Vulnerability in Server Service Could Allow Remote Code Execution (958644)

Affected and Non-Affected Software

The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software

Operating System
Maximum Security Impact
Aggregate Severity Rating
Bulletins Replaced by this Update

Microsoft Windows 2000 Service Pack 4

Remote Code Execution

Critical

MS06-040

Windows XP Service Pack 2

Remote Code Execution

Critical

MS06-040

Windows XP Service Pack 3

Remote Code Execution

Critical

None

Windows XP Professional x64 Edition

Remote Code Execution

Critical

MS06-040

Windows XP Professional x64 Edition Service Pack 2

Remote Code Execution

Critical

None

Windows Server 2003 Service Pack 1

Remote Code Execution

Critical

MS06-040

Windows Server 2003 Service Pack 2

Remote Code Execution

Critical

None

Windows Server 2003 x64 Edition

Remote Code Execution

Critical

MS06-040

Windows Server 2003 x64 Edition Service Pack 2

Remote Code Execution

Critical

None

Windows Server 2003 with SP1 for Itanium-based Systems

Remote Code Execution

Critical

MS06-040

Windows Server 2003 with SP2 for Itanium-based Systems

Remote Code Execution

Critical

None

Windows Vista and Windows Vista Service Pack 1

Remote Code Execution

Important

None

Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1

Remote Code Execution

Important

None

Windows Server 2008 for 32-bit Systems*

Remote Code Execution

Important

None

Windows Server 2008 for x64-based Systems*

Remote Code Execution

Important

None

Windows Server 2008 for Itanium-based Systems

Remote Code Execution

Important

None

Save this article to PDF.

This is a wooden horse type injustice program of Troy classed to "a worm" generally.

    * Software to receive influence:
      Windows 98, ME, NT, 2000, XP, Server 2003

    * Movement of "WORM_SMALL.MDZ" is as follows.
          o install own in system
          o Worm activity (the use of MSN Messnger)
          o Worm activity (the use of a removable drive)
          o Change of a file
          o access Web site
          o Download a file

    * An invasion method:
          o It is downloaded from remote site and invades it
          o It is made by other unjust programs

    * An infection confirmation method:
          o I make the following files
                + ＜Windowsfolder＞※\PCHEALTH\HELPCTR\Binaries\svchost.exe
                + ＜Windowsfolder＞※\Photo_13301.zip
          o Registry add value
          o Registry changed value

Save this article to PDF.

1. Windows in safe mode, please restart.

2. Worm changes to fix the value of the registry.
The following registry please correct the value. Rectification registry values, please see.

Location:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \
CurrentVersion \ Winlogon
Value (before):
Userinit = “<Windows FORUDA> \ userinit.exe”
Value (after):
Userinit = “<Windows SHISUTEMUFORUDA> \ userinit.exe”

3. Windows search function (Start] → [search] → [All files and folders to choose), using the worm was created following the unwanted file and delete the cases detected Please.
* MSWINSCK.OCX
* Kdcoms.dll

4. Worm have added “AUTORUN.INF” is removed.

1. Windows search function (Start] → [search] → [All files and folders to choose), using, “AUTORUN.INF” to find and detect if a text file, such as Notepad. Please use the open.

2. Following a string exists to make sure the file exists, please delete.

[AutoRun]
open = Secret.exe
; shell \ open = Open (& O)
shell \ open \ Command = Secret.exe
shell \ open \ Default = 1
; shell \ explore = Manager (& X)
shell \ explore \ Command = Secret.exe

3. Above “AUTORUN.INF” there is a drive to open the INF file, please delete.

5. Restart the computer in normal mode, please. The latest version (engine and pattern file) with the introduction of anti-virus products, scanners, please run. The worm is “WORM_AUTORUN.EB” and detected. All files are detected, please delete.

6. All drive search and detected nothing if the process is complete.

Save this article to PDF.

The following files have been added to the system:

%WINDIR%\system32\hhrdxd.dll
%WINDIR%\system32\hhrdxd.dll.log

The following registry elements have been created:

HKEY_LOCAL_MACHINE\software\classes\clsid\{17dfd111-bf3a-4cb4-adb0-88fcbfe69821}\
(default) = microsoft HKEY_LOCAL_MACHINE\software\classes\clsid\{17dfd111-bf3a-4cb4-adb0-88fcbfe69821}\inprocserver32\
(default) = c:\windows\system32\hhrdxd.dll threadingmodel = apartment

Save this article to PDF.

