Backdoor:Win32/Sdbot.OH is a backdoor Trojan that targets computers running certain versions of Microsoft Windows. The Trojan can spread by copying itself to network shares with weak passwords. The Trojan connects to an IRC server from the infected computer to receive commands from attackers.

Backdoor:Win32/Sdbot.RY is a backdoor Trojan that targets computers running certain versions of Microsoft Windows. The Trojan can spread by copying itself to network shares with weak passwords. The Trojan connects to an IRC server to receive commands from attackers.

Backdoor:Win32/Sdbot.SQ is a backdoor Trojan that targets computers running certain versions of Microsoft Windows. The Trojan can spread by copying itself to network shares with weak passwords. The Trojan connects to an IRC server to receive commands from attackers.

Backdoor:Win32/Sdbot.OI is a backdoor trojan that connects to an IRC server from an infected computer to allow unauthorized access to the computer. Attackers can send commands that include spreading the trojan to network shares using weak passwords and to other computers by exploiting certain Windows buffer-overrun vulnerabilities.

Backdoor:Win32/Sdbot.OM is a backdoor Trojan that targets computers running certain versions of Microsoft Windows. The Trojan connects to an IRC server from an infected computer to allow unauthorized access to the computer. Attackers can then send commands that include spreading the Trojan to network shares by trying weak passwords and to other computers by exploiting certain Windows buffer overrun vulnerabilities.

Backdoor:Win32/Ryknos.A is a backdoor Trojan that targets computers running certain versions of Microsoft Windows. The Trojan opens a backdoor on the infected computer to receive commands from attackers. If the rootkit VirTool:WinNT/F4IRootkit is already installed on the target computer, the Trojan uses the rootkit to hide.

Backdoor:Win32/Ryknos.B is a backdoor Trojan that targets computers running certain versions of Microsoft Windows. The Trojan opens a backdoor on the infected computer to receive commands from attackers. If the rootkit VirTool:WinNT/F4IRootkit is already installed on the target computer, the Trojan uses the rootkit to hide.

Backdoor:Win32/Kyzbot.A is a trojan that allows an attacker to control your computer remotely via an Internet Relay Chat (IRC) channel.

Backdoor:Win32/Ginwui.B is a Trojan dropper that installs a backdoor and rootkit on impacted systems. 

 

Backdoor:Win32/Ginwui.B was initially discovered being dropped and executed by Exploit:Win32/Wordjmp, an exploit targeting Microsoft Word 2002 and 2003. For details regarding Exploit:Win32/Wordjmp, see:

http://www.microsoft.com/security/encyclopedia/details.aspx?Name=Exploit:Win32/Wordjmp

 

Details and mitigation techniques for the exploit are described in Microsoft Security Advisory 919637, which can be viewed at: http://www.microsoft.com/technet/security/advisory/919637.mspx 

Backdoor:Win32/IRCbot.R is a backdoor Trojan that listens via pre-defined IRC channels, responding to commands from remote attackers. Backdoor:Win32/IRCbot.R registers itself as a service using the name "Windows Genuine Validation Notification", presumably in an attempt to masquerade as a legitimate Microsoft Windows component. Backdoor:Win32/IRCbot.R lowers security settings on the infected computer, possibly leaving the system vulnerable to further compromise.

Update: This threat has been renamed [URL]Backdoor:Win32/Mocbot.A.

 

Backdoor:Win32/Graweg.A is an IRC Trojan that connects to an IRC channel and awaits commands from remote attackers. When instructed, Backdoor:Win32/Graweg.A begins searching the local network for systems which have not yet applied the Microsoft Windows Server Service security patch described in Microsoft Security Bulletin MS06-040. The Trojan also includes the ability to send messages via AOL Instant Messenger (AIM) and ICQ. The exploit code used by Backdoor:Win32/Graweg.A is only effective against un-patched systems running Windows 2000. However, the Trojan can still infect patched versions of Windows 2000 and other Windows operating systems by means other than exploit. For example, Backdoor:Win32/Graweg.A could be distributed as an e-mail attachment, or a link to the Trojan could be sent to e-mail or AIM recipients.

