Page last modified Wednesday, 13-Feb-2008 13:28:07 CST
Protect Your PC: Download tools to protect your PC from virus infections, worms, spyware, adware and more!
Microsoft® Windows® Malicious Software Removal Tool (Windows XP, Windows 2000, and Windows Server 2003)
Symantec Virus Removal Tools
AVG Virus Removal Tools
McAfee AVERT Stinger Virus Removal Tool
Microsoft toll-free number for no-charge virus-related support: 1-866-PCSAFETY - (1-866-727-2338)
HALNet's virus scanning software stopped 8000 messages infected with the Mydoom worm in 10 hours on January 26th BEFORE they reached our subscribers' mailboxes! If you do not already subscribe to this service, we are offering a 30-day FREE TRIAL! Go to the Postini filter login page and input your email address and password. Your account will automatically be activated. If you decide within the 30-day period that you do not want the filter service, just call the office at 713-341-8104 or email registrar@hal-pc.org to cancel.
Please do not perpetuate virus hoaxes by forwarding 'warnings' to friends without confirming their accuracy! Trend Micro has a Virus Hoax Information Page. Check there before clogging the Internet with bad information!
A very common hoax is the JDBGMGR hoax. In it, users are warned of a virulent virus that drops an infected file, JDBGMGR.EXE, on the user's hard drive. The message gives instructions on how to remove the file. JDBGMGR.EXE is actually the Microsoft Debugger Registrar for Java, a legitimate Windows component; it uses an icon of a bear. If you have been the victim of this hoax and have deleted this file, you can visit the Microsoft information page for instructions on how to retrieve it.
Trend Micro Virus Information and Virus Scan
NOTE: This page contains extensive JavaScript code provided by Trend Micro. When their servers become overloaded (especially during heavy virus/worm activity), the code may fail and send you to a Trend Micro error message page. Please be patient and try again.
See the Virus and Spam Filter information page for information about HALNet's email filter system.
Valentine Storm Variant
February 13, 2008
Just in time for Valentine's Day, a new variant of the well-known Storm worm hit mailboxes last night. Ad-Aware detects Storm as Zhelatin, this time with an executable simply named "valentine.exe". In January we saw the first wave of the Storm Valentine propagation email campaign; it is back now with a few slight changes, but enough to make it undetectable by most anti-malware applications.
Some of the subject lines for this new variant include:
"Just you", "Rockin' Valentine", "My Heart", "Be My Valentine"
Some of the bodies include:
"World Love", "Powerful Love", "My Love", and "Rockin' Valentine"
The body text is followed by an IP-based URL. The web pages for Storm now sport pretty Valentine's Day card-like images, sort of like the ones we all received when we were children. When executed, valentine.exe adds a service to the registry and drops a .sys and an .ini file into %system32%. The .ini file has the constant name diperto.ini, and the .sys file has a name similar to diperto3de3-4a72.sys, with diperto being the constant part. From what I have seen, the service carries the same name as the .sys file.
Make certain your anti-adware/spyware software is up to date, do NOT open cute email (even if you THINK you know where it came from!) and NEVER open an attachment you are not expecting. IF IN ANY DOUBT, contact the apparent sender.
FAKE PATCH EMAIL
April 11, 2007
A new worm is being circulated in an email that states that there has been unusual activity associated with the user's IP address, due to a worm for which no patch has been issued. The email advises the user to open a ZIP file that is attached to the email and install the enclosed patch. The fake 'patch' contains a worm.
Delete the email immediately and do NOT open the ZIP file.
-----------------------
From: Customer Support
Subject: Worm Alert!
Dear customer our robot has detected an abnormal activity from your IP address on sending emails.
Probably it is connected with the last epidemic of a worm which does not have official patches at the moment.
We recommend you to install this patch to remove worm files and stop email sending, other wise your account will be blocked.
We had archived the patch because the worm can modify unpatched exe files.
You should open the archive file enter the password and run the patch immediately.
Password AIM05
Customer support robot.
-------------------------------------
FAKE HAL-PC.ORG SUPPORT EMAIL
March 27, 2007
A fake, virus-laden email is circulating that appears to come from HAL-PC support
Subject line: DETECTED Online User Violation
Return address: info@hal-pc.org
Text:
Dear hal-pc.org Member,
Your e-mail account was used to send a huge amount of unsolicited
spam messages during the recent week. If you could please take 5-10
minutes out of your online experience and confirm the attached
document so you will not run into any future problems with the
online service.
Virtually yours,
The hal-pc.org Support Team
The email has an attached ZIP file named account-info.zip.
If you receive this email, delete it WITHOUT OPENING THE ZIP FILE. ANY TIME you are suspicious of an email that seems to come from our support team please call the office at 713-993-3300 to make sure it is legitimate!
W32.Nyxem.E@mm, aka W32.Blackmal.E@mm, Kama Sutra Worm
February 3, 2006
W32.Blackmal.E@mm is a mass-mailing worm that is also referred to as the “Kama Sutra worm” due to the content contained in some of the e-mails it sends out. The worm attempts to spread through network shares and lower security settings. On the third day of every month it attempts to rewrite files with certain extensions with custom text.
Disinfection Utility
F-Secure Corporation provides a special disinfection utility to clean a Nyxem.E infection from a computer. This utility is called F-Force and can be downloaded from F-Secure's web and FTP sites:
ftp://ftp.f-secure.com/anti-virus/tools/f-force.zip
http://www.f-secure.com/tools/f-force.zip
The utility is distributed only in a ZIP archive that contains the following files:
f-force.exe - the main executable file
eult.rtf - End User License Terms document
readme.rtf - Readme file in RTF format
readme.txt - Readme file in ASCII format
Create a folder and unpack the archive, using WinZip or similar program.
IMPORTANT! Please make sure that you read the End User License Terms document (Eult.rtf) and the Readme file (either Readme.txt or Readme.rtf) before using the F-Force utility!
The F-Force utility needs the archive with the latest updates in order to function properly. The archive's name is LATEST.ZIP and it should be downloaded and put into the same folder where the F-Force utility is located. You don't have to unpack anything, just put the LATEST.ZIP file as is into the folder where you extracted the other files. This archive with the latest updates can be downloaded from these locations:
http://download.f-secure.com/latest/latest.zip
ftp://ftp.f-secure.com/anti-virus/updates/latest/latest.zip
Windows Metafile (WMF) Image Vulnerability
January 5, 2006
What is the Windows Metafile (WMF) image format?
A Windows Metafile (WMF) image is a 16-bit metafile format that can contain both vector information and bitmap information. It is optimized for the Windows operating system.
What is the scope of the vulnerability?
"This is a remote code execution vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system."
Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
W32.Sober.X@mm
November 19, 2005
W32.Sober.X@mm is a mass-mailing worm that uses its own SMTP engine to spread and lowers security settings. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German.
Subject: One of the following:
Your Password
Registration Confirmation
smtp mail failed
Mail delivery failed
hi, ive a new mail address
You visit illegal websites
Your IP was logged
Paris Hilton & Nicole Richie
Message: One of the following:
Account and Password Information are attached!
This is an automatically generated Delivery Status Notification. SMTP_Error [ ]
hey its me, my old address dont work at time. i dont know why?!
we have logged your IP-address on more than 30 illegal Websites.
See Symantec Security Response for more details
W32.Mytob.MC@mm
November 22, 2005
W32.Mytob.MC@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer. Mytob.MC attaches itself to an email with one of the following subject lines:
Claim Your Free 4GB iPod nano!
Retrive You Free iPod Nano!
*IMPORTANT* Winnings notification
Shipping Address Request (YourFreeiPod.com)
Your Account is a winner
Free Account Signup
Claim your free prize
Free Prize.
Important Notification
YourFreeiPod Support
Sending Free iPod measures
Winnings Claim
Notice of prize winnings
See http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.mc@mm.html for details.
W32.Mytob.LO@mm
November 13th 2005
W32.Mytob.LO@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.
FROM: (One of the following)
service@[DOMAIN NAME]
info@[DOMAIN NAME]
register@[DOMAIN NAME]
mail@[DOMAIN NAME]
webmaster@[DOMAIN NAME]
admin@[DOMAIN NAME]
support@[DOMAIN NAME]
SUBJECT: (One of the following)
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
See Symantec Security Response for further details.
W32.Zotob.A-E@mm
August 15th 2005
Zotob is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) on TCP port 445 on Windows 2000–based computers. This worm and its variants install malicious software, and then search for other computers to infect. Zotob can run on, but not infect, computers running Windows 95/98/Me/NT4/XP. Although computers running these operating systems cannot be infected, they can still be used to infect vulnerable computers that they can connect to.
See Symantec Security Response for more details. Be sure you have installed the latest Microsoft security patches!
W32.Mytob.ES@mm
June 15th 2005
W32.Mytob.ES@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer. It is carried by an email that contains one of the following subjects.
Subject: (One of the following):
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
The worm opens a back door by connecting to an IRC channel on the a.zero-sec.info domain. It listens for commands that allow the remote attacker to perform any of the following actions:
Execute files
Download files
Perform other IRC commands determined by the attacker
Restart the compromised computer
See Symantec for details, including a list of email bodies used by the worm.
Trojan.Ascetic.C
May 25, 2005
Trojan.Ascetic.C is a Trojan horse that uses its own SMTP engine to send spam email to addresses gathered from the compromised computer. The email may be in either English or German. See Symantec Security Response for more detail, including lengthy list of subjects and message bodies.
W32.Mydoom.BO@mm
May 8, 2005
W32.Mydoom.BO@mm is a worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm also opens a back door on TCP port 6677.
Subject: One of the following:
Notice: **Last Warning**
Your email account access is restricted
Your Email Account is Suspended For Security Reasons
Notice:***Your email account will be suspended***
Security measures
Email Account Suspension
*IMPORTANT* Please Validate Your Email Account
*IMPORTANT* Your Account Has Been Locked
Read Symantec Security Response for more details.
W32.Sober.O@mm
May 3, 2005
W32.Sober.O@mm is a mass-mailing worm that sends itself as an email attachment to addresses gathered from the compromised computer. It uses its own SMTP engine to spread. The email may be in either English or German. When W32.Sober.O@mm is executed, it displays a message with the following text:
Title: WinZip Self-Extractor
Body: Error: CRC not complete
Subject:
One of the following:
Re:Your Password
Re:Registration Confirmation
Re:Your email was blocked
Re:mailing error
Re: [blank]
Message:
One of the following:
ok ok ok,,,,, here is it
Account and Password Information are attached!
Visit: http:/ /www.[random domain]
This is an automatically generated E-Mail Delivery Status Notification.
Mail-Header, Mail-Body and Error Description are attached
Appends one of the following to the bottom of the message:
Attachment-Scanner: Status OK
AntiVirus: No Virus found
Server-AntiVirus: No Virus (Clean)
http:/ /www.[random domain]
Attachment:
One of the following:
our_secret.zip
mail_info.zip
error-mail_info.zip
account_info.zip
account_info-text.zip
Note: The attachment will be a zip file containing a copy of the worm. The file name within the zip file will be Winzipped-Text_Data.txt[many spaces].pif or Winzipped-Text_Data.txt[many spaces].exe.
See Symantec Security Response for details.
W32.Beagle.BG@mm & .BH@mm
March 10, 2005
New Beagle variants BH and BG are proliferating.
.BH is a mass-mailing worm that comes as a zip attachment to an HTML-formatted email. The offending message has a spoofed sender address and a blank subject line. The body of the email may contain a password for opening the zip attachment.
The attachment has one of the following file names:
- price.zip
- price2.zip
- price_new.zip
- price_08.zip
- 08_price.zip
- newprice.zip
- new_price.zip
- new__price.zip
See Symantec Security Response for more details.
.BG contains a worm that opens a back door and allows a remote attacker to have unauthorized access to the compromised computer. The message has a spoofed sender address and blank subject line and a zip attachment with one of the file names listed above for .BH.
See Symantec Security Response for more details.
TROJ_BAGLE.BE
March 10, 2005
Related to: WORM_BAGLE.BE
This Trojan usually arrives on a system as a .ZIP compressed file attached on an email message. This Trojan is capable of terminating processes related to antivirus and security applications.
This Trojan's dropped file WIWSHOST.EXE deletes registry entries under the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
This Trojan also prevents users from accessing antivirus Web sites by appending entries in the system's HOSTS file.
See the Trend Micro Virus Page for more information.
W32.Erkez.D@mm
December 15, 2004
Also known as Zafi.D
W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer. The attachment has a .cmd, .bat, .pif, .com or .zip extension. The message body is in HTML format and contains a Christmas greeting, with the language chosen according to the recipient's domain. When the worm is launched it copies itself as Norton Update.exe, plus another file with a random name and a .dll extension, into the Windows System directory and registers itself as Wxp4 in the Run key of the Windows Registry.
See Symantec Security Response for more information
W32.Sober.I@mm
November 19, 2004
W32.Sober.I@mm is a mass-mailing worm that uses its own SMTP engine to spread by sending itself as an email attachment to addresses gathered from the infected computer. The subject of the email varies and will be in either English or German. The email sender address is spoofed. The name of the email attachment varies, and it will have a .bat, .com, .pif, .scr, or .zip file extension. The attachment may also have a double extension.
See Symantec Security Response for details, including a list of subject lines and message bodies generated by the worm.
W32.Mydoom.AB@mm
September 20, 2004
W32.Mydoom.AB@mm is a mass-mailing worm that downloads a copy of Backdoor.Nemog.D and spreads via ICQ and the Kazaa file-sharing network. It carries a very long list of first and last names and a long list of subjects. See Symantec Security Response for details.
W32.Mexer.E@mm
September 20, 2004
W32.Mexer.E@mm is a mass-mailing worm that also spreads through several file-sharing networks.
Subject: (One of the following)
EBAY Information
VISA Information
Provider Information
Your Crack
Internet Information
See Symantec Security Response for more information.
W32.Mydoom.m@mm
July 26, 2004
W32.Mydoom.M@mm is a mass-mailing worm that opens a backdoor and uses its own SMTP engine to spread through email.
Subject: (One of the following)
say helo to my litl friend
click me baby, one more time
hello
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
See Symantec Security Response for details.
W32.Beagle.AG@mm
July 19, 2004
W32.Beagle.AG@mm is a mass-mailing worm that uses its own SMTP engine to spread through email and opens a backdoor on TCP port 1080. The email's subject line, body, and attachment name vary. The attachment will have a .com, .cpl, .exe, .scr or .zip file extension.
When activated, this virus sends email to addresses collected from the infected computer, terminates processes associated with various security related programs and allows unauthorized remote access to the infected computer.
See Symantec Security Response for details and removal instructions.
Internet Explorer BHO Exploit
June 29, 2004
A "Browser Helper Object" is a DLL that allows developers to customize and control Internet Explorer. When IE 4.x and higher starts, it reads the registry to locate installed BHO's and then loads them into the memory space for IE. Created BHO's then have access to all the events and properties of that browsing session. This particular BHO watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.
When an outbound HTTPS connection is made to such a URL, the BHO then grabs any outbound POST/GET data from within IE before it is encrypted by SSL. When it captures data, it creates an outbound HTTP connection to http://www.refestltd.com/cgi-bin/yes.pl and feeds the captured data to the script found at that location.
See: http://isc.sans.org/presentations/banking_malware.pdf for a full write-up. BHO Demon is a utility that protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. BHODemon is free, runs in the tray area, and works on Windows 95 or later operating systems. Download BHO Demon 2.0 here (freeware).
Download.ject
June 25, 2004
Web servers running Windows 2000 Server and IIS that have not applied update 835732, which was addressed by Microsoft Security Bulletin MS04-011, are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code. Internet Explorer users should see the Microsoft security page for instructions on how to see if their machines are infected.
W32.Paps.A@mm
June 15, 2004
W32.Paps.A@mm is a mass-mailing worm that sends itself as an attachment to the email addresses that it finds on your computer. The email will have a variable subject and file attachment. The attachment will have a .exe file extension.
See Symantec Security Response for details and removal instructions.
W32/Zafi.b@MM
June 14, 2004
W32/Zafi.b@mm (aka W32.Erkez.B@mm) is a mass-mailing worm that sends itself to the email addresses found on an infected computer. When it infects a computer it attempts to overwrite executables associated with security products installed on that machine. The worm spreads by sending itself to e-mail addresses taken from files with htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml and pmr extensions. The sender's address is spoofed.
To remove the worm:
- Disable System Restore (Windows Me/XP).
- If required, reinstall Symantec AntiVirus, Norton AntiVirus or any other products that may have been affected by the threat.
- Update the virus definitions.
- Do one of the following:
Windows 95/98/Me: Restart the computer in Safe mode.
Windows NT/2000/XP: End the malicious process.
- Run a full system scan and delete all the files detected as W32.Erkez.B@mm.
- Reverse the changes made to the registry.
For details on each of these steps, see Symantec Security Response
W32.Netsup.A@mm
May 30, 2004
W32.Netsup.A@mm is a mass-mailing worm that sends itself to addresses gathered from the Microsoft Outlook address book. The worm can also distribute itself through peer-to-peer file-sharing networks.
From: May contain one of the following:
- NetworkSupport@
- An address taken from the Microsoft Outlook address book.
Subjects: May contain one of the following:
- Tragedy
- Protecting your PC
- This pic of you is funny
- W32.Netsky and W32.Beagle protection
- Finances for the week
- Mail Delivery Subsystem Error
- Careful
- Undeliverable Message
- Mail Delivery Failed
Message Body: A message sent could not be delivered to one or more of its recipients correctly. This is a permanent error. Attached is a copy of the original message.
Attachment: message.eml.pif
See: Symantec Security Response for more details
W32.Sober.G@mm
May 18, 2004
W32.Sober.G@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. The subject of the email varies, and it will be in either English or German. The email sender address is spoofed. The name of the email attachment varies, and it will have a .bat, .com, .pif, .scr, or .zip file extension. It may also have a double extension. The message will sometimes contain a fake anti-virus clearance that appears to come from the sender's ISP, for example:
+-+-+ X- Mail_Scanner: No Virus found
+-+-+ - AntiVirus Service
+-+-+ http://www.
Symantec Security Response has developed a removal tool to clean the infections of W32.Sober.G@mm.
W32.Bobax.C
May 18, 2004
W32.Bobax.C is a worm that exploits the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. Infected computers can become an email relay. Install Microsoft security patches immediately. A side effect of this exploit is that it eventually crashes the LSASS process, forcing the computer to restart, the same effect produced by W32.Sasser.Worm.
If you are running Windows XP, we recommend that you temporarily turn off System Restore. Follow the instructions below for disabling the Sasser worm.
See Symantec Security Response for more details.
W32.Sasser.E.worm
May 10, 2004
Microsoft Sasser Worm Information Page
W32.Sasser.E.Worm is a minor variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability, described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly selected IP addresses for vulnerable systems. W32.Sasser.E.Worm differs from W32.Sasser.Worm as follows:
- Uses a different mutex: SkynetNotice.
- Uses a different file name: lsasss.exe.
- Creates a different value in the registry: "lsasss.exe"
- Uses different port numbers for its FTP server and remote shell: 1023 and 1022.
- After 2 hours of running it displays a message.
- It deletes the values from the registry, which are known to be installed by Trojan.Mitglieder, W32.Beagle.W@mm, and W32.Beagle.X@mm.
- The name of the file retrieved from the FTP server is followed by _update.exe.
- The worm logs data into the file C:\ftplog.txt.
W32.Sasser.E.Worm can run on, but not infect, Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable computers.
Disabling Sasser.e:
Before you begin: If you are running Windows 2000 or XP, and have not yet done so, you must patch for the vulnerability described in Microsoft Security Bulletin MS04-011. If you do not, it is likely that your computer will continue to be reinfected.
What to do if the computer shuts down before you can patch
This threat can cause Windows to keep shutting down and restarting. This can prevent you from installing the Microsoft patch. To prevent the shut down, do the following. (You may have to try this several times, as you only have about 20 seconds to do steps 3 to 6.) (This will not work on Windows 2000.)
- Disconnect the computer from the network/Internet connection. (Disconnect the cable if necessary.)
- Restart the computer.
- As soon as Windows opens and you see the Windows desktop, click Start > Run.
- Type:
cmd
and press Enter.
- Type:
shutdown -i
and press Enter.
- In the Remote Shutdown Dialog that opens, change 20 seconds to:
9999
and click OK.
This gives you about three hours to get the patch installed, update the definitions, and so on.
- Reconnect the network/Internet connection, get the patch, then continue with the steps described below.
When you have patched for and removed the threat, you can re-enable the 20 second default warning if you want to.
See Symantec Security Response for more details for removing the worm from your computer.
W32/Sasser.worm
May 2, 2004
The Sasser.A worm affects computers running Windows NT4, Windows 2000 and Windows XP. This worm does NOT spread through email. No user action is required to become infected or to spread this worm. Sasser.A operates in much the same way as the Blaster worm did: it enters and infects computers through a hole in the operating system. Microsoft issued a patch to block this 'hole' in April; see the Microsoft Security Update Information Page for more information and links to the updates.
A side-effect of the worm is for the service, LSASS.exe to crash, which will cause your system to reboot after the crash occurs. The Microsoft system message you may see starts as follows:
LSA Shell (Export Version) has encountered a problem and needs to close. We are sorry for the inconvenience.
followed by a system shutdown message.
McAfee has developed a Stinger Tool to scan your system and remove the virus. Symantec has also developed a Removal Tool.
To end the malicious process on Windows 2000/XP computers:
- Press Ctrl+Alt+Delete once.
- Click Task Manager.
- Click the Processes tab.
- Double-click the Image Name column header to alphabetically sort the processes.
- Scroll through the list and look for the following processes:
avserve2.exe
any process with a name consisting of four or five digits followed by _up.exe (e.g. 74354_up.exe).
- If you find any such process, click it, and then click End Process.
- Exit the Task Manager.
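The alerts on this page give concrete host indicators: Storm's diperto.ini and diperto*.sys files with a service of the same name (Valentine Storm Variant), Sasser's avserve2.exe and NNNNN_up.exe processes, Sasser.E's lsasss.exe and C:\ftplog.txt, and Zafi.D's Norton Update.exe with its Wxp4 Run value. The Python script below is an added example, not HALNet's, Symantec's or Microsoft's code, that applies those indicators to a constructed snapshot of a process list, a file list, a service list and a Run key instead of reading a live machine. The lookalike check (flagging any process name within one character of lsass.exe or another system binary) generalizes the lsasss.exe case and is an assumption of this example, not something the alerts state.

```python
import re

# Process names given in the alerts: Sasser's avserve2.exe and NNNNN_up.exe,
# Zafi.D's "Norton Update.exe".
BAD_PROCESS = [re.compile(p, re.I) for p in
               (r"^avserve2\.exe$", r"^\d{4,5}_up\.exe$", r"^norton update\.exe$")]
# Files the alerts name: Storm's diperto.ini and diperto*.sys, Sasser.E's ftplog.txt.
BAD_FILE = [re.compile(p, re.I) for p in (r"^diperto.*\.(sys|ini)$", r"^ftplog\.txt$")]
# HKLM\Software\Microsoft\Windows\CurrentVersion\Run values named in the alerts.
BAD_RUN_VALUES = {"wxp4", "lsasss.exe"}
# Genuine system processes. Sasser.E's lsasss.exe is lsass.exe plus one letter;
# assumption (not from the alerts): any name within one edit of these is suspect.
SYSTEM_NAMES = ("lsass.exe", "svchost.exe", "services.exe", "csrss.exe",
                "winlogon.exe", "explorer.exe", "smss.exe")


def basename(path):
    """Last component of a Windows or POSIX path, whatever host this runs on."""
    return re.split(r"[\\/]", path)[-1]


def within_one_edit(a, b):
    """True if a differs from b by exactly one inserted, deleted or changed character."""
    a, b = a.lower(), b.lower()
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += len(a) >= len(b)  # skip the extra char in the longer string,
        j += len(b) >= len(a)  # or both chars on a substitution
    return edits + (len(a) - i) + (len(b) - j) == 1


def check_host(processes, files, services, run_values):
    """Apply the indicators to snapshot lists and return readable findings."""
    findings = []
    for proc in processes:
        if any(p.match(proc) for p in BAD_PROCESS):
            findings.append(f"process {proc}: named in a worm alert")
        findings += [f"process {proc}: lookalike of {legit}"
                     for legit in SYSTEM_NAMES if within_one_edit(proc, legit)]
    for path in files:
        if any(p.match(basename(path)) for p in BAD_FILE):
            findings.append(f"file {path}: named in a worm alert")
    # Storm's service carries the same name as its diperto*.sys driver file.
    drivers = {basename(p)[:-4].lower() for p in files if p.lower().endswith(".sys")}
    findings += [f"service {svc}: same name as driver {svc}.sys (Storm)"
                 for svc in services
                 if svc.lower().startswith("diperto") and svc.lower() in drivers]
    findings += [f"Run value {name} -> {data}: named in a worm alert"
                 for name, data in run_values.items() if name.lower() in BAD_RUN_VALUES]
    return findings


# Constructed snapshot of an infected XP box (not captured from a real system),
# in the shape tasklist, a dir of system32, sc query and a Run key export give.
SAMPLE_PROCESSES = ["System", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "lsasss.exe", "svchost.exe", "explorer.exe",
                    "74354_up.exe", "avserve2.exe", "Norton Update.exe"]
SAMPLE_FILES = [r"C:\WINDOWS\system32\kernel32.dll", r"C:\WINDOWS\system32\diperto.ini",
                r"C:\WINDOWS\system32\diperto3de3-4a72.sys", r"C:\ftplog.txt"]
SAMPLE_SERVICES = ["Dhcp", "Dnscache", "diperto3de3-4a72", "Eventlog"]
SAMPLE_RUN = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
              "Wxp4": r"C:\WINDOWS\System32\Norton Update.exe"}


def scan_sample():
    """Findings for the constructed snapshot above."""
    return check_host(SAMPLE_PROCESSES, SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_RUN)
```

On a real machine the four lists would come from tasklist, a directory listing of %system32%, sc query and a registry export of the Run key; the matching logic stays the same, and a hit on the lookalike rule should be confirmed against the file's path and signature before anything is killed.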
W32.Netsky.Y,Z@mm
April 20, 2004
W32.Netsky.Y@mm and W32.Netsky.Z@mm are variants of W32.Netsky.X@mm that scan for email addresses on all non-CD-ROM drives of an infected computer. The worm then uses its own SMTP engine to send itself to the email addresses it finds.
The emails are formatted as follows:
Netsky.Y:
Subject: Delivery failure notice (ID-)
Attachment: www...session-.com
This threat is compressed with PE-Pack.
Netsky.Z:
Subject: (one of the following)
Hello
Hi
Important
Important bill!
Important data!
Important details!
Important document!
Important informations!
Important notice!
Important textfile!
Important!
Information
Attachment: (zip file with one of the following file names)
Bill.zip
Data.zip
Details.zip
Important.zip
Informations.zip
Notice.zip
Part-2.zip
Textfile.zip
Symantec Security Response has developed a removal tool to clean the infections of Netsky.
W32.Sober.F@mm
April 3, 2004
W32.Sober.F@mm is a variant of W32.Sober.E@mm that spreads by sending itself as an email attachment using its own SMTP engine. The worm also attempts to download and execute a file from a remote Web site. The email may appear to come from the user's ISP. The Subject: and Body: of the email vary and are written in German or English. Subject lines include:
- Faulty mail delivery
- Mail delivery failed
- Mail Error
- Illegal signs in Mail-Routing
- Connection failed
- Invalid mail sentence length
- Mail Delivery failure
- Message Error
- mail delivery status
- Confirmation Required
- Bad Gateway
- Warning!
Fake error message of the virus:
Microsoft Windows
STOP: 0x80070725 {FatalSystemError}
System File [filename].exe
Connection lost or blocked by Firewall
See Symantec Security Response for more information. Symantec has also developed a removal tool.
W32.Witty.Worm
March 18, 2004
This memory-resident worm spreads on systems running BlackICE. It does not drop any file or create any registry entries. The worm spreads across the network via UDP packets sent from source port 4000 to random destination ports, targeting 20,000 randomly generated IP addresses. It opens a random physical disk drive and may overwrite a random sector of the affected hard disk. Note that the malware code resides only in the memory of affected BlackICE systems and has no file counterpart. Because of this, antivirus file scanners are unable to detect the code and there is no applicable pattern file.
The HALNet staff recommends that any user currently running BlackICE on their system REMOVE IT IMMEDIATELY.
W32.Beagle.*@mm
March 15, 2004
Beagle variants continue to proliferate. These viruses pull the domain name from the recipient's email address and purport to be a warning message from the administrative staff of the provider. For example, a Beagle virus email to a user of the hal-pc.org domain will contain a message that claims to be from the Hal-pc.org staff. For HALNet users, this is a dead give-away, since we always refer to ourselves as HALNet staff, not hal-pc.org staff. We also do not send attachments with email. See Symantec Security Response for a list of subject lines and message bodies used by this virus.
The virus-infected email asks the user to open an attachment for instructions. Often the attachment is a .zip file, which is password protected. This is a way to get past virus scanners, which are unable to scan password-protected .zip files for viruses.
Symantec Security Response has issued a Removal Tool should you find you are infected with Beagle.
W32/Bagle.J@mm
March 2, 2004
One more Bagle variant - Bagle.J has been found spreading late on March 2nd, 2004. This variant spreads as an executable file or in a password protected ZIP archive. The attachment would contain an executable file with a Wordpad icon. The messages the worm sends are tricky, as they refer to the recipients domain or company name. One of our users forwarded the following to HALNet tech support:
Hello user of Hal-pc.org e-mail server,
We waren you about some attacks on your e-mail account. Your computer may contain viruses. in order to keep your computer and e-mail account safe, please follow the instructions.
Please, read the attach for further details.
For security purposes the attached file is password protected. Password "63117".
Best wishes,
The Hal-pc.org team http://www.hal-pc.org
See F-Secure's website for a more complete list of subject lines and message bodies used by the worm.
The worm copies itself to shared folders on an infected computer, which also lets it spread through file-sharing clients. The worm kills processes of anti-virus and security software. The worm opens PHP scripts on select web pages with certain parameters. This is done for tracking purposes: the site owner gets the IP address of an infected computer and the backdoor's port number.
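The tricks described in the two Beagle/Bagle entries above (a message posing as the recipient's own provider, a password-protected ZIP that scanners cannot open) and the double-extension and .pif attachments used by later entries on this page (Mimail's photos.jpg.exe and readnow.doc.scr, Sobig.F's your_document.pif, MyParty's www.myparty.yahoo.com) can all be caught before delivery by a filter that looks at the message structure rather than only scanning attachment contents. The following Python script is an added example, not HALNet's Postini filter or any vendor's code; its four sample messages are constructed, and the hal-pc.org lure text is modelled on the forwarded message above. It also shows a point worth knowing: the member names inside a password-protected ZIP are not encrypted, so a filter can still see that the archive carries an .exe even when it cannot scan the contents.

```python
"""Attachment triage for the lures described in the Beagle/Bagle entries.

Added example, not HALNet's filter code. It models three tricks the bulletins
describe: an "administrator" message whose claimed sender is the recipient's own
mail domain, a password-protected ZIP that a scanner cannot open, and an
executable hidden behind a double extension. All sample messages are constructed.
"""
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows runs on double-click; the ones the bulletins list.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".cmd", ".bat")
# Words a worm uses to pose as the recipient's provider ("Hal-pc.org team").
ADMIN_WORDS = ("team", "staff", "e-mail server", "administrator")


def exec_ext(filename):
    """Executable extension of a filename, catching 'photos.jpg.exe' too."""
    lower = filename.lower()
    return next((e for e in EXEC_EXTS if lower.endswith(e)), None)


def inspect_zip(data):
    """Reasons to quarantine a ZIP. Member names sit unencrypted in the central
    directory, so a password-protected archive still reveals that it carries an
    executable even though its content cannot be scanned."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                reasons.append(f"zip member {zi.filename!r} is password protected; cannot be scanned")
            ext = exec_ext(zi.filename)
            if ext:
                reasons.append(f"zip member {zi.filename!r} is executable ({ext})")
    return reasons


def triage(raw):
    """Return the list of reasons to quarantine a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    lure = re.compile(r"\b%s (%s)\b" % (re.escape(domain), "|".join(ADMIN_WORDS)))
    reasons = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename is None:
            # Plain-text body: does it claim to come from the recipient's own domain?
            if domain and part.get_content_type() == "text/plain":
                text = part.get_payload(decode=True).decode("utf-8", "replace").lower()
                if lure.search(text):
                    reasons.append(f"body poses as the {domain} administrators")
            continue
        ext = exec_ext(filename)
        if ext:
            reasons.append(f"attachment {filename!r} is executable ({ext})")
        elif filename.lower().endswith(".zip"):
            reasons.extend(inspect_zip(part.get_payload(decode=True)))
    return reasons


def build_message(to_addr, body, filename, payload):
    """Assemble a raw message with one binary attachment (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "admin@hal-pc.org"   # spoofed, as in the bulletins
    msg["To"] = to_addr
    msg["Subject"] = "E-mail account security"
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_string()


def make_zip(member, password_protected=False):
    """Build a ZIP holding one harmless member. With password_protected=True the
    encryption flag bit is set in every header to mimic the archives Beagle
    sends; the data itself stays unencrypted (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, b"not a real program")
    data = bytearray(buf.getvalue())
    if password_protected:
        # flag field: offset 6 in a local file header, offset 8 in a central one
        for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + offset] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


BEAGLE_LIKE = build_message(
    "user@hal-pc.org",
    "Hello user of Hal-pc.org e-mail server,\nPlease read the attach for further details.\n"
    'For security purposes the attached file is password protected. Password "63117".\n'
    "The Hal-pc.org team",
    "details.zip", make_zip("details.exe", password_protected=True))
MIMAIL_LIKE = build_message("user@example.net", "Right now enjoy the photos.",
                            "wendy.zip", make_zip("For_greg_with_love.jpg.exe"))
SOBIG_LIKE = build_message("user@example.net", "Please see attached file for details",
                           "your_document.pif", b"not a real program")
CLEAN = build_message("user@example.net", "Minutes from today's meeting attached.",
                      "minutes.pdf", b"%PDF-1.4 constructed")

if __name__ == "__main__":
    for label, raw in (("beagle", BEAGLE_LIKE), ("mimail", MIMAIL_LIKE),
                       ("sobig", SOBIG_LIKE), ("clean", CLEAN)):
        print(label, triage(raw))
```

The executable-extension test is deliberately applied to the whole filename, so www.myparty.yahoo.com is flagged as a .com program rather than mistaken for a web address, and a ZIP member is judged by its name even when the archive is locked.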
W32.Netsky.C,D,E@mm
March 1, 2004
W32.Netsky.C, .D and .E are mass-mailing worms that use their own SMTP engines to send themselves to the email addresses they find when scanning hard drives and mapped drives. These worms also search drives C through Y for folder names containing "Shar" and copy themselves to those folders.
THE FROM: ADDRESS IS SPOOFED. See Netsky.C, Netsky.D and Netsky.E for information on subject lines, message bodies and attachments.
Symantec has developed a Removal Tool for removal of Netsky variants.
W32.Netsky.B@mm
February 18, 2004
W32.Netsky.B is a mass-mailing worm that uses its own SMTP engine.
Message: (One of the following)
anything ok?
what does it mean?
ok i'm waiting
here is the document.
and about 20 more.
Attachment Name: (One of the following)
document msg doc talk message creditcard details
and about 20 more.
Attachment Extension 1: (May include one of the following)
.txt .rtf .doc .htm
Attachment Extension 2: (One of the following)
.exe .scr .com .pif
See Symantec Security Response for more information. Remove the worm using the W32.Netsky.B@mm Removal Tool.
W32.Novarg.A@mm/I-WormMydoom
January 26 - McAfee
Mydoom (or Novarg) is a mass-mailing worm that arrives in an email message as follows:
From: (spoofed)
Subject: (Random)
Body: (Varies - appears to contain an error message, such as)
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The message contains Unicode characters and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)
The icon used by the file tries to make it appear as if the attachment is a text file. The worm opens a connection on TCP port 3127, suggesting remote access capabilities. If you open the file, Notepad opens and fills with nonsense characters. On February 1, 2004, the worm starts a DoS attack on the site www.sco.com.
See McAfee or Symantec Security Response for more information.
NOTE: the 'From' address in these virus emails is SPOOFED. You may receive a notice from someone's virus screening service that indicates that you have sent a virus to someone. PLEASE JUST DELETE THESE NOTICES - your spoofed email address has been picked up by the virus scanning software and the notice automatically generated.
W32.Beagle.B@mm
February 19 - Symantec Security Response
W32.Beagle.B@mm is a mass-mailing worm that opens a backdoor on TCP port 8866. The worm uses its own SMTP engine for email propagation. It can also send the attacker the port on which the backdoor listens and a randomized ID number.
See Symantec Security Response for more information. Remove the worm using the W32.Beagle.B@mm Removal Tool.
Subject: ID ... thanks
Attachment: .exe
W32.Beagle.A@mm:
Subject: Hi
Filename: Random.exe
Filesize: 15,872 bytes
The worm will only work until January 28th, 2004. Symantec Security Response has developed a removal tool to clean the infections of W32.Beagle.A@mm.
W32.Mimail.L@mm
December 2 - Symantec Security Response
W32.Mimail.L@mm is a variant of W32.Mimail.C@mm that spreads by email and steals information from infected computers. The email has the following characteristics:
Subject: Re[2]We are going to bill your credit card:
Attachment: wendy.zip
Wendy.zip contains only one file, For_greg_with_love.jpg.exe. If the executable is run, it performs a Denial of Service (DoS) attack on one of a number of selected servers.
See Symantec Security Response for more details.
W32.Mimail.I@mm & J@mm
November 13, Grisoft (makers of AVG antivirus)
Mimail.I and Mimail.J are email worms that disguise themselves as email from the PayPal on-line payment service and try to steal credit card information.
Mimail.I arrives with the subject YOUR PAYPAL.COM ACCOUNT EXPIRES and the following text:
Dear PayPal member
PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address
<your email address>
will be expiring within five business days. We apologize for any inconvenience that this may cause, but this is occurring because all of our customers are required to update their account settings with their personal information.
We are taking these actions because we are implementing a new security policy on our website to insure everyone's absolute privacy. To avoid any interruption in PayPal services then you will need to run the application that we have sent with this email (see attachment) and follow the instructions. Please do not send your personal information through email, as it will not be as secure.
IMPORTANT! If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer. It is strongly recommended that you take a few minutes out of your busy day and complete this now.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This mail is sent by an automated message system and the reply will not be received.
Thank you for using PayPal.
---
Best regards, Administrator
The virus uses a file named www.paypal.com.scr as its attachment.
Mimail.J has the subject IMPORTANT, the sender address Do_Not_Reply@paypal.com and the following message body:
Dear PayPal member,
We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information.
To update your personal profile and continue using PayPal services you have to run the attached application to this email. Just run it and follow the instructions.
IMPORTANT! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore.
Thank you for using PayPal.
Attachment name: www.paypal.com.pif
After running, the virus shows the following form:
Unlike I-Worm/Mimail.I, Mimail.J displays a second dialog box after you click the Next button:
The virus stores the entered data in the file c:\ppinfo.sys and sends it to mail addresses on the centrum.cz or mail15.com servers.
Manual disinfection of a Mimail.I-infected computer consists of the following steps:
- Remove the registry value [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost32]
- Restart the computer
- Delete '%WinDir%\svchost32.exe' (where %WinDir% is the Windows Directory, typically c:\windows\ or c:\winnt)
W32.Yaha.AF@mm
November 12 - Symantec Security Response
W32.Yaha.AF@mm is a variant of the W32.Yaha.T@mm worm that does the following:
- Terminates some antivirus and firewall processes.
- Uses its own SMTP engine to email itself to all the contacts in the Windows address book, MSN and Windows Messenger, Yahoo Pager, ICQ Pager, as well as in all the files whose extensions contain the letters HT.
- Attempts to spread itself through shared network folders and mapped drives.
- Attempts to spread itself through the KaZaA file-sharing network.
- Installs a keylogger and emails the logs to the author.
- Performs Denial of Service (DoS) attacks to some specified and random hosts on TCP ports 135, 139, and 445.
The email message has a randomly chosen subject line, message, and attachment name. The attachment will have a .com, .exe, or .zip file extension.
See Symantec Security Response for details.
W32.Mimail.C@mm
October 31 - Symantec Security Response
W32.Mimail.C@mm, W32.Mimail.D@mm, W32.Mimail.E@mm, W32.Mimail.F@mm, W32.Mimail.G@mm, W32.Mimail.H@mm and W32.Mimail.K@mm are variants of W32.Mimail.A@mm. This worm spreads by sending itself within e-mails; the attachment name and message body differ between variants. The virus copies itself to the Windows folder and also creates three help files in the same folder. It registers itself in the ...\CurrentVersion\Run key in the Windows registry, which makes it launch every time your computer starts.
The email that carries Mimail.C has the following characteristics:
Subject: Re[2]: our private photos [random string of letters]
Hello Dear!,
Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Kiss, James.
Attachment: photos.zip
The attached ZIP file contains a file called photos.jpg.exe.
The email that carries Mimail.D, E, F, G, H & K has the following characteristics:
Subject: don't be late! [random string of letters]
Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,
so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.
Attachment name: readnow.zip
The attached ZIP file contains a file called readnow.doc.scr.
The worm collects email addresses from all the files on the computer, except those with the extensions:
com wav cab pdf rar zip tif psd ocx vxd mp3 mpg avi dll exe gif jpg bmp.
Trojan.Qhosts
October 24 - Symantec Security Response
Trojan.Qhosts is a Trojan Horse that will modify the TCP/IP settings to point to a different DNS server.
Trojan.Qhosts cannot spread by itself. For a computer to become infected, you would have to open an HTML page containing code that opens a malicious HTML file on the target computer, whose script then creates and runs the malicious executable.
Symantec Security Response has developed a removal tool to repair damage from infections of Trojan.Qhosts.
Symantec Security Response has received reports that visiting a specific page on www.fortunecity.com caused a popup to be displayed that redirected the visitor to a different web page. Being redirected to the web page appears to have caused the trojan to be downloaded to a visitor's system and then executed. Reports also state that the threat exploited the Internet Explorer Object Data Remote Execution vulnerability on several victims' computers to execute itself.
Microsoft has released a cumulative patch for this vulnerability, available here.
JS.Fortnight.D
October 24 - Symantec Security Response
JS.Fortnight.D is a Trojan Horse that drops a file, which is then inserted into the default signature of Microsoft Outlook Express.
See Symantec Security Response for more details.
Sober@mm
October 24 - Symantec Security Response
Sober@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. The email will have a variable subject in either English or German. The name of the email attachment will vary and have a .bat, .com, .exe, .pif, or .scr file extension.
See Symantec Security Response for more details.
W32.Marque.Worm
October 24 - Symantec Security Response
W32.Marque.Worm is a worm that uses its own SMTP engine to send an HTML-format email to all the contacts in the Windows Address Book. The email contains a link that refers the user to a specific website. The worm, zelig.scr, is downloaded automatically when this site is visited.
See Symantec Security Response for more details.
W32.Wintoo.B.Worm
October 24 - Symantec Security Response
W32.Wintoo.B.Worm is a mass-mailing worm that sends itself to all the addresses in the Windows Address Book, by using the MAPI interface. However, in laboratory testing, the worm failed to reproduce.
See Symantec Security Response for more details.
PWSteal.Firum
October 16 - Symantec Security Response
PWSteal.Firum is a Trojan Horse that attempts to collect credit card information as it is entered into Web forms. This Trojan targets Visa, Mastercard, Eurocard, and American Express.
This threat is written in Visual Basic. It may be found as a file named "system32.exe" in the System directory. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
When PWSteal.Firum is executed, it does the following:
- Monitors Internet Explorer processes. Each time you submit a Web form, the Trojan checks it for one of the following values:
  - visa
  - mastercard
  - american express
  - eurocard
  If one of these values is found, the Trojan extracts and saves all the information entered into the form.
- Creates the Systl64.dll file in the same directory as the Trojan. This file contains a report of the information extracted in step 1.
- Emails this information to its creator. The Trojan does this by making an HTTP connection on port 80 to a third-party Web site that allows visitors to send email through a Web form. The Trojan uses this Web site as an anonymous mailer, and does not appear to be affiliated with the site's owners.
See Symantec Security Response for more information.
W32.HLLW.Gaobot.AZ
October 16 - Symantec Security Response
W32.HLLW.Gaobot.AZ is a minor variant of W32.HLLW.Gaobot.AP that attempts to spread to network shares and allows access to an infected computer through an IRC channel.
The worm uses multiple vulnerabilities to spread, including:
MAKE SURE YOU HAVE APPLIED ALL MICROSOFT SECURITY PATCHES! This worm does NOT spread via email.
W32.Swen.A@mm
September 23 - Symantec Security Response
W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. It attempts to spread through file-sharing networks, such as KaZaA and IRC, and attempts to kill antivirus and personal firewall programs running on a computer.
The worm can arrive as an email attachment. The subject, body, and From: address of the email may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail. It often pretends to be a patch from Microsoft that patches the system for newly discovered vulnerabilities.
When W32.Swen.A@mm is executed, it performs the following actions:
- Checks to see if it has already been installed on the computer. If so, the installation procedure will end.
- If the executed filename starts with the letter q, u, p, or i, the worm will present the user with dialog boxes that pretend to be a "Microsoft Internet Update Pack."
Symantec (Norton) W32.Swen.A@mm Removal Tool
W32.Sobig.F@mm
August 19, 2003 - Symantec
W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses that it finds in the files with the following extensions:
- .dbx
- .eml
- .hlp
- .htm
- .html
- .mht
- .wab
- .txt
The Sobig.F worm is spreading virulently through the internet. The e-mail message that carries Sobig.F contains the text "Please see attached file for details" and one of the following subject lines:
Subject:
- Re: Details
- Re: Approved
- Re: Re: My details
- Re: Thank you!
- Re: That movie
- Re: Wicked screensaver
- Re: Your application
- Thank you!
- Your details
If a recipient clicks on the attachment, which has one of a number of names ending in the .pif file extension, the computer will be infected.
Attachment names:
- your_document.pif
- document_all.pif
- thank_you.pif
- your_details.pif
- details.pif
- document_9446.pif
- application.pif
- wicked_scr.scr
- movie0045.pif
The virus will then send itself out to names found in the victim's address book and will use one of these names to forge a return address. As such, the infected party may not quickly learn of the infection, while an innocent party may get the blame for helping to propagate it.
You may receive virus infection notices from systems across the internet, claiming that a message you sent had the Sobig.F worm attached. Because of the way the worm operates, your email address was 'spoofed' -- pulled at random out of the actual offending user's email address book. Please just ignore and delete these messages.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x
NOTE: The worm is due to deactivate on September 10, 2003. The last day on which the worm will spread is September 9, 2003.
Symantec Security Response
W32.Welchia.Worm
August 19, 2003 - Symantec
W32.Welchia.Worm is a worm that exploits multiple vulnerabilities:
- exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
- exploits the WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit.
The worm attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer. The worm checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic. The worm will also attempt to remove W32.Blaster.Worm. Compromises security settings: Installs a TFTP server on all infected machines.
For removal tool and instructions, see: Symantec Security Response
W32/Blaster
UPDATE: WORM_MSBLAST.A is a high risk alert for all users
Aliases: W32/Lovsan.worm, W32/Blaster-A, W32.Blaster.Worm, Worm.Win32.Lovesan
See McAfee Security.
August 5, 2003 - Symantec
W32.Blaster.Worm is a worm that uses a published flaw in Microsoft's Windows operating systems (described in Microsoft Security Bulletin MS03-026) to spread via network connections, without using e-mail. This worm attempts to download and run the Msblast.exe file. The worm also attempts to perform a Denial of Service (DoS) on Windows Update. This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
TO TRY AND STOP THE "SHUTDOWN" (W32.Blaster) VIRUS:
- The worm runs as a process (a running program) called "msblast".
- Boot the computer, then press Ctrl+Alt+Delete once.
- Click Task Manager.
- Click the Processes tab.
- Double-click the Image Name column header to alphabetically sort the processes.
- Scroll through the list and look for msblast.exe.
- If you find the file, click it, and then click End Process.
- Exit the Task Manager.
- Once done immediately download and install the MS patch.
Symantec Security Response information
Symantec W32.Blaster.Worm Removal Tool
W32/Mimail@MM
August 5, 2003 - Network Associates
This malware bears similarities to Downloader-DK, which was spammed several days ago. This threat may have also been spammed. It is received as an email attachment as follows:
From: Admin (ADMIN@your_domain)
Subject: your account %user%
Importance: High
Hello there, I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.
--- Best regards, Administrator
Attachment: message.zip
The attached .ZIP file contains a file named MESSAGE.HTM. This file uses the codebase exploit to automatically create the file foo.exe in the Temporary Internet Files folder and run it. The following files are created in the WINDOWS (%WinDir%) directory:
videodrv.exe (19,824 bytes)
exe.tmp (20,445 bytes)
zip.tmp (20,567 bytes)
More information is available at this Network Associates page.
W32/Bugbear.b@MM
June 8, 2003 - McAfee
A virulent derivative of the Bugbear virus is circulating. This version infects a large number of files on affected computers, ends processes belonging to security programs, opens port 1080, captures keystrokes and allows a hacker to gain remote access to the computer's resources.
For details, see: McAfee website & Symantec website
JS/Fortnight.b@M
February 3, 2003 - McAfee
This script virus resides on a website. When users visit the page, a link to it is appended to their Outlook Express 5.0 email signature file. When the infected user then sends an email message manually, a link pointing to the web page appears at the bottom of the message. The link is embedded in an IFrame, so if the receiving e-mail client supports HTML, the page opens automatically and is displayed inside the e-mail message.
The virus creates the file s.htm in the WINDOWS directory, which contains the IFrame link to the infected website address.
It then creates an invalid Windows 'hosts' file. The Windows HOSTS file associates host names with IP addresses and is consulted before any DNS query is issued. The hosts file dropped by this virus contains a list of URLs, each associated with a bogus IP address.
The code on the web page activates by using the Microsoft VM ActiveX vulnerability. This vulnerability has been fixed, and a patch is available from Microsoft.
For details, see: McAfee Website & F-Secure Virus Descriptions
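A hosts-file check catches the tampering described in the JS/Fortnight.b entry above. The script below is an added example, not part of the original bulletin or of any antivirus product. It audits a hosts file (on Windows NT/2000/XP the file is %SystemRoot%\system32\drivers\etc\hosts) and reports every entry beyond the stock localhost lines, classifying each as a redirect of a name to some other address, a black-hole that points a name at the local machine, a URL-shaped entry of the kind the virus drops, or a line whose first field is not an address at all. The sample file is constructed; 192.0.2.x and example.* are reserved documentation values.

```python
r"""Audit a Windows hosts file for the kind of tampering JS/Fortnight.b performs.

Added example, not part of the original bulletin or any vendor tool. The hosts
file (%SystemRoot%\system32\drivers\etc\hosts on Windows NT/2000/XP) is consulted
before DNS, so a dropped file can silently redirect or black-hole sites. The
sample below is constructed; 192.0.2.x and example.* are documentation values.
"""
import ipaddress
from dataclasses import dataclass

# Names that legitimately map to loopback in a stock hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


@dataclass
class HostsFinding:
    line_no: int
    kind: str       # redirect | blackhole | url | bad_ip | empty
    name: str
    target: str


def audit_hosts(text):
    """Return every non-default entry with a classification of what it does."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        body = line.split("#", 1)[0].strip()      # drop comments and padding
        if not body:
            continue
        fields = body.split()
        target, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            findings.append(HostsFinding(line_no, "bad_ip", " ".join(names), target))
            continue
        if not names:
            findings.append(HostsFinding(line_no, "empty", "", target))
            continue
        for name in names:
            if "://" in name or "/" in name:
                # The Fortnight dropper writes URLs; a resolver never matches
                # them, but their presence is the tell-tale of the infection.
                findings.append(HostsFinding(line_no, "url", name, target))
            elif ip.is_loopback and name.lower() in LOOPBACK_NAMES:
                continue                            # stock entry
            elif ip.is_loopback or ip.is_unspecified:
                findings.append(HostsFinding(line_no, "blackhole", name, target))
            else:
                findings.append(HostsFinding(line_no, "redirect", name, target))
    return findings


# Constructed sample: a stock file plus lines of the shape a dropper adds.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
#
127.0.0.1       localhost
::1             localhost
# --- lines a hosts-file dropper might add ---
192.0.2.44      www.example.com              # real site sent to a bogus address
192.0.2.44      http://www.example.net/      # URL-shaped entry, never resolvable
127.0.0.1       update.example.org           # black-holed: points at the machine itself
not-an-ip       www.example.org
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.kind:9} {f.name} -> {f.target}")
```

On a machine with legitimate custom entries (a LAN file server, for instance) the redirect class will include those too; the point of the audit is that anything beyond the localhost lines deserves a look, and URL-shaped or unparsable lines never belong there.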
PWSteal.Netsnake
November 9, 2002 - Symantec
PWSteal.Netsnake is a Trojan horse that steals passwords. It collects user passwords and mails them to the intruder. After the Trojan copies itself, it adds the value Internat.exe %windir%\internat.exe to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the Trojan runs when you start Windows. When it runs at startup, it displays the message "Hello. I'm NetSnake."
For details, see: Symantec Security Response
W32.Bugbear@mm
October 3, 2002 - McAfee
W32/Bugbear@MM is rated as HIGH RISK FOR HOME AND CORPORATE USERS. This mass-mailing worm attempts to send itself to email addresses found on an infected system. It also spreads through open network shares and has the ability to send print jobs to printers found on an infected network.
Once the virus is run, it will attempt to disable various security products, including many forms of anti-virus and personal firewall software. It will also attempt to install a backdoor trojan that will allow a hacker access to the infected PC.
This virus spreads via email and via network shares. It makes use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (v 5.01 or 5.5 without SP2). Simply opening or previewing an infected message in a vulnerable email reader can result in infection.
This virus can "spoof" the "from" field, by combining random elements to form a fake "from" address.
For details, see:
Symantec Security Response
McAfee
Sophos
I-Worm/Klez.E
April 30, 2002 (Symantec upgrade to category 4)
The spread of the Klez worm family has reached epidemic proportions.
This W32/Klez variant has the ability to spoof the email From field. The sender's address used by the virus is one that was found on the infected user's system. Thus, it may appear that you have received this virus from one person, when it was actually sent from a different user's system. Viewing the entire email header will display the actual sender's address.
This worm makes use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
This worm arrives in an Email message with a subject and body randomly composed from a rather long pool of strings that the virus carries inside itself. The worm interferes with running programs and frequently displays a fake error message. This virus can also unload several antivirus programs from memory. W32/Klez.e@MM sends itself out using SMTP protocol. It harvests the Windows address book for email addresses.
Refer to your virus protection software website for removal instructions.
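The spoofing warnings in the Mydoom, Sobig.F and Klez entries all come down to one fact: the From: line is written by the sender, but each mail relay prepends a Received: line of its own, and the lines added by your provider's servers show which host actually handed the message over. The script below is an added example, not code from HALNet or any vendor; it walks the Received: chain to find that border hop and compares it with the From: domain. The relay names, addresses and both messages are constructed, example.net stands in for the provider's own domain, and the rule that the provider's own users only submit mail through its relays is an assumption.

```python
"""Find where a message really entered our mail system, to unmask a spoofed From.

Added example, not code from HALNet or the original page. Each relay prepends a
Received: line, so the topmost lines were written by our own servers and can be
trusted; everything below the hop that handed the message to our border MX was
written by the sender and may be forged. Relays, addresses and messages are
constructed; "example.net" stands in for our own domain.
"""
import email
import re
from email.utils import parseaddr

OUR_DOMAIN = "example.net"
OUR_RELAYS = {"mx1.example.net", "mailbox.example.net"}   # Received: lines we trust
OUR_RELAY_IPS = {"192.0.2.1", "192.0.2.2"}

# "from <helo> (<reverse-dns> [<ip>]) ... by <relay>" as sendmail/Postfix write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.IGNORECASE)


def border_hop(msg):
    """The first trusted Received: line (top-down) whose source is not one of
    our own relays: that source is the host that actually sent the message."""
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(header.split()))   # unfold the header
        if not m:
            continue
        if m.group("by").lower() in OUR_RELAYS and m.group("ip") not in OUR_RELAY_IPS:
            return {"helo": m.group("helo").lower(),
                    "rdns": (m.group("rdns") or "").lower(),
                    "ip": m.group("ip")}
    return None


def assess_sender(raw):
    """Compare the From: domain with the host at the border hop."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = border_hop(msg)
    if hop is None:
        verdict = "no-border-hop"      # never passed through a trusted relay
    elif from_domain == OUR_DOMAIN:
        # Assumption: our users submit through our relays, so mail "from" our
        # domain that arrived from an outside host carries a forged From:.
        verdict = "spoofed-own-domain"
    elif hop["rdns"] == from_domain or hop["rdns"].endswith("." + from_domain):
        verdict = "consistent"
    else:
        verdict = "mismatch"           # may be a third-party relay; not verifiable
    return {"from_domain": from_domain, "hop": hop, "verdict": verdict}


# Constructed messages. Continuation lines of a folded header start with whitespace.
SPOOFED = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.1])
    by mailbox.example.net (Postfix) with ESMTP id 1A2B3C
    for <alice@example.net>; Tue, 19 Aug 2003 10:02:11 -0500
Received: from example.net (dialup-7.isp.example [203.0.113.7])
    by mx1.example.net (Postfix) with SMTP id 4D5E6F;
    Tue, 19 Aug 2003 10:02:09 -0500
From: "Bob" <bob@example.net>
To: alice@example.net
Subject: Re: Your application

Please see attached file for details
"""

CONSISTENT = """\
Received: from mail.example.org (mail.example.org [198.51.100.5])
    by mx1.example.net (Postfix) with ESMTP id 7G8H9I;
    Wed, 20 Aug 2003 08:15:00 -0500
From: carol@example.org
To: alice@example.net
Subject: lunch?

Are we still on for Thursday?
"""

if __name__ == "__main__":
    for raw in (SPOOFED, CONSISTENT):
        print(assess_sender(raw))
```

In the spoofed sample the HELO name and the From: address both claim example.net, but the relay that accepted the message recorded a dial-up host at another ISP, which is exactly what a worm sending from an infected user's machine looks like. A "mismatch" verdict is weaker evidence, since legitimate mail is often handed over by a relay in a different domain than the writer's.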
MyLife
March 21, 2002
This mass-mailing worm, written in Visual Basic 6, uses Microsoft Outlook to send itself to all addresses in the Outlook Address book and addresses on the MSN Messenger contact list. It arrives in an email containing the following information:
When executed, the worm propagates itself to all addresses found in the Outlook Address book and addresses on the MSN Messenger contact list, using Microsoft Outlook. The worm copies itself to the System folder, modifying the Registry to run this copy at subsequent startup.
Upon restarting the machine, the worm does not propagate again, and the above image is not displayed. When the worm is run from the SYSTEM directory and the hour is 8am, the worm deletes the following files:
* *.* from C:\ D:\ E:\ and F:\
* *.SYS, *.VXD, *.OCX and *.NLS from C:\WINDOWS\SYSTEM
See your antivirus update site for removal instructions.
Hybris
March 13, 2002
This old favorite is causing trouble again. Hybris arrives in an email with the following characteristics:
From: Hahaha [hahaha@sexyfun.net]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at morning, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: sexy virgin.scr or joke.exe or midgets.scr or dwarf4you.exe
When first executed, this worm tries to infect the WSOCK32.DLL file in the WINDOWS\SYSTEM directory. First it tries to infect WSOCK32.DLL directly. If that fails because the file is already in use, it writes an infected copy of WSOCK32.DLL to a new file whose extensionless name is made up of 8 random characters. A line is then added to WININIT.INI to rename this new file to WSOCK32.DLL, overwriting the original the next time the system boots. A registry value under Software\Microsoft\Windows\CurrentVersion\RunOnce\(default) is also created to run the worm at the next bootup, in case the previous attempts to infect WSOCK32.DLL fail.
The modified WSOCK32.DLL file watches all Internet activity and attempts to mail a copy of the worm, in the form of a .EXE or .SCR file, to any valid e-mail address sent over the Internet connection, whether as part of an e-mail message, web page, or newsgroup posting. W32/Hybris.gen@M is sent unknowingly by the infected user.
For removal instructions, please see:
http://www.symantec.com/avcenter/venc/data/w95.hybris.worm.html or http://securityresponse.symantec.com/avcenter/venc/data/w95.hybris.gen.html
W32/Gibe@MM
March 7, 2002 (Symantec)
W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to spread. This worm arrives in an email message--which is disguised as a Microsoft Internet Security Update--as the attachment Q216309.exe:
From: Microsoft Corporation Security Center
Subject: Internet Security Update
Message:
Microsoft Customer,
this is the latest version of security update, the update which eliminates all known
security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as
six new vulnerabilities
.
.
.
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
.
.
.
Attachment: Q216309.exe
The attached file, Q216309.exe, is written in Visual Basic; it contains other worm
components inside itself. To remove the virus, delete files that are detected as
W32.Gibe@mm, delete the 02_N803.dat file, and remove the key and values that the worm
added to the registry. See the website of your antivirus software for details.
W32/MyParty-A
January 28, 2002 (Sophos)
W32/MyParty-A is a Windows 32 email-aware worm which arrives as an email
with the following characteristics:
Subject: new photos from my party!
Message text:
Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Attached filename: www.myparty.yahoo.com
Some people may be fooled into believing the attached file is a link to a
website. If the attached file is executed between 25 January and 29 January 2002
(inclusive) the worm sends a copy of itself to everybody in the Windows
Address book (except the current user) using a built in SMTP engine.
The worm also sends an email to napster@gala.net to track its spread.
In addition the worm drops a copy of the Trojan Troj/Msstake-A in the user's
startup directory. The Trojan is contained in a file named msstask.exe.
Check with your virus protection software website for removal instructions.
JS.Gigger.A
January 11, 2002 (Symantec)
JS.Gigger.A@mm is a worm written in JavaScript. It uses Microsoft Outlook and mIRC to
spread. It attempts to delete all files on the computer and to format drive C if the
computer is successfully restarted.
JS.Gigger.A@mm arrives as an email message that has the following characteristics:
Subject: Outlook Express Update
Message: MSNSofware Co.
Attachment: Mmsn_offline.htm
See: Symantec website for removal instructions.
Maldal
December 20, 2001 (Trend Micro)
This destructive, memory-resident worm is a Visual Basic-compiled
Windows executable. It propagates via email using Microsoft Outlook. It
arrives in an email with the details:
Subject: Happy New Year
Message Body: Hii
I can’t describe my feelings
But all i can say is
Happy New Year :)
Bye
Attachment: CHRISTMAS.EXE
Its destructive payload deletes files in the Windows system directory.
See the Trend Micro web site for removal instructions.
WORM_SHOHO.A
F-Secure Security Information Center - December 20, 2001
The Welya worm uses its own SMTP engine, so it does not depend on Outlook for e-mail sending. The recipient addresses are collected from different files in the system, e.g.
*.wab files (Windows Address Book) and *.mbx (Mailbox) files. See Trend Micro's web site for removal instructions.
Gokar
December 15, 2001
Gokar is yet another Windows executable worm propagated by Microsoft Outlook and mIRC. Although it apparently is not actively destructive, it installs a backdoor in the infected system through the mIRC application.
Manual Removal Instructions
To manually clean infected systems:
- Delete the %Windows%\KAREN.EXE file. %Windows% is variable. It is the directory where your Windows folder is located. This is usually at C:\Windows so that the file to be deleted is found at C:\Windows\KAREN.EXE.
- Click Start > Run, type Regedit, then press Enter, and navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Karen
- Look for the following and delete it: C:\MIRC\SCRIPT.INI
- Close the Registry.
- Restore the file C:\INETPUB\WWWROOT\DEFAULT.HTM from backup.
- Delete the file C:\INETPUB\WWWROOT\REDESI.HTM.
- Delete the file C:\INETPUB\WWWROOT\WEB.EXE.
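The Mimail.I, Netsnake and Gokar removal steps above all end up in the same place: a value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run that starts the malware at boot. The script below is an added example, not from the original page or a vendor tool; it parses the text that `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` writes and flags values that look like those entries: a name that mimics a system binary (svchost32.exe for svchost.exe), a .scr registered to run at startup, or a program living in the Windows directory root rather than System32. The sample export and the heuristics are constructed, and the Windows-root rule is only a heuristic (a few system files, explorer.exe among them, legitimately live there).

```python
r"""Audit an exported Run key for autostart entries like the ones the Mimail.I,
Netsnake and Gokar removal steps tell you to delete.

Added example, not from the original page or a vendor tool. It reads the .reg
format written by `reg export`: a [key] header followed by "name"="data" lines,
with \ and " escaped as \\ and \" inside the quotes. Sample and heuristics are
constructed; they flag what the bulletins describe, not a full signature set.
"""
import re

# Names malware borrows or slightly alters (svchost32.exe for svchost.exe).
SYSTEM_NAMES = ("svchost", "lsass", "csrss", "winlogon", "services", "explorer")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def unescape(text):
    """Undo .reg escaping: a backslash protects the next character."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Yield (key, value_name, string_data) for REG_SZ values only."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue                      # header, blank, comment or continuation line
        data = m.group("data")
        if not (len(data) >= 2 and data[0] == '"' and data[-1] == '"'):
            continue                      # hex:/dword: values are not REG_SZ
        name = "(default)" if m.group("default") else unescape(m.group("name"))
        yield key, name, unescape(data[1:-1])


def program_path(command):
    """The executable part of a Run value, without arguments or quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(maxsplit=1)[0] if command else ""


def audit_autostart(text, windir=r"C:\WINDOWS"):
    """Map each suspicious value name to the reasons it was flagged."""
    flagged = {}
    for _key, name, data in parse_reg_export(text):
        path = program_path(data)
        folder, _, base = path.rpartition("\\")
        base = base.lower()
        stem = base.rsplit(".", 1)[0]
        reasons = []
        if base.endswith(".scr"):
            reasons.append("screensaver file registered to run at startup")
        for sysname in SYSTEM_NAMES:
            if stem != sysname and stem.startswith(sysname):
                reasons.append(f"name mimics the system binary {sysname}.exe")
        if folder.lower() == windir.lower():
            reasons.append("runs from the Windows directory root rather than System32")
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed export: two ordinary entries plus four shaped like the bulletins'.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\\WINDOWS\\system32\\mobsync.exe /logon"
"Audio Mixer"="\"C:\\Program Files\\Example Audio\\mixer.exe\" /tray"
"SvcHost32"="C:\\WINDOWS\\svchost32.exe"
"Internat.exe"="C:\\WINDOWS\\internat.exe"
"Karen"="C:\\WINDOWS\\KAREN.EXE"
"C:\\WINDOWS\\System32\\gone.scr"="C:\\WINDOWS\\System32\\gone.scr"
"SomeBinary"=hex:01,00,00,00
"""

if __name__ == "__main__":
    for name, reasons in audit_autostart(SAMPLE_REG).items():
        print(name, "->", "; ".join(reasons))
```

Exports in the "Windows Registry Editor Version 5.00" format are UTF-16 text, so read a real file with open(path, encoding="utf-16") before passing it in; the older REGEDIT4 format is plain ANSI text. Pass the machine's actual Windows directory as windir (C:\WINNT on many Windows NT/2000 installs) or the root-directory rule will not fire.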
Goner/Pentagone
Internet Security Systems Security Alert
December 4, 2001
Goner is a new virulent e-mail
worm that is currently propagating rapidly. The worm is disguised as an
.SCR screensaver file and is propagated via email and the ICQ chat
network. Goner is mildly destructive and generates a large amount of
network traffic, which may overload network devices and email gateways.
Goner also attempts to disable personal firewall and antivirus software.
Users who rely on these products may or may not be protected. In addition,
the Goner worm contains a powerful distributed denial of service (DDoS)
component, which may enable attackers to control infected systems over the
IRC (Internet Relay Chat) network to initiate flooding attacks on targets.
Description:
The Goner worm infects Microsoft Outlook and Microsoft Outlook Express
users by delivering the worm executable in the form of an .SCR file
attachment. The filename is GONE.SCR. This file needs to be manually
executed by the user to spread. The body and subject of each infected email
are identical. Upon infection, the Goner worm will send a copy of itself to
every contact in the user's address book.
Microsoft Outlook 2002 will block potentially harmful attachments by
default. Outlook 2002 will also prompt users with the following
information in a dialog box if the worm is executed:
A program is trying to access e-mail addresses you have stored in
Outlook. Do you want to allow this?
If this is unexpected, it may be a virus and you should choose "No".
The following is an example of an infected email message:
Subject: Hi
How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!
Attachment: GONE.SCR
The worm also has the ability to propagate via ICQ if it is installed.
Goner uses ICQ's ICQMAPI.DLL interface to send copies of itself to all
contacts that are currently online. The contact must approve the file
transfer to receive a copy of the worm. The contact must then execute the
file in order to be infected. The worm also includes a backdoor to infect
mIRC installations, so that they can be used to launch IRC-based
distributed denial of service attacks.
The Goner worm copies itself to the infected user's hard drive, and then
points a registry key to the file location to execute the worm each time
the system reboots. The following registry key is created:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\%System%\gone.scr = %System%\gone.scr
Goner also attempts to disable antivirus and personal firewall software.
The list of antivirus and personal firewall executables appears to have
been taken from a previous worm, known as I-Worm.fog. More information on
the I-Worm.fog email worm is available at:
http://www.avp.ch/avpve/worms/email/fog.stm
Recommendations:
All users and system administrators should update
their antivirus software and initiate a virus scan.
Network administrators may choose to filter ICQ traffic during an
infection to block further propagation. ICQ client to server
communication is conducted over TCP port 5190. Network administrators may
also block the worm's communication over IRC by blocking the host,
"twisted.ma.us.dal.net".
Consider upgrading Microsoft Outlook email clients to Outlook 2002.
Outlook 2002 has many security features that will block the propagation of
Goner and many other worms.
To remove the Goner worm from your system:
Manual Cleaning on Windows 95/98/Me Systems:
- Reboot the computer.
- Before the startup logo appears, press F8.
- Choose the "Command prompt only" option.
- Go to the %System% directory. %System% is variable. It is usually located at
C:\Windows\System.
- At the command prompt, type the following command then hit the Enter key:
attrib –s –h –r gone.scr
- Type the following command and then hit the Enter key to delete the Worm file:
del gone.scr
- Restart the computer.
- Double click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run>%System%
- Look for the following registry entry and then delete it:
gone.scr
- Delete all files named REMOTE32.INI in your mIRC folders.
- Either delete or restore from backup the file MIRC.INI.
Manual Cleaning on Windows NT/2000 Systems:
- Kill all running instances of the worm in the task manager. Look for applications named "pentagone" and for processes named gone.scr. Kill these processes.
- Scan your system with your antivirus software and delete all files detected as WORM_GONE.A. You can use Trend Micro's free online virus scanner.
- Remove the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\%System%\gone.scr
- Delete all files named REMOTE32.INI in your mIRC folders.
- Either delete or restore from backup the file MIRC.INI.
Additional Information:
Trend Micro - http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=WORM_GONE.A
ISS X-Force Database - http://xforce.iss.net/static/7638.php
F-Secure - http://www.f-secure.com/v-descs/goner.shtml
Badtrans.B
November 26, 2001 -- Trend Micro Virus Alert
This memory-resident internet worm is a
variant of WORM_BADTRANS.A. It propagates via MAPI32, has a Key
Logger component, and arrives with randomly selected double
extension filenames.
It does not require the email receiver to open the attachment for it to
execute. It uses a known vulnerability in Internet Explorer-based email
clients (Microsoft Outlook and Microsoft Outlook Express) to
automatically execute the file attachment. This is also known as
Automatic Execution of Embedded MIME type.
It records all keystrokes, the date, time, user name, and the
application name where a keystroke was typed, in encrypted
form, to a CP_25389.NLS file. It then connects to an SMTP
server to send the information via email to a specific email
address. The information in the email may contain sensitive
information such as documents and passwords.
For instructions on removing this worm from an infected system, see
PC-cillin.com; Symantec
Magistr
October 2, 2001 -- McAfee Virus Alerts
Reports are being received of many HAL users passing on the W32/Magistr@MM virus/worm. This is not a new virus, but its spread is increasing and it is quite virulent. W32/Magistr@MM is a combination of a file infector virus and e-mail worm.
- The viral code infects 32-bit PE type (.EXE) files in the WINDOWS directory and subdirectories.
- The worm component uses mass mailing techniques to send itself to email addresses stored in several places.
The worm installs itself to run at each system startup.
Five minutes after the virus is run, it attempts a mailing routine. Email addresses are gathered from the Windows Address Book, Outlook Express mailboxes, and Netscape mailboxes (address found in the email messages within existing mailboxes are gathered), and these file locations and addresses are saved to a hidden .DAT file somewhere on the hard disk (varies). The messages sent by the worm contain varying subject headings, body text, and attachments. The body of the message is derived from the contents of other files on the victim's computer. It may send more than one attachment and may include non .EXE or non-viral files along with an infectious .EXE file.
The virus proceeds by infecting 32-bit PE (Portable Executable) type .EXE files found in the WINDOWS SYSTEM directory and subdirectories. The viral code is encrypted, polymorphic, and uses anti-debugging techniques to make it difficult to detect. Email addresses have been seen encrypted in infected files. These addresses are believed to represent other users that have also been infected from the same point of origin.
In the decrypted body of the virus code, the following comments exist:
ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler.
by: The Judges Disemboweler.
written in Malmo (Sweden)
Symptoms of W32/Magistr@MM include:
- Icons on the desktop move when the mouse cursor passes over them
- Increase in size in .EXE files (adds 24Kb or more)
- Infected files use a modified access date of the time of the infection
- Presence of a newly created .DAT file containing email addresses (representing those users which were sent the virus)
- Entry in WIN.INI RUN=(App)
- Entry in Registry, run key value:
HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\AppName (varies)=C:\WINDOWS\SYSTEM\(App).EXE (varies)
W32/Magistr@MM has a payload routine that on some systems may result in CMOS/BIOS information being erased as well as destroying sectors on the hard disk.
See the McAfee Virus Alert and Symantec Security Response for more information.
NIMDA
September 18, 2001 -- sarc.com, washingtonpost.com
Starting this morning, numerous system administrators have observed a
dramatic increase in probes from remote systems. The probes, coming sometimes hundreds per
minute, appear to be attempting to access several commonly exploited files on sites
running Microsoft's Internet Information Server. Although most of these exploits are useless, the bandwidth
consumed by the attacks is enormous.
Dubbed W32.Nimda.A@mm (or nimda for short), the new mass-mailing worm utilizes multiple methods to spread itself. The
worm sends itself out by email, searches for open network shares, attempts to copy itself to
unpatched or already vulnerable Microsoft IIS web servers, and is a virus infecting both local files and
files on remote network shares.
The worm uses the Unicode Web Traversal exploit. A patch and information regarding this exploit can
be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.
When the worm arrives by email, the worm uses a MIME exploit allowing the virus to be executed
just by reading or previewing the file. Information and a patch for this exploit can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Users visiting compromised Web servers will be prompted to download an .eml (Outlook Express)
email file, which contains the worm as an attachment.
Also, the worm will create open network shares on the infected computer, allowing access to the
system. During this process the worm creates the guest account with Administrator privileges.
Visit Symantec Security Response website
for more information.
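The IIS probes the Nimda report describes can be recognised in web-server logs by decoding each requested path the way an unpatched server would (including the overlong UTF-8 forms behind MS00-078) and checking whether it escapes the site root. This is an added Python example, not code from HALNet or any of the sources quoted on this page; the log lines are constructed, and the W3C field layout, the `.eml` check and the function names are assumptions of the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-style log lines (not from a real server):
# date time client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2001-09-18 08:01:12 192.0.2.10 GET /index.htm - 200
2001-09-18 08:01:13 192.0.2.10 GET /scripts/..%c0%af../winnt/win.ini - 200
2001-09-18 08:01:14 192.0.2.11 GET /images/..%2f..%2fboot.ini - 404
2001-09-18 08:01:15 192.0.2.12 GET /notice.eml - 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def decode_overlong_utf8(data: bytes) -> str:
    """Decode bytes to text, also accepting overlong two-byte UTF-8 forms
    (lead byte C0/C1, e.g. C0 AF for '/') that unpatched IIS mapped to
    ASCII only after its '..' check had run; that gap is MS00-078."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # plain ASCII / latin-1 byte
            i += 1
    return "".join(out)

def escapes_web_root(uri_stem: str) -> bool:
    """True when the fully decoded path climbs above the site root."""
    path = decode_overlong_utf8(unquote_to_bytes(uri_stem)).replace("\\", "/")
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client IP, reason) for each request worth a closer look."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, stem = m.group(3), m.group(5)
        if escapes_web_root(stem):
            hits.append((ip, f"traversal outside web root: {stem}"))
        elif stem.lower().endswith(".eml"):
            # The report says compromised servers push an .eml to visitors.
            hits.append((ip, f".eml served from this site: {stem}"))
    return hits
```

A patched server rejects the overlong form, so on current systems the same check mainly tells you which clients are still probing.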
Sircam
July 20, 2001 -- CNN.com
A troublesome worm called "Sircam" is making the rounds.
Although it has been known about for some time, several anti-virus companies
have raised a warning flag due to the speed at which it is now spreading.
Sircam is a mass mailing virus that uses Microsoft Outlook Express to distribute
itself, according to Trend Micro.
It attempts to evade detection by arriving with a random subject line and an attachment by the same name.
But Sircam is particularly nasty since it can send out personal documents saved
on the hard drive.
F-Secure's anti-virus warning described Sircam's message like this:
Subject: Document file name (without extension)
From: [user_of_infected_machine@prodigy.net.mx]
To: [random@email.from.address.book]
I send you this file in order to have your advice
See you later! Thanks
Once a computer is infected, Sircam creates a list of files with extensions such
as .DOC and .JPG that are located in the user's "My Documents" folder. The
virus then sends copies of itself to users in the victim's address book, including
one of those files chosen at random.
"Since quite often users keep their personal or company-related documents
there, it means that the worm can send out confidential information," states the
F-Secure Web site.
Anti-virus firm Symantec had elevated its warning level Thursday from a 3 to a
4 on a scale of 1 to 5, while others designated it as a "medium" risk.
When Sircam is run, it copies itself to the Recycling Bin, sets up a directory
called 'c:\recycled\SirC32.exe' and appears as 'SCam32.exe' in the Windows
system directory. This way the worm's activity is disguised. Despite its intrusive nature,
Sircam appears to do little in terms of deleted files, the anti-virus companies stated.
Instructions on how to remove Sircam from an infected computer are posted
on most anti-virus Web sites.
MS Security Alert worm
July 16, 2001
Worm distributed via email that appears to be a Microsoft security alert
This worm downloads components from Web sites and contains code to accept commands from IRC. The only differences between this threat and W32.Leave.Worm are the Web sites from which the components are downloaded, and that this threat is crafted to appear as a security bulletin from Microsoft. The message begins as follows:
Subject: Microsoft Security Bulletin MS01-037
Message: The following is a Security Bulletin from the Microsoft Product Security Notification Service.
Please do not reply to this message, as it was sent from an unattended mailbox.
********************************
-----------------------------------------------------------------------
Title: Vulnerability in Windows systems allowing an upload of a serious virus.
Date: 30 June 2001
Software: Windows 2000
Impact: Privilege Elevation
Bulletin: MS01-037
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-037.asp
part of message clipped for brevity
The message goes on to describe a destructive virus and directs the recipient to a URL to download and run a 'security patch'. When activated, the worm downloads components from Web sites and contains code to accept commands from IRC.
For more information, see:
Symantec write up
InfoWorld
Malicious Virus Hoax
June 1, 2001
NEW VIRUS HOAX ALERT!! June 1 Virus SULFNBK.EXE
BEWARE: While this is a hoax, the information contained in it could
damage your computer system!!
A new e-mail hoax is circulating that warns users about a virus, SULFNBK.EXE, alleged to become active on June
1, 2001. While this is a hoax, the message contained in the
email instructs users to delete a critical system file. Ignore the information in this hoax and DO NOT delete a file
named SULFNBK.EXE.
The Email message subject line may read: Virus Alert, or SULFNBK.EXE
Several different versions of the e-mail message are circulating in various
languages (Portuguese, English). If you receive this message ignore it; DO
NOT forward the message to other users, which will only spread the hoax.
Delete the message, DO NOT delete SULFNBK.EXE or other system files.
SULFNBK.EXE is a standard part of the Windows Operating System used to
restore long file names.
The Email Message you receive may read in part as follows:
============================================================================
It was brought to my attention yesterday that a virus is in circulation via
email. I looked for it and to my surprise I found it on mine. ..
Please follow the directions and remove it from yours TODAY!!!!!!!
No Virus software can detect it. It will become active on June 1, 2001.
It might be too late by then. It wipes out all files and folders on
the hard drive. This virus travels thru E-mail and migrates to the
'C:\windows\command' folder.
The bad part is: You need to contact everyone you have sent ANY
E-mail to in the past few months. Many major companies have found this virus
on their computers. Please help your friends !!!!!!!!
DO NOT RELY ON YOUR ANTI-VIRUS SOFTWARE. McAFEE and NORTON CANNOT
DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS UNTIL JUNE 1ST.
WHATEVER YOU DO, DO NOT OPEN THE FILE!!!
===========================================================================
Homepage
May 9, 2001 -- cnn.com
Unlike some predecessors, a virulent new computer virus doesn't
use sexual intrigue to entice people to open infected e-mail.
Instead, this worm, once unleashed, attempts to open numerous
X-rated Web pages.
Known as "Homepage," the application has been rated a serious threat by Internet
security professionals and caused major infections in Europe, Australia and Asia
on Wednesday.
"This is an extremely dangerous worm, similar to the ("Anna Kournikova" virus),
but spreading even faster," warned anti-virus company F-Secure Inc. in an alert
Wednesday morning.
The virus, first detected late Tuesday, will probably infiltrate more computers worldwide than
the Kournikova outbreak, which struck about 500,000 PCs in February, said F-Secure's Mikko Hypponen.
But advance warning should prevent the new infection from gaining a foothold in
North America, according to the Finnish anti-virus expert.
"We don't expect things to be as bad in the United States as it was in Australia,
New Zealand and Europe because the anti-virus programs have been updated and
because of the press coverage," Hypponen said.
Spreads through Microsoft Outlook
The new executable, created with a Visual Script worm generator, propagates
only through Microsoft Outlook. It sends itself -- as an e-mail attachment -- to
all addresses listed in an infected user's address book. Then it tries to open at
random a number of pornographic Web sites using Internet Explorer, according
to Trend Micro Inc.
Other security companies issued similar alerts.
"While this particular worm has a minimally destructive payload, it does have the
capability to crash e-mail servers and so immediately disrupt business because of
its fast-spreading nature," said Hank Dugan, CEO of Norman Data Defense Systems.
The e-mail arrives with the subject line "Homepage" and the attachment
"HOMEPAGE.HTML.VBS." The message of the e-mail reads: "Hi! You've got to
see this page! It's really cool ;O)"
After it sends out infected e-mails, the worm deletes them to prevent detection,
Trend Micro said.
Anti-virus companies, some of which posted Homepage disinfectants
Wednesday, caution Internet users to avoid opening suspicious e-mail
attachments.
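The attachment traits the alerts above describe (Goner's GONE.SCR, Homepage's HOMEPAGE.HTML.VBS, Badtrans's double extensions and auto-executing MIME type, Sircam's subject line that repeats the attachment name) can be checked at the mail gateway before a message reaches a mailbox. This is an added Python example, not code from HALNet or any vendor quoted on this page; the worm-name set, the extension list, the MIME-type list and the function names are this example's own assumptions, and the messages it builds are constructed, harmless samples.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names quoted in the alerts above (Goner, Homepage).
KNOWN_WORM_ATTACHMENTS = {"gone.scr", "homepage.html.vbs"}
# Extensions that execute when opened; Outlook 2002 blocks most by default.
EXECUTABLE_EXTS = {"exe", "scr", "vbs", "pif", "com", "bat"}
# Types Outlook/OE rendered inline; an executable carried under one of them
# is the MS01-020 "automatic execution of embedded MIME type" trick that
# Badtrans.B and Nimda used.
AUTO_RENDER_TYPES = {"audio/x-wav", "audio/x-midi", "image/gif", "image/jpeg"}

def triage(raw: bytes) -> list[str]:
    """Return findings for one RFC 822 message; an empty list means none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container
        lower = name.lower()
        stem, *exts = lower.split(".")
        ctype = part.get_content_type()
        if lower in KNOWN_WORM_ATTACHMENTS:
            findings.append(f"known worm attachment: {name}")
        if exts and exts[-1] in EXECUTABLE_EXTS:
            findings.append(f"executable attachment: {name}")
            if len(exts) >= 2:  # HOMEPAGE.HTML.VBS, Badtrans double extensions
                findings.append(f"double extension: {name}")
            if ctype in AUTO_RENDER_TYPES:
                findings.append(f"executable declared as {ctype} (MS01-020 pattern)")
            if subject == stem:  # Sircam: subject is the attachment name sans extension
                findings.append(f"subject repeats attachment name: {name}")
    return findings

def make_sample(subject: str, filename: str, ctype: str, body: str) -> bytes:
    """Build a constructed message carrying one harmless attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    maintype, subtype = ctype.split("/")
    msg.add_attachment(b"harmless placeholder bytes", maintype=maintype,
                       subtype=subtype, filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    # Goner's lure from the ISS alert, carried under an audio MIME type.
    for finding in triage(make_sample("Hi", "GONE.SCR", "audio/x-wav",
                                      "When I saw this screen saver, I immediately thought about you")):
        print(finding)
```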

Anti-Virus Web Sites
AVG Home Page
http://www.grisoft.com/us/us_index.php
Download AVG Free Edition
http://www.grisoft.com/us/us_dwnl_free.php
AVG Anti-Virus Free Edition Updates
http://www.grisoft.com/us/us_updt6.php?lng=fe
AVG 6.0 Professional Updates
http://www.grisoft.com/us/us_updt6.php
McAfee Virus Information Library Search Center
http://vil.mcafee.com/
VirusScan
http://download.mcafee.com/updates/updates.asp?
Sophos AntiVirus
http://www.sophos.com/virusinfo
Sophos Antivirus
http://www.sophos.com/virusinfo/analyses/
Norton AntiVirus Encyclopedia
http://www.symantec.com/avcenter/vinfodb.html
Virus Information Library
http://vil.nai.com/vil/default.asp