[virusinfo] W32/Nanpy-A

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Tue, 21 Jun 2005 13:02:15 -0700

From; Sophos Alert System:

Name: W32/Nanpy-A
Type: Win32 worm
Date: 21 June 2005

Sophos has issued protection for W32/Nanpy-A.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Note: The IDE issued for W32/Nanpy-A at 30 May 2005 06:21:16
(GMT) also contained detection for Troj/Orse-C, Troj/LdPinch-BA,
Troj/Daoser-D, Troj/Dloader-PC, Troj/Small-EJ and W32/Tibick-F. 
This IDE has now been updated to enhance detection of
Troj/Orse-C.

Information about W32/Nanpy-A can be found at:
http://www.sophos.com/virusinfo/analyses/w32nanpya.html

W32/Nanpy-A is a worm for the Windows platform. It may spread to vulnerable 
computers via the RPC-DCOM exploit, and attempt to redirect access to various 
banking websites. 
When first run W32/Nanpy-A copies itself to <System>\mmsvc32.exe. 
The following registry entry is created to run mmsvc32.exe on startup: 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Network Services Controller
<System>\mmsvc32.exe 
W32/Nanpy-A modifies the HOSTS file, mapping the URLs of banking websites to a 
remote IP. At the time of writing, this IP address is not functional. 
lloydstsb.co.uk
online.lloydstsb.co.uk
www.lloydstsb.co.uk
www.lloydstsb.com
personal.barclays.co.uk
barclays.co.uk
ibank.barclays.co.uk
www.barclays.co.uk
www.nwolb.com
nwolb.com
hsbc.co.uk
www.hsbc.co.uk
abbey.com
www.abbey.com
www.abbey.co.uk
abbey.co.uk
cahoot.com
www.cahoot.com
www.cahoot.co.uk
cahoot.co.uk
www.co-operativebank.co.uk
co-operativebank.co.uk
www.co-operativebank.com
co-operativebank.com
welcome2.co-operativebankonline.co.uk
welcome6.co-operativebankonline.co.uk
welcome8.co-operativebankonline.co.uk
welcome10.co-operativebankonline.co.uk
www.smile.co.uk
smile.co.uk 

The W32/Nanpy-A virus identity file (IDE) includes detection for:


Troj/Orse-C
http://www.sophos.com/virusinfo/analyses/trojorsec.html
Troj/LdPinch-BA
http://www.sophos.com/virusinfo/analyses/trojldpinchba.html
Troj/Daoser-D
http://www.sophos.com/virusinfo/analyses/trojdaoserd.html
Troj/Dloader-PC
http://www.sophos.com/virusinfo/analyses/trojdloaderpc.html
Troj/Small-EJ
http://www.sophos.com/virusinfo/analyses/trojsmallej.html
W32/Tibick-F
http://www.sophos.com/virusinfo/analyses/w32tibickf.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Nanpy-A from:

http://www.sophos.com/downloads/ide/nanpy-a.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Nanpy-A
• » [virusinfo] W32/Nanpy-A

1. Home
2. virusinfo
3. Archive
4. 06-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---