Virus News   
October 2005

Select the links for detailed information and removal tools for the latest viruses

W32.Loxbot.B 10/31/05
W32.Mytob.LM 10/31/05
W32.Rontokbro.K 10/25/05
W32.Mydoom.FP 10/25/05
W32.Looksky.A 10/24/05
W32.Mocbot.A 10/23/05
W32.Botter.A 10/19/05
W32.Spybot.YXX 10/19/05
W32.Mytob.LE 10/17/05
W32.Loxbot.A 10/17/05
W32.Dabora.A 10/17/05
W32.Fanbot.A 10/17/05
W32.Mytob.LD 10/17/05
W32.Mytob.KU 10/16/05
W32.Mytob.KR 10/15/05
W32.Spybot.YQW 10/15/05
W32.Mytob.KP 10/14/05
W32.Rontokbro.D 10/12/05
W32.Mytob.KM 10/12/05
W32.Toxbot.AL 10/07/05
W32.Beagle.CL 10/07/05
W32.Mytob.KE 10/07/05
W32.Erkez.G 10/06/05
W32.Beagle.CK 10/06/05
W32.Mytob.KC 10/06/05
W32.Sober.Q 10/05/05
W32.Comdor.K 10/05/05
W32.Spybot.YCL 10/04/05
W32.Mytob.JW 10/03/05
W32.Rontokbro.B 10/02/05


W32.Rontokbro.B@mm
Discovered October 02, 2005
Systems Affected: All Windows32 Systems

W32.Rontokbro.B@mm is a mass-mailing worm that causes system instability.

Payload Trigger: n/a
Payload: May regularly restart the compromised computer.
Large scale e-mailing: Uses its own SMTP engine to send itself out.
Modifies files: Overwrites the C:\Autoexec.bat file.
Causes system instability: May regularly restart the compromised computer.
Distribution
Subject of email: [BLANK]
Name of attachment: Kangen.exe

Read the full Symantec report here


W32.Mytob.JW@mm
Discovered October 03, 2005
Systems Affected: All Windows32 Systems

W32.Mytob.JW@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.

Payload Trigger: n/a
Payload: Opens a back door and allows a remote attacker to have unauthorized access to the compromised computer.
Large scale e-mailing: Creates a mass-mailing of itself which may impact system performance.
Degrades performance: Creates a mass-mailing of itself, which may clog mail servers or degrade network performance.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP ports 10027, 8000

Read the full Symantec report here


W32.Spybot.YCL
Discovered October 04, 2005
Systems Affected: All Windows32 Systems

W32.Spybot.YCL is a worm that has distributed denial of service and back door capabilities. The worm spreads by exploiting vulnerabilities and backdoors left by other malware.

Payload Trigger: n/a
Payload: Opens a back door.
Degrades performance: Scans the network for vulnerable computers.
Causes system instability: Disables processes causing system instability.
Compromises security settings: Disables processes, some of which may be security related.
Distribution
Ports: TCP port 7043

Read the full Symantec report here


W32.Comdor.K@mm
Discovered October 05, 2005
Systems Affected: All Windows32 Systems

W32.Comdor.K@mm is a worm that sends HTML formatted email with links that will download a copy of itself. It also downloads a variant of PWSteal.Bancos to the compromised computer.

Payload Trigger: n/a
Payload: Downloads and executes a copy of other malware.
Large scale e-mailing: Creates a mass-mailing of itself to addresses gathered from the compromised computer.
Degrades performance: Creates a mass-mailing which may clog mail servers and degrade network performance.
Releases confidential info: Sends the email address of the compromised computer to the author of the worm.
Distribution
Subject of email: Varies

Read the full Symantec report here


W32.Sober.Q@mm
Discovered October 05, 2005
Systems Affected: All Windows32 Systems

W32.Sober.Q@mm is a mass-mailing worm that uses its own SMTP engine to spread. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German.

It has been reported that it may arrive as one of the following files and that inside the ZIP archive is a file named PW_Klass.Pic.packed-bitmap.exe:

  • KlassenFoto.zip
  • pword_change.zip

Payload Trigger: n/a
Payload: Displays a fake error message.
Large scale e-mailing: Sends a mass-mailing of itself to email addresses gathered from the compromised computer.

Displays the following message:

Read the full Symantec report here

Download the Removal Tool here


W32.Mytob.KC@mm
Discovered October 06, 2005
Systems Affected: All Windows32 Systems

W32.Mytob.KC@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.

