
Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - November 22, 2005

by roddy32 / November 21, 2005 11:28 PM PST

W32/P2Load-D

Type Worm

Aliases

* W32.Peerload.A
* WORM_P2LOAD.A
* P2P-Worm.Win32.P2Load.a

W32/P2Load-D is a worm for the Windows platform.

W32/P2Load-D spreads via file sharing on P2P networks.

W32/P2Load-D includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/w32p2loadd.html

Troj/Kod-D
by roddy32 / November 21, 2005 11:29 PM PST

W32/Mytob-FR
by roddy32 / November 21, 2005 11:31 PM PST

Type Worm

W32/Mytob-FR is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-FR runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Mytob-FR sends emails in the following format, with details filled in to make the email look more authentic:

Subject line chosen from:

*IMPORTANT* Winnings notification
Claim your free prize
Free Account Signup
Free Prize.
Important Notification
Notice of prize winnings
Retrive You Free iPod Nano!
SENDING FREE IPOD MEASURES
Your Account is a winner
YourFreeiPod Support
<random characters>

Message text chosen from (the worm will insert the username and the email domain of the addressee into the email):

'Dear user <UserName>,

It has come to our attention that your one of five winners this month from YourFreeiPod.com

Please see the attachment in the email for further details.
Thank you for using YourFreeiPod.com!
The YourFreeiPod Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>.com'

'Dear user <UserName>,

You have been picked to receive a free prize!

Check the attachment in this email for claiming your prize.

Thank you
The YourFreeiPod Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>.com'

'Dear user <UserName>,

It has come to our attention that your one of five winners this month from YourFreeiPod.com

Please see the attachment in the email for further details.
Thank you for using YourFreeiPod.com!
The YourFreeiPod Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>.com'

'Dear <domain> Member,

Please claim your free iPod Movie mediaplayer

Us here at YourFreeiPod.com like to treat our members so we give away a free iPod every month.

Attached to this email is the details on how you can claim your prize

Sincerely,The YourFreeiPod Team

+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>'

The attached file consists of a base name followed by the extension ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is BAT, CMD, PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from:

accept-terms
claim-prize
important-details
readme
ship-prize
shipping-details
terms
winner-details
winnings-report
<random>

The zip file will contain the worm with double extension. The first extension will be one of DOC, HTM, TXT followed by spaces and the second extension is EXE, SCR or PIF.

W32/Mytob-FR harvests email addresses from files on the infected computer and from the Windows address book.

http://www.sophos.com/virusinfo/analyses/w32mytobfr.html
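The attachment naming described in the post above (a DOC, TXT or HTM extension, optional padding spaces, then an executable extension, possibly inside a ZIP) is something a mail gateway can check by name alone. The following is an added example, not part of the original post or of the Sophos analysis; the function names and the sample attachments are constructed for illustration.

```python
import io
import re
import zipfile

# Extension sets taken from the W32/Mytob-FR description in the post above.
DECOY_EXTS = {"doc", "txt", "htm"}
ATTACHMENT_FINAL_EXTS = {"bat", "cmd", "pif", "scr", "exe", "zip"}
ZIP_MEMBER_FINAL_EXTS = {"exe", "scr", "pif"}

# <base>.<decoy><optional padding spaces>.<final>
DOUBLE_EXT = re.compile(r"^.+?\.(?P<decoy>[^.\s]+)\s*\.(?P<final>[^.\s]+)\s*$")

def double_extension(name, final_exts):
    """Return (decoy, final) when name hides an executable behind a document extension."""
    leaf = re.split(r"[\\/]", name)[-1]
    m = DOUBLE_EXT.match(leaf)
    if not m:
        return None
    decoy, final = m["decoy"].lower(), m["final"].lower()
    return (decoy, final) if decoy in DECOY_EXTS and final in final_exts else None

def inspect_attachment(filename, data):
    """Check the attachment name and, for ZIP archives, every member name."""
    findings = []
    if double_extension(filename, ATTACHMENT_FINAL_EXTS):
        findings.append(("attachment", filename))
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if double_extension(member, ZIP_MEMBER_FINAL_EXTS):
                    findings.append(("zip member", member))
    return findings

def make_zip(member_name):
    """Build an in-memory ZIP with one harmless member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"constructed placeholder, not malware")
    return buf.getvalue()

# Constructed samples: names follow the pattern in the post, contents are inert.
SAMPLES = [
    ("winner-details.zip", make_zip("winner-details.txt" + " " * 40 + ".scr")),
    ("claim-prize.doc.pif", b"inert bytes"),
    ("readme.zip", make_zip("readme.txt")),
    ("quarterly.report.doc", b"inert bytes"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name!r}: {inspect_attachment(name, data) or 'clean'}")
```

The padding spaces matter because many mail clients truncate long names, so only the decoy extension is visible to the recipient; the check therefore ignores whitespace between the two extensions.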

Troj/Proxy-Y
by roddy32 / November 22, 2005 1:27 AM PST

Troj/Proxy-Z
by roddy32 / November 22, 2005 1:29 AM PST

Troj/Dloadr-AAJ
by roddy32 / November 22, 2005 1:31 AM PST

Troj/Bandler-G
by roddy32 / November 22, 2005 1:32 AM PST

Type Trojan

Aliases

* Trojan-Spy.Win32.Banker.zp

Troj/Bandler-G is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Troj/Bandler-G includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojbandlerg.html

W32/Rbot-AYB
by roddy32 / November 22, 2005 1:35 AM PST

Type Worm

Aliases

* W32/Sdbot.worm.gen.n

W32/Rbot-AYB is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AYB spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), Veritas (CAN-2004-1172), MSSQL (MS02-039) (CAN-2002-0649) and ASN.1 (MS04-007).

W32/Rbot-AYB includes functionality to:

* access the internet and communicate with a remote server via HTTP

* perform DDoS attacks


The following patches for the operating system vulnerabilities exploited by W32/Rbot-AYB can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotayb.html

W32/Sdbot-AFP
by roddy32 / November 22, 2005 1:37 AM PST

Troj/Bancban-IO
by roddy32 / November 22, 2005 1:42 AM PST

Troj/SikBot-A
by roddy32 / November 22, 2005 1:48 AM PST

Troj/Aimbot-BC
by roddy32 / November 22, 2005 1:50 AM PST

Type Trojan

Aliases

* Backdoor.Win32.Aimbot.bc

Troj/Aimbot-BC is a Trojan for the Windows platform.

Troj/Aimbot-BC runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/trojaimbotbc.html

W32/Opanki-T
by roddy32 / November 22, 2005 1:52 AM PST

Type Worm

Aliases

* Backdoor.Win32.Aimbot.bd

W32/Opanki-T is a worm and IRC backdoor Trojan for the Windows platform.

W32/Opanki-T runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32opankit.html

Troj/Agent-FE
by roddy32 / November 22, 2005 1:58 AM PST

Troj/Danmec-A
by Marianna Schmudlach / November 22, 2005 7:01 AM PST

Type Trojan

Aliases MultiDropper-PH
Trojan.Danmec
Trojan-Proxy.Win32.Agent.hx

Troj/Danmec-A is a Trojan for the Windows platform.
The Trojan opens a port and offers remote attackers the ability to route HTTP traffic through the infected computer. The Trojan may also download and install additional files.

http://www.sophos.com/virusinfo/analyses/trojdanmeca.html

Troj/NuclRat-C
by Marianna Schmudlach / November 22, 2005 7:02 AM PST

W32/Nanpy-Gen
by Marianna Schmudlach / November 22, 2005 7:03 AM PST

Troj/Dloadr-AAL
by Marianna Schmudlach / November 22, 2005 7:04 AM PST

WM97/Handle-A
by Marianna Schmudlach / November 22, 2005 7:05 AM PST

Type Virus

WM97/Handle-A is a virus that infects Microsoft Word documents.
WM97/Handle-A displays a message box containing the text "You can't open the files!!" and "Information for you ".
On certain days, the virus displays a message box containing the text "Files missing today!" and "Warning ".
The virus deletes EXE and DLL files from the following locations:
C:\WINDOWS\
C:\WINDOWS\SYSTEM\
C:\WINDOWS\SYSTEM32\
C:\WINNT\SYSTEM32\
C:\WINNT\

http://www.sophos.com/virusinfo/analyses/wm97handlea.html

Troj/Brogger-C
by Marianna Schmudlach / November 22, 2005 7:06 AM PST

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Banker.ahu
PWS-Banker.gen.i
PWS-Banker.gen.p

Troj/Brogger-C is an information stealing Trojan for the Windows platform.
Troj/Brogger-C targets the customers of certain online banking websites. The Trojan monitors browser usage and logs any account details entered, and may display fake user interfaces and record any entered details.


http://www.sophos.com/virusinfo/analyses/trojbroggerc.html

XM97/Netsnak-B
by Marianna Schmudlach / November 22, 2005 7:07 AM PST

Type Virus

Aliases Virus.MSExcel.NetSnak.a
XF/NetSnake.c
X97M.Dropo
XF_NETSNAKE.B

XM97/Netsnak-B infects Excel files and drops Troj/Netsnak-A.
XM97/Netsnak-B is both a VBA and Excel formula virus. The infection routine is such that not all parts of the virus are replicated.
The Excel formula macro runs automatically and runs the VBA macro. You cannot disable Excel formula macros when you open Excel.
The VBA macro will delete any file called "normal.xlm" within the folder marked as the Excel StartupPath (normally XLSTART). It will then read information from within a hidden sheet, called "@kbtasto@she3#".

http://www.sophos.com/virusinfo/analyses/xm97netsnakb.html

W32/Rbot-AYD
by Marianna Schmudlach / November 22, 2005 7:07 AM PST

Type Worm

W32/Rbot-AYD is a worm for the Windows platform.
W32/Rbot-AYD spreads to other network computers by exploiting common software vulnerabilities, including:
LSASS (MS04-011)
RPC-DCOM (MS04-012)
WKS (MS03-049) (CAN-2003-0812)
WebDav (MS03-007)
IIS5SSL (MS04-011) (CAN-2003-0719)
UPNP (MS01-059)
Veritas (CAN-2004-1172)
Dameware (CAN-2003-1030)
ASN.1 (MS04-007)
by exploiting the following Trojan backdoors:
Troj/Kuang
Troj/Sub7
Troj/NetDevil
W32/MyDoom
W32/Bagle
Troj/Optix
and by copying itself to network shares and Microsoft SQL servers protected by weak passwords.
W32/Rbot-AYD runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-AYD includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/w32rbotayd.html

Troj/Chast-A
by Marianna Schmudlach / November 22, 2005 7:08 AM PST

Type Spyware Trojan

Aliases Trojan-Spy.Win32.KeyLogger.ao
Keylog-Chast
Win32/Spy.KeyLogger.AO
TROJ_KEYLOGER.AO

Troj/Chast-A is a backdoor and keylogging Trojan for the Windows platform.
Troj/Chast-A can also log Instant Messaging conversations, as well as retrieve information about infected systems.

http://www.sophos.com/virusinfo/analyses/trojchasta.html

Troj/HacDef-AB
by Marianna Schmudlach / November 22, 2005 7:09 AM PST

Type Trojan

Aliases Backdoor.Win32.HacDef.h
HackerDefender.sys

Troj/HacDef-AB is a backdoor Trojan that is targeted at NT/2000/XP operating systems.
As well as allowing unauthorized remote access to the victim's computer, Troj/HacDef-AB is able to hide information about the victim's system including files, folders, processes, services and registry entries.

http://www.sophos.com/virusinfo/analyses/trojhacdefab.html

Troj/TBPS-A
by Marianna Schmudlach / November 22, 2005 7:10 AM PST

W32/Yimp-B
by Marianna Schmudlach / November 22, 2005 7:11 AM PST

Type Worm

W32/Yimp-B is an Instant Messaging worm for the Windows platform.
W32/Yimp-B attempts to spread via the Yahoo and AOL Instant Messenger clients.
W32/Yimp-B will send one of the following messages to the user's contacts, with
a link pointing to a copy of the worm:
wow! me and my friends just got on my new webcam! come watch us:
wow.. is this you?
found your picture! is this you?
haha, this girl got busted so bad..
lmao i cant stop laughing at this!
omg... this doesn't look right at all!!
this girl is crazy! go look at here
you have to take a look at this, tell me if you can open it
hey, you have to try this out... - removes all the spyware and viruses
check this out: - it's live and free
omg... i think i just found a pic of you, let me know

http://www.sophos.com/virusinfo/analyses/w32yimpb.html

W32/Nanpy-K
by Marianna Schmudlach / November 22, 2005 7:12 AM PST

Type Worm

Aliases Net-Worm.Win32.Nanspy.i

W32/Nanpy-K is a worm for the Windows platform.
W32/Nanpy-K spreads to other network computers by exploiting common buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).
W32/Nanpy-K includes functionality to download, install and run new software.

http://www.sophos.com/virusinfo/analyses/w32nanpyk.html

W32/Mytob-FS
by Marianna Schmudlach / November 22, 2005 3:07 PM PST

Type Worm

W32/Mytob-FS is a mass-mailing worm and backdoor Trojan that can be controlled
through the Internet Relay Chat (IRC) network.
W32/Mytob-FS runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer via
IRC channels.
W32/Mytob-FS sends emails in the following format, with details
filled in to make the email look more authentic:
Subject line chosen from:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
<random characters>
Message text chosen from (the worm will insert the username and the email
domain of the addressee into the email):

MORE: http://www.sophos.com/virusinfo/analyses/w32mytobfs.html

Troj/QQRob-V
by Marianna Schmudlach / November 22, 2005 3:08 PM PST

Type Spyware Trojan

Aliases Trojan-PSW.Win32.QQRob.17.b

Troj/QQRob-V is a password stealing Trojan for the Windows platform.
Troj/QQRob-V includes the following functionalities:
- to access the internet and communicate with a remote server via HTTP
- steal confidential information via keystrokes
- send information via email
- terminates and disables security and anti-virus processes and services

http://www.sophos.com/virusinfo/analyses/trojqqrobv.html

W32/Tilebot-BP
by Marianna Schmudlach / November 22, 2005 3:09 PM PST

Troj/LowZone-AY
by Marianna Schmudlach / November 22, 2005 3:10 PM PST