Cmdow.exe XP is not genuine by the built-in programs, but is often used in some version of XP installed automatically, such as the Super XP, WinXP_Pre-SP3v…, only to automatically install XP from various applications.
Cmdow.exe will be President Kabbah, Symantec, Lancaster, etc. fils Den judged hacker tool [definition] [Symantec Hacktool.HideWindow risktool.hide.windows, aa fils Den Lancaster is hacked Toolbox], then it is to delete this file, the system will not cause problems.

Cmdow.exe main function is to hide cmd window
Sometimes will be used to write programs run command prompt characters
When users in the use of, these fears jumped out windows
Cmdow will be used to hide, is to avoid disrupting appearance
This is the security file, only acts will be identified as hacktool

SecurityRisk.Cmdow 

Save this article to PDF.

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low
• Payload: Opens a back door and lowers security settings.

Distribution

• Distribution Level: Low

Writeup By: Sean Kiernan

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Once executed, the worm copies itself to the following location:
%System%\wldmgr.exe

The worm periodically recreates the following registry entries so that it runs when Windows starts:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”wldmgr” = “wldmgr.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\”wldmgr” = “wldmgr.exe”

The worm modifies the following registry entry to disable the Shared Access service in Windows 2000/XP:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\”Start” = “4″

It gathers email addresses from the Windows Address Book and from the following locations:

• %Windir%\Temporary Internet Files
• %Userprofile%\Local Settings\Temporary Internet Files
• %System%

It then gathers email addresses from files with the following extensions on all local drives from C to Y:

• .adb
• .asp
• .cgi
• .dbx
• .htm
• .html
• .jsp
• .php
• .sht
• .tbb
• .txt
• .wab
• .xml

The worm avoids sending itself to email addresses that contain any of the following strings:

• abuse
• accoun
• admin
• administrator
• anyone
• bsd
• bugs
• certific
• contact
• spam
• feste
• gold-certs
• google
• help
• icrosoft
• info
• linux
• listserv
• mail
• nobody
• noone
• not
• nothing
• ntivi
• page
• postmaster
• privacy
• rating
• register
• root
• samples
• secur
• service
• site
• soft
• somebody
• someone
• spm
• submit
• support
• the.bat
• unix
• webmaster
• www
• you
• your

The worm avoids sending itself to email addresses that contain any of the following strings in the domain name:

• .gov
• .mil
• acketst
• arin.
• avp
• berkeley
• borlan
• bsd
• example
• fido
• foo.
• fsf.
• gnu
• google
• gov.
• hotmail
• iana
• ibm.com
• icrosof
• ietf
• inpris
• isc.o
• isi.e
• kernel
• linux
• math
• mit.e
• mozilla
• msn.
• mydomai
• nodomai
• panda
• pgp
• rfc-ed
• ripe.
• ruslis
• secur
• sendmail
• sopho
• syma
• tanford.e
• unix
• usenet
• utgers.ed

It may append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:

• gate.
• mail.
• mail1.
• mx.
• mx1.
• mxs.
• ns.
• relay.
• smtp.

The worm uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:
From:
One of the following:

• adam
• alex
• andrew
• anna
• bill
• bob
• brenda
• brent
• brian
• claudia
• dan
• dave
• david
• debby
• frank
• fred
• george
• helen
• jack
• james
• jane
• jerry
• jim
• jimmy
• joe
• john
• jose
• josh
• julie
• kevin
• leo
• linda
• maria
• mary
• matt
• michael
• mike
• paul
• peter
• ray
• robert
• sandra
• sales
• sam
• serg
• smith
• stan
• steve
• ted
• tom

The worm may also spoof a From address from one of the addresses found on the compromised computer.

