Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - May 20, 2005

W32/Rbot-RF
Summary


Aliases Backdoor.Win32.Rbot.gen
W32/Sdbot.worm.gen.j
WORM_SPYBOT.HF

W32/Rbot-RF is a network worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-RF spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-RF can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-RF can be instructed by a remote user to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)

http://www.sophos.com/virusinfo/analyses/w32rbotrf.html

Troj/Dloader-YP

In reply to: VIRUS ALERTS - May 20, 2005

Aliases TrojanDownloader.Win32.Agent.am
Downloader-JU
Trojan-Dropper.Win32.Agent.az
Trojan.Agent-64

Type Trojan

Troj/Dloader-YP is a downloader Trojan.
Troj/Dloader-YP may be copied to the Windows system folder with a filename equivalent to the name of a system DLL found in that folder, where the DLL extension is replaced with an EXE extension.

http://www.sophos.com/virusinfo/analyses/trojdloaderyp.html

Troj/BettInet-C

In reply to: VIRUS ALERTS - May 20, 2005

W32/Rbot-RI

In reply to: VIRUS ALERTS - May 20, 2005

Aliases Backdoor.Win32.Rbot.gen

Type Worm

W32/Rbot-RI is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.
The worm spreads to network shares with weak passwords and also by using the LSASS security exploit (MS04-011) and the RPC-DCOM security exploit (MS03-039).
Once installed, W32/Rbot-RI will attempt to partake in distributed denial of service (DDoS) attacks, download and run files from the internet, steal CD keys and create a SOCKS4 server when instructed to do so by a remote attacker.

http://www.sophos.com/virusinfo/analyses/w32rbotri.html

W32/Agobot-OG

In reply to: VIRUS ALERTS - May 20, 2005

Type Worm

W32/Agobot-OG is an IRC backdoor Trojan and network worm.
W32/Agobot-OG is capable of spreading to computers on the local network protected by weak passwords.
The Trojan runs continuously in the background providing backdoor access to the computer through IRC channels.

http://www.sophos.com/virusinfo/analyses/w32agobotog.html

W32/Rbot-RG

In reply to: VIRUS ALERTS - May 20, 2005

Aliases Backdoor.Win32.PoeBot.a

Type Worm

W32/Rbot-RG is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.
The worm spreads to network shares with weak passwords and also by using the LSASS security exploit (MS04-011) and the RPC-DCOM security exploit (MS03-039).
W32/Rbot-RG may try to exploit backdoors and vulnerabilities used by the MyDoom family of worms.

http://www.sophos.com/virusinfo/analyses/w32rbotrg.html

W32/Maslan-A

In reply to: VIRUS ALERTS - May 20, 2005

Type Worm

W32/Maslan-A is a worm which spreads by emailing itself to addresses found on the infected computer.
The worm also spreads to network shares with weak passwords and by using the LSASS security exploit (MS04-011) and the RPC-DCOM security exploit (MS03-039).

http://www.sophos.com/virusinfo/analyses/w32maslana.html

Troj/Sdbot-RV

In reply to: VIRUS ALERTS - May 20, 2005

Aliases Backdoor.Win32.IRCBot.b

Type Trojan

Troj/Sdbot-RV is a Windows Trojan.
The Trojan contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.
Troj/Sdbot-RV will attempt to partake in distributed denial-of-service (DDoS) attacks and download and run files from the internet when instructed to do so by a remote attacker.
The Trojan also tries to terminate and disable various anti-virus and security-related programs.

http://www.sophos.com/virusinfo/analyses/trojsdbotrv.html

W32/Mytob-EM

In reply to: VIRUS ALERTS - May 20, 2005

Aliases WORM_MYTOB.EM
Net-Worm.Win32.Mytob.t
W32.Mytob.CF@mm

Type Worm

W32/Mytob-EM is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-EM drops a file called hellmsn.exe (detected by Sophos as W32/Mytob-D) in the same location. This component attempts to spread the worm by sending copies through Windows Messenger to all online contacts.
W32/Mytob-EM is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011).

http://www.sophos.com/virusinfo/analyses/w32mytobem.html

Troj/StartPa-GI

In reply to: VIRUS ALERTS - May 20, 2005

W32/Sdranck-F

In reply to: VIRUS ALERTS - May 20, 2005

Type Worm

W32/Sdranck-F is a multi-component network worm.
W32/Sdranck-F drops two files to the winnt\system32 folder, OSEDET.EXE and OMECIDU.EXE. OMECIDU.EXE is a member of the Troj/Ranck family of proxy Trojans and OSEDET.EXE is a member of the W32/Sdbot family of network worms. The OSEDET.EXE spreads W32/Sdranck-F to network shares with weak passwords and via network security exploits.

http://www.sophos.com/virusinfo/analyses/w32sdranckf.html

W32/Sdranck-E

In reply to: VIRUS ALERTS - May 20, 2005

Type Worm

W32/Sdranck-E is a multi-component network worm.
W32/Sdranck-E drops two files to the winnt\system32 folder, IPOCI.EXE and EYENEDUMI.EXE. EYENEDUMI.EXE is a member of the Troj/Ranck family of proxy Trojans and IPOCI.EXE is a member of the W32/Sdbot family of network worms. The IPOCI.EXE spreads W32/Sdranck-E to network shares with weak passwords and via network security exploits.


