Tillbaka till svenska Fidonet
English   Information   Debug  
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4288
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   32552
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2051
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33887
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24061
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4386
FN_SYSOP   41677
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13598
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16069
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22089
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   924
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1121
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3198
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13251
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/340
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
Möte VIRUS_INFO, 201 texter
 lista första sista föregående nästa
Text 56, 2140 rader
Skriven 2005-05-28 17:17:00 av KURT WISMER (1:123/140)
Ärende: News, May 28 2005
=========================
[cut-n-paste from sophos.com]

Name   W32/Mytob-CN

Type  
    * Worm

How it spreads  
    * Email messages
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Uses its own emailing engine

Prevalence (1-5) 3

Description
W32/Mytob-CN is a mass-mailing worm and IRC backdoor Trojan.

W32/Mytob-CN can spread by sending itself as an email attachment to 
email addresses it harvests from the infected computer.

Advanced
W32/Mytob-CN is a mass-mailing worm and IRC backdoor Trojan.

W32/Mytob-CN runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

W32/Mytob-CN can spread by sending itself as an email attachment to 
email addresses it harvests from the infected computer.

Emails sent by the worm have the following characteristics:

Subject:
Security measures
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Email Account Suspension
Notice of account limitation

Message text:
Once you have completed the form in the attached file , your account 
records will not be interrupted and will continue as normal.

The original message has been included as an attachment.

We regret to inform you that your account has been suspended due to the 
violation of our site policy, more info is attached.

We attached some important information regarding your account.

Please read the attached document and follow it's instructions.

When first run W32/Mytob-CN copies itself to <Windows system>\nec.exe.

The following registry entries are created to run nec.exe on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
nec.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
nec.exe

W32/Mytob-CN sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

W32/Mytob-CN modifies the Windows hosts file in order to block access to 
the following security-related websites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.msn.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
 




Name   W32/Mytob-L

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address

Prevalence (1-5) 3

Description
W32/Mytob-L is a mass-mailing worm with IRC backdoor functionality.

W32/Mytob-L runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels

W32/Mytob-L can spread by sending itself as an email attachment to email 
addresses it harvests from the infected computer.

Emails sent by the worm have the following characteristics:

Subject:
Security measures
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Email Account Suspension
Notice of account limitation

Body:
Once you have completed the form in the attached file , your account 
records will not be interrupted and will continue as normal.

The original message has been included as an attachment.

We regret to inform you that your account has been suspended due to the 
violation of our site policy, more info is attached.

We attached some important information regarding your account.

Please read the attached document and follow it's instructions.

Advanced
W32/Mytob-L is a mass-mailing worm with IRC backdoor functionality.

W32/Mytob-L runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels

W32/Mytob-L can spread by sending itself as an email attachment to email 
addresses it harvests from the infected computer.

Emails sent by the worm have the following characteristics:

Subject:
Security measures
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Email Account Suspension
Notice of account limitation

Body:
Once you have completed the form in the attached file , your account 
records will not be interrupted and will continue as normal.

The original message has been included as an attachment.

We regret to inform you that your account has been suspended due to the 
violation of our site policy, more info is attached.

We attached some important information regarding your account.

Please read the attached document and follow it's instructions.

When first run W32/Mytob-L copies itself to 
<Windows system folder>\nec.exe.

The following registry entries are created to run nec.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
nec.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
nec.exe

W32/Mytob-L sets the following registry entries, disabling the automatic 
startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

W32/Mytob-L modifies the Windows hosts file in order to block access to 
the following security-related websites:

127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 virustotal.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.msn.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.virustotal.com





Name   W32/Mytob-I

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Net-Worm.Win32.Mytob.gen
    * W32/Mytob.gen@MM

Prevalence (1-5) 3

Description
W32/Mytob-I is a mass-mailing worm with IRC backdoor functionality.

W32/Mytob-I can spread by sending itself as an email attachment to email 
addresses it harvests from the infected computer, and to computers 
vulnerable to the RCP-DCOM (MS04-012) and LSASS (MS04-011) exploits.

Emails sent by the worm have the following characteristics:

Subject:

Server Report

Sensitive information inside

Important documents

F-R-E-E. American Idol Screen Saver

<random>

Body:

Very cool American Idol Screen Saver.

