Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - November 1, 2005

by roddy32 / October 31, 2005 7:54 PM PST

Troj/ParDrop-A

Type Trojan

Aliases

* Trojan.Win32.Small.da
* Trojan.Win32.Small.cz
* TROJ_SMALL.RX

Troj/ParDrop-A is a dropper Trojan for the Windows platform.

When first run, Troj/ParDrop-A creates the following files (these files have their read-only, hidden file attributes set):

<System>\explore.exe - detected as Troj/ParDrop-A
<Temp>\<random filename>.tmp - detected as Troj/ParDrop-A
<System>\inetinfo.exe - detected as W32/Parite-B
<System>\svids.dll - data file which may be safely deleted

Troj/ParDrop-A then attempts to load the W32/Parite-B virus by running the file <System>\inetinfo.exe.

http://www.sophos.com/virusinfo/analyses/trojpardropa.html

Troj/LowZone-AW
by roddy32 / October 31, 2005 7:57 PM PST
W32/Mytob-FE
by roddy32 / October 31, 2005 8:00 PM PST

Type Worm

Aliases

* WORM_MYTOB.AZ
* W32.Mytob.U@mm

W32/Mytob-FE is a mass-mailing worm and IRC backdoor Trojan for the Windows platform.

W32/Mytob-FE spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and by copying itself to network shares protected by weak passwords.

W32/Mytob-FE runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Mytob-FE is capable of spreading through email. Email sent by W32/Mytob-FE has the following properties:

Subject line:

Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message text:

'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'
<random characters>

The attached file consists of a base name followed by the extensions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP.

The following patches for the operating system vulnerabilities exploited by W32/Mytob-FE can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

Sophos's anti-virus products include Genotype® detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-FE (detected as W32/Mytob-Fam) since version 3.97.

http://www.sophos.com/virusinfo/analyses/w32mytobfe.html

W32/Tilebot-AN
by roddy32 / October 31, 2005 8:05 PM PST

Type Spyware Worm

Aliases

* Backdoor.Win32.SdBot.aad
* WORM_SDBOT.CGK

W32/Tilebot-AN is a worm and IRC backdoor Trojan for the Windows platform.

W32/Tilebot-AN spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

The following patches for the operating system vulnerabilities exploited by W32/Tilebot-AN can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

http://www.sophos.com/virusinfo/analyses/w32tilebotan.html

W32/Opanki-J
by roddy32 / October 31, 2005 8:07 PM PST

Type Spyware Worm

Aliases

* Backdoor.Win32.Aimbot.at

W32/Opanki-J is an instant-messaging worm and IRC backdoor Trojan for the Windows platform.

W32/Opanki-J is an AOL Instant Messenging worm that attempts to spread by sending a message with a link to the worm copy to all the infected user's contacts.

W32/Opanki-J also spreads to other network computers by exploiting a common buffer overflow vulnerability: PNP (MS05-039).

The following patch for the operating system vulnerability exploited by W32/Opanki-J can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

http://www.sophos.com/virusinfo/analyses/w32opankij.html

W32/Rbot-AUU
by roddy32 / October 31, 2005 8:15 PM PST

Type Spyware Worm

Aliases

* Trojan.Win32.Agent.jy
* WORM_SDBOT.CJK

W32/Rbot-AUU is a network worm with backdoor Trojan functionality for the Windows platform.

W32/Rbot-AUU spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

Sophos's anti-virus products include Genotype® detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Rbot-AUU (detected as W32/Rbot-Fam) since version 3.98.

http://www.sophos.com/virusinfo/analyses/w32rbotauu.html

W32/Agobot-UA
by roddy32 / October 31, 2005 8:19 PM PST

Type Spyware Worm

Aliases

* Backdoor.Win32.Agobot.afz
* WORM_AGOBOT.AXN

W32/Agobot-UA is an internet worm and IRC backdoor Trojan for the Windows platform.

W32/Agobot-UA spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012) and PNP (MS05-039) and by copying itself to network shares protected by weak passwords.

W32/Agobot-UA runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Agobot-UA includes functionality to:

- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software, including updates of its software
- modify the HOSTS file
- disable other software, including anti-virus, firewall and security related applications

The following patches for the operating system vulnerabilities exploited by W32/Agobot-UA can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

http://www.sophos.com/virusinfo/analyses/w32agobotua.html

Troj/Slogger-A
by roddy32 / October 31, 2005 8:34 PM PST

Type Trojan

Aliases

* Trojan-Dropper.Win32.Small.aib

Troj/Slogger-A is a backdoor Trojan for the Windows platform.

Troj/Slogger-A has the capability to communicate with remote servers via HTTP, download and run files, terminate security software, and send email as specified by a remote intruder.

http://www.sophos.com/virusinfo/analyses/trojsloggera.html

W32/Rbot-AUW
by roddy32 / October 31, 2005 8:37 PM PST

Type Spyware Worm

Aliases

* Backdoor.Win32.Rbot.age

W32/Rbot-AUW is an internet worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AUW spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), UPNP (MS01-059), Dameware (CAN-2003-1030), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Rbot-AUW runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-AUW includes functionality to:

- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software

The following patches for the operating system vulnerabilities exploited by W32/Rbot-AUW can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotauw.html

W32/Mytob-FF
by roddy32 / October 31, 2005 8:41 PM PST

Type Worm

W32/Mytob-FF is a mass-mailing worm and IRC backdoor Trojan.

W32/Mytob-FF runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels, including the ability to download and execute files on the infected computer.

W32/Mytob-FF can spread by sending itself as an email attachment to email addresses it harvests from the infected computer, either as an attachment with a double-extension or as a zip file containing a file with a double-extension. W32/Mytob-FF avoids sending emails to addresses containing certain strings in them.

W32/Mytob-FF processes the emails it has harvested by splitting them into name and domain. Once it has sent itself to the emails it has harvested, it uses a predefined list of names with the harvested domains. W32/Mytob-FF spoofs the sender, sending emails as if from one of the following at the same domain as the recipient:

support
administrator
mail
service
admin
info
register
webmaster

For example if sending itself to name@example.com, W32/Mytob-FF might send the email as if from admin@example.com.

Emails sent by the worm have characteristics from the following:

Subject line:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>

Message text - a formatted version of one of the following:
Dear user <recipient's username>,

You have successfully updated the password of your <recipient's domain> account.

If you did not authorize this change or if you need assistance with your account, please contact <recipient's domain> customer service at: <spoofed sender address>

Thank you for using <recipient's domain>!
The <recipient's domain> Support Team <BR>

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear user <recipient's username>,

It has come to our attention that your <recipient's domain> User Profile ( x ) records are out of date. For further details see the attached document.

Thank you for using <recipient's domain>!
The <recipient's domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear <recipient's username> Member,

We have temporarily suspended your email account <recipient's domain>.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your <recipient's domain> account.

Sincerely,The <recipient's domain> Support Team

+++ Attachment: No Virus (Clean)
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Dear <recipient's domain> Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,
The <recipient's domain> Support Team

+++ Attachment: No Virus found
+++ <recipient's domain> Antivirus - www.<recipient's domain>

Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<randomly named>

First extension (of attachment or of file inside zip):
doc
htm
txt

Second extension (of attachment or of file inside zip):
pif
scr
exe
cmd
bat

If the attachment is a zip file it will have the same base name as the double-extension file inside.

Example attachment names include document.txt.pif and information.doc.cmd, usually with a large number of spaces between the extensions.

W32/Mytob-FF modifies the Windows hosts file in order to block access to certain security-related websites.

http://www.sophos.com/virusinfo/analyses/w32mytobff.html
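As an added example (not from the post or from Sophos), a small Python filter that flags mail carrying the W32/Mytob-FF traits described above: a role-account sender spoofed at the recipient's own domain, an account/password-themed subject, and a double-extension attachment with optional space padding between the extensions. The list of attachment names passed in is assumed to already include the names of files inside any zip, as a mail gateway would extract them.

```python
import re
from dataclasses import dataclass, field

# Indicator lists transcribed from the W32/Mytob-FF description above.
SPOOFED_SENDERS = {"support", "administrator", "mail", "service",
                   "admin", "info", "register", "webmaster"}
FIRST_EXT = {"doc", "htm", "txt"}
SECOND_EXT = {"pif", "scr", "exe", "cmd", "bat"}
SUBJECT_HINTS = ("password", "account", "suspend", "violation",
                 "security", "notification", "support")

# base name, first extension, optional run of spaces, final extension,
# e.g. "document.txt                    .pif" or "information.doc.cmd"
DOUBLE_EXT_RE = re.compile(
    r"^(?P<base>[^.]+)\.(?P<ext1>[a-z]{3})(?P<pad>\s*)\.(?P<ext2>[a-z]{3})$",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def _split(addr: str):
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def attachment_is_suspicious(name: str) -> bool:
    """True for Mytob-FF style names: <base>.<doc|htm|txt>[spaces].<pif|scr|exe|cmd|bat>."""
    m = DOUBLE_EXT_RE.match(name)
    return bool(m) and m["ext1"].lower() in FIRST_EXT \
        and m["ext2"].lower() in SECOND_EXT


def assess(sender: str, recipient: str, subject: str, attachments: list) -> Verdict:
    """Score one message; each matched Mytob-FF trait adds one point."""
    v = Verdict()
    s_local, s_domain = _split(sender)
    _, r_domain = _split(recipient)
    # Trait 1: spoofed role account at the recipient's own domain.
    if s_domain == r_domain and s_local in SPOOFED_SENDERS:
        v.reasons.append(f"sender {sender} is a generic role account at the recipient's domain")
    # Trait 2: account / password lure in the subject.
    if any(h in subject.lower() for h in SUBJECT_HINTS):
        v.reasons.append("subject mimics an account or password notice")
    # Trait 3: double-extension attachment, possibly space-padded.
    for name in attachments:
        if attachment_is_suspicious(name):
            m = DOUBLE_EXT_RE.match(name)
            padded = " (space-padded)" if m["pad"] else ""
            v.reasons.append(f"double-extension attachment {name.strip()!r}{padded}")
    v.score = len(v.reasons)
    return v


if __name__ == "__main__":
    # Constructed sample resembling the lure described above.
    v = assess("admin@example.com", "name@example.com",
               "Your password has been updated", ["document.txt          .pif"])
    print(v.score, v.reasons)
```

A score of 2 or more is a reasonable quarantine threshold; a single hit (for example only the subject) is common in legitimate mail and should only be logged.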

W32/Rbot-ATE
by roddy32 / October 31, 2005 11:57 PM PST

Type Worm

Aliases

* Backdoor.Win32.Rbot.aci

W32/Rbot-ATE is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-ATE spreads to network shares with weak passwords and by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007).

W32/Rbot-ATE runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotate.html

Troj/CWS-N
by roddy32 / November 1, 2005 12:00 AM PST

Troj/Rider-AB
by roddy32 / November 1, 2005 12:02 AM PST

Type Trojan

Troj/Rider-AB is a Trojan that attempts to download further malicious code.

The Trojan exploits a vulnerability associated with some versions of Microsoft Internet Explorer to load a malicious script (or HTML page containing a malicious script) via the DATA attribute of an OBJECT element.

http://www.sophos.com/virusinfo/analyses/trojriderab.html

Troj/LegMir-BH
by roddy32 / November 1, 2005 12:07 AM PST

Troj/Stinx-B
by roddy32 / November 1, 2005 12:12 AM PST

Type Trojan

Aliases

* Backdoor.Win32.Breplibot.a
* W32/Brepibot

Troj/Stinx-B is a backdoor Trojan for the Windows platform.

Troj/Stinx-B runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

Troj/Stinx-B may arrive as an attachment to an email with the subject line 'Photo Approval Needed'. The filename used is 'Photo + Article.exe'.

Troj/Stinx-B can be instructed to delete, execute, and download and execute files.

Troj/Stinx-B will also try and circumvent the Windows Firewall if it is present.

http://www.sophos.com/virusinfo/analyses/trojstinxb.html

Troj/Multidr-EQ
by roddy32 / November 1, 2005 12:13 AM PST

Type Trojan

Troj/Multidr-EQ is a Trojan for the Windows platform.

When run, Troj/Multidr-EQ creates and runs the following files in the current folder:

is.exe (detected as Troj/ConHook-N)
low.exe (detected as Troj/LowZone-AU)
mmxateam.exe (detected as Troj/Dloader-WX)
sw.bat (may be safely deleted)
tb.exe (adware component)
xe.exe (detected as Troj/Drsmartl-A)

http://www.sophos.com/virusinfo/analyses/trojmultidreq.html

Troj/Proxyser-M
by roddy32 / November 1, 2005 12:15 AM PST

Troj/HconKit-B
by roddy32 / November 1, 2005 12:41 AM PST

Troj/HelpCon-G
by roddy32 / November 1, 2005 12:44 AM PST

Troj/LowZone-AU
by roddy32 / November 1, 2005 12:46 AM PST

Troj/GetReal-A
by roddy32 / November 1, 2005 12:48 AM PST

Troj/Dloader-WZ
by roddy32 / November 1, 2005 12:50 AM PST

Troj/Paymite-C
by roddy32 / November 1, 2005 1:36 AM PST

Troj/Dloader-XV
by roddy32 / November 1, 2005 1:38 AM PST

Troj/Small-ER
by roddy32 / November 1, 2005 1:41 AM PST

Troj/Dloader-XU
by roddy32 / November 1, 2005 1:42 AM PST

Troj/Killav-AR
by roddy32 / November 1, 2005 1:45 AM PST

Troj/Bancban-HB
by roddy32 / November 1, 2005 1:48 AM PST

Type Spyware Trojan

Aliases

* Trojan-Spy.Win32.Banker.aho
* PWS-Banker.gen.bb

Troj/Bancban-HB is a password stealing Trojan targeted at customers of Brazilian banks.

Troj/Bancban-HB attempts to log keypresses entered into certain websites and online banking applications. The Trojan may display fake user interfaces in order to persuade the user to enter confidential details. Stolen information is sent by email to a remote user.

http://www.sophos.com/virusinfo/analyses/trojbancbanhb.html

W32/Rbot-AUV
by roddy32 / November 1, 2005 1:52 AM PST

Type Spyware Worm

Aliases

* WORM_RBOT.CGJ

W32/Rbot-AUV is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AUV spreads:

- to other network computers infected with: W32/MyDoom and W32/Bagle
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), Veritas (CAN-2004-1172), PNP (MS05-039) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-AUV runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

Information on the exploits above can be found here:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotauv.html

W32/Rbot-AUX
by roddy32 / November 1, 2005 1:58 AM PST

Type Worm

Aliases

* Backdoor.Win32.Rbot.uc
* Sdbot.worm.gen.q
* W32.Spybot.Worm
* WORM_AGOBOT.ATL

W32/Rbot-AUX is a worm for the Windows platform.

W32/Rbot-AUX spreads to other network computers by exploiting common buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).

When first run W32/Rbot-AUX copies itself to <System>\wininet.exe and creates the file \a.bat.

The file a.bat is detected as W32/Rbot-AIF.

http://www.sophos.com/virusinfo/analyses/w32rbotaux.html

W32/Rbot-AUY
by roddy32 / November 1, 2005 2:00 AM PST

Type Worm

Aliases

* Backdoor.Win32.Rbot.gen
* Sdbot.worm.gen.bi
* W32.Spybot.Worm
* WORM_RBOT.GEN

W32/Rbot-AUY is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AUY spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Rbot-AUY runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotauy.html
