| Worm Name |
Port# |
Subject, Message or Attachment Signature |
|
W32.jalabed@mm |
2006 |
- Adds the value:
"Ya Salam" = "%System%\NancyAjram.exe"
to the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
|
|
|
W32.beagle.dn@mm |
6777 |
Creates the following files:
- %System%\windspl.exe
- %System%\windspl.exeopen
- %System%\windspl.exeopenopen
- %Windir%\regisp32.exe
Creates mutexes named "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D"
and "smtp_bagla_1000" in order to avoid multiple copies of
itself running at the same time.
Adds the value:
"DsplObjects" = "%System%\windspl.exe"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
|
|
|
w32.sygyp.a@mm |
|
Subject:
Google Earth – Explore, Search and Discover
Message body:
Want to know more about a specific location? Dive right in
-- Google Earth combines satellite
imagery, maps and the power of Google Search to put the world's
geographic information at your
fingertips.
* Fly from space to your neighborhood. Type in an address and
zoom right in.
* Search for schools, parks, restaurants, and hotels. Get
driving directions.
* Tilt and rotate the view to see 3D terrain and buildings.
* Save and share your searches and favorites. Even add your own
annotations.
Attachment:
GoogleEarthSetup.exe
Copies itself as the following files:
%System%\Regverif32.exe
%Windir%\GoogleEarthSetup.exe
Creates the following files:
%System%\Sys32.reg
%System%\Reg32.reg
%System%\OE32.reg
%System%\Sec32.reg
%System%\FWall32.reg
%System%\NTFS32.reg
%System%\W32Info.reg
Adds the value:
"RegVfy32" = "%System%\Regverif32.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs every time Windows starts.
Adds the values:
"DisableTaskmgr" = "1"
"DisableRegistryTools" = "1"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
to disable the Registry Editor and the Task Manager.
Adds the values:
"Compact Do not Ask Again" = "1"
"Delete Thread Warning" = "6"
"Mail Empty Subject Warning" = "1"
"Send Mail Warning" = "1"
to the registry subkey:
HKEY_CURRENT_USER\Identities\[DEFAULT USER]\Software\Microsoft\Outlook Express\[OUTLOOK VERSION]\Dont Show Dialogs
to prevent certain warning messages from being displayed by
Microsoft Outlook.
|
|
W32.feebs.d@mm |
80 |
Adds the value:
"Stubpath" = "C:\COMMAND.EXE"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}
Adds the value:
"(default)" = "%System%\[PATH TO DLL WORM COMPONENT]"
to the registry subkey:
HKEY_CLASSES_ROOT\CLSID\{[RANDOM CLSID]}\InprocServer32
so that it runs every time Windows starts.
Adds the value:
"[FILE NAME OF DLL WORM COMPONENT]" = "{[RANDOM CLSID]}"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
so that it runs every time Windows starts.
|
|
w32.looksky.f@mm |
|
Subject: Your mail Account is Suspended
Message Body: We regret to inform you that your account has been
suspended due to the violation of our site policy, more
info is attached.
Attachment:
acc_info9.exe
- Adds the value:
"HostSrv" = "%Windir%\sachostx.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
- Uses the additional malware to steal information,
log keystrokes and execute commands from a remote
attacker.
|
|
|
W32.feebs.b@mm |
80 |
- Creates the following files:
- %System%\MS[RANDOM].exe
- %System%\MS[RANDOM]
- %System%\MS[RANDOM]32.DLL
Note: %System% is a variable that refers to
the System folder. By default this is
C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32
(Windows NT/2000), or C:\Windows\System32 (Windows
XP).
- Loads %System%\MS[RANDOM]32.DLL into all active
processes and blocks access to its files.
- Adds the value:
"Stubpath" = "C:\COMMAND.EXE"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}
so that it runs every time Windows starts.
- Adds the value:
"(default)" = "%System%\[PATH TO DLL WORM COMPONENT]"
to the registry subkey:
HKEY_CLASSES_ROOT\CLSID\{[RANDOM CLSID]}\InprocServer32
so that it runs every time Windows starts.
|
|
|
w32.mytob.kp@mm |
3385 |
- Copies itself as the following file:
%System%\picx.exe
- Adds the value:
"PIC SYSTEM" = "picx.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that it runs every time Windows starts.