The message contains Unicode characters and has been sent as a binary 
attachment.

Mail transaction failed. Partial message is available.

The original message was included as an attachment

The message cannot be represented in 7-bit ASCII encoding and has been 
sent as a binary attachment.

Advanced
W32/Mytob-I is a mass-mailing worm with IRC backdoor functionality.

W32/Mytob-I can spread by sending itself as an email attachment to email 
addresses it harvests from the infected computer, and to computers 
vulnerable to the RCP-DCOM (MS04-012) and LSASS (MS04-011) exploits. The 
following patches for the operating system vulnerabilities exploited by 
W32/Mytob-I can be obtained from the Microsoft website:

MS04-011
MS04-012

Emails sent by the worm have the following characteristics:

Subject:

Server Report

Sensitive information inside

Important documents

F-R-E-E. American Idol Screen Saver

<random>

Body:

Very cool American Idol Screen Saver.

The message contains Unicode characters and has been sent as a binary 
attachment.

Mail transaction failed. Partial message is available.

The original message was included as an attachment

The message cannot be represented in 7-bit ASCII encoding and has been 
sent as a binary attachment.

When first run W32/Mytob-I copies itself to:

C:\american_idols.scr
C:\girl_juggling_monkeys.scr
C:\matrix4_screen_saver.scr
<Windows system folder>\scvhost.exe

The following registry entries are created to run scvhost.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINTASK
scvhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
scvhost.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
scvhost.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
scvhost.exe

HKCU\Software\Microsoft\OLE
WINTASK
scvhost.exe

HKLM\SOFTWARE\Microsoft\Ole
WINTASK
scvhost.exe

W32/Mytob-I blocks access to security-related websites by writing the 
folllowing entries to the Windows hosts file:

127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com





Name   W32/Mytob-AN

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Drops more malware
    * Forges the sender's email address
    * Uses its own emailing engine

Aliases  
    * Net-Worm.Win32.Mytob.x

Prevalence (1-5) 2

Description
W32/Mytob-AN is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-AN is capable of spreading through email and through various 
operating system vulnerabilities such as LSASS (MS04-011). Email sent by 
W32/Mytob-AN has the following properties:

Subject line:

document
Good day
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status

Message text:

'This is a multi-part message in MIME format.'

'Mail transaction failed. Partial message is available.'

'The message contains Unicode characters and has been sent as a binary 
attachment.'

'The message cannot be represented in 7-bit ASCII encoding and has been 
sent as a binary attachment.'

'The original message was included as an attachment.'

'Here are your banks documents.'

The attached file consists of a base name followed by the extentions 
PIF, SCR, EXE,CMD or ZIP. The worm may optionally create double 
extensions where the first extension is DOC, TXT or HTM and the final 
extension is PIF, SCR, EXE, CMD or ZIP.

W32/Mytob-AN harvests email addresses from files on the infected 
computer and from the Windows address book.

Advanced
W32/Mytob-AN is a mass-mailing worm and backdoor Trojan that can be 
controlled through the Internet Relay Chat (IRC) network.

When first run W32/Mytob-AN copies itself to the Windows system folder 
as wpad.exe and creates the following registry entries:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa\
MS PLUS INC
"wpad.exe"

HKCU\Software\Microsoft\OLE\
MS PLUS INC
"wpad.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MS PLUS INC
"wpad.exe"

HKLM\SOFTWARE\Microsoft\Ole\
MS PLUS INC
"wpad.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
MS PLUS INC
"wpad.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
MS PLUS INC
"wpad.exe"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
MS PLUS INC
"wpad.exe"

W32/Mytob-AN copies itself to the root folder as:

funny_pic.scr
my_photo2005.scr
see_this!!.scr

and drops a file called hellmsn.exe detected by Sophos Anti-Virus 
products as W32/Mytob-D. This component attempts to spread the worm by 
sending the aforementioned SCR files through Windows Messenger to all 
online contacts.

