Text 99, 1805 rader
Skriven 2006-01-21 11:59:00 av KURT WISMER (1:123/140)
Ärende: News, January 21 2006
=============================
[cut-n-paste from sophos.com]
Name Troj/Banload-IJ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Banload.fc
Prevalence (1-5) 2
Description
Troj/Banload-IJ is a Trojan for the Windows platform.
Troj/Banload-IJ includes functionality to download, install and run
new software.
Will try to download to C:\windows\spoolsv.exe.
Name W32/Sdbot-AMF
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Modifies data on the computer
* Downloads code from the internet
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Sdbot-AMF is an internet worm and IRC backdoor Trojan for the
Windows platform.
W32/Sdbot-AMF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain
access and control over the computer via IRC channels.
W32/Sdbot-AMF includes functionality to silently download, install
and run new software.
Advanced
W32/Sdbot-AMF is an internet worm and IRC backdoor Trojan for the
Windows platform.
W32/Sdbot-AMF spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including:
LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1
(MS04-007) and by copying itself to network shares
protected by weak passwords.
W32/Sdbot-AMF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain
access and control over the computer via IRC channels.
W32/Sdbot-AMF includes functionality to silently download, install
and run new software.
The following patches for the operating system vulnerabilities
exploited by W32/Sdbot-AMF can be obtained from the
Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
Name W32/Mytob-GO
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
Prevalence (1-5) 2
Description
W32/Mytob-GO is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC)
network.
W32/Mytob-GO runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain
access and control over the computer via IRC channels.
W32/Mytob-GO spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS
(MS04-011) and ASN.1 (MS04-007)
W32/Mytob-GO sends emails in the following format, with details
filled in to make the email look more authentic:
Subject line chosen from:
*WARNING* Your email account is suspended
You are banned!!!
*DETECTED* Online User Violation
Important Notification
Your Account is Suspended For Security Reasons
Your Account is Suspended
Warning Message: Your services near to be closed.
Members Support
We have suspended your account
Security measures
Email Account Suspension
Notice of account limitation
Message text chosen from (the worm will insert the username and the
email domain of the addressee into the email):
"Some information about your account is attached."
"Dear Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week.
If you could please take 5-10 minutes out of your online experience
and confirm the attached document so you will not
run into any future problems with the online service.
Virtually yours,
The Support Team"
"Dear Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our
processors.
See the attached details to reactivate your account.
Sincerely,The Support Team"
The attached file consists of a base name followed by the extension
ZIP. The worm may optionally create double
extensions where the first extension is DOC, TXT or HTM and the final
extension is BAT, CMD, PIF, SCR, EXE or ZIP. The
base filenames are randomly chosen from:
important-details
account-details
email-details
account-info
information
readme
account-report
<random characters>
The zip file will contain the worm with double extension. The first
extension will be one of DOC, HTM, TXT followed by
spaces and the second extension is EXE, SCR or PIF.
W32/Mytob-GO harvests email addresses from files on the infected
computer and from the Windows address book.
Advanced
W32/Mytob-GO is a mass-mailing worm and backdoor Trojan that can be
controlled through the Internet Relay Chat (IRC)
network.
W32/Mytob-GO runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain
access and control over the computer via IRC channels.
W32/Mytob-GO spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: LSASS
(MS04-011) and ASN.1 (MS04-007)
When first run W32/Mytob-GO copies itself to <System>\svchosts.exe.
The following registry entries are created to run svchosts.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Driver
svchosts.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Driver
svchosts.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Driver
svchosts.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Win32 Driver
svchosts.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 Driver
svchosts.exe
W32/Mytob-GO sends emails in the following format, with details
filled in to make the email look more authentic:
Subject line chosen from:
*WARNING* Your email account is suspended
You are banned!!!
*DETECTED* Online User Violation
Important Notification
Your Account is Suspended For Security Reasons
Your Account is Suspended
Warning Message: Your services near to be closed.
Members Support
We have suspended your account
Security measures
Email Account Suspension
Notice of account limitation
Message text chosen from (the worm will insert the username and the
email domain of the addressee into the email):
"Some information about your account is attached."
"Dear Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week.
