[virusinfo] virusinfo Digest V4 #102
- From: "Mike" <mikebike@xxxxxxxxx>
- To: virusinfo@xxxxxxxxxxxxx
- Date: Sat, 16 Apr 2005 08:34:53 -0700
virusinfo Digest Fri, 15 Apr 2005 Volume: 04 Issue: 102
In This Issue:
[virusinfo] W32/Kelvir-J
[virusinfo] W32/Tirbot-D
[virusinfo] Troj/DoomSend-A
----------------------------------------------------------------------
Date: Fri, 15 Apr 2005 09:51:56 -0700
From: "Mike" <mikebike@xxxxxxxxx>
Subject: [virusinfo] W32/Kelvir-J
From; Sophos Alert System:
Name: W32/Kelvir-J
Aliases: W32.Kelvir.T, W32/Kelvir.worm.gen
Type: Win32 worm
Date: 15 April 2005
A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.
Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.
At the time of writing, Sophos has received a small number of
reports of this worm from the wild.
Information about W32/Kelvir-J can be found at:
http://www.sophos.com/virusinfo/analyses/w32kelvirj.html
This IDE file also includes detection for:
W32/Rbot-AAQ
http://www.sophos.com/virusinfo/analyses/w32rbotaaq.html
Troj/Ablank-S
http://www.sophos.com/virusinfo/analyses/trojablanks.html
W32/Sdbot-XE
http://www.sophos.com/virusinfo/analyses/w32sdbotxe.html
W32/Wurmark-H
http://www.sophos.com/virusinfo/analyses/w32wurmarkh.html
Troj/Killav-AJ
http://www.sophos.com/virusinfo/analyses/trojkillavaj.html
Troj/Dloader-LT
http://www.sophos.com/virusinfo/analyses/trojdloaderlt.html
W32/Rbot-AAP
http://www.sophos.com/virusinfo/analyses/w32rbotaap.html
Download the IDE file from:
http://www.sophos.com/downloads/ide/kelvir-j.ide
Download all the IDE files available for the current version of
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:
Zip file:
http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe
Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
------------------------------
Date: Fri, 15 Apr 2005 09:54:34 -0700
From: "Mike" <mikebike@xxxxxxxxx>
Subject: [virusinfo] W32/Tirbot-D
From; Sophos Alert System:
Name: W32/Tirbot-D
Type: Win32 worm
Date: 15 April 2005
A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.
Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.
At the time of writing, Sophos has received a small number of
reports of this worm from the wild.
Note: The IDE issued for W32/Tirbot-D at 11 April 2005 21:55:18
(GMT) also contained detection for W32/Mytob-AV, W32/Mytob-AW,
Troj/Agent-DJ, W32/Mytob-AL, Troj/Bdoor-HN, and Troj/Ablank-Q.
This IDE has now been updated to enhance detection of
W32/Mytob-AW.
Information about W32/Tirbot-D can be found at:
http://www.sophos.com/virusinfo/analyses/w32tirbotd.html
W32/Tirbot-D is a network worm with backdoor functionality for the Windows
platform.
The worm spreads to network computers vulnerable to the LSASS vulnerability
(MS04-011) and through network shares protected by weak passwords.
The backdoor component joins one of 4 predetermined IRC channels and awaits
further commands from remote users. The backdoor component can then be
instructed to perform the following:
Take part in distributed denial of service (DDoS) attacks
Upload/download files
Execute files
Serve as a proxy server
Harvest information from the system registry
Report filesystem information
List running processes
Scan for the presence anti-virus software
Terminate running processes
Remove registry entries
W32/Tirbot-D will attempt to report the infection to a predefined URL.
When first run, W32/Tirbot-D copies itself to the Windows system folder as
MSDTCs.exe and sets the following registry entry in order to run each time
a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IECheck
<Windows system folder>\MSDTCs.exe
A patch is available from Microsoft for the LSASS vulnerability exploited
by W32/Tirbot-D:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
This IDE file also includes detection for:
W32/Mytob-AV
http://www.sophos.com/virusinfo/analyses/w32mytobav.html
W32/Mytob-AW
http://www.sophos.com/virusinfo/analyses/w32mytobaw.html
Troj/Agent-DJ
http://www.sophos.com/virusinfo/analyses/trojagentdj.html
W32/Mytob-AL
http://www.sophos.com/virusinfo/analyses/w32mytobal.html
Troj/Bdoor-HN
http://www.sophos.com/virusinfo/analyses/trojbdoorhn.html
Troj/Ablank-Q
http://www.sophos.com/virusinfo/analyses/trojablankq.html
Download the IDE file from:
http://www.sophos.com/downloads/ide/tirbot-d.ide
Download all the IDE files available for the current version of
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:
Zip file:
http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe
Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
------------------------------
Date: Fri, 15 Apr 2005 14:48:42 -0700
From: "Mike" <mikebike@xxxxxxxxx>
Subject: [virusinfo] Troj/DoomSend-A
From; Sophos Alert System:
Name: Troj/DoomSend-A
Aliases: Backdoor.Win32.Naninf.c
Type: Trojan
Date: 15 April 2005
A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.
Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.
At the time of writing, Sophos has received a small number of
reports of this Trojan from the wild.
Information about Troj/DoomSend-A can be found at:
http://www.sophos.com/virusinfo/analyses/trojdoomsenda.html
This IDE file also includes detection for:
Troj/Banker-CD
http://www.sophos.com/virusinfo/analyses/trojbankercd.html
Troj/LdPinch-AU
http://www.sophos.com/virusinfo/analyses/trojldpinchau.html
Troj/FakeAle-A
http://www.sophos.com/virusinfo/analyses/trojfakealea.html
W32/Rbot-AAT
http://www.sophos.com/virusinfo/analyses/w32rbotaat.html
W32/Kelvir-Q
http://www.sophos.com/virusinfo/analyses/w32kelvirq.html
Troj/KillAV-AE
http://www.sophos.com/virusinfo/analyses/trojkillavae.html
Troj/Killav-AI
http://www.sophos.com/virusinfo/analyses/trojkillavai.html
Download the IDE file from:
http://www.sophos.com/downloads/ide/doomse-a.ide
Download all the IDE files available for the current version of
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:
Zip file:
http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe
Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
------------------------------
End of virusinfo Digest V4 #102
*******************************
Other related posts:
- » [virusinfo] virusinfo Digest V4 #102
