Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - May 13, 2004

by Marianna Schmudlach / May 12, 2004 3:40 PM PDT

W32.Posit@mm

Discovered on: May 11, 2004
Last Updated on: May 13, 2004 10:03:31 AM

W32.Posit@mm is a mass-mailing worm that attempts to format the C: drive. The worm spreads through Microsoft Outlook. The email has the following characteristics:

Subject: 100 Sex Positions in Document
Attachment: Me.zip


--------------------------------------------------------------------------------
Note: Virus definitions dated prior to May 12, 2004 detect this threat as Bloodhound.W32.VBWORM.

--------------------------------------------------------------------------------


Also Known As: Bloodhound.W32.VBWORM

Type: Worm


http://securityresponse.symantec.com/avcenter/venc/data/w32.posit@mm.html

Discussion is locked
You are posting a reply to: VIRUS ALERTS - May 13, 2004
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: VIRUS ALERTS - May 13, 2004
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
TROJ_MITGLIEDR.H
by Marianna Schmudlach / May 12, 2004 3:46 PM PDT

Virus type: Worm

Destructive: No

Aliases: Trojan.Mitglieder.F, Win32.Mitglieder.ag

Description:


This TROJ_MITGLIEDR variant listens on either port 17771 or 14441 for remote commands and acts as a mail dispatcher.

It also connects to several Web sites to download a list of banned IP addresseses that the proxy ignores. It then saves the list as BAN_LIST.TXT, which it may use for its malicious activities.

It terminates certain processes, most of which are related to security and antivirus programs.

This UPX-compressed malware runs on Windows 95, 98, ME, NT, 2000, and XP.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_MITGLIEDR.H

Collapse -
W32/Agobot-ZH
by Marianna Schmudlach / May 13, 2004 12:55 AM PDT

Type
Win32 worm

Description
W32/Agobot-ZH copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and RPC locator vulnerabilities.
These vulnerabilities allow the worm to execute its code on target computers with system level privileges. For further information on these vulnerabilities and for details on how to patch the computer against such attacks please see Microsoft security bulletins MS03-026 and MS03-001.


More: http://www.sophos.com/virusinfo/analyses/w32agobotzh.html

Collapse -
W32/Sdbot-IK
by Marianna Schmudlach / May 13, 2004 12:59 AM PDT

Aliases
W32/Sdbot.worm.gen.b, WORM_SDBOT.KW

Type
Win32 worm

Description
W32/Sdbot-IK is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorised remote
access to the infected computer via IRC channels while running in the
background as a service process.
W32/Sdbot-IK copies itself to the Windows system folder as WNETMGR.EXE
and as COOL.EXE and creates entries in the registry at the following locations
so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft System Checkup

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\
Microsoft System Checkup

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NT Logging Service


More: http://www.sophos.com/virusinfo/analyses/w32sdbotik.html

Collapse -
W32/Agobot-ID
by Marianna Schmudlach / May 13, 2004 1:01 AM PDT

Aliases
INFECTED Backdoor.Agobot.gen, W32/Gaobot.worm.gen.j virus, W32.Gaobot.AFJ, WORM_AGOBOT.JH

Type
Win32 worm

Description
W32/Agobot-ID is a worm and backdoor Trojan for the Windows platform.
W32/Agobot-ID allows a malicious user remote access to an infected computer.

In order to run automatically when Windows starts up W32/Agobot-ID creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
scvhost.exe=scvhost.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
scvhost.exe=scvhost.exe..

http://www.sophos.com/virusinfo/analyses/w32agobotid.html

Collapse -
W32/Agobot-ZG
by Marianna Schmudlach / May 13, 2004 1:03 AM PDT

Aliases
INFECTED Backdoor.Agobot.gen, W32/Gaobot.worm.gen.d, W32.HLLW.Gaobot.gen

Type
Win32 worm

Description
W32/Agobot-ZG is an IRC backdoor Trojan and network worm.
W32/Agobot-ZG is capable of spreading to computers on the local network
protected by weak passwords.

