
VIRUS ALERTS - October 25, 2005

Oct 24, 2005 9:30PM PDT

W32/Tilebot-P

Type Worm

Aliases Backdoor.Win32.SdBot.aad

W32/Tilebot-P is a worm and IRC backdoor Trojan for the Windows platform.
W32/Tilebot-P spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011) and RPC-DCOM (MS04-012), and by copying itself to network shares protected by weak passwords.
The following patches for the operating system vulnerabilities exploited by W32/Tilebot-P can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

W32/Tilebot-P runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Tilebot-P includes functionality to access the internet and communicate with a remote server via HTTP.
When first run, W32/Tilebot-P copies itself to <Windows>\msconfig32.exe and creates the file <System>\rdriv.sys.
The file rdriv.sys is detected as Troj/Rootkit-W.

http://www.sophos.com/virusinfo/analyses/w32tilebotp.html

Troj/Delf-LG
Oct 24, 2005 9:33PM PDT

Type Trojan

Troj/Delf-LG is a downloader Trojan for the Windows platform.
The Trojan is installed as a Browser Helper Object (BHO), creating registry entries in the following locations:
HKCR\CLSID\{B212D577-05B7-4963-911E-4A8588160DFA}
HKCU\Software\Microsoft\style32
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\style32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

http://www.sophos.com/virusinfo/analyses/trojdelflg.html

Troj/Dloader-TU
Oct 24, 2005 9:35PM PDT

Type Trojan

Aliases
Trojan.Win32.Dialer.ks
QDial-34

Troj/Dloader-TU is a downloader Trojan for the Windows platform.
Troj/Dloader-TU includes functions that download and install other software from the internet. At the time of writing the downloaded software is detected by Sophos's anti-virus products as Troj/Delf-LG.

http://www.sophos.com/virusinfo/analyses/trojdloadertu.html

Troj/Haxdoor-ED
Oct 24, 2005 9:37PM PDT

Type Spyware Trojan

Aliases Backdoor.Win32.Haxdoor.ed

Troj/Haxdoor-ED is a Trojan for the Windows platform.
Troj/Haxdoor-ED is a backdoor Trojan which allows remote attackers the ability to gain access and control over the infected computer. The Trojan attempts to steal login details for WebMoney and other online accounts.

http://www.sophos.com/virusinfo/analyses/trojhaxdoored.html

Troj/Banker-FJ
Oct 24, 2005 9:39PM PDT

Type Spyware Trojan

Aliases
Trojan-Spy.Win32.Banker.ju
PWSteal.Banpaes

Troj/Banker-FJ is a Trojan for the Windows platform.
Troj/Banker-FJ includes functionality to access the internet and communicate with a remote server via HTTP.
The Trojan displays fake login pages for certain banking sites and attempts to steal usernames and passwords. The Trojan sends the stolen credentials to a remote user.

http://www.sophos.com/virusinfo/analyses/trojbankerfj.html

Troj/Bancos-GQ
Oct 24, 2005 9:41PM PDT

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Bancos.gq

Troj/Bancos-GQ is a Trojan for the Windows platform.
Troj/Bancos-GQ monitors internet sessions for traffic to certain banking websites. The Trojan displays fake login pages in an attempt to steal account credentials and sends them to a remote user via email.

http://www.sophos.com/virusinfo/analyses/trojbancosgq.html

Troj/Spyjack-E
Oct 24, 2005 10:00PM PDT

Type Trojan

Troj/Spyjack-E is a Trojan for the Windows platform.
Troj/Spyjack-E replaces the Desktop wallpaper with the following message:
Your computer might be infected with spyware or adware !!!
Strange homepage, popups, loss of important data and unstable functioning are the sure signs that you are infected.
Click here to get the latest spyware removal software.
Your computer is still vulnerable to new attacks !!!
The Spyjack-E Trojan horse changes the Desktop wallpaper.
Troj/Spyjack-E has an icon in the system tray that displays the fake warning message:
Your computer is infected!
Click here to protect your computer from spyware / virus threat.
The Spyjack-E Trojan horse displays a fake warning message in the system tray.
If the user clicks on this icon or the displayed message, then Troj/Spyjack-E will open a web page selling software purported to solve this problem.
Troj/Spyjack-E includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/virusinfo/analyses/trojspyjacke.html

