Virus News   
March 2005

Select the links for detailed information and removal tools for the latest viruses

W32.Ahker.F 3/31/05 2
Trojan.Ascetic.B 3/31/05 2
W32.Kelvir.K 3/31/05 2
W32.Sober.N 3/31/05 2
W32.Zori.B 3/31/05 2
W32.Sory.A 3/29/05 2
W32.Kelvir.J 3/28/05 2
W32.Mytob.R 3/28/05 2
W32.Mytob.S 3/28/05 2
W32.Mytob.Q 3/27/05 2
W32.Elitper.E 3/25/05 2
W32.Mytob.M 3/25/05 2
W32.Mytob.O 3/25/05 2
W32.Mytob.K 3/24/05 2
W32.Mytob.L 3/24/05 2
W32.Reidana.A 3/24/05 2
W32.Mytob.J 3/24/05 2
W32.Mydoom.BG 3/19/05 2
W32.Kelvir.I 3/18/05 2
W32.Mytob.I 3/16/05 2
W32.Mytob.H 3/16/05 2
VBS.Scafene 3/15/05 2
W32.Randex.CZZ 3/15/05 2
W32.Serflog.C 3/15/05 2
W32.Kelvir.G 3/14/05 2
W32.Elitper.D 3/14/05 2
W32.Kelvir.H 3/14/05 2
W32.Mytob.F 3/14/05 2
W32.Mytob.G 3/14/05 2
W32.Chod 3/13/05 2
W32.Selotima.A 3/13/05 2
W32.Mytob.E 3/12/05 2
W32.Kelvir.F 3/11/05 2
W32.Toxbot.B 3/10/05 2
W32.Toxbot 3/10/05 2
W32.Kelvir.E 3/09/05 2
W32.Myfip.T 3/09/05 2
W32.Serflog.B 3/07/05 2
W32.Kelvir.D 3/07/05 2
W32.Sober.L 3/07/05 2
W32.Serflog.A 3/07/05 2
W32.Kelvir.C 3/07/05 2
W32.Kelvir.B 3/07/05 2
W32.Kelvir.A 3/06/05 2
W32.Kobot.L 3/05/05 2
W32.Beagle.BK 3/05/05 2
Backdoor.Sdbot.AP 3/04/05 2
Trojan.Tooso.E 3/04/05 2
W32.Comdor.A 3/03/05 2
VBS.Allem 3/02/05 2
W32.Assiral.B 3/02/05 2
W32.Myfip.R 3/01/05 2
W32.Beagle.BJ 3/01/05 2
W32.Beagle.BI 3/01/05 2
W32.Gaobot.CPX 3/01/05 2
Trojan.Tooso.D 3/01/05 2
W32.Spybot.KHO 3/01/05 2
W32.Beagle.BH 3/01/05 2
Trojan.Tooso.C 3/01/05 2
W32.Beagle.BG 3/01/05 2


W32.Beagle.BG@mm
Discovered March 01, 2005

Systems Affected: All Windows32 Systems

W32.Beagle.BG@mm is a mass-mailing worm that uses its own SMTP engine to spread copies of Trojan.Tooso.B.

The worm opens a back door and allows a remote attacker to have unauthorized access to the compromised computer.

Payload: Opens a back door and may act as an email relay.
Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Compromises security settings: Disables security-related software.
Subject of email: Blank
Name of attachment: Varies.
Ports: TCP or UDP port 80


Read the full Symantec report here


Trojan.Tooso.C
Discovered March 01, 2005

Systems Affected: All Windows32 Systems

Trojan.Tooso.C is a Trojan horse that interferes with the operation of security software by terminating processes, stopping services, removing registry entries, and deleting files.

This Trojan is similar to a variant of the W32.Beagle@mm family of worms, but it does not send emails.

Read the full Symantec report here


W32.Beagle.BH@mm
Discovered March 01, 2005

Systems Affected: All Windows32 Systems

W32.Beagle.BH@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of Trojan.Tooso.B. Trojan.Tooso.B then downloads W32.Beagle.BH@mm on to the compromised computer.

The worm also opens a back door on TCP port 80.

Large scale e-mailing: Sends a mass-mailing.
Compromises security settings: Lowers security settings.
Subject of email: Varies
Name of attachment: Varies with a .zip file extension.
Ports: TCP and UDP port 80.

