virusinfo Digest Fri, 15 Apr 2005 Volume: 04 Issue: 102 In This Issue: [virusinfo] W32/Kelvir-J [virusinfo] W32/Tirbot-D [virusinfo] Troj/DoomSend-A ---------------------------------------------------------------------- Date: Fri, 15 Apr 2005 09:51:56 -0700 From: "Mike" <mikebike@xxxxxxxxx> Subject: [virusinfo] W32/Kelvir-J From; Sophos Alert System: Name: W32/Kelvir-J Aliases: W32.Kelvir.T, W32/Kelvir.worm.gen Type: Win32 worm Date: 15 April 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Kelvir-J can be found at: http://www.sophos.com/virusinfo/analyses/w32kelvirj.html This IDE file also includes detection for: W32/Rbot-AAQ http://www.sophos.com/virusinfo/analyses/w32rbotaaq.html Troj/Ablank-S http://www.sophos.com/virusinfo/analyses/trojablanks.html W32/Sdbot-XE http://www.sophos.com/virusinfo/analyses/w32sdbotxe.html W32/Wurmark-H http://www.sophos.com/virusinfo/analyses/w32wurmarkh.html Troj/Killav-AJ http://www.sophos.com/virusinfo/analyses/trojkillavaj.html Troj/Dloader-LT http://www.sophos.com/virusinfo/analyses/trojdloaderlt.html W32/Rbot-AAP http://www.sophos.com/virusinfo/analyses/w32rbotaap.html Download the IDE file from: http://www.sophos.com/downloads/ide/kelvir-j.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike ------------------------------ Date: Fri, 15 Apr 2005 09:54:34 -0700 From: "Mike" <mikebike@xxxxxxxxx> Subject: [virusinfo] W32/Tirbot-D From; Sophos Alert System: Name: W32/Tirbot-D Type: Win32 worm Date: 15 April 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Note: The IDE issued for W32/Tirbot-D at 11 April 2005 21:55:18 (GMT) also contained detection for W32/Mytob-AV, W32/Mytob-AW, Troj/Agent-DJ, W32/Mytob-AL, Troj/Bdoor-HN, and Troj/Ablank-Q. This IDE has now been updated to enhance detection of W32/Mytob-AW. Information about W32/Tirbot-D can be found at: http://www.sophos.com/virusinfo/analyses/w32tirbotd.html W32/Tirbot-D is a network worm with backdoor functionality for the Windows platform. The worm spreads to network computers vulnerable to the LSASS vulnerability (MS04-011) and through network shares protected by weak passwords. The backdoor component joins one of 4 predetermined IRC channels and awaits further commands from remote users. The backdoor component can then be instructed to perform the following: Take part in distributed denial of service (DDoS) attacks Upload/download files Execute files Serve as a proxy server Harvest information from the system registry Report filesystem information List running processes Scan for the presence anti-virus software Terminate running processes Remove registry entries W32/Tirbot-D will attempt to report the infection to a predefined URL. When first run, W32/Tirbot-D copies itself to the Windows system folder as MSDTCs.exe and sets the following registry entry in order to run each time a user logs on: HKLM\Software\Microsoft\Windows\CurrentVersion\Run IECheck <Windows system folder>\MSDTCs.exe A patch is available from Microsoft for the LSASS vulnerability exploited by W32/Tirbot-D: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx This IDE file also includes detection for: W32/Mytob-AV http://www.sophos.com/virusinfo/analyses/w32mytobav.html W32/Mytob-AW http://www.sophos.com/virusinfo/analyses/w32mytobaw.html Troj/Agent-DJ http://www.sophos.com/virusinfo/analyses/trojagentdj.html W32/Mytob-AL http://www.sophos.com/virusinfo/analyses/w32mytobal.html Troj/Bdoor-HN http://www.sophos.com/virusinfo/analyses/trojbdoorhn.html Troj/Ablank-Q http://www.sophos.com/virusinfo/analyses/trojablankq.html Download the IDE file from: http://www.sophos.com/downloads/ide/tirbot-d.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike ------------------------------ Date: Fri, 15 Apr 2005 14:48:42 -0700 From: "Mike" <mikebike@xxxxxxxxx> Subject: [virusinfo] Troj/DoomSend-A From; Sophos Alert System: Name: Troj/DoomSend-A Aliases: Backdoor.Win32.Naninf.c Type: Trojan Date: 15 April 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this Trojan from the wild. Information about Troj/DoomSend-A can be found at: http://www.sophos.com/virusinfo/analyses/trojdoomsenda.html This IDE file also includes detection for: Troj/Banker-CD http://www.sophos.com/virusinfo/analyses/trojbankercd.html Troj/LdPinch-AU http://www.sophos.com/virusinfo/analyses/trojldpinchau.html Troj/FakeAle-A http://www.sophos.com/virusinfo/analyses/trojfakealea.html W32/Rbot-AAT http://www.sophos.com/virusinfo/analyses/w32rbotaat.html W32/Kelvir-Q http://www.sophos.com/virusinfo/analyses/w32kelvirq.html Troj/KillAV-AE http://www.sophos.com/virusinfo/analyses/trojkillavae.html Troj/Killav-AI http://www.sophos.com/virusinfo/analyses/trojkillavai.html Download the IDE file from: http://www.sophos.com/downloads/ide/doomse-a.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member ------------------------------ End of virusinfo Digest V4 #102 *******************************