Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - March 18, 2005

by Marianna Schmudlach / March 18, 2005 12:12 AM PST

W32/Rbot-YO
Summary

Type Worm

W32/Rbot-YO is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.
The worm spreads to network shares with weak passwords and also by using the LSASS security exploit (MS04-011) and the RPC-DCOM security exploit (MS03-039).
Once installed, W32/Rbot-YO will attempt to participate in denial of service (DoS) attacks, download and run files from the internet, steal CD keys, log keystrokes and login to MS SQL servers and send EXEC commands to open a command shell when instructed to do so by a remote attacker.

http://www.sophos.com/virusinfo/analyses/w32rbotyo.html

Troj/StartPa-FG
by Marianna Schmudlach / March 18, 2005 12:15 AM PST
Troj/Small-DP
by Marianna Schmudlach / March 18, 2005 12:16 AM PST

Aliases TROJ_SMALL.ACZ
Trojan-Downloader.Win32.Small.aoa

Type Trojan

Troj/Small-DP is a Trojan downloader for the Windows platform.
In order to stealth itself, the Trojan also attempts to inject itself into the Windows Explorer process.

http://www.sophos.com/virusinfo/analyses/trojsmalldp.html

W32/Baba-E
by Marianna Schmudlach / March 18, 2005 12:18 AM PST

Aliases W32/Buchon.l
WORM_BUCHON.E

Type Worm

W32/Baba-E is a mass-mailing worm.
W32/Baba-E will also copy itself to any folder with the word "shar" or "pub" in its name using the name "winamp_6_full_emusic-plus.exe" and create a harmless text file C:\csrss.bin.

http://www.sophos.com/virusinfo/analyses/w32babae.html

Troj/Dloader-JP
by Marianna Schmudlach / March 18, 2005 12:20 AM PST

Type Trojan

Troj/Dloader-JP is a downloader for the Windows platform.
Troj/Dloader-JP will attempt to download and execute files from http://xawm.biz. The Trojan will also drop the following files:
<Windows system folder>\spoolsrv32.exe (detected as Troj/Dloader-JP)
<Windows system folder>\ssrpcsrv32.dll
<Windows system folder>\stxfdb32.dll
<Windows folder>\Web\desktop.html (harmless adware file)

http://www.sophos.com/virusinfo/analyses/trojdloaderjp.html

W32/Rbot-YM
by Marianna Schmudlach / March 18, 2005 12:21 AM PST

Aliases Backdoor.Win32.Rbot.gen

Type Worm

W32/Rbot-YM is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-YM copies itself to the Windows system folder as mcafee32.exe and creates entries in the registry to run itself on system startup.

http://www.sophos.com/virusinfo/analyses/w32rbotym.html

Troj/Multidr-MI
by Marianna Schmudlach / March 18, 2005 12:23 AM PST

Aliases MultiDropper-MI
W32/Downloader.ABS

Type Trojan

Troj/Multidr-MI is a dropper Trojan.
Troj/Multidr-MI will drop and run files detected as Troj/Dloader-HO, Troj/Istbar-AL, Troj/Small-CN and W32/Rbot-TY.
The Trojan will also drop and run adware.

http://www.sophos.com/virusinfo/analyses/trojmultidrmi.html

Troj/AdClick-AL
by Marianna Schmudlach / March 18, 2005 12:25 AM PST
Troj/Bancos-BR
by Marianna Schmudlach / March 18, 2005 12:27 AM PST

Aliases TROJ_BANCOS.QG
Trojan-Spy.Win32.Bancos.cr

Type Trojan

Troj/Bancos-BR is a password stealing Trojan for the Windows platform that targets customers of Brazilian banks.
Troj/Bancos-BR monitors a user's internet access, and when certain internet banking sites are visited, the Trojan will display a fake login screen in order to trick the user into inputting their details.

http://www.sophos.com/virusinfo/analyses/trojbancosbr.html

Troj/Dropper-AC
by Marianna Schmudlach / March 18, 2005 12:28 AM PST
Troj/HideDial-D
by Marianna Schmudlach / March 18, 2005 12:30 AM PST

Aliases Trojan-Downloader.Win32.Tibser.c
Trojan.Downloader.Tibser-3

Type Trojan

Troj/HideDial-D is a dialler-related Trojan.
Troj/HideDial-D drops and runs a dialler (detected by Sophos as Dial/Tibsys-A) which attempts to connect to a premium-rate phone number for pornographic material. The Trojan runs in the background and attempts to conceal the dialler application by hiding windows that the dialler would usually display.

http://www.sophos.com/virusinfo/analyses/trojhidediald.html

Dial/XXXDial-H
by Marianna Schmudlach / March 18, 2005 12:31 AM PST
Dial/Switch-D
by Marianna Schmudlach / March 18, 2005 12:33 AM PST

Aliases Trojan-Downloader.Win32.Delf.kb; application

Type Trojan

Dial/Switch-D is a premium rate porn dialler. When the dialler is installed it may attempt to dial premium rate services without the knowledge of the user.
Dial/Switch-D will attempt to reduce security levels and lock down control of Internet Explorer and Netscape.

http://www.sophos.com/virusinfo/analyses/dialswitchd.html

W32/Chode-A
by Marianna Schmudlach / March 18, 2005 12:35 AM PST

Aliases W32/NoChod@MM
WORM_CHOD.A

Type Worm

W32/Chode-A is a complex worm with backdoor functionality for the Windows platform.
The worm spreads by emailing itself to email addresses harvested from the infected computer, using its own SMTP engine, and to IM contacts using MSN Instant Messenger.
W32/Chode-A also copies itself to the shared folders of popular peer-to-peer (P2P) file sharing utilities.

http://www.sophos.com/virusinfo/analyses/w32chodea.html

Troj/DelShare-K
by Marianna Schmudlach / March 18, 2005 12:36 AM PST
Troj/Bdoor-FD
by Marianna Schmudlach / March 18, 2005 12:38 AM PST
Troj/Cyberno-A
by Marianna Schmudlach / March 18, 2005 12:40 AM PST

Type Trojan

Troj/Cyberno-A is a Trojan for the Windows platform.
Troj/Cyberno-A deletes files with extensions MP3 and COM. This will prevent NT-based versions of Windows (NT, 2000, XP) from starting up.
The Trojan then runs every time a program is executed on the infected computer, preventing any EXE files from running and displaying an abusive image instead.

http://www.sophos.com/virusinfo/analyses/trojcybernoa.html

W32/Rbot-YN
by Marianna Schmudlach / March 18, 2005 3:01 AM PST

Type Worm

W32/Rbot-YN is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-YN may spread to remote network shares protected by weak passwords and computers vulnerable to common exploits. The worm also opens up a backdoor, allowing unauthorised remote access to infected computers via the IRC network, while running in the background as a service process. The worm exploits the following vulnerabilities: RPC-DCOM (MS04-012) and LSASS (MS04-011).
W32/Rbot-YN can receive commands from a remote intruder to delete network shares, log keypresses, participate in DDoS attacks, scan other computers for vulnerabilities, steal passwords, steal registration keys for computer games, create administrator accounts, terminate firewall and anti-virus processes and capture video from webcameras attached to the computer.

http://www.sophos.com/virusinfo/analyses/w32rbotyn.html

Troj/Banker-BO
by Marianna Schmudlach / March 18, 2005 3:03 AM PST

Aliases TROJ_BANKER.FU

Type Trojan

Troj/Banker-BO is a password stealing Trojan for the Windows platform that targets particular online banking sites.
Running in the background, Troj/Banker-BO monitors a user's internet access to certain banking websites in an attempt to log user activity and send the stolen details to a predefined remote location.

http://www.sophos.com/virusinfo/analyses/trojbankerbo.html

Troj/Haxdoor-AE
by Marianna Schmudlach / March 18, 2005 3:05 AM PST
Dial/XXXDial-G
by Marianna Schmudlach / March 18, 2005 3:07 AM PST
Troj/Multidr-CO
by Marianna Schmudlach / March 18, 2005 3:08 AM PST

Aliases Trojan-Dropper.Win32.Joiner.aj
BackDoor-CEO

Type Trojan

Troj/Multidr-CO is a dropper Trojan for the Windows platform.
Once executed Troj/Multidr-CO extracts to the TEMP folder and runs IEHarvester.exe and upd1.exe files.
For more information see Troj/Banker-BO and Troj/Haxdoor-AE respectively.

http://www.sophos.com/virusinfo/analyses/trojmultidrco.html

Troj/LdPinch-AR
by Marianna Schmudlach / March 18, 2005 3:10 AM PST

Type Trojan

Troj/LdPinch-AR is a password-stealing and downloader Trojan for the Windows platform.
Troj/LdPinch-AR is capable of stealing information that includes the following:
Computer details
POP3 and IMAP email server information, usernames and passwords
FTP usernames and passwords
Protected Storage area passwords, used by applications such as MS Wallet
Details from a number of applications including ICQ, Trillian, AIM, Far FTP, Windows Commander, Total Commander, Cute FTP, WS FTP and The Bat!
Troj/LdPinch-AR downloads and executes the Troj/Multidr-CO dropper Trojan with the filename spec.exe from a predefined web location.

http://www.sophos.com/virusinfo/analyses/trojldpinchar.html

W32/Rbot-YZ
by Marianna Schmudlach / March 18, 2005 3:11 AM PST

Aliases Backdoor.Win32.Rbot.fa
W32/Gaobot.worm.gen.t
WORM_SPYBOT.NH

Type Worm

W32/Rbot-YZ is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-YZ spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
Patches for the operating system vulnerabilities exploited by W32/Rbot-YZ can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotyz.html

Troj/IPCScan-B
by Marianna Schmudlach / March 18, 2005 3:13 AM PST

Type Trojan

Sophos detected, as Troj/IPCScan-B, a tool for finding insecure IPC shares on remote machines.
The tool scans a specified hostname or IP address for accessible IPC shares, and can try common passwords stored in a separate file. However, the tool does not attempt to run without the user's knowledge and so detection has been removed.

http://www.sophos.com/virusinfo/analyses/trojipcscanb.html

W32/Poebot-K
by Marianna Schmudlach / March 18, 2005 6:29 AM PST

Aliases Backdoor.Win32.PoeBot.b; W32/Spybot.HYD

Type Worm

W32/Poebot-K is a network worm with backdoor functionality for the Windows platform.
W32/Poebot-K may spread to remote network shares protected by weak passwords and computers vulnerable to common exploits, including RPC-DCOM (MS04-012), LSASS (MS04-011), WebDav (MS03-007) and NTPass.
W32/Poebot-K contains backdoor functionality allowing unauthorised remote access to infected computers via IRC channels while running in the background. The worm may also steal Internet Explorer and email passwords from users of the infected computer.

http://www.sophos.com/virusinfo/analyses/w32poebotk.html

VBS/LoveLet-AA
by Marianna Schmudlach / March 18, 2005 6:31 AM PST

Aliases VBS/Gorum.gen@MM
VBS_LOVELETTER.A
VBS.LoveLetter.D

Type Worm

VBS/LoveLet-AA is a mass-mailing worm.
VBS/LoveLet-AA attempts to send itself as an email attachment to contacts in the Outlook Express address book. The worm is sent with filename LOVE-LETTER-FOR-YOU.TXT.VBS, with subject line "ILOVEYOU" and message text "kindly check the attached LOVELETTER coming from me."
VBS/LoveLet-AA may create a SCRIPT.INI file, also detected as VBS/LoveLet-A, designed to send the worm to other users who join the same mIRC channel.
VBS/LoveLet-AA overwrites or deletes files with certain extensions.
VBS/LoveLet-AA may change the Internet Explorer Start Page to point to an EXE file at a randomly chosen web address.

http://www.sophos.com/virusinfo/analyses/vbsloveletaa.html

W32/Rbot-YQ
by Marianna Schmudlach / March 18, 2005 6:35 AM PST

Type Worm

W32/Rbot-YQ is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-YQ may spread to remote network shares protected by weak passwords and computers vulnerable to common exploits. The worm also opens up a backdoor, allowing unauthorised remote access to infected computers via the IRC network, while running in the background as a service process.
The worm exploits the following vulnerabilities:
RPC-DCOM (MS04-012)
LSASS (MS04-011)
W32/Rbot-YQ can receive commands from a remote intruder to delete network shares, log keypresses, participate in DDoS attacks, scan other computers for vulnerabilities, steal passwords, steal registration keys for computer games, create administrator accounts, terminate firewall and anti-virus processes and capture video from webcameras attached to the computer.

http://www.sophos.com/virusinfo/analyses/w32rbotyq.html

Troj/Dumaru-AT
by Marianna Schmudlach / March 18, 2005 6:36 AM PST

Aliases Backdoor.Win32.Dumador.at

Type Trojan

Troj/Dumaru-AT is a Trojan for the Windows platform that provides backdoor access and control over the computer and sends confidential information to a remote location.
Troj/Dumaru-AT gathers clipboard data, window text, cached passwords and confidential information from the system registry, including data stored related to Webmoney, Far Manager, Total Commander FTP and The Bat! email client.

http://www.sophos.com/virusinfo/analyses/trojdumaruat.html

W32/Sdbot-VZ
by Marianna Schmudlach / March 18, 2005 6:38 AM PST

Aliases Backdoor.Win32.Rbot.gen
W32/Sdbot.worm.gen.m
WORM_RBOT.AUQ

Type Worm

W32/Sdbot-VZ is a network worm with backdoor functionality which runs in the background as a service process and allows unauthorised remote access to the computer via IRC channels.
When executed W32/Sdbot-VZ copies itself to the Windows System32 folder with the filename CorelDraw.exe and sets registry entries to run automatically every time the computer restarts.

http://www.sophos.com/virusinfo/analyses/w32sdbotvz.html

W32/Rbot-YR
by Marianna Schmudlach / March 18, 2005 6:40 AM PST

Aliases W32/Sdbot.worm.gen.h

Type Worm

W32/Rbot-YR is a worm which attempts to spread to remote network shares. It also contains backdoor functionality, allowing unauthorised remote access to the infected computer while running in the background as a service process.
W32/Rbot-YR copies itself to the Windows System32 folder as tasksetup.exe and creates entries in the registry to run itself on system startup.

http://www.sophos.com/virusinfo/analyses/w32rbotyr.html
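Several of the alerts in this thread describe the same persistence pattern: the sample copies itself into the Windows system folder under a plausible-looking name (mcafee32.exe, CorelDraw.exe, tasksetup.exe, spoolsrv32.exe) and adds a registry entry so it runs at startup, while W32/Baba-E and VBS/LoveLet-AA rely on files dropped into shared folders or on a double extension such as LOVE-LETTER-FOR-YOU.TXT.VBS. The following Python is an added example from the editor, not code from the thread or from Sophos. It parses a .reg export of the Run keys and a file listing and flags the artifacts named in these posts plus the general double-extension disguise. The flagged file names come from the alerts above; the registry value names, directory paths, invoice.pdf.exe and setup.txt.exe in the sample data are constructed for the demonstration.

```python
import re
from pathlib import PureWindowsPath

# File names quoted in the 18 March 2005 alerts (W32/Rbot-YM, W32/Sdbot-VZ,
# W32/Rbot-YR, Troj/Dloader-JP, W32/Baba-E, VBS/LoveLet-AA). Compared lower-case.
DROPPED_NAMES = {
    "mcafee32.exe", "coreldraw.exe", "tasksetup.exe",
    "spoolsrv32.exe", "ssrpcsrv32.dll", "stxfdb32.dll",
    "winamp_6_full_emusic-plus.exe", "csrss.bin",
    "love-letter-for-you.txt.vbs",
}

# Autorun keys the worms write "to run itself on system startup" (lower-case).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".dll"}


def parse_reg_export(text):
    """Parse a Windows .reg export into {key_path: {value_name: data}}.
    Only string values ("name"="data") are kept; hex/dword values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line) or re.match(r'^(@)="(.*)"$', line)
        if m and current is not None:
            # .reg files escape backslash and double quote; undo that.
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1)] = data
    return keys


def command_image(data):
    """Return the executable path from a Run value, dropping quotes and arguments.
    Unquoted paths containing spaces are read token by token until one ends in
    an executable extension."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    acc = []
    for tok in data.split():
        acc.append(tok)
        if PureWindowsPath(tok).suffix.lower() in EXEC_EXTS:
            return " ".join(acc)
    return acc[0] if acc else ""


def is_double_extension(name):
    """True for names like LOVE-LETTER-FOR-YOU.TXT.VBS: a non-executable
    extension immediately followed by an executable one."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    return (len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS
            and suffixes[-2] not in EXEC_EXTS)


def find_autorun_iocs(reg_text):
    """Return (key, value_name, image_path, reason) for suspicious Run entries."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            image = command_image(data)
            base = PureWindowsPath(image).name.lower()
            if base in DROPPED_NAMES:
                hits.append((key, name, image, "filename named in 2005-03-18 alerts"))
            elif is_double_extension(base):
                hits.append((key, name, image, "double extension"))
    return hits


def scan_paths(paths):
    """Flag listed files whose name is on the alert list, or that carry a double
    extension inside a folder whose name contains "shar" or "pub" (the folders
    W32/Baba-E copies itself into)."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        base = wp.name.lower()
        shared = any("shar" in part.lower() or "pub" in part.lower()
                     for part in wp.parts[:-1])
        if base in DROPPED_NAMES:
            hits.append((p, "filename named in 2005-03-18 alerts"))
        elif shared and is_double_extension(base):
            hits.append((p, "double extension in shared folder"))
    return hits


# Constructed sample data: value names, paths, invoice.pdf.exe and setup.txt.exe
# are made up; the other flagged file names come from the alerts.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Microsoft Update"="mcafee32.exe"
"Corel Graphics"="C:\\WINDOWS\\System32\\CorelDraw.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Task Setup"="\"C:\\WINDOWS\\System32\\tasksetup.exe\" /silent"
"Spooler"="C:\\WINDOWS\\system32\\spoolsrv32.exe"
"Notes"="C:\\Documents and Settings\\user\\LOVE-LETTER-FOR-YOU.TXT.VBS"
"Reader"="C:\\Temp\\invoice.pdf.exe"
'''

SAMPLE_PATHS = [
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\Shared Files\winamp_6_full_emusic-plus.exe",
    r"C:\csrss.bin",
    r"C:\Program Files\Kazaa\My Shared Folder\setup.txt.exe",
    r"C:\Documents and Settings\user\report.txt",
]

if __name__ == "__main__":
    for hit in find_autorun_iocs(SAMPLE_REG) + scan_paths(SAMPLE_PATHS):
        print(hit)
```

On a live machine the input for `find_autorun_iocs` is what `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKCU equivalent) writes out, and `scan_paths` can be fed the output of `os.walk` over the system and shared folders. Matching on the image name alone is deliberately narrow: it catches the specific names these alerts give, while the double-extension check covers the disguise technique independent of any particular sample.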
