VIRUS ALERTS - December 20, 2005

Dec 19, 2005 10:40PM PST

Troj/Banload-BS

Type Trojan

Aliases Trojan-Downloader.Win32.Banload.kh

Troj/Banload-BS is a Trojan downloader for the Windows platform.

Troj/Banload-BS includes functionality to access the internet and communicate
with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojbanloadbs.html

W32/Rbot-AVZ
Dec 20, 2005 9:14AM PST

Type Spyware Worm

Aliases Backdoor.Win32.Rbot.agi
WORM_RBOT.CON

W32/Rbot-AVZ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AVZ spreads:
- to other network computers infected with Troj/Kuang
- to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011), RPC-DCOM (MS04-012) and PNP (MS05-039)
- by copying itself to network shares protected by weak passwords
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AVZ can be obtained from the Microsoft website:
MS04-011
MS04-012
MS05-039

http://www.sophos.com/virusinfo/analyses/w32rbotavz.html

W32/Tilebot-AW
Dec 20, 2005 9:15AM PST

Type Worm

Aliases WORM_SDBOT.CKT
Backdoor.Win32.SdBot.aad

W32/Tilebot-AW is a worm and IRC backdoor Trojan for the Windows platform.
W32/Tilebot-AW spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Tilebot-AW includes functionality to access the internet and communicate with a remote server via HTTP.
When first run, W32/Tilebot-AW creates the file <System>\rdriv.sys.
The file rdriv.sys is detected as Troj/Rootkit-W.
The following patches for the operating system vulnerabilities exploited by W32/Tilebot-AW can be obtained from the Microsoft website:
MS04-011
MS04-012
MS05-039
MS04-007

http://www.sophos.com/virusinfo/analyses/w32tilebotaw.html

W32/Sdbot-AEV
Dec 20, 2005 9:16AM PST

Type Worm

Aliases Sdbot.worm.gen.bg
W32.Spybot.Worm

W32/Sdbot-AEV is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AEV spreads via file sharing on P2P networks and to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007).
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AEV can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS05-039
MS04-007

http://www.sophos.com/virusinfo/analyses/w32sdbotaev.html

W32/Sdbot-AEY
Dec 20, 2005 9:17AM PST

Type Worm

Aliases Backdoor.Win32.SdBot.ach
W32.Randex

W32/Sdbot-AEY is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AEY spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039) and by copying itself to network shares protected by weak passwords.
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AEY can be obtained from the Microsoft website:
MS05-039
W32/Sdbot-AEY runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotaey.html

W32/Sdbot-AEZ
Dec 20, 2005 9:18AM PST

Type Worm

Aliases Backdoor.Win32.SdBot.adg
W32.Randex
WORM_RBOT.CAS

W32/Sdbot-AEZ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AEZ spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039) and by copying itself to network shares protected by weak passwords.
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AEZ can be obtained from the Microsoft website:
MS04-039
W32/Sdbot-AEZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotaez.html

W32/Sdbot-AFB
Dec 20, 2005 9:21AM PST

Type Worm

Aliases Backdoor.Win32.SdBot.acg
Sdbot.worm.gen.bh

W32/Sdbot-AFB is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AFB spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039) and by copying itself to network shares protected by weak passwords.
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AFB can be obtained from the Microsoft website:
MS05-039
W32/Sdbot-AFB runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotafb.html

Troj/Lineage-BE
Dec 20, 2005 9:22AM PST

Troj/BagleDl-V
Dec 20, 2005 9:27AM PST

W32/Bagle-Z
Dec 20, 2005 9:28AM PST

Type Worm

Aliases Email-Worm.Win32.Bagle.cs
W32/Bagle.dldr.gen
W32.Beagle.CG@mm
WORM_BAGLE.CZ

W32/Bagle-Z is a worm for the Windows platform.
W32/Bagle-Z includes functionality to download and run further malicious code. At the time of writing, the files it attempts to download are unavailable.
W32/Bagle-Z contains the Trojan Troj/Dropper-BB. This file may be dropped or sent by email.
Emails sent by the worm have the following characteristics. The worm may contain the Trojan as a ZIP attachment with one of the following filenames:
- 09_price
- new__price
- new_price
- newprice
- price
- price_09
- price_new
- price2

The message text is chosen to be one of the following:
- The password is <link to image>
- new price
- Password: <link to image>
- price

http://www.sophos.com/virusinfo/analyses/w32baglez.html

Troj/Codebase-M
Dec 20, 2005 9:29AM PST

Troj/Dloader-UT
Dec 20, 2005 9:30AM PST