Text 329, 752 lines
Written 2007-09-16 19:15:00 by KURT WISMER (1:123/140)
Subject: News, September 16 2007
===============================
[cut-n-paste from sophos.com]
Name W32/SillyFDC-AV
Type
* Spyware Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/SillyFDC-AV is a worm for the Windows platform.
Advanced
W32/SillyFDC-AV is a worm for the Windows platform.
When run, W32/SillyFDC-AV copies itself to <System>\dllhost.exe and creates
the file <Root>\autorun.inf.tmp. The file autorun.inf.tmp is also
detected as W32/SillyFDC-AV.
W32/SillyFDC-AV registers the file <System>\dllhost.exe as a system
service with the service name "COMSystemApp" and a display name "COM+
System Applications" and a startup type of automatic. Registry entries
are created under:
HKLM\SYSTEM\CurrentControlSet\Services\COMSystemApp\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_COMSYSTEMAPP\
W32/SillyFDC-AV spreads via removable shared drives, copying itself to
<Root>\runauto..\autorun.pif as a hidden, system file and creating the
file <Root>\autorun.inf so that the worm runs when the removable media is
plugged into an uninfected computer. The file <Root>\autorun.inf is also
detected as W32/SillyFDC-AV.
W32/SillyFDC-AV includes functionality to:
- terminate security and anti-virus related processes
- steal information
- download code from the internet
Name Troj/RootKit-BM
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Reduces system security
Prevalence (1-5) 2
Description
Troj/RootKit-BM is a rootkit for the Windows platform.
Name Troj/PWS-AOU
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.Magania.wv
* Trojan-Downloader.Win32.Small.eor
Prevalence (1-5) 2
Description
Troj/PWS-AOU is a password-stealing Trojan for the Windows platform.
Advanced
Troj/PWS-AOU is a password-stealing Trojan for the Windows platform.
Name Troj/Dloadr-BDW
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Dloadr-BDW is a downloader Trojan for the Windows platform.
Troj/Dloadr-BDW attempts to download and execute a file from a remote
website to a configurable location, and has been seen downloading to
the file C:\uyghur.exe.
Name Troj/Pushdo-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Agent.deu
Prevalence (1-5) 2
Description
Troj/Pushdo-B is a Trojan for the Windows platform.
Advanced
Troj/Pushdo-B is a Trojan for the Windows platform.
When Troj/Pushdo-B is installed it drops and runs a further file in
memory, detected as Troj/Pushu-B or Mal/Basine-C. This will then drop
further files, using filenames from the following:
<Windows>\system32\drivers\ip6fw.sys
<Windows>\system32\drivers\netdtect.sys
<System>\drivers\runtime.sys
<System>\drivers\secdrv.sys
These files are used to provide stealthing for the Trojan, and are
detected as Troj/NTRootK-BY and Troj/Agent-FVT.
The dropped file in memory will also usually attempt to inject further
code into Internet Explorer.
Name Troj/VB-DXL
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/VB-DXL is a Trojan for the Windows platform.
Troj/VB-DXL may attempt to inject itself into other processes on the
system.
Name W32/Rbot-GTC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Leaves non-infected files on computer
Aliases
* Backdoor.Win32.Rbot.buy
* Worm/Gaobot.1104511
* W32/Backdoor.AEVB
* W32/Sdbot.worm
* BKDR_Generic
* Trojan:Win32/Ircbrute!9CF1
Prevalence (1-5) 2
Description
W32/Rbot-GTC is a network worm for the Windows platform.
Advanced
W32/Rbot-GTC is a network worm for the Windows platform.
The worm spreads by copying itself to network shares and by exploiting
common software vulnerabilities including LSASS (MS04-011) and ASN.1
(MS04-007).
When first run, W32/Rbot-GTC moves itself to <System>\taksmanager.exe.
The following registry entries are created to run taksmanager.exe
automatically:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update
taksmanager.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update
taksmanager.exe
W32/Rbot-GTC allows a remote attacker to control the infected computer
over an IRC connection.
Name Troj/DNSChan-LZ
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/DNSChan-LZ is a Trojan for the Windows platform.
Advanced
Troj/DNSChan-LZ is a Trojan for the Windows platform.
When first run Troj/DNSChan-LZ copies itself to <System>\kdjjz.exe.
The following registry entry is changed to run kdjjz.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System
kdjjz.exe
Name W32/IRCBot-XV
Type
* Spyware Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Scans network for vulnerabilities
Prevalence (1-5) 2
Description
W32/IRCBot-XV is a worm for the Windows platform.
Advanced
W32/IRCBot-XV is a worm with backdoor functionality for the Windows
platform.
W32/IRCBot-XV spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: SRVSVC (MS06-040), WKS
(MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). The
worm may also spread via network shares and MSSQL servers protected by
weak passwords.
W32/IRCBot-XV runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/IRCBot-XV includes functionality to:
- check whether the bot is running under VPC, VMware or Anubis
- set up an FTP server
- set up a proxy server
- spread via MSN Instant Messenger by sending messages automatically
- scan ports
- sniff packets
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server via HTTP
- harvest information from the clipboard
When first run, W32/IRCBot-XV copies itself to <System>\csrss.exe.
W32/IRCBot-XV can be ordered to spread via MSN with one of the
following messages:
Hey man accept my pics. :( i just edited it to look maad funny..Dude i
found your picture on hotornot.com! Take a look!
do I look dumb in this picture? I want to put it on myspace.
hey you got a myspace album? anyways heres my new myspace album :)
accept k?
ok, I DO NOT like my new hair color.. but people on facebook do. what
do you think? And no laughing! lol
Have you seen me Naked Yet :D
OMG, i found ur pic on cuteornot.com! Check it out!!!
Hey just finished new myspace album! :) theres a few kinky ones in there!
I think this picture is terrible. but my friends on myspace want to see
it. please dont show noone.
Hey accept my pictures, i got a bunch from when i was like a toddler :X
OMG just accept please its only some pics!!
do you think this picture is too kinky for Myspace?
Wanna see my pics before i send em to facebook?
dude i just got these pictures off my digital for you! Gimme a moment
to find em and send
haha, this guy up my street just slammed his $90k car into a telephone
pole! I got a pic of it with my cellphone
Can you believe somone actually wears this size bra? I could use it for
a Tent.
I've been editing some pics you should def see em loL! accept :)
Lmfao hey im sending my new pictures! Check em out!
I can't believe they wanted me to upload this picture to facebook lol.
Its terrible. Like my outfit tho?
Take a look at the new pics already! :p
wanna see this pic of my Boobs?Can i put this pic of you into my new
myspace album?
wow! look at this old picture i found....
my crazy sister wants u to see these pics for some reason... take a look
wow I just dyed my hair... You will never believe the color it is now.
lol And dont laugh
is this pic tooo sexy for photobucket??
sry about the messup i fixed the pic! Try it one more time pz
you care if i put this pictuer of you in my new album?
can i up some of these pics of ya to my myspace profile?
hey did i ever show you this picture of me?
haha lets hope your parents dont see this picture of you :D
Wow i think i found your pic on myspace!
This picture isnt you... right?
The attachment will be the file My_Pictures2007.zip. This file is also
detected as W32/IRCBot-XV.
The following registry entry is created to run csrss.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Runtime Server Subsystem
<System>\csrss.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
MeltCc32
<pathname of the worm executable>
Name Troj/Desdie-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Desdie-A is a Trojan for the Windows platform.
Advanced
Troj/Desdie-A is a Trojan for the Windows platform.
Troj/Desdie-A attempts to connect to a remote location using FTP, and
then to download and execute two files to the following locations:
C:\mspass.exe
C:\pspv.exe
These are used to steal information from the infected computer and save
it to the files C:\<Computer name>icq.txt and C:\<Computer
name>other.txt. These files are then uploaded to the remote location.
Troj/Desdie-A also drops some of the following clean files:
C:\clm1.txt
C:\FTP.txt
C:\FTP1.txt
C:\DSC_00219.jpg
Name Troj/Agent-GCJ
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Trojan-Downloader.Win32.Delf.aeu
* Worm/Agent.AJ.22
* W32/Downldr2.MDK
* WORM_Generic
* Worm:Win32/Agent.CC
Prevalence (1-5) 2
Description
Troj/Agent-GCJ is a Trojan for the Windows platform.
Advanced
Troj/Agent-GCJ is a Trojan for the Windows platform.
Name Troj/Psyme-FB
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 2
Description
Troj/Psyme-FB is a web page which exploits the ADODB stream object
vulnerability in Microsoft Internet Explorer to download a remote file
to the local computer.
Name Troj/Nobond-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Nobond-B is a downloader Trojan for the Windows platform.
Advanced
Troj/Nobond-B is a downloader Trojan for the Windows platform.
Troj/Nobond-B attempts to drop the file <Temp>\msie.dat, also detected
as Troj/Nobond-B, and inject it into an instance of Microsoft Internet
Explorer, in order to download a remote file to <Temp>\msie.exe and
execute it.
Troj/Nobond-B displays a fake error message box with the title "Adobe
Reader" and the following text:
Adobe Reader could not open the document because it is either not a suported
file type or because the file has been corrupted (for example, it was sent as an
email attachment and wasn't correctly decoded).
Name Troj/YBHO-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Installs a browser helper object
Aliases
* PWS-FireMing.dll
Prevalence (1-5) 2
Description
Troj/YBHO-A is a password-stealing Trojan for the Windows platform.
Troj/YBHO-A contains functionality to access the internet and
communicate with a remote server.
Advanced
Troj/YBHO-A is a password-stealing Trojan for the Windows platform.
Troj/YBHO-A contains functionality to access the internet and
communicate with a remote server.
When first run Troj/YBHO-A drops the following file:
<Windows>\yhelp.dll - detected as Troj/YBHO-A
Troj/YBHO-A creates the following registry entry to start itself:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Yahoo! Helper
Rundll32.exe yhelp.dll,Init
as well as a COM object and Browser Helper Object (BHO) under the
following registry trees:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{E838FBB2-574D-4926-9C81-CCB15F3A3F53}
HKCR\CLSID\{E838FBB2-574D-4926-9C81-CCB15F3A3F53}
Name Troj/Banker-EIS
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Allows others to access the computer
* Steals information
* Uses its own emailing engine
* Downloads code from the internet
* Monitors browser activity
Prevalence (1-5) 2
Description
Troj/Banker-EIS is a Trojan for the Windows platform.
Troj/Banker-EIS includes functionality to steal confidential
information when a user visits banking-related websites.
Advanced
Troj/Banker-EIS is a Trojan for the Windows platform.
Troj/Banker-EIS includes functionality to steal confidential
information when a user visits banking-related websites.
Once installed the Trojan monitors a user's internet access. When
certain banking websites are accessed, Troj/Banker-EIS displays a fake
login screen, prompting the user to enter confidential information, and
sends the stolen details to a remote website.
Name W32/Rbot-GTE
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Rbot.btq
* W32/Sdbot.VZM
Prevalence (1-5) 2
Description
W32/Rbot-GTE is a worm for the Windows platform.
Advanced
W32/Rbot-GTE is a worm for the Windows platform.
When W32/Rbot-GTE is installed it creates the file
<System>\drivers\oreans32.sys.
The file oreans32.sys is not malicious.
Name Troj/VB-DXM
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* TR/VB.Karsh
* Trojan:Win32/VB.AAH
Prevalence (1-5) 2
Description
Troj/VB-DXM is a Trojan for the Windows platform.
Troj/VB-DXM contains functionality to connect to the internet and
communicate with a remote server via HTTP.
Advanced
Troj/VB-DXM is a Trojan for the Windows platform.
Troj/VB-DXM contains functionality to connect to the internet and
communicate with a remote server via HTTP.
When first run Troj/VB-DXM copies itself to:
<System>\winlogonEvt.exe
and creates the file:
<Windows>\Multi-ICQ.exe - also detected as Troj/VB-DXM.
Troj/VB-DXM creates the following registry entry to start itself:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Update
<System>\winlogonEvt.exe
Troj/VB-DXM may replace the following file with a different version:
<System>\mswinsck.ocx - Legitimate Microsoft Winsock Control DLL
Name W32/Rbot-GTF
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* W32/Sdbot.worm.gen.ay
* Backdoor.Win32.Rbot.dyx
Prevalence (1-5) 2
Description
W32/Rbot-GTF is a worm for the Windows platform.
Advanced
W32/Rbot-GTF is a worm for the Windows platform.
When first run W32/Rbot-GTF copies itself to <System>\wgcptsud.exe.
The following registry entries are created to run wgcptsud.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates
wgcptsud.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates
wgcptsud.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Updates
wgcptsud.exe
Registry entries are created under:
HKCR\.key
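The persistence locations named in the write-ups above (the Winlogon "System" value in Troj/DNSChan-LZ, the Run/RunServices keys in the Rbot, VB-DXM, IRCBot-XV and YBHO-A entries, the Browser Helper Object in Troj/YBHO-A, and autorun.inf plus the hidden "runauto.." folder on removable media in W32/SillyFDC-AV) can be audited on a Windows host with the script below. It is an added example, not Sophos's or the poster's code, and assumes an elevated Windows PowerShell 5.1 session on the host under review; the name patterns it flags are taken only from these entries.

```powershell
# Added audit example; not from the Sophos descriptions above. Inspects the autostart
# locations those descriptions name and reports anything that deviates from defaults.
# Assumption: run from an elevated Windows PowerShell 5.1 session on the host under review.
$findings = New-Object System.Collections.ArrayList
function Add-Finding($where, $name, $value) {
    [void]$findings.Add([pscustomobject]@{ Location = $where; Name = $name; Value = $value })
}

# Winlogon "System" is empty on a clean install; Troj/DNSChan-LZ points it at kdjjz.exe.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.System) { Add-Finding 'Winlogon' 'System' $wl.System }

# Run/RunServices values (Rbot-GTC/GTE/GTF, VB-DXM, IRCBot-XV, YBHO-A). Flag display names
# that impersonate Windows Update and commands that are a bare filename found via <System>.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        if ($p.Name -match '^(Microsoft|Windows) Update' -or $p.Value -match '^[^\\"]+\.exe$') {
            Add-Finding $key $p.Name $p.Value
        }
    }
}

# Browser Helper Objects: resolve each CLSID to its DLL so an unexpected one (yhelp.dll
# in Troj/YBHO-A) stands out. HKCR is reached as HKLM:\SOFTWARE\Classes.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    foreach ($k in Get-ChildItem $bho) {
        $srv = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$($k.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
        Add-Finding 'BHO' $k.PSChildName $srv.'(default)'
    }
}

# Removable drives (DriveType 2): W32/SillyFDC-AV plants autorun.inf and a hidden
# "runauto.." folder. Test-Path would normalise the trailing dots away, so enumerate
# the root with -Force and compare names instead.
foreach ($d in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2') {
    Get-ChildItem -LiteralPath "$($d.DeviceID)\" -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'autorun.inf', 'autorun.inf.tmp', 'runauto..' } |
        ForEach-Object { Add-Finding $d.DeviceID $_.Name 'present on removable media' }
}

$findings | Format-Table -AutoSize
```

An empty table is the expected result on a clean host; any BHO row still needs to be checked against the software actually installed, since legitimate toolbars register there too.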
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)