Post by StRiDeR on Apr 4, 2004 16:08:54 GMT 8
Troj/JDownL-A
Aliases: Trojan.Java.ClassLoader.c, Exploit-ByteVerify
Type: Trojan
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
Sophos has received several reports of this Trojan from the wild.
Description: Troj/JDownL-A uses the Troj/ByteVeri-F exploit to download and install Troj/Banker-H.
Recovery: Please follow the instructions for removing Trojans.
Post by StRiDeR on Apr 4, 2004 16:12:07 GMT 8
Troj/Adtoda-A
Type: Trojan
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this Trojan from the wild.
Description: Troj/Adtoda-A is a backdoor Trojan. When first run, Troj/Adtoda-A will display the following two messages:
"Setup was not able to continue the installation. An illegal copy of Windows Operating System was detected on this computer. The computer informations is already collect and will be post as this computer name: (name of machine)"
"The operating system will not work properly before you get a permission after you complete the penalty! For any detail informations, Please contact the following link: http:\\www.microsoft.com\~msproduct\~watch\~piracy10 \secureID=OS_wiNver_532Fg32_ap12nt04A"
After the user clicks "OK" on both of these messages, Troj/Adtoda-A installs itself and activates the payload. This inverts the screen and freezes the machine so that it needs to be rebooted.
In order to run automatically when Windows starts up the Trojan creates the file C:\Windows\system\winupd32.exe and the shortcut C:\Windows\Start Menu\Programs\StartUp\System Update Service.lnk pointing to it.
These files will cause the payload to be run again on system boot.
Troj/Adtoda-A also attempts to modify C:\boot.ini to prevent debugging.
Recovery: Please follow the instructions for removing Trojans.
Post by atokENSEM on Apr 5, 2004 12:24:13 GMT 8
In Normal view, display the slide and click Slide Show in the lower-left corner of the PowerPoint window. If you set the movie or animated GIF to play when you click it, then you have to click it. (Or, if you inserted the movie as an object to be played in Windows Media Player, you have to click the Stop, Start and Pause buttons.)
Note: You can also play a movie in Normal view by double-clicking it. If the movie or animated GIF is part of a custom animation sequence, you can play it by clicking Play in the Custom Animation task pane.
Post by StRiDeR on Apr 5, 2004 15:21:27 GMT 8
W32/Sober-F
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
Sophos has received several reports of this worm from the wild.
Description: W32/Sober-F is a mass mailing worm which sends itself to addresses harvested from the local computer. When first run the worm creates a TXT file called in the Temp folder and displays its contents using NOTEPAD.EXE. The text file begins with the text:
"#Mail Transaction Failed #This mail couldn't be converted ---------------- Damage #Mime base64# part ---------------- <random text>"
The worm copies itself to the Windows system folder as an EXE file with a name that is constructed from the following:
sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32
and sets the following registry entry to ensure it is run at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\<random name>= <SYSTEM>\<random file> %1
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<random name>\<random name>= <SYSTEM>\<random file>
where <random file> is the name of the copy of the worm and <random name> is generated using the same word list.
W32/Sober-F may change the registry entry at the following location to run itself before EXE files:
HKCR\exefile\shell\open\command
W32/Sober-F also creates the following files in the Windows system folder:
BCEGFDS.LLL - zero byte file
SPOOFED_RECIPS.OCX - list of harvested email addresses
SYST32WIN.DLL - list of harvested email addresses
WINHEX32XX.WRM - base64 encoded version of the worm
WINSYS32XX.ZZP - base64 encoded ZIP archive of the worm
ZHCARXXI.VVX - zero byte file
ZMNDPGWF.KXX - zero byte file
W32/Sober-F harvests email addresses from files with the following extensions:
WAB, TBB, ABD, ADB, PL, CTL, DHTM, CGI, PP, PPT, MSG, JSP, OFT, VBS, UIN, LDB, ABC, PST, CFG, MDW, MBX, MDX, MDA, ADP, NAB, FDB, VAP, DSP, ADE, SLN, DSW, MDE, FRM, BAS, ADR, CLS, INI, LDIF, LOG, MDB, XML, WSH, ABX, ADB, RTF, MMF, DOC, ODS, NCH, XLS, NSF, TXT, EML, HLP, MHT, NFO, PHP, ASP, SHTML, DBX
Emails can be either in English or German and have the following characteristics:
Subject lines (English):
Details Oh my God Hey Hi! Hi, it's me hey you damn Well, surprise?! Info Information . Faulty mail delivery Mail delivery failed Mail Error Illegal signs in Mail-Routing Connectio failed Invalid mail sentence length Mail Delivery failure Message Error mail delivery status Confirmation Required Bad Gateway Warning! Your document
Message texts (English):
I was surprised, too! :-( Who could suspect something like that?
All OK :) see, what i've found!
hi its me i've found a shity virus on my pc. check your pc, too! follow the steps in this article. bye
I 've told you!:-) sometime I grab your passwords!
I hope you accept the result! Follow the instructions to read the message. Please read the document
Registration confirmation Confirmation Your Password Your mail account Your password was changed successfully. Protected message is attached. ++++ Service: http://www. ++++ Mail To: User-info
*** Auto Mail Delivery System *** 67.28.114.32_failed_after_I_sent_the_message./Remote_host_said :_554_delivery_error:_dd_Sorry_your_message_cannot_be_delivered. _This_account_has_been_disabled_or_discontinued_[#102]._-_mta134.mail.dcn.com ** End of Transmission The original message is a separate attachment. --- Web: http://www. --- Mail To: UserHelp
Read the attachment for details. Bad Gateway: The message has been attached. +++ A service of +++ http://www. Mail: home
The message has been attached.
Database #Error -- Partial message is available! -- Error: llegal signs in Mail-Routing -- Mail Server: ESMTP VX32.9 Version Betha Alpha
Anybody use your accounts! For further details see the attachment.
I have received your document. The corrected document is attached. greets corrected_text-file
The message text may end with the following:
Mail- Attachment: No suspicious Virus signatures Mail Scanner: No Virus found Anti-Virus: No Virus!
Subject lines (German):
Einzelheiten Hallo Du! Hallo! Hey Du Hi, Ich bin's Ich bin es .-) Verdammt berrascht?! Information Fehlerhafte Mailzustellung Mailzustellung fehlgeschlagen Fehler Illegale Zeichen in Mail-Routing Verbindung fehlgeschlagen ltige Mail-Satzl Fehler in E-Mail tigung Registrierungs-Best tigung Ihr neues Passwort Ihr Passwort Datenbank-Fehler Warnung!
Message texts (German):
Ich war auch ein wenig Wer konnte so etwas ahnen!? Lese selbst
Alles klaro bei dir? Schau mal was Ich gefunden habe!
Meinst Du das wirklich?
Sieh mal nach ob du den Scheiss auch bei dir drauf hast! Ist ein ziemlich nervender Virus. Mach genau das, wie es im Text beschrieben ist! Bye
Ich habs dir doch gesagt, irgendwann schaffe ich es deine Passwörter rauszubekommen!!!
Details entnehmen Sie bitte dem Attachment Nähere Informationen befinden sich im Anhang.
*** Auto Mail Delivery System *** Ihre E-Mail konnte nicht gesendet oder empfangen werden. Bitte attach: * End Transmission --- Web: http://www. --- Mail To: User-Hilfe
Passwort und Benutzername wurde erfolgreich ge Mail- Anhang: Keine verdächtigen Virus- Signaturen gefunden Ihre Benutzernamen und Passwörter befinden sich im Anhang dieser E-Mail ++++ Im www erreichbar unter: http://www. ++++ E-Mail: KundenInfo
Wegen eines Datenbank- Fehlers k Wenn Sie Unregelmäßigkeiten festgestellt haben, melden Sie uns bitte umgehend den Datenverlust. Vielen Dank f +++ Ein Service von
Internet Provider Abuse: Wir haben festgestellt, dass Sie illegale Internet- Seiten besuchen. Bitte beachten Sie folgende Liste:
The message text may end with the following:
Mail- Anhang: Keine verdächtigen Virus- Signaturen gefunden Mail Scanner: Kein Virus gefunden Anti- Virus: Es wurde kein Virus erkannt
Attached file (extension PIF or ZIP):
Webmaster, Fehler-Info, Administrator, RobotMailer, AutoMailer, Dokumente, Dokument, KurzText, Register, Service, Info, Passwort, Kundenservice, Liste, Schwarze-Liste, Information, text, Textdocument, anitv_text, instructions, your_article, your_passwords, messagedoc, admin, pass-message, database, help, check_this, Police
Recovery: Please follow the instructions for removing worms.
Post by StRiDeR on Apr 6, 2004 14:30:35 GMT 8
W32/Nackbot-D
Aliases: Backdoor.Agobot.jy, W32.Randex.gen
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description: W32/Nackbot-D is a peer-to-peer (P2P) worm which spreads via shared folders and has IRC backdoor functionality. When run the worm copies itself to the Windows System (or System32) folder as the file MSCLOCK.EXE. To ensure that the worm is run each time Windows is started W32/Nackbot-D creates the registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Digital Clock = msclock.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Digital Clock = msclock.exe
W32/Nackbot-D attempts to spread to randomly chosen IP addresses. The worm attempts to access the C$, D$, E$ and Admin$ shares of the target computer using a list of passwords contained within the worm. The worm then copies itself to the Windows System (or System32) folder on the target computer as MSCLOCK.EXE.
W32/Nackbot-D contains backdoor components which can be controlled by a remote attacker via IRC. The backdoor functions include the ability to launch a distributed denial-of-service attack (DDoS).
W32/Nackbot-D searches for the following virus, anti-virus and security-related processes and terminates them if they are running:
_AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ADVXDWIN.EXE ALERTSVC.EXE amon.exe ANTI-TROJAN.EXE ANTITROJAN.EXE ANTS.EXE APVXDWIN.EXE AUTODOWN.EXE AVCONSOL.EXE AVE32.EXE AVGCTRL.EXE AVKSERV.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVSCHED32.EXE AVWIN95.EXE AVWUPD32.EXE BLACKD.EXE BLACKICE.EXE bot.exe CCAPP.EXE CCEVTMGR.EXE CCPXYSVC.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95.EXE CLAW95CF.EXE CLEANER.EXE CLEANER3.EXE COMMVIEW.EXE COMMVIEW32.EXE CONNECTIONMONITOR.EXE CPD.EXE CPDCLNT.EXE dcomx.exe DEFWATCH.EXE DFW.EXE drweb.exe Drweb32w.exe drweb386.exe Drwebupw.exe Drwebwcl.exe DUMP.EXE DUMP1.EXE DUMPED.EXE DUMPED1.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE EETHERCAP.EXE EETHERCAP32.EXE enbiei.exe ESAFE.EXE ESPWATCH.EXE ETHERCAP.EXE ETHERCAP32.EXE EXPLORER32.EXE F-AGNT95.EXE F-PROT.EXE F-PROT95.EXE F-STOPW.EXE FINDVIRU.EXE FP-WIN.EXE FPROT.EXE FRW.EXE GUARDDOG.EXE IAMAPP.EXE IAMSERV.EXE IBMASN.EXE IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IFACE.EXE index.exe IOMON98.EXE IRIS.EXE JEDI.EXE KILL.EXE KILLER.EXE KPF4GUI.EXE KPF4SS.EXE LDNETMON.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE lolx.exe LOOKOUT.EXE LordPE.EXE LordPE32.EXE LUALL.EXE MINILOG.EXE MOOLIVE.EXE MPFTRAY.EXE MSBLAST.EXE MSCONFIG.EXE mslaugh.exe mspatch.exe N32SCANW.EXE NAVAPSVC.EXE NAVAPW32.EXE NAVLU32.EXE NAVNT.EXE NAVW32.EXE NAVWNT.EXE NDD32.EXE NETSTAT.EXE NETUTILS.EXE NISSERV.EXE NISUM.EXE NMAIN.EXE nod.exe nod32.exe NORMIST.EXE NPROTECT.EXE NPSSVC.EXE NTVDM.EXE NUPGRADE.EXE NVC95.EXE NVSVC32.EXE NWTOOL16.EXE OUTPOST.EXE PADMIN.EXE PAVCL.EXE PAVSCHED.EXE PAVW.EXE PCCWIN98.EXE PCFWALLICON.EXE penis32.exe PERSFW.EXE PM.exe POPROXY.EXE PORTMONITOR.EXE PRKILLER.EXE PROCDUMP.EXE PROCDUMP32.EXE PS.EXE PSKILL.EXE PSLIST.EXE RAV7.EXE RAV7WIN.EXE REGEDIT.EXE RESCUE.EXE root32.exe rpc.exe rpctest.exe RTVSCN95.EXE RUNDDL31.EXE SAFEWEB.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE scvhost.exe SERV95.EXE SMC.EXE SPHINX.EXE spider.exe Spiderml.exe spidernt.exe SWEEP95.EXE SWNETSUP.EXE SymProxySvc.exe SYSCFG32.EXE SYSOTRAY32.EXE TASKKILL.EXE TASKLIST.EXE TASKMGR.EXE TBSCAN.EXE TC.EXE TCA.EXE TCM.EXE TCPDUMP.EXE TCPDUMP32.EXE TDS2-98.EXE TDS2-NT.EXE teekids.exe tftpd.exe VET95.EXE VETTRAY.EXE VPC32.EXE VPTRAY.EXE VSCAN40.EXE VSECOMR.EXE VSHWIN32.EXE VSMON.EXE VSSTAT.EXE WEBSCANX.EXE WFINDV32.EXE WINDRIVER.EXE WINEXEC.EXE WINHEX.EXE WINSOCK2.2.EXE worm.exe WRADMIN.EXE WRCTRL.EXE ZAPRO.EXE ZLCLIENT.EXE zlclient.exe ZONEALARM.EXE
W32/Nackbot-D can also be used to steal the Windows Product ID and the CD keys from several computer games including: Half-Life, Counter-Strike, Unreal Tournament 2003, Unreal Tournament 2004, Project IGI 2, Battlefield 1942, Battlefield: Vietnam, Battlefield 1942: Road To Rome, Rainbow Six III RavenShield, Neverwinter Nights, Soldier of Fortune II - Double Helix, Need For Speed Hot Pursuit 2, FIFA 2003, Command & Conquer: Generals
Recovery: Please follow the instructions for removing worms.
Post by StRiDeR on Apr 6, 2004 14:34:47 GMT 8
W32/Lovgate-V
Aliases: WORM_LOVGATE.W
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
Sophos has received several reports of this worm from the wild.
Description: W32/Lovgate-V is a variant of the W32/Lovgate family of worms that spread via email, network shares and filesharing networks. W32/Lovgate-V copies itself to the Windows system folder as the files WinHelp.exe, iexplore.exe, kernel66.dll and ravmond.exe and to the Windows folder as systra.exe.
The worm also drops the files msjdbc11.dll, mssign30.dll and odbc16.dll which provide unauthorised remote access to the computer over a network.
The worm drops ZIP files containing a copy of the worm onto accessible drives. The ZIP file may also carry a RAR extension. The name of the packed file is chosen from the following list:
WORK setup important bak letter pass
The name of the contained unpacked file is either PassWord, email or book, with a file extension of EXE, SCR, PIF or COM.
In order to run automatically when Windows starts up W32/Lovgate-V creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Hardware Profile = <SYSTEM>\hxdef.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft NetMeeting Associates, Inc. = NetMeeting.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Protected Storage = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VFW Encoder/Decoder Settings = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinHelp = <SYSTEM>\WinHelp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Program In Windows = <SYSTEM>\IEXPLORE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SystemTra = <WINDOWS>\SysTra.EXE
HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = RAVMOND.exe
In addition W32/Lovgate-V copies itself to the file command.exe in the root folder and creates the file autorun.inf there containing an entry to run the dropped file upon system startup.
W32/Lovgate-V spreads by email. Email addresses are harvested from WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL files found on the system.
Emails have the following characteristics:
Subject line:
test hi hello Mail Delivery System Mail Transaction Failed Server Report Status Error
Message text:
It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail failed. For further assistance, please contact!
Attached file:
document readme doc text file data test message body
followed by ZIP, EXE, PIF or SCR.
W32/Lovgate-V also enables sharing of the Windows media folder and copies itself there using various filenames.
The worm also attempts to reply to emails found in the user's inbox using the following filenames as attachments:
the hardcore game-.pif *** in Office.rm.scr Deutsch BloodPatch!.exe s3msong.MP3.pif Me_****.AVI.pif How to Crack all gamez.exe Macromedia Flash.scr SETUP.EXE Shakira.zip.exe dreamweaver MX (crack).exe StarWars2 - CloneAttack.rm.scr Industry Giant II.exe DSL Modem Uncapper.rar.exe joke.pif Britney spears ****.exe.txt.exe I am For u.doc.exe
The worm attempts to spread by copying itself to mounted shares using one of the following filenames:
mmc.exe xcopy.exe winhlp32.exe i386.exe client.exe findpass.exe autoexec.bat MSDN.ZIP.pif Cain.pif WindowsUpdate.pif Support Tools.exe Windows Media Player.zip.exe Microsoft Office.exe Documents and Settings.txt.exe Internet Explorer.bat WinRAR.exe
W32/Lovgate-V also attempts to spread via weakly protected remote shares by connecting using a password from an internal dictionary and copying itself as the file NetManager.exe to the system folder on the admin$ share.
After successfully copying the file W32/Lovgate-V attempts to start it as the service "Windows Managment Network Service Extensions" on the remote computer.
W32/Lovgate-V starts a logging thread that listens on port 6000, sends a notification email to an external address and logs received data to the file C:\Netlog.txt.
W32/Lovgate-V attempts to terminate processes containing the following strings:
rising SkyNet Symantec McAfee Gate Rfw.exe RavMon.exe kill Nav Duba KAV KV
W32/Lovgate-V also overwrites EXE files on the system with copies of itself. The original files are saved with a ZMX extension.
Recovery: Please follow the instructions for removing worms.
Post by StRiDeR on Apr 7, 2004 11:40:58 GMT 8
W32/Agobot-FV
Aliases: W32.HLLW.Gaobot.gen
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description: W32/Agobot-FV is an IRC backdoor Trojan and network worm. W32/Agobot-FV is capable of spreading to computers on the local network protected by weak passwords.
When first run W32/Agobot-FV copies itself to the Windows system folder as regsvc32.exe and creates the following registry entries to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Generic Service Process = regsvc32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process = regsvc32.exe
Each time W32/Agobot-FV is run it attempts to connect to a remote IRC server and join a specific channel.
W32/Agobot-FV then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.
W32/Agobot-FV attempts to terminate and disable various anti-virus and security-related programs.
Recovery: Please follow the instructions for removing worms.
Post by StRiDeR on Apr 7, 2004 11:43:05 GMT 8
W32/Bugbear-E
Aliases: W32/Bugbear.gen@MM, W32.Bugbear.E@mm
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.
Description: W32/Bugbear-E is a worm that spreads using its own SMTP engine by emailing itself to the addresses found within files on the local computer whose names contain the string "inbox", or have an extension of DBX, TBB, EML, MBX, NCH, MMF or ODS.
W32/Bugbear-E may arrive in email with a subject line chosen from:
Hello! update Payment notices Just a reminder Correction of errors history screen Announcement various Introduction Interesting... I need help about script!!! Please Help... Report Membership Confirmation Today Only New Contests Lost & Found bad news fantastic click on this! Market Update Report empty account My eBay ads 25 merchants and rising CALL FOR INFORMATION! new reading Sponsors needed SCAM alert!!! Warning! its easy free shipping! Daily Email Reminder Tools For Your Online Business New bonus in your cash account Your Gift good news! Your News Alert Greets!
The attached file can have the same filename as another file on the victim’s computer, will have an extension of SCR, EXE, PIF or ZIP and may have a double extension.
Attachments with an extension of SCR, EXE or PIF attempt to exploit a known vulnerability in Microsoft Internet Explorer 5.01/5.5, so that the attachment is run automatically when the email message is opened. See Microsoft Security Bulletin MS01-027.
Attachments with a ZIP extension contain zipped HTML with a base64 encoded version of the worm that attempts to exploit the codebase vulnerability associated with Microsoft Internet Explorer to decode and run the worm automatically when the HTML file is opened.
When first run W32/Bugbear-E copies itself to the Windows System folder, using a randomly-generated filename and adds the pathname of this copy to a new random sub-key of the following registry entry to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
W32/Bugbear-E creates three DLL files with random names in the Windows system folder. One provides keylogging functionality and is detected as W32/Bugbear-B.
W32/Bugbear-E also logs keystrokes, clipboard text and window text and emails this data to a remote account.
W32/Bugbear-E attempts to terminate a number of processes related to the following anti-virus and security applications:
_AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ANTI-TROJAN.EXE APVXDWIN.EXE AUTODOWN.EXE AVCONSOL.EXE AVE32.EXE AVGCTRL.EXE AVKSERV.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVSCHED32.EXE AVWIN95.EXE AVWUPD32.EXE BLACKD.EXE BLACKICE.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95.EXE CLAW95CF.EXE CLEANER.EXE CLEANER3.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE ESAFE.EXE ESPWATCH.EXE F-AGNT95.EXE FINDVIRU.EXE FPROT.EXE F-PROT.EXE F-PROT95.EXE FP-WIN.EXE FRW.EXE F-STOPW.EXE IAMAPP.EXE IAMSERV.EXE IBMASN.EXE IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IFACE.EXE IOMON98.EXE JEDI.EXE LOCKDOWN2000.EXE LOOKOUT.EXE LUALL.EXE MOOLIVE.EXE MPFTRAY.EXE N32SCANW.EXE NAVAPW32.EXE NAVLU32.EXE NAVNT.EXE NAVW32.EXE NAVWNT.EXE NEALARM.EXE NISUM.EXE NMAIN.EXE NORMIST.EXE NUPGRADE.EXE NVC95.EXE OUTPOST.EXE PADMIN.EXE PAVCL.EXE PAVSCHED.EXE PAVW.EXE PCCWIN98.EXE PCFWALLICON.EXE PERSFW.EXE RAV7.EXE RAV7WIN.EXE RESCUE.EXE SAFEWEB.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE SERV95.EXE SMC.EXE SPHINX.EXE SWEEP95.EXE TBSCAN.EXE TCA.EXE TDS2-98.EXE TDS2-NT.EXE VET95.EXE VETTRAY.EXE VSCAN40.EXE VSECOMR.EXE VSHWIN32.EXE VSSTAT.EXE WEBSCANX.EXE WFINDV32.EXE
Recovery: Please follow the instructions for removing worms.
Post by StRiDeR on Apr 8, 2004 11:02:17 GMT 8
W32/Sdbot-HB
Aliases: Backdoor.IRCBot.gen, Win32/IRCBot.CL
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description: W32/Sdbot-HB is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process. W32/Sdbot-HB spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Sdbot-HB copies itself to the Windows system folder as MPTCLOAXS.EXE and creates an entry in the registry at the following location to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
W32/Sdbot-HB attempts to terminate a number of processes relating to anti-virus and security products, as well as some relating to W32/Blaster-A and its variants, including the following:
_AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ADVXDWIN.EXE ALERTSVC.EXE amon.exe ANTITROJAN.EXE ANTI-TROJAN.EXE ANTS.EXE APVXDWIN.EXE AUTODOWN.EXE AVCONSOL.EXE AVE32.EXE AVGCTRL.EXE AVKSERV.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVSCHED32.EXE AVWIN95.EXE AVWUPD32.EXE BLACKD.EXE BLACKICE.EXE bot.exe CCAPP.EXE CCEVTMGR.EXE CCPXYSVC.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95.EXE CLAW95CF.EXE CLEANER.EXE CLEANER3.EXE CONNECTIONMONITOR.EXE CPD.EXE CPDCLNT.EXE dcomx.exe DEFWATCH.EXE DFW.EXE drweb.exe Drweb32w.exe drweb386.exe Drwebupw.exe Drwebwcl.exe DUMP.EXE DUMP1.EXE DUMPED.EXE DUMPED1.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE enbiei.exe ESAFE.EXE ESPWATCH.EXE EXPLORER32.EXE F-AGNT95.EXE FINDVIRU.EXE FPROT.EXE F-PROT.EXE F-PROT95.EXE FP-WIN.EXE FRW.EXE F-STOPW.EXE GUARDDOG.EXE IAMAPP.EXE IAMSERV.EXE IBMASN.EXE IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IFACE.EXE index.exe IOMON98.EXE IRIS.EXE JEDI.EXE KILL.EXE KILLER.EXE KPF4GUI.EXE KPF4SS.EXE LDNETMON.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE lolx.exe LOOKOUT.EXE LordPE.EXE LordPE32.EXE LUALL.EXE MINILOG.EXE MOOLIVE.EXE MPFTRAY.EXE msblast.exe MSCONFIG.EXE mslaugh.exe mspatch.exe N32SCANW.EXE NAVAPSVC.EXE NAVAPW32.EXE NAVLU32.EXE NAVNT.EXE NAVW32.EXE NAVWNT.EXE NDD32.EXE NETSTAT.EXE NETUTILS.EXE NISSERV.EXE NISUM.EXE NMAIN.EXE nod.exe nod32.exe NORMIST.EXE NPROTECT.EXE NPSSVC.EXE NTVDM.EXE NUPGRADE.EXE NVC95.EXE NVSVC32.EXE NWTOOL16.EXE OUTPOST.EXE PADMIN.EXE PAVCL.EXE PAVSCHED.EXE PAVW.EXE PCCWIN98.EXE PCFWALLICON.EXE penis32.exe PERSFW.EXE PM.exe POPROXY.EXE PORTMONITOR.EXE PRKILLER.EXE PROCDUMP.EXE PROCDUMP32.EXE PS.EXE PSKILL.EXE PSLIST.EXE RAV7.EXE RAV7WIN.EXE REGEDIT.EXE RESCUE.EXE root32.exe rpc.exe rpctest.exe RTVSCN95.EXE RUNDDL31.EXE SAFEWEB.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE scvhost.exe SERV95.EXE SMC.EXE SPHINX.EXE spider.exe Spiderml.exe spidernt.exe SWEEP95.EXE SWNETSUP.EXE SymProxySvc.exe SYSCFG32.EXE SYSOTRAY32.EXE TASKKILL.EXE TASKLIST.EXE TASKMGR.EXE TBSCAN.EXE TC.EXE TCA.EXE TCM.EXE TCPDUMP.EXE TCPDUMP32.EXE TDS2-98.EXE TDS2-NT.EXE teekids.exe tftpd.exe VET95.EXE VETTRAY.EXE VPC32.EXE VPTRAY.EXE VSCAN40.EXE VSECOMR.EXE VSHWIN32.EXE VSMON.EXE VSSTAT.EXE WEBSCANX.EXE WFINDV32.EXE WINDRIVER.EXE WINEXEC.EXE WINHEX.EXE WINSOCK2_2.EXE worm.exe WRADMIN.EXE WRCTRL.EXE ZAPRO.EXE ZONEALARM.EXE
Recovery: Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
Renaming the registry editor
Using Windows explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt) right-click Regedit.exe and make a copy of it.
Rename the copy of Regedit.exe to Regedit.com.
At the taskbar, click Start|Run. Type 'Regedit.com' and press Return. The registry editor opens.
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and remove any reference to any file you deleted.
Close the registry editor.
Post by StRiDeR on Apr 8, 2004 11:03:41 GMT 8
Troj/Dloader-N
Aliases: Download.Trojan
Type: Trojan
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this Trojan from the wild.
Description: Troj/Dloader-N is a Trojan downloader. When run the Trojan downloads a remote file to C:\ass.exe and executes it. At the time of writing the file it attempts to download did not exist.
Recovery: Please follow the instructions for removing Trojans.
Post by StRiDeR on Apr 8, 2004 11:05:29 GMT 8
Troj/Bagle-X
Aliases: W32/Bagle.X.worm, W32/Bagle.x!proxy, I-Worm.Bagle.v, Troj/Lohav-Fam
Type: Trojan
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers.
Description: Troj/Bagle-X is a proxy backdoor Trojan. The Trojan runs continuously in the background providing a proxy server on a random port number above 2000.
Data can be routed to other computers via the proxy in order to bypass access restrictions and to hide the IP address of the source computer.
The proxy may be used to forward SPAM email.
When first run the Trojan copies itself to the Windows system folder as window.exe and creates the following registry entry, so that window.exe is run automatically on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\window.exe = <Windows system folder>\window.exe
The following registry entries are also created:
HKCU\Software\Timeout\uid = <random 9-digit string>
HKCU\Software\Timeout\pid = <process ID for the Trojan>
HKCU\Software\Timeout\port = <port the Trojan listens on>
The Trojan tries to send connection information to several remote locations.
Recovery: Please follow the instructions for removing Trojans.
Post by StRiDeR on Apr 8, 2004 11:06:59 GMT 8
W32/Netsky-U
Aliases: I-Worm.NetSky.v
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.
Description: W32/Netsky-U is a mass mailing worm with a backdoor component which is functionally identical to W32/Netsky-S. Please refer to W32/Netsky-S for further details.
Recovery: Please follow the instructions for removing worms.
|
|
|
Post by StRiDeR on Apr 12, 2004 17:24:16 GMT 8
Troj/Webber-H
Aliases: TrojanDownloader.Win32.Small.hg, Trojan.Download.Berbew, Downloader-DI trojan
Type: Trojan
Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
Sophos has received several reports of this Trojan from the wild.
Description
Troj/Webber-H is a two component backdoor Trojan. The downloader component of the Trojan appears to have been mass mailed out.
When run the Trojan downloads a remote file to C:\windows\usermade.exe and executes it.
The downloaded component is a password stealing Trojan that attempts to extract sensitive information from several locations on the system and sends it to a remote computer.
The downloaded component copies itself as a file with a random name into the Windows system folder and drops and executes a DLL file, also with a random name, that runs the copy of the Trojan.
In order to be started automatically the Trojan creates the following registry entries:
HKLM\Software\CLASSES\CLSID\{79FB9088-19CE-715D-D900-216290C5B738}\InProcServer32
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger
Troj/Webber-H also sets the following Microsoft Internet Explorer related registry entries to prompt the user into entering passwords:
HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords
HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask
HKCU\Software\Microsoft\Internet Explorer\Main\Use FormSuggest
Recovery
Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
|
|
|
Post by StRiDeR on Apr 12, 2004 17:26:08 GMT 8
W32/SdBot-CM
Aliases: W32/Sdbot.worm.gen, W32.Randex.gen, WORM_RBOT.C
Type: Win32 worm
Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description
W32/SdBot-CM is a network worm and a backdoor Trojan which runs in the background as a service process and allows unauthorised remote access to the computer via IRC channels. When executed W32/SdBot-CM copies itself to the Windows system folder with the filename msgfix.exe and sets the following registry entries with the path to the copy:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Configuration Loader
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Configuration Loader
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Configuration Loader
W32/SdBot-CM attempts to copy itself to remote network shares with weak passwords.
As a backdoor W32/SdBot-CM can be used to install and execute programs on your computer, retrieve system information and flood other computers with network packets.
The information the worm retrieves includes computer name, user name, operating system, memory size and CD-keys for various games.
Recovery
Please follow the instructions for removing worms.
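The Bagle-X, Webber-H and SdBot-CM advisories above all persist through the same handful of autostart locations (Run, RunServices, ShellServiceObjectDelayLoad) plus, in Bagle-X's case, marker values under HKCU\Software\Timeout. The following script is an added example for this thread, not Sophos code: it parses an exported .reg file and reports any value under those locations, naming the family when the value name matches one of the indicators quoted in the advisories and flagging everything else as an unknown autorun entry for the operator to review. The .reg text embedded at the bottom is constructed sample data, and the indicator table is an assumption assembled from the posts above.

```python
"""Scan a Windows registry export (.reg) for the autorun persistence described above.

Added example for this thread; not Sophos code. Works offline on exported .reg text
(constructed sample below), so it can be run against an export taken from a suspect host.
"""
import re

# Autostart locations named in the advisories, hive stripped and lower-cased.
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\microsoft\windows\currentversion\shellserviceobjectdelayload",
)

# Value names quoted in the advisories (assumed indicator table; lower-cased for matching).
KNOWN_INDICATORS = {
    "window.exe": "Troj/Bagle-X",
    "configuration loader": "W32/SdBot-CM",
    "web event logger": "Troj/Webber-H",
    "windns": "W32/Agobot-GA",
}

# Bagle-X drops these marker values under HKCU\Software\Timeout.
BAGLE_MARKER_KEY = r"software\timeout"
BAGLE_MARKER_VALUES = ("uid", "pid", "port")


def parse_reg(text):
    """Yield (key_path, value_name, data) triples from .reg export text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key section
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ values are quoted and backslash-doubled in .reg files
                data = data[1:-1].replace('\\\\', '\\')
            yield key, name, data


def find_persistence(text):
    """Return a list of (key, value_name, data, label) for every autorun or marker value."""
    findings = []
    for key, name, data in parse_reg(text):
        lower_key = key.lower()
        # Drop the hive (HKEY_LOCAL_MACHINE / HKEY_CURRENT_USER) so both hives match.
        path = lower_key.split("\\", 1)[1] if "\\" in lower_key else lower_key
        if path in AUTORUN_KEYS:
            label = KNOWN_INDICATORS.get(name.lower(), "unknown autorun")
            findings.append((key, name, data, label))
        elif path == BAGLE_MARKER_KEY and name.lower() in BAGLE_MARKER_VALUES:
            findings.append((key, name, data, "Troj/Bagle-X marker"))
    return findings


# Constructed sample export: two known entries, one benign entry, the Bagle-X markers,
# and the Webber-H delay-load value. Paths are illustrative only.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"window.exe"="C:\\WINDOWS\\System32\\window.exe"
"Configuration Loader"="C:\\WINDOWS\\System32\\msgfix.exe"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Timeout]
"uid"="123456789"
"pid"="1844"
"port"="2671"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger"="{79FB9088-19CE-715D-D900-216290C5B738}"
'''

if __name__ == "__main__":
    for key, name, data, label in find_persistence(SAMPLE_REG):
        print(f"[{label}] {key}\\{name} = {data}")
```

Export the keys with `reg export` on the suspect machine and feed the file to `find_persistence`; the "unknown autorun" label is deliberate, since the advisories describe the same locations being reused with different value names, so an unfamiliar entry there is worth a look even when it matches no known indicator.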
|
|
|
Post by StRiDeR on Apr 12, 2004 17:28:09 GMT 8
W32/Agobot-GA
Aliases: Backdoor.Agobot.li, W32/Gaobot.worm.gen.g, W32.Gaobot.WX, WORM_AGOBOT.WN
Type: Win32 worm
Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description
W32/Agobot-GA is a backdoor Trojan and worm which spreads to computers protected by weak passwords. When first run, W32/Agobot-GA moves itself to the Windows system folder as windns32.exe and creates the following registry entries to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinDNS
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinDNS
Each time W32/Agobot-GA is run it attempts to connect to a remote IRC server and join a specific channel. It then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.
W32/Agobot-GA attempts to terminate and disable various anti-virus and security related programs and modifies the HOSTS file located at %Windows%\System32\Drivers\etc\HOSTS. Selected anti-virus websites are mapped to the loopback address 127.0.0.1 in an attempt to prevent access to these sites. Typically the following mappings will be appended to the HOSTS file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
Recovery
Please follow the instructions for removing worms.
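The HOSTS modification in the Agobot-GA advisory is easy to check for: any name other than localhost pinned to a loopback address is suspect, and a name under a security vendor's domain is the signature described above. The script below is an added example for this thread, not Sophos code. It parses HOSTS text (a constructed sample is embedded, including a harmless local override so the output shows the difference between a vendor hit and an ordinary loopback entry) and reports every non-localhost name that resolves to 127.0.0.0/8 or ::1. The vendor suffix list is an assumption built from the mappings quoted in the advisory and only ranks the hits; the loopback test alone produces the findings.

```python
"""Report non-localhost names mapped to a loopback address in a HOSTS file.

Added example for this thread; not Sophos code. Reads HOSTS text from memory
(constructed sample below) so it runs offline; point it at
%Windows%\\System32\\Drivers\\etc\\HOSTS to check a real machine.
"""
import ipaddress

# Names that legitimately map to loopback on a stock system.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Assumed vendor suffixes, taken from the mappings in the W32/Agobot-GA advisory above.
VENDOR_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com", "viruslist.com",
    "f-secure.com", "kaspersky.com", "avp.com", "networkassociates.com", "ca.com",
    "my-etrust.com", "nai.com", "trendmicro.com",
)


def parse_hosts(text):
    """Yield (line_no, ip_address, hostname) for every mapping; comments and junk are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip trailing comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # not an address: ignore the line
        for host in parts[1:]:                     # one address may carry several names
            yield line_no, ip, host.lower()


def matches_vendor(host):
    """True when host is a vendor domain or a subdomain of one (suffix match on a label boundary)."""
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)


def find_blocked_hosts(text):
    """Return dicts for every non-localhost name mapped to 127.0.0.0/8 or ::1."""
    hits = []
    for line_no, ip, host in parse_hosts(text):
        if ip.is_loopback and host not in LEGIT_LOOPBACK_NAMES:
            hits.append({"line": line_no, "host": host, "ip": str(ip), "vendor": matches_vendor(host)})
    return hits


# Constructed sample HOSTS content: the normal localhost line, four mappings of the kind the
# advisory describes, one local developer override (not a vendor) and one unrelated entry.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.sophos.com
127.0.0.1 intranet.example.test   # local override, not a vendor
192.168.0.10 fileserver.example.test
"""

if __name__ == "__main__":
    for hit in find_blocked_hosts(SAMPLE_HOSTS):
        tag = "VENDOR" if hit["vendor"] else "other"
        print(f"line {hit['line']:>3} [{tag}] {hit['host']} -> {hit['ip']}")
```

Running it against the sample lists four vendor hits and one "other" entry; on a real host, clearing the vendor lines is part of recovery, while an "other" loopback entry needs a human decision, since administrators do use HOSTS overrides legitimately.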
|
|