Text 169, 1364 rader
Skriven 2007-02-24 13:12:00 av KURT WISMER
Ärende: News, February 24 2007
==============================
[cut-n-paste from sophos.com]
Name VBS/Soad-C
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Aliases
* Virus.VBS.Balamut.a
Prevalence (1-5) 2
Description
VBS/Soad-C is a script worm for the Windows platform.
Advanced
VBS/Soad-C is a script worm for the Windows platform.
When run VBS/Soad-C attemps to copy itself to removeable shared
drives. VBS/Soad-C also attempts to copy itself as random filenames
to the following folders:
C:\
C:\progra~1\
C:\docume~1\
C:\DOCUME~1\ALLUSE~1\Desktop\
C:\DOCUME~1\ALLUSE~1\STARTM~1\
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
VBS/Soad-C includes functionality to:
- eject the CD/DVD tray
- shutdown Windows within a specified time
VBS/Soad-C will also display the message "Hello This Is A Good Day!!"
if the system date is April 20.
The following registry entries are set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\HideFileExt
UncheckedValue
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL
CheckedValue
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL
Type
<null>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\SuperHidden
UncheckedValue
1
Name Troj/Psyme-DZ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.VB.ft
Prevalence (1-5) 2
Description
Troj/Psyme-DZ is a downloading Trojan for the Windows platform.
Advanced
Troj/Psyme-DZ is a downloading Trojan for the Windows platform.
Troj/Psyme-DZ attempts to download the file codecs.exe from the
predefined website. At the time of writing this file is detected as
Troj/Abox-K.
Name W32/Poebot-KE
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Allows others to access the computer
* Steals information
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Win32/Poebot trojan
* W32/Sdbot.worm.gen.q
* W32/Sdbot.WAC
* Backdoor.Win32.PoeBot.r
Prevalence (1-5) 2
Description
W32/Poebot-KE is a worm with IRC Backdoor functionality for the
Windows platform.
W32/Poebot-KE spreads
- to computers vulnerable to common exploits, including: LSASS
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049),
Dameware (CAN-2003-1030) and PNP (MS05-039)
- to network shares protected by weak passwords
W32/Poebot-KE runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Poebot-KE is a worm with IRC Backdoor functionality for the
Windows platform.
W32/Poebot-KE spreads
- to computers vulnerable to common exploits, including: LSASS
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049),
Dameware (CAN-2003-1030) and PNP (MS05-039)
- to network shares protected by weak passwords
W32/Poebot-KE runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Poebot-KE copies itself to <System>\<filename>.exe
The following registry entry is created to run <filename>.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<description>
<System>\<filename>.exe
where <filename> and <description> are randomly generated.
Name Troj/Delf-ELF
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* BKDR_DELF.ABK
* Backdoor.Win32.Delf.apv
Prevalence (1-5) 2
Description
Troj/Delf-ELF is a Trojan for the Windows platform.
Advanced
Troj/Delf-ELF is a Trojan for the Windows platform.
When first run Troj/Delf-ELF copies itself to <System>\njil.exe.
The following registry entry is created to run njil.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NJIL
System\njil.exe
Name W32/Poebot-KG
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Poebot-KG is a worm and IRC backdoor for the Windows platform.
W32/Poebot-KG spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC
(MS06-040), RPC-DCOM (MS04-012) and PNP (MS05-039).
Advanced
W32/Poebot-KG is a worm and IRC backdoor for the Windows platform.
W32/Poebot-KG spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC
(MS06-040), RPC-DCOM (MS04-012) and PNP (MS05-039).
W32/Poebot-KG runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Poebot-KG copies itself to <System>\csrs.exe.
The following registry entry is created to run csrs.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Client Server Runtime Process
<System>\csrs.exe
Name W32/Delbot-H
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Delbot-H is a worm with IRC backdoor functionality for the
Windows platform.
