August 2005
Select the links for detailed information and removal tools for the latest viruses.
Threat               Date      Category
W32.Mailbancos       8/31/05   2
Trojan.Exphook       8/30/05   2
W32.Bobax.AH         8/29/05   2
W32.Mytob.JH         8/29/05   2
W32.Reatle.I         8/25/05   2
W32.Mytob.JF         8/25/05   2
W32.Zotob.L          8/25/05   2
W32.Zotob.K          8/24/05   2
W32.Kelvir.HI        8/20/05   2
W32.Zotob.J          8/20/05   2
W32.Ruland.A         8/23/05   2
W32.Guapim           8/23/05   2
W32.Esbot.C          8/22/05   2
W32.Gaobot.DXO       8/22/05   2
W32.Spybot.UOL       8/22/05   2
W32.Zotob.I          8/20/05   2
W32.Zotob.H          8/17/05   2
W32.Zotob.G          8/17/05   2
W32.Esbot.B          8/17/05   3
W32.Zotob.E          8/16/05   3
W32.Zotob.F          8/16/05   2
W32.Randex.EUS       8/16/05   2
W32.Zotob.D          8/16/05   2
W32.Esbot.A          8/15/05   3
W32.Zotob.B          8/14/05   2
W32.Zotob.A          8/14/05   2
W32.Spybot.UBH       8/14/05   2
W32.Beagle.CE        8/11/05   2
Trojan.Tooso.L       8/11/05   2
W32.Beagle.CD        8/10/05   2
W32.Qdens.E          8/09/05   2
W32.Beagle.CC        8/08/05   2
Trojan.Tooso.K       8/08/05   2
W32.Chod.D           8/04/05   2
W32.Beagle.BY        8/04/05   2
W32.Bratle.B         8/02/05   2
W32.Reatle.E         8/02/05   2
W32.Mydoom.CH        8/02/05   2
W32.Mytob.HL         8/02/05   2
W32.Reatle.D         8/01/05   2
W32.Reatle.D@mm
Discovered: August 1, 2005
Systems Affected: All Windows32 Systems
W32.Reatle.D@mm is a mass-mailing worm that opens a back door and attempts to spread by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Uses its own SMTP engine to send itself as an email.
Compromises security settings: Blocks access to several security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP ports 3351 and 8190
Read the full Symantec report here
W32.Mytob.HL@mm
Discovered: August 2, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.HL@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm also spreads through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger: n/a
Payload: Allows unauthorized remote access.
Large scale e-mailing: Uses its own SMTP engine to send emails.
Distribution
Subject of email: Varies
Name of attachment: Varies, with a .zip file attachment.
Ports: TCP port 6667
Target of infection: Targets systems which can be exploited by the Microsoft Windows LSASS vulnerability.
Read the full Symantec report here
W32.Mydoom.CH@mm
Discovered: August 2, 2005
Systems Affected: All Windows32 Systems
W32.Mydoom.CH@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.
Payload Trigger: n/a
Payload: Opens a back door and allows unauthorized remote access.
Large scale e-mailing: Uses its own SMTP engine to send emails.
Compromises security settings: Lowers security settings by terminating security-related processes and blocking access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP port 6667
Read the full Symantec report here
W32.Reatle.E@mm
Discovered: August 2, 2005
Systems Affected: All Windows32 Systems
W32.Reatle.E@mm is a mass-mailing worm that opens a back door and attempts to spread by exploiting the DCOM RPC Vulnerability (Microsoft Security Bulletin MS03-026) on TCP port 135.
Payload Trigger: n/a
Payload: Opens a back door that allows a remote attacker to have unauthorized access to the compromised computer.
Large scale e-mailing: Sends emails to addresses gathered from the compromised computer.
Compromises security settings: Disables system tools and blocks access to security-related Web sites.
Distribution
Subject of email: Re_
Name of attachment: Varies
Ports: TCP ports 1155, 2005, 135, 1052
Read the full Symantec report here
W32.Bratle.B
Discovered: August 2, 2005
Systems Affected: All Windows32 Systems
W32.Bratle.B is a worm that attempts to spread by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS04-011). It also opens an FTP server on the compromised computer.
