Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - August 26, 2004

Discussion is locked
You are posting a reply to: VIRUS ALERTS - August 26, 2004
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: VIRUS ALERTS - August 26, 2004
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Troj/Dloader-BS

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
Troj/StarDial-B

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
Troj/Aconti-C

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
W32/Antinny-H

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
Troj/Psyme-AL

In reply to: VIRUS ALERTS - August 26, 2004

Aliases TrojanDownloader.VBS.Psyme.ak

Type Trojan

Troj/Psyme-AL is a JavaScript downloader Trojan which exploits the ADODB stream vulnerability associated with Microsoft Internet Explorer to silently download a file from a remote server to:
<Program Files>\Windows Media Player\wmplayer.exe
replacing any existing file.

http://www.sophos.com/virusinfo/analyses/trojpsymeal.html

Collapse -
Troj/DloadKit-A

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
Troj/Meteor-D

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
W32/Sdbot-OA

In reply to: VIRUS ALERTS - August 26, 2004

Aliases Backdoor.SdBot.gen
W32/Sdbot.worm.gen

Type Worm

W32/Sdbot-OA is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-OA copies itself to the Windows system folder as ASCLT.EXE and creates the following entries in the registry to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Configuration Loader = asclt.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Windows Configuration Loader = asclt.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Configuration Loader = asclt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Configuration Loader = asclt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Windows Configuration Loader = asclt.exe
W32/Sdbot-OA spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

http://www.sophos.com/virusinfo/analyses/w32sdbotoa.html

Collapse -
Troj/Psyme-AM

In reply to: VIRUS ALERTS - August 26, 2004

Type Trojan

Troj/Psyme-AM is a JavaScript downloader Trojan which exploits the ADODB stream vulnerability associated with Microsoft Internet Explorer to silently download a file from a remote server to
<Program Files>\Windows Media Player\wmplayer.exe
replacing any existing file.

http://www.sophos.com/virusinfo/analyses/trojpsymeam.html

Collapse -
W32/Rbot-X

In reply to: VIRUS ALERTS - August 26, 2004

Type Worm

W32/Rbot-X is an IRC backdoor Trojan and network worm.
When first run W32/Rbot-X copies itself to the Windows system folder as MSlti32.exe and creates the following registry entries to run MSlti32.exe automatically on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AUT Update = MSlti32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft AUT Update = MSlti32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AUT Update = MSlti32.exe
Each time W32/Rbot-X is run it attempts to connect to a remote IRC server and join a specific channel. The worm then runs continuously in the background listening on the channel for instructions.
W32/Rbot-X attempts to logon to network shares protected by weak passwords
by brute force using a list of common passwords and then copies itself to the Windows system folder of the remote computer.

http://www.sophos.com/virusinfo/analyses/w32rbotx.html

Collapse -
Troj/Servu-I

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
Troj/Bizex-D

In reply to: VIRUS ALERTS - August 26, 2004

Type Trojan

Troj/Bizex-D is a password stealer and keystroke monitor that copies itself to a hidden folder "ZZTP" in the Windows system folder using as the file svchost.exe before deleting its original copy. The Trojan then adds the following registry
entry so that it is started on user logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\zztp
Troj/Bizex-D also creates two DLL files (_kwui.dll, _kwuiex.dll) and places them into the Windows System folder. The Trojan then attempts to download and execute files from a remote web server and send gathered data to a remote FTP server.


http://www.sophos.com/virusinfo/analyses/trojbizexd.html

Collapse -
Troj/Inpar-A

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
Troj/KillAV-AH

In reply to: VIRUS ALERTS - August 26, 2004

Type Trojan

Aliases ProcKill-BI
Trojan.KillAV

Troj/KillAV-AH is a member of the Troj/KillAV Trojan family that attempts to shut down several anti-virus and security related applications, and also attempts to delete virus definitions libraries for several anti-virus products.

http://www.sophos.com/virusinfo/analyses/trojkillavah.html

Collapse -
Troj/Bdoor-CES

In reply to: VIRUS ALERTS - August 26, 2004

Type Trojan

Aliases Trojan.AOL.Casey.b
BackDoor-CES

Troj/Bdoor-CES is a Trojan for the Windows platform.
The Trojan copies itself to the Windows folder as caseyvid.exe. In order to run automatically when Windows starts up Troj/Bdoor-CES creates the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\caseyvid
Troj/Bdoor-CES attempts to download a configuration file from a remote website.
When first run the Trojan displays the following fake error message:
"Windows cannot find 'wmplayer32.dll'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and
then click Search."