W32/Delbot-H spreads
- to computers vulnerable to common exploits, including: Symantec
(SYM06-010)
- to MSSQL servers protected by weak passwords
W32/Delbot-H runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Delbot-H is a worm with IRC backdoor functionality for the
Windows platform.
W32/Delbot-H spreads
- to computers vulnerable to common exploits, including: Symantec
(SYM06-010)
- to MSSQL servers protected by weak passwords
W32/Delbot-H runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Delbot-H copies itself to <System>\fwcheck.exe.
The following registry entry is created to run fwcheck.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FW Manager
System\fwcheck.exe
Name Troj/Murlo-EK
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Murlo.ek
* Generic BackDoor.n
Prevalence (1-5) 2
Description
Troj/Murlo-EK is a downloading Trojan for the Windows platform.
Advanced
Troj/Murlo-EK is a downloading Trojan for the Windows platform.
Troj/Murlo-EK includes functionality to access the internet and
communicate with a remote server via HTTP.
When installed Troj/Murlo-EK creates the file <Temp>\tmp1.tmp. This
file is detected as Troj/Inject-Gen.
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Internet Explorer
UID
29220100900300001b844e47
Name W32/Rbot-GFK
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.IRCBot.wt
* W32/Spybot.worm.gen
Prevalence (1-5) 2
Description
W32/Rbot-GFK is a worm for the Windows platform.
Advanced
When first run W32/Rbot-GFK copies itself to \algose32.exe.
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Name W32/Piggi-B
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Leaves non-infected files on computer
Aliases
* Win32/Piggi.NAA
* W32.Vutsog.A
Prevalence (1-5) 2
Description
W32/Piggi-B is a mass-mailing worm for the Windows platform.
W32/Piggi-B spreads via email and may pretend:
- to offer a free gift
- that your myspace, anti-virus, tax, financial or personal details
have been
hacked or expired
- that an email sent, was failed to deliver
- to be showing you a picture, movie, game, sound or website
- to offer a gambling, casino or poker technique or strategy
Attached files may contain any of the following extensions:
- .wav
- .wma
- .mp3
- .rtf
- .html
- .txt
- .gif
- .jpeg
- .com
- .exe
W32/Piggi-B may exploit RPCDCOM and LanManager exploits.
W32/Piggi-B harvests email addresses from the Windows Address Book,
and by
searching the computer.
When first run W32/Piggi-B may make hundreds of copies of itself to
any folder
with the following name:
- BearShare
- Uploads
- Downloads
- Shared
- Upload
- Share
- Collections
- My Shared Folder
Advanced
W32/Piggi-B is a mass-mailing worm for the Windows platform.
W32/Piggi-B spreads via email and may pretend:
- to offer a free gift
- that your myspace, anti-virus, tax, financial or personal details
have been
hacked or expired
- that an email sent, was failed to deliver
- to be showing you a picture, movie, game, sound or website
- to offer a gambling, casino or poker technique or strategy
Attached files may contain any of the following extensions:
- .wav
- .wma
- .mp3
- .rtf
- .html
- .txt
- .gif
- .jpeg
- .com
- .exe
W32/Piggi-B may exploit RPCDCOM and LanManager exploits.
W32/Piggi-B harvests email addresses from the Windows Address Book,
and by
searching the computer.
