WIN32/PE patch

Brookfield

AVG detected over a dozen of these at one go; they are safely in the vault. What are they, what's their connection with Windows, and how dangerous are they?
 
Trojan.Win32.PePatch.cp
Type: Malware
Type Description: Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.
Category: Trojan
Category Description: Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.
Level: High
Level Description: High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
Advice Type: Remove
File Traces: update.exe


Also...




Aliases: [Win32/]Rbot.FAY; [Win32/]Spybot.4wq!Worm (InoculateIT); [Win32/]Packed.Win32.PePatch.aw (Kaspersky)

Date Modified: 11-May-2006
Date Published: 11-May-2006

Description:

Win32.Rbot.FAY is an IRC-controlled backdoor (or "bot") that can be used to gain unauthorized access to a victim's machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable and is being very actively developed; however, the core functionality is quite consistent between variants.

This particular variant of Rbot is distributed as a 71,578 byte, Win32 executable that exhibits the following specific characteristics:

When executed this variant copies itself to the %System% directory as W1nUpdate.exe and makes the following modifications to the registry to ensure that this file is executed at each Windows system start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "w1nupdate.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Windows Update Service = "w1nupdate.exe"

Note: '%System%' and '%Windows%' are variable locations. The malware determines the location of these folders by querying the operating system. The default location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
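The two registry values above are the persistence a responder would go looking for. As an added example, not part of the original post or of any vendor's tooling, the script below parses a text export of the Run and RunServices keys (the kind `reg export` produces) and flags entries that behave like the w1nupdate.exe one: a bare filename with no path, digits standing in for letters to mimic a Windows component, an entry under the Windows 9x/ME-only RunServices key, and a value name borrowing Microsoft's branding. The sample export, the lure-word list and the digit-to-letter mapping are constructed assumptions of the example.

```python
"""Flag suspicious autorun entries in a Windows registry export (.reg text).

Added example. It assumes a `reg export` of the HKLM Run and RunServices
keys; SAMPLE_REG_EXPORT below is constructed to mirror the W1nUpdate.exe
persistence described in the thread, with one ordinary entry for contrast.
"""
import re
from dataclasses import dataclass, field

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed sample export (not captured from a real machine).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Update Service"="w1nupdate.exe"
"AVG Control Center"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Windows Update Service"="w1nupdate.exe"
'''

# Digit-for-letter substitutions used to mimic system binaries
# (w1nupdate -> winupdate). This mapping is an assumption of the example.
LEET = str.maketrans("013457", "oieast")
# Words malware borrows to look like a Microsoft component (assumed list).
LURE_WORDS = ("win", "update", "microsoft", "windows", "svc", "host", "system")


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reasons: list = field(default_factory=list)


def parse_reg_export(text):
    """Yield (key, value_name, value_data) for string values under RUN_KEYS."""
    wanted = {k.lower() for k in RUN_KEYS}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key and key.lower() in wanted:
            # .reg exports double the backslashes inside quoted strings.
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def command_image(value):
    """Return the executable portion of an autorun command line."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:].split('"', 1)[0]
    idx = v.lower().find(".exe")
    return v[: idx + 4] if idx != -1 else v.split(" ", 1)[0]


def audit_autoruns(text):
    """Return a Finding for every autorun entry that trips a heuristic."""
    findings = []
    for key, name, value in parse_reg_export(text):
        image = command_image(value)
        stem = image.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
        reasons = []
        if "\\" not in image and "%" not in image:
            reasons.append("bare filename: resolved via the search path, not a fixed location")
        deleet = stem.translate(LEET)
        if deleet != stem and any(w in deleet for w in LURE_WORDS):
            reasons.append(f"digit-for-letter mimicry: {stem!r} reads as {deleet!r}")
        if key.lower().endswith("\\runservices"):
            reasons.append("RunServices: a Windows 9x/ME autostart key, unusual on NT-family Windows")
        if reasons and any(w in name.lower() for w in ("microsoft", "windows update")):
            reasons.append(f"value name {name!r} impersonates a Microsoft component")
        if reasons:
            findings.append(Finding(key, name, value, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_REG_EXPORT):
        print(f"{f.key}\\{f.name} = {f.value}")
        for r in f.reasons:
            print("   -", r)
```

Treat each reason as evidence rather than a verdict: the bare-filename check also fires on legitimate entries such as rundll32 launchers, and the de-leeting only catches digit substitutions, so a name like "Windows Update Service" pointing at a correctly spelled but unknown binary still needs the file itself inspected.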
 
Blimey, [gulp!]
good job they're in the vault then!!!
 
Welcome to the world of broadband; it's so much easier to get infected on that than it is on dialup.
 

So it looks like this was an initial backdoor; then someone would use it to install more software to attack other computers (DDoS attack).

I haven't had a virus for years*

*on my main computer or laptop; I play around with viruses quite a bit in test environments.
 