
VIRUS ALERTS - December 23, 2005

Dec 22, 2005 7:58PM PST

Troj/Dadobra-DF
Dec 23, 2005 12:16AM PST

Type
Spyware Trojan

Aliases
Trojan-Downloader.Win32.Dadobra.df

Troj/Dadobra-DF is a downloader Trojan for the Windows platform.

Troj/Dadobra-DF includes functionality to capture keystrokes, send email, display bitmap images, access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojdadobradf.html

Troj/Dloader-RN
Dec 23, 2005 12:17AM PST

Troj/Banload-H
Dec 23, 2005 1:03AM PST

Type
Trojan

Aliases
Trojan-Downloader.Win32.Banload.ib

Troj/Banload-H is a Trojan for the Windows platform.

Troj/Banload-H includes functionality to access the internet and communicate with a remote server via HTTP.

Troj/Banload-H may try to silently download and execute programs from a predefined web-site.

At the time of writing, this file is detected as Troj/Bancb-Fam.

http://www.sophos.com/virusinfo/analyses/trojbanloadh.html

Troj/Webdrop-C
Dec 23, 2005 1:07AM PST

Type
Trojan

Aliases
Trojan-Dropper.VBS.Inor.cz
JS/Exploit-HelpXSite

Troj/Webdrop-C is a downloader Trojan for the Windows platform.

Troj/Webdrop-C may attempt to download onto a susceptible computer files detected as Troj/Inor-Fam, Troj/DownLdr-DL, Troj/Dloader-KH, and Troj/Codebase-C.

http://www.sophos.com/virusinfo/analyses/trojwebdropc.html

Troj/Spywad-J
Dec 23, 2005 1:09AM PST

Type
Trojan

Aliases
Downloader-AFH

Troj/Spywad-J is a Trojan for the Windows platform.

Troj/Spywad-J periodically displays fake warning messages in the Windows taskbar and attempts to change the user's Desktop wallpaper to another fake warning message.

http://www.sophos.com/virusinfo/analyses/trojspywadj.html

Troj/Dloadr-AAD
Dec 23, 2005 1:11AM PST

Troj/Dowadv-A
Dec 23, 2005 1:23AM PST

Type
Trojan

Aliases
Trojan-Downloader.Win32.Small.bfy
Generic Downloader.u
Download.Trojan

Troj/Dowadv-A is a downloader Trojan for the Windows platform.

Troj/Dowadv-A contacts a remote website to determine how many and which files to download.

Troj/Dowadv-A attempts to close certain notification windows related to anti-virus and security programs.

http://www.sophos.com/virusinfo/analyses/trojdowadva.html

Troj/Feutel-AH
Dec 23, 2005 1:25AM PST

Type
Spyware Trojan

Aliases
Trojan-Spy.Win32.Delf.bf
Win32/Spy.Delf.BF
TROJ_DELF.DO

Troj/Feutel-AH is a backdoor Trojan for the Windows platform.

Troj/Feutel-AH contains backdoor functionality that allows a remote user to:
- access the computer's file system
- create screen and video captures
- listen in on the infected computer
- download, upload and run files
- log key presses

Troj/Feutel-AH may create a DLL file which is the keylogging component of the Trojan.

http://www.sophos.com/virusinfo/analyses/trojfeutelah.html

Troj/Torpig-L
Dec 23, 2005 1:27AM PST

Type
Spyware Trojan

Aliases
Trojan-Dropper.Win32.Agent.abo
trojan or variant New

Troj/Torpig-L is a Trojan for the Windows platform.

The Trojan attempts to steal passwords, logs keypresses and open window titles to text files, and periodically sends the collected information to a remote user via HTTP.

The Trojan downloads and executes additional files from a remote site. Configuration files may also be downloaded which define further behaviors.

