Text 198, 786 rader
Skriven 2007-07-28 16:32:00 av KURT WISMER
Ärende: News, July 27 2007
==========================
[cut-n-paste from sophos.com]
Name W32/Kik-A
Type
* Spyware Worm
How it spreads
* Email messages
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
Aliases
* IRC-Worm.Win32.Agent.a
Prevalence (1-5) 2
Description
W32/Kik-A is a worm and IRC backdoor Trojan for the Windows platform.
Advanced
W32/Kik-A is a worm and IRC backdoor Trojan for the Windows platform.
W32/Kik-A spreads via email.
W32/Kik-A runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/Kik-A includes functionality to:
- steal confidential information
- silently download, install and run new software, including updates
of its software
- send notification messages to remote locations
- inject its code into other processes
When first run W32/Kik-A copies itself to the Windows system folder as
printers.exe and drops a DLL to the Windows system folder with the
filename notiffy.dll.
The file notiffy.dll is registered as a COM object, creating registry
entries under:
HKCR\CLSID\{B37243A4-BF51-4604-B648-237A759F7845}
HKCR\CLSID\{9ED561ED-FFB1-4008-9643-D225082C82E0}
HKCR\CLSID\{61C00BEB-9641-4A13-9D1D-26ADD3EB2DEC}
HKCR\CLSID\{5ADE6B7F-BF6C-43DA-B29C-E3416FC6F919}
HKCR\CLSID\{0018E1CB-DC4C-49E3-B96E-E545D8C0DBE8}
The following registry entry is created to run code exported by
notiffy.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoa
d
printers
{61C00BEB-9641-4A13-9D1D-26ADD3EB2DEC}
Name Troj/Banloa-CW
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.VB.azz
* Win32/TrojanDownloader.VB.NHQ trojan
Prevalence (1-5) 2
Description
Troj/Banloa-CW is a Trojan downloader for the Windows platform.
Advanced
Troj/Banloa-CW is a Trojan downloader for the Windows platform.
Troj/Banloa-CW attempts to download files from remote websites to the
following locations:
<Windows>\kl.exe
<Windows>\klmsn.exe
Name W32/Sdbot-DGN
Type
* Worm
How it spreads
* Network shares
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Sdbot-DGN is a worm with backdoor functionality for the Windows
platform.
Advanced
W32/Sdbot-DGN is a worm with backdoor functionality for the Windows
platform.
When first run W32/Sdbot-DGN copies itself to \BTTray.exe and to
\KaZaA\My Shared Folder\.
W32/Sdbot-DGN runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/Sdbot-DGN spreads to other network computers by exploiting weak
password MSSQL server spread. The worm may also spreads via network
shares protected by weak passwords.
W32/Sdbot-DGN includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Sdbot-DGN is registered as a new system driver service named
"Windows Bluetooth Tray Application", with a display name of "Windows
Bluetooth Tray Application" and a startup type of automatic, so that it
is started automatically during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows Bluetooth Tray Application
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
W32/Sdbot-DGN sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe %WINDIR%\
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center
HKLM\SOFTWARE\Symantec\LiveUpdate Admin
W32/Sdbot-DGN attempts to disable the system file checker by modifying
sfc_os.dll or sfc.dll and setting the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
The modified sfc_os.dll or sfc.dll is detected as "Disabled System File
Check DLL".
W32/Sdbot-DGN replaces the following files with a program that does
nothing.
\ftp.exe
\tftp.exe
The original version of sfc_os.dll or sfc.dll is copied to \trash
The original version of ftp.exe may be copied to \Microsoft\backup.ftp.
The original version of tftp.exe may be copied to
\Microsoft\backup.tftp.
These files can also be restored from backups.
Name W32/OutLaw-B
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Virus.Win32.AutoRun.bd
* W32/Generic.worm.j
Prevalence (1-5) 2
Description
W32/OutLaw-B is a worm for the Windows platform.
Advanced
W32/OutLaw-B is a worm for the Windows platform.
W32/OutLaw-B spreads to other network computers.
When first run W32/OutLaw-B copies itself to:
<Root>\recycler\systems.com
<System>\taskmger.com
and creates the file <Root>\autorun.inf on all drives connected to the
computer.
The file <Root>\autorun.inf is detected as Mal/AutoInf-A.
The following registry entry is changed to run taskmger.com on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe taskmger.com
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskmgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Name Troj/SmlDl-Gen
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/SmlDl-Gen is a downloader Trojan for the Windows platform.
Name Troj/Agent-FZA
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Agent-FZA is a Trojan for the Windows platform.
Troj/Agent-FZA has functionality to communicate with a remote server
via HTTP.
Name W32/Agobot-AIX
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Agobot-AIX is a worm for the Windows platform with backdoor
functionality.
W32/Agobot-AIX spreads
- to computers vulnerable to common exploits, including: LSASS
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), ASN.1 (MS04-007),
RealVNC (CVE-2006-2369) and Symantec (SYM06-010)
- to network shares
Advanced
W32/Agobot-AIX is a worm for the Windows platform with backdoor
functionality.
