May 2004
Select the links for detailed information and removal tools for the latest viruses.
W32.Sasser.Worm
W32.Sasser.Worm is a worm that attempts to exploit the MS04-011 vulnerability. It spreads by scanning randomly-chosen IP addresses for vulnerable systems.
Degrades performance: Causes significant degradation in performance.
Ports: TCP 445, 5554, 9996
Target of infection: Unpatched systems vulnerable to the LSASS exploit (MS04-011).
Read the full Symantec report
Get the Removal Tool here

W32.Sasser.B.Worm
W32.Sasser.B.Worm is a variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly-chosen IP addresses for vulnerable systems.
Read the full Symantec report
Get the Removal Tool here

W32.Sasser.C.Worm
W32.Sasser.C.Worm is a minor variant of W32.Sasser.B.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly-chosen IP addresses for vulnerable systems. This particular variant spawns 1024 threads for the infection routine, whereas the previous variant, W32.Sasser.B.Worm, uses 128 threads.
Read the full Symantec report
Get the Removal Tool here

W32.Sasser.D
The W32.Sasser.D worm is a variant of W32.Sasser.Worm. W32.Sasser.D differs from W32.Sasser.Worm as follows: W32.Sasser.D can only execute on Windows XP systems. The worm can exploit a vulnerable (unpatched) Windows 2000 machine remotely and copy itself to that machine, but it will exit before running any code. In these cases it will produce the following error:
The procedure entry point IcmpSendEcho could not be located in the dynamic link library iphlpapi.dll.
Degrades performance: Generates significant network traffic.
Read the full Symantec report
Get the Removal Tool here
Tool here: W32.Netsky.AC@mm W32.Netsky.AC@mm is a worm that scans for the email addresses on all non-CD-ROM drives on an infected computer. The worm then uses its own SMTP engine to send itself to the email addresses that it finds. The email's From, Body, and attachment vary. The attachment has a .cpl extension. The email has the following characteristicsSubject: Escalation Attachment:
Fix_<random.virus.name>_<random.number>.cpl <random.virus.name> is a variable. It's one of the following strings: NetSky.AB Sasser.B Beagle.AB Mydoom.F MSBlast.B <random.number> is a decimal number between 0 and 32767. For example,
the attachment name could be Fix_Beagle.AB_12345.cpl. support@symantec.com
Message: Dear user of <email.server>, We have received several abuses: - Hundreds
of infected e-Mails have been sent The malicious
file uses your mail account to distribute Due to this,
we are providing you to remove the If you have
problems with the virus removal file,
Attach: <attachment.name>
<random.virus.name>
is a variable. It's one of the following strings: <from.address> is the from address of this email <random.team>
is a variable. It's one of the following strings: <attachment.name>
is the attachment name of this email Read
the full Symantec report: W32.Supova.Z@mm W32.Supova.Z@mm is a mass mailing worm that sends itself to the email addresses in the Microsoft Outlook address book. The email has the following characteristics: Subject:
This document is interesting W32.Supova.Z@mm also uses IRC to spread. Read
the full Symantec report: W32.Netad.Trojan
W32.Netad.Trojan is a Trojan horse that attempts to delete all files on the C: drive.
Read the full Symantec report

W32.Gobot.A
W32.Gobot.A is a worm that spreads through IRC, open network shares, and file-sharing networks. The worm also propagates through any backdoors installed by the Mydoom family of worms.
Compromises security settings: Terminates many security software processes. Allows unauthorized remote access.
Shared drives: Attempts to spread through open network shares.
Target of infection: Spreads through IRC, file-sharing networks, and back doors installed by the Mydoom family of worms.
Read the full Symantec report

W32.Sasser.E.Worm
W32.Sasser.E.Worm is a minor variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011 and spreads by scanning randomly selected IP addresses for vulnerable systems. W32.Sasser.E.Worm differs from W32.Sasser.Worm as follows: Uses a different mutex: SkynetNotice. W32.Sasser.E.Worm can run on (but not infect) Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable systems that they are able to connect to.
Read the full Symantec report

W32.Cycle
W32.Cycle is a worm which attempts to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability. Refer to Microsoft Security Bulletin MS04-011 for additional information.
Payload Trigger: May 18th
Read the full Symantec report

W32.Sasser.F.Worm
W32.Sasser.F.Worm is a variant of W32.Sasser.Worm. This worm attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems. W32.Sasser.F.Worm differs from W32.Sasser.Worm as follows: Uses a different mutex: billgate. W32.Sasser.F.Worm can run on, but not infect, Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect the vulnerable systems to which they are able to connect. In this case, the worm will waste a lot of resources so that programs cannot run properly. (On Windows 95/98/Me computers, the removal tool should be run in Safe mode.)
Read the full Symantec report