Troj/Dloader-TQ
Oct 24, 2005 10:02PM PDT

Type Trojan

Aliases Trojan-Downloader.Win32.VB.ne

Troj/Dloader-TQ is a Downloader Trojan for the Windows platform.
Troj/Dloader-TQ includes functionality to access the internet and communicate with a remote server via HTTP.
The Trojan may set the following registry values:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
protect
\protect.scr

http://www.sophos.com/virusinfo/analyses/trojdloadertq.html

Troj/NtRootK-I
Oct 24, 2005 10:05PM PDT

Type Spyware Trojan

Aliases
Backdoor.Win32.RtKit.121
NTRootKit-E.dll
BKDR_RTKIT.121

Troj/NtRootK-I is a kernel driver rootkit.
Once installed, Troj/NtRootK-I opens a backdoor on TCP port 445 to await instructions from a remote attacker.
Troj/NtRootK-I then proceeds to stealth itself by hiding the folder RtKit from the Windows Explorer.
Troj/NtRootK-I includes functionality to:
- steal confidential information and log keystrokes
- carry out DDoS flooder attacks
- silently download software
- hide registry entries
- hide folders
- list, hide and terminate processes
- open a remote command shell

http://www.sophos.com/virusinfo/analyses/trojntrootki.html

W32/Rbot-AND
Oct 24, 2005 10:07PM PDT

Type Spyware Worm

W32/Rbot-AND is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AND spreads:
- to other network computers infected with: Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), UPNP (MS01-059) and Dameware (CAN-2003-1030)
- by copying itself to network shares protected by weak passwords
W32/Rbot-AND runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AND can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotand.html

W32/Loosky-A
Oct 25, 2005 1:19AM PDT

Type Spyware Worm

Aliases
Email-Worm.Win32.Loosky.a
W32/Loosky@MM
W32/Loosky-A is a mass-mailing worm for the Windows platform.
When first run, W32/Loosky-A copies itself to temp.bak.
W32/Loosky-A can spread by sending itself as an email attachment to email addresses harvested from the infected computer.
Emails sent by the worm have the following properties:
Subject line: Skylook for Skype
Message text:
Hello, You asked me to send you Skylook - here it is:
With Skylook, you can get 1 hour of world-wide calls FREE!
Voice Calls (as MP3), Instant Messages, Email, Appointments, Contacts all organized and under control in Microsoft Outlook!
Halloween Special!
Try it before October 31 and receive 1 hour of free world-wide calls (SkypeOut). Also You`ll get 40% off a business license or 30% off a home license.
Use Skylook 1.0 to record Skype VoIP Calls to MP3!
Skylook attache
Attached filename: skylook_1.exe
W32/Loosky-A also includes functionality to harvest information from the Windows Address Book and from RIT The Bat!

http://www.sophos.com/virusinfo/analyses/w32looskya.html

Troj/Multidr-EP
Oct 25, 2005 1:21AM PDT
Troj/PWSteal-D
Oct 25, 2005 1:25AM PDT
Troj/Proxy-V
Oct 25, 2005 1:32AM PDT

Type Trojan

Aliases
Trojan-Proxy.Win32.Daemonize.bp
Proxy-Agent.ac

Troj/Proxy-V is a backdoor Trojan for the Windows platform.
Once installed, Troj/Proxy-V connects to a remote server and provides a proxy server relaying internet traffic.

http://www.sophos.com/virusinfo/analyses/trojproxyv.html

Troj/Dloader-WW
Oct 25, 2005 1:34AM PDT
Troj/Dloader-WV
Oct 25, 2005 1:37AM PDT
Troj/Proxy-W
Oct 25, 2005 1:39AM PDT

Type Trojan

Aliases
Trojan-Proxy.Win32.Daemonize.bq
Proxy-Agent.ac

Troj/Proxy-W is a backdoor Trojan for the Windows platform.
Once installed, Troj/Proxy-W connects to a remote server and provides a proxy server relaying internet traffic.

http://www.sophos.com/virusinfo/analyses/trojproxyw.html

Troj/Bdoor-JP
Oct 25, 2005 1:40AM PDT

Type Trojan

Aliases
Backdoor.Win32.Agent.pg
BackDoor-CVG

Troj/Bdoor-JP is a backdoor Trojan for the Windows platform.
Once installed, Troj/Bdoor-JP opens a listening port on TCP port 321 awaiting commands from a remote intruder.
Troj/Bdoor-JP includes functionality to:
- read/copy/move files
- navigate and browse folders on the infected computer
- download files from the internet without user notification and run them

http://www.sophos.com/virusinfo/analyses/trojbdoorjp.html

Troj/Bancos-FE
Oct 25, 2005 1:43AM PDT
W32/Rbot-ATD
Oct 25, 2005 1:45AM PDT

Type Spyware Worm

Aliases W32.Spybot.YQW

W32/Rbot-ATD is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-ATD spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and ASN.1 (MS04-007), and by copying itself to network shares protected by weak passwords.
W32/Rbot-ATD runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-ATD can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotatd.html

