Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - August 24, 2004

W32/Apler-A

In reply to: VIRUS ALERTS - August 24, 2004

Aliases Worm.Win32.Apler
Win32/Apler.A
W32.Gramos
TROJ_RANCK.A

Type Worm

W32/Apler-A is a backdoor Trojan and network worm which can copy itself to MSGRAN.EXE and set the following registry entry so that this worm can execute automatically upon restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Messenger start-up = Msgran.exe
W32/Apler-A can also create the registry entry:
HKLM\Software\Microsoft\DownloadManager\
W32/Apler-A can copy itself to shared network drives and share / delete these network drives.

http://www.sophos.com/virusinfo/analyses/w32aplera.html

Troj/StartPa-CG

Aliases Trojan.Win32.StartPage.na
Exploit.HTML.Mht
JS/Seeker.i
Trojan.VBS.StartPage.g
VBS/Inor.AB@dr

Type Trojan

Troj/StartPa-CG is a multi-component Trojan which uses several HTML-based scripts to download, drop and execute files (e.g. helper.exe and rundll32.vbe) which change some of the default settings (e.g. start page, home page and search page) of Microsoft Internet Explorer by changing the entries in the registry at the following location:
HKLM\Software\Microsoft\Internet Explorer\Main

http://www.sophos.com/virusinfo/analyses/trojstartpacg.html

Troj/KillF-FA

Aliases KillFiles-FA

Type Trojan

Troj/KillF-FA is a Trojan for the Windows platform.
The Trojan attempts to remove every file and folder from drive letters C:\ through F:\.
Subsequent missing files are likely to prevent the computer from booting.

http://www.sophos.com/virusinfo/analyses/trojkillffa.html

W32/Rbot-GV

Type Worm

W32/Rbot-GV is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

http://www.sophos.com/virusinfo/analyses/w32rbotgv.html

Troj/Startpa-CH

Troj/Dloader-BL

Troj/DloadMan-A

Troj/Banker-BW

Troj/Almat-A

Aliases Trojan.PSW.Almat.i
PWS.b

Type Trojan

Troj/Almat-A is a password stealing Trojan.
When first executed, the Trojan copies itself to the Windows system folder and sets a registry entry in order that it may run on system startup.
The Trojan may email information to an address in Russia.

http://www.sophos.com/virusinfo/analyses/trojalmata.html

Troj/Ranck-AD

W32/Sdbot-NQ

Troj/Iefeat-N

Type Trojan

Troj/Iefeat-N is a downloader Trojan for the Windows platform.
Troj/Iefeat-N attempts to download and run files from a remote site.
Troj/Iefeat-N sets the Internet Explorer start page and search page in the system registry by modifying the following entries:
HKCU\Software\Microsoft\Internet Explorer\Main\
Search Page = <URL>
Start Page = <URL>
HKLM\Software\Microsoft\Internet Explorer\Main\
Default_Page_URL = <URL>
Default_Search_URL = <URL>
Search Bar = <URL>
Search Page = <URL>
Start Page = <URL>
Use Search Asst = "no"

http://www.sophos.com/virusinfo/analyses/trojiefeatn.html

Troj/Iefeat-M

Type Trojan

Troj/Iefeat-M is a downloader Trojan for the Windows platform.
Troj/Iefeat-M weakens Internet security settings in the system registry and then attempts to download and run files from a remote site.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
MinLevel = "Code Download"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Security_RunActiveXControls = dword:01000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Security_RunScripts = dword:01000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Safety Warning Level = "SucceedSilent"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\<several entries>
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
2001 = dword:00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
2004 = dword:00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Trust Warning Level = "No Security"
The Trojan then adds numerous URLs to the trusted zones.
HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\trust provider\
software publishing\trust database\<several entries>
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Domains\<several URLs>
Troj/Iefeat-M sets the Internet Explorer start page and search page in the system registry by modifying the following entries:
HKCU\Software\Microsoft\Internet Explorer\Main\
Search Page = <URL>
Start Page = <URL>
HKLM\Software\Microsoft\Internet Explorer\Main\
Default_Page_URL = <URL>
Default_Search_URL = <URL>
Search Bar = <URL>
Search Page = <URL>
Start Page = <URL>

http://www.sophos.com/virusinfo/analyses/trojiefeatm.html

VBS/Inor-D

Dial/Sever-A

Type Trojan

Dial/Sever-A is a dialer masquerading as a virus utility from Symantec. When run the dialer will install the files dialer.exe and cmdial32.dll in the 'Click to update' subfolder of the program files folder.
Dial/Sever-A will then prompt the user to connect to one of a number of dial-up servers.

http://www.sophos.com/virusinfo/analyses/dialsevera.html

W32/Opaserv-X

W32/Sdbot-NP

W32/Sdbot-NN

Aliases WORM_SDBOT.XA
Backdoor.SdBot.gen

Type Worm

W32/Sdbot-NN is a network worm and a backdoor Trojan which runs in the background as a service process and allows unauthorised remote access to the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotnn.html

Troj/Small-AS

Troj/Dloader-BM

W32/Rbot-FC

Aliases Backdoor.Rbot.gen

Type Worm

W32/Rbot-FC is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-FC spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-FC copies itself to the Windows System folder as WINSYST32.EXE and creates entries at the following locations in the registry so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft IT Update = winsyst32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft IT Update = winsyst32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft IT Update = winsyst32.exe
W32/Rbot-FC may try to delete network shares and also try to log keystrokes and window text to a file with a CRF extension in the root folder.
W32/Rbot-FC can collect the CD keys of several popular computer games and applications.

http://www.sophos.com/virusinfo/analyses/w32rbotfc.html

W32/Sdbot-KW

Aliases Backdoor.SdBot.gen

Type Worm

W32/Sdbot-KW is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-KW spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Sdbot-KW copies itself to the Windows System folder as IEXPLORE.EXE and creates entries in the registry at the following locations to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loader = IEXPLORE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loader = IEXPLORE.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loader = IEXPLORE.EXE
W32/Sdbot-KW can delete shared network drives and collect CD keys from several popular computer games and applications.

http://www.sophos.com/virusinfo/analyses/w32sdbotkw.html

Troj/Bancos-P

Type Trojan

Aliases TrojanSpy.Win32.Banker.br

Troj/Bancos-P is a password stealing Trojan.
In order to run automatically when Windows starts up the Trojan copies itself to the Windows System folder and adds entries pointing to this file to the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
When active, the Trojan monitors the URLs typed into Internet Explorer in order to log credentials of accounts at various Brazilian banks.
The collected information is periodically sent out to a remote email account.

http://www.sophos.com/virusinfo/analyses/trojbancosp.html

W32/Rbot-FD

Type Worm

Aliases Win32:SdBot-194-B
Sdbot.worm.gen.g
Backdoor.Rbot.gen

W32/Rbot-FD is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-FD spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-FD copies itself to the file WIN31.EXE in the Windows System folder and creates entries at the following locations in the registry so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Rbot-FD may try to set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-FD may try to delete the C$, D$, E$, IPC$ and ADMIN$ network shares on the host computer.
W32/Rbot-FD creates a log file C:\DEBUG.CRF.
W32/Rbot-FD may log user keystrokes and window text to the file TEST.CRF in the Windows System folder.

http://www.sophos.com/virusinfo/analyses/w32rbotfd.html

W32/Rbot-FE

Type Worm

Aliases W32/Sdbot.worm.gen.g
Backdoor.Rbot.gen

W32/Rbot-FE is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-FE spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-FE copies itself to the Windows System folder as MSUPDATE.EXE and creates entries at the following locations in the registry so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft IT Update = msupdate.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft IT Update = msupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft IT Update = msupdate.exe
W32/Rbot-FE may try to delete network shares and also try to log keystrokes and window text to a file with a CRF extension in the root folder.
W32/Rbot-FE can collect the CD keys of several popular computer games and applications.

http://www.sophos.com/virusinfo/analyses/w32rbotfe.html

Troj/Servu-AC

Type Trojan

Troj/Servu-AC is a hacked version of a commercial FTP application.
By default, the Trojan runs an FTP server on TCP port 43958. This can be overridden by configuration data read from a file called inetconfig.dll in the current folder.
By running with specific parameters, Troj/Servu-AC can run as a background service named "netsvc".

http://www.sophos.com/virusinfo/analyses/trojservuac.html

Troj/Dloader-AT

Troj/Singu-M

Type Trojan

Aliases Backdoor.Singu.m

Troj/Singu-M is a backdoor Trojan.
When first run, Troj/Singu-M copies itself into the Windows System folder as iexploror.exe. The Trojan then drops a hidden dll file named FinDriv.dll into the Windows System folder and runs it. This dll file is also detected as Troj/Singu-M.
In order to run each time Windows is started, Troj/Singu-M sets the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
exploror = <SYSTEM>\iexploror.exe
Troj/Singu-M monitors this registry entry and will restore it if the entry is deleted.
Troj/Singu-M listens for connections from a malicious user. Once connected, the malicious user can send commands to control and spy on the infected computer.
The backdoor can be used to:
Copy, delete, run, send and download files on the infected computer.
Log keyboard presses.
Control the keyboard and mouse.
Take screenshots of the desktop.
Capture images from the webcam.
Listen in using the microphone.
Control and close windows on the desktop.
Shut down and lock the computer.
Steal user information and passwords from the computer.

http://www.sophos.com/virusinfo/analyses/trojsingum.html

W32/Sdbot-OP

Type Worm

W32/Sdbot-OP is a worm which spreads via network shares.
When first run the worm will create a copy of itself named ntsys32.exe in the Windows System folder and create the following registry entries to ensure that the copy is run every time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration = ntsys32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration = ntsys32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration = ntsys32.exe
W32/Sdbot-OP searches for shared folders with weak passwords and copies itself to the Windows System folder of a vulnerable computer as ntsys32.exe.
The worm includes backdoor functions which can be controlled by a remote attacker over IRC.

http://www.sophos.com/virusinfo/analyses/w32sdbotop.html
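As an added, defender-side example (not from this thread and not Sophos code), the Python checker below parses a registry export and flags the start-up values quoted in the Rbot, Sdbot, Apler and Singu posts above together with the Internet Explorer settings that Troj/Iefeat-M weakens. The export text is a constructed sample; the file-name list and setting values come from the alerts above.

```python
"""Flag registry start-up entries and Internet Explorer settings quoted in
the Sophos alerts above, given text in Windows `reg export` format.
Only "string" and dword:XXXXXXXX values are parsed (hex, most-significant
byte first: the raw bytes 01 00 00 00 in the Sophos listings are 1)."""
# Start-up locations and file names quoted in the Rbot/Sdbot/Apler/Singu posts.
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")
KNOWN_NAMES = {"msgran.exe", "winsyst32.exe", "iexplore.exe", "win31.exe",
               "msupdate.exe", "iexploror.exe", "ntsys32.exe"}
# Troj/Iefeat-M: value name -> data that weakens security (lower-cased).
WEAK_SETTINGS = {"security_runactivexcontrols": 1, "security_runscripts": 1,
                 "safety warning level": "succeedsilent", "minlevel": "code download",
                 "trust warning level": "no security"}

SAMPLE = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft IT Update"="winsyst32.exe"
"Adobe Reader"="C:\\Program Files\\Adobe\\reader.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"Security_RunActiveXControls"=dword:00000001
"Safety Warning Level"="SucceedSilent"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"2001"=dword:00000000
"2004"=dword:00000003
"""  # constructed sample export, not taken from a real host

def parse_reg(text):
    """Return {key path: {value name: data}} from reg-export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            data = int(data[6:], 16) if data.startswith("dword:") else data.strip('"')
            keys[current][name.strip('"')] = data
    return keys

def find_indicators(text):
    """Return (key, value name, data) triples worth investigating."""
    hits = []
    for key, values in parse_reg(text).items():
        low = key.lower()
        for name, data in values.items():
            norm = data.lower() if isinstance(data, str) else data
            if low.endswith(RUN_KEYS) and str(norm).rsplit("\\", 1)[-1] in KNOWN_NAMES:
                hits.append((key, name, data))  # start-up entry from the alerts
            elif "internet settings" in low and WEAK_SETTINGS.get(name.lower()) == norm:
                hits.append((key, name, data))  # IE security setting weakened
            elif low.endswith("\\zones\\2") and name in ("2001", "2004") and data == 0:
                hits.append((key, name, data))  # Trusted sites zone action allowed (0)
    return hits
```

Run `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the Internet Settings keys) on the host, then pass the file contents to find_indicators; a benign Run value such as the Adobe Reader line in the sample is not reported.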

W32/Lovgate-AK