W32/Mytob-AM also appends the following to the HOSTS file to deny access 
to security related websites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com

W32/Mytob-AN is capable of spreading through email and through various 
operating system vulnerabilities such as LSASS (MS04-011). Email sent by 
W32/Mytob-AN has the following properties:

Subject line:

document
Good day
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status

Message text:

'This is a multi-part message in MIME format.'

'Mail transaction failed. Partial message is available.'

'The message contains Unicode characters and has been sent as a binary 
attachment.'

'The message cannot be represented in 7-bit ASCII encoding and has been 
sent as a binary attachment.'

'The original message was included as an attachment.'

'Here are your banks documents.'

The attached file consists of a base name followed by the extentions 
PIF, SCR, EXE,CMD or ZIP. The worm may optionally create double 
extensions where the first extension is DOC, TXT or HTM and the final 
extension is PIF, SCR, EXE, CMD or ZIP.

W32/Mytob-AN harvests email addresses from files on the infected 
computer and from the Windows address book. The worm avoids sending 
email to addresses that contain the following:

.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
you





Name   W32/Rizon-B

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Deletes files off the computer

Aliases  
    * Trojan.Win32.VB.uj
    * W32/Rizon.worm

Prevalence (1-5) 2

Description
W32/Rizon-B is a worm that terminates processes and deletes files.

Advanced
W32/Rizon-B is a worm that terminates processes and deletes files.

W32/Rizon-B attempts to install itself in the Start Menu by copying 
itself to the following folders:

C:\Documents and Settings\All Users\Menu 
Start\Programma's\Opstarten\SoundMAX.exe

H:\Windows NT 5.1 Workstation Profile\Menu 
Start\Programma's\Opstarten\SoundMAX.exe

The worm terminates the following processes:

rclnt.exe
rshelper.exe
srvany.exe
WUOLService.exe
wuser32.exe

W32/Rizon-B deletes the folders C:\NOVELL and C:\progra~1\divace~1 .

The worm makes a copy of the system file cmd.exe named temp.exe in the 
Windows system folder.





Name   W32/Alcra-A

Type  
    * Worm

How it spreads  
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information
    * Drops more malware
    * Downloads code from the internet
    * Reduces system security

Aliases  
    * WORM_ALCAN.A
    * W32.Alcra.A
    * W32/Alcan.worm!p2p
    * P2P-Worm.Win32.Alcan.a
    * W32.Alcra.A

Prevalence (1-5) 2

Description
W32/Alcra-A is a worm for the Windows platform.

W32/Alcra-A drops the files temp.zip, p2pnetwork.exe and bszip.dll to 
the Windows system folder. The temp.zip file is a zipped copy of the 
worm. Bszip.dll is a clean file compression utility. Sophos's anti-virus 
products detect p2pnetwork.exe as W32/Rbot-ACZ.

The worm copies itself into shared folders used by common Peer to Peer 
(P2P) filesharing applications.

Advanced
W32/Alcra-A is a worm for the Windows platform.

When run, W32/Alcra-A copies itself to the following locations:
<Program files folder>/MsConfigs/MsConfigs.exe
/z.tmp

The worm then sets the following registry entry in order to run each 
time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MsConfigs
"<Program files folder>\MsConfigs\MsConfigs.exe"

W32/Alcra-A drops the files temp.zip, p2pnetwork.exe and bszip.dll to 
the Windows system folder. The temp.zip file is a zipped copy of the 
worm. Bszip.dll is a clean file compression utility. Sophos's anti-virus 
products detect p2pnetwork.exe as W32/Rbot-ACZ.

W32/Alcra-A replaces the following system utilities with corrupt files:

cmd.com
netstat.com
ping.com
regedit.com
taskkill.com
tasklist.com
taskmgr.exe
tracert.com

The worm copies itself into shared folders used by common Peer to Peer 
(P2P) filesharing applications where the path to the folder contains any 
of the following:

Ares\My Shared Folder
Bearshare\Shared
Edonkey2000\Incoming
eMule\Incoming
gnucleus\downloads
grokster\my grokster
Kazaa\My Shared Folder
Limewire\Shared
morpheus\My Shared Folder
My Shared Folder
rapigator\share
shareaza\downloads
shared

W32/Alcra-A may also modify documents containing hyperlinks by changing 
the hyperlink destination to point to a predefined URL.





