
VIRUS ALERTS - August 3, 2005

Aug 2, 2005 8:51PM PDT

W32/Rbot-AJO

Aliases
WORM_RBOT.BVE
Backdoor.Win32.Rbot.vi

Type Spyware Worm

W32/Rbot-AJO is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorized remote access to the infected computer via IRC channels while running in the background.
The worm spreads to network shares with weak passwords and also by using the following security exploits:
LSASS (MS04-011)
RPC-DCOM (MS04-012)
WKS (MS03-049) (CAN-2003-0812)
MSSQL (MS02-039) (CAN-2002-0649)
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AJO can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotajo.html

- Collapse -
Dial/Eocha-A
Aug 3, 2005 7:52AM PDT

Aliases
Trojan.Win32.Dialer.jw
TROJ_SMALL.APA
Dialer-496

Type Trojan

Dial/Eocha-A is a dialer application for accessing pornographic material.
When first run, Dial/Eocha-A copies itself to the Desktop and User folders.
Dial/Eocha-A changes the Start Page and security settings for Microsoft Internet Explorer.

http://www.sophos.com/virusinfo/analyses/dialeochaa.html

- Collapse -
W32/Bobax-P
Aug 3, 2005 7:56AM PDT

Aliases
Net-Worm.Win32.Bobic.d
W32.Bobax.worm.gen


Type Virus

W32/Bobax-P is a virus and backdoor for the Windows platform.
W32/Bobax-P communicates with a remote server which will instruct it to perform specific actions.
http://www.sophos.com/virusinfo/analyses/w32bobaxp.html

- Collapse -
W32/Bobax-Q
Aug 3, 2005 8:01AM PDT

Aliases
Net-Worm.Win32.Bobic.d
W32.Bobax.worm.gen


Type Virus

W32/Bobax-Q is a virus and backdoor for the Windows platform.
W32/Bobax-Q communicates with a remote server which will instruct it to perform specific actions.


http://www.sophos.com/virusinfo/analyses/w32bobaxq.html

- Collapse -
Troj/SpyDldr-B
Aug 3, 2005 8:03AM PDT

Aliases Trojan-Downloader.Win32.Agent.bq

Type Trojan

Troj/SpyDldr-B is an advertising Trojan with downloading functionality.
Troj/SpyDldr-B periodically displays the following messages:
WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.
Do you want to learn how to protect your computer?
Your computer might be at risk
Your virus protection status is bad
Spyware Activity Detected
Click this balloon to fix this problem
Clicking on the messages opens a browser window on a page advertising anti-spyware software.
The Trojan attempts to download and run further Trojan files.

http://www.sophos.com/virusinfo/analyses/trojspydldrb.html

- Collapse -
W32/Mytob-KC
Aug 3, 2005 8:06AM PDT

Aliases
WORM_MYTOB.IX
W32.Mytob.AG@mm

Type Spyware Worm


W32/Mytob-KC is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-KC is capable of spreading through email and through various operating system vulnerabilities such as LSASS. Email sent by W32/Mytob-KC has the following properties:
Subject line:
document
Good day
Hello
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status
Message text:
'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'
The attached file consists of a base name followed by the extensions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP.
A patch for the vulnerability exploited by W32/Mytob-KC is available from Microsoft at

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Sophos's anti-virus products include Genotype detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-KC (detected as W32/Mytob-Fam) since version 3.94.

