Tillbaka till svenska Fidonet
English   Information   Debug  
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4275
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   27601
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/1974
DOS_INTERNET   0/196
duplikat   5999
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33773
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   23435
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12841
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4155
FN_SYSOP   41520
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13556
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16041
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22002
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   894
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4779
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1117
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   2630
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13029
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/340
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2055
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
Möte VIRUS_INFO, 201 texter
 lista första sista föregående nästa
Text 116, 1465 rader
Skriven 2006-05-07 14:43:00 av KURT WISMER (1:123/140)
Ärende: News, May 7 2006
========================
[cut-n-paste from sophos.com]

Name   Troj/Kango-C

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Kango-C is a backdoor Trojan which allows a remote intruder to 
gain access and control over the computer via IRC channels.

Advanced
Troj/Kango-C is a backdoor Trojan which allows a remote intruder to 
gain access and control over the computer via IRC channels.

When first run Troj/Kango-C moves itself to &ltsystem>\system32.exe 
and creates the following registry entries to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Service
system32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Service
system32.exe

The following registry entry is set:

HKCU\Software\Microsoft\OLE
Microsoft Service
system32.exe





Name   Troj/Zapchas-BF

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Installs itself in the Registry

Aliases  
    * TROJ_DROPPER.BCJ

Prevalence (1-5) 2 

Description
Troj/Zapchas-BF is a multi-component backdoor Trojan that drops the 
virus W32/Parite-B.

Troj/Zapchas-BF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Troj/Zapchas-BF includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Zapchas-BF is a multi-component backdoor Trojan that drops the 
virus W32/Parite-B.

Troj/Zapchas-BF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Troj/Zapchas-BF includes functionality to access the internet and 
communicate with a remote server via HTTP.

When Troj/Zapchas-BF is installed the following files are created:

<System>\aliases.ini
<System>\away.txt
<System>\control.ini
<System>\fullname.txt
<System>\ident.txt
<System>\mirc.ico
<System>\mirc.ini
<System>\nicks.txt
<System>\remote.ini
<System>\script.ini
<System>\servers.ini
<System>\sup.bat
<System>\sup.reg
<System>\svchost.exe
<System>\users.ini

The file svchost.exe is a legitimate mIRC application infected with 
the virus W32/Parite-B. The file script.ini is a malicious mIRC 
configuration file and is also detected as Troj/Zapchas-BF. The other 
files are harmless.

The following registry entries are set or modified so that 
svchost.exe is run when files with extensions of CHA and IRC are 
opened/launched:

HKCR\ChatFile\Shell\open\command
(default)
<System>\svchost.exe" -noconnect

HKCR\irc\Shell\open\command
(default)
<System>\svchost.exe" -noconnect

Registry entries are set as follows:

HKCR\ChatFile\DefaultIcon
(default)
<System>\svchost.exe

HKCR\irc\DefaultIcon
(default)
<System>\svchost.exe

Registry entries are created under:

HKCU\Software\Microsoft\Microsoft Agent\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\





Name   Troj/Dloadr-UP

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.VB.acc

Prevalence (1-5) 2

Description
Troj/Dloadr-UP is a Trojan for the Windows platform.

Troj/Dloadr-UP includes the functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Dloadr-UP is a Trojan for the Windows platform.

Troj/Dloadr-UP includes the functionality to access the internet and 
communicate with a remote server via HTTP.

When Troj/Dloadr-UP is run it creates the following files

<Windows system folder>\LoadService.exe (also detected as 
Troj/Dloadr-UP)
<Windows system folder>\softverfile.ini (this file is harmless and 
may be deleted)

Troj/Dloadr-UP creates the following registry entry to run at system 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LoadService
<Windows system folder>\LoadService.exe





Name   W32/Feebs-AA

Type   
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address

Aliases  
    * Worm.Win32.Feebs.gi
    * JS/Feebs.gen.a@MM
    * JS/TrojanDownloader.Tivso.gen

Prevalence (1-5) 2

Description
W32/Feebs-AA is a worm for the Windows platform.