Subject:

• *IMPORTANT* Information
• Account Information
• Account Status Updated
• Critical Information
• Important Data
• Important Information
• Important Notice
• Important Notification
• Information about your account
• Information about your account
• Notification regarding your account
• Security Information
• Warning: Read ASAP

Message Body:
One of the following:

• Dear [USER NAME],
  Your account (%s) has been detected as sending large amounts of spam e-mail.
  If you believe this could be in error, please first review the attached evidence, If you need help resolving the problem then feel free to contact [DOMAIN] customer service at: [SPOOFED EMAIL]
  Thank you for using [DOMAIN]
  Sincerely, [DOMAIN] Customer Service
  === Attachment: Safe (No Virus)
  === %s Antivirus - www.[FULL DOMAIN]
• Dear [USER NAME], \n
  It has come to our attention that your %s account information is outdated. Please see the attached document for further information.
  Thanks for using [DOMAIN]
  Sincerely, [DOMAIN] Customer Service
  === Attachment: Safe (No Virus)
  === %s Antivirus - www.[FULL DOMAIN]
• Dear [USER NAME] Member,
  We have been forced to temporarily disable your account, [EMAIL].
  This is usually due to one of the following reasons:
  1. An unauthorized change to your personal information.
  2. Invalid account information provided when you created your account.
  3. Our inability to verify the information that you provided to us.
  Please view the attached document for information to reactivate your [EMAILl] account.
  Sincerely, [DOMAIN] Customer Service
  === Attachment: Safe (No Virus)
  === %s Antivirus - www.[FULL DOMAIN]

Note: [DOMAIN] is the domain part of the recipient’s email address, [USER NAME] is the username part of the recipient’s email address, [SPOOFED EMAIL] is a spoofed email address on the same domain, and [EMAIL] is the recipient’s email address.

Attachment:
One of the following:

• document
• important-details
• important-doc
• important-document
• information
• info-doc
• readme.t

  with one of the following extensions:

• .bat
• .cmd
• .exe
• .pif
• .scr

The attachment may also be a .zip file containing a copy of the worm with two file extensions. The copy of the worm will have .doc, .htm, or .txt as the first extension, and .exe, .pif, or .scr as the second extension.

The worm connects to an IRC server at 203.169.186.27 on TCP port 8080. The worm listens for commands that allow the remote attacker to perform any of the following actions:

• Execute files
• Download files
• Perform other IRC commands determined by the remote attacker
• Restart the compromised computer

The worm also blocks access to several security-related Web sites by appending the following text to the hosts file:

• 127.0.0.1 www.symantec.com
• 127.0.0.1 securityresponse.symantec.com
• 127.0.0.1 symantec.com
• 127.0.0.1 www.sophos.com
• 127.0.0.1 sophos.com
• 127.0.0.1 www.mcafee.com
• 127.0.0.1 mcafee.com
• 127.0.0.1 liveupdate.symantecliveupdate.com
• 127.0.0.1 www.viruslist.com
• 127.0.0.1 viruslist.com
• 127.0.0.1 viruslist.com
• 127.0.0.1 f-secure.com
• 127.0.0.1 www.f-secure.com
• 127.0.0.1 kaspersky.com
• 127.0.0.1 kaspersky-labs.com
• 127.0.0.1 www.avp.com
• 127.0.0.1 www.kaspersky.com
• 127.0.0.1 avp.com
• 127.0.0.1 www.networkassociates.com
• 127.0.0.1 networkassociates.com
• 127.0.0.1 www.ca.com
• 127.0.0.1 ca.com
• 127.0.0.1 mast.mcafee.com
• 127.0.0.1 my-etrust.com
• 127.0.0.1 www.my-etrust.com
• 127.0.0.1 download.mcafee.com
• 127.0.0.1 dispatch.mcafee.com
• 127.0.0.1 secure.nai.com
• 127.0.0.1 nai.com
• 127.0.0.1 www.nai.com
• 127.0.0.1 update.symantec.com
• 127.0.0.1 updates.symantec.com
• 127.0.0.1 us.mcafee.com
• 127.0.0.1 liveupdate.symantec.com
• 127.0.0.1 customer.symantec.com
• 127.0.0.1 rads.mcafee.com
• 127.0.0.1 trendmicro.com
• 127.0.0.1 pandasoftware.com
• 127.0.0.1 www.pandasoftware.com
• 127.0.0.1 www.trendmicro.com
• 127.0.0.1 www.grisoft.com
• 127.0.0.1 www.microsoft.com
• 127.0.0.1 microsoft.com
• 127.0.0.1 www.virustotal.com
• 127.0.0.1 virustotal.com
• 127.0.0.1 www.amazon.com
• 127.0.0.1 www.amazon.co.uk
• 127.0.0.1 www.amazon.ca
• 127.0.0.1 www.amazon.fr
• 127.0.0.1 www.paypal.com
• 127.0.0.1 paypal.com
• 127.0.0.1 moneybookers.com
• 127.0.0.1 www.moneybookers.com
• 127.0.0.1 www.ebay.com
• 127.0.0.1 ebay.com

