
VIRUS ALERTS - March 2, 2007

WORM_RINBOT.F

Alert ID : FrSIRT/ALRT-2007-01469
Aliases : N/A
Size : 213504 bytes
Rated as : Low Risk
Release Date : 2007-03-02


Description

This worm propagates via network shares. It does the said routine by dropping a copy of itself in the IPC$ folder, which is a default share.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RINBOT.F

Credits

Reported by Trend Micro

W32/Sdbot.worm!678b37ba

Alert ID : FrSIRT/ALRT-2007-01474
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2007-03-02


Description

W32/Sdbot.worm!678b37ba is an internet relay chat controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam, install adware or launch a DDoS attack on internet systems. There are multiple versions of the W32/Sdbot family of worms that use IRC (Internet Relay Chat) as a command and control mechanism.

References

http://vil.nai.com/vil/content/v_141606.htm

Credits

Reported by McAfee

W32/Rbot-GDC

W32/Rbot-GDD

W32/Delbot-N

Troj/IRCFlood-N

Type Trojan

Aliases Backdoor.Win32.mIRC-based

Troj/IRCFlood-N is a Trojan for the Windows platform.

Troj/IRCFlood-N uses a legitimate IRC-client program to connect to a remote server.

Troj/IRCFlood-N downloads data from the remote server to send spam emails.

http://www.sophos.com/security/analyses/trojircfloodn.html

W32/Rbot-GHG

Type Worm

Aliases Backdoor.Win32.Rbot.gen

W32/Rbot-GHG is a network worm with IRC backdoor functionality for the Windows platform.

W32/Rbot-GHG spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC (MS06-040), ASN.1 (MS04-007) and Symantec (SYM06-010) and by copying itself to network shares protected by weak passwords.

http://www.sophos.com/security/analyses/w32rbotghg.html

Troj/Banloa-BD

W32/Rbot-GHF

Type Spyware Worm

W32/Rbot-GHF is a network worm with IRC backdoor functionality for the Windows platform.

When first run, W32/Rbot-GHF copies itself to <System>\msnmsgsr.exe and creates the file \a.bat.

The file a.bat is detected as Troj/Batten-A.

http://www.sophos.com/security/analyses/w32rbotghf.html

Troj/Cimuz-BX

Troj/PWS-AHU

Troj/Ezibot-B

Type Spyware Trojan

Aliases Backdoor.Win32.Agent.aec

Troj/Ezibot-B is a Trojan for the Windows platform.

The Trojan allows a remote user to access the infected computer and perform actions including stealing personal information, keylogging, shutting down the computer, and downloading and executing remote files.

http://www.sophos.com/security/analyses/trojezibotb.html

Troj/Cimuz-BY

Troj/Banker-EAL

Troj/Banker-EAN

Troj/Zapchas-CZ

Type Trojan

Troj/Zapchas-CZ is a Trojan for the Windows platform.

Troj/Zapchas-CZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

Troj/Zapchas-CZ includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/security/analyses/trojzapchascz.html

Troj/Dloadr-AUK

Troj/Backdr-I

Troj/Banker-EAO

Troj/WowPWS-AS

Troj/Banker-EAM

Troj/BankDL-BX

Troj/Crybot-G

Troj/QQRob-ACX

Troj/Banloa-BBY

Troj/Dloadr-AUM

VBS/DownLdr-A

Mal/Cimuz-C

Mal/Behav-099

W32/HLLP.Philis.gy

Description:
W32/HLLP.Philis.gy is a file infecting virus. It searches for executable files on the infected machine to prepend its viral code and due to a bug in virus code it may corrupt the executables. It is also responsible for dropping a .DLL file, which dow...

http://vil.nai.com/vil/content/v_141607.htm

W32/HLLP.Philis.gz

Description:
W32/HLLP.Philis.gz is a file infecting virus. It searches for executable files on the infected machine to prepend its viral code and due to a bug in virus code it may corrupt the executables. It is also responsible for dropping a .DLL file, which dow...

http://vil.nai.com/vil/content/v_141608.htm

CNET Forums