W32/Feebs-AA may arrive as an email with the following characteristics:

Subject:
Protected Mail from <service provider> user.

where <service provider> may be a common domain name.

Message text:

You have received Protected Mail

To read the message open attached file.

User ID: <number>
Password: <letters>

Keep your password in a safe place.

Sincerely,
Encrypted Message System,
<service provider>

Advanced
W32/Feebs-AA is a worm for the Windows platform.

W32/Feebs-AA may arrive as an email with the following characteristics:

Subject:
Protected Mail from <service provider> user.

where <service provider> may be a common domain name.

Message text:

You have received Protected Mail

To read the message open attached file.

User ID: <number>
Password: <letters>

Keep your password in a safe place.

Sincerely,
Encrypted Message System,
<service provider>

The worm will be contained in a ZIP file.





Name   W32/Bobax-BV

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Uses its own emailing engine
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Net-Worm.Win32.Bobic.ak

Prevalence (1-5) 2

Description
W32/Bobax-BV is a worm for the Windows platform.

W32/Bobax-BV spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including PNP (MS05-039).

W32/Bobax-BV includes functionality to communicate with a remote 
server via HTTP.

W32/Bobax-BV contains an SMTP engine which it may use in order to 
spread by email.

Advanced
W32/Bobax-BV is a worm for the Windows platform.

W32/Bobax-BV spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including PNP (MS05-039).

When run W32/Bobax-BV creates a copy of itself in the temp folder and 
in the system folder with different random names.

W32/Bobax-BV attempts to contact a number of preconfigured internet 
sites in order to report successful infection.

W32/Bobax-BV includes functionality to communicate with a remote 
server via HTTP.

W32/Bobax-BV contains an SMTP engine which it may use in order to 
spread by email.

W32/Bobax-BV modifies the HOSTS file located at 
<System>\Drivers\etc\HOSTS, mapping selected anti-virus websites to 
the loopback address 255.255.255.255 in an attempt to prevent access 
to these sites.

The following registry entry is created to run <virus filename>.exe 
on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random characters>
<System>\<virus name>.exe

W32/Bobax-BV sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

W32/Bobax-BV also sets the following registry entries, affecting 
Windows Firewall settings:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\ 
FirewallPolicy\DomainProfile
DoNotAllowExceptions
0

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\ 
FirewallPolicy\DomainProfile
EnableFirewall
0

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\ 
FirewallPolicy\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOveride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOveride
1

W32/Bobax-BV injects itself into Explorer as a separate thread, so is 
not visible as a separate process.





Name   Troj/Banloa-CCC

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Prevalence (1-5) 2

Description
Troj/Banloa-CCC is a Trojan for the Windows platform.

Troj/Banloa-CCC includes functionality to access the internet and 
communicate
with a remote server via HTTP.

Troj/Banloa-CCC will attempt to download files from the internet and 
run them.
They are detected by Sophos as Troj/Bnkmr-Fam.





Name   Troj/Harnig-S

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security

Aliases  
    * Trojan-Downloader.Win32.Harnig.bh
    * Downloader-AVS
    * Win32/TrojanDownloader.Small.CKJ

Prevalence (1-5) 2

Description
Troj/Harnig-S is a Trojan for the Windows platform.

Troj/Harnig-S includes the following functionalities to:

- access the Internet and communicate with a remote server via HTTP
- terminate processes
- silently download, install and run new software

Advanced
Troj/Harnig-S is a Trojan for the Windows platform.

Troj/Harnig-S includes the following functionalities to:

- access the Internet and communicate with a remote server via HTTP
- terminate processes
- silently download, install and run new software

Troj/Harnig-S attempts to download files to the following locations:

<Program Files>/paytime.exe
<Program Files>/secure32.html
<root>/country.exe
<root>/kl1.exe
<root>/ms1.exe
<root>/tool1.exe
<root>/tool2.exe
<root>/tool3.exe
<root>/tool4.exe
<root>/tool5.exe
<root>/toolbar.exe
<root>/uniq
<Windows>/hosts

Troj/Harnig-S modifies internet security settings by setting the 
following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet\Settings\zonema
p
intranetname="1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet\Settings\zonema
p
uncasintranet="1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet\Settings\zonema
p
proxybypass="1"

Also in attempt to disable Windows firewall Troj/Harnig-S deletes a 
registry entries under the following entry:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess





Name   W32/Bagle-IV

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Scano.t
    * W32/Scano.H

Prevalence (1-5) 2

Description
W32/Bagle-IV is a mass-mailing worm and backdoor Trojan for the 
Windows platform.

W32/Bagle-IV includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Bagle-IV is a mass-mailing worm and backdoor Trojan for the 
Windows platform.

W32/Bagle-IV includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Bagle-IV copies itself to <Windows>\csrss.exe and 
creates the file <Temp>\Message.zip.

The file Message.zp is detected as W32/Bagle-Zip.

The following registry entry is changed to run W32/Bagle-IV on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File 
Execution Options\explorer.exe
Debugger
<Windows>\csrss.exe

W32/Bagle-IV will attempt to email itself to addresses harvested from 
the infected computer as an attachment.





Name   W32/Tumbi-B

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * WORM_TUMBI.E
    * Backdoor.Win32.Delf.abc

Prevalence (1-5) 2

Description
W32/Tumbi-B is a network worm and backdoor Trojan for the Windows 
platform.

Advanced
W32/Tumbi-B is a network worm and backdoor Trojan for the Windows 
platform.

W32/Tumbi-B spreads to other network computers by exploiting common 
buffer overflow vulnerabilities, including RPC-DCOM (MS04-012) and by 
copying itself to network shares protected by weak passwords.

W32/Tumbi-B runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer.

When run W32/Tumbi-B creates the following registry entry to run 
itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft IIS
<path to worm executable>





Name   W32/Feebs-AB

Type  
    * Worm

How it spreads  
    * Email messages

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Prevalence (1-5) 2

Description
W32/Feebs-AB is a worm for the Windows platform.

W32/Feebs-AB typically arrives in a zip file attached to an email. 
The email claims that the attachment is an encrypted message which 
the user should open to read. In reality the attachment drops the 
worm's executable component.

Advanced
W32/Feebs-AB is a worm for the Windows platform.

W32/Feebs-AB typically arrives in a zip file attached to an email. 
The email claims that the attachment is an encrypted message which 
the user should open to read.

When opened, W32/Feebs-AB will create the file 
C:\Recycled\userinit.exe, which is detected as W32/Feebs-Gen.





Name   W32/Feebs-AC

Type  
    * Worm

How it spreads  
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Feebs.gj
    * W32/Feebs.gen@MM
    * WORM_FEEBS.JA

Prevalence (1-5) 2

Description
W32/Feebs-AC is a worm for the Windows platform.

W32/Feebs-AC spreads via file sharing on P2P networks.

W32/Feebs-AC creates ZIP archives containing a copy of the worm in 
folders used by peer to peer applications.

The zip archives have the following names:

3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip

Advanced
W32/Feebs-AC is a worm for the Windows platform.

W32/Feebs-AC spreads via file sharing on P2P networks.

When first run W32/Feebs-AC copies itself to:

<Windows system folder>\ms??
<Windows system folder>\ms??.exe

where ?? are randomly chosen characters.

The worm also creates the file

<Windows system folder>\ms??32.dll

which is also detected as W32/Feebs-AC.

The following registry entry is created to run code exported by the 
worm library on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayL
oad
ms??32.dll
{8F53293D-EBEB-A101-F67A-64EE3F0E359D}

The file ms??32.dll is registered as a COM object, creating registry 
entries under:

HKCR\CLSID\{8F53293D-EBEB-A101-F67A-64EE3F0E359D}

W32/Feebs-AC creates ZIP archives containing a copy of the worm in 
folders used by peer to peer applications.

