Tillbaka till svenska Fidonet
English   Information   Debug  
COMICS   0/15
CONSPRCY   0/899
COOKING   33158
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2064
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33918
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24145
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4422
FN_SYSOP   41694
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13600
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16073
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22103
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   928
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1121
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3233
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13284
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/340
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
Möte DIRTY_DOZEN, 201 texter
 lista första sista föregående nästa
Text 177, 1832 rader
Skriven 2007-03-31 14:28:00 av KURT WISMER
Ärende: News, March 31 2007
===========================
[cut-n-paste from sophos.com]

Name   W32/Mytob-KD

Type  
    * Spyware Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer
    * Steals information
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Mytob-KD is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

Advanced
W32/Mytob-KD is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-KD is capable of spreading through email and through 
various operating system vulnerabilities such as the LSASS (MS04-011) 
vulnerability. Email sent by W32/Mytob-KD has the following properties:

Subject line:
  Notice: **Last Warning**
  *DETECTED* Online User Violation
  Your Email Account is Suspended For Security Reasons
  Account Alert
  Important Notification
  *WARNING* Your Email Account Will Be Closed
  Security measures
  Email Account Suspension
  Notice of account limitation

Message text:
  Once you have completed the form in the attached file , your 
account records will not be interrupted and will continue as normal.

  The original message has been included as an attachment.

  We regret to inform you that your account has been suspended due to 
the violation of our site policy, more info is attached.
  
  We attached some important information regarding your account.
  
  Please read the attached document and follow it's instructions.

The attached zip file consists of a base name followed by the 
extension ZIP. The worm may optionally create double extensions where 
the first extension is DOC, TXT or HTM and the final extension is 
BAT, CMD, PIF, SCR, EXE or ZIP. The base filenames are randomly 
chosen from:

account-details.zip
important-details.zip
email-details.zip
password-details.zip
email-password.zip
updated-password.zip

W32/Mytob-KD harvests email addresses from files on the infected 
computer and from the Windows address book. The worm avoids sending 
email to addresses that contain the following:

.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your

When run, W32/Mytob-KD copies itself to the Windows system folder as 
ctech.exe and sets the following registry entries in order to run 
each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WINDOWS SYSTEM
ctech.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
WINDOWS SYSTEM
ctech.exe

W32/Mytob-KD sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

W32/Mytob-KD modifies the HOSTS file, changing the URL-to-IP mappings 
for selected websites, therefore preventing normal access to these 
sites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.msn.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.oxyd.fr
127.0.0.1 oxyd.fr
127.0.0.1 www.t35.com
127.0.0.1 t35.com
127.0.0.1 www.t35.net
127.0.0.1 t35.net

W32/Mytob-KD terminates the following applications and 
security-related processes:

