Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - September 4, 2005

by roddy32 / September 4, 2005 1:49 AM PDT

W32/Rbot-AMR

Type Spyware Worm

W32/Rbot-AMR is an internet worm and backdoor Trojan for the Windows platform.
W32/Rbot-AMR spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares.
W32/Rbot-AMR runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32rbotamr.html

Troj/Singu-U
by roddy32 / September 4, 2005 1:52 AM PDT
Troj/Multidr-EH
by roddy32 / September 4, 2005 1:54 AM PDT
Troj/Yusufali-A
by roddy32 / September 4, 2005 2:04 AM PDT

Aliases Trojan.Win32.VB.zu

Type Trojan

Troj/Yusufali-A is a Trojan for the Windows platform.
Troj/Yusufali-A analyses the title of the window in focus looking for various words. Some of the words Troj/Yusufali-A searches for are:
sex
teen
xx
Phallus
jegger
Priapus
Phallic
*****
Exhibitionism
If Troj/Yusufali-A finds one of these words in the title bar it will minimise the current window and display the following message in English along with other messages in other languages.
YUSUFALI: Know, therefore, that there is no god but Allah, and ask forgiveness for thy fault, and for the men and women who believe: for Allah knows how ye move about and how ye dwell in your homes.
Troj/Yusufali-A will continue to display messages if the offending window is left open and after a while it displays a box in the middle of the screen containing the current time and a button 'For Exit Click Here'. As soon as the mouse is moved the box changes to have vertical bars and the text 'OH! NO i'm in the Cage'. The box contains LogOff, ShutDown and Restart buttons and the mouse pointer is locked within the confines of the box. All the buttons actually cause a logout. The keyboard is still usable.

http://www.sophos.com/virusinfo/analyses/trojyusufalia.html

W32/Sdranck-O
by roddy32 / September 4, 2005 2:06 AM PDT
W32/Rbot-LT
by roddy32 / September 4, 2005 3:25 AM PDT
Troj/Bckdr-CER
by roddy32 / September 4, 2005 3:27 AM PDT
Troj/TheMouse-A
by roddy32 / September 4, 2005 3:37 AM PDT

Aliases Backdoor.Win32.Agent.cx

Type Trojan

Troj/TheMouse-A is a backdoor Trojan which can be configured to accept connection on a predefined port. The Trojan will then listen for incoming connections and download and execute files as instructed by an intruder.

http://www.sophos.com/virusinfo/analyses/trojthemousea.html

W32/Forbot-AX
by roddy32 / September 4, 2005 3:39 AM PDT

Aliases
Backdoor.Win32.Agobot.vj
Exploit-MS04-011.gen
WORM_WOOTBOT.GEN

Type Spyware Worm

W32/Forbot-AX is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Forbot-AX attempts to terminate several processes related to security and anti-virus programs.
W32/Forbot-AX attempts to spread to network machines using various exploits including the LSASS vulnerability (see MS04-011).

http://www.sophos.com/virusinfo/analyses/w32forbotax.html

W32/Forbot-AW
by roddy32 / September 4, 2005 4:32 AM PDT

Aliases
Backdoor.Win32.Agobot.vj
Exploit-MS04-011.gen
WORM_WOOTBOT.GEN

Type Spyware Worm

W32/Forbot-AW is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Forbot-AW also attempts to copy the W32/Parite-B virus into memory so that it can infect files.
W32/Forbot-AW attempts to spread to network machines using various exploits including the LSASS vulnerability (see MS04-011).

http://www.sophos.com/virusinfo/analyses/w32forbotaw.html

W32/Sdbot-PW
by roddy32 / September 4, 2005 4:53 AM PDT
W32/Backterra-C
by roddy32 / September 4, 2005 4:56 AM PDT
Troj/Banker-DT
by roddy32 / September 4, 2005 5:00 AM PDT
W32/Rbot-LU
by roddy32 / September 4, 2005 5:05 AM PDT

Aliases
W32/Sdbot.worm.gen.j
Backdoor.Win32.Rbot.gen

Type Spyware Worm

W32/Rbot-LU is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-LU spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user. It may also use various exploits such as RPC-DCOM, Troj/Optix backdoor and W32/Bagle backdoor.

http://www.sophos.com/virusinfo/analyses/w32rbotlu.html

W32/Rbot-LV
by roddy32 / September 4, 2005 5:08 AM PDT

Aliases
Backdoor.Win32.Rbot.gen
W32/Sdbot.worm.gen.t

Type Spyware Worm

W32/Rbot-LV is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-LV spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user. The worm may also spread through IRC channels by using DCC.
W32/Rbot-LV may also log keypresses, steal Windows passwords, participate in DDOS attacks and steal keys for certain software products.

http://www.sophos.com/virusinfo/analyses/w32rbotlv.html

W32/Tilebot-B
by roddy32 / September 4, 2005 5:58 AM PDT

Aliases WORM_SDBOT.BVR

Type Spyware Worm

W32/Tilebot-B is a worm that attempts to spread to remote network shares. It also contains backdoor functionality, allowing unauthorized remote access to the infected computer via IRC channels.
W32/Tilebot-B spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Tilebot-B allows a remote user to perform a wide range of actions on the infected computer including downloading further files, setting registry entries and stealing information from the computer including from protected storage areas.
W32/Tilebot-B attempts to interfere with and disable certain security related processes.

http://www.sophos.com/virusinfo/analyses/w32tilebotb.html

Troj/Clicker-DF
by roddy32 / September 4, 2005 6:00 AM PDT
Troj/Emcarn-A
by roddy32 / September 4, 2005 6:02 AM PDT
W32/Rbot-AJR
by roddy32 / September 4, 2005 6:06 AM PDT

Aliases
Backdoor.Win32.Rbot.sa
WORM_GAOBOT.BM

Type Spyware Worm

W32/Rbot-AJR is a worm and backdoor for the Windows platform.
W32/Rbot-AJR spreads to other network computers infected with worms from the W32/MyDoom and W32/Bagle families, by exploiting common buffer overflow vulnerabilities, including LSASS, RPC-DCOM and WebDav and by copying itself to network shares protected by weak passwords.
W32/Rbot-AJR includes functionality to:
carry out DDoS flooder attacks
silently download, install and run new software
access the internet and communicate with a remote server via HTTP
act as a SOCKS4 proxy
disable other software, including anti-virus, firewall and security related applications
When W32/Rbot-AJR is installed it creates the file <Windows system folder>\svkp.sys.
The file SVKP.sys is registered as a new system driver service named "SVKP", with a display name of "SVKP" and a startup type of automatic, so that it is started automatically during system startup.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AJR can be obtained from the Microsoft website:

http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

http://www.sophos.com/virusinfo/analyses/w32rbotajr.html
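The persistence mechanism described in the post above (a kernel driver service named SVKP, started automatically from <Windows system folder>\svkp.sys) can be checked for offline from a registry export of the Services key. The Python script below is an added example and is not part of roddy32's post or of the Sophos analysis: it parses a dump in the layout produced by `reg export HKLM\SYSTEM\CurrentControlSet\Services`, flags the SVKP / svkp.sys indicator, and additionally applies a generic heuristic (auto-start kernel drivers whose ImagePath is not under System32\drivers) that is my own assumption rather than anything Sophos states. The registry excerpt is constructed, not taken from a real machine, and stores ImagePath as a plain string where a real export would use a hex(2) REG_EXPAND_SZ value.

```python
r"""Offline check of HKLM\SYSTEM\CurrentControlSet\Services for the driver-service
persistence described for W32/Rbot-AJR. Added example, not from the post or from
Sophos; the registry excerpt below is constructed."""
import re

# Constructed excerpt in "reg export" layout. A real export stores ImagePath as
# REG_EXPAND_SZ (hex(2):...); plain strings are used here to keep the parser short.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="System32\drivers\beep.sys"
"DisplayName"="Beep"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"="\??\C:\WINDOWS\system32\svkp.sys"
"DisplayName"="SVKP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\WINDOWS\system32\spoolsv.exe"
"DisplayName"="Print Spooler"
"""

SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\]\\]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

SERVICE_KERNEL_DRIVER = 0x01  # "Type" value for a kernel-mode driver
SERVICE_AUTO_START = 0x02     # "Start" value for startup type "automatic"


def parse_services(export_text: str) -> dict:
    """Map service name -> {value name: int or str} for each Services subkey."""
    services, current = {}, None
    for line in export_text.splitlines():
        key = SERVICE_KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group(1), {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, dword, string = val.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return services


def image_file(image_path: str) -> str:
    r"""Final path component of an ImagePath, ignoring NT prefixes such as \??\."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_suspicious_drivers(services: dict) -> list:
    """Return (service name, reasons) for services matching the Rbot-AJR
    indicator or the generic auto-start-driver heuristic."""
    findings = []
    for name, vals in services.items():
        path = str(vals.get("ImagePath", ""))
        reasons = []
        if name.lower() == "svkp" or image_file(path) == "svkp.sys":
            reasons.append("matches W32/Rbot-AJR indicator (SVKP / svkp.sys)")
        # Heuristic (my assumption): legitimate kernel drivers are normally
        # installed under System32\drivers, not directly in the system folder.
        if (vals.get("Type") == SERVICE_KERNEL_DRIVER
                and vals.get("Start") == SERVICE_AUTO_START
                and "\\drivers\\" not in path.lower()):
            reasons.append("auto-start kernel driver outside System32\\drivers (heuristic)")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in flag_suspicious_drivers(parse_services(SAMPLE_REG_EXPORT)):
        print(name, "->", "; ".join(reasons))
```

Against the constructed excerpt only the SVKP entry is reported, on both grounds; the Beep driver is a system-start driver under System32\drivers and the Print Spooler is a Win32 service, not a driver. Treat the heuristic as a triage aid: a match tells you where to look, and the driver file itself still needs to be pulled and checked.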

Dial/Eocha-A
by roddy32 / September 4, 2005 6:21 AM PDT

Aliases
Trojan.Win32.Dialer.jw
TROJ_SMALL.APA
Dialer-496

Type Trojan

Dial/Eocha-A is a dialer application for accessing pornographic material.
When first run Dial/Eocha-A copies itself to the Desktop and User folders.
Dial/Eocha-A changes the Start Page and security settings for Microsoft Internet Explorer.

http://www.sophos.com/virusinfo/analyses/dialeochaa.html

W32/Bobax-P
by roddy32 / September 4, 2005 6:23 AM PDT

Aliases
Net-Worm.Win32.Bobic.d
W32.Bobax.worm.gen

Type Virus

W32/Bobax-P is a virus and backdoor for the Windows platform.
W32/Bobax-P communicates with a remote server which will instruct it to perform specific actions.

http://www.sophos.com/virusinfo/analyses/w32bobaxp.html

W32/Bobax-Q
by roddy32 / September 4, 2005 6:25 AM PDT

Aliases
Net-Worm.Win32.Bobic.d
W32.Bobax.worm.gen

Type Virus

W32/Bobax-Q is a virus and backdoor for the Windows platform.
W32/Bobax-Q communicates with a remote server which will instruct it to perform specific actions.

http://www.sophos.com/virusinfo/analyses/w32bobaxq.html

Troj/SpyDldr-B
by roddy32 / September 4, 2005 6:28 AM PDT

Aliases Trojan-Downloader.Win32.Agent.bq

Type Trojan

Troj/SpyDldr-B is an advertising Trojan with downloading functionality.
Troj/SpyDldr-B periodically displays the following messages:
WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.
Do you want to learn how to protect your computer?
Your computer might be at risk
Your virus protection status is bad
Spyware Activity Detected
Click this balloon to fix this problem
Clicking on the messages opens a browser window on a page advertising anti-spyware software.
The Trojan attempts to download and run further Trojan files.

http://www.sophos.com/virusinfo/analyses/trojspydldrb.html

W32/Mytob-KC
by roddy32 / September 4, 2005 6:31 AM PDT

Aliases
WORM_MYTOB.IX
W32.Mytob.AG@mm

Type Spyware Worm

W32/Mytob-KC is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-KC is capable of spreading through email and through various operating system vulnerabilities such as LSASS. Email sent by W32/Mytob-KC has the following properties:
Subject line:
document
Good day
Hello
Mail Delivery System
Mail Transaction Failed
message
readme
Server Report
Status
Message text:
'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'The original message was included as an attachment.'
'Here are your banks documents.'
The attached file consists of a base name followed by the extensions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP.
A patch for the vulnerability exploited by W32/Mytob-KC is available from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Sophos's anti-virus products include Genotype detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-KC (detected as W32/Mytob-Fam) since version 3.94.

http://www.sophos.com/virusinfo/analyses/w32mytobkc.html
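The mail characteristics listed in the post above (fixed subject lines, fixed body fragments, and an attachment whose name ends in PIF, SCR, EXE or ZIP, optionally behind a DOC, TXT or HTM decoy extension) lend themselves to a simple gateway heuristic. The Python script below is an added example and is not part of roddy32's post or of the Sophos analysis: it parses an RFC 5322 message with the standard library, checks each of the three traits, and flags the message only when an attachment match coincides with at least one other signal. The two sample messages are constructed here, and the verdict rule is my own assumption, not anything Sophos publishes.

```python
r"""Gateway heuristic for the W32/Mytob-KC mail characteristics quoted above.
Added example, not from the post or from Sophos; sample messages are constructed."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines quoted in the description (compared case-insensitively).
MYTOB_SUBJECTS = {
    "document", "good day", "hello", "mail delivery system",
    "mail transaction failed", "message", "readme", "server report", "status",
}

# Body fragments quoted in the description.
MYTOB_BODY_FRAGMENTS = (
    "this is a multi-part message in mime format.",
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the original message was included as an attachment.",
    "here are your banks documents.",
)

# Attachment name: base name, optional decoy extension (DOC/TXT/HTM),
# then the final extension PIF/SCR/EXE/ZIP.
ATTACH_RE = re.compile(r"^[^.\\/]+(?:\.(doc|txt|htm))?\.(pif|scr|exe|zip)$", re.IGNORECASE)


def score_message(raw: bytes) -> dict:
    """Return the signals found in one RFC 5322 message and a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in MYTOB_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(frag in text for frag in MYTOB_BODY_FRAGMENTS):
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        m = ATTACH_RE.match(name)
        if m:
            hits.append("attachment:" + name)
            if m.group(1):  # decoy extension present, e.g. readme.doc.pif
                hits.append("double_extension")
    attachment_hit = any(h.startswith("attachment:") for h in hits)
    # Verdict rule (my assumption, not Sophos's): an attachment match plus any
    # other signal. A lone ZIP attachment on an ordinary subject is not enough.
    suspicious = attachment_hit and len(hits) >= 2
    return {"hits": hits, "suspicious": suspicious}


def build_sample(subject: str, text: str, attach_name: str) -> bytes:
    """Construct a test message (addresses and content are made up)."""
    m = EmailMessage()
    m["From"] = "postmaster@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(text)
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


# Constructed samples: one shaped like the worm's mail, one ordinary message.
SAMPLE_MYTOB = build_sample("Mail Transaction Failed",
                            "Mail transaction failed. Partial message is available.",
                            "readme.doc.pif")
SAMPLE_CLEAN = build_sample("Q3 numbers",
                            "Attached is the spreadsheet we discussed.",
                            "q3-figures.xlsx")

if __name__ == "__main__":
    for label, raw in (("mytob", SAMPLE_MYTOB), ("clean", SAMPLE_CLEAN)):
        print(label, score_message(raw))
```

The constructed worm-style message trips all four signals (subject, body, attachment name, double extension) and is flagged; the ordinary message trips none. Because every signal here is a literal taken from one variant's description, this kind of rule is brittle against the next variant; it is a stop-gap for a mail gateway, not a substitute for the LSASS patch (MS04-011) the post points to.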
