Text 16, 1285 rader
Skriven 2004-12-19 18:58:00 av KURT WISMER (1:123/140)
Ärende: News, Dec. 19 2004
==========================
[cut-n-paste from sophos.com]
Name W32/Oddbob-A
Type
* Worm
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Oddbob-A is a network worm for the Windows platform.
W32/Oddbob-A spreads by exploiting the LSASS vulnerability (MS04-011).
Advanced
W32/Oddbob-A is a network worm for the Windows platform.
W32/Oddbob-A spreads by exploiting the LSASS vulnerability (MS04-011).
W32/Oddbob-A copies itself to the Windows system folder using a
randomly generated filename.
On NT based versions of Windows W32/Oddbob-A registers itself as a
service process named NetDDEipx with the displayname NetDDEipx also
and a start type of Automatic so that the service is started
automatically each time a new Windows session is started.
For more details of the LSASS vulnerability, see
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Name W32/Rbot-RW
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Rbot-RW is a network worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-RW spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
Advanced
W32/Rbot-RW is a network worm and IRC backdoor Trojan for the Windows
platform.
The worm copies itself to a file named servicsmjr.exe in the Windows
system folder and creates the following registry entries in order to run
each time a user logs on:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
k3ym4n
"servicsmjr.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
k3ym4n
"servicsmjr.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
k3ym4n
"servicsmjr.exe"
W32/Rbot-RW spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
W32/Rbot-RW can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-RW can be instructed by a remote user
to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
Patches for the operating system vulnerabilities exploited by
W32/Rbot-RW can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx
Name W32/Wort-D
Type
* Worm
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Wort-D is a network worm that attempts to spread to remote computers
by exploiting the LSASS vulnerability (MS04-011).
W32/Wort-D generates random IP addresses to exploit.
Advanced
W32/Wort-D is a network worm that attempts to spread to remote computers
by exploiting the LSASS vulnerability (MS04-011).
W32/Wort-D creates the following registry entry to run itself
automatically at system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
WinLsass =
<path to file>
See Microsoft TechNet article (MS04-011) for more information about the
LSASS exploit.
Name W32/Forbot-EQ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
Aliases
* WORM_WOOTBOT.EQ
Prevalence (1-5) 2
Description
W32/Forbot-EQ is a nIRC backdoor Trojan and network worm for the Windows
platform.
Once installed, W32/Forbot-EQ connects to a preconfigured IRC server and
joins a channel from which an attacker can issue further commands.
The worm can spread to unpatched machines affected by the LSASS
vulnerability (see MS04-011) and through backdoors left open by the
Troj/Optix Trojans.
Advanced
W32/Forbot-EQ is a IRC backdoor Trojan and network worm for the Windows
platform.
In order to run automatically when Windows starts up the worm moves
itself to the Windows system folder as mpsvc.exe and creates the
following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MP Services
"mpsvc.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
MP Services
"mpsvc.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MP Services
"mpsvc.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MP Services
"mpsvc.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
MP Services
"mpsvc.exe"
W32/Forbot-EQ also creates its own service named "MP Services" with the
display name "MP Services".
Once installed, W32/Forbot-EQ connects to a preconfigured IRC server and
joins a channel from which an attacker can issue further commands. These
commands can cause the infected machine to perform any of the following
actions:
flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly-chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files
The worm can spread to unpatched machines affected by the LSASS
vulnerability (see MS04-011) and through backdoors left open by the
Troj/Optix Trojans.
Name W32/Forbot-DA
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Forbot-DA is a worm which attempts to spread to remote network
shares and computers vulnerable to common exploits. W32/Forbot-DA also
contains backdoor functionality, allowing unauthorised remote access to
the infected computer via the IRC network, while running in the
background as a service process.
W32/Forbot-DA connects to a preconfigured IRC channel and awaits
commands from a remote intruder. These include commands to:
steal information
delete network shares
reduce system security
start a proxy server
participate in DDoS attacks
exploit vulnerabilities
steal registration keys for computer games
harvest email addresses from the Windows address book and Instant
Messenger configuration files
Advanced
W32/Forbot-DA is a worm which attempts to spread to remote network
shares and computers vulnerable to common exploits.
