echo: virus
to: ALL
from: KURT WISMER
date: 2004-06-12 14:52:00
subject: News, June 12 2004

[cut-n-paste from sophos.com]

W32/Zafi-B

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Zafi-B is a peer-to-peer (P2P) and email worm that will copy itself 
to the Windows system folder as a randomly named EXE file and set the 
following registry entry to ensure that it will be run on system 
restart.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\_Hazafibb
= \

The following registry branch will also be created:

HKLM\Software\Microsoft\_Hazafibb\

This registry branch will have value names consisting of two 
alphanumeric characters.

This worm will test for the presence of an Internet connection by 
attempting to connect to www.google.com or www.microsoft.com.

W32/Zafi-B collects email addresses from files which have the following 
extensions:

HTM, WAB, TXT, DBX, TBB, ASP, PHP, SHT, ADB, MBX, EML and PMR.

The worm stores the collected email addresses in randomly named files 
with a DLL extension in the Windows system folder.

W32/Zafi-B attempts to include itself as an attachment in email messages 
sent to addresses collected from the local machine. The worm will also 
copy itself into shared P2P folders as either 'WINAMP 7.0 
FULL_INSTALL.EXE' or 'TOTAL COMMANDER 7.0 FULL_INSTALL.EXE'.

W32/Zafi-B may display some Hungarian text in a message box on screen.





W32/Spybot-CG

Aliases
Spybot.worm.gen.e

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Spybot-CG is a Windows worm that spreads via filesharing networks.

In order to run automatically when Windows starts up the worm copies 
itself to the file Winhub.exe in the Windows system folder and creates 
the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows
Configuration=WINHUB.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows
Configuration=WINHUB.EXE

W32/Spybot-CG copies itself to a folder called kazaabackupfiles in the 
Windows system folder with the following filenames:

AVP_Crack.exe
AquaNox2 Crack.exe
Battlefield1942_bloodpatch.exe
C&C Generals_crack.exe
FIFA2004 crack.exe
NBA2004_crack.exe
UT2004_bloodpatch.exe
Unreal2_bloodpatch.exe
movie_sex.exe
zoneallarm_pro_crack.exe

The worm also has a backdoor component that allows a malicious user to 
control the infected computer via IRC channels and perform any of the 
following operations:

keyboard logging
packet logging
portscan
flooding
stealing cached passwords
starting a socket proxy server
activating keyboard LEDs or CD player
rebooting the machine
monitoring and killing processes
uploading and downloading files
executing arbitrary commands





W32/Spybot-BZ

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Spybot-BZ attempts to copy itself to CRCSSV.EXE in the Windows 
system folder and creates entries in the registry at the following 
locations to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

W32/Spybot-BZ copies itself to a folder called BACKUPS in the Windows
system folder with the following filenames:

GTA3_cive.city_crack.exe
All-windows-crack.exe
Enter_The_Matrix_crack.exe
Matrix_Reloaded_downloader.exe

W32/Spybot-BZ then sets the following registry entry to enable sharing 
of these files with KaZaA:

HKCU\SOFTWARE\KAZAA\LocalContent\Dir0

W32/Spybot-BZ remains resident, running in the background as a service
process and listening for commands from remote users via IRC channels.

W32/Spybot-BZ attempts to terminate various monitoring programs 
including the following:

REGEDIT.EXE
MSCONFIG.EXE
TASKMGR.EXE
NETSTAT.EXE





W32/Rbot-AE

Aliases
Backdoor.Rbot.gen, W32/Sdbot.worm.gen.o virus, W32.Spybot.Worm

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Rbot-AE is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-AE spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-AE copies itself to the Windows system folder as WINSYS.EXE and
creates registry entries named MICROSOFT UPDATE under the following registry
keys to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-AE may set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-AE may try to delete network shares on the host computer.





W32/Rbot-AA

Aliases
Backdoor.Rbot.gen, W32/Sdbot.worm.gen.g virus, W32.Spybot.Worm

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Rbot-AA is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-AA spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-AA copies itself to the Windows system folder as SCRGRD.EXE and
creates registry entries MICROSOFT RESTORE under the following
keys so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-AA may set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-AA may try to delete network shares on the host computer.





W32/Korgo-H

Aliases
Worm.Win32.Padobot.gen, W32/Korgo.worm.i, W32.Korgo.H

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Korgo-H is a member of the W32/Korgo family of network worms that 
propagates using the LSASS exploit (TCP port 445).

For details see the MS04-011 Microsoft Security Bulletin.

When executed, W32/Korgo-H copies itself to the Windows system folder 
with a random filename and sets the following registry entry with the 
path to the copy to make sure the worm runs on restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update

W32/Korgo-H marks the infection by setting the registry entry
HKLM\SOFTWARE\Microsoft\Wireless\.

W32/Korgo-H scans random IP addresses, attempting to exploit them. The 
results of the scans are transmitted to a specific IRC server chosen from 
a fixed list of servers.

W32/Korgo-H attempts to delete ftpupd.exe and any registry entries that 
have the following values:

avserve2.exe
Update Service
avserve.exe
Windows Update Service
WinUpdate
SysTray
Bot Loader
System Restore Service
Disk Defragmenter
Windows Security Manager

W32/Korgo-H may also prevent a system shutdown that has been initiated 
using InitiateSystemShutdown.





W32/Korgo-G

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Korgo-G is a network worm using the LSASS exploit to propagate. When
executed the worm copies itself to the Windows system folder using a 
randomly generated name and creates the following registry entry so that 
the worm starts when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update = \.exe

During infection the worm will also use the temporary registry value

HKLM\Software\Microsoft\Wireless\Client = 1

W32/Korgo-G scans random IP addresses attempting to exploit them, the
results of the scans being transmitted to one of several IRC servers and 
channels.





W32/Dumaru-AK

Aliases
TrojanDropper.Win32.Mudrop.h, Worm.Win32.Plexus.a, W32.Explet.A{at}mm, 
W32/Plexus{at}MM virus, I-Worm.Plexus.a

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Dumaru-AK consists of a dropper and a number of dropped files.

The dropper copies itself to the filename UPU.EXE in the Windows system 
folder. The dropper also drops the files SETUPEX.EXE to the same folder 
and SVCHOST.EXE to the Windows folder, running them both.

The dropper may display one of the following fake error messages:

CRC checksum failed.
Pace method not implemented.
Could not initialize installation. File size expected=26523, size 
returned=26344 File is corrupted.

SETUPEX.EXE runs as a service process, copying itself to SWCHOST.EXE and 
SVOHOST.EXE in the Windows system folder. It sets the following registry 
entry so as to run the SWCHOST.EXE copy on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32

SETUPEX.EXE sets an entry in the BOOT section of SYSTEM.INI with the key 
name SHELL in order to run the SWCHOST.EXE copy on system startup.

SETUPEX.EXE copies itself as SVCHOST.EXE to the folder found in the 
following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell 
Folders\Startup

and writes loopback values to the HOSTS file to block access to various 
anti-virus websites.

SETUPEX.EXE sets the following registry entries:

HKCU\Software\SARS\SocksPort
HKLM\System\CurrentControlSet\Services\SharedAccess\Start = 3
HKCU\Software\Microsoft\Internet Explorer\Main\AllowWindowReuse = 0

SETUPEX.EXE logs key strokes and window titles to a file in the Windows 
folder called PRNTK.LOG and logs information about certain files to 
RUNDLLN.SYS in the Windows folder.

SETUPEX.EXE drops PRNTSVR.DLL in the Windows folder. PRNTSVR.DLL is a 
backdoor program detected by Sophos Anti-Virus as Troj/Dumaru-B.

The SVCHOST.EXE file dropped by the dropper is an email and network 
share worm which also spreads by exploiting the RPC and LSASS 
vulnerabilities. For more information about these vulnerabilities see 
the Microsoft Security Bulletins MS04-011 and MS03-026.

The email sent by the worm to the email addresses harvested from the 
PHP, TXT, TBB, HTML and HTM files, has characteristics chosen from the 
following lists.

Subject line :
RE: order
For you
Hi, Mike
Good offer.
RE:

Message text :
Hi.
Here is the archive with those information, you asked me.
And don't forget, it is strongly confidencial!!!
Seya, man.
P.S. Don't forget my fee ;)

Hi, my darling :)
Look at my new screensaver. I hope you will enjoy...
Your Liza

My friend gave me this account generator for http://www.pantyola.com I 
wanna share it with you :)
And please do not distribute it. It's private.

Greets! I offer you full base of accounts with passwords of mail server
yahoo.com. Here is archive with small part of it . You can see that all
information is real. If you want to b uy full base, please reply me...

Hi, Nick. In this archive you can find all those things, you asked me.
See you. Steve

Attached file :

release.exe
demo.exe
AGen1.03.exe
AtlantI.exe
SecUNCE.exe

The worm copies itself into the KaZaA transfer folder and available 
shared folders with the following filenames:

AVP5.xcrack.exe
InternetOptimizer1.05b.exe
Shrek_2.exe
UnNukeit9xNTICQ04noimageCrk.exe
YahooDBMails.exe
hx00def.exe
ICQBomber.exe

The worm adds the following registry entry so that it is run each time 
Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvClipRsv

The worm also modifies the HOSTS files in an attempt to prevent 
anti-virus updates.

The worm listens on port 1250 for incoming connections which may contain 
updated copies of the worm or other files to install on the infected 
computer.





W32/Bagle-Zip

Aliases
Win32/Bagle.gen.zip

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
Sophos Anti-Virus detects as W32/Bagle-Zip the password-protected 
archive files created by W32/Bagle-F, W32/Bagle-G, W32/Bagle-H, 
W32/Bagle-I, W32/Bagle-J, W32/Bagle-K (ZIP archives), W32/Bagle-N, 
W32/Bagle-O (ZIP and RAR archives), W32/Bagle-W and W32/Bagle-AA.





W32/Agobot-XX

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-XX is capable of spreading to computers on the local network
protected by weak passwords.

When first run W32/Agobot-XX copies itself to the Windows system folder 
as dmrss.exe and creates the following registry entries to run itself on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DSService = dmrss.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
DSService = dmrss.exe

Each time W32/Agobot-XX is run it attempts to connect to a remote IRC 
server and join a specific channel.

W32/Agobot-XX then runs continuously in the background, allowing a 
remote intruder to access and control the computer via IRC channels.

W32/Agobot-XX attempts to terminate and disable various anti-virus and
security-related programs.

This worm will search for shared folders on the internet with weak 
passwords and copy itself into them. A text file named HOSTS may also be 
dropped into C:\\drivers\etc which may contain a list 
of anti-virus and other security-related websites each bound to the IP 
loopback address of 127.0.0.1 which would effectively prevent access to 
these sites.





W32/Agobot-JX

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-JX is a backdoor Trojan and worm which spreads to computers
protected by weak passwords and to computers infected with variants of
W32/MyDoom.

When first run, W32/Agobot-JX moves itself to the Windows system folder 
as wupdate.exe and creates the following registry entries to run itself 
on system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
napv.exe = wupdate.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
napv.exe = wupdate.exe

W32/Agobot-JX also sets itself up as a Windows service, with the
service name "navp.exe".

W32/Agobot-JX will hide all files whose filenames begin with "sound".

Each time the Trojan is run it attempts to connect to a remote IRC 
server and join a specific channel.

The Trojan then runs continuously in the background, allowing a remote
intruder to access and control the computer via IRC channels.

The Trojan attempts to terminate and disable various anti-virus and 
security-related programs and modifies the HOSTS file located at
\System32\Drivers\etc\HOSTS, mapping selected anti-virus 
websites to the loopback address 127.0.0.1 in an attempt to prevent 
access to these sites.





W32/Agobot-JW

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-JW is a worm which spreads to network shares with weak 
passwords. The worm also includes backdoor functions which can be 
controlled over IRC by a remote attacker.

When first run the worm copies itself to neroasm.exe in the Windows 
system folder and adds the registry entries

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroAutoStartClient

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
NeroAutoStartClient

The worm removes registry entries and files used by a number of other 
worms and terminates a large number of anti-virus and security-related 
processes.

W32/Agobot-JW copies itself to shares with weak passwords as a file 
named wrtx.exe.





W32/Agobot-JT

Aliases
Gaobot

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-JT is a backdoor worm which runs in the background as a
system process and allows unauthorised remote access to the computer.

The worm copies itself to the Windows system folder as NAVAPSVC.EXE and 
adds entries to the registry at

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

to run itself on system restart.

W32/Agobot-JT may also add a number of registry entries at:

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_VIDEO_LINE
HKLM\SYSTEM\ControlSet001\Services\Video line
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VIDEO_LINE
HKLM\SYSTEM\CurrentControlSet\Services\Video line

Each time W32/Agobot-JT is run it attempts to connect to a remote IRC 
server and join a specific channel.

W32/Agobot-JT may also collect system information and registration keys 
of software that is installed on the computer.





W32/Agobot-JP

Aliases
Backdoor.Agobot.gen, W32/Gaobot.worm.gen.d virus, W32.HLLW.Gaobot.gen, 
WORM_AGOBOT.IY

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-JP is a backdoor Trojan and worm which spreads to computers
protected by weak passwords.

When first run, W32/Agobot-JP moves itself to the Windows system folder 
as windns32.exe and creates the following registry entries to run itself 
on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows TaskManager Service

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows TaskManager Service

Each time W32/Agobot-JP is run it attempts to connect to a remote IRC
server and join a specific channel. It then runs continuously in the 
background allowing a remote intruder to access and control the computer 
via IRC channels.

W32/Agobot-JP attempts to terminate and disable various anti-virus and
security-related programs and modifies the HOSTS file located at
%WINDOWS%\System32\Drivers\etc\HOSTS. Selected anti-virus websites are 
mapped to the loopback address 127.0.0.1 in an attempt to prevent access 
to these sites. Typically these mappings are appended to the end of the 
HOSTS file.
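The HOSTS-file tampering described for W32/Agobot-XX and W32/Agobot-JP above (and also used by W32/Dumaru-AK and W32/Agobot-JX) can be audited with a small parser of the HOSTS format. This is an added example, not Sophos's text or any worm's code; the sample HOSTS content is constructed, and the set of legitimate loopback names is an assumption.

```python
"""Audit a Windows HOSTS file for loopback hijacks of security vendor sites.

Several worms on this page append lines of the form '127.0.0.1 <vendor host>'
so that anti-virus update servers resolve to the local machine.  This parser
handles the HOSTS format (one address followed by one or more names, '#'
comments, blank lines) and reports names bound to a loopback address that
are not a legitimate local name.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Assumed set of names that legitimately map to loopback; do not flag these.
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}

# Constructed sample: a stock HOSTS header followed by appended vendor
# mappings in the style the advisories describe (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.sophos.com   # trailing comment
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
192.168.1.10 fileserver.example.test
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names]) per effective line, skipping comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, including trailing ones
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 2:
            continue  # an address with no name is not a mapping
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; the resolver ignores it too
        entries.append((str(addr), [n.lower() for n in fields[1:]]))
    return entries


def find_loopback_hijacks(text: str) -> Dict[str, int]:
    """Map each suspicious name bound to a loopback address to its line count.

    A name is suspicious when it resolves to 127.0.0.0/8 or ::1 and is not in
    LEGITIMATE_LOOPBACK_NAMES.  Duplicate lines (the advisories' lists contain
    them) are counted rather than reported twice.
    """
    hits: Dict[str, int] = {}
    for addr, names in parse_hosts(text):
        if not ipaddress.ip_address(addr).is_loopback:
            continue
        for name in names:
            if name not in LEGITIMATE_LOOPBACK_NAMES:
                hits[name] = hits.get(name, 0) + 1
    return hits


if __name__ == "__main__":
    for name, count in sorted(find_loopback_hijacks(SAMPLE_HOSTS).items()):
        print(f"suspicious loopback mapping: {name} (x{count})")
```

Run it against the file the resolver actually reads (%WINDOWS%\System32\Drivers\etc\HOSTS on NT-family systems); any hit on a vendor update host is a strong sign of the tampering described above and should be paired with a check of the Run and RunServices keys listed in these advisories.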





Troj/StartPa-AE

Aliases
Trojan.WinREG.StartPage

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/StartPa-AE changes browser settings for Microsoft Internet Explorer 
each time Windows is started.

Troj/StartPa-AE is simply a text file (typically named sysdll.reg) which 
can be used as an input to Regedit to set the following registry entries:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\HOMEOldSP
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Main\HOMEOldSP
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
sys = "regedit -s sysdll.reg"

The last of these registry entries causes the registry to be updated 
using Troj/StartPa-AE each time Windows is started.

Troj/StartPa-AE may be installed on the computer by Troj/AdClick-AE.

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