Read the full Symantec report here


W32.Spybot.KHO
Discovered March 01, 2005

Systems Affected: All Windows32 Systems

W32.Spybot.KHO is a worm that has distributed denial of service and back door capabilities. The worm spreads to network shares protected by weak passwords and by exploiting computer vulnerabilities.

Payload: Allows unauthorized remote access.
Ports: TCP ports 135 and 6667.
Shared drives: Attempts to copy to random IP addresses accessible via weak passwords.
Target of infection: Targets systems exploitable by common system vulnerabilities.

Read the full Symantec report here


Trojan.Tooso.D
Discovered March 01, 2005

Systems Affected: All Windows32 Systems

Trojan.Tooso.D is a Trojan horse that disables security software by terminating processes, stopping services, removing registry entries, and deleting files.

This Trojan is similar to a variant of the W32.Beagle@mm family of worms, but it does not send emails.

Deletes files: Deletes files related to security programs.
Modifies files: Modifies Hosts file.
Compromises security settings: Terminates processes of security-related programs. Deletes registry entries belonging to security-related programs.

Read the full Symantec report here


W32.Gaobot.CPX
Discovered March 01, 2005

Systems Affected: All Windows32 Systems

W32.Gaobot.CPX is a network-aware worm with back door, keylogging, and denial of service capabilities. The worm spreads by exploiting common system vulnerabilities, weak passwords and systems compromised by various back doors.

Degrades performance: System and Network performance may be degraded while performing denial of service attacks.
Releases confidential info: May steal confidential information, log keystrokes and steal passwords.
Compromises security settings: Gives the creator backdoor access to the computer.
Ports: Port 1749
Shared drives: Copies itself to network shares.

Read the full Symantec report here


W32.Beagle.BI@mm
Discovered March 01, 2005

Systems Affected: All Windows32 Systems

W32.Beagle.BI@mm is a mass-mailing worm that uses its own SMTP engine to spread copies of Trojan.Tooso.C, which then downloads W32.Beagle.BI@mm on to the compromised computer.

The worm also opens a back door on TCP port 80.

Large scale e-mailing: Sends a mass-mailing.
Degrades performance: Mass-mailing of itself may clog mail servers or degrade network performance.
Causes system instability: Mass-mailing may impact system performance.
Compromises security settings: Lowers security-setting by preventing various security-related software from running at system start-up.
Subject of email: Blank
Name of attachment: Varies with a .zip file extension.
Ports: Opens a back door on TCP port 80.

Read the full Symantec report here


W32.Beagle.BJ@mm
Discovered March 01, 2005

Systems Affected: All Windows32 Systems

W32.Beagle.BJ@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of Trojan.Tooso.B, which then downloads W32.Beagle.BJ@mm on to the compromised computer.

The worm also opens a back door on TCP port 80.

Large scale e-mailing: Sends a mass-mailing.
Degrades performance: Mass-mailing of itself may clog mail servers or degrade network performance.
Causes system instability: Mass-mailing may impact system performance.
Compromises security settings: Lowers security-setting by preventing various security-related software from running at system start-up.
Subject of email: Blank
Name of attachment: Varies with a .zip file extension.
Ports: Opens a back door on TCP port 80.

Read the full Symantec report here


W32.Myfip.R
Discovered March 01, 2005

Systems Affected: All Windows32 Systems

W32.Myfip.R is a network-aware worm that steals files from a compromised computer.

Degrades performance: Network propagation may result in performance degradation.
Causes system instability: May shut down explorer.exe.
Releases confidential info: Sends potentially confidential files to the saap.meibu.com domain.
Shared drives: Attempts to copy itself to any network shares found.

Read the full Symantec report here


W32.Assiral.B@mm
Discovered March 02, 2005

Systems Affected: All Windows32 Systems

W32.Assiral.B@mm is a mass-mailing worm that sends a copy of itself to email addresses gathered from a compromised computer. The worm also ends various processes, some of which may be security related.

Large scale e-mailing: Sends mass emails.
Degrades performance: Creates a mass-mailing of itself which may degrade system and network performance.
Compromises security settings: Ends various processes, some of which may be security related.
Subject of email: Varies
Name of attachment: Varies with .exe file extension.

Read the full Symantec report here


VBS.Allem@mm
Discovered March 02, 2005

Systems Affected: All Windows32 Systems

VBS.Allem@mm is a mass-mailing worm that sends itself to email addresses it finds in the Microsoft Outlook Address Book. It also spreads using mIRC, and copies itself as .VBS and .VBE files. VBS.Allem@mm is an encrypted VBScript worm that lowers security settings and deletes files.

