echo: virus
to: ALL
from: KURT WISMER
date: 2003-07-18 16:12:00
subject: News

[cut-n-paste from sophos.com]

Troj/Webber-A

Aliases
TrojanProxy.Win32.Webber.10, Backdoor.Berbew, BackDoor-AXJ, 
Downloader-DI

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/Webber-A is a backdoor Trojan with two components.

The loader component downloads the main part from a web address into 
the system folder and executes it.

The downloaded component is a password-stealing Trojan that attempts to 
extract sensitive information from several locations on the system and 
sends them to CGI scripts at another web address.

The downloaded component copies itself with a random name into the 
Windows system folder and drops and executes a DLL file (also with a 
random name) that runs the copy of the Trojan.

In order to be started automatically the Trojan creates the following 
registry entries:

HKLM\Software\Classes\CLSID\
79FA9088-19CE-715D-D85A-216290C5B738\InProcServer32\

HKLM\Software\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad\Web Event Logger

The Trojan also functions as a web proxy.





W32/Gruel-D

Aliases
I-Worm.Kiguat

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Gruel-D is a mass mailing worm very similar to W32/Gruel-A that 
arrives in an email with the following characteristics:

Subject line: Microsoft Windows Critical Update
Message Text:
Critical Update: The Microsoft Windows updates found on this patch 
include fixes to following Windows operating systems: Any update that 
is critical to the operation of your computer is considered a Critical 
Update, and is automatically selected for installation during the scan 
for available updates. This patch is provided to help resolve known 
issues, and to protect your computer from known security vulnerabilities 
and all kinds of viruses. Whether a patch applies to your operating 
system, software programs, or hardware, it is listed in the Critical 
Updates category, like this patch attached. For Support please contact 
us at support{at}microsoft.com
Attached File: Rundll32.exe

On execution the worm displays a Windows XP style message box containing
the text: "Windows has encountered a problem a needs to close. We are 
sorry for the inconvenience. If you were in the middle of something, 
the information you were working on might be lost. Please tell 
microsoft about this problem. We have created an error report thet you 
cand send to us. we will treat this report as confidential and 
anounymous. To see what data this error report contains. Windows X 
found serious error".

There are two buttons, "Send Error" and "Send and Close".

Clicking on "Send Error" displays a bogus technical-looking error 
message, similar to the above, with "<< Back" and "Close" buttons. 
"Close" does nothing and "<< Back" takes you back to the previous 
screen.

Clicking on "Send and Close" will cause the worm to run many control 
panel applets, eject the CD-Rom drive, remove the taskbar and display a 
rant about Windows which cannot be closed:

Your computer now is mine, Why? Because I didn't had nothing to do and 
I thought, why not make the evil? Remember NOW YOUR PC IS IN MY POWER 
Windows Sucks! I can't stand it anymore! Windows has always sucked. 
Wake up people! It's a scam! You don't need a faster computer. You need 
a better operating system. Microsoft continuingly makes money by 
selling you the latest and greatest Windows. The latest Windows version 
is always the most inefficient yet, slowing down your fast computer. 
Also, now you have to upgrade all your other software too because 
different Windows versions are not compatible with each other! A hidden 
cost not mentioned at all. It's part of the scam. Capitalism Sucks!, 
Communism Sucks. KILLERGUATE.

W32/Gruel-D disables many Windows features, such as task manager, 
logoff, shutdown, lock computer, change password, etc. The worm also 
changes the default association for EXE files and deletes many files in 
the Windows system folder and its sub-folders.

The worm also copies itself to the Desktop as kIlLeRgUaTe1.03





W32/Mapson-C

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Mapson-C is an internet worm which spreads via email, IRC and 
peer-to-peer networks.

For further information, please see the analysis of W32/Mapson-A.





