VIRUS ALERTS - January 4, 2005

Jan 3, 2006 9:40PM PST

W32/Brontok-M

Type
Worm

W32/Brontok-M is a worm for the Windows platform.

When first run W32/Brontok-M may copy itself to:

<User>\Local Settings\Application Data\br<4 random digits>on.exe
<User>\Local Settings\Application Data\csrss.exe
<User>\Local Settings\Application Data\inetinfo.exe
<User>\Local Settings\Application Data\lsass.exe
<User>\Local Settings\Application Data\services.exe
<User>\Local Settings\Application Data\smss.exe
<User>\Local Settings\Application Data\svchost.exe
<Windows>\ShellNew\bbm-qotkmgfc.exe
<Windows>\sembako-cfzjkmg.exe
<System>\cmd-bro-mkx.exe

and create the following file:

<System>\sistem.sys

http://www.sophos.com/virusinfo/analyses/w32brontokm.html

Troj/QLowZon-H
Jan 3, 2006 9:42PM PST

Troj/Spyal-A
Jan 3, 2006 9:44PM PST

Type
Spyware Trojan

Aliases
Trojan-Spy.Win32.Agent.iz

Troj/Spyal-A is a Trojan for the Windows platform.

Troj/Spyal-A has the functionality to:

- log key strokes
- communicate with a remote server via email
- act as a proxy server relaying information

http://www.sophos.com/virusinfo/analyses/trojspyala.html

Troj/Banker-TA
Jan 3, 2006 9:48PM PST

Troj/DownLdr-QK
Jan 4, 2006 12:30AM PST

W32/Rbot-BHV
Jan 4, 2006 12:32AM PST

Type
Worm

Aliases
Backdoor.Win32.Rbot.rq

W32/Rbot-BHV is a worm for the Windows platform.

W32/Rbot-BHV spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WINS (MS04-045) and MSSQL (MS02-039) (CAN-2002-0649) and by copying itself to network shares protected by weak passwords.

http://www.sophos.com/virusinfo/analyses/w32rbotbhv.html

Troj/Bancban-NF
Jan 4, 2006 12:34AM PST

Troj/LewDl-H
Jan 4, 2006 12:36AM PST

Troj/Lecna-H
Jan 4, 2006 12:37AM PST

Troj/NtRootK-M
Jan 4, 2006 12:39AM PST

Type
Trojan

Aliases
NTRootKit-S
Backdoor.Win32.Lecna.p

Troj/Bancban-NE
Jan 4, 2006 12:41AM PST

Troj/Bckdr-PS
Jan 4, 2006 12:43AM PST

W32/Rbot-LT
Jan 4, 2006 1:12AM PST

Troj/Bckdr-CER
Jan 4, 2006 1:14AM PST

Troj/TheMouse-A
Jan 4, 2006 1:17AM PST

Type
Trojan

Aliases
Backdoor.Win32.Agent.cx

Troj/TheMouse-A is a backdoor Trojan which can be configured to accept connections on a predefined port. The Trojan will then listen for incoming connections and download and execute files as instructed by an intruder.

http://www.sophos.com/virusinfo/analyses/trojthemousea.html

W32/Forbot-AX
Jan 4, 2006 1:20AM PST

Type
Spyware Worm

Aliases
Backdoor.Win32.Agobot.vj
Exploit-MS04-011.gen
WORM_WOOTBOT.GEN

W32/Forbot-AX is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorized remote access to the infected computer via IRC channels while running in the background as a service process.

W32/Forbot-AX attempts to terminate several processes related to security and anti-virus programs.

W32/Forbot-AX attempts to spread to network machines using various exploits including the LSASS vulnerability (see MS04-011).

http://www.sophos.com/virusinfo/analyses/w32forbotax.html

W32/Forbot-AW
Jan 4, 2006 1:30AM PST

Type
Spyware Worm

Aliases
Backdoor.Win32.Agobot.vj
Exploit-MS04-011.gen
WORM_WOOTBOT.GEN

W32/Forbot-AW is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

W32/Forbot-AW also attempts to copy the W32/Parite-B virus into memory so that it can infect files.

W32/Forbot-AW attempts to spread to network machines using various exploits including the LSASS vulnerability (see MS04-011).

http://www.sophos.com/virusinfo/analyses/w32forbotaw.html

W32/Sdbot-PW
Jan 4, 2006 1:40AM PST

W32/Backterra-C
Jan 4, 2006 3:27AM PST

Troj/Banker-DT
Jan 4, 2006 3:30AM PST

W32/Rbot-LU
Jan 4, 2006 3:31AM PST

W32/Rbot-LV
Jan 4, 2006 3:33AM PST

Type
Spyware Worm

Aliases
Backdoor.Win32.Rbot.gen
W32/Sdbot.worm.gen.t

W32/Rbot-LV is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorized remote access to the infected computer via IRC channels while running in the background as a service process.

W32/Rbot-LV spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user. The worm may also spread through IRC channels by using DCC.

W32/Rbot-LV may also log keypresses, steal Windows passwords, participate in DDOS attacks and steal keys for certain software products.

http://www.sophos.com/virusinfo/analyses/w32rbotlv.html

W32/Rbot-BFR
Jan 4, 2006 4:01AM PST

Type
Worm

Aliases
Backdoor.Win32.Rbot.alj
W32/Sdbot.worm.gen.n
W32.Spybot.Worm
WORM_RBOT.DFP

W32/Rbot-BFR is a network worm with backdoor functionality for the Windows platform.

W32/Rbot-BFR spreads:

- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-BFR runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbfr.html

W32/Rbot-BFS
Jan 4, 2006 4:03AM PST

Type
Worm

Aliases
Backdoor.Win32.Rbot.gen
W32/Sdbot.worm.gen.bh

W32/Rbot-BFS is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-BFS spreads:

- to other network computers infected with: W32/MyDoom and W32/Bagle
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), Veritas (CAN-2004-1172) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-BFS runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbfs.html

W32/Brontok-I
Jan 4, 2006 4:05AM PST

W32/Brontok-H
Jan 4, 2006 4:07AM PST

Troj/PcClient-X
Jan 4, 2006 4:09AM PST

Type
Spyware Trojan

Aliases
Backdoor.Win32.PcClient.jf
BackDoor-CKB

Troj/PcClient-X is a backdoor Trojan for the Windows platform that provides unauthorized remote access to the infected computer.

Troj/PcClient-X includes keylogging functionality.

http://www.sophos.com/virusinfo/analyses/trojpcclientx.html

Troj/Banload-AI
Jan 4, 2006 4:12AM PST

Troj/Bander-AD
Jan 4, 2006 4:14AM PST

Troj/Agent-IG
Jan 4, 2006 4:17AM PST

Type
Spyware Trojan

Troj/Agent-IG is a Trojan for the Windows platform.

Troj/Agent-IG is capable of spying on a user's browsing habits, modifying Microsoft Internet Explorer settings, downloading further executables and displaying popup advertisements.

http://www.sophos.com/virusinfo/analyses/trojagentig.html

Troj/Agent-IF
Jan 4, 2006 4:19AM PST

Type
Spyware Trojan

Troj/Agent-IF is a Trojan for the Windows platform.

Troj/Agent-IF is capable of spying on a user's browsing habits, modifying Microsoft Internet Explorer settings, downloading further executables and displaying popup advertisements.

http://www.sophos.com/virusinfo/analyses/trojagentif.html