VIRUS ALERTS - December 14, 2005

Type Spyware Worm

Aliases Backdoor.Win32.Landis.b

W32/Chode-E is a worm with IRC backdoor functionality.
W32/Chode-E attempts to spread via MSN Instant Messenger, by sending users a message "hey, is this you?" and a link. The link points to a copy of the worm.
The worm includes backdoor functionality to do any of the following:
send emails
download updates
participate in denial-of-service attacks
steal passwords
disable anti-virus products
modify the system HOSTS file

http://www.sophos.com/virusinfo/analyses/w32chodee.html

Type Worm

Aliases Net-Worm.Win32.Mytob.bi
W32/Polybot@MM
W32.Gaobot.gen!poly
WORM_MYTOB.IU

W32/Mytob-EC is a worm and IRC backdoor Trojan for the Windows platform.
W32/Mytob-EC runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
Emails sent by W32/Mytob-EC sends emails in the following format, with details filled in to make the email look more authentic:
Subject line:
"Your password has been updated"
"Your password has been successfully updated"
"You have successfully updated your password"
"Your new account password is approved"
"Your Account is Suspended"
"*DETECTED* Online User Violation"
"Your Account is Suspended For Security Reasons"
"Warning Message: Your services near to be closed."
"Important Notification"
"Members Support"
"Security measures"
"Email Account Suspension"
"Notice of account limitation"

MORE: http://www.sophos.com/virusinfo/analyses/w32mytobec.html

Type Worm

Aliases Net-Worm.Win32.Mytob.bi
W32/Polybot@MM
W32.Gaobot.gen!poly
WORM_MYTOB.IU

W32/Mytob-EB is a worm and IRC backdoor Trojan for the Windows platform.
W32/Mytob-EB runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
Emails sent by W32/Mytob-EB sends emails in the following format, with details filled in to make the email look more authentic:
Subject line:
"Your password has been updated"
"Your password has been successfully updated"
"You have successfully updated your password"
"Your new account password is approved"
"Your Account is Suspended"
"*DETECTED* Online User Violation"
"Your Account is Suspended For Security Reasons"
"Warning Message: Your services near to be closed."
"Important Notification"
"Members Support"
"Security measures"
"Email Account Suspension"
"Notice of account limitation"

MORE: http://www.sophos.com/virusinfo/analyses/w32mytobeb.html

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Bancos.dr
PWS-Banker.gen.l

Troj/Bancos-DS is an information stealing Trojan for the Windows platform.
Troj/Bancos-DS targets the customers of certain Brazilian internet banking websites and records account details.

http://www.sophos.com/virusinfo/analyses/trojbancosds.html

Type Spyware Worm

Aliases WORM_RBOT.BYW
Backdoor.Win32.Codbot.ai

W32/Codbot-Q is a worm and IRC backdoor for the Windows platform.
W32/Codbot-Q spreads to other network computers by exploiting common buffer overflow vulnerabilites, including: LSASS (MS04-011), RPC-DCOM (MS04-012) and MSSQL (MS02-039) (CAN-2002-0649).
W32/Codbot-Q runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The following patches for the operating system vulnerabilities exploited by W32/Codbot-Q can be obtained from the Microsoft website:
MS02-039
MS04-011
MS04-012

http://www.sophos.com/virusinfo/analyses/w32codbotq.html

Type Trojan

Aliases Trojan-Downloader.Win32.Delf.qv

Troj/Lewor-B is a Trojan for the Windows platform.
Troj/Lewor-B will attempt to terminate processes.
Troj/Lewor-B includes functionality to access the internet and communicate with a remote server via HTTP.
Troj/Lewor-B changes the Start Page for Microsoft Internet Explorer.

http://www.sophos.com/virusinfo/analyses/trojleworb.html

Type Trojan

Aliases Trojan-Dropper.Win32.VB.gp

Troj/StartPa-HC changes browser settings for Microsoft Internet Explorer.
Troj/StartPa-HC periodically changes the Start Page for Microsoft Internet Explorer.

http://www.sophos.com/virusinfo/analyses/trojstartpahc.html

Type Trojan

Aliases BKDR_RA.AB
Backdoor.Win32.RA-based.f

Troj/RaHack-B is a Trojan for the Windows platform.
The Trojan scans IP addresses incrementally, searching for an open RAdmin Server, and may attempt to gain entry using a list of weak passwords.

http://www.sophos.com/virusinfo/analyses/trojrahackb.html

Type Worm

Aliases Backdoor.Win32.Rbot.akx

W32/Rbot-BCC is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-BCC runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The worm attempts to spread by copying itself to remote network shares with weak passwords and by exploiting the following system vulnerabilities: LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav (MS03-007) and UPNP (MS01-059).

http://www.sophos.com/virusinfo/analyses/w32rbotbcc.html

Type Spyware Worm

Aliases WORM_RBOT.CUG

W32/Rbot-CUG is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Rbot-CUG spreads using a variety of techniques including:
-exploiting weak passwords on computers and SQL servers
-exploiting operating system vulnerabilities such as LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), UPNP (MS01-059) and Dameware (CAN-2003-1030)
-using backdoors opened by other worms or Trojans.
W32/Rbot-CUG can be controlled by a remote attacker over IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotcug.html

Type Worm

Aliases Backdoor.Win32.Agent.on
W32/Sdbot.MFL

W32/Rbot-BBX is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-BBX spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012) and ASN.1 (MS04-007).
W32/Rbot-BBX runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbbx.html