When first run, W32/Agobot-ZG copies itself to the Windows system folder
as antivir32.exe and creates the following registry entries to run itself on logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
CONFIGURE= antivir32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
CONFIGURE = antivir32.exe

The Trojan runs continuously in the background providing backdoor access to
the computer.


More: http://www.sophos.com/virusinfo/analyses/w32agobotzg.html

Collapse -
WM97/MMTour-A
by Marianna Schmudlach / May 13, 2004 1:06 AM PDT
Collapse -
W32/Sdbot-BL
by Marianna Schmudlach / May 13, 2004 1:08 AM PDT

Aliases
Sdbot.AJY, Randex, IRCbot

Type
Win32 worm

Description
W32/Sdbot-BL is a member of the W32/Sdbot family of worms.
In order to run automatically when Windows starts up the worm copies itself to
the file Windowz.exe in the Windows system folder and adds the following
registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Windows Gui = Windowz.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Windows GUI = Windowz.exe

W32/Sdbot-BL allows a malicious user remote access to the infected computer
through IRC channels.

W32/Sdbot-BL generates random IP addresses and attempts to spread to them
via RPC services with weak passwords.

http://www.sophos.com/virusinfo/analyses/w32sdbotbl.html

Collapse -
Troj/Nab-A
by Marianna Schmudlach / May 13, 2004 1:09 AM PDT

Aliases
Trojan.Win32.VB.hn, Win32/NBA.A trojan

Type
Trojan

Description
Troj/Nab-A attempts to incapacitate the computer by deleting certain folders
and disabling the keyboard and mouse. The Trojan also creates several registry
entries to change policy settings on the computer and attempts to shut it down.
Troj/Nab-A copies creates an entry in the registry at the following location to
run itself on system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The Trojan copies itself the Windows system32 folder as CKCNVK.EXE.

Troj/Nab-A drops a BAT file in the C:\ root folder called TMP_D.BAT (detected
as W32/FlyVB-A) which attempts to terminate several processes using an application called Taskkill.

http://www.sophos.com/virusinfo/analyses/trojnaba.html

Collapse -
Troj/Bckdr-CEP
by Marianna Schmudlach / May 13, 2004 1:12 AM PDT

Aliases
Backdoor.Bifrose

Type
Trojan

Description
Troj/Bckdr-CEP is a backdoor Trojan for the Windows platform. The Trojan is configurable and uses different file names, registry entries and ports depending
on the choices of the attacker.
The Trojan will create a copy of itself in the Windows or Windows system folder.

In order to run automatically when Windows starts up Troj/Bckdr-CEP may
create registry entries referring to the copy under:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
or
HKLM\Software\Microsoft\Active Setup\Installed Components\

http://www.sophos.com/virusinfo/analyses/trojbckdrcep.html

Collapse -
W32/Francette-J
by Marianna Schmudlach / May 13, 2004 1:14 AM PDT

Type
Win32 worm

Description
W32/Francette-J is a backdoor Trojan and a worm that attempts to spread by exploiting vulnerabilties and backdoors left by members of the W32/MyDoom family.
W32/Francette-J may spread to vulnerable computers by taking advantage of the DCOM RPC vulnerability (MS03-039) and the Web Directory Traversal vulnerability (MS00-078).

W32/Francette-J allows a malicious user remote access to an infected computer.

The virus drops the dll file LOL.DLL which is used to capture the user keystrokes that may be sent to the attacker's email account.


More: http://www.sophos.com/virusinfo/analyses/w32francettej.html

Collapse -
Troj/VB-HA
by Marianna Schmudlach / May 13, 2004 1:16 AM PDT

Aliases
TrojanDownloader.Win32.VB.ah

Type
Trojan

Description
Troj/VB-HA is a downloader Trojan.
Troj/VB-HA runs continuously in the background and periodically tries to download configuration data from a remote location.

Depending upon the contents of the configuration data, Troj/VB-HA may then try
to download and run executables.

When first run Troj/VB-HA creates the following registry entry to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
<Trojan> = <Trojan.exe>

where <Trojan> is the name of the Trojan executable minus its extension and <Trojan.exe> is the full pathname of the Trojan executable.

The file at.aut is created in the Windows folder.

http://www.sophos.com/virusinfo/analyses/trojvbha.html

Collapse -
W32/Agobot-JI
by Marianna Schmudlach / May 13, 2004 1:18 AM PDT

Aliases
Gaobot, Nortonbot, Phatbot, Polybot.

Type
Win32 worm

Description
W32/Agobot-JI is an IRC backdoor Trojan and network worm which establishes
an IRC channel to a remote server in order to grant an intruder access to the compromised computer.
This worm will move itself into the Windows System32 folder under the filename CSRSS32.EXE and may create the following registry entries so that it can
execute automatically on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
System Log Event = csrss32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
System Log Event = csrss32.exe


More: http://www.sophos.com/virusinfo/analyses/w32agobotji.html

Collapse -
Troj/DownLdr-FE
by Marianna Schmudlach / May 13, 2004 1:21 AM PDT
Collapse -
W32/Agobot-ZD
by Marianna Schmudlach / May 13, 2004 1:23 AM PDT

Type
Win32 worm

Description
W32/Agobot-ZD is an IRC backdoor Trojan and network worm.
W32/Agobot-ZD is capable of spreading to computers on the local network
protected by weak passwords.

When first run, W32/Agobot-ZD copies itself to the Windows system folder
as windate.exe and creates the following registry entries to run itself
on logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
CONFIGURE= antivir62.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
CONFIGURE = antivir62.exe

The Trojan runs continuously in the background providing backdoor access to
the computer.


More: http://www.sophos.com/virusinfo/analyses/w32agobotzd.html

Collapse -
Troj/Haxdoor-E
by Marianna Schmudlach / May 13, 2004 1:25 AM PDT

Aliases
Backdoor.Haxdoor, BackDoor-BAC trojan, BKDR_HAXDOOR.O

Type
Trojan

Description
Troj/Haxdoor-E is a backdoor Trojan that provides an unauthorized access to the infected computer through the TCP port connection.
When executed Troj/Haxdoor-E copies itself to the Windows system folder with
the filename w32_ss.exe, attempts to delete klif.sys and klpf.sys files from
the Windows system drivers folder and creates services with the service names
Sdmapi and Boot32 and the display names KeSDM and KeBoot.

To be able run at the restart Troj/Haxdoor-E creates the registry entries

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notify\debugg\DllName = hex(2):64,65,62,75,67,67,2e,64,6c,6c,00

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notify\debugg\Startup = "MemManager"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notify\debugg\Impersonate = dword:00000001


More: http://www.sophos.com/virusinfo/analyses/trojhaxdoore.html

Collapse -
W32/Agobot-IQ
by Marianna Schmudlach / May 13, 2004 1:27 AM PDT

Aliases
Gaobot, Nortonbot, Phatbot, Polybot.

Type
Win32 worm

Description
W32/Agobot-IQ is an IRC backdoor Trojan and network worm which establishes
an IRC channel to a remote server in order to grant an intruder access to the compromised computer.
This worm will move itself into the Windows System32 folder under the filename WSUPDATE.EXE and may create the following registry entries so that it can execute automatically on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
IPSEC Configuration = wsupdate.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
IPSEC Configuration = wsupdate.exe


More: http://www.sophos.com/virusinfo/analyses/w32agobotiq.html

Collapse -
Troj/Padodor-B
by Marianna Schmudlach / May 13, 2004 1:30 AM PDT

Aliases
BackDoor-AXJ trojan, Backdoor.Berbew.B, Backdoor.Padodor.h

Type
Trojan

Description
Troj/Padodor-B is a backdoor Trojan which allows unauthorised access
and control of the computer from a remote network location. It can also function
as a proxy.
Upon execution Troj/Padodor-B drops a copy of itself and a DLL component,
both with random names and into the Windows System folder.

