Text 139, 1817 rader
Skriven 2006-09-17 01:49:00 av KURT WISMER (1:123/140)
Ärende: News, September 17 2006
===============================
[cut-n-paste from sophos.com]
Name Troj/Cimuz-AS
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Spy-Agent.ak
Prevalence (1-5) 3
Description
Troj/Cimuz-AS is a keylogging Trojan with backdoor functionality.
Advanced
Troj/Cimuz-AS is a keylogging Trojan with backdoor functionality.
Troj/Cimuz-AS includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Cimuz-AS is installed the following files are created:
<System>\hook.dll
<System>\ipv6monl.dll
<System>\msn.exe
These files are also detected as Troj/Cimuz-AS.
The following registry entry is created to run msn.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN
<System>\msn.exe" /INITSERVICE
The file ipv6monl.dll is registered as a COM object and Browser
Helper Object (BHO) for Microsoft Internet Explorer, creating
registry entries under:
HKCR\CLSID\(73364D99-1240-4dff-B11A-67E448373048)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser
helper obJects\(73364D99-1240-4dff-B11A-67E448373048)
The following registry entries are set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List\
<Program Files>\Internet Explorer\IEXPLORE.EXE
<Program Files>\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet
Explorer
Name Troj/Horst-EX
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Trojan-Proxy.Win32.Horst.hz
Prevalence (1-5) 2
Description
Troj/Horst-EX is a Trojan for the Windows platform.
Troj/Horst-EX includes functionality to access the internet and
communicate with a remote server via HTTP.
Name W32/Sdbot-CPM
Type
* Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.VanBot.e
Prevalence (1-5) 2
Description
W32/Sdbot-CPM is worm and IRC backdoor for the Windows platform.
W32/Sdbot-CPM spreads
to network shares
via MSN Messenger
via Yahoo Instant Messenger
by exploiting common buffer overflow vulnerabilities, including:
SRVSVC (MS06-040) and ASN.1 (MS04-007)
W32/Sdbot-CPM runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Sdbot-CPM is worm and IRC backdoor for the Windows platform.
W32/Sdbot-CPM spreads
to network shares
via MSN Messenger
via Yahoo Instant Messenger
by exploiting common buffer overflow vulnerabilities, including:
SRVSVC (MS06-040) and ASN.1 (MS04-007)
W32/Sdbot-CPM runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Sdbot-CPM copies itself to <Windows system
folder>\dllcache\thesims2.exe.
The file thesims2.exe is registered as a new system driver service
named "The Sims 2", with a display name of "The Sims 2" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\The Sims 2\
W32/Sdbot-CPM sets the following registry entries, disabling the
automatic
startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Rbot-FMX
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.aus
Prevalence (1-5) 2
Description
W32/Rbot-FMX is a worm and IRC backdoor Trojan for the Windows
platform.
Advanced
W32/Rbot-FMX is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-FMX spreads to other network computers by:
- exploiting common buffer overflow vulnerabilities, including: WKS
(MS03-049) (CAN-2003-0812), MSSQL (MS02-039) (CAN-2002-0649) and
Realcast
- networks protected by weak passwords
W32/Rbot-FMX runs continuously in the background, providing a
backdoor server wh
ich allows a remote intruder to gain access and control over the
computer via IRC channels.
W32/Rbot-FMX includes functionality to:
- access the internet and communicate with a remote server via HTTP
- act as a proxy redirecting internet traffic
- terminate processes
When first run W32/Rbot-FMX copies itself to <System>\WinSock32.exe.
The following registry entries are created to run W32/Rbot-FMX on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Socket Procedure
WinSock32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Socket Procedure
WinSock32.exe
The following registry entries are set:
HKCU\Software\Microsoft\OLE
Windows Socket Procedure
WinSock32.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableRemoteConnect
N
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
TransportBindName
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\ControlSet1\Services\wscsvc
Start
4
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SOFTWARE\Microsoft\Ole
EnableRemoteConnect
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
SCHANNEL\Protocols\PCT1.0\Server
Enabled
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server
50
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPerServer
50
Registry entries are also set under:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name W32/Rbot-FMZ
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.adf
* W32/Sdbot.worm.gen.ax
* WORM_RBOT.ASY
Prevalence (1-5) 2
Description
W32/Rbot-FMZ is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-FMZ spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and ASN.1
(MS04-007) and by copying itself to network shares protected by weak
passwords.
