Virus Update

[StRiDeR]

W32/Famus-A

Aliases

W32/Misodene.a@MM virus

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.


Sophos has received several reports of this worm from the wild.


Description

W32/Famus-A is a mass mailing worm for the Windows platform that copies
itself to the system folder as the file PentagonSecret.xls.exe where the second
extension is several whitespace characters after the first in an attempt to disguise itself as a Microsoft Excel spreadsheet file. Copies of the worm will also have a crude Excel icon.
W32/Famus-A will make additional copies of itself as Casper9247.exe and
Red7324.exe in the Temp folder along with other non malicious files related to
the sent emails. Among these will be the file SMTP.OCX which is a freeware
SMTP engine used in the mailing of W32/Famus-A to members of the user's address book.

W32/Famus-A will send itself to members of the user's Outlook address book attached to an email with the following characteristics:

Subject:

Que sabe el Pentagono sobreusted (What the Pentagon knows about you)

Body:

?Crees que estas a salvo del Pentagono de los E.U? Mira estos datos y te
asombraras.

Do you believe you are safe from the Pentagon of the E.U? Just look these
data and you will be surprised

Password: 123

Attachment:

PentagonSecret.xls.exe

Another email will also be sent to the address segurmatic@yahoo.es with the
subject line of Reporte. This is likely to be a notification message sent to
the worm author.


Recovery

Please follow the instructions for removing worms.

[StRiDeR]

Troj/Agobot-IB

Aliases

Backdoor.Agobot.gen, W32/Gaobot.worm.gen.j, W32.Gaobot.AFJ, WORM_AGOBOT.JH

Type

Trojan

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.


At the time of writing, Sophos has received just one report of this Trojan from the wild.

Note: The IDE issued for Troj/Agobot-IB at 15:33 GMT on 5 May also contained detection for Troj/Gina-H, W32/Agobot-HK, W32/Agobot-IU, W32/Agobot-HL, W32/Agobot-HM, W32/Agobot-HN, W32/Agobot-HO and W32/Agobot-HP. This IDE has now been updated to enhance detection of Troj/Agobot-IB.


Description

A detailed analysis will be published here shortly. Please check again later.

Recovery

Please follow the instructions for removing Trojans.

[atokENSEM]

ingatkan dah takde artikel virus lagi..

[StRiDeR]

Hj.atokENSEM said:

ingatkan dah takde artikel virus lagi..

byk tok...leh kata tiap2 hari ader virus baru ...

[atokENSEM]

StRiDeR said:

byk tok...leh kata tiap2 hari ader virus baru ...

betul..atok byk dpt info dr email..dr bdk2 upm..mls nak post cni..sbb,ade yg strider dah post..

[StRiDeR]

Hj.atokENSEM said:

betul..atok byk dpt info dr email..dr bdk2 upm..mls nak post cni..sbb,ade yg strider dah post..

ooo, cam tue ...

[StRiDeR]

W32/Famus-C

Aliases

W32/Misodene.gen@MM virus, Win32/Liber.A worm

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.


Sophos has received several reports of this worm from the wild.


Description

W32/Famus-C will make an additional copy of itself as Red7324.exe in the Temp
folder along with other files which are used for mailing the worm. Among these
will be the file SMTP.OCX which is a freeware SMTP engine used in the mailing
of W32/Famus-C to email addresses found on the computer. Other dropped files
include:
c:/En Cuba no hay libertad de expresion - an empty file

<Windows>/temp/Casper9247.exe - used by the worm

<Windows>/temp/att1.att1 - contains the email's file attchment name

<Windows>/temp/msg.msg - contains the email's message text

<Windows>/temp/sub.sub - contains the email's subject line
The email sent by the worm will have the following characteristics:
Subject line:
Famous / Famosos

Message Text:
?Sabes por que los famosos son famosos?
?Do you know why the famous are famous?

Password: "123"

Attachment:
Famous.exe

Another email may also be sent out without a copy of the worm with the following characteristics:

Subject line:
Virus Infected!!!!

Message Text:
Su computadora ha sido infectada por el virus Libertad
pero no tema, este virus no causa daño
su unico objetivo es prostestar por la falta de
liebertad de expresión en Cuba.
Disculpe la molestia.
El Hobbit.