W32.Gaobot.AJD
W32.Gaobot.AJD is a worm that spreads through open network shares and several Windows vulnerabilities, including: The DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm also spreads through backdoors that the Beagle and Mydoom worms and the Optix family of backdoors install. W32.Gaobot.AJD can act as a backdoor server program and attack other systems. It attempts to kill the processes of many antivirus and security programs.
Modifies files: Modifies the hosts file.
Read the full Symantec report
Get the Removal Tool here

W32.Wallon.A@mm
W32.Wallon.A@mm is a mass-mailing worm that sends email messages containing a hyperlink to download the worm body from certain URLs. It also harvests the email addresses on the infected machine. The worm exploits the following vulnerability: Microsoft Security Bulletin MS04-004.
Large scale e-mailing: Sends email messages containing an obfuscated link to download the worm body.
The worm comes in as an email with the following properties:
Subject: Re:
Attachment: None
Message body: Contains an obfuscated URI that appears to point to the site http://drs.yahoo.com/<recipient's domain>/NEWS
Clicking the link redirects the user to a Web site to download wmplayer.exe into the Windows Media Player folder. The Web site may attempt to exploit a vulnerability in Internet Explorer to download and execute the file. Windows Media Player can also execute this file when the user tries to use Windows Media Player.
Read the full Symantec report

W32.Sober.G@mm
W32.Sober.G@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. The subject of the email varies, and it will be in either English or German. The email sender address is spoofed. The name of the email attachment varies, and it will have a .bat, .com, .pif, .scr, or .zip file extension. It may also have a double extension. W32.Sober.G@mm attempts to download an executable from a remote host over port 37 and execute it on the infected machine.
Read the full Symantec report

W32.Dabber.A
W32.Dabber.A is a worm. This worm propagates by exploiting a vulnerability in the FTP server component of W32.Sasser.Worm and its variants. This worm is based on available exploit code. W32.Dabber.A installs a backdoor on infected hosts listening on port 9898.
Payload: Opens a backdoor on the system.
Read the full Symantec report

W32.Kibuv.Worm
W32.Kibuv.Worm is a worm that exploits the LSASS vulnerability described in Microsoft Security Bulletin MS04-011 and the DCOM RPC vulnerability described in Microsoft Security Bulletin MS03-026. It spreads by scanning randomly selected IP addresses for vulnerable systems.
Payload: Causes significant performance degradation.
Ports: TCP 135, 445, 9604, 420, 5300
Target of infection: Unpatched systems vulnerable to either the LSASS exploit or the RPC DCOM exploit.
Adds the values: "Vote For Kerry" = "KillBush.exe" to the registry keys:
Read the full Symantec report

W32.Bobax.A
W32.Bobax.A is a worm that exploits the LSASS vulnerability (described in Microsoft Security Bulletin MS04-011). Infected computers may be used as an email relay.
Degrades performance: Causes significant performance degradation.
Read the full Symantec report

W32.Lovgate.W@mm
The W32.Lovgate.W@mm worm is a variant of W32.HLLW.Lovgate@mm. This variant is also a mass-mailing worm that attempts to reply to all the email messages in the Microsoft Outlook Inbox. The worm also uses its own SMTP engine to send itself to all the email addresses that it finds in files with the extensions .txt, .pl, .wab, .adb, .tbb, .dbx, .asp, .php, .sht, and .htm. The "sender" of the email is spoofed, and its subject line and message vary. The attachment name varies, with a .bat, .cmd, .exe, .pif, or .scr file extension. It may also send its .zip archive as an attachment. This worm also attempts to copy itself to all the computers on a local network and to KaZaA shared folders.
Large scale e-mailing: Sends itself to all the contacts of the Windows Address Book and the Outlook Address Book, and to the email addresses that it finds in files with the extensions .txt, .pl, .wab, .adb, .tbb, .dbx, .asp, .php, .sht, and .htm.
Read the full Symantec report

W32.Bobax.C
W32.Bobax.C is a worm that exploits the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. Infected computers can become an email relay.
Degrades performance: Causes significant performance degradation.
Read the full Symantec report

W32.Gaobot.ALO
W32.Gaobot.ALO is a worm that spreads through open network shares and several Windows vulnerabilities. The vulnerabilities are: The DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm also spreads through backdoors installed by the Beagle and Mydoom families of worms. W32.Gaobot.ALO can act as a backdoor server program and attack other systems. It also attempts to kill the processes of many antivirus and security programs.
Read the full Symantec report

W32.Mydoom.K@mm
W32.Mydoom.K@mm is an encrypted, mass-mailing worm that arrives as an attachment with either a .pif, .scr, .exe, .cmd, .bat, or .zip extension.
Large scale e-mailing: Sends to email addresses found in a specified set of files.
Read the full Symantec report here

