Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - April 15, 2005

by Marianna Schmudlach / April 15, 2005 12:51 AM PDT

W32/Kelvir-J
Summary

Aliases W32/Kelvir.worm.gen
W32.Kelvir.T

Type Worm

W32/Kelvir-J is an instant messaging worm.
W32/Kelvir-J spreads by sending a message through Windows Messenger to all of the infected user's contacts.
W32/Kelvir-J encourages the recipient to visit a website to download a file which is usually a copy of the worm. The message text is "it's you <URL>".
W32/Kelvir-J may also drop a file detected by Sophos as W32/Sdbot-XE.

http://www.sophos.com/virusinfo/analyses/w32kelvirj.html

W32/Rbot-AAQ
by Marianna Schmudlach / April 15, 2005 12:53 AM PDT

Aliases W32/Sdbot.worm.gen.h

Type Worm

W32/Rbot-AAQ is a network worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AAQ spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-AAQ can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-AAQ can be instructed by a remote user to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)

http://www.sophos.com/virusinfo/analyses/w32rbotaaq.html

Troj/Ablank-S
by Marianna Schmudlach / April 15, 2005 12:55 AM PDT

Aliases Trojan.Win32.StartPage.vr
TROJ_STARTPAG.IQ
StartPage-DU.dll.dr
Trojan.Startpage-227

Type Trojan

Troj/Ablank-S is a browser-hijacking Trojan that changes the Internet Explorer Main page and Search page.
The Trojan also provides an uninstallation option via the Add or Remove Programs dialog in the Windows Control Panel. Under test conditions this uninstallation option did not work.
Troj/Ablank-S drops the file se.dll in the %TEMP% folder. The dropped file is detected by Sophos Anti-Virus as Troj/Ablank-S.

http://www.sophos.com/virusinfo/analyses/trojablanks.html

W32/Sdbot-XE
by Marianna Schmudlach / April 15, 2005 12:57 AM PDT

Aliases Backdoor.Win32.SdBot.gen

Type Worm

W32/Sdbot-XE is an IRC backdoor Trojan and network worm.
W32/Sdbot-XE attempts to spread to remote network shares protected by weak passwords and computers vulnerable to common exploits.
W32/Sdbot-XE opens up a backdoor, allowing unauthorised remote access to the infected computer via the IRC network, while running in the background as a service process.
W32/Sdbot-XE can receive commands from a remote attacker allowing them to control the infected computer.

http://www.sophos.com/virusinfo/analyses/w32sdbotxe.html

W32/Wurmark-H
by Marianna Schmudlach / April 15, 2005 12:59 AM PDT

Aliases Email-Worm.Win32.Wurmark.h
W32/Mugly.j@MM
WORM_MUGLY.B

Type Worm

W32/Wurmark-H is a mass-mailing worm that emails itself as a ZIP file.
When run, W32/Wurmark-H displays a JPEG image named uglym.jpg while installing itself on the computer.


http://www.sophos.com/virusinfo/analyses/w32wurmarkh.html

Troj/Killav-AJ
by Marianna Schmudlach / April 15, 2005 1:00 AM PDT

Troj/Dloader-LT
by Marianna Schmudlach / April 15, 2005 1:02 AM PDT

Aliases Trojan.WinREG.LowZones.a
Trojan.LowZones
TROJ_LOWZONES.BK

Type Trojan

Troj/Dloader-LT is a downloader Trojan.
Troj/Dloader-LT reduces internet browser security settings and then attempts to download and run scripts in order to download and execute further files. The downloaded scripts and file may be adware-related.
Troj/Dloader-LT drops a number of files and displays the following messages:
"Updating Windows Shell Files....."
"Updating Windows Shell Files is now Complete."

http://www.sophos.com/virusinfo/analyses/trojdloaderlt.html

W32/Rbot-AAP
by Marianna Schmudlach / April 15, 2005 1:04 AM PDT

Aliases Backdoor.Win32.Rbot.gen
WORM_RBOT.BCZ

Type Worm

W32/Rbot-AAP is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotaap.html

W32/Tirbot-D
by Marianna Schmudlach / April 15, 2005 2:16 AM PDT

Type Worm

W32/Tirbot-D is a network worm with backdoor functionality for the Windows platform.
The worm spreads to network computers vulnerable to the LSASS vulnerability (MS04-011) and through network shares protected by weak passwords.
The backdoor component joins one of 4 predetermined IRC channels and awaits further commands from remote users. The backdoor component can then be instructed to perform the following:
Take part in distributed denial of service (DDoS) attacks
Upload/download files
Execute files
Serve as a proxy server
Harvest information from the system registry
Report filesystem information
List running processes
Scan for the presence of anti-virus software
Terminate running processes
Remove registry entries

http://www.sophos.com/virusinfo/analyses/w32tirbotd.html

W32/Mytob-AV
by Marianna Schmudlach / April 15, 2005 2:19 AM PDT

Type Worm

W32/Mytob-AV is a mass-mailing worm with backdoor functionality that targets users of Internet Relay Chat programs.
W32/Mytob-AV is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011).

http://www.sophos.com/virusinfo/analyses/w32mytobav.html

W32/Mytob-AW
by Marianna Schmudlach / April 15, 2005 2:20 AM PDT

Type Worm

W32/Mytob-AW is a mass-mailing worm with backdoor functionality that targets users of Internet Relay Chat programs.
W32/Mytob-AW is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011).

http://www.sophos.com/virusinfo/analyses/w32mytobaw.html

Troj/Agent-DJ
by Marianna Schmudlach / April 15, 2005 2:22 AM PDT

Type Trojan

Troj/Agent-DJ is a Trojan for the Windows platform.
Troj/Agent-DJ is capable of spying on a user's browsing habits, modifying Internet Explorer settings, downloading further executables and displaying popup advertisements.
When first run, Troj/Agent-DJ will drop and register a DLL that is also detected as Troj/Agent-DJ.

http://www.sophos.com/virusinfo/analyses/trojagentdj.html

W32/Mytob-AL
by Marianna Schmudlach / April 15, 2005 2:23 AM PDT

Aliases Net-Worm.Win32.Mytob.t
W32/Mytob.u@MM

Type Worm

W32/Mytob-AL is a mass-mailing worm with backdoor functionality that targets users of Internet Relay Chat programs.
W32/Mytob-AL is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011).
W32/Mytob-AL harvests email addresses from files on the infected computer and from the Windows address book.

http://www.sophos.com/virusinfo/analyses/w32mytobal.html

Troj/Bdoor-HN
by Marianna Schmudlach / April 15, 2005 2:25 AM PDT

Troj/Ablank-Q
by Marianna Schmudlach / April 15, 2005 2:27 AM PDT

Aliases StartPage-DU.dll
Trojan.Win32.StartPage.uz

Type Trojan

Troj/Ablank-Q is a Trojan for the Windows platform.
Troj/Ablank-Q is a DLL file that may be dropped by members of the Troj/Ablank family of Trojans. Troj/Ablank-Q may display popup advertisements.

http://www.sophos.com/virusinfo/analyses/trojablankq.html

Troj/DoomSend-A
by Marianna Schmudlach / April 15, 2005 7:12 AM PDT

Aliases Backdoor.Win32.Naninf.c

Type Trojan

Troj/DoomSend-A is a Trojan for the Windows platform.
Troj/DoomSend-A is capable of exploiting a backdoor in the W32/MyDoom series of worms. The Trojan may be used by other Trojans or worms as a helper component.
Troj/DoomSend-A may arrive as an email attachment named "Screenshot of Site.zip" along with the following email text:
Hello,
I noticed whilst browsing your site that there were problems with some of
your links, when I tried again with Internet Explorer the problems were not
there so I assume that they were caused by me using the Mozilla browser.
As more people are turning to alternative browsers now it may be of help
for you to know this. I have enclosed a screen capture of the problem so
your team can get it fixed if you deem it an issue.

http://www.sophos.com/virusinfo/analyses/trojdoomsenda.html

Troj/Banker-CD
by Marianna Schmudlach / April 15, 2005 7:14 AM PDT

Troj/LdPinch-AU
by Marianna Schmudlach / April 15, 2005 7:16 AM PDT

Troj/FakeAle-A
by Marianna Schmudlach / April 15, 2005 7:18 AM PDT

Aliases Trojan.Win32.Agent.ct
W32/FakeAlert.L
TROJ_AGENT.JA

Type Trojan

Troj/FakeAle-A is a Trojan that may change the Windows wallpaper to an image displaying a fake error message.
The image shows a blue screen and the following text:
Security warning
A fatal error in IE has occured at 0028:C0011E36 in VXD VMM(01) + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c
* System can not function in normal mode.
Please check you security settings.
* Scan your PC with any avaliable antivirus / spyware remover
program to fix the problem.
This image may only be displayed when certain software is installed on the machine.

http://www.sophos.com/virusinfo/analyses/trojfakealea.html

W32/Rbot-AAT
by Marianna Schmudlach / April 15, 2005 7:19 AM PDT

Aliases W32/Sdbot.worm.gen.z
W32.Spybot.Worm

Type Worm

W32/Rbot-AAT is a network worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AAT spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-AAT can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-AAT can be instructed by a remote user to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)

http://www.sophos.com/virusinfo/analyses/w32rbotaat.html

W32/Kelvir-Q
by Marianna Schmudlach / April 15, 2005 7:21 AM PDT

Aliases WORM_KELVIR.Q

Type Worm

W32/Kelvir-Q is a worm for the Windows platform.
W32/Kelvir-Q monitors the status of Windows Messenger contacts and sends the following text to all online contacts:
http://<domain>/pictures.php?email=<email address>
picture of you!

http://www.sophos.com/virusinfo/analyses/w32kelvirq.html

Troj/KillAV-AE
by Marianna Schmudlach / April 15, 2005 7:23 AM PDT

Aliases Trojan.BAT.KillAV.bk

Type Trojan

Troj/KillAV-AE is a Trojan that kills anti-virus software.
Troj/KillAV-AE displays the following fake message as it terminates processes and deletes all EXE files in the C:\ folder:
*************** UPDATING WINDOWS SYSTEm ************************

http://www.sophos.com/virusinfo/analyses/trojkillavae.html

Troj/Killav-AI
by Marianna Schmudlach / April 15, 2005 7:25 AM PDT
