Lovgate.AC
This malware was reported by: F-Secure
Bobax
This malware was reported by: F-Secure
Dabber
This malware was reported by: F-Secure
SdBot.MD
This malware was reported by: F-Secure
SdBot.MB
This malware was reported by: F-Secure
Sasser.E
This malware was reported by: F-Secure
Sasser.F
This malware was reported by: F-Secure
Bagle.AC
This malware was reported by: F-Secure
Wallon
This malware was reported by: F-Secure
Cycle.A
This malware was reported by: F-Secure
Exploit
This malware was reported by: F-Secure
BOO infector
This malware was reported by: F-Secure
Sasser.D
This malware was reported by: F-Secure
Bagle.Z
This malware was reported by: F-Secure
Bagle.Y
This malware was reported by: F-Secure
W32/Bagle.ab@MM
This malware was reported by: Network Associates Inc
-- Update June 7, 2004 --
The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.
-- Update May 10, 2004 --
Due to an increase in prevalence, the risk assessment of this threat has been raised
W32/Sasser.worm.b
This malware was reported by: Network Associates Inc
-- Update June 7, 2004 --
The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.
-- Update May 2, 2004 --
The risk assessment of this threat was upgraded to Medium due to an increase in pre
W32/Sasser.worm.d
This malware was reported by: Network Associates Inc
-- Update June 7, 2004 --
The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.
-- Update May 4, 2004 --
Due to an increase in prevalence, the risk assessment of this threat has been upgra
W32/Sasser.worm.a
This malware was reported by: Network Associates Inc
-- Update June 7, 2004 --
The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.
-- Update May 1, 2004 --
The assessment of this threat has been upgraded to Medium due to an increase in prev
Proxy-FBSR
This malware was reported by: Network Associates Inc
W32/Plexus@MM
This malware was reported by: Network Associates Inc
W32/Korgo.worm.g
This malware was reported by: Network Associates Inc
-- Update June 3rd, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://software.silicon.com/malware/0,3800003100,39121085,00.htm
--
The worm is detected as W32/Korgo.worm.
IRC-Scanbot
This malware was reported by: Network Associates Inc
Reboot-AF
This malware was reported by: Network Associates Inc
W32/Korgo.worm.f
This malware was reported by: Network Associates Inc
This self-executing worm spreads by exploiting a Microsoft Windows vulnerability:
MS04-011 vulnerability (CAN-2003-0533) http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
The worm spreads with a random filename and acts
W32/Korgo.worm.e
This malware was reported by: Network Associates Inc
This self-executing worm spreads by exploiting a Microsoft Windows vulnerability:
MS04-011 vulnerability (CAN-2003-0533) http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
The worm spreads with a random filename and acts
W32/Korgo.worm.c
This malware was reported by: Network Associates Inc
This self-executing worm spreads by exploiting a Microsoft Windows vulnerability:
MS04-011 vulnerability (CAN-2003-0533) http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
The worm spreads with a random filename and acts
BackDoor-CBA
This malware was reported by: Network Associates Inc
Downloader-JT
This malware was reported by: Network Associates Inc
StartPage-BQ
This malware was reported by: Network Associates Inc
Urbin
This malware was reported by: Network Associates Inc
Exploit-ObjectData
This malware was reported by: Network Associates Inc
Zerolin
This malware was reported by: F-Secure
Zerolin is a family of trojan droppers written with Visual Basic Script.
They carry a binary that is usually written to the root of the C: drive as
"x.exe" and executed. The dropped binary file usually is one of the
downloaders of the Small
HackTool
This malware was reported by: F-Secure
Plexus.A
This malware was reported by: F-Secure
The Plexus.A worm was found on June 3rd, 2004. This worm spreads
through Kazaa shares, email and through several vulnerabilities.
Korgo.G
This malware was reported by: F-Secure
This Korgo (aka Padobot) variant was found on June 2nd, 2004. It
is very similar to the previous variants. It spreads throughout
the Internet using a vulnerability in Microsoft Windows LSASS. A
description of the vulnerability can be found in Microsof
Korgo.F
This malware was reported by: F-Secure
This Korgo (aka Padobot) variant was found at the very end of
May, 2004. It is very similar to other Korgo variants. It spreads
throughout the Internet using a vulnerability in Microsoft
Windows LSASS. A description of the vulnerability can be found i
Korgo.E
This malware was reported by: F-Secure
This Korgo (aka Padobot) variant was found at the very end of
May, 2004. It is very similar to the Korgo.G variant that appeared
later. It spreads throughout the Internet using a vulnerability
in Microsoft Windows LSASS. A description of the vulnerability
Korgo.A
This malware was reported by: F-Secure
Korgo (aka Padobot) is a network worm written by the Russian
Hangup Team virus group. It spreads throughout the Internet using
a vulnerability in Microsoft Windows LSASS. A description of the
vulnerability can be found in Microsoft Security Bulletin
M
Bagle.M
This malware was reported by: F-Secure
Another new Bagle variant appeared on March 11th, 2004. This
variant drops a new Mitglieder proxy trojan variant on an
infected computer. Bagle.M does not have its own replication
routine, so it was most likely spammed using computers where proxy
troj
NetSky.Q
This malware was reported by: F-Secure
The Netsky.Q variant was discovered on March 29th, 2004.