It attempts to end the following processes, some of which may be security-related:

• _AVP32.EXE
• _AVPCC.EXE
• _AVPM.EXE
• ACKWIN32.EXE
• ADAWARE.EXE
• ADVXDWIN.EXE
• AGENTSVR.EXE
• AGENTW.EXE
• ALERTSVC.EXE
• ALEVIR.EXE
• ALOGSERV.EXE
• AMON9X.EXE
• ANTI-TROJAN.EXE
• ANTIVIRUS.EXE
• ANTS.EXE
• APIMONITOR.EXE
• APLICA32.EXE
• APVXDWIN.EXE
• ARR.EXE
• ATCON.EXE
• ATGUARD.EXE
• ATRO55EN.EXE
• ATUPDATER.EXE
• ATWATCH.EXE
• AU.EXE
• AUPDATE.EXE
• AUTO-PROTECT.NAV80TRY.EXE
• AUTODOWN.EXE
• AUTOTRACE.EXE
• AUTOUPDATE.EXE
• AVCONSOL.EXE
• AVE32.EXE
• AVGCC32.EXE
• AVGCTRL.EXE
• AVGNT.EXE
• AVGSERV.EXE
• AVGSERV9.EXE
• AVGUARD.EXE
• AVGW.EXE
• AVKPOP.EXE
• AVKSERV.EXE
• AVKSERVICE.EXE
• AVKWCTl9.EXE
• AVLTMAIN.EXE
• AVNT.EXE
• AVP.EXE
• AVP32.EXE
• AVPCC.EXE
• AVPDOS32.EXE
• AVPM.EXE
• AVPTC32.EXE
• AVPUPD.EXE
• AVSCHED32.EXE
• AVSYNMGR.EXE
• AVWINNT.EXE
• AVWUPD.EXE
• AVWUPD32.EXE
• AVWUPSRV.EXE
• AVXMONITOR9X.EXE
• AVXMONITORNT.EXE
• AVXQUAR.EXE
• BACKWEB.EXE
• BARGAINS.EXE
• BD_PROFESSIONAL.EXE
• BEAGLE.EXE
• BELT.EXE
• BIDEF.EXE
• BIDSERVER.EXE
• BIPCP.EXE
• BIPCPEVALSETUP.EXE
• BISP.EXE
• BLACKD.EXE
• BLACKICE.EXE
• BLSS.EXE
• BOOTCONF.EXE
• BOOTWARN.EXE
• BORG2.EXE
• BPC.EXE
• BRASIL.EXE
• BS120.EXE
• BUNDLE.EXE
• BVT.EXE
• CCAPP.EXE
• CCEVTMGR.EXE
• CCPXYSVC.EXE
• CDP.EXE
• CFD.EXE
• CFGWIZ.EXE
• CFIADMIN.EXE
• CFIAUDIT.EXE
• CFINET.EXE
• CFINET32.EXE
• CLAW95CF.EXE
• CLEAN.EXE
• CLEANER.EXE
• CLEANER3.EXE
• CLEANPC.EXE
• CLICK.EXE
• CMD.EXE
• CMD32.EXE
• CMESYS.EXE
• CMGRDIAN.EXE
• CMON016.EXE
• CONNECTIONMONITOR.EXE
• CPD.EXE
• CPF9X206.EXE
• CPFNT206.EXE
• CTRL.EXE
• CV.EXE
• CWNB181.EXE
• CWNTDWMO.EXE
• DATEMANAGER.EXE
• DCOMX.EXE
• DEFALERT.EXE
• DEFSCANGUI.EXE
• DEFWATCH.EXE
• DEPUTY.EXE
• DIVX.EXE
• DLLCACHE.EXE
• DLLREG.EXE
• DOORS.EXE
• DPF.EXE
• DPFSETUP.EXE
• DPPS2.EXE
• DRWATSON.EXE
• DRWEB32.EXE
• DRWEBUPW.EXE
• DSSAGENT.EXE
• DVP95.EXE
• DVP95_0.EXE
• ECENGINE.EXE
• EFPEADM.EXE
• EMSW.EXE
• ENT.EXE
• ESAFE.EXE
• ESCANHNT.EXE
• ESCANV95.EXE
• ESPWATCH.EXE
• ETHEREAL.EXE
• ETRUSTCIPE.EXE
