Text 337, 827 lines
Written 2007-11-11 23:58:00 by KURT WISMER (1:123/140)
Subject: News, November 11 2007
==============================
[cut-n-paste from sophos.com]
Name Troj/Zlob-AFW
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Zlob-AFW is a Trojan for the Windows platform.
Name W32/Mabezat-A
Type
* Virus
How it spreads
* Removable storage devices
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Leaves non-infected files on computer
Aliases
* Worm.Win32.Mabezat.a
Prevalence (1-5) 2
Description
W32/Mabezat-A is a virus for the Windows platform which also spreads by
copying itself to network shares and removable devices.
Advanced
W32/Mabezat-A is a virus for the Windows platform which also spreads by
copying itself to network shares and removable devices.
W32/Mabezat-A copies itself to removable devices with one or more of
the following filenames:
"My documents .exe"
"Readme.doc .exe"
"tazebama.exe"
Note, the above filenames may have several space characters inserted
between the stub and the extension in the hope that the user will not
notice the EXE extension and click on the file, which will appear as a
folder in Explorer.
When W32/Mabezat-A is installed the following files are created:
<System>\salo.exe - copy of the virus dropper
<Root>\1.txt - innocuous LOG file of the virus' activities
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit,salo.exe
The virus may also encrypt files (simple addition of 0x10 to every
byte) with the following extensions: HLP, PDF, HTML, TXT, ASPX.CS, ASPX,
PSD, MDF, RTF, HTM, PPT, PHP, ASP, PAS, H, CPP, XLS, DOC, RAR, ZIP and
MDB.
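The two things a responder would want from the W32/Mabezat-A entry above are a check for the space-padded ".exe" filename trick and a way to recover files hit by the byte-wise +0x10 transform. This is an added example, not Sophos's code or the virus's; it assumes the addition wraps modulo 256 (the page does not say) and uses a constructed sample file.

```python
import re

# Extensions the page says W32/Mabezat-A may encrypt, lower-cased.
MABEZAT_EXTENSIONS = ("aspx.cs", "hlp", "pdf", "html", "txt", "aspx", "psd", "mdf",
                      "rtf", "htm", "ppt", "php", "asp", "pas", "h", "cpp", "xls",
                      "doc", "rar", "zip", "mdb")
# "<stub>[.inner ext]<spaces>.exe", e.g. "Readme.doc      .exe": the run of
# spaces pushes ".exe" out of view in Explorer so the file passes as a document.
PADDED_EXE = re.compile(r"^.+? +\.exe$", re.IGNORECASE)

def is_padded_executable(name):
    """True for names that hide an .exe suffix behind one or more spaces."""
    return PADDED_EXE.match(name) is not None

def targeted_extension(name):
    """Return the listed extension a filename ends with, or None."""
    lower = name.lower()
    for ext in MABEZAT_EXTENSIONS:          # "aspx.cs" precedes "aspx" on purpose
        if lower.endswith("." + ext):
            return ext
    return None

def mabezat_transform(data, direction=1):
    """Add (direction=1) or subtract (direction=-1) 0x10 from every byte.
    Assumption not stated on the page: the addition wraps modulo 256."""
    return bytes((b + direction * 0x10) & 0xFF for b in data)

def recover(data):
    """Undo the transform: the original bytes of a file hit by the virus."""
    return mabezat_transform(data, -1)

def probably_encrypted_text(data):
    """Heuristic for text-type files (TXT, HTML, ...): raw bytes are not mostly
    printable but become so after recovery."""
    def printable_ratio(blob):
        if not blob:
            return 0.0
        ok = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
        return ok / len(blob)
    return printable_ratio(data) < 0.5 and printable_ratio(recover(data)) > 0.9

# Constructed sample: a tiny TXT file before and after the virus transforms it.
SAMPLE_PLAINTEXT = b"Quarterly report\r\nTotal: 42\r\n"
SAMPLE_ENCRYPTED = mabezat_transform(SAMPLE_PLAINTEXT)
```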
Name Troj/MDrop-BPY
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 2
Description
Troj/MDrop-BPY is a dropper Trojan for the Windows platform.
The EXE dropped by Troj/MDrop-BPY is detected as Troj/Agent-GFJ.
Name W32/Anti-C
Type
* Worm
How it spreads
* Removable storage devices
* Network shares
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Anti-C is a worm for the Windows platform.
Name W32/IRCBot-YZ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/IRCBot-YZ is a worm for the Windows platform.
Advanced
W32/IRCBot-YZ spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC
(MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and
RealVNC (CVE-2006-2369) and by copying itself to network shares
protected by weak passwords.
W32/IRCBot-YZ runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/IRCBot-YZ copies itself to <Windows>\trkwksvc.exe.
The file trkwksvc.exe is registered as a new system driver service
named "NET Service", with a display name of "NET Service" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\NET Service
The following registry entries are set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
EnableFirewall
0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
DoNotAllowExceptions
0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
DisableNotifications
1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall
0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
DoNotAllowExceptions
0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
DisableNotifications
1
W32/IRCBot-YZ sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server
fffe
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPerServer
fffe
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
SFCDisable
ffffff9d
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
SFCScan
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center
Name W32/Brontok-DP
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Brontok-DP is a worm for the Windows platform.
W32/Brontok-DP will attempt to copy itself to network and removable
drives. The worm will also create an autorun.inf file so that it is
automatically run when the drive is accessed.
Advanced
W32/Brontok-DP is a worm for the Windows platform.
W32/Brontok-DP will attempt to copy itself to network and removable
drives, using filenames including Music.exe and Default.pif. The worm
will also create an autorun.inf file so that it is automatically run
when the drive is accessed. The worm also spreads to other network
computers.
When first run W32/Brontok-DP copies itself to:
<User>\Documents\Music.exe
<Startup>\Default.pif
<Root>\Windowxp\explorer.exe
<Windows>\Fonts\smss.exe
<Windows>\System32.exe
<System>\dllcache\services.exe
<System>\oobe\isperror\csrss.exe
and creates the following files:
<Root>\autorun.inf
<Windows>\SoftWareProtector\smss_out.pr
<Windows>\winxp.inf
The following registry entry is changed to run W32/Brontok-DP on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\fonts\smss.exe
The following registry entries are set or modified, so that csrss.exe
is run when files with extensions of BAT, COM, EXE and PIF are
opened/launched:
HKCR\lnkfile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*
HKCR\batfile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*
HKCR\comfile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*
HKCR\exefile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*
HKCR\piffile\shell\open\command
(default)
<System>\oobe\isperror\csrss.exe" "%1" %*
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HideClock
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDrives
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoShellSearchButton
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSimpleStartMenu
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoControlPanel
00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
kbao
AUTO.TXT
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
00
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
00
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
00
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
000
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
<System>\dllcache\services.exe
Name W32/SdBot-DIP
Type
* Worm
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/SdBot-DIP is a worm for the Windows platform.
Advanced
W32/SdBot-DIP is a worm for the Windows platform.
W32/SdBot-DIP includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/SdBot-DIP copies itself to the Windows folder and to
<Program Files>\KaZaA\My Shared Folder\.
W32/SdBot-DIP is registered as a new system driver service named
"s3contrl (32-bit)", with a display name of "s3contrl (32-bit)" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\s3contrl (32-bit)
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
W32/SdBot-DIP sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe %WINDIR%\<original worm filename>
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center
HKLM\SOFTWARE\Symantec\LiveUpdate Admin
Name Troj/Agent-GFG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Enables remote access
Prevalence (1-5) 2
Description
Troj/Agent-GFG is a Trojan for the Windows platform.
Name W32/Virut-S
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Virut-S is a virus for the Windows platform.
Name W32/SpyBot-OD
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/SpyBot-OD is a worm for the Windows platform.
Advanced
W32/SpyBot-OD is a worm for the Windows platform.
W32/SpyBot-OD runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/SpyBot-OD includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/SpyBot-OD copies itself to <System>\msnrav.exe.
The file msnrav.exe is registered as a new system driver service named
"MSN RAV", with a display name of "MSN RAV" and a startup type of
automatic, so that it is started automatically during system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\MSN RAV
W32/SpyBot-OD sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center
Name W32/SdBot-DIN
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/SdBot-DIN is a worm for the Windows platform.
Advanced
W32/SdBot-DIN is a worm for the Windows platform.
W32/SdBot-DIN runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/SdBot-DIN includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/SdBot-DIN copies itself to
<System>\dllcache\mravsc32.exe.
The file mravsc32.exe is registered as a new system driver service
named "Distributed Allocated Memory Unit", with a display name of
"Distributed Allocated Memory Unit" and a startup type of automatic, so
that it is started automatically during system startup. Registry
entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Distributed Allocated Memory Unit
W32/SdBot-DIN sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center
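The IRCBot-YZ, SdBot-DIP, SpyBot-OD and SdBot-DIN entries above share a set of registry changes that switch off the Windows Firewall, block XP SP2 and disable DCOM, and Brontok-DP rewrites the shell\open\command handlers for executable file types. This added example (not Sophos's code) reads a minimal `.reg` export and reports those settings; the sample export is constructed, and the handler check assumes the stock handler for exefile, batfile, comfile and piffile is exactly `"%1" %*`.

```python
# Constructed .reg export (not from the page); <System> is the page's placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="<System>\\oobe\\isperror\\csrss.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
"""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CLASSES_ROOT": "HKCR"}
FW = r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall"
# (key, value name) -> (data the worms write, what it means)
INDICATORS = {
    (FW + r"\DomainProfile", "EnableFirewall"): ("0", "firewall off (domain)"),
    (FW + r"\StandardProfile", "EnableFirewall"): ("0", "firewall off (standard)"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate",
     "DoNotAllowXPSP2"): ("1", "XP SP2 install blocked"),
    (r"HKLM\SOFTWARE\Microsoft\Ole", "EnableDCOM"): ("N", "DCOM disabled"),
}

def parse_reg(text):
    # Minimal .reg reader: {(short hive\key, value name): data as a string}.
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVES.get(hive, hive) + "\\" + rest
        elif key and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                data = str(int(data[6:], 16))          # dword:00000001 -> "1"
            elif data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            entries[(key, name)] = data
    return entries

def audit(entries):
    findings = [f"{k}\\{n} = {bad}: {why}" for (k, n), (bad, why)
                in INDICATORS.items() if entries.get((k, n)) == bad]
    # Stock handler for these types is exactly "%1" %*; Brontok-DP wraps it.
    for ftype in ("exefile", "batfile", "comfile", "piffile"):
        cmd = entries.get((rf"HKCR\{ftype}\shell\open\command", "(default)"))
        if cmd is not None and cmd != '"%1" %*':
            findings.append(f"{ftype} open handler hijacked: {cmd}")
    return findings
```

On a live host the input would come from `reg export` of the keys above; the parser only understands string and dword values, which is all these indicators need.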
Name W32/Virut-R
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
Prevalence (1-5) 2
Description
W32/Virut-R is an executable file virus for the Windows platform.
W32/Virut-R runs continuously in the background, infecting executable
files and allowing a remote user to access the computer.
Name Troj/Delf-EYT
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Delf-EYT is a Trojan for the Windows platform.
Troj/Delf-EYT includes functionality to download, install and run new
software.
Advanced
Troj/Delf-EYT is a Trojan for the Windows platform.
Troj/Delf-EYT includes functionality to download, install and run new
software.
When first run Troj/Delf-EYT copies itself to <System>\imap.exe.
The following registry entry is created to run imap.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
imap
<System>\imap.exe
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)