
VIRUS ALERTS - December 10, 2005

Dec 9, 2005 8:34PM PST

W32/Sdbot-AGD

Type
Worm

W32/Sdbot-AGD is a worm and IRC backdoor Trojan for the Windows platform.

W32/Sdbot-AGD spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Sdbot-AGD runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AGD can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

http://www.sophos.com/virusinfo/analyses/w32sdbotagd.html

Troj/LdPinch-CI
Dec 9, 2005 8:36PM PST

Troj/Bancban-KJ
Dec 9, 2005 8:37PM PST

Type
Spyware Trojan

Aliases
Trojan-Spy.Win32.Banker.ahy

Troj/Bancban-KJ is a Trojan for the Windows platform.

Troj/Bancban-KJ attempts to log information sent to certain websites and online banking applications. The Trojan may display fake user interfaces in order to persuade the user to enter confidential details. Stolen information is sent by email to a remote user.

http://www.sophos.com/virusinfo/analyses/trojbancbankj.html

Troj/Banklis-A
Dec 9, 2005 8:39PM PST

Troj/BanBot-A
Dec 9, 2005 9:06PM PST

Type
Spyware Trojan

Aliases
BackDoor-CSN

Troj/BanBot-A is a backdoor Trojan for the Windows platform.

Troj/BanBot-A can receive commands from a remote intruder to send and receive files remotely, execute code, delete files, steal passwords and hijack the mouse and keyboard.

http://www.sophos.com/virusinfo/analyses/trojbanbota.html

Troj/DNSBust-D
Dec 9, 2005 9:08PM PST

W32/Sdbot-AGB
Dec 9, 2005 9:09PM PST

Type
Worm

W32/Sdbot-AGB is a worm and IRC backdoor Trojan for the Windows platform.

W32/Sdbot-AGB runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotagb.html

W32/Rbot-BAP
Dec 9, 2005 9:11PM PST

Type
Worm

Aliases
WORM_RBOT.DAT

W32/Rbot-BAP is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-BAP spreads:

- to other network computers infected with: Troj/Kuang, W32/Sasser, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), UPNP (MS01-059), WINS (MS04-045), Dameware (CAN-2003-1030) and MSSQL (MS02-039) (CAN-2002-0649)
- by copying itself to network shares protected by weak passwords

W32/Rbot-BAP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbap.html

W32/Rbot-BAQ
Dec 9, 2005 9:19PM PST

W32/Rbot-BAT
Dec 9, 2005 9:21PM PST

Type
Worm

W32/Rbot-BAT is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-BAT spreads:

- to other network computers infected with: Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav (MS03-007) and Dameware (CAN-2003-1030)
- to other network computers running MSSQL servers protected by weak passwords
- by copying itself to network shares protected by weak passwords

W32/Rbot-BAT runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbat.html

W32/Rbot-BAV
Dec 9, 2005 9:22PM PST

Type
Worm

W32/Rbot-BAV is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-BAV spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), Veritas (CAN-2004-1172), MSSQL (MS02-039) (CAN-2002-0649) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Rbot-BAV runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbav.html

W32/Rbot-BAW
Dec 9, 2005 9:24PM PST

Type
Worm

W32/Rbot-BAW is a network worm for the Windows platform.

W32/Rbot-BAW spreads:

- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), Veritas (CAN-2004-1172), MSSQL (MS02-039) (CAN-2002-0649), PNP (MS05-039), IMAIL Server and ASN.1 (MS04-007)
- via the MSN, Yahoo and AOL Instant Messenger programs
- to other network computers running MSSQL servers protected by weak passwords
- by copying itself to network shares protected by weak passwords.

W32/Rbot-BAW runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbaw.html

W32/Rbot-BAX
Dec 9, 2005 9:25PM PST

Type
Worm

W32/Rbot-BAX is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-BAX spreads:

- to other network computers infected with Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011) and RPC-DCOM (MS04-012)
- by copying itself to network shares protected by weak passwords

W32/Rbot-BAX runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbax.html

W32/Rbot-BAY
Dec 9, 2005 9:27PM PST

Type
Worm

Aliases
Backdoor.Win32.Rbot.adf

W32/Rbot-BAY is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-BAY spreads:

- to other network computers infected with: Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware (CAN-2003-1030) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-BAY runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbay.html

W32/Agobot-UJ
Dec 10, 2005 1:47AM PST

Type
Worm

Aliases
Backdoor.Win32.Agobot.gen
W32/Gaobot.worm.gen.d
Win32/Agobot.NGJ
W32.Gaobot.ALV
WORM_AGOBOT.TS

W32/Agobot-UJ is a worm and IRC backdoor Trojan for the Windows platform.

W32/Agobot-UJ spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and WebDav (MS03-007) and by copying itself to network shares protected by weak passwords.

W32/Agobot-UJ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Agobot-UJ copies itself to the %CurrentFolder%\ folder and to:

<System>\svchostt.exe
<System>\svchostt.exe.poly
<System>\winhlpp32.exe

http://www.sophos.com/virusinfo/analyses/w32agobotuj.html

Troj/Dloade-AAH
Dec 10, 2005 1:49AM PST

Type
Trojan

Aliases
Trojan-Dropper.Win32.Delf.ev
Downloader.ab
Trojan.Dropper
TROJ_DELF.EV

Troj/Dloade-AAH is a Trojan for the Windows platform.

Troj/Dloade-AAH includes functionality to download, install and run new software.

When Troj/Dloade-AAH is installed the following files are created:

<Temp>\atiupdate.exe
<System>\msshed32.exe

http://www.sophos.com/virusinfo/analyses/trojdloadeaah.html

Troj/ExeBund-C
Dec 10, 2005 1:51AM PST

Troj/Dloadr-ABO
Dec 10, 2005 1:54AM PST

Troj/Banload-FK
Dec 10, 2005 1:56AM PST

Troj/Bancban-LC
Dec 10, 2005 2:02AM PST

Type
Spyware Trojan

Aliases
Trojan-Spy.Win32.Banbra.df
PWS-Banker.gen.ba
PWSteal.Banpaes

Troj/Bancban-LC is a password stealing Trojan for the Windows platform.

Troj/Bancban-LC includes functionality to access the internet and communicate with a remote server via HTTP.

Troj/Bancban-LC targets the customers of certain Brazilian online banking websites by attempting to steal account details.

http://www.sophos.com/virusinfo/analyses/trojbancbanlc.html

Troj/Cimuz-O
Dec 10, 2005 2:06AM PST

Type
Trojan

Aliases
Trojan-Proxy.Win32.Cimuz.bz

Troj/Cimuz-O includes functionality to access the internet and communicate with a remote server via HTTP.

Troj/Cimuz-O acts as a proxy server, and may download and execute remote files.

http://www.sophos.com/virusinfo/analyses/trojcimuzo.html

Troj/Asune-A
Dec 10, 2005 2:07AM PST

Type
Trojan

Troj/Asune-A is a Trojan for the Windows platform.

Troj/Asune-A includes functionality to access the internet and communicate with a remote server via HTTP. The Trojan attempts to download and execute code.

Troj/Asune-A also launches Windows Notepad.

http://www.sophos.com/virusinfo/analyses/trojasunea.html

Troj/Dloadr-ABN
Dec 10, 2005 2:09AM PST

W32/Kelvir-BQ
Dec 10, 2005 2:11AM PST