Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - July 9, 2004

by Marianna Schmudlach / July 9, 2004 2:25 AM PDT

W32/Rbot-DE

Aliases
W32/Sdbot.worm.gen.k, Backdoor.Rbot.gen

Type
Win32 worm

Description
W32/Rbot-DE is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-DE spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Rbot-DE copies itself to the Windows system folder as WINSYS32.EXE and creates entries at the following locations in the registry so as to run itself on system startup, trying to reset them every minute:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-DE sets the following registry entries, trying to reset them every 2 minutes.


More: http://www.sophos.com/virusinfo/analyses/w32rbotde.html

Troj/Madr-C
by Marianna Schmudlach / July 9, 2004 2:28 AM PDT

Aliases
Backdoor.Small.r, BackDoor.c trojan

Type
Trojan

Description
Troj/Madr-C is a backdoor Trojan that allows a remote intruder access to and control of a victim's computer via IRC channels.
When first run, the Trojan sets its file attributes to read-only, system and hidden. The Trojan then copies itself to the folder <WINDOWS>\system and to the hidden folder <WINDOWS>\system32\wins.

In order to run automatically each time Windows is started, the Trojan sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Winlogon = <WINDOWS>\system\winlogon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Winlogon = <WINDOWS>\system32\wins\WINLOGON.exe

Each time the Trojan is run it tries to connect to a remote IRC server and join specific channels using a random nickname. The Trojan then runs continuously in the background, listening on the channel for commands to execute.

Troj/Madr-C will attempt to terminate a number of anti-adware programs.

http://www.sophos.com/virusinfo/analyses/trojmadrc.html

W32/Hobot-A
by Marianna Schmudlach / July 9, 2004 2:30 AM PDT

Aliases
Worm.Win32.Hobot.a, W32/Hobot.worm, W32.Hobot.Worm

Type
Win32 worm

Description
W32/Hobot-A is a worm that disguises itself as a Macromedia Flash Animation.
W32/Hobot-A copies itself on to a floppy disk in the A: drive with a predefined name from a list.

The worm may also copy itself to the Windows System and Windows Temporary folders with the names Wins.dll.exe, SystemInfo.exe, WinMessing.exe, CTFMON.EXE and to C:\recycled\RECYCLED.exe.

In order to run automatically each time Windows is started, the worm sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
CTFMON.EXE = <TEMP>\CTFMON.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MSMSGS = <SYSTEM>\WinMessing.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
NortonUtility = C:\recycled\RECYCLED.exe

where <SYSTEM> is the Windows System folder and <TEMP> is the Windows user Temporary folder.

http://www.sophos.com/virusinfo/analyses/w32hobota.html

W32/Agobot-KO
by Marianna Schmudlach / July 9, 2004 2:32 AM PDT

Aliases
Backdoor.Agobot.gen, W32/Gaobot.worm.gen.h

Type
Win32 worm

Description
W32/Agobot-KO is a backdoor Trojan and worm which spreads to computers protected by weak passwords.
When first run, W32/Agobot-KO copies itself to the Windows system folder as NORTONAV.EXE and creates the following registry entries to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\NAV

The Trojan runs continuously in the background providing backdoor access to the computer.


More: http://www.sophos.com/virusinfo/analyses/w32agobotko.html

W32/Rbot-DF
by Marianna Schmudlach / July 9, 2004 2:33 AM PDT

Aliases
Backdoor.Rbot.z, W32/Sdbot.worm.gen.h

Type
Win32 worm

Description
W32/Rbot-DF is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-DF spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Rbot-DF copies itself to the Windows system folder as SYSCONFIGS.EXE and creates entries at the following locations in the registry so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-DF may set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-DF may try to delete the C$, D$, E$, IPC$ and ADMIN$ network shares on the host computer.

W32/Rbot-DF creates a log file at C:\DEBUG.TXT.

http://www.sophos.com/virusinfo/analyses/w32rbotdf.html

W32/Agobot-KP
by Marianna Schmudlach / July 9, 2004 2:35 AM PDT

Type
Win32 worm

Description
W32/Agobot-KP is an IRC backdoor Trojan and network worm.
W32/Agobot-KP is capable of spreading to computers on the local network protected by weak passwords.

When first run W32/Agobot-KP copies itself to the Windows system folder as wincfg.exe and creates the following registry entries to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Configuration = wincfg.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Windows System Configuration = wincfg.exe

Each time W32/Agobot-KP is run it attempts to connect to a remote IRC server and join a specific channel. W32/Agobot-KP then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

W32/Agobot-KP attempts to terminate and disable various anti-virus and security-related programs.

http://www.sophos.com/virusinfo/analyses/w32agobotkp.html

W32/Bagle-AE
by Marianna Schmudlach / July 9, 2004 2:37 AM PDT
W32/Francette-M
by Marianna Schmudlach / July 9, 2004 2:38 AM PDT

Aliases
Worm.Win32.Francette.k (KAV), W32/Tumbi.worm.gen.b (McAfee), Win32/Tumbi.U (ESET), W32.Francette.Worm (Symc), WORM_FRANCETTE.F (Trend)

Type
Win32 worm

Description
W32/Francette-M is a Windows worm with a backdoor component that spreads by scanning the internet for computers vulnerable to the RPC/DCOM exploit and using backdoors opened by members of the W32/MyDoom family of worms.
In order to run automatically when Windows starts up the worm adds the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft IIS

This variant of the Francette worm also contains and drops a key-logging component as the file lol.dll. The worm uses the key-logging component to attempt to steal on-line banking details.

W32/Francette-M may also drop and run a copy of Troj/Dloader-HP.

W32/Francette-M contains IRC backdoor functionality that allows a malicious user remote control of an infected computer.

http://www.sophos.com/virusinfo/analyses/w32francettem.html

Troj/Dloader-HP
by Marianna Schmudlach / July 9, 2004 2:40 AM PDT

Aliases
TrojanDownloader.Win32.Small.ee (KAV), Downloader-HP (McAfee), Win32/TrojanDownloader.Small.EE (ESET), Download.Trojan (Symc), TROJ_SMALL.CJ (Trend)

Type
Trojan

Description
Troj/Dloader-HP downloads a file from a website. The file is written to the local hard disk as syshost.exe in the Windows system folder. Troj/Dloader-HP runs the downloaded file when the download is completed.

http://www.sophos.com/virusinfo/analyses/trojdloaderhp.html

Troj/HacDef-F
by Marianna Schmudlach / July 9, 2004 2:42 AM PDT

Type
Trojan

Description
Troj/HacDef-F is a backdoor Trojan that is targeted at NT/2000/XP operating systems. As well as allowing unauthorised remote access to the victim's computer, this Trojan is able to hide information about the victim's system including files, folders, processes, services and registry entries.
When started the Trojan will copy itself to the Windows directory as svchost.exe, create and load a driver (hxdefdrv.sys) and sets the following registry entry so as to auto start on system boot or user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Network Service = C:\<windows folder>\svhost.exe

Troj/HacDef-F intercepts various system services and attempts to terminate various security or monitoring processes. The Trojan also modifies the current internet start page and internet SearchAssistant.


http://www.sophos.com/virusinfo/analyses/trojhacdeff.html

W32/Rbot-AS
by Marianna Schmudlach / July 9, 2004 7:19 AM PDT

Type
Win32 worm

Description
W32/Rbot-AS is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-AS spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Rbot-AS moves itself to the Windows system folder as LSAS.EXE and creates registry entries called SYSTEM under the following keys so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-AS may set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

More: http://www.sophos.com/virusinfo/analyses/w32rbotas.html

JS/NoClose-M
by Marianna Schmudlach / July 9, 2004 7:21 AM PDT

Type
Trojan

Description
JS/NoClose-M moves the browser Window it is activated in out of the desktop view and then periodically attempts to open webpages some of which may have adult content.
JS/NoClose-M typically arrives on the computer by browsing websites whose HTML pages contain the script.

http://www.sophos.com/virusinfo/analyses/jsnoclosem.html

W32/Rodal-A
by Marianna Schmudlach / July 9, 2004 7:24 AM PDT

Type
Win32 worm

Description
W32/Rodal-A is a worm for the Windows platform that has a backdoor component that allows a malicious user remote access to an infected computer via the IRC network.
In order to run automatically when Windows starts up W32/Rodal-A copies itself to the file msmsgr.exe in the windows system folder and creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSN Messenger=msmsgr.exe.

When started W32/Rodal-A attempts to connect to an IRC server on a remote host and listens for commands.

The worm is able to spread by modifying configuration files used by an installed MIRC client on the local computer. This functionality is triggered by a command received via the control channel.

http://www.sophos.com/virusinfo/analyses/w32rodala.html

Troj/Mtron-A
by Marianna Schmudlach / July 9, 2004 7:26 AM PDT

Aliases
Backdoor.MTBot.a, IRC-Mtron, Backdoor.Mtron, BKDR_MTRON.A

Type
Trojan

Description
Troj/Mtron-A is a backdoor Trojan designed to steal online banking information.
The Trojan copies itself to mswinsrv.exe in the Windows system folder and adds the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSWinSrv

Troj/Mtron-A monitors keystrokes in Windows that have titles including Netbenefits, Fidelity, e-gold, Citibank or Citi. The Trojan also deletes all cookies and can act as a SOCKS proxy server.

Troj/Mtron-A is controlled by a remote attacker via IRC.

http://www.sophos.com/virusinfo/analyses/trojmtrona.html

Troj/Dumaru-AL
by Marianna Schmudlach / July 9, 2004 7:28 AM PDT

Aliases
TrojanSpy.Win32.Dumarin.g, BackDoor-CCT, Backdoor.Nibu.E

Type
Trojan

Description
Troj/Dumaru-AL is a key-logging Trojan.
Troj/Dumaru-AL runs as a service process, copying itself to NETDA.EXE and NETDC.EXE in the Windows system folder. It sets the following registry entry so as to run the NETDA.EXE copy on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32

Troj/Dumaru-AL sets an entry in the BOOT section of SYSTEM.INI with the key name SHELL in order to run the NETDC.EXE copy on system startup.

Troj/Dumaru-AL copies itself as NETDB.EXE to the folder found in the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

and writes loopback values to the HOSTS file to block access to various anti-virus websites.

The Trojan sets the following registry entries:

HKCU\Software\SARS\SocksPort

Troj/Dumaru-AL logs key strokes and window titles to a file in the Windows folder called PRNTK.LOG.

Troj/Dumaru-AL drops PRNTSVR.DLL in the Windows folder. PRNTSVR.DLL is a backdoor program detected by Sophos Anti-Virus as Troj/Dumaru-B.

http://www.sophos.com/virusinfo/analyses/trojdumarual.html
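Two checks for the HOSTS-file and SYSTEM.INI changes the Troj/Dumaru-AL write-up describes, as an added example that is not part of the thread or of Sophos's analysis. The HOSTS and SYSTEM.INI text below is a constructed sample (the write-up does not name the blocked sites, so the host names are placeholders under the reserved .test domain); the only assumption is that a clean [boot] section of SYSTEM.INI reads shell=explorer.exe, which is the Windows default.

```python
"""Spot HOSTS-file sinkholing and a tampered SYSTEM.INI shell line.

Added example; not code from the thread or from Sophos. Both inputs below are
constructed samples, not copies of files from an infected machine.
"""
import ipaddress

# Constructed sample: loopback entries of the kind the write-up describes,
# plus the localhost lines Windows ships with and one ordinary entry.
SAMPLE_HOSTS = """# constructed sample, not a real HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test
127.0.0.1       www.example-av.test downloads.example-av.test
0.0.0.0         liveupdate.example.test
192.0.2.10      intranet.example.test
"""

# Constructed sample: the [boot] section with a second program appended to
# the shell= line, which is how the write-up says NETDC.EXE is started.
SAMPLE_SYSTEM_INI = r"""[boot]
shell=explorer.exe C:\WINDOWS\system32\NETDC.EXE
[drivers]
wave=mmdrv.dll
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS-file text, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:                    # one line may list several names
            pairs.append((ip, name.lower()))
    return pairs


def sinkholed_hosts(text):
    """Hostnames mapped to a loopback or unspecified address, other than the
    localhost entries Windows installs itself. Anything returned here is a
    site the machine can no longer reach by name."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:                    # malformed line, not an address
            continue
        if name in ("localhost", "localhost.localdomain") or name.endswith(".localhost"):
            continue
        if addr.is_loopback or addr.is_unspecified:
            hits.append((ip, name))
    return hits


def extra_shell_programs(ini_text):
    """Programs appended to shell= in the [boot] section of SYSTEM.INI.
    A clean line reads 'shell=explorer.exe' (assumed default); every other
    token on the line is something the shell will start at logon. Tokens are
    split on whitespace, so an unquoted path containing spaces is reported in
    pieces rather than missed."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return [p for p in value.split() if p.lower() != "explorer.exe"]
    return []


if __name__ == "__main__":
    for ip, name in sinkholed_hosts(SAMPLE_HOSTS):
        print(f"HOSTS sinkhole: {name} -> {ip}")
    for program in extra_shell_programs(SAMPLE_SYSTEM_INI):
        print(f"SYSTEM.INI shell= also starts: {program}")
```

The HOSTS check deliberately keys on the address, not on a list of vendor names: the write-up only says "various anti-virus websites", and a loopback mapping for any public host name is abnormal regardless of whose site it is. On a real machine the files live at <WINDOWS>\system32\drivers\etc\hosts and <WINDOWS>\system.ini; read them into the two functions in place of the samples.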

W32/Agobot-JZ
by Marianna Schmudlach / July 9, 2004 7:31 AM PDT

Aliases
Backdoor.Agobot.gen, W32/Gaobot.worm.gen.f, W32.HLLW.Gaobot.gen

Type
Win32 worm

Description
W32/Agobot-JZ is an IRC backdoor Trojan and network worm which establishes an IRC channel to a remote server in order to grant an intruder access to the compromised machine.
This worm will move itself into the Windows System32 folder under the filename WMMON32.EXE and may create the following registry entries so that it can execute automatically on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WSSAConfiguration = wmmon32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
WSSAConfiguration = wmmon32.exe


More: http://www.sophos.com/virusinfo/analyses/w32agobotjz.html

W32/Rbot-AR
by Marianna Schmudlach / July 9, 2004 7:33 AM PDT

Type
Win32 worm

Description
W32/Rbot-AR is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-AR spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Rbot-AR copies itself to the Windows system folder as WUPDMGT.EXE and creates registry entries called 'Microsoft Windows Services' under the following keys so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-AR may set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-AR may try to delete network shares on the host computer.

http://www.sophos.com/virusinfo/analyses/w32rbotar.html

W32/Rbot-AT
by Marianna Schmudlach / July 9, 2004 7:35 AM PDT

Aliases
W32.Spybot.Worm

Type
Win32 worm

Description
W32/Rbot-AT is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-AT spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Rbot-AT copies itself to the Windows system folder as SSMS.EXE and creates registry entries called Scan Register under the following registry keys to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-AT may try to delete network shares on the host computer.

http://www.sophos.com/virusinfo/analyses/w32rbotat.html

Troj/Loony-L
by Marianna Schmudlach / July 9, 2004 7:36 AM PDT

Aliases
W32/Spybot.worm.gen.b, Backdoor.IRC.Loonbot

Type
Trojan

Description
Troj/Loony-L is a backdoor Trojan which allows unauthorised remote access to the infected computer via IRC channels.
Troj/Loony-L copies itself to the Windows system folder as MPL32.EXE and creates the following registry entry so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MPL32 Driver = "MPL32.exe"

Troj/Loony-L may display a fake error message with the title "Error-388" and the text "A valid dll file was not found".

http://www.sophos.com/virusinfo/analyses/trojloonyl.html

Dial/Dialer-U
by Marianna Schmudlach / July 9, 2004 7:40 AM PDT
W32/Agobot-WD
by Marianna Schmudlach / July 9, 2004 8:38 AM PDT

Aliases
Backdoor.Agobot.gen, W32/Gaobot.worm.gen.f, Win32/Agobot.3.ABQ, W32.HLLW.Gaobot.gen, WORM_AGOBOT.WD

Type
Win32 worm

Description
W32/Agobot-WD is an IRC backdoor and network worm.
W32/Agobot-WD is capable of spreading to computers on the local network that have weak passwords.

When first run, W32/Agobot-WD copies itself to the Windows system folder as winxtc.exe and creates the following registry entries to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windbs = winxtc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\windbs = winxtc.exe

The worm runs continuously in the background as a service process, providing backdoor access to the computer.


More: http://www.sophos.com/virusinfo/analyses/w32agobotwd.html

W32/Rbot-DG
by Marianna Schmudlach / July 9, 2004 8:40 AM PDT

Aliases
W32/Sdbot.worm.gen.j

Type
Win32 worm

Description
W32/Rbot-DG is a worm which attempts to spread to remote network shares. The worm also contains backdoor functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-DG spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Rbot-DG copies itself to the Windows system folder with a randomly chosen filename. To run itself on system startup, the worm creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Machine
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update Machine
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Machine


More: http://www.sophos.com/virusinfo/analyses/w32rbotdg.html
