Attention: The forums will be placed on read only mode this Saturday (Oct. 20, 2018)

During this outage (6:30 AM to 8 PM PDT) the forums will be placed on read only mode. We apologize for this inconvenience. Click here to read details

Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - May 18, 2005

by Marianna Schmudlach / May 18, 2005 1:28 AM PDT

Troj/Zapchas-J
Summary

Aliases Backdoor.Win32.mIRC-based
Backdoor.IRC.Zapchast
IRC/Flood.mirc

Type Trojan

Troj/Zapchas-J is an mIRC-based backdoor Trojan.
The Trojan creates several files in the Windows\system folder. One of these files, svchost.exe, is a renamed copy of the mIRC application, one is a mIRC script file (also detected as Troj/Zapchas-J) and the remainder are configuration settings for the Trojan.

http://www.sophos.com/virusinfo/analyses/trojzapchasj.html

Discussion is locked
You are posting a reply to: VIRUS ALERTS - May 18, 2005
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: VIRUS ALERTS - May 18, 2005
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Troj/Ghudl-A
by Marianna Schmudlach / May 18, 2005 1:30 AM PDT
Collapse -
W32/Sdbot-BLU
by Marianna Schmudlach / May 18, 2005 1:32 AM PDT

Aliases WORM_SDBOT.BLU

Type Worm

W32/Sdbot-BLU is a network worm with backdoor Trojan functionality for the Windows platform.
The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities.
Patches for the vulnerabilities exploited by W32/Sdbot-BLU can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.sophos.com/virusinfo/analyses/w32sdbotblu.html

Collapse -
Troj/AntiAd-A
by Marianna Schmudlach / May 18, 2005 1:34 AM PDT

Type Trojan

Troj/AntiAd-A is a Trojan for the Windows platform.
The Trojan attempts to delete registry entries and files associated with certain adware related processes and also attempts to restore certain changes made by these adware components.

http://www.sophos.com/virusinfo/analyses/trojantiada.html

Collapse -
W32/Mytob-BX
by Marianna Schmudlach / May 18, 2005 1:36 AM PDT
Collapse -
W32/Agobot-SQ
by Marianna Schmudlach / May 18, 2005 1:38 AM PDT

Aliases Backdoor.Win32.Agobot.kq
W32/Gaobot.worm.gen.bh

Type Worm

W32/Agobot-SQ is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Agobot-SQ is capable of spreading to computers on the local network protected by weak passwords and using the following security exploits:
LSASS (MS04-011)
RPC-DCOM (MS04-012)
WKS (MS03-049)
WebDav (MS03-007)
MSSQL (MS02-039)
UPNP (MS01-059)
W32/Agobot-SQ attempts to terminate and disable various anti-virus and security related programs and modifies the HOSTS file.
Patches and information for the vulnerabilities exploited by W32/Agobot-SQ can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx

http://www.sophos.com/virusinfo/analyses/w32agobotsq.html

Collapse -
W32/Kelvir-U
by Marianna Schmudlach / May 18, 2005 1:39 AM PDT

Aliases IM-Worm.Win32.Kelvir.ak
WORM_KELVIR.AQ

Type Worm

W32/Kelvir-U is an instant messenger worm. The worm sends instant messages to all the MSN messenger contacts. The message contains a link of URL, it encourages the recipients to visit the URL to download a file. The worm terminates anti-virus related processes.

http://www.sophos.com/virusinfo/analyses/w32kelviru.html

Collapse -
Troj/QQDragon-E
by Marianna Schmudlach / May 18, 2005 1:41 AM PDT
Collapse -
Troj/Netsnak-K
by Marianna Schmudlach / May 18, 2005 1:42 AM PDT

Aliases TROJ_NETSNAKE.B
W32/Netsnake.cBackdoor.Win32.Formador.e

Type Trojan

Troj/Netsnak-K is a Trojan for the Windows Platform.
Troj/Netsnak-K will set the following registry entry to ensure it is run on Windows logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<filename>
<Path to self>
Troj/Netsnak-K will connect to a website specified in a downloaded configuration file and gather commands to execute on the infected computer.
The Trojan may send stolen information to that same website.

http://www.sophos.com/virusinfo/analyses/trojnetsnakk.html

Collapse -
Troj/Perda-B
by Marianna Schmudlach / May 18, 2005 1:44 AM PDT

Aliases Backdoor.Win32.Agent.jo

Type Trojan

Troj/Perda-B is a Trojan for the Windows platform.
Troj/Perda-B will attempt to disable Windows XP's firewall.
Troj/Perda-B serves as a proxy, allowing remote users the ability to route HTTP traffic through the infected computer. The Trojan may also accept commands from remote users.