W32/Rbot-FMZ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-FMZ may modify the system HOSTS file, preventing access to
certain websites.
The worm also contains functionality to download updates, participate
in denial-of-service attacks, kill processes, log keypresses and
monitor network traffic. The worm also provides a remote command shell.
Advanced
W32/Rbot-FMZ is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-FMZ spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and ASN.1
(MS04-007) and by copying itself to network shares protected by weak
passwords.
W32/Rbot-FMZ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-FMZ may modify the system HOSTS file, preventing access to
certain websites.
The worm also contains functionality to download updates, participate
in denial-of-service attacks, kill processes, log keypresses and
monitor network traffic. The worm also provides a remote command shell.
When first run W32/Rbot-FMZ copies itself to <System>\svchosl.exe.
The following registry entries are created to run svchosl.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Corp. Host Services
svchosl.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Corp. Host Services
svchosl.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Corp. Host Services
svchosl.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Corp. Host Services
svchosl.exe
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Corp. Host Services
svchosl.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Corp. Host Services
svchosl.exe
HKCU\Software\Microsoft\OLE
Microsoft Corp. Host Services
svchosl.exe
HKLM\SOFTWARE\Microsoft\Ole
Microsoft Corp. Host Services
svchosl.exe
The following lines may be added to the system HOSTS file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
Name Troj/WowPWS-W
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.WOW.hh
* PWS-WoW
* TSPY_WOW.DJ
* Win32/PSW.Legendmir
Prevalence (1-5) 2
Description
Troj/WowPWS-W is a password-stealing Trojan for the Windows platform.
Troj/WowPWS-W targets the online game World of Warcraft, and attempts
to steal account details.
Advanced
Troj/WowPWS-W is a password-stealing Trojan for the Windows platform.
Troj/WowPWS-W targets the online game World of Warcraft, and attempts
to steal account details.
When first run Troj/WowPWS-W copies itself to:
<Common Files>\iexplore.pif
<Program Files>\Internet Explorer\iexplore.com
<Windows folder>\Debug\DebugProgram.exe
<Windows system folder>\dxdiag.com
<Windows system folder>\msconfig.com
<Windows system folder>\regedit.com
<Windows system folder>\command.pif
<Windows system folder>\finder.com
<Windows system folder>\rundll32.com
<Windows folder>\1.com
<Windows folder>\BOOT.BIN.BAK
<Windows folder>\ExERoute.exe
<Windows folder>\explorer.com
<Windows folder>\finder.com
<Windows folder>\SMSS.EXE
The following registry entry is created to run lsass.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TProgram
<Windows folder>\smss.exe
Troj/WowPWS-W changes settings for Microsoft Internet Explorer by
setting the following registry entries:
HKCR\.bfc\ShellNew
Command
<Windows system folder>\rundll32.com
<System>\syncui.dll,Briefcase_Create %2!d! %1
HKCR\.lnk\ShellNew
Command
rundll32.com appwiz.cpl,NewLinkHere %1
HKCR\Applications\iexplore.exe\shell\open\command
(default)
<Program Files>\Internet Explorer\iexplore.com %1
HKCR\cplfile\shell\cplopen\command
(default)
rundll32.com shell32.dll,Control_RunDLL %1,%*
HKCR\Drive\shell\find\command
(default)
<Windows folder>\explorer.com
HKCR\dunfile\shell\open\command
(default)
<Windows system folder>\rundll32.com NETSHELL.DLL,InvokeDunFile %1
HKCR\ftp\shell\open\command
(default)
<Program Files>\Internet Explorer\iexplore.com %1
HKCR\htmlfile\shell\open\command
(default)
<Program Files>\Internet Explorer\iexplore.com -nohome