W32/Famus-C will also display a message box displaying the text above on the
infected computer.


Recovery

Please follow the instructions for removing worms.

Delete any unwanted dropped files.

[jaga_um]

virus berlambak keja duk takde je... ;D

[StRiDeR]

jaga_um said:

virus berlambak keja duk takde je... ;D

tul tue...yg nie aku sokong sesangat...cian lak kat ko...x pe laa, nanti mesti ader keje nyer...kau doa banyak2 yer ...

[StRiDeR]

W32/Sasser-E

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.


Description

W32/Sasser-E is a network worm which spreads by exploiting the Microsoft LSASS vulnerability.
For further information on this vulnerability see Microsoft Security Bulletin
MS04-011.

When first run W32/Sasser-E copies itself to the Windows folder with the filename lsasss.exe and creates the following registry entry so the worm is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
LSASS SVR = lsasss.exe

W32/Sasser-E attempts to connect out on port TCP/1022 and TCP/445. An FTP script is then downloaded and executed which connects back on port TCP/1023 to download a copy of the worm via FTP.


Recovery

Please follow the instructions for removing worms.

[StRiDeR]

W32/Agobot-QA

Aliases

Backdoor.Agobot.gen, W32/Polybot.gen!irc, W32.Gaobot.gen!poly

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.


At the time of writing, Sophos has received just one report of this worm from the wild.


Description

W32/Agobot-QA is an IRC backdoor Trojan and network worm which establishes an IRC channel to a remote server in order to grant an intruder access to the compromised machine.
This worm will move itself into the Windows System32 folder under the filename SYSTEMC.EXE and may create the following registry entries so that it can execute automatically on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SysStrt = systemc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
SysStrt = systemc.exe

The following registry branches will also be created:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEM_START\
HKLM\SYSTEM\CurrentControlSet\Services\System Start\

W32/Agobot-QA may also attempt to collect email addresses from the Windows Address Book and send itself to these email addresses using its own SMTP engine with itself included as an executable attachment.

