Text 50, 1920 rader
Skriven 2005-04-10 17:42:00 av KURT WISMER (1:123/140)
Ärende: News, April 10 2005
===========================
[cut-n-paste from sophos.com]
Name W32/Mytob-R
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Modifies data on the computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
Aliases
* WORM_MYTOB.X
* Net-Worm.Win32.Mytob.p
* Net-Worm.Win32.Mytob.q
* Worm.Mytob.H-3
Prevalence (1-5) 3
Description
W32/Mytob-R is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
W32/Mytob-R is capable of spreading through various operating system
vulnerabilities such as LSASS (MS04-011).
W32/Mytob-R also drops a file C:\hellmsn.exe. This file is being
detected by Sophos as W32/Mytob-D.
Advanced
W32/Mytob-R is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
W32/Mytob-R is capable of spreading through various operating system
vulnerabilities such as LSASS (MS04-011).
When first run, W32/Mytob-R copies itself to the Windows system folder
as taskgmr.exe, bingoo.exe and nethell.exe and creates the following
registry entries:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
HKCU\Software\Microsoft\OLE
WINTASK
taskgmr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Ole
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
W32/Mytob-R copies itself to the drive C root folder as:
my_photo2005.scr
see_this!!.scr
funny_pic.scr
The worm also appends the following to the HOSTS file to deny access to
security-related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
Emails sent by W32/Mytob-R have the following characteristics:
Subject line:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
thanks!
read it immediately
<random>
Message text:
Here are your banks documents.
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment
The original message was included as an attachment.
Here are your banks documents.
The attached file consists of a base name followed by the extentions BAT,
CMD, PIF, SCR, EXE or ZIP. The worm may optionally create double
extensions where the first extension is DOC, TXT or HTM and the final
extension is PIF, SCR, EXE or ZIP.
W32/Mytob-R harvests email addresses from files on the infected computer
and from the Windows address book.
The worm also drops a batch file %SYSTEM%\2pac.txt. This file can be
safely deleted.
W32/Mytob-R also drops a file C:\hellmsn.exe. This file is being
detected by Sophos as W32/Mytob-D.
Name W32/Mytob-Q
Type
* Worm
How it spreads
* Email attachments
* Chat programs
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Drops more malware
Aliases
* WORM_MYTOB.Q
Prevalence (1-5) 2
Description
W32/Mytob-Q is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
W32/Mytob-Q is capable of spreading through email and through various
operating system vulnerabilities such as LSASS (MS04-011).
W32/Mytob-Q harvests email addresses from files on the infected computer
and from the Windows address book.
Advanced
W32/Mytob-Q is a mass-mailing worm and backdoor Trojan that targets
users of Internet Relay Chat programs.
When first run W32/Mytob-Q copies itself to the Windows system folder as
msnmsgs.exe and creates the following registry entries:
HKCU\System\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe
HKCU\Software\Microsoft\OLE
MSN MESSENGER
msnmsgs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe
HKLM\Software\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe
HKLM\System\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe
W32/Mytob-Q copies itself to the root folder as:
funny pic.scr
photo album.scr
eminem vs 2pac.scr
and creates the helper file hellmsn.exe (detected by Sophos as
W32/Mytob-H) in the same location.
W32/Mytob-Q also appends the following to the HOSTS file to deny access
to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
W32/Mytob-Q is capable of spreading through email and through various
operating system vulnerabilities such as LSASS (MS04-011). Email sent by
W32/Mytob-Q has the following properties:
Subject line:
Hello
thanks!
read it immediately
Message text:
This is a multi-part message in MIME format
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The original message was included as an attachment.
I have received your document. The corrected document is attached.
The attached file consists of a base name followed by the extentions
PIF, SCR, EXE or ZIP. The worm may optionally create double extensions
where the first extension is DOC, TXT or HTM and the final extension is
PIF, SCR, EXE or ZIP.
W32/Mytob-Q harvests email addresses from files on the infected computer
and from the Windows address book.
Name W32/Rbot-ZQ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Downloads code from the internet
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-ZQ is an IRC backdoor and network worm.
W32/Rbot-ZQ may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process. The worm exploits the following vulnerabilities:
RPC-DCOM (MS04-12), LSASS (MS04-11) and WKS (MS03-049). For patches for
these vulnerabilities, see:
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
W32/Rbot-ZQ can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
The worm creates numerous registry entries in order to alter system
security.
Advanced
W32/Rbot-ZQ is an IRC backdoor and network worm.
W32/Rbot-ZQ may spread to remote network shares protected by weak
passwords and computers vulnerable to common exploits. The worm also
opens up a backdoor, allowing unauthorised remote access to infected
computers via the IRC network, while running in the background as a
service process. The worm exploits the following vulnerabilities:
RPC-DCOM (MS04-12), LSASS (MS04-11) and WKS (MS03-049). For patches for
these vulnerabilities, see:
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
W32/Rbot-ZQ can receive commands from a remote intruder to delete
network shares, log keypresses, participate in DDoS attacks, scan other
computers for vulnerabilities, steal passwords, steal registration keys
for computer games, create administrator accounts, terminate firewall
and anti-virus processes and capture video from webcameras attached to
the computer.
W32/Rbot-ZQ copies itself to the Windows system folder with a random
filename and creates the following registry entries in order to alter
system security:
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start =
4
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM =
"N"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start =
4
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous =
1
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
TransportBindName =
""
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server =
50
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPerServer =
50
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks =
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer =
0
The worm also creates a number of new registry entries under
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name W32/Sdbot-WS
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Trojan.SdBot-447
* W32/Sdbot.worm.gen.y
Prevalence (1-5) 2
Description
W32/Sdbot-WS is a member of the W32/Sdbot family of network worms. The
worm can spread to weakly protected network shares, and to computers
already infected with W32/MyDoom.