W32/Agobot-AIX spreads
- to computers vulnerable to common exploits, including: LSASS
(MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012), ASN.1 (MS04-007),
RealVNC (CVE-2006-2369) and Symantec (SYM06-010)
- to network shares
W32/Agobot-AIX runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Agobot-AIX copies itself to <System>\winins.exe.
W32/Agobot-AIX attempts to modify the HOSTS file by appending the
following lines in order to prevent access to the websites listed:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads5.kaspersky-labs.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.kaspersky-labs.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
Name Troj/Banhost-C
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
Prevalence (1-5) 2
Description
Troj/Banhost-C is a Trojan for the Windows platform.
Advanced
Troj/Banhost-C is a Trojan for the Windows platform.
Troj/Banhost-C alters the following file:
<System>\drivers\etc\hosts
to redirect select banking related website requests to a fake banking
website.
Name Troj/Enclag-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
* Monitors system activity
Aliases
* Trojan.Win32.Agent.vk
* TROJ_AGENT.WFP
Prevalence (1-5) 2
Description
Troj/Enclag-A is a Trojan for the Windows platform.
Advanced
Troj/Enclag-A is a Trojan for the Windows platform.
When first run Troj/Enclag-A copies itself to C:\wsusupd.exe.
Troj/Enclag-A sets the following registry entry to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ShareSearcher
C:\wsusupd.exe
Troj/Enclag-A logs information about network connections and contents
to the file <System>\SFList.txt and periodically uploads it to a remote
site via FTP.
Troj/Enclag-A may set the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion
UID
HKLM\Software\Microsoft\Windows\CurrentVersion
LSpc
HKLM\Software\Microsoft\Windows\CurrentVersion
NVS
Name Troj/Dwara-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* not-virus:Hoax.Win32.Renos.dk
Prevalence (1-5) 2
Description
Troj/Dwara-A is a downloader Trojan for the Windows platform.
Name Troj/Laqma-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Agent.bsh
Prevalence (1-5) 2
Description
Troj/Laqma-A is a Trojan for the Windows platform.
Advanced
Troj/Laqma-A is a Trojan for the Windows platform.
When first run Troj/Laqma-A may copy itself to some of the following
locations:
<System>\qm<random characters>exe
<System>\lanmanwrk.exe
When first run Troj/Laqma-A also creates the following files:
<System>\iexchg.dll
<System>\lanmandrv.sys
<System>\qmopt.dll
<System>\<current filename>.jpg
The file lanmandrv.sys is also detected as Troj/Laqma-A, and is used to
provide stealthing for the Trojan. The other files may be safely deleted.
The file lanmandrv.sys is registered as a new system driver service
named "lanmandrv", with a display name of "lanmandrv". Registry entries
are created under:
HKLM\SYSTEM\CurrentControlSet\Services\lanmandrv
Troj/Laqma-A may attempt to delete the following registry in order to
prevent a file from running on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ZwQueryService
Name Troj/Agent-FZG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Agent-FZG is a Trojan for the Windows platform.
Advanced
Troj/Agent-FZG is a Trojan for the Windows platform.
When Troj/Agent-FZG is installed it creates the folowing files :
<System>\drivers\runtime.sys
<System>\drivers\secdrv.sys
The file runtime.sys is detected as Troj/NTRootK-BY. The file
secdrv.sys is detected as Troj/Agent-FVT. These files are used to
provide stealthing for the Trojan.
Name W32/Rubble-C
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Rubble-C is a worm for the Windows platform.
Advanced
W32/Rubble-C is a worm for the Windows platform.
The worm has the functionality to spread via removable storage devices.
When run, the worm copies itself to:
\WINDOWS.exe
<Windows>\.exe
<Windows>\ActiveX.exe
<Windows>\friska_w32.exe
<Windows>\win32.exe
<System>\csrss.exe
<System>\lsass.exe
<System>\smss.exe
<System>\svchost.exe
<System>\winlogon.exe
<System>\_default.pif
<System>\copy.pif
<System>\surif.bin
The worm creates the following files:
\baca euy.txt
<System>\Oeminfo.ini
These files can be safely removed.
The worm hides the folder <Windows> by setting the folder attribute to
hidden.
The following registry entries are created to run the worm on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
present
<Windows>\.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Raymond present
<Windows>\friska_w32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Administrator
<System>\winlogon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Default
<System>\_default.pif
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\ActiveX.exe
The following registry entries are changed to run win32.exe and
copy.pif on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\taskmgr.exe
Debugger
<Windows>\win32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\regedit.exe
Debugger
<Windows>\win32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\msconfig.exe
Debugger
<Windows>\win32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\cmd.exe
Debugger
<Windows>\win32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\copy.pif
(the default value for this registry entry is
"<Windows>\System32\userinit.exe,").
The following registry entry is set, disabling system restore:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFind
1
Name Troj/Dloadr-BCN
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Aliases
* Backdoor.Win32.VB.bck
Prevalence (1-5) 2
Description
Troj/Dloadr-BCN is a Trojan for the Windows platform.
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
|