W32/Forbot-DA copies itself to the Windows system folder and creates the
following registry entries to run itself automatically on log-on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HP Deskjet 500
HP_DeskJet_500.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HP Deskjet 500
HP_DeskJet_500.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HP Deskjet 500
HP_DeskJet_500.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HP Deskjet 500
HP_DeskJet_500.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HP Deskjet 500
HP_DeskJet_500.exe
On NT based versions of Windows HP_DeskJet_500.exe is run as a new
service named Level.Kicks-Ass.Org with a display name of "HP Deskjet
500"
New registry entries are created under
HKLM\SYSTEM\CurrentControlSet\Services\Level.Kicks-Ass.Org\
Name W32/Forbot-BI
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* WORM_WOOTBOT.AQ
Prevalence (1-5) 2
Description
W32/Forbot-BI is an IRC backdoor Trojan and network worm for the Windows
platform.
Advanced
W32/Forbot-BI is an IRC backdoor Trojan and network worm for the Windows
platform.
In order to run automatically when Windows starts up the worm moves
itself to the Windows system folder as systemproc.exe and creates the
following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoftkeysd = "systemproc.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoftkeysd = "systemproc.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoftkeysd = "systemproc.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoftkeysd = "systemproc.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoftkeysd = "systemproc.exe"
W32/Forbot-BI also creates its own service named "MicrosoftCorporations",
with the display name "Microsoftkeysd".
Once installed, W32/Forbot-BI connects to a preconfigured IRC server and
joins a channel from which an attacker can issue further commands. These
commands can cause the infected machine to perform any of the following
actions:
flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files
The worm can spread to unpatched machines affected by the LSASS
vulnerability (see MS04-011) and through backdoors left open by the
Troj/Optix family of Trojans.
Name W32/Rbot-RR
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.gen
* W32/Sdbot.worm.gen.j
* WORM_RBOT.ADJ
Prevalence (1-5) 2
Description
W32/Rbot-RR is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-RR spreads to network shares with weak passwords as a result of
the backdoor Trojan element receiving the appropriate command from a
remote user. W32/Rbot-RR will also attempt to spread via vulnerabilites.
Advanced
W32/Rbot-RR is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-RR spreads to network shares with weak passwords as a result of
the backdoor Trojan element receiving the appropriate command from a
remote user. W32/Rbot-RR will also attempt to spread via vulnerabilites.
W32/Rbot-RR copies itself to the Windows system folder as
iexplorerupdt.exe and may create entries in the registry at the
following locations to run itself on windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Start Upping
iexplorerupdt.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Start Upping
iexplorerupdt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Start Upping
iexplorerupdt.exe
W32/Rbot-RR may also set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Atak-I
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Atak.i
* Worm.Mydoom.Gen-unp
Prevalence (1-5) 2
Description
W32/Atak-I is a mass-mailing worm.
Advanced
W32/Atak-I is a mass-mailing worm.
W32/Atak-I arrives in an email with one of the following subject lines:
Merry X-Mas!
Happy New Year!
The subject line may be differently capitalised.
The message text contains the one of the following lines:
Happy New year and wish you good luck on next year!
Mery Chrismas & Happy New Year! 2005 will be the beginning!
The worm is included in the email as an attachment. This attachment may
be the worm executable itself or a ZIP file containing the executable.
The executable name is chosen so that both the main name and the
extension belong to the following list:
PIF, COM, SCR, BAT
If the file attached is a ZIP file, this is given one of the above names
with a ZIP extension.
W32/Atak-I harvests email addresses from files on the system drive and
on drives C: to Z: which have file extension LOG, HTML, MSG, EML, MHT,
DBX, ASP, PHP, JSP, HTM or TXT.
When first run, W32/Atak-I copies itself to the Windows system folder as
dec25.exe and adds the following line to the win.ini file to ensure it
is run at system startup:
run = %SYSTEM%\dec25.exe
The worm also creates the following registry entry in order to run
itself on system startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
%SYSTEM%\dec25.exe
Name W32/Protoride-Z
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Worm.Win32.Protoride.gen
Prevalence (1-5) 2
Description
W32/Protoride-Z is a network worm with backdoor functionality.
W32/Protoride-Z targets remote network shares allowing, at the same
time, remote access to the infected computer via IRC channels.
