Free sophos software for windows

Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed.
Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
Troj/Stinx-Q is an IRC backdoor Trojan for the Windows platform.
The Trojan may arrive as an email attachment with the filename "Photo+Article.zip".
When first run Troj/Stinx-Q copies itself to csrnvrt.exe and creates two randomly named BAT files in the Temp folder. One of these files is used to attempt to bypass the Windows firewall. The other is used to delete the original copy of the Trojan. Troj/Stinx-Q is an IRC backdoor Trojan for the Windows platform.
The Trojan may arrive as an email attachment with the filename "Photo+Article.zip". Typically the email has characteristics similar to the following:
Subject line:
Photo and Article
Message text:
Hello,
Your photograph has reached editing stage as part of an article we are publishing for our February edition of Traders World Monthly. Can you check over the format and get back to us with your approval or any changes?
If the picture is not to your liking then please send a preferred one. Weve attached the photo with the article here.
Troj/Stinx-Q connects to an IRC channel and listens for backdoor commands from a remote user. Backdoor functionality includes the ability to run arbitrary commands.
The Trojan may also download further malicious code.
Troj/Stinx-Q attempts to terminate a number of processes, including some belonging to anti-virus applications.
When first run Troj/Stinx-Q copies itself to csrnvrt.exe and creates two randomly named BAT files in the Temp folder. One of these files is used to attempt to bypass the Windows firewall. The other is used to delete the original copy of the Trojan.
The following registry entries are created to run csrnvrt.exe on startup:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
DriverModule
csrnvrt.exe
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
DriverModule
csrnvrt.exe
Troj/Stinx-R is a backdoor Trojan for the Windows platform.
The Trojan connects to an IRC server and joins a predetermined channel. The Trojan then accepts commands from remote attackers. Troj/Stinx-R is a backdoor Trojan for the Windows platform.
When first run Troj/Stinx-R copies itself to csrnvrt.exe and creates two randomly named BAT files in the Temp folder. One of these files is used to attempt to bypass the Windows firewall. The other is used to delete the original copy of the Trojan.
The following registry entries are created to run csrnvrt.exe on startup:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
DriverModule
csrnvrt.exe
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
DriverModule
csrnvrt.exe
The Trojan connects to an IRC server and joins a predetermined channel. The Trojan then accepts commands from remote attackers.
The Trojan may also download further malicious code.
Troj/Stinx-R attempts to terminate a number of processes, including some belonging to anti-virus applications.
Troj/Stinx-S is a backdoor Trojan for the Windows platform.
Troj/Stinx-S connects to a number of remote ip addresses on port 8080, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
When first run Troj/Stinx-S copies itself to lsadst.exe and creates the following registry entries to run this file on startup:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
WindowsProtocolLog
lsadst.exe
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
WindowsProtocolLog
lsadst.exe
Troj/Stinx-S may drop and run files called .bat in order to bypass the Windows firewall using "netsh" or in order to delete itself.
Troj/Stinx-S attempts to terminate a number of processes related to anti-virus and security programs.
Troj/Stinx-S may download and execute files from a remote website.
Troj/Stinx-U is a backdoor Trojan for the Windows platform.
Troj/Stinx-U connects to a number of remote ip addresses on port 8080, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
Troj/Stinx-U attempts to terminate a number of processes related to anti-virus and security programs.
Troj/Stinx-U may download and execute files from a remote website. Troj/Stinx-U is a backdoor Trojan for the Windows platform.
Troj/Stinx-U connects to a number of remote ip addresses on port 8080, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
When first run Troj/Stinx-U copies itself to lsadst.exe and creates the following registry entries to run this file on startup:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
WindowsDiskEvt
svcsvh32.exe
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
WindowsDiskEvt
svcsvh32.exe
Troj/Stinx-U may drop and run files called .bat in order to bypass the Windows firewall using "netsh" or in order to delete itself.
Troj/Stinx-U attempts to terminate a number of processes related to anti-virus and security programs.
Troj/Stinx-U may download and execute files from a remote website.
Troj/Stinx-Q, Troj/Stinx-R, Troj/Stinx-S and Troj/Stinx-U can be removed from Windows computers automatically with the following Resolve tools:
Windows disinfector
STINXGUI is a disinfector for standalone Windows computers. To use it you have to do the following:
- Open STINXGUI.com file from your desktop after downloading it.
- Click on the Start Scan Button.
- Wait for the process to complete.
Command line disinfector
STINXSFX.EXE is a self-extracting archive containing STINXCLI, a Resolve command line disinfector for use by system administrators on Windows networks.

Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
Troj/Daoser-C is a Trojan for the Windows platform.
Troj/Daoser-C will modify the start page for Internet Explorer.
Troj/Daoser-C may display popups and spy on web searches and browsing habits. Troj/Daoser-C is a Trojan for the Windows platform.
Troj/Daoser-C will modify the start page for Internet Explorer.
Troj/Daoser-C may display popups and spy on web searches and browsing habits.
When the Trojan is installed the following files are created:
ServicesSVCHOST32.DLL
Servicessecurity.exe
Servicessvchost.dll
Servicessvchost.exe
where is a string of letters and numbers.
The following registry entry is created to run svchost.exe on startup:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
Service Host
ServicesSVCHOST.EXE
The Trojan changes the Start Page for Microsoft Internet Explorer by altering the registry entry:
HKCUSoftwareMicrosoftInternet ExplorerMainStart Page
Troj/Daoser-C can be removed from Windows computers automatically with the following Resolve tools:
Windows disinfector
DAOSRGUI is a disinfector for standalone Windows computers. To use it you have to do the following:
- Open DAOSRGUI.com file from your desktop after downloading it.
- Click on the Start Scan Button.
- Wait for the process to complete.
Command line disinfector
DAOSRSFX.EXE is a self-extracting archive containing DAOSRCLI, a Resolve command line disinfector for use by system administrators on Windows networks.

Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms.
They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
W32/Badtrans-A is a worm which uses MAPI to spread. The worm arrives in an email message with the text "Take a look to the attachment".
The attachment filename is randomly chosen from the following list:
fun.pif
Humor.TXT.pif
docs.scr
s3msong.MP3.pif
Sorry_about_yesterday.DOC.pif
Me_nude.AVI.pif
Card.pif
SETUP.pif
searchURL.scr
YOU_are_FAT!.TXT.pif
hamster.ZIP.scr
news_doc.scr
New_Napster_Site.DOC.SCR
README.TXT.pif
images.pif
Pics.ZIP.scr
If the attached file is run, it displays the message "File data corrupt probably due to bad data transmission or bad disk access.", copies itself into the Windows directory with the filename INETD.EXE and changes win.ini so that the file is run at Windows startup.
When a new message arrives the worm sends a reply with an infected attachment.
The worm also drops a file kern32.exe, which is a password-stealing Trojan, Troj/Keylog-C, into the Windows system directory and changes the registry key
HKLMSOFTWAREMicrosoftWindows
CurrentVersionRunOnce so that the Trojan runs at Windows startup.
W32/Badtrans-B is an email-aware worm which uses MAPI to spread. The worm forwards itself to addresses found on the infected computer as an email message with no message text.
The worm finds addresses to send itself to by searching the address book. Additionally it searches the internet cache and "My Documents" folders for web pages, looking for further email addresses to which to send itself.
If the worm is replying to mail found on the infected machine, it will use the infected users address in the From: field of the email, otherwise it will use one of the following addresses in the From: field:
" Anna"
"JUDY"
"Rita Tulliani"
"Tina"
"Kelly Andersen"
" Andy"
"Linda"
"Mon S"
"Joanna"
"JESSICA BENAVIDES"
" Administrator"
" Admin"
"Support"
"Monika Prado"
"Mary L. Adams"
The email uses a known exploit in certain versions of Outlook Express 5 in order to launch the attached file automatically. Microsoft has released a patch which reportedly addresses this vulnerability. It is available at http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsofts software, including the one exploited by this worm.)
The worm generates a subject line by reading email on the infected machine and "replying" to it. For instance,
Re:
For email addresses found via web pages in the internet cache or the "My Documents" folder, the subject line is simply "Re:" with no further text.
The worm attempts to create a name for the attached infected file by randomly generating it from three separate parts. The first part is taken from the list:
CARD
DOCS
FUN
HAMSTER
NEWS_DOC
HUMOR
IMAGES
info
ME_NUDE
New_Napster_Site
PICS
README
S3MSONG
SEARCHURL
SETUP
Sorry_about_yesterday
stuff
YOU_ARE_FAT!
The second from the list:
.DOC.
.MP3.
.ZIP.
