VIRUS ALERTS - December 8, 2005

Type
Trojan

Aliases
Packed.Win32.Klone.b
Galapoper
TROJ_GALAPOPER.A

Troj/Orse-L is a Trojan for the Windows platform.

Troj/Orse-L includes functionality to silently download, install and run new software. Troj/Orse-L will also attempt to download configuration data from preconfigured websites which may instruct the Trojan to send emails.

http://www.sophos.com/virusinfo/analyses/trojorsel.html

Type
Spyware Trojan

Aliases
Trojan-Spy.Win32.Banker.ahy

Troj/Bancban-IY is a Trojan for the Windows platform.

Troj/Bancban-IY includes functionality to send notification messages to remote locations.

http://www.sophos.com/virusinfo/analyses/trojbancbaniy.html

Type
Trojan

Aliases
Trojan-Downloader.Win32.Small.ayl

Troj/Bahnhof-B is a downloader Trojan.

Troj/Bahnhof-B includes functionality to download, install and run new software.

Troj/Bahnhof-B will download and decrypt a file to either the Temporary folder or the Windows folder. The Trojan will then run the decrypted executable.

http://www.sophos.com/virusinfo/analyses/trojbahnhofb.html

Type
Spyware Trojan

Aliases
Trojan-Spy.Win32.Banker.ahy
PWS-Banker.gen.bb

Troj/Bancban-IX is an internet banking Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojbancbanix.html

Type
Spyware Trojan

Aliases
Trojan-PSW.Win32.QQRob.ak

Troj/QQRob-X is a password stealing Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojqqrobx.html

Type
Spyware Trojan

Aliases
Backdoor.Win32.Dumador.ew

Troj/Dumaru-W is a Trojan for the Windows platform.

Troj/Dumaru-W attempts to log keystrokes and other data from the infected computer and periodically sends this data to a remote website.

Troj/Dumaru-W changes settings for Microsoft Internet Explorer.

Troj/Dumaru-W attempts to bypass the Windows firewall.

Troj/Dumaru-W modifies the HOSTS file.

http://www.sophos.com/virusinfo/analyses/trojdumaruw.html

Type
Worm

Aliases
Backdoor.Win32.SdBot.aib
W32/Sdbot.worm.gen.bh

W32/Rbot-AZA is a Trojan for the Windows platform.

W32/Rbot-AZA spreads:

- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-AZA runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-AZA includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/w32rbotaza.html

Type
Worm

Aliases
W32/Opanki.worm.gen

W32/Ixbot-E is a worm and IRC backdoor Trojan for the Windows platform.

W32/Ixbot-E runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Ixbot-E spreads using the AOL Instant Messenger service.

When first run W32/Ixbot-E copies itself to <System>
\ebmqbx.exe.

http://www.sophos.com/virusinfo/analyses/w32ixbote.html

Type
Trojan

Aliases
Trojan-Dropper.Win32.Small.vv
Downloader-XB

Troj/Dloadr-ABJ is a Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojdloadrabj.html

Type
Trojan

Aliases
Trojan-Dropper.Win32.Agent.adv

Troj/Clicker-AG is a Trojan for the Windows platform.

Troj/Clicker-AG includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojclickerag.html

Type
Spyware Trojan

Aliases
Trojan-Spy.Win32.Banbra.df

Troj/Bancban-KQ is a Torjan for the Windows platform.

Troj/Bancban-KQ targets the customers of certain Brazilian online banking websites, and attempts to steal account details.

http://www.sophos.com/virusinfo/analyses/trojbancbankq.html

Type
Spyware Trojan

Aliases
Trojan-Spy.Win32.Banker.ahy
PWS-Banker.gen.bb

Troj/Bancban-KY is a password-stealing Trojan for the Windows platform.

Troj/Bancban-KY includes functionality to send notification messages to remote locations.

Troj/Bancban-KY may display fake login interfaces for certain Brazilian banking websites in order to steal login details. Any information retrieved in this manner is submitted to the author by email.

http://www.sophos.com/virusinfo/analyses/trojbancbanky.html

Type
Spyware Trojan

Aliases
Trojan-Dropper.Win32.Agent.aar
PWS-Banker.dll
PWSteal.Banker.B

Troj/Bankhof-E is a password stealing Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojbankhofe.html

Type
Worm

Aliases
Trojan.Win32.Pakes
W32/Opanki.worm

W32/Opanki-W is a worm and IRC backdoor Trojan for the Windows platform.

W32/Opanki-W spreads via AOL Instant Messenger and via weak passwords.

W32/Opanki-W runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32opankiw.html

Type
Spyware Trojan

Aliases
Trojan-Spy.Win32.Banbra.cc

Troj/Banker-IL is a password stealing Trojan for the Windows platform.

Troj/Banker-IL targets the customers of certain Brazilian online banking websites by displaying fake interfaces and recording any details that are entered.

http://www.sophos.com/virusinfo/analyses/trojbankeril.html

Type
Trojan

Aliases
Trojan-Spy.Win32.Agent.dg

Troj/Agent-FJ is a Trojan for the Windows platform.

Troj/Agent-FJ may drop the stealthing component Troj/Rootkit-V.

http://www.sophos.com/virusinfo/analyses/trojagentfj.html

Type
Spyware Trojan

Aliases
Trojan-PSW.Win32.Agent.eb

Troj/PWSSagi-F is a Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojpwssagif.html

Type
Worm

Aliases
W32/Zusha.worm

W32/Zusha-D is a worm for the Windows platform.

W32/Zusha-D spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011) and RPC-DCOM (MS04-012).

W32/Zusha-D includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/w32zushad.html

Type
Trojan

Aliases
Del-489

Troj/DelAll-F is a Trojan for the Windows platform.

When run, Troj/DelAll-F attempts to delete all the files on the drive from which it was run.

http://www.sophos.com/virusinfo/analyses/trojdelallf.html

Type
Trojan

Aliases
Trojan-Downloader.Win32.Small.amb
StartPage-DU

Troj/DownLdr-EK is a downloader Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojdownldrek.html

Type Trojan

Troj/Funot-A is a Trojan for the Windows platform that includes functionality to
replace exist files using the original filenames with the text file, rename exist files using names contructed from the predefined list, creates text files, to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojfunota.html

Type Spyware Trojan

Aliases Trojan-Spy.Win32.VB.cp
PWSteal.Trojan

Troj/Keylog-AU is a configurable keylogging application for the Windows platform.
Troj/Keylog-AU can log keypresses and send the log files via FTP.

http://www.sophos.com/virusinfo/analyses/trojkeylogau.html

Type Trojan

Troj/Krepper-Y is a Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojkreppery.html

Type Trojan

Aliases Trojan-Proxy.Win32.Ranky.cv

Troj/Ranck-DG is a Trojan for the Windows platform.
When run, Troj/Ranck-DG opens a random port and allows remote attackers the ability to route HTTP traffic through the infected computer.

http://www.sophos.com/virusinfo/analyses/trojranckdg.html

Type Trojan

Aliases Backdoor.Win32.Bifrose.hm

Troj/Bifrose-HM is a backdoor Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojbifrosehm.html

Type Trojan

Aliases Trojan-Downloader.Win32.Zlob.ci

Troj/Zlob-Q is a downloading Trojan for the Windows platform.
The following registry entry is created to run Troj/Zlob-Q on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
kernel32.dll
<pathname of the Trojan executable>

http://www.sophos.com/virusinfo/analyses/trojzlobq.html

Type Trojan

Aliases Trojan-Downloader.Win32.Zlob.cc
Downloader-AQW

Troj/Zlob-CC is a downloader Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojzlobcc.html

Type Trojan

Aliases Backdoor.Win32.PcClient.gf
BackDoor-CKB
Backdoor.Pcclient

Troj/Bckdr-CKC is a multicomponent backdoor Trojan for the Windows platform.
Troj/Bckdr-CKC includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojbckdrckc.html

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Banker.bw
PWS-Banker.gen.b

Troj/Banker-IH is a Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojbankerih.html

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Banker.ahy
PWS-Banker.gen.ba

Troj/Banker-AHZ is a Trojan for the Windows platform.
The Trojan monitors internet sessions and displays fake login pages when certain banking web sites are visited. Stolen credentials are sent to a remote attacker via email.

http://www.sophos.com/virusinfo/analyses/trojbankerahz.html