Virus News
February 2005

Select the links for detailed information and removal tools for the latest viruses



Trojan.Tooso.B 2/28/05 2
W32.Spybot.KHC 2/28/05 2
W32.Mytob.C 2/28/05 2
W32.Mytob.B 2/28/05 2
W32.Elitper.A 2/27/05 2
W32.Holcas.A 2/27/05 2
W32.Conycspa.G 2/26/05 2
W32.Mytob 2/26/05 2
W32.Kipis.M 2/25/05 2
W32.Inforyou.A 2/25/05 2
W32.Randex.CST 2/24/05 2
W32.Derdero.E 2/24/05 2
W32.Looked.C 2/24/05 2
W32.Spybot.KAI 2/23/05 2
W32.Stang 2/23/05 2
W32.Ahker.E 2/23/05 2
W32.Assiral 2/22/05 2
W32.Bropia.R 2/22/05 2
W32.Dumaru.Y@mm!enc 2/21/05 2
W32.Mydoom.BB 2/21/05 2
W32.Bropia.Q 2/21/05 2
W32.Bropia.P 2/21/05 2
W32.Sober.K 2/20/05 2
W32.Mydoom.BA 2/20/05 2
W32.Derdero.C 2/19/05 2
W32.Derdero.B 2/19/05 2
W32.Jumpred.A 2/18/05 2
W32.Kipis.L 2/18/05 2
W32.Mydoom.AZ 2/18/05 2
W32.Derdero.A 2/17/05 2
W32.Doxpar 2/16/05 2
W32.Kipis.K 2/16/05 2
W32.Mydoom.AX 2/16/05 3
W32.Aimdes.C 2/16/05 2
W32.Ahker.D 2/16/05 2
W32.Spybot.JPB 2/15/05 2
W32.Bropia.N 2/15/05 2
W32.Randex.COX 2/14/05 2
W32.Aimdes.A 2/11/05 2
W32.Mydoom.AU 2/10/05 2
W32.Mydoom.AS 2/9/05 2
W32.Kipis.J 2/7/05 2
W32.Mydoom.AR 2/7/05 2
W32.Bropia.L 2/7/05 2
W32.Gaobot.CII 2/5/05 2
W32.Dopbot 2/3/05 2
W32.Bropia.J 2/2/05 2


W32.Bropia.J
Discovered February 02, 2005

Systems Affected: All Windows32 Systems

W32.Bropia.J is a worm that propagates using MSN Messenger and drops a variant of W32.Spybot.Worm.

Payload: Drops and executes a W32.Spybot.Worm variant.
Target of infection: Attempts to spread via MSN Messenger.

Read the full Symantec report here


W32.Dopbot
Discovered February 03, 2005

Systems Affected: All Windows32 Systems

W32.Dopbot is a worm that has distributed denial of service and back door capabilities. The worm spreads by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability, (described in Microsoft Security Bulletin MS03-026).

Payload: Allows unauthorized remote access.
Shared drives: Spreads by exploiting the DCOM vulnerability, MS03-026.

Read the full Symantec report here


W32.Gaobot.CII
Discovered February 05, 2005

Systems Affected: All Windows32 Systems

W32.Gaobot.CII is a network-aware worm that has back door capabilities and can be controlled through IRC channels. It attempts to lower security settings by blocking access to security-related Web sites and terminating processes. It spreads by exploiting vulnerabilities.

Payload Trigger: Allows unauthorized remote access.
Modifies files: Modifies hosts file to disable access to various antivirus domains.
Compromises security settings: Terminates processes related to security type programs.
Ports: Exploits vulnerabilities using Ports 445, 80, 135. Connects to a remote IRC server using TCP port 6667.

Read the full Symantec report here


W32.Bropia.L
Discovered February 07, 2005

Systems Affected: All Windows32 Systems

W32.Bropia.L is a worm that propagates using MSN Messenger and drops a variant of W32.Spybot.Worm.

Payload: Drops and executes a W32.Spybot.Worm variant.
Target of infection: Attempts to spread via MSN Messenger.

Read the full Symantec report here


W32.Mydoom.AR@mm
Discovered February 07, 2005

Systems Affected: All Windows32 Systems

W32.Mydoom.AR@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on an infected computer. It also attempts to spread through file-sharing networks.