W32/Agobot-QA may attempt to terminate anti-virus and other security-related processes, in addition to other viruses, worms or Trojans. For example:
_AVPM
_AVPCC
_AVP32
ZONEALARM
ZONALM2601
ZATUTOR
ZAPSETUP3001
ZAPRO
XPF202EN
WYVERNWORKSFIREWALL
WUPDT
WUPDATER
WSBGATE
WRCTRL
WRADMIN
WNT
WNAD
WKUFIND
WINUPDATE
WINTSK32
WINSTART001
WINSTART
WINSSK32
WINSERVN
WINRECON
WINPPR32
WINNET
WINMAIN
WINLOGIN
WININITX
WININIT
WININETD
WINDOWS
WINDOW
WINACTIVE
WIN32US
WIN32
WIN-BUGSFIX
WIMMUN32
WHOSWATCHINGME
WGFE95
WFINDV32
WEBTRAP
WEBSCANX
WEBDAV
WATCHDOG
W9X
W32DSM89
VSWINPERSE
VSWINNTSE
VSWIN9XE
VSSTAT
VSMON
VSMAIN
VSISETUP
VSHWIN32
VSECOMR
VSCHED
VSCENU6.02D30
VSCAN40
VPTRAY
VPFW30S
VPC42
VPC32
VNPC3000
VNLAN300
VIRUSMDPERSONALFIREWALL
VIR-HELP
VFSETUP
VETTRAY
VET95
VET32
VCSETUP
VBWINNTW
VBWIN9X
VBUST
VBCONS
VBCMSERV
UTPOST
UPGRAD
UPDAT
UNDOBOOT
TVTMD
TVMD
TSADBOT
TROJANTRAP3
TRJSETUP
TRJSCAN
TRICKLER
TRACERT
TITANINXP
TITANIN
TGBOB
TFAK5
TFAK
TEEKIDS
TDS2-NT
TDS2-98
TDS-3
TCM
TCA
TC
TBSCAN
TAUMON
TASKMON
TASKMO
TASKMG
SYSUPD
SYSTEM32
SYSTEM
SYSEDIT
SYMTRAY
SYMPROXYSVC
SWEEPNET.SWEEPSRV.SYS.SWNETSUP
SWEEP95
SVSHOST
SVCHOSTS
SVCHOSTC
SVC
SUPPORTER5
SUPPORT
SUPFTRL
STCLOADER
START
ST2
SSG_4104
SSGRATE
SS3EDIT
SRNG
SREXE
SPYXX
SPOOLSV32
SPOOLCV
SPOLER
SPHINX
SPF
SPERM
SOFI
SOAP
SMSS32
SMS
SMC
SHOWBEHIND
SHN
UPDATE
SHELLSPYINSTALL
SH
SGSSFW32
SFC
SETUP_FLOWPROTECTOR_US
SETUPVAMEEVAL
SERVLCES
SERVLCE
SERVICE
SERV95
SD
SCVHOST
SCRSVR
SCRSCAN
SCANPM
SCAN95
SCAN32
SCAM32
SC
SBSERV
SAVENOW
SAVE
SAHAGENT
SAFEWEB
RUXDLL32
RUNDLL16
RUNDLL
RUN32DLL
RULAUNCH
RTVSCN95
RTVSCAN
RSHELL
RRGUARD
RESCUE32
RESCUE
REGEDT32
REGEDIT
REGED
REALMON
RCSYNC
RB32
RAY
RAV8WIN32ENG
RAV7WIN
RAV7
RAPAPP
QSERVER
QCONSOLE
PVIEW95
PUSSY
PURGE
PSPF
PROTECTX
PROPORT
PROGRAMAUDITOR
PROCEXPLORERV1.0
PROCESSMONITOR
PROCDUMP
PRMVR
PRMT
PRIZESURFER
PPVSTOP
PPTBC
PPINUPDT
POWERSCAN
PORTMONITOR
PORTDETECTIVE
POPSCAN
POPROXY
POP3TRAP
PLATIN
PINGSCAN
PGMONITR
PFWADMIN
PF2
PERSWF
PERSFW
PERISCOPE
PENIS
PDSETUP
PCSCAN
PCIP10117_0
PCFWALLICON
PCDSETUP
PCCWIN98
PCCWIN97
PCCNTMON
PCCIOMON
PCC2K_76_1436
PCC2002S902
PAVW
PAVSCHED
PAVPROXY
PAVCL
PATCH
PANIXK
PADMIN
OUTPOSTPROINSTALL
OUTPOSTINSTALL
OTFIX
OSTRONET
OPTIMIZE
ONSRVR
OLLYDBG
NWTOOL16
NWSERVICE
NWINST4
NVSVC32
NVC95
NVARCH16
NUI
NTXconfig
NTVDM
NTRTSCAN
NT
NSUPDATE
NSTASK32
NSSYS32
NSCHED32
NPSSVC
NPSCHECK
NPROTECT
NPFMESSENGER
NPF40_TW_98_NT_ME_2K
NOTSTART
NORTON_INTERNET_SECU_3.0_407
NORMIST
NOD32
NMAIN
NISUM
NISSERV
NETUTILS
NETSTAT
NETSPYHUNTER-1.2
NETSCANPRO
NETMON
NETINFO
NETD32
NETARMOR
NEOWATCHLOG
NEOMONITOR
NDD32
NCINST4
NC2000
NAVWNT
NAVW32
NAVSTUB
NAVNT
NAVLU32
NAVENGNAVEX15.NAVLU32
NAVDX
NAVAPW32
NAVAPSVC
NAVAP.NAVAPSVC
AUTO-PROTECT.NAV80TRY
NAV
OUTPOST
NUPGRADE
N32SCANW
MWATCH
MU0311AD
MSVXD
MSSYS
MSSMMC32
MSMSGRI32
MSMGT
MSLAUGH
MSINFO32

[StRiDeR]

