Conference DIRTY_DOZEN, 201 messages
Message 78, 1850 lines
Written 2005-12-24 01:14:00 by KURT WISMER (1:123/140)
Subject: News, December 24 2005
==============================
[cut-n-paste from sophos.com]

Name   Troj/Small-FQ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Small.ccj

Prevalence (1-5) 3

Description
Troj/Small-FQ is a Trojan for the Windows platform.

Troj/Small-FQ has the functionality to download, install and run new 
software.

Advanced
Troj/Small-FQ is a Trojan for the Windows platform.

Troj/Small-FQ has the functionality to download, install and run new 
software.

When run, Troj/Small-FQ creates and runs the file 
<Windows>\snake.exe. The file snake.exe is detected by Sophos as 
Troj/CashGrab-J.

When run, Troj/Small-FQ sets the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\firewallpolicy\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\firewallpolicy\standardprofile\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\firewallpolicy\standardprofile\authorizedapplications\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\firewallpolicy\standardprofile\authorizedapplications\list\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\firewallpolicy\standardprofile\authorizedapplications\list
<pathname of the Trojan executable>
<pathname of the Trojan executable>:*:eNableD:GMMM2





Name   W32/Bagle-EX

Type  
    * Worm

How it spreads  
    * Email attachments
    * Web downloads

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Uses its own emailing engine
    * Downloads code from the internet
    * Reduces system security

Prevalence (1-5) 3

Description
W32/Bagle-EX is an email worm for the Windows platform.

The worm sends email with ZIP file attachments and various subjects 
and message texts. At the time of writing, these ZIP files and the 
contained EXE files are detected by Sophos's anti-virus products as 
Troj/BagleDl-AY.

The email may use one of the following for a message subject:

New Year's
New Year's Day.
Happy New Year
We congratulate happy New Year

The message text may contain either "The password is <image file>" or 
"Password: <image file>"

Advanced
W32/Bagle-EX is an email worm for the Windows platform.

When run, W32/Bagle-EX copies itself to the Windows system folder as 
wind2ll2.exe and creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Ru1n

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n

W32/Bagle-EX does not send email to addresses containing the following:

@derewrdgrs
@eerswqe
@messagelab
@microsoft
anyone@
certific
contract@
f-secur
free-av
gold-certs@
google
icrosoft
listserv
nobody@
noone@
noreply
postmaster@
rating@
samples
support
update
winrar
winzip

Email sent by W32/Bagle-EX contains an attached ZIP file with one of 
the following names (followed by the ZIP file extension):

Andrew
Androw
Androwe
Anthonie
Anthony
Anthonye
Bennet
Bennet
Bennett
Christean
Christian
Christian
Constance
Daniel
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edmund
Edward
Edward
Edwarde
Elizabeth
Elizabeth
Elizabethe
Emanual
Emanuel
Emanuell
Frances
Francis
Francis
Fraunces
Gabriell
Geoffraie
George
Harrye
Henrie
Henrye
Humphrey
Humphrey
Humphrie
Isabel
Isabell
Isabell
Jeames
Jeffrey
Jeffrye
Josias
Judeth
Judith
Judith
Judithe
Katherine
Katherine
Katheryne
Leonard
Leonard
Leonarde
Margaret
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Martha
Michael
Michael
Mychaell
Nathaniel
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholas
Nicholaus
Nycholas
Rebecka
Richard
Richard
Richarde
Robert
Robert
Roberte
Rycharde
Samuell
Sidney
Sindony
Stephen
Susanna
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede

At the time of writing, these ZIP files and the contained EXE files 
are detected by Sophos's anti-virus products as Troj/BagleDl-AY.

The email may use one of the following for a message subject:

New Year's
New Year's Day.
Happy New Year
We congratulate happy New Year

The message text may contain either "The password is <image file>" or 
"Password: <image file>"





Name   Troj/BagleDl-AS

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan.Bagle.BN

Prevalence (1-5) 3

Description
Troj/BagleDl-AS is a Trojan for the Windows platform.

Troj/BagleDl-AS includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/BagleDl-AS is a Trojan for the Windows platform.

Troj/BagleDl-AS includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/BagleDl-AS copies itself to \anti_troj.exe.

The following registry entries are created to run anti_troj.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
anti_troj
\anti_troj.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
anti_troj
\anti_troj.exe

Registry entries are created under:

HKCU\Software\FirstRRRun\





Name   Troj/Bckdr-E

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * BackDoor-AWQ.b

Prevalence (1-5) 2

Description
Troj/Bckdr-E is a Trojan for the Windows platform.

Advanced
Troj/Bckdr-E is a Trojan for the Windows platform.

When first run Troj/Bckdr-E copies itself to <Windows>\Server2.0.exe.

The file Server2.0.exe is registered as a new system driver service 
named "Server2.0", with a display name of "Server2.0" and a startup 
type of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Server2.0\





Name   W32/Rbot-BCQ

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Rbot.aeu

Prevalence (1-5) 2

Description
W32/Rbot-BCQ is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-BCQ spreads:

- to other network computers infected with: Troj/Kuang, Troj/Sub7, 
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), 
WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011) 
(CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware 
(CAN-2003-1030) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-BCQ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

The following patches for the operating system vulnerabilities 
exploited by W32/Rbot-BCQ can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

Advanced
W32/Rbot-BCQ is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Rbot-BCQ spreads:

- to other network computers infected with: Troj/Kuang, Troj/Sub7, 
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), 
WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011) 
(CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware 
(CAN-2003-1030) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-BCQ runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Rbot-BCQ copies itself to <System>\winupl.exe.

The following registry entries are created to run winupl.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DRam prosessor
winupl.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
DRam prosessor
winupl.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
DRam prosessor
winupl.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

The following patches for the operating system vulnerabilities 
exploited by W32/Rbot-BCQ can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx





Name   Troj/BagleDl-AR

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/BagleDl-AR is a Trojan for the Windows platform.

Troj/BagleDl-AR includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/BagleDl-AR is a Trojan for the Windows platform.

Troj/BagleDl-AR includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/BagleDl-AR may arrive as attachment in the email with the 
following message text:

Dear customer.

Thank you for your subscription to http://www.<sitename>.com.

You have been billed as Paycom LLC for the amount of: GBP 24.95 for
30 days then GBP 24.95 recurring every 30 days.

Time: 2005-12-16 10:54:56
Transaction ID: 965658
Amount: GBP 24.95
Applied to Account #: 10915104
Pay Method: VISA

Your new subscription identification number is: 10915104, please
keep this number in a safe place, as it will be required
for reference in all future correspondence regarding your
membership.

Your membership access information is:
Username for your subscription: 112002
Password for your subscription: regina
Membership website: http://www.<sitename>.com

For further details regarding this transaction and direct access to
our online billing support services, available
24-hours a day, 365-days a year, please check your transaction
details in attachment.

Thank you for choosing Paycom as the eMerchant for your
subscription!

Customer Support

****************************************
Billing services provided by Paycom, LLC

Troj/BagleDl-AR attempts to download to the Windows folder and execute
msupdate.exe file. This file is detected as Troj/CashGrab-I.

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\firewallpolicy\standardprofile\authorizedapplications\list
<pathname of the Trojan executable>
<original filename>:*:EnaBleD:cvv2
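
The firewall exceptions that Troj/Small-FQ and Troj/BagleDl-AR write (above) share one value format, `<path>:<scope>:<Enabled|Disabled>:<display name>`, which can be audited offline. The following is an added example, not part of the original post or of the Sophos write-ups: the file paths, the benign entries and the two heuristics are constructed for illustration, and only the `eNableD:GMMM2` and `EnaBleD:cvv2` tokens are taken from the advisories.

```python
import re
from dataclasses import dataclass, field

# Data format of a value under ...\AuthorizedApplications\List:
#   <program path>:<scope>:<Enabled|Disabled>:<display name>
# The path usually contains a drive colon, so the parser anchors on the
# status token instead of splitting on every ':'.
ENTRY_RE = re.compile(
    r"^(?P<path>.+):(?P<scope>[^:]*):(?P<status>enabled|disabled):(?P<name>.*)$",
    re.IGNORECASE,
)

# Heuristic (assumption of this example): ordinary entries spell the status
# in one consistent case; the two advisories show scrambled case.
USUAL_STATUS = {"Enabled", "enabled", "ENABLED", "Disabled", "disabled", "DISABLED"}

ODD_CASE = "status token has scrambled letter case"
PATH_MISMATCH = "path inside the data differs from the value name"
UNPARSEABLE = "data does not follow path:scope:status:name"


@dataclass
class Finding:
    value_name: str
    scope: str
    display_name: str
    reasons: list = field(default_factory=list)


def parse_entry(data):
    """Split one value's data into path, scope, status and name (or None)."""
    match = ENTRY_RE.match(data.strip())
    return match.groupdict() if match else None


def audit(entries):
    """entries: iterable of (value name, value data) pairs exported from the
    AuthorizedApplications\\List key. Returns the entries worth reviewing."""
    findings = []
    for value_name, data in entries:
        parsed = parse_entry(data)
        if parsed is None:
            findings.append(Finding(value_name, "", "", [UNPARSEABLE]))
            continue
        reasons = []
        if parsed["status"] not in USUAL_STATUS:
            reasons.append(ODD_CASE)
        # The value name is the program path; the data normally repeats it.
        if parsed["path"].lower() != value_name.lower():
            reasons.append(PATH_MISMATCH)
        if reasons:
            findings.append(
                Finding(value_name, parsed["scope"], parsed["name"], reasons)
            )
    return findings


# Constructed sample export. Paths are placeholders, not the Trojans' real
# locations (the advisories give only "<pathname of the Trojan executable>").
SAMPLE_ENTRIES = [
    (r"C:\Program Files\ExampleApp\app.exe",
     r"C:\Program Files\ExampleApp\app.exe:LocalSubNet:Enabled:Example App"),
    (r"C:\Tools\old.exe",
     r"C:\Tools\old.exe:*:Disabled:Old tool"),
    # Shape described for Troj/Small-FQ: full path, then :*:eNableD:GMMM2
    (r"C:\Temp\sample_a.exe",
     r"C:\Temp\sample_a.exe:*:eNableD:GMMM2"),
    # Shape described for Troj/BagleDl-AR: bare file name, then :*:EnaBleD:cvv2
    (r"C:\Temp\sample_b.exe",
     r"sample_b.exe:*:EnaBleD:cvv2"),
    (r"C:\Temp\broken.exe",
     r"C:\Temp\broken.exe"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRIES):
        print(finding.value_name, "->", "; ".join(finding.reasons))
```

A hit from either heuristic is a reason to look at the referenced executable, not a verdict on its own; an entry with scope `*` is reachable from any remote address, so those are the ones to triage first.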





Name   Troj/Agent-GG

Type  
    * Trojan

Affected operating systems  
    * Windows

Aliases  
    * Backdoor.Win32.Agent.ah
    * Trojan-Downloader.Win32.PurityScan.d
    * W32/Backdoor.ALU

Prevalence (1-5) 2

Description
Troj/Agent-GG is a Trojan for the Windows platform.

Troj/Agent-GG includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Agent-GG is a Trojan for the Windows platform.

Troj/Agent-GG includes functionality to access the internet and 
communicate with a remote server via HTTP.

When Troj/Agent-GG is installed the following files are created:

<Windows system folder>\vld5750.dll

The file vld5750.dll is registered as a COM object and Browser Helper 
Object (BHO) for Microsoft Internet Explorer, creating registry 
entries under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CF021F40-3E14-23A5-CBA2-71766C645750}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CF021F40-3E14-23A5-CBA2-71766C645750}
HKCR\CLSID\{CF021F40-3E14-23A5-CBA2-71766C645750}
HKCR\Interface\{CF021F40-3E14-23A5-CBA2-71766C645750}
HKCR\TypeLib\{CF021F40-3E14-23A5-CBA2-71766C645750}
HKCR\VLD5750.VLD5750.1\

Registry entries are created under:

HKCR\VLD5750.VLD5750\





Name   W32/Feebs-A

Type  
    * Spyware Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Drops more malware
    * Reduces system security
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Feebs-A is a worm for the Windows platform.

The worm may arrive as an attachment to an email claiming to be sent 
via "Protected E-Mail service" with bogus credentials. The message 
may lure the recipient into entering the supplied credentials into an 
attached HTML document.

W32/Feebs-A also creates several copies of itself in ZIP format in 
paths containing "share".

W32/Feebs-A may also harvest information from the infected computer 
and send stolen data to a remote user via FTP.

Advanced
W32/Feebs-A is a worm for the Windows platform.

The worm may arrive as an attachment to an email claiming to be sent 
via "Protected E-Mail service" with bogus credentials. The message 
may lure the recipient into entering the supplied credentials into an 
attached HTML document.

The worm copies itself to the Windows system folder as ms<two random 
letters>.exe and creates the file ms<random characters>.dll. 
W32/Feebs-A also creates several copies of itself in ZIP format in 
paths containing "share". The worm uses the following ZIP filenames:

3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip

W32/Feebs-A may also harvest information from the infected computer 
and send stolen data to a remote user via FTP.

The worm modifies registry entries under:

HKCR\CLSID\{<random clsid>}\InprocServer32
(default)
"<System>\<path to worm DLL component>"

HKCU\Software\Policies\Microsoft\WindowsFirewall

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
<Worm DLL Component>
"{<random clsid>}"

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall





Name   Troj/Banload-BS

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Banload.kh

Prevalence (1-5) 2

Description
Troj/Banload-BS is a Trojan downloader for the Windows platform.

Troj/Banload-BS includes functionality to access the internet and 
communicate with a remote server via HTTP.





Name   W32/Traxg-G

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * WORM_XDDTRAY.A
    * W32.Xddtray@mm

Prevalence (1-5) 2

Description
W32/Traxg-G is a worm for the Windows platform.

W32/Traxg-G includes functionality to spread through emails, network 
shares or by copying itself to the drives A and D.

W32/Traxg-G may display the following fake warning message:

Warning
This Folder Has Been Damage!

Advanced
W32/Traxg-G is a worm for the Windows platform.

W32/Traxg-G includes functionality to spread through emails, network 
shares or by copying itself to the drives A and D with the filename 
Windows.exe.

The worm may add a user account "admin" if it does not already exist. 
The worm also may create network shares for local files and folders.

W32/Traxg-G may display the following fake warning message:

Warning
This Folder Has Been Damage!

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

The worm may create the files C:\FOLDER.HTT and nethood.htm. This 
file exploits the "Microsoft VM ActiveX Component" vulnerability, 
associated with certain versions of Microsoft Internet Explorer, to 
run further executable code. This vulnerability allows an HTML-based 
script to access the file system or registry without any of the usual 
security restrictions placed on ActiveX controls. For further 
information see Microsoft security bulletin MS00-075.





Name   Troj/BagleDl-AP

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Bloodhound.Beagle
    * W32/Bagle.gen

Prevalence (1-5) 2

Description
Troj/BagleDl-AP is a downloader Trojan for the Windows platform.

Advanced
Troj/BagleDl-AP is a downloader Trojan for the Windows platform.

Troj/BagleDl-AP includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/BagleDl-AP copies itself to <System>\anti_troj.exe.

The following registry entries are created to run anti_troj.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
anti_troj
<System>\anti_troj.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
anti_troj
<System>\anti_troj.exe

Registry entries are created under:

HKCU\Software\FirstRRRun\





Name   W32/Rbot-AFV

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Rbot.sr

Prevalence (1-5) 2

Description
W32/Rbot-AFV is an internet worm and IRC backdoor Trojan for the 
Windows platform.

W32/Rbot-AFV spreads to other network computers by exploiting the 
buffer overflow vulnerabilities LSASS (MS04-011), RPC-DCOM (MS04-012), 
WKS (MS03-049) and MSSQL (MS02-039) and by copying itself to network 
shares protected by weak passwords.

W32/Rbot-AFV runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

The following patches for the operating system vulnerabilities 
exploited by W32/Rbot-AFV can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

Advanced
W32/Rbot-AFV is an internet worm and IRC backdoor Trojan for the 
Windows platform.

W32/Rbot-AFV spreads to other network computers by exploiting the 
buffer overflow vulnerabilities LSASS (MS04-011), RPC-DCOM (MS04-012), 
WKS (MS03-049) and MSSQL (MS02-039) and by copying itself to network 
shares protected by weak passwords.

W32/Rbot-AFV runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-AFV includes functionality to:

- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software, including updates 
of its software

When first run W32/Rbot-AFV moves itself to the Windows system folder 
using a random filename and creates the following registry entries to 
ensure it is run at system logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AIM Instant Message Cookies
<random name>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
AIM Instant Message Cookies
<random name>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AIM Instant Message Cookies
<random name>

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
AIM Instant Message Cookies
<random name>

W32/Rbot-AFV creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole
AIM Instant Message Cookies
<random name>

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
AIM Instant Message Cookies
<random name>

HKCU\Software\Microsoft\OLE
AIM Instant Message Cookies
<random name>

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
AIM Instant Message Cookies
<random name>

W32/Rbot-AFV also sets the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

The following patches for the operating system vulnerabilities 
exploited by W32/Rbot-AFV can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx





Name   W32/Bloat-A

Type  
    * Virus

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Bloat-A is a prepending virus for the Windows platform.

Advanced
W32/Bloat-A is a prepending virus for the Windows platform.

When run the virus will create the file <Windows>\svchost.com and 
modify the following registry entry:

HKLM\SOFTWARE\CLASSES\exefile\shell\open\command
(default)
<Windows>\svchost.com "%1 %*"

The infected file will run the original host while it infects other 
files on the computer.





Name   Troj/Smwg-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Aliases  
    * Constructor.Win32.SMWG.b
    * New

Prevalence (1-5) 2

Description
Troj/Smwg-A is a Trojan for the Windows platform.





Name   W32/Sunk-A

Type  
    * Worm

How it spreads  
    * Chat programs
    * Peer-to-peer

Affected operating systems  
    * Windows

Aliases  
    * Virus.Win32.VB.aa

Prevalence (1-5) 2

Description
W32/Sunk-A is a worm for the Windows platform.

The worm will display the following fake error message:

"An unexpected error has occurred on the execution of this file"

W32/Sunk-A will attempt to replace every file on the infected 
computer that has the extension EXE with a copy of itself. The worm 
will also copy itself to folders known to be used by popular 
Peer-To-Peer programs using various names.

W32/Sunk-A will send messages to AIM users with one of the following 
messages and a link to a url that contains an executable:

Aim Hacker 1.3 FREE!
Best Aim Password Cracker written by ZeX.
Better then limewire and kazaa put together!
Check my Pics Out!
Check out my music!
Check out my webcam.
Click to join! Better then myspace and xanga!
Cool hacking programs!
Download Aim Optimized 4.9!
Download Dead Aim (5.9+)- NEW!
Download my mp3 i made.
Download My Profile.
Email Hacker Pro 1.5 This is awsome! :)
Free Aim Password Cracker. Use it to hack your friends.
Funniest Clip Ever!
Game Hacker program download here.
Get X-im Chat! Better then AIM!
Hack Webcams and Aim accounts with O-Hax! This is the last day it will be out for free!
Have you see this!
INFINITE FREE PICS OF ASIAN HOTTIES!
Join this free music site!
LMAO OMG THIS IS HILARIOUS!
LOL Check these Pics out.
Lol OMG! Someone posted your picture here!
LOL Watch this clip!
LOLOL WTF IS THIS?!
Make your own Profile!
My Xanga!
OMG LOOK IT'S YOU!
Play the new Aim Online game!
See my Beach pictures!!
Take my Quiz!
THE KEY TO HAPPINESS IS LAUGHTER!
This game is badass! Play now!
View My BuddyProfile
Wanna See My Profile!

Advanced
W32/Sunk-A is a worm for the Windows platform.

W32/Sunk-A will copy itself to the following locations:

C:\skunk.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Skunk.exe
C:\WINDOWS\system32\Skunk.exe
C:\WINNT\system32\Skunk.exe
A:\Skunk.exe

The worm will also display the following fake error message:

"An unexpected error has occurred on the execution of this file"

W32/Sunk-A will change a large number of registry entries under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

W32/Sunk-A will attempt to replace every file on the infected 
computer that has the extension EXE with a copy of itself. The worm 
will also copy itself to folders known to be used by popular 
Peer-To-Peer programs using various names.

W32/Sunk-A will send messages to AIM users with one of the following 
messages and a link to a url that contains an executable:

Aim Hacker 1.3 FREE!
Best Aim Password Cracker written by ZeX.
Better then limewire and kazaa put together!
Check my Pics Out!
Check out my music!
Check out my webcam.
Click to join! Better then myspace and xanga!
Cool hacking programs!
Download Aim Optimized 4.9!
Download Dead Aim (5.9+)- NEW!
Download my mp3 i made.
Download My Profile.
Email Hacker Pro 1.5 This is awsome! :)
Free Aim Password Cracker. Use it to hack your friends.
Funniest Clip Ever!
Game Hacker program download here.
Get X-im Chat! Better then AIM!
Hack Webcams and Aim accounts with O-Hax! This is the last day it will be out for free!
Have you see this!
INFINITE FREE PICS OF ASIAN HOTTIES!
Join this free music site!
LMAO OMG THIS IS HILARIOUS!
LOL Check these Pics out.
Lol OMG! Someone posted your picture here!
LOL Watch this clip!
LOLOL WTF IS THIS?!
Make your own Profile!
My Xanga!
OMG LOOK IT'S YOU!
Play the new Aim Online game!
See my Beach pictures!!
Take my Quiz!
THE KEY TO HAPPINESS IS LAUGHTER!
This game is badass! Play now!
View My BuddyProfile
Wanna See My Profile!





Name   W32/Rbot-BFL

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Prevalence (1-5) 2

Description
W32/Rbot-BFL is an internet worm and IRC backdoor Trojan for the 
Windows platform.

W32/Rbot-BFL spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011) and 
RPC-DCOM (MS04-012) and by copying itself to network shares protected 
by weak passwords.

W32/Rbot-BFL runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-BFL includes functionality to:

- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software

The following patches for the operating system vulnerabilities 
exploited by W32/Rbot-BFL can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

Advanced
When first run W32/Rbot-BFL moves itself to <System>\BIOSserv.exe.

The following registry entries are created to run BIOSserv.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
BIOS Net Service
BIOSserv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BIOS Net Service
BIOSserv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
BIOS Net Service
BIOSserv.exe

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1






Name   W32/Protorid-AG

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * W32/Protoride.worm

Prevalence (1-5) 2

Description
W32/Protorid-AG is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Protorid-AG spreads to other network computers infected with: 
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix and by copying 
itself to network shares protected by weak passwords.

W32/Protorid-AG runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
When first run W32/Protorid-AG copies itself to the Windows system 
folder.

The following registry entry is created to run W32/Protorid-AA on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Taskbar Manager
<System>\<original worm filename>

W32/Protorid-AG may also set the registry entry:

HKLM\Software\BeyonD inDustries\ProtoType[v3]

W32/Protorid-AG copies itself as INTERNAT.EXE to the startup folder 
of the available shared network computers:

\WINDOWS\Menu Iniciar\Programas\Iniciar\
\WIN98\Menu Iniciar\Programas\Iniciar\
\WINME\Menu Iniciar\Programas\Iniciar\
\WIN95\Menu Iniciar\Programas\Iniciar\
\WINDOWS.000\Menu Iniciar\Programas\Iniciar\
\WINDOWS\Start Menu\Programs\StartUp\
\WIN98\Start Menu\Programs\StartUp\
\WINME\Start Menu\Programs\StartUp\
\WIN95\Start Menu\Programs\StartUp\
\WINDOWS.000\Start Menu\Programs\StartUp\
\Documents and Settings\All Users\Start Menu\Programs\StartUp\
\Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\
\Documents and Settings\All Users\Menuen Start\Programmer\Start\
\WINDOWS\Menuen Start\Programmer\Start\
\WIN98\Menuen Start\Programmer\Start\
\WINME\Menuen Start\Programmer\Start\
\WIN95\Menuen Start\Programmer\Start\
\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
\WINDOWS\Menu Start\Programma's\Opstarten\
\WIN98\Menu Start\Programma's\Opstarten\
\WINME\Menu Start\Programma's\Opstarten\
\WIN95\Menu Start\Programma's\Opstarten\
\Documents and Settings\All Users\Start Menu\Programlar\BASLANGI
\WINDOWS\Start Menu\Programlar\BASLANGI
\WIN98\Start Menu\Programlar\BASLANGI
\WINME\Start Menu\Programlar\BASLANGI
\WIN95\Start Menu\Programlar\BASLANGI
\Documents and Settings\All Users\Menu Start\Programy\Autostart\
\WINDOWS\Menu Start\Programy\Autostart\
\WIN98\Menu Start\Programy\Autostart\
\WINME\Menu Start\Programy\Autostart\
\WIN95\Menu Start\Programy\Autostart\
\Documents and Settings\All Users\Start-Reny\Programmer\Oppstart\
\WINDOWS\Start-Reny\Programmer\Oppstart\
\WIN98\Start-Reny\Programmer\Oppstart\
\WINME\Start-Reny\Programmer\Oppstart\
\WIN95\Start-Reny\Programmer\Oppstart\
\Documents and Settings\All Users\Start-Renyn\Program\Autostart\
\WINDOWS\Start-Renyn\Program\Autostart\
\WIN98\Start-Renyn\Program\Autostart\
\WINME\Start-Renyn\Program\Autostart\
\WIN95\Start-Renyn\Program\Autostart\
\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
\WINDOWS\Menu Avvio\Programmi\Esecuzione automatica\
\WIN98\Menu Avvio\Programmi\Esecuzione automatica\
\WINME\Menu Avvio\Programmi\Esecuzione automatica\
\WIN95\Menu Avvio\Programmi\Esecuzione automatica





Name   W32/Sdbot-TQ

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Sdbot-TQ is a network worm with backdoor functionality for the 
Windows platform.

The worm spreads through network shares protected by weak passwords. 
When copying itself across the network, W32/Sdbot-TQ uses the 
filename msgfix.exe.

The backdoor component joins an IRC channel and awaits further 
commands from a remote user.

Advanced
W32/Sdbot-TQ is a network worm with backdoor functionality for the 
Windows platform.

When first run, W32/Sdbot-TQ copies itself to the Windows system 
folder as WindowsSP2.exe and creates the following registry entries 
in order to run each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Service Pack 2
WindowsSP2.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Service Pack 2
WindowsSP2.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Service Pack 2
WindowsSP2.exe

The worm spreads through network shares protected by weak passwords. 
When copying itself across the network, W32/Sdbot-TQ uses the 
filename msgfix.exe.

The backdoor component joins an IRC channel and awaits further 
commands from a remote user. W32/Sdbot-TQ can then be instructed to 
perform the following:

- download/execute arbitrary files
- take part in distributed denial of service (DDoS) attacks
- perform proxy server functionality
- modify the system registry
- steal product registration information for certain software





Name   W32/Bobax-N

Type  
    * Virus

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Net-Worm.Win32.Bobic.d
    * W32.Bobax.Z@mm
    * W32.Proxed

Prevalence (1-5) 2

Description
W32/Bobax-N is an email virus for the Windows platform.

W32/Bobax-N has the ability to infect executable files.

W32/Bobax-N can send itself to email addresses harvested from the 
infected computer.

W32/Bobax-N attempts to contact a number of preconfigured internet 
sites in order to report successful infection.

Emails sent by the worm have the following characteristics:

Subject line:

Cool
Captured..
He has been captured..
Finally! Captured
Finally
God Bless the USA!

Message text (chosen from):

Saddam Hussein - Attempted Escape, Shot dead
Attached some pics that i found

Osama Bin Laden Captured.
Attached some pics that i found

Testing

Secret!

Hey,
Remember this?

Hello,
Long time! Check this out!

Hey,
I was going through my album, and look what I found..

Hey,
Check this out :-)

+++ Attachment: No Virus found
+++ Panda AntiVirus - You are protected
+++ www.pandasoftware.com

+++ Attachment: No Virus found
+++ Norman AntiVirus - You are protected
+++ www.norman.com

+++ Attachment: No Virus found
+++ F-Secure AntiVirus - You are protected
+++ www.f-secure.com

+++ Attachment: No Virus found
+++ Norton AntiVirus - You are protected
+++ www.symantec.com

"Turn on your TV.
Osama Bin Laden has been captured.

While CNN has no pictures at this point of time, the military channel (PPV) released some pictures.
I managed to capture a couple of these pictures off my TV.
Ive attached a slideshow containing all the pictures I managed to capture.
I apologize for the low quality, its the best I could do at this point of time.

Hopefully CNN will have pictures and a video soon.

God bless the USA!"

Possible attached filename stubs:

pics
funny
bush
joke
secret

Possible attached file extensions:

pif
exe
scr
zip

W32/Bobax-N also attempts to disable the Windows firewall and 
attempts to suppress Windows security warnings.

Advanced
W32/Bobax-N may copy itself to the Windows system folder with a 
random lowercase filename and may create the following registry entry 
in order to run automatically on computer login:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random>
<System>\<worm filename>

The dropper component of the worm creates a DLL in a temporary folder 
and injects this DLL into the Shell_Tray process. The DLL contains 
the spreading functionality of the worm and can disable mouse and 
keyboard input to process enumeration windows. Thus the worm may 
disable the Task Manager window.

W32/Bobax-N may set the following registry entries to disable the 
Windows firewall and automatic security notifications:

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

W32/Bobax-N also attempts to execute the following commands:

netsh.exe firewall set opmode mode=disable profile=all

sc.exe config SharedAccess start= disabled





Name   W32/Tilebot-GS

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Drops more malware
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * WORM_SDBOT.CWF
    * W32/Tilebot-Gen

Prevalence (1-5) 2

Description
W32/Tilebot-GS is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-GS spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx) 
(CAN-2003-0812), PNP 
(http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx) 
and by copying itself to network shares protected by weak passwords.

W32/Tilebot-GS runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Tilebot-GS includes functionality to access the internet and 
communicate with a remote server via HTTP.

The following patches for the vulnerabilities exploited by 
W32/Tilebot-GS are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

Advanced
When first run W32/Tilebot-GS copies itself to <Windows 
folder>\nvidcgui.exe and creates the file <Windows system 
folder>\remon.sys.

The file remon.sys is detected as Troj/RKFu-A.

The file nvidcgui.exe is registered as a new system driver service 
named "pxlmdl", with a display name of "PixelModule" and a startup 
type of automatic, so that it is started automatically during system 
startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\pxlmdl\

The file remon.sys is registered as a new system driver service named 
"remon", with a display name of "remon". Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\remon\

The following registry entries are set, disabling the registry editor 
(regedit) and the Windows task manager (taskmgr):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

W32/Tilebot-GS sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\


 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
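
A defender's check for the registry artefacts listed in the descriptions above (the Run-key names for W32/Rbot-BFL, W32/Protorid-AG and W32/Sdbot-TQ, the Security Center values for W32/Bobax-N, and the policy values and driver services for W32/Tilebot-GS). This is an added example, not part of the original message or of Sophos's own tooling. It assumes the text format printed by `reg query <key> /s`; the function names are hypothetical and the sample input is constructed.

```python
import re
# Indicators copied from the descriptions above; keys are matched by suffix, case-insensitively.
RUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices")
RUN_NAMES = {
    "bios net service": "W32/Rbot-BFL",
    "windows taskbar manager": "W32/Protorid-AG",
    "windows service pack 2": "W32/Sdbot-TQ",
}
# (key suffix, value name) -> family; reported only when the data equals 1.
TAMPER_VALUES = {(r"\microsoft\security center", v): "W32/Bobax-N" for v in (
    "firewalloverride", "firewalldisablenotify", "antivirusdisablenotify", "updatesdisablenotify")}
TAMPER_VALUES.update({(r"\currentversion\policies\system", v): "W32/Tilebot-GS"
                      for v in ("disabletaskmgr", "disableregistrytools")})
SERVICE_KEYS = {r"\services\pxlmdl": "W32/Tilebot-GS", r"\services\remon": "W32/Tilebot-GS"}
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Yield (key, name, type, data); a key header line yields name=None."""
    key = None
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3).strip()
        elif line.startswith("HKEY_"):
            key = line.strip().rstrip("\\")
            yield key, None, None, None

def is_one(reg_type, data):
    # Assumption: flags are REG_DWORD (printed as 0x1) or the text "1".
    return int(data, 16) == 1 if reg_type == "REG_DWORD" else data == "1"

def scan(text):
    """Return (family, key, value name or None) for every indicator found."""
    findings = []
    for key, name, reg_type, data in parse_reg_query(text):
        k = key.lower()
        if name is None:  # key header: look for the driver services
            findings += [(fam, key, None) for s, fam in SERVICE_KEYS.items() if k.endswith(s)]
            continue
        n = name.lower()
        if k.endswith(RUN_SUFFIXES) and n in RUN_NAMES:
            findings.append((RUN_NAMES[n], key, name))
        fam = next((f for (s, v), f in TAMPER_VALUES.items() if k.endswith(s) and v == n), None)
        if fam and is_one(reg_type, data):
            findings.append((fam, key, name))
    return findings

# Constructed sample shaped like `reg query <key> /s` output (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Windows Service Pack 2    REG_SZ    WindowsSP2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    FirewallOverride    REG_DWORD    0x1
    UpdatesDisableNotify    REG_DWORD    0x0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pxlmdl
"""
```

W32/Bobax-N's own Run entry uses a random value name, so only its Security Center values are matched here.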