Name   W32/Qeds-A

Type  
    * Worm

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.VB.xb
    * W32/Qeds

Prevalence (1-5) 2

Description
W32/Qeds-A is a virus for the Windows platform.

The virus will attempt to download and execute a file from one of four 
predefined URLs.

W32/Qeds-A will disable Taskmanager and the registry tools before 
copying itself to the Windows system folder, and to the following 
locations as DHelp.dll.

<Windows folder>
<Windows system folder>
<Windows system folder>\wbem

Advanced
W32/Qeds-A is a virus for the Windows platform.

The virus will attempt to download and execute a file from one of four 
predefined URLs.

W32/Qeds-A will disable Taskmanager and the registry tools before 
copying itself to the Windows system folder, and to the following 
locations as DHelp.dll.

<Windows folder>
<Windows system folder>
<Windows system folder>\wbem

W32/Qeds-A will terminate any processes associated of the following 
executables and inject code into the files in order to cause itself to 
be executed when the infected file is executed:

<Windows system folder>\dllcache\notepad.exe
<Windows system folder>\dllcache\\explorer.exe
<Windows system folder>\dllcache\\iexplore.exe
<Windows system folder>\notepad.exe
<Windows folder>\notepad.exe
<Windows folder>\explorer.exe
\Program Files\Internet Explorer\iexplore.exe
<path to file>\QQexternal.exe
<path to file>\TIMPlatform.exe
<path to file>\BugReport.exe
<path to file>\QQ.exe
<path to file>\QQGame.exe

W32/Qeds-A will create or modify the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
"1"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Management Instrumentation
"<executable name>"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
"0"





Name   W32/Rbot-ADA

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Reduces system security

Aliases  
    * W32/Sdbot.worm.gen
    * WORM_RBOT.AZM

Prevalence (1-5) 2

Description
W32/Rbot-ADA is a worm which attempts to spread to remote network 
shares. It also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels.

Advanced
W32/Rbot-ADA is a worm which attempts to spread to remote network 
shares. It also contains backdoor Trojan functionality, allowing 
unauthorised remote access to the infected computer via IRC channels.

W32/Rbot-ADA spreads to network shares with weak passwords and via 
network security exploits as a result of the backdoor Trojan element 
receiving the appropriate command from a remote user.

W32/Rbot-ADA copies itself to the Windows system folder with the 
filename SCRTKFG.EXE and creates entries at the following locations in 
the registry with the value "System CSRSS Patch" so as to run itself on 
system startup, resetting these values times multiple times every 
minute:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

W32/Rbot-ADA also sets the following registry entry to point to itself 
with the same value, resetting it multiple times every minute:

HKCU\Software\Microsoft\OLE

W32/Rbot-ADA attempts to set the following registry entries every 2 
minutes:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-ADA attempts to delete network shares on the host computer 
every 2 minutes.

W32/Rbot-ADA attempts to terminate a large number of processes related 
to security and anti-virus programs including REGEDIT.EXE, MSCONFIG.EXE 
and NETSTAT.EXE.

W32/Rbot-ADA may attempt to log keystrokes to the file DHANFJF.XML in 
the Windows system folder.





Name   W32/Kipis-U

Type  
    * Worm

How it spreads  
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Reduces system security

Aliases  
    * Email-Worm.Win32.Kipis.u
    * W32/Kipis.u@MM
    * W32.Kipis.A@mm
    * WORM_KIPIS.M

Prevalence (1-5) 2

Description
W32/Kipis-U is an email and network share worm and backdoor for the 
Windows platform.

W32/Kipis-U sends itself by email to addresses found on the hard disk of 
the infected computer.

Email sent by the worm has a subject line, message text and attachment 
name in one of 6 languages, English, French, German, Russian, Spanish or 
Ukrainian. The language is chosen according to the domain of the email 
recipient.

W32/Kipis-U runs continuously in the background, providing a backdoor 
server which allows a remote intruder to upload and run arbitrary 
programs on the infected computer.

Advanced
W32/Kipis-U is an email and network share worm and backdoor for the 
Windows platform.