 

Backdoor:Win32/Graweg.A may lower security settings on infected systems and allows the system to be used for nefarious purposes, such as launching a Denial of Service (DoS) attack against others. Backdoor:Win32/Graweg.A includes the ability to download other files, thus the Trojan could update its functionality or download additional malicious software to infected systems.

 

Backdoor:Win32/Graweg.A has been assigned CME ID 482 and will be detected by Microsoft as

Update: This threat has been renamed Backdoor:Win32/Mocbot.A.

 

Backdoor:Win32/Graweg.B is an IRC Trojan that connects to an IRC channel and awaits commands from remote attackers. When instructed, Backdoor:Win32/Graweg.B begins searching the local network for systems which have not yet applied the Microsoft Windows Server Service security patch described in Microsoft Security Bulletin MS06-040. The Trojan also includes the ability to send messages via AOL Instant Messenger (AIM) and ICQ. The exploit code used by Backdoor:Win32/Graweg.B is only effective against un-patched systems running Windows 2000. However, the Trojan can still infect patched versions of Windows 2000 and other Windows operating systems by means other than exploit. For example, Backdoor:Win32/Graweg.B could be distributed as an e-mail attachment, or a link to the Trojan could be sent to e-mail or AIM recipients.

 

Backdoor:Win32/Graweg.B may lower security settings on infected systems and allows the system to be used for nefarious purposes, such as launching a Denial of Service (DoS) attack against others. Backdoor:Win32/Graweg.B includes the ability to download other files, thus the Trojan could update its functionality or download additional malicious software to infected systems.

 

Backdoor:Win32/Graweg.B has been assigned CME ID 762 and will be detected by Microsoft as

Backdoor:Win32/Tuesoy.A is a backdoor Trojan that may be dropped by TrojanDropper:Win32/Tuesoy.A.

 

TrojanDropper:Win32/Tuesoy.A exploits the vulnerability described in Microsoft Security Bulletin MS06-047.

Backdoor:Win32/Mocbot.A is an IRC trojan that connects to an IRC channel and awaits commands  from remote attackers. When instructed, Backdoor:Win32/Mocbot.A begins searching the local network for systems which have not yet applied the Microsoft Windows Server service security patch described in Microsoft Security Bulletin MS06-040. The trojan also includes the ability to send messages via AOL Instant Messenger (AIM) and ICQ.

 

The exploit code used by Backdoor:Win32/Mocbot.A is only effective against un-patched systems. The trojan can still infect patched versions of Windows by means other than exploit. For example,  Backdoor:Win32/Mocbot.A could be distributed as an e-mail attachment, or a link to the trojan could be sent to e-mail or AIM recipients.

 

Backdoor:Win32/Mocbot.A may lower security settings on infected systems and allows the system to be used for nefarious purposes, such as launching a denial of service (DoS) attack against others. Backdoor:Win32/Mocbot.A includes the ability to download other files, thus the trojan could update its functionality or download additional malicious software to infected systems.

 

Backdoor:Win32/Mocbot.A has been assigned CME ID 482 and will be detected by Microsoft as Backdoor:Win32/Mocbot.A!CME-482.

Update: This threat was originally detected as Backdoor:Win32/Graweg.B.

 

Backdoor:Win32/Mocbot.B is an IRC Trojan that connects to an IRC channel and awaits commands from remote attackers. When instructed, Backdoor:Win32/Mocbot.B begins searching the local network for systems which have not yet applied the Microsoft Windows Server Service security patch described in Microsoft Security Bulletin MS06-040. The Trojan also includes the ability to send messages via AOL Instant Messenger (AIM) and ICQ. The exploit code used by Backdoor:Win32/Mocbot.B is only effective against un-patched systems running Windows 2000. However, the Trojan can still infect patched versions of Windows 2000 and other Windows operating systems by means other than exploit. For example, Backdoor:Win32/Mocbot.B could be distributed as an e-mail attachment, or a link to the Trojan could be sent to e-mail or AIM recipients.

 

Backdoor:Win32/Mocbot.B may lower security settings on infected systems and allows the system to be used for nefarious purposes, such as launching a Denial of Service (DoS) attack against others. Backdoor:Win32/Mocbot.B includes the ability to download other files, thus the Trojan could update its functionality or download additional malicious software to infected systems.

 

Backdoor:Win32/Mocbot.B has been assigned CME ID 762 and will be detected by Microsoft as