Large scale e-mailing: Sends itself to addresses gathered from the compromised computer.
Deletes files: n/a
Modifies files: Modifies the System.ini file.
Subject of email: Varies
Name of attachment: Varies with a .exe, .scr, or .zip file extension

Read the full Symantec report here


W32.Kipis.J@mm
Discovered February 07, 2005

Systems Affected: All Windows32 Systems

W32.Kipis.J@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on an infected computer. It also attempts to spread through file-sharing networks.

Large scale e-mailing: Sends itself to addresses gathered from the compromised computer.
Modifies files: Modifies the System.ini file.
Subject of email: Varies
Name of attachment: Varies with a .exe, .scr, or .zip file extension
Size of attachment: Varies

Read the full Symantec report here


W32.Mydoom.AS@mm
Discovered February 09, 2005

Systems Affected: All Windows32 Systems

W32.Mydoom.AS@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses that it finds on the compromised computer. It also propagates through file sharing networks.

The email will have a variable subject and attachment name. The attachment will have a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.

Large scale e-mailing: Sends itself to email addresses gathered from the compromised computer.
Modifies files: Modifies the hosts file.
Compromises security settings: Disables antivirus and firewall applications, blocks access to security-related Web sites.
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension

Read the full Symantec report here


W32.Mydoom.AU@mm
Discovered February 10, 2005

Systems Affected: All Windows32 Systems

W32.Mydoom.AU@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses that it gathers from a compromised computer. This worm is a minor variant of W32.Mydoom.AM@mm.

Large scale e-mailing: Sends a copy of itself to email addresses gathered from the compromised computer.
Modifies files: Modifies the Hosts file.
Compromises security settings: Lowers security settings by blocking access to security-related Web sites and ending security-related processes.
Subject of email: Varies
Name of attachment: Varies
Size of attachment: 33,792 bytes (.exe)

Read the full Symantec report here


W32.Aimdes.A@mm
Discovered February 11, 2005

Systems Affected: All Windows32 Systems

W32.Aimdes.A@mm is a simple worm that propagates via AOL Instant Messenger and email.

Large scale e-mailing: Sends itself via email to all addresses in the Microsoft Outlook address book.
Compromises security settings: Disables security related notifications, access to registry editing tools, and automatic Windows Updates.
Subject of email: Service Pack 2 BUG!!
Name of attachment: Fix_SP2.zip
Size of attachment: Unknown

Read the full Symantec report here


W32.Randex.COX
Discovered February 16, 2005

Systems Affected: All Windows32 Systems

W32.Randex.COX is a network-aware worm that spreads to network shares protected by weak passwords. The worm also opens a back door on the compromised computer and may be remotely controlled via IRC channels.

Payload: Allows unauthorized remote access.
Degrades performance: Performs denial of service attacks.
Releases confidential info: Steals CD keys for software.
Compromises security settings: May terminate processes.
Ports: TCP port 24300 and TCP port 113
Shared drives: Attempts to copy to shared drives with weak passwords.

Read the full Symantec report here


W32.Bropia.N
Discovered February 15, 2005

Systems Affected: All Windows32 Systems

W32.Bropia.N is a worm that drops a variant of W32.Spybot.Worm and propagates using MSN Messenger.

Ports: TCP port 6667.

Read the full Symantec report here


W32.Spybot.JPB
Discovered February 15, 2005

Systems Affected: All Windows32 Systems

W32.Spybot.JPB is a network-aware worm that has distributed denial of service and back door capabilities. The worm spreads to network shares protected by weak passwords and by exploiting vulnerabilities.

Payload: Allows unauthorized remote access.
Releases confidential info: Retrieves system information.
Ports: TCP ports 135, 445, and 8126. UDP port 1434.
Shared drives: Attempts to spread to network shares and systems which are unpatched against various system vulnerabilities.

Read the full Symantec report here


W32.Ahker.D@mm
Discovered February 16, 2005

Systems Affected: All Windows32 Systems

W32.Ahker.D@mm is a mass-mailing worm that uses MAPI to send a copy of itself to email addresses gathered from the compromised computer. The email has a variable subject and an attachment named patch.zip.

The worm lowers security settings, prevents access to several Web sites, and blocks access to several programs.

Payload: Downloads a remote file.
Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Deletes files: Overwrites the file winword.exe.
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to security-related Websites and programs. Terminates processes. Disables access to various system utilities.
Subject of email: Varies
Name of attachment: PATCH.ZIP
Size of attachment: 13,824 bytes

Read the full Symantec report here


W32.Aimdes.C@mm
Discovered February 16, 2005

Systems Affected: All Windows32 Systems

W32.Aimdes.C@mm is a simple worm that propagates via AOL Instant Messenger and email. The email has a variable subject and an attachment named patch.zip.

