Text 28, 807 rader
Skriven 2004-12-05 16:48:00 av KURT WISMER (1:123/140)
Ärende: News, Dec. 5 2004
=========================
[cut-n-paste from sophos.com]
Name W32/Rbot-RC
Type
* Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Rbot.dy
* WORM_SDBOT.AFI
Prevalence (1-5) 2
Description
W32/Rbot-RC is an IRC backdoor Trojan and network worm.
W32/Rbot-RC may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process.
W32/Rbot-RC copies itself to the Windows system folder and creates
registry entries to run itself automatically at system log-on.
W32/Rbot-RC will listen on port 113 for incoming commands such as to
delete network shares, log keypresses, participate in DDoS attacks,
scan other computers for vulnerabilities, steal passwords, steal
registration keys for computer games and capture video from webcameras
attached to infected computers.
Advanced
W32/Rbot-RC is an IRC backdoor Trojan and network worm.
W32/Rbot-RC may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process.
W32/Rbot-RC copies itself to the Windows system folder and creates the
following registry entries to run itself automatically on log-on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsfot Lmhosting Servic
lmhosts.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsfot Lmhosting Service
lmhosts.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsfot Lmhosting
Service
lmhosts.exe
In addition, W32/Rbot-RC also creates the registry entry
HKLM\SOFTWARE\Krypton\ that will show a reference to the original copy
of the worm that gets deleted upon execution.
W32/Rbot-RC will listen on port 113 for incoming commands such as to
delete network shares, log keypresses, participate in DDoS attacks,
scan other computers for vulnerabilities, steal passwords, steal
registration keys for computer games and capture video from webcameras
attached to infected computers.
Name W32/Sdbot-RU
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Win32.IRCBot.a
* W32/Sdbot.worm.gen
Prevalence (1-5) 2
Description
W32/Sdbot-RU is a network worm from the Sdbot family which attempts to
spread to remote network shares protected by weak passwords and
computers vulnerable to common exploits. W32/Sdbot-RU also contains
backdoor Trojan functionality, allowing unauthorised remote access to
the infected computer via IRC channels while running in the background
as a service process.
A remote attacker can use the backdoor to send commands to the Trojan.
These commands include instructions to delete network shares, steal
registration keys for computer games, redirect internet traffic,
participate in DDoS attacks, scan other computers and spread to network
shares.
Advanced
W32/Sdbot-RU is a network worm from the Sdbot family which attempts to
spread to remote network shares protected by weak passwords and
computers vulnerable to common exploits. W32/Sdbot-RU also contains
backdoor Trojan functionality, allowing unauthorised remote access to
the infected computer via IRC channels while running in the background
as a service process.
A remote attacker can use the backdoor to send commands to the Trojan.
These commands include instructions to delete network shares, steal
registration keys for computer games, redirect internet traffic,
participate in DDoS attacks, scan other computers and spread to network
shares.
W32/Sdbot-RU copies itself to the Windows system folder and creates the
following registry entries to run itself automatically on log-on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
outlook
"outlook.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
outlook
"outlook.exe"
Name W32/Rbot-QX
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Macintosh
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Aliases
* Backdoor.Win32.Rbot.gen
* W32/Sdbot.worm.gen.j
* WORM_RBOT.XQ
Prevalence (1-5) 2
Description
W32/Rbot-QX is a network worm and IRC backdoor Trojan for the Windows
platform.
The worm copies itself to a file in the Windows system folder with a
filename consisting of nine randomly chosen lowercase letters and an
EXE extension.
W32/Rbot-QX spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
W32/Rbot-QX can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-QX can be instructed by a remote user
to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial-of-service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
Advanced
W32/Rbot-QX is a network worm and IRC backdoor Trojan for the Windows
platform.
The worm copies itself to a file in the Windows system folder with a
filename consisting of nine randomly chosen lowercase letters and the
EXE file extension and creates the following registry entries in order
to run when a user logs on:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WindowsRegKey upd4te2d4te
<9 letter filename>.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WindowsRegKey upd4te2d4te
<9 letter filename>.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WindowsRegKey upd4te2d4te
<9 letter filename>.EXE
W32/Rbot-QX spreads using a variety of techniques including exploiting
weak passwords on computers and SQL servers, exploiting operating system
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
W32/Rbot-QX can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-QX can be instructed by a remote user
to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial-of-service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
Patches for the operating system vulnerabilities exploited by
W32/Rbot-QX can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx
Name W32/Agobot-OL
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Aliases
* Backdoor.Win32.Agobot.gen
* W32/Gaobot.worm.gen.q
* WORM_AGOBOT.ACE
Prevalence (1-5) 2
Description
W32/Agobot-OL is a worm with backdoor functionality which spreads to
computers protected by weak passwords.
