
 

Virus News   

 


 

 

January 2005

Select the links for detailed information and removal tools for the latest viruses



W32.Mydoom.AO 1/31/2005 2
W32.Mugly.H 1/31/2005 2
VBS.Gormlez 1/31/2005 2
W32.Sober.J 1/30/2005 2
Backdoor.Sdbot.AO 1/30/2005 2
W32.Mydoom.AN 1/28/2005 2
W32.Cissi.W 1/28/2005 2
Backdoor.Sdbot.AN 1/28/2005 2
Backdoor.Sdbot.AM 1/27/2005 2
W32.Beagle.BA 1/27/2005 2
W32.Spybot.IVQ 1/26/2005 2
W32.Beagle.AZ 1/26/2005 2
W32.Bropia.C 1/26/2005 2
W32.Mugly.G 1/26/2005 2
W32.Beagle.AY 1/26/2005 2
W32.Ahker.B 1/26/2005 2
W32.Mydoom.AM 1/25/2005 2
Backdoor.Berbew.O 1/24/2005 2
W32.Crowt.A 1/23/2005 2
W32.Salga.B 1/21/2005 2
W32.Blatic.A 1/21/2005 2
W32.Nodmin 1/21/2005 2
W32.Mirsa.A 1/21/2005 2
W32.Mydoom.AL 1/19/2005 2
W32.Bropia 1/19/2005 2
Downloader.Admincash 1/19/2005 2
W32.Zar.A 1/18/2005 2
VBS.Rowam.A 1/18/2005 2
W32.Mydoom.AI 1/16/2005 2
Backdoor.Sdbot.AK 1/14/2005 2
W32.Mugly.F 1/14/2005 2
W32.Mugly.E 1/13/2005 2
W32.Mugly.D 1/13/2005 2
W32.Linkbot.H 1/12/2005 2
W32.Kobot.B 1/11/2005 2
Backdoor.Sdbot.AJ 1/10/2005 2
W32.Spybot.HUR 1/7/2005 2
W32.Looked.B 1/7/2005 2
W32.Rahack 1/6/2005 2
Backdoor.Sdbot.AI 1/3/2005 2


Backdoor.Sdbot.AI
Discovered January 03, 2005

Systems Affected: All Windows32 Systems

Backdoor.Sdbot.AI is a network-aware worm with back door capabilities. It allows a remote attacker to gain unauthorized access to the infected computer and spreads via network shares.

Compromises security settings: Opens a back door on the infected computer.
Ports: TCP port 29147

Read the full Symantec report here


W32.Rahack
Discovered January 06, 2005

Systems Affected: All Windows32 Systems

W32.Rahack is a worm that spreads to computers running Radmin software by exploiting weak passwords to connect to the Radmin server.

Payload: Allows unauthorized remote access
Ports: TCP port 4899

Read the full Symantec report here


W32.Looked.B
Discovered January 07, 2005

Systems Affected: All Windows32 Systems

W32.Looked.B is a worm that downloads a file and then infects .exe files. The worm also spreads through shared folders.

Modifies files: Prepends itself to .exe files.
Compromises security settings: Terminates security-related processes and blocks access to Web sites.

Read the full Symantec report here


W32.Spybot.HUR
Discovered January 7, 2005

Systems Affected: All Windows32 Systems

W32.Spybot.HUR is a worm that has distributed denial of service and back door capabilities. The worm spreads to network shares protected by weak passwords and by exploiting system vulnerabilities.

Payload: Opens a back door.
Ports: TCP port 3515

Read the full Symantec report here


Backdoor.Sdbot.AJ
Discovered January 10, 2005

Systems Affected: All Windows32 Systems

Backdoor.Sdbot.AJ is a network-aware worm with back door capabilities that spreads via network shares and allows a remote attacker to gain unauthorized access to the compromised computer.

Payload: Opens a back door.
Ports: TCP port 59

Read the full Symantec report here


W32.Kobot.B
Discovered January 11, 2005

Systems Affected: All Windows32 Systems

W32.Kobot.B is a worm that spreads through open network shares, telnet, dameware, realserv, VNC, and niprint. This worm also uses three remotely exploitable Windows vulnerabilities to propagate.

The worm can also function as an email relay and as a proxy for HTTP and SOCKS.

The worm uses multiple vulnerabilities to spread, including:

  • The Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011).
  • The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026).
  • The Microsoft SQL Server Web Task Stored Procedure Privilege Escalation Vulnerability (described in Microsoft Security Bulletin MS02-061).

