Virus Updates and Warnings  

 

W32.Myparty:

W32.Myparty@mm is a mass-mailing email worm. It has the following characteristics:

Subject: new photos from my party!
Message:
Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!

Attachment: www.myparty.yahoo.com

The worm sends email to all contacts in your Windows address book, and to email addresses that if finds in the Outlook Express Inboxes and folders.

In addition, the worm sends a message to the author so that the author can track the worm.

For more information - see http://securityresponse.symantec.com/avcenter/venc/data/w32.myparty@mm.html.

 

W32.Goner.A@mm

W32.Goner.A@mm is a mass-mailing worm that is written in Microsoft
Visual Basic. The worm was compressed by a known Portable Executable
(PE) file compressor. The worm can spread its infection using the ICQ
network as well as by email using Microsoft Outlook. If IRC is
installed, then this worm can also insert mIRC scripts that will
enable the computer to be used in Denial of Service (DoS) attacks.
Virus definitions dated December 4, 2001, and later will detect this
worm. For additional information, visit the following Internet
address:

http://www.symantec.com/techsupp/vURL.cgi/nav111

W32.Aliz.Worm

 

W32.Aliz.Worm is a very simple SMTP mass-mailer worm. The worm

currently only replicates on Windows 9x computers. It does not seem

to spread on Windows NT platforms. The worm spreads by obtaining

email addresses from the Windows address book and sending itself to

those addresses. Virus definitions dated May 22, 2001 will detect

this worm.

 

When the worm arrives by email, the worm uses a MIME exploit that

allows the virus to be run just by reading or previewing the email.

Information on and a patch for this exploit can be found at

 http://www.symantec.com/techsupp/vURL.cgi/nav110

 

For additional information, point your Web browser to:

 http://www.symantec.com/techsupp/vURL.cgi/nav109

 

W32.Badtrans.B@mm:

 W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file names. It worm also creates the file \Windows\System\Kdll.dll. It uses functions from this .dll to log keystrokes. 

 You may receive a blank email from someone you know or may not know that has an attachment name of one of the following: 

      Pics

      Images

      README

      New_Napster_Site

      news_doc

      HAMSTER

      YOU_are_FAT!

      Stuff

      SETUP

      Card

      Me_nude

      Sorry_about_yesterday

      Info

      Docs

      Humor

      fun 

You need to keep your anti-virus definitions up-to-date to block this virus. 

For more information on what the virus does and how to clear up the virus - see http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html

 

ANTHRAX VIRUS:

A new virus is being reported hitting the Internet.  You can find out more from this link - http://www.symantec.com/avcenter/venc/dyn/44.html

Anthrax (x)

Detected as:

 Anthrax (x) 

Aliases:

 None

Area of Infection:

 .COM Files, .EXE Files, COMMAND.COM, Master Boot Record

Characteristics:

 Memory Resident, Wild, Multi-partite

Infected programs contain the text "Anthrax" and "Damage, Inc". The virus writes a copy of itself to the last few sectors of the hard disk. Any data located there is destroyed.

This threat is detected by the latest Virus Definitions. 

All computer users should employ safe computing practices, including:

Keeping your Virus Definitions updated.

Installing Norton AntiVirus program updates, when available.

Deleting suspicious looking emails.

 

VIRUS ALERT: COMPUTER ASSOCIATES CALLS "Nimda" WORM A HIGH-RISK THREAT

Get the latest virus info & updates ASAP:

Win32.Nimda worm (Also known as W32/Nimda@MM <mailto:W32/Nimda@MM> )

Win32.Nimda worm (Also known as W32/Nimda@MM <mailto:W32/Nimda@MM> )

Nimda.A is an Internet worm spreading via a number of different methods and

exploiting several known vulnerabilities in Internet Explorer and IIS

systems. It also works as a file virus infecting Win32 Portable Executable

programs as well as files with extensions: html, htm, asp.

