Text 126, 1354 lines
Written 2006-07-01 15:01:00 by KURT WISMER (1:123/140)
Subject: News, July 1 2006
=========================
[cut-n-paste from sophos.com]
Name WM97/Kukudro-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 3
Description
WM97/Kukudro-A is a Trojan dropping Word document.
WM97/Kukudro-A drops and runs a file detected by Sophos as Troj/Kuku-A.
Sophos has seen the Trojan horse spammed out in email messages with
the following characteristics:
Subject: "worth to see", "prices", "Hi", or "Hello".
Message body:
Hello <name>
--
Regards, <name> <email address>
Where <name> and <email address> are changing.
Attached to the email is a zip file (variously called prices.zip,
apple_prices.zip or sony_prices.zip) containing an infected Microsoft
Word document entitled my_Notebook.doc.
The Word document secretly installs the Troj/Kuku-A Trojan horse onto
the PC.
Name Troj/Zlob-PG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Zlob-PG is a Trojan for the Windows platform.
Advanced
When first run Troj/Zlob-PG copies itself to:
<User>\Local Settings\Application Data\<random filename>.exe
<System>\<random filename>.exe
The following registry entries are created to run <random
filename>.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random filename>.exe
<User>\Local Settings\Application Data\<random filename>.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random filename>.exe
<System>\<random filename>.exe
Name Troj/Backdr-D
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Small.ld
Prevalence (1-5) 2
Description
Troj/Backdr-D is a backdoor Trojan for the Windows platform.
Troj/Backdr-D includes functionality to silently download files from
predefined URLs and act as a Proxy server.
Advanced
When Troj/Backdr-D is installed it creates the file
<System>\svrmsg.dll.
The file svrmsg.dll is registered as a new file system driver service
named "Ias", with a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\Ias\
Name W32/Bagle-KJ
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
W32/Bagle-KJ is an email worm for the Windows platform.
W32/Bagle-KJ searches an infected computer for email addresses to
send itself to. Emails have the following characteristics:
Subject line: <Random name of a person>
Message text chosen from:
To the beloved
I love you
Attachment filename: <Random name of a person>
Advanced
When first run, W32/Bagle-KJ copies itself to the following location:
<Current user>\Application Data\hidn\hidn2.exe
and drops a file named m_hook.sys to the same location.
The following registry entry is created in order to automatically start
W32/Bagle-KJ when an infected computer starts:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
drv_st_key
<Path to worm>
The file m_hook.sys is a device driver used to hide the worm on an
infected computer, and also attempt to terminate any security programs
running on the system. It is also detected as W32/Bagle-KJ.
m_hook.sys is registered as a service, creating entries under:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
W32/Bagle-KJ deletes the following registry entries, affecting the
safe-mode boot configurations:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
Name W32/Tilebot-FR
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Tilebot-FR is an IRC backdoor worm for the Windows platform.
W32/Tilebot-FR runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-FR may also attempt to spread to other computers via
network shares protected by weak passwords, as well as by exploiting
the following vulnerabilities:
LSASS
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx)
RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx)
WKS
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx)
(CAN-2003-0812)
PNP (http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx)
ASN.1
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
W32/Tilebot-FR includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
When first run W32/Tilebot-FR copies itself to <Windows
folder>\winlogon.exe.
The file <Windows folder>\winlogon.exe is registered as a new system
driver service named "Windows Spooler Service", with a display name
of "Microsoft Windows Spooler Service" and a startup type of
automatic, so that it is started automatically during system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Windows Spooler Service\
W32/Tilebot-FR sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Rbot-EMO
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.gen
* W32.Spybot.Worm
Prevalence (1-5) 2
Description
W32/Rbot-EMO is a network worm with backdoor functionality for the
Windows platform.
W32/Rbot-EMO spreads using a variety of techniques including
exploiting weak passwords on computers and SQL servers, exploiting
operating system vulnerabilities (including RPC-DCOM, WKS, LSASS,
Veritas (CAN-2004-1172) and ASN.1) and using backdoors opened by
other worms or Trojans.
W32/Rbot-EMO can be controlled by a remote attacker over IRC
channels. The backdoor component of W32/Rbot-EMO can be instructed by
a remote user to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software
Advanced
The worm copies itself to a file named HIMENSYST.EXE in the Windows
system folder and creates the following registry entries:
HKCU\Software\Microsoft\OLE
Windows File Migration Wizard
"HIMENSYST.EXE"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows File Migration Wizard
"HIMENSYST.EXE"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows File Migration Wizard
"HIMENSYST.EXE"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows File Migration Wizard
"HIMENSYST.EXE"
Name W32/Brontok-AZ
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Modifies data on the computer
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Brontok.n
Prevalence (1-5) 2
Description
W32/Brontok-AZ is a mass-mailing worm for the Windows platform.
Advanced
W32/Brontok-AZ sends itself to email addresses found on the infected
computer.
Emails sent by the worm have the following characteristics:
From: angelina_ph@<recipient's domain>
or jennifer_sh@<recipient's domain>
If the recipient's address is Indonesian:
Subject: Fotoku yg Paling Cantik
Message text:
Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.
Thanks
For all other addresses:
Subject: My Best Photo
Message text:
Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,
Attachment name: Photo.zip
The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat
runs Photo.bmp. Photo.bmp is an executable (Detected by Sophos as
Troj/Dloadr-ADW) which attempts to download and execute a copy of the
worm from a preconfigured website. At the time of writing, this
website is unavailable.
When installed W32/Brontok-AZ copies itself to the following files:
<User>\Local Settings\Application Data\dv<random1>\yesbron.com
<User>\Local Settings\Application Data\jalak-<random2>-bali.com
<Windows>\_default<random3>.pif
<Windows>\j<random4>.exe
<Windows>\o<random5>.exe
<Windows>\><random6>\ib<random7>.exe
<System>\c_32142k.com
<System>\n<random8>\b6108.exe
<System>\n<random8>\c.bron.tok.txt
<System>\n<random8>\csrss.exe
<System>\n<random8>\lsass.exe
<System>\n<random8>\services.exe
<System>\n<random8>\smss.exe
<System>\n<random8>\sv<random9>r.exe
<System>\n<random8>\winlogon.exe
where <random1> etc. are randomly-chosen numbers
Also W32/Brontok-AZ creates the following text files that may be
safely deleted:
<System>\n<random8>\c.bron.tok.txt
\Baca Bro !!!.txt
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job
The .job files each contain a scheduled task, instructing Windows to
execute the installed copies of the worm once per day.
W32/Brontok-AZ closes windows whose titles contain any of the
following:
task manager
registry
command prompt
system configuration
group policy
cmd.exe
computer management
scheduled task
killbox
hijack
SYSINTERNAL
PROCESS EXP
REMOVER
CLEANER
anti
washer
ertanto
BROWNIES
movzx
killer
pcmedia
pc-media
rontok
rontox
robknot
commander
windows script
norman
norton
symantec
cillin
trendmicro
bitdef
kaspersky
avg
avira
virus
trojan
worm
mcafee
b.e
folder option
wintask
alwil
sex
porn
naked
cewe
bugil
telanjang
nod32
task view
peid
ahnlab
W32/Brontok-AZ may install a new version of the file
<System>\msvbvm60.dll.
The following registry entries are created to run yesbron.com,
_default<random3>.pif, j<random4>.exe and sv<random9>r.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
<random11>
<User>\Local Settings\Application Data\dv<random1>\yesbron.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
<random12>
<Windows>\_default<random3>.pif
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random11>
<System>\n<random4>\sv<random9>r.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random12>
<Windows>\j<random4>.exe
The following registry entries are changed to run j<random4>.exe and
o<random5>.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\o<random5>.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\j<random4>.exe
(the default value for this registry entry is
"<Windows>\System32\userinit.exe,").
The following registry entry is set, disabling the registry editor
(regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Brontok
Message
Look @ "C:\Baca Bro !!!.txt"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Registry entries are created under:
HKCU\Software\Brontok\
W32/Brontok-AZ modifies the Windows HOSTS file in an attempt to prevent
access to security-related domains.
Name Troj/Zlob-PJ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
* Downloads updates
Prevalence (1-5) 2
Description
Troj/Zlob-PJ is a Trojan for the Windows platform.
The Trojan downloads and installs software from a remote site.
Advanced
Troj/Zlob-PJ creates the following registry entry in order to run
each time a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
kernel32.dll
"<path to Trojan EXE>"
Name Troj/LdPinc-LZ
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Monitors browser activity
* Monitors system activity
* Enables remote access
Aliases
* Trojan-Spy.Win32.Agent.kd
* PWS-LDPinch
* Infostealer.Ldpinch
Prevalence (1-5) 2
Description
Troj/LdPinc-LZ is a password-stealing Trojan with backdoor
functionality.
Troj/LdPinc-LZ attempts to steal confidential information and send it
to a remote location via HTTP or email.
Advanced
The information that Troj/LdPinc-LZ attempts to gather includes:
- keypresses (with the aid of a dropped keylogger DLL)
- computer details
- drive and volume information
- hostname and IP address
- information (including passwords and usernames) relating to
selected applications installed on the computer, including: Miranda
ICQ, mirabilis ICQ, The Bat!, Trillian, Windows Commander and Total
Commander
- passwords and confidential information stored by the system in
'Protected Storage'
- POP3 and IMAP server information, usernames and passwords
- FTP usernames and passwords
- RAS dial-up settings
Troj/LdPinc-LZ provides a backdoor server on a pre-configured port
(the default is 2050). A remote intruder will be able to connect to
this port and receive command shell access.
Troj/LdPinc-LZ can arrive as a result of web browsing. Certain web
pages may exploit vulnerabilities associated with Microsoft Internet
Explorer to silently download and install/run the Trojan without user
interaction.
Troj/LdPinc-LZ includes functionality to steal confidential
information.
When first run Troj/LdPinc-LZ copies itself to <System>\mssync20.exe
and creates the file <System>\mssync20.sys (also detected as
Troj/LdPinc-LZ).
The file mssync20.sys is registered as a new system driver service
named "mssync2020", with a display name of "mssync2020" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\mssync2020\
Name Troj/Opnis-E
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Trojan.Win32.Agent.wc
Prevalence (1-5) 2
Description
Troj/Opnis-E is a Trojan for the Windows platform.
Advanced
When Troj/Opnis-E is installed the following files are created:
<System>\cswiz.dll
<System>\drpr449BA67F.dll
<System>\mcas449BA67F.exe
<System>\msts449BA67F.dll
<System>\shdo449BA67F.dll
These files are also detected as Troj/Opnis-E.
The following registry entries are created to run code exported by
cswiz.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cswiz
DllName
<System>\cswiz.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cswiz
Startup
WlxStartupEvent
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cswiz
Impersonate
0
Name Troj/Opnis-F
Type
* Trojan
Affected operating systems
* Windows
Aliases
* Trojan.Win32.Opnis.k
Prevalence (1-5) 2
Description
Troj/Opnis-F is a Trojan for the Windows platform.
When Troj/Opnis-F is installed it creates the file
<System>\smwiz32.cmd. This file can be safely deleted.
Name WM97/Kukudro-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Prevalence (1-5) 2
Description
WM97/Kukudro-B is a Trojan dropping Word document.
WM97/Kukudro-B drops and runs a file detected by Sophos as Troj/Kuku-A.
Name Troj/DwnLdr-DFE
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Win32/TrojanDropper.Small.ALI
Prevalence (1-5) 2
Description
Troj/DwnLdr-DFE is a downloader Trojan for the Windows platform.
Troj/DwnLdr-DFE includes functionality to download, install and run
new software.
Advanced
Downloaded files have names in the format of a<random number>a.exe.
When first run Troj/DwnLdr-DFE copies itself to <Windows system
folder>\q<random number>q.exe and creates the file <Windows system
folder>\z<random number>z.dll.
The following registry entry is created to run the Trojan on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
tiwc
<Path to Trojan> sdcfsi
Name WM97/Kukudr-Fam
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
Aliases
* CME-136
* Trojan-Dropper.MSWord.Lafool.j
* W97M/Kukudro.c
Prevalence (1-5) 2
Description
WM97/Kukudr-Fam is a Trojan dropping Word document.
WM97/Kukudr-Fam typically drops and runs a file detected by Sophos as
Troj/Kuku-A.
Name Troj/Clagger-U
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Clagger-U is a Trojan for the Windows platform.
Troj/Clagger-U attempts to download further malicious code. At the
time of writing, none of the files the Trojan attempts to download
were available.
Troj/Clagger-U has been seen attached to emails with the following
characteristics:
Subject line:
EBAY
eBay AG Rechnung vom 29.06.2006
eBay International AG Rechnung vom 29 Juni 2006
eBay Rechnung
eBay Rechnung vom 29 Juni 2006
eBay Rechnung vom 29.06.2006
Attached file:
Ebay-Rechnung.pdf.zip containing Ebay-Rechnung.pdf.exe
Message text:
Guten Tag,
hier ist eine Zusammenfassung der Kontoaktivitaeten seit Ihrer
letzten Rechnung
In der beigelegten PDF Datei finden Sie die genaue Auflistung ihrer
Rechnung
-----------------------------------------------------------------------
--------
Rechnung vom 29 Juni 2006
Abrechnungszeitraum: 1.Juni 2006 - 1.Juli 2006 PST/PDT
Fortlaufende ID:
12-EU45783499-0
AG
eBay International AG
Helvetiastrasse 15/17
3005 Bern
Schweiz
Schweizer MwSt-Nummer: 508 508
EU - Umsatzsteuer-Identifikationsnummer:
EU528009572
Firmennummer:
CH-035.3.611.950-2
eBay-Kontonummer:
E137895093697-EUR
Rechnungsnummer:
045178-1394745185820
Letzte Rechnung: |0,00
Zahlungen und Gutschriften: |0,00
Faelliger Gesamtbetrag:
||%RND_FIRST_DIGIT41,64
Zahlungsmethode
Sie sind für das Lastschriftverfahren angemeldet. Der Rechnungsbetrag
wird innerhalb der nächsten fünf bis sieben Tage von Ihrem
Bankkonto abgebucht. (Der Abbuchungsbetrag kann von Ihrem
Rechnungsbetrag abweichen, wenn Sie im Zeitraum zwischen der
Rechnungserstellung und dem Abbuchungsdatum Zahlungen geleistet oder
Gutschriften erhalten haben.)
Hinweis
Saeumnisgebuehren: Wenn Ihr eBay-Konto ueberfaellig ist faellt eine
Saeumnisgebuehr an. Um Naeheres zu diesem Thema zu erfahren, gehen
Sie bitte zu Rechnungen und Zahlungen.
(http://pages.ebay.de/help/account/payfees.html)
Mehr zum Thema eBay-Gebühren
(http://pages.ebay.de/help/sell/fees.html)
Mitteilungen
Hinweis: eBay fragt niemals per E-Mail nach vertraulichen oder
persoenlichen Daten (z.B. Kennwort, Kreditkarte, Kontonummer).
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Hilfreiche Links
Zur Beantwortung Ihrer Fragen zu Ihrem eBay-Konto benutzen Sie bitte
den folgenden Link:
http://pages.ebay.de/help/account/selling-account-overview.html
Um Ihre Mitgliedsdaten zu aktualisieren, benutzen Sie bitte den
folgenden Link:
http://cgi4.ebay.de/aw-cgi/eBayISAPI.dll?ChangeRegistrationShow
Um eBay zu kontaktieren, verwenden Sie bitte den folgenden Link:
http://pages.ebay.de/help/contact_inline/index.html
Mit freundlichen Gruessen
eBay International AG
Zusaetzliche Mitteilungen
Die oben aufgeführten Leistungen beziehen sich ausschließlich auf Ihre
Anmeldung unter www.ebay.de.
Advanced
When first run Troj/Clagger-U copies itself to <System>\ipf.exe and
creates the file <System>\drivers\winut.dat.
The following registry entry is created to run ipf.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IPF
<System>\ipf.exe
The following registry entries are set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List
<pathname of the Trojan executable>
<pathname of the Trojan executable>:*:Enabled:<Trojan filename>
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List\
<System>\ipf.exe
<System>\ipf.exe:*:Enabled:ipf
Name Troj/Zlob-PH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Zlob-PH is a Trojan for the Windows platform.
Advanced
When Troj/Zlob-PH is installed it creates the files
<System>\regperf.exe and <System>\ld100.tmp (both files detected as
Troj/Zlob-PH). The file ld100.tmp is also detected as Troj/Zlobre-Gen.
The following registry entry is created to run regperf.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
wininet.dll
regperf.exe
Name W32/Akbot-AB
Type
* Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Agent.vc
* BKDR_AGENT.CQU
Prevalence (1-5) 2
Description
W32/Akbot-AB is a network worm and backdoor Trojan for the Windows
platform.
W32/Akbot-AB may attempt to spread to other network computers by
exploiting common buffer overflow vulnerabilities, including: LSASS
(MS04-011) and ASN.1 (MS04-007).
Advanced
When first run W32/Akbot-AB copies itself to <System>\utasvc.dll.
The following registry entry is created to run code exported by
utasvc.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
utasvc
rundll32.exe <System>\utasvc.dll,start
W32/Akbot-AB may also modify the HOSTS file of an infected computer
to deny access to various security related websites.
Name W32/Cuebot-K
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.IRCBot.st
* Win32/IRCBot.OO
Prevalence (1-5) 2
Description
W32/Cuebot-K is an instant messaging worm and backdoor for the Windows
platform.
W32/Cuebot-K spreads via AOL Instant Messenger.
Advanced
When first run W32/Cuebot-K copies itself to <Windows system
folder>\wgavn.exe and creates the file <Windows
folder>\Debug\dcpromo.log.
The file wgavn.exe is registered as a new system driver service named
"wgavn", with a display name of "Windows Genuine Advantage Validation
Notification" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\wgavn\
W32/Cuebot-K sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
n
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\security center\
HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\
HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
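
Added example (not part of the original post or of the Sophos text): the registry changes listed in the descriptions above can be checked offline against the text of a `reg export` dump. The Python below parses such a dump and reports the autostart value names, Winlogon Shell/Userinit changes, DisableRegistryTools, disabled SharedAccess service and missing SafeBoot keys described above; the function names, finding labels and the sample export are constructed for illustration.

```python
import re

# Autostart value names listed in the descriptions above -> Sophos detection name.
RUN_VALUE_NAMES = {
    "drv_st_key": "W32/Bagle-KJ", "windows file migration wizard": "W32/Rbot-EMO",
    "tiwc": "Troj/DwnLdr-DFE", "ipf": "Troj/Clagger-U", "utasvc": "W32/Akbot-AB",
    "kernel32.dll": "Troj/Zlob-PJ", "wininet.dll": "Troj/Zlob-PH",
}
RUN_KEY_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices",
                    r"\policies\explorer\run")
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY_SYSTEM = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
SHAREDACCESS = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
SAFEBOOT = r"hkey_local_machine\system\currentcontrolset\control\safeboot"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse .reg export text into {key_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = _unescape(m.group(1)).lower(), m.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = _unescape(data[1:-1])
        else:
            current[name] = data  # hex/binary types are kept as raw text
    return keys

def audit(keys):
    """Return (check, detail) findings for the registry changes described above."""
    findings = []
    for key, values in keys.items():
        if key.endswith(RUN_KEY_SUFFIXES):
            for name, data in values.items():
                if name in RUN_VALUE_NAMES:
                    findings.append(("run-value", f"{RUN_VALUE_NAMES[name]}: {name} -> {data}"))
    winlogon = keys.get(WINLOGON, {})
    shell = winlogon.get("shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon-shell", shell))
    userinit = winlogon.get("userinit")
    if isinstance(userinit, str):
        extra = [p.strip() for p in userinit.split(",")
                 if p.strip() and not p.strip().lower().endswith(r"\system32\userinit.exe")]
        if extra:
            findings.append(("winlogon-userinit", ",".join(extra)))
    if keys.get(POLICY_SYSTEM, {}).get("disableregistrytools") == 1:
        findings.append(("regedit-disabled", "DisableRegistryTools=1"))
    if keys.get(SHAREDACCESS, {}).get("start") == 4:
        findings.append(("sharedaccess-disabled", "Start=4"))
    if SAFEBOOT in keys:  # only meaningful when the export covers the SafeBoot key
        for sub in ("minimal", "network"):
            prefix = SAFEBOOT + "\\" + sub
            if not any(k == prefix or k.startswith(prefix + "\\") for k in keys):
                findings.append(("safeboot-missing", sub))
    return findings

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\o1234.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\j5678.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drv_st_key"="C:\\Documents and Settings\\u\\Application Data\\hidn\\hidn2.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
'''

if __name__ == "__main__":
    print("\n".join(f"{c}: {d}" for c, d in audit(parse_reg(SAMPLE))))
```

Regedit writes version 5.00 exports as UTF-16, so decode the file to text before passing it to parse_reg. A matching value name is a lead to investigate, not proof of infection.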