VIRUS ALERTS - February 20, 2005

Aliases Email-Worm.Win32.Mydoom.am
W32/Mydoom.bc@MM
W32/Mydoom.db@MM
Worm.Mydoom.M-2

Type Worm

W32/MyDoom-BC is an email worm for the Windows platform.
Email sent by the worm has characteristics similar to the following examples:
Subject line:
hi
error
test
Message could not be delivered
Message body:
Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.
Attached file:
attachment.com
letter.zip
<username>.exe

http://www.sophos.com/virusinfo/analyses/w32mydoombc.html
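As an added example on the detection side (not part of the alert or of Sophos's analysis), the Python check below tests a raw RFC 822 message against the subject, body and attachment characteristics listed above and flags it only when two or more of them line up. It assumes that "<username>.exe" means the recipient's mailbox name with an .exe extension, and the sample message it runs on is constructed.

```python
import email
import email.utils

# Indicators transcribed from the alert text; lower-cased for matching.
SUBJECTS = {"hi", "error", "test", "message could not be delivered"}
BODY_MARKERS = ("trojan proxy server", "instructions in the attachment")
FIXED_ATTACHMENTS = {"attachment.com", "letter.zip"}


def _text_body(msg) -> str:
    """Join every inline text/plain part, lower-cased, for marker matching."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            chunks.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(chunks).lower()


def mydoom_bc_indicators(raw: str) -> list[str]:
    """Return which of the alert's lures (subject, body, attachment) match one message."""
    msg = email.message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    if any(marker in _text_body(msg) for marker in BODY_MARKERS):
        hits.append("body")
    # Assumption: "<username>.exe" means the recipient's mailbox name plus .exe.
    recipient = email.utils.parseaddr(msg.get("To", ""))[1].split("@")[0].lower()
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in FIXED_ATTACHMENTS or (recipient and name == f"{recipient}.exe"):
            hits.append(f"attachment:{name}")
    return hits


def is_suspect(raw: str) -> bool:
    """Flag only when at least two independent lures line up, to limit false positives."""
    return len(mydoom_bc_indicators(raw)) >= 2


# Constructed sample message whose subject, body and attachment mirror the alert.
SAMPLE = (
    "From: postmaster@example.test\nTo: alice@example.test\nSubject: error\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\n"
    "We suspect that your computer had been compromised by a recent virus and now\n"
    "runs a trojan proxy server.\n"
    '--b1\nContent-Type: application/octet-stream; name="alice.exe"\n'
    'Content-Disposition: attachment; filename="alice.exe"\n\nMZ\n--b1--\n'
)
```

A single matching subject such as "test" is not enough on its own, which keeps ordinary mail from being flagged.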

Comments
Troj/Psyme-BM

Aliases Trojan-Downloader.JS.gen

Type Trojan

Troj/Psyme-BM contains functionality to generate webpages which exploit the ADODB stream vulnerability in Microsoft Internet Explorer to silently download executable files from a remote server to the local computer.

http://www.sophos.com/virusinfo/analyses/trojpsymebm.html

W32/Codbot-D

Aliases W32/Sdbot.worm.gen.j

Type Worm

W32/Codbot-D is a network worm with backdoor functionality for the Windows platform.
W32/Codbot-D may spread to remote network shares and computers vulnerable to common exploits, including the LSASS exploit (MS04-011) and the RPC-DCOM exploit (MS04-012).
W32/Codbot-D connects to a preconfigured IRC server when an internet connection is available and awaits instructions from a remote attacker. The worm can be commanded to sniff network traffic, download further code, send itself to random IP addresses, start an FTP server and steal passwords and system information.

http://www.sophos.com/virusinfo/analyses/w32codbotd.html

VBS/Roor-A

Aliases Virus.VBS.Redlof.k

Type Virus

VBS/Roor-A is a virus that may infect HTML or text files.
VBS/Roor-A infects files with file extension HTM, HTML or HTT in the folder in which it is run.
VBS/Roor-A creates dropper files for the virus with the names DESKTOP.INI and FOLDER.HTT in the current folder, the Windows folder, the Windows system folder, the Windows Desktop and the subfolder WEB of the Windows folder. Dropper files may also be created in the root folders of any other drives.
On the 26th of September, the virus may attempt to shut down Windows.

http://www.sophos.com/virusinfo/analyses/vbsroora.html

W32/Codbot-E

Aliases Backdoor.Win32.Codbot.i

Type Worm

W32/Codbot-E is a network worm with backdoor functionality for the Windows platform.
W32/Codbot-E may spread to remote network shares and computers vulnerable to common exploits, including the LSASS exploit (MS04-011) and the RPC-DCOM exploit (MS04-012).
W32/Codbot-E connects to a preconfigured IRC server when an internet connection is available and awaits instructions from a remote attacker. The worm can be commanded to sniff network traffic, download further code, send itself to random IP addresses, start an FTP server and steal passwords and system information.

http://www.sophos.com/virusinfo/analyses/w32codbote.html

W32/Sdbot-VJ

Aliases Backdoor.Win32.Rbot.gen
W32/Sdbot.worm.gen.g

Type Worm

W32/Sdbot-VJ is a network worm with backdoor functionality for the Windows platform.
W32/Sdbot-VJ connects to an IRC channel and listens for backdoor commands from a remote attacker. The worm may also spread to remote network shares with weak passwords.
The backdoor functionality of the worm includes the ability to run an FTP or TFTP server, download updates or steal system information.

http://www.sophos.com/virusinfo/analyses/w32sdbotvj.html

Troj/AdClick-AI

Troj/Surila-P

Aliases Backdoor.Win32.Surila.o
W32/Mydoom.AZ@bd
W32/Mydoom.AY@bd
BackDoor-CEB.f
BackDoor-CEB.b
BKDR_SURILA.O
Trojan.Surila.O
Trojan.Surila.O-2

Type Trojan

Troj/Surila-P is a backdoor Trojan.
The Trojan allows a remote attacker to control the infected computer.

http://www.sophos.com/virusinfo/analyses/trojsurilap.html

W32/Rbot-WF

Type Worm

W32/Rbot-WF is a worm with backdoor Trojan functionality.
W32/Rbot-WF is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command. The worm can also spread by exploiting a number of software vulnerabilities.
W32/Rbot-WF will attempt to terminate a number of anti-virus and security related applications, along with other malware.

http://www.sophos.com/virusinfo/analyses/w32rbotwf.html

W32/Agobot-PX

Aliases BKDR_SDBOT.KU

Type Worm

W32/Agobot-PX is a network worm with a backdoor Trojan component.
W32/Agobot-PX is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command. W32/Agobot-PX can spread to other computers through a number of software vulnerabilities.
W32/Agobot-PX will run in the background and provide backdoor access to remote users over IRC channels.
W32/Agobot-PX will attempt to terminate a number of anti-virus and security-related applications. The worm will also attempt to deny access to a list of anti-virus and security-related websites by modifying the Windows HOSTS file.

http://www.sophos.com/virusinfo/analyses/w32agobotpx.html

Troj/LdPinch-AO

Type Trojan

Troj/LdPinch-AO is a password-stealing and downloader Trojan.
Troj/LdPinch-AO will steal login and user information from a number of applications. The Trojan will then send the data to a remote website.
Troj/LdPinch-AO will attempt to download and run an executable file. Troj/LdPinch-AO may arrive as an attachment to an email that starts with:
Hello
Thank you for your recent order with Amazon.com.
You buy The Satellite 3 R42 Tablet PC.

http://www.sophos.com/virusinfo/analyses/trojldpinchao.html

W32/Inforyou-A

Aliases W32/Inforyou@MM
WORM_INFORYOU.A
Email-Worm.Win32.Padowor.a

Type Worm

W32/Inforyou-A is an email worm for the Windows platform.
W32/Inforyou-A will arrive as an email that will invite the recipient to look at an attachment. The attachment will be a password-protected ZIP file, with the password given in the body of the email. The theme of the email will be one of the following:
"Fraudulent activity was detected by security" and an account was frozen.
"Interesting" information has been uncovered about "budget usage."
A "new version of credit" software has been released.
The attachment relates to material of "a naked kind."
The attachment relates to "art" which the sender has found on a computer.
The ZIP file will contain a file with a random name and an extension of SRC, PIF or EXE.
W32/Inforyou-A will attempt to terminate anti-virus software.

http://www.sophos.com/virusinfo/analyses/w32inforyoua.html

Troj/Ablank-A

Type Trojan

Troj/Ablank-A is a browser hijacking Trojan.
Troj/Ablank-A changes settings for Internet Explorer and intercepts attempts to view the home page, instead showing a file dropped by the Trojan.
The Troj/Ablank-A Trojan provides an uninstallation option via the Add or Remove Programs dialog in the Windows Control Panel. The attempt to uninstall the Trojan through Control Panel in our testing environment has failed.
Troj/Ablank-A drops a file se.dll. The dropped file is detected by Sophos Anti-Virus as Troj/AdClick-AI.

http://www.sophos.com/virusinfo/analyses/trojablanka.html

Troj/Ablank-B

W32/Jupir-A
