
VIRUS ALERTS - December 26, 2005

Dec 25, 2005 11:39PM PST

W32/Rbot-BFR

Type
Worm

Aliases
Backdoor.Win32.Rbot.alj
W32/Sdbot.worm.gen.n
W32.Spybot.Worm
WORM_RBOT.DFP

W32/Rbot-BFR is a network worm with backdoor functionality for the Windows platform.

W32/Rbot-BFR spreads:

- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-BFR runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbfr.html

W32/Rbot-BFS
Dec 25, 2005 11:41PM PST

Type
Worm

Aliases
Backdoor.Win32.Rbot.gen
W32/Sdbot.worm.gen.bh

W32/Rbot-BFS is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-BFS spreads:

- to other network computers infected with: W32/MyDoom and W32/Bagle
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), Veritas (CAN-2004-1172) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-BFS runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbfs.html

W32/Brontok-I
Dec 25, 2005 11:42PM PST

W32/Brontok-H
Dec 25, 2005 11:51PM PST

Virus Signature File
Dec 26, 2005 12:13AM PST

Type
Spyware Trojan

Aliases
Backdoor.Win32.PcClient.jf
BackDoor-CKB

Troj/PcClient-X is a backdoor Trojan for the Windows platform that provides unauthorized remote access to the infected computer.

Troj/PcClient-X includes keylogging functionality.

http://www.sophos.com/virusinfo/analyses/trojpcclientx.html

Troj/Banload-AI
Dec 26, 2005 12:14AM PST

Troj/Bander-AD
Dec 26, 2005 12:16AM PST

Troj/Agent-IG
Dec 26, 2005 12:17AM PST

Type
Spyware Trojan

Troj/Agent-IG is a Trojan for the Windows platform.

Troj/Agent-IG is capable of spying on a user's browsing habits, modifying Microsoft Internet Explorer settings, downloading further executables and displaying popup advertisements.

http://www.sophos.com/virusinfo/analyses/trojagentig.html

Troj/Agent-IF
Dec 26, 2005 12:19AM PST

Type
Spyware Trojan

Troj/Agent-IF is a Trojan for the Windows platform.

Troj/Agent-IF is capable of spying on a user's browsing habits, modifying Microsoft Internet Explorer settings, downloading further executables and displaying popup advertisements.

http://www.sophos.com/virusinfo/analyses/trojagentif.html

Troj/Agent-IE
Dec 26, 2005 12:20AM PST

Troj/Raker-B
Dec 26, 2005 7:41AM PST

Troj/Torpig-V
Dec 26, 2005 7:42AM PST

Type Spyware Trojan

Aliases PWS-JA

Troj/Torpig-V is an information stealing Trojan for the Windows platform.
The Trojan attempts to steal passwords, as well as logging keypresses and open window titles to text files and periodically sends the collected information to a remote user via HTTP.
Troj/Torpig-V automatically closes security warning messages displayed by common anti-virus and security related applications.

http://www.sophos.com/virusinfo/analyses/trojtorpigv.html

W32/Rbot-BFT
Dec 26, 2005 7:43AM PST

Type Spyware Worm

W32/Rbot-BFT is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-BFT spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), MSSQL (MS02-039) (CAN-2002-0649) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

http://www.sophos.com/virusinfo/analyses/w32rbotbft.html

Troj/Banker-LI
Dec 26, 2005 7:43AM PST

Troj/Hupigon-K
Dec 26, 2005 7:44AM PST

Troj/Bancban-MX
Dec 26, 2005 7:45AM PST

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Banker.ahy

Troj/Bancban-MX is an internet banking Trojan for the Windows platform.
Troj/Bancban-MX has the functionalities to:
- enumerate windows and display fake screens
- steal information
- send notification messages to a remote location via email

http://www.sophos.com/virusinfo/analyses/trojbancbanmx.html

Troj/Lineage-CG
Dec 26, 2005 7:46AM PST

Troj/StartPa-IH
Dec 26, 2005 7:47AM PST

W32/Tilebot-GS
Dec 26, 2005 7:48AM PST

Type Worm

Aliases WORM_SDBOT.CWF
W32/Tilebot-Gen

W32/Tilebot-GS is a worm and IRC backdoor for the Windows platform.
W32/Tilebot-GS spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Tilebot-GS runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Tilebot-GS includes functionality to access the internet and communicate with a remote server via HTTP.
Sophos's anti-virus products include Genotype detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Tilebot-GS (detected as W32/Tilebot-Gen) since version 3.97.
The following patches for the vulnerabilities exploited by W32/Tilebot-GS are available from Microsoft:
- MS03-049
- MS04-007
- MS04-011
- MS04-012
- MS05-039

http://www.sophos.com/virusinfo/analyses/w32tilebotgs.html

Troj/Bckdr-AY
Dec 26, 2005 7:49AM PST

Troj/ServU-BS
Dec 26, 2005 7:49AM PST

Type Trojan

Troj/ServU-BS is a hacked version of a commercial FTP application.
By default, the Trojan runs an FTP server on TCP port 43958. This can be overridden by configuration data read from a file called comtcldebug.dll in the current folder.

http://www.sophos.com/virusinfo/analyses/trojservubs.html

Troj/Spyjack-I
Dec 26, 2005 7:50AM PST

Troj/StartPa-IO
Dec 26, 2005 7:51AM PST

Troj/VB-NU
Dec 26, 2005 7:52AM PST

Troj/VBbot-J
Dec 26, 2005 7:53AM PST

Troj/Zlob-BL
Dec 26, 2005 7:53AM PST

VBS/BWG-D
Dec 26, 2005 7:54AM PST

W32/Cratab-A
Dec 26, 2005 7:55AM PST

W32/Bagle-BY
Dec 26, 2005 7:56AM PST

Type Worm

Aliases Email-Worm.Win32.Bagle.ex

W32/Bagle-BY is an email worm for the Windows platform.
The worm sends email containing an attached ZIP file. At the time of writing, these ZIP files and the contained EXE files are detected by Sophos's anti-virus products as Troj/BagleDl-AZ.
The email may use one of the following for a message subject:
- New Year's
- New Year's Day.
- Happy New Year
- We congratulate happy New Year

The message text may contain either "The password is <image file>" or "Password: <image file>"

http://www.sophos.com/virusinfo/analyses/w32bagleby.html

Troj/BagleDl-AZ
Dec 26, 2005 7:57AM PST

W32/Hazif-C
Dec 26, 2005 2:06PM PST

Type Spyware Worm

W32/Hazif-C is a password stealing worm for the Windows platform.
W32/Hazif-C can spread to the floppy drive with a preconfigured filename.
W32/Hazif-C can be used to steal passwords for Yahoo Instant Messenger and can be preconfigured to send stolen passwords via email, Yahoo IM, or by accessing a remote URL.

http://www.sophos.com/virusinfo/analyses/w32hazifc.html