Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - now really on May 20, 2005 ;)

Sorry, the May 20, 2005 thread was actually May 19, 2005 - now it is REALLY May 20, 2005. Oops, can happen ;)

W32/Mytob-CK
Summary

Aliases WORM_MYTOB.DQ
W32.Mytob.R@mm
Net-Worm.Win32.Mytob.w

Type Worm

W32/Mytob-CK is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-CK may drop a file called hellmsn.exe (detected by Sophos as W32/Mytob-D) in the same location. This component attempts to spread the worm by sending the aforementioned SCR files through Windows Messenger to all online contacts.
W32/Mytob-CK is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011).
The following patch for the operating system vulnerability exploited by W32/Mytob-CK can be obtained from the Microsoft website:
LSASS (MS04-011) security vulnerability
Email sent by W32/Mytob-CK has the following properties:
Subject line:
Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
<random characters>
Message text:
'Here are your banks documents.'
'The original message was included as an attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'Mail transaction failed. Partial message is available.'
<random characters>
The attached file consists of a base name followed by the extensions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP.

http://www.sophos.com/virusinfo/analyses/w32mytobck.html

W32/Spybot-DO

Aliases Backdoor.Win32.SpyBoter.ci

Type Worm

W32/Spybot-DO is a worm that spreads through network shares and backdoors left open by other worms and Trojans. W32/Spybot-DO has backdoor capabilities.
W32/Spybot-DO monitors running processes and terminates regedit.exe, taskmgr.exe, msconfig.exe and netstat.exe if found running.
The worm then adds an entry in win.ini of the remote computer and also schedules a remote job to run the remote copy of the worm.
The worm logs on to a predefined IRC server to wait for backdoor commands.

http://www.sophos.com/virusinfo/analyses/w32spybotdo.html

W32/Agobot-SL

Type Worm

W32/Agobot-SL is a network worm with IRC backdoor functionality.
W32/Agobot-SL connects to a preconfigured IRC server, joins a channel and awaits further instructions.
W32/Agobot-SL also terminates Anti-Virus and security related applications.
The worm spreads to computers affected by known vulnerabilities and running network services protected by weak passwords.
Vulnerabilities:
RPC DCOM (MS03-026, MS04-012)
MSSQL (MS02-039)
Services:
NetBios
The following patches for the operating system vulnerabilities exploited by W32/Agobot-SL can be obtained from the Microsoft website:
RPC-DCOM (MS04-012) security vulnerability
MSSQL (MS02-039) security vulnerability

http://www.sophos.com/virusinfo/analyses/w32agobotsl.html

Troj/Bdoor-IC

Aliases Trojan-Dropper.Win32.Small.oe
Backdoor.Win32.Small.cl
BKDR_SMALL.CL

Type Trojan

Troj/Bdoor-IC is a backdoor Trojan on the Windows platform.
When run, the Trojan drops 2 files:
1111swapmgr.exe - main backdoor Trojan component
1111tapidef.dll - DLL helper Trojan component
into the Windows System folder and runs the main backdoor component in the background as a service process.
These 2 files are also being detected by Sophos as Troj/Bdoor-IC.
Once installed, Troj/Bdoor-IC creates a backdoor component and sets up a listening server on a random TCP port awaiting instructions from a remote attacker. The main backdoor Trojan component then uses the DLL helper component to hook itself into the Windows Internet Explorer process to stealth itself.

http://www.sophos.com/virusinfo/analyses/trojbdooric.html

Troj/Dloader-NO

Troj/Banker-HG

Aliases TSPY_BANCOS.AFG
Trojan-Spy.Win32.Banker.ju

Type Trojan

Troj/Banker-HG is a password stealing Trojan for the Windows platform.
Troj/Banker-HG monitors which URLs are visited by the web browser and creates fake web pages for certain Brazilian banking sites in order to log account information. The logged information is sent to remote users via email.

http://www.sophos.com/virusinfo/analyses/trojbankerhg.html

Troj/Haxdoor-Y

Troj/Brdupd-A

Aliases Trojan-Downloader.Win32.Braidupdate.d
TROJ_BRDUPDATE.D
TROJ_BRDUPDATE.E

Type Trojan

Troj/Brdupd-A is a downloader Trojan and Internet Explorer browser helper object that hijacks queries submitted through Internet Explorer's search function.
The components of Troj/Brdupd-A will usually have the filenames stlb2.dll and e6f1873b.dll.

http://www.sophos.com/virusinfo/analyses/trojbrdupda.html

W32/Mytob-AY

Aliases Net-Worm.Win32.Mytob.au
W32/Mytob.DI@mm
W32/Mydoom.gen@MM

Type Worm

W32/Mytob-AY is a mass-mailing worm and backdoor Trojan which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Mytob-AY attaches itself to emails with the following characteristics:
Subject lines:
*IMPORTANT* Please Validate Your Email Account
*IMPORTANT* Your Email Account Has Been Locked
Email Account Suspension
Your Email Account is Suspended For Security Reasons
Security Measures
Notice:***Your email account will be suspended***
Your email account access is restricted
Notie:***Last Warning***
Message texts:
To safeguard your email account from possible termination, please see the attached file.
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
We have suspended some of your email services, to resolve the problem you should read the attached document.
please look at attached document.
Account Information Are Attached!
Follow the instructions in the attachment.
Attached files will have the extension ZIP, EXE, PIF, SCR or CMD and one of the following basenames:
email-text
document_full
information
info-text
Your_details
IMPORTANT
email-info
email-doc
INFO
Occasionally the subject line, message text and attachment name will consist of a random set of characters.

http://www.sophos.com/virusinfo/analyses/w32mytobay.html

Troj/WMSteal-A

Type Trojan

Troj/WMSteal-A is a password stealing Trojan targeted at the WebMoney Keeper Classic application.
When first run, Troj/WMSteal-A copies itself to <SYSTEM>\system.exe and creates the following files:
<SYSTEM>\mailpv.exe
<SYSTEM>\wmclients.dll
The file mailpv.exe is a legitimate mail box password recovery tool.
The file wmclients.dll is a malicious component of the Trojan used to send an email to an attacker containing information stolen from the infected computer.

http://www.sophos.com/virusinfo/analyses/trojwmsteala.html

Troj/PPdoor-G

Aliases BackDoor-CHC
Backdoor.Win32.PPdoor.j

Type Trojan

Troj/PPdoor-G is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
The Trojan may download updates and terminate processes belonging to anti-virus and firewall applications.

http://www.sophos.com/virusinfo/analyses/trojppdoorg.html

W32/Oscabot-C

Type Worm

W32/Oscabot-C is an instant messaging worm that can exploit users of AOL Instant Messaging clients.
W32/Oscabot-C connects to a specific channel on an IRC service and waits for an attacker to instruct the bot to send messages to contacts in the infected user's AOL contacts list. The message reads "this was cool, check it out", where the word "this" is a link to the W32/Oscabot-C executable on the infected computer.
When first run, W32/Oscabot-C copies itself to <WINDOWS>\userint32.exe.

http://www.sophos.com/virusinfo/analyses/w32oscabotc.html

W32/Mytob-AK

Aliases WORM_MYTOB.BT

Type Worm

W32/Mytob-AK is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-AK is capable of spreading through operating system vulnerabilities, including the LSASS (MS04-011) exploit.
W32/Mytob-AK can harvest email addresses from files on the infected computer and from the Windows address book.
Emails sent by the worm have the following characteristics:
Subject line:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
Good day
<blank>
Message body:
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The original message was included as an attachment,
Here are your bank documents

http://www.sophos.com/virusinfo/analyses/w32mytobak.html
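The three Mytob posts above (W32/Mytob-CK, W32/Mytob-AY and W32/Mytob-AK) list the subject lines, body texts and attachment naming rules the worms use, which is exactly what a mail-gateway triage rule keys on. The following is an added example written for this thread, not code from the posts or from Sophos: it parses RFC 5322 messages, matches the quoted lure strings, applies the double-extension and known-basename rules, and only flags a plain executable attachment when a lure string accompanies it, so ordinary bounce notices and ordinary ZIP reports pass. The sample messages and the `example.invalid` addresses are constructed test data.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure strings quoted in the Sophos write-ups above for W32/Mytob-CK and -AK
# (fake bounce notices) and W32/Mytob-AY (fake account-suspension notices).
BOUNCE_SUBJECTS = {"good day", "hello", "mail delivery system", "mail transaction failed",
                   "server report", "status", "error", ""}
BOUNCE_TEXTS = ("here are your bank", "the original message was included as an attachment",
                "cannot be represented in 7-bit ascii", "contains unicode characters",
                "mail transaction failed. partial message is available")
ACCOUNT_SUBJECTS = {"*important* please validate your email account",
                    "*important* your email account has been locked",
                    "email account suspension",
                    "your email account is suspended for security reasons",
                    "security measures",
                    "notice:***your email account will be suspended***",
                    "your email account access is restricted",
                    "notie:***last warning***"}
ACCOUNT_BASENAMES = {"email-text", "document_full", "information", "info-text",
                     "your_details", "important", "email-info", "email-doc", "info"}
EXEC_EXT = {"pif", "scr", "exe", "zip", "cmd"}   # extensions named in the write-ups
DOC_EXT = {"doc", "txt", "htm"}                  # first half of a Mytob-CK double extension


def attachment_indicator(filename):
    """Classify an attachment name; None means it matches no Mytob naming rule."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXT:
        return None
    if len(parts) >= 3 and parts[-2] in DOC_EXT:
        return "double extension: " + filename
    if parts[0] in ACCOUNT_BASENAMES:
        return "Mytob-AY basename: " + filename
    return "executable attachment: " + filename


def indicators(msg):
    """Return (lure_hits, attachment_hits) for a parsed EmailMessage."""
    lures, attachments = [], []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in BOUNCE_SUBJECTS:
        lures.append("bounce-style subject")
    elif subject in ACCOUNT_SUBJECTS:
        lures.append("account-suspension subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(t in text for t in BOUNCE_TEXTS):
        lures.append("bounce-style body text")
    for part in msg.iter_attachments():
        reason = attachment_indicator(part.get_filename() or "")
        if reason:
            attachments.append(reason)
    return lures, attachments


def is_mytob_lure(raw):
    """Flag a raw message. A double extension or a known basename is enough on its
    own; a plain executable attachment also needs a lure string before we flag it."""
    lures, attachments = indicators(email.message_from_bytes(raw, policy=policy.default))
    strong = [a for a in attachments if not a.startswith("executable")]
    return bool(strong) or (bool(attachments) and bool(lures))


def build_sample(subject, text, filename=None):
    """Construct a sample message (constructed test data, not captured mail)."""
    m = EmailMessage()
    m["From"] = "postmaster@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(text)
    if filename:
        m.add_attachment(b"MZ constructed sample bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


SAMPLES = {
    "mytob_ck": build_sample("Mail Delivery System",
                             "Mail transaction failed. Partial message is available.",
                             "message.txt.scr"),
    "mytob_ay": build_sample("Email Account Suspension",
                             "Follow the instructions in the attachment.",
                             "Your_details.zip"),
    "benign_bounce": build_sample("Mail Delivery System",
                                  "Your message could not be delivered."),
    "benign_report": build_sample("Weekly report", "See attached.", "report.zip"),
}


def triage(samples=SAMPLES):
    """Map sample name -> verdict (True = matches a Mytob lure profile)."""
    return {name: is_mytob_lure(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print("%-14s %s" % (name, "FLAG" if verdict else "ok"))
```

Both Mytob samples are flagged and both benign ones pass. The write-ups also say the subject, body and attachment name are sometimes random characters; in that case only the extension rules fire, which is why the executable-extension check is kept even though it is too noisy to act on alone.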

W32/Kelvir-T

Aliases IM-Worm.Win32.VB.j

Type Worm

W32/Kelvir-T is a worm for the Windows platform.
The worm runs automatically when a user logs on by setting the "load" parameter of win.ini to point to the worm EXE.
W32/Kelvir-T monitors the status of Windows Messenger contacts and sends the following text to all online contacts:
look at this
http://<domain>/pictures.php?email=<email address>
where <domain> has been omitted and <email address> is the email address of the recipient. At the time of writing, the URL was not available.

http://www.sophos.com/virusinfo/analyses/w32kelvirt.html

Troj/Restrict-A

Aliases Trojan.Win32.LowZones.ba
W32/Lowzones.BA

Type Trojan

Troj/Restrict-A adds registry entries that add certain web sites and certain IP address ranges to Internet Explorer's 'Restricted sites' Web content zone. These web sites and IP addresses are then subject to the security restrictions of the 'Restricted sites' zone.

http://www.sophos.com/virusinfo/analyses/trojrestricta.html
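Internet Explorer keeps the per-user zone assignments under `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap`, with one subkey per domain (labels stored most-significant first, e.g. `Domains\sophos.com\www`) and one `RangeN` subkey per address span, each holding a DWORD per scheme whose value is the zone number (4 = Restricted sites). The following added example, written for this thread and not taken from the post or from Sophos, reads a `.reg` export of that tree and lists every target forced into the Restricted zone, which is how a defender would confirm or clean up what Troj/Restrict-A leaves behind. The export text is a constructed sample; the domains and ranges in it are illustrative only.

```python
import re

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
RESTRICTED = 4


def parse_reg(text):
    """Read a .reg export into {key_path: {value_name: int|str}} (dword and string values)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]*)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and current is not None:
            name, dword, string = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string
    return keys


def zone_assignments(text):
    """Return (target, scheme, zone) triples from ZoneMap\\Domains and ZoneMap\\Ranges.
    Domain subkeys are reversed back into a hostname; ranges use the ':Range' string."""
    out = []
    for key, values in parse_reg(text).items():
        idx = key.lower().find("\\zonemap\\")
        if idx < 0:
            continue
        parts = key[idx + len("\\zonemap\\"):].split("\\")
        if parts[0].lower() == "domains" and len(parts) >= 2:
            target = ".".join(reversed(parts[1:]))
        elif parts[0].lower() == "ranges" and isinstance(values.get(":Range"), str):
            target = values[":Range"]
        else:
            continue
        for scheme, zone in values.items():
            if isinstance(zone, int):        # per-scheme zone DWORDs ("*", "http", "https", ...)
                out.append((target, scheme, zone))
    return out


def restricted_entries(text):
    """Targets forced into the Restricted sites zone, as Troj/Restrict-A does."""
    return [(t, s) for t, s, z in zone_assignments(text) if z == RESTRICTED]


# Constructed export of the per-user ZoneMap (sample data, not a capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sophos.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sophos.com\www]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="192.168.0.0-192.168.255.255"
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.invalid]
"https"=dword:00000002
"""

if __name__ == "__main__":
    for target, scheme, zone in zone_assignments(SAMPLE_REG):
        print("%-30s %-6s %s" % (target, scheme, ZONE_NAMES.get(zone, zone)))
```

On a live machine the same tree can be exported with `reg export` and fed to `restricted_entries`; an entry for a security vendor or an update service in zone 4 with no matching group policy is the thing to investigate.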

Troj/LanFilt-I

Type Trojan

Troj/LanFilt-I is a backdoor Trojan for the Windows platform.
Troj/LanFilt-I connects to the internet and attempts to send a message reporting the infection via the web-based ICQ interface. The Trojan then waits for further commands from a remote attacker.
Troj/LanFilt-I can record keystrokes, download and upload files and act as a proxy server.

http://www.sophos.com/virusinfo/analyses/trojlanfilti.html

Troj/StartPa-FS

Troj/Psyme-BT

Troj/Banker-CK

Aliases Trojan-PSW.Win32.Agent.aa

Type Trojan

Troj/Banker-CK is an information stealing Trojan for the Windows platform.
The Trojan monitors a user's internet activity and steals login details when on-line banking and finance sites are used. These details are then sent to a remote user.
Troj/Banker-CK checks for approximately 2500 different financial websites.

http://www.sophos.com/virusinfo/analyses/trojbankerck.html

W32/Netsky-C

Aliases I-Worm.Moodown.c
Win32/Netsky.C
W32.Netsky.C@mm
WORM_NETSKY.C

Type Worm

W32/Netsky-C is a worm which spreads via shared networks and by emailing itself to addresses found within files located on drives C: to Z:.
The email subject line, message text and attachment filename are randomly chosen from lists within the worm.
The name of the attached file is chosen from:

More: http://www.sophos.com/virusinfo/analyses/w32netskyc.html

W32/Sdbot-YJ

Aliases Backdoor.Win32.Rbot.gen
W32/Sdbot.worm.gen.w
W32.Spybot.Worm
WORM_SDBOT.BVC

Type Worm

W32/Sdbot-YJ is a network worm with backdoor functionality for the Windows platform.
W32/Sdbot-YJ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. The worm may spread to remote network shares with weak passwords.
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-YJ can be obtained from the Microsoft website:
MS02-039
MS03-049
MS04-011
MS04-012
MS04-045

http://www.sophos.com/virusinfo/analyses/w32sdbotyj.html

Troj/Dowpid-A

Troj/Inordr-A

Troj/Agent-DP

Type Trojan

Troj/Agent-DP is a backdoor Trojan for the Windows platform that provides an unauthorized remote access to the infected computer.
Troj/Agent-DP terminates processes related to a number of AV and security applications.
Troj/Agent-DP also modifies the Windows HOSTS file in an attempt to prevent access to the predefined AV sites.

http://www.sophos.com/virusinfo/analyses/trojagentdp.html
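Two of the persistence and tamper tricks in this thread are cheap to audit from the files themselves: the `load=` / `run=` entries in the `[windows]` section of win.ini that W32/Spybot-DO and W32/Kelvir-T use to start at logon, and the HOSTS edits Troj/Agent-DP uses to cut off AV sites. The following added example, written for this thread and not taken from any of the posts or from Sophos, reads both files and reports anything a clean system would not have. The win.ini and HOSTS contents are constructed samples with placeholder paths; the vendor domain watch list is an assumption of ours, since the write-up says only "predefined AV sites".

```python
import ipaddress

# Names that legitimately map to loopback in a default Windows HOSTS file.
DEFAULT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}
# Watch list of security-vendor domains. Assumption: the write-up above says
# "predefined AV sites" without naming them, so this list is ours.
VENDOR_DOMAINS = ("sophos.com", "symantec.com", "mcafee.com", "trendmicro.com",
                  "kaspersky.com", "microsoft.com", "windowsupdate.com")


def parse_ini(text):
    """Minimal INI reader tolerant of win.ini quirks (bare keys, duplicate keys)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def winini_autostart(text):
    """[windows] load= and run= entries that name a program; both are normally empty."""
    return [(key, value) for key, value in parse_ini(text).get("windows", [])
            if key in ("load", "run") and value]


def hosts_overrides(text):
    """HOSTS entries that redirect a watched vendor domain or sinkhole an unexpected
    name to loopback / 0.0.0.0. Returns (name, address, reason) tuples."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, then tokenize
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # malformed line, not an address
        for name in fields[1:]:
            lname = name.lower()
            if any(lname == d or lname.endswith("." + d) for d in VENDOR_DOMAINS):
                hits.append((name, str(addr), "vendor domain redirected"))
            elif (addr.is_loopback or addr.is_unspecified) and lname not in DEFAULT_LOOPBACK:
                hits.append((name, str(addr), "name sinkholed to loopback"))
    return hits


def audit(win_ini_text, hosts_text):
    """Combine both checks into one report keyed by file."""
    return {"win.ini": winini_autostart(win_ini_text), "hosts": hosts_overrides(hosts_text)}


# Constructed samples of tampered files (placeholder path, not a real IoC).
WIN_INI = """; for 16-bit app support
[fonts]
[windows]
load=C:\\WINDOWS\\wormcopy.exe
run=
NullPort=None
"""
HOSTS = """# constructed HOSTS sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.sophos.com
127.0.0.1       liveupdate.symantec.com  # blocks AV updates
0.0.0.0         download.mcafee.com
192.168.1.10    intranet.example.invalid
"""

if __name__ == "__main__":
    for area, findings in audit(WIN_INI, HOSTS).items():
        print(area, findings or "clean")
```

A legitimate developer entry such as `127.0.0.1 dev.local` will also be reported as sinkholed; the point is that every non-default loopback mapping gets a human look, while a vendor domain pointed anywhere but its real address is reported regardless of the target.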

Troj/Pixclub-A

Aliases TROJ_PIXCLUB.A
Trojan-Proxy.Win32.Symbab.aj
Proxy-EasySearch

Type Trojan

Troj/Pixclub-A is a Trojan for the Windows platform.
The Trojan serves as a proxy, allowing remote users the ability to route HTTP traffic through the infected computer.
The Trojan may also redirect HTTP search requests to certain predetermined domains.

http://www.sophos.com/virusinfo/analyses/trojpixcluba.html

Troj/Proxage-A

Troj/Liewar-C

Aliases Trojan.Win32.Liewar.j

Type Trojan

Troj/Liewar-C is a Trojan which displays misleading message boxes and attempts to connect to the internet.
The Trojan displays fake message boxes in turn with the following characteristics:
Title: Microsoft Network Information
Message: <randomly chosen string in the following list>?

More: http://www.sophos.com/virusinfo/analyses/trojliewarc.html

Troj/Delfiles-Q

Troj/Riler-H

Aliases Trojan.Win32.Riler.g
JS/BackDoor-BCB
BackDoor-BCB

Type Trojan

Troj/Riler-H is a backdoor Trojan for the Windows platform.
Troj/Riler-H spies on network traffic on the infected computer. The Trojan will relay certain types of network traffic to a remote site. Troj/Riler-H has a backdoor component that will connect to a remote site and await backdoor commands.

http://www.sophos.com/virusinfo/analyses/trojrilerh.html

Troj/Nuclear-H

Aliases Backdoor.Win32.Delf.aaa

Type Trojan

Troj/Nuclear-H is a configurable backdoor Trojan for the Windows platform which allows full remote access capabilities via a remote client. The Client application allows the creation of server applets which act as the backdoor when installed on the infected computer.

http://www.sophos.com/virusinfo/analyses/trojnuclearh.html