W32/Kipis-U sends itself by email to addresses found on the hard disk of 
the infected computer in files with the following extensions :

ADB
DBX
DHTM
DOC
EML
HTM
MSG
PAB
PHP
SHTM
TBB
TXT
UIN
WAB
XLS

The worm avoids sending email to addresses containing any of the 
following strings:

@avp.
@bitdefen
@borlan
@drweb
@fido
@foo
@iana
@ietf
@kasper
@klamav
@license
@mcafee
@messagelab
@microsof
@mydomai
@nod3
@nodomai
@norman
@panda
@rfc-ed
@somedomai
@sopho
@symante
@usenet
@virusli
abuse@
accoun
admin@
antivir
anyone@
bsd
bugs@
contact@
contract@
f-secur
free-av
google
help@
info@
listserv
mailer-
mozzila
news@
newvir
nobody@
noone@
noreply
notice@
page@
pgp
podpiska@
postmaster@
privacy@
rar@
rating@
register@
root@
sales@
service@
site@
soft@
spm111@
suporte@
support@
technical@
the.bat
update@
virus@
webmaster@
winrar
winzip
you@

Email sent by the worm has a subject line, message text and attachment 
name in one of 6 languages, English, French, German, Russian, Spanish or 
Ukrainian. The language is chosen according to the domain of the email 
recipient.

W32/Kipis-U also attempts to spread to shared folders by copying itself 
to any folder that has 'share' or 'microsof' in its name. The worm uses 
the following filenames when copying to shared folders:

Land Attack(source and files).exe
DDoS bot(src)..scr
Forum Hack.txt.scr
Winamp 6(plugins).exe
Crack collection.scr
NLP.scr
Hack Unix Server(info).scr
Screensaver for Hackers.scr
Windows 2000(source code).scr
Hack Chat.exe
Kaspersy Antivirus Key(ver.5.xx,Pro,Personal).exe

W32/Kipis-U runs continuously in the background, providing a backdoor 
server which allows a remote intruder to upload and run arbitrary 
programs on the infected computer.

When first run W32/Kipis-U copies itself to:

<Windows folder>\regedit.com
<Windows system folder>\Microsoft\iexplore.exe

The following registry entry is created to run iexplore.exe on startup:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <Windows system folder>\Microsoft\iexplore.exe

The following registry entry is also set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot
shell
<Windows system folder>\Microsoft\iexplore.exe

W32/Kipis-U attempts to disable services that have the follwing strings 
in their names:

anvir
apv
avc
aveng
avg
avk
avp
avw
avx
blackd
blacki
blss
cfi
clean
defwat
drweb
egedit.ex
ewall
fsa
fsm
guard
hijack
hxde
ilemon
kerio
klagent
klamav
luacomserv
minilog.
monitor
mooli
mosta
mpf
nav
neomon
netarm
netspy
nisse
nisum
nod3
norman
normis
norton
outpos
pav
pavsrv
pcc
protect
proxy.
rav
rfw
spider
svc.
syman
taskmgr
tmon
trojan
updat
upgrad
virus
vsmon
zapro.
zonalm
zonea





Name   W32/Agobot-SN

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Steals information
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * W32/Gaobot.worm.gen.j

Prevalence (1-5) 2

Description
W32/Agobot-SN is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Agobot-SN spreads to other network computers by exploiting common 
buffer overflow vulnerabilites, including RPC-DCOM (MS04-012) and by 
copying itself to network shares protected by weak passwords.

W32/Agobot-SN runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

Advanced
W32/Agobot-SN is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Agobot-SN spreads to other network computers by exploiting common 
buffer overflow vulnerabilites, including RPC-DCOM (MS04-012) and by 
copying itself to network shares protected by weak passwords.

W32/Agobot-SN runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

When first run W32/Agobot-SN copies itself to <System>\hmlsvc32.exe.

The following registry entries are created to run hmlsvc32.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HPl Services
hmlsvc32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HPl Services
hmlsvc32.exe

W32/Agobot-SN modifies the HOSTS file, changing the URL to IP mappings 
for selected websites, thus preventing normal access to these sites, by 
adding the following entries:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com





Name   Troj/Molehut-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.Mole.f
    * MoleHut

Prevalence (1-5) 2

Description
Troj/Molehut-A is a Trojan for the Windows platform.

