Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - February 23, 2005

by Marianna Schmudlach / February 23, 2005 12:47 AM PST
W32/Rbot-WK
by Marianna Schmudlach / February 23, 2005 12:49 AM PST

Type Worm

W32/Rbot-WK is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Rbot-WK spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS and UPNP) and using backdoors opened by other worms or Trojans.
Patches for the operating system vulnerabilities exploited by W32/Rbot-WK can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotwk.html

Troj/Dloader-IC
by Marianna Schmudlach / February 23, 2005 12:50 AM PST
Troj/Proxy-J
by Marianna Schmudlach / February 23, 2005 12:52 AM PST
Troj/Hogil-B
by Marianna Schmudlach / February 23, 2005 12:54 AM PST
W32/Forbot-EH
by Marianna Schmudlach / February 23, 2005 12:56 AM PST

Aliases WORM_AGOBOT.AMY

Type Worm

W32/Forbot-EH is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32forboteh.html

Troj/Riler-E
by Marianna Schmudlach / February 23, 2005 12:58 AM PST

Aliases BackDoor-BCB

Type Trojan

Troj/Riler-E is a backdoor Trojan.
Troj/Riler-E spies on network traffic on the infected computer. The Trojan will relay certain types of network traffic to a remote site.
Troj/Riler-E has a backdoor component that will connect to a remote site and await backdoor commands.
Troj/Riler-E may arrive by email as a CHM file with the following subject line:
China: Remembering the victims of police brutality in Gulja, Xinjiang on 5-6 Feb

http://www.sophos.com/virusinfo/analyses/trojrilere.html

Troj/Small-DI
by Marianna Schmudlach / February 23, 2005 1:00 AM PST
W32/Sdranck-A
by Marianna Schmudlach / February 23, 2005 2:24 AM PST

Aliases Trojan-Proxy.Win32.Ranky.bc
INFECTED
W32/Sdbot.worm.gen

Type Worm

W32/Sdranck-A is a multi-component network worm that uses a member of the W32/Sdbot family to spread. W32/Sdranck-A also drops a member of the Troj/Ranck family of proxy Trojans.

http://www.sophos.com/virusinfo/analyses/w32sdrancka.html

Troj/Ranck-CN
by Marianna Schmudlach / February 23, 2005 2:26 AM PST
W32/Ahker-E
by Marianna Schmudlach / February 23, 2005 2:28 AM PST

Aliases WORM_AHKER.E
Email-Worm.Win32.Anker.e

Type Worm

W32/Ahker-E is a mass-mailing and P2P worm.
W32/Ahker-E will arrive as a ZIP attachment to an email. For example,
Attachment name: "Removal Tool.zip"
Subject: World's most dangerous Internet Worm!
From: security@microsoft.com
Body:
We have been informed that you are one of the victims of the latest worm: Ahker, the E variant.
You're computer is infected with this worm!
Ahker.E uses FULL STEALTH METHOD to fool the user and the system!
Ahker.E infects the system without the knowledge of the user which is bad!
Microsoft suggests you to download the removal tool for this threat located in the attachment.
This tool will scan your system in order to find the worm then removes it.
Please hurry before the worm mutates!
Good luck!
Microsoft (c) 2004-2005
W32/Ahker-E will attempt to terminate a number of anti-virus and security-related processes. The worm will also attempt to deny access to certain anti-virus websites.
W32/Ahker-E will attempt to disable or compromise a number of Windows security features, such as Windows Firewall and Windows Auto-update.
Periodically, W32/Ahker-E will attempt to shut down the computer.

http://www.sophos.com/virusinfo/analyses/w32ahkere.html

W32.Gaobot.DBP.Worm is killing my system Please Help
by akang / March 29, 2005 6:57 PM PST
In reply to: W32/Ahker-E

I have just been hit by W32.Gaobot.DBP.worm.
Kindly advise me on where to get the removal tool.
Thank you

akang
by roddy32 / March 29, 2005 7:56 PM PST

You should start your own thread for this. This is going to get lost in this older thread that has nothing to do with your problem. You should also supply some more info as to how you found out that you have this, your operating system, etc. There are many versions of the one that you think you have but I can't find anything on the version "DBP". Symantec has a removal tool for many of them but whether it will work on yours, I have no idea because it's not on the list. Please make sure you read the entire page to see if it pertains to you.
http://www.symantec.com/avcenter/venc/data/w32.gaobot.removal.tool.html

Troj/Ranck-CM
by Marianna Schmudlach / February 23, 2005 2:30 AM PST

Aliases Trojan-Proxy.Win32.Ranky.bc

Type Trojan

Troj/Ranck-CM is a proxy Trojan that allows a remote attacker to route internet traffic through the infected computer while running continuously in the background.
Troj/Ranck-CM sends information to a number of websites, alerting them to the fact that the computer is infected by the Trojan.


http://www.sophos.com/virusinfo/analyses/trojranckcm.html

Troj/Mdrop-AF
by Marianna Schmudlach / February 23, 2005 2:32 AM PST

Type Trojan

Troj/Mdrop-AF is a dropper Trojan for the Windows platform.
Troj/Mdrop-AF creates two files named "iwejalewu.exe" which is detected by Sophos as W32/Sdbot-Fam and "asezavyj.exe" which is detected by Sophos as Troj/Ranck-CM.

