Tillbaka till svenska Fidonet
English   Information   Debug  
COMICS   0/15
CONSPRCY   0/899
COOKING   33158
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2064
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33918
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24145
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4422
FN_SYSOP   41694
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13600
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16073
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22103
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   928
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1121
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3233
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13284
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/340
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
Möte DIRTY_DOZEN, 201 texter
 lista första sista föregående nästa
Text 140, 1766 rader
Skriven 2006-09-24 00:49:00 av KURT WISMER (1:123/140)
Ärende: News, September 24 2006
===============================
[cut-n-paste from sophos.com]

Name   Troj/Clagger-AC

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 3

Description
Troj/Clagger-AC is a downloader Trojan for the Windows platform.

Troj/Clagger-AC attempts to download and execute a number of files 
from remote websites.

Troj/Clagger-AC has been seen emailed as an attachment to emails with 
the following characteristics:

Subject lines:
Telekom
Telekom Nachzahlung September!
Telekom Rechnung Online Monat September 2006
Neue Telekom Rechnung 09.2006
Ihre Telekomrechnung 2006
Telekom Nachzahlung!
Rechnung Telekom
Telekom AG
Rechnung Online Monat September 2006

Message text:
Guten Tag,
die Gesamtsumme fur Ihre Rechnung im Monat August betragt: 200-1000 
Euro.

Sind Sie Unternehmer und benotigen unsere Rechnung zur Geltendmachung 
von
Vorsteuerabzug? Bitte beachten Sie dann, dass Sie seit 29.12.2004 die
Moglichkeit haben, Ihre Rechnung per E-Mail mit einer qualifizierten
elektronischen Signatur zu erhalten. Sie konnen diese im Bereich
"personliche Einstellungen" aktivieren.
Sollten Sie dem Finanzamt bisher eine von Ihnen zusatzlich beauftragte
Rechnung in Papierform zum Vorsteuerabzug vorgelegt haben, bitten wir
au?erdem zu beachten, dass wir Ihnen diese nur noch in Form eines
"Rechungsdoppels" bieten konnen, da nur so vermieden werden kann, 
dass T-Com
mehrere Rechnungsoriginale ausstellt.

Antworten auf Ihre weiteren Fragen zur digitalen Signatur finden Sie 
auch in
unseren FAQs unter dem Stichwort "Digitale Signatur".
======================================
RECHNUNG ONLINE - TIPP DES MONATS
Die neuen WunschDirWas Tarife sind jetzt da! Jetzt online anmelden 
unter
www.t-com.de/reo/WuenschDirWas und bis zu 10,- Euro sparen.
Die aktuellen Top-Angebote der Deutschen Telekom finden Sie unter:
www.t-com.de/aktuell.
======================================

Bei Fragen zu Rechnung Online oder zum Rechnungsinhalt klicken Sie 
bitte
unter www.t-com.de/rechnung (oben links) auf "Kontakt".

Mit freundlichen Gruen
Ihre T-Com
---------------------------------------------------

Attached file: Rechnung.pdf.zip, which unzips to Rechnung.pdf.exe

Advanced
Troj/Clagger-AC is a downloader Trojan for the Windows platform.

Troj/Clagger-AC attempts to download and execute a number of files 
from remote websites.

When first run Troj/Clagger-AC copies itself to <System>\ipf.exe and 
creates the file <System>\drivers\winut.dat.

The following registry entry is created to run ipf.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ifp
<System>\ipf.exe

Troj/Clagger-AC has been seen emailed as an attachment to emails with 
the following characteristics:

Subject lines:
Telekom
Telekom Nachzahlung September!
Telekom Rechnung Online Monat September 2006
Neue Telekom Rechnung 09.2006
Ihre Telekomrechnung 2006
Telekom Nachzahlung!
Rechnung Telekom
Telekom AG
Rechnung Online Monat September 2006

Message text:
Guten Tag,
die Gesamtsumme fur Ihre Rechnung im Monat August betragt: 200-1000 
Euro.