Troj/Molehut-A will move itself to the Windows system folder as System.

Advanced
Troj/Molehut-A is a Trojan for the Windows platform.

Troj/Molehut-A will move itself to the Windows system folder as System.

The Trojan will then create several entries under the following registry 
entry:

HKCU\Software\Microsoft\Mole

The Trojan will also create the following registry entry:

HKLM\Software\Policies\Microsoft\Internet 
Explorer\Infodelivery\Restrictions
NoSplash
1





Name   W32/Mytob-AK

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine

Aliases  
    * WORM_MYTOB.BT

Prevalence (1-5) 2

Description
W32/Mytob-AK is a mass-mailing worm with IRC backdoor functionality for 
the windows platform..

W32/Mytob-AK is capable of spreading through operating system 
vulnerabilities, including the LSASS (MS04-011) exploit.

W32/Mytob-AK can harvest email addresses from files on the infected 
computer and from the Windows address book.

Emails sent by the worm have the following characteristics:

Subject line:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
Good day
<blank>

Message body:
The message contains Unicode characters and has been sent as a binary 
attachment.

Mail transaction failed. Partial message is available.

The message cannot be represented in 7-bit ASCII encoding and has been 
sent as a binary attachment.

The original message was included as an attachment,

Here are your bank documents

Advanced
W32/Mytob-AK is a mass-mailing worm with IRC backdoor functionality for 
the windows platform..

W32/Mytob-AK is capable of spreading through operating system 
vulnerabilities, including the LSASS (MS04-011) exploit. The following 
patches for the operating system vulnerabilities exploited by 
W32/Mytob-AK can be obtained from the Microsoft website:

MS04-011

W32/Mytob-AK can harvest email addresses from files on the infected 
computer and from the Windows address book.

Emails sent by the worm have the following characteristics:

Subject line:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
Good day
<blank>

Message body:
The message contains Unicode characters and has been sent as a binary 
attachment.

Mail transaction failed. Partial message is available.

The message cannot be represented in 7-bit ASCII encoding and has been 
sent as a binary attachment.

The original message was included as an attachment,

Here are your bank documents

W32/Mytob-AK copies itself to the Windows system folder as 
"taskgmr32.exe" or "t4skmgr.exe" and creates the following registry 
entries in order to run automatically on computer logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WINTASK

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
WINTASK

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
WINTASK

The worm also creates the following registry entries to point to itself:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa\
WINTASK

HKCU\Software\Microsoft\OLE\
WINTASK

HKLM\SOFTWARE\Microsoft\Ole\
WINTASK

W32/Mytob-AK copies itself to the root folder with the following 
filenames:

funny_pic.scr
my_photo2005.scr
see_this!!.scr

W32/Mytob-AK blocks access to security-related websites by writing the 
following entries to the Windows hosts file:

127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com

W32/Mytob-AK may create a new file detected by Sophos as W32/Mytob-D.





Name   Troj/RNWatch-A

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information

Prevalence (1-5) 2

Description
Troj/RNWatch-A is a backdoor Trojan for the Windows platforms.

Advanced
Troj/RNWatch-A is a backdoor Trojan for the Windows platforms.

Once executed Troj/RNWatch-A copies itself to the Windows system folder 
with the filenames winierun.exe and bfwinier.exe, and in order to be 
able to run automatically when Windows starts up sets the registry 
entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WinIeRun
"winierun.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinIeRun
"winierun.exe"





Name   W32/Agobot-ATK

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Modifies data on the computer
    * Deletes files off the computer
    * Steals information

Aliases  
    * WORM_AGOBOT.ATK
    * W32.HLLW.Gaobot
    * W32/Sdbot.worm.gen.bj

Prevalence (1-5) 2

Description
W32/Agobot-ATK is a network worm with backdoor functionality for the 
Windows platform.

W32/Agobot-ATK spreads through network shares protected by weak 
passwords and through various unpatched operating system vulnerabilities.

Advanced
W32/Agobot-ATK is a network worm with backdoor functionality for the 
Windows platform.

