 
Virus News 

 

 


 

 

April 2004

Select the links for detailed information and removal tools for the latest viruses


W32.Misodene 4/29/2004 2
W32.Beagle.X@mm 4/28/2004 3
W32.Netsky.AB 4/27/2004 3
W32.Netsky.AA 4/27/2004 2
W32.Traxg 4/26/2004 2
W32.Beagle.W 4/26/2004 3
W32.Gaobot.ADX 4/24/2004 2
W32.Gaobot.ADW 4/23/2004 2
W32.Gaobot.ADV 4/22/2004 2
W32.Gaobot.ADN 4/21/2004 2
W32.Netsky.Z 4/21/2004 2
W32.Blaster.T.Worm 4/21/2004 2
W32.Mydoom.J 4/20/2004 2
W32.Opasa 4/20/2004 2
W32.Netsky.Y 4/20/2004 3
W32.Netsky.X 4/20/2004 3
W32.Erkez.A 4/19/2004 2
W32.Netsky.W 4/16/2004 2
W32.Mydoom.I 4/15/2004 2
W32.Gaobot.AAY 4/15/2004 2
W32.Netsky.V 4/14/2004 2
W32.Gaobot.ZX 4/12/2004 2
W32.Gaobot.YN 4/08/2004 2
W32.Tunk.A 4/06/2004 2
W32.Netsky.U 4/07/2004 2
W32.Gaobot.WO 4/06/2004 2
W32.Netsky.T 4/06/2004 2
W32.Bugbear.C 4/05/2004 2
W32.Bugbear.E 4/05/2004 2
W32.Lovgate.R 4/05/2004 2
W32.Netsky.S 4/05/2004 2
W32.Sober.F 4/03/2004 2
W32.Blackmal.B 4/01/2004 2

   
 

W32.Blackmal.B@mm
Discovered April 01, 2004

Systems Affected: All Windows32 Systems

W32.Blackmal.B@mm is a minor variant of W32.Blackmal@mm. The two differ only in the size of the worm, some possible viral file names, and the email subjects and messages that the worm creates. The major viral behaviors of both variants are identical.

Large scale e-mailing: Emails itself to all the contacts in MSN Messenger and Yahoo Pager, as well as to addresses found in files whose extensions are .htm or .dbx.
Deletes files: All files or executables in the following directories:
%Program Files%\Norton AntiVirus\
%Program Files%\McAfee\McAfee VirusScan\Vso\
%Program Files%\Trend Micro\PC-cillin 2002\
%Program Files%\Trend Micro\PC-cillin 2003\
%Program Files%\Trend Micro\Internet Security\
%Program Files%\Symantec\LiveUpdate\

Email routine details
The worm uses its own SMTP engine to email itself to all the email addresses listed in MSN Messenger and Yahoo Pager, as well as in all files whose extensions are .htm or .dbx. It attempts to send the email through the default SMTP server that the infected computer uses. If the worm cannot find this information, it uses one of the many SMTP server addresses that are hard-coded into the worm.

Note: The email messages created by the worm may contain a .gif file that misleadingly indicates the email carrying the threat is clean and safe to open:

Subject: (Some possible subject lines are listed below.)
Alert
Fwd: Important Alert
Fw: }>Fucking<{
File - movie SuCkingPuSSy.mpeg
Movie
Re: Why?! BackSex.mpeg
Fw:'''~~movie'''~~25
Re:(movie)
Fw: `·.¸MPEG`·.¸
XXX Funny movie
Videos Clips...SeXxXy
Re: Fw:Women Mpeg
Asses Mpeg's
Fw: Lesbian Mpeg
Fw: Funny Ass
Hot XXX Streaming Videos, FREE Clips


Body:
The Body contains the first HTML-generated message below, or one of the subsequent plain-text messages. The HTML-generated message uses only the first two subject lines mentioned above and the attachment names Fix_BlackWorm.com, Scan.zip, or Scan.tgz.

Dear User,

This is A very High Resk Virus Alert

This email is sent to you because one or some of your friends has been infected
with The W32.BlackWorm.A@mm Virus.
And you could be infected too.This Virus has the ability to damage the hard disk.
This Virus infects computers using many new ways :

1- it arrives as an email attachment inside of jpg pictures.
2- it infects the ip address without the victim's knowledge.
3- it infects Microsoft Word Documents using a new exploit in hex (00fxf0xf10x).

Notes:

Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
Symantec Security Response has attached a removal tool to clean and prevent the infections of W32.BlackWorm.A@mm.

Sincerely
Norton AntiVirus

• Babe sucking black Dog MPEG funny movie
• hey guys my name is April Goostree i am a sexy 22 yr old bbw , 5'9, 48 dd , big ole booty, jus lovin life, until i get my pics posted in here you can either check out my profile or join my own yahoo group Texas-Sexy@groups.msn.com, either way works for me..i hope to become very active in this group, i like to get to know people, like to get on cam once in a while, jus to chill, when they aint none home..thats why its once in a while yaknow..anyways jus holla at me... n thanks for lettin me join!!! kisses kandee..Bye
• Dozens of Free Video Clips to download.Many Niches. Updated regularly and more added daily.Taken From Vivi's Lovely Briefcase.
• very good movie >>> Video's Media Player. SEX SEX * Sluts Tits Video Mpeg's Mpeg Video Clips
• Cum and check this fun group out...Sexy ladies!! Come post your ad,..this is a real swingers group!! I'm attatching a Video Clip of my wife if interested in checking it out!
• -==This server Cannot support Transfer Big Movies==-
• Video's Girls Erotic WebCam's Tits Mpeg's Girls Ass SEX Pussy Video Clips
• Here is another Vclip of my daily group :|
• All kinda Women Can be Found Here To Satisfy Women Lovers' Eyes
• u Love asses? Here is a great ass open wide waitin for ur lil Cock Bye
• movie attached open by media Player 7.1
• when i saw my ass i slept 3 hours why?? check my ass sorry my movie LOOOOOOOOL joke (^!^)
• Check This ?ucking Babe ;D ?ucking = Sucking=Fucking

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.blackmal.b@mm.html


W32.Sober.F@mm
Discovered April 03, 2004

Systems Affected: All Windows32 Systems

W32.Sober.F@mm is a variant of W32.Sober.E@mm that spreads by sending itself as an email attachment using its own SMTP engine. The worm also attempts to download and execute a file from a remote Web site.

The Subject: and Body: of the email vary and are written in German.

Large scale e-mailing: Sends mail to addresses collected from the local machine
Modifies files: Modifies the system registry.
Compromises security settings: May arbitrarily execute content downloaded from the web.

The email will have the following characteristics:

From: (One of the following German or English)

German:
Webmaster
Fehler-Info
Administrator
RobotMailer
AutoMailer
Register
Service
Info
Passwort
Kundenservice
Liste
Schwarze-Liste
Information

English:
Administrator
Webmaster
Home
Register
Service
Info
admin
Error_Info
RobotMailer
AutoMailer
User-info
account
webmaster

or created by combining the user name from a collected email address with one of the following domains:

@abuse.de
@yahoo.com
@yahoo.de
@gmx.de
@gmx.net
@web.de
@freenet.de
@lycos.de

Subject: (One of the following German or English)

German:
Einzelheiten
Hallo Du!
Hallo!
Hey Du
Hi, Ich bin's
Ich bin es .-)
Verdammt
Na, überrascht?!
Info
Information
Fehlerhafte Mailzustellung
Mailzustellung fehlgeschlagen
Fehler
Illegale Zeichen in Mail-Routing
Verbindung fehlgeschlagen
Ung
Fehler in E-Mail
Bestätigung
Registrierungs-Bestätigung
Ihr neues Passwort
Ihr Passwort
Datenbank-Fehler
Warnung!
Details

English:
Oh my God
Hey
Hi!
Hi, it's me
hey you
damn!
Well, surprised?
Info
Information
Faulty mail delivery
Mail delivery failed
Mail Error
Illegal signs in Mail-Routing
Connection failed
Invalid mail sentence length
Mail Delivery failure
Message Error
mail delivery status
Confirmation Required
Bad Gateway
Warning!
Your document

followed by:

Message-ID: <%Random_String%.qmail>

Body: (One of the following German or English)

German:
Ich war auch ein wenig überrascht!
Wer konnte so etwas ahnen!? Lese selbst
Oh-Mann

Alles klaro bei dir?
Schau mal was Ich gefunden habe!

Sieh mal nach ob du den Scheiss auch bei dir drauf hast!
Ist ein ziemlich nervender Virus. Mach genau das, wie es im Text beschrieben ist!
Bye

Ich habs dir doch gesagt, irgendwann schaffe ich es deine Passwörter rauszubekommen!!!
Passwoerter.txt

Details entnehmen Sie bitte dem Attachment
Nähere Informationen befinden sich im Anhang.

*** Auto Mail Delivery System ***
Ihre E-Mail konnte nicht gesendet oder empfangen werden.
Bitte überprüfen Sie nochmals diese E-Mail auf mögliche Fehlerquellen.
attach: AMD-System.txt
* End Transmission
Virenschutz
--- Web: http://www.<randomly chosen domain>
--- Mail To: User-Hilfe

Passwort und Benutzername wurde erfolgreich geändert
Ihre Benutzernamen und Passwörter befinden sich im Anhang dieser E-Mail
++++ Im www erreichbar unter: http://www.<randomly chosen domain>
++++ E-Mail: KundenInfo

Wegen eines Datenbank- Fehlers könnte es möglicherweise zu einem Verlust Ihrer persönlichen Daten wie Kennwörter gekommen sein.
Wenn Sie Unregelmäßigkeiten festgestellt haben, melden Sie uns bitte umgehend den Datenverlust.
Vielen Dank für Ihr Verständnis
+++ Ein Service von
+++ http://www.<randomly chosen domain>
+++ E-Mail: Kundenservice

Internet Provider Abuse:
Wir haben festgestellt, dass Sie illegale Internet- Seiten besuchen.
Bitte beachten Sie folgende Liste:

English:
I was surprised, too! :-(
Who could suspect something like that?

All OK :)
see, what i've found!

hi its me
i've found a shity virus on my pc. check your pc, too!
follow the steps in this article.
bye

I 've told you!:-) sometime I grab your passwords!

I hope you accept the result!
Follow the instructions to read the message.
Please read the document

Registration confirmation
Your Password
Your mail account
Your password was changed successfully.
Protected message is attached.
++++ Service: http://www.<randomly chosen domain>
++++ Mail To: User-info

*** Auto Mail Delivery System ***
67.28.114.32_failed_after_I_sent_the_message./Remote_host_said:_554_delivery_error:_dd_
Sorry_your_message_cannot_be_delivered._This_account_has_been_disabled_or_discontinued
_[#102]._-_mta134.mail.dcn.com
** End of Transmission
The original message is a separate attachment.
--- Web: http://www.<randomly chosen domain>
--- Mail To: User-Hilfe

Read the attachment for details.
Bad Gateway: The message has been attached.
+++ A service of <randomly chosen domain>
+++ http://www.<randomly chosen domain>
+++ Mail: home

The message has been attached.

Database #Error
-- Partial message is available!
-- Error: llegal signs in Mail-Routing
-- Mail Server: ESMTP VX32.9 Version Betha Alpha

Anybody use your accounts!
For further details see the attachment.

I have received your document. The corrected document is attached.
greets

Attachment: (One of the following German or English names, with a .pif or .zip extension)

German:
Oh-Mann
Dokument
KurzText
AntiVirus-Text
Anleitung
Passwoerter.txt
Text-Inhalt
AMD-System.txt
Benutzer-Daten
Datenbank-Fehler
abuse-liste
schwarze-listen
Block-Lists

English:
anitv_text
instructions
your_article
your_passwords
messagedoc
corrected_text-file
attach-message
<random>-attachment
<random>_attach
pass-message
text
Textdocument
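The Message-ID the worm generates, <%Random_String%.qmail>, is structurally wrong: a Message-ID is required to have the form <id-left@id-right>, and a real qmail-generated ID carries the originating host after the @. That makes the header a cheap, stable check on the mail gateway, independent of the ever-changing subject and attachment lists. The filter below is an added example written for this page, not code from Symantec or from the original site; the two header sets are constructed and the host names are placeholders.

```python
import re
from email import message_from_string

# RFC 2822 msg-id, simplified: "<" id-left "@" id-right ">" with no
# whitespace or angle brackets inside either side.
MSG_ID_RE = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")


def message_id_findings(raw_headers: str) -> list:
    """Return a list of problems with the Message-ID of one message.

    An empty list means the header is present and well-formed.
    """
    msg = message_from_string(raw_headers)
    mid = msg.get("Message-ID")
    reasons = []
    if mid is None:
        reasons.append("no Message-ID header")
        return reasons
    mid = mid.strip()
    if not MSG_ID_RE.match(mid):
        reasons.append(f"Message-ID {mid!r} is not of the form <id-left@id-right>")
    # A genuine qmail ID ends in ".qmail@<host>"; ending in ".qmail>" means
    # the host part is missing, which is exactly the Sober.F template.
    if mid.lower().endswith(".qmail>"):
        reasons.append("Message-ID ends in '.qmail' with no originating host")
    return reasons


# Constructed sample headers (placeholder addresses, not real mail).
SOBER_STYLE_HEADERS = """\
From: Webmaster <webmaster@gmx.de>
To: someone@example.invalid
Subject: Mailzustellung fehlgeschlagen
Message-ID: <9f3a7c1e2b.qmail>

"""

LEGIT_QMAIL_HEADERS = """\
From: colleague@example.invalid
To: someone@example.invalid
Subject: Meeting notes
Message-ID: <20040403120000.12345.qmail@mail.example.invalid>

"""

if __name__ == "__main__":
    for label, hdrs in (("sober", SOBER_STYLE_HEADERS), ("legit", LEGIT_QMAIL_HEADERS)):
        print(label, message_id_findings(hdrs) or "ok")
```

A malformed Message-ID alone is not proof of infection (some broken mail clients produce them), so in practice this check contributes a score alongside the attachment-extension and sender checks rather than rejecting on its own.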


The worm skips the email addresses that contain the following substrings:

mailer-daemon
office
redaktion
support
variabel
password
time
postmas
service
freeav
@ca.
abuse
winrar
domain.
host.
viren
ewido.
emsisoft
linux
google
@foo.
winzip
@arin
mozilla
@iana
@avp
@msn
microsoft.
@sophos
@panda
symant
ntp-
ntp@
@ntp.
@kaspers
free-av
antivir
virus
verizon.
@ikarus.
@nai.
@messagelab
clock

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.sober.f@mm.html


W32.Netsky.S@mm
Discovered April 05, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.S@mm is a mass-mailing worm and a variant of W32.Netsky.R@mm. It also contains backdoor functionality and may perform Denial of Service (DoS) attack against specified Web sites. The email has a variable subject line and attachment name. The attachment will have a .pif file extension.

Payload Trigger: If the computer date is between April 13, 2004 and April 23, 2004
Payload: Performs DoS attack against various websites.
Large scale e-mailing: Sends to all email addresses collected by parsing specific files on the infected computer.

If the system date is not April 2004, or if it is and the day is less than 14 or greater than 16, the worm will attempt to use its own SMTP engine to send itself to all the email addresses that it finds.

Note: If the worm finds the email address "someone@hostname.com," it will attempt to use the server "hostname.com" as the SMTP server.

The email has the following characteristics:

From: <Spoofed>

Subject: (one of the following)

Hello!
Hi!
Re: Important
Important
Re: My details
My details
Re: Your information
Your information
Re: Your details
Your details
Re: Your document
Your document
Re: Request
Request
Re: Thanks you!
Thank you!
Re: Approved
Approved
Re: Hello
Re: Hi
Hello
Approved file
List
Corrected document
Archive
Abuse list
Presentation document
Instructions
Details
Improved document
Note
Message
Contact list
Number list
File
Secound document
Improved file
User list
Textfile
New document
Text
Information
Info
Word document
Excel document
Powerpoint document
Detailed document
Homepage
Letter
Mail
Document
Old document
Approved document
Movie document
Picture document
Summary
Description
Requested document
Notice
Bill
Answer
Release
Final version
Diggest
Important document
Order
Photo document
Personal message
Phone number
E-mail
Icq number
Report
Story
Concept
Developement
Sample
Postcard
Account

Attachments:

<Random.name>[%i].pif
(where [%i] may be a random number)

<Random.name> is one of the following strings:

approved_file
list
corrected_document
archive
abuse_list
presentation_document
instructions
details
improved_document
note
message
contact_list
number_list
file
secound_document
improved_file
user_list
textfile
new_document
text
information
info
word_document
excel_document
powerpoint_document
detailed_document
homepage
letter
mail
document
old_document
approved_document
movie_document
picture_document
summary
description
requested_document
notice
bill
answer
release
final_version
diggest
important_document
order
photo_document
personal_message
phone_number
e-mail
icq_number
report
story
concept
developement
sample
postcard
account

Body:

The first part is one of the following:


Hi!
Hello!

The second part is one of the following:

Note that I have attached your document.
My %s.
The %s.
I have spent much time for the %s.
I have spent much time for your document.
Your %s.
Please notice the attached %s.
Please notice the attached document.
Please read quickly.
For more details see the attached document.
For more information see the attached document.
Approved, here is the document.
I have found the %s.
My %s is attached.
Your %s is attached.
Please, %s.
Your file is attached to this mail.
Please read the attached document.
Please have a look at the attached document.
See the document for details.
Here is the document.
The requested %s is attached!
I have sent the %s.
Please see the %s.
The %s is attached.
Here is the %s.
Please have a look at the %s.
Please read the %s.

Note: %s is the attachment name. For example, if the attachment is sample.pif, the message could be:

Please have a look at the samples.

The third part is one of the following:


Yours sincerely
Thank you
Thanks

The fourth part is one of the following:

+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new Panda OnlineAntiVirus
+++ Website: www.pandasoftware.com

+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new MCAfee OnlineAntiVirus
+++ Homepage: www.mcafee.com

+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new F-Secure OnlineAntiVirus
+++ Visit us: www.f-secure.com

+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new Norton OnlineAntiVirus
+++ Free trial: www.norton.com

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.s@mm.html


W32.Lovgate.R@mm
Discovered April 05, 2004

Systems Affected: All Windows32 Systems

W32.Lovgate.R@mm is a variant of W32.Lovgate@mm. It is also a mass-mailing worm that attempts to email itself to all the email addresses it finds on the computer.

The "sender" of the email is spoofed, and the subject line and message body of the email vary.

Large scale e-mailing: Emails all the addresses found in certain files on the system.
Releases confidential info: Steals system information and sends to the hacker.
Compromises security settings: Terminates processes belonging to various security programs.

Replies to all the incoming messages when they arrive in the mailbox of certain MAPI-compliant email clients, which include Microsoft Outlook.

If the original email is:

Subject: <subject>
From: <someone>@<somewhere.com>
Message: <original message body>

the worm will attempt to send the following email:

Subject: Re: <subject>
To: <someone>@<somewhere.com>
Message:
'<someone>' wrote:
====
> <original message body>
>
====

<sender's domain> account auto-reply:

followed by one of the following:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about, don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.

> Get your FREE <sender's domain>now! <

Attachment: The attachment is one of the following:

the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe


For each drive from C to Y that is a hard drive or RAM drive, the worm retrieves email addresses from all files with these extensions:
.txt
.htm
.sht
.php
.asp
.dbx
.tbb
.adb
.pl
.wab


Uses its own SMTP engine to send itself to the email addresses that it finds in those files.

The email is:

From: The sender's name is randomly selected from a list that the worm carries.

Subject: The subject line is one of the following:

test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message: The message body may be one of the following:

It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail failed. For further assistance, please contact!

Attachment: Randomly constructed file name, with the following extensions:

.exe
.scr
.pif
.zip
.rar
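Two features of the Lovgate.R mail described above are rigid enough to match on: the auto-reply body has a fixed skeleton ('<someone>' wrote:, ==== fences, "<domain> account auto-reply:" and the "> Get your FREE <domain>now! <" footer), and nearly every attachment name hides an executable behind a harmless-looking extension (Me_nude.AVI.pif, Shakira.zip.exe). The checks below are an added example for this page, not code from Symantec or from the original site; the sample body and the extension sets are constructed and deliberately small.

```python
import re

# Final extensions Windows will execute, and the "innocent" ones the worm
# puts in front of them (a constructed subset for this example).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat"}
INNOCUOUS_EXTS = {"txt", "doc", "avi", "mp3", "rm", "zip", "rar", "jpg", "gif"}


def deceptive_extension(filename: str) -> bool:
    """True for names such as Me_nude.AVI.pif or Britney spears nude.exe.txt.exe:
    an executable final extension preceded by at least one innocuous one."""
    parts = filename.lower().split(".")
    if len(parts) < 3:            # needs name + inner ext + final ext
        return False
    final, inner = parts[-1], parts[1:-1]
    return final in EXECUTABLE_EXTS and any(e in INNOCUOUS_EXTS for e in inner)


# Skeleton of the forged auto-reply body shown in the report.
AUTOREPLY_RE = re.compile(
    r"^'(?P<sender>[^'\n]+)' wrote:\n====\n(?:>.*\n)+====\n+"
    r"(?P<domain>\S+) account auto-reply:\n",
    re.MULTILINE,
)
FOOTER_RE = re.compile(r"^> Get your FREE (?P<domain>\S+)now! <$", re.MULTILINE)


def lovgate_autoreply(body: str):
    """Return the sender and domain the worm filled into its template, or None
    when the body does not have the full auto-reply skeleton and footer."""
    head = AUTOREPLY_RE.search(body)
    foot = FOOTER_RE.search(body)
    if not (head and foot):
        return None
    return {
        "sender": head.group("sender"),
        "domain": head.group("domain"),
        "footer_domain": foot.group("domain"),
    }


# Constructed sample body in the worm's format (placeholder names).
SAMPLE_AUTOREPLY = """\
'alice' wrote:
====
> see you at 10
>
====

example.invalid account auto-reply:

If you can keep your head when all about you
Are losing theirs and blaming it on you;
... ... more look to the attachment.

> Get your FREE example.invalidnow! <
"""

if __name__ == "__main__":
    print(lovgate_autoreply(SAMPLE_AUTOREPLY))
    for name in ("Me_nude.AVI.pif", "SETUP.EXE", "report.pdf"):
        print(name, deceptive_extension(name))
```

The extension heuristic is intentionally narrow: SETUP.EXE is an executable but not a deceptive name, so it returns False; a gateway policy that blocks all executable attachments outright is the stronger control, and this check only explains why a given name looks like a lure.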

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.lovgate.r@mm.html


W32.Bugbear.E@mm
Discovered April 05, 2004

Systems Affected: All Windows32 Systems

W32.Bugbear.E@mm is a variant of W32.Bugbear@mm, which spreads as an email attachment and steals information from the infected computer.

The malformed email from the worm uses a vulnerability in Internet Explorer to run a malicious program.

Uses its own SMTP engine to email itself to the email addresses that it collected. The email will have the following characteristics:

From: The "From" address will either be spoofed from the collected email addresses, or it will be created from a list of words that the worm carries. This list has over 1,900 entries. A copy of the list, in comma-delimited format, is in the Additional Information section of the full Symantec report linked below.

Subject: One of the following:
Hello!
update
hmm..
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Stats
Please Help...
Report
Membership Confirmation
[Fwd: look] ;-)
Today Only
New Contests
Lost & Found
bad news
wow!
fantastic
click on this!
Market Update Report
empty account
My eBay ads
Cows
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
News
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
Re:
good news!
Your News Alert
Hi!
!!! WARNING !!!


Attachment: The file name of the attachment will be randomly chosen from a file that is found on the infected computer. It will have one of these extensions:
.zip
.htm

Locates personal information and sends it to the attacker. This information can include:
Cookies
Clipboard
Key logging data
Text from open windows.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.bugbear.e@mm.html


W32.Netsky.T@mm
Discovered April 06, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.T@mm is a mass-mailing worm and a variant of W32.Netsky.S@mm. This worm also contains backdoor functionality and may perform a Denial of Service (DoS) attack against specified Web sites.

The email has a variable subject line and attachment name. The attachment will have a .pif file extension.

Payload Trigger: If the computer date is between April 13, 2004 and April 23, 2004.
Payload: Performs DoS attack against various Web sites.
Large scale e-mailing: Sends to all email addresses collected by parsing specific files on an infected computer.
Compromises security settings: Allows unauthorized remote access.

If the system date is not April 2004, or if it is and the day is less than 14 or greater than 16, the worm will attempt to use its own SMTP engine to send itself to all the email addresses that it finds.

Note: If the worm finds the email address "someone@hostname.com," it will attempt to use the server, "hostname.com," as the SMTP server.

The email has the following characteristics:

From: <Spoofed>

Subject: (one of the following)

Hello!
Hi!
Re: Important
Important
Re: My details
My details
Re: Your information
Your information
Re: Your details
Your details
Re: Your document
Your document
Re: Request
Request
Re: Thanks you!
Thank you!
Re: Approved
Approved
Re: Hello
Re: Hi
Hello
Approved file
List
Corrected document
Archive
Abuse list
Presentation document
Instructions
Details
Improved document
Note
Message
Contact list
Number list
File
Secound document
Improved file
User list
Textfile
New document
Text
Information
Info
Word document
Excel document
Powerpoint document
Detailed document
Homepage
Letter
Mail
Document
Old document
Approved document
Movie document
Picture document
Summary
Description
Requested document
Notice
Bill
Answer
Release
Final version
Diggest
Important document
Order
Photo document
Personal message
Phone number
E-mail
Icq number
Report
Story
Concept
Developement
Sample
Postcard
Account


Attachments:

<Random.name>[%i].pif
(where [%i] may be a random number)

<Random.name> is one of the following strings:

approved_file
list
corrected_document
archive
abuse_list
presentation_document
instructions
details
improved_document
note
message
contact_list
number_list
file
secound_document
improved_file
user_list
textfile
new_document
text
information
info
word_document
excel_document
powerpoint_document
detailed_document
homepage
letter
mail
document
old_document
approved_document
movie_document
picture_document
summary
description
requested_document
notice
bill
answer
release
final_version
diggest
important_document
order
photo_document
personal_message
phone_number
e-mail
icq_number
report
story
concept
developement
sample
postcard
account


Body:

The first part is one of the following:

Hi!
Hello!

The second part is one of the following:


Note that I have attached your document.
My %s.
The %s.
I have spent much time for the %s.
I have spent much time for your document.
Your %s.
Please notice the attached %s.
Please notice the attached document.
Please read quickly.
For more details see the attached document.
For more information see the attached document.
Approved, here is the document.
I have found the %s.
My %s is attached.
Your %s is attached.
Please, %s.
Your file is attached to this mail.
Please read the attached document.
Please have a look at the attached document.
See the document for details.
Here is the document.
The requested %s is attached!
I have sent the %s.
Please see the %s.
The %s is attached.
Here is the %s.
Please have a look at the %s.
Please read the %s.

Note: %s is the attachment name. For example, if the attachment is sample.pif, the message could be:

Please have a look at the samples.

The third part is one of the following:

Yours sincerely
Thank you
Thanks
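The Netsky.S and Netsky.T mails described above share one template: a subject from a fixed list, an attachment named <Random.name>[%i].pif, a body sentence whose %s is the attachment stem, and (in Netsky.S) a forged "+++ X-Attachment-Status: no virus found" trailer that imitates a gateway scan result. Scoring those features together is how a mail filter can recognise the whole family rather than one variant. The classifier below is an added example written for this page, not code from Symantec or from the original site; the subject and stem lists are subsets, and both sample messages are constructed with placeholder addresses.

```python
import re
from email import message_from_string
from email.message import Message

# Subsets of the subject and <Random.name> lists given in the report.
NETSKY_SUBJECTS = {
    "hello!", "hi!", "re: important", "re: my details", "re: your document",
    "your document", "approved file", "corrected document", "important document",
}
NETSKY_STEMS = {
    "approved_file", "list", "corrected_document", "archive", "abuse_list",
    "instructions", "details", "improved_document", "note", "message",
    "document", "important_document", "report", "sample", "account",
}

# <Random.name>[%i].pif: a stem, an optional number, then .pif
ATTACHMENT_RE = re.compile(r"^([a-z_\-]+)(\d*)\.pif$", re.IGNORECASE)

# Forged scan result appended as the fourth body part (Netsky.S).
FAKE_SCAN_RE = re.compile(r"^\+\+\+ X-Attachment-Status: no virus found",
                          re.MULTILINE)


def plain_text_body(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def netsky_indicators(raw_mail: str) -> list:
    """Return the Netsky.S/T lure features found in one RFC 2822 message."""
    msg = message_from_string(raw_mail)
    body = plain_text_body(msg)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in NETSKY_SUBJECTS:
        reasons.append(f"subject {subject!r} is on the Netsky lure list")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        m = ATTACHMENT_RE.match(name)
        if m and m.group(1).lower() in NETSKY_STEMS:
            reasons.append(f"attachment {name!r} matches <Random.name>[%i].pif")
            # The second body part is a template whose %s is the stem.
            if re.search(r"\b" + re.escape(m.group(1)) + r"\b", body, re.IGNORECASE):
                reasons.append("body text names the attachment stem (%s template)")
    if FAKE_SCAN_RE.search(body):
        reasons.append("body carries a forged 'no virus found' scan trailer")
    return reasons


# Constructed sample in the worm's format; the attachment is a dummy blob.
SAMPLE_NETSKY_MAIL = """\
From: someone@example.invalid
To: victim@example.invalid
Subject: Re: Your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hello!
Please have a look at the document.
Yours sincerely
+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new Panda OnlineAntiVirus
+++ Website: www.pandasoftware.com

--b1
Content-Type: application/octet-stream; name="document23.pif"
Content-Disposition: attachment; filename="document23.pif"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""

CLEAN_MAIL = """\
From: colleague@example.invalid
To: victim@example.invalid
Subject: Agenda for Monday
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Nothing attached; the agenda is on the wiki.
"""

if __name__ == "__main__":
    print(netsky_indicators(SAMPLE_NETSKY_MAIL))
    print(netsky_indicators(CLEAN_MAIL))
```

A single hit (a subject such as "Hello!") is too weak to act on; a .pif attachment whose stem is echoed in the body, with or without the forged trailer, is the combination worth quarantining. The trailer also shows why a gateway should strip or ignore any "scanned clean" text inside a message body: only the gateway's own headers are trustworthy.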

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.t@mm.html


W32.Bugbear.C@mm
Discovered April 05, 2004

Systems Affected: All Windows32 Systems

W32.Bugbear.C@mm is a variant of W32.Bugbear@mm, which spreads as an email attachment and steals information from an infected computer.

The malformed email from the worm uses the Microsoft Internet Explorer Unspecified CHM File Processing Arbitrary Code Execution Vulnerability (CAN-2004-0380) in Internet Explorer to run a malicious program. No patch is currently available for this vulnerability.

Large scale e-mailing: Emails itself as an attachment using its own SMTP engine.
Releases confidential info: May send confidential information to the hacker.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.bugbear.c@mm.html


W32.Gaobot.WO
Discovered April 06, 2004

Systems Affected: All Windows32 Systems

W32.Gaobot.WO is a variant of W32.Gaobot.gen. It attempts to spread through network shares that have weak passwords. It also allows attackers to access an infected computer through a predetermined IRC channel.

The worm uses multiple vulnerabilities to spread, including:


The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445.
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445.

Compromises security settings: Terminates processes associated with security software. Allows unauthorized remote access.
Shared drives: Attempts to copy itself to admin$, ipc$, c$, d$ and e$
Target of infection: Utilizes a range of exploits to propagate.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.gaobot.wo.html


W32.Netsky.U@mm
Discovered April 07, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.U@mm is a mass-mailing worm and a variant of W32.Netsky.S@mm. This worm also contains backdoor functionality and may perform a Denial of Service (DoS) attack against predetermined Web sites.

The Subject and Attachment name will vary. The attachment will have a .pif file extension.

Payload: Performs DoS attack against various Web sites during April 14, 2004 to April 23, 2004.
Large scale e-mailing: Sends to all email addresses collected by parsing specific files on an infected computer.

Uses its own SMTP engine to send itself to all the email addresses that it finds.

From: <Spoofed>

Subject: (One of the following)

Re: Hi
Re: Hello
Hi
Hello
Hey
It's me
Again
Reply

Message: (One of the following)

Oh, I got it!
To less characters! Take it easy...
I noticed your password for administrative purpuses.
Yet another password! Need a better one?
Oh... your password!
Need a better password? my advice....
Your pwd is critical, too short, to low!
Do not use personal information for your password!
Your password on a website?
Passwordlist? yours?
I needed only 2 hours to get your password.
Change your password! I have stolen some text, excuse me!
Dictionary attacks are good. Your password not!
I used the brute-force method to get your password..
Take it easy... Your password is too short.
I've got your password! take it easy...
Hey, easy passwords!
Oh! Excuse me, your password is too easy!!!
Not with me!
Here is a sample of your private documents I have stolen!
Your privacy! lol, youre not protected!
Needed? No, here I give it back!
I believe from the document you are a child!
Check your document, errors are there!
Please, please, Give me another sexy document about you!
Short and good, your document!
Jooooooooo.... document? Yours????? Wehaaa!
I do not accept documents from bad guys!
I do not want your document!
Go to hell an burn with your bad document!
I will send your list to the police!!!!
Hello, here.
It's the truth, your document not!!!
Could I have more texts about you?
Thus is enough. Stop sending your Sh*tty documents!!!
One, two three, more, I have many questions to you document!'
Nice, nice, more and more? do you?
Should I believe it? No, however, your story is bad.
Oh.....puh, your story is very strong!
Yours is very nice!
Do you have more of that?
Hey ya, nice document. Do you have more?
Abou you?
Sexy pic abou you?
Do you have a digicam to make your private photos?
More naked...your body is sexy!
Naked, you?
Are you naked?
More private photos of you? no!
Private photos...mmmhh. I like it. Post me more please!
Hey, naked one!
Hey, have you ever seen your photo?
Eat my Sh*t! Your photo is bad.
Do not distribute your naked photos!
Uhaaa! naked... are you cranky?
Your are naked? Tell me more...please!
Hey, private or private..naked?
Pah!...take your private photo, naked and so, and go away.
I have sent your private photo to the police.
What is when I show your private illegal photo the police?
You? Very funny! More available?
I don't want to see your photo!
Sh*t... your photo! naked?

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.u@mm.html


W32.Tunk.A
Discovered April 06, 2004

Systems Affected: All Windows32 Systems

W32.Tunk.A is a file-prepending virus. From May 2004 onward, infected systems may fail to restart.
Payload Trigger: File deletion occurs from May 2004 onward.
Deletes files: Deletes critical system files.
Modifies files: Prepends itself to files.
Causes system instability: May prevent the system from restarting.

The email will have the following characteristics:

Subject: MyFriend,How are you?
Message body: Please See The Attachment (Important)!
Attachment: <The file infected with W32.Tunk.A>

If the month is May 2004 or later, W32.Tunk.A will display a message, and then attempt to delete these files:
C:\io.sys
C:\msdos.sys
C:\Command.com
C:\Ntdetect.com

On Windows 95/98/Me, the virus forces an immediate restart.
On Windows 2000/XP/2003, the virus logs off the current user.

These files are critical to the system; without them, Windows will not start the next time the computer restarts.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.tunk.a.html


W32.Gaobot.YN
Discovered April 08, 2004

Systems Affected: All Windows32 Systems

W32.Gaobot.YN is a variant of W32.HLLW.Gaobot.gen that attempts to spread to network shares and allows access to an infected computer through an IRC channel.

The worm uses multiple vulnerabilities to spread, including:

The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001), using TCP port 445
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007), using TCP port 80

Releases confidential info: Allows unauthorized remote access. Steals CD keys of several popular computer games.
Compromises security settings: Ends processes belonging to antivirus and firewall software.

Allows an attacker to remotely control a compromised computer and perform any of the following actions:

Manage the installation of the worm
Dynamically update the installed worm
Download and execute files
Steal system information
Send the worm to other IRC users
Add new accounts

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.gaobot.yn.html


W32.Gaobot.ZX
Discovered April 12, 2004

Systems Affected: All Windows32 Systems

W32.Gaobot.ZX is a minor variant of W32.Gaobot.SY. This worm attempts to spread through network shares with weak passwords, and it also allows attackers to access an infected computer using a predetermined IRC channel.

The worm uses multiple vulnerabilities to spread, including:

The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 80. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
The Microsoft Messenger Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-043).
The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445. The worm specifically targets Windows 2000 machines using this exploit.
The UPnP vulnerability (described in Microsoft Security Bulletin MS01-059).
The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061), using UDP port 1434.
Sending itself to the backdoor ports, which the Beagle and Mydoom families of worms open.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.gaobot.zx.html


W32.Netsky.V@mm
Discovered April 14, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.V@mm is a mass-mailing worm that sends itself to email addresses it gathers from certain files on the system. This variant does not send an attachment with its email messages, but instead sends a link to the compromised computer in its attempt to download and run the worm's executable.

W32.Netsky.V@mm relies on several exploits to replicate successfully (see the Technical Details section below).

The From line of the email is spoofed, and its Subject line and message body vary.

If the system date is April 22nd, 2004 through April 28th, 2004 it will attempt to perform a Denial of Service (DoS) attack against the following sites:

www.keygen.us
www.freemule.net
www.kazaa.com
www.emule.de
www.cracks.am

The email has the following characteristics:

Subject: randomly selected from the following list:

Gateway Status failure
Server Status failure
Mail delivery failed
Mail Delivery Sytem failure

Body: randomly selected from the following list:

The processing of this message can take a few minutes...
Converting message. Please wait...
Please wait while loading failed message...
Please wait while converting the message...

The From: field of the message may be spoofed using the following email address:

dimitrihji@yahoo.com

Step 1. W32.Netsky.V@mm constructs the message body using the Microsoft Internet Explorer XML Page Object Type Validation Vulnerability (CAN-2003-0809 / Microsoft Security Bulletin MS03-040). Successful exploitation of this vulnerability could allow a malicious object to be trusted and as such be installed and executed on the local system. The composed email body contains the object that points to the following source:

data=http://%INFECTED_COMPUTER_IP%:5557/index.html

Step 2. As a result, the victim computer requests the index.html page from the HTTP server that the worm has installed on the infected computer, listening on port 5557.

Step 3. Once the HTTP server accepts the incoming connection, it serves a forged HTML page that exploits the Microsoft IE5 ActiveX "Object for constructing type libraries for scriptlets" Vulnerability (CVE-1999-0668 / Microsoft Security Bulletin MS99-032).

Step 4. The code contained in the viral index.html file runs ftp.exe to connect to the FTP server listening on port 5556 on the infected computer and retrieve the worm executable.

Step 5. The worm executable will be retrieved and executed locally.
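As an added defender-side example (not part of the Symantec write-up), the following Python filter inspects an HTML mail body for <object> elements whose data= attribute points at a raw IP address on a non-standard port, which is the shape of the object described in step 1. The sample bodies are constructed; 192.0.2.10 is a documentation-range placeholder for %INFECTED_COMPUTER_IP%.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Ports the write-up attributes to the worm: its HTTP server on 5557 and its
# FTP server on 5556, both running on the infected computer itself.
NETSKY_V_PORTS = {5556, 5557}
STANDARD_WEB_PORTS = {80, 443}


class _ObjectDataCollector(HTMLParser):
    """Collects the data= attribute of every <object> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag != "object":
            return
        for attr_name, value in attrs:
            if attr_name == "data" and value:
                self.targets.append(value.strip())


def _is_raw_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_object_target(url):
    """Return a ';'-joined string of reasons the URL matches the Netsky.V
    delivery pattern, or None if the target looks ordinary."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return "unparseable port in object data URL"
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return None
    if port is None:
        port = 443 if scheme == "https" else 80
    reasons = []
    if _is_raw_ip(parts.hostname or ""):
        reasons.append("host is a raw IP address")
    if port not in STANDARD_WEB_PORTS:
        reasons.append("non-standard port %d" % port)
    if port in NETSKY_V_PORTS:
        reasons.append("port used by W32.Netsky.V@mm")
    return "; ".join(reasons) or None


def scan_html_body(body):
    """Return [(url, reason), ...] for every <object> whose data= target
    matches the pattern from step 1 of the infection chain."""
    collector = _ObjectDataCollector()
    collector.feed(body)
    collector.close()
    findings = []
    for url in collector.targets:
        reason = classify_object_target(url)
        if reason:
            findings.append((url, reason))
    return findings


# Constructed sample bodies (not captured worm traffic). The first uses the
# unquoted attribute form shown in the write-up; the second is an ordinary
# embedded object on a normal host and port.
SUSPICIOUS_BODY = """<html><body>
<p>Your message is being converted.</p>
<object data=http://192.0.2.10:5557/index.html type="text/html"></object>
</body></html>"""

BENIGN_BODY = """<html><body>
<p>Quarterly report attached.</p>
<object data="https://www.example.com/chart.svg" type="image/svg+xml"></object>
</body></html>"""


if __name__ == "__main__":
    print(scan_html_body(SUSPICIOUS_BODY))
    print(scan_html_body(BENIGN_BODY))
```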

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.v@mm.html


W32.Gaobot.AAY
Discovered April 15, 2004

Systems Affected: All Windows32 Systems

W32.Gaobot.AAY is a minor variant of W32.Gaobot.SY. This worm attempts to spread through network shares with weak passwords. It also allows attackers to access an infected computer using a predetermined IRC channel.

The worm uses multiple vulnerabilities to spread, including:

• The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
• The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
• The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
• The Microsoft Messenger Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-043).
• The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445. The worm specifically targets Windows 2000 machines using this exploit.
• The UPnP vulnerability (described in Microsoft Security Bulletin MS01-059).
• The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061), using UDP port 1434.
• Sending itself to the backdoor ports that the Beagle and Mydoom families of worms open.

Releases confidential info: Steals CD-keys from a large number of games.
Compromises security settings: Gives the creator backdoor access to the system via IRC.
Shared drives: Will attempt to copy itself to systems with weak passwords.
Target of infection: Uses two different vulnerabilities in an attempt to spread.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.gaobot.aay.html


W32.Mydoom.I@mm
Discovered April 15, 2004

Systems Affected: All Windows32 Systems

W32.Mydoom.I@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. It is similar in functionality to W32.Mydoom.A@mm.

Large scale e-mailing: Sends itself to email addresses found in files with certain extensions.
Name of attachment: Varies with an extension of .pif, .scr, .exe, .cmd, .bat, or .zip.
Size of attachment: Executable is 44544 bytes; zip file size varies.

Attempts to send email messages using its own SMTP engine. The email has the following characteristics:

From: The "From" address may be spoofed.

Subject: The subject will be one of the following:
<blank>
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message: The message will be one of the following:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
test

Attachment: The attachment file name, not including the extension, will be one of the following:
body
data
doc
document
file
message
readme
test
text

The attached file may have either one or two file extensions. If it does have two, the first extension will be one of the following:
.htm
.txt
.doc

The second extension, or the only extension if there is only one, will be one of the following:
.pif
.scr
.exe
.cmd
.bat
.zip (This is an actual .zip file that contains a copy of the worm.)

There may be spaces between the extensions, for example:
"test.doc .exe".

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.mydoom.i@mm.html


W32.Netsky.W@mm
Discovered April 16, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.W@mm is a minor variant of W32.Netsky.N@mm. This variant is also a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives.

The "sender" of the email is spoofed, and its subject, message body, and attachment vary. The attachment has an .exe, .pif, or .scr extension. The worm may also send a zipped copy of itself as the attachment.

The email has the following characteristics:

From: <Spoofed>

Subject: The subject line is composed of multiple parts.

The first part is one of the following:

Re:
Re: Re:
[blank]

The second part is one of the following:

read it immediately
important
improved
patched
corrected
approved
thanks!
hello
hi
here

The second part may also be one of the following,

important
approved
my
your
[blank]

followed by

document_all
text
message
data
excel document
word document
bill
screensaver
application
website
product
letter
information
details
file
document

Message: The message is one of the following:

Authentication required.
I have attached your document.
I have received your document. The corrected document is attached.
Please confirm the document.
Please read the attached file.
Please read the document.
Please read the important document.
Please see the attached file for details.
Requested file.
See the file.
Your details.
Your document is attached to this mail.
Your document is attached.
Your document.
Your file is attached.

Followed by:
--------------------------------------------
(attachment_name) : No virus found
Powered by the new Norton OnlineScan
Get protected: www.symantec.com

Attachment: The attachment is one of the following with a .zip, .pif, .exe, or .scr extension:

documentall%s
text%s
message%s
data%s
excel document%s
word document%s
bill%s
screensaver%s
application%s
website%s
product%s
letter%s
information%s
details%s
file%s
document%s

where %s is either blank or "_" followed by the portion of the "To" address before the "@".

The worm may also send a .gif as the second attachment.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.w@mm.html


W32.Erkez.A@mm
Discovered April 19, 2004

Systems Affected: All Windows32 Systems

W32.Erkez.A@mm is a mass-mailing worm that sends itself to the email addresses found on an infected computer.

If the computer's date is May 1, 2004, it will display the following Hungarian text:

Emberek! Magyarok szazezrei, millioi elnek naprol - napra, halnak ehen - szomjan,
s szegenysegben hazankban! Mikozben jonehany felso parlamenti gazember
millios vagyonokra tesz szert, mitsem torodve velunk.
Latszat emberek iranyitanak, kik emelik fizetesunk, s ketszer annyi adot vonnak le,
kik igazsagszolgaltatasrol regelnek, mikor a bunozoket es a novekvo agressziot vedik
torvenyeikkel, kik inkabb Forma1-re pocsekoljak a penzt, mialatt hajlektalanok
halnak meg naponta utcainkon, s korhazi betegek szenvednek szukseges muszerek nelkul.
Hogy - hogy nem latja ezt senki ???? Miert nincs egy igaz magyar, ki vegre
mar nem sajat erdekeit, hanem az orszag sulyos problemait helyezne eloterbe!!!
Nem eleg akarni, s beszelni, meg szonoklatni a szepet,s jot,
tenni-tenni-tenni kell, egyarant mindenkinek - mindenkiert!
== HAZAFI == /Pecs,2004, (SNAF Team)/

Sends an email that has the following characteristics:

From: (One of the following)

<spoofed>

kepeslapok@meglep.hu

Subject: kepeslap erkezett!

Message:
Tisztelt felhasznál?
Önnek kópeslapja órkezett!
A kópeslap feladója: A lapot az alábbi cimen tudja megtekinteni:
http//matav.hu/viewcard/index=psp4uo5683535GSb0123fhhf578840f0623cv2
vagy a mellókelt internetlink kattintásával.
Üdvözlettel: Matav e-card!
http//www.netezz.matav.hu/

Attachment: link.matav.hu.viewcard.index42ADR4502HHJeTYWYJDF334GSDEv25546.com

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.erkez.a@mm.html


W32.Netsky.X@mm
Discovered April 20, 2004

Systems Affected: All Windows32 Systems

As of April 20, 2004, due to an increased rate of submissions, Symantec Security Response has upgraded W32.Netsky.X@mm to a Category 3 level threat from a Category 2 threat.

W32.Netsky.X@mm is a variant of W32.Netsky.W@mm that scans for email addresses on all non-CD-ROM drives on the infected computer. Then, the worm uses its own SMTP engine to send itself to the email addresses that it finds.

The From line of the email is spoofed, and its Subject, Message, and Attachment vary. The attachment has a .pif extension.

Large scale e-mailing: Sends itself to email addresses found on the infected computer.
Compromises security settings: Allows unauthorized remote access.
Name of attachment: Varies with a .pif file extension.

Uses its own SMTP engine to send itself to hukanmikloiuo@yahoo.com, and all the email addresses that it finds.

The worm checks the top-level domain of the email addresses. The worm may use a Subject, Message, and Attachment written in the language of the country's top-level domain.

For example, if the email address is someone@hostname.it, it will send the following email message in Italian:

Subject: Re: documento
Message: Legga prego il documento.
Attachment: documento.pif

The other top-level-domain-dependent Subjects, Messages, and Attachments are as follows:

If the top-level domain is .de:
Subject: Re: dokument
Message: Bitte lesen Sie das Dokument.
Attachment: dokument.pif


If the top-level domain is .fr:
Subject: Re: document
Message: Veuillez lire le document.
Attachment: document.pif


If the top-level domain is .it:
Subject: Re: documento
Message: Legga prego il documento.
Attachment: documento.pif


If the top-level domain is .pt:
Subject: Re: original
Message: Leia por favor o original.
Attachment: original.pif


If the top-level domain is .no:
Subject: Re: dokumentet
Message: Behage lese dokumentet.
Attachment: dokumentet.pif


If the top-level domain is .pl:
Subject: Re: udokumentowac
Message: Podobac sie przeczytac ten udokumentowac.
Attachment: udokumentowac.pif


If the top-level domain is .fi:
Subject: Re: dokumentoida
Message: Haluta kuulua dokumentoida.
Attachment: dokumentoida.pif


If the top-level domain is .se:
Subject: Re: dokumenten
Message: Behaga lõsa dokumenten.
Attachment: dokumenten.pif


If the top-level domain is .tc:
Subject: Re: belge
Message: mutlu etmek okumak belgili tanimlik belge.
Attachment: belge.pif


Otherwise the worm uses the following characteristics:
Subject: Re: document
Message: Please read the document.
Attachment: document.pif

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.x@mm.html


W32.Netsky.Y@mm
Discovered April 20, 2004

Systems Affected: All Windows32 Systems

Due to an increased rate of submissions, Symantec Security Response has upgraded this threat from a Category 2 to a Category 3 as of April 20, 2004.

W32.Netsky.Y@mm is a variant of W32.Netsky.X@mm that scans for the email addresses on all non-CD-ROM drives on an infected computer. Then, the worm uses its own SMTP engine to send itself to the email addresses that it finds.

The format of the email is:

Subject: Delivery failure notice (ID-<random number>)
Attachment: www.<random domain name>.<random username>.session-<random number>.com

Large scale e-mailing: Sends itself to email addresses found on an infected computer.
Compromises security settings: Opens a backdoor on port 82.
Subject of email: Delivery failure notice (ID-########)
Name of attachment: www.<random domain name>.<random username>.session-########.com
Ports: Listens on TCP port 82.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.y@mm.html


W32.Opasa@mm
Discovered April 20, 2004

Systems Affected: All Windows32 Systems

W32.Opasa@mm is a mass-mailing worm that sends itself by email to addresses it finds on the local system. The worm also terminates processes and services belonging to various security programs, among others, and attempts to connect to various IRC servers to await additional commands from the attacker. The email has a variable subject and a .zip file attachment.

Compromises security settings: Allows unauthorized remote access.
Shared drives: Attempts to spread via numerous peer-to-peer filesharing networks.

The message is also reported to have the following properties:

Subject: A randomly chosen combination of the following items: [First][Second][Third][Fourth][Fifth]

[First]:
Re:
Re[2]:
[Second]:
your
important
very important
[Third]:
request
file
document
bill
payment options
payment details
details
account details
info
information
[Fourth]:
successfully
[Fifth]:
changed
corrected
modified


For example, a possible complete subject line is "Re:your account details successfully changed".

HTML Message body: A randomly chosen combination of the following 15 items:

[First]:
hi!
hello!
hi there!
hello there!
[Second]:
this important
very important
[Third]:
text
word
excel
ms word
ms excel
microsoft word
microsoft excel
html
[Fourth]:
file
document
message
files
documents
messages
[Fifth]:
cannot be
could not be
couldn't be
[Sixth]:
represented
delivered
interpreted
[Seventh]:
as
[Eighth]:
plain
simple
pure
[Ninth]:
text
message
[Tenth]:
and
and that's why
and thats why
[Eleventh]:
i have sent
i've sent
we have sent
we've sent
our administrator has sent
my network administrator has sent
[Twelfth]:
it
this file
this document
this message
[Thirteenth]:
as
[Fourteenth]:
binary
archived
compressed
[Fifteenth]:
file!
attachment!
message!

For example, a possible complete message body is as follows:

"hi there!
this important html messages cannot be represented as plain text and that's why i have sent it as compressed attachment! "

Attachment: an HTML file with a random file name, or a Zip archive containing the HTML file.

Notes: If the worm finds WinZIP, it will use it to compress the html file.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.opasa@mm.html


W32.Mydoom.J@mm
Discovered April 20, 2004

Systems Affected: All Windows32 Systems

W32.Mydoom.J@mm is a mass-mailing worm that arrives as an attachment with a .pif, .scr, .exe, .cmd, .bat, or .zip extension. The worm also contains keylogging capabilities.

Unlike previous Mydoom variants, W32.Mydoom.J@mm does not appear to act as a backdoor. Otherwise it is similar in functionality to W32.Mydoom.A@mm.

Large scale e-mailing: Sends itself to email addresses found in files with certain extensions.

Attempts to send email messages using its own SMTP engine.

The email has the following characteristics:

From: (May be spoofed)

Subject: (One of the following)
<blank>
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Body: (One of the following)
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
test
<blank>

Attachment: (One of the following)
body
data
doc
document
file
message
readme
test
text

with one of the following file extensions:

.exe
.scr
.pif
.cmd
.bat
.com
.zip

or a double extension, such as:

[htm, txt, or doc][spaces].[exe, scr, or pif]

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.mydoom.j@mm.html


W32.Blaster.T.Worm
Discovered April 21, 2004

Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows XP

W32.Blaster.T.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm targets only Windows 2000 and Windows XP computers.

While Windows NT and Windows 2003 servers are vulnerable to the exploit if they are not properly patched, the worm is not coded to replicate to those systems.

W32.Blaster.T.Worm does not have a mass-mailing functionality.

For additional information, read the Microsoft article, "What You Should Know About the Blaster Worm and Its Variants."

We recommend that you block access to TCP port 4444 at the firewall level. Also block the following ports if you do not use either DCOM RPC or TFTP:

Block TCP Port 135 if you do not use DCOM RPC.
Block UDP Port 69 if you do not use TFTP.

The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (windowsupdate.com). This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.blaster.t.worm.html


W32.Netsky.Z@mm
Discovered April 21, 2004

Systems Affected: All Windows32 Systems

The W32.Netsky.Z@mm worm is a Netsky variant that scans for the email addresses on all non-CD-ROM drives on an infected computer. Then, the worm uses its own SMTP engine to send itself to the email addresses that it finds.

The From line of the email is spoofed, and its Subject, Message, and Attachment vary. The attachment has a .zip extension.

If the date of the system clock is between May 2, 2004 and May 5, 2004, the worm will attempt to perform a Denial of Service (DoS) attack against the following Web sites:

www.nibis.de
www.medinfo.ufl.edu
www.educa.ch

Uses its own SMTP engine to send itself to jamainlbbbsdef@yahoo.com, as well as all the email addresses that it finds.

The email has the following characteristics:

Subject: (one of the following)

Hello
Hi
Important
Important bill!
Important data!
Important details!
Important document!
Important informations!
Important notice!
Important textfile!
Important!
Information

From: (spoofed)

Attachment: (zip file with one of the following file names)

Bill.zip
Data.zip
Details.zip
Important.zip
Informations.zip
Notice.zip
Part-2.zip
Textfile.zip

The executable inside the zip file has one of the following file names:

Bill.txt (many spaces) .exe
Data.txt (many spaces) .exe
Details.txt (many spaces) .exe
Important.txt (many spaces) .exe
Informations.txt (many spaces) .exe
Notice.txt (many spaces) .exe
Part-2.txt (many spaces) .exe
Textfile.txt (many spaces) .exe
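An added example (not from the Symantec write-ups) that checks attachment names for the double-extension trick described for W32.Mydoom.I@mm ("test.doc .exe"), W32.Mydoom.J@mm ("[htm, txt, or doc][spaces].[exe, scr, or pif]") and W32.Netsky.Z@mm ("Bill.txt (many spaces) .exe" inside Bill.zip), and that applies the same check to every member of a .zip attachment. The sample archive is constructed here from inert text members; the extension sets come from the lists on this page.

```python
import io
import re
import zipfile

# Final extensions the write-ups list for the worm executables
# (W32.Mydoom.I@mm, W32.Mydoom.J@mm, W32.Netsky.Z@mm).
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".cmd", ".bat", ".com", ".cpl"}

# Document-looking extensions the worms place first in a double-extension name.
DECOY_EXTENSIONS = {".htm", ".txt", ".doc"}

_LAST_EXT = re.compile(r"\.([A-Za-z0-9]+)$")
# A decoy extension followed only by whitespace, e.g. "Bill.txt          "
_PADDED_DECOY = re.compile(r"(\.[A-Za-z0-9]+)(\s+)$")


def analyze_attachment_name(name):
    """Return the reasons a filename matches the double-extension pattern.

    An empty list means the name shows none of the described traits.
    """
    reasons = []
    trimmed = name.rstrip()
    match = _LAST_EXT.search(trimmed)
    if not match:
        return reasons
    final_ext = "." + match.group(1).lower()
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension %s" % final_ext)

    before_final = trimmed[:match.start()]
    padded = _PADDED_DECOY.search(before_final)
    if padded:
        # Spaces push the real extension out of a narrow filename column.
        decoy = padded.group(1).lower()
        reasons.append("%d whitespace character(s) separate %s from %s"
                       % (len(padded.group(2)), decoy, final_ext))
        if decoy in DECOY_EXTENSIONS:
            reasons.append("decoy document extension %s" % decoy)
    else:
        inner = _LAST_EXT.search(before_final)
        if inner:
            inner_ext = "." + inner.group(1).lower()
            if inner_ext in DECOY_EXTENSIONS:
                reasons.append("double extension %s%s" % (inner_ext, final_ext))
    return reasons


def analyze_zip_attachment(data):
    """Inspect every member name of a .zip attachment and return
    {member_name: reasons} for the members that match. Netsky.Z ships its
    padded-name executable inside the archive, so the outer .zip name alone
    tells a filter nothing."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = analyze_attachment_name(info.filename)
            if reasons:
                flagged[info.filename] = reasons
    return flagged


# Constructed sample: an archive shaped like the Netsky.Z attachment but
# holding only inert text, so the check can be exercised offline.
SAMPLE_MEMBER_NAME = "Bill.txt" + " " * 40 + ".exe"


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("readme.txt", "harmless text member")
        archive.writestr(SAMPLE_MEMBER_NAME, "inert placeholder, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in ("test.doc .exe", "document.htm.pif", "report.pdf"):
        print(repr(sample), "->", analyze_attachment_name(sample))
    print(analyze_zip_attachment(build_sample_zip()))
```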

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.z@mm.html


W32.Gaobot.ADN
Discovered April 21, 2004

Systems Affected: Windows 2000, Windows Me, Windows NT, Windows Server 2003, Windows XP

W32.Gaobot.ADN is a minor variant of W32.Gaobot.SY. This worm attempts to spread through network shares that have weak passwords and allows attackers to access an infected computer using a predetermined IRC channel.

The worm uses multiple vulnerabilities to spread, including:

The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
The Microsoft Messenger Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-043).
The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445. The worm specifically targets Windows 2000 computers with this exploit.
The UPnP vulnerability (described in Microsoft Security Bulletin MS01-059).
The vulnerabilities in Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
Sending itself to the backdoor port that the Beagle family of worms opens.
Sending itself to the backdoor port that the Mydoom family of worms opens.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.gaobot.adn.html


W32.Gaobot.ADV
Discovered April 22, 2004

Systems Affected: Windows 2000, Windows Me, Windows NT, Windows Server 2003, Windows XP

W32.Gaobot.ADV is a minor variant of W32.Gaobot.SY. This worm attempts to spread through network shares that have weak passwords and allows attackers to access an infected computer using a predetermined IRC channel.

The worm uses multiple vulnerabilities to spread, including:

The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
The Microsoft Messenger Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-043).
The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445. The worm specifically targets Windows 2000 computers with this exploit.
The UPnP vulnerability (described in Microsoft Security Bulletin MS01-059).
The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
Sending itself to the backdoor ports that the Beagle and Mydoom families of worms open.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.gaobot.adv.html


W32.Gaobot.ADW
Discovered April 23, 2004

Systems Affected: All Windows32 Systems

W32.Gaobot.ADW is a worm that attempts to spread through network shares that have weak passwords and allows attackers to access an infected computer using a predetermined IRC channel.

The worm uses multiple vulnerabilities to spread, including:

The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.gaobot.adw.html


W32.Gaobot.ADX
Discovered April 24, 2004

Systems Affected: All Windows32 Systems

W32.Gaobot.ADX is a worm that spreads through open network shares, several Windows vulnerabilities, and the back doors installed by the Beagle and Mydoom worms. The worm can also act as a back door server and attack other systems. Additionally, the worm attempts to kill the processes of many anti-virus and security applications.

Releases confidential info: Allows remote attacker to access any data on infected computer
Compromises security settings: Terminates processes associated with security software
Ports: TCP 30001; TCP 63000; 63001; random TCP port
Shared drives: Attempts to copy itself to shared drives

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.gaobot.adx.html


W32.Beagle.W@mm
Discovered April 26, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.W@mm is a mass-mailing worm that attempts to spread using mail and file-sharing networks. The worm also opens a backdoor on an infected computer.

The threat may be packed using UPX, and it appends random data to the end of itself, so it does not have a static MD5 value.

When the worm runs, it displays a message box with the following text:

Can't find a viewer associated with the file.

Large scale e-mailing: Emails all the addresses found in the files with certain extensions.
Compromises security settings: Opens a backdoor on the system.
Subject of email: Picked from a pre-defined list.
Name of attachment: Picked from a pre-defined list with a .com, .exe, .scr, or .zip file extension.

Sends email messages to any email addresses that were found.

The email has the following characteristics:

From: <spoofed>

The from address may contain one of the following strings:
lizie@
annie@
ann@
christina@
secretGurl@
jessie@
christy@

Subject:
The subject will be one of the following strings (where %s will be replaced with a name):

Hello!
Hey!
Let's socialize, my friend!
Let's talk, my friend!
I'm bored with this life
Notify from a known person ;-)
I like you
I just need a friend
I'm a sad girl...
Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
Re: Incoming Fax
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Request response
Site changes
Re: Hi
Encrypted document
Hello %s,
Dear %s,
Dear %s, It's me ;-)
Hi %s,
Hey %s, It's me ->
Hi<!--%s-->, It's me
%s,
Hey %s,
Hey<!--%s-->,
Hello<!--%s-->,
Hi<!--%s-->,
I Like You!
Don't you remember me?
Kewl :-)
I need a friend...
I just want to talk with someone...
I like reading the books and socializing, let me talk with you...
It's time to find a friend!
Ready to accept a new friend? :-)
Like me, odore me! ;-)

Body:
The body will be created by combining one string from each of the following three sections.

Section 1:
I study at school, I like to spend time cheerfully even if not all so well, I hompe and trust, that all bad when nibud will pass and necessarily nastanet there would be a desire.
I like to feel protected, to understand, that near to me the man, which both in sex, and in life knows what to do. It is possible to fall in love with such the man for ever.
Cometime I write a poem, play the gitar. I love a traveling, I like a romantice and I want to meet, comeday, my big love!
I am kind, fair, careful, gentle also want to create family. I love animal (cats, dogs), the literature, theatre, cinema, music, walks in park
I very much love productive leisure, to prepare for new exotic dishes, at leisure to leave with friends on the nature, to float, I like to go for a drive on mountain skiing, to visit excursions, travel. Very easy going.
I have recently got demobilize from army and also I am going to act in a higher educational institution
Searching for the right person,for real man, who will really cares and love me.
I am a honest, kind,loving,with good sense of humor...etc.,looking for true love... or maybe for pen friend.I like cats
I am looking for a serious relationship. I am NOT interested in flirt and short-term love adventure.
I love, as the good company, and I dream about romantic appointment at candles with loved. I still believe in love.
I like an active life... and interesting people..
i am honest, responsible, romantic person. iwould like to find my only love,to find my destiny.
I'm a young lady of 20 years old i'd like to find my second part!!!
I am simple girl who are looking for serious relation with responsible and confident man. I am ready to give all my love and carering for a right person who is going to love and respect me
I am a beautiful, sexual girl with very big ambitions and dreams. I can make happy anyone man...
I am a student. I'm studying international relationships. I would like to find an interesting and active man for serious relations. Sitting at home it is not for me. I like to go out to the theater, cinema, and nightclubs.
I love productive leisure, to travel, communicate with friends.
I very much love new acquaintances, I love music, meetings with friends. I go on night clubs, except for parties I sometimes visit theatres and I love cinema. In general I only shall be glad to new acquaintance and class dialogue...
I'm so bored, let me talk with you...
You are my prince :-)
You are cool :-)

Section 2:
Read the attach.
Your file is attached.
More info is in attach
See attach.
Please, have a look at the attached file.
See the attached file for details.
Message is in attach
Here is the file.
For more information see the attached file.
Attached file will tell you everything.
For details see the attach.
Attached file tells everything.
Further details are in attach.

Section 3:
Sincerely, <name>
Best wishes, <name>
Yours, <name>
Have a good day, <name>
Cheers, <name>
Kind regards, <name>

where <name> will be a name.

If the attached file is a password-protected .zip file, one of the following strings will be added to the email:
For security reasons attached file is password protected. The password is [reference to image file]
For security purposes the attached file is password protected. Password -- [reference to image file]
Note: Use password [reference to image file] to open archive.
Attached file is protected with the password for security reasons. Password is [reference to image file]
In order to read the attach you have to use the following password: [reference to image file]
Archive password: [reference to image file]
Password - [reference to image file]
Password: [reference to image file]

Attachment: (One of the following)
Information
Details
Readme
Document
Info
Details
MoreInfo
Message


with one of the following extensions:

.exe
.com
.scr
.cpl

There is a chance that the attached file will be a password-protected zip file, in which case the extension will be .zip.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.w@mm.html


W32.Traxg@mm
Discovered April 26, 2004

Systems Affected: All Windows32 Systems

W32.Traxg@mm is a mass-mailing worm that sends itself to email addresses in the Microsoft Outlook address book.

Large scale e-mailing: Sends itself using MAPI to all contacts in the Outlook address book.
Subject of email: Document
Name of attachment: Document.exe

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.traxg@mm.html


W32.Netsky.AA@mm
Discovered April 27, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.AA@mm is a variant of W32.Netsky.Z@mm that scans for email addresses on all non-CD-ROM drives on the infected computer. It uses its own SMTP engine to send itself to the email addresses that it finds.

Its Subject, Message, and Attachment vary. The attachment has a .pif extension.

The email has the following characteristics:

Subject: (one of the following)

Re: Document
Re: Approved
Re: Text
Re: Thank you!
Re: Details
Re: Photos
Re: Private
Re: Information
Re: Hi
Re: Hello
Re: Summary
Re: Step by Step
Re: Music
Re: Application
Re: Tel. Numbers
Re: List
Re: Text file
Re: Paint file
Re: Contacts
Re: e-Books
Re: Bill
Re: Error
Re: Missed
Re: Letter
Re: Product
Re: Website
Re: Movie
Re: Presentation
Re: Advice
Re: Fax number
Re: Cheaper
Re: War
Re: Demo
Re: Final
Re: Poster
Re: Patch
Re: Pricelist
Re: Job

Attachment: (one of the following)

Your_Document.pif
Your_Text.pif
Your_Document_Part3.pif
Your_Details.pif
Your_Pics.pif
Your_Private_Document.pif
Your_Information.pif
Your_Digicam_Pictures.pif
Your_Summary.pif
Your_Description.pif
Your_Music.pif
Your_Software.pif
My_Telephone_Numbers.pif
Your_List.pif
Your_Text_File.pif
Your_Paint_File.pif
Your_Contacts.pif
Your_E-Books.pif
Your_Bill.pif
Your_Error.pif
Your_Excel_Document.pif
Your_Letter.pif
Your_Product.pif
Your_Website.pif
Your_Movie.pif
Your_Presentation.pif
My_Advice.pif
My_Fax_Numbers.pif
Your_Product_List.pif
Osam_Bin_Laden_Articel_42.pif
Your_Demo.pif
Your_Final_Document.pif
Your_Poster.pif
Your_Patch.pif
Your_Pricelist.pif
Your_Job.pif

Message: (one of the following)

Your document is attached.
Here is the file.
Please view the attached file.
See the attached file for details.
Please take the attached file.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.
For furher details see the attached file.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.aa@mm.html


W32.Netsky.AB@mm
Discovered April 27, 2004

Systems Affected: All Windows32 Systems

W32.Netsky.AB@mm is a worm that scans for the email addresses on all non-CD-ROM drives on an infected computer. The worm then uses its own SMTP engine to send itself to the email addresses that it finds.

The email's Subject, Body, and attachment vary. The attachment has a .pif extension.

The email has the following characteristics:

From: [spoofed]

Subject: (One of the following)

Correction
Hurts
Privacy
Password
Wow
Criminal
Pictures
Text
Money
Stolen
Found
Numbers
Funny
Only love?
More samples
Picture
Letter
Question
Illegal


Body: (One of the following)

Please use the font arial!
How can I help you?
Still?
I've your password. Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
I've found your creditcard. Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!


Attachment: (One of the following)
corrected_doc.pif
hurts.pif
document1.pif
passwords02.pif
image034.pif
myabuselist.pif
your_picture01.pif
your_text01.pif
your_letter.pif
your_bill.pif
my_stolen_document.pif
visa_data.pif
pin_tel.pif
your_text.pif
loveletter02.pif
all_pictures.pif
your_letter_03.pif
your_picture.pif
abuses.pif

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.netsky.ab@mm.html


W32.Beagle.X@mm
Discovered April 28, 2004

Systems Affected: All Windows32 Systems

W32.Beagle.X@mm is a mass-mailing worm that attempts to spread using mail and file-sharing networks. The worm also opens a backdoor on an infected computer.

When the worm runs, it displays a message box with the following text:

Can't find a viewer associated with the file.

The worm sends email messages to any email addresses it found, using its own SMTP engine and contacting the destination server directly.
The email will have the following characteristics:

From: <spoofed>

Subject: (One of the following)

Re: Msg reply
Re: Hello
Re: Yahoo!
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Document
Incoming message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
Notification
Changes..
New changes
Hidden message
Fax Message Received
Protected message
RE: Protected message
Forum notify
Site changes
Re: Hi
Encrypted document

Body:
If the attachment is a .zip file, then the Body will contain one of the following messages:

For security reasons attached file is password protected. The password is
For security purposes the attached file is password protected. Password --
Note: Use password
Attached file is protected with the password for security reasons. Password is
In order to read the attach you have to use the following password:
Archive password:
Password
Password:

followed by a copy of the image file dropped as drvddll.exeopenopen.

If the attachment is not a .zip file, the Body will be blank.

Attachment: (One of the following)
Information
Details
text_document
Readme
Document
Info
the_message
Details
MoreInfo
Message
You_will_answer_to_me
Half_Live
Counter_strike
Loves_money
the_message
Alive_condom
Joke
Toy
Nervous_illnesses
Manufacture
You_are_dismissed
Your_complaint
Your_money
Smoke
I_search_for_you

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.beagle.x@mm.html
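The Netsky.AB and Beagle.X entries above describe the same delivery pattern: a spoofed sender, a subject drawn from a fixed list, and either a directly executable attachment (.exe, .com, .scr, .cpl, .pif) or a password-protected .zip whose password is only shown in an attached image. The following mail-gateway triage check is an added example, not code from this page or from Symantec; the sample messages are constructed, and the indicator lists are the subject lines, phrases and extensions quoted in the entries.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicator strings copied from the Beagle.X and Netsky.AB entries above.
EXEC_EXTS = {".exe", ".com", ".scr", ".cpl", ".pif"}
PASSWORD_PHRASES = ("password protected", "archive password", "use password",
                    "protected with the password", "following password")
KNOWN_SUBJECTS = {"Hidden message", "Protected message", "Encrypted document",
                  "Re: Msg reply", "Correction", "Hurts", "Privacy", "Password"}

def triage(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 822 message matches the worm traits; [] means clean."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "")
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"known worm subject: {subject!r}")
    parts = list(msg.iter_attachments())
    names = [(p.get_filename() or "").lower() for p in parts]
    for name in names:
        if os.path.splitext(name)[1] in EXEC_EXTS:
            reasons.append(f"executable attachment: {name}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    has_zip = any(name.endswith(".zip") for name in names)
    has_image = any(p.get_content_maintype() == "image" for p in parts)
    # Beagle.X lure: zip archive + "password" phrase + the password as a picture.
    if has_zip and has_image and any(ph in body for ph in PASSWORD_PHRASES):
        reasons.append("zip + password phrase + image: password-in-picture lure")
    return reasons

def build_sample(subject, body, attachments):
    """Build a constructed test message (not a real capture)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "someone@example.com", "you@example.com", subject
    m.set_content(body)
    for name, maintype, subtype, data in attachments:
        m.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return m.as_bytes()

# Constructed samples; the attachment bodies are placeholders, not malware.
BEAGLE_LIKE = build_sample("Protected message", "Archive password:",
    [("Details.zip", "application", "zip", b"PK\x03\x04 placeholder"),
     ("pass.gif", "image", "gif", b"GIF89a placeholder")])
NETSKY_LIKE = build_sample("Password", "I've your password. Take it easy!",
    [("passwords02.pif", "application", "octet-stream", b"MZ placeholder")])
CLEAN = build_sample("Re: Meeting notes", "Minutes attached.",
    [("minutes.pdf", "application", "pdf", b"%PDF-1.4 placeholder")])
```

A real gateway would add the zip encryption flag check (bit 0 of each entry's flag bits) before quarantining on the image lure alone.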


W32.Misodene@mm
Discovered April 29, 2004

Systems Affected: All Windows32 Systems

W32.Misodene@mm is a mass-mailing worm that sends itself to email addresses found in files on the infected machine. When it is first executed, the worm displays a message box entitled "Virus Liberdad".

The worm sends itself as an email attachment to the addresses it finds. In general, the From address is spoofed, and the attachment is a password-protected zip file whose name matches the file copied to the system directory. Known variants have sent the following email:

Subject: Jenifer desnuda \ Jeniffer naked
Attachment: Jenifer.zip (a zip file containing www.JeniferLopez.com)

Subject: Refused Mail\Permiso Denegado
Attachment: RefusedMail.zip (a zip file containing RefusedMail.eml[...spaces...].exe)

Subject: Famous / Famosos
Attachment: Famous.zip (a zip file containing Famous.exe)

May send a notification message to a hard-coded email address.

May attempt to copy itself across network shares as "Microsoft Officce.exe".

Displays a message box with the title "Virus Liberdad" and the following text:

Su computadora ha sido infectada por el virus Libertad
pero no tema, este virus no causa dano
su unico objetivo es protestar por la falta de
lieberdad de expresion en Cuba.
Disculpe la molestia.
El Hobbit.

Read the full Symantec report:
http://sarc.com/avcenter/venc/data/w32.misodene@mm.html

© Copyright 1999 - 2004 The Computer Wizard