Virus Alert!


Sean
05-29-2004, 06:16 AM
VBS.Krim
VBS.Krim is a mass-mailing worm that sends itself to contacts in the Microsoft Outlook address book and propagates through IRC. It also attempts to format the infected computer's C: drive if the worm does not find a file that it creates.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


Details
VBS.Krim arrives as an attachment to an email with the following characteristics:

Subject: SYMANTEC NORTON ANTIVIRUS
Body: REMOVE VIRUS SASSER
Attachment: mirko.bat


If the worm locates an mIRC installation, it creates a script.ini file to send itself to other IRC users.


If the C:\autoexec.bat file exists, but C:\mirko.bat does not exist, the worm attempts to add a format command to C:\autoexec.bat.


Displays the following message:

Hello %username%


Launches C:\mirko.vbs and sends itself to all email addresses in the Outlook address book.
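The two side effects above that a responder can check for without a sample are the FORMAT command the worm appends to C:\autoexec.bat and the mIRC script.ini it writes to push itself at other IRC users. The script below is an added example, not code from the original post or from Symantec: the two sample files are constructed, and the exact script.ini contents and FORMAT switches are assumptions (the post says only that the worm creates a script.ini and adds "a format command").

```python
"""Triage checks for the VBS.Krim side effects described above: a FORMAT
command injected into C:\\autoexec.bat and a mIRC script.ini that pushes the
worm at other IRC users. Added example, not code from the original post;
the two sample files are constructed, and the exact script.ini contents and
FORMAT switches are assumptions."""
import re
from typing import Dict, List, Optional

# Constructed autoexec.bat with the kind of line the worm would append.
SAMPLE_AUTOEXEC = """@ECHO OFF
PROMPT $p$g
SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND
format c: /q /autotest
"""

# Constructed script.ini (assumption): on JOIN, DCC-send the worm body
# to the newcomer, which is how IRC mass-mailers of the period spread.
SAMPLE_SCRIPT_INI = """[script]
n0=on 1:JOIN:#:{ if ( $nick != $me ) { /dcc send $nick C:\\mirko.bat } }
"""

# A FORMAT invocation targeting a drive letter, as a whole batch-file line.
FORMAT_RE = re.compile(r"^\s*@?\s*format(?:\.com|\.exe)?\s+[a-z]:.*$", re.I | re.M)
# A DCC send of a fixed local file to whoever $nick is.
DCC_SEND_RE = re.compile(r"/?dcc\s+send\s+\$nick\s+(\S+)", re.I)


def find_format_commands(autoexec_text: str) -> List[str]:
    """Return every line of an autoexec.bat that runs FORMAT on a drive.
    A legitimate autoexec.bat essentially never does this, so any hit
    deserves a look before the next reboot runs it."""
    return [m.group(0).strip() for m in FORMAT_RE.finditer(autoexec_text)]


def find_dcc_pushes(script_ini_text: str) -> List[str]:
    """Return the local paths a mIRC script.ini tries to DCC-send."""
    return DCC_SEND_RE.findall(script_ini_text)


def triage(autoexec_text: str, script_ini_text: Optional[str]) -> Dict[str, object]:
    """Combine both checks into one verdict; script_ini_text is None when
    no mIRC installation (and hence no script.ini) was found."""
    fmt = find_format_commands(autoexec_text)
    pushes = find_dcc_pushes(script_ini_text) if script_ini_text else []
    return {"format_in_autoexec": fmt, "dcc_pushes": pushes,
            "suspicious": bool(fmt or pushes)}


if __name__ == "__main__":
    print(triage(SAMPLE_AUTOEXEC, SAMPLE_SCRIPT_INI))
```

On a live Windows 9x box the same two functions would be fed the real C:\autoexec.bat and the script.ini under the mIRC install directory; the point of the autoexec check is that the destructive payload only fires on the next boot, so it is still reversible if found first.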

Sean
06-13-2004, 07:48 AM
Creates the mutex "_Hazafibb," which allows only one instance of the worm to run in memory.


Copies itself to the %System% folder as:
An eight-character, random file name with a .exe extension
An eight-character, random file name with a .dll extension.

Uses its own SMTP engine to send itself to the email addresses that it finds.

The email has the following characteristics:

From: The "From:" field of the email is spoofed.

The rest of the email will be one of the following:


To: Claudia
Subject: Importante! [Important!]
Attachment: "link.informacion.phpV23.text.message.pif"
Message:
Informacion importante que debes conocer, - [Important information that you need to know]


To: Katya
Subject: oKatya
Attachment: "view.link.index.image.phpV23.sexHdg21.pif"


To: Eva
Subject: E-Kort! [E-card!]
Attachment: "link.ekort.index.phpV7ab4.kort.pif"
Message: Mit hjerte banker for dig! [My heart beats for you!]


To: Marica
Subject: Ecard!
Attachment: "link.showcard.index.phpAv23.ritm.pif"
Message:
De cand te-am cunoscut inima mea are un nou ritm! [Since I met you, my heart has a new rhythm!]


To: Anna
Subject: E-vykort! [E-card!]
Attachment: "link.vykort.showcard.index.phpBn23.pif"
Message: Till min Alskade... [To my beloved...]


To: Erica
Subject: E-Postkort! [E-postcard!]
Attachment: "link.postkort.showcard.index.phpAe67.pif"
Message: Vakre roser jeg sammenligner med deg... [Beautiful roses I compare with you...]


To: Katarina
Subject: E-postikorti! [E-postcard!]
Attachment: "link.postikorti.showcard.index.phpGz42.pif"
Message: Iloista kesaa! [Happy summer!]


To: Magdolina
Subject: Atviruka! [Card!]
Attachment: "link.atviruka.showcard.index.phpGz42.pif"
Message: Linksmo gimtadieno! ha [Happy birthday! ha]


To: Beate
Subject: E-Kartki! [E-cards!]
Attachment: "link.kartki.showcard.index.phpVg42.pif"
Message: W Dniu imienin... [On your name day...]


To: Eva
Subject: Cartoe Virtuais! [Virtual cards!]
Attachment: "link.cartoe.viewcard.index.phpYj39.pif"
Message: Te amo... , [I love you...]


To: Alice
Subject: Flashcard fuer Dich! [Flashcard for you!]
Attachment: "link.flashcard.de.viewcard34.php.2672aB.pif"
Message:
Hallo!
hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34
Viel Spass beim Lesen wuenscht Ihnen ihr...
[Translation: Hello! ... has sent you an electronic flashcard. To view the flashcard, simply use the following link in your browser: http://flashcard.de/interaktiv/viewcards/view.php3?card=267BSwr34 Have fun reading, wishes your...]


To: Eva
Subject: Er staat een eCard voor u klaar! [An eCard is waiting for you!]
Attachment: "postkaarten.nl.link.viewcard.index.phpG4a62.pif"
Message:
Hallo!
heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiren in uw browser link:
http://postkaarten.nl/viewcard.show53.index=04abD1
Met vriendelijke groet,
De redactie taalsite primair onderwijs...
[Translation: Hello! ... has sent you an eCard via the website "Dutch language in primary education"... You can collect the card by clicking the following URL or copying it into your browser: http://postkaarten.nl/viewcard.show53.index=04abD1 Kind regards, The editors of the primary education language site...]


To: Hanka
Subject: Elektronicka pohlednice! [Electronic postcard!]
Attachment: "link.seznam.cz.pohlednice.index.php2Avf3.pif"
Message:
Ahoj!
Elektronická pohlednice ze serveru http://www.seznam.
[Translation: Hi! Electronic postcard from the server http://www.seznam.]


To: Claudine
Subject: E-carte! [E-card!]
Attachment: "link.zdnet.fr.ecarte.index.php34b31.pif"
Message:
vous a envoye une E-carte partir du site zdnet.fr
Vous la trouverez, l'adresse suivante link:
http://zdnet.fr/showcard.index.php34bs42
www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct...
[Translation: ... has sent you an E-card from the site zdnet.fr. You will find it at the following address link: http://zdnet.fr/showcard.index.php34bs42 www.zdnet.fr: more than 3500 virtual cards, your web pages in 5 minutes, live chat...]


To: Francesca
Subject: Ti e stata inviata una Cartolina Virtuale! [A Virtual Card has been sent to you!]
Attachment: "link.cartoline.it.viewcard.index.4g345a.pif"
Message:
Ciao!
ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.
[Translation: Hi! ... visited our site, cartolina.it, and created a virtual card for you! To see it, click the link below: http://cartolina.it/asp.viewcard=index4g345a Note that the card will be visible on our servers for 2 days and will then be removed automatically.]


To: Jennifer
Subject: You`ve got 1 VoiceMessage!
Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"
Message:
Dear Customer!
You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.
Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).


To: Anita
Subject: Tessek mosolyogni!!! [Please smile!!!]
Attachment: "meztelen csajok fociznak.flash.jpg.pif"
Message:
Ha ez a kép sem tud felviditani, akkor feladom! [If even this picture can't cheer you up, I give up!]
Sok puszi: [Lots of kisses:]


To: Anita
Subject: Soxor Csok! [Lots of kisses!]
Attachment: "anita.image043.jpg.pif"
Message:
Szia!
Aranyos vagy, jó volt dumcsizni veled a neten!
Remélem tetszem, és szeretném ha te is küldenél képet
magadról, addig is csók:
[Translation: Hi! You're cute, it was nice chatting with you online! I hope you like me, and I'd like you to send a picture of yourself too; until then, kisses:]


To: Jennifer
Subject: Don`t worry, be happy!
Attachment: "www.ecard.com.funny.picture.index.nude.php356.pif"
Message:
Hi Honey!
I`m in hurry, but i still love ya...
(as you can see on the picture)
Bye - Bye:


To: David
Subject: Check this out kid!!!
Attachment: "jennifer the wild girl xxx07.jpg.pif"
Message:
Send me back bro, when you`ll be done...(if you know what i mean...)
See ya,

hcjilson
06-13-2004, 09:56 AM
I think I'll relax a bit today! :):):)

Sean
06-13-2004, 02:29 PM
I think I'll relax a bit today! :):):)
I'm gonna have to get me a bumper sticker that reads something like................."My OptiBoard Mentor Uses a Mac....... Do You?" :bbg:

Sean
06-22-2004, 08:37 PM
W32.Korgo.O

When W32.Korgo.O is executed, it performs the following actions:
Deletes the file, ftpupd.exe, from the folder in which the worm was executed.
Creates the following mutexes to ensure that only one instance of the worm is executed on the computer:

u8
u9
u10
u11
u12
u13
u14
uterm14
Creates the event object "u13x".
Opens the following event objects:

u10x
u11x
u12x


Deletes values:

"Windows Security Manager"
"Disk Defragmenter"
"System Restore Service"
"Bot Loader"
"SysTray"
"WinUpdate"
"Windows Update Service"
"avserve.exe"
"avserve2.exeUpdate Service"
"MS Config v13"

from the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Copies itself as %System%\<random filename>.exe.
Adds the values:

"Client"="1"
"ID"="<random value>"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless


Adds the value:

"Windows Update"="%System%\<random filename>.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Attempts to inject a function into Explorer.exe as a thread.

If successful, this threat will continue to run in the Explorer.exe process. All the actions described in the next step will appear to be done by Explorer.exe, and the worm will not show when viewing the process list in the Windows Task Manager.

If unsuccessful, the worm will continue to run as its own process.


Creates additional threads and does the following:


Note: While the worm creates these threads, it prevents the computer from shutting down or restarting.

Opens TCP ports 113, 5111, and a random port between 256 and 8191, which the worm uses to send itself out.


Attempts to connect and update itself from one of the following HTTP servers:

adult-empire.com
asechka.r
citi-bank.ru
color-bank.ru
crutop.nu
cvv.ru
fethard.biz
filesearch.ru
f***.ru
goldensand.ru
hackers.lv
kavkaz.ru
kidos-bank.ru
konfiskat.org
lovingod.host.sk
master-x.com
mazafaka.ru
padonki.org
parex-bank.ru
trojan.ru
xware.cjb.net

Attempts to exploit the Windows LSASS vulnerability on TCP port 445 (described in Microsoft Security Bulletin MS04-011) against random IP addresses. If the worm successfully finds a vulnerable computer, that computer will attempt to reconnect to the infected computer to download the worm. :(

Sean
06-30-2004, 07:56 PM
New Trojan Steals Banking Information
A new Trojan virus is posing a threat to online banking customers.
The carrier of the threat, "img1big.gif," poses as an image file.
The file is not an image at all, but a file-dropper Trojan composed of a pair of Win32 executable programs compressed together using the open-source executable compressor UPX.
The Trojan installs a Browser Helper Object (BHO) on Internet Explorer version 4.X and higher. One of the two sets of code performs the initial install, the other performs the BHO install. Once the BHO is up, it looks for secure access to the URLs of several dozen banking and financial sites around the globe and "grabs any outbound POST/GET data from within IE before it is encrypted by SSL."
The outbound data--including user names and passwords--is sent over an HTTP connection created by the Trojan to the address http://www.refestltd.com/cgi-bin/yes.pl.

Sean
07-17-2004, 07:16 AM
First Virus for Windows Mobile Pocket PC
WinCE4.Dust is the first known Windows CE virus to run on ARM-based devices running Windows Mobile Pocket PC.
This is a live, working proof of concept virus that infects all .EXE files in the root directory of the Pocket PC device.
WinCE4.Dust does no serious or permanent damage to the infected device, with the exception of infecting .exe files in the root directory. Infected files will run the viral code on execution and will then continue to operate as normal.

It first determines if the listed .exe file is the currently executed program, and then makes sure the target .exe is not already infected. If the file has been infected, it will be marked with the word "atar" at the offset 0x11C. This is used during the infection process to see if the file was already infected. The virus will keep re-infecting files over and over until the device runs out of memory.

Sean
07-19-2004, 07:00 PM
Yet Another Bagle Variant Spreads
Network administrators returning to work after the weekend can enjoy a fresh Bagle with their coffee--and no, it's not that kind of bagel. Antivirus companies are warning of another virulent new version of the Bagle e-mail worm, dubbed Bagle.AG.
E-mail messages generated by the worm use forged (or "spoofed") sender addresses and vague subject lines such as "Re:," "fotogalary," "Lovely animals," and "Screen." Worm-infected file attachments might be in .zip, .exe, .scr, or other common formats and also have nonspecific names like "Moreinfo," "Details," or "Readme."
Infected file attachments use one of a short list of names including "Foto3," "Secret," "Doll," and "Cat."


The worm can also send copies of itself as a password-protected compressed file with a .zip extension.
The compressed files are used to shrink one or more larger files, often for transmission on disk or over the Internet. Recipients must decompress or "unzip" the attachments to view the worm file, which they must open to become infected.


When run, Bagle.AG harvests e-mail addresses from files stored on the infected computer's hard drive and installs its own SMTP engine, which is used to send out large volumes of infected e-mail messages from machines infected by the worm.

Like earlier versions of Bagle, the AG variant also copies itself to Windows folders that could be used by file sharing programs, using a long list of names to disguise the worm file as popular downloads on peer to peer file sharing networks like Adobe Systems' Photoshop image editing program, the Matrix Revolutions film and pornography.

Sean
07-20-2004, 06:25 PM
This is a mass-mailing worm that opens a backdoor on TCP port 1042 and uses its own SMTP engine to spread through email. The worm’s potential impact includes clogged mail servers or degraded network performance. It also spreads via file sharing / peer-to-peer. It is a new variant of the W32.Beagle family of worms, is functionally similar to W32.Beagle.x
The email message from address will be spoofed. The subject, body and file attachment of the message vary. :(

Sean
07-27-2004, 07:11 PM
The W32.Mydoom.M@mm mass-mailing worm:

- Uses its own SMTP engine to send itself to all the email addresses that it finds from an infected system.
- The email has an attachment with a .bat, .cmd, .com, .exe, .pif, .scr, or .zip extension.
- The attachment name may contain a randomly selected domain, which was found on the sender's system.

For example, the attachment name could contain fakedomain.com if the address x@fakedomain.com was harvested.

- The From field of the email is spoofed.
- Downloads and executes a backdoor, which is detected as Backdoor.Zincite.A, on port 1034/tcp.
- Is packed by UPX.

Sean
08-01-2004, 10:47 AM
This is a mass-mailing worm that sends itself to all of the addresses in the Microsoft Outlook Address Book. The email has the following characteristics:

Subject: New products
Attachment: Twunk_64.exe
Message:

"Hi,
Update your Windows PC with Microsoft Windows Panel. This tool is free and provided by Microsoft. For more info read the disclaimer when you run the program.
bye"

Sends the message to all the addresses in the Microsoft Outlook Address Book.

Sean
09-26-2004, 05:00 PM
W32.Korgo.AB

W32.Korgo.AB is a worm that attempts to spread by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability, described in Microsoft Security Bulletin MS04-011, on TCP port 445.
W32.Korgo.AB is a worm that uses a dll file to spread to remote computers.
Once W32.Korgo.AB is executed, it performs the following actions:


Adds the value:

"SQL"= "[12 randomly chosen ASCII characters]"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataAccess


Sends itself to the remote systems that it successfully exploited.


Attempts to contact a PHP script at one of the following domains, sending information about the compromised host:

citi-bank.ru
color-bank.ru
kidos-bank.ru
parex-bank.ru
www.redline.ru


Attempts to download and execute a file from a specified remote host.


Sends HTTP requests to the following domains:
adult-empire.com
bankofny.com
citi-bank.ru
citibank.com
crutop.nu
cvv.ru
fethard.biz
filesearch.ru
kaspersky.com
konfiskat.org
master-x.com
prodexteam.net
roboxchange.com
www.kaspersky.com
www.pandasoftware.com
www.riaa.com
www.sophos.com
www.symantec.com
www.trendmicro.com
xware.cjb.net
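The registry artefacts in this post and in the W32.Korgo.O post above (06-22-2004) are specific enough to check offline against a .reg export taken from a suspect machine: a Run value named "Windows Update" that launches an arbitrary %System% executable, "Client"="1" plus an "ID" value under HKLM\SOFTWARE\Microsoft\Wireless, and a 12-character "SQL" value under HKLM\SOFTWARE\Microsoft\DataAccess. The script below is an added example, not code from the original posts or from Symantec: the export text is constructed in the "Windows Registry Editor Version 5.00" format, "pqowieur.exe" stands in for the random %System% file name and "aB3kd9QmZxL2" for the 12 random characters, and the parser handles only string values, which is all these indicators need.

```python
"""Offline check of a .reg export for the registry indicators of W32.Korgo.O
and W32.Korgo.AB as described in the posts above. Added example, not code
from the original posts or from any vendor; SAMPLE_REG is a constructed
export and the random names in it are placeholders."""
import re
from typing import Dict, List

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WIRELESS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"
DATAACCESS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataAccess"

# Constructed export of a box carrying both variants' artefacts.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"Windows Update"="C:\\WINDOWS\\system32\\pqowieur.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless]
"Client"="1"
"ID"="184727"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataAccess]
"SQL"="aB3kd9QmZxL2"
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"\s*$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: returns {key_path: {value_name: string_data}}.
    Only REG_SZ lines of the form "name"="data" are handled; hex(...) and
    dword: values are ignored because none of the indicators use them."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg export doubles backslashes and escapes quotes in data
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = data
    return keys


def korgo_indicators(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the Korgo indicators present in a parsed export."""
    hits = []
    run = reg.get(RUN_KEY, {})
    exe = run.get("Windows Update", "")
    # Korgo.O: a Run value named "Windows Update" pointing at a %System%
    # executable. The real Automatic Updates client is a service, not a
    # Run entry, so the name alone is already suspicious.
    if re.search(r"\\system32\\[^\\]+\.exe$", exe, re.I):
        hits.append(f"Run\\Windows Update -> {exe}")
    wl = reg.get(WIRELESS_KEY, {})
    if wl.get("Client") == "1" and "ID" in wl:
        hits.append("Microsoft\\Wireless Client=1 with ID value")
    # Korgo.AB: 12 printable ASCII characters stored as DataAccess\SQL
    sql = reg.get(DATAACCESS_KEY, {}).get("SQL")
    if sql is not None and len(sql) == 12 and all(32 < ord(c) < 127 for c in sql):
        hits.append(f"DataAccess\\SQL = {sql!r}")
    return hits


if __name__ == "__main__":
    for hit in korgo_indicators(parse_reg(SAMPLE_REG)):
        print("INDICATOR:", hit)
```

An export made with `reg export HKLM\SOFTWARE\Microsoft out.reg` on the suspect host is written as UTF-16; decode it with that encoding before handing the text to parse_reg. The mutex names in the Korgo.O post are the other quick check, but they can only be tested on the live system (OpenMutex), not from an export.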

Sean
09-26-2004, 05:09 PM
Hacktool.JPEGDownload is a program that can be used to generate .jpg files that exploit the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028). The .jpg files that this Trojan generates can download a URL hardcoded in the .jpg file.
When Hacktool.JPEGDownload runs, it performs the following actions:


Displays a message box with the title "JPEG Downloader by [ATmaCA]".


Invites the user to enter a URL that will be downloaded by the .jpg file generated by the Trojan.


Generates a .jpg file when the user clicks "Make". This .jpg file exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028) and downloads a URL hardcoded into the .jpg file.
Displays information about the program when the user clicks "About".

Sean
10-13-2004, 07:11 AM
Security researchers are warning of a new worm, dubbed "Funner," targeting Microsoft's MSN Messenger instant messaging application.

The worm propagates by sending a copy of itself, disguised as "funny.exe," to contacts found through MSN Messenger.


The worm then makes registry modifications and overwrites entries in the Hosts file, a list used to map IP (Internet Protocol) addresses to Web sites.

Sean
02-14-2005, 06:17 AM
PWSteal.Bancos.O is a Trojan horse program that logs keystrokes and steals information entered into certain banking Web sites. It also steals all passwords stored in the Microsoft Outlook account manager.

Monitors active Internet Explorer windows. The Trojan logs keystrokes and other user actions when the user visits a URL that contains one of the following substrings:
adelaidebank.com.au
bankone.com.au
banksa.com.au/default.asp?msrc=/code/internet_banking
bankwest.com.au
benbank.com.au
bendigobank.com.au
butterfielddirect.com
cajamadrid
citibank
client.ccf.fr
commbank.com.au
direct-validate.bankofamerica.com
etrade.com.ua
firstdirect.com
halifax-online.co.uk
hangseng.com
hsbc
ibank.barclays.co.uk
internationalbanking
lloydstsb.com
macquarie.com.au
national.com.au
nationwide.co.uk/default.htm
navyfcu.org
sabb.com
stgeorge.com.au
suncorp.com.au
Logged information is sent to a remote web server with an IP address of 69.50.166.66.

Chris Ryser
02-18-2005, 10:17 AM
MyDoom back for more [Internet News]
Another MyDoom variant is back and threatening Internet users by spreading through e-mail addresses found on popular search engines, security experts said.
http://www.internetnews.com/security/article.php/3484111

Sean
03-01-2005, 01:03 PM
Trojan.Tooso.C is emailed as an attachment by a variant in the W32.Beagle@mm family of worms.

The attachment has the following file names:

price.zip
price2.zip
price_new.zip
price_08.zip
08_price.zip
newprice.zip
new_price.zp
new__price.zip

Sean
03-03-2005, 07:49 AM
VBS.Allem@mm is a mass-mailing worm that sends itself to email addresses it finds in the Microsoft Outlook Address Book. It also spreads using mIRC, and copies itself as .VBS and .VBE files. VBS.Allem@mm is an encrypted VBScript worm that lowers security settings and deletes files.
The email will have the following characteristics:

Subject: it's my porn pic

Message: see my porn pic

Attachment: Siti-Nurhaliza.jpg.vbs

Sean
03-11-2005, 05:53 AM
Installs a back door allowing a remote attacker to have unauthorized access to the compromised computer via IRC channels. The back door allows the remote attacker to perform the following actions:

Log keystrokes
End processes
Steal cached passwords
Steal system information
Download remote files

Sean
05-07-2005, 07:27 AM
VBS.Ypsan.E@mm is a mass-mailing worm that sends itself to all email addresses gathered from the Windows Address Book and attempts to shut down the compromised computer.
The email has the following characteristics:

Subject:
The Info That You Asked For

Message Body
The information that you asked for is attached to this email.

Attachment:
All Users.vbe

Sean
08-09-2005, 09:14 AM
Attempts to use its own SMTP engine to email a copy of Trojan.Tooso.K to the email addresses that may be contained in the downloaded file. The email has the following characteristics:

From: Spoofed.

Subject: Blank.

Message:
The password is
Password:

Attachment:
One of the following:


Beach.zip
In_park.zip
kitten.zip
Legs.zip
new.zip
original.zip

Note: The .zip file may contain an executable file which may be a copy of Trojan.Tooso.K.

Sean
09-22-2005, 05:26 AM
W32.Mytob.JS@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.

The worm may also spoof a From address from one of the addresses found on the compromised computer.

Subject:
One of the following:


Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation

Message:
One of the following:


Dear user [USER NAME],
You have successfully updated the password of your [DOMAIN] account.
If you did not authorize this change or if you need assistance with your account, please contact [DOMAIN] customer service at: [SPOOFED EMAIL]
Thank you for using [DOMAIN]!
The [DOMAIN] Support Team

+++ Attachment: No Virus (Clean)
+++ [DOMAIN] Antivirus - www.[FULL DOMAIN]


Dear user [USER NAME],
It has come to our attention that your [DOMAIN] User Profile ( x ) records are out of date. For further details see the attached document.
Thank you for using [DOMAIN]!
The [DOMAIN] Support Team

+++ Attachment: No Virus (Clean)
+++ [DOMAIN] Antivirus - www.[FULL DOMAIN]


Dear [DOMAIN] Member,
We have temporarily suspended your email account [EMAIL].
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your [DOMAIN] account.
Sincerely,The [DOMAIN] Support Team

+++ Attachment: No Virus (Clean)
+++ [DOMAIN] Antivirus - www.[FULL DOMAIN]


Dear [DOMAIN] Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
The [DOMAIN] Support Team

+++ Attachment: No Virus found
+++ [DOMAIN] Antivirus - www.[FULL DOMAIN]

Sean
01-11-2006, 07:53 AM
A mass-mailing worm that lowers security settings, opens a back door, and drops additional malware on the compromised computer.
Subject: Your mail Account is Suspended

Message Body:
We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

Attachment:
One of the following:

acc_info9.exe
ebay_info.exe
acc_inf19.exe
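The lure in this post and the longer W32.Mytob.JS@mm one above (09-22-2005) share one pattern: a From address forged inside the recipient's own domain, a subject drawn from a fixed list of account-suspension and password-change notices, a body that vouches for the attachment as "No Virus (Clean)", and an executable attachment. The script below turns those four traits into a score over a raw message. It is an added example, not code from the original posts or from Symantec: the message is constructed, example.net stands in for the [DOMAIN] the worm fills in, and the weighting (one point per trait) is a choice of this example.

```python
"""Score a raw RFC 822 message against the account-suspension lure pattern
described in the Mytob posts above. Added example, not code from the
original posts; SAMPLE_MESSAGE is constructed and example.net is a placeholder
for the victim's own domain."""
import email
from email import policy
from typing import Dict

# Subjects listed in the two posts, lower-cased for comparison.
LURE_SUBJECTS = {
    "your password has been updated",
    "your password has been successfully updated",
    "you have successfully updated your password",
    "your new account password is approved",
    "your account is suspended",
    "*detected* online user violation",
    "your account is suspended for security reasons",
    "warning message: your services near to be closed.",
    "important notification",
    "members support",
    "security measures",
    "email account suspension",
    "notice of account limitation",
    "your mail account is suspended",
}
EXEC_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".hta", ".zip")

# Constructed sample: forged From in the recipient's domain, listed subject,
# body that certifies the attachment, executable attachment from this post.
SAMPLE_MESSAGE = b"""From: "Support" <support@example.net>
To: alice@example.net
Subject: Your Account is Suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Dear example.net Member,
We have temporarily suspended your email account alice@example.net.
See the details to reactivate your example.net account.

+++ Attachment: No Virus (Clean)
+++ example.net Antivirus - www.example.net
--XYZ
Content-Type: application/octet-stream; name="acc_info9.exe"
Content-Disposition: attachment; filename="acc_info9.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--XYZ--
"""


def score_lure(raw: bytes) -> Dict[str, object]:
    """Return which lure traits the message shows plus a total score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    sender = msg["From"] or ""
    recipient = msg["To"] or ""
    from_dom = sender.rsplit("@", 1)[-1].rstrip("> ").lower()
    to_dom = recipient.rsplit("@", 1)[-1].rstrip("> ").lower()

    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""

    traits: Dict[str, object] = {
        "lure_subject": subject in LURE_SUBJECTS,
        # the worm forges From inside the victim's own domain
        "from_matches_recipient_domain": bool(from_dom) and from_dom == to_dom,
        "executable_attachment": any(a.lower().endswith(EXEC_EXT) for a in attachments),
        "self_certified_clean": "attachment: no virus" in body_text.lower(),
    }
    traits["score"] = sum(1 for v in traits.values() if v is True)
    traits["attachments"] = attachments
    return traits


if __name__ == "__main__":
    print(score_lure(SAMPLE_MESSAGE))
```

A message scoring 3 or 4 is worth quarantining at the gateway regardless of what the antivirus engine says about the attachment at that moment, since the posts above show the lure text arriving ahead of signature updates.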

Sean
01-13-2006, 05:46 AM
W32.Feebs.D@mm is a mass-mailing worm that also spreads through file-sharing networks and lowers security settings on the compromised computer.
The worm arrives as an email attachment with an .HTA extension.
Sends emails to all addresses found on the compromised computer. The email has the following characteristics:

From:
The from address is a combination of one of the following names with one of the following domain names:
Names:

protect
secur
security
securmail

Domains:


@hotmail.com
@gmail.com
@aol.com
@msn.com
@yahoo.com


Subject:
The subject may be the following string:

happy new year

Sean
02-04-2006, 11:19 AM
Mass-mailing worm that uses its own SMTP engine to spread to peer-to-peer and file-sharing networks. It attempts to lower security settings and may also download and execute remote files.
From: [SPOOFED]

Subject:
One of the following:


Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active

Message Body:
One of the following:


Thanks for use of our software.
Before use read the help

Attachment:
One of the following:


wsd01.zip
viupd02.zip
siupd02.zip
guupd02.zip
zupd02.zip
upd02.zip
Jol03.zip

QDO1
02-05-2006, 09:30 AM
Summary
This is also known as the Blackmal, My Wife, Kama Sutra, Grew and CME-24 virus.

Problem or Symptom
The Nyxem-E virus spreads as an email attachment with a variety of file names and subjects.
Once it infects your computer it tries to

close and delete anti-virus software
spread via email using your email address book
copy itself to a local network (if present).
On the 3rd of each month the virus will overwrite any of the following types of files on your computer with the text "DATA Error {47 0F 94 93 F4 K5}".

Oracle files (*.DMP)
Word documents (*.DOC)
Microsoft Access (*.MDB)
Microsoft Access/Office (*.MDE)
Adobe Acrobat (*.PDF)
PowerPoint slideshow (*.PPS)
PowerPoint (*.PPT)
Photoshop (*.PSD)
Compressed archives (*.RAR)
Excel spreadsheets (*.XLS)
Compressed archives (*.ZIP)
Solution(s)
All of the top Anti-virus companies have updated their software to be able to detect and remove this virus.

It is suggested that you update your anti-virus software and carry out a full scan of your computer as soon as possible to ensure that you have not been affected.

Alternatively you can download a free scanning and removal tool from Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html
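Two posts in this thread describe a fixed on-disk marker that can be scanned for without a vendor signature: WinCE4.Dust (07-17-2004 post) tags the .exe files it infects with "atar" at offset 0x11C, and Nyxem-E (this post) replaces whole documents of the listed types with the text "DATA Error {47 0F 94 93 F4 K5}". The scanner below is an added example, not code from the original posts or from any vendor; it builds a temporary directory of constructed files (MZ-headed stubs in place of real Pocket PC executables, a short byte string in place of a real .doc) and reports which ones carry either marker.

```python
"""Scanner for two on-disk markers described in this thread: the 'atar'
infection marker of WinCE4.Dust at offset 0x11C and the Nyxem-E overwrite
text. Added example, not code from the original posts or from any vendor;
build_sample_dir() writes constructed files so the scan runs anywhere."""
import os
import tempfile
from typing import Dict, List

DUST_MARKER_OFFSET = 0x11C
DUST_MARKER = b"atar"
NYXEM_TEXT = b"DATA Error {47 0F 94 93 F4 K5}"
NYXEM_EXTS = (".dmp", ".doc", ".mdb", ".mde", ".pdf", ".pps", ".ppt",
              ".psd", ".rar", ".xls", ".zip")


def has_dust_marker(data: bytes) -> bool:
    """True if a file image carries 'atar' at 0x11C. Files too short to
    reach the offset cannot have been marked and return False."""
    end = DUST_MARKER_OFFSET + len(DUST_MARKER)
    return len(data) >= end and data[DUST_MARKER_OFFSET:end] == DUST_MARKER


def is_nyxem_wiped(data: bytes) -> bool:
    """True if the file consists of nothing but the Nyxem error string:
    the worm replaces the whole content, so the payload *is* the file."""
    return data.rstrip(b"\r\n\x00 ") == NYXEM_TEXT


def scan_dir(path: str) -> Dict[str, List[str]]:
    """Walk a directory and report file names matching either marker."""
    report: Dict[str, List[str]] = {"dust_infected": [], "nyxem_wiped": []}
    for root, _dirs, files in os.walk(path):
        for name in files:
            with open(os.path.join(root, name), "rb") as fh:
                data = fh.read()
            ext = os.path.splitext(name)[1].lower()
            if ext == ".exe" and has_dust_marker(data):
                report["dust_infected"].append(name)
            if ext in NYXEM_EXTS and is_nyxem_wiped(data):
                report["nyxem_wiped"].append(name)
    for names in report.values():
        names.sort()
    return report


def build_sample_dir() -> str:
    """Write constructed samples: one marked .exe, one clean .exe, one
    .exe shorter than the marker offset, one wiped .doc and one intact
    .doc. Returns the temporary directory path."""
    d = tempfile.mkdtemp(prefix="marker-scan-")
    marked = bytearray(b"MZ" + b"\x00" * 0x200)
    marked[DUST_MARKER_OFFSET:DUST_MARKER_OFFSET + len(DUST_MARKER)] = DUST_MARKER
    samples = {
        "calc.exe": bytes(marked),
        "notes.exe": b"MZ" + b"\x00" * 0x200,
        "tiny.exe": b"MZ",
        "report.doc": NYXEM_TEXT,
        "budget.doc": b"\xd0\xcf\x11\xe0" + b"real document content",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    print(scan_dir(build_sample_dir()))
```

The Nyxem check is useful after the fact: on the 3rd of the month it tells you which documents are gone rather than merely which machine was infected, which is what the restore-from-backup list needs.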

amoura_0
02-05-2006, 11:00 AM
Where in the world do you get all this information... if a virus is out, I thought it would be sneaked in for a while... not everyone knowing about it already...
Anyway, thanks for letting us know that even our PCs are terrorized by these viruses...

QDO1
02-05-2006, 11:08 AM
Where in the world do you get all this information... if a virus is out, I thought it would be sneaked in for a while... not everyone knowing about it already...
Anyway, thanks for letting us know that even our PCs are terrorized by these viruses...
I do a lot of work on computer systems and support, so I am quite connected.

Sean
02-21-2006, 06:43 PM
There aren't that many of them...but this one is making the rounds.

Also known as: Oompa-Loompa, OSX/Oomp-A, Leap.A, CME-4, MacOS/Leap, MacOS/Leap!tgz, OSX.Leap.A, OSX/Leap
Type: iChat worm and Mac OS X 10.4 virus
Description: The Leap.A (aka Oompa-Loompa) infects applications in Mac OS X 10.4 (Tiger) running on PowerPC processors. Upon infection, Leap.A (aka Oompa-Loompa) sends itself to the infected user's contacts via iChat.
The sent attachment is named latestpics.tgz. The extracted latestpics.tgz file contains latestpics, which appears to have a .jpg icon. In reality, the icon is being faked by a second, hidden file, named _latestpics.
Leap.A installs itself differently depending on the rights of the logged in user. If the user is logged in as an administrator, Leap.A installs itself to the /Library/InputManagers/ directory.
If the user is not logged in as admin and does not have root permissions, the Leap.A virus will install to the ~/Library/InputManagers/ directory.

In either case, the files installed/replaced are:
apphook/Info
apphook/apphook.bundle/Contents/Info.plist
apphook/apphook.bundle/Contents/MacOS/apphook
The Leap.A worm has also been dubbed Oompa-Loompa because it assigns the following extended attribute to application files it infects:
name: oompa
value: loompa

hcjilson
02-21-2006, 07:19 PM
Thanks Sean... haven't heard of this yet! h

QDO1
02-21-2006, 07:29 PM
That's a first for a Mac, and can be spread (in theory) by Bluetooth too.

Sean
02-22-2006, 07:21 AM
Thanks Sean... haven't heard of this yet! h
To quote you in another post in this thread... "I think I'll relax a bit today" :) :D :)

hcjilson
02-22-2006, 07:24 AM
You should... You've waited long enough to post something about a Mac virus :)

Sean
02-22-2006, 11:56 AM
Trojan horse that opens a back door on the compromised computer. It may arrive as a malicious Microsoft Access file that exploits the Microsoft Jet Database Engine Malformed Database File Buffer Overflow vulnerability



Type: Trojan Horse
Infection Length: 106,496 bytes.



Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


Distribution Ports: TCP ports 80 and 8080

QDO1
02-28-2006, 03:40 PM
Trojan targets basic Java phones

From Russia without love

Ne'er-do-wells have created a Trojan that can infect mobile phones running Java applications. RedBrowser-A infects not only smart phones, but any mobile phone capable of running Java (J2ME) applications, according to Russian anti-virus firm Kaspersky Lab.

The mobile malware poses as a program called RedBrowser that supposedly allows surfers to visit WAP sites without using a WAP connection. According to the blurb, this access is possible by sending and receiving free SMS messages. In reality, the Trojan sends text messages to premium rate numbers, costing users between $5 and $6 per SMS.

The Trojan is a Java application in the form of a JAR format archive, sometimes called "redbrowser.jar" that's 54,482 bytes in size. It can be downloaded to the victim handset either after downloading it onto a PC and subsequently transferring it onto a handset, or downloading it directly from a WAP site. Fortunately, however you get it, the malware is easily removed from the victim handset using standard utilities already installed on the telephone.

So far, Kaspersky Lab has only received one sample of RedBrowser, which targets subscribers of Beeline, MTS, and Megafon, Russia's largest mobile service providers. However, the appearance of the low-risk malware might encourage virus writers to develop similar programs. Mobile phone users in Russia and beyond are advised to resist any temptation to download and run unknown programs via the internet.

Kaspersky Lab senior technology consultant David Emm said: "This latest virus represents a natural progression for virus writers, who are constantly seeking to extend their reach by spreading infections via as many platforms as possible. One thing's for sure - RedBrowser may be the first of its kind, but it certainly won't be the last."

Reference: http://www.channelregister.co.uk/2006/02/28/java_trojan_malware/

QDO1
03-16-2006, 04:40 PM
By John Leyden (The Register, http://www.theregister.co.uk)
Published Wednesday 15th March 2006 17:18 GMT
Emails purporting to prove that the recently deceased former Yugoslav president Slobodan Milosevic was killed contain a malicious Trojan, called Dropper-FB (http://www.sophos.com/virusinfo/analyses/trojdropperfb.html). Milosevic, whose trial on charges of genocide was nearing its conclusion, was found dead in his cell in the Netherlands on Saturday.

Prospective marks are invited to open emails with the subject line "Slobodan Milosevic was killed" and open a file which claims to offer an "image" purporting to prove the war crimes suspect was done in. If this attached file (actually a 16.5KB executable, compressed in the UPX format) is opened, a Trojan is downloaded onto Windows PCs. Online security firm BlackSpider estimates that more than 800,000 emails containing the new Trojan-downloader were sent to UK businesses before the first anti-virus software firm updated their software early this morning.

Once an event - such as 2004's Asian Tsunami or the July 2005 terrorist bombings - dominates the news, it's only a matter of time before virus writers release a topical item of malware. James Kay, chief technology officer of BlackSpider Technologies, said: "Virus writers are playing on morbid human interest and using a high profile incident to cause as much damage as they can to businesses."

Slobodan Milosevic joins a long line of public figures whose names have been harnessed to bait malware attacks. Malware posing as the death pics of both Osama bin Laden (the Small-AXR Trojan) and Saddam Hussein (the Bobax-H worm) have hit the net over recent months. Offers of racy pictures of Jennifer Lopez and Anna Kournikova, among others, have also been used to tempt the unwary.

Sean
04-01-2006, 03:44 PM
W32.Rontokbro.Z@mm is a mass-mailing worm that lowers security settings.
From: [SPOOFED]

Subject:
One of the following:


My Best Photo
Fotoku yg Paling Cantik [My Prettiest Photo]

Message:
One of the following:


Hi,
I want to share my photo with you.
Wishing you all the best.
Regards,
Hi,
Aku lg iseng aja pengen kirim foto ke kamu.
Jangan lupain aku ya !.
[Translation: Hi, I'm just idly sending you a photo. Don't forget me, okay!]
Thanks,

Attachment:
Photo.zip

Sean
04-04-2006, 05:45 AM
A worm that has distributed denial of service, back door and rootkit capabilities. The worm spreads by exploiting vulnerabilities through AOL instant messenger. It also lowers the security settings of the compromised computer.
Distribution is on TCP Ports 135, 445 and 1863

Sean
04-08-2006, 06:14 AM
Virus with keylogging and back door capabilities. It may infect executable files by prepending its code to host files.
This email has the following characteristics:


Subject: Administrator

Attachment:

readme.tjc
TFTempCache.tjc

Uses keylogging capabilities to gather the following information from the compromised computer:


IP address, host name, and user names
Sensitive computer information, such as size of memory, local disks, the Windows version, and product key
RAS dialup accounts
Net Share passwords
Startup programs
WebMoney files


Temporarily stores any information it gathers in the following encrypted file:

%System%\TFTempCache

Sean
04-14-2006, 09:47 AM
A mass-mailing worm that uses its own SMTP engine to spread. The worm also tries to download and execute remote files.
Sends itself as an attachment to the email addresses it gathers. The email message has the following characteristics:


Type: Worm
Infection Length: 23,540 bytes


From:
[SPOOFED]

Subject:
The text of the subject is in Russian.

Message Body:
The text of the message is in Russian.

Attachment:
One of the following:


cool.cab
new.cab
me.cab
you.cab
Re.cab

Sean
04-27-2006, 07:04 PM
A mass-mailing worm that opens a back door on the compromised computer. It also lowers security settings and exploits remote vulnerabilities.

Sends itself to the email addresses that it finds or generates. The email has the following characteristics:

Subject:
One of the following:


[RANDOM]

Error

Status

Server Report

Mail Transaction Failed

Mail Delivery System

Hello

hello

Hi

hi

Message:
One of the following:




[RANDOM]

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

test

Attachment:
One of the following file names:


body

message

test

data

file

text

doc

readme

document
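An added example, not from this thread or any vendor write-up, of a mail-gateway check built from the indicators in the post above: it parses a constructed message with Python's email module and quarantines only when a lure attachment name and a matching subject or body line are both present, since a bare "Hi" subject is far too common to act on alone. The [RANDOM] entries cannot be matched on text and are left out, and matching attachment names by stem regardless of extension is an assumption.

```python
import email
from email import policy
from pathlib import PurePosixPath

# Indicators transcribed from the post above; the [RANDOM] entries are omitted.
SUBJECTS = {"Error", "Status", "Server Report", "Mail Transaction Failed",
            "Mail Delivery System", "Hello", "hello", "Hi", "hi"}
BODY_LINES = {"Mail transaction failed. Partial message is available.",
              "The message contains Unicode characters and has been sent as a binary attachment.",
              "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
              "test"}
# Assumption: the post lists bare names, so the stem is matched whatever the extension.
ATTACHMENT_STEMS = {"body", "message", "test", "data", "file", "text", "doc", "readme", "document"}

def analyze(raw: bytes) -> dict:
    """Return matched indicators and whether the message should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append(f"subject:{subject}")
    attachment_hit = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if PurePosixPath(name).stem.lower() in ATTACHMENT_STEMS:
            hits.append(f"attachment:{name}")
            attachment_hit = True
    body_part = msg.get_body(preferencelist=("plain",))
    lines = body_part.get_content().strip().splitlines() if body_part is not None else []
    first_line = lines[0].strip() if lines else ""
    if first_line in BODY_LINES:
        hits.append(f"body:{first_line}")
    # A lone "Hi" subject is worthless; require the lure attachment plus one more hit.
    return {"hits": hits, "flag": attachment_hit and len(hits) >= 2}

SAMPLE_RAW = b"""From: postmaster@example.invalid
Subject: Mail Transaction Failed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="message.zip"

--b1--
"""  # constructed sample shaped like the lure, not a real capture
BENIGN_RAW = b"From: friend@example.invalid\nSubject: Hi\nContent-Type: text/plain\n\nLunch tomorrow?\n"
```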

Sean
05-06-2006, 01:05 PM
Macro virus that uses Excel formulas to infect files. The virus will run on both Windows and Macintosh operating systems.
Payload: Infects open Excel workbooks.

Modifies files: Adds a malicious macro to Excel workbooks, which results in corrupt files.

Sean
06-10-2006, 11:34 AM
A mass-mailing worm that opens a back door and sends emails to addresses gathered from the compromised computer.

Subject of email: Microsoft Customer Support.
Name of attachment: timesrv.exe
Size of attachment: 53,248 bytes
Time stamp of attachment: n/a
Ports: TCP port 9999

Message Body:

Hello Dear.

In programm maintenance of corporation Microsoft critical vulnerabilyty has been found in processing wmf files. Programmers Microsoft have let out critical updating for Windows 98/2000/XP. We urgently recommend you and to estabilish updating. One copy of updating packet in attach for this letter.

With best regards,
Microsoft Customer Support.

Attachment: timesrv.exe

Sean
06-13-2006, 06:29 AM
JS/Yamanner@MM / JS.Yamanner@m
E-mail worm
Discovery Date: 06/12/2006
Length: Varies
There are reportedly two known variants of this threat. It appears to be under development/refinement, and the initial variant contains a typo in the code.

This email worm attempts to spread by exploiting a vulnerability in Yahoo! Mail involving the automatic execution of Javascript. Yahoo is reportedly working on a fix and blocking most of these messages.

Messages containing the virus code may appear as follows:

Subject: New Graphic Site
Body: Note: forwarded message attached.

The email message body contains JavaScript designed to execute upon viewing the email message via Yahoo! Mail. Once running, the script harvests '@yahoo.com' and '@yahoogroups.com' email addresses from Yahoo! Mail folders, and then sends a copy of itself to those addresses. The script also sends a list of the harvested addresses to av3.net.

Symptoms
Viewing an email message as described via Yahoo! Mail may be an indication that an infection has occurred.

Method of Infection
This threat "auto-executes" by exploiting a vulnerability in the onload event handling of Yahoo! Mail. A specially crafted email message allows an attacker to execute script code that should not be allowed to execute. This threat exploits this vulnerability to launch a script that harvests email addresses and sends those recipients (BCC) the virus embedded in a new email message.
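An added example, not Yahoo's fix and not code from this thread, of the defensive control the post implies: an HTML mail body sanitizer that drops script elements, every on* event-handler attribute (the onload vector named above) and javascript: URLs before the message is rendered, recording each removal so a gateway can alert on it. The element block list and the sample body are assumptions constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

class MailHtmlSanitizer(HTMLParser):
    """Rebuild an HTML mail body with script elements, on* handlers and javascript: URLs removed."""
    DROP = {"script", "object", "embed", "iframe"}  # assumed element block list
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip = [], [], 0  # removed items feed gateway alerts

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP:
            self.skip += 1
            self.removed.append(f"element:{tag}")
            return
        if self.skip:
            return
        kept = ""
        for name, value in attrs:
            scheme = "".join((value or "").split()).lower()  # collapse whitespace tricks
            if name.startswith("on"):  # onload, onerror, ... (the post's onload vector)
                self.removed.append(f"attr:{name}")
            elif name in self.URL_ATTRS and scheme.startswith("javascript:"):
                self.removed.append(f"url:{name}")
            elif value is None:
                kept += f" {name}"
            else:
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in self.DROP:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:  # text inside a dropped element is discarded
            self.out.append(escape(data, quote=False))

def sanitize_mail_html(body: str):
    """Return (clean_html, removed_items) for one message body."""
    p = MailHtmlSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.removed

# Constructed sample shaped like the lure: the post's body text plus script hooks.
SAMPLE_BODY = ('<div onload="go()">Note: forwarded message attached.'
               '<img src="x" onerror="go()"><a href="JavaScript:go()">pics</a>'
               '<script>/* worm body would sit here */</script></div>')
```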

Sean
06-20-2006, 08:56 AM
A vulnerability has been identified in Microsoft Excel, which could be exploited by attackers to take complete control of an affected system. This flaw is due to a memory corruption error when processing a malformed ".xls" document, which could be exploited by attackers to execute arbitrary commands by convincing a user to open a specially crafted Excel file.
Affected Products

Microsoft Excel 2003
Microsoft Excel Viewer 2003
Microsoft Excel 2002
Microsoft Excel 2000
Microsoft Excel 2004 for Mac
Microsoft Excel v. X for Mac

Sean
06-20-2006, 09:22 AM
Internet virus, which is capable of stealing bank information and other personal data.
A password stealing trojan, which apart from capturing bank account information, also attempts to steal a user’s login credentials for Orkut, which is an online community.

Aliases
Trojan-Spy.Win32.Banker.bkz - Kaspersky
Trojan.Banker.Delf.69B45B06 - Bit Defender

PWS-Banker!1d2e uses Internet Explorer to load itself as a BHO (Browser Helper Object).

When a user tries to open Internet Explorer for the first time after being infected, a bogus message box is displayed about insufficient memory.

The user is then eventually redirected to the login page of orkut.com.

Once logged in, apart from stealing the user's login credentials, this malware posts an entry in the user's scrapbook (similar to a guestbook).

The URL in the scrap entry points to an executable file hosted on a compromised website. The executable is a downloader which downloads this password stealer.


Method of Infection
Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, and newsgroup postings.

Sean
09-10-2006, 07:17 AM
A worm that drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.
The worm can spread over AIM instant messaging, opens a backdoor at TCP port 443 and tries to connect to an IRC server and waits for commands. One of the ways this worm can spread is by exploiting the Server Service Vulnerability (MS06-040) and older vulnerabilities including a buffer overflow in the Workstation Service (MS03-049).

Sean
09-17-2006, 03:30 PM
A heuristic detection for the Microsoft Internet Explorer Daxctle.OCX Spline Method Heap Buffer Overflow Vulnerability.
An attacker who exploits this vulnerability could perform a denial-of-service attack against a vulnerable version of Internet Explorer, or potentially execute arbitrary code with the privileges of the logged-on user. The exploit is triggered by viewing a specially-crafted HTML file.
Applies to: Internet Explorer 6, Internet Explorer 7

Snitgirl
09-17-2006, 11:29 PM
phew, so glad I am a Mac User!

Thanks for keeping everyone up to date!

Grubendol
09-18-2006, 11:32 AM
This is why I love Macs

Sean
01-20-2007, 01:34 PM
Storm Worm carries the subject line "230 dead as storm batters Europe,"
People who open the attachment then unknowingly become part of a botnet.
Storm Worm is a Trojan horse with an executable file as an attachment. Cybercriminals took advantage of social engineering, using the news of the European storm to get people to open the attached malicious file, which promises more news on the weather emergency. The recipient must open the file for it to execute.
The file creates a back door to a computer that can be exploited later to steal data or to use the computer to post spam.

Sean
01-26-2007, 03:50 PM
A mass-mailing worm that spreads by copying itself to local drives, network mapped drives and removable storage devices.
Disables keyboard and mouse input when it discovers an active window containing any of the following titles:
RUN
NOTEPAD
UNTITLED

Infects .exe files on all drives.

May send a copy of itself to other computers as an email attachment. The email has the following characteristics:
Subject:
One of the following:

Re:
I don't wish to lost you again!
Please Come Back!
Rindu Yang Tak Tertahankan
Remember Our Past?
Don't Forget Me,please!
Shall I Be The One For You ?
I Miss You So Much !
Please Remember Me.
Still Remember???
I miss U
Ketika Kangen bertemu Rindu
Lama Tak Jumpa
Ketika Rindu bertemu Kangen

Message Body:
One of the following:

I wanna be you friend. So I give you a little present ^_^
Ehm,....would you like to be my friend ?
Please check, tell me if you like it ^_^.
Will I meet You my old friend...
I miss You, I give you a file that will remind you...
Dear My Sweetie..
Here is the file, Thank you for your friendship.
Please, don't forget me...Ok! Take a look at the attacment, you will remember me.
I am missing you, please come back...
I give you the proof that I miss you so much!
Shall I be the one for you?
Still remember me ???
Do you remember me?
Dear My Friend..
Here is the file, Thank you for your cooperative.
Take this, please tell me if there's an error.
Please check, told me if there's a mistake.
Sorry, I forget to send you the document.
I'm oversleep.
Finally, I found the data !, what do you think ??
Here, the file that you want

DragonLensmanWV
01-29-2007, 12:19 PM
Virus: MacOS/Leap.A
CME number: CME-4
Date discovered: 16/02/2006
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file:
File size: 39.596 Bytes
VDF version: 6.33.01.02 (http://www.avira.com/en/threats/section/vdfhistory/vdf_no/6.33.01.02/6.33.01.02.html) - Fri, 17 Feb 2006 06:28 (GMT+1)

General
Method of propagation:
• Messenger


Aliases:
• Symantec: OSX.Leap.A
• Mcafee: OSX/Leap
• Kaspersky: IM-Worm.MSIL.Ltp.a
• Sophos: OSX/Leap-A
• Panda: Trj/Oomp.A!CME-4


Platform / OS:
• Mac


Side effects:
• Drops files
• Drops a malicious file

Files
The following files are created:

– Non malicious files:
• /tmp/pic.gz
• /tmp/pic

– It creates the following archives containing a copy of the malware:
• /tmp/latestpics.tgz
• /tmp/latestpics.tar.gz
• /tmp/apphook.tar

– /tmp/latestpics
– /tmp/hook
– /tmp/apphook
Messenger
Propagation via file
It sends a file with the following name:
• latestpics.tgz