HKCR\htmlfile\shell\opennew\command\
- "C:\Program Files\Internet Explorer\iexplore.exe" %1
<Common Files>\iexplore.pif %1
HKCR\htmlfile\shell\print\command\
(default)
rundll32.com <Windows system folder>\mshtml.dll,PrintHTML "%1"
HKCR\http\shell\open\command
(default)
<Common Files>\iexplore.pif -nohome
HKCR\inffile\shell\Install\command
(default)
<Windows system folder>\rundll32.com setupapi,InstallHinfSection
DefaultInstall 132 %1
HKCR\InternetShortcut\shell\open\command
(default)
finder.com shdocvw.dll,OpenURL %l
HKCR\scrfile\shell\install\command\
(default)
finder.com desk.cpl,InstallScreenSaver %l
HKCR\scriptletfile\Shell\Generate Typelib\command
(default)
<Windows system folder>\finder.com
<System>\scrobj.dll,GenerateTypeLib "%1"
HKCR\telnet\shell\open\command
(default)
finder.com url.dll,TelnetProtocolHandler %l
HKCR\Unknown\shell\openas\command
(default)
<Windows system folder>\finder.com <System>\shell32.dll,OpenAs_RunDLL
%1
HKLM\SOFTWARE\Clients\StartMenuInternet
(default)
iexplore.pif
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
(default)
Explorer.exe 1
HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
(default)
No
Name W32/Rbot-FNA
Type
* Spyware Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Used in DOS attacks
* Enables remote access
* Scans network for vulnerabilities
* Scans network for weak passwords
Prevalence (1-5) 2
Description
W32/Rbot-FNA is a worm and IRC backdoor for the Windows platform.
W32/Rbot-FNA spreads using a variety of techniques including
exploiting weak passwords on computers and SQL servers, exploiting
operating system vulnerabilities (including SRVSVC (MS06-040) and
ASN.1 (MS04-007).) and by MSN Messenger and Yahoo Instant Messenger
W32/Rbot-FNA runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-FNA includes functionality to:
- set up an FTP server
- set up a proxy server
- log keypresses
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information Protected Storage
- take part in Distributed Denial of Service (DDoS) attacks
Advanced
W32/Rbot-FNA is a worm and IRC backdoor for the Windows platform.
W32/Rbot-FNA spreads using a variety of techniques including
exploiting weak passwords on computers and SQL servers, exploiting
operating system vulnerabilities (including SRVSVC (MS06-040) and
ASN.1 (MS04-007).) and by MSN Messenger and Yahoo Instant Messenger
W32/Rbot-FNA runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-FNA includes functionality to:
- set up an FTP server
- set up a proxy server
- log keypresses
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information Protected Storage
- take part in Distributed Denial of Service (DDoS) attacks
When first run W32/Rbot-FNA copies itself to
<System>\dllcache\mshcp.exe.
The file mshcp.exe is registered as a new system driver service named
"Microsoft DHCPA Service", with a display name of "Microsoft DHCPA
Service" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\Microsoft DHCPA Service\
W32/Rbot-FNA sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/Banworm-H
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Banworm-H is a Trojan for the Windows platform.
Advanced
Troj/Banworm-H is a Trojan for the Windows platform.
Troj/Banworm-H includes functionality to:
- access the internet and communicate with a remote server via HTTP
- steal information
Troj/Banworm-H may modify the HOSTS file which maps the URLs of
selected websites to a loopback IP address or to its own IP
addresses, in order to prevent access to certain sites and to
control/hijack browsing. By this technique Troj/Banworm-H tries to
block access to several security related sites and hijack a number of
banking related sites.
When Troj/Banworm-H is installed the following files are created:
<Windows>\tmp.log
<Windows>\uid.id
These files can be safely removed.