The zip archives have the following names:

3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip





Name   W32/Sdbot-BLW

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Downloads code from the internet
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.apx
    * W32/Sdbot.worm.gen.ay
    * WORM_SDBOT.DVT

Prevalence (1-5) 2

Description
W32/Sdbot-BLW is a network worm and IRC backdoor Trojan for the 
Windows platform.

Advanced
W32/Sdbot-BLW is a network worm and IRC backdoor Trojan for the 
Windows platform.

W32/Sdbot-BLW spreads to remote network shares protected by weak 
passwords and to computers vulnerable to common exploits, including 
LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 
(MS04-007).

W32/Sdbot-BLW includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Sdbot-BLW copies itself to <System>\netbtd.exe.

The file netbtd.exe is registered as a new system driver service 
named "NetBTD", with a display name of "NetBTD(ntbtd)" and a 
description of"Net bios background information transfer service." and 
a startup type of automatic, so that it is started automatically 
during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\NetBTD\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBTD\

W32/Sdbot-BLW sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   W32/Rbot-DID

Type  
    * Spyware Worm

How it spreads  
    * Network shares
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Downloads code from the internet
    * Records keystrokes
    * Installs itself in the Registry
    * Used in DOS attacks
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Rbot-DID is a network and AOL Instant Messenger worm and IRC 
backdoor Trojan for the Windows platform.

Advanced
W32/Rbot-DID is a network and AOL Instant Messenger worm and IRC 
backdoor Trojan for the Windows platform.

W32/Rbot-DID runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-DID spreads to other computers via network shares protected 
by weak passwords and by AOL Instant Messenger by sending attachments 
of itself to the list of contacts.

The filenames attached can be chosen from any of the following:

file.TXT.scr
document.TXT.exe
images_packed_with_winzip.ZIP.exe
Upgrade_messenger.exe
messgr_icon_install.exe
animation_icon_pack.exe
install_update.exe
free_smser_install.exe
document1.DOC.scr
readme.DOC.scr
document_saved.zip
free_stuff_2394.zip
pictures_winzip.zip
new version (messenger).zip
animation_icons.zip
messenger_icons.zip
critical_update.zip
free sms install.zip
secret (important).zip
story_read_this.zip

When first run W32/Rbot-DID copies itself to <System>\msclt.exe and 
creates the file \rBot.txt. The file rBot.txt can be deleted.

W32/Rbot-DID includes functionality to:

- log keystrokes
- perform DDoS attacks
- setup a SOCKS4 server
- download code from the internet

The following registry entries are created to run msclt.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft client for NT
msclt.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft client for NT
msclt.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft client for NT
msclt.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft client for NT
msclt.exe

The following registry entry is changed to run msclt.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe msclt.exe

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

W32/Rbot-DID sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates 
the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous

W32/Rbot-DID may also create or change registry entries under:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List

HKLM\SOFTWARE\Microsoft\security center

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

HKLM\SOFTWARE\Microsoft\OLE

W32/Rbot-DID also overwrites the HOSTS file with the following 
mappings:

127.0.0.1 localhost
14.156.202.237 avp.com
7.50.30.209 ca.com
43.211.251.140 customer.symantec.com
9.173.175.98 dispatch.mcafee.com
53.217.31.32 download.mcafee.com
184.168.12.166 downloads1.kaspersky-labs.com
3.192.145.174 downloads2.kaspersky-labs.com
221.230.184.6 downloads3.kaspersky-labs.com
54.3.82.57 downloads4.kaspersky-labs.com
42.181.121.214 downloads-eu1.kaspersky-labs.com
178.141.86.201 downloads-eu2.kaspersky-labs.com
96.58.21.244 downloads-eu3.kaspersky-labs.com
108.202.171.17 downloads-eu4.kaspersky-labs.com
61.73.87.108 downloads-us1.kaspersky-labs.com
119.76.239.151 downloads-us2.kaspersky-labs.com
65.83.120.39 downloads-us3.kaspersky-labs.com
244.249.20.247 downloads-us4.kaspersky-labs.com
56.221.190.187 f-secure.com
77.208.111.176 ftp.avp.com
157.144.5.65 ftp.ca.com
182.61.39.127 ftp.customer.symantec.com
79.73.254.177 ftp.dispatch.mcafee.com
139.248.224.213 ftp.download.mcafee.com
137.208.219.104 ftp.downloads1.kaspersky-labs.com
119.251.197.206 ftp.downloads2.kaspersky-labs.com
186.10.174.33 ftp.downloads3.kaspersky-labs.com
106.131.218.197 ftp.downloads4.kaspersky-labs.com
33.197.45.20 ftp.downloads-eu1.kaspersky-labs.com
231.33.161.240 ftp.downloads-eu2.kaspersky-labs.com
193.152.60.152 ftp.downloads-eu3.kaspersky-labs.com
153.220.144.14 ftp.downloads-eu4.kaspersky-labs.com
157.196.74.92 ftp.downloads-us1.kaspersky-labs.com
58.235.209.36 ftp.downloads-us2.kaspersky-labs.com
205.57.252.170 ftp.downloads-us3.kaspersky-labs.com
77.238.95.210 ftp.downloads-us4.kaspersky-labs.com
221.148.176.197 ftp.f-secure.com
169.70.96.45 ftp.grisoft.com
250.73.62.197 ftp.kaspersky.com
207.243.224.42 ftp.kaspersky-labs.com
122.62.31.152 ftp.liveupdate.symantec.com
17.141.88.162 ftp.liveupdate.symantecliveupdate.com
36.16.211.254 ftp.mast.mcafee.com
142.65.120.226 ftp.mcafee.com
215.91.164.171 ftp.my-etrust.com
119.228.217.66 ftp.nai.com
119.18.41.227 ftp.networkassociates.com
173.28.103.89 ftp.norton.com
48.106.44.56 ftp.rads.mcafee.com
35.136.169.186 ftp.sandbox.norman.com
130.89.207.202 ftp.secure.nai.com
24.10.214.69 ftp.securityresponse.symantec.com
41.154.146.165 ftp.sophos.com
36.24.60.2 ftp.symantec.com
70.205.147.33 ftp.symantecliveupdate.com
139.27.237.140 ftp.symatec.com
226.31.179.218 ftp.trendmicro.com
234.233.205.31 ftp.uk.trendmicro-europe.com
66.128.3.188 ftp.update.symantec.com
171.64.93.16 ftp.updates.symantec.com
130.121.249.18 ftp.updates1.kaspersky-labs.com
210.219.232.127 ftp.updates2.kaspersky-labs.com
138.251.135.173 ftp.updates3.kaspersky-labs.com
18.23.241.124 ftp.updates4.kaspersky-labs.com
74.82.110.162 ftp.us.mcafee.com
181.161.253.197 ftp.viruslist.com
208.23.240.137 grisoft.com
92.61.36.154 kaspersky.com
36.193.203.213 kaspersky-labs.com
124.21.113.150 liveupdate.symantec.com
122.191.132.64 liveupdate.symantecliveupdate.com
