VIRUS ALERTS - February 21, 2005

W32/Rbot-WG

Troj/Banker-BB

Aliases: Trojan-Spy.Win32.Banbra.q, Trojan-Spy.Win32.Banker.ju

Type: Trojan

Troj/Banker-BB is a member of the Bancban family of Trojans that attempts to steal confidential information when a user visits predefined banking-related websites.
Troj/Banker-BB monitors URLs entered into Internet Explorer. When certain websites are visited, the Trojan may display a fake user interface in order to trick the user into entering confidential details. Stolen information is sent by email to a remote user.

http://www.sophos.com/virusinfo/analyses/trojbankerbb.html

W32/Derdero-A

Type: Worm

W32/Derdero-A is a virus that spreads via email and common file sharing networks. The virus also attempts to infect all files with an .EXE extension on drive C:
When the worm runs for the first time it displays the message box with the text "Runtime error '4': String out of bounds".
W32/Derdero-A changes the Windows HOSTS file so that the user cannot access a number of anti-virus related sites.

http://www.sophos.com/virusinfo/analyses/w32derderoa.html

W32/Rbot-TY

Type: Worm

W32/Rbot-TY is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-TY spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers and exploiting operating system vulnerabilities (including DCOM-RPC and LSASS).
Patches for the operating system vulnerabilities exploited by W32/Rbot-TY can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotty.html

Troj/Sniffer-H

Aliases: Backdoor.Win32.Delf.vu, BackDoor-CNS

Type: Trojan

Troj/Sniffer-H is a Trojan that has the ability to sniff network packets.
The Trojan may be used to capture the local network traffic on the infected computer and to report the captured traffic to a remote location.

http://www.sophos.com/virusinfo/analyses/trojsnifferh.html

Troj/PWS-CE

Troj/Tofger-AI

Troj/Multidr-CF

Troj/Dropper-AA

W32/Ahker-C
W32/Ahker-C

Aliases: Email-Worm.Win32.Anker.c, WORM_AHKER.C

Type: Worm

W32/Ahker-C is a mass-mailing worm which spreads by sending a copy of itself to addresses found in the Outlook address book.
W32/Ahker-C downloads a ZIP archive copy of itself to C:\ParisXXX.zip and sends it in an email which arrives with the following characteristics:
Subject line: Paris Hilton...download it!
Message body:
Hey man..Download it...I never saw paris gettin' ****** this way!
Ohhhh man! you better watch the first 23 mins of this clip!
Attached file: ParisXXX.zip
W32/Ahker-C will also attempt to initiate a system reboot every few minutes.

http://www.sophos.com/virusinfo/analyses/w32ahkerc.html

Troj/Borobot-N

W32/Sober-K

Aliases: Email-Worm.VBS.Sober.k, W32/Sober.M@mm, WORM_SOBER.GEN

Type: Worm

W32/Sober-K is a mass-mailing worm which sends itself to addresses harvested from the infected computer.
When first run, W32/Sober-K will open Notepad and display a body of text that starts:
Text#674327:
------------
--------------------- %WinZip CodeText Modul% is missing ------------------
W32/Sober-K will arrive by email as a ZIP attachment containing an executable file with a double extension. For example, doc_data-text.txt<SPACES>.pif
Subject lines include the following:
You visit illegal websites
Ihr Passwort wurde geaendert
Message body texts include the following:
Dear Sir/Madam,
we have logged your IP-address on more than 40 illegal Websites.
Important: Please answer our questions!
The list of questions are attached.
Yours faithfully,
M. John Stellford
--
## Diese E-Mail wurde automatisch generiert
## Aus Gruenden der Sicherheit, bekommen Sie diese E-Mail
## wenn Ihr aktuelles Benutzer- Passwort veraendert wurde
Ihr neues Passwort und weiter Informationen befinden sich im beigefuegten Dokument.

http://www.sophos.com/virusinfo/analyses/w32soberk.html
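
A mail-gateway style check for the attachment trick described in the W32/Sober-K alert above (a ZIP holding a file whose real extension is hidden behind a decoy extension and a run of spaces), as an added example that is not part of the original post or the Sophos analysis. The extension lists, the padding threshold and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed list (not from the post): extensions Windows runs on double-click.
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs"}
# Assumed list: decoy extensions that make a name look like a harmless document.
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "zip", "htm", "html", "rtf", "xls"}
PAD_THRESHOLD = 3  # assumed: this many spaces before the last dot counts as padding


def classify_name(name):
    """Return the reasons a member file name looks disguised (empty list if none)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot or ext.strip().lower() not in EXECUTABLE_EXTS:
        return []
    reasons = []
    # Padding pushes the real extension out of view in narrow file listings.
    if len(stem) - len(stem.rstrip()) >= PAD_THRESHOLD:
        reasons.append("padded-extension")
    inner = stem.rstrip().rpartition(".")[2].lower()
    if "." in stem.rstrip() and inner in DECOY_EXTS:
        reasons.append("double-extension")
    return reasons


def scan_zip(data):
    """Map each suspicious member of a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample: harmless text stored under names shaped like the alert's example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc_data-text.txt" + " " * 40 + ".pif", "placeholder")
        zf.writestr("readme.txt", "placeholder")
        zf.writestr("setup.exe", "placeholder")  # plain executable: not disguised
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample_zip()))
```

The check only flags disguised names; a plain `setup.exe` inside an archive is left to whatever executable-attachment policy the gateway already applies.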

W32/MyDoom-BE

Type: Worm

W32/MyDoom-BE is an email worm for the Windows platform.
W32/MyDoom-BE spreads by sending itself as an attachment to email addresses harvested from the infected computer as well as internet search engines.
W32/MyDoom-BE also drops a backdoor component named services.exe. This file is detected by Sophos as W32/MyDoom-O.

http://www.sophos.com/virusinfo/analyses/w32mydoombe.html

W32/Kwbot-J

Type: Worm

W32/Kwbot-J is a network worm and IRC backdoor for the Windows platform.
W32/Kwbot-J spreads to shared drives and network shares protected by weak passwords.
W32/Kwbot-J also attempts to download and execute a file from a remote website.

http://www.sophos.com/virusinfo/analyses/w32kwbotj.html

W32/Kwbot-I

Type: Worm

W32/Kwbot-I is a network worm and IRC backdoor for the Windows platform.
W32/Kwbot-I spreads to shared drives and network shares protected by weak passwords.
W32/Kwbot-I also attempts to download and execute a file from a remote website. The downloaded file is detected by Sophos as W32/Kwbot-J.

http://www.sophos.com/virusinfo/analyses/w32kwboti.html

Troj/Ablank-C

Aliases: Trojan.Win32.StartPage.ix, StartPage-DU.dll.dr

Type: Trojan

Troj/Ablank-C is a browser hijacking Trojan.
Troj/Ablank-C changes settings for Internet Explorer and intercepts attempts to view the home page, instead showing a file dropped by the Trojan.

http://www.sophos.com/virusinfo/analyses/trojablankc.html

Troj/StartPa-EW

Troj/Msnflood-D

Troj/Delf-KI

Troj/Zins-B

Aliases: BackDoor-AWV

Type: Trojan

Troj/Zins-B is a configurable backdoor Trojan for the Windows platform with keylogging and password-stealing functionality, particularly related to some online banks, that runs in the background in stealth mode under Windows NT-based operating systems.

http://www.sophos.com/virusinfo/analyses/trojzinsb.html

Troj/Banker-BC

Aliases: Trojan-Spy.Win32.Banker.ka, W32/Pate.b

Type: Trojan

Troj/Banker-BC is a password stealing Trojan targeted at customers of Brazilian online banks.
Troj/Banker-BC will monitor a user's internet access. When certain internet banking sites are visited, the Trojan will display a fake login screen in order to trick the user into inputting their details.
Troj/Banker-BC will then send the stolen details to a Brazilian email address.
Troj/Banker-BC also drops a copy of the W32/Parite-B virus onto the computer.

http://www.sophos.com/virusinfo/analyses/trojbankerbc.html

W32/Rbot-KLB

Type: Worm

W32/Rbot-KLB is a worm with backdoor Trojan functionality.
W32/Rbot-KLB is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command. The worm can also spread by exploiting a number of software vulnerabilities.

http://www.sophos.com/virusinfo/analyses/w32rbotklb.html

W32/Small-DH