

VIRUS ALERTS - August 16, 2004

by Marianna Schmudlach / August 16, 2004 12:30 AM PDT

W32/MyDoom-S

Type Worm

How it spreads Email attachments

Vulnerable operating systems Windows

Side effects Downloads code from the internet

Aliases Ratos

W32/MyDoom-S is a mass-mailing worm which harvests email addresses from your hard drive. The worm copies itself to the Windows folder and the System folder, and adds a registry entry to ensure it starts whenever you logon.
Emails sent by this worm have the subject line photos and an attachment named photos_arc.exe.

http://www.sophos.com/virusinfo/analyses/w32mydooms.html

Troj/Padodo-Fam
by Marianna Schmudlach / August 16, 2004 12:35 AM PDT

Type Trojan

Aliases Backdoor.AXJ
Berbew
Webber

Troj/Padodo-Fam is a family of proxy and backdoor Trojans with password stealing functionality.
When first run the Trojans copy themselves to the Windows system folder
with a random filename and an extension of EXE and drop a library DLL to
the system folder with a random filename and an extension of DLL.
The DLL is registered as a COM object creating registry entries similar
to the following:
HKCR\CLSID\(79FEACFF-FFCE-815E-A900-316290B5B738)
\InProcServer32\
HKCR\CLSID\(79FEACFF-FFCE-815E-A900-316290B5B738)
\InProcServer32\@ = <pathname of dropped DLL>
HKCR\CLSID\(79FEACFF-FFCE-815E-A900-

More: http://www.sophos.com/virusinfo/analyses/trojpadodofam.html

Troj/Dedler-D
by Marianna Schmudlach / August 16, 2004 12:37 AM PDT

Type Trojan

Aliases Worm.Win32.Dedler.r

Troj/Dedler-D is an ICQ Trojan which when run copies itself
to the Windows system folder as csmss.exe and sets one of the
following registry entries in order to auto-start on user logon
or system start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
VC5MediaPlayer = <path_to_self>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WIN95DEFVIEW = <path_to_self>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WindowsInstaller = <path_to_self>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MsgApi = <path_to_self>
The Trojan will attempt to connect to icq.login.com and begin
data transfer.
Troj/Dedler-D will also attempt to terminate the following
security related services:
Network Client Monitor
Network Client
kavsvc
SAVScan
Symantec Core LC
navapsvc
wuauserv

http://www.sophos.com/virusinfo/analyses/trojdedlerd.html

Jerusalem-BF
by Marianna Schmudlach / August 16, 2004 12:39 AM PDT
Troj/Bdoor-CHR
by Marianna Schmudlach / August 16, 2004 12:41 AM PDT
Troj/LdPinch-DU
by Marianna Schmudlach / August 16, 2004 12:44 AM PDT
Troj/Prorat-F
by Marianna Schmudlach / August 16, 2004 12:46 AM PDT

Type Trojan

How it spreads Web browsing
Web downloads

Vulnerable operating systems Windows

Side effects Turns off anti-virus applications
Allows others to access the computer
Steals information
Drops more malware
Reduces system security
Records keystrokes

Troj/Prorat-F is a Trojan for the Windows platform.
The Trojan attempts to download additional components from a remote site.
When first run, Troj/Prorat-F copies itself into the Windows folder as services.exe. The Trojan also creates two additional copies of itself in:
<Windows folder>\system\sservice.exe
<Windows folder>\system32\fsservice.exe
The Trojan also drops two DLL files into the following locations:
<Windows folder>\system32\wininv.dll

More: http://www.sophos.com/virusinfo/analyses/trojproratf.html

Troj/Dload-BE
by Marianna Schmudlach / August 16, 2004 12:48 AM PDT

Type Trojan

Troj/Dload-BE is a Trojan for the Windows platform.
When first run, Troj/Dload-BE copies itself to the Windows folder as:
<Windows>\system32\ffservice.exe
<Windows>\system32\lservice.exe
<Windows>\system32\wservice.exe
In order to run on system startup, Troj/Dload-BE creates the following
registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Reg Services = <Windows>\System32\ffservice.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Reg Services = <Windows>\System32\ffservice.exe
Troj/Dload-BE downloads files from a remote site and then runs them.

http://www.sophos.com/virusinfo/analyses/trojdloadbe.html

W32/Rbot-GA
by Marianna Schmudlach / August 16, 2004 12:50 AM PDT

Type Worm

W32/Rbot-GA is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-GA moves itself to the file WUAMGRD.EXE in the Windows system folder and creates entries at the following locations in the registry so as to run itself on Windows login:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

http://www.sophos.com/virusinfo/analyses/w32rbotga.html

W32/Rbot-GB
by Marianna Schmudlach / August 16, 2004 12:52 AM PDT
Dial/Coulomb-K
by Marianna Schmudlach / August 16, 2004 12:53 AM PDT
Troj/StartPa-CC
by Marianna Schmudlach / August 16, 2004 12:55 AM PDT

Type Trojan

Vulnerable operating systems Windows

Side effects Modifies data on the computer
Drops more malware
Downloads code from the internet
Reduces system security
Installs itself in the Registry

Aliases Trojan.Win32.Hoster.b
StartPage-CP

Troj/StartPa-CC is an adware Trojan which may download and run other unwanted programs on an infected machine.
Troj/StartPa-CC interferes with a user's internet browsing experience.

http://www.sophos.com/virusinfo/analyses/trojstartpacc.html

Troj/Multidr-KE
by Marianna Schmudlach / August 16, 2004 12:58 AM PDT
W32/Apribot-C
by Marianna Schmudlach / August 16, 2004 1:04 AM PDT

Type Worm

How it spreads Email attachments
Web downloads
Chat programs

Vulnerable operating systems Windows

Side effects Turns off anti-virus applications
Allows others to access the computer
Modifies data on the computer
Deletes files off the computer
Steals information

Aliases Backdoor.IRCBot.gen

A detailed analysis will be published here shortly. Please check again later.
W32/Apribot-C is an IRC backdoor with spreading capability.
Each time the worm is run it tries to connect to a remote IRC server and join a specific channel. The backdoor component then runs in the background as a server process, listening for commands to execute. The infected computer can be used to perform several functions:

http://www.sophos.com/virusinfo/analyses/w32apribotc.html

W32/Rbot-FZ
by Marianna Schmudlach / August 16, 2004 1:08 AM PDT

Type Worm

How it spreads Network shares

Vulnerable operating systems Windows

Side effects Allows others to access the computer
Steals information
Uses its own emailing engine
Downloads code from the internet
Reduces system security
Records keystrokes

Aliases Rbot.Gen
Rbot-Fam

W32/Rbot-FZ attempts to spread via the LSASS (MS04-011), RPC-DCOM (MS03-059), RPC-DCOM2 (MS04-012), WebDav (MS03-007), Universal Plug-and-Play (MS01-059) or DameWare (CAN-2003-1030) vulnerabilities, backdoors installed by other malware and network services using weak passwords.
A computer infected with W32/Rbot-FZ can be controlled remotely through IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotfz.html

Troj/Agent-ZB
by Marianna Schmudlach / August 16, 2004 1:11 AM PDT

Type Trojan

Vulnerable operating systems Windows

Side effects Downloads code from the internet
Reduces system security
Installs itself in the Registry

Aliases Backdoor.Agent.z
BackDoor-CEH
Win32/Agent.Z
TROJ_AGENT.Z

Troj/Agent-ZB is a downloader Trojan with adware capabilities.
The Trojan may interfere with a user's browsing experience.

http://www.sophos.com/virusinfo/analyses/trojagentzb.html

Troj/Dload-BD
by Marianna Schmudlach / August 16, 2004 1:13 AM PDT
Troj/Lydra-F
by Marianna Schmudlach / August 16, 2004 1:15 AM PDT
W32/Sdbot-ML
by Marianna Schmudlach / August 16, 2004 1:17 AM PDT

Type Worm

W32/Sdbot-ML is a member of the W32/Sdbot family of worms.
In order to run automatically when Windows starts up the worm copies itself to the file explorer32.exe in the Windows system folder and adds the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Configuration
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Configuration
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Configuration
W32/Sdbot-ML connects to a remote IRC server and allows a malicious user remote access to an infected computer.

http://www.sophos.com/virusinfo/analyses/w32sdbotml.html

W32/Forbot-J
by Marianna Schmudlach / August 16, 2004 1:18 AM PDT
Troj/Midaddle-A
by Marianna Schmudlach / August 16, 2004 1:20 AM PDT

Type Trojan

Troj/Midaddle-A is a downloader Trojan which downloads and installs/runs adware software.
Troj/Midaddle-A is typically installed to the Windows TEMP folder as Updater.exe.
Updater.exe copies itself using a random filename and adds its pathname to a new sub-key of the following registry entry to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
(the new sub-key will have the same name as the executable).
Troj/Midaddle-A also creates the registry entry:
HKCU\Software\Microsoft\Internet Explorer\Main\Updater
The adware software installed by Troj/Midaddle-A can typically be uninstalled via the Add or Remove Programs dialog in the Windows Control Panel (Start -> Settings -> Control Panel -> Add/Remove Programs) by selecting the 'midADdle' entry.

http://www.sophos.com/virusinfo/analyses/trojmidaddlea.html

Troj/Daemoni-G
by Marianna Schmudlach / August 16, 2004 1:27 AM PDT
W32/Sdbot-MN
by Marianna Schmudlach / August 16, 2004 1:29 AM PDT

Type Worm

How it spreads Network shares

Vulnerable operating systems Windows

Side effects Allows others to access the computer
Installs itself in the Registry
Exploits known vulnerabilities

Aliases Backdoor.SdBot.oi
W32.Spybot.Worm
WORM_RBOT.AZ

W32/Sdbot-MN is a network worm which contains IRC backdoor Trojan functionality, allowing unauthorised remote access while running in the background as a service process.

http://www.sophos.com/virusinfo/analyses/w32sdbotmn.html

W32/Rbot-GC
by Marianna Schmudlach / August 16, 2004 1:31 AM PDT

Type Worm

How it spreads Network shares

Vulnerable operating systems Windows

Side effects Allows others to access the computer
Installs itself in the Registry
Exploits known vulnerabilities

Aliases Backdoor.Rbot.gen

W32/Rbot-GC is a network worm which also contains IRC backdoor Trojan functionality, allowing unauthorised remote access to the infected computer while running in the background as a service process.

http://www.sophos.com/virusinfo/analyses/w32rbotgc.html

W32/Gobot-D
by Marianna Schmudlach / August 16, 2004 1:33 AM PDT

Type Worm

How it spreads Chat programs
Peer-to-peer

Vulnerable operating systems Windows

Side effects Allows others to access the computer
Installs itself in the Registry

Aliases W32.Gobot.A
Exploit-Mydoom
Backdoor.Gobot.u
BKDR_GOBOT.B

W32/Gobot-D is a peer-to-peer worm and mIRC backdoor Trojan. W32/Gobot-D creates a randomly named copy of itself in the Windows folder and updates the following registry entry with a randomly named value to run the worm when a user logs on to Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
W32/Gobot-D creates multiple copies of itself in the shared folders of several popular peer-to-peer applications and may overwrite existing files in those folders.
W32/Gobot-D attempts to connect to a remote IRC server and join a specific channel. W32/Gobot-D then runs continuously in the background, allowing a remote intruder to access and control the computer.

http://www.sophos.com/virusinfo/analyses/w32gobotd.html

W32/Ourtime-A
by Marianna Schmudlach / August 16, 2004 1:35 AM PDT

Type Worm

How it spreads Peer-to-peer

Vulnerable operating systems Windows

Side effects Installs itself in the Registry

Aliases W32.Doep.A

W32/Ourtime-A is a Windows worm that spreads via filesharing networks. W32/Ourtime-A contains a ZIP engine and uses this to create archives with file names likely to be searched for by other p2p users. The worm then attempts to share these files via Kazaa, eDonkey and eMule clients.

http://www.sophos.com/virusinfo/analyses/w32ourtimea.html

W32/Sdbot-MO
by Marianna Schmudlach / August 16, 2004 1:36 AM PDT

Type Worm

How it spreads Network shares

Vulnerable operating systems Windows

Side effects Allows others to access the computer
Installs itself in the Registry

Aliases W32/Sdbot.worm.gen.t
Backdoor.SdBot.gen

W32/Sdbot-MO is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-MO copies itself to the Windows system folder as SYSPASS.EXE and creates entries in the registry at the following locations to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
System Information Manager = syspass.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
System Information Manager = syspass.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
System Information Manager = syspass.exe
W32/Sdbot-MO spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

http://www.sophos.com/virusinfo/analyses/w32sdbotmo.html

W32/Agobot-MC
by Marianna Schmudlach / August 16, 2004 1:38 AM PDT

Type Worm

How it spreads Network shares

Vulnerable operating systems Windows

Side effects Turns off anti-virus applications
Allows others to access the computer
Sends itself to addresses in Outlook address books
Steals information
Downloads code from the internet

Aliases Nortonbot
Phatbot
Agobot.gen
Bkdr_Agobot.D

W32/Agobot-MC is a network worm which spreads using unpatched vulnerabilities, backdoors installed by other malware and services protected by weak passwords.
The worm has backdoor functionality, allowing an attacker to remotely control the infected computer through IRC channels.
W32/Agobot-MC attempts to exploit the Universal Plug-n-Play, WebDav, Workstation Service, RPC DCOM and DameWare vulnerabilities.

http://www.sophos.com/virusinfo/analyses/w32agobotmc.html

Troj/Daemoni-F
by Marianna Schmudlach / August 16, 2004 1:40 AM PDT

Type Trojan

Vulnerable operating systems Windows

Side effects Used in DOS attacks

Aliases TROJ_SMALL.EE
Backdoor.Trojan
Win32/TrojanNotifier.Small.E
Downloader-IJ
TrojanNotifier.Win32.Small.e

Troj/Daemoni-F is a proxy Trojan.
The Trojan allows data to be routed through the infected computer in order to bypass access restrictions and to hide the IP address of the source.
The infected computer may be used to forward spam email.

http://www.sophos.com/virusinfo/analyses/trojdaemonif.html

Troj/Bdoor-CHR
by Marianna Schmudlach / August 16, 2004 2:50 AM PDT
Troj/Prorat-F
by Marianna Schmudlach / August 16, 2004 2:54 AM PDT

Type Trojan

Troj/Prorat-F is a Trojan for the Windows platform.
The Trojan attempts to download additional components from a remote site.
When first run, Troj/Prorat-F copies itself into the Windows folder as services.exe. The Trojan also creates two additional copies of itself in:
<Windows folder>\system\sservice.exe
<Windows folder>\system32\fsservice.exe
The Trojan also drops two DLL files into the following locations:
<Windows folder>\system32\wininv.dll
<Windows folder>\system32\winkey.dll
Troj/Prorat-F creates or modifies several registry entries under:
HKCU\Software\Microsoft DirectX\
HKLM\Software\Microsoft\Active Setup\Installed Components\
(5Y99AE78-58TT-11dW-BE53-Y67078979Y)\
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\
Troj/Prorat-F and its helper DLL files gather information from an infected computer and email it to a remote user. The information gathered includes:

System information

Recorded keystrokes

Passwords and account information

http://www.sophos.com/virusinfo/analyses/trojproratf.html
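Most of the alerts in this thread (Dedler-D, Dload-BE, Rbot-GA, Sdbot-ML, Sdbot-MO, Gobot-D and Prorat-F) persist through the same handful of autorun locations: the Run and RunServices keys and, for Prorat-F, Active Setup\Installed Components. A defender can act on that by auditing a `reg export` of those keys against the value names and file names quoted above. The script below is an added example, not code from the posts or from Sophos; the .reg sample is constructed and the Active Setup CLSID is a placeholder.

```python
import re

# Key paths, value names and file names quoted in the alerts above (lower-cased).
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runservices\\",
                "\\active setup\\installed components\\")
KNOWN_NAMES = {"system information manager", "windows reg services",
               "vc5mediaplayer", "win95defview", "windowsinstaller",
               "msgapi", "configuration"}
KNOWN_FILES = {"syspass.exe", "wuamgrd.exe", "explorer32.exe", "csmss.exe",
               "ffservice.exe", "lservice.exe", "wservice.exe"}
KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def _image_name(data):
    """Base name (lower-cased) and full path of the executable in a Run-style command line."""
    d = data.strip()
    image = d[1:].split('"', 1)[0] if d.startswith('"') else d.split(" ", 1)[0]
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower(), image

def audit_reg_export(text):
    """Scan a .reg export; return (key, value name, image path, reasons) for suspect autorun values."""
    hits, key, in_autorun = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            in_autorun = any(a in key.lower() + "\\" for a in AUTORUN_KEYS)
            continue
        vm = VALUE_RE.match(line)
        if not (vm and in_autorun):
            continue
        name = vm.group(1)
        data = re.sub(r'\\(["\\])', r'\1', vm.group(2))  # undo .reg escaping of \ and "
        fname, image = _image_name(data)
        reasons = []
        if name.lower() in KNOWN_NAMES:
            reasons.append("value name listed in alerts")
        if fname in KNOWN_FILES:
            reasons.append("file name listed in alerts")
        # The genuine services.exe lives in System32; Troj/Prorat-F drops its copy in the Windows folder.
        if fname == "services.exe" and "\\system32\\" not in image.lower():
            reasons.append("services.exe outside System32")
        if reasons:
            hits.append((key, name, image, reasons))
    return hits

# Constructed sample export (not data from any real system); the Active Setup CLSID is a placeholder.
SAMPLE_EXPORT = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System Information Manager"="syspass.exe"
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /silent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Configuration"="C:\\WINDOWS\\System32\\explorer32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{PLACEHOLDER-CLSID}]
"StubPath"="C:\\WINDOWS\\services.exe"
"""
```

Run `audit_reg_export(SAMPLE_EXPORT)` to get the three suspect entries with the reason each was flagged; the quoted vendor entry with a space in its path is parsed but not reported.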