This worm may enter a system in the following ways:

*     via an HTML e-mail with a specifically constructed MIME header;

*     by visiting a Web site hosted on an infected system;

*     via open network shares;

*     via unpatched IIS systems (both 4.0 and 5.0).

      When a user views an HTML e-mail carrying the worm or visits an

infected Web site, Internet Explorer may launch the attached program

executing the Nimda.A code (from the program: readme.exe). This is due to

the "Incorrect MIME Header" vulnerability in Microsoft Internet Explorer

5.01 and 5.5. For a detailed description of this security hole and links to

the appropriate patches, please visit:

      http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/

bulletin/MS01-020.asp

       The worm may also exploit the following HTTP security loopholes in

systems running Microsoft IIS:

*     Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability

*     Microsoft IIS/PWS Escaped Characters Decoding Command Execution

Vulnerability

*     Microsoft IIS and PWS Extended Unicode Directory Traversal

Vulnerability

The worm finds vulnerable Internet Servers via randomly selected IP

addresses. The address generation and scanning is performed by the process

named mmc.exe (the file mmc.exe is overwritten by the worm with its own

copy). Users of affected Win NT/2000 systems may experience a significant

deterioration of their system performance when the mmc.exe process is

running. Additionally the worm copies itself as Admin.dll to the root

directories of all accessible drives (the worm marks Admin.dll as a true

DLL).

Once the worm gets access to a victim machine's files, it searches all

directories and infects htm, asp and html files by adding a one line

JavaScript code. In every directory with successfully infected files, the

worm drops its own code in the MIME format as readme.eml or readme.nws. The

worm is executed from within these MIME files when an infected htm* or asp

file is opened.

The worm infects Win32 PE programs (except Winzip32.exe) by prepending its

code and modifying its resources so that the infected programs use the same

icons as the original programs.

On affected Win9x systems, in order to run on the next reboot, the worm

copies itself as load.exe into the Windows System directory and modifies the

system.ini file:

      Shell=explorer.exe load.exe -dontrunold

Nimda.A may also copy itself under the name used by one of the legitimate

Microsoft libraries; riched20.dll.

In order to avoid infection by browsing infected web pages Active Scripting

can be disabled in Internet Explorer.

Detection for this virus/worm has been added to the following virus

engine/virus signature combination. Install this update or later to ensure

protection:

CA Antivirus Solution   Engine/Signature

InocuLAN / InoculateIT 4.x    28.06

eTrust InoculateIT 6.0 / eTrust Antivirus 6.0   23.46.06   

eTrust EZ Antivirus / IPE     5.3/1502   

VET   10.3/1502

HappyTime Virus Warning:

 Due to the increased number of submissions, the threat level for this worm has been upgraded from 3 to 4.

 VBS.Haptime.A@mm is a Visual Basic Script (VBS) worm. It infects .htm, .html, .vbs, .asp, and .htt files. It replicates using MAPI objects to spread itself as an attachment. Also, the worm attaches itself to all outgoing messages using the stationery feature of Outlook Express.

The worm utilizes a known Microsoft Outlook Express security hole so that the worm is executed without having to run any attachment.

Microsoft has patched this security hole that eliminates security vulnerabilities in "Scriptlet.TypLib" ActiveX controls . The patch is available at: http://www.microsoft.com/technet/ie/tools/scrpteye.asp

 If you have a patched version of Outlook Express, this worm will not work automatically.

 Also Known As: VBS.HappyTime, VBS_HAPTIME.A, VBS.Happytime.A, VBS/Help, VBS_Haptime.A, VBS/Haptime@MM

 For more information - see http://www.symantec.com/avcenter/venc/data/vbs.haptime.a@mm.html

 CodeRed.v3 Virus Warning:
CodeRed.v3 was discovered on August 4, 2001. It has been called a variant of the original CodeRed Worm because it uses the same "buffer overflow" exploit to propagate to other web servers. Symantec AntiVirus Research Center received reports of a high number of IIS web servers that were infected. CodeRed.v3 is considered to be a high threat.  The original CodeRed had a payload that causes a Denial of Service attack on the White House Web server. CodeRed.v3 has a different payload that allows the hacker to have full remote access to the Web server. For more information - click here.

