W32.Antinny.Q
This malware was reported by: Symantec
W32.Antinny.Q is a variant of W32.HLLW.Antinny, a worm that propagates through a Japanese file-sharing application called Winny. This variant attempts to delete files on the root of the C: drive and steal personal information.
BAT.Sebak
This malware was reported by: Symantec
BAT.Sebak is a Trojan that drops VBS.Tante.A@mm, displays a message, and disables certain functions on the computer.
VBS.Krim.G@mm
This malware was reported by: Symantec
Backdoor.Mtron
This malware was reported by: Symantec
Backdoor.Mtron is a backdoor Trojan that records financial activity and sends it to a remote attacker using IRC. It also gives the attacker the ability to download and run files on the infected computer.
Trojan.StartPage.C
This malware was reported by: Symantec
Trojan.StartPage.C is a variant of Trojan.StartPage. It changes the Internet Explorer home page to www.okww.net.
It is packed with UPX.
W32.Gaobot.FO
This malware was reported by: Symantec
W32.Gaobot.FO is a variant of W32.HLLW.Gaobot that attempts to spread through network shares and allows access to an infected computer through an IRC channel.
The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (des
W32.Gaobot.RB
This malware was reported by: Symantec
W32.Gaobot.RB is a variant of W32.HLLW.Gaobot that attempts to spread to network shares. It allows access to an infected computer through an IRC channel.
The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (descri
W32.Kibuv.D
This malware was reported by: Symantec
W32.Kibuv.D is a worm that attempts to spread itself through IRC, FTP, and by exploiting vulnerabilities.
Plexus.B
This malware was reported by: Panda Software
Plexus.B is a worm that spreads through different means: Through the Internet by exploiting the RPC DCOM and LSASS vulnerabilities in remote computers. The RPC DCOM vulnerability is critical for Windows 2003/XP/2000/NT computers that are not properly upda
Gaobot.WQ
This malware was reported by: Panda Software
Korgo.G
This malware was reported by: Panda Software
Korgo.G is a worm that spreads via the Internet by exploiting the LSASS vulnerability in remote computers. This vulnerability is critical for Windows XP/2000 operating systems that are not properly updated. Korgo.G opens several TCP ports and listens to t
Plexus.A
This malware was reported by: Panda Software
Plexus.A is a worm that spreads through different means: Through the Internet by exploiting the RPC DCOM and LSASS vulnerabilities in remote computers. The RPC DCOM vulnerability is critical for Windows 2003/XP/2000/NT computers that are not properly upda
Korgo.F
This malware was reported by: Panda Software
Korgo.F is a worm that spreads via the Internet by exploiting the LSASS vulnerability in remote computers. This vulnerability is critical for Windows XP/2000 operating systems that are not properly updated. Korgo.F opens several TCP ports and listens to t
Korgo.E
This malware was reported by: Panda Software
Korgo.E is a worm that spreads via the Internet by exploiting the LSASS vulnerability in remote computers. This vulnerability is critical for Windows XP/2000 operating systems that are not properly updated. Korgo.E opens several TCP ports and listens to t
Korgo.D
This malware was reported by: Panda Software
Korgo.D is a worm that spreads via the Internet by exploiting the LSASS vulnerability in remote computers. This vulnerability is critical for Windows XP/2000 operating systems that are not properly updated. Korgo.D opens several TCP ports and listens to t
Cult.J
This malware was reported by: Panda Software
Cult.J is a worm that goes memory resident and attempts to connect to a specific channel of an IRC server. If successful, it allows a remote user to carry out the following actions, among others, in the affected computer: - Launch flooding attacks. - S
Protoride.gen
This malware was reported by: Panda Software
Protoride.gen is not a specific worm, but a generic detection for future variants of the Protoride family. This group of worms has the following common characteristics: They spread across networks, by copying themselves to the shared resources
Acculoader.A
This malware was reported by: Panda Software
Keylog-Dingxa
This malware was reported by: Network Associates Inc
LogOff
This malware was reported by: Network Associates Inc
Korgo.H
This malware was reported by: F-Secure
This Korgo (aka Padobot) variant was found in the beginning of
June, 2004. It is very similar to the previous Korgo variants. It
spreads throughout the Internet using a vulnerability in
Microsoft Windows LSASS. A description of the vulnerability can
b
W32/Spybot-CC
This malware was reported by: Sophos
W32/Spybot-CC is a backdoor Trojan and worm which spreads via file sharing on
Kazaa P2P networks and by copying itself to network shares that have weak
password protection on the $ADMIN share.
When first run W32/Spybot-CC copies itself to the Win
W32/Spybot-CG
This malware was reported by: Sophos
W32/Spybot-CG is a Windows worm that spreads via filesharing networks.
