Conference VIRUS_INFO, 201 messages
Message 112, 1253 lines
Written 2006-04-16 11:19:00 by KURT WISMER (1:123/140)
Subject: News, April 16 2006
===========================
[cut-n-paste from sophos.com]

Name   W32/Rbot-DPM

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Rbot.awg
    * W32/Sdbot.PAM

Prevalence (1-5) 2

Description
W32/Rbot-DPM is a worm for the Windows platform.

W32/Rbot-DPM spreads

- to computers vulnerable to common exploits, including: LSASS 
(MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), PNP (MS05-039) and 
ASN.1 (MS04-007)

- to MSSQL servers protected by weak passwords

- to network shares

The backdoor component connects to an IRC server and awaits commands 
from remote attackers.

Advanced
W32/Rbot-DPM is a worm for the Windows platform.

When first run W32/Rbot-DPM copies itself to <System>\snmoo.exe

The following registry entries are created to run snmoo.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Inom
snmoo.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Inom
snmoo.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Inom
snmoo.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Inom
snmoo.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Inom
snmoo.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Inom
snmoo.exe

HKCU\Software\Microsoft\OLE
Inom
snmoo.exe

HKLM\SOFTWARE\Microsoft\Ole
Inom
snmoo.exe

W32/Rbot-DPM spreads

- to computers vulnerable to common exploits, including: LSASS 
(MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), PNP (MS05-039) and 
ASN.1 (MS04-007)

- to MSSQL servers protected by weak passwords

- to network shares

The backdoor component connects to an IRC server and awaits commands 
from remote attackers.





Name   Troj/Agent-BEK

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Reduces system security
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
Troj/Agent-BEK is a Trojan for the Windows platform.

Troj/Agent-BEK creates randomly named shortcuts in the <Favorites> 
folder.

The Trojan waits for an Internet Explorer window to open and then 
displays a pop-up.

Advanced
Troj/Agent-BEK is a Trojan for the Windows platform.

Troj/Agent-BEK creates randomly named shortcuts in the <Favorites> folder.

The following registry entries are set, affecting internet security:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\17hib.com\

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\17hib.com
*
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\51hi8.com\

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\51hi8.com
*
2





Name   Troj/Dloadr-AVQ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Downloader-AVQ
    * Trojan-Downloader.Win32.Agent.afl

Prevalence (1-5) 2

Description
Troj/Dloadr-AVQ is a Trojan for the Windows platform.

The Trojan downloads and installs files from a remote site.





Name   Troj/ExpHm-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/ExpHm-B is a downloading Trojan for the Windows platform.

Advanced
Troj/ExpHm-B is a Trojan for the Windows platform.

When run, Troj/ExpHm-B executes shell code from within Internet 
Explorer which attempts to download and run \cpu.exe.





Name   W32/Agobot-ABR

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Agobot.gen
    * W32.IRCBot

Prevalence (1-5) 2

Description
W32/Agobot-ABR is a worm with backdoor functionality for the Windows 
platform.

W32/Agobot-ABR spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: PNP (MS05-039) and 
ASN.1 (MS04-007).

W32/Agobot-ABR runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Agobot-ABR is a worm with backdoor functionality for the Windows 
platform.

W32/Agobot-ABR spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: PNP (MS05-039) and 
ASN.1 (MS04-007).

W32/Agobot-ABR runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Agobot-ABR copies itself to <Windows system folder>\sslphp32.exe.

The following registry entries are created to run sslphp32.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Svcphpwin
sslphp32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Svcphpwin
sslphp32.exe

Registry entries are set as follows:

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
AUOptions
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
0

Registry entries are created under:

HKCU\Software\Microsoft\Security Center\
HKLM\SOFTWARE\Microsoft\Security Center\





Name   W32/Francette-Z

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Delf.abc
    * Win32/Tumbi

Prevalence (1-5) 2

Description
W32/Francette-Z is a worm and backdoor Trojan for the Windows platform.

W32/Francette-Z spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).

Advanced
W32/Francette-Z is a worm and backdoor Trojan for the Windows platform.

W32/Francette-Z spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).

W32/Francette-Z runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

The following registry entry is created to run W32/Francette-Z on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft IIS
<pathname of the Trojan executable>





Name   Troj/Mlsuc-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Uses its own emailing engine
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Mlsuc-A is a backdoor Trojan for the Windows platform.