Payload: Allows unauthorized remote access.
Ports: Connects to IRC servers using TCP port 5467.

Read the full Symantec report here


W32.Linkbot.H
Discovered January 12, 2005

Systems Affected: All Windows32 Systems

W32.Linkbot.H is a worm that exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (Microsoft Security Bulletin MS04-011) in order to propagate. It also creates a back door on the system accessible through IRC.

Payload: Allows unauthorized remote access.
Ports: Connects on TCP port 10500. Listens on TCP port 113.
Shared drives: Attempts to copy itself to network shares and systems vulnerable to the Microsoft Windows LSASS Buffer Overrun.

Read the full Symantec report here


W32.Mugly.D@mm
Discovered January 13, 2005

Systems Affected: All Windows32 Systems

W32.Mugly.D@mm is a worm that uses its own SMTP engine to spread by sending itself as an email attachment to addresses gathered from the compromised computer. The worm also drops and runs a W32.Randex variant.

Large scale e-mailing: Sends a copy of itself to all addresses found on the compromised computer.
Compromises security settings: Terminates security-related processes.
Name of attachment: attached.zip

Read the full Symantec report here


W32.Mugly.F@mm
Discovered January 14, 2005

Systems Affected: All Windows32 Systems

W32.Mugly.F@mm is a worm that uses its own SMTP engine to spread by sending itself as an email attachment to addresses gathered from the compromised computer. The worm also drops and runs a W32.Spybot.Worm variant.

Large scale e-mailing: Sends a copy of itself to all addresses found on the compromised computer.
Name of attachment: attached.zip

Read the full Symantec report here


W32.Mugly.E@mm
Discovered January 13, 2005

Systems Affected: All Windows32 Systems

W32.Mugly.E@mm is a worm that uses its own SMTP engine to spread by sending itself as an email attachment to addresses gathered from the compromised computer. The worm also drops and runs a W32.Spybot.Worm variant.

Due to the threat potential and increased prevalence in the wild, Symantec Security Response has upgraded W32.Mugly.E@mm from a Category 1 to a Category 2 as of January 14, 2005.

Large scale e-mailing: Sends a copy of itself to all addresses found on the compromised computer.
Name of attachment: attached.zip

Read the full Symantec report here


Backdoor.Sdbot.AK
Discovered January 14, 2005

Systems Affected: All Windows32 Systems

Backdoor.Sdbot.AK is a network-aware worm that opens a back door and allows a remote attacker to gain unauthorized access to the compromised computer.

Payload: Opens a back door.
Ports: TCP port 6667

Read the full Symantec report here


W32.Mydoom.AI@mm
Discovered January 16, 2005

Systems Affected: All Windows32 Systems

W32.Mydoom.AI@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses that it finds on an infected computer.

Read the full Symantec report here


VBS.Rowam.A
Discovered January 18, 2005

Systems Affected: All Windows32 Systems

VBS.Rowam.A is a Trojan horse that attempts to delete files and perform various nuisance actions, including sending email to all addresses in the Microsoft Outlook address book. The email is not a method of propagation.

Large scale e-mailing: May send non-viral email to all addresses in the Outlook address book.
Deletes files: Deletes all files in the %Windir%, %Windir%\system, and %Windir%\system32 folders.
Subject of email: Free Msn Upgrade
Name of attachment: No attachment
Size of attachment: No attachment

Read the full Symantec report here


W32.Zar.A@mm
Discovered January 18, 2005

Systems Affected: All Windows32 Systems

W32.Zar.A@mm is a mass-mailing worm that uses MAPI to send an email to all addresses in the Microsoft Outlook Address Book. This threat is written in Visual Basic.

Payload: Performs a denial of service attack on the domain www.hacksector.de.
Large scale e-mailing: Sends email to all addresses in the Microsoft Outlook Address Book.
Subject of email: Tsunami Donation! Please help
Name of attachment: tsunami.exe

Read the full Symantec report here


Downloader.Admincash
Discovered January 19, 2005

Systems Affected: All Windows32 Systems

Downloader.Admincash is a Trojan horse program that infects the Explorer.exe file, lowers security settings in Windows, and downloads adware and dialers.

Payload: Downloads remote files, which may include adware and dialers.
Modifies files: Infects Explorer.exe.
Compromises security settings: Modifies Windows security settings.