  ACKWIN32.EXE
  ADAWARE.EXE
  ADVXDWIN.EXE
  AGENTSVR.EXE
  AGENTW.EXE
  ALERTSVC.EXE
  ALEVIR.EXE
  ALOGSERV.EXE
  AMON9X.EXE
  ANTI-TROJAN.EXE
  ANTIVIRUS.EXE
  ANTS.EXE
  APIMONITOR.EXE
  APLICA32.EXE
  APVXDWIN.EXE
  ARR.EXE
  ATCON.EXE
  ATGUARD.EXE
  ATRO55EN.EXE
  ATUPDATER.EXE
  ATUPDATER.EXE
  ATWATCH.EXE
  AU.EXE
  AUPDATE.EXE
  AUPDATE.EXE
  AUTO-PROTECT.NAV80TRY.EXE
  AUTODOWN.EXE
  AUTODOWN.EXE
  AUTOTRACE.EXE
  AUTOTRACE.EXE
  AUTOUPDATE.EXE
  AUTOUPDATE.EXE
  AVCONSOL.EXE
  AVE32.EXE
  AVGCC32.EXE
  AVGCTRL.EXE
  AVGNT.EXE
  AVGSERV.EXE
  AVGSERV9.EXE
  AVGUARD.EXE
  AVGW.EXE
  AVKPOP.EXE
  AVKSERV.EXE
  AVKSERVICE.EXE
  AVKWCTl9.EXE
  AVLTMAIN.EXE
  AVNT.EXE
  AVP.EXE
  AVP32.EXE
  AVPCC.EXE
  AVPDOS32.EXE
  AVPM.EXE
  AVPTC32.EXE
  AVPUPD.EXE
  AVPUPD.EXE
  AVSCHED32.EXE
  AVSYNMGR.EXE
  AVWINNT.EXE
  AVWUPD.EXE
  AVWUPD32.EXE
  AVWUPD32.EXE
  AVWUPSRV.EXE
  AVXMONITOR9X.EXE
  AVXMONITORNT.EXE
  AVXQUAR.EXE
  AVXQUAR.EXE
  BACKWEB.EXE
  BARGAINS.EXE
  BD_PROFESSIONAL.EXE
  BEAGLE.EXE
  BELT.EXE
  BIDEF.EXE
  BIDSERVER.EXE
  BIPCP.EXE
  BIPCPEVALSETUP.EXE
  BISP.EXE
  BLACKD.EXE
  BLACKICE.EXE
  BLSS.EXE
  BOOTCONF.EXE
  BOOTWARN.EXE
  BORG2.EXE
  BPC.EXE
  BRASIL.EXE
  BS120.EXE
  BUNDLE.EXE
  BVT.EXE
  CCAPP.EXE
  CCEVTMGR.EXE
  CCPXYSVC.EXE
  CDP.EXE
  CFD.EXE
  CFGWIZ.EXE
  CFIADMIN.EXE
  CFIAUDIT.EXE
  CFIAUDIT.EXE
  CFINET.EXE
  CFINET32.EXE
  CLAW95CF.EXE
  CLEAN.EXE
  CLEANER.EXE
  CLEANER3.EXE
  CLEANPC.EXE
  CLICK.EXE
  CMD.EXE
  CMD32.EXE
  CMESYS.EXE
  CMGRDIAN.EXE
  CMON016.EXE
  CONNECTIONMONITOR.EXE
  CPD.EXE
  CPF9X206.EXE
  CPFNT206.EXE
  CTRL.EXE
  CV.EXE
  CWNB181.EXE
  CWNTDWMO.EXE
  DATEMANAGER.EXE
  DCOMX.EXE
  DEFALERT.EXE
  DEFSCANGUI.EXE
  DEFWATCH.EXE
  DEPUTY.EXE
  DIVX.EXE
  DLLCACHE.EXE
  DLLREG.EXE
  DOORS.EXE
  DPF.EXE
  DPFSETUP.EXE
  DPPS2.EXE
  DRWATSON.EXE
  DRWEB32.EXE
  DRWEBUPW.EXE
  DSSAGENT.EXE
  DVP95.EXE
  DVP95_0.EXE
  ECENGINE.EXE
  EFPEADM.EXE
  EMSW.EXE
  ENT.EXE
  ESAFE.EXE
  ESCANHNT.EXE
  ESCANV95.EXE
  ESPWATCH.EXE
  ETHEREAL.EXE
  ETRUSTCIPE.EXE
  EVPN.EXE