Payload Trigger: n/a
Payload: Opens a back door that allows unauthorized remote access to the compromised computer.
Degrades performance: Propagation may impact overall system performance.
Distribution
Ports: TCP port 4123
Read the full Symantec report here
W32.Beagle.BY@mm
Discovered: August 4, 2005
Systems Affected: All Windows32 Systems
W32.Beagle.BY@mm is a mass-mailing worm that uses its own SMTP engine to email copies of itself to addresses gathered from the compromised computer. The worm also opens a back door on TCP Port 9030 on the compromised computer.
Payload Trigger: n/a
Payload: Downloads and executes remote files.
Large scale e-mailing: Uses its own SMTP engine to email copies of itself to addresses gathered on the compromised computer.
Compromises security settings: Attempts to end processes, some of which are security related.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP Port 9030
Read the full Symantec report here
W32.Chod.D
Discovered: August 4, 2005
Systems Affected: All Windows32 Systems
W32.Chod.D is a worm with back door capabilities that spreads via MSN Messenger. The worm also lowers security settings and blocks access to several Web sites.
Payload Trigger: n/a
Payload: Opens a back door that allows a remote attacker to have unauthorized access to the compromised computer.
Compromises security settings: Lowers security settings by terminating security-related processes and blocking access to security-related Web sites.
Distribution
Target of infection: MSN Messenger
Read the full Symantec report here
Trojan.Tooso.K
Discovered: August 8, 2005
Systems Affected: All Windows32 Systems
Trojan.Tooso.K is a Trojan horse that lowers security settings by ending processes, stopping services, removing registry entries, and deleting files.
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: n/a
Deletes files: Attempts to delete security-related files.
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Disables security-related processes and services.
Read the full Symantec report here
W32.Beagle.CC@mm
Discovered: August 8, 2005
Systems Affected: All Windows32 Systems
W32.Beagle.CC@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of Trojan.Tooso.K. The worm also opens a back door on the compromised computer on TCP port 80.
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Uses its own SMTP engine to email another piece of malware (Trojan.Tooso.K).
Distribution
Subject of email: The subject is blank.
Name of attachment: Varies
Ports: TCP Port 80
Read the full Symantec report here
W32.Qdens.E
Discovered: August 9, 2005
Systems Affected: All Windows32 Systems
W32.Qdens.E is a worm that lowers security settings and spreads through the instant messenger programs QQ Messenger and Tencent Messenger.
Payload Trigger: n/a
Payload: Sends a copy of itself through QQ Messenger and Tencent Messenger.
Compromises security settings: Ends security-related processes.
Read the full Symantec report here
W32.Beagle.CD@mm
Discovered: August 10, 2005
Systems Affected: All Windows32 Systems
W32.Beagle.CD@mm is a mass-mailing worm that opens a back door on the compromised computer on TCP port 80.
Payload Trigger: n/a
Payload: Opens a back door.
Distribution
Subject of email: The subject of the email is blank.
Name of attachment: Varies
Ports: TCP Port 80.
Read the full Symantec report here
Trojan.Tooso.L
Discovered: August 11, 2005
Systems Affected: All Windows32 Systems
Trojan.Tooso.L is a Trojan horse that interferes with the operation of security software by ending processes, stopping services, removing registry entries, and deleting files.
Payload Trigger: n/a
Payload: Attempts to download files from URLs.
Deletes files: Attempts to delete all instances of files, some of which are security-related.
Degrades performance: Downloading remote files may impact computer performance.
Causes system instability: Attempts to find the explorer.exe process and injects malware code into it.
Compromises security settings: Disables security-related processes and services.
Read the full Symantec report here
W32.Beagle.CE@mm
Discovered: August 11, 2005
Systems Affected: All Windows32 Systems
W32.Beagle.CE@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of Trojan.Tooso.L. The worm also opens a back door on the compromised computer on TCP port 80.
Payload Trigger: n/a
Payload: Opens a back door, downloads remote files, and may act as a covert proxy.
Large scale e-mailing: Sends a copy of Trojan.Tooso.L.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP port 80.
