VIRUS ALERTS - December 19, 2005

Type
Trojan

Aliases
NetTool.Win32.Calc-DNet.h
Win32/TrojanProxy.DistNet.B
Win32/TrojanProxy.DistNet.B

Troj/Dnet-C launches a specific version of distributed.net's clean client application that is usually installed by a Trojan into the hidden folder IOSDT within the Windows system folder.

http://www.sophos.com/virusinfo/analyses/trojdnetc.html

Type
Worm

Aliases
Backdoor.Win32.Rbot.gen
W32/Sdbot.worm.gen.bh
W32.Spybot.Worm
WORM_RBOT.CPU

W32/Rbot-BDF is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-BDF spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Rbot-BDF runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbdf.html

Type
Spyware Trojan

Aliases
Trojan.Win32.Agent.cc

Troj/CashGrab-I is a Trojan for the Windows platform.

Troj/CashGrab-I monitors internet browser windows for certain banking URLs, attempting to steal information if it finds them.

Troj/CashGrab-I also contains browser redirecting functionality.

http://www.sophos.com/virusinfo/analyses/trojcashgrabi.html

Type
Worm

Aliases
Backdoor.Win32.Aimbot.br

W32/Rbot-BDV is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-BDV spreads:

- by attempting to use AOL Instant Messenger
- to other network computers by exploiting common buffer overflow
vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS
(MS03-049), PNP (MS05-039) and ASN.1 (MS04-007)
- by copying itself to network shares and Microsoft SQL servers protected by
weak passwords

W32/Rbot-BDV runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer via
IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbdv.html

Type
Trojan

Troj/Fiserv-A is a backdoor Trojan for the Windows platform.

Troj/Fiserv-A allows a remote intruder to use an infected computer as a file server, as well as run arbitrary programs.

Troj/Fiserv-A may attempt to hide its activities on an infected computer.

http://www.sophos.com/virusinfo/analyses/trojfiserva.html

Type
Trojan

Aliases
Trojan-Downloader.Win32.Small.bav

Troj/Dowdum-A is a downloader Trojan for the Windows platform.

Troj/Dowdum-A attempts to download a file from a remote website to <Windows> \wmplayer.exe and execute it. This file is currently detected as Troj/Dumaru-BA.

http://www.sophos.com/virusinfo/analyses/trojdowduma.html

Type
Trojan

Aliases
Exploit.VBS.Phel.bx
JS/Exploit-HelpXSite

Troj/Dowpok-A is a downloader Trojan.

Troj/Dowpok-A attempts to download a file from a remote website by exploiting the HTML Help Control Vulnerability (MS05-001). The downloaded file is currently detected as Troj/Inor-Fam.

http://www.sophos.com/virusinfo/analyses/trojdowpoka.html

Type
Trojan

Aliases
DNSChanger.a

Troj/RuinDl-H is a downloading Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojruindlh.html

Type Trojan

Aliases Backdoor.Win32.Agent.ah
Trojan-Downloader.Win32.PurityScan.d
W32/Backdoor.ALU

Troj/Agent-GG is a Trojan for the Windows platform.
Troj/Agent-GG includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojagentgg.html

Type Trojan

Aliases Backdoor.Win32.Haxdoor.fi
Backdoor.Haxdoor.E

Troj/Haxdoor-FI is a backdoor Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojhaxdoorfi.html

Type Trojan

Aliases Trojan-Downloader.Win32.VB.ji

Troj/VBDown-A is a Trojan for the Windows platform.
The Trojan downloads and runs files from a remote site.

http://www.sophos.com/virusinfo/analyses/trojvbdowna.html

Type Trojan

Aliases Trojan-Downloader.Win32.Banload.il

Troj/Banload-AK is a Trojan for the Windows platform.
The Trojan downloads and runs files from a remote site.

http://www.sophos.com/virusinfo/analyses/trojbanloadak.html

Type Trojan

Aliases Trojan-Downloader.JS.Cobase.d
Trojan-PSW.Win32.PdPinch.gen

roj/Drocod-A is a Trojan for the Windows platform.
Troj/Drocod-A contains a javascript file sp2.js, detected as Troj/Codebase-O, that it uses to attempt to execute another contained file web.exe, detected as Troj/LdPnch-Gen.

http://www.sophos.com/virusinfo/analyses/trojdrocoda.html

Type Trojan

Troj/Rider-AC is a downloader Trojan.
Troj/Rider-AC attempts to exploit a vulnerability associated with some versions of Microsoft Internet Explorer to load and run a remote file. This file is currently detected as Troj/Drocod-A.

