Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - August 18, 2004

Troj/Winflux-B

Aliases Backdoor.Win32.Flux.d
TrojanSpy.Win32.Flux.a

Type Trojan

Troj/Winflux-B is a backdoor Trojan for the Windows platform.
Troj/Winflux-B can be used by a remote attacker to control an infected computer and steal information.

http://www.sophos.com/virusinfo/analyses/trojwinfluxb.html

Troj/Rapet-A

In reply to: VIRUS ALERTS - August 18, 2004

Troj/Demiz-A

In reply to: VIRUS ALERTS - August 18, 2004

W32/Rbot-GG

In reply to: VIRUS ALERTS - August 18, 2004

Aliases Backdoor.Rbot.gen

Type Worm

W32/Rbot-GG is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-GG spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-GG moves itself to the Windows system folder as USBSVC.EXE and creates entries in the registry at the following locations to run on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
USB Host Service = usbsvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
USB Host Service = usbsvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
USB Host Service = usbsvc.exe
W32/Rbot-GG may also drop these hidden, system files into the Windows system folder: ADMDLL.DLL, COWNUT2.EXE, EXPIORER.EXE and RADDRV.DLL.
W32/Rbot-GG may delete shared drives and collect CD keys from several popular applications and computer games.

http://www.sophos.com/virusinfo/analyses/w32rbotgg.html

W32/Zooty-A

In reply to: VIRUS ALERTS - August 18, 2004

Aliases TrojanProxy.Win32.Agent.be

Type Worm

W32/Zooty-A is a backdoor Trojan and network worm which may change the C:\<Windows system>\Drivers\etc\HOSTS file to prevent access to several anti-virus and security-related websites and copy itself into the Windows system folder as HOSTSVC.EXE.
The following registry entries will be set to ensure that this worm is executed automatically upon restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Host Device = hostsvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Host Device = hostsvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Host Device = hostsvc.exe
W32/Zooty-A changes the following registry entry by appending the name of the worm to the existing entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = explorer.exe hostsvc.exe

http://www.sophos.com/virusinfo/analyses/w32zootya.html

Dial/Coulomb-L

In reply to: VIRUS ALERTS - August 18, 2004

Troj/Bancos-Q

In reply to: VIRUS ALERTS - August 18, 2004

Aliases Trojan.Win32.Bancos.y

Type Trojan

Troj/Bancos-Q is a password stealing Trojan. In order to run automatically when Windows starts up the Trojan copies itself to the Windows command folder and sets the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
AcidBurn Bank Catcher = C:\Windows\command\iexplorer.scr
When active, the Trojan monitors the URLs typed into a web browser in order to log credentials of accounts at several Brazilian banks.
The collected information is periodically sent out to a remote email account.

http://www.sophos.com/virusinfo/analyses/trojbancosq.html

Troj/BlckCore-A

In reply to: VIRUS ALERTS - August 18, 2004

Troj/BlckCore-B

In reply to: VIRUS ALERTS - August 18, 2004

W32/Wort-A

In reply to: VIRUS ALERTS - August 18, 2004

W32/Rbot-GI

In reply to: VIRUS ALERTS - August 18, 2004

Aliases Backdoor.Rbot.gen
W32.Spybot.Worm

Type Worm

W32/Rbot-GI is a network worm which contains IRC backdoor Trojan functionality, allowing unauthorised remote access to the infected computer while running in the background as a service process.

http://www.sophos.com/virusinfo/analyses/w32rbotgi.html

Dial/Dialer-DC

In reply to: VIRUS ALERTS - August 18, 2004

Troj/Vipgsm-A

In reply to: VIRUS ALERTS - August 18, 2004

Dial/Porndial-U

In reply to: VIRUS ALERTS - August 18, 2004

Troj/Iefeat-L

In reply to: VIRUS ALERTS - August 18, 2004

Troj/Bancos-R

In reply to: VIRUS ALERTS - August 18, 2004

Aliases Trojan.Win32.Bancos.x

Type Trojan

Troj/Bancos-R is a password stealing Trojan.
In order to run automatically when Windows starts up the Trojan copies itself to the Windows command folder and sets the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
AcidBurn Bank Catcher = C:\Windows\command\iexplorer.scr
When active, the Trojan monitors the URLs typed into a web browser in order to log credentials of accounts at several Brazilian banks.
The collected information is periodically sent out to a remote email account.

http://www.sophos.com/virusinfo/analyses/trojbancosr.html

Dial/Dialer-BO

In reply to: VIRUS ALERTS - August 18, 2004

Aliases Trojan.Win32.Dialer.bo

Type Trojan

Dial/Dialer-BO is a dialler application.
Dial/Dialer-BO terminates any currently active dial-up connections and then creates a new dial-up connection using a new RAS phonebook entry.
Dial/Dialer-BO then launches Microsoft Internet Explorer to display a remote web page.
The following registry entries are created:
HKCU\RemoteAccess\Addresses\AXIS
HKCU\RemoteAccess\Profile\AXIS\IP
Each time Dial/Dialer-BO is run it tries to silently download an executable file from a remote location to the Windows folder and execute it.
Known versions of Dial/Dialer-BO try to download an executable to %WINDOWS%\70000041.exe
Typically this will be an update of the Dial/Dialer-BO executable.

http://www.sophos.com/virusinfo/analyses/dialdialerbo.html

Dial/Dialui-A

In reply to: VIRUS ALERTS - August 18, 2004

Aliases Trojan.Win32.Dialui

Type Trojan

Dial/Dialui-A is a dialler application.
The Dial/Dialui-A executable drops a library DLL to %WINDOWS%\Application Data\Microsoft\Internet Explorer\V0.15.dat and registers V0.15.dat as a COM object.
V0.15.dat exports functionality to download configuration data from a remote server.

http://www.sophos.com/virusinfo/analyses/dialdialuia.html

W32/Rbot-GJ

In reply to: VIRUS ALERTS - August 18, 2004

Aliases Backdoor.Rbot.gen

Type Worm

W32/Rbot-GJ is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-GJ spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-GJ moves itself to the Windows system folder as MSDEV.EXE and may create entries in the registry at the following locations to run on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
msvsc32 = MSDEV.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
msvsc32 = MSDEV.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
msvsc32 = MSDEV.EXE
W32/Rbot-GJ may also change the following registry entries to:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM = N
HKLM\SYSTEM\ControlSet001\Control\Lsa\
restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous = 1

http://www.sophos.com/virusinfo/analyses/w32rbotgj.html

W32/Agobot-ME

In reply to: VIRUS ALERTS - August 18, 2004

Troj/Nucbot-A

In reply to: VIRUS ALERTS - August 18, 2004

W32/Rbot-GL

In reply to: VIRUS ALERTS - August 18, 2004

W32/Rbot-GH

In reply to: VIRUS ALERTS - August 18, 2004

W32/Rbot-GK

In reply to: VIRUS ALERTS - August 18, 2004

Aliases Backdoor.Rbot.gen

Type Worm

W32/Rbot-GK spreads using a variety of vulnerabilities and exploiting shares with weak passwords.
W32/Rbot-GK allows a remote attacker access to the infected computer.
W32/Rbot-GK uses the exploits addressed by MS04-011, MS03-026, MS03-007 and MS01-059.

http://www.sophos.com/virusinfo/analyses/w32rbotgk.html

W32/Sdbot-MP

In reply to: VIRUS ALERTS - August 18, 2004

W32/Sdbot-MQ

In reply to: VIRUS ALERTS - August 18, 2004

W32/Cissi-E

In reply to: VIRUS ALERTS - August 18, 2004

Aliases Worm.Win32.Pinom.c
W32/Imbiat.worm
Win32/Pinom.C1
W32.IRCBot.Gen

Type Worm

W32/Cissi-E is a worm which attempts to spread by emailing itself via SMTP and by copying itself to network shares with weak passwords. The worm allows unauthorised remote access to the computer via IRC channels.
The worm copies itself to the Windows system folder as *****.EXE and changes the [boot] field within SYSTEM.INI (or WIN.INI under MS Win NT/2000/XP) to run itself on system restart. Under Windows NT based systems the following entry in the registry may be changed to run the worm on system restart:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
W32/Cissi-E may attempt to email itself to email addresses gleaned from files on the user's hard disk.
W32/Cissi-E attempts to copy itself to the Startup folder on remote shared computers as !IMPORTANT!.EXE or SETUP.EXE.

http://www.sophos.com/virusinfo/analyses/w32cissie.html
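
Added example, not part of the original posts or of Sophos's analyses: a Python triage of `reg query` output for the startup persistence described in the alerts above, flagging Run/RunServices values that point at the listed file names and a Winlogon Shell value that is no longer just explorer.exe. The sample input is constructed, and the function name `triage` and the reason strings are assumptions of this example.

```python
import re

# File names the alerts in this thread give for Run-key persistence.
# A name match is a lead to verify, not proof of infection.
LISTED = {
    "usbsvc.exe": "W32/Rbot-GG",
    "hostsvc.exe": "W32/Zooty-A",
    "msdev.exe": "W32/Rbot-GJ",
    "iexplorer.scr": "Troj/Bancos-Q or Troj/Bancos-R",
}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Services)?$", re.I)
WINLOGON = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon$", re.I)
VALUE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s*(.*)$")

# Constructed sample in the layout printed by `reg query <key>`.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    USB Host Service    REG_SZ    usbsvc.exe
    SoundMan    REG_SZ    "C:\Program Files\Audio\soundman.exe" /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe hostsvc.exe
"""

def triage(reg_query_text):
    """Return (key, value name, data, reason) for each suspicious startup value."""
    findings, key = [], ""
    for line in reg_query_text.splitlines():
        if line.startswith("HK"):  # key header line
            key = line.strip().rstrip("\\")
            continue
        m = VALUE.match(line)
        if not m:
            continue
        name, _kind, data = m.groups()
        data = data.strip()
        if RUN_KEY.search(key):
            # Split on path separators, quotes and spaces so arguments are ignored.
            for token in re.findall(r'[^\\/\s"]+', data.lower()):
                if token in LISTED:
                    findings.append((key, name, data, LISTED[token]))
        elif WINLOGON.search(key) and name.lower() == "shell":
            # Zooty-A appends its file name after explorer.exe.
            if data.lower() != "explorer.exe":
                findings.append((key, name, data, "Winlogon Shell altered"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
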

W32/Dumaru-Q

In reply to: VIRUS ALERTS - August 18, 2004

Troj/Agent-Y

In reply to: VIRUS ALERTS - August 18, 2004

Troj/Banker-F

In reply to: VIRUS ALERTS - August 18, 2004

Troj/Feardoor-B

In reply to: VIRUS ALERTS - August 18, 2004
