Text 119, 1200 rader
Skriven 2006-05-27 23:49:00 av KURT WISMER (1:123/140)
Ärende: News, May 27 2006
=========================
[cut-n-paste from sophos.com]
Name Troj/Stinx-V
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan.Brepibot.U
Prevalence (1-5) 3
Description
Troj/Stinx-V is an IRC backdoor Trojan for the Windows platform.
Advanced
Troj/Stinx-V is an IRC backdoor Trojan for the Windows platform.
When first run, Troj/Stinx-V copies itself to the Windows system
folder with the name cmssr.exe and creates the following registry
entry to run itself automatically:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
ATD Direct CD
<System>\cmssr.exe
Troj/Stinx-V connects to a preconfigured IRC server and joins a
specific channel. A remote attacker can then gain access and control
over the infected computer.
Name Troj/Opnis-C
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Trojan.Win32.Opnis.g
Prevalence (1-5) 2
Description
Troj/Opnis-C is a Trojan for the Windows platform.
Advanced
Troj/Opnis-C is a Trojan for the Windows platform.
When Troj/Opnis-C is installed the following files are created:
<Windows system folder>\[Random1].dll
<Windows system folder>\[Random2].exe
<Windows system folder>\vsre446EC7DB.exe
The following registry entry is created to run [Random2].exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Random2]
<Windows system folder>\[Random2].exe
The following registry entries are created to run code exported by
[Random1].dll on startup:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\[Random1]
DllName
<Windows system folder>\[Random1].dll
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\[Random1]
Startup
WlxStartupEvent
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\[Random1]
Impersonate
0
Name Troj/Tometa-E
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Win32/Bifrose
Prevalence (1-5) 2
Description
Troj/Tometa-E is a Trojan for the Windows platform.
Advanced
Troj/Tometa-E is a Trojan for the Windows platform.
When first run Troj/Tometa-E copies itself to <System>\kb32.com.
The following registry entry is created to run kb32.com on startup:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed
Components\{686BC654-BC45-D597-22DC-CA34BD693002}
StUbPaTh
<System>\kb32.com s
Registry entries are created as follows:
HKCU\Software\Wget
KLG
hex:00
HKLM\SOFTWARE\Wget
NCK
hex:f7,11,26,35,57,32,2d,60,b4,3c,2a,5e,33,34,72,00,a3,78,26,35,57,32,2
d,60,b4,3c,2a,5e,33,34,72,00
Name W32/Sality-U
Type
* Worm
How it spreads
* Infected files
Affected operating systems
* Windows
Aliases
* Virus.Win32.Sality.o
Prevalence (1-5) 2
Description
W32/Sality-U is a parasitic virus for the Windows platform.
Advanced
W32/Sality-U is a parasitic virus for the Windows platform.
When run the virus drops the file <System>\wdmfmc32.dll. This file is
also detected as W32/Sality-U.
Name W32/Mytob-HX
Type
* Spyware Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Steals information
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Mytob-HX is a worm for the Windows platform.
The worm harvests email addresses from files on the infected computer
and sends itself as an attachment to each address found.
Email sent by W32/Mytob-HX has the following message text:
Dear Valued Member,
According to our terms of services, you will have to confirm your
e-mail by the following link, or your account will be suspended
within 24 hours for security reasons.
After following the instructions in the sheet, your account will not
be interrupted and will continue as normal.
Thanks for your attention to this request. We apologize for any
inconvenience.
Sincerely, %s Abuse Department
<a
href="http://<BLOCKED>/Confirmation_Sheet.pif">http://www.%s/confirm.ph
p?account=%s</a>
where "%s" is an excerpt from the recipient's email address.
The worm connects to an IRC server and joins a predefined channel
where it then awaits commands from remote attackers.
Advanced
W32/Mytob-HX is a worm for the Windows platform.
When run, W32/Mytob-HX copies itself to the Windows system folder as
"windows.exe"
The worm harvests email addresses from files on the infected computer
and sends itself as an attachment to each address found.
Email sent by W32/Mytob-HX has the following message text:
Dear Valued Member,
According to our terms of services, you will have to confirm your
e-mail by the following link, or your account will be suspended
within 24 hours for security reasons.
After following the instructions in the sheet, your account will not
be interrupted and will continue as normal.
Thanks for your attention to this request. We apologize for any
inconvenience.
Sincerely, %s Abuse Department
<a
href="http://<BLOCKED>/Confirmation_Sheet.pif">http://www.%s/confirm.ph
p?account=%s</a>
where "%s" is an excerpt from the recipient's email address.
The worm connects to an IRC server and joins a predefined channel
where it then awaits commands from remote attackers.
The following registry entries are created in order to run the worm
each time a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows System
"windows.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows System
"windows.exe"
Name W32/Bobandy-A
Type
* Worm
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Bobandy-A is a mass-mailing worm for the Windows platform.
Emails sent by W32/Bobandy-A have the following characteristics:
Subject line:
Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs
Message text:
hi please see this file
For security reasons attached file is password protected.
The password is 55132098
hot babe high quality porn
For security reasons attached file is password protected.
The password is 55132098
free screen saver romance for you
Please Visit Our Web Site:http://www.moonLight.com
For security reasons attached file is password protected.
The password is 55132098
hey free brontok, small_kl & more removal
For security reasons attached file is password protected.
The password is 55132098
thank's for you register
For security reasons attached file is password protected.
The password is 55132098
your acount details are attached
For security reasons attached file is password protected.
The password is 55132098
Advanced
W32/Bobandy-A is a mass-mailing worm for the Windows platform.
Emails sent by W32/Bobandy-A have the following characteristics:
Subject line:
Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs
Message text:
hi please see this file
For security reasons attached file is password protected.
The password is 55132098
hot babe high quality porn
For security reasons attached file is password protected.
The password is 55132098
free screen saver romance for you
Please Visit Our Web Site:http://www.moonLight.com
For security reasons attached file is password protected.
The password is 55132098
hey free brontok, small_kl & more removal
For security reasons attached file is password protected.
The password is 55132098
thank's for you register
For security reasons attached file is password protected.
The password is 55132098
your acount details are attached
For security reasons attached file is password protected.
The password is 55132098
When first run W32/Bobandy-A copies itself to:
<Startup>\MySqld-nt Start.cmd
<Windows>\Brico.cmd
<Windows>\Systask.exe
<Windows>\command.com
<Windows>\java\clases\bin\csrss.exe
<System>\MySqld-nt.cmd
<System>\;applog\Sys\Winlogon.exe
<System>\dllcache\(CLSID)\msowcf.cmd
<System>\remotesp.cmd
<System>\run32dll.exe
and creates the following harmless files:
<User>\My Documents\Mo0nLighT.A.txt
<System>\MoonLigHT.rtf
W32/Bobandy-A creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MooNlight
MySqld-nt.cmd
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ObjectDock
Brico.cmd
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe, COMMAND\SETRAMD.cmd
Registry entries are created under:
HKCU\Software\VB and VBA Program Settings\untukmu\version\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\
W32/Bobandy-A attempts to copy itself to the root folders of all
mapped drives.
The attached file will take one of the following names:
mypic.zip
dataKU.zip
attach.zip
Update.zip
Doc.uu
file.zip
thisfile.uu
pic.zip
The attached file is detected as Troj/BobanDl-A
W32/Bobandy-A harvests email addresses from files on the infected
computer.
Name Troj/Clagger-S
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
Prevalence (1-5) 2
Description
Troj/Clagger-S is a Trojan that downloads further malicious code.
Advanced
Troj/Clagger-S is a Trojan that downloads further malicious code.
The Trojan downloads a file to <Windows>\suhoy330.exe and runs it.
The following registry entry is created in an attempt to bypass the
Windows firewall:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FiREWaLLpolicy\StAnDaRDPrOFiLe\AUtHorizedapplications\List
<pathname of Trojan executable>
<pathname of Trojan executable>:*:ENABLED:0
Name W32/Zasran-C
Type
* Spyware Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Steals information
* Drops more malware
* Uses its own emailing engine
Aliases
* Email-Worm.Win32.Banwarum.c
Prevalence (1-5) 2
Description
W32/Zasran-C is a worm for the Windows platform.
W32/Zasran-C spreads via email. Email sent by W32/Zasran-C contains a
message text written in German.
Attached files have the ZIP file extension with one of the following
randomly chosen base names:
Abbild-Der-Rechnung
Anhang
Anhang-Tickets
archiv
Auszahlungen
bank-kontoauszuge
Desktop
Kontoauszug
Neuer Ordner
New Folder
Postbank
Postbank-Ueberweisungen
Rechnung
Rechnung-Anhang
Tickets
Ueberweisung
Weltmeisterschaft
WM-Anhang
WM-Tickets
Advanced
W32/Zasran-C is a worm for the Windows platform.
The worm creates the file <System>\mszsrn32.dll and injects code into
the winlogon.exe process in an attempt to hide some actions.
