
VIRUS ALERTS - August 24, 2005

by roddy32 / August 23, 2005 11:50 PM PDT

W32/PrsKey-A

Type Spyware Worm

W32/PrsKey-A is a password stealing and keylogging worm aimed at the Priston Tale game and Yahoo! web email accounts.
The worm silently monitors keyboard activity waiting for the user to either play Priston Tale or access Yahoo! email accounts and begins keylogging information once access is found.
W32/PrsKey-A includes functionality to:
- access the internet and communicate with a remote server via HTTP
- send the logged information to a remote location

http://www.sophos.com/virusinfo/analyses/w32prskeya.html

Troj/LegMir-AT
by roddy32 / August 23, 2005 11:54 PM PDT

Aliases Trojan-PSW.Win32.Lmir.ajt

Type Spyware Trojan

Troj/LegMir-AT is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
Troj/LegMir-AT includes functionality to:
- steal confidential information
- silently download, install and run new software
- disable other applications

http://www.sophos.com/virusinfo/analyses/trojlegmirat.html

Troj/QQPass-P
by roddy32 / August 23, 2005 11:56 PM PDT

Aliases
Trojan-PSW.Win32.Lmir.aju
Trojan.PWS.QQPass

Type Spyware Trojan


Troj/QQPass-P is a password stealing Trojan for the Windows platform.
Stolen passwords may be sent from the infected computer by email.
Troj/QQPass-P includes functionality to disable other software, including anti-virus, firewall and security related applications.

http://www.sophos.com/virusinfo/analyses/trojqqpassp.html

W32/Rbot-ALJ
by roddy32 / August 24, 2005 12:04 AM PDT

Aliases
Backdoor.Win32.Rbot.yw
W32/Sdbot.worm.gen.ar

Type Spyware Worm


W32/Rbot-ALJ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-ALJ spreads:
- to other network computers infected with:
Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilities, including:
LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), MSSQL (MS02-039) (CAN-2002-0649), UPNP (MS01-059), Veritas (CAN-2004-1172) and Dameware (CAN-2003-1030)
- by copying itself to network shares protected by weak passwords
W32/Rbot-ALJ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-ALJ includes functionality to:
- steal confidential information
- carry out DDoS flooder attacks
- provide a proxy server
- silently download, install and run new software
The following patches for the operating system vulnerabilities exploited by W32/Rbot-ALJ can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotalj.html

Troj/Lineage-AM
by roddy32 / August 24, 2005 12:06 AM PDT

Troj/Cmjspy-BN
by roddy32 / August 24, 2005 12:08 AM PDT

Aliases
Backdoor.Win32.Cmjspy.bn
Backdoor.MLink

Type Trojan

Troj/Cmjspy-BN is a backdoor Trojan for the Windows platform.
When first run, Troj/Cmjspy-BN copies itself to <System>\system.exe and creates the file <System>\m2syadll.dll.

Troj/VB-XR
by roddy32 / August 24, 2005 12:12 AM PDT

Aliases Trojan.Win32.VB.xr

Type Trojan

Troj/VB-XR is a Trojan for the Windows platform.
When first run, Troj/VB-XR copies itself to:
<System>\d11host.exe
<System>\n0tepad.exe
and creates the file <System>\windll.dll, which is non-malicious and can be safely deleted.

http://www.sophos.com/virusinfo/analyses/trojvbxr.html

Troj/Banker-FE
by roddy32 / August 24, 2005 12:14 AM PDT

Aliases Trojan-Downloader.Win32.VB.nx

Type Spyware Trojan

Troj/Banker-FE is a password stealing Trojan aimed at customers of Brazilian banks.
The Trojan sends stolen information to a remote address via email.
Troj/Banker-FE may attempt to download files from a remote website.

http://www.sophos.com/virusinfo/analyses/trojbankerfe.html

Troj/Whistler-F
by roddy32 / August 24, 2005 1:15 AM PDT

Aliases
Trojan.Win32.Dire.c
QDel247
Win32/Dire.C
TROJ_QDEL247.A

Type Trojan

Troj/Whistler-F is a destructive Trojan for the Windows platform.
Troj/Whistler-F will attempt to delete files on the user's computer. The Trojan will also create a file at C:\WXP and copy it over other files. The file contains the message "You did a piracy, you deserve it."

http://www.sophos.com/virusinfo/analyses/trojwhistlerf.html

Dial/Scom-D
by roddy32 / August 24, 2005 1:18 AM PDT

Troj/Revopdo-A
by roddy32 / August 24, 2005 1:22 AM PDT

Troj/Divlo-A
by roddy32 / August 24, 2005 1:24 AM PDT

Troj/Nailed-A
by roddy32 / August 24, 2005 1:28 AM PDT

Troj/Prutec-E
by roddy32 / August 24, 2005 1:30 AM PDT

Troj/LowZone-AA
by roddy32 / August 24, 2005 1:40 AM PDT

W32/Rbot-ACF
by roddy32 / August 24, 2005 1:43 AM PDT

Aliases W32/Sdbot.worm.gen.bj

Type Spyware Worm

W32/Rbot-ACF is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.
The worm spreads to network shares with weak passwords and the following operating system vulnerabilities:
- LSASS (MS04-011)
- RPC-DCOM (MS04-012)
- WKS (MS03-049)
- WebDav (MS03-007)
- IIS5SSL (MS04-011)
- MSSQL (MS02-039)
- UPNP (MS01-059)
- Dameware (CAN-2003-1030)
The following patches for the operating system vulnerabilities exploited by W32/Rbot-ACF can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotacf.html