  EXANTIVIRUS-CNET.EXE
  EXE.AVXW.EXE
  EXPERT.EXE
  EXPLORE.EXE
  F-PROT.EXE
  F-PROT95.EXE
  F-STOPW.EXE
  FAMEH32.EXE
  FAST.EXE
  FCH32.EXE
  FIH32.EXE
  FINDVIRU.EXE
  FIREWALL.EXE
  FNRB32.EXE
  FP-WIN.EXE
  FP-WIN_TRIAL.EXE
  FPROT.EXE
  FRW.EXE
  FSAA.EXE
  FSAV.EXE
  FSAV32.EXE
  FSAV530STBYB.EXE
  FSAV530WTBYB.EXE
  FSAV95.EXE
  FSGK32.EXE
  FSM32.EXE
  FSMA32.EXE
  FSMB32.EXE
  GATOR.EXE
  GBMENU.EXE
  GBPOLL.EXE
  GENERICS.EXE
  GMT.EXE
  GUARD.EXE
  GUARDDOG.EXE
  HACKTRACERSETUP.EXE
  HBINST.EXE
  HBSRV.EXE
  HOTACTIO.EXE
  HOTPATCH.EXE
  HTLOG.EXE
  HTPATCH.EXE
  HWPE.EXE
  HXDL.EXE
  HXIUL.EXE
  IAMAPP.EXE
  IAMSERV.EXE
  IAMSTATS.EXE
  IBMASN.EXE
  IBMAVSP.EXE
  ICLOADNT.EXE
  ICMON.EXE
  ICSUPP95.EXE
  ICSUPPNT.EXE
  IDLE.EXE
  IEDLL.EXE
  IEDRIVER.EXE
  IEXPLORER.EXE
  IFACE.EXE
  IFW2000.EXE
  INETLNFO.EXE
  INFUS.EXE
  INFWIN.EXE
  INIT.EXE
  INTDEL.EXE
  INTREN.EXE
  IOMON98.EXE
  ISTSVC.EXE
  JAMMER.EXE
  JDBGMRG.EXE
  JEDI.EXE
  KAVLITE40ENG.EXE
  KAVPERS40ENG.EXE
  KAVPF.EXE
  KAZZA.EXE
  KEENVALUE.EXE
  KERIO-PF-213-EN-WIN.EXE
  KERIO-WRL-421-EN-WIN.EXE
  KERIO-WRP-421-EN-WIN.EXE
  KERNEL32.EXE
  KILLPROCESSSETUP161.EXE
  LAUNCHER.EXE
  LDNETMON.EXE
  LDPRO.EXE
  LDPROMENU.EXE
  LDSCAN.EXE
  LNETINFO.EXE
  LOADER.EXE
  LOCALNET.EXE
  LOCKDOWN.EXE
  LOCKDOWN2000.EXE
  LOOKOUT.EXE
  LORDPE.EXE
  LSETUP.EXE
  LUALL.EXE
  LUALL.EXE
  LUAU.EXE
  LUCOMSERVER.EXE
  LUINIT.EXE
  LUSPT.EXE
  MAPISVC32.EXE
  MCAGENT.EXE
  MCMNHDLR.EXE
  MCSHIELD.EXE
  MCTOOL.EXE
  MCUPDATE.EXE
  MCUPDATE.EXE
  MCVSRTE.EXE
  MCVSSHLD.EXE
  MD.EXE
  MFIN32.EXE
  MFW2EN.EXE
  MFWENG3.02D30.EXE
  MGAVRTCL.EXE
  MGAVRTE.EXE
  MGHTML.EXE
  MGUI.EXE
  MINILOG.EXE
  MMOD.EXE
  MONITOR.EXE
  MOOLIVE.EXE
  MOSTAT.EXE
  MPFAGENT.EXE
  MPFSERVICE.EXE
  MPFTRAY.EXE
  MRFLUX.EXE
  MSAPP.EXE
  MSBB.EXE
  MSBLAST.EXE
  MSCACHE.EXE
  MSCCN32.EXE
  MSCMAN.EXE
  MSCONFIG.EXE
  MSDM.EXE
  MSDOS.EXE
  MSIEXEC16.EXE
  MSINFO32.EXE
  MSLAUGH.EXE
  MSMGT.EXE
  MSMSGRI32.EXE
  MSSMMC32.EXE
  MSSYS.EXE
  MSVXD.EXE
  MU0311AD.EXE
  MWATCH.EXE
  N32SCANW.EXE
  NAV.EXE
