subject: News, April 11 2004
[cut-n-paste from sophos.com]
W32/Agobot-GA
Aliases
Backdoor.Agobot.li, W32/Gaobot.worm.gen.g, W32.Gaobot.WX, WORM_AGOBOT.WN
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Agobot-GA is a backdoor Trojan and worm which spreads to computers
protected by weak passwords.
When first run, W32/Agobot-GA moves itself to the Windows system folder
as windns32.exe and creates the following registry entries to run itself
on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinDNS
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinDNS
Each time W32/Agobot-GA is run it attempts to connect to a remote IRC
server and join a specific channel. It then runs continuously in the
background, allowing a remote intruder to access and control the
computer via IRC channels.
W32/Agobot-GA attempts to terminate and disable various anti-virus and
security related programs and modifies the HOSTS file located at
%Windows%\System32\Drivers\etc\HOSTS. Selected anti-virus websites are
mapped to the loopback address 127.0.0.1 in an attempt to prevent access
to these sites. Typically a long list of such mappings is appended to the
HOSTS file.
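A defender-side check for the HOSTS tampering described above, added here as an example (it is not Sophos code): it parses a Windows-format HOSTS file, reports any security-vendor hostname pinned to a loopback or unspecified address (the worm's blackholing technique) or redirected elsewhere, and returns a cleaned copy. The vendor domains are the ones named in the advisory; the sample HOSTS content is constructed.

```python
import ipaddress

# Vendor domains named in the Sophos advisory above; a production list would be longer.
VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "nai.com", "ca.com", "my-etrust.com",
    "trendmicro.com",
)

# Constructed sample in Windows HOSTS format (not taken from a real machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# entries mimicking what W32/Agobot-GA appends
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.sophos.com
0.0.0.0 update.symantec.com
192.0.2.10 www.mcafee.com    # redirected rather than blackholed
10.0.0.5 intranet.example.local
"""


def parse_hosts(text):
    """Yield (lineno, address, hostname) for each valid entry, skipping comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                              # blank, comment-only or malformed
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first field is not an IP address
        for host in parts[1:]:                    # one address may list several names
            yield lineno, addr, host.lower()


def is_vendor_host(host):
    """True if host is one of the vendor domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def find_hijacked(text):
    """Return (lineno, host, address, reason) for every vendor host pinned in HOSTS.

    A clean HOSTS file has no reason to carry vendor domains at all, so every such
    entry is reported; the reason separates the worm's blackholing from a redirect.
    """
    findings = []
    for lineno, addr, host in parse_hosts(text):
        if not is_vendor_host(host):
            continue
        if addr.is_loopback:
            reason = "loopback"
        elif addr.is_unspecified:
            reason = "unspecified"
        else:
            reason = "redirect"
        findings.append((lineno, host, str(addr), reason))
    return findings


def clean_hosts(text):
    """Return the HOSTS text with every line carrying a hijacked entry removed."""
    bad_lines = {lineno for lineno, _, _, _ in find_hijacked(text)}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), 1)
            if lineno not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, host, addr, reason in find_hijacked(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {addr} ({reason})")
```

On a real system the same functions can be pointed at %Windows%\System32\Drivers\etc\HOSTS; the cleaned text should be written back only after the malware itself has been removed, since the worm re-appends its entries each time it runs.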
W32/SdBot-CM
Aliases
W32/Sdbot.worm.gen, W32.Randex.gen, WORM_RBOT.C
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/SdBot-CM is a network worm and a backdoor Trojan which runs in the
background as a service process and allows unauthorised remote access to
the computer via IRC channels.
When executed W32/SdBot-CM copies itself to the Windows system folder
with the filename msgfix.exe and sets the following registry entries
with the path to the copy:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loader
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loader
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loader
W32/SdBot-CM attempts to copy itself to remote network shares with weak
passwords.
As a backdoor W32/SdBot-CM can be used to install and execute programs
on your computer, retrieve system information and flood other computers
with network packets.
The information the worm retrieves includes computer name, user name,
operating system, memory size and CD-keys for various games.
Troj/Webber-H
Aliases
TrojanDownloader.Win32.Small.hg, Trojan.Download.Berbew,
Downloader-DI trojan
Type
Trojan
Detection
Sophos has received several reports of this Trojan from the wild.
Description
Troj/Webber-H is a two component backdoor Trojan.
The downloader component of the Trojan appears to have been mass mailed
out.
When run the Trojan downloads a remote file to C:\windows\usermade.exe
and executes it.
The downloaded component is a password stealing Trojan that attempts to
extract sensitive information from several locations on the system and
sends it to a remote computer.
The downloaded component copies itself as a file with a random name into
the Windows system folder and drops and executes a DLL file, also with a
random name, that runs the copy of the Trojan.
In order to be started automatically the Trojan creates the following
registry entries:
HKLM\Software\CLASSES\CLSID\{79FB9088-19CE-715D-D900-216290C5B738}
\InProcServer32
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
\Web Event Logger
Troj/Webber-H also sets the following Microsoft Internet Explorer
related registry entries to prompt the user into entering passwords:
HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords
HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask
HKCU\Software\Microsoft\Internet Explorer\Main\Use FormSuggest
Troj/Dloader-N
Aliases
Download.Trojan
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Dloader-N is a Trojan downloader. When run the Trojan downloads a
remote file to C:\ass.exe and executes it. At the time of writing the
file it attempts to download did not exist.
W32/Sdbot-HB
Aliases
Backdoor.IRCBot.gen, Win32/IRCBot.CL
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Sdbot-HB is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Sdbot-HB spreads to network shares with weak passwords as a result
of the backdoor Trojan element receiving the appropriate command from a
remote user.
W32/Sdbot-HB copies itself to the Windows system folder as MPTCLOAXS.EXE
and creates an entry in the registry at the following location to run
itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
W32/Sdbot-HB attempts to terminate a number of processes relating to
anti-virus and security products, as well as some relating to
W32/Blaster-A and its variants, including the following:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ADVXDWIN.EXE
ALERTSVC.EXE
amon.exe
ANTITROJAN.EXE
ANTI-TROJAN.EXE
ANTS.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
bot.exe
CCAPP.EXE
CCEVTMGR.EXE
CCPXYSVC.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLEANER.EXE
CLEANER3.EXE
CONNECTIONMONITOR.EXE
CPD.EXE
CPDCLNT.EXE
dcomx.exe
DEFWATCH.EXE
DFW.EXE
drweb.exe
Drweb32w.exe
drweb386.exe
Drwebupw.exe
Drwebwcl.exe
DUMP.EXE
DUMP1.EXE
DUMPED.EXE
DUMPED1.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
enbiei.exe
ESAFE.EXE
ESPWATCH.EXE
EXPLORER32.EXE
F-AGNT95.EXE
FINDVIRU.EXE
FPROT.EXE
F-PROT.EXE
F-PROT95.EXE
FP-WIN.EXE
FRW.EXE
F-STOPW.EXE
GUARDDOG.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
index.exe
IOMON98.EXE
IRIS.EXE
JEDI.EXE
KILL.EXE
KILLER.EXE
KPF4GUI.EXE
KPF4SS.EXE
LDNETMON.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
lolx.exe
LOOKOUT.EXE
LordPE.EXE
LordPE32.EXE
LUALL.EXE
MINILOG.EXE
MOOLIVE.EXE
MPFTRAY.EXE
msblast.exe
MSCONFIG.EXE
mslaugh.exe
mspatch.exe
N32SCANW.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NDD32.EXE
NETSTAT.EXE
NETUTILS.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
nod.exe
nod32.exe
NORMIST.EXE
NPROTECT.EXE
NPSSVC.EXE
NTVDM.EXE
NUPGRADE.EXE
NVC95.EXE
NVSVC32.EXE
NWTOOL16.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
penis32.exe
PERSFW.EXE
PM.exe
POPROXY.EXE
PORTMONITOR.EXE
PRKILLER.EXE
PROCDUMP.EXE
PROCDUMP32.EXE
PS.EXE
PSKILL.EXE
PSLIST.EXE
RAV7.EXE
RAV7WIN.EXE
REGEDIT.EXE
RESCUE.EXE
root32.exe
rpc.exe
rpctest.exe
RTVSCN95.EXE
RUNDDL31.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
scvhost.exe
SERV95.EXE
SMC.EXE
SPHINX.EXE
spider.exe
Spiderml.exe
spidernt.exe
SWEEP95.EXE
SWNETSUP.EXE
SymProxySvc.exe
SYSCFG32.EXE
SYSOTRAY32.EXE
TASKKILL.EXE
TASKLIST.EXE
TASKMGR.EXE
TBSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TCPDUMP.EXE
TCPDUMP32.EXE
TDS2-98.EXE
TDS2-NT.EXE
teekids.exe
tftpd.exe
VET95.EXE
VETTRAY.EXE
VPC32.EXE
VPTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSMON.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE
WINDRIVER.EXE
WINEXEC.EXE
WINHEX.EXE
WINSOCK2_2.EXE
worm.exe
WRADMIN.EXE
WRCTRL.EXE
ZAPRO.EXE
ZONEALARM.EXE
W32/Agobot-FV
Aliases
W32.HLLW.Gaobot.gen
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Agobot-FV is an IRC backdoor Trojan and network worm.
W32/Agobot-FV is capable of spreading to computers on the local network
protected by weak passwords.
When first run W32/Agobot-FV copies itself to the Windows system folder
as regsvc32.exe and creates the following registry entries to run itself
on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Generic Service Process = regsvc32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Generic Service Process = regsvc32.exe
Each time W32/Agobot-FV is run it attempts to connect to a remote IRC
server and join a specific channel.
W32/Agobot-FV then runs continuously in the background, allowing a
remote intruder to access and control the computer via IRC channels.
W32/Agobot-FV attempts to terminate and disable various anti-virus and
security-related programs.
W32/Netsky-T
Aliases
W32/Netsky.t{at}MM, W32.Netsky.T{at}mm, WORM_NETSKY.T
Type
Win32 executable file virus
Detection
Sophos has received many reports of this virus from the wild.
Description
W32/Netsky-T is a mass mailing worm with a backdoor component which is
functionally identical to W32/Netsky-S. Please refer to W32/Netsky-S for
further details.
W32/Lovgate-V
Aliases
WORM_LOVGATE.W
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Lovgate-V is a variant of the W32/Lovgate family of worms that
spread via email, network shares and filesharing networks.
W32/Lovgate-V copies itself to the Windows system folder as the files
WinHelp.exe, iexplore.exe, kernel66.dll and ravmond.exe and to the
Windows folder as systra.exe.
The worm also drops the files msjdbc11.dll, mssign30.dll and odbc16.dll
which provide unauthorised remote access to the computer over a network.
The worm drops ZIP files containing a copy of the worm onto accessible
drives. The ZIP file may also carry a RAR extension. The name of the
packed file is chosen from the following list:
WORK
setup
important
bak
letter
pass
The name of the contained unpacked file is either PassWord, email or
book, with a file extension of EXE, SCR, PIF or COM.
In order to run automatically when Windows starts up W32/Lovgate-V
creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Hardware Profile = \hxdef.exe
Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
WinHelp = \WinHelp.exe
Program In Windows = \IEXPLORE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SystemTra =
\SysTra.EXE
HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run =
RAVMOND.exe
In addition W32/Lovgate-V copies itself to the file command.exe in the
root folder and creates the file autorun.inf there containing an entry
to run the dropped file upon system startup.
W32/Lovgate-V spreads by email. Email addresses are harvested from WAB,
TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL files found on the system.
Emails have the following characteristics:
Subject line:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message text:
It's the long-awaited film version of the Broadway hit. The message sent
as a binary attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail failed. For further assistance, please contact!
Attached file:
document
readme
doc
text
file
data
test
message
body
followed by ZIP, EXE, PIF or SCR.
W32/Lovgate-V also enables sharing of the Windows media folder and
copies itself there using various filenames.
The worm also attempts to reply to emails found in the user's inbox
using the following filenames as attachments:
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe
The worm attempts to spread by copying itself to mounted shares using
one of the following filenames:
mmc.exe
xcopy.exe
winhlp32.exe
i386.exe
client.exe
findpass.exe
autoexec.bat
MSDN.ZIP.pif
Cain.pif
WindowsUpdate.pif
Support Tools.exe
Windows Media Player.zip.exe
Microsoft Office.exe
Documents and Settings.txt.exe
Internet Explorer.bat
WinRAR.exe
W32/Lovgate-V also attempts to spread via weakly protected remote shares
by connecting using a password from an internal dictionary and copying
itself as the file NetManager.exe to the system folder on the admin$
share.
After successfully copying the file W32/Lovgate-V attempts to start it
as the service "Windows Managment Network Service Extensions" on the
remote computer.
W32/Lovgate-V starts a logging thread that listens on port 6000, sends a
notification email to an external address and logs received data to the
file C:\Netlog.txt.
W32/Lovgate-V attempts to terminate processes containing the following
strings:
rising
SkyNet
Symantec
McAfee
Gate
Rfw.exe
RavMon.exe
kill
Nav
Duba
KAV
KV
W32/Lovgate-V also overwrites EXE files on the system with copies of
itself. The original files are saved with a ZMX extension.
Troj/Small-AG
Aliases
TrojanDownloader.Win32.Small.fv, Win32/TrojanDownloader.Esepor.G
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Small-AG will download and install a Trojan when executed.
The installed Trojan will drop the hidden files TMKSRVU.EXE and
XPLUGIN.DLL into the Windows System folder and a small text file, HOSTS,
into the Windows folder upon execution. The following registry entry
will be created:
HKLM\Software\TMKSoft\XPlugin\
This Trojan will attempt to connect to the following sites:
a1monitor.com
alltracksgone.com
allspamgone.com
adsgone.com
freepassbucks.com
webpower.com
WebPower.com
xxxod.net
online-dialer.com
coolwebsearch.com
umaxsearch.com
msn.com
altavista.com
yahoo.com
google.com
Troj/Small-AG may also try to display adverts from these websites:
http://www.xxxod.net
http://connect.online-dialer.com
http://download.online-dialer.com
http://www.adultfriendfinder.com
http://www.freepassbucks.com
W32/Nackbot-D
Aliases
Backdoor.Agobot.jy, W32.Randex.gen
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Nackbot-D is a peer-to-peer (P2P) worm which spreads via shared
folders and has IRC backdoor functionality.
When run the worm copies itself to the Windows System (or System32)
folder as the file MSCLOCK.EXE. To ensure that the worm is run each time
Windows is started W32/Nackbot-D creates the registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Digital Clock = msclock.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Digital Clock = msclock.exe
W32/Nackbot-D attempts to spread to randomly chosen IP addresses. The
worm attempts to access the C$, D$, E$ and Admin$ shares of the target
computer using a list of passwords contained within the worm. The worm
then copies itself to the Windows System (or System32) folder on the
target computer as MSCLOCK.EXE.
W32/Nackbot-D contains backdoor components which can be controlled by a
remote attacker via IRC. The backdoor functions include the ability to
launch a distributed denial-of-service attack (DDoS).
W32/Nackbot-D searches for the following virus, anti-virus and
security-related processes and terminates them if they are running:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ADVXDWIN.EXE
ALERTSVC.EXE
amon.exe
ANTI-TROJAN.EXE
ANTITROJAN.EXE
ANTS.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
bot.exe
CCAPP.EXE
CCEVTMGR.EXE
CCPXYSVC.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLEANER.EXE
CLEANER3.EXE
COMMVIEW.EXE
COMMVIEW32.EXE
CONNECTIONMONITOR.EXE
CPD.EXE
CPDCLNT.EXE
dcomx.exe
DEFWATCH.EXE
DFW.EXE
drweb.exe
Drweb32w.exe
drweb386.exe
Drwebupw.exe
Drwebwcl.exe
DUMP.EXE
DUMP1.EXE
DUMPED.EXE
DUMPED1.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
EETHERCAP.EXE
EETHERCAP32.EXE
enbiei.exe
ESAFE.EXE
ESPWATCH.EXE
ETHERCAP.EXE
ETHERCAP32.EXE
EXPLORER32.EXE
F-AGNT95.EXE
F-PROT.EXE
F-PROT95.EXE
F-STOPW.EXE
FINDVIRU.EXE
FP-WIN.EXE
FPROT.EXE
FRW.EXE
GUARDDOG.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
index.exe
IOMON98.EXE
IRIS.EXE
JEDI.EXE
KILL.EXE
KILLER.EXE
KPF4GUI.EXE
KPF4SS.EXE
LDNETMON.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
lolx.exe
LOOKOUT.EXE
LordPE.EXE
LordPE32.EXE
LUALL.EXE
MINILOG.EXE
MOOLIVE.EXE
MPFTRAY.EXE
MSBLAST.EXE
MSCONFIG.EXE
mslaugh.exe
mspatch.exe
N32SCANW.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NDD32.EXE
NETSTAT.EXE
NETUTILS.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
nod.exe
nod32.exe
NORMIST.EXE
NPROTECT.EXE
NPSSVC.EXE
NTVDM.EXE
NUPGRADE.EXE
NVC95.EXE
NVSVC32.EXE
NWTOOL16.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
penis32.exe
PERSFW.EXE
PM.exe
POPROXY.EXE
PORTMONITOR.EXE
PRKILLER.EXE
PROCDUMP.EXE
PROCDUMP32.EXE
PS.EXE
PSKILL.EXE
PSLIST.EXE
RAV7.EXE
RAV7WIN.EXE
REGEDIT.EXE
RESCUE.EXE
root32.exe
rpc.exe
rpctest.exe
RTVSCN95.EXE
RUNDDL31.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
scvhost.exe
SERV95.EXE
SMC.EXE
SPHINX.EXE
spider.exe
Spiderml.exe
spidernt.exe
SWEEP95.EXE
SWNETSUP.EXE
SymProxySvc.exe
SYSCFG32.EXE
SYSOTRAY32.EXE
TASKKILL.EXE
TASKLIST.EXE
TASKMGR.EXE
TBSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TCPDUMP.EXE
TCPDUMP32.EXE
TDS2-98.EXE
TDS2-NT.EXE
teekids.exe
tftpd.exe
VET95.EXE
VETTRAY.EXE
VPC32.EXE
VPTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSMON.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE
WINDRIVER.EXE
WINEXEC.EXE
WINHEX.EXE
WINSOCK2.2.EXE
worm.exe
WRADMIN.EXE
WRCTRL.EXE
ZAPRO.EXE
ZLCLIENT.EXE
zlclient.exe
ZONEALARM.EXE
W32/Nackbot-D can also be used to steal the Windows Product ID and the
CD keys from several computer games including:
Half-Life
Counter-Strike
Unreal Tournament 2003
Unreal Tournament 2004
Project IGI 2
Battlefield 1942
Battlefield: Vietnam
Battlefield 1942: Road To Rome
Rainbow Six III RavenShield
Neverwinter Nights
Soldier of Fortune II - Double Helix
Need For Speed Hot Pursuit 2
FIFA 2003
Command & Conquer: Generals
W32/Netsky-S
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Netsky-S is a mass mailing worm with a backdoor component. The worm
copies itself to the Windows folder using the name EasyAV.exe, creates a
file called uinmzertinmds.opm (a base64 encoded form of the worm) and
sets the following registry entry to auto start on user login:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EasyAV =
\EasyAV.exe
W32/Netsky-S has a backdoor component listening for connections on TCP
port 6789 allowing an unauthorised program to download and execute
arbitrary code on the infected computer.
The worm harvests email addresses from files on the local drives with
the following extensions:
SHT, ADB, TBB, WAB, DBX, OFT, DOC, MSG
Generated emails typically have the following form:
Subject lines:
Hi
Hello
Re: Hi
Re: Hello
Approved
Re: Approved
Thank you!
Re: Thanks you!
Request
Re: Request
Your document
Re: Your document
Your details
Re: Your details
Your information
Re: Your information
My details
Important
Re: Important
Message texts:
Hi!
Hello!
Please read the .
Please have a look at the .
Here is the .
The is attached.
Please see the .
I have sent the .
The requested is attached!
Here is the document.
See the document for details.
Please have a look at the attached document.
Please read the attached document.
Your file is attached to this mail.
Please, .
Your is attached.
My is attached.
I have found the .
Approved, here is the document.
For more information see the attached document.
For more details see the attached document.
Please read quickly.
Please notice the attached document.
Please notice the attached .
Your .
I have spent much time for your document.
I have spent much time for the .
The .
My .
Note that I have attached your document.
Thanks
Thank you
Yours sincerely
+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new Panda OnlineAntiVirus
+++ Website: www.pandasoftware.com
+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new MCAfee OnlineAntiVirus
+++ Homepage: www.mcafee.com
+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new F-Secure OnlineAntiVirus'
+++ Visit us: www.f-secure.com
Attached file:
approved_file
list
corrected_document
archive
abuse_list
presentation_document
instructions
details
improved_document
note
message
contact_list
number_list
file
secound_document
improved_file
user_list
textfile
new_document
text
information
info
word_document
excel_document
powerpoint_document
detailed_document
homepage
letter
mail
document
old_document
approved_document
movie_document
picture_document
summary
description
requested_document
notice
bill
answer
release
final version
diggest
important_document
order
photo_document
personal_message
phone_number
e-mail
icq number
report
story
concept
developement
sample
postcard
account
Note that the attached filename is concatenated with a random digit and has
a PIF extension.
Between 14 and 23 April 2004 the worm will attempt a denial of service
attack on the following sites by continuously requesting web pages from
them:
www.cracks.am
www.emule.de
www.kazaa.com
www.freemule.net
www.keygen.us
W32/Sober-F
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Sober-F is a mass mailing worm which sends itself to addresses
harvested from the local computer.
When first run the worm creates a TXT file called .TXT in
the Temp folder and displays its contents using NOTEPAD.EXE. The text
file begins with the text:
"#Mail Transaction Failed
#This mail couldn't be converted
---------------- Damage #Mime base64# part ----------------
"
The worm copies itself to the Windows system folder as an EXE file with
a name that is constructed from the following:
sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag,
spool, service, smss32
and sets the following registry entry to ensure it is run at system
logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\=
\ %1
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SOURCE: echomail via fidonet.ozzmosis.com