http://www.sophos.com/virusinfo/analyses/trojperdab.html

Collapse -
W32/Opanki-I
by Marianna Schmudlach / May 18, 2005 1:46 AM PDT

Aliases IM-Worm.Win32.Opanki.b
WORM_OPANKI.I

Type Worm

W32/Opanki-I is an instant-messanging worm that attempts to spread via AOL Instant Messenger (AIM).
W32/Opanki-I sends the message "check out my pictures" to the infected user's contacts with a link to download a PIF file from http://redblock.co.kr. At the time of writing this file was unavailable for download.

http://www.sophos.com/virusinfo/analyses/w32opankii.html

Collapse -
Troj/Sdbot-YH
by Marianna Schmudlach / May 18, 2005 1:48 AM PDT

Type Trojan

Troj/Sdbot-YH is an IRC backdoor Trojan for the Windows platform.
Troj/Sdbot-YH allows unauthorised remote access to the infected computer via the IRC network. The Trojan joins a preconfigured IRC channel and waits for instructions from a remote intruder. The Trojan can be instructed to download updates and run arbitrary files.


http://www.sophos.com/virusinfo/analyses/trojsdbotyh.html

Collapse -
Troj/Dloader-NM
by Marianna Schmudlach / May 18, 2005 1:50 AM PDT
Collapse -
Troj/Rbot-ACT
by Marianna Schmudlach / May 18, 2005 1:52 AM PDT
Collapse -
Troj/Lineage-M
by Marianna Schmudlach / May 18, 2005 1:53 AM PDT

Aliases Trojan-PSW.Win32.Lineage.bg

Type Trojan

Troj/Lineage-M is a password stealing Trojan for the Windows platform that
attempts to steal passwords associated with the game called "Lineage".
Troj/Lineage-M searches for the "Lineage","Lineage Windows Client" window in attempt to initiate a keylogging routine.
Troj/Lineage-M will attempt to disable a number of anti-virus and security
related processes and windows.
Troj/Lineage-M may attempt to modify wininit.ini and add an entry pointing to the Trojan to ensure it runs on Windows startup.

http://www.sophos.com/virusinfo/analyses/trojlineagem.html

Collapse -
Troj/WFPDis-A
by Marianna Schmudlach / May 18, 2005 1:55 AM PDT
Collapse -
Troj/Labrap-A
by Marianna Schmudlach / May 18, 2005 1:56 AM PDT
Collapse -
Troj/Torpid-B
by Marianna Schmudlach / May 18, 2005 1:58 AM PDT

Aliases Trojan-Downloader.Win32.Small.apf
Downloader-XB

Type Trojan

Troj/Torpid-B is a downloader Trojan.
Troj/Torpid-B will attempt to close security-related windows, such as those generated by firewall and anti-virus applications.

http://www.sophos.com/virusinfo/analyses/trojtorpidb.html

Collapse -
W32/Oscabot-F
by Marianna Schmudlach / May 18, 2005 2:00 AM PDT

Aliases TROJ_DLOADER.LS

Type Worm

W32/Oscabot-F is an instant messaging worm that can exploit users of AOL Instant Messaging clients.
W32/Oscabot-F connects to a specific channel on an IRC service and waits for an attacker to instruct the bot to send messages to contacts in the infected user's AOL contacts list. The message will read:
"lol have you seen this?"
The word "this" is a link to the W32/Oscabot-F executable on the infected computer.

http://www.sophos.com/virusinfo/analyses/w32oscabotf.html

Collapse -
Troj/Goldun-U
by Marianna Schmudlach / May 18, 2005 2:02 AM PDT

Type Trojan

Troj/Goldun-U is a password-stealing Trojan targeted at the users of the
E-Gold online services.
Troj/Goldun-U will install a DLL as a Browser Help Object which intercepts internet requests destined for the E-Gold site and steals account information, forwarding it to a remote site.
When run the Trojan may display a Window with the title "E-gold ServicePack" and the user will be instructed to click on the "Install" button, at which point a progress bar is displayed. The user is instructed to reboot once the installation is supposedly completed.


http://www.sophos.com/virusinfo/analyses/trojgoldunu.html

Collapse -
Troj/SecondT-C
by Marianna Schmudlach / May 18, 2005 2:03 AM PDT

Aliases Trojan-Downloader.Win32.Small.aui

Type Trojan

Troj/SecondT-C is a Trojan for the Windows platform.
Troj/SecondT-C attempts to download a configuration file from a number of websites in order to determine its behaviour, including the ability to download and execute further files from remote locations and to set or delete entries in the registry.

http://www.sophos.com/virusinfo/analyses/trojsecondtc.html

Collapse -
W32/Kelvir-Y
by Marianna Schmudlach / May 18, 2005 2:05 AM PDT

Aliases W32.Kelvir.J
IM-Worm.Win32.Kelvir.a
WORM_KELVIR.A

Type Worm

W32/Kelvir-Y is an instant messenging worm that spreads by sending a message
through Windows Messenger to all of an infected user's contacts.
W32/Kelvir-Y sends the following message to all MSN Messenger contacts encouraging recipients to visit a website:
quick! see this picture - <URL>
W32/Kelvir-Y may also attempt to download a file from a pre-defined website to C:\msnsetup.exe and execute it.
At the time of writing, the URL was not available.

