Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - April 22, 2004

W32/Agobot-EV

Aliases
W32/Gaobot.worm.gen.g virus, Win32/Agobot.IH trojan, W32.HLLW.Gaobot.gen

Type
Win32 worm

Description
W32/Agobot-EV is an IRC backdoor Trojan and peer-to-peer (P2P) worm which opens TCP ports to listen for and process commands received from a remote intruder.
This worm will move itself into the Windows System32 folder under the filename regsvc32.exe and create the following registry entries so that it can execute automatically on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process = regsvc32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process = regsvc32.exe


More: http://www.sophos.com/virusinfo/analyses/w32agobotev.html

W32/Agobot-GO

In reply to: VIRUS ALERTS - April 22, 2004

Troj/Tofger-J

In reply to: VIRUS ALERTS - April 22, 2004

Troj/Ranck-O

In reply to: VIRUS ALERTS - April 22, 2004

Type
Trojan

Description
Troj/Ranck-O is a backdoor Trojan that allows a malicious user to relay HTTP traffic through a compromised computer.
In order to run automatically when Windows starts up the Trojan adds the registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmonn

pointing to the Trojan.

http://www.sophos.com/virusinfo/analyses/trojrancko.html

W32/Agobot-MH

In reply to: VIRUS ALERTS - April 22, 2004

Aliases
Backdoor.Agobot.mh, W32.HLLW.Gaobot.gen

Type
Win32 worm

Description
W32/Agobot-MH is a member of the W32/Agobot family of worms with a backdoor component.
In order to run automatically when Windows starts up the worm copies itself to the file soundconf.exe in the Windows system folder and adds the following registry entries pointing to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Configuration Loader

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Configuration Loader


More: http://www.sophos.com/virusinfo/analyses/w32agobotmh.html

W32/Agobot-MI

In reply to: VIRUS ALERTS - April 22, 2004

Aliases
Backdoor.Agobot.mi, W32.HLLW.Gaobot.gen

Type
Win32 worm

Description
W32/Agobot-MI is a worm that spreads to remote shares with weak passwords.
The worm copies itself as svdhost32.exe to the Windows system folder.

To run on startup the worm sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS Update Service

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MS Update Service


More: http://www.sophos.com/virusinfo/analyses/w32agobotmi.html

W32/Agobot-GK

In reply to: VIRUS ALERTS - April 22, 2004

Aliases
Backdoor.Agobot.gen, W32.HLLW.Gaobot.gen, WORM_AGOBOT.GEN

Type
Win32 worm

Description
W32/Agobot-GK is a network worm which also allows unauthorised remote access to the computer via IRC channels.
W32/Agobot-GK tries to copy itself to network shares with weak passwords.

W32/Agobot-GK copies itself to the Windows system folder as cvscc.exe and creates entries in the registry at the following locations to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winamp Agent

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Winamp Agent

The worm disables the shares C$, D$, ADMIN$ and IPC$.

W32/Agobot-GK attempts to terminate several anti-virus and security processes.

http://www.sophos.com/virusinfo/analyses/w32agobotgk.html

W32/Sdbot-BE

In reply to: VIRUS ALERTS - April 22, 2004

Type
Win32 worm

Description
W32/SdBot-BE is an IRC backdoor Trojan and network worm which attempts to spread to remote network shares and allows unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
This worm will attempt to establish IRC connections to remote servers 'irc.jumpincowz.com' or 'irc.cowsare.us' via TCP Port 6667.


More: http://www.sophos.com/virusinfo/analyses/w32sdbotbe.html

Troj/Bizten-C

In reply to: VIRUS ALERTS - April 22, 2004

Aliases
Trojan.Win32.Bizten.j

Type
Trojan

Description
Troj/Bizten-C will hijack Internet Explorer settings, changing its default start and search page to a particular site by setting the following registry keys:

HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchUrl
HKCU\Software\Microsoft\Internet Explorer\SearchUrl\provider
HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant

Troj/Bizten-C will add many websites to Internet Explorer's Favourites list by creating .URL files in the Windows Favourites folder.


More: http://www.sophos.com/virusinfo/analyses/trojbiztenc.html

W32/Agobot-LC

In reply to: VIRUS ALERTS - April 22, 2004

Type
Win32 worm

Description
W32/Agobot-LC is an IRC backdoor Trojan and network worm.
W32/Agobot-LC copies itself to network shares protected by weak passwords.

When first run W32/Agobot-LC copies itself to the Windows system folder as svhost.exe. The worm will create the following registry entries to ensure it is run on logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security Service Process = svhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Security Service Process = svhost.exe


More: http://www.sophos.com/virusinfo/analyses/w32agobotlc.html

Troj/Legmir-K

In reply to: VIRUS ALERTS - April 22, 2004

W32/Agobot-LO

In reply to: VIRUS ALERTS - April 22, 2004

W32/Sdbot-HO

In reply to: VIRUS ALERTS - April 22, 2004

Troj/Padodor-A

In reply to: VIRUS ALERTS - April 22, 2004

W32/Agobot-GL

In reply to: VIRUS ALERTS - April 22, 2004

Troj/Agent-AA

In reply to: VIRUS ALERTS - April 22, 2004

W32/Agobot-GN

In reply to: VIRUS ALERTS - April 22, 2004

W32/Agobot-KR

In reply to: VIRUS ALERTS - April 22, 2004

W32/Rbot-F

In reply to: VIRUS ALERTS - April 22, 2004

W32/Sdbot-HP

In reply to: VIRUS ALERTS - April 22, 2004

Type
Win32 worm

Description
W32/SdBot-HP is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/SdBot-HP spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Sdbot-HP may also spread using the vulnerability in Microsoft RPC-DCOM service similar to W32/Blaster-A.


More: http://www.sophos.com/virusinfo/analyses/w32sdbothp.html

Troj/Banker-R

In reply to: VIRUS ALERTS - April 22, 2004

Aliases
TrojanSpy.Win32.Banker.r

Type
Trojan

Description
Troj/Banker-R is a password stealing Trojan that attempts to capture keylogs associated with web browsing.
Troj/Banker-R creates the following files which are all detected by this identity:

<Windows>\dllreg.exe
<Windows>\sock64.dll
<StartUp>\rundllw.exe
<Windows System>\load32.exe
<Windows System>\vxdmgr32.exe

In order to run on system restart Troj/Banker-R creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32

Troj/Banker-R attempts to send details to a Russian email address.

http://www.sophos.com/virusinfo/analyses/trojbankerr.html
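
Several of the advisories above identify the malware by the value name it adds under the Run and RunServices keys. The following is an added example, not part of the original posts or of the Sophos analyses: it scans saved reg query output for those value names. The function name, the sample output and the file paths in it are constructed for illustration.

```python
import re

# Autostart value names quoted in the advisories in this thread, mapped to
# the Sophos detection name. Stored lower-case: value names ignore case.
INDICATORS = {
    "generic service process": "W32/Agobot-EV",
    "ctfmonn": "Troj/Ranck-O",
    "configuration loader": "W32/Agobot-MH",
    "ms update service": "W32/Agobot-MI",
    "winamp agent": "W32/Agobot-GK",
    "security service process": "W32/Agobot-LC",
    "load32": "Troj/Banker-R",
}
WATCHED = ("\\currentversion\\run", "\\currentversion\\runservices")

# A value line in `reg query` output: indent, name, type, data.
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

def scan_reg_query(text):
    """Return (key, value name, data, detection) for each indicator hit."""
    hits, key = [], ""
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if line.startswith("HKEY_"):
            key = line.strip()          # remember which key we are inside
        elif m and key.lower().endswith(WATCHED):
            name, data = m.group(1).strip(), m.group(3).strip()
            threat = INDICATORS.get(name.lower())
            if threat:
                hits.append((key, name, data, threat))
    return hits

# Constructed sample output, not captured from a real host.
SAMPLE = """\
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
    ctfmonn    REG_SZ    C:\\WINDOWS\\system32\\ctfmonn.exe
    Security Service Process    REG_SZ    svhost.exe

HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices
    Winamp Agent    REG_SZ    cvscc.exe

HKEY_LOCAL_MACHINE\\Software\\Example\\Settings
    load32    REG_SZ    not-an-autostart-key
"""

if __name__ == "__main__":
    for key, name, data, threat in scan_reg_query(SAMPLE):
        print(f"{threat}: {key}\\{name} = {data}")
```

A hit on a value name is a lead for triage rather than a verdict, and the absence of a hit says nothing about variants that use other names.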

Troj/StartPa-AE

In reply to: VIRUS ALERTS - April 22, 2004

Troj/Mixtar-B

In reply to: VIRUS ALERTS - April 22, 2004

Aliases
DoS.Win32.Mixter, FDoS-Mixtar, Hacktool.DoS

Type
Trojan

At the time of writing, Sophos has received just one report of this Trojan from the wild.


Description
A detailed analysis will be published here shortly. Please check again later.

http://www.sophos.com/virusinfo/analyses/trojmixtarb.html

Troj/Agent-E

In reply to: VIRUS ALERTS - April 22, 2004

Aliases
TrojanProxy.Win32.Agent.y, Proxy-Swiss

Type
Trojan

At the time of writing, Sophos has received just one report of this Trojan from the wild.


Description
A detailed analysis will be published here shortly. Please check again later.

http://www.sophos.com/virusinfo/analyses/trojagente.html

Troj/Ketch-B

In reply to: VIRUS ALERTS - April 22, 2004

Troj/StartPa-GH

In reply to: VIRUS ALERTS - April 22, 2004

Troj/DeathCo-B

In reply to: VIRUS ALERTS - April 22, 2004

Aliases
Backdoor.VB.ph, VB-BackDoor.a.gen, Win32/VB.PH

Type
Trojan

At the time of writing, Sophos has received just one report of this Trojan from the wild.


Description
Troj/DeathCo-B is a backdoor Trojan that allows an attacker to remotely control a compromised computer.

http://www.sophos.com/virusinfo/analyses/trojdeathcob.html

W32/FlyVB-A

In reply to: VIRUS ALERTS - April 22, 2004

Aliases
Worm.Win32.FlyVB, W32/Spidr@MM, W32.Spider.A@mm

Type
Win32 worm

At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.


Description
A detailed analysis will be published here shortly. Please check again later.

http://www.sophos.com/virusinfo/analyses/w32flyvba.html

Troj/Agent-L

In reply to: VIRUS ALERTS - April 22, 2004

Re:Troj/Agent-L

In reply to: Troj/Agent-L

Aloha I have this worm on my computer.
Can you please direct me for directions to get it off? Norton did not pick it up. But House Call Trend Micro did.
It was unable to clean it or delete it however.
Today is May 14th, I hope it is not too late to contact you about this and you can reply as soon as possible. Thank you,
Antoinette
islandantoinette@earthlink.net
OS is
I have a Pentium 4
Run Windows XP Home Edition
512 RAM
HD 30
HD 80
Flat Panel 15" Monitor Neovo Brand
Lexmark 3 in 1 printer
Apollo Printer (HP knock off)

Re:Troj/Agent-L

In reply to: Troj/Agent-L

Aloha I have this worm on my computer.
Can you please direct me for directions to get it off? Norton did not pick it up. But House Call Trend Micro did.
It was unable to clean it or delete it however.
I have pursued the trojan link you give below. From this URL:
http://www.sophos.com/virusinfo/analyses/trojagentl.html
Is it sufficient to go into the registry and delete the following:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd

AND

HKCU\Software\Microsoft\SysUpd.

Today is May 14th, I hope it is not too late to contact you about this and you can reply as soon as possible. Thank you,
Antoinette
islandantoinette@earthlink.net
OS is
I have a Pentium 4
Run Windows XP Home Edition
512 RAM
HD 30
HD 80
Flat Panel 15" Monitor Neovo Brand
Lexmark 3 in 1 printer
Apollo Printer (HP knock off)
