echo: virus
to: ALL
from: KURT WISMER
date: 2004-03-28 18:46:00
subject: News

[cut-n-paste from sophos.com]

Troj/Ranckbot-A

Aliases
TrojanProxy.Win32.Ranky.p, Backdoor.SdBot.ev, W32/Sdbot.worm.gen.b, 
Proxy-FBSR.gen

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this 
Trojan from the wild.

Description
Troj/Ranckbot-A drops the files fqvwot.exe and wcs.exe into the folder 
WinNT\system32 and runs them. These files are detected as W32/Sdbot-EV 
and Troj/Ranck-M.

W32/Sdbot-EV copies itself to the file svchosts11.exe in the Windows 
system folder and creates the following registry entry, pointing to this 
file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsong

Troj/Ranck-M creates the following registry entry to start itself 
automatically when Windows boots up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows NT





W32/Bagle-U

Aliases
W32.Beagle.gen

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Bagle-U is a member of the W32/Bagle family of worms.

The worm starts the mshearts application on the system when active.

In order to run automatically when Windows starts up the worm copies 
itself to the file gigabit.exe in the Windows system folder and sets the 
following registry entry to point to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gigabit.exe

W32/Bagle-U also creates the following registry entries:

HKCU\Software\Windows2004\gsed
HKCU\Software\Windows2004\fr1n

The worm listens on port 4751 and sends registration information 
containing this port number to a remote web site. This port can be used 
by a remote attacker to update the worm. The uploaded file will be 
dropped as a random EXE filename starting with the string 'bsud' into 
the Windows folder and executed. If the file was dropped successfully 
the original worm file will be deleted.

W32/Bagle-U scans all fixed drives recursively for WAB, TXT, MSG, HTM, 
SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, WSH, 
ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP files, extracts 
email addresses from them and sends itself as an attachment to the found 
addresses.

Email addresses belonging to the domains AVP and Microsoft are skipped.

The emails sent by the worm have an empty subject line and no message 
text and the attachment file names are random strings with an EXE 
extension. The sender address is spoofed and chosen from the list of 
addresses found on the system.

After the end of 2004 the worm will remove itself from the system.





W32/Lovgate-X

Aliases
I-Worm.LovGate.q, Win32/Lovgate.X, WORM_LOVGATE.Q

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Lovgate-X is a worm with backdoor functionality that spreads via 
email, network shares with weak passwords and filesharing networks.

W32/Lovgate-X may arrive in the email with the following 
characteristics:
Subject line: chosen from -
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message text: chosen from -
It's the long-awaited film version of the Broadway hit. The message sent 
as a binary attachment.

The message contains Unicode characters and has been sent as a binary 
attachment.

Mail failed. For further assistance, please contact!

Attachment name: chosen from -
document
readme
doc
text
file
data
test
message
body

followed by .bat, .cmd, .exe, .pif or .scr

When executed W32/Lovgate-X creates the service "NetMeeting Remote 
Sharing," copies itself to the Windows folder with the filename 
Systra.exe and to the Windows system folder with the filenames 
iexplore.exe, Winexe.exe, avmond.exe, WinHelp.exe and Kernel66.dll.

W32/Lovgate-X extracts the backdoor components to the Windows system 
folder as ODBC16.DLL, msjdbc11.dll and MSSIGN30.DLL (detected as 
W32/Lovgate-W).

In order to run automatically when Windows starts up W32/Lovgate-X 
creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SystemTra
= C:\WINDOWS\SysTra.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Program In Windows
= "C:\\WINDOWS\\System32\\IEXPLORE.EXE"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Protected Storage
= "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices\SystemTra
= "C:\\WINDOWS\\SysTra.EXE"

HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
= "RAVMOND.exe"

HKCR\exefile\shell\open\command
= C:\WINDOWS\System\winexe.exe

W32/Lovgate-X may change the win.ini file by adding the path to 
Ravmond.exe to the 'run=' line.

W32/Lovgate-X attempts to terminate a number of processes with names 
that contain a string chosen from the following list:
KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising

W32/Lovgate-X copies itself to the share folders of filesharing networks 
with one of the following filenames:
Are you looking for Love.doc.exe
autoexec.bat
The world of lovers.txt.exe
How To Hack Websites.exe
Panda Titanium Crack.zip.exe
Mafia Trainer!!!.exe
100 free essays school.pif
AN-YOU-SUCK-IT.txt.pif
Sex_For_You_Life.JPG.pif
CloneCD + crack.exe
Age of empires 2 crack.exe
MoviezChannelsInstaler.exe
Star Wars II Movie Full Downloader.exe
Winrar + crack.exe
SIMS FullDownloader.zip.exe
MSN Password Hacker and Stealer.exe

W32/Lovgate-X copies itself to the share folder of the KaZaa network 
with one of the following filenames:
wrar320sc
REALONE
BlackIcePCPSetup_creak
Passware5.3
word_pass_creak
HEROSOFT
orcard_original_creak
rainbowcrack-1.1-win
W32Dasm
setup


followed by .bat, .exe, .pif or .scr





W32/Agobot-EX

Aliases
Backdoor.Agobot.hm, WORM_AGOBOT.HM, W32.HLLW.Polybot

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-EX is an IRC backdoor Trojan and network worm.

When first run W32/Agobot-EX copies itself to the Windows system folder 
with the filename soundman.exe. The following registry entries are 
created with the intention of starting the worm when a user logs into 
Windows, but an error results in these values being garbage:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
^`d}qZxu= ~`d}qzxu3zYF

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
^`d}qZxu= ~`d}qzxu3zYF

W32/Agobot-EX also registers itself as a service which will be activated 
when Windows starts up. The name of the service is SoundMan.

W32/Agobot-EX connects to a remote IRC server and joins a specific 
channel. The backdoor functionality of the worm can then be accessed by 
an attacker using the IRC network. An attacker can issue commands to 
start the worm scanning for vulnerable computers to copy itself to.

The worm also attempts to terminate and disable various security-related 
programs.





W32/Agobot-EF

Aliases
Backdoor.Agobot.3.gen

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-EF is an IRC backdoor Trojan and network worm.

W32/Agobot-EF copies itself to network shares with weak passwords and 
attempts to spread to computers using the DCOM RPC and the RPC locator 
vulnerabilities.

These vulnerabilities allow the worm to execute its code on target 
computers with System level privileges. For further information on 
these vulnerabilities and for details on how to protect/patch the 
computer against such attacks please see Microsoft security bulletins 
MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft 
security bulletin MS03-039.

When first run W32/Agobot-EF copies itself to the Windows system folder 
with the filename explore.exe and creates the following registry entries 
so that the worm is run when Windows starts up:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Monitor = explor.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Monitor = explor.exe

W32/Agobot-EF also registers itself as a service which will be activated 
when Windows starts up. The name of the service is Monitor.

W32/Agobot-EF connects to a remote IRC server and joins a specific 
channel. The backdoor functionality of the worm can then be accessed by 
an attacker using the IRC network.

The worm also attempts to terminate and disable various security-related 
programs.





W32/Sdbot-GR

Aliases
Backdoor.IRCBot.gen, W32/Sdbot.worm.gen

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm 
from the wild.

Description
W32/Sdbot-GR is a backdoor Trojan and network-aware worm which runs in 
the background as a service process and allows unauthorised remote 
access to the computer via IRC channels.

W32/Sdbot-GR copies itself to the Windows system folder as wintask.exe 
and creates the following registry entries so that the Trojan is run 
when a user logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winlog
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\winlog
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\winlog
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winlog
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\winlog

W32/Sdbot-GR remains resident, listening for commands from remote users. If the
appropriate commands are received the worm will begin scanning the internet for
network shares with weak administrator passwords and will attempt to copy
itself to these shares.





W32/Netsky-P

Aliases
Win32/Netsky.Q, WORM_NETSKY.P

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Netsky-P is a mass-mailing worm which spreads by emailing itself to 
addresses harvested from files on the local drives.

The worm copies itself to the Windows folder as FVProtect.exe and adds 
the following registry entry to run itself whenever the user logs on to 
the computer:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV
= \FVProtect.exe

The worm will also copy itself to various peer-to-peer shared folders as the
following files:

1001 Sex and more.rtf.exe
3D Studio Max 6 3dsmax.exe
ACDSee 10.exe
Adobe Photoshop 10 crack.exe
Adobe Photoshop 10 full.exe
Adobe Premiere 10.exe
Ahead Nero 8.exe
Altkins Diet.doc.exe
American Idol.doc.exe
Arnold Schwarzenegger.jpg.exe
Best Matrix Screensaver new.scr
Britney sex xxx.jpg.exe
Britney Spears and Eminem porn.jpg.exe
Britney Spears blowjob.jpg.exe
Britney Spears cumshot.jpg.exe
Britney Spears fuck.jpg.exe
Britney Spears full album.mp3.exe
Britney Spears porn.jpg.exe
Britney Spears Sexy archive.doc.exe
Britney Spears Song text archive.doc.exe
Britney Spears.jpg.exe
Britney Spears.mp3.exe
Clone DVD 6.exe
Cloning.doc.exe
Cracks & Warez Archiv.exe
Dark Angels new.pif
Dictionary English 2004 - France.doc.exe
DivX 8.0 final.exe
Doom 3 release 2.exe
E-Book Archive2.rtf.exe
Eminem blowjob.jpg.exe
Eminem full album.mp3.exe
Eminem Poster.jpg.exe
Eminem sex xxx.jpg.exe
Eminem Sexy archive.doc.exe
Eminem Song text archive.doc.exe
Eminem Spears porn.jpg.exe
Eminem.mp3.exe
Full album all.mp3.pif
Gimp 1.8 Full with Key.exe
Harry Potter 1-6 book.txt.exe
Harry Potter 5.mpg.exe
Harry Potter all e.book.doc.exe
Harry Potter e book.doc.exe
Harry Potter game.exe
Harry Potter.doc.exe
How to hack new.doc.exe
Internet Explorer 9 setup.exe
Kazaa Lite 4.0 new.exe
Kazaa new.exe
Keygen 4 all new.exe
Learn Programming 2004.doc.exe
Lightwave 9 Update.exe
Magix Video Deluxe 5 beta.exe
Matrix.mpg.exe
Microsoft Office 2003 Crack best.exe
Microsoft WinXP Crack full.exe
MS Service Pack 6.exe
netsky source code.scr
Norton Antivirus 2005 beta.exe
Opera 11.exe
Partitionsmagic 10 beta.exe
Porno Screensaver britney.scr
RFC compilation.doc.exe
Ringtones.doc.exe
Ringtones.mp3.exe
Saddam Hussein.jpg.exe
Screensaver2.scr
Serials edition.txt.exe
Smashing the stack full.rtf.exe
Star Office 9.exe
Teen Porn 15.jpg.pif
The Sims 4 beta.exe
Ulead Keygen 2004.exe
Visual Studio Net Crack all.exe
Win Longhorn re.exe
WinAmp 13 full.exe
Windows 2000 Sourcecode.doc.exe
Windows 2003 crack.exe
Windows XP crack.exe
WinXP eBook newest.doc.exe
XXX hardcore pics.jpg.exe

W32/Netsky-P harvests email addresses from files with the following 
extensions:
PL, HTM, HTML, EML, TXT, PHP, ASP, VBS, RTF, UIN, SHTM, CGI, DHTM, ADB, 
TBB, DBX, SHT, OFT, MSG, JSP, WSH, XML.

The worm has a trigger date of 24th of March 2004, at which time it will 
attempt to mass mail.

Emails have the following characteristics (note that not all variations 
are listed):
Subject lines: constructed from the following groups of strings -
Re: Re:
Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification

Message texts: chosen from -
Please confirm my request.
ESMTP [Secure Mail System #334]: Secure message is attached.
Partial message is available.
Waiting for a Response. Please read the attachment.
First part of the secure mail is available.
For more details see the attachment.
For further details see the attachment.
Your requested mail has been attached.
Protected Mail System Test.
Secure Mail System Beta Test.
Forwarded message is available.
Delivered message is attached.
Encrypted message is available.
Please read the attachment to get the message.
Follow the instructions to read the message.
Please authenticate the secure message.
Protected message is attached.
Waiting for authentification.
Protected message is available.
Bad Gateway: The message has been attached.
SMTP: Please confirm the attached message.
You got a new message.
Now a new message is available.
New message is available.
You have received an extended message. Please read the instructions.

Attachment description: chosen from -
Your details.
Your document.
I have received your document. The corrected document is attached.
I have attached your document.
Your document is attached to this mail.
Authentication required.
Requested file.
See the file.
Please read the important document.
Please confirm the document.
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file!
Please see the attached file for details.

followed by -

:

+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found
+++ Panda AntiVirus - www.pandasoftware.com
++++ Attachment: No Virus found
++++ Norman AntiVirus - www.norman.com
++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com
++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.de

Attached file:
_ .

 chosen from:

document_all
message
excel document
word document
screensaver
application
website
product
letter
information
details
document

 chosen from:

EXE
SCR
PIF
ZIP

W32/Netsky-P attempts to delete registry entries which may be set by 
variants of the W32/Mydoom and W32/Bagle worms.

W32/Netsky-P also creates a number of TMP files in the Windows 
folder: base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp, zipped.tmp.

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
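Added here as a defender's illustration, not part of the post or of Sophos's descriptions: a small audit that parses `reg export`-style text and flags Run/RunServices/RunOnce entries matching the autorun value names and dropped-file names quoted in the descriptions above. The sample export is constructed; the hostnames, paths and the helper names `parse_reg_export`, `is_autorun` and `audit` are assumptions of this example.

```python
# Autorun value names and dropped files quoted in the descriptions above,
# keyed in lower case because registry names are case-insensitive.
SUSPECT_VALUE_NAMES = {
    "microsong": "W32/Sdbot-EV", "windows nt": "Troj/Ranck-M",
    "gigabit.exe": "W32/Bagle-U", "systemtra": "W32/Lovgate-X",
    "vfw encoder/decoder settings": "W32/Lovgate-X",
    "program in windows": "W32/Lovgate-X", "protected storage": "W32/Lovgate-X",
    "monitor": "W32/Agobot-EF", "winlog": "W32/Sdbot-GR",
    "norton antivirus av": "W32/Netsky-P",
}
SUSPECT_FILES = ("svchosts11.exe", "gigabit.exe", "systra.exe", "mssign30.dll",
                 "ravmond.exe", "soundman.exe", "explor.exe", "wintask.exe",
                 "fvprotect.exe")

# Constructed sample in .reg export format; a real audit would feed `reg export` output.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"gigabit.exe"="C:\\WINNT\\system32\\gigabit.exe"
"ctfmon"="C:\\WINNT\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices]
"SystemTra"="C:\\WINDOWS\\SysTra.EXE"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"
"load"=""
'''

def parse_reg_export(text):
    """Yield (key, value_name, data) from .reg-style text (string values only)."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            yield key, name.strip('"'), data.strip().strip('"')

def is_autorun(key, name):
    """Run/RunServices/RunOnce keys, plus the legacy 'run' value under ...\\Windows."""
    leaf = key.rsplit("\\", 1)[-1].lower()
    return leaf in ("run", "runservices", "runonce") or (
        leaf == "windows" and name.lower() == "run")

def audit(text):
    """Return (key, value_name, reason) for autorun entries matching the digest."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not is_autorun(key, name):
            continue
        if name.lower() in SUSPECT_VALUE_NAMES:
            findings.append((key, name, SUSPECT_VALUE_NAMES[name.lower()]))
        elif any(f in data.lower() for f in SUSPECT_FILES):
            findings.append((key, name, "references a dropped file named above"))
    return findings
```

A value-name hit such as "Monitor" is only an indicator and should be confirmed against the data and the file on disk before acting on it.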
SOURCE: echomail via fidonet.ozzmosis.com