In order to run automatically when Windows starts up the worm copies itself to
the file Winhub.exe in the Windows system folder and creates the following
registry entries:
W32.Korgo.I
This malware was reported by: Symantec
W32.Korgo.I is a variant of W32.Korgo.F. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 3067,
W32/Korgo.worm.i
This malware was reported by: Network Associates Inc
This self-executing worm spreads by exploiting a Microsoft Windows vulnerability:
MS04-011 vulnerability (CAN-2003-0533) http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
The worm spreads with a random filename and acts
W32/Korgo-H
This malware was reported by: Sophos
W32/Korgo-H is a member of the W32/Korgo family of network worms that propagates using the LSASS exploit (TCP port 445).
For details see the MS04-011 Microsoft Security Bulletin.
When executed W32/Korgo-H copies itself to the Windows system fold
Trojan.Dingsta.A
This malware was reported by: Symantec
Trojan.Dingsta.A is a keylogger that tries to log keystrokes that are typed in open Web browser windows. Then, it sends the captured keystrokes to a predefined Web site.
Note: Virus definitions released on June 3, 2004 detect this threat as Backdoor.Tro
MS Vulnerabilities MS04-016 - 017
This malware was reported by: Network Associates Inc
Montp
This malware was reported by: F-Secure
The Montp spying trojan was first discovered in April 2004. The last
variant, Montp.F, was found on 6-7th of June 2004.
The Montp trojan has powerful spying features: it collects
information from users of numerous on-line banks and sends
collected data to
Korgo.I
This malware was reported by: Computer Associates
Win32.Korgo.I is a worm that spreads by exploiting the Microsoft Windows LSASS buffer overflow vulnerability. It also opens a backdoor that allows unauthori
Guzu.B
This malware was reported by: Computer Associates
Win32.Guzu.B is a trojan that acts as a SOCKS proxy on affected machines.
Dismowbot.A
This malware was reported by: Computer Associates
Win32.Dismowbot is an IRC-controlled backdoor trojan that allows unauthorized access to and control of an affected machine.
Dismowbot
This malware was reported by: Computer Associates
Win32.Dismowbot is a family of IRC-controlled backdoor trojans that allow unauthorized access to and control of a compromised system. Variants of this famil
ObjectDataHTA
This malware was reported by: Computer Associates
BackDoor-AET
This malware was reported by: Network Associates Inc
W32/Rbot-AA
This malware was reported by: Sophos
W32/Rbot-AA is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorised remote
access to the infected computer via IRC channels while running in the
background as a service proc
Downloader.GK
This malware was reported by: Panda Software
Downloader.GK is a Trojan that downloads and runs the following adware programs on the affected computer: Adware/BetterInet, Adware/SearchCentrix. Downloader.GK is downloaded to the computer when the user accesses certain web pages and accepts to install an
Qhost
This malware was reported by: F-Secure
Several malicious programs, for example Agobot backdoor, modify
Windows HOSTS file to block access to websites and update servers
of several anti-virus companies. As a result, websites of
anti-virus vendors become inaccessible and anti-virus programs
WORM_RBOT.AF
This malware was reported by: Trendmicro
W32/Agobot-JP
This malware was reported by: Sophos
W32/Agobot-JP is a backdoor Trojan and worm which spreads to computers
protected by weak passwords.
When first run, W32/Agobot-JP moves itself to the Windows system folder as
windns32.exe and creates the following registry entries to run itself o
W32/Bagle-Zip
This malware was reported by: Sophos
Sophos Anti-Virus detects as W32/Bagle-Zip the password-protected archive files created by W32/Bagle-F, W32/Bagle-G, W32/Bagle-H, W32/Bagle-I, W32/Bagle-J, W32/Bagle-K (ZIP archives), W32/Bagle-N, W32/Bagle-O (ZIP and RAR archives), W32/Bagle-W and W
W32/Korgo-I
This malware was reported by: Sophos
Trojan.Gletta.A
This malware was reported by: Symantec
Trojan.Gletta.A is a Trojan horse that steals Internet banking passwords. It logs keystrokes when you visit certain Web pages and emails the log to the attacker.
Web pages that link to .CHM files to exploit the Microsoft Internet Explorer ITS Protocol Z
VBS_PUB.A
This malware was reported by: Trendmicro
This malicious Visual Basic (VB) script spreads via email. It does this by gathering email addresses and sending a copy of itself using Messaging Application Program Interface.
X97M.Crex
This malware was reported by: Symantec
X97M.Crex is a macro virus that infects Microsoft Excel 97 (and later) spreadsheets. If the system date is greater than January 2, 2004, it will attempt to remove the component, "universelle."