Note: The worm will recreate these registry entries if
they are deleted.
- Modifies the value:
"Start" = "4"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
which disables the Shared Access service in Windows 2000/XP.
Note: The worm will recreate this registry entry if it
is deleted.
|
|
w32.mytob.km@mm |
23523 |
Adds the value:
"PAX SYSTEM" = "\scrigz.exe"
to the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
|
|
W32.Mytob@mm |
10027, 8000 |
Adds the value:
"WINTASKMAN" = "taskman.exe"
to the registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
|
|
w32.sober.o@mm |
37 |
Displays a message with the following text:
Title: WinZip Self-Extractor
Body: Error: CRC not complete

Adds the value:
" WinStart" = "%Windir%\Connection Wizard\Status\services.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs every time Windows starts.
Adds the value:
"_WinStart" = "%Windir%\Connection Wizard\Status\services.exe"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs every time Windows starts.
|
|
w32.mytob.cz@mm |
3030 |
Adds the value:
"WINDOWS SYSTEM" = "xxx.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that it runs every time Windows starts.
Note: The worm continually recreates these registry entries if
they are deleted.
Adds the value:
"Start" = "4"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
|
|
w32.mytob.db@mm |
4512 |
Creates the mutex named: "h311b0t3f1x3.net", so that only one
instance of the threat runs on the compromised computer.
Copies itself as:
%System%\www.lienvandekelder.be.exe
Adds the value:
"Lien Van de Kelder" = "www.lienvandekelder.be.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that the risk runs every time Windows starts.
|
|
W32.kalel.a@mm |
51435 |
|
|
W32.mytob.br@mm |
10087 |
Adds the value:
"WINRUN" = "taskgmr.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Creates the following file:
C:\hellmsn.exe
|
|
Trojan.ascetic.b |
|
|
|
W32.chod@mm |
|
Adds the value:
"Installed" = "1"
to the registry subkeys:
HKEY_CLASSES_ROOT\Chode
HKEY_LOCAL_MACHINE\Software\Classes\Chode
|
|
W32.mytob.e@mm |
445, 667 |
Adds the value:
"SVCHOST" = "scvhost.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\SVCHOST
|
|
W32.mydoom.ax@mm |
|
Adds the values:
"JavaVM" = "%Windir%\java.exe"
"Services" = "%Windir%\services.exe"
to one of the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
|
|
W32.aimdes.a@mm |
|
Adds the value:
"MsVBdll" = "[Directory of file executed]C:\Windows\MsVBdll.pif"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
|
W32.aimdes.c@mm |
|
Adds the value:
"MsVBdll" = "%Windir%\sys32dll.exe"
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
|
|
W32.Ahker.B |
|
Subject: Service Pack 2 BUG!!
Attachment: Fix_SP2.zip |
|
W32.Salga.B |
|
Attachment: Britny spears marriage with Bnladen son.zip.exe
Network: Creates a network share named
"magic_cam", which contains a copy of the worm. |
|
W32.Sober.I |
37 |
When run, displays the following error message:
"WinZip_Data_Module is missing ~Error: {[random number]}"

|
|
W32.Neveg.B |
|
Adds one of the following values:
".Prog" = "%Windir%\system\services.exe"
"BuildLab" = "%Windir%\system\services.exe"
"ccApps" = "%Windir%\system\services.exe"
"FriendlyTypeName" = "%Windir%\system\services.exe"
"Microsoft Visual SourceSafe" = "%Windir%\system\services.exe"
"RegDone" = "%Windir%\system\services.exe"
"TEXTCONV" = "%Windir%\system\services.exe"
"WMAudio" = "%Windir%\system\services.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run |
|
W32.EvaMan.C |
|
The email will have one of these subjects:
- SN: New secure mail
- Secure delivery
- failed transaction
- Re: hello (Secure-Mail)
- Re: Extended Mail
- Delivery Status (Secure)
- Re: Server Reply
- SN: Server Status
|
|
W32.BugBros.C |
|
Subject: New products
Attachment: Twunk_64.exe |
|
W32.LoveGate.ak |
6000 |
Adds the values:
"Program in Windows"="%system%\iexplore.exe"
"Protected Storage"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
"VFW Encoder/Decoder Settings"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
"WinHelp"="%system%\WinHelp.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
|
|
MyDoom.L |
1042 |
Adds the value:
"Traybar" = "%Windows%\lsass.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
|
|
W32.Beagle.Y |
1234 |
When the worm is run, it displays the message:
 |
|
W32.Bobax.A |
445, 5000 |
Adds the value:
"<random_characters>" = "%System%\<random_characters>.exe"
to the registry keys:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
|
|
BlackMal |
|
See Details about worm |
|
GaoBot.dk |
|
See Details about worm |
|
Mitglieder.E |
20742 |
See Details about worm |
|
Hiton.A |
|
See Details about worm |
|
NetSky (Variants) |
|
See Details about worm |
|
Beagle.n |
2556 |
From: one of the following @Your_Domain
- management
- administration
- staff
- antivirus
- antispam
- noreply
- support
|
|
Trojan.Mercurycas |
|
Adds Registry value:
"Olive System"="%System%\Szchost.exe"
to the RUN section of the Windows registry.