Type Worm

Aliases Backdoor.Win32.SdBot.ajg
WORM_SDBOT.CUD

W32/Tilebot-CG is a worm and IRC backdoor Trojan for the Windows platform.
W32/Tilebot-CG runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Tilebot-CG exploits the following sofwtare vulnerabilities:
LSASS (MS04-011)
RPC-DCOM (MS04-012)
PNP (MS05-039)
ASN.1 (MS04-007)
W32/Tilebot-CG includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/w32tilebotcg.html

Type Worm

Aliases Backdoor.Win32.SdBot.ajn
W32/Sdbot.worm

W32/Sdbot-AGP is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AGP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Sdbot-AGP attempts to spread by exploiting the following vulnerabilities:
LSASS (MS04-011), RPC-DCOM (MS04-012) and ASN.1 (MS04-007). The worm may also spread to remote network shares with weak passwords.

http://www.sophos.com/virusinfo/analyses/w32sdbotagp.html

Type Worm

Aliases Backdoor.Win32.Rbot.gen
W32/Sdbot.MFS

W32/Sdbot-AGL is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AGL spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Sdbot-AGL runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotagl.html

Type Worm

W32/Delf-LY is a worm for the Windows platform.
W32/Delf-LY spreads via file sharing on P2P networks.
When first run W32/Delf-LY copies itself to:
<System>\keygen.exe
<System>\svchost.exe
and creates zipped copies of itself in P2P related folders

http://www.sophos.com/virusinfo/analyses/w32delfly.html

Type Trojan

Aliases Trojan-Proxy.Win32.Ranky.de
Trojan-Proxy.Win32.Agent.ic

Troj/Proxy-AA is a proxy Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojproxyaa.html

Type Trojan

Aliases Trojan-PSW.Win32.Lineage.oi
PWS-Lineage.dll

Troj/LineKit-B is an application which creates password stealing Trojans for the
Windows platform.
Trojans generated by Troj/LineKit-B are detected as Troj/Lineage-BW.

http://www.sophos.com/virusinfo/analyses/trojlinekitb.html

Type Trojan

Aliases Backdoor.Win32.Bifrose.iv
BackDoor-CEP

Troj/Bckdr-C is a Trojan for the Windows platform.
Troj/Bckdr-C includes functionality to access the internet and communicate with a remote server via HTTP.
When first run Troj/Bckdr-C copies itself to <Windows>\svchost.exe and creates the following files:
<Windows>\SysPr.prx
<Windows>\plugin1.dat

http://www.sophos.com/virusinfo/analyses/trojbckdrc.html

Type Trojan

Troj/Webdrop-E is a Trojan dropper for Windows based systems.
Troj/Webdrop-E exploits browser-related vulnerabilities to download and run malicious code.

http://www.sophos.com/virusinfo/analyses/trojwebdrope.html

Type Spyware Trojan

Aliases Trojan-PSW.Win32.Lineage.mz

Troj/Lineage-BW is a password stealing Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojlineagebw.html

Type Spyware Trojan

Aliases Backdoor.Win32.Agent.qe
BackDoor-AWQ.b
PWSteal.Trojan
TSPY_DRAGENT.A

Troj/Agent-FW is a backdoor Trojan for the Windows platform.
Troj/Agent-FW includes password stealing functionality and functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojagentfw.html

Type Trojan

Aliases Trojan-Downloader.Win32.Zlob.cs

Troj/Zlob-CS is a malware component which may be used by downloader Trojans to decrypt files which have been encrypted in an attempt to avoid detection.

http://www.sophos.com/virusinfo/analyses/trojzlobcs.html

Type Trojan

Aliases Spyaxe trojan

Troj/Spyaks-A is a Trojan for the Windows platform.
The Trojan downloads and installs additional files from a remote site.
Troj/Spyaks-A may create popup alerts with the title "Your computer is infected!" and the message text:

Dangerous malware infection was detected on your PC
The system will now download and install most efficient anti malware program to prevent data loss and your private information theft.
Click here to protect your computer from the biggest malware threats.


http://www.sophos.com/virusinfo/analyses/trojspyaksa.html

Type Trojan

Aliases Trojan-Proxy.Win32.Horst.g

Troj/Horst-B is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
Troj/Horst-B includes functionality to
- download, install and run new software
- communicate with a remote user via HTTP
- start a Proxy server
To prevent the user from becoming aware that their computer is infected, The Trojan looks for windows containing any of the following text, and tries to gives a response that will allow it to carry on undetected:
Create rule for <Trojan filename>
Warning: Components Have Changed
Hidden Process Requests Network Access
Windows Security Alert
Allow all activities for this application
AnVir Task Manager
Remember this answer the next time I use this program

http://www.sophos.com/virusinfo/analyses/trojhorstb.html

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Bancos.ha

Troj/Bancos-FV is an internet banking Trojan for the Windows platform.
When first run Troj/Bancos-FV copies itself to <Windows>\kernels32.exe.

http://www.sophos.com/virusinfo/analyses/trojbancosfv.html

Type Worm

Aliases WORM_MYTOB.MV
Net-Worm.Win32.Mytob.do

W32/Mytob-FU is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-FU spreads through email. W32/Mytob-FU harvests email addresses from files on the infected computer and from the Windows address book. Email sent by W32/Mytob-FU has the following properties:
Subject line:
Your password has been updated
Your password has been successfully updated
You have successfully updated your passworq
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation

MORE: http://www.sophos.com/virusinfo/analyses/w32mytobfu.html

Type Trojan

Aliases Trojan-Downloader.Win32.Small.bqy

Troj/Small-BQY is a Trojan for the Windows platform.
Troj/Small-BQY hooks Windows Explorer and attempts to use it to download, install and run further malware.

http://www.sophos.com/virusinfo/analyses/trojsmallbqy.html