Troj/Mlsuc-A includes functionality to send notification messages to 
remote locations.

Advanced
Troj/Mlsuc-A is a backdoor Trojan for the Windows platform.

Troj/Mlsuc-A includes functionality to send notification messages to 
remote locations.

When Troj/Mlsuc-A is installed it creates the following clean files:

<System>\delself.bat
<System>\res.dat
<System>\res.tmp

The following registry entry is created to run Troj/Mlsuc-A on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DrCache
<pathname of the Trojan executable>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
DrCache
<pathname of the Trojan executable>

Troj/Mlsuc-A attempts to delete these registry entries if it detects 
that regedit.exe or taskmgr.exe are running. However it in fact 
deletes entries with the name "MS NetVR" instead, which are set by 
the similar Trojan Troj/Agent-AN.

Troj/Mlsuc-A may perform a number of actions if instructed to do so 
by a remote user, including sending emails, rebooting the computer, 
sending and receiving files, and executing files.





Name   Troj/Bdoor-YL

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer

Prevalence (1-5) 2

Description
Troj/Bdoor-YL is a backdoor Trojan.

Troj/Bdoor-YL includes an FTP server and IRC file transfer program as 
well as a number of legitimate applications.

Advanced
Troj/Bdoor-YL is a backdoor Trojan.

Troj/Bdoor-YL includes an FTP server and IRC file transfer program as 
well as a number of legitimate applications.

Troj/Bdoor-YL may install the following files:

cygcrypt-0.dll
cygwin1.dll
install.bat
install.exe
mdrctrl.dll
mss.ini
msvcr70.dll
msvcr80.dll
packs.txt
rundll32.dll
schedsvc32.dll
schedsvc32.exe
ServUCert.key
ServUDaemon.ini
ServUPerfCount.dll
ServUStartUpLog.txt
snmpapi.dll
spoolsv.exe
spoolsv32.exe
welcome.txt

Install.bat, mss.ini, schedsvc32.exe, spoolsv.exe and spoolsv32.exe 
are detected as Troj/Bdoor-YL. All other files are legitimate 
applications or their associated data files.

Troj/Bdoor-YL may install itself as services named SessionUpdate and 
Smhost.





Name   Troj/Proxy-CE

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Proxy-CE is a proxy Trojan for the Windows platform.

The Trojan changes internet settings in order that network traffic is 
directed to a remote address, unknown to the infected user.

Advanced
Troj/Proxy-CE is a proxy Trojan for the Windows platform.

The Trojan changes internet settings in order that network traffic is 
directed to a remote address, unknown to the infected user.

The following registry entries are set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
<proxy IP address>:9870

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
31





Name   W32/Letum-A

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Letum.a
    * WORM_LETUM.A
    * MSIL/Letum.a@MM
    * MSIL.Letum.A@mm

Prevalence (1-5) 2

Description
W32/Letum-A is a mass-mailing and newsgroup messaging worm for the 
Windows platform.

Emails and newsgroup messages sent by W32/Letum-A have the following 
characteristics:

From:
Symantec Security Response

Subject lines chosen from:

Warning!
Virus Alert
Customer Support
Re:
Re:Warning
Letum
Virus Report

Message text:

'Dear Users

Due to the high increase of the Letum worm, we have upgraded it to 
Category B. Please use our attached removal tool to scan and 
disinfect your computer from the malware.

Regards
Security Response'

'Hiya,

I've found this tool a couple of weeks ago, and after using it i was 
surprised on how good it was on squashing viruses. I wonder if avers 
know about this? ;)'

'Maybe not but try this, i'm sure it will help you in your fight 
against malware. The engine it uses isnt to bad, but the searching 
speed is very fast for such a small size '

Emails sent by the worm have the file attachment of a copy of the 
worm as test.exe.

Newsgroup messages sent by the worm also enclose a copy of the worm 
executable.

Advanced
W32/Letum-A is a mass-mailing and newsgroup messaging worm for the 
Windows platform.

Once installed W32/Letum-A attempts to harvest SMTP and NNTP server 
settings from the Microsoft Internet Account Manager under the 
registry entry:

HKCU\Software\Microsoft\Internet Account Manager

If the SMTP server setting is not found, W32/Letum-A uses the default 
host mail.primaryhost.org.uk.