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\crypt32net
DllName
crypt32net.dll
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\crypt32net
Logon
ChainWlxLogoffEvent
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\crypt32net
Asynchronous
1
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\crypt32net
Impersonate
0
Name Troj/Bankem-Z
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Records keystrokes
* Installs itself in the Registry
Aliases
* PWS-Banker.gen.i
Prevalence (1-5) 2
Description
Troj/Bankem-Z is a is a password stealing Trojan aimed at customers
of Brazilian banks.
Troj/Bankem-Z monitors a user's internet access in attempt to steal
confidential information.
Troj/Bankem-Z will then send the stolen details to a remote address.
The Trojan displays fake login screens to a number of Brazilian banks
that offer online services in an attempt to steal bank account details.
Advanced
Troj/Bankem-Z is a is a password stealing Trojan aimed at customers
of Brazilian banks.
Troj/Bankem-Z monitors a user's internet access in attempt to steal
confidential information.
Troj/Bankem-Z will then send the stolen details to a remote address.
The Trojan displays fake login screens to a number of Brazilian banks
that offer online services in an attempt to steal bank account details.
The Troj/Bankem-Z is registered as a COM object, creating registry
entries under:
HKCR\CLSID\(041D5395-99FA-4EAC-8104-77366E7CA528)
HKCR\Interface\(0B59858A-0550-463B-909E-5071A3F14355)
HKCR\MixMessenger.MIXSVRMSG\
HKCR\TypeLib\(BA85609E-B9F0-4E0B-BCDF-80A74CBD5642)
Registry entries are created under:
HKCR\Component Categories\(13E85B3C-9508-11D2-AB63-00C04FA35CFA)\
Name W32/Tufik-D
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Virus.Win32.Tufik.c
* W95/Tufik.C
* PE_TUFIK.D
Prevalence (1-5) 2
Description
W32/Tufik-D is a appending virus for the Windows platform.
W32/Tufik-D infects EXE files, and can spread to drives F: to Z:. The
virus can be disinfected.
W32/Tufik-D can upload log files to a remote location. The virus
makes contact with a preconfigured internet site to report successful
infection.
Name Troj/Zlob-SA
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Win32/TrojanProxy.Horst.HD
Prevalence (1-5) 2
Description
Troj/Zlob-SA is a Trojan for the Windows platform.
Name W32/Brontok-BO
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Brontok.w
Prevalence (1-5) 2
Description
W32/Brontok-BO is a worm for the Windows platform.
Advanced
W32/Brontok-BO is a worm for the Windows platform.
When first run W32/Brontok-BO copies itself to:
\Data sara.exe
<Startup>\Empty.pif
<User>\Local Settings\Application Data\windows\csrss.exe
<User>\Local Settings\Application Data\windows\lsass.exe
<User>\Local Settings\Application Data\windows\services.exe
<User>\Local Settings\Application Data\windows\smss.exe
<User>\Local Settings\Application Data\windows\winlogon.exe
\Kr0n1C.exe
\Kr0n1C\New Folder.exe
<Windows>\Kr0n1C.exe
<System>\IExplorer.exe
<System>\MrHelloween.scr
<System>\shell.exe
and creates the following files:
\Kr0n1C\Folder.htt
\Puisi.txt
The following registry entries are created to run W32/Brontok-BO on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Kr0n1C
<Windows>\Kr0n1C.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Servicesara
<User>\Local Settings\Application Data\WINDOWS\SERVICES.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logonsara
<User>\Local Settings\Application Data\WINDOWS\CSRSS.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Monitoring
<User>\Local Settings\Application Data\WINDOWS\LSASS.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
<User>\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
The following registry entries are changed to run W32/Brontok-BO on
startup:
HKCU\Control Panel\Desktop
SCRNSAVE.EXE
<System>\MRHELL~1.SCR
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\IExplorer.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\IExplorer.exe
(the default value for this registry entry is
"<Windows>\System32\userinit.exe,").
The following registry entries are set or modified, so that shell.exe
is run when files with extensions of BAT, COM, EXE and PIF are
opened/launched:
HKCR\lnkfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\batfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\comfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\exefile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\piffile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
The following registry entries are set, disabling the registry editor
(regedit), the Windows task manager (taskmgr), the command prompt and
system restore:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
<System>\Shell.exe
HKCR\exefile
(default)
File Folder
Name W32/Rbot-FMW
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Rbot-FMW is a backdoor worm for the Windows platform.