http://www.sophos.com/virusinfo/analyses/w32mytobkc.html

- Collapse -
W32/Bobax-N
Aug 3, 2005 8:34AM PDT

Aliases
Net-Worm.Win32.Bobic.d
W32.Bobax.Z@mm
W32.Proxed

Type Virus

W32/Bobax-N is an email virus for the Windows platform.
W32/Bobax-N has the ability to infect executable files.
W32/Bobax-N can send itself to email addresses harvested from the infected computer.
W32/Bobax-N attempts to contact a number of preconfigured internet sites in order to report successful infection.
Emails sent by the worm have the following characteristics:
Subject line:
Cool
Captured..
He has been captured..
Finally! Captured
Finally
God Bless the USA!
Message text (chosen from):
Saddam Hussein - Attempted Escape, Shot dead
Attached some pics that i found
Osama Bin Laden Captured.
Attached some pics that i found
Testing
Secret!
Hey,
Remember this?
Hello,
Long time! Check this out!
Hey,
I was going through my album, and look what I found..
Hey,
Check this out Happy
+++ Attachment: No Virus found
+++ Panda AntiVirus - You are protected
+++ www.pandasoftware.com
+++ Attachment: No Virus found
+++ Norman AntiVirus - You are protected
+++ www.norman.com
+++ Attachment: No Virus found
+++ F-Secure AntiVirus - You are protected
+++ www.f-secure.com
+++ Attachment: No Virus found
+++ Norton AntiVirus - You are protected
+++ www.symantec.com
"Turn on your TV.
Osama Bin Laden has been captured.
While CNN has no pictures at this point of time, the military channel (PPV) released some pictures.
I managed to capture a couple of these pictures off my TV.
Ive attached a slideshow containing all the pictures I managed to capture.
I apologize for the low quality, its the best I could do at this point of time.
Hopefully CNN will have pictures and a video soon.
God bless the USA!"
Possible attached filename stubs:
pics
funny
bush
joke
secret
Possible attached file extensions:
pif
exe
scr
zip
W32/Bobax-N also attempts to disable the Windows firewall and attempts to suppress Windows security warnings.

http://www.sophos.com/virusinfo/analyses/w32bobaxn.html

- Collapse -
Troj/Angelfre-D
Aug 3, 2005 8:37AM PDT
- Collapse -
W32/Oscabot-M
Aug 3, 2005 8:42AM PDT

Aliases Backdoor.Win32.Aimbot.g

Type Worm

W32/Oscabot-M is an instant messaging worm that can exploit users of AOL Instant Messaging clients.
W32/Oscabot-M connects to a specific channel on an IRC service and waits for a remote attacker to instruct the worm to send messages to contacts in the infected user's AOL contacts list. The message will read:
"Tell me this isn't you!".
The word "this" is a link to the W32/Oscabot-M executable on the infected computer.

http://www.sophos.com/virusinfo/analyses/w32oscabotm.html

- Collapse -
Troj/Winad-K
Aug 3, 2005 8:44AM PDT
- Collapse -
Troj/Feutel-P
Aug 3, 2005 8:48AM PDT

Aliases
Keylog-CN
BackDoor-AWQ.b.dll.gen

Type Spyware Trojan


Troj/Feutel-P is a backdoor Trojan which allows a remote intruder to gain access and control over the computer. It can provide keylogging functionality and steal other information about the host.

http://www.sophos.com/virusinfo/analyses/trojfeutelp.html

- Collapse -
W32/Sdbot-ABE
Aug 3, 2005 8:50AM PDT
- Collapse -
Troj/Feutel-O
Aug 3, 2005 8:53AM PDT
- Collapse -
Troj/BMInst-A
Aug 3, 2005 8:55AM PDT
- Collapse -
Troj/Dadobra-DF
Aug 3, 2005 8:56AM PDT

Aliases Trojan-Downloader.Win32.Dadobra.df

Type Spyware Trojan

Troj/Dadobra-DF is a downloader Trojan for the Windows platform.
Troj/Dadobra-DF includes functionality to capture keystrokes, send email, display bitmap images, access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojdadobradf.html

- Collapse -
Troj/Dloader-RN
Aug 3, 2005 8:58AM PDT
- Collapse -
Download.Trojan
Aug 4, 2005 4:50AM PDT

Hi,

Yesterday I ran a scan and Symantec found what it called the virus "Download.Trojan". This could not be removed or quarantined. It's in the Internet Explorer connection wizard\task 32.exe. Of course it's Windows XP. Is this the same Trojan Downloader you're talking about? Any suggestions? Thanks.

Emme51

- Collapse -
There are 1000's of
Aug 4, 2005 4:57AM PDT

different downloader trojans. You are in the middle of yesterday's Virus Alerts thread. Please start your own thread for your question so it doesn't get lost in this big one.