The worm downloads configuration data from a remote site that defines
further behaviors.
W32/Zasran-C spreads via email. Email sent by W32/Zasran-C contains a
message text written in German.
Attached files have the ZIP file extension with one of the following
randomly chosen base names:
Abbild-Der-Rechnung
Anhang
Anhang-Tickets
archiv
Auszahlungen
bank-kontoauszuge
Desktop
Kontoauszug
Neuer Ordner
New Folder
Postbank
Postbank-Ueberweisungen
Rechnung
Rechnung-Anhang
Tickets
Ueberweisung
Weltmeisterschaft
WM-Anhang
WM-Tickets
Name W32/Tilebot-FA
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.SdBot.xd
* W32/Sdbot.worm.gen.g
Prevalence (1-5) 2
Description
W32/Tilebot-FA is a worm with backdoor functionality for the Windows
platform.
W32/Tilebot-FA spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: WKS (MS03-049)
(CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). The worm may
also spreads via network shares and MSSQL servers protected by weak
passwords.
W32/Tilebot-FA runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-FA includes functionality to:
- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks
Advanced
W32/Tilebot-FA is a worm with backdoor functionality for the Windows
platform.
W32/Tilebot-FA spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: WKS (MS03-049)
(CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). The worm may
also spreads via network shares and MSSQL servers protected by weak
passwords.
W32/Tilebot-FA runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-FA includes functionality to:
- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- change Internet Explorer start page
- set or remove network shares
- port scanning
- packet sniffing
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks
When first run W32/Tilebot-FA copies itself to the Windows folder as
services.exe. The file services.exe is registered as a new system
driver service named "aolsoftwares", with a display name of
"aolsoftwares" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\aolsoftwares\
W32/Tilebot-FA sets the following registry entries, disabling the
automatic
startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
Additional registry entries are set as follows:
HKCR\.key
(default)
regfile
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Rbot-DVC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Rbot-DVC is a worm and IRC backdoor Trojan for the Windows
platform.
Advanced
W32/Rbot-DVC is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-DVC runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-DVC spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012) and WKS (MS03-049) (CAN-2003-0812) and by copying
itself to network shares protected by weak passwords.
When first run W32/Rbot-DVC copies itself to <System>\usaplug.exe.
The following registry entries are created to run usaplug.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft USA Plug
usaplug.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft USA Plug
usaplug.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft USA Plug
usaplug.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft USA Plug
usaplug.exe
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft USA Plug
usaplug.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft USA Plug
usaplug.exe
HKCU\Software\Microsoft\OLE
Microsoft USA Plug
usaplug.exe
HKLM\SOFTWARE\Microsoft\Ole
Microsoft USA Plug
usaplug.exe
W32/Rbot-DVC includes functionality to:
- access the internet and communicate with a remote server via HTTP
- log keystrokes
- perform DDoS attacks
- setup a SOCKS4 server
- steal information
W32/Rbot-DVC also appends the following mappings to the HOSTS file,
denying access to security and anti-virus related websites:
0.0.0.0 www.symantec.com
0.0.0.0 securityresponse.symantec.com
0.0.0.0 symantec.com
0.0.0.0 www.sophos.com
0.0.0.0 sophos.com
0.0.0.0 www.mcafee.com
0.0.0.0 mcafee.com
0.0.0.0 liveupdate.symantecliveupdate.com
0.0.0.0 www.viruslist.com
0.0.0.0 viruslist.com
0.0.0.0 viruslist.com
0.0.0.0 f-secure.com
0.0.0.0 www.f-secure.com
0.0.0.0 kaspersky.com
0.0.0.0 kaspersky-labs.com
0.0.0.0 www.avp.com
0.0.0.0 www.kaspersky.com
0.0.0.0 avp.com
0.0.0.0 www.networkassociates.com
0.0.0.0 networkassociates.com
0.0.0.0 www.ca.com
0.0.0.0 ca.com
0.0.0.0 mast.mcafee.com
0.0.0.0 my-etrust.com
0.0.0.0 www.my-etrust.com
0.0.0.0 download.mcafee.com
0.0.0.0 dispatch.mcafee.com
0.0.0.0 secure.nai.com
0.0.0.0 nai.com
0.0.0.0 www.nai.com
0.0.0.0 update.symantec.com
0.0.0.0 updates.symantec.com
0.0.0.0 us.mcafee.com
0.0.0.0 liveupdate.symantec.com
0.0.0.0 customer.symantec.com
0.0.0.0 rads.mcafee.com
0.0.0.0 trendmicro.com
0.0.0.0 pandasoftware.com
0.0.0.0 www.pandasoftware.com
0.0.0.0 www.trendmicro.com
0.0.0.0 www.grisoft.com
0.0.0.0 www.microsoft.com
0.0.0.0 microsoft.com
0.0.0.0 www.virustotal.com
0.0.0.0 virustotal.com
0.0.0.0 www.zango.com
0.0.0.0 zango.com
Name W32/Mytob-HZ
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Net-Worm.Win32.Domwoot.a
* W32/Mytob.ii@MM
* W32.Mytob@mm
* Win32/Mytob.TN
Prevalence (1-5) 2
Description
W32/Mytob-HZ is a mass-mailing worm with backdoor functionality that
can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-HZ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Mytob-HZ spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011) and
ASN.1 (MS04-007).
