Text 178, 697 rader
Skriven 2007-03-10 18:19:00 av KURT WISMER
Ärende: News, March 10 2007
===========================
[cut-n-paste from sophos.com]
Name W32/Delbot-O
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Delbot-O is an IRC worm with backdoor functionality which allows
a remote intruder to gain access and control over the computer.
W32/Delbot-O includes functionality to download, install and run new
software.
W32/Delbot-O spreads to other network computers by scanning network
shares for weak passwords and by exploiting common buffer overflow
vulnerabilities, including Symantec (SYM06-010).
Advanced
W32/Delbot-O is an IRC worm with backdoor functionality which allows
a remote intruder to gain access and control over the computer.
W32/Delbot-O includes functionality to download, install and run new
software.
When first run W32/Delbot-O copies itself to <System>\crsss.exe
The following registry entry is created to run crsss.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 Security Service
System\crsss.exe
W32/Delbot-O spreads to other network computers by scanning network
shares for weak passwords and by exploiting common buffer overflow
vulnerabilities, including Symantec (SYM06-010).
Name Troj/Dloadr-AUL
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Dloadr-AUL is a downloader Trojan for the Windows platform.
Name Troj/Zlob-AAL
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Win32/TrojanDownloader.Zlob.ASS
Prevalence (1-5) 2
Description
Troj/Zlob-AAL is a downloader Trojan for the Windows platform.
Name W32/Sdbot-DAQ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Enables remote access
Aliases
* Backdoor.Win32.SdBot.qt
Prevalence (1-5) 2
Description
W32/Sdbot-DAQ is a worm for the Windows platform.
W32/Sdbot-DAQ contains IRC backdoor functionality.
W32/Sdbot-DAQ spreads
- to computers vulnerable to common exploits, including: SRVSVC
(MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049) and ASN.1 (MS04-007)
- to network shares
Advanced
W32/Sdbot-DAQ is a worm for the Windows platform.
W32/Sdbot-DAQ contains IRC backdoor functionality.
W32/Sdbot-DAQ runs continuously in the background, listening for
commands from a remote user.
When first run W32/Sdbot-DAQ copies itself to <System>\ntfscrypt.exe
and creates the file <Temp>\sysremove.bat.
W32/Sdbot-DAQ spreads
- to computers vulnerable to common exploits, including: SRVSVC
(MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049) and ASN.1 (MS04-007)
- to network shares
The file ntfscrypt.exe is registered as a new system driver service
named "NTFSCrypt", with a display name of "NTFS Crypto Technology"
and a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\NTFSCrypt
Name W32/LCJump-A
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/LCJump-A is a worm for the Windows platform.
Advanced
W32/LCJump-A is a worm for the Windows platform.
W32/LCJump-A attempt to copy itself to mapped drives with the
filename RavMon.exe and create a file autorun.inf which will attempt
to load the worm automatically when the infected drive is accessed.
W32/LCJump-A also creates a backdoor, enabling a remote user control
over the infected computer.
When run, W32/LCJump-A copies itself to <Windows>\SVCHOST.EXE and
creates the file <Windows>\MDM.exe. The file MDM.exe is detected as
Troj/Bckdr-PXR.
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SVCHOST
<Windows>\MDM.EXE
Name W32/Delbot-P
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Win32/Rinbot.G
* W32/Sdbot.worm!678b37ba
* Backdoor.Win32.VanBot.ay
Prevalence (1-5) 2
Description
W32/Delbot-P is a worm with IRC backdoor functionality for the
Windows platform.
W32/Delbot-P spreads:
- to computers vulnerable to common exploits, including: Symantec
(SYM06-010)
- to MSSQL servers protected by weak passwords
W32/Delbot-P runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Delbot-P is a worm with IRC backdoor functionality for the
Windows platform.
W32/Delbot-P spreads:
- to computers vulnerable to common exploits, including: Symantec
(SYM06-010)
- to MSSQL servers protected by weak passwords
W32/Delbot-P runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Delbot-P copies itself to <System>\rst.exe.
The following registry entry is created to run rst.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Random Interface Network
System\rst.exe
Name W32/Rbot-GHK
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Rbot-GHK is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-GHK runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-GHK spreads to other network computers:
- by exploiting common buffer overflow vulnerabilities, including:
LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049)
(CAN-2003-0812), MSSQL (MS02-039) (CAN-2002-0649), ASN.1 (MS04-007),
Realcast and Symantec (SYM06-010)
- networks protected by weak passwords
Advanced
W32/Rbot-GHK is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-GHK runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-GHK spreads to other network computers:
- by exploiting common buffer overflow vulnerabilities, including:
LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049)
(CAN-2003-0812), MSSQL (MS02-039) (CAN-2002-0649), ASN.1 (MS04-007),
Realcast and Symantec (SYM06-010)
- networks protected by weak passwords
When first run W32/Rbot-GHK copies itself to <System>\kernaldrn.exe
and creates the file \a.bat.
The file a.bat is detected as Troj/Batten-A.
The following registry entries are created to run winupser.exe on
startup:
W32/Rbot-GHK includes functionality to:
- download code from the internet
- perform port scanning
- perform DDoS attacks
- steal information including computer game keys
- setup a SOCKS4 proxy server
Name W32/Rbot-GHL
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* W32.Spybot.Worm
Prevalence (1-5) 2
Description
W32/Rbot-GHL is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-GHL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-GHL spreads
- to computers vulnerable to common exploits, including: SRVSVC
(MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049) and ASN.1 (MS04-007)
- to network shares
Advanced
W32/Rbot-GHL is a worm with IRC backdoor functionality for the
Windows platform.