Read the full Symantec report here


W32.Bropia
Discovered January 19, 2005

Systems Affected: All Windows32 Systems

W32.Bropia is a worm that spreads via Microsoft's MSN Messenger instant message program and drops a variant of W32.Spybot.Worm.

Target of infection: Attempts to spread to MSN Messenger contacts.

Read the full Symantec report here


W32.Mydoom.AL@mm
Discovered January 19, 2005

Systems Affected: All Windows32 Systems

W32.Mydoom.AL@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses that it finds on a compromised computer. It also spreads by using ICQ instant messenger. The worm attempts to exploit the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS04-040).

This worm downloads and runs a copy of Backdoor.Nemog.D.

Large scale e-mailing: Sends a copy of itself to email addresses gathered from the compromised computer
Modifies files: Modifies the hosts file to block access to security-related Web sites.
Compromises security settings: Blocks access to security-related Web sites and ends the processes of security-related software.

Read the full Symantec report here


W32.Mirsa.A@mm
Discovered January 21, 2005

Systems Affected: All Windows32 Systems

W32.Mirsa.A@mm is a mass-mailing worm that uses MAPI to send an email to all addresses in the Microsoft Outlook Address Book.

Large scale e-mailing: Sends emails to addresses in the Outlook Address Book.
Degrades performance: Mass-mails may impact system performance.

Read the full Symantec report here


W32.Nodmin@mm
Discovered January 21, 2005

Systems Affected: All Windows32 Systems

W32.Nodmin@mm is a mass-mailing worm that alters computer settings and spreads via file sharing networks. The worm also attempts to lower security settings by terminating and disabling various anti-virus and security related programs.

Large scale e-mailing: Sends itself to addresses harvested from files on the local system.
Degrades performance: Mass-mailing may clog mail servers or degrade network performance.
Compromises security settings: Terminates various anti-virus and security related processes.
Subject of email: Varies.
Name of attachment: Varies with .pif, .exe, and .scr file extensions.

Read the full Symantec report here


W32.Blatic.A
Discovered January 21, 2005

Systems Affected: All Windows32 Systems

W32.Blatic.A is a worm that spreads through network shares and has back door functionality allowing it to receive commands from a remote attacker through IRC channels.

Payload: Opens a back door.
Ports: TCP port 6667

Read the full Symantec report here


W32.Salga.B@mm
Discovered January 21, 2005

Systems Affected: All Windows32 Systems

W32.Salga.B@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to all the email addresses that it finds in the Outlook Address Book. It also attempts to spread through mIRC, file sharing networks, and network shares.

Large scale e-mailing: Sends itself to email addresses it finds in the Microsoft Outlook Address Book.
Modifies files: Overwrites the Hosts file.
Degrades performance: Sending a mass-mailing may impact system performance.
Subject of email: Varies.
Name of attachment: Britny spears marriage with Bnladen son.zip.exe
Shared drives: Creates a network share named "magic_cam", which contains a copy of the worm.

Read the full Symantec report here


W32.Crowt.A@mm
Discovered January 23, 2005

Systems Affected: All Windows32 Systems

W32.Crowt.A@mm is a mass-mailing worm that opens a back door, logs keystrokes and emails itself to all addresses in the Microsoft Outlook Address Book. The email has a variable subject and attachment name. The attachment has a .exe file extension.

Payload: Allows unauthorized remote access.
Large scale e-mailing: Sends email to addresses found in the Microsoft Outlook address book
Subject of email: Varies
Name of attachment: Varies with .exe file extension.
Size of attachment: 26,624 bytes

Read the full Symantec report here


Backdoor.Berbew.O
Discovered January 24, 2005

Systems Affected: All Windows32 Systems

Backdoor.Berbew.O is a Trojan horse program that steals passwords from a compromised computer. The Trojan opens a back door and allows a remote attacker to have unauthorized access to the compromised computer. The Trojan also attempts to lower security settings in Internet Explorer.

Payload: Opens a back door and allows the computer to be used as a covert proxy.
Releases confidential info: Installed keylogger steals confidential information.
Compromises security settings: Lowers security settings in Internet Explorer.

Read the full Symantec report here


W32.Mydoom.AM@mm
Discovered January 25, 2005

Systems Affected: All Windows32 Systems

W32.Mydoom.AM@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on the infected computer. It also propagates through popular peer-to-peer networks. The email will have a variable subject and attachment name. The attachment will have a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.

W32.Mydoom.AM@mm is a minor variant of W32.Mydoom.AG@mm.