Advanced
W32/Protoride-Z is a Windows worm that spreads via network shares. The
worm also has a backdoor component that allows unauthorised remote
access to the computer via IRC channels.
W32/Protoride-Z attempts to copy itself to the Windows system folder
with the filename rdpty6.7.6.exe, and then set the following registry
entry so as to run itself before all EXE files:
HKCR\exefile\shell\open\command
W32/Protoride-Z attempts to copy itself to msupdate.exe in the startup
folder of shared network computers.
W32/Protoride-Z may also set the following registry entry:
HKLM\Software\BeyonD inDustries\ProtoType[v6.7.6.]
W32/Protoride-Z remains resident, running in the background as a service
process and listening for commands from remote users via IRC channels.
Name W32/Agobot-DAA
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Prevalence (1-5) 2
Description
W32/Agobot-DAA is an IRC backdoor and network worm.
W32/Agobot-DAA is capable of spreading to computers on the local network
protected by weak passwords.
The Trojan runs continuously in the background providing backdoor access
to the computer.
Advanced
W32/Agobot-DAA is an IRC backdoor and network worm.
W32/Agobot-DAA is capable of spreading to computers on the local network
protected by weak passwords.
When first run, W32/Agobot-DAA copies itself to the Windows system
folder as winhlpp32.exe and creates registry entries under the following
to run itself each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
The Trojan runs continuously in the background providing backdoor access
to the computer.
W32/Agobot-DAA attempts to terminate and disable various anti-virus and
security related programs and modifies the HOSTS file located at
<Windows system folder>\Drivers\etc\HOSTS, mapping certain anti-virus
websites to the loopback address 127.0.0.1 in an attempt to prevent
access to these sites. Typically the following mappings will be appended
to the HOSTS file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
W32/Agobot-DAA will also hide all files with names that contain the
string 'soun'.
Name W32/Sdbot-SG
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Backdoor.Win32.SdBot.gen
* W32/Sdbot.worm.gen.t
Prevalence (1-5) 2
Description
W32/Sdbot-SG is a worm with backdoor Trojan functionality.
W32/Sdbot-SG is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
Advanced
W32/Sdbot-SG is a worm with backdoor Trojan functionality.
W32/Sdbot-SG is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
When first run, W32/Sdbot-SG copies itself to the Windows system folder
as DQDDSS.EXE and runs this copy of the worm. In order to run each time
a user logs on, W32/Sdbot-SG will set the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ffeqfqs
dqddss.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
ffeqfqs
dqddss.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ffeqfqs
dqddss.exe
The worm runs continuously in the background providing backdoor access
to the infected computer.
Name W32/Zafi-D
Type
* Worm
How it spreads
* Email attachments
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Zafi.d
* W32/Zafi.d@MM
Prevalence (1-5) 5!
Description
W32/Zafi-D is a mass mailing worm and peer-to-peer worm.
W32/Zafi-D copies itself to the Windows system folder with the filename
Norton Update.exe.
W32/Zafi-D creates a number of files in the Windows system folder with
filenames consisting of 8 random characters and a DLL extension. Some of
these are exact or zipped copies of the worm, detected as W32/Zafi-D,
while others are log files created by the worm.
W32/Zafi-D harvests email addresses from the Windows Address Book and
from files found on the hard drive.
W32/Zafi-D copies itself to folders with names containing share, upload,
or music as ICQ 2005a new!.exe or winamp 5.7 new!.exe.
W32/Zafi-D displays an fake error message box with the caption "CRC:
04F6Bh" and the text "Error in packed file!".
A typical message sent by the W32/Zafi-D worm
Advanced
W32/Zafi-D is a mass mailing and peer-to-peer worm.
W32/Zafi-D copies itself to the Windows system folder with the filename
Norton Update.exe and creates the following entry in the registry so as
to run itself when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Wxp4
W32/Zafi-D creates a number of files in the Windows system folder with
filenames consisting of 8 random characters and a DLL extension. Some of
these are exact or zipped copies of the worm, detected as W32/Zafi-D,
while others are log files created by the worm.