MSIEXEC16
MSDOS
MSDM
MSCONFIG
MSCMAN
MSCCN32
MSCACHE
MSBLAST
MSBB
MSAPP
MRFLUX
MPFTRAY
MPFSERVICE
MPFAGENT
MOSTAT
MOOLIVE
MONITOR
MMOD
MINILOG
MGUI
MGHTML
MGAVRTE
MGAVRTCL
MFWENG3.02D30
MFW2EN
MFIN32
MD
MCVSSHLD
MCVSRTE
MCTOOL
MCSHIELD
MCMNHDLR
MCAGENT
MAPISVC32
LUSPT
LUINIT
LUCOMSERVER
LUAU
LSETUP
LORDPE
LOOKOUT
LOCKDOWN2000
LOCKDOWN
LOCALNET
LOADER
LNETINFO
LDSCAN
LDPROMENU
LDPRO
LDNETMON
LAUNCHER
KILLPROCESSSETUP161
KERNEL32
KERIO-WRP-421-EN-WIN
KERIO-WRL-421-EN-WIN
KERIO-PF-213-EN-WIN
KEENVALUE
KAZZA
KAVPF
KAVPERS40ENG
KAVLITE40ENG
JEDI
JDBGMRG
JAMMER
ISTSVC
MCUPDATE
LUALL
ISRV95
ISASS
IRIS
IPARMOR
IOMON98
INTREN
INTDEL
INIT
INFWIN
INFUS
INETLNFO
IFW2000
IFACE
IEXPLORER
IEDRIVER
IEDLL
IDLE
ICSUPPNT
ICMON
ICLOADNT
ICLOAD95
IBMAVSP
IBMASN
IAMSTATS
IAMSERV
IAMAPP
HXIUL
HXDL
HWPE
HTPATCH
HTLOG
HOTPATCH
HOTACTIO
HBSRV
HBINST
HACKTRACERSETUP
GUARDDOG
GUARD
GMT
GENERICS
GBPOLL
GBMENU
GATOR
FSMB32
FSMA32
FSM32
FSGK32
FSAV95
FSAV530WTBYB
FSAV530STBYB
FSAV32
FSAV
FSAA
FRW
FPROT
FP-WIN_TRIAL
FP-WIN
FNRB32
FLOWPROTECTOR
FIREWALL
FINDVIRU
FIH32
FCH32
FAST
FAMEH32
F-STOPW
F-PROT95
F-PROT
F-AGNT95
EXPLORE
EXPERT
EXE.AVXW
EXANTIVIRUS-CNET
EVPN
ETRUSTCIPE
ETHEREAL
ESPWATCH
ESCANV95
ICSUPP95
ESCANHNT
ESCANH95
ESAFE
ENT
EMSW
EFPEADM
ECENGINE
DVP95_0
DVP95
DSSAGENT
DRWEBUPW
DRWEB32
DRWATSON
DPPS2
DPFSETUP
DPF
DOORS
DLLREG
DLLCACHE
DIVX
DEPUTY
DEFWATCH
DEFSCANGUI
DEFALERT
DCOMX
DATEMANAGER
Claw95
CWNTDWMO
CWNB181
CV
CTRL
CPFNT206
CPF9X206
CPD
CONNECTIONMONITOR
CMON016
CMGRDIAN
CMESYS
CMD32
CLICK
CLEANPC
CLEANER3
CLEANER
CLEAN
CFINET32
CFINET
CFIADMIN
CFGWIZ
CFD
CDP
CCPXYSVC
CCEVTMGR
CCAPP
BVT
BUNDLE
BS120
BRASIL
BPC
BORG2
BOOTWARN
BOOTCONF
BLSS
BLACKICE
BLACKD
BISP
BIPCPEVALSETUP
BIPCP
BIDSERVER
BIDEF
BELT
BEAGLE
BD_PROFESSIONAL
BARGAINS
BACKWEB
CLAW95CF
CFIAUDIT
AVXMONITORNT
AVXMONITOR9X
AVWUPSRV
AVWUPD
AVWINNT
AVWIN95
AVSYNMGR
AVSCHED32
AVPTC32
AVPM
AVPDOS32
AVPCC
AVP32
AVP
AVNT
AVLTMAIN
AVKWCTl9
AVKSERVICE
AVKSERV
AVKPOP
AVGW
AVGUARD
AVGSERV9
AVGSERV
AVGNT
AVGCTRL
AVGCC32
AVE32
AVCONSOL
AU
ATWATCH
ATRO55EN
ATGUARD
ATCON
ARR
APVXDWIN
APLICA32
APIMONITOR
ANTS
ANTIVIRUS
ANTI-TROJAN
AMON9X
ALOGSERV
ALEVIR
ALERTSVC
AGENTW
AGENTSVR
ADVXDWIN
ADAWARE
AVXQUAR
ACKWIN32
AVWUPD32
AVPUPD
AUTOUPDATE
AUTOTRACE
AUTODOWN
AUPDATE
ATUPDATER