Virus Alert - W32.Sircam.Worm@mm

 Due to the increased number of virus submissions, SARC has updated the threat level of this virus from 3 to 4. Virus definitions dated July 17, 2001 or later will detect this worm.

 W32.Sircam.Worm@mm is a network-aware virus that has email capability. The worm will also append a random document from your hard drive and send it out in email as part of the worm. The worm contains the following content:

Subject: The subject of the email will be random, and will be the same as the file name of the attachment in the email.

 Message: The message body will be semi-random, but will always contain one of the following two lines (either in English or Spanish) as the first and last sentences of the message.

 Spanish Version:

First line: Hola como estas ?

Last line: Nos vemos pronto, gracias.

 English Version:

First line: Hi! How are you?

Last line: See you later. Thanks

 For more information on this virus - visit http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html.

 

MsWorld Virus Update:

 Borrowing from the success of NakedWife, a new worm, MsWorld, displays a Flash window illustration while mass mailing everyone you know and attempting to reformat your C: drive. MsWorld (W32.MsWorld@MM) hails from Great Britain and at this time, it has not spread very far or very fast. Since it can clog e-mail servers and damage users' root drive files, MsWorld ranks as a 6 on the ZDNet Virus Meter.

 How it works

MsWorld arrives as an e-mail with the following information:

 Subject: Miss World

 Body: Hi, (your name)

 Enjoy the latest pictures of Miss World from various Country

Attached: MWrld.exe

 If a user clicks on the attached file, a Flash window appears that displays a cute animal and big cake with a single candle. The text, "I fall more in love with you each day!", appears in script at the bottom of the window. While this image displays, MsWorld sends copies of itself to all address found in Outlook's address book.

 MsWorld adds the following to the infected computer's Autoexec.bat, which causes the computer to reformat the C: drive whenver it is next rebooted:

 Echo Off

Echo "This Everything for my Girl Friend.........,

(CatEyes, KRSSL, SS Hostel) "

Format C: /q /autotest

Echo On

 MsWorld also attempts to delete the files USER.DAT, USER.DA0, SYSTEM.DAT, and SYSTEM.DA0 when the Flash program is closed. Since the .dat files are in use, a run-time error will occur so only the .DA0 files are deleted.

For more information on this virus and how to repair damage - see http://msn.zdnet.com/msn/zdnet/story/0%2C12461%2C2766546-hud00025ab%2C00.htm.

 SULFNBK.EXE Warning

Reported on: April 17, 2001

Last Updated on: May 31, 2001 at 12:49:29 PM PDT

PLEASE PAY ATTENTION TO THIS MESSAGE - READ IT ENTIRELY --- DO NOT DELETE THE FILE SULFNBK.EXE!!

The following hoax email has been reported in Brazil. The original email is in Portuguese; it is followed by an English translation.

CAUTIONS:

This particular email message is a hoax. The file that is mentioned in the hoax, however, Sulfnbk.exe, is a Microsoft Windows utility that is used to restore long file names, and like any .exe file, it can be infected by a virus that targets .exe files.

The virus/worm W32.Magistr.24876@mm can arrive as an attachment named Sulfnbk.exe. The Sulfnbk.exe file used by Windows is located in the C:\Windows\Command folder. If the file is located in any other folder, or arrives as an attachment to a email message, then it is possible that the file is infected. In this case, if a scan with the latest virus definitions and with NAV set to scan all files does not detect the file as being infected, quarantine and submit the file to SARC for analysis by following the instructions in the document How to submit a file to SARC using Scan and Deliver.

If you have deleted the Sulfnbk.exe file from the C:\Windows\Command folder and want to know how to restore the file, see the How to restore the Sulfnbk.exe file section at http://www.symantec.com/avcenter/venc/data/sulfnbk.exe.warning.html.

