Lavasoft Malware Labs Blog
Malware Encyclopedia
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan-PWS.Win32.Zbot!IK (Emsisoft), GenericAutorunWorm.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericProxy.YR, Blazebot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun, IRCBot, MSNWorm, Trojan-Proxy
Susp_Dropper (Kaspersky), LooksLike.Win32.Malware!B (v) (VIPRE), Email-Worm.Win32.Brontok!IK (Emsisoft), Virus.Win32.Duel.FD, GenericEmailWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Worm, Email-Worm, Virus, IRCBot
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Encpk.afnb (v) (VIPRE), Worm.Win32.Gamarue!IK (Emsisoft), Backdoor.Win32.Farfli.FD, Worm.Win32.Dorkbot.FD, BankerGeneric.YR, GenericInjector.YR, GenericPhysicalDrive0.YR, WormDorkbot.YR, GenericAutorunWorm.YR, GenericIRCBot.YR, GenericDNSBlocker.YR, GenericUDPFlooder.YR, GenericSYNFlooder.YR, GenericProxy.YR, GenericUSBInfector.YR, GenericMSNWorm.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
Platform: Win32
Type: Exploit
Size: 1410681 bytes
File type: rtf
MD5: 93d0222c8c7b57d38931cfd712523c67
SHA1: 94b802273340f406d5bfda7812330d15eb8dcdeb
Aliases: Red October RTF, Exploit.Win32.CVE-2012-0158
Summary
This exploit uses a vulnerability in the Microsoft Windows Common Controls library (MSCOMCTL.OCX) ActiveX control (CVE-2012-0158, MS12-027) to execute arbitrary code on the target computer.
Platform: Win32
Type: Trojan
Size: 135168 bytes
Language: Visual Basic
MD5: 3b342eeb7b7496b8c21b7dc1e8640eb6
SHA256: 02b10491765333205f8daaccd93d1a619c76c191419a4fe0b96647f94630a05b
Aliases: Trojan:Win32/Diacam.A (Microsoft), Trojan.Win32.Jorik.Mokes.cbk (Kaspersky), Win32/VB.QMS (ESET-NOD32), W32/VBagent.B.gen!Eldorado (F-Prot)
Summary
Trojan.Win32.VB.qms is a Trojan program designed to steal confidential data and to provide remote access to the computer without the user's knowledge or consent. The following are strings displayed in the file information:
We discovered a new modification of the Kelihos backdoor dated March 4, 2013 (MD5: 80bb0a4c115ca5309baaf4c85017869), which is still in operation after the much-publicized botnet shutdown at the RSA Conference. The new modification is able to steal passwords from Internet browsers.
The compilation date of the unpacked backdoor body is March 4, 2013.
Platform: Win32
Type: Trojan
Size: 878592 bytes
Language: C++
MD5: 1f19849a7befa7bf2e3ca04e2757829d
SHA1: 478260ca3fdbcb792a5756956838d2260121de25
Aliases: Backdoor:Win32/Kelihos.F (Microsoft), TrojanPSW.FTPAgent
Summary
Detect: Win32.Chir.b
Platform: Win32
Type: Worm
Size: 10748 bytes
MD5: a0ec5fc7ccb941955c24d53374361915
SHA1: 3e0e6e1e2b7879f70fe6284a9c24020d1c05264f
Summary
It is an email worm that spreads via the Internet by attaching a copy of its executable file to infected messages. For mailing, the worm uses addresses found on the infected computer.
Platform: Win32
Type: Downloader
Size: 214528 bytes
Packer: unknown packer
Unpacked size: ~127 KB
Platform: Win32
Type: Trojan
Size: 127035 bytes
Language: C++
MD5: 33e10314899a5b890a25f8cd85d67e67
SHA1: ff0a5ddd0c3769dcf918ec43e83d62d6bcd48bd1
Aliases: Diple, Carberp
Summary
Trojan.Win32.Carberp is spyware designed to steal confidential user data.