When run, W32/Agobot-ATK copies itself to the Windows system folder as 
hmlsvc32.exe and sets the following registry entries in order to run 
each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HPl Services
hmlsvc32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HPl Services
hmlsvc32.exe

The backdoor component joins a predetermined IRC channel and awaits 
commands from a remote user.

W32/Agobot-ATK spreads through network shares protected by weak 
passwords and through various unpatched operating system vulnerabilities.





Name   W32/Banish-A

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Deletes files off the computer
    * Uses its own emailing engine
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Prevalence (1-5) 2

Description
W32/Banish-A is a mass-mailing worm.

Emails sent by the worm have the following characteristics:

Subject line:

OK. Read the attached instructions to solve the problem.
Here are the details.
Re: Thank you for your choice.
Thank you for shopping. This mail contains your invoice.
Thank you. Your credit card was processed successfully.

Attached file:
A filename chosen from those in the current user's "Recent Documents" 
folder.

W32/Banish-A also spreads by exploiting the following vulnerabilities:

LSASS (MS04-011)
IIS5 (MS04-011)

W32/Banish-A contains the following message:

ExiliuM SerieS A
In honour to all the people that were, are, or will be forced
to leave their homelands. NO MORE EXILED PEOPLE, NO MORE WARS
(c)ThE ExpaTRiatE 2005

Advanced
W32/Banish-A is a mass-mailing worm.

W32/Banish-A submits queries to popular search engines in order to find 
email addresses to which to send itself.

Emails sent by the worm have the following characteristics:

Subject line:

OK. Read the attached instructions to solve the problem.
Here are the details.
Re: Thank you for your choice.
Thank you for shopping. This mail contains your invoice.
Thank you. Your credit card was processed successfully.

Attached file:
A filename chosen from those in the current user's "Recent Documents" 
folder.

W32/Banish-A also spreads by exploiting the following vulnerabilities:

LSASS (MS04-011)
IIS5 (MS04-011)

When first run, W32/Banish-A copies itself to one of the following 
filenames in the Windows folder:

smss.exe
lsass.exe
csrss.exe
services.exe
winlogon.exe

The worm installs itself as a service with the name "Windows Object 
Manager". The other characteristics of this service are copied from one 
of the already-existing services, chosen at random.

W32/Banish-A deletes any files found in the "repair" subfolder of the 
Windows folder.

W32/Banish-A contains the following message:

ExiliuM SerieS A
In honour to all the people that were, are, or will be forced
to leave their homelands. NO MORE EXILED PEOPLE, NO MORE WARS
(c)ThE ExpaTRiatE 2005





Name   W32/Rbot-UH

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Uses its own emailing engine
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-UH is a worm with backdoor functionality.

W32/Rbot-UH is capable of spreading to computers on the local network 
protected by weak passwords after receiving the appropriate backdoor 
command.

W32/Rbot-UH will attempt to spread by exploiting the DCOM (MS04-012) and 
LSASS (MS04-011) software vulnerabilities and to computers running 
Microsoft SQL servers with weak passwords

Advanced
W32/Rbot-UH is a worm with backdoor functionality.

W32/Rbot-UH is capable of spreading to computers on the local network 
protected by weak passwords after receiving the appropriate backdoor 
command.

W32/Rbot-UH will attempt to spread by exploiting the following 
vulnerabilities:

DCOM (MS04-012)
LSASS (MS04-011)
Microsoft SQL servers with weak passwords.

When first run, W32/Rbot-UH copies itself to the Windows system folder 
as MCAFESHIELD.EXE and runs this copy of the worm. The copy will then 
attempt to delete the original file. In order to run each time a user 
logs in, W32/Rbot-UH will set the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Mcafee Auto Protect
mcafeshield.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Mcafee Auto Protect
mcafeshield.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Mcafee Auto Protect
mcafeshield.exe

The worm runs continuously in the background providing backdoor access 
to the infected computer.

