
VIRUS ALERTS - November 8, 2004

by Marianna Schmudlach / November 8, 2004 3:26 AM PST

W32/Rbot-PE

Aliases: WORM_RBOT.ZV, Backdoor.Win32.Rbot.gen, W32/Sdbot.worm.gen.i

W32/Rbot-PE is a worm which attempts to spread via remote network shares. The worm contains backdoor Trojan functionality allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-PE also has a backdoor component that allows a malicious intruder remote access shell to an infected computer.
The worm spreads to network shares with weak passwords using the following security exploits:
- LSASS exploit (MS04-011)
- RPC-DCOM exploit (MS04-012)
- WebDav exploit (MS03-007)

http://www.sophos.com/virusinfo/analyses/w32rbotpe.html

Troj/Agent-AT
by Marianna Schmudlach / November 8, 2004 3:28 AM PST

Aliases: TrojanProxy.Win32.Agent.z, BackDoor-CEZ

Type: Trojan

Troj/Agent-AT is a Trojan used for sending unsolicited commercial email (spam).
The Trojan downloads instructions from a preconfigured website every minute. These instructions provide details of what spam to send to whom. Status reports are sent back to the same site using HTTP POST.
Troj/Agent-AT may also attempt to find email addresses stored on the infected machine and include them in the list of spam recipients.

http://www.sophos.com/virusinfo/analyses/trojagentat.html

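The Agent-AT post above says the Trojan polls one preconfigured site every minute and reports back with HTTP POST. On a web proxy log that behaviour stands out as a client contacting the same host at a near-constant interval, which is something a defender can hunt for without any signature. The script below is an added example, not code from the forum post or from Sophos; the four-field log format and all hosts and addresses in it are constructed for the example, and the thresholds (five hits, ten percent jitter, thirty-second floor) are assumptions to tune against real traffic.

```python
"""Fixed-interval beacon detection over proxy log lines.

Added example, not from the forum post or Sophos. The log format
"time src dst method" and every value in SAMPLE_LOG are constructed
for this example; real proxy logs carry more fields.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host polled on a 60 s timer, one browsed by hand.
SAMPLE_LOG = """\
2004-11-08T09:00:00 10.0.0.5 update.example.invalid GET
2004-11-08T09:00:03 10.0.0.5 news.example.invalid GET
2004-11-08T09:01:00 10.0.0.5 update.example.invalid POST
2004-11-08T09:01:41 10.0.0.5 news.example.invalid GET
2004-11-08T09:02:00 10.0.0.5 update.example.invalid GET
2004-11-08T09:03:01 10.0.0.5 update.example.invalid POST
2004-11-08T09:04:00 10.0.0.5 update.example.invalid GET
2004-11-08T09:05:00 10.0.0.5 update.example.invalid POST
2004-11-08T09:07:15 10.0.0.5 news.example.invalid GET
2004-11-08T09:12:30 10.0.0.5 news.example.invalid GET
2004-11-08T09:20:05 10.0.0.5 news.example.invalid GET
"""


def parse(lines):
    """Yield (timestamp, src, dst, method) tuples; skip malformed lines."""
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        yield ts, parts[1], parts[2], parts[3]


def find_beacons(log_text, min_hits=5, max_jitter=0.1, min_interval=30):
    """Return {(src, dst): mean_interval_seconds} for client/host pairs whose
    request timing is regular enough to look like a timer rather than a person.
    Thresholds are assumptions for this example."""
    hits = defaultdict(list)
    for ts, src, dst, _method in parse(log_text):
        hits[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_interval:
            continue
        # Coefficient of variation: a timer sits near 0, human browsing is high.
        if pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every ~{interval}s")
```

Run against the constructed sample, only the update.example.invalid pair is reported (about every 60 seconds); the news host has enough hits but its gaps vary far too much to pass the jitter test. Beaconing malware that randomises its sleep defeats this simple check, so a real hunt would pair it with the POST-to-unknown-host angle the post also mentions.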
Troj/Mastseq-E
by Marianna Schmudlach / November 8, 2004 3:30 AM PST

Type: Trojan

Troj/Mastseq-E is a member of the Troj/Mastseq family of extensible backdoor Trojans.
As with the other members of the Troj/Mastseq family Troj/Mastseq-E extracts and loads several modules which provide various services to an attacker.
These services include:
- Starting and hijacking Internet Explorer
- Showing system statistics
- Listing processes
- Storing encrypted data files in the Windows system folder
- Starting and stopping services via the Service Control Manager

http://www.sophos.com/virusinfo/analyses/trojmastseqe.html

Troj/Delf-HA
by Marianna Schmudlach / November 8, 2004 3:32 AM PST

Aliases: TrojanDropper.Win32.Delf.fa

Type: Trojan

Troj/Delf-HA is a Trojan for the Windows platform that can be used to send unsolicited SMS messages. The Trojan comes as a self extractable UPX file inst.exe, but it can have any other name. When the Trojan installer is run, it creates the file rundnm.exe in the Windows system folder.

http://www.sophos.com/virusinfo/analyses/trojdelfha.html

Troj/Bancos-AI
by Marianna Schmudlach / November 8, 2004 3:33 AM PST

Type: Trojan

Troj/Bancos-AI is a password stealing Trojan for the Windows platform.
Troj/Bancos-AI monitors which URLs are typed into a web browser and creates fake webpages for certain Brazilian banking sites in order to log user account information.
Troj/Bancos-AI may periodically send this information to a remote user via email.

http://www.sophos.com/virusinfo/analyses/trojbancosai.html

Troj/Certif-C
by Marianna Schmudlach / November 8, 2004 3:35 AM PST

Aliases: PWS.Bancos.gen.e

Type: Trojan

Troj/Certif-C is a password stealing Trojan that searches the local hard drive for files with the extensions CRT and KEY to a remote FTP server.
The Trojan also monitors system activity and collects user credentials typed into the windows of various online banking applications.

http://www.sophos.com/virusinfo/analyses/trojcertifc.html

Troj/Bancban-AB
by Marianna Schmudlach / November 8, 2004 3:36 AM PST

Type: Trojan

Troj/Bancban-AB is a password stealing Trojan targeted at customers of the Brazilian bank Banco Do Brasil.
The Trojan consists of a downloader and the main password stealing component.
When first run the downloader component copies itself as the file rundll32.exe into the Windows folder, executes the copy and displays a fake error message:

    Run-time error 43.
    Invalid adress fff:0d5f

The downloader then downloads the main component.

http://www.sophos.com/virusinfo/analyses/trojbancbanab.html

Linux/Nel-A
by Marianna Schmudlach / November 8, 2004 3:38 AM PST

mIRC/Boold-A
by Marianna Schmudlach / November 8, 2004 3:40 AM PST

Troj/Bancban-AC
by Marianna Schmudlach / November 8, 2004 3:42 AM PST

Aliases: PWS-Bancban.gen.b

Type: Trojan

Troj/Bancban-AC is a password-stealing Trojan targeted at customers of certain Brazilian banks.
Troj/Bancban-AC attempts to log keypresses entered into certain websites. The Trojan displays fake user interfaces in order to persuade the user to enter confidential details. Stolen information is sent by email to a remote user.
Troj/Bancban-AC also attempts to detect and delete files belonging to Norton AntiVirus and Norton Personal Firewall.
Stolen data may be saved to a file USER.TXT. An image file BARRA.BMP may also be dropped.

http://www.sophos.com/virusinfo/analyses/trojbancbanac.html

Troj/ServU-AO
by Marianna Schmudlach / November 8, 2004 3:44 AM PST

W32/Protoride-V
by Marianna Schmudlach / November 8, 2004 3:46 AM PST

W32/Sdbot-RA
by Marianna Schmudlach / November 8, 2004 3:48 AM PST

W32/Sdbot-RB
by Marianna Schmudlach / November 8, 2004 3:49 AM PST

W32/Bofra-A
by Marianna Schmudlach / November 8, 2004 3:51 AM PST

Type: Worm

W32/Bofra-A is a Worm for the Windows platform that arrives via email.
The body of the email will try to entice the user to click on a hyperlink to look at webcam images or to visit an adult website.
More information will be provided shortly. Please check again later.

http://www.sophos.com/virusinfo/analyses/w32bofraa.html

W32/Forbot-CF
by Marianna Schmudlach / November 8, 2004 8:38 AM PST

Type: Worm

W32/Forbot-CF is a network worm and IRC backdoor Trojan for the Windows platform.
W32/Forbot-CF spreads through network shares and by exploiting the LSASS (MS04-011) software vulnerability. The worm may also spread through backdoors left open by other malware.
The backdoor component of W32/Forbot-CF can be used to:
- start an FTP and HTTP server.
- delete network shares.
- start a SOCKS4, SOCKS5, HTTP, TCP and GRE proxy.
- list and stop existing processes and services.
- download, run and delete files.
- modify the registry.
- add and delete services.
- steal the product keys of popular games and applications.
- scan other computers for open ports and attempt to exploit them.
- take part in distributed denial of service (DDOS) attacks.
- flush the DNS cache.
- logoff, reboot and shut down the computer.

http://www.sophos.com/virusinfo/analyses/w32forbotcf.html

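Both the W32/Rbot-PE post near the top of the thread and the W32/Forbot-CF post just above describe worms that spread through network shares with weak passwords. From the defender's side, that fan-out leaves a distinctive trace in logon audit records: one source address failing logons against many different hosts within seconds, usually with a tiny set of account names, and occasionally succeeding. The script below is an added example, not from the forum posts or Sophos; its five-field event format is a constructed simplification of Windows logon-failure audit events (not a vendor schema), the hosts and addresses are made up, and the window and host-count thresholds are assumptions.

```python
"""Spot one machine trying to log on to many others: the share-spreading
behaviour described for W32/Rbot-PE and W32/Forbot-CF.

Added example, not from the forum posts or Sophos. The event format
"time target_host src_ip account status" is a constructed simplification
of Windows logon audit records; all hosts and addresses are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.23 sweeps five hosts with two account names in
# nine seconds and gets in on one; 10.0.0.41 is a user mistyping a password.
SAMPLE_EVENTS = """\
2004-11-08T10:00:01 FILESRV01 10.0.0.23 administrator FAILURE
2004-11-08T10:00:02 FILESRV01 10.0.0.23 administrator FAILURE
2004-11-08T10:00:04 WKS-ACCT07 10.0.0.23 administrator FAILURE
2004-11-08T10:00:05 WKS-ACCT07 10.0.0.23 admin FAILURE
2004-11-08T10:00:06 WKS-ACCT08 10.0.0.23 administrator FAILURE
2004-11-08T10:00:08 WKS-ACCT09 10.0.0.23 administrator FAILURE
2004-11-08T10:00:09 WKS-ACCT09 10.0.0.23 administrator SUCCESS
2004-11-08T10:00:10 PRINTSRV 10.0.0.23 administrator FAILURE
2004-11-08T10:03:00 FILESRV01 10.0.0.41 jsmith FAILURE
2004-11-08T10:03:20 FILESRV01 10.0.0.41 jsmith SUCCESS
"""


def parse_events(text):
    """Yield (timestamp, target_host, src_ip, account, status); skip bad lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        yield ts, parts[1], parts[2], parts[3], parts[4]


def find_spreaders(text, window=timedelta(minutes=5), min_hosts=4):
    """Return {src_ip: {"hosts": [...], "accounts": [...], "success_on": [...]}}
    for sources whose failed logons touched at least min_hosts distinct targets
    inside one sliding window. A worm guessing share passwords fans out across
    hosts with a short account list; a user's typo hits a single host.
    Thresholds are assumptions for this example."""
    by_src = defaultdict(list)
    for ts, host, src, account, status in parse_events(text):
        by_src[src].append((ts, host, account, status))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[3] == "FAILURE"]
        for i, (start, _host, _acct, _st) in enumerate(fails):
            in_win = [e for e in fails[i:] if e[0] - start <= window]
            hosts = sorted({e[1] for e in in_win})
            if len(hosts) >= min_hosts:
                # A SUCCESS from the same source on a host it was guessing
                # against marks the machine to isolate first.
                succ = sorted({e[1] for e in evs
                               if e[3] == "SUCCESS" and e[1] in hosts})
                flagged[src] = {"hosts": hosts,
                                "accounts": sorted({e[2] for e in in_win}),
                                "success_on": succ}
                break
    return flagged


if __name__ == "__main__":
    for src, info in find_spreaders(SAMPLE_EVENTS).items():
        print(f"{src}: {len(info['hosts'])} hosts, accounts {info['accounts']}, "
              f"succeeded on {info['success_on']}")
```

On the constructed sample only 10.0.0.23 is reported, with WKS-ACCT09 listed as the host it succeeded on; the single-host failure from 10.0.0.41 is ignored. The same logic applies to the LSASS and RPC-DCOM exploitation the posts mention only indirectly, since a worm that has to fall back to password guessing after a failed exploit still produces this logon pattern.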
W32/Forbot-CE
by Marianna Schmudlach / November 8, 2004 8:40 AM PST

Type: Worm

W32/Forbot-CE is a backdoor Trojan and network worm for the Windows platform.
W32/Forbot-CE can spread to remote network shares and computers vulnerable to common exploits.
The worm opens up a backdoor allowing unauthorised access to a remote intruder.

http://www.sophos.com/virusinfo/analyses/w32forbotce.html

Troj/Perflog-B
by Marianna Schmudlach / November 8, 2004 8:42 AM PST

Aliases: Keylog-Perfect.dr, TrojanSpy.Win32.Perfloger.g

Type: Trojan

Troj/Perflog-B is a self-extracting archive which installs the "Perfect keylogger" commercial keylogger application (not detected by Sophos's anti-virus products).
Troj/Perflog-B may be downloaded to the computer and run by variants of Troj/Psyme-BA. For further information please refer to the Troj/Psyme-BA description.

http://www.sophos.com/virusinfo/analyses/trojperflogb.html

Troj/MhtRedir-H
by Marianna Schmudlach / November 8, 2004 8:44 AM PST

Aliases: Exploit.HTML.Mht, Exploit-MhtRedir.gen

Type: Trojan

Troj/MhtRedir-H is a HTML-based script which exploits a vulnerability associated with some versions of Microsoft Internet Explorer to load a malicious script or HTML page containing a malicious script.
Known versions of Troj/MhtRedir-H attempt to load an HTML file containing Troj/Psyme-BA.

http://www.sophos.com/virusinfo/analyses/trojmhtredirh.html

Troj/ByteVeri-L
by Marianna Schmudlach / November 8, 2004 8:46 AM PST

Aliases: Trojan.Java.ClassLoader.u

Type: Trojan

Troj/ByteVeri-L is a Java Applet which exploits a vulnerability in the Byte Code Verify component of the Microsoft VM to run an executable file on the local computer.
Troj/ByteVeri-L is activated by browsing web sites whose pages contain applets that use the Troj/ByteVeri-L class.

http://www.sophos.com/virusinfo/analyses/trojbyteveril.html

Troj/Psyme-BA
by Marianna Schmudlach / November 8, 2004 8:48 AM PST

Type: Trojan

Troj/Psyme-BA is a JavaScript downloader Trojan which exploits the ADODB stream vulnerability associated with some versions of Microsoft Internet Explorer to silently download a file from a remote location to
<Program Files folder>\Windows Media Player\wmplayer.exe,
replacing any existing file.
Troj/Psyme-BA can arrive on the computer by browsing websites whose HTML pages contain the script or by visiting a HTML page that contains a SRC= link to an infected page.
Troj/Psyme-BA is known to be loaded via some versions of Troj/MhtRedir-H. For further information please refer to the Troj/MhtRedir-H description.

http://www.sophos.com/virusinfo/analyses/trojpsymeba.html

Troj/Multidr-HB
by Marianna Schmudlach / November 8, 2004 8:49 AM PST

Troj/Ciadoor-F
by Marianna Schmudlach / November 8, 2004 8:51 AM PST

AVERT Low-Profiled Threat Notice: W32/Mydoom.ag@MM
by Marianna Schmudlach / November 8, 2004 12:28 PM PST

AVERT Medium Threat Advisory: W32/Mydoom.ah@MM
by Marianna Schmudlach / November 8, 2004 2:48 PM PST

Advisory
This is a Medium Threat Advisory for W32/Mydoom.ah@MM

Justification
W32/Mydoom.ah@MM has been deemed Medium Threat due to prevalence.

Read About It
Information about W32/Mydoom.ah@MM is located on VIL at: http://vil.nai.com/vil/content/v_129631.htm
