[cut-n-paste from sophos.com]
W32/Agobot-Q
Aliases
Backdoor.Agobot.3, WORM_AGOBOT.P, W32.HLLW.GAOBOT.AA, W32/Gaobot.worm.y
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Agobot-Q is a network aware worm and backdoor Trojan that allows
unauthorised remote access to a computer.
When an attacker connects to the backdoor via a specific IRC channel
they will be able to issue commands that cause the worm to scan the
internet for computers to copy itself to. The scan will target network
shares with weak passwords and computers vulnerable to both the DCOM
RPC vulnerability and the locator service vulnerability. Patches for
these two vulnerabilities are available from Microsoft at
www.microsoft.com/technet/security/bulletin/MS03-026.asp and
www.microsoft.com/technet/security/bulletin/MS03-001.asp
respectively.
W32/Agobot-Q is copied to the Windows system folder with the filenames
svchosl.exe and winhl32.exe and adds the following entries to the
registry so that the Trojan is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Config Loader = svchosl.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Config Loader = svchosl.exe
W32/Pandem-B
Aliases
W32.Pandem.B.Worm, W32.Squirm{at}mm
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Pandem-B is a worm which spreads via email, by copying itself to
the shared folders of various peer-to-peer networks (e.g. KaZaA,
Morpheus, eDonkey2000) and via IRC channels.
The worm displays the messages
"Security Patch 329390
Patching system... Wait" and
"Security Patch 329390
Patched. Thanks for using Microsoft Windows".
W32/Pandem-B then drops the file ZLIB.DLL (a legitimate compression
library) into the Windows system folder and copies itself to the Windows
folder as CPUMGR.EXE.
The worm creates the following registry entry to run itself on system
restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CPU Manager
= \CPUMGR.EXE
The worm also drops PHOTO.ZIP (a zipped copy of the worm called
COOL.SCR), CPUMGR.DLL (an encoded copy of the worm) and PDMN.SMT (a
text file containing the SMTP domain) in the Windows folder.
Emails sent by the worm have the following characteristics:
From: support{at}microsoft.com
Subject line: "Microsoft Security Bulletin"
Message text:
"Unchecked Buffer in Windows Explorer Could Enable System Compromise
(329390)
Summary
Who should read this bulletin: Customers using Microsoft Windows 95,98,
2K,ME,XP
Impact of vulnerability: Run code of an attackers choice
Maximum Severity Rating: Critical
Recommendation: Customers using Microsoft Windows 95,98,2K,ME,XP should
apply
the patch immediately."
Attached file: PATCH.ZIP (containing PATCH_329390.EXE).
W32/Pandem-B also attempts to copy itself to several locations within
peer-to-peer shared folders, for example:
c:\program files\gnucleus\downloads\incoming\ICQ Hack.exe
c:\program files\grokster\my grokster\Connection Booster.exe
c:\program files\gnucleus\downloads\incoming\Hotmail Hack.exe
c:\program files\gnucleus\downloads\incoming\Norton keygen-All vers.exe
c:\program files\KaZaa Lite\My Shared Folder\Hacker.scr
c:\program files\KaZaa Lite\My Shared Folder\credit card.exe
c:\program files\BearShare\Shared\Cracks Collections.exe
c:\program files\icq\shared files\Matrix Reloaded.scr
W32/Pandem-B also allows unauthorised access to the computer over a
network. The worm listens on port 61282 for commands from a remote
attacker.
Troj/Bdoor-RQ
Type
Trojan
Detection
At the time of writing Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Bdoor-RQ is a modified copy of the netcat utility, used to read
and write data over network connections.
This modified version is coded to listen on a specific port and return
a command prompt to an attacker when they telnet to that port. The
versions of this modified tool seen by Sophos Anti-Virus listen on
ports 99, 1984 and 5000.
W32/Dumaru-A
Type
Win32 executable file virus
Detection
At the time of writing Sophos has received just one report of this
virus from the wild.
Description
W32/Dumaru-A is a virus that spreads using email and infects other
executables using NTFS alternate data streams.
The virus arrives in an email message with the following
characteristics:
Sender: "Microsoft"
Subject line: Use this patch immediately !
Message text: Dear friend, use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
Attached file: patch.exe
When the attachment is run W32/Dumaru-A copies itself into the Windows
folder as dllreg.exe and into the Windows system folder as load32.exe
and vxdmgr32.exe.
W32/Dumaru-A drops and runs \windrv.exe. Windrv.exe is a
backdoor Trojan detected by Sophos Anti-Virus as Troj/Narod-B.
The virus creates the registry value load32 of the registry key
\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the virus file \load32.exe is run on Windows
startup.
W32/Dumaru-A also modifies the system files system.ini and win.ini. The
shell entry of the [boot] section in system.ini is changed to reference
the virus file vxdmgr32 in the Windows system folder, and a run entry is
created in the [windows] section of win.ini to reference the virus file
dllreg.exe in the Windows folder.
W32/Dumaru-A has its own SMTP engine and attempts to collect email
addresses by searching the content of files with the extensions WAB,
HTM, HTML, DBX, ABD and TBB.
On systems with NTFS the virus attempts to infect all PE executable
files by replacing the original file with a copy of itself and saving
the original file in an alternate data stream STR.
W32/Sobig-F
Aliases
I-Worm.Sobig.f, W32/Sobig.F-mm, W32/Sobig.f{at}MM, WORM_SOBIG.F
Type
Win32 worm
Detection
Sophos has received many reports of this worm from the wild.
Description
W32/Sobig-F is a worm that spreads via email.
W32/Sobig-F copies itself to the Windows folder as winppr32.exe and
sets one of the following registry entries (both point at the same
file) so that it runs when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
= \winppr32.exe /sinc
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
= \winppr32.exe /sinc
W32/Nachi-A
Aliases
W32/Nachi.worm, WORM_MSBLAST.D, Lovsan.D, W32.Welchia.Worm, Welchi
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Nachi-A is a worm that spreads using the RPC DCOM vulnerability in
a similar fashion to the W32/Blaster-A worm.
Microsoft issued a patch for the vulnerability exploited by this worm
on July 16, 2003. The patch is available from
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.
The worm also attempts to spread using a buffer overflow in the
ntdll.dll library present in several versions of Microsoft Windows. The
exploit is delivered in a WebDAV SEARCH request (the IIS 5.0 WebDAV
vulnerability). Microsoft issued a patch for this vulnerability on
March 17, 2003. The patch is available from
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp.
W32/Nachi-A uses two files, dllhost.exe (10,240 bytes) and svchost.exe
(19,728 bytes). Dllhost.exe is the main worm component and svchost.exe
is a standard TFTP (Trivial File Transfer Protocol) server that is only
used by the worm to transfer itself from a source to a target machine.
When the worm is run, it copies itself into the <Windows System>\Wins
folder as dllhost.exe and uses the Windows Service Control Manager to
create new Windows Services. The services RpcPatch and RpcTftpd are
created.
RpcPatch, with the description "Network Connections Sharing", runs the
copy of the worm and RpcTftpd, with the description "WINS Client", runs
the accompanying TFTP server.
The worm then scans the network for computers on which to run its
exploits.
An ICMP echo request (ping) is sent first to check whether a host is
online. The ping is followed by a WebDAV SEARCH request or an RPC DCOM
exploit. If the exploit is successful W32/Nachi-A uses tftp.exe on the
target to copy the worm files from the infecting system.
Once the system is infected, W32/Nachi-A attempts to download and run
the MS03-026 security patch (KB823980) from Microsoft's download site.
Depending on the operating system language W32/Nachi-A chooses the
download URL from the following list:
http://download.microsoft.com/download/6/9/5/6957d785-fb7a-4ac9-b1e6-
cb99b62f9f2a/Windows2000-KB823980-x86-KOR.exe
http://download.microsoft.com/download/5/8/f/58fa7161-8db3-4af4-b576-
0a56b0a9d8e6/Windows2000-KB823980-x86-CHT.exe
http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-
b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
http://download.microsoft.com/download/e/3/1/e31b9d29-f650-4078-8a76-
3e81eb4554f6/WindowsXP-KB823980-x86-KOR.exe
http://download.microsoft.com/download/2/3/6/236eaaa3-380b-4507-9ac2-
6cec324b3ce8/WindowsXP-KB823980-x86-CHT.exe
http://download.microsoft.com/download/a/a/5/aa56d061-3a38-44af-8d48-
85e42de9d2c0/WindowsXP-KB823980-x86-CHS.exe
http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-
b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
If the security patch is successfully downloaded W32/Nachi-A attempts
to restart the system.
When the main service routine is launched, W32/Nachi-A checks for the
existence of the process name and the filename of W32/Blaster-A. If the
process exists W32/Nachi-A attempts to terminate it and to remove the
file.
W32/Nachi-A removes itself from the system if the system date is 1
January 2004 or later.
The worm contains the following text which does not get displayed:
=========== I love my wife & baby :)~~~ Welcome Chian~~~ Notice: 2004
will remove myself:)~~ sorry zhongli~~~=========== wins
Troj/Graybird-A
Aliases
Backdoor.GrayBird.g, BKDR_GRAYBIRD.B
Type
Trojan
Detection
At the time of writing Sophos has received no reports from users
affected by this Trojan. However, we have issued this advisory
following enquiries to our support department from customers.
Description
Troj/Graybird-A is a backdoor Trojan. When run on a victim's computer
that computer will become vulnerable to unauthorised access attacks.
Troj/Graybird-A copies itself to the Windows system folder with the
filename spoolsv.exe and sets the following registry entries so that
the Trojan is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SPOOLSV
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SPOOLSV
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SPOOLSV
A 'Run' entry will be added to the file win.ini which will also cause
the Trojan to be run when Windows starts up.
The Trojan may be distributed in an email with the following
characteristics:
Subject line: updated
Message text: Dear customer:
At 11:34 A.M. Pacific Time on August 13, Microsoft began investigating
a worm reported by Microsoft Product Support Services (PSS). A new worm
commonly known as W32.Blaster.Worm has been identified that exploits
the vulnerability that was addressed by Microsoft Security Bulletin
MS03-026.
Download the attached update program. To begin the download process, do
one of the following:
To download the attached program to your computer for installation at
a later time, click Save or Save this program to disk.then run it. If
you have any problem, connect to us immediately.
Attached file: 03-26updated.exe
W32/Donk-C
Aliases
Backdoor.SdBot.gen, W32/Sdbot.worm.gen, W32.HLLW.Moega
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Donk-C is a worm which copies itself around your network. The worm
also includes backdoor functionality which allows unauthorised
outsiders to control your computer through IRC channels.
When W32/Donk-C runs, it creates a copy of itself called scchost.exe
in your Windows System folder. It also sets the following entries in
the registry so it runs automatically every time you start up your
computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loaded = "wupdated.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loaded = "wupdated.exe"
W32/Donk-C includes a backdoor Trojan which can be used to install and
execute programs on your computer, as well as to flood other computers
with network packets from your PC.
W32/Donk-C creates the file r.bat in your temporary folder. This file
is not malicious by itself and can simply be deleted.
W32/Blaster-B
Aliases
W32/Lovsan.worm, W32.Blaster.Worm, WORM_MSBLAST.A, Win32.Poza,
Worm/Lovsan.A
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Blaster-B is functionally equivalent to W32/Blaster-A, except that
this variant uses the filename teekids.exe and the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Inet Xp..
The worm contains an internal message which does not get displayed. The
message is different from the one contained in W32/Blaster-A and says
the following:
Microsoft can suck my left testi!
Bill Gates can suck my right testi!
And All Antivirus Makers Can Suck My Big Fat Cock
Microsoft issued a patch for the vulnerability exploited by this worm
on July 16, 2003. The patch is available from
www.microsoft.com/technet/security/bulletin/MS03-026.asp.
W32/RpcSpybot-A
Aliases
Win32:RPCexploit, Backdoor.Sdbot.au, TrojanDropper.Win32.Small.bd,
Exploit-DcomRPC, WORM_RPCSDBOT.A, W32.Randex.E
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/RpcSpybot-A is a worm that exploits the RPC/DCOM vulnerability on
computers running the Windows operating system to spread. The worm has
a backdoor component that allows a malicious user remote access to an
infected computer.
Microsoft issued a patch for the vulnerability exploited by this worm
on July 16, 2003. The patch is available from
www.microsoft.com/technet/security/bulletin/MS03-026.asp.
W32/Blaster-A
Aliases
W32/Lovsan.worm, W32.Blaster.Worm, WORM_MSBLAST.A, Win32.Poza,
Worm/Lovsan.A
Type
Win32 worm
Detection
Sophos has received many reports of this worm from the wild.
Description
W32/Blaster-A is a worm that uses the internet to exploit the DCOM
vulnerability in the RPC (Remote Procedure Call) service. The DCOM
vulnerability was first reported by Microsoft in mid-July 2003. This
worm does not use email to spread.
Targeted computers include the following Microsoft operating systems:
* Windows NT 4.0
* Windows NT 4.0 Terminal Services Edition
* Windows 2000
* Windows XP
* Windows Server 2003
On Windows XP the exploit attempt can crash the remote RPC service as a
side effect; Windows then displays a dialog entitled "System Shutdown"
and reboots the machine.
Windows 95/98/Me computers, which run neither an RPC service nor (by
default) a TFTP client, are not at risk.
On finding a vulnerable computer system, the worm causes the remote
machine to acquire a copy of the worm using TFTP, which is saved as
msblast.exe or penis32.exe in the Windows system folder.
Microsoft issued a patch for the vulnerability exploited by this worm
on July 16, 2003. The patch is available from
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.
From 16 August 2003, one month after the security patch was posted, the
worm is programmed to launch a distributed denial-of-service attack on
windowsupdate.com, which may severely impact access to the website
Microsoft uses to distribute security patches. Each machine which
begins to run the worm on or after this date (with a new infection or
after a reboot) will send 50 SYN packets per second to port 80 on
windowsupdate.com.
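Both worms leave a distinctive footprint on the wire: W32/Nachi-A (above) pings a large number of addresses before trying its WebDAV or RPC exploits, and W32/Blaster-A sends a steady stream of SYNs to port 80 of windowsupdate.com. The Python below is an added example, not Sophos code or either worm's code: it runs two sliding-window detectors over packet summaries. The records, thresholds and source addresses are constructed for the example and are not from any capture; destinations are written as names for readability where a real feed would carry resolved addresses.

```python
"""Network-side detection for the behaviour described above: Nachi-A's ICMP
sweep and Blaster-A's SYN flood on windowsupdate.com:80. Added example, not
Sophos code. SAMPLE_RECORDS is constructed, not captured traffic."""
from collections import defaultdict

# Packet summaries: (time_s, src, dst, proto, dport, tcp_flags).
SAMPLE_RECORDS = []
# Nachi-like host: one echo request per address across a /24, then exploit attempts.
for i in range(1, 41):
    SAMPLE_RECORDS.append((100.0 + i * 0.01, "10.0.0.5", f"10.0.1.{i}", "icmp", None, ""))
SAMPLE_RECORDS.append((101.0, "10.0.0.5", "10.0.1.7", "tcp", 135, "S"))   # RPC DCOM
SAMPLE_RECORDS.append((101.1, "10.0.0.5", "10.0.1.9", "tcp", 80, "S"))    # WebDAV SEARCH
# Blaster-like host: bare SYNs to windowsupdate.com:80 at about 50 per second.
for i in range(150):
    SAMPLE_RECORDS.append((200.0 + i * 0.02, "10.0.0.9", "windowsupdate.com", "tcp", 80, "S"))
# Ordinary host: one ping and a normal web handshake.
SAMPLE_RECORDS += [
    (300.0, "10.0.0.2", "10.0.1.1", "icmp", None, ""),
    (300.5, "10.0.0.2", "www.example.com", "tcp", 80, "S"),
    (300.6, "10.0.0.2", "www.example.com", "tcp", 80, "A"),
]


def _max_in_window(stamps, window):
    """Largest number of events from a sorted list that fall inside any `window` seconds."""
    best = lo = 0
    for hi, t in enumerate(stamps):
        while t - stamps[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_icmp_sweep(records, window=2.0, min_targets=20):
    """Sources that echo-request >= min_targets distinct hosts within `window` seconds.
    Returns {src: distinct_targets}. Repeated pings to one box do not trip this;
    a sweep across many addresses does."""
    per_src = defaultdict(list)
    for t, src, dst, proto, _, _ in records:
        if proto == "icmp":
            per_src[src].append((t, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        best = lo = 0
        for hi, (t, _) in enumerate(events):
            while t - events[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in events[lo:hi + 1]}))
        if best >= min_targets:
            alerts[src] = best
    return alerts


def detect_syn_flood(records, dport=80, window=1.0, min_per_window=40):
    """(src, dst) pairs sending >= min_per_window bare SYNs to dport inside `window`
    seconds. Blaster-A's 50 SYN/s to windowsupdate.com:80 clears this comfortably;
    a normal client opens a handful of connections and completes the handshake."""
    per_flow = defaultdict(list)
    for t, src, dst, proto, port, flags in records:
        if proto == "tcp" and port == dport and flags == "S":
            per_flow[(src, dst)].append(t)
    alerts = {}
    for flow, stamps in per_flow.items():
        stamps.sort()
        n = _max_in_window(stamps, window)
        if n >= min_per_window:
            alerts[flow] = n
    return alerts


def triage(records):
    """Per-source labels from both detectors."""
    labels = defaultdict(list)
    for src, n in detect_icmp_sweep(records).items():
        labels[src].append(f"icmp-sweep:{n}-hosts")
    for (src, dst), n in detect_syn_flood(records).items():
        labels[src].append(f"syn-flood:{dst}:{n}")
    return dict(labels)


if __name__ == "__main__":
    for src, tags in sorted(triage(SAMPLE_RECORDS).items()):
        print(src, ", ".join(tags))
```

The sweep rule counts distinct destinations rather than packets, so a monitoring host that pings the same gateway every second stays quiet; the SYN rule keys on bare SYNs per source/destination pair, so an ordinary browser session that completes its handshakes is not mistaken for the Blaster flood.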
Additionally the worm creates the following registry entry so as to run
on system start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update
The worm contains the following text, which does not get displayed:
I just want to say LOVE YOU SAN!! billy gates why do you make this
possible ? Stop making money and fix your software!!
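The advisories above (W32/Agobot-Q, W32/Pandem-B, W32/Dumaru-A, W32/Sobig-F, Troj/Graybird-A, W32/Donk-C, W32/Blaster-A and W32/Blaster-B) all persist through the Run and RunServices keys, which makes one autorun check worth having. The Python below is an added example, not Sophos code: it parses the text that `reg export` (or a .reg file) produces for those keys and matches value names and launched file names against the entries quoted in the advisories. The registry text it scans is constructed for the example; the IOC names come from the advisories above, while the regex, helper names and handling of .reg quoting are my assumptions about the export format.

```python
"""Autorun IOC check for the worms and Trojans described above.
Added example, not Sophos code. SAMPLE_REG is constructed to look like
`reg export` output; it is not from a real machine."""
import re

# Constructed sample: clean entries plus entries copied from the advisories.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"windows auto update"="msblast.exe"
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Config Loader"="svchosl.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"SPOOLSV"="C:\\WINDOWS\\System32\\spoolsv.exe"
"""

# Value names quoted in the advisories (lower-cased: registry names are case-insensitive).
VALUE_IOCS = {
    "config loader": "W32/Agobot-Q",
    "cpu manager": "W32/Pandem-B",
    "load32": "W32/Dumaru-A",
    "trayx": "W32/Sobig-F",
    "spoolsv": "Troj/Graybird-A",
    "configuration loaded": "W32/Donk-C",
    "microsoft inet xp..": "W32/Blaster-B",
    "windows auto update": "W32/Blaster-A",
}
# File names the advisories say get launched. spoolsv.exe is left out on purpose:
# the legitimate print spooler has that name, so for Troj/Graybird-A only the
# Run/RunServices value name is a usable indicator.
FILE_IOCS = {
    "svchosl.exe": "W32/Agobot-Q", "winhl32.exe": "W32/Agobot-Q",
    "cpumgr.exe": "W32/Pandem-B",
    "load32.exe": "W32/Dumaru-A", "dllreg.exe": "W32/Dumaru-A",
    "vxdmgr32.exe": "W32/Dumaru-A",
    "winppr32.exe": "W32/Sobig-F",
    "wupdated.exe": "W32/Donk-C", "scchost.exe": "W32/Donk-C",
    "teekids.exe": "W32/Blaster-B",
    "msblast.exe": "W32/Blaster-A", "penis32.exe": "W32/Blaster-A",
}

AUTORUN_KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\(Run|RunServices)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # string values only; hex: etc. are skipped


def parse_autoruns(reg_text):
    """Yield (key, value_name, data) for every string value under a Run/RunServices key."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line[1:-1] if AUTORUN_KEY_RE.match(line) else None
            continue
        m = VALUE_RE.match(line) if key else None
        if m:
            yield key, m.group(1), m.group(2)


def launched_file(data):
    """Lower-cased basename of the program a Run value starts.
    Undoes .reg escaping of backslashes and quotes, then splits off a
    quoted or bare path and drops any arguments."""
    data = re.sub(r'\\(["\\])', r"\1", data).strip()
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]
    else:
        path = data.split(" ", 1)[0]
    return path.replace("/", "\\").split("\\")[-1].lower()


def scan(reg_text):
    """Return (key, value_name, data, malware) for each autorun entry that matches an IOC."""
    hits = []
    for key, name, data in parse_autoruns(reg_text):
        tag = VALUE_IOCS.get(name.lower()) or FILE_IOCS.get(launched_file(data))
        if tag:
            hits.append((key, name, data, tag))
    return hits


if __name__ == "__main__":
    for key, name, data, tag in scan(SAMPLE_REG):
        print(f"{tag:18} {key}\\{name} = {data}")
```

Two caveats from the advisories themselves: Troj/Graybird-A and W32/Dumaru-A also persist through win.ini and system.ini, which `reg export` does not cover, and a file-name match on its own is weaker than a value-name match because several of these worms ship under more than one name.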
W32/Randex-D
Aliases
Worm.Win32.Randex.d, W32/Slanper.worm.gen, WORM_RANDEX.D
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Randex-D is a network worm which, when executed, connects to
68.192.170.235 and waits for further instructions. The worm also sets
the following registry value to the location of its executable so that
it runs when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mssyslanhelper
W32/Randex-D then chooses IP addresses at random and tries to connect
to the IPC$ share using the following list of simple passwords:
admin
root
1
111
123
1234
123456
654321
!{at}#$
asdf
asdfgh
!{at}#$%
!{at}#$%^
!{at}#$%^&
!{at}#$%^&*
server
If the connection is successful, the worm attempts to copy itself to
the following remote locations:
\c$\winnt\system32\msmsgri32.exe
\Admin$\system32\msmsgri32.exe
W32/Randex-D then schedules a job to execute the remotely dropped files
and also drops a backdoor Trojan in the file PAYLOAD.DAT which Sophos
Anti-Virus detects as Troj/SView-A.
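On a targeted machine, W32/Randex-D's spread shows up as a burst of failed network logons from one source workstation against an administrative account, followed by a success when a password from the list above works. The Python below is an added example, not Sophos code: it runs that detection over a simplified, constructed export of Windows 2000/XP Security log events. Event IDs 528 (successful logon), 529 (unknown user name or bad password) and 539 (account locked out) and logon type 3 (network) are the real Windows 2000/XP values; the line format, thresholds and host names are assumptions made for the example.

```python
"""Detect Randex-D-style password guessing against IPC$ from Security log events.
Added example, not Sophos code. SAMPLE_EVENTS is constructed in a simplified
export format: timestamp,event_id,account,source_workstation,logon_type."""
from collections import defaultdict
from datetime import datetime

LOGON_SUCCESS = 528              # Windows 2000/XP: successful logon
LOGON_FAILURE = {529, 539}       # bad user name or password; account locked out
NETWORK_LOGON = 3                # logon type used for IPC$ and admin-share access

SAMPLE_EVENTS = """\
2003-08-21 03:12:01,529,Administrator,SPRAY01,3
2003-08-21 03:12:01,529,Administrator,SPRAY01,3
2003-08-21 03:12:02,529,Administrator,SPRAY01,3
2003-08-21 03:12:02,529,Administrator,SPRAY01,3
2003-08-21 03:12:03,529,Administrator,SPRAY01,3
2003-08-21 03:12:03,529,Administrator,SPRAY01,3
2003-08-21 03:12:04,528,Administrator,SPRAY01,3
2003-08-21 03:15:10,529,jsmith,DESK07,2
2003-08-21 03:15:40,528,jsmith,DESK07,2
2003-08-21 04:00:00,529,Administrator,BACKUP02,3
2003-08-21 04:00:01,529,Administrator,BACKUP02,3
2003-08-21 04:00:02,529,Administrator,BACKUP02,3
"""


def parse_events(text):
    """Parse the simplified export into (time, event_id, account, workstation, logon_type)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, ws, ltype = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), account, ws, int(ltype)))
    return events


def find_password_guessing(events, window_s=60, min_failures=5):
    """Per source workstation, flag >= min_failures network-logon failures inside
    window_s seconds. 'succeeded' is True when the same source later logs on
    successfully: one of the guessed passwords worked, which with Randex-D means
    msmsgri32.exe has been dropped and a job scheduled to run it."""
    by_ws = defaultdict(list)
    for ev in events:
        if ev[4] == NETWORK_LOGON:          # interactive failures (type 2) are noise here
            by_ws[ev[3]].append(ev)
    findings = {}
    for ws, evs in by_ws.items():
        evs.sort(key=lambda e: e[0])
        lo = 0
        for hi, ev in enumerate(evs):
            while (ev[0] - evs[lo][0]).total_seconds() > window_s:
                lo += 1
            burst = [e for e in evs[lo:hi + 1] if e[1] in LOGON_FAILURE]
            if len(burst) < min_failures:
                continue
            later_ok = any(e[1] == LOGON_SUCCESS for e in evs[hi:])
            findings[ws] = {
                "failures": len(burst),
                "accounts": sorted({e[2] for e in burst}),
                "succeeded": later_ok,
            }
    return findings


if __name__ == "__main__":
    for ws, finding in find_password_guessing(parse_events(SAMPLE_EVENTS)).items():
        print(ws, finding)
```

A source that is still failing is a scanning host to contain; a source whose burst ends in a 528 is a host that has already been granted access to c$ or Admin$, so that target is where to look for msmsgri32.exe and the scheduled job the advisory describes.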
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)