The backdoor component of W32/Rbot-UH can be used to:

Initiate Distributed Denial-of-Service (DDoS) attacks.
Redirect TCP and SOCKS4 traffic.
Provide a remote login command shell.
Download, upload, delete and execute files.
Set up an HTTP, TFTP and FTP file server.
Steal passwords (including PayPal account information).
Log key presses and clipboard data.
Capture screenshots, webcam pictures and videos.
List and kill processes.
Stop, start, pause and delete services.
Open and close vulnerabilities.
Port scan for vulnerabilities on other remote computers.
Send emails as specified by the remote user.
Flush the DNS and ARP caches.
Shut down and reboot the computer.
Add and delete network shares, groups and users.
Sniff network traffic for passwords.
Send Net Messages.

W32/Rbot-UH can be used to steal registration and key details from 
several computer games and applications including:

Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Chrome
Command and Conquer: Generals
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike
Far Cry
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Ground Control II
Gunman Chronicles
Half-Life
Hidden & Dangerous 2
IGI 2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Joint Operations: Typhoon Rising
Legends of Might and Magic
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Microsoft Windows Product ID
Nascar Racing 2002
Nascar Racing 2003
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
Neverwinter Nights (Hordes of the Underdark)
Neverwinter Nights (Shadows of Undrentide)
NHL 2002
NHL 2003
NOX
Rainbow Six III RavenShield
Shogun: Total War: Warlord Edition
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004

W32/Rbot-UH will alter the following registry entries in order to 
enable/disable DCOM and open/close restrictions on IPC$ shares:

HKLM\Software\Microsoft\Ole\EnableDCOM

HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous

W32/Rbot-UH is capable of altering the following registry entry to 
restrict anonymous enumeration of SAM accounts:

HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymousSAM

W32/Rbot-UH can add and delete network shares and users on the infected 
computer. The worm can also change the network logon rights of accounts 
in the local system policy.





Name   W32/Sdbot-YT

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.SdBot.yn
    * W32/Sdbot.worm.gen.i
    * W32.Randex
    * WORM_SDBOT.BVI

Prevalence (1-5) 2

Description
W32/Sdbot-YT is a network worm with IRC backdoor functionality.

W32/Sdbot-YT allows a remote attacker to control the infected computer 
through an IRC connection.

Advanced
W32/Sdbot-YT is a worm with IRC backdoor functionality for the Windows 
platform.

W32/Sdbot-YT spreads to other network computers infected with certain 
types of malware and by copying itself to network shares protected by 
weak passwords.

W32/Sdbot-YT runs continuously in the background, providing a backdoor 
server which allows a remote intruder to gain access and control over 
the computer via IRC channels.

When first run W32/Sdbot-YT copies itself to 
<Windows system folder>\aim.exe.

The following registry entries are created to run aim.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AOL Instant Messanger
aim.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
AOL Instant Messanger
aim.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AOL Instant Messanger
aim.exe





Name   Troj/Zlob-H

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Downloader-XC

Prevalence (1-5) 2

Description
Troj/Zlob-H is a downloader Trojan.

Troj/Zlob-H attempts to stealth itself by injecting itself into 
EXPLORER.EXE or by registering itself as a service process.

Troj/Zlob-H attempts to download information from one of the following 
websites:

dumpserv.com
zxserv0.com
vnp7s.net

Troj/Zlob-H will also try to download files from these websites to the 
LogFiles subfolder of the Windows system with a filename based on the 
information it downloaded previously, and it may then execute the 
downloaded file.

Advanced
Troj/Zlob-H is a downloader Trojan.

Troj/Zlob-H creates the following entry in the registry so as to run 
itself on system startup, assuming it is called MSMSGS.EXE in a suitable 
folder:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
notepad.exe
"msmsgs.exe"

Troj/Zlob-H also adds MSMSGS.EXE to the following registry entry so as 
to run itself on system startup:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell

Troj/Zlob-H creates a registry entry at the following location:

HKLM\Software\Microsoft\Windows\CurrentVersion
uuid

Troj/Zlob-H attempts to stealth itself by injecting itself into 
EXPLORER.EXE or by registering itself as a service process.

Troj/Zlob-H attempts to download information from one of the following 
websites:

dumpserv.com
zxserv0.com
vnp7s.net

Troj/Zlob-H will also try to download files from these websites to the 
LogFiles subfolder of the Windows system with a filename based on the 
information it downloaded previously, and it may then execute the 
downloaded file.

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)