Sind Sie Unternehmer und benotigen unsere Rechnung zur Geltendmachung 
von
Vorsteuerabzug? Bitte beachten Sie dann, dass Sie seit 29.12.2004 die
Moglichkeit haben, Ihre Rechnung per E-Mail mit einer qualifizierten
elektronischen Signatur zu erhalten. Sie konnen diese im Bereich
"personliche Einstellungen" aktivieren.
Sollten Sie dem Finanzamt bisher eine von Ihnen zusatzlich beauftragte
Rechnung in Papierform zum Vorsteuerabzug vorgelegt haben, bitten wir
au?erdem zu beachten, dass wir Ihnen diese nur noch in Form eines
"Rechungsdoppels" bieten konnen, da nur so vermieden werden kann, 
dass T-Com
mehrere Rechnungsoriginale ausstellt.

Antworten auf Ihre weiteren Fragen zur digitalen Signatur finden Sie 
auch in
unseren FAQs unter dem Stichwort "Digitale Signatur".
======================================
RECHNUNG ONLINE - TIPP DES MONATS
Die neuen WunschDirWas Tarife sind jetzt da! Jetzt online anmelden 
unter
www.t-com.de/reo/WuenschDirWas und bis zu 10,- Euro sparen.
Die aktuellen Top-Angebote der Deutschen Telekom finden Sie unter:
www.t-com.de/aktuell.
======================================

Bei Fragen zu Rechnung Online oder zum Rechnungsinhalt klicken Sie 
bitte
unter www.t-com.de/rechnung (oben links) auf "Kontakt".

Mit freundlichen Gruen
Ihre T-Com
---------------------------------------------------

Attached file: Rechnung.pdf.zip, which unzips to Rechnung.pdf.exe





Name   Troj/Tibdrop-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Prevalence (1-5) 2

Description
Troj/Tibdrop-A is a Trojan for the Windows platform.

When Troj/Tibdrop-A is installed the following files are created:

\cc750.exe
\pp.bat





Name   Troj/Certif-R

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Certif-R is a password stealing Trojan.

Advanced
Troj/Certif-R is a password stealing Trojan.

When first run the Trojan copies itself to <System>\systray.com

The following registry entry is created to run systray.com on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
systray.com
<System>\systray.com

The Trojan monitors system activity and collects user credentials 
typed into the windows of various online banking applications.

Troj/Certif-R also attemtps to upload all files with the extensions 
CRT, KEY and WAB found on the harddrive to a remote FTP server.





Name   Troj/Banloa-ANI

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Banload.baq

Prevalence (1-5) 2

Description
Troj/Banloa-ANI is a Trojan for the Windows platform.

Advanced
Troj/Banloa-ANI is a Trojan for the Windows platform.

The Trojan includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Banloa-ANI copies itself to <Windows>\msng.exe.

The following registry entry is created to run msng.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msng
<path of Trojan executable>





Name   Troj/Lager-K

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Proxy.Win32.Lager.di
    * PAK_Generic.001

Prevalence (1-5) 2

Description
Troj/Lager-K is a Trojan for the Windows platform.

Troj/Lager-K includes functionality to access the internet and 
communicate with
a remote server via HTTP.

Advanced
Troj/Lager-K is a Trojan for the Windows platform.

Troj/Lager-K includes functionality to access the internet and 
communicate with
a remote server via HTTP.

When first run Troj/Lager-K copies itself to <Windows system 
folder>\taskdir.exe and creates the following files:

<Windows system folder>\taskdir.dll
<Windows system folder>\zlbw.dll

The file taskdir.dll is detected as Troj/HideDl-A. The file zlbw.dll 
is not malicious.

The following registry entry is created to run taskdir.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
taskdir
<Windows system folder>\taskdir.exe





Name   W32/Looked-S

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Looked-S is a Windows executable virus and network worm.