|
|
MyDoom.F |
|
Attachment: Varies with an extension of .pif, .scr, .exe, .cmd, .com, .bat, or .zip.
|
|
Dumaru.AH |
|
Attachment: document.zip |
|
Mertian.Worm |
|
Subject: want to see my new pic!!! |
|
Gubed.int |
|
Subject: "Congratulations for your site" or "Important EMail for [recipient's name]"
|
|
Hllw.Cult |
|
Subject: Hi, I sent you an eCard from BlueMountain.com |
|
Maldal.C |
|
Subject: Happy New Year |
|
Mitglieder.c |
|
Adds Registry value
"ssgrate.exe"="%System%\system.exe"
to the RUN section of the Windows registry. |
|
Hunch |
|
Message: Mensaje importante para <Name of the sender> en el archivo adjunto... |
|
Stoogy.Worm |
|
Message: This is the patch you asked for |
|
Enemany.B |
|
Subject: Edonkey Update |
|
Prt_Ticky.B |
|
Subject: XXX Picture... |
|
Shiba.Worm |
|
Subject: Hello,Shibatsu. |
|
Hopalong.Worm |
|
Subject: Look At This!!! |
|
Hllp.julk |
|
Attachment: Mabel.exe |
|
MiMail.I |
|
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES |
|
MiMail.J |
|
Attachment: InfoUpdate.exe or www.paypal.com.pif
|
|
MiMail.T |
|
Attachment: varies with .exe, .pif, or .scr file extension
|
|
MyDoom.B |
|
Attachment: extensions of (.pif, .scr, .exe, .cmd, .bat, or .zip) |
|
DMspammer |
|
Backdoor.DMSpammer is usually found as the file C:\Program Files\Common Files\MSDM\msdm.exe.
|
|
MyDoom.A |
|
Attachment: extensions of (.pif, .scr, .exe, .cmd, .bat, or .zip) |
|
Beagle.A |
|
Subject: Hi |
|
Taripox |
|
Attachment: Random or the recipient's name with the ".doc.pif" string appended
|
|
Backdoor.Hogle |
|
Open Proxy for Mail relay by spammers |
|
Naldem |
|
Adds Registry Value: "DivX Updater" = %windows%/divx.exe to the RUN section of the Windows registry |
|
Dumaru.AD |
|
Subject: Important information for you. Read it immediately ! |
|
W32.maddis.b |
|
Adds Registry Value: "WindowsUpdate" = "%System%\USRINIT.EXE" to the RUN section of the Windows registry |
|
W32.Supova.z.MM |
|
Adds Registry Value: "Windows Drive Compatibility"="%Windir%\System32Drive32.exe" to the RUN section of the Windows registry |
|
W32.tubty.a@mm |
|
The email has the following characteristics:
From: ballfruit@mail.ru
Subject: MESSAGE_ID:<zzz>
Attachment: photos.exe
|
|
W32.Erkez.B |
|
Creates the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb
Adds the value:
"<random name>"="%system%\<random file name>.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
|
trojan.ascetic.a |
|
Creates the following nonviral files in the %System% directory:
bcegfds.lll
zhcarxxi.vvx
cvqaikxt.apk
Odin-Anon.Ger
mswn32sock.dats
llsapwin32.dats
|
|
W32.paps.a@mm |
|
Adds the value:
"Win32Config" = "%Windir%\win32config.exe"
in the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|