Large scale e-mailing: Sends a mass-mailing.
Deletes files: Overwrites and deletes files.
Compromises security settings: Disables security-related software.
Subject of email: it's my porn pic
Name of attachment: Siti-Nurhaliza.jpg.vbs

Read the full Symantec report here


W32.Comdor.A@mm
Discovered March 03, 2005

Systems Affected: All Windows32 Systems

W32.Comdor.A@mm is a worm that downloads malware and sends itself to addresses found in the Windows Address Book using its own SMTP engine.

Payload: Downloads and executes a remote file.
Large scale e-mailing: Sends mail to all addresses found in the Windows Address Book.
Subject of email: =?ISO-8859-1?Q?Ol=E1?= , [Email Address taken from the Windows Address Book]

Read the full Symantec report here


Trojan.Tooso.E
Discovered March 04, 2005

Systems Affected: All Windows32 Systems

Trojan.Tooso.E is a Trojan horse program that interferes with the operation of security software by terminating processes, removing registry entries, stopping services, and deleting files.

Read the full Symantec report here


Backdoor.Sdbot.AP
Discovered March 04, 2005

Systems Affected: All Windows32 Systems

Backdoor.Sdbot.AP is a worm with back door capabilities that gives an attacker remote access to the compromised computer via IRC channels.

Payload: Opens a back door on TCP port 7812.
Compromises security settings: May allow attacker to upload to, download from, or execute files on an infected machine.
Shared drives: Copies itself to network shares.

Read the full Symantec report here


W32.Beagle.BK@mm
Discovered March 05, 2005

Systems Affected: All Windows32 Systems

W32.Beagle.BK@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of Trojan.Tooso.E. The worm also opens a back door on the compromised computer through TCP port 80.

Large scale e-mailing: Sends an email to addresses that it downloads from a remote computer.
Compromises security settings: Deletes registry entries to prevent execution of security related programs.
Subject of email: Blank
Name of attachment: Varies with a .rar extension.
Ports: Opens a back door on TCP port 80 to be used as a mail-relay.

Read the full Symantec report here


W32.Kobot.L
Discovered March 05, 2005

Systems Affected: All Windows32 Systems

W32.Kobot.L is a worm that spreads through open network shares and remotely exploitable vulnerabilities. The worm also has the ability to act as a back door server program and attack other systems.

Payload: Allows unauthorized remote access.
Ports: Attempts to connect to IRC servers on TCP port 1029.
Shared drives: Attempts to authenticate and copy itself to shared drives.
Target of infection: Unpatched computers with remotely exploitable vulnerabilities.

Read the full Symantec report here


W32.Kelvir.A
Discovered March 06, 2005

Systems Affected: All Windows32 Systems

W32.Kelvir.A is a worm that spreads through Windows and MSN Messenger. The worm attempts to download and execute a variant of W32.Spybot.Worm.

The worm arrives in a Windows Messenger window with a link to the file cute.pif.

Payload: Downloads and executes a remote file.
Target of infection: Spreads via MSN Messenger.

Read the full Symantec report here

Download the Removal Tool here


W32.Kelvir.B
Discovered March 07, 2005

Systems Affected: All Windows32 Systems

W32.Kelvir.B is a worm that spreads through Windows Messenger and MSN Messenger and attempts to download and execute a variant of W32.Spybot.Worm.

Payload: Dropped W32.Spybot.Worm variant may open a back door.
Degrades performance: Downloads remote files and may degrade performance.
Target of infection: Spreads via Windows Messenger and MSN Messenger.

Read the full Symantec report here

Download the Removal Tool here


W32.Kelvir.C
Discovered March 07, 2005

Systems Affected: All Windows32 Systems

W32.Kelvir.C is a worm that spreads through Windows Messenger and MSN Messenger and drops a variant of W32.Spybot.Worm.

Payload: May open a back door.
Degrades performance: Downloads remote files and may degrade performance.
Ports: TCP port 8080.
Target of infection: Attempts to spread via MSN Messenger.

Read the full Symantec report here

Download the Removal Tool here


W32.Serflog.A
Discovered March 07, 2005

Systems Affected: All Windows32 Systems

W32.Serflog.A is a worm that spreads through file-sharing networks and MSN Messenger. The worm also lowers security settings.

