
General discussion

VIRUS ALERTS - December 14, 2005

Dec 13, 2005 10:23PM PST

W32/Chode-E
Dec 14, 2005 8:13AM PST

Type Spyware Worm

Aliases Backdoor.Win32.Landis.b

W32/Chode-E is a worm with IRC backdoor functionality.
W32/Chode-E attempts to spread via MSN Instant Messenger, by sending users a message "hey, is this you?" and a link. The link points to a copy of the worm.
The worm includes backdoor functionality to do any of the following:
send emails
download updates
participate in denial-of-service attacks
steal passwords
disable anti-virus products
modify the system HOSTS file

http://www.sophos.com/virusinfo/analyses/w32chodee.html

W32/Mytob-EC
Dec 14, 2005 8:15AM PST

Type Worm

Aliases Net-Worm.Win32.Mytob.bi
W32/Polybot@MM
W32.Gaobot.gen!poly
WORM_MYTOB.IU

W32/Mytob-EC is a worm and IRC backdoor Trojan for the Windows platform.
W32/Mytob-EC runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Mytob-EC sends emails in the following format, with details filled in to make the email look more authentic:
Subject line:
"Your password has been updated"
"Your password has been successfully updated"
"You have successfully updated your password"
"Your new account password is approved"
"Your Account is Suspended"
"*DETECTED* Online User Violation"
"Your Account is Suspended For Security Reasons"
"Warning Message: Your services near to be closed."
"Important Notification"
"Members Support"
"Security measures"
"Email Account Suspension"
"Notice of account limitation"

MORE: http://www.sophos.com/virusinfo/analyses/w32mytobec.html

W32/Mytob-EB
Dec 14, 2005 8:16AM PST

Type Worm

Aliases Net-Worm.Win32.Mytob.bi
W32/Polybot@MM
W32.Gaobot.gen!poly
WORM_MYTOB.IU

W32/Mytob-EB is a worm and IRC backdoor Trojan for the Windows platform.
W32/Mytob-EB runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Mytob-EB sends emails in the following format, with details filled in to make the email look more authentic:
Subject line:
"Your password has been updated"
"Your password has been successfully updated"
"You have successfully updated your password"
"Your new account password is approved"
"Your Account is Suspended"
"*DETECTED* Online User Violation"
"Your Account is Suspended For Security Reasons"
"Warning Message: Your services near to be closed."
"Important Notification"
"Members Support"
"Security measures"
"Email Account Suspension"
"Notice of account limitation"

MORE: http://www.sophos.com/virusinfo/analyses/w32mytobeb.html

Troj/Bancos-DS
Dec 14, 2005 8:17AM PST

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Bancos.dr
PWS-Banker.gen.l

Troj/Bancos-DS is an information stealing Trojan for the Windows platform.
Troj/Bancos-DS targets the customers of certain Brazilian internet banking websites and records account details.

http://www.sophos.com/virusinfo/analyses/trojbancosds.html

W32/Codbot-Q
Dec 14, 2005 8:18AM PST

Type Spyware Worm

Aliases WORM_RBOT.BYW
Backdoor.Win32.Codbot.ai

W32/Codbot-Q is a worm and IRC backdoor for the Windows platform.
W32/Codbot-Q spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012) and MSSQL (MS02-039) (CAN-2002-0649).
W32/Codbot-Q runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The following patches for the operating system vulnerabilities exploited by W32/Codbot-Q can be obtained from the Microsoft website:
MS02-039
MS04-011
MS04-012

http://www.sophos.com/virusinfo/analyses/w32codbotq.html

Troj/Lewor-B
Dec 14, 2005 8:18AM PST

Type Trojan

Aliases Trojan-Downloader.Win32.Delf.qv

Troj/Lewor-B is a Trojan for the Windows platform.
Troj/Lewor-B will attempt to terminate processes.
Troj/Lewor-B includes functionality to access the internet and communicate with a remote server via HTTP.
Troj/Lewor-B changes the Start Page for Microsoft Internet Explorer.

http://www.sophos.com/virusinfo/analyses/trojleworb.html

Troj/StartPa-HC
Dec 14, 2005 8:20AM PST
Troj/RaHack-B
Dec 14, 2005 8:20AM PST

Type Trojan

Aliases BKDR_RA.AB
Backdoor.Win32.RA-based.f

Troj/RaHack-B is a Trojan for the Windows platform.
The Trojan scans IP addresses incrementally, searching for an open RAdmin Server, and may attempt to gain entry using a list of weak passwords.

http://www.sophos.com/virusinfo/analyses/trojrahackb.html

W32/Rbot-BCC
Dec 14, 2005 8:21AM PST

Type Worm

Aliases Backdoor.Win32.Rbot.akx

W32/Rbot-BCC is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-BCC runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The worm attempts to spread by copying itself to remote network shares with weak passwords and by exploiting the following system vulnerabilities: LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav (MS03-007) and UPNP (MS01-059).

http://www.sophos.com/virusinfo/analyses/w32rbotbcc.html

W32/Rbot-CUG
Dec 14, 2005 8:22AM PST

Type Spyware Worm

Aliases WORM_RBOT.CUG

W32/Rbot-CUG is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Rbot-CUG spreads using a variety of techniques including:
-exploiting weak passwords on computers and SQL servers
-exploiting operating system vulnerabilities such as LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), UPNP (MS01-059) and Dameware (CAN-2003-1030)
-using backdoors opened by other worms or Trojans.
W32/Rbot-CUG can be controlled by a remote attacker over IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotcug.html

W32/Rbot-BBX
Dec 14, 2005 8:23AM PST

Type Worm

Aliases Backdoor.Win32.Agent.on
W32/Sdbot.MFL

W32/Rbot-BBX is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-BBX spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012) and ASN.1 (MS04-007).
W32/Rbot-BBX runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbbx.html

W32/Tilebot-CG
Dec 14, 2005 8:24AM PST

Type Worm

Aliases Backdoor.Win32.SdBot.ajg
WORM_SDBOT.CUD

W32/Tilebot-CG is a worm and IRC backdoor Trojan for the Windows platform.
W32/Tilebot-CG runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Tilebot-CG exploits the following software vulnerabilities:
LSASS (MS04-011)
RPC-DCOM (MS04-012)
PNP (MS05-039)
ASN.1 (MS04-007)
W32/Tilebot-CG includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/w32tilebotcg.html

W32/Sdbot-AGP
Dec 14, 2005 8:25AM PST

Type Worm

Aliases Backdoor.Win32.SdBot.ajn
W32/Sdbot.worm

W32/Sdbot-AGP is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AGP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Sdbot-AGP attempts to spread by exploiting the following vulnerabilities:
LSASS (MS04-011), RPC-DCOM (MS04-012) and ASN.1 (MS04-007). The worm may also spread to remote network shares with weak passwords.

http://www.sophos.com/virusinfo/analyses/w32sdbotagp.html

W32/Sdbot-AGL
Dec 14, 2005 8:26AM PST

Type Worm

Aliases Backdoor.Win32.Rbot.gen
W32/Sdbot.MFS

W32/Sdbot-AGL is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AGL spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Sdbot-AGL runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotagl.html

W32/Delf-LY
Dec 14, 2005 8:27AM PST

Type Worm

W32/Delf-LY is a worm for the Windows platform.
W32/Delf-LY spreads via file sharing on P2P networks.
When first run W32/Delf-LY copies itself to:
<System>\keygen.exe
<System>\svchost.exe
and creates zipped copies of itself in P2P related folders

http://www.sophos.com/virusinfo/analyses/w32delfly.html

Troj/Proxy-AA
Dec 14, 2005 8:27AM PST
Troj/LineKit-B
Dec 14, 2005 8:28AM PST
Troj/Bckdr-C
Dec 14, 2005 8:29AM PST

Type Trojan

Aliases Backdoor.Win32.Bifrose.iv
BackDoor-CEP

Troj/Bckdr-C is a Trojan for the Windows platform.
Troj/Bckdr-C includes functionality to access the internet and communicate with a remote server via HTTP.
When first run Troj/Bckdr-C copies itself to <Windows>\svchost.exe and creates the following files:
<Windows>\SysPr.prx
<Windows>\plugin1.dat

http://www.sophos.com/virusinfo/analyses/trojbckdrc.html

Troj/Webdrop-E
Dec 14, 2005 8:30AM PST
Troj/Lineage-BW
Dec 14, 2005 8:31AM PST
Troj/Agent-FW
Dec 14, 2005 8:32AM PST

Type Spyware Trojan

Aliases Backdoor.Win32.Agent.qe
BackDoor-AWQ.b
PWSteal.Trojan
TSPY_DRAGENT.A

Troj/Agent-FW is a backdoor Trojan for the Windows platform.
Troj/Agent-FW includes password stealing functionality and functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojagentfw.html

Troj/Zlob-CS
Dec 14, 2005 8:33AM PST
Troj/Spyaks-A
Dec 14, 2005 8:34AM PST

Type Trojan

Aliases Spyaxe trojan

Troj/Spyaks-A is a Trojan for the Windows platform.
The Trojan downloads and installs additional files from a remote site.
Troj/Spyaks-A may create popup alerts with the title "Your computer is infected!" and the message text:

Dangerous malware infection was detected on your PC
The system will now download and install most efficient anti malware program to prevent data loss and your private information theft.
Click here to protect your computer from the biggest malware threats.


http://www.sophos.com/virusinfo/analyses/trojspyaksa.html

SpyAxe removal
Dec 27, 2005 8:55AM PST

After following all of the online guides for removing the SpyAxe infection transport tray app, it continued to come back. I searched the registry for all explorer hooks, etc., but no luck. I noticed it was being used by explorer via a dll, so no process to find in the process list. My last ditch effort was to look for recently created/modified files in the obvious places, starting with system32. I found a bunch of log files, but one file stood out: wbeconm.dll. After checking the file out in a hex editor, I confirmed all the tool tips from the nasty tray app were in there.

I killed explorer from the task manager and then opened up a command prompt and removed the dll extension. That did it. No more tray app with the annoying tool tip ''Dangerous malware infection was detected...''.

You should search through the registry for the dll and remove all references of its parent CLSID.

I don't know if the trojan renames itself to various dlls and adds the appropriate dll registration for the explorer shell, but I couldn't find any references of wbeconm.dll through google.

Let me know if anyone else finds this helpful.

CX.

Spyaxe removal
Dec 27, 2005 11:52AM PST

Hey CX,
I am having this exact problem.
Your quote mentions you...

" ... then open up a command prompt and removed the dll extension. That did it. No more tray app with the annoying tool tip ''Dangerous malware infection was detected..."

I'm new to this forum - how do you open a command prompt to remove the dll extension?
I found the wbeconm.dll file (by doing a search), but could not delete it.

Thanks,
Andrew

Spyaxe removal
Dec 28, 2005 2:52AM PST

Hi Andrew,

Here's the detailed steps taken to remove the tray app used by Spyaxe:

1. Reboot your computer in safe mode (press F8 during startup)

2. Once in safe mode, open up the task manager (right-click in a blank portion of the start menu bar)

3. In the task manager window, select the Processes tab

4. Right-click on the process called "explorer.exe" and select "End process". Select "Yes" from the confirmation popup.

5. Your Windows Explorer desktop shell is no longer running, so the tray app can be removed/renamed.

6. In the task manager, select the Applications tab.

7. Select File/New Task (Run...)

8. In the Create New Task popup window, type "cmd" and enter.

9. In the DOS command window, change to the directory you found the wbeconm.dll in (mine was in windows\system32)

10. Rename the wbeconm.dll to wbeconm.bak

11. In the task manager, select the Applications tab.

12. Select File/New Task (Run...)

13. In the Create New Task popup window, type "explorer" and enter.

14. The windows explorer desktop shell will restart and you should no longer see the SpyAxe tray notification.

I tried running the SpyAxe removal tool located here:
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

But it didn't fix my issue. After looking at the script, it *DOES* search for WBECONM.DLL, but not in the SYSTEM32 directory! However, I'd run the tool before using my instructions just to be sure. It does a thorough job of removing all variants of the SpyAxe infection.

Hope this helps,
CX.
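The hunt CX describes in the two posts above (list recently created or modified files in system32, check the suspect one for the tooltip string, then rename the DLL so the shell cannot load it) is easy to script for triage. The following is an added example, not code from the thread or from any vendor tool. It works on a temporary directory filled with constructed files so it runs on any platform; point `triage()` at a real directory to use it. Only `wbeconm.dll` and the tooltip text come from the thread; the other file names are placeholders. The registry CLSID search CX mentions is not covered here.

```python
"""Triage for the SpyAxe tray-app hunt: find recently modified DLLs in a directory,
flag the ones carrying the tooltip string, and quarantine by renaming to .bak.

Added example (not from the thread). Sample files below are constructed.
"""
import os
import tempfile
import time
from pathlib import Path

# Tooltip text quoted in the Troj/Spyaks-A alert and in CX's post.
TOOLTIP_MARKER = b"Dangerous malware infection was detected"


def recently_modified(directory, max_age_seconds, suffixes=(".dll",)):
    """Files under directory with one of the suffixes, modified within max_age_seconds.

    Note that mtime is attacker-controllable (timestomping), so treat this as a
    first pass, not as proof that older files are clean.
    """
    cutoff = time.time() - max_age_seconds
    return sorted(
        p for p in Path(directory).iterdir()
        if p.is_file()
        and p.suffix.lower() in suffixes
        and p.stat().st_mtime >= cutoff
    )


def contains_marker(path, marker=TOOLTIP_MARKER):
    """The hex-editor check: look for the marker as raw bytes and as UTF-16LE,
    since Windows GUI strings are usually stored as wide characters."""
    data = Path(path).read_bytes()
    wide = marker.decode("ascii").encode("utf-16-le")
    return marker in data or wide in data


def triage(directory, max_age_seconds=7 * 24 * 3600):
    """Names of recently modified DLLs in directory that contain the marker."""
    return [p.name for p in recently_modified(directory, max_age_seconds)
            if contains_marker(p)]


def quarantine(path):
    """Step 10 of the procedure: rename foo.dll to foo.bak so Explorer can no
    longer load it. On a live system this needs explorer.exe stopped and admin
    rights, exactly as the post describes. Returns the new path."""
    src = Path(path)
    target = src.with_suffix(".bak")
    src.rename(target)
    return target


def build_sample_dir():
    """Constructed fixture (placeholder names except wbeconm.dll):
    an old benign DLL, a fresh benign DLL, a fresh DLL with the tooltip, and a log."""
    d = Path(tempfile.mkdtemp(prefix="spyaxe_triage_"))
    old = d / "oldlib.dll"
    old.write_bytes(b"MZ\x90\x00benign library")
    old_time = time.time() - 30 * 24 * 3600          # back-date by 30 days
    os.utime(old, (old_time, old_time))
    (d / "freshlib.dll").write_bytes(b"MZ\x90\x00also benign")
    tooltip = "Dangerous malware infection was detected on your PC"
    (d / "wbeconm.dll").write_bytes(b"MZ\x90\x00" + tooltip.encode("utf-16-le"))
    (d / "notes.log").write_bytes(b"log file, skipped by the suffix filter")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    suspects = triage(sample)
    print("suspect DLLs:", suspects)
    for name in suspects:
        print("renamed to", quarantine(sample / name))
```

Because the marker search reads whole files, keep the suffix and age filters in front of it on a real system32 (thousands of files), and remember that a renamed file is evidence: keep the .bak for analysis rather than deleting it.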

Troj/Horst-B
Dec 14, 2005 8:35AM PST

Type Trojan

Aliases Trojan-Proxy.Win32.Horst.g

Troj/Horst-B is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
Troj/Horst-B includes functionality to
- download, install and run new software
- communicate with a remote user via HTTP
- start a Proxy server
To prevent the user from becoming aware that their computer is infected, the Trojan looks for windows containing any of the following text, and tries to give a response that will allow it to carry on undetected:
Create rule for <Trojan filename>
Warning: Components Have Changed
Hidden Process Requests Network Access
Windows Security Alert
Allow all activities for this application
AnVir Task Manager
Remember this answer the next time I use this program

http://www.sophos.com/virusinfo/analyses/trojhorstb.html

Troj/Bancos-FV
Dec 14, 2005 8:46AM PST
W32/Mytob-FU
Dec 14, 2005 8:47AM PST

Type Worm

Aliases WORM_MYTOB.MV
Net-Worm.Win32.Mytob.do

W32/Mytob-FU is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-FU spreads through email. W32/Mytob-FU harvests email addresses from files on the infected computer and from the Windows address book. Email sent by W32/Mytob-FU has the following properties:
Subject line:
Your password has been updated
Your password has been successfully updated
You have successfully updated your passworq
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation

MORE: http://www.sophos.com/virusinfo/analyses/w32mytobfu.html
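The W32/Mytob-EC, W32/Mytob-EB and W32/Mytob-FU alerts above all quote the same list of lure subject lines, which makes a simple mail-gateway or mailbox check worthwhile. The following is an added example, not code from the thread or from Sophos: it parses RFC 822 messages with Python's standard `email` package and flags any whose Subject equals one of the quoted lures, ignoring case and extra whitespace. The sample messages are constructed for the demonstration.

```python
"""Flag messages whose Subject matches a W32/Mytob lure subject.

Added example, not from the thread or from Sophos. The subject list is copied
from the Mytob-EC/-EB/-FU posts; the sample messages are constructed.
"""
import email
import re
from email import policy

# Subject lines quoted in the Mytob alerts above.
MYTOB_SUBJECTS = [
    "Your password has been updated",
    "Your password has been successfully updated",
    "You have successfully updated your password",
    "Your new account password is approved",
    "Your Account is Suspended",
    "*DETECTED* Online User Violation",
    "Your Account is Suspended For Security Reasons",
    "Warning Message: Your services near to be closed.",
    "Important Notification",
    "Members Support",
    "Security measures",
    "Email Account Suspension",
    "Notice of account limitation",
]


def normalize(subject):
    """Collapse whitespace and case-fold so spacing/case variants still match."""
    return re.sub(r"\s+", " ", str(subject or "")).strip().casefold()


_LURES = {normalize(s) for s in MYTOB_SUBJECTS}


def is_mytob_lure(subject):
    """True if the subject equals one of the known lures (case/space-insensitive).
    Deliberately an exact match: 'Re: Important Notification' is a human reply,
    not a lure, and prefix matching would flag it."""
    return normalize(subject) in _LURES


def scan_mailbox(raw_messages):
    """Return (index, subject, sender) for every raw message whose Subject is a lure."""
    hits = []
    for i, raw in enumerate(raw_messages):
        msg = email.message_from_string(raw, policy=policy.default)
        subject = msg["Subject"]
        if is_mytob_lure(subject):
            hits.append((i, str(subject), str(msg["From"])))
    return hits


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    "From: support@example.com\nSubject: Your Account is Suspended\n\nSee attachment.\n",
    "From: alice@example.com\nSubject: lunch tomorrow?\n\nNoon works.\n",
    "From: admin@example.com\nSubject: *DETECTED*  online user violation\n\nOpen the file.\n",
    "From: bob@example.com\nSubject: Re: Important Notification\n\nWhat was this?\n",
]


if __name__ == "__main__":
    for idx, subj, sender in scan_mailbox(SAMPLE_MESSAGES):
        print(f"message {idx}: suspicious subject {subj!r} from {sender}")
```

A subject-line match is a cheap first signal, not a verdict: later variants change their lures, so pair it with the usual checks on executable attachments and on the sender domain before quarantining.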

Troj/Small-BQY
Dec 14, 2005 8:48AM PST