VIRUS ALERTS - February 16, 2005

W32/Codbot-C
Summary

Aliases W32/Sdbot.worm.gen.j

W32/Codbot-C is a backdoor Trojan containing functionality to spread via network shares.
The worm connects to an IRC channel and listens for backdoor commands from a remote attacker. The backdoor functionality of the worm includes the ability to sniff packets, download further malicious code and steal passwords and other system information.
W32/Codbot-C may attempt to exploit a number of vulnerabilities, including the LSASS vulnerability (MS04-011).

http://www.sophos.com/virusinfo/analyses/w32codbotc.html

Comments

W32/Sdbot-VE

Aliases WORM_SDBOT.AOH

Type Worm

W32/Sdbot-VE is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-VE spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

http://www.sophos.com/virusinfo/analyses/w32sdbotve.html

W32/Sdbot-VD

Aliases WORM_SDBOT.AOX

Type Worm

W32/Sdbot-VD is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-VD spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user, copying itself to SHELL16.DAT on the local machine at the same time.

http://www.sophos.com/virusinfo/analyses/w32sdbotvd.html

Troj/Mdrop-AE

Troj/Surila-O

Aliases Backdoor.Win32.Surila.o
BackDoor-CEB.f

Type Trojan

Troj/Surila-O is a backdoor Trojan which allows unauthorised access to the infected computer.
Troj/Surila-O can act as a web proxy allowing a remote intruder to route web traffic through the infected computer.

http://www.sophos.com/virusinfo/analyses/trojsurilao.html

W32/Rbot-WA

Type Worm

W32/Rbot-WA is a worm with backdoor Trojan functionality.
W32/Rbot-WA is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command. The worm can also spread by exploiting a number of software vulnerabilities.

http://www.sophos.com/virusinfo/analyses/w32rbotwa.html

Troj/Multidr-CE

Type Trojan

Troj/Multidr-CE is a Trojan that creates two files in the Windows system folder and then executes them.
The first file created has the name dikoweb.exe and is detected as W32/Sdbot-VE. The second file created has the name muwemafyh.exe and is detected as Troj/Ranck-CH.

http://www.sophos.com/virusinfo/analyses/trojmultidrce.html

W32/Agobot-PZ

Type Worm

W32/Agobot-PZ is a backdoor Trojan and worm which spreads to computers protected by weak passwords and to computers infected with variants of W32/MyDoom.
Each time the Trojan is run it attempts to connect to a remote IRC server and join a specific channel.
The Trojan then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32agobotpz.html

Troj/Lineage-D

W32/Sdbot-VB

W32/Sdbot-VC

Aliases WORM_SDBOT.AOW

Type Worm

W32/Sdbot-VC is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-VC spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user (it copies itself to MSYGSY.DAT on the local machine at the same time).

http://www.sophos.com/virusinfo/analyses/w32sdbotvc.html

W32/Poebot-G

Aliases Win32.PoeBot.b
WORM_POEBOT.G
WORM_POEBOT.B

Type Worm

W32/Poebot-G is a worm which attempts to spread to remote network shares with weak passwords. It also contains backdoor Trojan functionality allowing unauthorised remote access to the infected computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32poebotg.html

Troj/Borodldr-M

Troj/Borobot-M

Troj/Goldun-H

W32/Sdbot-SB

Troj/Ranck-BH

Troj/SecondT-AA

Aliases Trojan.Win32.SecondThought.aa
BackDoor-BDI

Type Trojan

Troj/SecondT-AA is a Trojan for the Windows platform.
The Trojan may register itself as a service process in order to run even when one user logs off and another logs on. Troj/SecondT-AA will attempt to download a configuration file from one of four websites. Depending on the contents of the configuration file the Trojan may do any of the following things:
Download files
Execute files
Kill running processes
Remove/Copy/Move files
Remove/Create folders
Report system information
Set/Create registry entries
The Trojan will repeatedly attempt to contact one of the following sites in order to get the configuration file.
www.danetport.com
www.infport.com
www.srfgate.com
www.webnetinfo.net

http://www.sophos.com/virusinfo/analyses/trojsecondtaa.html
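
An added example, not part of the Sophos write-up or of this thread: a Python check that runs a DNS query log against the four configuration sites named above. The log format and the client addresses are constructed for the example; widening the match from the listed www hosts to their parent domains is the example's own assumption, since the write-up only names the www hosts.

```python
"""Check DNS query logs for lookups of the configuration hosts named in the
Troj/SecondT-AA write-up. Log format and client addresses are constructed."""
from collections import Counter, defaultdict

# Hostnames taken from the write-up above.
CONFIG_HOSTS = ["www.danetport.com", "www.infport.com",
                "www.srfgate.com", "www.webnetinfo.net"]


def watch_set(hosts):
    """Exact hostnames plus their parent domains down to the registrable domain.
    Widening to the parent domain is this example's assumption: the write-up
    names only the www hosts, but the operator controls the whole domain."""
    out = set()
    for h in hosts:
        labels = h.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            out.add(".".join(labels[i:]))
    return out


WATCH = watch_set(CONFIG_HOSTS)


def matches(qname, watch=WATCH):
    """Label-boundary match: cfg.srfgate.com matches, notdanetport.com and
    infport.com.example.org do not."""
    name = qname.lower().rstrip(".")
    return name in watch or any(name.endswith("." + w) for w in watch)


# Constructed DNS query log: "<ISO time> <client> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2005-02-16T08:01:02 10.0.0.31 www.danetport.com. A
2005-02-16T08:01:02 10.0.0.31 WWW.INFPORT.COM A
2005-02-16T08:06:10 10.0.0.31 cfg.srfgate.com A
2005-02-16T08:06:11 10.0.0.31 www.webnetinfo.net A
2005-02-16T08:07:00 10.0.0.31 www.danetport.com A
2005-02-16T08:02:00 10.0.0.77 www.sophos.com A
2005-02-16T08:02:30 10.0.0.77 infport.com.example.org A
2005-02-16T08:03:00 10.0.0.77 notdanetport.com A
"""


def scan(log_text):
    """client -> Counter of matched query names (normalised to lower case, no trailing dot)."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        if matches(qname):
            hits[client][qname.lower().rstrip(".")] += 1
    return dict(hits)


def beaconing_clients(log_text, min_hits=3):
    """Clients that keep coming back: the Trojan retries the four sites repeatedly,
    so several hits from one client are a stronger signal than a single lookup."""
    return sorted(c for c, ctr in scan(log_text).items() if sum(ctr.values()) >= min_hits)


if __name__ == "__main__":
    for client, ctr in scan(SAMPLE_DNS_LOG).items():
        print(client, dict(ctr))
    print("beaconing:", beaconing_clients(SAMPLE_DNS_LOG))
```

The two lookalike names from 10.0.0.77 are there on purpose: a plain substring match would flag them, the label-boundary match does not. Sinkholing the four names on the internal resolver both cuts the Trojan off from its configuration and turns every later lookup into an alert.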

Troj/StartPa-MP

Troj/Wurmark-B

Type Trojan

Troj/Wurmark-B drops and executes W32/Sdbot-SB.
When first run Troj/Wurmark-B attempts to remove various applications and files dropped by W32/Wurmark-A.
If the Visual Basic library file msvbvm60.dll is not present on the system Troj/Wurmark-B attempts to download it from the internet.

http://www.sophos.com/virusinfo/analyses/trojwurmarkb.html

W32/Sdbot-SC

Type Worm

W32/Sdbot-SC is an IRC backdoor Trojan with spreading capability.
W32/Sdbot-SC logs onto a predefined IRC server and waits for backdoor commands.
W32/Sdbot-SC may spread to other machines protected by weak passwords.

http://www.sophos.com/virusinfo/analyses/w32sdbotsc.html

Troj/Ranck-BI

Troj/Multidr-BA

Troj/Crabton-C

Aliases Trojan-Downloader.Win32.Zdesnado.z

Type Trojan

Troj/Crabton-C is a downloader Trojan that attempts to download configuration files from a website detailing what other files to download and execute.
The Trojan weakens the security of an infected system by removing anti-virus and security related applications and disabling web access to the vendors' websites.

http://www.sophos.com/virusinfo/analyses/trojcrabtonc.html
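
An added example, not from the Sophos write-up or this thread: the write-up says Troj/Crabton-C disables web access to the vendors' sites but not how, so this Python check assumes the usual mechanism, entries in the Windows hosts file that pin vendor names to a dead address. The hosts-file contents and the vendor list are constructed for the example.

```python
"""Check a Windows hosts file for entries that pin security-vendor names, the
classic way a Trojan cuts a machine off from AV vendor sites. The write-up for
Troj/Crabton-C says it disables web access to the vendors' sites but not how;
the hosts-file mechanism and the vendor list are this example's assumptions."""

# On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts.
VENDOR_DOMAINS = ["sophos.com", "symantec.com", "kaspersky.com", "mcafee.com",
                  "trendmicro.com"]

# Constructed hosts-file content; tabs, trailing comments and IPv6 included on purpose.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1\twww.sophos.com  sophos.com  # added by malware
0.0.0.0   securityresponse.symantec.com liveupdate.symantec.com
::1   www.kaspersky.com
10.0.0.5  intranet.example.local
127.0.0.1  notsophos.com
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping; comments and blanks skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            yield n, parts[0], host.lower()


def is_vendor_host(host):
    """Label-boundary match so notsophos.com is not mistaken for sophos.com."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def vendor_overrides(text):
    """Every hosts entry that pins a security-vendor name to a fixed address.
    Any such entry is suspicious: vendor sites have no business in the hosts file,
    whatever address they are mapped to."""
    return [(n, addr, host) for n, addr, host in parse_hosts(text) if is_vendor_host(host)]


def clean_hosts(text):
    """Return the file with vendor overrides removed; other names on the same line survive."""
    out = []
    for raw in text.splitlines():
        body, sep, comment = raw.partition("#")
        parts = body.split()
        if len(parts) >= 2:
            keep = [h for h in parts[1:] if not is_vendor_host(h.lower())]
            if not keep:
                continue  # the whole line was vendor overrides
            body = " ".join([parts[0]] + keep) + (" " if sep else "")
        out.append(body + sep + comment)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, addr, host in vendor_overrides(SAMPLE_HOSTS):
        print(f"line {n}: {host} -> {addr}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Run it against the live file only after the Trojan itself is gone, otherwise the entries come straight back; and remember that the same write-up says the Trojan also removes security applications, so a clean hosts file does not mean a clean machine.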

W32/Sdbot-SD

Aliases Backdoor.Win32.SdBot.gen
WORM_SDBOT.XK

Type Worm

W32/Sdbot-SD is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-SD may also attempt to spread through backdoors left behind by the MyDoom family of worms.

http://www.sophos.com/virusinfo/analyses/w32sdbotsd.html

W32/Sdbot-VH

Type Worm

W32/Sdbot-VH is a network worm with backdoor functionality for the Windows platform.
The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-VH connects to a predetermined IRC channel and awaits further commands from remote users.

http://www.sophos.com/virusinfo/analyses/w32sdbotvh.html
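
An added example, not part of the Sophos write-ups or this thread, covering the behaviour shared by the bot entries from W32/Codbot-C down to W32/Sdbot-VH: a plaintext IRC control channel to an outside host, and a burst of SMB (and, for Sdbot-VH, MS-SQL) connection attempts across the LAN as the bot tries weak passwords or exploits. The connection-log format, addresses, IRC nick and thresholds are all assumptions made up for the example; real logs need their own parser.

```python
"""Hunt for IRC-bot behaviour of the Codbot/Sdbot/Rbot/Agobot kind in a
connection log: an IRC control channel to an external host plus a fan-out of
SMB/MS-SQL connection attempts across the local network (share spraying).
The log format and all addresses below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16")]
SPREAD_PORTS = {139, 445, 1433}  # NetBIOS/SMB shares, plus MS-SQL as used by Sdbot-VH
# IRC client registration verbs. Match the protocol rather than port 6667:
# bot herders routinely run their servers on arbitrary ports.
IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PASS)\b")

# Constructed sample log, one connection per line:
#   "<ISO time> <src> <dst> <dport> <first bytes of payload or '-'>"
# 10.0.0.23 registers on an IRC server and then tries 40 LAN hosts on 445
# inside 20 seconds; 10.0.0.42 is ordinary traffic (HTTPS out, one file server).
_LINES = [
    "2005-02-16T09:00:01 10.0.0.23 198.51.100.7 6667 NICK [USA|XP|01234]",
    "2005-02-16T09:00:01 10.0.0.23 198.51.100.7 6667 USER xpuser 0 0 :xpuser",
    "2005-02-16T09:00:02 10.0.0.23 198.51.100.7 6667 JOIN #bots secret",
    "2005-02-16T09:10:00 10.0.0.42 203.0.113.9 443 -",
    "2005-02-16T09:11:00 10.0.0.42 10.0.0.5 445 -",
]
_LINES += [f"2005-02-16T09:00:{5 + i // 2:02d} 10.0.0.23 10.0.0.{100 + i} 445 -"
           for i in range(40)]
SAMPLE_LOG = "\n".join(_LINES) + "\n"


def parse_log(text):
    """Split the constructed format into records; the payload field may contain spaces."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, payload = line.split(" ", 4)
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "dport": int(dport), "payload": payload})
    return records


def is_local(ip):
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def irc_control_hosts(records):
    """src -> set of external (dst, port) that received IRC registration verbs."""
    hits = defaultdict(set)
    for r in records:
        if not is_local(r["dst"]) and IRC_CMD.match(r["payload"]):
            hits[r["src"]].add((r["dst"], r["dport"]))
    return dict(hits)


def lateral_fanout(records, window=timedelta(seconds=60), threshold=20):
    """src -> largest number of distinct internal hosts contacted on SPREAD_PORTS
    within any `window`; only sources reaching `threshold` are returned."""
    per_src = defaultdict(list)
    for r in records:
        if r["dport"] in SPREAD_PORTS and is_local(r["dst"]):
            per_src[r["src"]].append((r["ts"], r["dst"]))
    flagged = {}
    for src, attempts in per_src.items():
        attempts.sort()
        best = 0
        for i, (t0, _) in enumerate(attempts):
            in_window = {dst for t, dst in attempts[i:] if t - t0 <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[src] = best
    return flagged


def hunt(text):
    """Hosts that show both behaviours: an IRC control channel and a LAN fan-out."""
    records = parse_log(text)
    return sorted(set(irc_control_hosts(records)) & set(lateral_fanout(records)))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("IRC control channels:", irc_control_hosts(recs))
    print("share/SQL fan-out:", lateral_fanout(recs))
    print("bots:", hunt(SAMPLE_LOG))
```

Either signal alone is noisy (a vulnerability scanner also fans out on 445, a human may really be on IRC); a host showing both within minutes is worth pulling off the network. The threshold of 20 hosts per minute is a starting point to tune against your own baseline, and the check says nothing about a bot whose herder has not yet issued the spread command, which is exactly the case the Sdbot write-ups describe.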

Troj/Manacle-A

Aliases IM-Worm.Win32.Bropia.g
BackDoor-COD

Type Trojan

Troj/Manacle-A is a Trojan that drops and runs a worm detected as W32/Forbot-EE.
When first run, the Trojan displays an adult image.
The Trojan may display a URL at members.home.nl, preceded by one of the following strings:
LOOK!
***....
****!
LMFAO!
rofl!
At the time of writing the URL points to a non-existent file, but this may have previously pointed to a copy of the Trojan.

http://www.sophos.com/virusinfo/analyses/trojmanaclea.html

W32/Forbot-EE

Aliases Backdoor.Win32.Rbot.iv
WORM_WOOTBOT.GEN
BackDoor-COD

Type Worm

W32/Forbot-EE is a network worm with backdoor functionality for the Windows platform.
W32/Forbot-EE may spread by copying itself to network shares with weak passwords.
The worm contains functionality to delete network shares, download and run more software, terminate processes and participate in denial-of-service attacks.

http://www.sophos.com/virusinfo/analyses/w32forbotee.html

Troj/Bobdoor-A

Type Trojan

Troj/Bobdoor-A is a backdoor Trojan for the Windows platform.
Troj/Bobdoor-A listens on port 2000 and runs any commands that are received via this channel.
Troj/Bobdoor-A is appended to EXE files and can be disinfected. The Trojan is not a virus, however, as it cannot infect other files on its own. Infected files must be created with a separate infecting program.

http://www.sophos.com/virusinfo/analyses/trojbobdoora.html

W32/Ahker-D

Aliases Email-Worm.Win32.Anker.d
WORM_AHKER.D

Type Worm

W32/Ahker-D is a mass mailing worm. It will attempt to send itself to addresses found on the infected computer. The email sent will appear to be from securityresponse@symantec.com, with a random subject line and an attachment called Patch.zip. The email will contain a reference to a patch for a fake new Blaster worm from Symantec.
W32/Ahker-D contains a payload which can overwrite hal.dll with a predefined string, and disable running of explorer.exe at several predefined dates.

http://www.sophos.com/virusinfo/analyses/w32ahkerd.html
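
An added example, not from the Sophos write-up or this thread: a Python mail filter for the lure described above, a message that claims to come from securityresponse@symantec.com and carries a Patch.zip. The test messages are built with the standard library and are not real samples; sophos.com in the vendor list and the lure word list are the example's own additions.

```python
"""Flag mail matching the W32/Ahker-D lure: a message claiming to come from a
security vendor that carries an archive or executable 'patch'. The messages
below are constructed with the standard library, not real samples."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# symantec.com is the domain the worm forges; sophos.com is added for the example.
VENDOR_DOMAINS = {"symantec.com", "sophos.com"}
RISKY_EXT = (".zip", ".exe", ".scr", ".pif", ".bat", ".com")
LURE_WORDS = ("patch", "blaster", "worm", "update")


def build_sample(from_addr, subject, body, attachment_name=None):
    """Constructed test message; the attachment bytes are a placeholder, not an archive."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                           subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def assess(raw):
    """Reasons the message matches the fake-vendor-patch pattern (empty list = clean).
    The From header is trivially forged, so the check keys on what the sender claims
    to be combined with what is attached, not on the header being genuine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    risky = [p.get_filename() for p in msg.iter_attachments()
             if (p.get_filename() or "").lower().endswith(RISKY_EXT)]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = ((body.get_content() if body else "") + " " + (msg["Subject"] or "")).lower()
    reasons = []
    if domain in VENDOR_DOMAINS and risky:
        reasons.append(f"claims {domain} but attaches {risky}; "
                       "vendors do not mail patches as attachments")
    if risky and any(w in text for w in LURE_WORDS):
        reasons.append("patch/worm lure wording alongside a risky attachment")
    return reasons


if __name__ == "__main__":
    fake = build_sample("securityresponse@symantec.com", "Re: 0x3A7F",
                        "Symantec has released a patch for the new Blaster worm. "
                        "Run the attached Patch.zip.", "Patch.zip")
    for reason in assess(fake):
        print("FLAG:", reason)
```

The first rule carries the weight: no vendor distributes patches as mail attachments, so a vendor sender plus an archive is enough to quarantine regardless of wording. The lure-word rule catches the same mail when the worm picks a different sender, at the cost of more false positives on legitimate internal "please apply the update" mail.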

Troj/Dloader-HZ

Aliases Trojan-Downloader.Win32.INService.bl

Type Trojan

Troj/Dloader-HZ is a Trojan downloader.
Troj/Dloader-HZ downloads two files from remote locations and saves them to the Windows temp folder with filenames starting MUTE and VOLUME and with EXE extensions, executing them once they have downloaded.

http://www.sophos.com/virusinfo/analyses/trojdloaderhz.html
