May 2005
Select the links for detailed information and removal tools for the latest viruses
W32.Kassbot.B 5/31/05 2
W32.Pinkton.A 5/31/05 2
Trojan.Tooso.I 5/31/05 2
W32.Mytob.CU 5/30/05 2
W32.Mydoom.BU 5/26/05 2
VBS.Nukip 5/25/05 2
W32.Qdens.A 5/24/05 2
W32.Kalel.A 5/24/05 2
W32.Mytob.CQ 5/24/05 2
W32.Lanieca.B 5/23/05 2
W32.Picrate.C 5/23/05 2
W32.Elitper.F 5/23/05 2
W32.Mytob.CP 5/22/05 2
W32.Linkbot.M 5/21/05 2
W32.Mytob.CM 5/19/05 2
W32.Spybot.PEN 5/19/05 2
W32.Kelvir.CG 5/19/05 2
W32.Kassbot.A 5/19/05 2
W32.Stubbot.A 5/19/05 2
W32.Opanki 5/18/05 2
W32.Shelp 5/17/05 2
W32.Alcan.A 5/17/05 2
W32.Mytob.CH 5/16/05 2
Trojan.Jasbom 5/15/05 2
Trojan.Ascetic.C 5/15/05 2
W32.Sober.P 5/15/05 2
W32.Mytob.CF 5/15/05 2
W32.Mytob.CE 5/14/05 2
W32.Mydoom.BT 5/14/05 2
W32.Lanieca.A 5/11/05 2
W32.Mediakill.A 5/10/05 2
W32.Beagle.BQ 5/10/05 2
W32.Ifbo.A 5/10/05 2
W32.Imspread.Worm 5/10/05 2
W32.Antiman.F 5/09/05 2
W32.Mydoom.BO 5/07/05 2
VBS.Ypsan.E 5/07/05 2
W32.Eshared.A 5/06/05 2
W32.Ezio.A 5/06/05 2
W32.Mytob.BZ 5/06/05 2
VBS.Spiltron 5/06/05 2
W32.Kelvir.BF 5/04/05 2
W32.Mytob.BV 5/03/05 2
W32.Kedebe.B 5/03/05 2
W32.Antiman.E 5/03/05 2
W32.Mydoom.BN 5/03/05 2
W32.Mytob.BU 5/03/05 2
W32.Sober.O 5/02/05 3
W32.Mytob.BT 5/02/05 2
W32.Spybot.OGX 5/02/05 2
W32.Kelvir.BD 5/02/05 2
W32.Banish.A 5/01/05 2
W32.Kelvir.BA 5/01/05 2
W32.Kelvir.BA
Discovered May 01, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.BA is a worm that attempts to spread W32.Spybot.OFN to all MSN Messenger contacts on the compromised computer.
Payload Trigger: n/a
Payload: Sends messages to members of MSN Messenger contact list.
Compromises security settings: Ends security-related processes and services.
Distribution
Target of infection: MSN Messenger.
Read the full Symantec report here
W32.Banish.A@mm
Discovered May 01, 2005
Systems Affected: All Windows32 Systems
W32.Banish.A@mm is a mass-mailing worm that also spreads through the network by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends emails.
Deletes files: Deletes any files found in %Windir%\repair.
Releases confidential info: Attempts to steal passwords.
Distribution
Subject of email: Varies.
Name of attachment: Varies.
Read the full Symantec report here
W32.Kelvir.BD
Discovered May 02, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.BD is a worm that downloads a file and sends a message to all MSN Messenger contacts on the compromised computer.
Payload Trigger: n/a
Payload: Lowers security settings.
Compromises security settings: Attempts to terminate processes, some of which may be security related.
Distribution
Target of infection: MSN Messenger
Read the full Symantec report here
W32.Spybot.OGX
Discovered May 02, 2005
Systems Affected: All Windows32 Systems
W32.Spybot.OGX is a network-aware worm that has distributed denial of service and back door capabilities. The worm spreads through network shares protected by weak passwords and by exploiting vulnerabilities.