The worm has a backdoor component that connects to a preconfigured IRC
mchannel, allowing an attacker to issue instructions to the worm, thus
giving access to an infected computer.
W32/Sdbot-WS can be instructed to harvest product keys; scan for remote
computers to infect; upload, download and execute files; as well as
retrieve information about an infected system.
Advanced
W32/Sdbot-WS is a member of the W32/Sdbot family of network worms. The
worm can spread to weakly protected network shares, and to computers
already infected with W32/MyDoom.
In order to run automatically when Windows starts up the worm copies
itself to the <System> folder as winupdate.exe and creates the following
registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update
winupdate.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Update
winupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update
winupdate.exe
Once installed, W32/Sdbot-WS connects to a preconfigured IRC server and
joins a channel from which an attacker can issue further commands. These
commands can cause the infected computer to perform any of the following
actions:
Scan for remote computers to infect
Steal product keys
Upload, download and execute files
Retrieve information about an infected system
The worm can be instructed to secure an infected computer, and does this
by attempting to delete the C$, D$, IPC$ and ADMIN$ network shares, and
disable DCOM by setting the following registry entry:
HKLM\Software\Microsoft\OLE
EnableDCOM
N
Name Troj/StartPa-FM
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
Aliases
* Trojan.Win32.StartPage.sr
* Trojan.Startpage-220
Prevalence (1-5) 2
Description
Troj/StartPa-FM is a Windows Trojan which changes the default Internet
settings.
When run the Trojan quietly changes the default Internet Explorer Start
Page and the Internet zone settings.
Troj/StartPa-FM also drops a file ~D2.TMP in the %TEMP% folder and runs
it. This file is a key generator application and is not malicious.
Name W32/Rbot-ZN
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-ZN is a worm with backdoor Trojan functionality.
W32/Rbot-ZN is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command. The worm can also spread by exploiting a number of software
vulnerabilities.
Advanced
W32/Rbot-ZN is a worm with backdoor Trojan functionality.
W32/Rbot-ZN is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
W32/Rbot-ZN will attempt to spread by exploiting the following
vulnerabilities:
DCOM (MS04-012)
LSASS and IIS5SSL (MS04-011)
Microsoft SQL servers with weak passwords
When first run, W32/Rbot-ZN moves itself to the Windows system folder as
INIT3.EXE. In order to run automatically each time a user logs in,
W32/Rbot-ZN will set the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Unix File Support
init3.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Unix File Support
init3.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Unix File Support
init3.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Unix File Support
init3.exe
W32/Rbot-ZN will also set the following registry entries:
HKCU\Software\Microsoft\OLE
Unix File Support
init3.exe
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Unix File Support
init3.exe
The worm runs continuously in the background, providing backdoor access
to the infected computer over IRC channels.
W32/Rbot-ZN will modify the following registry entries in order to
disable DCOM and close restrictions on IPC$ shares:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
W32/Rbot-ZN will attempt to terminate the following processes:
_AVP32.EXE, _AVPCC.EXE, _AVPM.EXE, ACKWIN32.EXE, ADAWARE.EXE,
ADVXDWIN.EXE, AGENTSVR.EXE, AGENTW.EXE, ALERTSVC.EXE, ALEVIR.EXE,
ALOGSERV.EXE, AMON9X.EXE, ANTI-TROJAN.EXE, ANTIVIRUS.EXE, ANTS.EXE,
APIMONITOR.EXE, APLICA32.EXE, APVXDWIN.EXE, ARR.EXE, ATCON.EXE,
ATGUARD.EXE, ATRO55EN.EXE, ATUPDATER.EXE, ATWATCH.EXE, AU.EXE,
AUPDATE.EXE, AUTO-PROTECT.NAV80TRY.EXE, AUTODOWN.EXE, AUTOTRACE.EXE,
AUTOUPDATE.EXE, AVCONSOL.EXE, AVE32.EXE, AVGCC32.EXE, AVGCTRL.EXE,
AVGNT.EXE, AVGSERV.EXE, AVGSERV9.EXE, AVGUARD.EXE, AVGW.EXE, AVKPOP.EXE,
AVKSERV.EXE, AVKSERVICE.EXE, AVKWCTl9.EXE, AVLTMAIN.EXE, AVNT.EXE,
AVP.EXE, AVP32.EXE, AVPCC.EXE, AVPDOS32.EXE, AVPM.EXE, AVPTC32.EXE,
AVPUPD.EXE, AVSCHED32.EXE, AVSYNMGR.EXE, AVWIN95.EXE, AVWINNT.EXE,
AVWUPD.EXE, AVWUPD32.EXE, AVWUPSRV.EXE, AVXMONITOR9X.EXE,
AVXMONITORNT.EXE, AVXQUAR.EXE, BACKWEB.EXE, BARGAINS.EXE, bbeagle.exe,
BD_PROFESSIONAL.EXE, BEAGLE.EXE, BELT.EXE, BIDEF.EXE, BIDSERVER.EXE,
BIPCP.EXE, BIPCPEVALSETUP.EXE, BISP.EXE, BLACKD.EXE, BLACKICE.EXE,
BLSS.EXE, BOOTCONF.EXE, BOOTWARN.EXE, BORG2.EXE, BPC.EXE, BRASIL.EXE,
BS120.EXE, BUNDLE.EXE, BVT.EXE, CCAPP.EXE, CCEVTMGR.EXE, CCPXYSVC.EXE,
CDP.EXE, CFD.EXE, CFGWIZ.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE,
CFINET32.EXE, Claw95.EXE, CLAW95CF.EXE, CLEAN.EXE, CLEANER.EXE,
CLEANER3.EXE, CLEANPC.EXE, CLICK.EXE, CMD32.EXE, CMESYS.EXE,
CMGRDIAN.EXE, CMON016.EXE, CONNECTIONMONITOR.EXE, CPD.EXE, CPF9X206.EXE,
CPFNT206.EXE, CTRL.EXE, CV.EXE, CWNB181.EXE, CWNTDWMO.EXE,
d3dupdate.exe, DATEMANAGER.EXE, DCOMX.EXE, DEFALERT.EXE, DEFSCANGUI.EXE,
DEFWATCH.EXE, DEPUTY.EXE, DIVX.EXE, DLLCACHE.EXE, DLLREG.EXE, DOORS.EXE,
DPF.EXE, DPFSETUP.EXE, DPPS2.EXE, DRWATSON.EXE, DRWEB32.EXE,
DRWEBUPW.EXE, DSSAGENT.EXE, DVP95.EXE, DVP95_0.EXE, ECENGINE.EXE,
EFPEADM.EXE, EMSW.EXE, ENT.EXE, ESAFE.EXE, ESCANH95.EXE, ESCANHNT.EXE,
ESCANV95.EXE, ESPWATCH.EXE, ETHEREAL.EXE, ETRUSTCIPE.EXE, EVPN.EXE,
EXANTIVIRUS-CNET.EXE, EXE.AVXW.EXE, EXPERT.EXE, EXPLORE.EXE,
F-AGNT95.EXE, F-AGOBOT.EXE, F-PROT.EXE, F-PROT95.EXE, F-STOPW.EXE,
FAMEH32.EXE, FAST.EXE, FCH32.EXE, FIH32.EXE, FINDVIRU.EXE, FIREWALL.EXE,
FLOWPROTECTOR.EXE, FNRB32.EXE, FP-WIN.EXE, FP-WIN_TRIAL.EXE, FPROT.EXE,
FRW.EXE, FSAA.EXE, FSAV.EXE, FSAV32.EXE, FSAV530STBYB.EXE,
FSAV530WTBYB.EXE, FSAV95.EXE, FSGK32.EXE, FSM32.EXE, FSMA32.EXE,
FSMB32.EXE, GATOR.EXE, GBMENU.EXE, GBPOLL.EXE, GENERICS.EXE, GMT.EXE,
GUARD.EXE, GUARDDOG.EXE, HACKTRACERSETUP.EXE, HBINST.EXE, HBSRV.EXE,
HIJACKTHIS.EXE, HOTACTIO.EXE, HOTPATCH.EXE, HTLOG.EXE, HTPATCH.EXE,
HWPE.EXE, HXDL.EXE, HXIUL.EXE, i11r54n4.exe, IAMAPP.EXE, IAMSERV.EXE,
IAMSTATS.EXE, IBMASN.EXE, IBMAVSP.EXE, ICLOAD95.EXE, ICLOADNT.EXE,
ICMON.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IDLE.EXE, IEDLL.EXE,
IEDRIVER.EXE, IEXPLORER.EXE, IFACE.EXE, IFW2000.EXE, INETLNFO.EXE,
INFUS.EXE, INFWIN.EXE, INIT.EXE, INTDEL.EXE, INTREN.EXE, IOMON98.EXE,
IPARMOR.EXE, IRIS.EXE, irun4.exe, ISASS.EXE, ISRV95.EXE, ISTSVC.EXE,
JAMMER.EXE, JDBGMRG.EXE, JEDI.EXE, KAVLITE40ENG.EXE, KAVPERS40ENG.EXE,
KAVPF.EXE, KAZZA.EXE, KEENVALUE.EXE, KERIO-PF-213-EN-WIN.EXE,
KERIO-WRL-421-EN-WIN.EXE, KERIO-WRP-421-EN-WIN.EXE, KERNEL32.EXE,
KILLPROCESSSETUP161.EXE, LAUNCHER.EXE, LDNETMON.EXE, LDPRO.EXE,
LDPROMENU.EXE, LDSCAN.EXE, LNETINFO.EXE, LOADER.EXE, LOCALNET.EXE,
LOCKDOWN.EXE, LOCKDOWN2000.EXE, LOOKOUT.EXE, LORDPE.EXE, LSETUP.EXE,
LUALL.EXE, LUAU.EXE, LUCOMSERVER.EXE, LUINIT.EXE, LUSPT.EXE,
MAPISVC32.EXE, MCAGENT.EXE, MCMNHDLR.EXE, MCSHIELD.EXE, MCTOOL.EXE,
MCUPDATE.EXE, MCVSRTE.EXE, MCVSSHLD.EXE, MD.EXE, MFIN32.EXE, MFW2EN.EXE,
MFWENG3.02D30.EXE, MGAVRTCL.EXE, MGAVRTE.EXE, MGHTML.EXE, MGUI.EXE,