If you could please take 5-10 minutes out of your online experience
and confirm the attached document so you will not
run into any future problems with the online service.
Virtually yours,
The Support Team"
"Dear Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our
processors.
See the attached details to reactivate your account.
Sincerely,The Support Team"
The attached file consists of a base name followed by the extension
ZIP. The worm may optionally create double
extensions where the first extension is DOC, TXT or HTM and the final
extension is BAT, CMD, PIF, SCR, EXE or ZIP. The
base filenames are randomly chosen from:
important-details
account-details
email-details
account-info
information
readme
account-report
<random characters>
The zip file will contain the worm with double extension. The first
extension will be one of DOC, HTM, TXT followed by
spaces and the second extension is EXE, SCR or PIF.
W32/Mytob-GO harvests email addresses from files on the infected
computer and from the Windows address book.
Name Troj/RuinDl-K
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan.Win32.Small.fb
Prevalence (1-5) 2
Description
Troj/RuinDl-K is a Trojan for the Windows platform.
Advanced
Troj/RuinDl-K is a Trojan for the Windows platform.
When first run Troj/RuinDl-K copies itself to <System>\dmcoj.exe.
The following registry entry is created to run dmcoj.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
dmcoj.exe
<System>\dmcoj.exe
Name Troj/Zlob-CN
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan.Zlob
Prevalence (1-5) 2
Description
Troj/Zlob-CN is a Trojan for the Windows platform.
Troj/Zlob-CN changes search settings for Microsoft Internet Explorer.
Advanced
Troj/Zlob-CN is a Trojan for the Windows platform.
When Troj/Zlob-CN is installed the following files are created:
<System>\hp<random characters>.tmp
<System>\msvol.tlb
<System>\ncompat.tlb
The file ncompat.tlb is a clean data file. The other two files are
both also detected as Troj/Zlob-CN.
The file hp<random characters>.tmp is registered as a COM object and
Browser Helper Object (BHO) for Microsoft
Internet Explorer, creating registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\(e0103cd4-d1ce-411a-b75b-4fec072867f4)
HKCR\CLSID\(E0103CD4-D1CE-411A-B75B-4FEC072867F4)
Troj/Zlob-CN sets the following registry entry to run nvctrl.exe,
usually a copy of itself, on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
nvctrl.exe
nvctrl.exe
Troj/Zlob-CN changes search settings for Microsoft Internet Explorer
by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Search\
Registry entries are set under the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows\Curre\ntVersion\Explorer\Browser
Helper Objects(e0103cd4-d1ce-411a-b75b-4fec072867f4)\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objecta\(e0103cd4-d1ce-411a-b75b-4fec072867f4)\
Name W32/Nyxem-D
Type
* Worm
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Deletes files off the computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.VB.bi
* W32/Generic.worm!p2p
Prevalence (1-5) 2
Description
W32/Nyxem-D is an email & network worm for the Windows platform.
W32/Nyxem-D may open an empty dropped ZIP file in order to hide its
functionality.
W32/Nyxem-D may periodically attempt to download and run an update of
itself.
W32/Nyxem-D may attempt to display an icon in the Windows taskbar
with the text "Update Please wait" if it detects the
presence of anti-virus software. W32/Nyxem-D may also attempt to
close windows, terminate programs, remove registry
entries and delete files related to security and anti-virus programs.
W32/Nyxem-D sends itself to email addresses it harvests from files on
the infected computer, sending itself as if from
one contact to another. The emails sent have the following
characteristics:
Subject lines include the following, or may be blank:
*Hot Movie*
A Great Video
Arab sex DSC-00465.jpg
eBook.pdf
Fuckin Kama Sutra pics
Fw:
Fw: DSC-00465.jpg
Fw: Funny :)
Fw: Picturs
Fw: Real show
Fw: SeX.mpg
Fw: Sexy
Fwd: Crazy illegal Sex!
Fwd: image.jpg
Fwd: Photo
give me a kiss
Hello
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Re:
Re: Sex Video
School girl fantasies gone bad
The Best Videoclip Ever
the file
Word file
You Must View This Videoclip!
Message bodies include the following, and may contain images that
cannot be displayed:
----- forwarded message -----
???????????????????????????? ????????????? ?????? ???????????
