
View Current Virus/Worm Threats: http://securityresponse.symantec.com/
or the U.S. Computer Emergency Readiness Team (US-CERT)
For more information or help, contact your local Help Desk



Holiday Email Worm

Here we go again with the latest worms!

It's a mass-mailing worm disguised as a Christmas card, and interesting because it comes in 15 different European languages depending on the domain of the receiver's email. Depending on which expert you talk to, the nastie has either 'run its course' or is generating about 10% of the world's email!

It will attempt to lower your security settings, terminate certain processes (such as anti-virus programs) and open a back door for remote attacks.

This worm has a few aliases at present, including Erkez.D@mm and Zafi.D. There have been different versions of Zafi in the past, but this is their first Christmas card hoax.

The Christmas greetings themselves are determined by the country code of the recipient, eg '.fr' will get French language or '.de' will get German. It is this multi-lingual approach that, in part, has let the worm spread further and faster than others of the type.

If you open an infected attachment it will start on your computer and try to infect others. It is possible to get the nastie by other means like a Shared Folder or peer-to-peer networking but email is the most common method of infection.

This email worm sends itself from an infected computer to email addresses it finds on that computer. These email addresses are found not only in address books but in Internet cached pages as well. It runs on Windows operating systems only and does NOT need Outlook to run.

It has subjects like "Merry Christmas!", "Joyeux Noel!" or the equivalent in each language, which seem innocent enough, though body text like 'Happy Hollydays' is a bit of a warning.

The subject can be prefixed with RE or FW, as in "RE: Merry Christmas!" or "FW: Joyeux Noel!". Most but not all of the phrases used have an exclamation mark at the end.

All messages in the body end with a Smiley face, followed by the (forged) sender's name.

Running the attachment of these Christmas cards will cause the worm to run and infect your computer. The worm can have the following extension names: .bat .cmd .com .pif or .zip

If you think you might be infected, make sure your anti-virus software is up to date and then do a full scan of your computer. Don't panic -- most of the time when people think a computer is infected it is really some glitch in software or Windows itself.

If you are truly infected, Symantec Security Response has created a removal tool, which is the easiest way to remove the worm. http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez@mm.removal.tool.html

Thankfully this worm doesn't destroy any files or documents, its main aim is to spread itself around. To this end it:

* Creates a registry key so the worm executes every time Windows starts
* Terminates security related processes like various anti-virus programs
* Sends a copy of the worm to email addresses gathered from the computer, using its own SMTP engine
* Creates exe files in folders with 'shar' in the name (like Shared folders)

It also opens a TCP/IP port, listens for commands from a remote attacker, and displays an error message box with the title "CRC: 04F7Bh" and the text "Error in packed file!".

This information was updated on 12/16/04.


AV-Disabling Bagle Variant May Take Off (Virus)

A new variant of the Bagle worm that turns off antivirus and personal firewalls is likely to spread rapidly, warn antivirus experts. Organizations blocking the .exe, .scr, .com and .cpl extensions significantly reduce their risk of infection to this worm, as well as many others.

W32/Bagle-AS@mm spreads via e-mail and peer-to-peer networks, and has a spoofed address and variable subject lines. The worm is also called Bagle-AZ (McAfee), Beagle-AR [sic] (Symantec), Worm_Bagle-AM (Trend Micro) and I-Worm.Bagle-AX (Virusbuster).

According to TruSecure Corp. in Herndon, Va., Bagle-AS communicates through backdoors on TCP port 81 and UDP port 81. McAfee Inc. in Santa Clara, Calif. said the worm opens TCP port 81 and a random UDP port on the victim machine.

McAfee lists Bagle-AS as a medium-level threat and said it’s a mass-mailing threat that contains its own SMTP engine to construct outgoing messages. “Similar to previous variants, it harvests addresses from local files and then uses the harvested addresses in the from field to send itself. It contains a remote access component and copies itself to folders that have the phrase ‘shar’ in the name, such as common peer-to-peer applications, including KaZaA, Bearshare and Limewire,” according to the McAfee advisory. The advisory also said that when the .exe file is run, the worm copies itself into the Windows System directory as Bawindo.exe.

More information can be found at securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ar@mm.html
This information was updated on 9/30/04.

Sdbot-AQA

Sdbot-AQA, a worm with backdoor characteristics that can allow an attacker to remotely compromise a system, is circulating in the wild, according to Glendale, Calif.-based Panda Software. This worm first appeared Sept. 5, 2004.

Sdbot.AQA uses its own IRC client to accept remote commands, such as launching denial-of-service attacks against Web sites. It can also download and run files on the infected computer. According to Panda, Sdbot.AQA spreads across computer networks by attempting to access the network shared resources and using passwords that are typical or easy to guess. Then, it makes a copy of itself to those shared resources.

Windows 95, 98, NT, XP, 2000 and ME are vulnerable. Panda warned that Sdbot.AQA is difficult to recognize “as it does not display any messages or warnings that indicate it has [compromised] a computer.”

This information was updated on 9/14/04.



New Versions of MyDoom

Security experts warned on Friday that several new versions of MyDoom have surfaced on the Internet, suggesting that worm writers are taking a stab at improving the venerable virus. The viruses are largely alike. They are designed to spread by attaching copies of the program to e-mail messages and download additional features from compromised Web sites. Moreover, they are all difficult to clean from an infected Microsoft Windows-based PC, because they stop the system from connecting to antivirus Web sites to download updates.

This information was updated on 9/14/04.


Virus Tempts Users to Click on Photos Purporting to Show Bin Laden Suicide

A new virus that is packaged in a message purporting to include photographs of Osama Bin Laden committing suicide has infected thousands of computers.

When a computer user clicks on what appear to be photos attached to the message, malicious software code is installed that allows a user in a remote location to take control of the computer. The code attacks only computers using the Microsoft Windows operating system.

Unlike many viruses and "trojan" programs, the Bin Laden virus is not being spread by e-mail. Instead, it is attached to messages in Internet newsgroups. Thus far, the virus has been detected in about 30,000 separate messages.

The message containing the virus typically reads, in part: "Osama Bin Ladin was found hanged by two CNN journalists early Wedensday evening. As evidence they took several photos, some of which I have included here."

The Bin Laden virus is similar to previous threats that offered users glimpses at photographs of tennis star Anna Kournikova, actress Catherine Zeta-Jones, or other celebrities.

Most antivirus companies have updated their software to detect the new threat. Experts recommend that users take pains to make sure their antivirus software is up to date.

This trojan is named BackDoor-AZV.gen and more information can be found at vil.nai.com/vil/content/v_123844.htm

This information was updated on 7/26/04.


W32/Zafi.b@MM

This is a new worm to watch for. It spreads itself via email and peer-to-peer networks (file-sharing such as Kazaa, etc.). Zafi will copy itself to folders on the local system (containing 'share' or 'upload' in the folder name). It has its own SMTP engine and scans local files for email addresses, spoofing the From: address.

It uses the TLD (top-level domain) to determine which language to send itself in. For example, a user with a .COM mail address will receive the English mail body, while someone with a .DE mail address will receive the German body.

In addition to messages, the worm may also arrive with a random attachment name using one of the following extensions:

  • .com
  • .exe
  • .pif

The filename the worm copies itself with is one of:

  • Total Commander 7.0 full_install.exe
  • winamp 7.0 full_install.exe

W32/Zafi.b@MM was first discovered on 06/11/2004.

Information about W32/Zafi.b@MM is located at: vil.nai.com/vil/content/v_126242.htm

This information was updated on 6/15/04.


Korgo Worm (C - I Variations)

Korgo, which was discovered in late May, is capturing Windows users’ credit card numbers as well as passwords. The virus operates in similar fashion to the Sasser worm and affects Windows 2000 and Windows XP systems.


The virus is easily removed and apparently not widespread, however, it is effective at stealing confidential data. Those users infected by Korgo are being urged by virus monitoring companies to change their previous passwords and even credit card numbers if they have used them online recently for purchasing purposes. The virus operates by creating a backdoor on PCs which enables it to install an undetectable key logging program that activates when users fill in Web site information or online purchasing forms. The program copies the password and credit card information and relays it back to the original creators.


The latest update on deleting the virus can be found on various virus solutions providers including Symantec.

This information was updated on 6/10/04.


W32/Lovgate.ab@MM

This virus mails itself in two ways: constructing its own messages using its built-in SMTP engine, or replying to messages on the local system using MAPI. The From: address is spoofed. It may be one of the harvested email addresses, or constructed using random characters. The message may be constructed with various subject and message bodies. The worm may be attached with one of the following file extensions:

  • EXE
  • SCR
  • PIF
  • CMD
  • BAT 

Additionally, the attachment may be a copy of the worm within a ZIP archive (with either a RAR or ZIP extension). In this case, the worm within the archive may have a double extension, which may contain many spaces (e.g. .HTM      .EXE).

Information about W32/Snapper@MM is located at: vil.nai.com/vil/content/v_125301.htm

This information was updated on 5/19/04.


Sasser Worm

A fast spreading worm known as "Sasser" surfaced over the weekend and is making its way around the globe, warn computer security experts. The worm shares many characteristics with the Blaster worm that infected hundreds of thousands of PCs last year. Both worms exploit relatively new holes in the Windows operating system and frequently cause computers to repeatedly reboot.

No user intervention is required to become infected or propagate the virus further. The worm works by instructing vulnerable systems to download and execute the viral code. Make sure your Windows updates are done!

However, this time more companies appear to be ready to take preventative action, which may mitigate Sasser's damage potential. With Sasser it seems that companies are using software patches better and more quickly than with last year's Blaster, but for those that are hit, they are hit hard. It is believed that Sasser originated in Russia. The worm does not need to be activated by double-clicking on an attachment and can strike even if no one is using the PC at the time.

For more information: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html or http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=12500

This information was posted on 5/03/04.


Netsky-Z Picks on Education This Time

Three education portals remain the focus of the latest Netsky variant, which targets the sites for a distributed denial-of-service attack in early May.

Antivirus experts are baffled as to why the three sites, located in Florida, Switzerland and Germany, have the ire of the worm writer. Nonetheless enterprises are cautioned to guard against opening suspicious e-mail attachments, else they could inadvertently take part in the attacks.

As of Friday morning, all three portals were live on the Internet and it was unknown whether any had plans to switch IP addresses in order to sidestep the DDoS attack.

Netsky, meanwhile, extends its reign as the most prevalent malicious code of 2004. This is the 26th variant, and previous versions have spread either via e-mail or by exploiting holes in Microsoft software. They have attacked file-sharing networks like Kazaa with DDoS attacks and kicked off a worm war with the writers of the Bagle family of malicious code.

The worm is packed in a zip file that goes by several different names like Bill.zip, Important.zip and Details.zip. The zip archive that contains the worm is not password protected. The worm's file name has a double extension: .txt followed by many spaces, then .exe. Enterprises could filter for these file names at the gateway, provided their antivirus protection is enabled to examine the contents of a zip file.
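A gateway-side check for the attachment patterns described in the Lovgate and Netsky-Z items (blocked executable extensions, ZIP archives that may carry a .RAR name, and double extensions padded with spaces), as an added example in Python that is not from the original page or any vendor's tooling. The extension list, the padding regex and the sample archive are this example's own assumptions; the archive is a constructed, inert fixture standing in for a captured worm zip.

```python
import io
import re
import zipfile

# Attachment extensions named in the advisories on this page (Lovgate,
# Netsky-Z, Bagle, Novarg, Zafi). Blocking these outright at the gateway
# removes the usual delivery vehicle. (Assumed list for this example.)
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "cmd", "bat", "com", "cpl"}

# "Details.txt      .exe": a harmless-looking extension, a run of spaces that
# pushes the real extension out of view in a mail client, then the executable
# extension. (Regex is this example's assumption, not a vendor signature.)
PADDED_DOUBLE_EXT = re.compile(r"\.[A-Za-z0-9]{1,5}[ \t]{2,}\.([A-Za-z0-9]{1,4})$")


def final_extension(name):
    """Return the last extension of a file name, lower-cased, or '' if none."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].strip().lower()


def check_name(name):
    """Reasons a bare file name should be rejected (empty list = looks fine)."""
    reasons = []
    ext = final_extension(name)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{ext}")
    match = PADDED_DOUBLE_EXT.search(name)
    if match:
        reasons.append("padded double extension hiding ." + match.group(1).lower())
    return reasons


def check_attachment(name, data=b""):
    """Check an attachment by name, and by content if the bytes are a ZIP.

    The archive test looks at the bytes, not the name: Lovgate ships a ZIP
    archive under a .RAR extension, so trusting the extension would skip it.
    """
    reasons = check_name(name)
    if data and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                for reason in check_name(member):
                    reasons.append(f"archive member {member!r}: {reason}")
    return reasons


def build_sample_zip(member_name):
    """Constructed fixture: a ZIP holding one inert text member under the
    given name. A stand-in for a captured worm archive, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, "placeholder body, not executable")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments, including a ZIP carried under a .rar name.
    samples = [
        ("Merry Christmas.pif", b""),
        ("photo.jpg", b""),
        ("Details.zip", build_sample_zip("Details.txt      .exe")),
        ("archive.rar", build_sample_zip("Document.HTM      .EXE")),
    ]
    for name, data in samples:
        verdict = check_attachment(name, data)
        print(f"{name:24} -> {'REJECT: ' + '; '.join(verdict) if verdict else 'ok'}")
```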

Finally, the worm is set to launch a DDoS attack between May 2 and May 5 on educa.ch, medinfo.ufl.edu and nibis.de, which were also targeted by three previous Netsky worms.

This information was updated on 4/22/04.


Mywife and Snapper

Two new low-threat worms are making the rounds on the Internet Thursday (March 25, 2004), continuing the plague of malware that began in January and has shown no signs whatsoever of abating.

Of the two worms, known as Mywife and Snapper, the former appears to be the more worrisome and have the greater potential for spreading widely, security services said. Mywife arrives in an e-mail with a spoofed sending address and any one of several vaguely pornographic subject lines. The body of the e-mail also varies and some of the messages are quite graphic.

The emails contain attachments with file extensions of *.exe, *.zip, *.pif, or *.tge

Once resident on a computer, