It is highly recommended that you have an anti-virus program installed on your computer. The two anti-virus products we currently recommend are McAfee and Norton AntiVirus.
The following is a list of current viruses that pose a potential danger to our customers. To help keep your computer from being infected with one of these high-risk viruses, we recommend that you download your email to your computer with a mail program such as Outlook Express or Netscape Mail, because most virus-scanning software scans messages for viruses as they are downloaded.*
(*Note: you may have to enable this feature manually; consult your anti-virus program's installation information for the correct configuration.)
W32.Sober.X@mm
is a mass-mailing worm that uses its own SMTP
engine to spread and lowers security settings.
It sends itself as an email attachment to
addresses gathered from the compromised
computer. The email may be in either English or
German.
Note: Symantec products that support
the Worm Blocking functionality automatically
detect this threat as it attempts to spread.
W32.Zotob.D is a worm that opens a back door and
exploits the Microsoft Windows Plug and Play Buffer
Overflow Vulnerability (described in Microsoft
Security Bulletin MS05-039) on TCP port 445.
W32.Sober.O@mm May 02, 2005
W32.Sober.O@mm is a mass-mailing worm that sends itself as an email attachment to addresses gathered from the compromised computer. It uses its own SMTP engine to spread. The email may be in either English or German.
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Sober.O@mm is executed, it performs the
following actions:
W32.Mytob.R@mm March 28, 2005
W32.Mytob.R@mm is a mass-mailing worm with
back door capabilities that uses its own SMTP
engine to send email to addresses that it
gathers from the compromised computer.
The worm also spreads by exploiting the
Microsoft Windows Local Security Authority
Service Remote Buffer Overflow (as described in Microsoft
Security Bulletin MS04-011) and the
Microsoft Windows DCOM RPC Interface Buffer
Overrun Vulnerability (as described in Microsoft
Security Bulletin MS03-026).
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Sory.A March 29, 2005
W32.Sory.A is a worm that spreads through network
shares and steals confidential information.
Also Known As:
Worm.Win32.Soriw [Kaspersky Lab]
Type:
Worm
Infection Length:
236,291 bytes
Systems Affected:
Windows 2000, Windows 95, Windows
98, Windows Me, Windows NT, Windows Server 2003,
Windows XP
When W32.Sory.A is executed, it performs the following
actions:
Copies itself as %System%\Services.exe
Note: %System% is a variable that refers to
the System folder. By default this is
C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32
(Windows NT/2000), or C:\Windows\System32 (Windows
XP).
Creates the file %System%\wmksm.msm.
Attempts to spread through network shares.
Logs the following information:
Keystrokes
E-mail settings
Information about the computer hardware
Windows registration details
Saves the logged information in randomly named
files in the following folders:
%System%\Temp (5035 bytes)
%Windir%\Temp
Note: %Windir% is a variable that refers
to the Windows installation folder. By default,
this is C:\Windows or C:\Winnt.
Saves the names of these randomly named files in
%System%\wmksm.msm.
W32.Mydoom.AX@mm 2/28/05
W32.Mydoom.AX@mm is a mass-mailing worm that uses its own SMTP engine to send email to addresses that it gathers from the Windows Address Book on a compromised computer.
Note: Virus definitions version 70216x
(extended version 2/16/2005 rev. 24) or greater
are required to detect this threat.
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Beagle.AZ@mm 1/26/05
W32.Beagle.AZ@mm is a
mass-mailing worm that also spreads through file-sharing
networks. The email will have a variable subject and
attachment name. The attachment will have a .com, .cpl,
.exe, or .scr file extension.
Note: Virus
definitions version 70126ax (extended version:
20050126.050) or greater are required to detect this
threat.
W32.Beagle.AV@mm
(11/01/04)
W32.Beagle.AV@mm is a mass-mailing worm that also spreads through file-sharing networks. The worm opens a backdoor on TCP port 81. To remove the infection, download the FxBeagle.exe removal tool and run it.
Subject: (One of the following)
Re:
Re: Hello
Re: Hi
Re: Thank you!
Re: Thanks :)
Message body:
:))
Attachment: (One of the following)
Price
price
Joke
with a .com, .cpl, .exe, or .scr file extension.
W32.Mydoom.M@mm
(7/27/04)
W32.Mydoom.M@mm is a mass-mailing worm that drops
and executes a backdoor, detected as Backdoor.Zincite.A,
that listens on TCP port 1034. The worm uses its own
SMTP engine to send itself to email addresses it finds
on the infected computer.
The email contains a spoofed From address, and the
Subject and Body text will vary. The attachment name
will also vary.
Note: Symantec Consumer and Enterprise products
that support Worm Blocking functionality automatically
detect this threat as it attempts to spread.
W32.Mydoom.M@mm is packed with UPX.
Symantec Security Response has developed a removal
tool to clean the following infections:
The W32.Mydoom@mm Removal Tool does the following:
Terminates W32.Mydoom@mm viral processes.
Terminates the viral thread running under
Explorer.exe.
Deletes W32.Mydoom@mm files.
Reverses the changes made to the \Run and
InProcServer32 registry keys.
Subject: (One of the following)
hello
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error
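As an added example (not from the original page or from Symantec), here is a small Python filter that applies the indicators quoted in the W32.Beagle.AV@mm and W32.Mydoom.M@mm write-ups above to a raw message: it flags a message whose Subject is one of the listed strings and quarantines any message carrying an attachment with one of the executable extensions these families use. The sample messages it builds are constructed for the demonstration; the subject list and extension list are copied from the write-ups, and the three-level verdict (allow / suspicious / block) is this example's own policy, not something the page prescribes.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Subject lines quoted in the W32.Beagle.AV@mm and W32.Mydoom.M@mm write-ups,
# compared case-insensitively after stripping surrounding whitespace.
KNOWN_WORM_SUBJECTS = {
    s.casefold() for s in (
        "Re:", "Re: Hello", "Re: Hi", "Re: Thank you!", "Re: Thanks :)",
        "hello", "error", "status", "test", "report", "delivery failed",
        "Message could not be delivered", "Mail System Error - Returned Mail",
        "Delivery reports about your e-mail",
        "Returned mail: see transcript for details",
        "Returned mail: Data format error",
    )
}

# Attachment extensions the Beagle, Mydoom and Netsky write-ups list.
# Archives (.zip/.rar) are not opened here; see the note after the block.
EXECUTABLE_EXTENSIONS = {".com", ".cpl", ".exe", ".hta", ".pif", ".scr", ".vbs"}

_EXT_RE = re.compile(r"\.[A-Za-z0-9]+$")


def attachment_extension(filename: str) -> str:
    """Lower-cased final extension of a file name, '' if it has none."""
    m = _EXT_RE.search(filename.strip())
    return m.group(0).casefold() if m else ""


def classify_message(raw: bytes) -> Dict[str, object]:
    """Classify one RFC 822 message.

    verdict: 'block'      - carries an executable attachment (enough on its own)
             'suspicious' - only the Subject matches a known worm subject
             'allow'      - neither indicator present
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().casefold()
    subject_hit = subject in KNOWN_WORM_SUBJECTS
    executables: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if attachment_extension(name) in EXECUTABLE_EXTENSIONS:
            executables.append(name)
    if executables:
        verdict = "block"
    elif subject_hit:
        verdict = "suspicious"
    else:
        verdict = "allow"
    return {"verdict": verdict, "subject_hit": subject_hit,
            "executable_attachments": executables}


def build_sample(subject: str, body: str, attachment_name: Optional[str]) -> bytes:
    """Construct a test message; addresses and content are made up, not a capture."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "customer@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for sample in (("Re: Thanks :)", ":))", "price.scr"),
                   ("Returned mail: Data format error", "see transcript", None),
                   ("Lunch?", "Noon works for me", "agenda.pdf")):
        print(repr(sample[0]), "->", classify_message(build_sample(*sample)))
```

The subject match is deliberately only "suspicious": the Mydoom.M write-up itself says Subject and Body vary, so a mail gateway has to key on the attachment rather than the wording. The example looks at bare executables only; the .zip attachments mentioned for Beagle.AB and Netsky.Q (password-protected in Beagle.O's case) have to be opened, or the whole archive held, before the same extension rule can be applied.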
W32.Beagle.AB@mm
(7/15/04)
W32.Beagle.AB@mm is a mass-mailing worm that uses
its own SMTP engine to spread through email and opens a
backdoor on TCP port 1080.
The email's subject line, body, and attachment name
vary. The attachment will have a .com, .cpl, .exe, .hta,
.scr, .vbs, or .zip file extension.
The worm is packed with UPX.
Notes:
Symantec Security Response has developed a removal
tool to clean the infections of
W32.Beagle.AB@mm.
Virus definitions dated prior to July 15, 2004 may
detect this as Bloodhound.Packed.
Virus definitions greater than version 60715av
(extended version 7/15/2004 rev. 48) are required to
detect this as W32.Beagle.AB@mm.
W32.Korgo.F (6/1/04)
Due to an increased rate of submissions, Symantec
Security Response has upgraded this threat from a
Category 2 to a Category 3 as of June 2, 2004.
W32.Korgo.F is a minor variant of W32.Korgo.E.
It is a worm that attempts to propagate by exploiting
the Microsoft Windows LSASS Buffer Overrun Vulnerability
(BID 10108) on TCP port 445. It also listens on TCP
ports 113, 3067, and other random ports.
Notes:
Rapid Release virus definitions version 6/2/2004
rev 17 (sequence number 31552) or greater detect
this threat specifically as W32.Korgo.F.
Virus definitions version 60408w (extended version
4/8/2004 rev. 23) detect this threat as
Bloodhound.Packed.
Symantec Security Response has published a removal
tool to clean infections of W32.Korgo.F.
W32.Sasser.B.Worm
(5/1/04)
W32.Sasser.B.Worm is a variant of
W32.Sasser.Worm. It attempts to exploit the LSASS
vulnerability described in Microsoft Security Bulletin
MS04-011, and spreads by scanning randomly-chosen IP
addresses for vulnerable systems.
The MD5 hash value for this worm is
0x1A2C0E6130850F8FD9B9B5309413CD00.
Symantec Security Response has developed a removal
tool to clean the infections of
W32.Sasser.B.Worm.
Block TCP ports 5554, 9996 and 445 at the
perimeter firewall and install the appropriate
Microsoft patch (MS04-011) to prevent remote
exploitation of the vulnerability.
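As an added example (not from the original page or from Symantec), the following Python script turns the port numbers scattered through the write-ups on this page into a quick triage of a host's listening sockets. It parses the output of Windows netstat -ano (the sample below is constructed, not a real capture), matches each LISTENING port against the backdoor ports named for the Beagle, Mydoom/Zincite, Korgo and Sasser families, and lists separately the port 445 exposure that Sasser, Korgo, Mytob and Zotob attack. The port table is compiled from the write-ups; the severity ordering and the "exposed" flag are this example's own choices.

```python
import re
import sys
from typing import Dict, List, NamedTuple, Tuple

# TCP ports named in the write-ups on this page.  "backdoor" = a port the worm
# opens on the victim; "exposure" = a service the worms attack (port 445 is
# legitimately open on NT-family Windows, so it is a patch/firewall question,
# not an infection sign).
PORT_TABLE: Dict[int, Tuple[str, str]] = {
    81:   ("backdoor", "W32.Beagle.AV@mm backdoor / W32.Beagle.R@mm web server"),
    113:  ("backdoor", "W32.Korgo.F"),
    1034: ("backdoor", "Backdoor.Zincite.A dropped by W32.Mydoom.M@mm"),
    1080: ("backdoor", "W32.Beagle.AB@mm"),
    2556: ("backdoor", "W32.Beagle.M@mm / .N@mm / .O@mm"),
    3067: ("backdoor", "W32.Korgo.F"),
    4751: ("backdoor", "W32.Beagle.U@mm / .V@mm"),
    5554: ("backdoor", "W32.Sasser.B.Worm"),
    9996: ("backdoor", "W32.Sasser.B.Worm"),
    445:  ("exposure", "LSASS (MS04-011) and Plug and Play (MS05-039) attack surface"),
}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: int


# One "netstat -ano" line in LISTENING state; UDP and established TCP lines are ignored.
_LISTEN_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_netstat(text: str) -> List[Listener]:
    """Extract listening sockets from Windows 'netstat -ano' output."""
    found = []
    for line in text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            found.append(Listener(m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return found


def triage(listeners: List[Listener]) -> List[dict]:
    """Match listeners against PORT_TABLE; backdoors first, network-reachable first."""
    findings = []
    for l in listeners:
        if l.proto != "TCP" or l.port not in PORT_TABLE:
            continue
        kind, family = PORT_TABLE[l.port]
        # Bound to all interfaces means reachable from the network; a loopback-only
        # backdoor still deserves a look but ranks lower.
        exposed = l.addr in ("0.0.0.0", "::", "[::]")
        findings.append({"port": l.port, "pid": l.pid, "kind": kind,
                         "family": family, "exposed": exposed})
    findings.sort(key=lambda f: (f["kind"] != "backdoor", not f["exposed"], f["port"]))
    return findings


def pids_to_inspect(findings: List[dict]) -> List[int]:
    """Process IDs that own a backdoor port, deduplicated, in triage order."""
    pids: List[int] = []
    for f in findings:
        if f["kind"] == "backdoor" and f["pid"] not in pids:
            pids.append(f["pid"])
    return pids


# Constructed sample, not a real capture: a host with Beagle-style and Sasser-style
# listeners, a loopback-only Zincite port, and the normal SMB/RPC services.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2556           0.0.0.0:0              LISTENING       1788
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING       1640
  TCP    127.0.0.1:1034         0.0.0.0:0              LISTENING       1788
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:2556       64.12.0.7:80           ESTABLISHED     1788
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    results = triage(parse_netstat(text))
    for f in results:
        print(f"{f['kind']:8} port {f['port']:<5} pid {f['pid']:<6} "
              f"{'network' if f['exposed'] else 'loopback'}  {f['family']}")
    print("inspect PIDs:", pids_to_inspect(results))
```

Port 445 is open on every NT-family Windows host, so its presence is a reason to confirm that the MS04-011 and MS05-039 patches are installed and that the perimeter block described above is in place, not evidence of infection. Ports 113 (ident) and 1080 (SOCKS) also have legitimate uses, so a hit on those points you at the owning PID rather than straight to a verdict. Run the script with Python 3 and pipe real netstat -ano output into it; with no input it triages the constructed sample.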
W32.Beagle.X@mm is a mass-mailing worm that attempts
to spread using mail and file-sharing networks. The worm
also opens a backdoor on an infected computer.
The threat is packed using UPX, and it appends random
data to the end of itself, so it does not have a static
MD5 value.
When the worm runs, it displays a message box with the following text:
Can't find a viewer associated with the file.
Notes:
Virus definitions version 60223g (extended version
2/23/2004 rev. 7) and later detected this threat as
Bloodhound.Packed.
Virus definitions version 60428w (extended version
4/28/2004 rev. 23) are required to detect this
threat as W32.Beagle.X@mm.
Symantec Security Response has developed a removal
tool to clean the infections of W32.Beagle.X@mm.
W32.Netsky.AB@mm
(4/29/04)
W32.Netsky.AB@mm is a worm that scans for the email
addresses on all non-CD-ROM drives on an infected
computer. The worm then uses its own SMTP engine to send
itself to the email addresses that it finds.
The email's Subject, Body, and attachment vary. The
attachment has a .pif extension.
Note:
Symantec Consumer products that support Worm
Blocking functionality automatically detect this
threat as it attempts to spread.
W32.Gaobot.UL is a variant of
W32.Gaobot.gen. Symantec Security Response is currently
investigating this worm and will post more information
as it becomes available.
W32.Gaobot.UJ (4/1/04)
W32.Gaobot.UJ is a variant of W32.Gaobot.gen. It
attempts to spread through network shares that have weak
passwords and allows attackers to access an infected
computer through an IRC channel.
The worm uses multiple vulnerabilities to spread,
including:
W32.Gaobot.UJ is packed first with ASPack and then
with Morphine.
Symantec Security Response has developed a removal
tool to clean the infections of W32.Gaobot.UJ. This
is the preferred method in most cases.
W32.Netsky.R@mm (3/31/04)
W32.Netsky.R@mm is a mass-mailing worm,
and a variant of W32.Netsky.Q@mm. This worm has been
packed with a known runtime compression utility.
Subject
RE: Document [%i] (where [%i] may be a random number)
From
[Spoofed]
Body
Excuse me,
the important document is attached,
Your sincerely
Attachment
Document[%i].pif
The worm will send an email message to all contacts that
were found when scanning the system for email addresses,
and it may send an email message to jena@yahoo.cz.
W32.Netsky.Q@mm.enc
(3/30/04)
When a file is detected as infected with
W32.Netsky.Q@mm.enc, it indicates that it is a
Base64-encoded file that contains the W32.Netsky.Q@mm
worm. For additional information, read the document, What
is an .enc detection, as well as the W32.Netsky.Q@mm
write-up.
W32.Beagle.V@mm (3/29/04)
W32.Beagle.V@mm is a variant of W32.Beagle.U@mm
that opens a backdoor on TCP port 4751.
The worm sends itself as an email with a blank subject
and body and an attachment named game.exe.
This threat is compressed with FSG.
Rapid Release definitions with sequence number
28927 or later will detect this threat as
W32.Beagle.V@mm.
Virus definitions prior to these definitions
detect this threat as W32.Beagle.U@mm.
W32.Netsky.Q@mm (3/28/04)
As of March 29, 2004, due to an increase in
submission rate, Symantec Security Response has upgraded
W32.Netsky.Q@mm to a Category 3 level threat from a
Category 2 threat.
The W32.Netsky.Q@mm worm:
Is a mass-mailing worm that consists of two
components: a dropper and a mass-mailing component.
Uses its own SMTP engine to send itself to the
email addresses it finds when scanning the disk
drives.
The From line of the email is spoofed, and its Subject
line and message body vary. The attachment name also
varies and has a .exe, .pif, .scr, or .zip file
extension.
Symantec antivirus products that support Worm
Blocking functionality automatically detect this
threat as it attempts to spread.
The worm has an MD5 value of
0x04871d17dbbd1911afc76aad6d9dbd20.
LiveUpdate virus definitions created March 28,
2004 (US Pacific Time) which were released on March
29, 2004 (US Pacific Time) contain detection for
this threat.
Symantec Security Response has developed a removal
tool to clean the infections of W32.Netsky.Q@mm.
W32.Sober.E@mm
(3/27/04)
W32.Sober.E@mm is a variant of W32.Sober.D@mm that
spreads by sending itself as an email attachment using
its own SMTP engine.
The Subject: and Body: of the email vary and are written in English.
The worm also attempts to download and execute a file
from a remote website.
W32.Sober.E@mm is written in Microsoft Visual Basic and
is packed with UPX.
Symantec Security Response has developed
a removal
tool to clean the infections of W32.Sober.E@mm.
W32.Beagle.U@mm
(3/26/04)
Due to an increase in the rate of submissions,
Symantec Security Response has upgraded W32.Beagle.U@mm
to a Category 3 from a Category 2 threat as of March 25,
2004.
W32.Beagle.U@mm is a variant of W32.Beagle.T@mm. The worm sends itself as an email with a blank subject and body and a randomly named attachment. It also opens a backdoor on TCP port 4751. The attachment name is a random string of letters with an .exe extension.
Rapid Release definitions with sequence number
28833 or later will detect this threat as
W32.Beagle.U@mm.
Virus definitions prior to these definitions
detect this threat as W32.Beagle.gen.
Symantec Security Response has developed a removal
tool to clean the infections of W32.Beagle.U@mm.
W32.Netsky.P@mm (3/21/04)
Due to an increase in the rate of submissions,
Symantec Security Response has upgraded W32.Netsky.P@mm
to a Category 3 from a Category 2 threat as of March 22,
2004.
W32.Netsky.P@mm (also known as W32.Netsky.Q@mm) is a
mass-mailing worm that uses its own SMTP engine to send
itself to the email addresses it finds when scanning the
hard drives and mapped drives. The worm also tries to
spread through various file-sharing programs by copying
itself into various shared folders.
The From line of the email is spoofed, and the Subject line and message body vary. The attachment name also varies and has a .exe, .pif, .scr, or .zip file extension.
Symantec Consumer products that support Worm
Blocking functionality automatically detect this
threat.
The worm's executable has a static MD5 hash value
of 0x0A9FFA57D65083C92E0D3D69B00F2F0D.
Rapid release definitions dated March 21, 2004 or
March 22, 2004 may detect this threat as
W32.Netsky.Q@mm.
Symantec Security Response has developed a removal
tool to clean the infections of W32.Netsky.P@mm.
W32.Beagle.T@mm
(3/18/04)
W32.Beagle.T@mm is a variant of W32.Beagle.O@mm.
Symantec Security Response is currently investigating
this worm and will post more information when it becomes
available.
Note: Symantec antivirus programs with current
virus definitions will detect this worm as Bloodhound.Packed.
W32.Beagle.S@mm
(3/18/04)
W32.Beagle.S@mm is a variant of W32.Beagle.O@mm.
Symantec Security Response is currently investigating
this worm and will post more information when it becomes
available.
Note: Symantec antivirus programs with current
virus definitions will detect this worm as Bloodhound.Packed.
W32.Beagle.R@mm
(3/18/04)
W32.Beagle.R@mm is a variant of W32.Beagle.O@mm. This
worm attempts to send an HTML email to addresses found
in files on the infected computer. The email does not
contain an attachment of the worm. Instead, the HTML
email uses the Microsoft Internet Explorer Object Tag
Vulnerability that allows the automatic download and
execution of a file hosted on a remote website. This
file is a copy of the worm, but may change in the
future.
The worm also opens a backdoor, starts a Web server
on port 81 to serve out the worm, and attempts to spread
through file-sharing networks by copying itself to
folders with "shar" in their names. The worm
is also a file infector that appends itself to .exe
files found in the c:\emails folder on the computer.
W32.Beagle.O@mm (3/18/04)
W32.Beagle.O@mm is a polymorphic mass-mailing worm
that uses its own SMTP engine to spread through email.
The worm opens a backdoor on TCP port 2556 and attempts
to spread through file-sharing networks by copying
itself to the folders that contain "shar" in
their names. W32.Beagle.O@mm also infects files with the
.exe file extension. The email has the following
characteristics:
From: Spoofed to appear as though it is coming from a predetermined address at the recipient's domain.
Subject: Varies
Attachment: A randomly named .exe file, stored inside a .zip file, a .rar file, or a .pif file. The .zip and .rar files may be password-protected.
Symantec Security Response has developed a removal
tool to clean the infections of W32.Beagle.O@mm.
W32.Beagle.N@mm
(03/15/04)
W32.Beagle.N@mm is a polymorphic mass-mailing worm
that uses its own SMTP engine to spread through email.
Like previous Beagle variants, this worm opens a
backdoor (it listens on TCP port 2556), and attempts to
spread through file-sharing networks by copying itself
to the folders that contain "shar" in their
names. W32.Beagle.N@mm also infects files with the EXE
extension. The email has the following characteristics:
W32.Beagle.M@mm (3/13/04)
The W32.Beagle.M@mm is a polymorphic mass-mailing
worm that uses its own SMTP engine to spread through
email. Like previous Beagle variants, this worm opens a
backdoor (it listens on TCP port 2556) and attempts to
spread through file-sharing networks by copying itself
to folders that contain "shar" in their names.
W32.Beagle.M@mm also infects files with the EXE
extension.
W32.Netsky.K@mm
(3/9/04)
W32.Netsky.K@mm is a mass-mailing worm that uses its
own SMTP engine to send itself to the email addresses it
finds when scanning hard drives and mapped drives.
The "sender" of the email is spoofed, and its
subject, message body, and attachment vary. The
attachment has a .pif extension.
This threat is compressed with tElock.
Symantec Consumer products that support the Worm
Blocking functionality automatically detect this
threat as it attempts to spread.
The worm has an MD5 hash value of
0xE26BC65552359A226CE6589E60C22151.
Symantec Security Response has developed a removal
tool to clean the infections of W32.Netsky.K@mm.
W32.Sober.D@mm
(3/9/04)
W32.Sober.D@mm is a variant of W32.Sober.C@mm that
spreads by sending itself as an email attachment using
its own SMTP engine.
The Subject: and Body: of the email vary and are written in either English or German.
Rapid Release definitions version 2004.03.07
rev.22 or later will detect this threat.
The worm has an MD5 hash value of
0xF258A945EACE78DF510CA7BDAA0EC8FB.
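As an added example (not from the original page or from Symantec), this Python script collects the file-based indicators given in the write-ups above into one sweep of a directory standing in for %System%: the MD5 hashes quoted for W32.Sasser.B.Worm, W32.Netsky.Q@mm, W32.Netsky.P@mm, W32.Netsky.K@mm and W32.Sober.D@mm, and the Services.exe / wmksm.msm file names from the W32.Sory.A write-up. The directory it scans is a constructed temporary tree, and the one hash that actually matches in the demo belongs to a constructed stand-in file, because the real samples are not available here; everything else in the tables is copied from the page.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def normalize_md5(value: str) -> str:
    """Turn the page's '0x...' / mixed-case notation into plain lower-case hex."""
    v = value.strip().casefold()
    if v.startswith("0x"):
        v = v[2:]
    if len(v) != 32 or any(c not in "0123456789abcdef" for c in v):
        raise ValueError(f"not an MD5 hex digest: {value!r}")
    return v


# MD5 values exactly as quoted in the write-ups above.
KNOWN_MD5: Dict[str, str] = {
    normalize_md5("0x1A2C0E6130850F8FD9B9B5309413CD00"): "W32.Sasser.B.Worm",
    normalize_md5("0x04871d17dbbd1911afc76aad6d9dbd20"): "W32.Netsky.Q@mm",
    normalize_md5("0x0A9FFA57D65083C92E0D3D69B00F2F0D"): "W32.Netsky.P@mm",
    normalize_md5("0xE26BC65552359A226CE6589E60C22151"): "W32.Netsky.K@mm",
    normalize_md5("0xF258A945EACE78DF510CA7BDAA0EC8FB"): "W32.Sober.D@mm",
}

# File names from the W32.Sory.A write-up.  wmksm.msm has no legitimate
# counterpart; Services.exe is also the name of the Windows Service Control
# Manager binary that lives in %System% on NT-family systems, so by name alone
# it can only be reported as "verify", never as a detection.
SORY_STRONG_NAMES = {"wmksm.msm"}
SORY_VERIFY_NAMES = {"services.exe"}


def md5_of(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(system_dir: Path, hashes: Dict[str, str] = KNOWN_MD5) -> List[dict]:
    """Walk system_dir and report files matching a known hash or a Sory.A name."""
    findings = []
    for p in sorted(system_dir.rglob("*")):
        if not p.is_file():
            continue
        digest = md5_of(p)
        if digest in hashes:
            findings.append({"path": str(p), "name": p.name, "reason": "md5",
                             "threat": hashes[digest]})
            continue
        name = p.name.casefold()
        if name in SORY_STRONG_NAMES:
            findings.append({"path": str(p), "name": p.name, "reason": "filename",
                             "threat": "W32.Sory.A"})
        elif name in SORY_VERIFY_NAMES:
            findings.append({"path": str(p), "name": p.name, "reason": "verify",
                             "threat": "W32.Sory.A (name collides with Windows Services.exe)"})
    return findings


def build_demo_tree() -> Tuple[Path, Dict[str, str]]:
    """Construct a throwaway directory standing in for %System% (made-up contents).

    Returns the directory and a hash table extended with the digest of one
    constructed file, since the real worm samples are not available here.
    """
    root = Path(tempfile.mkdtemp(prefix="iocsweep_"))
    (root / "wmksm.msm").write_bytes(b"")                     # Sory.A log index
    (root / "Services.exe").write_bytes(b"MZ\x90\x00scm")      # same name as the real SCM
    (root / "kernel32.dll").write_bytes(b"MZ\x90\x00benign")   # must not be reported
    (root / "Temp").mkdir()
    sample = root / "Temp" / "attach.pif"
    sample.write_bytes(b"MZ\x90\x00constructed worm stand-in")
    hashes = dict(KNOWN_MD5)
    hashes[md5_of(sample)] = "Demo.Worm (constructed stand-in)"
    return root, hashes


if __name__ == "__main__":
    root, hashes = build_demo_tree()
    for f in sweep(root, hashes):
        print(f"{f['reason']:8} {f['threat']:50} {f['path']}")
```

Two caveats the write-ups themselves point at. First, hash matching only works for worms with a static MD5: the W32.Beagle.X@mm entry says that variant appends random data to itself, so no hash list will catch it and name, port or behaviour indicators have to do the work. Second, %System%\Services.exe collides with the legitimate Windows Services.exe that lives in the same folder on NT-family systems, so the script reports that name as needing verification (signature, size, hash) rather than as a detection; wmksm.msm has no legitimate counterpart and is reported outright. On a suspect host, point sweep() at the real System folder instead of the demo tree.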
Head off hoaxes
They're not as directly dangerous as viruses, but e-mail hoaxes could end up costing your company more money. Wayne Rash tells you how easily hoaxes slip through your firewall--and how you can halt them.
By Wayne Rash, Enterprise
You've
almost certainly received an e-mail warning you about a
new virus. You know the type--one of those mass e-mails
containing warnings of all sorts of dire things that can
happen if the described virus or worm gets loose on your
system. The e-mail goes on to list the name of the
offending file, and tells you that all you need to do is
delete the file, and the threat will be gone.
So you check your system, and sure
enough, there in the Windows directory is the very file
the e-mail warned you about. You wonder briefly why your
antivirus software didn't pick up this one, but then you
remember that the letter said that this one was so
clever that antivirus software couldn't detect it. Guess
you'd better delete it, right?
Wrong. If you actually do delete
the file, you could very easily spend the next couple of
hours reinstalling Windows. And that, of course, is why
the antivirus software didn't issue an alert. The e-mail
was a hoax, and if you follow its instructions, you
could delete an important Windows file--one that's
supposed to be there.
"Hoaxes are almost a bigger
problem than viruses," notes Roger Thompson,
technical director of malicious code research for the
ICSA in Herndon, Virginia. He notes that it's a lot
easier to create a good hoax than it is to create a good
virus. And antivirus software, obviously, can't detect a
hoax. So these hoaxes usually get through.
As a result, enormous amounts of
company resources are used up in dealing with hoaxes.
Employees spend time sending the messages to others,
some waste time looking for and deleting the offending
files, and time is also spent restoring users' computers
after they've deleted those files.
Right now, the hot hoax is one
that warns of a file on your computer called JDBGMGR.EXE,
which an e-mail claims will invade your computer, lie
dormant for two weeks, and then release a worm. In
reality, this is a file that allows Windows to use Java.
If you erase it, you won't be able to use Java.
Making matters more complicated,
JDBGMGR.EXE is a file that is sometimes sent out in
infected form by the MAGISTR virus, meaning that you
could find it as an attachment in an e-mail. The result
is even more complicated; in one case, you don't want to
erase the file (when it's on your hard disk) but in
another case, you do (when it's in an e-mail). You can
imagine how much fun the support desk is having with
that one.
In some ways, JDBGMGR.EXE is
similar to the granddaddy of virus hoaxes--the "Goodtimes"
virus of seven years ago. If activated, this virus was
supposed to execute code that would cause your CPU to
overheat and fail. Aside from the fact that you can't do
that with software (at least not the way the e-mail
described it) there was simply nothing to it. But for
months, thousands of people were searching for anything
named "Goodtimes."
That hoax was complicated by two
things. In those days, Microsoft shipped a music video
on the Windows CD called "Goodtimes." So
people were freaking out when they found what they
thought was a virus on their operating system CD where
it couldn't be erased. Then, a few months later,
somebody actually did release a virus called "Goodtimes."
By then, most people had learned that Goodtimes wasn't a
virus. So they didn't treat it as one. Imagine the
consternation.
The answer to the chaos caused by
these hoaxes isn't all that easy, but you should start
by making sure your employees know that such things
exist. Maybe that will help them learn not to believe
everything they read in e-mail. The next thing you
should do is appoint someone to be the hoax point of
contact. Then, when people receive warnings, real or
imagined, about viruses, you have someone who can
actually investigate and tell whether it's real.
Remember, if a hoax requires as much resources as fixing
a virus does, there's not much practical difference. It
might as well be a real virus.