Large scale e-mailing: Sends itself to addresses harvested from the infected machine.
Modifies files: Modifies the hosts file.
Compromises security settings: Disables anti-virus and firewall applications
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.

Read the full Symantec report here


W32.Ahker.B@mm
Discovered January 26, 2005

Systems Affected: All Windows32 Systems

W32.Ahker.B@mm is a mass-mailing worm that sends itself to all addresses in the Windows Address Book. The worm also disables several Windows security features.

Large scale e-mailing: Sends email to all addresses in the Windows Address Book.
Modifies files: Modifies the hosts file.
Compromises security settings: Disables several Windows security features.
Subject of email: Service Pack 2 BUG!!
Name of attachment: Fix_SP2.zip

Read the full Symantec report here


W32.Beagle.AY@mm
Discovered January 26, 2005

Systems Affected: All Windows32 Systems

W32.Beagle.AY@mm is a mass-mailing worm that also spreads through file-sharing networks. The email will have a variable subject and attachment name. The attachment will have a .com, .cpl, .exe, or .scr file extension.

Large scale e-mailing: Sends email to addresses collected from the infected computer.
Subject of email: Varies
Name of attachment: Varies with .com, .cpl, .exe, or .scr file extension
Size of attachment: Varies

Read the full Symantec report here
Download the Removal Tool here


W32.Mugly.G@mm
Discovered January 26, 2005

Systems Affected: All Windows32 Systems

W32.Mugly.G@mm is a worm that uses its own SMTP engine to spread by sending itself as an email attachment to addresses gathered from the compromised computer. The email will have a variable subject line and a variable attachment name. The attachment will have a .scr file extension.

Payload: Drops and executes a W32.Spybot.Worm variant.
Large scale e-mailing: Sends a copy of itself to all addresses found on the compromised computer.
Subject of email: Varies
Name of attachment: Varies with .scr file extension.
Size of attachment: 351,744 bytes

Read the full Symantec report here


W32.Bropia.C
Discovered January 26, 2005

Systems Affected: All Windows32 Systems

W32.Bropia.C is a worm that propagates using MSN Messenger and drops a variant of W32.Spybot.Worm.

Payload: Drops and executes a W32.Spybot.Worm variant.
Target of infection: Attempts to spread via MSN Messenger

Read the full Symantec report here


W32.Beagle.AZ@mm
Discovered January 26, 2005

Systems Affected: All Windows32 Systems

W32.Beagle.AZ@mm is a mass-mailing worm that also spreads through file-sharing networks. The email will have a variable subject and attachment name. The attachment will have a .com, .cpl, .exe, or .scr file extension.

Large scale e-mailing: Sends email to addresses collected from the infected computer.
Subject of email: Varies
Name of attachment: Varies with .com, .cpl, .exe, or .scr file extension
Size of attachment: Varies

Read the full Symantec report here
Download the Removal Tool here


W32.Spybot.IVQ
Discovered January 26, 2005

Systems Affected: All Windows32 Systems

W32.Spybot.IVQ is a worm that has distributed denial of service and back door capabilities. The worm spreads to network shares, MySQL servers, and Microsoft SQL servers protected by weak passwords and by exploiting system vulnerabilities.

Payload: Allows unauthorized remote access.
Ports: TCP ports 135, 445, 1433, 3306, 5002, and 5003.
Shared drives: Copies itself to network shares, MySQL servers, and Microsoft SQL servers.

Read the full Symantec report here


W32.Beagle.BA@mm
Discovered January 27, 2005

Systems Affected: All Windows32 Systems

W32.Beagle.BA@mm is a mass-mailing worm that uses its own SMTP engine to spread to peer-to-peer and file sharing networks. It opens a back door on the compromised computer and attempts to lower security settings. The worm may also download and execute remote files.
W32.Beagle.BA@mm is a repacked variant of W32.Beagle.AZ@mm.

Payload: Downloads remote files.
Large scale e-mailing: Sends a copy of itself to email addresses gathered from the compromised computer.
Compromises security settings: Ends security-related processes.
Subject of email: Varies
Name of attachment: Varies with a .com, .cpl, .exe, or .scr file extension.
Ports: TCP port 81.

Read the full Symantec report here
Download the Removal Tool here



Backdoor.Sdbot.AM
Discovered January 27, 2005

Systems Affected: All Windows32 Systems

Backdoor.Sdbot.AM is a network-aware worm with back door and denial of service capabilities. The worm spreads via network shares and allows a remote attacker to gain unauthorized access to the compromised computer.