W32/Zafi-D attempts to terminate processes related to files found in
folders that have names containing the following strings:
syman, viru, trend, secur, panda, cafee, sopho, kasper
W32/Zafi-D attempts to open files containing the following strings and
keep them open so as to make them inaccessible to the user:
reged, msconfig, task
W32/Zafi-D copies itself to folders containing one of the following
strings:
share, upload, music
W32/Zafi-D copies itself to these folders with one of the following
filenames:
ICQ 2005a new!.exe
winamp 5.7 new!.exe
W32/Zafi-D harvests email addresses from the Windows Address Book and
from files it finds with the extensions HTM, WAB, TXT, DBX, TBB, ASP,
PHP, SHT, ADB, MBX, EML, PMR, FPT or INB.
W32/Zafi-D may copy the file from which it is harvesting addresses to
C:\S.CM.
W32/Zafi-D does not harvest addresses that contain the following words:
yaho, google, win, use, info, help, admi, webm, micro, msn, hotm,
suppor, syman, viru, trend, secur, panda, cafee, sopho, kasper
W32/Zafi-D does not harvest addresses that contain 16 or more digits.
W32/Zafi-D may generate random addresses using harvested domain names.
W32/Zafi-D produces emails with the following characteristics depending
on the nationality of the recipient, which it gathers from the
region-specific top-level domain (e.g. .uk, .de, .fr, .nl etc.)
A typical message sent by the W32/Zafi-D worm
From line: This is either a name gathered from the host email setup or
one of the following:
Pamela M.
T. Antonio
J. Martin
V. Dusan
R. Cornel
H. Irene
S. Ewa
C. Lina
M. Virtanen
M. Emma
J. Andersson
V. Jensen
V. Tatyana
N. Fernandez
T. Maria
Subject line: This can start either "Re:", "Fw:" or with nothing,
continuing with one of the following:
Merry Christmas!
Buon Natale!
Joyeux Noel!
Christmas pohlednice
Prettige Kerstdagen!
Weihnachen card.
Christmas - Kertki!
Christmas - Atviruka!
Christmas postikorti!
Christmas Postkort!
Christmas Vykort!
Christmas Kort!
ecard.ru
Feliz Navidad!
boldog karacsony...
Message body: This is in plain text and html format. Both consist either
of two words or spaces, followed by a smiley and the sender name from
the subject line. In the html the words or spaces are separated by
"...." strings and an lewd animated GIF file of two smileys and the line
starts and ends in asterisks. The html text ends in a string containing
a domain name followed by the text "Picture Size: 11 KB, Mail +OK".
The words used in the text are from the following, or using non-Roman
characters:
Happy Hollydays!
Buon Natale!
Joyeux Noel!
Prettige Kerstdagen!
Frohliche Wiehnachten!
Wesolych Swiat!
Naujieji Metai!
Iloista Joulua!
God Jul!
Glaedelig Jul!
Feliz Navidad
Kellemes Unnepeket!
Attached filename: This starts "link." or nothing, followed by one name
from the following list:
postcard.
cartoline.
ecarte.
phlednice.
kerstdagen.
weihnachten.
kartki.
atviruka.
postikorti.
postkort.
vykort.
ekort.
card.
navidad.
karacsony.
This is then followed by "christmas." or nothing, then by "index." or
nothing.
The attachment then has one of the following fake extensions followed by
4 random digits:
.php
.htm
.jpg
.gif
The attachment has one of the following actual extensions:
.cmd
.bat
.pif
.com
.zip
If the attachment is a ZIP file then the worm inside it has a filename
of one of the following:
postcard.
wishcard.
xmascard.
giftcard.
This is followed by either "id" or "php", four random digits and one of
the following extensions:
.cmd
.bat
.pif
.com
For example, the attached file may be a zip file named
atviruka.christmas.index.jpg6245.zip containing a copy of the virus
named wishcard.id8302.cmd
W32/Zafi-D creates entries in the registry, some related to file it
drops and some related to system information. The entries are all at
HKLM\Software\Microsoft\Wxp4\ with some of the following values:
t1, t2, t3, t4, t5, t6, t7, t8, t9, tA, tB, tC, tD, tE, tZ, rB, rC,
mA, mB, mC, ... , mX, mY, mZ
lA, lB, lC, ... , lX, lY, lZ
W32/Zafi-D displays an fake error message box with the caption "CRC:
04F6Bh" and the text "Error in packed file!".
Name W32/Atak-G
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Atak-G is a Windows worm that spreads via email. W32/Atak-G copies
itself to a file with a random name in the Windows system folder.