>> forwarded message
DSC-00465.jpg DSC-00466.jpg DSC-00467.jpg
forwarded message attached.
Fuckin Kama Sutra pics
hello, i send the file. bye
hi i send the details bye
Hot XXX Yahoo Groups
how are you? i send the details. OK ?
i attached the details. Thank you
i just any one see my photos. It's Free :)
Note: forwarded message attached.
photo photo2 photo3
Please see the file.
ready to be FUCKED :)
VIDEOS! FREE! (US$ 0,00)
What?
Attachments may be executable files or mime files containing
executable files. Executable attachment filenames include
the following:
007.pif
04.pif
677.pif
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.PIF
image04.pif
New_Document_file.pif
photo.pif
School.pif
Mime attachment filenames include the following:
3.92315089702606E02.UUE
Attachments[001].B64
Attachments00.HQX
Attachments001.BHX
eBook.Uu
Original Message.B64
Sex.mim
SeX.mim
Video_part.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu
Mime attachment filenames also include the following:
392315089702606E-02
Clipe
Miss
Photos
Sweet_09
with one of the following extensions:
.b64
.BHx
.HQX
.mim
.uu
.UUE
.XxE
If the attachment is a mime file, it contains a file with one of the
following filenames followed by several spaces
and an SCR extension:
392315089702606E-02,UUE
Adults_9,zip
ATT01.zip
Atta[001],zip
Attachments,zip
Attachments[001],B64
Clipe,zip
New Video,zip
Photos,zip
SeX,zip
WinZip,zip
WinZip.zip
Word XP.zip
Word.zip
W32/Nyxem-D attempts to spread to network shares with weak passwords.
Advanced
W32/Nyxem-D is an email & network worm for the Windows platform.
W32/Nyxem-D copies itself with some of the following filenames:
<Windows>\Rundll16.exe
<System>\scanregw.exe
<System>\Winzip.exe
<System>\Update.exe
<System>\WinZip_Tmp.exe
<System>\New WinZip File.exe
movies.exe
Zipped Files.exe
W32/Nyxem-D sets the following registry entry to run itself on system
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry
scanregw.exe /scan
W32/Nyxem-D also sets the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
WebView
0
W32/Nyxem-D may modify registry values under the following locations:
HKCU\Control Panel\BMale
HKCU\Control Panel\DNS
W32/Nyxem-D may drop an empty file to the Windows system folder with
the same name as itself but with a ZIP extension
and attempts to open it in order to hide its functionality.
W32/Nyxem-D may periodically attempt to download and run an update of
itself.
W32/Nyxem-D may attempt to display an icon in the Windows taskbar
with the text "Update Please wait" if it detects the
presence of anti-virus software. W32/Nyxem-D may also attempt to
close windows, terminate programs, remove registry
entries and delete files related to security and anti-virus programs.
W32/Nyxem-D sends itself to email addresses it harvests from files on
the infected computer, sending itself as if from
one contact to another. The emails sent have the following
characteristics:
Subject lines include the following, or may be blank:
*Hot Movie*
A Great Video
Arab sex DSC-00465.jpg
eBook.pdf
Fuckin Kama Sutra pics
Fw:
Fw: DSC-00465.jpg
Fw: Funny :)
Fw: Picturs
Fw: Real show
Fw: SeX.mpg
Fw: Sexy
Fwd: Crazy illegal Sex!
Fwd: image.jpg
Fwd: Photo
give me a kiss
Hello
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Re:
Re: Sex Video
School girl fantasies gone bad
The Best Videoclip Ever
the file
Word file
You Must View This Videoclip!
Message bodies include the following, and may contain images that
cannot be displayed:
----- forwarded message -----
???????????????????????????? ????????????? ?????? ???????????
>> forwarded message
DSC-00465.jpg DSC-00466.jpg DSC-00467.jpg
forwarded message attached.
Fuckin Kama Sutra pics
hello, i send the file. bye
hi i send the details bye
Hot XXX Yahoo Groups
how are you? i send the details. OK ?
i attached the details. Thank you
i just any one see my photos. It's Free :)
Note: forwarded message attached.
photo photo2 photo3
Please see the file.
ready to be FUCKED :)
VIDEOS! FREE! (US$ 0,00)
What?
