Protect your system: McAfee.com VirusScan Online

W32/Mydoom.o@MM is a Medium-On-Watch risk mass-mailing worm that tries to open a
backdoor on your PC. Often posing as a bounced-email notice, the worm arrives as
an attachment, then spreads by mailing itself to addresses harvested from the
infected machine and via peer-to-peer file-sharing programs.
The Atak worm was first discovered Monday. Although antivirus companies do not
expect it to cause much damage, they say it will be a nuisance because it can
generate a large amount of spam.
W32/Bagle.ad@MM is a Medium Risk mass-mailing worm that, like its predecessors,
tries to open a backdoor on an infected PC, giving an attacker remote access to
the computer. The worm spreads by emailing itself to addresses it harvests from
the infected machine and by using popular file-sharing applications such as
KaZaa, Bearshare and Limewire. W32/Bagle.ad@MM also attempts to shut down
anti-virus and firewall software running on infected machines.
Note: Receiving a bounce or virus-scanner alert stating that the virus came from
your email address is not an indication that you are infected. These worms fill
the "From:" field with one of the addresses they harvest, so such an alert means
only that your address was found on some infected machine.
What should I look for?
FROM: Varies (spoofed).
SUBJECT: Varies (examples; see McAfee's site for a full listing):
Re: Msg reply, Re: Hello, Re: Yahoo!
BODY: Uses various constructed strings.
ATTACHMENT: Varies. Can be a password-protected zip file, with the password
included in the message body (as plain text or inside an image), so that the
recipient can open the archive while mail-gateway scanners cannot. Examples:
Information, Details, text_document
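The attachment pattern above is what carries these worms past gateway scanners: an encrypted ZIP cannot be opened for inspection, while the password in the body lets the recipient open it. The check below is an added example, not McAfee's code, of a gateway-side rule that reads the archive's central directory for the PKWARE encryption flag and looks for a password handed out in the message text. The message body, attachment name and ZIP bytes are constructed for the demonstration, and the password regex is an assumption about how the lure phrases it.

```python
"""Gateway check for password-protected ZIP lures (added example, not
vendor code).  Reads the ZIP central directory for the PKWARE encryption
flag and looks for a password handed out in the message body, the
combination described for W32/Bagle.ad@MM above.  The message and archive
below are constructed samples, not a real worm."""
import io
import re
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header; general-purpose flags at +6
CD_SIG = b"PK\x01\x02"      # central directory entry; flags at +8
ENCRYPTED_BIT = 0x0001      # bit 0: traditional PKWARE encryption

# Assumed lure phrasing: "password: 1234" or "password is 1234".
PASSWORD_RE = re.compile(r"password\s*(?:is|:)\s*([A-Za-z0-9]{3,})", re.IGNORECASE)

# Constructed sample resembling the bounce-notice lure described above.
SAMPLE_BODY = (
    "Your message could not be delivered. The original is attached.\n"
    "For security reasons the attached file is password protected.\n"
    "Password: 67321\n"
)


def make_zip(member: str, data: bytes, mark_encrypted: bool) -> bytes:
    """Build a one-member ZIP for the demo.  With mark_encrypted the
    encryption flag is set in both headers so the archive looks like the
    worm's password-protected attachment (the data itself stays in clear;
    only the flag a scanner inspects is set)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, data)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((LOCAL_SIG, 6), (CD_SIG, 8)):
            pos = raw.find(sig)
            flags, = struct.unpack_from("<H", raw, pos + off)
            struct.pack_into("<H", raw, pos + off, flags | ENCRYPTED_BIT)
    return bytes(raw)


def encrypted_members(zip_bytes: bytes) -> list:
    """Names of members whose encryption flag is set, read from the central
    directory (no extraction is attempted, so no password is needed)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_BIT]


def password_in_body(body: str):
    """Return the password the body hands out, or None."""
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None


def classify(body: str, attachment: bytes) -> str:
    """quarantine: encrypted archive plus password in the body (the lure);
    hold: an archive the scanner cannot open; scan: the normal AV path."""
    try:
        encrypted = encrypted_members(attachment)
    except zipfile.BadZipFile:
        return "hold"          # not a readable ZIP: treat it as an opaque blob
    if encrypted and password_in_body(body):
        return "quarantine"
    if encrypted:
        return "hold"
    return "scan"


if __name__ == "__main__":
    lure = make_zip("Details.exe", b"MZ not a real payload", mark_encrypted=True)
    plain = make_zip("report.txt", b"quarterly figures", mark_encrypted=False)
    print(classify(SAMPLE_BODY, lure))                 # quarantine
    print(classify("See attached report.", plain))     # scan
```

The point of reading the flag from the central directory is that the verdict needs neither the password nor the payload: an encrypted member plus a password in the same message is the lure itself, whatever the archive contains.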
Updated 1/27/04
W32/Mydoom@MM is a High-Outbreak mass-mailing worm flooding email servers
worldwide. When run, the worm harvests email addresses from the infected machine
and also generates random email addresses for propagation. This address
generation engine is similar to the techniques spammers use to generate
addresses for spam campaigns. W32/Mydoom@MM sends emails with a spoofed "From:"
field, so incoming messages may appear to be from people you know. Furthermore,
the subject line and message body are both randomly generated by the worm.
Updated 12/05/03
Worm/MiMail.M is a memory-resident Internet worm that spreads through email by
tricking users into opening the attached file. The email is crafted with adult
content to arouse curiosity. It spreads using addresses it collects by searching
through files on the user's hard disk.
BDS/Purisca is a memory-resident backdoor that could allow someone with
malicious intent remote access to your computer. It installs a copy of itself
as "PuritySCAN.exe".
Worm/MiMail.L is a memory-resident Internet worm that spreads through email by
tricking users into opening the attached file. The worm can launch a
Distributed Denial of Service attack on anti-spam websites. It spreads using
addresses it collects by searching through files on the user's hard disk.
Worm/Agobot.215552 is a memory-resident Internet worm that spreads through open
or weakly protected network shares. It also exploits some well-known Microsoft
vulnerabilities in order to propagate. The worm is 215,552 bytes in size and
copies itself under the filename "mwincfg32.exe".
Worm/Agobot.231936 is a memory-resident Internet worm that also contains a
variety of backdoor functions. It can disable real-time antivirus scanners and
personal firewall applications. The worm is 231,936 bytes in size and copies
itself under the filename "wincomm.exe".
Worm/Agobot.68608 is a memory-resident Internet worm that spreads through open
or weakly protected network shares. It also exploits some well-known Microsoft
vulnerabilities in order to propagate. The worm is 68,608 bytes in size and
copies itself under the filename "scvhost.exe" (note the transposed letters,
chosen to resemble the legitimate svchost.exe).
BDS/Spyboter is a memory-resident backdoor that could allow someone with
malicious intent remote access to your computer. It installs a copy of itself
as "SVCHOSTS.EXE" (a name chosen to resemble the legitimate svchost.exe).
BDS/Carufax.A is a backdoor program that was discovered on November 29, 2003. It
affects systems running Windows 95, 98, ME, XP, 2000 and NT.
BDS/IRCBot.13856 is a memory-resident backdoor that could allow someone with
malicious intent remote access to your computer. It installs a copy of itself
as "sysweb.exe".
Worm/Agobot.AZ is a memory-resident Internet worm that also contains a variety
of backdoor functions. It can disable real-time antivirus scanners and personal
firewall applications. The worm is 228,572 bytes in size and copies itself
under the filename "svch0st.exe" (with a zero in place of the letter o, to
resemble the legitimate svchost.exe).
Updated 11/14/03
BDS/IRCBot.82779 is a backdoor application that could allow someone with
malicious intent remote access to your computer. If executed, the backdoor
remains memory-resident and copies itself into the Windows system directory
under the filename "cmst32.exe".
Tr/Small.BU is a trojan program, 6,176 bytes in size, that has been seen sent
out (seeded) over email. It may arrive as if coming from an "account manager"
at Citibank. It does not contain its own replication routine.
Updated 8/12/03
Name: Worm/Lovsan.A
Alias: W32/Lovsan.A
Type: Internet Worm
Discovered: August 11, 2003
Platform: Windows NT/2000/XP
Size: 6,176 bytes
Worm/Lovsan.A is an Internet worm that exploits a known security vulnerability
in Microsoft's Windows Distributed Component Object Model (DCOM) Remote
Procedure Call (RPC) interface. The vulnerability allows a remote attacker to
run code of their choice on an unpatched machine. The TCP port directly
affected by this exploit is 135.
After exploiting a target, Worm/Lovsan.A instructs it to download and run the
file msblast.exe via TFTP from the attacking machine.
The following are components of Worm/Lovsan.A:
- msblast.exe (the main component)
So that it runs each time the user restarts the computer, the following
registry value is added:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"
Microsoft has issued a patch for the vulnerability exploited by Worm/Lovsan.A.
The patch is available from Microsoft Security Bulletin MS03-026.
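The exploit-then-TFTP sequence described above gives a network-side signature that does not depend on the patch having been applied. Below is an added detection example, not code from Central Command, McAfee or Microsoft, that runs over firewall-style connection logs: it names hosts sweeping 135/tcp and pairs a subsequent 69/udp pull back to the sweeping host with the target it came from. The log format, the addresses and the scan threshold are constructed assumptions; a real firewall log needs its own parse() for the same fields.

```python
"""Detection for the Worm/Lovsan.A propagation pattern described above
(added example, not Central Command's or Microsoft's code): one host
touching many 135/tcp endpoints, then a freshly contacted host pulling a
file back from it over TFTP (69/udp).  The log format and all addresses are
constructed; real firewall logs will need their own parser."""
from collections import defaultdict
from datetime import datetime

SCAN_THRESHOLD = 8   # assumed: distinct 135/tcp targets before a host counts as a scanner

# Constructed log lines: date time action proto src dst sport dport
SAMPLE_LOG = [
    f"2003-08-11 14:02:{13 + i // 4:02d} OPEN TCP 192.168.1.77 192.168.1.{10 + i} {1053 + i} 135"
    for i in range(11)                      # .77 sweeps .10 through .20 on 135/tcp
] + [
    "2003-08-11 14:02:16 OPEN UDP 192.168.1.20 192.168.1.77 1025 69",   # victim pulls msblast.exe back
    "2003-08-11 14:03:40 OPEN TCP 192.168.1.5 192.168.1.10 2300 445",   # unrelated file sharing
    "2003-08-11 14:04:01 OPEN UDP 192.168.1.30 192.168.1.2 1040 69",    # TFTP with no prior RPC contact
]


def parse(line: str) -> dict:
    """Split one constructed log line into the fields the detector uses."""
    date, time, _action, proto, src, dst, _sport, dport = line.split()
    return {"ts": datetime.fromisoformat(f"{date} {time}"), "proto": proto,
            "src": src, "dst": dst, "dport": int(dport)}


def analyze(lines) -> dict:
    """Return hosts that sweep 135/tcp and (victim, attacker) pairs where a
    TFTP pull followed an earlier RPC contact from the attacker."""
    events = sorted((parse(line) for line in lines if line.strip() and not line.startswith("#")),
                    key=lambda e: e["ts"])
    rpc_targets = defaultdict(set)   # src -> distinct hosts it hit on 135/tcp
    rpc_contacts = set()             # (attacker, victim) pairs seen so far
    tftp_pulls = set()
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 135:
            rpc_targets[e["src"]].add(e["dst"])
            rpc_contacts.add((e["src"], e["dst"]))
        elif e["proto"] == "UDP" and e["dport"] == 69:
            # victim -> attacker on 69/udp matters only if attacker -> victim
            # on 135/tcp came first; the sort above enforces the ordering.
            if (e["dst"], e["src"]) in rpc_contacts:
                tftp_pulls.add((e["src"], e["dst"]))
    scanners = sorted(h for h, t in rpc_targets.items() if len(t) >= SCAN_THRESHOLD)
    return {"scanners": scanners, "tftp_pulls": sorted(tftp_pulls)}


if __name__ == "__main__":
    for name, hosts in analyze(SAMPLE_LOG).items():
        print(name, hosts)
```

The TFTP pairing is the higher-confidence signal: a single 135/tcp sweep can be a scanner or an inventory tool, but a host fetching a file over TFTP from the machine that just contacted its RPC port is the worm's own download step, and that host should be taken off the network before it starts sweeping in turn.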
Updated 5/23/03
Virus Warning issued for Worm/Palyh.A
Updated 5/14/03
Virus Advisory issued for Fizzer
McAfee Security has seen a large and growing number of computers infected with
W32/Fizzer@MM. This is a MEDIUM-ON-WATCH mass-mailing worm which spreads by
emailing itself to addresses in your Windows Address Book and others found on
your PC. It tries to terminate your AV software, contains a keylogger and
attempts to spread using other programs, including IRC, AIM and Kazaa. It
arrives as an executable email attachment and requires the user to double-click
the file to become infected. Users should update their anti-virus software as
soon as possible.
Updated 3/18/03
Virus Advisory issued for Ganda
Updated 3/17/03
Virus Advisory issued for W32/Nicehello
Users with Hotmail addresses in MSN Messenger are vulnerable to W32/Nicehello@MM,
a MEDIUM RISK mass-mailing worm that emails itself to MSN Messenger contact
lists. Worse, it also attempts to send MSN Messenger usernames and passwords to
the virus author via an email message. So far the virus has had a limited
spread, but it has been seen in several languages, including English and
Spanish.
When the W32/Nicehello@MM attachment is run, a fake Windows XP error message is
displayed and the worm copies itself to several places on the infected
computer.
Updated 3/10/03
Virus Advisory issued for Worm/Deloader
Updated 2/27/03
Virus Advisory issued for Worm/Gibe.B
Updated 2/24/03
Virus Warning issued for Worm/Lovegate.B
Updated 1/25/03
Virus Warning issued for W32/SQLSlammer
Updated 1/10/03
Virus Warning issued for Worm/SoBig.A
Updated 1/9/03
Virus Warning issued for Worm/Avril.B
Because of the length of the warning, I've set up a separate page for this
virus; please go to: Avril.B
Updated 1/9/03
Virus advisory
issued for Worm/ExplorerZip.E
Details:
Name: Worm/ExplorerZip.E
Alias: W32/ExploreZi-N
Type: Internet Worm (UPX packed)
Discovered: January 8, 2003
Size: 91,048 bytes
Platforms: Windows
Description:
Worm/ExplorerZip.E is a mass-mailing Internet worm that spreads through the use
of stored e-mail addresses.
The worm arrives through e-mail in the following format:
Subject: RE: <random text>
Body:
Hi <email name> !
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye.
Attachment: zipped_files.exe
If executed, the worm copies itself into the Windows system directory under the
filenames "_setup.exe", "<random filename>.exe" and "Explorer.exe".
Additionally, the "Win.ini" file in C:\Windows is modified so that its empty
run= line becomes one of the following:
- C:\Windows\Win.ini
run=C:\Windows\system\_setup.exe
or
run=C:\Windows\system\explore.exe
So that it runs each time the user restarts the computer, the following
registry value is added:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"run"="C:\\WINNT\\System32\\Explore.exe"
** Registry value created only on Microsoft Windows NT/2000/XP
Worm/ExplorerZip.E then truncates files with the following extensions to zero
length, destroying their contents:
- *.asm
- *.c
- *.cpp
- *.doc
- *.h
- *.ppt
- *.xls

Updated 1/7/03
Virus advisory
issued for Worm/Naith.A (aka: Avril Lavigne, also
see: Avril.B)
Details:
Name: Worm/Naith.A
Alias: W32/Naith.A-mm
Type: Internet Worm
Discovered: January 7, 2003
Size: 32,766 bytes
Orig File: IAmWiThYoU.exe
Platform: Windows
Description:
Worm/Naith.A is an Internet worm that spreads through e-mail, using addresses it
collects from the Microsoft Outlook Address Book, as well as through the mIRC
network.
The worm arrives through e-mail in the following format:
Subject: Re: The real estate plunger
Body:
Avril fans subscription
FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony
Vote for I'm with you!
Admission form attached below
Attachment: IAmWiThYoU.exe
Worm/Naith.A arrives via email or mIRC. Due to a vulnerability in Microsoft
Outlook, the worm can execute automatically when the message is displayed in
the preview pane. After copying itself to various locations it creates the file
"c:\windows\listrecp.dll", in which the harvested email addresses are stored. It
also creates a script.ini file for mIRC so that it can spread through mIRC. A
third file, "c:\windows\temp\avril-ii.inf", contains comments from the virus
author, for example "2002 (c) Otto von Gutenberg" and "Made in
.::]|KaZAkHstaN|[::.". The virus has its own SMTP engine.
The directories the worm copies itself to include:
- C:\Windows\temp\AvrilSmiles.exe
- C:\Windows\temp\bfD46g62.TFT
- C:\RECYCLED\0cE26cHf.exe
- C:\RECYCLED\Bbh1dFeD.exe
- C:\RECYCLED\31c9a1Af.exe
- C:\RECYCLED\25G0466A.exe
So that it runs each time the user restarts the computer, the following
registry value is added:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Avril Lavigne - Muse"="C:\\WINDOWS\\SYSTEM\\7h827fg6b6c.EXE"
It also adds the key:
- HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne
@="Done"
"PSW-Trojan"="1"

Updated 1/1/03
Virus advisory issued for Worm/Yaha.M
Details:
Name: Worm/Yaha.M
Alias: W32/Yaha-M
Type: Internet Worm
Discovered: December 21, 2002
Size: 34,304 bytes
Description:
Worm/Yaha.M is a modification of Worm/Yaha.A (Valentine.scr), an Internet worm
that spreads by retrieving e-mail addresses from the Windows Address Book, as
well as from addresses found in cached web pages (HTM, HTML and HTA files).
Unlike other variants of Yaha, this variant does not show the joke screens the
previous versions displayed.
If executed, the worm copies itself into the Windows system directory under the
filenames:
- tcpsvs32.exe
- nav32_loader.exe
- WinServices.exe
- winloader32.dll
So that it runs each time the user restarts the computer, the following
registry values are added:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
and
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
Additionally, the default value of the following key, which controls how every
.exe file is launched, is changed from
- HKEY_CLASSES_ROOT\exefile\shell\open\command
@="\"%1\" %*"
to
@="\"C:\\WINDOWS\\SYSTEM\\nav32_loader.exe\"\"%1\"%*"
so that the worm's loader runs whenever any program is started. Deleting
nav32_loader.exe without first restoring this value to "%1" %* leaves the
system unable to launch .exe files.
Worm/Yaha.M was originally received as "hotmail_hack.exe".

Updated 12/05/02
Virus advisory issued for Worm/Holar.C
Name: Worm/Holar.C
Alias: W32/SfxDeth.A-mm
Type: Internet Worm
Discovered: December 4, 2002
Size: 54,514 bytes
Worm/Holar.C is an Internet worm that spreads through e-mail by using addresses
it collects from *.htm and *.html files on the local hard drive. It does so by
use of its own SMTP engine.
The worm arrives through e-mail in the following format:
Subject: Fwd: Crazy illegal sex !
Body: Note: forwarded message attached.
Updated 11/20/02
Name: Tr/Jeem
Alias: Downloader-BO.dr
Type: Trojan
Discovered: November 19, 2002
Size: 13,380 bytes
Description: Tr/Jeem arrives through e-mail in the following format:
Subject: FAILED DELIVERY
Body: Unfortunately, it was not possible to deliver one or more of your
messages. For more information, take a look in the attachment.
or
Body: Your message, attached did not reach the reciepent. <xxxxxx@recipient
domain>. #5.5.0 smtp; 550 Requested action not taken: mailbox unavailable.
** where xxxxxx = selected numbers
Attachment: Mail.hta
The attachment is an HTML Application, which Windows runs as a trusted local
program rather than as a web page. If executed, it displays a fake advertisement
for Perfection by Paradise skin cream.
Updated 11/12/02
VIRUS ADVISORY
The Central Command Emergency Virus Response Team™ (EVRT™) has received virus
infection reports for the trojan Tr/Mastaz. Due to increased customer inquiries
the EVRT is issuing a VIRUS ADVISORY.
Name: Tr/Mastaz
Alias: Troj/Maz.A
Type: Trojan Downloader
Discovered: November 11, 2002
Size: 4,096 bytes
Platform: Microsoft Windows 95/98/Me/NT/2000/XP
Description:
Tr/Mastaz is a trojan downloader that downloads the file "Msrexe.exe" (30,720
bytes) from a specified website and installs it in the user's \windows\system\
directory.
So that it runs each time the user restarts the computer, the following
registry value is added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"System Service"="C:\\WINDOWS\\SYSTEM\\MSREXE.EXE"
It also registers the file as a service by adding:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Swartax
"ImagePath"="C:\\WINDOWS\\SYSTEM\\MSREXE.EXE"
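Five of the advisories on this page (Worm/Lovsan.A, Worm/ExplorerZip.E, Worm/Naith.A, Worm/Yaha.M and Tr/Mastaz) persist through the same small set of registry locations, and Yaha.M's rewrite of exefile\shell\open\command is the one a responder must repair rather than delete. The script below is an added example, not Central Command's code: it parses a regedit (.reg) export offline, lists every autorun value, reports a non-default exefile command, lists service ImagePath values, and flags autorun binaries whose names sit within two edits of svchost.exe or explorer.exe (the page's scvhost.exe, svch0st.exe, SVCHOSTS.EXE and Explore.exe). SAMPLE_REG is a constructed export built from the values quoted on this page plus one benign entry; the edit-distance threshold and the list of imitated names are assumptions.

```python
r"""Audit a regedit export for the persistence entries listed on this page
(added example, not Central Command's code).  Parses the .reg text format,
lists every autorun value (Run, RunServices, RunOnce and the Windows NT
...\Windows "run" value), reports a hijacked exefile\shell\open\command,
lists service ImagePaths, and flags autorun binaries named to imitate system
processes.  SAMPLE_REG is a constructed export reproducing the page's values
plus one benign entry ("SoundMan")."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
"System Service"="C:\\WINDOWS\\SYSTEM\\MSREXE.EXE"
"Updater"="C:\\WINDOWS\\SYSTEM\\svch0st.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINNT\\System32\\Explore.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\nav32_loader.exe\"\"%1\"%*"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Swartax]
"ImagePath"="C:\\WINDOWS\\SYSTEM\\MSREXE.EXE"
"""

AUTORUN_SUFFIXES = (
    "\\currentversion\\run",
    "\\currentversion\\runservices",
    "\\currentversion\\runonce",
    "\\windows nt\\currentversion\\windows",
)
EXEFILE_KEY = "hkey_classes_root\\exefile\\shell\\open\\command"
DEFAULT_EXEFILE_CMD = '"%1" %*'
SYSTEM_NAMES = ("svchost.exe", "explorer.exe")   # assumed list of imitated binaries
MAX_EDITS = 2                                    # assumed look-alike threshold

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo regedit escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> dict:
    """{key: {value_name: data}} for string values; other types are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.groups()
        name = name if name == "@" else _unescape(name[1:-1])
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches transposed, swapped or appended characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_name(command: str) -> str:
    """Bare, lower-cased file name of the program an autorun value launches."""
    cmd = command.strip().strip('"')
    return cmd.split("\\")[-1].split('"')[0].split(" ")[0].lower()


def audit(reg_text: str) -> dict:
    keys = parse_reg(reg_text)
    report = {"autoruns": [], "lookalikes": [], "exefile_hijack": None, "service_images": []}
    for key, values in keys.items():
        k = key.lower()
        if any(k.endswith(s) for s in AUTORUN_SUFFIXES):
            for name, data in values.items():
                report["autoruns"].append((key, name, data))
                exe = exe_name(data)
                for legit in SYSTEM_NAMES:
                    # svch0st.exe, scvhost.exe, svchosts.exe, explore.exe are all close misses
                    if exe != legit and levenshtein(exe, legit) <= MAX_EDITS:
                        report["lookalikes"].append((exe, legit))
        elif k == EXEFILE_KEY:
            cmd = values.get("@", DEFAULT_EXEFILE_CMD)
            if cmd != DEFAULT_EXEFILE_CMD:
                report["exefile_hijack"] = cmd
        elif "\\currentcontrolset\\services\\" in k:
            for name, data in values.items():
                if name.lower() == "imagepath":
                    report["service_images"].append((key.split("\\")[-1], data))
    return report


if __name__ == "__main__":
    for section, entries in audit(SAMPLE_REG).items():
        print(section, entries)
```

Run it against `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run out.reg` style dumps taken from a suspect machine; an exefile_hijack result means the command value must be set back to "%1" %* before the referenced loader is removed.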
Updated 10/11/02
McAfee.com has seen a large and growing number of computers infected with the
W32/Bugbear@MM virus. The risk assessment has been UPDATED TO HIGH for home and
corporate users. Users should update their anti-virus software as soon as
possible. Please inform your visitors and/or subscribers in a timely manner.
Description:
W32/Bugbear@MM is a mass-mailing worm that attempts to send itself to email
addresses found on an infected system. It also spreads through open network
shares and can send print jobs to printers found on an infected network.
The "From:" field, subject line, message body and attachment all vary widely
and may appear to be legitimate email.
The virus attempts to disable various security products, including anti-virus
and personal firewall software.
It also tries to install a backdoor trojan that can capture what the user
types, including sensitive information such as passwords. The trojan also
allows an attacker to upload files from the infected system, download files
onto the system, run executable files and stop running processes.
Protect your system, go to: McAfee.com VirusScan Online