• EVPN.EXE
• EXANTIVIRUS-CNET.EXE
• EXE.AVXW.EXE
• EXPERT.EXE
• EXPLORE.EXE
• F-PROT.EXE
• F-PROT95.EXE
• F-STOPW.EXE
• FAMEH32.EXE
• FAST.EXE
• FCH32.EXE
• FIH32.EXE
• FINDVIRU.EXE
• FIREWALL.EXE
• FNRB32.EXE
• FP-WIN.EXE
• FP-WIN_TRIAL.EXE
• FPROT.EXE
• FRW.EXE
• FSAA.EXE
• FSAV.EXE
• FSAV32.EXE
• FSAV530STBYB.EXE
• FSAV530WTBYB.EXE
• FSAV95.EXE
• FSGK32.EXE
• FSM32.EXE
• FSMA32.EXE
• FSMB32.EXE
• GATOR.EXE
• GBMENU.EXE
• GBPOLL.EXE
• GENERICS.EXE
• GMT.EXE
• GUARD.EXE
• GUARDDOG.EXE
• HACKTRACERSETUP.EXE
• HBINST.EXE
• HBSRV.EXE
• HOTACTIO.EXE
• HOTPATCH.EXE
• HTLOG.EXE
• HTPATCH.EXE
• HWPE.EXE
• HXDL.EXE
• HXIUL.EXE
• IAMAPP.EXE
• IAMSERV.EXE
• IAMSTATS.EXE
• IBMASN.EXE
• IBMAVSP.EXE
• ICLOADNT.EXE
• ICMON.EXE
• ICSUPP95.EXE
• ICSUPPNT.EXE
• IDLE.EXE
• IEDLL.EXE
• IEDRIVER.EXE
• IEXPLORER.EXE
• IFACE.EXE
• IFW2000.EXE
• INETLNFO.EXE
• INFUS.EXE
• INFWIN.EXE
• INIT.EXE
• INTDEL.EXE
• INTREN.EXE
• IOMON98.EXE
• ISTSVC.EXE
• JAMMER.EXE
• JDBGMRG.EXE
• JEDI.EXE
• KAVLITE40ENG.EXE
• KAVPERS40ENG.EXE
• KAVPF.EXE
• KAZZA.EXE
• KEENVALUE.EXE
• KERIO-PF-213-EN-WIN.EXE
• KERIO-WRL-421-EN-WIN.EXE
• KERIO-WRP-421-EN-WIN.EXE
• KERNEL32.EXE
• KILLPROCESSSETUP161.EXE
• LAUNCHER.EXE
• LDNETMON.EXE
• LDPRO.EXE
• LDPROMENU.EXE
• LDSCAN.EXE
• LNETINFO.EXE
• LOADER.EXE
• LOCALNET.EXE
• LOCKDOWN.EXE
• LOCKDOWN2000.EXE
• LOOKOUT.EXE
• LORDPE.EXE
• LSETUP.EXE
• LUALL.EXE
• LUAU.EXE
• LUCOMSERVER.EXE
• LUINIT.EXE
• LUSPT.EXE
• MAPISVC32.EXE
• MCAGENT.EXE
• MCMNHDLR.EXE
• MCSHIELD.EXE
• MCTOOL.EXE
• MCUPDATE.EXE
• MCVSRTE.EXE
• MCVSSHLD.EXE
• MD.EXE
• MFIN32.EXE
• MFW2EN.EXE
• MFWENG3.02D30.EXE
• MGAVRTCL.EXE
• MGAVRTE.EXE
• MGHTML.EXE
• MGUI.EXE
• MINILOG.EXE
• MMOD.EXE
• MONITOR.EXE
• MOOLIVE.EXE
• MOSTAT.EXE
• MPFAGENT.EXE
• MPFSERVICE.EXE
• MPFTRAY.EXE
• MRFLUX.EXE
• MSAPP.EXE
• MSBB.EXE
• MSBLAST.EXE
• MSCACHE.EXE
• MSCCN32.EXE
• MSCMAN.EXE
• MSCONFIG.EXE
• MSDM.EXE
• MSDOS.EXE
• MSIEXEC16.EXE
• MSINFO32.EXE
• MSLAUGH.EXE
• MSMGT.EXE
• MSMSGRI32.EXE
• MSSMMC32.EXE
• MSSYS.EXE
• MSVXD.EXE
• MU0311AD.EXE
• MWATCH.EXE
• N32SCANW.EXE