W32.Bobax.A
W32.Bobax.A is a worm that exploits the LSASS vulnerability (described in Microsoft Security Bulletin MS04-011). Infected computers may be used as an email relay.
Deletes files: Deletes "~*" from %temp%
Read the full Symantec report here

W32.Bobax.D
W32.Bobax.D is a worm that exploits the LSASS vulnerability discussed in Microsoft Security Bulletin MS04-011. Infected computers may become email relays. While this threat may execute on Windows 95/98/Me/2000/Server 2003-based computers, it targets only the Windows XP operating system.
Deletes files: Deletes "~*" from %temp%
Read the full Symantec report here
W32.Gaobot.ALU
W32.Gaobot.ALU is a worm that attempts to spread through network shares with weak passwords. It also allows attackers to access an infected computer using a predetermined IRC channel. Also, the worm attempts to kill the processes of many antivirus and security applications. The worm uses multiple vulnerabilities to spread, including: The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
Releases confidential info: Steals CD-keys from a large number of games.
Read the full Symantec report here

W32.Korgo.A
W32.Korgo.A is a worm that attempts to exploit the Microsoft Windows LSASS vulnerability described in Microsoft Security Bulletin MS04-011.
Degrades performance: May impact system performance.
Attempts to connect to one of the following IRC servers on TCP port 6667: moscow-advokat.ru
Starts a thread to exploit the LSASS Windows vulnerability against random IP addresses on TCP port 445. If successful, the target computer may attempt to connect to the infected computer and download the worm. Starts an infinite loop to stop system shutdown.
Read the full Symantec report here

W32.Korgo.B
W32.Korgo.B is a worm that propagates by exploiting the LSASS vulnerability on TCP port 445 (as described in Microsoft Security Bulletin MS04-011). The worm also listens on TCP ports 113 and 3067, and allows unauthorized access to the infected computer.
Degrades performance: Network propagation routines may degrade overall network performance.
Read the full Symantec report here

W32.Korgo.C
W32.Korgo.C is a worm that propagates by exploiting the LSASS vulnerability on TCP port 445 (as described in Microsoft Security Bulletin MS04-011) and opens a backdoor on TCP ports 113 and 3067.
Degrades performance: Network propagation routines may degrade overall network performance.
Read the full Symantec report here

W32.Gaobot.ALV
W32.Gaobot.ALV is a worm that spreads using weak passwords and the following Windows vulnerabilities: The DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
Payload: Allows unauthorized remote access.
Read the full Symantec report here

W32.Gaobot.ALW
W32.Gaobot.ALW is a worm that spreads through open network shares and several Windows vulnerabilities. The vulnerabilities are: The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026). The worm can act as a backdoor and attack other computers. It also attempts to kill the processes of many antivirus and security programs.
Read the full Symantec report here

W32.Bugbear.G@mm
W32.Bugbear.G@mm is a variant of W32.Bugbear.C@mm that sends itself to email addresses it gathers from certain files on the system, using its own SMTP engine. The worm may also expose certain confidential information from the infected computer. The malformed email uses the Microsoft Internet Explorer Arbitrary Program Execution vulnerability (described in Microsoft Security Bulletin MS03-014) to run a malicious program.
Large scale e-mailing: Sends email to addresses collected from the local system.
Read the full Symantec report here

W32.Netsup.A@mm
W32.Netsup.A@mm is a mass-mailing worm that sends itself to addresses gathered from the Microsoft Outlook address book. The worm can also distribute itself through peer-to-peer file-sharing networks.
Large scale e-mailing: Sends itself to all email contacts found in the Outlook address book.
W32.Netsup.A@mm can arrive as an attachment to an email with the following properties:
From: May contain one of the following: NetworkSupport@<RECIPIENT DOMAIN>
Subjects: May contain one of the following:
Attachment: message.eml.pif
Message Body:
W32.Korgo.D
W32.Korgo.D is a minor variant of W32.Korgo.C. It is a worm that propagates by exploiting the LSASS vulnerability on TCP port 445 (as described in Microsoft Security Bulletin MS04-011) and opens a backdoor on TCP ports 113 and 3067.
Degrades performance: Network propagation routines may degrade overall network performance.
Read the full Symantec report here

W32.Korgo.E
W32.Korgo.E is a minor variant of W32.Korgo.D. This worm propagates by exploiting the LSASS vulnerability on TCP port 445 (as described in Microsoft Security Bulletin MS04-011). It also opens backdoors on TCP ports 113 and 3067.
Degrades performance: Network propagation routines may degrade overall network performance.
Read the full Symantec report here
© Copyright 1999 - 2004 The Computer Wizard