VIRUS ALERTS - June 30, 2005

W32/Gatina-A

Aliases: Email-Worm.Win32.Gatina.a, W32/Namuki, W32.Filukin.A@mm
Type: Worm

W32/Gatina-A is an email and network worm.
The emails sent by the worm have forged "From:" addresses and the following characteristics:
Subject line:
FILIPINO'S SECRETS
LYRICS OF BAMBOO AND OTHER BOY BAND
Philippines Government Top Secret
New Virus Information
Ukinnam Virus Information
Message text:
Hi! Look the Attach Document for more details about FILIPINOS...
HOY! PINOY AKO! BUO AKING LOOB MAY AGIMAT AKO... FOR MORE LYRICS CHECK THE ATTACH FILE...
The Government of the Philippines revealed the truth. For more information please read the Attach file...
Please read the attach file for more information about computer virus...
If your computer has been infected by Ukinnam Virus. Open the attach file and follow the instruction to remove the virus..
Attached file:
README.DOC.exe
INFO.DOC.exe
TAETAE.TXT.exe
DATA.DOC.exe

http://www.sophos.com/virusinfo/analyses/w32gatinaa.html

Troj/ServU-AZ

Type: Trojan

Troj/ServU-AZ is a hacked version of a commercial FTP server application.
By default, the Trojan runs an FTP server on port 43958.
When run Troj/ServU-AZ creates the following files:
libeay32.dll
logusr.dll
perfv009.dll
ssleay32.dll
These files may be deleted.

http://www.sophos.com/virusinfo/analyses/trojservuaz.html

Troj/Dloader-PO

Aliases: Downloader-ABG, Trojan-Downloader.Win32.Small.avs
Type: Trojan

Troj/Dloader-PO is a downloader Trojan which will download, install and run new software without notification that it is doing so.
Troj/Dloader-PO includes functionality to inject its code into the web browser process.

http://www.sophos.com/virusinfo/analyses/trojdloaderpo.html

W32/Sdbot-ZW

Aliases: Backdoor.Win32.SdBot.xd, WORM_SDBOT.BJE
Type: Worm

W32/Sdbot-ZW is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-ZW spreads to other network computers infected with: LSASS (MS04-011), RPC-DCOM (MS04-012) and MSSQL (MS02-039) and by copying itself to network shares protected by weak passwords.
W32/Sdbot-ZW runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Sdbot-ZW includes functionality to:
- change browser settings
- provide a proxy server
- silently download, install and run new software, including updates of its software
- change security settings
- stealth its processes and services
When first run W32/Sdbot-ZW copies itself to <Windows>\pwnsvc.exe.
When run W32/Sdbot-ZW may drop a file to <System>\rdriv.sys, which is detected as Troj/Rootkit-W.
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-ZW can be obtained from the Microsoft website:
MS04-011
MS04-012
MS02-039

http://www.sophos.com/virusinfo/analyses/w32sdbotzw.html

Troj/Lineage-V

W32/ParaDrop-A

Aliases: Trojan-Dropper.Win32.Paradrop.a, W32/Polybot.dr, PE_AGOBOT.AQM
Type: Worm

W32/ParaDrop-A is a multi-component network worm.
W32/ParaDrop-A drops two files to the Windows system folder, scvhost.exe and iexplore.exe. Scvhost.exe is a member of the W32/Agobot family of worms and iexplore.exe is a member of the W32/Poebot family of network worms, and it is this latter file that spreads W32/ParaDrop-A to network shares with weak passwords and via network security exploits.

http://www.sophos.com/virusinfo/analyses/w32paradropa.html

Troj/Multidr-DR

W32/Kelvir-BR

Troj/QQRob-E

Aliases: Trojan-PSW.Win32.QQRob.e
Type: Trojan

Troj/QQRob-E is a password-stealing Trojan.
Troj/QQRob-E will attempt to email out stolen details.
Troj/QQRob-E will attempt to close the windows of a number of anti-virus and security-related applications.
Troj/QQRob-E will attempt to disable the Windows Security Center, and set the startup type of a number of anti-virus and security-related services to disabled.

http://www.sophos.com/virusinfo/analyses/trojqqrobe.html

Troj/LdPinch-BF

Troj/Progent-A

Aliases: Trojan-Spy.Win32.ProAgent.h, BackDoor-AVW, PWS-Progent.dll
Type: Trojan

Troj/Progent-A is a backdoor Trojan for the Windows platform.
When first run, the Trojan displays the following message box:
Error
No Theme Editor 6600 In Your Computer
Troj/Progent-A includes functionality to:
- access the internet and communicate with a remote server via HTTP
- steal information and passwords from a number of games and applications
- send notification messages to remote locations
- log key presses

http://www.sophos.com/virusinfo/analyses/trojprogenta.html

W32/Rbot-AGQ

Type: Worm

W32/Rbot-AGQ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AGQ spreads by copying itself to network shares protected by weak passwords.
W32/Rbot-AGQ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-AGQ includes functionality to:
- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software, including updates of its software

http://www.sophos.com/virusinfo/analyses/w32rbotagq.html

Troj/Dloader-PQ

Troj/MiniDl-B

Troj/Dloader-PP

Troj/StartPa-ZY

Aliases: TROJ_STARTPAG.SB, Trojan.Win32.StartPage.zy
Type: Trojan

Troj/StartPa-ZY is a Trojan for the Windows platform.
Troj/StartPa-ZY includes functionality to access the internet and communicate with a remote server via HTTP.
Troj/StartPa-ZY changes the Start Page for Microsoft Internet Explorer.

http://www.sophos.com/virusinfo/analyses/trojstartpazy.html

Troj/Bancb-Fam

Troj/Banca-Fam

W32/Mytob-CT

Aliases: Net-Worm.Win32.Mytob.gen
Type: Worm

W32/Mytob-CT is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-CT can spread by sending itself as an email attachment to email addresses it harvests from the infected computer, either as an attachment with a double-extension or as a zip file containing a file with a double-extension. W32/Mytob-CT avoids sending emails to addresses containing certain strings in them.
W32/Mytob-CT processes the emails it has harvested by splitting them into name and domain. Once it has sent itself to the emails it has harvested, it uses a predefined list of names with the harvested domains. W32/Mytob-CT spoofs the sender, sending emails as if from one of the following at the same domain as the recipient:
support
administrator
mail
service
admin
info
register
webmaster
For example, if sending itself to name@example.com, W32/Mytob-CT might send the email as if from admin@example.com.
Emails sent by the worm have characteristics from the following:
Subject line:
Notice: **Last Warning**

MORE: http://www.sophos.com/virusinfo/analyses/w32mytobct.html

W32/Mytob-CR

Aliases: W32/Mytob.gen@MM
Type: Worm

W32/Mytob-CR is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-CR can spread by sending itself as an email attachment to email addresses it harvests from the infected computer, either as an attachment with a double-extension or as a zip file containing a file with a double-extension. W32/Mytob-CR avoids sending emails to addresses containing certain strings in them.
W32/Mytob-CR processes the emails it has harvested by splitting them into name and domain. Once it has sent itself to the emails it has harvested, it uses a predefined list of names with the harvested domains. W32/Mytob-CR spoofs the sender, sending emails as if from one of the following at the same domain as the recipient:
support
administrator
mail
service
admin
info
register
webmaster
For example, if sending itself to name@example.com, W32/Mytob-CR might send the email as if from admin@example.com.
Emails sent by the worm have characteristics from the following:
Subject line:
Your password has been updated

MORE: http://www.sophos.com/virusinfo/analyses/w32mytobcr.html
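A defender-side mail triage check for the three mass-mailer traits described in this thread: the double-extension attachment names listed for W32/Gatina-A, and the forged same-domain senders and subject lines of W32/Mytob-CT and W32/Mytob-CR. This is an example added here, not code from the posts or from Sophos; the sample message, the indicator names and the extension sets beyond the .DOC.exe / .TXT.exe names on the page are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
# Local-parts that W32/Mytob-CT and W32/Mytob-CR forge at the recipient's own domain.
MYTOB_SPOOFED_SENDERS = {"support", "administrator", "mail", "service",
                         "admin", "info", "register", "webmaster"}
# Subject lines quoted for W32/Gatina-A, W32/Mytob-CT and W32/Mytob-CR (lower-cased).
KNOWN_SUBJECTS = {"filipino's secrets", "lyrics of bamboo and other boy band",
                  "philippines government top secret", "new virus information",
                  "ukinnam virus information", "notice: **last warning**",
                  "your password has been updated"}
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com"}  # assumption: wider than the .exe names on the page
DOCUMENT_EXTS = {"doc", "txt", "pdf", "htm", "html", "jpg", "gif"}  # assumption, same reason

def has_double_extension(filename):
    """True for names like README.DOC.exe: a document extension hiding an executable."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS
def triage(raw_message):
    """Return the indicator names that fire for one RFC 822 message, in a fixed order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    s_local, _, s_domain = sender.lower().rpartition("@")
    r_domain = recipient.lower().rpartition("@")[2]
    # Mytob trait: 'admin', 'support', ... forged at the same domain as the recipient.
    if s_local in MYTOB_SPOOFED_SENDERS and s_domain and s_domain == r_domain:
        hits.append("spoofed-same-domain-sender")
    if msg.get("Subject", "").strip().lower() in KNOWN_SUBJECTS:
        hits.append("known-worm-subject")
    # Gatina/Mytob trait: attachment named like INFO.DOC.exe (zip contents not opened here).
    if any(has_double_extension(p.get_filename() or "") for p in msg.iter_attachments()):
        hits.append("double-extension-attachment")
    return hits

# Constructed sample: Mytob-CT subject, forged same-domain sender, Gatina-style attachment name.
SAMPLE_MESSAGE = """\
From: admin@example.com
To: name@example.com
Subject: Notice: **Last Warning**
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="README.DOC.exe"

TVo=
--b1--
"""
```

Attachments inside a zip are not inspected by this check; a gateway filter would need to list the archive's members and pass each name to has_double_extension.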

Troj/Ranck-CR

Troj/DownLdr-F

Aliases: Trojan-Downloader.Win32.Small.avt, Downloader-ABK
Type: Trojan

Troj/DownLdr-F is a downloader Trojan for the Windows platform.
Troj/DownLdr-F includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojdownldrf.html

W32/Tirbot-H

Aliases: W32/Sdbot.worm.gen.d
Type: Worm

W32/Tirbot-H is a network worm with backdoor Trojan functionality.
W32/Tirbot-H runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access to and control over the computer via IRC channels.
W32/Tirbot-H spreads to unprotected network shares.

http://www.sophos.com/virusinfo/analyses/w32tirboth.html

Troj/DSSDoor-C

Aliases: Trojan.Win32.Pakes
Type: Trojan

Troj/DSSDoor-C is a backdoor Trojan.
Troj/DSSDoor-C includes functionality to access the internet and communicate with a remote server via HTTP.
Troj/DSSDoor-C will attempt to download encrypted data from a number of predefined websites. The Trojan may then attempt to download and install further executable files.

http://www.sophos.com/virusinfo/analyses/trojdssdoorc.html

Troj/Bancor-A

Aliases: Trojan-Spy.Win32.Bancos.ha, PWS-Banker.gen.l, PWSteal.Bancos
Type: Trojan

Troj/Bancor-A is a password-stealing Trojan for the Windows platform.
Troj/Bancor-A monitors internet browsing in an attempt to steal confidential details for certain online banking applications. The Trojan can send stolen details to a remote email address.

http://www.sophos.com/virusinfo/analyses/trojbancora.html

Troj/Gpcode-C

Aliases: Virus.Win32.Gpcode.e, Trojan.Gpcoder.C
Type: Trojan

Troj/Gpcode-C is a Trojan for the Windows platform.
Troj/Gpcode-C maliciously encrypts data files and then attempts to extort money in return for an offer of the decoder.

http://www.sophos.com/virusinfo/analyses/trojgpcodec.html

W32/Codbot-Gen

Type: Worm

Sophos Anti-Virus products detect members of the W32/Codbot family of worms as W32/Codbot-Gen.
Worms detected as W32/Codbot-Gen provide backdoor Trojan functionality to a remote attacker via IRC channels. Such worms may spread to remote network shares with weak passwords in response to a command from a remote attacker.
Members of the W32/Codbot family typically attempt to exploit vulnerabilities, such as the LSASS vulnerability (MS04-011).

http://www.sophos.com/virusinfo/analyses/w32codbotgen.html

Troj/Borobt-Gen

Type: Trojan

Sophos Anti-Virus products detect members of the Troj/Borobot family of Trojans as Troj/Borobt-Gen.
Members of the Troj/Borobot family allow unauthorised remote access to the computer via a network and may download and execute files from remote websites if instructed to do so.

http://www.sophos.com/virusinfo/analyses/trojborobtgen.html