When first run W32/Piggi-B may make hundreds of copies of itself to
any folder
with the following name:
- BearShare
- Uploads
- Downloads
- Shared
- Upload
- Share
- Collections
- My Shared Folder
and to the following filenames as ADS (Alternate Data Stream) streams:
<Windows>\lsass.exe
<Program Files>\Internet Explorer\iexplore.exe
<System>\dllcache\svchost.exe
<Windows>\svchost.exe
and creates the following files:
<System>\drivers\<random 5 characters>.sys - detected as
Troj/NTRootK-BB
<System>\msfsr.sys - detected as Troj/NTRootK-BB
\zyxwvuts.log
The following registry entry is created to run W32/Piggi-B on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<original name of the worm>
<pathname of the worm executable>
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SvcHost
<System>\svchost.exe:svchost.exe
The following registry entry is changed to run lsass.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <Windows>\lsass.exe
The file <random 5 characters>.sys is registered as a new system
driver service
named "<random 5 characters>", with a display name of "<random 5
characters>"
and a startup type of automatic, so that it is started automatically
during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\<random 5 characters>
The file msfsr.sys is registered as a new system driver service named
"msfsr",
with a display name of "msfsr". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\msfsr
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
Parameters\FirewallPolicy
StandardProfile\AuthorizedApplications\List
<pathname of the worm executable>
<Current Folder>\<original filename>:*:enabled:@xpsp2res.dll,-22019
W32/Piggi-B sets the following registry entries, disabling the
automatic startup
of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
3
W32/Piggi-B may overwrite the wuauserv services and any Norton
LiveUpdate
services.
Name W32/Pitin-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Reduces system security
* Installs itself in the Registry
Aliases
* W32/Pitin.worm
* Win32/Delf.YL
Prevalence (1-5) 2
Description
W32/Pitin-A is a network worm for the Windows platform.
Advanced
W32/Pitin-A is a network worm for the Windows platform.
When first run W32/Pitin-A copies itself to Documents and
Settings\Nitip.exe for all users, as well as filenames that
correspond to found directories.
The following registry entry is created to run W32/Pitin-A on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Wkyo86
<pathname of the worm executable>
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSaveSettings
0
Name Troj/SpamToo-U
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/SpamToo-U is a spamming Trojan for the Windows platform.
Advanced
Troj/SpamToo-U is a spamming Trojan for the Windows platform.
When run Troj/SpamToo-U creates the following files:
<Temp>\Zupastik.exe - detected as Troj/SpamToo-U
<System>\rsvp32_2.dll - detected as Troj/SpamToo-U
<System>\sporder.dll - clean file
<Temp>\wallpapers_030226_rover_brodyaga.jpg - clean image file
Troj/SpamToo-U also attempts to display the file
<Temp>\wallpapers_030226_rover_brodyaga.jpg with the default image
editor.
Once installed Troj/SpamToo-U registers <System>\rsvp32_2.dll as a
(LSP) Layered Service Provider and sets the following registry
entries to startup whenever a network stream is initialised:
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\
Troj/SpamToo-U may creates entries under:
HKLM\SOFTWARE\WinSock2\Buibert\
Troj/SpamToo-U then attempts to send spam messages via instant
messaging client applications including Yahoo! Messenger and also via
webmail hosting sites including webmail.tiscali.co.uk,
ComcastWebMail, Google Mail and Care2WebMail.
Name W32/Dref-AE
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Pakes
* W32/Backdoor.AFEY
Prevalence (1-5) 2
Description
W32/Dref-AE is a worm with backdoor functionality for the Windows
platform.
W32/Dref-AE may spread via IRC channels and by sending itself out as
an email attachment.
W32/Dref-AE runs continuously in the background providing a backdoor
server which allows a remote intruder to gain access and control over
the computer.
Advanced
W32/Dref-AE is a worm with backdoor functionality for the Windows
platform.
W32/Dref-AE may spread via IRC channels and by sending itself out as
an email attachment.
W32/Dref-AE runs continuously in the background providing a backdoor
server which allows a remote intruder to gain access and control over
the computer.
The following registry entries are created to run W32/Dref-AE on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Firewall
<pathname of the Trojan executable>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Firewall
<pathname of the Trojan executable>
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
Name W32/SillyFDC-R
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Aliases
* Virus.Win32.VB.dd
Prevalence (1-5) 2
Description
W32/SillyFDC-R is a worm for the Windows platform.
Advanced
W32/SillyFDC-R is a worm for the Windows platform.
When run W32/SillyFDC-R attempts to spread itself via removeable
drives by copying itself to <Root>\ha.exe or <Root>\<filename>.gho
and creating the file <Root>\Autorun.inf to run <Root>\ha.exe or
<Root>\<filename>.gho.