http://www.sophos.com/virusinfo/analyses/w32kelviry.html

Collapse -
W32/Rbot-ACS
by Marianna Schmudlach / May 18, 2005 2:07 AM PDT

Type Worm

W32/Rbot-ACS is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allows unauthorised remote access to the infected computer via IRC channels while running in the background.
The worm spreads to network shares with weak passwords and also by using the following security exploits:
LSASS (MS04-011)
RPC-DCOM (MS03-039)
WKS (MS03-049) (CAN-2003-0812)
MSSQL (MS02-039) (CAN-2002-0649)
Once installed, W32/Rbot-ACS will attempt to perform the following actions when instructed to do so by a remote attacker:
terminate anti-virus and system related threads and processes
perform port scanning on IP addresses
steal computer system hardware information
copy itself to network shared folders
download files from the Internet and run them
participate in denial of service (DoS) attacks
The following patches for the operating system vulnerabilities exploited by W32/Rbot-ACS can be obtained from the Microsoft website:
LSASS (MS04-011) security vulnerability
RPC-DCOM (MS03-039) security vulnerability
WKS (MS03-049) (CAN-2003-0812) security vulnerability
MSSQL (MS02-039) (CAN-2002-0649) security vulnerability

http://www.sophos.com/virusinfo/analyses/w32rbotacs.html

Collapse -
Troj/Banker-HF
by Marianna Schmudlach / May 18, 2005 2:09 AM PDT

Aliases Trojan-Spy.Win32.Banbra.cb

Type Trojan

Troj/Banker-HF is a password stealing Trojan for the Windows platform.
Troj/Banker-HF monitors which URLs are visited by the web browser and creates fake web pages for certain Brazilian banking sites in order to log account information. The logged information is sent to remote users via email.

http://www.sophos.com/virusinfo/analyses/trojbankerhf.html

Collapse -
W32/Mytob-BZ
by Marianna Schmudlach / May 18, 2005 3:59 AM PDT

Type Worm

W32/Mytob-BZ is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-BZ is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011).
W32/Mytob-BZ harvests email addresses from files on the infected computer and from the Windows address book.

http://www.sophos.com/virusinfo/analyses/w32mytobbz.html

Collapse -
W32/Rbot-ABU
by Marianna Schmudlach / May 18, 2005 4:01 AM PDT

Aliases Backdoor.Win32.Agobot.aby

Type Worm

W32/Rbot-ABU is an internet worm and backdoor Trojan.
W32/Rbot-ABU spreads to other network computers by exploiting LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) and MSSQL (MS02-039) buffer overflow vulnerabilities and by copying itself to network shares protected by weak passwords.
W32/Rbot-ABU runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The worm also includes functionality to:
- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software
- disable other applications
- execute arbitrary commands
The following patches for the operating system vulnerabilities exploited by W32/Rbot-ABU can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS02-039

http://www.sophos.com/virusinfo/analyses/w32rbotabu.html

Collapse -
Troj/Dloader-NA
by Marianna Schmudlach / May 18, 2005 4:03 AM PDT
Collapse -
Troj/Dloader-MY
by Marianna Schmudlach / May 18, 2005 4:05 AM PDT
Collapse -
Troj/ServU-AS
by Marianna Schmudlach / May 18, 2005 4:06 AM PDT

Aliases Backdoor.Win32.ServU-based

Type Trojan

Troj/ServU-AS is a hacked version of a commercially available FTP server that will listen on a port for incoming commands from a remote attacker.
Troj/ServU-AS creates text files named chkdrv.vxd and tskman.dll in the current folder.

http://www.sophos.com/virusinfo/analyses/trojservuas.html

Collapse -
W32/Rbot-ABT
by Marianna Schmudlach / May 18, 2005 4:08 AM PDT

Aliases W32/Sdbot.worm.gen.ag

Type Worm

W32/Rbot-ABT is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allows unauthorised remote access to the infected computer via IRC channels while running in the background.
Once installed, W32/Rbot-ABT will give a remote attacker the ablility to perform a set of functions on the infected computer.

http://www.sophos.com/virusinfo/analyses/w32rbotabt.html

Collapse -
Troj/Vidlo-J
by Marianna Schmudlach / May 18, 2005 5:08 AM PDT

Aliases Trojan-Downloader.Win32.Vidlo.m
Downloader-AAP

Type Trojan

Troj/Vidlo-J is a downloading Trojan for the Windows platform that downloads from a predefined web location a prev.exe file detected by Sophos's anti-virus products as Troj/Dloader-NN

http://www.sophos.com/virusinfo/analyses/trojvidloj.html

Popular Forums

icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

FALL TV PREMIERES

Your favorite shows are back!

Don’t miss your dramas, sitcoms and reality shows. Find out when and where they’re airing!