
VIRUS ALERTS - December 22, 2005

Dec 21, 2005 9:22PM PST

W32/Rbot-BFL

Type: Spyware Worm

W32/Rbot-BFL is an internet worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-BFL spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011) and RPC-DCOM (MS04-012) and by copying itself to network shares protected by weak passwords.

W32/Rbot-BFL runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-BFL includes functionality to:

- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software

The following patches for the operating system vulnerabilities exploited by W32/Rbot-BFL can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotbfl.html

Troj/Namitsu-C
Dec 22, 2005 3:28AM PST

Troj/Small-FP
Dec 22, 2005 3:30AM PST

Linux/Lupper-E
Dec 22, 2005 3:32AM PST

Linux/Mare-A
Dec 22, 2005 3:33AM PST

W32/Bagle-AR
Dec 22, 2005 4:20AM PST

Type: Worm

Aliases:
Email-Worm.Win32.Bagle.ek
WORM_BAGLE.BS

W32/Bagle-AR is a mass-mailing worm for the Windows platform.

W32/Bagle-AR sends a ZIP file as an email attachment. The ZIP file contains an executable detected as either Troj/BagleDl-W, Troj/BagleDl-Y or Troj/BagleDl-Z.

Once installed, this executable attempts to download further files, which may include copies of the original worm W32/Bagle-AR.

Emails sent by W32/Bagle-AR have the following characteristics:

Subject line: <Blank>

Message text chosen from:

info
texte
The password is <image>
Password: <image>

The attachment filename chosen from:

text_sms.zip
sms_text.zip
The_new_prices.zip
Info_prices.zip
Business_dealing.zip
Business.zip
Health_and_knowledge.zip

W32/Bagle-AR will avoid sending emails to addresses containing any of the following strings:

@derewrdgrs
@eerswqe
@messagelab
@microsoft
anyone@
certific
contract@
f-secur
free-av
gold-certs@
google
icrosoft
listserv
nobody@
noone@
noreply
postmaster@
rating@
samples
support
update
winrar
winzip

Sophos's anti-virus products include Genotype® detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Bagle-AR (detected as W32/Bagle-Gen) since version 3.97.

http://www.sophos.com/virusinfo/analyses/w32baglear.html

W32/Rbot-AWC
Dec 22, 2005 4:22AM PST

W32/Rbot-AVZ
Dec 22, 2005 4:25AM PST

Type: Spyware Worm

Aliases:
Backdoor.Win32.Rbot.agi
WORM_RBOT.CON

W32/Rbot-AVZ is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AVZ spreads:

- to other network computers infected with Troj/Kuang
- to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011), RPC-DCOM (MS04-012) and PNP (MS05-039)
- by copying itself to network shares protected by weak passwords

The following patches for the operating system vulnerabilities exploited by W32/Rbot-AVZ can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotavz.html

W32/Tilebot-AW
Dec 22, 2005 4:29AM PST

Type: Worm

Aliases:
WORM_SDBOT.CKT
Backdoor.Win32.SdBot.aad

W32/Tilebot-AW is a worm and IRC backdoor Trojan for the Windows platform.

W32/Tilebot-AW spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Tilebot-AW includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Tilebot-AW creates the file <System>\rdriv.sys.

The file rdriv.sys is detected as Troj/Rootkit-W.

The following patches for the operating system vulnerabilities exploited by W32/Tilebot-AW can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

http://www.sophos.com/virusinfo/analyses/w32tilebotaw.html

W32/Sdbot-AEV
Dec 22, 2005 4:31AM PST

Type: Worm

Aliases:
Sdbot.worm.gen.bg
W32.Spybot.Worm

W32/Sdbot-AEV is a worm and IRC backdoor Trojan for the Windows platform.

W32/Sdbot-AEV spreads via file sharing on P2P networks and to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007).

The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AEV can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

http://www.sophos.com/virusinfo/analyses/w32sdbotaev.html

W32/Sdbot-AEY
Dec 22, 2005 4:33AM PST

Type: Worm

Aliases:
Backdoor.Win32.SdBot.ach
W32.Randex

W32/Sdbot-AEY is a worm and IRC backdoor Trojan for the Windows platform.

W32/Sdbot-AEY spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039) and by copying itself to network shares protected by weak passwords.

The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AEY can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

W32/Sdbot-AEY runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotaey.html

W32/Sdbot-AEZ
Dec 22, 2005 4:35AM PST

Type: Worm

Aliases:
Backdoor.Win32.SdBot.adg
W32.Randex
WORM_RBOT.CAS

W32/Sdbot-AEZ is a worm and IRC backdoor Trojan for the Windows platform.

W32/Sdbot-AEZ spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039) and by copying itself to network shares protected by weak passwords.

The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AEZ can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

W32/Sdbot-AEZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotaez.html

W32/Sdbot-AFB
Dec 22, 2005 4:38AM PST

Type: Worm

Aliases:
Backdoor.Win32.SdBot.acg
Sdbot.worm.gen.bh

W32/Sdbot-AFB is a worm and IRC backdoor Trojan for the Windows platform.

W32/Sdbot-AFB spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039) and by copying itself to network shares protected by weak passwords.

The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AFB can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

W32/Sdbot-AFB runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotafb.html

Troj/Lineage-BE
Dec 22, 2005 4:39AM PST

W32/Bagle-EX
Dec 22, 2005 9:43AM PST

Type: Worm

W32/Bagle-EX is an E-mail worm for the Windows platform.

The worm sends email with ZIP file attachments and various subjects and message texts. At the time of writing, these ZIP files and the contained EXE files are detected by Sophos's anti-virus products as Troj/BagleDl-AY.

The email may use one of the following for a message subject:

New Year's
New Year's Day.
Happy New Year
We congratulate happy New Year

The message text may contain either "The password is <image file>" or "Password: <image file>".

http://www.sophos.com/virusinfo/analyses/w32bagleex.html
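
As an added example (not part of this thread or of Sophos's write-ups), the mail-filter check below applies the traits listed in the W32/Bagle-AR and W32/Bagle-EX posts above: a blank or New Year subject, the "info"/"texte"/"password is" message text, the listed ZIP attachment names, and an executable inside the ZIP. The sample message is constructed here; its ZIP member is a stub carrying only the PE "MZ" magic, not a real binary.

```python
import email, io, zipfile
from email.message import EmailMessage
from email.policy import default
# Indicators transcribed from the Sophos descriptions quoted in the thread.
BAGLE_SUBJECTS = {"", "New Year's", "New Year's Day.", "Happy New Year", "We congratulate happy New Year"}
BAGLE_AR_ATTACHMENTS = {"text_sms.zip", "sms_text.zip", "The_new_prices.zip", "Info_prices.zip",
                        "Business_dealing.zip", "Business.zip", "Health_and_knowledge.zip"}
def zip_contains_executable(data: bytes) -> bool:
    """True if the ZIP holds a member named *.exe or whose bytes start with the PE 'MZ' magic."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(".exe") or zf.read(n)[:2] == b"MZ" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def score_bagle(raw: bytes) -> list:
    """Return which of the listed Bagle-AR / Bagle-EX email traits a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw, policy=default)
    hits = []
    if str(msg["Subject"] or "").strip() in BAGLE_SUBJECTS:   # blank, or a New Year greeting
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body else ""
    if text in ("info", "texte") or text.startswith(("The password is", "Password:")):
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in BAGLE_AR_ATTACHMENTS:
            hits.append("attachment-name")
        if name.lower().endswith(".zip") and zip_contains_executable(part.get_payload(decode=True)):
            hits.append("zip-with-exe")
    return hits

def is_suspected_bagle(raw: bytes) -> bool:
    hits = score_bagle(raw)   # quarantine rule: executable in the ZIP plus one more listed trait
    return "zip-with-exe" in hits and len(hits) >= 2

def build_sample(subject=None, text="The password is ", attach=True) -> bytes:
    """Constructed message in the shape the Bagle-AR post describes (not a real capture)."""
    msg = EmailMessage()
    if subject is not None:            # leaving the header out reproduces the '<Blank>' subject
        msg["Subject"] = subject
    msg.set_content(text)
    if attach:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("prices.exe", b"MZ" + b"\0" * 62)   # PE magic on a stub, not a real binary
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="The_new_prices.zip")
    return bytes(msg)
```

A blank subject on its own is common in legitimate mail, which is why the quarantine rule requires the executable-in-ZIP trait plus at least one other.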

Troj/BagleDl-AV
Dec 22, 2005 9:44AM PST

Troj/BagleDl-AW
Dec 22, 2005 9:45AM PST

Troj/BagleDl-AX
Dec 22, 2005 9:45AM PST

Troj/BagleDl-AY
Dec 22, 2005 9:46AM PST