Virus Software Updates (Read Only)
Make sure your anti-virus is up to date and protecting you.
#21
ATTENTION EVERYONE
Virus Profile
Virus Information
Name: W32/Bagle.n@MM
Risk Assessment
- Home Users: Medium
- Corporate Users: Medium
Date Discovered: 3/13/2004
Date Added: 3/13/2004
Origin: Unknown
Length: 21kb
Type: Virus
SubType: E-mail worm
DAT Required: 4337

Virus Characteristics
-- Update March 13,2004 --
Due to increasing prevalence the risk assessment for W32/Bagle.n@MM has been raised to Medium.

PLEASE MAKE SURE YOUR ANTI VIRUS IS UPDATED AT ALL TIMES
__________________
Majorgeeks on Facebook: Majorgeeks Newsletter Wilders Security Forum Admin Microsoft MVP - Consumer Security |
#22
HI EVERYONE
Please note there is a very high level of virus activity today the 18-3-04. So just a reminder to you all to make sure you check at your virus software site to make sure you are up to date with your signatures. All virus software has been updated today more than once and in the case of nod five times and kav 10 times so don't forget to keep checking.

This is a virus alert for four new variants of the Bagle family:
W32/Bagle.Q@mm
W32/Bagle.R@mm
W32/Bagle.S@mm
W32/Bagle.T@mm
These variants started spreading on 18 March 2004.

Risk: These new variants are rated low risk and would not warrant a virus alert on their own. However, given the number of new variants in a relatively short span of time there is reason for computer users to be careful.

Recommended Reactions: Users of F-Prot Antivirus should update their virus signature files immediately. These variants are all detected by F-Prot Antivirus using virus signature files dated 18 March 2004 and later.
#23
SECURITY UPDATE FOR THE 19-3-04
Three new twists in Bagle virus saga

PETALING JAYA: Antivirus vendors said they have detected the appearance of new Q, R and S variants of the Bagle worm. The most dangerous of the three is variant Q, which was spreading very rapidly, Panda Software Malaysia said in a statement last night.

Bagle.Q spreads via e-mail in a message with extremely variable characteristics. The e-mail message however does not include an attached file carrying the worm. Instead it uses a "carrier e-mail" method to bypass antivirus protection, said British security software vendor Sophos.

When you open a carrier e-mail, it attempts to exploit a vulnerability in Microsoft Outlook which automatically downloads Bagle.Q from the PC which sent you the "carrier" e-mail. The downloaded copy of Bagle.Q is placed into your system folder with the name "directs.exe". It then loads on your PC and terminates a wide range of security applications. It also makes multiple copies of itself into folders which are likely to be part of a file-sharing network, as well as infecting programs on your PC by appending itself to existing .exe files -- this is called a "parasitic virus infection," said Sophos.

Panda Software said the carrier e-mail includes HTML code which can be used to download the file carrying the malicious code from the Internet onto the affected computer. The R and S variants do not seem to be spreading as rapidly, the company said.

Users can detect and disinfect these and other malicious code by downloading the free Panda ActiveScan from www.pandasoftware.com. You can also get more information on Bagle.Q, Bagle.R and Bagle.S from Panda Software's Virus Encyclopaedia at www.pandasoftware.com/virus_info/encyclopedia/.

Sophos has published an identity to allow Sophos Anti-Virus to detect and disinfect this virus; it is available at www.sophos.com/virusinfo/analyses/w32bagleq.html.

The company also advised users to get and apply the latest Internet Explorer and Outlook Express patches from Microsoft. This would prevent the automatic download of the virus.

Sysadmins should also disallow connections to TCP port 81 on their network firewall. Blocking outbound port 81 connections stops computers on the network from downloading the worm from outside. Blocking inbound port 81 connections means that even if you do get infected you will not pass the virus on to others, Sophos said.
#24
SECURITY UPDATE FOR THE 23-3-04

Virus Profile
Virus Information
Name: W32/Netsky.p@MM
Risk Assessment
- Home Users: Medium
- Corporate Users: Medium
Date Discovered: 3/21/2004
Date Added: 3/21/2004
Origin: Unknown
Length: 29,568 bytes (mailed) 26,624 bytes (dropped)
Type: Internet Worm
SubType: E-mail worm
DAT Required: 4340

-- Update 22nd March 06:20 PST --
Due to increased prevalence, this threat has had its risk assessment raised to MEDIUM.

Dear nick:
Another variant of the W32/Netsky.MM virus, W32/Netsky.p@MM is a Medium Risk mass-mailing worm that arrives inside a .ZIP attachment (e.g., your_document.zip) and spreads itself by stealing email addresses from the infected computer, spoofing or forging the "from: field." Besides using its own SMTP engine, W32/Netsky.p@MM also propagates via peer-to-peer networks (e.g., Morpheus, Kazaa) by copying itself to shared file directories -- often with a celebrity (e.g., Britney Spears, Eminem) as part of the filename.

Note: W32/Netsky.p@MM takes advantage of vulnerable versions of Internet Explorer 5.01 and 5.5 to automatically execute the virus on a user's system. McAfee recommends running Windows Update to ensure you have the latest patches for Internet Explorer.

Up-to-date McAfee VirusScan users with DAT 4340 are protected from this threat.
#25
The latest variant of W32/Bagle@MM, W32/Bagle.u@MM is a Medium Risk mass-mailing worm that: 1) installs a dangerous backdoor Trojan-horse program that opens TCP port 4751, 2) opens the Windows game Hearts (if present on the system), and 3) sends itself to email addresses stolen from an infected machine. It arrives as an attachment in an email with a blank subject line and blank body text.
Learn More about W32/Bagle.u@MM http://us.mcafee.com/virusInfo/defau...01141&cid=9929
#26
Dear nick,
Worm.Win32.Sober.E Alert!

Worm.Win32.Sober.E is the 5th variant of the highly spread Sober worm and was first seen by our analysts on 03/28/2004 at 2:30pm CET. Like its predecessors its origin could be found in one of the German-speaking countries. The worm is coded in Visual Basic 6 and is packed using UPX. The file size of the packed worm file is 30,720 bytes.

Infection
Worm.Win32.Sober.E comes via email to your PC. Worm mails have the following layout while always one of the subject, mail body and attachment options is chosen to generate the mail:

Subject: HEY hey? Hey! OK Ok OK! OK OK Ok ;-) Hi :-) hi Hi thx Thx! THX Thx !!!
Mail body: ;-) ha! HA :-) yo! lol LoL Yo!
Attachment name: Text.zip, Text.pif, Read.zip, Read.pif, Graphic-doc.zip, Graphic-doc.pif, document.zip, document.pif, Word.zip, Word.pif

Sober.E can be detected and removed with a² with the latest signature updates loaded. The a² background guard blocks the worm immediately if it is started.

A more detailed description of the worm can be found at the a² Malware Database: http://www.emsisoft.com/en/malware/?Worm.Win32.Sober.E

Sincerely yours,
Your a² Team
http://www.emsisoft.com
#27
Dear nick:
Another variant of the W32/Netsky.MM virus, W32/Netsky.q@MM is a Medium Risk mass-mailing worm that arrives inside a .ZIP, .PIF, .SCR or .EML attachment and spreads itself by stealing email addresses from the infected computer, spoofing or forging the "from: field." The worm includes the recipient's name, surrounded by percentage symbols, in the message subject line.

Note: Like W32/Netsky.p@MM, W32/Netsky.q@MM takes advantage of vulnerable versions of Internet Explorer 5.01 and 5.5 to automatically execute the virus on a user's system. McAfee recommends running Windows Update to ensure you have the latest patches for Internet Explorer.

Learn More about W32/Netsky.q@MM http://us.mcafee.com/virusInfo/defau...01145&cid=9938
#28
Security warning for the 6-4-04
Please note that there is a new Bugbear threat, so please make sure you keep up to date with your virus update signatures.
#29
Another variant of the W32/Netsky.MM virus, W32/Netsky.s@MM is a Medium Risk mass-mailing worm that arrives inside a .PIF attachment. When run, the worm tries to open a backdoor on TCP Port 6789, which can help a remote hacker download and execute potentially malicious programs on the infected system. W32/Netsky.s@MM will also launch a Denial of Service attack on various domains, including www.kazaa.com, starting in mid-April. The worm spreads itself by stealing email addresses from the infected computer, spoofing or forging the "from: field."
For further info http://us.mcafee.com/virusInfo/defau...01156&cid=9997
#30
Win32.Netsky.V
Detection Published: April 14, 2004
Description Modified: April 15, 2004
Category: Win32
Also known as: HTML.Netsky.V, JS.Netsky.V, Win32/NetSky.V.Worm, W32/Netsky.v@MM (McAfee), I-Worm.Netsky.w (Kaspersky)

Description
Netsky.V is a worm that propagates by exploiting an object tag vulnerability. E-mail sent by the worm points to an IP address containing the worm executable and exploit script. This script exploits the vulnerability to download and execute the worm locally. The worm is a 19,432 byte, UPX-packed, encrypted, Win32 executable.

When executed, Netsky.V copies itself to %Windows%\KasperskyAVEng.exe and modifies the registry to ensure that this copy is executed at each Windows start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = "%Windows%\KasperskyAVEng.exe"

Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME is C:\Windows; and for XP is C:\Windows.

The worm creates a mutex "_-=oOOSOkOyONOeOtOo=-_" to ensure only one copy of the worm is running on the system. It also creates a further copy of itself to %Windows%\skyav.tmp.

Please note the risk factor of this worm has been raised to medium.
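As an added example (not part of the original post or the vendor description), the host indicators listed for Netsky.V above can be checked against collected `reg query` output and a file listing. The value name `ExampleValue`, the sample data and the function names are constructed for illustration; the post does not give the name of the Run value.

```python
import ntpath
import re

# Indicators from the Netsky.V description quoted in the post above.
RUN_TARGET = "kasperskyaveng.exe"
DROPPED_NAMES = {"kasperskyaveng.exe", "skyav.tmp"}

# One value line of `reg query` output: name, type and data, 4 spaces apart.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
PLACEHOLDER = re.compile(r"%(windows|windir|systemroot)%", re.IGNORECASE)


def in_windows_dir(path, windows_dir):
    """True when path sits directly in the Windows folder (case-insensitive)."""
    parent = ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))
    return parent == ntpath.normcase(ntpath.normpath(windows_dir))


def check_run_key(reg_query_text, windows_dir):
    """Return (value name, data) pairs that launch KasperskyAVEng.exe from windows_dir."""
    hits = []
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        exe = m and re.match(r'"?(.+?\.exe)', m["data"].strip(), re.IGNORECASE)
        if not exe:
            continue
        # Expand the advisory's %Windows% placeholder; lambda avoids backslash escapes.
        target = PLACEHOLDER.sub(lambda _: windows_dir, exe.group(1))
        if (ntpath.basename(target).lower() == RUN_TARGET
                and in_windows_dir(target, windows_dir)):
            hits.append((m["name"], m["data"].strip()))
    return hits


def check_dropped_files(paths, windows_dir):
    """Return listed paths that match the worm's two copies in the Windows folder."""
    return [p for p in paths
            if ntpath.basename(p).lower() in DROPPED_NAMES
            and in_windows_dir(p, windows_dir)]


# Constructed sample: output of `reg query` on a hypothetical Windows 2000 host.
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    "C:\Program Files\Example\tray.exe" /min
    ExampleValue    REG_SZ    C:\WINNT\KasperskyAVEng.exe
"""
# Constructed sample: a file listing gathered from the same host.
SAMPLE_FILES = [r"C:\WINNT\skyav.tmp", r"C:\WINNT\notepad.exe", r"D:\backup\skyav.tmp"]

if __name__ == "__main__":
    print(check_run_key(SAMPLE_REG, r"C:\Winnt"))
    print(check_dropped_files(SAMPLE_FILES, r"C:\Winnt"))
```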
#31
Friday, April 16, 2004
Netsky.W worm found

Today we found another new Netsky variant: Netsky.W. It is similar to previous NetSky.P or NetSky.Q variants and it removes Bagle worm if it finds it on an infected computer.

Further info can be found here http://www.f-secure.com/v-descs/netsky_w.shtml
#32
VIRUS WARNING FOR THE 20-4-04
Hi all,
We have had a lot of virus activity today, so do please keep checking that you have the latest virus signature updates for your software.
Regards
#33
THESE ARE THE LATEST VIRUS THREATS AS OF THE 26-4-04
Take a look at the latest virus threats including viruses, trojans, and worms.
- Bagle.W - Also known as: (Win32/Bagle.W.CPL, VBS/Bagle.W.HTML, Win32/Bagle.X (Eset), W32/Bagle.Y@mm (F-Secure), W32/Bagle.z@MM (McAfee))
- Omal.C - Also known as: (Trojan.Bookmarker.Gen (Symantec), Trojan.Win32.StartPage.fq (Kaspersky))
- Agobot - Also known as: (Backdoor.Agobot.3.gen (Kaspersky), Win32.Agobot.gen, TROJ_GAO, W32.Gaobot.gen!poly (Symantec), W32/Gaobot.worm.gen (McAfee), W32.HLLW.Gaobot (Symantec), W32.HLLW.Polybot (Symantec), Phatbot)
#34
For more information on WORM_BAGLE.X, you can visit THIS Web site at:
http://www.symantec.com/avcenter/ven...agle.w@mm.html
Last edited by NICK ADSL UK; 04-27-04 at 02:02.
#35
VIRUS WARNINGS FOR THE 28-4-04
Hi Everyone,
Do please remember to make sure your anti virus software is fully up to date as most anti virus/Trojan software has been updated at least three times today.
#36
This is one of the worms causing all sorts of problems in the past couple of days
W32.Netsky.AB@mm
Discovered on: April 27, 2004
Last Updated on: April 28, 2004 04:34:34 PM
Symantec: W32.Netsky.AB@mm http://securityresponse.symantec.com...sky.ab@mm.html
#37
SECURITY WARNING FOR THE 1-5-04
Hi all we have another serious outbreak
W32.Sasser.Worm
Discovered on: April 30, 2004
Last Updated on: May 01, 2004 12:00:08 PM

FOR FURTHER INFO ON THIS LATEST OUTBREAK
What You Should Know About the Sasser Worm
Posted: May 1, 2004
http://www.microsoft.com/security/incident/sasser.asp
#38
SECURITY WARNING FOR THE 05.05.2004
"Sasser" Worm Infections Increase 43% During Second Day of Alert
WORM_SASSER Family Still Infecting Globally, Not Expected to Disappear Soon

May 5, 2004 – Trend Micro Inc. reports that according to its internal monitoring of virus activity, the WORM_SASSER family of variants continues to increase in infections. WORM_SASSER was first detected on May 1, 2004, and variants A through D have been under detection since May 3, 2004, and since then, Trend Micro has regarded this worm family as a “high” risk to computer users.

FOR FURTHER INFO http://uk.trendmicro-europe.com/ente...se.php?&id=307
#39
SECURITY WARNING FOR THE 20.05.2004
Like its predecessors, W32/Lovgate.ab@MM is a Medium Risk mass-mailing worm inside an email attachment that when run:
- Drops a dangerous backdoor on an infected machine that can allow a remote hacker to steal information.
- Infects executable programs.
- Tries to disable anti-virus and security software.
- Emails itself to a) stolen contacts or b) as replies to unread MS Outlook or Outlook Express messages on the infected machine, spoofing the "from: field".

FOR FURTHER INFO http://us.mcafee.com/virusInfo/defau...5301&cid=10244
#40
Latest Threats
Real-time information about the latest threats to the security of your computers

Brief Description
Korgo.B is a worm that spreads via the Internet by exploiting the LSASS vulnerability in remote computers. This vulnerability is critical for Windows XP/2000 operating systems that are not properly updated.

Korgo.B listens to the TCP ports 113, 3067 and 2041 and connects to several IRC servers through the port 6667. In addition, it is prepared for impeding the system shutdown.

Korgo.B only spreads automatically to Windows XP/2000 computers. However, computers with other Windows operating systems can also be a source of transmission when a malicious user runs the file containing the worm in any of these computers.

If you have a Windows XP/2000 computer, it is highly recommendable to download the security patch for the LSASS vulnerability from the Microsoft website.

Visible Symptoms
Korgo.B is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer. However, having problems with the system shutdown can be a clear symptom that your computer has been affected by Korgo.B.

Last updated: May 25, 2004

For further information about these and other computer threats, visit Panda Software's Encyclopedia at: http://www.pandasoftware.com/virus_info/threats.aspx
Last edited by NICK ADSL UK; 05-28-04 at 17:16. Reason: TO CORRECT LINK
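As an added example (not from any of the posts or vendors quoted in this thread), the TCP ports named in the Bagle.Q, Bagle.U, Netsky.S and Korgo.B alerts can be turned into a perimeter firewall log check that also records direction, which is what the port 81 advice for Bagle.Q depends on. The log layout, addresses and function names are assumptions made for the example.

```python
import ipaddress
import re

# (direction, TCP port) -> behaviour as described in this thread's alerts.
WATCHLIST = {
    ("outbound", 81): "Bagle.Q: download of the worm from the sending PC",
    ("inbound", 81): "Bagle.Q: infected host passing the worm on",
    ("inbound", 4751): "Bagle.U: backdoor port",
    ("inbound", 6789): "Netsky.S: backdoor port",
    ("inbound", 113): "Korgo.B: listening port",
    ("inbound", 3067): "Korgo.B: listening port",
    ("inbound", 2041): "Korgo.B: listening port",
    ("outbound", 6667): "Korgo.B: IRC server connection",
}

# Assumed log layout (constructed): time action proto src:port -> dst:port
LINE = re.compile(r"^(\S+) (ALLOW|DENY) TCP ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")


def triage(log_lines, internal_cidr):
    """Return (internal host, direction, dst port, note, action) per watchlist hit."""
    net = ipaddress.ip_network(internal_cidr)
    findings = []
    for line in log_lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines in other formats rather than guess
        _, action, src, _, dst, dport = m.groups()
        try:
            src_in = ipaddress.ip_address(src) in net
            dst_in = ipaddress.ip_address(dst) in net
        except ValueError:
            continue  # malformed address
        if src_in == dst_in:
            continue  # not crossing the perimeter: out of scope for this check
        direction = "outbound" if src_in else "inbound"
        note = WATCHLIST.get((direction, int(dport)))
        if note:
            findings.append((src if src_in else dst, direction, int(dport), note, action))
    return findings


# Constructed sample log; external addresses are from documentation ranges.
SAMPLE_LOG = [
    "2004-05-25T10:02:11 ALLOW TCP 10.0.0.23:1045 -> 203.0.113.9:81",
    "2004-05-25T10:02:40 DENY TCP 198.51.100.7:2211 -> 10.0.0.23:81",
    "2004-05-25T10:03:05 ALLOW TCP 10.0.0.40:1300 -> 203.0.113.50:80",
    "2004-05-25T10:04:19 ALLOW TCP 10.0.0.41:1188 -> 198.51.100.20:6667",
    "2004-05-25T10:05:02 DENY TCP 203.0.113.77:4000 -> 10.0.0.41:3067",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "10.0.0.0/8"):
        print(finding)
```

Ports 113 and 6667 also carry legitimate ident and IRC traffic, so hits on those are leads to follow up rather than confirmation of infection.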