Troj/Torpig-L automatically closes security warning messages displayed by common anti-virus and security-related applications.

http://www.sophos.com/virusinfo/analyses/trojtorpigl.html

W32/Rbot-AXW
Dec 23, 2005 1:28AM PST

Type
Worm

Aliases
Backdoor.Win32.Iroffer.23b05
W32/Sdbot.worm.gen.t
W32.Spybot.Worm

W32/Rbot-AXW is a network worm and IRC backdoor Trojan for the Windows platform. W32/Rbot-AXW runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-AXW spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011) (CAN-2003-0812), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and ASN.1 (MS04-007), and by copying itself to network shares protected by weak passwords.

http://www.sophos.com/virusinfo/analyses/w32rbotaxw.html

Troj/Prosti-C
Dec 23, 2005 1:35AM PST

Type
Trojan

Aliases
Backdoor.Win32.Prosti.c
AFXrootkit.gen
BKDR_PROSTI.D

Troj/Prosti-C is a backdoor Trojan creation kit.

Troj/Prosti-C is used to configure and create backdoor Trojan servers.

These servers are detected by Sophos Anti-Virus as W32/Bdoor-ZAR.

http://www.sophos.com/virusinfo/analyses/trojprostic.html

Troj/Small-FQ
Dec 23, 2005 1:38AM PST

Troj/Mifeng-E
Dec 23, 2005 1:39AM PST

Troj/Fasong-C
Dec 23, 2005 1:41AM PST

Troj/Fasong-D
Dec 23, 2005 1:43AM PST

Troj/Fasong-E
Dec 23, 2005 1:44AM PST

W32/Tilebot-GS
Dec 23, 2005 5:58AM PST

Type
Worm

Aliases
WORM_SDBOT.CWF
W32/Tilebot-Gen

W32/Tilebot-GS is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-GS spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Tilebot-GS runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Tilebot-GS includes functionality to access the internet and communicate with a remote server via HTTP.

Sophos's anti-virus products include Genotype detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Tilebot-GS (detected as W32/Tilebot-Gen) since version 3.97.

The following patches for the vulnerabilities exploited by W32/Tilebot-GS are available from Microsoft:

http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx

http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx

http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx

http://www.sophos.com/virusinfo/analyses/w32tilebotgs.html

Troj/Bckdr-AY
Dec 23, 2005 6:00AM PST

Troj/ServU-BS
Dec 23, 2005 6:02AM PST

Type
Trojan

Troj/ServU-BS is a hacked version of a commercial FTP application.

By default, the Trojan runs an FTP server on TCP port 43958. This can be overridden by configuration data read from a file called comtcldebug.dll in the current folder.

http://www.sophos.com/virusinfo/analyses/trojservubs.html

Troj/Spyjack-I
Dec 23, 2005 6:03AM PST

Troj/StartPa-IO
Dec 23, 2005 6:05AM PST

Troj/VB-NU
Dec 23, 2005 6:07AM PST

Troj/VBbot-J
Dec 23, 2005 6:08AM PST

Troj/Zlob-BL
Dec 23, 2005 6:10AM PST

VBS/BWG-D
Dec 23, 2005 6:11AM PST

W32/Cratab-A
Dec 23, 2005 6:13AM PST

W32/Bagle-BY
Dec 23, 2005 6:14AM PST

Type
Worm

Aliases
Email-Worm.Win32.Bagle.ex

W32/Bagle-BY is an email worm for the Windows platform.

The worm sends email containing an attached ZIP file. At the time of writing, these ZIP files and the contained EXE files are detected by Sophos's anti-virus products as Troj/BagleDl-AZ.

The email may use one of the following for a message subject:

New Year's
New Year's Day.
Happy New Year
We congratulate happy New Year

The message text may contain either "The password is <image file>" or "Password: <image file>"

http://www.sophos.com/virusinfo/analyses/w32bagleby.html

Troj/Bagle-AS
Dec 23, 2005 6:15AM PST

W32/Ixbot-Gen
Dec 23, 2005 6:16AM PST

Type
Worm

Sophos's anti-virus products detect members of the W32/Ixbot family of IRC backdoor worms as W32/Ixbot-Gen.

The worm usually spreads using the AOL Instant Messenger service.

Members of the W32/Ixbot family of worms typically include functionality to:
- remove or disable registry entries related to security and anti-virus applications
- download files from the internet

http://www.sophos.com/virusinfo/analyses/w32ixbotgen.html

Troj/BagleDl-AZ
Dec 23, 2005 6:16AM PST