The virus includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Looked-S is a Windows executable virus and network worm.

The virus includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Looked-S copies itself to <Windows>\rundl132.exe 
and <Windows>\logo1_.exe and creates the file <Windows>\Dll.dll. This 
file is also detected as W32/Looked-S.

The virus infects EXE files found on the infected computer. The virus 
also attempts to copy itself to remote network shares.

Many files with the name "_desktop.ini" are created, in various 
folders on the infected computer. These files are harmless text files.

The following registry entry is created in order to run the virus on 
startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe





Name   W32/Looked-T

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Modifies data on the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Looked-T is a Windows executable virus and network worm.

Advanced
W32/Looked-T is a Windows executable virus and network worm.

The virus includes functionalities to:

- access the internet and communicate with a remote server via HTTP
- disable AV related processes
- silently download, install and run new software

When first run W32/Looked-T copies itself to <Windows>\rundl132.exe 
and creates the file <Windows>\Dll.dll. This file is also detected as 
W32/Looked-T.

The virus infects EXE files found on the infected computer. The virus 
also attempts to copy itself to remote network shares.

Many files with the name "_desktop.ini" are created, in various 
folders on the infected computer. These files are harmless text files.

The following registry entry is created in order to run the virus on 
startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe





Name   W32/Rbot-FLL

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * W32.Spybot.Worm

Prevalence (1-5) 2

Description
W32/Rbot-FLL is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-FLL spreads to other network computers by exploiting common 
buffer
overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme, PNP 
(MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares 
protected by weak
passwords.

W32/Rbot-FLL runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

Advanced
W32/Rbot-FLL is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-FLL spreads to other network computers by exploiting common 
buffer
overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme, PNP 
(MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares 
protected by weak
passwords.

W32/Rbot-FLL runs continuously in the background, providing a 
backdoor server
which allows a remote intruder to gain access and control over the 
computer via
IRC channels.

When first run W32/Rbot-FLL copies itself to <System>\<filename>.exe 
where
<filename> can be any random filename.

The following registry entries are created to run <filename>.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Kernel System Service
<filename>.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Kernel System Service
<filename>.exe

The following registry entry is changed to run wkssvr.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <filename>.exe

(the default value for this registry entry is "Explorer.exe" which 
causes the
Microsoft file <Windows>\Explorer.exe to be run on startup).

W32/Rbot-FLL sets the following registry entries, disabling the 
automatic
startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft
Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<filename>.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/Banker-DLS

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Forges the sender's email address
    * Uses its own emailing engine
    * Records keystrokes
    * Installs itself in the Registry
    * Monitors browser activity

Prevalence (1-5) 2

Description
Troj/Banker-DLS is a password stealing Trojan for the Windows platform.

The Trojan includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Banker-DLS is a password stealing Trojan for the Windows platform.

The Trojan includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Banker-DLS copies itself to <System>\ImgPaint.exe 
and <Startup>\ImgPaint.exe.

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ImgPaint
<path to Trojan executable>





Name   Troj/Zlobns-Q

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Aliases  
    * Trojan-Downloader.Win32.Zlob.aky
    * Win32/TrojanDownloader.Zlob.ACH

Prevalence (1-5) 2

Description
Troj/Zlobns-Q is a Trojan for the Windows platform.

Troj/Zlobns-Q installs a DLL component that may download other 
Trojans in the Zlob family. Troj/Zlobns-Q is likely to masquerade as 
a video codec installation file.





Name   Troj/Spammit-G

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Uses its own emailing engine
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Spammit-G is a backdoor Trojan which allows an infected computer 
to send emails as instructed by a remote intruder.

Advanced
Troj/Spammit-G is a backdoor Trojan which allows an infected computer 
to send emails as instructed by a remote intruder.