 

VBS.VBSWG2.X@mm

Due to an increase in submissions, SARC has upgraded this worm from a Threat Rating of 3 to 4.

VBS.VBSWG2.X@mm is an encrypted VBScript worm that uses a known exploit to send itself to all recipients in an infected user's Microsoft Outlook address book. It also has a payload that opens a Web site that contains pornographic contents.

Also Known As: VBS.VBSWG2.D@mm, VBS.HomePage, I-Worm.Homepage, VBSWG.X, VBSWG.X@MM, VBS/VBSWG-X, VBS_HomePage.A

For more information on this virus see http://www.symantec.com/avcenter/venc/data/vbs.vbswg2.x@mm.html

 

W 32.Mat cher


W32.Matcher is an executable that arrives by email. When executed, the worm will email itself to everyone in the Microsoft Outlook Address book. The worm will continue to send emails while the process is running in the background.

 For more information on this virus see http://www.symantec.com/avcenter/venc/data/w32.matcher.html.

 

W32.Magistr.24876@mm

Due to the increased number of submissions, SARC has updated the threat level of this virus from 3 to 4.

W32.Magistr.24876@mm is a virus that has email worm capability. It is also network aware. It infects Windows Portable Executable (PE) files, with the exception of .dll system files, and sends email messages to addresses that it gathers from the Outlook/Outlook Express mail folders (.dbx, .mbx), the sent items file from Netscape, and Windows address books (.wab), which are used by mail clients such as Microsoft Outlook and Microsoft Outlook Express,. The email message may have up to two attachments, and it has a randomly generated subject line and message body.
Also Known As: I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr@mm

For more information on this virus and a fix visit this site - http://www.symantec.com/avcenter/venc/data/w32.magistr.24876@mm.html.

  

W32.Naked@mm

W32.Naked@mm is a mass mailing worm that disguises itself as flash movie. The attachment is named NakedWife.exe. This worm, after it has attempted to email everyone in the Microsoft Outlook address book, will attempt to delete several system files. This will leave the system unusable, requiring a re-install.

NOTE: This worm was previously detected as W32.HLLW.JibJab@mm.

For more information on this virus visit http://www.symantec.com/avcenter/venc/data/w32.naked@mm.html.

AnnaKournikova.jpg.vbs Virus:

VBS.SST@mm is a VBS email worm that has been encoded using a virus creation kit. The worm arrives as an attachment named AnnaKournikova.jpg.vbs When executed, the worm emails itself to everyone in your Microsoft Outlook book. On January 26, the worm will attempt to direct your Web browser to an Internet address located in The Netherlands.

This worm appears to have originated in the Netherlands click here for more information and help deleting the virus if you have received it - http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html.

W97M.Melissa.W Virus Warning:

W97M.Melissa.W is a typical macro virus that has an unusual payload.

When a user opens an infected document, the virus will attempt to

email a copy of this document up to 50 people using Microsoft Outlook.

 This macro will disable the Tools/Macro menu entry.

 It infects a MS Word 97 and MS Word 2000 document by adding a new

VBA5 (macro) module named Melissa.  Although there is nothing unique

in the infection routine of this macro virus, it has a payload that

utilizes MS Outlook to send an attachment of the infected document

being opened.

 As its primary payload, the virus will attempt to use Microsoft

Outlook to email a copy of the infected document to up to 50 other

people.

 The virus does the following:

  1. Opens MS Outlook.

  2. Using MAPI calls, it gets the user profile to use MS Outlook.

  3. It creates a new email message to be sent up to 50 addresses listed in the user's MS Outlook address book.

  4. It gives the email message a subject line: "Important Message From USERNAME", where USERNAME is taken from MS Word setting.

  5.  The body of the email message is:  "Here is that document you asked for ... don't show anyone else ;-)"

  6.  It attaches the active document (the infected document being opened or closed) to the email message and then sends the email.