http://www.sophos.com/virusinfo/analyses/trojmdropaf.html

Troj/Delf-KJ
by Marianna Schmudlach / February 23, 2005 2:33 AM PST
Troj/Bancos-BC
by Marianna Schmudlach / February 23, 2005 2:35 AM PST

Type Trojan

Troj/Bancos-BC is a password stealing Trojan for the Windows platform that targets customers of Brazilian banks.
Troj/Bancos-BC monitors a user's internet access, and when certain internet banking sites are visited, the Trojan will display a fake login screen in order to trick the user into inputting their details.

http://www.sophos.com/virusinfo/analyses/trojbancosbc.html

W32/Bropia-R
by Marianna Schmudlach / February 23, 2005 6:47 AM PST

Aliases W32.Bropia.R
IM-Worm.Win32.Bropia.i

Type Worm

W32/Bropia-R is a worm for the Windows platform.
The worm then displays a comical image as it installs the embedded EXE files.
W32/Bropia-R monitors the status of MSN Messenger and sends a copy of itself to Messenger contacts.

http://www.sophos.com/virusinfo/analyses/w32bropiar.html

W32/Forbot-GL
by Marianna Schmudlach / February 23, 2005 6:50 AM PST

Aliases WORM_WOOTBOT.GL
Backdoor.Win32.Wootbot.ar

Type Worm

W32/Forbot-GL is a network worm with backdoor functionality for the Windows platform.
Once installed, W32/Forbot-GL connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands.
The worm can spread to unpatched machines affected by the LSASS vulnerability (MS04-011) and through backdoors left open by the Troj/Optix Trojans.

http://www.sophos.com/virusinfo/analyses/w32forbotgl.html

W32/Rbot-WN
by Marianna Schmudlach / February 23, 2005 6:52 AM PST

Aliases Backdoor.Win32.Rbot.ja

Type Worm

W32/Rbot-WN is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-WN spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-WN can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-WN can be instructed by a remote user to perform various functions.

http://www.sophos.com/virusinfo/analyses/w32rbotwn.html

Troj/CWS-G
by Marianna Schmudlach / February 23, 2005 6:54 AM PST

Aliases Trojan.Win32.StartPage.up
StartPage-GL

Type Trojan

Troj/CWS-G is a dropper Trojan for the Windows platform.
Troj/CWS-G will drop and register a DLL file named SEHLP.DLL, detected as Troj/CWS-C.
For further information, see Troj/CWS-C.

http://www.sophos.com/virusinfo/analyses/trojcwsg.html

Troj/Dloader-ID
by Marianna Schmudlach / February 23, 2005 6:56 AM PST

Type Trojan

Troj/Dloader-ID is a downloader Trojan for the Windows platform.
Troj/Dloader-ID connects to a preconfigured internet site and attempts to download and run an EXE file. This file is currently detected by Sophos as Troj/Agent-CG. Troj/Dloader-ID will try and close Internet Explorer windows when it is run.

http://www.sophos.com/virusinfo/analyses/trojdloaderid.html

Troj/Agent-CG
by Marianna Schmudlach / February 23, 2005 6:57 AM PST
W32/Rbot-WL
by Marianna Schmudlach / February 23, 2005 6:59 AM PST

Aliases Backdoor.Win32.Rbot.gen

Type Worm

W32/Rbot-WL is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-WL may spread to remote network shares protected by weak passwords and computers vulnerable to common exploits. The worm also opens up a backdoor, allowing unauthorised remote access to infected computers via the IRC network, while running in the background as a service process.
W32/Rbot-WL can receive commands from a remote intruder to:
delete network shares
log keypresses
participate in DDoS attacks
scan other computers for vulnerabilities
steal passwords
steal registration keys for computer games
create administrator accounts
terminate firewall and anti-virus processes
capture video from webcameras attached to the computer

http://www.sophos.com/virusinfo/analyses/w32rbotwl.html

W32/Agobot-QC
by Marianna Schmudlach / February 23, 2005 7:01 AM PST

Aliases Backdoor.Win32.Agobot.gen
W32/Gaobot.worm.gen.d
WORM_AGOBOT.AKK

Type Worm

W32/Agobot-QC is a network worm with backdoor functionality for the Windows platform.
W32/Agobot-QC connects to an IRC channel and listens for backdoor commands from a remote attacker. The worm may also spread to network shares with weak passwords, or by sending itself via IRC.
In response to backdoor commands, W32/Agobot-QC may do any of the following:
Download updates or other malicious code
Participate in denial of service attacks
Reboot or shut down the system, or log off the current user
List, create or kill processes and services
Open a remote command shell
Log keypresses
Act as a proxy server
Sniff packets
Delete network shares
Steal system and registry information
Create registry entries
W32/Agobot-QC may exploit a number of vulnerabilities, including RPC-DCOM (MS04-012) and LSASS (MS04-011).
W32/Agobot-QC may attempt to kill processes of anti-virus or security-related applications.
W32/Agobot-QC may modify the system HOSTS file in order to block access to anti-virus and other websites.

http://www.sophos.com/virusinfo/analyses/w32agobotqc.html