MINILOG.EXE, MMOD.EXE, MONITOR.EXE, MOOLIVE.EXE, MOSTAT.EXE,
MPFAGENT.EXE, MPFSERVICE.EXE, MPFTRAY.EXE, MRFLUX.EXE, MSAPP.EXE,
MSBB.EXE, MSBLAST.EXE, MSCACHE.EXE, MSCCN32.EXE, MSCMAN.EXE,
MSCONFIG.EXE, mscvb32.exe, MSDM.EXE, MSDOS.EXE, MSIEXEC16.EXE,
MSINFO32.EXE, MSLAUGH.EXE, MSMGT.EXE, MSMSGRI32.EXE, MSSMMC32.EXE,
MSSYS.EXE, MSVXD.EXE, MU0311AD.EXE, MWATCH.EXE, N32SCANW.EXE, NAV.EXE,
NAVAP.NAVAPSVC.EXE, NAVAPSVC.EXE, NAVAPW32.EXE, NAVDX.EXE,
NAVENGNAVEX15.NAVLU32.EXE, NAVLU32.EXE, NAVNT.EXE, NAVSTUB.EXE,
NAVW32.EXE, NAVWNT.EXE, NC2000.EXE, NCINST4.EXE, NDD32.EXE,
NEOMONITOR.EXE, NEOWATCHLOG.EXE, NETARMOR.EXE, NETD32.EXE, NETINFO.EXE,
NETMON.EXE, NETSCANPRO.EXE, NETSPYHUNTER-1.2.EXE, NETSTAT.EXE,
NETUTILS.EXE, NISSERV.EXE, NISUM.EXE, NMAIN.EXE, NOD32.EXE, NORMIST.EXE,
NORTON_INTERNET_SECU_3.0_407.EXE, NOTSTART.EXE,
NPF40_TW_98_NT_ME_2K.EXE, NPFMESSENGER.EXE, NPROTECT.EXE, NPSCHECK.EXE,
NPSSVC.EXE, NSCHED32.EXE, NSSYS32.EXE, NSTASK32.EXE, NSUPDATE.EXE,
NT.EXE, NTRTSCAN.EXE, NTVDM.EXE, NTXconfig.EXE, NUI.EXE, NUPGRADE.EXE,
NVARCH16.EXE, NVC95.EXE, NVSVC32.EXE, NWINST4.EXE, NWSERVICE.EXE,
NWTOOL16.EXE, OLLYDBG.EXE, ONSRVR.EXE, OPTIMIZE.EXE, OSTRONET.EXE,
OTFIX.EXE, OUTPOST.EXE, OUTPOSTINSTALL.EXE, OUTPOSTPROINSTALL.EXE,
PADMIN.EXE, PandaAVEngine.exe, PANIXK.EXE, PATCH.EXE, PAVCL.EXE,
PAVPROXY.EXE, PAVSCHED.EXE, PAVW.EXE, PCC2002S902.EXE,
PCC2K_76_1436.EXE, PCCIOMON.EXE, PCCNTMON.EXE, PCCWIN97.EXE,
PCCWIN98.EXE, PCDSETUP.EXE, PCFWALLICON.EXE, PCIP10117_0.EXE,
PCSCAN.EXE, PDSETUP.EXE, PENIS.EXE, Penis32.exe, PERISCOPE.EXE,
PERSFW.EXE, PERSWF.EXE, PF2.EXE, PFWADMIN.EXE, PGMONITR.EXE,
PINGSCAN.EXE, PLATIN.EXE, POP3TRAP.EXE, POPROXY.EXE, POPSCAN.EXE,
PORTDETECTIVE.EXE, PORTMONITOR.EXE, POWERSCAN.EXE, PPINUPDT.EXE,
PPTBC.EXE, PPVSTOP.EXE, PRIZESURFER.EXE, PRMT.EXE, PRMVR.EXE,
PROCDUMP.EXE, PROCESSMONITOR.EXE, PROCEXPLORERV1.0.EXE,
PROGRAMAUDITOR.EXE, PROPORT.EXE, PROTECTX.EXE, PSPF.EXE, PURGE.EXE,
PUSSY.EXE, PVIEW95.EXE, QCONSOLE.EXE, QSERVER.EXE, RAPAPP.EXE, rate.exe,
RAV7.EXE, RAV7WIN.EXE, RAV8WIN32ENG.EXE, RAY.EXE, RB32.EXE, RCSYNC.EXE,
REALMON.EXE, REGED.EXE, REGEDIT.EXE, REGEDT32.EXE, RESCUE.EXE,
RESCUE32.EXE, RRGUARD.EXE, RSHELL.EXE, RTVSCAN.EXE, RTVSCN95.EXE,
RULAUNCH.EXE, RUN32DLL.EXE, RUNDLL.EXE, RUNDLL16.EXE, RUXDLL32.EXE,
SAFEWEB.EXE, SAHAGENT.EXE, SAVE.EXE, SAVENOW.EXE, SBSERV.EXE, SC.EXE,
SCAM32.EXE, SCAN32.EXE, SCAN95.EXE, SCANPM.EXE, SCRSCAN.EXE, SCRSVR.EXE,
SCVHOST.EXE, SD.EXE, SERV95.EXE, SERVICE.EXE, SERVLCE.EXE, SERVLCES.EXE,
SETUP_FLOWPROTECTOR_US.EXE, SETUPVAMEEVAL.EXE, SFC.EXE, SGSSFW32.EXE,
SH.EXE, SHELLSPYINSTALL.EXE, SHN.EXE, SHOWBEHIND.EXE, SMC.EXE, SMS.EXE,
SMSS32.EXE, SOAP.EXE, SOFI.EXE, SPERM.EXE, SPF.EXE, SPHINX.EXE,
SPOLER.EXE, SPOOLCV.EXE, SPOOLSV32.EXE, SPYXX.EXE, SREXE.EXE, SRNG.EXE,
SS3EDIT.EXE, ssate.exe, SSG_4104.EXE, SSGRATE.EXE, ST2.EXE, START.EXE,
STCLOADER.EXE, SUPFTRL.EXE, SUPPORT.EXE, SUPPORTER5.EXE, SVC.EXE,
SVCHOSTC.EXE, SVCHOSTS.EXE, SVSHOST.EXE, SWEEP95.EXE,
SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE, SYMPROXYSVC.EXE, SYMTRAY.EXE,
SYSEDIT.EXE, sysinfo.exe, SysMonXP.exe, SYSTEM.EXE, SYSTEM32.EXE,
SYSUPD.EXE, TASKMG.EXE, TASKMO.EXE, TASKMON.EXE, TAUMON.EXE, TBSCAN.EXE,
TC.EXE, TCA.EXE, TCM.EXE, TDS-3.EXE, TDS2-98.EXE, TDS2-NT.EXE,
TEEKIDS.EXE, TFAK.EXE, TFAK5.EXE, TGBOB.EXE, TITANIN.EXE, TITANINXP.EXE,
TRACERT.EXE, TRICKLER.EXE, TRJSCAN.EXE, TRJSETUP.EXE, TROJANTRAP3.EXE,
TSADBOT.EXE, TVMD.EXE, TVTMD.EXE, UNDOBOOT.EXE, UPDAT.EXE, UPDATE.EXE,
UPGRAD.EXE, UTPOST.EXE, VBCMSERV.EXE, VBCONS.EXE, VBUST.EXE,
VBWIN9X.EXE, VBWINNTW.EXE, VCSETUP.EXE, VET32.EXE, VET95.EXE,
VETTRAY.EXE, VFSETUP.EXE, VIR-HELP.EXE, VIRUSMDPERSONALFIREWALL.EXE,