 W97M.Melissa.W is also known as:

 Melissa-X (Anniv.DOC)

Melissa.W

 Virus definitions dated January 18, 2001, or later will protect

against the W97M.Melissa.W. (Virus definitions dated before January

18, 2001 would detect this as W97M.Melissa.Variant.)

 Complete information about W97M.Melissa.W is available at the

following Internet address:

 http://www.symantec.com/techsupp/vURL.cgi/nav82

ANOTHER VIRUS WARNING:

 

If you receive an email that indicates Upgrade Internet2  DO NOT OPEN IT!  This contains an executable file named perrin.exe.  It will erase all the data in your hard drive and it will stay in the memory of your computer.  Every time you upload data, it will be automatically erased and you will not be able to use your computer again.  This information was published yesterday on the CNN web site.  This is a very dangerous virus  to this date, there is no known anti-virus program to catch it.

 

Listed below are names of other emails that, if received, SHOULD NOT BE OPENED but should be DELETED!

 

The titles are:

1.              buddylst.exe

2.              calcu18r.exe

3.              deathpr.exe

4.              einstein.exe

5.              happ.exe

6.              girls.exe

7.              happy99.exe

8.              Japanese.exe

9.              keypress.exe

10.           kitty.exe

11.           monday.exe

12.           teletubb.exe

13.           The Phantom Menance

14.           prettypark.exe

15.           UP-GRADE INTERNET2

16.           perrin.exe

17.           I love you

18.           CELCOM Screen Saver or CELSAVER.EXE

19.           Win a Holiday (email)

20.           JOIN THE CREW O PENPALS

Once again, if you receive an email with any of the above  DO NOT OPEN IT  DELETE IT IMMEDIATELY!


  
NEW VIRUS STRIKING OUR AREA!
Two new email viruses have been detected in our area and throughout the email community in general.


The Hybris Worm is a Worm virus similar to the KAK Worm virus, only more dangerous.  

When the worm attachment is executed, the WSOCK32.DLL file will be modified or replaced. 

This will give the worm the ability to copy and attach itself to all outbound email. 

The email attachment will have a random name but the filename extension is either EXE or SCR.


The virus arrives in an email with the following headers:

From: Hahaha 
Subject: Snowhite and the seven Dwarfs - The REAL Story!
Attachment: dwarf4you.exe or sexy virgin.scr
If you receive any such email, we recommend that you 

immediately delete it from your inbox
You SHOULD NOT open the email OR open the attachment that comes with it. 

The second virus is W32.Navidad.  W32.Navidad is a mass mailing worm program. The worm replies using MAPI to all Inbox messages that contain a single attachment. This works with Microsoft Outlook. The worm utilizes the existing email subject line and body and attaches itself as NAVIDAD.EXE. Due to the bugs in the code, after being executed, the worm causes your system to be unusable.  

For more information and the availability to download a tool to repair W32.Navidad damage go to http://www.norton.com/avcenter/venc/data/w32.navidad.html or http://www.symantec.com/avcenter/index.html.


~  *  ~  *  ~  *  ~  *  ~  *  ~

Norton AntiVirus users are advised to protect themselves from this worm by downloading the current virus definitions through LiveUpdate or from the Symantec web site at www.symantec.com/avcenter/download.html.

Symantec AntiVirus Research Center (SARC) SARC is the industry's largest dedicated team of virus experts. With offices located in the United States, Japan, Australia, and the Netherlands, the sun never sets on SARC. The center's mission is to provide swift, global responses to computer virus threats, proactively research and develop technologies that eliminate such threats, and educate the public on safe computing practices. As new computer viruses appear, SARC develops identification and detection for these viruses, and provides either a repair or delete operation, thus keeping users protected against the latest virus threats.

About Symantec:

Symantec is the world leader in utility software for business and personal computing. Symantec products and solutions help make users productive and keep their computers safe and reliable anywhere and anytime. Symantec offers a broad range of solutions and is acclaimed as a leader in both customer satisfaction and product brand recognition. Symantec is traded on Nasdaq under the symbol SYMC. More information on the company and its products can be obtained at www.symantec.com.