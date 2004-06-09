Spyware, Viruses, & Security forum

VIRUS ALERTS - June 10, 2004

by Marianna Schmudlach / June 9, 2004 8:59 PM PDT

W32/Agobot-JX

Type
Win32 worm

Description
W32/Agobot-JX is a backdoor Trojan and worm which spreads to computers
protected by weak passwords and to computers infected with variants of
W32/MyDoom.
When first run, W32/Agobot-JX moves itself to the Windows system folder as
wupdate.exe and creates the following registry entries to run itself on system
logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
napv.exe = wupdate.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
napv.exe = wupdate.exe

W32/Agobot-JX also sets itself up as a Windows service, with the
service name "navp.exe".


More: http://www.sophos.com/virusinfo/analyses/w32agobotjx.html
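
Several of the alerts in this thread (Agobot-JX, Agobot-JV, LegMir-P, Sdbot-DM, Startpa-BD and others) persist through the Run/RunServices keys. The script below is an added example for checking those locations; it is not Sophos code and not part of any of the posted analyses. The watchlist is built from the filenames the alerts report, the "lookalike" heuristic (a genuine system binary name launched from outside the system folder) and the set of keys audited are assumptions, and the sample entries are constructed. On Windows it reads the real keys; elsewhere it runs over the sample.

```python
"""Audit Windows autorun registry entries against the filenames reported above.

Added example for this thread; it is not Sophos code and not from any of the
alerts. The watchlist is built from filenames the alerts report; the sample
entries are constructed. On Windows, collect_autoruns() reads the real keys.
"""
import ntpath
import sys

# Autorun locations the alerts above name. Assumption: a useful starting set
# for a Windows 9x/NT-era host, not an exhaustive list of autostart points.
AUTORUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Filenames taken from the alerts in this thread (lower-cased for matching).
WATCHLIST = {
    "wupdate.exe", "navapsvc.exe", "svchostx.exe", "sos.exe", "neroasm.exe",
    "wincfg32.exe", "spolsv.exe", "winnt32.exe", "dllmnr.exe", "dmrss.exe",
    "nxcm.exe", "videogirls_gb.exe", "roughriders.exe",
}

# Genuine Windows binary names that malware likes to borrow; a copy of one of
# these launched from outside the system folder deserves a look (assumption).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}


def launched_path(data):
    """Normalise an autorun value to the path of the program it launches.

    Handles quoted paths, forward slashes (as in the Startpa-BD entry in this
    thread) and trailing arguments such as '/s'.
    """
    s = data.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        s = s[1:end] if end > 0 else s[1:]
    else:
        idx = s.lower().find(".exe")
        s = s[: idx + 4] if idx >= 0 else s.split(" ", 1)[0]
    return s.replace("/", "\\")


def executable_name(data):
    """Lower-cased basename of the program an autorun value launches."""
    return ntpath.basename(launched_path(data)).lower()


def audit_autoruns(entries, watchlist=WATCHLIST):
    """Flag suspicious autorun entries.

    entries: iterable of (hive, key, value_name, data) tuples.
    Returns a list of (hive\\key, value_name, executable, reason) tuples.
    """
    hits = []
    for hive, key, name, data in entries:
        path = launched_path(data)
        exe = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if exe in watchlist:
            hits.append((f"{hive}\\{key}", name, exe, "watchlist"))
        elif exe in SYSTEM_BINARIES and not folder.endswith(("system32", "system")):
            hits.append((f"{hive}\\{key}", name, exe, "lookalike"))
    return hits


def collect_autoruns():
    """Read the real autorun keys on Windows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for hive, key in AUTORUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break  # no more values under this key
                    found.append((hive, key, name, str(data)))
                    i += 1
        except OSError:
            continue  # key absent (RunServices does not exist on NT-family hosts)
    return found


# Constructed sample shaped like the entries reported in the alerts above.
SAMPLE_ENTRIES = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", "napv.exe", "wupdate.exe"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunServices", "SOS", r"C:\WINDOWS\SOS.exe"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", "SysInit", "C:/Program Files/Common Files/svchost.exe"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", "Microsoft DLL Manager", "dllmnr.exe"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    entries = collect_autoruns() or SAMPLE_ENTRIES
    for location, name, exe, reason in audit_autoruns(entries):
        print(f"[{reason}] {location} -> {name} = {exe}")
```

A bare filename such as wupdate.exe in a Run value is resolved through the search path at logon, which is why the alerts can report the copy in the Windows system folder by name alone; the audit therefore matches on basename rather than full path.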

W32/Agobot-JT
by Marianna Schmudlach / June 9, 2004 9:02 PM PDT

Aliases
Gaobot

Type
Win32 worm

Description
W32/Agobot-JT is a backdoor worm which runs in the background as a
system process and allows unauthorised remote access to the computer.
The worm copies itself to the Windows system folder as NAVAPSVC.EXE and adds entries to the registry at

HKLM\Software\Microsoft\Windows\CurrentVersion\Run and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

to run itself on system restart.


More: http://www.sophos.com/virusinfo/analyses/w32agobotjt.html

Troj/Servu-N
by Marianna Schmudlach / June 9, 2004 9:04 PM PDT
Troj/Servu-O
by Marianna Schmudlach / June 9, 2004 9:06 PM PDT
Dial/Casino-A
by Marianna Schmudlach / June 9, 2004 9:08 PM PDT

Aliases
Trojan.Win32.Dialer.bh, Win32/Dialer.BH trojan

Type
Dialler

Description
Dial/Casino-A downloads configuration data from a website and uses this data
to dial a potential premium rate number.
The dialler will launch Internet Explorer and try to connect to a number of
websites. The dialler may close other browser windows.

The dialler creates an internet shortcut named default.lnk on the desktop.

http://www.sophos.com/virusinfo/analyses/dialcasinoa.html

Troj/Padodor-D
by Marianna Schmudlach / June 9, 2004 9:10 PM PDT

Aliases
BackDoor-AXJ

Type
Trojan

Description
Troj/Padodor-D is a proxy and backdoor Trojan with password stealing
functionality.
When first run Troj/Padodor-D copies itself to the Windows System32 folder with
a random filename and an extension of EXE and drops a library DLL into the
same folder with a random filename and an extension of DLL.


More: http://www.sophos.com/virusinfo/analyses/trojpadodord.html

W32/Agobot-JV
by Marianna Schmudlach / June 9, 2004 9:12 PM PDT

Aliases
Backdoor.Agobot.lo

Type
Win32 worm

Description
W32/Agobot-JV is an IRC backdoor Trojan and network worm.
W32/Agobot-JV is capable of spreading to computers on the local network
protected by weak passwords.

When first run W32/Agobot-JV copies itself to the Windows system folder as
svchostx.exe and creates the following registry entries to run itself on
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
WSAConfiguration

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WSAConfiguration

Each time W32/Agobot-JV is run it attempts to connect to a remote IRC server
and join a specific channel.

W32/Agobot-JV then runs continuously in the background, allowing a remote
intruder to access and control the computer via IRC channels.

W32/Agobot-JV attempts to terminate and disable various anti-virus and
security-related programs.

http://www.sophos.com/virusinfo/analyses/w32agobotjv.html

Troj/Boxed-D
by Marianna Schmudlach / June 9, 2004 9:14 PM PDT

Type
Trojan

Description
Troj/Boxed-D is a DDoS flooder.
Troj/Boxed-D runs continuously in the background sending random TCP packets
to selected domains on port 80 (HTTP).

The Trojan also replaces the Windows HOSTS file with its own version which
maps several antivirus and security-related domain names to the loopback
address (127.0.0.1).


More: http://www.sophos.com/virusinfo/analyses/trojboxedd.html
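
The Troj/Boxed-D alert above describes a HOSTS file that points security vendor domains at 127.0.0.1, which silently breaks signature updates. The script below is an added example for auditing a HOSTS file for that pattern; it is not Sophos code and not part of the posted analysis. The list of security domain suffixes and the sample HOSTS text are constructed for the demonstration; on Windows the script reads the real file at %SystemRoot%\System32\drivers\etc\hosts when it exists.

```python
"""Audit a Windows HOSTS file for security domains redirected to loopback.

Added example for the Troj/Boxed-D alert in this thread; not Sophos code.
The vendor domain list and the sample HOSTS text are constructed.
"""
import ipaddress
import os

# Constructed list of security-related domain suffixes a defender would never
# expect to resolve to loopback (assumption: extend it for your own tooling).
SECURITY_DOMAINS = (
    "sophos.com", "symantec.com", "mcafee.com", "nai.com",
    "trendmicro.com", "kaspersky.com", "windowsupdate.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        for host in parts[1:]:                 # one IP may carry several names
            yield ip, host.lower()


def is_loopback(ip):
    """True for any loopback address (127.0.0.0/8 or ::1), False for junk."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def in_watched_domain(host, watched=SECURITY_DOMAINS):
    """Exact or proper-subdomain match, so 'notsophos.com' does not match."""
    return any(host == d or host.endswith("." + d) for d in watched)


def loopback_entries(text):
    """All non-localhost names the file maps to a loopback address."""
    return [(ip, host) for ip, host in parse_hosts(text)
            if host != "localhost" and is_loopback(ip)]


def audit_hosts(text, watched=SECURITY_DOMAINS):
    """Return (ip, hostname) pairs where a watched domain is sent to loopback."""
    return [(ip, host) for ip, host in loopback_entries(text)
            if in_watched_domain(host, watched)]


# Constructed sample resembling the HOSTS file the alert describes.
SAMPLE_HOSTS = """\
# constructed sample, not a real infected file
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       liveupdate.symantec.com   # update server blocked
127.0.0.1       download.mcafee.com
10.0.0.5        intranet.example.com
::1             localhost
"""

HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")

if __name__ == "__main__":
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    for ip, host in audit_hosts(text):
        print(f"{host} -> {ip}  (security domain sent to loopback)")
```

Entries returned by loopback_entries() that are not on the watched list are worth reviewing as well, since a HOSTS file on a workstation normally maps nothing but localhost to loopback.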

W32/LegMir-P
by Marianna Schmudlach / June 9, 2004 9:16 PM PDT

Aliases
Philis-A, Philis-B, Sypon-A

Type
Win32 worm

Description
W32/LegMir-P is a prepending virus which includes a keyboard logger.
In order to run automatically at startup the virus copies itself to the Windows
folder with the name Sos.exe and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
SOS = C:\WINDOWS\SOS.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
SOS = C:\WINDOWS\SOS.exe

W32/LegMir-P monitors all keypresses for potential passwords and periodically
emails its findings to a preconfigured email address.


http://www.sophos.com/virusinfo/analyses/w32legmirp.html

Troj/Psyme-X
by Marianna Schmudlach / June 9, 2004 9:18 PM PDT

Aliases
Weis

Type
Trojan

Description
Troj/Psyme-X is an HTML-based script which exploits the ADODB stream and CODEBASE vulnerabilities associated with Microsoft Internet Explorer to
download and run an executable.
Troj/Psyme-X attempts to download an executable from a remote location to
C:\Program Files\Internet Explorer\<random>.EXE and then execute this file.

The Troj/Psyme-X HTML page may arrive on the computer via web pages that exploit the MSITS vulnerability associated with Microsoft Internet Explorer.

Such web pages will contain links pointing to a remote CHM file (compiled HTML help file format) which contains the Troj/Psyme-X HTML.

http://www.sophos.com/virusinfo/analyses/trojpsymex.html

W32/Fremmy-A
by Marianna Schmudlach / June 9, 2004 9:20 PM PDT

Type
Win32 worm

Description
W32/Fremmy-A is a mass mailing worm. The email sent by the worm has the
following characteristics:
Subject lines:
Plz Help us!
Bring'im back!
Sing Song Alone!
Great MP3!
Welcome friend!

Message texts:
Dear Customer,
Please informed that our server has been changed so any email you have
received will be attached as email attachment.
This only a temporary problem.
Our service will be smooth within a couple days.

Notice:
Because of our services is not configured properly, your email message has
been converted to attachment.
In order to read the message please download the attachment.


More: http://www.sophos.com/virusinfo/analyses/w32fremmya.html

W32/Agobot-JW
by Marianna Schmudlach / June 9, 2004 11:58 PM PDT

Type
Win32 worm

Description
W32/Agobot-JW is a worm which spreads to network shares with weak passwords. The worm also includes backdoor functions which can be controlled over IRC by a remote attacker.
When first run the worm copies itself to neroasm.exe in the Windows system
folder and adds the registry entries

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroAutoStartClient

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
NeroAutoStartClient

The worm removes registry entries and files used by a number of other worms
and terminates a large number of anti-virus and security related processes.

W32/Agobot-JW copies itself to shares with weak passwords as a file named
wrtx.exe.

http://www.sophos.com/virusinfo/analyses/w32agobotjw.html

W32/Rbot-AD
by Marianna Schmudlach / June 10, 2004 12:00 AM PDT

Aliases
Backdoor.Rbot.gen

Type
Win32 worm

Description
W32/Rbot-AD is a network worm. The worm also contains backdoor Trojan
functionality, allowing unauthorised remote access to the infected computer via
IRC channels while running in the background as a service process.
W32/Rbot-AD spreads as a result of the backdoor Trojan element receiving the
appropriate command from a remote user. To spread the worm attacks network
shares with weak passwords, Microsoft SQL servers with weak administrator
passwords, operating system vulnerabilities and backdoors opened by other
worms.


http://www.sophos.com/virusinfo/analyses/w32rbotad.html

W32/Spybot-CL
by Marianna Schmudlach / June 10, 2004 12:02 AM PDT

Aliases
Worm.P2P.SpyBot.gen, W32/Spybot.worm.gen.a, Win32/SpyBot.RD, W32.Spybot.Worm, WORM_SPYBOT.A

Type
Win32 worm

Description
W32/Spybot-CL is a peer-to-peer (P2P) and network worm with backdoor Trojan functionality.
W32/Spybot-CL attempts to move itself to WINCFG32.EXE in the Windows
System folder and creates entries in the registry at the following locations to run
itself on system restart:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win Startup=WINCFG32.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Win Startup=WINCFG32.EXE


More: http://www.sophos.com/virusinfo/analyses/w32spybotcl.html

W32/Spybot-CM
by Marianna Schmudlach / June 10, 2004 12:04 AM PDT

Aliases
Worm.P2P.SpyBot.gen, W32/Spybot.worm.gen.a, Win32/SpyBot.WT, W32.Spybot.Worm

Type
Win32 worm

Description
W32/Spybot-CM is a peer-to-peer (P2P) worm that spreads via common file
sharing networks.
In order to run automatically when Windows starts up the worm copies itself to
the file SPOLSV.EXE in the Windows System32 folder and adds the following
registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Winsock2 driver = SPOLSV.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Winsock2 driver = SPOLSV.EXE


More: http://www.sophos.com/virusinfo/analyses/w32spybotcm.html

W32/Spybot-CN
by Marianna Schmudlach / June 10, 2004 12:06 AM PDT

Aliases
Worm.P2P.SpyBot.dv, W32/Spybot.worm.gen.i, W32.Spybot.Worm

Type
Win32 worm

Description
W32/Spybot-CN is a peer-to-peer (P2P) worm that spreads via common file
sharing networks.
In order to run automatically when Windows starts up the worm copies itself to
the file WINNT32.EXE in the Windows System32 folder and adds the following
registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Winsock2 driver = WINNT32.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Winsock2 driver = WINNT32.EXE


More: http://www.sophos.com/virusinfo/analyses/w32spybotcn.html

W32/Sdbot-DM
by Marianna Schmudlach / June 10, 2004 12:08 AM PDT

Type
Win32 worm

Description
W32/Sdbot-DM is a network worm and backdoor. The worm spreads by copying itself to network shares that have weak passwords.
The worm creates a copy of itself named dllmnr.exe in the Windows system
folder and adds the following registry entries to ensure that the copy is run each
time Windows starts:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft DLL Manager = dllmnr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft DLL Manager = dllmnr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft DLL Manager = dllmnr.exe

W32/Sdbot-DM maintains a log of the user's keystrokes in a file named
ntfsvi.txt in the Windows system folder.

The backdoor component of the worm attempts to connect to an IRC server and
awaits commands from a remote attacker.

http://www.sophos.com/virusinfo/analyses/w32sdbotdm.html

W32/Agobot-XX
by Marianna Schmudlach / June 10, 2004 2:18 AM PDT

Type
Win32 worm

Description
W32/Agobot-XX is capable of spreading to computers on the local network
protected by weak passwords.
When first run W32/Agobot-XX copies itself to the Windows system folder as
dmrss.exe and creates the following registry entries to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DSService = dmrss.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
DSService = dmrss.exe

Each time W32/Agobot-XX is run it attempts to connect to a remote IRC server
and join a specific channel.


More: http://www.sophos.com/virusinfo/analyses/w32agobotxx.html

Troj/Startpa-BD
by Marianna Schmudlach / June 10, 2004 2:20 AM PDT

Type
Trojan

Description
Troj/StartPa-BD is a Trojan which changes browser settings for Microsoft
Internet Explorer by creating or changing the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Search\Default_Search_Url
HKLM\Software\Microsoft\Internet Explorer\Main\Default_Search_Url

In order to run automatically when Windows starts up the Trojan creates
the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
\SysInit = C:/Program Files/Common Files/svchost.exe

Troj/StartPa-BD may also create internet shortcuts in the Favorites folder.

If the computer is online, the Trojan will start up Internet Explorer on a preconfigured URL. This is repeated every 15 minutes.

http://www.sophos.com/virusinfo/analyses/trojstartpabd.html

W32/SdBot-IT
by Marianna Schmudlach / June 10, 2004 2:22 AM PDT

Aliases
Backdoor.IRCBot.gen

Type
Win32 worm

Description
W32/Sdbot-IT is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-IT copies itself to the Windows system folder as NXCM.EXE and creates an entry in the registry at the following locations to run itself on system
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

W32/Sdbot-IT spreads to network shares with weak passwords as a result of the
backdoor Trojan element receiving the appropriate command from a remote user,
copying itself to MOO.DAT on the local machine at the same time.

http://www.sophos.com/virusinfo/analyses/w32sdbotit.html

Dial/Scom-B
by Marianna Schmudlach / June 10, 2004 2:24 AM PDT

Type
Dialler

Description
Dial/Scom-B is a premium rate dialler that copies itself to
C:\Program Files\scom\dialers\videogirls_gb\videogirls_gb.exe and creates shortcuts on the Desktop and in the Startup menu.
The following registry entry is created so that the dialler is run when a user logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
VideoGirls_gb = VideoGirls_gb.exe

The dialler also creates several registry entries under HKCU\Software\Scom.

http://www.sophos.com/virusinfo/analyses/dialscomb.html

Dial/WMX-A
by Marianna Schmudlach / June 10, 2004 2:26 AM PDT

Type
Dialler

Description
Dial/Wmx-A is a premium rate dialler that copies itself to
C:\Program Files\wmx\dialers\roughriders\roughriders.exe and creates shortcuts
on the Desktop and in the Startup menu.
The following registry entry is created so that the dialler is run when a user logs
on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Roughriders = Roughriders.exe

The dialler also creates several registry entries under HKCU\Software\wmx.

http://www.sophos.com/virusinfo/analyses/dialwmxa.html

JS/Relink-A
by Marianna Schmudlach / June 10, 2004 2:27 AM PDT
Troj/Psyme-W
by Marianna Schmudlach / June 10, 2004 2:29 AM PDT
Troj/Dloader-S
by Marianna Schmudlach / June 10, 2004 2:31 AM PDT
JS/Exploit-DialogArg.b and Exploit-MhtRedir.gen
by Marianna Schmudlach / June 10, 2004 5:39 AM PDT

Notice
This is a Low-Profiled Threat Notice for JS/Exploit-DialogArg.b and Exploit-MhtRedir.gen.

Justification
JS/Exploit-DialogArg.b and Exploit-MhtRedir.gen have been deemed Low-Profiled due to Media Attention at http://news.com.com/Pop-up+toolbar+spreads+via+IE+flaws/2100-1002_3-5229707.html?tag=nefd.top. These threats are referred to as [two Microsoft Internet Explorer security flaws].

Read About It
Information about JS/Exploit-DialogArg.b and Exploit-MhtRedir.gen is located on VIL at: http://vil.nai.com/vil/content/v_126241.htm and http://vil.nai.com/vil/content/v_101033.htm

Detection
These new JS/Exploit-DialogArg.b and Exploit-MhtRedir.gen variants were first discovered on 06/06/2004 and detection will be added to the 4366 dat files (Release Date: 06/16/2004). Though we consider these a low threat, AVERT has posted an extra.dat as part of the above descriptions for your convenience.

If you suspect you have JS/Exploit-DialogArg.b or Exploit-MhtRedir.gen, please submit a sample to http://www.webimmune.net.

PE_ZAFI.B
by Marianna Schmudlach / June 10, 2004 11:14 AM PDT
