on Windows computers. The worm generates random IP 
numbers and uses a network scanner to scan these IP ranges for 
vulnerable computers.

The worm consists of the following files detected by Sophos Anti-Virus:
starter.bat
scan.bat
ip.bat
hacker.bat
Xecuter.bat
regkeyadd.REG

and the following benign files:
ntscan.exe (a vulnerability scanner)
HideRun.exe (a utility to start other programs hidden)
psexec.bat
rep.bat
service.exe
clearlogs.exe
Firedaemon.exe
CommonDlg32.dll
CYGWIN1.dll
drvrquery32.exe
psexec.exe
rep.EXE
random.exe
protmp.txt
proreset.txt
replace.txt
sys.txt
wm.txt
pro.gif

The files are copied to the Windows system32 folder on the remote 
compromised computer. The subfolders tmp and tmp1 are created inside 
the Windows system32 folder on the remote machine and the hidden 
attribute is set on the system32 folder. After the files are copied the 
worm is started remotely.

The worm starts the following services:
startupdll (startup script psexec.bat)
msnet (svhost.exe)
drvmanager (drvrquery32.exe)
serv-u (drvrquery32.exe)

Bat/Boohoo-A attempts to delete all LOG files from the root folders of 
drives C: and D: and uses the included clearlogs.exe application to 
clean system log files. The worm also attempts to remove the shares C$ 
to Z$.

Bat/Boohoo-A creates backup copies of several of its files:
drvrquery32.exe -> sys.bak
CommonDlg32.dll -> admini.bak
svhost.exe -> systemrun.bak
pro.gif -> sysdlladmin.bak
cygwin1.dll -> starterdll.bak

In order to run automatically on system startup Bat/Boohoo-A sets the 
following registry entries below
HKLM\Software\Microsoft\Windows\CurrentVersion\Run:

drvrmanager = "C:\\winnt\\system32\\drvrquery32.exe /S"
HideRun.exe = "C:\\winnt\\system32\\HideRun.exe c:\\winnt\\system32\\svhost.exe c:\\winnt\\system32\\pro.gif"
Xecuter.bat = "C:\\winnt\\system32\\psexec.bat"

The worm also sets the following network registry entries below
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters:
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000





W32/Mimail-A

Aliases
W32.Mimail.A@mm, WORM_MIMAIL_A

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Mimail-A is a worm that arrives with the following characteristics:

Subject line: your account 
Message text:
Hello there, I would like to inform you about important information
regarding your email address. This email address will be expiring.
Please read attachment for details.
---
Best regards, Administrator
Attached file: message.zip

If run, the worm will copy itself to

C:\\exe.tmp
and
C:\\videodrv.exe

The worm exploits a known security vulnerability. A patch has been 
available from Microsoft for some months which reportedly fixes the 
vulnerability.

W32/Mimail-A adds the following entry to the registry to run itself on 
system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VideoDriver
=C:\\videodrv.exe

The worm looks for email addresses in files on the local drive. It 
attempts to exclude the following extensions from its search:

    * AVI
    * BMP
    * CAB
    * COM
    * DLL
    * EXE
    * GIF
    * JPG
    * MP3
    * MPG
    * OCX
    * PDF
    * PSD
    * RAR
    * TIF
    * VXD
    * WAV
    * ZIP

It places the email addresses it finds in the file C:\\eml.tmp.





W32/Gruel-M

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Gruel-M is a worm of the "Gruel" family.

For further information, please see W32/Gruel-Fam.





W32/Cidu-A

Type
Win32 executable file virus

Detection
At the time of writing Sophos has received just one report of this 
virus from the wild.

Description
W32/Cidu-A is a virus written in Delphi.

When you run an infected program, W32/Cidu-A searches your hard disk 
for EXE (program) files, and overwrites each program it finds with a 
copy of itself.

W32/Cidu-A attempts to make a copy of the original program first, using 
the original name with the extension .DLL added. But the virus 
sometimes fails to copy the original program, creating instead a 
zero-byte file. This makes the virus very noticeable, as programs 
destroyed in this way (rather obviously) do not work any more.

W32/Cidu-A marks infected files hidden, system and read-only. It also 
adds a registry entry of the form:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OriginalFileName

for each infected file.

As a payload, W32/Cidu-A activates the tray of your CD-ROM drive, 
displays and then removes a picture of a black dog merged with a human 
face, removes and possibly replaces your Desktop icons, disables your 
taskbar and disables your keyboard or mouse.





W32/Randon-R

Aliases
Worm.Win32.Randon.n, BAT_RANDON.N, IRC/Flood.bi

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Randon-R is a network worm. When run the worm creates the following
files in the folder C:\Windows\System\msdtc\trace:

    * MCOP.DLL, an INI file used by the worm and detected by this identity
    * MMSQL32.BAT, a BAT file used by the worm and detected by Sophos Anti-Virus as Troj/Passer-A
    * MNN32.EXE, a clean utility to view and manipulate processes
    * MSNQ32.EXE, a clean utility to hide/show windows
    * MTNM32.DLL, an INI file used by the worm and detected by Sophos Anti-Virus as Troj/Flood-BJ
    * PMMC32.EXE, a clean utility called PSExec
    * NTNWSYS.OCX, a configuration file used by the worm
    * SCM32.BAT, a BAT file used by the worm and detected by Sophos Anti-Virus as Troj/Flood-BAT

The worm adds the following registry entry to run the file msmngr32.exe 
when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msmanager32

W32/Randon-R searches the local network for computers with weak or no 
passwords on the administrator or admin accounts to which it can copy 
itself.





Troj/Mimail-A

Aliases
TrojanDropper.JS.Mimail.b

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/Mimail-A will attempt to download and execute a file from a 
particular website. At the time of writing, this website is 
unavailable.

The Trojan arrives as an email attachment with the filename readme.htm, 
which may be zipped and appear as readme.zip.





W32/BabyBear-A

Aliases
I-Worm.BabyBear, W32.Babybear@mm

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/BabyBear-A is a worm that will send itself to all entries found in 
the address book. It will arrive in an email with one of the following 
subject and message text combinations:

Subject line: Please Confirm
Message text:
Dear Sir or Madame, We have detected that you have placed a Order for
Msn8. Before we start your Service please confirm your order. To confirm
your order please check the attachement. Thanks, Microsoft Corporation
Support

Subject line: File You Requested
Message text: Hey Here is the file you wanted

The attachment filename will depend on what file name the worm had when 
it was executed.

W32/BabyBear-A displays a message box with the following fake error:
"Application Error! Missing .Dll File" and displays a picture with 
references to the Bugbear worm.

W32/BabyBear-A will copy itself to the following paths:

and will create the following registry entries to ensure it is run at 
system startup:
HKLM\Software\microsoft\windows\currentversion\run\Msgmgr
HKLM\Software\microsoft\windows\currentversion\run\Microsoft Corporation

Both of the previous two registry entries point to a location that 
contains a copy of the worm.

W32/BabyBear-A creates a system tray icon and if this icon is clicked 
your system will shutdown.

W32/BabyBear-A will also create the following empty folders:

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
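As an added defender-side example (not part of the post or of Sophos's advisories): a small Python parser for a Windows .reg export that flags the HKLM\...\Run value names and the lanmanserver AutoShare settings the advisories above list as persistence and share-hiding indicators. The sample export and the family-to-value-name mapping are constructed from the text above; on a real machine the input would come from an export of those two keys.

```python
import re

# Constructed .reg-style export (not the page's regkeyadd.REG); it mixes a benign
# entry with the value names and share settings the advisories above describe.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"drvrmanager"="C:\\winnt\\system32\\drvrquery32.exe /S"
"VideoDriver"="C:\\videodrv.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000
"""

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
LANMAN_KEY = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"

# Run-key value names the advisories attribute to each family (compared case-insensitively).
SUSPECT_RUN_VALUES = {
    "drvrmanager": "Bat/Boohoo-A", "hiderun.exe": "Bat/Boohoo-A", "xecuter.bat": "Bat/Boohoo-A",
    "videodriver": "W32/Mimail-A", "msmanager32": "W32/Randon-R",
    "msgmgr": "W32/BabyBear-A", "microsoft corporation": "W32/BabyBear-A",
}

def parse_reg(text):
    """Parse .reg text into {key_path_lower: {value_name_lower: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            # Value names may contain escaped quotes/backslashes; data is kept raw.
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                keys[current][m.group(1).lower()] = m.group(2)
    return keys

def find_indicators(text):
    """Return (family, finding) pairs. Both AutoShare values at 0 is how Bat/Boohoo-A
    hides the admin shares, but it is also a legitimate hardening setting, so it
    is reported as corroborating evidence rather than proof on its own."""
    keys = parse_reg(text)
    hits = [(SUSPECT_RUN_VALUES[n], f"Run value {n} = {d}")
            for n, d in keys.get(RUN_KEY, {}).items() if n in SUSPECT_RUN_VALUES]
    lanman = keys.get(LANMAN_KEY, {})
    if all(lanman.get(v, "").lower() == "dword:00000000"
           for v in ("autosharewks", "autoshareserver")):
        hits.append(("Bat/Boohoo-A", "AutoShareWks and AutoShareServer both set to 0"))
    return hits
```

Running `find_indicators(SAMPLE_REG)` on the constructed export reports the drvrmanager and VideoDriver Run entries and the disabled administrative shares, while the benign ctfmon entry is ignored.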