W32/SillyFDC-R also creates the file <System>\ctfmon.exe. The file
<System>\ctfmon.exe is also copied to <Root>\ctfmon.exe,
<System>\IsDrv120.sys and <System>\drivers\cdrom.sys. These files are
also detected as W32/SillyFDC-R.
The following registry entries are set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKLM\SOFTWARE\Microsoft\Rpc
UuidSequenceNumber
<random number>
HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc
Start
4
Name Troj/Spy-UL
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Spy-Agent.bu
* Trojan-Spy.Win32.Small.gm
* TSPY_SMALL.ECQ
Prevalence (1-5) 2
Description
Troj/Spy-UL is an information stealing Trojan for the Windows platform.
Advanced
Troj/Spy-UL is an information stealing Trojan for the Windows platform.
When run Troj/Spy-UL creates the files:
<System>\odbcmr32.dll - detected as Troj/Spy-UL
<Temp>\odbcmr32.dll - detected as Troj/Spy-UL
<System>\obdwk.sys - detected as Troj/NTRootK-BF
When run Troj/Spy-UL creates the following registry entries to run
itself on startup:
HKCR\CLSID\(ClassID)\InprocServer32
(default)
odbcmr32.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayL
oad
odb_set
(ClassID)
Troj/Spy-UL creates the file <System>\obdwk.sys and registers it as a
new system driver service named "mcemgr" with a display name of
"mcemgr"and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCEMGR\
HKLM\SYSTEM\CurrentControlSet\Services\mcemgr\
Troj/Spy-UL includes functionality to monitor network traffic and
send the information to a remote location via HTTP.
Name Troj/Dloadr-ATW
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Small.ecw
Prevalence (1-5) 2
Description
Troj/Dloadr-ATW is a Trojan for the Windows platform.
Advanced
Troj/Dloadr-ATW is a Trojan for the Windows platform.
Troj/Dloadr-ATW includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Dloadr-ATW copies itself to <System>\scvhsot.exe
and creates the following files:
<Temp>\24838.txt
<Temp>\41.txt
These files may just be deleted.
The following registry entry is created to run scvhsot.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QQKAV
System\scvhsot.exe
Name W32/Fujacks-Z
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Worm.Win32.Fujack.aj
* Win32/Fujacks.AG
* PE_FUJACKS.EH
Prevalence (1-5) 2
Description
W32/Fujacks-Z is a prepending virus for the Windows platform.
Advanced
W32/Fujacks-Z is a prepending virus for the Windows platform.
W32/Fujacks-Z spreads to other network computers.
W32/Fujacks-Z runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Fujacks-Z includes functionality to access the internet and
communicate with a remote server via HTTP.
When W32/Fujacks-Z is installed the following files are created:
<Current Folder>\Games.exe.exe
<System>\drivers\nvscv32.exe
The following registry entry is created to run nvscv32.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svcshare
<System>\drivers\nvscv32.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\Hidden\SHOWALL
CheckedValue
0
Name W32/Tilebot-IW
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.xd
* W32/Backdoor.ABMO
Prevalence (1-5) 2
Description
W32/Tilebot-IW is a worm with IRC backdoor functionality for the
Windows platform.
W32/Tilebot-IW spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1
(MS04-007), RealVNC (CVE-2006-2369) and Symantec (SYM06-010).
Advanced
W32/Tilebot-IW is a worm with IRC backdoor functionality for the
Windows platform.
W32/Tilebot-IW spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1
(MS04-007), RealVNC (CVE-2006-2369) and Symantec (SYM06-010).
W32/Tilebot-IW runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-IW includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-IW copies itself to <System>\dllhost.exe.
