General discussion

VIRUS ALERTS - February 24, 2005

W32/Agobot-QE
Summary


Type Worm

W32/Agobot-QE is a backdoor Trojan and worm which spreads to computers protected by weak passwords.
Each time the Trojan is run it attempts to connect to a remote IRC server and join a specific channel.
The Trojan then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32agobotqe.html

Discussion is locked

Follow
Reply to: VIRUS ALERTS - February 24, 2005
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: VIRUS ALERTS - February 24, 2005
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Comments
- Collapse -
Troj/Agent-CH

Aliases Trojan-Spy.Win32.Agent.w

Type Trojan

Troj/Agent-CH is a backdoor Trojan for the Windows platform.
Troj/Agent-CH will also create a DLL in the Windows system folder named yemarvdn.dll. This file is currently detected by Sophos as Troj/Iyus-Fam.
Troj/Agent-CH will also modify the HOSTS file in an attempt to block access to a predefined list of Anti-virus vendors.

http://www.sophos.com/virusinfo/analyses/trojagentch.html

- Collapse -
Troj/Bancban-BM

Aliases Trojan-Spy.Win32.Banker.kk
TROJ_BANCOS.MX

Type Trojan

Troj/Bancban-BM is a password stealing Trojan for the Windows platform.
Troj/Bancban-BM monitors which URLs are visited by the web browser and creates fake web pages for certain Brazilian banking sites in order to log account information. The logged information is sent to remote users via email.

http://www.sophos.com/virusinfo/analyses/trojbancbanbm.html

- Collapse -
Troj/Bancos-BD

Type Trojan

Troj/Bancos-BD is a password stealing Trojan for the Windows platform that targets customers of Brazilian banks.
Troj/Bancos-BD monitors a user's internet access. When certain internet banking sites are visited, the Trojan will display a fake login screen in order to trick the user into entering their details and will email the information to a predefined email account.

http://www.sophos.com/virusinfo/analyses/trojbancosbd.html

- Collapse -
Troj/Bancos-BE

Type Trojan

Troj/Bancos-BE is a password stealing Trojan for the Windows platform that targets customers of Brazilian banks.
Troj/Bancos-BE monitors a user's internet access. When certain internet banking sites are visited, the Trojan will display a fake login screen in order to trick the user into entering their details and will email the information to a predefined email account.

http://www.sophos.com/virusinfo/analyses/trojbancosbe.html

- Collapse -
W32/Aimdes-B
- Collapse -
W32/Codbot-Gen

Type Worm

W32/Codbot-Gen detects worms of the W32/Codbot family.
Worms detected as W32/Codbot-Gen provide backdoor Trojan functionality to a remote attacker via IRC channels. Such worms may spread to remote network shares with weak passwords in response to a backdoor command.
W32/Codbot-Gen worms typically attempt to exploit vulnerabilities, such as the LSASS vulnerability (MS04-011).

http://www.sophos.com/virusinfo/analyses/w32codbotgen.html

- Collapse -
Troj/Borobt-Gen
- Collapse -
W32/MyDoom-BD
- Collapse -
W32/MyDoom-BF

Aliases Email-Worm.Win32.Mydoom.am
W32/Mydoom.bf@MM
W32/MyDoom-O
WORM_MYDOOM.BF

Type Worm

W32/MyDoom-BF is an email worm for the Windows platform.
Email sent by the worm has characteristics similar to the following examples:
Subject line:
hi
error
test
Message could not be delivered
Message body:
Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.
Attached file:
attachment.com
letter.zip
<username>.exe

http://www.sophos.com/virusinfo/analyses/w32mydoombf.html

- Collapse -
Troj/Banker-DL

Aliases Trojan-Spy.Win32.Banker.jg
TROJ_BANKER.DL

Type Trojan

Troj/Banker-DL is a Trojan for the Windows platform.
Troj/Banker-DL steals usernames and passwords for banking institutions and sends them via FTP and email to remote users.

http://www.sophos.com/virusinfo/analyses/trojbankerdl.html

- Collapse -
W32/Agobot-QD

Aliases Backdoor.Win32.Agobot.yq

Type Worm

W32/Agobot-QD is a network worm with backdoor functionality for the Windows platform.
W32/Agobot-QD is capable of spreading to computers on the local network protected by weak passwords.
The backdoor component runs continuously in the background providing backdoor access to the computer through IRC channels. The backdoor component can be instructed to perform the following functions:
harvest email addresses
steal product registration information for certain software
take part in Distributed Denial of Service (DDoS) attacks
scan networks for vulnerabilities
download/execute arbitrary files
start a proxy server (SOCKS4/SOCKS5)
start/stop system services
monitor network communications (packet sniffing)
add/remove network shares
send email
log keypresses

http://www.sophos.com/virusinfo/analyses/w32agobotqd.html

- Collapse -
W32/Rbot-AIS
- Collapse -
W32/Rbot-AHG

Aliases WORM_RBOT.AHG
Backdoor.Win32.Rbot.fo

Type Worm

W32/Rbot-AHG is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Rbot-AHG spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

http://www.sophos.com/virusinfo/analyses/w32rbotahg.html

- Collapse -
Troj/Dloader-IE

Aliases Trojan-Downloader.Win32.Delf.ij

Type Trojan

Troj/Dloader-IE is a downloader Trojan for the Windows platform.
Troj/Dloader-IE will download a file from a predefined url. The downloaded file will be in the windows folder as active_url.dll. The downloaded file is a configuration file used to tell the Trojan other files to download. The Trojan will also copy itself to the Windows system folder as msapp.exe.

http://www.sophos.com/virusinfo/analyses/trojdloaderie.html

- Collapse -
Troj/AdClick-AJ
- Collapse -
Troj/Goldun-J

Aliases Trojan-Spy.Win32.Goldun.p;

Type Trojan


Troj/Goldun-J is a password-stealing Trojan.
Troj/Goldun-J monitors outgoing HTTP requests for traffic going to specific internet banking sites. On encountering such a request the Trojan will attempt to extract account details from the returned page and submit these details to the Trojan's author using an HTTP form submission.

http://www.sophos.com/virusinfo/analyses/trojgoldunj.html

- Collapse -
Troj/Agent-DA

Aliases Trojan.Win32.Agent.bh; BackDoor-COK.dr

Type Trojan

Troj/Agent-DA is a Trojan for the Windows platform.
Troj/Agent-DA can be used to steal system information and download files onto the infected computer. When run the Trojan connects to a preconfigured internet site and downloads further instructions.

http://www.sophos.com/virusinfo/analyses/trojagentda.html

- Collapse -
W32/Cuebot-C

Type Worm

W32/Cuebot-C is a network worm with backdoor functionality for the Windows platform, and can spread to remote computers vulnerable to the LSASS exploit (see Microsoft Security Bulletin MS04-011).
The worm contains a backdoor component that connects to a pre-configured IRC channel, giving a remote intruder access to an infected computer.

http://www.sophos.com/virusinfo/analyses/w32cuebotc.html

- Collapse -
Troj/Rider-O

Aliases Exploit.HTML.Mht
Exploit-MhtRedir.gen

Type Trojan

Troj/Rider-O is an HTML-based script which exploits a vulnerability associated with some versions of Microsoft Internet Explorer to load a malicious script (or HTML page containing a malicious script) via the DATA attribute of an OBJECT element.
Troj/Rider-O will attempt to load an HTML file detected as Troj/Psyme-BG. The HTML file will attempt to download and run Troj/Padodor-W.

http://www.sophos.com/virusinfo/analyses/trojridero.html

- Collapse -
Troj/Padodor-W

CNET Forums

Forum Info