W32.Myparty:
W32.Myparty@mm is a mass-mailing email worm. It has the following characteristics:
Subject: new photos from my party!
Message:
Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Attachment: www.myparty.yahoo.com
The worm sends email to all contacts in your Windows address book, and to email addresses that it finds in the Outlook Express Inboxes and folders.
In addition, the worm sends a message to the author so that the author can track the worm.
For more information - see http://securityresponse.symantec.com/avcenter/venc/data/w32.myparty@mm.html.
W32.Goner.A@mm
W32.Goner.A@mm is a mass-mailing worm that is written in Microsoft
Visual Basic. The worm was compressed by a known Portable Executable
(PE) file compressor. The worm can spread its infection using the ICQ
network as well as by email using Microsoft Outlook. If IRC is
installed, then this worm can also insert mIRC scripts that will
enable the computer to be used in Denial of Service (DoS) attacks.
Virus definitions dated December 4, 2001, and later will detect this
worm. For additional information, visit the following Internet
address:
http://www.symantec.com/techsupp/vURL.cgi/nav111
W32.Aliz.Worm
W32.Aliz.Worm is a very simple SMTP mass-mailer worm. The worm
currently only replicates on Windows 9x computers. It does not seem
to spread on Windows NT platforms. The worm spreads by obtaining
email addresses from the Windows address book and sending itself to
those addresses. Virus definitions dated May 22, 2001 will detect
this worm.
When the worm arrives by email, the worm uses a MIME exploit that
allows the virus to be run just by reading or previewing the email.
Information on and a patch for this exploit can be found at
http://www.symantec.com/techsupp/vURL.cgi/nav110
For additional information, point your Web browser to:
http://www.symantec.com/techsupp/vURL.cgi/nav109
W32.Badtrans.B@mm:
W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file names. The worm also creates the file \Windows\System\Kdll.dll. It uses functions from this .dll to log keystrokes.
You may receive a blank email, from someone you may or may not know, with an attachment that has one of the following names:
* Pics
* Images
* README
* New_Napster_Site
* news_doc
* HAMSTER
* YOU_are_FAT!
* Stuff
* SETUP
* Card
* Me_nude
* Sorry_about_yesterday
* Info
* Docs
* Humor
* fun
You need to keep your anti-virus definitions up-to-date to block this virus.
For more information on what the virus does and how to clear up the virus - see http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html
ANTHRAX VIRUS:
A new virus is being reported hitting the Internet. You can find out more from this link - http://www.symantec.com/avcenter/venc/dyn/44.html
Anthrax (x)
Detected as:
Anthrax (x)
Aliases:
None
Area of Infection:
.COM Files, .EXE Files, COMMAND.COM, Master Boot Record
Characteristics:
Memory Resident, Wild, Multi-partite
Infected programs contain the text "Anthrax" and "Damage, Inc". The virus writes a copy of itself to the last few sectors of the hard disk. Any data located there is destroyed.
This threat is detected by the latest Virus Definitions.
All computer users should employ safe computing practices, including:
Keeping your Virus Definitions updated.
Installing Norton AntiVirus program updates, when available.
Deleting suspicious looking emails.
VIRUS ALERT: COMPUTER ASSOCIATES CALLS "Nimda" WORM A HIGH-RISK THREAT
Get the latest virus info & updates ASAP:
Win32.Nimda worm (also known as W32/Nimda@MM)
Nimda.A is an Internet worm spreading via a number of different methods and
exploiting several known vulnerabilities in Internet Explorer and IIS
systems. It also works as a file virus infecting Win32 Portable Executable
programs as well as files with extensions: html, htm, asp.
This worm may enter a system in the following ways:
* via an HTML e-mail with a specifically constructed MIME header;
* by visiting a Web site hosted on an infected system;
* via open network shares;
* via unpatched IIS systems (both 4.0 and 5.0).
When a user views an HTML e-mail carrying the worm or visits an
infected Web site, Internet Explorer may launch the attached program
executing the Nimda.A code (from the program: readme.exe). This is due to
the "Incorrect MIME Header" vulnerability in Microsoft Internet Explorer
5.01 and 5.5. For a detailed description of this security hole and links to
the appropriate patches, please visit:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
The worm may also exploit the following HTTP security loopholes in
systems running Microsoft IIS:
* Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
* Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
* Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
The worm finds vulnerable Internet Servers via randomly selected IP
addresses. The address generation and scanning is performed by the process
named mmc.exe (the file mmc.exe is overwritten by the worm with its own
copy). Users of affected Win NT/2000 systems may experience a significant
deterioration of their system performance when the mmc.exe process is
running. Additionally the worm copies itself as Admin.dll to the root
directories of all accessible drives (the worm marks Admin.dll as a true
DLL).
Once the worm gets access to a victim machine's files, it searches all
directories and infects htm, asp and html files by adding a one line
JavaScript code. In every directory with successfully infected files, the
worm drops its own code in the MIME format as readme.eml or readme.nws. The
worm is executed from within these MIME files when an infected htm* or asp
file is opened.
The worm infects Win32 PE programs (except Winzip32.exe) by prepending its
code and modifying its resources so that the infected programs use the same
icons as the original programs.
On affected Win9x systems, in order to run on the next reboot, the worm
copies itself as load.exe into the Windows System directory and modifies the
system.ini file:
Shell=explorer.exe load.exe -dontrunold
Nimda.A may also copy itself under the name used by one of the legitimate
Microsoft libraries: riched20.dll.
In order to avoid infection by browsing infected web pages Active Scripting
can be disabled in Internet Explorer.
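A defender's check for the Nimda.A file-system artifacts listed above, as an added example that is not part of the original alert: it walks a directory tree for readme.eml/readme.nws, Admin.dll at the root, load.exe in the System directory, and a system.ini Shell= line that starts more than explorer.exe. The function names, the constructed sample tree and the assumption that the System directory is named "system" are illustrative.

```python
import os
import re
import tempfile

# File names come from the alert text; everything else here is illustrative.
DROPPED_MIME = {"readme.eml", "readme.nws"}
SHELL_RE = re.compile(r"^\s*shell\s*=\s*(.*)$", re.IGNORECASE)


def check_system_ini(path):
    """Return the Shell= value if it starts anything besides explorer.exe."""
    try:
        with open(path, "r", errors="replace") as fh:
            for line in fh:
                m = SHELL_RE.match(line)
                if m and any(p.lower() != "explorer.exe" for p in m.group(1).split()):
                    return m.group(1).strip()
    except OSError:
        pass  # unreadable file: nothing to report
    return None


def scan(root, system_dir="system"):
    """Walk root and return (kind, detail) tuples for Nimda.A artifacts.

    mmc.exe and riched20.dll are legitimate file names, so they are not
    flagged by name; those need a comparison against known-good copies.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low, full = name.lower(), os.path.join(dirpath, name)
            if low in DROPPED_MIME:
                findings.append(("dropped-mime", full))
            elif low == "admin.dll" and dirpath == root:
                findings.append(("admin-dll-at-root", full))
            elif low == "load.exe" and os.path.basename(dirpath).lower() == system_dir:
                findings.append(("load-exe", full))
            elif low == "system.ini":
                shell = check_system_ini(full)
                if shell:
                    findings.append(("shell-modified", shell))
    return findings


def build_sample_tree(root):
    """Constructed sample data: empty files named like the artifacts."""
    os.makedirs(os.path.join(root, "WINDOWS", "SYSTEM"))
    os.makedirs(os.path.join(root, "inetpub"))
    for rel in ("Admin.dll", "WINDOWS/SYSTEM/load.exe",
                "inetpub/readme.eml", "inetpub/index.htm"):
        open(os.path.join(root, *rel.split("/")), "w").close()
    with open(os.path.join(root, "WINDOWS", "system.ini"), "w") as fh:
        fh.write("[boot]\nShell=explorer.exe load.exe -dontrunold\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, detail in scan(tmp):
            print(kind, detail)
```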
Detection for this virus/worm has been added to the following virus
engine/virus signature combination. Install this update or later to ensure
protection:
CA Antivirus Solution                            Engine/Signature
InocuLAN / InoculateIT 4.x                       28.06
eTrust InoculateIT 6.0 / eTrust Antivirus 6.0    23.46.06
eTrust EZ Antivirus / IPE                        5.3/1502
VET                                              10.3/1502
HappyTime Virus Warning:
Due to the increased number of submissions, the threat level for this worm has been upgraded from 3 to 4.
VBS.Haptime.A@mm is a Visual Basic Script (VBS) worm. It infects .htm, .html, .vbs, .asp, and .htt files. It replicates using MAPI objects to spread itself as an attachment. Also, the worm attaches itself to all outgoing messages using the stationery feature of Outlook Express.
The worm utilizes a known Microsoft Outlook Express security hole so that the worm is executed without having to run any attachment.
Microsoft has released a patch for this security hole that eliminates security vulnerabilities in "Scriptlet.TypLib" ActiveX controls. The patch is available at: http://www.microsoft.com/technet/ie/tools/scrpteye.asp
If you have a patched version of Outlook Express, this worm will not work automatically.
Also Known As: VBS.HappyTime, VBS_HAPTIME.A, VBS.Happytime.A, VBS/Help, VBS_Haptime.A, VBS/Haptime@MM
For more information - see http://www.symantec.com/avcenter/venc/data/vbs.haptime.a@mm.html
CodeRed.v3 Virus Warning:
CodeRed.v3 was discovered on August 4, 2001. It has been called a variant of the original CodeRed Worm because it uses the same "buffer overflow" exploit to propagate to other web servers. Symantec AntiVirus Research Center received reports of a high number of IIS web servers that were infected. CodeRed.v3 is considered to be a high threat. The original CodeRed had a payload that caused a Denial of Service attack on the White House Web server. CodeRed.v3 has a different payload that allows the hacker to have full remote access to the Web server.
Virus Alert - W32.Sircam.Worm@mm
Due to the increased number of virus submissions, SARC has updated the threat level of this virus from 3 to 4. Virus definitions dated July 17, 2001 or later will detect this worm.
W32.Sircam.Worm@mm is a network-aware virus that has email capability. The worm will also append a random document from your hard drive and send it out in email as part of the worm. The worm contains the following content:
Subject: The subject of the email will be random, and will be the same as the file name of the attachment in the email.
Message: The message body will be semi-random, but will always contain one of the following two lines (either in English or Spanish) as the first and last sentences of the message.
Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.
English Version:
First line: Hi! How are you?
Last line: See you later. Thanks
For more information on this virus - visit http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html.
MsWorld Virus Update:
Borrowing from the success of NakedWife, a new worm, MsWorld, displays a Flash window illustration while mass mailing everyone you know and attempting to reformat your C: drive. MsWorld (W32.MsWorld@MM) hails from Great Britain and at this time, it has not spread very far or very fast. Since it can clog e-mail servers and damage users' root drive files, MsWorld ranks as a 6 on the ZDNet Virus Meter.
How it works
MsWorld arrives as an e-mail with the following information:
Subject: Miss World
Body: Hi, (your name)
Enjoy the latest pictures of Miss World from various Country
Attached: MWrld.exe
If a user clicks on the attached file, a Flash window appears that displays a cute animal and big cake with a single candle. The text, "I fall more in love with you each day!", appears in script at the bottom of the window. While this image displays, MsWorld sends copies of itself to all addresses found in Outlook's address book.
MsWorld adds the following to the infected computer's Autoexec.bat, which causes the computer to reformat the C: drive whenever it is next rebooted:
Echo Off
Echo "This Everything for my Girl Friend.........,
(CatEyes, KRSSL, SS Hostel) "
Format C: /q /autotest
Echo On
MsWorld also attempts to delete the files USER.DAT, USER.DA0, SYSTEM.DAT, and SYSTEM.DA0 when the Flash program is closed. Since the .dat files are in use, a run-time error will occur so only the .DA0 files are deleted.
Due to an increase in submissions, SARC has upgraded this worm from a Threat Rating of 3 to 4.
VBS.VBSWG2.X@mm is an encrypted VBScript worm that uses a known exploit to send itself to all recipients in an infected user's Microsoft Outlook address book. It also has a payload that opens a Web site that contains pornographic contents.
Also Known As: VBS.VBSWG2.D@mm, VBS.HomePage, I-Worm.Homepage, VBSWG.X, VBSWG.X@MM, VBS/VBSWG-X, VBS_HomePage.A
W32.Matcher is an executable that arrives by email. When executed, the worm will email itself to everyone in the Microsoft Outlook Address book. The worm will continue to send emails while the process is running in the background.
For more information on this virus – see http://www.symantec.com/avcenter/venc/data/w32.matcher.html.
Due to the increased number of submissions, SARC has updated the threat level of this virus from 3 to 4.
W32.Magistr.24876@mm is a virus that has email worm capability. It is also network aware. It infects Windows Portable Executable (PE) files, with the exception of .dll system files, and sends email messages to addresses that it gathers from the Outlook/Outlook Express mail folders (.dbx, .mbx), the sent items file from Netscape, and Windows address books (.wab), which are used by mail clients such as Microsoft Outlook and Microsoft Outlook Express. The email message may have up to two attachments, and it has a randomly generated subject line and message body.
Also Known As: I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr@mm
For more information on this virus and a fix – visit this site - http://www.symantec.com/avcenter/venc/data/w32.magistr.24876@mm.html.
W32.Naked@mm is a mass mailing worm that disguises itself as a Flash movie. The attachment is named NakedWife.exe. This worm, after it has attempted to email everyone in the Microsoft Outlook address book, will attempt to delete several system files. This will leave the system unusable, requiring a re-install.
NOTE: This worm was previously detected as W32.HLLW.JibJab@mm.
For more information on this virus – visit http://www.symantec.com/avcenter/venc/data/w32.naked@mm.html.
AnnaKournikova.jpg.vbs Virus:
VBS.SST@mm is a VBS email worm that has been encoded using a virus creation kit. The worm arrives as an attachment named AnnaKournikova.jpg.vbs. When executed, the worm emails itself to everyone in your Microsoft Outlook address book. On January 26, the worm will attempt to direct your Web browser to an Internet address located in The Netherlands.
This worm appears to have originated in the Netherlands. For more information and help deleting the virus if you have received it, see http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html.
W97M.Melissa.W – Virus Warning:
W97M.Melissa.W is a typical macro virus that has an unusual payload.
When a user opens an infected document, the virus will attempt to
email a copy of this document to up to 50 people using Microsoft Outlook.
This macro will disable the Tools/Macro menu entry.
It infects a MS Word 97 and MS Word 2000 document by adding a new
VBA5 (macro) module named Melissa. Although there is nothing unique
in the infection routine of this macro virus, it has a payload that
utilizes MS Outlook to send an attachment of the infected document
being opened.
As its primary payload, the virus will attempt to use Microsoft
Outlook to email a copy of the infected document to up to 50 other
people.
The virus does the following:
Opens MS Outlook.
Using MAPI calls, it gets the user profile to use MS Outlook.
It creates a new email message to be sent to up to 50 addresses listed in the user's MS Outlook address book.
It gives the email message a subject line: "Important Message From USERNAME", where USERNAME is taken from MS Word setting.
The body of the email message is: "Here is that document you asked for ... don't show anyone else ;-)"
It attaches the active document (the infected document being opened or closed) to the email message and then sends the email.
W97M.Melissa.W is also known as:
Melissa-X (Anniv.DOC)
Melissa.W
Virus definitions dated January 18, 2001, or later will protect
against the W97M.Melissa.W. (Virus definitions dated before January
18, 2001 would detect this as W97M.Melissa.Variant.)
Complete information about W97M.Melissa.W is available at the
following Internet address:
http://www.symantec.com/techsupp/vURL.cgi/nav82
ANOTHER VIRUS WARNING:
If you receive an email that indicates “Upgrade Internet2” – DO NOT OPEN IT! This contains an executable file named “perrin.exe”. It will erase all the data in your hard drive and it will stay in the memory of your computer. Every time you upload data, it will be automatically erased and you will not be able to use your computer again. This information was published yesterday on the CNN web site. This is a very dangerous virus – to this date, there is no known anti-virus program to catch it.
Listed below are names of other emails that, if received, SHOULD NOT BE OPENED but should be DELETED!
The titles are:
1. buddylst.exe
2. calcu18r.exe
3. deathpr.exe
4. einstein.exe
5. happ.exe
6. girls.exe
7. happy99.exe
8. Japanese.exe
9. keypress.exe
10. kitty.exe
11. monday.exe
12. teletubb.exe
13. The Phantom Menance
14. prettypark.exe
15. UP-GRADE INTERNET2
16. perrin.exe
17. I love you
18. CELCOM Screen Saver or CELSAVER.EXE
19. Win a Holiday (email)
20. JOIN THE CREW O PENPALS
Once again, if you receive an email with any of the above – DO NOT OPEN IT – DELETE IT IMMEDIATELY!
NEW VIRUS STRIKING OUR AREA!
Two new email viruses have been detected in our area and throughout the email community in general.
The Hybris Worm is a Worm virus similar to the KAK Worm virus, only more dangerous.
When the worm attachment is executed, the WSOCK32.DLL file will be modified or replaced.
This will give the worm the ability to copy and attach itself to all outbound email.
The email attachment will have a random name but the filename extension is either EXE or SCR. The virus arrives in an email with the following headers:
From: Hahaha
Subject: Snowhite and the seven Dwarfs - The REAL Story!
Attachment: dwarf4you.exe or sexy virgin.scr
If you receive any such email, we recommend that you immediately delete it from your inbox.
You SHOULD NOT open the email OR open the attachment that comes with it.
The second virus is W32.Navidad. W32.Navidad is a mass mailing worm program. The worm replies using MAPI to all Inbox messages that contain a single attachment. This works with Microsoft Outlook. The worm utilizes the existing email subject line and body and attaches itself as NAVIDAD.EXE. Due to the bugs in the code, after being executed, the worm causes your system to be unusable.
For more information and to download a tool to repair W32.Navidad damage, go to http://www.norton.com/avcenter/venc/data/w32.navidad.html or http://www.symantec.com/avcenter/index.html.
~ * ~ * ~ * ~ * ~ * ~
Norton AntiVirus users are advised to protect themselves from this worm by downloading the current virus definitions through LiveUpdate or from the Symantec web site at www.symantec.com/avcenter/download.html.
Symantec AntiVirus Research Center (SARC):
SARC is the industry's largest dedicated team of virus experts. With offices located in the United States, Japan, Australia, and the Netherlands, the sun never sets on SARC. The center's mission is to provide swift, global responses to computer virus threats, proactively research and develop technologies that eliminate such threats, and educate the public on safe computing practices. As new computer viruses appear, SARC develops identification and detection for these viruses, and provides either a repair or delete operation, thus keeping users protected against the latest virus threats.
About Symantec:
Symantec is the world leader in utility software for business and personal computing. Symantec products and solutions help make users productive and keep their computers safe and reliable anywhere and anytime. Symantec offers a broad range of solutions and is acclaimed as a leader in both customer satisfaction and product brand recognition. Symantec is traded on Nasdaq under the symbol SYMC. More information on the company and its products can be obtained at www.symantec.com.