
Thread: Virus Alert !

  1. #1
    Sean (OptiBoard Gold Supporter; joined Jun 2000; location NC & MA; occupation Dispensing Optician; 2,798 posts)

    Virus Alert !

    VBS.Krim
    VBS.Krim is a mass-mailing worm that sends itself to contacts in the Microsoft Outlook address book and propagates through IRC. It also attempts to format the infected computer's C: drive if the worm does not find a file that it creates.
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


    Details
    VBS.Krim arrives as an attachment to an email with the following characteristics:

    Subject: SYMANTEC NORTON ANTIVIRUS
    Body: REMOVE VIRUS SASSER
    Attachment: mirko.bat


    If the worm locates an mIRC installation, it creates a script.ini file to send itself to other IRC users.


    If the C:\autoexec.bat file exists, but C:\mirko.bat does not exist, the worm attempts to add a format command to C:\autoexec.bat.


    Displays the following message:

    Hello %username%


    Launches C:\mirko.vbs and sends itself to all email addresses in the Outlook address book.

  2. #2
    Sean

    W32.Erkez.B@mm

    Creates the mutex "_Hazafibb," which allows only one instance of the worm to run in memory.


    Copies itself to the %System% folder as:
    An eight-character, random file name with a .exe extension
    An eight-character, random file name with a .dll extension.

    Uses its own SMTP engine to send itself to the email addresses that it finds.

    The email has the following characteristics:

    From: The "From:" field of the email is spoofed.

    The rest of the email will be one of the following:


    To: Claudia
    Subject: Importante!
    Attachment: "link.informacion.phpV23.text.message.pif"
    Message:
    Informacion importante que debes conocer, -


    To: Katya
    Subject: oKatya
    Attachment: "view.link.index.image.phpV23.sexHdg21.pif"


    To: Eva
    Subject: E-Kort!
    Attachment: "link.ekort.index.phpV7ab4.kort.pif"
    Message: Mit hjerte banker for dig!


    To: Marica
    Subject: Ecard!
    Attachment: "link.showcard.index.phpAv23.ritm.pif"
    Message:
    De cand te-am cunoscut inima mea are un nou ritm!


    To: Anna
    Subject: E-vykort!
    Attachment: "link.vykort.showcard.index.phpBn23.pif"
    Message: Till min Alskade...


    To: Erica
    Subject: E-Postkort!
    Attachment: "link.postkort.showcard.index.phpAe67.pif"
    Message: Vakre roser jeg sammenligner med deg...


    To: Katarina
    Subject: E-postikorti!
    Attachment: "link.postikorti.showcard.index.phpGz42.pif"
    Message: Iloista kesaa!


    To: Magdolina
    Subject: Atviruka!
    Attachment: "link.atviruka.showcard.index.phpGz42.pif"
    Message: Linksmo gimtadieno! ha


    To: Beate
    Subject: E-Kartki!
    Attachment: "link.kartki.showcard.index.phpVg42.pif"
    Message: W Dniu imienin...


    To: Eva
    Subject: Cartoe Virtuais!
    Attachment: "link.cartoe.viewcard.index.phpYj39.pif"
    Message: Content: Te amo... ,


    To: Alice
    Subject: Flashcard fuer Dich!
    Attachment: "link.flashcard.de.viewcard34.php.2672aB.pif"
    Message:
    Hallo!
    hat dir eine elektronische Flashcard geschickt.
    Um die Flashcard ansehen zu koennen, benutze in deinem Browser
    einfach den nun folgenden link:
    http://flashcard.de/interaktiv/viewc...card=267BSwr34
    Viel Spass beim Lesen wuenscht Ihnen ihr...


    To: Eva
    Subject: Er staat een eCard voor u klaar!
    Attachment: "postkaarten.nl.link.viewcard.index.phpG4a62.pif"
    Message:
    Hallo!
    heeft u een eCard gestuurd via de website nederlandse
    taal in het basisonderwijs...
    U kunt de kaart ophalen door de volgende url aan te klikken of te
    kopiren in uw browser link:
    http://postkaarten.nl/viewcard.show53.index=04abD1
    Met vriendelijke groet,
    De redactie taalsite primair onderwijs...


    To: Hanka
    Subject: Elektronicka pohlednice!
    Attachment: "link.seznam.cz.pohlednice.index.php2Avf3.pif"
    Message:
    Ahoj!
    Elektronick pohlednice ze serveru http://www.seznam.


    To: Claudine
    Subject: E-carte!
    Attachment: "link.zdnet.fr.ecarte.index.php34b31.pif"
    Message:
    vous a envoye une E-carte partir du site zdnet.fr
    Vous la trouverez, l'adresse suivante link:
    http://zdnet.fr/showcard.index.php34bs42
    www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
    en 5 minutes, du dialogue en direct...


    To: Francesca
    Subject: Ti e stata inviata una Cartolina Virtuale!
    Attachment: "link.cartoline.it.viewcard.index.4g345a.pif"
    Message:
    Ciao!
    ha visitato il nostro sito, cartolina.it e ha creato una
    cartolina virtuale per te! Per vederla devi fare click
    sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
    Attenzione, la cartolina sara visibile sui nostri server per
    2 giorni e poi verra rimossa automaticamente.


    To: Jennifer
    Subject: You`ve got 1 VoiceMessage!
    Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"
    Message:
    Dear Customer!
    You`ve got 1 VoiceMessage from voicemessage.com website!
    Sender:
    You can listen your Virtual VoiceMessage at the following link:
    http://virt.voicemessage.com/index.listen.php2=35affv
    or by clicking the attached link.
    Send VoiceMessage! Try our new virtual VoiceMessage Empire!
    Best regards: SNAF.Team (R).


    To: Anita
    Subject: Tessek mosolyogni!!!
    Attachment: "meztelen csajok fociznak.flash.jpg.pif"
    Message:
    Ha ez a k=E9p sem tud felviditani, akkor feladom!
    Sok puszi:


    To: Anita
    Subject: Soxor Csok!
    Attachment: "anita.image043.jpg.pif"
    Message:
    Szia!
    Aranyos vagy, j=F3 volt dumcsizni veled a neten!
    Rem=E9lem tetszem, =E9s szeretn=E9m ha te is k=FClden=E9l k=E9pet
    magadr=F3l, addig is cs=F3k:


    To: Jennifer
    Subject: Don`t worry, be happy!
    Attachment: "www.ecard.com.funny.picture.index.nude.php356.pif"
    Message:
    Hi Honey!
    I`m in hurry, but i still love ya...
    (as you can see on the picture)
    Bye - Bye:


    To: David
    Subject: Check this out kid!!!
    Attachment: "jennifer the wild girl xxx07.jpg.pif"
    Message:
    Send me back bro, when you`ll be done...(if you know what i mean...)
    See ya,
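
The two write-ups above (posts #1 and #2) describe the same lure pattern from the defender's side: a forged From address, a short list of subjects, and an attachment that Windows will execute (mirko.bat, or a .pif hidden behind a decoy extension such as "anita.image043.jpg.pif"). The following is an added example, not code from the forum post or from the vendor write-ups it quotes. It takes a raw RFC 822 message, pulls out the subject and every attachment file name, and returns the reasons a mail gateway would quarantine it; the subject list is an assumed operator-maintained list, the decoy and executable extension sets are assumptions that also cover the .bat/.cmd/.com/.exe/.pif/.scr/.vbs/.vbe/.hta attachments named later in the thread, and the three sample messages are constructed.

```python
"""Mail triage for the e-mail lures described in posts #1 and #2.

Added example; not code from the forum post or from the vendor write-ups it
quotes.  Given a raw RFC 822 message it extracts the subject and the attachment
file names and returns the reasons a gateway would quarantine it.
The subject list and the sample messages are constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click.  .bat, .pif, .scr, .vbs, .vbe and
# .hta all appear as attachment types somewhere in this thread (assumed set).
EXECUTABLE_EXT = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs", ".vbe", ".hta"}
# "Innocent" extensions the lures put in front of the real one
# ("anita.image043.jpg.pif").  Assumed set.
DECOY_EXT = {".jpg", ".gif", ".png", ".txt", ".doc", ".pdf", ".htm", ".html"}
# Subjects quoted in posts #1 and #2, lower-cased.  An assumed operator-maintained
# list, not a complete signature set.
KNOWN_SUBJECTS = {
    "symantec norton antivirus",
    "importante!", "okatya", "e-kort!", "ecard!", "e-vykort!", "e-postkort!",
    "check this out kid!!!", "don`t worry, be happy!",
}


def attachment_names(msg):
    """File names of every MIME part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def extensions(name):
    """'anita.image043.jpg.pif' -> ['.image043', '.jpg', '.pif']"""
    return ["." + p for p in name.lower().split(".")[1:]]


def triage(raw: bytes):
    """Return a list of human-readable reasons; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip()
    if subject.lower() in KNOWN_SUBJECTS:
        reasons.append(f"subject matches known lure: {subject!r}")
    for name in attachment_names(msg):
        exts = extensions(name)
        if exts and exts[-1] in EXECUTABLE_EXT:
            reasons.append(f"executable attachment: {name}")
            decoys = [e for e in exts[:-1] if e in DECOY_EXT]
            if decoys:
                reasons.append(f"double extension disguised as {decoys[-1]}: {name}")
    return reasons


def build_sample(subject, attachment, body):
    """Constructed message; the From address is forged, as the posts describe."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    # Constructed attachment body: a fake MZ header, not a real executable.
    m.add_attachment(b"MZ" + b"\0" * 32, maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_bytes()


KRIM_SAMPLE = build_sample("SYMANTEC NORTON ANTIVIRUS", "mirko.bat", "REMOVE VIRUS SASSER")
ERKEZ_SAMPLE = build_sample("Check this out kid!!!", "jennifer the wild girl xxx07.jpg.pif",
                            "Send me back bro, when you`ll be done...")
CLEAN_SAMPLE = build_sample("Invoice for March", "invoice-march.pdf", "See attached.")

if __name__ == "__main__":
    for label, raw in [("Krim", KRIM_SAMPLE), ("Erkez", ERKEZ_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(label, triage(raw) or "no findings")
```

The attachment check deliberately looks at the last extension only when deciding whether a file is executable, and at the earlier ones only to explain the disguise; a gateway that matched on the decoy extension first would wave "picture.jpg.pif" through as an image.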

  3. #3
    hcjilson (Cape Codger, OptiBoard Gold Supporter; joined May 2000; location Cape Cod, Hyannis, MA. USA; occupation Dispensing Optician; 7,437 posts)
    I think I'll relax a bit today! :):):)
    "Always laugh when you can. It is a cheap medicine"
    Lord Byron

    Take a photo tour of Cape Cod and the Islands!
    www.capecodphotoalbum.com

  4. #4
    Sean
    Quote (originally posted by hcjilson): I think I'll relax a bit today! :):):)
    I'm gonna have to get me a bumper sticker that reads something like................."My OptiBoard Mentor Uses a Mac....... Do You?" :bbg:

  5. #5
    Sean
    W32.Korgo.O

    When W32.Korgo.O is executed, it performs the following actions:
    Deletes the file, ftpupd.exe, from the folder in which the worm was executed.
    Creates the following mutexes to ensure that only one instance of the worm is executed on the computer:

    u8
    u9
    u10
    u11
    u12
    u13
    u14
    uterm14
    Creates the event object "u13x".
    Opens the following event objects:

    u10x
    u11x
    u12x


    Deletes values:

    "Windows Security Manager"
    "Disk Defragmenter"
    "System Restore Service"
    "Bot Loader"
    "SysTray"
    "WinUpdate"
    "Windows Update Service"
    "avserve.exe"
    "avserve2.exeUpdate Service"
    "MS Config v13"

    from the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    Copies itself as %System%\<random filename>.exe.
    Adds the values:

    "Client"="1"
    "ID"="<random value>"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless


    Adds the value:

    "Windows Update"="%System%\<random filename>.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    Attempts to inject a function into Explorer.exe as a thread.

    If successful, this threat will continue to run in the Explorer.exe process. All the actions described in the next step will appear to be done by Explorer.exe, and the worm will not show when viewing the process list in the Windows Task Manager.

    If unsuccessful, the worm will continue to run as its own process.


    Creates additional threads and does the following:


    Note: While the worm creates these threads, it prevents the computer from shutting down or restarting.

    Opens TCP ports 113, 5111, and a random port between 256 and 8191, which the worm uses to send itself out.


    Attempts to connect and update itself from one of the following HTTP servers:

    adult-empire.com
    asechka.r
    citi-bank.ru
    color-bank.ru
    crutop.nu
    cvv.ru
    fethard.biz
    filesearch.ru
    f***.ru
    goldensand.ru
    hackers.lv
    kavkaz.ru
    kidos-bank.ru
    konfiskat.org
    lovingod.host.sk
    master-x.com
    mazafaka.ru
    padonki.org
    parex-bank.ru
    trojan.ru
    xware.cjb.net

    Attempts to exploit the LSASS Windows vulnerability on TCP port 445 (described in Microsoft Security Bulletin MS04-011), against random IP addresses. If the worm successfully finds a vulnerable computer, the computer will attempt to reconnect to the infected computer to download the worm. :(

  6. #6
    Sean

    New Trojan....................

    New Trojan Steals Banking Information
    A new Trojan virus is posing a threat to online banking customers.
    The carrier of the threat, "img1big.gif," poses as an image file.
    The file is not an image at all, but a file-dropper Trojan composed of a pair of Win32 executable programs compressed together using the Open Source executable compressor UPX.
    The Trojan installs a Browser Helper Object (BHO) on Internet Explorer version 4.X and higher. One of the two sets of code performs the initial install, the other performs the BHO install. Once the BHO is up, it looks for secure access to the URLs of several dozen banking and financial sites around the globe and "grabs any outbound POST/GET data from within IE before it is encrypted by SSL."
    The outbound data--including user names and passwords--is sent over an HTTP connection created by the Trojan to the address http://www.refestltd.com/cgi-bin/yes.pl.
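
Posts #5 and #6 both come down to registry persistence: Korgo.O (post #5) deletes a list of Run-key value names, adds "Windows Update" pointing at an eight-character executable in %System%, and writes Client/ID under HKLM\SOFTWARE\Microsoft\Wireless; the banking Trojan (post #6) registers a Browser Helper Object. The following is an added example, not code from the posts or from the vendor write-ups they quote. It parses a `reg export` text dump offline and applies those checks; the Run-key names come from post #5, the BHO key path is the standard Browser Helper Objects key, the system-folder roots are assumed, and the dump (including its CLSID) is constructed.

```python
"""Offline review of a 'reg export' dump for the persistence described in
posts #5 (W32.Korgo.O) and #6 (the banking BHO Trojan).

Added example; not code from the posts or from the vendor write-ups.  It parses
the .reg text format and then:
  * flags Run-key values whose name post #5 lists, and Run-key targets that are
    an eight-character executable in the system folder (the post says Korgo
    copies itself as %System%\\<random filename>.exe);
  * reports the Client/ID marker the post says Korgo writes under
    HKLM\\SOFTWARE\\Microsoft\\Wireless;
  * lists every CLSID registered as a Browser Helper Object (post #6).  BHOs are
    a legitimate extension point, so the list is for comparison against a
    known-good allowlist, not a verdict by itself.
The dump below is constructed; the CLSID in it is a placeholder.
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WIRELESS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")  # assumed roots

# Value names post #5 lists: the ones Korgo.O deletes plus the one it adds.
KORGO_RUN_NAMES = {
    "Windows Security Manager", "Disk Defragmenter", "System Restore Service",
    "Bot Loader", "SysTray", "WinUpdate", "Windows Update Service", "avserve.exe",
    "avserve2.exeUpdate Service", "MS Config v13", "Windows Update",
}


def _parse_value(line):
    """'"name"="data"' or '@="data"' -> (name, data); None for other forms."""
    if line.startswith("@="):
        name, rest = "@", line[2:]
    elif line.startswith('"'):
        end = line.index('"', 1)
        while line[end - 1] == "\\":          # escaped quote inside the name
            end = line.index('"', end + 1)
        name, rest = line[1:end], line[end + 1:]
        if not rest.startswith("="):
            return None
        rest = rest[1:]
    else:
        return None
    if len(rest) >= 2 and rest.startswith('"') and rest.endswith('"'):
        rest = rest[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return name, rest                          # dword:/hex: data kept verbatim


def parse_reg(text):
    """Return {key_path: {value_name: data}}."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")   # '[-key]' is a delete request
            tree.setdefault(current, {})
            continue
        parsed = _parse_value(line)
        if parsed and current is not None:
            tree[current][parsed[0]] = parsed[1]
    return tree


def run_key_findings(tree):
    """(value name, target, reason) for suspicious Run-key entries."""
    findings = []
    for name, target in tree.get(RUN_KEY, {}).items():
        if name in KORGO_RUN_NAMES:
            findings.append((name, target, "value name listed for W32.Korgo.O"))
        low = target.lower().strip('"')
        for root in SYSTEM_DIRS:
            if low.startswith(root):
                stem = low[len(root):].split(".")[0]
                if len(stem) == 8 and stem.isalnum():
                    findings.append((name, target, "eight-character executable in system folder"))
    return findings


def korgo_marker_present(tree):
    vals = tree.get(WIRELESS_KEY, {})
    return vals.get("Client") == "1" and "ID" in vals


def bho_clsids(tree):
    prefix = BHO_KEY + "\\"
    return sorted({k[len(prefix):].split("\\")[0] for k in tree if k.startswith(prefix)})


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example Updater"="C:\\Program Files\\Example\\updater.exe"
"Windows Update"="C:\\WINDOWS\\system32\\qkfztwbx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless]
"Client"="1"
"ID"="5931884"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-00000000BEEF}]
@="placeholder BHO entry (constructed)"
"""

if __name__ == "__main__":
    tree = parse_reg(SAMPLE_REG)
    for finding in run_key_findings(tree):
        print("Run key:", finding)
    print("Korgo Wireless marker:", korgo_marker_present(tree))
    print("BHO CLSIDs to review:", bho_clsids(tree))
```

Reviewing an export rather than the live hive keeps the check usable on a disk image and avoids the process-injection trick post #5 describes, where the running worm hides inside Explorer.exe but its Run value is still on disk.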

  7. #7
    Sean

    Windows CE

    First Virus for Windows Mobile Pocket PC
    WinCE4.Dust is the first known Windows CE virus to run on ARM based devices running Windows Mobile Pocket PC.
    This is a live, working proof of concept virus that infects all .EXE files in the root directory of the Pocket PC device.
    WinCE4.Dust does no serious or permanent damage to the infected device, with the exception of infecting .exe files in the root directory. Infected files will run the viral code on execution and will then continue to operate as normal.

    It first determines if the listed .exe file is the currently executed program, and then makes sure the target .exe is not already infected. If the file has been infected, it will be marked with the word “atar” at the offset 0x11C. This is used during the infection process to see if the file was already infected. The virus will keep re-infecting files over and over until the device runs out of memory.
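
Because the post says the infection marker is the fixed word "atar" at offset 0x11C, a defender can check a device's root directory with a four-byte read per file. The following is an added example, not code from the post or from any vendor tool; it reads only the marker bytes from each .exe, does not recurse (the post says only the root directory is touched), and the files it writes to a temporary directory are constructed stand-ins, not real Pocket PC binaries.

```python
"""Check .exe files for the WinCE4.Dust infection marker described in post #7.

Added example, not code from the post.  The post states an infected file is
marked with the word "atar" at offset 0x11C; this reads just those bytes, so it
is cheap to run over a device image mounted on an analysis host.  The files
written below are constructed stand-ins, not real Pocket PC binaries.
"""
import os
import tempfile

MARKER = b"atar"
MARKER_OFFSET = 0x11C


def has_dust_marker(data: bytes) -> bool:
    """True if the four bytes at 0x11C spell the marker (short files never match)."""
    return data[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER


def scan_directory(path):
    """Names of .exe files directly in `path` that carry the marker.

    Non-recursive on purpose: the post says the virus only touches the root
    directory.  Only the marker bytes are read from each file.
    """
    hits = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if not name.lower().endswith(".exe") or not os.path.isfile(full):
            continue
        with open(full, "rb") as f:
            f.seek(MARKER_OFFSET)
            if f.read(len(MARKER)) == MARKER:
                hits.append(name)
    return sorted(hits)


def make_demo_dir():
    """Constructed directory: one clean .exe, one marked .exe, one marked non-.exe."""
    d = tempfile.mkdtemp(prefix="dust_demo_")
    clean = b"MZ" + b"\0" * 0x200
    marked = bytearray(clean)
    marked[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] = MARKER
    for name, data in (("calc.exe", clean), ("notes.exe", bytes(marked)),
                       ("readme.txt", bytes(marked))):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    demo = make_demo_dir()
    print("marked executables:", scan_directory(demo))
```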

  8. #8
    Sean
    Yet Another Bagle Variant Spreads
    Network administrators returning to work after the weekend can enjoy a fresh Bagle with their coffee--and no, it's not that kind of bagel. Antivirus companies are warning of another virulent new version of the Bagle e-mail worm, dubbed Bagle.AG.
    E-mail messages generated by the worm used forged (or "spoofed") sender addresses and vague subject lines such as "Re:," "fotogalary," "Lovely animals," and "Screen." Worm-infected file attachments might be in .zip, .exe, .scr, or other common formats and also have nonspecific names like "Moreinfo," "Details," or "Readme."
    Infected file attachments use one of a short list of names including "Foto3," "Secret," "Doll," and "Cat."


    The worm can also send copies of itself as a password-protected compressed file with a .zip extension.
    The compressed files are used to shrink one or more larger files, often for transmission on disk or over the Internet. Recipients must decompress or "unzip" the attachments to view the worm file, which they must open to become infected.


    When run, Bagle.AG harvests e-mail addresses from files stored on the infected computer's hard drive and installs its own SMTP engine, which is used to send out large volumes of infected e-mail messages from machines infected by the worm.

    Like earlier versions of Bagle, the AG variant also copies itself to Windows folders that could be used by file sharing programs, using a long list of names to disguise the worm file as popular downloads on peer to peer file sharing networks like Adobe Systems' Photoshop image editing program, the Matrix Revolutions film and pornography.

  9. #9
    Sean

    A little more info on this.............

    This is a mass-mailing worm that opens a backdoor on TCP port 1042 and uses its own SMTP engine to spread through email. The worm’s potential impact includes clogged mail servers or degraded network performance. It also spreads via file sharing / peer-to-peer. It is a new variant of the W32.Beagle family of worms, is functionally similar to W32.Beagle.x
    The email message from address will be spoofed. The subject, body and file attachment of the message vary. :(

  10. #10
    Sean

    W32.Mydoom.M@mm mass-mailing worm:

    The W32.Mydoom.M@mm mass-mailing worm:

    - Uses its own SMTP engine to send itself to all the email addresses that it finds from an infected system.
    - The email has an attachment with a .bat, .cmd, .com, .exe, .pif, .scr, or .zip extension.
    - The attachment name may contain a randomly selected domain, which was found on the sender's system.

    For example, the attachment name could contain fakedomain.com if the address x@fakedomain.com was harvested.

    - The From field of the email is spoofed.
    - Downloads and executes a backdoor, which is detected as Backdoor.Zincite.A, on port 1034/tcp.
    - Is packed by UPX.

  11. #11
    Sean

    W32.Bugbros.C@mm

    This is a mass-mailing worm that sends itself to all of the addresses in the Microsoft Outlook Address Book. The email has the following characteristics:

    Subject: New products
    Attachment: Twunk_64.exe
    Message:

    "Hi,
    Update your Windows PC with Microsoft Windows Panel. This tool is free and provided by Microsoft. For more info read the disclaimer when you run the program.
    bye"

    Sends the message to all the addresses in the Microsoft Outlook Address Book.

  12. #12
    Sean

    W32.Korgo.AB

    W32.Korgo.AB is a worm that attempts to spread by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability, described in Microsoft Security Bulletin MS04-011, on TCP port 445.
    W32.Korgo.AB is a worm that uses a dll file to spread to remote computers.
    Once W32.Korgo.AB is executed, it performs the following actions:


    Adds the value:

    "SQL"= "[12 randomly chosen ASCII characters]"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataAccess


    Sends itself to the remote systems that it successfully exploited.


    Attempts to contact a PHP script at one of the following domains, sending information about the compromised host:

    citi-bank.ru
    color-bank.ru
    kidos-bank.ru
    parex-bank.ru
    www.redline.ru


    Attempts to download and execute a file from a specified remote host.


    Sends HTTP requests to the following domains:
    adult-empire.com
    bankofny.com
    citi-bank.ru
    citibank.com
    crutop.nu
    cvv.ru
    fethard.biz
    filesearch.ru
    kaspersky.com
    konfiskat.org
    master-x.com
    prodexteam.net
    roboxchange.com
    www.kaspersky.com
    www.pandasoftware.com
    www.riaa.com
    www.sophos.com
    www.symantec.com
    www.trendmicro.com
    xware.cjb.net

  13. #13
    Sean

    Hacktool.JPEGDownload

    Hacktool.JPEGDownload is a program that can be used to generate .jpg files that exploit the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028). The .jpg files that this Trojan generates can download a URL hardcoded in the .jpg file.
    When Hacktool.JPEGDownload runs, it performs the following actions:


    Displays a message box with the title "JPEG Downloader by [ATmaCA]".


    Invites the user to enter a URL that will be downloaded by the .jpg file generated by the Trojan.


    Generates a .jpg file when the user clicks "Make". This .jpg file exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028) and downloads a URL hardcoded into the .jpg file.
    Displays information about the program when the user clicks "About".

  14. #14
    Sean

    Worm Crawls Through MSN Messenger

    Security researchers are warning of a new worm, dubbed "Funner," targeting Microsoft's MSN Messenger instant messaging application.

    The worm propagates by sending a copy of itself, disguised as "funny.exe," to contacts found through MSN Messenger.


    The worm then makes registry modifications and overwrites entries in the Hosts file, a list used to map IP (Internet Protocol) addresses to Web sites.
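
Hosts-file tampering of the kind described here is easy to audit because the file has a fixed, line-oriented format. The following is an added example, not code from the post: it parses each `IP  name [name ...]  # comment` line, ignores plain localhost entries, and reports a security or update vendor name pointed anywhere (a common way to block antivirus updates), any other name pinned to loopback, and any name redirected to a non-loopback address. The vendor list is an assumption of what an operator would watch, and the sample hosts content is constructed.

```python
"""Audit a Windows hosts file for the overwrites post #14 attributes to Funner.

Added example, not code from the post.  Each line is 'IP  name [name ...]  # comment'.
Entries are classified as: a watched security/update vendor name pointed anywhere,
any other name pinned to loopback, or a name mapped to a non-loopback address.
The vendor list is an assumption; the sample file is constructed.
"""
import ipaddress

WATCHED_DOMAINS = ("symantec.com", "mcafee.com", "sophos.com", "kaspersky.com",
                   "trendmicro.com", "windowsupdate.com", "microsoft.com")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """[(ip_address, hostname, line_no)], skipping comments and malformed lines."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue          # not an address; leave for the operator to eyeball
        for host in fields[1:]:
            entries.append((ip, host.lower().rstrip("."), n))
    return entries


def is_watched(host):
    """Exact or subdomain match, so 'notsymantec.com' does not count."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """[(line_no, hostname, ip, reason)] for every entry that is not plain localhost."""
    findings = []
    for ip, host, n in parse_hosts(text):
        if ip.is_loopback and host in LOCAL_NAMES:
            continue
        if is_watched(host):
            reason = "security/update vendor name overridden"
        elif ip.is_loopback:
            reason = "name blackholed to loopback"
        else:
            reason = "name redirected to non-loopback address"
        findings.append((n, host, str(ip), reason))
    return findings


SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com   liveupdate.symantec.com
127.0.0.1       ads.example.invalid      # could be an ad blocker, still report it
203.0.113.7     www.mybank.example       # documentation-range address, constructed
this is not a hosts line
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Loopback entries for names other than localhost are reported rather than silently accepted: an ad blocker writes the same shape of line, so the operator, not the script, decides which of those are expected.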

  15. #15
    Sean

    PWSteal.Bancos.O

    PWSteal.Bancos.O is a Trojan horse program that logs keystrokes and steals information entered into certain banking Web sites. It also steals all passwords stored in the Microsoft Outlook account manager.

    Monitors active Internet Explorer windows. The Trojan logs keystrokes and other user actions when the user visits a URL that contains one of the following substrings:
    adelaidebank.com.au
    bankone.com.au
    banksa.com.au/default.asp?msrc=/code/internet_banking
    bankwest.com.au
    benbank.com.au
    bendigobank.com.au
    butterfielddirect.com
    cajamadrid
    citibank
    client.ccf.fr
    commbank.com.au
    direct-validate.bankofamerica.com
    etrade.com.ua
    firstdirect.com
    halifax-online.co.uk
    hangseng.com
    hsbc
    ibank.barclays.co.uk
    internationalbanking
    lloydstsb.com
    macquarie.com.au
    national.com.au
    nationwide.co.uk/default.htm
    navyfcu.org
    sabb.com
    stgeorge.com.au
    suncorp.com.au
    Logged information is sent to a remote web server with an IP address of 69.50.166.66.

  16. #16
    Poster title: Manuf. Lens Surface Treatments (joined Aug 2002; location in Naples FL for the Winter months; occupation Other Optical Manufacturer or Vendor; 23,240 posts)

    My Doom .............................

    MyDoom back for more [Internet News]
    Another MyDoom variant is back and threatening Internet users by spreading through e-mail addresses found on popular search engines, security experts said.
    http://www.internetnews.com/security/article.php/3484111

  17. #17
    Sean

    Trojan.Tooso.C

    Trojan.Tooso.C is emailed as an attachment by a variant in the W32.Beagle@mm family of worms.

    The attachment has the following file names:

    price.zip
    price2.zip
    price_new.zip
    price_08.zip
    08_price.zip
    newprice.zip
    new_price.zp
    new__price.zip

  18. #18
    Sean

    VBS.Allem@mm

    VBS.Allem@mm is a mass-mailing worm that sends itself to email addresses it finds in the Microsoft Outlook Address Book. It also spreads using MIRC, and copies itself as .VBS and .VBE files. VBS.Allem@mm is an encrypted VBScript worm that lowers security settings and deletes files.
    The email will have the following characteristics:

    Subject: it's my porn pic

    Message: see my porn pic

    Attachment: Siti-Nurhaliza.jpg.vbs

  19. #19
    Sean

    W32.Toxbot

    Installs a back door allowing a remote attacker to have unauthorized access to the compromised computer via IRC channels. The back door allows the remote attacker to perform the following actions:

    Log keystrokes
    End processes
    Steal cached passwords
    Steal system information
    Download remote files

  20. #20
    Sean

    VBS.Ypsan.E@mm

    VBS.Ypsan.E@mm is a mass-mailing worm that sends itself to all email addresses gathered from the Windows Address Book and attempts to shut down the compromised computer.
    The E-mail contains ......

    Subject:
    The Info That You Asked For

    Message Body
    The information that you asked for is attached to this email.

    Attachment:
    All Users.vbe

  21. #21
    Sean

    W32.Beagle.CC@mm

    Attempts to use its own SMTP engine to email a copy of Trojan.Tooso.K to the email addresses that may be contained in the downloaded file. The email has the following characteristics:

    From: Spoofed.

    Subject: Blank.

    Message:
    The password is
    Password:

    Attachment:
    One of the following:


    Beach.zip
    In_park.zip
    kitten.zip
    Legs.zip
    new.zip
    original.zip

    Note: The .zip file may contain an executable file which may be a copy of Trojan.Tooso.K.

  22. #22
    Sean

    W32.Mytob.JS@mm

    W32.Mytob.JS@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.

    The worm may also spoof a From address from one of the addresses found on the compromised computer.

    Subject:
    One of the following:


    Your password has been updated
    Your password has been successfully updated
    You have successfully updated your password
    Your new account password is approved
    Your Account is Suspended
    *DETECTED* Online User Violation
    Your Account is Suspended For Security Reasons
    Warning Message: Your services near to be closed.
    Important Notification
    Members Support
    Security measures
    Email Account Suspension
    Notice of account limitation

    Message:
    One of the following:


    Dear user [USER NAME],
    You have successfully updated the password of your [DOMAIN] account.
    If you did not authorize this change or if you need assistance with your account, please contact [DOMAIN] customer service at: [SPOOFED EMAIL]
    Thank you for using [DOMAIN]!
    The [DOMAIN] Support Team

    +++ Attachment: No Virus (Clean)
    +++ [DOMAIN] Antivirus - www.[FULL DOMAIN]


    Dear user [USER NAME],
    It has come to our attention that your [DOMAIN] User Profile ( x ) records are out of date. For further details see the attached document.
    Thank you for using [DOMAIN]!
    The [DOMAIN] Support Team

    +++ Attachment: No Virus (Clean)
    +++ [DOMAIN] Antivirus - www.[FULL DOMAIN]


    Dear [DOMAIN] Member,
    We have temporarily suspended your email account [EMAIL].
    This might be due to either of the following reasons:
    1. A recent change in your personal information (i.e. change of address).
    2. Submiting invalid information during the initial sign up process.
    3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
    See the details to reactivate your [DOMAIN] account.
    Sincerely,The [DOMAIN] Support Team

    +++ Attachment: No Virus (Clean)
    +++ [DOMAIN] Antivirus - www.[FULL DOMAIN]


    Dear [DOMAIN] Member,
    Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
    If you choose to ignore our request, you leave us no choice but to cancel your membership.
    Virtually yours,
    The [DOMAIN] Support Team

    +++ Attachment: No Virus found
    +++ [DOMAIN] Antivirus - www.[FULL DOMAIN]

  23. #23
    Sean

    W32.Looksky.G@mm

    A mass-mailing worm that lowers security settings, opens a back door, and drops additional malware on the compromised computer.
    Subject: Your mail Account is Suspended

    Message Body:
    We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

    Attachment:
    One of the following:

    acc_info9.exe
    ebay_info.exe
    acc_inf19.exe

  24. #24
    Sean

    W32.Feebs.D@mm

    W32.Feebs.D@mm is a mass-mailing worm that also spreads through file-sharing networks and lowers security settings on the compromised computer.
    The worm arrives as an email attachment with an .HTA extension.
    Sends emails to all addresses found on the compromised computer. The email has the following characteristics:

    From:
    The from address is a combination of one of the following names with one of the following domain names:
    Names:

    protect
    secur
    security
    securmail

    Domains:


    @hotmail.com
    @gmail.com
    @aol.com
    @msn.com
    @yahoo.com


    Subject:
    The subject may be the following string:

    happy new year

  25. #25
    Sean

    W32.Beagle.DM@mm

    A mass-mailing worm that uses its own SMTP engine to spread to peer-to-peer and file-sharing networks. It attempts to lower security settings and may also download and execute remote files.
    From: [SPOOFED]

    Subject:
    One of the following:


    Delivery service mail
    Delivery by mail
    Registration is accepted
    Is delivered mail
    You are made active

    Message Body:
    One of the following:


    Thanks for use of our software.
    Before use read the help

    Attachment:
    One of the following:


    wsd01.zip
    viupd02.zip
    siupd02.zip
    guupd02.zip
    zupd02.zip
    upd02.zip
    Jol03.zip
