This part of ViruZones was put together to archive viruses from
the main page. We suggest you still refer to this page in case you
need to refresh your memory on viruses that we've posted.
W32.Randex.EUS
Discovered on: August 16, 2005
W32.Randex.EUS is a network-aware
worm that spreads to network shares
protected by weak passwords. The worm
also opens a back door on the
compromised computer and may be
remotely controlled through IRC channels.
Systems Affected: Windows 2000,
Windows 95, Windows 98, Windows Me, Windows
NT, Windows Server 2003, Windows XP
Threat Assessment: High
This worm started attacking CNN facilities in New York and Atlanta at 5:00 p.m. and ABC in New York at 1:30 p.m. The outage may also have been caused by the Zotob worm, which was released last weekend. The worm connects to a control server to ask for instructions, and it scans network neighborhoods and tries to infect them as well. Several versions of the worm have been released, some as late as Tuesday. While the worm primarily affects Windows 2000, it can also affect some early versions of XP. At any given time, there are thousands of computer worms and viruses in existence; most are stopped from becoming widespread problems by anti-virus software.
UPDATE your anti-virus and check
Microsoft for updates and patches.
W32.Beagle.BW@mm
is a mass-mailing worm that uses its own SMTP engine to send
out copies of Trojan.Tooso.J. The worm also opens a back door on the
compromised computer on TCP port 80.
W32.Reatle.C@mm
is a variant of W32.Reatle@mm, and is a mass-mailing worm that opens a back door and attempts to spread by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (Microsoft Security Bulletin MS04-011) on TCP port 445. It also downloads a copy of W32.Rants.B@mm and a variant of W32.Spybot.Worm.
W32.Kelvir.FK
Discovered on: July 17, 2005
W32.Kelvir.FK is a worm that spreads through MSN Messenger and drops a
copy of
W32.Spybot.Worm.
W32.Kelvir.FJ
Discovered on: July 16, 2005
W32.Kelvir.FJ is a worm that spreads through MSN Messenger.
W32.Looked.E
Discovered on: July 16, 2005
W32.Looked.E is a worm that spreads through network shares and attempts to
infect .exe files. It also lowers security settings and downloads and
executes a remote file.
Note: Definitions prior to July 14, 2005 may detect this worm as
PWSteal.Lemir.Gen.
W32.Rants.B@mm is a mass-mailing worm
that spreads using Microsoft Outlook,
MSN Messenger and the America Online user interface. It also ends
security-related processes and disables Windows security features.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows
NT, Windows Server 2003, Windows XP
Threat Assessment for all is HIGH
Damage Assessment is also HIGH
Trojan.Ascetic.C
Discovered on: May 15,
2005
Last Updated on: May 18, 2005 03:36:46 PM
Trojan.Ascetic.C
is a Trojan horse that uses its own SMTP engine to send spam email to
addresses gathered from the compromised computer. The email may be in
either English or German.
Note: Definitions prior to May 16, 2005 may detect this threat as
W32.Sober.P@mm.
W32.Mytob.CE@mm
is a mass-mailing worm with back door functionality that uses
its own SMTP engine to send an email to addresses that it gathers from the
compromised computer.
W32.Mytob.CF@mm
is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm also opens a back door and spreads through the network by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows
NT, Windows Server 2003, Windows XP
Threat Assessment: High
Damage Assessment: High
If you get one of these viruses, don't try to remove it yourself. Call CEnet in NC at 336-372-4029 or LSNet in VA at 276-236-3400 for HELP!!!!
W32.Mytob.AE@mm is
a mass-mailing worm that uses its own SMTP engine to send
an email to addresses that it gathers from the compromised computer. The
worm
spreads by exploiting the DCOM RPC vulnerability (described in Microsoft
Security Bulletin MS03-026) and the Microsoft Windows Local Security
Authority Service Remote Buffer Overflow (described in Microsoft Security
Bulletin MS04-011).
VBS.Ypsan.D@mm
is a mass-mailing worm that sends itself to all email addresses
gathered from the Windows Address Book and attempts to shut down the
compromised computer.
W32.Kipis.N@mm
is a mass-mailing network-aware worm that spreads by sending an
email to addresses it finds on an infected computer. The worm also copies
itself to folders which contain the string "share".
W32.Myfip.AB
Discovered on: April 08, 2005
W32.Myfip.AB is a network-aware worm that steals files from a compromised
computer.
W32.Mytob.AD@mm
is a mass-mailing worm that uses its own SMTP engine to send
an email to addresses that it gathers from the compromised computer. The
worm
spreads by exploiting the DCOM RPC vulnerability (described in Microsoft
Security Bulletin MS03-026) and the Microsoft Windows Local Security
Authority Service Remote Buffer Overflow (described in Microsoft Security
Bulletin MS04-011).
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows
NT, Windows Server 2003, Windows XP
Threat Assessment for all the viruses above: High
Damage Assessment for all the viruses above: High
If you get one of these viruses, don't try to remove it yourself. Call CEnet in NC at 336-372-4029 or LSNet in VA at 276-236-3400 for HELP!!!!
W32.Mytob family
This family of viruses consists of mass-mailing worms with back door capabilities. The worm uses its own SMTP engine to send email to addresses that it gathers from the compromised computer. The worm also spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Threat Assessment: High
Damage Assessment: High
If you get one of these viruses, don't try to remove it yourself. Call CEnet in NC at 336-372-4029 or LSNet in VA at 276-236-3400 for HELP!!!!
W32.Chod@mm is a
mass-mailing worm that also propagates using MSN Messenger. The worm has
back door capabilities and can be controlled through IRC
channels. It also overwrites the Hosts file and lowers security settings.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows
NT, Windows Server 2003, Windows XP
Threat Assessment: High
If you get this virus, don't try to remove it yourself. Call CEnet in NC at 336-372-4029 or LSNet in VA at 276-236-3400 for HELP!!!!
W32.Mytob.E@mm
is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the Windows Address Book on the compromised computer.
The worm also has the ability to open a back door and spread through the
network by exploiting the Microsoft Windows Local Security Authority
Service
Remote Buffer Overflow vulnerability (described in Microsoft Security
Bulletin
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows
NT, Windows Server 2003, Windows XP
Threat Assessment: High
If you get this virus, don't try to remove it yourself. Call CEnet in NC at 336-372-4029 or LSNet in VA at 276-236-3400 for HELP!!!!
W32.Beagle.BK@mm
is a mass-mailing worm that uses its own SMTP engine to send out copies of Trojan.Tooso.E. The worm also opens a back door on the compromised computer through TCP port 80.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows
NT, Windows Server 2003, Windows XP
Threat Assessment: High
If you get this virus, don't try to remove it yourself. Call CEnet in NC at 336-372-4029 or LSNet in VA at 276-236-3400 for HELP!!!!
W32.Mydoom.BA@mm
is a mass-mailing worm that uses its own SMTP engine to send email to addresses that it gathers from the Windows Address Book on a compromised computer.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Threat Assessment: High
Damage Assessment: High
The worm uses its own SMTP engine to send itself to the email addresses that it finds. The email may have the following properties:
From:
The From address is spoofed. The From address may also appear to have been returned undeliverable, using the following display names at various domains:
* Postmaster
* Mail Administrator
* Automatic Email Delivery Software
* Post Office
* The Post Office
* Bounced mail
* Returned mail
* MAILER-DAEMON
* Mail Delivery Subsystem
Subject:
One of the following:
* hello
* hi
* error
* status
* test
* report
* delivery failed
* Message could not be delivered
* Mail System Error - Returned Mail
* Delivery reports about your e-mail
* Returned mail: see transcript for details
* Returned mail: Data format error delivered
If you get this virus, don't try to remove it yourself. Call CEnet in NC at 336-372-4029 or LSNet in VA at 276-236-3400 for HELP!!!!
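The Mydoom write-ups above (and the Mydoom.R/.P entries further down) describe the same three tells: a spoofed "bounce" display name, one of a fixed set of subjects, and an executable attachment. The following Python triage routine, added here as an illustration and not taken from the page or any vendor tool, scores a message on those three tells using the lists the page gives; the sample messages are constructed, and the decision rule deliberately treats a genuine bounce (same display name and subject, no executable attachment) as clean.

```python
"""Heuristic triage for Mydoom-style bounce-spoofing mass mailers (added
example, not part of the ViruZones page or any vendor write-up). It scores a
message on the three traits the Mydoom.BA/.AX/.M and Mydoom.R/.P descriptions
share: a spoofed "bounce" display name in From, one of the listed subjects,
and an attachment whose final extension is executable, possibly hidden behind
a double extension. Sample messages are constructed, not captured.
"""
import email
import email.policy
import email.utils
import os

# Display names the page lists for the spoofed From header (Mydoom.BA / .AX).
BOUNCE_DISPLAY_NAMES = {
    "postmaster", "mail administrator", "automatic email delivery software",
    "post office", "the post office", "bounced mail", "returned mail",
    "mailer-daemon", "mail delivery subsystem",
}
# Subjects listed for Mydoom.BA / .AX / .M, compared case-insensitively.
WORM_SUBJECTS = {
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "delivery reports about your e-mail",
    "returned mail: see transcript for details",
    "returned mail: data format error delivered",
    "returned mail: data format error",
}
# Attachment extensions the Mydoom.R / .P descriptions give.
EXEC_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}


def risky_attachment(filename):
    """Return the executable extension if `filename` ends in one, else None.

    Only the last extension counts, so "message.txt.scr" is caught: Windows
    picks the handler by the final extension, whatever precedes it.
    """
    if not filename:
        return None
    ext = os.path.splitext(filename.strip())[1].lower()
    return ext if ext in EXEC_EXTENSIONS else None


def triage_message(raw):
    """Return {"hits": {...}, "score": 0..3, "attachments": [...]}."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    display_name, _addr = email.utils.parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", "")).strip().lower()
    attachments = [part.get_filename() for part in msg.walk()
                   if part.get_content_disposition() == "attachment"]
    hits = {
        "bounce_display_name": display_name.strip().lower() in BOUNCE_DISPLAY_NAMES,
        "worm_subject": subject in WORM_SUBJECTS,
        "exec_attachment": any(risky_attachment(n) for n in attachments),
    }
    return {"hits": hits, "score": sum(hits.values()), "attachments": attachments}


def is_suspect(raw):
    # A genuine bounce shares the display name and subject; the executable
    # attachment is what separates the worm from a real delivery report.
    hits = triage_message(raw)["hits"]
    return hits["exec_attachment"] and (hits["bounce_display_name"] or hits["worm_subject"])


# Constructed sample following the pattern the Mydoom.BA/.AX descriptions give.
SAMPLE_WORM = """\
From: Mail Delivery Subsystem <noreply@example.invalid>
Subject: Returned mail: see transcript for details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--b1
Content-Type: application/octet-stream; name="message.txt.scr"
Content-Disposition: attachment; filename="message.txt.scr"

(attachment body omitted in this constructed sample)
--b1--
"""
# Constructed sample of a genuine bounce, which must not be flagged.
SAMPLE_REAL_BOUNCE = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@mx.example.invalid>
Subject: Returned mail: see transcript for details
Content-Type: text/plain

The original message was received at Mon, 14 Feb 2005 10:00:00 -0500
----- The following addresses had permanent fatal errors -----
"""

if __name__ == "__main__":
    for label, raw in (("worm-like", SAMPLE_WORM), ("real bounce", SAMPLE_REAL_BOUNCE)):
        print(label, triage_message(raw), "SUSPECT" if is_suspect(raw) else "ok")
```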
W32.Mydoom.AX@mm
is a mass-mailing worm that uses its own SMTP engine to send email to addresses that it gathers from the Windows Address Book on a compromised computer.
Note: Virus definitions version 70216x (extended version 2/16/2005 rev. 24) or greater are required to detect this threat.
Also Known As: Win32.Mydoom.AU [Computer Associates], Email-Worm.Win32.Mydoom.am [Kaspersky Lab], W32/Mydoom.bb@MM [McAfee], WORM_MYDOOM.BB [Trend Micro]
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Threat Assessment: High
From:
The From address is spoofed. The From address may also appear to have been returned undeliverable, using the following display names at various domains:
* Postmaster
* Mail Administrator
* Automatic Email Delivery Software
* Post Office
* The Post Office
* Bounced mail
* Returned mail
* MAILER-DAEMON
* Mail Delivery Subsystem
Subject:
One of the following:
* hello
* hi
* error
* status
* test
* report
* delivery failed
* Message could not be delivered
* Mail System Error - Returned Mail
* Delivery reports about your e-mail
* Returned mail: see transcript for details
* Returned mail: Data format error delivered
If you get this virus, do not try to
fix it yourself, call CEnet at
(336)372-4029 or (336)414-7350 in North Carolina, or call
LSnet at (276)236-3400 in Virginia.
W32.Sober.I@mm
is a mass-mailing worm that uses its own SMTP engine to spread by sending itself as an email attachment to addresses gathered from the infected computer.
The subject of the email varies and will be in either English or German. The email sender address is spoofed. The name of the email attachment varies, and it will have a .bat, .com, .pif, .scr, or .zip file extension. The attachment may also have a double extension.
This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX.
Also Known As: Win32.Sober.I [Computer Associates], Sober.I [F-Secure], I-Worm.Sober.i [Kaspersky], W32/Sober.j@MM [McAfee], W32/Sober.I@mm [Norman], W32/Sober.I.worm [Panda], W32/Sober-I [Sophos], WORM_SOBER.I [Trend Micro]
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP.
Threat Assessment: High
Damage Assessment: High
Note:
* In certain circumstances the worm may corrupt itself. Should this happen, the worm will not execute on the computer, and antivirus software may be unable to detect it. When a computer is infected with a corrupt version of W32.Sober.I@mm, command prompt windows may be displayed briefly when Windows starts. The W32.Sober@mm Removal Tool will be unable to uninstall corrupt versions of W32.Sober.I@mm, and it is necessary to reinstall the Windows operating system on your computer. If you get this virus, don't try to remove it yourself. Call CEnet in NC at 336-372-4029 or LSNet in VA at 276-236-3400 for HELP!!!!!
W32.Mydoom.AK@mm
is a mass-mailing worm that exploits the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (as described in Bugtraq ID 11515). The worm also spreads by sending an email to addresses that it finds on the infected computer.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Threat Assessment: High
Be on the lookout for messages from PayPal: don't follow the link to view details about an order, as it could infect your computer.
If you get infected you can get help at CEnet in NC or LSNet in VA.
W32.Mydoom.AF@mm
is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on an infected system. The worm also contains back door functionality which allows unauthorized remote access to the infected computer.
The email will have a variable subject and attachment name. The attachment will have a .cpl, .pif, or .scr file extension.
The threat is packed with UPX.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Netsky.AD@mm
is a mass-mailing worm that uses its own SMTP engine
to send
itself to the email addresses it finds on the infected computer.
The email subject, message body, and attachment are variable.
This threat is compressed with UPX and PCPEC.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows
NT, Windows XP
Threat Assessment: High
W32.Funner
Discovered on: October 11, 2004
W32.Funner is a worm that spreads using Microsoft's Windows Messenger
instant
message program and modifies the hosts file.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows
NT, Windows Server 2003, Windows XP
Threat Assessment: Low
Latest virus threats and security advisories
It has been a lull in the virus world for the past two weeks, but not a dead one. There are six new viruses of low threat:
Trojan.Tannick
W97M.Kamal
Trojan.Comxt
Trojan.AdRmove
W32.Fili@mm
W32.Bagz.B@mm
Security advisory: Microsoft GDI+ Library JPEG Segment Length Integer Underflow Vulnerability.
Risk: High
Date Discovered: 09-14-2004
Description
The Microsoft GDI+ (Graphics Device Interface) JPEG handler is reported prone to an integer underflow vulnerability when handling JPEG format images. This issue presents itself due to a lack of sufficient sanity checks performed on certain JPEG data before this data is employed as a bounds value for a memory copy operation.
A specially crafted JPEG image may trigger this vulnerability and result in the execution of arbitrary attacker-supplied code. Code execution would occur in the context of the user who is running the vulnerable software.
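To make the "missing sanity check" concrete, here is a small JPEG marker-segment walker in Python, added as an illustration and not taken from the advisory or from Microsoft's code. It relies only on the JPEG format rule that a segment's 2-byte length field counts its own two bytes, and shows why a length of 0 or 1 must be rejected before the subtraction that yields the payload size; the sample images are constructed byte strings.

```python
"""Safe JPEG marker-segment walker (added example, not the advisory's or
Microsoft's code). It applies the sanity check the GDI+ description says was
missing: a marker segment's 2-byte length field counts itself, so the payload
is length - 2; a length of 0 or 1 must be rejected before that subtraction, or
the payload size wraps to a huge value and a later copy overruns its buffer.
Sample images below are constructed byte strings, not real files.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


class MalformedJpeg(ValueError):
    """Raised instead of trusting a length that cannot be right."""


def unchecked_payload_length(length_field):
    """What a 16-bit length becomes if 2 is subtracted without validation.

    Emulates unsigned wrap-around: 0 -> 65534, 1 -> 65535. Used as a bounds
    value for a memory copy, that reads or writes far past the segment.
    """
    return (length_field - 2) & 0xFFFF


def walk_segments(data):
    """Return [(marker, payload)] for the header segments of `data`.

    Stops at SOS (entropy-coded scan data follows) or EOI.
    """
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise MalformedJpeg("missing SOI marker")
    pos, segments = 2, []
    while pos < len(data):
        if data[pos] != 0xFF:
            raise MalformedJpeg(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise MalformedJpeg("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            break
        if marker in STANDALONE:
            segments.append((marker, b""))
            continue
        if pos + 2 > len(data):
            raise MalformedJpeg("truncated length field")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        # The two checks that matter: the length includes its own two bytes,
        # so anything below 2 would underflow, and the segment must fit.
        if length < 2:
            raise MalformedJpeg(f"segment 0x{marker:02X}: length {length} < 2")
        if pos + length > len(data):
            raise MalformedJpeg(f"segment 0x{marker:02X} runs past end of data")
        segments.append((marker, bytes(data[pos + 2:pos + length])))
        pos += length
        if marker == SOS:
            break
    return segments


def is_well_formed(data):
    """True if every header segment passes the length checks."""
    try:
        walk_segments(data)
    except MalformedJpeg:
        return False
    return True


def build_jpeg(segments):
    """Assemble a minimal JPEG header from (marker, payload) pairs (constructed)."""
    out = bytearray(b"\xFF\xD8")
    for marker, payload in segments:
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + b"\xFF\xD9")


GOOD_JPEG = build_jpeg([(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"),
                        (0xFE, b"sample comment")])
# COM segment whose length field says 1: never valid, and the case that wraps.
BAD_COM_LENGTH = b"\xFF\xD8\xFF\xFE" + struct.pack(">H", 1) + b"\xFF\xD9"
# COM segment claiming 500 bytes in a file that holds 3.
TRUNCATED_COM = b"\xFF\xD8\xFF\xFE" + struct.pack(">H", 500) + b"abc"
```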
Platforms Affected
Microsoft Excel 2002 SP3
Microsoft Excel 2003
Microsoft FrontPage 2002 SP3
Microsoft FrontPage 2003
Microsoft InfoPath 2003
Microsoft MSN Messenger Service 9.0
Microsoft OneNote 2003
Microsoft Outlook 2002 SP3
Microsoft Outlook 2003
Microsoft PowerPoint 2002 SP3
Microsoft PowerPoint 2003
Microsoft Publisher 2002 SP3
Microsoft Publisher 2003
Microsoft Visual Basic .NET Standard 2002
Microsoft Visual Basic .NET Standard 2003
Microsoft Visual C# .NET Standard 2002
Microsoft Visual C# .NET Standard 2003
Microsoft Visual C++ .NET Standard 2002
Microsoft Visual C++ .NET Standard 2003
Microsoft Visual J# .NET Standard 2003
Microsoft Word 2002 SP3
Microsoft Word 2003
Microsoft has no fix for this to date, but Microsoft is working on it.
With this lull in the virus world, now would be a good time to stop by for a virus check-up: in VA call LSNet at the Galax office, 276-236-3400, or in NC call CEnet at the Glade Valley office, 336-372-4029.
W32.Mydoom.R@mm
is a mass-mailing worm that uses its own SMTP engine to send
itself to the email addresses that it finds on an infected computer. The
email contains a spoofed From address. The subject and message body vary,
and
the attachment has a .bat, .cmd, .exe, .pif, .scr, or .zip extension.
This threat is packed using UPX.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Threat Assessment: High
Subject: The subject may be one of the following:
* <Garbage string>
* <none>
* document
* Error
* hello
* hi
* Information
* Mail Delivery System
* Mail Transaction Failed
* message
* RE:my .....
* RE:test
* readme
* Server Report
* Status
* test
Message: The message may be one of the following:
* !!!!!!!!!!!, check the attachment!!!.
* (Norton Anti Virus : No Viruses Found , Check The Attachment For More Information.
* (Norton Antic Virus, Panda, McAfee No Viruses Found).
* Check the attachment for more information!.
* check the attachment to get the latest news.
* check.
* come back my friend.
* error , sorry we can't send the email so check the attachment.
* error to send the mail!!!!!.
* error, check the attachment for more information.
* failed to send the email!, check the attachment for more information.
* failed, check the attachment for more information.
* hello :)
* hello check the attachment thx.
* hello.
* here is what you need, thx.
* loooooool ;)))
* Mail transaction failed. Partial message is available.
* sorry we can't send the mail try later , check the attachment for more information.
* the attachment for more information.
* Try Later, Check the Attachment.
* you can check the attachment for more information.
* your attachment , thx.
Threat Assessment: High
Damage Assessment: High, due to the damage to the system files and regedit. If you get this worm, call CEnet or LSNet for help.
I do not recommend you try to fix this virus yourself.
W32.Mydoom.P@mm
is a mass-mailing worm that uses its own SMTP engine to send
itself to the email addresses that it finds on an infected computer. The
email contains a spoofed From address. The subject and message body vary,
and the attachment has a .bat, .cmd, .exe, .pif, .scr, or .zip extension.
This threat is packed using UPX.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows
NT, Windows Server 2003, Windows XP
Threat Assessment: High
Damage Assessment: High
I've removed 16 of this virus from one computer on Saturday and 1 from a laptop. I do not recommend you try to fix this virus yourself. Damage Assessment is high due to the damage to the system files and regedit; if you get this worm, call CEnet or LSNet for help.
W32.Mydoom.M@mm
is a mass-mailing worm that drops and executes a backdoor,
detected as Backdoor.Zincite.A, that listens on TCP port 1034. The worm
uses
its own SMTP engine to send itself to email addresses it finds on the
infected computer.
The email contains a spoofed From address, and the Subject and Body text
will
vary. The attachment name will also vary.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows
NT, Windows Server 2003, Windows XP
From:
The From address will be spoofed.
Subject: (One of the following)
* hello
* error
* status
* test
* report
* delivery failed
* Message could not be delivered
* Mail System Error - Returned Mail
* Delivery reports about your e-mail
* Returned mail: see transcript for details
* Returned mail: Data format error
W32.Beagle.AB@mm
is a mass-mailing worm that uses its own SMTP engine to spread through email and opens a backdoor on TCP port 1080.
The email's subject line, body, and attachment name vary. The attachment will have a .com, .cpl, .exe, .hta, .scr, .vbs, or .zip file extension.
The worm is packed with UPX.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Attempts to create copies of itself in any folder that contains the
characters "shar". The files will have the following file names:
* ACDSee 9.exe
* Adobe Photoshop 9 full.exe
* Ahead Nero 7.exe
* Kaspersky Antivirus 5.0
* KAV 5.0
* Matrix 3 Revolution English Subtitles.exe
* Microsoft Office 2003 Crack, Working!.exe
* Microsoft Office XP working Crack, Keygen.exe
* Microsoft Windows XP, WinXP Crack, working Keygen.exe
* Opera 8 New!.exe
* Porno pics arhive, xxx.exe
* Porno Screensaver.scr
* Porno, sex, oral, anal cool, awesome!!.exe
* Serials.txt.exe
* WinAmp 5 Pro Keygen Crack Update.exe
* WinAmp 6 New!.exe
* Windown Longhorn Beta Leak.exe
* Windows Sourcecode update.doc.exe
* XXX hardcore images.exe
Threat Assessment: High
Damage Assessment: High, due to the damage to the system files and regedit. If you get this worm, call CEnet or LSNet for help.
I do not recommend you try to fix this virus yourself.
W32.Evaman@mm is a mass-mailing worm that spreads to addresses found at the website email.people.yahoo.com. This worm arrives as an attachment with a .exe or .scr extension.
Subject: one of the following:
* Delivery Status (Failure)
* failed transaction
* failure delivery
* mail failure
* returned mail
* server error
Threat Assessment: High
Damage Assessment: High, due to the damage to the system files and regedit. If you get this worm, call CEnet or LSNet for help.
I do not recommend you try to fix this virus yourself.
* A variant of
W32.Bugbear.B@mm and
W32.Bugbear.E@mm.
* A mass-mailing worm that also spreads through
network shares.
* Polymorphic and also infects .exe files.
* Possesses keylogging capabilities.
When W32.Bugbear.K@mm
is executed, it performs the following actions:
1. Copies itself as %System%\<random filename>.exe.
Note: %System% is a variable. The worm locates the System folder and
copies itself to that location. By default, this is
C:\Windows\System (Windows
95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32
(Windows XP).
2. Drops three files as %System%\<random filename>.dll.
Note: One of the .dll files is detected as PWS.Hooker.Trojan and
should be deleted. The other two files are not malicious.
3. Creates a randomly named file with a .tmp extension in the %System%
folder. This is a .zip file containing a copy of the worm.
4. Creates a randomly named .nls file in the %System% folder. This file
is not malicious.
5. Creates several randomly named .dat files, and a .bak file in the %Windir%
folder. These files are not malicious.
Note: %Windir% is a variable. The worm locates the Windows
installation folder (by default, this is C:\Windows or C:\Winnt) and
copies itself to that location.
6. Adds the value:
"<random value>" = "%System%\<random filename>.exe" in the registry
key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so
that the worm runs when Windows starts.
7. The worm is also a polymorphic file infector that attempts to append
its code to the following files in the %Windir% folder and %ProgramFiles%
folder:
* scandskw.exe
* regedit.exe
* mplayer.exe
* hh.exe
* notepad.exe
* winhelp.exe
* Internet Explorer\iexplore.exe
* adobe\acrobat 7.0\reader\acrord32.exe
* WinRAR\WinRAR.exe
* Windows Media Player\mplayer2.exe
* Real\RealPlayer\realplay.exe
* Outlook Express\msimn.exe
* Far\Far.exe
* CuteFTP\cutftp32.exe
* Adobe\Acrobat 6.0\Reader\AcroRd32.exe
* Adobe\Acrobat 5.0\Reader\AcroRd32.exe
* Adobe\Acrobat 4.0\Reader\AcroRd32.exe
* ACDSee32\ACDSee32.exe
* MSN Messenger\msnmsgr.exe
* WS_FTP\WS_FTP95.exe
* QuickTime\QuickTimePlayer.exe
* StreamCast\Morpheus\Morpheus.exe
* Zone Labs\ZoneAlarm\ZoneAlarm.exe
* Trillian\Trillian.exe
* Lavasoft\Ad-aware 6\Ad-aware.exe
* AIM95\aim.exe
* Winamp\winamp.exe
* DAP\DAP.exe
* ICQ\Icq.exe
* kazaa\kazaa.exe
* winzip\winzip32.exe
Note: %ProgramFiles% is a variable that refers to the path to
the program files folder. By default, this is C:\Program Files.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows Server 2003, Windows XP
Threat Assessment: High
Damage Assessment: High, due to the damage to the system files and regedit. If you get this worm, call CEnet or LSNet for help.
CEnet encourages all users to adhere to the following basic security "best practices":
1 Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
2 If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
3 Always keep your patches and updates for Windows up-to-date, and run a firewall and anti-virus.
I do not recommend you try to fix this virus yourself.
Henry!!!!!
W32.Korgo!gen
Discovered on: June 23, 2004
W32.Korgo!gen is a generic detection that detects variants of W32.Korgo.
W32.Korgo is a family of worms that attempts to propagate by exploiting
the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in
Microsoft Security Bulletin MS04-011) on TCP port 445. It may also listen
on several other TCP ports and attempts to connect to an IRC or HTTP
server.
Microsoft Windows LSASS Buffer Overrun Vulnerability
Description:
Microsoft Windows LSASS (Local Security Authority Subsystem Service) is
prone
to a remotely exploitable buffer overrun vulnerability. Successful
exploitation of this issue could allow a remote attacker to execute
malicious code on a vulnerable system, resulting in full system
compromise.
This issue could be exploited by an anonymous user on Microsoft Windows
2000
and XP operating systems. The issue may reportedly only be exploited by
local, authenticated users on Microsoft Windows Server 2003 and Microsoft
Windows XP 64-Bit Edition 2003.
Systems Affected: Windows 2000, Windows XP
Threat Assessment: High
I do not recommend you try to fix this virus yourself. I worked on this virus on Sunday for 5 hours and it is a bear!!!!! If you get this virus, or suspect that your computer has it, give us a call.
Henry
VBS.Pub
Discovered on: June 06, 2004
VBS.Pub is a VBScript file-infecting and mass-mailing worm. VBS.Pub infects files with the extensions .ASP, .HTA, .HTM, .HTT, .HTML, .VBE, and .VBS. The worm also mails itself out via Microsoft Outlook to everyone in the address book. If the day is the 6th, 13th, 21st, or 28th, the worm deletes all the files on the system.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP.
Threat Assessment: High
Damage Assessment: High, due to the damage to the system files and regedit. If you get this worm, call CEnet or LSNet for help.
Backdoor.Mtron
Discovered on: May 26, 2004
Backdoor.Mtron is a backdoor Trojan that records financial activity and
sends it to a remote attacker using IRC. It also gives the attacker the
ability to download and run files on the infected computer.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows
NT, Windows Server 2003, Windows XP
Threat Assessment: Low
The Damage Assessment is High, due to the damage to the system files and regedit; if you get this worm, call CEnet or LSNet for help.
Make sure you update your anti-virus software; this will prevent you from getting this worm.
W32.Wallon.A@mm is a mass-mailing
worm that sends email messages containing a hyperlink to download the worm
body from certain URLs. It also harvests the email addresses on the
infected machine.
Attempts to reply to all the
email messages in the Microsoft Outlook inbox.
Scans files with .txt, .pl, .wab,
.adb, .tbb, .dbx, .asp, .php, .sht, and .htm extensions for email
addresses and uses its own SMTP engine to send itself to the address it
finds.
Attempts to copy itself to Kazaa
shared folders and all computers on a local network.
The "sender" of the email is spoofed and its subject line and message
vary. The attachment name varies with a .bat, .cmd, .exe, .pif, or .scr
file extension. It may also send a .zip file, containing an executable, as
an attachment.
This threat is written in the C++ programming language and is compressed
with JDPack and ASPack.
Type: Worm
Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows XP
W32.Sasser.E.Worm
Discovered on: May 09, 2004
W32.Sasser.E.Worm is a minor variant of W32.Sasser.Worm. It attempts to
exploit the LSASS vulnerability described in Microsoft Security Bulletin
MS04-011 and spreads by scanning randomly selected IP addresses for
vulnerable systems. W32.Sasser.E.Worm differs from W32.Sasser.Worm as
follows:
* Uses a different mutex: SkynetNotice.
* Uses a different file name: lsasss.exe.
* Creates a different value in the registry: "lsasss.exe".
* Uses different port numbers for the FTP server and the remote shell: 1023 and 1022.
* After 2 hours of running it displays a message.
* It deletes the values from the registry which are known to be installed by Trojan.Mitglieder, W32.Beagle.W@mm, and W32.Beagle.X@mm.
* The name of the file retrieved from the FTP server is followed by _update.exe.
* The worm logs data into the file C:\ftplog.txt.
W32.Sasser.E.Worm can run on (but not infect) Windows 95/98/Me computers.
Although these operating systems cannot be infected, they can still be
used
to infect vulnerable systems that they are able to connect to.
Systems Affected: Windows 2000, Windows XP
Threat Assessment: High
This is probably a copycat, but is still very dangerous.
Spreads by scanning randomly selected IP addresses for vulnerable systems.
W32.Sasser.D can only execute on Windows XP systems. The worm can exploit a vulnerable (unpatched) Windows 2000 machine remotely and copy itself to that machine. However, it will exit before running any code. In such cases, this worm will produce the following error:
The procedure entry point IcmpSendEcho could
not be located in the dynamic link library iphlpapi.dll.
Threat: Low
Security ALERT
Microsoft Windows LSASS Buffer Overrun Vulnerability
Risk: High
Date Discovered: 04-13-2004
Description
Microsoft Windows LSASS (Local Security Authority Subsystem Service) is prone to a remotely exploitable buffer overrun vulnerability. Successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise.
This issue could be exploited by an anonymous user on Microsoft Windows 2000 and XP operating systems. The issue may reportedly only be exploited by local, authenticated users on Microsoft Windows Server 2003 and Microsoft Windows XP 64-Bit Edition 2003.
Systems Affected: Windows 2000, Windows Server 2003, Windows XP
W32.Sasser.B.Worm attempts to exploit the LSASS vulnerability described in
Microsoft Security Bulletin MS04-011, and spreads by scanning
randomly-chosen
IP addresses for vulnerable systems.
W32.Sasser.C.Worm
Discovered on: May 3, 2004
W32.Sasser.C.Worm is a minor variant of W32.Sasser.B.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly-chosen IP addresses for vulnerable systems. This particular variant spawns 1024 threads for the infection routine, whereas the previous variant, W32.Sasser.B.Worm, uses 128 threads.
Systems Affected: Windows 2000, Windows Server 2003, Windows XP
Threat Assessment: High
W32.Sasser.B.Worm
Discovered on: May 2, 2004
Updated May 2, 2004 at 6:30 PM by CEnet.
The W32.Sasser.B.Worm threat is upgraded by Symantec to a Category 4 based on the increased rate of distribution.
W32.Sasser.Worm
Discovered on: May 2, 2004
W32.Sasser.Worm is a worm that attempts to exploit the MS04-011
vulnerability.
It spreads by scanning randomly-chosen IP addresses for vulnerable
systems.
Systems Affected: Windows 2000, Windows Server 2003, Windows XP
W32.Sasser.B.Worm
Discovered on: May 2, 2004
W32.Sasser.B.Worm is a variant of W32.Sasser.Worm. It attempts to exploit
the
LSASS vulnerability described in Microsoft Security Bulletin MS04-011, and
spreads by scanning randomly-chosen IP addresses for vulnerable systems.
Systems Affected: Windows 2000, Windows Server 2003, Windows XP
Threat Assessment High
CEnet encourages all users to adhere to the following basic security "best practices":
1 Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
2 If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
3 Always keep your patches and updates for Windows up-to-date, and run a firewall and anti-virus.
4 I do not recommend you try to fix these viruses yourself.
W32.Gaobot.ADX
Discovered on: April 24, 2004
W32.Gaobot.ADX is a worm that spreads through open network shares, several Windows vulnerabilities, and back doors installed by the Beagle and Mydoom worms. The worm also has the ability to act as a back door server program and attack other systems. Additionally, the worm attempts to kill the processes of many anti-virus and security applications.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows Server 2003, Windows XP
Threat Assessment: High
I do not recommend you try to fix this virus yourself. I worked on this virus on Saturday for 5 hours on a laptop and it is a bear!!!!!
W32.Gaobot.ADV
Discovered on: April 22, 2004
W32.Gaobot.ADV is a minor variant of W32.Gaobot.SY. This worm attempts to spread through network shares that have weak passwords and allows attackers to access an infected computer using a predetermined IRC channel.
Type: worm
Systems Affected: Windows 2000,
Windows NT, Windows Server 2003, Windows XP
Threat Assessment: Low
W32.Randex.AAS
Discovered on: April 22, 2004
W32.Randex.AAS is a network-aware worm that copies itself to the following locations on computers that have weak administrator passwords:
\Admin$\system32\GT.exe
\c$\winnt\system32\GT.exe
Type: worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Threat Assessment: Low
Trojan.Mercurycas.A
Discovered on: April 22, 2004
Type: Trojan Horse
Systems Affected: Windows 2000,
Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003,
Windows XP
Threat: medium
Backdoor.Berbew.D
Discovered on: April 21, 2004
Backdoor.Berbew.D is a Backdoor Trojan horse that attempts to steal cached passwords.
Note: Virus definitions released April 21, 2004 detect this threat as Backdoor.Padodor.
Also Known As:
Backdoor.Padodor.e [Kaspersky]
Variants: Backdoor.Berbew, Backdoor.Berbew.B, Backdoor.Berbew.C
Type: Trojan Horse
Systems Affected: Windows 2000,
Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Threat Assessment: Low
W32.HLLP.Shodi.B
Discovered on: April 20, 2004
W32.HLLP.Shodi.B is a virus that prepends itself to executable files.
Systems Affected: Windows 2000,
Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003,
Windows XP
Threat Assessment: Low
W97M.Evo
Discovered on: April 19, 2004
W97M.Evo is a destructive macro worm that spreads using mIRC.
Type: Macro, Worm
Systems Affected: Windows 2000,
Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003,
Windows XP
W32.Netsky.W@mm
is a minor variant of W32.Netsky.N@mm. This variant is also a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The "sender" of the email is spoofed, and its subject, message body, and attachment vary. The attachment has .exe, .pif, or .scr as its extension. The worm may also send a zipped copy of itself as the attachment.
This threat is compressed with UPX.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows Server 2003, Windows XP
Threat Assessment: High
Note: "Spoof" means that someone forges your e-mail address as the sender, either as a hoax or in order to send out malicious e-mail. If this happens, you may get an e-mail notice saying that a message you sent to someone was infected with a virus, even though you may not know that person at all.
W32.Mydoom.I@mm
is a mass-mailing worm that arrives as an attachment with the file
extension .bat, .cmd, .exe, .pif, .scr, or .zip. It is similar in
functionality to W32.Mydoom.A@mm.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
W32.Netsky.V@mm
is a mass-mailing worm that sends itself to email addresses it gathers from certain files on the system. This variant does not send an attachment with its email messages, but instead sends a link to the compromised computer in its attempt to download and run the worm's executable.
W32.Netsky.V@mm relies on several exploits to replicate successfully (see the Technical Details section below).
The From line of the email is spoofed, and its Subject line and message body vary. The worm is packed with UPXSh!t v0.07, UPXSh!t v0.06, and UPX 1.24.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Threat Assessment: High
New Microsoft Windows security updates are available from Microsoft. To get them, open Internet Explorer, go to Tools, then Windows Update, and download them.
W32.Tunk.A
Discovered on: April 6, 2004
W32.Tunk.A is a file-prepending virus. From May 2004 onward, infected systems may fail to restart.
Type: Virus, Worm
Systems Affected: Windows 2000,
Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003,
Windows XP
Threat: High
Damage: High
Distribution: Low
This virus searches the C drive for executable files, including explore.exe and any other .exe files, and corrupts them. This virus is very dangerous: if you get it, you will have to have Windows re-installed on your computer because there is no fix for it.
W32.Netsky.U@mm
is a mass-mailing worm and a variant of W32.Netsky.S@mm. This worm also contains backdoor functionality and may perform a Denial of Service (DoS) attack against predetermined Web sites.
Type: Worm
Systems Affected: Windows 2000,
Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
The Subject and Attachment name will
vary. The attachment will have a .pif file extension.
Threat: Low
Damage: Low
Distribution: High
W32.Netsky.S@mm is a mass-mailing worm and a variant of W32.Netsky.R@mm. It also contains backdoor functionality and may perform a Denial of Service (DoS) attack against specified Web sites. The email has a variable subject line and attachment name. The attachment will have a .pif file extension.
Type: worm
The subject of the e-mail varies; the name of the attachment varies but has a .pif extension.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Netsky.S@mm
is a variant of W32.Netsky.R@mm.
Symantec Security Response is currently investigating this worm; CEnet will post more information when it becomes available.
Due to an increased rate of submissions, Symantec Security Response has
upgraded this threat from a Category 2 to a Category 3 rating as of April
4, 2004.
W32.Sober.F@mm
is a variant of W32.Sober.E@mm that spreads by sending itself as an email attachment using its own SMTP engine. The worm also attempts to download and execute a file from a remote Web site.
The Subject: and Body: of the email vary and are written in German.
W32.Sober.F@mm is written in Microsoft Visual Basic and is packed with UPX.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows XP
W32.Beagle.V@mm
is a variant of W32.Beagle.U@mm. The worm sends itself as an email with a blank subject and body and a randomly named attachment. It also opens a backdoor on TCP port 4751. The attachment name is game.exe.
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Due to an increase in the rate of submissions, Symantec Security Response has upgraded W32.Netsky.Q@mm from a Category 2 threat to a Category 3 threat as of 29th March, 2004.
W32.Netsky.Q@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the disk drives.
The From line of the email is spoofed, and its Subject line and message body vary. The attachment name varies, with an .exe, .pif, .scr, or .zip file extension.
The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause un-patched systems to auto-execute the worm when reading or previewing an infected message.
W32.Netsky.Q@mm consists of two components: the dropper and the mass-mailer component, which is dropped as a DLL and loaded by the dropper. The dropper is packed with Petite. The mass-mailer component (DLL) is packed with UPX.
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
W32.Sober.E@mm
is a variant of W32.Sober.D@mm that spreads by sending itself as an email attachment using its own SMTP engine.
The Subject: and Body: of the email vary and are written in English.
The worm also attempts to download and execute a file from a remote website.
W32.Sober.E@mm is written in Microsoft Visual Basic and is packed with UPX.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows Server 2003, Windows XP
Due to an increase in the rate of submissions, Symantec Security Response has upgraded W32.Beagle.U@mm to a Category 3 from a Category 2 threat as of March 25, 2004.
W32.Beagle.U@mm is a variant of W32.Beagle.T@mm. The worm sends itself as an email with a blank subject and body and a randomly named attachment. It also opens a backdoor on TCP port 4751. The attachment name is a random string of letters with an .exe extension.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows XP
Threat assessment - High
W32.Timese.AG
Discovered on: March 25, 2004
W32.Timese.AG is a worm that displays the date and time on the active window's title bar. It sets itself to run at startup and attempts to copy itself to the floppy disk drive.
W32.Timese.AG is written in Visual Basic and is packed with ASPack.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows Server 2003, Windows XP
Threat assessment - Low
W32.Hesi.Worm
Discovered on: March 25, 2004
W32.Hesi.Worm is a Visual Basic (VB) worm that copies itself to remote drives.
Systems Affected: Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP