1. Backdoor.Lavandos.A
...ge.php?query=249D9E66C4923FA7&hl=9&n=mozilla&do=index&client=a7&article=a8&id=unknown HTTP/1.1
- GET /vito/page.php?client=unknown&id=249D9E66C4923FA7&n=a3&var=a7&article=9&key=mozilla HTTP/1.1
- GET /vito/page.php?u...
2. Backdoor.IRCBot.Dorkbot.A
...e looked for in the URL string and in the optional data. The goal is to retrieve the login information of some accounts (first string is searched in the URL string, second string in the optional data, third string is the target account):
- "*paypal...
3. Win32.Worm.Korgo.R
...he presence of "ID" string; if it doesn't exist it is initialized with a string of 13 to 20 random characters. Then it checks for "Windows Update" string in "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" key and if it doesn't exis...
4. Win32.Worm.Korgo.P
...he presence of "ID" string; if it doesn't exist it is initialized with a string of 10 to 20 random characters. Then it checks for "Windows Update" string in "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" key and if it doesn't exis...
5. Win32.Yahaa.D@mm
... xxxx is the randomly generated string from above. It will also drop a file xxxx.txt in the Windows directory, where xxxx is the same string as above. This file contains a text written by the author. Finally the worm checks to see if the host computer is connected to th...
6. Win32.Evaman.C@mm (Win32.Linort.A@mm)
...s if they contain certain sub-strings, in which case the process is killed. These sub-strings are: uba, mc, Mc, av, AV, cc, sym, Sym, nv, can, scn, java, xp.exe, ecur, nti, erve, sss, iru, ort, SkyNet and KV. Then it checks some registry key marks, to see if this...
7. Win32.Yahaa.P@mm/Q@mm
...mmer auTHoR * inDIan haCKeRs & VXeRs * inDiAn s0 caLLeD IT eXpeRTs * pe0pLeS wh0 fiGHt agAINsT coRRupti0n ( i guEss itS alm0st NULL ) * aLL mEmbERs of iNDiAn sNAKeS * t0 mY bEsT friENd thIs iS a waR beTweeN inDia & paK hAckeRS.. n0 c0untrY shouLD gEt inVol...
8. Win32.Netsky.S@mm
...achment data.
Most of the strings used by the worm are encrypted using a translation table for A-Z and a-z characters.
It searches drives C: through Z:, skipping DVD/CD-ROM drives, looking in specific file types for suitable email addresses, but only up to ...
9. Win32.Moe.A@mm
...ent the file infector part searches the Windows directory for a file with a name randomly generated from the following string: leginolasoPeyeguiEsmtpeglAdklityghbcxskalBxvqe (e.g. legin.exe, egino.exe, uiEsm.exe, etc.). If it finds it, it executes tha...
10. Win32.Atak.B@mm
..." There is also another string - an encrypted one - discovered in both versions, namely: "Developed by Melhacker(TM) for personal research only." The string was found at offset 0xA238 (41528) in the unpacked file: The encryption is weak: all bit...