
W32.Badtrans.B@mm:
W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file names. The worm also creates the file \Windows\System\Kdll.dll and uses functions from this .dll to log keystrokes.
You may receive a blank email, from someone you know or from a stranger, that has an attachment named one of the following:
* Pics
* Images
* README
* New_Napster_Site
* news_doc
* HAMSTER
* YOU_are_FAT!
* Stuff
* SETUP
* Card
* Me_nude
* Sorry_about_yesterday
* Info
* Docs
* Humor
* fun
You need to keep your anti-virus definitions up-to-date to block this virus.
For more information on what the virus does and how to clean it up, see http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html.
ANTHRAZ VIRUS:
A new virus is being reported hitting the Internet. You can find out more from this link - http://www.symantec.com/avcenter/venc/dyn/44.html.
Detected as: Anthrax (x)
Aliases: None
Area of Infection: .COM files, .EXE files, COMMAND.COM, Master Boot Record
Characteristics: Memory Resident, Wild, Multi-partite
Infected programs contain the text "Anthrax" and "Damage, Inc". The virus writes a copy of itself to the last few sectors of the hard disk; any data located there is destroyed.
This threat is detected by the latest Virus Definitions.
All computer users should employ safe computing practices, including:
* Keeping your Virus Definitions updated.
* Installing Norton AntiVirus program updates, when available.
* Deleting suspicious looking emails.
VIRUS ALERT: COMPUTER ASSOCIATES CALLS "Nimda" WORM A HIGH-RISK THREAT
Get the latest virus info & updates ASAP:
Win32.Nimda worm (also known as W32/Nimda@MM)
Nimda.A is an Internet worm spreading via a number of different methods and exploiting several known vulnerabilities in Internet Explorer and IIS systems. It also works as a file virus, infecting Win32 Portable Executable programs as well as files with the extensions html, htm and asp.
This worm may enter a system in the following ways:
* via an HTML e-mail with a specifically constructed MIME header;
* by visiting a Web site hosted on an infected system;
* via open network shares;
* via unpatched IIS systems (both 4.0 and 5.0).
When a user views an HTML e-mail carrying the worm or visits an infected Web site, Internet Explorer may launch the attached program (readme.exe) and so execute the Nimda.A code. This is due to the "Incorrect MIME Header" vulnerability (Microsoft Security Bulletin MS01-020) in Microsoft Internet Explorer 5.01 and 5.5. For a detailed description of this security hole and links to the appropriate patches, please visit:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
The worm may also exploit the following HTTP security loopholes in systems running Microsoft IIS:
* Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
* Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
* Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
The worm finds vulnerable Internet servers via randomly selected IP addresses. The address generation and scanning is performed by a process named mmc.exe (the worm overwrites the file mmc.exe with its own copy). Users of affected Windows NT/2000 systems may experience a significant deterioration of system performance while the mmc.exe process is running. Additionally, the worm copies itself as Admin.dll to the root directories of all accessible drives (the worm marks Admin.dll as a true DLL).
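The three IIS weaknesses listed above all come down to the server decoding a request path differently from the way it checked permissions on it. The script below is an added example, not part of this alert or of any vendor tool: it applies the same decoding tricks to web-server log entries and flags requests that, once canonicalized, climb out of the web root or name cmd.exe. The log lines are constructed for the example, and the simplified field layout (date, time, client IP, method, URI, status) is an assumption; real IIS logs carry more fields, so adjust the column indexes.

```python
"""Flag Nimda-style traversal probes in IIS-like web log lines.

Added example, not part of the original alert.  It mirrors the three IIS
decoding weaknesses named above: a single percent-decode that yields a
backslash ("canonicalization"), a second round of percent-decoding
("escaped characters decoding", e.g. %255c -> %5c -> \\) and two-byte
overlong UTF-8 forms such as %c0%af and %c1%1c ("extended Unicode").
"""
from urllib.parse import unquote_to_bytes

# Constructed sample log; field layout assumed: date time client-ip method uri status.
# The first four requests model the traversal classes listed in the alert; the
# last two are ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri sc-status
2001-09-18 10:14:03 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 200
2001-09-18 10:14:04 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 200
2001-09-18 10:14:05 192.0.2.10 GET /_vti_bin/..%c0%af../winnt/system32/cmd.exe?/c+dir 500
2001-09-18 10:14:06 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir 200
2001-09-18 10:15:00 198.51.100.7 GET /products/index.htm 200
2001-09-18 10:15:01 198.51.100.7 GET /images/logo%20big.gif 200
"""


def collapse_overlong(raw: bytes) -> bytes:
    """Decode 2-byte sequences the way a permissive UTF-8 decoder would.

    A lead byte 0xC0-0xDF plus any following byte yields
    ((lead & 0x1F) << 6) | (next & 0x3F).  If the result is below 0x80 the
    sequence is an overlong form of an ASCII byte (%c0%af -> '/', %c1%1c -> '\\')
    and is collapsed to that byte; genuine two-byte characters are left alone.
    """
    out = bytearray()
    i = 0
    while i < len(raw):
        lead = raw[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(raw):
            code = ((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            if code < 0x80:
                out.append(code)
                i += 2
                continue
        out.append(lead)
        i += 1
    return bytes(out)


def escapes_root(path: str) -> bool:
    """True if resolving '..' segments ever climbs above the web root."""
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyse_uri(uri: str) -> list:
    """Return the reasons a request URI looks like a traversal probe."""
    reasons = []
    once = unquote_to_bytes(uri)          # the decode the server always performs
    collapsed = collapse_overlong(once)
    if collapsed != once:
        reasons.append("overlong UTF-8 sequence")
    twice = unquote_to_bytes(collapsed)   # the extra decode after the permission check
    if twice != collapsed:
        reasons.append("double-encoded characters")
    path = twice.decode("latin-1").replace("\\", "/").split("?", 1)[0]
    if escapes_root(path):
        reasons.append("path escapes web root")
    if path.lower().endswith("/cmd.exe"):
        reasons.append("command interpreter requested")
    return reasons


def scan_log(text: str) -> list:
    """Return [(client-ip, uri, reasons)] for every suspicious log line."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        client_ip, uri = fields[2], fields[4]
        reasons = analyse_uri(uri)
        if reasons:
            hits.append((client_ip, uri, reasons))
    return hits


if __name__ == "__main__":
    for client_ip, uri, reasons in scan_log(SAMPLE_LOG):
        print(f"{client_ip} {uri}\n    " + "; ".join(reasons))
```

The second percent-decode is applied only after overlong sequences have been collapsed, which is the order that turns %255c into a backslash; a scanner that decodes once and compares against "..\" misses both the double-encoded and the overlong forms.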
Once the worm gets access to a victim machine's files, it searches all directories and infects htm, asp and html files by appending one line of JavaScript. In every directory where it infects a file, the worm drops its own code in MIME format as readme.eml or readme.nws. The worm is executed from within these MIME files when an infected htm* or asp file is opened.
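A host-side sweep for the traces just described, as an added example that is not part of this alert or of any vendor cleanup tool. It walks a directory tree looking for the dropped readme.eml/readme.nws files, for Admin.dll at the root of the scanned tree, and for htm/html/asp pages whose script element mentions readme.eml or readme.nws. The alert only says the injected JavaScript is one line, so the page check is deliberately loose; the window.open line written into the constructed sample page is an assumption about what that line looks like, and the sample tree is built under a temporary directory.

```python
"""Scan a directory tree for the file-level traces of Nimda described above.

Added example, not part of the original alert or any vendor tool.  The
sample tree is constructed; the readme.eml placeholder is not worm code.
"""
import os
import re
import tempfile

DROPPED_NAMES = ("readme.eml", "readme.nws")
PAGE_EXTENSIONS = ("htm", "html", "asp")
# A <script ...> element whose body mentions readme.eml or readme.nws.
INJECTED_SCRIPT = re.compile(rb"<script[^>]*>[^<]*readme\.(?:eml|nws)", re.IGNORECASE)


def scan_tree(root: str) -> list:
    """Return [(path, finding)] for every Nimda indicator under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        by_lower = {name.lower(): name for name in filenames}
        for dropped in DROPPED_NAMES:
            if dropped in by_lower:
                findings.append((os.path.join(dirpath, by_lower[dropped]),
                                 "dropped MIME copy of the worm"))
        if dirpath == root and "admin.dll" in by_lower:
            findings.append((os.path.join(dirpath, by_lower["admin.dll"]),
                             "Admin.dll at drive root"))
        for name in sorted(filenames):
            if name.lower().rsplit(".", 1)[-1] not in PAGE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if INJECTED_SCRIPT.search(fh.read()):
                    findings.append((path, "page opens readme.eml/readme.nws"))
    return findings


def build_sample_tree() -> str:
    """Create a constructed tree with three indicators and one clean page."""
    root = tempfile.mkdtemp(prefix="nimda-demo-")
    site = os.path.join(root, "site")
    os.makedirs(os.path.join(site, "docs"))
    # Infected page: original content with a one-line script appended (assumed form).
    with open(os.path.join(site, "index.htm"), "w") as fh:
        fh.write("<html><body><h1>Welcome</h1></body></html>\n")
        fh.write('<html><script language="JavaScript">window.open("readme.eml", null, '
                 '"resizable=no,top=6000,left=6000")</script></html>\n')
    # Placeholder standing in for the dropped MIME file (not worm code).
    with open(os.path.join(site, "readme.eml"), "w") as fh:
        fh.write("MIME-Version: 1.0\nContent-Type: multipart/related\n")
    with open(os.path.join(root, "Admin.dll"), "wb") as fh:
        fh.write(b"MZ")
    with open(os.path.join(site, "docs", "clean.html"), "w") as fh:
        fh.write("<html><body>Nothing to see.</body></html>\n")
    return root


if __name__ == "__main__":
    for path, finding in scan_tree(build_sample_tree()):
        print(f"{finding}: {path}")
```

Point scan_tree at each drive root (or share root) to cover the Admin.dll check; a readme.eml hit in a web content directory is also a hint that the server itself has been used to spread the worm.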
The worm infects Win32 PE programs (except Winzip32.exe) by prepending its code and modifying the resources so that the infected programs keep the same icons as the original programs.
On affected Win9x systems, in order to run on the next reboot, the worm copies itself as load.exe into the Windows System directory and modifies the Shell= line of system.ini:
Shell=explorer.exe load.exe -dontrunold
Nimda.A may also copy itself under the name of one of the legitimate Microsoft libraries, riched20.dll.
To avoid infection by browsing infected web pages, Active Scripting can be disabled in Internet Explorer.
Detection for this virus/worm has been added to the following virus engine/virus signature combinations. Install this update or later to ensure protection:
CA Antivirus Solution                          Engine/Signature
InocuLAN / InoculateIT 4.x                     28.06
eTrust InoculateIT 6.0 / eTrust Antivirus 6.0  23.46.06
eTrust EZ Antivirus / IPE                      5.3/1502
VET                                            10.3/1502
HappyTime Virus Warning:
Due to the increased number of submissions, the threat level for this worm has been upgraded from 3 to 4.
VBS.Haptime.A@mm is a Visual Basic Script (VBS) worm. It infects .htm, .html, .vbs, .asp, and .htt files. It replicates using MAPI objects to spread itself as an attachment. Also, the worm attaches itself to all outgoing messages using the stationery feature of Outlook Express.
The worm utilizes a known Microsoft Outlook Express security hole so that the worm is executed without the user having to run any attachment.
Microsoft has released a patch that eliminates the security vulnerability in the "Scriptlet.TypeLib" ActiveX control. The patch is available at:
http://www.microsoft.com/technet/ie/tools/scrpteye.asp
If you have a patched version of Outlook Express, this worm will not run automatically.
Also Known As: VBS.HappyTime, VBS_HAPTIME.A, VBS.Happytime.A, VBS/Help, VBS_Haptime.A, VBS/Haptime@MM
For more information - see http://www.symantec.com/avcenter/venc/data/vbs.haptime.a@mm.html
CodeRed.v3 Virus Warning:
CodeRed.v3 was discovered on August 4, 2001. It has been called a variant of the original CodeRed worm because it uses the same buffer overflow exploit to propagate to other web servers. Symantec AntiVirus Research Center received reports of a high number of infected IIS web servers. CodeRed.v3 is considered a high threat. The original CodeRed had a payload that launched a Denial of Service attack on the White House Web server. CodeRed.v3 has a different payload that gives the attacker full remote access to the Web server.
Virus Alert - W32.Sircam.Worm@mm
Due to the increased number of virus submissions, SARC has updated the threat level of this virus from 3 to 4. Virus definitions dated July 17, 2001 or later will detect this worm.
W32.Sircam.Worm@mm is a network-aware virus that has email capability. The worm also appends a random document from your hard drive to itself and sends the result out as the email attachment. The email has the following content:
Subject: The subject of the email is random and is the same as the file name of the attachment.
Message: The message body is semi-random, but always contains the following two lines (in either English or Spanish) as the first and last sentences of the message.
Spanish version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.
English version:
First line: Hi! How are you?
Last line: See you later. Thanks
For more information on this virus - visit http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html.
MsWorld Virus Update:
Borrowing from the success of NakedWife, a new worm, MsWorld, displays a Flash window illustration while mass mailing everyone you know and attempting to reformat your C: drive. MsWorld (W32.MsWorld@MM) hails from Great Britain and at this time it has not spread very far or very fast. Since it can clog e-mail servers and damage users' root drive files, MsWorld ranks as a 6 on the ZDNet Virus Meter.
How it works
MsWorld arrives as an e-mail with the following information:
Subject: Miss World
Body: Hi, (your name)
Enjoy the latest pictures of Miss World from various Country
Attached: MWrld.exe
If a user opens the attached file, a Flash window appears that displays a cute animal and a big cake with a single candle. The text "I fall more in love with you each day!" appears in script at the bottom of the window. While this image is displayed, MsWorld sends copies of itself to all addresses found in Outlook's address book.
MsWorld adds the following to the infected computer's Autoexec.bat, which causes the computer to reformat the C: drive when it is next rebooted:
Echo Off
Echo "This Everything for my Girl Friend........., (CatEyes, KRSSL, SS Hostel) "
Format C: /q /autotest
Echo On
MsWorld also attempts to delete the files USER.DAT, USER.DA0, SYSTEM.DAT, and SYSTEM.DA0 when the Flash program is closed. Since the .DAT files are in use, a run-time error occurs, so only the .DA0 files are deleted.
VBS.VBSWG2.X@mm Virus Warning:
Discovered on: May 8, 2001
Last Updated on: May 9, 2001 at 02:11:29 PM PDT
Due to an increase in submissions, SARC has upgraded this worm from a Threat Rating of 3 to 4.
VBS.VBSWG2.X@mm is an encrypted VBScript worm that uses a known exploit to send itself to all recipients in an infected user's Microsoft Outlook address book. It also has a payload that opens a Web site containing pornographic content.
Also Known As: VBS.VBSWG2.D@mm, VBS.HomePage, I-Worm.Homepage, VBSWG.X, VBSWG.X@MM, VBS/VBSWG-X, VBS_HomePage.A
W32.Matcher Virus Warning:
Discovered on: April 18, 2001
Last Updated on: April 18, 2001 at 02:43:50 PM PDT
W32.Matcher is an executable that arrives by email. When executed, the worm emails itself to everyone in the Microsoft Outlook Address Book. The worm continues to send emails while the process runs in the background.
For more information on this virus – see http://www.symantec.com/avcenter/venc/data/w32.matcher.html.
W32.Magistr.24876@mm Virus Warning:
Discovered on: March 13, 2001
Last Updated on: April 4, 2001 at 11:55:55 AM PDT
Due to the increased number of submissions, SARC has updated the threat level of this virus from 3 to 4.
W32.Magistr.24876@mm is a virus that has email worm capability. It is also network aware. It infects Windows Portable Executable (PE) files, with the exception of .dll system files, and sends email messages to addresses that it gathers from the Outlook/Outlook Express mail folders (.dbx, .mbx), the sent items file from Netscape, and Windows address books (.wab), which are used by mail clients such as Microsoft Outlook and Microsoft Outlook Express. The email message may have up to two attachments, and it has a randomly generated subject line and message body.
Also Known As: I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr@mm
For more information on this
virus and a fix – visit this site - http://www.symantec.com/avcenter/venc/data/w32.magistr.24876@mm.html.
W32.Naked@mm Virus Warning:
Discovered on: March 6, 2001
Last Updated on: March 6, 2001 at 03:20:12 PM PST
W32.Naked@mm is a mass-mailing worm that disguises itself as a Flash movie. The attachment is named NakedWife.exe. After attempting to email everyone in the Microsoft Outlook address book, the worm attempts to delete several system files. This leaves the system unusable, requiring a reinstall.
NOTE: This worm was previously detected as W32.HLLW.JibJab@mm.
For more information on this virus – visit http://www.symantec.com/avcenter/venc/data/w32.naked@mm.html.
AnnaKournikova.jpg.vbs Virus:
VBS.SST@mm is a VBS email worm that was produced with a virus creation kit and is encoded. The worm arrives as an attachment named AnnaKournikova.jpg.vbs. When executed, the worm emails itself to everyone in your Microsoft Outlook address book. On January 26, the worm will attempt to direct your Web browser to an Internet address located in The Netherlands.
This worm appears to have originated in the Netherlands. For more information, and help deleting the virus if you have received it, see http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html.
W97M.Melissa.W – Virus Warning:
W97M.Melissa.W is a typical macro virus with an unusual payload. When a user opens an infected document, the virus attempts to email a copy of that document to up to 50 people using Microsoft Outlook. The macro also disables the Tools/Macro menu entry.
It infects MS Word 97 and MS Word 2000 documents by adding a new VBA5 (macro) module named Melissa. Although there is nothing unique in the infection routine of this macro virus, its payload uses MS Outlook to send the infected document being opened as an attachment.
As its primary payload, the virus attempts to use Microsoft Outlook to email a copy of the infected document to up to 50 other people. The virus does the following:
1. Opens MS Outlook.
2. Using MAPI calls, gets the user profile needed to use MS Outlook.
3. Creates a new email message to be sent to up to 50 addresses listed in the user's MS Outlook address book.
4. Gives the email message the subject line "Important Message From USERNAME", where USERNAME is taken from the MS Word user-name setting.
5. Sets the body of the email message to: "Here is that document you asked for ... don't show anyone else ;-)"
6. Attaches the active document (the infected document being opened or closed) to the email message and sends the email.
W97M.Melissa.W is also known as: Melissa-X (Anniv.DOC), Melissa.W
Virus definitions dated January 18, 2001, or later will protect against W97M.Melissa.W. (Virus definitions dated before January 18, 2001 would detect this as W97M.Melissa.Variant.)
Complete information about W97M.Melissa.W is available at the following Internet address:
http://www.symantec.com/techsupp/vURL.cgi/nav82
ANOTHER VIRUS WARNING: If you receive an email that indicates “Upgrade Internet2” – DO NOT OPEN IT! It contains an executable file named “perrin.exe”. It will erase all the data on your hard drive and it will stay in the memory of your computer. Every time you upload data, it will be automatically erased and you will not be able to use your computer again. This information was published yesterday on the CNN web site. This is a very dangerous virus – to this date, there is no known anti-virus program to catch it. Listed below are the names of other emails that, if received, SHOULD NOT BE OPENED but should be DELETED! The titles are:
1. buddylst.exe
2. calcu18r.exe
3. deathpr.exe
4. einstein.exe
5. happ.exe
6. girls.exe
7. happy99.exe
8. Japanese.exe
9. keypress.exe
10. kitty.exe
11. monday.exe
12. teletubb.exe
13. The Phantom Menace
14. prettypark.exe
15. UP-GRADE INTERNET2
16. perrin.exe
17. I love you
18. CELCOM Screen Saver or CELSAVER.EXE
19. Win a Holiday (email)
20. JOIN THE CREW O PENPALS
Once again, if you receive an email with any of the above – DO NOT OPEN IT – DELETE IT IMMEDIATELY!
NEW VIRUS STRIKING OUR AREA!
Two new email viruses have been detected in our area and throughout the email community in general.
The Hybris worm is similar to the KAK worm, only more dangerous. When the worm attachment is executed, the WSOCK32.DLL file is modified or replaced. This gives the worm the ability to copy and attach itself to all outbound email. The email attachment will have a random name, but the filename extension is either EXE or SCR.
The virus arrives in an email with the following headers:
From: Hahaha hahaha@sexyfun.net
Subject: Snowhite and the seven Dwarfs - The REAL Story!
Attachment: dwarf4you.exe or sexy virgin.scr
If you receive any such email, we recommend that you immediately delete it from your inbox.
You SHOULD NOT open the email OR open the attachment that comes with it.
The second virus is W32.Navidad. W32.Navidad is a mass-mailing worm program. Using MAPI, the worm replies to all Inbox messages that contain a single attachment. This works with Microsoft Outlook. The worm reuses the existing email subject line and body and attaches itself as NAVIDAD.EXE. Due to bugs in the code, after being executed the worm renders your system unusable.
For more information, and to download a tool to repair W32.Navidad damage, go to http://www.norton.com/avcenter/venc/data/w32.navidad.html or http://www.symantec.com/avcenter/index.html.
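Most of the worms on this page announce themselves in the message itself: a fixed subject (MsWorld, Hybris), a fixed sender (Hybris), a fixed attachment name (MWrld.exe, NakedWife.exe, NAVIDAD.EXE, dwarf4you.exe, AnnaKournikova.jpg.vbs, the Badtrans.B names above), a subject that equals the attachment name together with fixed first and last lines (Sircam), or a double extension that hides a script behind a picture name. The script below is an added example, not part of these alerts or of any vendor product, showing how a mail gateway can apply those checks to a parsed message. The set of executable extensions, the sample messages and the placeholder attachment bytes are constructed for the example; the Melissa subject check refers to the "Important Message From" subject described later on this page.

```python
"""Mail-gateway checks for the worm traits described in the alerts on this page.

Added example, not part of the original alerts or any vendor product.  The
messages are constructed; the attachment bytes are placeholders, not worm code.
"""
import email
from email import policy
from email.message import EmailMessage

EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "vbs", "js"}   # assumed list
BADTRANS_STEMS = {s.lower() for s in (
    "Pics", "Images", "README", "New_Napster_Site", "news_doc", "HAMSTER",
    "YOU_are_FAT!", "Stuff", "SETUP", "Card", "Me_nude", "Sorry_about_yesterday",
    "Info", "Docs", "Humor", "fun")}
KNOWN_ATTACHMENTS = {"mwrld.exe", "nakedwife.exe", "navidad.exe",
                     "annakournikova.jpg.vbs", "dwarf4you.exe", "sexy virgin.scr"}
KNOWN_SUBJECTS = {"miss world", "snowhite and the seven dwarfs - the real story!"}
SIRCAM_LINES = {"hola como estas ?", "nos vemos pronto, gracias.",
                "hi! how are you?", "see you later. thanks"}


def classify(raw: bytes) -> list:
    """Return the list of reasons a raw RFC 822 message should be held."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip()
    if subject.lower() in KNOWN_SUBJECTS:
        reasons.append(f"known worm subject: {subject}")
    if subject.lower().startswith("important message from"):
        reasons.append("Melissa-style subject line")
    if "hahaha@sexyfun.net" in (msg["from"] or "").lower():
        reasons.append("Hybris sender address")

    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        lowered = name.lower()
        pieces = lowered.split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if lowered in KNOWN_ATTACHMENTS:
            reasons.append(f"known worm attachment: {name}")
        elif pieces[0] in BADTRANS_STEMS and ext in EXEC_EXTENSIONS:
            reasons.append(f"Badtrans.B attachment name: {name}")
        if ext in EXEC_EXTENSIONS:
            reasons.append(f"executable attachment: {name}")
            if len(pieces) > 2:
                reasons.append(f"double extension hides executable: {name}")
            if pieces[0] == subject.lower():   # only meaningful for executables
                reasons.append("subject equals attachment name (Sircam pattern)")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    lines = [l.strip().lower() for l in text.splitlines() if l.strip()]
    if lines and (lines[0] in SIRCAM_LINES or lines[-1] in SIRCAM_LINES):
        reasons.append("Sircam greeting/closing line")
    return reasons


def make_message(sender: str, subject: str, body: str, filename: str) -> bytes:
    """Build a multipart message with one binary attachment (placeholder bytes)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "someone@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder, not worm code", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def build_sample_messages() -> list:
    """Constructed: Sircam-like, AnnaKournikova-like, Hybris-like, then a clean one."""
    return [
        make_message("colleague@example.org", "Quarterly",
                     "Hi! How are you?\nPlease look at the attached file.\nSee you later. Thanks\n",
                     "Quarterly.doc.pif"),
        make_message("friend@example.org", "Here you have, ;o)",
                     "Hi:\nCheck This!\nBye.\n", "AnnaKournikova.jpg.vbs"),
        make_message("Hahaha <hahaha@sexyfun.net>",
                     "Snowhite and the seven Dwarfs - The REAL Story!",
                     "Read the attached story.\n", "dwarf4you.exe"),
        make_message("colleague@example.org", "Minutes",
                     "Hi,\nattached are the minutes from Tuesday.\nRegards\n", "minutes.pdf"),
    ]


if __name__ == "__main__":
    for raw in build_sample_messages():
        verdict = classify(raw)
        print("HOLD" if verdict else "PASS", "-", "; ".join(verdict) or "no indicators")
```

The subject-equals-attachment rule is deliberately applied only to executable attachments: a colleague sending "Minutes" with minutes.pdf matches the same shape, and without that restriction the rule is mostly false positives.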
THIS ALERT WAS SENT OUT ON OCT. 24, 2000
NEW VERY BAD VIRUS ALERT!!!
IMPORTANCE: HIGH PASS THIS ON TO ANYONE YOU HAVE AN E-MAIL ADDRESS FOR.
If you receive an email titled "It Takes Guts to Say Jesus" DO NOT OPEN IT.
It will erase everything on your hard drive. This information
was announced yesterday morning from IBM. AOL states that this is a very
dangerous virus, much worse than "Melissa," and that there is NO remedy for
it at this time. Some very sick individual has succeeded in using the
reformat function from Norton Utilities, causing it to completely erase all
documents on the hard drive. It has been designed to work with Netscape
Navigator and Microsoft Internet Explorer.
It destroys Macintosh and IBM compatible computers. This is a new, very
malicious virus and not many people know about it. Pass this warning along to EVERYONE in your address book and please share it with all your online friends ASAP so that this threat may be stopped!!
Please practice cautionary measures and tell anyone that may have access to your computer. Forward this warning to everyone that might access the Internet.
New Viruses Haunting Internet – 10/18/2000: (These virus warnings were forwarded to meckcom.net from a local computer programmer to warn our customers of potential problems)
CELCOM Screen Saver: If you receive any CELCOM Screen Saver, please do not install it! This screen saver is very cool – it shows a NOKIA hand phone, with time messages. After it is activated, the PC cannot boot up at all. It goes very slowly – it destroys your hard disk – the file name is CELLSAVER.EXE.
SANDMAN: Beware! If someone named SandMan asks you to check out his page – DO NOT! It is at www.geocities.com - this page hacks into your C:/drive – Do not go there.
Win A Holiday: If you get an email titled “Win A Holiday” – DO NOT OPEN IT! Delete it immediately. Microsoft just announced it yesterday. It is a malicious virus that WILL ERASE YOUR HARD DRIVE. At this time there is no remedy.
Symantec Offers Free Online Fix for Destructive Worm.ExploreZip Worm
CUPERTINO, Calif. - June 14, 1999 - Symantec Corporation (Nasdaq: SYMC) today announced that a free tool to remove an active Worm.ExploreZip infection is available on its web site at http://www.sarc.com. The KILL_EZ.EXE tool removes the infection from computers running Windows 95, Windows 98 or Windows NT.
While protection has been available to Symantec Norton AntiVirus users via current virus definitions through LiveUpdate, the KILL_EZ.EXE tool does not require anti-virus software to run.
"Symantec AntiVirus Research Center (SARC) is offering this as a public service to administrators and other users," said Carey Nachenberg, chief researcher with SARC. "Administrators can use this tool to clean up infested networks and deploy via login scripts to rapidly cure the problem." While the tool removes Worm.ExploreZip, for continued protection against malicious threats an anti-virus solution, such as Norton AntiVirus, is recommended.
The Worm.ExploreZip worm contains a malicious payload that can result in non-recoverable data and/or inoperable computer systems. The KILL_EZ.EXE tool performs the following tasks (after verifying that the system is infected by Worm.ExploreZip):
* Under Windows NT, removes the changes the worm made to the Windows Registry. Specifically, it deletes the registry value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run.
* Under Windows 95, removes the changes made to the WIN.INI file, found in the Windows directory. Specifically, it deletes the line run=c:\windows\system\explore.exe.
* KILL_EZ.EXE then completely removes the Worm.ExploreZip program from memory.
* Finally, the tool deletes the EXPLORE.EXE file from the Windows system directory. Under Windows 95 or Windows 98, it deletes C:\WINDOWS\SYSTEM\EXPLORE.EXE; under Windows NT, it deletes c:\WINDOWS\SYSTEM32\EXPLORE.EXE.
Upon completion, KILL_EZ.EXE reports whether the system was infected with Worm.ExploreZip and, if it was, whether the worm was removed successfully.
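The persistence points named on this page are all plain text files: the run= line in win.ini that KILL_EZ removes (ExploreZip on Windows 95), the Shell= line in system.ini (Nimda on Win9x, described in the Nimda alert above) and the autoexec.bat commands MsWorld appends. The script below is an added example, not Symantec's tool and not part of any of these alerts; it audits all three files and reports what would run at the next boot. The file contents are constructed, and the list of commands treated as destructive is an assumption.

```python
"""Audit the Windows 9x/NT startup files named in the alerts on this page.

Added example, not part of the original alerts or of Symantec's KILL_EZ tool.
Reports an extra program on the Shell= line of system.ini (Nimda), a run=/load=
entry in the [windows] section of win.ini (ExploreZip) and a disk-destroying
command in autoexec.bat (MsWorld).  The file contents below are constructed.
"""
import re

EXPECTED_SHELL = "explorer.exe"
DESTRUCTIVE_COMMANDS = {"format", "deltree", "fdisk"}   # assumed list

# Constructed samples: the infected forms the alerts describe, then clean ones.
SYSTEM_INI = """\
[boot]
shell=explorer.exe load.exe -dontrunold
drivers=mmsystem.dll
"""
WIN_INI = r"""
[windows]
load=
run=c:\windows\system\explore.exe
[Desktop]
Wallpaper=(None)
"""
AUTOEXEC_BAT = """\
@Echo Off
Echo "This Everything for my Girl Friend........., (CatEyes, KRSSL, SS Hostel) "
Format C: /q /autotest
Echo On
"""
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"
CLEAN_AUTOEXEC = "@echo off\nrem format the prompt nicely\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n"


def parse_ini(text: str) -> dict:
    """Section-aware INI parse: {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_system_ini(text: str) -> list:
    """Anything after explorer.exe on the Shell= line is started at every boot."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    extra = [t for t in shell.lower().split() if t != EXPECTED_SHELL]
    return [f"system.ini Shell= launches extra program(s): {' '.join(extra)}"] if extra else []


def audit_win_ini(text: str) -> list:
    """run= and load= under [windows] start programs at logon; normally empty."""
    windows = parse_ini(text).get("windows", {})
    return [f"win.ini {key}= starts: {windows[key]}" for key in ("run", "load") if windows.get(key)]


def audit_autoexec(text: str) -> list:
    """Report lines whose command (not an echoed string) is a destructive tool."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("@")
        if not line:
            continue
        tokens = line.split()
        if tokens[0].lower() == "call" and len(tokens) > 1:
            tokens = tokens[1:]
        command = tokens[0].lower().rsplit("\\", 1)[-1]      # drop any path
        command = re.sub(r"\.(exe|com|bat)$", "", command)   # drop extension
        if command in ("rem", "echo"):
            continue                                          # text, not a command
        if command in DESTRUCTIVE_COMMANDS:
            findings.append(f"autoexec.bat runs: {line}")
    return findings


def audit_all(system_ini: str, win_ini: str, autoexec: str) -> list:
    return audit_system_ini(system_ini) + audit_win_ini(win_ini) + audit_autoexec(autoexec)


if __name__ == "__main__":
    for finding in audit_all(SYSTEM_INI, WIN_INI, AUTOEXEC_BAT):
        print(finding)
```

The autoexec check looks at the command token rather than grepping for "format", so the Echo line MsWorld writes (which only prints text) and a rem comment are not reported, while a fully qualified C:\TOOLS\FORMAT.COM still is.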
Worm.ExploreZip uses MAPI commands and Microsoft Outlook on Windows systems to propagate itself. The worm was first discovered in Israel and submitted to the Symantec AntiVirus Research Center (SARC) on June 6, 1999.
Norton AntiVirus users are advised to protect themselves from this worm by downloading the current virus definitions through LiveUpdate or from the Symantec web site at www.symantec.com/avcenter/download.html.
Symantec AntiVirus Research Center (SARC)
SARC is the industry's largest dedicated team of virus experts. With offices located in the United States, Japan, Australia, and the Netherlands, the sun never sets on SARC. The center's mission is to provide swift, global responses to computer virus threats, proactively research and develop technologies that eliminate such threats, and educate the public on safe computing practices. As new computer viruses appear, SARC develops identification and detection for these viruses, and provides either a repair or delete operation, thus keeping users protected against the latest virus threats.
About Symantec:
Symantec is the world leader in utility software for business and personal computing. Symantec products and solutions help make users productive and keep their computers safe and reliable anywhere and anytime. Symantec offers a broad range of solutions and is acclaimed as a leader in both customer satisfaction and product brand recognition. Symantec is traded on Nasdaq under the symbol SYMC. More information on the company and its products can be obtained at www.symantec.com.