• NAV.EXE
• NAVAP.NAVAPSVC.EXE
• NAVAPSVC.EXE
• NAVAPW32.EXE
• NAVDX.EXE
• NAVLU32.EXE
• NAVNT.EXE
• NAVSTUB.EXE
• NAVW32.EXE
• NAVWNT.EXE
• NC2000.EXE
• NCINST4.EXE
• NDD32.EXE
• NEC.EXE
• NEOMONITOR.EXE
• NEOWATCHLOG.EXE
• NETARMOR.EXE
• NETD32.EXE
• NETINFO.EXE
• NETMON.EXE
• NETSCANPRO.EXE
• NETSPYHUNTER-1.2.EXE
• NETSTAT.EXE
• NETUTILS.EXE
• NISSERV.EXE
• NISUM.EXE
• NMAIN.EXE
• NOD32.EXE
• NORMIST.EXE
• NORTON_INTERNET_SECU_3.0_407.EXE
• NOTSTART.EXE
• NPF40_TW_98_NT_ME_2K.EXE
• NPFMESSENGER.EXE
• NPROTECT.EXE
• NPSCHECK.EXE
• NPSSVC.EXE
• NSCHED32.EXE
• NSSYS32.EXE
• NSTASK32.EXE
• NSUPDATE.EXE
• NT.EXE
• NTRTSCAN.EXE
• NTVDM.EXE
• NTXconfig.EXE
• NUI.EXE
• NUPGRADE.EXE
• NVARCH16.EXE
• NVC95.EXE
• NVSVC32.EXE
• NWINST4.EXE
• NWSERVICE.EXE
• NWTOOL16.EXE
• OLLYDBG.EXE
• ONSRVR.EXE
• OPTIMIZE.EXE
• OSTRONET.EXE
• OTFIX.EXE
• OUTPOST.EXE
• OUTPOSTINSTALL.EXE
• OUTPOSTPROINSTALL.EXE
• PADMIN.EXE
• PANIXK.EXE
• PATCH.EXE
• PAVCL.EXE
• PAVPROXY.EXE
• PAVSCHED.EXE
• PAVW.EXE
• PCFWALLICON.EXE
• PCIP10117_0.EXE
• PCSCAN.EXE
• PDSETUP.EXE
• PERISCOPE.EXE
• PERSFW.EXE
• PERSWF.EXE
• PF2.EXE
• PFWADMIN.EXE
• PGMONITR.EXE
• PINGSCAN.EXE
• PLATIN.EXE
• POP3TRAP.EXE
• POPROXY.EXE
• POPSCAN.EXE
• PORTDETECTIVE.EXE
• PORTMONITOR.EXE
• POWERSCAN.EXE
• PPINUPDT.EXE
• PPTBC.EXE
• PPVSTOP.EXE
• PRIZESURFER.EXE
• PRMT.EXE
• PRMVR.EXE
• PROCDUMP.EXE
• PROCESSMONITOR.EXE
• PROCEXPLORERV1.0.EXE
• PROGRAMAUDITOR.EXE
• PROPORT.EXE
• PROTECTX.EXE
• PSPF.EXE
• PURGE.EXE
• QCONSOLE.EXE
• QSERVER.EXE
• RAPAPP.EXE
• RAV7.EXE
• RAV7WIN.EXE
• RAV8WIN32ENG.EXE
• RAY.EXE
• RB32.EXE
• RCSYNC.EXE
• REALMON.EXE
• REGED.EXE
• REGEDIT.EXE
• REGEDT32.EXE
• RESCUE.EXE
• RESCUE32.EXE
• RRGUARD.EXE
• RSHELL.EXE
• RTVSCAN.EXE
• RTVSCN95.EXE
• RULAUNCH.EXE
• RUN32DLL.EXE
• RUNDLL.EXE
• RUNDLL16.EXE
• RUXDLL32.EXE
• SAFEWEB.EXE
• SAHAGENT.EXE
• SAVE.EXE
• SAVENOW.EXE
• SBSERV.EXE
• SC.EXE
• SCAM32.EXE
• SCAN32.EXE
• SCAN95.EXE
• SCANPM.EXE
• SCRSCAN.EXE
• SETUP_FLOWPROTECTOR_US.EXE
• SETUPVAMEEVAL.EXE
• SFC.EXE
• SGSSFW32.EXE
• SH.EXE
