Text 107, 689 rader
Skriven 2006-03-11 12:30:00 av KURT WISMER (1:123/140)
Ärende: News, March 11 2006
===========================
[cut-n-paste from sophos]
Name Troj/Banker-AML
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Records keystrokes
* Installs itself in the Registry
Aliases
* PWS-Banker.gen.b
* Trojan-Spy.Win32.Banker.aec
* W32/Banker.IXB
Prevalence (1-5) 2
Description
Troj/Banker-AML is a data stealing Trojan for the Windows platform
which attempts to capture confidential information related to
internet banking.
Advanced
Troj/Banker-AML is a data stealing Trojan for the Windows platform
which attempts to capture confidential information related to
internet banking.
When first run Troj/Banker-AML copies itself to <System>\winlogin.exe.
The following registry entry is created to run winlogin.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update
<System>\winlogin.exe
Name W32/Rbot-CLO
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.gen
* Backdoor.IRC.Bot
* WORM_RBOT.DZY
Prevalence (1-5) 2
Description
W32/Rbot-CLO is a network worm with backdoor functionality for the
Windows platform.
W32/Rbot-CLO spreads using a variety of techniques including:
-exploiting weak passwords on computers and SQL servers
-exploiting common buffer overflow vulnerabilities, including:
Veritas (CAN-2004-1172) and ASN.1 (MS04-007)
W32/Rbot-CLO attempts to disable anti-virus and other security
related software.
Advanced
W32/Rbot-CLO is a network worm with backdoor functionality for the
Windows platform.
W32/Rbot-CLO spreads using a variety of techniques including:
-exploiting weak passwords on computers and SQL servers
-exploiting common buffer overflow vulnerabilities, including:
Veritas (CAN-2004-1172) and ASN.1 (MS04-007)
W32/Rbot-CLO attempts to disable anti-virus and other security
related software.
W32/Rbot-CLO can be controlled by a remote attacker over IRC
channels. The backdoor component of W32/Rbot-CLO can be instructed by
a remote user to perform the following functions:
- start an FTP server
- start a Proxy server
- start a web server
- take part in distributed denial of service (DDoS) attacks
- log keypresses
- capture screen/webcam images
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)
- steal product registration information from certain software
The worm copies itself to a file named b4db0yz.exe in the Windows
system folder and creates the following registry entries:
HKCU\Software\Microsoft\OLE
System Service
b4db0yz.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Service
b4db0yz.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
System Service
b4db0yz.exe
A patch for the operating system vulnerability exploited by
W32/Rbot-CLO can be obtained from Microsoft at: MS04-007
Name Troj/Dumador-AI
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* W32/Dumaru.gen@MM
* Win32/Dumador
* Backdoor.Nibu
Prevalence (1-5) 2
Description
Troj/Dumador-AI is a Trojan for the Windows platform.
Troj/Dumador-AI includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Dumador-AI can steal email and FTP passwords stored on the
infected computer.
Advanced
Troj/Dumador-AI is a Trojan for the Windows platform.
Troj/Dumador-AI includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Dumador-AI can steal email and FTP passwords stored on the
infected computer.
When first run Troj/Dumador-AI copies itself to <System>\winldra.exe
and creates the following files:
<Temp>\fe43e701.htm
<Windows>\dvpd.dll
<Windows>\netdx.dat
The following registry entry is created to run winldra.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load32
<System>\winldra.exe
Troj/Dumador-AI changes settings for Microsoft Internet Explorer by
modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
Registry entries are created under:
HKCU\Software\SARS\
Name W32/Hilder-A
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
Prevalence (1-5) 2
Description
W32/Hilder-A is a mass-mailing worm for the Windows platform.
W32/Hilder-A will attempt to run its own VBScript code in order to
email itself to other computers using Microsoft Outlook if it is
installed. W32/Hilder-A sends emails to addresses found in the
Outlook address book with the subject line "GEIL!" and message text
"Heisse Bilder im Anhang!".
W32/Hilder-A also includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Hilder-A is a mass-mailing worm for the Windows platform.