Backdoor.Berbew.E
This malware was reported by: Symantec
Backdoor.Berbew.E is a backdoor Trojan horse that gives an attacker access to your computer. The Trojan opens TCP ports 23232 and 32121, by default.
This Trojan is packed with MPPEC.
W32.Tubty.A@mm
This malware was reported by: Symantec
W32.Tubty.A@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all the contacts in the Windows Address Book. The email has the subject: "MESSAGE_ID:" and the attachment is "photos.exe."
W32.Gaobot.AQS
This malware was reported by: Symantec
W32.Gaobot.AQS is a worm that spreads through open network shares and several Windows vulnerabilities including:
The DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The WebDav Vulnerability (described i
W32.Kobot.A
This malware was reported by: Symantec
W32.Kobot.A is a worm that spreads through open network shares, telnet, dameware, realserv, VNC, and niprint. This worm also uses three remotely exploitable Windows vulnerabilities to propagate.
The worm can also function as an email relay and as a pr
Nuke-Nukeit.gen
This malware was reported by: Network Associates Inc
JS/Dismissed.gen
This malware was reported by: Network Associates Inc
For details on this threat see:
http://vil.nai.com/vil/content/v_100548.htm
W32/Sdbot.worm
This malware was reported by: Network Associates Inc
Pub
This malware was reported by: Computer Associates
W32/Agobot-JX
This malware was reported by: Sophos
W32/Agobot-JX is a backdoor Trojan and worm which spreads to computers
protected by weak passwords and to computers infected with variants of
W32/MyDoom.
When first run, W32/Agobot-JX moves itself to the Windows system folder as
wupdate.exe and
Siboco.A
This malware was reported by: Panda Software
Exploit-SMBAdde
This malware was reported by: Network Associates Inc
W32/Agobot-JT
This malware was reported by: Sophos
W32/Agobot-JT is a backdoor worm which runs in the background as a
system process and allows unauthorised remote access to the computer.
The worm copies itself to the Windows system folder as NAVAPSVC.EXE and adds entries to the registry at
HKL
Korgo.I
This malware was reported by: Panda Software
Korgo.I is a worm that spreads via the Internet by exploiting the LSASS vulnerability in remote computers. This vulnerability is critical for Windows XP/2000 operating systems that are not properly updated. Korgo.I opens several TCP ports and listens to t
Korgo.H
This malware was reported by: Panda Software
Korgo.H is a worm that spreads via the Internet by exploiting the LSASS vulnerability in remote computers. This vulnerability is critical for Windows XP/2000 operating systems that are not properly updated. Korgo.H opens several TCP ports and listens to t
Downloader-LB
This malware was reported by: Network Associates Inc
W32/Agobot-JW
This malware was reported by: Sophos
W32/Agobot-JW is a worm which spreads to network shares with weak passwords. The worm also includes backdoor functions which can be controlled over IRC by a remote attacker.
When first run the worm copies itself to neroasm.exe in the Windows syste
Crash Pentium
This malware was reported by: Network Associates Inc
VBS/Pub
This malware was reported by: Network Associates Inc
On executing the infected file, the virus will copy itself to the %WINDOWS% folder as Pubrn.vbs. The case of the filename may change, e.g. PuBrN.vBs.
VBS/Pub is an encrypted appending virus. The virus will append itself to all files fou
VBS/Pub-A
This malware was reported by: Sophos
VBS/Pub-A is a polymorphic mass-mailing virus.
On the 6th, 13th, 21st or 28th of the month VBS/Pub-A will attempt to delete all files on fixed and remote (networked) drives of the computer.
On other days the virus will attempt to append its code
W32/Agobot-XX
This malware was reported by: Sophos
W32/Agobot-XX is capable of spreading to computers on the local network
protected by weak passwords.
When first run W32/Agobot-XX copies itself to the Windows system folder as
dmrss.exe and creates the following registry entries to run itself on
PE_ZAFI.B
This malware was reported by: Trendmicro
Upon execution, this memory-resident worm drops copies of itself in the Windows system folder as follows:
Exploit-MhtRedir.gen
This malware was reported by: Network Associates Inc
JS/Exploit-DialogArg.b
This malware was reported by: Network Associates Inc
BackDoor-AXJ.htm
This malware was reported by: Network Associates Inc
JS/Exploit-DialogArg
This malware was reported by: Network Associates Inc
W32/Sdbot.worm.gen.i
This malware was reported by: Network Associates Inc
Due to the large volume of members of this virus family, the size of extra.dats required to detect these is very large. AVERT have therefore split the detection into multiple drivers although the behaviour of all members is broadly similar.
