Thread: Virus Alert !

  1. #1
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    Virus Alert !

    I decided to start this thread in order to give ample warning.......not to cause panic. ;) Just thought I would pass on the info.

    W32.Mimail.A@mm

    Distribution since its discovery on August 1st has been high. It's a worm that steals information from your computer. The email has the following characteristics:

    Subject: your account %s
    Attachment: message.zip

    Other info:

    Infection Length:approximately 16kb

    Systems Affected: Windows 95,98,NT,2000 and Windows Me.

    Systems not affected:Macintosh, OS/2, UNIX ,Linux.

  2. #2
    Sean

    W32.Dumaru@mm

    W32.Dumaru@mm is a mass-mailing worm that inserts an IRC Trojan onto the infected machine. The worm gathers email addresses from certain file types and uses its own SMTP engine to email itself.

    Threat Level is considered moderate.

    The email has the following characteristics........


    From: "Microsoft"<security@microsoft.com>

    Subject: Use this patch immediately!

    Message:
    Dear friend, use this Internet Explorer patch now!
    There are dangerous virus in the internet now!
    More than 500,000 already infected!

    Attachment: patch.exe

  3. #3
    Sean

    W32.Welchia.Worm

    W32.Welchia.Worm specifically targets Windows XP. It attempts to download the DCOM RPC patch from Microsoft's Windows Update, install it, and then reboot the computer.

    Checks for other computers within the network.

    Also attempts to remove W32.Blaster.Worm.

    Infection Length: 10,240 bytes

    Systems Affected: Windows XP, Windows 2000

    The worm has also been known to appear as WORM_MSBLAST.D or Lovsan.D

  4. #4
    Sean

    W32.Zush@mm
    Discovered on: August 25, 2003

    W32.Zush@mm is a mass-mailing worm that sends itself to all the addresses in the Microsoft Outlook Address Book.

    Type: Worm
    Infection Length: 9,408

    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
    Systems Not Affected: Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x

    W32.Zush@mm copies itself to %System%\Setup32.exe, and then sends email to all the contacts it finds in the Microsoft Address Book.

    The email has the following characteristics:

    Subject: Vazna informacija!
    Body:
    Hi! I Missed you so much!
    I was on holiday last week so please take a look at my image collection!


    NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


    Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

  5. #5
    Sean

    W32.Hopalong@mm
    Discovered on: August 25, 2003

    W32.Hopalong@mm is a mass-mailing worm that sends itself to any addresses in the Microsoft Outlook Address Book. The email has the following characteristics:

    Subject: Look At This!!!
    Message: You have to see this file its so funny!
    Attachments: hop_along.exe

    Type: Worm
    Infection Length: 21,520

    Systems Affected: Windows 95, Windows 98
    Systems Not Affected: Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 2000, Windows 3.x, Windows Me, Windows NT, Windows XP

    Damage

    Payload:
    Large scale e-mailing: Sends itself to all the addresses in Outlook Address Book.
    Modifies files: Replaces logo.sys with its own version.

    Subject of email: Look At This!!!
    Name of attachment: hop_along.exe
    Size of attachment: 21,520

    When W32.Hopalong@mm is executed, it performs the following actions:

    Copies itself to C:\Windows\Hop_along.exe.

    Drops the file, C:\Windows\Hop_along.vbs, and then executes it. This file performs the mass-mailing routine, sending a copy of the worm to every address in the Microsoft Outlook Address Book.

  6. #6
    Sean
    W32.Beagle.B@mm
    Discovered on: February 17, 2004
    Last Updated on: February 17, 2004 01:13:05 PM


    W32.Beagle.B@mm is a mass-mailing worm that opens a backdoor on TCP port 8866. The worm utilizes its own SMTP engine for email propagation, and has the ability to contact the author of the worm with the port that the backdoor is listening on and a randomized ID number.

    The email has the following characteristics:

    From: <spoofed>
    Subject: ID <random characters>... thanks
    Attachment: <random characters>.exe
    Initial builds may detect this threat as W32.Alua@mm or W32.Aula@mm.

    --------------------------------------------------------------------------------


    Also Known As: W32.Alua@mm, Win32/Bagle.B.Worm [Computer Associates], Bagle.B [F-Secure], W32/Bagle.b@MM [McAfee], W32/Bagle.B@mm [Norman], WORM_BAGLE.B [Trend Micro], W32/Bagle.B.worm [Panda], W32/Tanx-A [Sophos]


    Infection Length: 11,264 Bytes

    When W32.Beagle.B@mm is executed, it performs the following actions:


    Checks the local time. If the local time is after the end of February 25th, 2004, the worm exits.


    If it is not executed from %system%\au.exe, it launches sndrec32.exe, the Windows Sound Recorder.

    --------------------------------------------------------------------------------
    Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    --------------------------------------------------------------------------------

    If the file %System%\au.exe doesn't exist, it will copy itself to that location. If it copies itself to %System%\au.exe, it will launch the newly created copy, and terminate itself.


    Adds the value:

    "au.exe"="%System%\au.exe"

    to the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    This modification causes the worm to execute as Windows is started.


    Adds the following two values:

    "frn" = "0x00000001" or "frn" = "0x00000000"

    and

    "gid" = "<random value>"

    to the registry key: HKEY_CURRENT_USER\SOFTWARE\Windows2000

    The random value that is inserted in the "gid" key is used as a unique identifier by the author.


    Opens a backdoor on TCP port 8866 that allows an attacker to upload files to the infected computer. Any file that is uploaded will be saved in the %System% folder, and then executed.


    Sends HTTP GET requests every 10,000 seconds to the following Web sites on TCP port 80:

    www.strato.de/1.php
    www.strato.de/2.php
    www.47df.de/wbboard/1.php
    www.intern.games-ring.de/2.php

    The GET request includes the port number that the infected computer is listening on, and the ID number that is saved in the "gid" key in the Windows registry. Also, by connecting to the webserver, the IP address will be sent.


    Scans files on local drives with the following extensions for email addresses:

    .wab
    .txt
    .htm
    .html


    Uses its own SMTP engine to send itself to email addresses found above. This worm contains its own MIME encoding routine, and it will compose the email in memory and send it to all email addresses it finds.

    The email has the following characteristics:

    From: <spoofed>
    Subject: ID <random characters>... thanks
    Body:
    Yours ID <random characters>
    - -
    Thank
    Attachment: <random characters>.exe

    The worm will not send any emails to addresses containing any of the following strings:

    @hotmail.com
    @msn.com
    @microsoft
    @avp.


    --------------------------------------------------------------------------------
    Note: W32.Beagle.B@mm is coded to stop at the end of February 25th, 2004.
    --------------------------------------------------------------------------------
    Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
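Added example (written for this thread, not code from the posts or from any vendor writeup): a mail-gateway triage check in Python that applies the attachment-extension policy from the mitigation lists in posts #4 and #6 together with the subject and attachment characteristics quoted for each worm, run over constructed sample messages. The sender addresses and attachment bytes are constructed placeholders; the patterns for Zush are left out because the thread gives no attachment name for it.

```python
import re
from email.message import EmailMessage

# Extensions the thread's mitigation list says to block or strip at the mail server.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}

# (name, subject pattern, attachment-name pattern) from the characteristics quoted in the
# thread for each worm; Zush is omitted because no attachment name is given for it.
WORM_INDICATORS = [
    ("W32.Mimail.A@mm", re.compile(r"^your account\b", re.I), re.compile(r"^message\.zip$", re.I)),
    ("W32.Dumaru@mm", re.compile(r"^Use this patch immediately!$", re.I), re.compile(r"^patch\.exe$", re.I)),
    ("W32.Hopalong@mm", re.compile(r"^Look At This!!!$", re.I), re.compile(r"^hop_along\.exe$", re.I)),
    ("W32.Beagle.B@mm", re.compile(r"^ID .*\.\.\. thanks$", re.I), re.compile(r"\.exe$", re.I)),
]

def attachment_names(msg):
    """Filenames of all attachment parts; empty for a single-part message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

def triage(msg):
    """Apply the extension policy and the worm indicators; return the verdict as a dict."""
    names = attachment_names(msg)
    subject = msg.get("Subject", "")
    blocked = [n for n in names if any(n.lower().endswith(e) for e in BLOCKED_EXTENSIONS)]
    matched = [name for name, subj_re, att_re in WORM_INDICATORS
               if subj_re.search(subject) and any(att_re.search(n) for n in names)]
    return {"block": bool(blocked or matched), "blocked_attachments": blocked, "worm": matched}

def build_message(sender, subject, body, attachment=None):
    """Construct a sample message; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        fname, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg

# Constructed samples modelled on the email characteristics quoted in the thread;
# the attachment bytes are dummies, not worm code.
SAMPLES = {
    "dumaru": build_message('"Microsoft" <security@microsoft.com>', "Use this patch immediately!",
                            "Dear friend, use this Internet Explorer patch now!", ("patch.exe", b"MZ\x00")),
    "beagle": build_message("spoofed@example.invalid", "ID x7q2d... thanks", "Yours ID x7q2d",
                            ("x7q2d.exe", b"MZ\x00")),
    "mimail": build_message("a@example.invalid", "your account 123", "see attached", ("message.zip", b"PK\x03\x04")),
    "clean": build_message("b@example.invalid", "invoice", "see attached", ("invoice.pdf", b"%PDF")),
}
```

The Mimail sample shows why the signature layer matters: message.zip passes the extension policy and is caught only by the subject/attachment pairing.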

  7. #7
    OptiBoard Novice
    Join Date
    Feb 2005
    Location
    Montreal
    Posts
    2

    Anti Keylogger Info

    An antidote against keyloggers is an application called SECURE SHIELDED PASSWORD KEYS MANAGER. Even if your computer would be infected by keyloggers, this program effectively neutralizes key logging. It does not remove the offending malware. But what it does is it bypasses keyboard keying when you do a log on, and protects your password and identity against one kind of cyber crime that plagues the highways of the Internet: identity theft through keyloggers.

    M.
