Conference DIRTY_DOZEN, 201 texts
Text 7, 1418 lines
Written 2004-10-24 23:50:00 by KURT WISMER (1:123/140)
Subject: News, Oct. 24 2004
==========================
[cut-n-paste from sophos.com]

Name   W32/Forbot-BW

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Deletes files off the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * WORM_WOOTBOT.BM

Prevalence (1-5) 2

Description
W32/Forbot-BW is a network worm with backdoor Trojan functionality.

The worm runs continuously in the background providing backdoor access 
to the infected computer.

W32/Forbot-BW spreads by exploiting the LSASS (MS04-011) software 
vulnerability. The worm may also spread through backdoors left open by 
other malware.

Advanced
W32/Forbot-BW is a network worm with backdoor Trojan functionality.

W32/Forbot-BW spreads by exploiting the LSASS (MS04-011) software 
vulnerability. The worm may also spread through backdoors left open by 
other malware.

When first run, W32/Forbot-BW copies itself to the Windows System folder 
as PKSVC.EXE. In order to run automatically each time Windows is started, 
W32/Forbot-BW sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
PK Services = pksvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
PK Services = pksvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
PK Services = pksvc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
PK Services = pksvc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
PK Services = pksvc.exe

W32/Forbot-BW creates a service named "farm" with the display name of 
"PK Services".

The worm runs continuously in the background providing backdoor access 
to the infected computer through IRC channels.

The backdoor component of W32/Forbot-BW can be used to:

start an FTP and HTTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
upload, download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDOS) attacks.
flush the DNS cache.
logoff, reboot and shut down the computer.

W32/Forbot-BW may delete the ADMIN$, IPC$, C$ and D$ network shares.

W32/Forbot-BW is capable of stealing product keys from the following 
games and applications:

Unreal Tournament 2003
Unreal Tournament 2004
The Gladiators
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
Shogun: Total War: Warlord Edition
Rainbow Six III RavenShield
Neverwinter Nights
Need For Speed Hot Pursuit 2
Need For Speed: Underground
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
James Bond 007: Nightfire
Industry Giant 2
IGI 2: Covert Strike
Hidden & Dangerous 2
Half-Life
Gunman Chronicles
Global Operations
Freedom Force
FIFA 2002
FIFA 2003
Counter-Strike
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert 2
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Generals
Black and White
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Yahoo Pager
AOL Instant Messenger
Call of Duty
Microsoft Messenger Service
Microsoft Windows Product ID

W32/Forbot-BW may alter the following registry entry in order to 
enable/disable DCOM:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM

W32/Forbot-BW will attempt to disable other malware, such as members of 
the W32/Bagle family.





Name   W32/Bagz-D

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet

Aliases  
    * I-Worm.Bagz.d

Prevalence (1-5) 3

Description
W32/Bagz-D is a mass-mailing network worm that also contains a backdoor 
which allows an intruder to download and install further components.

W32/Bagz-D will attempt to harvest email addresses from TXT, HTM, DBX, 
TBI and TBB files, which it will use for both the to and from addresses 
of emails that it sends.

The worm will also attempt to terminate anti-virus software.

Advanced
W32/Bagz-D is a mass-mailing network worm that also contains a backdoor 
which allows an intruder to download and install further components.

W32/Bagz-D will attempt to harvest email addresses from TXT, HTM, DBX, 
TBI and TBB files, which it will use for both the to and from addresses 
of emails that it sends.

The sent email will have the following characteristics:

Subject line:

ASAP
please responce
Read this
urgent
toxic
contract
Money
office
Have a nice day
Hello
Russian's
Amirecans
attachments
attach
waiting
best regards
Administrator
Warning
text
Vasia
re: Andrey
re: please
re: order
Allert!

Attachment (ZIP format):

backup.zip
admin.zip
archivator.zip
about.zip
readme.zip
help.zip
photos.zip
payment.zip
archives.zip
manual.zip
inbox.zip
outbox.zip
save.zip
rar.zip
zip.zip
ataches.zip
documentation.zip
docs.zip

Attachment (EXE format):

backup.doc (spaces) .exe
admin.doc (spaces) .exe
archivator.doc (spaces) .exe
about.doc (spaces) .exe
readme.doc (spaces) .exe
help.doc (spaces) .exe
photos.doc (spaces) .exe
payment.doc (spaces) .exe
archives.doc (spaces) .exe
manual.doc (spaces) .exe
inbox.doc (spaces) .exe
outbox.doc (spaces) .exe
save.doc (spaces) .exe
rar.doc (spaces) .exe
zip.doc (spaces) .exe
ataches.doc (spaces) .exe
documentation.doc (spaces) .exe
docs.doc (spaces) .exe
sysboot.doc (spaces) .exe

W32/Bagz-D will keep a copy of the files that it sends in the Windows 
system32 folder. The worm also drops the following components into that 
folder:

run32.exe (Detected as component of W32/Bagz-C)
rpc32.exe
ipdb.dll
wdate.dll
jobdb.dll

W32/Bagz-D will also modify the %system32%/drivers/etc/hosts file in 
order to prevent access to major virus vendors websites.

The worm will install itself as a service called RPC32.





Name   JS/Scob-A

Type  
    * Trojan

Aliases  
    * JS/Exploit-DialogArg.b
    * Trojan.JS.Scob.a

Prevalence (1-5) 2

Description
JS/Scob-A is a JavaScript Trojan that is reported to be appended to HTML 
files on IIS machines.

JS/Scob-A downloads a file from a Russian website, this website is no 
longer accessible.





Name   W32/Baba-A

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * W32/Netsky-AE
    * I-Worm.Baba.b
    * W32/Netsky.ai@MM
    * W32/Buchon@mm

Prevalence (1-5) 2

Description
W32/Baba-A is a mass-mailing worm.

Advanced
W32/Baba-A is a mass-mailing worm.

When run the worm attempts to create a helper component csrss.exe in the 
C:\ folder and executes it. The helper component then creates the 
following registry entry so as to auto-start on user logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Key Logger = c:\csrss.exe

W32/Baba-A will attempt to harvest email addresses from files on the 
infected computer with the following extensions:

DBX WAB MBX EML MDB TBB NBOX DAT

Sent emails are composed as HTML and take the following form:

Subject:

Mail Delivery failure -

Mail body:

If the message will not displayed automatically,
you can check original in attached message.txt

Failed message also saved at:
www.<host>/inbox/security/read.asp?sessionid-<random number>
(check attached instructions)

+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com

W32/Baba-A contains the text "SoonChunHyang" and "Bucheon".





Name   W32/Rbot-NJ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes

Aliases  
    * Backdoor.Win32.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-NJ is a network worm which contains IRC backdoor Trojan 
functionality, allowing unauthorised remote access to the infected 
computer.

Advanced
W32/Rbot-NJ is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-NJ spreads to network shares with weak passwords and via 
network security exploits as a result of the backdoor Trojan element 
receiving the appropriate command from a remote user.

W32/Rbot-NJ copies itself to the Windows system folder as LOGON.EXE and 
creates entries at the following locations in the registry with the 
value "update run msword" so as to run itself on system startup, 
resetting them every minute:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-NJ sets the following registry entries every 2 minutes:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-NJ attempts to delete network shares on the host computer every 
2 minutes.

W32/Rbot-NJ may attempt to log keystrokes to the file REGSNS.TXT in the 
Windows system folder.

W32/Rbot-NJ attempts to terminate processes related to the following 
files:

regedit.exe
msconfig.exe
netstat.exe
msblast.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
wincfg32.exetaskmon.exe [sic]
PandaAVEngine.exe
sysinfo.exe
mscvb32.exe
MSBLAST.exe
teekids.exe
Penis32.exe
bbeagle.exe
SysMonXP.exe
winupd.exe
winsys.exe
ssate.exe
rate.exe
d3dupdate.exe
irun4.exe
i11r54n4.exe





Name   Troj/Banker-EK

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information

Aliases  
    * PWS-Bancban.gen.b

Prevalence (1-5) 2

Description
Troj/Banker-EK is an information stealing Trojan.

Advanced
Troj/Banker-EK is an information stealing Trojan. The Trojan monitors 
the user's internet activity and records login details for the website 
www2.bancobrasil.com.br.

The login information is then emailed to an email address in Brazil.





Name   OF97/Toraja-I

Type  
    * Virus

Aliases  
    * O97M.Toraja.Gen
    * X97M/Toraja
    * O97M_TORAJA.I

Prevalence (1-5) 2

Description
OF97/Toraja-I is a macro virus for the Microsoft Office 97 platform.
It will create an infected document in the following location to ensure 
it is run when Excel starts.

C:\Program Files\Microsoft Office\Office\Xlstart\start25.xls





Name   W32/Rbot-NG

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Win32.Rbot.gen
    * W32/Sdbot.worm.gen.i
    * WORM_RBOT.RW

Prevalence (1-5) 2

Description
W32/Rbot-NG is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

Advanced
W32/Rbot-NG is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-NG spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate commands from a 
remote user.

W32/Rbot-NG copies itself to the Windows System32 folder as NETSIS.EXE 
and creates entries in the registry at the following locations to run 
itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Networks Controler = Netsis.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Networks Controler = Netsis.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Networks Controler = Netsis.exe





Name   W32/Forbot-BR

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Deletes files off the computer
    * Steals information
    * Reduces system security

Prevalence (1-5) 2

Description
W32/Forbot-BR is a network worm and IRC backdoor Trojan for the Windows 
platform.

Advanced
W32/Forbot-BR is a network worm and IRC backdoor Trojan for the Windows 
platform.

When first run, W32/Forbot-BR copies itself to the Windows system folder 
with the filename windows.exe.

In order to run on system start, the worm creates the following registry 
entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
NDIS Adapter = windows.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
NDIS Adapter = windows.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
NDIS Adapter = windows.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
NDIS Adapter = windows.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
NDIS Adapter = windows.exe

The backdoor component connects to an IRC channel and awaits commands 
from a remote user. The Trojan can then be instructed to:

take part in DDoS attacks
steal product registration information
scan other machines for vulnerabilities
harvest information from files on the hard disk
act as a server (FTP, HTTP, SOCKS4)





Name   W32/Forbot-BQ

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Deletes files off the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security

Aliases  
    * Backdoor.Win32.Wootbot.gen

Prevalence (1-5) 2

Description
W32/Forbot-BQ is a network worm with backdoor Trojan functionality.

The worm runs continuously in the background providing backdoor access 
to the infected computer.

W32/Forbot-BQ spreads through network shares and by exploiting the LSASS 
(MS04-011) software vulnerability. The worm may also spread through 
backdoors left open by other malware.

Advanced
W32/Forbot-BQ is a network worm with backdoor Trojan functionality.

W32/Forbot-BQ spreads through network shares and by exploiting the LSASS 
(MS04-011) software vulnerability. The worm may also spread through 
backdoors left open by other malware.

When first run, W32/Forbot-BQ copies itself to the Windows System folder 
as WIN32USB.EXE. In order to run automatically each time Windows is 
started, W32/Forbot-BQ sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
USB Device = win32usb.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
USB Device = win32usb.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
USB Device = win32usb.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
USB Device = win32usb.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
USB Device = win32usb.exe

W32/Forbot-BQ creates a service named "blargh" with
the display name of "USB Device".

The worm runs continuously in the background providing backdoor access 
to the infected computer through IRC channels.

The backdoor component of W32/Forbot-BQ can be used to:

start an FTP and HTTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
upload, download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDOS) attacks.
flush the DNS cache.
logoff, reboot and shut down the computer.

W32/Forbot-BQ may delete the ADMIN$, IPC$, C$ and D$ network shares.

W32/Forbot-BQ is capable of stealing product keys from the following 
games and applications:

Unreal Tournament 2003
Unreal Tournament 2004
The Gladiators
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
Shogun: Total War: Warlord Edition
Rainbow Six III RavenShield
Neverwinter Nights
Need For Speed Hot Pursuit 2
Need For Speed: Underground
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
James Bond 007: Nightfire
Industry Giant 2
IGI 2: Covert Strike
Hidden & Dangerous 2
Half-Life
Gunman Chronicles
Global Operations
Freedom Force
FIFA 2002
FIFA 2003
Counter-Strike
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert 2
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Generals
Black and White
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Yahoo Pager
AOL Instant Messenger
Call of Duty
Microsoft Messenger Service
Microsoft Windows Product ID

W32/Forbot-BQ may alter the following registry entry in order to 
enable/disable DCOM:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM

W32/Forbot-BQ will attempt to disable other malware, such as members of 
the W32/Bagle family.





Name   W32/Spybot-DF

Type  
    * Worm

How it spreads  
    * Network shares
    * Chat programs
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Worm.P2P.SpyBot.gen
    * W32/Spybot.worm.gen.a

Prevalence (1-5) 2

Description
W32/Spybot-DF is an IRC backdoor worm.

W32/Spybot-DF connects to a remote IRC server and runs in the background 
as a service process, listening for backdoor commands from a remote 
user. The worm may spread to network shares with weak passwords or by 
DCC. The worm may also spread through peer-to-peer networks, copying 
itself to the folder <system>\kazaabackupfiles as DOWNLOAD_ME.EXE.

While the worm is active it attempts to terminate various monitoring 
programs.

The worm may also log keystrokes, saving them to a local file or sending 
them directly to a remote user over IRC.

Sophos anti-virus products since version 3.84 have been capable of 
detecting this worm as Troj/Spybot-Fam without requiring an update.

Advanced
W32/Spybot-DF is an IRC backdoor worm.

W32/Spybot-DF connects to a remote IRC server and runs in the background 
as a service process, listening for backdoor commands from a remote 
user. The worm may spread to network shares with weak passwords or by 
DCC. The worm may also spread through peer-to-peer networks, copying 
itself to the folder <system>\kazaabackupfiles as DOWNLOAD_ME.EXE and 
setting the following registry entry to point to this location:

HKCU\Software\Kazaa\LocalContent\
Dir0

In order to be run automatically on system startup, the worm copies 
itself to the system folder as WINDOWSUPDATER.EXE and sets registry 
entries at the following locations to point to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\

While the worm is active it attempts to terminate various monitoring 
programs.

The worm may also log keystrokes, saving them to a local file or sending 
them directly to a remote user over IRC.





Name   W32/Forbot-BP

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Forbot-BP is a network worm which attempts to spread via network 
shares. The worm contains backdoor Trojan functions that allow 
unauthorised remote access to the infected computer via IRC channels 
while running in the background.

Advanced
W32/Forbot-BP is a network worm which attempts to spread via network 
shares. The worm contains backdoor Trojan functions that allow 
unauthorised remote access to the infected computer via IRC channels 
while running in the background.

When run W32/Forbot-BP moves itself to the Windows System folder as 
crsrs.exe and creates the following registry entries so as to run itself 
either on user logon or computer restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Auto updat = crsrs.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Auto updat = crsrs.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Auto updat = crsrs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Auto updat = crsrs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Auto updat = crsrs.exe

Once installed, W32/Forbot-BP will attempt to perform the following 
actions when instructed to do so by a remote attacker:

- setup a SOCKS4 proxy
- setup a HTTP proxy
- delete network shares
- partake in denial of service (DDOS) attacks
- port scan IP addresses
- download and run files from the Internet
- steal CD keys

The worm will also create the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\crcss.exe\

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CRCSS.EXE\

W32/Forbot-BP also creates its own service named "crcss.exe", with the 
display name "Auto updat".

W32/Forbot-BP can spread to unpatched machines affected by the LSASS 
vulnerability (MS04-011).





Name   W32/Rbot-ND

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Rbot.gen
    * W32/Spybot.worm.gen.e
    * WORM_SDBOT.WK

Prevalence (1-5) 2

Description
W32/Rbot-ND is a worm and backdoor for the Windows platform.

The worm spreads to shares and Microsoft SQL servers protected by weak 
passwords and to computers with unpatched operating system 
vulnerabilities or backdoors opened by other worms and Trojans.

The backdoor component connects to a predefined IRC server and waits for 
commands from a remote attacker.

The vulnerabilities exploited by W32/Rbot-ND are addressed by Microsoft 
security bulletins MS04-012 and MS03-007.

Advanced
W32/Rbot-ND is a worm and backdoor for the Windows platform.

The worm spreads to shares and Microsoft SQL servers protected by weak 
passwords and to computers with unpatched operating system 
vulnerabilities or backdoors opened by other worms and Trojans.

The backdoor component connects to a predefined IRC server and waits for 
commands from a remote attacker.

W32/Rbot-ND copies itself to the Windows system folder as webm.exe and 
adds the following registry entries to ensure that the copy is run each 
time Windows is started:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = "webm.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = "webm.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = "webm.exe"

The backdoor component allows an attacker to control the infected 
computer and offers functions such as:

Keystroke logging
Distributed denial of service attacks
Packet sniffing
Remote login
Video capture
File transfer
Proxy server

The vulnerabilities exploited by W32/Rbot-ND are addressed by Microsoft 
security bulletins MS04-012 and MS03-007.





Name   W32/Forbot-BN

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Deletes files off the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security

Prevalence (1-5) 2

Description
W32/Forbot-BN is a network worm with backdoor Trojan functionality.

The worm runs continuously in the background providing backdoor access 
to the infected computer.

W32/Forbot-BN spreads through network shares and by exploiting the LSASS 
(MS04-011) software vulnerability. The Trojan may also spread through 
backdoors left open by other malware.

Advanced
W32/Forbot-BN is a network worm with backdoor Trojan functionality.

W32/Forbot-BN spreads through network shares and by exploiting the LSASS 
(MS04-011) software vulnerability. The Trojan may also spread through 
backdoors left open by other malware.

When first run, W32/Forbot-BN copies itself to the Windows System folder 
as RUNDLL.EXE. In order to run automatically each time Windows is 
started, W32/Forbot-BN sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 USB Driver = rundll.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 USB Driver = rundll.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32 USB Driver = rundll.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 USB Driver = rundll.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 USB Driver = rundll.exe

W32/Forbot-BN creates a service named "EatShit" with the display name 
"Win32 USB Driver".

The worm runs continuously in the background providing backdoor access 
to the infected computer through IRC channels.

The backdoor component of W32/Forbot-BN can be used to:

start an FTP and HTTP server.
delete network shares.
start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
list and stop existing processes and services.
upload, download, run and delete files.
modify the registry.
add and delete services.
steal the product keys of popular games and applications.
scan other computers for open ports and attempt to exploit them.
take part in distributed denial of service (DDOS) attacks.
flush the DNS cache.
logoff, reboot and shut down the computer.

W32/Forbot-BN may delete the ADMIN$, IPC$, C$ and D$ network shares.

W32/Forbot-BN is capable of stealing product keys from the following 
games and applications:

AOL Instant Messenger
Yahoo Pager
Microsoft Messenger Service
Microsoft Windows Product ID
Counter-Strike
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert 2
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Generals
James Bond 007: Nightfire
Global Operations
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Shogun: Total War: Warlord Edition
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Hidden & Dangerous 2
Soldiers Of Anarchy
Soldier of Fortune II - Double Helix
Call of Duty
Neverwinter Nights

W32/Forbot-BN may alter the following registry entry in order to 
enable/disable DCOM:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM

W32/Forbot-BN will attempt to disable other malware, such as members of 
the W32/Bagle family.





Name   W32/Forbot-AR

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Wootbot.gen
    * W32/Gaobot.worm.gen.q
    * WORM_WOOTBOT.K

Prevalence (1-5) 2

Description
W32/Forbot-AR is a worm which attempts to spread to remote network 
shares.

W32/Forbot-AR also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels 
while running in the background as a service process.

Advanced
W32/Forbot-AR is a worm which attempts to spread to remote network 
shares.

W32/Forbot-AR also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels 
while running in the background as a service process.

W32/Forbot-AR copies itself to the Windows system folder as 
securitychk.exe and creates entries in the registry at the following 
locations to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Secure Messenger.NET Service
securitychk.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2 Driver
Microsoft Secure Messenger.NET Service
securitychk.exe

W32/Forbot-AR also creates its own service named
"Microsoft Secure Messenger.NET Service".





Name   W32/Rbot-NA

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-NA is a network worm which contains IRC backdoor Trojan 
functionality, allowing unauthorised remote access to the infected 
computer.

Advanced
W32/Rbot-NA is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-NA spreads to network shares with weak passwords and via 
network security exploits as a result of the backdoor Trojan element 
receiving the appropriate command from a remote user.

W32/Rbot-NA copies itself to the Windows system folder as TASKMSG.EXE 
and creates entries at the following locations in the registry with the 
value candynet so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

W32/Rbot-NA also sets the following registry entry with the same value 
to point to itself:

HKCU\Software\Microsoft\OLE

W32/Rbot-NA may attempt to set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-NA may attempt to delete network shares on the host computer.

W32/Rbot-NA may attempt to log keystrokes to the file KEY.TXT in the 
Windows system folder.





Name   W32/Sluter-E

Type  
    * Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Sluter-E is an IRC backdoor Trojan and network worm for the Windows 
platform. The worm spreads through network shares and by scanning 
network machines for known vulnerabilities.

Advanced
W32/Sluter-E is an IRC backdoor Trojan and network worm for the Windows 
platform. The worm spreads through network shares and by scanning 
network machines for known vulnerabilities.

When first run, the worm copies itself to the Windows system folder with 
the filename winsci32.exe. In order to run on system start, W32/Sluter-E 
creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Winsci Loaded = %System%\winsci32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Winsci Loaded = %System%\winsci32.exe

The worm registers itself as a system service with the service name 
"Winsci32" and the imagepath set to the path of winsci32.exe.

W32/Sluter-E connects to an IRC channel where it awaits commands from a 
remote user. The backdoor component can be instructed to perform any of 
the following functions:

SOCKS4 proxy server
FTP server
send email
keylogger
take part in DDoS attacks (SYN, ICMP, Ping)
steal product registration keys
insert and send insulting text into open IM windows (AIM, Yahoo, MSN 
Messenger)
gather system information (filesystem, hardware, running processes)
open and close CDROM trays
download/upload files
execute arbitrary commands

W32/Sluter-E queries the following registry entries for product keys 
belonging to certain game software:

HKLM\Software\Westwood\Tiberian Sun
HKLM\Software\Westwood\Red Alert 2
HKLM\Software\IGI 2 Retail\CDKey
HKLM\Software\Electronic Arts\EA GAMES\Generals\ergc
HKLM\Software\Electronic Arts\EA Sports\FIFA 2003\ergc
HKLM\Software\Electronic Arts\EA GAMES\Need For Speed Hot Pursuit
HKCU\Software\Eugen Systems\The Gladiators
HKLM\Software\Activision\Soldier of Fortune II - Double Helix
HKLM\Software\BioWare\NWN\Neverwinter
HKLM\Software\Red Storm Entertainment\RAVENSHIELD
HKLM\Software\Electronic Arts\EA GAMES\Battlefield 1942 The Road to Rome
HKLM\Software\Electronic Arts\EA GAMES\Battlefield 1942
HKLM\Software\IGI 2 Retail
HKCU\Software\Valve\CounterStrike\Settings
HKLM\Software\Unreal Technology\Installed Apps\UT2003
HKCU\Software\Valve\Half-Life\Settings





Name   W32/Wort-B

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Exploit.Win32.RPCLsa.10
    * Exploit-MS04-011.gen

Prevalence (1-5) 2

Description
W32/Wort-B is a network worm that attempts to spread to remote computers 
by exploiting the LSASS vulnerability.

W32/Wort-B may also attempt to download and execute files to the 
remote computer from internet sites as SETTER.EXE or SETTROW.EXE. At the 
time of writing the file downloaded as SETTER.EXE is detected as 
Troj/Hostol-A and the file SETTROW.EXE is not available for download.

Advanced
W32/Wort-B is a network worm that attempts to spread to remote computers 
by exploiting the LSASS vulnerability.

W32/Wort-B may also attempt to download and execute files to the 
remote computer from internet sites as SETTER.EXE or SETTROW.EXE. At the 
time of writing the file downloaded as SETTER.EXE is detected as 
Troj/Hostol-A and the file SETTROW.EXE is not available for download.

The Trojan creates the following registry entry to run itself on system 
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinLsass

W32/Wort-B may also create the following registry entry to run itself on 
system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\WinLsass

W32/Wort-B may also attempt to delete a registry entry at the 
following location:

HKCU\Software\System\WinTmp

W32/Wort-B generates random IP addresses to exploit.

W32/Wort-B may send information about its status to a remote website.

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
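The descriptions above all list the same kind of artefact: a value under one of the Run, RunOnce or RunServices keys, a named service, and in one case two security settings the worm flips (EnableDCOM and restrictanonymous). The script below, an added example that is not code from the post or from the vendor whose write-ups it relays, turns those artefacts into a check a responder can run over a registry export (the text produced by "reg export") and over a list of service names (as printed by "sc query"). The .reg text and service list in it are constructed for the demonstration; only the key paths, value names, file names and service names inside them are taken from the post, so anything the post does not name (the data of the WinLsass value, for example) is a labelled placeholder.

```python
"""Check a Windows registry export and a service list for the persistence
artefacts named in the W32/Forbot-BN, W32/Forbot-AR, W32/Rbot-NA,
W32/Sluter-E and W32/Wort-B descriptions.

Added example; not code from the post or from the vendor write-ups.
Input is the text of a .reg export plus a list of service names.
SAMPLE_REG and SAMPLE_SERVICES are constructed; only the key paths,
value names, file names and service names in them come from the post.
"""
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Startup locations the write-ups abuse (path below the hive, lower case).
AUTORUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\runservices",
}

# (value name, file name expected in the data or None, family), per the post.
INDICATORS = [
    ("Win32 USB2 Driver", "securitychk.exe", "W32/Forbot-AR"),
    ("candynet", "taskmsg.exe", "W32/Rbot-NA"),
    ("Winsci Loaded", "winsci32.exe", "W32/Sluter-E"),
    ("WinLsass", None, "W32/Wort-B"),  # the post gives no data for this value
]

# Settings the post says W32/Rbot-NA writes (W32/Forbot-BN also alters
# EnableDCOM, but the post does not give the value it writes).
CONFIG_CHECKS = {
    (r"hklm\software\microsoft\ole", "enabledcom"): ("N", "W32/Rbot-NA"),
    (r"hklm\system\currentcontrolset\control\lsa", "restrictanonymous"): ("1", "W32/Rbot-NA"),
}

SERVICE_NAMES = {  # service and display names from the post, lower case
    "eatshit": "W32/Forbot-BN",
    "win32 usb driver": "W32/Forbot-BN",
    "microsoft secure messenger.net service": "W32/Forbot-AR",
    "winsci32": "W32/Sluter-E",
}

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg files escape backslashes and quotes inside strings with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) from .reg text; hives shortened to HKLM/HKCU."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            for long_name, short in HIVES.items():
                if key.upper().startswith(long_name):
                    key = short + key[len(long_name):]
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = "" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))  # dword:00000001 -> "1"
        yield key, name, data


def scan_reg_export(text):
    """Return [(family, key, value_name, data)] for every entry matching the post."""
    findings = []
    for key, name, data in parse_reg_export(text):
        _, _, path = key.partition("\\")
        if path.lower() in AUTORUN_KEYS:
            for value_name, file_name, family in INDICATORS:
                if name.lower() == value_name.lower() or (
                    file_name and file_name in data.lower()
                ):
                    findings.append((family, key, name, data))
                    break
        want = CONFIG_CHECKS.get((key.lower(), name.lower()))
        if want and data == want[0]:
            findings.append((want[1], key, name, data))
    return findings


def scan_services(names):
    """Return [(family, service name)] for service names the post lists."""
    return [(SERVICE_NAMES[n.lower()], n) for n in names if n.lower() in SERVICE_NAMES]


# Constructed export: a benign entry plus one artefact per family.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Benign Updater"="C:\\Program Files\\Benign\\updater.exe"
"candynet"="TASKMSG.EXE"
"WinLsass"="C:\\constructed\\placeholder.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Winsci Loaded"="C:\\WINDOWS\\system32\\winsci32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Win32 USB2 Driver"="securitychk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''

SAMPLE_SERVICES = ["Dhcp", "EatShit", "Winsci32", "Spooler"]  # constructed list

if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE_REG) + scan_services(SAMPLE_SERVICES):
        print(hit)
```

A match on a value name or file name is only a lead: the names are what the post lists for these samples, and a later variant can use different ones, so a hit on EnableDCOM or restrictanonymous matters chiefly because the post describes the worm changing them rather than because the values themselves are unusual (restrictanonymous = 1 is a hardening setting an administrator may have set deliberately).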