The following registry entry is created to run Troj/Spammit-G on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS
<pathname of the Trojan executable>

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\ 
Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
<pathname of the Trojan executable>
<pathname of the Trojan executable>:*:Enabled:Server

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\ 
Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<pathname of the Trojan executable>
<pathname of the Trojan executable>:*:Enabled:Server





Name   Troj/Banker-DMN

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Steals information
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
Troj/Banker-DMN is an internet banking Trojan for the Windows platform.

Advanced
Troj/Banker-DMN is an internet banking Trojan for the Windows platform.

Troj/Banker-DMN monitors the user's internet access and steals 
on-line banking details.

When Troj/Banker-DMN is installed the following files are created:

<System>\agpbrdg0.dll - detected as Troj/Banker-DLD
<System>\agpbrdg5.sys - detected as Troj/Haxdor-Gen
<System>\ksl48.bin - can be safely deleted

The following registry entries are created to run code exported by 
agpbrdg0.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\agpbrdg0
DllName
agpbrdg0.dll

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\agpbrdg0
Startup
agpbrdg0

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\agpbrdg0
Impersonate
1

Troj/Banker-DMN includes functionality to:

- modify the HOSTS file
- harvest the usernames and passwords from the Protected storage 
areas as well as from the Internet Account Manager

The Trojan also attempts to block access to anti-virus and security 
related websites including:

updates1.kaspersky-labs.com
customer.symantec.com
download.mcafee.com
downloads1.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
avp.com
avp.ru
awaps.net
downloads3.kaspersky-labs.com
dispatch.mcafee.com
downloads4.kaspersky-labs.com
avp.ch
updates1.kaspersky-labs.com
updates2.kaspersky-labs.com
virustotal.com
updates3.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
updates3.kaspersky-labs.com
updates4.kaspersky-labs.com
updates5.kaspersky-labs.com
downloads-us1.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us3.kaspersky-labs.com
engine.awaps.net
f-secure.com
ftp.avp.ch
ftp.downloads2.kaspersky-labs.com
ftp.f-secure.com
ftp.kasperskylab.ru
ftp.kaspersky.ru
d-ru-1f.kaspersky-labs.com
d-eu-1f.kaspersky-labs.com
rads.mcafee.com
d-eu-2f.kaspersky-labs.com
liveupdate.symantec.com
d-us-1f.kaspersky-labs.com
ftp.sophos.com
ids.kaspersky-labs.com
kaspersky.com
kaspersky-labs.com
kaspersky.ru
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
networkassociates.com
phx.corporate-ir.net
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com





Name   Troj/Agent-DGY

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Reduces system security

Prevalence (1-5) 2

Description
Troj/Agent-DGY is a Trojan for the windows platform.

Advanced
Troj/Agent-DGY is a Trojan for the windows platform.

When Troj/Agent-DGY is installed it creates the following files:

<System>\ahug.exe
<System>\ntdbg.exe
<System>\RECOVER32.DLL
<Root>\rmass.exe
<Application Data>\gymspzd.dll

These files are detected as Troj/Agent-DGY.

<Application Data>\shc<random character>.tmp
<Application Data>\tmp<random character>.tmp

These files are harmless and may be deleted.

The following registry entries is created to run Troj/Agent-DGY on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<name of Trojan executable>
<pathname of the Trojan executable>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<name of Trojan executable>
<pathname of the Trojan executable>

Troj/Agent-DGY creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
ShellState Backup Policy
<Hexadecimal Value>

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Connection Policy
Default Flags
<Hexadecimal Value>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SubshellState
<Hexadecimal Value>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
Settings\Connection Policy
Default Flags
<Hexadecimal Value>

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
00005200

Troj/Agent-DGY modifies the following registry entries:

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify

Troj/Agent-DGY includes functionality to:

- download code from a remote website
- send information to a remote website

Troj/Agent-DGY will download a file detected as Dial/TlfLic-J.