http://www.sophos.com/virusinfo/analyses/trojbdoorces.html

Collapse -
Troj/Vtftp-A

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
Troj/Sdbot-CR

In reply to: VIRUS ALERTS - August 26, 2004

Type Trojan

Troj/Sdbot-CR is a backdoor Trojan that allows unauthorised remote access to
the infected computer via IRC channels while running in the background as a
service process.
Troj/Sdbot-CR copies itself to the Windows system folder as WIN32CFG.EXE
creates entries in the registry at the following locations to run itself on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
WinReg = win32cfg.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
WinReg = win32cfg.exe

http://www.sophos.com/virusinfo/analyses/trojsdbotcr.html

Collapse -
W32/Agobot-ZJ

In reply to: VIRUS ALERTS - August 26, 2004

Aliases Backdoor.Agobot.sv
W32/Gaobot.worm.gen.r
Win32/Agobot.3.AGS
W32.HLLW.Gaobot.gen
WORM_AGOBOT.ZG

Type Worm

W32/Agobot-ZJ is a member of the W32/Agobot family of worms with a backdoor component.
W32/Agobot-ZJ copies itself to the Windows system folder as SMSSL.EXE and
creates the following entries in the registry to run itself on system restart:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Config Manager
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\System Config Manager

More: http://www.sophos.com/virusinfo/analyses/w32agobotzj.html

Collapse -
Troj/Agent-BX

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
JS/DialogArg-B

In reply to: VIRUS ALERTS - August 26, 2004

Aliases JS/Exploit-DialogArg.b

Type Trojan

JS/DialogArg-B is a HTML-based script which loads a malicious script indirectly via the showModalDialog() method.
Known variants of JS/DialogArg-A load variants of Troj/Psyme- such as Troj/Psyme-AM.

http://www.sophos.com/virusinfo/analyses/jsdialogargb.html

Collapse -
W32/Sdbot-OB

In reply to: VIRUS ALERTS - August 26, 2004

Aliases Backdoor.SdBot.gen
W32/Sdbot.worm.gen

Type Worm

W32/Sdbot-OB is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-OB copies itself to the Windows system folder as DEZI.EXE and creates the following entries in the registry to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loader = dezi.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loader = dezi.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loader = dezi.exe
W32/Sdbot-OB spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

http://www.sophos.com/virusinfo/analyses/w32sdbotob.html

Collapse -
Troj/Singu-O

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
Troj/Omprox-A

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
Troj/Fatoos-C

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
Troj/LQupdate-A

In reply to: VIRUS ALERTS - August 26, 2004

Type Trojan

Troj/LQupdate-A is a Trojan that acts depending on a remote configuration file downloaded from the internet. Troj/LQupdate-A is capable of changing the start page and search URL of Internet Explorer. It may also drop various links in the Favorites folder. It can also download and execute files from any location specified in the configuration.


Recovery

Summary Description Recovery Advanced

This section tells you how to disinfect this virus.
Please follow the instructions for removing Trojans.


Advanced

Summary Description Recovery Advanced

This section is for technical experts, who want to know more about this virus.
When first executed, Troj/LQupdate-A will move itself to a randomly named file:
<system32>\win???32.exe
In order to run automatically when Windows starts up Troj/LQupdate-A creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SysA = <system32>\win???32.exe.
Troj/LQupdate-A will then make a copy of itself under the name bkmsf32.dat. It will also inject running threads into various running processes on the system. These processes will then monitor various registry entries and file settings related to Troj/LQupdate-A.
Troj/LQupdate-A will also set various registry entries under:
HKCU\Software\LQ\

http://www.sophos.com/virusinfo/analyses/trojlqupdatea.html

Collapse -
Troj/DloadKit-B

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
W32/Dugert-A

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
W32/Forbot-E

In reply to: VIRUS ALERTS - August 26, 2004

Aliases WORM_SDBOT.SR
Backdoor.Win32.Agent.cf

Type Worm

W32/Forbot-E is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

http://www.sophos.com/virusinfo/analyses/w32forbote.html

Collapse -
W32/Sdbot-OC

In reply to: VIRUS ALERTS - August 26, 2004

Collapse -
Troj/Dloader-BP

In reply to: VIRUS ALERTS - August 26, 2004

Popular Forums

icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

GRAMMYS 2019

Here's Everything to Know About the 2019 Grammys

Find out how to watch the Grammy Awards if you don't have cable and more.