echo: virus
to: ALL
from: KURT WISMER
date: 2004-09-26 19:04:00
subject: News, Sept 26 2004

[cut-n-paste from sophos.com]

Name   W32/Xbot-C

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Used in DOS attacks

Aliases  
    * Sdbot.worm.gen.j

Prevalence (1-5) 2

Description
W32/Xbot-C is a network worm with IRC backdoor capability.
W32/Xbot-C spreads using network services protected by weak passwords.
An infected machine can be remotely controlled by an attacker through 
IRC channels.

Advanced
W32/Xbot-C is a network worm with IRC backdoor capability.

In order to run automatically when Windows starts up the worm creates 
the files dhcp\csrss.exe and Webchecks.dll in the Windows system folder. 
The worm may also create the following (harmless) files beneath the 
Windows system folder:

msvcp60.dll (if it doesn't already exist)
dhcp\msadm.dll
dhcp\msusr.dll
dhcp\mspwd.dll
dhcp\msdb.dll
updater.exe

W32/Xbot-C attempts to spread via network shares and SQL services 
protected by weak passwords.

W32/Xbot-C connects to a preconfigured IRC server and joins a channel in 
which it can await instructions from a remote attacker. These 
instructions can start any of the following actions:

flood another machine with ping packets
execute arbitrary files/commands
download an updated version of the bot
close network services that have commonly-exploited vulnerabilities
kill security-related processes

The worm creates the following registry entry:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\
{at} = "C:\Windows\System32\webchecks.dll"





Name   W32/Noomy-A

Type  
    * Worm

How it spreads  
    * Email attachments
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Stops the computer from booting
    * Deletes files off the computer
    * Steals information

Prevalence (1-5) 2

Description
W32/Noomy-A is a mass mailing worm which will attempt to send itself to 
email addresses harvested from dbx, htm, html and php files. When first 
executed W32/Noomy-A will display the fake error message: "CRC error: 
5418#223 Close file", and continue running in the background.

Advanced
W32/Noomy-A will attempt to send emails using the Winsock interface. If 
the required mswinsck.ocx is not found, it will then attempt to download 
the file from a predefined location on the internet.

The email sent will be from a fake email address and have any of the 
following subject lines:

Re: eCard Delivery Error:
Re: VoiceMail to
- Delivery Error You`ve got 1 new eCard!
bad request server not found!
One new VoiceMail! ID:
One new eCard! ID:
New eCard in your inbox!
You got one VoiceMail! See online!
Num: One new eCard from
Num: One new voicemail from
Mail Delivery (error )
Re: Message Error! mail:
Bad Request Server not found!
Re: Mail System Error - Returned Mail
Extended mail system error:
Re: Mail Delivery Error!
Protected Mail Server invalid!
Re: Mail Delivery: - Error
Re: mail error num:
- Returned mail: see transcript for details
Warning!!!
Why you SPAM?
Last notice!
Re: Regard ! Please read...
This is not OK !
Don't spam!!!!!
Question about YOUR SPAM!!
Information!You spam this email:
Last chance!STOP SPAM THIS EMAIL:

W32/Noomy-A copies itself to %windows%/Sysconf32.exe and to the folder 
%windows%/Systembck with various filenames.

In order to run automatically when Windows starts up W32/Noomy-A creates
the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows HTML file reader=%WINDOWS%\Sysconf32.exe.

W32/Noomy-A can also spread by sending spam messages via Email or the 
IRC service, to instruct users to download files from the backdoor HTML 
server. This server will be accessed from the %windows%/Systembck folder, 
in which all files are copies of W32/Noomy-A.

A specific URL of the backdoor HTML server will allow an intruder to log 
on and view various aspects of the host. There is also an option to 
remove *.sys files from the root folder which will prevent the system 
from booting. The intruder will also be able to install new malware on 
the system.

W32/Noomy-A may drop a batch file pingme.bat in the root folder. This 
file will attempt to carry out an ICMP DOS against the www.Microsoft.com, 
www.sophos.com and www.kaspersky.com websites.

The worm will keep a copy of the email addresses in %Windows%\emls.tmp.

The following two files will also be created in the root folder:
ReAd_ThiS_ShiT.txt
StpLogs.vbs





Name   W32/Forbot-AJ

Type  
    * Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Prevalence (1-5) 2

Description
W32/Forbot-AJ is a network worm and backdoor Trojan for the Windows 
platform.

Advanced
W32/Forbot-AJ is a network worm and backdoor Trojan for the Windows 
platform.

When first run, W32/Forbot-AJ copies itself to the Windows system folder 
as videosd32.exe. In order to run on system startup, the worm creates 
the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 Configuration = videosd32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 Configuration = videosd32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32 Configuration = videosd32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 Configuration = videosd32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 Configuration = videosd32.exe

W32/Forbot-AJ registers itself as a service process and connects to an 
IRC channel where it awaits commands from a remote user.

The backdoor component can be used to perform the following functions:

execute arbitrary commands (remote shell)
download and execute files from the internet
harvest product registration keys from the system registry
socks4 proxy server
port scanner
start/stop system service processes
DDoS (Distributed Denial of Service) attacks

W32/Forbot-AJ spreads through the network via the LSASS exploit and 
through backdoors left open by the Optix family of backdoor Trojans.





Name   W32/Agobot-MX

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Agobot.bh

Prevalence (1-5) 2

Description
W32/Agobot-MX is a network worm with backdoor functionality. When run 
the worm will attempt to copy itself to the Windows system folder as 
services21.exe and register itself as a service process.

Advanced
W32/Agobot-MX is a network worm with backdoor functionality. When run 
the worm will attempt to copy itself to the Windows system folder as 
services21.exe and register itself as a service process.

The worm will create the following registry entries so as to auto-start 
on user logon or computer restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Startup = %SYSTEM%\services21.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Startup = %SYSTEM%\services21.exe

W32/Agobot-MX will also attempt to copy itself to the Windows system 
folder as winhlpp32.exe, tftpd.exe, dllhost.exe, winppr32.exe, 
mspatch.exe, penis32.exe and msblast.exe. The worm will also attempt to 
copy itself to network shares, utilizing an inbuilt dictionary to try to 
guess weak passwords.

The worm will also attempt to connect to an IRC server from where it may 
receive further commands, scan the local drives for game CD keys, scan 
the network for vulnerable computers, and terminate various anti-virus 
and security related processes.

When instructed W32/Agobot-MX can also start a DoS attack, exploit 
vulnerable computers and act as a proxy or FTP server.





Name   W32/Zusha-A

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Worm.Win32.Zusha.a
    * WORM_ZUSHA.B

Prevalence (1-5) 2

Description
W32/Zusha-A is a worm for the Windows platform.

W32/Zusha-A spreads by exploiting the LSASS (MS04-011) vulnerability, 
causing vulnerable computers to download a copy of the worm from an FTP 
site.

Advanced
W32/Zusha-A is a worm for the Windows platform.

W32/Zusha-A spreads by exploiting the LSASS (MS04-011) vulnerability, 
causing vulnerable computers to download a copy of the worm from an FTP 
site.

When run W32/Zusha-A copies itself to aux32.exe in the Windows system 
folder and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
auxAudioDevice = "\aux32.exe"

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List\
\aux32.exe =
"aux32.exe:*:Enabled:aux32.exe"

W32/Zusha-A also contacts a website. If the website returns the string 
"AnyoneElseWangSomeZu" the worm will remove its registry entries.





Name   W32/Rbot-KJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes

Aliases  
    * Backdoor.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-KJ is a network worm with IRC backdoor functionality.

W32/Rbot-KJ attempts to spread by exploiting the Universal PNP 
(MS01-059), WebDav (MS03-007), RPC DCOM (MS03-026, MS04-012), LSASS 
(MS04-011), DameWare (CAN-2003-1030) or IIS5 SSL (CAN-2003-0719) 
vulnerabilities.

W32/Rbot-KJ allows a remote attacker to control the infected computer 
via IRC channels.

Advanced
W32/Rbot-KJ is a network worm with IRC backdoor functionality.

In order to run automatically when Windows starts up the worm copies 
itself to the file Msloader32.exe in the Windows system folder.

Once installed, W32/Rbot-KJ connects to a preconfigured IRC server, 
joins a channel and awaits further instructions. These instructions can 
cause the bot to perform any of the following actions:

flood a specified host with UDP, TCP, SYN, ICMP or ping packets
start a webserver offering the contents of the local drive
start a socks4 proxy server
redirect TCP connections
start a TFTP, rlogind or command shell server
send emails
search for product keys
download and install an updated version of itself
show statistics about the infected system
show/flush the DNS cache
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable machines
start a keylogger
search for passwords in files, running processes and network traffic
read the contents of the clipboard
capture images from the screen or any attacked webcam
close down vulnerable services in order to secure the machine

The worm spreads to machines affected by known vulnerabilities, running 
network services protected by weak passwords or infected by common 
backdoor Trojans.

Vulnerabilities:

Universal PNP (MS01-059)
WebDav (MS03-007)
RPC DCOM (MS03-026, MS04-012)
LSASS (MS04-011)
DameWare (CAN-2003-1030)
IIS5 SSL (CAN-2003-0719)

Services:

NetBios
NTPass
MS SQL

Backdoors:

Troj/Kuang
Troj/Optix
Troj/NetDevil
W32/Bagle
Troj/Sub7
W32/MyDoom

W32/Rbot-KJ creates or modifies the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MS Config Service = "Msloader32.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MS Config Service = "Msloader32.exe"

HKCU\Software\Microsoft\OLE
MS Config Service = "Msloader32.exe"

W32/Rbot-KJ searches for product keys for the following software:

Counter-Strike (Retail)
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Legends of Might and Magic
Soldiers of Anarchy
Microsoft Windows
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road to Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Generals (Zero Hour)
James Bond 007: Nightfire
Command and Conquer: Generals
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need for Speed Hot Pursuit 2
Need for Speed: Underground
Shogun: Total War: Warlord Edition
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
NOX
Chrome
Hidden & Dangerous
Soldier of Fortune II - Double Helix
Neverwinter Nights
Neverwinter Nights (Shadows of Undrentide)
Neverwinter Nights (Hordes of the Underdark)





Name   W32/Forbot-AG

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Wootbot.gen

Prevalence (1-5) 2

Description
W32/Forbot-AG is a worm and backdoor for the Windows platform.

The worm spreads by exploiting operating system vulnerabilities and 
backdoors opened by other worms. The vulnerabilities exploited by 
W32/Forbot-AG are addressed by MS04-011.

The backdoor component contacts a predefined IRC server and waits for 
commands from a remote attacker.

Advanced
W32/Forbot-AG is a worm and backdoor for the Windows platform.

The worm spreads by exploiting operating system vulnerabilities and 
backdoors opened by other worms. The vulnerabilities exploited by 
W32/Forbot-AG are addressed by MS04-011.

The backdoor component contacts a predefined IRC server and waits for 
commands from a remote attacker.

When run W32/Forbot-AG copies itself to the Windows system folder as 
IEXPLORE.EXE and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft IE = "IEXPLORE.EXE"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft IE = "IEXPLORE.EXE"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft IE = "IEXPLORE.EXE"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft IE = "IEXPLORE.EXE"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft IE = "IEXPLORE.EXE"

The worm also installs itself as a service named "Microsoft IE".

The backdoor component allows a remote attacker to control the infected 
computer and includes functionality to launch distributed denial of 
service attacks or act as a proxy server.





Name   W32/Myfip-C

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Myfip.c
    * W32/Myfip.worm

Prevalence (1-5) 2

Description
W32/Myfip-C is a worm from the W32/Myfip family that spreads using 
network shares that are either unprotected or protected only by weak 
passwords.

Advanced
W32/Myfip-C is a worm from the W32/Myfip family that spreads using 
network shares that are either unprotected or protected only by weak 
passwords.

The worm copies itself to the file kernel32dll.exe in the Windows 
system folder on the local machine. Copies on network shares can be 
called worm.txt.exe or dfsvc.exe.

W32/Myfip-C may also create files named temp.exe (detected by Sophos as 
W32/Myfip-A) and temp.txt (harmless).

The worm attempts to register itself as a service process with the 
ServiceName and DisplayName "Distributed Link Tracking Extensions".

W32/Myfip-C creates the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Distributed File System = "kernel32dll.exe"

W32/Myfip-C builds a list of all filenames whose path does not contain 
any of the following strings:

Winnt
Windows
I386
Program Files
All Users
Recycler
System Volume Information
Inetpub
Documents and Settings
Wutemp
My Music

The worm then sends the contents of each file to a preconfigured IP 
address.
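Nearly every family above persists through the same handful of autorun keys (Run, RunOnce, RunServices) or, for W32/Zusha-A, by whitelisting itself in the Windows Firewall AuthorizedApplications list. As an added example that is not from Sophos or the original post, the following Python check walks a .reg export of those keys and flags the value names and executables the descriptions quote; the export text is constructed here, and the parser only handles plain string values.

```python
import re

# Constructed .reg export (not a real capture). The key paths are the
# standard Windows autorun keys; the flagged values are taken from the
# descriptions above, with one legitimate entry (ctfmon.exe) as a control.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Startup"="C:\\WINDOWS\\system32\\services21.exe"
"MS Config Service"="Msloader32.exe"
"Microsoft IE"="IEXPLORE.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32 Configuration"="videosd32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"\\aux32.exe"="aux32.exe:*:Enabled:aux32.exe"
"""

# Markers quoted in each description. For W32/Forbot-AG the value name is
# used, because IEXPLORE.EXE on its own is also a legitimate file name.
INDICATORS = {
    "W32/Agobot-MX": {"services21.exe"},
    "W32/Rbot-KJ": {"msloader32.exe"},
    "W32/Forbot-AJ": {"videosd32.exe"},
    "W32/Forbot-AG": {"microsoft ie"},
    "W32/Zusha-A": {"aux32.exe"},
    "W32/Myfip-C": {"kernel32dll.exe"},
    "W32/Noomy-A": {"sysconf32.exe"},
}
# "\CurrentVersion\Run" is a prefix of RunOnce and RunServices as well.
AUTORUN_KEYS = ("\\currentversion\\run", "authorizedapplications\\list")

def parse_reg(text):
    """Yield (key_path, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
            if m:  # .reg files escape a backslash as "\\"
                yield key, m.group(1).replace("\\\\", "\\"), m.group(2).replace("\\\\", "\\")

def find_indicators(text):
    """Return (family, key, value_name, data) for autorun entries matching a marker."""
    hits = []
    for key, name, data in parse_reg(text):
        if not any(k in key.lower() for k in AUTORUN_KEYS):
            continue
        probe = (name + " " + data).lower()
        for family, markers in INDICATORS.items():
            if any(marker in probe for marker in markers):
                hits.append((family, key, name, data))
    return hits
```

A match is a reason to pull the binary for analysis, not proof of infection: the worms above choose names that imitate legitimate components, so confirm against the file on disk.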

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)

SOURCE: echomail via fidonet.ozzmosis.com