The worm then tries to connect to a remote IRC server while running
continuously in the background, allowing a remote intruder to access and
control the computer via IRC channels.
Once installed, W32/Agobot-OL will attempt to participate in distributed
denial-of-service (DDoS) attacks, steal CD keys, log keystrokes and set
up a SOCKS4 and a HTTP proxy server when instructed to do so by a remote
attacker.
W32/Agobot-OL also tries to terminate and disable various anti-virus and
security-related programs and modifies the HOSTS file.
Advanced
W32/Agobot-OL is a worm with backdoor functionality which spreads to
computers protected by weak passwords.
When run W32/Agobot-OL moves itself to the Windows system folder as
smsvc32.exe and creates the following registry entries to run itself on
computer logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SMSvc32
smsvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
SMSvc32
smsvc32.exe
The worm then tries to connect to a remote IRC server while running
continuously in the background, allowing a remote intruder to access and
control the computer via IRC channels.
Once installed, W32/Agobot-OL will attempt to participate in distributed
denial-of-service (DDoS) attacks, steal CD keys, log keystrokes and
setup a SOCKS4 and a HTTP proxy server when instructed to do so by a
remote attacker.
The worm may also tries to spread to network shares using the filename
testfile.
W32/Agobot-OL attempts to terminate and disable various anti-virus and
security-related programs. The worm modifies the HOSTS file by appending
the following mappings:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
Name W32/Agobot-OH
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
Aliases
* Backdoor.Win32.Agobot.gen
* DOS_AGOBOT.GEN
Prevalence (1-5) 2
Description
W32/Agobot-OH is a worm with backdoor functionality which spreads to
computers protected by weak passwords.
The worm then tries to connect to a remote IRC server while running
continuously in the background, allowing a remote intruder to access and
control the computer via IRC channels.
W32/Agobot-OH also tries to terminate and disable various anti-virus and
security related programs and modifies the HOSTS file.
Advanced
W32/Agobot-OH is a worm with backdoor functionality which spreads to
computers protected by weak passwords.
When run W32/Agobot-OH copies itself to the Windows system folder as
trendav.exe and creates the following registry entries to run itself on
computer logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Trend Micro AV
trendav.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Trend Micro AV
trendav.exe
The worm then tries to connect to a remote IRC server while running
continuously in the background, allowing a remote intruder to access and
control the computer via IRC channels.
Once installed, W32/Agobot-OH will attempt to participate in distributed
denial-of-service (DDoS) attacks, steal CD keys, setup a SOCKS4 and HTTP
server and login to MS SQL servers and send EXEC commands to open a
command shell when instructed to do so by a remote attacker.
W32/Agobot-OH also tries to terminate and disable various anti-virus and
security related programs. The worm modifies the HOSTS file by appending
the following mappings:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
Name W32/Agobot-NZ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Agobot.gen
Prevalence (1-5) 2
Description
W32/Agobot-NZ is a backdoor Trojan and worm which spreads to computers
protected by weak passwords.
Each time the Trojan is run it attempts to connect to a remote IRC
server and join a specific channel.
The Trojan then runs continuously in the background, allowing a remote
intruder to access and control the computer via IRC channels.
The Trojan attempts to terminate and disable various anti-virus and
security-related programs and modifies the HOSTS file.
Advanced
W32/Agobot-NZ is a backdoor Trojan and worm which spreads to computers
protected by weak passwords and to computers infected with variants of
W32/MyDoom.
When first run, W32/Agobot-NZ moves itself to the Windows system folder
as gmsvc32.exe and creates the following registry entries to run itself
on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Gmsvc32
gmsvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Gmsvc32
gmsvc32.exe
Each time the Trojan is run it attempts to connect to a remote IRC
server and join a specific channel.
