Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - March 7, 2005

by Marianna Schmudlach / March 7, 2005 12:11 AM PST

W32/Forbot-ER
Summary

Aliases: Backdoor.Win32.Wootbot.u

Type: Worm

W32/Forbot-ER is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels.
W32/Forbot-ER spreads to unpatched computers affected by the LSASS security exploit (MS04-011).

http://www.sophos.com/virusinfo/analyses/w32forboter.html

Troj/Prutec-B
by Marianna Schmudlach / March 7, 2005 12:14 AM PST

Type: Trojan

Troj/Prutec-B is a password stealing Trojan.
Troj/Prutec-B will search for anti-virus and anti-spyware applications and may terminate them.
The Trojan will then look at running applications and attempt to eavesdrop on passwords entered into them.

http://www.sophos.com/virusinfo/analyses/trojprutecb.html

Troj/Prutec-C
by Marianna Schmudlach / March 7, 2005 12:16 AM PST
Troj/Agent-CJ
by Marianna Schmudlach / March 7, 2005 12:18 AM PST
W32/Aimdes-A
by Marianna Schmudlach / March 7, 2005 12:20 AM PST

Aliases: IM-Worm.Win32.Aimes.a, W32/AimDes.worm, WORM_AIMDES.A

Type: Worm

W32/Aimdes-A is a worm for the Windows platform that attempts to spread via AOL instant messenger.
W32/Aimdes-A may arrive in an email with the following characteristics:
From: spoofed
Subject line: "Service Pack 2 BUG!!"
Message body: "Dear user I have been informed that there was a BUG in Windows Service Pack 2 which was fixed I recommend you to download this Patch version which will fix the bug and keep your system safe."
Attachment: C:\Fix_SP2.zip
Also W32/Aimdes-A searches for the A drive in an attempt to copy itself with the filename homework.exe.

http://www.sophos.com/virusinfo/analyses/w32aimdesa.html

W32/Kelvir-C
by Marianna Schmudlach / March 7, 2005 12:21 AM PST

Aliases: IM-Worm.Win32.Kelvir.b

Type: Worm

W32/Kelvir-C is an instant messaging worm that spreads by sending a message through Windows Messenger to all of an infected user's contacts.
W32/Kelvir-C arrives as an attachment called omf.pif in a message that encourages the recipient to visit a web page to download an update and reads:
<URL> lol! seeit! u'll like it
W32/Kelvir-C also attempts to download a file named ME.JPG from a remote website. At the time of writing the site was unavailable.

http://www.sophos.com/virusinfo/analyses/w32kelvirc.html

W32/Sumom-A
by Marianna Schmudlach / March 7, 2005 12:23 AM PST
W32/Rbot-WZ
by Marianna Schmudlach / March 7, 2005 12:25 AM PST

Aliases: Backdoor.Win32.Rbot.gen

Type: Worm

W32/Rbot-WZ is a worm with backdoor Trojan functionality.
W32/Rbot-WZ is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.
W32/Rbot-WZ will attempt to terminate a number of anti-virus and security related applications, along with other malware.

http://www.sophos.com/virusinfo/analyses/w32rbotwz.html

Troj/Dowcen-A
by Marianna Schmudlach / March 7, 2005 12:27 AM PST
Troj/Dowins-A
by Marianna Schmudlach / March 7, 2005 12:28 AM PST
Troj/Wallop-A
by Marianna Schmudlach / March 7, 2005 12:30 AM PST
Troj/LowZone-R
by Marianna Schmudlach / March 7, 2005 12:31 AM PST
Troj/StartPa-PB
by Marianna Schmudlach / March 7, 2005 12:33 AM PST

Aliases: Trojan.Win32.StartPage.pb, BackDoor-AZV

Type: Trojan

Troj/StartPa-PB is a Start page Trojan.
Troj/StartPa-PB will modify the Start and Search page settings of Internet Explorer. The Trojan will also intercept attempts to start other web browsers and then display a predefined website with them.

http://www.sophos.com/virusinfo/analyses/trojstartpapb.html

W32/Sober-L
by Marianna Schmudlach / March 7, 2005 4:49 AM PST

Type: Worm

W32/Sober-L is a mass-mailing worm for the Windows platform.
Emails sent by the worm will have the following characteristics:
Subject line:
Ich habe Ihre E-Mail bekommen!
or
Your Password & Account number
Message text:
Hallo,
jemand schickt ihre privaten Mails auf meinem Account.
Ich schaetze mal, das es ein Fehler vom Provider ist.
Insgesamt waren es jetzt schon 6 Mails!
Ich habe alle Mail-Texte im Texteditor kopiert und gezippt.
Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese Dinger nicht mehr auf meinem Account landen, es Nervt naemlich.
Gruss
or
hi,
i've got an admin mail with a Password and Account info!
but the mail recipient are you! it's probably an esmtp error, i think.
i've copied the full mail text in the Windows text-editor & zipped.
ok, cya...
Attached file:
MailTexte.zip
or
acc_text.zip

http://www.sophos.com/virusinfo/analyses/w32soberl.html
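The alert above gives three kinds of indicator for W32/Sober-L mail: the two subject lines, distinctive phrases in the message text, and the two attachment names. The following Python is an added example (not code from the forum post or from Sophos) that turns those indicators into a mail-triage check: it parses raw RFC 822 messages with the standard library and reports which indicators each message carries. The two sample messages are constructed here for the demonstration; the sender and recipient addresses are placeholders.

```python
"""Match incoming mail against the W32/Sober-L indicators listed in the alert.

Added example, not part of the original post. The messages in SAMPLES are
constructed for the demonstration, not real captures.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken verbatim from the alert text.
SOBER_L_SUBJECTS = {
    "Ich habe Ihre E-Mail bekommen!",
    "Your Password & Account number",
}
# Lower-cased fragments of the two message bodies quoted in the alert.
SOBER_L_BODY_PHRASES = (
    "jemand schickt ihre privaten mails",
    "esmtp error",
)
SOBER_L_ATTACHMENTS = {"mailtexte.zip", "acc_text.zip"}


def sober_l_indicators(raw_message: bytes) -> list:
    """Return the Sober-L indicators found in one raw message.

    The subject alone is a weak signal; an attachment name plus a body
    phrase is what an analyst would treat as a confident match.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []

    subject = str(msg.get("Subject", "")).strip()
    if subject in SOBER_L_SUBJECTS:
        hits.append(f"subject: {subject}")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    for phrase in SOBER_L_BODY_PHRASES:
        if phrase in body:
            hits.append(f"body: {phrase}")

    # Attachment names are compared case-insensitively: the worm's files are
    # listed as MailTexte.zip and acc_text.zip but case is not significant.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SOBER_L_ATTACHMENTS:
            hits.append(f"attachment: {name}")
    return hits


def build_sample(subject: str, body: str, attachment: str = None) -> bytes:
    """Build a constructed MIME message as raw bytes (test fixture only)."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"   # placeholder, not a real sender
    msg["To"] = "recipient@example.invalid"  # placeholder
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        # A few bytes standing in for a zip archive; content is irrelevant here.
        msg.add_attachment(b"PK\x03\x04 constructed", maintype="application",
                           subtype="zip", filename=attachment)
    return msg.as_bytes()


SAMPLES = {
    "lure": build_sample(
        "Your Password & Account number",
        "hi,\ni've got an admin mail with a Password and Account info!\n"
        "but the mail recipient are you! it's probably an esmtp error, i think.\n",
        "acc_text.zip",
    ),
    "benign": build_sample(
        "Meeting notes",
        "Attached are the notes from today's meeting.\n",
        "notes.zip",
    ),
}


def triage(samples: dict) -> dict:
    """Return only the messages that carry at least one Sober-L indicator."""
    return {name: hits for name, raw in samples.items()
            if (hits := sober_l_indicators(raw))}


if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(f"{name}: {', '.join(hits)}")
```

In a gateway the same function would be run over each message as it arrives; matching on the attachment name and body phrase together, rather than on the subject alone, keeps the rule from firing on ordinary German-language mail with a similar subject.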

W32/Sober-Gen
by Marianna Schmudlach / March 7, 2005 4:51 AM PST
W32/Kelvir-D
by Marianna Schmudlach / March 7, 2005 8:33 AM PST

Aliases: W32/Kelvir.worm.d

Type: Worm

W32/Kelvir-D is an instant messaging worm that spreads by sending a message through Windows Messenger to all of an infected user's contacts.
W32/Kelvir-D arrives attached to the message that encourages the recipient to visit a web page to download an update and reads:
lol! see it! u'll like it .
W32/Kelvir-D also attempts to download and execute ME.JPG and FILE.EXE files from the predefined websites.
For more information about ME.JPG see W32/Rbot-XA.

http://www.sophos.com/virusinfo/analyses/w32kelvird.html

W32/Rbot-XA
by Marianna Schmudlach / March 7, 2005 8:36 AM PST

Aliases: Backdoor.Win32.Rbot.kp, W32/Sdbot.worm.gen.y, WORM_SDBOT.AUK

Type: Worm

W32/Rbot-XA is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-XA spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
Patches for the operating system vulnerabilities exploited by W32/Rbot-XA can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotxa.html

Troj/Rindas-A
by Marianna Schmudlach / March 7, 2005 8:37 AM PST
W32/Rbot-XB
by Marianna Schmudlach / March 7, 2005 8:39 AM PST

Aliases: Backdoor.Win32.Rbot.gen, W32/Sdbot.worm.gen.y, WORM_RBOT.GEN

Type: Worm

W32/Rbot-XB is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-XB spreads to weakly protected network shares and to computers vulnerable to the LSASS, RPC-DCOM, and IIS5SSL exploits.
For more information about these vulnerabilities see MS04-011 (for both the LSASS and IIS5SSL exploits) and MS04-012 (for the RPC-DCOM exploit).
When installed W32/Rbot-XB connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:
Scan for remote computers to infect
Start a HTTP, an FTP, or a SOCKS4 server
Log any keystrokes made on an infected computer
Flood a remote computer using ICMP, SYN, UDP or TCP
Search for, upload, download, and execute files
Browse and attempt to modify any services installed on the computer
Participate in a distributed denial-of-service (DDoS) attack
List and terminate processes
Attempt to disable security software
Create and delete network shares

http://www.sophos.com/virusinfo/analyses/w32rbotxb.html

Troj/Banker-KQ
by Marianna Schmudlach / March 7, 2005 8:41 AM PST

Aliases: Trojan-Spy.Win32.Banker.kq

Type: Trojan

Troj/Banker-KQ is a Trojan for the Windows platform.
The Trojan displays fake login pages for certain banking sites and steals credentials entered into the fake pages. The harvested information is sent to a remote attacker via FTP.

http://www.sophos.com/virusinfo/analyses/trojbankerkq.html

Troj/Mosuck-G
by Marianna Schmudlach / March 7, 2005 8:43 AM PST

Aliases: Trojan.Mosucker-27

Type: Trojan

Troj/Mosuck-G is a backdoor Trojan.
Troj/Mosuck-G drops files in random locations that are also detected as Troj/Mosuck-G.
Troj/Mosuck-G may drop and run a clean file.
The Trojan may modify the system HOSTS file in order to prevent access to anti-virus websites.

http://www.sophos.com/virusinfo/analyses/trojmosuckg.html
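The Troj/Mosuck-G post above says the Trojan may modify the system HOSTS file to prevent access to anti-virus websites. The Python below is an added example (not from the post or from Sophos) of the check an administrator would run: it parses a HOSTS file and reports any entry that overrides resolution of a security-vendor domain, distinguishing entries that black-hole the name (loopback or 0.0.0.0) from ones that redirect it elsewhere. The HOSTS content is constructed for the demonstration; sophos.com comes from the alert, and windowsupdate.com is added as an illustrative second domain. On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Report HOSTS-file entries that override security-vendor domains.

Added example, not part of the original post. HOSTS_SAMPLE is constructed
for the demonstration and is not taken from an infected machine.
"""
import ipaddress

# Domains a HOSTS entry should never override. sophos.com is on the alert
# page; windowsupdate.com is an illustrative addition (assumed, extend to taste).
WATCHED_DOMAINS = ("sophos.com", "windowsupdate.com")

# Addresses used to black-hole a name rather than redirect it.
BLACKHOLE_ADDRESSES = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text: str):
    """Yield (line_no, address, hostname) for every mapping in a HOSTS file.

    Comments (after '#'), blank lines and lines whose first field is not an
    IP address are skipped; one line may map several hostnames.
    """
    for line_no, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield line_no, addr, host.lower()


def is_watched(host: str) -> bool:
    """True if host is a watched domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text: str) -> list:
    """Return one finding per HOSTS entry that overrides a watched domain."""
    findings = []
    for line_no, addr, host in parse_hosts(text):
        if is_watched(host):
            kind = "blackhole" if addr in BLACKHOLE_ADDRESSES else "redirect"
            findings.append({"line": line_no, "host": host,
                             "address": str(addr), "kind": kind})
    return findings


def scan_file(path: str) -> list:
    """Convenience wrapper: scan a HOSTS file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


# Constructed sample: a normal localhost line, two black-holed vendor names,
# one redirected name and one legitimate internal mapping.
HOSTS_SAMPLE = """# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       www.sophos.com          # vendor site black-holed
0.0.0.0         sophos.com
10.0.0.5        windowsupdate.com       # update traffic sent elsewhere
192.168.1.20    fileserver.corp.example
"""

if __name__ == "__main__":
    for f in suspicious_entries(HOSTS_SAMPLE):
        print(f"line {f['line']}: {f['host']} -> {f['address']} ({f['kind']})")
```

A "redirect" finding deserves more attention than a "blackhole" one: a name pointed at an attacker-controlled address can serve a fake update or capture credentials, whereas a black-holed entry only stops the vendor site from loading. A clean HOSTS file normally contains nothing but the localhost lines, so any mapping for a vendor domain is worth investigating.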

Troj/Small-DJ
by Marianna Schmudlach / March 7, 2005 8:45 AM PST

Aliases: backdoor.win32.small.ec, w32/backdoor.awt, backdoor-coq, [bkdr_tiny.a], trojan.small-56

Type: Trojan

Troj/Small-DJ is a backdoor Trojan allowing a remote user to open a command prompt, giving them extensive control over the infected system.

http://www.sophos.com/virusinfo/analyses/trojsmalldj.html

Troj/Ablank-F
by Marianna Schmudlach / March 7, 2005 8:46 AM PST

Aliases: StartPage-DU.dll.dr, Trojan.Win32.StartPage.uz

Type: Trojan

Troj/Ablank-F is a browser hijacking Trojan.
Troj/Ablank-F changes settings for Internet Explorer and intercepts attempts to view the home page, instead showing a file dropped by the Trojan.

http://www.sophos.com/virusinfo/analyses/trojablankf.html