Payload: Ends system processes, sends mails.
Large scale e-mailing: Sends mail to all addresses found.
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: Ends system processes.
Subject of email: Varies
Name of attachment: Patch.zip
Size of attachment: 53,248 bytes

Read the full Symantec report here


W32.Mydoom.AX@mm
Discovered February 16, 2005

Systems Affected: All Windows32 Systems

W32.Mydoom.AX@mm is a mass-mailing worm that uses its own SMTP engine to send email to addresses that it retrieves from the Windows Address Book on the infected computer.

Payload: Drops a back door Trojan. Downloads and executes a back door Trojan.
Large scale e-mailing: Sends itself to all addresses it finds on the infected computer.
Compromises security settings: Allows unauthorized remote access.
Subject of email: Varies
Name of attachment: Varies with .bat, .cmd, .com, .exe, .pif, .scr, or .zip file extension.
Size of attachment: Varies

Read the full Symantec report here

Download the Removal Tool here


W32.Kipis.K@mm
Discovered February 16, 2005

Systems Affected: All Windows32 Systems

W32.Kipis.K@mm is a mass-mailing worm that lowers security settings and opens a back door on the compromised computer. The email has a variable subject and attachment name. The attachment will have a .exe, .scr, or .zip file extension.

Payload: Allows unauthorized remote access.
Large scale e-mailing: Sends email to contacts in the Windows Address Book and addresses found in various files.
Compromises security settings: Ends some security-related processes.
Subject of email: Varies
Name of attachment: Varies with a .exe, .scr, or .zip file extension.
Size of attachment: Varies
Ports: Opens a back door on TCP port 1988.

Read the full Symantec report here


W32.Doxpar
Discovered February 16, 2005

Systems Affected: All Windows32 Systems

W32.Doxpar is a network-aware worm that has distributed denial of service and back door capabilities. The worm spreads by exploiting vulnerabilities.

Note: Further investigation has revealed that the Microsoft Windows Server Message Block Handlers Remote Buffer Overflow Vulnerability (as described in the Microsoft Security Bulletin MS05-011) is not exploited by this threat. This information has been removed.

Payload: Performs denial of service attacks, downloads remote files, acts as a covert proxy.
Large scale e-mailing: n/a
Deletes files: Deletes .dll files (can delete system files if the name contains the name of the original dll file)
Degrades performance: Increases CPU load to 100%
Causes system instability: Causes system to be very slow
Ports: Opens a proxy server on random TCP ports.
Target of infection: Attempts to spread to computers vulnerable to various system vulnerabilities.

Read the full Symantec report here


W32.Derdero.A@mm
Discovered February 17, 2005

Systems Affected: All Windows32 Systems

W32.Derdero.A@mm is a mass-mailing worm that uses its own SMTP engine to send email to addresses that it retrieves from the Windows Address Book. The email will have a variable subject and attachment name. The attachment will have

It also attempts to spread through file-sharing programs and infects all .exe files on the C drive.

Large scale e-mailing: Sends itself to addresses found in the Windows Address Book.
Modifies files: Infects .exe files. Modifies the Hosts file.
Degrades performance: Slows down computer.
Causes system instability: Due to the overwriting of .exe programs, many programs will fail to run.
Compromises security settings: Attempts to end some security-related processes.
Subject of email: Varies
Name of attachment: Varies with a .cmd, .exe, .pif, .scr, or .zip file extension. The file may also have a double-extension ending in one of the previous extensions.
Target of infection: Attempts to spread through file-sharing networks by copying itself to folders which contain the string "shar" in their name.

Read the full Symantec report here


W32.Mydoom.AZ@mm
Discovered February 18, 2005

Systems Affected: All Windows32 Systems

W32.Mydoom.AZ@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it retrieves from the Windows Address Book on the infected computer.

Payload: Downloads and executes a back door Trojan
Large scale e-mailing: Sends itself to all addresses it finds on the compromised computer.
Compromises security settings: Allows unauthorized remote access.
Subject of email: Varies
Name of attachment: Varies with .bat, .cmd, .com, .exe, .pif, .scr, or .zip file extension.
Size of attachment: Varies

Read the full Symantec report here

Download the Removal Tool here


W32.Kipis.L@mm
Discovered February 18, 2005

Systems Affected: All Windows32 Systems

W32.Kipis.L@mm is a mass-mailing worm that lowers security settings, opens a back door on the compromised computer and exploits the Microsoft Internet Explorer ITS Protocol Zone Bypass Vulnerability (BID 9658).

