Spyware, Viruses, & Security forum

VIRUS ALERTS - August 9, 2005

by roddy32 / August 8, 2005 9:24 PM PDT

W32/Sdbot-ABV

Aliases Backdoor.Win32.SdBot.acx

Type Spyware Worm

W32/Sdbot-ABV is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-ABV runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Sdbot-ABV includes functionality to:
- carry out DDoS flooder attacks
- silently download, install and run new software
- access the internet and communicate with a remote server via HTTP
- steal CD game keys

http://www.sophos.com/virusinfo/analyses/w32sdbotabv.html

Troj/Puper-M
by roddy32 / August 8, 2005 9:26 PM PDT
W32/Agobot-TE
by roddy32 / August 8, 2005 9:28 PM PDT

Aliases Backdoor.Win32.Wisdoor.bf

Type Spyware Worm

W32/Agobot-TE is a network worm which allows a remote intruder to gain access and control over the computer.
W32/Agobot-TE runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32agobotte.html

Troj/Kaiten-L
by roddy32 / August 8, 2005 9:29 PM PDT

Aliases Backdoor.Win32.Katien.r

Type Trojan

Troj/Kaiten-L is a backdoor Trojan for the Windows platform.
Troj/Kaiten-L runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
Troj/Kaiten-L includes functionality to:
- carry out DDoS flooder attacks
- silently download, install and run new software
- access the internet and communicate with a remote server via HTTP

http://www.sophos.com/virusinfo/analyses/trojkaitenl.html

W32/Tilebot-C
by roddy32 / August 8, 2005 9:33 PM PDT

Aliases Backdoor.Win32.SdBot.xd

Type Worm

W32/Tilebot-C is a worm and IRC backdoor Trojan for the Windows platform.
W32/Tilebot-C spreads to other network computers by exploiting common buffer overflow vulnerabilities, including:
LSASS (MS04-011)
RPC-DCOM (MS04-012)
MSSQL (MS02-039) (CAN-2002-0649)
W32/Tilebot-C runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Tilebot-C includes functionality to:
- carry out DDoS flooder attacks
- silently download, install and run new software
- access the internet and communicate with a remote server via HTTP
When first run W32/Tilebot-C creates the file <System>\rdriv.sys.
The file rdriv.sys is detected as Troj/Rootkit-W.
The file rdriv.sys is registered as a new system driver service named "rdriv", with a display name of "rdriv".
The following patches for the operating system vulnerabilities exploited by W32/Tilebot-C can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

http://www.sophos.com/virusinfo/analyses/w32tilebotc.html

W32/Rbot-AJY
by roddy32 / August 8, 2005 9:36 PM PDT

Aliases Backdoor.Win32.Rbot.vq

Type Worm

W32/Rbot-AJY is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AJY spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and WINS (MS04-045) and by copying itself to network shares protected by weak passwords.
W32/Rbot-AJY runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AJY can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotajy.html

Troj/Dloader-RS
by roddy32 / August 8, 2005 9:38 PM PDT

Aliases
Trojan-Dropper.Win32.Agent.hg
BackDoor-CPK
TROJ_DROPPER.BR

Type Trojan

Troj/Dloader-RS is a Trojan for the Windows platform.
Troj/Dloader-RS will drop a file to the current folder with the same name as the executable, except this dropped file will have a DAT extension. This dropped file is a DLL file used to access predefined URLs in order to download and execute files on the infected computer.

http://www.sophos.com/virusinfo/analyses/trojdloaderrs.html

W32/Mytob-ED
by roddy32 / August 9, 2005 12:40 AM PDT

Aliases WORM_MYTOB.JL

Type Worm

W32/Mytob-ED is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-ED includes functionality to change browser settings.
W32/Mytob-ED is capable of spreading through email. Email sent by W32/Mytob-ED has the following properties:
Subject line chosen from:
Abuse report
<random characters>
Message text chosen from:
'After several complaints, we are forced to suspend your e-mail account due to violation of our terms of services. The abuse report is included in the attachment.'
<random characters>
The attached file consists of a base name followed by the extension ZIP. The worm may create double extensions where the first extension is DOC, TXT or HTM and the final extension is BAT, CMD, PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from:
email-doc
<random characters>
W32/Mytob-ED harvests email addresses from files on the infected computer and from the Windows address book.
W32/Mytob-ED modifies the HOSTS file, changing the URL-to-IP mappings for selected websites, therefore preventing normal access to these sites.
Sophos's anti-virus products include Genotype® detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-ED (detected as W32/Mytob-Fam) since version 3.95.

http://www.sophos.com/virusinfo/analyses/w32mytobed.html

W32/Sdbot-ABU
by roddy32 / August 9, 2005 12:42 AM PDT

Aliases Backdoor.Win32.SdBot.act

Type Worm

W32/Sdbot-ABU is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-ABU spreads by copying itself to network shares protected by weak passwords.
W32/Sdbot-ABU runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotabu.html

Troj/KillProc-G
by roddy32 / August 9, 2005 12:48 AM PDT
Troj/Mirjock-B
by roddy32 / August 9, 2005 12:51 AM PDT
Troj/CWS-M
by roddy32 / August 9, 2005 12:53 AM PDT
Troj/Stox-A
by roddy32 / August 9, 2005 12:55 AM PDT
W32/Sdbot-ABW
by roddy32 / August 9, 2005 12:56 AM PDT

Aliases
Backdoor.Win32.SdBot.acw
W32/Sdbot.worm.gen.n

Type Spyware Worm

W32/Sdbot-ABW is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-ABW runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Sdbot-ABW can spread to remote network shares protected by weak passwords.

http://www.sophos.com/virusinfo/analyses/w32sdbotabw.html

W32/Lebreat-E
by roddy32 / August 9, 2005 2:13 AM PDT

Aliases
W32/Reatle.gen
Worm.Mytob.GH

Type Worm

W32/Lebreat-E is a worm and backdoor Trojan for the Windows platform.
W32/Lebreat-E spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011).
W32/Lebreat-E attempts a denial-of-service attack on the sites www.sophos.com and www.kaspersky.com.
W32/Lebreat-E will send itself to email addresses harvested from the infected computer. These emails have subject line "Re_" and message text chosen from the following:
Animals
foto3 and MP3
fotogalary and Music
fotoinfo
Lovely animals
Predators
Screen and Music
The snake
The worm is included as an attachment as either a ZIP file or an executable file with one of the following extensions:
BAT
CMD
COM
CPL
EXE
PIF
SCR
The attachment name is chosen from the following:
Cat
Cool_MP3
Dof
Fish
Garry
MP3
Music_MP3
New_MP3_Player
The attachment filename includes a large number of spaces between the base name and the file extension.
The email From address is spoofed and will appear to come from one of these usernames:
admin
support
The email will appear to come from one of these domains:
aol.com
ca.com
f-secure.com
kaspersky.com
mastercard.com
mcafee.com
msn.com
paypal.com
sarc.com
security.com
securityfocus.com
sophos.com
symantec.com
trendmicro.com
visa.com
yahoo.com
W32/Lebreat-E will avoid sending to email addresses containing the following strings:
@microsoft.com
@mm
bugs@
cafee
f-secure
kasp
ntivi
panda
sopho
symantec
trendmicro
W32/Lebreat-E runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
The system HOSTS file is modified, preventing access to the following web addresses:
127.0.0.1 ca.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mcafee.com
127.0.0.1 pandasoftware.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 us.mcafee.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.sarc.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
Microsoft provides a patch for the LSASS vulnerability at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.sophos.com/virusinfo/analyses/w32lebreate.html
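As an added defensive example (not part of the forum posts or the Sophos analyses), the script below checks for two artefacts the W32/Mytob-ED and W32/Lebreat-E alerts describe: security-vendor domains redirected to loopback in the HOSTS file, and attachment names that use a space-padded or decoy double extension. The sample HOSTS text and filenames are constructed for the demonstration.

```python
import re

# Constructed sample HOSTS content, shaped like the entries listed in the alert
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com   # added by the worm
192.168.1.10 intranet.example.test
"""

# Vendor domains the alerts say get pointed at 127.0.0.1
WATCHED_DOMAINS = ("sophos.com", "symantec.com", "kaspersky.com", "mcafee.com",
                   "f-secure.com", "trendmicro.com", "pandasoftware.com",
                   "ca.com", "nai.com", "sarc.com", "my-etrust.com")

def hijacked_hosts_entries(hosts_text, watched=WATCHED_DOMAINS):
    """Return (ip, hostname) pairs that map a watched vendor domain (or any
    of its subdomains) to a loopback address."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if not ip.startswith("127."):
            continue
        for name in names:
            host = name.lower()
            if any(host == d or host.endswith("." + d) for d in watched):
                hits.append((ip, host))
    return hits

# Final extensions named in the alerts; ZIP is an archive, not an executable
FINAL_EXTS = {"bat", "cmd", "com", "cpl", "exe", "pif", "scr", "zip"}
DECOY_EXTS = {"doc", "txt", "htm"}   # first extension of a Mytob-ED double extension

def attachment_warnings(filename):
    """Return the naming tricks from the alerts that this attachment name shows."""
    reasons = []
    name = filename.strip().lower()
    # W32/Lebreat-E: a long run of spaces pushes the real extension out of view
    if re.search(r" {5,}\.\w+$", name):
        reasons.append("space-padded extension")
    exts = [p.strip() for p in name.split(".")[1:]]
    if exts and exts[-1] in FINAL_EXTS - {"zip"}:
        reasons.append("executable extension")
    # W32/Mytob-ED: a document-looking extension in front of the real one
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and exts[-1] in FINAL_EXTS:
        reasons.append("double extension")
    return reasons

if __name__ == "__main__":
    for hit in hijacked_hosts_entries(SAMPLE_HOSTS):
        print("HOSTS hijack:", hit)
    for fn in ("report.doc", "email-doc.txt.exe", "Cat                .exe"):
        print(repr(fn), attachment_warnings(fn))
```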

Troj/Goldun-Y
by roddy32 / August 9, 2005 2:15 AM PDT

Aliases Trojan-Spy.Win32.Goldun.bg

Type Spyware Trojan

Troj/Goldun-Y is a Trojan component for the Windows platform.
Troj/Goldun-Y is a DLL file that contains functionality to steal information and communicate with a remote website. The Trojan may download and run further malicious code.
Stolen information may relate to E-Gold account details.

http://www.sophos.com/virusinfo/analyses/trojgolduny.html

Troj/Geekmy-A
by roddy32 / August 9, 2005 2:17 AM PDT

Aliases Backdoor.Win32.Agent.kz

Type Spyware Trojan

Troj/Geekmy-A is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
Troj/Geekmy-A includes functionality to:
log keystrokes to \dnslookup.dat

delete files

add or delete registry entries

shutdown the infected computer

steal confidential information

disable other applications

http://www.sophos.com/virusinfo/analyses/trojgeekmya.html

W32/Rbot-AJN
by roddy32 / August 9, 2005 2:20 AM PDT

Aliases Backdoor.Win32.Rbot.d

Type Spyware Worm

W32/Rbot-AJN is a worm and backdoor Trojan for the Windows platform.
W32/Rbot-AJN spreads:
to other network computers infected with: Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix

to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav (MS03-007), MSSQL (MS02-039) (CAN-2002-0649), UPNP (MS01-059) and Dameware (CAN-2003-1030)

by copying itself to network shares protected by weak passwords

W32/Rbot-AJN includes functionality to:
steal confidential information including Internet Account Manager and Hotmail user accounts and passwords

carry out DDoS flooder attacks

silently download, install and run new software

access the internet and communicate with a remote server via HTTP

act as a SOCKS4 proxy

disable other software, including anti-virus, firewall and security related applications

The following patches for the operating system vulnerabilities exploited by W32/Rbot-AJN can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotajn.html

Troj/PurScan-AE
by roddy32 / August 9, 2005 2:26 AM PDT
Troj/Spyjack-C
by roddy32 / August 9, 2005 2:29 AM PDT
Troj/Bancos-DL
by roddy32 / August 9, 2005 2:31 AM PDT
Troj/Mosuck-I
by roddy32 / August 9, 2005 2:33 AM PDT

Aliases
Backdoor.Win32.MoSucker.06
Win32/MoSucker.C
BackDoor-EE
BKDR_MOSUCKER.J

Type Spyware Trojan

Troj/Mosuck-I is a backdoor Trojan for the Windows platform.
The Trojan contains functionality to log keypresses, capture screen and webcam images, steal files, provide a remote command shell and download updates.
When Troj/Mosuck-I is installed the following files are created:
<Windows>\ActiveXExe\<random filename1>.exe - detected as Troj/Mosuck-I
<Windows>\ActiveXExe\<random filename2>.exe - detected as Troj/Mosuck-H
<System>\<random characters>32\<random filename>.exe - detected as Troj/Mosuck

http://www.sophos.com/virusinfo/analyses/trojmosucki.html

Troj/Ciadoor-M
by roddy32 / August 9, 2005 2:35 AM PDT
W32/Sdranck-J
by roddy32 / August 9, 2005 2:36 AM PDT

Type Worm

W32/Sdranck-J is a multi-component network worm.
When run, W32/Sdranck-J creates two files in the winnt\system32 folder:
makeit.exe - detected as W32/Sdbot-Fam
madeit.exe - detected as Troj/Ranck-Fam
Madeit.exe is a member of the Troj/Ranck family of proxy Trojans and makeit.exe is a member of the W32/Sdbot family of network worms. The dropped W32/Sdbot worm spreads W32/Sdranck-J to network shares with weak passwords.

http://www.sophos.com/virusinfo/analyses/w32sdranckj.html

W32/Codbot-Gen
by roddy32 / August 9, 2005 4:15 AM PDT

Type Spyware Worm

Sophos Anti-Virus products detect members of the W32/Codbot family of worms as W32/Codbot-Gen.
Worms detected as W32/Codbot-Gen provide backdoor Trojan functionality to a remote attacker via IRC channels. Such worms may spread to remote network shares with weak passwords in response to a command from a remote attacker.
Members of the W32/Codbot family typically attempt to exploit vulnerabilities, such as the LSASS vulnerability (MS04-011).

http://www.sophos.com/virusinfo/analyses/w32codbotgen.html

Troj/Borobt-Gen
by roddy32 / August 9, 2005 4:16 AM PDT

Type Trojan

Sophos Anti-Virus products detect members of the Troj/Borobot family of Trojans as Troj/Borobt-Gen.
Members of the Troj/Borobot family allow unauthorised remote access to the computer via a network and may download and execute files from remote websites if instructed to do so.

http://www.sophos.com/virusinfo/analyses/trojborobtgen.html

W32/Mytob-JM
by roddy32 / August 9, 2005 6:29 AM PDT

Aliases Net-Worm.Win32.Mytob.gen

Type Worm

W32/Mytob-JM is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-JM spreads through email. W32/Mytob-JM harvests email addresses from files on the infected computer and from the Windows address book. Email sent by W32/Mytob-JM has the following properties:
Subject line:
*DETECTED* Online User Violation
*WARNING* Your Email Account Will Be Closed
Account Alert
Email Account Suspension
Important Notification
Notice of account limitation
Notice: **Last Warning**
Security measures
Your Email Account is Suspended For Security Reasons
Message text:
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
The original message has been included as an attachment.
We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
We attached some important information regarding your account.
Please read the attached document and follow it's instructions.
Sophos's anti-virus products include Genotype® detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-JM (detected as W32/MyTob-Fam) since version 3.94.

http://www.sophos.com/virusinfo/analyses/w32mytobjm.html

Troj/Ablank-AH
by roddy32 / August 9, 2005 6:30 AM PDT

Aliases
TROJ_STARTPAG.ZL
Trojan.Win32.StartPage.uz
StartPage-DU.dll
Trojan.StartPage

Type Trojan

Troj/Ablank-AH is a browser hijacking Trojan for the Windows platform.
Troj/Ablank-AH changes settings for Internet Explorer and intercepts attempts to view the home page, instead showing an HTML file contained in the Trojan.

http://www.sophos.com/virusinfo/analyses/trojablankah.html

Troj/Blanfon-A
by roddy32 / August 9, 2005 6:32 AM PDT

Type Trojan

Troj/Blanfon-A is a Trojan for the Symbian operating system. The Trojan is packaged as a Symbian SIS (Symbian installation system) file. The file may have been planted by the Trojan writers on freeware Symbian web sites.
When the Trojan SIS file is installed a font file panic.gdr is installed onto the device into the folder c:\system\fonts. The file causes the device to stop displaying text as the installed font is blank.

http://www.sophos.com/virusinfo/analyses/trojblanfona.html

Troj/Inor-P
by roddy32 / August 9, 2005 6:34 AM PDT

Aliases
Trojan-Dropper.VBS.Inor.cz
VBS/Inor

Type Trojan

Troj/Inor-P is a dropper Trojan written in VB Script.
Troj/Inor-P drops and executes the file C:\netlog.exe. This file is currently detected as Troj/Borodldr-G.
Troj/Inor-P may claim to be a Microsoft Update Wizard package.

http://www.sophos.com/virusinfo/analyses/trojinorp.html

Troj/Borodldr-G
by roddy32 / August 9, 2005 6:36 AM PDT

Aliases Downloader-WN

Type Trojan

Troj/Borodldr-G is a downloader Trojan.
Troj/Borodldr-G attempts to download and execute a file from http://zone.megaspaware.com to WIN32SBB.EXE in the Windows system folder or temporary files folder. This file is currently detected as Troj/Borobot-K.
Troj/Borodldr-G has been seen dropped by Troj/Inor-P.
Sophos's anti-virus products include Genotype® detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against Troj/Borodldr-G (detected as Troj/Borodr-Fam) since version 3.92.

http://www.sophos.com/virusinfo/analyses/trojborodldrg.html