W32/Gruel-B

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Gruel-B is a mass mailing worm very similar to W32/Gruel-A. But 
this variant arrives in an email with different characteristics:

Subject: Microsoft Windows Critical Update
Message Text:
Critical Update: The Microsoft Windows updates found on this patch 
include fixes to following Windows operating systems: Any update that 
is critical to the operation of your computer is considered a Critical 
Update, and is automatically selected for installation during the scan 
for available updates. This patch is provided to help resolve known 
issues, and to protect your computer from known security 
vulnerabilities and all kinds of viruses. Whether a patch applies to 
your operating system, software programs, or hardware, it is listed in 
the Critical Updates category, like this patch attached. For Support 
please contact us at support{at}microsoft.com
Attached File: Rundll32.exe

(Safety tip: remember that Microsoft never sends out security updates 
as email attachments.)





W32/Gruel-C

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Gruel-C is a mass mailing worm very similar to W32/Gruel-A.

W32/Gruel-C uses the same subject line and message text as the -A 
variant.





W32/Coconut-A

Aliases
W32/Conut{at}MM

Type
Win32 executable file virus

Detection
Note: At the time of writing Sophos has received no reports from users 
affected by this virus. However, we have issued this advisory following 
interest from the media.

Description
W32/Coconut-A is a prepending virus (written in C#) and a mass mailing 
worm.

W32/Coconut-A places a dropper copy of itself as C:\coconut.exe and 
temporarily drops VBS/Coconut-A as C:\mail.vbs. The virus then uses the 
VBScript to mail the dropper to all entries in the Windows address book 
using an email with the following characteristics:

Subject line: The Coconut Game
Message Text: This game made me feel like I was on a vacation :)
Attached File: coconut.exe

W32/Coconut-A will then display a 'Coconut Shy' game, in which the user 
has 3 goes at hitting a picture of either Frans Devaere (for 1 point) 
or Graham Cluley (for 2 points) by pressing a button. The virus then 
infects 6- files on the system.

Finally, the virus displays a message box telling the user how many 
points they scored, and how many files are infected.

Frans Devaere is an alleged hacker from Belgium. Graham Cluley is 
senior technology consultant and head of corporate communications for 
Sophos Anti-Virus.





W32/Gruel-A

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Gruel-A is a mass mailing worm that arrives in an email with the 
following characteristics:

Subject line: Symantec: New serious virus found
Message Text:
Norton Security Response: has detected a new virus in the Internet. For 
this
reason we made this tool attachement, to protect your computer from this
serious virus. Due to the number of submissions received from customers,
Symantec Security Response has upgraded this threat to a Category 5 
(Maximum ).
Attached File: Rundll32.exe

On execution the worm displays a Windows XP style message box containing 
the text "Windows has encountered a problem a needs to close. We are 
sorry for the inconvenience. If you were in the middle of something, 
the information you were working on might be lost. Please tell 
microsoft about this problem. We have created an error report thet you 
cand send to us. we will treat this report as confidential and 
anounymous. To see what data this error report contains. Windows X 
found serious error."

There are two buttons: "Send Error" and "Send and Close".

Clicking on "Send Error" displays a bogus technical-looking error 
message, similar to the above, with "<< Back" and "Close" buttons. 
"Close" does nothing and "<< Back" takes you back to the previous 
screen.

Clicking on "Send and Close" will cause the worm to run many control 
panel applets, eject the CD-Rom drive, remove the taskbar and display a 
rant about Windows which cannot be closed.

Your computer now is mine, Why? Because I didn't had nothing to do and 
I thought, why not make the evil? Remember NOW YOUR PC IS IN MY POWER
Windows Sucks! I can't stand it anymore! Windows has always sucked. 
Wake up people! It's a scam! You don't need a faster computer. You need 
a better operating system. Microsoft continuingly makes money by 
selling you the latest and greatest Windows. The latest Windows version 
is always the most inefficient yet, slowing down your fast computer. 
Also, now you have to upgrade all your other software too because 
different Windows versions are not compatible with each other! A hidden 
cost not mentioned at all. It's part of the scam. Capitalism Sucks!, 
Communism Sucks. KILLERGUATE.

W32/Gruel-A disables many Windows features, such as task manager, 
logoff, shutdown, lock computer, change password, etc. The worm also 
changes the default association for EXE files and deletes many files in 
the Windows system folder and its sub-folders.

The worm also copies itself as Norton 2003 Pro.exe into the default 
KaZaA shared folder.





Troj/CMJSpy-B

Aliases
Backdoor.Cmjspy.B

Type
Trojan

Detection
At the time of writing Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/CMJSpy-B is a backdoor and keylogging Trojan which runs in the 
background as a service process allowing unauthorised remote access to 
the computer over a network while also logging keystrokes.

The Trojan moves itself to the Windows system folder as WINGMT.EXE and 
adds to the following registry entry in order to run itself on system 
restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Troj/CMJSpy-B attempts to download a file from the internet. The Trojan 
may also terminate processes with certain names.





Troj/Ataka-E

Type
Trojan

Detection
At the time of writing Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Ataka-E is a multicomponent IRC backdoor Trojan.

The main installer component (sx.exe) is typically downloaded from the 
internet by a downloader. The installer drops the following files: 
calc32.exe, gamma.exe, ght.dll, hajr.drv, infsyst.reg, kasperlamm.cab, 
msvcrtd.dll, nocx.ocx, NoeWinnt.exe, oje.txt and syn32.exe into the 
folder Program Files\NetMeeting\conf\.

Some of these files are clean and are not detected. Gamma.exe is a
Trojan dropper and is detected as Troj/Prx-A.

Troj/Ataka-E sets the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NTsocket =
C:\Program Files\NetMeeting\conf\NoeWinnt.exe





Troj/Golon-A

Type
Trojan

Detection
At the time of writing Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Golon-A is a backdoor Trojan.

The Trojan copies itself to the Windows system folder as logon.exe and 
sets the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\logon.exe =
\logon.exe

Troj/Golon-A also creates several registry entries under 
HKLM\Software\Microsoft\Kernel.





Troj/Migmaf-A

Type
Trojan

Detection
At the time of writing Sophos has received no reports from users 
affected by this Trojan. However, we have issued this advisory 
following enquiries to our support department from customers.

Description
Troj/Migmaf-A is a backdoor Trojan which allows unauthorised remote 
access to the computer over a network.

The Trojan adds an entry to the registry at
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
to run itself on system restart.

Troj/Migmaf-A may act as a reverse proxy web server on the victim's 
computer. This would allow a remote user to host undesirable websites 
via the victim's computer without being traced and shut down.





W32/Mofei-B

Aliases
W32/MoFei.worm, Worm.Mofeir.c, WORM_MOFEI.C

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Mofei-B is a worm which may attempt to spread to ADMIN$ and IPC$ 
network shares with weak passwords. The worm also has a backdoor Trojan 
component which runs in the background as a service process and allows 
unauthorised remote access to the computer over a network.

The worm has three main components: an EXE dropper, a DLL plugin 
(LASVR32.DLL) and another EXE (NAPW32.EXE).

W32/Mofei-B has system specific behaviour. Under Windows NT/2000/XP the 
worm moves itself to the Windows system32 folder as LASVR32.EXE and 
drops and invokes the DLL plugin LASVR32.DLL which contains the 
backdoor functionality. The worm runs itself on system restart by 
masquerading as the Smart Card Helper service and by creating the 
following registry entry:

HKLM\System\CurrentControlSet\Services\SCardDrv\ImagePath =
\LASVR32.EXE -v

W32/Mofei-B attempts to spread to network shares only under systems 
based on Windows NT.

Note that LASVR32.DLL may attempt to attach its own code to the running 
process LSASS.EXE.

Under Windows 95/98/ME the worm moves itself to the Windows system32 
folder as LASVR32.EXE and drops and executes the EXE NAPW32.EXE which 
contains the backdoor functionality. The worm also creates the 
following registry entry to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NavAgent32 =
\LASVR32.EXE -v

The backdoor capabilities include downloading and uploading files, 
deleting files, executing files, running a command prompt, getting 
system specific information (such as processor type and disk 
information) and getting passwords.





App/ViewMov-A

Type
Application

Detection
Sophos has received several reports of this virus from the wild.