• SHELLSPYINSTALL.EXE
• SHN.EXE
• SHOWBEHIND.EXE
• SMC.EXE
• SMS.EXE
• SMSS32.EXE
• SOAP.EXE
• SOFI.EXE
• SPERM.EXE
• SPF.EXE
• SPHINX.EXE
• SPOLER.EXE
• SPOOLCV.EXE
• SPOOLSV32.EXE
• SPYXX.EXE
• SREXE.EXE
• SRNG.EXE
• SS3EDIT.EXE
• SSG_4104.EXE
• SSGRATE.EXE
• ST2.EXE
• START.EXE
• STCLOADER.EXE
• SUPFTRL.EXE
• SUPPORT.EXE
• SUPPORTER5.EXE
• SVC.EXE
• SVCHOSTC.EXE
• SVCHOSTS.EXE
• SVSHOST.EXE
• SWEEP95.EXE
• SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
• SYMPROXYSVC.EXE
• SYMTRAY.EXE
• SYSEDIT.EXE
• SYSTEM.EXE
• SYSTEM32.EXE
• SYSUPD.EXE
• TASKMG.EXE
• TASKMGR.EXE
• TASKMO.EXE
• TASKMON.EXE
• TAUMON.EXE
• TBSCAN.EXE
• TC.EXE
• TCA.EXE
• TCM.EXE
• TDS-3.EXE
• TDS2-NT.EXE
• TEEKIDS.EXE
• TFAK.EXE
• TFAK5.EXE
• TGBOB.EXE
• TITANIN.EXE
• TITANINXP.EXE
• TRACERT.EXE
• TRICKLER.EXE
• TRJSCAN.EXE
• TRJSETUP.EXE
• TROJANTRAP3.EXE
• TSADBOT.EXE
• TVMD.EXE
• TVTMD.EXE
• UNDOBOOT.EXE
• UPDAT.EXE
• UPDATE.EXE
• UPGRAD.EXE
• UTPOST.EXE
• VBCMSERV.EXE
• VBCONS.EXE
• VBUST.EXE
• VBWIN9X.EXE
• VBWINNTW.EXE
• VCSETUP.EXE
• VET32.EXE
• VET95.EXE
• VETTRAY.EXE
• VFSETUP.EXE
• VIR-HELP.EXE
• VIRUSMDPERSONALFIREWALL.EXE
• VNLAN300.EXE
• VNPC3000.EXE
• VPC32.EXE
• VPC42.EXE
• VPFW30S.EXE
• VPTRAY.EXE
• VSCAN40.EXE
• VSCENU6.02D30.EXE
• VSCHED.EXE
• VSECOMR.EXE
• VSHWIN32.EXE
• VSISETUP.EXE
• VSMAIN.EXE
• VSMON.EXE
• VSSTAT.EXE
• VSWIN9XE.EXE
• VSWINNTSE.EXE
• VSWINPERSE.EXE
• W32DSM89.EXE
• W9X.EXE
• WATCHDOG.EXE
• WEBDAV.EXE
• WEBSCANX.EXE
• WEBTRAP.EXE
• WFINDV32.EXE
• WHOSWATCHINGME.EXE
• WIMMUN32.EXE
• WIN-BUGSFIX.EXE
• WIN32.EXE
• WIN32US.EXE
• WINACTIVE.EXE
• WINDOW.EXE
• WINDOWS.EXE
• WININETD.EXE
• WININIT.EXE
• WININITX.EXE
• WINLOGIN.EXE
• WINMAIN.EXE
• WINNET.EXE
• WINPPR32.EXE
• WINRECON.EXE
• WINSERVN.EXE
• WINSSK32.EXE
• WINSTART.EXE
• WINSTART001.EXE
• WINTSK32.EXE
• WINUPDATE.EXE
• WKUFIND.EXE
• WNAD.EXE
• WNT.EXE
• WRADMIN.EXE
• WRCTRL.EXE
• WSBGATE.EXE
• WUPDATER.EXE
• WUPDT.EXE
• WYVERNWORKSFIREWALL.EXE
• XPF202EN.EXE
• ZAPRO.EXE
• ZAPSETUP3001.EXE
• ZATUTOR.EXE
• ZONALM2601.EXE
• ZONEALARM.EXE