Payload Trigger: n/a
Payload: Opens a back door and allows a remote attacker to have unauthorized access to the compromised computer.
Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Degrades performance: Creates a mass-mailing of itself, which may clog mail servers or degrade network performance.
Compromises security settings: Lowers Internet security settings by modifying the hosts file.
Distribution
Subject of email: Varies
Name of attachment: Varies

Read the full Symantec report here


W32.Beagle.CK@mm
Discovered October 06, 2005
Systems Affected: All Windows32 Systems

W32.Beagle.CK@mm is a mass-mailing worm that uses its own SMTP engine to email copies of itself to addresses gathered from the compromised computer.

The worm also opens a back door on TCP Port 9035 on the compromised computer.

Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Attempts to email a copy of itself to the email addresses it gathered.
Compromises security settings: Attempts to end processes which may be security-related.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP Port 9035

Read the full Symantec report here


W32.Erkez.G@mm
Discovered October 06, 2005
Systems Affected: All Windows32 Systems

W32.Erkez.G@mm is a mass-mailing worm that sends itself to email addresses gathered from the compromised computer.

Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends a copy of itself to email addresses it gathers from the compromised computer.
Degrades performance: Mass-mailing of itself may degrade performance and resources.
Compromises security settings: Prevents processes from running.
Distribution
Subject of email: Varies
Name of attachment: Varies

Displays the following fake error message:

Displays the following message, if the system date is March 12:


Read the full Symantec report here


W32.Mytob.KE@mm
Discovered October 07, 2005
Systems Affected: All Windows32 Systems

W32.Mytob.KE@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.

Payload Trigger: n/a
Payload: Downloads and executes remote files.
Large scale e-mailing: Sends emails to addresses gathered on the compromised computer.
Degrades performance: Opens a back door which may degrade performance and resources.
Compromises security settings: Ends processes and blocks access to Web sites, some of which may be security-related.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP port 27999

Read the full Symantec report here

Download the Removal Tool here


W32.Beagle.CL@mm
Discovered October 07, 2005
Systems Affected: All Windows32 Systems

W32.Beagle.CL@mm is a mass-mailing worm with back door capabilities that uses its own SMTP engine to email copies of itself to addresses gathered from the compromised computer.

Payload Trigger: n/a
Payload: Opens a back door and allows a remote attacker to have unauthorized access to the compromised computer.
Large scale e-mailing: Attempts to email a copy of itself to the email addresses it gathered.
Degrades performance: Creates a mass-mailing of itself which may clog mail servers or degrade network performance.
Compromises security settings: Attempts to end processes which may be security-related.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP port 9035

Read the full Symantec report here

Download the Removal Tool here


W32.Toxbot.AL
Discovered October 07, 2005
Systems Affected: All Windows32 Systems

W32.Toxbot.AL is a worm that opens an IRC back door on the compromised computer and spreads by exploiting vulnerabilities.

Payload Trigger: n/a
Payload: n/a
Causes system instability: Spreads by exploiting remote vulnerabilities which may cause instability.
Releases confidential info: Steals confidential information.
Compromises security settings: Ends processes which may compromise security settings.
Distribution
Ports: TCP port 6556
Target of infection: Targets computers exposed to several common system vulnerabilities.

Read the full Symantec report here

Download the Removal Tool here


W32.Mytob.KM@mm
Discovered October 12, 2005
Systems Affected: All Windows32 Systems

W32.Mytob.KM@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.

Payload Trigger: n/a
Payload: Opens backdoor.
Large scale e-mailing: Uses its own SMTP engine to send itself to email addresses it gathers on the compromised computer.
Modifies files: Adds entries to the hosts file to block access to several security-related Web sites.
Compromises security settings: Ends processes, several of which are security related.
Distribution
Subject of email: Varies.
Name of attachment: Varies.
Ports: TCP port 23523

Read the full Symantec report here


W32.Rontokbro.D@mm
Discovered October 12, 2005
Systems Affected: All Windows32 Systems

W32.Rontokbro.D@mm is a mass-mailing worm that causes system instability.

Payload Trigger: n/a
Payload: n/a
Modifies files: Overwrites the Autoexec.bat file.
Causes system instability: May randomly restart the computer.

Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From: [SPOOFED]

Subject: [BLANK]

Message:
BRONTOK.A [ By: H[REMOVED]M Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah[ By: H[REMOVED]unity --

Attachment:
Kangen.exe

Read the full Symantec report here


W32.Mytob.KP@mm
Discovered October 12, 2005
Systems Affected: All Windows32 Systems

W32.Mytob.KP@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.