Attachments may be executable files or mime files containing
executable files. Executable attachment filenames include
the following:
007.pif
04.pif
677.pif
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.PIF
image04.pif
New_Document_file.pif
photo.pif
School.pif
Mime attachment filenames include the following:
3.92315089702606E02.UUE
Attachments[001].B64
Attachments00.HQX
Attachments001.BHX
eBook.Uu
Original Message.B64
Sex.mim
SeX.mim
Video_part.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu
Mime attachment filenames also include the following:
392315089702606E-02
Clipe
Miss
Photos
Sweet_09
with one of the following extensions:
.b64
.BHx
.HQX
.mim
.uu
.UUE
.XxE
If the attachment is a mime file, it contains a file with one of the
following filenames followed by several spaces
and an SCR extension:
392315089702606E-02,UUE
Adults_9,zip
ATT01.zip
Atta[001],zip
Attachments,zip
Attachments[001],B64
Clipe,zip
New Video,zip
Photos,zip
SeX,zip
WinZip,zip
WinZip.zip
Word XP.zip
Word.zip
W32/Nyxem-D attempts to spread to network shares with weak passwords
using the name WINZIP_TMP.exe.
Name W32/Agobot-VI
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Agobot.gen
Prevalence (1-5) 2
Description
W32/Agobot-VI is a worm with backdoor functionality for the Windows
platform.
W32/Agobot-VI spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: PNP
(MS05-039) and ASN.1 (MS04-007) and by copying itself to network
shares protected by weak passwords.
W32/Agobot-VI runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain
access and control over the computer via IRC channels.
Advanced
W32/Agobot-VI is a worm with backdoor functionality for the Windows
platform.
W32/Agobot-VI spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: PNP
(MS05-039) and ASN.1 (MS04-007) and by copying itself to network
shares protected by weak passwords.
W32/Agobot-VI runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain
access and control over the computer via IRC channels.
When first run W32/Agobot-VI copies itself to <Windows system
folder>\Stney.exe.
The following registry entries are created to run Stney.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Help
Stney.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Help
Stney.exe
Registry entries are set as follows:
HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1
HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
AUOptions
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
0
Registry entries are created under:
HKCU\Software\Microsoft\Security Center\
HKLM\SOFTWARE\Microsoft\Security Center\
Name Troj/Dloadr-ACY
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Small.asa
Prevalence (1-5) 2
Description
Troj/Dloadr-ACY is a Trojan for the Windows platform.
Troj/Dloadr-ACY has functionality to communicate with a remote server
via HTTP.
The downloaded file is saved to C:\tmp.bat which is then executed by
Troj/Dloadr-ACY.
Name W32/Rbot-BMG
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.anu
Prevalence (1-5) 2
Description
W32/Rbot-BMG is an internet worm and IRC backdoor Trojan for the
Windows platform.
W32/Rbot-BMG spreads to other network computers by exploiting the
buffer overflow vulnerabilites LSASS
(MS04-011), RPC-DCOM (MS04-012) , PNP (MS05-039), ASN.1 (MS04-007),
and WKS (MS03-049) and by copying itself
to network shares protected by weak passwords.
W32/Rbot-BMG runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain
access and control over the computer via IRC channels.
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-BMG can be obtained from the
Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
Advanced
W32/Rbot-BMG is an internet worm and IRC backdoor Trojan for the
Windows platform.
W32/Rbot-BMG spreads to other network computers by exploiting the
buffer overflow vulnerabilites LSASS
(MS04-011), RPC-DCOM (MS04-012) , PNP (MS05-039), ASN.1 (MS04-007),
and WKS (MS03-049) and by copying itself
to network shares protected by weak passwords.
W32/Rbot-BMG runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain
access and control over the computer via IRC channels.
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-BMG can be obtained from the
Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
When first run W32/Rbot-BMG copies itself to <System>\CCapp1.exe.