W32/Hilder-A is a hybrid worm comprising sections written in
assembly, batch scripting language, and VBScript. Despite its EXE
extension it is executed as a 16-bit COM executable.
When first run W32/Hilder-A copies itself to the following locations
(if available) :
<user>\STARTM~1\progra~1\autost~1\wind0ws.exe
<Windows folder>\WINSECURITY\CSRSS.EXE
<Windows folder>\WINSECURITY\SERVICES.EXE
<Windows folder>\WINSECURITY\SMSS.EXE
<Windows folder>\WINSECURITY\SOCKET1.IFO
<Windows folder>\WINSECURITY\SOCKET2.IFO
<Windows folder>\WINSECURITY\SOCKET3.IFO
G:\wichtig.exe
A:\wichtig.exe
C:\FUUU.exe
C:\FU.exe
C:\me.exe
C:\by.exe
C:\u were infected.exe
<Windows folder>\INF3CTED.EXE
<Windows folder>\NET5KY.EXE
<Windows folder>\SA55ER.EXE
<Windows folder>\MYD00M.EXE
C:\Dokumente und Einstellungen\All Users\Dokumente\funny.exe
C:\Dokumente und Einstellungen\All Users\Dokumente\unbelieveable.exe
<Windows folder>\TEMP\FU0001.TMP
<Windows folder>\TEMP\FU0002.TMP
C:\hiberfile.sys
W32/Hilder-A will also attempt to delete files from the following
locations in order to disable anti-virus protection :
C:\programme\mcafee\*.*
C:\programme\symantec\*.*
This attempt is specifically aimed at the German version of Windows.
W32/Hilder-A will attempt to run its own VBScript code in order to
email itself to other computers using Microsoft Outlook if it is
installed. W32/Hilder-A sends emails to addresses found in the
Outlook address book with the subject line "GEIL!" and message text
"Heisse Bilder im Anhang!".
W32/Hilder-A also includes functionality to access the internet and
communicate with a remote server via HTTP.
Name W32/VB-ACS
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Aliases
* W32/Bactera.worm!p2p
Prevalence (1-5) 2
Description
W32/VB-ACS is a worm for the Windows platform.
W32/VB-ACS can spread via peer-to-peer networks.
Advanced
W32/VB-ACS is a worm for the Windows platform.
W32/VB-ACS can spread via peer-to-peer networks.
When first run W32/VB-ACS copies itself to:
\AntiVirScan.exe
\bac.exe
\bac2.exe
Registry entries are created under:
HKCU\Software\VB and VBA Program Settings\Bactera\BAC1\
Name Troj/Runner-F
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Runner-F is a Trojan for the Windows platform.
Troj/Runner-F can be used in conjunction with other malware. The
Trojan will run the program "dgfgql.exe"
Name Troj/Dumaru-BZ
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Uses its own emailing engine
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Backdoor.Win32.Dumador.ft
Prevalence (1-5) 2
Description
Troj/Dumaru-BZ is a Trojan with password stealing capabilities.
Advanced
Troj/Dumaru-BZ is a Trojan with password stealing capabilities.
When first run Troj/Dumaru-BZ copies itself to the Windows System
folder as winldra.exe and creates the following registry entry so as
to run itself on user logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load32
<System>\winldra.exe
The following files may also be created:
<Windows>\dvpd.dll
<Windows>\sendlogs_dat
<Windows>\dvp.log
<Windows>\prntk.log
<Windows>\prntc.log
<Windows>\netdx.dat
<Temp>\fe43e701.htm
The files sendlogs_dat, dvp.log, prntk.log, prntc.log, netdx.dat and
fe43e701.htm are non-malicious and may be safely deleted.
dvpd.dll is also being detected by Sophos as Troj/Dumaru-BZ.
Troj/Dumaru-BZ captures clipboard data, window text, cached passwords
and confidential information from the protected storage area of
Windows.
The Trojan has the ability to log keystrokes.
The Trojan also attempts to steal confidential information related to
E-Gold, WebMoney, Total Commander and Far Manager account details as
well as TCP/IP Interface settings, Internet Account Manager POP3 user
names/passwords and Windows user names.