VNLAN300.EXE, VNPC3000.EXE, VPC32.EXE, VPC42.EXE, VPFW30S.EXE,
VPTRAY.EXE, VSCAN40.EXE, VSCENU6.02D30.EXE, VSCHED.EXE, VSECOMR.EXE,
VSHWIN32.EXE, VSISETUP.EXE, VSMAIN.EXE, VSMON.EXE, VSSTAT.EXE,
VSWIN9XE.EXE, VSWINNTSE.EXE, VSWINPERSE.EXE, W32DSM89.EXE, W9X.EXE,
WATCHDOG.EXE, WEBDAV.EXE, WEBSCANX.EXE, WEBTRAP.EXE, WFINDV32.EXE,
WGFE95.EXE, WHOSWATCHINGME.EXE, WIMMUN32.EXE, WIN-BUGSFIX.EXE,
WIN32.EXE, WIN32US.EXE, WINACTIVE.EXE, WINDOW.EXE, WINDOWS.EXE,
WININETD.EXE, WININIT.EXE, WININITX.EXE, WINLOGIN.EXE, WINMAIN.EXE,
WINNET.EXE, WINPPR32.EXE, WINRECON.EXE, WINSERVN.EXE, WINSSK32.EXE,
WINSTART.EXE, WINSTART001.EXE, winsys.exe, WINTSK32.EXE, winupd.exe,
WINUPDATE.EXE, WKUFIND.EXE, WNAD.EXE, WNT.EXE, WRADMIN.EXE, WRCTRL.EXE,
WSBGATE.EXE, WUPDATER.EXE, WUPDT.EXE, WYVERNWORKSFIREWALL.EXE,
XPF202EN.EXE, ZAPRO.EXE, ZAPSETUP3001.EXE, ZATUTOR.EXE, ZONALM2601.EXE,
ZONEALARM.EXE
Name Troj/Bdoor-ZAT
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Bdoor-ZAT is a backdoor Trojan for the Windows platform.
The Trojan opens a backdoor on port 63714 and listens for connections
from remote intruders. The Trojan then can offer a remote shell to the
intruder.
Advanced
Troj/Bdoor-ZAT is a backdoor Trojan for the Windows platform.
The Trojan opens a backdoor on port 63714 and listens for connections
from remote intruders. The Trojan then can offer a remote shell to the
intruder. The Trojan remains active by hooking into the explorer
process.
Troj/Bdoor-ZAT installs itself in the Windows system folder as
explorer.exe and userinit.dll.
Name Troj/Agent-CZ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Proxy.Win32.Small.bh
Prevalence (1-5) 2
Description
Troj/Agent-CZ is a Trojan for the Windows platform.
The Trojan attempts to redirect network traffic and download files from
the internet while running in the background as a process.
Advanced
Troj/Agent-CZ is a Trojan for the Windows platform.
The Trojan attempts to redirect network traffic and download files from
the internet while running in the background as a process.
Troj/Agent-CZ copies itself to the Windows folder as csrss.exe.
The Trojan creates the following registry entry to run itself
automatically on user logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System
%WINDOWS\csrss.exe
Troj/Agent-CZ also creates the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\Port
@
7423
Name W32/Codbot-Gen
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Sophos Anti-Virus products detect members of the W32/Codbot family of
worms as W32/Codbot-Gen.
Worms detected as W32/Codbot-Gen provide backdoor Trojan functionality
to a remote attacker via IRC channels. Such worms may spread to remote
network shares with weak passwords in response to a command from a
remote attacker.
Members of W32/Codbot family typically attempt to exploit
vulnerabilities, such as the LSASS vulnerability (MS04-011).
Advanced
Sophos Anti-Virus products detect members of the W32/Codbot family of
worms as W32/Codbot-Gen.
Worms detected as W32/Codbot-Gen provide backdoor Trojan functionality
to a remote attacker via IRC channels. Such worms may spread to remote
network shares with weak passwords in response to a command from a
remote attacker.
Members of W32/Codbot family may copy themselves to the Windows system
folder and create entries in the following registry entries to run
themselves when the user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
This backdoor functionality typically includes the ability to sniff
packets, download further malicious code and steal passwords and other
system information.
