W32.Sasser.xx.Worm
Discovered: 04-30-04 (Level 3 of 4); New Variant: 05-01-04; 05-02, 05-03
Aliases:
W32/Sasser.worm W32/Sasser-A, Sasser, W32/Sasser.worm, Win32.Sasser.A, W32.Sasser.Worm, WORM_SASSER.B, W32/Sasser.worm.b
Description:
W32.Sasser.Worm is a worm that exploits the Windows LSASS vulnerability (Microsoft Security Bulletin MS04-011), which allows an attacker to gain full control of the affected system. It spreads by scanning randomly chosen IP addresses on the network for vulnerable systems.
The script file CMD.FTP contains the instructions for the vulnerable system to download and execute a copy of this malware from a remote infected system using FTP on TCP port 5554.
Because this malware produces a buffer overflow in LSASS.EXE, it causes that program to crash and forces Windows to reboot.
Attachment: AVSERVE.EXE, AVSERVE2.EXE
Affected Systems:
Windows NT, Windows 2000, Windows XP, Windows Server 2003
W32.Sober.D@mm
Discovered: 03-07-04 (Level 2 of 4); Previous Variant: 12-18-03, 12-30-03
Aliases:
W32/Sober.D@mm, I-Worm.Sober.D, W32/Roca-A, Sober.D
Description:
W32.Sober.D@mm is a mass-mailing worm that sends itself as an attachment to email addresses it finds in files with specific extensions. The sender address is spoofed to appear to come from microsoft.com. The varying subjects and message bodies are written in either English or German.
Possible Email Source File Extensions:
ABD, ADB, ASP, DBX, DOC, EML, INI, LOG, MDB, PHP, PL, RTF, SHTML, TBB, TXT, WAB, XLS
From: <random>@microsoft.com
Subject: (either of the following)
Microsoft Alert: Please Read! Message-ID: <[Random Characters].qmail@microsoft.com>
Microsoft Alarm: Bitte Lesen! Message-ID: <[Random Characters].qmail@microsoft.com>
Message Body: <Random>
Variant 1 (English Variant):
New MyDoom Virus Variant Detected!
A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet.
Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus.
The worm also has a backdoor Trojan capability.
By default, the Trojan component listens on port 13468.
Protection:
Please download this digitally signed attachment.
This Update includes the functionality of previously released patches.
+++ ©2004 Microsoft Corporation. All rights reserved.
+++ One Microsoft Way, Redmond, Washington 98052
+++ Restricted Rights at 48 CFR 52.227-19
Variant 2 (German Variant):
Neue Virus-Variante W32.Mydoom verbreitet sich schnell.
Eine neue Mydoom-Variante verbreitet sich derzeit rasend schnell im Internet.
Wie seine Vorgänger verschickt sich der Wurm von infizierten Windows-Rechnern per E-Mail an weitere Adressen.
Zudem installiert er auf infizierten Systemen einen gefährlichen Trojaner!
Führende Virenspezialisten melden bereis ein vermehrtes Aufkommen des W32.Mydoom alias W32.Novarg.
Bitte daten Sie Ihr System mit dem Patch ab, um sich vor diesem Schädling zu schützen!
+++ ©2004 Microsoft Corporation. Alle Rechte vorbehalten.
+++ Microsoft Deutschland GmbH, Konrad-Zuse-Strasse
+++ 85716 Unterschleissheim, HRB 70438, DE 129 415 943
Attachment: <Random Name><Random Numbers>.exe or .zip
Random Names: Patch, MS-Security, MS-UD, UpDate, sys-patch, MS-Q
Affected Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003
To Manually Remove the W32.Sober.D Virus
Manual Cleaning On Windows 95/98/Me/NT/2000/XP Systems:
1. Update the virus definitions.
2. Restart the computer in Safe mode (NT=VGA Mode).
3. Run a full system scan and delete all the files detected as W32.Sober.D@mm.
4. Remove the values the worm added to the registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value for the file(s) detected earlier.
5. Restart the computer in Normal mode.
W32/Netsky.xx
Discovered: 02-24-04 (Level 3 of 4); Updated: 03-01-04 (Level 4 of 4); New Variant: 03-08-04
Aliases:
W32/Netsky-B, I-Worm.Moodown.B, W32/Netsky.b@MM, Moodown.B, W32.Netsky.B@mm, Win32.Netsky.B, Win32.HLLM.Foo.41984, Worm/NetSky.C, I-Worm/Netsky.C, W32.Netsky.C@mm, W32/Netsky.c@MM, Win32/Netsky.C@mm, I-Worm.NetSky.c, W32/Netsky.C@mm!petite, W32.Netsky.D@mm, W32.Netsky.gen@mm, W32/Netsky-D, NetSky.D, W32/Netsky.d@MM
Description:
W32.Netsky.xx is a mass-mailing worm that sends itself to email addresses it finds when scanning hard drives and mapped drives. It drops copies of itself in various folders that have "SHAR" in the name and are located under the Windows directory.
From: <spoofed>
(creates random email addresses from addresses & domains found on the infected computer)
Subject: (any of the following)
? hi read it immediatelly
believe me
Delivery Failed
goodmorning
hello
Here is it
hey trust me
illegal...
I'm back!
important
info
its me
last chance!
lol
moin
notice!
notification denied!
private?
Question
question
Re: <5664ddff?$??º2>
Re: excuse me
Re: hello
Re: hey exception
Re: hi
Re: important
Re: information
Re: Re: Re: Re: re: take it error
Re: unknown dear
report
something for you
Status
stolen
warning fake?
what's up?
Yep Re: does it
you?
Re: Approved
Re: Details
Re: Document
Re: Excel file
Re: Here
Re: Here is the document
Re: My details
Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your details
Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website you?
Message Body: <Random>
Attachment: <Random>.bat, .cmd, .exe, .pif, .scr, or .zip
Affected Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003
To Remove the W32/Netsky.xx Virus using Automatic Tools
Symantec - Norton W32/Netsky.xx Removal Tool
McAfee - AVERT Stinger - High Alert Virus Removal Tool
Trend Micro - System Cleaner - High Alert Virus Removal Tool
W32.Mimail.R@mm / W32.Novarg.A@mm
Discovered: 01-26-04 (Level 4 of 4)
Aliases:
W32/Mydoom@MM, WORM_MIMAIL.R, Mydoom, Win32.Mydoom.A, W32.Novarg.A@mm, W32/Mydoom.A.worm, Win32:Mydoom, Worm/MyDoom.A2, I-Worm.Win32.Mydoom.22528, Win32/Mydoom.A@mm, I-Worm.Novarg, W32/Mydoom.A@mm, Win32.HLLM.MyDoom.32768
Description:
W32.Novarg.A@mm/WORM_MIMAIL.R is a mass-mailing worm that spreads via email and the Kazaa peer-to-peer file-sharing network. The worm arrives as an attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip. The worm opens a backdoor component (SHIMGAPI.DLL) on port 3127 to allow remote users to access and manipulate infected systems.
The worm is designed to perform a denial of service (DoS) attack against www.sco.com starting on February 1, 2004.
From: <random>
(selects random email addresses from the infected computer)
Subject: (any of the following)
Error
hi
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
Message Body:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment: <Random>.bat, .cmd, .exe, .pif, .scr, or .zip
Affected Systems:
Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
To Remove the W32.Novarg.A@mm Virus using Automatic Tools
Symantec - Norton W32.Novarg.A@mm Removal Tool
McAfee - AVERT Stinger - High Alert Virus Removal Tool
Trend Micro - System Cleaner - High Alert Virus Removal Tool
W32.Beagle.A@mm
Discovered: 01-18-04 (Level 2 of 4); Upgraded: 01-20-04 (3 of 4)
Aliases:
I-Worm.Bagle, WORM_BAGLE.A, W32/Bagle-A, W32/Bagle@MM, Win32.Bagle.A, W32.Beagle.A@mm, Bagle
Description:
W32.Beagle.A@mm is an email worm that drops a file named bbeagle.exe, accesses remote Web sites, opens and listens on port 6777 to allow remote users access, and sends itself to any addresses it finds using its own SMTP engine.
The worm may also launch the Windows Calculator program (calc.exe) as cover while running in the background.
The worm self-terminates after January 28, 2004.
From: <random>
(selects random email addresses from the infected computer)
Subject: Hi
Message Body:
Test =)
<Random characters>
--
Test, yep.
Attachment: <Random>.exe
Affected Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
To Remove the W32.Beagle.A@mm Virus using Automatic Tools
Symantec - Norton W32.Beagle.A@mm Removal Tool
McAfee - AVERT Stinger - High Alert Virus Removal Tool
Trend Micro - System Cleaner - High Alert Virus Removal Tool
W32.Mimail.xx@mm
Discovered: 08-01-03 (Level 3 of 4); New Variant "C" 10-31-03 (2 of 4), Upgraded 11-02-03 (3 of 4); New Variant "D" 11-01-03 (3 of 4)
Aliases:
W32.Mimail.A@mm, W32/Mimail@MM, Mimail, Win32.Mimail.A, W32/Mimail-A, I-Worm.Mimail, WORM_MIMAIL.A, W32.Bics.A, I-Worm.WatchNet, Mimail.C, W32/Mimail.c@MM, W32/Mimail-C, Trojan.Sefex, I-Worm.Mimail.d, W32/Mimail.D@mm, Worm/Mimail.B
Description:
W32.Mimail@mm is a memory-resident mass-mailing worm that spreads via email, checks various files on your hard drive for email addresses, sends the email using its own SMTP engine, and includes information from a user's machine in the email.
Variants A & D
From: Admin <admin@your_domain>
(The from address appears as if it's coming from the same domain as your email address)
Subject: your account your_user_name
Message Body:
Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.
Best regards, Administrator
Attachment: Message.zip
Variant C
From: james@<your_domain>
(The from address appears as if it's coming from the same domain as your email address)
Subject: Re[2]: our private photos [random string of letters]
Message Body:
Hello Dear!,
Finally i've found possibility to right u, my lovely girl :) All our photos which i've made at the beach (even when u're without ur bh:)) photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Kiss, James.
Attachment: photos.zip
Affected Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
Microsoft Outlook Express 5.5, Microsoft Outlook Express 6.0
Microsoft Internet Explorer 5.01, Microsoft Internet Explorer 5.5, Microsoft Internet Explorer 6.0
To Remove the W32.Mimail.A@mm Virus using Automatic Tools
Symantec - Norton W32.Mimail.A@mm Removal Tool
McAfee - AVERT Stinger - High Alert Virus Removal Tool
Trend Micro - System Cleaner - High Alert Virus Removal Tool
To Manually Remove the W32.Mimail.A@mm Virus
Manual Cleaning On Windows 95/98/Me/NT/2000/XP Systems:
1. Restart the computer in Safe mode (NT=VGA Mode).
2. Remove the values the worm added to the registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value: videodrv.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value: videodrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units
Delete the key: {11111111-1111-1111-1111-111111111111}
3. Restart the computer in Normal mode.
4. Update the virus definitions.
5. Run a full system scan and delete all the files detected as W32.Mimail.A@mm.
W32.Welchia.Worm
Discovered: 08-18-03 (Level 2 of 4); Upgraded 08-19-03 (Level 4 of 4)
Aliases:
Welchia, W32/Welchia.worm10240, W32/Nachi.worm, WORM_MSBLAST.D, Lovsan.D
Description:
A variant of W32.Blaster.Worm that also exploits the RPC DCOM buffer overflow vulnerability in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, which allows an attacker to gain full access and execute any code on the target machine, leaving it compromised.
Oddly, although this worm shares many traits with the earlier variants, it tries to clean up the mess created by the previous Blaster worms.
Click the links below for more information on patching your computer against the DCOM RPC vulnerability.
Affected Systems:
Windows NT, Windows 2000, Windows XP
To Remove the W32.Welchia.Worm using Automatic Tools
Symantec - Norton W32.Welchia.Worm Removal Tool
McAfee - AVERT Stinger - High Alert Virus Removal Tool
Trend Micro - System Cleaner - High Alert Virus Removal Tool
Manual Cleaning On Windows 2000/XP Systems:
2. Follow the instructions
W32.Blaster.Worm
Discovered: 08-11-03 (Level 4 of 4)
Aliases:
W32/Lovsan.worm, Win32.Poza, Lovsan, WORM_MSBLAST.A, W32/Blaster-A, W32/Blaster
Description:
W32.Blaster.Worm exploits the RPC DCOM BUFFER OVERFLOW vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface which allows an attacker to gain full access and execute any code on the target machine, leaving it compromised.
The worm also attempts to perform a Denial of Service (DoS) attack on Windows Update, in an attempt to prevent you from applying the patch for the DCOM RPC vulnerability (Microsoft Security Bulletin MS03-026).
Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"
Affected Systems:
Windows 2000, Windows XP
To Remove the W32.Blaster.Worm using Automatic Tools
Symantec - Norton W32.Blaster.Worm Removal Tool
McAfee - AVERT Stinger - High Alert Virus Removal Tool
Trend Micro - System Cleaner - High Alert Virus Removal Tool
Manual Cleaning On Windows 2000/XP Systems:
2. Follow the instructions
W32.Mimail.A@mm
Discovered: 08-01-03 (Level 3 of 4)
Aliases:
W32.Mimail.A@mm, W32/Mimail@MM, Mimail, Win32.Mimail.A, W32/Mimail-A, I-Worm.Mimail, WORM_MIMAIL.A
Description:
W32.Mimail@mm is a memory-resident mass-mailing worm that spreads via email, checks various files on your hard drive for email addresses, sends the email using its own SMTP engine, and includes information from a user's machine in the email.
From: Admin <admin@your_domain>
(The from address appears as if it's coming from the same domain as your email address)
Subject: your account your_user_name
Message Body:
Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.
Best regards, Administrator
Attachment: Message.zip
Affected Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
Microsoft Outlook Express 5.5, Microsoft Outlook Express 6.0
Microsoft Internet Explorer 5.01, Microsoft Internet Explorer 5.5, Microsoft Internet Explorer 6.0
To Remove the W32.Mimail.A@mm Virus using Automatic Tools
Symantec - Norton W32.Mimail.A@mm Removal Tool
McAfee - AVERT Stinger - High Alert Virus Removal Tool
Trend Micro - System Cleaner - High Alert Virus Removal Tool
To Manually Remove the W32.Mimail.A@mm Virus
Manual Cleaning On Windows 95/98/Me/NT/2000/XP Systems:
1. Restart the computer in Safe mode (NT=VGA Mode).
2. Remove the values the worm added to the registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value: videodrv.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value: videodrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units
Delete the key: {11111111-1111-1111-1111-111111111111}
3. Restart the computer in Normal mode.
4. Update the virus definitions.
5. Run a full system scan and delete all the files detected as W32.Mimail.A@mm.
W32.Sobig.B@mm / W32.Palyh@mm
Discovered: 05-18-03 (Level 3 of 4)
Aliases:
W32.HLLW.Mankx@mm, W32/Palyh@MM, W32/Palyh-A, I-Worm.Palyh, WORM_PALYH.A, Win32.Palyh.A
Description:
W32.Sobig.B@mm / W32.Palyh@mm is a mass-mailing worm using its own SMTP engine to send itself to all the email addresses it finds in files with the following extensions:
.wab .dbx .htm .html .eml .txt
From: support@microsoft.com
Subject: (any of the following)
Approved (Ref: 38446-263)
Cool screensaver
Re: Approved (Ref: 3394-65467)
Re: Movie
Re: My application
Re: My details
Screensaver
Your details
Your password
Message Body:
All information is in the attached file.
Attachment: (any of the following)
application.pif
approved.pif
doc_details.pif
movie28.pif
password.pif
ref-394755.pif
screen_doc.pif
screen_temp.pif
your_details.pif
Affected Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
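As an added example that is not part of the original alert page, the following Python script checks an incoming message against the lure characteristics listed above for W32.Sober.D@mm, W32.Novarg.A@mm and W32.Sobig.B@mm / W32.Palyh@mm: the spoofed microsoft.com sender, the fixed subject lines, the message-body phrases and the attachment names. The sample messages are constructed here for the demonstration; build_sample and scan_raw are the example's own names, not tools from any vendor.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from the alerts above.
SOBER_D_SUBJECTS = ("Microsoft Alert: Please Read!", "Microsoft Alarm: Bitte Lesen!")
SOBER_D_NAMES = ("Patch", "MS-Security", "MS-UD", "UpDate", "sys-patch", "MS-Q")
# <Random Name><Random Numbers>.exe or .zip
SOBER_D_ATTACH = re.compile(
    r"^(?:%s)\d+\.(?:exe|zip)$" % "|".join(re.escape(n) for n in SOBER_D_NAMES),
    re.IGNORECASE)

MYDOOM_SUBJECTS = {"error", "hi", "status", "server report", "mail transaction failed",
                   "mail delivery system", "hello"}
MYDOOM_BODY = ("Mail transaction failed. Partial message is available.",
               "has been sent as a binary attachment")
MYDOOM_EXTS = (".bat", ".cmd", ".exe", ".pif", ".scr", ".zip")

PALYH_SENDER = "support@microsoft.com"
PALYH_ATTACH = {"application.pif", "approved.pif", "doc_details.pif", "movie28.pif",
                "password.pif", "ref-394755.pif", "screen_doc.pif", "screen_temp.pif",
                "your_details.pif"}


def _fields(raw):
    """Pull sender address, subject, plain-text body and attachment names out of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", "")).strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    return sender, subject, body, names


def scan_raw(raw):
    """Return the alert names whose lure pattern this message matches (possibly empty)."""
    sender, subject, body, names = _fields(raw)
    hits = []
    # Sober.D: any @microsoft.com sender plus its subject line or attachment naming scheme.
    if sender.endswith("@microsoft.com") and (
            subject.startswith(SOBER_D_SUBJECTS)
            or any(SOBER_D_ATTACH.match(n) for n in names)):
        hits.append("W32.Sober.D@mm")
    # Mydoom: executable-type attachment plus one of its fixed subjects or body phrases.
    if any(n.lower().endswith(MYDOOM_EXTS) for n in names) and (
            subject.lower() in MYDOOM_SUBJECTS or any(p in body for p in MYDOOM_BODY)):
        hits.append("W32.Novarg.A@mm")
    # Palyh: the exact spoofed sender plus one of its fixed .pif attachment names.
    if sender == PALYH_SENDER and any(n.lower() in PALYH_ATTACH for n in names):
        hits.append("W32.Sobig.B@mm / W32.Palyh@mm")
    return hits


def build_sample(sender, subject, body, filename):
    """Construct a test message shaped like the worms' mail (constructed sample, not a capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    # A few harmless bytes stand in for the attachment payload.
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_string()


if __name__ == "__main__":
    sample = build_sample("alerts@microsoft.com", "Microsoft Alert: Please Read!",
                          "Please download this digitally signed attachment.", "Patch4827.zip")
    print(scan_raw(sample))  # ['W32.Sober.D@mm']
```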
W32.HLLW.Fizzer@mm
Discovered: 05-09-03 (Level 2 of 4); Upgraded: 05-12-03 (Level 3 of 4)
Aliases:
W32/Fizzer@MM, Win32.Fizzer, W32/Fizzer-A, WORM_FIZZER.A, Fizzer, Win32/Fizzer.A@mm, I-Worm.Fizzer
Description:
W32.HLLW.Fizzer@mm is a mass-mailing worm that has both worm and backdoor capabilities. As a worm, it sends itself to all contacts in the Windows Address Book & Microsoft Outlook address book using its own SMTP (Simple Mail Transfer Protocol) engine and the Kazaa file-sharing network. As a backdoor, it uses IRC (Internet Relay Chat) servers and joins channels to communicate with a remote attacker. The worm contains a keylogger and attempts to terminate various antivirus programs if they're active.
From: Uses either the sender's address or a randomly selected email address from one of the address books.
Subject: (may have any of the following)
I thought this was interesting...
rather psychedelic...
found this on the net, you might like it...
discothèque
imbrue
Damn it feels good to be gangsta.
The way I feel - Remy Shand
Paradigm Shift
WASSUP!
Know Thyself
Hell
I love you
you need to lose weight.
why?
kind of simple, but fun nonetheless.
check it out.
little popup remover
B cannot remember
Yo, WASSUP, B?
an interesting program...
You might not appreciate this...
I think you might find this amusing...
LOL
check this out... hehehe
question...
see you tomorrow.
how are you?
Please discard if you don't like or agree with our present leadership...
Message: (may have any of the following)
I sent this program (Sparky) from anonymous places on the net.
The way to gain a good reputation is to endeavor to be what you desire to appear.
There is only one good, knowledge, and one evil, ignorance.
Watchin' the game, having a bud.
Did you ever stop to think that viruses are good for the economy? Maybe the primary creators of the world's worst viruses are the companies that make the Anti-Virus software.
Today is a good day to die...
so, how are you?
the attachment is only for you to look at
you must not show this to anyone...
delete this as soon as you look at it...
Let me know what you think of this...
If you don't like it, just delete it.
thought I'd let you know
you don't have to if you don't want to.
Attachment: (email attachment is randomly generated)
<random>.EXE
<random>.COM
<random>.PIF
<random>.SCR
W32.HLLW.Lovgate.C@mm
Discovered: 02-19-03; New Variants: 02-24-03 (Level 3 of 4)
Aliases:
WORM_LOVGATE.C, Win32/Lovgate.C@mm, W32/Lovgate.c@M, I-Worm.Supnot.c, W32/Lovgate-B, Win32.Lovgate.C, W32.HLLW.Lovgate@mm,W32/Lovgate.a@M, W32.HLLW.Lovgate.B@mm
Description:
W32.HLLW.Lovgate.C@mm is the latest variant of W32.HLLW.Lovgate@mm. This worm contains both mass-mailing and backdoor functionalities, and can spread through network shared folders and email.
The worm attempts to reply to incoming messages when they arrive in the mailbox of certain MAPI-compliant email clients, which include Microsoft Outlook. W32.HLLW.Lovgate.C@mm does this by emulating the auto-reply function of the email client.
There are no major functionality differences between the variants.
To Remove the W32.HLLW.Lovgate.C Virus using Automatic Tools
Not Yet Posted - Please Call for Assistance
W32.Lirva.C@mm
Discovered: 01-08-03; New Variants: 01-10-03 (Level 3 of 4)
Aliases:
Win32.Lirva.B, W32/Avril-B, WORM_LIRVA.C, I-Worm.Avron.b, Win32/Naith.C@mm, W32.Lirva.C@mm
Description:
This mass-mailing worm spreads itself via email, network shares, IRC, ICQ and the Kazaa peer-to-peer file-sharing network. It affects all versions of Windows. When executed, it uses Microsoft Outlook to send email to all contacts in the Windows Address Book (.wab), and gathers email recipients from files with the following extensions:
.IDX .NCH .SHTML .TBB .HTM .WAB .MBX .DBX
Win32.Lirva.C also attempts to terminate antivirus and firewall software, email cached Windows 95/98/Me dial-up networking passwords back to the virus writer, and connect to a web site on web.host.kz/ to download Back Orifice, which it then executes.
On the 7th, 11th, and 24th day of the month, the worm will launch your Web browser to www.avril-lavigne.com and display a graphic animation on the Windows desktop.
From: Uses either the sender's address or a randomly selected email address.
Subject: (may have any of the following)
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purge's Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - don't miss it!
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?
Message: (may have any of the following)
Network Associates weekly report: Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so Patch is also provided to subscribed list of Microsoft Tech Support: Patch: Date
or
Restricted area response team (RART) Attachment you sent to %s is intended to overwrite start address at 0000:HH4F To prevent from the further buffer overflow attacks apply the MSO-patch
or
Avril fans subscription FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Vote for I'm with you! Admission form attached below
or
Chart attack active list: Vote fo4r I'm with you! Vote fo4r Sk8er Boi!Vote fo4r Complicated!AVRIL LAVIGNE - THE CHART ATTACK!
or
AVRIL LAVIGNE - THE BEST Avril Lavigne's popularity increases:> SO: First, Vote on TRL for I'm With U! Next, Update your pics database! Chart attack active list:
or
AVRIL LAVIGNE - THE BEST Avril Lavigne's popularity increases:> SO: First, Vote on TRL for I'm With U! Next, Update your pics database! Orginal Message:
Attachment: (may have any of the following)
Resume.exe
ADialer.exe
MSO-Patch-0071.exe
MSO-Patch-0035.exe
Two-Up-Secretly.exe
Transcripts.exe
Readme.exe
AvrilSmiles.exe
AvrilLavigne.exe
Complicated.exe
TrickerTape.exe
Singles.exe
Sophos.exe
Cogito_Ergo_Sum.exe
CERT-Vuln-Info.exe
Sk8erBoi.exe
IAmWiThYoU.exe
Phantom.exe
EntradoDePer.exe
SiamoDiTe.exe
BioData.exe
ALavigne.exe
<random>.TXT
<random>.DOC
To Remove the Win32.Lirva.C Virus using Automatic Tools
Symantec - Norton Win32.Lirva.C Removal Tool
Trend Micro - PC-cillin Win32.Lirva.C Removal Tool
To Manually Remove the Win32.Lirva.C Virus
Manual Cleaning On Windows 95/98/Me/NT/2000 Systems:
1. Restart the computer in Safe mode.
2. Remove the value that the worm added to the registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
Avril Lavigne - Muse
3. Restart in Normal mode.
4. Update the virus definitions.
5. Run a full system scan and delete all the files detected as W32.Lirva.C@mm.
W32.Bugbear@mm
Discovered: 09-30-02 (Level 4 of 4)
Aliases:
W32/Bugbear-A, WORM_BUGBEAR.A, Win32.Bugbear, W32/Bugbear@MM, I-Worm.Tanatos, W32/Bugbear, Tanatos
Description:
W32.Bugbear@mm is a mass-mailing worm that arrives as an email attachment with a randomly generated name. The subject line and the message body are also randomly generated. This worm can also spread through network shares. It has backdoor capabilities, keystroke logging and will also attempt to disable various antivirus and firewall programs.
The email messages that this worm sends out contain no message body and may have any of the following as subjects:
$150 FREE Bonus!
25 merchants and rising
Announcement
bad news
CALL FOR INFORMATION!
click on this!
Confirmation of Recipes
Correction of errors
Daily Email Reminder
empty account
fantastic
free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
Greets!
hello!
history screen
hmm..
I need help about script!!!
Interesting...
Introduction
its easy
Just a reminder
Lost & Found
Market Update Report
Membership Confirmation
My eBay ads
New bonus in your cash account
New Contests
new reading
Payment notices
Please Help...
Report
SCAM alert!!!
Sponsors needed
Stats
Today Only
Tools For Your Online Business
update
various
Warning!
Your Gift
Your News Alert
W32.Frethem.K@mm
Discovered: 07-15-02 (Level 3 of 4)
Aliases:
I-Worm.Frethem.l, W32/Frethem.l@MM, WORM_FRETHEM.K, W32/Frethem-Fam
Description:
W32.Frethem.K@mm is a variant of W32.Frethem.xx@mm worm. It uses its own SMTP engine to send itself to email addresses that it finds in the Microsoft Windows Address Book, and in .dbx, .wab, .mbx, .eml, and .mdb files. It arrives as an attachment with the following details:
Subject: Re: Your password!
Message: You can access very important information by this
password DO NOT SAVE password to disk use
your mind now press cancel
Attachments: Decrypt-password.exe and Password.txt
W32.Liac@mm
Discovered: 07-08-02 (Level 3 of 4)
Aliases:
W32.Liac.A@mm, WORM_LIAC.A, W32/Calil-A, W32/Liac@MM
Description:
W32.Liac@mm is a mass-mailing worm written in Visual Basic. It affects all versions of Windows and hides by using an icon for movie files. When executed, it uses Microsoft Outlook to send email to all contacts in the Windows Address Book (.wab), copies itself to a Temp folder, and updates the registry so that it runs when you start Windows.
Subject: FW:FW: LILAC project video attach
Message: Things that the govt. dont want you to know
Attachment: LILAC_WHAT_A_WONDERFULNAME.avi.exe
When it runs, it displays the following message:
Windows
Error54: Media Player not installed correctly
The copy of itself will be found in one of these directories if they exist:
C:\Win98\Temp
C:\Win95\Temp
C:\Winnt\Temp
C:\Winme\Temp
C:\Winxp\Temp
C:\Windows\Temp
So that the worm runs each time that you start Windows, it adds Lilac to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Finally, the worm attempts to add or modify the following registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion:
RegisteredOwner = xEnOcrAtEs
LegalNoticeCaption = Owned by:
LegalNoticeText = Owned by: xEnOcrAtEs
On some occasions, the worm may display this message:
Your PC is infected with LILAC virus by: xEnOcrAtEs
To Manually Remove the W32.Liac@mm Virus
Update the virus definitions, run a full system scan, and delete all files that are detected as W32.Liac@mm.
Manual Cleaning On Windows 95/98/Me/NT/2000 Systems:
1. Click Start>Run, type REGEDIT and press [Enter].
2. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry: Lilac
4. In the left panel, double click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion
5. In the right panel, locate and delete the entry:
RegisteredOwner = xEn0crAtEs
6. Again in the left panel, double click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Winlogon
7. In the right panel, locate and delete the entry:
LegalNoticeCaption = Owned by:
8. Still in the right panel, delete the entry:
LegalNoticeText = Owned by: xEn0crAtEs
W32.Fbound.b@MM
Discovered: 03-14-02 (Level 3 of 4)
Aliases:
JAPANIZE.A, FIDAO.A, FIDAO, W32.Dotjaypee@mm, W32/FBound.c@mm, WORM_FIDAO, WORM_FBOUND.B, Win32/Japanize.Worm, I-Worm.Zircon.B, W32.Impo.gen@mm
Description:
This is a mass-mailing worm that mails itself to all email addresses in the infected user's Windows Address Book (WAB) and contains no payload. The email arrives with an attachment named Patch.exe and a subject that it randomly selects from a group of Japanese language phrases if the email address of the recipient ends with .jp. Otherwise, the subject is Important.
The details of the email it arrives with may be as follows:
To: <recipient>
Subject: <"Important" or random Japanese text (applicable on Japanese-supported platforms)>
Message: <blank>
Attachment: patch.exe
W32.Yarner@mm
Aliases:
YARNER, YARNER.A, YARNER.B, YAWSETUP
Description:
W32.Yarner.A@mm is a mass-mailing worm written in the Delphi language. Upon execution, this mass-mailing worm drops files and creates an entry in the AutoRun key of the system registry. It propagates via Microsoft Outlook by sending itself out to all email addresses listed in the address book of the infected user.
The worm uses MAPI to send itself as yawsetup.exe to the email addresses listed in the Microsoft Outlook address book and to addresses found by searching files with the extensions .php, .htm, .shtm, .cgi, and .pl. The message has the following characteristics:
Subject: Trojaner-Info Newsletter [Current Date]
Message Body:
Hallo !
Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de.
Hier die Themen im Ueberblick:
01. YAW 2.0 - Unser Dialerwarner in neuer Version......
To Manually Remove the W32.Yarner@mm Virus
Manual Cleaning On Windows 95/98/Me/NT/2000 Systems:
1. Scan your Windows folder with your antivirus software and take note of all files detected as WORM_YARNER.A. Do not delete these detected files just yet.
2. Click Start>Run, type REGEDIT.EXE then hit the Enter key.
3. In the left panel, double click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunOnce
4. In the right panel, look for the registry entry that is similar to the filename detected as WORM_YARNER.B. Delete this value.
5. In the left panel, double click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunOnce
6. In the right panel, look for the registry entry that is similar to the filename detected as WORM_YARNER.A. Delete this value.
7. Scan your system with your antivirus software again and delete all files detected as WORM_YARNER.A.
8. Go to your Windows folder and rename NOTEDPAD.EXE as NOTEPAD.EXE
9. In the event that this worm has already performed its payload, restore your deleted files from a clean backup.
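The manual removal steps for W32.Mimail.A@mm, W32.Lirva.C@mm, W32.Liac@mm and W32.Yarner@mm above all come down to checking a handful of registry keys. As an added example that is not part of the original page, this Python script reads a Regedit export (.reg file, created with Registry > Export) and reports the persistence entries those steps describe, so a suspect machine's export can be reviewed from a clean one. The export text and its value data are constructed samples; parse_reg and check_export are the example's own names.

```python
import re
from typing import Dict, List, Tuple

# Keys named in the manual-cleaning steps above.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
RUNONCE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)
MIMAIL_DU_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database"
                 r"\Distribution Units\{11111111-1111-1111-1111-111111111111}")
LIAC_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon",
)

# "Name"=data  or  @=data  (default value) as written by Regedit.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Regedit export into {key path (lower-cased): {value name: data}}.
    Quoted (REG_SZ) data is unescaped; other types are kept as written."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # key paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def _get_ci(values: Dict[str, str], name: str) -> str:
    """Case-insensitive value-name lookup (value names are not case-sensitive either)."""
    return next((v for k, v in values.items() if k.lower() == name.lower()), "")


def check_export(text: str) -> List[Tuple[str, str]]:
    """Return (alert name, detail) pairs for every indicator found in the export."""
    keys = parse_reg(text)
    findings: List[Tuple[str, str]] = []
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            where = f"{key}\\{name} = {data}"
            if "videodrv.exe" in data.lower():            # Mimail.A Run value
                findings.append(("W32.Mimail.A@mm", where))
            if name.lower() == "avril lavigne - muse":     # Lirva.C Run value
                findings.append(("W32.Lirva.C@mm", where))
            if name.lower() == "lilac":                    # Liac Run value
                findings.append(("W32.Liac@mm", where))
    if MIMAIL_DU_KEY.lower() in keys:                      # Mimail.A Distribution Units key
        findings.append(("W32.Mimail.A@mm", "key present: " + MIMAIL_DU_KEY))
    for key in LIAC_KEYS:
        values = keys.get(key.lower(), {})
        # The page spells the owner string both xEnOcrAtEs and xEn0crAtEs; treat 0 as O.
        if _get_ci(values, "RegisteredOwner").lower().replace("0", "o") == "xenocrates":
            findings.append(("W32.Liac@mm", f"{key}\\RegisteredOwner"))
        if _get_ci(values, "LegalNoticeCaption").startswith("Owned by:"):
            findings.append(("W32.Liac@mm", f"{key}\\LegalNoticeCaption"))
    # Yarner's RunOnce value follows the dropped filename, which the page does not fix,
    # so every RunOnce entry is listed for comparison with the scanner's detections.
    for key in RUNONCE_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            findings.append(("W32.Yarner@mm (review)", f"{key}\\{name} = {data}"))
    return findings


# Constructed export: one benign Run entry plus the indicators from the steps above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Video Driver"="C:\\WINDOWS\\videodrv.exe"
"Avril Lavigne - Muse"="C:\\WINDOWS\\Resume.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Lilac"="C:\\Windows\\Temp\\LILAC_WHAT_A_WONDERFULNAME.avi.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"yaw"="C:\\WINDOWS\\yawsetup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}]
"Installer"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="xEnOcrAtEs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon]
"LegalNoticeCaption"="Owned by:"
"LegalNoticeText"="Owned by: xEnOcrAtEs"
"""

if __name__ == "__main__":
    for alert, detail in check_export(SAMPLE_REG):
        print(f"{alert}: {detail}")
```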
WORM_MALDAL.C
Aliases:
KERZAC.A, KERZAC, W32.Reeezak.A@mm, W32.Zacker.C@mm, W32.Maldal.C@mm, W32/Maldal.c@MM
Description:
This destructive, memory-resident worm is a Visual Basic-compiled Windows executable. It propagates via email using Microsoft Outlook. It arrives in an email with the following details:
Subject: Happy New Year
Message Body: Hii
I cant describe my feelings
But all i can say is
Happy New Year :)
Bye
Attachment: CHRISTMAS.EXE
Its destructive payload deletes files in the Windows system directory.
W32.Myparty@mm
Aliases:
WORM_MYPARTY.A, MYPARTY.A, MYPARTY, W32.Myparty@mm, W32/Myparty@MM, W32/MyParty-A, Win32.MyParty, I-Worm.Myparty
Description:
This UPX-compressed mass-mailer has a built-in SMTP engine, which it uses to send itself via email to all addresses listed in the infected user's Windows Address Book (WAB) and Outlook Express database (DBX) files. It arrives in an email with the subject line "new photos from my party!" and the attachment "www.myparty.yahoo.com".
Subject: new photos from my party!
Message: Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Attachment: www.myparty.yahoo.com
To Manually Remove the W32.Myparty@mm Virus
Manual Cleaning On Windows 95/98/Me/NT/2000 Systems:
1. Update your anti-virus software and run a full scan.
2. Delete all files that are detected as W32.Myparty@mm or Backdoor.Myparty.

WORM_GONE.A
Aliases:
GONE.A, WORM_GONER.A, I-Worm.Goner, Gone, W32/Goner@MM
Description:
This worm is a Visual Basic-compiled Windows executable that propagates copies of itself via email using Microsoft Outlook and via ICQ.
It looks for certain files in memory and terminates the processes associated with them. It then executes its destructive payload, which deletes files.
To Manually Remove the Worm_Gone.A Virus
Manual Cleaning On Windows 95/98/Me Systems:
1. Restart Windows in Safe Mode (reboot your computer and, just before the large WINDOWS startup screen comes up, hit the F5 key). You can recognize that you are in Safe Mode by the text "Safe Mode" in the four corners of the desktop.
2. Click START | FIND | Files or Folders..., type Gone.scr and hit ENTER. Delete GONE.SCR (if present).
3. Click START | RUN, type REGEDIT and hit ENTER
Click the (+) next to HKEY_LOCAL_MACHINE
Click the (+) next to SOFTWARE
Click the (+) next to MICROSOFT
Click the (+) next to WINDOWS
Click the (+) next to CURRENTVERSION
Click RUN
4. Click on C:\WINDOWS\SYSTEM\gone.scr on the right and hit DELETE on the keyboard.
5. Click Registry, and click Exit.
** See Additional Windows ME Info below
6. Restart the computer.
7. Reinstall your Anti-Virus (if needed), and restart the computer.
**Additional Windows ME Info:
NOTE: Windows ME includes a backup utility that automatically backs up selected files to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete it. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse to the C:\_Restore folder and remove the infected files manually.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and, on step 5, remove the check mark next to "Disable System Restore". The infected files are removed and System Restore is once again active.
Manual Cleaning On Windows NT/2000 Systems:
1. Boot from a Windows 2000 CD and select the "repair install console."
2. Go to the %System% directory. %System% is variable; it is usually located at C:\Windows\System.
3. At the command prompt, type the following and then hit the Enter key to clear the file's system, hidden and read-only attributes:
attrib -s -h -r gone.scr
4. Type the following command and then hit the Enter key to delete the worm file:
del gone.scr
5. Restart the computer.
6. Double click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run>%System%
7. Look for the following entry and delete it:
gone.scr

W32.Nimda.A@mm
Nimda: The Computer Virus Cocktail
Nimda is a mix of several effective technologies used in previous viruses combined into one highly infectious, very fast spreading, user computer infecting, server attacking, email sending, internet clogging virus. Not only do you need to update your anti-virus software but you will also need to update Internet Explorer installed on your computer.
Symantec Security Response has received a number of submissions on W32.Nimda.A@mm and is rating it as a Category 4.
W32.Nimda.A@mm is a new mass-mailing worm that utilizes multiple methods to spread itself. The worm sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers, and is a virus infecting both local files and files on remote network shares.
To Manually Remove the Nimda Virus
1. Install NAV Update to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document "How to configure Norton AntiVirus to scan all files".
3. Run a full system scan.
4. If any files are detected as infected by W32.Nimda.A@mm or W32.Nimda.A@mm (html), click Repair.
5. If any files are detected as infected by W32.Nimda.A@mm (dr) or W32.Nimda.A@mm (dll), click Delete.
6. Reboot the computer.
7. Repeat steps 1-6 above until no more files are detected as W32.Nimda.A@mm.
8. Delete the following text from the Shell= entry in system.ini: load.exe -dontrunold
9. Remove unnecessary shares.
10. Delete the guest account from the Administrators group (if applicable).

WORM_BADTRANS.B
WORM_BADTRANS.B spreads by first copying itself into the file kernel32.exe and then registering as a system service. From that point it tries to capture sensitive data, such as passwords and financial information, by logging keystrokes and screens. The worm then creates an encrypted file with the collected data and sends it to one of several email accounts (now turned off), as well as sending files from your computer to others to spread itself to new machines.
To Manually Remove the WORM_BADTRANS.B Virus
1. Restart your computer in Safe Mode.
2. Click Start>Run, type Regedit then hit the Enter key.
3. Double click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft
>Windows>CurrentVersion>RunOnce
4. In the right panel, look for the following registry value: kernel32
5. Click the registry value and then delete it.
6. Restart your system.
7. Scan your system and delete all files detected as WORM_BADTRANS.B.
8. Search for and delete the file CP_25389.NLS.
Note: If installing on a stand-alone computer, use c:\windows\temp (not f:\temp or f:\xfer)
Tested AV Updates*
AV Update Sites
We always recommend downloading & manually installing updates.
* During high virus alerts this link may be updated to download the latest update rather than the last tested update.