Compromises security settings: Blocks access to security-related Web sites and terminates security-related processes.
Target of infection: Spreads through file-sharing networks and MSN Messenger.

Read the full Symantec report here


W32.Sober.L@mm
Discovered March 07, 2005

Systems Affected: All Windows32 Systems

W32.Sober.L@mm is a mass-mailing worm that uses its own SMTP engine to spread. The email may be in either English or German. The email has a variable subject and attachment name. The attachment has a .zip file extension.

Large scale e-mailing: Sends email to all addresses harvested from the compromised computer.
Compromises security settings: Attempts to terminate processes related to various security programs.
Subject of email: Ich habe Ihre E-Mail bekommen! or Your Password & Account number
Name of attachment: MailTexte.zip or acc_text.zip
Size of attachment: 45,222 bytes
Ports: TCP port 37

Read the full Symantec report here


W32.Kelvir.D
Discovered March 07, 2005

Systems Affected: All Windows32 Systems

W32.Kelvir.D is a worm that drops a variant of W32.Spybot.Worm and spreads through MSN Messenger and by exploiting vulnerabilities.

Payload: Drops and executes a variant of W32.Spybot.Worm which may open a back door.
Target of infection: Attempts to spread through MSN Messenger and by exploiting vulnerabilities.

Read the full Symantec report here

Download the Removal Tool here


W32.Serflog.B
Discovered March 07, 2005

Systems Affected: All Windows32 Systems

W32.Serflog.B is a worm that spreads through file-sharing networks and MSN Messenger. The worm also lowers security settings.

The worm arrives via an MSN Messenger window with a blank message.

Compromises security settings: Blocks access to security-related Web sites and terminates security-related processes.
Target of infection: Spreads through file-sharing networks and MSN Messenger.

Read the full Symantec report here


W32.Myfip.T
Discovered March 09, 2005

Systems Affected: All Windows32 Systems

W32.Myfip.T is a network-aware worm that steals files from a compromised computer.

Releases confidential info: May send confidential documents to an external location.
Shared drives: Attempts to connect to network shares as user Administrator using a preset list of passwords.

Read the full Symantec report here


W32.Kelvir.E
Discovered March 09, 2005

Systems Affected: All Windows32 Systems

W32.Kelvir.E is a worm that drops a variant of W32.Spybot.Worm and spreads through MSN Messenger and by exploiting vulnerabilities.

Payload Trigger: Drops and executes a variant of W32.Spybot.Worm which may open a back door.
Target of infection: Attempts to spread through MSN Messenger and by exploiting vulnerabilities.

Read the full Symantec report here


W32.Toxbot
Discovered March 10, 2005

Systems Affected: All Windows32 Systems

W32.Toxbot is a worm that opens an IRC back door on the compromised computer and spreads by exploiting vulnerabilities.

Payload: Opens a back door.
Degrades performance: Downloads remote files and may degrade network performance.
Releases confidential info: Logs keystrokes and steals passwords.
Target of infection: Computers with remotely exploitable vulnerabilities.

Read the full Symantec report here


W32.Toxbot.B
Discovered March 10, 2005

Systems Affected: All Windows32 Systems

W32.Toxbot.B is a worm that opens an IRC back door on the compromised computer and spreads by exploiting vulnerabilities.

Payload: Opens a back door.
Degrades performance: Downloads remote files and may degrade network performance.
Releases confidential info: May log keystrokes, may grab cached passwords.
Compromises security settings: Opens port 6556 as a back door.
Ports: TCP port 6556.
Target of infection: Attempts to spread by exploiting common system vulnerabilities.

Read the full Symantec report here


W32.Kelvir.F
Discovered March 11, 2005

Systems Affected: All Windows32 Systems

W32.Kelvir.F is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.

Payload: Drops and executes a variant of W32.Spybot.Worm which may open a back door.
Target of infection: Attempts to spread through MSN Messenger and by exploiting vulnerabilities.

Read the full Symantec report here


W32.Mytob.E@mm
Discovered March 12, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.E@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the Windows Address Book on the compromised computer.

The worm also has the ability to open a back door and spread through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow vulnerability (described in Microsoft Security Bulletin MS04-011).

Payload: Opens a back door.
Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Subject of email: Varies.
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.
Ports: TCP ports 445 and 6667.

Read the full Symantec report here


W32.Selotima.A
Discovered March 13, 2005

Systems Affected: All Windows32 Systems

W32.Selotima.A is a worm that propagates through file-sharing networks and inserts itself into .zip and .rar archives.