Note: App/ViewMov-A is not a virus, it is an application. This IDE 
includes detection for App/Optimiz-A and App/CrmRest-A.

Description
App/ViewMov-A, App/Optimiz-A and App/CrmRest-A are a collection of 
internet-based applications for Microsoft Windows which have appeared 
on a website run by Avenue Media NV of Curacao. The applications are 
not viruses, but because of email traffic which can be generated by the 
applications, some users have become concerned.

Typically, users receive emails inviting them to visit a website 
containing free comic video clips. Their email contacts then also 
receive similar messages inviting them to visit the website.

The video clips are not delivered directly, but instead by means of 
helper applications: App/ViewMov-A or App/CrmRest-A. These applications 
install App/Optimiz-A. This program (which claims to be an "Internet 
Optimizer" and is also published by Avenue Media NV) is added to the 
registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it loads automatically every time a user logs on to the 
computer.

Internet Optimizer (IO) has an End User License Agreement (EULA) which 
grants rights to Avenue Media, including:


      "In consideration for viewing of video content, Avenue Media may 
send email to your Microsoft Outlook contacts and/or send instant 
messages to your IM contacts offering the video to them on your behalf. 
By viewing the video content, you expressly consent to said activity."


      "For your convenience, [IO] automatically updates itself and any 
other [IO]-installed software to the latest available versions at 
periodic intervals. In consideration for this feature, you grant Avenue 
Media access to your machine to automatically update [IO], add new 
features and other benefits, and periodically install and uninstall 
optional software packages."

The EULA goes on to point out that any additional software installed 
via the ports opened up by Internet Optimizer will automatically be 
subject to the same licensing conditions.

Note that the emails sent out soliciting your presence on Avenue 
Media's website do not contain attachments. The active content is 
delivered from the website itself.





W32/Israz-A

Aliases
W32.Akosw{at}mm

Type
Windows 95 executable file virus

Detection
At the time of writing Sophos has received no reports from users 
affected by this virus. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Israz-A is an email worm that spreads using its own SMTP engine. 
W32/Israz-A also targets the KaZaA file sharing utility.

Upon execution the worm creates copies of itself in the Windows system 
folder with the filenames vShell.exe and Win32.exe. The worm also 
creates copies of itself in the Windows temp folder using the filenames 
Fun.exe, FAQ.exe, Q322593.exe, Support.exe, ToolBar.exe and Wizard.exe.

W32/Israz-A extracts a freeware SMTP Component ossmtp.dll and 
vUser.exe, the secondary worm component, into the Windows system 
folder.

W32/Israz-A collects email addresses from the Windows Address Book and 
sends itself as an attachment of an email message with the following 
characteristics:

From : update{at}microsoft.com
Subject line: Windows Update
Message text:
Your file is attached to message.
For more information go to Windows Update 
http://windowsupdate.microsoft.com
Attached file: Update.exe

From: update{at}microsoft.com
Subject line: PS1
Message text:
Your file is attached to message.
For more information go to Windows Update 
http://windowsupdate.microsoft.com
Attached file: Q322593.exe

From: update{at}microsoft.com
Subject line: Update Your ToolBar
Message text:
Your file is attached to message.
For more information go to Windows Update http://www.google.com
Attached file: ToolBar.exe

From: help{at}google.com
Subject line: Auto Search Wizard
Message text:
Your file is attached to message.
For more information go to Google home page http://www.google.com
Attached file: Wizard.exe

From: copyright{at}yahoo-inc.com
Subject line: Yahoo FAQ
Message text:
Your file is attached to message.
For more information go to Yahoo home page http://www.yahoo.com
Attached file: FAQ.exe

From: copyright{at}yahoo-inc.com
Subject line: Support For Search
Message text:
Your file is attached to message.
For more information go to Yahoo home page http://www.yahoo.com
Attached file: Support.exe

W32/Israz-A searches for the default KaZaA download folder. 
If the folder is found, the worm creates a copy of itself using one of 
the following filenames:

XP Keys.exe
OfficeXP Keys.exe
NAV_2003 Crack.exe
Doom_3 Crack.exe
GTA Vice City Crack.exe

The worm also creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32
so that it contains the location of Win32.exe,

HKLM\Software\Classes\txtfile\shell\open\command\
so that it contains the location of vShell.exe

and

HKLM\Software\Symantec\ScriptBlocking
so that it contains the string "Script Blocking".





