Major Security / Virus Warnings

Discussion in 'Virus Software Updates (Read Only)' started by NICK ADSL UK, Dec 22, 2003.

  2. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    Worm.Win32.Bagle.AF Alert!
    A new Bagle variant is spreading. Bagle.AF arrives via email as an attachment, like all previous Bagle variants do. The email sender is spoofed to make it difficult to trace it back. Once the file attachment is run, the worm installs a backdoor trojan on the computer to enable remote administration. It seems that the worm author plans to create a large spam server farm which can be used to send tons of emails within a very short time. The installed trojan opens port 1234 to receive control commands.

    Bagle.AF can be detected and removed with a² using the latest signature updates. The a² personal background guard blocks the worm immediately if it is started.

    A more detailed description of the worm can be found at the a² Malware Database:
    http://www.emsisoft.com/en/malware/?Worm.Win32.Bagle.AF
     
  4. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    VIRUS ALERT:
    Win32.Bagle.AE
    RISK LEVEL: High

    On Tuesday, July 20, 2004, the CA Security Advisory Team is issuing an alert regarding a high risk level virus threat called Win32.Bagle.AE.

    Further details can be found here

    http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39641
     
  5. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    New Bagle Spreads Fast By Shutting Down Defenses

    July 20, 2004
    By Gregg Keizer, TechWeb News

    The latest version of the mass-mailing worm aims to shut down a computer's anti-virus and firewall systems, leaving the machine open to further attacks.

    The latest Bagle three-worm wave includes one that's using a more aggressive twist on an old tactic, security firms said Tuesday.
    Of the trio of Bagle variants that have hit the Internet since Saturday--that day's Bagle.ag, Sunday's Bagle.ah and Monday's Bagle.ai--the worst is also the most recent, said Patrick Hinojosa, chief technology officer at Panda Software. "When we saw it appear yesterday, it just sort of took off," Hinojosa said. As of midday Tuesday, it was the second-most prevalent worm on Panda's real-time list.
    http://www.informationweek.com/story/showArticle.jhtml?articleID=23902534
     
  7. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    Dear nick,

    Worm.Win32.Bagle.AL Alert!
    Worm.Win32.Bagle.AL is a new variant in the Bagle worm family which arrives via email attachment and uses a faked sender email address. Like its predecessors, the worm comes with its own SMTP engine to spread itself.

    Worm.Win32.Bagle.AL emails look like this:

    Subject: <empty>

    Text: new price

    The attachment has one of these file names:

    price.zip
    price2.zip
    price_new.zip
    price_08.zip
    08_price.zip
    newprice.zip
    new_price.zip
    new__price.zip

    Bagle.AL can be detected and removed with a² using the latest signature updates. The a² personal background guard blocks the worm immediately if it is started.

    A more detailed description of the worm can be found at the a² Malware Database:
    http://www.emsisoft.com/en/malware/?Worm.Win32.Bagle.AL
     
  9. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    Doomed. Again.
    Another variant makes the rounds

    Yet another MyDoom variant is making the rounds this morning, Symantec rating it a category three on their security scale. Posing under the guise of humorous photos, the worm propagates by sending e-mails with the subject line: "photos" and message body "LOL!;))))". "System administrators may also want to block access to domains [www richcolour com] and zenandjuice.com from their network for a while," notes one analyst to the Register. "This variant tries to download components from these addresses but the sites themselves have nothing to do with the virus group."
     
  10. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    Security Information

    No Virus Alert
    There are no medium or high risk alerts at this time.
     
  11. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    LATEST THREAT AS OF 31-8-04

    Bagle.AV
    Threat Level:
    Brief Description

    Bagle.AV is a worm that ends processes belonging to several antivirus update programs, among other applications.

    Bagle.AV has been seeded via e-mail, in a message with "foto" as subject and body, and an attached file with a random name and a ZIP extension. This file contains an HTML file, together with a hidden EXE file. This executable file is run when the user opens the HTML file.

    Once it has affected the computer, Bagle.AV attempts to download a fake JPG file from several websites. If successful, Bagle.AV will start spreading from the computer.

    Visible Symptoms

    Bagle.AV is easy to recognize, as it reaches the computer in an e-mail message with the following characteristics:

    Subject:
    foto
    Message:
    foto
    Attachments:
    The attached file is variable. It has a random name and a ZIP extension. It contains an HTML file, and a hidden EXE file.


    Last updated: Aug. 31, 2004

    http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=51651&sind=0
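The two Bagle posts above (Bagle.AL and Bagle.AV) give enough indicators to write a mail-gateway check: a fixed subject/body pair, a fixed list of attachment names, and a ZIP that carries an HTML file next to an executable. The block below is an added example, not a² or Panda code; the indicators are copied from the two posts, the messages it scans are constructed samples built in the block, and `classify`, `build_sample` and the sample names are this example's own. The third check, a ZIP that wraps any executable, is the generic form of the trick both worms (and Sober.I later in this thread) use to get past attachment-extension blocking.

```python
"""Indicator check for the Bagle.AL and Bagle.AV messages described in this thread.

Added example; it is not the a² or Panda detection.  Indicators are taken
from the two posts: Bagle.AL uses an empty subject, the body "new price"
and one of a fixed set of price*.zip attachment names; Bagle.AV uses
"foto" as subject and body with a random-named ZIP holding an HTML file
next to a (hidden) EXE.  The messages built below are constructed samples.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

BAGLE_AL_NAMES = {
    "price.zip", "price2.zip", "price_new.zip", "price_08.zip",
    "08_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def zip_names(blob: bytes) -> list[str]:
    """Lower-cased member names of a ZIP blob; [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return []


def zip_has_html_and_exe(blob: bytes) -> bool:
    """Bagle.AV layout: an HTML file and an executable in the same archive."""
    names = zip_names(blob)
    return (any(n.endswith((".htm", ".html")) for n in names)
            and any(n.endswith(EXEC_EXT) for n in names))


def zip_contains_executable(blob: bytes) -> bool:
    """Generic: a ZIP wrapper around an EXE defeats simple attachment-extension blocking."""
    return any(n.endswith(EXEC_EXT) for n in zip_names(blob))


def classify(raw: bytes) -> list[str]:
    """Return the names of the indicators that match; [] means nothing matched."""
    msg = email.message_from_bytes(raw, policy=default)
    subject = str(msg["Subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    hits = []
    for att in msg.iter_attachments():
        name = (att.get_filename() or "").lower()
        blob = att.get_payload(decode=True) or b""
        if subject == "" and body == "new price" and name in BAGLE_AL_NAMES:
            hits.append("Bagle.AL")
        if subject == "foto" and body == "foto" and name.endswith(".zip") and zip_has_html_and_exe(blob):
            hits.append("Bagle.AV")
        if name.endswith(".zip") and zip_contains_executable(blob):
            hits.append("zip-wrapped-executable")
    return hits


# --- constructed sample data (not captured worm traffic) ---------------------

def make_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample(subject: str, body: str, filename: str, blob: bytes) -> bytes:
    m = EmailMessage()
    m["From"] = "someone@example.invalid"   # the real worm forges this anyway
    m["To"] = "victim@example.invalid"
    if subject:                             # an empty subject is simply omitted
        m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(blob, maintype="application", subtype="zip", filename=filename)
    return m.as_bytes()


SAMPLE_BAGLE_AL = build_sample("", "new price", "price_new.zip",
                               make_zip({"price.exe": b"MZ" + b"\x00" * 64}))
SAMPLE_BAGLE_AV = build_sample("foto", "foto", "kq81xz.zip",
                               make_zip({"foto.html": b"<html><body>foto</body></html>",
                                         "foto.exe": b"MZ" + b"\x00" * 64}))
SAMPLE_CLEAN = build_sample("Q3 figures", "see attached", "figures.zip",
                            make_zip({"figures.csv": b"a,b\n1,2\n"}))

if __name__ == "__main__":
    for label, raw in [("Bagle.AL", SAMPLE_BAGLE_AL), ("Bagle.AV", SAMPLE_BAGLE_AV), ("clean", SAMPLE_CLEAN)]:
        print(label, classify(raw))
```

The subject/body matches are exact by design: worm templates are fixed strings, and a loose match would catch real "new price" mails. The ZIP-content checks are the part that generalises; they do not look at the "hidden" attribute Bagle.AV sets on its EXE, because an archive that pairs an HTML file with any executable is suspicious regardless.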
     
  12. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    SECURITY WARNINGS FOR THE 1-9-04
    1 Bagle.AW Worm 09/01/2004
    2 Bagle.AV Worm 08/31/2004
    are still causing concern. There has been a lot of activity today, with many updates to the anti-virus and Trojan software, so please make sure you are up to date.
     
  14. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    W32.IRCBot.G
    Discovered on: September 07, 2004
    Last Updated on: September 07, 2004 04:34:18 PM
    W32.IRCBot.G is a Trojan horse program that opens a backdoor on the infected computer by connecting to an IRC server and receives commands from a remote attacker.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.ircbot.g.html
     
  19. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    FOR THE ATTENTION OF USERS OF THE Symantec Enterprise Firewall/VPN and Gateway Security 300 Series
    SYM04-013
    September 22, 2004
    Symantec Enterprise Firewall/VPN and Gateway Security 300 Series Appliances Multiple Issues
    Revision History
    None

    Risk Impact
    High

    Overview
    Symantec resolved three high-risk vulnerabilities that had been identified in the Symantec Firewall/VPN Appliance 100, 200 and 200R models. The Symantec Gateway Security 320, 360 and 360R are vulnerable to only two of the issues, which have been resolved.

    All of these vulnerabilities are remotely exploitable and can allow an attacker to perform a denial of service attack against the firewall appliance, identify active services in the WAN interface, and exploit one of these services to collect and alter the firewall's configuration. All three vulnerabilities are addressed and resolved in available updated firmware release builds.

    Further information can be found here
    http://www.sarc.com/avcenter/security/Content/2004.09.22.html
     
  20. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    Latest threats
    PWSteal.Bancos.M
    Discovered on: September 28, 2004
    Last Updated on: September 28, 2004 10:37:48 AM
    http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.m.html

    W32.Beagle.AR@mm
    Discovered on: September 28, 2004
    Last Updated on: September 28, 2004 01:00:12 PM
    http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ar@mm.html

    Trojan.Moo
    Discovered on: September 28, 2004
    Last Updated on: September 28, 2004 10:34:31 AM
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.moo.html

    Backdoor.Roxe
    Discovered on: September 27, 2004
    Last Updated on: September 28, 2004 10:10:54 AM
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.roxe.html

    W32.Randex.BLD
    Discovered on: September 27, 2004
    Last Updated on: September 28, 2004 10:15:31 AM
    http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.bld.html
     
  23. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    JPEG/Exploit.gen
    • Virus characteristics first published: 11 Oct. 2004
    • Virus characteristics latest update: 11 Oct. 2004
    • Type: Security Risk
    • Overall risk: None

    JPEG/Exploit.gen is a generic detection for all JPEGs that exploit the vulnerability described in “Microsoft Security Bulletin MS04-028 Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)"

    http://www.norman.com/Virus/Virus_descriptions/17903/en
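MS04-028, which the Norman entry above refers to, is a flaw in how GDI+ handled the length field of a JPEG comment (COM, marker 0xFFFE) segment: the 16-bit length counts its own two bytes, GDI+ subtracted 2 before copying, and a declared length of 0 or 1 underflowed into a huge copy. A generic detection therefore only has to walk the segment headers and look at that one field. The scanner below is an added example, not Norman's engine; the JPEG byte strings it is run against are hand-built and labelled as such, and `scan_jpeg` is this example's own function.

```python
"""Walk JPEG marker segments and flag a COM length below 2 (the MS04-028 trigger).

Added example, not Norman's JPEG/Exploit.gen signature.  JPEG segment
lengths are big-endian 16-bit values that include the two length bytes, so
anything below 2 is malformed; for the COM marker that malformed value is
exactly what the GDI+ bug mishandled.  The samples at the bottom are
constructed byte strings, not real images.
"""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
STANDALONE = {0x01, *range(0xD0, 0xDA)}   # TEM, RST0-7, SOI, EOI carry no length field


def scan_jpeg(data: bytes) -> list[str]:
    """Return findings for the header segments; [] means no malformed segment was seen.

    Scanning stops at SOS because entropy-coded data follows it; the
    segments that matter here (APPn, COM, DQT, SOF, DHT) all precede SOS.
    """
    findings = []
    if len(data) < 2 or data[:2] != b"\xff\xd8":
        return ["not a JPEG (missing SOI)"]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append(f"garbage at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte before a marker, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            if marker == EOI:
                break
            continue
        if pos + 4 > len(data):
            findings.append(f"truncated segment header at offset {pos}")
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            if marker == COM:
                findings.append(f"COM segment at offset {pos} declares length {length} (MS04-028 trigger)")
            else:
                findings.append(f"segment 0x{marker:02X} at offset {pos} declares length {length} (malformed)")
            break                       # the size is bogus, there is nothing sane to step over
        if marker == SOS:
            break
        pos += 2 + length
    return findings


# --- constructed samples ------------------------------------------------------
APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
COM_OK = b"\xff\xfe" + struct.pack(">H", 4) + b"hi"          # 2 length bytes + 2 bytes of text
BENIGN = b"\xff\xd8" + APP0 + COM_OK + b"\xff\xd9"
MALICIOUS = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"\x90" * 16 + b"\xff\xd9"   # COM length 1
MALICIOUS_ZERO = b"\xff\xd8" + b"\xff\xfe\x00\x00" + b"\x90" * 16 + b"\xff\xd9"

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("length 1", MALICIOUS), ("length 0", MALICIOUS_ZERO)]:
        print(label, scan_jpeg(blob) or "clean")
```

Because the check is on the container format rather than on any particular payload, it catches every JPEG that would trigger the bug, which is what a "generic" detection name like JPEG/Exploit.gen implies; the trade-off is that it says nothing about what the shellcode after the marker does.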
     
  28. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    W32.Mydoom.AG@mm
    Discovered on: October 25, 2004
    Last Updated on: October 26, 2004 04:51:55 PM
    http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ag@mm.html

    W32.Netsky.AE@mm
    Discovered on: October 25, 2004
    Last Updated on: October 26, 2004 12:32:33 PM
    http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.ae@mm.html

    Backdoor.Sdbot.AE
    Discovered on: October 25, 2004
    Last Updated on: October 25, 2004 04:36:28 PM
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.ae.html
     
  31. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    Important information about a² and all related news.

    Flux spreads wider

    Flux is the name of a new pest spreading covertly through the internet. Flux is a trojan that is making the life of most anti-malware vendors much harder.

    Flux is a reverse backdoor type of trojan. Reverse means that rather than the infected machine waiting for a connection to be made from outside, the infected machine tries to make the connection itself. Standard trojans are made up of two parts - the server and the client.

    The client is downloaded to infect the machine. The server is another PC somewhere in the world that then tries to communicate with the client. The problem with standard trojans is that if the infected machine has a good firewall, then the server cannot connect to the client. So although the machine is infected, no data is transferred to the server from the client.

    To overcome the blocked connection, malware writers now use this reverse logic to make the client machine responsible for the connection. Many standard firewalls will block requests coming in from the internet to connect, but do not block outgoing requests to connect. Trojans like Flux can therefore operate even through most firewalls.

    The really dangerous thing about Flux is not its ability to use this reverse connection feature, but the way that feature is implemented. Flux introduces a new technique of code injection. Code injection is a term that describes ways to execute code in other processes. Until now code injection worked by loading a DLL file into a foreign process - much like the cuckoo lays an egg in another bird's nest. This method (called DLL injection) is quite easy to detect, as the anti-malware program just asks the process which DLLs it uses - a trojan DLL is one that is not on the list generated.

    Flux doesn't use a DLL. Flux writes its connection code directly into a host process and executes it there. Apart from the fact that this behaviour would circumvent several desktop firewalls, it also makes Flux nearly invisible to current anti-malware software, because the Flux code isn't linked to any module or DLL of the process and will simply be overlooked by anti-malware software. That makes complete cleaning very difficult.

    Here at a² we have already thought about trojans using this direct injection method, which is why we have already developed an advanced memory scan for a² v2.0 that can detect trojans using this technique. Version 2.0 is not quite ready for release, but due to trojans like Flux we have decided to provide our customers with the advanced memory scan now.

    What does all this mean for you?
    a² is one of the first anti-malware products that is able to detect and deactivate Flux. On top of that we have also developed a special free detection tool. This tool allows users of other anti-malware software to benefit from a² anti-malware technology too. The free tool detects and terminates an active Flux to ensure a proper cleaning of the infection.

    You can download the free Flux Scanner tool from the a² download page:
    http://www.emsisoft.com/en/software/download


    Sincerely yours,

    Your a² Team
    http://www.emsisoft.com
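The a² newsletter above makes one concrete technical point: code written straight into a host process never shows up in that process's module list, so a scanner that only enumerates DLLs misses it. The complementary check is to walk the process's memory map instead and report every executable region that no mapped file accounts for. The block below is an added example, not a²'s memory scan; it uses the Linux /proc/<pid>/maps text format because that can be parsed offline (on Windows the same walk is done with VirtualQueryEx against the module list), the map lines it scans are constructed for the demo, and `parse_maps`, `scan` and `Region` are this example's own names.

```python
"""Find executable memory that no loaded module accounts for.

Added example, not a²'s scanner.  The idea from the Flux post: a DLL-list
check is blind to code copied directly into a process, but that code still
has to live in executable pages, and those pages are not backed by any
file.  The map below is in Linux /proc/<pid>/maps format and is
constructed for the demo; the __main__ block runs the same check on the
live process where /proc is available.
"""
import re
from dataclasses import dataclass

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)
KERNEL_REGIONS = {"[vdso]", "[vsyscall]", "[vvar]"}   # kernel-provided, legitimately executable


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> list[Region]:
    """Parse /proc/<pid>/maps lines; unparseable lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], m["path"].strip()))
    return regions


def scan(regions: list[Region]) -> list[tuple[str, Region]]:
    """Flag executable memory that is anonymous, and module mappings that are writable too."""
    hits = []
    for r in regions:
        if "x" not in r.perms:
            continue
        backed = r.path.startswith("/") or r.path in KERNEL_REGIONS
        if not backed:
            hits.append(("executable region with no backing module", r))
        elif "w" in r.perms:
            hits.append(("module mapping is writable and executable", r))
    return hits


# Constructed map of a hypothetical victim process: one anonymous rwx region
# (the injected connection code) among ordinary file-backed mappings.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1310720   /usr/bin/victim
00651000-00652000 rw-p 00051000 08:01 1310720   /usr/bin/victim
01c3a000-01c5b000 rw-p 00000000 00:00 0         [heap]
7f2b6c000000-7f2b6c021000 rwxp 00000000 00:00 0
7f2b6c1d2000-7f2b6c38c000 r-xp 00000000 08:01 2097478   /lib/x86_64-linux-gnu/libc.so.6
7f2b6c58c000-7f2b6c590000 rw-p 001ba000 08:01 2097478   /lib/x86_64-linux-gnu/libc.so.6
7ffd1e3f0000-7ffd1e411000 rw-p 00000000 00:00 0         [stack]
7ffd1e4a4000-7ffd1e4a6000 r-xp 00000000 00:00 0         [vdso]
"""

if __name__ == "__main__":
    try:
        with open("/proc/self/maps") as f:
            text = f.read()
    except FileNotFoundError:
        text = SAMPLE_MAPS
    for reason, r in scan(parse_maps(text)):
        print(f"{reason}: {r.start:#x}-{r.end:#x} {r.perms} {r.size} bytes {r.path or '<anonymous>'}")
```

Treat a hit as a triage lead rather than proof: JIT engines (browsers, .NET, Java) legitimately create anonymous executable pages, so in practice the scanner's output is compared against what the process is expected to run, and the flagged bytes are then dumped and inspected.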
     
  33. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    11-10-04
    W32.Mydoom.AJ@mm
    Discovered on: November 10, 2004
    Last Updated on: November 10, 2004 04:11:12 PM
    http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.aj@mm.html

    11-10-04
    Trojan.Beagooz.D
    Discovered on: November 10, 2004
    Last Updated on: November 10, 2004 04:03:05 PM
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.beagooz.d.html


    11-10-04
    Trojan.Moo.B
    Discovered on: November 10, 2004
    Last Updated on: November 10, 2004 04:43:42 PM
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.moo.b.html

    11-09-04
    W32.Orpheus.A
    Discovered on: November 09, 2004
    Last Updated on: November 10, 2004 04:45:59 PM
    http://securityresponse.symantec.com/avcenter/venc/data/w32.orpheus.a.html

    11-08-04
    W32.Mydoom.AI@mm
    Discovered on: November 08, 2004
    Last Updated on: November 10, 2004 04:12:50 PM
    http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.ai@mm.html

    latest virus-related threats
    http://securityresponse.symantec.com/avcenter/vinfodb.html
     
  36. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    Ng.695
    Discovered on: November 16, 2004
    Last Updated on: November 17, 2004 11:49:50 AM
    http://securityresponse.symantec.com/avcenter/venc/data/ng.695.html

    Backdoor.Berbew.L
    Discovered on: November 16, 2004
    Last Updated on: November 16, 2004 02:16:56 PM
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.berbew.l.html

    Backdoor.Netjoe
    Discovered on: November 16, 2004
    Last Updated on: November 16, 2004 12:29:48 PM
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.netjoe.html
     
  39. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    Warning! Worm.Win32.Sober.I!

    The latest version of the Sober worm is spreading fast. As with its predecessors, Sober.I spreads by email attachments. The email text suggests that it is an error message from the mail server and that the non-delivery report is attached.

    Current email clients like Outlook or Outlook Express are able to block harmful file extensions like EXE, COM or SCR, but Sober.I sometimes comes packed in a ZIP file to bypass Outlook security. The ZIP file itself is not harmful, but the content inside (an executable file with a variable file name) contains the worm and must not be opened!

    A more detailed description of the worm can be found at the a² Malware Database:
    http://www.emsisoft.com/en/malware/?Worm.Win32.Sober.I

    Sober.I can be detected and removed with a² Free and a² Personal with the latest signature updates. The latest version of the a² Personal background guard will block the worm if it is started. Please run the a² Online-Update immediately and ensure that the new automatic update feature in a² Personal is enabled.
     
  45. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    W32.Atak.E@mm
    Discovered on: December 07, 2004
    Last Updated on: December 07, 2004 03:43:22 PM
    http://securityresponse.symantec.com/avcenter/venc/data/w32.atak.e@mm.html

    W32.Gaobot.BUU
    Discovered on: December 07, 2004
    Last Updated on: December 09, 2004 05:00:29 PM
    http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.buu.html

    W32.Maslan.A@mm
    Discovered on: December 07, 2004
    Last Updated on: December 09, 2004 05:25:17 PM
    http://securityresponse.symantec.com/avcenter/venc/data/w32.maslan.a@mm.html
     
  47. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Re: Major Security Virus Warnings

    This is a virus alert for W32/Zafi.D@mm, a new member of the Zafi family of mass-mailers. This worm started spreading today, 14 December 2004, and has gained considerable distribution in a short period of time.
     