Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - September 6, 2004

W32/Rbot-IH

Aliases Backdoor.Rbot.gen

Type Worm

W32/Rbot-IH is a worm which attempts to spread to remote network shares and also contains backdoor Trojan functionality allowing unauthorised remote access to the infected computer.

http://www.sophos.com/virusinfo/analyses/w32rbotih.html

W32/Mydoom-T

In reply to: VIRUS ALERTS - September 6, 2004

W32/Rbot-ID

In reply to: VIRUS ALERTS - September 6, 2004

Aliases Backdoor.Win32.Rbot.bc

Type Worm

W32/Rbot-ID is an IRC backdoor Trojan and network worm which propagates by copying itself to the shared folders of network drives and sets registry entries to ensure that it is executed automatically upon restart.
W32/Rbot-ID will also attempt to establish a connection to a remote server to allow an intruder access to the compromised computer.

http://www.sophos.com/virusinfo/analyses/w32rbotid.html

Troj/Bancos-U

In reply to: VIRUS ALERTS - September 6, 2004

Aliases TrojanSpy.Win32.Bancos.ar
TROJ_BANCOS.BR

Type Trojan

Troj/Bancos-U is a password stealing Trojan.
The Trojan runs Internet Explorer and opens the web site www.google.com.br
Troj/Bancos-U monitors which URLs are typed into the browser and creates fake web pages for certain Brazilian banking sites in order to steal account information.

http://www.sophos.com/virusinfo/analyses/trojbancosu.html

Troj/Genserv-B

In reply to: VIRUS ALERTS - September 6, 2004

Troj/AdClick-L

In reply to: VIRUS ALERTS - September 6, 2004

W32/Sdbot-OJ

In reply to: VIRUS ALERTS - September 6, 2004

Aliases Backdoor.SdBot.gen

Type Worm

W32/Sdbot-OJ is an IRC backdoor Trojan and network worm which can propagate by copying itself into the shared folders of network drives. This worm can also set registry entries to ensure that it is executed automatically upon restart.
W32/Sdbot-OJ can establish a connection to a remote server to allow an intruder access to the compromised computer.

http://www.sophos.com/virusinfo/analyses/w32sdbotoj.html

Troj/Banito-L

In reply to: VIRUS ALERTS - September 6, 2004

Troj/NetAngle-A

In reply to: VIRUS ALERTS - September 6, 2004

Troj/FC-F

In reply to: VIRUS ALERTS - September 6, 2004

W32/Britney-B

In reply to: VIRUS ALERTS - September 6, 2004

Troj/Dloader-BX

In reply to: VIRUS ALERTS - September 6, 2004

Troj/Intrust-A

In reply to: VIRUS ALERTS - September 6, 2004

Aliases Win32.HLLC.Delfer.d
W95/HLLW.Delfer.B
W32.Delfer

Type Trojan

Troj/Intrust-A is a Trojan for the Windows platform.
When executed the Trojan copies itself to the Windows folder as wvm32.exe and edits a registry entry in order to run before any other exe file.
Troj/Intrust-A will slowly replace all executables on the infected system with itself.
Troj/Intrust-A drops a text file and a jpg to the Windows folder.

http://www.sophos.com/virusinfo/analyses/trojintrusta.html

Troj/LdPinch-R

In reply to: VIRUS ALERTS - September 6, 2004

Aliases Trojan.PSW.LdPinch.dy

Type Trojan

Troj/LdPinch-R sends passwords and confidential information to a remote location and provides backdoor access to the computer.
When first run the Trojan moves itself to the Windows folder and creates a registry entry to run itself on startup.
The Trojan periodically attempts to send confidential information to a remote location and provides backdoor access to the infected computer.

http://www.sophos.com/virusinfo/analyses/trojldpinchr.html

W32/Svoy-B

In reply to: VIRUS ALERTS - September 6, 2004

Aliases I-Worm.Svoy.b

Type Worm

W32/Svoy-B is an email worm for the Windows platform.
When executed, the worm will copy itself to the Windows system folder with several names and create a registry entry in order to run automatically when Windows starts up.
W32/Svoy-B will send itself by email to addresses harvested from the infected computer.

http://www.sophos.com/virusinfo/analyses/w32svoyb.html

Troj/CoreFlo-E

In reply to: VIRUS ALERTS - September 6, 2004

Aliases Backdoor.Afcore.ai
CoreFlood.dll
Backdoor.Coreflood

Type Trojan

Troj/CoreFlo-E is a helper DLL used by backdoor Trojans.
Troj/CoreFlo-E provides a Trojan executable with the ability to:
* Install and uninstall the DLL
* Connect to the internet
* Find, create and delete files
* Find, create and terminate processes
* Record keystrokes

http://www.sophos.com/virusinfo/analyses/trojcorefloe.html

Troj/Dloader-BV

In reply to: VIRUS ALERTS - September 6, 2004

Aliases TrojanDownloader.Win32.Small.ps

Type Trojan

Troj/Dloader-BV is a Trojan downloader for the Windows platform.
When executed, the Trojan attempts to download files from a remote website. These files would then be executed and later deleted.
The domains containing the files were not accessible when tested.

http://www.sophos.com/virusinfo/analyses/trojdloaderbv.html

Troj/Bdoor-RX

In reply to: VIRUS ALERTS - September 6, 2004

Aliases Backdoor.Delf.oj

Type Trojan

Troj/Bdoor-RX is a backdoor Trojan for the Windows platform.
Troj/Bdoor-RX allows a malicious user remote access to an infected computer. The Trojan contains an SMTP engine for sending mass emails and Windows MCI features to eject the local CD-Tray.


http://www.sophos.com/virusinfo/analyses/trojbdoorrx.html

W32/Rbot-CZ

In reply to: VIRUS ALERTS - September 6, 2004

Aliases W32/Sdbot.worm.gen.h

Type Worm


W32/Rbot-CZ is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-CZ spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-CZ copies itself to the Windows system folder as WINSYS32.EXE and creates entries at the following locations in the registry so as to run itself on system startup, trying to reset them every minute:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Rbot-CZ sets the following registry entries, trying to reset them every 2 minutes.
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-CZ tries to delete the C$, D$, E$, IPC$ and ADMIN$ network shares on the host computer every 2 minutes.
W32/Rbot-CZ attempts to terminate certain processes related to anti-virus and security programs including REGEDIT.EXE, MSCONFIG.EXE and NETSTAT.EXE.

http://www.sophos.com/virusinfo/analyses/w32rbotcz.html

Troj/StartPa-BR

In reply to: VIRUS ALERTS - September 6, 2004

Troj/Mdrop-B

In reply to: VIRUS ALERTS - September 6, 2004

Type Trojan

Troj/Mdrop-B drops the following files:
<Windows>\exploror.exe - detected by Sophos Anti-Virus as Troj/Dloader-AI
<System>\exploror.exe - detected by Sophos Anti-Virus as Troj/Delf-ON
<System>\exploror.dll - detected by Sophos Anti-Virus as Troj/Delf-ON
<System>\findriv.dll - detected by Sophos Anti-Virus as Troj/Delf-ON
Please see the descriptions of the respective Trojans for more details.

http://www.sophos.com/virusinfo/analyses/trojmdropb.html

W32/Bagle-Src

In reply to: VIRUS ALERTS - September 6, 2004

Troj/Dropper-B

In reply to: VIRUS ALERTS - September 6, 2004

Type Trojan

Troj/Dropper-B is a Trojan dropper.
In order to run automatically when Windows starts up the Trojan copies itself to the file msvcrtid.exe in the Windows system folder and creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tiny Firewall = C:\Windows\System32\msvcrtid.exe
Troj/Dropper-B drops a file named locallpr.exe in the Windows system folder and runs it - locallpr is identified as Troj/Agent-H.

http://www.sophos.com/virusinfo/analyses/trojdropperb.html

Troj/Agent-H

In reply to: VIRUS ALERTS - September 6, 2004

Type Trojan

Aliases Proxy-Agent.A

Troj/Agent-H is a Trojan dropper with an IRC backdoor.
The Trojan drops the following files to the Windows system folder:
msdtcvs.exe : socket proxy server
msievc.exe : http proxy server
msvdtc.exe : socket proxy server with encryption
mssvcv.exe : multipurpose Denial-of-Service tool
msievc.exe is detected by SAV as Troj/Delf-EA. The other three are all detected as Troj/Agent-H. All except mssvcv.exe are executed after being created.
Troj/Agent-H connects to an IRC server and joins a preconfigured channel in which it can be controlled by a remote attacker.

http://www.sophos.com/virusinfo/analyses/trojagenth.html

W32/Rbot-DA

In reply to: VIRUS ALERTS - September 6, 2004

Type Worm

Aliases Sdbot
Spybot.

W32/Rbot-DA is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-DA spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-DA moves itself to the Windows system folder as TSKMGRHLP.EXE and creates entries in the registry at the following locations to run on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Task Manager Help = tskmgrhlp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Task Manager Help = tskmgrhlp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Task Manager Help = tskmgrhlp.exe
W32/Rbot-DA may also change these registry entries to the following:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM = N
HKLM\SYSTEM\ControlSet001\Control\Lsa\
restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous = 1

http://www.sophos.com/virusinfo/analyses/w32rbotda.html

W32/Rbot-DB

In reply to: VIRUS ALERTS - September 6, 2004

Aliases W32/Sdbot.worm.gen.g
W32.Spybot.Worm
WORM_AGOBOT.NG

Type Worm

W32/Rbot-DB is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-DB copies itself to the Windows system folder as FIREWAL1.EXE and creates entries at the following locations in the registry so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Rbot-DB spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user, copying itself to FIREWAL1.DAT on the local computer at the same time.
W32/Rbot-DB may set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-DB may try to delete the C$, D$, E$, IPC$ and ADMIN$ network shares on the host computer.

http://www.sophos.com/virusinfo/analyses/w32rbotdb.html

W32/Sdbot-KD

In reply to: VIRUS ALERTS - September 6, 2004

Type Worm

Aliases Randex

W32/Sdbot-KD is a network worm with backdoor capabilities which allows a remote intruder to access and control the computer via IRC channels.
W32/Sdbot-KD spreads over a network by copying itself to the Windows system folder of C$ and Admin$ shares with weak passwords.
Each time the worm is run it tries to connect to a remote IRC server and join a specific channel. The worm then runs in the background as a server process listening for commands to execute.
When first run the worm copies itself to the Windows system folder as SPOOLSVC.EXE and creates the following registry entries so that the worm runs when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SPOOL Configuration = spoolsvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
SPOOL Configuration = spoolsvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
SPOOL Configuration = spoolsvc.exe
W32/Sdbot-KD may also collect the CD keys of popular games that are installed on the computer.

http://www.sophos.com/virusinfo/analyses/w32sdbotkd.html
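
An added triage example, not part of the original posts or of the Sophos analyses: it scans a text-format registry export for the autorun entries and the EnableDCOM change described in the Rbot-CZ, Dropper-B, Rbot-DA, Rbot-DB and Sdbot-KD alerts above. The names `scan_reg_export` and `SAMPLE_EXPORT` are hypothetical and the sample export is constructed; `restrictanonymous = 1` is left out because it is also a common legitimate hardening value.

```python
import re

# File names the alerts on this page give for the installed copies.
SUSPECT_FILES = {"winsys32.exe", "tskmgrhlp.exe", "firewal1.exe",
                 "spoolsvc.exe", "msvcrtid.exe"}
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")
OLE_KEY = "hkey_local_machine\\software\\microsoft\\ole"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'[^\\/"\s]+\.exe', re.IGNORECASE)

# Constructed sample in "reg export" text form (not taken from a real host).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Tiny Firewall"="C:\\Windows\\System32\\msvcrtid.exe"
"Spooler"="C:\\Windows\\System32\\spoolsv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SPOOL Configuration"="spoolsvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""


def scan_reg_export(text):
    """Return (key, value name, data, reason) for each match in an export."""
    findings, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # current registry key section
            continue
        m = VALUE_RE.match(line)
        if key is None or m is None:  # header, blank line, non-string value
            continue
        name = m.group(1)
        data = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        low = key.lower()
        exe = EXE_RE.search(data)
        if low.endswith(AUTORUN_SUFFIXES) and exe and exe.group().lower() in SUSPECT_FILES:
            findings.append((key, name, data, "autorun points at " + exe.group().lower()))
        elif low == OLE_KEY and name.lower() == "enabledcom" and data.upper() == "N":
            findings.append((key, name, data, "DCOM disabled"))
    return findings


if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_EXPORT):
        print(finding)
```

The legitimate `spoolsv.exe` entry in the sample is not reported; only the `spoolsvc.exe` name given in the W32/Sdbot-KD alert is. A file-name match is a lead for further checking, not a verdict.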

Troj/Afcore-AJ

In reply to: VIRUS ALERTS - September 6, 2004

Type Trojan

Aliases TrojanDropper.Win32.Small.is
CoreFlood.dr

Troj/Afcore-AJ is a backdoor Trojan which allows unauthorised access to the computer over a network.
The Trojan consists of two components, an installation exe and a dll which have names composed of random letters. The Trojan may also drop randomly named '.dat' files.
The installation exe drops the dll to the Windows Temp folder and then executes a function exported by the dll. Both files may be deleted when the machine next reboots.

http://www.sophos.com/virusinfo/analyses/trojafcoreaj.html

W32/Rbot-FL

In reply to: VIRUS ALERTS - September 6, 2004

Aliases Backdoor.Rbot.gen
Sdbot.worm.gen.x

Type Worm

W32/Rbot-FL is a network worm and backdoor Trojan for the Windows platform.
W32/Rbot-FL spreads to unpatched machines affected by the vulnerabilities detailed in Microsoft Advisories 01-059, 03-007, 03-026, and 04-011.

http://www.sophos.com/virusinfo/analyses/w32rbotfl.html

W32/Sdbot-OL

In reply to: VIRUS ALERTS - September 6, 2004

Troj/WinREG-B

In reply to: VIRUS ALERTS - September 6, 2004