Wessy
This malware was reported by: Computer Associates
Win32.Wessy is a trojan which attempts to steal online banking details. Reports from the wild show that the original infection vector was via a spam message
Korgo.P
This malware was reported by: Computer Associates
Win32.Korgo.P is a worm that spreads by exploiting the Microsoft Windows LSASS buffer overflow vulnerability. It also opens a backdoor that allows unauthori
W32.Sasser.G
This malware was reported by: Symantec
W32.Sasser.G has been renamed to W32.Sasser.E.Worm. For further details on this worm, please refer to the information provided on the W32.Sasser.E.Worm threat page.
W32/Rbot-AE
This malware was reported by: Sophos
W32/Rbot-AE is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorised remote
access to the infected computer via IRC channels while running in the
background as a service proc
W32/Pam.worm
This malware was reported by: Network Associates Inc
This detection is for a floppy worm written in Delphi. The virus disguises itself using a JPEG file icon.
When run on the victim machine the worm installs itself into the %SYSDIR% directory.
For example: C:WindowsSystem32ScanregW
W32/Sasser.worm.e
This malware was reported by: Network Associates Inc
-- Update June 11th 2004 --
A slightly modified version of this variant has been reported. The file size is 15,873 bytes (+1 from original e variant). This sample is detected and cleaned as W32/Sasser.worm.e with the 4359 DATs or greate
Zafi.B
This malware was reported by: F-Secure
A new variant of Zafi worm - Zafi.B is spreading. While the
original Zafi.A uses only Hungarian, the new Zafi.B spreads in
email in English, Italian, Spanish, Russian, Swedish etc.
The worm sends itself in emails mostly as .pif attachment and in
rare
W32/Zafi.b@MM
This malware was reported by: Network Associates Inc
Troj/Sober-H
This malware was reported by: Sophos
Troj/Sober-H emails messages in German to addresses found in files on the hard disk. The Trojan searches for email addresses in files whose names contain the following strings:
pmr stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cg
W32/Zafi-B
This malware was reported by: Sophos
W32.Erkez.B@mm
This malware was reported by: Symantec
W32.Erkez.B@mm is a mass-mailing worm that sends itself to the email addresses found on an infected computer.
This threat is compressed with FSG.
Note: The worm has an MD5 value of 0Xd922c0c380fe85c0341b53672a7d7253.
Downloader-KL
This malware was reported by: Network Associates Inc
DDoS-Boxed
This malware was reported by: Network Associates Inc
Downloader-KY
This malware was reported by: Network Associates Inc
BackDoor-CFG
This malware was reported by: Network Associates Inc
Sober.H
This malware was reported by: F-Secure
Zafi.B
This malware was reported by: Computer Associates
Win32.Zafi.B is a worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. It is a 12,800-byte, FSG-packed
WORM_SOBER.H
This malware was reported by: Trendmicro
Trojan.Ascetic.A
This malware was reported by: Symantec
W32.Sober.H@mm
This malware was reported by: Symantec
W32/Sober.h
This malware was reported by: Network Associates Inc
W32/Sober.gen@MM
This malware was reported by: Network Associates Inc
-- Update 13th June 2004 --
W32/Sober.h is proactively detected as W32/Sober.gen@MM since the 4349 DATs and 4.3.20 engine (with scanning of compressed files enabled).
--
This is a generic detection for W32/Sober variants. To obta
Zafi.B
This malware was reported by: Panda Software
Zafi.B is a worm that looks for directories in which antivirus programs are installed. If successful, Zafi.B overwrites the executable files with copies of itself. By doing so, the user will be unprotected against the attack of other malware. So whenever
W32/Plexus.a@MM
This malware was reported by: Network Associates Inc
W32/Spybot-CO
This malware was reported by: Sophos
W32/Spybot-CO is a P2P worm that spreads via the KaZaA file sharing network.
In order to be run automatically on system startup, the worm copies itself to
a file named AUGMSG.EXE in the Windows system folder and sets the following
registry entrie
W32/Dansh.worm!irc
This malware was reported by: Network Associates Inc
This detection is for an IRC bot that is intended to propagate via various mechanisms.
Once running on the victim machine, the bot attempts to connect to a remote IRC server, and join a specific channel. Once connected, the bot is able to a
WORM_SDBOT.FO
This malware was reported by: Trendmicro
W32.Paps.A@mm
This malware was reported by: Symantec
W32.Paps.A@mm is a mass-mailing worm that sends itself as an attachment to the email addresses that it finds on your computer. The email will have a variable subject and file attachment. The attachment will have a .exe file extension.
This threat is wri
Gaobot.XW
This malware was reported by: Panda Software
Gaobot.XW is a worm with backdoor characteristics that affects Windows 2003/XP/2000/NT computers only. Gaobot.XW exploits the LSASS and RPC DCOM vulnerabilities to spread to as many computers as possible. Gaobot.XW also spreads by attempting to copy itsel