new virus

Worm/NetSky.P - Worm

2006-08-27T07:58:00.001-07:00

Worm/NetSky.P It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established.

The body of the email is one of the following: I noticed that you have visited illegal websites. See the name in the list! , Important message, do not show this anyone! your big love, ;-) ,Thanks! Protected message is attached. ,Congratulations!, your best friend. ,Best wishes, your friend. , Your document is attached. , See the file. , Please see the attached file for details. , Your document is attached to this mail. , SMTP: Please confirm the attached message. , You have written a very good text, excellent, good work! , Your photo, uahhh.... , you are naked! ,You have received an extended message. Please read the instructions. , Partial message is available. , Waiting for authentification. , I hope the patch works. , Here is the website. ;-) , Your file is attached. ,Do not visit this illegal websites! , Delivered message is attached. , I cannot believe that. , I am shocked about your document! , Please authenticate the secure message , I have corrected your document. , Here is my icq list. , You got a new message. , I hope you accept the result! , Important message, do not show this anyone! , Please read the document.

Subject: One of the following: • Re:approved; approved bil; Re:Approved document; Re:Bad request; Re:Bill; data; Re:Delivery Server; Do you?; Does it matter?; Re:Encrypted Mail; Re:Error; Re:Error in document; Re:Failure; Re:file; Re:Free porn; Re:hello; Re:here; Re:Hi; Hi; I cannot forget you!; important data; Internet Provider Abuse; Is that your password?; Re:Its me; Re:List; Re:Message Error; Re:my bill; Re:my data; Re:Order; Postcard; Re:Proof of concept; Re:Protected Mail Delivery; Protected Mail System; Re:Protected Mail system; Re:Question; Re:Request; Re:Sample; Re:Secure SMTP Message; Shocking document; Fw:Warning again; Re:Status; Your day; Re:Your document; Re:your document_all

Aliases:
• Symantec: W32.Netsky.P@mm
• Mcafee: W32/Netsky.p@MM
• Kaspersky: Email-Worm.Win32.NetSky.q
• TrendMicro: WORM_NETSKY.P
• F-Secure: Email-Worm.Win32.NetSky.q
• Sophos: W32/Netsky-P
• Panda: W32/Netsky.P.worm
• Grisoft: I-Worm/Netsky.Q
• VirusBuster: I-Worm.Netsky.Q1
• Eset: Win32/Netsky.Q worm
• Bitdefender: Win32.Netsky.P@mm

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP

Side effects:
• Drops a malicious file
• Uses its own Email engine
• Registry modification

Worm/Bagz.D.3 - Worm

2006-08-27T07:55:00.000-07:00

Worm/Bagz.D.3 make Side effects Blocks access to certain websites ,Blocks access to security websites , Drops files ,Drops malicious files ,Uses its own Email engine ,Registry modification

Aliases:
• Symantec: W32.Bagz.E@mm
• Mcafee: W32/Bagz.e@MM
• Kaspersky: Email-Worm.Win32.Bagz.d
• TrendMicro: WORM_BAGZ.D
• Sophos: W32/Bagz-D
• Grisoft: I-Worm/Bagz.D
• VirusBuster: I-Worm.Bagz.G

Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

BDS/Hupigon.E.201 - Backdoor Server

2006-08-27T07:49:00.000-07:00

BDS/Hupigon.E.201 - Backdoor Server Side effects Downloads a file and Drops malicious files , Records keystrokes and Registry modification , Steals information and Third party control

Aliases:
• Mcafee: BackDoor-AWQ.b.dr
• Kaspersky: Backdoor.Win32.Hupigon.bqp
• TrendMicro: BKDR_HUPIGON.NP
• F-Secure: Backdoor.Win32.Hupigon.bqp
• Sophos: Troj/Hupigo-BLN
• Bitdefender: Backdoor.Hupigon.E

Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

TR/PSW.Sinowal.V.5 - Trojan

2006-08-27T07:47:00.000-07:00

TR/PSW.Sinowal.V.5 - Trojan virus make Side effects Drops malicious files and Registry modification and Steals information , Third party control

Aliases:
• Kaspersky: Trojan-PSW.Win32.Sinowal.v
• TrendMicro: TSPY_SINOWAL.V
• F-Secure: Trojan-PSW.Win32.Sinowal.v
• Sophos: Troj/Torpig-AY
• Eset: Win32/TrojanDropper.Small.NEC
• Bitdefender: Trojan.PWS.Sinowal.U

Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

TR/Dldr.Small.GI.1 - Trojan

2006-08-27T07:45:00.000-07:00

TR/Dldr.Small.GI.1 make Side effects Downloads a malicious file

Aliases:
• Kaspersky: Trojan-Downloader.Win32.Small.dnz
• TrendMicro: TROJ_SMALL.CPM
• Sophos: Troj/Dloadr-AMA
• VirusBuster: Trojan.DL.Small.DPN
• Eset: Win32/TrojanDownloader.Small.NOF
• Bitdefender: Trojan.Downloader.Small.BGX

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

TR/Spy.Small.GI - Trojan

2006-08-27T07:42:00.000-07:00

TR/Spy.Small.GI make Side effects Registry modification and Steals information

Aliases:
• Mcafee: Spy-Agent.bg
• Kaspersky: Trojan-Spy.Win32.Small.gi
• TrendMicro: TSPY_SMALL.CPO
• Eset: Win32/Spy.Small.GI
Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

JS/Wonka

2006-08-27T07:39:00.000-07:00

JS/Wonka Trojan

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc

Exploit-WMF

2006-08-27T07:37:00.000-07:00

Trojan Exploit-WMF

IRC-Mocbot!MS06-040

2006-08-27T07:16:00.000-07:00

IRC-Mocbot

This is a detection for variants of IRC-Mocbot that exploits the Microsoft Windows Server Service Buffer Overflow MS06-040 against Windows 2000 machines.
This worm installs itself in the WINDOWS SYSTEM directory (typically c:\windows\system32) as wgareg.exe (MD5: 9928a1e6601cf00d0b7826d13fb556f0) or wgavm.exe (MD5: 2bf2a4f0bdac42f4d6f8a062a7206797). It creates a service(s) with the following properties:
Name: wgareg
Display name: Windows Genuine Advantage Registration Service
Description: Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.
Name: wgavm
Display name: Windows Genuine Advantage Validation Monitor
Description: Ensures that your copy of Microsoft Windows is genuine. Stopping or disabling this service will result in system instability..
(The "Windows Genuine Advantage"programs installed by Microsoft via Windows Update does not typically contain a wgareg.exe or wgavm.exe file in the WINDOWS SYSTEM directory)

Aliases
Backdoor.Win32.IRCBot.st (Kaspersky)
Backdoor:Win32/Graweg.A (Microsoft)
Backdoor:Win32/Graweg.B (Microsoft)
CME-482
CME-762
W32.Wargbot (Symantec)
W32/Cuebot-L (Sophos)
W32/Cuebot-M (Sophos)
WORM_IRCBOT.JK (TrendMicro)
WORM_IRCBOT.JL (TrendMicro)
Characteristics
This is a detection for a variant of IRC-Mocbot that exploits the Microsoft Windows Server Service Buffer Overflow MS06-040 against Windows 2000 machines.
This worm installs itself in the WINDOWS SYSTEM directory (typically c:\windows\system32) as wgareg.exe (MD5: 9928a1e6601cf00d0b7826d13fb556f0) or wgavm.exe (MD5: 2bf2a4f0bdac42f4d6f8a062a7206797). It creates a service(s) with the following properties:
Name: wgareg
Display name: Windows Genuine Advantage Registration Service
Description: Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.
Name: wgavm
Display name: Windows Genuine Advantage Validation Monitor
Description: Ensures that your copy of Microsoft Windows is genuine. Stopping or disabling this service will result in system instability..
(The "Windows Genuine Advantage"programs installed by Microsoft via Windows Update does not typically contain a wgareg.exe or wgavm.exe file in the WINDOWS SYSTEM directory)
As in the older variants, this bot first attempts to connect to the following IRC servers on TCP 18067:
bbjj.househot.com
ypgw.wallloan.com
The bot connects to a specified channel and awaits commands, including:
DDoS
Scan (for vulnerable systems)
Download / execute remote files
Once instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios), and 445 (microsoft-ds), looking for systems vulnerable to the MS06-040 vulnerability. When a vulnerable system is discovered, the infected host causes a buffer overflow to occur on the remote system, instructing it to download Mocbot, save it to the WINDOWS SYSTEM directory as a file named .exe and then execute it. Unlike many exploiting bots, Mocbot doesn't use FTP or TFTP to achieve the downloading, but rather contains its own downloader code. The remote system downloads the worm via a random TCP port..
Symptoms
Heavy netbios and microsoft-ds network traffic
Presense of the file wgareg.exe or wgavm.exe in the WINDOWS SYSTEM directory
TCP 18067 connections to bniu.househot.com, bbjj.househot.com or ypgw.wallloan.com
The following registry key(s) may be added or modified to disable the Windows Security Center firewall and anti-virus monitors:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft

\Ole\EnableDCOM = "n"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\antivirusdisablenotify = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\antivirusoverride = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\firewalldisablenotify = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\firewalldisableoverride = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft

\windowsfirewall\standardprofile\enablefirewall = 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft

\windowsfirewall\domainprofile\enablefirewall = 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start = 0x00000004

Method of InfectionThis worm spreads by exploitin the MS06-040 vulnerability.
Removal
All Users:Please update to 4828 (08/13/2006) or later DAT release package
Intrushield protects against this threat with sigset(s) 3.1.19, 2.1.46, 1.9.63, 1.8.80 released on?/8/2006.
Buffer Overflow Protection in VirusScan Enterprise 8.0 and VirusScan Consumer 11 does NOT protect against this threat.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
This threat modifies a number of system configurations that includes disabling the default Windows Firewall on the infected machine. These changes should be manually configured.

Variants
Variants
N/A

TR/Spy.Banker.819156

2006-08-27T05:48:00.000-07:00

TR/Spy.Banker.819156 make Side effects Uses its own Email engine and Registry modification , Steals information.

Virus: TR/Spy.Banker.819156
Date discovered: 02/07/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution
Potential: Low
Damage Potential: Medium
Static file: Yes

Aliases:
• Kaspersky: Trojan-Spy.Win32.Banker.anv
• TrendMicro: TSPY_BANKER.OK
• F-Secure: Trojan-Spy.Win32.Banker.anv
• Eset: Win32/Spy.Banker.ANV

Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Uses its own Email engine
• Registry modification
• Steals information

It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:

Email design:
From: "Infectou"
To: xptoban@gmail.com;cyberband74@gmail.com
Subject: %computer name%
Body: • -~*´¨¯¨`*·~-.¸-()-,.-~*´¨¯¨`*·~-.¸
[Infectado OnLine]:
Maquina.............: %computer name%
IP..................: %IP address%
Data................: %current date%
Hora................: %current hour%
Versão do Windows...: %Windows version%
Mac Address.........: %MAC address%
..-~*´¨¯¨`*·~-.¸-()-,.-~*´¨¯¨`*·~-.¸ .

From: H1S1B1C1
To: xptoban@gmail.com
Subject: INFO B4NK %computer name%
Body: • h1s1b1c1
!=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[Ag/Conta]: %stolen information%
[cpf]:%stolen information%
[AssEle]:%stolen information%
[Cartao]:%stolen information%
!=-=-=-=-=-=-=-=-=-=-=-=-=-=-= .

From: CaixaEconomica
To: xptoban@gmail.com
Subject: INFO B4NK %computer name%
Body: • Caixa Economica federal -
VindO d3: %computer name%
Site: "https://internetcaixa.caixa.gov.br/NASApp/SIIBC

/login_autentica.processa","Internet Banking CAIXA"
!=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[Caixa Tip].............: %stolen information%
[Caixa Agê].............: %stolen information%
[Caixa Con].............: %stolen information%
[Caixa SeNet]...........: %stolen information%
[Caixa AssElet].........: %stolen information%
!=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Placa de Rede: %MAC address% .

From: Banespa
To: xptoban@gmail.com
Subject: INFO B4NK %computer name%
Body: • Banespa -
Vindo d3:%computer name% Site:"http://www.santanderbanespa.com.br

/portal/gsb/script/templates/GCMRequest.do?page=50 ","http://www.santanderbanespa.com.br/portal/gsb/script

/templates/GCMRequest.do?page=50"
!=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
![Ag]:...........%stolen information%
![Cont]:.........%stolen information%
![Nome Acesso]:..%stolen information%
![Sen]:..........%stolen information%
![Ass E]:........%stolen information%
!=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
MacAddress:%MAC address% .