Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - July 15, 2005

by Marianna Schmudlach / July 15, 2005 1:43 AM PDT
Troj/Chuckyb-A
by Marianna Schmudlach / July 15, 2005 1:45 AM PDT

Aliases Backdoor.Win32.Agent.kj
BackDoor-CSQ

Type Spyware Trojan

Troj/Chuckyb-A is a backdoor Trojan for the Windows platform.
Troj/Chuckyb-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access to and control over the computer.

http://www.sophos.com/virusinfo/analyses/trojchuckyba.html

Troj/Zapchas-O
by Marianna Schmudlach / July 15, 2005 1:47 AM PDT

Aliases Backdoor.Win32.mIRC-based
IRC/Flood.mirc

Type Trojan

Troj/Zapchas-O is an mIRC-based backdoor Trojan for the Windows platform.
Troj/Zapchas-O connects to a preconfigured IRC server and joins a channel in which it can receive further instructions from any of a list of usernames specified in one of the configuration files.

http://www.sophos.com/virusinfo/analyses/trojzapchaso.html

W32/Rbot-AIC
by Marianna Schmudlach / July 15, 2005 1:49 AM PDT

Type Worm

W32/Rbot-AIC is a worm and IRC backdoor Trojan for the Windows platform. When first run, W32/Rbot-AIC copies itself to <Windows>\lsass.exe and creates the file <System>\rdriv.sys, which is detected as Troj/Rootkit-W. rdriv.sys is used to stealth the processes started by this worm.

http://www.sophos.com/virusinfo/analyses/w32rbotaic.html

W32/Kalel-D
by Marianna Schmudlach / July 15, 2005 1:50 AM PDT

Aliases Net-Worm.Win32.Afire.c
W32.Kalel.B@mm

Type Worm

W32/Kalel-D is a worm and backdoor Trojan for the Windows platform that targets peer-to-peer file sharing utilities.
W32/Kalel-D may arrive in an email with the following characteristics:
Subject line:
Subject: **NOTICE** Mailbox Limitation
Message text:
This message was created automatically by "Mail Guard" software (MSG) - do not reply.
In order to safeguard your mailbox from unexpected termination,
follow the instructions in the attached document.
++ Attachment: No Virus found
++ Norton AntiVirus

W32/Sdbot-AAQ
by Marianna Schmudlach / July 15, 2005 1:52 AM PDT

Aliases Backdoor.Win32.SdBot.aad
WORM_SDBOT.BRQ


Type Spyware Worm

W32/Sdbot-AAQ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AAQ spreads to other network computers by:
- copying itself to network shares protected by weak passwords
- sending itself over AOL Instant Messenger
- exploiting common buffer overflow vulnerabilities, including:
LSASS (MS04-011),
RPC-DCOM (MS04-012),
WKS (MS03-049) (CAN-2003-0812) and
MSSQL (MS02-039) (CAN-2002-0649)
W32/Sdbot-AAQ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Sdbot-AAQ includes functionality to:
- access the internet and communicate with a remote server via HTTP
- carry out DDoS flooder attacks
- provide a proxy server
- stealth its services by using any existing process with the name "mIRC" or "mIRC32"
- silently download, install and run new software, including updates of its software
When first run W32/Sdbot-AAQ creates the file <System>\rdriv.sys.
The file rdriv.sys is detected as Troj/Rootkit-W. W32/Sdbot-AAQ then uses the dropped file rdriv.sys to stealth itself.
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AAQ can be obtained from the Microsoft website:
MS03-049
MS04-011
MS04-012
MS02-039

http://www.sophos.com/virusinfo/analyses/w32sdbotaaq.html
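Both the W32/Rbot-AIC and W32/Sdbot-AAQ write-ups above name concrete file artifacts: a copy of the worm at <Windows>\lsass.exe (the genuine lsass.exe lives in <System>) and the dropped driver <System>\rdriv.sys (Troj/Rootkit-W). The following added example, which is not part of the forum post or the Sophos analyses, flags those artifacts in a list of file paths taken from a host inventory; the Windows and System directory locations and the sample paths are assumptions.

```python
"""Added example: flag the file artifacts named in the W32/Rbot-AIC and
W32/Sdbot-AAQ alerts, given a list of paths from a host file inventory.
Not code from the forum post or from Sophos; paths are constructed samples."""
import ntpath
from typing import Dict, List, Optional

# Assumed default Windows install locations (<Windows> and <System>).
WINDOWS_DIR = r"C:\WINDOWS"
SYSTEM_DIR = r"C:\WINDOWS\system32"


def classify_path(path: str) -> Optional[str]:
    """Return a finding label for one path, or None if nothing matches.

    - lsass.exe is a legitimate Windows binary only inside <System>;
      W32/Rbot-AIC copies itself to <Windows>\\lsass.exe, one level up.
    - rdriv.sys is the dropped driver both alerts identify as Troj/Rootkit-W.
    """
    directory, name = ntpath.split(path)
    directory = directory.rstrip("\\").lower()
    name = name.lower()
    if name == "lsass.exe" and directory != SYSTEM_DIR.lower():
        return "lsass.exe outside <System> (W32/Rbot-AIC drop location)"
    if name == "rdriv.sys":
        return "rdriv.sys present (Troj/Rootkit-W driver dropped by Rbot-AIC/Sdbot-AAQ)"
    return None


def scan_paths(paths: List[str]) -> Dict[str, str]:
    """Map each suspicious path to its finding label; clean paths are omitted."""
    return {p: label for p in paths if (label := classify_path(p))}


SAMPLE_INVENTORY = [  # constructed inventory: one clean lsass.exe, two artifacts, one clean driver
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\lsass.exe",
    r"C:\WINDOWS\system32\rdriv.sys",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
]

if __name__ == "__main__":
    for path, label in scan_paths(SAMPLE_INVENTORY).items():
        print(f"{path}: {label}")
```

A positive hit on lsass.exe outside <System> is a strong signal on its own, since Windows only ever runs that binary from the System directory.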

Troj/Bancban-DS
by Marianna Schmudlach / July 15, 2005 1:54 AM PDT

Aliases Trojan-Spy.Win32.Banker.ju

Type Spyware Trojan

Troj/Bancban-DS is a password stealing Trojan targeted at customers of Brazilian banks.
Troj/Bancban-DS attempts to log keypresses entered into certain websites and online banking applications. The Trojan may display fake user interfaces in order to persuade the user to enter confidential details. Stolen information is sent by email to a remote user.

http://www.sophos.com/virusinfo/analyses/trojbancbands.html

Troj/Qeds-D
by Marianna Schmudlach / July 15, 2005 1:55 AM PDT
Troj/Ablank-AC
by Marianna Schmudlach / July 15, 2005 1:57 AM PDT
Troj/Hogil-E
by Marianna Schmudlach / July 15, 2005 1:59 AM PDT

Aliases Trojan.Win32.Dialer.eb

Type Trojan

Troj/Hogil-E is a Trojan for the Windows platform.
Troj/Hogil-E attempts to terminate the current dial-up connection and dial a different number.
Troj/Hogil-E may attempt to download files from a remote site.
Troj/Hogil-E may display a message box with the title "Error" and the message "Could not start Event Logger".

http://www.sophos.com/virusinfo/analyses/trojhogile.html

W32/Forbot-FD
by Marianna Schmudlach / July 15, 2005 2:00 AM PDT

Aliases Net-Worm.Win32.Mytob.bw

Type Worm

W32/Forbot-FD is a worm and IRC backdoor Trojan for the Windows platform.
W32/Forbot-FD spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011) and WKS (MS03-049) (CAN-2003-0812).
W32/Forbot-FD runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Forbot-FD also has mass-mailing functionality allowing it to spread through email. Email with the following characteristics is sent to addresses harvested from the infected computer:
Subject line:
*DETECTED* Online User Violation
*WARNING* Your email account is suspended
Email Account Suspension
Important Notification
Members Support
Notice of account limitation
Security measures
Warning Message: Your services near to be closed.
We have suspended your account
You are banned!!!
Your Account is Suspended
Your Account is Suspended For Security Reasons

MORE: http://www.sophos.com/virusinfo/analyses/w32forbotfd.html

W32/Forbot-FE
by Marianna Schmudlach / July 15, 2005 2:02 AM PDT

Type Worm

W32/Forbot-FE is an IRC backdoor Trojan and network worm for the Windows platform.
W32/Forbot-FE connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:
flood a remote host (by either ping or HTTP)
start a SOCKS4 proxy server
start an HTTP server
start an FTP server
portscan randomly-chosen IP addresses
execute arbitrary commands
steal information such as passwords and product keys
upload/download files

http://www.sophos.com/virusinfo/analyses/w32forbotfe.html

Troj/Dropper-AR
by Marianna Schmudlach / July 15, 2005 2:04 AM PDT

Aliases MultiDropper-EB

Type Trojan

Troj/Dropper-AR is a Trojan for the Windows platform.
When Troj/Dropper-AR is installed the following files are created and run:
<System>\downll32.exe
<System>\mptask.exe
<System>\ndrbk32.dll
<System>\Porn23321.jpg
The files downll32.exe, mptask.exe and ndrbk32.dll are detected as Troj/Delf-CL.
Porn23321.jpg may be safely deleted.
When run Troj/Dropper-AR displays a pornographic picture.

http://www.sophos.com/virusinfo/analyses/trojdropperar.html

Troj/Haxdoor-AG
by Marianna Schmudlach / July 15, 2005 2:05 AM PDT

Aliases Trojan-Spy.Win32.Goldun.bf

Type Trojan

Troj/Haxdoor-AG is a backdoor Trojan for the Windows platform.
Troj/Haxdoor-AG allows a remote attacker to run arbitrary commands. The Trojan may download and run further malicious code.
The Trojan uses stealthing techniques to avoid being terminated.

http://www.sophos.com/virusinfo/analyses/trojhaxdoorag.html

Troj/Istsvc-B
by Marianna Schmudlach / July 15, 2005 2:07 AM PDT

Aliases TROJ_ISTBAR.AM

Type Trojan

Troj/Istsvc-B is a Trojan for the Windows platform.
Troj/Istsvc-B includes functionality to access the internet and communicate with a remote server via HTTP.
Downloaded files are usually placed in the %temp% folder and normally will have randomly generated filenames.

http://www.sophos.com/virusinfo/analyses/trojistsvcb.html

Troj/Dloader-QK
by Marianna Schmudlach / July 15, 2005 2:09 AM PDT
Troj/Vax-A
by Marianna Schmudlach / July 15, 2005 2:10 AM PDT
Troj/AdClick-AV
by Marianna Schmudlach / July 15, 2005 2:12 AM PDT

Aliases Trojan-Clicker.Win32.Small.hf
Trojan.Adclicker

Type Trojan

Troj/AdClick-AV is a Trojan for the Windows platform that attempts to connect to various websites and then display selected banner advertisements.
Troj/AdClick-AV queries www.msxsecurity.com in an attempt to open redirect.php, a script file that contains redirect instructions.

http://www.sophos.com/virusinfo/analyses/trojadclickav.html

Troj/Prorat-N
by Marianna Schmudlach / July 15, 2005 2:13 AM PDT
W32/Sdbot-AAP
by Marianna Schmudlach / July 15, 2005 2:15 AM PDT

Aliases Backdoor.Win32.SdBot.ys
W32.Randex.gen

Type Worm

W32/Sdbot-AAP is a network worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AAP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32sdbotaap.html

W32/Lebreat-A
by Marianna Schmudlach / July 15, 2005 8:44 AM PDT

Aliases Net-Worm.Win32.Lebreat.gen
W32/Reatle.gen@MM

Type Worm

W32/Lebreat-A is a worm with a backdoor component for the Windows platform.
W32/Lebreat-A spreads by exploiting the LSASS vulnerability.
W32/Lebreat-A will send itself to email addresses harvested from the infected computer. These emails will have the following properties:
Subject:
**WARNING** Your Account Currently Disabled.
Email
Error
Hello
Importnat Information
info
Mail Delivery System
Message could not be delivered
Password
Message text:
Your credit card was charged for $500 USD. For additional information see the attachment.
Binary message is available.
The message contains Unicode characters and has been sent as a binary attachment.
Here are your banks documents
The original message was included as an attachment.
We have temporarily suspended your email account checkout the attachment for more info.
You have successfully updated the password of your domain account checkout the attachment for more info.
Important Notification checkout the attachment for more info.
Your Account Suspended checkout the document.
Your password has been updated checkout the document.
checkout the attachment.
Hello,
I was in a hurry and I forgot to attach an important
document. Please see attached.

http://www.sophos.com/virusinfo/analyses/w32lebreata.html

W32/Rbot-AID
by Marianna Schmudlach / July 15, 2005 8:46 AM PDT

Aliases Backdoor.Win32.Rbot.us

Type Spyware Worm

W32/Rbot-AID is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-AID runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-AID can spread to remote network shares protected by weak passwords.

http://www.sophos.com/virusinfo/analyses/w32rbotaid.html

Troj/PurScan-AC
by Marianna Schmudlach / July 15, 2005 8:48 AM PDT
Troj/Haxdoor-AH
by Marianna Schmudlach / July 15, 2005 8:50 AM PDT
W32/Tenga-A
by Marianna Schmudlach / July 15, 2005 8:51 AM PDT
Troj/Dloader-QL
by Marianna Schmudlach / July 15, 2005 8:53 AM PDT

Aliases Downloader-ADB
Downloader-ADB.dll

Type Trojan

Troj/Dloader-QL is a downloader Trojan for the Windows platform.
The Trojan injects code into the Windows Explorer process and uses it to download files from a preconfigured location.

http://www.sophos.com/virusinfo/analyses/trojdloaderql.html

W32/FlyVB-C
by Marianna Schmudlach / July 15, 2005 8:54 AM PDT

Type Worm

W32/FlyVB-C is a worm for the Windows platform.
W32/FlyVB-C will send itself as an attachment to email addresses harvested from the infected computer. The email will have the following properties:
Subject Line:
Fwd: Microsoft SP3 Update
Latest Update
SP3 Update
Message text:
Microsoft SP3 Update Download It
Update your computer with the latest services pack from microsoft
Latest update [ services pack 3 ]

http://www.sophos.com/virusinfo/analyses/w32flyvbc.html
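The W32/Forbot-FD, W32/Lebreat-A and W32/FlyVB-C posts above each list the subject lines their mass-mailing component uses. As an added example that is not part of the forum thread or the Sophos analyses, the script below loads those quoted subjects into a lookup table and matches incoming messages against it after normalising case and whitespace; the sample messages are constructed, and the family-to-subject grouping is taken directly from the three posts.

```python
"""Added example: match mail subjects against the lure subject lines quoted
in the W32/Forbot-FD, W32/Lebreat-A and W32/FlyVB-C alerts.  Not code from
the forum post or from Sophos; the messages below are constructed samples."""
from email import message_from_string
from typing import Dict, List, Optional

# Subject lines quoted from the alerts, grouped by the family that sends them.
LURE_SUBJECTS: Dict[str, List[str]] = {
    "W32/Forbot-FD": [
        "*DETECTED* Online User Violation",
        "*WARNING* Your email account is suspended",
        "Email Account Suspension",
        "Important Notification",
        "Notice of account limitation",
        "You are banned!!!",
        "Your Account is Suspended",
    ],
    "W32/Lebreat-A": [
        "**WARNING** Your Account Currently Disabled.",
        "Message could not be delivered",
        "Importnat Information",  # misspelling reproduced as the alert lists it
    ],
    "W32/FlyVB-C": ["Fwd: Microsoft SP3 Update", "SP3 Update", "Latest Update"],
}


def _norm(subject: str) -> str:
    """Collapse runs of whitespace and lower-case, so minor variants still match."""
    return " ".join(subject.split()).lower()


# Normalised subject -> family, built once at import time.
_INDEX = {_norm(s): family for family, subs in LURE_SUBJECTS.items() for s in subs}


def match_subject(raw_message: str) -> Optional[str]:
    """Return the family whose lure list contains this message's Subject, else None."""
    subject = message_from_string(raw_message).get("Subject", "")
    return _INDEX.get(_norm(subject))


SAMPLES = [  # constructed messages: two lures, one benign
    "From: a@example.test\nSubject: Your Account is Suspended\n\nsee attachment\n",
    "From: b@example.test\nSubject:  fwd: microsoft sp3 update \n\n...\n",
    "From: c@example.test\nSubject: Lunch on Friday?\n\nok\n",
]

if __name__ == "__main__":
    for message in SAMPLES:
        print(match_subject(message))
```

Exact-subject matching only catches the variants the alerts list, so treat a hit as a triage lead and pair it with attachment inspection rather than relying on it alone.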