Payload Trigger: n/a
Payload: Downloads and executes remote files.
Large scale e-mailing: Sends emails to addresses gathered on the compromised computer.
Degrades performance: Opens a back door which may degrade performance and resources.
Compromises security settings: Ends processes and blocks access to Web sites, some of which may be security-related.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP port 3385

Read the full Symantec report here


W32.Spybot.YQW
Discovered October 15, 2005
Systems Affected: All Windows32 Systems

W32.Spybot.YQW is a network-aware worm that opens a back door on the compromised computer.

Payload Trigger: n/a
Payload: Opens a back door and allows a remote attacker to have unauthorized access to the compromised computer.
Degrades performance: Spreads by exploiting vulnerabilities, which may degrade the compromised computer's performance.
Compromises security settings: Disables processes some of which may be security-related.
Distribution
Ports: TCP port 7043

Read the full Symantec report here


W32.Mytob.KR@mm
Discovered October 15, 2005
Systems Affected: All Windows32 Systems

W32.Mytob.KR@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.

Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends emails to addresses gathered on the compromised computer.
Degrades performance: Opens a back door which may degrade performance and resources.
Compromises security settings: Ends processes and blocks access to Web sites, some of which may be security-related.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP port 43287

Read the full Symantec report here


W32.Mytob.KU@mm
Discovered October 15, 2005
Systems Affected: All Windows32 Systems

W32.Mytob.KU@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.

Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends emails to addresses gathered on the compromised computer.
Degrades performance: Opens a back door which may degrade performance and resources.
Compromises security settings: Ends processes and blocks access to Web sites, some of which may be security-related.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP port 43287

Read the full Symantec report here


W32.Mytob.LD@mm
Discovered October 17, 2005
Systems Affected: All Windows32 Systems

W32.Mytob.LD@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.

Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Sends emails to addresses gathered on the compromised computer.
Modifies files: Modifies the hosts file.
Degrades performance: Opens a back door which may degrade performance and resources.
Compromises security settings: Blocks access to security-related Web sites and attempts to disable processes.
Distribution
Subject of email: Varies
Name of attachment: Varies

Read the full Symantec report here


W32.Fanbot.A@mm
Discovered October 17, 2005
Systems Affected: All Windows32 Systems

W32.Fanbot.A@mm is a mass-mailing worm that lowers security settings on the compromised computer. It also spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) and through peer-to-peer networks.

Payload Trigger: n/a
Payload: Lowers security settings on the compromised computer.
Large scale e-mailing: Creates a mass-mailing of itself using its own SMTP engine.
Modifies files: Adds entries to the hosts file.
Compromises security settings: Blocks access to security-related Web sites by adding entries to the hosts file and attempts to end several security-related processes.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP 5652

Read the full Symantec report here


W32.Dabora.A@mm
Discovered October 17, 2005
Systems Affected: All Windows32 Systems

W32.Dabora.A@mm is a mass-mailing worm that mimics financial Web sites and downloads a Bancos variant.

Payload Trigger: n/a
Payload: Downloads and executes remote files on the compromised computer.
Large scale e-mailing: Sends itself as an HTML-based email using its own SMTP engine.
Distribution
Subject of email: Varies.

Read the full Symantec report here


W32.Loxbot.A
Discovered October 17, 2005
Systems Affected: All Windows32 Systems

W32.Loxbot.A is a worm that opens a back door and can receive commands from a remote attacker. It can spread using AOL Instant Messenger. The worm also uses rootkit capabilities to hide its process in memory.

Payload Trigger: n/a
Payload: Opens a back door.
Degrades performance: May impact resources while attempting to spread.
Compromises security settings: Disables security-related services.
Distribution
Ports: TCP port 9515
Target of infection: AOL Instant Messenger

Read the full Symantec report here


W32.Mytob.LE@mm
Discovered October 17, 2005
Systems Affected: All Windows32 Systems

W32.Mytob.LE@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.

Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Sends emails.
Modifies files: Modifies the hosts file.
Compromises security settings: Ends processes and stops services, some of which may be security related. Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies

Read the full Symantec report here


W32.Spybot.YXX
Discovered October 19, 2005
Systems Affected: All Windows32 Systems

W32.Spybot.YXX is a network-aware worm that opens a back door on the compromised computer. It spreads by exploiting common system vulnerabilities. The worm is also dropped by W32.Botter.A@mm.

Payload Trigger: n/a
Payload: Opens a back door.
Degrades performance: Propagation may degrade performance.
Compromises security settings: Blocks access to security-related Web sites and ends processes.
Distribution
Ports: TCP port 8080
Target of infection: Exploits vulnerabilities.

Read the full Symantec report here


W32.Botter.A@mm
Discovered October 19, 2005
Systems Affected: All Windows32 Systems

W32.Botter.A@mm is a mass-mailing worm that also spreads through IRC. It also drops W32.Spybot.YXX, and inserts itself into rar archives.

Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends an email to addresses that it gathers from the compromised computer's Windows Address Book.
Degrades performance: Mass-mailing may degrade performance.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: Port 8080
Target of infection: Spreads to users in a chatroom on predetermined IRC servers.

Read the full Symantec report here


W32.Mocbot.A
Discovered October 23, 2005
Systems Affected: All Windows32 Systems

W32.Mocbot.A is a worm with back door capabilities that exploits the Microsoft Windows Plug and Play Buffer Overflow vulnerability (as described in Microsoft Security Bulletin MS05-039).

Payload Trigger: n/a
Payload: Opens a back door on the compromised computer.
Distribution
Ports: TCP port 18067.

Read the full Symantec report here


W32.Looksky.A@mm
Discovered October 24, 2005
Systems Affected: All Windows32 Systems

W32.Looksky.A@mm is a mass-mailing worm that drops additional threats and lowers security settings on the compromised computer.

Payload Trigger: n/a
Payload: Opens a back door that allows a remote attacker to have unauthorized access to the compromised computer.
Large scale e-mailing: Sends emails to addresses gathered from the compromised computer.
Releases confidential info: Logs keystrokes and sends the stolen information to the email address.
Compromises security settings: Lowers security settings by bypassing the firewall settings.
Distribution
Subject of email: Skylook for Skype
Name of attachment: skylook_1.exe
Size of attachment: Varies
Ports: TCP port 321

Read the full Symantec report here


W32.Mydoom.FP@mm
Discovered October 25, 2005
Systems Affected: All Windows32 Systems

W32.Mydoom.FP@mm is a mass-mailing worm that uses its own SMTP engine to spread by email.

Payload Trigger: n/a
Payload: Creates a mass-mailing of itself using addresses gathered from the compromised computer.
Large scale e-mailing: Sends out emails to email addresses gathered from the compromised computer.
Degrades performance: Mass-mailing of itself may clog mail servers or degrade network performance.
Causes system instability: Mass-mailing of itself may impact system performance.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: 25,600 bytes

Subject:
One of the following:


VY PUR FVTAVSVPN
Vy Frffb fhee Rebgvpb dhnqreab qv pnfn
Ercbegb cre han fhcresvpvr qv dhrr vzcbegnagv
vy cevzb fragvzragb r dhryyb qryy'vzcbgramn
Ybtvb r vzcbegnagv vy Y'nhgbprafhen Tnzrb
Vy dhnqreab qv pnfn Zntantuv-Mbembyv
Cerzrggb pur fbab ancbyrgnab,ibtyvb Rebgvfzb
[RANDOM CHARACTERS]


Message Body:
One of the following:


Il utilitio prevede:
diritto del malato [REMOVED]
6. Sondaggio
7. Aggiungi ai Preferiti
Uno stupro Faccio il bagno con una donna che non conosco in un bel mare con un grande senso di gioia
Il Mediterraneo non ha mai interrotto nulla, non ha mai segnato separazioni. Anzi, in dai tempi della colonizzazione greca, era un bacino i cui bordi erano ricercati, biti.
[RANDOM CHARACTERS]

Read the full Symantec report here


W32.Rontokbro.K@mm
Discovered October 25, 2005
Systems Affected: All Windows32 Systems

W32.Rontokbro.K@mm is a mass-mailing worm that causes system instability. The email arrives with a blank subject line and an attachment of Kangen.exe.

Payload Trigger: n/a
Payload: Launches a ping flood attack.
Large scale e-mailing: Mass-mails itself to addresses gathered from the compromised computer.
Causes system instability: Reboots the compromised computer when it detects an open window whose title contains certain strings.
Distribution
Subject of email: The email subject is blank.
Name of attachment: Kangen.exe

Read the full Symantec report here


W32.Mytob.LM@mm
Discovered October 31, 2005
Systems Affected: All Windows32 Systems

W32.Mytob.LM@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm also spreads through network shares and by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).

Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Uses its own SMTP engine to send itself to the email addresses that it finds.
Releases confidential info: Monitors the user's Internet browsing habits and logs any information it finds.
Compromises security settings: Ends the following security-related processes
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: Random ports.

Read the full Symantec report here


W32.Loxbot.B
Discovered October 31, 2005
Systems Affected: All Windows32 Systems

W32.Loxbot.B is a network-aware worm with back door capabilities that can also spread using AOL Instant Messenger.

Payload Trigger: n/a
Payload: Opens a back door on the compromised computer.
Distribution
Ports: TCP port 9515.

Read the full Symantec report here

© Copyright 1999 - 2005 The Computer Wizard