Troj/Padodor-B then sets the following registry entries so that the DLL
component runs at startup:

HKCR\CLSID\<COM object number>\InProcServer32

HKLM\Software\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad\Web Event Logger
="<COM object number>"

(where the COM object number is 79FB9088-19CE-715E-D900-216290C5B738)


More: http://www.sophos.com/virusinfo/analyses/trojpadodorb.html

Collapse -
W32/Agobot-IE
by Marianna Schmudlach / May 13, 2004 1:32 AM PDT

Type
Win32 worm

Description
W32/Agobot-IE is a network worm and backdoor. The worm creates a copy of itself
named scvhost.exe in the Windows system folder and adds the following registry
entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\scvhost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\scvhost.exe

W32/Agobot-IE spread to network shares with weak passwords and by exploiting
the LSASS vulnerability. A patch for the vulnerability is available from
http://www.microsoft.com/security/technet/bulletins/ms04-011.asp.

The worm listens on IRC for commands from a remote attacker.


More: http://www.sophos.com/virusinfo/analyses/w32agobotie.html

Collapse -
Troj/Sdbot-CG
by Marianna Schmudlach / May 13, 2004 1:34 AM PDT

Aliases
W32/Sdbot.worm.gen.m

Type
Trojan

Description
Troj/Sdbot-CG is an IRC backdoor Trojan that allows unauthorised
remote users access and control of the computer.
When first run Troj/Sdbot-CG will copy itself to the Windows system folder as wininit32.exe and sets the following registry entries to ensure it is run at system logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
SysInit = wininit32.exe -drivers

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SysInit = wininit32.exe -services

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
SysInit = wininit32.exe -services


More: http://www.sophos.com/virusinfo/analyses/trojsdbotcg.html

Collapse -
W32/SdBot-CH
by Marianna Schmudlach / May 13, 2004 1:36 AM PDT

Aliases
INFECTED Backdoor.IRCBot.gen, W32/Sdbot.worm.gen, W32.IRCBot.Gen

Type
Win32 worm

Description
W32/SdBot-CH is a network worm and a backdoor Trojan which runs in the
background as a service process and allows unauthorised remote access
to the computer via IRC channels.
When executed W32/SdBot-CH copies itself to the Windows system folder with
the filename mdms.exe and sets the registry entries

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Machine Debug Manager=mdms.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Machine Debug Manager=mdms.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Machine Debug Manager=mdms.exe

with the path to the copy.


http://www.sophos.com/virusinfo/analyses/w32sdbotch.html

Collapse -
W32/Spybot-T
by Marianna Schmudlach / May 13, 2004 1:38 AM PDT

Type
Win32 worm

Description
W32/Spybot-T is a peer-to-peer (P2P) worm with backdoor Trojan functionality.
W32/Spybot-T attempts to move itself to ASCRLL.EXE in the Windows System
folder and creates entries in the registry at the following locations to run
itself on system restart:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Auto Scroll Loader = ASCRLL.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Auto Scroll Loader = ASCRLL.EXE


More: http://www.sophos.com/virusinfo/analyses/w32spybott.html

Collapse -
Troj/StartPa-AE
by Marianna Schmudlach / May 13, 2004 7:06 AM PDT

Aliases
Trojan.WinREG.StartPage

Type
Trojan

Description
Troj/StartPa-AE changes browser settings for Microsoft Internet Explorer each
time Windows is started.
Troj/StartPa-AE is simply a text file (typically named sysdll.reg) which can
be used as an input to Regedit to set the following registry entries:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\HOMEOldSP
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Main\HOMEOldSP
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
sys = "regedit -s sysdll.reg"

The last of these registry entries causes the registry to be updated using
Troj/StartPa-AE each time Windows is started.