190.155.37.32 mast.mcafee.com
179.161.9.181 mcafee.com
41.132.42.106 my-etrust.com
46.209.19.103 nai.com
18.188.116.128 networkassociates.com
102.224.110.218 norton.com
110.135.33.97 pandasoftware.com
227.223.254.145 rads.mcafee.com
227.24.108.55 sandbox.norman.com
128.204.161.63 secure.nai.com
185.75.243.140 securityresponse.symantec.com
114.137.213.147 sophos.com
136.226.80.33 symantec.com
49.231.59.13 symantecliveupdate.com
72.96.243.68 symatec.com
163.70.92.96 trendmicro.com
39.224.225.195 uk.trendmicro-europe.com
34.55.79.110 update.symantec.com
51.17.51.112 updates.symantec.com
195.186.28.77 updates1.kaspersky-labs.com
79.51.233.162 updates2.kaspersky-labs.com
131.142.129.220 updates3.kaspersky-labs.com
128.44.152.225 updates4.kaspersky-labs.com
46.4.120.236 us.mcafee.com
130.171.209.13 viruslist.com
161.232.23.116 virusscan.jotti.org
52.87.239.27 virustotal.com
97.7.185.87 www.avp.com
201.151.42.236 www.ca.com
112.46.2.63 www.customer.symantec.com
222.94.245.36 www.dispatch.mcafee.com
138.73.34.126 www.download.mcafee.com
67.20.191.27 www.downloads1.kaspersky-labs.com
29.141.118.136 www.downloads2.kaspersky-labs.com
174.131.234.216 www.downloads3.kaspersky-labs.com
155.52.120.122 www.downloads4.kaspersky-labs.com
176.92.43.170 www.downloads-eu1.kaspersky-labs.com
158.195.116.44 www.downloads-eu2.kaspersky-labs.com
0.204.163.184 www.downloads-eu3.kaspersky-labs.com
84.237.28.93 www.downloads-eu4.kaspersky-labs.com
11.154.96.188 www.downloads-us1.kaspersky-labs.com
67.244.93.229 www.downloads-us2.kaspersky-labs.com
234.91.150.57 www.downloads-us3.kaspersky-labs.com
215.168.20.129 www.downloads-us4.kaspersky-labs.com
16.53.61.77 www.f-secure.com
70.114.129.161 www.grisoft.com
213.50.110.17 www.kaspersky.com
58.109.29.215 www.kaspersky-labs.com
81.162.28.132 www.liveupdate.symantec.com
88.147.48.75 www.liveupdate.symantecliveupdate.com
130.13.152.142 www.mast.mcafee.com
144.242.62.188 www.mcafee.com
198.181.227.8 www.my-etrust.com
55.254.71.159 www.nai.com
35.172.213.224 www.networkassociates.com
127.103.209.64 www.norton.com
221.241.146.73 www.pandasoftware.com
181.1.69.122 www.rads.mcafee.com
228.41.75.111 www.sandbox.norman.com
81.68.155.126 www.secure.nai.com
8.215.212.84 www.securityresponse.symantec.com
211.212.87.42 www.sophos.com
3.190.143.162 www.symantec.com
252.29.87.107 www.symantecliveupdate.com
79.54.147.163 www.symatec.com
198.248.107.186 www.trendmicro.com
212.162.189.184 www.uk.trendmicro-europe.com
60.239.70.160 www.update.symantec.com
221.248.127.108 www.updates.symantec.com
145.0.185.74 www.updates1.kaspersky-labs.com
96.206.3.146 www.updates2.kaspersky-labs.com
155.118.65.51 www.updates3.kaspersky-labs.com
22.124.37.242 www.updates4.kaspersky-labs.com
140.220.95.86 www.us.mcafee.com
231.211.177.136 www.viruslist.com
7.113.74.125 www.virustotal.com