W32/Codbot worms may register themselves as service processes.
Members of W32/Codbot family typically attempt to exploit
vulnerabilities, such as the LSASS vulnerability (MS04-011).
Name W32/Mytob-W
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Uses its own emailing engine
* Reduces system security
Aliases
* Net-Worm.Win32.Mytob.q
* WORM_MYTOB.W
Prevalence (1-5) 2
Description
W32/Mytob-W is a mass-mailing network worm with backdoor functionality
that targets users of Internet Relay Chat programs.
Emails sent by W32/Mytob-W have the following characteristics:
The subject line is one of the following:
Error
Good day
Hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
The message text is one of the following lines:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents
The worm is included as an attachment to the message, either as an
executable file (with CMD, BAT, DOC, HTM, PIF, SCR, TMP, TXT, EXE or COM
extension) or as a ZIP file containing the executable. The filename
(excluding file extension) is chosen from the following list:
BODY
DATA
DOC
DOCUMENT
FILE
MESSAGE
README
TEST
TEXT
Advanced
W32/Mytob-W is a mass-mailing network worm with backdoor functionality
that targets users of Internet Relay Chat programs.
W32/Mytob-W spreads attached to the email messages or by exploiting
known vulnerabilities. For details about these vulnerabilities see
MS04-012 and MS04-011 as for LSASS and RPC/DCOM vulnerability
correspondingly.
W32/Mytob-W attempts to harvest email addresses from the infected
system. Emails sent by W32/Mytob-W have the following characteristics:
The subject line is one of the following:
Error
Good day
Hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
The message text is one of the following lines:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents
The worm is included as an attachment to the message, either as an
executable file (with CMD, BAT, DOC, HTM, PIF, SCR, TMP, TXT, EXE or COM
extension) or as a ZIP file containing the executable. The filename
(excluding file extension) is chosen from the following list:
BODY
DATA
DOC
DOCUMENT
FILE
MESSAGE
README
TEST
TEXT
Once executed W32/Mytob-W copies itself to the Windows system folder
with the filenames NETHELL.EXE and TASKGMR.EXE, and in order to be able
to run automatically when Windows starts up sets the registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
taskgmr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
Also W32/Mytob-W modifies the following registry entries:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
HKCU\Software\Microsoft\OLE
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Ole
WINTASK
taskgmr.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
W32/Mytob-W also creates a hellmsn.exe file in the root folder that is
detected by the W32/Mytob-D and copies itself to the root folder using
following filenames:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
W32/Mytob-W modifies the system HOSTS file in order to prevent access to
the following web addresses:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
Name W32/Reper-A
Type
* Worm
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Virus.Win32.Repka.a
* W32/Sautor.worm.gen
* W32.Reper.A
* WORM_REPER.A
Prevalence (1-5) 2
Description
W32/Reper-A is a Windows worm.
Advanced
W32/Reper-A is a Windows worm.
When run the worm attempts to copy itself to any logical drives as
reper.exe and create or overwrite the file autorun.inf which references
the executable such that it is automatically run.
W32/Reper-A will also copy itself to the Windows folder as viewer.exe
and to the %WINDOWS%\System32 folder as N0TEPAD.exe (the digit zero
being used instead of the letter 'O'.)
The following registry entry is created by the worm:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
runreper
%WINDOWS%\viewer.exe
W32/Reper-A also modifies the associated text viewer key from:
HKCR\txtfile\shell\open\command
%SystemRoot%\system32\NOTEPAD.EXE %1
to (again substituting the letter 'O' in NOTEPAD with the digit zero):
HKCR\txtfile\shell\open\command
%WINDOWS%\System32\N0TEPAD.EXE %1
The worm will also attempt to terminate regedit.exe, cmd.exe and
taskmgr.exe.
Name W32/Rbot-AAC
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Drops more malware
Prevalence (1-5) 2
Description
W32/Rbot-AAC is a network worm which attempts to spread via network
shares. The worm contains backdoor functions that allows unauthorised
remote access to the infected computer via IRC channels while running in
the background.
The worm spreads to network shares with weak passwords and also by using
the RPC-DCOM security exploit (MS03-039).
W32/Rbot-AAC drops the file C:\hellmsn.exe and runs it. This file is
currently being detected by Sophos as W32/Mytob-H.
Advanced
W32/Rbot-AAC is a network worm which attempts to spread via network
shares. The worm contains backdoor functions that allows unauthorised
remote access to the infected computer via IRC channels while running in
the background.
The worm spreads to network shares with weak passwords and also by using
the RPC-DCOM security exploit (MS03-039).
When run W32/Rbot-AAC moves itself to the Windows System folder as a
hidden, read-only, system file named msnmsgs.exe. The worm then copies
itself to the following filenames:
C:\eminem vs 2pac.scr
C:\funny pic.scr
C:\photo album.scr
The above 3 files have their read-only, hidden, system and archive file
attributes set.
W32/Rbot-AAC then creates the following registry entries so as to run
itself on computer logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe
The worm also creates the following registry entries:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe
HKCU\Software\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe
HKLM\SOFTWARE\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe
The worm changes the following registry entry as follows:
from:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
Y
to:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
from:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
dword:00000000
to:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
dword:00000001
Once installed, W32/Rbot-AAC will attempt to perform the following
actions when instructed to do so by a remote attacker:
scan ports
create an HTTPD server
create a SOCKS4 server
participate in distributed denial of service (DDoS) attacks
download and run files from the Internet
log keystrokes to the file %SYSTEM%\keys.txt
capture clipboard information
terminates anti-virus, security and Windows applications and processes
The worm also prevents accesses to anti-virus and security related
websites by appending the HOSTS file in the %SYSTEM%\drivers\etc folder
with the following mappings:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
W32/Rbot-AAC drops the file C:\hellmsn.exe and runs it. This file is
currently being detected by Sophos as W32/Mytob-H.