Troj/StartPa-AE may be installed on the computer by Troj/AdClick-AE.

http://www.sophos.com/virusinfo/analyses/trojstartpaae.html

Collapse -
Troj/Mixtar-B
by Marianna Schmudlach / May 13, 2004 7:08 AM PDT
Collapse -
Troj/Agent-E
by Marianna Schmudlach / May 13, 2004 7:10 AM PDT
Collapse -
Troj/Ketch-B
by Marianna Schmudlach / May 13, 2004 7:12 AM PDT

Aliases
Backdoor.Ketch.h

Type
Trojan

Description
Troj/Ketch-B is a backdoor Trojan that allows remote intruders access and
control over the computer.
In order to run automatically when Windows starts up the Trojan copies itself to
the file sysmon45.exe in the Windows system folder and adds the registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sysmon

pointing to this file.

Troj/Ketch-B sets registry entries below HKLM\SOFTWARE\sysmon.

Troj/Ketch-B can be remotely instructed to execute certain operations such as to download and execute remote files, delete files and modify the registry (such as deleting registry entries or creating new entries).

Troj/Ketch-B will also steal system information such as computer name, username and operating system version.

http://www.sophos.com/virusinfo/analyses/trojketchb.html

Collapse -
Troj/StartPa-GH
by Marianna Schmudlach / May 13, 2004 7:14 AM PDT

Aliases
Trojan.Win32.StartPage.gh

Type
Trojan

Description
Troj/StartPa-GH is a StartPage Trojan.
Troj/StartPa-GH copies itself to the Windows folder with the filename WIN32.EXE
and sets a registry value at the following location in order to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Troj/StartPa-GH sets the following registry entry in order to change the StartPage
in Internet Explorer:

HKCU\Software\Microsoft\Internet Explorer\Main\
Start Page = "http://martfinder.com/index.htm"

Troj/StartPa-GH sometimes appends this value with "?aff=" and a value read from
the file WIN32.DAT in the same folder as it.

Troj/StartPa-GH sets the following registry entry to instruct Internet Explorer to use a personalised stylesheet:

HKCU\Software\Microsoft\Internet Explorer\Styles\Use My Stylesheet = "1"

Troj/StartPa-GH then sets the following registry entry to point to the file
WIN32.BMP in the same folder as it:

HKCU\Software\Microsoft\Internet Explorer\Styles\User Stylesheet

http://www.sophos.com/virusinfo/analyses/trojstartpagh.html

Collapse -
Troj/DeathCo-B
by Marianna Schmudlach / May 13, 2004 7:16 AM PDT
Collapse -
W32/FlyVB-A
by Marianna Schmudlach / May 13, 2004 7:18 AM PDT

Aliases
Worm.Win32.FlyVB, W32/Spidr@MM, W32.Spider.A@mm

Type
Win32 worm

Description
W32/FlyVB-A is a worm that spreads via email, network shares and common file
sharing networks.
In order to run automatically when Windows starts up the worm copies itself to the file avpmonitor.exe in the Windows system folder and modifies the file
autoexec.bat.

W32/FlyVB-A also has a backdoor component that allows a remote user access
to a compromised computer.


http://www.sophos.com/virusinfo/analyses/w32flyvba.html

Collapse -
Troj/Agent-L
by Marianna Schmudlach / May 13, 2004 7:20 AM PDT

Type
Trojan

Description
Troj/Agent-L is a backdoor proxy Trojan.
In order to run automatically when Windows starts up the Trojan creates the
registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd

pointing to itself.

Troj/Agent-L also creates registry entries below:

HKCU\Software\Microsoft\SysUpd.

http://www.sophos.com/virusinfo/analyses/trojagentl.html

Collapse -
Troj/IEStart-H
by Marianna Schmudlach / May 13, 2004 7:22 AM PDT

Aliases
TrojanClicker.VBS.Krepper, VBS/IEstart.gen.e, VBS_RANDPOP.A

Type
Trojan

Description
Troj/IEStart-H launches Microsoft Internet Explorer every 60 minutes and attempts to load a remote web page.
Troj/IEStart-H is a Microsoft Visual Basic script which may arrive on the computer as part of an HTML based email message or by browsing web sites whose pages contain the script.

http://www.sophos.com/virusinfo/analyses/trojiestarth.html

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

CNET FORUMS TOP DISCUSSION

Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?