W32/Rbot-GHL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-GHL spreads
- to computers vulnerable to common exploits, including: SRVSVC
(MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049) and ASN.1 (MS04-007)
- to network shares
When first run W32/Rbot-GHL copies itself to <System>\applayer.ex and
creates the file <Temp>\sysremove.bat. The batch file can be deleted.
The file applayer.ex is registered as a new system driver service
named "applilserv", with a display name of "Application Layer Service
Control" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\applilserv
Name W32/Looked-CG
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Looked-CG is a prepending virus for the Windows platform.
Advanced
W32/Looked-CG is a prepending virus for the Windows platform.
The virus infects EXE files found on the infected computer. The virus
also attempts to copy itself to remote network shares.
W32/Looked-CG includes functionality to access the internet and
communicate with a remote server via HTTP. W32/Looked-CG may attempt
to download and execute additional files from a remote location.
When first run W32/Looked-CG copies itself to <Windows>\Logo_1.exe
and to <Windows>\uninstall\rundl132.exe and creates the following
files:
<Windows>\RichDll.dll
RichDll.dll is also detected as W32/Looked-CG.
W32/Looked-CG may also create many files with the name "_desktop.ini"
are created, in various folders on the infected computer. These files
are harmless text files and can be deleted.
The following registry entry is created to run rundl132.exe on startup:
HKLM\SOFTWARE\Microsoft\CurrentVersion\Run
load
<Windows>\uninstall\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW
Name W32/Delbot-S
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Delbot-S is an IRC worm with backdoor functionality which allows
a remote intruder to gain access and control over the computer.
Advanced
W32/Delbot-S is an IRC worm with backdoor functionality which allows
a remote intruder to gain access and control over the computer.
W32/Delbot-S includes functionality to download, install and run new
software.
At the time of writing the file downloaded by W32/Delbot-S was
detected as W32/IRCBot-UW.
W32/Delbot-S spreads to other network computers by scanning network
shares for weak passwords and by exploiting common buffer overflow
vulnerabilities, including Symantec (SYM06-010).
W32/Delbot-S my also attempt to spread by utilising weaknesses
associated with SQL servers.
When first run W32/Delbot-S copies itself to <System>\crsrs.exe and
creates the file \jpb.exe.
The following registry entry is created to run crsrs.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 Information Service
System\crsrs.exe
Name W32/Rajilo-A
Type
* Worm
How it spreads
* Removable storage devices
Affected operating systems
* Windows
Side effects
* Modifies passwords
* Installs itself in the Registry
Aliases
* Trojan.Win32.VB.awh
* Rajilo trojan
Prevalence (1-5) 2
Description
W32/Rajilo-A is a worm for the Windows platform.
W32/Rajilo-A may spread via removable storage devices.
W32/Rajilo-A includes functionality to
- access the internet and communicate with a remote server via HTTP.
- modify administrator account password of the system.
Advanced
W32/Rajilo-A is a worm for the Windows platform.
W32/Rajilo-A may spread via removable storage devices.
W32/Rajilo-A includes functionality to
- access the internet and communicate with a remote server via HTTP.
- modify administrator account password of the system.
When first run W32/Rajilo-A copies itself to <System>\svhost.exe and
may create a file autorun.inf. The inf file can be deleted.
The following registry entry is created to run svhost.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SysTray
<System>\svhost.exe
The following registry entry is set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
0
Name W32/Mytob-IS
Type
* Worm
How it spreads
* Email messages
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Mytob-IS is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
Advanced
W32/Mytob-IS is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-IS is capable of spreading through email and through
various operating system vulnerabilities.
When run, W32/Mytob-IS copies itself to <System>\winsys32.exe and
sets the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows System
\winsys32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows System
\winsys32.exe
Email sent by W32/Mytob-IS has the following properties:
Subject:
Account Alert
<Random Characters>
Message Text:
Dear Valued Member,
According to our terms of services, you will have to confirm your
e-mail by the following link, or your account will be suspended
within 24 hours for security reasons.
<link to malware>
After following the instructions in the sheet, your account will not
be interrupted and will continue as normal.
Thanks for your attention to this request. We apologize for any
inconvenience.
Sincerely, <random name> Abuse Department
W32/Mytob-IS modifies the HOSTS file, changing the URL-to-IP mappings
for selected websites.
W32/Mytob-IS terminates security related applications.
Name W32/Delbot-T
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
* Used in DOS attacks
Aliases
* Backdoor.Win32.VanBot.az
Prevalence (1-5) 2
Description
W32/Delbot-T is an IRC worm with backdoor functionality which allows
a remote intruder to gain access and control over the computer.
Advanced
W32/Delbot-T is an IRC worm with backdoor functionality which allows
a remote intruder to gain access and control over the computer.
W32/Delbot-T includes functionality to download, install and run new
software.
W32/Delbot-T spreads to other network computers by scanning network
shares for weak passwords and by exploiting common buffer overflow
vulnerabilities, including Symantec (SYM06-010).
W32/Delbot-T my also attempt to spread by utilising weaknesses
associated with SQL servers.
When first run W32/Delbot-T copies itself to <System>\nortonav.exe.
The following registry entry is created to run nortonav.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Norton Antivirus Updater
System\nortonav.exe
--- MultiMail/Win32 v0.43
* Origin: Doc's Place BBS Fido Since 1991 docsplace.tzo.com (1:123/140)
|