  NAVAP.NAVAPSVC.EXE
  NAVAPSVC.EXE
  NAVAPW32.EXE
  NAVDX.EXE
  NAVLU32.EXE
  NAVNT.EXE
  NAVSTUB.EXE
  NAVW32.EXE
  NAVWNT.EXE
  NC2000.EXE
  NCINST4.EXE
  NDD32.EXE
  NEOMONITOR.EXE
  NEOWATCHLOG.EXE
  NETARMOR.EXE
  NETD32.EXE
  NETINFO.EXE
  NETMON.EXE
  NETSCANPRO.EXE
  NETSPYHUNTER-1.2.EXE
  NETSTAT.EXE
  NETUTILS.EXE
  NISSERV.EXE
  NISUM.EXE
  NMAIN.EXE
  NOD32.EXE
  NORMIST.EXE
  NORTON_INTERNET_SECU_3.0_407.EXE
  NOTSTART.EXE
  NPF40_TW_98_NT_ME_2K.EXE
  NPFMESSENGER.EXE
  NPROTECT.EXE
  NPSCHECK.EXE
  NPSSVC.EXE
  NSCHED32.EXE
  NSSYS32.EXE
  NSTASK32.EXE
  NSUPDATE.EXE
  NT.EXE
  NTRTSCAN.EXE
  NTVDM.EXE
  NTXconfig.EXE
  NUI.EXE
  NUPGRADE.EXE
  NUPGRADE.EXE
  NVARCH16.EXE
  NVC95.EXE
  NVSVC32.EXE
  NWINST4.EXE
  NWSERVICE.EXE
  NWTOOL16.EXE
  OLLYDBG.EXE
  ONSRVR.EXE
  OPTIMIZE.EXE
  OSTRONET.EXE
  OTFIX.EXE
  OUTPOST.EXE
  OUTPOST.EXE
  OUTPOSTINSTALL.EXE
  OUTPOSTPROINSTALL.EXE
  PADMIN.EXE
  PANIXK.EXE
  PATCH.EXE
  PAVCL.EXE
  PAVPROXY.EXE
  PAVSCHED.EXE
  PAVW.EXE
  PCFWALLICON.EXE
  PCIP10117_0.EXE
  PCSCAN.EXE
  PDSETUP.EXE
  PERISCOPE.EXE
  PERSFW.EXE
  PERSWF.EXE
  PF2.EXE
  PFWADMIN.EXE
  PGMONITR.EXE
  PINGSCAN.EXE
  PLATIN.EXE
  POP3TRAP.EXE
  POPROXY.EXE
  POPSCAN.EXE
  PORTDETECTIVE.EXE
  PORTMONITOR.EXE
  POWERSCAN.EXE
  PPINUPDT.EXE
  PPTBC.EXE
  PPVSTOP.EXE
  PRIZESURFER.EXE
  PRMT.EXE
  PRMVR.EXE
  PROCDUMP.EXE
  PROCESSMONITOR.EXE
  PROCEXPLORERV1.0.EXE
  PROGRAMAUDITOR.EXE
  PROPORT.EXE
  PROTECTX.EXE
  PSPF.EXE
  PURGE.EXE
  QCONSOLE.EXE
  QSERVER.EXE
  RAPAPP.EXE
  RAV7.EXE
  RAV7WIN.EXE
  RAV8WIN32ENG.EXE
  RAY.EXE
  RB32.EXE
  RCSYNC.EXE
  REALMON.EXE
  REGED.EXE
  REGEDIT.EXE
  REGEDT32.EXE
  RESCUE.EXE
  RESCUE32.EXE
  RRGUARD.EXE
  RSHELL.EXE
  RTVSCAN.EXE
  RTVSCN95.EXE
  RULAUNCH.EXE
  RUN32DLL.EXE
  RUNDLL.EXE
  RUNDLL16.EXE
  RUXDLL32.EXE
  SAFEWEB.EXE
  SAHAGENT.EXE
  SAVE.EXE
  SAVENOW.EXE
  SBSERV.EXE
  SC.EXE
  SCAM32.EXE
  SCAN32.EXE
  SCAN95.EXE
  SCANPM.EXE
  SCRSCAN.EXE
  SETUPVAMEEVAL.EXE
  SETUP_FLOWPROTECTOR_US.EXE
  SFC.EXE
  SGSSFW32.EXE
  SH.EXE
  SHELLSPYINSTALL.EXE