W32/Atak-G sends itself to all email addresses found on the computer.
The worm arrives as a ZIP attachment in an email. The subject line,
message text and attachment filenames are randomly constructed from the
building blocks listed in the Advanced Description.
Advanced
W32/Atak-G is a Windows worm that spreads via email. W32/Atak-G copies
itself to a file with a random name in the Windows system folder.
On W9x systems W32/Atak-G inserts a 'load=' entry under the [windows]
class of the WIN.INI file pointing to the worm so as to auto-start on
user logon.
On NT, W2k and XP systems, the worm creates the following registry entry
to autorun on windows logon:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Path to worm>
W32/Atak-G sends itself to all email addresses found on the system. The
worm harvests addresses from files with various extensions such as HTM,
EML, ASP or DBX.
The worms email will have the following characteristics:
Attachment name: chosen from
separate_file.zip
textfile.zip
print.zip
note.zip
white_paper.zip
part001.zip
Subject Lines:
<random1> Love <random2> <smiley>
where the random parts are selected from the following lists.
<random1>:
Stay
True
Get
Make
Have a
<random2>:
human spirit
Not Wars
and get money
for fun
will freedom
to other
with me
Not spam
<smiley >:
:D
;)
:>
;-D
- ;-*
!!
!?!
:K
An example is 'Have a Love to other :>'.
The message starts with a greeting of the form
<random1> <random2>,'
with <random1> selected from:
Dear
Congratulation
Welcome
Greet
Hi
Hello
Nice to meet you
and <random2> one of:
Ladies & Gentleman
Sir/Madam
Person
Customer
User
An example is 'Welcome User,'.
After the greeting appears one of the following lines:
We have installed our anti-spam tools to protect your email
Your account info has been setting up to block spam email
We have make a few change for our customer. Please be informed
We have upgraded your account features
Your account has been upgraded with our new services
followed by another randomly assembled line of the format
<random1> website at http://www.<domain> to <random2>
with <random1> choosen from:
Please check our
Visit our
Goto our
Logon to
and <randome2> selected from:
know about account features
learn about our features
get more info
find out our services.
The domainname is either harvested from the system or randomly
constructed.
The next part of the email message is one of the following lines:
Remember this note
Please take note this info
Keep this info
Your account info
followed by
---> Email: <email>
---> Password: <password> <text>
<email> is a randomly constructed email address for the domainname that
was choosen previously. The password is a random string. <text> is
choosen randomly from the following:
* [please change it after registeration]
* (You can change it later)
* (temp. pwd only)
* (temporary password).
The next line in the email has the format
<random1> website to <random2> http://www.<domain> .
with <random1> one of:
Please check our
Visit our
Goto our
Logon to
and <random2> selected from:
know about account features
learn about our features
get more info
find out our services.
The last line has the format
<random1>ormation <random2>.
with <random1> one of:
Saved
Email account
Your credential
Your account
NOTE: All your account
and <random2> choosen from:
has been saved. Please check when needed
can be found at your email attachment
has been clipped to your email
already included into your email
has been attached as a file and ready to be printed.
The email ends with a greeting of the form
<random1>, <domain> <random2>
with <random1> selected from:
By
Thank you
Your sincerely
Regard
and <random2> one of:
Help Team
Technical Support
Customer Services
Administrator
Services Team
Team.
An example for an email is:
Welcome Sir/Madam,
We have installed our anti-spam tools to protect your email.
Please check our website at http://www.microsoft.com to know about
account features.
Your account info:
---> Email: inet@microsoft.com
---> Password: 2aff (temporary password)
Please check our website to learn about our features
http://www.microsoft.com .
Your account information has been saved. Please check when needed.
Your sincerely,
microsoft.com Team
Name W32/Sdbot-SB
Type
* Worm
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Dropped by malware
Prevalence (1-5) 2
Description
W32/Sdbot-SB is a member of the W32/Sdbot family of worms with a
backdoor component.
Advanced
W32/Sdbot-SB is a member of the W32/Sdbot family of worms with a
backdoor component.
In order to run automatically when Windows starts up the worm copies
itself to the file winprotect.exe in the Windows system folderand adds
the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winprotect
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\winprotect
W32/Sdbot-SB is dropped by Troj/Wurmark-B.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|