Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - May 17, 2005

Troj/Kelvir-P

Type Trojan

Troj/Kelvir-P is a Trojan for the Windows platform.
The Trojan monitors the status of Windows Messenger contacts and sends the following text to all online contacts:
Hey look at this
http://<domain>/profile.php?email=<infected user's email address>

http://www.sophos.com/virusinfo/analyses/trojkelvirp.html

Troj/Kelvir-M

In reply to: VIRUS ALERTS - May 17, 2005

Aliases W32/Kamil.wor
Worm.Kelvir.O

Type Trojan

Troj/Kelvir-M is a Trojan for the Windows platform.
The Trojan monitors the status of Windows Messenger contacts and sends the following text to all online contacts:
look at my profile
http://<domain>/profile.php?email=<infected user's email address>

http://www.sophos.com/virusinfo/analyses/trojkelvirm.html

Troj/Dloader-MJ

In reply to: VIRUS ALERTS - May 17, 2005

Aliases Trojan-Downloader.Win32.VB.hf

Type Trojan

Troj/Dloader-MJ is a Trojan for the Windows platform.
The Trojan downloads and executes a file from a remote site. The downloaded file is placed in the Windows system folder as Winnet32.exe. The Trojan may also create a file named winrwtk.bat which deletes the downloaded EXE file before the Trojan downloads updated versions.

http://www.sophos.com/virusinfo/analyses/trojdloadermj.html

Troj/LowZone-X

In reply to: VIRUS ALERTS - May 17, 2005

Type Trojan

Troj/LowZone-X is a Trojan for the Windows platform.
Troj/LowZone-X makes changes to the system registry, reducing internet security. The Trojan then connects to a predetermined website and may download further malicious code.

http://www.sophos.com/virusinfo/analyses/trojlowzonex.html

Troj/Vbbot-B

In reply to: VIRUS ALERTS - May 17, 2005

W32/Agobot-RP

In reply to: VIRUS ALERTS - May 17, 2005

Aliases WORM_IRCBOT.N

Type Worm

W32/Agobot-RP is a worm with backdoor Trojan functionality.
The worm allows a remote intruder to gain access and control over the computer via IRC channels.
The worm also modifies the system HOSTS file in order to prevent access to certain websites.

http://www.sophos.com/virusinfo/analyses/w32agobotrp.html

W32/Agobot-RO

In reply to: VIRUS ALERTS - May 17, 2005

Aliases WORM_AGOBOT.AQT

Type Worm

W32/Agobot-RO is a worm with backdoor Trojan functionality.
The worm allows a remote intruder to gain access and control over the computer via IRC channels.
The worm also modifies the system HOSTS file in order to prevent access to certain websites.

http://www.sophos.com/virusinfo/analyses/w32agobotro.html

W32/Sdbot-XL

In reply to: VIRUS ALERTS - May 17, 2005

Aliases WORM_IRCBOT.L

Type Worm

W32/Sdbot-XL is a worm with backdoor Trojan functionality.
The worm allows a remote intruder to gain access and control over the system via IRC channels. The worm may also spread to remote network shares.

http://www.sophos.com/virusinfo/analyses/w32sdbotxl.html

W32/Oddbot-D

In reply to: VIRUS ALERTS - May 17, 2005

Aliases Net-Worm.Win32.DipNet.f
Trojan.Netdepix
BKDR_XDOOR.C

Type Worm

W32/Oddbob-D is a network worm that attempts to spread by exploiting the LSASS vulnerability.
The following patches for the operating system vulnerabilities exploited by W32/Oddbob-D can be obtained from the Microsoft website:
MS04-011.
W32/Oddbob-D connects to a predetermined website to download and run more malware.

http://www.sophos.com/virusinfo/analyses/w32oddbotd.html

W32/Mytob-CI

In reply to: VIRUS ALERTS - May 17, 2005

Aliases Email-Worm.Win32.Mydoom.am

Type Worm

W32/Mytob-CI is a member of the W32/Mytob family of email worms.
W32/Mytob-CI also terminates various anti-virus and system related processes and modifies the HOSTS file.
Once installed, W32/Mytob-CI attempts to log on to remote IRC servers and open a backdoor to allow remote commands to be executed. W32/Mytob-CI also tries to download files from a remote website and run them.
W32/Mytob-CI will harvest email addresses and server related information from the Windows Address Book and the Microsoft Internet Account Manager. Email messages sent by W32/Mytob-CI have the following characteristics:
Subject line chosen from:
'Notice: **Last Warning**'
'Your email account access is restricted'
'Your Email Account is Suspended For Security Reasons'
'Notice:***Your email account will be suspended***'
'Security measures'
'Email Account Suspension'
'*IMPORTANT* Please Validate Your Email Account'
'*IMPORTANT* Your Account Has Been Locked'
<random characters>
Message text chosen from:
'Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.'
'To unblock your email account acces, please see the attachment.'
'Follow the instructions in the attachment.'
'We have suspended some of your email services, to resolve the problem you should read the attached document.'
'To safeguard your email account from possible termination, please see the attached file.'
'please look at attached document.'
'Account Information Are Attached!'
<random characters>
Attached filenames chosen from:
email-info
email-text
email-doc
information
your_details
document_full
INFO
IMPORTANT
info-text
<random characters>
The attached file consists of any of the abovementioned base names followed by the extensions PIF, SCR, EXE, CMD, BAT or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE, CMD, BAT or ZIP.

http://www.sophos.com/virusinfo/analyses/w32mytobci.html

W32/Rbot-ACR

In reply to: VIRUS ALERTS - May 17, 2005

Type Worm

W32/Rbot-ACR is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Rbot-ACR spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

http://www.sophos.com/virusinfo/analyses/w32rbotacr.html

Troj/Bancos-CT

In reply to: VIRUS ALERTS - May 17, 2005

Troj/Banker-JV

In reply to: VIRUS ALERTS - May 17, 2005

Aliases Trojan-Spy.Win32.Banker.ju

Type Trojan

Troj/Banker-JV is a password stealing Trojan for the Windows platform.
The Trojan monitors Internet Explorer sessions and captures keypresses when certain banking sites are visited. The harvested information is then sent to a remote user via email.


http://www.sophos.com/virusinfo/analyses/trojbankerjv.html

Troj/Istbar-BA

In reply to: VIRUS ALERTS - May 17, 2005

Troj/Agent-SC

In reply to: VIRUS ALERTS - May 17, 2005

W32/Mytob-CJ

In reply to: VIRUS ALERTS - May 17, 2005

Type Worm

W32/Mytob-CJ is a member of the W32/Mytob family of email worms.
Once installed, W32/Mytob-CJ attempts to log on to remote IRC servers and open a backdoor to allow remote commands to be executed. W32/Mytob-CJ also tries to download files from a remote website and run them.
W32/Mytob-CJ also terminates anti-virus and system related processes.
W32/Mytob-CJ also modifies the HOSTS file to deny access to anti-virus and security related websites.
W32/Mytob-CJ will harvest email addresses and server related information from the Windows Address Book and the Microsoft Internet Account Manager. Email messages sent by W32/Mytob-CJ have the following characteristics:
Subject line chosen from:
'Notice: **Last Warning**'
'Your email account access is restricted'
'Your Email Account is Suspended For Security Reasons'
'Notice:***Your email account will be suspended***'
'Security measures'
'Email Account Suspension'
'*IMPORTANT* Please Validate Your Email Account'
'*IMPORTANT* Your Account Has Been Locked'
'*WARNING* Your Email Account Will Be Closed'
<random characters>
Message text chosen from:
'Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.'
'To unblock your email account acces, please see the attachment.'
'Follow the instructions in the attachment.'
'We have suspended some of your email services, to resolve the problem you should read the attached document.'
'To safeguard your email account from possible termination, please see the attached file.'
'please look at attached document.'
'Account Information Are Attached!'
<random characters>
Attached filenames chosen from:
email-info
email-text
email-doc
information
your_details
document_full
INFO
IMPORTANT
info-text
<random characters>
The attached file consists of any of the abovementioned base names followed by the extensions PIF, SCR, EXE, CMD, BAT or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE, CMD, BAT or ZIP.

http://www.sophos.com/virusinfo/analyses/w32mytobcj.html
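
The attachment naming scheme described in the W32/Mytob-CI and W32/Mytob-CJ posts above can be turned into a mail-gateway filename check. This is an added example, not code from the posts or from Sophos; the function names and the sample message are constructed for illustration, and base names are compared case-insensitively as an assumption.

```python
from email import message_from_string

EXEC_EXT = {"pif", "scr", "exe", "cmd", "bat"}   # directly executable on Windows
FINAL_EXT = EXEC_EXT | {"zip"}                   # final extensions named in the alerts
DECOY_EXT = {"doc", "txt", "htm"}                # first extension of the double form
KNOWN_BASES = {"email-info", "email-text", "email-doc", "information",
               "your_details", "document_full", "info", "important", "info-text"}

def classify_attachment(filename):
    """Return the reasons a filename matches the pattern in the alerts."""
    # Strip each dot-separated part so whitespace padding cannot hide an extension.
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    if len(parts) < 2 or parts[-1] not in FINAL_EXT:
        return []
    reasons = []
    if parts[-1] in EXEC_EXT:
        reasons.append("executable-extension:" + parts[-1])
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        reasons.append("double-extension:" + parts[-2] + "." + parts[-1])
    if parts[0] in KNOWN_BASES:
        reasons.append("listed-base-name:" + parts[0])
    return reasons   # a bare .zip with an unlisted name yields no reasons

def scan_message(raw):
    """Map each attachment filename in an RFC 822 message to its reasons."""
    names = [p.get_filename() for p in message_from_string(raw).walk()]
    hits = {n: classify_attachment(n) for n in names if n}
    return {n: r for n, r in hits.items() if r}

# Constructed sample message (not a captured worm email).
SAMPLE = """\
From: admin@example.com
Subject: Email Account Suspension
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Follow the instructions in the attachment.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document_full.txt.scr"

x
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Because the posts also list `<random characters>` as a possible base name, the extension checks carry the detection; the base-name match only raises confidence.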

W32/Sdbot-BPY

In reply to: VIRUS ALERTS - May 17, 2005

Aliases WORM_SDBOT.BPY

Type Worm

W32/Sdbot-BPY is a network worm with backdoor Trojan functionality for the Windows platform.
The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities.

http://www.sophos.com/virusinfo/analyses/w32sdbotbpy.html

Troj/PPdoor-H

In reply to: VIRUS ALERTS - May 17, 2005

Troj/LegMir-AE

In reply to: VIRUS ALERTS - May 17, 2005

W32/Oscabot-E

In reply to: VIRUS ALERTS - May 17, 2005

Aliases W32/Sdbot.worm.gen.bh

Type Worm

W32/Oscabot-E is an instant messaging worm that can exploit users of AOL Instant Messaging clients.
W32/Oscabot-E connects to a specific channel on an IRC service and waits for an attacker to instruct the bot to send messages to contacts in the infected user's AOL contacts list. The message will read:
"check this out, is that you?".

http://www.sophos.com/virusinfo/analyses/w32oscabote.html

Troj/Bancos-CS

In reply to: VIRUS ALERTS - May 17, 2005

Aliases Win32/Spy.Banker

Type Trojan

Troj/Bancos-CS is a password-stealing Trojan that targets Brazilian banking websites.
Troj/Bancos-CS displays fake user interfaces in order to persuade the user to enter confidential details such as credit card number, login name, password, and PIN code. Stolen information is sent by email to a remote user.

http://www.sophos.com/virusinfo/analyses/trojbancoscs.html

Troj/Feutel-G

In reply to: VIRUS ALERTS - May 17, 2005

Type Trojan

Troj/Feutel-G is a backdoor Trojan for the Windows platform.
Troj/Feutel-G may arrive in an email claiming to contain a screen-saver. The attached executable will drop and run a legitimate screen-saver application and Troj/Feutel-G.

http://www.sophos.com/virusinfo/analyses/trojfeutelg.html

Troj/BeyDl-A

In reply to: VIRUS ALERTS - May 17, 2005

Troj/BeyProxy-A

In reply to: VIRUS ALERTS - May 17, 2005

W32/Kelvir-X

In reply to: VIRUS ALERTS - May 17, 2005

WM97/Lebone-A

In reply to: VIRUS ALERTS - May 17, 2005

Type Virus

WM97/Lebone-A is a macro virus for Microsoft Word that adds a viral macro to the active document when the document is closed.
WM97/Lebone-A modifies the active document by inserting the string:
"A vida pode ser feliz!!"
WM97/Lebone-A attempts to stop processes associated with files that are located in the Windows, Windows system and Windows Command folders, and have either EXE or COM extension.
Also on the 6th, 13th, 17th, 23rd and 28th WM97/Lebone-A displays the message " Virus modificou seus arquivos!!", "Word texto informa!!" and attempts to stop processes associated with files that are located in the root and Windows folders, and that have one of the following extensions:
COM, INI, TXT, GIF, XLS, PDF

http://www.sophos.com/virusinfo/analyses/wm97lebonea.html

Troj/Gorgs-A

In reply to: VIRUS ALERTS - May 17, 2005

Dial/MPB-A

In reply to: VIRUS ALERTS - May 17, 2005

W32/Oscabot-D

In reply to: VIRUS ALERTS - May 17, 2005

Aliases Backdoor.Win32.Agent.jn
IM-Worm.Win32.Pakes
W32/Oscarbot

Type Worm

W32/Oscabot-D is a worm with backdoor functionality for the Windows platform that allows unauthorised remote access to the infected computer via IRC channels.
W32/Oscabot-D attempts to spread via AOL Instant Messenger (AIM) after receiving the appropriate command from a remote intruder by sending the following message with the link to the worm copy:
This was cool, check it out


http://www.sophos.com/virusinfo/analyses/w32oscabotd.html

Troj/Vidlo-J

In reply to: VIRUS ALERTS - May 17, 2005

Aliases Trojan-Downloader.Win32.Vidlo.m
Downloader-AAP

Type Trojan

Troj/Vidlo-J is a downloading Trojan for the Windows platform that downloads from a predefined web location a prev.exe file detected by Sophos's anti-virus products as Troj/Dloader-NN.

http://www.sophos.com/virusinfo/analyses/trojvidloj.html

Troj/Jfor-A

In reply to: VIRUS ALERTS - May 17, 2005

Aliases JS_MHTREDIR.O
JS/Exploit-MhtRedir.gen

Type Trojan

Troj/Jfor-A is a script Trojan which exploits a vulnerability associated with some versions of Microsoft Internet Explorer to load a file via the DATA attribute of an OBJECT element.

http://www.sophos.com/virusinfo/analyses/trojjfora.html
