W32.Zotob.xx@mm
Discovered: 08-14-05 (Level 2 of 4); New Variant: 08-14-05, 08-15-05
Aliases:
Zotob.A, W32/Zotob.worm, W32/Zotob-A, WORM_ZOTOB.A, Zotob.B, W32/Zotob.worm.b, W32/Zotob-B, WORM_ZOTOB.B, W32.Zotob.C@mm, W32/Zotob.worm.gen
Description:
W32.Zotob is yet another worm that exploits the Microsoft Windows Plug and Play service vulnerability described in Microsoft Security Bulletin MS05-039.
Affected Systems:
Windows 2000, Windows XP
W32.Zafi.D
Discovered: 12-14-04 (Level 3 of 4)
Aliases:
Win32.Zafi.D, Zafi.D, W32/Zafi.d@MM, W32/Zafi.D.worm, W32/Zafi-D, WORM_ZAFI.D, W32.Erkez.D@mm, E-Card Virus
Description:
This is a mass-mailing worm that sends itself as a holiday E-Card to email addresses found on the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the computer.
When executed, it displays a fake error message.
No software vulnerability is exploited; this is social engineering. It requires the user to run the attachment. Just plain old trickery.
Affected Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003
W32.Sasser.xx.Worm
Discovered: 04-30-04 (Level 3 of 4); New Variant: 05-01-04, 05-02-04, 05-03-04
Aliases:
W32/Sasser.worm, W32/Sasser-A, Sasser, Win32.Sasser.A, W32.Sasser.Worm, WORM_SASSER.B, W32/Sasser.worm.b
Description:
W32.Sasser.Worm is a worm that exploits the Windows LSASS vulnerability (Microsoft Security Bulletin MS04-011), which allows an attacker to gain full control of the affected system. It spreads by scanning randomly chosen IP addresses on the network for vulnerable systems.
The script file CMD.FTP contains the instructions that make the vulnerable system download and execute a copy of this malware from a remote infected system using FTP on TCP port 5554.
Because the exploit overflows a buffer in LSASS.EXE, that process crashes and Windows forces a reboot.
Attachment: AVSERVE.EXE, AVSERVE2.EXE
Affected Systems:
Windows NT, Windows 2000, Windows XP, Windows Server 2003
W32.Sober.D@mm
Discovered: 03-07-04 (Level 2 of 4); New Variant: 03-28-04; Previous Variant: 12-18-03, 12-30-03
Aliases:
W32/Sober.D@mm, I-Worm.Sober.D, W32/Roca-A, Sober.D
Description:
W32.Sober.D@mm is a mass-mailing worm that sends itself as an attachment to email addresses it finds in files with specific extensions. The sender address is spoofed so that the message appears to come from Microsoft. The varying subjects and message bodies are written in either English or German.
Possible Email Source File Extensions:
ABD, ADB, ASP, DBX, DOC, EML, INI, LOG, MDB, PHP, PL, RTF, SHTML, TBB, TXT, WAB, XLS
From: <random>@microsoft.com
Subject: (either of the following)
Microsoft Alert: Please Read!
Microsoft Alarm: Bitte Lesen!
Message-ID: <[Random Characters].qmail@microsoft.com>
Message Body: <Random>
Variant 1 (English Variant):
New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet.
Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus.
The worm also has a backdoor Trojan capability.
By default, the Trojan component listens on port 13468.
Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.
+++ ©2004 Microsoft Corporation. All rights reserved.
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19
Variant 2 (German Variant):
Neue Virus-Variante W32.Mydoom verbreitet sich schnell.
Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet.
Wie seine Vorgänger verschickt sich der Wurm von infizierten Windows-Rechnern per E-Mail an weitere Adressen.
Zudem installiert er auf infizierten Systemen einen gefährlichen Trojaner!
Führende Virenspezialisten melden bereits ein vermehrtes Aufkommen des W32.Mydoom alias W32.Novarg.
Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schädling zu schützen!
+++ ©2004 Microsoft Corporation. Alle Rechte vorbehalten.
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943
Attachment: <Random Name><Random Numbers>.exe or .zip
Random Names: Patch, MS-Security, MS-UD, UpDate, sys-patch, MS-Q
Affected Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003
W32/Netsky.xx
Discovered: 02-24-04 (Level 3 of 4); Updated: 03-01-04 (Level 4 of 4)
Aliases:
W32/Netsky-B, I-Worm.Moodown.B, W32/Netsky.b@MM, Moodown.B, W32.Netsky.B@mm, Win32.Netsky.B, Win32.HLLM.Foo.41984, Worm/NetSky.C, I-Worm/Netsky.C, W32.Netsky.C@mm, W32/Netsky.c@MM, Win32/Netsky.C@mm, I-Worm.NetSky.c, W32/Netsky.C@mm!petite, W32.Netsky.D@mm, W32.Netsky.gen@mm, W32/Netsky-D, NetSky.D, W32/Netsky.d@MM
Description:
W32.Netsky.xx is a mass-mailing worm that sends itself to email addresses it finds while scanning local hard drives and mapped drives. It also drops copies of itself into folders under the Windows directory whose names contain "SHAR".
