VIRUS ALERTS - December 20, 2005

Type Spyware Worm

Aliases Backdoor.Win32.Rbot.agi
WORM_RBOT.CON

W32/Rbot-AVZ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AVZ spreads:
- to other network computers infected with Troj/Kuang
- to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011), RPC-DCOM (MS04-012) and PNP (MS05-039)
- by copying itself to network shares protected by weak passwords
and by copying itself to network shares protected by weak passwords.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AVZ can be obtained from the Microsoft website:
MS04-011
MS04-012
MS05-039

http://www.sophos.com/virusinfo/analyses/w32rbotavz.html

Type Worm

Aliases WORM_SDBOT.CKT
Backdoor.Win32.SdBot.aad

W32/Tilebot-AW is a worm and IRC backdoor Trojan for the Windows platform.
W32/Tilebot-AW spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Tilebot-AW includes functionality to access the internet and communicate with a remote server via HTTP.
When first run W32/Tilebot-AW creates the file <System>\rdriv.sys.
The file rdriv.sys is detected as Troj/Rootkit-W.
The following patches for the operating system vulnerabilities exploited by W32/Tilebot-AW can be obtained from the Microsoft website:
MS04-011
MS04-012
MS05-039
MS04-007

http://www.sophos.com/virusinfo/analyses/w32tilebotaw.html

Type Worm

Aliases Sdbot.worm.gen.bg
W32.Spybot.Worm

W32/Sdbot-AEV is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AEV spreads via file sharing on P2P networks and to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007).
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AEV can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS05-039
MS04-007

http://www.sophos.com/virusinfo/analyses/w32sdbotaev.html

Type Worm

Aliases Backdoor.Win32.SdBot.ach
W32.Randex

W32/Sdbot-AEY is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AEY spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039) and by copying itself to network shares protected by weak passwords.
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AEY can be obtained from the Microsoft website:
MS05-039
W32/Sdbot-AEY runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotaey.html

Type Worm

Aliases Backdoor.Win32.SdBot.adg
W32.Randex
WORM_RBOT.CAS

W32/Sdbot-AEZ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AEZ spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039) and by copying itself to network shares protected by weak passwords.
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AEZ can be obtained from the Microsoft website:
MS04-039
W32/Sdbot-AEZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotaez.html

Type Worm

Aliases Backdoor.Win32.SdBot.acg
Sdbot.worm.gen.bh

W32/Sdbot-AFB is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AFB spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039) and by copying itself to network shares protected by weak passwords.
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AFB can be obtained from the Microsoft website:
MS05-039
W32/Sdbot-AFB runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotafb.html

Type Spyware Trojan

Aliases Trojan-PSW.Win32.Gamania.as
TSPY_LINEAGE.MC

Troj/Lineage-BE is a password stealing Trojan for the Windows platform that attempts to steal passwords associated with the game called "Lineage".

http://www.sophos.com/virusinfo/analyses/trojlineagebe.html

Type Trojan

Aliases Email-Worm.Win32.Bagle.cx

Troj/BagleDl-V is a Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojbagledlv.html

Type Worm

Aliases Email-Worm.Win32.Bagle.cs
W32/Bagle.dldr.gen
W32.Beagle.CG@mm
WORM_BAGLE.CZ

W32/Bagle-Z is a worm for the Windows platform.
W32/Bagle-Z includes functionality to download and run further malicious code. At the time of writing, the files it attempts to download are unavailable.
W32/Bagle-Z contains the Trojan Troj/Dropper-BB. This file may be dropped or sent by email.
Emails sent by the worm have the following characteristics. The worm may contain the Trojan as a ZIP attachment with one of the following filenames:
09_price
new__price
new_price
newprice
price
price_09
price_new
price2
The message text is chosen to be one of the following:
The password is <link to image>
new price
Password: <link to image>
price

http://www.sophos.com/virusinfo/analyses/w32baglez.html

Type Trojan

Troj/Codebase-M is a Trojan that exploits the CODEBASE vulnerability to run an executable file on the local computer.

http://www.sophos.com/virusinfo/analyses/trojcodebasem.html

Type Trojan

Troj/Dloader-UT is a Trojan that downloads further malicious code.

http://www.sophos.com/virusinfo/analyses/trojdloaderut.html