April 2005
Select the links for detailed information and removal tools for the latest viruses.
W32.Mytob.BS 4/30/05 2
W32.Topion.A 4/30/05 2
W32.Mytob.BR 4/29/05 2
W32.Spybot.OFN 4/29/05 2
W32.Kelvir.AZ 4/29/05 2
W32.Kelvir.AX 4/28/05 2
W32.Netsky.AI 4/27/05 2
W32.Mydoom.BL 4/27/05 2
W32.Kelvir.AW 4/27/05 2
W32.Nopir.A 4/27/05 2
W32.Allim.B 4/27/05 2
W32.Gaobot.DEY 4/27/05 2
W32.Allim.A 4/26/05 2
W32.Kelvir.AP 4/26/05 2
W32.Antiman.A 4/25/05 2
W32.Kelvir.AO 4/25/05 2
W32.Mytob.BO 4/25/05 2
W32.Mytob.BN 4/25/05 2
W32.Mytob.BM 4/24/05 2
W32.Mytob.BL 4/24/05 2
W32.Kedebe 4/24/05 2
W32.Spybot.OBZ 4/24/05 2
W32.Kelvir.AN 4/24/05 2
W32.Velkbot.A 4/23/05 2
W32.Kelvir.AL 4/23/05 2
W32.Kelvir.AJ 4/22/05 2
W32.Kelvir.AI 4/22/05 2
W32.Mytob.BJ 4/22/05 2
W32.Kelvir.AH 4/22/05 2
W32.Spybot.OBB 4/21/05 2
W32.Ahker.G 4/21/05 2
W32.Mytob.BH 4/21/05 2
W32.Beagle.BP 4/21/05 2
W32.Mytob.BE 4/21/05 2
W32.Mytob.BC 4/20/05 2
W32.Mytob.BD 4/19/05 2
W32.Kelvir.AF 4/19/05 2
W32.Kelvir.AE 4/19/05 2
W32.Beagle.BO 4/19/05 2
W32.Mytob.AW 4/19/05 2
W32.Kelvir.AC 4/19/05 2
W32.Sober.N 4/18/05 2
W32.Kelvir.AA 4/18/05 2
W32.Kelvir.AB 4/18/05 2
W32.Picrate.B 4/17/05 2
W32.Spybot.NYT 4/17/05 2
W32.Kelvir.Y 4/17/05 2
W32.Kelvir.X 4/16/05 2
Trojan.Tooso.H 4/16/05 2
W32.Sinnaka.A 4/15/05 2
W32.Beagle.BN 4/15/05 2
Trojan.Tooso.G 4/15/05 2
W32.Kelvir.W 4/15/05 2
W32.Spybot.NPS 4/15/05 2
Trojan.Tooso.F 4/15/05 2
W32.Kelvir.S 4/14/05 2
W32.Kelvir.V 4/14/05 2
W32.Kelvir.U 4/14/05 2
W32.Kelvir.T 4/14/05 2
W32.Mytob.AV 4/13/05 2
W32.Mytob.AU 4/12/05 2
W32.Kelvir.R 4/12/05 2
W32.Spybot.NLX 4/12/05 2
W32.Kelvir.Q 4/12/05 2
W32.Mytob.AS 4/12/05 2
W32.Mytob.AR 4/11/05 2
W32.Mytob.AO 4/11/05 2
W32.Mytob.AQ 4/11/05 2
W32.Mytob.AN 4/11/05 2
W32.Mytob.AM 4/10/05 2
W32.Mytob.AL 4/10/05 2
W32.Mytob.AJ 4/10/05 2
W32.Mytob.AK 4/10/05 2
W32.Mytob.AI 4/10/05 2
W32.Mytob.AH 4/09/05 2
W32.Mytob.AG 4/09/05 2
W32.Mytob.AE 4/09/05 2
VBS.Ypsan.D 4/09/05 2
W32.Kipis.N 4/08/05 2
W32.Myfip.AB 4/08/05 2
W32.Aprilcone.A 4/07/05 2
W32.Mytob.AD 4/07/05 2
W32.Kelvir.O 4/07/05 2
W32.Spybot.LXJ 4/05/05 2
W32.Randex.DFJ 4/05/05 2
W32.Mytob.AA 4/04/05 2
W32.AllocUp.A 4/03/05 2
VBS.Haster 4/03/05 2
W32.Mytob.V 4/03/05 2
W32.Envid.O 4/02/05 2
W32.Chod.B 4/02/05 2
W32.Mytob.U 4/01/05 2
W32.Mydoom.BI 4/01/05 2
W32.Mydoom.BI@mm
Discovered April 01, 2005
Systems Affected: All Windows32 Systems
W32.Mydoom.BI@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on a compromised computer. It also attempts to spread through file-sharing networks.
Subject of email: Varies
Name of attachment: Varies
Ports: Opens random TCP ports.
Read
the full Symantec report here
W32.Mytob.U@mm
Discovered April 01, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.U@mm is a mass-mailing worm that has back door capabilities and uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.
The worm spreads through the network by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
Payload: Lowers security settings.
Large scale e-mailing: Uses its own SMTP engine to mail itself to addresses gathered on the compromised computer.
Degrades performance: Propagation may degrade performance.
Compromises security settings: Modifies the Hosts file.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: Random TCP Ports
Read
the full Symantec report here
W32.Chod.B@mm
Discovered April 02, 2005
Systems Affected: All Windows32 Systems
W32.Chod.B@mm
is a mass-mailing worm that also propagates using MSN Messenger. The worm
has back door capabilities and can be controlled through IRC channels.
It also overwrites the Hosts file to block access to several Web sites.
Read
the full Symantec report here
W32.Mytob.V@mm
Discovered April 03, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.V@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from files on the compromised computer. The email has a variable subject and attachment name. The attachment will have a .bat, .cmd, .doc, .exe, .htm, .pif, .scr, .tmp, .txt, or .zip file extension.
The worm also has the ability to open a back door and spread through the network by exploiting common system vulnerabilities.
Payload: Drops and executes a variant of W32.Spybot.Worm.
Large scale e-mailing: Sends email to addresses collected from the compromised computer.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .doc, .exe, .htm, .pif,
.scr, .tmp, .txt, or .zip file extension.
Size of attachment: 46,687 bytes
Ports: TCP 135, 445, 6667. Random TCP port.
Read
the full Symantec report here
VBS.Haster@mm
Discovered April 03, 2005
Systems Affected: All Windows32 Systems
VBS.Haster@mm
is a mass mailing VBScript worm that uses Microsoft Outlook to send itself
to all email addresses in the Microsoft Outlook address book.
Large scale
e-mailing: Sends emails
Distribution
Subject of email: Windows Back ups
Name of attachment: bkupinstall.vbs
Read
the full Symantec report here
W32.Envid.O@mm
Discovered April 02, 2005
Systems Affected: All Windows32 Systems
W32.Envid.O@mm
is a mass-mailing worm that sends email to all addresses found in the
Windows Address Book. The email contains a link to a Web site that contains
a copy of the worm. The worm lowers security settings by terminating processes
related to antivirus and security programs.
Payload:
Lowers security settings.
Large scale e-mailing: Sends email to addresses collected from the Windows
Address Book.
Compromises security settings: Terminates security related processes.
Distribution
Subject of email: Varies
Read
the full Symantec report here
W32.AllocUp.A
Discovered April 04, 2005
Systems Affected: All Windows32 Systems
W32.AllocUp.A
is a network-aware worm that opens a back door on a random TCP port. The
worm attempts to spread by exploiting the Microsoft Windows Local Security
Authority Service Remote Buffer Overflow (as described in Microsoft Security
Bulletin MS04-011).
Payload:
Allows unauthorized remote access.
Compromises security settings: Disables services of security related programs.
Distribution
Ports: Random TCP port for back door.
Shared drives: Copies itself to network shares by exploiting the LSASS
vulnerability.
Read
the full Symantec report here
W32.Mytob.AA@mm
Discovered April 04, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AA@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from files on the compromised computer. The email has a variable subject and attachment name. The attachment will have a .bat, .cmd, .doc, .exe, .htm, .pif, .scr, .tmp, .txt, or .zip file extension.
The worm also has the ability to open a back door and spread through the network by exploiting common system vulnerabilities.
Payload: Lowers security settings.
Large scale e-mailing: Sends emails.
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to several security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .doc, .exe, .htm, .pif,
.scr, .tmp, .txt, or .zip file extension.
Size of attachment: 61,440 bytes
Ports: Port 10087, Random TCP port
Read
the full Symantec report here
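Several of the Mytob variants on this page (and W32.Chod.B) rewrite the Hosts file so that security-vendor and update sites resolve to the local machine, which is why "Modifies the Hosts file" and "Blocks access to several security-related Web sites" recur in the entries. A quick triage check for that, added here as an example that is not part of the original page or of any Symantec tool: it parses a Hosts file and flags entries for security-related domains, whether they are sinkholed to a loopback address or redirected to some other host. The domain list and the sample Hosts text are constructed for illustration; extend the list for your own environment.

```python
"""Added example: flag Hosts-file entries that hijack security-vendor domains.

Not Symantec's code. SECURITY_DOMAINS and SAMPLE_HOSTS are constructed for
illustration and are not taken from any report.
"""
import ipaddress

# Assumption: the kind of security-related sites a Mytob/Chod variant blocks.
SECURITY_DOMAINS = {
    "symantec.com", "norton.com", "mcafee.com", "sophos.com",
    "trendmicro.com", "kaspersky.com", "f-secure.com", "windowsupdate.com",
    "update.microsoft.com", "liveupdate.symantecliveupdate.com",
}

# Addresses that silently black-hole a name rather than redirect it.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from Hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        try:
            ipaddress.ip_address(ip)          # skip malformed lines
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower().rstrip(".")


def is_security_domain(host):
    """True if host equals, or is a subdomain of, a listed security domain."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hijacks(text):
    """Return (host, ip, kind) for every security-related host in the file.

    Any Hosts entry for these domains is suspicious: a sinkhole address blocks
    updates and signatures, while a routable address can deliver a fake one.
    """
    hits = []
    for ip, host in parse_hosts(text):
        if is_security_domain(host):
            kind = "blocked" if ip in SINKHOLE_ADDRS else "redirected"
            hits.append((host, ip, kind))
    return hits


# Constructed sample resembling a Hosts file after a Mytob-style rewrite.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com
0.0.0.0         update.microsoft.com
192.0.2.10      downloads.mcafee.com   # constructed: a redirect, not a block
10.0.0.5        intranet.example.local
"""

if __name__ == "__main__":
    for host, ip, kind in find_hijacks(SAMPLE_HOSTS):
        print(f"{kind:10s} {host} -> {ip}")
```

Run it against %SystemRoot%\System32\drivers\etc\hosts on a suspect machine; a clean file normally holds only the localhost entries. A redirect to a routable address deserves more attention than a loopback block, because it can serve the victim a fake update instead of merely stopping a real one.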
W32.Randex.DFJ
Discovered April 05, 2005
Systems Affected: All Windows32 Systems
W32.Randex.DFJ
is a network-aware worm that spreads to network shares protected by weak
passwords. It also opens a back door and may be remotely controlled via
IRC channels.
Payload:
Opens a back door and allows unauthorized remote access.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: Modifies Hosts File.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to the predetermined Web
site.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 40404
Shared drives: n/a
Target of infection: Computers with weak administrator passwords.
Read
the full Symantec report here
W32.Spybot.LXJ
Discovered April 05, 2005
Systems Affected: All Windows32 Systems
W32.Spybot.LXJ
is a worm that opens a back door on the compromised computer.
This worm
may be dropped by W32.Kelvir.L.
Payload:
Opens a back door.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: Performance may be degraded while files are being
downloaded.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 445
Shared drives: n/a
Target of infection: Exploits vulnerabilities.
Read
the full Symantec report here
W32.Kelvir.O
Discovered April 07, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.O
is a worm that spreads through MSN Messenger.
Read
the full Symantec report here
W32.Mytob.AD@mm
Discovered April 07, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AD@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer. The worm spreads
by exploiting the DCOM RPC vulnerability (described in Microsoft Security
Bulletin MS03-026) and the Microsoft Windows Local Security Authority
Service Remote Buffer Overflow (described in Microsoft Security Bulletin
MS04-011).
Payload:
Opens a back door and allows unauthorized remote access.
Large scale e-mailing: Send emails.
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to several security-related
Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 10087 and 6667.
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Aprilcone.A@mm
Discovered April 07, 2005
Systems Affected: All Windows32 Systems
W32.Aprilcone.A@mm
is a mass-mailing worm that uses JMail to send emails to addresses that
it gathers from the compromised computer.
Read
the full Symantec report here
W32.Myfip.AB
Discovered April 08, 2005
Systems Affected: All Windows32 Systems
W32.Myfip.AB
is a network-aware worm that steals files from a compromised computer.
Read
the full Symantec report here
W32.Kipis.N@mm
Discovered April 08, 2005
Systems Affected: All Windows32 Systems
W32.Kipis.N@mm
is a mass-mailing network-aware worm that spreads by sending an email
to addresses it finds on an infected computer. The worm also copies itself
to folders which contain the string "share".
Payload:
Allows unauthorized remote access.
Large scale e-mailing: Sends email to contacts in the Windows Outlook
Address Book and addresses found in various files.
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Ends some security-related processes.
Distribution
Subject of email: Varies
Name of attachment: Varies with the extensions ...sCR, _..ScR, +.sCR,
+.sCR, .+.scR
Size of attachment: Varies
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
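The Mytob entries above list attachments with .bat, .cmd, .doc, .exe, .htm, .pif, .scr, .tmp, .txt or .zip extensions, and W32.Kipis.N uses padded, mixed-case variants such as ...sCR and _..ScR that a case-sensitive or naive suffix check would miss. The following added example (not Symantec's code; the filename samples are constructed) normalizes such names the way a mail-gateway filter should before deciding whether to quarantine, and also catches the double-extension form (document.txt.scr).

```python
"""Added example: classify mail attachment names for quarantine decisions.

Not from any Symantec report. SAMPLE_NAMES is constructed for illustration;
the extra executable extensions beyond the page's list are an assumption.
"""
import re

# Extensions Windows will execute directly. The page lists .bat, .cmd, .exe,
# .pif and .scr; .com, .vbs, .js, .hta and .lnk are added by assumption.
EXECUTABLE_EXTS = {"bat", "cmd", "com", "exe", "pif", "scr", "vbs", "js", "hta", "lnk"}

# Non-executable extensions the same worms also use for the attachment, or
# as the first half of a double extension.
CONTAINER_EXTS = {"zip", "doc", "htm", "html", "txt", "tmp"}


def classify_attachment(name):
    """Return (verdict, extension) for an attachment filename.

    verdict is one of 'executable', 'executable-double-extension',
    'container' or 'other'. Handles the tricks the entries show: mixed case
    ('sCR', 'ScR'), runs of dots and padding before the extension
    ('...sCR', '_..ScR', '+.sCR'), trailing whitespace, and double extensions.
    """
    base = name.strip().lower()
    # Split on any run of dots, strip padding characters, drop empty tokens;
    # the real extension is whatever remains last.
    tokens = [t.strip("_+ ") for t in re.split(r"\.+", base)]
    tokens = [t for t in tokens if t]
    if not tokens:
        return "other", ""
    ext = tokens[-1]
    if ext in EXECUTABLE_EXTS:
        if len(tokens) >= 2 and tokens[-2] in CONTAINER_EXTS:
            return "executable-double-extension", ext
        return "executable", ext
    if ext in CONTAINER_EXTS:
        return "container", ext
    return "other", ext


def triage(names):
    """Return the names a gateway should quarantine: anything executable."""
    return [n for n in names if classify_attachment(n)[0].startswith("executable")]


# Constructed sample names, mixing the page's extension styles with benign ones.
SAMPLE_NAMES = [
    "document.doc", "photo.zip", "readme.TXT", "report.pdf",
    "...sCR", "_..ScR", "+.sCR", ".+.scR",
    "invoice.txt.scr", "setup.PIF", "notes.exe ",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r:22s} -> {classify_attachment(n)}")
```

The point of normalizing before matching is that the worm author controls the filename and will pick whatever the filter does not expect; a rule that lowercases once and reasons about the final token is harder to slip past than a list of literal suffixes.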
VBS.Ypsan.D@mm
Discovered April 09, 2005
Systems Affected: All Windows32 Systems
VBS.Ypsan.D@mm
is a mass-mailing worm that sends itself to all email addresses gathered
from the Windows Address Book and attempts to shut down the compromised
computer.
Payload:
n/a
Large scale e-mailing: Sends emails
Deletes files: Deletes commands from autoexec.bat file
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Attempts to disable anti-virus software
Distribution
Subject of email: Back Up System
Name of attachment: Install.vbs
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AE@mm
Discovered April 09, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AE@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer. The worm spreads
by exploiting the DCOM RPC vulnerability (described in Microsoft Security
Bulletin MS03-026) and the Microsoft Windows Local Security Authority
Service Remote Buffer Overflow (described in Microsoft Security Bulletin
MS04-011).
Payload:
Opens a back door and allows unauthorized remote access.
Large scale e-mailing: Sends emails
Deletes files: n/a
Modifies files: Modifies the Hosts file
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to several security-related
web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 21
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AG@mm
Discovered April 09, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AG@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer.
The worm
spreads by exploiting the Microsoft Windows Local Security Authority Service
Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
Payload:
Opens a back door and allows unauthorized remote access.
Large scale e-mailing: Send emails.
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to several security-related
Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: 45,270 bytes
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AH@mm
Discovered April 09, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AH@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer.
The worm
spreads by exploiting the DCOM RPC vulnerability (described in Microsoft
Security Bulletin MS03-026) and the Microsoft Windows Local Security Authority
Service Remote Buffer Overflow (described in Microsoft Security Bulletin
MS04-011).
Payload Trigger: n/a
Payload: Opens a back door and allows unauthorized remote access.
Large scale e-mailing: Sends emails.
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to several security-related
web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: 47,677 bytes
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AI@mm
Discovered April 10, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AI@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer.
The worm
spreads by exploiting the DCOM RPC vulnerability (described in Microsoft
Security Bulletin MS03-026) and the Microsoft Windows Local Security Authority
Service Remote Buffer Overflow (described in Microsoft Security Bulletin
MS04-011).
Payload Trigger: n/a
Payload: Opens a back door and allows unauthorized remote access.
Large scale e-mailing: Sends emails.
Deletes files: n/a
Modifies files: Modifies the Hosts file
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to several security-related
web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: Varies
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AK@mm
Discovered April 10, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AK@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer.
The worm spreads by exploiting the DCOM RPC vulnerability (described in
Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local
Security Authority Service Remote Buffer Overflow (described in Microsoft
Security Bulletin MS04-011).
Payload Trigger:
n/a
Payload: Opens a back door and allows unauthorized remote access.
Large scale e-mailing: Sends emails.
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to several security-related
web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: 10087
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AJ@mm
Discovered April 10, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AJ@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer.
The worm spreads by exploiting the DCOM RPC vulnerability (described in
Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local
Security Authority Service Remote Buffer Overflow (described in Microsoft
Security Bulletin MS04-011).
Payload Trigger:
n/a
Payload: Opens a back door and allows unauthorized remote access.
Large scale e-mailing: Sends emails.
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to several security-related
web sites.
Distribution
Subject of email: n/a
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: 61137
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AL@mm
Discovered April 10, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AL@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer.
The worm spreads by exploiting the DCOM RPC vulnerability (described in
Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local
Security Authority Service Remote Buffer Overflow (described in Microsoft
Security Bulletin MS04-011).
Payload Trigger:
n/a
Payload: Opens a back door and allows unauthorized remote access.
Large scale e-mailing: Send emails.
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to several security-related
web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 10087
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AM@mm
Discovered April 10, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AM@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer.
The worm spreads by exploiting the Microsoft Windows Local Security Authority
Service Remote Buffer Overflow (described in Microsoft Security Bulletin
MS04-011).
Payload Trigger:
n/a
Payload: Opens a back door and allows unauthorized remote access.
Large scale e-mailing: Send emails
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to several security-related
web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: 10087
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AN@mm
Discovered April 11, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AN@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer.
The worm
spreads through the network by exploiting the Microsoft Windows Local
Security Authority Service Remote Buffer Overflow (as described in the
Microsoft Security Bulletin MS04-011).
Payload Trigger:
n/a
Payload: Opens a back door.
Large scale e-mailing: Sends an email to addresses gathered from the compromised
computer.
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AQ@mm
Discovered April 11, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AQ@mm
is a mass-mailing worm with back door capabilities that uses its own SMTP
engine to send an email to addresses that it gathers from the compromised
computer.
The worm
spreads by exploiting the Microsoft Windows Local Security Authority Service
Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011)
and the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability
(described in Microsoft Security Bulletin MS03-026).
Payload Trigger:
n/a
Payload: Opens a back door and allows unauthorized remote access.
Large scale e-mailing: Send emails
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to several security-related
web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP Port 10087.
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AO@mm
Discovered April 11, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AO@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer.
The worm
spreads by exploiting the Microsoft Windows Local Security Authority Service
Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
Payload Trigger:
n/a
Payload: Opens a back door and allows unauthorized remote access.
Large scale e-mailing: Send emails.
Deletes files: n/a
Modifies files: Modifies the HOSTS file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to several security-related
web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 2817
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AR@mm
Discovered April 11, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AR@mm is a mass-mailing worm with back door capabilities that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.
The worm
spreads by exploiting the Microsoft Windows Local Security Authority Service
Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011)
and the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability
(described in Microsoft Security Bulletin MS03-026).
Payload Trigger:
n/a
Payload: Opens a back door.
Large scale e-mailing: Send emails
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to several security-related
web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP Port 10089 and TCP Port 8080.
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AS@mm
Discovered April 12, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AS@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer. The worm spreads
through the network by exploiting vulnerabilities and opens a back door
on the compromised computer.
Payload Trigger:
n/a
Payload: Opens a back door.
Large scale e-mailing: Sends email.
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies.
Name of attachment: Varies.
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 10087.
Shared drives: n/a
Target of infection: Exploits vulnerabilities.
Read
the full Symantec report here
W32.Kelvir.Q
Discovered April 12, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.Q
is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.
Payload Trigger:
n/a
Payload: Attempts to drop and execute a variant of W32.Spybot.Worm.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Opens a back door.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 8126
Shared drives: n/a
Target of infection: Attempts to spread via MSN Messenger.
Read
the full Symantec report here
W32.Spybot.NLX
Discovered April 12, 2005
Systems Affected: All Windows32 Systems
W32.Spybot.NLX
is a worm that has distributed denial of service and back door capabilities.
The worm
spreads through network shares protected by weak passwords and by exploiting
the following vulnerabilities:
The
Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described
in Microsoft Security Bulletin MS03-026).
The Microsoft Windows Local Security Authority Service Remote Buffer
Overflow (as described in Microsoft Security Bulletin MS04-011).
The Microsoft Windows SSL Library Denial of Service Vulnerability
(described in Microsoft Security Bulletin MS04-011).
The Vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000
audit (as described in Microsoft Security Bulletin MS02-061) using UDP
port 1434.
The UPnP NOTIFY Buffer Overflow vulnerability (as described in
Microsoft Security Bulletin MS01-059).
The Workstation Service Buffer Overrun vulnerability (as described
in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP
users are protected against this vulnerability if Microsoft Security Bulletin
MS03-043 has been applied. Windows 2000 users must apply MS03-049.
The DameWare Mini Remote Control Server Pre-Authentication Buffer
Overflow vulnerability (described in CAN-2003-0960.)
Payload Trigger:
n/a
Payload: Opens a back door that allows unauthorized remote access.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: Retrieves the currently logged on user's Windows password from memory.
Compromises security settings: Lists, stops, and starts processes and threads, and prevents the installation of Windows XP Service Pack 2.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 4367.
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Kelvir.R
Discovered April 12, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.R
is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.
It also spreads
by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun
Vulnerability (described in Microsoft Security Bulletin MS03-026), the
Microsoft Windows Local Security Authority Service Remote Buffer Overflow
(as described in Microsoft Security Bulletin MS04-011), and the vulnerabilities
in the Microsoft SQL Server 2000 or MSDE 2000 audit (as described in Microsoft
Security Bulletin MS02-061) using UDP port 1434.
Payload Trigger:
n/a
Payload: Opens a back door that allows unauthorized remote access.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: Steals CD activation keys for many games.
Compromises security settings: Attempts to terminate processes and services,
some of which may be security related.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: UDP port 1434
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AU@mm
Discovered April 12, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AU@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer. The worm spreads
through network shares protected by weak passwords. The worm spreads by
exploiting the DCOM RPC vulnerability (described in Microsoft Security
Bulletin MS03-026) and the Microsoft Windows Local Security Authority
Service Remote Buffer Overflow (described in Microsoft Security Bulletin
MS04-011).
Payload Trigger:
n/a
Payload: Opens a back door and allows unauthorized remote access.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to several security-related
web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP Port 10087
Shared drives: n/a
Target of infection: n/a
Read
the full Symantec report here
W32.Mytob.AV@mm
Discovered April 13, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AV@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer.
The worm
spreads by exploiting the Microsoft Windows Local Security Authority Service
Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
Payload Trigger:
n/a
Payload: Opens a back door.
Large scale e-mailing: Sends email.
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 6667 or 10087.
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Kelvir.T
Discovered April 14, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.T
is a worm that spreads through MSN Messenger and drops a variant of W32.Randex.
Read the full Symantec report here
Download the Removal Tool here
W32.Kelvir.U
Discovered April 14, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.U
is a worm that spreads through MSN Messenger and drops a copy of W32.Spybot.NLI.
Read the full Symantec report here
W32.Kelvir.S
Discovered April 14, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.S
is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.
Read the full Symantec report here
Download the Removal Tool here
Trojan.Tooso.F
Discovered April 15, 2005
Systems Affected: All Windows32 Systems
Trojan.Tooso.F
is a Trojan horse that interferes with the operation of security software
by terminating processes, stopping services, removing registry entries,
and deleting files. This Trojan is similar to W32.Beagle@mm but it does
not send emails.
Payload Trigger:
n/a
Payload: Downloads and executes arbitrary code.
Large scale e-mailing: n/a
Deletes files: Deletes files related to security programs.
Modifies files: Modifies Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Terminates processes of security-related
programs. Deletes registry entries belonging to security-related programs.
Read the full Symantec report here
W32.Spybot.NPS
Discovered April 15, 2005
Systems Affected: All Windows32 Systems
W32.Spybot.NPS
is a worm that has distributed denial of service and back door capabilities.
The worm spreads through network shares protected by weak passwords and
by exploiting vulnerabilities.
Payload Trigger:
n/a
Payload: Opens a back door that allows unauthorized remote access.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: May be used in denial of service attacks.
Causes system instability: n/a
Releases confidential info: May be used to gather confidential system
information.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP ports 445 and 1433
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Kelvir.W
Discovered April 15, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.W
is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Disables some security-related processes.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 2442
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Kelvir.V
Discovered April 14, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.V
is a worm that spreads through MSN Messenger and drops W32.Spybot.NNT.
Payload Trigger: n/a
Payload: Entices users to download a remote file.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Disables some security-related processes.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 2442
Shared drives: n/a
Target of infection: MSN Messenger
Read the full Symantec report here
Download the Removal Tool here
Trojan.Tooso.G
Discovered April 15, 2005
Systems Affected: All Windows32 Systems
Trojan.Tooso.G
is a Trojan horse program that interferes with the operation of security
software by ending processes, stopping services, removing registry entries,
and deleting files.
Trojan.Tooso.G
also attempts to download a copy of W32.Beagle.BN@mm.
Payload Trigger:
n/a
Payload: n/a
Large scale e-mailing: n/a
Deletes files: Attempts to delete many files from all fixed drives.
Modifies files: Modifies the Hosts file.
Degrades performance: Downloading a remote file may degrade network performance.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Lowers security settings by ending processes,
stopping services, removing registry entries, deleting files and preventing
access to several security-related Web sites.
Read the full Symantec report here
W32.Beagle.BN@mm
Discovered April 15, 2005
Systems Affected: All Windows32 Systems
W32.Beagle.BN@mm
is a mass-mailing worm that uses its own SMTP engine to send out copies
of Trojan.Tooso.F. The worm also opens a back door on the compromised
computer through TCP port 80.
W32.Beagle.BN@mm
may be downloaded by Trojan.Tooso.G.
Payload Trigger:
n/a
Payload: n/a
Large scale e-mailing: Sends an email to addresses that it downloads from
a remote computer.
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Deletes registry entries to prevent execution
of security related programs.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .zip extension.
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 80
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Sinnaka.A@mm
Discovered April 15, 2005
Systems Affected: All Windows32 Systems
W32.Sinnaka.A@mm
is a worm that uses its own SMTP engine to send itself as an email attachment.
Payload Trigger:
n/a
Payload: n/a
Large scale e-mailing: Sends mails.
Deletes files: n/a
Modifies files: n/a
Degrades performance: Sending mails may degrade network performance.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: Varies
Name of attachment: Varies with a zip extension
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
Trojan.Tooso.H
Discovered April 16, 2005
Systems Affected: All Windows32 Systems
Trojan.Tooso.H
is a Trojan horse that interferes with the operation of security software
by terminating processes, stopping services, removing registry entries,
and deleting files.
Trojan.Tooso.H
attempts to download a copy of Trojan.Tooso.F.
Payload Trigger:
n/a
Payload: Downloads and executes arbitrary code.
Large scale e-mailing: n/a
Deletes files: Deletes files related to security programs.
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Ends processes of security-related programs,
deletes registry entries belonging to security-related programs, and blocks
access to several security-related Web sites.
Read the full Symantec report here
W32.Kelvir.X
Discovered April 16, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.X
is a worm that spreads through MSN Messenger and drops a copy of W32.Spybot.Worm.
Payload Trigger:
n/a
Payload: Drops and executes a variant of W32.Spybot.Worm which may open
a back door.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: May log keystrokes.
Compromises security settings: May allow unauthorized access.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: Attempts to spread through MSN Messenger and by exploiting
vulnerabilities.
Read the full Symantec report here
W32.Kelvir.Y
Discovered April 17, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.Y
is a worm that spreads through MSN Messenger and drops W32.Spybot.NYT.
Payload Trigger:
n/a
Payload: Drops and executes W32.Spybot.NYT which may open a back door.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: May log keystrokes
Compromises security settings: May allow unauthorized access
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: Attempts to spread through MSN Messenger
Read the full Symantec report here
W32.Spybot.NYT
Discovered April 17, 2005
Systems Affected: All Windows32 Systems
W32.Spybot.NYT
is a worm that has distributed denial of service and back door capabilities.
The worm spreads through network shares protected by weak passwords and
by exploiting vulnerabilities.
Payload Trigger:
n/a
Payload: Opens a back door and allows unauthorized remote access to the
infected computer.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Lists, stops, and starts processes and threads.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 2442
Shared drives: n/a
Target of infection: Spreads to network shares protected by weak passwords
and by exploiting vulnerabilities.
Read the full Symantec report here
W32.Picrate.B@mm
Discovered April 17, 2005
Systems Affected: All Windows32 Systems
W32.Picrate.B@mm
is a worm that sends copies of itself to instant messenger contacts and
drops a variant of W32.Spybot.Worm.
Payload Trigger:
n/a
Payload: Opens a back door.
Large scale e-mailing: Mails itself as an attachment.
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Opens a back door.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 8080
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Kelvir.AB
Discovered April 18, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AB
is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.
Payload Trigger:
n/a
Payload: Opens a back door that allows unauthorized remote access.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Read the full Symantec report here
W32.Kelvir.AA
Discovered April 18, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AA
is a worm that spreads through MSN Messenger and drops W32.Spybot.NLI.
The worm also attempts to lower security settings.
Payload Trigger:
n/a
Payload: Downloads and executes a remote file.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Ends security-related processes and services.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: Spreads via MSN Messenger.
Read the full Symantec report here
W32.Sober.N@mm
Discovered April 18, 2005
Systems Affected: All Windows32 Systems
W32.Sober.N@mm
is a mass-mailing worm that uses its own SMTP engine to spread. It sends
itself as an email attachment to addresses gathered from the compromised
computer. The email may be in either English or German.
Payload Trigger:
n/a
Payload: n/a
Large scale e-mailing: Sends email to all addresses gathered from the
compromised computer.
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Attempts to terminate security-related
processes.
Distribution
Subject of email: FwD: Ich bin's nochmal or I've_got your EMail on my_account!
Name of attachment: Private-Texte.zip or your_text.zip
Size of attachment: 73,541 bytes
Time stamp of attachment: n/a
Ports: TCP port 21
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Kelvir.AC
Discovered April 19, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AC
is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.
Payload Trigger:
n/a
Payload: May be remotely controlled via IRC Channels.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Read the full Symantec report here
W32.Mytob.AW@mm
Discovered April 19, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.AW@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer. The worm spreads
through the Microsoft Windows Local Security Authority Service Remote
Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger:
n/a
Payload: Opens a back door.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 10087.
Shared drives: n/a
Target of infection: Exploits vulnerabilities.
Read the full Symantec report here
W32.Beagle.BO@mm
Discovered April 19, 2005
Systems Affected: All Windows32 Systems
W32.Beagle.BO@mm
is a mass-mailing worm that uses its own SMTP engine to send out copies
of a Trojan.Tooso variant. The worm also opens a back door on TCP port
80.
Payload Trigger:
n/a
Payload: Allows unauthorized remote access.
Large scale e-mailing: Sends email to addresses collected from the compromised
computer.
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: The subject line is empty.
Name of attachment: Varies
Size of attachment: Varies
Time stamp of attachment: n/a
Ports: TCP port 80
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Kelvir.AE
Discovered April 19, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AE
is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.
Payload Trigger:
n/a
Payload: Downloads and executes a remote file.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: Spreads via MSN Messenger.
Read the full Symantec report here
W32.Kelvir.AF
Discovered April 19, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AF
is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.
Read the full Symantec report here
W32.Mytob.BD@mm
Discovered April 19, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BD@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer and has back
door capabilities.
The worm
spreads through the network by exploiting the Microsoft Windows DCOM RPC
Interface Buffer Overrun Vulnerability (described in Microsoft Security
Bulletin MS03-026) and the Microsoft Windows Local Security Authority
Service Remote Buffer Overflow (as described in Microsoft Security Bulletin
MS04-011).
Payload Trigger:
n/a
Payload: Opens a back door.
Large scale e-mailing: Uses its own SMTP engine to send an email to addresses
that it gathers from the compromised computer
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: Mass-mailing may degrade performance.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Modifies the Hosts file.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP Port 10087 as well as random TCP ports.
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Mytob.BC@mm
Discovered April 20, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BC@mm
is a mass-mailing worm that has back door capabilities and uses its own
SMTP engine to send an email to addresses that it gathers from the compromised
computer. The worm spreads through the network by exploiting the Microsoft
Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in
Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local
Security Authority Service Remote Buffer Overflow (as described in Microsoft
Security Bulletin MS04-011).
Payload Trigger:
n/a
Payload: Opens a back door.
Large scale e-mailing: Sends email to addresses collected from the compromised
computer.
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 10087
Shared drives: n/a
Target of infection: Exploits vulnerabilities.
Read the full Symantec report here
W32.Mytob.BE@mm
Discovered April 21, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BE@mm
is a mass-mailing worm that has back door capabilities and uses its own
SMTP engine to send an email to addresses that it gathers from the compromised
computer.
The worm
spreads through the network by exploiting the Microsoft Windows Local
Security Authority Service Remote Buffer Overflow (as described in Microsoft
Security Bulletin MS04-011) and the Microsoft Windows DCOM RPC Interface
Buffer Overrun Vulnerability (described in Microsoft Security Bulletin
MS03-026).
Payload Trigger:
n/a
Payload: Opens a back door that allows unauthorized remote access.
Large scale e-mailing: Sends email.
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: 61,440 bytes
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: Exploits vulnerabilities.
Read the full Symantec report here
W32.Beagle.BP@mm
Discovered April 21, 2005
Systems Affected: All Windows32 Systems
W32.Beagle.BP@mm
is a mass-mailing worm that uses its own SMTP engine to send out copies
of a Trojan.Tooso variant. The worm also opens a back door on the compromised
computer on TCP port 80.
Payload Trigger:
n/a
Payload: Opens a back door on TCP Port 80
Large scale e-mailing: Sends email using its own SMTP engine.
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: Blank
Name of attachment: Varies with .zip file extension.
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP Port 25 and TCP Port 80
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Mytob.BH@mm
Discovered April 21, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BH@mm
is a mass-mailing worm that has back door capabilities and uses its own
SMTP engine to send an email to addresses that it gathers from the compromised
computer.
The worm
spreads through the network by exploiting the Microsoft Windows Local
Security Authority Service Remote Buffer Overflow (as described in Microsoft
Security Bulletin MS04-011) and the Microsoft Windows DCOM RPC Interface
Buffer Overrun Vulnerability (described in Microsoft Security Bulletin
MS03-026).
Payload Trigger:
n/a
Payload: Opens a back door.
Large scale e-mailing: Sends email.
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: 46,791 bytes
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Ahker.G@mm
Discovered April 21, 2005
Systems Affected: All Windows32 Systems
W32.Ahker.G@mm
is a mass-mailing worm that uses MAPI to send a copy of itself to email
addresses gathered from the compromised computer. The worm lowers security
settings, prevents access to several Web sites, and blocks access to several
programs.
Payload Trigger:
n/a
Payload: n/a
Large scale e-mailing: Sends an email to addresses gathered from the compromised
computer.
Deletes files: n/a
Modifies files: Modifies the Hosts file and blocks access to several Web
sites.
Degrades performance: n/a
Causes system instability: Ends processes, which may belong to security
programs and other worms.
Releases confidential info: n/a
Compromises security settings: Lowers security settings by blocking access
to several security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Message.zip
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Spybot.OBB
Discovered April 22, 2005
Systems Affected: All Windows32 Systems
W32.Spybot.OBB
is a worm that has distributed denial of service and back door capabilities.
The worm spreads through network shares protected by weak passwords and
by exploiting vulnerabilities.
Payload Trigger:
n/a
Payload: Opens a back door.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP ports 8080, 445, and 1433.
Shared drives: n/a
Target of infection: Exploits vulnerabilities.
Read the full Symantec report here
W32.Kelvir.AH
Discovered April 22, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AH
is a worm that spreads through MSN Messenger and attempts to drop W32.Spybot.OBB.
Payload Trigger:
n/a
Payload: Drops a copy of W32.Spybot.OBB.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Spreads through MSN Messenger.
Read the full Symantec report here
W32.Mytob.BJ@mm
Discovered April 22, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BJ@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer.
Payload Trigger:
n/a
Payload: Opens a back door.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Modifies the Hosts file to block access
to several security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Kelvir.AI
Discovered April 22, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AI
is a worm that spreads a variant of W32.Spybot.Worm through MSN Messenger
and exploits remote vulnerabilities.
Payload Trigger:
n/a
Payload: May open a back door.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: MSN Messenger
Read the full Symantec report here
W32.Kelvir.AJ
Discovered April 22, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AJ
is a worm that spreads a variant of W32.Spybot.Worm through MSN Messenger
and by exploiting remote vulnerabilities.
Payload Trigger:
n/a
Payload: May open a back door.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: MSN Messenger
Read the full Symantec report here
W32.Kelvir.AL
Discovered April 23, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AL
is a worm that spreads a variant of Backdoor.Sdbot through MSN Messenger.
Payload Trigger:
n/a
Payload: Drops a variant of Backdoor.Sdbot.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: Attempts to spread via MSN Messenger.
Read the full Symantec report here
W32.Velkbot.A
Discovered April 23, 2005
Systems Affected: All Windows32 Systems
W32.Velkbot.A
is a worm with back door capabilities that spreads through MSN Messenger,
Yahoo Messenger and AOL Instant Messenger.
Payload Trigger:
n/a
Payload: Opens a back door allowing the remote attacker to have unauthorized
access to the compromised computer.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Disables Task Manager and Registry Editor.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: Attempts to spread via MSN Messenger, Yahoo Messenger
and AOL Instant Messenger.
Read the full Symantec report here
W32.Kelvir.AN
Discovered April 24, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AN
is a worm that spreads W32.Spybot.OBZ through MSN Messenger.
Payload Trigger:
n/a
Payload: May open a back door
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: Attempts to stop several system services and
processes.
Releases confidential info: n/a
Compromises security settings: Allows execution of remote files
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: MSN Messenger
Read the full Symantec report here
W32.Spybot.OBZ
Discovered April 24, 2005
Systems Affected: All Windows32 Systems
W32.Spybot.OBZ
is a worm that has distributed denial of service and back door capabilities.
The worm spreads through network shares protected by weak passwords and
by exploiting vulnerabilities. The worm may be dropped by W32.Kelvir.AN.
Payload Trigger:
n/a
Payload: Opens a back door.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: Retrieves the currently logged-on user's Windows
password from memory.
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 6660.
Shared drives: n/a
Target of infection: Exploits vulnerabilities.
Read the full Symantec report here
W32.Kedebe@mm
Discovered April 24, 2005
Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows XP
W32.Kedebe@mm
is a mass-mailing worm that ends processes and prevents access to several
Web sites, most of which are security-related. It uses its own SMTP engine
to send a copy of itself to all email addresses gathered from files with
predetermined extensions.
This threat
is written in Visual Basic and only works on NT based systems.
Payload Trigger:
n/a
Payload: n/a
Large scale e-mailing: Sends emails.
Deletes files: Deletes the files associated with security-related programs.
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Modifies the Hosts file to block access
to several security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Mytob.BL@mm
Discovered April 24, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BL@mm
is a mass-mailing worm that exploits the Microsoft Windows Local Security
Authority Service Remote Buffer Overflow vulnerability (as described in
Microsoft Security Bulletin MS04-011). It also copies itself to network
shares with weak passwords.
Payload Trigger:
n/a
Payload: Opens a back door
Large scale e-mailing: Sends email.
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 6667 and TCP port 10085.
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Mytob.BM@mm
Discovered April 24, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BM@mm
is a mass-mailing worm with back door functionality that uses its own
SMTP engine to send an email to addresses that it gathers from the compromised
computer. The worm spreads through network shares protected by weak passwords.
Payload Trigger:
n/a
Payload: Allows unauthorized remote access.
Large scale e-mailing: Sends email to addresses collected from the compromised
computer.
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: Varies
Name of attachment: Varies with a .pif, .scr, .exe, .bat, .cmd, or .zip
file extension.
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: Spreads to network shares protected by weak user
name and password.
Read the full Symantec report here
W32.Mytob.BN@mm
Discovered April 25, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BN@mm
is a mass-mailing worm that has back door capabilities and uses its own
SMTP engine to send an email to addresses that it gathers from the compromised
computer.
The worm spreads through the network by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger:
Opens a back door.
Payload: n/a
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: Modifies the Hosts file.
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: Various TCP Ports.
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Mytob.BO@mm
Discovered April 25, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BO@mm
is a mass-mailing worm that uses its own SMTP engine to send an email
to addresses that it gathers from the compromised computer. The worm spreads
through the network by exploiting the Microsoft Windows Local Security
Authority Service Remote Buffer Overflow (as described in Microsoft Security
Bulletin MS04-011).
Payload Trigger:
n/a
Payload: Opens a back door.
Large scale e-mailing: Uses its own SMTP engine to send an email to addresses gathered from the compromised computer.
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Modifies the Hosts file.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: 50,719 bytes
Time stamp of attachment: n/a
Ports: TCP Port 10087
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Kelvir.AO
Discovered April 25, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AO
is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.
Payload Trigger:
n/a
Payload: Drops a variant of W32.Spybot.Worm
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: Attempts to spread via MSN Messenger.
Read the full Symantec report here
W32.Antiman.A@mm
Discovered April 25, 2005
Systems Affected: All Windows32 Systems
W32.Antiman.A@mm
is a mass-mailing worm that uses its own SMTP engine to send a copy of
itself to all email addresses that it finds in the compromised computer.
Payload Trigger:
n/a
Payload: n/a
Large scale e-mailing: Uses its own SMTP engine to mail itself to gathered email addresses.
Deletes files: n/a
Modifies files: n/a
Degrades performance: Mass-mailing may degrade computer performance.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Kelvir.AP
Discovered April 26, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AP
is a worm that sends a message to all MSN messenger contacts on the compromised
computer and attempts to download a file.
Payload Trigger:
n/a
Payload: Attempts to download and execute remote file.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: Spreads via MSN Messenger.
Read the full Symantec report here
W32.Allim.A
Discovered April 26, 2005
Systems Affected: All Windows32 Systems
W32.Allim.A
is a worm that spreads a variant of the W32.Spybot.Worm through America
Online Instant Messenger (AIM).
Payload Trigger:
n/a
Payload: May open a back door.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: Uses the compromised computer as a traffic relay or proxy.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Attempts to terminate processes and services.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: America Online Instant Messenger (AIM).
Read the full Symantec report here
W32.Gaobot.DEY
Discovered April 27, 2005
Systems Affected: All Windows32 Systems
W32.Gaobot.DEY
is a network-aware worm with back door capabilities that spreads to network
shares protected by weak passwords and can be controlled through IRC channels.
It also attempts to lower security settings by blocking access to security
related Web sites and terminating processes.
Payload Trigger:
n/a
Payload: Opens a back door
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Terminates processes and services.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP 8080
Shared drives: Spreads to network shares protected by weak passwords.
Target of infection: n/a
Read the full Symantec report here
W32.Allim.B
Discovered April 27, 2005
Systems Affected: All Windows32 Systems
W32.Allim.B
is a worm that spreads through America Online Instant Messenger (AIM)
and drops a variant of Backdoor.Sdbot.
Payload Trigger:
n/a
Payload: Drops a variant of Backdoor.Sdbot, which opens a back door.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Disables the Registry and Task Manager.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: America Online Instant Messenger (AIM)
Read the full Symantec report here
W32.Nopir.A
Discovered April 27, 2005
Systems Affected: All Windows32 Systems
W32.Nopir.A
is a worm that deletes files on the infected computer and attempts to
place itself in a shared eMule folder.
Payload Trigger:
n/a
Payload: Deletes files
Large scale e-mailing: n/a
Deletes files: Deletes .mp3 and .com files.
Modifies files: n/a
Degrades performance: n/a
Causes system instability: May prevent certain applications from running.
Releases confidential info: n/a
Compromises security settings: Disables Registry Editor and Task Manager.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: Attempts to spread via file-sharing applications.
Read the full Symantec report here
W32.Kelvir.AW
Discovered April 27, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AW
is a worm that downloads a file and sends a message to all MSN messenger
contacts on the compromised computer.
Payload Trigger:
n/a
Payload: Drops a copy of W32.Spybot.Worm.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Lowers security settings by terminating
security-related processes and services.
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: MSN Messenger.
Read the full Symantec report here
W32.Mydoom.BL@mm
Discovered April 27, 2005
Systems Affected: All Windows32 Systems
W32.Mydoom.BL@mm
is a mass-mailing worm that uses its own SMTP engine to send itself to
the email addresses that it finds on an infected computer.
Payload Trigger:
n/a
Payload: n/a
Large scale e-mailing: Emails itself to addresses gathered from the compromised computer.
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Size of attachment: 86,637 bytes
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Netsky.AI@mm
Discovered April 27, 2005
Systems Affected: All Windows32 Systems
W32.Netsky.AI@mm
is a mass-mailing worm that uses its own SMTP engine to send itself to
email addresses it gathers from certain files on the compromised computer,
and copies itself to mapped network drives. The worm also downloads a
copy of Backdoor.Nemog.D.
Payload Trigger:
n/a
Payload: Downloads a copy of Backdoor.Nemog.D.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: Creates a mass-mailing of itself, which may degrade
both network and computer performance.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: Various
Name of attachment: Various
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Kelvir.AX
Discovered April 28, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AX
is a Trojan that sends a message to all MSN messenger contacts on the
compromised computer.
Payload Trigger:
n/a
Payload: Directs the browser to a potentially malicious Web site.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
Read the full Symantec report here
W32.Kelvir.AZ
Discovered April 29, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.AZ
is a worm that sends a message to all MSN messenger contacts on the compromised
computer.
Payload Trigger:
n/a
Payload: Downloads a copy of W32.Spybot.OBZ.
Compromises security settings: Ends security-related processes and services.
Distribution
Target of infection: MSN Messenger.
Read the full Symantec report here
W32.Spybot.OFN
Discovered April 29, 2005
Systems Affected: All Windows32 Systems
W32.Spybot.OFN
is a network-aware worm that has distributed denial of service and back
door capabilities. The worm spreads through network shares protected by
weak passwords and by exploiting vulnerabilities. W32.Spybot.OFN may be
downloaded by W32.Kelvir.AZ.
Payload Trigger:
n/a
Payload: Opens a back door.
Distribution
Ports: TCP ports 8080, 1433, and 445.
Target of infection: Exploits vulnerabilities.
Read the full Symantec report here
W32.Mytob.BR@mm
Discovered April 29, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BR@mm
is a mass-mailing worm with back door functionality that uses its own
SMTP engine to send an email to addresses that it gathers from the compromised
computer.
The worm also spreads through network shares by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger:
n/a
Payload: n/a
Large scale e-mailing: Sends emails.
Modifies files: Modifies the HOSTS file.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP port 10087
Read the full Symantec report here
W32.Topion.A
Discovered April 30, 2005
Systems Affected: All Windows32 Systems
W32.Topion.A
is a network-aware worm that copies itself to network shares.
Payload Trigger:
n/a
Payload: n/a
Modifies files: Copies itself to other network shares.
Degrades performance: Attempts to access remote websites.
Distribution
Target of infection: Attempts to copy itself to network shares.
Read the full Symantec report here
W32.Mytob.BS@mm
Discovered April 30, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BS@mm
is a mass-mailing worm with back door functionality that uses its own
SMTP engine to send an email to addresses that it gathers from the compromised
computer.
The worm also spreads through network shares by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger:
n/a
Payload: Opens a back door that allows unauthorized remote access to the compromised computer.
Large scale e-mailing: Sends emails.
Modifies files: Modifies the Hosts file.
Compromises security settings: Modifies the Hosts file to block access
to several security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip
file extension.
Ports: TCP port 6667 and 10087.
Read the full Symantec report here