The Trojan then runs continuously in the background, allowing a remote
intruder to access and control the computer via IRC channels.
The Trojan attempts to terminate and disable various anti-virus and
security-related programs and modifies the HOSTS file located at
%WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus
websites to the loopback address 127.0.0.1 in an attempt to prevent
access to these sites. Typically the following mappings will be appended
to the HOSTS file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
Name W32/Wurmark-A
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Drops more malware
* Forges the sender's email address
* Leaves non-infected files on computer
Aliases
* Email-Worm.Win32.Wurmark.a
* W32/Mugly.b@MM
Prevalence (1-5) 2
Description
W32/Wurmark-A is a Visual Basic mass-mailing worm.
When run the worm first displays a JPEG graphic using the default viewer
and then creates ansmtp.dll, attached.zip, bszip.dll, uglym.jpg,
winit.exe and xxz.tmp in the Windows system folder.
Advanced
W32/Wurmark-A is a Visual Basic mass-mailing worm.
When run the worm first displays a JPEG graphic using the default viewer
and then creates ansmtp.dll, attached.zip, bszip.dll, uglym.jpg,
winit.exe and xxz.tmp in the Windows system folder.
ANSMTP.DLL is a commercial Mailer Engine registered by the worm.
BSZIP.DLL is a commercial ZIP engine and can be safely deleted.
XXZ.TMP is a copy of the worm
UGLYM.JPG is an image file and can be safely deleted.
WINIT.EXE is detected by Sophos as W32/Rbot-QV.
Name Troj/Dloader-EP
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Delf.ep
Prevalence (1-5) 2
Description
Troj/Dloader-EP is a downloader Trojan.
The Trojan downloads and runs files without informing the user
Advanced
Troj/Dloader-EP is a downloader Trojan. When run the Trojan copyies
itself to the Windows system folder as msshed32.exe. Troj/Dloader-EP
will attempt to download moneyspj.exe from aidintime.com and can be
configured to download other files through this site. The downloaded
files are copied to the Windows system folder and executed. The Trojan
may also report the user's Windows ID to aidintime.com. This is done
without any user interaction.
Troj/Dloader-EP may create the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
atiupdate
<Windows system>\msshed32.exe
HKCU\Software\xjado
fr
<random value>
Name Troj/Banker-AN
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Steals credit card details
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* TrojanSpy.Win32.Banker.cy
* PWS-Bancban
Prevalence (1-5) 2
Description
Troj/Banker-AN is a Trojan for the Windows platform that attempts to
steal confidential information when a user visits banking-related
websites.
Troj/Banker-AN attempts to download the file CARPserver.exe from a
predefined remote Brazilian location.
Advanced
When executed Troj/Banker-AN creates Iexplore.exe in the Windows folder
sets the following registry entries in order to run automatically when
Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
irwftp
iexplorer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CARPserver
CARPserver.exe
Troj/Banker-AN also sets the following registry entries:
HKCU\Software\WinRAR SFX\c%%windows%system
HKCU\irwftp\
HKLM\SOFTWARE\Microsoft\DownloadManager\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\@
Name W32/Forbot-CW
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Aliases
* Backdoor.Win32.Wootbot.gen
Prevalence (1-5) 2
Description
W32/Forbot-CW is a worm which attempts to spread to remote network
shares and computers vulnerable to common exploits.
W32/Forbot-CW contains backdoor Trojan functionality, allowing
unauthorised remote access to the infected computer via the IRC network.
W32/Forbot-CW connects to a preconfigured IRC channel and awaits
commands from a remote intruder. These include commands to steal
information, delete network shares, reduce system security, start a
proxy server, participate in DDoS attacks, exploit vulnerabilities,
steal registration keys for computer games and harvest email addresses
from the Windows address book and Instant Messenger configuration files.
Advanced
W32/Forbot-CW copies itself to the Windows system folder and creates the
following registry entries to run itself automatically on log-on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScManager
scman.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
ScManager
scman.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
ScManager
scman.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ScManager
scman.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
ScManager
scman.exe
W32/Forbot-CW also creates a number of entries in the registry under the
following entries:
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_USBFIRE\
HKLM\SYSTEM\ControlSet001\Services\USBFire\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_USBFIRE\
HKLM\SYSTEM\CurrentControlSet\Services\USBFire\
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|