Name   W32/Looked-V

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Aliases  
    * Worm.Win32.Viking.ad
    * W32/HLLP.Philis.aw

Prevalence (1-5) 2

Description
W32/Looked-V is a virus for the Windows platform.

The virus includes functionality to access the internet and 
communicate with a remote server via HTTP.

The virus infects EXE files found on the infected computer and 
attempts to spread to remote network shares with weak passwords.

Advanced
W32/Looked-V is a virus for the Windows platform.

The virus includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Looked-V copies itself to <Windows 
folder>\rundl132.exe and <Windows folder>\logo1_.exe and creates the 
file <Windows>\Dll.dll. This file is detected as W32/Looked-S.

The virus infects EXE files found on the infected computer and 
attempts to spread to remote network shares with weak passwords.

Many files with the name "_desktop.ini" are created, in various 
folders on the infected computer. These files are harmless text files.

The following registry entry is created in order to run the virus on 
startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows folder>\rundl132.exe





Name   Troj/IRCBot-RV

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
Troj/IRCBot-RV is a Trojan for the Windows platform.

Advanced
Troj/IRCBot-RV is a Trojan for the Windows platform.

When first run Troj/IRCBot-RV copies itself to <Windows>\scvhost.exe 
and creates the file <Windows>\mswinsck.ocx. The file mswinsck.ocx is 
not malicious and can be removed safely.

The following registry entry is changed to run scvhost.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe scvhost.exe

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).





Name   W32/Looked-W

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Agent.awz

Prevalence (1-5) 2

Description
W32/Looked-W is a Windows executable virus and network worm.

The virus infects EXE files found on the infected computer. The virus 
also attempts to copy itself to remote network shares.

Advanced
W32/Looked-W is a Windows executable virus and network worm.

The virus infects EXE files found on the infected computer. The virus 
also attempts to copy itself to remote network shares.

When W32/Looked-W is installed the following files are created:

<Windows>\Dll.dll - detected as W32/Looked-W
<Windows>\Logo1_.exe - detected as W32/Looked-W
<Windows>\rundl132.exe - detected as W32/Looked-W

The following registry entry is created to run rundl132.exe on startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe

Registry entries are created under:

HKLM\SOFTWARE\Soft\DownloadWWW\





Name   W32/Vanebot-M

Type  
    * Spyware Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Scans network for vulnerabilities

Aliases  
    * Backdoor.Win32.IRCBot.wo
    * W32/Spybot.worm.gen.e
    * W32.Spybot.Worm
    * WORM_SPYBOT.EX

Prevalence (1-5) 2

Description
W32/Vanebot-M is a worm for the Windows platform. W32/Vanebot-M also 
contains IRC backdoor Trojan functionality which allows a remote 
intruder to gain access and control over the computer.

W32/Vanebot-M spreads:
to computers vulnerable to common exploits, including SRVSVC (MS06-040)
to MSSQL servers protected by weak passwords
to network shares
via MSN Messenger
via Yahoo Instant Messenger

Advanced
W32/Vanebot-M is a worm for the Windows platform. W32/Vanebot-M also 
contains IRC backdoor Trojan functionality which allows a remote 
intruder to gain access and control over the computer.

W32/Vanebot-M spreads:
to computers vulnerable to common exploits, including SRVSVC (MS06-040)
to MSSQL servers protected by weak passwords
to network shares
via MSN Messenger
via Yahoo Instant Messenger

W32/Vanebot-M may spread with the filename redworld.exe, 
redworld2.exe or <random numbers>_redworld2.exe.

When first run W32/Vanebot-M copies itself to <Windows system 
folder>\dllcache\dragonage.exe.

The file dragonage.exe is registered as a new system driver service 
named "Dragon Age - Bioware", with a display name of "Dragon Age - 
Bioware" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\Dragon Age - Bioware\

W32/Vanebot-M sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

W32/Vanebot-M attempts to terminate a number of processes related to 
security and anti-virus applications.





