VIRUS ALERTS - January 6, 2006

Jan 6, 2006 12:14AM PST

Troj/Bancban-NI

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Banker.apt
PWS-Banker.gen.i

Troj/Bancban-NI is a password-stealing Trojan for the Windows platform.

Troj/Bancban-NI includes functionality to send notification messages to remote locations.

http://www.sophos.com/virusinfo/analyses/trojbancbanni.html

Troj/Feutel-CE
Jan 6, 2006 8:33AM PST
Troj/Restrict-D
Jan 6, 2006 8:34AM PST

Type Trojan

Aliases Trojan.Win32.LowZones.bq
QLowZones-25
Trojan.LowZones

Troj/Restrict-D adds registry entries that add certain web sites and certain IP address ranges to Internet Explorer's 'Restricted sites' Web content zone. These web sites and IP addresses are then subject to the security restrictions of the 'Restricted sites' zone.

http://www.sophos.com/virusinfo/analyses/trojrestrictd.html

Troj/Lewor-U
Jan 6, 2006 8:39AM PST

Type Trojan

Aliases Trojan-Downloader.Win32.Delf.yj
Downloader-AGP
Trojan.StartPage.Q

Troj/Lewor-U is a Trojan for the Windows platform.
Troj/Lewor-U may attempt to terminate processes.
Troj/Lewor-U includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojleworu.html

W32/Spybot-EV
Jan 6, 2006 8:40AM PST

Type Worm

Aliases W32.Spybot.Worm
P2P-Worm.Win32.SpyBot.gl

W32/Spybot-EV is a worm and IRC backdoor Trojan for the Windows platform.
W32/Spybot-EV spreads to other network computers infected with: Troj/Kuang and Troj/NetDevil.
W32/Spybot-EV runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32spybotev.html

Troj/DNSBust-H
Jan 6, 2006 8:45AM PST
Troj/Bancban-NJ
Jan 6, 2006 8:46AM PST

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Banker.qo
PWS-Banker.gen.b
PWSteal.Bancos

Troj/Bancban-NJ is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
Troj/Bancban-NJ attempts to log information sent to certain Brazilian websites and online banking applications. The Trojan may display fake user interfaces in order to persuade the user to enter confidential details. Stolen information is sent by email to a remote user.
Troj/Bancban-NJ may also perform the following functions:
- start a Proxy server
- download and execute additional files

http://www.sophos.com/virusinfo/analyses/trojbancbannj.html

Troj/Daemoni-T
Jan 6, 2006 8:47AM PST
Troj/Puper-BA
Jan 6, 2006 8:47AM PST

Type Spyware Trojan

Troj/Puper-BA is a Trojan for the Windows platform.
The Trojan creates the files hp<random>.tmp and msvol.tlb in the Windows system folder. Both files are detected as Troj/Puper-BA.
The file hp<random>.tmp is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer.
Troj/Puper-BA changes search settings for Microsoft Internet Explorer.

http://www.sophos.com/virusinfo/analyses/trojpuperba.html

Troj/Vixup-AD
Jan 6, 2006 8:48AM PST
Troj/Zlob-CA
Jan 6, 2006 8:49AM PST
Troj/Bancban-NK
Jan 6, 2006 8:50AM PST
Troj/Mainzz-F
Jan 6, 2006 9:35AM PST

Type Trojan

Aliases Net-Worm.Win32.Dedler.q
Exploit-Lsass.dll
Hacktool.Scan

Troj/Mainzz-F is a Trojan DLL that provides malicious functionality to another worm or Trojan.
Troj/Mainzz-F contains functionality to exploit the LSASS (MS04-011) vulnerability and may be used by a worm to spread to remote network shares with weak passwords.

http://www.sophos.com/virusinfo/analyses/trojmainzzf.html

Troj/AdClick-BL
Jan 6, 2006 9:36AM PST
Troj/Dloadr-ABT
Jan 6, 2006 9:37AM PST
Troj/Dloadr-ABU
Jan 6, 2006 9:38AM PST
Troj/Codorda-A
Jan 6, 2006 9:39AM PST
W32/Rbot-BBV
Jan 6, 2006 9:40AM PST

Type Worm

Aliases Backdoor.Win32.Rbot.adf
W32/Sdbot.worm.gen.bh

W32/Rbot-BBV is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-BBV spreads:
- to other network computers infected with: Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware (CAN-2003-1030), PNP (MS05-039) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords
W32/Rbot-BBV runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbbv.html

Troj/Agent-FV
Jan 6, 2006 9:41AM PST

Type Trojan

Aliases Trojan-Clicker.Win32.Small.jc

Troj/Agent-FV is a Trojan for the Windows platform.
Troj/Agent-FV is capable of spying on a user's browsing habits, modifying Internet Explorer settings, downloading further executables and displaying popup advertisements.

