
Thread: Virus Alerts/Updates

  1. #21
    wenwilder (WebProWorld MVP, joined Jul 2003, 942 posts)

    WORM_MEXER.E (Low Risk)

    WORM_MEXER.E is a memory-resident worm that propagates via peer-to-peer (P2P) file-sharing networks, particularly Kazaa and Imesh, and by mailing copies of itself via Simple Mail Transfer Protocol (SMTP). This worm creates a folder and drops several copies of itself into this folder, using filenames that pertain to software, movies, or games. It gathers email addresses from the infected system by scanning certain files for email addresses it can send to. WORM_MEXER.E is currently spreading in-the-wild and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, this memory-resident worm displays a message box. It then adds a registry entry that allows it to automatically execute at every system startup. To propagate via peer-to-peer file-sharing networks - specifically Kazaa and Imesh - the worm creates three more registry entries.

    This worm then creates a folder, named sysnet, in the root folder and drops 42 files in it. It also drops another set of randomly named files in this same folder. The filenames are formed using a combination of 70 different naming strings comprised of the titles or names of popular software, movies, and games. These filenames are meant to entice P2P network users to download and execute them. Read the Technical Details section of the Virus Description on Trend Micro's Web site for the full list of naming strings: http://www.trendmicro.com/vinfo/viru...EXER.E&VSect=T

    This worm also searches for the following files:

    C:\*.DBX
    C:\*.DOC
    C:\*.HTM
    C:\*.RTF
    C:\*.SHT
    C:\*.TXT
    C:\*.WAB

    If found, the worm scans these files for email addresses and sends email to these addresses. It skips email addresses with the following strings:

    admi
    host
    kasp
    micr
    newv
    root
    supp
    viru
    webm

    It sends email via Simple Mail Transfer Protocol (SMTP) with any of the following details:

    Subject: EBAY Information
    Message body: EBAY Installer...
    Attachment: <files from the sysnet folder>

    Subject: VISA Information
    Message body: Security Tool...
    Attachment: <files from the sysnet folder>

    Subject: Provider Information
    Message body: New account data...
    Attachment: <files from the sysnet folder>

    Subject: Your Crack1
    Message body: Here is your crack!
    Attachment: <files from the sysnet folder>

    Subject: Internet Information
    Message body: New account data...
    Attachment: <files from the sysnet folder>
    Thinking Out Loud
    "Cat washing IS a martial art."

  2. #22
    wenwilder (WebProWorld MVP, joined Jul 2003, 942 posts)

    Virus Advisory: W32/Netsky.ag@MM

    --> What is it?

    The latest variant of the original W32/Netsky.MM virus,
    W32/Netsky.ag@MM is a Medium Risk mass-mailing worm that
    arrives inside an email with a subject line, body content
    and attachment file name in Portuguese.

    Like its predecessors, W32/Netsky.ag@MM steals email
    addresses from an infected machine, then forwards itself to
    those contacts, often faking the "from: field".

    --> What should I look for?

    FROM: Varies (forged addresses taken from infected system).
    SUBJECT: Varies. Examples: 0123456789, Abra rapido isso!!!!,
    acrdito que em voce!!!
    BODY: Varies. Examples: PizzaVeneza!, preenche ai ta bom,
    encontro voce!
    ATTACHMENT. Varies. Examples: agradou, agua!, AIDS!

    --> How do I know if I've been infected?

    When run, the worm displays a message box with the warning
    "File corrupted replace this!". The worm copies itself to
    folders with the string "share" or "sharing", network shares
    and P2P shared folders, using file names like
    aninha gatinha!.zip.scr, barrio.scr and cafe!!.zip.scr.

    --> How do I find out more?

    View details about W32/Netsky.ag@MM here.
    http://us.mcafee.com/root/campaign.asp?cid=12198

  3. #23
    wenwilder (WebProWorld MVP, joined Jul 2003, 942 posts)

    Low Risk - WORM_FILI.A

    WORM_FILI.A is a non-destructive worm that propagates via peer-to-peer applications by dropping copies of itself in default shared folders. It also propagates via email and Internet Relay Chat (IRC). It can disable the Windows Task Manager, thereby preventing an infected user from terminating its process. It also displays the Windows Shut Down menu (the window that pops out when CTRL+ALT+DEL keys are pressed) every few seconds to annoy the user. This worm is currently spreading in-the-wild, and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, this worm drops a copy of itself in the Windows system folder as the file PILIF.EXE. It creates a registry entry that allows it to automatically execute at every system startup.

    This worm drops copies of itself in the following folders found in the Program Files directory, which are default-shared folders of popular peer-to-peer (P2P) applications:

    \BearShare\Shared
    \BearShare\Shared\
    \Edonkey2000\Incoming
    \Edonkey2000\Incoming\
    \Grokster\My Grokster
    \Grokster\My Grokster\
    \icq\shared files\
    \Kazaa\My Shared Folder
    \Kazaa\My Shared Folder\
    \KMD\Shared Folder
    \limewire\Shared
    \limewire\Shared\
    \Morpheus\My Shared Folder
    \Morpheus\My Shared Folder\
    \Shareaza\downloads
    \WinMX\my shared folder\
    Shareaza\downloads

    It uses any of the following file names for its dropped copy, followed by an .EXE, .SCR, .PIF, .BAT, or .CMD extension:

    Anti-hacker Utility
    Cracks mega warez collection
    Dark Coderz Alliance
    Easy credit card validation
    Free porn sites accounts
    Kasperky AV Universal Key
    Norton 2004 crack
    Sex - totally free porn
    Webmail official hacker
    Yahoo hacker

    This worm searches for email addresses on .HTM and .HTML files found on the affected system. It then sends email messages to these addresses using MAPI. It sends email with the following details:

    Message body: (any of the following)

    Important legal notice!
    Do not delete this message. Analyse attachement and reply
    as soon as possible with manifesto details.
    Thank you!
    -------------------

    Please help us to save the right of freedom of expression!
    All details will be displayed in small attached file. Good luck and thank you.
    -------------------

    You personal manifesto details are attached. Take good care of them!
    -------------------

    Help us gather online votes for our anti-censore manifesto
    We need you help now! Attachement will automatically send a vote to our
    online database once you run it and will be redirected to our webpage!
    Thank you!
    -------------------

    Its curious, its scandalous... dont be so furious!
    Life is bitch so dont take it serious.
    -------------------

    Please help us be free! We need the basic right of expression.
    Enable an online vote for our manifesto with the help of the attachement.
    Many thanks!
    -------------------

    Music is beeing censored, journalists are afraid, law has not been
    respected for long time. Why? Because of corruption and lack of right of
    expression. Help us! Enable the attachement and our voting system will
    track and record you help. Many thanks!
    -------------------

    Parazitii need your help for the anti-censore campaign! See all details
    in the attachement. Thank you!
    -------------------

    Its just hip-hop. Nothing else. Enjoy!
    Oh yeah! one more thing: its a censore-related manifesto :)
    -------------------

    This is my manifesto. You can stop this individual,
    but you can't stop us all...after all,we're all alike.
    -------------------

    Attachment: (any one of the following, followed by an .EXE, .SCR, .PIF, .BAT, or .CMD extension)

    · attachement
    · details
    · freedom
    · Freedom of expression
    · Goverment issue
    · JOS CeNzurA
    · manifesto
    · Manifesto anti pilif
    · Manifesto details
    · Parazitii
    · pilif
    · Simple solution
    · stolen rights
    · sustain cause

    This worm drops a modified SCRIPT.INI file in the following folders:

    C:\mirc\
    C:\mirc32\
    C:\mirc\32
    %Program Files%\mirc\
    %Program Files%\mirc32\

    This modified IRC script sends a copy of the worm to every user who enters the same chatroom as the infected user. It displays the following message upon file transfer:

    DCA are fighting for free speech. Get their manifesto now!

    It then sends out the following file:

    Manifesto Anti Censore Pilif.txt.exe


    *Information via Trend Micro Newsletter
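The two posts above (W32/Netsky.ag@MM and WORM_FILI.A) both describe copies dropped into P2P shared folders under lure names, sometimes with a double extension such as .zip.scr or .txt.exe. The following is an added example of a defender-side audit script for those folders; it is not code from the forum posts or from the vendor advisories they quote. The lure names, executable extensions and shared-folder paths are taken from the advisory text; the extra data extensions beyond .zip and .txt, and the names `classify`, `in_shared_dir` and `audit`, are assumptions made here.

```python
"""Audit of file names in P2P default shared folders.

Added example; this is not code from the forum posts or from the vendor
advisories they quote. Indicators are taken from the WORM_FILI.A and
W32/Netsky.ag@MM descriptions: an executable extension, a double extension
that disguises a program as data (.zip.scr, .txt.exe), and a known lure name.
"""

# Extensions the advisory says the dropped copies use.
EXEC_EXTS = {"exe", "scr", "pif", "bat", "cmd"}

# Data extensions that a double-extension lure hides behind. The page shows
# .zip and .txt; the remaining entries are an assumption added here.
DATA_EXTS = {"zip", "txt", "doc", "jpg", "mp3", "pdf"}

# Lure base names from the advisory text (lower-cased for comparison).
LURE_NAMES = {
    "anti-hacker utility", "cracks mega warez collection", "dark coderz alliance",
    "easy credit card validation", "free porn sites accounts",
    "kasperky av universal key", "norton 2004 crack", "sex - totally free porn",
    "webmail official hacker", "yahoo hacker",
    "attachement", "details", "freedom", "freedom of expression", "goverment issue",
    "jos cenzura", "manifesto", "manifesto anti pilif", "manifesto details",
    "parazitii", "pilif", "simple solution", "stolen rights", "sustain cause",
    "manifesto anti censore pilif",
}

# Default shared folders listed in the advisory, relative to Program Files.
P2P_SHARED_DIRS = (
    "BearShare/Shared", "Edonkey2000/Incoming", "Grokster/My Grokster",
    "icq/shared files", "Kazaa/My Shared Folder", "KMD/Shared Folder",
    "limewire/Shared", "Morpheus/My Shared Folder", "Shareaza/downloads",
    "WinMX/my shared folder",
)


def classify(filename):
    """Return the indicator names that fire for a single file name, in a fixed order."""
    parts = filename.lower().split(".")
    findings = []
    if len(parts) < 2:
        return findings          # no extension at all: nothing to judge
    ext = parts[-1]
    if ext in EXEC_EXTS:
        findings.append("executable-extension")
        if len(parts) >= 3 and parts[-2] in DATA_EXTS:
            findings.append("double-extension")
    if parts[0] in LURE_NAMES:
        findings.append("lure-name")
    return findings


def in_shared_dir(path):
    """True when the path lies under one of the P2P default shared folders."""
    norm = "/" + path.replace("\\", "/").lower().strip("/") + "/"
    return any("/" + d.lower() + "/" in norm for d in P2P_SHARED_DIRS)


def audit(paths):
    """Map each file in a shared folder that has at least one indicator to its findings."""
    report = {}
    for path in paths:
        if not in_shared_dir(path):
            continue
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        findings = classify(name)
        if findings:
            report[path] = findings
    return report


# Constructed sample listing (not real data); mixes lures with benign files.
SAMPLE_PATHS = [
    r"C:\Program Files\Kazaa\My Shared Folder\Norton 2004 crack.exe",
    r"C:\Program Files\limewire\Shared\aninha gatinha!.zip.scr",
    r"C:\Program Files\Kazaa\My Shared Folder\holiday.mp3",
    r"C:\Users\me\Documents\pilif.scr",   # outside the shared folders, so not reported
]

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_PATHS).items():
        print(path, "->", ", ".join(findings))
```

The three checks are deliberately independent: a plain .exe in a shared folder is worth a look on its own, a double extension is a stronger signal because it exists only to mislead, and a lure-name hit ties the file to this specific family. Feeding the script a real directory walk is a one-line change, and the lure list is the only part that ages.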

  4. #24
    Senior Member (joined Jul 2004, 104 posts)
    Yay! Another worm to deal with!

    Anyone know when updates are going to be available in virus programs for this worm?

  5. #25
    wenwilder (WebProWorld MVP, joined Jul 2003, 942 posts)
    I know Trend had PC-cillin updates available for it on the 15th. I haven't checked any of the others, yet. I'm a bit behind on everything these days :(

  6. #26
    wenwilder (WebProWorld MVP, joined Jul 2003, 942 posts)

    WORM_WOOTBOT.BJ - Low Risk

    WORM_WOOTBOT.BJ is a non-destructive worm that takes advantage of the Windows LSASS vulnerability in order to propagate. It drops a copy of itself into default shared folders of unpatched machines. It steals the CD keys of popular game applications, Microsoft Windows Product IDs, and Yahoo Messenger IDs. It updates itself by creating the file 1.BAT and executing it afterwards. This batch file downloads a copy of the worm from the Internet and then executes it on the compromised system. This worm is currently spreading in-the-wild and infecting systems that are running on Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, this worm drops a copy of itself as SERVICED.EXE in the Windows system folder. It executes its dropped copy and then deletes itself afterwards. It then adds several registry entries that allow it to run automatically at every system startup.

    This worm copies and executes itself on vulnerable systems and searches for the following default network shares:

    ADMIN$
    C$
    D$
    IPC$

    It steals Microsoft Windows Product IDs and Yahoo Messenger IDs, as well as the CD keys of the following popular games:

    Battlefield 1942
    Battlefield 1942: Secret Weapons Of WWII
    Battlefield 1942: The Road To Rome
    Battlefield 1942: Vietnam
    Black and White
    Command and Conquer: Generals
    Command and Conquer: Generals: Zero Hour
    Command and Conquer: Red Alert2
    Command and Conquer: Tiberian Sun
    Counter-Strike
    FIFA 2002
    FIFA 2003
    Freedom Force
    Global Operations
    Gunman Chronicles
    Half-Life
    Hidden and Dangerous 2
    IGI2: Covert Strike
    Industry Giant 2
    James Bond 007: Nightfire
    Medal of Honor: Allied Assault
    Medal of Honor: Allied Assault: Breakthrough
    Medal of Honor: Allied Assault: Spearhead
    Nascar Racing 2002
    Nascar Racing 2003
    Need For Speed: Hot Pursuit 2
    Need For Speed: Underground
    Neverwinter Nights
    NHL 2002
    NHL 2003
    Ravenshield
    Shogun: Total War: Warlord Edition
    Soldier Of Fortune 2
    Soldiers Of Anarchy
    The Gladiators
    Unreal Tournament 2003
    Unreal Tournament 2004

    This worm appears to possess backdoor capabilities. It updates itself by creating and executing the file 1.BAT, which downloads a copy of the worm from the Internet and then executes it on the compromised system.

  7. #27
    wenwilder (WebProWorld MVP, joined Jul 2003, 942 posts)

    WORM_BAGLE.AT - Medium Risk Virus Alert

    As of October 29, 2004, 2:07 AM (-7:00; Daylight Saving Time), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AT. TrendLabs has received several infection reports indicating that this malware is spreading in Japan, Sweden, China and Germany.

    This worm uses its own SMTP engine to propagate via email. It arrives as either of the following attachments:
    . PRICE.CPL
    . PRICE.COM
    . PRICE.EXE
    . PRICE.SCR
    . JOKE.CPL
    . JOKE.COM
    . JOKE.EXE

    This worm searches the drive for folders with names containing the string "shared". It then drops itself in these shared folders using certain file names.

  8. #28
    Maximilian (Senior Member, joined Sep 2004, 330 posts)

    Re: WORM_BAGLE.AT - Medium Risk Virus Alert

    Quote Originally Posted by wenwilder
    This worm uses its own SMTP engine to propagate via email. It arrives as either of the following attachments
    Greetings wenwilder!

    I never open email attachments from anyone & use a top tier anti-virus scan for both incoming & outgoing email. I also have daily auto-update from the anti-virus software vendor.

    What further precautions do you advise I take, in terms of malware, spyware & virus protection for my pc?

    Cheers!
    Max

  9. #29
    wenwilder (WebProWorld MVP, joined Jul 2003, 942 posts)
    I always recommend two anti-viruses - AVG is the main one I recommend. And then Spybot S & D, Ad-aware, and learn how to use HiJackThis. Know your start up programs, check your host file and about 100 other things. :)

    Definitely have AVG, spybot and adaware, and learn HijackThis.

  10. #30
    wenwilder (WebProWorld MVP, joined Jul 2003, 942 posts)

    WORM_BAGLE.AU - Medium Risk Virus Alert

    As of October 29, 2004 9:40 AM (GMT -7:00; Daylight Saving Time), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AU. TrendLabs has received several infection reports indicating that this malware is spreading in the US, Japan, Sweden, Germany, Mexico, France, Argentina, Chile, Brazil, and Canada.

    Like other BAGLE variants, the success of this worm may be attributed to its plain and brief email messages that bear the following details:

    From:<spoofed>
    Subject: any of the following
    . Re:
    . Re: Hello
    . Re: Hi
    . Re: Thank you!
    . Re: Thanks :)

    Message body: any of the following
    . :)
    . :))

    Attachment:
    any of the following
    . PRICE
    . JOKE

    with the following extension names
    . COM
    . CPL
    . EXE
    . SCR

    This worm scans an infected system for files with certain extension names to acquire its target recipients. It then uses its own SMTP engine and the domain servers of its harvested email addresses for its mailing routine. Unsuspecting users may then receive email messages from trusted acquaintances and readily execute the attachment, thus launching this worm.

    When run, it proceeds to drop copies of itself in folders with names containing the text string shar, or in shared folders. It also uses file names that appear legitimate and attractive. This enables this worm to propagate through the network as other users may accidentally download a copy of this worm thinking it is a normal application or a text file.

    This worm also compromises system security by terminating several antivirus and security-related applications if found active on a system. It also connects to a list of Web sites where it may download components. It also opens port 81 possibly for its backdoor activities.

    Continuing a notable BAGLE routine, it attacks another worm family known as NETSKY. It deletes several registry entries and file names associated with NETSKY. It also creates several mutexes that prevent the execution of NETSKY variants on the infected machine.

    It runs on Windows 95, 98, ME, NT, 2000, and XP.
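The BAGLE.AT and BAGLE.AU alerts above list the same plain lure: a one-word "Re:" subject, a smiley body, and a PRICE or JOKE attachment with a COM, CPL, EXE or SCR extension. Below is an added example of a mail-gateway triage rule built from exactly those traits; it is not code from the forum posts or from TrendLabs. The indicator sets come from the advisory text; the `Message` type, the function names and the quarantine/review/deliver thresholds are assumptions made here.

```python
"""Mail-gateway triage rule for the BAGLE.AT / BAGLE.AU lure.

Added example; this is not code from the forum posts or from TrendLabs.
It checks the three message traits the two advisories list: a short "Re:"
subject, a smiley-only body, and a PRICE or JOKE attachment with a
COM, CPL, EXE or SCR extension. The verdict thresholds are an assumption.
"""
from dataclasses import dataclass, field
from typing import List

# Indicators copied from the WORM_BAGLE.AU advisory text (lower-cased).
BAGLE_SUBJECTS = {"re:", "re: hello", "re: hi", "re: thank you!", "re: thanks :)"}
BAGLE_BODIES = {":)", ":))"}
# Attachment base names and extensions common to BAGLE.AT and BAGLE.AU.
BAGLE_ATTACH_NAMES = {"price", "joke"}
BAGLE_ATTACH_EXTS = {"com", "cpl", "exe", "scr"}


@dataclass
class Message:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def is_bagle_attachment(name: str) -> bool:
    """True for names such as price.exe or JOKE.CPL, regardless of case."""
    base, dot, ext = name.rpartition(".")
    if not dot:
        return False
    return base.lower() in BAGLE_ATTACH_NAMES and ext.lower() in BAGLE_ATTACH_EXTS


def indicators(msg: Message) -> List[str]:
    """Names of the advisory traits present in one message, in a fixed order."""
    found = []
    if msg.subject.strip().lower() in BAGLE_SUBJECTS:
        found.append("subject")
    if msg.body.strip() in BAGLE_BODIES:
        found.append("body")
    if any(is_bagle_attachment(a) for a in msg.attachments):
        found.append("attachment")
    return found


def verdict(msg: Message) -> str:
    """Assumed policy: an executable lure attachment is quarantined outright;
    a message carrying both the subject and body lures but no such attachment
    is held for review; anything else is delivered."""
    found = indicators(msg)
    if "attachment" in found:
        return "quarantine"
    if "subject" in found and "body" in found:
        return "review"
    return "deliver"


# Constructed sample messages (not captured traffic).
SAMPLES = [
    Message("Re: Hello", ":)", ["price.exe"]),
    Message("Re: Thanks :)", ":))", []),
    Message("Quarterly price list", "Attached are the new prices.", ["price_list.xlsx"]),
    Message("Re:", "see attached", ["JOKE.CPL"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.subject!r:28} -> {verdict(m)} {indicators(m)}")
```

The attachment test carries the weight on purpose: the subject and body strings are short enough to appear in ordinary mail, so on their own they only earn a review, while a PRICE/JOKE executable has no legitimate reason to arrive by email. Because the worm forges the sender, the From header is deliberately left out of the rule.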