W32/Graps-A

Aliases
W32/Graps.worm, W32.HLLW.Graps, Win32.Graps

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Graps-A is a worm that uses Windows hidden system shares, intended 
for inter process communication and administration tasks (IPC$ and 
ADMIN$), to spread.

W32/Graps-A spreads with the filename mwd.exe together with two other 
files, a utility psexec.exe and an OCX file mswinsck.ocx. The worm 
drops three batch files wds.bat, wds2.bat and wds3.bat into the current 
directory.

The dropped batch files are used to probe for IPC$ or ADMIN$ shares 
with weak or blank passwords.

If a share is successfully probed, the batch file copies wdm.exe, 
psexec.exe and mswinsck.ocx to the remote computer and uses psexec.exe 
to remotely launch wdm.exe.

W32/Graps-A creates a new registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Management Instrumentation

so that the file wdm.exe from the Windows System folder is run on 
Windows startup.

The worm also contains a backdoor component that can be used by an 
attacker to launch denial of service attacks or use an infected machine 
as a TCP proxy.





WM97/Adenu-A

Type
Word 97 macro virus

Detection
At the time of writing Sophos has received just one report of this 
virus from the wild.

Description
WM97/Adenu-A lowers the Microsoft Office Security settings by setting 
the following registry entry:

HKCU\Software\Microsoft\Office\9.0\Word\Security\Level=01

WM97/Adenu-A also disables the following menu options within Microsoft 
Word:

Tools|Macro
Tools|Customize
Tools|Templates and Add-Ins

WM97/Adenu-A creates the file GbcHS4664.VBS in the Windows system 
folder and sets the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\GgcHS464 ="\GbcHS4664.VBS"

so that it is run when Windows is started. GbcHS4664.VBS is detected by 
Sophos Anti-Virus as VBS/Adenu-A.

On 26th June WM97/Adenu-A replaces the contents of the active document 
with text in Filipino.





WM97/ZWMVC-B

Type
Word 97 macro virus

Detection
At the time of writing Sophos has received just one report of this 
virus from the wild.

Description
WM97/ZWMVC-B is a simple macro virus that uses the name "zwmvc_macro" 
for the infected VBA module. The virus displays the message "Yet Again 
Porn Error" every time an infected document is opened or a clean 
document is infected.





W32/MyLife-M

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/MyLife-M is a worm that spreads via email. Using Microsoft Outlook,
W32/MyLife-M sends emails to addresses found in the Outlook address 
book.

The email has one of the following characteristics:

Subject line: Old Shakira
Message text:
Hi
i saw this good ASS,, i sleep 3 hours ;-)
check Shakira ass soory Shakira movi :)

========No virus detected========
MCAFEE.COM
Attached file: Shakira_1997_part_1_.Mpeg_.scr


Subject line: Fw: Julia Roberts
Message text:
How are you?
Lexy and Mystique, a couple of 18 yr old
bi gothic chicks, came over and
had some fun in our shower. This scene
looks even better on video, check
em out at gotgiclex.com
Attached file: Julia_Roberts_Fucking_toilet.Mpeg_.scr

The worm drops the file C:\MyLife.mpg and attempts to play it.

If W32/MyLife-M is executed in the Windows system folder, the worm 
checks the time on the system clock. If the number of minutes past the 
hour is greater than or equal to 50, the worm attempts to delete all 
SYS files from the Windows folder, all files from the Windows system 
folder and all files and folders from drives D:, E: and F:

In order to run automatically when Windows starts up, the worm attempts 
to copy itself to the Windows system folder as a file named 
Shakira_1997_part_1_.Mpeg_.scr and creates the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32

pointing to this file. The worm may also create a copy of itself named 
Julia_Roberts_Fucking_toilet.Mpeg_.scr in the Windows system folder.

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com