  SHN.EXE
  SHOWBEHIND.EXE
  SMC.EXE
  SMS.EXE
  SMSS32.EXE
  SOAP.EXE
  SOFI.EXE
  SPERM.EXE
  SPF.EXE
  SPHINX.EXE
  SPOLER.EXE
  SPOOLCV.EXE
  SPOOLSV32.EXE
  SPYXX.EXE
  SREXE.EXE
  SRNG.EXE
  SS3EDIT.EXE
  SSGRATE.EXE
  SSG_4104.EXE
  ST2.EXE
  START.EXE
  STCLOADER.EXE
  SUPFTRL.EXE
  SUPPORT.EXE
  SUPPORTER5.EXE
  SVC.EXE
  SVCHOSTC.EXE
  SVCHOSTS.EXE
  SVSHOST.EXE
  SWEEP95.EXE
  SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
  SYMPROXYSVC.EXE
  SYMTRAY.EXE
  SYSEDIT.EXE
  SYSTEM.EXE
  SYSTEM32.EXE
  SYSUPD.EXE
  TASKMG.EXE
  TASKMGR.EXE
  TASKMO.EXE
  TASKMON.EXE
  TAUMON.EXE
  TBSCAN.EXE
  TC.EXE
  TCA.EXE
  TCM.EXE
  TDS-3.EXE
  TDS2-NT.EXE
  TEEKIDS.EXE
  TFAK.EXE
  TFAK5.EXE
  TGBOB.EXE
  TITANIN.EXE
  TITANINXP.EXE
  TRACERT.EXE
  TRICKLER.EXE
  TRJSCAN.EXE
  TRJSETUP.EXE
  TROJANTRAP3.EXE
  TSADBOT.EXE
  TVMD.EXE
  TVTMD.EXE
  UNDOBOOT.EXE
  UPDAT.EXE
  UPDATE.EXE
  UPDATE.EXE
  UPGRAD.EXE
  UTPOST.EXE
  VBCMSERV.EXE
  VBCONS.EXE
  VBUST.EXE
  VBWIN9X.EXE
  VBWINNTW.EXE
  VCSETUP.EXE
  VET32.EXE
  VET95.EXE
  VETTRAY.EXE
  VFSETUP.EXE
  VIR-HELP.EXE
  VIRUSMDPERSONALFIREWALL.EXE
  VNLAN300.EXE
  VNPC3000.EXE
  VPC32.EXE
  VPC42.EXE
  VPFW30S.EXE
  VPTRAY.EXE
  VSCAN40.EXE
  VSCENU6.02D30.EXE
  VSCHED.EXE
  VSECOMR.EXE
  VSHWIN32.EXE
  VSISETUP.EXE
  VSMAIN.EXE
  VSMON.EXE
  VSSTAT.EXE
  VSWIN9XE.EXE
  VSWINNTSE.EXE
  VSWINPERSE.EXE
  W32DSM89.EXE
  W9X.EXE
  WATCHDOG.EXE
  WEBDAV.EXE
  WEBSCANX.EXE
  WEBTRAP.EXE
  WFINDV32.EXE
  WHOSWATCHINGME.EXE
  WIMMUN32.EXE
  WIN-BUGSFIX.EXE
  WIN32.EXE
  WIN32US.EXE
  WINACTIVE.EXE
  WINDOW.EXE
  WINDOWS.EXE
  WININETD.EXE
  WININIT.EXE
  WININITX.EXE
  WINLOGIN.EXE
  WINMAIN.EXE
  WINNET.EXE
  WINPPR32.EXE
  WINRECON.EXE
  WINSERVN.EXE
  WINSSK32.EXE
  WINSTART.EXE
  WINSTART001.EXE
  WINTSK32.EXE
  WINUPDATE.EXE
  WKUFIND.EXE
  WNAD.EXE
  WNT.EXE
  WRADMIN.EXE
  WRCTRL.EXE
  WSBGATE.EXE
  WUPDATER.EXE
  WUPDT.EXE
  WYVERNWORKSFIREWALL.EXE
  XPF202EN.EXE
  ZAPRO.EXE
  ZAPSETUP3001.EXE
  ZATUTOR.EXE
  ZONALM2601.EXE
  ZONEALARM.EXE
  _AVP32.EXE
  _AVPCC.EXE
  _AVPM.EXE