Name   W32/Vanebot-O

Type  
    * Spyware Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks
    * Scans network for vulnerabilities
    * Scans network for weak passwords

Aliases  
    * Backdoor.Win32.VanBot.e
    * W32.Spybot.Worm
    * BKDR_PCCLIENT.OX

Prevalence (1-5) 2

Description
W32/Vanebot-O is a worm with backdoor functionality which allows a 
remote intruder to gain access and control over the computer.

W32/Vanebot-O spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including SRVSVC (MS06-040) and 
Psyme. The worm also spreads to network shares and MSSQL servers 
protected by weak passwords. W32/Vanebot-O can spread via MSN 
Messenger and Yahoo Instant Messenger.

W32/Vanebot-O includes functionality to:

- set up a proxy server
- ownload and execute arbitrary files
- record keypresses
- steal information from Protected Storage
- port scanning
- access the internet and communicate with a remote server via HTTP
- take part in Distributed Denial of Service (DDoS) attacks

Advanced
W32/Vanebot-O is a worm with backdoor functionality which allows a 
remote intruder to gain access and control over the computer.

W32/Vanebot-O spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including SRVSVC (MS06-040) and 
Psyme. The worm also spreads to network shares and MSSQL servers 
protected by weak passwords. W32/Vanebot-O can spread via MSN 
Messenger and Yahoo Instant Messenger.

W32/Vanebot-O includes functionality to:

- set up a proxy server
- ownload and execute arbitrary files
- record keypresses
- steal information from Protected Storage
- port scanning
- access the internet and communicate with a remote server via HTTP
- take part in Distributed Denial of Service (DDoS) attacks

When first run W32/Vanebot-O copies itself to 
<System>\dllcache\mswincom32.exe.

The file mswincom32.exe is registered as a new system driver service 
named "MSCommmand", with a display name of "MSCommmand" and a startup 
type of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\MSCommmand\

W32/Vanebot-O sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Looked-Y

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Looked-Y is a Windows executable virus and network worm.

Advanced
W32/Looked-Y is a Windows executable virus and network worm.

The virus includes functionalities to:

- access the internet and communicate with a remote server via HTTP
- disable AV related processes
- silently download, install and run new software

When first run W32/Looked-Y copies itself to <Windows>\rundl132.exe 
and creates the file <Windows>\Dll.dll. This file is also detected as 
W32/Looked-S.

The virus infects EXE files found on the infected computer. The virus 
also attempts to copy itself to remote network shares.

Many files with the name "_desktop.ini" are created, in various 
folders on the infected computer. These files are harmless text files.

The following registry entry is created in order to run the virus on 
startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe





Name   Troj/Sappit-B

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Modifies data on the computer
    * Steals information
    * Reduces system security

Prevalence (1-5) 2

Description
Troj/Sappit-B is a password stealing Trojan for the Windows platform.

Advanced
Troj/Sappit-B is a password stealing Trojan for the Windows platform.

Troj/Sappit-B attempts to steal Yahoo Messenger passwords, and can be 
configured to perform various operations, including:

- steal dialup passwords
- disable various AV software and Windows Firewall
- disable Windows tools such as TaskManager and Regedit
- Steal information such as computer name, IP address and operating 
system

This information is then sent via HTTP to a remote user.

Troj/Sappit-B is generated by a tool called Troj/SapKit-B.





Name   W32/Stration-AE

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Warezov.an

Prevalence (1-5) 2

Description
W32/Stration-AE is a worm for the Windows platform.

W32/Stration-AE spreads via email.

W32/Stration-AE includes functionality to download, install and run 
new software.

Advanced
W32/Stration-AE is a worm for the Windows platform.

W32/Stration-AE spreads via email.

W32/Stration-AE includes functionality to download, install and run 
new software.