Read the full Symantec report here


W32.Derdero.B@mm
Discovered February 19, 2005

Systems Affected: All Windows32 Systems

W32.Derdero.B@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it retrieves from the Windows Address Book.
It also attempts to spread through file-sharing programs and infects all .exe files on the C drive.

Large scale e-mailing: Sends itself to addresses found in the Windows Address Book.
Modifies files: Infects .exe files. Modifies the Hosts file.
Causes system instability: Due to the overwriting of .exe programs, many programs will fail to run.
Compromises security settings: Attempts to end some security-related processes.
Subject of email: Varies
Name of attachment: Varies
Target of infection: Attempts to spread through file-sharing networks by copying itself to folders which contain the string "shar" in their name.

Read the full Symantec report here


W32.Derdero.C@mm
Discovered February 19, 2005

Systems Affected: All Windows32 Systems

W32.Derdero.C@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it retrieves from the Windows Address Book. It also attempts to spread through file-sharing programs.

Large scale e-mailing: Sends itself to addresses found in the Windows Address Book.
Compromises security settings: Attempts to end some security-related processes.
Name of attachment: Varies with a .cmd, .exe, .pif, .scr, or .zip file extension. The file may also have a double-extension ending in one of the previous extensions.
Target of infection: Attempts to spread through file-sharing networks by copying itself to folders which contain the string "shar" in their name.

Read the full Symantec report here


W32.Jumpred.A
Discovered February 18, 2005

Systems Affected: All Windows32 Systems

W32.Jumpred.A is a worm that spreads through IRC channels using the MIRC client. The worm also copies itself to the A drive and attempts to copy itself to file-sharing networks.

Payload: Modifies the Internet Explorer start page and closes windows.
Target of infection: Spreads through IRC channels and file sharing networks.

Read the full Symantec report here


W32.Mydoom.BA@mm
Discovered February 20, 2005

Systems Affected: All Windows32 Systems

W32.Mydoom.BA@mm is a mass-mailing worm that uses its own SMTP engine to send email to addresses that it gathers from the Windows Address Book on a compromised computer.

Payload: Downloads and executes a back door Trojan.
Large scale e-mailing: Sends itself to all email addresses it finds on the compromised computer.
Compromises security settings: Allows unauthorized remote access.
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .com, .doc, .exe, .htm, .html, .pif, .scr, .txt, or .zip file extension.
Size of attachment: approx. 26kb
Ports: TCP port 1132.

Read the full Symantec report here

Download the Removal Tool here


W32.Sober.K@mm
Discovered February 20, 2005

Systems Affected: All Windows32 Systems

W32.Sober.K@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses gathered from a compromised computer. The email will be in either English or German.

Large scale e-mailing: Sends an email to addresses gathered from a compromised computer.
Ports: Connects to an NTP server on port 37.

Read the full Symantec report here


W32.Bropia.P
Discovered February 21, 2005

Systems Affected: All Windows32 Systems

W32.Bropia.P is a worm that drops a variant of W32.Spybot.Worm and propagates using MSN Messenger.

Degrades performance: May affect network performance by consuming bandwidth.
Target of infection: Attempts to spread via MSN Messenger.

Read the full Symantec report here


W32.Bropia.Q
Discovered February 21, 2005

Systems Affected: All Windows32 Systems

W32.Bropia.Q is a worm that propagates using MSN Messenger.

Degrades performance: May affect network performance by consuming bandwidth.
Target of infection: Attempts to spread via MSN Messenger.

Read the full Symantec report here


W32.Mydoom.BB@mm
Discovered February 21, 2005

Systems Affected: All Windows32 Systems

W32.Mydoom.BB@mm is a mass-mailing worm that uses its own SMTP engine to send email to addresses that it gathers from the Windows Address Book on a compromised computer. This worm is a minor variant of W32.Mydoom.BA@mm.

Payload: Downloads and executes a back door Trojan.
Large scale e-mailing: Sends itself to all email addresses it finds on the compromised computer.
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .com, .doc, .exe, .htm, .html, .pif, .scr, .txt, or .zip file extension
Size of attachment: 41,024 bytes

Read the full Symantec report here


W32.Dumaru.Y@mm!enc
Discovered February 21, 2005

Systems Affected: All Windows32 Systems

W32.Dumaru.Y@mm!enc is an .enc detection for MIME-encoded files that contain the W32.Dumaru.Y@mm worm.