W32/Mytob-HZ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Emails sent by W32/Mytob-HZ sends emails in the following format,
with details filled in to make the email look more authentic:
Subject line chosen from:
*DETECTED* Online User Violation
*WARNING* Your email account is suspended
Email Account Suspension
Important Notification
Members Support
Notice of account limitation
Security measures
Warning Message: Your services near to be closed.
We have suspended your account
You are banned!!!
Your Account is Suspended
Your Account is Suspended For Security Reasons
<random characters>
Message text chosen from (the worm will insert the username and the
email domain of the addressee into the email):
Dear <domain> Member,
We have temporarily suspended your email account <domain>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
Sincerely,The <domain> Support Team
Some information about your <domain> account is attached.
The <domain> Support Team
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could please take 5-10
minutes out of your online experience and confirm the attached
document so you will not run into any future problems with the online
service.
Virtually yours,
The attached file consists of a base name followed by the extension
ZIP. The worm may optionally create double extensions where the first
extension is DOC, TXT or HTM and the final extension is BAT, CMD,
PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<random characters>
W32/Mytob-HZ harvests email addresses from files on the infected
computer and from the Windows address book.
Advanced
W32/Mytob-HZ is a mass-mailing worm with backdoor functionality that
can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-HZ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Mytob-HZ spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS (MS04-011) and
ASN.1 (MS04-007).
W32/Mytob-HZ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Mytob-HZ copies itself to <Windows system
folder>\svchosts.exe.
The following registry entries are created to run svchosts.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Cnfg32
svchosts.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 Cnfg32
svchosts.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Cnfg32
svchosts.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Cnfg32
svchosts.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Win32 Cnfg32
svchosts.exe
The file svchosts.exe is registered as a new file system driver
service named "shit", with a display name of "shit". Registry entries
are created under:
HKLM\SYSTEM\CurrentControlSet\Services\shit\
Emails sent by W32/Mytob-HZ sends emails in the following format,
with details filled in to make the email look more authentic:
Subject line chosen from:
*DETECTED* Online User Violation
*WARNING* Your email account is suspended
Email Account Suspension
Important Notification
Members Support
Notice of account limitation
Security measures
Warning Message: Your services near to be closed.
We have suspended your account
You are banned!!!
Your Account is Suspended
Your Account is Suspended For Security Reasons
<random characters>
Message text chosen from (the worm will insert the username and the
email domain of the addressee into the email):
Dear <domain> Member,
We have temporarily suspended your email account <domain>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
Sincerely,The <domain> Support Team
Some information about your <domain> account is attached.
The <domain> Support Team
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could please take 5-10
minutes out of your online experience and confirm the attached
document so you will not run into any future problems with the online
service.
Virtually yours,
The attached file consists of a base name followed by the extension
ZIP. The worm may optionally create double extensions where the first
extension is DOC, TXT or HTM and the final extension is BAT, CMD,
PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<random characters>
W32/Mytob-HZ harvests email addresses from files on the infected
computer and from the Windows address book.
Name W32/Sdbot-BSL
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Aliases
* W32/Sdbot.worm.gen.bp
Prevalence (1-5) 2
Description
W32/Sdbot-BSL is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-BSL runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
Advanced
W32/Sdbot-BSL is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-BSL runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
When first run W32/Sdbot-BSL copies itself to <Windows>\Msmgs.exe.
The file Msmgs.exe is registered as a new system driver service named
"Windows
web messenger", with a display name of "Windows web messenger" and a
startup
type of automatic, so that it is started automatically during system
startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows web messenger\
W32/Sdbot-BSL sets the following registry entries, disabling the
automatic
startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|