
VIRUS ALERTS - August 3, 2005

Aug 2, 2005 8:51PM PDT

W32/Rbot-AJO

Aliases
WORM_RBOT.BVE
Backdoor.Win32.Rbot.vi

Type Spyware Worm

W32/Rbot-AJO is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorized remote access to the infected computer via IRC channels while running in the background.
The worm spreads to network shares with weak passwords and also by using the following security exploits:
- LSASS (MS04-011)
- RPC-DCOM (MS04-012)
- WKS (MS03-049) (CAN-2003-0812)
- MSSQL (MS02-039) (CAN-2002-0649)
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AJO can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotajo.html

Troj/Orse-E
Aug 2, 2005 8:53PM PDT

Aliases
Trojan.Win32.Crypt.i
Trojan.Abwiz.D
TROJ_LAGER.F

Type Trojan

Troj/Orse-E is a Trojan for the Windows platform.
Troj/Orse-E includes functionality to silently download, install and run new software. Troj/Orse-E will also attempt to download configuration data from preconfigured websites which may instruct the Trojan to send emails.

http://www.sophos.com/virusinfo/analyses/trojorsee.html

Troj/Dropper-AW
Aug 2, 2005 8:56PM PDT

Troj/Sharp-I
Aug 2, 2005 8:58PM PDT

Troj/StartPa-HW
Aug 2, 2005 9:00PM PDT

Troj/StartPa-HV
Aug 2, 2005 9:03PM PDT

Troj/DownLdr-AQ
Aug 2, 2005 9:05PM PDT

W32/Sdbot-ABL
Aug 2, 2005 9:07PM PDT

Type Worm

W32/Sdbot-ABL is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-ABL runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Sdbot-ABL copies itself to <System>\icq2002.exe and creates registry entries to run icq2002.exe on startup.

http://www.sophos.com/virusinfo/analyses/w32sdbotabl.html

Troj/Dloader-RP
Aug 2, 2005 9:08PM PDT

Troj/Psyme-CF
Aug 2, 2005 9:10PM PDT

W32/Mytob-HM
Aug 2, 2005 9:40PM PDT

Aliases
Net-Worm.Win32.Mytob.t
WORM_MYTOB.HM
W32/Mytob.GX@mm

Type Worm

W32/Mytob-HM is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-HM is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011). Emails sent by W32/Mytob-HM have the following properties:
Subject line:
document
Good day
Hello
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status
Message text:
'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'
The attached file consists of a base name followed by the extensions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP.
Sophos's anti-virus products include Genotype detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-HM (detected as W32/Mytob-Fam) since version 3.94.

http://www.sophos.com/virusinfo/analyses/w32mytobhm.html

W32/Mytob-HN
Aug 2, 2005 9:42PM PDT

Type Spyware Worm

W32/Mytob-HN is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-HN is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011). Emails sent by W32/Mytob-HN have the following properties:
Subject line:
document
Good day
Hello
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status
Message text:
'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'
The attached file consists of a base name followed by the extensions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP.

http://www.sophos.com/virusinfo/analyses/w32mytobhn.html

Troj/LdPinch-BR
Aug 2, 2005 9:44PM PDT

Aliases Trojan-PSW.Win32.LdPinch.rg

Type Spyware Trojan

Troj/LdPinch-BR is a password-stealing Trojan with backdoor functionality.
Troj/LdPinch-BR attempts to steal confidential information and send it to a remote location via HTTP or email.

http://www.sophos.com/virusinfo/analyses/trojldpinchbr.html

Troj/Dumaru-J
Aug 2, 2005 9:45PM PDT

Type Trojan

Troj/Dumaru-J is a Trojan for the Windows platform.
Troj/Dumaru-J includes functionality to access the internet and communicate with a remote server via HTTP.
Troj/Dumaru-J attempts to steal confidential information and send it to a remote location. The Trojan allows a remote intruder to gain access to and control over the computer.

http://www.sophos.com/virusinfo/analyses/trojdumaruj.html

Troj/Stoped-B
Aug 2, 2005 9:47PM PDT

Type Spyware Trojan

Troj/Stoped-B is a downloader Trojan for the Windows platform.
The Trojan downloads configuration data from a remote site which defines further behaviors. Troj/Stoped-B collects system information which is then sent to the remote site.

http://www.sophos.com/virusinfo/analyses/trojstopedb.html

Troj/Zcrew-G
Aug 2, 2005 9:49PM PDT

Troj/Multidr-DZ
Aug 2, 2005 9:50PM PDT

Troj/Sharp-H
Aug 2, 2005 9:52PM PDT

W32/Mytob-DY
Aug 3, 2005 2:38AM PDT

Aliases
WORM_MYTOB.IK
W32.Mytob.EE@mm
Net-Worm.Win32.Mytob.bi

Type Worm

W32/Mytob-DY spreads through email. W32/Mytob-DY harvests email addresses from files on the infected computer and from the Windows address book. Email sent by W32/Mytob-DY has the following properties:
Subject line:
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Message text:
Dear user [str],
You have successfully updated the password of your [str] account.
If you did not authorize this change or if you need assistance with your account, please contact [str] customer service at: [str]
Thank you for using [str]!
The [str] Support Team
+++ Attachment: No Virus (Clean)
+++ [str] Antivirus - www.[str]
Dear user [str],
It has come to our attention that your [str] User Profile ( x ) records are out of date. For further details see the attached document.
Thank you for using [str]!
The [str] Support Team
+++ Attachment: No Virus (Clean)
+++ [str] Antivirus - www.[str]
Dear [str] Member,
We have temporarily suspended your email account [str].
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your [str] account.
Sincerely,The [str] Support Team
+++ Attachment: No Virus (Clean)
+++ [str] Antivirus - www.[str]
Dear [str] Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service. If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
The [str] Support Team
+++ Attachment: No Virus found
+++ [str] Antivirus - www.[str]
In the above message text [str] would be replaced with text from the user's email address.
The attached file consists of a base name followed by the extensions CMD, PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is BAT, CMD, PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from:
accepted-password
account-details
account-info
account-password
account-report
approved-password
document
email-details
email-password
important-details
new-password
password
readme
updated-password
Sophos's anti-virus products include Genotype detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-DY (detected as W32/MyDoom-Gen) since version 3.94.

http://www.sophos.com/virusinfo/analyses/w32mytobdy.html
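
The attachment rule that W32/Mytob-HM, -HN and -DY share (a base name with one executable extension, or a DOC/TXT/HTM decoy extension in front of the executable one) is easy to turn into a mail-gateway check. The Python below is an added example written for this page, not Sophos code and not part of the original posts; it encodes the subject lines, base names and extension sets quoted in the three write-ups above, and as a generalisation also flags any other decoy-plus-executable double extension. The sample mails are constructed.

```python
# Added example for this page (not Sophos code): a mail-gateway heuristic built from
# the subject lines, base names and extension sets quoted in the Mytob write-ups.
from typing import Optional, Tuple

# Subject lines quoted for W32/Mytob-HM and W32/Mytob-HN (compared lower-cased)
HM_SUBJECTS = {
    "document", "good day", "hello", "mail delivery system",
    "mail transaction failed", "message", "readme", "server report", "status",
}
# Subject lines quoted for W32/Mytob-DY
DY_SUBJECTS = {
    "your account is suspended", "*detected* online user violation",
    "your account is suspended for security reasons", "important notification",
    "warning message: your services near to be closed.", "members support",
    "security measures", "email account suspension", "notice of account limitation",
    "your password has been updated", "your password has been successfully updated",
    "you have successfully updated your password", "your new account password is approved",
}
# Attachment base names quoted for W32/Mytob-DY
DY_BASENAMES = {
    "accepted-password", "account-details", "account-info", "account-password",
    "account-report", "approved-password", "document", "email-details",
    "email-password", "important-details", "new-password", "password",
    "readme", "updated-password",
}
DECOY_EXTS = {"doc", "txt", "htm"}                    # harmless-looking first extension
HM_FINAL_EXTS = {"pif", "scr", "exe", "zip"}          # HM/HN: single or final extension
DY_SINGLE_EXTS = {"cmd", "pif", "scr", "exe", "zip"}  # DY with a single extension
DY_DOUBLE_FINAL_EXTS = DY_SINGLE_EXTS | {"bat"}       # DY final extension after a decoy

def split_attachment(name: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Return (base, decoy_ext or None, final_ext) lower-cased; None if no extension."""
    parts = name.strip().lower().split(".")
    if len(parts) < 2 or not all(parts):
        return None
    final = parts[-1]
    decoy = parts[-2] if len(parts) >= 3 else None
    base = ".".join(parts[:-2]) if decoy is not None else parts[0]
    return base, decoy, final

def classify(subject: str, attachment: str) -> str:
    """Verdict for one mail: matched write-up, generic decoy pattern, or 'clean'."""
    parts = split_attachment(attachment)
    if parts is None:
        return "clean"
    base, decoy, final = parts
    subj = subject.strip().lower()
    decoyed = decoy in DECOY_EXTS          # DOC/TXT/HTM in front of the real extension
    single = decoy is None
    # Mytob-DY: subject, base name and extension rule must all agree
    if subj in DY_SUBJECTS and base in DY_BASENAMES and (
        (single and final in DY_SINGLE_EXTS) or (decoyed and final in DY_DOUBLE_FINAL_EXTS)
    ):
        return "W32/Mytob-DY"
    # Mytob-HM/HN: subject plus extension rule; the write-ups give no fixed base names
    if subj in HM_SUBJECTS and (single or decoyed) and final in HM_FINAL_EXTS:
        return "W32/Mytob-HM/HN"
    # Generalisation beyond the write-ups: any decoy extension hiding an executable one
    if not single and final in DY_DOUBLE_FINAL_EXTS:
        return "double-extension"
    return "clean"

SAMPLE_MAILS = [  # constructed for the demonstration, not captured traffic
    ("Mail Delivery System", "readme.doc.pif"),
    ("Your password has been updated", "new-password.txt.bat"),
    ("Your password has been updated", "new-password.bat"),  # BAT only valid after a decoy
    ("Hello", "photo.jpg.exe"),
    ("Quarterly figures", "report.pdf"),
]

if __name__ == "__main__":
    for subject, attachment in SAMPLE_MAILS:
        print(f"{classify(subject, attachment):<18} subject={subject!r} attachment={attachment!r}")
```

Subject lines alone are far too common to act on, which is why every verdict above also requires the attachment naming rule to match.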

W32/Sdranck-K
Aug 3, 2005 2:40AM PDT

Type Worm

W32/Sdranck-K is a multi-component network worm.
W32/Sdranck-K drops two files in the following locations:
<System>\tecome.exe
<System>\comete.exe
W32/Sdranck-K then runs these files.
TECOME.EXE is a proxy Trojan detected as Troj/Ranck-Fam. COMETE.EXE is a backdoor Trojan detected as W32/Sdbot-Fam.
The file detected as W32/Sdbot-Fam attempts to spread W32/Sdranck-K to network shares with weak passwords and via network security exploits.

http://www.sophos.com/virusinfo/analyses/w32sdranckk.html

Troj/Tompai-C
Aug 3, 2005 3:20AM PDT

Aliases Backdoor.Win32.Tompai.e

Type Trojan

Troj/Tompai-C is a Trojan for the Windows platform.
Troj/Tompai-C will open a backdoor on the infected system and report the infection by contacting a predefined URL and via email.
Troj/Tompai-C provides a remote user with the functionality to:
- access folders
- change attributes of files/folders
- delete files
- execute files
- shutdown the infected computer

http://www.sophos.com/virusinfo/analyses/trojtompaic.html

W32/Rbot-AJQ
Aug 3, 2005 3:22AM PDT

Aliases
Backdoor.Win32.Rbot.l
W32.Spybot.Worm
WORM_SDBOT.A

Type Spyware Worm

W32/Rbot-AJQ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AJQ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-AJQ spreads:
- to other network computers infected with: Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012), WebDav (MS03-007), MSSQL (MS02-039) (CAN-2002-0649) and Dameware (CAN-2003-1030)
- by copying itself to network shares protected by weak passwords
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AJQ can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotajq.html

W32/Kedebe-E
Aug 3, 2005 3:25AM PDT

Aliases Email-Worm.Win32.Kebede.g

Type Worm

W32/Kedebe-E is a mass-mailing worm for the Windows platform that spreads by sending emails using its own SMTP engine.
W32/Kedebe-E creates the file <original filename>.txt and opens up the Windows Notepad application to display the following text:
'This document cannot be run under old version. <non Roman characters> Please install latest version of Notepad. <non Roman characters> '
W32/Kedebe-E may arrive in the email message with the following characteristics:
The sender's name chosen from:
bill
jack
fred
ted
kevin
david
george
sami
andrew
jose
maria
mary
ray
tom
peter
john
daniel
alex
michael
james
mike
robert
jane
joe
bini
dave
matt
steve
smith
debby
helen
jerry
jimmy
brenda
claudia
sandra
calvin
christoph
julie
linda
adam
brent
alice
anna
Subject title chosen from:
**WARNING** Account Currently Disabled
**WARNING** Your Internet account
*Breaking News* Michael Jackson Died
*IMPORTANT* Microsoft Windows Automatic Update disabled
*IMPORTANT* You Won Diversity Visa Lottery!
[No Subject]
Administrator
Author of Mydoom has been ARRESTED!
FOR GIRLS ONLY!!, Boys
FOR THE LAST TIME!!
Fw: Fw: Osama Bin Laden has been arrested!
Fw: Fw: The 'SECRET' behind John Paul's death
I'm going to somewhere
It seems a good day!!
J Lo with no closes ON!!
John Paul's death and the doctors...
let's chat here...
Make sure u are alone
PaRtY tonight??!
Password
Re: hi
RE: the document
WE NEED TO TALK.
Welcome back
You chat room friend
you_lied
Your Information
Message text chosen from:
'For girls only!!'
'you again!! c ya!'
'no hay sitio para ...!!'
'Are you alone? The have fun Wink'
'This is for the last time. Answer me.'
'I'm back with the password. Hit me back'
'i have found a new chat rooms, see you there.'
'Call me when you finish reading the document'
'We were waiting for u! Group pic is available.'
'Hey we need to talk. Read the attachment and hit me back'
'HeEeLLLoOoOoO! Party tonight???!!! Let me KnOw what's up.'
'I'm on vacation, what about you? Check out my girl, N-A-K-E-D!!'
'hey it's me from the chat room, remember? anyway I've sent u my pic. let me know wussup.'
'Attached is a confidential information about the Webs you browsed. The list was logged since 2004.'
'[The mail client could not display the picture due to high resolution on the graphics. Contents has been attached as a hexadecimal text.]'
'[BODY REMOVED]'
'[NEW DOCUMENT ATTACHED]'
'Microsoft has also released a new form that the sender can fill in and take the money. The sender is urged to send his/her post address to Microsoft or SCO using the attached form.'
'Your IP was logged because you accessed porn related sites. Attached is list of sites you visited and information about your Internet account.'
'someone sent me this document which is stolen from a secret government body and deals about John Paul's death. It says he was killed by two 'doctors' who were hired by some government bodies. The text attached contains all the story behind his death and who these doctors are.'
'We have found that Windows Automatic Update is not enabled on your computer and Windows could not update itself. This may have happened because your system is infected with a latest virus. We recommend you to download updates manually and install on your system. We have sent you Microsoft Windows Malicious Software Removal Tool. Scan your system with this software and delete any file detected as virus. Then try to update Windows.
This message was sent automatically from the Microsoft Windows Update Web site.
Microsoft Corporation (c) 2001-2005. All rights reserved.'
'A new Worm is spreading by using Michael Jackson's death. "After the death of the famous pop star, Michael Jackson, during the acciedent yesterday, new computer Worms appeared to use the news as a subject", said Graham Cluley, senior technology consultant at Sophos. This Worm has 10 different subjects which made it spread widely. All the characterstics of the e-mail are attached in text document. "System and server administrators are advised to read/know the characterstics of the Worm," urges Sophos. Sophos would also like to express its grief about the pop star's death.
Sophos Internet Worm Protection Center.
++Attachment: No Virus Found(Clean text document)
++Scanner: Sophos Anti-virus'
'You have won this year's diversity visa lottery. We reommend you to start the process as soon as possible. Read the attached document for more information.
The Visa Lottery Commite.'
'I have attached it Happy
-Original Message-
From: horst.schaeffer@gmx.net
To: bini@gmx.net
Sent: horst.schaeffer@gmx.net
Subject: the document
> Please send me that document, thanx
>
>
>'
'Microsoft is proud to announce the latest version of Windows-Long Horn. What make this version special is that it is the only Microsoft's product with component's source code available to 3rd party. Full documentation is attached document. We have also included Windows Media Player 10's source code.
Microsoft Corporation (c) 1993 - 2006'
'Microsoft has just annouced the arrest of the author of the Internet Worm "MyDoom". Microsoft says, "Someone sent us an e-mail that has a document about the location where the author live. Even though the information true and led us to the arrest of the author, the sender didn't mention about himself so that we are unable to give him the $500,000 reward. And the author of MyDoom has be found to be a former Microsoft's employee fired becuase of his discipline." Now Microsoft and SCO are confused to whom to give the reward. Microsoft has also released a new form that the sender can fill in and take the money. The sender is urged to send his/her post address to Microsoft or SCO using the attached form.
This message was sent because of your registration at:

To unregister, just go to http://www.bbc.co.uk/'
'Big day huh! What a great surprise! I've just read on Arab site that Osama bin Laden has been arested by the US soldiers. It's lot to talk here. I just copied the whole text in Notepad and attached it. Nice news huh?!'
'You will not be able to log on to your account anymore. See the attac '
'I don't know how to say it, but it is really annoying thing that happened on John Paul the 2nd. He was killed by two 'doctors' who were hired by some security firms. The text attached contains all the story behind his death. Please, try to forward this document to all your relatives and reveal the truth.'
Attachment filenames are compressed Microsoft Cabinet (with the file extension .cab) files with filenames chosen from:
Bin_Laden_Arrested.txt
Info.txt
boys.txt
chat_server
Microsoft_form.doc
message.doc
my_pics.jpeg
JohnPaul_Death.Doc
body.txt
True_Ezin.doc
Hex_Pic.doc
JohnPaul.txt
with_this_girl.jpg
Account.doc
password.doc
you_lied.txt
where_the_party_is.doc
characters.txt
messaggio.doc
document.doc
Removal_tool
your_document.doc
ditail.txt
photo.jpg
files.txt
attached_document.doc
contents.txt
Important.doc
microsoft.doc
Bin_Laden_Arrested
you_lied
party_location.txt
worm_characters.txt
Microsoft_form
read_carefully
Hex_Picture.txt
my_pictur.jpeg
chat_server.txt
my_girl.jpg
Sex stories.txt

http://www.sophos.com/virusinfo/analyses/w32kedebee.html

W32/Rbot-AJP
Aug 3, 2005 3:31AM PDT

Type Worm

W32/Rbot-AJP is a worm for the Windows platform.
W32/Rbot-AJP spreads:
- to other network computers infected with:
Troj/Kuang
Troj/Sub7
Troj/NetDevil
W32/MyDoom
W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilities, including:
LSASS (MS04-011)
RPC-DCOM (MS04-012)
WebDav (MS03-007)
WKS (MS03-049) (CAN-2003-0812)
MSSQL (MS02-039) (CAN-2002-0649)
UPNP (MS01-059) and Dameware (CAN-2003-1030)
- by copying itself to network shares protected by weak passwords
W32/Rbot-AJP includes functionality to:
- steal confidential information including Internet Account Manager and Hotmail user accounts and passwords
- carry out DDoS flooder attacks
- silently download, install and run new software
- access the internet and communicate with a remote server via HTTP
- act as a SOCKS4 proxy
- disable other software, including anti-virus, firewall and security related applications
When first run W32/Rbot-AJP copies itself to \winlogin.exe.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AJP can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotajp.html

Troj/Bload-A
Aug 3, 2005 3:32AM PDT

Troj/Bload-B
Aug 3, 2005 3:34AM PDT

W32/Rbot-AJS
Aug 3, 2005 3:36AM PDT

Aliases W32/Sdbot

Type Worm

W32/Rbot-AJS is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AJS can spread to weakly protected network shares, and via AOL Instant Messenger.
W32/Rbot-AJS runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotajs.html

W32/Tilebot-B
Aug 3, 2005 7:41AM PDT

Aliases WORM_SDBOT.BVR

Type Spyware Worm

W32/Tilebot-B is a worm that attempts to spread to remote network shares. It also contains backdoor functionality, allowing unauthorized remote access to the infected computer via IRC channels.
W32/Tilebot-B spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Tilebot-B allows a remote user to perform a wide range of actions on the infected computer including downloading further files, setting registry entries and stealing information from the computer including from protected storage areas.
W32/Tilebot-B attempts to interfere with and disable certain security related processes.

http://www.sophos.com/virusinfo/analyses/w32tilebotb.html

Troj/Clicker-DF
Aug 3, 2005 7:43AM PDT

Troj/Emcarn-A
Aug 3, 2005 7:46AM PDT

W32/Rbot-AJR
Aug 3, 2005 7:49AM PDT

Aliases
Backdoor.Win32.Rbot.sa
WORM_GAOBOT.BM

Type Spyware Worm

W32/Rbot-AJR is a worm and backdoor for the Windows platform.
W32/Rbot-AJR spreads to other network computers infected with worms from the W32/MyDoom and W32/Bagle families, by exploiting common buffer overflow vulnerabilities, including LSASS, RPC-DCOM and WebDav, and by copying itself to network shares protected by weak passwords.
W32/Rbot-AJR includes functionality to:
- carry out DDoS flooder attacks
- silently download, install and run new software
- access the internet and communicate with a remote server via HTTP
- act as a SOCKS4 proxy
- disable other software, including anti-virus, firewall and security related applications
When W32/Rbot-AJR is installed it creates the file <Windows system folder>\svkp.sys.
The file SVKP.sys is registered as a new system driver service named "SVKP", with a display name of "SVKP" and a startup type of automatic, so that it is started automatically during system startup.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AJR can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx