
Major Security / Virus Warnings

Discussion in 'Virus Software Updates (Read Only)' started by NICK ADSL UK, Dec 22, 2003.

  1. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    MAJOR SECURITY VIRUS WARNINGS will be posted here as and when I receive them. It is very important to follow the recommendations of the authors of the relevant software involved.

    Regards
     
    Last edited: Nov 4, 2006
  2. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    This is a virus alert for W32/Sober.C, a new Sober variant
    first detected on 20 December 2003. This worm has gained
    considerable momentum in recent days, particularly in German
    speaking areas.

    Risk:
    Due to its distribution W32/Sober.C@mm is estimated to be
    medium risk.

    Recommended Reactions:
    Users of F-Prot Antivirus should update their virus signature
    files immediately. W32/Sober.C is detected by F-Prot
    Antivirus using virus signature files dated 20 December 2003
    and later.

    --
    F-Prot Antivirus Alert Service
    http://www.f-prot.com
     
  3. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Common name: Jitux.A

    Technical name: W32/Jitux.A.worm

    Threat level: High

    Type: Worm

    Subtype: Trojan

    Effects:
    It spreads via MSN Messenger. It goes memory resident and sends messages every five minutes.



    Affected platforms: Windows 2003/XP/2000/NT/ME/98/95


    First appeared on: Dec. 30, 2003

    In circulation? Yes


    Brief Description




    Jitux.A is a worm that spreads via the instant messaging program MSN Messenger in a message that only contains a link to the web page . When the user visits this web page, a file called JITUXRAMON.EXE is downloaded.

    Once the file JITUXRAMON.EXE is run, the computer is affected. Jitux.A goes memory resident and sends the message specified above to all the active contacts in Messenger's Contact list every five minutes.


    Visible Symptoms

    Jitux.A is easy to recognize, as it reaches the computer when the user visits a link contained in a message received via MSN Messenger:







    Last updated: Dec. 30, 2003

    Source courtesy of panda software
     
  4. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Current Virus Warnings
    Win32.HLLM.Foo.25632
    (W32.Paylap@mm, Win32/Mimail.Variant.Worm, JS.Mimail.I)

    The worm spreads as an attachment to a mail message.
    The worm is using its own SMTP server.
    To get the user to launch the attachment containing the worm's body, named PATPAL.ASP.SCR, the attacker employs a social-engineering technique. The subject YOUR PAYPAL.COM ACCOUNT EXPIRES and the message body, sent as if by the administrator of the online payment company PayPal, serve to persuade the user to open the infected file.

    Mail format:

    From: payPal.com
    To: donotreply@paypal.com
    Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
    Mail text:
    Dear PayPal member,

    PayPal would like to inform you about some important information regarding your PayPal account. This account, which is associated with the email address

    <your@EMail.Address.is.here>

    will be expiring within five business days....

    Attached file: www.paypal.com.scr


    The worm is activated only if the user opens the false form!



    Win32.HLLM.Foo.25632 is detected and disinfected by Dr.Web since November 14, 2003.
    If the SpIDer Mail module is active, it protects against all messages infected by this worm.
    INFORMATION COURTESY OF DR WEB SOFTWARE
     
  5. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Trojan.Xombe is a Trojan horse that has at least two components: a 4,096 byte downloader and a 27,136 byte Trojan. The downloader component will retrieve the Trojan file from a predetermined Web site.

    The download component has been distributed in an unsolicited email, purporting to be a security update for Windows XP, sent by Microsoft.

    The email has the following characteristics:

    From: windowsupdate@microsoft.com
    Subject: Windows XP Service Pack 1 (Express) - Critical Update.
    Attachment: winxp_sp1.exe(4,096 KB)

    The Trojan is packed with UPX.


    Also Known As: Xombe [FSecure], Downloader-GJ [McAfee], Troj/Dloader-L [Sophos]
    Type: Trojan Horse
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
    Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x

    INFORMATION COURTESY OF NORTON
    Please note
    Microsoft never sends patches or updates via email, so users should be aware that any such message and its attached file is probably an attempt to compromise the security of their systems.
     
  6. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    ATTENTION TO EVERYONE

    This is a virus alert for W32/Bagle.A@mm a new mass-mailing
    worm first detected on 18 January 2004. This worm has rapidly
    gained momentum over the past 24 hours and has spread
    considerably.

    Risk:
    Due to its distribution W32/Bagle.A@mm is estimated to be
    medium risk.

    Recommended Reactions:
    Users of all antivirus software should update their virus signature
    files immediately. W32/Bagle.A is detected by antivirus
    software using virus signature files dated 19 January 2004
    and later.
     
    Last edited: Jan 19, 2004
  7. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    ATTENTION TO EVERYONE WILL YOU PLEASE MAKE SURE YOUR ANTI VIRUS IS UP TO DATE WITH THE LATEST SIGNATURE FILES
    This is a virus alert for W32/Mydoom.A@mm, a new mass-mailing
    worm first detected on 26 January 2004. This worm has rapidly
    gained momentum in the last few hours and has spread
    considerably.

    Risk:
    Due to its distribution W32/Mydoom.A@mm is estimated to be
    medium risk.
     
  8. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Dear nick,
    HI EVERYONE PLEASE NOTE THAT THIS WORM IS NOW HIGH RISK
    W32/Mydoom@MM is a HIGH-OUTBREAK mass-mailing worm flooding email servers worldwide. When run, the worm steals email addresses from the infected machine and also automatically generates random email addresses for propagation. This email generation engine is similar to technologies spammers use to generate addresses for spam email campaigns.

    W32/Mydoom@MM generates emails with a spoofed "From: field", so incoming messages may appear to be from people you know. Furthermore, the subject line and message body are both randomly generated by the worm.


    Caution—An infected email can come from addresses you recognize and may contain the following information:

    From: randomly generated (spoofed)
    Subject: randomly generated
    Body: randomly generated—examples:

    The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
    The message contains Unicode characters and has been sent as a binary attachment.
    Mail transaction failed. Partial message is available.

    Attachment: randomly generated
    The icon used by the file tries to make it appear as if the attachment is a text file. The attachment type varies [.exe, .pif, .cmd, .scr]—often arrives in a ZIP archive. (filesize = 22,528 bytes)

    Aliases: Novarg, W32.Novarg.A@mm, Win32/Shimg, WORM_MIMAIL.R

    INFORMATION KINDLY SENT TO ME FROM McAfee
     
    Last edited: Jan 27, 2004
  9. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    HI EVERYONE PLEASE NOTE THAT THIS WORM W32/Mydoom@MM is still high risk
     
  10. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    NEW RISK FOR THE 30-1-04
    Dear nick,

    W32/Mimail.s@MM is a Medium Risk mass-mailing worm that tries to steal credit card information by displaying a fake Microsoft Windows license expiration message. Stolen credit card numbers are sent to addresses within the domains @mail15.com and @ziplip.com.

    W32/Mimail.s@MM also forwards itself to contacts it steals from the infected machine.

    Caution: Watch out for emails with "here is the file you asked for" in the subject line or body. They may contain an attachment with the W32/Mimail.s@MM worm.


    What to look for:

    From: An infected email can come from people you know.
    Subject: here is the file you asked for
    Body: Hi! Here is the file you asked for!
    Attachment: example--document.txt.scr
    possible file extensions used: .pif, .scr, .exe, .jpg.scr, .jpg.pif, .jpg.exe, .gif.exe, .gif.pif, .gif.scr
    Aliases: W32.Mimail.R@mm

    INFORMATION KINDLY SENT TO ME FROM McAfee
     
  11. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    31-1-04
    HI EVERYONE PLEASE NOTE THAT THIS WORM W32/Mydoom@MM IS STILL VERY HIGH RISK
     
  12. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    THIS IS THE LATEST UPDATE FOR ALL THE MAJOR VIRUSES AT THE PRESENT TIME. For the Expanded Threat List and Virus Encyclopedia please see the link below

    VIRUS NAME | ALIASES | THREAT LEVEL
    W32.Novarg.A@mm | I-Worm/Novarg, W32/Mydoom-A, W32/Mydoom@mm, WORM_MIMAIL.R | High
    W32.Beagle.A@mm | I-Worm/Bagle, W32/Bagle-A, W32/Bagle@mm, WORM_BAGLE.A | Medium
    Downloader-GN | TrojanDownloder.Win32.Small.cz, TrojanDownloaer.Win32.Mimail, Troj/Mmdload-A, Downloader.Mimail.B | Low
    W32.Mimail.J@mm | I-Worm/Mimail.J, W32/Mimail-J, W32/Mimail.J@mm, WORM_MIMAIL.J, Mimail.I | Medium
    W32.Mimail.C@mm | I-Worm/Mimail.C, W32/Mimail-C, W32/Mimail.c@mm, WORM_MIMAIL.C, I-Worm.NetWatch | Medium
    W32.Swen.A | Swen, W32/Gibe.E-mm, I-Worm.Swen, W32/Gibe-F, WORM_SWEN.A | High
    W32.Sluter.B | W32.Randex.F, W32/Sluter-B, Backdoor.Sdbot.gen | Medium
    Backdoor.Apdoor.c | Bck/Apdoor.c, W32/Apdoor.C | Low
    W32.Dumaru@mm | I-Worm/Dumaru, WORM_DUMARU.A, W32/Dumaru-A, W32/Dumaru@mm | Medium
    W32.Sobig.F@mm | I-Worm/Sobig.F, WORM_SOBIG.F, Sobig.F, W32/Sobig-F, W32/Sobig.F | Medium
    W32.Welchia.Worm | I-Worm/Generic, WORM_MSBLAST.D, Lovsan.D, W32/Nachi-A | High
    W32.Blaster.C.Worm | W32/Lovsan.C.Worm, I-Worm/Generic, Worm/Lovsan.B, W32/Blaster-B, WORM_MSBLAST.C | Medium
    W32.Blaster.Worm | Worm/Lovsan, W32/Blaster-A, W32/Lovsan.Worm, WORM_MSBLAST.A, Blaster, Lovesan, Win32.Poza | High
    W32.Mimail.A@mm | I-Worm/Mimail, W32/Mimail-A, W32/Mimail@mm, WORM_MIMAIL.A, TrojanDropper.Js.Mimail | Medium
    Trojan.W32.Webber | Downloader-DI, TrojanProxy.Win32.Webber, Troj/Webber-A, Trojan.Download.Berbew | Medium
    W32.Mylife.N@mm | I-Worm/Mylife.N, W32/Mylife-M, Win32.Mylife.M | Low
    W32.Mumu.B.Worm | Mumu.B, WORM_MUMU.A, W32.Mumu-C | Low
    W32.Sobig.E@mm | I-Worm.Sobig.gen, WORM_SOBIG.E, W32/Sobig-E, Sobig.E Worm | High
    W32.Yaha.T@mm | I-Worm.Lentin.gen, W32/Yaha-T, W32/Yaha.T@mm, Yaha.T | Low
    W32.Mapson@mm | I-Worm.Mapson, W32/Mapson-A, WORM_MAPSON.A, W32/Mapson.Worm, W32/Lorraine | Medium
    W32.Sobig.D@mm | I-Worm.Sobig.gen, WORM_SOBIG.D, W32/Sobig-D, Sobig.D Worm | Low
    W32.Sobig.C@mm | I-Worm.Sobig.c, WORM_SOBIG.C, W32/Sobig-C, Sobig.C Worm | Low
    W32.Bugbear.B@mm | I-Worm.Bugbear.B, W32/Bugbear-B, WORM_BUGBEAR.B, Tanatos.b | High
    JS/Fortnight.B | JS.Fortnight.M, JS/Fortnight.D, EML.Fortnight, Fortnight.C | Medium
    W32.Yaha.P@mm | I-Worm.Lentin.m, I-Worm/Yaha.P, W32/Yaha-P, WORM_YAHA.P | Low
    W32.Lovegate.F@mm | I-Worm/Lovegate, I-Worm.Supnot.f, WORM_LOVGATE.F, W32.HLLW.LoveGate.G@mm | Medium
    W32.Palyh@mm | I-Worm.Palyh, WORM_SOBIG.B, W32/Palyh-A, W32.HLLW.Mankx@mm, Sobig.B Worm | Low
    W32.Fizzer@mm | I-Worm/Fizzer, WORM_FIZZER.A, W32.HLLW.Fizzer@mm, W32.Fizzer-A | Low
    W32.Yaha.K@mm | I-Worm.Lentin.I, W32/Yaha-M, WORM_YAHA.K, Yaha.K | Medium
    W32.Lirva.A@mm | I-Worm.Lirva, W32/Avril-A, WORM_LIRVA.A, W32.Naith.A | Low
    W32.Bugbear@mm | I-Worm.Bugbear, W32/Bugbear-A, WORM_BUGBEAR.A, Tanatos | Medium
    W32.Yaha.E@mm | I-Worm.Lentin.g, W32/Yaha-E, WORM_YAHA.G, Yaha.E | Medium
    Worm/Opaserv.K | Opaserv.K, WORM_OPASERV_K, W32.Opaserv.M.Worm | Medium
    Worm/Opaserv.E | Opaserv.E, WORM_OPASERV_E, W32.Opaserv.E.Worm | Medium

    Expanded Threat List and Virus Encyclopedia...
    http://www.srnmicro.com/virusinfo/latestvir1.htm
     
    Last edited: Feb 6, 2004
  13. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Last edited: Feb 13, 2004
  14. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    17 February 2004

    New Bagle-B worm spreading, warns Sophos
    Sophos, a world leader in protecting businesses against spam and viruses, is warning of a new worm called Tanx-A (also known as Bagle-B). Sophos has received several reports of this worm spreading in the wild.

    The Tanx-A (Bagle-B) worm spreads via email and arrives with the subject line 'ID' followed by various random characters and the message text 'Yours ID'. The attached .exe file has a randomly generated filename. If run, a remote access component allows hackers to gain remote access to infected computers.

    The worm harvests email addresses from infected PCs and, when forwarding itself on to other computer users, spoofs the "From:" field using addresses found on the computer's hard drive.

    "Bagle-B tries to deceive computer users by spoofing the sender's address, but the worm is easy to spot because of its distinctive subject line," said Carole Theriault, security consultant, Sophos. "The message is simple - don't open unsolicited emails and don't automatically trust emails that appear to come from a known contact. Practising safe computing and blocking executable files at the email gateway will prevent infection from this worm."

    Like its predecessor, Bagle-A, this worm has a built in 'dead date' and has been designed to fall dormant on 25 February 2004.

    Further information and protection against W32/Tanx-A (Bagle-B)
    http://www.sophos.com/virusinfo/analyses/w32tanxa.html
     
  15. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Dear nick,

    W32/Netsky.b@MM is a Medium Risk mass-mailing worm that copies itself to folders named "share" or "sharing" on the infected system. It spreads itself to addresses it steals, spoofing or forging the "from: field" or using the address skynet@skynet.de. The worm also tries to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses on the host computer.

    Caution: An infected email can come from addresses you recognize.


    What to look for:

    Subject/Body: Varies. Examples include:
    -I have your password!
    -about me
    -anything ok?
    -do you?
    -from the chatter
    Attachment: Varies but may have a double-extension such as .rtf.pif contained in a .ZIP file.
    Aliases: Moodown.B, I-Worm.Moodown.b

    Up-to-date McAfee VirusScan users with DAT 4325 are protected from this threat.
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101034&cid=9647
     
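Several of the alerts above describe the same lure: an executable attachment whose name either has a plain .exe/.pif/.scr/.cmd extension (Mydoom, post 8), a double extension such as document.txt.scr or .jpg.pif (Mimail.s, post 10), or a double-extension file hidden inside a .ZIP (Netsky.b, post 15), which is exactly what Sophos's advice to "block executable files at the email gateway" (post 14) is aimed at. The following is an added example, not code from the page or from any of the vendors quoted: a small gateway-style check that parses an RFC 822 message with Python's standard library, classifies each attachment by name, and looks one level inside ZIP attachments. The sample message, its addresses and its two-byte "executables" are constructed for the demo; the extension lists are my own choice, not a vendor's signature.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# File extensions Windows executes directly: the worms in this thread arrive as
# .exe, .pif, .scr or .cmd files, sometimes wrapped in a ZIP archive.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "cmd", "bat", "com"}
# Decoy extensions seen in double-extension names such as document.txt.scr
DECOY_EXTS = {"txt", "doc", "rtf", "jpg", "gif", "htm", "html", "pdf"}


def classify_name(name: str) -> Optional[str]:
    """Return why a file name is risky, or None if it looks harmless."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) == 3 and parts[1] in DECOY_EXTS:
        return f"double extension .{parts[1]}.{ext}"
    return f"executable extension .{ext}"


def scan_attachment(filename: str, payload: bytes) -> List[str]:
    """Check one attachment by name; for ZIPs, also check the member names."""
    findings = []
    reason = classify_name(filename)
    if reason:
        findings.append(f"{filename}: {reason}")
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                for member in archive.namelist():
                    inner = classify_name(member)
                    if inner:
                        findings.append(f"{filename}!{member}: {inner}")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: not a valid ZIP archive")
    return findings


def scan_message(raw: bytes) -> List[str]:
    """Scan every attachment of an RFC 822 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.extend(scan_attachment(name, payload))
    return findings


def build_sample() -> bytes:
    """Constructed test message modelled on the Netsky.B / Mimail lures above.

    Neither attachment is real malware: the 'executables' are two dummy bytes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("about_me.rtf.pif", b"MZ")
    msg = EmailMessage()
    msg["From"] = "skynet@skynet.de"  # the address the Netsky.B alert says it forges
    msg["To"] = "victim@example.com"
    msg["Subject"] = "about me"
    msg.set_content("Hi! Here is the file you asked for!")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="about_me.zip")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="document.txt.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in scan_message(build_sample()):
        print(line)
```

The check is deliberately name-based: that is all a 2004-era gateway could do cheaply, and it is what "block executable files at the gateway" means in practice. It does not open nested archives or password-protected ZIPs, and it does nothing about the spoofed From: header the alerts warn about; a content check (the MZ header) and sender authentication would be separate layers.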
  16. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Hi all
    This is the current security virus update for the 28-2-2004
    This week's report on viruses and intrusions focuses on four worms: Netsky.C, Bizex.A, Nachi.D and Mydoom.F.

    Netsky.C spreads via e-mail, in a message with variable characteristics, and through peer-to-peer file sharing applications. This malicious code deletes registry entries made by several worms including Mydoom.A and Mimail.T. In addition, when the system date is February 26 2004, Netsky.C emits random noises between 6.00 and 8.59 in the morning.

    Bizex.A, on the other hand, spreads through the ICQ instant messaging program. It also downloads and runs a copy of itself by exploiting two recently detected flaws in Internet Explorer.

    Bizex.A tries to steal information that users enter in websites of banks or other financial entities as well as information transmitted via HTTPS (HTTP over Secure Socket Layer) related to the login.yahoo.com and .passport domains. The data gathered is sent to an FTP server.

    The third worm we'll look at in this report is Nachi.D, which spreads to computers with Windows 2003, XP, 2000 or NT. In order to spread as widely as possible it downloads a copy of itself by exploiting three vulnerabilities: Buffer Overrun in RPC Interface, WebDAV and Workstation Service Buffer Overrun. This action causes an increase in network traffic through TCP ports 80, 135 and 445.

    Nachi.D can uninstall the A and B variants of Mydoom and Doomjuice, terminating their processes and removing any associated files. When the system date is June 1 or later, Nachi.D deletes itself.

    Finally, we'll look at the F variant of Mydoom, which spreads in an e-mail message with variable characteristics. This is a destructive worm which deletes all files with any of the following extensions: AVI, BMP, DOC, JPG, MDB, SAV and XLS.

    Mydoom.F installs a DLL which opens a backdoor and allows antivirus processes to be terminated, which leaves the PC vulnerable to attack from other malware. When the system date is between the 17th and 22nd of any month (and year) this worm carries out a distributed denial of service attack (DDoS) against www.microsoft.com and www.riaa.com (two out of three of the attacks are against Microsoft).

    In seven out of ten cases, Mydoom.F displays an error message on the infected computer.
    And lastly don't forget to keep your anti virus updated at all times
     
    Last edited: Feb 28, 2004
  17. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Hi all
    We have a major outbreak as from today with the following viruses
    W32/Bagle-H - 1 Mar (17:15)
    W32/Netsky-E - 1 Mar (11:38)
    W32/Netsky-D - 1 Mar (04:26)
    W32/Bagle-G - 1 Mar (00:18)
    W32/Bagle-F
    Netsky.D and Bagle.E are spreading rapidly around the world.
    Netsky.D reaches computers in an e-mail message whose subject, message body and attached file are selected at random from a list of options. Unlike the C variant, Netsky.D launches eight simultaneous threads, which means that from each infected computer it will send at least eight times more infected mails.

    Bagle.E is a worm that spreads via e-mail in a message with variable characteristics, and an attached file that has an icon similar to the one belonging to Windows Notepad. Bagle.E contains a backdoor which opens the TCP port 2745. It attempts to connect to several web pages that host a PHP script. By doing this, Bagle.E notifies its author that the affected computer can be accessed through the port mentioned above.
    Will you all make sure that you have updated your virus software
    Regards
     
    Last edited: Mar 1, 2004
  18. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    This is a virus alert for six new variants of the Bagle
    family and two new variants of the Netsky family:

    W32/Bagle.C@mm
    W32/Bagle.D@mm
    W32/Bagle.E@mm
    W32/Bagle.F@mm
    W32/Bagle.G@mm
    W32/Bagle.H@mm
    W32/Netsky.D@mm
    W32/Netsky.E@mm

    These new variants started spreading between 28 February and
    1 March 2004.

    Risk:
    Most of these new variants are rated low risk and would not
    warrant a virus alert on their own. Given the number of new
    variants in a relatively short span of time, however, there
    is reason for computer users to be careful.

    Recommended Reactions:
    Users of Antivirus should update their virus signature
    files immediately. These variants are all detected by
    Antivirus using virus signature files dated 1 March 2004 and
    later. Note that multiple virus signature files were
    released between 28 February and 1 March, each of which
    detected all the variants that had been discovered at the
    time of their release.

    More information on these new variants of the Bagle and
    Netsky families can be found at http://www.f-prot.com/virusinfo/

    --
    F-Prot Antivirus Alert Service
    http://www.f-prot.com
     
  19. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Hi all
    Please be aware that there is intense virus activity at the present time. And just a reminder to you all to keep checking that you have installed the latest updates as they will be coming through very fast today and at regular intervals
    regards
     
  20. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    ATTENTION EVERYONE
    With regards to my post above, the situation has continued to deteriorate throughout the day. Do please make sure that you check and update at least every 2 to 3 hours. Even though you may have your settings on automatic, it is most wise to check the website and confirm to yourself that you are up to date with your virus signatures, and if not, download the updates manually.
    regards
     
  21. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    ATTENTION EVERYONE
    Virus Profile

    Virus Information
    Name: W32/Bagle.n@MM
    Risk Assessment
    - Home Users: Medium
    - Corporate Users: Medium
    Date Discovered: 3/13/2004
    Date Added: 3/13/2004
    Origin: Unknown
    Length: 21kb
    Type: Virus
    SubType: E-mail worm
    DAT Required: 4337

    Virus Characteristics

    -- Update March 13,2004 --
    Due to increasing prevalence the risk assessment for W32/Bagle.n@MM has been raised to Medium.

    PLEASE MAKE SURE YOUR ANTI VIRUS IS UPDATED AT ALL TIMES
     
  22. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    HI EVERYONE
    Please note there is a very high level of virus activity today, the 18-3-04. So just a reminder to you all to make sure you check at your virus software site to make sure you are up to date with your signatures. All virus software has been updated today more than once, and in the case of NOD five times and KAV 10 times, so don't forget to keep checking.


    This is a virus alert for four new variants of the Bagle
    family:

    W32/Bagle.Q@mm
    W32/Bagle.R@mm
    W32/Bagle.S@mm
    W32/Bagle.T@mm

    These variants started spreading on 18 March 2004.

    Risk:
    These new variants are rated low risk and would not warrant a
    virus alert on their own. However, given the number of new
    variants in a relatively short span of time there is reason
    for computer users to be careful.

    Recommended Reactions:
    Users of F-Prot Antivirus should update their virus signature
    files immediately. These variants are all detected by F-Prot
    Antivirus using virus signature files dated 18 March 2004 and
    later.
     
  23. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    SECURITY UPDATE FOR THE 19-3-04


    Three new twists in Bagle virus saga
    PETALING JAYA: Antivirus vendors said they have detected the appearance of new Q, R and S variants of the Bagle worm.

    The most dangerous of the three is variant Q, which was spreading very rapidly, Panda Software Malaysia said in a statement last night.

    Bagle.Q spreads via e-mail in a message with extremely variable characteristics. The e-mail message, however, does not include an attached file carrying the worm.

    Instead it uses a "carrier e-mail" method to bypass antivirus protection, said British security software vendor Sophos.

    When you open a carrier e-mail, it attempts to exploit a vulnerability in Microsoft Outlook which automatically downloads Bagle.Q from the PC which sent you the "carrier" e-mail.

    The downloaded copy of Bagle.Q is placed into your system folder with the name "directs.exe".

    It then loads on your PC and terminates a wide range of security applications. It also makes multiple copies of itself into folders which are likely to be part of a file-sharing network, as well infecting programs on your PC by appending itself to existing .exe files -- this is called a "parasitic virus infection," said Sophos.

    Panda Software said the carrier e-mail includes HTML code which can be used to download the file carrying the malicious code from the Internet onto the affected computer.

    The R and S variants do not seem to be spreading as rapidly, the company said.

    Users can detect and disinfect these and other malicious code by downloading the free Panda ActiveScan from www.pandasoftware.com.

    You can also get more information on Bagle.Q, Bagle.R and Bagle.S from Panda Software's Virus Encyclopaedia at www.pandasoftware.com/virus_info/encyclopedia/.

    Sophos has published an identity to allow Sophos Anti-Virus to detect and disinfect this virus; it is available at www.sophos.com/virusinfo/analyses/w32bagleq.html.

    The company also advised users to get and apply the latest Internet Explorer and Outlook Express patches from Microsoft. This would prevent the automatic download of the virus.

    Sysadmins should also disallow connections to TCP port 81 on their network firewall.

    Blocking outbound port 81 connections stops computers on the network from downloading the worm from outside. Blocking inbound port 81 connections means that even if you do get infected you will not pass the virus on to others, Sophos said.
     
  24. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    SECURITY UPDATE FOR THE 23-3-04
    Virus Profile

    Virus Information
    Name: W32/Netsky.p@MM
    Risk Assessment
    - Home Users: Medium
    - Corporate Users: Medium
    Date Discovered: 3/21/2004
    Date Added: 3/21/2004
    Origin: Unknown
    Length: 29,568 bytes (mailed)
    26,624 bytes (dropped)
    Type: Internet Worm
    SubType: E-mail worm
    DAT Required: 4340

    -- Update 22nd March 06:20 PST --
    Due to increased prevalence, this threat has had its risk assessment raised to MEDIUM.

    Dear nick:

    Another variant of the W32/Netsky.MM virus, W32/Netsky.p@MM is a Medium Risk mass-mailing worm that arrives inside a .ZIP attachment (e.g., your_document.zip) and spreads itself by stealing email addresses from the infected computer, spoofing or forging the "from: field." Besides using its own SMTP engine, W32/Netsky.p@MM also propagates via peer-to-peer networks (e.g., Morpheus, Kazaa) by copying itself to shared file directories -- often with a celebrity (e.g., Britney Spears, Eminem) as part of the filename.

    Note: W32/Netsky.p@MM takes advantage of vulnerable versions of Internet Explorer 5.01 and 5.5 to automatically execute the virus on a user's system. McAfee recommends running Windows Update to ensure you have the latest patches for Internet Explorer.

    Up-to-date McAfee VirusScan users with DAT 4340 are protected from this threat.
     
  25. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    The latest variant of W32/Bagle@MM, W32/Bagle.u@MM, is a Medium Risk mass-mailing worm that: 1) installs a dangerous backdoor Trojan-horse program that opens TCP port 4751, 2) opens the Windows game Hearts (if present on the system), and 3) sends itself to email addresses stolen from an infected machine. It arrives as an attachment in an email with a blank subject line and blank body text.
    Learn More about W32/Bagle.u@MM
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101141&cid=9929
     
  26. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Dear nick,

    Worm.Win32.Sober.E Alert!
    Worm.Win32.Sober.E is the 5th variant of the highly spread Sober worm and was first seen by our analysts on 03/28/2004 at 2:30pm CET. Like its predecessors, its origin could be found in one of the German-speaking countries. The worm is coded in Visual Basic 6 and is packed using UPX. The file size of the packed worm file is 30,720 bytes.

    Infection
    Worm.Win32.Sober.E comes to your PC via email. Worm mails have the following layout; one option from each of the subject, mail body and attachment lists is chosen to generate the mail:

    Subject:
    HEY
    hey?
    Hey!
    OK Ok OK!
    OK OK
    Ok ;-)
    Hi :)
    hi
    Hi
    thx
    Thx!
    THX
    Thx !!!

    Mail body:
    ;-)
    ha!
    HA :)
    yo!
    lol
    LoL
    LOL
    Yo!

    Attachment name:
    Text.zip
    Text.pif
    Read.zip
    Read.pif
    Graphic-doc.zip
    Graphic-doc.pif
    document.zip
    document.pif
    Word.zip
    Word.pif

    Sober.E can be detected and removed with a² with the latest signature updates loaded. The a² background guard blocks the worm immediately if it is started.

    A more detailed description of the worm can be found at the a² Malware Database:
    http://www.emsisoft.com/en/malware/?Worm.Win32.Sober.E


    Sincerely yours,

    Your a² Team
    http://www.emsisoft.com
     
  27. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Dear nick:

    Another variant of the W32/Netsky.MM virus, W32/Netsky.q@MM is a Medium Risk mass-mailing worm that arrives inside a .ZIP, .PIF, .SCR or .EML attachment and spreads itself by stealing email addresses from the infected computer, spoofing or forging the "from: field." The worm includes the recipient's name, surrounded by percentage symbols, in the message subject line.

    Note: Like W32/Netsky.p@MM, W32/Netsky.q@MM takes advantage of vulnerable versions of Internet Explorer 5.01 and 5.5 to automatically execute the virus on a user's system. McAfee recommends running Windows Update to ensure you have the latest patches for Internet Explorer.
    Learn More about W32/Netsky.q@MM
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101145&cid=9938
     
  28. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Security warning for the 6-4-04
    Please note that there is a new Bugbear threat, so please make sure you keep up to date with your virus signature updates :)
     
  29. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Another variant of the W32/Netsky.MM virus, W32/Netsky.s@MM is a Medium Risk mass-mailing worm that arrives inside a .PIF attachment. When run, the worm tries to open a backdoor on TCP Port 6789, which can help a remote hacker download and execute potentially malicious programs on the infected system. W32/Netsky.s@MM will also launch a Denial of Service attack on various domains, including www.kazaa.com, starting in mid-April. The worm spreads itself by stealing email addresses from the infected computer, spoofing or forging the "from: field."
    For further info
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101156&cid=9997
     
  30. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Win32.Netsky.V
    Detection Published: April 14, 2004
    Description Modified: April 15, 2004
    Category: Win32
    Also known as: HTML.Netsky.V, JS.Netsky.V, Win32/NetSky.V.Worm, W32/Netsky.v@MM (McAfee), I-Worm.Netsky.w (Kaspersky)
    Netsky.V is a worm that propagates by exploiting an object tag vulnerability. E-mail sent by the worm points to an IP address containing the worm executable and exploit script. This script exploits the vulnerability to download and execute the worm locally. The worm is a 19,432 byte, UPX-packed, encrypted, Win32 executable.
    When executed, Netsky.V copies itself to
    %Windows%\KasperskyAVEng.exe
    and modifies the registry to ensure that this copy is executed at each Windows start:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = "%Windows%\KasperskyAVEng.exe"
    Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95,98 and ME is C:\Windows; and for XP is C:\Windows.
    The worm creates a mutex "_-=oOOSOkOyONOeOtOo=-_" to ensure only one copy of the worm is running on the system.
    It also creates a further copy of itself to %Windows%\skyav.tmp.
    Please note the risk factor of this worm has been raised to medium.
     
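The Netsky.V description above gives two host indicators a defender can check for: a copy of the worm written directly into the Windows folder (%Windows%\KasperskyAVEng.exe, plus %Windows%\skyav.tmp) and a Run-key value that starts it at boot. The script below is an added example, not code from the MajorGeeks post or from any vendor: it parses text in the shape of `reg query HKLM\...\Run` output and flags values that point at those filenames or at an executable sitting in the Windows root rather than a program directory. The sample output, the value names (the post does not give the Run value's name) and the environment variables are all constructed for the example.

```python
"""Audit Run-key values for the persistence pattern the Netsky.V description gives.

Added example, not the post's or any vendor's code. Input is text shaped like
`reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run`; the sample
and the value names below are constructed (the post does not name the value).
"""
import re
from pathlib import PureWindowsPath

# Filenames the post attributes to Netsky.V, compared case-insensitively.
KNOWN_NETSKY_V_NAMES = {"kasperskyaveng.exe", "skyav.tmp"}

# Constructed sample: one legitimate entry, one Netsky.V-style entry, one
# legitimate entry that lives under the Windows folder but in system32.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    "%ProgramFiles%\Windows Defender\MSASCuiL.exe" /quiet
    KasperskyAVEng    REG_SZ    C:\WINDOWS\KasperskyAVEng.exe
    Updater           REG_SZ    C:\WINDOWS\system32\wuauclt.exe
"""

# Constructed environment so the audit runs offline on any operating system.
SAMPLE_ENV = {"SystemRoot": r"C:\WINDOWS", "ProgramFiles": r"C:\Program Files"}


def parse_run_entries(reg_text):
    """Return (value_name, reg_type, data) for each value line of reg query output."""
    entries = []
    for line in reg_text.splitlines():
        if not line.startswith("    "):
            continue  # key header or blank line, not a value
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            entries.append(tuple(parts))
    return entries


def expand_env(data, env):
    """Expand %NAME% references using the supplied (not the live) environment."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), data)


def executable_path(data, env):
    """Pull the program path out of a Run value, quoted or bare, dropping arguments."""
    data = expand_env(data, env).strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.(?:exe|tmp|scr|pif|com|bat))(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]


def audit_run_entries(reg_text, env, windows_dir=r"C:\WINDOWS"):
    """Flag Run values by known Netsky.V filename or by 'executable in Windows root'.

    The second rule is a heuristic (legitimate software rarely installs there),
    so findings carry their reasons for an analyst to weigh.
    """
    findings = []
    win = PureWindowsPath(windows_dir)  # PureWindowsPath compares case-insensitively
    for name, _reg_type, data in parse_run_entries(reg_text):
        path = PureWindowsPath(executable_path(data, env))
        reasons = []
        if path.name.lower() in KNOWN_NETSKY_V_NAMES:
            reasons.append("known Netsky.V filename")
        if path.parent == win:
            reasons.append("executable placed directly in the Windows folder")
        if reasons:
            findings.append({"value": name, "path": str(path), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_run_entries(SAMPLE_REG_QUERY, SAMPLE_ENV):
        print(finding["value"], finding["path"], "; ".join(finding["reasons"]))
```

On a live machine the same function can be fed the real `reg query` output and `os.environ`; the mutex name the post quotes is a second, process-level indicator that this registry-only check does not cover.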
  31. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Friday, April 16, 2004
    Netsky.W worm found
    Today we found another new Netsky variant: Netsky.W. It is similar to previous NetSky.P or NetSky.Q variants and it removes Bagle worm if it finds it on an infected computer.
    Further info can be found here
    http://www.f-secure.com/v-descs/netsky_w.shtml
     
  32. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    VIRUS WARNING FOR THE 20-4-04
    Hi all :)
    We have had a lot of virus activity today, so do please keep checking that you have the latest virus signature updates for your software.

    Regards
     
  33. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    THESE ARE THE LATEST VIRUS THREATS AS OF THE 26-4-04
    Take a look at the latest virus threats including viruses, trojans, and worms.
    > Bagle.W - Also known as: (Win32/Bagle.W.CPL, VBS/Bagle.W.HTML, Win32/Bagle.X (Eset), W32/Bagle.Y@mm (F-Secure), W32/Bagle.z@MM (McAfee))
    > Omal.C - Also known as: (Trojan.Bookmarker.Gen (Symantec), Trojan.Win32.StartPage.fq (Kaspersky))
    > Agobot - Also known as: (Backdoor.Agobot.3.gen (Kaspersky), Win32.Agobot.gen, TROJ_GAO, W32.Gaobot.gen!poly (Symantec), W32/Gaobot.worm.gen (McAfee), W32.HLLW.Gaobot (Symantec), W32.HLLW.Polybot (Symantec), Phatbot)
     
  34. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Last edited: Apr 27, 2004
  35. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    VIRUS WARNINGS FOR THE 28-4-04
    Hi Everyone :) Do please remember to make sure your anti-virus software is fully up to date, as most anti-virus/Trojan software has been updated at least three times today.
     
  36. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  37. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    SECURITY WARNING FOR THE 1-5-04
    Hi all, we have another serious outbreak.
    W32.Sasser.Worm
    Discovered on: April 30, 2004
    Last Updated on: May 01, 2004 12:00:08 PM
    FOR FURTHER INFO ON THIS LATEST OUTBREAK
    What You Should Know About the Sasser Worm
    Posted: May 1, 2004
    http://www.microsoft.com/security/incident/sasser.asp
     
  38. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    SECURITY WARNING FOR THE 05.05.2004
    "Sasser" Worm Infections Increase 43% During Second Day of Alert

    WORM_SASSER Family Still Infecting Globally, Not Expected to Disappear Soon

    May 5, 2004 – Trend Micro Inc. reports that according to its internal monitoring of virus activity, the WORM_SASSER family of variants continues to increase in infections. WORM_SASSER was first detected on May 1, 2004, and variants A through D have been under detection since May 3, 2004, and since then, Trend Micro has regarded this worm family as a “high” risk to computer users.

    FOR FURTHER INFO
    http://uk.trendmicro-europe.com/enterprise/about_us/spresse.php?&id=307
     
  39. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    SECURITY WARNING FOR THE 20.05.2004
    Like its predecessors, W32/Lovgate.ab@MM is a Medium Risk mass-mailing worm inside an email attachment that when run:
    Drops a dangerous backdoor on an infected machine that can allow a remote hacker to steal information.
    Infects executable programs.
    Tries to disable anti-virus and security software.
    Emails itself to a) stolen contacts or b) as replies to unread MS Outlook or Outlook Express messages on the infected machine, spoofing the "from: field".
    FOR FURTHER INFO
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125301&cid=10244
     
  40. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    Latest Threats
    Real-time information about the latest threats to the security of your computers
    Brief Description

    Korgo.B is a worm that spreads via the Internet by exploiting the LSASS vulnerability in remote computers. This vulnerability is critical for Windows XP/2000 operating systems that are not properly updated.

    Korgo.B listens to the TCP ports 113, 3067 and 2041 and connects to several IRC servers through the port 6667.

    In addition, it is prepared for impeding the system shutdown.

    Korgo.B only spreads automatically to Windows XP/2000 computers. However, computers with other Windows operating systems can also be a source of transmission when a malicious user runs the file containing the worm in any of these computers.

    If you have a Windows XP/2000 computer, it is highly recommended to download the security patch for the LSASS vulnerability from the Microsoft website.

    Visible Symptoms

    Korgo.B is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.

    However, having problems with the system shutdown can be a clear symptom that your computer has been affected by Korgo.B.

    Last updated: May 25, 2004
    For further information about these and other computer threats, visit Panda Software's Encyclopedia at:
    http://www.pandasoftware.com/virus_info/threats.aspx
     
    Last edited: May 28, 2004
  41. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  42. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Attached Files:

  43. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    Latest Virus Threats, 14-6-04

    Worm.Win32.Zafi.B Alert!
    The new internet worm Zafi.B spreads very fast mainly via email attachments, but also via filesharing networks. The message subject and body text differs depending on the domain extension of the receiver's email address. Target email addresses are collected on the local computer and extracted from several files like temporary internet files and email addressbooks.

    Infection
    Once opened and installed, the worm sets an autorun entry at the system registry. If it is run, the worm spreads itself to all available email addresses. It also runs a module that attempts to flood some Hungarian websites.

    The email text is available in many languages. The text advises the user to open the file attachment, which seems to be a greeting card. Here is an example of the English email:

    Subject: You`ve got 1 VoiceMessage!
    Body: Dear Customer!

    You`ve got 1 VoiceMessage from voicemessage.com website!
    Sender:
    You can listen your Virtual VoiceMessage at the following link:
    http://virt.voicemessage.com/index.listen.php2=35affv
    or by clicking the attached link.

    Send VoiceMessage! Try our new virtual VoiceMessage Empire!
    Best regards: SNAF.Team (R).

    Attachment: link.voicemessage.com.listen.index.php1Ab2c.pif

    Zafi.B can be detected and removed with a² with the latest signature updates loaded. The a² background guard blocks the worm immediately if it is started.

    A more detailed description of the worm can be found at the a² Malware Database:
    http://www.emsisoft.com/en/malware/?Worm.Win32.Zafi.B
     
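Several of the alerts in this thread (Netsky.q with its .ZIP/.PIF/.SCR/.EML attachments, Netsky.s with .PIF, Lovgate.ab, and the Zafi.B sample above whose attachment is named to look like a web link) share the same delivery trick: an executable attachment whose name is chosen to look harmless. The function below is an added example, not code from the post or from any of the vendors quoted: it classifies attachment filenames by their real (last) extension, by a document extension hiding in front of it, and by a filename that imitates a web address, and rolls the per-attachment verdicts up into one decision for the message. The extension lists, the verdict names and the sample filenames are constructed for the example; the Zafi.B filename is the one quoted in the post.

```python
"""Classify mail attachment names for the tricks the worm alerts above describe.

Added example, not code from the post or any vendor. Extension lists, verdict
names and the sample filenames (other than the Zafi.B one quoted in the post)
are constructed assumptions.
"""
import re

# Types Windows will execute when double-clicked; the alerts mention .PIF and .SCR.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "cpl", "vbs", "js", "hta"}
# Containers and message files that must be scanned inside (Netsky.q used .ZIP and .EML).
SCAN_INSIDE_EXTS = {"zip", "eml"}
# Extensions a user reads as "just a document" when they appear before the real one.
DOCUMENT_EXTS = {"doc", "txt", "htm", "html", "php", "pdf", "jpg", "gif", "mp3", "wav"}

# Something that looks like a domain name inside a filename (e.g. voicemessage.com).
DOMAIN_LIKE = re.compile(r"\b[a-z0-9-]+\.(?:com|net|org)\b")

# Ordering used to pick the strictest verdict for a whole message.
VERDICT_RANK = {"allow": 0, "scan": 1, "block": 2}


def classify_attachment(filename):
    """Return a verdict ('allow', 'scan', 'block') and the reasons for one filename."""
    name = filename.strip().lower()
    tokens = name.split(".")
    final_ext = tokens[-1] if len(tokens) > 1 else ""
    inner_exts = set(tokens[1:-1])  # extension-looking pieces before the real one
    reasons = []

    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment type .{final_ext}")
        if inner_exts & DOCUMENT_EXTS:
            reasons.append("document extension in front of an executable one (double extension)")
        if DOMAIN_LIKE.search(name):
            reasons.append("filename imitates a web address")
        verdict = "block"
    elif final_ext in SCAN_INSIDE_EXTS:
        reasons.append(f".{final_ext} must be opened and its contents scanned")
        verdict = "scan"
    else:
        verdict = "allow"
    return {"filename": filename, "verdict": verdict, "reasons": reasons}


def triage_message(attachment_names):
    """Classify every attachment and return the strictest verdict plus the details."""
    results = [classify_attachment(n) for n in attachment_names]
    overall = max((r["verdict"] for r in results), key=VERDICT_RANK.get, default="allow")
    return {"verdict": overall, "attachments": results}


# Constructed sample message: the Zafi.B attachment from the post plus three others.
SAMPLE_ATTACHMENTS = [
    "link.voicemessage.com.listen.index.php1Ab2c.pif",
    "photo.jpg.scr",
    "invoice.zip",
    "notes.txt",
]

if __name__ == "__main__":
    outcome = triage_message(SAMPLE_ATTACHMENTS)
    print("message verdict:", outcome["verdict"])
    for r in outcome["attachments"]:
        print(f"  {r['filename']}: {r['verdict']} {r['reasons']}")
```

The classification is deliberately name-based, which is what a gateway can do before any content scanning; it complements, rather than replaces, the signature updates the posts keep asking readers to apply.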
  44. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    Latest Virus Threats, 17-6-04
    PWSteal.Bamer.A
    PWSteal.Bamer.A steals passwords when you visit Web sites that belong to certain banks.

    One indication of possible infections is the display of the message:

    Invalid Operation at 0000:FF15

    Also Known As: PWS:Win32/Bamer [RAV]

    Type: Trojan Horse
    Infection Length: 402,808 bytes, 260,096 bytes

    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
    Systems Not Affected: DOS, EPOC, Linux, Macintosh, Macintosh OS X, Novell Netware, OS/2, UNIX, Windows 3.x, Windows 64-bit (AMD64), Windows 64-bit (IA64)

    FOR FURTHER INFO
    http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.bamer.a.html
     
  45. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    W32.Korgo.I
    Discovered on: June 07, 2004
    Last Updated on: June 18, 2004 12:51:56 PM

    W32.Korgo.I is a variant of W32.Korgo.F. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 3067, and other random ports (256-8191).

    Note: Symantec Security Response has developed a removal tool to clean the infections of W32.Korgo.I

    http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.i.html
     
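The Korgo.B post (listeners on TCP 113, 3067 and 2041, IRC over 6667) and the Korgo.I post above (propagation against TCP 445, listeners on 113 and 3067) together describe a network footprint a defender can look for on a suspect host. The script below is an added example, not code from the posts or from Symantec or Panda: it parses text in the shape of Windows `netstat -ano` output, groups connections by process, and reports processes that combine a Korgo listener port with an outbound IRC connection or with a fan-out of half-open connections to port 445. The netstat sample, the process IDs and the thresholds are constructed for the example.

```python
"""Look for the Korgo network footprint described in the two posts above.

Added example, not the posts' or any vendor's code. Input is text shaped like
`netstat -ano` on Windows; the sample, PIDs and thresholds are constructed.
"""
from collections import defaultdict

# Listener ports the Korgo.B and Korgo.I descriptions quote.
KORGO_LISTEN_PORTS = {113, 3067, 2041}
IRC_PORT = 6667        # Korgo.B connects to IRC servers on this port
LSASS_PORT = 445       # Korgo.I propagates against this port
SCAN_THRESHOLD = 2     # half-open connections to 445 before we call it propagation (assumption)

# Constructed sample: PID 4 (System) legitimately listens on 445; PID 880 is an
# RPC listener; PID 1764 shows the combined Korgo pattern.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1764
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING       1764
  TCP    192.168.1.10:1043      203.0.113.5:6667       ESTABLISHED     1764
  TCP    192.168.1.10:1050      192.168.1.23:445       SYN_SENT        1764
  TCP    192.168.1.10:1051      192.168.1.24:445       SYN_SENT        1764
  UDP    0.0.0.0:500            *:*                                    724
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:  # UDP lines have no State column
            proto, local, foreign, pid = parts[:4]
            state = ""
        local_host, local_port = local.rsplit(":", 1)
        foreign_host, foreign_port = foreign.rsplit(":", 1)
        rows.append({
            "proto": proto,
            "local_host": local_host,
            "local_port": int(local_port) if local_port.isdigit() else None,
            "foreign_host": foreign_host,
            "foreign_port": int(foreign_port) if foreign_port.isdigit() else None,
            "state": state,
            "pid": int(pid),
        })
    return rows


def korgo_indicators(rows):
    """Map PID -> list of reasons for every process showing at least one indicator."""
    by_pid = defaultdict(list)
    for r in rows:
        by_pid[r["pid"]].append(r)

    findings = {}
    for pid, conns in by_pid.items():
        reasons = []
        listening = {c["local_port"] for c in conns if c["state"] == "LISTENING"}
        hits = sorted(listening & KORGO_LISTEN_PORTS)
        if hits:
            reasons.append(f"listening on Korgo port(s) {hits}")
        if any(c["foreign_port"] == IRC_PORT for c in conns):
            reasons.append("outbound IRC (6667) connection")
        scans = [c for c in conns if c["foreign_port"] == LSASS_PORT and c["state"] == "SYN_SENT"]
        if len(scans) >= SCAN_THRESHOLD:
            reasons.append(f"{len(scans)} half-open connections to TCP 445 (LSASS propagation pattern)")
        if reasons:
            findings[pid] = reasons
    return findings


def suspicious_pids(findings, min_indicators=2):
    """PIDs with enough independent indicators to justify pulling the process."""
    return sorted(pid for pid, reasons in findings.items() if len(reasons) >= min_indicators)


if __name__ == "__main__":
    found = korgo_indicators(parse_netstat(SAMPLE_NETSTAT))
    for pid in suspicious_pids(found):
        print(pid, "; ".join(found[pid]))
```

Requiring two independent indicators keeps a lone identd on port 113 or a normal IRC client from being reported on its own; the 445 fan-out is the signal that most directly matches the LSASS propagation the Korgo.I post describes.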
  46. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    Latest Virus Threats, 28-6-04
    Backdoor.Botex
    Discovered on: June 27, 2004
    Last Updated on: June 28, 2004 04:45:13 PM

    Backdoor.Botex is a Backdoor Trojan horse that allows unauthorized, remote access to a compromised computer. It also attempts to steal system and user information.

    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.botex.html
     
  47. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  48. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    latest virus-related threats July 7, 2004
    The list below provides a synopsis of the latest virus-related threats discovered by Symantec Security Response, including information on: Category Rating (risk), Name of Threat (threat), the day on which the threat was identified (discovered), and the day on which a virus definition was added to protect against the threat (protection). Please click on the name of the threat for additional information.
    W32.Lovgate.AB@mm
    http://securityresponse.symantec.com/avcenter/venc/data/w32.lovgate.ab@mm.html

    Trojan.Ecure.C
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.ecure.c.html

    Trojan.Ecure.B
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.ecure.b.html
     
  49. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  50. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    TDS WARNING FOR THE 12-7-04
    Update for 12-07-2004: +24 references (+24 primaries)

    [35749 references - 13992 primaries/9984 traces/11773 variants/other]


    WARNING

    Do not use the Radius file from the TDS site !!!
    That file is corrupted.

    Please get your copy of the new radius file at the Turvamies site:

    http://radius.turvamies.com/radius.td3
     