From: <spoofed>
(creates random email addresses from addresses & domains found on the infected computer)
Subject: (any of the following)
• ? hi read it immediatelly
• believe me
• Delivery Failed
• goodmorning
• hello
• Here is it
• hey trust me
• illegal...
• I'm back!
• important
• info
• its me
• last chance!
• lol
• moin
• notice!
• notification denied!
• private?
• Question
• question
• Re: <5664ddff?$??º2>
• Re: excuse me
• Re: hello
• Re: hey exception
• Re: hi
• Re: important
• Re: information
• Re: Re: Re: Re: re: take it error
• Re: unknown dear
• report
• something for you
• Status
• stolen
• warning fake?
• what's up?
• Yep Re: does it
• you?
• Re: Approved
• Re: Details
• Re: Document
• Re: Excel file
• Re: Here
• Re: Here is the document
• Re: My details
• Re: Re: Document
• Re: Re: Message
• Re: Re: Re: Your document
• Re: Re: Thanks!
• Re: Thanks!
• Re: Word file
• Re: Your archive
• Re: Your bill
• Re: Your details
• Re: Your document
• Re: Your letter
• Re: Your music
• Re: Your picture
• Re: Your product
• Re: Your software
• Re: Your text
• Re: Your website you?
Message Body: <Random>
Attachment: <Random>.bat, .cmd, .exe, .pif, .scr, or .zip
Affected Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003
Mimail.R / Mydoom / Novarg
Discovered: 01-26-04 (Level 4 of 4); New Variant: 02-23-04, 03-02-04
Aliases:
W32/Mydoom@MM, WORM_MIMAIL.R, Mydoom, Win32.Mydoom.A, W32.Novarg.A@mm, W32/Mydoom.A.worm, Win32:Mydoom, Worm/MyDoom.A2, I-Worm.Win32.Mydoom.22528, Win32/Mydoom.A@mm, I-Worm.Novarg, W32/Mydoom.A@mm, Win32.HLLM.MyDoom.32768
Description:
W32.Novarg.A@mm/WORM_MIMAIL.R is a mass-mailing worm that spreads via email and the Kazaa peer-to-peer file-sharing network. It arrives as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip. The worm installs a backdoor component (SHIMGAPI.DLL) that listens on port 3127 to allow remote users to access and manipulate infected systems.
The worm is designed to perform a denial of service (DoS) attack against www.sco.com starting on February 1, 2004.
From: <random>
(selects random email addresses from the infected computer)
Subject: (any of the following)
• Error
• hi
• Status
• Server Report
• Mail Transaction Failed
• Mail Delivery System
• hello
Message Body:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment: <Random>.bat, .cmd, .exe, .pif, .scr, or .zip
Affected Systems:
Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
W32.Beagle.XX@mm
Discovered: 01-18-04 (Level 2 of 4); Upgraded: 01-20-04 (3 of 4); New Variant: 02-18-04, 03-02-04, 03-13-04,..... 01-27-05
Aliases:
I-Worm.Bagle, WORM_BAGLE.A, W32/Bagle-A, W32/Bagle@MM, Win32.Bagle.A, W32.Beagle.A@mm, Bagle
Description:
W32.Beagle.A@mm is an email worm that drops a file named bbeagle.exe, contacts remote Web sites, opens and listens on port 6777 to allow remote users access, and sends itself to any addresses it finds using its own SMTP engine.
From: <random>
(selects random email addresses from the infected computer)
Subject: Hi
Message Body:
Test =)
<Random characters>
--
Test, yep.
Attachment: <Random>.exe
Affected Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
W32.Mimail.xx@mm
Discovered: 08-01-03 (Level 3 of 4); New Variants ..............; New Variant "P" 01-07-04 (2 of 4)
Aliases:
W32.Mimail.A@mm, W32/Mimail@MM, Mimail, Win32.Mimail.A, W32/Mimail-A, I-Worm.Mimail, WORM_MIMAIL.A, W32.Bics.A, I-Worm.WatchNet, Mimail.C, W32/Mimail.c@MM, W32/Mimail-C, Trojan.Sefex, I-Worm.Mimail.d, W32/Mimail.D@mm, Worm/Mimail.B
Description:
W32.Mimail@mm is a memory-resident mass-mailing worm that spreads via email. It searches various files on the hard drive for email addresses, sends the email using its own SMTP engine, and includes information gathered from the user's machine in the email.
Variants A & D
From: Admin <admin@your_domain>
(The From address appears to come from the same domain as your own email address)
Subject: your account your_user_name
Message Body:
Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.
Best regards, Administrator
Attachment: Message.zip
Variant C
From: james@<your_domain>
(The From address appears to come from the same domain as your own email address)
Subject: Re[2]: our private photos [random string of letters]
Message Body:
Hello Dear!,
Finally i've found possibility to right u, my lovely girl :) All our photos which i've made at the beach (even when u're without ur bh:)) photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Kiss, James.
