VIRUS ALERTS - October 20, 2005

Type Spyware Worm

Aliases Trojan.Win32.Crypt.d

W32/Rbot-AHQ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AHQ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-AHQ can spread to remote network shares protected by weak passwords and to computers vulnerable to common exploits, including LSASS (MS04-011), WKS (MS03-049), WebDav (MS03-007) and Veritas (CAN-2004-1172). For patches for the operating system vulnerabilities, see:
MS03-007
MS03-049
MS04-011

http://www.sophos.com/virusinfo/analyses/w32rbotahq.html

Type Worm

Aliases Net-Worm.Win32.Mytob.bi

W32/Mytob-IU is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-IU spreads through email. W32/Mytob-IU harvests email addresses from files on the infected computer and from the Windows address book. Email sent by W32/Mytob-IU has the following properties:
Subject line chosen from:
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Message text chosen from:

MORE: http://www.sophos.com/virusinfo/analyses/w32mytobiu.html

Type Spyware Worm

Side effects Turns off anti-virus applications
Allows others to access the computer
Downloads code from the internet
Reduces system security
Records keystrokes

W32/Rbot-BWF is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Rbot-BWF spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-BWF can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-BWF can be instructed by a remote user to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software
Patches for the operating system vulnerabilities exploited by W32/Rbot-BWF can be obtained from Microsoft at:
MS01-059
MS03-007
MS04-011
MS04-012

http://www.sophos.com/virusinfo/analyses/w32rbotbwf.html

Type Spyware Worm

Aliases Backdoor.Win32.Nanspy.c
WORM_NANPY.A
W32.Kassbot.B

W32/Nanpy-F is a worm for the Windows platform.
The worm may also steal login details for the aforementioned websites and sends the collected information to a remote user via FTP.
The worm can download and execute additional files from a remote site.
W32/Nanpy-F spreads through networks to unpatched computers vulnerable to the RPC-DCOM exploit. Details on the RPC-DCOM vulnerability are available from Microsoft at:
MS04-012

http://www.sophos.com/virusinfo/analyses/w32nanpyf.html

Type Trojan

Aliases TROJ_STARTPAG.TP

Troj/Paymite-B is a Start Page Trojan.

http://www.sophos.com/virusinfo/analyses/trojpaymiteb.html

Type Worm

Aliases WORM_RBOT.CDJ

W32/Sdbot-ACW is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-ACW spreads:
- to other network computers infected with W32/Sasser
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WINS (MS04-045) and MSSQL (MS02-039) (CAN-2002-0649)
- by copying itself to network shares protected by weak passwords
W32/Sdbot-ACW runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-ACW can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS04-045
MS02-039

http://www.sophos.com/virusinfo/analyses/w32sdbotacw.html

Type Trojan

Aliases TROJ_KILLAV.A
Trojan.Win32.AVKill.e

Troj/Killav-AN is a Trojan that terminates anti-virus and firewall applications.
When first run Troj/Killav-AN copies itself to <System>\AvKill.exe.

http://www.sophos.com/virusinfo/analyses/trojkillavan.html

Type Spyware Trojan

Aliases NTRootKit-E
Backdoor.Rtkit.B
BKDR_RTKIT.B

Troj/NtRootK-H is a rootkit.
When first run Troj/NtRootK-H copies itself to \RtKit\rtkit.exe and creates the following files:
\RtKit\globalc.dll - detected as Troj/NtRootK-H
\RtKit\npf.sys - generic packet filter driver
\RtKit\rtkit.log - this file is not malicious and can be deleted
Troj/NtRootK-H sets the following registry entry to run npf.sys at startup:
HKLM\SYSTEM\CurrentControlSet\Services\NPF
HKLM\SOFTWARE\rtkit\
Once installed, Troj/NtRootK-H opens a backdoor on TCP port 445 to await instructions from a remote attacker.
Troj/NtRootK-H then proceeds to stealth itself by hiding the folder RtKit from the Windows Explorer.
Troj/NtRootK-H includes functionality to:
- steal confidential information and log keystrokes
- carry out DDoS flooder attacks
- silently download software
- hide registry entries
- hide folders
- list, hide and terminate processes
- open a remote command shell