The following registry entries are created to run MSGUPDAT32.EXE on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Antivirus Protection
CCapp1.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Antivirus Protection
CCapp1.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Antivirus Protection
CCapp1.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Antivirus Protection
CCapp1.exe
The following registry entry is set:
HKCU\Software\Microsoft\OLE\
Antivirus Protection
CCapp1.exe
Name W32/Loosky-AE
Type
* Spyware Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Email-Worm.Win32.Locksky.t
* W32/Loosky.dr
* W32/Locksky.U
* WORM_LOCKSKY.AB
* Worm.Locksky.I
Prevalence (1-5) 2
Description
W32/Loosky-AE is a mass-mailing worm for the Windows platform.
Messages sent by the worm have the following characteristics:
Subject: Your Ebay Account is Suspended
Message text: We regret to inform you that your account has been
suspended due to the violation of our site policy,
more info is attached.
Attachment name: ebay_info.exe
W32/Loosky-AE contains functionality to run an HTTP or SOCKS proxy,
steal passwords and record keypresses.
Advanced
W32/Loosky-AE is a mass-mailing worm for the Windows platform.
W32/Loosky-AE sends itself by email to addresses harvested from
address books and HTML files on the local drives.
Messages sent by the worm have the following characteristics:
Subject: Your Ebay Account is Suspended
Message text: We regret to inform you that your account has been
suspended due to the violation of our site policy,
more info is attached.
Attachment name: ebay_info.exe
When first run W32/Loosky-AE copies itself to <Windows>\sachostx.exe
and creates the following files:
<System>\attrib.ini
<System>\hard.lck
<System>\msvcrl.dll
<System>\sachostc.exe
<System>\sachostp.exe
<System>\sachostm.exe
<System>\sachosts.exe
<System>\sachostw.exe
attrib.ini contains recorded keypresses and other stolen information.
hard.lck is harmless. The remaining files are
detected as W32/Loosky-AE.
The following registry entry is created to run sachostx.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HostSrv
<Windows>\sachostx.exe
W32/Loosky-AE contains functionality to run an HTTP or SOCKS proxy,
steal passwords and record keypresses.
Name Troj/Zlob-CO
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Zlob.es
Prevalence (1-5) 2
Description
Troj/Zlob-CO is a Trojan for the Windows platform.
Troj/Zlob-CO has the functionality to communciate with a remote
server via HTTP.
Advanced
Troj/Zlob-CO is a Trojan for the Windows platform.
Troj/Zlob-CO has the functionality to communciate with a remote
server via HTTP.
When run, Troj/Zlob-CO creates the following files:
<System>hp<random characters>.tmp
<System>\msvol.tlb
<System>\ncompat.tlb
The files hp923.tmp and msvol.tlb are detected by Sophos as
Troj/Zlob-CO. The
file ncompat.tlb can be deleted safely.
Troj/Zlob-CO changes search settings for Microsoft Internet Explorer by
modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Search\
When run, Troj/Zlob-CO sets the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\Curre\ntVersion\Explorer\Browser Helper
Objects(e0103cd4-d1ce-411a-b75b-4fec072867f4)\
HKLM\SOFTWARE\Microsoft\Windows\Curre\ntVersion\Explorer\Browser Helper
Objects(e0103cd4-d1ce-411a-b75b-4fec072867f4)\(default)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objecta\(e0103cd4-d1ce-411a-b75b-4fec072867f4)\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objecta\(e0103cd4-d1ce-411a-b75b-4fec072867f4)\(default)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
nvctrl.exe
nvctrl.exe
Name Troj/Hupigon-CI
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Hupigon.po
Prevalence (1-5) 2
Description
Troj/Hupigon-CI is a Trojan for the Windows platform.
Troj/Hupigon-CI includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Hupigon-CI is a Trojan for the Windows platform.
Troj/Hupigon-CI includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Hupigon-CI copies itself to <Windows>\qq.exe.
The file qq.exe is registered as a new system driver service named
"qq", with a display name of "qq" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\qq\
Name W32/Tilebot-CZ
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Tilebot-CZ is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-CZ spreads:
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007)
- to other network computers running MSSQL servers protected by weak
passwords
- by copying itself to network shares protected by weak passwords
W32/Tilebot-CZ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain
access and control over the computer via IRC channels.
Advanced
W32/Tilebot-CZ is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-CZ spreads:
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007)
- to other network computers running MSSQL servers protected by weak
passwords
- by copying itself to network shares protected by weak passwords
W32/Tilebot-CZ runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain
access and control over the computer via IRC channels.