http://www.sophos.com/virusinfo/analyses/trojriderac.html

Type Trojan

Aliases Trojan-Downloader.JS.Cobase.d
Downloader.Trojan

Troj/Codebase-O is a downloader Trojan that attempts to use exploits in certain internet browsers to download a file execute it.

http://www.sophos.com/virusinfo/analyses/trojcodebaseo.html

Type Trojan

Troj/Dowlet-A is a Trojan that attempts to run two files from the same location as itself.

http://www.sophos.com/virusinfo/analyses/trojdowleta.html

Type Trojan

Troj/LegMir-CC is a Trojan for the Windows platform.
Troj/LegMir-CC attempts to disable some security related processes.

http://www.sophos.com/virusinfo/analyses/trojlegmircc.html

Type Spyware Trojan

Aliases Trojan-PSW.Win32.Gamania.be
PWS-Lineage

Troj/Lineage-BV is a password stealing Trojan for the Windows platform.
Troj/Lineage-BV includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojlineagebv.html

Type Spyware Trojan

Aliases Trojan-PSW.Win32.Lineage.po

Troj/Lineage-PO is a password stealing Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojlineagepo.html

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Banker.ahy
W32/Banker.GBB

Troj/Bancban-LE is a Trojan for the Windows platform.
Troj/Bancban-LE includes functionality to send notification messages to remote locations.

http://www.sophos.com/virusinfo/analyses/trojbancbanle.html

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Goldun.en
PWS-Banker.ar

Troj/Bankem-P is a Trojan for the Windows platform.
Troj/Bankem-P includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojbankemp.html

Type Trojan

Aliases Trojan-Downloader.Win32.Delf.wr
PWS-Banker.dldr

Troj/Bancban-LD is a Trojan for the Windows platform.
Troj/Bancban-LD includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojbancbanld.html

Type Spyware Worm

W32/Feebs-A is a worm for the Windows platform.
The worm may arrive as an attachment to an email claiming to be sent via "Protected E-Mail service" with bogus credentials. The message may lure the recipient into entering the supplied credentials into an attached HTML document.
W32/Feebs-A also creates several copies of itself in ZIP format in paths containing "share".
W32/Feebs-A may also harvest information from the infected computer and send stolen data to a remote user via FTP.

http://www.sophos.com/virusinfo/analyses/w32feebsa.html

Type Trojan

Troj/Bifrose-R is a Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojbifroser.html

Type Trojan

Aliases JS/Exploit-BO.gen

Troj/Dloadr-ACP is a downloader Trojan for the Windows platform.
Troj/Dloadr-ACP attempts to download and execute a file from the internet.

http://www.sophos.com/virusinfo/analyses/trojdloadracp.html

Type Trojan

Aliases Exploit-ByteVerify

Troj/Bizves-C is a Trojan for the Windows platform.
Troj/Bizves-C creates a file named loadclean.exe in the Windows folder.
Loadclean.exe is detected by Sophos's anti-virus products as Troj/Bizves-Gen.

http://www.sophos.com/virusinfo/analyses/trojbizvesc.html

Type Trojan

Aliases Trojan-Downloader.Win32.Adload.j

Troj/Dloadr-ACQ is a downloader Trojan for the Windows platform.
The Trojan downloads a file to C:\drsmartload.exe and runs the downloaded file.
At the time of writing drsmartload.exe is detected by Sophos's anti-virus products as Troj/Drsmartl-C.

http://www.sophos.com/virusinfo/analyses/trojdloadracq.html

Type Trojan

Aliases Trojan-Downloader.Win32.Delf.xq

Troj/Banload-CA is a Trojan for the Windows platform.
The Trojan downloads and runs additional files from a remote site.

http://www.sophos.com/virusinfo/analyses/trojbanloadca.html

Type Trojan

Aliases Trojan-Downloader.Win32.Banload.ls

Troj/Banload-CC is a Trojan for the Windows platform.
The Trojan downloads and runs additional files from a remote site.

http://www.sophos.com/virusinfo/analyses/trojbanloadcc.html

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Bancos.lo

Troj/VBanker-C is a Trojan for the Windows platform.
The Trojan monitors Internet Explorer windows for sessions with online banking web sites. The Trojan captures login credentials and sends stolen information to a remote attacker.

http://www.sophos.com/virusinfo/analyses/trojvbankerc.html