June 2004
Select the links for detailed information and removal tools for the latest viruses.
W32.Korgo.F
W32.Korgo.F is a minor variant of W32.Korgo.E. It is a worm that attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) on TCP port 445. It also listens on TCP ports 113 and 3067.
Degrades performance: Network propagation routines may degrade overall network performance.
Read the full Symantec report here

W32.Explet.A@mm
W32.Explet.A@mm is a mass-mailing worm that retrieves email addresses from files with .htm, .html, .php, .tbb, and .txt extensions on all fixed drives from C through Y. The email has the following characteristics:
Subject: (one of the following)
Attachment: (one of the following)
Large scale e-mailing: Sends itself to the email addresses that it finds in files on the infected system.
Read the full Symantec report here

W32.Korgo.G
W32.Korgo.G is a minor variant of W32.Korgo.C. It is a worm that attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) on TCP port 445. It also listens on TCP ports 113, 3067, and other random ports.
Degrades performance: Network propagation routines may degrade overall network performance.
Read the full Symantec report here

W32.Donk.R
W32.Donk.R is a worm that propagates through open network shares. It attempts to spread by exploiting these vulnerabilities: Microsoft DCOM RPC (as described in Microsoft Security Bulletin MS03-026). The worm can also function as a backdoor server program.
Degrades performance: Terminates a number of programs, including several antivirus programs.
Read the full Symantec report here
W32.Dabber.B
W32.Dabber.B is a variant of W32.Dabber.A. This worm propagates by exploiting a vulnerability in the FTP server component of W32.Sasser.Worm and its variants. W32.Dabber.B is based on available exploit code. It installs a backdoor on infected hosts and tries to listen on port 9898. If that attempt fails, the worm tries to listen on ports 9899 through 9999 in sequence until it finds an open port.
Payload: Opens the backdoor on the system.
Read the full Symantec report here

W32.Gaobot.AOL
W32.Gaobot.AOL is a worm that spreads through open network shares and several Windows vulnerabilities. The vulnerabilities are: The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026). The worm can act as a backdoor and attack other computers. It also attempts to kill the processes of many antivirus and security programs.
Releases confidential info: Steals CD keys from a large number of games.
Read the full Symantec report here

W32.Svoy.A@mm
W32.Svoy.A@mm is a mass-mailing worm that uses Mapi.dll to send itself to all the email addresses that it finds in files with extensions matching the following: .in?, .htm, .html, .tx?, .me, /doc, .db?, .log, .wa?, .ad?, .md?, .xls, .cnv, .csv, .ab?, .his.
Read the full Symantec report here

W32.Joot.A@mm
W32.Joot.A@mm is a mass-mailing worm that attempts to send itself to email addresses found on the system. It also attempts to spread via open shares and the peer-to-peer file-sharing networks Kazaa, iMesh, and Grokster. The worm will also attempt to disable the processes of several antivirus and personal firewall applications. This threat is written in C++ and packed with UPX; however, due to bugs in the code, it may not function as intended.
VBS.Pub
VBS.Pub is a VBScript file-infecting and mass-mailing worm. VBS.Pub infects files with the extensions .ASP, .HTA, .HTM, .HTT, .HTML, .VBE, and .VBS. The worm also mails itself out via Microsoft Outlook to everyone in the address book.
Deletes files: If the day is the 6th, 13th, 21st, or 28th, the worm deletes all the files on the system.
Modifies files: Attributes of HTML and VBS files are changed to read-only.
Read the full Symantec report here

W32.Korgo.H
W32.Korgo.H is a variant of W32.Korgo.F. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108), described in Microsoft Security Bulletin MS04-011. It uses TCP port 445 to do this. W32.Korgo.H listens on TCP ports 113, 3067, and a random port (256-8191).
Degrades performance: Network propagation routines may degrade overall network performance.
Releases confidential info: Backdoor functionality allows unauthorized access.
Compromises security settings: Backdoor functionality may compromise security settings.
Ports: TCP 445, 113, 3067, and 6667. May listen on random ports as well.
Target of infection: Unpatched machines vulnerable to the Microsoft Windows LSASS exploit.
Read the full Symantec report here