Modifies files: Inserts itself as Readme.txt.exe into .zip or .rar files.
Degrades performance: Spreading through file-sharing networks may degrade network performance.
Target of infection: Spreads through file-sharing networks.

Read the full Symantec report here


W32.Chod@mm
Discovered March 13, 2005

Systems Affected: All Windows32 Systems

W32.Chod@mm is a mass-mailing worm that also propagates using MSN Messenger. The worm has back door capabilities and can be controlled through IRC channels. It also overwrites the Hosts file and lowers security settings.

Payload: Opens a back door.
Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Modifies files: Modifies the Hosts file.
Degrades performance: Performance may be degraded when a denial of service attack is being launched.
Releases confidential info: Steals passwords for various applications.
Compromises security settings: Ends security-related processes and blocks access to various security-related Web sites.
Subject of email: Varies
Name of attachment: Varies with .exe, .pif, or .scr file extension
Size of attachment: 152,292 bytes
Target of infection: Attempts to spread via MSN Messenger.

Read the full Symantec report here


W32.Mytob.G@mm
Discovered March 14, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.G@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.

The worm also has the ability to spread through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011) and open a back door.

Payload: Drops and executes a W32.Spybot.Worm variant which may open a back door.
Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Modifies files: Modifies the hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.
Size of attachment: approximately 52 Kb
Ports: Random TCP ports between 1000 and 65535

Read the full Symantec report here


W32.Mytob.F@mm
Discovered March 14, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.F@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the Windows Address Book on the compromised computer. The email has a variable subject and attachment name. The attachment has a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.

The worm also has the ability to open a back door and spread through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).

Payload: Opens a back door.
Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Compromises security settings: Blocks access to security-related Web sites.
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.
Ports: TCP port 8080.

Read the full Symantec report here


W32.Kelvir.H
Discovered March 14, 2005

Systems Affected: All Windows32 Systems

W32.Kelvir.H is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.

Read the full Symantec report here


W32.Elitper.D@mm
Discovered March 14, 2005

Systems Affected: All Windows32 Systems

W32.Elitper.D@mm is a mass-mailing worm that also attempts to spread using file-sharing networks. It also terminates processes, deletes files, and lowers Windows security settings.

Large scale e-mailing: Sends a copy of itself to email addresses gathered from the compromised computer.
Modifies files: Modifies the Hosts file.
Compromises security settings: Lowers security settings by blocking access to security-related Web sites and disabling various Windows security features.
Subject of email: Fwd:Attention
Name of attachment: SP2 Bug Remove.exe
Target of infection: Spreads through file-sharing.

Read the full Symantec report here


W32.Kelvir.G
Discovered March 14, 2005

Systems Affected: All Windows32 Systems

W32.Kelvir.G is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.

Read the full Symantec report here


W32.Serflog.C
Discovered March 15, 2005

Systems Affected: All Windows32 Systems

W32.Serflog.C is a worm that spreads through file-sharing networks and MSN Messenger. The worm also lowers security settings.

Compromises security settings: Blocks access to security-related Web sites and terminates security-related processes.
Target of infection: Spreads through file-sharing networks and MSN Messenger.

Read the full Symantec report here


W32.Randex.CZZ
Discovered March 15, 2005

Systems Affected: All Windows32 Systems

W32.Randex.CZZ is a network-aware worm that will attempt to connect to a predetermined IRC server to receive instructions from a remote attacker.

Payload: Opens a back door.
Degrades performance: Performs scans for specific computers.
Releases confidential info: Retrieves the infected computer's information.
Ports: TCP port 9000

Read the full Symantec report here


VBS.Scafene@mm
Discovered March 15, 2005

Systems Affected: All Windows32 Systems

VBS.Scafene@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to all email addresses in the Microsoft Outlook address book. It also attempts to spread itself through mIRC. The worm overwrites all .vbs and .vbe files with its code.

Large scale e-mailing: Sends itself to all email addresses in the Microsoft Outlook address book.
Degrades performance: Creates a mass-mailing of itself which may degrade network performance.
Subject of email: Heyy..!! The Game Is Here
Name of attachment: Game.exe.vbs

Read the full Symantec report here


W32.Mytob.H@mm
Discovered March 16, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.H@mm is a mass-mailing worm that has back door capabilities and uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.

The worm spreads through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011), and by copying itself to unprotected shares.