Advanced
W32/Rbot-FMW is a backdoor worm for the Windows platform.
The worm spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and MSSQL
(MS02-039) (CAN-2002-0649).
The worm runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When run the worm copies itself to <System>\FrameWork.exe.
The following registry entries are created to run FrameWork.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
FrameWork 2.5
FrameWork.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FrameWork 2.5
FrameWork.exe
The worm sets the following registry entries, disabling the automatic
startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
FrameWork 2.5
FrameWork.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableRemoteConnect
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Name W32/Stration-X
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* W32/Station@MM
* Win32/Stration
Prevalence (1-5) 2
Description
W32/Stration-X is a mass-mailing worm for the Windows platform.
Mails sent by the worm have the following characteristics:
Subject line: chosen from a list including
Mail server report.
Mail Transaction Failed
Error
Status
hello.
Message text: chosen from a list including
The message contains Unicode characters and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has
been sent as a binary attachment.
Mail transaction failed. Partial message is available.
Advanced
W32/Stration-X is a mass-mailing worm for the Windows platform.
Mails sent by the worm have the following characteristics:
Subject line: one of
Mail server report.
Mail Transaction Failed
Error
Status
hello.
Good day
Message text: one of
Mail server report.
Our fireweall determined the e-mails containing worm copies are being
sent from your computer.
Nowadays it happens from many computers, because this is a new virus
type (Network Worms).
Using the new bug in Windows, these viruses infect the computer
unnoticeably.
After penetrating into the computer the virus harvest all the e-mail
addresses and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer
restoring.
Best regards,
Customers support service
The message contains Unicode characters and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has
been sent as a binary attachment.
Mail transaction failed. Partial message is available.
W32/Stration-X includes functionality to download, install and run
new software.
When first run W32/Stration-X copies itself to <Windows
folder>\tsrv.exe and creates
the following files:
<Windows system folder>\<random>.dll
<Windows system folder>\<random>.exe
<Windows system folder>\<random>.dll
<Windows folder>\tsrv.dll
These four files are also detected as W32/Stration-X.
The following registry entries are created to run tsrv.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
tsrv
<Windows folder>\tsrv.exe s
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
AppInit_DLLs
<path to one of the randomly-named DLLs>
When first run, W32/Stration-X displays the following message:
Title: Information
Message: Update successfully installed.
Name W32/Looked-Q
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Looked-Q is a virus for the Windows platform.
Advanced
W32/Looked-Q is a virus for the Windows platform.
When first run the virus copies itself to <Windows>\rundl132.exe and
creates a file <Windows>\Dll.dll, also detected as W32/Looked-Q. This
file attempts to download further executable code.
The virus infects EXE files found on the infected computer.
Many files with the name "_desktop.ini" are created, in various
folders on the infected computer. These files are harmless text files.
Name W32/IRCBot-RJ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.bed
* W32/Ircbot.NX
Prevalence (1-5) 2
Description
W32/IRCBot-RJ is a worm and IRC backdoor for the Windows platform.
W32/IRCbor-RJ spreads
- to computers vulnerable to common exploits, including: ASN.1
(MS04-007)
- to network shares protected by weak passwords
W32/IRCBot-RJ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/IRCBot-RJ is a worm and IRC backdoor for the Windows platform.
W32/IRCBot-RJ spreads
- to computers vulnerable to common exploits, including: ASN.1
(MS04-007)
- to network shares protected by weak passwords
W32/IRCBot-RJ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/IRCBot-RJ copies itself to <Windows system
folder>\Googlesetup.exe.
The following registry entries are created to run Googlesetup.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Google service
Googlesetup.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Google service
Googlesetup.exe
The following registry entry is set:
HKCU\Software\Microsoft\OLE
Google service
Googlesetup.exe
Name W32/Tilebot-GW
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.avu
* W32/Gaobot.worm.gen.e
* W32.Spybot.Worm
* WORM_SPYBOT.KJ
Prevalence (1-5) 2
Description
W32/Tilebot-GW is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-GW spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1
(MS04-007).
