echo: virus
to: ALL
from: KURT WISMER
date: 2004-07-04 18:16:00
subject: News, July 4 2004

[cut-n-paste from sophos.com]

W32/Rbot-AS

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Rbot-AS is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-AS spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-AS moves itself to the Windows system folder as LSAS.EXE and
creates registry entries called SYSTEM under the following
keys so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-AS may set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-AS may try to delete network shares on the host computer.

W32/Rbot-AS may also attempt to shut down security-related processes as
well as processes associated with the W32/MyDoom family of worms.





W32/Rbot-CR

Aliases
Backdoor.Rbot.gen, W32/Sdbot.worm.gen.o

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Rbot-CR is a network worm and backdoor for the Windows platform. 
W32/Rbot-CR allows a malicious user remote access to an infected 
computer.

The worm copies itself to a file named taskmngrs.exe in the Windows 
system folder and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Machine = taskmngrs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update Machine = taskmngrs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Machine = taskmngrs.exe

W32/Rbot-CR spreads using a variety of techniques, including exploiting 
weak passwords on computers and SQL servers, exploiting operating system 
vulnerabilities including DCOM-RPC, LSASS, WebDAV and UPnP, and using 
backdoors opened by other worms or Trojans.

W32/Rbot-CR can be controlled by a remote attacker over IRC channels.

Patches for the operating system vulnerabilities exploited by 
W32/Rbot-CR can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx





W32/Lovgate-AD

Aliases
I-Worm.Lovgate.ae, W32/Lovgate.ad{at}MM

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Lovgate-AD is a Windows worm that spreads via email, network shares 
and filesharing networks. The worm will create multiple copies of itself 
in various locations and attempt to autostart copies of itself. The worm 
may also replace copies of EXE files. The replaced EXE files will be 
renamed with a ZMX extension.

When executed, the worm will first attempt to terminate various 
processes that might interfere with the working of the worm. These 
include processes containing the following strings:

"KV"
"KAV"
"Duba"
"NAV"
"kill"
"RavMon.exe"
"Rfw.exe"
"Gate"
"McAfee"
"Symantec"
"SkyNet"
"rising"

W32/Lovgate-AD then copies itself to:
\command.exe
\windows\system32\TkBellExe.exe
\windows\system32\Update_OB.exe
\windows\system32\hxdef.exe
\windows\system32\iexplore.exe
\windows\system32\kernel66.dll (hidden)
\windows\system32\ravmond.exe
\windows\systra.exe

The worm may also drop one of the files MSJDBC11.DLL, MSSIGN30.DLL and 
ODBC16.DLL which provide unauthorised remote access to the computer over 
a network.

In addition to the above locations, W32/Lovgate-AD may also copy itself into 
random locations with various names such as:
mmc.exe
xcopy.exe
winhlp32.exe
i386.exe
client.exe
findpass.exe
autoexec.bat
MSDN.ZIP.pif
Cain.pif
WindowsUpdate.pif
Support Tools.exe
Windows Media Player.zip.exe
Microsoft Office.exe
Documents and Settings.txt.exe
Internet Explorer.bat
WinRAR.exe

The worm may also drop zip files (with a ZIP or RAR extension) which 
contain a compressed copy of the worm.

In order to run automatically when Windows starts up, the worm creates 
the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinHelp = C:\WINDOWS\System32\TkBellExe.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Hardware Profile = C:\WINDOWS\System32\hxdef.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VFW Encoder\Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Program In Windows = C:\WINDOWS\System32\IEXPLORE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Shell Extension = C:\WINDOWS\System32\spollsv.exe

The worm will also run itself as a service, under the name "Windows 
Management Protocol v.0 (experimental)". It will also autostart itself 
by modifying win.ini settings.

The worm will then create the following registry key:
HKCR\txtfile\Shell\open\command\{at} = Update_OB.exe %1
which will cause the worm to be executed when text files are opened in 
Explorer.
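The write-ups above (W32/Rbot-CR, W32/Sdbot-JF and W32/Lovgate-AD among them) describe two persistence patterns: autorun values under Run/RunServices that name a bare executable resolved through the search path, and a hijacked `txtfile` open handler. The following audit is an added example, not Sophos's or the poster's code; it parses a constructed `reg export` dump and flags both patterns, treating any handler that is not notepad as suspect.

```python
import re
# Constructed `reg export` dump (string values only). The autorun entries
# and the .txt handler mirror the ones named in the write-ups above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Machine"="taskmngrs.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\vmtoolsd.exe\" -n vmusr"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"AOL Messenger"="aolmsngr.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="Update_OB.exe %1"
'''

AUTORUN_KEY = re.compile(r'\\Windows\\CurrentVersion\\Run(Services)?$', re.I)
TXTFILE_KEY = r'HKEY_CLASSES_ROOT\txtfile\shell\open\command'

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and '=' in line and line.endswith('"'):
            name, _, data = line.partition('=')
            name = '@' if name == '@' else name.strip('"')
            # undo .reg escaping: \\ -> \ and \" -> "
            keys[current][name] = re.sub(r'\\(.)', r'\1', data[1:-1])
    return keys

def image_path(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0] if command else ''

def audit(keys):
    """Flag autoruns given as a bare filename (resolved through the search path,
    as the worms above register themselves) and a .txt handler that is not notepad."""
    findings = []
    for key, values in keys.items():
        if AUTORUN_KEY.search(key):
            for name, cmd in values.items():
                img = image_path(cmd)
                if '\\' not in img:
                    findings.append((key, name, img, 'autorun by bare filename'))
        elif key.lower() == TXTFILE_KEY.lower():
            img = image_path(values.get('@', ''))
            if 'notepad' not in img.lower():
                findings.append((key, '@', img, 'txtfile handler hijacked'))
    return findings
```

A full-path autorun such as the VMware Tools entry passes, so the check separates search-path persistence from ordinary software without a vendor-specific signature.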

W32/Lovgate-AD has several ways to spread itself; these include:

1. Spread via network share

W32/Lovgate-AD copies itself into various network shares, logging in 
using a default set of passwords and then dropping files in a similar 
way as it does on the local system.

The worm will also attempt to connect to the service control manager on 
the remote computer and start a copy of itself as a service. The service 
is run from a file named netmanager.exe in the Windows system folder.

W32/Lovgate-AD also enables sharing of the Windows Media folder and 
copies itself there using various filenames.

2. Spread via email

W32/Lovgate-AD spreads by email. The worm attempts to reply to emails 
found in the user's inbox, generating emails with the following 
characteristics:

Message text:
> Get your FREE account now! <
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.

Attached file:
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

The worm also attempts to harvest email addresses from WAB, TXT, HTM, 
SHT, PHP, ASP, DBX, TBB, ADB and PL files found on the system. This worm 
will spoof the sender's email address. The message text of these emails 
is chosen from the following list:

pass
It's the long-awaited film version of the Broadway hit. The message sent 
as a binary attachment. The message contains Unicode characters and has 
been sent as a binary attachment. Mail failed. For further assistance, 
please contact!

3. Spread via KaZaA remote share

W32/Lovgate-AD copies itself to the KaZaA shared folder with a random 
name.





W32/Sdbot-JF

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Sdbot-JF is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Sdbot-JF spreads to network shares with weak passwords as a result 
of the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Sdbot-JF copies itself to the Windows system folder as AOLMSNGR.EXE 
and creates entries in the registry at the following locations to run 
itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
AOL Messenger = aolmsngr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
AOL Messenger = aolmsngr.exe

W32/Sdbot-JF attempts to terminate certain processes related to security 
and anti-virus programs and to delete any network shares.





JS/Scob-A

Aliases
JS/Exploit-DialogArg.b trojan, Trojan.JS.Scob.a

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
JS/Scob-A is a JavaScript Trojan that is reported to be appended to HTML 
files on IIS machines.

JS/Scob-A downloads a file from a Russian website; this website is no 
longer accessible.





W32/Rbot-CG

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Rbot-CG is a backdoor Trojan and network worm that allows 
unauthorised remote access to the infected computer via IRC channels 
while running in the background as a service process.

In order to run automatically when Windows starts up the worm copies
itself to the file USWTME.EXE in the Windows system folder
and adds the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Task Manager-Emulator = uswtme.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Task Manager-Emulator = uswtme.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Task Manager-Emulator = uswtme.exe

The worm attempts to copy itself to the Windows system folder as GT.EXE 
on weakly protected network shares.





W32/Spybot-CW

Aliases
Backdoor.Agobot.gen, W32.HLLW.Gaobot.gen

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Spybot-CW is a peer-to-peer and network worm with backdoor Trojan 
functionality.

W32/Spybot-CW copies itself to Navapsvcc.exe in the Windows system folder
and creates entries in the registry at the following locations to run 
itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Video Process = Navapsvcc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Video Process = Navapsvcc.exe

W32/Spybot-CW may create several copies of itself in a folder called
kazaabackupfiles and then set the following registry entry to enable 
sharing of this folder on the KaZaA peer-to-peer network:

HKCU\Software\Kazaa\LocalContent\Dir0

W32/Spybot-CW remains resident, running in the background as a service 
process and listening for commands from remote users via IRC channels.





W32/Rbot-CC

Aliases
sdbot, spybot

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Rbot-CC is a member of the W32/Rbot family of worms with a backdoor
component.

In order to run automatically when Windows starts up the worm copies
itself to the file goawv.exe in the Windows system folder
and adds the following registry entries pointing to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OutlookExpress
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookExpress
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\OutlookExpress
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\OutlookExpress

The worm also adds the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\0utlook Express = "goawv.exe"
HKCU\Software\Microsoft\OLE\0utlook Express = "goawv.exe"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\0utlook Express = "goawv.exe"
HKCU\SYSTEM\CurrentControlSet\Control\Lsa\0utlook Express = "goawv.exe"
HKLM\SYSTEM\ControlSet001\Control\Lsa\0utlook Express = "goawv.exe"

and sets the entries:

HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"

When active W32/Rbot-CC attempts to connect to a remote IRC server and
enables a malicious user to remotely control the infected computer via
a specific IRC channel.





W32/Agobot-KE

Aliases
Backdoor.Agobot.gen, W32/Gaobot.worm.gen.j virus, Win32/Agobot.NBZ 
trojan, W32.HLLW.Gaobot.gen, WORM_AGOBOT.KW

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-KE is a backdoor Trojan and worm which spreads to computers
protected by weak passwords.

When first run, W32/Agobot-KE moves itself to the Windows system folder 
as VDISP.EXE and creates the following registry entries to run itself on
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Display
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Video Display

Each time W32/Agobot-KE is run it attempts to connect to a remote IRC 
server and join a specific channel. It then runs continuously in the 
background, allowing a remote intruder to access and control the 
computer via IRC channels.

The Trojan attempts to terminate and disable various anti-virus and
security-related programs and modifies the HOSTS file located at
%WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus
websites to the loopback address 127.0.0.1 in an attempt to prevent 
access to these sites. Typically the following mappings will be appended 
to the HOSTS file:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
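The HOSTS tampering described for W32/Agobot-KE is easy to check for from the defender's side. This added example (not Sophos's or the poster's code) parses a constructed HOSTS file and reports security-vendor hostnames that resolve to a sinkhole; it generalises slightly beyond the write-up by treating 0.0.0.0 and ::1, not only 127.0.0.1, as sinkholes, and its vendor list is drawn from the mappings above rather than being exhaustive.

```python
import ipaddress

# Constructed HOSTS content: the first two lines are a stock file, the rest
# resembles what the write-up says W32/Agobot-KE appends (plus one benign line).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.sophos.com
0.0.0.0 update.symantec.com
::1 kaspersky.com
127.0.0.1 intranet.example   # constructed internal override, not a vendor
"""

# Vendor domains taken from the mapping list above; illustrative, not exhaustive.
VENDOR_SUFFIXES = ('symantec.com', 'symantecliveupdate.com', 'sophos.com',
                   'mcafee.com', 'f-secure.com', 'kaspersky.com', 'avp.com',
                   'nai.com', 'networkassociates.com', 'trendmicro.com',
                   'ca.com', 'my-etrust.com', 'viruslist.com')

def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:          # one address may carry several names
            yield parts[0], host.lower()

def is_sinkhole(addr):
    """True for loopback or unspecified addresses (127.x, ::1, 0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def find_blocked_vendors(text):
    """Return hostnames whose HOSTS entry sends a security-vendor site to a sinkhole."""
    hits = []
    for addr, host in parse_hosts(text):
        if host == 'localhost' or not is_sinkhole(addr):
            continue
        if any(host == s or host.endswith('.' + s) for s in VENDOR_SUFFIXES):
            hits.append(host)
    return hits
```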





W32/Rbot-CA

Aliases
Spybot

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Rbot-CA is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-CA spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-CA moves itself to the Windows system folder as a randomly 
named read-only, hidden, system EXE file and creates entries in the 
registry at the following locations to run on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Updating = 

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Updating = 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Updating = 

The following registry entries will also be created:

HKLM\SOFTWARE\Krypton\\
K-Key = 

HKLM\SOFTWARE\Krypton\\
K-Key = 

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)

SOURCE: echomail via fidonet.ozzmosis.com
