Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - April 23, 2004

by Marianna Schmudlach / April 23, 2004 1:25 AM PDT

W32.Gaobot.ADV

Discovered on: April 22, 2004
Last Updated on: April 23, 2004 01:45:15 PM

W32.Gaobot.ADV is a minor variant of W32.Gaobot.SY. This worm attempts to spread through network shares that have weak passwords and allows attackers to access an infected computer using a predetermined IRC channel.

The worm uses multiple vulnerabilities to spread, including:

The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
The Microsoft Messenger Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-043)
The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445. The worm specifically targets Windows 2000 computers with this exploit.
The UPnP vulnerability (described in Microsoft Security Bulletin MS01-059).
The vulnerabilities in Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
Sending itself to the backdoor ports that the Beagle and Mydoom families of worms open.

This threat may be compressed with UPX and Yoda.

Type: Worm
Infection Length: about 100K

http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.adv.html
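The propagation list above is a detection opportunity as much as a patch list: a Gaobot host fans out to many neighbours on exactly those ports. The following is an added example, not code from the Symantec writeup or the forum post; the firewall log lines and the threshold are constructed for illustration, and the port set is the one the post attaches to the bulletins it names (the Beagle/Mydoom backdoor ports are not given on the page and are left out rather than guessed).

```python
"""Flag sources whose traffic looks like Gaobot-style propagation scanning.

Added example, not code from the Symantec writeup or the forum post. The log
lines and the detection threshold are constructed for illustration; the port
list is the one the post gives for the bulletins it names.
"""
from collections import defaultdict

# Ports the post attaches to each exploit: DCOM RPC (MS03-026) TCP/135,
# WebDAV (MS03-007) TCP/80, Workstation service and Locator service
# (MS03-049, MS03-001) TCP/445, SQL Server resolution (MS02-061) UDP/1434.
# The Beagle/Mydoom backdoor ports are not named on the page, so they are
# deliberately left out rather than guessed.
WORM_PORTS = {("tcp", 135), ("tcp", 80), ("tcp", 445), ("udp", 1434)}

# Constructed firewall log: "timestamp src dst proto dport action".
SAMPLE_LOG = """\
2004-04-23T01:02:01 10.0.0.7  10.0.0.21 tcp 135  DENY
2004-04-23T01:02:01 10.0.0.7  10.0.0.22 tcp 135  DENY
2004-04-23T01:02:01 10.0.0.7  10.0.0.23 tcp 445  DENY
2004-04-23T01:02:02 10.0.0.7  10.0.0.24 tcp 80   ALLOW
2004-04-23T01:02:02 10.0.0.7  10.0.0.25 udp 1434 DENY
2004-04-23T01:02:03 10.0.0.7  10.0.0.26 tcp 445  DENY
2004-04-23T01:02:03 10.0.0.9  10.0.0.30 tcp 80   ALLOW
2004-04-23T01:02:04 10.0.0.9  10.0.0.30 tcp 443  ALLOW
2004-04-23T01:02:05 10.0.0.9  10.0.0.31 tcp 80   ALLOW
2004-04-23T01:02:06 10.0.0.12 10.0.0.21 tcp 445  DENY
"""


def parse_line(line):
    """Split one constructed log line into (ts, src, dst, proto, dport)."""
    ts, src, dst, proto, dport, _action = line.split()
    return ts, src, dst, proto.lower(), int(dport)


def find_scanners(log_text, min_targets=5):
    """Return {src: sorted distinct destinations} for every source that
    touched at least `min_targets` distinct hosts on an exploit port.

    Fan-out across many hosts on these ports is what separates a spreading
    worm from a client talking to a few servers."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, dport = parse_line(line)
        if (proto, dport) in WORM_PORTS:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(dsts)} hosts on worm ports: {', '.join(dsts)}")
```

TCP/80 is the noisy one: an ordinary workstation also fans out on port 80 while browsing, so in production weight 135, 445 and 1434 hits more heavily than 80, or require at least one non-80 port before counting a source. Blocking 135, 445 and 1434 inbound at the perimeter removes most of the list outright, but the Beagle/Mydoom backdoor vector means an already-infected host is reachable even with those ports filtered.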

Troj/Banker-S
by Marianna Schmudlach / April 23, 2004 1:33 AM PDT

Type
Trojan

Description
Troj/Banker-S is a password stealing Trojan that attempts to capture keylogs
associated with web browsing.
Troj/Banker-S creates the following files which are all detected by this
identity:

<Windows>\dllreg.exe
<Windows>\sock64.dll
<StartUp>\rundllw.exe
<Windows System>\load32.exe
<Windows System>\vxdmgr32.exe

In order to run on system restart Troj/Banker-S creates the following
registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32

Troj/Banker-S adds the name of one of the copies of itself to the Run= line of
win.ini and the shell= line of system.ini.

Troj/Banker-S uses its own SMTP engine to send results of the keylogger to a
Russian email address.

http://www.sophos.com/virusinfo/analyses/trojbankers.html
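Besides the registry Run value, Banker-S hooks two startup mechanisms that predate the registry and that most tools of the time ignored: the Run= line of win.ini and the shell= line of system.ini. The following is an added example, not code from the Sophos writeup or the forum post; it parses constructed copies of both files and reports anything beyond the defaults. The infected samples reuse file names the post lists (dllreg.exe, load32.exe), but the post does not say which copy goes on which line, so that pairing is an assumption.

```python
"""Audit the two 16-bit-era startup hooks Troj/Banker-S abuses: the Run=
line of win.ini and the shell= line of system.ini.

Added example, not code from the Sophos writeup or the forum post. The INI
contents are constructed samples; the infected ones reuse file names the post
lists (dllreg.exe, load32.exe), but which copy lands on which line is an
assumption.
"""


def parse_ini(text):
    """Tiny INI reader: lowercases section and key names and keeps the first
    value seen for a duplicated key."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            data.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            data[section].setdefault(key.strip().lower(), value.strip())
    return data


def audit_legacy_startup(win_ini_text, system_ini_text):
    """Return a list of findings; an empty list means both files carry defaults."""
    findings = []
    windows = parse_ini(win_ini_text).get("windows", {})
    # run= and load= are empty on a clean system; anything here starts at logon.
    for key in ("run", "load"):
        if windows.get(key, ""):
            findings.append(f"win.ini [windows] {key}= starts: {windows[key]}")
    boot = parse_ini(system_ini_text).get("boot", {})
    shell = boot.get("shell", "")
    # The default is exactly Explorer.exe. Extra tokens are launched alongside
    # the shell, so a line that still begins with Explorer.exe is not clean.
    if shell.lower() != "explorer.exe":
        findings.append(f"system.ini [boot] shell= is {shell!r}, expected 'Explorer.exe'")
    return findings


# Constructed samples.
CLEAN_WIN_INI = "[windows]\nload=\nrun=\nNullPort=None\n\n[Desktop]\nWallpaper=(None)\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n\n[386Enh]\nEMMExclude=C000-CFFF\n"
INFECTED_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\dllreg.exe\n"
INFECTED_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SYSTEM\\load32.exe\n"

if __name__ == "__main__":
    for name, win, sys_ in (("clean", CLEAN_WIN_INI, CLEAN_SYSTEM_INI),
                            ("infected", INFECTED_WIN_INI, INFECTED_SYSTEM_INI)):
        print(name, audit_legacy_startup(win, sys_) or ["no findings"])
```

On a live box the files are %SystemRoot%\win.ini and %SystemRoot%\system.ini; read them in binary-safe text mode, since trojans of this era sometimes padded the lines with junk to push the appended path off the visible edge of an editor. The example does not read the registry, so the HKLM\...\Run and RunServices values named in this and the neighbouring posts still need a separate check.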

W32/Agobot-LV
by Marianna Schmudlach / April 23, 2004 1:37 AM PDT

Type
Win32 worm

Description
W32/Agobot-LV is a backdoor worm which spreads to computers
protected by weak passwords.
When first run, W32/Agobot-LV copies itself to the Windows system folder as
svehost.exe and creates the following registry entries to run itself on
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MS Update Service Pr = svehost.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MS Update Service Pr = svehost.exe

The worm runs continuously in the background providing backdoor access to
the computer.


More: http://www.sophos.com/virusinfo/analyses/w32agobotlv.html

Troj/Legmir-L
by Marianna Schmudlach / April 23, 2004 1:40 AM PDT

Type
Trojan

Description
Troj/Legmir-L is a Trojan which attempts to log keystrokes (e.g. passwords) and
send this information to an external email address via SMTP.
The Trojan copies itself to the Windows folder as intrenat.exe and to the
Windows system folder as WinSocks.DLL and adds the following entries to the
registry to ensure it is run on system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Intrenat = C:\WINDOWS\intrenat.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Intrenat = C:\WINDOWS\intrenat.exe


More: http://www.sophos.com/virusinfo/analyses/trojlegmirl.html

Troj/Bdoor-BCQ
by Marianna Schmudlach / April 23, 2004 1:43 AM PDT
Troj/Dloader-O
by Marianna Schmudlach / April 23, 2004 1:45 AM PDT

Type
Trojan

Description
Troj/Dloader-O is a downloader Trojan that will automatically attempt to
download a remote file to somewhere on the local computer while masking this
activity with a fake error message.
The exact file name, URL and message text are configurable in the construction
program for this Trojan.

http://www.sophos.com/virusinfo/analyses/trojdloadero.html

Troj/Navid-A
by Marianna Schmudlach / April 23, 2004 1:48 AM PDT

Type
Trojan

Description
Troj/Navid-A is a proxy Trojan.
Troj/Navid-A sets up a proxy server on the host computer and sends information
to one of the following web addresses:

http://b00sterpac.biz/proxy/update.php?
http://makeyrday.biz/proxy/update.php?
http://www.sweetestlife.biz/proxy/update.php?

Troj/Navid-A copies itself to the Windows system folder with the filename
<random>.exe, where <random> consists of 8 random lowercase characters.
Troj/Navid-A saves the value of <random> to a file in the Windows system
folder called MSPR.DAT, which it then alters to have the same file time
characteristics as the file CALC.EXE in the Windows system folder.

Troj/Navid-A sets the following registry entry so as to run itself on system
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nvid


More: http://www.sophos.com/virusinfo/analyses/trojnavida.html

Troj/APS-TV
by Marianna Schmudlach / April 23, 2004 1:50 AM PDT

Type
Trojan

Description
Troj/APS-TV is an AOL password stealing Trojan. When run, the Trojan shows a
dialog box with the messages
"To protect your LAN activated account you must verify your SecurID pin every
hour of online time for validation purposes."

and

"(Your account will be logged off if ou do not validate your 6 digit RSA SecurID pin and AOL sign in Password)"

and the following three fields:

Screen Name
Password
SecurID

When the "Submit" button is pressed, the content of each field is submitted to
the author's website. The Trojan then displays the following message:

"Thank you, Your SecurID has been Verified"

http://www.sophos.com/virusinfo/analyses/trojapstv.html

W32/Agobot-G
by Marianna Schmudlach / April 23, 2004 1:52 AM PDT

Type
Win32 worm

Description
W32/Agobot-G is a member of the W32/Agobot family of worms with backdoor
component.
In order to run automatically when Windows starts up the worm copies itself to
the file wmiprvse32.exe in the Windows system folder and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update Service

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Update Service

The worm also modifies the file \windows\system32\drivers\etc\hosts to disable name resolution to anti-virus related websites.

http://www.sophos.com/virusinfo/analyses/w32agobotg.html
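The hosts-file edit described above is easy to verify by hand but easy to miss when the file has a long stock comment header. The following is an added example, not code from the Sophos writeup or the forum post: it parses a constructed hosts file and reports vendor names that have been pinned to loopback, 0.0.0.0 or any other static address. The post does not say which sites W32/Agobot-G blocks, so the vendor domain watch-list is an assumption.

```python
"""Find hosts-file entries that pin anti-virus vendor names to a dead address,
the way W32/Agobot-G blocks name resolution for those sites.

Added example, not code from the Sophos writeup or the forum post. The hosts
text is a constructed sample, and the vendor domain watch-list is an
assumption: the post does not say which sites Agobot-G blocks.
"""
import ipaddress

# Assumed watch-list: vendor domains a 2004-era bot would plausibly sinkhole.
WATCH_SUFFIXES = ("symantec.com", "symantecliveupdate.com", "sophos.com",
                  "mcafee.com", "trendmicro.com", "kaspersky.com", "microsoft.com")

# Constructed sample: the stock comment header, then the blocking entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
0.0.0.0         liveupdate.symantecliveupdate.com
127.0.0.1       www.sophos.com sophos.com
192.168.1.10    intranet.example   # unrelated local entry, must not be flagged
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped and a
    line carrying several names yields one pair per name."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower().rstrip(".")


def watched(name, suffixes=WATCH_SUFFIXES):
    """True when `name` is a watched domain or a host under one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_hosts_hijacks(text, suffixes=WATCH_SUFFIXES):
    """Return [(hostname, ip, reason)] for every watched vendor name the hosts
    file overrides. Loopback or 0.0.0.0 is the classic update block; any other
    static address is worth a look too, since it may point at an attacker host."""
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or not watched(name, suffixes):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((name, ip, "unparseable address"))
            continue
        reason = ("blackholed" if addr.is_loopback or addr.is_unspecified
                  else "redirected")
        hits.append((name, ip, reason))
    return hits


if __name__ == "__main__":
    for name, ip, reason in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"{reason:11} {name} -> {ip}")
```

The file the post names lives at \windows\system32\drivers\etc\hosts; on a clean machine the only active line is the localhost one. Restoring it is not the fix on its own: the bot rewrites the file while it runs, so check it again after the worm's startup entries and process are gone, and expect the "redirected" case to show up when a bot wants its victims to fetch "updates" from a server it controls.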

Troj/Banker-W
by Marianna Schmudlach / April 23, 2004 1:55 AM PDT

Type
Trojan

Description
Troj/Banker-W drops and loads a DLL named LSD_F3.DLL into the Windows System folder.
This Trojan also sets the registry entries:

HKLM\System\CurrentControlSet\Control\
Impersonate = [<numbers>[<computername>]

HKLM\System\CurrentControlSet\Control\MPRServices\TestService\
Dllname = lsd_f3.dll
EntryPoint = LSD_F3
StackSize = <number>

This DLL may log keyboard entries that the user types into a window whose title bar contains any of the following strings:

'exhosting.biz'
'Fidelity'
'e-gold'
'e-metal'
'westpac'
'planters'
'paypal'
'fethard'
'banque'
'huntington'
'offshore'
'bookers'
'keybank'

Captured text may be periodically sent to the attacker in an email.

http://www.sophos.com/virusinfo/analyses/trojbankerw.html
