W32.Bugbros@mm
Discovered January 02, 2004
Systems Affected: All Windows32 Systems
W32.Bugbros@mm
is a mass-mailing worm that uses Microsoft Outlook to send itself to all
the contacts in the Outlook address book.
The email has the following characteristics:
From: support@microsoft.com
Subject: LiveUpdate Informations
Message:
Hi,
I have send you the needed informations for the new worm-backdoor discovered.
The Backdoor is called W32.Bug.Gear.A
You can run the attachment to avoide getting hacked by closing the backdoor.
bye
Attachment:
<varies>
Read
the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.bugbros@mm.html
W32.Mimail.P@mm
Discovered January 07, 2004
Systems Affected: All Windows32 Systems
W32.Mimail.P@mm
steals the following information and sends it out by email and by HTTP POST/GET requests:
Internet account details, including the SMTP server, user name, and so on
RAS phone book entries
IP address
Email contacts
Personal information such as credit card number, birthday, social
security number, and so on
The HTTP
POST/GET requests are sent to a URL on the domain www.aquarium-fish.ru.
Email addresses the attacker may use include:
kaspersky_av@mail15.com
kaspersky_eugene@mail15.com
eugene@kaspersky.com
To collect this information, the worm displays fake PayPal graphical dialogs
that ask you to enter a credit card number and other personal details.
The stolen information is stored in C:\Tmpny3.txt, then encrypted and saved
as C:\Tmpenc.txt, which is sent to the attacker.
W32.Mimail.P@mm
is a mass-mailing worm. The email has the following characteristics:
Subject:
GREAT NEW YEAR OFFER FROM PAYPAL.COM!
Attachment: pp-app.zip
Sender: Paypal.com <donotreply@paypal.com>
Message:
Dear PayPal.com Member,
We here at PayPal.com are pleased to announce that we have a special New Year offer for you!
If you currently have an account with PayPal then you will be eligible to receive a terrific prize from PayPal.com for the New Year. For a limited time only PayPal is offering to add 10% of the total balance in your PayPal account to your account and all you have to do is register yourself within the next five business days with our application (see attachment)!
If at this time you do not have a PayPal account of your own you can also register yourself with our secure application and get this great New Year bonus! If you fill out the secure form we have provided PayPal will create an account for you (it's free) and you will receive a confirmation e-mail that your account has been created.
That's not all! If you resend this letter (with its attachment) to all of your friends you may be eligible to receive another New Year bonus because the 1000 PayPal members that send the most of these to their friends will get the bonus. If you are one of these 1000 lucky members then PayPal will add 17% of your total balance to your account!
Registration is simple. Just unpack the attachment with WinZip, run the application, and follow the instructions we have provided. If you have problems opening the application then you may want to try downloading a free version of WinZip from http://www.winzip.com
Do not miss your chance at this fantastic opportunity! Thousands of our current customers have already received their prizes and now it's your turn; so hurry up and take advantage of
Best of luck in the New Year,
PayPal.com Team
Read
the full Symantec report:
http://www.sarc.com/avcenter/venc/data/w32.mimail.p@mm.html
Trojan.Xombe
Discovered January 09, 2004
Systems Affected: All Windows32 Systems
Trojan.Xombe
is a Trojan horse with at least two components: a 4,096-byte downloader
and a 27,136-byte Trojan. The downloader retrieves the Trojan file from a
predetermined Web site.
The downloader
component has been distributed in an unsolicited email purporting to be a
security update for Windows XP sent by Microsoft.
The email
has the following characteristics:
From: windowsupdate@microsoft.com
Subject: Windows XP Service Pack 1 (Express) - Critical Update.
Body:
Window Update has determined that you are running a beta version of Windows XP Service Pack 1 (SP1). To help improve the stability of your computer, Microsoft recommends that you remove the beta version of Windows XP SP1 and re-install Windows XP SP1. If you cannot remove the beta version, you should still reinstall Windows XP SP1.
Windows XP SP1 provides the latest security, reliability, and performance updates to the Windows XP family of operating systems. Windows XP SP1 is designed to ensure Windows XP platform compatibility with newly released software and hardware, and includes updates to resolve issues discovered by customers or by Microsoft's internal testing team.
The maximum download size is approximately 3 MB, however the size of the download and time required may be less for computers that have had updates previously installed.
To minimize the download time needed for installation, setup will only download those files which are required to bring your computer up to date. Windows XP SP1 includes Internet Explorer 6 SP1. Anti-virus software programs may interfere with the installation of Windows XP SP1. Please disable anti-virus software while installing the service pack.
Just run the file winxp_sp1.exe in attach and make sure to restart your PC after installation will be completed.
©2004 Microsoft Corporation. All rights reserved. Terms of Use
Privacy Statement
Read the full Symantec report:
http://www.sarc.com/avcenter/venc/data/trojan.xombe.html
W32.Beagle.A@mm
Discovered January 18, 2004
Systems Affected: All Windows32 Systems
W32.Beagle.A@mm
is a mass-mailing worm that stops running after January 28, 2004. The worm
drops several files and creates registry keys on the system. It also accesses
remote websites and emails itself to every contact it can find.
The email
will have the following characteristics:
Subject:
Hi
Message:
Test =)
<Random characters>
--
Test, yep.
Filename:
<Random>.exe
Filesize:
16 KB
Read
the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.a@mm.html
Download
the removal tool here:
http://www.sarc.com/avcenter/venc/data/w32.beagle.a@mm.removal.tool.html
W32.Dumaru.Y@mm
Discovered January 23, 2004
Systems Affected: All Windows32 Systems
W32.Dumaru.Y@mm
is a multi-threaded, mass-mailing worm that opens
a backdoor, runs a keylogger, and attempts to steal personal information.
It is very similar to W32.Dumaru.M@mm.
It uses its
own SMTP engine to spread to email addresses that it finds
in files on the infected system. The email has the following characteristics:
From:
"Elene" <F**KENSUICIDE@HOTMAIL.COM> (censored)
Subject: Important information for you. Read it immediately !
Message:
Hi !
Here is my photo, that you asked for yesterday.
Attachment: myphoto.zip
The attachment
is a zip file which contains the worm executable as
"myphoto.jpg .exe". (There are 56 spaces between "jpg"
and ".exe".)
Read
the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.dumaru.y@mm.html
Download
the removal tool here:
http://sarc.com/avcenter/venc/data/w32.dumaru.removal.tool.html
W32.Dumaru.Z@mm
Discovered January 25, 2004
Systems Affected: All Windows32 Systems
W32.Dumaru.Z@mm
is a multi-threaded, mass-mailing worm that downloads
and runs a file, runs a keylogger, and attempts to steal personal information.
This worm is similar to the W32.Dumaru.Y@mm worm.
The email
has the following characteristics:
From: "Elene"
<F**KENSUICIDE@HOTMAIL.COM> (censored)
Subject: Important information for you. Read it immediately !
Attachment: Myphoto.zip
The attachment
is a zip file that contains the worm executable as
"myphoto.jpg<spaces>.exe". (There are numerous spaces between
".jpg" and ".exe".)
Read
the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.dumaru.z@mm.html
Download
the removal tool here:
http://sarc.com/avcenter/venc/data/w32.dumaru.removal.tool.html
W32.Novarg.A@mm
Discovered January 26, 2004
Systems Affected: All Windows32 Systems
W32.Novarg.A@mm
is a mass-mailing worm. It arrives as an attachment with a file extension
of .bat, .cmd, .exe, .pif, .scr, or .zip.
When the
machine becomes infected, the worm opens a backdoor into the system by
listening on TCP ports 3127 through 3198. This potentially allows an attacker
to connect to the machine and use it as a proxy to gain access to its
network resources. In addition, the backdoor can download and execute
arbitrary files.
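A quick way to check a host for that backdoor is to look for anything listening in the 3127-3198 range. The script below is an added example, not Symantec's removal tool or the worm's code: it parses netstat output (the sample output is constructed for this example, and the Windows and Linux line formats it understands are assumptions) and, optionally, probes a host over TCP. Only the port range comes from the write-up.

```python
# Added example: flag listeners in the W32.Novarg.A@mm / Mydoom backdoor port range.
# Not Symantec's tool. SAMPLE_NETSTAT is constructed; the netstat line formats
# the regex accepts (Windows "netstat -an" and Linux "netstat -ant") are assumptions.
import re
import socket

BACKDOOR_PORTS = range(3127, 3199)   # 3127 through 3198 inclusive, per the write-up

# Windows:  "  TCP    0.0.0.0:3127   0.0.0.0:0   LISTENING"
# Linux:    "tcp   0   0 0.0.0.0:3127   0.0.0.0:*   LISTEN"   (recv-q/send-q columns optional)
LISTENER_RE = re.compile(
    r"^\s*tcp\S*\s+(?:\d+\s+\d+\s+)?(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN",
    re.IGNORECASE,
)


def backdoor_listeners(netstat_output):
    """Return (local address, port) pairs that are listening inside the Mydoom range."""
    hits = []
    for line in netstat_output.splitlines():
        m = LISTENER_RE.match(line)
        if m and int(m.group("port")) in BACKDOOR_PORTS:
            hits.append((m.group("addr"), int(m.group("port"))))
    return hits


def probe(host, ports=BACKDOOR_PORTS, timeout=0.2):
    """Live check from another machine: TCP connect to each port, return those that accept."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 means the connection was accepted
                open_ports.append(port)
    return open_ports


# Constructed "netstat -an" output from a Windows host; two ports fall in the range,
# 3199 is just outside it and 3389 is an established session, not a listener.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3128      0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3389      10.0.0.5:51012         ESTABLISHED
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for addr, port in backdoor_listeners(SAMPLE_NETSTAT):
        print("possible Mydoom backdoor listener on %s:%d" % (addr, port))
```

A listener in this range is a strong indicator but not proof on its own; confirm with the process owning the socket and the removal tool linked below. Note that a host-based firewall can hide the listener from a remote probe while netstat on the host still shows it.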
The worm
will perform a DoS against www.sco.com starting on February 1, 2004. On
February 12, 2004 the worm has a trigger date to stop spreading.
The email
will have the following characteristics:
From:
The "From" address may be spoofed.
Subject:
(The subject will be one of the following)
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message:
(The message will be one of the following)
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
Attachment:
(The attachment will be one of the following)
document
readme
doc
text
file
data
test
message
body
Note: The
attachment may have two suffixes and if so, the first suffix will be one
of the following:
.htm
.txt
.doc
Either way,
it will always end with one of the following suffixes:
.pif
.scr
.exe
.cmd
.bat
.zip
This worm
is widely distributed and, at the time of writing, current virus definitions
do not protect you from it. Best practice for the next 3-4 days is not to
open any email attachments that end in .bat, .cmd, .exe, .pif, .scr
or .zip.
Read
the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.novarg.a@mm.html
Download
the removal tool here:
http://www.sarc.com/avcenter/venc/data/w32.novarg.a@mm.removal.tool.html
W32.Mydoom.B@mm
Discovered January 28, 2004
Systems Affected: All Windows32 Systems
W32.Mydoom.B@mm
is a mass-mailing worm that arrives as an attachment
with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.
When a computer
is infected, the worm will set up a backdoor into the
system, which can potentially allow an attacker to connect to the
computer and use it as a proxy to gain access to its network resources.
In addition,
the backdoor can download and execute arbitrary files.
The worm
will perform a Denial of Service (DoS) against www.microsoft.com
starting February 3, 2004 and www.sco.com starting February 1, 2004.
It also has a trigger date to stop spreading on March 1, 2004. These
events occur only if the worm is running on or after those dates.
While the worm will stop spreading on March 1, 2004, the backdoor
component will continue to function after this date.
The email
will have the following characteristics:
From:
The "From" address may be spoofed.
Subject:
The subject will be one of the following:
Returned mail
Delivery Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi
Message:
The message will be one of the following:
sendmail daemon reported:
Error #804 occured during SMTP session. Partial message has been received.
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary
attachment.
The message contains MIME-encoded graphics and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
Attachment:
The attachment
may have either one or two file extensions. If it does
have two, the first extension will be one of the following:
.htm
.txt
.doc
The second
extension, or the only extension if there is only one, will be one of
the following:
.pif
.scr
.exe
.cmd
.bat
.zip (This is an actual .zip file that contains a copy of the worm, sharing
the same file name as the .zip. For example, readme.zip can contain readme.exe.)
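The attachment tricks described for W32.Dumaru.Y@mm and W32.Dumaru.Z@mm (a run of spaces hiding the real .exe extension), W32.Novarg.A@mm (a .htm/.txt/.doc decoy extension in front of the executable one) and W32.Mydoom.B@mm (readme.zip carrying readme.exe) are all visible in the attachment file name or the zip directory without running anything. The Python script below is an added example, not code from Symantec or from the worms: it parses a message, applies those three checks plus the quoted subject lines, and peeks inside zip attachments in memory. The sample message, the zip archive and the sender address are constructed for this example; the extension lists, subject lines and name patterns come from the write-ups above.

```python
# Added example: mail-gateway attachment triage for the Dumaru / Novarg / Mydoom.B lures.
# Not Symantec's or the worms' code. The sample message, archive and sender are constructed.
import base64
import email
import io
import os
import re
import zipfile

EXEC_SUFFIXES = {".pif", ".scr", ".exe", ".cmd", ".bat"}   # final suffix listed for Novarg/Mydoom.B
DECOY_SUFFIXES = {".htm", ".txt", ".doc", ".jpg"}            # decoy first suffix (.jpg from Dumaru)
LURE_SUBJECTS = {                                            # subjects quoted for Novarg.A and Mydoom.B
    "test", "hi", "hello", "mail delivery system", "mail transaction failed",
    "server report", "status", "error", "returned mail", "delivery error",
}


def classify_name(name):
    """Return the reasons one attachment file name looks like a worm lure."""
    reasons = []
    lowered = name.lower()
    # Dumaru.Y/Z: "myphoto.jpg<56 spaces>.exe" pushes the real extension out of view.
    padded = re.match(r"^(.+?\.[a-z0-9]{2,4})(\s{2,})(\.[a-z0-9]{2,4})$", lowered)
    if padded:
        reasons.append("whitespace-padded extension (%d spaces)" % len(padded.group(2)))
        lowered = padded.group(1) + padded.group(3)
    stem, final = os.path.splitext(lowered)
    if final in EXEC_SUFFIXES:
        reasons.append("executable attachment (%s)" % final)
        decoy = os.path.splitext(stem)[1]
        if decoy in DECOY_SUFFIXES:                     # Novarg: document.txt.pif
            reasons.append("double extension (%s%s)" % (decoy, final))
    return reasons


def inspect_zip(zip_name, data):
    """Mydoom.B: readme.zip carrying readme.exe. Read the directory without extracting."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["zip attachment is not a valid archive"]
    zip_stem = os.path.splitext(os.path.basename(zip_name.lower()))[0]
    reasons = []
    with archive:
        for member in archive.namelist():
            reasons += ["%s: %s" % (member, r) for r in classify_name(member)]
            member_stem, member_ext = os.path.splitext(member.lower())
            if member_ext in EXEC_SUFFIXES and member_stem == zip_stem:
                reasons.append("%s: executable named after the archive itself" % member)
    return reasons


def triage(raw):
    """Parse one RFC 822 message; return the findings and a quarantine/pass verdict."""
    msg = email.message_from_bytes(raw)
    findings = {"subject": [], "attachments": {}}
    if (msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS:
        findings["subject"].append("subject matches a Novarg/Mydoom lure")
    for part in msg.walk():
        name = part.get_filename()          # None for body text and multipart containers
        if part.get_content_maintype() == "multipart" or not name:
            continue
        reasons = classify_name(name)
        if name.lower().endswith(".zip"):
            reasons += inspect_zip(name, part.get_payload(decode=True))
        if reasons:
            findings["attachments"][name] = reasons
    findings["verdict"] = "quarantine" if findings["attachments"] else "pass"
    return findings


# Constructed message shaped like the Mydoom.B mail quoted above; the sender is made up.
SAMPLE_TEMPLATE = (
    "From: spoofed@example.com\r\nSubject: Mail Transaction Failed\r\n"
    "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    "--b1\r\nContent-Type: text/plain\r\n\r\n"
    "The message contains Unicode characters and has been sent as a binary attachment.\r\n"
    "--b1\r\nContent-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment; filename=\"{name}\"\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n{body}\r\n--b1--\r\n"
)


def build_sample_message(attachment_name, payload):
    body = base64.b64encode(payload).decode()
    return SAMPLE_TEMPLATE.format(name=attachment_name, body=body).encode()


def build_sample_zip(member_name):
    """In-memory archive holding a dummy MZ stub in place of the worm body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, payload in [("readme.zip", build_sample_zip("readme.exe")),        # Mydoom.B
                          ("document.txt.pif", b"MZ"),                           # Novarg.A
                          ("myphoto.jpg" + " " * 56 + ".exe", b"MZ"),            # Dumaru.Y
                          ("notes.txt", b"plain text")]:                         # control
        result = triage(build_sample_message(name, payload))
        print(result["verdict"], repr(name[:24]), result["attachments"].get(name, []))
```

The verdict is driven by the attachment checks only; a matching subject alone is recorded but not enough to quarantine, since "hi" and "test" are common legitimate subjects. For real traffic, also reject zip members whose names contain the padding trick, which the same classify_name call inside inspect_zip already catches.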
Read
the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.mydoom.b@mm.html
W32.HLLW.Anig
Discovered January 29, 2004
Systems Affected: All Windows32 Systems
W32.HLLW.Anig
is a network-aware worm that captures keystrokes
and passwords. The presence of the file ntosa32.exe is an indication
of a possible infection. W32.HLLW.Anig is written in the Delphi programming
language.
Symantec
Security Response has developed a removal tool to clean
the infections of W32.HLLW.Anig.
Read
the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.hllw.anig.html
Download
the removal tool here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.anig.removal.tool.html