Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - December 17, 2004

by Marianna Schmudlach / December 16, 2004 11:31 PM PST

W32/Forbot-EQ
Summary

Aliases WORM_WOOTBOT.EQ

Type Worm

W32/Forbot-EQ is an IRC backdoor Trojan and network worm for the Windows platform.
Once installed, W32/Forbot-EQ connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands.
The worm can spread to unpatched machines affected by the LSASS vulnerability (see MS04-011) and through backdoors left open by the Troj/Optix Trojans.

http://www.sophos.com/virusinfo/analyses/w32forboteq.html

Troj/Iefeat-Q
by Marianna Schmudlach / December 16, 2004 11:33 PM PST
Troj/Iefeat-R
by Marianna Schmudlach / December 16, 2004 11:35 PM PST

Aliases Trojan-Downloader.Win32.Agent.bc

Type Trojan

Troj/Iefeat-R is a downloader Trojan for the Windows platform. The Trojan may download files from the internet. Troj/Iefeat-R may also register itself as a Browser Helper Object and has the ability to unregister services and delete the files associated with them.
Troj/Iefeat-R attempts to terminate processes associated with the following files:
1.00.07.dll
astctl32.ocx
autosearch.dll
avpcc.dll
bootconf.exe
coolwebsearch-info.dll
ctfmon32.exe
ctrlpan.dll

http://www.sophos.com/virusinfo/analyses/trojiefeatr.html

Troj/Agent-BK
by Marianna Schmudlach / December 16, 2004 11:37 PM PST

Type Trojan

Troj/Agent-BK is a backdoor Trojan for the Windows platform.
Troj/Agent-BK opens up a random port on the infected computer, reports its presence to a preconfigured website and awaits commands from a remote attacker.
Troj/Agent-BK allows a remote attacker to use the infected computer as a proxy, redirecting internet traffic to hide the location of the remote attacker.

http://www.sophos.com/virusinfo/analyses/trojagentbk.html

W32/Rbot-RU
by Marianna Schmudlach / December 16, 2004 11:39 PM PST

Aliases Backdoor.Win32.Rbot.gen

Type Worm

W32/Rbot-RU is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.
The worm spreads to network shares with weak passwords and also by using the LSASS security exploit (MS04-011) and the RPC-DCOM security exploit (MS03-039).
Once installed, W32/Rbot-RU will attempt to create an HTTPD server, steal CD game keys, log keystrokes, participate in distributed denial of service (DDoS) attacks, download and run files from the internet and perform other malicious actions when instructed to do so by a remote attacker.

http://www.sophos.com/virusinfo/analyses/w32rbotru.html

W32/Rbot-RT
by Marianna Schmudlach / December 16, 2004 11:40 PM PST

Type Worm

W32/Rbot-RT is a network worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-RT spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

http://www.sophos.com/virusinfo/analyses/w32rbotrt.html

Troj/StartPa-NK
by Marianna Schmudlach / December 16, 2004 11:42 PM PST
W32/Sdbot-SK
by Marianna Schmudlach / December 16, 2004 11:43 PM PST

Aliases W32/Sdbot.worm.gen.t

Type Worm

W32/Sdbot-SK is a Windows worm that contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.
W32/Sdbot-SK can also be dropped by another Windows Trojan, Troj/Multi-BF, which persists as the filename respond.exe. The worm attempts to spread to network shares using the Trojan filename respond.exe.
W32/Sdbot-SK will try to participate in denial-of-service (DoS) attacks and download and run files from the internet when instructed to do so by a remote attacker.

http://www.sophos.com/virusinfo/analyses/w32sdbotsk.html

W32/Delf-JB
by Marianna Schmudlach / December 17, 2004 1:01 AM PST

Aliases Trojan.Win32.Delf.gk

Type Virus

W32/Delf-JB is a virus for the Windows platform.
When executed the virus will attempt to terminate the following processes:
spidernt.exe
taskmgr.exe
mstask.exe
regedit.exe
msconfig.exe
cmd.exe
The virus will then write a copy of itself over the beginning of all executables it can find.

http://www.sophos.com/virusinfo/analyses/w32delfjb.html

Dial/Dialer-F
by Marianna Schmudlach / December 17, 2004 1:03 AM PST
Troj/StartPa-DZ
by Marianna Schmudlach / December 17, 2004 1:05 AM PST
Troj/Bdoor-CDQ
by Marianna Schmudlach / December 17, 2004 1:08 AM PST
Troj/Multidr-BF
by Marianna Schmudlach / December 17, 2004 1:10 AM PST

Type Trojan

Troj/Multidr-BF is a Windows Trojan dropper.
When run the Trojan attempts to create the folder C:\WINNT\SYSTEM32 and creates and runs the following files:
C:\WINNT\SYSTEM32\cxass.exe
C:\WINNT\SYSTEM32\dwqst.exe
File cxass.exe is currently being detected as Troj/Ranck-BI.
File dwqst.exe is currently being detected as W32/Sdbot-SK.

http://www.sophos.com/virusinfo/analyses/trojmultidrbf.html

Daffy ZAFI - WORM_ZAFI.D (Medium Risk)
by Marianna Schmudlach / December 17, 2004 2:48 AM PST

WORM_ZAFI.D is a memory-resident, mass-mailing worm that is currently spreading in-the-wild. On December 14 Trend Micro declared a Yellow Alert to control the spread of this worm. It uses its own built-in Simple Mail Transfer Protocol (SMTP) engine to send malicious Christmas greetings. It runs on Windows 98, ME, NT, 2000, and XP.

Upon execution, this mass-mailing, memory-resident worm displays a message box. It drops a copy of itself as NORTON UPDATE.EXE, and drops copies of itself as .DLL files with 8-character random file names. Some .DLL files are copies of itself while others are email log files in the Windows system folder. It also drops a log file called S.CM in the root folder. It then adds a registry entry that allows it to automatically execute at every system startup.

This worm drops a copy of itself using either of the following filenames:

WINAMP 5.7 NEW!.EXE
ICQ 2005A NEW!.EXE
It drops the file in folders that contain one of the following strings:

share
upload
music
Most file-sharing applications, such as KaZaA, Shareaza, and Morpheus, use folder names with these strings when sharing files through peer-to-peer (P2P) networks. P2P users who search for Winamp and ICQ installers may inadvertently download this dropped ZAFI copy instead.

This worm uses its own built-in Simple Mail Transfer Protocol (SMTP) engine, which allows it to send malicious Christmas greetings without having to use other email applications like Outlook Express. The language used in the message body is dependent on the domain of the email recipient. For example, when the Top Level Domain of the user's email address is .COM, the message is sent in English. When the Top Level Domain of the user's email address is .DE, the message is sent in German. Please visit the Technical Details of this virus description to view samples and screenshots of the email it sends.


More:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D
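
A small scan that applies the P2P-lure indicators from the WORM_ZAFI.D post above (the two dropped filenames and the share/upload/music folder hints) to a directory tree. This is an added example, not Trend Micro's tooling; the sample tree is constructed on the fly with empty files, and flagging only the immediate folder name as "P2P-like" is an assumption made here.

```python
import os
import tempfile

# Dropped filenames and folder-name fragments quoted in the WORM_ZAFI.D alert.
ZAFI_P2P_NAMES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe"}
ZAFI_FOLDER_HINTS = ("share", "upload", "music")


def is_p2p_like_folder(dirpath: str) -> bool:
    """Assumption: only the folder's own name is checked for the hint strings."""
    folder = os.path.basename(dirpath).lower()
    return any(hint in folder for hint in ZAFI_FOLDER_HINTS)


def find_zafi_drops(root: str) -> list:
    """Walk root and return (path, in_p2p_like_folder) for every file whose
    name matches one of the worm's lures, compared case-insensitively.
    A lure filename outside a P2P-like folder is still reported so that
    copies dropped elsewhere are not missed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        p2p = is_p2p_like_folder(dirpath)
        for name in files:
            if name.lower() in ZAFI_P2P_NAMES:
                hits.append((os.path.join(dirpath, name), p2p))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample tree: the lure files are empty placeholders, not
    real samples, so the scan can be exercised offline."""
    root = tempfile.mkdtemp(prefix="zafi_demo_")
    for rel in ("My Shared Folder/WINAMP 5.7 NEW!.EXE",
                "music/ICQ 2005A NEW!.EXE",
                "Downloads/ICQ 2005A NEW!.EXE",
                "Documents/notes.txt"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    return root


if __name__ == "__main__":
    for path, p2p in find_zafi_drops(build_sample_tree()):
        print(("P2P-like folder: " if p2p else "other folder:    ") + path)
```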

W32/Wort-D
by Marianna Schmudlach / December 17, 2004 1:44 PM PST
Troj/Webmoner-A
by Marianna Schmudlach / December 17, 2004 1:52 PM PST

Aliases Trojan-Spy.Win32.Webmoner.f

Type Trojan

Troj/Webmoner-A is a password stealing Trojan aimed at users of the application "WebMoney."
When first run, Troj/Webmoner-A will display a fake installation progress bar. At 90%, the Trojan displays a message box containing "System error 100342".
Troj/Webmoner-A will replace the WebMoney executable with a Trojan executable file. This replacement is also detected as Troj/Webmoner-A.
When run, the replacement will display a fake WebMoney interface in order to trick the user into entering their details. The stolen details will be sent to a Russian email address.

http://www.sophos.com/virusinfo/analyses/trojwebmonera.html

W32/Rbot-RV
by Marianna Schmudlach / December 17, 2004 1:54 PM PST

Type Worm

W32/Rbot-RV is a worm with a backdoor component.
W32/Rbot-RV connects to an IRC server and waits for commands from an attacker.
W32/Rbot-RV can spread to computers on the local network protected by weak passwords and by exploiting a number of software vulnerabilities.

http://www.sophos.com/virusinfo/analyses/w32rbotrv.html

Troj/QQPass-F
by Marianna Schmudlach / December 17, 2004 1:56 PM PST

Aliases VirTool.Win32.HeiBai
Win32.KillProc.d
PWS-QQPass
PWSteal.Lemir.Gen
TROJ_LEMIR.HE
TROJ_LEMIR.X

Type Trojan

Troj/QQPass-F is a password stealing Trojan for the Windows platform.
When executed the Trojan creates the file QQSB.exe in the Windows system folder.
Stolen passwords may be sent from the infected computer by email.

http://www.sophos.com/virusinfo/analyses/trojqqpassf.html

Troj/Wordor-A
by Marianna Schmudlach / December 17, 2004 1:58 PM PST
W32/Atak-K
by Marianna Schmudlach / December 17, 2004 2:00 PM PST

Type Worm

W32/Atak-K is a mass-mailing worm.
W32/Atak-K arrives in an email with one of the following subject lines:
X-Mas Greeting!
Happy X-Mas to u!
The subject line can have different capitalisation.
Possible message texts include the following:
I would like to say Happy X-Mas if you celebrate it and Happy New Year! Be matured not childish!
Forgive me if I have make some mistake and hope much better next year! Happy X-Mas and New Year
W32/Atak-K arrives as a ZIP attachment with one of the following base filenames:
attached
scroll
present
santa_gift
The ZIP file contains an executable file with the same base filename and one of the following file extensions:
BAT
SCR
COM
PIF
W32/Atak-K will send itself to email addresses harvested from the infected computer.

http://www.sophos.com/virusinfo/analyses/w32atakk.html
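
A mail-gateway style check built from the W32/Atak-K indicators in the post above: the two subject lines (compared case-insensitively, as the alert notes), the four ZIP base filenames, and the rule that the archive holds an executable with the same base name and a BAT/SCR/COM/PIF extension. This is an added example, not Sophos code; the sample archives are constructed in memory with harmless contents, and the "quarantine"/"suspicious" labels are an assumption of this example.

```python
import io
import re
import zipfile

# Indicators quoted in the W32/Atak-K alert.
ATAK_SUBJECTS = {"x-mas greeting!", "happy x-mas to u!"}
ATAK_BASENAMES = {"attached", "scroll", "present", "santa_gift"}
ATAK_EXTENSIONS = {"bat", "scr", "com", "pif"}


def subject_matches(subject: str) -> bool:
    """The alert says capitalisation varies, so compare case-insensitively."""
    return subject.strip().lower() in ATAK_SUBJECTS


def zip_matches(attachment_name: str, zip_bytes: bytes) -> bool:
    """True when the attachment is <base>.zip for a listed base name and the
    archive contains <base>.<bat|scr|com|pif>. Unreadable archives are not
    matched here; a real gateway would treat those separately."""
    m = re.fullmatch(r"(?i)([a-z_]+)\.zip", attachment_name)
    if not m or m.group(1).lower() not in ATAK_BASENAMES:
        return False
    base = m.group(1).lower()
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    for name in names:
        stem, dot, ext = name.lower().rpartition(".")
        if dot and stem == base and ext in ATAK_EXTENSIONS:
            return True
    return False


def classify_message(subject: str, attachment_name: str, zip_bytes: bytes) -> str:
    """Assumed policy: both indicators -> quarantine, one -> suspicious."""
    s, z = subject_matches(subject), zip_matches(attachment_name, zip_bytes)
    if s and z:
        return "quarantine"
    return "suspicious" if (s or z) else "clean"


def build_sample_zip(member: str) -> bytes:
    """Constructed sample: an archive whose member name mimics the worm's,
    with harmless text instead of an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"not a real payload")
    return buf.getvalue()
```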

Troj/Loony-P
by Marianna Schmudlach / December 17, 2004 2:02 PM PST

Aliases Backdoor.Win32.Hackarmy.gen.
W32/Spybot.worm.gen.b

Type Trojan

Troj/Loony-P is a backdoor Trojan which allows unauthorised remote access to infected computers via the IRC network.
Troj/Loony-P allows a remote attacker to control the infected computer, accepting commands including:
downloading files via HTTP
listing the contents of the hard drive
stealing passwords and product keys
performing DDoS attacks
executing arbitrary commands
listing and killing processes
uninstalling or restarting the Trojan

http://www.sophos.com/virusinfo/analyses/trojloonyp.html