Name Troj/Nuclear-F
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Nuclear.b
Prevalence (1-5) 2
Description
Troj/Nuclear-F is a configurable backdoor Trojan for the Windows
platform which allows full remote access capabilities via a remote
client. The Client application allows the creation of server applets
which act as the backdoor when installed on the infected computer.
Advanced
Troj/Nuclear-F is a configurable backdoor Trojan for the Windows
platform which allows full remote access capabilities via a remote
client. The Client application allows the creation of server applets
which act as the backdoor when installed on the infected computer.
The generated Trojan component can be customised upon creation.
Troj/Nuclear-F may copy itself to a new folder under the Windows folder
as well as create a helper dll of the same name.
The following registry entry may also be created:
HKLM\Softwae\Classes\dllfile\shell\open\command\
Troj/Nuclear-F may create a number of files including an IP logger
script and initial script as follows:
logger.php
settings.in
The Trojan is capable of logging keystrokes, monitoring attached media
devices such as webcams and microphones and interacting with the
desktop.
Name WM97/Xaler-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Aliases
* Virus.MSWord.Xaler.a
* W97M.Lexar.A
Prevalence (1-5) 2
Description
WM97/Xaler-A is a macro virus for Microsoft Word.
On predefined days WM97/Xaler-A will display a message telling the user
to relax while all of the files on the computer are deleted, although no
files are actually deleted.
Name W32/Wurmark-F
Type
* Worm
How it spreads
* Email messages
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Uses its own emailing engine
Aliases
* Email-Worm.Win32.Wurmark.g
* W32/Mugly.h@MM
* WORM_MUGLY.H
Prevalence (1-5) 2
Description
W32/Wurmark-F is a mass mailing worm which sends itself as a zip
attachment to email addresses found on the infected computer.
When run the worm displays the image uglym.jpg as it installs itself on
the computer.
The image displayed by the Wurmark-F worm
The image displayed by the Wurmark-F worm.
W32/Wurmark-F drops several files to the Windows system folder.
W32/Wurmark-F will drop attached.zip, which is a zip file containing
W32/Wurmark-F, and xxz.tmp, which is a copy of the worm. W32/Wurmark-F
will also drop the following clean files:
ANSMTP.DLL
bszip.dll
uglym.jpg
W32/Wurmark-F will drop a file belonging to the W32/Rbot family of worms
filename svchosts.exe.
W32/Wurmark-F harvests email addresses from files with the extensions:
WAB
ADB
TBB
DBX
ASP
PHP
HTM
HTML
SHT
TXT
DOC
The worm will skip email addresses containing the following strings:
.gov
ada
avg
gri
icro
lavat
mcae
nod
panda
rsky
soph
sophos
symac
The zip file containing W32/Wurmark-F called attached.zip is attached to
emails sent by the worm appearing to originate from the listed addresses
containing those below and taking the following forms along with others:
adead_poet@hotmail.com
alex_edwards2000@msn.com
romeorichard@google.com
apiffany@cnet.com
Subject: Hhahahah lol!!!!
Body:
i found this on my computer from ages ago
download it and see if you can remember it
lol i was lauging like mad when i saw it! :D
email me back haha...
Subject: Your Pic On A Website!!
Body:
I was looking at a website and came across
this pic they look just like you! infact im sure
it is lol , did you send this pic into them ? or
is it someonce else :S ? Ive Added the pic in
a zip so download it and check & email me back!
The file within the attachment can have one of the following
names:
Pic_001.jpg.scr
Sexy_09.jpg.scr
Scan_04.jpg.scr
Advanced
W32/Wurmark-F is a mass mailing worm which sends itself as a zip
attachment to email addresses found on the infected computer.
When run the worm displays the image uglym.jpg as it installs itself on
the computer.
The image displayed by the Wurmark-F worm
The image displayed by the Wurmark-F worm.
W32/Wurmark-F drops several files to the Windows system folder.
W32/Wurmark-F will drop attached.zip, which is a zip file containing
W32/Wurmark-F, and xxz.tmp, which is a copy of the worm. W32/Wurmark-F
will also drop the following clean files:
ANSMTP.DLL
bszip.dll
uglym.jpg
W32/Wurmark-F will drop a file belonging to the W32/Rbot family of worms
filename svchosts.exe.
W32/Wurmark-F harvests email addresses from files with the extensions:
WAB
ADB
TBB
DBX
ASP
PHP
HTM
HTML
SHT
TXT
DOC
The worm will skip email addresses containing the following strings:
.gov
ada
avg
gri
icro
lavat
mcae
nod
panda
rsky
soph
sophos
symac
The zip file containing W32/Wurmark-F called attached.zip is attached to
emails sent by the worm appearing to originate from the listed addresses
below and taking the following forms:
adead_poet@hotmail.com
alex_edwards2000@msn.com
romeorichard@google.com
apiffany@cnet.com
sexy_lil_thing@no-ip.com
cutie_pie@ogrish.com
easy_lay666@lovenet.com
hunk_hogan78@hallmark.com
britany_slut56@sex.com
tit_fuck_909@gmail.com
good_fuck12@yahoo.com
blowjob_lips666@romance.com
tit_fuck_909@paltalk.com
sexy_guy88@aol.com
mucle_bound_hunk892@download.com
Subject: Hhahahah lol!!!!