This worm spreads in email using different exploits and
social engineering.
NetSky.Q performs a DDoS against several websites and makes
the infected computers beep randomly.
NetSky.P
This malware was reported by: F-Secure
NetSky.S
This malware was reported by: F-Secure
NetSky.S worm was discovered on April 4th, 2004. This variant has
a limited set of features compared to previous ones. It does not
spread to local network and P2P and does not uninstall Bagle
worm. The worm has a backdoor that listens on port 6789.
NetSky.T
This malware was reported by: F-Secure
NetSky.T worm was discovered on April 6th, 2004. This variant is
very close to the Netsky.S variant. Like the .S variant, it has a
limited set of features. The worm spreads in e-mails, but does
not spread to local network and P2P and does not uninstal
NetSky.U
This malware was reported by: F-Secure
NetSky.U worm was discovered on April 8th, 2004.
This variant is extremely close to the latest NetSky variants,
for example sharing up to approximately 94% of its code and features
with NetSky.S.
NetSky.V
This malware was reported by: F-Secure
NetSky.V worm was discovered late at night on April 14th, 2004.
Netsky.V does not send itself as an attachment but uses HTML
emails which exploit a vulnerability known as Microsoft Internet
Explorer XML Page Object Type Validation Vulnerability
(MS03-040
NetSky.W
This malware was reported by: F-Secure
NetSky.W worm variant was discovered on April 16th, 2004.
Although it has only just been discovered, this variant is much more similar to
NetSky.P or NetSky.Q than to any of the later variants. In fact, its structure
bears a striking resemblance to that o
NetSky.X
This malware was reported by: F-Secure
NetSky.Y
This malware was reported by: F-Secure
NetSky.Y worm was discovered late at night on April 20th, 2004. It
is similar to the Netsky.X variant found earlier during the same
day. It is repacked with PEpack. For more information on Netsky.X
see:
http://www.f-secure.com/v-descs/netsky_x.shtml
N
Bagle.W
This malware was reported by: F-Secure
Another new Bagle variant appeared on April 5th, 2004. It is very
similar to Bagle.O, Bagle.L and Bagle.M variants, but drops a slightly
different Mitglieder proxy trojan variant on an infected
computer. Bagle.W, like the previous .O, .L and .M variants doe
Bagle.X
This malware was reported by: F-Secure
A new Bagle variant appeared on April 19th, 2004. It is very
similar to the Bagle.W variant, but drops a slightly different Mitglieder
proxy trojan variant on an infected computer. Bagle.X, like the
previous variant does not have its own replication routine, s
TrojanClicker
This malware was reported by: F-Secure
Trojan Clicker (generic description)
Trojan Clicker is a trojan that remains resident in Windows
memory and constantly tries to connect to certain websites on
the Internet. This is done to fake visit counters for certain pages
in order to earn more money
TrojanDownloader
This malware was reported by: F-Secure
TrojanDropper
This malware was reported by: F-Secure
TrojanSpy
This malware was reported by: F-Secure
TrojanProxy
This malware was reported by: F-Secure
Proxy Trojan (generic description)
TrojanProxy is usually a standalone application that allows
remote hackers to use an infected computer as a proxy to connect
to the Internet. That way hackers can hide their original location
because the connection can
Plexus.A
This malware was reported by: Computer Associates
Win32.Plexus.A is a worm that spreads via e-mail using its own SMTP code. It is distributed as a 16,208-byte FSG-compressed Win32 executable.
Korgo.G
This malware was reported by: Computer Associates
Win32.Korgo.G is a worm that spreads by exploiting the Microsoft Windows LSASS buffer overflow vulnerability. It also opens a backdoor that allows unauthori
HacDef.B
This malware was reported by: Computer Associates
W32/Korgo-G
This malware was reported by: Sophos
W32/Korgo-G is a network worm using the LSASS exploit to propagate. When
executed the worm copies itself to the Windows system folder using a randomly
generated name and creates the following registry entry so that the worm
starts when a user logs
Troj/StartPa-AE
This malware was reported by: Sophos
Troj/StartPa-AE changes browser settings for Microsoft Internet Explorer each
time Windows is started.