Read the full Symantec report here
W32.Spybot.UBH
Discovered: August 14, 2005
Systems Affected: All Windows32 Systems
W32.Spybot.UBH is a worm that has distributed denial of service and back door capabilities. The worm spreads by using the vulnerability in Microsoft Windows Plug and Play Service (as described in Microsoft Security Bulletin MS05-039).
Payload Trigger: n/a
Payload: Allows unauthorized remote access.
Distribution
Ports: TCP port 5232.
Target of infection: Targets systems which can be exploited by a PnP vulnerability (MS05-039).
Read the full Symantec report here
W32.Zotob.A
Discovered: August 14, 2005
Systems Affected: All Windows32 Systems
W32.Zotob.A is a worm that spreads using the vulnerability in Microsoft Windows Plug and Play Service (as described in Microsoft Security Bulletin MS05-039).
Payload Trigger: n/a
Payload: Allows unauthorized remote access.
Distribution
Ports: TCP ports 445, 8080, and 33333.
Target of infection: Targets systems which can be exploited by a PnP vulnerability (MS05-039).
Read the full Symantec report here
W32.Zotob.B
Discovered: August 14, 2005
Systems Affected: All Windows32 Systems
W32.Zotob.B is a worm that spreads using the vulnerability in Microsoft Windows Plug and Play Service (as described in Microsoft Security Bulletin MS05-039).
Payload Trigger: n/a
Payload: Allows unauthorized remote access.
Distribution
Ports: TCP ports 445, 8080, and 33333.
Target of infection: Targets systems which can be exploited by a PnP vulnerability (MS05-039).
Read the full Symantec report here
W32.Esbot.A
Discovered: August 15, 2005
Systems Affected: All Windows32 Systems
W32.Esbot.A is a worm that spreads by exploiting the Microsoft Windows Plug and Play Service Vulnerability, as described in Microsoft Security Bulletin MS05-039.
Payload Trigger: n/a
Payload: Opens a back door that allows a remote attacker to have unauthorized access to the compromised computer.
Causes system instability: Stopping or disabling the Mouse Button Monitor service results in system instability.
Distribution
Ports: TCP port 30722
Target of infection: Targets computers that can be exploited by the Microsoft Windows Plug and Play Service Vulnerability (MS05-039)
Read the full Symantec report here
W32.Zotob.D
Discovered: August 16, 2005
Systems Affected: All Windows32 Systems
W32.Zotob.D is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) on TCP port 445.
Payload Trigger: n/a
Payload: Opens a back door.
Deletes files: Deletes files, some of which may be security-related.
Compromises security settings: Ends processes, some of which may be security-related.
Distribution
Ports: TCP ports 6667, 1117, and 445.
Read the full Symantec report here
Download the Removal Tool here
W32.Randex.EUS
Discovered: August 16, 2005
Systems Affected: All Windows32 Systems
W32.Randex.EUS is a network-aware worm that spreads to network shares protected by weak passwords. The worm also opens a back door on the compromised computer and may be remotely controlled through IRC channels.
Payload Trigger: n/a
Payload: Installs an IRC back door on the compromised computer.
Degrades performance: May allow the compromised computer to be used as a traffic relay or proxy, which may impact network bandwidth.
Causes system instability: May perform ping, SYN, or UDP denial of service attacks, which may impact system stability.
Releases confidential info: May collect CD keys from computer games and send them to the attacker via the IRC channel.
Compromises security settings: May stop processes as commanded by the remote attacker.
Distribution
Ports: TCP Port 4095
Read the full Symantec report here
W32.Zotob.F
Discovered: August 16, 2005
Systems Affected: Windows 2000
W32.Zotob.F is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) on TCP port 445.
W32.Zotob.F can run on, but not infect, computers running Windows 95/98/Me/NT4/XP. Although computers running these operating systems cannot be infected, they can still be used to infect vulnerable computers that they can connect to.
Payload Trigger: n/a
Payload: Attempts to open a back door.
Degrades performance: Attempts to detect network connections and a routable IP address.
Distribution
Ports: TCP port 445
Target of infection: Targets systems which can be exploited by the Microsoft Windows Plug and Play Service Vulnerability (MS05-039).
Read the full Symantec report here
W32.Zotob.E
Discovered: August 16, 2005
Systems Affected: Windows 2000
W32.Zotob.E is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) on TCP port 445.
