Spyware, Viruses, & Security forum

General discussion

Virus Alerts - April 26, 2004

by Donna Buenaventura / April 26, 2004 12:01 AM PDT

CIH day

Today is the 26th of April.

For several years, this day used to mean worldwide damage caused by the CIH virus. This virus was very widespread during 1998-2000. It was programmed to activate destructively every year on this date, overwriting most of the data on the hard drive and attempting to overwrite the Flash BIOS chip of the computer, making it unbootable.

The CIH virus family is no longer widespread. The last time we saw a significant amount of damage (mostly in Asia) was in April 2001. We expect to see no damage now in April 2004.

http://www.f-secure.com/weblog/#00000143

W32/Agobot-MN
by Marianna Schmudlach / April 26, 2004 12:53 AM PDT
Troj/Sdbot-HQ
by Marianna Schmudlach / April 26, 2004 12:57 AM PDT

Type
Trojan

Description
Troj/Sdbot-HQ is a backdoor Trojan that allows unauthorised remote access to
the infected computer via IRC channels while running in the background as a
service process.
Troj/Sdbot-HQ copies itself to the Windows system folder as UMCSS.EXE and
creates the following registry entry in order to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

http://www.sophos.com/virusinfo/analyses/trojsdbothq.html

W32/Sdbot-HR
by Marianna Schmudlach / April 26, 2004 1:00 AM PDT

Aliases
Backdoor.SdBot.jp, W32.Randex.YR, BKDR_SDBOT.HU

Type
Win32 worm

Description
W32/Sdbot-HR is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorised remote access
to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-HR copies itself to the Windows system folder as SYMANTEC32.EXE and creates entries in the registry at the following locations to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run


More: http://www.sophos.com/virusinfo/analyses/w32sdbothr.html

W32/Abogot-GR
by Marianna Schmudlach / April 26, 2004 1:02 AM PDT

Aliases
Agobot.fj, Polybot, Gaobot

Type
Win32 worm

Description
W32/Agobot-GR is an IRC backdoor Trojan and network worm that spreads via
the RPC/DCOM vulnerability or by using RPC calls on machines with weak passwords.
In order to run automatically when Windows starts up the worm copies
itself to the file wincrt32.exe in the Windows system folder, creates
its own service process named "Video Process" and adds the following registry
entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Video Process
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Video Process

More: http://www.sophos.com/virusinfo/analyses/w32abogotgr.html

W32/Sdbot-HS
by Marianna Schmudlach / April 26, 2004 1:05 AM PDT

Aliases
W32/Sdbot.worm.gen virus, W32.HLLW.Gaobot.gen

Type
Win32 worm

Description
W32/Sdbot-HS is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorised remote
access to the infected computer via IRC channels while running in the
background as a service process.
W32/Sdbot-HS copies itself to the Windows system folder as MSGFIXP.EXE
and creates entries in the registry at the following locations to run itself on
system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run


More: http://www.sophos.com/virusinfo/analyses/w32sdboths.html

W32/Sdbot-HT
by Marianna Schmudlach / April 26, 2004 1:08 AM PDT

Aliases
WORM_SPYBOT.RB, W32.Randex.gen, W32/Spybot.worm.gen.a virus

Type
Win32 worm

Description
W32/Sdbot-HT is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorised remote access
to the infected computer via IRC channels while running in the background as a service process.

More: http://www.sophos.com/virusinfo/analyses/w32sdbotht.html

W32/Sdbot-HU
by Marianna Schmudlach / April 26, 2004 1:11 AM PDT

Aliases
W32.HLLW.Gaobot.gen, W32/Sdbot.worm.gen virus

Type
Win32 worm

Description
W32/Sdbot-HU is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorised remote access
to the infected computer via IRC channels while running in the background as a service process.

More: http://www.sophos.com/virusinfo/analyses/w32sdbothu.html

W32/Resdoc-B
by Marianna Schmudlach / April 26, 2004 1:14 AM PDT

Aliases
W32/Bluros

Type
Win32 worm

Description
W32/Resdoc-B is a worm which can copy itself to the locations A:\RESCUED DOCUMENTS.EXE and C:\<Windows System>\SYSTEM.BAT.
The following registry entry will be set so that this program will execute every time that the computer restarts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SystemTray = C:\<Windows System>\SYSTEM.BAT

The worm will attempt to open the Microsoft Word application and display the text:

"More than at any time in history mankind faces a crossroads. One path leads to despair and utter hopelessness, the other to total extinction. Let us pray that we have the wisdom to choose correctly.
- Woody Allen "

http://www.sophos.com/virusinfo/analyses/w32resdocb.html

WM97/Spatch-C
by Marianna Schmudlach / April 26, 2004 1:17 AM PDT
W32/Agobot-QJ
by Marianna Schmudlach / April 26, 2004 1:20 AM PDT

Aliases
W32/Gaobot.worm.gen.e virus

Type
Win32 worm

Description
W32/Agobot-QJ is an IRC backdoor Trojan and network worm which establishes an IRC channel to a remote server in order to grant an intruder access to the compromised machine.

More: http://www.sophos.com/virusinfo/analyses/w32agobotqj.html

VBS/Yarr-A
by Marianna Schmudlach / April 26, 2004 1:23 AM PDT
W32/Agobot-NN
by Marianna Schmudlach / April 26, 2004 1:26 AM PDT

Aliases
W32.HLLW.Gaobot.gen, W32/Gaobot.worm.gen.j virus

Type
Win32 worm

Description
W32/Agobot-NN is a member of the Agobot family of worms with a backdoor component.
In order to run automatically when Windows starts up W32/Agobot-NN creates
the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Service=wmiprvre.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Service=wmiprvre.exe


http://www.sophos.com/virusinfo/analyses/w32agobotnn.html

W32/Sdbot-CB
by Marianna Schmudlach / April 26, 2004 1:28 AM PDT

Aliases
BKDR_SDBOT.RC, W32/Sdbot.worm.gen.g virus

Type
Win32 worm

Description
W32/Sdbot-CB is an IRC backdoor Trojan and network worm.
W32/Sdbot-CB spreads to other computers on the local network protected by
weak passwords.


More: http://www.sophos.com/virusinfo/analyses/w32sdbotcb.html

Troj/StartPa-GF
by Marianna Schmudlach / April 26, 2004 1:31 AM PDT

Type
Trojan

Description
Troj/StartPa-GF is a Trojan that adds the following entries to the registry:
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar=
"http://www.search-and-go.com/search.html"

HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst="no"

HKCU\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL=
dword:00000001

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page=
"http://www.search-and-go.com"

HKCU\Software\Microsoft\Internet Explorer\Main\Search Page=
"http://www.search-and-go.com"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\sounddrv=
<Path to Trojan>.

http://www.sophos.com/virusinfo/analyses/trojstartpagf.html

Troj/Netspree-C
by Marianna Schmudlach / April 26, 2004 1:34 AM PDT

Type
Trojan

Description
Troj/Netspree-C is a backdoor Trojan that allows unauthorised remote access to
the infected computer via IRC channels while running in the background as a
service process.
Troj/Netspree-C copies itself to the Windows system folder as WINLOAD.EXE
and creates the following entries in the registry so as to run itself on system
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Subsys

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\
Windows Subsys


More: http://www.sophos.com/virusinfo/analyses/trojnetspreec.html

W32/Agobot-GV
by Marianna Schmudlach / April 26, 2004 1:36 AM PDT

Type
Win32 worm

Description
W32/Agobot-GV is an IRC backdoor Trojan and network worm that spreads via the
RPC/DCOM vulnerability or by using RPC calls on machines with weak passwords.
In order to run automatically when Windows starts up the worm copies
itself to the file navapsvc.exe in the Windows system folder, creates
its own service process named "Norton Service Process" and adds the
following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Norton Service Process

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Norton Service Process


More: http://www.sophos.com/virusinfo/analyses/w32agobotgv.html

Troj/StartPa-AF
by Marianna Schmudlach / April 26, 2004 1:40 AM PDT

Type
Trojan

Description
Troj/StartPa-AF is a simple Trojan which makes changes to some settings in the registry.
Troj/StartPa-AF sets the registry entry:

HKLM\Software\pup\
12212 = 1
cname = winpup.exe
nname = <numeral.exe>
oname = winpup.exe

This Trojan will also set the registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
<numeral.exe> = C:\<Windows System>\<numeral.exe>

Troj/StartPa-AF will attempt to open a browser window in order to connect to http://www.lazychestnuts.net.

http://www.sophos.com/virusinfo/analyses/trojstartpaaf.html

Troj/Dedler-C
by Marianna Schmudlach / April 26, 2004 1:42 AM PDT

Type
Trojan

Description
Troj/Dedler-C is a downloader Trojan.
Upon execution the Trojan tries to download executable files from a remote location and run them.

When first run Troj/Dedler-C copies itself to the Windows system folder as smvss.exe and adds its pathname to one of the following new registry entries to
run smvss.exe automatically on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ActiveXUpdate
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftOEM
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SoundControl
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OfficeGuardUI

http://www.sophos.com/virusinfo/analyses/trojdedlerc.html

XM97/Bobman-A
by Marianna Schmudlach / April 26, 2004 1:45 AM PDT

Type
Excel 97 macro virus

Description
XM97/Bobman-A is an Excel macro virus that has several potential payloads.
On the 14th of February it will place the text

"Huppy Valentinos Days .. AlL oF YoU"

in the first cell of an opened Excel document.

On Monday, Wednesday and Friday if an infected document is opened in the last 10 minutes of the hour the virus will attempt to place little coloured stars in the sheet.

XM97/Bobman-A will attempt to hide data from the user, and will also attempt to spread via network drives.

http://www.sophos.com/virusinfo/analyses/xm97bobmana.html

W32.Bugbear.E@mm
by Marianna Schmudlach / April 26, 2004 2:00 AM PDT
Backdoor.Sdbot.Y
by Marianna Schmudlach / April 26, 2004 2:04 AM PDT
WORM_BAGLE.X
by Marianna Schmudlach / April 26, 2004 2:07 AM PDT

Virus type: Worm

Destructive: No

Description:

As of April 26, 2004 8:42 AM PST, TrendLabs has received several infection reports of another BAGLE variant spreading Europe and the US. This polymorphic worm is spreading via email with varying subjects, message bodies, and attachment file names. TrendLabs is currently doing an in-depth analysis regarding the spread of this malware and will inform you as soon as possible.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.X

Re:WORM_BAGLE.X
by Marianna Schmudlach / April 26, 2004 6:17 AM PDT
In reply to: WORM_BAGLE.X

Description
W32/Bagle-W is a member of the W32/Bagle family of worms.
When first run W32/Bagle-W will display a fake error message containing the text "Can't find a viewer associated with the file".

W32/Bagle-W copies itself to the Windows system folder with the filename drvsys.exe and then runs the worm from that location.

The following registry entry is created so that the worm is run when a user logs on to Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
drvsys.exe = drvsys.exe

W32/Bagle-W recursively scans all fixed drives for WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, WSH, ADB, TBB, ***, XLS, OFT, UIN, CGI, MHT, DHTM and JSP files and then extracts email addresses from these files to be used for the mass mailing component of the worm.

The email sent by the worm will have the following characteristics:

Subject line may contain the following text:


More: http://www.sophos.com/virusinfo/analyses/w32baglew.html

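Most of the alerts in this thread describe the same persistence mechanism: a copy dropped into the Windows system folder and a value written under HKLM or HKCU ...\CurrentVersion\Run, RunServices or RunOnce, while the Troj/StartPa posts rewrite the Internet Explorer "Main" settings. The script below is an added example for auditing those locations; it is not part of this thread and not code from Sophos, Trend Micro or McAfee. It assumes a plain-text registry export in the format written by `reg export` (the constructed SAMPLE_EXPORT stands in for a real file), and the file-name and domain lists are taken from the posts above rather than from any vendor feed.

```python
# Audit a Windows registry export (.reg text, as written by `reg export`) for the
# autorun and Internet Explorer indicators listed in the alerts above.
import re
from typing import Dict, List, Tuple

# Executable names the alerts say are dropped into the Windows system folder and
# registered under Run / RunServices / RunOnce (list constructed from the posts).
KNOWN_AUTORUN_NAMES = {
    "umcss.exe", "symantec32.exe", "wincrt32.exe", "msgfixp.exe", "wmiprvre.exe",
    "winload.exe", "navapsvc.exe", "winpup.exe", "smvss.exe", "drvsys.exe",
}
# Domains the StartPa Trojans above write into Internet Explorer settings.
SUSPECT_DOMAINS = {"search-and-go.com", "lazychestnuts.net"}

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunServices|RunOnce)$", re.I)
IE_MAIN_KEY = re.compile(r"\\Internet Explorer\\Main$", re.I)
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data

Finding = Tuple[str, str, object, str]  # key path, value name, data, reason


def _decode_data(raw: str) -> object:
    """Turn the data part of a .reg value line into a Python value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \" inside strings
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:, expand strings etc. are kept as written


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: data}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = VALUE_LINE.match(line)  # hex: continuation lines do not match and are skipped
        if match and current is not None:
            name = match.group(1) if match.group(1) is not None else "@"
            keys[current][name] = _decode_data(match.group(2))
    return keys


def _exe_basename(command: str) -> str:
    """Lower-cased file name of the program an autorun command launches."""
    cmd = command.strip()
    if cmd.startswith('"'):  # quoted path, possibly followed by arguments
        end = cmd.find('"', 1)
        program = cmd[1:end] if end > 0 else cmd[1:]
    else:
        program = cmd.split(" ", 1)[0]
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(keys: Dict[str, Dict[str, object]]) -> List[Finding]:
    """Return every autorun or IE value that matches an indicator from the alerts."""
    findings: List[Finding] = []
    for path, values in keys.items():
        if AUTORUN_KEY.search(path):
            for name, data in values.items():
                if isinstance(data, str) and _exe_basename(data) in KNOWN_AUTORUN_NAMES:
                    findings.append((path, name, data, "launches a file name listed in the alerts"))
        elif IE_MAIN_KEY.search(path):
            for name, data in values.items():
                if isinstance(data, str) and any(d in data.lower() for d in SUSPECT_DOMAINS):
                    findings.append((path, name, data, "points at a domain listed in the alerts"))
                elif name.lower() == "use custom search url" and data == 1:
                    findings.append((path, name, data, "custom search URL enabled; confirm it is intended"))
    return findings


# Constructed sample export: entries modelled on the alerts plus one benign entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Service"="wmiprvre.exe"
"Video Process"="C:\\WINDOWS\\system32\\wincrt32.exe"
"Backup Agent"="\"C:\\Program Files\\Backup\\agent.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Norton Service Process"="navapsvc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.search-and-go.com"
"Use Search Asst"="no"
"Use Custom Search URL"=dword:00000001
'''

if __name__ == "__main__":
    for path, name, data, reason in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{path}\n    {name} = {data!r}  <- {reason}")
```

A match here is a lead, not a verdict: the script compares file names only, and several of these names imitate legitimate components (the W32/Agobot-GV post shows the worm registering itself as a "Norton Service Process"), so each hit should be confirmed by the file's actual path, timestamp and publisher signature before anything is removed. It also checks only the three autorun keys the posts name; services, Winlogon and scheduled tasks are separate locations that this example does not cover.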
W32/Bagle.z@MM
by Marianna Schmudlach / April 26, 2004 3:18 AM PDT

Virus Information
Discovery Date: 04/26/2004
Origin: Unknown
Length: Various (Appended garbage)
Type: Virus
SubType: E-mail worm

- Update 26th April 09:37 PST --
Due to increased prevalence, this threat has had its risk assessment raised to medium.
--

This is a new variant of W32/Bagle@MM. It is packed using UPX. It is not polymorphic and a static MD5 is not suitable as garbage is always appended to the file.

This is a mass-mailing worm with the following characteristics:

contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
attachment can be a password-protected zip file, with the password included in the message body.
contains a remote access component (notification is sent to hacker)
copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)

More: http://vil.nai.com/vil/content/v_122415.htm
