953 entries found. Displaying page 29 of 48.
Updated on Jul 20, 2004
Win32/Randex.H is a network worm that targets computers running certain versions of Microsoft Windows. The worm attempts to spread by randomly scanning IP addresses for computers that do not have Microsoft Security Bulletin MS03-026 installed or for writeable network shares with weak passwords. The worm also drops a backdoor proxy Trojan that acts as an HTTP proxy that allows attackers to access the infected computer.
Alert level: severe
Updated on Nov 22, 2004
Backdoor:Win32/Rbot.BG is a backdoor Trojan that connects to an IRC server to receive commands from remote attackers. Commands could include instructions to spread to other computers via open network shares or by exploit of a security vulnerability, or to launch a denial of service (DoS) attack against specified targets.
Alert level: severe
Updated on Dec 23, 2004
Backdoor:Win32/Rbot.CB is a backdoor Trojan that connects to an IRC server to receive commands from remote attackers. Commands could include instructions to spread to other computers via open network shares or by exploit of a security vulnerability, or to launch a denial of service (DoS) attack against specified targets.
Alert level: severe
Updated on Mar 08, 2005
Backdoor:Win32/Rbot.EZ is a backdoor Trojan that runs in the background, gathers software installation and computer configuration details, and connects to an IRC server to receive commands from remote attackers. Commands could include instructions to spread to other computers via open network shares or by exploit of a security vulnerability, or to launch a denial of service (DoS) attack against specified targets.
Alert level: severe
Updated on Mar 23, 2005
Backdoor:Win32/Rbot.FS is a backdoor Trojan that runs in the background, gathers software installation and computer configuration details, and connects to an IRC server to receive commands from remote attackers. Commands could include instructions to spread to other computers via open network shares or by exploit of a security vulnerability, or to launch a denial of service (DoS) attack against specified targets.
Alert level: severe
Updated on May 26, 2005
Win32/Lovgate.V@mm is a mass-mailing worm that targets computers running certain versions of Microsoft Windows. The worm spreads by sending itself as an e-mail attachment and by copying itself to writeable network shares. The worm opens a backdoor that allows attackers to access and control the infected computer.
Alert level: severe
Updated on Nov 01, 2005
Worm:Win32/Kelvir.CD is an instant messaging worm that spreads by sending a message to the user's MSN Messenger or Windows Messenger contacts. The message contains a link that points to a copy of the worm.
Alert level: severe
Updated on Dec 07, 2006
Win32/Bugbear.B@mm is a mass-mailing e-mail worm that also spreads via unprotected network shares. E-mail messages used by the Win32/Bugbear.B@mm worm may use the vulnerability mentioned in Microsoft Security Bulletin MS01-020, Incorrect MIME Header Can Cause IE to Execute E-mail Attachment, to run automatically on some computers when an infected e-mail is viewed. Win32/Bugbear.B@mm also includes a file infecting component and opens an unsecured backdoor on TCP port 1080.
Alert level: severe
Updated on Mar 02, 2007
Trojan:Win32/Alureon.B is a trojan that may help an attacker intercept inbound and outbound Internet traffic from the host computer. This may allow an attacker to capture confidential information such as user names, passwords, and credit card data. The trojan may also enable an attacker to transmit malicious data to the infected computer. Trojan:Win32/Alureon.B may modify DNS settings on the host computer to enable the attacker to perform malicious tasks. Therefore it may be necessary to reconfigure DNS settings after the trojan is removed from the computer.
Alert level: severe
Updated on Mar 02, 2007
Trojan:Win32/Alureon.E is a trojan that modifies DNS settings on the host computer. The altered DNS settings may enable an attacker to intercept inbound and outbound Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The modified DNS settings may also enable an attacker to transmit malicious data to the infected computer. Because the trojan modifies DNS settings on the computer, it may be necessary to reconfigure those settings after the trojan is removed from the computer.
Alert level: severe
Updated on Mar 08, 2007
Win32/Wowstealer.A@mm is a mass-mailing e-mail worm that targets the account credentials used to access the World of Warcraft online game. Win32/Wowstealer.A@mm lowers the security settings in Microsoft Outlook Express that would normally prevent accidental opening of executable e-mail attachments.
Alert level: severe
Updated on Mar 09, 2007
PWS:Win32/Cimuz.C is a password stealing Trojan that installs itself as a Browser Helper Object (BHO) in Microsoft Internet Explorer. The Trojan monitors Web traffic for sites related to certain German banks. When these sites are visited, PWS:Win32/Cimuz.C begins logging keystrokes and attempts to send that log to a remote Web site. The Trojan also attempts to download a file from a remote Web site.
Alert level: severe
Updated on Apr 16, 2007
Exploit:Win32/Siveras.B is a detection for specific known malware used to exploit a vulnerability in the Domain Name System (DNS) Server Service. This vulnerability impacts Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2.
Note that exploitation of the vulnerability may not be file-based, or the malicious files might be removed by the attacker after successful exploitation. For vulnerability details, workarounds, and patch information, please refer to Microsoft Security Advisory (935964).
Alert level: severe
Updated on May 09, 2007
TrojanSpy:Win32/VBStat.E collects details about the system it was executed on and sends those details to a remote IP address hosted in the Netherlands.
Alert level: severe
Updated on May 23, 2007
VirTool:WinNT/Mactu.A is a kernel-mode Trojan rootkit that hides files on an infected machine.
Alert level: severe
Updated on Jul 18, 2007
Worm:Win32/Brontok.BU@mm is a mass-mailing e-mail worm that spreads by sending a copy of itself as an e-mail attachment to e-mail addresses that it gathers from files on the infected computer. Worm:Win32/Brontok.BU@mm can also copy itself to USB and pen drives. This worm can disable antivirus and security software, immediately terminate certain applications, and cause Windows to restart immediately when certain applications run. This worm may conduct denial of service (DoS) attacks against certain Web sites.
Alert level: severe
Updated on Aug 24, 2007
TrojanSpy:Win32/Monstres is a Trojan that steals data and sends the captured credentials to a remote web site. TrojanSpy:Win32/Monstres also attempts to inhibit its removal, and the removal of related malware and components.
Alert level: severe
Updated on Aug 28, 2007
Backdoor:Win32/Sdbot.ZC is a backdoor Trojan that allows an attacker to take control of an infected computer. When a computer is infected, the Trojan connects to an Internet Relay Chat (IRC) server and joins a channel in order to receive commands from the controlling attacker. These commands can instruct the Trojan to perform a number of different actions, including downloading and installing additional components and spreading to other computers via MSN Messenger.
Alert level: severe
Updated on Aug 29, 2007
Trojan:Win32/Tibs.DV is a Trojan that allows unauthorized access to an infected computer. The Trojan receives commands indirectly from a remote attacker via its connection to a malicious peer-to-peer network. This Trojan also contains advanced stealth functionality that allows it to hide particular files, folders and processes.
Alert level: severe
Updated on Aug 30, 2007
Backdoor:Win32/Rbot!D195 is a backdoor Trojan that runs in the background, gathers software installation and computer configuration details, and connects to an IRC server to receive commands from remote attackers. Commands could include instructions to spread to other computers via open network shares or by exploit of a security vulnerability, or to launch a denial of service (DoS) attack against specified targets. Backdoor:Win32/Rbot!D195 may arrive
Alert level: severe