http://www.sophos.com/virusinfo/analyses/trojntrootkh.html

Type Worm

Aliases Backdoor.Win32.Agobot.gen
W32/Gaobot.worm.gen.u

http://www.sophos.com/virusinfo/analyses/w32agobottg.html

Type Worm


Aliases Trojan.Win32.Pakes
W32/Sdbot.worm.gen.n



W32/Rbot-ANC is a Worm and IRC backdoor Trojan for the Windows platform.
When first run W32/Rbot-ANC copies itself and creatres several registry entries.

http://www.sophos.com/virusinfo/analyses/w32rbotanc.html

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Bancos.u

Troj/Dadobra-CK is a downloader Trojan for the Windows platform.
Troj/Dadobra-CK includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojdadobrack.html

Type Spyware Trojan

Aliases BackDoor-CMI

Troj/OptixP-C is a backdoor Trojan for the Windows platform which allows a remote intruder to gain access and control over the computer.

http://www.sophos.com/virusinfo/analyses/trojoptixpc.html

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Bancos.ha
PWS-Banker.gen.ba
PWSteal.Bancos

Troj/Bancos-EE is an Internet Banking Trojan for the Windows platform.
Troj/Bancos-EE targets the users of several Brazilian banks, by monitoring the user's internet activity and displaying fake login pages if the user visits certain predefined URLs. Any login details entered on the fake pages are logged.
Troj/Bancos-EE contains the functionality to email these logged details to a remote user.

http://www.sophos.com/virusinfo/analyses/trojbancosee.html

Type Trojan

Side effects Turns off anti-virus applications
Downloads code from the internet
Installs itself in the Registry

Troj/Dloader-WO is a downloader Trojan for the Windows platform.
The Trojan attempts to download and install further software and disable Microsoft Anti-Spyware. Troj/Dloader-WO may also monitor user activity.

http://www.sophos.com/virusinfo/analyses/trojdloaderwo.html

Type Trojan

Aliases Trojan.Win32.StartPage.aed
StartPage-HP

Troj/StartPa-HN is a Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojstartpahn.html

Type Trojan

Aliases Trojan-Downloader.Win32.Small.bsj

Troj/Dloader-WP is a Trojan for the Windows platform.
Troj/Dloader-WP includes functionality to download, install and run new software.

http://www.sophos.com/virusinfo/analyses/trojdloaderwp.html

Type Trojan

Aliases Backdoor.Win32.Delf.xf

Troj/Subot-D is a backdoor Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojsubotd.html

Type Worm

Side effects Allows others to access the computer
Installs itself in the Registry
Exploits system or software vulnerabilities

W32/Rbot-ASW is an IRC worm and backdoor Trojan for the Windows platform.
W32/Rbot-ASW may spread by copying itself to network shares or by exploiting the vulnerabilities LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), WebDav (MS03-007), IIS5SSL (MS04-011), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware (CAN-2003-1030) or ASN.1 (MS04-007).
W32/Rbot-ASW runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotasw.html

Type Worm

Aliases W32/Sdbot.worm.gen.l

W32/Rbot-ASU is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-ASU spreads by copying itself to network shares protected by weak passwords and to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007).
W32/Rbot-ASU runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotasu.html

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Banbra.ek

Troj/Banker-FZ is a password stealing Trojan for the Windows platform.
Troj/Banker-FZ targets the customers of certain Brazilian online banking websites, by logging any keystrokes entered into any forms at those websites as well as creating screen grabs.

http://www.sophos.com/virusinfo/analyses/trojbankerfz.html

Type Trojan

Aliases Trojan-Spy.Win32.Banbra.ej

Troj/BankDl-O is a downloader Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojbankdlo.html

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Banbra.ej

Troj/BankDl-O is a downloader Trojan for the Windows platform.

http://www.sophos.com/virusinfo/analyses/trojbankdlo.html