General discussion

VIRUS ALERTS - February 18, 2005

W32/Assiral-A

Type Worm

W32/Assiral-A is a mass mailing worm which attempts to spread itself by sending emails with the following characteristics to addresses found in the victim's address book:
Subject: Re: LOV YA!
Body: Kindly read and reply to my LOVE LETTER in the attachments Happy
Attachment: LOVE_LETTER.TXT.exe
W32/Assiral-A will attempt to copy itself to floppy drives and network shares.
On opening the attachment, W32/Assiral-A will open a web page through Internet Explorer at geocities.com. W32/Assiral-A will attempt to modify Internet Explorer's homepage to the same page.
It will also attempt to kill off various security related applications and disable various capabilities of Windows.

http://www.sophos.com/virusinfo/analyses/w32assirala.html

W32/Rbot-WE

W32/Sdbot-VI

Aliases W32/Gaobot.worm.gen.t
W32/Agobot.CRI

Type Worm

W32/Sdbot-VI is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.
W32/Sdbot-VI will try to spread to network shares with weak passwords.


http://www.sophos.com/virusinfo/analyses/w32sdbotvi.html

W32/MyDoom-AS

Aliases W32/Mydoom.ba@MM

Type Worm

W32/MyDoom-AS is a mass-mailing and peer-to-peer worm which emails itself as an attachment to addresses found on the infected computer.
When run, W32/MyDoom-AS will launch Notepad with garbage which serves as a decoy.
W32/MyDoom-AS may also create a file hserv.sys in the Windows system folder. This file is non-malicious and can be safely deleted.

http://www.sophos.com/virusinfo/analyses/w32mydoomas.html

Troj/Keylog-AD

W32/Poebot-H

Aliases Backdoor.Win32.PoeBot.a

Type Worm

W32/Poebot-H is a worm which attempts to spread to remote network shares with weak passwords. It also contains backdoor functionality allowing unauthorised remote access to the infected computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32poeboth.html

Troj/LdPinch-AN

Aliases TROJ_LDPINCH.AM

Type Trojan

Troj/LdPinch-AN is a Trojan for the Windows platform.
The Trojan steals information and opens multiple points of entry for remote attackers. The Trojan sends information gathered to remote users via HTTP POST/GET sessions.
Troj/LdPinch-AN steals information including the following:
login/password details for certain chat applications
email usernames, passwords and connection details
dialup connection information
Troj/LdPinch-AN can also be instructed to download/execute arbitrary files.

http://www.sophos.com/virusinfo/analyses/trojldpinchan.html

Troj/Iyus-M

Troj/Dropper-U

Troj/Bdoor-EP

W32/Nodmin-A

Aliases Worm.Win32.VB.u

Type Worm

W32/Nodmin-A is a worm which spreads via email, peer-to-peer applications and IRC.
W32/Nodmin-A will also attempt to spread via email through Microsoft Outlook Express.
W32/Nodmin-A will copy itself to various peer-to-peer folders. Peer-to-peer applications it copies itself to include:
eDonkey2000
Ares
Emule
Kazaa
Kazaa Lite
ICQ
W32/Nodmin-A will modify mIRC's script.ini in an attempt to get it to spread via the IRC.
W32/Nodmin-A will also attempt to download and execute a file detected by Sophos as Troj/Bdoor-EP.

http://www.sophos.com/virusinfo/analyses/w32nodmina.html

W32/MyDoom-BC

Aliases Email-Worm.Win32.Mydoom.am
W32/Mydoom.bc@MM

Type Worm

W32/MyDoom-BC is an email worm for the Windows platform.
Email sent by the worm has characteristics similar to the following examples:
Subject line:
hi
error
test
Message could not be delivered
Message body:
Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.
Attached file:
attachment.com
letter.zip
<username>.exe

http://www.sophos.com/virusinfo/analyses/w32mydoombc.html

Troj/Psyme-BM

Aliases Trojan-Downloader.JS.gen

Type Trojan

Troj/Psyme-BM contains functionality to generate webpages which exploit the ADODB stream vulnerability in Microsoft Internet Explorer to silently download executable files from a remote server to the local computer.