W32/Tilebot-GW runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-GW includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Tilebot-GW is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-GW spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1
(MS04-007).
W32/Tilebot-GW runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-GW includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-GW copies itself to <Windows>\smsc.exe.
The file smsc.exe is registered as a new system driver service named
"smsc", with a display name of "smsc" and a startup type of
automatic, so that it is started automatically during system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\smsc\
W32/Tilebot-GW modifies the following files, affecting the command
line file transfers:
<System>\ftp.exe
<System>\tftp.exe
W32/Tilebot-GW may modify the following file in order to prevent
Windows File Protection from noticing the above modifications:
<System>\sfc_os.dll
The following registry entries are set, disabling the registry editor
(regedit) and the Windows task manager (taskmgr):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
W32/Tilebot-GW sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Tilebot-GV
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Tilebot-GV is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-GV runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Tilebot-GV is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-GV runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Tilebot-GV copies itself to <Windows>\sqldps.exe.
The file sqldps.exe is registered as a new system driver service
named "sqldps", with a display name of "sqldps" and a startup type of
automatic, so that it is started automatically during system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\sqldps\
W32/Tilebot-GV sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name Troj/PcClien-ID
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* BackDoor-CKB
* TROJ_AGENT.EAH
* Win32/TrojanDropper.Agent.IL
Prevalence (1-5) 2
Description
Troj/PcClien-ID is a backdoor Trojan which allows a remote intruder
to gain access and control over the computer.
Advanced
Troj/PcClien-ID is a backdoor Trojan which allows a remote intruder
to gain access and control over the computer.
When first run Troj/PcClien-ID copies itself to <Temp>\@BEde.exe and
creates the following files:
<current folder>\<original filename>.doc
<Windows>\offitems.log
<System>\drivers\updjsjas.sys
<System>\updjsjas.dll
<System>\updjsjas.drv
<System>\updjsjas.log
The file updjsjas.sys is detected as Troj/Agent-BSL. The document
file is clean, and is opened by the Trojan when the Trojan is first
executed.
The file updjsjas.dll is registered as a service named "SENS".
Registry entries are created or modified under:
HKLM\SYSTEM\CurrentControlSet\Services\SENS\
Name W32/Tilebot-DM
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* MultiDropper-BU
Prevalence (1-5) 2
Description
W32/Tilebot-DM is a Trojan for the Windows platform.
W32/Tilebot-DM runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-DM includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Tilebot-DM is a Trojan for the Windows platform.
W32/Tilebot-DM runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-DM includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-DM copies itself to <Windows>\svchost.exe.
The file ~zy1.tmp is detected as Troj/Drsmartl-G.
The file <Windows>\svchost.exe is registered as a new system driver
service named "Generic Host Process", with a display name of "Generic
Host Process For Win32 Services" and a startup type of automatic, so
that it is started automatically during system startup. Registry
entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Generic Host Process\
W32/Tilebot-DM sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKCR\.key\
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name Troj/Bancos-AVL
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Records keystrokes
* Installs itself in the Registry
* Monitors browser activity
Aliases
* Trojan-Spy.Win32.Bancos.xp
* Win32/Spy.Bancos.U
Prevalence (1-5) 2
Description
Troj/Bancos-AVL is a password stealing Trojan aimed at customers of
Brazilian banks.
Troj/Bancos-AVL monitors a user's internet access in attempt to steal
confidential information.
The Trojan will then send the stolen details to a remote address.
Advanced
Troj/Bancos-AVL is a password stealing Trojan aimed at customers of
Brazilian banks.
Troj/Bancos-AVL monitors a user's internet access in attempt to steal
confidential information.
The Trojan will then send the stolen details to a remote address.
When first run Troj/Bancos-AVL copies itself to <Windows system
folder>\tasklist32.exe.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|