Read the full Symantec report here


W32.Bropia.R
Discovered February 22, 2005

Systems Affected: All Windows32 Systems

W32.Bropia.R is a worm that spreads via MSN Messenger and drops a variant of W32.Spybot.Worm.

Payload: Dropped W32.Spybot.Worm allows unauthorized remote access.
Target of infection: Attempts to spread through MSN Messenger.

Read the full Symantec report here


W32.Assiral@mm
Discovered February 22, 2005

Systems Affected: All Windows32 Systems

W32.Assiral@mm is a mass-mailing worm that sends a copy of itself to email addresses gathered from a compromised computer.

Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Degrades performance: Modifies Internet Explorer and Windows settings.
Subject of email: Re: LOV YA!
Name of attachment: LOVE_LETTER.TXT.exe

Read the full Symantec report here


W32.Ahker.E@mm
Discovered February 23, 2005

Systems Affected: All Windows32 Systems

W32.Ahker.E@mm is a mass-mailing worm that uses MAPI to send a copy of itself to email addresses gathered from the compromised computer. The worm lowers security settings, prevents access to several Web sites, and blocks access to several programs.

Payload: Performs a denial of service attack.
Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Deletes files: Overwrites winword.exe.
Modifies files: Modifies the Hosts file and blocks access to several Web sites.
Degrades performance: Blocks access to several programs
Causes system instability: Terminates processes.
Compromises security settings: Lowers security settings.
Subject of email: Varies
Name of attachment: Removal Tool.zip
Size of attachment: 14,882 bytes

Read the full Symantec report here


W32.Stang
Discovered February 23, 2005

Systems Affected: All Windows32 Systems

W32.Stang is a worm that spreads via Microsoft's MSN Messenger instant message program, and attempts to terminate processes and lower security settings. The worm also disables the Task Manager and Registry Editor.

Causes system instability: Ends Lsass.exe, which may cause the system to shut down.
Compromises security settings: Disables various security functions in Windows.
Target of infection: Spreads via Microsoft's MSN Messenger instant message program.

Read the full Symantec report here


W32.Spybot.KAI
Discovered February 23, 2005

Systems Affected: All Windows32 Systems

W32.Spybot.KAI is a worm that propagates through file sharing networks. The worm opens a back door on the compromised computer allowing a remote attacker to have unauthorized access via IRC channels.

Payload: Allows unauthorized remote access.
Target of infection: Attempts to spread through Kazaa peer-to-peer network.

Read the full Symantec report here


W32.Looked.C
Discovered February 24, 2005

Systems Affected: All Windows32 Systems

W32.Looked.C is a worm that downloads a remote file and infects .exe files. The worm lowers security settings and spreads through network shares protected by weak passwords.

Payload: Downloads a PWSteal.Trojan.
Modifies files: Attempts to infect all .exe files found on all drives. Modifies the Hosts file.
Compromises security settings: Terminates various security related processes.
Shared drives: Attempts to spread to network shares protected by weak passwords.

Read the full Symantec report here


W32.Derdero.E@mm
Discovered February 24, 2005

Systems Affected: All Windows32 Systems

W32.Derdero.E@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses gathered from a compromised computer. The worm lowers security settings and attempts to spread through file-sharing programs.

Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Modifies files: Modifies the Hosts file.
Causes system instability: Deletes system files
Compromises security settings: Lowers security settings by terminating security-related processes and blocking access to security-related Web sites.
Subject of email: Varies
Name of attachment: Varies with .cmd, .cpl, .exe, .pif, .scr, or .zip file extension. The attachment may have a double extension.

Read the full Symantec report here


W32.Randex.CST
Discovered February 24, 2005

Systems Affected: All Windows32 Systems

W32.Randex.CST is a network-aware worm that spreads to network shares protected by weak passwords. The worm also opens a back door on the compromised computer and may be remotely controlled via IRC channels.

Payload: Allows unauthorized remote access.
Degrades performance: May perform denial of service attacks.
Releases confidential info: May steal CD keys for software.
Compromises security settings: May terminate processes.
Ports: TCP port 6667 and TCP port 113.
Shared drives: Attempts to copy to shared drives with weak passwords.

Read the full Symantec report here


W32.Inforyou.A@mm
Discovered February 25, 2005

Systems Affected: All Windows32 Systems

W32.Inforyou.A@mm is a mass-mailing worm that sends itself to email addresses gathered from the compromised computer using its own SMTP engine.