http://www.sophos.com/virusinfo/analyses/trojpsymebm.html

W32/Codbot-D

Aliases W32/Sdbot.worm.gen.j

Type Worm

W32/Codbot-D is a network worm with backdoor functionality for the Windows platform.
W32/Codbot-D may spread to remote network shares and computers vulnerable to common exploits, including the LSASS exploit (MS04-011) and the RPC-DCOM exploit (MS04-012).
W32/Codbot-D connects to a preconfigured IRC server when an internet connection is available and awaits instructions from a remote attacker. The worm can be commanded to sniff network traffic, download further code, send itself to random IP addresses, start an FTP server and steal passwords and system information.

http://www.sophos.com/virusinfo/analyses/w32codbotd.html

VBS/Roor-A

Aliases Virus.VBS.Redlof.k

Type Virus

VBS/Roor-A is a virus that may infect HTML or text files.
VBS/Roor-A infects files with file extension HTM, HTML or HTT in the folder in which it is run.
VBS/Roor-A creates dropper files for the virus with the names DESKTOP.INI and FOLDER.HTT in the current folder, the Windows folder, the Windows system folder, the Windows Desktop and the subfolder WEB of the Windows folder. Dropper files may also be created in the root folders of any other drives.
On the 26th of September, the virus may attempt to shut down Windows.

http://www.sophos.com/virusinfo/analyses/vbsroora.html

W32/Codbot-E

Aliases Backdoor.Win32.Codbot.i

Type Worm

W32/Codbot-E is a network worm with backdoor functionality for the Windows platform.
W32/Codbot-E may spread to remote network shares and computers vulnerable to common exploits, including the LSASS exploit (MS04-011) and the RPC-DCOM exploit (MS04-012).
W32/Codbot-E connects to a preconfigured IRC server when an internet connection is available and awaits instructions from a remote attacker. The worm can be commanded to sniff network traffic, download further code, send itself to random IP addresses, start an FTP server and steal passwords and system information.

http://www.sophos.com/virusinfo/analyses/w32codbote.html

W32/Sdbot-VJ

Aliases Backdoor.Win32.Rbot.gen
W32/Sdbot.worm.gen.g

Type Worm

W32/Sdbot-VJ is a network worm with backdoor functionality for the Windows platform.
W32/Sdbot-VJ connects to an IRC channel and listens for backdoor commands from a remote attacker. The worm may also spread to remote network shares with weak passwords.
The backdoor functionality of the worm includes the ability to run an FTP or TFTP server, download updates or steal system information.

http://www.sophos.com/virusinfo/analyses/w32sdbotvj.html

Troj/AdClick-AI

W32/MyDoom-BC

Aliases Email-Worm.Win32.Mydoom.am
W32/Mydoom.bc@MM
W32/Mydoom.db@MM
Worm.Mydoom.M-2

Type Worm

W32/MyDoom-BC is an email worm for the Windows platform.
Email sent by the worm has characteristics similar to the following examples:
Subject line:
hi
error
test
Message could not be delivered
Message body:
Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.
Attached file:
attachment.com
letter.zip
<username>.exe

http://www.sophos.com/virusinfo/analyses/w32mydoombc.html

Troj/Surila-P

Aliases Backdoor.Win32.Surila.o
W32/Mydoom.AZ@bd
W32/Mydoom.AY@bd
BackDoor-CEB.f
BackDoor-CEB.b
BKDR_SURILA.O
Trojan.Surila.O
Trojan.Surila.O-2

Type Trojan

Troj/Surila-P is a backdoor Trojan.
The Trojan allows a remote attacker to control the infected computer.

http://www.sophos.com/virusinfo/analyses/trojsurilap.html
