Virus News 
February 2004

Select the links for detailed information and removal tools for the latest viruses


W32.Beagle.G 2/29/2004 2
W32.Beagle.F 2/29/2004 2
W32.Beagle.E 2/29/2004 2
W32.Beagle.C 2/27/2004 2
W32.Netsky.C 2/24/2004 2
W32.Bizex.Worm 2/24/2004 2
W32.Welchia.D.Worm 2/23/2004 2
W32.Mydoom.F 2/20/2004 2
W32.Netsky.B 2/17/2004 4
W32.Beagle.B 2/17/2004 3
W32.Netsky 2/15/2004 2
W32.Welchia.C 2/15/2004 2
W32.HLLW.Deadhat.B 2/11/2004 2
W32.Welchia.B 2/11/2004 2
W32.HLLW.Doomjuice.B 2/11/2004 2
W32.Dumaru.AH 2/10/2004 2
W32.HLLW.Doomjuice 2/09/2004 2
W32.HLLW.Deadhat 2/06/2004 2
W32.Blaster.K.Worm 2/03/2004 2
W32.Dumaru.AD 2/03/2004 2
W32.Galil.F 2/02/2004 2


W32.Galil.F@mm
Discovered February 02, 2004

Systems Affected: Windows 2000, Windows 3.x, Windows 98, Windows Me,
Windows NT, Windows Server 2003, Windows XP

W32.Galil.F@mm is a mass-mailing worm that uses its own SMTP engine or
Microsoft Outlook to spread. It harvests email addresses from the files in
the current user's Temporary Internet Files folder, Yahoo Messenger,
Microsoft Outlook address book, as well as the files whose extensions are
.asf, .avi, .doc, .jpg, .mdb, .mpe, .mpeg, .mpg, .pps, .ram, .rar, or .xls.

The worm may spoof the "From" field. The email message has a randomly
selected subject line, which may also be the attachment name. The
attachment has a .bhx, .exe, .hqx, .mim, .uu , .uue, or .xxe extension.

It displays a dialog box (the screenshot is not reproduced in this text).

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.galil.f@mm.html


W32.Dumaru.AD@mm
Discovered February 02, 2004

Systems Affected: All Windows32 Systems

W32.Dumaru.AD@mm is a multi-threaded, mass-mailing worm that
downloads and runs a file, runs a keylogger, steals personal information,
and starts an FTP server on port 10000. This worm is similar to the W32.Dumaru.Z@mm worm.

The worm uses its own SMTP engine to spread to the email addresses
it finds on an infected system.

The email has the following characteristics:

From: "Elene" <F**KENSUICIDE@HOTMAIL.COM> (censored)
Subject: Important information for you. Read it immediately !
Attachment: Myphoto.zip

The attachment is a zip file that contains the worm executable as
"myphoto.jpg <spaces> .exe". (There are numerous spaces between ".jpg" and ".exe".)


Message:
Hi !
Here is my photo, that you asked for yesterday.

Note: The email message contains an IFRAME exploit, so that Microsoft
Outlook will download the worm from a hard-coded URL and execute it.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.dumaru.ad@mm.html


W32.Blaster.K.Worm
Discovered February 03, 2004

Systems Affected: Windows XP, Windows 2000

W32.Blaster.K.Worm is a worm that exploits the DCOM RPC vulnerability
(described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The worm targets only Windows 2000 and Windows XP computers.

While Windows NT and Windows 2003 servers are vulnerable to the exploit
if they are not properly patched, the worm is not coded to replicate to
those systems. This worm attempts to download the mschost.exe file
into the %Windir%\System32 folder, and then execute it.

W32.Blaster.K.Worm does not have a mass-mailing functionality.

For additional information, read the Microsoft article, "What You Should
Know About the Blaster Worm and Its Variants."

We recommend blocking access to TCP port 4444 at the firewall, and also
blocking the following ports if you do not use the corresponding applications:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service (DoS) on the
Microsoft Windows Update Web server (windowsupdate.com). This is
an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.blaster.k.worm.html


W32.HLLW.Deadhat
Discovered February 06, 2004

Systems Affected: All Windows32 Systems

W32.HLLW.Deadhat is a worm with backdoor capabilities. It attempts
to uninstall the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms,
then spreads to other systems that are infected with Mydoom. It also
spreads through the Soulseek file-sharing program.

This worm may be found as a file named "sms.exe" in the %System% directory.

Ports: Listens on TCP port 2766. Attempts to connect to sequential IP
addresses on TCP ports 3127, 3128, and 1080 (ports used by the Mydoom worm).

Shared drives: May spread across network if shared drives are mapped to C:, D:, E:, or F:

Target of infection: Systems infected with Mydoom; the Soulseek file-sharing network

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.hllw.deadhat.html


W32.HLLW.Doomjuice
Discovered February 06, 2004

Systems Affected: All Windows32 Systems

W32.HLLW.Doomjuice uses computers infected by W32.Mydoom.A@mm or
W32.Mydoom.B@mm to spread. It is also set to launch a DoS attack on
the Microsoft site. The existence of the file intrenat.exe is an indication of a possible infection.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.hllw.doomjuice.html


W32.Dumaru.AH@mm
Discovered February 10, 2004

Systems Affected: All Windows32 Systems

W32.Dumaru.AH@mm is a multi-threaded, mass-mailing worm that opens
a backdoor, runs a keylogger, and attempts to steal personal information.
It is similar to the W32.Dumaru.Y@mm worm.

This worm uses its own SMTP engine to spread to the email addresses
it finds in the files on the infected system. The email has the following characteristics:

• Sends itself to all the addresses it finds in the files with specific extensions.
• Logs keystrokes, emails personal information.
• Allows unauthorized remote access.
• Creates a file %Windir%\TEMP\photo.jpg, and launches explorer.exe to
load this file, which is a graphic image of a woman.

Email:

From: random characters@<domains of the email addresses that the
worm finds from the infected machine>
Subject: Unknown
Message:
If you cant see message text from: <some random characters> , read attached file.
Attachment: document.zip

The attachment is a zip file that contains the worm executable as myphoto.jpg<56 spaces>.exe.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.dumaru.ah@mm.html


W32.HLLW.Doomjuice.B
Discovered February 11, 2004

Systems Affected: All Windows32 Systems

W32.HLLW.Doomjuice.B uses computers infected by W32.Mydoom.A@mm
to spread. This worm also launches a Denial of Service (DoS) attack on the Microsoft Web site.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.hllw.doomjuice.b.html


W32.Welchia.B
Discovered February 11, 2004

Systems Affected: Windows 2000, Windows XP

W32.Welchia.B.Worm is a worm that exploits multiple vulnerabilities, including:

• The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026)
using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
• The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007)
using TCP port 80. The worm specifically targets machines running Microsoft IIS
5.0 using this exploit. As coded in this worm, this exploit will impact Windows
2000 systems and may impact Windows NT/XP systems.
• The Workstation service buffer overrun vulnerability (described in Microsoft
Security Bulletin MS03-049).

The worm does the following:

• If the operating system version of the infected machine is Chinese,
Korean, or English, attempts to download the DCOM RPC patch from Microsoft's
Windows Update Web site, install it, and then restart the computer.
• Attempts to remove W32.Mydoom.A@mm and W32.Mydoom.B@mm worms.

Vulnerable Windows 2000 machines will experience system instability due to the RPC service crash.

The presence of the file %windir%\system32\drivers\svchost.exe is an indication of possible infection.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.welchia.b.html


W32.HLLW.Deadhat.B
Discovered February 12, 2004

Systems Affected: All Windows32 Systems

W32.HLLW.Deadhat.B is a variant of the W32.HLLW.Deadhat worm that has
backdoor capabilities. It attempts to uninstall the W32.Mydoom.A@mm and
W32.Mydoom.B@mm worms, and then it spreads to other systems infected
with Mydoom. Also, it spreads through the Soulseek file-sharing program.

• Opens a backdoor through IRC.
• Deletes certain system files.
• May degrade network performance while scanning for new systems to infect.
• Terminates the processes of antivirus and security applications.
• Listens on TCP port 2766. Attempts to connect to sequential IP addresses on
TCP ports 3127, 3128, and 1080 (ports that the Mydoom worm used).
• May spread across network if shared drives are mapped to C:, D:, E:, or F:
• Target of infection: Systems infected with Mydoom; the Soulseek file-sharing network.
• May display a message box containing the following text:

Corrupted File
Error executing program!

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.hllw.deadhat.b.html


W32.Welchia.C.Worm
Discovered February 15, 2004

Systems Affected: Windows 2000, Windows XP

W32.Welchia.C.Worm is a minor variation of, and functionally equivalent to,
W32.Welchia.B.Worm.

If the version of the operating system of the infected machine is Chinese,
Korean, or English, the worm will attempt to download the Microsoft
Workstation Service Buffer Overrun and Microsoft Messenger Service
Buffer Overrun patches from the Microsoft® Windows Update Web site,
install them, and then restart the computer.

The worm also attempts to remove W32.Mydoom.A@mm and W32.Mydoom.B@mm worms.

W32.Welchia.C.Worm exploits multiple vulnerabilities, including:

• The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026)
using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
• The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007)
using TCP port 80. The worm specifically targets machines running Microsoft
IIS 5.0 using this exploit. The worm's use of this exploit will impact Windows
2000 systems and may impact Windows NT/XP systems.
• The Workstation service buffer overrun vulnerability (described in Microsoft
Security Bulletin MS03-049) using TCP port 445.
• The Locator service vulnerability using TCP port 445 (described in Microsoft
Security Bulletin MS03-001). The worm specifically targets Windows 2000 machines using this exploit.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.welchia.c.worm.html


W32.Netsky@mm
Discovered February 16, 2004

Systems Affected: All Windows32 Systems

W32.Netsky@mm is a mass-mailing worm that uses its own SMTP engine to
email itself. It retrieves email addresses from files with extensions of .adb,
.asp, .dbx, .doc, .eml, .htm, .html, .msg, .oft, .php, .pl, .rtf, .sht, .tbb, .txt, .uin, .vbs, and .wab.

The email has the following characteristics:

From: The From field is spoofed as one of the following,


Ebay Auctions <responder@ebay.com>
Yahoo Auctions <auctions@yahoo.com>
Amazon automail <responder@amazon.com>
MSN Auctions <auctions@msn.com>
QXL Auctions <responder@qxl.com>
EBay Auctions <responder@ebay.com>

Subject: Auction successful!
Attachment: The attachment is one of the following,

prod_info_55761.rtf.exe.zip
prod_info_65642.rtf.scr.zip
prod_info_33543.rtf.scr.zip
prod_info_56474.txt.exe.zip
prod_info_33325.txt.exe.zip
prod_info_77256.txt.scr.zip
prod_info_34157.htm.exe.zip
prod_info_87968.htm.scr.zip
prod_info_43859.htm.scr.zip
prod_info_56780.doc.exe.zip
prod_info_43631.doc.exe.zip
prod_info_47532.doc.scr.zip
prod_info_54433.doc.exe.zip
prod_info_42314.pif
prod_info_54235.scr
prod_info_49146.exe
prod_info_33967.cmd
prod_info_42818.pif
prod_info_54739.scr
prod_info_04650.bat
prod_info_49541.exe
prod_info_33462.cmd
prod_info_42313.pif
prod_info_54234.scr
prod_info_04155.bat

It also searches all folders whose name contains "Share" or "Sharing" on
drives C to Z. If the drive is not a CD-ROM, the worm copies itself to the folder.
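As an added example, not from the original page or from Symantec, the following Python check flags attachment names that use the naming tricks described for W32.Dumaru.AD/AH (an executable named "myphoto.jpg<56 spaces>.exe" inside Myphoto.zip) and for W32.Netsky (prod_info_NNNNN.rtf.exe.zip double extensions, bare .pif/.scr/.cmd/.bat lures). The sample zip archive it inspects is constructed inline; the extension sets and function names are the example's own.

```python
import io
import re
import zipfile

# Extensions Windows runs directly; every worm on this page uses one of these.
EXEC_EXT = {"exe", "scr", "pif", "cmd", "bat", "com"}
# Harmless-looking extensions the worms put in front of the real one.
DOC_EXT = {"jpg", "rtf", "txt", "htm", "doc"}
ARCHIVE_EXT = {"zip"}


def name_reasons(name):
    """Return the reasons a single file name matches the lure patterns on this page."""
    reasons = []
    lower = name.lower()
    # Dumaru.AD/AH: "myphoto.jpg<56 spaces>.exe"; the padding pushes .exe out of view.
    if re.search(r"\.\w+\s{2,}\.(exe|scr|pif|cmd|bat|com)$", lower):
        reasons.append("executable extension hidden behind whitespace padding")
    exts = [p.strip() for p in lower.rstrip().split(".")[1:]]
    if not exts:
        return reasons
    if exts[-1] in EXEC_EXT:
        reasons.append("executable extension ." + exts[-1])
        if len(exts) >= 2 and exts[-2] in DOC_EXT:
            reasons.append("document extension ." + exts[-2] + " precedes executable")
    elif exts[-1] in ARCHIVE_EXT and len(exts) >= 2 and exts[-2] in EXEC_EXT:
        # Netsky: prod_info_55761.rtf.exe.zip
        reasons.append("executable ." + exts[-2] + " wrapped in ." + exts[-1])
    return reasons


def scan_attachment(filename, data=b""):
    """Check the attachment name and, for a .zip, every member name inside it."""
    reasons = name_reasons(filename)
    if filename.lower().endswith(".zip") and data:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for r in name_reasons(member):
                        reasons.append("zip member %r: %s" % (member.strip(), r))
        except zipfile.BadZipFile:
            reasons.append("attachment named .zip is not a valid zip archive")
    return reasons


def build_dumaru_style_zip():
    """Constructed sample: a zip whose only member mimics the Dumaru.AH naming trick."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("myphoto.jpg" + " " * 56 + ".exe", b"placeholder bytes, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ["report.doc", "prod_info_42314.pif", "prod_info_55761.rtf.exe.zip"]:
        print(name, "->", name_reasons(name) or "clean")
    print("Myphoto.zip ->", scan_attachment("Myphoto.zip", build_dumaru_style_zip()))
```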

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky@mm.html


W32.Beagle.B@mm
Discovered February 17, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.B@mm is a mass-mailing worm that opens a backdoor on TCP
port 8866. The worm utilizes its own SMTP engine for email propagation,
and has the ability to contact the author of the worm with the port that
the backdoor is listening on and a randomized ID number.

The email has the following characteristics:

From: <spoofed>
Subject: ID <random characters>... thanks
Attachment: <random characters>.exe

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.b@mm.html


W32.Netsky.B@mm
Discovered February 18, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.B is a mass-mailing worm that uses its own SMTP engine to
send itself to the email addresses it finds when scanning the hard drives
and mapped drives. This worm also searches drives C through Z for folder
names containing "Share" or "Sharing," and then copies itself to those folders.

The Subject, Body, and email attachment vary.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.b@mm.html

Download the removal tool here:
http://sarc.com/avcenter/venc/data/w32.netsky.b@mm.removal.tool.html


W32.Mydoom.F@mm
Discovered February 20, 2004

Systems Affected: All Windows32 Systems

W32.Mydoom.F@mm is a mass-mailing worm that arrives as an attachment
with the file extension .bat, .com, .cmd, .exe, .pif, .scr, or .zip. The email
may have a spoofed sender's email address.

Mydoom.F searches for files with the extensions .mdb, .doc, .xls, .sav,
.jpg, .avi, and .bmp in the %System% folder on drives C to Z, if the drive
is a hard disk, remote drive, or RAM drive, and randomly deletes the files it finds.

When a computer is infected, the worm sets up a backdoor into the system
by opening TCP port 1080, which can potentially allow an attacker to connect
to the computer and use it as a proxy to gain access to its network resources.

In addition, the backdoor can download and execute arbitrary files.

The computer infected by the worm will perform Denial of Service (DoS) against
www.microsoft.com and www.riaa.com if the machine's local system date is
between 17th and 22nd of any month.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.mydoom.f@mm.html


W32.Welchia.D.Worm
Discovered February 23, 2004

Systems Affected: Windows 2000, Windows XP

W32.Welchia.D.Worm is a minor variant of W32.Welchia.C.Worm.

If the operating system of an infected computer is Chinese, Korean, or
English, the worm will attempt to download the Microsoft Workstation
Service Buffer Overrun and Microsoft Messenger Service Buffer Overrun
patches from the Microsoft Windows Update Web site, install them, and then restart the computer.

The worm also attempts to remove the W32.Mydoom.A@mm,
W32.Mydoom.B@mm, W32.HLLW.Doomjuice, and W32.HLLW.Doomjuice.B worms.

W32.Welchia.D.Worm exploits multiple vulnerabilities, including:

• The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026)
using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
• The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007)
using TCP port 80. The worm specifically targets machines running Microsoft
IIS 5.0 using this exploit. The worm's use of this exploit will impact Windows
2000 systems and may impact Windows NT/XP systems.
• The Workstation service buffer overrun vulnerability (described in Microsoft
Security Bulletin MS03-049) using TCP port 445.
• The Locator service vulnerability using TCP port 445 (described in Microsoft
Security Bulletin MS03-001). The worm specifically targets Windows 2000 machines using this exploit.


Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.welchia.d.worm.html


W32.Bizex.Worm
Discovered February 24, 2004

Systems Affected: All Windows32 Systems

W32.Bizex.Worm spreads by sending an ICQ message containing a link to all the contacts in the user's ICQ contact list.

W32.Bizex.Worm has several components which may be downloaded by clicking on the hyperlink received via ICQ message.

The Web site hosts a maliciously formatted HTML file that references a sound scheme file, meine.scm, within an IFRAME tag. When the link is clicked, meine.scm is downloaded locally. This file is 13,502 bytes in length.

If you have ICQ installed, ICQ will store a sound file Startup.wav that is embedded in the meine.scm file locally.

The HTML file uses a vulnerability in the showhelp() function implemented in Microsoft Internet Explorer to execute the ief**ker.html file within the meine.scm file. The file ief**ker.html is 14,103 bytes in length.

Ief**ker.html creates a file WinUpdate.exe (4,650 bytes) in the Startup folder. For example, it creates

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe

on Windows 2K/NT/XP machines, or

C:\Windows\Start Menu\Programs\Startup\WinUpdate.exe

on Windows 98 machines.

When WinUpdate.exe runs, it copies itself to the Windows Temp folder as alsdfkj.exe. It then downloads a file to the Windows Temp folder as aptgetupd.exe (86,528 bytes).

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.bizex.worm.html


W32.Netsky.C@mm
Discovered February 24, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.C is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses it finds when scanning hard drives and mapped drives. This worm also searches drives C through Z for folder names containing "Shar" and then copies itself to those folders.

The Subject, Body, and email attachment vary.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.c@mm.html


W32.Beagle.C@mm
Discovered February 27, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.C@mm is a mass-mailing worm that opens a backdoor on TCP port 2745. The worm uses its own SMTP engine for email propagation. It can also send to the attacker the port on which the backdoor listens, as well as a randomized ID number.

The email has the following characteristics:

From: <spoofed>
Subject: <variable>
Attachment: <random characters.exe> within a .zip file

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.c@mm.html

Download the removal tool here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html


W32.Beagle.E@mm
Discovered February 29, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.E@mm is a mass-mailing worm that opens a backdoor on TCP port 2745. The worm uses its own SMTP engine for email propagation. It can also send to the attacker the port on which the backdoor listens, as well as a randomized ID number.

From: <spoofed>
Subject: <variable>
Attachment: <random characters>.zip, containing an executable <random characters>.exe

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.e@mm.html

Download the removal tool here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html


W32.Beagle.F@mm
Discovered February 29, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.F@mm is a mass-mailing worm that opens a backdoor on TCP port 2745. The worm uses its own SMTP engine for email propagation. W32.Beagle.F@mm also attempts to spread across file-sharing networks, such as KaZaA and iMesh, by dropping itself into the directories that contain "shar" in their names.

From: <spoofed>
Subject: <variable>
Attachment: <random characters>.zip, containing an executable <random characters>.exe

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.f@mm.html

Download the removal tool here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html


W32.Beagle.G@mm
Discovered February 29, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.F@mm is a mass-mailing worm that opens a backdoor on TCP port 2745. The worm uses its own SMTP engine for email propagation. W32.Beagle.F@mm also attempts to spread across file-sharing networks, such as KaZaA and iMesh, by dropping itself into the directories that contain "shar" in their names.

From: <spoofed>
Subject: <variable>
Attachment: <random characters>.zip, containing an executable <random characters>.exe

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.g@mm.html

Download the removal tool here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html


© Copyright 1999 - 2004 The Computer Wizard