Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - May 7, 2004

by Marianna Schmudlach / May 7, 2004 12:43 AM PDT

W32/Lovgate-V

Aliases
I-Worm.LovGate.w, W32.Lovgate.Gen@mm, WORM_LOVGATE.V

Type
Win32 worm

Description
W32/Lovgate-V is a variant of the W32/Lovgate family of worms that spread via email, network shares and filesharing networks.
W32/Lovgate-V copies itself to the Windows system folder as the files WinHelp.exe, iexplore.exe, kernel66.dll and ravmond.exe and to the Windows folder as systra.exe.

The worm also drops the files msjdbc11.dll, mssign30.dll and odbc16.dll which
provide unauthorised remote access to the computer over a network.


More: http://www.sophos.com/virusinfo/analyses/w32lovgatev.html

W32/Sdbot-JT
by Marianna Schmudlach / May 7, 2004 12:47 AM PDT

Aliases
W32/Sdbot.worm.gen.j virus, W32.Randex.gen

Type
Win32 worm

Description
W32/Sdbot-JT is a member of the W32/Sdbot family of worms.
W32/Sdbot-JT copies itself to the Windows system folder as nmsmtp32.exe and sets the following registry entries to ensure it is run at system logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows driver update = <SYSTEM>\nmsmtp32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows driver update = <SYSTEM>\nmsmtp32.exe

http://www.sophos.com/virusinfo/analyses/w32sdbotjt.html

W32/Sdbot-JQ
by Marianna Schmudlach / May 7, 2004 12:50 AM PDT

Aliases
W32.IRCBot.Gen, W32/Sdbot.worm.gen.b virus

Type
Win32 worm

Description
W32/Sdbot-JQ is a member of the W32/Sdbot family of worms.
W32/Sdbot-JQ copies itself to the Windows system folder as shrl.exe and sets
the following registry entry to ensure it is run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Micosoftartup = shrl.exe

http://www.sophos.com/virusinfo/analyses/w32sdbotjq.html

W32/Sdbot-JR
by Marianna Schmudlach / May 7, 2004 12:52 AM PDT

Aliases
W32/Sdbot.worm.gen.b virus, Backdoor.IRC.Bot

Type
Win32 worm

Description
W32/Sdbot-JR is a member of the W32/Sdbot family of worms.
W32/Sdbot-JR copies itself to the Windows system folder as syxall.exe and sets the following registry entry to ensure it is run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MicosoftStartup = syxall.exe

http://www.sophos.com/virusinfo/analyses/w32sdbotjr.html

Troj/Ranck-P
by Marianna Schmudlach / May 7, 2004 12:54 AM PDT

Aliases
Backdoor.Ranky, Proxy-FBSR.gen trojan

Type
Trojan

Description
Troj/Ranck-P is an HTTP proxy Trojan that allows a remote intruder to route
HTTP traffic through the computer.
Troj/Ranck-P creates the following registry entry that points to the copy of the Trojan to ensure it is run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NTServ

Troj/Ranck-P runs continuously in the background listening on a port.

http://www.sophos.com/virusinfo/analyses/trojranckp.html

W32/Sdbot-KV
by Marianna Schmudlach / May 7, 2004 12:56 AM PDT

Aliases
W32/Sdbot.worm.gen.b virus, W32.HLLW.Gaobot.gen

Type
Win32 worm

Description
W32/Sdbot-KV is a member of the W32/Sdbot family of worms.
W32/Sdbot-KV copies itself to the Windows system folder as ffqca.exe and sets the following registry entry to ensure it is run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
dS35DLL = ffqca.exe

http://www.sophos.com/virusinfo/analyses/w32sdbotkv.html

Troj/Oscor-A
by Marianna Schmudlach / May 7, 2004 12:58 AM PDT

Type
Trojan

Description
Troj/Oscor-A is an IRC based backdoor Trojan that allows a remote intruder
access to your computer.
The Trojan copies itself as iexplore.exe to the Windows system folder and
creates a service called iexplore to run this file.

The Trojan can remove root Windows file shares making remote administration
difficult.

http://www.sophos.com/virusinfo/analyses/trojoscora.html

W32/Agobot-HQ
by Marianna Schmudlach / May 7, 2004 1:00 AM PDT

Aliases
Agobot.HD, Gaobot.worm.gen.d

Type
Win32 worm

Description
W32/Agobot-HQ is a worm that spreads via the RPC/DCOM vulnerability or by
using RPC calls on machines with weak passwords.
In order to run automatically when Windows starts up the worm copies
itself to the file winaps.exe in the Windows system folder, creates its own
process named "Video Proces" and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Video Proces = winaps.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Video Proces = winaps.exe

W32/Agobot-HQ runs continuously in the background, allowing a remote
intruder to access and control the computer via IRC channels.


MORE: http://www.sophos.com/virusinfo/analyses/w32agobothq.html

W32/Sdbot-IB
by Marianna Schmudlach / May 7, 2004 1:03 AM PDT

Aliases
W32/Sdbot.worm.gen.e, Backdoor.Sdbot.Y

Type
Win32 worm

Description
W32/Sdbot-IB is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised remote
access to the infected computer via IRC channels while running in the
background as a service process.
W32/Sdbot-IB copies itself to the Windows system folder as IEXPLORE.EXE
and creates a system service of the same name in order to run itself on system
startup.

W32/Sdbot-IB deletes all network shares on the local machine.

W32/Sdbot-IB spreads to network shares with weak passwords as a result of the
backdoor Trojan element receiving the appropriate command from a remote user.

http://www.sophos.com/virusinfo/analyses/w32sdbotib.html

Troj/Daemoni-D
by Marianna Schmudlach / May 7, 2004 1:05 AM PDT

W32/Agobot-HV
by Marianna Schmudlach / May 7, 2004 1:07 AM PDT

Type
Win32 worm

Description
W32/Agobot-HV is a member of the W32/Agobot family of worms with a backdoor
component.
In order to run automatically when Windows starts up the worm copies itself to
the file cvmonitor.exe in the Windows system folder and adds the following
registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\cvmonitor
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\cvmonitor.

W32/Agobot-HV allows remote access to a compromised computer via the IRC network.

http://www.sophos.com/virusinfo/analyses/w32agobothv.html

W32/Sdbot-IH
by Marianna Schmudlach / May 7, 2004 2:05 AM PDT

Type
Win32 worm

Description
W32/Sdbot-IH is a network worm and backdoor Trojan. The worm spreads by copying itself to network shares that have weak passwords.
The worm creates a copy of itself named bot.exe in the Windows system folder
and adds the following registry entries to ensure that the copy is run each time Windows starts:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Synchronization Manager = bot.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Synchronization Manager = bot.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Synchronization Manager = bot.exe

W32/Sdbot-IH maintains a log of the user's keystrokes in a file named keylog.txt
in the Windows system folder.


MORE: http://www.sophos.com/virusinfo/analyses/w32sdbotih.html
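Added example, not part of the original posts or of the Sophos write-ups: a Python check that scans `reg query` output for the Run and RunServices autostart values named in several of the alerts above (a subset is listed). The sample output and its `Backup Agent` entry are constructed; a match on only the value name or only the file name is reported for review rather than as a confirmed hit.

```python
import re

# (value name, file name, alert) copied from the posts above.
INDICATORS = [
    ("Windows driver update", "nmsmtp32.exe", "W32/Sdbot-JT"),
    ("MicosoftStartup", "syxall.exe", "W32/Sdbot-JR"),
    ("dS35DLL", "ffqca.exe", "W32/Sdbot-KV"),
    ("Video Proces", "winaps.exe", "W32/Agobot-HQ"),
    ("Microsoft Synchronization Manager", "bot.exe", "W32/Sdbot-IH"),
]
AUTOSTART = re.compile(r"\\currentversion\\run(services)?$", re.I)
VALUE = re.compile(r"^\s+(.+?)(?:\t|\s{2,})(REG_\w+)(?:\t|\s{2,})(.*)$")
EXE = re.compile(r'([^\\/"]+\.exe)', re.I)

def scan(reg_query_output):
    """Return (key, value name, data, alert, confidence) for each hit."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith(("HKEY_", "HKLM\\", "HKCU\\")):
            key = line.strip()  # start of a new registry key section
            continue
        m = VALUE.match(line)
        if not m or key is None or not AUTOSTART.search(key):
            continue  # only values under Run / RunServices are of interest
        name, _, data = m.groups()
        exe = EXE.search(data)
        exe = exe.group(1).lower() if exe else ""
        for ioc_name, ioc_file, alert in INDICATORS:
            name_hit = name.strip().lower() == ioc_name.lower()
            file_hit = exe == ioc_file
            if name_hit and file_hit:
                hits.append((key, name, data, alert, "high"))
            elif name_hit or file_hit:
                # One half matches: may be a variant or an unrelated program.
                hits.append((key, name, data, alert, "review"))
    return hits

# Constructed sample in `reg query` layout; not captured from a real host.
SAMPLE = """\
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
    Video Proces    REG_SZ    winaps.exe
    Backup Agent    REG_SZ    "C:\\Tools\\bot.exe" /quiet

HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices
    Video Proces    REG_SZ    winaps.exe
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```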

Troj/Bulkem-A
by Marianna Schmudlach / May 7, 2004 2:08 AM PDT

W32/Agobot-HR
by Marianna Schmudlach / May 7, 2004 2:10 AM PDT

Troj/Multidr-N
by Marianna Schmudlach / May 7, 2004 2:12 AM PDT

Troj/Multidr-O
by Marianna Schmudlach / May 7, 2004 2:14 AM PDT

W32/Sdbot-IC
by Marianna Schmudlach / May 7, 2004 2:16 AM PDT

W32/Sdbot-ID
by Marianna Schmudlach / May 7, 2004 2:18 AM PDT

W32/Agobot-HS
by Marianna Schmudlach / May 7, 2004 2:20 AM PDT

Troj/Sdbot-BF
by Marianna Schmudlach / May 7, 2004 2:22 AM PDT

W32/Agobot-HT
by Marianna Schmudlach / May 7, 2004 2:24 AM PDT

W32/Agobot-MJ
by Marianna Schmudlach / May 7, 2004 2:26 AM PDT

W32.Randex.AEV
by Marianna Schmudlach / May 7, 2004 1:27 PM PDT

Discovered on: May 06, 2004
Last Updated on: May 07, 2004 02:13:33 PM

W32.Randex.AEV is a network-aware worm that tries to connect to a predetermined IRC server. If this worm is successful, it will wait for instructions from the attacker.

W32.Randex.AEV is written in Microsoft Visual C++, and is packed with UPX and Morphine.

Note: Virus definitions version 60503av (extended version 5/3/2004 rev. 48) detected this threat as W32.Randex.gen.


Also Known As: W32/Sdbot.worm.gen.j [McAfee], WORM_SDBOT.Z [Trend]

Type: Worm
Infection Length: 44,032 bytes

http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.aev.html

W32.Gobot.A
by Marianna Schmudlach / May 7, 2004 1:29 PM PDT

Discovered on: May 06, 2004
Last Updated on: May 07, 2004 11:22:01 AM

W32.Gobot.A is a worm that spreads through IRC, open network shares, and file-sharing networks. The worm also propagates through any backdoors installed by the Mydoom family of worms.

The worm is written in Borland Delphi programming language and may be compressed with UPX.


Also Known As: Backdoor.Gobot.u [Kaspersky], Exploit-Mydoom [McAfee]

Type: Trojan Horse, Worm
Infection Length: varies

http://securityresponse.symantec.com/avcenter/venc/data/w32.gobot.a.html

Hacktool.Upload
by Marianna Schmudlach / May 7, 2004 1:32 PM PDT

Discovered on: May 07, 2004
Last Updated on: May 07, 2004 11:12:31 AM

Hacktool.Upload is a script that an attacker can use to upload files to Web servers that have already been compromised.

This tool can only run on Windows 2000/XP/Server 2003 computers that have Microsoft Internet Information Services (IIS) installed.




Type: Trojan Horse
Infection Length: 486 bytes, 5871 bytes

http://securityresponse.symantec.com/avcenter/venc/data/hacktool.upload.html

W32.Axon
by Marianna Schmudlach / May 7, 2004 1:34 PM PDT

Discovered on: May 07, 2004
Last Updated on: May 07, 2004 02:41:33 PM

W32.Axon is a simple virus that prepends itself to the files with the .exe extension. It also deletes the files with .mp3 and .avi extensions.

Also Known As: W32/Riaz [McAfee], Win32.HLLP.Xenon [Kaspersky]

Type: Virus
Infection Length: 85000 bytes

http://securityresponse.symantec.com/avcenter/venc/data/w32.axon.html

DDoS-Chessmess
by Marianna Schmudlach / May 7, 2004 1:38 PM PDT