W32.Zotob.E can run on, but not infect, computers running Windows 95/98/Me/NT4/XP. Although computers running these operating systems cannot be infected, they can still be used to infect vulnerable computers that they can connect to.
Payload Trigger: n/a
Payload: Attempts to open a back door.
Degrades performance: Attempts to detect network connections and a routable IP address.
Distribution
Ports: TCP ports 8594, 8080, and 445; UDP port 69
Target of infection: Targets computers that can be exploited by the Microsoft Windows Plug and Play Service Vulnerability (MS05-039).
Read the full Symantec report here
Download the Removal Tool here
W32.Esbot.B
Discovered: August 17, 2005
Systems Affected: Windows 2000
W32.Esbot.B is a worm that spreads by exploiting the Microsoft Windows Plug and Play Service Vulnerability, as described in Microsoft Security Bulletin MS05-039.
Payload Trigger: n/a
Payload: Opens a back door that allows a remote attacker to have unauthorized access to the compromised computer.
Distribution
Ports: TCP port 18067
Target of infection: Targets computers that can be exploited by the Microsoft Windows Plug and Play Service Vulnerability (MS05-039)
Read the full Symantec report here
W32.Zotob.G
Discovered: August 17, 2005
Systems Affected: Windows 2000
W32.Zotob.G is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) on TCP port 445.
Payload Trigger: n/a
Payload: Opens a back door.
Deletes files: Deletes files and registry entries.
Distribution
Ports: TCP port 445.
Read the full Symantec report here
Download the Removal Tool here
W32.Zotob.H
Discovered: August 17, 2005
Systems Affected: Windows 2000
W32.Zotob.H is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) on TCP port 445.
Payload Trigger: n/a
Payload: Opens a back door.
Degrades performance: Attempts to detect network connections and a routable IP address.
Distribution
Ports: TCP ports 445, 8563, and 6667; UDP port 69
Target of infection: Targets systems which can be exploited by the Microsoft Windows Plug and Play Service Vulnerability (MS05-039).
Read the full Symantec report here
W32.Zotob.I
Discovered: August 20, 2005
Systems Affected: Windows 2000
W32.Zotob.I is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039) on TCP port 445.
Note: While computers running Windows 95/98/Me/NT4/XP operating systems cannot be infected remotely, it is possible they could be infected if W32.Zotob.I is executed locally (although this is an unlikely occurrence). Vulnerable Windows 2000 computers could then be infected by the compromised computer.
Payload Trigger: n/a
Payload: Opens a back door.
Degrades performance: Attempts to detect network connections and a routable IP address.
Distribution
Ports: TCP ports 445, 5544, and 19907.
Target of infection: Targets systems which can be exploited by the Microsoft Windows Plug and Play Service Vulnerability (MS05-039).
Read the full Symantec report here
Download the Removal Tool here
W32.Spybot.UOL
Discovered: August 22, 2005
Systems Affected: All Windows32 Systems
W32.Spybot.UOL is a worm that has distributed denial of service and back door capabilities. The worm spreads by exploiting vulnerabilities, including the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
Payload Trigger: n/a
Payload: Opens a back door on the compromised computer.
Degrades performance: Performs denial of service attacks and downloads and executes remote files, which may degrade performance.
Distribution
Ports: TCP ports 6060, 139, and 445.
Read the full Symantec report here
W32.Gaobot.DXO
Discovered: August 22, 2005
Systems Affected: All Windows32 Systems
W32.Gaobot.DXO is a network-aware worm with back door capabilities that can be controlled through IRC channels and spreads to network shares protected by weak passwords. It also attempts to lower security settings by ending processes.
Payload Trigger: n/a
Payload: Opens a back door.
Compromises security settings: Ends security-related processes.
Distribution
Ports: TCP port 8066.
Read the full Symantec report here
W32.Esbot.C
Discovered: August 22, 2005
Systems Affected: Windows 2000
W32.Esbot.C is a worm that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039), allowing a remote attacker access to the compromised computer.
Note: While computers running Windows 95/98/Me/NT4/XP operating systems cannot be infected remotely, it is possible they could be infected if the threat is executed locally (although this is an unlikely occurrence). Vulnerable Windows 2000 computers could then be infected by the compromised computer.
