VIRUS ALERTS - October 20, 2005

Oct 20, 2005 2:03AM PDT

W32/Rbot-ANK

Type Worm

Aliases Backdoor.Win32.Rbot.gen
W32.Spybot.Worm

W32/Rbot-ANK is a worm with backdoor functionality for the Windows platform.
W32/Rbot-ANK spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-ANK can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS04-007
W32/Rbot-ANK runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotank.html

W32/Rbot-AHQ
Oct 20, 2005 8:01AM PDT

Type Spyware Worm

Aliases Trojan.Win32.Crypt.d

W32/Rbot-AHQ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AHQ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-AHQ can spread to remote network shares protected by weak passwords and to computers vulnerable to common exploits, including LSASS (MS04-011), WKS (MS03-049), WebDav (MS03-007) and Veritas (CAN-2004-1172). For patches for the operating system vulnerabilities, see:
MS03-007
MS03-049
MS04-011

http://www.sophos.com/virusinfo/analyses/w32rbotahq.html

W32/Mytob-IU
Oct 20, 2005 8:02AM PDT

Type Worm

Aliases Net-Worm.Win32.Mytob.bi

W32/Mytob-IU is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-IU spreads through email. W32/Mytob-IU harvests email addresses from files on the infected computer and from the Windows address book. Email sent by W32/Mytob-IU has the following properties:
Subject line chosen from:
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Message text chosen from:

MORE: http://www.sophos.com/virusinfo/analyses/w32mytobiu.html
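The subject lines quoted in the Mytob-IU post are the one detection handle a mail administrator gets from the description. The following is an added example, not code from Sophos or from this thread: it parses raw RFC 2822 messages with Python's email module, normalises the Subject (reply/forward prefixes, case, spacing, trailing punctuation) and flags any message whose subject is one of the listed lures. The sample messages and addresses are constructed for the example.

```python
"""Screen inbound mail for the W32/Mytob-IU lure subjects quoted in the post.
Added example, not Sophos' or CNET's code. Sample messages are constructed."""
import email
import re
from email import policy

# Subject lines listed in the W32/Mytob-IU post (Sophos analysis).
MYTOB_IU_SUBJECTS = [
    "Your Account is Suspended",
    "*DETECTED* Online User Violation",
    "Your Account is Suspended For Security Reasons",
    "Warning Message: Your services near to be closed.",
    "Important Notification",
    "Members Support",
    "Security measures",
    "Email Account Suspension",
    "Notice of account limitation",
    "Your password has been updated",
    "Your password has been successfully updated",
    "You have successfully updated your password",
    "Your new account password is approved",
]

# Leading "Re:", "Fw:", "Fwd:" prefixes, possibly repeated.
_PREFIX_RE = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject: str) -> str:
    """Case-fold, strip reply/forward prefixes, collapse whitespace and drop
    trailing punctuation so trivial mutations of a lure still match."""
    s = _PREFIX_RE.sub("", subject.strip())
    s = re.sub(r"\s+", " ", s).casefold()
    return s.rstrip(" .!")


LURE_SET = {normalize_subject(s) for s in MYTOB_IU_SUBJECTS}


def is_mytob_iu_lure(subject: str) -> bool:
    """True when the subject, after normalisation, is one of the known lures."""
    return normalize_subject(subject) in LURE_SET


def screen_mailbox(raw_messages):
    """Return (Message-ID, Subject) for every raw message whose Subject matches.
    email.policy.default decodes encoded-word headers for us."""
    hits = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        subject = str(msg.get("Subject", "") or "")
        if is_mytob_iu_lure(subject):
            hits.append((str(msg.get("Message-ID", "<none>")), subject))
    return hits


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    "Message-ID: <1@example.test>\nFrom: support@example.test\n"
    "Subject: Your Account is Suspended\n\nbody\n",
    "Message-ID: <2@example.test>\nFrom: alice@example.test\n"
    "Subject: Re: lunch on Friday?\n\nbody\n",
    "Message-ID: <3@example.test>\nFrom: staff@example.test\n"
    "Subject: FW: your   password has been UPDATED\n\nbody\n",
    "Message-ID: <4@example.test>\nFrom: it@example.test\n"
    "Subject: Notice of account limitation!\n\nbody\n",
]

if __name__ == "__main__":
    for mid, subj in screen_mailbox(SAMPLE_MESSAGES):
        print(f"quarantine {mid}: {subj!r}")
```

A subject match on its own is a weak signal (legitimate account notices reuse some of these phrases), so in practice this check would be combined with sender and attachment checks before anything is quarantined rather than merely flagged.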

W32/Rbot-BWF
Oct 20, 2005 8:03AM PDT

Type Spyware Worm

Side effects Turns off anti-virus applications
Allows others to access the computer
Downloads code from the internet
Reduces system security
Records keystrokes

W32/Rbot-BWF is a network worm with backdoor Trojan functionality for the Windows platform.
W32/Rbot-BWF spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-BWF can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-BWF can be instructed by a remote user to perform the following functions:
start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software
Patches for the operating system vulnerabilities exploited by W32/Rbot-BWF can be obtained from Microsoft at:
MS01-059
MS03-007
MS04-011
MS04-012

http://www.sophos.com/virusinfo/analyses/w32rbotbwf.html

W32/Nanpy-F
Oct 20, 2005 8:04AM PDT

Type Spyware Worm

Aliases Backdoor.Win32.Nanspy.c
WORM_NANPY.A
W32.Kassbot.B

W32/Nanpy-F is a worm for the Windows platform.
The worm may also steal login details for the aforementioned websites and sends the collected information to a remote user via FTP.
The worm can download and execute additional files from a remote site.
W32/Nanpy-F spreads through networks to unpatched computers vulnerable to the RPC-DCOM exploit. Details on the RPC-DCOM vulnerability are available from Microsoft at:
MS04-012

http://www.sophos.com/virusinfo/analyses/w32nanpyf.html

Troj/Paymite-B
Oct 20, 2005 8:32AM PDT
W32/Sdbot-ACW
Oct 20, 2005 8:33AM PDT

Type Worm

Aliases WORM_RBOT.CDJ

W32/Sdbot-ACW is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-ACW spreads:
- to other network computers infected with W32/Sasser
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WINS (MS04-045) and MSSQL (MS02-039) (CAN-2002-0649)
- by copying itself to network shares protected by weak passwords
W32/Sdbot-ACW runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-ACW can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS04-045
MS02-039

http://www.sophos.com/virusinfo/analyses/w32sdbotacw.html

Troj/Killav-AN
Oct 20, 2005 8:34AM PDT
Troj/NtRootK-H
Oct 20, 2005 8:35AM PDT

Type Spyware Trojan

Aliases NTRootKit-E
Backdoor.Rtkit.B
BKDR_RTKIT.B

Troj/NtRootK-H is a rootkit.
When first run Troj/NtRootK-H copies itself to \RtKit\rtkit.exe and creates the following files:
\RtKit\globalc.dll - detected as Troj/NtRootK-H
\RtKit\npf.sys - generic packet filter driver
\RtKit\rtkit.log - this file is not malicious and can be deleted
Troj/NtRootK-H sets the following registry entry to run npf.sys at startup:
HKLM\SYSTEM\CurrentControlSet\Services\NPF
HKLM\SOFTWARE\rtkit\
Once installed, Troj/NtRootK-H opens a backdoor on TCP port 445 to await instructions from a remote attacker.
Troj/NtRootK-H then proceeds to stealth itself by hiding the folder RtKit from the Windows Explorer.
Troj/NtRootK-H includes functionality to:
- steal confidential information and log keystrokes
- carry out DDoS flooder attacks
- silently download software
- hide registry entries
- hide folders
- list, hide and terminate processes
- open a remote command shell

http://www.sophos.com/virusinfo/analyses/trojntrootkh.html
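The NtRootK-H post gives concrete host indicators (the RtKit files, the NPF service entry, the rtkit registry key and a backdoor on TCP 445). The following is an added example, not Sophos' or CNET's code, showing how to weigh those indicators against a host inventory. The HostSnapshot layout is an assumption made for the example and both sample snapshots are constructed. Two caveats are built in: npf.sys and the NPF service are also installed by WinPcap-based capture tools, and TCP 445 is the normal Windows SMB port owned by the System process, so neither counts on its own.

```python
"""Hunt for the Troj/NtRootK-H indicators quoted in the post above.
Added example, not Sophos' or CNET's code. The HostSnapshot layout is an
assumption made for the example; both sample snapshots are constructed."""
from dataclasses import dataclass, field


@dataclass
class HostSnapshot:
    """Evidence gathered from a host. Take it from an offline image or a clean
    boot where possible: the rootkit hides its RtKit folder from Explorer."""
    files: set                                       # file paths present on the volume
    registry: dict                                   # key path -> image path ("" if none)
    listeners: list = field(default_factory=list)    # (proto, port, owning image)


def norm(path: str) -> str:
    """Case-fold, unify separators and drop a trailing separator for comparisons."""
    return path.replace("/", "\\").rstrip("\\").casefold()


# Indicators from the Troj/NtRootK-H post (Sophos analysis).
RTKIT_EXE = norm(r"\RtKit\rtkit.exe")
RTKIT_DLL = norm(r"\RtKit\globalc.dll")
RTKIT_SYS = norm(r"\RtKit\npf.sys")
RTKIT_LOG = norm(r"\RtKit\rtkit.log")
RTKIT_REG = norm("HKLM\\SOFTWARE\\rtkit\\")
NPF_SERVICE = norm(r"HKLM\SYSTEM\CurrentControlSet\Services\NPF")


def ntrootk_findings(snap: HostSnapshot) -> dict:
    """Return strong and weak indicators; 'infected' is set only by a strong one.
    Weak indicators also occur on clean hosts: WinPcap registers an NPF service
    for its own npf.sys, and rtkit.log is inert by itself."""
    strong, weak = [], []
    for path in snap.files:
        p = norm(path)
        if p.endswith(RTKIT_EXE) or p.endswith(RTKIT_DLL) or p.endswith(RTKIT_SYS):
            strong.append(f"file {path}")
        elif p.endswith(RTKIT_LOG):
            weak.append(f"file {path}")
    for key, image in snap.registry.items():
        k = norm(key)
        if k == RTKIT_REG:
            strong.append(f"registry {key}")
        elif k == NPF_SERVICE:
            # The service is only damning when it loads the driver from \RtKit\.
            if "\\rtkit\\" in norm(image):
                strong.append(f"service NPF loads {image}")
            else:
                weak.append("service NPF registered (WinPcap also installs npf.sys)")
    # TCP 445 is Windows' SMB port and is normally owned by the System process,
    # so only a listener owned by some other image is a signal.
    for proto, port, image in snap.listeners:
        if proto == "tcp" and port == 445 and norm(image) != "system":
            strong.append(f"tcp/445 listener owned by {image}")
    return {"strong": strong, "weak": weak, "infected": bool(strong)}


# Constructed snapshots: one matching the post's description, one clean host
# that merely has WinPcap installed.
INFECTED = HostSnapshot(
    files={r"C:\RtKit\rtkit.exe", r"C:\RtKit\globalc.dll",
           r"C:\RtKit\npf.sys", r"C:\RtKit\rtkit.log"},
    registry={r"HKLM\SYSTEM\CurrentControlSet\Services\NPF": r"C:\RtKit\npf.sys",
              "HKLM\\SOFTWARE\\rtkit\\": ""},
    listeners=[("tcp", 445, "System"), ("tcp", 445, r"C:\RtKit\rtkit.exe")],
)
CLEAN = HostSnapshot(
    files={r"C:\Windows\System32\drivers\npf.sys"},
    registry={r"HKLM\SYSTEM\CurrentControlSet\Services\NPF": r"system32\drivers\npf.sys"},
    listeners=[("tcp", 445, "System")],
)

if __name__ == "__main__":
    for name, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, ntrootk_findings(snap))
```

On a real machine the three collections would be filled from a file walk of the mounted volume, the exported Services and SOFTWARE hives, and the process-to-port table; the scoring stays the same.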

W32/Agobot-TG
Oct 20, 2005 8:36AM PDT
W32/Rbot-ANC
Oct 20, 2005 8:37AM PDT
Troj/Dadobra-CK
Oct 20, 2005 8:38AM PDT
Troj/OptixP-C
Oct 20, 2005 8:39AM PDT
Troj/Bancos-EE
Oct 20, 2005 8:40AM PDT

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Bancos.ha
PWS-Banker.gen.ba
PWSteal.Bancos

Troj/Bancos-EE is an Internet Banking Trojan for the Windows platform.
Troj/Bancos-EE targets the users of several Brazilian banks, by monitoring the user's internet activity and displaying fake login pages if the user visits certain predefined URLs. Any login details entered on the fake pages are logged.
Troj/Bancos-EE contains the functionality to email these logged details to a remote user.

http://www.sophos.com/virusinfo/analyses/trojbancosee.html

Troj/Dloader-WO
Oct 20, 2005 3:34PM PDT

Type Trojan

Side effects Turns off anti-virus applications
Downloads code from the internet
Installs itself in the Registry

Troj/Dloader-WO is a downloader Trojan for the Windows platform.
The Trojan attempts to download and install further software and disable Microsoft Anti-Spyware. Troj/Dloader-WO may also monitor user activity.

http://www.sophos.com/virusinfo/analyses/trojdloaderwo.html

Troj/StartPa-HN
Oct 20, 2005 3:35PM PDT
Troj/Dloader-WP
Oct 20, 2005 3:36PM PDT
Troj/Subot-D
Oct 20, 2005 3:37PM PDT
W32/Rbot-ASW
Oct 20, 2005 3:38PM PDT

Type Worm

Side effects Allows others to access the computer
Installs itself in the Registry
Exploits system or software vulnerabilities

W32/Rbot-ASW is an IRC worm and backdoor Trojan for the Windows platform.
W32/Rbot-ASW may spread by copying itself to network shares or by exploiting the vulnerabilities LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), WebDav (MS03-007), IIS5SSL (MS04-011), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware (CAN-2003-1030) or ASN.1 (MS04-007).
W32/Rbot-ASW runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotasw.html

W32/Rbot-ASU
Oct 20, 2005 3:39PM PDT

Type Worm

Aliases W32/Sdbot.worm.gen.l

W32/Rbot-ASU is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-ASU spreads by copying itself to network shares protected by weak passwords and to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007).
W32/Rbot-ASU runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotasu.html
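The Rbot, Sdbot and Nanpy posts in this thread all spread through the same handful of Microsoft bulletins plus weak share passwords, so the useful question for an administrator is which bulletins close the most of them and which worms remain a risk after a given patch set. The following is an added example, not code from Sophos or from this thread: it pulls bulletin and CAN identifiers out of the advisory excerpts with a regular expression, ranks bulletins by how many worms cite them, and reports the residual exposure for a set of applied bulletins. The excerpts are taken from the posts above; the applied-patch sets in the test are constructed.

```python
"""Rank Microsoft bulletins by how many worms in this thread exploit them and
report what stays exposed after a patch set. Added example, not Sophos' or
CNET's code; the excerpts below are quoted from the posts in this thread."""
import re
from collections import Counter

BULLETIN_RE = re.compile(r"\bMS\d{2}-\d{3}\b")
CAN_RE = re.compile(r"\bCAN-\d{4}-\d{4}\b")

# Spread-vector excerpts from the posts (Sophos analyses), keyed by worm name.
ADVISORIES = {
    "W32/Rbot-ANK": "LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) "
                    "and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords",
    "W32/Rbot-AHQ": "LSASS (MS04-011), WKS (MS03-049), WebDav (MS03-007) and Veritas (CAN-2004-1172) "
                    "remote network shares protected by weak passwords",
    "W32/Rbot-BWF": "MS01-059 MS03-007 MS04-011 MS04-012 "
                    "exploiting weak passwords on computers and SQL servers",
    "W32/Nanpy-F": "unpatched computers vulnerable to the RPC-DCOM exploit MS04-012",
    "W32/Sdbot-ACW": "LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), "
                     "WINS (MS04-045) and MSSQL (MS02-039) (CAN-2002-0649) "
                     "network shares protected by weak passwords",
    "W32/Rbot-ASW": "LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), WebDav (MS03-007), "
                    "IIS5SSL (MS04-011), UPNP (MS01-059), Veritas (CAN-2004-1172), "
                    "Dameware (CAN-2003-1030) or ASN.1 (MS04-007)",
    "W32/Rbot-ASU": "RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) "
                    "network shares protected by weak passwords",
}


def extract_vectors(text: str) -> dict:
    """Pull the patchable bulletins, the third-party CAN ids (Veritas, Dameware,
    which no Microsoft bulletin covers) and the weak-password vector from an excerpt."""
    return {
        "bulletins": set(BULLETIN_RE.findall(text)),
        "cves": set(CAN_RE.findall(text)),
        "weak_passwords": "weak password" in text.casefold(),
    }


def patch_priority(advisories: dict) -> list:
    """Bulletins ordered by the number of worms that cite them (most first)."""
    counts = Counter()
    for text in advisories.values():
        counts.update(extract_vectors(text)["bulletins"])
    return counts.most_common()


def residual_exposure(advisories: dict, applied) -> dict:
    """Worms that still have a way in: a bulletin not yet applied, or the
    weak-share-password vector, which no patch closes."""
    applied = set(applied)
    exposed = {}
    for name, text in advisories.items():
        v = extract_vectors(text)
        missing = v["bulletins"] - applied
        if missing or v["weak_passwords"]:
            exposed[name] = {"unpatched": sorted(missing),
                             "weak_passwords": v["weak_passwords"],
                             "third_party": sorted(v["cves"])}
    return exposed


if __name__ == "__main__":
    for bulletin, n in patch_priority(ADVISORIES):
        print(f"{bulletin}: cited by {n} worm(s)")
    # Constructed patch set: only the two most-cited bulletins applied.
    for worm, why in residual_exposure(ADVISORIES, {"MS04-011", "MS04-012"}).items():
        print(worm, why)
```

The point the ranking makes is that even with every bulletin applied, five of the seven worms still list weak share passwords as a vector, which is why the Sophos descriptions keep pairing the patch list with a password warning.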

Troj/Banker-FZ
Oct 20, 2005 3:40PM PDT

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Banbra.ek

Troj/Banker-FZ is a password stealing Trojan for the Windows platform.
Troj/Banker-FZ targets the customers of certain Brazilian online banking websites, by logging any keystrokes entered into any forms at those websites as well as creating screen grabs.

http://www.sophos.com/virusinfo/analyses/trojbankerfz.html

Troj/BankDl-O
Oct 20, 2005 3:41PM PDT
Troj/Banker-FY
Oct 20, 2005 3:42PM PDT