Save this article to PDF.

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Medium
• Deletes Files: Delete all files containing a .VBS extension.

Distribution

• Distribution Level: Low
• Target of Infection: Copies itself to all drives of the compromised computer.

Writeup By: John Canavan Details >VBS.Autill

To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

1. Click Start > Run.
2. Type regedit
3. Click OK.

   Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

4. Restore the following registry entries to their original values, if required:
   • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\”Userinit” = “%System%\userinit.exe, %System%\wscript.exe %System%\killVBS.vbs”
   • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\”Window Title” = ” “
   • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\”Start Page” = ” “
   • HKEY_CLASSES_ROOT\vbsfile\”DefaultIcon” = “%SystemRoot%\System32\WScript.exe,2″
5. Exit the Registry Editor.

   Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.

Writeup By: John Canavan

Save this article to PDF.

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low

Distribution

• Distribution Level: Low

Writeup By: Chen Yu Details >Trojan.Trafbrush

To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

1. Click Start > Run.
2. Type regedit
3. Click OK.

   Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

4. Navigate to and delete the following entries:
   • HKEY_CLASSES_ROOT\Brushy.brush.1
   • HKEY_CLASSES_ROOT\Brushy.brush
   • HKEY_CLASSES_ROOT\CLSID\{E157D62A-D8A4-45DF-8E9B-C33D93821BDF}
   • HKEY_CLASSES_ROOT\TypeLib\{F54A0656-1D23-4FC1-883E-E68E4CD29566}
   • HKEY_CLASSES_ROOT\Interface\{5A1F62AE-0E47-4547-8E5C-AC73FE58C9AE}
   • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E157D62A-D8A4-45DF-8E9B-C33D93821BDF
   • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS]\”ImagePath” = “%System%\drivers\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS].sys”
   • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS]\”ImagePath” = “%System%\drivers\[SIX RANDOM LETTERS][TWO RANDOM NUMBERS].sys”
   • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations\”SUCCESS” = “%UserProfile%\Local Settings\Temp\v22.exe”
5. Exit the Registry Editor.

   Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.

5. To find and stop the service

1. Click Start > Run.
2. Type services.msc, and then click OK.
3. Locate and select the service that was detected.
4. Click Action > Properties.
5. Click Stop.
6. Change Startup Type to Manual.
7. Click OK and close the Services window.
8. Restart the computer.

Writeup By: Chen Yu

Save this article to PDF.

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Moderate
• Removal: Easy

Damage

• Damage Level: Low
• Payload: May download potentially malicious files on to the compromised computer.
• Degrades Performance: Exploits a vulnerability which may degrade performance.

Distribution

• Distribution Level: Low

Save this article to PDF.

Behavior

Trackware.ProSearch is a trackware program that tracks all search queries directed to major search engines (Google, Yahoo, and Msn) and sends this information to a remote server.

Save this article to PDF.