(a bug inside the worm means that it never selects the ".ZIP." option)
and the last from:
pif
scr
For this reason the attached file can be called a large number of different names, including:
card.DOC.pif
docs.DOC.pif
fun.MP3.pif
HAMSTER.DOC.PIF
Humor.MP3.scr
IMAGES.DOC.pif
Me_nude.MP3.scr
New_Napster_Site.MP3.pif
Pics.DOC.scr
README.MP3.scr
S3MSONG.DOC.scr
SEARCHURL.MP3.pif
SETUP.DOC.scr
Sorry_about_yesterday.MP3.pif
Sorry_about_yesterday.MP3.scr
stuff.MP3.pif
YOU_ARE_FAT!.DOC.pif
YOU_are_FAT!.MP3.scr
If the attached file is run it may copy itself to the Windows or Windows system directory with the filename kernel32.exe and change the registry key HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunOnce so that the worm runs the next time Windows is started. Note that the registry key will refer to the original attachment if the worm has not created a copy in the Windows or Windows system directories.
The worm also drops a file named kdll.dll, which is the Troj/PWS-AV password-stealing Trojan horse.
W32/Badtrans-B uses the Trojan Troj/PWS-AV to log a users keystrokes in a file named cp_25389.nls in the Windows system directory. The log of keystrokes may be encrypted.
W32/Badtrans-B will attempt to send the log to one of the following email addresses:
ZVDOHYIK@yahoo.com
udtzqccc@yahoo.com
DTCELACB@yahoo.com
I1MCH2TH@yahoo.com
WPADJQ12@yahoo.com
fjshd@rambler.ru
smr@eurosport.com
bgnd2@canada.com
muwripa@fairesuivre.com
rmxqpey@latemodels.com
eccles@ballsy.net
suck_my_prick@ijustgotfired.com
suck_my_prick4@ukr.net
thisisno_fucking_good@usa.com
S_Mentis@mail-x-change.com
YJPFJTGZ@excite.com
JGQZCD@excite.com
XHZJ3@excite.com
OZUNYLRL@excite.com
tsnlqd@excite.com
cxkawog@krovatka.net
ssdn@myrealbox.com
W32/Badtrans-A and W32/Badtrans-B can be removed from Windows computers automatically with the following Resolve tools:
Windows disinfector
BADTRGUI is a disinfector for standalone Windows computers. To use it you have to do the following:
- Open BADTRGUI.com file from your desktop after downloading it.
- Click on the Start Scan Button.
- Wait for the process to complete.
Command line disinfector
BADTRSFX.EXE is a self-extracting archive containing BADTRCLI, a Resolve command line disinfector for use on Windows networks.
After removing the worm you should install the Microsoft patch MS01-027 or, on single computers, update with all relevant security patches from Windows update.

Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed.
Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
W32/Agobot-BT is a network worm which also allows unauthorised remote access to the computer via IRC channels.
W32/Agobot-BT copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
These vulnerabilities allow the worm to execute its code on target computers with System level privileges. For further information on these vulnerabilities and for details on how to protect/patch the computer against such attacks please see Microsoft security bulletins MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft security bulletin MS03-039.
W32/Agobot-BT copies itself to the Windows system folder as sysinfo.exe and creates the following registry entries to run itself on system restart:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
Configuration Loader
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
Configuration Loader
Each time W32/Agobot-BT is run it attempts to connect to a remote IRC server and join a specific channel.
W32/Agobot-BT attempts to terminate various processes related to anti-virus and security software (e.g. SWEEP95.EXE, BLACKICE.EXE and ZONEALARM.EXE).
W32/Agobot-BT, W32/Agobot-HD, W32/Agobot-HH, W32/Agobot-HL, W32/Agobot-HS, W32/Agobot-IJ, W32/Agobot-IK, W32/Agobot-LG, W32/Agobot-LT, W32/Agobot-MR, W32/Agobot-MW, W32/Agobot-NA, W32/Agobot-NZ, W32/Agobot-OT, W32/Agobot-OU, W32/Agobot-QF, W32/Agobot-QO,
Windows disinfector
AGOBTGUI is a disinfector for standalone Windows computers. To use it you have to do the following:
- Open AGOBTGUI.com file from your desktop after downloading it.
- Click on the Start Scan Button.
- Wait for the process to complete.
Command line disinfector
AGOBTSFX.EXE is a self-extracting archive containing AGOBTCLI, a Resolve command line disinfector for use by system administrators on Windows networks.
After removing the worm you should check the virus analysis for details of any Microsoft security updates you should make, or, on single computers, update with all relevant security patches from Windows update.
For W32/Agobot-HH, W32/Agobot-LT, W32/Agobot-NZ, W32/Agobot-OT, W32/Agobot-OU and W32/Agobot-SX you should replace the HOSTS file from backup, or open it in Notepad and remove any of the entries listed in the virus description.

Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms.
