Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - August 27, 2004

W32/Forbot-L

Type Worm

W32/Forbot-L is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Forbot-L copies itself to the Windows system folder as w32usb2.exe and creates entries in the registry to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2.0 Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2.0 Driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 USB2.0 Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 USB2.0 Driver
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 USB2.0 Driver
W32/Forbot-L attempts to terminate several processes related to security and anti-virus programs.
W32/Forbot-L attempts to spread to network machines using various exploits including the LSASS vulnerability (see MS04-011) and through backdoors left open by other Trojans.

http://www.sophos.com/virusinfo/analyses/w32forbotl.html

W32/Sdbot-OG

In reply to: VIRUS ALERTS - August 27, 2004

Aliases Backdoor.SdBot.gen
WORM_RBOT.VC

Type Worm

W32/Sdbot-OG is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

http://www.sophos.com/virusinfo/analyses/w32sdbotog.html

W32/Agobot-MK

In reply to: VIRUS ALERTS - August 27, 2004

Aliases W32/Gaobot.worm.pp

Type Worm

W32/Agobot-MK is an IRC backdoor worm.
Each time W32/Agobot-MK is run it attempts to connect to a remote IRC server and join a specific channel. The worm then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.
The worm will spread to network shares with weak passwords.

http://www.sophos.com/virusinfo/analyses/w32agobotmk.html

Troj/Radar-A

In reply to: VIRUS ALERTS - August 27, 2004

Troj/Tofger-BG

In reply to: VIRUS ALERTS - August 27, 2004

Aliases TrojanDropper.Win32.Small.jw
TrojanSpy.Win32.Tofger.bg

Type Trojan

Troj/Tofger-BG is a spyware Trojan that runs continuously in the background logging key presses and taking screen shots when a user accesses certain internet banking sites.
Troj/Tofger-BG has the ability to steal banking and credit card information.

http://www.sophos.com/virusinfo/analyses/trojtofgerbg.html

Troj/Powmail-A

In reply to: VIRUS ALERTS - August 27, 2004

Type Trojan

Troj/Powmail-A is a Trojan designed to turn affected machines into spam relays.
Troj/Powmail-A will create an entry under:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
to ensure that it will always be run on system restart.

http://www.sophos.com/virusinfo/analyses/trojpowmaila.html

W32/Rbot-HJ

In reply to: VIRUS ALERTS - August 27, 2004

Aliases W32/Sdbot.worm.gen.g

Type Worm

W32/Rbot-HJ is an IRC backdoor worm.
The worm connects to an IRC channel and listens for commands, allowing a remote user to control the machine.
W32/Rbot-HJ may spread to remote network shares with weak passwords, copying itself into the Windows system directory on the destination machine. The worm may also spread by email, IRC or FTP.

http://www.sophos.com/virusinfo/analyses/w32rbothj.html

Troj/Banker-DC

In reply to: VIRUS ALERTS - August 27, 2004

Troj/Servu-AG

In reply to: VIRUS ALERTS - August 27, 2004

Type Trojan

Troj/Servu-AG is a hacked version of a commercial FTP application.
By default, the Trojan runs an ftp server on TCP port 43958. This can be overridden by configuration data read from a file called ServUCrashReport.txt in the current folder.

http://www.sophos.com/virusinfo/analyses/trojservuag.html

W32/Rbot-HH

In reply to: VIRUS ALERTS - August 27, 2004

Aliases Backdoor.Rbot.gen

Type Worm

W32/Rbot-HH is a worm that exploits operating system vulnerabilities and weak passwords.
W32/Rbot-HH opens a backdoor allowing a remote user to have unauthorised access to the infected computer.
The operating system vulnerabilities exploited by W32/Rbot-HH are addressed in Microsoft security bulletins MS04-011, MS03-039, MS03-007 and MS01-059.

http://www.sophos.com/virusinfo/analyses/w32rbothh.html

W32/Bagle-AJ

In reply to: VIRUS ALERTS - August 27, 2004

Aliases I-Worm.Bagle.am

Type Worm

W32/Bagle-AJ is a member of the W32/Bagle family of worms.
When first run W32/Bagle-AJ will display a fake error message containing the text "Can't find a viewer associated with the file".
W32/Bagle-AJ copies itself to the Windows system folder with the filename drvddll.exe as well as any peer-to-peer share folders and then runs the worm from that location.

http://www.sophos.com/virusinfo/analyses/w32bagleaj.html

Troj/KaoTan-B

In reply to: VIRUS ALERTS - August 27, 2004

Aliases TrojanDownloader.Win32.Kotan

Type Trojan

Troj/KaoTan-B is a configurable Trojan downloader.
The Trojan downloads either one or two files to the Windows folder, the system folder or the temporary folder. Each file successfully downloaded is then executed.
The URL(s) and the destination filename(s) are specified by the author.
Troj/KaoTan-B may delete itself after downloading has completed.

http://www.sophos.com/virusinfo/analyses/trojkaotanb.html

Dial/Dialer-CK

In reply to: VIRUS ALERTS - August 27, 2004

Troj/WebMoney-F

In reply to: VIRUS ALERTS - August 27, 2004

Troj/Dloader-BQ

In reply to: VIRUS ALERTS - August 27, 2004

W32/Gobot-T

In reply to: VIRUS ALERTS - August 27, 2004

W32/Tzet-B

In reply to: VIRUS ALERTS - August 27, 2004

Aliases Worm.Win32.Tzet
W32/Tzet.worm.e
Win32/Tzet.A.dropper

Type Worm

W32/Tzet-B is a network worm.
W32/Tzet-B searches the local network for computers with weak or no passwords on the administrator or admin accounts to which it can copy itself.

http://www.sophos.com/virusinfo/analyses/w32tzetb.html

W32/Sdbot-NB

In reply to: VIRUS ALERTS - August 27, 2004

Aliases Backdoor.Sdbot
IRC/SdBot.ATK
W32/Sdbot.worm.gen.b
Backdoor.SdBot.mw

Type Worm

W32/Sdbot-NB is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-NB copies itself to the Windows system folder as SAGE.EXE and creates the following registry entry to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Laptop Access = Sage.exe
W32/Sdbot-NB spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

http://www.sophos.com/virusinfo/analyses/w32sdbotnb.html

W32/Sdbot-NC

In reply to: VIRUS ALERTS - August 27, 2004

Aliases Backdoor.SdBot.nv
W32/Sdbot.worm.gen
IRC/SdBot.AXT
Backdoor.Ranky

Type Worm

W32/Sdbot-NC is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-NC copies itself to the Windows system folder under a random filename and creates the following registry entries to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Monitor Test
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Monitor Test
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Monitor Test
W32/Sdbot-NC spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

http://www.sophos.com/virusinfo/analyses/w32sdbotnc.html

W32/Protoride-N

In reply to: VIRUS ALERTS - August 27, 2004

Aliases Worm.Win32.Protoride.aa
W32/Protoride.worm
Win32/Protoride.P
W32.Protoride.Worm

Type Worm

W32/Protoride-N is a Windows worm that spreads via network shares. The worm also has a backdoor component that allows unauthorised remote access to the computer via IRC channels.
W32/Protoride-N will set the following registry entry so that it runs automatically upon restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Taskbar Manager
W32/Protoride-N attempts to copy itself to WINMNGR.EXE in the startup folder of shared network computers.
W32/Protoride-N may also set the following registry entry:
HKLM\Software\BeyonD inDustries\ProtoType[v2]
W32/Protoride-N remains resident, running in the background as a service process and listening for commands from remote users via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32protoriden.html

Troj/Vidlo-E

In reply to: VIRUS ALERTS - August 27, 2004

W32/Sdbot-ND

In reply to: VIRUS ALERTS - August 27, 2004

Aliases Backdoor.SdBot.nt
W32/Sdbot.worm.gen.k
Win32/IRCBot.KE
W32.Spybot.Worm

Type Worm

W32/Sdbot-ND is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-ND copies itself to the Windows system folder as WINDOWSNT.COM and creates the following registry entries to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
System Information Manager = windowsNt.com
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
System Information Manager = windowsNt.com
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
System Information Manager = windowsNt.com
W32/Sdbot-ND spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Sdbot-ND may also try to log the user's keystrokes for later retrieval by the remote intruder in a file named KEYLOG.TXT in the Windows system folder.


http://www.sophos.com/virusinfo/analyses/w32sdbotnd.html
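
Added example (not part of the original posts or of the Sophos analyses): a Python check that reads text in the layout printed by Windows `reg query` and flags the autorun value names listed in the alerts above for W32/Forbot-L, W32/Sdbot-NB, W32/Sdbot-NC, W32/Protoride-N and W32/Sdbot-ND. The function name, the sample input and the file names in the sample's data column are constructed for illustration; only the value names and the two value data strings (Sage.exe, windowsNt.com) come from the page.

```python
import re

# Autorun value names from the alerts above; expected data only where the page gives it.
INDICATORS = {
    "win32 usb2.0 driver": ("W32/Forbot-L", None),
    "laptop access": ("W32/Sdbot-NB", "sage.exe"),
    "monitor test": ("W32/Sdbot-NC", None),
    "windows taskbar manager": ("W32/Protoride-N", None),
    "system information manager": ("W32/Sdbot-ND", "windowsnt.com"),
}
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)$", re.I)
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

def scan_reg_query(text):
    """Return (key, value name, data, malware, data_matches) for each hit."""
    hits, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():           # unindented line = registry key path
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not AUTORUN_KEY.search(key):
            continue                        # only autorun keys are of interest
        name, data = m.group(1), m.group(3).strip()
        ind = INDICATORS.get(name.lower())  # registry value names are case-insensitive
        if ind:
            malware, expected = ind
            # None = page gives no data to compare; otherwise compare the file name.
            data_ok = None if expected is None else data.lower().endswith(expected)
            hits.append((key, name, data, malware, data_ok))
    return hits

# Constructed sample in `reg query` output layout (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    Win32 USB2.0 Driver    REG_SZ    w32usb2.exe
    system information manager    REG_SZ    C:\WINDOWS\system32\windowsNt.com

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Monitor Test    REG_SZ    qxvbnm.exe

HKEY_CURRENT_USER\Software\Example\Settings
    Monitor Test    REG_SZ    1
"""

if __name__ == "__main__":
    for key, name, data, malware, data_ok in scan_reg_query(SAMPLE):
        print(f"{malware}: {key}\\{name} = {data} (data matches page: {data_ok})")
```

A name match on its own is only a lead: these value names were chosen to look like legitimate drivers and utilities, so confirm against the file the data column points to before removing anything.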

W32/Rbot-GM

In reply to: VIRUS ALERTS - August 27, 2004

Aliases Backdoor.Rbot.gen


Type Worm

W32/Rbot-GM spreads using several vulnerabilities and backdoors opened by other worms.
The vulnerabilities used are addressed in MS04-011, MS03-026, MS03-007 and MS01-059.
W32/Rbot-GM allows a remote attacker unauthorised access to the infected computer. An infected computer may have its anti-virus and security software disabled.

http://www.sophos.com/virusinfo/analyses/w32rbotgm.html

W32/Rbot-GN

In reply to: VIRUS ALERTS - August 27, 2004

Aliases Backdoor.Rbot.gen

W32/Rbot-GN spreads using vulnerabilities and backdoors opened by other worms. The vulnerabilities used are addressed by MS04-011, MS03-026, MS03-007 and MS01-059.
W32/Rbot-GN allows remote attackers to have unauthorised access to infected computers.

http://www.sophos.com/virusinfo/analyses/w32rbotgn.html

Troj/Banker-AR

In reply to: VIRUS ALERTS - August 27, 2004

W98/Flcss-B

In reply to: VIRUS ALERTS - August 27, 2004

Aliases Win32.FunLove.3662
W32/Cassi.intd
W32.Funlove.C
PE_FUNLOVE.3662

Type Virus

W98/Flcss-B is a Windows98 parasitic virus which infects executable files locally and over NetBIOS shares with the following extensions: OCX, SCR, EXE.

http://www.sophos.com/virusinfo/analyses/w98flcssb.html

Re: VIRUS ALERTS - August 27, 2004

In reply to: VIRUS ALERTS - August 27, 2004

Will deleting those Keys in the RegEdit fix this Worm? Is there an automatic cleaning app out there?

Timmay