The Trojan creates the following registry entry:
HKCU\Software\SARS
SocksPort
<random hexadecimal port number>
The Trojan then uses this port number to set up a backdoor listening
port to await for commands from a remote user.
The Trojan also changes the settings of Internet Explorer and Windows
Explorer by creating the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main
AllowWindowReuse
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
Append Completion
yes
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
AutoSuggest
yes
Troj/Dumaru-BZ also appends the HOSTS file with the following
mappings to deny access to anti-virus and security related websites:
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 us.mcafee.com/root/
127.0.0.1 www.symantec.com
The Trojan then injects the dropped DLL helper component dvpd.dll
into the Windows Explorer process and begins keylogging functionality
when Internet Explorer is started.
The keylogged information is then stored in the file prntk.log in the
Windows folder. This file is then sent to a pre-configured website as
a web form to a pre-configured attacker.
Once this data has been sent, the Trojan sets the following registry
entry:
HKCU\Software\SARS
mailsended
<number>
Name Troj/BrontDl-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/BrontDl-B is a downloading Trojan for the Windows platform.
Troj/BrontDl-B attempts to download and execute a file from a
preconfigured location on the internet.
Advanced
Troj/BrontDl-B is a downloading Trojan for the Windows platform.
Troj/BrontDl-B attempts to download a file from a preconfigured
location to <System>\dll\lsass.exec2u.bin and execute it.
At the time of writing, this file was unavailable for download.
When first run Troj/BrontDl-B copies itself to <System>\dll\lsass.exe.
The following registry entry is changed to run lsass.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\dll\lsass.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
Name W32/USKAF-A
Type
* Worm
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Deletes files off the computer
* Installs itself in the Registry
Aliases
* Trojan.Win32.VB.abe
* W32/Generic.m
* WORM_USKAF.A
Prevalence (1-5) 2
Description
W32/USKAF-A is a worm for the Windows platform.
Advanced
W32/USKAF-A is a worm for the Windows platform.
When first run W32/USKAF-A copies itself to
<Startup>\ImagViewer.exe
<Program Files>\GifAnimator.exe
and creates the file <Program Files>\Font1.Gif(harmless image file).
The worm may replace files with the following extensions with a copy
of itself:
BMP
COM
GIF
JPG
LNK
MP3
PIF
PNG
SCR
TIF
The following registry entry is created to run GifAnimator.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ImagViewer
<Program Files>\GifAnimator.exe
The following registry entries are set, disabling the registry editor
(regedit) and the Windows task manager (taskmgr):
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
Registry entries are created under:
HKCR\keyfile\shell\open\command\
Name Troj/PWS-KI
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Uses its own emailing engine
* Reduces system security
* Installs itself in the Registry
Aliases
* SennaSpy2001
Prevalence (1-5) 2
Description
Troj/PWS-KI is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Troj/PWS-KI includes functionality to access the internet and
communicate with a remote server via HTTP. The Trojan may send an
email to inform a remote user when a computer has been compromised,
and may also inform the remote user of the password used to connect
to the internet.
Troj/PWS-KI modifies internet security settings.
Advanced
Troj/PWS-KI is a backdoor Trojan which allows a remote intruder to
gain access and control over the computer.
Troj/PWS-KI includes functionality to access the internet and
communicate with a remote server via HTTP. The Trojan may send an
email to inform a remote user when a computer has been compromised,
and may also inform the remote user of the password used to connect
to the internet.
When first run Troj/PWS-KI copies itself to the Windows folder and to
<Startup>\Server.exe.
Troj/PWS-KI also creates the following files:
\sendhmtl.htm
<CurrentFolder>\regadd706.Reg
The file sendhmtl.htm can be deleted.
The file regadd706.Reg may cause the follwing registry entry to be
set, so that the Trojan automatically runs on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
<name of copy of Trojan in the Windows folder>
Note that the second copy of the Trojan, in the <Startup> folder,
will also be started automatically.
The following registry entry is also set, affecting internet security:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\3
1601
0
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|