Troj/Flood-EU
Oct 25, 2005 1:47AM PDT
Troj/Dropper-BJ
Oct 25, 2005 1:55AM PDT
Troj/Rider-AA
Oct 25, 2005 1:57AM PDT
W32/Rbot-APU
Oct 25, 2005 2:58AM PDT

Type Worm

Aliases
Backdoor.Win32.Rbot.gen
W32/Sdbot.worm.gen.ac

W32/Rbot-APU is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-APU spreads:
- to other network computers infected with W32/Sasser
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), Veritas (CAN-2004-1172), WINS (MS04-045), MSSQL (MS02-039) (CAN-2002-0649), PNP (MS05-039) and ASN.1 (MS04-007)
- to other network computers running MSSQL servers protected by weak passwords
- by copying itself to network shares protected by weak passwords
W32/Rbot-APU runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotapu.html

W32/Rbot-APV
Oct 25, 2005 3:01AM PDT

Type Worm

Aliases
Backdoor.Win32.Rbot.zd
W32/Sdbot.worm.gen.m
W32.Spybot.Worm

W32/Rbot-APV is a worm for the Windows platform.
W32/Rbot-APV spreads:
- to other network computers infected with W32/Sasser
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WINS (MS04-045), MSSQL (MS02-039) (CAN-2002-0649) and ASN.1 (MS04-007)
- to other network computers running MSSQL servers protected by weak passwords
- by copying itself to network shares protected by weak passwords
W32/Rbot-APV attempts to stealth itself.
W32/Rbot-APV attempts to terminate processes and services related to anti-virus and security programs.
W32/Rbot-APV may attempt to modify the HOSTS file to prevent access to certain websites.

http://www.sophos.com/virusinfo/analyses/w32rbotapv.html

W32/Rbot-APX
Oct 25, 2005 3:03AM PDT

Type Worm

Aliases
Backdoor.Win32.Rbot.adf
W32/Sdbot.worm.gen.ac
W32.Spybot.Worm

W32/Rbot-APX is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-APX spreads:
- to other network computers infected with: Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), UPNP (MS01-059), Veritas (CAN-2004-1172), Dameware (CAN-2003-1030) and ASN.1 (MS04-007)
- to other network computers running MSSQL servers protected by weak passwords
- by copying itself to network shares protected by weak passwords
W32/Rbot-APX runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotapx.html

Troj/Bancban-FT
Oct 25, 2005 3:07AM PDT

Type Spyware Trojan

Aliases
Trojan-Spy.Win32.Banbra.dy
PWS-Banker.gen.b

Troj/Bancban-FT is a password-stealing Trojan targeted at customers of certain Brazilian banks.
Troj/Bancban-FT attempts to log keypresses entered into certain websites. The Trojan displays fake user interfaces in order to persuade the user to enter confidential details. Stolen information is sent by email to a remote user.
Troj/Bancban-FT may display a message box with the title "Warning" and the following text:
Run-time error 53.
Invalid adress ffff:0d2f

http://www.sophos.com/virusinfo/analyses/trojbancbanft.html

W32/Rbot-APY
Oct 25, 2005 3:09AM PDT

Type Worm

Aliases
Backdoor.Win32.Rbot.adm
W32/Sdbot.worm.gen.by
W32.Spybot.Worm

W32/Rbot-APY is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-APY spreads:
- to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012) and ASN.1 (MS04-007)
- by copying itself to network shares protected by weak passwords
W32/Rbot-APY runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotapy.html

W32/Rbot-APZ
Oct 25, 2005 3:20AM PDT

Type Worm

Aliases Backdoor.Win32.IRCBot.az

W32/Rbot-APZ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-APZ spreads to other network computers infected with: Troj/Kuang, Troj/Sub7, W32/Sasser, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix and to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), UPNP (MS01-059), Dameware (CAN-2003-1030) and ASN.1 (MS04-007).

http://www.sophos.com/virusinfo/analyses/w32rbotapz.html

Troj/LegMir-BB
Oct 25, 2005 3:46AM PDT
Troj/QQPass-AB
Oct 25, 2005 3:49AM PDT