Mecklenburg Communications Services, Inc.

Virus Updates and Warnings



W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file names. The worm also creates the file \Windows\System\Kdll.dll. It uses functions from this .dll to log keystrokes.


You may receive a blank email from someone you know or may not know that has an attachment name of one of the following: 

* Pics
* Images
* New_Napster_Site
* news_doc
* YOU_are_FAT!
* Stuff
* SETUP
* Card
* Me_nude
* Sorry_about_yesterday
* Info
* Docs
* Humor
* fun


You need to keep your anti-virus definitions up-to-date to block this virus. 


For more information on what the virus does and how to clear up the virus - see  



A new virus is being reported hitting the Internet.  You can find out more from this link -


Anthrax (x)

Detected as:

 Anthrax (x)




Area of Infection:

 .COM Files, .EXE Files, COMMAND.COM, Master Boot Record


 Memory Resident, Wild, Multi-partite

Infected programs contain the text "Anthrax" and "Damage, Inc". The virus writes a copy of itself to the last few sectors of the hard disk. Any data located there is destroyed.

This threat is detected by the latest Virus Definitions.


All computer users should employ safe computing practices, including:

Keeping your Virus Definitions updated.

Installing Norton AntiVirus program updates, when available.

Deleting suspicious looking emails.




Get the latest virus info & updates ASAP:


Win32.Nimda worm (Also known as W32/Nimda@MM)

Nimda.A is an Internet worm spreading via a number of different methods and exploiting several known vulnerabilities in Internet Explorer and IIS systems. It also works as a file virus infecting Win32 Portable Executable programs as well as files with extensions: html, htm, asp.

This worm may enter a system in the following ways:

*     via an HTML e-mail with a specifically constructed MIME header;

*     by visiting a Web site hosted on an infected system;

*     via open network shares;

*     via unpatched IIS systems (both 4.0 and 5.0).

When a user views an HTML e-mail carrying the worm or visits an infected Web site, Internet Explorer may launch the attached program executing the Nimda.A code (from the program: readme.exe). This is due to the "Incorrect MIME Header" vulnerability in Microsoft Internet Explorer 5.01 and 5.5. For a detailed description of this security hole and links to the appropriate patches, please visit:




The worm may also exploit the following HTTP security loopholes in systems running Microsoft IIS:

*     Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability


*     Microsoft IIS/PWS Escaped Characters Decoding Command Execution


*     Microsoft IIS and PWS Extended Unicode Directory Traversal


The worm finds vulnerable Internet Servers via randomly selected IP addresses. The address generation and scanning is performed by the process named mmc.exe (the file mmc.exe is overwritten by the worm with its own copy). Users of affected Win NT/2000 systems may experience a significant deterioration of their system performance when the mmc.exe process is running. Additionally the worm copies itself as Admin.dll to the root directories of all accessible drives (the worm marks Admin.dll as a true

Once the worm gets access to a victim machine's files, it searches all directories and infects htm, asp and html files by adding a one line JavaScript code. In every directory with successfully infected files, the worm drops its own code in the MIME format as readme.eml or readme.nws. The worm is executed from within these MIME files when an infected htm* or asp file is opened.

The worm infects Win32 PE programs (except Winzip32.exe) by prepending its code and modifying its resources so that the infected programs use the same icons as the original programs.

On affected Win9x systems, in order to run on the next reboot, the worm copies itself as load.exe into the Windows System directory and modifies the system.ini file:

      Shell=explorer.exe load.exe -dontrunold

Nimda.A may also copy itself under the name used by one of the legitimate Microsoft libraries: riched20.dll.

To avoid infection from browsing infected web pages, Active Scripting can be disabled in Internet Explorer.

Detection for this virus/worm has been added to the following virus engine/virus signature combination. Install this update or later to ensure


CA Antivirus Solution   Engine/Signature

InocuLAN / InoculateIT 4.x    28.06

eTrust InoculateIT 6.0 / eTrust Antivirus 6.0   23.46.06   

eTrust EZ Antivirus / IPE     5.3/1502   

VET   10.3/1502


HappyTime Virus Warning:


Due to the increased number of submissions, the threat level for this worm has been upgraded from 3 to 4.


VBS.Haptime.A@mm is a Visual Basic Script (VBS) worm. It infects .htm, .html, .vbs, .asp, and .htt files. It replicates using MAPI objects to spread itself as an attachment. Also, the worm attaches itself to all outgoing messages using the stationery feature of Outlook Express.

The worm utilizes a known Microsoft Outlook Express security hole so that the worm is executed without having to run any attachment.

Microsoft has released a patch for this security hole; it eliminates security vulnerabilities in the "Scriptlet.TypLib" ActiveX controls. The patch is available at:


If you have a patched version of Outlook Express, this worm will not work automatically.


Also Known As: VBS.HappyTime, VBS_HAPTIME.A, VBS.Happytime.A, VBS/Help, VBS_Haptime.A, VBS/Haptime@MM


For more information - see


CodeRed.v3 Virus Warning:
CodeRed.v3 was discovered on August 4, 2001. It has been called a variant of the original CodeRed Worm because it uses the same "buffer overflow" exploit to propagate to other web servers. Symantec AntiVirus Research Center received reports of a high number of IIS web servers that were infected. CodeRed.v3 is considered to be a high threat.  The original CodeRed had a payload that causes a Denial of Service attack on the White House Web server. CodeRed.v3 has a different payload that allows the hacker to have full remote access to the Web server. For more information - click here.


Virus Alert - W32.Sircam.Worm@mm


Due to the increased number of virus submissions, SARC has updated the threat level of this virus from 3 to 4. Virus definitions dated July 17, 2001 or later will detect this worm.


W32.Sircam.Worm@mm is a network-aware virus that has email capability. The worm will also append a random document from your hard drive and send it out in email as part of the worm. The worm contains the following content:


Subject: The subject of the email will be random, and will be the same as the file name of the attachment in the email.


Message: The message body will be semi-random, but will always contain one of the following two lines (either in English or Spanish) as the first and last sentences of the message.


Spanish Version:

First line: Hola como estas ?

Last line: Nos vemos pronto, gracias.


English Version:

First line: Hi! How are you?

Last line: See you later. Thanks


For more information on this virus - visit


MsWorld Virus Update:


Borrowing from the success of NakedWife, a new worm, MsWorld, displays a Flash window illustration while mass mailing everyone you know and attempting to reformat your C: drive. MsWorld (W32.MsWorld@MM) hails from Great Britain and at this time, it has not spread very far or very fast. Since it can clog e-mail servers and damage users' root drive files, MsWorld ranks as a 6 on the ZDNet Virus Meter.


How it works

MsWorld arrives as an e-mail with the following information:


Subject: Miss World


Body: Hi, (your name)


Enjoy the latest pictures of Miss World from various Country

Attached: MWrld.exe


If a user clicks on the attached file, a Flash window appears that displays a cute animal and big cake with a single candle. The text, "I fall more in love with you each day!", appears in script at the bottom of the window. While this image displays, MsWorld sends copies of itself to all addresses found in Outlook's address book.


MsWorld adds the following to the infected computer's Autoexec.bat, which causes the computer to reformat the C: drive whenever it is next rebooted:


Echo Off

Echo "This Everything for my Girl Friend.........,

(CatEyes, KRSSL, SS Hostel) "

Format C: /q /autotest

Echo On


MsWorld also attempts to delete the files USER.DAT, USER.DA0, SYSTEM.DAT, and SYSTEM.DA0 when the Flash program is closed. Since the .dat files are in use, a run-time error will occur so only the .DA0 files are deleted.

For more information on this virus and how to repair damage - see



Reported on: April 17, 2001

Last Updated on: May 31, 2001 at 12:49:29 PM PDT


The following hoax email has been reported in Brazil. The original email is in Portuguese; it is followed by an English translation.


This particular email message is a hoax. The file that is mentioned in the hoax, however, Sulfnbk.exe, is a Microsoft Windows utility that is used to restore long file names, and like any .exe file, it can be infected by a virus that targets .exe files.

The virus/worm W32.Magistr.24876@mm can arrive as an attachment named Sulfnbk.exe. The Sulfnbk.exe file used by Windows is located in the C:\Windows\Command folder. If the file is located in any other folder, or arrives as an attachment to an email message, then it is possible that the file is infected. In this case, if a scan with the latest virus definitions and with NAV set to scan all files does not detect the file as being infected, quarantine and submit the file to SARC for analysis by following the instructions in the document How to submit a file to SARC using Scan and Deliver.

If you have deleted the Sulfnbk.exe file from the C:\Windows\Command folder and want to know how to restore the file, see the How to restore the Sulfnbk.exe file section at



Discovered on: May 8, 2001

Last Updated on: May 9, 2001 at 02:11:29 PM PDT

Due to an increase in submissions, SARC has upgraded this worm from a Threat Rating of 3 to 4.

VBS.VBSWG2.X@mm is an encrypted VBScript worm that uses a known exploit to send itself to all recipients in an infected user's Microsoft Outlook address book. It also has a payload that opens a Web site that contains pornographic content.

Also Known As: VBS.VBSWG2.D@mm, VBS.HomePage, I-Worm.Homepage, VBSWG.X, VBSWG.X@MM, VBS/VBSWG-X, VBS_HomePage.A

For more information on this virus – see



Discovered on: April 18, 2001

Last Updated on: April 18, 2001 at 02:43:50 PM PDT

W32.Matcher is an executable that arrives by email. When executed, the worm will email itself to everyone in the Microsoft Outlook Address book. The worm will continue to send emails while the process is running in the background.


For more information on this virus – see



Discovered on: March 13, 2001

Last Updated on: April 4, 2001 at 11:55:55 AM PDT


Due to the increased number of submissions, SARC has updated the threat level of this virus from 3 to 4.

W32.Magistr.24876@mm is a virus that has email worm capability. It is also network aware. It infects Windows Portable Executable (PE) files, with the exception of .dll system files, and sends email messages to addresses that it gathers from the Outlook/Outlook Express mail folders (.dbx, .mbx), the sent items file from Netscape, and Windows address books (.wab), which are used by mail clients such as Microsoft Outlook and Microsoft Outlook Express. The email message may have up to two attachments, and it has a randomly generated subject line and message body.
Also Known As: I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr@mm

For more information on this virus and a fix – visit this site -



Discovered on: March 6, 2001

Last Updated on: March 6, 2001 at 03:20:12 PM PST

W32.Naked@mm is a mass mailing worm that disguises itself as a Flash movie. The attachment is named NakedWife.exe. This worm, after it has attempted to email everyone in the Microsoft Outlook address book, will attempt to delete several system files. This will leave the system unusable, requiring a re-install.

NOTE: This worm was previously detected as W32.HLLW.JibJab@mm.

For more information on this virus – visit

AnnaKournikova.jpg.vbs Virus:

VBS.SST@mm is a VBS email worm that has been encoded using a virus creation kit. The worm arrives as an attachment named AnnaKournikova.jpg.vbs. When executed, the worm emails itself to everyone in your Microsoft Outlook address book. On January 26, the worm will attempt to direct your Web browser to an Internet address located in The Netherlands.

This worm appears to have originated in the Netherlands – click here for more information and help deleting the virus if you have received it -

W97M.Melissa.W – Virus Warning:

W97M.Melissa.W is a typical macro virus that has an unusual payload. When a user opens an infected document, the virus will attempt to email a copy of this document to up to 50 people using Microsoft Outlook.

This macro will disable the Tools/Macro menu entry.

It infects MS Word 97 and MS Word 2000 documents by adding a new VBA5 (macro) module named Melissa. Although there is nothing unique in the infection routine of this macro virus, it has a payload that utilizes MS Outlook to send an attachment of the infected document being opened.

As its primary payload, the virus will attempt to use Microsoft Outlook to email a copy of the infected document to up to 50 other



The virus does the following:

1. Opens MS Outlook.

2. Using MAPI calls, it gets the user profile to use MS Outlook.

3. It creates a new email message to be sent to up to 50 addresses listed in the user's MS Outlook address book.

4. It gives the email message a subject line: "Important Message From USERNAME", where USERNAME is taken from the MS Word setting.

5. The body of the email message is: "Here is that document you asked for ... don't show anyone else ;-)"

6. It attaches the active document (the infected document being opened or closed) to the email message and then sends the email.


W97M.Melissa.W is also known as:


Melissa-X (Anniv.DOC)



Virus definitions dated January 18, 2001, or later will protect against the W97M.Melissa.W. (Virus definitions dated before January 18, 2001 would detect this as W97M.Melissa.Variant.)

Complete information about W97M.Melissa.W is available at the following Internet address:


If you receive an email that indicates “Upgrade Internet2” – DO NOT OPEN IT!  This contains an executable file named “perrin.exe”.  It will erase all the data in your hard drive and it will stay in the memory of your computer.  Every time you upload data, it will be automatically erased and you will not be able to use your computer again.  This information was published yesterday on the CNN web site.  This is a very dangerous virus – to this date, there is no known anti-virus program to catch it.
Listed below are names of other emails that, if received, SHOULD NOT BE OPENED but should be DELETED!
The titles are:
1. buddylst.exe
2. calcu18r.exe
3. deathpr.exe
4. einstein.exe
5. happ.exe
6. girls.exe
7. happy99.exe
8. Japanese.exe
9. keypress.exe
10. kitty.exe
11. monday.exe
12. teletubb.exe
13. The Phantom Menance
14. prettypark.exe
15. UP-GRADE INTERNET2
16. perrin.exe
17. I love you
18. CELCOM Screen Saver or CELSAVER.EXE
19. Win a Holiday (email)
Once again, if you receive an email with any of the above – DO NOT OPEN IT – DELETE IT IMMEDIATELY!

Two new email viruses have been detected in our area and throughout the email community in general.

The Hybris Worm is a Worm virus similar to the KAK Worm virus, only more dangerous.  
When the worm attachment is executed, the WSOCK32.DLL file will be modified or replaced. 
This will give the worm the ability to copy and attach itself to all outbound email. 
The email attachment will have a random name but the filename extension is either EXE or SCR.

The virus arrives in an email with the following headers:

From: Hahaha 

Subject: Snowhite and the seven Dwarfs - The REAL Story!

Attachment: dwarf4you.exe or sexy virgin.scr

If you receive any such email, we recommend that you immediately delete it from your inbox. You SHOULD NOT open the email OR open the attachment that comes with it.

The second virus is W32.Navidad.  W32.Navidad is a mass mailing worm program. The worm replies using MAPI to all Inbox messages that contain a single attachment. This works with Microsoft Outlook. The worm utilizes the existing email subject line and body and attaches itself as NAVIDAD.EXE. Due to the bugs in the code, after being executed, the worm causes your system to be unusable.  

For more information and the availability to download a tool to repair W32.Navidad damage – go to or

If you receive an email titled "It Takes Guts to Say Jesus" DO NOT OPEN IT. 
It will erase everything on your hard drive. This information
was announced yesterday morning from IBM.  AOL states that this is a very
dangerous virus, much worse than "Melissa," and that there is NO remedy for
it at this time. Some very sick individual has succeeded in using the
reformat function from Norton Utilities, causing it to completely erase all
documents on the hard drive. It has been designed to work with Netscape
Navigator and Microsoft Internet Explorer.
It destroys Macintosh and IBM compatible computers.  This is a new, very
malicious virus and not many people know about it.  Pass
this warning along to EVERYONE in your address book and please share it with
all your online friends ASAP so that this threat may be stopped!!
Please practice cautionary measures and tell anyone that may have access to your computer.  Forward this warning to everyone that might access the Internet.

New Viruses Haunting Internet – 10/18/2000:  (These virus warnings were forwarded to from a local computer programmer to warn our customers of potential problems)

CELCOM Screen Saver:  If you receive any CELCOM Screen Saver, please do not install it!  This screen saver is very cool – it shows a NOKIA hand phone, with time messages.  After it is activated, the PC cannot boot up at all.  It goes very slowly – it destroys your hard disk – the file name is CELLSAVER.EXE.

SANDMAN:  Beware!  If someone named SandMan asks you to check out his page – DO NOT!  It is at - this page hacks into your C:/drive – Do not go there.

Win A Holiday:  If you get an email titled “Win A Holiday” – DO NOT OPEN IT!  Delete it immediately.  Microsoft just announced it yesterday.  It is a malicious virus that WILL ERASE YOUR HARD DRIVE.  At this time there is no remedy.


Symantec Offers Free Online Fix for Destructive Worm.ExploreZip Worm

CUPERTINO, Calif. - June 14, 1999 - Symantec Corporation (Nasdaq: SYMC) today announced that a free tool to remove an active Worm.ExploreZip infection is available on its web site at The KILL_EZ.EXE tool removes infection from computers running on Windows 95, Windows 98 or Windows NT.

While protection has been available to Symantec Norton AntiVirus users via current virus definitions through LiveUpdate, the KILL_EZ.EXE tool does not require anti-virus software to run.

"Symantec AntiVirus Research Center (SARC) is offering this as a public service to administrators and other users," said Carey Nachenberg, chief researcher with SARC. "Administrators can use this tool to clean up infested networks and deploy via login scripts to rapidly cure the problem." While the tool removes Worm.ExploreZip, to have continued protection against malicious threats an anti-virus solution-such as Norton AntiVirus-is recommended.

The Worm.ExploreZip worm contains a malicious payload that can result in non-recoverable data and/or inoperable computer systems. The KILL_EZ.EXE tool performs the following tasks (upon verifying the system is infected by Worm.ExploreZip):

· Under Windows NT: removes changes made to the Windows Registry by the worm. Specifically, it deletes the registry value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

· Under Windows 95: removes changes made to the WIN.INI file, found in the Windows directory. Specifically, it will delete the line: run=c:\windows\system\explore.exe.

· KILL_EZ.EXE then completely removes the Worm.ExploreZip program from memory.

Finally, the tool deletes the EXPLORE.EXE file from the Windows system directory.

· Under Windows 95, or Windows 98, it will delete: C:\WINDOWS\SYSTEM\EXPLORE.EXE.

· Under Windows NT, it will delete c:\WINDOWS\SYSTEM32\EXPLORE.EXE.

Upon completion, KILL_EZ.EXE reports whether the system was infected with Worm.ExploreZip and, if infected, the system reports successful removal of the worm.
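A defensive check for the three startup-file changes quoted on this page (Nimda.A's Shell= line in system.ini, MsWorld's Format C: line in Autoexec.bat, and Worm.ExploreZip's run= line in WIN.INI), as an added example that is not code from Symantec, CA or the original page. The function names and sample file contents are constructed for illustration; the [boot] and [windows] section names are the standard Windows 9x locations of these keys and do not appear on the page.

```python
import ntpath
import re

# A line that runs FORMAT against C: (MsWorld's Autoexec.bat payload).
FORMAT_C = re.compile(r"^\s*@?format(\.com)?\s+c:", re.IGNORECASE)

def ini_values(text, section, key):
    """Return every value of `key` inside [section]; names are case-insensitive."""
    values, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == key:
                values.append(value.strip())
    return values

def scan_startup_files(system_ini="", win_ini="", autoexec_bat=""):
    """Return (file, threat, evidence) tuples for the autostart changes above."""
    findings = []
    # Nimda.A: load.exe -dontrunold appended to Shell= (assumed [boot] section).
    for value in ini_values(system_ini, "boot", "shell"):
        tokens = value.lower().split()
        if "load.exe" in tokens and "-dontrunold" in tokens:
            findings.append(("system.ini", "Nimda.A", value))
    # Worm.ExploreZip: explore.exe (not explorer.exe) on run= (assumed [windows]).
    for value in ini_values(win_ini, "windows", "run"):
        for prog in re.split(r"[,\s]+", value):
            if ntpath.basename(prog).lower() == "explore.exe":
                findings.append(("win.ini", "Worm.ExploreZip", prog))
    # MsWorld: a FORMAT C: command; ECHO and REM lines do not match.
    for line in autoexec_bat.splitlines():
        if FORMAT_C.match(line):
            findings.append(("autoexec.bat", "MsWorld", line.strip()))
    return findings

# Constructed sample files (not captured from a real machine).
INFECTED = {
    "system_ini": "[boot]\nShell=explorer.exe load.exe -dontrunold\n[386Enh]\nmouse=*vmouse\n",
    "win_ini": "[windows]\nload=\nrun=c:\\windows\\system\\explore.exe\n",
    "autoexec_bat": "Echo Off\nFormat C: /q /autotest\nEcho On\n",
}
CLEAN = {
    "system_ini": "[boot]\nshell=Explorer.exe\n",
    "win_ini": "[windows]\nload=\nrun=\n",
    "autoexec_bat": "@ECHO OFF\nREM never format c: from here\nSET PATH=C:\\WINDOWS\n",
}

if __name__ == "__main__":
    for name, files in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, scan_startup_files(**files))
```

The comparison on the file's base name is what keeps the legitimate explorer.exe shell from being flagged as explore.exe.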

Worm.ExploreZip utilizes MAPI commands and Microsoft Outlook on Windows systems to propagate itself. The worm was first discovered in Israel and submitted to the Symantec AntiVirus Research Center (SARC) on June 6, 1999.

Norton AntiVirus users are advised to protect themselves from this worm by downloading the current virus definitions through LiveUpdate or from the Symantec web site at

Symantec AntiVirus Research Center (SARC):

SARC is the industry's largest dedicated team of virus experts. With offices located in the United States, Japan, Australia, and the Netherlands, the sun never sets on SARC. The center's mission is to provide swift, global responses to computer virus threats, proactively research and develop technologies that eliminate such threats, and educate the public on safe computing practices. As new computer viruses appear, SARC develops identification and detection for these viruses, and provides either a repair or delete operation, thus keeping users protected against the latest virus threats.

About Symantec:

Symantec is the world leader in utility software for business and personal computing. Symantec products and solutions help make users productive and keep their computers safe and reliable anywhere and anytime. Symantec offers a broad range of solutions and is acclaimed as a leader in both customer satisfaction and product brand recognition. Symantec is traded on Nasdaq under the symbol SYMC. More information on the company and its products can be obtained at