Payload Trigger: Performs denial of service attacks.
Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Subject of email: Varies.
Name of attachment: Varies.

Read the full Symantec report here


W32.Kipis.M@mm
Discovered February 25, 2005

Systems Affected: All Windows32 Systems

W32.Kipis.M@mm is a mass-mailing worm that spreads by sending an email to addresses it finds on a compromised computer and by copying itself to network shares.

Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.

Read the full Symantec report here


W32.Mytob@mm
Discovered February 26, 2005

Systems Affected: All Windows32 Systems

W32.Mytob@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it retrieves from the Windows Address Book on the infected computer.

The worm also has W32.Spybot.Worm functionality such as an IRC back door and the capability to spread through the network by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011).

Large scale e-mailing: Sends itself to email addresses gathered from the compromised computer
Degrades performance: Causes significant performance degradation
Subject of email: varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension
Size of attachment: 42,177 bytes
Ports: TCP port 445
Target of infection: Unpatched systems vulnerable to LSASS exploit - MS04-011

Read the full Symantec report here


W32.Conycspa.G@mm
Discovered February 26, 2005

Systems Affected: All Windows32 Systems

W32.Conycspa.G@mm is a mass mailing worm that downloads and executes files from the Internet.

Payload: Downloads and executes remote content.
Large scale e-mailing: Sends an email to all addresses found in the Windows Address Book.
Modifies files: Inserts a line into the %Windir%\system.ini file.
Subject of email: screen saver
Name of attachment: web.exe
Size of attachment: 12,288 Bytes

Read the full Symantec report here


W32.Holcas.A@mm
Discovered February 27, 2005

Systems Affected: All Windows32 Systems

W32.Holcas.A@mm is a mass-mailing worm that uses MAPI commands to send itself to all addresses found in the Microsoft Outlook Address book. It also attempts to send itself via IRC. The email has the following characteristics:

Subject: hola como estas, ;o)
Attachment: Que_entretenido.exe

Read the full Symantec report here


W32.Elitper.A@mm
Discovered February 27, 2005

Systems Affected: All Windows32 Systems

W32.Elitper.A@mm is a mass-mailing worm that spreads using MAPI and through file-sharing networks. It also lowers Windows security settings by preventing access to antivirus-related Web sites.

Large scale e-mailing: Sends a copy of itself to email addresses gathered from the compromised computer.
Modifies files: Modifies the Hosts file.
Compromises security settings: Lowers security settings by blocking access to security-related Web sites and disabling various Windows security features.
Subject of email: Fwd:None
Name of attachment: Firewall.exe
Size of attachment: 9,392 bytes

Read the full Symantec report here


W32.Mytob.B@mm
Discovered February 28, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.B@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the Windows Address Book on the compromised computer.

The worm also has the ability to open a back door and spread through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).

Payload: Opens a back door.
Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Subject of email: Varies
Name of attachment: Varies

Read the full Symantec report here

Download the Removal Tool here


W32.Mytob.C@mm
Discovered February 28, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.C@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the Windows Address Book on the compromised computer.

The worm also has the ability to open a back door and spread through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).

Payload: Opens a back door.
Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.
Ports: TCP port 445

Read the full Symantec report here


W32.Spybot.KHC
Discovered February 28, 2005

Systems Affected: All Windows32 Systems

W32.Spybot.KHC is a worm that has distributed denial of service and back door capabilities. The worm spreads to network shares protected by weak passwords and by exploiting vulnerabilities.

Payload: Allows unauthorized remote access.
Degrades performance: May be used in denial of service attacks.
Releases confidential info: May be used to gather confidential system information.
Ports: TCP ports 135, 445, and 8080.
Shared drives: Attempts to copy itself to accessible network shares.
Target of infection: Targets systems exposed to numerous common system vulnerabilities.

Read the full Symantec report here


Trojan.Tooso.B
Discovered February 28, 2005

Systems Affected: All Windows32 Systems

Trojan.Tooso.B is a Trojan horse that attempts to disable security-related software by terminating processes, stopping services, removing registry entries, and deleting files.

It has been reported that Trojan.Tooso.B is being emailed out by copies of W32.Beagle.BG@mm and W32.Beagle.BH@mm.

Payload: Downloads and executes arbitrary code.
Modifies files: Modifies hosts file.
Degrades performance: Attempts to download files from various domains may downgrade System and Network performance.
Compromises security settings: Ends security-related processes and prevents access to security-related Web sites.

Read the full Symantec report here

© Copyright 1999 - 2005 The Computer Wizard