Troj/StartPa-AE is simply a text file (typically named sysdll.reg) which can
be used as an input to Regedit to set the following registry entri
W32/Spybot-BZ
This malware was reported by: Sophos
W32/Spybot-BZ attempts to copy itself to CRCSSV.EXE in the Windows system
folder and creates entries in the registry at the following locations to run
itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\W
W32/Sdbot-DB
This malware was reported by: Sophos
W32/Sdbot-DB is a network worm and IRC backdoor Trojan which runs in the background as a service process and allows unauthorised remote access to the computer via IRC channels.
When executed W32/Sdbot-DB copies itself to the Windows System32 folder
W32/Agobot-JM
This malware was reported by: Sophos
W32/Agobot-JM is a member of the W32/Agobot family of network worms and backdoor Trojans that exploits a number of known vulnerabilities and is also able to function as an IRC bot.
For more information about these Windows vulnerabilities, please re
W32/Korgo-A
This malware was reported by: Sophos
W32/Korgo-A is a network worm using the LSASS exploit to propagate. When executed the worm copies itself to the Windows system folder using a randomly generated name and creates the following registry entry so that the worm starts when a user logs on:
W32/Korgo-D
This malware was reported by: Sophos
W32/Rbot-Y
This malware was reported by: Sophos
W32/Rbot-Y is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorised remote
access to the infected computer via IRC channels while running in the background as a service proces
W32/Dumaru-AK
This malware was reported by: Sophos
W32/Agobot-SG
This malware was reported by: Sophos
W32/Agobot-SG is a backdoor Trojan and network worm which can spread by copying itself to network shares with weak passwords and may attempt to
spread using the DCOM RPC and/or RPC locator vulnerabilities.
When first run, the worm/Trojan copies it
WORM_KORGO.H
This malware was reported by: Trendmicro
This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of an affected system. The said vulnerability is discussed in detail in the following pages:
WORM_PLEXUS.C
This malware was reported by: Trendmicro
This worm propagates via email, network shares, and the peer-to-peer network of Kazaa.
WORM_KORGO.E
This malware was reported by: Trendmicro
This worm is a member of the KORGO family of worms, which propagates by exploiting a buffer overrun vulnerability in the Windows LSASS (Local Security Authority Subsystem Service). This vulnerability is discussed in detail in the following pages:
WORM_PLEXUS.A
This malware was reported by: Trendmicro
This worm arrives via network shares. It takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability in Windows. Read more on this vulnerability from the following page:
WORM_KORGO.D
This malware was reported by: Trendmicro
This worm is a member of the KORGO family of worms, which propagates by exploiting a buffer overrun vulnerability in the Windows LSASS (Local Security Authority Subsystem Service). This vulnerability is discussed in detail in the following pages:
WORM_KORGO.F
This malware was reported by: Trendmicro
NOTE: This worm was previously detected as WORM_KORGO.D.
WORM_KORGO.G
This malware was reported by: Trendmicro
NOTE: This worm was previously detected as WORM_KORGO.F.
WORM_AGOBOT.SU
This malware was reported by: Trendmicro
This memory-resident worm spreads through network shares. It uses NetBEUI functions to get any available lists of user names and passwords. It then searches for shared folders and drops a copy of itself by using the gathered list.
W64_RUGRAT.A
This malware was reported by: Trendmicro
This file infector targets 64-bit systems. It infects 64-bit .EXE files by appending its code to the host PE (Portable Executable) file.
WORM_LAMUD.A
This malware was reported by: Trendmicro
This worm spreads via network shares. It searches for writeable network shares and drops a copy of itself in the root of the shared directories or in certain folders.
W32.Korgo.H
This malware was reported by: Symantec
W32.Korgo.H is a variant of W32.Korgo.F. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108), described in Microsoft Security Bulletin MS04-011. It uses TCP port 445 to do this.
W32.Korgo.
W32.Rainwash
This malware was reported by: Symantec
W32.Rainwash is a worm that propagates by copying itself to the Kazaa-shared folder. When the worm is executed, it displays the fake message, "Cannot find vbflash32.dll, program disrupted."
Trojan.Mitglieder.L
This malware was reported by: Symantec
Trojan.Mitglieder.L is a Trojan horse that allows a compromised system to be used as an email relay. Systems compromised in this way are often used to relay spam.
Trojan.Mitglieder.L also terminates processes associated with various antivirus and secur
Backdoor.Ducy
This malware was reported by: Symantec
Backdoor.Ducy is a backdoor Trojan horse that uses MSN Messenger to give an attacker access to your computer.