Payload Trigger: n/a
Payload: Opens a back door.
Compromises security settings: Modifies the Hosts file to block access to security-related Web sites.
Distribution
Ports: TCP port 8000.
Read the full Symantec report here
W32.Mytob.BT@mm
Discovered May 02, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BT@mm is a mass-mailing worm with back door functionality that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.
The worm also spreads through network shares by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Sends emails.
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Read the full Symantec report here
W32.Sober.O@mm
Discovered May 02, 2005
Systems Affected: All Windows32 Systems
W32.Sober.O@mm is a mass-mailing worm that sends itself as an email attachment to addresses gathered from the compromised computer. It uses its own SMTP engine to spread. The email may be in either English or German.
Payload Trigger: n/a
Payload: Sends itself as an email attachment to addresses gathered from the compromised computer.
Large scale e-mailing: The email may be in either English or German.
Distribution
Subject of email: Varies in English or German
Name of attachment: Varies with .zip file extension.
Ports: Port 37
When W32.Sober.O@mm is executed, it displays a message with the following text:
Title: WinZip Self-Extractor
Body: Error: CRC not complete
Read the full Symantec report here
Download the Fix Tool here
W32.Mytob.BU@mm
Discovered May 03, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BU@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.
The worm also opens a back door and spreads through the network by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger: n/a
Payload: Spreads through email attachment and by exploiting remote vulnerabilities.
Large scale e-mailing: Sends itself out as an email attachment.
Compromises security settings: Overwrites the Hosts file.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.
Size of attachment: 59,392 bytes
Ports: TCP port 10087.
Read the full Symantec report here
W32.Mydoom.BN@mm
Discovered May 03, 2005
Systems Affected: All Windows32 Systems
W32.Mydoom.BN@mm is a mass-mailing worm that has back door capabilities and that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Sends itself as an email attachment.
Modifies files: Overwrites the Hosts file.
Compromises security settings: Disables processes and services, some of which may be security related.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.
Ports: TCP port 6667
Read the full Symantec report here
W32.Antiman.E@mm
Discovered May 03, 2005
Systems Affected: All Windows32 Systems
W32.Antiman.E@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all email addresses that it finds on the compromised computer.
Payload Trigger: n/a
Payload: Uses its own SMTP engine to send itself as an attachment.
Large scale e-mailing: Sends itself in an email as an attachment.
Distribution
Subject of email: Varies
Name of attachment: Varies
Read the full Symantec report here
W32.Kedebe.B@mm
Discovered May 03, 2005
Systems Affected: All Windows32 Systems
W32.Kedebe.B@mm is a mass-mailing worm that terminates processes and prevents access to Web sites, some of which are security related.
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Sends itself in an email as an attachment.
Modifies files: Modifies the Hosts file.
Compromises security settings: Attempts to disable processes, some of which may be security related.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: Random TCP Ports.
Read the full Symantec report here
W32.Mytob.BV@mm
Discovered May 03, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BV@mm is a mass-mailing worm with back door functionality that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.
The worm also spreads through network shares by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Sends emails.
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Read the full Symantec report here
W32.Kelvir.BF
Discovered May 04, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.BF is a worm that downloads a file and sends a message to all MSN Messenger contacts on the compromised computer.
Payload Trigger: n/a
Payload: Drops a copy of W32.Spybot.Worm.
Compromises security settings: Lowers security settings by terminating security-related processes and services.
Distribution
Target of infection: MSN Messenger
Read the full Symantec report here
VBS.Spiltron@mm
Discovered May 06, 2005
Systems Affected: All Windows32 Systems
VBS.Spiltron@mm is a mass-mailing worm that may also spread through IRC channels. It also disables the Registry Editor and modifies settings in Windows Explorer.
Payload Trigger: n/a
Payload:
Large scale e-mailing: Sends email to addresses from the Windows Address Book.
Deletes files: Deletes files.
Causes system instability: Modifies Windows Explorer and disables the registry editor.
Compromises security settings: Ends security-related processes.