The file dllhost.exe is registered as a new system driver service
named "DLLHOST32", with a display name of "Windows Host Services" and
a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\DLLHOST32
W32/Tilebot-IW sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKCU\Software\Microsoft\Security Center
FirewallDisableNotify
1
HKCU\Software\Microsoft\Security Center
UpdatesDisableNotify
1
HKCU\Software\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
Name W32/Fujacks-AA
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* W32/Fujacks.k
* W32.Fujacks.D
* WORM_FUJACKS.AO
Prevalence (1-5) 2
Description
W32/Fujacks-AA is a virus with backdoor functionality for the Windows
platform.
W32/Fujacks-AA spreads to other network computers, and may create
autorun.inf files to enable autorun on removable devices.
W32/Fujacks-AA runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Fujacks-AA includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Fujacks-AA is a virus with backdoor functionality for the Windows
platform.
W32/Fujacks-AA spreads to other network computers, and may create
autorun.inf files to enable autorun on removable devices.
W32/Fujacks-AA runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Fujacks-AA includes functionality to access the internet and
communicate with a remote server via HTTP.
The virus may infect HTML and ASP files, these files are detected as
Troj/Fujif-Gen.
When first run W32/Fujacks-AA copies itself to
<System>\drivers\spoclsv.exe.
The following registry entry is created to run spoclsv.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
svcshare
<System>\drivers\spoclsv.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
\Hidden\SHOWALL
CheckedValue
0
Name Troj/BagleDl-CJ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/BagleDl-CJ is a downloader Trojan for the Windows platform.
Advanced
Troj/BagleDl-CJ is a downloader Trojan for the Windows platform.
When run Troj/BagleDl-CJ creates the files:
<Temp>\~D.exe - detected as Troj/BagleDl-CJ
<Temp>\~E.exe - detected as Troj/BagleDl-CJ
<Temp>\~F.exe - detected as Troj/BagleDl-CJ
<System>\m_hook.sys - detected as Troj/NTRootK-BG
Troj/BagleDl-CJ creates registers the file m_hook.sys as a new system
driver service named "m_hook" with a display name of "Empty" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\
The following registry entries are set:
HKLM\SYSTEM\CurrentControlSet\Services\Alerter
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
Registry entries are created under:
HKCU\Software\DateTime4\
HKCU\Software\FirtR\
Troj/BagleDl-CJ includes functionality to:
- terminate security and anti-virus related processes
- download code from the internet
Troj/BagleDl-CJ may also set the following registry entry to run the
downloaded file on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Name OF97/Blic-A
Type
* Virus
Affected operating systems
* Windows
Side effects
* Drops more malware
* Dropped by malware
Prevalence (1-5) 2
Description
OF97/Blic-A is a macro that drops files detected as Mal/Behav-010.
Files are dropped to:
<System>\blackice.exe
<System>\kernel.dll
The dropped files in turn affect the Microsoft Excel and Word
environment. Subsequent files created will be detected as OF97/Blic-A.
Name Troj/BHO-BE
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Monitors browser activity
* Opens links to websites
* Installs a browser helper object
Aliases
* Spyware-JuanSearch
* Win32/BHO.G
* Trojan.Adclicker
Prevalence (1-5) 2
Description
Troj/BHO-BE is a Trojan for the Windows platform.
Troj/BHO-BE may install itself as a Browser Helper Object and
redirect typed URLs and search queries to another website.
Name W32/Looked-CD
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Drops more malware
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Looked-CD is a virus for the Windows platform.
W32/Looked-CD includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Looked-CD also may spread through available network shares.
Advanced
W32/Looked-CD is a virus for the Windows platform.
W32/Looked-CD includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Looked-CD also may spread through available network shares.
When first run W32/Looked-CD copies itself to <Windows>\rundl132.exe
When W32/Looked-CD is installed the following file is created:
<Windows>\RichDll.dll
RichDll.dll is also detected as W32/Looked-CD.
W32/Looked-CD creates a number of files with the name "_desktop.ini"
are created, in various folders on the infected computer. These files
are harmless text files.
The following registry entry is created to run rundl132.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
|