They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
W32/Alcra-B is a worm for the Windows platform.
W32/Alcra-B spreads via file sharing on P2P networks.
W32/Alcra-B includes functionality to download, install and run new malware executables. W32/Alcra-B is a worm for the Windows platform.
W32/Alcra-B spreads via file sharing on P2P networks.
W32/Alcra-B includes functionality to download, install and run new malware executables.
W32/Alcra-B typically arrives with the filename Setup.exe.
When first run W32/Alcra-B displays a dialog box with the text "Setup", "Welcome to the Setup Wizard ...". W32/Alcra-B creates the folder winupdates, copies itself to this folder as winupdates.exe and creates the following files:
winupdatesa.zip
cmd.com
bszip.dll
netstat.com
ping.com
regedit.com
taskkill.com
tasklist.com
tracert.com
All files and folders will have the hidden and system attributes set, including the Windows system folder.
a.zip is a zip archive containing a copy of W32/Alcra-B named Setup.exe.
Bszip.dll is a clean file compression utility.
The new files created in the Windows system folder by W32/Alcra-B with a COM extension are simply MZ stubs (2-byte files simply containing "MZ"), designed to disable the standard Windows applications: cmd, netstat, ping, regedit, taskkill, tasklist and tracert. Executables files with a COM extension have precedence over files with the same filename, but an extension of EXE, therefore if a user runs "cmd", "netstat", "ping", "regedit", "taskkill", "tasklist" or "tracert", the new file with a COM extension will be executed rather than the legitimate executable with an extension of EXE.
The following registry entry is created to run winupdates.exe on startup:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
winupdates
winupdateswinupdates.exe /auto
W32/Alcra-B can be removed from Windows computers automatically with the following Resolve tools:
Windows disinfector
ALCRAGUI is a disinfector for standalone Windows computers. To use it you have to do the following:
- Open ALCRAGUI.com file from your desktop after downloading it.
- Click on the Start Scan Button.
- Wait for the process to complete.
Command line disinfector
ALCRASFX.EXE is a self-extracting archive containing ALCRACLI, a Resolve command line disinfector for use by system administrators on Windows networks.

Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
Troj/Delf-ALI is a worm and IRC backdoor Trojan for the Windows platform.
Troj/Delf-ALI spreads to other network computers by exploiting common buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).
Troj/Delf-ALI runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
Troj/Delf-ALI includes functionality to access the internet and communicate with a remote server via HTTP.
When Troj/Delf-ALI is installed it creates the clean text file msguid32.dll.
The following registry entry is created to run Troj/Delf-ALI on startup:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
Microsoft IIS
Troj/Delf-ALI attempts to log details from banking applications related to the following sites:
www.halifax-online.co.uk
ibank.barclays.co.uk
online.lloydstsb.co.uk
online-business.lloydstsb.co.uk
www.ukpersonal.hsbc.co.uk
banesnet.banesto.es
extranet.banesto.es
ebanking.bccbrescia.it
www.bankofscotlandhalifax-online.co.uk
oi.cajamadrid.es
bancae.caixapenedes.com
banking.postbank.de
meine.deutsche-bank.de
myonlineaccounts2.abbeynational.co.uk
ibank.cahoot.com
webbank.openplan.co.uk
bancopostaonline.poste.it
mybank.bybank.it
ibank.internationalbanking.barclays.com
welcome7.co-operativebank.co.uk
welcome11.co-operativebankonline.co.uk
Troj/Delf-ALI modifies the HOSTS file in order to redirect access to the above sites.
Troj/Delf-ALI stores logged information to the following clean text files in the Windows system folder:
abbey.dll
bane.dll
bankofscot.dll
barc.dll
barc3.dll
bccbrescia.dll
bybank.dll
cahoot.dll
caixapenedes.dll
cajamadrid.dll
coo11.dll
coo7.dll
deutchebank.dll
halif.dll
hsbc.dll
lloy.dll
posta.dll
postbank.dll
wool.dll
Troj/Delf-ALI can be removed from Windows computers automatically with the following Resolve tools:
Windows disinfector
DELFAGUI is a disinfector for standalone Windows computers. To use it you have to do the following:
- Open DELFAGUI.com file from your desktop after downloading it.
- Click on the Start Scan Button.
- Wait for the process to complete.
- After removing the worm you should install the Microsoft patch MS04-012 or, on single computers, update with all relevant security patches from Windows update.
Command line disinfector
DELFASFX.EXE is a self-extracting archive containing DELFACLI, a Resolve command line disinfector for use by system administrators on Windows networks.