
06-14-2004, 03:06 PM
WebProWorld 1,000+ Club
Join Date: Jul 2003
Location: Nebraska US
Posts: 2,172
Virus Advisory - W32/Zafi.b@MM - McAfee
W32/Zafi.b@MM is a Medium Risk mass-mailing worm that
spreads via email and peer-to-peer applications.
When spreading via email, the worm will both spoof the
sender's From address and send itself out in different
languages depending on the top level domain of the
recipient's email address. For example, if the address ends
in .COM, the virus's email body will appear in English. If
the address ends in .DE, the email will appear in German.
The worm also attempts to cripple anti-virus and firewall
software installed on a user's system by locating and
overwriting a user's security software with copies of itself.
Furthermore, the worm will attempt to thwart manual detection
by terminating key Windows processes.
------------------------------------------------------------
WHAT TO LOOK FOR:
FROM: Varies (forged addresses taken from infected system).
SUBJECT: Varies. Examples:
- You've got 1 VoiceMessage!
- Don't worry, be happy!
- Check this out kid!!!
BODY: Varies.
Online Scan for W32/Zafi.b@MM:
==> http://us.mcafee.com/root/campaign.asp?cid=10564
__________________
Forum Rules
"Cat washing IS a martial art."
"Remember Today IS Yesterdays Tomorrow"

06-15-2004, 03:11 PM
WebProWorld 1,000+ Club
Join Date: Jul 2003
Location: Nebraska US
Posts: 2,172
Virus Alerts/Updates
Virus: A computer program that replicates on computer systems by incorporating itself into shared programs. Viruses range from harmless pranks that merely display an annoying message to programs that can destroy files or disable a computer altogether. Whether they're considered malicious or malevolent, all viruses spread rapidly. For example, from one computer to millions of others around the world, infecting machines and causing them to crash. Some well-known examples include the "I Love You" virus, code red, and NIMDA.
Viruses are most commonly transmitted through e-mail; "strains" have appeared that use personal e-mail address books to propagate themselves from machine to machine. If you are connected to the Internet or any other network, it is important that you take precautions against viruses. Get a virus-scanning program (in fact, you can get one from this definition on NetLingo.com) and do not open any e-mail attachments from people you do not know.
Virus Lists and Libraries:
http://www.viruslist.com/eng/
http://virusall.com/downrem.html
http://www.cexx.org/
http://us.mcafee.com/default.asp
P.S. The information provided has been a WPW community effort. Thank you for the donation of time and information everyone who has contributed and everyone who will :)

06-18-2004, 10:22 AM
WebProWorld Pro
Join Date: May 2004
Location: FL
Posts: 106
Just wanted to add that Zafi will, at least in my brush with it, not allow you to access anti-virus sites such as McAfee or Symantec through IE. The solution in my case was installing the Mozilla Firebird browser to access Symantec's site and download the fix. Mozilla seemed unaffected by the virus.
Thanks again for the help and advice on Tuesday when I was hit.
-Bohak

06-18-2004, 10:50 AM
WebProWorld Member
Join Date: Apr 2004
Location: Saint Louis
Posts: 80
That's a good tip, Bohak, thanks! :)

06-18-2004, 12:54 PM
WebProWorld New Member
Join Date: Apr 2004
Location: PA, USA
Posts: 13
I have found some viruses difficult to delete, but I haven't found one yet that you can't defeat by booting into DOS. So far anyway. But the best cure is to avoid them.

06-19-2004, 08:51 PM
WebProWorld Veteran
Join Date: Jul 2003
Location: Mass, U.S.A.
Posts: 431
Quote:
Originally Posted by PitterPA
I have found some viruses difficult to delete, but I haven't found one yet that you can't defeat by booting into DOS. So far anyway. But the best cure is to avoid them.
You are so right. I use MS products for web and e-mail only if absolutely necessary. Use Mozilla and Linux and a bit of caution and you are virus and worm free! ;-)
K<o>

06-21-2004, 02:45 AM
WebProWorld Member
Join Date: Sep 2003
Location: Austria, Graz
Posts: 43
Just wanted to add something: ..
The browser's name is Mozilla Firefox (the e-mail application is called Mozilla Thunderbird). I also recommend using Mozilla Thunderbird instead of MS Outlook Express, because it is faster and way safer to use imo.
You can get Firefox at http://www.mozilla.org/products/firefox/ :)
EDIT: ah, just came to realize that there is a Mozilla Browser called Firebird :D ... sorry, just didn't know it ;)

06-21-2004, 06:05 PM
WebProWorld 1,000+ Club
Join Date: Aug 2003
Location: Central US
Posts: 1,576
Quote:
Originally Posted by Conficio
You are so right. I use MS products for web and e-mail only if absolutely necessary. Use Mozilla and Linux and a bit of caution and you are virus and worm free! ;-)
...and a bit of caution
That is what you said. In other words, it does not make any mail agent less prone than the other.
The problem with viral attacks through email is usually due to human error and not the mail software. It is not any more than that, and not any less.
If you want to be safe in Outlook Express, do not open any attachments ... plain and simple. If you have an itchy clicking finger, then do this in your options:
Go to the menu Tools > Options .... This will open up a dialog box ... click on the Security Tab. Set it up just like I have in this image grab.
Educate the people to do this very simple thing, and they can have all the safety (with due caution) as much as any other mail agent.

06-21-2004, 09:49 PM
WebProWorld 1,000+ Club
Join Date: Aug 2003
Location: Edmonton, AB, Canada
Posts: 3,406
And on the 'READ' tab, there is a box you can select to 'show messages in plain text only', because way too many people think that if there is no virus attached, it is safe.
This is how hijackers get control these days: once you open a page in an 'html' viewer, or browser, script can run that redirects you to a page that downloads and installs trojans, before you can blink twice.
This is one area where OE is more vulnerable, but it won't last long anymore. Hackers/crackers/scammers/virus writers, they are starting to target everyone else.
So, don't even open an email PERIOD in OE, unless you have it in text mode, or you are not trigger happy LOL
__________________
What I am is what I am, are you what you are, or what.
Eddie Brickel

06-22-2004, 02:36 AM
WebProWorld 1,000+ Club
Join Date: Aug 2003
Location: Central US
Posts: 1,576
Quote:
Originally Posted by mikmik
And on the 'READ' tab, there is a box you can select to 'show messages in plain text only', because way too many people think that if there is no virus attached, it is safe.
You should do that in any mail agent. If you view the images which are often coming off of an external server, that signals whoever sent the mail that the email address is active. More spam will be on the way ... guaranteed.
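The two posts above make a concrete claim: merely displaying an HTML message can fetch remote images (which confirms the address to the sender) and can run script. The following is an added example, not code from the forum thread or from any mail client, that audits the HTML part of a message for exactly those two things: resources the viewer would fetch without a click, and active-content tags. The sample message is constructed for illustration; example.test is a reserved, non-routable domain.

```python
"""Audit the HTML part of a mail message for content that fires when rendered.

Added example, not code from the forum thread. SAMPLE_HTML is constructed
for illustration; example.test is a reserved, non-routable domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose mere presence means the viewer may execute code or load a plug-in.
ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet"}
# url(...) inside CSS, with or without quotes.
_CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)


def _is_remote(url):
    """True for an http(s) or protocol-relative URL; cid:/data:/relative are local."""
    url = url.strip()
    if url.startswith("//"):
        return True
    return urlparse(url).scheme.lower() in ("http", "https")


def _auto_fetched(tag, attr):
    """Attributes the renderer fetches without a click (href only on <link>)."""
    return attr in ("src", "background", "lowsrc") or (tag == "link" and attr == "href")


class MailHtmlAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote = []   # (tag, url) pairs fetched automatically on display
        self.active = []   # active-content tags seen
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self.active.append(tag)
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value is None:
                continue
            name = name.lower()
            if _auto_fetched(tag, name) and _is_remote(value):
                self.remote.append((tag, value.strip()))
            elif name == "style":  # inline CSS such as background:url(...)
                for url in _CSS_URL.findall(value):
                    if _is_remote(url):
                        self.remote.append((tag, url))

    def handle_endtag(self, tag):
        if tag.lower() == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # <style> blocks can also pull remote resources
            for url in _CSS_URL.findall(data):
                if _is_remote(url):
                    self.remote.append(("style", url))


def audit_html(html):
    """Return {"remote": [(tag, url), ...], "active": [tag, ...]} for an HTML body."""
    parser = MailHtmlAudit()
    parser.feed(html)
    parser.close()
    return {"remote": parser.remote, "active": parser.active}


# Constructed sample; the 1x1 image with a per-recipient id is the classic web bug.
# The cid: image and the <a href> are deliberately present as things NOT to flag:
# one is embedded in the message, the other only loads if the user clicks it.
SAMPLE_HTML = """\
<html><head><style>body { background: url(http://example.test/bg.gif); }</style></head>
<body>
<p>Don't worry, be happy!</p>
<img src="http://tracker.example.test/open.gif?id=a1b2c3" width="1" height="1">
<img src="cid:logo@example.test">
<div style="background:url('http://example.test/x.png')"></div>
<a href="http://example.test/page">Read more</a>
<script>window.location = "http://example.test/download";</script>
</body></html>
"""

if __name__ == "__main__":
    report = audit_html(SAMPLE_HTML)
    for tag, url in report["remote"]:
        print(f"auto-fetched via <{tag}>: {url}")
    for tag in report["active"]:
        print(f"active content: <{tag}>")
```

Reading the message as plain text, as the posts recommend, sidesteps all of this because none of the markup is rendered; the audit is useful on the server side, or when deciding whether a particular message is safe to open in HTML at all.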

06-22-2004, 08:15 AM
WebProWorld Member
Join Date: Sep 2003
Location: Austria, Graz
Posts: 43
Thanks for the advice. I know about the configuration options, and I guess that you're right about educating people to prohibit the software from executing nasty scripts and all the other harmful stuff ...
geg

07-02-2004, 04:33 PM
WebProWorld 1,000+ Club
Join Date: Jul 2003
Location: Nebraska US
Posts: 2,172
VIRUS ADVISORY | W32/Lovgate.ad@MM | Medium Risk
Like its predecessors, W32/Lovgate.ad@MM is a Medium Risk
mass-mailing worm hiding inside an email attachment. When
run, the worm:
1. Drops a dangerous backdoor on an infected machine that
can allow a remote hacker to steal information.
2. Infects executable programs.
3. Tries to disable anti-virus and security software.
4. Emails itself to a) stolen contacts or b) as replies
to unread MS Outlook or Outlook Express messages on the
infected machine, spoofing the "from: field".
--> What should I look for?
Subject (examples): hi, hello, Hello, Mail transaction
Failed, mail delivery system
Body (examples): Mail failed. For further assistance,
please contact! The message contains Unicode characters
and has been sent as a binary attachment.
Attachment: Randomly constructed strings with the
following extensions: .EXE, .PIF, .SCR, .ZIP
--> How do I know if I've been infected?
Presence of various .EXE,.DLL or .ZIP archive files on
system. Modified System Registry.

07-02-2004, 04:58 PM
WebProWorld Veteran
Join Date: May 2004
Location: Not here..
Posts: 627
Thank god for Liveupdate thats what I say. :P
__________________
Left WPW to do better things  So long

07-20-2004, 01:25 PM
WebProWorld 1,000+ Club
Join Date: Jul 2003
Location: Nebraska US
Posts: 2,172
VIRUS ALERT: W32/Bagle.ag@MM, W32/Bagle.ai@MM - Medium Risk
--> What are they?
W32/Beagle.ag@MM and W32/Beagle.ai@MM are Medium risk
mass-mailing worms that try to open a backdoor on your PC,
giving a hacker remote access. Like their predecessors,
these worms spread by emailing themselves to stolen contacts
and via popular file-sharing programs such as KaZaa,
Bearshare and Limewire. They also try to terminate
anti-virus and other security software operation.
--> What should I look for?
FROM: Varies (spoofed)
SUBJECT: Examples: Re:, Password: %s, Pass - %s, Key - %s
BODY: Examples: >foto3 and MP3, >fotogalary and Music,
>fotoinfo. May also be blank.
ATTACHMENT: Examples: MP3, Music_MP3, New_MP3_Player foto3,
foto2, foto1 (may include extensions such as .EXE, .SCR,
.COM, .ZIP, .CPL). Password-protected ZIP files may also
contain a second, randomly named file (with extensions such
as .ini, .cfg, .txt, .vxd, .def, .dll).
--> How do I know if I've been infected?
Outgoing messages with noted subject lines, attachments.
This alert is being posted a couple of days late due to email malfunction. But hey, better late than never ;)

07-26-2004, 07:34 PM
WebProWorld 1,000+ Club
Join Date: Jul 2003
Location: Nebraska US
Posts: 2,172
W32/Mydoom.o@MM - Medium-On-Watch
--> What is it?
W32/Mydoom.o@MM is a Medium-On-Watch risk mass-mailing worm
that tries to open a hacker backdoor on your PC. Often
pretending to be a bounced email alert, the worm arrives
inside an attachment then spreads by sending itself to stolen
contacts and via peer-to-peer programs.
--> What should I look for?
FROM: Varies. Examples: "Bounced mail," "MAILER-DAEMON,"
"Mail Administrator". Often spoofed.
SUBJECT: Varies. Examples: delivery failed, Message could not be
delivered, Mail System Error - Returned Mail
BODY: Example: We have received reports that your account was used to
send a large amount of junk email messages during the last week.
ATTACHMENT: Examples: README, INSTRUCTION, TRANSCRIPT
--> How do I know if I've been infected?
The worm installs itself as JAVA.EXE in an infected
computer's Windows directory. TCP Port 1034 open.

08-02-2004, 05:59 PM
WebProWorld 1,000+ Club
Join Date: Jul 2003
Location: Nebraska US
Posts: 2,172
W32/Rbot-EW -- Another bot Trojan that exploits network shares
with weak passwords to spread between machines. It installs
itself as "UPDATE_W.EXE" in the Windows System directory and
allows backdoor access via IRC. (Sophos)
W32/Rbot-FC -- This Rbot variant is similar to EW above, except
it uses the infected file of "WINSYST32.EXE" and adds the twist
of a file logger and CD key stealer. (Sophos)
W32/Rbot-DE -- Another Rbot variant. It uses "WINSYS32.EXE" as
its infection point and tries to kill certain network share
connections. (Sophos)
W32/Sdbot-KU -- A bot that spreads by exploiting machines
infected with MyDoom or without the Windows DCOM patch. It
installs itself as "PEREMPTION.EXE" and allows backdoor access
via IRC. It can be used to launch SYN flood attacks against
remote sites and also attempts to steal CD keys for popular
games. (Sophos)
W32/Tompai-A -- A backdoor Trojan that spreads via network
shares and uses a variety of filename combinations to install
itself in the Windows System folder. The virus has the text
"phantompain" embedded in the code. (Sophos)
W32/Agobot-KM -- Yet another bot that uses weakly protected
network shares to spread between machines. This infects
"MSVSRV32.EXE" in the Windows System directory, allows backdoor
access via IRC, and modifies the Windows HOSTS file to block
access to anti-virus sites. (Sophos)
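The Agobot-KM entry above describes a bot that edits the Windows HOSTS file to block access to anti-virus sites, which is one mechanism behind the symptom Bohak reported earlier in the thread (McAfee and Symantec unreachable from the infected machine). The following is an added example, not code from Sophos, McAfee or the forum thread, that audits a HOSTS file for that tampering. The vendor domain list and the sample file are constructed for illustration; on NT-family Windows the real file lives at %SystemRoot%\system32\drivers\etc\hosts.

```python
"""Audit a Windows HOSTS file for entries that hijack security-vendor domains.

Added example; the vendor list and SAMPLE_HOSTS are constructed for
illustration and are not taken from any Sophos or McAfee advisory.
"""
import ipaddress

# Domains a workstation should never map statically. Constructed list for this
# example; extend it to cover your own AV and update vendors.
SECURITY_DOMAINS = (
    "mcafee.com",
    "symantec.com",
    "sophos.com",
    "viruslist.com",
    "windowsupdate.com",
    "microsoft.com",
)


def _is_sinkhole(ip_text):
    """Loopback or unspecified addresses block a name; anything else redirects it."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # an unparsable address cannot resolve usefully either
    return addr.is_loopback or addr.is_unspecified


def _matching_domain(hostname):
    """Return the vendor domain that hostname equals or sits under, else None."""
    for domain in SECURITY_DOMAINS:
        if hostname == domain or hostname.endswith("." + domain):
            return domain
    return None


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; comments and blanks skipped.

    A single line may map several names to one address, so one line can yield
    several tuples.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line with no hostname
        ip_text, names = fields[0], fields[1:]
        for name in names:
            yield line_no, ip_text, name.lower().rstrip(".")


def find_hijacks(text):
    """Return suspicious mappings found in hosts-file text.

    Each finding has line, ip, hostname, domain and kind, where kind is
    "blocked" (sinkholed to loopback or 0.0.0.0) or "redirected" (to any
    other address, which is worse: updates would be fetched from a host the
    attacker controls).
    """
    findings = []
    for line_no, ip_text, hostname in parse_hosts(text):
        domain = _matching_domain(hostname)
        if domain is None:
            continue
        findings.append({
            "line": line_no,
            "ip": ip_text,
            "hostname": hostname,
            "domain": domain,
            "kind": "blocked" if _is_sinkhole(ip_text) else "redirected",
        })
    return findings


# Constructed sample modelled on the behaviour described for Agobot-KM; not a
# real capture. 203.0.113.0/24 is a documentation range, used here as the
# "attacker" address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.mcafee.com us.mcafee.com   # added by malware
127.0.0.1       liveupdate.symantec.com
0.0.0.0         www.sophos.com
203.0.113.5     update.symantec.com
192.168.1.20    intranet.example.test
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['hostname']} -> {f['ip']} ({f['kind']})")
```

A clean HOSTS file on a workstation normally contains only the localhost line, so any vendor-domain hit is worth acting on; the legitimate intranet mapping in the sample is ignored because it matches none of the listed domains.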

08-05-2004, 11:12 PM
WebProWorld 1,000+ Club
Join Date: Jul 2003
Location: Nebraska US
Posts: 2,172
W32/MyDoom-O -- Another MyDoom variant that uses e-mail to
spread and search engines to dig for more potential targets.
Doesn't seem to have the same impact as MyDoom-M. (Sophos)
W32/Stewon-A -- A peer-to-peer virus that spreads via the likes
of Kazaa using a compressed .zip file. The virus installs itself
as "genoxial.exe" in the Windows System folder. (Sophos)
Troj/CmjSpy-Z -- A keylogging Trojan that installs itself as
"hpserver.exe" in the Windows system folder and records its
captured info in "hlicense.vxd". No word on how it spreads.
(Sophos)
W32/Agobot-LM -- Another Agobot variant that spreads via network
shares, which allows backdoor access via IRC and kills security
applications as well as access to related sites. It installs
itself as "LSAS.EXE". (Sophos)
W32/Agobot-LL -- Hey, another Agobot variant. Similar to
Agobot-LM above, except that infects the file "SVCSYS32.EXE" in
the Windows System folder. This one could also be used in a DoS
attack against third-party sites. (Sophos)
W32/Scaner-A -- A virus that tries to attempt the Windows LSASS
vulnerability, for which there's been a patch available for a
few months. The virus attempts to report back its findings via
an HTTP POST. (Sophos)
W32/Febelneck-A -- This virus spreads via a .zip file. It tries
to change the name of the infected machine to "Nebelfleck" and
delete certain files on the affected system. (Sophos)

08-09-2004, 07:00 PM
WebProWorld 1,000+ Club
Join Date: Jul 2003
Location: Nebraska US
Posts: 2,172
VIRUS ADVISORY: W32/Bagle.aq@MM
--> What is it?
W32/Bagle.aq@MM is a Medium Risk mass-mailing worm that tries
to open a hacker backdoor on your PC. Launched by code hidden
inside a ZIP attachment, the virus spreads by emailing itself
to stolen contacts and via popular file-sharing programs such
as KaZaa, Bearshare and Limewire. It also tries to terminate
anti-virus and other security software operation.
Up-to-date McAfee VirusScan users with DAT 4384 are
protected from this threat. Note: To fortify anti-virus
defense against viruses that carry backdoor payloads, we
recommend installing McAfee Personal Firewall Plus:
http://us.mcafee.com/root/campaign.asp?cid=11276
--> What should I look for?
FROM: Varies (spoofed)
SUBJECT: Blank
BODY: Examples: new price, The password is, Password:
ATTACHMENT: Examples: price.zip, price2.zip, price_new.zip
--> How do I know if I've been infected?
Communication Port 80 (TCP) open. Outgoing messages with noted
body content and ZIP attachments.
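The Lovgate, Bagle and Mydoom advisories in this thread all describe the same three lures: an attachment with an executable extension (.EXE, .PIF, .SCR, .COM, .CPL), a ZIP whose password is printed in the message body, and a message posing as a bounce from the mail system. The following is an added example, not code from McAfee, Sophos or the forum thread, that triages a raw message for those traits using only the Python standard library. The extension list comes from the advisories; the lure phrases, the "not multipart/report" bounce check and the sample messages are this example's own assumptions, and example.test is a reserved domain.

```python
"""Triage a mail message for the mass-mailer traits the advisories list.

Added example, not code from McAfee, Sophos or the forum thread. The
extension list comes from the advisories; lure phrases and sample messages
are constructed for illustration.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Attachment extensions the advisories name as worm carriers.
EXEC_EXT = {".exe", ".pif", ".scr", ".com", ".cpl"}
# Text that accompanies a ZIP whose password is handed to the reader (Bagle style).
PASSWORD_LURE = ("password", "pass -", "key -")
# Subjects that pose as a bounce. A genuine DSN is a multipart/report message,
# not an executable or ZIP attachment (assumption of this example).
BOUNCE_LURE = ("delivery failed", "returned mail", "mail delivery system",
               "mail transaction failed", "message could not be delivered")


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data):
    """Return (member_names, encrypted); member_names is None if data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return None, False
    # Bit 0 of the general-purpose flag marks an encrypted member.
    return [i.filename for i in infos], any(i.flag_bits & 0x1 for i in infos)


def triage(raw):
    """Return a list of reasons the raw RFC 822 message looks like a worm lure."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    subject = str(msg.get("subject", "")).lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body is not None else "").lower()
    lure = any(k in subject or k in text for k in PASSWORD_LURE)
    claims_bounce = any(k in subject for k in BOUNCE_LURE)
    attachments = list(msg.iter_attachments())
    if claims_bounce and attachments and msg.get_content_type() != "multipart/report":
        reasons.append("claims to be a bounce but is not multipart/report")
    for part in attachments:
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in EXEC_EXT:
            reasons.append(f"executable attachment {name}")
        elif ext == ".zip":
            members, encrypted = inspect_zip(part.get_payload(decode=True))
            if members is None:
                reasons.append(f"{name} is not a valid ZIP")
            else:
                for member in members:
                    if _ext(member) in EXEC_EXT:
                        reasons.append(f"{name} contains executable {member}")
                if encrypted:
                    reasons.append(f"{name} is encrypted; contents not inspectable")
            if lure:
                reasons.append(f"{name} arrives with a password in the message text")
    return reasons


def zip_with(member, data):
    """Build an in-memory ZIP holding one member (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


def build_sample(subject, text, attachments=()):
    """Constructed test message; attachments is a sequence of (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.test"   # the real worms spoof this
    msg["To"] = "victim@example.test"
    if subject:                            # Bagle.aq sends a blank subject
        msg["Subject"] = subject
    msg.set_content(text)
    for name, data in attachments:
        subtype = "zip" if name.lower().endswith(".zip") else "octet-stream"
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x00" * 62  # constructed stand-in for a PE file
    samples = {
        "bagle-like": build_sample("", "new price\nThe password is 12345\n",
                                   [("price.zip", zip_with("price.exe", fake_pe))]),
        "mydoom-like": build_sample("Mail System Error - Returned Mail",
                                    "The message could not be delivered.\n",
                                    [("transcript.exe", fake_pe)]),
        "clean": build_sample("Re: meeting", "See you Tuesday.\n"),
    }
    for label, raw in samples.items():
        print(label, "->", triage(raw) or ["no findings"])
```

Encrypted ZIPs cannot be opened by a gateway scanner without the password, which is exactly why the Bagle family put the password in the body; the triage therefore flags the combination of a ZIP attachment and a password in the text rather than relying on being able to look inside.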

08-17-2004, 12:53 PM