Attachment: photos.zip
Affected Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
Microsoft Outlook Express 5.5 , Microsoft Outlook Express 6.0
Microsoft Internet Explorer 5.01, Microsoft Internet Explorer 5.5, Microsoft Internet Explorer 6.0
W32.Welchia.Worm
Discovered: 08-18-03 (Level 2 of 4); Upgraded 08-19-03 (Level 4 of 4)
Description:
A variant of W32.Blaster.Worm which also exploits the RPC DCOM buffer overflow vulnerability in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. The vulnerability allows an attacker to gain full access and execute arbitrary code on the target machine, leaving it compromised.
W32.Blaster.Worm
Discovered: 08-11-03 (Level 4 of 4)
Description:
W32.Blaster.Worm exploits the RPC DCOM buffer overflow vulnerability in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. The vulnerability allows an attacker to gain full access and execute arbitrary code on the target machine, leaving it compromised.
W32.Sobig.x@mm / W32.Palyh@mm
Discovered: 05-18-03 (Level 3 of 4); New Variant: SoBig.E (6-25-03); New Variant: SoBig.F (8-19-03)
Description:
W32.Sobig.B@mm / W32.Palyh@mm is a mass-mailing worm using its own SMTP engine to send itself to all the email addresses it finds in files with the following extensions:
.wab .dbx .htm .html .eml .txt
W32.HLLW.Fizzer@mm
Discovered: 05-09-03 (Level 2 of 4); Upgraded: 05-12-03 (Level 3 of 4)
Description:
W32.HLLW.Fizzer@mm is a mass-mailing worm that has both worm and backdoor capabilities. As a worm, it sends itself to all contacts in the Windows Address Book & Microsoft Outlook address book using its own SMTP (Simple Mail Transfer Protocol) engine and the Kazaa file-sharing network. As a backdoor, it uses IRC (Internet Relay Chat) servers and joins channels to communicate with a remote attacker. The worm contains a keylogger and attempts to terminate various antivirus programs if they're active.
W32.HLLW.Lovgate.C@mm
Discovered: 02-19-03; New Variants: 02-24-03 (Level 3 of 4)
Description:
W32.HLLW.Lovgate.C@mm is the latest variant of W32.HLLW.Lovgate@mm. This worm contains both mass-mailing and backdoor functionalities, and can spread through network shared folders and email.
W32.Lirva.C@mm
Discovered: 01-08-03; Status Upgrade: 01-10-03 (Level 3 of 4)
Description:
This mass-mailing worm spreads itself via email, network-shares, IRC, ICQ and the peer-to-peer file-sharing of Kazaa. It affects all versions of Windows. When executed, it uses Microsoft Outlook to send email to all contacts in the Windows Address Book (.wab), and gathers email recipients from files with the following extensions:
.IDX .NCH .SHTML .TBB .HTM .WAB .MBX .DBX
W32.Bugbear@mm
Discovered: 09-30-02 (Level 4 of 4)
Description:
W32.Bugbear@mm is a mass-mailing worm that arrives as an email attachment with a randomly generated name. The subject line and the message body are also randomly generated. This worm can also spread through network shares. It has backdoor capabilities, keystroke logging and will also attempt to disable various antivirus and firewall programs.
W32.Frethem.K@mm
Discovered: 07-15-02 (Level 3 of 4)
Description:
W32.Frethem.K@mm is a variant of W32.Frethem.xx@mm worm. It uses its own SMTP engine to send itself to email addresses that it finds in the Microsoft Windows Address Book, and in .dbx, .wab, .mbx, .eml, and .mdb files.
W32.Liac@mm
Discovered: 07-08-02 (Level 3 of 4)
Description:
W32.Liac@mm is a mass-mailing worm written in Visual Basic. It affects all versions of Windows and disguises itself by using the icon for movie files. When executed, it uses Microsoft Outlook to send email to all contacts in the Windows Address Book (.wab), copies itself to disk, and updates the registry so that it runs when Windows starts.
W32.KLEZ.xx@MM
Discovered: 10-21-01; New Variants: 01-17-02, 04-17-02 (Level 4 of 4)
Description:
When this mass-mailing worm is executed, it copies itself to the C:\Windows\System or C:\Winnt\System32 folder as Wink<random characters>.exe. In addition to using SMTP to propagate via email, the worm also copies itself to local, mapped, and network drives. Messages arrive with random subject lines, message bodies, and attachment file names.
Is This Real or Not?
For More Information on Virus & Other Internet Hoaxes:
Online Virus Scanners
If you haven't installed an antivirus program, or you believe you are already infected and can't install one, or the one you installed has been disabled, click the link below to perform an online scan:
Norton Anti-Virus Update Errors
If you're having problems with the new definition updates not completing even though you have a known good subscription: download and install the two (2) LiveUpdate patches, then run the update twice.
Many users are reporting problems with email protection being disabled after updating virus definitions. Systems By... doesn't use this feature by default, because viruses will still be caught when the file is executed.
As of January 2004 Norton AntiVirus is experiencing a high failure rate that causes computers to crash. At the very least, some computers cannot access the internet. Uninstalling NAV (which may require an additional uninstall program) can restore functionality.
As a temporary measure please use the Online Virus Scanner (above).