
VIRUS ALERTS - December 13, 2005

Dec 12, 2005 9:00PM PST

Troj/Stinx-M

Type
Spyware Trojan

Aliases
BKDR_BREPLIBOT.M
Backdoor.Win32.Breplibot.n

Troj/Stinx-M is a backdoor Trojan for the Windows platform.

Troj/Stinx-M can be instructed to delete, download and execute files.

Sophos's anti-virus products include Genotype® detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against Troj/Stinx-M (detected as Troj/Stinx-Fam) since version 3.98.

http://www.sophos.com/virusinfo/analyses/trojstinxm.html

Troj/Iefeat-AS
Dec 12, 2005 11:20PM PST

Type
Trojan

Aliases
Trojan-Downloader.Win32.WinShow.bg
AdClicker-AJ.gen

Troj/Iefeat-AS is a browser hijacking Trojan for the Windows platform.

Troj/Iefeat-AS may be installed to the Windows system folder, and may also drop a helper component detected by Sophos as Troj/Dloader-AQ.

http://www.sophos.com/virusinfo/analyses/trojiefeatas.html

Troj/Agent-FR
Dec 12, 2005 11:21PM PST
W32/Tilebot-CF
Dec 12, 2005 11:23PM PST

Type
Worm

Aliases
Backdoor.Win32.SdBot.aad
Sdbot.worm.gen.l

W32/Tilebot-CF is a worm and IRC backdoor Trojan for the Windows platform.

W32/Tilebot-CF spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: WKS (MS03-049) (CAN-2003-0812), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Tilebot-CF runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32tilebotcf.html

W32/Rbot-BBQ
Dec 12, 2005 11:30PM PST

Type
Worm

Aliases
Backdoor.Win32.Rbot.aie
Sdbot.worm.gen.l
W32.Spybot.Worm

W32/Rbot-BBQ is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-BBQ spreads:

- to other network computers infected with: Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware (CAN-2003-1030) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-BBQ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbbq.html

W32/Rbot-BBR
Dec 12, 2005 11:32PM PST

Type
Worm

W32/Rbot-BBR is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-BBR runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbbr.html

W32/Sdbot-AGS
Dec 12, 2005 11:34PM PST

Type
Worm

W32/Sdbot-AGS is a network worm and IRC backdoor Trojan for the Windows platform.

W32/Sdbot-AGS runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Sdbot-AGS copies itself to <System>\lo71.exe

W32/Sdbot-AGS also creates the following files:

\msdirectx.sys
\xz.bat

The file msdirectx.sys is detected as Troj/NtRootK-F.

The file xz.bat is a batch file that attempts to stop the Security Center, Internet Connection Sharing and SharedAccess services.

http://www.sophos.com/virusinfo/analyses/w32sdbotags.html

W32/Lewor-AA
Dec 12, 2005 11:36PM PST

Type
Spyware Worm

Aliases
IM-Worm.Win32.Lewor.aa
Generic

W32/Lewor-AA is a worm for the Windows platform.

W32/Lewor-AA may spread via instant messenger applications.

W32/Lewor-AA includes functionality to download, install and run new software, to log keypresses, and to email the information it steals to a remote user.

W32/Lewor-AA also attempts to terminate certain security related applications, and to delete their run-keys from the registry to prevent their automatic startup.

W32/Lewor-AA may change settings for Microsoft Internet Explorer, including the Start Page and Search Page.

http://www.sophos.com/virusinfo/analyses/w32leworaa.html

Troj/Borobot-X
Dec 13, 2005 8:27AM PST
Troj/Borodr-B
Dec 13, 2005 8:28AM PST

Type Trojan

Troj/Borodr-B is a Trojan for the Windows platform.
The Trojan downloads and executes a file from a remote site. At the time of writing, the downloaded file is detected by Sophos's anti-virus products as Troj/Borobot-X.

http://www.sophos.com/virusinfo/analyses/trojborodrb.html

Troj/Bancban-LL
Dec 13, 2005 8:29AM PST

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Banbra.df

Troj/Bancban-LL is a Trojan for the Windows platform.
The Trojan monitors desktop windows for browser sessions with web sites related to banking and financial services. The Trojan steals login credentials and sends the stolen information to a remote attacker.

http://www.sophos.com/virusinfo/analyses/trojbancbanll.html

Troj/Singu-C
Dec 13, 2005 8:30AM PST
Troj/SunDir-A
Dec 13, 2005 8:31AM PST

Type Trojan

Aliases Exploit.SunOS.Small.a
Backdoor.SunOS.Small.a

Troj/SunDir-A tries to take advantage of either of two Solaris directory-traversal vulnerabilities in order to load a malicious kernel module. The kernel module (also detected as Troj/SunDir-A) is then used to provide an unprivileged user with a shell with root privileges.
The following patches for the operating system vulnerabilities exploited by Troj/SunDir-A can be obtained from the Sun website:
49131
57479

http://www.sophos.com/virusinfo/analyses/trojsundira.html

Troj/FireFly-A
Dec 13, 2005 8:31AM PST
Troj/LegMir-BY
Dec 13, 2005 8:32AM PST
Troj/NtRootK-J
Dec 13, 2005 8:33AM PST

Type Trojan

Aliases Backdoor.Win32.Rootodor.a

Troj/NtRootK-J is a Trojan for the Windows platform.
Troj/NtRootK-J stealths itself by hiding the folder RtKit from the Windows Explorer.
Troj/NtRootK-J includes functionality to:
- steal confidential information and log keystrokes
- carry out DDoS flooder attacks
- silently download software
- hide registry entries
- hide folders
- list, hide and terminate processes
- open a remote command shell

http://www.sophos.com/virusinfo/analyses/trojntrootkj.html

Troj/GrayBrd-G
Dec 13, 2005 8:34AM PST

Type Trojan

Aliases Backdoor.Win32.Delf.aeo

Troj/GrayBrd-G is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
Troj/GrayBrd-G includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojgraybrdg.html

Troj/Hackvan-B
Dec 13, 2005 8:35AM PST
Troj/GrayBrd-H
Dec 13, 2005 8:36AM PST

Type Trojan

Aliases Backdoor.Win32.Hupigon.fo

Troj/GrayBrd-H is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
Troj/GrayBrd-H includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojgraybrdh.html

W32/Rbot-BBU
Dec 13, 2005 8:37AM PST

Type Worm

Aliases WORM_SDBOT.CUP

W32/Rbot-BBU is a network worm and backdoor Trojan for the Windows platform.
W32/Rbot-BBU spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Rbot-BBU runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbbu.html

W32/Mytob-OZ
Dec 13, 2005 8:38AM PST

Type Worm

Aliases Net-Worm.Win32.Mytob.bf

W32/Mytob-OZ is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-OZ spreads through email. W32/Mytob-OZ harvests email addresses from files on the infected computer and from the Windows address book. Email sent by W32/Mytob-OZ has the following properties:
Subject line:
Account Alert
Message text:
Dear Valued Member,
According to our terms of services, you will have to confirm your e-mail by the following link, or your account will be suspended within 24 hours for security reasons.
After following the instructions in the sheet, your account will not be interrupted and will continue as normal.
Thanks for your attention to this request. We apologize for any inconvenience.
<a href="http://<URL>/Confirmation_Sheet.pif">
http://www.<string>/confirm.php?account=%s</a>
Sincerely, <string> Security Department
In the above message text <string> will be replaced by text extracted from harvested email addresses.

http://www.sophos.com/virusinfo/analyses/w32mytoboz.html

Troj/Darro-A
Dec 13, 2005 8:39AM PST
W32/Mytob-LC
Dec 13, 2005 8:40AM PST

Type Spyware Worm

Aliases WORM_MYTOB.LC

W32/Mytob-LC is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-LC spreads through email. W32/Mytob-LC harvests email addresses from files on the infected computer and from the Windows address book. Email sent by W32/Mytob-LC has the following properties:
Subject line:
Account Alert
Message text:
Dear Valued Member,
According to our terms of services, you will have to confirm your e-mail by the following link, or your account will be suspended within 24 hours for security reasons.
After following the instructions in the sheet, your account will not be interrupted and will continue as normal.
Thanks for your attention to this request. We apologize for any inconvenience.
<a href="http://<URL>/Confirmation_Sheet.pif">
http://www.<string>/confirm.php?account=%s</a>
Sincerely, <string> Security Department
In the above message text <string> will be replaced by text extracted from harvested email addresses.

http://www.sophos.com/virusinfo/analyses/w32mytoblc.html
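A defender-side check for the lure quoted in the W32/Mytob-OZ and W32/Mytob-LC posts above, added here as an example and not code from the posts or from Sophos; the email sample is constructed, with 203.0.113.5 as a placeholder host:

```python
# Added example (not Sophos's or the poster's code): flag the W32/Mytob "Account Alert" lure quoted above.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_SUFFIXES = (".pif", ".exe", ".scr", ".com", ".bat", ".cmd")

class _Anchors(HTMLParser):  # collects (href, visible text) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Hrefs that point at an executable while the link text shows a different URL."""
    parser = _Anchors()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        target = urlparse(href)
        if not target.path.lower().endswith(EXECUTABLE_SUFFIXES):
            continue
        shown = urlparse(text) if text.lower().startswith("http") else None
        if shown is None or (shown.netloc, shown.path) != (target.netloc, target.path):
            hits.append(href)  # executable hidden behind plain text or another URL
    return hits

def is_mytob_lure(raw_message):
    # True when the subject is the Mytob one and the body carries a disguised executable link.
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return (msg["Subject"] or "").strip() == "Account Alert" and bool(suspicious_links(html))

# Constructed sample in the shape the advisory describes; 203.0.113.5 is a placeholder address.
SAMPLE = """Subject: Account Alert
Content-Type: text/html

<a href="http://203.0.113.5/Confirmation_Sheet.pif">http://www.example.test/confirm.php?account=user</a>
"""
```

The same href/text mismatch test catches the general pattern of an executable link dressed up as a web page, not only this worm's wording.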

Troj/GrayBrd-F
Dec 13, 2005 8:41AM PST
Troj/DcmDown-B
Dec 13, 2005 8:42AM PST
Troj/DcmBot-F
Dec 13, 2005 8:43AM PST
W32/Mytob-GD
Dec 13, 2005 8:43AM PST
W32/Sdbot-AGT
Dec 13, 2005 3:00PM PST

Type Worm

W32/Sdbot-AGT is a network worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AGT runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Sdbot-AGT copies itself to <System>\lo71.exe
W32/Sdbot-AGT also creates the following files:
\msdirectx.sys
\xz.bat
The file msdirectx.sys is detected as Troj/NtRootK-F.
The file xz.bat is a batch file that attempts to stop the Security Center, Internet Connection Sharing and SharedAccess services. This file is detected as Troj/KillProc-A.

http://www.sophos.com/virusinfo/analyses/w32sdbotagt.html

Troj/Banload-ID
Dec 13, 2005 3:01PM PST

Type Trojan

Aliases TrojanDownloader.Win32.Banload.id

Troj/Banload-ID is a Trojan for the Windows platform.
The Trojan downloads files from a remote site. The downloaded files may contain additional instructions for further downloads, email addresses to report to and data to send via MSN Messenger.

http://www.sophos.com/virusinfo/analyses/trojbanloadid.html

W32/Kelvir-ED
Dec 13, 2005 3:02PM PST
Troj/AdClick-BI
Dec 13, 2005 3:03PM PST