Name   Troj/Clicker-CO

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Trojan-Clicker.Win32.VB.lf

Prevalence (1-5) 2

Description
Troj/Clicker-CO is a Trojan for the Windows platform.

Troj/Clicker-CO includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Clicker-CO is a Trojan for the Windows platform.

Troj/Clicker-CO includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Clicker-CO copies itself to the Program Files 
folder. Locations seen include:
<Program Files>\Internet Explorer\
<Program Files>\Updates\
<Program Files>\winupdates\

The following registry entry is created to run Troj/Clicker-CO on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<original Trojan filename>
<Copied location in Program Files>\





Name   Troj/Haxdoor-CA

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Drops more malware
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Haxdoor.ir

Prevalence (1-5) 2

Description
Troj/Haxdoor-CA is a Trojan for the Windows platform.

Troj/Haxdoor-CA runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

Troj/Haxdoor-CA includes functionality to:

stealth its files, processes, registry entries and services
prevent itself being terminated
prevent itself being deleted
disable other software, including anti-virus, firewall and security 
related applications

Advanced
Troj/Haxdoor-CA is a Trojan for the Windows platform.

Troj/Haxdoor-CA runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer.

Troj/Haxdoor-CA includes functionality to:

stealth its files, processes, registry entries and services
prevent itself being terminated
prevent itself being deleted
disable other software, including anti-virus, firewall and security 
related applications

When Troj/Haxdoor-CA is installed the following files are created:

<Windows system folder>\klgcptini.dat
<Windows system folder>\qz.dll
<Windows system folder>\qz.sys
<Windows system folder>\stt82.ini
<Windows system folder>\vistaj.sys
<Windows system folder>\vistax.dll

The files qz.dll, qz.sys, vistaj.sys and vistax.dll are detected as 
Troj/Haxdor-Fam.

The following registry entries are created to run code exported by 
vistax.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\vistax
DllName
vistax.dll

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\vistax
Startup
CxaEqsData

HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\vistax
Impersonate
1

The file vistaj.sys is registered as a new system driver service 
named "vistaj", with a display name of "SE 3.0 memory driver".

Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\vistaj\

The file vistaj.sys is also registered as a new system driver service 
named "vistax", with a display name of "SE 3.2 memory driver" and a 
startup type of automatic, so that it is started automatically during 
system startup.

Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\vistax\





Name   Troj/FakeVir-M

Type  
    * Trojan

Affected operating systems  
    * Windows

Aliases  
    * FakeAlert-B

Prevalence (1-5) 2

Description
Troj/FakeVir-M is a Trojan for the Windows platform.

Advanced
Troj/FakeVir-M is a Trojan for the Windows platform.

Troj/FakeVir-M will create a notification area icon which repeatedly 
creates a
window which says:

Your computer is infected!
Critical System Error!
System detected virus activities.
They may cause critical system
failure. Please, use antimalware
software to clean and protect your
system from parasite programs.
Click here to get all available
software.

When the window is clicked, a browser is opened and directed to
www.spyfalcon.com.





Name   Troj/Spammit-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * Win32/Agent.TK
    * SpamTool.Win32.Agent.i

Prevalence (1-5) 2

Description
Troj/Spammit-B is a backdoor Trojan which allows an infected computer 
to send emails as instructed by a remote intruder.

Advanced
Troj/Spammit-B is a backdoor Trojan which allows an infected computer 
to send emails as instructed by a remote intruder.

The following registry entry is created to run Troj/Spammit-B on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS
<pathname of the Trojan executable>

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall 
Policy\
DomainProfile\AuthorizedApplications\List
<pathname of the Trojan executable>
C:\NvRun\<original filename>:*:Enabled:Server

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\
StandardProfile\AuthorizedApplications\List
<pathname of the Trojan executable>
C:\NvRun\<original filename>:*:Enabled:Server





Name   Troj/PWS-SA

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information

Aliases  
    * PWS-JA
    * Win32/TrojanDropper.Small.NEA
    * Trojan-PSW.Win32.Sinowal.n

Prevalence (1-5) 2

Description
Troj/PWS-SA is a Trojan for the Windows platform.





Name   Troj/Slogger-K

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Proxy.Win32.Wopla.v
    * Win32/TrojanDropper.Small.ZK

Prevalence (1-5) 2

Description
Troj/Slogger-K is a Trojan for the Windows platform.

Troj/Slogger-K includes the following functionalities to:
- communicate with remote servers via HTTP
- download and run files
- terminate anti-virus and security related processes
- send email

Advanced
Troj/Slogger-K is a Trojan for the Windows platform.

Troj/Slogger-K includes the following functionalities to:
- communicate with remote servers via HTTP
- download and run files
- terminate anti-virus and security related processes
- send email

When first run Troj/Slogger-K copies itself to &ltSystem>\&ltrandom 
filename&gt.exe
and creates the file &ltSystem>\&ltrandom filename&gt.dll.

The following registry entry is created to run code exported by the 
Trojan
library on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
SysTray.Exbt
(5368D5FC-6F6C-4f5b-B564-E67214F67552)

The DLL file is registered as a COM object, creating registry entries 
under:

HKCR\CLSID\(5368D5FC-6F6C-4f5b-B564-E67214F67552)

Troj/Slogger-K changes settings for Microsoft Internet Explorer by 
modifying
values under:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)