  
  
  
  
Name   W32/Tilebot-JH

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Scans network for vulnerabilities
    * Scans network for weak passwords

Prevalence (1-5) 2

Description
W32/Tilebot-JH is a worm with IRC backdoor functionality for the 
Windows platform.

Advanced
W32/Tilebot-JH is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Tilebot-JH spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS (MS04-011), 
SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1 
(MS04-007), RealVNC (CVE-2006-2369) and Symantec (SYM06-010).

W32/Tilebot-JH runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-JH includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Tilebot-JH copies itself to <System>\system.exe.

The file system.exe is registered as a new system driver service 
named "SYSTEMSVC", with a display name of "Windows System Service" 
and a startup type of automatic, so that it is started automatically 
during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\SYSTEMSVC

W32/Tilebot-JH sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center





Name   W32/Delbot-V

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * W32/Nirbot.worm.gen

Prevalence (1-5) 2

Description
W32/Delbot-V is an IRC worm with backdoor functionality which allows 
a remote intruder to gain access and control over the computer.

W32/Delbot-V includes functionality to download, install and run new 
software.

W32/Delbot-V spreads to other network computers by scanning network 
shares for weak passwords and by exploiting common buffer overflow 
vulnerabilities, including Symantec (SYM06-010).

W32/Delbot-V my also attempt to spread by utilising weaknesses 
associated with SQL servers.

Advanced
W32/Delbot-V is an IRC worm with backdoor functionality which allows 
a remote intruder to gain access and control over the computer.

W32/Delbot-V includes functionality to download, install and run new 
software.

W32/Delbot-V spreads to other network computers by scanning network 
shares for weak passwords and by exploiting common buffer overflow 
vulnerabilities, including Symantec (SYM06-010).

W32/Delbot-V my also attempt to spread by utilising weaknesses 
associated with SQL servers.

When first run W32/Delbot-V copies itself to <System>\read.exe.

The following registry entry is created to run read.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinReader
<System>\read.exe





Name   W32/IRCBot-VJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Possibly a new variant of W32/NewMalware-Rootkit-I-based!Maximus
    * W32/Sdbot.worm.gen.cg

Prevalence (1-5) 2

Description
W32/IRCBot-VJ is a worm with IRC backdoor functionality for the 
Windows platform.

Advanced
W32/IRCBot-VJ is a worm with IRC backdoor functionality for the 
Windows platform.

W32/IRCBot-VJ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/IRCBot-VJ copies itself to <Common 
Files>\System\msdevl.exe.

The file msdevl.exe is registered as a new system driver service 
named "msdelv", with a display name of "msdevl" and a startup type of 
automatic, so that it is started automatically during system startup. 
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\msdelv

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\
StandardProfile\AuthorizedApplications\List
<Common Files>\System\msdevl.exe
<Common Files>\System\msdevl.exe:*:Enabled:Update





Name   W32/Rbot-GKL

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Prevalence (1-5) 2

Description
W32/Rbot-GKL is a worm with IRC backdoor functionality for the 
Windows platform.

Advanced
W32/Rbot-GKL is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Rbot-GKL runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-GKL spreads to other network computers:

- by exploiting common buffer overflow vulnerabilities, including: 
LSASS (MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), PNP 
(MS05-039), ASN.1 (MS04-007), RealVNC (CVE-2006-2369) and Symantec 
(SYM06-010)

- networks protected by weak passwords

When first run W32/Rbot-GKL copies itself to <System>\winupdte.exe.

The following registry entries are created to run 
<System>\winupdte.exe on startup:

W32/Rbot-GKL includes functionality to:

- download code from the internet
- perform port scanning
- perform DDoS attacks
- steal information including computer game keys
- setup a SOCKS4 proxy server





Name   Troj/PWS-ALQ

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/PWS-ALQ is a Trojan for the Windows platform.

Advanced
Troj/PWS-ALQ is a Trojan for the Windows platform.

When run Troj/PWS-ALQ copies itself to <Program Files>\Windows Media 
Player\svchost.exe and creates the file <System>\pdll.dll. The file 
pdll.dll is also detected as Troj/PWS-ALQ.

Troj/PWS-ALQ attempts to register itself as a service named "kingxxx" 
with a description of "kingxxx". The following registry entry is set 
to run the service on startup:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KINGXXX\

Troj/PWS-ALQ also creates the following registry entry to run itself 
on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Program Files>\Windows Media Player\svchost.exe,

Troj/PWS-ALQ includes functionality to:
- terminate anti-virus processes
- download code from the internet





Name   W32/Delbot-W

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Delbot-W is a backdoor IRC worm which allows a remote intruder to 
gain access and control over the computer.

Advanced
W32/Delbot-W is a backdoor IRC worm which allows a remote intruder to 
gain access and control over the computer.

W32/Delbot-W may attempt to spread by utilising network shares 
protected by weak passwords and weaknesses associated with SQL servers.

When first run W32/Delbot-W copies itself to <System>\mpn.exe.

The following registry entry is created to run mpn.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MPNet
<System>\mpn.exe





Name   W32/Looked-CV

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Looked-CV is a virus and network worm for the Windows platform.

Advanced
W32/Looked-CV is a virus and network worm for the Windows platform.

W32/Looked-CV infects files found on the local computer. 
W32/Looked-CV also copies itself to remote network shares and may 
infect files found on those shares.