Trojan.Startpage.E
This malware was reported by: Symantec
Trojan.StartPage.E is a Trojan horse that:
Changes your Internet Explorer home page
Terminates security programs
Overwrites the Hosts file
VBS.Pub
This malware was reported by: Symantec
VBS.Pub is a VBScript file-infecting and mass-mailing worm. VBS.Pub infects the files that have the .asp, .hta, .htm, .htt, .html, .vbe, and .vbs file extensions.
The worm also uses Microsoft Outlook to send itself to everyone in the Microsoft Outlook
W32.Joot.A@mm
This malware was reported by: Symantec
W32.Joot.A@mm is a mass-mailing worm that attempts to send itself to the email addresses that it finds on the computer. It also attempts to spread using open shares and the peer-to-peer file-sharing networks Kazaa, iMesh, and Grokster.
The worm tries to
W32.Svoy.A@mm
This malware was reported by: Symantec
W32.Svoy.A@mm is a mass mailing worm that uses Mapi.dll to send itself to the email addresses that it finds on your computer.
The worm arrives in an email, with the subject line of "Message is not delivered" and a variable attachment name. The attachmen
W32.Gaobot.AOL
This malware was reported by: Symantec
W32.Gaobot.AOL is a worm that spreads through open network shares and several Windows vulnerabilities. The vulnerabilities are:
The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
W32.Dabber.B
This malware was reported by: Symantec
W32.Dabber.B is a variant of W32.Dabber.A. This worm propagates by exploiting a vulnerability in the FTP server component of W32.Sasser.Worm and its variants.
W32.Dabber.B is based on available exploit code. It installs a backdoor on infected hosts a
W32.Donk.R
This malware was reported by: Symantec
W32.Donk.R is a worm that propagates through open network shares. It attempts to spread by exploiting these vulnerabilities:
Microsoft DCOM RPC (as described in Microsoft Security Bulletin MS03-026).
Microsoft Windows LSASS Buffer Overrun Vulnerabilit
Backdoor.IRC.Aladinz.R
This malware was reported by: Symantec
Backdoor.IRC.Aladinz.R is a backdoor server that allows a remote attacker to obtain access to your computer. The backdoor server uses an mIRC client and client scripts to communicate with a remote attacker. It also creates a FTP server.
Backdoor.Nibu.G
This malware was reported by: Symantec
Backdoor.Nibu.G is a variant of Backdoor.Nibu.E that attempts to steal passwords and bank account information.
This Trojan is packed with FSG.
W32.Korgo.G
This malware was reported by: Symantec
W32.Korgo.G is a minor variant of W32.Korgo.C. It is a worm that attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) on TCP port 445. It also listens on TCP ports 113, 3067, and other random ports.
No
W32.Explet.A@mm
This malware was reported by: Symantec
W32.Explet.A@mm is a mass-mailing worm that:
Retrieves email addresses from files with .htm, .html, .php, .tbb, and .txt extensions, on all fixed drives from C through Y.
Uses its own SMTP engine to send itself to the email addresses it finds.
Spreads t
W32.Korgo.F
This malware was reported by: Symantec
Due to an increased rate of submissions, Symantec Security Response has upgraded this threat from a Category 2 to a Category 3 as of June 2, 2004.
W32.Korgo.F is a minor variant of W32.Korgo.E. It is a worm that attempts to propagate by exploiting th
W32.Shoes@mm
This malware was reported by: Symantec
W32.Shoes@mm is a mass-mailing worm that sends itself to contacts in the Microsoft Outlook address book. It also alters the Internet Explorer Start page.
W32.Shoes@mm is written in Visual Basic.
W32.Korgo.E
This malware was reported by: Symantec
W32.Korgo.E is a minor variant of W32.Korgo.D. This worm propagates by exploiting the LSASS vulnerability on TCP port 445 (as described in Microsoft Security Bulletin MS04-011). It also opens backdoors on TCP ports 113 and 3067.
W32.Korgo.E is compre
VBS.Yeno@mm
This malware was reported by: Symantec
VBS.Yeno@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in the Microsoft Outlook Address Book.
The email has the following characteristics:
Subject: Fw: give some ...
Attachment: Variable file name.
This worm als
W32.Korgo.D
This malware was reported by: Symantec
W32.Korgo.D is a minor variant of W32.Korgo.C. This worm propagates by exploiting the LSASS vulnerability on TCP port 445 (as described in Microsoft Security Bulletin MS04-011) and opens a backdoor on TCP ports 113 and 3067.
Note: Definitions dated b
W32.Netsup.A@mm
This malware was reported by: Symantec
W32.Netsup.A@mm is a mass-mailing worm that sends itself to addresses gathered from the Microsoft Outlook address book. The worm can also distribute itself through file-sharing networks.