Payload Trigger: n/a
Payload: Opens a back door that allows a remote attacker to have unauthorized access to the compromised computer.
Distribution
Ports: TCP port 18067
Target of infection: Targets computers that can be exploited by the Microsoft Windows Plug and Play Service Vulnerability (MS05-039)
Read the full Symantec report here
W32.Guapim
Discovered: August 23, 2005
Systems Affected: All Windows32 Systems
W32.Guapim is a worm that spreads through Instant Messenger programs and file-sharing networks. It attempts to lower security settings on the compromised computer and may download and execute a copy of W32.Spybot.Worm.
Payload Trigger: n/a
Payload: Downloads and executes a remote file.
Compromises security settings: Blocks access to security-related Web sites.
Read the full Symantec report here
W32.Ruland.A@mm
Discovered: August 23, 2005
Systems Affected: All Windows32 Systems
W32.Ruland.A@mm is a mass-mailing worm that spreads using Microsoft Outlook and downloads a Trojan horse.
Payload Trigger: n/a
Payload: Downloads files from the Internet.
Large scale e-mailing: Uses Microsoft Outlook to email embedded URL links to contacts in the user's address book.
Causes system instability: Mass-mailing of emails may cause system instability.
Releases confidential info: May release confidential banking passwords.
Distribution
Subject of email: Radio Terra!
Name of attachment: Sends a URL link embedded in the message body.
Ports: Possible use of TCP port 6667.
Read the full Symantec report here
W32.Zotob.J@mm
Discovered: August 23, 2005
Systems Affected: All Windows32 Systems
W32.Zotob.J@mm is a mass-mailing worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) on TCP port 445.
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Uses its own SMTP engine to send itself to the email addresses that it finds.
Degrades performance: Mass-mailing may degrade performance.
Compromises security settings: Blocks access to security-related Web sites and disables the Windows firewall.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP port 445.
Target of infection: Attempts to spread to systems vulnerable to a Windows Plug and Play exploit (MS05-039).
Read the full Symantec report here
W32.Kelvir.HI
Discovered: August 23, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.HI is a worm that drops a copy of W32.Spybot.Worm and spreads through MSN Messenger.
Payload Trigger: n/a
Payload: Downloads a copy of W32.Spybot.Worm.
Distribution
Target of infection: Spreads through MSN Messenger.
Read the full Symantec report here
W32.Zotob.K
Discovered: August 24, 2005
Systems Affected: Windows 2000
W32.Zotob.K is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039) on TCP port 445.
Note: While computers running Windows 95/98/Me/NT4/XP operating systems cannot be infected remotely, it is possible they could be infected if W32.Zotob.K is executed locally (although this is an unlikely occurrence). Vulnerable Windows 2000 computers could then be infected by the compromised computer.
Payload Trigger: n/a
Payload: Opens a back door.
Degrades performance: Attempts to detect network connections and a routable IP address.
Distribution
Ports: TCP ports 445, 8172, and 6664; UDP port 69
Target of infection: Targets computers that are vulnerable to the Microsoft Windows Plug and Play Service Vulnerability (MS05-039).
Read the full Symantec report here
W32.Zotob.L
Discovered: August 25, 2005
Systems Affected: All Windows32 Systems
W32.Zotob.L is a worm that opens a back door and exploits various vulnerabilities. The worm spreads by exploiting vulnerabilities, including the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
Payload Trigger: n/a
Payload: Opens a back door.
Distribution
Ports: TCP ports 445 and 8080
Read the full Symantec report here
W32.Mytob.JF@mm
Discovered: August 25, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.JF@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.
Payload Trigger: n/a
Payload: Opens a back door; downloads and executes remote files.
Large scale e-mailing: Creates a mass-mailing of itself.
Degrades performance: Creates a mass-mailing of itself, which may impact performance.
Compromises security settings: Lowers security settings by ending security-related processes and blocking access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP port 6673
Read the full Symantec report here
W32.Reatle.I@mm
Discovered: August 25, 2005
Systems Affected: All Windows32 Systems
W32.Reatle.I@mm is a mass-mailing worm that downloads remote files and lowers security settings. The worm spreads by exploiting vulnerabilities, and may attempt to download and execute a copy of W32.Spybot.Worm.