Payload: Opens a back door on TCP port 6667.
Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Degrades performance: Modifies the Hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Subject of email: Varies.
Name of attachment: Varies.
Ports: TCP port 6667, random TCP port between 1000 and 65535.

Read the full Symantec report here


W32.Mytob.I@mm
Discovered March 16, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.I@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm also spreads by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.

Payload: Lowers Security Settings
Modifies files: Modifies the Hosts File
Degrades performance: Propagation may impact network performance and resources.
Causes system instability: Creates a mass-mailing of itself which may impact computer performance.
Compromises security settings: Restricts access to security-related Web sites.
Name of attachment: Varies
Ports: TCP port 6667

Read the full Symantec report here


W32.Kelvir.I
Discovered March 18, 2005

Systems Affected: All Windows32 Systems

W32.Kelvir.I is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.

Payload: Drops and executes a variant of W32.Spybot.Worm.
Compromises security settings: Opens a back door on TCP port 8080.
Target of infection: Attempts to spread through MSN Messenger.

Read the full Symantec report here


W32.Mydoom.BG@mm
Discovered March 19, 2005

Systems Affected: All Windows32 Systems

W32.Mydoom.BG@mm is a mass-mailing worm that uses its own SMTP engine to send out an email message that contains a link to a web site with a copy of itself. The worm then downloads a PWSteal.Trojan onto the compromised computer.

Payload: Downloads and executes a back door Trojan.
Large scale e-mailing: Sends itself to all email addresses it finds on the compromised computer.
Distribution
Subject of email: Virus Alert id: [5 digit random no.]

Read the full Symantec report here


W32.Mytob.J@mm
Discovered March 24, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.J@mm is a mass-mailing worm that has back door capabilities and uses its own SMTP engine to send emails to addresses that it gathers from the compromised computer.

The worm spreads through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).

Payload Trigger: Opens a back door.
Large scale e-mailing: Sends emails
Compromises security settings: Blocks access to several security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: Random TCP ports

Read the full Symantec report here


W32.Reidana.A
Discovered March 24, 2005

Systems Affected: All Windows32 Systems

W32.Reidana.A is a worm that spreads by using the Microsoft Windows DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026). The worm attempts to download and execute a remote file.

Payload: Downloads and executes remote files.
Distribution
Ports: TCP ports 139 and 4444.

Read the full Symantec report here


W32.Mytob.L@mm
Discovered March 24, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.L@mm is a mass-mailing worm with back door capabilities. The worm uses its own SMTP engine to send email to addresses that it gathers from the compromised computer. The worm also spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).

Payload: Opens a back door.
Large scale e-mailing: Sends an email to addresses from the compromised computer.
Modifies files: Modifies the Hosts file.
Compromises security settings: Lowers security settings by blocking access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: Varies
Target of infection: Exploits vulnerabilities.

Read the full Symantec report here


W32.Mytob.K@mm
Discovered March 24, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.K@mm is a mass-mailing worm with back door capabilities. The worm uses its own SMTP engine to send email to addresses that it gathers from the compromised computer. The worm also spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).

Payload: Opens a back door.
Large scale e-mailing: Yes
Modifies files: Modifies the Hosts file.
Compromises security settings: Lowers security settings by blocking access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: Varies
Ports: Varies
Target of infection: Exploits vulnerabilities.

Read the full Symantec report here


W32.Mytob.O@mm
Discovered March 25, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.O@mm is a mass-mailing worm with back door capabilities. The worm uses its own SMTP engine to send email to addresses that it gathers from the compromised computer. The worm also spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).

Payload: Opens a back door.
Large scale e-mailing: Yes
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: Varies

Read the full Symantec report here


W32.Mytob.M@mm
Discovered March 25, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.M@mm is a mass-mailing worm with back door capabilities. The worm uses its own SMTP engine to send email to addresses that it gathers from the compromised computer. The worm also spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).

Payload: Opens a back door.
Large scale e-mailing: Yes
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: Varies

Read the full Symantec report here


W32.Elitper.E@mm
Discovered March 25, 2005

Systems Affected: All Windows32 Systems

W32.Elitper.E@mm is a worm that attempts to spread using MS Outlook and file-sharing networks. It also terminates processes, deletes files, and lowers Windows security settings.