W32/Tilebot-CZ includes functionality to download, install and run
new software.
When first run W32/Tilebot-CZ copies itself to <Windows>\win32ssr.exe
and may create the clean file <System>\svkp.sys.
The file win32ssr.exe is registered as a new system driver service
named "Win32Sr", with a display name of "Win32Sr"
and a startup type of automatic, so that it is started automatically
during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\Win32Sr\
The clean file SVKP.sys is registered as a new system driver service
named "SVKP", with a display name of "SVKP" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\SVKP\
W32/Tilebot-CZ sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name Troj/Ooj-B
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Uses its own emailing engine
Aliases
* Trojan-PSW.Win32.VB.fl
Prevalence (1-5) 2
Description
Troj/Ooj-B is a password stealing Trojan for the Windows platform.
Troj/Ooj-B harvests email account information, passwords and ICQ
numbers from the infected computer, and emails stolen
data to a remote attacker.
Name W32/Zotob-K
Type
* Worm
How it spreads
* Email attachments
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Downloads code from the internet
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Net-Worm.Win32.Mytob.dt
Prevalence (1-5) 2
Description
W32/Zotob-K is a mass-mailing and network worm and IRC backdoor
Trojan for the Windows platform.
W32/Zotob-K spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: PNP
(MS05-039) and ASN.1 (MS04-007), as well as to network shares with
weak passwords.
W32/Zotob-K runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain
access and control over the computer via IRC channels, including the
ability to download and execute files on the
infected computer.
W32/Zotob-K can spread by sending itself as an email attachment to
email addresses it harvests from the infected
computer, either as an attachment with a double-extension or as a zip
file containing a file with a double-extension.
W32/Zotob-K avoids sending emails to addresses containing certain
strings in them.
W32/Zotob-K processes the emails it has harvested by splitting them
into name and domain. Once it has sent itself to
the emails it has harvested, it uses a predefined list of names with
the harvested domains. W32/Zotob-K spoofs the
sender, sending emails as if from one of the following at the same
domain as the recipient:
support
administrator
mail
service
admin
info
register
webmaster
For example if sending itself to name@example.com, W32/Zotob-K might
send the email as if from admin@example.com.
Emails sent by the worm have characteristics from the following:
Subject line:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>
Message text - a formatted version of one of the following:
Dear user <recipient's username>,
You have successfully updated the password of your <recipient's
domain> account.
If you did not authorize this change or if you need assistance with
your account, please contact <recipient's domain>
customer service at: <spoofed sender address>
Thank you for using <recipient's domain>!
The <recipient's domain> Support Team <BR>
+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>
Dear user <recipient's username>,
It has come to our attention that your <recipient's domain> User
Profile ( x ) records are out of date. For further
details see the attached document.
Thank you for using <recipient's domain>!
The <recipient's domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>
Dear <recipient's username> Member,
We have temporarily suspended your email account <recipient's domain>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our
processors.
See the details to reactivate your <recipient's domain> account.
Sincerely,The <recipient's domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>
Dear <recipient's domain> Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could
please take 5-10 minutes out of your online experience and confirm
the attached document so you will not run into any
future problems with the online service.
If you choose to ignore our request, you leave us no choice but to
cancel your membership.
Virtually yours,
The <recipient's domain> Support Team
+++ Attachment: No Virus found
+++ <recipient's domain> Antivirus - www.<recipent's domain>
Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
First extension (of attachment or of file inside zip):
doc
htm
txt
Second extension (of attachment or of file inside zip):
pif
scr
exe
cmd
bat
If the attachment is a zip file it will have the same base name as
the double-extension file inside.
Example attachment names include document.txt.pif and
information.doc.cmd, usually with a large number of spaces
between the extensions.
Advanced
W32/Zotob-K is a mass-mailing and network worm and IRC backdoor
Trojan for the Windows platform.
W32/Zotob-K spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: PNP
(MS05-039) and ASN.1 (MS04-007), as well as to network shares with
weak passwords.
W32/Zotob-K runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain
access and control over the computer via IRC channels, including the
ability to download and execute files on the
infected computer.
