
VIRUS ALERTS - October 28, 2005

Oct 27, 2005 11:51PM PDT

W32/Rbot-ATQ

Type Worm

Aliases WORM_RBOT.COF

W32/Rbot-ATQ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-ATQ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotatq.html

Troj/Mdrop-BJ
Oct 27, 2005 11:53PM PDT

Troj/LegMir-BI
Oct 27, 2005 11:55PM PDT

Troj/RuinDl-E
Oct 27, 2005 11:57PM PDT

Troj/Psyme-CM
Oct 27, 2005 11:59PM PDT

Troj/Psyme-CL
Oct 28, 2005 12:01AM PDT

Type Trojan

Aliases Trojan-Downloader.VBS.Iwill.g

Troj/Psyme-CL is a downloader Trojan for the Windows platform.
The Trojan attempts to terminate processes named outpost.exe and drweb32.exe and then downloads and executes a file from the internet.

http://www.sophos.com/virusinfo/analyses/trojpsymecl.html

Troj/Dloader-XD
Oct 28, 2005 12:03AM PDT

W32/Rbot-ATP
Oct 28, 2005 12:08AM PDT

Type Worm

Aliases W32/Sdbot.worm.gen.bh

W32/Rbot-ATP is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-ATP spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012) and PNP (MS05-039) and by copying itself to network shares protected by weak passwords.
W32/Rbot-ATP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotatp.html

W32/Rbot-ATR
Oct 28, 2005 12:10AM PDT

Type Worm

Aliases WORM_RBOT.COT

W32/Rbot-ATR is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-ATR spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), Veritas (CAN-2004-1172), MSSQL (MS02-039) (CAN-2002-0649), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Rbot-ATR runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotatr.html

W32/Sdbot-AFA
Oct 28, 2005 12:17AM PDT

Type Spyware Worm

Aliases Backdoor.Win32.Aimbot.ap

W32/Sdbot-AFA is a worm for the Windows platform.
W32/Sdbot-AFA runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Sdbot-AFA monitors the status of AOL Instant Messenger (AIM) and attempts to send itself to online contacts.

http://www.sophos.com/virusinfo/analyses/w32sdbotafa.html

W32/Sdbot-CLY
Oct 28, 2005 12:19AM PDT

Type Spyware Worm

Aliases WORM_SDBOT.CLY

W32/Sdbot-CLY is a worm for the Windows platform.
W32/Sdbot-CLY runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Sdbot-CLY monitors the status of AOL Instant Messenger (AIM) and attempts to send itself to online contacts.

http://www.sophos.com/virusinfo/analyses/w32sdbotcly.html

Troj/Banker-GD
Oct 28, 2005 2:01AM PDT

Troj/Cosdoor-A
Oct 28, 2005 2:04AM PDT

Troj/BeastDo-AB
Oct 28, 2005 2:14AM PDT

Troj/Restrict-C
Oct 28, 2005 2:19AM PDT

Type Trojan

Aliases Trojan.Win32.LowZones.ba

Troj/Restrict-C adds registry entries that add certain web sites and certain IP address ranges to Internet Explorer's 'Restricted sites' Web content zone. These web sites and IP addresses are then subject to the security restrictions of the 'Restricted sites' zone.

http://www.sophos.com/virusinfo/analyses/trojrestrictc.html

Troj/PcClient-N
Oct 28, 2005 2:30AM PDT

Troj/Bancban-GV
Oct 28, 2005 2:32AM PDT

Troj/Bancban-GX
Oct 28, 2005 2:41AM PDT

Type Spyware Trojan

Aliases
Trojan-Spy.Win32.Banker.agq
PWS-Banker.gen.bb
TSPY_BANCOS.AYG

Troj/Bancban-GX is an information stealing Trojan for the Windows platform.
Troj/Bancban-GX includes functionality to send notification messages to remote locations.

http://www.sophos.com/virusinfo/analyses/trojbancbangx.html

Troj/Banker-GC
Oct 28, 2005 2:42AM PDT

Type Spyware Trojan

Aliases Trojan-Spy.Win32.Delf.ij

Troj/Banker-GC is an information stealing Trojan for the Windows platform.
Troj/Banker-GC includes functionality to access the internet and communicate with a remote server via HTTP.
When first run Troj/Banker-GC copies itself to the Windows system folder.

http://www.sophos.com/virusinfo/analyses/trojbankergc.html

W32/Agobot-TY
Oct 28, 2005 2:46AM PDT

Type Spyware Worm

W32/Agobot-TY is a worm and IRC backdoor Trojan for the Windows platform.
W32/Agobot-TY spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), UPNP (MS01-059), Veritas (CAN-2004-1172), MSSQL (MS02-039) (CAN-2002-0649), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Agobot-TY runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The following patches for the operating system vulnerabilities exploited by W32/Agobot-TY can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

http://www.sophos.com/virusinfo/analyses/w32agobotty.html

W32/Rbot-AUB
Oct 28, 2005 2:51AM PDT

Type Spyware Worm

Aliases Backdoor.Win32.Aimbot.af

W32/Rbot-AUB is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AUB spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007).
When first run W32/Rbot-AUB creates the file <System>\rofl.sys.
The file rofl.sys is detected as Troj/RKPort-Fam.
W32/Rbot-AUB includes functionality to:
- access the internet and communicate with a remote server via HTTP
- steal information
- carry out DDoS attacks
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AUB can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotaub.html

W32/Randex-Y
Oct 28, 2005 3:58AM PDT

Type Worm

Aliases
WORM_RANDEX.GEN
Backdoor.IRCBot.gen

W32/Randex-Y is a network worm with backdoor capabilities which allows a remote intruder to access and control the computer via IRC channels.
W32/Randex-Y chooses IP addresses at random and tries to connect to the IPC$ share using simple passwords. If the connection is successful the worm copies itself to the following remote locations:
\ADMIN$\system32\msnv32.exe
\C$\WINNT\system32\msnv32.exe
W32/Randex-Y then schedules a job to execute the remotely created files.
Each time the worm is run it tries to connect to a remote IRC server and join a specific channel. The worm then runs in the background as a server process listening for commands to execute.
When first run the worm copies itself to the Windows system folder as IRBMe.exe and adds the following registry entries to point to this copy of the worm to ensure it is run at system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IRBMe Sucks!!
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\IRBMe Sucks!!
W32/Randex-Y may also create the file remove.bat in the Windows temp folder. This file is not malicious and can simply be deleted.

http://www.sophos.com/virusinfo/analyses/w32randexy.html

Troj/Troll-A
Oct 28, 2005 4:01AM PDT

Type Trojan

Aliases TrojanDownloader.Win32.Troll

Troj/Troll-A is a downloader which can be configured to fetch files from up to three URLs and save them to the Windows folder, System folder or temporary folder. The downloaded file(s) will then be executed.
Troj/Troll-A may also send a message to an ICQ account and/or delete itself after successfully downloading the files.

http://www.sophos.com/virusinfo/analyses/trojtrolla.html

W32/SdBot-T
Oct 28, 2005 4:03AM PDT

Type Worm

Aliases
Backdoor.SdBot.gen
W32/Sdbot.worm.gen
BKDR_SDBOT.GEN

W32/SdBot-T is a worm which attempts to spread to remote shares which have weak passwords. The worm also allows unauthorised remote access to the computer via IRC channels.
W32/SdBot-T copies itself to the Windows system folder as MAIN.EXE and creates entries in the registry in the following locations to run itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

http://www.sophos.com/virusinfo/analyses/w32sdbott.html

W32/SdBot-U
Oct 28, 2005 4:05AM PDT

Type Worm

Aliases
Backdoor.SdBot.gen
W32/Sdbot.worm.gen
BKDR_SDBOT.GEN

W32/SdBot-U is a worm which attempts to spread to remote shares which have weak passwords. The worm also allows unauthorised remote access to the computer via IRC channels.
W32/SdBot-U copies itself to the Windows system folder as WIN32OP.EXE and creates entries in the registry in the following locations to run itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

http://www.sophos.com/virusinfo/analyses/w32sdbotu.html

W32/Agobot-BW
Oct 28, 2005 4:07AM PDT

Type Worm

Aliases WORM_AGOBOT.CK

W32/Agobot-BW is a network worm which also allows unauthorised remote access to the computer via IRC channels.
W32/Agobot-BW copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
These vulnerabilities allow the worm to execute its code on target computers with System level privileges. For further information on these vulnerabilities and for details on how to protect/patch the computer against such attacks please see Microsoft security bulletins MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft security bulletin MS03-039.
W32/Agobot-BW drops a copy of itself to the Windows system folder as cpuidlexp.exe and creates the following registry entries to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CPU Idle
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\CPU Idle
W32/Agobot-BW attempts to terminate various processes related to anti-virus and security software (e.g. SWEEP95.EXE, BLACKICE.EXE and ZONEALARM.EXE).
W32/Agobot-BW collects system information and registration keys of popular games that are installed on the computer.

http://www.sophos.com/virusinfo/analyses/w32agobotbw.html

W32/Agobot-BX
Oct 28, 2005 4:10AM PDT

Type Worm

Aliases
WORM_AGOBOT.FB
Backdoor.Agobot.3.gen
W32.HLLW.Gaobot.FB
BKDR_SDBOT.GEN


W32/Agobot-BX is a network worm which also allows unauthorised remote access to the computer via IRC channels.
W32/Agobot-BX copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
These vulnerabilities allow the worm to execute its code on target computers with System level privileges. For further information on these vulnerabilities and for details on how to protect/patch the computer against such attacks please see Microsoft security bulletins MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft security bulletin MS03-039.
W32/Agobot-BX drops a copy of itself to the Windows system folder as wsys32.exe and creates the following registry entries to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Configuration
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows configuration
W32/Agobot-BX attempts to terminate various processes related to anti-virus and security software (e.g. SWEEP95.EXE, BLACKICE.EXE and ZONEALARM.EXE).
W32/Agobot-BX collects system information and registration keys of popular games that are installed on the computer.

http://www.sophos.com/virusinfo/analyses/w32agobotbx.html

W32/Agobot-CC
Oct 28, 2005 4:12AM PDT

Type Worm

Aliases
Backdoor.Agobot.3.gen
WORM_AGOBOT.CD
Win32/Agobot.3.FU

W32/Agobot-CC is a network worm which also allows unauthorised remote access to the computer via IRC channels.
W32/Agobot-CC attempts to copy itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
These vulnerabilities allow the worm to execute its code on target computers with System level privileges. For further information on these vulnerabilities and for details on how to protect/patch the computer against such attacks please see Microsoft security bulletins MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft security bulletin MS03-039.
W32/Agobot-CC moves itself to the Windows system folder as LSASS.EXE and creates entries in the registry at the following locations to run itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SYSTEM\CurrentControlSet\Services\Driver\ImagePath
Each time W32/Agobot-CC is run it attempts to connect to a remote IRC server and join a specific channel.
W32/Agobot-CC attempts to terminate various anti-virus and security processes, e.g. sweep95, blackice and zonealarm. The worm also attempts to terminate processes related to W32/Blaster-A and its variants, e.g. MSBLAST.EXE, *****32.EXE and DLLHOST.EXE.

http://www.sophos.com/virusinfo/analyses/w32agobotcc.html
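Several of the write-ups in this thread give the same two kinds of host indicator: autorun entries under the Run and RunServices keys (W32/Randex-Y, W32/SdBot-T, W32/SdBot-U, W32/Agobot-BW, W32/Agobot-BX, and the Services\Driver\ImagePath entry of W32/Agobot-CC) and, for Troj/Restrict-C, web sites and IP ranges pushed into Internet Explorer's 'Restricted sites' zone. The script below is an added example by the editor, not code from the thread or from Sophos: it parses a registry export and flags the entry names and image file names quoted in the posts above, plus any ZoneMap addition to zone 4. It assumes the input is a standard .reg export, that IE keeps per-site zone assignments under Internet Settings\ZoneMap\Domains and \Ranges, and that zone id 4 is 'Restricted sites'; the export it runs on is a constructed sample, not data from any infected machine.

```python
import re

# Autorun value names and image file names quoted in the Sophos write-ups above.
KNOWN_AUTORUN_NAMES = {
    "irbme sucks!!",          # W32/Randex-Y
    "cpu idle",               # W32/Agobot-BW
    "windows configuration",  # W32/Agobot-BX
}
KNOWN_IMAGE_NAMES = {
    "irbme.exe", "msnv32.exe",  # W32/Randex-Y
    "main.exe",                 # W32/SdBot-T
    "win32op.exe",              # W32/SdBot-U
    "cpuidlexp.exe",            # W32/Agobot-BW
    "wsys32.exe",               # W32/Agobot-BX
}
RESTRICTED_SITES_ZONE = 4  # assumption: IE zone id for 'Restricted sites'

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    Quoted strings are unescaped, dword values become ints, other types stay raw."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2).strip()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            reg[key][name] = data
    return reg


def image_name(command):
    """Lower-cased file name of the executable in a Run/ImagePath command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(reg):
    """Return (kind, key, value_name, data) tuples for the indicators described above."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        parent, last = (k.rsplit("\\", 1) + [""])[:2] if "\\" in k else ("", k)
        if last in ("run", "runservices") and parent.endswith("\\microsoft\\windows\\currentversion"):
            for name, data in values.items():
                if isinstance(data, str) and (
                    name.lower() in KNOWN_AUTORUN_NAMES or image_name(data) in KNOWN_IMAGE_NAMES
                ):
                    findings.append(("autorun", key, name, data))
        elif last == "driver" and "\\currentcontrolset\\services" in parent:
            # W32/Agobot-CC registers itself via Services\Driver\ImagePath
            if isinstance(values.get("ImagePath"), str):
                findings.append(("service", key, "ImagePath", values["ImagePath"]))
        elif "\\zonemap\\domains\\" in k:
            for name, data in values.items():
                if data == RESTRICTED_SITES_ZONE:
                    findings.append(("restricted-domain", key, name, data))
        elif "\\zonemap\\ranges\\" in k and values.get("*") == RESTRICTED_SITES_ZONE:
            findings.append(("restricted-range", key, ":Range", values.get(":Range")))
    return findings


# Constructed sample export (not real data): two worm-style autoruns, one benign
# updater, an Agobot-CC style service entry, one Restricted-sites domain and range,
# and one domain assigned to the Local intranet zone (1) that must not be flagged.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IRBMe Sucks!!"="C:\\WINNT\\system32\\IRBMe.exe"
"SomeUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Service Host"="C:\\WINNT\\system32\\win32op.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Driver]
"ImagePath"="C:\\WINNT\\System\\LSASS.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="192.0.2.0-192.0.2.255"
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"http"=dword:00000001
"""

if __name__ == "__main__":
    for kind, key, name, data in audit(parse_reg(SAMPLE_EXPORT)):
        print(f"{kind:18} {key}  [{name}] = {data!r}")
```

On a live system the export would come from `reg export` of the HKLM Run/RunServices, Services and HKCU ZoneMap keys; matching on the quoted names alone is deliberately narrow, so a real review should also list every autorun whose image sits outside a known-good path, since the name-only hits above only catch the samples this thread describes.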

Troj/Squado-A
Oct 28, 2005 5:20AM PDT

Troj/Psyme-CK
Oct 28, 2005 5:22AM PDT

Troj/Chorus-B
Oct 28, 2005 5:24AM PDT