| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | News |
[cut-n-paste from sophos.com]

W32/Randex-Q
Aliases: W32.Randex.Q, WORM_RANDEX.Q
Type: Win32 worm
Detection: Sophos has received several reports of this worm from the wild.
Description:
W32/Randex-Q is a network worm with backdoor capabilities which allows a remote intruder to access and control the computer via IRC channels. W32/Randex-Q chooses IP addresses at random and tries to connect to the IPC$ share using simple passwords. If the connection is successful the worm attempts to copy itself to the following remote locations:
  \c$\winnt\system32\musirc4.71.exe
  \Admin$\system32\musirc4.71.exe
W32/Randex-Q then schedules a job to execute the remotely dropped files. Each time the worm is run it tries to connect to a remote IRC server and join a specific channel. The worm then runs in the background as a server process listening for commands to execute. When first run the worm copies itself to the Windows system folder as Musirc4.71.exe, metalrock.exe or metalrock-is-gay.exe and adds the pathname of this executable to a sub-key of the following registry entries so that the worm is run automatically each time Windows is started:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Example registry entries:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MusIRC (irc.musirc.com) client = musirc4.71.exe
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MusIRC (irc.musirc.com) client = musirc4.71.exe
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MeTaLRoCk (irc.musirc.com) has sex with printers = metalrock-is-gay.exe
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MeTaLRoCk (irc.musirc.com) has sex with printers = metalrock-is-gay.exe
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows MeTaLRoCk service = metalrock.exe
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows MeTaLRoCk service = metalrock.exe

VBS/Flea-A
Aliases: JS/Flea.A
Type: Visual Basic Script worm
Detection: At the time of writing Sophos has received just one report of this worm from the wild.
Description:
VBS/Flea-A is a worm that propagates via HTML email. The worm arrives as the signature to an HTML email. When the HTML email is rendered a webpage is loaded and JavaScript on it is run. The JavaScript then loads another webpage containing VB Script that will drop a file C.HTM in the Windows folder. This file will also be set as the signature of Outlook Express.

W32/Agobot-AA
Aliases: Backdoor.Agobot.3.h
Type: Win32 worm
Detection: Sophos has received several reports of this worm from the wild.
Description:
W32/Agobot-AA is a network worm which also allows unauthorised remote access to the computer via IRC channels. W32/Agobot-AA is capable of spreading to computers on the local network protected by weak passwords. The worm copies itself to the Windows System folder as Lsas.exe and creates the following registry entries, so that Lsas.exe is run automatically each time Windows is started:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = LSAS.exe
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Explorer = LSAS.exe
Each time W32/Agobot-AA is run the worm attempts to connect to a remote IRC server and join a specific channel. W32/Agobot-AA then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

Troj/CoreFloo-C
Aliases: TrojanDropper.Win32.Emaner, CoreFlood.dr, Backdoor.Coreflood
Type: Trojan
Detection: Sophos has received several reports of this Trojan from the wild.
Description:
Troj/CoreFloo-C is a backdoor Trojan which allows a remote intruder to access and control the computer via IRC channels. The Trojan arrives as an installation executable with a random filename consisting of 7 characters a-z and an extension of EXE.
When the installation executable is run on Windows 95, 98 or ME (or FAT drives) it drops a DLL to the Windows System folder with a filename consisting of 7 random characters a-z and an extension of DLL. When the installation executable is run on a Windows NT, 2000 or XP system with an NTFS drive it drops the DLL as an ADS file associated with the Windows System folder (typically \System32). The new ADS file will also have a random 7-character name with an extension of DLL. The installation executable then launches the DLL component which adds its pathname to the following registry entry, so that it is run automatically each time Windows is started:
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ = rundll32 %SYSTEM% .dll,Init 1
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ = rundll32 %SYSTEM% ,Init 1
The DLL component injects itself into the EXPLORER process making it invisible in the Task Manager process list. Troj/CoreFloo-C also has anti-delete functionality which attempts to prevent viral processes from being terminated and resets the above registry entries if they are removed.

W32/Opaserv-R
Type: Win32 worm
Detection: At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.
Description:
W32/Opaserv-R is a variant of W32/Opaserv-A. W32/Opaserv-R spreads via network shares. The worm will copy itself into the Windows folder on the current drive and add the following registry entry so that it is run when the system starts:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Brasil = C:\Windows\Brasil.pif
The worm attempts to copy itself to the Windows folder on networked computers with open shared drives. The worm then modifies the win.ini on the remote machine to ensure it will be run on system restart.
The worm also attempts to download files and drop the files put.ini, brasil.dat and brasil!.dat to the root folder of the current drive.

W32/Dafly-B
Aliases: Win32/Dafly.B, Worm.P2P.Dafly.b, W32/Dafly.worm
Type: Win32 executable file virus
Detection: At the time of writing Sophos has received no reports from users affected by this virus. However, we have issued this advisory following enquiries to our support department from customers.
Description:
W32/Dafly-B is a prepending virus which infects Windows executable files. W32/Dafly-B copies itself to the Windows system folder with the filenames SysDrv32.exe and Enjoy.exe and then sets the following registry entries to point to itself so that it is executed every time one of those filetypes is run (though a bug means that it may crash):
  HKCR\batfile\shell\open\command\
  HKCR\comfile\shell\open\command\
  HKCR\exefile\shell\open\command\
  HKCR\piffile\shell\open\command\
  HKCR\scrfile\shell\open\command\
W32/Dafly-B infects all files in the folder and subfolders pointed to by the following registry entries:
  HKCU\Software\Widcomm\BTConfig\Services\0005\root
  HKLM\Software\Kazaa\CloudLoad\ShareDir
W32/Dafly-B will also copy itself to the folders pointed to by these entries with the filenames Matrix2.scr and Terminator3.scr. W32/Dafly-B keeps track of how many files it has infected by setting the number in the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Infected. After infecting 49 files W32/Dafly-B will delete files instead of infecting them. W32/Dafly-B tries to stop registry tools from being run by setting the following key:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
W32/Dafly-B tries to read the key value HKCU\Identities\Default User ID.
The virus then tries to set the following entries:
  HKCU\Identities\\Software\Microsoft\Outlook Express\5.0\Signature Flags = "1"
  HKCU\Identities\\Software\Microsoft\Outlook Express\5.0\Signatures\Default Signature = "00000000"
  HKCU\Identities\\Software\Microsoft\Outlook Express\5.0\Signatures\00000000\file = "\Enjoy.exe"
  HKCU\Identities\\Software\Microsoft\Outlook Express\5.0\Signatures\00000000\name = "MADFYLY"
  HKCU\Identities\\Software\Microsoft\Outlook Express\5.0\Signatures\00000000\text = ""
  HKCU\Identities\\Software\Microsoft\Outlook Express\5.0\Signatures\00000000\type = "2"
W32/Dafly-B checks for the presence of the registry entry HKLM\Software\IDAVLab\DRWEB32W\ExePath. If this registry entry exists then the virus will not infect files that are run from the folder that it references, but will instead display the message "Dr.Web for Windows 95-XP. EVALUATION version! To get your registration key, call regional dealer.". W32/Dafly-B will then also try to delete a registry entry from HKCR\CLSID. W32/Dafly-B sets the following registry entry in the course of execution:
  HKCU\Software\Microsoft\Internet Explorer\Main\Start Page = "MADFLY.TK"

Troj/IRCBot-P
Aliases: Backdoor.IRCBot.gen
Type: Trojan
Detection: Sophos has received several reports of this Trojan from the wild.
Description:
Troj/IRCBot-P is an IRC backdoor Trojan which allows unauthorised remote access to a compromised computer via IRC channels. The Trojan copies itself to the Windows system folder with the filename autoupdate.exe and sets the following registry entries to run this copy of the Trojan when Windows starts up:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windowsupdate
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\windowsupdate

W32/Randex-I
Aliases: W32/Sdbot.worm.gen.b, Win32/Randex.J, W32.Randex.F, WORM_RANDEX.F
Type: Win32 worm
Detection: At the time of writing Sophos has received just one report of this worm from the wild.
Description:
W32/Randex-I is a network worm with backdoor capabilities which allows a remote intruder to access and control the computer via IRC channels. W32/Randex-I spreads over a network by copying itself to the Windows system32 folder of C$ and Admin$ shares that contain weak passwords. Each time the worm is run it tries to connect to a remote IRC server and join a specific channel. The worm then runs in the background as a server process listening for commands to execute. When first run the worm copies itself to the Windows system folder as msnv32.exe and creates the following registry entries so that the worm is run when Windows starts up:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Netview Component v5.1 = msnv32.exe
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Netview Component v5.1 = msnv32.exe

W32/Donk-E
Aliases: W32/Sdbot.worm, W32.HLLW.Donk.B, BKDR_SDBOT.Y
Type: Win32 worm
Detection: At the time of writing Sophos has received just one report of this worm from the wild.
Description:
W32/Donk-E is a network worm and backdoor Trojan. W32/Donk-E copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC vulnerability. This vulnerability allows the worm to execute its code on target computers with System level privileges. For further information on this vulnerability and for details on how to protect/patch the computer, see Microsoft security bulletin MS03-026.
When first run, W32/Donk-E copies itself to the Windows system folder as COOL.EXE and NETAPI32.EXE and creates the following registry entries so that NETAPI32.EXE is run automatically each time Windows is started:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft System Checkup = netapi32.exe
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft System Checkup = netapi32.exe
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NT Logging Service = syslog32.exe
W32/Donk-E fails to copy itself as syslog32.exe. W32/Donk-E connects to other computers on the local network. If a computer has a weak password W32/Donk-E copies itself to the following startup folders:
  \WINNT\Profiles\All Users\Start Menu\Programs\Startup
  \WINDOWS\Start Menu\Programs\Startup
  \Documents and Settings\All Users\Start Menu\Programs\Startup
W32/Donk-E also includes backdoor Trojan functionality which allows a remote intruder to access and control the computer via IRC channels. Each time W32/Donk-E is run it tries to connect to a remote IRC server and join a specific channel. W32/Donk-E then runs continuously in the background as a service process listening for commands to execute. The remote intruder will be able to carry out a variety of actions such as get system information, download files, perform a DDoS flooder attack on another computer and execute programs. One of the files that W32/Donk-E may download and execute on the victim's computer is a sample of W32/Donk-D.

W32/Agobot-AB
Aliases: Backdoor.Agobot.3.h
Type: Win32 worm
Detection: At the time of writing Sophos has received just one report of this worm from the wild.
Description:
W32/Agobot-AB is a variant of the Agobot family of worms with a backdoor component. This version drops the file Iexplorer.exe into the Windows system folder and creates the following registry entries to run automatically when Windows boots up:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Backup Configuration
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Backup Configuration

W32/Donk-D
Aliases: WORM_DONK.B, W32/Sdbot.worm.gen, Backdoor.SdBot.gen
Type: Win32 worm
Detection: At the time of writing Sophos has received just one report of this worm from the wild.
Description:
W32/Donk-D is a network worm and backdoor Trojan. W32/Donk-D copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC vulnerability. This vulnerability allows the worm to execute its code on target computers with System level privileges. For further information on this vulnerability and for details on how to protect/patch the computer, see Microsoft security bulletin MS03-026. When first run, W32/Donk-D copies itself to the Windows System folder as Cool.exe and Wnetlib.exe and creates the following registry entries so that Wnetlib.exe is run automatically each time Windows is started:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft System Checkup = wnetlib.exe
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft System Checkup = wnetlib.exe
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NT Logging Service = syslog32.exe
(W32/Donk-D fails to copy itself as syslog32.exe.) W32/Donk-D connects to other computers on the local network that have weak passwords and then copies itself to the following startup folders:
  \WINNT\Profiles\All Users\Start Menu\Programs\Startup
  \WINDOWS\Start Menu\Programs\Startup
  \Documents and Settings\All Users\Start Menu\Programs\Startup
W32/Donk-D also includes backdoor Trojan functionality which allows a remote intruder to access and control the computer via IRC channels. Each time W32/Donk-D is run it tries to connect to a remote IRC server and join a specific channel. W32/Donk-D then runs continuously in the background listening for commands to execute. The remote intruder will be able to carry out a variety of actions such as: get system information, download files, perform a DDoS flooder attack on another computer and execute programs.

W32/Spybot-R
Aliases: W32.Spybot.Worm, Worm.P2P.SpyBot.gen
Type: Win32 worm
Detection: At the time of writing Sophos has received just one report of this worm from the wild.
Description:
W32/Spybot-R is a P2P worm that spreads via the KaZaA file sharing network. Upon execution, W32/Spybot-R displays the fake error message "Runtime Error", "Unable to locate Smartinstl32.dll. Re-installing the application may fix the problem". The worm creates the folder \kazaabackupfiles and copies itself there using several different filenames, including:
  Battlefield_1942.Keygen.FDX.ShareReactor.exe
  C&C.Generals-keygen.exe
  cs-keygen.exe
  dev-nfs.exe
  eatop605kg.exe
  Freelancer Keygen.exe
  hv-Max5-kg.exe
  Opera601key.exe
  PowerDVD XP v4.0 Keygen.exe
  QuickTime 6 Pro keygen.exe
  Sonic Foundry ACID Pro 4.0 Keygen(1).exe
  VMware 320 keygen (1).exe
  Windows XP Professional Keygen by CaFo.exe
To enable sharing of these files the registry entry HKCU\Software\Kazaa\LocalContent\Dir0 is updated to point to this location. In order to be run automatically on system startup the worm copies itself to explorer64.exe in the Windows system folder and adds the following registry entries which point to this file:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer(64)
  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Explorer(64)
W32/Spybot-R has an IRC backdoor component which has keylogging and backdoor capabilities. The worm connects to an IRC server announcing the infection and allows a malicious user remote access to the computer.
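Nearly every description above persists through the same few places: the Run/RunServices/RunOnce keys, the HKCR file-type open handlers (Dafly-B), or a rundll32 loader line (CoreFloo-C). As an added example that is neither Sophos's nor the poster's, this read-only PowerShell audit checks those locations for the filenames and values the descriptions name; the expected stock handler strings are an assumption about a clean Windows install.

```powershell
# Added example: read-only audit of the persistence points named in the
# descriptions above. Reports findings, does not remediate. Run elevated.

# Filenames the descriptions say are dropped into the Windows system folder.
$SuspectFiles = @('musirc4.71.exe', 'metalrock.exe', 'metalrock-is-gay.exe',
    'lsas.exe', 'brasil.pif', 'sysdrv32.exe', 'enjoy.exe', 'autoupdate.exe',
    'msnv32.exe', 'cool.exe', 'netapi32.exe', 'syslog32.exe', 'iexplorer.exe',
    'wnetlib.exe', 'explorer64.exe')
# netapi32 is legitimate only as a .dll; an autorun entry for netapi32.exe is not.

$AutorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')

foreach ($key in $AutorunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # provider metadata, not a value
        $val = [string]$p.Value
        foreach ($f in $SuspectFiles) {
            if ($val -match [regex]::Escape($f)) { Write-Output "AUTORUN  $key\$($p.Name) = $val" }
        }
        # CoreFloo-C style loader: rundll32 starting a DLL through an Init export.
        if ($val -match 'rundll32.*\.dll,Init') { Write-Output "RUNDLL32 $key\$($p.Name) = $val" }
    }
}

# Dafly-B points these open handlers at itself. Expected stock values are an
# assumption about a clean system (scrfile differs from the other four).
$ExpectedHandler = @{ batfile = '"%1" %*'; comfile = '"%1" %*'; exefile = '"%1" %*';
                      piffile = '"%1" %*'; scrfile = '"%1" /S' }
foreach ($ext in $ExpectedHandler.Keys) {
    $k = "Registry::HKEY_CLASSES_ROOT\$ext\shell\open\command"
    if (-not (Test-Path $k)) { continue }
    $cmd = (Get-ItemProperty -Path $k).'(default)'
    if ($cmd -ne $ExpectedHandler[$ext]) { Write-Output "HANDLER  $ext = $cmd" }
}

# Values Dafly-B writes: its infection counter and the Registry Editor lockout.
$Markers = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion'; Name = 'Infected' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' })
foreach ($m in $Markers) {
    $v = Get-ItemProperty -Path $m.Path -Name $m.Name -ErrorAction SilentlyContinue
    if ($null -ne $v) { Write-Output "MARKER   $($m.Path)\$($m.Name) = $($v.($m.Name))" }
}
```

A HANDLER hit on a system with a third-party shell extension is not proof of infection on its own; compare the reported command against the file it points to before acting.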
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com