VIRUS ALERTS - December 20, 2005

Dec 19, 2005 10:40PM PST

Troj/Banload-BS

Type
Trojan

Aliases
Trojan-Downloader.Win32.Banload.kh

Troj/Banload-BS is a Trojan downloader for the Windows platform.

Troj/Banload-BS includes functionality to access the internet and communicate
with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojbanloadbs.html

Troj/Downdel-V
Dec 20, 2005 8:45AM PST

Troj/DownLdr-YO
Dec 20, 2005 8:46AM PST

Troj/Gunboun-A
Dec 20, 2005 8:47AM PST

W32/Wcup-B
Dec 20, 2005 8:48AM PST

Type Worm

Aliases BAT.WCup.B@mm

W32/Wcup-B is an email worm for the Windows platform.
W32/Wcup-B sends itself to email addresses found on an infected computer as an attachment named 'anhang.bat' with the following message:
"Sie haben Kazaa illegaler weise benutzt.Aus diesem Grund wurde ein Ermittlungsverfahren gegen sie eingeleitet. ANHANG!!"

http://www.sophos.com/virusinfo/analyses/w32wcupb.html

W32/Loosky-G
Dec 20, 2005 8:49AM PST

Type Spyware Worm

Aliases Email-Worm.Win32.Locksky.e
W32.Looksky.A@mm
WORM_LOCKSKY.O

W32/Loosky-G is an email worm for the Windows platform.
W32/Loosky-G also includes functionality to log keystrokes and download a self-update from the predefined location.
W32/Loosky-G attempts to send itself to email addresses harvested from the
infected computer. Emails sent have the following characteristics:
Subject line: Account # 494386JNO Tue, 19s
Message text: Hello,
We sent you an email a while ago, because you now qualifyfor a much lower rate based on the biggest rate drop in years.
You can now get $327,000 for as little as $617 a month!Bad credit? Doesn't matter, ^low rates are fixed no matter what!
Follow this link to process your application and a 24 hour approval:
http://<sitename>mainecomputergroup.com/
Best Regards,
Bernadine Guy
Attachment name:
main_comp.exe

http://www.sophos.com/virusinfo/analyses/w32looskyg.html

Troj/Qoolaid-R
Dec 20, 2005 8:50AM PST

Troj/Bifrose-K
Dec 20, 2005 8:50AM PST

Troj/Bancos-FV
Dec 20, 2005 8:52AM PST

W32/Mytob-FU
Dec 20, 2005 8:53AM PST

Type Worm

Aliases WORM_MYTOB.MV
Net-Worm.Win32.Mytob.do

W32/Mytob-FU is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-FU spreads through email. W32/Mytob-FU harvests email addresses from files on the infected computer and from the Windows address book. Email sent by W32/Mytob-FU has the following properties:
Subject line:
Your password has been updated
Your password has been successfully updated
You have successfully updated your passworq
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation

MORE: http://www.sophos.com/virusinfo/analyses/w32mytobfu.html

Troj/Small-BQY
Dec 20, 2005 8:54AM PST

Troj/Lineage-ON
Dec 20, 2005 8:55AM PST

Type Spyware Trojan

Aliases Trojan-PSW.Win32.Lineage.on

Troj/Lineage-ON is a password stealing Trojan for the Windows platform that attempts to steal passwords associated with the game called "Lineage".
Troj/Lineage-ON includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojlineageon.html

Troj/Dloadr-AAM
Dec 20, 2005 8:55AM PST

Troj/Banload-I
Dec 20, 2005 8:56AM PST

Troj/Lineage-OZ
Dec 20, 2005 8:57AM PST

Type Spyware Trojan

Aliases PWS-Lineage

Troj/Lineage-OZ is a password stealing Trojan for the Windows platform.
Troj/Lineage-OZ includes functionality to log both keystrokes and mouse operations, and to email such information to a predefined email address. The Trojan attempts to disable some security related applications so that this email activity is undetected.

http://www.sophos.com/virusinfo/analyses/trojlineageoz.html

Troj/VBSWG-AC
Dec 20, 2005 8:58AM PST

Troj/VBSWG-AD
Dec 20, 2005 8:59AM PST

W32/Chode-O
Dec 20, 2005 9:00AM PST

Type Worm

Aliases Backdoor.Win32.VBbot.i

W32/Chode-O is an instant messenger worm with IRC backdoor functionality for the Windows platform that spreads by sending itself to IM contacts using MSN and AOL's instant messenger.

http://www.sophos.com/virusinfo/analyses/w32chodeo.html

Troj/Danmec-B
Dec 20, 2005 9:01AM PST

W32/Rbot-AFV
Dec 20, 2005 9:02AM PST

Type Spyware Worm

Aliases Backdoor.Win32.Rbot.sr

W32/Rbot-AFV is an internet worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AFV spreads to other network computers by exploiting the buffer overflow vulnerabilities LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) and MSSQL (MS02-039) and by copying itself to network shares protected by weak passwords.
W32/Rbot-AFV runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AFV can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS02-039

