WebProWorld - Internet Security Discussion Forum
This forum is for the discussion of security-related issues. If you find a new phishing scheme, spyware, virus or malicious site, let us know about it. If any of the above found you... here's where you ask for help.
#1 - wenwilder (WebProWorld Veteran, WebProWorld MVP) - 06-14-2004, 04:06 PM
Virus Advisory - W32/Zafi.b@MM - McAfee

W32/Zafi.b@MM is a Medium Risk mass-mailing worm that
spreads via email and peer-to-peer applications.

When spreading via email, the worm will both spoof the
sender's From address and send itself out in different
languages depending on the top level domain of the
recipient's email address. For example, if the address ends
in .COM, the virus's email body will appear in English. If
the address ends in .DE, the email will appear in German.

The worm also attempts to cripple anti-virus and firewall
software installed on a user's system by locating and
overwriting a user's security software with copies of itself.
Furthermore, the worm will attempt to thwart manual detection
by terminating key Windows processes.

------------------------------------------------------------
WHAT TO LOOK FOR:

FROM: Varies (forged addresses taken from infected system).

SUBJECT: Varies. Examples:
- You've got 1 VoiceMessage!
- Don't worry, be happy!
- Check this out kid!!!

BODY: Varies.

Online Scan for W32/Zafi.b@MM:
==> http://us.mcafee.com/root/campaign.asp?cid=10564
__________________
Forum Rules
"Cat washing IS a martial art."
"Remember Today IS Yesterdays Tomorrow"
#2 - wenwilder (WebProWorld Veteran, WebProWorld MVP) - 06-15-2004, 04:11 PM
Virus Alerts/Updates

Virus: A computer program that replicates on computer systems by incorporating itself into shared programs. Viruses range from harmless pranks that merely display an annoying message to programs that can destroy files or disable a computer altogether. Whether they're considered malicious or malevolent, all viruses spread rapidly, for example from one computer to millions of others around the world, infecting machines and causing them to crash. Some well-known examples include the "I Love You" virus, Code Red, and NIMDA.

Viruses are most commonly transmitted through e-mail; "strains" have appeared that use personal e-mail address books to propagate themselves from machine to machine. If you are connected to the Internet or any other network, it is important that you take precautions against viruses. Get a virus-scanning program (in fact, you can get one from this definition on NetLingo.com) and do not open any e-mail attachments from people you do not know.


Virus Lists and Libraries:

http://www.viruslist.com/eng/
http://virusall.com/downrem.html
http://www.cexx.org/
http://us.mcafee.com/default.asp


P.S. The information provided has been a WPW community effort. Thank you for the donation of time and information everyone who has contributed and everyone who will :)
#3 - Bohak (WebProWorld Pro) - 06-18-2004, 11:22 AM

Just wanted to add that Zafi will, at least in my brush with it, not allow you to access anti-virus sites such as McAfee or Symantec through IE. The solution in my case was installing the Mozilla Firebird browser to access Symantec's site and download the fix. Mozilla seemed unaffected by the virus.

Thanks again for the help and advice on Tuesday when I was hit.

-Bohak
__________________
BohakGraphics.com
#4 - lspence (WebProWorld Pro) - 06-18-2004, 11:50 AM

That's a good tip, Bohak, thanks! :)
#5 - PitterPA (WebProWorld New Member) - 06-18-2004, 01:54 PM

I have found some viruses difficult to delete, but I haven't found one yet that you can't defeat by booting into DOS. So far anyway. But the best cure is to avoid them.
#6 - Conficio (WebProWorld Veteran) - 06-19-2004, 09:51 PM

Quote:
Originally Posted by PitterPA
I have found some viruses difficult to delete, but I haven't found one yet that you can't defeat by booting into DOS. So far anyway. But the best cure is to avoid them.
You are so right. I use MS products for web and e-mail only if absolutely necessary. Use Mozilla and Linux and a bit of caution and you are virus and worm free ! ;-)

K<o>
#7 - cthathem (WebProWorld Member) - 06-21-2004, 03:45 AM

Just wanted to add something: ..

The browser's name is Mozilla Firefox .. (the eMail application is called Mozilla Thunderbird). I also recommend using MZ Thunderbird instead of MS Outlook Express, because it is faster and way safer to use imo.

You can get Firefox at http://www.mozilla.org/products/firefox/ :)

EDIT: ah, just came to realize that there is a Mozilla Browser called Firebird :D ... sorry, just didn't know it ;)
#8 - ronniethedodger (WebProWorld 1,000+ Club) - 06-21-2004, 07:05 PM

Quote:
Originally Posted by Conficio
You are so right. I use MS products for web and e-mail only if absolutely necessary. Use Mozilla and Linux and a bit of caution and you are virus and worm free ! ;-)
...and a bit of caution

That is what you said. In other words, it does not make any mail agent less prone than the other.

The problem with viral attacks through email is usually due to human error and not the mail software. It is not any more than that, and not any less.

If you want to be safe in Outlook Express, do not open any attachments ... plain and simple. If you have an itchy clicking finger, then do this in your options:

Go to the menu Tools > Options .... This will open up a dialog box ... click on the Security Tab. Set it up just like I have in this image grab.



Educate the people to do this very simple thing, and they can have all the safety (with due caution) as much as any other mail agent.
#9 - mikmik (WebProWorld 1,000+ Club) - 06-21-2004, 10:49 PM

And on the 'READ' tab, there is a box you can select to 'show messages in plain text only', because way too many people think that if there is no virus attached, it is safe.
This is how hijackers get control these days: once you open a page in an 'html' viewer, or browser, script can run that redirects you to a page that downloads and installs trojans - before you can blink twice.

This is one area where OE is more vulnerable, but it won't last long anymore. Hackers/crackers/scammers/virus writers, they are starting to target everyone else.

So, don't even open an email PERIOD in OE, unless you have it in text mode, or you are not trigger happy LOL
#10 - ronniethedodger (WebProWorld 1,000+ Club) - 06-22-2004, 03:36 AM

Quote:
Originally Posted by mikmik
And on the 'READ' tab, there is a box you can select to 'show messages in plain text only', because way too many people think that if there is no virus attached, it is safe.
You should do that in any mail agent. If you view the images which are often coming off of an external server, that signals whoever sent the mail that the email address is active. More spam will be on the way ... guaranteed.
#11 - cthathem (WebProWorld Member) - 06-22-2004, 09:15 AM

Thanks for the advice. I know about the configuration options, and I guess that you're right about educating people to prohibit the software from executing nasty scripts and all the other harmful stuff ...

geg
#12 - wenwilder (WebProWorld Veteran, WebProWorld MVP) - 07-02-2004, 05:33 PM
VIRUS ADVISORY | W32/Lovgate.ad@MM | Medium Risk

Like its predecessors, W32/Lovgate.ad@MM is a Medium Risk
mass-mailing worm hiding inside an email attachment. When
run, the worm:

1. Drops a dangerous backdoor on an infected machine that
can allow a remote hacker to steal information.
2. Infects executable programs.
3. Tries to disable anti-virus and security software.
4. Emails itself to a) stolen contacts or b) as replies
to unread MS Outlook or Outlook Express messages on the
infected machine, spoofing the "from:" field.

--> What should I look for?

Subject (examples): hi, hello, Hello, Mail transaction
Failed, mail delivery system

Body (examples): Mail failed. For further assistance,
please contact! The message contains Unicode characters
and has been sent as a binary attachment.

Attachment: Randomly constructed strings with the
following extensions: .EXE, .PIF, .SCR, .ZIP

--> How do I know if I've been infected?

Presence of various .EXE,.DLL or .ZIP archive files on
system. Modified System Registry.
#13 - pedstersplanet (WebProWorld Veteran) - 07-02-2004, 05:58 PM

Thank god for LiveUpdate, that's what I say. :P
__________________
Regards, Peter
UK Web Hosting | Website Directory
#14 - wenwilder (WebProWorld Veteran, WebProWorld MVP) - 07-20-2004, 02:25 PM
VIRUS ALERT: W32/Bagle.ag@MM, W32/Bagle.ai@MM - Medium Risk

--> What are they?

W32/Beagle.ag@MM and W32/Beagle.ai@MM are Medium risk
mass-mailing worms that try to open a backdoor on your PC,
giving a hacker remote access. Like their predecessors,
these worms spread by emailing themselves to stolen contacts
and via popular file-sharing programs such as KaZaa,
Bearshare and Limewire. They also try to terminate
anti-virus and other security software operation.

--> What should I look for?

FROM: Varies (spoofed)
SUBJECT: Examples: Re:, Password: %s, Pass - %s, Key - %s
BODY: Examples: >foto3 and MP3, >fotogalary and Music,
>fotoinfo. May also be blank.
ATTACHMENT: Examples: MP3, Music_MP3, New_MP3_Player foto3,
foto2, foto1 (may include extensions such as .EXE, .SCR,
.COM, .ZIP, .CPL). Password-protected ZIP files may also
contain a second, randomly named file (with extensions such
as .ini, .cfg, .txt, .vxd, .def, .dll).

--> How do I know if I've been infected?

Outgoing messages with noted subject lines, attachments.


This alert is being posted a couple of days late due to an email malfunction. But hey, better late than never ;)
#15 - wenwilder (WebProWorld Veteran, WebProWorld MVP) - 07-26-2004, 08:34 PM
W32/Mydoom.o@MM - Medium-On-Watch

--> What is it?

W32/Mydoom.o@MM is a Medium-On-Watch risk mass-mailing worm
that tries to open a hacker backdoor on your PC. Often
pretending to be a bounced email alert, the worm arrives
inside an attachment then spreads by sending itself to stolen
contacts and via peer-to-peer programs.

--> What should I look for?

FROM: Varies. Examples: "Bounced mail," "MAILER-DAEMON,"
"Mail Administrator". Often spoofed.
SUBJECT: Varies. Examples: delivery failed, Message could not be
delivered, Mail System Error - Returned Mail
BODY: Example: We have received reports that your account was used to
send a large amount of junk email messages during the last week.
ATTACHMENT: Examples: README, INSTRUCTION, TRANSCRIPT

--> How do I know if I've been infected?

The worm installs itself as JAVA.EXE in an infected
computer's Windows directory. TCP Port 1034 open.
#16 - wenwilder (WebProWorld Veteran, WebProWorld MVP) - 08-02-2004, 06:59 PM

W32/Rbot-EW -- Another bot Trojan that exploits network shares
with weak passwords to spread between machines. It installs
itself as "UPDATE_W.EXE" in the Windows System directory and
allows backdoor access via IRC. (Sophos)

W32/Rbot-FC -- This Rbot variant is similar to EW above, except
it uses the infected file of "WINSYST32.EXE" and adds the twist
of a file logger and CD key stealer. (Sophos)

W32/Rbot-DE -- Another Rbot variant. It uses "WINSYS32.EXE" as
its infection point and tries to kill certain network share
connections. (Sophos)

W32/Sdbot-KU -- A bot that spreads by exploiting machines
infected with MyDoom or without the Windows DCOM patch. It
installs itself as "PEREMPTION.EXE" and allows backdoor access
via IRC. It can be used to launch SYN flood attacks against
remote sites and also attempts to steal CD keys for popular
games. (Sophos)

W32/Tompai-A -- A backdoor Trojan that spreads via network
shares and uses a variety of filename combinations to install
itself in the Windows System folder. The virus has the text
"phantompain" embedded in the code. (Sophos)

W32/Agobot-KM -- Yet another bot that uses weakly protected
network shares to spread between machines. This infects
"MSVSRV32.EXE" in the Windows System directory, allows backdoor
access via IRC, and modifies the Windows HOSTS file to block
access to anti-virus sites. (Sophos)
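The HOSTS-file tampering described for W32/Agobot-KM above (and the blocked anti-virus sites Bohak ran into in post #3) is something a defender can check for directly. The following is an added example, not code from this thread or from Sophos; the vendor domain watch-list and the sample HOSTS content are constructed assumptions, not a complete list.

```python
"""Check a Windows HOSTS file for entries that pin anti-virus vendor domains.

Added example; assumes the standard HOSTS format of one
"<ip> <hostname> [alias ...]" entry per line with '#' comments.
"""
import ipaddress
from typing import List, Tuple

# Constructed watch-list (assumption): vendors named in this thread. Extend it
# with the update/download hosts your own products actually use.
SECURITY_DOMAINS = (
    "mcafee.com", "symantec.com", "sophos.com", "trendmicro.com",
    "f-secure.com", "kaspersky.com", "viruslist.com",
)


def _matches_watchlist(hostname: str) -> bool:
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in SECURITY_DOMAINS)


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, [hostnames]) for every well-formed HOSTS entry."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                              # malformed line, nothing to map
        try:
            ipaddress.ip_address(parts[0])        # first token must be an address
        except ValueError:
            continue
        entries.append((n, parts[0], parts[1:]))
    return entries


def find_hijacked_security_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Flag (line_no, hostname, ip) for every watch-listed domain pinned in HOSTS.

    A legitimate HOSTS file almost never needs a static entry for a vendor
    site; bots add them (usually to 127.0.0.1 or a bogus address) so that
    signature updates and removal tools can no longer be downloaded.
    """
    flagged = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if _matches_watchlist(name):
                flagged.append((n, name, ip))
    return flagged


# Constructed sample: a default file plus the kind of lines a bot appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    intranet.example.test   # constructed internal host, legitimate
127.0.0.1 www.mcafee.com
127.0.0.1 us.mcafee.com
0.0.0.0 liveupdate.symantec.com
127.0.0.1 www.sophos.com www.trendmicro.com
"""

if __name__ == "__main__":
    for line_no, host, ip in find_hijacked_security_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} pinned to {ip}")
```

On a live machine, read C:\WINDOWS\system32\drivers\etc\hosts into the function; any hit is worth investigating even if the address looks harmless.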
#17 - wenwilder (WebProWorld Veteran, WebProWorld MVP) - 08-06-2004, 12:12 AM

W32/MyDoom-O -- Another MyDoom variant that uses e-mail to
spread and search engines to dig for more potential targets.
Doesn't seem to have the same impact as MyDoom-M. (Sophos)

W32/Stewon-A -- A peer-to-peer virus that spreads via the likes
of Kazaa using a compressed .zip file. The virus installs itself
as "genoxial.exe" in the Windows System folder. (Sophos)

Troj/CmjSpy-Z -- A keylogging Trojan that installs itself as
"hpserver.exe" in the Windows system folder and records its
captured info in "hlicense.vxd". No word on how it spreads.
(Sophos)

W32/Agobot-LM -- Another Agobot variant that spreads via network
shares, which allows backdoor access via IRC and kills security
applications as well as access to related sites. It installs
itself as "LSAS.EXE". (Sophos)

W32/Agobot-LL -- Hey, another Agobot variant. Similar to
Agobot-LM above, except that infects the file "SVCSYS32.EXE" in
the Windows System folder. This one could also be used in a DoS
attack against third-party sites. (Sophos)

W32/Scaner-A -- A virus that tries to attempt the Windows LSASS
vulnerability, for which there's been a patch available for a
few months. The virus attempts to report back its findings via
an HTTP POST. (Sophos)

W32/Febelneck-A -- This virus spreads via a .zip file. It tries
to change the name of the infected machine to "Nebelfleck" and
delete certain files on the affected system. (Sophos)
#18 - wenwilder (WebProWorld Veteran, WebProWorld MVP) - 08-09-2004, 08:00 PM
VIRUS ADVISORY: W32/Bagle.aq@MM

--> What is it?

W32/Bagle.aq@MM is a Medium Risk mass-mailing worm that tries
to open a hacker backdoor on your PC. Launched by code hidden
inside a ZIP attachment, the virus spreads by emailing itself
to stolen contacts and via popular file-sharing programs such
as KaZaa, Bearshare and Limewire. It also tries to terminate
anti-virus and other security software operation.

Up-to-date McAfee VirusScan users with DAT 4384 are
protected from this threat. Note: To fortify anti-virus
defense against viruses that carry backdoor payloads, we
recommend installing McAfee Personal Firewall Plus:
http://us.mcafee.com/root/campaign.asp?cid=11276

--> What should I look for?

FROM: Varies (spoofed)
SUBJECT: Blank
BODY: Examples: new price, The password is, Password:
ATTACHMENT: Examples: price.zip, price2.zip, price_new.zip

--> How do I know if I've been infected?

Communication Port 80 (TCP) open. Outgoing messages with noted
body content and ZIP attachments.
#19 - wenwilder (WebProWorld Veteran, WebProWorld MVP) - 08-17-2004, 01:53 PM
MyDoom.s prevention and cure

This mass-mailing virus appears to contain photos but actually attempts to install a backdoor Trojan horse.

A variation of the MyDoom virus appears to be e-mail containing photographs. MyDoom.s (w32.MyDoom.s@mm, also known as MyDoom.m (Norman), MyDoom.q (Symantec), MyDoom.r (Panda), and Ratos (Trend Micro)) is a mass-mailing worm that uses its own SMTP engine to send out copies of itself to addresses harvested from the infected PC. It spoofs the return address, making it hard to trace infected machines, and attempts to download a backdoor Trojan horse from one of two sites on the Internet. MyDoom.s does not affect Linux, Mac, or Unix systems. Because MyDoom.s spreads via e-mail, opens a remote access backdoor on infected PCs, and could damage system files, this worm rates a 6 on the CNET/ZDNet Virus Meter.

How it works
MyDoom.s arrives as an attachment with the following characteristics:

Subject : photos
Body : LOL!;))))
Attachment : photos_arc.exe

If the attachment is opened, MyDoom.s adds the file rasor38a.dll to the Windows folder and the file winpsd.exe to the system directory. It also makes the following system Registry changes:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winpsd" = C:\WINDOWS\System32\winpsd.exe

Once executed, MyDoom.s attempts to download a backdoor Trojan horse from either www.richcolour.com or zenandjuice.com.

Prevention
If you receive MyDoom.s, do not open the attached file. The best way to prevent infection is to make sure that your antivirus signature files are current. Also, a personal firewall will prevent the virus author from gaining remote access to your PC.

Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
#20 - wenwilder (WebProWorld Veteran, WebProWorld MVP) - 09-17-2004, 06:40 PM
Bad Bot - WORM_SDBOT.VQ

WORM_SDBOT.VQ is a memory-resident worm that spreads via network shares, and exploits specific vulnerabilities to propagate across networks. It also gathers available lists of names and passwords, and uses this gathered information to locate and list shared folders where it drops a copy of itself. This worm has backdoor capabilities and attempts to connect to an Internet Relay Chat (IRC) server to allow a remote user to access the infected system and perform malicious commands. WORM_SDBOT.VQ runs on Windows NT, 2000, and XP.

Upon execution, this memory-resident worm drops a copy of itself in the Windows System directory as EXPLORER32.EXE. It adds registry entries to enable this dropped copy to run at every Windows startup. It then creates several threads to be used for sniffing, keylogging, and other backdoor capabilities. It also attempts to send copies of itself to other systems as BLING.EXE.

This worm spreads via network shares. It gathers available lists of names and passwords, and uses this gathered information to locate and list shared folders where it drops a copy of itself. It then attempts to access systems with weak passwords to drop a copy of itself. You may view the list of usernames and passwords in the Technical Details section of this virus description at http://www.trendmicro.com/vinfo/viru...BOT.VQ&VSect=T

This worm takes advantage of the following Windows vulnerabilities:

IIS5/WEBDAV Buffer Overflow vulnerability
Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
Buffer Overflow in SQL Server 2000
Windows LSASS Vulnerability

This worm attempts to connect to the Internet Relay Chat (IRC) server, irc.t3musso.net, which allows a remote user to access the infected system and perform the following commands:

Update malware from HTTP and FTP URL
Steal CD keys of game applications
Execute a file
Download from HTTP and FTP URL
Open a command shell
Open files
Display the driver list
Get screen capture
Capture pictures and video clips
Display netinfo
Make a bot join a channel
Stop and start a thread
List all running processes
Rename a file
Generate a random nickname
Perform different kinds of DDoS attacks
Retrieve and clear log files
Terminate the bot
Disconnect the bot from IRC
Send a message to the IRC server
Let the bot perform mode change
Change BOT ID
Display connection type, local IP address and other net information
Log in and log out the user
Issue ping attack on to a target computer
Display the following system information:
-CPU speed
-Amount of Memory
-Windows platform, build version, and product ID
-Malware uptime
-User name

It also checks for the following strings, and then attempts to steal Windows product ID and CD keys for several game applications:

:.login
:,login
:!login
:@login
:$login
:%login
login
:&login
:*login
:-login
:+login
:/login
:\login
:=login
:?login
:'login
login
:~login
: login
:.auth
:,auth
:!auth
:@auth
:$auth
:%auth
:&auth
:*auth
:-auth
:+auth
:/auth
:\auth
:=auth
:?auth
:'auth
:~auth
: auth
:.hashin
:!hashin
:$hashin
:%hashin
:.secure
:!secure
:.syn
:!syn
:$syn
:%syn
paypal
PAYPAL
paypal.com
PAYPAL.COM

The remote malicious user can also issue commands to allow the bot to log user keystrokes.
#21 - wenwilder (WebProWorld Veteran, WebProWorld MVP) - 09-24-2004, 04:32 PM
WORM_MEXER.E (Low Risk)

WORM_MEXER.E is a memory-resident worm that propagates via peer-to-peer (P2P) file-sharing networks, particularly Kazaa and Imesh, and by mailing copies of itself via Simple Mail Transfer Protocol (SMTP). This worm creates a folder and drops several copies of itself into this folder, using filenames that pertain to software, movies, or games. It gathers email addresses from the infected system by scanning certain files for email addresses it can send to. WORM_MEXER.E is currently spreading in-the-wild and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this memory-resident worm displays a message box. It then adds a registry entry that allows it to automatically execute at every system startup. To propagate via peer-to-peer file-sharing networks - specifically Kazaa and Imesh - the worm creates three more registry entries.

This worm then creates a folder, named sysnet, in the root folder and drops 42 files in it. It also drops another set of randomly named files in this same folder. The filenames are formed using a combination of 70 different naming strings comprised of the titles or names of popular software, movies, and games. These filenames are meant to entice P2P network users to download and execute them. Read the Technical Details section of the Virus Description on Trend Micro's Web site for the full list of naming strings: http://www.trendmicro.com/vinfo/viru...EXER.E&VSect=T

This worm also searches for the following files:

C:\*.DBX
C:\*.DOC
C:\*.HTM
C:\*.RTF
C:\*.SHT
C:\*.TXT
C:\*.WAB

If found, the worm scans these files for email addresses and sends email to these addresses. It skips email addresses with the following strings:

admi
host
kasp
micr
newv
root
supp
viru
webm

It sends email via Simple Mail Transfer Protocol (SMTP) with any of the following details:

Subject: EBAY Information
Message body: EBAY Installer...
Attachment: <files from the sysnet folder>

Subject: VISA Information
Message body: Security Tool...
Attachment: <files from the sysnet folder>

Subject: Provider Information
Message body: New account data...
Attachment: <files from the sysnet folder>

Subject: Your Crack1
Message body: Here is your crack!
Attachment: <files from the sysnet folder>

Subject: Internet Information
Message body: New account data...
Attachment: <files from the sysnet folder>
#22 - wenwilder (WebProWorld Veteran, WebProWorld MVP) - 10-14-2004, 06:41 PM
Virus Advisory: W32/Netsky.ag@MM

--> What is it?

The latest variant of the original W32/Netsky.MM virus,
W32/Netsky.ag@MM is a Medium Risk mass-mailing worm that
arrives inside an email with a subject line, body content
and attachment file name in Portuguese.

Like its predecessors, W32/Netsky.ag@MM steals email
addresses from an infected machine, then forwards itself to
those contacts, often faking the "from: field".

--> What should I look for?

FROM: Varies (forged addresses taken from infected system).
SUBJECT: Varies. Examples: 0123456789, Abra rapido isso!!!!,
acrdito que em voce!!!
BODY: Varies. Examples: PizzaVeneza!, preenche ai ta bom,
encontro voce!
ATTACHMENT: Varies. Examples: agradou, agua!, AIDS!

--> How do I know if I've been infected?

When run, the worm displays a message box with the warning
"File corrupted replace this!". The worm copies itself to
folders with the string "share" or "sharing", network shares
and P2P shared folders, using file names like
aninha gatinha!.zip.scr, barrio.scr and cafe!!.zip.scr.

--> How do I find out more?

View details about W32/Netsky.ag@MM here.
http://us.mcafee.com/root/campaign.asp?cid=12198
#23 - wenwilder (WebProWorld Veteran, WebProWorld MVP) - 10-16-2004, 08:15 PM
Low Risk - WORM_FILI.A

WORM_FILI.A is a non-destructive worm that propagates via peer-to-peer applications by dropping copies of itself in default shared folders. It also propagates via email and Internet Relay Chat (IRC). It can disable the Windows Task Manager, thereby preventing an infected user from terminating its process. It also displays the Windows Shut Down menu (the window that pops out when CTRL+ALT+DEL keys are pressed) every few seconds to annoy the user. This worm is currently spreading in-the-wild, and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm drops a copy of itself in the Windows system folder as the file PILIF.EXE. It creates a registry entry that allows it to automatically execute at every system startup.

This worm drops copies of itself in the following folders found in the Program Files directory, which are default-shared folders of popular peer-to-peer (P2P) applications:

\BearShare\Shared
\BearShare\Shared\
\Edonkey2000\Incoming
\Edonkey2000\Incoming\
\Grokster\My Grokster
\Grokster\My Grokster\
\icq\shared files\
\Kazaa\My Shared Folder
\Kazaa\My Shared Folder\
\KMD\Shared Folder
\limewire\Shared
\limewire\Shared\
\Morpheus\My Shared Folder
\Morpheus\My Shared Folder\
\Shareaza\downloads
\WinMX\my shared folder\
Shareaza\downloads

It uses any of the following file names for its dropped copy, followed by an .EXE, .SCR, .PIF, .BAT, or .CMD extension:

Anti-hacker Utility
Cracks mega warez collection
Dark Coderz Alliance
Easy credit card validation
Free porn sites accounts
Kasperky AV Universal Key
Norton 2004 crack
Sex - totally free porn
Webmail official hacker
Yahoo hacker

This worm searches for email addresses on .HTM and .HTML files found on the affected system. It then sends email messages to these addresses using MAPI. It sends email with the following details:

Message body: (any of the following)

Important legal notice!
Do not delete this message. Analyse attachement and reply
as soon as possible with manifesto details.
Thank you!
-------------------

Please help us to save the right of freedom of expression!
All details will be displayed in small attached file. Good luck and thank you.
-------------------

You personal manifesto details are attached. Take good care of them!
-------------------

Help us gather online votes for our anti-censore manifesto
We need you help now! Attachement will automatically send a vote to our
online database once you run it and will be redirected to our webpage!
Thank you!
-------------------

Its curious, its scandalous... dont be so furious!
Life is bitch so dont take it serious.
-------------------

Please help us be free! We need the basic right of expression.
Enable an online vote for our manifesto with the help of the attachement.
Many thanks!
-------------------

Music is beeing censored, journalists are afraid, law has not been
respected for long time. Why? Because of corruption and lack of right of
expression. Help us! Enable the attachement and our voting system will
track and record you help. Many thanks!
-------------------

Parazitii need your help for the anti-censore campaign! See all details
in the attachement. Thank you!
-------------------

Its just hip-hop. Nothing else. Enjoy!
Oh yeah! one more thing: its a censore-related manifesto :)
-------------------

This is my manifesto. You can stop this individual,
but you can't stop us all...after all,we're all alike.
-------------------

Attachment: (any one of the following, followed by an .EXE, .SCR, .PIF, .BAT, or .CMD extension)

· attachement
· details
· freedom
· Freedom of expression
· Goverment issue
· JOS CeNzurA
· manifesto
· Manifesto anti pilif
· Manifesto details
· Parazitii
· pilif
· Simple solution
· stolen rights
· sustain cause

This worm drops a modified SCRIPT.INI file in the following folders:

C:\mirc\
C:\mirc32\
C:\mirc\32
%Program Files%\mirc\
%Program Files%\mirc32\

This modified IRC script sends a copy of the worm to every user who enters the same chatroom as the infected user. It displays the following message upon file transfer:

DCA are fighting for free speech. Get their manifesto now!

It then sends out the following file:

Manifesto Anti Censore Pilif.txt.exe


*Information via Trend Micro Newsletter
  #24 (permalink)  
Old 10-16-2004, 10:56 PM
WebProWorld Pro
 
Join Date: Jul 2004
Location: Reno, NV and Vancouver, BC
Posts: 105
salomon741 RepRank 0
Default

Yay! Another worm to deal with!

Anyone know when updates are going to be available in virus programs for this worm?
  #25 (permalink)  
Old 10-17-2004, 12:19 AM
wenwilder's Avatar
WebProWorld Veteran
WebProWorld MVP
 
Join Date: Jul 2003
Location: Nebraska US
Posts: 942
wenwilder RepRank 3
Default

I know trend had pc-cillian updates avaible for it on the 15th. I haven't checked any of the others, yet. I'm a bit behind on everything these days :(
  #26 (permalink)  
Old 10-23-2004, 08:29 PM
wenwilder's Avatar
WebProWorld Veteran
WebProWorld MVP
 
Join Date: Jul 2003
Location: Nebraska US
Posts: 942
wenwilder RepRank 3
Default Worm_wootbot.bj - Low Risk

WORM_WOOTBOT.BJ is a non-destructive worm that takes advantage of the Windows LSASS vulnerability in order to propagate. It drops a copy of itself into default shared folders of unpatched machines. It steals the CD keys of popular game applications, Microsoft Windows Product IDs, and Yahoo Messenger IDs. It updates itself by creating the file 1.BAT and executing it afterwards. This batch file downloads a copy of the worm from the Internet and then executes it on the compromised system. This worm is currently spreading in-the-wild and infecting systems that are running on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm drops a copy of itself as SERVICED.EXE in the Windows system folder. It executes its dropped copy and then deletes itself afterwards. It then adds several registry entries that allow it to run automatically at every system startup.

This worm copies and executes itself on vulnerable systems and searches for the following default network shares:

ADMIN$
C$
D$
IPC$

It steals Microsoft Windows Product IDs and Yahoo Messenger IDs, as well as the CD keys of the following popular games:

Battlefield 1942
Battlefield 1942: Secret Weapons Of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
IGI2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
NHL 2002
NHL 2003
Ravenshield
Shogun: Total War: Warlord Edition
Soldier Of Fortune 2
Soldiers Of Anarchy
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004

This worm appears to possess backdoor capabilities. It updates itself by creating and executing the file 1.BAT, which downloads a copy of the worm from the Internet and then executes it on the compromised system.
  #27 (permalink)  
Old 10-29-2004, 12:28 PM
wenwilder's Avatar
WebProWorld Veteran
WebProWorld MVP
 
Join Date: Jul 2003
Location: Nebraska US
Posts: 942
wenwilder RepRank 3
Default WORM_BAGLE.AT - Medium Risk Virus Alert

As of October 29, 2004, 2:07 AM (-7:00; Daylight Saving Time), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AT. TrendLabs has received several infection reports indicating that this malware is spreading in Japan, Sweden, China and Germany.

This worm uses its own SMTP engine to propagate via email. It arrives as either of the following attachments:
. PRICE.CPL
. PRICE.COM
. PRICE.EXE
. PRICE.SCR
. JOKE.CPL
. JOKE.COM
. JOKE.EXE

This worm searches the drive for folders with names containing the string "shared". It then drops itself in these shared folders using certain file names.
  #28 (permalink)  
Old 10-29-2004, 07:10 PM
Maximilian's Avatar
WebProWorld Veteran
 
Join Date: Sep 2004
Location: Las Vegas
Posts: 334
Maximilian RepRank 0
Default Re: WORM_BAGLE.AT - Medium Risk Virus Alert

Quote:
Originally Posted by wenwilder
This worm uses its own SMTP engine to propagate via email. It arrives as either of the following attachments
Greetings wenwilder!

I never open email attachments from anyone & use a top tier anti-virus scan for both incoming & outgoing email. I also have daily auto-update from the anti-virus software vendor.

What further precautions do you advise I take, in terms of malware, spyware & virus protection for my pc?

Cheers!
Max
__________________
Maximilian
Maximum Beauty Products Supply Stores
  #29 (permalink)  
Old 10-29-2004, 07:23 PM
wenwilder's Avatar
WebProWorld Veteran
WebProWorld MVP
 
Join Date: Jul 2003
Location: Nebraska US
Posts: 942
wenwilder RepRank 3
Default

I always recommend two anti-viruses - AVG is the main one I recommend. And then Spybot S & D, Ad-aware, and learn how to use HiJackThis. Know your start up programs, check your host file and about 100 other things. :)

Definitely have AVG, Spybot and Ad-aware, and learn HijackThis.
  #30 (permalink)  
Old 10-29-2004, 08:16 PM
wenwilder's Avatar
WebProWorld Veteran
WebProWorld MVP
 
Join Date: Jul 2003
Location: Nebraska US
Posts: 942
wenwilder RepRank 3
Default WORM_BAGLE.AU - Medium Risk Virus Alert

As of October 29, 2004 9:40 AM (GMT -7:00; Daylight Saving Time), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AU. TrendLabs has received several infection reports indicating that this malware is spreading in US, Japan, Sweden, Germany, Mexico, France, Argentina, Chile, Brazil, and Canada.

Like other BAGLE variants, the success of this worm may be attributed to its plain and brief email messages that bear the following details:

From: <spoofed>
Subject: any of the following
. Re:
. Re: Hello
. Re: Hi
. Re: Thank you!
. Re: Thanks :)

Message body: any of the following
. :)
. :))

Attachment: any of the following
. PRICE
. JOKE

with the following extension names
. COM
. CPL
. EXE
. SCR

This worm scans an infected system for files with certain extension names to acquire its target recipients. It then uses its own SMTP engine and the domain servers of its harvested email addresses for its mailing routine. Unsuspecting users may then receive email messages from trusted acquaintances and readily execute the attachment, thus launching this worm.

When run, it proceeds to drop copies of itself in folders with names containing the text string shar, or in shared folders. It also uses file names that appear legitimate and attractive. This enables this worm to propagate through the network as other users may accidentally download a copy of this worm thinking it is a normal application or a text file.

This worm also compromises system security by terminating several antivirus and security-related applications if found active on a system. It also connects to a list of Web sites where it may download components. It also opens port 81 possibly for its backdoor activities.

Continuing a notable BAGLE routine, it attacks another worm family known as NETSKY. It deletes several registry entries and file names associated with NETSKY. It also creates several mutexes that prevent the execution of NETSKY variants on the infected machine.

It runs on Windows 95, 98, ME, NT, 2000, and XP.
  #31 (permalink)  
Old 10-29-2004, 08:20 PM
wenwilder's Avatar
WebProWorld Veteran
WebProWorld MVP
 
Join Date: Jul 2003
Location: Nebraska US
Posts: 942
wenwilder RepRank 3
Default W32/Bagle.bb@MM & W32/Bagle.bd@MM - Medium Risk

--> What are they?

W32/Bagle.bb@MM and W32/Bagle.bd@MM are Medium Risk
mass-mailing worms that try to open up a hacker backdoor on
your computer. Carried inside an email attachment, the
viruses spread by forwarding themselves to e-mail addresses
stolen from an infected PC. Like their predecessors, they
also try to terminate anti-virus and other security software
protection.

--> What should I look for?

FROM: Varies (spoofed)
SUBJECT: Re:, Re: Hello, Re: Thank you!, Re: Thanks :),
Re: Hi
BODY: :), :))
ATTACHMENT: Price, price, Joke (with an extension of .exe,
.scr, .com or .cpl)

--> How do I know if I've been infected?

Presence of wingo.exe file in Windows system directory.
Outgoing messages and attachments as described above.

--> How do I find out more?

W32/Bagle.bb@MM:
http://us.mcafee.com/root/campaign.asp?cid=12534

W32/Bagle.bd@MM:
http://us.mcafee.com/root/campaign.asp?cid=12535
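A gateway-side matcher for the mail indicators in the two BAGLE alerts above (and for the attachment list of the "manifesto" worm from the Trend Micro post earlier in the thread), added here as an example; it is not code from the thread or from any vendor. The indicator sets are transcribed from those posts; the sample messages, the `build_message` helper and the quarantine rule are constructed assumptions.

```python
"""Check a raw RFC 822 message against the mail indicators posted in this thread (the
'manifesto' worm from the Trend Micro post and WORM_BAGLE.AT/.AU alias W32/Bagle.bb/.bd).
Added example, not from the thread or a vendor; samples and quarantine rule are constructed."""
import email
from email import policy
from email.message import EmailMessage

FAMILIES = {  # indicator sets transcribed from the advisories, lower-cased
    "BAGLE.AT/AU (Bagle.bb/bd)": {
        "subjects": {"re:", "re: hello", "re: hi", "re: thank you!", "re: thanks :)"},
        "bodies": {":)", ":))"},  # the whole body equals one of these
        "body_substring": False,
        "attach_bases": {"price", "joke"},
        "attach_exts": {".exe", ".scr", ".com", ".cpl"},
    },
    "manifesto worm (Trend Micro post)": {
        "subjects": set(),  # the post lists no subjects
        "bodies": {"manifesto", "anti-censore", "freedom of expression", "analyse attachement"},
        "body_substring": True,  # phrase anywhere in the body
        "attach_bases": {"attachement", "details", "freedom", "freedom of expression",
                         "goverment issue", "jos cenzura", "manifesto", "manifesto anti pilif",
                         "manifesto details", "parazitii", "pilif", "simple solution",
                         "stolen rights", "sustain cause"},
        "attach_exts": {".exe", ".scr", ".pif", ".bat", ".cmd"},
    },
}

def split_name(filename):  # 'Price.CPL' -> ('price', '.cpl'); no dot -> (name, '')
    base, dot, ext = filename.rpartition(".")
    return (base.lower(), "." + ext.lower()) if dot else (filename.lower(), "")

def match_indicators(raw):
    """Return {family: [reasons]} for every family with at least one hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().strip().lower() if part is not None else ""
    names = [p.get_filename() for p in msg.walk()
             if p.get_content_disposition() == "attachment" and p.get_filename()]
    hits = {}
    for family, ind in FAMILIES.items():
        reasons = []
        if subject in ind["subjects"]:
            reasons.append("subject %r" % subject)
        if (any(b in body for b in ind["bodies"]) if ind["body_substring"]
                else body in ind["bodies"]):
            reasons.append("body %r" % body[:40])
        for fn in names:
            base, ext = split_name(fn)
            if base in ind["attach_bases"] and ext in ind["attach_exts"]:
                reasons.append("attachment %r" % fn)
        if reasons:
            hits[family] = reasons
    return hits

def should_quarantine(raw):
    """A listed attachment name is decisive; subject and body only count together (a bare 'Re:' with ':)' may be a real reply)."""
    for reasons in match_indicators(raw).values():
        kinds = {r.split(" ", 1)[0] for r in reasons}
        if "attachment" in kinds or {"subject", "body"} <= kinds:
            return True
    return False

def build_message(subject, body, attachment=None):  # constructed sample messages
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "spoofed@example.com", "user@example.com", subject
    m.set_content(body)
    if attachment:  # the 'MZ' bytes stand in for an executable payload
        m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename=attachment)
    return m.as_bytes()

SAMPLE_BAGLE = build_message("Re: Thanks :)", ":)", "Price.cpl")
SAMPLE_MANIFESTO = build_message("hello", "Its just hip-hop. Nothing else. Enjoy!", "manifesto.scr")
SAMPLE_BENIGN = build_message("Re: Thanks :)", "Got the report, see you Monday.", "report.pdf")
```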
  #32 (permalink)  
Old 11-09-2004, 05:16 PM
wenwilder's Avatar
WebProWorld Veteran
WebProWorld MVP
 
Join Date: Jul 2003
Location: Nebraska US
Posts: 942
wenwilder RepRank 3
Default W32/Mydoom.ah@MM - Medium Risk

--> What is it?

W32/Mydoom.ah@MM is a Medium Risk mass-mailing worm that
exploits a "buffer overflow vulnerability" in Microsoft
Internet Explorer to spread from computer to computer using
stolen email addresses. Web links (e.g., "see my homepage")
in the spam messages point to infected systems, which then
download the virus onto new victims' machines. Unlike earlier
Mydoom variants, W32/Mydoom.ah@MM forwards no attachments.

--> What should I look for?

FROM: Spoofed.
SUBJECT: Varies. Examples: hi!, hey!, Confirmation
BODY: Varies. Examples:
- Congratulations! PayPal has successfully charged $175 to
your credit card. To see details please click this link.
- Hi! I am looking for new friends. I am from Miami, FL. You
can see my homepage with my last webcam photos!
ATTACHMENT: None.

--> How do I know if I've been infected?

When run, the virus creates a file in the WINDOWS SYSTEM
(%WinDir%\system32) directory with a random filename that
ends in 32.exe.


  #33 (permalink)  
Old 03-17-2005, 12:50 AM
WebProWorld Member
 
Join Date: Feb 2005
Location: USA
Posts: 77
RadarCat RepRank 0
Default

Quote:
Originally Posted by PitterPA
I have found some virus' difficult to delete but I haven't found one yet that you can't defeat by booting into DOS. So far anyway. But the best cure is to avoid them.
Ah, good old DOS from the days when computers were FUN
and not a constant parasiteware/malware infested pain in the neck.
__________________
RadarCat, Webmaster
http://www.os2warplinks.com
  #34 (permalink)  
Old 10-26-2005, 03:26 PM
Guest
 
Posts: n/a
Default New Virus Feed

I wanted to say we've got a new virus feed on SecurityProNews.

The feed comes from Sophos.

Please check it out and also the Sophos site for great information regarding all the socially transmitted diseases floating through your computer.
  #35 (permalink)  
Old 12-25-2007, 04:59 AM
WebProWorld Member
 
Join Date: Dec 2007
Posts: 26
rose77mary77 RepRank 0
Default Re: Virus Alerts/Updates

Very good tips again from WenWilder, and others also gave some useful tips; we must concentrate on avoiding viruses and on virus updates.
  #36 (permalink)  
Old 09-12-2008, 01:14 AM
WebProWorld New Member
 
Join Date: Sep 2008
Posts: 2
cathy_girl69 RepRank 0
Default Re: Virus Alerts/Updates

Basically the file is in use, so Norton cannot repair it. So what you do is boot in safe mode, where only a small amount of the operating system is used, allowing Norton to repair it.
You could boot in safe mode and then run your Norton, or do what I paste below.
Norton live Safe Mode virus scan
1. Go to this link, below, and save it in your favourites. Save it up at the top of your favourites drop-down list, otherwise you may not be able to see it in safe mode (drag it to the top). Close the window.
2. Turn off the popup blocker on your browser or software.
3. Turn off System Restore, as long as you are confident you don't need it. Right-click the My Computer icon > Properties > System Restore tab > Turn off. This will delete all restore points. (System Restore can harbour viruses.)
4. Boot in safe mode with networking by tapping the F8 key in the first few seconds of turning the computer on.
5. Using your browser in safe mode with networking, go to the link and choose antivirus scan; it will take quite a time to install but stick with it. It will ask to install ActiveX controls, which also take a while to install. Don't interfere, just wait a while. Run the scan when it asks. You can also run the antivirus checker afterwards, all while in safe mode.
6. Reboot normally, turn on System Restore and create a restore point.
  #37 (permalink)  
Old 02-04-2009, 02:29 AM
sushil's Avatar
WebProWorld Pro
 
Join Date: Apr 2008
Posts: 118
sushil RepRank 1
Default Re: Virus Alerts/Updates

They also use a percentage of your computer's memory which increases each year; infected systems eventually begin running a deficit and use the hard drive as virtual memory. Any attempt to clean this virus, or trim its memory requirements, results in error messages from each of the units explaining why this would cause the computer to break down.
  #38 (permalink)  
Old 02-25-2009, 10:08 AM
WebProWorld Member
 
Join Date: Feb 2009
Posts: 45
joyblogs RepRank 0
Default Re: Virus Alerts/Updates

My computer always gets infected by viruses like trojans.
Could someone explain to me where they come from?
Is it from when I surf the internet?

And my control panel can't open; is it because of this??

Need help.
  #39 (permalink)  
Old 05-12-2009, 02:56 AM
edhan's Avatar
WebProWorld Veteran
 
Join Date: Aug 2003
Location: Singapore
Posts: 716
edhan RepRank 3
Default Re: Virus Alerts/Updates

One of my clients happened to be infected by Conficker.AA and luckily managed to restore the PC back to health.

Here is some info about Conficker.AA:

Win32/Conficker.AA

Short description
Win32/Conficker.AA is a worm that spreads via shared folders and on removable media. It connects to remote machines in an attempt to exploit the Server Service vulnerability.

Installation
When executed, the worm copies itself to some of the following locations:
%system%\%variable%.dll
%program files%\Internet Explorer\%variable%.dll
%program files%\Movie Maker\%variable%.dll
%appdata%\%variable%.dll
%temp%\%variable%.dll

A string with variable content is used instead of %variable%.

The worm loads and injects the %variable%.dll library into the following processes:

explorer.exe
services.exe
svchost.exe

In order to be executed on every system start, the worm sets the following Registry entry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"%variable_name%" = "rundll32.exe "%system%\%variable%.dll", %random_string%"

The following Registry entries are set:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%\Parameters]
"ServiceDll" = "%system%\%variable%.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%]
"Image Path" = "%System Root%\system32\svchost.exe -k netsvcs"
"DisplayName" = "%random service name%"
"Type" = 32
"Start" = 2
"ErrorControl" = 0
"ObjectName" = "LocalSystem"
"Description" = "%variable_name%"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections" = 16777214

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets]
"gip" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets]
"gip" = 0

A string with variable content is used instead of %random service name%.

The following Registry entries are deleted:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}]
"wscsvc" = "%filepath%"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "%filepath%"

Spreading
The worm starts an HTTP server on a random port.

It connects to remote machines on TCP ports 139 and 445 in an attempt to exploit the Server Service vulnerability.

If successful, the remote computer may attempt to connect to the infected computer and download a copy of the worm.

This vulnerability is described in Microsoft Security Bulletin MS08-067.

Spreading via shared folders
The worm tries to copy itself into shared folders of machines on a local network.

The following usernames are used:
%username%

The following passwords are used:
123
1234
12345
123456
1234567

If successful, the following filename is used:
\\%hostname%\ADMIN$\System32\%variable%.dll

The worm schedules a task that causes the following file to be executed daily:
rundll32.exe %variable%.dll, %random_string%

Spreading on removable media
The worm copies itself into existing folders of removable drives.

If successful, the following filename is used:
%drive%\RECYCLER\S-%variable1%\%variable2%.%variable3%

A string with variable content is used instead of %variable1-3%.

The worm creates the following file:
%drive%\autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
Other information
The following services are disabled:
Windows Security Center Service (wscsvc)
Windows Automatic Update Service (wuauserv)
Background Intelligent Transfer Service (BITS)
Windows Defender Service (WinDefend)
Windows Error Reporting Service (ERSvc)
Windows Error Reporting Service (WerSvc)

The worm launches the following processes:
netsh interface tcp set global autotuning=disabled

The worm blocks access to any domains that contain any of the following strings in their name:
ahnlab
arcabit
avast
avira
castlecops

If the current system date and time matches the condition, the worm will attempt to download several files from the Internet.

The worm runs only encrypted and properly signed files.

The file is stored into the following folder:
%temp%

If successful, the following filename is used:
%variable%.tmp

A string with variable content is used instead of %variable%.

The worm may set the following Registry entries:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"%port number%:TCP" = "%port number%:TCP:*:Enabled:%variable%"

The performed data entry creates an exception in the Windows Firewall program.
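An offline triage script that checks a Windows .reg export for the Conficker.AA registry indicators listed in the post above (the netsvcs-hosted service and its ServiceDll, the disabled security services, the TcpNumConnections and SHOWALL changes and the firewall exception), added here as an example and not code from the thread or any vendor. The service names, DLL paths and the sample export are constructed, and the "netsvcs DLL outside system32" heuristic is an assumption of this example.

```python
"""Offline triage of a Windows .reg export for the Win32/Conficker.AA persistence
and tampering indicators listed above.  Added example, not code from the thread
or a vendor; service names, paths and the sample export are constructed."""
import re

SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SECURITY_SERVICES = {"wscsvc", "wuauserv", "BITS", "WinDefend", "ERSvc", "WerSvc"}

def parse_reg(text):
    """{key: {name: value}} for "string", dword and hex(2) (REG_EXPAND_SZ) values."""
    keys, cur = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join hex continuation lines
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys.setdefault(cur, {})
        elif cur and line.startswith('"') and '"=' in line:
            name, _, val = line[1:].partition('"=')
            if val.startswith('"'):  # "string" with \" and \\ escapes
                keys[cur][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif val.startswith("dword:"):
                keys[cur][name] = int(val[6:], 16)
            elif val.startswith("hex(2):"):  # UTF-16LE bytes, comma separated
                raw = bytes(int(h, 16) for h in val[7:].replace(" ", "").split(",") if h)
                keys[cur][name] = raw.decode("utf-16-le").rstrip("\x00")
    return keys

def triage(reg):
    """Return [(severity, finding)] for the registry indicators described in the post."""
    out = []
    for key, vals in reg.items():
        m = re.fullmatch(re.escape(SVC) + r"\\([^\\]+)\\Parameters", key, re.I)
        if not m or "ServiceDll" not in vals: continue
        svc, dll = m.group(1), vals["ServiceDll"]
        image = str(reg.get(SVC + "\\" + svc, {}).get("ImagePath", "")).lower()
        # The worm registers a netsvcs-hosted service whose DLL lives in system32, the
        # IE or Movie Maker folder, %appdata% or %temp%; a netsvcs DLL outside
        # system32 is the strongest sign a .reg export alone can give (heuristic).
        if "svchost.exe -k netsvcs" in image and not re.search(r"\\system32\\[^\\]+\.dll$", dll, re.I):
            out.append(("high", "netsvcs service %s loads %s" % (svc, dll)))
    for svc in sorted(SECURITY_SERVICES):
        if reg.get(SVC + "\\" + svc, {}).get("Start") == 4:  # 4 = SERVICE_DISABLED
            out.append(("medium", "security service %s is disabled" % svc))
    if reg.get(SVC + r"\Tcpip\Parameters", {}).get("TcpNumConnections") == 16777214:
        out.append(("medium", "TcpNumConnections raised to 16777214"))
    showall = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL"
    if reg.get(showall, {}).get("CheckedValue") == 0:
        out.append(("medium", "SHOWALL CheckedValue = 0 (hidden files cannot be revealed)"))
    fw = SVC + r"\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List"
    for name, val in reg.get(fw, {}).items():  # every exception is worth a look
        out.append(("review", "firewall exception %s = %s" % (name, val)))
    return out

# Constructed export; real exports write ImagePath/ServiceDll as hex(2), which
# parse_reg also decodes.  "Schedule" is the benign netsvcs control case.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwxflk]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwxflk\Parameters]
"ServiceDll"="C:\\Program Files\\Movie Maker\\ztyhfw.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\schedsvc.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections"=dword:00fffffe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"37211:TCP"="37211:TCP:*:Enabled:ztyhfw"
'''
```

Running `triage(parse_reg(SAMPLE_REG))` yields one high finding for the Movie Maker DLL and nothing for the Task Scheduler control service; on a real box, feed it the output of `reg export` for the HKLM hives.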
  #40 (permalink)  
Old 05-12-2009, 03:03 AM
kgun's Avatar
WebProWorld 1,000+ Club
WebProWorld MVP
 
Join Date: May 2005
Location: Norway
Posts: 5,673
kgun RepRank 9
Default Re: Virus Alerts/Updates

Quote:
Originally Posted by edhan View Post
Spreading
The worm starts an HTTP server on a random port.

It connects to remote machines on TCP ports 139 and 445 in an attempt to exploit the Server Service vulnerability.

If successful, the remote computer may attempt to connect to the infected computer and download a copy of the worm.

This vulnerability is described in Microsoft Security Bulletin MS08-067.
Interesting information.
  #41 (permalink)  
Old 05-18-2009, 02:01 AM
WebProWorld New Member
 
Join Date: May 2009
Posts: 6
MichaelB RepRank 0
Default Re: Virus Alerts/Updates

Thanks for this thread, it's a great Resource!