If the NNTP server setting is not found, W32/Letum-A uses the default 
host news.microsoft.com.

Emails and newsgroup messages sent by W32/Letum-A have the following 
characteristics:

From:
Symantec Security Response

Subject lines chosen from:

Warning!
Virus Alert
Customer Support
Re:
Re:Warning
Letum
Virus Report

Message text:

'Dear Users

Due to the high increase of the Letum worm, we have upgraded it to 
Category B. Please use our attached removal tool to scan and 
disinfect your computer from the malware.

Regards
Security Response'

'Hiya,

I've found this tool a couple of weeks ago, and after using it i was 
surprised on how good it was on squashing viruses. I wonder if avers 
know about this? ;)'

'Maybe not but try this, i'm sure it will help you in your fight 
against malware. The engine it uses isnt to bad, but the searching 
speed is very fast for such a small size '

Emails sent by the worm have the file attachment of a copy of the 
worm as test.exe.

Newsgroup messages sent by the worm also enclose a copy of the worm 
executable.

When run W32/Letum-A attempts to copy itself to a random folder as 
Letum.exe.

W32/Letum-A creates the following registry entry to run itself on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Letum
<path to worm executable>\Letum.exe

W32/Letum-A also creates the following registry entry:

HKCU\Software\Retro
Letum
<path to worm executable>\Letum.exe

W32/Letum-A may also display a message box with the characteristics:

Title:

'Name Entry Error'

Message:

'GeNeTiX is a person not a f**king genetically modified food product.
She's not happy you called her that!

Regards'





Name   W32/Tilebot-EK

Type  
    * Trojan

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Aimbot.df
    * W32/Kelvir.worm.gen
    * WORM_KELVIR.CW

Prevalence (1-5) 2

Description
W32/Tilebot-EK is a worm with backdoor Trojan functionality.

The worm may spread by copying itself to remote network shares or by 
exploiting any of the following vulnerabilities: LSASS (MS04-011), 
RPC-DCOM (MS04-012), ASN.1 (MS04-007).

Advanced
W32/Tilebot-EK is a worm with backdoor Trojan functionality.

The worm may spread by copying itself to remote network shares or by 
exploiting any of the following vulnerabilities: LSASS (MS04-011), 
RPC-DCOM (MS04-012), ASN.1 (MS04-007).

When first run W32/Tilebot-EK copies itself to <Windows>\nssrv.exe 
and creates the following file:

<System>\rofl.sys

The file rofl.sys is detected as Troj/RKPort-A.

The file nssrv.exe is registered as a new system driver service named 
"Microsoft Name Server", with a display name of "Microsoft Name 
Server" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft Name Server\

The file rofl.sys is registered as a new system driver service named 
"rofl", with a display name of "rofl". Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\rofl\

W32/Tilebot-EK sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\





Name   W32/Bagle-GM

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Dropper.Win32.Agent.ami
    * Trojan.Dropper.Small-66
    * Trojan.Clicker.Agent-41

Prevalence (1-5) 2

Description
W32/Bagle-GM is a mass-mailing worm for the Windows platform.

Messages sent by the worm will have the following characteristics:

Subject: chosen randomly from

=?koi8-r?Q?=F0=D2=C9=D7=C5=D4=2C=CB=C1=CB=C9=C5_=CE=CF=D7=CF=D3=D4=C9=3F?=

=?koi8-r?Q?=F4=D9_=D3=C5=C7=CF=C4=CE=D1_=CB=CF_=CD=CE=C5_=D0=D2=C9=C5=C4?=
=?koi8-r?Q?=C5=DB=D8=3F?=

=?koi8-r?Q?=F1_=D4=C5=C2=D1_=D3=C5=C7=CF=C4=CE=D1_=D7=C9=C4=C5=CC=C1?=

Message text: non-Latin characters

Attachment name: chosen randomly from

new.cab
me.cab
you.cab
cool.cab
Re.cab

Advanced
W32/Bagle-GM is a mass-mailing worm for the Windows platform.