When first run W32/Zotob-K copies itself to <System>\winint.exe.
The file winint.exe is registered as a new system driver service
named "Microsoft System Debugger", with a display
name of "Microsoft System Debugger" and a startup type of automatic,
so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Microsoft System Debugger\
W32/Zotob-K may set the following registry entries to run
<System>\wininit.exe on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS INIT
<System>\wininit.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS INIT
<System>\wininit.exe
W32/Zotob-K can spread by sending itself as an email attachment to
email addresses it harvests from the infected
computer, either as an attachment with a double-extension or as a zip
file containing a file with a double-extension.
W32/Zotob-K avoids sending emails to addresses containing certain
strings in them.
W32/Zotob-K processes the emails it has harvested by splitting them
into name and domain. Once it has sent itself to
the emails it has harvested, it uses a predefined list of names with
the harvested domains. W32/Zotob-K spoofs the
sender, sending emails as if from one of the following at the same
domain as the recipient:
support
administrator
mail
service
admin
info
register
webmaster
For example if sending itself to name@example.com, W32/Zotob-K might
send the email as if from admin@example.com.
Emails sent by the worm have characteristics from the following:
Subject line:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>
Message text - a formatted version of one of the following:
Dear user <recipient's username>,
You have successfully updated the password of your <recipient's
domain> account.
If you did not authorize this change or if you need assistance with
your account, please contact <recipient's domain>
customer service at: <spoofed sender address>
Thank you for using <recipient's domain>!
The <recipient's domain> Support Team <BR>
+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>
Dear user <recipient's username>,
It has come to our attention that your <recipient's domain> User
Profile ( x ) records are out of date. For further
details see the attached document.
Thank you for using <recipient's domain>!
The <recipient's domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>
Dear <recipient's username> Member,
We have temporarily suspended your email account <recipient's domain>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of
address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our
processors.
See the details to reactivate your <recipient's domain> account.
Sincerely,The <recipient's domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>
Dear <recipient's domain> Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could
please take 5-10 minutes out of your online experience and confirm
the attached document so you will not run into any
future problems with the online service.
If you choose to ignore our request, you leave us no choice but to
cancel your membership.
Virtually yours,
The <recipient's domain> Support Team
+++ Attachment: No Virus found
+++ <recipient's domain> Antivirus - www.<recipent's domain>
Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
First extension (of attachment or of file inside zip):
doc
htm
txt
Second extension (of attachment or of file inside zip):
pif
scr
exe
cmd
bat
If the attachment is a zip file it will have the same base name as
the double-extension file inside.
Example attachment names include document.txt.pif and
information.doc.cmd, usually with a large number of spaces
between the extensions.
Name W32/Kookoo-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
Prevalence (1-5) 2
Description
W32/Kookoo-A is a virus for the Windows platform.
W32/Kookoo-A spreads via infected files.
W32/Kookoo-A runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Kookoo-A includes functionality to:
- send stolen confidential information to a remote address
- provide a proxy server
- silently download, install and run new software
- terminate and delete anti-virus related software
Advanced
W32/Kookoo-A is a virus for the Windows platform.
W32/Kookoo-A spreads via infected files.
W32/Kookoo-A runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Kookoo-A includes functionality to:
- send stolen confidential information to a remote address
- provide a proxy server
- silently download, install and run new software
- terminate and delete anti-virus related software
When the virus is installed it creates the file
<System>\oledsp32.dll, which is detected as W32/Kookoo-A.
Name Troj/Haxdoor-AS
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Dropped by malware
Aliases
* PWS-Goldun.dll
Prevalence (1-5) 2
Description
Troj/Haxdoor-AS is a Trojan for the Windows platform.
The Trojan steals usernames and passwords and sends stolen data to a
remote attacker.
Advanced
Troj/Haxdoor-AS is a Trojan for the Windows platform.
The Trojan steals usernames and passwords and sends stolen data to a
remote attacker.
Troj/Haxdoor-AS copies itself to the Windows system folder as
satdll.dll.
The Trojan may set registry entries under:
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\TestService
<several entries>
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
satdll
The Trojan may also create the file vxdgfx.sys in the Windows system
folder.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|