echo: virus_info
to: ALL
from: KURT WISMER
date: 2004-02-08 17:12:00
subject: News

[cut-n-paste from sophos.com]

Troj/Sdbot-FM

Aliases
Backdoor.SdBot.gen, BKDR_Sdbot.Gen

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Sdbot-FM is a backdoor Trojan which runs in the background as a 
service process and allows unauthorised remote access to the computer 
via IRC channels.

The Trojan copies itself to the Windows system folder as svch0st.exe and 
creates entries in the registry at the following locations to run itself 
on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

The Trojan remains resident, listening for commands from remote users. 
If it receives the appropriate command the Trojan attempts to drop and 
execute a batch file detected as Bat/Botsecure-A in order to change the 
user's security settings.





W32/Agobot-CP

Aliases
Backdoor.Agobot.3.gen

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-CP is an IRC backdoor Trojan and network worm.

W32/Agobot-CP copies itself to network shares with weak passwords and 
attempts to spread to computers using the DCOM RPC and the RPC locator 
vulnerabilities.

These vulnerabilities allow the worm to execute its code on target 
computers with System-level privileges. For further information on 
these vulnerabilities and for details on how to protect/patch the 
computer against such attacks please see Microsoft security bulletins 
MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft 
security bulletin MS03-039.

When first run, W32/Agobot-CP copies itself to the Windows system32 
folder with the filename winpn32.exe and creates the following registry 
entries so that the worm is run when Windows starts up:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinPN32
= winpn32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\WinPN32
= winpn32.exe

W32/Agobot-CP connects to a remote IRC server and joins a specific 
channel. The backdoor functionality of the worm can then be accessed by 
an attacker using the IRC network.

The worm also attempts to terminate and disable various security-related 
programs.





W32/Mimail-T

Aliases
W32/Mimail.gen@MM

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Mimail-T is an email worm.

W32/Mimail-T copies itself to the Windows folder with the filename 
kaspersky.exe and sets the following registry entry so as to run itself 
on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv

W32/Mimail-T contains the following text:

"*** GLOBAL WARNING: if any free email company or hosting company will 
close/filter my email/site accounts, it will be DDoS'ed in next version.

WARNING: centrum.cz will be DDoS'ed in next versions, coz they have 
closed my mimail-email account. Who next? ***"





W32/Holar-J

Aliases
W32.Galil.F@mm

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Holar-J is a worm which spreads by emailing itself via SMTP or via 
Microsoft Outlook. The worm also attempts to spread via MSN Messenger.

When run for the first time the worm displays the following false error 
message:

"The WinZip Wizard cannot open this file it does not apear to be a valid 
archive. if you downloaded this file, try downloading it again. if you 
want to add this file to an archive, first create or open the archive, 
then drop the file again."

W32/Holar-J is composed of a main dropper which drops and executes the 
files SYSCHK.EXE and SMTP.OCX within the Windows system folder. 
SMTP.OCX contains the worm's SMTP functionality and is detected by 
Sophos as W32/Holar-G.

The dropper also creates copies of SYSCHK.EXE as MIZZABBAT.EXE in the 
Windows folder and as ZACKER.EXE in a new folder called SYS32S within 
the Windows folder.

The worm creates an entry in the registry at the following location to 
run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemChecker

W32/Holar-J creates the following CAB archives which contain the file 
RUNHELP.INF:

C:\RUNHELP.CAB
C:\SYS32S\RUNHELP.CAB

RUNHELP.INF attempts to run the file ZACKER.EXE.

W32/Holar-J also creates a file called FOLDER.HTT in the Windows web 
folder.

Emails have the following characteristics:

the subject line and message text may be absent or may be combinations 
of the following:
"Fw:"
"Re:"
"hey Check this out :)"
"Hey I thought you trusted me but ... i haven't thought i should send u 
my briefcase to gain ur Trust. Have it all :) bye"
"Hey Wussap? Here is the Emmy :) Dont tell Sam abt it Cya"
"Another one?"
"Heyyyy I lost the other email , anyway i sent u all u need Cya"
"Hey i have just got it , plz tell me if u need more. bye"
"Heyyyyyyyy Lola Wussaaap?? I forgot to tell u , the other file is with 
Sam:) bye"
"YO DUMP , IM SICK OF UR EMAILS , IF U LOSE IT AGAIN I WONT GIVE IT TO 
U, SAVE BYEEE"
"Hey wussap?i lost Sara's Email plzz send this file to her :) and tell 
her i can't be online tonight bye"
"heyyy I can't be online tonight :( anyway , i sent u something u r 
gonna love :) cya tomorrow"
"Hi i just wanted to say sorry for last night and .. i wish u accept 
this as an apology bye dear"
"elegant ppl should satisfy thier taste with elegant things :) Wait for 
more :)"
"I've got your email , but you forgot to upload the attachments. Don't 
be selfish , i sent you all the files i have, send me anything :( bye"
"heyyy i tried many times to send u this email but ur account was out of 
storage ss i any way , make sure that i didn't and i won't forget u :) 
Cya Forgotten :P"
"i thing the subject is enough to describe the attached file ! check it 
out and replay your opinion Cya"
"Hiiiiiii i've got this surprise from a friend :) it really deserves a 
few minutes of your time. Bye"
"Never mind !"
"Attatchments"
"See the attatched file"
"you seem to be mad @ me coz i didn't send u anything for along time, i 
didn't forget u , but i was kinda busy , i've got all of ur emails thanx 
:) and i hope u accept this one as an apology."
"gift"
"Surprise!"
"Hi i'm fine , thanx for asking :) and thanx for the nice attachements. 
but unfortunately, i don't remember you i will be waiting for u emaill 
to remind me of your self. Hummm , i hope u accept this show as an 
apology. bye"
"save it for hard times"
"Happy Times :)"
"Useful"
"Very funny"
"hey wuts up? cyaaa"
"you have to see this!"
"amazing!"

the attached file can have one of the following extensions:

UUE, MIM, HQX, UU, XXE, BHX, EXE

W32/Holar-J deletes files with the following extensions:

JPG, DOC, PPS, RAM, RM, XLS, MDB, RAR, MPEG, MPG, AVI, MPE, ASF





W32/Agobot-CS

Aliases
W32.HLLW.Gaobot.gen

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-CS is an IRC backdoor Trojan and network worm that copies 
itself to network shares with weak passwords.

When first run, W32/Agobot-CS copies itself to the Windows system folder 
as spolsv.exe and creates the following registry entries to ensure it is 
run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SpoolService= spolsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
SpoolService= spolsv.exe

Each time W32/Agobot-CS is run it attempts to connect to a remote IRC 
server and join a specific channel.

W32/Agobot-CS then runs continuously in the background, allowing a 
remote intruder to access and control the computer via IRC channels.

W32/Agobot-CS collects system information and registration keys of 
popular games that are installed on the computer.

The worm also attempts to terminate and disable various 
security-related programs.





W32/Agobot-P

Aliases
Backdoor.Agobot.3.co, WORM_AGOBOT.U

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-P is an IRC backdoor Trojan and network worm.

W32/Agobot-P copies itself to network shares with weak passwords and 
attempts to spread to computers using the DCOM RPC and the RPC locator 
vulnerabilities.

These vulnerabilities allow the worm to execute its code on target 
computers with System-level privileges. For further information on 
these vulnerabilities and for details on how to protect/patch the 
computer against such attacks please see Microsoft security bulletins 
MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft 
security bulletin MS03-039.

When first run, W32/Agobot-P copies itself to the Windows System32 
folder with the filename systems.exe and creates the following registry 
entries so that the worm is run when Windows starts up:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IISADMINS
= systems.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\IISADMINS
= systems.exe

W32/Agobot-P connects to a remote IRC server and joins a specific 
channel. The backdoor functionality of the worm can then be accessed by 
an attacker using the IRC network.

The worm also attempts to terminate and disable various 
security-related programs.





W32/SdBot-W

Aliases
Backdoor.SdBot.gen, W32/Sdbot.worm.gen, BKDR_SDBOT.GEN

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/SdBot-W is a worm that attempts to spread to remote shares which 
have weak passwords. The worm also allows unauthorised remote access to 
the computer via IRC channels.

W32/SdBot-W copies itself to the Windows system folder as ADVAP.EXE and 
creates entries in the registry in the following locations to run itself 
on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
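Every family in the post above persists the same way: a copy of itself in the Windows (or system32) folder under a name chosen to look like a Windows binary (svch0st.exe, spolsv.exe) or a security product (kaspersky.exe), plus a value under HKLM\...\CurrentVersion\Run and, for cross-version coverage, RunServices. The script below is an added example, not part of the post or of the Sophos text: it parses a `reg export` of those two keys and flags the value names and file names quoted in the advisories, then falls back to a lookalike check against real Windows process names. The .reg text is constructed; the ctfmon.exe, "Windows Update" and OldApp entries are assumptions added to show a clean entry, a lookalike that matches no advisory, and a RunServices entry that matches nothing.

```python
import re

# Constructed sample of what `reg export` writes for the two autorun keys
# (Windows 5.00 .reg format; backslashes and quotes in data are escaped
# with a backslash). Names and files are from the advisories above except
# ctfmon.exe, "Windows Update" and OldApp, which are assumed for the demo.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinPN32"="winpn32.exe"
"KasperskyAv"="C:\\WINDOWS\\kaspersky.exe"
"Updater"="C:\\WINDOWS\\system32\\svch0st.exe"
"Windows Update"="C:\\WINDOWS\\system32\\svchosts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SpoolService"="spolsv.exe"
"IISADMINS"="systems.exe"
"OldApp"="C:\\OLDAPP\\oldapp.exe"
'''

AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}

# (family, value name, file name) as stated in the advisories; None means
# the advisory does not give that part.
INDICATORS = [
    ("Troj/Sdbot-FM", None,            "svch0st.exe"),
    ("W32/Agobot-CP", "winpn32",       "winpn32.exe"),
    ("W32/Mimail-T",  "kasperskyav",   "kaspersky.exe"),
    ("W32/Holar-J",   "systemchecker", None),
    ("W32/Agobot-CS", "spoolservice",  "spolsv.exe"),
    ("W32/Agobot-P",  "iisadmins",     "systems.exe"),
    ("W32/SdBot-W",   None,            "advap.exe"),
]

# Real Windows binaries that the file names above imitate.
LEGIT_NAMES = ["svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe",
               "winlogon.exe", "services.exe", "explorer.exe"]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg escapes '\' and '"' with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return [(key, value_name, data)] for the REG_SZ values in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def basename(data):
    """Lowercased file name of the command in an autorun value (path and arguments removed)."""
    s = data.strip()
    if s.startswith('"'):
        token = s[1:].split('"', 1)[0]          # quoted path, may contain spaces
    else:
        parts = s.split()
        token = parts[0] if parts else ""
    return re.split(r"[\\/]", token)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance; 1 catches one dropped, added or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scan_autoruns(reg_text):
    """Return [(value_name, file_name, reason)] for suspicious Run/RunServices entries."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        fname = basename(data)
        for family, ind_name, ind_file in INDICATORS:
            if (ind_name and name.lower() == ind_name) or (ind_file and fname == ind_file):
                findings.append((name, fname, "matches " + family))
                break
        else:
            for legit in LEGIT_NAMES:
                if fname != legit and edit_distance(fname, legit) == 1:
                    findings.append((name, fname, "lookalike of " + legit))
                    break
            else:
                # Only Windows 9x/ME process RunServices; on the NT family a
                # populated key is worth listing even when nothing matches.
                if key.lower().endswith("\\runservices"):
                    findings.append((name, fname, "value in RunServices (ignored by NT-family Windows)"))
    return findings


if __name__ == "__main__":
    for name, fname, reason in scan_autoruns(SAMPLE_REG_EXPORT):
        print(f"{name:15} {fname:15} {reason}")
```

On a real host, export both keys with `reg export` and read the files with `encoding="utf-16"`, since Windows writes 5.00-format .reg files as UTF-16 with a BOM. The indicator match takes priority over the lookalike check, so spolsv.exe is reported as W32/Agobot-CS rather than as a spoolsv.exe imitation; the lookalike rule is there for the next variant that picks a new name.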
