VIRUS ALERTS - February 9, 2005

by Marianna Schmudlach / February 9, 2005 12:50 AM PST

W32/MyDoom-AQ
Summary

Type Worm

W32/MyDoom-AQ is a mass mailing worm that can also spread using popular peer-to-peer networking applications.
W32/MyDoom-AQ harvests email addresses from the infected computer and sends an email to these addresses.
W32/MyDoom-AQ will attempt to copy itself to the shared folders of popular peer-to-peer applications.
W32/MyDoom-AQ will open up the notepad application to display what will appear to be garbage.

http://www.sophos.com/virusinfo/analyses/w32mydoomaq.html

W32/MyDoom-AP
by Marianna Schmudlach / February 9, 2005 12:52 AM PST

Type Worm

W32/MyDoom-AP is a mass mailing worm that can also spread using popular peer-to-peer networking applications.
W32/MyDoom-AP harvests email addresses from the infected computer and sends an email to these addresses.
W32/MyDoom-AP will attempt to copy itself to the shared folders of popular peer-to-peer applications.
W32/MyDoom-AP will open up the notepad application to display what will appear to be garbage.

http://www.sophos.com/virusinfo/analyses/w32mydoomap.html

W32/Agobot-PO
by Marianna Schmudlach / February 9, 2005 12:54 AM PST

Type Worm

W32/Agobot-PO is a member of the Agobot family of network worms with backdoor functionality for the Windows platform that provides unauthorised remote access to the infected computer via IRC channels.
W32/Agobot-PO spreads through weakly protected network shares or by exploiting the following vulnerabilities:
Remote Procedure Call (RPC) vulnerability.
Distributed Component Object Model (DCOM) vulnerability.
RPC Locator vulnerability.
IIS5/WEBDAV Buffer Overflow vulnerability.

http://www.sophos.com/virusinfo/analyses/w32agobotpo.html

Troj/Divdavkt-B
by Marianna Schmudlach / February 9, 2005 12:55 AM PST
Troj/Divdavkt-C
by Marianna Schmudlach / February 9, 2005 12:57 AM PST
Troj/AdClick-BK
by Marianna Schmudlach / February 9, 2005 12:58 AM PST
Troj/AdClick-AH
by Marianna Schmudlach / February 9, 2005 1:00 AM PST
Troj/BesTof-A
by Marianna Schmudlach / February 9, 2005 1:02 AM PST

Aliases Trojan-Downloader.Win32.Agent.iu

Type Trojan

Troj/BesTof-A is a downloading Trojan and browser hijacker.
The Trojan attempts to download and run files, including a file detected as Troj/Clicker-DM.
The Trojan may drop an HTML file and set it as the Start Page and Search Page in Internet Explorer.
The Trojan provides an uninstallation option in the Add/Remove Programs dialog with the display name "Best Search Engine!!!".

http://www.sophos.com/virusinfo/analyses/trojbestofa.html

Troj/Blob-B
by Marianna Schmudlach / February 9, 2005 1:03 AM PST
W32/MyDoom-AR
by Marianna Schmudlach / February 9, 2005 1:05 AM PST

Aliases W32/Mydoom.ba@MM

Type Worm

W32/MyDoom-AR is a mass-mailing and peer-to-peer worm which emails itself as an attachment to addresses found on the infected computer.
When run, W32/MyDoom-AR will launch Notepad with garbage which serves as a decoy.

http://www.sophos.com/virusinfo/analyses/w32mydoomar.html

W32/Rbot-ALO
by Marianna Schmudlach / February 9, 2005 1:08 AM PST

Aliases WORM_RBOT.ALO

Type Worm

W32/Rbot-ALO is a network worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-ALO spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-ALO can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-ALO can be instructed by a remote user to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
W32/Rbot-ALO will attempt to terminate processes associated with security and anti-virus products.

http://www.sophos.com/virusinfo/analyses/w32rbotalo.html

Troj/Dloader-HK
by Marianna Schmudlach / February 9, 2005 1:10 AM PST

Type Trojan

Troj/Dloader-HK is a downloader Trojan for the Windows platform.
Troj/Dloader-HK will drop a DLL file to the Windows temporary folder with a random name starting with stb. This file is then used to download and install a program without the user's knowledge.
The Trojan will remove old versions of the program before installing the new program. This downloaded program is installed as a Browser Helper Object.

http://www.sophos.com/virusinfo/analyses/trojdloaderhk.html

Troj/Choup-A
by Marianna Schmudlach / February 9, 2005 1:12 AM PST

Type Trojan

Troj/Choup-A is a Trojan for the Windows platform.
The Trojan can perform the following functions:
steal information
send email
send, receive and execute files
harvest email addresses from files containing HTM or TXT file extensions
log URLs visited
disable Windows Update
modify the system registry
reduce the security zone settings for Internet Explorer
post information to remote sites via FTP or HTTP

http://www.sophos.com/virusinfo/analyses/trojchoupa.html

Troj/BankAsh-A
by Marianna Schmudlach / February 9, 2005 1:13 AM PST

Aliases Trojan-Spy.Win32.Banker.jv
PWS-Banker.j

Type Trojan

Troj/BankAsh-A is a banker and password stealing Trojan.
Troj/BankAsh-A will spy on a user's internet access. When certain banking and finance websites are accessed, the Trojan can display a fake login page or log keyboard presses in order to steal username and password information. Targeted banks include the following:
Barclays, Cahoot, Halifax, HSBC, Lloyds TSB, Nationwide, NatWest, Smile
The Trojan can also steal email login details and passwords from the protected store. Periodically, Troj/BankAsh-A will send the stolen details to a remote FTP site.
Troj/BankAsh-A will attempt to disable the beta version of Microsoft AntiSpyware. The Trojan may also attempt to deny access to a number of security-related and anti-virus websites.

http://www.sophos.com/virusinfo/analyses/trojbankasha.html

Troj/Bckdr-CKA
by Marianna Schmudlach / February 9, 2005 1:15 AM PST
W32/Kipis-H
by Marianna Schmudlach / February 9, 2005 1:18 AM PST

Aliases Email-Worm.Win32.MyDoom.al
W32/Kipis.h@MM

Type Worm

W32/Kipis-H is a mass-mailing worm with some backdoor functionality.
W32/Kipis-H will also attempt to terminate various anti-virus and security related processes and open a backdoor on port TCP/1988.

http://www.sophos.com/virusinfo/analyses/w32kipish.html

Troj/Clicker-AC
by Marianna Schmudlach / February 9, 2005 1:20 AM PST
W32/Agobot-PQ
by Marianna Schmudlach / February 9, 2005 7:07 AM PST

Type Worm

W32/Agobot-PQ is a network worm with backdoor functionality for the Windows platform.
W32/Agobot-PQ is capable of spreading to computers on the local network protected by weak passwords.
The backdoor component runs continuously in the background providing backdoor access to the computer through IRC channels.

http://www.sophos.com/virusinfo/analyses/w32agobotpq.html

W32/Rbot-VP
by Marianna Schmudlach / February 9, 2005 7:10 AM PST

Aliases Backdoor.Win32.Rbot.gen

Type Worm

W32/Rbot-VP is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-VP may spread to remote network shares protected by weak passwords and computers vulnerable to common exploits. The worm also opens up a backdoor, allowing unauthorised remote access to infected computers via the IRC network, while running in the background as a service process.
W32/Rbot-VP can receive commands from a remote intruder to:
delete network shares
log keypresses
participate in DDoS attacks
scan other computers for vulnerabilities
steal passwords
steal registration keys for computer games
create administrator accounts
terminate firewall and anti-virus processes
capture video from webcameras attached to the computer.

http://www.sophos.com/virusinfo/analyses/w32rbotvp.html

Troj/Istbar-AK
by Marianna Schmudlach / February 9, 2005 7:12 AM PST
Troj/Dloader-HL
by Marianna Schmudlach / February 9, 2005 7:14 AM PST
Troj/Multidr-CC
by Marianna Schmudlach / February 9, 2005 7:15 AM PST
XM97/Baris-I
by Marianna Schmudlach / February 9, 2005 7:17 AM PST

Aliases Virus.MSExcel.Barisada
X97M/Barisada.gen

Type Excel 97 macro virus

XM97/Baris-I is a minor variant of the XM97/Barisada-A virus.
On 24 April between 2pm and 3pm, the virus displays a series of dialog boxes asking the user questions which may be related to a fantasy role-playing game. The first dialog box has the title '1st Qusetion' and the text 'Question: What is the Sword Which Karl Styner (=Grey Scavenger) used? Answer: Barisada'. If you press 'No', a dialog box with the title 'Right Answer' and the message 'Good! You're Authorized now!' is displayed. If you press 'Yes', then a dialog box with the title 'Wrong Answer' and the text 'I will give you one more Chance. Be careful!!' is displayed.
The next dialog box has the title 'Wrong Answer may cause The Serious Problem!' and the text 'Summoning Xavier is the Ultimate Magic. Right?'. If you press 'Yes' a dialog box with the title 'Right Answer' and the message 'ok, i will forgive you' appears. If you press 'No' a dialog box with the title 'You shall Die' and the message 'Wrong Answer, Your file will be deleted!' appears. The virus then clears all the cells in all the open sheets.

http://www.sophos.com/virusinfo/analyses/xm97barisi.html

Troj/QHost-I
by Marianna Schmudlach / February 9, 2005 7:19 AM PST

Aliases TROJ_QHOST.I

Type Trojan

Troj/QHost-I is a Trojan for the Windows platform.
The Trojan downloads a configuration file from a remote site which defines further actions. The configuration files are downloaded to the Windows temp folder and contain a schedule of registry changes, files to be downloaded and files to be executed.

http://www.sophos.com/virusinfo/analyses/trojqhosti.html

Dial/Porndial-W
by Marianna Schmudlach / February 9, 2005 7:21 AM PST
Troj/Bancban-BJ
by Marianna Schmudlach / February 9, 2005 7:24 AM PST

Aliases Trojan-Spy.Win32.Banbra.be
PWS-Bancban.gen.b

Type Trojan

Troj/Bancban-BJ is a password stealing Trojan targeted at customers of Brazilian banks.
Troj/Bancban-BJ attempts to log keypresses entered into certain websites and online banking applications. The Trojan may display fake user interfaces in order to persuade the user to enter confidential details. Stolen information is sent by email to a remote user.
Troj/Bancban-BJ may attempt to shut down anti-virus products.

http://www.sophos.com/virusinfo/analyses/trojbancbanbj.html

W32/Rbot-VQ
by Marianna Schmudlach / February 9, 2005 2:09 PM PST

Type Worm

W32/Rbot-VQ is a network worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-VQ spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS).
W32/Rbot-VQ can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-VQ can be instructed by a remote user to perform a set of functions.

http://www.sophos.com/virusinfo/analyses/w32rbotvq.html

Troj/Dloader-HM
by Marianna Schmudlach / February 9, 2005 2:12 PM PST
W32/Agobot-AGD
by Marianna Schmudlach / February 9, 2005 2:14 PM PST

Type Worm

W32/Agobot-AGD is an IRC backdoor Trojan and network worm.
W32/Agobot-AGD is capable of spreading to computers on the local network protected by weak passwords.
The backdoor component runs continuously in the background providing backdoor access to the computer through IRC channels. The backdoor component can be instructed to perform the following functions:
harvest email addresses
steal product registration information for certain software
take part in Distributed Denial of Service (DDoS) attacks
scan networks for vulnerabilities
download/execute arbitrary files
start a proxy server (SOCKS4/SOCKS5)
start/stop system services
monitor network communications (packet sniffing)
add/remove network shares
send email
log keypresses
W32/Agobot-AGD attempts to terminate and disable various anti-virus and security related programs and modifies the HOSTS file located at <SYSTEM>\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites.

http://www.sophos.com/virusinfo/analyses/w32agobotagd.html
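The HOSTS-file tampering described for W32/Agobot-AGD is easy to check for on a suspect machine. The script below is an added example for this thread, not code from the post or from Sophos: it parses HOSTS-file text, reports every name (other than localhost-style names) that is mapped to a loopback address, and marks entries as high severity when they hit a watchlist of vendor domains. The sample file content and the placeholder domain example-av.test are constructed for the example; sophos.com is the only vendor domain taken from the page.

```python
"""Scan HOSTS-file text for names redirected to the loopback address.

Added example (not from the forum post or Sophos). The sample content and the
watchlist domain example-av.test are constructed for illustration.
"""
import ipaddress
from typing import Iterable, Iterator, Tuple

# Names that legitimately resolve to loopback and must not be reported.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> Iterator[Tuple[int, ipaddress._BaseAddress, str]]:
    """Yield (line_number, address, hostname) for every mapping in the file.

    Comments (everything after '#') and blank or malformed lines are skipped;
    a line with several names yields one tuple per name.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an IP literal; ignore rather than guess
        for name in fields[1:]:
            yield line_no, address, name.lower()


def find_loopback_redirects(text: str, watchlist: Iterable[str] = ()) -> list:
    """Return entries that map a non-local name to 127.0.0.0/8 or ::1.

    Each finding is a dict with line, host, ip and severity. Severity is
    'high' when the host equals or is a subdomain of a watchlist domain,
    otherwise 'medium' (loopback mappings for arbitrary names still merit a look).
    """
    watched = tuple(w.lower().strip(".") for w in watchlist)
    findings = []
    for line_no, address, host in parse_hosts(text):
        if not address.is_loopback or host in LEGIT_LOOPBACK_NAMES:
            continue
        on_watchlist = any(host == w or host.endswith("." + w) for w in watched)
        findings.append({
            "line": line_no,
            "host": host,
            "ip": str(address),
            "severity": "high" if on_watchlist else "medium",
        })
    return findings


# Constructed sample; not the contents of any real infected machine.
SAMPLE_HOSTS = """\
# constructed sample for this example
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.sophos.com              # vendor named on the page
127.0.0.1       liveupdate.example-av.test  # placeholder vendor domain
127.0.0.1       intranet.corp.test          # loopback, not on watchlist
192.168.1.10    fileserver.corp.test        # ordinary entry, ignored
"""

# Constructed watchlist: sophos.com is from the page, example-av.test is a placeholder.
SAMPLE_WATCHLIST = ["sophos.com", "example-av.test"]


if __name__ == "__main__":
    # On Windows the real file is <SYSTEM>\Drivers\etc\HOSTS, as the post says;
    # read it into `text` instead of SAMPLE_HOSTS to scan a live machine.
    for f in find_loopback_redirects(SAMPLE_HOSTS, SAMPLE_WATCHLIST):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} [{f['severity']}]")
```

Mappings to 0.0.0.0 are deliberately not reported, since ad-blocking HOSTS lists use that address legitimately; extend the `address.is_loopback` test if your environment never expects such entries.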

W32/Sdbot-AGY
by Marianna Schmudlach / February 9, 2005 2:15 PM PST

Type Worm

W32/Sdbot-AGY is a network worm and IRC backdoor Trojan for the Windows platform which allows a remote intruder to access and control the computer via IRC channels.
The backdoor component joins a specific channel on an IRC server and then runs continuously in the background as a service process, listening on the IRC channel for specific commands and carrying out the appropriate actions.

http://www.sophos.com/virusinfo/analyses/w32sdbotagy.html

W32/Forbot-EB
by Marianna Schmudlach / February 9, 2005 2:17 PM PST

Type Worm

W32/Forbot-EB is a network worm with backdoor Trojan functionality for the Windows platform.
Once installed, W32/Forbot-EB connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands.
The worm can spread to unpatched machines affected by the LSASS vulnerability (see MS04-011) and through backdoors left open by the Troj/Optix Trojans.

http://www.sophos.com/virusinfo/analyses/w32forboteb.html