Large scale e-mailing: Sends emails.
Deletes files: Yes
Compromises security settings: Blocks access to several security-related Web sites.
Distribution
Subject of email: Microsoft SP2 Update Urgent Download It
Name of attachment: SP2 UPDATE.EXE

Read the full Symantec report here


W32.Mytob.Q@mm
Discovered March 27, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.Q@mm is a mass-mailing worm with back door capabilities that is infected with W32.Pinfi. The worm uses its own SMTP engine to send email to addresses that it gathers from the compromised computer.

The worm also spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011) and the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS03-026).

Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: 60,416 bytes
Target of infection: Exploits vulnerabilities

Read the full Symantec report here


W32.Mytob.S@mm
Discovered March 28, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.S@mm is a mass-mailing worm with back door capabilities that uses its own SMTP engine to send email to addresses that it gathers from the compromised computer.

The worm also spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).

Payload: Opens a back door.
Large scale e-mailing: Sends email to addresses collected from the local computer.
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: Varies
Ports: Varies

Read the full Symantec report here


W32.Mytob.R@mm
Discovered March 28, 2005

Systems Affected: All Windows32 Systems

W32.Mytob.R@mm is a mass-mailing worm with back door capabilities that uses its own SMTP engine to send email to addresses that it gathers from the compromised computer.

The worm also spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011) and the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS03-026).

Payload: Opens a back door.
Large scale e-mailing: Sends email to addresses collected on the local computer.
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: Varies
Ports: TCP port 10087

Read the full Symantec report here


W32.Kelvir.J
Discovered March 28, 2005

Systems Affected: All Windows32 Systems

W32.Kelvir.J is a worm that spreads through MSN Messenger. It attempts to download and execute a remote file.

Payload: Downloads a remote file which may allow unauthorized remote access.
Distribution
Target of infection: MSN Messenger.

Read the full Symantec report here


W32.Sory.A
Discovered March 29, 2005

Systems Affected: All Windows32 Systems

W32.Sory.A is a worm that spreads through network shares and steals confidential information.

Logs the following information:

Keystrokes
E-mail settings
Information about the computer hardware
Windows registration details

Read the full Symantec report here


W32.Zori.B
Discovered March 31, 2005

Systems Affected: All Windows32 Systems

W32.Zori.B is a virus that spreads over Windows file shares and is written in Delphi. The virus also infects .exe files by writing its code to the beginning of the files. Nine days after the original infection, the virus begins to delete files from all disks.

Deletes files: Deletes files after nine days.
Modifies files: Prepends its code to .exe files found.
Degrades performance: Propagation may degrade performance.
Compromises security settings: Attempts to delete security related registry keys and disable security related processes.
Distribution
Ports: TCP port 1879
Shared drives: May also spread by copying itself over Windows file shares.

Read the full Symantec report here


W32.Sober.N@mm
Discovered March 31, 2005

Systems Affected: All Windows32 Systems

W32.Sober.N@mm is a mass-mailing worm that uses its own SMTP engine to send itself to addresses gathered from the compromised computer. The email will be in either English or German.

Large scale e-mailing: Sends an email to addresses gathered from a compromised computer.
Degrades performance: Propagation may degrade performance.

Read the full Symantec report here


W32.Kelvir.K
Discovered March 31, 2005

Systems Affected: All Windows32 Systems

W32.Kelvir.K is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.

Payload: Attempts to drop and execute a variant of W32.Spybot.Worm.
Distribution
Target of infection: Attempts to spread via MSN Messenger.

Read the full Symantec report here


Trojan.Ascetic.B
Discovered March 31, 2005

Systems Affected: All Windows32 Systems

Trojan.Ascetic.B uses its own SMTP engine to send the email addresses that it finds on the infected computer to some predefined email addresses. The email address of the sender is spoofed. The subject is randomly generated text.

Large scale e-mailing: Sends an email to addresses gathered from a compromised computer.
Degrades performance: Propagation may degrade performance.

Read the full Symantec report here


W32.Ahker.F@mm
Discovered March 31, 2005

Systems Affected: All Windows32 Systems

W32.Ahker.F@mm is a mass-mailing worm that uses MAPI to send a copy of itself to email addresses gathered from the compromised computer.

Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Modifies files: Modifies the Hosts file and blocks access to several Web sites.
Causes system instability: Ends processes, which may belong to several security programs and other worms.
Compromises security settings: Lowers security settings by blocking access to several security-related Web sites.
Distribution
Subject of email: Varies

Read the full Symantec report here

© Copyright 1999 - 2005 The Computer Wizard