http://www.sophos.com/virusinfo/analyses/w32rbotafv.html

W32/Rbot-AFU
Dec 20, 2005 9:03AM PST

Type Spyware Worm

W32/Rbot-AFU is a network worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AFU spreads using a variety of techniques including exploiting weak passwords on computers and exploiting operating system vulnerabilities including:
LSASS (MS04-011)
RPC-DCOM (MS04-012)
WKS (MS03-049) (CAN-2003-0812)
WebDav (MS03-007)
IIS5SSL (MS04-011) (CAN-2003-0719)
MSSQL (MS02-039) (CAN-2002-0649)
UPNP (MS01-059)
Veritas (CAN-2004-1172)
Dameware (CAN-2003-1030)
W32/Rbot-AFU may also attempt to spread through backdoors left open by the following families of worms and Trojans:
Troj/Kuang
Troj/Sub7
Troj/NetDevil
W32/MyDoom
W32/Bagle
Troj/Optix
W32/Rbot-AFU can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-AFU can be instructed by a remote user to perform a list of functions.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AFU can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS03-007
MS02-039
MS01-059

http://www.sophos.com/virusinfo/analyses/w32rbotafu.html

Troj/Dloader-PE
Dec 20, 2005 9:04AM PST

Type Trojan

Aliases Trojan-Downloader.Win32.Small.awa

Troj/Dloader-PE is a downloader Trojan which will download, install and run software without notification that it is doing so.
Troj/Dloader-PE saves the downloaded files to <System>\maxd.exe and <Temp>\maxdd.game and runs them.

http://www.sophos.com/virusinfo/analyses/trojdloaderpe.html

Troj/Dloader-PD
Dec 20, 2005 9:06AM PST

W32/Mepad-A
Dec 20, 2005 9:07AM PST

W32/Agobot-APJ
Dec 20, 2005 9:08AM PST

Type Worm

Aliases Backdoor.Win32.Agobot.aci
W32/Gaobot.worm.gen.d

W32/Agobot-APJ is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Agobot-APJ is capable of spreading to computers on the local network protected by weak passwords.
The backdoor component runs continuously in the background providing backdoor access to the computer through IRC channels. The backdoor component can be instructed to perform the following functions:
harvest email addresses
steal product registration information for certain software
take part in Distributed Denial of Service (DDoS) attacks
scan networks for vulnerabilities
download/execute arbitrary files
start a proxy server (SOCKS4/SOCKS5)
start/stop system services
monitor network communications (packet sniffing)
add/remove network shares
send email
log keypresses

http://www.sophos.com/virusinfo/analyses/w32agobotapj.html

Troj/Smlog-A
Dec 20, 2005 9:09AM PST

Type Trojan

Aliases Trojan-DDoS.Win32.Small.h
FDoS.d

Troj/Smlog-A is a backdoor Trojan for the Windows platform.
Troj/Smlog-A will contact a remote URL and download a configuration file. Depending on the contents of the configuration file the Trojan may do one or more of the following:
Perform a DDoS on a given URL
Execute commands on the infected system
Display a message on the infected system
Uninstall itself

http://www.sophos.com/virusinfo/analyses/trojsmloga.html

W32/Spybot-DP
Dec 20, 2005 9:09AM PST

Type Spyware Worm

W32/Spybot-DP is a worm and IRC backdoor Trojan for the Windows platform.
W32/Spybot-DP spreads via file sharing on P2P networks.
W32/Spybot-DP may also attempt to spread via backdoors left open by the following Trojans:
Troj/Kuang
Troj/Sub7
W32/Spybot-DP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32spybotdp.html

Troj/Bdoor-IP
Dec 20, 2005 9:10AM PST

Type Spyware Trojan

Aliases BackDoor-CGZ

Troj/Bdoor-IP is a backdoor Trojan for the Windows platform.
Troj/Bdoor-IP includes functionality to access the internet and communicate with a remote server via HTTP.
Troj/Bdoor-IP may attempt to send stolen system information to a remote website.
Troj/Bdoor-IP may also execute commands from a remote website.

http://www.sophos.com/virusinfo/analyses/trojbdoorip.html

Troj/Bancos-DA
Dec 20, 2005 9:11AM PST

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Bancos.ha

Troj/Bancos-DA is a password stealing Trojan aimed at customers of Brazilian banks.
Troj/Bancos-DA will monitor a user's internet access. When certain internet banking sites are visited, the Trojan will display a fake login screen in order to trick the user into inputting their details.
Troj/Bancos-DA will then send the stolen details to an email address.

http://www.sophos.com/virusinfo/analyses/trojbancosda.html

W32/Bagle-AR
Dec 20, 2005 9:12AM PST

Type Worm

Aliases Email-Worm.Win32.Bagle.ek
WORM_BAGLE.BS

W32/Bagle-AR is a mass-mailing worm for the Windows platform.
W32/Bagle-AR sends a ZIP file as an email attachment. The ZIP file contains an executable detected as either Troj/BagleDl-W, Troj/BagleDl-Y or Troj/BagleDl-Z.
Once installed, this executable attempts to download further files, which may include copies of the original worm W32/Bagle-AR.
Emails sent by W32/Bagle-AR have the following characteristics:
Subject line: <Blank>
Message text chosen from:
info
texte
The password is <image>
Password: <image>
The attachment filename chosen from:
text_sms.zip
sms_text.zip
The_new_prices.zip
Info_prices.zip
Business_dealing.zip
Business.zip
Health_and_knowledge.zip
W32/Bagle-AR will avoid sending emails to addresses containing any of the following strings:
@derewrdgrs
@eerswqe
@messagelab
@microsoft
anyone@
certific
contract@
f-secur
free-av
gold-certs@
google
icrosoft
listserv
nobody@
noone@
noreply
postmaster@
rating@
samples
support
update
winrar
winzip

http://www.sophos.com/virusinfo/analyses/w32baglear.html

W32/Rbot-AWC
Dec 20, 2005 9:13AM PST