May 2006
Select the links for detailed information and removal tools for the latest viruses.
Threat              Date      Level
W32.Lecna.A         05/31/06  2
W32.Ecup            05/25/06  2
W32.Banwarum        05/25/06  2
W32.Mytob.QA        05/24/06  2
W32.Mytob.PP        05/23/06  2
W32.Browaf          05/22/06  2
W32.Areses.H        05/15/06  2
W32.Bactera         05/11/06  2
W32.Amirecivel.C    05/09/06  2
W32.Bugbear.O       05/09/06  2
W32.Amirecivel.B    05/09/06  2
W32.Amirecivel      05/04/06  2
W32.Areses.F        05/03/06  2
W32.Mytob.PO        05/02/06  2
W32.Beagle.EG       05/02/06  2

W32.Beagle.EG@mm
Discovered: May 02, 2006
Systems Affected: All Windows32 Systems
W32.Beagle.EG@mm is a mass-mailing worm that uses its own SMTP engine to spread. The mail is written in Russian.
Payload Trigger: n/a
Payload: Attempts to download remote files.
Large scale e-mailing: Mass-mails itself to addresses gathered on the compromised computer.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: Varies
Read the full Symantec report here.

W32.Mytob.PO@mm
Discovered: May 02, 2006
Systems Affected: All Windows32 Systems
W32.Mytob.PO@mm is a mass-mailing worm that may open a back door and lower security settings on the compromised computer.
Payload Trigger: n/a
Payload: Opens a back door and lowers security settings.
Large scale e-mailing: Sends email to addresses gathered from the compromised computer.
Distribution
Subject of email: Varies
Name of attachment: Varies

W32.Areses.F@mm
Discovered: May 03, 2006
Systems Affected: All Windows32 Systems
W32.Areses.F@mm is a mass-mailing worm that opens a back door on the compromised computer and may download files.
Payload Trigger: n/a
Payload: Sends copies of itself by email to addresses gathered from the compromised computer.
Large scale e-mailing: Uses its own SMTP engine to mass-mail copies of itself to addresses gathered from the compromised computer.
Distribution
Subject of email: The subject is randomly generated.
Name of attachment: message.hta

W32.Amirecivel
Discovered: May 04, 2006
Systems Affected: All Windows32 Systems
W32.Amirecivel is a worm that attempts to spread via the Kazaa file-sharing network and hides security-related windows.

W32.Amirecivel.B
Discovered: May 09, 2006
Systems Affected: All Windows32 Systems
W32.Amirecivel.B is a worm that attempts to spread via the Kazaa file-sharing network and hides security-related windows.
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: n/a
Deletes files: Deletes .dll files in the %CurrentFolder%.
Compromises security settings: Hides windows relating to security programs.

W32.Bugbear.O@mm
Discovered: May 09, 2006
Systems Affected: All Windows32 Systems
W32.Bugbear.O@mm is a mass-mailing worm that opens a back door on the compromised computer.
Payload Trigger: n/a
Payload: Opens a back door allowing unauthorized access to the compromised computer.
Large scale e-mailing: Uses its own SMTP engine to send out mass mails.
Compromises security settings: Ends processes, some of which may be security related.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: Varies
Ports: TCP port 1080

W32.Amirecivel.C
Discovered: May 09, 2006
Systems Affected: All Windows32 Systems
W32.Amirecivel.C is a worm that spreads through the Kazaa file-sharing network.
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: n/a
Deletes files: Deletes .dll files in the %CurrentFolder%.
Compromises security settings: Hides windows relating to security programs.

W32.Bactera
Discovered: May 11, 2006
Systems Affected: All Windows32 Systems
W32.Bactera is a worm that attempts to spread through file sharing networks.
Payload Trigger: n/a
Payload: n/a
Distribution
Shared drives: Copies itself to file sharing networks.

W32.Areses.H@mm
Discovered: May 15, 2006
Systems Affected: All Windows32 Systems
W32.Areses.H@mm is a mass-mailing worm that opens a back door on the compromised computer and may download files.
Payload Trigger: n/a
Payload: Opens a back door on the compromised computer and may attempt to download remote files.
Large scale e-mailing: Sends a copy of itself to email addresses gathered from the compromised computer.
Distribution
Subject of email: Random
Name of attachment: Random
Ports: Random TCP port

W32.Browaf
Discovered: May 22, 2006
Systems Affected: All Windows32 Systems
W32.Browaf is a worm that sends a link to a copy of itself via Yahoo Instant Messenger and mIRC. It also modifies the Internet Explorer home page.
Payload Trigger: n/a
Payload: Modifies the Internet Explorer home page.
Adds itself to the Start Menu as an icon called Internet Browser.
Displays the following message:
    Title: Download
    OK
    Message: Complete Downloading....
Displays the following message:
    Please wait....

W32.Mytob.PP@mm
Discovered: May 23, 2006
Systems Affected: All Windows32 Systems
W32.Mytob.PP@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: Sends an embedded malicious link to a copy of itself via email.
Compromises security settings: Attempts to terminate processes, some of which may be security-related.
Distribution
Subject of email: Account Alert, [RANDOM STRING]
Ports: TCP 5190

W32.Mytob.QA@mm
Discovered: May 24, 2006
Systems Affected: All Windows32 Systems
W32.Mytob.QA@mm is a mass-mailing worm that opens a back door on the compromised computer.
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Sends a copy of itself to email addresses gathered.
Releases confidential info: Sends confidential computer information.
Distribution
Subject of email: Account Alert or [RANDOM STRING]
Ports: TCP port 8585

W32.Banwarum@mm
Discovered: May 25, 2006
Systems Affected: All Windows32 Systems
W32.Banwarum@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm also spreads through the network by exploiting the Microsoft Windows ASN.1 Library Bit String Processing Variant Heap Corruption Vulnerability (as described in Microsoft Security Bulletin MS04-007). The worm also opens a back door via HTTP access.
Payload Trigger: n/a
Payload: Opens a back door.
Large scale e-mailing: Sends email to all addresses gathered from the compromised computer.
Distribution
Subject of email: Varies
Name of attachment: Varies
Size of attachment: Varies

W32.Ecup
Discovered: May 25, 2006
Systems Affected: All Windows32 Systems
W32.Ecup is a worm that spreads through file-sharing networks.
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: n/a
Deletes files: May overwrite files in folders relating to certain file-sharing programs.
Distribution
Shared drives: Spreads through file-sharing networks.
Creates the file %CurrentFolder%\log.txt and opens it, displaying the following text:
    PRE-INSTALL
    v1.07
    (C) pUcE Software 2006
    Pre-install has checked your config.
    Everything is ok, you can now run the setup program
    Enjoy!

W32.Lecna.A
Discovered: May 31, 2006
Systems Affected: All Windows32 Systems
W32.Lecna.A is a worm that spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011). The worm opens a back door, downloads remote files, and uses a rootkit to hide its presence on the compromised computer.
Payload Trigger: n/a
Payload: Opens a back door and downloads remote files.
Compromises security settings: Uses a rootkit to hide its presence.
Opens a back door on the compromised computer and allows a remote attacker to perform the following actions:
    - List, delete, download, and execute files
    - List and end processes
    - Enumerate network computers
    - Exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS04-011) on other computers
    - Uninstall itself
    - Connect to the attacker's computer and transfer data using HTTP commands (to bypass firewalls) or by connecting directly