W32/Agobot-QA may also be used to terminate the following services on remote computers:
Themes
srservice
wuauserv
WZCSVC
winmgmt
WebClient
W32Time
uploadmgr
TrkWks
TermService
TapiSrv
stisvc
SSDPSRV
Spooler
ShellHWDetection
SENS
seclogon
Schedule
SamSs
RpcSs
RasMan
ProtectedStorage
PolicyAgent
PlugPlay
Nla
Netman
Messenger
MDM
LmHosts
lanmanworkstation
lanmanserver
helpsvc
FastUserSwitchingCompatibility
EventSystem
Eventlog
ERSvc
Dnscache
dmserver
Dhcp
CryptSvc
Browser
AudioSrv
Ati HotKey Poller

W32/Agobot-QA may search for shared folders on the internet with weak passwords and copy itself into them.

A text file named HOSTS in C:\<Windows System32>\drivers\etc\ may be created or overwritten with a list of anti-virus and other security-related websites, each bound to the IP loopback address of 127.0.0.1 which would effectively prevent access to these sites. For example:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com

W32/Agobot-QA can sniff HTTP, ICMP, FTP and IRC network traffic and steal data from them.

The following vulnerabilities can also be exploited to aid propagation on unpatched systems and manipulate registry keys:

Remote Procedure Call (RPC) vulnerability
Distributed Component Object Model (DCOM) vulnerability
RPC Locator vulnerability
IIS5/WEBDAV Buffer Overflow vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Security Bulletins:

Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-039

W32/Agobot-QA can also polymorph on installation in order to evade detection and share / delete the admin$, ipc$ etc drives.

It can also test the available bandwidth by attempting to GET or POST data to the following websites:
yahoo.co.jp
www.nifty.com
www.d1asia.com
www.st.lib.keio.ac.jp
www.lib.nthu.edu.tw
www.above.net
www.level3.com
nitro.ucsc.edu
www.burst.net
www.cogentco.com
www.rit.edu
www.nocster.com
www.verio.com
www.stanford.edu
www.xo.net
de.yahoo.com
www.belwue.de
www.switch.ch
www.1und1.de
verio.fr
www.utwente.nl
www.schlund.net

W32/Agobot-QA can also be used to initiate denial-of-service (DoS) and distributed denial-of-service (DDoS) synflood/httpflood/fraggle/smurf attacks against remote systems.

This worm can steal the Windows Product ID and keys from several computer applications or games including:
AOL Instant Messenger
Battlefield 1942
Battlefield 1942: Secret Weapons Of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
Industry Giant 2
IGI2: Covert Strike
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
NHL 2002
NHL 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
Ravenshield
Shogun Total War - Warlord Edition
Soldiers Of Anarchy
Soldier of Fortune II - Double Helix
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Windows Messenger

W32/Agobot-QA will delete all files named "sound*.*".


Recovery

Please follow the instructions for removing worms.

[StRiDeR]

Troj/Adtoda-A

Type

Trojan

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and is incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
At the time of writing, Sophos has received just one report of this Trojan from the wild.

Note: The IDE issued for Troj/Adtoda-A at 11:28 GMT on 2 April also contained detection for Troj/Adtoda-B, Troj/INServ-A, Troj/StartPa-AB, Troj/ByteVeri-G, W32/Agobot-FO, W32/Agobot-JS and W32/Agobot-FP. This IDE has now been updated to enhance detection of W32/Agobot-FP.


Description

Troj/Adtoda-A is a backdoor Trojan.
When first run, Troj/Adtoda-A will display the following two messages:
"Setup was not able to continue the installation.
An illegal copy of Windows Operating System was detected on this computer.
The computer informations is already collect and will be post as this
computer name: (name of machine)"

"The operating system will not work properly before you get a permission after you complete the penalty!
For any detail informations, Please contact the following link:
http:\\www.microsoft.com\~msproduct\~watch\~piracy10
\secureID=OS_wiNver_532Fg32_ap12nt04A"

After the user clicks "OK" on both of these messages, Troj/Adtoda-A installs itself and activates the payload. This inverts the screen and freezes the machine so that is needs to be rebooted.

