VIRUS ALERTS - July 14, 2005

by Marianna Schmudlach / July 14, 2005 3:44 AM PDT
Troj/Dloader-QJ
by Marianna Schmudlach / July 14, 2005 3:46 AM PDT
Troj/Easydor-C
by Marianna Schmudlach / July 14, 2005 3:47 AM PDT

Aliases Backdoor.Win32.Easydor.f
Backdoor.Exdis

Type Spyware Trojan

Troj/Easydor-C is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
Troj/Easydor-C includes functionality to:
- provide a proxy server
- silently download, install and run new software
- send notification messages to remote locations
- inject its code into other processes
Troj/Easydor-C listens on several ports including port 80, allowing a remote user access to the infected computer.
Troj/Easydor-C may also steal bank details from several online banking sites.

http://www.sophos.com/virusinfo/analyses/trojeasydorc.html

W32/Rbot-AIB
by Marianna Schmudlach / July 14, 2005 3:49 AM PDT

Aliases Backdoor.Win32.IRCBot.az

Type Spyware Worm

W32/Rbot-AIB is an internet worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AIB spreads to other network computers by exploiting the buffer overflow vulnerabilities LSASS (MS04-011) and RPC-DCOM (MS04-012).
W32/Rbot-AIB runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AIB can be obtained from the Microsoft website:
MS04-011
MS04-012

http://www.sophos.com/virusinfo/analyses/w32rbotaib.html

Troj/Agent-MD
by Marianna Schmudlach / July 14, 2005 3:51 AM PDT
Troj/Seedor-A
by Marianna Schmudlach / July 14, 2005 3:52 AM PDT
WM97/Sundor-A
by Marianna Schmudlach / July 14, 2005 3:53 AM PDT

Type Worm

WM97/Sundor-A is a file system worm for Microsoft Word.
The worm displays a picture of an alien with the following text:
I'm the alien
Have a happy week
I liked your computer
The worm also deletes programs and documents, changes system settings and disables some security software.

http://www.sophos.com/virusinfo/analyses/wm97sundora.html

Troj/Mkmoose-A
by Marianna Schmudlach / July 14, 2005 3:55 AM PDT

Type Trojan

Troj/Mkmoose-A is a Trojan for the Windows platform.
Troj/Mkmoose-A will inject code into other running processes in order to run without being noticed. It will contact a remote URL to report infection and to download files.
The Trojan also has backdoor functionality which will allow a remote user to perform the following activities:
Create/delete files and folders
Run commands
Upload/download files

http://www.sophos.com/virusinfo/analyses/trojmkmoosea.html

W32/Jlok-A
by Marianna Schmudlach / July 14, 2005 3:57 AM PDT

Aliases PE_JLOK.A

Type Virus

W32/Jlok-A is a prepending virus for the Windows platform.
W32/Jlok-A spreads by searching for files on the hard drive with a DOC extension and replacing them with a copy of itself with the filename .exe.
W32/Jlok-A contains a copy of the original file it replaced and may run the original file within Microsoft Word when executed.
W32/Jlok-A may restart the computer periodically.

http://www.sophos.com/virusinfo/analyses/w32jloka.html

W32/Rbot-AIA
by Marianna Schmudlach / July 14, 2005 3:58 AM PDT

Type Spyware Worm

W32/Rbot-AIA is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AIA runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-AIA spreads to other network computers
- by exploiting common buffer overflow vulnerabilities, including:
LSASS (MS04-011),
RPC-DCOM (MS04-012),
WKS (MS03-049) (CAN-2003-0812),
MSSQL (MS02-039) (CAN-2002-0649) and
WINS (MS04-045)
- by copying itself to network shares protected by weak passwords.
W32/Rbot-AIA includes functionality to:
- steal confidential information
- carry out DDoS flooder attacks
- provide a proxy server
- silently download, install and run new software
- disable other software, including anti-virus, firewall and security related applications
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AIA can be obtained from the Microsoft website:
MS03-049
MS04-011
MS04-012
MS02-039
MS04-045

http://www.sophos.com/virusinfo/analyses/w32rbotaia.html

W32/Sdranck-H
by Marianna Schmudlach / July 14, 2005 4:00 AM PDT

Type Worm

W32/Sdranck-H is a multi-component network worm.
W32/Sdranck-H drops two files to the winnt\system32 folder, whatyou.exe and gonnado.exe.
Whatyou.exe is a member of the Troj/Ranck family of proxy Trojans and gonnado.exe is a member of the W32/Sdbot family of network worms. The dropped W32/Sdbot worm spreads W32/Sdranck-H to network shares with weak passwords.
http://www.sophos.com/virusinfo/analyses/w32sdranckh.html

W32/Forbot-FD
by Marianna Schmudlach / July 14, 2005 9:23 AM PDT

Aliases Net-Worm.Win32.Mytob.bw

Type Worm

W32/Forbot-FD is a worm and IRC backdoor Trojan for the Windows platform.
W32/Forbot-FD spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011) and WKS (MS03-049) (CAN-2003-0812).
W32/Forbot-FD runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Forbot-FD also has mass-mailing functionality allowing it to spread through email. Email with the following characteristics is sent to addresses harvested from the infected computer:
Subject line:
*DETECTED* Online User Violation
*WARNING* Your email account is suspended
Email Account Suspension
Important Notification
Members Support
Notice of account limitation
Security measures
Warning Message: Your services near to be closed.
We have suspended your account
You are banned!!!
Your Account is Suspended
Your Account is Suspended For Security Reasons
Message text:
Some information about your <str> account is attached.
The <str> Support Team
Dear <str> Member,
We have temporarily suspended your email account <str>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the attached details to reactivate your <str> account.
Sincerely,The <str> Support Team
Dear <str> Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
Virtually yours,
The <str> Support Team
In the above message text samples <str> will be replaced with text acquired from the harvested email address.

http://www.sophos.com/virusinfo/analyses/w32forbotfd.html
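
An added example, written for this thread and not taken from the post or from Sophos' analysis: the subject lines and body fragments quoted above, turned into a small mail-filter check. The worm's `<str>` placeholder is expanded to a wildcard so the text it fills in from the harvested address does not matter, and the worm's own misspellings are kept verbatim because they are part of what is matched. The two sample messages are constructed; the function names are mine.

```python
import re
from typing import Dict, List

# Subject lines listed in the W32/Forbot-FD write-up above (from the post, not invented).
FORBOT_FD_SUBJECTS: List[str] = [
    "*DETECTED* Online User Violation",
    "*WARNING* Your email account is suspended",
    "Email Account Suspension",
    "Important Notification",
    "Members Support",
    "Notice of account limitation",
    "Security measures",
    "Warning Message: Your services near to be closed.",
    "We have suspended your account",
    "You are banned!!!",
    "Your Account is Suspended",
    "Your Account is Suspended For Security Reasons",
]

# Body fragments from the same write-up. <str> is the worm's placeholder for text
# taken from the harvested address; misspellings are the worm's and stay as they are.
FORBOT_FD_BODY_TEMPLATES: List[str] = [
    "Some information about your <str> account is attached.",
    "Dear <str> Member,",
    "We have temporarily suspended your email account <str>.",
    "Submiting invalid information during the initial sign up process.",
    "See the attached details to reactivate your <str> account.",
    "Sincerely,The <str> Support Team",
    "Your e-mail account was used to send a huge amount of unsolicited spam messages",
    "The <str> Support Team",
]


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Compile a template into a regex: literal text is escaped and each <str>
    becomes a lazy wildcard for one or more characters on the same line."""
    parts = [re.escape(part) for part in template.split("<str>")]
    return re.compile(".+?".join(parts), re.IGNORECASE)


_SUBJECTS = {s.lower() for s in FORBOT_FD_SUBJECTS}
_BODY_PATTERNS = [(t, template_to_regex(t)) for t in FORBOT_FD_BODY_TEMPLATES]


def score_message(subject: str, body: str) -> Dict[str, object]:
    """Match one message against the Forbot-FD lure.
    Several of the subjects ("Important Notification", "Security measures") are
    generic, so a subject alone is not enough: flag when the subject matches and
    at least one body template matches, or when two or more body templates match."""
    subject_hit = subject.strip().lower() in _SUBJECTS
    body_hits = [t for t, pat in _BODY_PATTERNS if pat.search(body)]
    suspicious = (subject_hit and len(body_hits) >= 1) or len(body_hits) >= 2
    return {"subject_hit": subject_hit, "body_hits": body_hits, "suspicious": suspicious}


# Constructed samples (not real captured mail).
SAMPLE_LURE_SUBJECT = "Your Account is Suspended"
SAMPLE_LURE_BODY = (
    "Dear example.com Member,\n"
    "We have temporarily suspended your email account alice@example.com.\n"
    "See the attached details to reactivate your example.com account.\n"
    "Sincerely,The example.com Support Team\n"
)
SAMPLE_BENIGN_SUBJECT = "Security measures"  # generic subject on its own must not fire
SAMPLE_BENIGN_BODY = "Reminder: the new badge readers go live on Monday.\n"

if __name__ == "__main__":
    for subj, body in ((SAMPLE_LURE_SUBJECT, SAMPLE_LURE_BODY),
                       (SAMPLE_BENIGN_SUBJECT, SAMPLE_BENIGN_BODY)):
        print(subj, "->", score_message(subj, body))
```

The lure sample matches the subject list and five body templates; the benign sample matches a listed subject but no body text and is therefore not flagged, which is the point of requiring corroboration from the body.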

W32/Forbot-FE
by Marianna Schmudlach / July 14, 2005 9:25 AM PDT

Type Worm

W32/Forbot-FE is an IRC backdoor Trojan and network worm for the Windows platform.
W32/Forbot-FE connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:
flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly-chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files

http://www.sophos.com/virusinfo/analyses/w32forbotfe.html

Troj/Dropper-AR
by Marianna Schmudlach / July 14, 2005 9:27 AM PDT

Aliases MultiDropper-EB

Type Trojan

Troj/Dropper-AR is a Trojan for the Windows platform.
When Troj/Dropper-AR is installed the following files are created and run:
<System>\downll32.exe
<System>\mptask.exe
<System>\ndrbk32.dll
<System>\Porn23321.jpg
The files downll32.exe, mptask.exe and ndrbk32.dll are detected as Troj/Delf-CL.
Porn23321.jpg may be safely deleted.
When run Troj/Dropper-AR displays a pornographic picture.

http://www.sophos.com/virusinfo/analyses/trojdropperar.html
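
Added example, not part of this post or of Sophos' analysis: a host sweep for the dropped-file names listed here and in the W32/Sdranck-H post earlier in the thread. The `<System>` placeholder is resolved to a caller-supplied system folder (the Sdranck-H write-up names winnt\system32), comparisons are folded to Windows case-insensitive rules, and a file with the same name found outside the documented location is reported separately as weaker evidence. The directory listing is constructed sample data; a real sweep would feed the function the paths produced by os.walk. Function names are mine.

```python
from typing import Dict, List, Tuple

# Dropped files quoted in the W32/Sdranck-H and Troj/Dropper-AR posts above.
# <System> stands for the Windows system folder, as in the Sophos write-ups.
DROPPED_FILE_INDICATORS: Dict[str, str] = {
    r"<System>\whatyou.exe": "W32/Sdranck-H (Troj/Ranck proxy component)",
    r"<System>\gonnado.exe": "W32/Sdranck-H (W32/Sdbot worm component)",
    r"<System>\downll32.exe": "Troj/Dropper-AR (detected as Troj/Delf-CL)",
    r"<System>\mptask.exe": "Troj/Dropper-AR (detected as Troj/Delf-CL)",
    r"<System>\ndrbk32.dll": "Troj/Dropper-AR (detected as Troj/Delf-CL)",
    r"<System>\Porn23321.jpg": "Troj/Dropper-AR (image only; Sophos says it may be safely deleted)",
}


def normalize(path: str) -> str:
    """Windows paths are case-insensitive and accept either slash; fold both."""
    return path.replace("/", "\\").lower()


def resolve(indicator: str, system_dir: str) -> str:
    """Replace the <System> placeholder with the real system folder."""
    return normalize(indicator.replace("<System>", system_dir))


def sweep(paths: List[str], system_dir: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (exact_hits, name_only_hits).
    exact_hits: file found at the documented location -> detection name.
    name_only_hits: same filename somewhere else on disk -> detection name;
    weaker evidence, worth a look rather than an automatic alert."""
    exact = {resolve(ind, system_dir): name for ind, name in DROPPED_FILE_INDICATORS.items()}
    by_name = {normalize(ind).rsplit("\\", 1)[-1]: name
               for ind, name in DROPPED_FILE_INDICATORS.items()}
    exact_hits: Dict[str, str] = {}
    name_only_hits: Dict[str, str] = {}
    for p in paths:
        n = normalize(p)
        if n in exact:
            exact_hits[p] = exact[n]
            continue
        base = n.rsplit("\\", 1)[-1]
        if base in by_name:
            name_only_hits[p] = by_name[base]
    return exact_hits, name_only_hits


# Constructed directory listing standing in for the output of os.walk on a
# Windows 2000 box, where the system folder is C:\WINNT\system32.
SAMPLE_SYSTEM_DIR = r"C:\WINNT\system32"
SAMPLE_LISTING: List[str] = [
    r"C:\WINNT\system32\kernel32.dll",            # legitimate, must not match
    r"C:\WINNT\system32\WHATYOU.EXE",             # Sdranck-H file, upper-cased on disk
    r"C:\WINNT\system32\mptask.exe",              # Dropper-AR file
    "C:/WINNT/system32/ndrbk32.dll",              # Dropper-AR file, forward slashes
    r"C:\Documents and Settings\user\gonnado.exe",  # right name, wrong place
]

if __name__ == "__main__":
    exact, weaker = sweep(SAMPLE_LISTING, SAMPLE_SYSTEM_DIR)
    for path, name in exact.items():
        print("HIT   ", path, "->", name)
    for path, name in weaker.items():
        print("CHECK ", path, "->", name)
```

Exact matching on the full path is deliberate: the names above are short and generic enough that a name-only match anywhere on disk should be reviewed, not acted on.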

Troj/Haxdoor-AG
by Marianna Schmudlach / July 14, 2005 9:29 AM PDT

Aliases Trojan-Spy.Win32.Goldun.bf

Type Trojan

Troj/Haxdoor-AG is a backdoor Trojan for the Windows platform.
Troj/Haxdoor-AG allows a remote attacker to run arbitrary commands. The Trojan may download and run further malicious code.
The Trojan uses stealthing techniques to avoid being terminated.

http://www.sophos.com/virusinfo/analyses/trojhaxdoorag.html

Troj/Istsvc-B
by Marianna Schmudlach / July 14, 2005 9:30 AM PDT

Aliases TROJ_ISTBAR.AM

Type Trojan

Troj/Istsvc-B is a Trojan for the Windows platform.
Troj/Istsvc-B includes functionality to access the internet and communicate with a remote server via HTTP.
Downloaded files are usually placed in the %temp% folder and normally will have randomly generated filenames.

http://www.sophos.com/virusinfo/analyses/trojistsvcb.html

Troj/Dloader-QK
by Marianna Schmudlach / July 14, 2005 9:31 AM PDT
Troj/Vax-A
by Marianna Schmudlach / July 14, 2005 9:32 AM PDT
Troj/AdClick-AV
by Marianna Schmudlach / July 14, 2005 9:34 AM PDT

Aliases Trojan-Clicker.Win32.Small.hf
Trojan.Adclicker

Type Trojan

Troj/AdClick-AV is a Trojan for the Windows platform that attempts to connect to various websites and then display selected banner advertisements.
Troj/AdClick-AV queries www.msxsecurity.com in an attempt to open redirect.php, a script file that contains redirect instructions.

http://www.sophos.com/virusinfo/analyses/trojadclickav.html

Troj/Prorat-N
by Marianna Schmudlach / July 14, 2005 9:36 AM PDT
W32/Sdbot-AAP
by Marianna Schmudlach / July 14, 2005 9:38 AM PDT

Aliases Backdoor.Win32.SdBot.ys
W32/Sdbot.worm.gen.t
W32.Randex.gen

Type Worm

W32/Sdbot-AAP is a network worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AAP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
http://www.sophos.com/virusinfo/analyses/w32sdbotaap.html