Distribution
Subject of email: "Spyware Remover" or "Security For Your Computer"
Name of attachment: Varies.
Read the full Symantec report here
W32.Mytob.BZ@mm
Discovered May 06, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.BZ@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.
The worm also opens a back door and spreads through the network by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger: n/a
Payload: Opens a back door.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies.
Name of attachment: Varies.
Ports: TCP port 6667
Read the full Symantec report here
W32.Ezio.A@mm
Discovered May 06, 2005
Systems Affected: All Windows32 Systems
W32.Ezio.A@mm is a mass-mailing worm that can spread through file-sharing networks and prevents access to security-related Web sites.
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends email.
Modifies files: Modifies the Hosts file and overwrites files in file-sharing folders.
Compromises security settings: Blocks access to security-related Web sites and disables security-related software.
Distribution
Subject of email: Mail Error
Name of attachment: document.zip
Target of infection: Spreads through file-sharing networks.
Read the full Symantec report here
W32.Eshared.A@mm
Discovered May 06, 2005
Systems Affected: All Windows32 Systems
W32.Eshared.A@mm is a mass-mailing worm that uses MAPI to send a copy of itself to email addresses gathered from the compromised computer.
Payload Trigger: n/a
Payload: n/a
Modifies files: Modifies %WINDIR%\WIN.INI
Distribution
Subject of email: Varies
Name of attachment: Varies
Read the full Symantec report here
VBS.Ypsan.E@mm
Discovered May 07, 2005
Systems Affected: All Windows32 Systems
VBS.Ypsan.E@mm is a mass-mailing worm that sends itself to all email addresses gathered from the Windows Address Book and attempts to shut down the compromised computer.
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends emails
Deletes files: Deletes commands from autoexec.bat file
Compromises security settings: Attempts to disable anti-virus software
Distribution
Subject of email: The Info That You Asked For
Name of attachment: Install.vbs
Read the full Symantec report here
W32.Mydoom.BO@mm
Discovered May 07, 2005
Systems Affected: All Windows32 Systems
W32.Mydoom.BO@mm is a worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm also opens a back door on TCP port 6677.
Payload Trigger: n/a
Payload: Opens a back door on TCP port 6677
Large scale e-mailing: Sends itself as an email attachment.
Modifies files: Modifies the Hosts file to block access to security-related Web sites.
Compromises security settings: Terminates security-related processes.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .scr, .exe or .cmd file extension.
Read the full Symantec report here
W32.Antiman.F@mm
Discovered May 09, 2005
Systems Affected: All Windows32 Systems
W32.Antiman.F@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all email addresses that it finds on the compromised computer. W32.Antiman.F@mm typically arrives as an email attachment.
Payload Trigger: n/a
Payload: Sends itself to addresses it finds on the compromised computer.
Large scale e-mailing: Emails itself as an attachment.
Distribution
Subject of email: Varies
Name of attachment: Varies
Read the full Symantec report here
W32.Imspread.Worm
Discovered May 10, 2005
Systems Affected: All Windows32 Systems
W32.Imspread.Worm is a worm component that spreads through America Online Instant Messenger (AIM).
Payload Trigger: n/a
Payload: Attempts to download a remote file.
Distribution
Target of infection: America Online Instant Messenger (AIM)
When W32.Imspread.Worm is executed, it performs the following actions:
Simulates typing keys to command the AIM program to send the following message to all the AIM contacts on the compromised computer:
Body: i thought youd wanna see this
Notes:
Where "this!" is a link to the URL: http:/ /imo.c[domain removed]b.net/aim.com
A recipient must click on the link "this!", download the file aim.com, and then execute the file.
At the time of writing the link points to an empty file (0 bytes length). This link may have previously contained a variant of W32.Randex.
Protects the malicious executable with an encryption tool, "PolyCrypt PE", which does not appear to work correctly under several Windows platforms. This will cause the processor to loop indefinitely, blocking the worm from executing properly.
Read the full Symantec report here
W32.Ifbo.A
Discovered May 10, 2005
Systems Affected: All Windows32 Systems
W32.Ifbo.A is a worm that spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011) and disables security services.