Messages sent by the worm will have the following characteristics:

Subject: chosen randomly from

=?koi8-r?Q?=F0=D2=C9=D7=C5=D4=2C=CB=C1=CB=C9=C5_=CE=CF=D7=CF=D3=D4=C9=3F?=

=?koi8-r?Q?=F4=D9_=D3=C5=C7=CF=C4=CE=D1_=CB=CF_=CD=CE=C5_=D0=D2=C9=C5=C4?=
=?koi8-r?Q?=C5=DB=D8=3F?=

=?koi8-r?Q?=F1_=D4=C5=C2=D1_=D3=C5=C7=CF=C4=CE=D1_=D7=C9=C4=C5=CC=C1?=

Message text: non-Latin characters

Attachment name: chosen randomly from

new.cab
me.cab
you.cab
cool.cab
Re.cab

The attachment is a CAB archive containing a file with a random 
basename and one of the following double extensions:

.cab .cpl
.doc .cpl
.txt .cpl
.avi .cpl
.mpeg .cpl

This file is also detected as W32/Bagle-GM.

When first run W32/Bagle-GM copies itself to <Windows folder>\csrss.exe.

The following registry entry is changed to run W32/Bagle-GM on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
<Windows folder>\csrss.exe

W32/Bagle-GM creates registry entries for its own use beneath

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices

W32/Bagle-GM contains functionality to download and install updated 
versions of itself from preconfigured URLs.





Name   W32/Mytob-HG

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares
    * Chat programs
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Net-Worm.Win32.Small.k
    * W32.Mydoom!gen
    * WORM_MYTOB.PG

Prevalence (1-5) 2

Description
W32/Mytob-HG is a mass-mailing worm with IRC backdoor functionality.

W32/Mytob-HG spreads:

- via email and Instant Messaging networks
- via filesharing on P2P networks
- through network shares with weak passwords
- to other network computers infected with other backdoors
- to other network computers by exploiting common buffer overflow
vulnerabilities

W32/Mytob-HG runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer through IRC channels.

W32/Mytob-HG sends emails with the following characteristics:

Subject: none, or chosen randomly from

test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Advanced
W32/Mytob-HG is a mass-mailing worm with IRC backdoor functionality.

W32/Mytob-HG spreads:

- via email and Instant Messaging networks
- via filesharing on P2P networks
- through network shares with weak passwords
- to other network computers infected with: Troj/Kuang, Troj/Sub7,
Troj/NetDevil, W32/MyDoom, W32/Bagle, Troj/Optix
- to other network computers by exploiting common buffer overflow 
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), 
WebDav (MS03-007), IIS5SSL (MS04-011), DameWare (CAN-2003-1030), 
MSSQL (MS02-039) and PnP (MS05-039).

W32/Mytob-HG runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer through IRC channels.

W32/Mytob-HG sends emails with the following characteristics:

From: an address harvested from the infected computer

Subject: none, or chosen randomly from

test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message text: none, or chosen randomly from

test
The message cannot be represented in 7-bit ASCII encoding and has 
been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary 
attachment.
Mail transaction failed. Partial message is available.

Attachment: one of the following basenames

document
readme
doc
text
file
data
test
message
body

The attached file may be a zip archive, containing a copy of the worm 
executable with a double extension. In all other cases, the attached 
file is the worm executable itself, with one of the extensions PIF, 
SCR, EXE, CMD or BAT.

W32/Mytob-HG spreads by IM networks such as Yahoo, MSN Messenger and 
AOL, as well as IRC. Messages sent by the worm contain one of the 
following descriptions:

LOL, this shit is funny
lol, don't forget to watch this video
your going to like this :D
hehe, watch this
look at this video
just look at this brother

The worm will then attempt a file transfer using one of the following 
filenames:

funny3.scr
crazyjump.scr
lucky.scr
mjackson.scr
picture1.scr
haha.scr
funny1.scr
funny2.scr
exposed.scr
crazy5.scr
HoT.pif

The worm may also send a link to itself of the form

http://<ip>:2001/<filename>

(where <ip> is the IP address of the infected computer)

