Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - august 2, 2004

by Marianna Schmudlach / August 2, 2004 12:23 AM PDT

W32/Stewon-A

Aliases
Worm.P2P.Stewon

Type
Win32 worm

Description
W32/Stewon-A is a peer-to-peer network worm.
When first run W32/Stewon-A copies itself to:
<SYSTEMROOT>\system32\genoxial.exe
and creates the following registry entry to ensure it is run at system logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
MSN Sucks use IRC = genoxial.exe

W32/Stewon-A creates the following files:
C:\download\random.exe
C:\downloads\random.exe
which are actually zip compressed copies of the worm.


More: http://www.sophos.com/virusinfo/analyses/w32stewona.html
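The alert says the two random.exe files are zip archives rather than executables, so the extension cannot be trusted. The following Python is an added example (not code from the Sophos write-up or from this post) that checks a file's leading bytes against what its extension claims and, when a .exe turns out to be a zip, lists any archive members that are themselves PE images. The byte strings and paths it inspects are constructed stand-ins, not samples of the worm.

```python
import io
import zipfile

# Magic bytes for the two formats the alert contrasts: a Windows executable
# begins with "MZ", a zip archive with "PK\x03\x04".
MAGIC_PE = b"MZ"
MAGIC_ZIP = b"PK\x03\x04"


def classify(data: bytes) -> str:
    """Return 'pe', 'zip' or 'unknown' from the leading bytes, ignoring the name."""
    if data.startswith(MAGIC_PE):
        return "pe"
    if data.startswith(MAGIC_ZIP):
        return "zip"
    return "unknown"


def audit_file(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the content is; for a zip
    posing as .exe, record which members start with a PE header."""
    kind = classify(data)
    claims_exe = name.lower().endswith(".exe")
    result = {"name": name, "content": kind,
              "mismatch": claims_exe and kind != "pe", "pe_members": []}
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:
                    if member.read(2) == MAGIC_PE:
                        result["pe_members"].append(info.filename)
    return result


def build_constructed_samples() -> dict:
    """Constructed stand-ins for the files named in the alert (no real malware)."""
    fake_pe = MAGIC_PE + b"\x90" * 62 + b"constructed PE stand-in"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("genoxial.exe", fake_pe)      # archive member with a PE header
    return {
        r"C:\download\random.exe": buf.getvalue(),     # zip archive named .exe
        r"C:\WINDOWS\system32\genoxial.exe": fake_pe,  # genuine PE layout
    }


def audit_all(samples=None):
    samples = samples if samples is not None else build_constructed_samples()
    return [audit_file(n, d) for n, d in samples.items()]


if __name__ == "__main__":
    for r in audit_all():
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{flag:8} {r['name']} content={r['content']} pe_members={r['pe_members']}")
```

Run against a real download folder, `audit_all` would be fed the first few hundred bytes of each file; the two-byte check is deliberately cheap so it can be applied to every file in a share.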

W32/Sdbot-KX
by Marianna Schmudlach / August 2, 2004 12:26 AM PDT

Aliases
W32.Randex.gen, W32/Sdbot.worm.gen, Backdoor.SdBot.gen

Type
Win32 worm

Description
W32/Sdbot-KX is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-KX spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Sdbot-KX copies itself to the Windows System folder as RCL0ADERS.EXE and creates the following entries in the registry to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Inters Configuration Loader = RCL0ADERS.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Inters Configuration Loader = RCL0ADERS.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Inters Configuration Loader = RCL0ADERS.exe

W32/Sdbot-KX can delete shared network drives and collect CD keys from several popular computer games and applications.

http://www.sophos.com/virusinfo/analyses/w32sdbotkx.html

W32/Sdbot-KZ
by Marianna Schmudlach / August 2, 2004 12:27 AM PDT

Aliases
W32.Randex.gen, Backdoor.SdBot.gen, BKDR_IRCSDBOT.JP, Exploit-Mydoom

Type
Win32 worm

Description
W32/Sdbot-KZ is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-KZ spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Sdbot-KZ copies itself to the Windows System folder as XXX.EXE and creates the following entries in the registry to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Synchronization Manager = xXx.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Synchronization Manager = xXx.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Synchronization Manager = xXx.exe

W32/Sdbot-KZ can delete shared network drives and collect CD keys from several popular computer games and applications. This worm may also log the user's keystrokes into a file in the Windows System folder named KEYLOG.TXT.

http://www.sophos.com/virusinfo/analyses/w32sdbotkz.html

W32/Rbot-FU
by Marianna Schmudlach / August 2, 2004 12:29 AM PDT

Aliases
Backdoor.SdBot.nx

Type
Win32 worm

Description
W32/Rbot-FU is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-FU spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Rbot-FU moves itself to the Windows System folder as a randomly named read-only, hidden, system EXE file and creates entries in the registry at the following locations to run on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Kernel Service

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Kernel Service

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Kernel Service

http://www.sophos.com/virusinfo/analyses/w32rbotfu.html

W32/Sdbot-LA
by Marianna Schmudlach / August 2, 2004 12:31 AM PDT

Aliases
W32.Randex.gen, W32/Sdbot.worm.gen.o, Backdoor.SdBot.gen

Type
Win32 worm

Description
W32/Sdbot-LA is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-LA spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Sdbot-LA copies itself to the Windows System folder as WIN32EXEC.EXE and creates the following entries in the registry to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loader = win32exec.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loader = win32exec.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loader = win32exec.exe

W32/Sdbot-LA can delete shared network drives and collect CD keys from several popular computer games and applications.

http://www.sophos.com/virusinfo/analyses/w32sdbotla.html

W32/Protoride-J
by Marianna Schmudlach / August 2, 2004 12:33 AM PDT

Aliases
W32.Protoride.Worm, W32/Protoride.worm, Worm.Win32.Protoride.n, WORM_PROTORIDE.N

Type
Win32 worm

Description
W32/Protoride-J is a Windows worm that spreads via network shares. The worm also has a backdoor component that allows a malicious user remote access to an infected computer via the IRC network. This worm can also copy itself into the shared folders of several peer-to-peer (P2P) file sharing utilities.
This worm will copy itself into the Windows System folder and may set the following registry entries so that it is executed automatically upon restart:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"" = \"%1\" %*

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"" = C:<Windows System>\<filename>

In order to run automatically when Windows starts up the worm may change the following registry entry so that it is executed before any EXE files:

HKCR\exefile\shell\open\command\
"" = C:\<full file path> "%1 %*"


More: http://www.sophos.com/virusinfo/analyses/w32protoridej.html

Troj/Agent-I
by Marianna Schmudlach / August 2, 2004 12:35 AM PDT

Aliases
Agent.Z, Backdoor-CEZ, Backdoor-CEZ, TrojanProxy.Win32.Agent.Z

Type
Trojan

Description
Troj/Agent-I is a Trojan used for sending unsolicited commercial email (spam).
The Trojan downloads instructions from a preconfigured website every minute. These instructions provide details of what spam to send to whom. Status reports are sent back to the same site using HTTP POST.

Troj/Agent-I may also attempt to find email addresses stored on the infected computer and include them in the list of spam recipients.

http://www.sophos.com/virusinfo/analyses/trojagenti.html
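The behaviour described for Troj/Agent-I, a fetch of instructions from one site every minute with status reports posted back to the same site, is a steady beacon that stands out in proxy logs. The Python below is an added example (not from the Sophos analysis or this post) of that detection: it groups requests per client and URL, measures the spacing between GETs, and reports series whose spacing is stable around 60 seconds along with the number of POSTs to the same URL. The log lines, IP addresses and the hostname spam-ctrl.example are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, client IP, method, URL.
# spam-ctrl.example is a placeholder, not a real control site.
SAMPLE_LOG = """\
2004-08-02T09:00:01 10.0.0.5 GET http://spam-ctrl.example/cmd.php
2004-08-02T09:00:03 10.0.0.5 POST http://spam-ctrl.example/cmd.php
2004-08-02T09:00:40 10.0.0.7 GET http://news.example/index.html
2004-08-02T09:01:01 10.0.0.5 GET http://spam-ctrl.example/cmd.php
2004-08-02T09:01:02 10.0.0.5 POST http://spam-ctrl.example/cmd.php
2004-08-02T09:02:01 10.0.0.5 GET http://spam-ctrl.example/cmd.php
2004-08-02T09:02:02 10.0.0.5 POST http://spam-ctrl.example/cmd.php
2004-08-02T09:03:02 10.0.0.5 GET http://spam-ctrl.example/cmd.php
2004-08-02T09:03:03 10.0.0.5 POST http://spam-ctrl.example/cmd.php
2004-08-02T09:03:30 10.0.0.7 GET http://news.example/sports.html
2004-08-02T09:09:10 10.0.0.7 GET http://news.example/index.html
"""


def parse_log(text):
    """Yield (timestamp, client, method, url) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split()
        yield datetime.fromisoformat(ts), client, method, url


def find_beacons(text, expected=60.0, tolerance=5.0, min_hits=3):
    """Report (client, url) series whose GET spacing is steady around
    `expected` seconds, with the count of POSTs sent to the same URL."""
    series = defaultdict(lambda: {"gets": [], "posts": 0})
    for ts, client, method, url in parse_log(text):
        entry = series[(client, url)]
        if method == "GET":
            entry["gets"].append(ts)
        elif method == "POST":
            entry["posts"] += 1

    findings = []
    for (client, url), entry in series.items():
        stamps = sorted(entry["gets"])
        if len(stamps) < min_hits:
            continue  # too few requests to call it periodic
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg, spread = mean(gaps), pstdev(gaps)
        # A beacon has both the right average spacing and very little jitter.
        if abs(avg - expected) <= tolerance and spread <= tolerance:
            findings.append({"client": client, "url": url, "hits": len(stamps),
                             "mean_gap": round(avg, 1), "posts": entry["posts"]})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['url']}: {f['hits']} GETs every "
              f"~{f['mean_gap']}s, {f['posts']} POSTs")
```

The tolerance is deliberately loose: the alert says "every minute", and a bot's timer drifts by a second or two under load, so an exact-60 match would miss it. Normal browsing (10.0.0.7 in the sample) produces irregular gaps and is not reported.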

W32/Sdbot-LB
by Marianna Schmudlach / August 2, 2004 12:37 AM PDT

Aliases
IRC/SdBot.AUP, W32/Randex.gen, W32/Sdbot.gen.r, Backdoor.SdBot.gen, WORM_RBOT.K

Type
Win32 worm

Description
W32/Sdbot-LB is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-LB copies itself to the Windows System folder as MSGFIX.EXE and creates entries in the registry at the following locations so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Sdbot-LB spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user, copying itself to PAYLOAD.DAT on the local machine at the same time.

http://www.sophos.com/virusinfo/analyses/w32sdbotlb.html

W32/Sdbot-LC
by Marianna Schmudlach / August 2, 2004 12:39 AM PDT

Aliases
W32.Randex.gen, W32/Sdbot.worm.gen.j, Backdoor.SdBot.gen, BKDR_SDBOT.CD

Type
Win32 worm

Description
W32/Sdbot-LC is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-LC copies itself to the Windows System folder as WICONF.EXE and creates entries in the registry at the following locations so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Sdbot-LC spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user, copying itself to SYSCONF.DAT on the local computer at the same time.

http://www.sophos.com/virusinfo/analyses/w32sdbotlc.html

W32/Rbot-FF
by Marianna Schmudlach / August 2, 2004 12:40 AM PDT

Aliases
Backdoor.Rbot.gen

Type
Win32 worm

Description
W32/Rbot-FF is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-FF spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Rbot-FF copies itself to the file UPDATEX.EXE in the Windows System folder and creates entries at the following locations in the registry so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-FF may try to set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-FF may try to delete the C$, D$, E$, IPC$ and ADMIN$ network shares on the host computer.

W32/Rbot-FF creates a log file C:\DEBUG.TXT.

W32/Rbot-FF may log user keystrokes and window text to the file KEYS.TXT in the Windows System folder.

http://www.sophos.com/virusinfo/analyses/w32rbotff.html

W32/Rbot-FG
by Marianna Schmudlach / August 2, 2004 12:42 AM PDT

Aliases
W32.Sdbot.worm.gen.t, Backdoor.Rbot.gen, WORM_SDBOT.EH

Type
Win32 worm

Description
W32/Rbot-FG is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-FG spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Rbot-FG copies itself to the file WUAPDCT32.EXE in the Windows System folder and creates entries at the following locations in the registry so as to run itself on system startup, resetting them every minute:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

W32/Rbot-FG may try to set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-FG may try to delete the C$, D$, E$, IPC$ and ADMIN$ network shares on the host computer.

W32/Rbot-FG attempts to terminate processes relating to the following files:

regedit.exe
msconfig.exe
netstat.exe
msblast.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
wincfg32.exetaskmon.exe [sic]
PandaAVEngine.exe
sysinfo.exe
mscvb32.exe
MSBLAST.exe
teekids.exe
*****32.exe
bbeagle.exe
SysMonXP.exe
winupd.exe
winsys.exe
ssate.exe
rate.exe
d3dupdate.exe
irun4.exe
i11r54n4.exe

http://www.sophos.com/virusinfo/analyses/w32rbotfg.html

Troj/CmjSpy-Z
by Marianna Schmudlach / August 2, 2004 12:44 AM PDT

Type
Trojan

Description
Troj/CmjSpy-Z is a keylogging Trojan.
In order to run automatically when Windows starts up the Trojan copies itself to the Windows system folder as hpserver.exe and starts itself as a service named HPprinter, adding registry entries in the following locations:

HKLM\SYSTEM\ControlSet001\Services\HPprinter\
HKLM\SYSTEM\CurrentControlSet\Services\HPprinter\

The Trojan may also add the following registry entry to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPprinter

Troj/CmjSpy-Z creates the following files in the Windows System folder:

hlicense.vxd
madll2sy.dll
sssdda334342.vxd

Keypresses are logged to hlicense.vxd.

http://www.sophos.com/virusinfo/analyses/trojcmjspyz.html

Troj/MadHook-A
by Marianna Schmudlach / August 2, 2004 12:46 AM PDT

W32/Sdbot-LD
by Marianna Schmudlach / August 2, 2004 12:48 AM PDT

Aliases
W32.Spybot.Worm, W32/Sdbot.worm.gen.o, Backdoor.Agobot.qp

Type
Win32 worm

Description
W32/Sdbot-LD is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-LD spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Sdbot-LD copies itself to the Windows system folder as CSRSSS.EXE and creates the following entries in the registry to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Client Server Runtime Process = csrsss.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Client Server Runtime Process = csrsss.exe

W32/Sdbot-LD can delete shared network drives and collect CD keys from several popular computer games and applications.

http://www.sophos.com/virusinfo/analyses/w32sdbotld.html

Troj/Yungs-A
by Marianna Schmudlach / August 2, 2004 12:50 AM PDT

Aliases
Trojan.Yungs.A

Type
Trojan

Description
Troj/Yungs-A is a backdoor Trojan that can report the installation of the Trojan to a predefined email address and download new components.
When first run, it will drop two files with random filenames into the <system32> directory. In order to autostart itself, it will create a registry entry of:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad\Network.ConnectionCache = <random clsid>

The Trojan will register itself as a COM object with above clsid. It will attempt to connect to predefined SMTP/POP3 servers to upload information about the infected host and download new configurations.

It is also capable of downloading new components from predefined web addresses into the temporary folder and executing them.

http://www.sophos.com/virusinfo/analyses/trojyungsa.html

Troj/Psyme-AJ
by Marianna Schmudlach / August 2, 2004 12:51 AM PDT

W32/Sdbot-NW
by Marianna Schmudlach / August 2, 2004 12:53 AM PDT

Aliases
Backdoor.SdBot.nv

Type
Win32 worm

Description
W32/Sdbot-NW is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-NW spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user. The worm spreads as a file named construct.exe. Construct.exe is a self-extracting archive containing a copy of W32/Sdbot-NW named feqwfewt.exe and a copy of Troj/Ranck-AP named gregttp.exe. The archive will attempt to extract the files to the Windows System folder.

W32/Sdbot-NW copies itself to the Windows System folder as CONSOLES.EXE and creates entries in the registry at the following locations to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\systrasx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\systrasx
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\systrasx


http://www.sophos.com/virusinfo/analyses/w32sdbotnw.html

Troj/Ranck-AP
by Marianna Schmudlach / August 2, 2004 12:55 AM PDT

Aliases
TrojanProxy.Win32.Ranky.ap

Type
Trojan

Description
Troj/Ranck-AP is an HTTP proxy. The Trojan runs an HTTP proxy server on a randomly chosen port. The port number is reported to a number of websites.
In order to ensure that the Trojan is run each time Windows starts Troj/Ranck-AP creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Ran

http://www.sophos.com/virusinfo/analyses/trojranckap.html

W32/Sdbot-LE
by Marianna Schmudlach / August 2, 2004 12:56 AM PDT

Aliases
WORM_SDBOT.N, Backdoor.SdBot.gen

Type
Win32 worm

Description
W32/Sdbot-LE is a network worm and a backdoor Trojan which runs in the background as a service process and allows unauthorised remote access to the computer via IRC channels.
When executed W32/Sdbot-LE copies itself to the Windows System folder with the filename MSGFIX.EXE and sets the following registry entries to ensure the worm is run at Windows login:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loader = msgfix.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loader = msgfix.exe

W32/Sdbot-LE attempts to copy itself to remote network shares with weak passwords.

As a backdoor, W32/Sdbot-LE can be used to install and execute programs on your computer, retrieve system information and flood other computers with network packets.

http://www.sophos.com/virusinfo/analyses/w32sdbotle.html

W32/Rbot-FH
by Marianna Schmudlach / August 2, 2004 12:58 AM PDT

Aliases
WORM_RBOT.DV

Type
Win32 worm

Description
W32/Rbot-FH is a network worm with backdoor functionality. When executed the worm will move itself to the Windows System folder as sxvhost.exe and create the following registry entries so as to auto-start on user logon or system reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Mircrosoft--Updates = sxvhost.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Mircrosoft--Updates = sxvhost.exe

The following registry entries are also modified:

HKCU\Software\Microsoft\OLE\Microsoft--Updates = sxvhost.exe

W32/Rbot-FH will also attempt to terminate various security related processes, steal passwords and game keys, brute-force weak network shares and connect to a remote IRC server to receive further instruction from an attacker.

http://www.sophos.com/virusinfo/analyses/w32rbotfh.html

Troj/Antilam-F
by Marianna Schmudlach / August 2, 2004 1:00 AM PDT

Aliases
Backdoor.Antilam.g1, BackDoor-AED trojan, Win32/Antilam.G1 trojan

Type
Trojan

Description
Troj/Antilam-F is a backdoor Trojan.
Troj/Antilam-F can be used to take control of a compromised computer and includes functionality such as uploading and downloading files, stealing passwords and restarting Windows.

Troj/Antilam-F will copy itself to either the Windows or the Windows System folder depending on the specific configuration details. It also creates a registry entry to run itself on system startup at:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

http://www.sophos.com/virusinfo/analyses/trojantilamf.html
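Nearly every alert in this thread comes down to a handful of registry locations: the Run and RunServices keys (the Sdbot, Rbot, Stewon, Ranck and Antilam entries), the exefile\shell\open\command hijack (Protoride-J), ShellServiceObjectDelayLoad (Yungs-A), the OLE key (Rbot-FH) and the EnableDCOM / restrictanonymous changes (Rbot-FF and Rbot-FG). The Python below is an added example, not code from Sophos or from these posts, that parses the text produced by `reg export` and reports values matching those patterns, using the filenames and value names quoted in the alerts as its watch list. The registry text it audits is constructed; the worm path, the CLSID and the benign SoundTray entry are placeholders.

```python
import re

# Autorun filenames and value names quoted in the alerts above (lower-cased).
KNOWN_FILES = {"genoxial.exe", "rcl0aders.exe", "xxx.exe", "win32exec.exe",
               "msgfix.exe", "wiconf.exe", "updatex.exe", "wuapdct32.exe",
               "hpserver.exe", "csrsss.exe", "consoles.exe", "sxvhost.exe"}
KNOWN_NAMES = {"msn sucks use irc", "inters configuration loader",
               "microsoft synchronization manager", "windows kernel service",
               "configuration loader", "client server runtime process",
               "systrasx", "ran", "mircrosoft--updates", "hpprinter"}
# Key suffixes whose values are matched against the lists above.
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices",
                    "\\currentversion\\shellserviceobjectdelayload",
                    "\\microsoft\\ole")
EXE_DEFAULT = '"%1" %*'  # what exefile\shell\open\command normally holds

# Constructed "reg export" output (not from a real system). The worm path and
# the CLSID are placeholders; SoundTray stands in for a legitimate entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Configuration Loader"="win32exec.exe"
"Mircrosoft--Updates"="sxvhost.exe"
"SoundTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Inters Configuration Loader"="RCL0ADERS.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\placeholder_worm.exe \"%1 %*\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionCache"="{00000000-0000-0000-0000-PLACEHOLDER0}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''

# "name"=data or @=data (the key's default value).
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # In reg-export text a backslash quotes the following character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse reg-export text into {key: {value_name: data}}; '' is (Default)."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue  # header, blank line, or a value type not modelled here
        name = _unescape(m.group(1) or "")
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            data = str(int(data[6:], 16))
        tree[key][name] = data
    return tree


def audit(tree):
    """Return (kind, key, value_name, data) findings for the alert patterns."""
    findings = []
    for key, values in tree.items():
        k = key.lower()
        if k.endswith("\\exefile\\shell\\open\\command"):
            default = values.get("", "")
            if default.strip() != EXE_DEFAULT:
                findings.append(("exefile_hijack", key, "", default))
        if k.endswith("\\microsoft\\ole") and values.get("EnableDCOM", "").upper() == "N":
            findings.append(("dcom_disabled", key, "EnableDCOM", "N"))
        if k.endswith("\\control\\lsa") and values.get("restrictanonymous") == "1":
            findings.append(("restrictanonymous_set", key, "restrictanonymous", "1"))
        if not k.endswith(AUTORUN_SUFFIXES):
            continue
        for name, data in values.items():
            basename = data.strip('"').split("\\")[-1].lower()
            if k.endswith("shellserviceobjectdelayload"):
                # SSODL loads COM objects at shell start; every entry here gets reviewed.
                findings.append(("ssodl_review", key, name, data))
            elif name.lower() in KNOWN_NAMES or basename in KNOWN_FILES:
                findings.append(("known_autorun", key, name, data))
    return findings


def run_audit(text=SAMPLE_REG):
    return audit(parse_reg(text))


if __name__ == "__main__":
    for kind, key, name, data in run_audit():
        print(f"{kind:22} {key}\\{name or '(Default)'} = {data}")
```

On a live machine the text would come from `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the other keys) rather than the constructed sample. The watch list only catches the names in these alerts; the exefile and SSODL checks are structural and stay useful as the names change.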