Releases confidential info: Allows unauthorized remote access.
Compromises security settings: Opens a back door on the infected computer.
Ports: TCP port 64444.

Read the full Symantec report here


Backdoor.Sdbot.AN
Discovered January 28, 2005

Systems Affected: All Windows32 Systems

Backdoor.Sdbot.AN is a worm with back door capabilities that gives an attacker remote access to the compromised computer via IRC channels.

Releases confidential info: Allows unauthorized remote access.
Compromises security settings: Opens a back door on the infected computer.
Ports: TCP port 6667.

Read the full Symantec report here


W32.Cissi.W
Discovered January 28, 2005

Systems Affected: All Windows32 Systems

W32.Cissi.W is an IRC bot worm with back door capabilities that propagates through Windows network shares.

Compromises security settings: Allows unauthorized remote access.
Ports: TCP port 6667.

Read the full Symantec report here


W32.Mydoom.AN@mm
Discovered January 28, 2005

Systems Affected: All Windows32 Systems

W32.Mydoom.AN@mm is a mass-mailing worm that downloads a copy of Backdoor.Nemog.D. The email has a variable subject and attachment name. The attachment will have a .cpl, .exe, .pif, .scr, or .zip file extension.

The worm can also spread using ICQ instant messenger. The worm attempts to lower security settings by terminating and disabling various antivirus and security-related programs.

Payload: Downloads Backdoor.Nemog.D.
Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Modifies files: Modifies the Hosts file.
Compromises security settings: Lowers security settings by blocking access to Web sites and ending processes.
Subject of email: Varies
Name of attachment: Varies with a .cpl, .exe, .pif, .scr, or .zip file extension
Size of attachment: 61,385 bytes
Target of infection: Attempts to spread via ICQ messenger.

Read the full Symantec report here


Backdoor.Sdbot.AO
Discovered January 30, 2005

Systems Affected: All Windows32 Systems

Backdoor.Sdbot.AO is a worm with back door capabilities that gives an attacker remote access to the compromised computer via IRC channels.

Payload: Allows unauthorized remote access.
Ports: TCP port 2784.
Shared drives: Copies itself to network shares.

Read the full Symantec report here


VBS.Gormlez@mm
Discovered January 31, 2005

Systems Affected: All Windows32 Systems

VBS.Gormlez@mm is a mass-mailing worm that sends a copy of itself to all email addresses in the Windows Address Book and attempts to spread through file-sharing networks. The worm deletes files with a .dll, .vbs, .exe, or .wsh extension.

Large scale e-mailing: Sends email to every contact in the Windows Address Book.
Deletes files: Deletes files with a .dll, .vbs, .exe, or .wsh extension.

Read the full Symantec report here


W32.Mugly.H@mm
Discovered January 31, 2005

Systems Affected: All Windows32 Systems

W32.Mugly.H@mm is a worm that uses its own SMTP engine to spread by sending itself as an email attachment to addresses gathered from the compromised computer. The email will have a variable subject line and a variable attachment name. The attachment will have a .scr file extension.

The worm also drops and runs a variant of W32.Spybot.Worm.

Payload: Drops and executes a W32.Spybot.Worm variant.
Large scale e-mailing: Sends a copy of itself to all addresses found on the compromised computer.
Name of attachment: Varies with .scr file extension.

Read the full Symantec report here


W32.Sober.J@mm
Discovered January 30, 2005

Systems Affected: All Windows32 Systems

W32.Sober.J@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses it gathers from the compromised computer. The subject of the email varies and is in either English or German. The email sender address is spoofed. The name of the email attachment varies, and it has a .bat, .com, .pif, .scr, or .zip file extension. The attachment may also have a double extension.

Large scale e-mailing: Sends an email to addresses found on the compromised computer.
Subject of email: Varies and can be in English or German.
Name of attachment: Varies with a .bat, .com, .pif, .scr, or .zip file extension.
Ports: TCP port 37.

Read the full Symantec report here


W32.Mydoom.AO@mm
Discovered January 31, 2005

Systems Affected: All Windows32 Systems

W32.Mydoom.AO@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on the infected computer. It also propagates through popular peer-to-peer networks.

The email will have a variable subject and attachment name. The attachment will have a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.

Large scale e-mailing: Sends itself to addresses harvested from the infected machine.
Modifies files: Modifies the hosts file.
Compromises security settings: Disables anti-virus and firewall applications.
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension

Read the full Symantec report here

   
     
© Copyright 1999 - 2005 The Computer Wizard