W32/Mytob-HG copies itself to the shared folders of various P2P 
applications with the following filenames:

activation_crack
Alcohol_120%%_patch
Angilina_Jolie_Sucks_a_Dick
Britney_Spears_sucks_someones_dick.scr
BritneySpears_SoSexy
DAP7.4.x.x_crack
DarkAngel_Lady_get_fucked_so_hardly
dcom_patch
icq2006-final
JenniferLopez_Film_Sexy_Enough
KAV2006_Crack
lcc-win32_update
LimeWire_speed++
Madonna_the_most_sexiest_girl_in_the_world.com
Mariah_Carey_showering_in_bathroom.com
MSN7.0Loader
MSN7.0UniversalPatch
nice_big_asshole_fuck_Jennifer_Lopez.scr
NortonAV2006_Crack
notepad++
nuke2006
office_crack
Opera8
Outlook_hotmail+_fix
RealPlayerv10.xx_crack
rootkitXP
strip-girl-3.0
TaskCatcher
winamp6
YahooMessenger_Loader
ZoneAlarmPro6.xx_Crack

When first run, W32/Mytob-HG copies itself to 0.exe in the Windows 
system folder. The worm then creates the following registry entry in 
order to be run on startup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[string]
<Windows system folder>\0.exe

(Where string may change including variations like 'begin', 'solid', 
etc.)

W32/Mytob-HG attempts to terminate the following security-related 
processes:

_AVPCC.EXE
_AVPM.EXE
_FINDVIRU.EXE
ACKWIN32.EXE
ALOGSERV.EXE
AMON.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
ATGUARD.EXE
AVE32.EXE
AVKSERV.EXE
AVNT.EXE
AVPCC.EXE
AVPM.EXE
AVWIN95.EXE
BLACKICE.EXE
CLAW95CF.EXE
CMGRDIAN.EXE
ECENGINE.EXE
ESAFE.EXE
F-PROT95.EXE
FINDVIRU.EXE
FP-WIN.EXE
FPROT.EXE
GUARDDOG.EXE
IAMAPP.EXE
IOMON98.EXE
KAVPF.EXE
LOOKOUT.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NOD32.EXE
NSPLUGIN.EXE
OGRC.EXE
OUTPOST.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
RAV7.EXE
RULAUNCH.EXE
SCAN32.EXE
SPIDER.EXE
VET95.EXE
VETTRAY.EXE
VSMAIN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
ZONALARM.EXE
ZONALM2601.EXE
ZONEALARM.EXE





Name   Troj/Zlob-HQ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Zlob.li

Prevalence (1-5) 2

Description
Troj/Zlob-HQ is a downloader Trojan for the Windows platform.

Troj/Zlob-HQ may be installed as part of a package pretending to be a 
video codec.

Advanced
Troj/Zlob-HQ is a downloader Trojan for the Windows platform.

Troj/Zlob-HQ may be installed as part of a package pretending to be a 
video codec to the Windows system folder as a file named dfrgsrv.exe.

This file creates a randomly named DLL also in the system folder 
which then attempts to download further code.

The following registry entry may be set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
wininet.dll
dfrgsrv.exe





Name   W32/Mytob-HH

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Mytob-HH is a mass-mailing, network and peer-to-peer worm for the 
Windows platforms. The worm also has an IRC backdoor component.

W32/Mytob-HH will harvest email addresses from the infected computer 
and then mail itself to those addresses as an attachment with 
extension ZIP.

W32/Mytob-HH also attempts to terminate a number of anti-virus and 
security related applications.

Advanced
W32/Mytob-HH is a mass-mailing, network and peer-to-peer worm for the 
Windows platforms. The worm also has an IRC backdoor component.

W32/Mytob-HH spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including: LSASS (MS04-011), 
RPC-DCOM (MS04-012), WebDav (MS03-007), IIS5SSL (MS04-011) 
(CAN-2003-0719), Dameware (CAN-2003-1030), MSSQL (MS02-039) 
(CAN-2002-0649) and PNP (MS05-039)

W32/Mytob-HH copies itself to <System>\ISPSupport.exe as well as 
various P2P shared folders using various filenames, eg:

\My Downloads\YahooMessenger_Loader.scr
<Program Files>\KaZaA\My Shared Folder\icq2006-final.bat
<Program Files>\eDonkey2000\Incoming\Angilina_Jolie_Sucks_a_Dick.scr

In order to run automatically when Windows starts up W32/Mytob-HH 
creates the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ISPSystem
<System>\ISPSupport.exe

W32/Mytob-HH will harvest email addresses from the infected computer 
and then mail itself to those addresses as an attachment with 
extension ZIP.

W32/Mytob-HH also attempts to terminate a number of anti-virus and 
security related applications.

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)