- Collapse -
Downloader.Trojans
Dec 16, 2005 10:15PM PST

Hi Emma

I've got the same problem as you. Norton/Symantec aren't as great as they say. Indeed, they are totally useless when it comes to this. Your activity log will list a number of Downloader.Trojans, showing "Access denied, Repair failed" for each one. My PC is a Compaq 1421 with Windows XP Home edition. I was advised to remove the virus through "Safe Mode". The only problem with Safe Mode is that access to anything is extremely limited, so much so that you cannot even perform an AntiVirus full system scan to manually remove it. So, basically, "Safe Mode" is totally useless, and does NOT provide any service at all.

You can remove them from your activity log by highlighting them and pressing delete, but only if they are located in your Temporary Files folder, as it is safe to delete anything in this folder, but once you've deleted them from your Activity log, delete the Temp folder immediately afterwards, before the little sods emigrate into your system. Let me know how you get on?

- Collapse -
Troj/Spexta-A
Aug 3, 2005 9:46AM PDT

Aliases
SpamTool.Win32.Delf.h
Spam-SPM
TROJ_DONBOMB.A

Type Trojan

Troj/Spexta-A is a Trojan for the Windows platform.
Troj/Spexta-A may be used to send out spam emails to addresses harvested from the infected system. The Trojan may also download and run further malicious code.
Troj/Spexta-A may arrive as an email attachment in emails claiming to be from "CNN Newsletter" with subject line "TERROR HITS LONDON". The Trojan is included as an attachment with filename "LondonTerrorMovie.zip".

http://www.sophos.com/virusinfo/analyses/trojspextaa.html

- Collapse -
Troj/Ranck-CT
Aug 3, 2005 9:58AM PDT
- Collapse -
Troj/LegMir-AM
Aug 3, 2005 10:00AM PDT
- Collapse -
Troj/Delf-KS
Aug 3, 2005 10:02AM PDT
- Collapse -
Troj/QLowZon-A
Aug 3, 2005 10:38AM PDT
- Collapse -
Troj/Blacklog-A
Aug 3, 2005 10:40AM PDT

Type Spyware Trojan

Troj/Blacklog-A is a keylogger Trojan for the Windows platform.
Troj/Blacklog-A displays a fake error message with the title "KB826929 Setup Error" and the text "Setup cannot update your Windows files because the language installed on your system is different from the update language."
The Trojan may inject itself into the explorer process or register itself as a service process in order to prevent itself from being terminated.
Troj/Blacklog-A records keystrokes to the file servms.dll in the Windows system folder. When this file becomes larger than 30kb, its contents are submitted to the author by email. The file servms.dll may be deleted.

http://www.sophos.com/virusinfo/analyses/trojblackloga.html

- Collapse -
W32/Monkbd-A
Aug 3, 2005 10:42AM PDT

Aliases Backdoor.Win32.Rbot.uj

Type Spyware Worm

W32/Monkbd-A is a keylogger and backdoor worm which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Monkbd-A includes functionality to:
- steal computer information
- log keystrokes and send them to a remote location
W32/Monkbd-A may also attempt to copy itself to network shares.

http://www.sophos.com/virusinfo/analyses/w32monkbda.html

- Collapse -
Troj/IWDL-A
Aug 3, 2005 10:44AM PDT

Aliases
Trojan-Dropper.Win32.VB.ga
Hacktool
TROJ_DLOADER.KK

Type Trojan

Troj/IWDL-A is a Trojan creator for the Windows platform.
Files created by Troj/IWDL-A are detected by Sophos's anti-virus products as Troj/Dloader-PO.

http://www.sophos.com/virusinfo/analyses/trojiwdla.html

- Collapse -
Troj/Iefeat-AK
Aug 3, 2005 10:46AM PDT
- Collapse -
Troj/QQPass-I
Aug 3, 2005 10:48AM PDT
- Collapse -
Troj/QQLoad-A
Aug 3, 2005 10:50AM PDT