Payload Trigger: n/a
Payload: n/a
Deletes files: Deletes files associated with services that the worm stops.
Compromises security settings: Disables processes and services, some of which may be security related.
Distribution
Ports: TCP Ports 445 and 80.
Read the full Symantec report here
W32.Beagle.BQ@mm
Discovered May 10, 2005
Systems Affected: All Windows32 Systems
W32.Beagle.BQ@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of a Trojan.Tooso variant. The worm also opens a back door on the compromised computer on TCP port 80.
Payload Trigger: n/a
Payload: Allows unauthorized remote access.
Large scale e-mailing: Sends email to addresses collected from the compromised computer.
Distribution
Subject of email: Blank
Ports: TCP port 80
Read the full Symantec report here
W32.Mediakill.A
Discovered May 10, 2005
Systems Affected: All Windows32 Systems
W32.Mediakill.A@mm is a mass-mailing worm that sends a copy of itself to the first ten addresses in the Windows Address Book.
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends itself out to addresses it finds on the compromised computer.
Deletes files: Attempts to delete media files.
Modifies files: Modifies the win.ini and system.ini files.
Compromises security settings: Terminates processes, some of which may be security related.
Distribution
Subject of email: Varies
Name of attachment: Varies with .exe file extension
Size of attachment: 39,936 bytes
Read the full Symantec report here
W32.Lanieca.A@mm
Discovered May 11, 2005
Systems Affected: All Windows32 Systems
W32.Lanieca.A@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all e-mail addresses it retrieves from various locations on a compromised computer.
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends emails.
Distribution
Subject of email: Varies.
Name of attachment: Varies with a .zip extension.
Read the full Symantec report here
W32.Mydoom.BT@mm
Discovered May 14, 2005
Systems Affected: All Windows32 Systems
W32.Mydoom.BT@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer and has back door capabilities.
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Sends itself as an email to addresses gathered from the compromised computer.
Modifies files: Modifies the Hosts file.
Compromises security settings: Terminates processes, some of which may be security related.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension
Ports: TCP port 6677
Read the full Symantec report here
W32.Mytob.CE@mm
Discovered May 14, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.CE@mm is a mass-mailing worm with back door functionality that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.
Payload Trigger: Opens a back door.
Payload: n/a
Large scale e-mailing: Sends emails.
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies.
Name of attachment: Varies.
Ports: Random TCP ports.
Read the full Symantec report here
W32.Mytob.CF@mm
Discovered May 15, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.CF@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.
The worm also opens a back door and spreads through the network by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger: n/a
Payload: Opens a back door.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Read the full Symantec report here
W32.Sober.P@mm
Discovered May 15, 2005
Systems Affected: All Windows32 Systems
W32.Sober.P@mm is a mass-mailing worm that uses its own SMTP engine to send emails to addresses gathered from the compromised computer. The email may be in either English or German.
Payload Trigger: n/a
Payload: Sends itself as an email attachment to addresses gathered from the compromised computer.
Large scale e-mailing: The email may be in either English or German.
Modifies files: Overwrites luall.exe if present.
Compromises security settings: Attempts to terminate security-related processes.
Distribution
Subject of email: Varies
Read the full Symantec report here
Trojan.Ascetic.C
Discovered May 15, 2005
Systems Affected: All Windows32 Systems
Trojan.Ascetic.C is a Trojan horse that uses its own SMTP engine to send spam email to addresses gathered from the compromised computer. The email may be in either English or German.
Note: Definitions prior to May 16, 2005 may detect this threat as W32.Sober.P@mm.
Payload Trigger: n/a
Payload: Sends itself as an email attachment to addresses gathered from the compromised computer.
Large scale e-mailing: The email may be in either English or German.
Modifies files: Overwrites luall.exe if present.
Compromises security settings: Attempts to terminate security-related processes.
Read the full Symantec report here
Trojan.Jasbom
Discovered May 15, 2005
Systems Affected: All Windows32 Systems
Trojan.Jasbom is a Trojan horse that attempts to exploit the Microsoft Internet Explorer ITS Protocol Zone Bypass Vulnerability (as described in Microsoft Security Bulletin MS04-013). The Trojan logs keystrokes, mouse clicks, and application memory when the application Lineage is in use. The Trojan sends this logged information to a Web site on the j4sb.com domain.
Notes:
Definitions dated prior to May 12, 2005 may detect this threat as PWSteal.Lineage.
On May 15, 2005, the company Kakaku.com acknowledged that their Web site may have been compromised between May 11-14, 2005. During this time, Trojan.Jasbom was installed on their Web server. Computer users who accessed this Web site with unpatched versions of Internet Explorer may have had this Trojan downloaded to their computers between these dates.
Payload Trigger: n/a
Payload: Lowers security settings by terminating security-related processes.
Releases confidential info: Logs keystrokes and sends stolen information to a predetermined address.
Read the full Symantec report here
Download the Removal Tool here
W32.Mytob.CH@mm
Discovered May 16, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.CH@mm is a mass-mailing worm with back door functionality that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Sends emails.
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: Random TCP ports
Read the full Symantec report here
W32.Alcan.A
Discovered May 17, 2005
Systems Affected: All Windows32 Systems
W32.Alcan.A is a worm that spreads through file-sharing networks, such as Kazaa, Ares, eMule, Morpheus, Grokster, Bearshare, Limewire, eDonkey2000, Gnucleus, Shareaza, and Rapigator. The worm also drops a W32.Spybot.Worm variant onto the compromised computer.
Payload Trigger: n/a
Payload: Dropped W32.Spybot.Worm variant opens a back door.
Read the full Symantec report here
W32.Shelp
Discovered May 17, 2005
Systems Affected: Windows 2000, Windows Server 2003, Windows XP
W32.Shelp is a worm that propagates by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger: n/a
Payload: Attempts to download and execute remote files.
Read the full Symantec report here
W32.Opanki
Discovered May 18, 2005
Systems Affected: All Windows32 Systems
W32.Opanki is an IRC worm that spreads through AOL Instant Messenger.
Payload Trigger: n/a
Payload: May allow unauthorised access by a remote attacker.
Distribution
Ports: TCP port 4888
Target of infection: Targets users of AOL Instant Messenger
Read the full Symantec report here
W32.Stubbot.A@mm
Discovered May 19, 2005
Systems Affected: All Windows32 Systems
W32.Stubbot.A@mm is a mass-mailing worm that opens an IRC back door and also spreads through network shares.
Payload Trigger: n/a
Payload: Opens a back door on the compromised computer.
Large scale e-mailing: Sends itself to all email addresses it finds on the compromised computer.
Releases confidential info: Logs keystrokes
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP port 6667
Target of infection: Network shares
Read the full Symantec report here
W32.Kassbot.A@mm
Discovered May 19, 2005
Systems Affected: All Windows32 Systems
W32.Kassbot.A is a network-aware worm that opens a back door through IRC. The worm monitors for access to certain financial Web sites, logging keystrokes when they are visited.
Payload Trigger: n/a
Payload: Opens a back door
Modifies files: Modifies the Hosts file.
Releases confidential info: Installed keylogger captures information from financial Web sites.
Compromises security settings: Modifies the Hosts file to prevent access to Web sites, some of which may be security related.
Distribution
Ports: TCP Port 1051 and higher.
Read the full Symantec report here
W32.Kelvir.CG
Discovered May 19, 2005
Systems Affected: All Windows32 Systems
W32.Kelvir.CG is a worm that drops a copy of W32.Spybot.PEN and sends a message to all MSN Messenger contacts on the compromised computer.
Payload Trigger: n/a
Payload: Drops a copy of W32.Spybot.PEN, which may open a back door on the compromised computer.
Distribution
Target of infection: Spreads through MSN Messenger.
Read the full Symantec report here
W32.Spybot.PEN
Discovered May 19, 2005
Systems Affected: All Windows32 Systems
W32.Spybot.PEN is a network-aware worm that has distributed denial of service and back door capabilities. The worm spreads through network shares protected by weak passwords and by exploiting vulnerabilities. The worm may be dropped by W32.Kelvir.CG.
Payload Trigger: n/a
Payload: Opens a back door on TCP port 8076.
Distribution
Ports: TCP ports 8076 and 445, and UDP port 1433.
Read the full Symantec report here
W32.Mytob.CM@mm
Discovered May 19, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.CM@mm is a mass-mailing worm that has back door capabilities and uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm spreads through the network by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Sends email to addresses collected from the compromised computer.
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Ports: TCP port 10082
Target of infection: Exploits vulnerabilities.
Read the full Symantec report here
W32.Linkbot.M
Discovered May 21, 2005
Systems Affected: All Windows32 Systems
W32.Linkbot.M is a worm that exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (Microsoft Security Bulletin MS04-011) in order to propagate. It also creates a back door on the system accessible through IRC.
Payload Trigger: n/a
Payload: Allows unauthorized remote access.
Distribution
Ports: Connects on TCP port 6667. Listens on TCP port 113.
Read the full Symantec report here
W32.Mytob.CP@mm
Discovered May 22, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.CP@mm is a mass-mailing worm that has back door capabilities and uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm spreads through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger: n/a
Payload: Allows unauthorized remote access.
Large scale e-mailing: Sends email to addresses collected from the compromised system.
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies with a .bat, .cmd, .doc, .exe, .htm, .pif, .scr, .tmp, .txt, or .zip file extension.
Size of attachment: 63,488 bytes
Ports: TCP port 10082 and a random TCP port.
Target of infection: Systems vulnerable to LSASS exploit.
Read the full Symantec report here
W32.Elitper.F@mm
Discovered May 23, 2005
Systems Affected: All Windows32 Systems
W32.Elitper.F@mm is a worm that attempts to spread using MS Outlook and file-sharing networks. It also terminates processes, deletes files, and lowers Windows security settings.
Payload Trigger: n/a
Payload: Lowers Security Settings
Modifies files: Modifies the Hosts file
Causes system instability: Disables execution of various system programs and utilities.
Compromises security settings: Lowers security settings.
Distribution
Subject of email: Torrie Wilson And Stacy Keibler Nude Pictures
Name of attachment: Torrie & Stacy Nude ScreenSaver.exe
Size of attachment: 36,055 bytes
Read the full Symantec report here
W32.Picrate.C@mm
Discovered May 23, 2005
Systems Affected: All Windows32 Systems
W32.Picrate.C@mm is a mass-mailing worm that sends copies of itself to instant messenger contacts and drops a variant of the W32.Randex family of worms.
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends a mass mailing.
Degrades performance: Disables certain functionality on the compromised computer.
Distribution
Subject of email: Varies
Name of attachment: File.zip
Size of attachment: 338,432 bytes
Read the full Symantec report here
W32.Lanieca.B@mm
Discovered May 23, 2005
Systems Affected: All Windows32 Systems
W32.Lanieca.B@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all e-mail addresses it retrieves from various locations on a compromised computer.
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends an email to addresses gathered from the compromised computer.
Releases confidential info: Steals system information and logs keystrokes.
Distribution
Subject of email: Varies.
Name of attachment: Varies with a .zip file extension.
Size of attachment: 78,336 bytes
Read the full Symantec report here
W32.Mytob.CQ@mm
Discovered May 24, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.CQ@mm is a mass-mailing worm that has back door capabilities and uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm spreads through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Sends a mass-mailing.
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to security-related Web sites.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: 66,560 bytes
Ports: TCP ports 6667 and 10087.
Read the full Symantec report here
W32.Kalel.A@mm
Discovered May 24, 2005
Systems Affected: All Windows32 Systems
W32.Kalel.A@mm is a mass-mailing worm that uses its own SMTP engine to spread. It also attempts to spread through various file-sharing networks.
Payload Trigger: n/a
Payload: Opens a back door and allows unauthorized remote access to the compromised computer.
Large scale e-mailing: Sends emails.
Degrades performance: Prevents several programs from running on system startup.
Compromises security settings: Logs keystrokes.
Distribution
Subject of email: Mail delivery failed: returning message to sender
Name of attachment: error_details.zip
Ports: TCP port 51435
Target of infection: May spread through file-sharing networks.
Read the full Symantec report here
W32.Qdens.A
Discovered May 24, 2005
Systems Affected: All Windows32 Systems
W32.Qdens.A is a worm that spreads through QQ Messenger and downloads a copy of Backdoor.Powerspider.
Payload Trigger: n/a
Payload: Downloads and executes Backdoor.Powerspider.
Modifies files: Injects its code into various files.
Degrades performance: Ends processes related to various programs.
Distribution
Target of infection: Sends itself through QQ Messenger.
Read the full Symantec report here
VBS.Nukip
Discovered May 25, 2005
Systems Affected: All Windows32 Systems
VBS.Nukip is a worm that deletes system files and spreads through IRC channels.
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Attempts to spread through Microsoft Outlook.
Deletes files: Deletes system files.
Distribution
Target of infection: Spreads through IRC channels. Attempts to spread through Microsoft Outlook.
Read the full Symantec report here
W32.Mydoom.BU@mm
Discovered May 26, 2005
Systems Affected: All Windows32 Systems
W32.Mydoom.BU@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer and that has back door capabilities.
Payload: Opens a back door.
Large scale e-mailing: Sends itself as an attachment to email addresses it gathers from the compromised computer.
Modifies files: Modifies the Hosts file.
Degrades performance: Mass-mailing may degrade performance
Causes system instability: Mass-mailing may degrade stability.
Compromises security settings: Disables processes, some of which may be security related, and blocks access to Web sites that may be security related.
Distribution
Subject of email: Varies
Name of attachment: Varies
Read the full Symantec report here
Download the Removal Tool here
W32.Mytob.CU@mm
Discovered May 30, 2005
Systems Affected: All Windows32 Systems
W32.Mytob.CU@mm is a mass-mailing worm that has back door capabilities and uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.
Payload Trigger: n/a
Payload: Opens a back door and downloads remote files.
Large scale e-mailing: Sends a copy of itself to email addresses gathered from the compromised computer.
Modifies files: Modifies the Hosts file to block access to several security-related Web sites.
Compromises security settings: Blocks access to security-related Web sites and ends security-related processes.
Distribution
Subject of email: Varies.
Name of attachment: Varies.
Ports: TCP port 4512
Read the full Symantec report here
Trojan.Tooso.I
Discovered May 31, 2005
Systems Affected: All Windows32 Systems
Trojan.Tooso.I is a Trojan horse that interferes with the operation of security software by terminating processes, stopping services, removing registry entries, and deleting files.
Payload Trigger: n/a
Payload: Lowers security settings
Modifies files: Overwrites the Hosts file.
Compromises security settings: Terminates services and processes, some of which may be security related.
Read the full Symantec report here
W32.Pinkton.A
Discovered May 31, 2005
Systems Affected: All Windows32 Systems
W32.Pinkton.A is a worm component that spreads through America Online Instant Messenger (AIM).
Payload Trigger: n/a
Payload: Opens a back door.
Degrades performance: Directed Denial of Service may degrade performance and resources.
Compromises security settings: Attempts to disable security-related processes.
Distribution
Ports: Port 80
Target of infection: AOL Instant Messenger Service (AIM).
Read the full Symantec report here
W32.Kassbot.B
Discovered May 31, 2005
Systems Affected: All Windows32 Systems
W32.Kassbot.B is a network-aware worm that propagates by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
Payload Trigger: n/a
Payload: Blocks access to certain Web sites by modifying the Hosts file.
Modifies files: Modifies the Hosts file.
Distribution
Ports: TCP port 135.
Target of infection: Computers vulnerable to DCOM RPC Interface Buffer Overrun Vulnerability.
Read the full Symantec report here