http://www.sophos.com/virusinfo/analyses/w32sdrancke.html

Troj/StartPa-UA

In reply to: VIRUS ALERTS - May 20, 2005

Troj/Rootkit-W

In reply to: VIRUS ALERTS - May 20, 2005

W32/Sdbot-BPZ

In reply to: VIRUS ALERTS - May 20, 2005

Type Worm

W32/Sdbot-BPZ is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Sdbot-BPZ connects to a predetermined IRC channel and awaits further commands from remote users.
The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-BPZ also drops a file as rdriv.sys. Sophos's anti-virus products detect rdriv.sys as Troj/Rootkit-W.

http://www.sophos.com/virusinfo/analyses/w32sdbotbpz.html

Troj/Rival-A

In reply to: VIRUS ALERTS - May 20, 2005

Aliases Trojan-Downloader.Win32.Small.ahv
W32/Downloader.AIH
Downloader-UH
Trojan.Downloader.Small-380

Type Trojan

Troj/Rival-A is a Trojan that attempts to download and run further malware.
At the time of writing, different versions of this Trojan have been seen to download files detected as Troj/Small-VQ, Troj/Dropper-R and Dial/Conc-A.


http://www.sophos.com/virusinfo/analyses/trojrivala.html

Troj/HacDef-Q

In reply to: VIRUS ALERTS - May 20, 2005

WM97/Downfet-A

In reply to: VIRUS ALERTS - May 20, 2005

Troj/Horst-A

In reply to: VIRUS ALERTS - May 20, 2005

Troj/Inor-M

In reply to: VIRUS ALERTS - May 20, 2005

Troj/SecondT-D

In reply to: VIRUS ALERTS - May 20, 2005

Aliases Trojan-Downloader.Win32.Agent.fn
Downloader-TZ
W32/Downloader.BGQ

Type Trojan

Troj/SecondT-D is a Trojan for the Windows platform.
Troj/SecondT-D attempts to download a configuration file from a number of websites in order to determine its behaviour, including the ability to download and execute further files from remote locations and to set or delete entries in the registry.

http://www.sophos.com/virusinfo/analyses/trojsecondtd.html

W32/Agobot-AAZ

In reply to: VIRUS ALERTS - May 20, 2005

Type Worm

W32/Agobot-AAZ is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Agobot-AAZ is capable of spreading to computers on the local network protected by weak passwords.
The backdoor component runs continuously in the background providing backdoor access to the computer through IRC channels.

http://www.sophos.com/virusinfo/analyses/w32agobotaaz.html

Troj/Ablank-Y

In reply to: VIRUS ALERTS - May 20, 2005

W32/Rbot-ACV

In reply to: VIRUS ALERTS - May 20, 2005

Aliases WORM_SDBOT.Y

Type Worm

W32/Rbot-ACV is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.
Once installed, W32/Rbot-ACV will attempt to perform the following actions when instructed to do so by a remote attacker:
steal CD game keys
perform port scanning on IP addresses
capture keystrokes

http://www.sophos.com/virusinfo/analyses/w32rbotacv.html

Troj/AVTerm-A

In reply to: VIRUS ALERTS - May 20, 2005

Troj/AVTerm-B

In reply to: VIRUS ALERTS - May 20, 2005

Troj/Banker-CU

In reply to: VIRUS ALERTS - May 20, 2005

Type Trojan

Troj/Banker-CU is a password-stealing Trojan for the Windows platform.
Troj/Banker-CU monitors which URLs are visited by the web browser and creates fake web pages for certain Brazilian banking sites in order to log account information. The logged information is sent to remote users via email.

http://www.sophos.com/virusinfo/analyses/trojbankercu.html

Troj/Keylog-AJ

In reply to: VIRUS ALERTS - May 20, 2005

Aliases Keylogger.Trojan
Backdoor.Win32.Vatos.24
BackDoor-CQL.dll

Type Trojan

Troj/Keylog-AJ is a DLL keylogger helper component for the Windows platform.
Once installed, the Trojan hooks itself into the installer-defined process and silently captures keystrokes and sends the information back to the installer application.

http://www.sophos.com/virusinfo/analyses/trojkeylogaj.html

W32/Rbot-ACU

In reply to: VIRUS ALERTS - May 20, 2005

Aliases Backdoor.Win32.Rbot.px

Type Worm

W32/Rbot-ACU is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.
Once installed, W32/Rbot-ACU will attempt to perform the following actions when instructed to do so by a remote attacker:
capture keystrokes
terminate threads and processes
perform port scanning on IP addresses
steal computer system hardware information
copy itself to network shared folders
download files from the Internet and run them
participate in denial of service (DoS) attacks
perform DCC file transfers over IRC channels
act as an HTTP proxy
set up a SOCKS4 server

http://www.sophos.com/virusinfo/analyses/w32rbotacu.html
