subject: News, July 11 2004
[cut-n-paste from sophos.com]
W32/Agobot-WD
Aliases
Backdoor.Agobot.gen, W32/Gaobot.worm.gen.f, Win32/Agobot.3.ABQ,
W32.HLLW.Gaobot.gen, WORM_AGOBOT.WD
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Agobot-WD is an IRC backdoor and network worm.
W32/Agobot-WD is capable of spreading to computers on the local network
that have weak passwords.
When first run, W32/Agobot-WD copies itself to the Windows system folder
as winxtc.exe and creates the following registry entries to run itself
on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windbs
= winxtc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\windbs
= winxtc.exe
The worm runs continuously in the background as a service process,
providing backdoor access to the computer.
W32/Agobot-WD modifies the HOSTS file located at
\System32\Drivers\etc\HOSTS
mapping selected anti-virus websites to the loopback address 127.0.0.1 in
an attempt to prevent access to these sites. The worm may also terminate
and disable various anti-virus and security related programs, and may
delete network shares.
W32/Rbot-AS
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Rbot-AS is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-AS spreads to network shares with weak passwords as a result of
the backdoor Trojan element receiving the appropriate command from a
remote user.
W32/Rbot-AS moves itself to the Windows system folder as LSAS.EXE and
creates registry entries called SYSTEM under the following keys so as to
run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Rbot-AS may set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-AS may try to delete network shares on the host computer.
W32/Rbot-AS may also attempt to shut down security-related processes as
well as processes associated with the W32/MyDoom family of worms.
Troj/HacDef-F
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/HacDef-F is a backdoor Trojan that is targeted at NT/2000/XP
operating systems. As well as allowing unauthorised remote access to
the victim's computer, this Trojan is able to hide information about
the victim's system including files, folders, processes, services and
registry entries.
When started, the Trojan will copy itself to the Windows directory as
svchost.exe, create and load a driver (hxdefdrv.sys) and set the
following registry entry so as to auto-start on system boot or user
logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Network Service
= C:\\svhost.exe
Troj/HacDef-F intercepts various system services and attempts to
terminate various security or monitoring processes. The Trojan also
modifies the current internet start page and internet SearchAssistant.
W32/Rbot-DE
Aliases
W32/Sdbot.worm.gen.k, Backdoor.Rbot.gen
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Rbot-DE is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-DE spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Rbot-DE copies itself to the Windows system folder as WINSYS32.EXE
and creates entries at the following locations in the registry so as to
run itself on system startup, trying to reset them every minute:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Rbot-DE sets the following registry entries, trying to reset them
every 2 minutes.
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-DE tries to delete the C$, D$, E$, IPC$ and ADMIN$ network
shares on the host computer every 2 minutes.
W32/Rbot-DE attempts to terminate certain processes related to anti-virus
and security programs including REGEDIT.EXE, MSCONFIG.EXE and
NETSTAT.EXE.
Troj/Padodo-Fam
Aliases
Backdoor.AXJ, Berbew, Webber
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Padodo-Fam is a family of proxy and backdoor Trojans with password
stealing functionality.
When first run the Trojans copy themselves to the Windows system folder
with a random filename and an extension of EXE and drop a library DLL to
the system folder with a random filename and an extension of DLL.
The DLL is registered as a COM object creating registry entries similar
to the following:
HKCR\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}
\InProcServer32\
HKCR\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}
\InProcServer32\@ =
HKCR\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}
\InProcServer32\ThreadingModel = "Apartment"
The following registry entry is created to load the DLL on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad\Web Event Logger =
{79FEACFF-FFCE-815E-A900-316290B5B738}
The DLL component launches the Trojan executable which then runs
continuously in the background allowing unauthorised access and control
of the computer from a remote network location.
Log files may be created in the system folder to store stolen passwords.
The Trojans provide a proxy server on a random port which allows data to
be routed through the computer. The proxy can be used to bypass access
restrictions, to hide the IP address of the source computer and to
forward spam email.
Following installation the Trojans try to send notification messages to
remote locations with details of the computer's IP address and access
ports.
Troj/Legmir-K
Aliases
PSW.QQpass.ak, Lemir-Gen, Legmir-AH
Type
Trojan
Detection
At the time of writing, Sophos has received just one report of this
Trojan from the wild.
Description
Troj/LegMir-K is a password-stealing Trojan.
In order to run automatically when Windows starts up the Trojan copies
itself to the file intrenat.exe in the Windows folder and adds the
following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Intrenat = C:\WINDOWS\intrenat.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Intrenat = C:\WINDOWS\intrenat.exe
Troj/LegMir-K also creates the file exp1orer.dll in the Windows folder.
This file is already detected as Troj/LegMir-E.
To avoid detection, Troj/LegMir-K attempts to terminate the following
processes:
EGHOST.EXE
MAILMON.EXE
KAVPFW.EXE
RAVTIMER.EXE
RAVMON.EXE
CCENTER.EXE
NAVAPW32.EXE
Troj/LegMir-K stores stolen passwords in the HKCR section of the registry
and sends them to the author via email. The destination email address and
the exact location in the registry can both be configured by the author.
W32/Agobot-KM
Aliases
Backdoor.Agobot.ty, W32/Gaobot.worm.gen.f virus
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Agobot-KM is a network worm that spreads to other computers by
exploiting network services with either weak passwords or unpatched
vulnerabilities.
In order to run automatically when Windows starts up W32/Agobot-KM copies
itself to the file MSVSRV32.EXE in the Windows system folder and adds the
following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msvsrv32
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\msvsrv32
W32/Agobot-KM runs continuously in the background, allowing a remote
intruder to access and control the computer via IRC channels.
W32/Agobot-KM modifies the Windows HOSTS file to redirect several AV and
security-related websites to 127.0.0.1
W32/Lovgate-AD
Aliases
I-Worm.Lovgate.ae, W32/Lovgate.ad@MM virus, Win32/Lovgate.AI worm,
W32.HLLW.Lovgate.G
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Lovgate-AD is a Windows worm that spreads via email, network shares
and filesharing networks. The worm will create multiple copies of itself
in various locations and attempt to autostart copies of itself. The worm
may also replace copies of EXE files. The replaced EXE files will be
renamed with a ZMX extension.
When executed, the worm will first attempt to terminate various processes
that might interfere with the working of the worm. These include
processes containing the following strings:
"KV"
"KAV"
"Duba"
"NAV"
"kill"
"RavMon.exe"
"Rfw.exe"
"Gate"
"McAfee"
"Symantec"
"SkyNet"
"rising"
W32/Lovgate-AD then copies itself to:
\command.exe
\windows\system32\TkBellExe.exe
\windows\system32\Update_OB.exe
\windows\system32\hxdef.exe
\windows\system32\iexplore.exe
\windows\system32\kernel66.dll (hidden)
\windows\system32\ravmond.exe
\windows\systra.exe
The worm may also drop one of the files MSJDBC11.DLL, MSSIGN30.DLL and
ODBC16.DLL which provide unauthorised remote access to the computer over
a network.
In addition to the above locations W32/Lovgate-AD may also copy itself
into random locations with various names such as:
mmc.exe
xcopy.exe
winhlp32.exe
i386.exe
client.exe
findpass.exe
autoexec.bat
MSDN.ZIP.pif
Cain.pif
WindowsUpdate.pif
Support Tools.exe
Windows Media Player.zip.exe
Microsoft Office.exe
Documents and Settings.txt.exe
Internet Explorer.bat
WinRAR.exe
The worm may also drop zip files (with ZIP or RAR extension) which
contain a compressed copy of the worm.
In order to run automatically when Windows starts up, the worm creates
the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinHelp = C:\WINDOWS\System32\TkBellExe.exe
Hardware Profile = C:\WINDOWS\System32\hxdef.exe
VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
Program In Windows = C:\WINDOWS\System32\IEXPLORE.EXE
Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
Shell Extension = C:\WINDOWS\System32\spollsv.exe
The worm will also run itself as a service, under the name "Windows
Management Protocol v.0 (experimental)". It will also autostart itself
by modifying win.ini settings.
The worm will then create the following registry key:
HKCR\txtfile\Shell\open\command\@=Update_OB.exe %1
which will cause the worm to be executed when text files are opened in
Explorer.
W32/Lovgate-AD has several ways to spread itself, these include:
1. Spread via network share
W32/Lovgate-AD copies itself into various network shares, logging in
using a default set of passwords and then dropping files in a similar
way as it does on the local system.
The worm will also attempt to connect to the service control manager on
the remote computer and start a copy of itself as a service. The service
is run from a file named netmanager.exe in the Windows system folder.
W32/Lovgate-AD also enables sharing of the Windows Media folder and
copies itself there using various filenames.
2. Spread via email
W32/Lovgate-AD spreads by email. The worm attempts to reply to emails
found in the user's inbox, generating emails with the following
characteristics:
Message text:
> Get your FREE account now! <
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
Attached file:
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe
The worm also attempts to harvest email addresses from WAB, TXT, HTM,
SHT, PHP, ASP, DBX, TBB, ADB and PL files found on the system. This worm
will spoof the sender's email address. The message text of these emails
is chosen from the following list:
pass
It's the long-awaited film version of the Broadway hit. The message sent
as a binary attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail failed. For further assistance, please contact!
3. Spread via KaZaA remote share
W32/Lovgate-AD copies itself to the KaZaA shared folder with a random
name.
W32/Rbot-CZ
Aliases
W32/Sdbot.worm.gen.h
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Rbot-CZ is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-CZ spreads to network shares with weak passwords and via
network security exploits as a result of the backdoor Trojan element
receiving the appropriate command from a remote user.
W32/Rbot-CZ copies itself to the Windows system folder as WINSYS32.EXE
and creates entries at the following locations in the registry so as to
run itself on system startup, trying to reset them every minute:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Rbot-CZ sets the following registry entries, trying to reset them
every 2 minutes.
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-CZ tries to delete the C$, D$, E$, IPC$ and ADMIN$ network
shares on the host computer every 2 minutes.
W32/Rbot-CZ attempts to terminate certain processes related to anti-virus
and security programs including REGEDIT.EXE, MSCONFIG.EXE and
NETSTAT.EXE.
W32/Lovgate-AG
Aliases
W32/Lovgate.ae@MM virus, Win32/Lovgate.AJ worm, I-Worm.LovGate.ag
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Lovgate-AG is a Windows worm that spreads via email, network shares
and filesharing networks. It also uses the RPC Buffer overflow exploit.
It will create multiple copies of itself in various locations and
attempt to autostart them. It may also prepend viral code to exe files
in writable drives. The infected files may be capable of spreading
copies of W32/Lovgate-AG further.
When executed, it will first attempt to terminate various processes that
might interfere with the working of the worm. These include processes
which contain the following strings:
"KV"
"KAV"
"Duba"
"NAV"
"kill"
"RavMon.exe" (Other version of Lovgate)
"Rfw.exe"
"Gate"
"McAfee"
"Symantec"
"SkyNet" (Other copies of netsky)
"rising"
It then will copy Lovgate to:
/cdrom.com
/windows/system32/TkBellExe.exe
/windows/system32/Update_OB.exe
/windows/system32/hxdef.exe
/windows/system32/iexplorer.exe (Lovgate-V)
/windows/system32/kernel66.dll (hidden)
/windows/system32/ravmond.exe
/windows/cdplay.exe
/Windows/Exploier.exe
The worm may also drop one of the files MSJDBC11.DLL, MSSIGN30.DLL or
ODBC16.DLL which provide unauthorised remote access to the computer over
a network.
In addition to the above locations, it may also copy itself to random
locations in the user's computer with various names such as:
"mmc.exe"
"xcopy.exe"
"winhlp32.exe"
"i386.exe"
"client.exe"
"findpass.exe"
"autoexec.bat"
"MSDN.ZIP.pif"
"Cain.pif"
"WindowsUpdate.pif"
"Support Tools.exe"
"Windows Media Player.zip.exe"
"Microsoft Office.exe"
"Documents and Settings.txt.exe"
"Internet Explorer.bat"
"WinRAR.exe"
It may also drop zip files (with ZIP or RAR extension) which contain an
uncompressed copy of the worm.
In order to run automatically when Windows starts up, the worm creates
the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinHelp = C:\WINDOWS\System32\TkBellExe.exe
Hardware Profile = C:\WINDOWS\System32\hxdef.exe
VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
Microsoft Associates, Inc. = iexplorer.exe
Program In Windows = C:\WINDOWS\System32\Explore.EXE
Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
Shell Extension = C:\WINDOWS\System32\spollsv.exe
The worm will also run itself as a service under the name "_reg" and
"Windows Management Protocol v.0 (experimental)". It will also autostart
itself by modifying win.ini settings.
The worm will then create the following registry key:
HKCR\txtfile\Shell\open\command\@=Update_OB.exe %1
which will cause the worm to be executed when text files are opened in
Explorer.
W32/Lovgate-AG has numerous ways to spread itself, these include:
1. Spread via network share
It can copy multiple copies of itself into various network shares by
trying to login to $admin with a default set of passwords and then
dropping files in a similar way as it did on the local system.
The worm will also attempt to connect to the service control manager on
the remote computer and attempt to start up another service with a copy
of the worm in \system32\netmanager.exe.
W32/Lovgate-AG also enables sharing of the Windows Media folder and
copies itself there using various filenames.
2. Spread via Email
W32/Lovgate-AG spreads by email. The worm attempts to reply to emails
found in the user's inbox using the following filenames as attachments:
'the hardcore game-.pif'
'Sex in Office.rm.scr'
'Deutsch BloodPatch!.exe'
's3msong.MP3.pif'
'Me_nude.AVI.pif'
'How to Crack all gamez.exe'
'Macromedia Flash.scr'
'SETUP.EXE'
'Shakira.zip.exe'
'dreamweaver MX (crack).exe'
'StarWars2 - CloneAttack.rm.scr'
'Industry Giant II.exe'
'DSL Modem Uncapper.rar.exe'
'joke.pif'
'Britney spears nude.exe.txt.exe'
'I am For u.doc.exe'
With the body of the text as:
'> Get your FREE %s now! <'
' If you can keep your head when all about you'
' Are losing theirs and blaming it on you;'
' If you can trust yourself when all men doubt you,'
' But make allowance for their doubting too;'
' If you can wait and not be tired by waiting,'
' Or, being lied about,don't deal in lies,'
' Or, being hated, don't give way to hating,'
' And yet don't look too good, nor talk too wise;'
' ... ... more look to the attachment. '
It also attempts to harvest Email addresses from WAB, TXT, HTM, SHT, PHP,
ASP, DBX, TBB, ADB and PL files found on the system. The worm will spoof
the sender's email address. The body text will be one of the following:
"It's the long-awaited film version of the Broadway hit. The message
sent as a binary attachment."
"The message contains Unicode characters and has been sent as a binary
attachment."
"Mail failed. For further assistance, please contact!"
3. Spread via Kazaa remote share
It will copy itself to the kazaa share folder with a random name.
4. Spread via RPC Buffer overflow exploit.
W32/Lovgate-AG will gain remote shell access using the RPC Buffer
overflow exploit. It will open up an ftp server on the infected computer.
Once it has gained control of a remote computer, it will instruct the
remote computer to download a copy of W32/Lovgate-AG in the name of
"hxdef.exe" from the infected host.
W32/Sdbot-JY
Aliases
W32/Specx.worm.b!p2p, Win32/Specx.C, WORM_SDBOT.I
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Sdbot-JY is a worm which attempts to spread using P2P shared folders.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Sdbot-JY copies itself to the Windows system folder as
IEXPLORE32.EXE and creates an entry in the registry at the following
location so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
W32/Sdbot-JY copies itself to a folder called DRIVERS32 in the Windows
system folder with almost 400 filenames, most of which end in "Serial
Generator.exe" or "Crack.exe".
W32/Sdbot-JY then sets the following registry entries to enable sharing
of these files with KaZaA and iMesh:
HKCU\SOFTWARE\KAZAA\LocalContent\Dir0
HKCU\SOFTWARE\iMesh\Client\LocalContent\Dir0
W32/Sdbot-JY attempts to terminate several processes related to security
and anti-virus programs including REGEDIT.EXE, MSCONFIG.EXE and
NETSTAT.EXE.
W32/Sdbot-JY sits in the background as a service process waiting for
commands from a remote user.
W32/Bagle-AD
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Bagle-AD is a member of the W32/Bagle family of email worms.
When run the worm displays a fake message box with the title "Error!"
and the message
Can't find a viewer associated with the file
W32/Bagle-AD spreads by email. The email addresses are collected from
files on the computer containing the following file extensions:
WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS,
CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM,
JSP.
W32/Bagle-AD uses its own internal SMTP engine to spread.
The worm sends a HTML based email with the following characteristics:
Sender:
The sender address is always spoofed.
Attachment Name:
The basename of the attachment is chosen from the following list:
Information
Details
text_document
Updates
Readme
Document
Info
Details
MoreInfo
Message
W32/Bagle-AD is able to send itself as an encrypted ZIP file, an HTA file,
a VBS file, a CPL file or a normal executable file with the extension
EXE, COM or SCR.
The worm may also send its own source code in a file named sources.zip
Subject line:
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
Update
Fax Message
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document
Message text:
When the worm arrives in an unencrypted (i.e. directly executable) file
the message text is one of the following:
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
When the worm attaches itself as an encrypted file the password is
included in the email as a bitmap image and the message text is one of
the following:
For security reasons attached file is password protected.
The password is
For security purposes the attached file is password protected.
Password --
Attached file is protected with the password for security reasons.
Password is
In order to read the attach you have to use the following
password:
Note: Use password to open archive
Archive password:
Password -
Password:
The ZIP file contains an executable with the extensions EXE, COM or SCR
and a benign text file with one of the extensions INI, CFG, TXT, VXD,
DEF or DLL.
The worm then tries to remove registry run entries for several security
and anti-virus related products. The following entries are removed from
HKLM\Software\Microsoft\Windows\CurrentVersion\Run if they exist:
My AV
Zone Labs Client Ex
9XHtProtect
Antivirus
Special Firewall Service
service
Tiny AV
ICQNet
HtProtect
NetDy
Jammer2nd
FirewallSvr
MsInfo
SysMonXP
EasyAV
PandaAVEngine
Norton Antivirus AV
KasperskyAVEng
SkynetsRevenge
ICQ Net
The worm checks the current date and terminates itself if the date is
after 6th July 2004.
W32/Bagle-AD then creates copies of itself in all folders containing the
substring SHAR on all drives. The worm uses the following filenames:
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 5.0
Kaspersky Antivirus 5.0
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
W32/Sdbot-JS
Aliases
Multidropper-KS, Backdoor.SdBot.os, IRC/SdBot.AXJ,
TrojanProxy.Win32.Ranky.am, Troj/Ranck-Fam
Type
Win32 worm
Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.
Description
W32/Sdbot-JS is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Sdbot-JS drops two files to the folder C:\WinNT\system32. One is
dropped as GFHHR.EXE and is also detected as W32/Sdbot-JS, the other is
dropped as KHJBB.EXE and is detected as Troj/Ranck-X.
The file dropped as GFHHR.EXE copies itself to a file called BNDSDX.EXE
in the Windows system folder and creates entries in the registry at the
following locations to run this copy on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Sdbot-JS spreads to network shares with weak passwords as a result
of the backdoor Trojan element receiving the appropriate command from a
remote user, spreading by copying the file GRGWIT.EXE from the Windows
system folder (which should be the original W32/Sdbot-JS dropper file)
to the remote computer.
W32/Lovgate-F
Type
Win32 worm
Detection
Sophos has received many reports of this worm from the wild.
Description
W32/Lovgate-F is a mass mailing and network worm. When started the worm
copies itself to the root folder as COMMAND.EXE, to the Windows folder
as SYSTRA.EXE and to the Windows system folder as IEXPLORE.EXE,
kernel66.dll (hidden) and RAVMOND.exe.
W32/Lovgate-F also creates a file AUTORUN.INF in the root folder and
msjdbc11.dll, MSSIGN30.DLL and ODBC16.dll in the Windows system folder
(which are detected by Sophos as W32/Lovgate-V).
This worm may also drop itself into the Windows system folder using a
random name as well as two FTP server components, SPOLLSV.EXE and
NETMEETING.EXE.
In order to auto-start the worm sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Hardware Profile = C:\\hxdef.exe
Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
Program In Windows = C:\\IEXPLORE.EXE
Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
Shell Extension = C:\\spollsv.exe
VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
WinHelp = C:\\realsched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\runServices\
COM++ System = suchost.exe
SystemTra = C:\\SysTra.EXE
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
run = RAVMOND.exe
A new INI file named TWAIN_32.DLL may be created in the Windows folder
which will contain the following parameter in the Windows section:
run=RAVMOND.exe
The following registry entry may also be changed to execute this worm
before opening a text file:
HKCR\txtfile\shell\open\command\
"" = %1
W32/Lovgate-F will also create the following registry branches:
HKLM\SYSTEM\CurrentControlSet\Services\_reg\
HKLM\SYSTEM\CurrentControlSet\Services\
Windows Management Protocol v.0 (experimental)\
The worm copies itself to other folders using the following names:
Support Tools.exe
xcopy.exe
Windows Media Player.zip.exe
winhlp32.exe
Documents and Settings.txt.exe
WindowsUpdate.pif
findpass.exe
WinRAR.exe
MSDN.ZIP.pif
mmc.exe
Internet Explorer.bat
Microsoft Office.exe
client.exe
WindowsUpdate.pif
autoexec.bat
i386.exe
Cain.pif
W32/Lovgate-F also attempts to spread via weakly protected remote shares
by connecting using passwords from an internal dictionary. This worm can
also exploit a vulnerability explained in the Microsoft Knowledge Base
article 827363 (Microsoft Security Bulletin MS03-039) to run code with
system privileges on remote computers.
This worm can copy itself into remote Windows system folders as
NETMANAGER.EXE and execute this file as a service named 'Windows
Management Network Service Extensions'. An FTP script named 'a' is
created which instructs the remote host to download the worm from the
infected machine and execute it.
W32/Lovgate-F spreads by email. Email addresses are harvested from WAB,
TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL files found on the system.
This worm will spoof the sender's email address.
This worm will also attach itself to outgoing email messages using
randomly generated names or one of the following:
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
SOURCE: echomail via fidonet.ozzmosis.com
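The host indicators repeated through the bulletins above (Run and RunServices values that launch the dropped executable, HOSTS entries pinning vendor sites to 127.0.0.1, and the EnableDCOM and restrictanonymous values the Rbot variants force) can be checked offline from a copy of the HOSTS file and a `reg export` of the relevant keys. The following Python script is an added example written for this page, not Sophos code and not part of the original post. The sample HOSTS text and registry export in it are constructed, the `.test` hostnames are placeholders, and the executable watchlist is taken from the filenames quoted in the bulletins.

```python
"""Offline triage for the host indicators in the July 2004 bulletins above:
autorun registry values that launch one of the dropped executables, the
EnableDCOM / restrictanonymous values the Rbot variants force, and HOSTS
entries that pin non-local names to loopback (the Agobot trick for cutting
off vendor sites). Added example, not Sophos code. Inputs are plain text: a
copy of %SystemRoot%\\System32\\drivers\\etc\\hosts and a `reg export` file.
"""
import re

# Dropped-file and loader names quoted in the bulletins (lower-cased).
BULLETIN_AUTORUN_NAMES = {
    "winxtc.exe", "lsas.exe", "winsys32.exe", "msvsrv32.exe", "intrenat.exe",
    "iexplore32.exe", "bndsdx.exe", "tkbellexe.exe", "hxdef.exe", "spollsv.exe",
    "svhost.exe", "systra.exe", "realsched.exe", "suchost.exe", "mssign30.dll",
}
AUTORUN_KEY_RE = re.compile(r"\\Windows\\CurrentVersion\\Run(Services)?$",
                            re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "::1"}
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
# (key, value) pairs the Rbot variants set; compared case-insensitively.
# The values look like hardening, but an unexplained change from the host's
# baseline is exactly the signal worth raising.
TAMPERED_VALUES = {
    (r"hkey_local_machine\software\microsoft\ole", "enabledcom"),
    (r"hkey_local_machine\system\currentcontrolset\control\lsa",
     "restrictanonymous"),
}


def find_hosts_hijacks(hosts_text):
    """Return (hostname, ip) pairs that map a non-local name to loopback."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if len(fields) < 2 or fields[0] not in LOOPBACK:
            continue
        for name in fields[1:]:
            if name.lower() not in BENIGN_LOOPBACK_NAMES:
                hits.append((name, fields[0]))
    return hits


def parse_reg_export(reg_text):
    """Yield (key, value_name, data) from a REGEDIT4 / Version 5.00 export.
    Handles "name"="string" and "name"=dword:xxxxxxxx lines only."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            data = data.strip().strip('"').replace("\\\\", "\\")  # unescape \\
            yield key, name, data


def find_registry_indicators(reg_text):
    """Return (key, name, data) for autorun values that launch a bulletin
    executable and for the two tampered security settings."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if AUTORUN_KEY_RE.search(key):
            # Basename of every token in the command line, e.g.
            # "RUNDLL32.EXE MSSIGN30.DLL ondll_reg" -> rundll32.exe, mssign30.dll, ondll_reg
            tokens = {t.rsplit("\\", 1)[-1].lower() for t in data.split()}
            if tokens & BULLETIN_AUTORUN_NAMES:
                hits.append((key, name, data))
        elif (key.lower(), name.lower()) in TAMPERED_VALUES:
            hits.append((key, name, data))
    return hits


def triage(hosts_text, reg_text):
    return {"hosts": find_hosts_hijacks(hosts_text),
            "registry": find_registry_indicators(reg_text)}


# Constructed sample inputs; the .test names are placeholders, not real sites.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.av-vendor.test      # Agobot-WD style entry
127.0.0.1       update.av-vendor.test
192.0.2.10      intranet.corp.test
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windbs"="winxtc.exe"
"WinHelp"="C:\\WINDOWS\\System32\\TkBellExe.exe"
"Protected Storage"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

if __name__ == "__main__":
    for section, hits in triage(SAMPLE_HOSTS, SAMPLE_REG).items():
        print(f"{section}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  ", hit)
```

Matching on the basename of every token in the command line, rather than on the value name, is deliberate: the Lovgate entries hide the loader behind RUNDLL32.EXE, so a check that only looks at the first token or at the value name ("Protected Storage", "windbs") would miss them. The loopback rule is generic on purpose, since the bulletins do not name the redirected sites; any non-localhost name pinned to 127.0.0.1 deserves a look.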
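The Lovgate and Bagle-AD sections describe the attachment conventions these mailers rely on: double extensions such as `.doc.exe` or `.AVI.pif`, bare executable extensions (PIF, SCR, EXE, HTA, VBS, CPL), and for Bagle-AD a password-protected ZIP whose password arrives as a bitmap in the body. What follows is an added example, not part of the original post or of Sophos's text: a mail-gateway policy function that classifies attachments by those patterns. The sample messages are constructed from filenames and message texts quoted in the bulletins, and the extension lists are this example's own choices.

```python
"""Mail-gateway attachment policy for the lures described in the Lovgate
and Bagle-AD bulletins above. Added example, not Sophos code: the extension
lists and the verdict ladder are this example's choices, drawn from the
filenames and message texts quoted in the bulletins."""
import re
from typing import NamedTuple

EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "hta", "vbs", "cpl"}
ARCHIVE_EXTS = {"zip", "rar"}
# Extensions used as the decoy in the double-extension names quoted above
# (doc.exe, zip.exe, AVI.pif, MP3.pif, rm.scr, txt.exe).
DECOY_EXTS = {"doc", "txt", "zip", "rar", "rm", "mp3", "avi", "jpg", "gif",
              "pdf", "htm"}
PASSWORD_HINT_RE = re.compile(r"\bpassword\b", re.IGNORECASE)


class Verdict(NamedTuple):
    action: str      # allow | scan | quarantine | block
    reason: str


def extensions(filename):
    """'Me_nude.AVI.pif' -> ['avi', 'pif']; spaces inside names are kept."""
    parts = filename.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def assess_attachment(filename, body_text="", has_inline_image=False):
    """Classify one attachment from its name plus two message-level facts:
    whether the body mentions a password and whether an inline image is
    present (Bagle-AD ships the archive password as a bitmap)."""
    exts = extensions(filename)
    if not exts:
        return Verdict("allow", "no extension")
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if any(e in DECOY_EXTS for e in exts[:-1]):
            return Verdict("block",
                           "double extension hides executable: ." + ".".join(exts))
        return Verdict("block", "directly executable attachment: ." + last)
    if last in ARCHIVE_EXTS:
        if PASSWORD_HINT_RE.search(body_text) and has_inline_image:
            return Verdict("quarantine",
                           "password-protected archive, password in image (Bagle-AD)")
        if PASSWORD_HINT_RE.search(body_text):
            return Verdict("quarantine", "archive with password given in body")
        return Verdict("scan", "archive: extract and scan contents")
    return Verdict("allow", "." + last + " not covered by executable/archive policy")


def assess_message(attachments, body_text="", has_inline_image=False):
    """Most severe verdict across a message's attachments."""
    order = {"allow": 0, "scan": 1, "quarantine": 2, "block": 3}
    verdicts = [assess_attachment(n, body_text, has_inline_image)
                for n in attachments]
    return max(verdicts, key=lambda v: order[v.action],
               default=Verdict("allow", "no attachments"))


# Constructed sample messages using filenames and texts quoted in the bulletins.
SAMPLES = [
    (["Britney spears nude.exe.txt.exe"], "> Get your FREE account now! <", False),
    (["Me_nude.AVI.pif"], "", False),
    (["joke.pif"], "", False),
    (["Information.zip"],
     "For security reasons attached file is password protected. The password is",
     True),
    (["Details.zip"], "Your document is attached.", False),
    (["minutes.pdf"], "See attached file for details.", False),
]

if __name__ == "__main__":
    for names, body, image in SAMPLES:
        v = assess_message(names, body, image)
        print(f"{names[0]:35} -> {v.action:10} {v.reason}")
```

The archive branch cannot decide on the filename alone, because a password-protected ZIP is opaque to the gateway scanner; that is why Bagle-AD uses one, and why the policy falls back to message-level context (a password mentioned in the body, a password delivered as an image) and quarantines rather than allowing.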