VIRUS ALERTS May 3, 2005

by Marianna Schmudlach / May 3, 2005 1:02 AM PDT

W32/Rbot-ABP
Summary

Type Worm

W32/Rbot-ABP is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.
The worm spreads to network shares with weak passwords and also by using the LSASS security exploit (MS04-011) and the RPC-DCOM security exploit (MS03-039).
Once installed, W32/Rbot-ABP will attempt to perform the following actions when instructed to do so by a remote attacker:
steal CD game keys
set up an FTP server
create a SOCKS4 server
terminate threads and processes
perform port scanning on IP addresses
steal computer system hardware information
capture keystrokes
copy itself to IPC$ network shared folders
download files from the Internet and run them
participate in denial of service (DoS) attacks
The following patches for the operating system vulnerabilities exploited by W32/Rbot-ABP can be obtained from the Microsoft website:
MS04-011
MS03-039

http://www.sophos.com/virusinfo/analyses/w32rbotabp.html

W32/Kedebe-A
by Marianna Schmudlach / May 3, 2005 1:04 AM PDT

Aliases WORM_KEDEBE.A

Type Worm

W32/Kedebe-A is a mass-mailing worm for the Windows platform. It sends email using its own SMTP engine. It kills anti-virus programs and encrypts certain types of files.
W32/Kedebe-A blocks access to certain anti-virus related URLs. The worm creates a mutex to prevent W32/Bagle, W32/Mytob and W32/Netsky from running on the affected system.
Email sent by W32/Kedebe-A has the following characteristics:
Subject line:
(one of the following)
-Mail server upgrading
-Attention!
-Don't send this to me again!
Sender address:
(one of the following)
Secqrity Team
Internet Explorer Team iexplorer@microsoft.com
The Jackson Brothers
Recipient name:
daniel_kqql
helen
helen_2002
Recipient domain name:
(one of the following)
@gmail.com
@hotmail.com
@msn.com
@yahoo.com
Message text:
Hey, why did you send this to me? I'm not going to talk to you again. You know I don't like such kinda pics. I have painted a reply on it. I have also covered the nasty parts with dark color. Anyway check it out it is all in the attachment. Please don't send this kind of pictures to me.
Hi, how are you? I'm fine. Why didn't you reply to me? I'm still waiting...by the way I have sent you my recent picture with the close that like most on. Please reply to me, I'm still waiting for you. I will send you another picture next time you reply, OK.
Attached file:
(one of the following)
Norton AntiVirus 2006 Crack.exe
Naked teen-Actions.com
ZoneAlarm Security Suite 2005 Crack.com
Win Server 2003 Remote Exploit.cmd
Microsoft AntiSpyware Crack.com
DVD to MP3 converter.exe
Admini Password Cracker.exe

http://www.sophos.com/virusinfo/analyses/w32kedebea.html

Troj/Dcmbot-A
by Marianna Schmudlach / May 3, 2005 1:06 AM PDT

Type Trojan

Troj/Dcmbot-A is a Windows backdoor Trojan. The Trojan contains backdoor functions that allow unauthorised remote access to the infected computer while running in the background.
Once installed, the Trojan sets up a listening server awaiting instructions from a remote intruder and injects itself into the Windows Explorer process to stealth itself.
Once an appropriate remote command is received, the Trojan can perform the following functions:
steal email account information from Microsoft Internet Account Manager including POP3 settings and passwords
download and run files from the internet
perform denial of service (DoS) attacks

http://www.sophos.com/virusinfo/analyses/trojdcmbota.html

Troj/Bdoor-HU
by Marianna Schmudlach / May 3, 2005 1:08 AM PDT

Aliases Backdoor.Win32.Small.fb

Type Trojan

Troj/Bdoor-HU is a Windows backdoor Trojan. The Trojan contains backdoor functions that allow unauthorised remote access to the infected computer via an IRC channel while running in the background.
The Trojan also creates the read-only file DCPROMO.LOG in the %WINDOWS%\Debug folder. This file DCPROMO.LOG is not malicious and can be safely deleted.
Troj/Bdoor-HU will also inject itself to the Windows Explorer process in an attempt to stealth itself.
The Trojan will attempt to participate in distributed denial-of-service (DDoS) attacks, download and run files from the internet and probe and test other computers or servers for the LSASS buffer exploit (MS04-011) security vulnerability when instructed to do so by a remote attacker.
The following patch for the operating system vulnerability exploited by Troj/Bdoor-HU can be obtained from the following Microsoft website:
MS04-011

http://www.sophos.com/virusinfo/analyses/trojbdoorhu.html

Troj/DNSBust-B
by Marianna Schmudlach / May 3, 2005 1:09 AM PDT

Aliases Trojan.Win32.DNSChanger.a
TROJ_DNSCHNGR.A

Type Trojan

Troj/DNSBust-B attempts to modify DNS settings on the computer.
The Trojan modifies the file %APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk by creating or changing the entries for IpDnsAddress and IpDns2Address to point to prespecified IP addresses. Troj/DNSBust-B then uses ipconfig.exe to flush the DNS cache.

http://www.sophos.com/virusinfo/analyses/trojdnsbustb.html
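The DNS-changing behaviour described above can be checked for from the defender's side: rasphone.pbk is an INI-style file, so a script can parse it and report any connection entry whose IpDnsAddress or IpDns2Address is hard-coded to something other than the automatic default or an approved resolver. This is an added example, not code from the post or from Sophos; the phonebook contents and the addresses are constructed, and the allow-list is an assumption.

```python
import configparser
import ipaddress

# Constructed sample rasphone.pbk contents (not taken from any real system):
# one entry left at the Windows default (0.0.0.0 = obtain DNS automatically)
# and one whose DNS servers have been rewritten to fixed addresses.
SAMPLE_PBK = """\
[Office VPN]
Encoding=1
Type=2
IpPrioritizeRemote=1
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0

[Home Dial-up]
Encoding=1
Type=1
IpDnsAddress=203.0.113.5
IpDns2Address=198.51.100.7
"""

def parse_pbk(text):
    """Parse the INI-style phonebook text into {entry name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so IpDnsAddress matches as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def find_dns_overrides(entries, allowed=()):
    """Return [(entry, key, value)] for DNS keys that point at an address
    that is neither the automatic default nor an approved resolver."""
    allowed = {str(ipaddress.ip_address(a)) for a in allowed}
    hits = []
    for name, keys in entries.items():
        for key in ("IpDnsAddress", "IpDns2Address"):
            raw = keys.get(key, "0.0.0.0").strip()
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                hits.append((name, key, raw))  # unparsable value: report it too
                continue
            if addr.is_unspecified or str(addr) in allowed:
                continue
            hits.append((name, key, str(addr)))
    return hits

if __name__ == "__main__":
    # Hypothetical corporate resolver on the allow-list (assumption).
    for hit in find_dns_overrides(parse_pbk(SAMPLE_PBK), allowed=["192.0.2.53"]):
        print("hard-coded DNS server in entry %r: %s=%s" % hit)
```

On a live machine, read the file from the %APPDATA%\Microsoft\Network\Connections\Pbk path named in the post and pass its text to parse_pbk; compare any hit against the resolvers your network actually hands out.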

W32/Sober-L
by Marianna Schmudlach / May 3, 2005 1:11 AM PDT

Type Worm

W32/Sober-L is a mass-mailing worm for the Windows platform.
Emails sent by the worm will have the following characteristics:
Subject line:
Ich habe Ihre E-Mail bekommen!
or
Your Password & Account number
Message text:
Hallo,
jemand schickt ihre privaten Mails auf meinem Account.
Ich schaetze mal, das es ein Fehler vom Provider ist.
Insgesamt waren es jetzt schon 6 Mails!
Ich habe alle Mail-Texte im Texteditor kopiert und gezippt.
Wenn es doch kein Fehler vom Provider ist, sorge dafuer das diese Dinger nicht mehr auf meinem Account landen, es Nervt naemlich.
Gruss
or
hi,
i've got an admin mail with a Password and Account info!
but the mail recipient are you! it's probably an esmtp error, i think.
i've copied the full mail text in the Windows text-editor & zipped.
ok, cya...
Attached file:
MailTexte.zip
or
acc_text.zip

http://www.sophos.com/virusinfo/analyses/w32soberl.html

W32/Sober-Gen
by Marianna Schmudlach / May 3, 2005 1:13 AM PDT
W32/Mytob-CA
by Marianna Schmudlach / May 3, 2005 3:47 AM PDT
W32/Rbot-ABQ
by Marianna Schmudlach / May 3, 2005 7:23 AM PDT

Aliases Backdoor.Win32.Rbot.gen

Type Worm

W32/Rbot-ABQ is a member of the W32/Rbot family of worms with a backdoor component that spread on weakly protected network shares on the Windows platform.
W32/Rbot-ABQ also has a backdoor component that allows a malicious user remote access to an infected computer.

http://www.sophos.com/virusinfo/analyses/w32rbotabq.html

W32/Rbot-ABS
by Marianna Schmudlach / May 3, 2005 7:25 AM PDT

Type Worm

W32/Rbot-ABS is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Rbot-ABS spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

http://www.sophos.com/virusinfo/analyses/w32rbotabs.html

W32/Sdbot-XX
by Marianna Schmudlach / May 3, 2005 7:26 AM PDT
Troj/Kelvir-V
by Marianna Schmudlach / May 3, 2005 7:28 AM PDT

Type Trojan

Troj/Kelvir-V is a Trojan for the Windows platform.
The Trojan monitors the status of Windows Messenger contacts and sends the following text to all online contacts:
"check this game http://<domain removed>.com/formav25.exe its hella funny"
At the time of writing, the formav25.exe file was a member of the W32/Sdbot family of worms.

http://www.sophos.com/virusinfo/analyses/trojkelvirv.html

Troj/LowZone-AN
by Marianna Schmudlach / May 3, 2005 7:29 AM PDT

Aliases Trojan.Win32.LowZones.an

Type Trojan

Troj/LowZone-AN is a Trojan for the Windows platform.
The Trojan modifies the security settings for the Internet Zone. The Trojan then opens two Internet Explorer windows displaying predetermined URLs.

http://www.sophos.com/virusinfo/analyses/trojlowzonean.html

Troj/Warspy-G
by Marianna Schmudlach / May 3, 2005 7:31 AM PDT
Troj/RopeDrop-B
by Marianna Schmudlach / May 3, 2005 7:32 AM PDT
Troj/RopeDrop-C
by Marianna Schmudlach / May 3, 2005 7:34 AM PDT