When first run W32/Stration-AE copies itself to <Windows>\tserv.exe 
and creates the following files:

<System>\cmut449c14b7.dll
<System>\e1.dll
<System>\hpzl449c14b7.exe
<System>\msji449c14b7.dll
<Windows>\tserv.dll
<Windows>\tserv.wax

The files tserv.dll and cmut449c14b7.dll are detected as 
W32/Strati-Gen.

The following registry entry is created to run tserv.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
tserv
<Windows>\tserv.exe s





Name   W32/WinLose-A

Type  
    * Worm

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Installs itself in the Registry
    * Leaves non-infected files on computer
    * Modifies browser settings

Aliases  
    * Worm.Win32.VB.bw
    * Generic VB.c
    * Win32/VB.NGB
    * W32.SillyFDC

Prevalence (1-5) 2

Description
W32/WinLose-A is a worm for the Windows platform.

W32/WinLose-A will periodically attempt to spread itself to any 
available floppy disk or attached flash drives.

Advanced
W32/WinLose-A is a worm for the Windows platform.

When first run W32/WinLose-A copies itself to:

<My Documents>\AllMyLifeToLive.exe
<My Documents>\LiveForever.exe
<My Documents>\WelcomeToSystem.exe
C:\StillAlive.exe
<Temp>\NewName.BAT

and creates the following files:

<My Documents>\WelcomeToSystem.html
<System>\oeminfo.ini
<System>\oemlogo.bmp

W32/WinLose-A will periodically attempt to spread itself to any 
available floppy disk or attached flash drives. If spreading is 
successful, one of the explorer's animated search assistants will be 
displayed in the middle of the screen.

When first run, W32/WinLose-A will display the following message box:

Title: EULA

Message:

Agreement (R).

You agree that this file will be transferred into any computer via 
FlashDisk and Floppy.
But I accepts no responsibility whatever arising from the use of this 
File.

The following registry entries are created to run LiveForever.exe and 
StillAlive.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ThinkDifferent
<My Documents>\LiveForever.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
IwillSurvive
<My Documents>\LiveForever.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ToBeFree
C:\StillAlive.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinLogon
Shell
Explorer.exe C:\StillAlive.exe

(the default value is "Explorer.exe")

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell
C:\StillAlive.exe

(the default value is "cmd.exe")

The file NewName.BAT is registered as a new system driver service 
named "crlxss", with a display name of "Remote Protection File 
System" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\crlxss\

W32/WinLose-A changes settings for Microsoft Internet Explorer, 
including the Start Page, by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\SuperHidden
UncheckedValue
0





Name   Troj/WOW-HH

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Installs itself in the Registry

Aliases  
    * Trojan-PSW.Win32.WOW.fo

Prevalence (1-5) 2

Description
Troj/WOW-HH is a password stealing Trojan for the Windows platform.

Advanced
Troj/WOW-HH is a password stealing Trojan for the Windows platform.

When first run Troj/WOW-HH copies itself to:

<Common Files>\inexplore.pif
<Program Files>\Internet Explorer\inexplore.com
<Windows folder>\1.com
<Windows folder>\Debug\DebugProgram.exe
<Windows folder>\exerouter.exe
<Windows folder>\exp10rer.com
<Windows folder>\finders.com
<Windows folder>\smss.exe
<Windows system folder>\command.pif
<Windows system folder>\dxdiag.com
<Windows system folder>\msconfig.com
<Windows system folder>\regedit.com
<Windows system folder>\rund1132.com

The file inexplore.com is registered as a COM object, creating 
registry entries under:

HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}

Troj/WOW-HH changes settings for Microsoft Internet Explorer by 
modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe 1

HKCR\Drive\shell\find\command
(default)
<Windows folder>\EXP10RER.com

HKCR\htmlfile\shell\opennew\command
(default)
<Common Files>\inexplore.pif" %1

HKCR\htmlfile\shell\print\command
(default)
rundll32.exe <Windows system folder>\mshtml.dll,PrintHTML "%1"

Registry entries are created under:

HKCU\Software\VB and VBA Program Settings\Microsoft Soft 
Debuger\Settings\





Name   Troj/Bancos-AWI

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Steals information
    * Uses its own emailing engine
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Trojan-Spy.Win32.Bancos.xp
    * TSPY_BANCOS.BMH

Prevalence (1-5) 2

Description
Troj/Bancos-AWI is an internet banking Trojan targeting Brazilian 
bank websites.