W32.Korgo.I
W32.Korgo.I is a variant of W32.Korgo.F. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 3067, and other random ports (256-8191).
Degrades performance: Network propagation routines may degrade overall network performance.
Read the full Symantec report here
Download the removal tool here

W32.Gaobot.AQS
W32.Gaobot.AQS is a worm that spreads through open network shares and several Windows vulnerabilities including:
W32.Gaobot.AQS can act as a backdoor server program and attack other systems. It attempts to stop the processes of many antivirus and security programs.
Compromises security settings: Gives the creator backdoor access to the system via IRC.
Ports: TCP 80, 135, 445
Shared drives: Will attempt to copy itself to systems with weak passwords.
Target of infection: Uses 3 different vulnerabilities in an attempt to spread.
Read the full Symantec report here

W32.Tubty.A@mm
W32.Tubty.A@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all the contacts in the Windows Address Book. The email has the subject "MESSAGE_ID:" and the attachment is "photos.exe".
Large scale e-mailing: Sends itself to all the contacts in the Windows Address Book.
Compromises security settings: May install a password stealer.
Subject of email: MESSAGE_ID:
Name of attachment: photos.exe
Read the full Symantec report here

W32.Sasser.G
W32.Sasser.G is a minor variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability, described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly selected IP addresses for vulnerable systems. The worm's function is identical to that of W32.Sasser.E.Worm, but W32.Sasser.G contains an extra PE file section, which is 1 byte in size and appears to have no function. W32.Sasser.G differs from W32.Sasser.Worm as follows: Uses a different mutex: SkynetNotice. W32.Sasser.G can run on, but not infect, Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable computers.
Read the full Symantec report here
Download the removal tool here

W32.Erkez.B@mm
W32.Erkez.B@mm is a mass-mailing worm that sends itself to the email addresses found on an infected computer.
Read the full Symantec report here

W32.Paps.A@mm
W32.Paps.A@mm is a mass-mailing worm that sends itself as an attachment to the email addresses that it finds on your computer. The email will have a variable subject and file attachment. The attachment will have a .exe file extension.
Read the full Symantec report here

W32.Korgo.L
W32.Korgo.L is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 3067, and other random ports (256-8191).
Degrades performance: Network propagation and HTTP request routines may degrade overall network performance.
Read the full Symantec report here
Download the removal tool here

W32.Randex.ATS
W32.Randex.ATS is a network-aware worm that attempts to connect to a predetermined IRC server.
Releases confidential info: Releases hardware information about the compromised system via IRC.
Read the full Symantec report here

W32.Korgo!gen
W32.Korgo!gen is a generic detection that detects variants of W32.Korgo.
Read the full Symantec report here

JS.Scob.Trojan
JS.Scob.Trojan is a simple Trojan that executes a JavaScript file from a remote server.
Read the full Symantec report here

W32.Korgo.Q
W32.Korgo.Q is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on random TCP ports between 256 and 8191.
Read the full Symantec report here
Download the removal tool here

W32.Korgo.R
W32.Korgo.R is a variant of W32.Korgo.M. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP port 113 and other random ports between 2000 and 8192.
Read the full Symantec report here
Download the removal tool here

W32.Bugbear.K@mm
W32.Bugbear.K@mm is a variant of W32.Bugbear.B@mm and W32.Bugbear.E@mm.
Read the full Symantec report here
W32.Randex.ATX
W32.Randex.ATX is a network-aware worm that may be remotely controlled using IRC.
Deletes files: Deletes the C$, D$, IPC$, and ADMIN$ shares.
Read the full Symantec report here

W32.Gaobot.AUS
W32.Gaobot.AUS is a repacked variant of W32.Gaobot.SN. The worm spreads through open network shares and through backdoors that the Mydoom family of worms opens. It allows attackers to access an infected computer using a predetermined IRC channel.
Releases confidential info: Steals CD keys from a number of computer games.
Read the full Symantec report here
© Copyright 1999 - 2004 The Computer Wizard