Conference DIRTY_DOZEN, 201 messages
Message 28, 1412 lines
Written 2005-02-26 19:42:00 by KURT WISMER (1:123/140)
Subject: News, Feb. 26 2005
==========================
[cut-n-paste from sophos.com]

Name   W32/Poebot-I

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Poebot-I
    * BKDR_POEBOT.B

Prevalence (1-5) 2

Description
W32/Poebot-I is a worm that attempts to spread to remote network shares 
with weak passwords. W32/Poebot-I also contains backdoor functionality 
allowing unauthorised remote access to the infected computer via IRC 
channels.

Advanced
W32/Poebot-I is a worm that attempts to spread to remote network shares 
with weak passwords. W32/Poebot-I also contains backdoor functionality 
allowing unauthorised remote access to the infected computer via IRC 
channels.

When run, the worm copies itself to the System folder as winamp.exe and 
sets the following registry entry in order to run when a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Winamp Agent
<Windows system folder>\winamp.exe





Name   W32/Sdranck-B

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Sdranck-B is a multi-component network worm.

W32/Sdranck-B drops components detected by Sophos's anti-virus products 
as W32/Sdbot-Fam and Troj/Ranck-CC.

The dropped Sdbot component spreads W32/Sdranck-B to network shares with 
weak passwords and via network security exploits.

Advanced
W32/Sdranck-B is a multi-component network worm.

W32/Sdranck-B drops two files in the following locations:

C:\WINNT\SYSTEM32\ipazysud.exe
C:\WINNT\SYSTEM32\pinaduli.exe

W32/Sdranck-B then runs these files.

IPAZYSUD.EXE is a proxy Trojan detected as Troj/Ranck-CC. PINADULI.EXE 
is a member of the W32/Sdbot family of network worms.

The latter file attempts to spread W32/Sdranck-B to network shares with 
weak passwords and via network security exploits.





Name   W32/Kelvir-A

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * IM-Worm.Win32.Kelvir.a
    * W32/Kelvir.worm.a

Prevalence (1-5) 2

Description
W32/Kelvir-A is an instant messaging worm.

W32/Kelvir-A spreads by sending a message through Windows Messenger to 
all of an infected user's contacts. The message encourages the recipient 
to visit a web page to download an update and reads:

*** URGENT *** Download the latest patch from <URL> to prevent getting 
infected by W32.Bropia.C.

Advanced
W32/Kelvir-A is an instant messaging worm.

W32/Kelvir-A spreads by sending a message through Windows Messenger to 
all of an infected user's contacts. The message encourages the recipient 
to visit a web page to download an update and reads:

*** URGENT *** Download the latest patch from <URL> to prevent getting 
infected by W32.Bropia.C.

At the time of writing, this URL was unavailable.

W32/Kelvir-A will attempt to download a file named PATCH.EXE from a 
remote website. At the time of writing, this file was unavailable.





Name   W32/Sdbot-VN

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information
    * Downloads code from the internet

Prevalence (1-5) 2

Description
W32/Sdbot-VN is a network worm with backdoor Trojan functionality for 
the Windows platform.

The worm joins a predetermined IRC channel and awaits further commands 
from remote attackers.

The worm spreads through network shares protected by weak passwords.

Advanced
W32/Sdbot-VN is a network worm with backdoor Trojan functionality for 
the Windows platform.

When first run, W32/Sdbot-VN copies itself to the Windows system folder 
as msn16.exe and creates the following registry entries in order to run 
each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSN
msn16.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN
msn16.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN
msn16.exe

The worm joins a predetermined IRC channel and awaits further commands 
from remote attackers. The backdoor component can then be instructed to 
perform the following:

take part in distributed denial of service (DDoS) attacks
upload/download/execute arbitrary files
add/remove network shares
scan networks for vulnerabilities

The worm spreads through network shares protected by weak passwords.





Name   W32/Codbot-Gen

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Worms detected as W32/Codbot-Gen provide backdoor Trojan functionality 
to a remote attacker via IRC channels. Such worms may spread to remote 
network shares with weak passwords in response to a command from a 
remote attacker.

Members of the W32/Codbot family typically attempt to exploit 
vulnerabilities, such as the LSASS vulnerability (MS04-011).

Advanced
Worms detected as W32/Codbot-Gen provide backdoor Trojan functionality 
to a remote attacker via IRC channels. Such worms may spread to remote 
network shares with weak passwords in response to a command from a 
remote attacker.

Members of the W32/Codbot family may copy themselves to the Windows system 
folder and create entries in the following registry entries to run 
themselves when the user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

This backdoor functionality typically includes the ability to sniff 
packets, download further malicious code and steal passwords and other 
system information.

W32/Codbot worms may register themselves as service processes.

Members of the W32/Codbot family typically attempt to exploit 
vulnerabilities, such as the LSASS vulnerability (MS04-011).





Name   Troj/Dloader-IE

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Delf.ij

Prevalence (1-5) 2

Description
Troj/Dloader-IE is a downloader Trojan for the Windows platform.

Troj/Dloader-IE will download a file from a predefined URL. The 
downloaded file will be in the Windows folder as active_url.dll. The 
downloaded file is a configuration file used to tell the Trojan other 
files to download. The Trojan will also copy itself to the Windows 
system folder as msapp.exe.

Advanced
Troj/Dloader-IE is a downloader Trojan for the Windows platform.

Troj/Dloader-IE will download a file from a predefined URL. The 
downloaded file will be in the Windows folder as active_url.dll. The 
downloaded file is a configuration file used to tell the Trojan other 
files to download. The Trojan will also copy itself to the Windows 
system folder as msapp.exe.

Troj/Dloader-IE will create or modify the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
msnmsgs.exe
<Windows system folder>\msapp.exe





Name   W32/Agobot-QE

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Steals information
    * Downloads code from the internet

Prevalence (1-5) 2

Description
W32/Agobot-QE is a backdoor Trojan and worm which spreads to computers 
protected by weak passwords.

Each time the Trojan is run it attempts to connect to a remote IRC 
server and join a specific channel.

The Trojan then runs continuously in the background, allowing a remote 
intruder to access and control the computer via IRC channels.

Advanced
W32/Agobot-QE is a backdoor Trojan and worm which spreads to computers 
protected by weak passwords.

When first run, W32/Agobot-QE moves itself to the Windows system folder 
as Hnksvc32.exe and creates the following registry entries to run itself 
on logon or startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Hekio Startups
Hnksvc32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Hekio Startups
Hnksvc32.exe

Each time the Trojan is run it attempts to connect to a remote IRC 
server and join a specific channel.

The Trojan then runs continuously in the background, allowing a remote 
intruder to access and control the computer via IRC channels.

The Trojan attempts to terminate and disable various anti-virus and 
security-related programs and modifies the HOSTS file located at 
<Windows>\System32\Drivers\etc\HOSTS, mapping selected anti-virus 
websites to the loopback address 127.0.0.1 in an attempt to prevent 
access to these sites.

127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 sophos.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 networkassociates.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.nai.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.ca.com
127.0.0.1 www.my-etrust.com





Name   W32/MyDoom-BD

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer
    * Drops more malware
    * Forges the sender's email address

Aliases  
    * Email-Worm.Win32.Mydoom.am
    * W32/Mydoom.bd@MM
    * WORM_MYDOOM.BD

Prevalence (1-5) 2

Description
W32/MyDoom-BD is an email worm for the Windows platform.

Advanced
W32/MyDoom-BD is an email worm. When first run, the worm copies itself 
to either the Windows or Temp folders as java.exe, and adds one of the 
following registry entries to ensure that the copy is run each time 
Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM

W32/MyDoom-BD also creates a file named services.exe in the Windows or 
Temp folder and runs the file. Services.exe is a backdoor component 
detected by Sophos as W32/MyDoom-O.

W32/MyDoom-BD searches the hard disk for email addresses. The worm searches 
files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB 
and DBX and the Windows address book. In addition the worm may use an 
internet search engine to find more email addresses. The worm will send 
a query to the search engine using domain names from email addresses 
found on the hard disk and then examine the query results, searching for 
more addresses. The internet search engines used by W32/MyDoom-BD and 
the percentage chance that each is used are:

www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)

When choosing addresses to send itself to W32/MyDoom-BD will avoid 
addresses which contain any of the following strings:

mailer-d
spam
abuse
master
sample
accoun
privacycertific
bugs
listserv
submit
ntivi
support
admin
page
the.bat
gold-certs
ca
feste
not
help
foo
no
soft
site
rating
me
you
your
someone
anyone
nothing
nobody
noone
info
winrar
winzip
rarsoft
sf.net
sourceforge
ripe.
arin.
google
gnu.
gmail
seclist
secur
bar.
foo.com
trend
update
uslis
domain
example
sophos
yahoo
spersk
panda
hotmail
msn.
msdn.
microsoft
sarc.
syma
avp

The email sent by the worm has a spoofed sender.

The subject line may be blank or one of the following:

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

The message text of the email is constructed from a set of optional 
strings within the worm. The message sent is blank or similar to one of 
the following messages:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.

The message could not be delivered

The original message was included as attachment

The original message was received at <time> from <address>
----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
<<< MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND

The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within <number> days:
Mail server <hostname> is not responding.
The following recipients did not receive this message:
<address>
Please reply to postmaster@<domain>
if you feel this message to be in error.

The attached file may be named similarly to the recipient's username or 
domain or using one of the following names:

readme
instruction
transcript
mail
letter
file
text
attachment
document
message

with an optional extension of DOC, TXT, HTM, HTML and a final extension 
of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a zip 
file containing a file named as described.





Name   W32/Sdranck-A

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Aliases  
    * Trojan-Proxy.Win32.Ranky.bc
    * INFECTED
    * W32/Sdbot.worm.gen

Prevalence (1-5) 2

Description
W32/Sdranck-A is a multi-component network worm that uses a member of 
the W32/Sdbot family to spread. W32/Sdranck-A also drops a member of the 
Troj/Ranck family of proxy Trojans.

Advanced
W32/Sdranck-A is a multi-component network worm.

W32/Sdranck-A drops two files to the winnt\system32 folder, DAQUWU32.EXE 
and G58S2A1.EXE. DAQUWU32.EXE is a member of the Troj/Ranck family of 
proxy Trojans and G58S2A1.EXE is a member of the W32/Sdbot family of 
network worms, and it is this latter file that spreads W32/Sdranck-A to 
network shares with weak passwords and via network security exploits.





Name   W32/Domwis-G

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information

Aliases  
    * Backdoor.Win32.Wisdoor.k

Prevalence (1-5) 2

Description
W32/Domwis-G is a network worm with backdoor functionality for the 
Windows platform that allows a malicious user remote access to an 
infected computer.

W32/Domwis-G can delete, download and execute remote files on the 
infected computer. The backdoor component can be used to send files to 
other IRC users.

The backdoor component can be used to flood other computers with 
internet traffic. To evade detection, the worm can spoof the IP address 
of the infected computer.

The backdoor component of W32/Domwis-G can steal system information, log 
keystrokes, create screen and webcam captures and send them to a remote 
user.

The backdoor component can also be used to scan other computers for open 
ports and for vulnerabilities in web and database servers.

Advanced
W32/Domwis-G is a network worm with backdoor functionality for the 
Windows platform that allows a malicious user remote access to an 
infected computer.

When first run, the worm copies itself to the Windows folder as a hidden 
file named SYSCFG16.EXE.

In order to run automatically each time Windows is started the worm sets 
the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows System Configuration
<Windows system folder>\SYSCFG16.EXE

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows DLL Loader
<Windows system folder>\SYSCFG16.EXE

W32/Domwis-G can delete, download and execute remote files on the 
infected computer. The backdoor component can be used to send files to 
other IRC users.

The backdoor component can be used to flood other computers with 
internet traffic. To evade detection, the worm can spoof the IP address 
of the infected computer.

The backdoor component of W32/Domwis-G can steal system information, log 
keystrokes, create screen and webcam captures and send them to a remote 
user.

The backdoor component can also be used to scan other computers for open 
ports and for vulnerabilities in web and database servers.





Name   W32/Sdbot-VL

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Sdbot-VL is a worm with backdoor functionality.

W32/Sdbot-VL may spread to remote network shares with weak passwords.

W32/Sdbot-VL connects to a predetermined IRC channel and runs in the 
background listening for backdoor commands.

W32/Sdbot-VL contains functionality to participate in denial of service 
attacks and download and run further code.

W32/Sdbot-VL may spread as an archive file that also drops the proxy 
Trojan Troj/Ranck-CC.

Advanced

W32/Sdbot-VL is a worm with backdoor functionality.

W32/Sdbot-VL may spread to remote network shares with weak passwords.

W32/Sdbot-VL connects to a predetermined IRC channel and runs in the 
background listening for backdoor commands.

W32/Sdbot-VL contains functionality to participate in denial of service 
attacks and download and run further code.

W32/Sdbot-VL may spread as an archive file KERENEBO.EXE, which also 
drops the proxy Trojan Troj/Ranck-CC.

W32/Sdbot-VL copies itself to the Windows system folder as UWANAH.EXE 
and creates the following registry entries in order to run itself on 
system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
uwanah
uwanah.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
uwanah
uwanah.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
uwanah
uwanah.exe





Name   W32/Bropia-P

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Leaves non-infected files on computer

Aliases  
    * WORM_BROPIA.S
    * W32/Bropia.worm.q

Prevalence (1-5) 2

Description
W32/Bropia-P is a worm for the Windows platform.

The worm monitors the status of MSN Messenger and sends a copy of itself 
to Messenger contacts.

W32/Bropia-P drops a file to the Windows system folder named winis.exe 
which is detected by Sophos's anti-virus products as W32/Rbot-WI.

Advanced
W32/Bropia-P is a worm for the Windows platform.

When first run, the W32/Bropia-P worm displays a pornographic image of a 
young woman. The image appears to be of the same woman as displayed by 
the W32/Bropia-O worm. The worm can also copy itself to the root folder 
as exe.exe.

The image displayed by the W32/Bropia-P worm.

The worm monitors the status of MSN Messenger and sends a copy of itself 
to Messenger contacts.

W32/Bropia-P will also set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\ControlSet001\Control\Lsa
restrictanonymous
1

W32/Bropia-P drops a file to the Windows system folder named winis.exe 
which is detected by Sophos's anti-virus products as W32/Rbot-WI.





Name   W32/MyDoom-BE

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet

Prevalence (1-5) 2

Description
W32/MyDoom-BE is a mass-mailing worm.

W32/MyDoom-BE also creates a file named services.exe in the Windows or 
Temp folder and runs the file. Services.exe is detected by Sophos as 
W32/MyDoom-O.

W32/MyDoom-BE searches the local Windows Address Book, temporary 
internet files and all fixed disks for email addresses. In addition the 
worm may use the internet search engines to find more email addresses.

W32/MyDoom-BE also attempts to download and run files from several 
websites.

Advanced
W32/MyDoom-BE is a mass-mailing worm.

When first run, the worm copies itself to either the Windows or Temp 
folder as java.exe, and adds one of the following registry entries to 
ensure that the copy is run each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM

W32/MyDoom-BE also creates a file named services.exe in the Windows or 
Temp folder and runs the file. Services.exe is detected by Sophos as 
W32/MyDoom-O.

W32/MyDoom-BE searches the local Windows Address Book, temporary 
internet files and all fixed disks for email addresses. In addition the 
worm may use the following internet search engines to find more email 
addresses.

www.google.com
search.lycos.com
search.yahoo.com
www.altavista.com

When choosing addresses to send itself to W32/MyDoom-BE will avoid 
addresses which contain any of the following strings:

abuse
accoun
admin
anyone
arin.
avp
bar.
bugs
ca
domain
example
feste
foo
foo.com
gmail
gnu.
gold-certs
google
help
hotmail
info
listserv
mailer-d
master
me
microsoft
msdn.
msn.
no
nobody
noone
not
nothing
ntivi
page
panda
privacycertific
rarsoft
rating
ripe.
sample
sarc.
seclist
secur
sf.net
site
soft
someone
sophos
sourceforge
spam
spersk
submit
support
syma
the.bat
trend
update
uslis
winrar
winzip
yahoo
you
your

The email sent by the worm has a spoofed sender.

Subject line may be blank or one of the following:

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

Message text of the email is constructed from a set of optional strings 
within the worm. The message sent is blank or similar to one of the 
following messages:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that We 
have detected that your e-mail account has been used to send a large 
amount of unsolicited e-mail messages during this recent week. We 
suspect that your computer had been compromised by a recent virus and 
now runs a trojan proxy server.
Please follow our instructions in the attachment file in order to keep 
your computer safe.
Virtually yours
<domain> user support team.

The message could not be delivered

The original message was included as attachment

The original message was received at <time> from <address>
----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
>>> MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND

The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not 
reachable within the allowed queue period. The amount of time a message 
is queued before it is returned depends on local configura-tion 
parameters.
Most likely there is a network problem that prevented delivery, but it 
is also possible that the computer is turned off, or does not have a 
mail system running right now.
Your message was not delivered within <number> days:
Mail server is not responding. The following recipients did not receive 
this message:
<address>
Please reply to postmaster@<domain>
if you feel this message to be in error.

Attached file may be named similarly to the recipient's username or 
domain or using one of the following names:

attachment
document
file
instruction
letter
mail
message
readme
text
transcript

with an optional extension of DOC, TXT, HTM, HTML followed by a number 
of spaces and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The 
attached file may also be a zip file containing a file named as 
described.

W32/MyDoom-BE also attempts to download and run files from several 
websites.





Name   W32/Forbot-EG

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.PdPinch.gen

Prevalence (1-5) 2

Description
W32/Forbot-EG is a network worm which also contains IRC backdoor Trojan 
functionality, allowing unauthorised remote access to the infected 
computer.

Advanced
W32/Forbot-EG is a worm which attempts to spread to remote network 
shares. It also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels 
while running in the background as a service process.

W32/Forbot-EG copies itself to the Windows system folder as SNAPPLE.EXE 
and attempts to create a service with a Service Name and Display Name of 
"snapple" set to run the copy on system startup.

W32/Forbot-EG also sets the following registry entries so as to run 
itself on system startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
snapple =
"snapple.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
snapple =
"snapple.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
snapple =
"snapple.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
snapple =
"snapple.exe"

W32/Forbot-EG spreads to network shares with weak passwords and via 
network security exploits as a result of the backdoor Trojan element 
receiving the appropriate command from a remote user.

W32/Forbot-EG may attempt to set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Forbot-EG may attempt to delete network shares on the host computer.





Name   W32/Sober-K

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Uses its own emailing engine
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Email-Worm.VBS.Sober.k
    * W32/Sober.M@mm
    * WORM_SOBER.GEN

Prevalence (1-5) 2

Description
W32/Sober-K is a mass-mailing worm which sends itself to addresses 
harvested from the infected computer.

When first run, W32/Sober-K will open Notepad and display a body of text 
that starts:

Text#674327:
------------
--------------------- %WinZip CodeText Modul% is missing ------------------

W32/Sober-K will arrive by email as a ZIP attachment containing an 
executable file with a double extension. For example, 
doc_data-text.txt<SPACES>.pif

Subject lines include the following:

You visit illegal websites
Ihr Passwort wurde geaendert

Message body texts include the following:

Dear Sir/Madam,

we have logged your IP-address on more than 40 illegal Websites.

Important: Please answer our questions!
The list of questions are attached.

Yours faithfully,
M. John Stellford

--
## Diese E-Mail wurde automatisch generiert
## Aus Gruenden der Sicherheit, bekommen Sie diese E-Mail
## wenn Ihr aktuelles Benutzer- Passwort veraendert wurde

Ihr neues Passwort und weiter Informationen befinden sich im 
beigefuegten Dokument.

Advanced
W32/Sober-K is a mass-mailing worm which sends itself to addresses 
harvested from the infected computer.

When first run, W32/Sober-K will open Notepad and display a body of text 
that starts:

Text#674327:
------------
--------------------- %WinZip CodeText Modul% is missing ------------------

W32/Sober-K will copy itself to a folder named %WINDOWS%\MSAGENT\WIN32 
with the filenames CSRSS.EXE, SMSS.EXE and WINLOGON.EXE. In order to run
automatically each time a user logs on, W32/Sober-K will continually set
the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winsystem.sys
%WINDOWS%\msagent\win32\smss.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
_winsystem.sys
%WINDOWS%\msagent\win32\smss.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
winsystem.sys
%WINDOWS%\msagent\win32\smss.exe %1
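Both W32/Forbot-EG and W32/Sober-K persist through the Run, RunOnce and RunServices keys listed above. The script below is an added example (not part of the advisory and not vendor code) showing how a responder can audit those keys from a regedit 5.00 export: it parses the export, keeps only string values under autorun keys, and flags an entry when its name or data matches an indicator quoted in the advisory (snapple / snapple.exe, winsystem.sys / _winsystem.sys, msagent\win32) or when the data is a bare file name with no directory, as Forbot-EG's "snapple.exe" is. The SAMPLE_REG text is constructed for this example; a real export is UTF-16 and would be read with open(path, encoding="utf-16").

```python
import re

# Autorun keys named in the advisory, compared as lower-case suffixes of the
# exported key path.
AUTORUN_KEY_SUFFIXES = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")

# Indicators taken from the advisory text for W32/Forbot-EG (snapple) and
# W32/Sober-K (winsystem.sys, %WINDOWS%\msagent\win32).
IOC_VALUE_NAMES = {"snapple", "winsystem.sys", "_winsystem.sys"}
IOC_DATA_FRAGMENTS = ("snapple.exe", "msagent\\win32\\")

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data   (the name may contain \" and \\ escapes)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo regedit's backslash escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for REG_SZ values only.
    dword:/hex: values are skipped because autorun entries are strings."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not (m and current):
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            entries[current][name] = _unescape(data[1:-1])
    return entries


def _program_path(data):
    """First token of a command line: a quoted path, or text up to the first space."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def audit_autoruns(text):
    """Flag autorun values that match the advisory's indicators or that name a
    program without any directory (resolved through the search path)."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(AUTORUN_KEY_SUFFIXES):
            continue
        for name, data in values.items():
            reasons = []
            lowered = data.lower()
            if name.lower() in IOC_VALUE_NAMES or any(f in lowered for f in IOC_DATA_FRAGMENTS):
                reasons.append("ioc-match")
            path = _program_path(data)
            if "\\" not in path and "/" not in path:
                reasons.append("bare-filename")
            if reasons:
                findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


# Constructed sample export for this example (not a real system's registry).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"_winsystem.sys"="C:\\WINDOWS\\msagent\\win32\\smss.exe"
"snapple"="snapple.exe"
"VendorAgent"="C:\\Program Files\\Vendor\\agent.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"winsystem.sys"="C:\\WINDOWS\\msagent\\win32\\smss.exe %1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sync"="\"C:\\Program Files\\Sync\\sync.exe\" /background"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''

if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_REG):
        print(f"{','.join(f['reasons']):25s} {f['key']}\\{f['name']} = {f['data']}")
```

The bare-filename rule is deliberately broad: legitimate entries occasionally use it too, so treat it as a triage prompt, while an ioc-match on the value names above is a direct hit on the indicators quoted in this advisory.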

W32/Sober-K also creates the following files:

%WINDOWS%\msagent\win32\datamx<number>.dat
%WINDOWS%\msagent\win32\zipedso<number>.ber
%WINDOWS%\msagent\win32\GoTo<number>.dat
%WINDOWS%\msagent\win32\runnowso.ber
%SYSTEM%\read.me
%SYSTEM%\nonrunso.ber
%SYSTEM%\stopruns.zhz

The READ.ME file contains the following text:

Ist eine weitere Test-Version. Läuft nur ein paar Tage!

In diesem Sinne:
Odin alias Anon

W32/Sober-K will attempt to terminate processes containing the following 
strings:

gcas, gcip, giantanti, msssrt

W32/Sober-K harvests email addresses from files with the following 
strings in their filenames:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl 
dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg mdw mbx mdx mda adp 
nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh 
tbb abx abd adb pl rtf mmf doc ods nch xls nsf txt wab eml hlp mht nfo 
php asp shtml dbx aero com coop edu gov museum name int net org pro info

Emails will have the following characteristics:

Subject Lines include the following:

You visit illegal websites
Your new Password
Mail_delivery_failed
Paris Hilton, pure!
Alert! New Sober Worm!
Ihr Passwort wurde geaendert
Ihr neues Passwort
EMail-Empfang fehlgeschlagen
Paris Hilton Nackt!
Paris Hilton SexVideos
Seitensprung gesucht?
Vorsicht! Neuer Sober Wurm!

Message body texts include the following:

Dear Sir/Madam,

we have logged your IP-address on more than 40 illegal Websites.

Important: Please answer our questions!
The list of questions are attached.

Yours faithfully,
M. John Stellford

--
More than 50 <WORD> Hilton Videos
More than 3000 Hilton picks

FREE Download until April, 2005

Make your own Download Account, it's free!
Further details are attached

Thanks & have fun ;)

--
Antivirus vendors are warning of a new variant of the <WORD> Sober virus 
discovered today that can delete the hard disk.

Download and read the zipped patch. It's very easy to install!
Thanks for your cooperation!

--
## Diese E-Mail wurde automatisch generiert
## Aus Gruenden der Sicherheit, bekommen Sie diese E-Mail
## wenn Ihr aktuelles Benutzer- Passwort veraendert wurde

Ihr neues Passwort und weiter Informationen befinden sich im 
beigefuegten Dokument.

--
- System Mail -

Diese an ihnen gerichtete E-Mail, wurde in einem falschen Format 
gesendet.
Der Betreff, Header und Text dieser Mail, wurde deshalb separat in einer 
Text-Datei gespeichert und gezippt.

Vielen Dank fuer Ihr Verstaendnis[System auto- mail]

--
Hallo,

wir hoffen das Ihnen die Betreffszeile unsere Mail genug sagt.
Der Jugendschutz verbietet uns leider mehr Auskunft ueber unser Angebot 
zu geben.

Informationen,,,, wie Sie sich bei uns anmelden koennen befinden sich im 
beigefuegten Dokument. Natuerlich ist die Anmeldung Kostenlos!

Mehr als 2.5 Millionen registrierte Benutzer!!!
Da ist fuer jeden was dabei!

Auf Wiedersehen

--
Vielen Dank, dass Sie sich bei <NAME> registriert haben.

Der Betrag von ,- Euro ist erfolgreich auf unserem Konto eingegangen.

Passwort, Benutzername und weitere wichtige Informationen zu ihrem neuen 
Account befinden sich im angehefteten Dokument.

Hochachtungsvoll
Silvia Hochberger

--
Guten Tag,

mehr als 50 Videos,
Mehr als 1000 heisse Fotos
und mehr als 300 original Sounds von der kleinen Hilton ........ .

Alles frei zum Download, aber nur bis zum 01 April 2005 !!!

Weitere Details entnehmen Sie bitte dem vorliegendem Dokument.

Vielen Dank!

--
Wichtige Information!

Eine neue Sober-Variante verbreitet sich derzeit im Internet.
Wie seine Vorgaenger verschickt sich der Wurm von infizierten 
Windows-Rechnern per E-Mail an weitere Adressen.

Es wird deshalb empfohlen, das Patch-Tool auszufuehren um sich vor 
diesem Wurm zu schuetzen bzw. diesen wieder zu entfernen.

The attached file will have a ZIP extension and includes the following:

Formular.zip
zipped-mail.zip
<DOMAIN>PSW-Text.zip
zipped-text.zip
Register-Info.zip
Tool.zip
text.zip
register.zip
help-text.zip
indictment_cit<NUMBER>.zip

The ZIP file will contain an executable file with a double extension. 
For example, doc_data-text.txt<SPACES>.pif
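The attachment shape described here, and for W32/MyDoom-BE at the top of this message (an optional DOC/TXT/HTM/HTML extension, a run of spaces, then an EXE/COM/BAT/CMD/SCR/PIF extension, either directly or inside a ZIP), can be checked at a mail gateway without any signature. The following is an added example, not vendor code: it walks the MIME parts of a raw message, classifies each attachment name, and opens ZIP attachments to classify their member names as well. The sample message built by build_sample_eml() is constructed for this example (invalid addresses, placeholder file contents).

```python
import base64
import io
import re
import zipfile
from email import message_from_bytes

# Extension sets taken from the advisory text: an optional document-style
# extension, a run of padding spaces, then the real executable extension.
DOC_EXT = ("doc", "txt", "htm", "html")
EXEC_EXT = ("exe", "com", "bat", "cmd", "scr", "pif")

PADDED_NAME_RE = re.compile(
    r"^(?P<stem>[^\s.][^\s]*?)"
    r"(?:\.(?P<docext>" + "|".join(DOC_EXT) + r"))?"
    r"(?P<pad>\s+)"
    r"\.(?P<exeext>" + "|".join(EXEC_EXT) + r")$",
    re.IGNORECASE,
)


def classify_name(name):
    """Classify an attachment or archive member name.

    'padded-double-extension' is the lure shape from the advisory
    (e.g. doc_data-text.txt<SPACES>.pif); 'executable' is any other name
    ending in one of the executable extensions; None means nothing of note."""
    if PADDED_NAME_RE.match(name):
        return "padded-double-extension"
    if name.lower().rsplit(".", 1)[-1] in EXEC_EXT:
        return "executable"
    return None


def suspicious_attachments(raw_eml):
    """Walk a raw RFC 822 message and return (name, verdict) pairs for
    attachments whose names, or whose ZIP members' names, match the lure.
    Nested archives are not opened."""
    findings = []
    for part in message_from_bytes(raw_eml).walk():
        name = part.get_filename()
        if not name:
            continue
        verdict = classify_name(name)
        if verdict:
            findings.append((name, verdict))
        if name.lower().endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        inner = classify_name(member.rsplit("/", 1)[-1])
                        if inner:
                            findings.append((f"{name}!{member}", inner))
            except zipfile.BadZipFile:
                findings.append((name, "unreadable-zip"))
    return findings


def build_sample_eml():
    """Construct a test message in the shape the advisory describes.
    Every address, subject and file name here is made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc_data-text.txt" + " " * 30 + ".pif", b"MZ-placeholder")
    zip_b64 = base64.encodebytes(buf.getvalue()).decode("ascii")
    direct_name = "readme.htm" + " " * 12 + ".scr"
    return (
        "From: Postmaster@example.invalid\r\n"
        "To: someone@example.invalid\r\n"
        "Subject: Your new Password\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n--b1\r\n"
        "Content-Type: text/plain\r\n\r\n"
        "Further details are attached\r\n"
        "--b1\r\n"
        "Content-Type: application/zip\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="zipped-text.zip"\r\n'
        f"\r\n{zip_b64}\r\n"
        "--b1\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{direct_name}"\r\n'
        "\r\nTVo=\r\n"
        "--b1--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for name, verdict in suspicious_attachments(build_sample_eml()):
        print(f"{verdict:25s} {name!r}")
```

The padding check matters because the spaces are what pushes the real extension out of view in a mail client's attachment list; a plain "name.txt.pif" without padding would still be caught by the executable rule, and a ZIP that does not parse is reported rather than silently passed.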

The From address line will be faked, but will start with one of the 
following:

Service, Webmaster, Register, Hostmaster, Postmaster, police, Officer, 
Admin, Web, FBI, Security

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)