W32/Oscabot-B
by roddy32 / August 24, 2005 1:45 AM PDT

Aliases
W32/Opanki.worm
Oscarbot
Doyorg

Type Worm

W32/Oscabot-B is a Windows worm that has backdoor functions that allow unauthorised remote access to the infected computer via IRC channels and may attempt to spread via AOL's instant messenger after receiving the appropriate command from a remote intruder.

http://www.sophos.com/virusinfo/analyses/w32oscabotb.html

W32/Lebreat-F
by roddy32 / August 24, 2005 9:37 AM PDT

Type Worm

W32/Lebreat-F is a mass-mailing worm and backdoor for the Windows platform.
W32/Lebreat-F spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP (MS05-039).
W32/Lebreat-F also contains the functionality to act as an FTP server allowing access to remote users.
W32/Lebreat-F will also attempt to download and execute a file from a predefined URL. This file was not available at the time of analysis.
W32/Lebreat-F will also send itself to email addresses harvested from the infected computer with the following attributes:
Subject line:
- Changes..
- Fax Message
- Forum notify
- Incoming message
- Notification
- Protected message
- Re: Document
- Re: Hello
- Re: Hi
- Re: Incoming Message
- Re: Incoming Msg
- Re: Message Notify
- Re: Msg reply
- Re: Protected message
- Re: Text message
- Re: Thank you!
- Re: Thanks Happy
- Re: Yahoo!
- Site changes
- Update
Message text:
- Attach tells everything.
- Attached file tells everything.
- Check attached file for details.
- Check attached file.
- Encrypted document
- Here is the file.
- Message is in attach
- More info is in attach
- Pay attention at the attach.
- Please, have a look at the attached file.
- Please, read the document.
- Read the attach.
- See attach.
- See the attached file for details.
- Try this.
- webmaster
- Your document is attached.
- Your file is attached.
The following patches for the operating system vulnerabilities exploited by W32/Lebreat-F can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx

http://www.sophos.com/virusinfo/analyses/w32lebreatf.html

W32/Lilbre-A
by roddy32 / August 24, 2005 9:43 AM PDT

Aliases
Net-Worm.Win32.Lebreat.i
W32.Bratle.C

Type Worm

W32/Lilbre-A is a network worm and backdoor for the Windows platform.
W32/Lilbre-A spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP (MS05-039).
W32/Lilbre-A also contains the functionality to act as an FTP server allowing access to remote users.
The following patches for the operating system vulnerabilities exploited by W32/Lilbre-A can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx

http://www.sophos.com/virusinfo/analyses/w32lilbrea.html

Troj/Delf-LD
by roddy32 / August 24, 2005 9:45 AM PDT

Aliases Backdoor.Win32.FTP.Simpel.12

Type Trojan

Troj/Delf-LD is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
When Troj/Delf-LD is installed it creates the file <Trojan filename>.ini. This file is a harmless configuration file and can safely be removed.

http://www.sophos.com/virusinfo/analyses/trojdelfld.html

W32/Rbot-ALP
by roddy32 / August 24, 2005 9:48 AM PDT

Aliases
Backdoor.Win32.Rbot.yf
WORM_RBOT.CAE

Type Spyware Worm

W32/Rbot-ALP is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Rbot-ALP spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-ALP can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-ALP can be instructed by a remote user to perform the following functions:
- start an FTP server
- start a Proxy server
- start a web server
- take part in distributed denial of service (DDoS) attacks
- log keypresses
- capture screen/webcam images
- sniff packets
- scan for open ports
- download/execute arbitrary files
- start a remote shell (RLOGIN)
- steal product registration information from certain software
Patches for the operating system vulnerabilities exploited by W32/Rbot-ALP can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx

http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotalp.html

W32/Rbot-ALQ
by roddy32 / August 24, 2005 9:51 AM PDT

Aliases
Backdoor.Win32.Aimbot.ac
W32/Opanki.worm
W32.Spybot.Worm

Type Spyware Worm

W32/Rbot-ALQ is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Rbot-ALQ spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-ALQ may also attempt to spread via AOL Instant Messenger.
W32/Rbot-ALQ can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-ALQ can be instructed by a remote user to perform the following functions:
- start an FTP server
- start a Proxy server
- start a web server
- take part in distributed denial of service (DDoS) attacks
- log keypresses
- capture screen/webcam images
- sniff packets
- scan for open ports
- download/execute arbitrary files
- start a remote shell (RLOGIN)
- steal product registration information from certain software
Patches for the operating system vulnerabilities exploited by W32/Rbot-ALQ can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx

http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotalq.html

W32/Floppy-D
by roddy32 / August 24, 2005 10:13 AM PDT

Aliases W32.SillyFDC

Type Worm

W32/Floppy-D is a floppy drive worm that may attempt to copy itself to
A:\New document.exe
W32/Floppy-D may periodically cause the infected computer to beep and may also attempt to shut down Microsoft Windows.

http://www.sophos.com/virusinfo/analyses/w32floppyd.html
