General discussion

VIRUS ALERTS - February 15, 2005


Type Worm

W32/Codbot-B is a backdoor which contains functionality to spread via network shares.
W32/Codbot-B contains backdoor functionality which includes packet sniffing and downloading further code,gathering system information and killing processes.
W32/Codbot-B may create Run and RunServices registry entries in order to run itself on system startup.
W32/Codbot-B may attempt to exploit a number of vulnerabilities.

Discussion is locked

Reply to: VIRUS ALERTS - February 15, 2005
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: VIRUS ALERTS - February 15, 2005
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -

Aliases Trojan.Win32.StartPage.nk

Type Trojan

Troj/Dloader-HW is a downloader Trojan for the Windows platform.
Troj/Dloader-HW downloads a configuration file from a website in the domain. The configuration file contains URLs and filenames from which the Trojan downloads further files.

- Collapse -

Aliases Virus.Win32.DeadCode.a

Type Virus

W32/Deadcode-A is a parasitic virus for the Windows platform. The virus will locate and attempt to infect executable files with an EXE extension.
Infected files will still run and display a dialog stating "Long Live Great SERBIA" when they terminate.

- Collapse -
- Collapse -

Type Worm

W32/Rbot-VY is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-VY spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS) and using backdoors opened by other worms or Trojans.

- Collapse -
- Collapse -
- Collapse -

Type Worm

W32/Rbot-VZ is a member of the W32/Rbot family of network worms. The worm can spread to computers vulnerable to the LSASS, RPC-DCOM, and IIS5SSL exploits. For more information see Microsoft Security Bulletins MS04-011 (for both the LSASS and IIS5SSL exploits) and MS04-012 (for the RPC-DCOM exploit). The worm can also spread to weakly protected network shares.
The worm has a backdoor component that connects to a preconfigured IRC channel, allowing an attacker to issue instructions to the worm, thus giving access to an infected computer.
W32/Rbot-VZ can be instructed to scan for remote computers to infect; log any kesytrokes made on an infected computer; search for, upload, download, and execute files; attempt to disable security software; and articipate in a distributed denial-of-service (DDoS) attack.

- Collapse -

Aliases Backdoor.Win32.PdPinch.gen

Type Worm

W32/Forbot-EC is a network worm with backdoor functionality for the Windows platform. The worm allows unauthorised remote access to the infected system via IRC channels while running in the background as a service process. The worm may also spread by DCC.
W32/Forbot-EC exploits various vulnerabilities, including the LSASS vulnerability (see MS04-011).
The backdoor functionality of the worm includes being able to act as a proxy, sniff packets, download updates, delete network shares and steal keys for various software products.

- Collapse -
- Collapse -
- Collapse -
- Collapse -
- Collapse -
- Collapse -

Type Worm

W32/Sdbot-VA is a worm which attempts to spread to remote shares which have weak passwords. The worm also allows unauthorised remote access to the computer via IRC channels.
W32/Sdbot-VA copies itself to the Windows system folder as winsvc32.exe and creates entries in the registry to run on system restart.

- Collapse -

Aliases Backdoor.Win32.Agobot.nq

Type Worm

W32/Agobot-PT is a network worm with backdoor functionality for the Windows platform, allowing unauthorised remote access to the infected computer.

- Collapse -
- Collapse -
- Collapse -
- Collapse -

Type Worm

W32/Forbot-ED is a IRC backdoor and network worm for the Windows platform.
Once installed, W32/Forbot-ED connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands.
The worm can spread to unpatched machines affected by the LSASS vulnerability (see MS04-011) and through backdoors left open by the Troj/Optix Trojans.

- Collapse -

Type Worm

W32/Sdbot-GIB is a network worm with backdoor Trojan functionality for the Windows platform.
The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-GIB connects to a predetermined IRC channel and awaits further commands from remote users.

- Collapse -

Type Worm

W32/Agobot-PU is an IRC backdoor Trojan and network worm.
W32/Agobot-PU spreads to network shares with weak passwords and via network security vulnerabilities including the RPC-DCOM (MS04-012), WebDav (MS03-007) and LSASS (MS04-011) vulnerabilities.
W32/Agobot-PU will terminate and disable various anti-virus and security related programs. The worm can also download and execute remote files on the infected computer, log keystrokes, retrieve information such as CD keys for popular games and flood other computers with network packets.

CNET Forums

Forum Info