Body:
i found this on my computer from ages ago
download it and see if you can remember it
lol i was lauging like mad when i saw it! :D
email me back haha...
Subject: Your Pic On A Website!!
Body:
I was looking at a website and came across
this pic they look just like you! infact im sure
it is lol , did you send this pic into them ? or
is it someonce else :S ? Ive Added the pic in
a zip so download it and check & email me back!
Subject: Rate My Pic.......
Body:
Hi ive sent 5 emails now and nobody will rate
my pic!! :( please download and tell me what you
think out of 10 , dont worry if you dont like it
just say i wont be offended p.s i was drunk when
it was taken :P
Subject: You have an Admirer
Body:
Someone has asked us on there behalf to send
you this email and tell you they think you are
wonderfull!!! All the The mystery persons details
you need are enclosed in the attachment :)
please download and respond telling us if you
would like to make further contact with this
person.
Regards Hallmark Admirer Mail Admin.
The file within the attachment can have one of the following
names:
Pic_001.jpg.scr
Sexy_09.jpg.scr
Scan_04.jpg.scr
Photo_01.jpg.scr
admire_001.jpg.scr
is_this_you.jpg.scr
love_04.jpg.scr
for_you.pif
Name W32/Agobot-RJ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Deletes files off the computer
* Steals information
Prevalence (1-5) 2
Description
W32/Agobot-RJ is a network worm with backdoor functionality for the
Windows platform.
W32/Agobot-RJ is capable of spreading to computers on the local network
protected by weak passwords.
The backdoor component runs continuously in the background providing
backdoor access to the computer through IRC channels.
Advanced
W32/Agobot-RJ is a network worm with backdoor functionality for the
Windows platform.
W32/Agobot-RJ is capable of spreading to computers on the local network
protected by weak passwords.
When first run, W32/Agobot-RJ copies itself to the Windows system folder
as updateXPSPC.exe and creates the following registry entries to run
itself each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
USB 2.0 Driver
updateXPSPC.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
USB 2.0 Driver
updateXPSPC.exe
The backdoor component runs continuously in the background providing
backdoor access to the computer through IRC channels. The backdoor
component can be instructed to perform the following functions:
harvest email addresses
steal product registration information for certain software
take part in Distributed Denial of Service (DDoS) attacks
scan networks for vulnerabilities
download/execute arbitrary files
start a proxy server (SOCKS4/SOCKS5)
start/stop system services
monitor network communications (packet sniffing)
add/remove network shares
send email
log keypresses
W32/Agobot-RJ attempts to terminate and disable various anti-virus and
security related programs and modifies the HOSTS file located at
<Windows system folder>\Drivers\etc\HOSTS, mapping selected anti-virus
websites to the loopback address 127.0.0.1 in an attempt to prevent
access to these sites. Typically the following mappings will be appended
to the HOSTS file:
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
W32/Agobot-RJ attempts to terminate the following processes:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ADAWARE.EXE
ADVXDWIN.EXE
AGENTSVR.EXE
AGENTW.EXE
ALERTSVC.EXE
ALEVIR.EXE
ALOGSERV.EXE
AMON9X.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APLICA32.EXE
APVXDWIN.EXE
ARR.EXE
ATCON.EXE
ATGUARD.EXE
ATRO55EN.EXE
ATUPDATER.EXE
ATWATCH.EXE
AU.EXE
AUPDATE.EXE
AUTO-PROTECT.NAV80TRY.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCC32.EXE
AVGCTRL.EXE
AVGNT.EXE
AVGSERV.EXE
AVGSERV9.EXE
AVGUARD.EXE
AVGW.EXE
AVKPOP.EXE
AVKSERV.EXE
AVKSERVICE.EXE
AVKWCTl9.EXE
AVLTMAIN.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVSYNMGR.EXE
AVWIN95.EXE
AVWINNT.EXE
AVWUPD.EXE
AVWUPD32.EXE
AVWUPSRV.EXE
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE
BACKWEB.EXE
BARGAINS.EXE
BD_PROFESSIONAL.EXE
BEAGLE.EXE
BELT.EXE
BIDEF.EXE
BIDSERVER.EXE
BIPCP.EXE
BIPCPEVALSETUP.EXE
BISP.EXE
BLACKD.EXE
BLACKICE.EXE
BLSS.EXE
BOOTCONF.EXE
BOOTWARN.EXE
BORG2.EXE
BPC.EXE
BRASIL.EXE
BS120.EXE
BUNDLE.EXE
BVT.EXE
CCAPP.EXE
CCEVTMGR.EXE
CCPXYSVC.EXE
CDP.EXE
CFD.EXE
CFGWIZ.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
Claw95.EXE
CLAW95CF.EXE
CLEAN.EXE
CLEANER.EXE
CLEANER3.EXE
CLEANPC.EXE
CLICK.EXE
CMD32.EXE
CMESYS.EXE
CMGRDIAN.EXE
CMON016.EXE
CONNECTIONMONITOR.EXE
CPD.EXE
CPF9X206.EXE
CPFNT206.EXE
CTRL.EXE
CV.EXE
CWNB181.EXE
CWNTDWMO.EXE
DATEMANAGER.EXE
DCOMX.EXE
DEFALERT.EXE
DEFSCANGUI.EXE
DEFWATCH.EXE
DEPUTY.EXE
DIVX.EXE
DLLCACHE.EXE
DLLREG.EXE
DOORS.EXE
DPF.EXE
DPFSETUP.EXE
DPPS2.EXE
DRWATSON.EXE
DRWEB32.EXE
DRWEBUPW.EXE
DS
|