
Major Security / Virus Warnings

Discussion in 'Virus Software Updates (Read Only)' started by NICK ADSL UK, Dec 22, 2003.

  1. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    MAJOR SECURITY VIRUS WARNINGS will be posted here as and when I receive them. It is very important to follow the recommendations from the authors of the relevant software involved.

    Regards
     
    Last edited: Nov 4, 2006
    2 people like this.
  2. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    This is a virus alert for W32/Sober.C, a new Sober variant
    first detected on 20 December 2003. This worm has gained
    considerable momentum in recent days, particularly in German
    speaking areas.

    Risk:
    Due to its distribution W32/Sober.C@mm is estimated to be
    medium risk.

    Recommended Reactions:
    Users of F-Prot Antivirus should update their virus signature
    files immediately. W32/Sober.C is detected by F-Prot
    Antivirus using virus signature files dated 20 December 2003
    and later.

    --
    F-Prot Antivirus Alert Service
    http://www.f-prot.com
     
  3. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Common name: Jitux.A

    Technical name: W32/Jitux.A.worm

    Threat level: High

    Type: Worm

    Subtype: Trojan

    Effects:
    It spreads via MSN Messenger. It goes memory resident and sends messages every five minutes.



    Affected platforms: Windows 2003/XP/2000/NT/ME/98/95


    First appeared on: Dec. 30, 2003

    In circulation? Yes


    Brief Description

    Jitux.A is a worm that spreads via the instant messaging program MSN Messenger in a message that only contains a link to a web page. When the user visits this web page, a file called JITUXRAMON.EXE is downloaded.

    Once the file JITUXRAMON.EXE is run, the computer is affected. Jitux.A goes memory resident and sends the message specified above to all the active contacts in Messenger's Contact list every five minutes.


    Visible Symptoms

    Jitux.A is easy to recognize, as it reaches the computer when the user visits a link contained in a message received via MSN Messenger.

    Last updated: Dec. 30, 2003

    Source courtesy of panda software
     
  4. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Current Virus Warnings
    Win32.HLLM.Foo.25632
    (W32.Paylap@mm, Win32/Mimail.Variant.Worm, JS.Mimail.I)

    The worm spreads as an attachment to a mail message.
    The worm is using its own SMTP server.
    To secure the launch of the attachment containing the worm's body, named PATPAL.ASP.SCR, the aggressor employs the so-called social-engineering technique. The subject YOUR PAYPAL.COM ACCOUNT EXPIRES and the message body, sent as if by the administrator of the on-line payment company PayPal, serve to persuade the user to open the infected file.

    Mail format:

    From: payPal.com
    To: donotreply@paypal.com
    Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
    Mail text:
    Dear PayPal member,

    PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address

    <your@EMail.Address.is.here>

    will be expiring within five business days....

    Attached file: www.paypal.com.scr


    The worm will be activated only if the user opens the false form!



    Win32.HLLM.Foo.25632 is detected and disinfected by Dr.Web since November 14, 2003.
    If the SpIDer Mail module is active, it protects against all messages infected by this worm.
    INFORMATION COURTESY OF DR WEB SOFTWARE
     
  5. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Trojan.Xombe is a Trojan horse that has at least two components: a 4,096 byte downloader and a 27,136 byte Trojan. The downloader component will retrieve the Trojan file from a predetermined Web site.

    The download component has been distributed in an unsolicited email, purporting to be a security update for Windows XP, sent by Microsoft.

    The email has the following characteristics:

    From: windowsupdate@microsoft.com
    Subject: Windows XP Service Pack 1 (Express) - Critical Update.
    Attachment: winxp_sp1.exe(4,096 KB)

    The Trojan is packed with UPX.


    Also Known As: Xombe [FSecure], Downloader-GJ [McAfee], Troj/Dloader-L [Sophos]
    Type: Trojan Horse
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
    Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x

    INFORMATION COURTESY OF NORTON
    Please note
    Microsoft never sends patches or updates via email, so users should be aware that any such message and related file attachment is probably an attempt to compromise the security of their systems.
     
  6. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    ATTENTION TO EVERYONE

    This is a virus alert for W32/Bagle.A@mm a new mass-mailing
    worm first detected on 18 January 2004. This worm has rapidly
    gained momentum over the past 24 hours and has spread
    considerably.

    Risk:
    Due to its distribution W32/Bagle.A@mm is estimated to be
    medium risk.

    Recommended Reactions:
    Users of ALL antivirus software should update their virus signature
    files immediately. W32/Bagle.A is detected by
    antivirus software using virus signature files dated 19 January 2004
    and later.
     
    Last edited: Jan 19, 2004
  7. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    ATTENTION TO EVERYONE: WILL YOU PLEASE MAKE SURE YOUR ANTI-VIRUS IS UP TO DATE WITH THE LATEST SIGNATURE FILES
    This is a virus alert for W32/Mydoom.A@mm, a new mass-mailing
    worm first detected on 26 January 2004. This worm has rapidly
    gained momentum in the last few hours and has spread
    considerably.

    Risk:
    Due to its distribution W32/Mydoom.A@mm is estimated to be
    medium risk.
     
  8. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Dear nick,
    HI EVERYONE PLEASE NOTE THAT THIS WORM IS NOW HIGH RISK
    W32/Mydoom@MM is a HIGH-OUTBREAK mass-mailing worm flooding email servers worldwide. When run, the worm steals email addresses from the infected machine and also automatically generates random email addresses for propagation. This email generation engine is similar to technologies spammers use to generate addresses for spam email campaigns.

    W32/Mydoom@MM generates emails with a spoofed "From: field", so incoming messages may appear to be from people you know. Furthermore, the subject line and message body are both randomly generated by the worm.


    Caution—An infected email can come from addresses you recognize and may contain the following information:

    From: randomly generated (spoofed)
    Subject: randomly generated
    Body: randomly generated—examples:

    The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
    The message contains Unicode characters and has been sent as a binary attachment.
    Mail transaction failed. Partial message is available.

    Attachment: randomly generated
    The icon used by the file tries to make it appear as if the attachment is a text file. The attachment type varies [.exe, .pif, .cmd, .scr]—often arrives in a ZIP archive. (filesize = 22,528 bytes)

    Aliases: Novarg, W32.Novarg.A@mm, Win32/Shimg, WORM_MIMAIL.R

    INFORMATION KINDLY SENT TO ME FROM McAfee
     
    Last edited: Jan 27, 2004
  9. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    HI EVERYONE PLEASE NOTE THAT THIS WORM W32/Mydoom@MM is still high risk
     
  10. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    NEW RISK FOR THE 30-1-04
    Dear nick,

    W32/Mimail.s@MM is a Medium Risk mass-mailing worm that tries to steal credit card information by displaying a fake Microsoft Windows license expiration message. Stolen credit card numbers are sent to addresses within the domains @mail15.com and @ziplip.com.

    W32/Mimail.s@MM also forwards itself to contacts it steals from the infected machine.

    Caution: Watch out for emails with "here is the file you asked for" in the subject line or body. They may contain an attachment with the W32/Mimail.s@MM worm.


    What to look for:

    From: An infected email can come from people you know.
    Subject: here is the file you asked for
    Body: Hi! Here is the file you asked for!
    Attachment: example--document.txt.scr
    possible file extensions used: .pif, .scr, .exe, .jpg.scr, .jpg.pif, .jpg.exe, .gif.exe, .gif.pif, .gif.scr
    Aliases: W32.Mimail.R@mm

    INFORMATION KINDLY SENT TO ME FROM McAfee
     
  11. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    31-1-04
    HI EVERYONE PLEASE NOTE THAT THIS WORM W32/Mydoom@MM IS STILL VERY HIGH RISK
     
  12. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    THIS IS THE LATEST UPDATE FOR ALL THE MAJOR VIRUSES AT THE PRESENT TIME. For the Expanded Threat List and Virus Encyclopedia please see the link below

    VIRUS NAME | ALIASES | THREAT LEVEL
    W32.Novarg.A@mm | I-Worm/Novarg, W32/Mydoom-A, W32/Mydoom@mm, WORM_MIMAIL.R | High
    W32.Beagle.A@mm | I-Worm/Bagle, W32/Bagle-A, W32/Bagle@mm, WORM_BAGLE.A | Medium
    Downloader-GN | TrojanDownloder.Win32.Small.cz, TrojanDownloaer.Win32.Mimail, Troj/Mmdload-A, Downloader.Mimail.B | Low
    W32.Mimail.J@mm | I-Worm/Mimail.J, W32/Mimail-J, W32/Mimail.J@mm, WORM_MIMAIL.J, Mimail.I | Medium
    W32.Mimail.C@mm | I-Worm/Mimail.C, W32/Mimail-C, W32/Mimail.c@mm, WORM_MIMAIL.C, I-Worm.NetWatch | Medium
    W32.Swen.A | Swen, W32/Gibe.E-mm, I-Worm.Swen, W32/Gibe-F, WORM_SWEN.A | High
    W32.Sluter.B | W32.Randex.F, W32/Sluter-B, Backdoor.Sdbot.gen | Medium
    Backdoor.Apdoor.c | Bck/Apdoor.c, W32/Apdoor.C | Low
    W32.Dumaru@mm | I-Worm/Dumaru, WORM_DUMARU.A, W32/Dumaru-A, W32/Dumaru@mm | Medium
    W32.Sobig.F@mm | I-Worm/Sobig.F, WORM_SOBIG.F, Sobig.F, W32/Sobig-F, W32/Sobig.F | Medium
    W32.Welchia.Worm | I-Worm/Generic, WORM_MSBLAST.D, Lovsan.D, W32/Nachi-A | High
    W32.Blaster.C.Worm | W32/Lovsan.C.Worm, I-Worm/Generic, Worm/Lovsan.B, W32/Blaster-B, WORM_MSBLAST.C | Medium
    W32.Blaster.Worm | Worm/Lovsan, W32/Blaster-A, W32/Lovsan.Worm, WORM_MSBLAST.A, Blaster, Lovesan, Win32.Poza | High
    W32.Mimail.A@mm | I-Worm/Mimail, W32/Mimail-A, W32/Mimail@mm, WORM_MIMAIL.A, TrojanDropper.Js.Mimail | Medium
    Trojan.W32.Webber | Downloader-DI, TrojanProxy.Win32.Webber, Troj/Webber-A, Trojan.Download.Berbew | Medium
    W32.Mylife.N@mm | I-Worm/Mylife.N, W32/Mylife-M, Win32.Mylife.M | Low
    W32.Mumu.B.Worm | Mumu.B, WORM_MUMU.A, W32.Mumu-C | Low
    W32.Sobig.E@mm | I-Worm.Sobig.gen, WORM_SOBIG.E, W32/Sobig-E, Sobig.E Worm | High
    W32.Yaha.T@mm | I-Worm.Lentin.gen, W32/Yaha-T, W32/Yaha.T@mm, Yaha.T | Low
    W32.Mapson@mm | I-Worm.Mapson, W32/Mapson-A, WORM_MAPSON.A, W32/Mapson.Worm, W32/Lorraine | Medium
    W32.Sobig.D@mm | I-Worm.Sobig.gen, WORM_SOBIG.D, W32/Sobig-D, Sobig.D Worm | Low
    W32.Sobig.C@mm | I-Worm.Sobig.c, WORM_SOBIG.C, W32/Sobig-C, Sobig.C Worm | Low
    W32.Bugbear.B@mm | I-Worm.Bugbear.B, W32/Bugbear-B, WORM_BUGBEAR.B, Tanatos.b | High
    JS/Fortnight.B | JS.Fortnight.M, JS/Fortnight.D, EML.Fortnight, Fortnight.C | Medium
    W32.Yaha.P@mm | I-Worm.Lentin.m, I-Worm/Yaha.P, W32/Yaha-P, WORM_YAHA.P | Low
    W32.Lovegate.F@mm | I-Worm/Lovegate, I-Worm.Supnot.f, WORM_LOVGATE.F, W32.HLLW.LoveGate.G@mm | Medium
    W32.Palyh@mm | I-Worm.Palyh, WORM_SOBIG.B, W32/Palyh-A, W32.HLLW.Mankx@mm, Sobig.B Worm | Low
    W32.Fizzer@mm | I-Worm/Fizzer, WORM_FIZZER.A, W32.HLLW.Fizzer@mm, W32.Fizzer-A | Low
    W32.Yaha.K@mm | I-Worm.Lentin.I, W32/Yaha-M, WORM_YAHA.K, Yaha.K | Medium
    W32.Lirva.A@mm | I-Worm.Lirva, W32/Avril-A, WORM_LIRVA.A, W32.Naith.A | Low
    W32.Bugbear@mm | I-Worm.Bugbear, W32/Bugbear-A, WORM_BUGBEAR.A, Tanatos | Medium
    W32.Yaha.E@mm | I-Worm.Lentin.g, W32/Yaha-E, WORM_YAHA.G, Yaha.E | Medium
    Worm/Opaserv.K | Opaserv.K, WORM_OPASERV_K, W32.Opaserv.M.Worm | Medium
    Worm/Opaserv.E | Opaserv.E, WORM_OPASERV_E, W32.Opaserv.E.Worm | Medium

    Expanded Threat List and Virus Encyclopedia...
    http://www.srnmicro.com/virusinfo/latestvir1.htm
     
    Last edited: Feb 6, 2004
  13. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Last edited: Feb 13, 2004
  14. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    17 February 2004

    New Bagle-B worm spreading, warns Sophos
    Sophos, a world leader in protecting businesses against spam and viruses, is warning of a new worm called Tanx-A (also known as Bagle-B). Sophos has received several reports of this worm spreading in the wild.

    The Tanx-A (Bagle-B) worm spreads via email and arrives with the subject line 'ID' followed by various random characters and the message text 'Yours ID'. An attached .exe file has a randomly generated filename. If run, a remote access component allows hackers to gain remote access to infected computers.

    The worm harvests email addresses from infected PCs and, when forwarding itself on to other computer users, spoofs the "From:" field using addresses found on the computer's hard drive.

    "Bagle-B tries to deceive computer users by spoofing the sender's address, but the worm is easy to spot because of its distinctive subject line," said Carole Theriault, security consultant, Sophos. "The message is simple - don't open unsolicited emails and don't automatically trust emails that appear to come from a known contact. Practising safe computing and blocking executable files at the email gateway will prevent infection from this worm."

    Like its predecessor, Bagle-A, this worm has a built in 'dead date' and has been designed to fall dormant on 25 February 2004.

    Further information and protection against W32/Tanx-A (Bagle-B)
    http://www.sophos.com/virusinfo/analyses/w32tanxa.html
     
  15. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Dear nick,

    W32/Netsky.b@MM is a Medium Risk mass-mailing worm that copies itself to folders named "share" or "sharing" on the infected system. It spreads itself to addresses it steals, spoofing or forging the "from: field" or using the address skynet@skynet.de. The worm also tries to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses on the host computer.

    Caution: An infected email can come from addresses you recognize.


    What to look for:

    Subject/Body: Varies. Examples include:
    - I have your password!
    - about me
    - anything ok?
    - do you?
    - from the chatter
    Attachment: Varies but may have a double extension such as .rtf.pif contained in a .ZIP file.
    Aliases: Moodown.B, I-Worm.Moodown.b

    Up-to-date McAfee VirusScan users with DAT 4325 are protected from this threat.
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101034&cid=9647
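    The Sophos and McAfee notes above (post 14's advice to block executables at the email gateway, and the attachment patterns quoted for Mydoom, Mimail.s and Netsky.b) can be turned into a simple gateway-side screening check. This is an added Python example, not code from any of the vendors or from the poster; the extension lists, lure subjects and the sample ZIP are constructed from the thread's own indicators.

```python
"""Gateway-side attachment screening built from the indicators quoted in this
thread: executable extensions (.exe/.pif/.scr/.cmd), decoy double extensions
(document.txt.scr, .rtf.pif), ZIP wrapping, and the lure subject lines quoted
for Mimail.s, Xombe and the PayPal worm. Added example, not vendor code."""
import io
import zipfile

# Extensions the alerts list as worm carriers (Mydoom, Mimail.s, Netsky.b).
EXECUTABLE_EXTS = {"exe", "pif", "scr", "cmd"}
# Harmless-looking extensions used as the decoy half of a double extension
# (document.txt.scr, photo.jpg.pif, notes.rtf.pif).
DECOY_EXTS = {"txt", "jpg", "gif", "rtf", "doc", "bmp", "pdf"}
# Subject lines quoted verbatim in the thread (compared case-insensitively).
LURE_SUBJECTS = (
    "here is the file you asked for",
    "your paypal.com account expires",
    "windows xp service pack 1 (express) - critical update",
)


def attachment_findings(name: str) -> list:
    """Return the reasons a single attachment filename looks like a lure."""
    parts = name.lower().rsplit(".", 2)  # keep at most the last two extensions
    findings = []
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        findings.append("executable extension ." + parts[-1])
        if len(parts) == 3 and parts[-2] in DECOY_EXTS:
            findings.append("double extension ." + parts[-2] + "." + parts[-1])
    return findings


def archive_findings(data: bytes) -> list:
    """Inspect ZIP payloads, since Mydoom and Netsky.b ship the executable
    inside an archive; anything that is not a ZIP yields no findings."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            findings += ["in archive: " + f for f in attachment_findings(member)]
    return findings


def screen_message(subject: str, attachments: dict) -> list:
    """attachments maps filename -> raw bytes. Returns every finding; an
    empty list means nothing on the thread's indicator list matched."""
    findings = []
    if subject.strip().lower().rstrip(".") in LURE_SUBJECTS:
        findings.append("lure subject: " + subject.strip())
    for name, data in attachments.items():
        findings += attachment_findings(name)
        findings += archive_findings(data)
    return findings


def make_zip(member: str) -> bytes:
    """Constructed sample: a ZIP archive holding one empty member file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"")
    return buf.getvalue()
```

A message such as `screen_message("about me", {"info.zip": make_zip("text.rtf.pif")})` flags the archived .rtf.pif, while a plain PDF with an ordinary subject returns an empty list.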
     
  16. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Hi all
    This is the current security virus update for the 28-2-2004
    This week's report on viruses and intrusions focuses on four worms: Netsky.C, Bizex.A, Nachi.D and Mydoom.F.

    Netsky.C spreads via e-mail (in a message with variable characteristics) and through peer-to-peer file sharing applications. This malicious code deletes registry entries made by several worms including Mydoom.A and Mimail.T. In addition, when the system date is February 26 2004, Netsky.C emits random noises between 6.00 and 8.59 in the morning.

    Bizex.A, on the other hand, spreads through the ICQ instant messaging program. It also downloads and runs a copy of itself by exploiting two recently detected flaws in Internet Explorer.

    Bizex.A tries to steal information that users enter in websites of banks or other financial entities as well as information transmitted via HTTPS (HTTP over Secure Socket Layer) related to the login.yahoo.com and .passport domains. The data gathered is sent to an FTP server.

    The third worm we'll look at in this report is Nachi.D, which spreads to computers with Windows 2003, XP, 2000 or NT. In order to spread as widely as possible it downloads a copy of itself by exploiting three vulnerabilities: Buffer Overrun in RPC Interface, WebDAV and Workstation Service Buffer Overrun. This action causes an increase in network traffic through TCP ports 80, 135 and 445.

    Nachi.D can uninstall the A and B variants of Mydoom and Doomjuice, terminating their processes and removing any associated files. When the system date is June 1 or later, Nachi.D deletes itself.

    Finally, we'll look at the F variant of Mydoom, which spreads in an e-mail message with variable characteristics. This is a destructive worm which deletes all files with any of the following extensions: AVI, BMP, DOC, JPG, MDB, SAV and XLS.

    Mydoom.F installs a DLL which opens a backdoor and allows antivirus processes to be terminated, which leaves the PC vulnerable to attack from other malware. When the system date is between the 17th and 22nd of any month (and year) this worm carries out a distributed denial of service attack (DDoS) against w w w.microsoft.com and w w w.riaa.com (two out of three of the attacks are against Microsoft).

    In seven out of ten cases, Mydoom.F displays an error message in the infected computer.
    And lastly, don't forget to keep your anti-virus updated at all times.
     
    Last edited: Feb 28, 2004
  17. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Hi all
    We have a major outbreak as from today with the following viruses
    W32/Bagle-H - 1 Mar (17:15)
    W32/Netsky-E - 1 Mar (11:38)
    W32/Netsky-D - 1 Mar (04:26)
    W32/Bagle-G - 1 Mar (00:18)
    W32/Bagle-F
    Netsky.D and Bagle.E are spreading rapidly around the world.
    Netsky.D reaches computers in an e-mail message whose subject, message body and attached file are selected at random from a list of options. Unlike the C variant, Netsky.D launches eight simultaneous threads, which means that from each infected computer, it will send at least eight times more infected mails.

    Bagle.E is a worm that spreads via e-mail in a message with variable characteristics, and an attached file that has an icon similar to the one belonging to Windows Notepad. Bagle.E contains a backdoor which opens the TCP port 2745. It attempts to connect to several web pages that host a PHP script. By doing this, Bagle.E notifies its author that the affected computer can be accessed through the port mentioned above.
    Will you all make sure that you have updated your virus software.
    Regards
     
    Last edited: Mar 1, 2004
  18. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    This is a virus alert for six new variants of the Bagle
    family and two new variants of the Netsky family:

    W32/Bagle.C@mm
    W32/Bagle.D@mm
    W32/Bagle.E@mm
    W32/Bagle.F@mm
    W32/Bagle.G@mm
    W32/Bagle.H@mm
    W32/Netsky.D@mm
    W32/Netsky.E@mm

    These new variants started spreading between 28 February and
    1 March 2004.

    Risk:
    Most of these new variants are rated low risk and would not
    warrant a virus alert on their own. Given the number of new
    variants in a relatively short span of time, however, there
    is reason for computer users to be careful.

    Recommended Reactions:
    Users of antivirus software should update their virus signature
    files immediately. These variants are all detected by
    antivirus software using virus signature files dated 1 March 2004 and
    later. Note that multiple virus signature files were
    released between 28 February and 1 March, each of which
    detected all the variants that had been discovered at the
    time of their release.

    More information on these new variants of the Bagle and
    Netsky families can be found at http://www.f-prot.com/virusinfo/

    --
    F-Prot Antivirus Alert Service
    http://www.f-prot.com
     
  19. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Hi all
    Please be aware that there is intense virus activity at the present time. And just a reminder to you all to keep checking that you have installed the latest updates, as they will be coming through very fast today and at regular intervals.
    regards
     
  20. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    ATTENTION EVERYONE
    With regards to my post above, the situation has continued to deteriorate throughout the day. Do please make sure that you check and update at least every 2 to 3 hours. Even though you may have your settings on automatic, it is most wise to check the website and confirm to yourself that you are up to date with your virus signatures, and if not, download the updates manually.
    regards
     
