VIRUS ALERTS - February 17, 2005

W32/Rbot-WB
Summary

Aliases Backdoor.Win32.SdBot.ve; W32/Sdbot.worm.gen.y

Type Worm

W32/Rbot-WB is a worm with backdoor Trojan functionality.
W32/Rbot-WB is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.
W32/Rbot-WB may also spread by exploiting the following vulnerabilities:
LSASS (MS04-011)
DCOM (MS04-012)
Microsoft SQL servers with weak passwords.

http://www.sophos.com/virusinfo/analyses/w32rbotwb.html

Comments

W32/Forbot-EF

Aliases Backdoor.Win32.Rbot.gl; W32/Sdbot.worm.gen.t; W32/Sdbot.DMV

Type Worm

W32/Forbot-EF is a worm which attempts to spread to remote network shares and computers vulnerable to common exploits. W32/Forbot-EF also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via the IRC network, while running in the background as a service process.
W32/Forbot-EF connects to a preconfigured IRC channel and awaits commands from a remote intruder. These include commands to steal information, delete network shares, reduce system security, start a proxy server, participate in DDoS attacks, exploit vulnerabilities, steal registration keys for computer games and harvest email addresses from the Windows address book and Instant Messenger configuration files.

http://www.sophos.com/virusinfo/analyses/w32forbotef.html
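
The IRC command-and-control behaviour described in this entry (and shared by the other bot entries in this thread: a bot joins a preconfigured channel and waits for commands) is something a network sensor can look for. The following is an added example, not code from the Sophos analysis or from any of the worms; it runs a small detection heuristic over constructed connection records. The record format, the nick pattern `[TAG|TAG]-digits`, the `.scan`-style command prefix and the "standard" IRC ports are assumptions made for the example, not indicators taken from the advisory.

```python
import re
from collections import defaultdict

# Constructed sample records (not real traffic): (src, dst, dst_port, first payload bytes as text).
# 10.0.0.12 behaves like an IRC-controlled bot; 10.0.0.33 is a person using an ordinary IRC client;
# 10.0.0.7 is a TLS client whose first bytes are a ClientHello, not IRC.
SAMPLE_CONNECTIONS = [
    ("10.0.0.12", "203.0.113.5", 6667,
     "NICK [USA|XP]-8213\r\nUSER xqmz 0 0 :xqmz\r\nJOIN #rb0t k3y\r\n"),
    ("10.0.0.12", "203.0.113.5", 6667,
     "PRIVMSG #rb0t :.scan lsass 200 5 0 -r -s\r\n"),
    ("10.0.0.7", "198.51.100.9", 443, "\x16\x03\x01\x00\xa5\x01\x00"),
    ("10.0.0.33", "192.0.2.44", 6697,
     "NICK dave\r\nUSER dave 0 * :Dave\r\nJOIN #linux\r\n"),
    ("10.0.0.33", "192.0.2.44", 6697,
     "PRIVMSG #linux :anyone tried the new kernel?\r\n"),
]

# Any IRC client registration or channel traffic at the start of a payload.
IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG)\b", re.MULTILINE)
# Nick of the form [TAG|TAG]-digits or TAG-digits: an assumed bot naming convention, not from the advisory.
BOT_NICK = re.compile(r"^NICK\s+\[?[A-Za-z]{2,}(\|[A-Za-z0-9]+)?\]?-\d{2,}", re.MULTILINE)
# Channel message whose body starts with a command prefix; the command words are assumed for the example.
BOT_COMMAND = re.compile(r"^PRIVMSG\s+\S+\s+:[.!](scan|ddos|download|update|login)\b", re.MULTILINE)
# Ports where a human IRC session is expected; anything else earns an extra indicator.
IRC_PORTS = {6667, 6697}

def classify_host(records):
    """Map each source host with IRC traffic to a sorted list of indicator names."""
    indicators = defaultdict(set)
    for src, dst, port, payload in records:
        if not IRC_CMD.search(payload):
            continue
        indicators[src].add("irc-protocol")
        if port not in IRC_PORTS:
            indicators[src].add("irc-nonstandard-port")
        if BOT_NICK.search(payload):
            indicators[src].add("bot-style-nick")
        if BOT_COMMAND.search(payload):
            indicators[src].add("bot-command")
    return {host: sorted(names) for host, names in indicators.items()}

def suspicious_hosts(records):
    """Hosts that speak IRC and show at least one bot-specific indicator."""
    return sorted(host for host, names in classify_host(records).items()
                  if any(n != "irc-protocol" for n in names))

if __name__ == "__main__":
    for host, names in classify_host(SAMPLE_CONNECTIONS).items():
        print(host, ", ".join(names))
    print("suspicious:", suspicious_hosts(SAMPLE_CONNECTIONS))
```

The IRC protocol match alone is deliberately not an alert: a person on an IRC client produces the same NICK/USER/JOIN exchange. What separates the bot in the sample is the generated nick and the command-prefixed channel message, and a real deployment would replace those assumed patterns with the nick and command conventions observed in the family being tracked.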

Troj/Iefeat-AA

Troj/Iefeat-AB

Troj/RaHack-A

W32/Poebot-A

Aliases Backdoor.Win32.PoeBot.a

Type Worm

W32/Poebot-A is a network worm with backdoor Trojan functionality for the Windows platform.
The worm spreads through network shares protected by weak passwords.
The backdoor component joins a predetermined IRC channel and awaits further commands from a remote user.

http://www.sophos.com/virusinfo/analyses/w32poebota.html

W32/Tirbot-B

Type Worm

W32/Tirbot-B is a network worm with backdoor Trojan functionality for the Windows platform.
The worm spreads to network computers vulnerable to the LSASS vulnerability (MS04-011) and through network shares protected by weak passwords.
The backdoor component joins a predetermined IRC channel and awaits further commands from remote users. The backdoor component can then be instructed to perform various functions.

http://www.sophos.com/virusinfo/analyses/w32tirbotb.html

W32/Rbot-BBD

Type Worm

W32/Rbot-BBD is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Rbot-BBD spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-BBD can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-BBD can be instructed by a remote user to perform various functions.

http://www.sophos.com/virusinfo/analyses/w32rbotbbd.html

Troj/Banker-BA

Troj/Dloader-IA

Type Trojan

Troj/Dloader-IA is a downloader Trojan for the Windows platform.
The Trojan creates two files in the user's temp folder, order.txt and update.exe. Troj/Dloader-IA displays the contents of order.txt, which is a fake order acknowledgement for a tablet PC.
Update.exe attempts to download a file to the user's temp folder as Temp48.exe. At the time of writing the downloaded file contains Troj/Banker-BA.

http://www.sophos.com/virusinfo/analyses/trojdloaderia.html

W32/Kipis-I

Aliases Email-Worm.Win32.Kipis.k

Type Worm

W32/Kipis-I is an email worm for the Windows platform.
The worm harvests email addresses from files with the following file extensions:
ADB
DBX
DOC
EML
HTM
HTML
TBB
TXT
UIN
XLS
XML
The email sent by W32/Kipis-I has the following properties:
Subjects:
Valentine's day
Present
your
Happy day
Happy Valentine's day
your love
here
hi
you my love..
Re: My porno
Message texts:
With the coming Valentine's day! I very much love you. Please see
my flash present.
I congratulate on the coming Valentine's day! My gift to you.
love you! Happy,congratulate!"
Thank you!!!
----Original Message----
From: <random address>
To: <random address>
Sent: <time/date>
Subject: My porno
Attached file:
your present
present
flash love
love
Valentine
porn
porno_03
Joke
nude
My nude_04
Attachment extension:
.scr
.exe
From:
<current user>
adam
alex
anna
brenda
dana
dave
linda
liza
maria
mary
mike
rosa
sandra
stan
stiv
Note: The "from" field consists of one of the above names and "@<domain names found when harvesting email addresses>"
W32/Kipis-I will not send emails to addresses which contain any of the following strings:
.edu
.gov
abuse
accoun
antivir
bitdefen
borlan
bugs
cafee
contact
drweb
e-trust-
f-prot
foo.
help
icrosoft
info
iruslis
kaspersky
klamav
listserv
mailer
messagelab
news
newviru
nod32
nodomai
norman
panda
podpiska
privacy
rar
rating
register
ripe.
sales
secur
sendmail
service
soft
software.
sopho
support
sybari
symante
virus
webmaster
winrar
winzip
W32/Kipis-I also opens a backdoor to download remote files.

http://www.sophos.com/virusinfo/analyses/w32kipisi.html
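
The subject, sender, attachment-name and attachment-extension lists above are usable as mail-filter indicators. What follows is an added example, not code from the Sophos analysis or from the worm; it parses an RFC 822 message with Python's standard `email` module and reports which of the quoted indicators it carries. The two sample messages are constructed for the example, and the decision rule (an executable attachment plus at least one other indicator) is an assumption about how a filter should combine them, not something the advisory states.

```python
import os
import re
from email import message_from_string

# Indicators copied from the Sophos W32/Kipis-I description above, lower-cased for comparison.
KIPIS_SUBJECTS = {
    "valentine's day", "present", "your", "happy day", "happy valentine's day",
    "your love", "here", "hi", "you my love..", "re: my porno",
}
KIPIS_ATTACHMENT_STEMS = {
    "your present", "present", "flash love", "love", "valentine",
    "porn", "porno_03", "joke", "nude", "my nude_04",
}
KIPIS_ATTACHMENT_EXTS = {".scr", ".exe"}
# The "<current user>" sender cannot be listed here; only the fixed names are checked.
KIPIS_SENDER_NAMES = {
    "adam", "alex", "anna", "brenda", "dana", "dave", "linda", "liza",
    "maria", "mary", "mike", "rosa", "sandra", "stan", "stiv",
}

def attachment_names(msg):
    """Yield the filename of every MIME part that carries one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name

def kipis_indicators(raw):
    """Return the Kipis-I indicators present in one RFC 822 message, in the order found."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in KIPIS_SUBJECTS:
        hits.append("subject")
    # Local part of the From address; the worm pairs a fixed name with a harvested domain.
    local = re.search(r"([^<\s@]+)@", msg.get("From") or "")
    if local and local.group(1).lower() in KIPIS_SENDER_NAMES:
        hits.append("sender-name")
    for name in attachment_names(msg):
        stem, ext = os.path.splitext(name)
        if ext.lower() in KIPIS_ATTACHMENT_EXTS:
            hits.append("executable-attachment")
            if stem.lower() in KIPIS_ATTACHMENT_STEMS:
                hits.append("attachment-name")
    return hits

def is_kipis_candidate(raw):
    """Assumed decision rule: an executable attachment plus at least one other indicator."""
    hits = set(kipis_indicators(raw))
    return "executable-attachment" in hits and len(hits - {"executable-attachment"}) >= 1

# Constructed sample messages (not real captures).
SAMPLE_WORM = (
    "From: anna@example.org\r\n"
    "To: bob@example.net\r\n"
    "Subject: Happy Valentine's day\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "I congratulate on the coming Valentine's day! My gift to you.\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="present.scr"\r\n'
    'Content-Disposition: attachment; filename="present.scr"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "TVqQAAMAAAAEAAAA//8AAA==\r\n"
    "--b1--\r\n"
)
SAMPLE_BENIGN = (
    "From: Dave Jones <dave@example.org>\r\n"
    "To: bob@example.net\r\n"
    "Subject: Q1 figures\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b2"\r\n'
    "\r\n"
    "--b2\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Attached as discussed.\r\n"
    "--b2\r\n"
    'Content-Type: application/pdf; name="q1.pdf"\r\n'
    'Content-Disposition: attachment; filename="q1.pdf"\r\n'
    "\r\n"
    "JVBERi0xLjQK\r\n"
    "--b2--\r\n"
)

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, kipis_indicators(raw), is_kipis_candidate(raw))
```

The benign sample is there to show why the sender-name list must not be used on its own: "dave" is one of the worm's fixed names but is also a common real one. Note also the exclusion list above: the worm does not mail addresses containing strings such as abuse, secur, support or virus, so an abuse or security mailbox will not collect samples, and a filter like this has to sit on the path to ordinary user mailboxes.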

Troj/Hector-A

Troj/Psyme-BL

Troj/Rider-N

Troj/Iefeat-AC

W32/Rbot-WD

Aliases Backdoor.Win32.SdBot.lt; W32/Sdbot.worm.gen.y

Type Worm

W32/Rbot-WD is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-WD is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command. The worm can also spread by exploiting a number of software vulnerabilities.

http://www.sophos.com/virusinfo/analyses/w32rbotwd.html

XM97/Cedric-A

W32/Sdbot-VG

Aliases Backdoor.Win32.Rbot.gen; W32/Sdbot.worm.gen.t; WORM_SPYBOT.MAR

Type Worm

W32/Sdbot-VG is a network worm with backdoor functionality for the Windows platform.
W32/Sdbot-VG connects to an IRC channel and runs in the background waiting for commands from a remote attacker.
W32/Sdbot-VG may spread to remote network shares with weak passwords.
W32/Sdbot-VG contains backdoor functionality to download updates, steal system information and open an FTP or TFTP server.
W32/Sdbot-VG drops a file which is detected as Troj/NtRootK-F.

http://www.sophos.com/virusinfo/analyses/w32sdbotvg.html

Troj/Swizzor-CO