Troj/Bancos-AWH targets the users of several Brazilian banks by 
monitoring the user's internet activity, displaying fake login pages 
if the user visits certain predefined URLs, and logging details 
entered on the fake pages.

Advanced
Troj/Bancos-AWI is an internet banking Trojan targeting Brazilian 
bank websites.

Troj/Bancos-AWI targets the users of several Brazilian banks by 
monitoring the user's internet activity, displaying fake login pages 
if the user visits certain predefined URLs, and logging details 
entered on the fake pages.

When run Troj/Bancos-AWI displays a message box with the caption 
"FIND ERROR" and the message "Requerido Windows NT Server".

Once installed, Troj/Bancos-AWI steals confidential information 
relating to certain online banking applications by displaying fake 
login screens and sends stolen information to a remote user via 
email. Troj/Bancos-AWI also may attempt to steal information from the 
Protected Storage Area.

When first run Troj/Bancos-AWI copies itself to 
<System>\tasklist32.exe and creates the file <Windows>\winhlp32.dat.

The following registry entry is created to run tasklist32.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TaskList
<System>\tasklist32.exe





Name   Troj/WowPWS-Z

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-PSW.Win32.WOW.ih
    * TSPY_WOW.LW

Prevalence (1-5) 2

Description
Troj/WowPWS-Z is an information stealing Trojan for the Windows 
platform.

Advanced
Troj/WowPWS-Z is an information stealing Trojan for the Windows 
platform.

When run Troj/WowPWS-Z copies itself to

<Program Files>\Common Files\INTEXPLORE.pif
<Program Files>\Internet Explorer\INTEXPLORE.com
<Windows>\EXERT.exe
<Windows>\LSASS.exe
<Windows>\Debug\DebugProgram.exe
<System>\dxdiag.com
<System>\MSCONFIG.COM
<System>\regedit.com

Troj/WowPWS-Z sets the following registry entry to run itself on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ToP
<Windows>\LSASS.exe

Troj/WowPWS-Z also sets the following registry entries:

HKCU\Software\VB and VBA Program Settings\
Microsoft Soft Debuger\Settings
GUID
(F4V53Y-F9CBM2-1GYB1U-CPG8T6-EM6D9W)

HKCR\WindowFiles\DefaultIcon
(default)
"%1"

HKCR\WindowFiles\Shell\Open\Command
(default)
<Windows>\EXERT.exe \"%1\" %*

HKLM\SOFTWARE\Clients\StartMenuInternet\INTEXPLORE.pif
LocalizedString
INTEXPLORE

HKLM\SOFTWARE\Clients\StartMenuInternet\INTEXPLORE.pif\shell\
open\command
(default)
<Program Files>\Common Files\INTEXPLORE.pif\





Name   Troj/Lineag-ABA

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Trojan-PSW.Win32.Lineage.aja

Prevalence (1-5) 2

Description
Troj/Lineag-ABA is a Trojan for the Windows platform.

Troj/Lineag-ABA includes functionality to send notification messages 
to remote locations.

Advanced
Troj/Lineag-ABA is a Trojan for the Windows platform.

Troj/Lineag-ABA includes functionality to send notification messages 
to remote
locations.

When first run Troj/Lineag-ABA copies itself to \Intel\rundll32.exe and
creates the file <System>\ztdll.dll.

The file ztdll.dll is detected as Troj/Lineag-Gen.

The following registry entry is created to run rundll32.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
zt
<Windows>\Intel\rundll32.exe

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)