Post by StRiDeR on Feb 19, 2004 22:47:05 GMT 8
Troj/DDosSmal-B
Type: Trojan
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this Trojan from the wild.
Description: Troj/DDosSmal-B is a Trojan which attempts a denial-of-service attack on a website. In order to run automatically when Windows starts up, the Trojan copies itself to the file winsys.exe in the Windows folder and adds the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winsys
Recovery: Please follow the instructions for removing Trojans.
Post by atokENSEM on Feb 20, 2004 0:16:00 GMT 8
No need to get a headache over it... this is just for your information only... it isn't going to be in the exam anyway... Of course it isn't, but I still need to know about these latest viruses...
Post by StRiDeR on Feb 22, 2004 16:06:35 GMT 8
W32/MyDoom-F
Aliases: W32/Mydoom.f@MM, WORM_MYDOOM.F, Win32/Mydoom.F
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus. Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update. At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.
Description: W32/MyDoom-F is a worm which spreads by email. When the infected attachment is launched the worm harvests email addresses from address books and from files on the hard disk. W32/MyDoom-F either creates a file in the temp folder and runs Notepad to display the contents, or displays one of the following messages:
"Unable to open specified file", "File cannot be opened", "File is corrupted"
W32/MyDoom-F 'spoofs', using randomly chosen email addresses in the "To:" and "From:" fields as well as a randomly chosen subject line. The emails distributing this worm have the following characteristics:
Subject lines: test; hi; hello; Returned Mail; Confirmation Required; Confirmation; Registration confirmation; please reply; please read; Read this message; Readme; Important; Your account has expired; Expired account; Notification; automatic responder; automatic notification; You have 1 day left; Warning; Information; For your information; For you; Something for you; Read it immediately; Read it immediately!; Your credit card; Schedule; Accident; Attention; stolen; news; recent news; Wanted; fake; unknown; bug; forget; read now!; Current Status; Your request is being processed; Your order is being processed; Your request was registered; Your order was registered; Re: Undeliverable message; Love is...; Love is; Your account is about to be expired; Your IP was logged; You use illegal File Sharing...; Thank You very very much; hi, it's me; Approved; Re: Approved; Details; Re: Details; Thank you; Re: Thank you; Announcement
Message texts: test; Details are in the attached document. You need Microsoft Office to open it.; See the attached file for details; Please see the attached file for details; The document was sent in compressed format.; Check the attached document.; Everything ok?; OK; Okay; I'm waiting; Read the details.; Here is the document.; I wait for your reply.; Is that from you?; Is that yours?; You are a bad writer; I have your password; Something about you; Kill the writer of this document!; We have received this document from your email; Here it is; See you; Greetings; Information about you; Please, reply; Reply; Take it; You are bad
Attachment filenames: msg, doc, document, readme, text, file, data, test, message, body, details, creditcard, attachment, stuff, me, post, posting, textfile, info, information, note, notes, product, bill, check, ps, money, about, story, mail, list, joke, jokes, friend, site, website, object, mail2, part1, part4, part2, part3, misc, disc, paypal, approved, details, your_document, image, resume, photo
Attached files will have an extension of EXE, SCR, COM, PIF, BAT, CMD or ZIP.
W32/MyDoom-F creates a randomly named file in the Windows system or Windows temp folder and adds a randomly named registry entry to HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run this file every time Windows starts up. The worm will create multiple copies of itself, all with randomly generated filenames, in all folders.
W32/MyDoom-F also drops a randomly named file with the extension DLL in the Windows system or Windows temp folder. The DLL is a backdoor program loaded by the worm that allows remote attackers to connect to TCP port 1080 and upload files for the infected computer to run.
Between the 17th and 22nd of any month the worm will attempt a distributed denial of service attack. There is a one third chance that the attack will be against riaa.com; otherwise the attack will be against www.microsoft.com.
W32/MyDoom-F searches for and deletes 40% of files with extensions of AVI, BMP, DOC, JPG, MDB, SAV and XLS.
Recovery: Please follow the instructions for removing worms.
Post by atokENSEM on Feb 23, 2004 2:02:59 GMT 8
"ngentot.exe", virus ini sudah menjalari hampir seluruh komputer kwn atok. Yang paling parah adalah harddisk dia yang tiba-tiba penuh padahal kapasitasnya 18,6 GB dan CPU menjadi berdengung. Program grafis seperti CorelDRAW dan Photoshop menjadi ngadat.tapi sampai skrg..atok tak tahu mcm mana nak tolong adik angkat atok tu untuk hilangkan virus tu!
Post by StRiDeR on Feb 23, 2004 11:33:30 GMT 8
"ngentot.exe", virus ini sudah menjalari hampir seluruh komputer kwn atok. Yang paling parah adalah harddisk dia yang tiba-tiba penuh padahal kapasitasnya 18,6 GB dan CPU menjadi berdengung. Program grafis seperti CorelDRAW dan Photoshop menjadi ngadat.tapi sampai skrg..atok tak tahu mcm mana nak tolong adik angkat atok tu untuk hilangkan virus tu! x pernah dengar pun pasal virus tue...aper antivirus yg atok/adik angkat atok pakai?....tapi function virus tue cam pernah dengar...ader adik beradik dier...
Post by atokENSEM on Feb 23, 2004 14:26:56 GMT 8
I've never heard of that virus... what antivirus are you / your foster sibling using?... but the way that virus behaves does sound familiar... it has siblings...

They use Norton AntiVirus 2003 Professional Edition... I think so too! After that I upgraded their computer again and it's fine now... but every time it gets a virus, are we just going to upgrade it? That's why I'm now looking for another way...
Post by StRiDeR on Feb 24, 2004 22:35:35 GMT 8
They use Norton AntiVirus 2003 Professional Edition... I think so too! After that I upgraded their computer again and it's fine now... but every time it gets a virus, are we just going to upgrade it? That's why I'm now looking for another way...

Norton isn't that good... try using Pc-Cilin, or else F-Prot... those are among the best antivirus programs, because before the system runs or executes any file, they scan it first... whereas Norton only tells you once you've already been hit...
Post by StRiDeR on Feb 24, 2004 22:40:36 GMT 8
WORM_DARBY.D
Virus type: Worm
Destructive: No
Aliases: WORM/Darby.D
Overall risk rating: Low
Reported infections: Low
Damage Potential: High
Distribution Potential: High

Description:
This memory-resident worm propagates through peer-to-peer applications, email, or floppy disk.
To propagate through peer-to-peer networks, it drops copies of itself using enticing file names in default shared folders.
It sends copies of itself via email using its own Simple Mail Transfer Protocol (SMTP) engine to all email addresses found on the infected machine.
It overwrites .HTM files and exploits known vulnerabilities in Windows as follows:
Object Tag Code Base Exploit (MS02-015)
MHTML Exploit (MS03-014)
It also terminates certain processes, which are usually associated with antivirus programs.
It uses an icon usually associated with Folders.
This UPX-compressed malware is written and compiled using Visual Basic, a high-level programming language.
It runs on Windows 95, 98, ME, NT, 2000 and XP.

Solution:

Identifying the Malware Program
To remove this malware, first identify the malware program.
1. Scan your system with your Trend Micro antivirus product. NOTE all files detected as WORM_DARBY.D. Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
1. Open Windows Task Manager. On Windows 95/98/ME systems, press CTRL+ALT+DELETE. On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file or files detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry: MicroLoad = %System%\<malware path and file name>
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Removing Other Malware Entries from the Registry
1. Still in the Registry Editor, in the left panel, double-click the following: HKEY_LOCAL_MACHINE>GEDZAC LABS
2. Still in the left panel, delete the entry: GEDZAC LABS
3. In the left panel, double-click the following: HKEY_USERS>.Default>Software>Microsoft>Windows>CurrentVersion>Policies>System
4. In the right panel, locate and delete the entry: DisableRegistryTools = 1
5. Close Registry Editor.

Deleting a Malware File
1. Right-click Start then click Search... or Find... depending on your version of Windows.
2. In the Named input box, type: MailsM.dat;MailsL.dat;MailsH.dat
3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.
4. Once located, select the file then hit Delete.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_DARBY.D. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Applying Patches
This malware exploits known vulnerabilities in Internet Explorer and Outlook Express. Download and install the fix patch supplied by Microsoft from the following links:
For MHTML Exploit (MS03-014)
For Object Tag Code Base Exploit (MS02-015)
Refrain from using these products until the appropriate patch has been installed. Trend Micro advises users to download and install critical patches released by vendors.
Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business or home PC.
Post by StRiDeR on Feb 24, 2004 22:41:52 GMT 8
WORM_AGOBOT.DE
Virus type: Worm
Destructive: No
Pattern file needed: 750
Scan engine needed: 5.600
Overall risk rating: Low
Reported infections: Low
Damage Potential: High
Distribution Potential: High

Description:
This worm exploits certain vulnerabilities to propagate across networks. Like the earlier AGOBOT variants, it takes advantage of the following Windows vulnerabilities:
Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
IIS5/WEBDAV Buffer Overflow vulnerability
RPC Locator vulnerability
For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:
Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007
It attempts to log into systems using a list of user names and passwords and then drops a copy.
It also terminates antivirus-related processes and steals CD keys of certain game applications. It also has backdoor capabilities and may execute remote commands in the host machine.
It runs on Windows NT, 2000 and XP.

Solution:

Identifying the Malware Program
To remove this malware, first identify the malware program.
1. Scan your system with your Trend Micro antivirus product. NOTE all files detected as WORM_AGOBOT.DE. Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program
This procedure terminates the running malware process from memory.
1. Open Windows Task Manager. To do this, press CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs, locate the process: EXPLORE.EXE
3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.

Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry: Video Services = "explore.exe"
4. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
5. In the right panel, locate and delete the entry: Video Services = "explore.exe"
6. Close Registry Editor.
NOTE: Since the malware cannot be terminated manually, restart your system.

Additional Windows XP Cleaning Instructions

Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.DE. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Applying Patches
This malware exploits known vulnerabilities on certain platforms. Download and install the critical patches from the following links:
Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007
Post by StRiDeR on Feb 24, 2004 22:43:28 GMT 8
WORM_CASPID.B
Virus type: Worm
Destructive: No
Pattern file needed: 776
Scan engine needed: 5.600
Overall risk rating: Low
Reported infections: Low
Damage Potential: Medium
Distribution Potential: High

Description:
This memory-resident worm propagates via peer-to-peer (P2P) applications and email.
It then drops the following copies of itself in the Windows folder:
EDISPAC.EXE
CAPGEDZAC.PIF
CAPCodB.HTM
CAPBPlan.HTM
It also drops a copy of itself using a random file name with an SCR extension in the Windows system folder.
It takes advantage of the following vulnerabilities:
A known vulnerability that affects Microsoft Outlook Express 5.5 and 6.0
Object Tag Code Base Exploit, which affects Microsoft Internet Explorer 5.01, 5.5, and 6.0
More information on the said vulnerabilities is available at the following Microsoft pages:
Microsoft Bulletin MS03-014
Microsoft Bulletin MS02-015
This UPX-compressed malware runs on Windows 95, 98, ME, NT, 2000, and XP.

Solution:

Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware program.
1. Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_CASPID.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
1. Open Windows Task Manager. On Windows 95/98/ME systems, press CTRL+ALT+DELETE. On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file or files detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry: WinregB = "%System%\<random file name>.scr"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
4. On Windows NT, 2000, and XP, double-click the following in the left panel: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Winlogon
5. In the right panel, locate and modify the entry from "Shell"="Explorer.exe %Windows%\edispaC.exe" to "Shell"="Explorer.exe"
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Removing Other Malware Entries from the Registry
1. Still in Registry Editor, in the left panel, double-click the following: HKEY_CURRENT_USER>Identities>{D5032522-D766-48EE-9EAF-6A2C70E16F7A}>Software>Microsoft>Outlook Express>5.0>Mail
2. In the right panel, locate and delete the entries: Wide Stationery Name = "%Windows%\CapBPlan.htm" and Stationery Name = "%Windows%\CapBPlan.htm"
(Note: You may also simply set a different stationery file in Outlook Express.)
3. In the left panel, double-click the following: HKEY_CURRENT_USER>Software>Microsoft>Office>10.0>Common>MailSettings
4. In the right panel, locate and delete the entry: NewStationery = "Capside"
5. In the left panel, double-click the following: HKEY_CURRENT_USER>Software>Microsoft>Windows Messaging Subsystem>Profiles>0a0d020000000000c000000000000046
6. In the right panel, locate and delete the entry: 001e0360 = "Capside"
7. Delete the said entry from the following registry keys in the left panel:
HKEY_CURRENT_USER>Software>Microsoft>Windows Messaging Subsystem>Profiles>Microsoft Outlook Internet Settings>0a0d020000000000c000000000000046
HKEY_CURRENT_USER>Software>Microsoft>Windows NT>CurrentVersion>Windows Messaging Subsystem>Profiles>0a0d020000000000c000000000000046
HKEY_CURRENT_USER>Software>Microsoft>Windows NT>CurrentVersion>Windows Messaging Subsystem>Profiles>Microsoft Outlook Internet Settings>0a0d020000000000c000000000000046
8. Close Registry Editor.

Removing Autostart Entries from System Files
The malware modifies system files so that it automatically executes at every Windows startup. These startup entries must be removed before the system can be restarted safely.
1. Open the SYSTEM.INI file. To do this, click Start>Run, type SYSTEM.INI, then press Enter. This should open the file in your default text editor (usually Notepad).
2. Under the [boot] section, locate the line that begins with: Shell=Explorer.exe
3. From the same line, delete the malware path and file name: %Windows%\edispaC.EXE
4. Close the SYSTEM.INI file and click Yes when prompted to save.
5. Open the WIN.INI file using your default text editor. Click Start>Run, type WIN.INI, then press Enter.
6. Under the [windows] section, locate the line(s) that begin with: load= and run=
7. From the same line(s), delete the malware path and file name: %Windows%\CAPGEDZAC.PIF
8. Close the WIN.INI file and click Yes when prompted to save.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_CASPID.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
Post by StRiDeR on Feb 25, 2004 22:08:00 GMT 8
W32/Bizex-A
Aliases: W32/Bizex.worm, Worm.Win32.Bizex
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus. Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update. At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.
Description: W32/Bizex-A is a worm which propagates over ICQ. The worm appears as an ICQ message prompting the user to visit a website hosted on www.jokeworld.com. The web page downloads a file to the user's computer as startup.wav and runs the file.
Startup.wav contains a script which creates the file WinUpdate.exe in the startup folder. When Windows is next started, WinUpdate.exe attempts to download a file named updater.exe to the Windows temp folder as aptgetupd.exe. Aptgetupd.exe is the main component of W32/Bizex-A. The worm copies itself to the sysmon subfolder of the Windows system folder as a file named sysmon.exe and adds the following registry entry to ensure that the worm is run each time Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sysmon
W32/Bizex-A also drops the following DLL files in the Windows system folder: icw_socket.dll, ICQ2003Decrypt.dll, java32.dll and javaext.dll.
The DLL files are used to send ICQ messages to people on the infected user's contact list and to monitor user activity.
W32/Bizex-A monitors user activity and logs keystrokes associated with the following windows:
Acceso a Banca por Internet
Accueil Bred.fr > Espace Bred.fr
American Express UK - Personal Finance
Banamex.com
baNK
Banque
Banque en ligne
Barclaycard Merchant Services
Collegamento a Scrigno
Commercial Electronic Office Sign On
Credit Lyonnais interacti
CyberMUT
e-gold Account Access
E*TRADE Log On
Home Page Banca Intesa
LloydsTSB online - Welcome
Merchant Administration
Page d'accueil
Secure User Area
SUNCORP METWAY
Tous les produits et services
VeriSign Partner Manager
VeriSign Personal Trust Service
Wells Fargo - Small Business Home Page
Logged information is sent via FTP to a remote server.
Recovery: Please follow the instructions for removing worms.
Post by StRiDeR on Feb 26, 2004 22:22:36 GMT 8
W32/Netsky-C
Aliases: I-Worm.Moodown.c, Win32/Netsky.C, W32.Netsky.C@mm, WORM_NETSKY.C
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
Sophos has received several reports of this worm from the wild.
Description: W32/Netsky-C is a worm which spreads via shared networks and by emailing itself to addresses found within files located on drives C: to Z:. The email subject line, message text and attachment filename are randomly chosen from lists within the worm.
The name of the attached file is chosen from:
associal, msg, yours, doc, wife, talk, message, response, creditcard, description, details, attachment, pic, me, trash, card, stuff, poster, posting, portmoney, textfile, moonlight, concert, sexy, information, news, note, number_phone, bill, mydate, swimmingpool, class_photos, product, old_photos, topseller, ps, important, shower, myaunt, aboutyou, yours, nomoney, birth, found, death, story, worker, mails, letter, more, website, regards, regid, friend, unfolds, jokes, doc_ang, your_stuff, location, 454543403, final, schock, release, webcam, dinner, intimate stuff, sexual, ranking, object, secrets, mail2, attach2, part2, msg2, disco, freaky, visa, party, material, misc, nothing, transfer, auction, warez, undefinied, violence, update, masturbation, injection, naked1, naked2, tear, music, paypal, id, privacy, word_doc, image or incest.
The attachment extension will be ZIP, COM, EXE, PIF or SCR and may be preceded by .DOC, .HTM, .RTF or .TEXT (e.g. visa.htm.scr).
When first run, W32/Netsky-C copies itself to the Windows folder as winlogon.exe and creates the following registry entry so that winlogon.exe is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQNet = <WINDOWS>\winlogon.exe -stealth
W32/Netsky-C spreads via file sharing networks by copying itself to folders on drives C: to Z: whose name contains the sub-string 'Shar', using a filename randomly chosen from the following list:
1000 Sex and more.rtf.exe
3D Studio Max 3dsmax.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Adobe Premiere 9.exe
Ahead Nero 7.exe
Best Matrix Screensaver.scr
Clone DVD 5.exe
Cracks & Warez Archive.exe
Dark Angels.pif
Dictionary English - France.doc.exe
DivX 7.0 final.exe
Doom 3 Beta.exe
E-Book Archive.rtf.exe
Full album.mp3.pif
Gimp 1.5 Full with Key.exe
How to hack.doc.exe
IE58.1 full setup.exe
Keygen 4 all appz.exe
Learn Programming.doc.exe
Lightwave SE Update.exe
Magix Video Deluxe 4.exe
Microsoft Office 2003 Crack.exe
Microsoft WinXP Crack.exe
MS Service Pack 5.exe
Norton Antivirus 2004.exe
Opera.exe
Partitionsmagic 9.0.exe
Porno Screensaver.scr
RFC Basics Full Edition.doc.exe
Screensaver.scr
Serials.txt.exe
Smashing the stack.rtf.exe
Star Office 8.exe
Teen Porn 16.jpg.pif
The Sims 3 crack.exe
Ulead Keygen.exe
Virii Sourcecode.scr
Visual Studio Net Crack.exe
Win Longhorn Beta.exe
WinAmp 12 full.exe
Windows Sourcecode.doc.exe
WinXP eBook.doc.exe
XXX hardcore pic.jpg.exe
W32/Netsky-C attempts to delete the following registry entries if they exist:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\system.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sentry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msgsrv32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\D3dupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows services host
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows services host
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKLM\System\CurrentControlSet\Services\WksPatch
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
When the worm is run on the 26th of February 2004 between 06:00 and 09:00 it may cause the computer to beep sporadically.
Recovery: Please follow the instructions for removing W32/Netsky-C.
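The attachment naming tricks in the W32/MyDoom-F and W32/Netsky-C write-ups above (executable extensions EXE, SCR, COM, PIF, BAT and CMD; document-looking double extensions such as visa.htm.scr; and ZIP wrappers around the same executables) are what a mail gateway or share scanner has to key on. The script below is an added example, not Sophos' or the poster's code. The extension tables are taken from the two advisories; the decoy-extension list, the helper names (classify_name, classify_attachment, build_sample_zip) and the in-memory ZIP used as input are my own constructions.

```python
"""Attachment-name screening for the lures described in the MyDoom-F and
Netsky-C write-ups.

Added example, not Sophos' or the poster's code. EXECUTABLE_EXTS comes from
the advisories; DECOY_EXTS and the sample archive are constructed for the demo.
"""
import io
import posixpath
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
# "document" suffixes both worms put in front of the real executable extension
DECOY_EXTS = {"doc", "htm", "html", "rtf", "txt", "text", "jpg", "mp3"}


def classify_name(filename):
    """Return (verdict, reason) for one attachment or share filename."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2:
        return "allow", "no extension"
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return "allow", f".{ext} is not an executable type"
    if len(parts) == 3 and parts[1] in DECOY_EXTS:
        return "block", f"double extension .{parts[1]}.{ext} hides an executable"
    return "block", f"executable attachment type .{ext}"


def classify_attachment(filename, data=None):
    """Classify an attachment; for ZIP archives (both worms also mail zipped
    copies of themselves) the member names are screened, not the outer name."""
    if filename.lower().endswith(".zip") and data is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    if info.is_dir():
                        continue
                    verdict, reason = classify_name(posixpath.basename(info.filename))
                    if verdict == "block":
                        return "block", f"archive member {info.filename}: {reason}"
        except zipfile.BadZipFile:
            # a .zip that does not parse is itself suspicious; do not let it through
            return "block", "attachment claims .zip but is not a valid archive"
        return "allow", "archive contains no executable members"
    return classify_name(filename)


def build_sample_zip(member, payload=b"MZ\x90\x00"):
    """Constructed test archive: one member with a PE-looking header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member, payload)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("readme.exe", None),                  # MyDoom-F style plain executable
        ("visa.htm.scr", None),                # Netsky-C double extension
        ("Smashing the stack.rtf.exe", None),  # Netsky-C share lure
        ("report.doc", None),
        ("message.zip", build_sample_zip("details.doc.exe")),
        ("message.zip", build_sample_zip("notes.txt")),
    ]
    for name, data in samples:
        verdict, reason = classify_attachment(name, data)
        print(f"{verdict:<5} {name:<28} {reason}")
```

Screening on the innermost extension rather than the first dot is the point: a gateway that only looks at the part after the first dot lets visa.htm.scr through as an HTML file, and one that only looks at the outer name lets message.zip through regardless of what it contains.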
Post by StRiDeR on Feb 26, 2004 22:24:25 GMT 8
W32/Netsky disinfection instructions
Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
Windows 95/98/Me and Windows NT/2000/XP/2003
W32/Netsky-B and W32/Netsky-C can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.
Windows disinfector: NTSKYGUI is a disinfector for standalone Windows computers. Open NTSKYGUI (www.sophos.com/support/cleaners/ntskygui.com), run it, then click GO. If you are disinfecting several computers, download it, save it to floppy disk and run it from there.
Command line disinfector: NTSKYSFX.EXE is a self-extracting archive containing NTSKYCLI, a Resolve command line disinfector for use on Windows networks. Read the notes enclosed in the self-extractor for details on running this program.
Other platforms: To remove W32/Netsky-B and W32/Netsky-C on other platforms please follow the instructions for removing worms.
Post by StRiDeR on Feb 26, 2004 22:25:30 GMT 8
Troj/Narhem-A
Aliases: Backdoor.VB.gen
Type: Trojan
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this Trojan from the wild.
Description: Troj/Narhem-A is a keylogging Trojan. Troj/Narhem-A copies itself to the following locations:
<Windows>\Reader.exe
<Windows>\Help\Mehran.exe
<Windows>\System\Mehran.exe
<Windows>\System32\Acrobat.exe
Troj/Narhem-A creates the following registry entries in order to run on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Acrobat
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Syscheck
Troj/Narhem-A logs keystrokes into C:\Syslog.dat and periodically emails this file to a predefined email address.
Recovery: Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
Delete the file C:\Syslog.dat if it exists.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Acrobat
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Syscheck
and delete them if they exist.
Close the registry editor.
Post by StRiDeR on Feb 27, 2004 21:10:45 GMT 8
W32/Agobot-FE
Aliases: Backdoor.Agobot.3.gen, Win32/Agobot.3.HF, W32.HLLW.Gaobot.AF
Type: Win32 worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description: W32/Agobot-FE is a network worm which also allows unauthorised remote access to the computer via IRC channels. W32/Agobot-FE attempts to copy itself to network shares with weak passwords and spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
These vulnerabilities allow the worm to execute its code on target computers with System level privileges. For further information on these vulnerabilities and for details on how to protect/patch the computer against such attacks please see Microsoft security bulletins MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft security bulletin MS03-039.
W32/Agobot-FE moves itself to the Windows system folder as WINSEC16.EXE and creates entries in the registry at the following locations to run itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinSec
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinSec
W32/Agobot-FE attempts to connect to a remote IRC server and join a specific channel.
W32/Agobot-FE attempts to terminate the following security or virus related processes:
_AVP32.EXE, _AVPCC.EXE, _AVPM.EXE, ACKWIN32.EXE, ANTI-TROJAN.EXE, APVXDWIN.EXE, AUTODOWN.EXE, AVCONSOL.EXE, AVE32.EXE, AVGCTRL.EXE, AVKSERV.EXE, AVNT.EXE, AVP.EXE, AVP32.EXE, AVPCC.EXE, AVPDOS32.EXE, AVPM.EXE, AVPTC32.EXE, AVPUPD.EXE, AVSCHED32.EXE, AVWIN95.EXE, AVWUPD32.EXE, BLACKD.EXE, BLACKICE.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET32.EXE, CLAW95.EXE, CLAW95CF.EXE, CLEANER.EXE, CLEANER3.EXE, dllhost.exe, DVP95.EXE, DVP95_0.EXE, ECENGINE.EXE, ESAFE.EXE, ESPWATCH.EXE, F-AGNT95.EXE, FINDVIRU.EXE, FPROT.EXE, F-PROT.EXE, F-PROT95.EXE, FP-WIN.EXE, FRW.EXE, F-STOPW.EXE, IAMAPP.EXE, IAMSERV.EXE, IBMASN.EXE, IBMAVSP.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFACE.EXE, IOMON98.EXE, JEDI.EXE, LOCKDOWN2000.EXE, LOOKOUT.EXE, LUALL.EXE, MOOLIVE.EXE, MPFTRAY.EXE, msblast.exe, mspatch.exe, N32SCANW.EXE, NAVAPW32.EXE, NAVLU32.EXE, NAVNT.EXE, NAVW32.EXE, NAVWNT.EXE, NISUM.EXE, NMAIN.EXE, NORMIST.EXE, NUPGRADE.EXE, NVC95.EXE, OUTPOST.EXE, PADMIN.EXE, PAVCL.EXE, PAVSCHED.EXE, PAVW.EXE, PCCWIN98.EXE, PCFWALLICON.EXE, penis32.exe, PERSFW.EXE, RAV7.EXE, RAV7WIN.EXE, RESCUE.EXE, SAFEWEB.EXE, SCAN32.EXE, SCAN95.EXE, SCANPM.EXE, SCRSCAN.EXE, scvhosl.exe, SERV95.EXE, SMC.EXE, SPHINX.EXE, SWEEP95.EXE, TBSCAN.EXE, TCA.EXE, TDS2-98.EXE, TDS2-NT.EXE, tftpd.exe, VET95.EXE, VETTRAY.EXE, VSCAN40.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSSTAT.EXE, WEBSCANX.EXE, WFINDV32.EXE, winppr32.exe, ZONEALARM.EXE
Recovery: Please follow the instructions for removing worms.
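The removal procedures reposted in this thread (WORM_DARBY.D, WORM_AGOBOT.DE and WORM_CASPID.B) and the Sophos write-ups all come down to the same handful of autostart locations: the Run and RunServices keys, the Winlogon Shell value, the DisableRegistryTools policy, and on Windows 9x/ME the shell=, load= and run= lines of SYSTEM.INI and WIN.INI. The script below is an added example, not Trend Micro's, Sophos' or the poster's code. It audits those locations offline, from a regedit export (the "Export Registry File" backup the Narhem-A instructions tell you to take) plus copies of the two INI files, and labels entries whose value names match the indicators quoted across this thread. The key paths and value names come from the advisories; the function names, the "review" verdict for unlisted entries, and every sample input (including the random-looking qjxt.scr name standing in for CASPID.B's random SCR) are my own constructions.

```python
"""Offline autostart audit for the indicators quoted in this thread.

Added example, not Trend Micro's, Sophos' or the poster's code. Input is a
regedit text export (.reg) plus SYSTEM.INI / WIN.INI copies, so nothing here
touches a live registry. Sample inputs at the bottom are constructed.
"""
import configparser
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_KEY = r"HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\System"
# Run/RunServices value names the advisories in this thread attribute to a sample
KNOWN_VALUES = {
    "winsys": "Troj/DDosSmal-B", "MicroLoad": "WORM_DARBY.D",
    "Video Services": "WORM_AGOBOT.DE", "WinregB": "WORM_CASPID.B",
    "sysmon": "W32/Bizex-A", "ICQNet": "W32/Netsky-C",
    "Acrobat": "Troj/Narhem-A", "Syscheck": "Troj/Narhem-A", "WinSec": "W32/Agobot-FE",
}


def parse_reg_export(text):
    """Return {key path: {value name: data}} from a .reg export.
    String data is unquoted and unescaped; dword:/hex: data is kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name, data = name.strip().strip('"'), data.strip()
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(["\\])', r"\1", data[1:-1])  # .reg escapes \\ and \"
        keys[current][name] = data
    return keys


def audit_registry(keys):
    """Return (location, data, verdict) for every autostart-relevant entry."""
    lower = {k.lower(): v for k, v in keys.items()}  # exports vary in case (SOFTWARE vs Software)
    findings = []
    for key in RUN_KEYS:
        for name, data in lower.get(key.lower(), {}).items():
            # unlisted entries are still reported so nothing hides among the known ones
            findings.append((key + "\\" + name, data, KNOWN_VALUES.get(name, "review")))
    shell = lower.get(WINLOGON_KEY.lower(), {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append((WINLOGON_KEY + "\\Shell", shell, "Winlogon Shell hijack"))  # CASPID.B
    policy = lower.get(POLICY_KEY.lower(), {}).get("DisableRegistryTools", "")
    if policy.lower() in ("dword:00000001", "1"):
        findings.append((POLICY_KEY + "\\DisableRegistryTools", policy, "Registry Editor disabled"))  # DARBY.D
    return findings


def audit_ini(system_ini, win_ini):
    """Check the Windows 9x/ME autostart lines WORM_CASPID.B uses."""
    def load(text):
        cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
        cp.read_string(text)
        return cp
    findings = []
    shell = (load(system_ini).get("boot", "shell", fallback="") or "").strip()
    if shell and shell.lower() != "explorer.exe":
        findings.append(("SYSTEM.INI [boot] shell", shell, "extra program on shell= line"))
    win = load(win_ini)
    for name in ("load", "run"):
        value = (win.get("windows", name, fallback="") or "").strip()
        if value:
            findings.append((f"WIN.INI [windows] {name}", value, "legacy autostart in use"))
    return findings


# Constructed sample export: one Agobot.DE value, one Caspid.B value (random name), one benign entry
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Video Services"="explore.exe"
"WinregB"="C:\\WINDOWS\\System32\\qjxt.scr"
"Example Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\edispaC.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\edispaC.EXE\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\CAPGEDZAC.PIF\n"

if __name__ == "__main__":
    results = audit_registry(parse_reg_export(SAMPLE_REG)) + audit_ini(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI)
    for location, data, verdict in results:
        print(f"{verdict:<26} {location} = {data}")
```

Working from an export rather than the live hive is deliberate: on a box where DisableRegistryTools is set, or where the process keeps re-creating its Run value, you want a static copy to reason about before you start deleting, and the export doubles as the rollback the advisories ask for.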