W32/Looked-CV includes functionality to access the internet and 
communicate with a remote server via HTTP. W32/Looked-CV may attempt 
to download and execute additional files from a remote location.

When first run W32/Looked-CV copies itself as to 
<Windows>\logo1_.exe, <Windows>\uninstall\rundl132.exe and drops the 
file <Windows>\RichDll.dll which is detected as W32/Looked-CV.

W32/Looked-CV may also create many files with the name "_desktop.ini" 
in various folders on the infected computer. These files are harmless 
text files and can be deleted.

The following registry entry is created to run rundl132.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load
<Windows>\command\rundl132.exe





Name   Troj/Dloadr-AWG

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Dloadr-AWG is a Trojan for the Windows platform.

Advanced
Troj/Dloadr-AWG is a Trojan for the Windows platform.

Troj/Dloadr-AWG includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Dloadr-AWG copies itself to <System>\uvcx.exe.

The following registry entry is created to run uvcx.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
uvnx
<System>\uvcx.exe

The Trojan may attempt to terminate the following security related 
processed:

- kpf4ss.exe
- kavpf.exe
- outpost.exe
- zlclient.exe
- lspfix.exe

Registry entries are created under:

HKCU\Software\ewrew\uvcx\main





Name   Troj/Dloadr-AWJ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Dloadr-AWJ is a Trojan for the Windows platform.

Troj/Dloadr-AWJ has been seen attached to spam emails and may 
download further executable code.

Advanced
Troj/Dloadr-AWJ is a Trojan for the Windows platform.

Troj/Dloadr-AWJ has been seen attached to spam emails and may 
download further executable code.

When Troj/Dloadr-AWJ is installed the following files may be created:

<System>\ntos.exe
<System>\wsnpoem\audio.dll
<System>\wsnpoem\video.dll

The file ntos.exe is also detected as Troj/Dloadr-AWJ.

The following registry entry is created to run ntos.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
userinit
<System>\ntos.exe

The following registry entry is changed to run ntos.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\ntos.exe,





Name   W32/Rbot-GKQ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Downloads updates
    * Enables remote access
    * Scans network for vulnerabilities
    * Scans network for weak passwords

Aliases  
    * W32/Sdbot.worm.gen.ax

Prevalence (1-5) 2

Description
W32/Rbot-GKQ is a network worm with IRC backdoor functionality for 
the Windows platform.

Advanced
W32/Rbot-GKQ is a network worm with IRC backdoor functionality for 
the Windows platform.

W32/Rbot-GKQ spreads by exploiting common network vulnerabilities.

W32/Rbot-GKQ allows a remote attacker to gain access and control over 
the infected computer using IRC channels.

When first run W32/Rbot-GKQ copies itself to <System>\algose32.exe 
and creates the following registry entries to run algose32.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Offices Monitorse
<System>\algose32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Offices Monitorse
<System>\algose32.exe

W32/Rbot-GKQ sets the following registry entries in order to secure 
the infected computer against further exploits:

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous
1





Name   Troj/Nofere-E

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Nofere-E is a Trojan for the Windows platform.

Advanced
Troj/Nofere-E is a Trojan for the Windows platform.

Troj/Nofere-E includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Nofere-E copies itself to <Windows>\rund1132.exe.

The following registry entry is created to run expl0rer.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ravshell
<path to Trojan executable>





Name   Troj/Zlob-ABF

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Zlob-ABF is a downloader Trojan for the Windows platform.

Advanced
Troj/Zlob-ABF is a downloader Trojan for the Windows platform.

When run Troj/Zlob-ABF may create registry entries under:

HKCU\Software\Internet Security\





Name   Troj/Agent-EFP

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Agent-EFP is a Trojan for the Windows platform.

Troj/Agent-EFP runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
Troj/Agent-EFP is a Trojan for the Windows platform.

Troj/Agent-EFP runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run Troj/Agent-EFP copies itself to \System\asper.exe.

The following registry entry is created to run asper.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WindowsSystem32
\System\asper.exe

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharEFPccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizEFPpplications\List
\System\asper.exe
Common Files\System\asper.exe:*:Enabled:WindowsSystem32





Name   W32/Grum-A

Type  
    * Worm

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
W32/Grum-A is a worm on the Windows platform.

Advanced
W32/Grum-A is a appending virus for the Windows platform.