Payload Trigger: n/a
Payload: Downloads and executes remote files.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP ports 9955, 445, and 9958
Read the full Symantec report here
W32.Mytob.JH@mm
Discovered: August 29, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.JH@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.
Payload Trigger: n/a
Payload: Opens a back door and allows a remote attacker to download and execute remote files.
Large scale e-mailing: Sends a copy of itself to email addresses gathered from the compromised computer.
Compromises security settings: Blocks access to security-related Web sites and ends security-related processes.
Distribution
Subject of email: Varies.
Name of attachment: Varies.
Ports: TCP port 6673.
Read the full Symantec report here
W32.Bobax.AH@mm
Discovered: August 29, 2005
Systems Affected: All Windows32 Systems
W32.Bobax.AH@mm is a mass-mailing worm that attempts to use the compromised computer as a covert proxy. The worm spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039) and by sending a copy of itself to email addresses gathered.
Payload Trigger: n/a
Payload: Attempts to use the compromised computer as a covert proxy.
Large scale e-mailing: Sends a copy of itself to email addresses gathered from the compromised computer.
Modifies files: Modifies the hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies.
Name of attachment: Varies.
The email may have the following characteristics:
Subject: One of the following:
    Cool pics
    funny
    bush
    joke
    secret
Message: One of the following:
    Saddam Hussein - Attempted Escape, Shot dead
    Attached some pics that i found
    Osama Bin Laden Captured.
    Attached some pics that i found
    Testing
    Secret!
    Hey,
    Remember this?
    Hello,
    Long time! Check this out!
    Hey,
    I was going through my album, and look what I found..
    Hey,
    Check this out :-)
Followed by one of the following messages:
    ++ Attachment: No Virus found
    ++ Panda AntiVirus - You are protected
    ++ www.pandasoftware.com
    ++ Attachment: No Virus found
    ++ Norman AntiVirus - You are protected
    ++ www.norman.com
    ++ Attachment: No Virus found
    ++ F-Secure AntiVirus - You are protected
    ++ www.f-secure.com
    ++ Attachment: No Virus found
    ++ Norton AntiVirus - You are protected
    +++ www.symantec.com
Read the full Symantec report here
Trojan.Exphook
Discovered: August 30, 2005
Systems Affected: All Windows32 Systems
Trojan.Exphook is a password stealing Trojan horse that hooks Internet Explorer and searches local files in an attempt to collect passwords and other sensitive information from the compromised computer.
Payload Trigger: n/a
Payload: n/a
Releases confidential info: Attempts to collect passwords and other sensitive information from the compromised computer.
The Trojan attempts to collect passwords and other sensitive information from the compromised computer by hooking Internet Explorer and monitoring check boxes, radio buttons, text areas, and AutoComplete text fields, and by searching local files.
It saves the gathered information to the following file:
    %System%\temp1.log
It then displays a message box with the following properties:
    Title: Completed
    Message: Press Ok to exit
Once the Ok button is pressed, the Trojan checks for an Internet connection. If an Internet connection is present, the Trojan sends the gathered information to one of the following Web sites:
    [http://]sipper113.com/[Removed]/view.php
    [http://]sipper113.siteburg.com/[Removed]/view.php
    [http://]www.netadvisepro.com/[Removed]/view.php
    [http://]66.225.221.197/cgi-bin/[Removed]/dma.cgi
Read the full Symantec report here
W32.Mailbancos@mm
Discovered: August 31, 2005
Systems Affected: All Windows32 Systems
W32.Mailbancos@mm is a worm that downloads and executes a copy of PWSteal.Bancos and sends emails to addresses gathered from the compromised computer.
Payload Trigger: n/a
Payload: Downloads and executes a variant of PWSteal.Bancos.
Large scale e-mailing: Sends HTML emails with links that will download a copy of itself.
Releases confidential info: Sends the email address of the compromised computer to the attacker.
Distribution
Subject of email: Olá [SENDER], [RECIPIENT] deixou uma musica na Radio Terra! - [Concorra a 1 Fox Zero Kilometro - Musica Premiada Radio Terra!]
Read the full Symantec report here