http://www.sophos.com/virusinfo/analyses/trojagentfv.html

Troj/Webdrop-D
Jan 6, 2006 9:42AM PST

Type Trojan

Aliases Exploit.HTML.Mht

Troj/Webdrop-D is a Trojan dropper for Windows based systems.
Troj/Webdrop-D is an HTML script that tries to ascertain whether a system viewing that script in a web browser has certain vulnerabilities.
If the system has one or more of these vulnerabilities, Troj/Webdrop-D exploits them to download and run malicious code.
Troj/Webdrop-D checks for computers that have a vulnerable Microsoft Virtual Machine installed, or that are vulnerable to the MhtRedir or IFRAME exploits.

http://www.sophos.com/virusinfo/analyses/trojwebdropd.html

W32/Rbot-BBZ
Jan 6, 2006 9:43AM PST

Type Worm

Aliases Backdoor.Win32.Rbot.akb

W32/Rbot-BBZ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-BBZ spreads to other network computers infected with Troj/Kuang and to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), UPNP (MS01-059) and ASN.1 (MS04-007).
W32/Rbot-BBZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotbbz.html

W32/Rbot-BBY
Jan 6, 2006 9:44AM PST

Type Worm

W32/Rbot-BBY is a worm for the Windows platform.
W32/Rbot-BBY runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-BBY attempts to spread by exploiting the following vulnerabilities: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware (CAN-2003-1030), PNP (MS05-039), ASN.1 (MS04-007) and by copying itself to remote network shares with weak passwords.
W32/Rbot-BBY includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/w32rbotbby.html

W32/Blaster-M
Jan 6, 2006 9:45AM PST

Type Worm

W32/Blaster-M is a worm for the Windows platform.
W32/Blaster-M attempts to spread to computers vulnerable to the RPC-DCOM vulnerability (MS04-012).
W32/Blaster-M includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/w32blasterm.html

W32/Chode-P
Jan 6, 2006 9:46AM PST

Type Worm

Aliases Backdoor.Win32.Virkel.e
W32/NoChod@MM

W32/Chode-P is an instant messaging worm for the Windows platform with IRC backdoor functionality.
W32/Chode-P attempts to spread via MSN Instant Messenger and AOL Instant Messenger by sending users a link to a copy of the worm.
When first run W32/Chode-P copies itself to <System>\tikcfva\csrss.exe and creates the following files:
<Startup>\csrss.lnk
<System>\netstat.com
<System>\taskkill.com
<System>\tikcfva\csrss.ini
<System>\tikcfva\smss.exe

http://www.sophos.com/virusinfo/analyses/w32chodep.html

Troj/Lewor-P
Jan 6, 2006 9:48AM PST
Troj/Delf-LV
Jan 6, 2006 9:49AM PST
W32/Rbot-BCA
Jan 6, 2006 9:50AM PST

Type Worm

Aliases Backdoor.Win32.IRCBot.es
W32/IRCbot.worm.gen

W32/Rbot-BCA is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-BCA runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-BCA spreads by using AOL Instant Messenger, via network shares and SQL servers with weak passwords.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-BCA can be obtained from the Microsoft website:
LSASS (MS04-011)
RPC-DCOM (MS04-012)
WKS (MS03-049) (CAN-2003-0812)
PNP (MS05-039)
ASN.1 (MS04-007)


http://www.sophos.com/virusinfo/analyses/w32rbotbca.html

W32/Bagle-BP
Jan 6, 2006 2:39PM PST

Type Worm

Aliases Email-Worm.Win32.Bagle.ex
W32.Beagle.DB@mm

W32/Bagle-BP is an email worm for the Windows platform.
W32/Bagle-BP does not send email to addresses containing the following:
@derewrdgrs
@eerswqe
@messagelab
@microsoft
anyone@
certific
contract@
f-secur
free-av
gold-certs@
google
icrosoft
listserv
nobody@
noone@
noreply
postmaster@
rating@
samples
support
update
winrar
winzip
Email sent by W32/Bagle-BP contains an attached ZIP file with one of the following names (followed by the ZIP

MORE:

http://www.sophos.com/virusinfo/analyses/w32baglebp.html

Troj/DNSBust-I
Jan 6, 2006 2:40PM PST

Type Trojan

Troj/DNSBust-I is a Trojan for the Windows platform.
Troj/DNSBust-I includes functionality to access the internet and communicate with a remote server via HTTP. Troj/DNSBust-I attempts to modify DNS settings on the computer.

http://www.sophos.com/virusinfo/analyses/trojdnsbusti.html

W32/Codbot-AV
Jan 6, 2006 2:41PM PST
Troj/Banker-TM
Jan 6, 2006 2:42PM PST