When run the virus will copy itself to <Temp>\winlogon.exe and 
attempts to infect files that are referenced by Run keys.

W32/Grum-A will also create the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Firewall auto setup
<Temp>\winlogon.exe

The virus will also truncate the HOSTS file, inject a thread into 
system.dll and attempt to patch the system files ntdll.dll and 
kernel32.dll





Name   W32/ShipUp-H

Type  
    * Worm

How it spreads  
    * Removable storage devices

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Trojan.Win32.ShipUp.c

Prevalence (1-5) 2

Description
W32/ShipUp-H is a worm for the Windows platform.

Advanced
W32/ShipUp-H is a worm for the Windows platform.

When first run W32/ShipUp-H copies itself to <System>\ccPrxy.exe.

The following files are created:

<Windows>\ldjs.txt
<Windows>\upnum.txt

These files can be safely deleted.

W32/ShipUp-H attempts to copy itself to logical drives found on the 
computer. The worm will attempt to create a hidden file Autorun.inf 
on the removeable drive to run the worm.

The following registry entry is created to run ccPrxy.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccPrxy.exe
ccPrxy.exe

The following registry entry is set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
9f

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\ShipUp





Name   Troj/Krepper-BJ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.CWS.am
    * Win32/TrojanDownloader.CWS.J

Prevalence (1-5) 2

Description
Troj/Krepper-BJ is a Trojan for the Windows platform.

Advanced
Troj/Krepper-BJ is a Trojan for the Windows platform.

Troj/Krepper-BJ includes functionality to download, install and run 
new software.

When first run Troj/Krepper-BJ copies itself to 
<Windows>\ServicePackFiles\services.exe.

The following registry entries are created to run Troj/Krepper-BJ on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
xp_system
<Windows>\ServicePackFiles\services.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
xp_system
<Windows>\ServicePackFiles\services.exe





Name   Troj/Proxy-HG

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * destructive program named W32/Trojan.ABSM

Prevalence (1-5) 2

Description
Troj/Proxy-HG is a Trojan for the Windows platform.

Advanced
Troj/Proxy-HG is a Trojan for the Windows platform.

When first run Troj/Proxy-HG copies itself to <Windows>\nvchost.exe.

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Nvchost





Name   W32/Rbot-GKW

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.IRCBot.az

Prevalence (1-5) 2

Description
W32/Rbot-GKW is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Rbot-GKW spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), WebDav 
(MS03-007) and ASN.1 (MS04-007) and by copying itself to network 
shares protected by weak passwords.

W32/Rbot-GKW runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Rbot-GKW is a worm with IRC backdoor functionality for the 
Windows platform.

W32/Rbot-GKW spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), WebDav 
(MS03-007) and ASN.1 (MS04-007) and by copying itself to network 
shares protected by weak passwords.

W32/Rbot-GKW runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-GKW copies itself to <System>\<filename>.exe 
where <filename> consists of 8 random letters.

The following registry entries are created to run <filename>.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinFix service
<filename>.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WinFix service
<filename>.exe

The following registry entry is set:

HKCU\Software\Microsoft\OLE
WinFix service
<filename>.exe





Name   W32/Grum-C

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
W32/Grum-C is a virus for the Windows platform.

Advanced
W32/Grum-C is a virus for the Windows platform.

When run W32/Grum-C copies itself to <Temp>\winlogon.exe and attempts 
to infect files that are referenced by Run keys.

Infected files are detected as W32/Grum-A.





Name   W32/Poebot-KN

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Poebot-KN is a worm for the Windows platform.

W32/Poebot-KN spreads through network shares protected by weak 
passwords and by exploiting common vulnerabilities.

Advanced
W32/Poebot-KN is a worm for the Windows platform.

W32/Poebot-KN spreads through network shares protected by weak 
passwords and by exploiting common vulnerabilities including:

LSASS (MS04-011)
SRVSVC (MS06-040)
RPC-DCOM (MS04-012)
WKS (MS03-049)
Dameware (CAN-2003-1030)
PNP (MS05-039)

W32/Poebot-KN runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Poebot-KN copies itself to <System>\spooIsv.exe.

The following registry entry is created to run spooIsv.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spooler SubSystem App
<System>\spooIsv.exe

 
--- MultiMail/Win32 v0.43
 * Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)