In order to run automatically when Windows starts up the Trojan creates the file
C:\Windows\system\winupd32.exe and the shortcut
C:\Windows\Start Menu\Programs\StartUp\System Update Service.lnk pointing to it.

These files will cause the payload to be run again on system boot.

Troj/Adtoda-A also attempts to modify C:\boot.ini to prevent debugging.


Recovery

Please follow the instructions for removing Trojans.

[StRiDeR]

W32/Sdbot-IK

Aliases

W32/Sdbot.worm.gen.b, WORM_SDBOT.KW

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.


Sophos has received several reports of this worm from the wild.


Description

W32/Sdbot-IK is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorised remote
access to the infected computer via IRC channels while running in the
background as a service process.
W32/Sdbot-IK copies itself to the Windows system folder as WNETMGR.EXE
and as COOL.EXE and creates entries in the registry at the following locations
so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft System Checkup

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\
Microsoft System Checkup

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NT Logging Service

W32/Sdbot-IK spreads to network shares with weak passwords as a result of the
backdoor Trojan element receiving the appropriate command from a remote user.

W32/Sdbot-IK attempts to clear the Security system log file.

W32/Sdbot-IK attempts to download and execute several files to the Temp folder,
but at the time of writing none of these were available.

W32/Sdbot-IK attempts to terminate and disable various anti-virus and security
related programs and services.

W32/Sdbot-IK also modifies the HOSTS file located at
%WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites. Typically the following mappings will be appended to the HOSTS file:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com


Recovery

Please follow the instructions for removing worms.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft System Checkup

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\
Microsoft System Checkup

and delete them if they exist.

Close the registry editor.

[StRiDeR]

W32/Agobot-JI

Aliases

Gaobot, Nortonbot, Phatbot, Polybot.

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.


At the time of writing, Sophos has received just one report of this worm from the wild.


Description

W32/Agobot-JI is an IRC backdoor Trojan and network worm which establishes
an IRC channel to a remote server in order to grant an intruder access to the compromised computer.
This worm will move itself into the Windows System32 folder under the filename CSRSS32.EXE and may create the following registry entries so that it can
execute automatically on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
System Log Event = csrss32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
System Log Event = csrss32.exe

This worm may also attempt to glean email addresses from the Windows Address Book and send itself to these email addresses using its own SMTP engine with itself included as an executable attachment.

W32/Agobot-JI may attempt to terminate anti-virus and other security-related processes, in addition to other viruses, worms or Trojans. For example:

_AVPM
_AVPCC
_AVP32
ZONEALARM
ZONALM2601
ZATUTOR
ZAPSETUP3001
ZAPRO
XPF202EN
WYVERNWORKSFIREWALL
WUPDT
WUPDATER
WSBGATE
WRCTRL
WRADMIN
WNT
WNAD
WKUFIND
WINUPDATE
WINTSK32
WINSTART001
WINSTART
WINSSK32
WINSERVN
WINRECON
WINPPR32
WINNET
WINMAIN
WINLOGIN
WININITX
WININIT
WININETD
WINDOWS
WINDOW
WINACTIVE
WIN32US
WIN32
WIN-BUGSFIX
WIMMUN32
WHOSWATCHINGME
WGFE95
WFINDV32
WEBTRAP
WEBSCANX
WEBDAV
WATCHDOG
W9X
VSWINPERSE
VSWINNTSE
VSWIN9XE
VSSTAT
VSMON
VSMAIN
VSISETUP
VSHWIN32
VSECOMR
VSCHED
VSCENU6.02D30
VSCAN40
VPTRAY
VPFW30S
VPC42
VPC32
VNPC3000
VNLAN300
VIRUSMDPERSONALFIREWALL
VIR-HELP
VFSETUP
VETTRAY
VET95
W32DSM89
VET32
VCSETUP
VBWINNTW
VBWIN9X
VBUST
VBCONS
VBCMSERV
UTPOST
UPGRAD
UPDAT
UNDOBOOT
TVTMD
TVMD
TSADBOT
TROJANTRAP3
TRJSETUP
TRJSCAN
TRICKLER
TRACERT
TITANINXP
TITANIN
TGBOB
TFAK5
TFAK
TEEKIDS
TDS2-NT
TDS2-98
TDS-3
TCM
TCA
TC
TBSCAN
TAUMON
TASKMON
TASKMO
TASKMG
SYSUPD
SYSTEM32
SYSTEM
SYSEDIT
SYMTRAY
SYMPROXYSVC
SWEEPNET.SWEEPSRV.SYS.SWNETSUP
SWEEP95
SVSHOST
SVCHOSTS
SVCHOSTC
SVC
SUPPORTER5
SUPPORT
SUPFTRL
STCLOADER
START
ST2
SSGRATE
SS3EDIT
SRNG
SREXE
SPYXX
SPOOLSV32
SPOOLCV
SPOLER
SPHINX
SPF
SPERM
SOFI
SOAP
SMSS32
SMS
SMC
SHOWBEHIND
SHN
SHELLSPYINSTALL
SH
SGSSFW32
SFC
SETUP_FLOWPROTECTOR_US
UPDATE
SETUPVAMEEVAL
SERVLCES
SERVLCE
SERVICE
SERV95
SD
SCVHOST
SCRSVR
SCRSCAN
SCANPM
SCAN95
SCAN32
SCAM32
SC
SBSERV
SAVENOW
SAVE
SAHAGENT
SAFEWEB
RUXDLL32
RUNDLL16
RUNDLL
RUN32DLL
RULAUNCH
RTVSCN95
RTVSCAN
RSHELL
RRGUARD
RESCUE32
RESCUE
REGEDT32
REGEDIT
REGED
REALMON
RCSYNC
RB32
RAY
RAV8WIN32ENG
RAV7WIN
RAV7
RAPAPP
QSERVER
QCONSOLE
PVIEW95
PUSSY
PURGE
PSPF
PROTECTX
PROPORT
PROGRAMAUDITOR
PROCEXPLORERV1.0
PROCESSMONITOR
PROCDUMP
PRMVR
PRMT
PRIZESURFER
PPVSTOP
PPTBC
PPINUPDT
POWERSCAN
PORTMONITOR
PORTDETECTIVE
POPSCAN
POPROXY
POP3TRAP
PLATIN
PINGSCAN
PGMONITR
PFWADMIN
PF2
PERSWF
PERSFW
PERISCOPE
PENIS
PDSETUP
PCSCAN
PCFWALLICON
PCDSETUP
PCCWIN98
PCCWIN97
PCCNTMON
PCCIOMON
PAVW
PAVSCHED
PAVPROXY
PAVCL
PATCH
PANIXK
PADMIN
OUTPOSTPROINSTALL
OUTPOSTINSTALL
OTFIX
OSTRONET
OPTIMIZE
ONSRVR
NWTOOL16
NWSERVICE
NWINST4
NVSVC32
NVC95
NVARCH16
NUI
NTXconfig
NTVDM
NTRTSCAN
NT
NSUPDATE
NSTASK32
NSSYS32
NSCHED32
NPSSVC
NPSCHECK
NPROTECT
NPFMESSENGER
NPF40_TW_98_NT_ME_2K
NOTSTART
NORTON_INTERNET_SECU_3.0_407
NORMIST
NOD32M2
NOD32CC
NOD32
NMAIN
NISUM
NISSERV
NETUTILS
NETSTAT
NETSPYHUNTER-1.2
NETSCANPRO
NETMON
NETINFO
NETD32
NETARMOR
NEOWATCHLOG
NEOMONITOR
NDD32
NCINST4
NAVWNT
NAVW32
NAVSTUB
NAVNT
NAVLU32
NAVENGNAVEX15.NAVLU32
NAVDX
NAVAPW32
NAVAPSVC
NAVAP.NAVAPSVC
AUTO-PROTECT.NAV80TRY
NAV
N32SCANW
MWATCH
OLLYDBG
OUTPOST
NUPGRADE
MU0311AD
MSVXD
MSSYS
MSSMMC32
MSMSGRI32
MSMGT
MSLAUGH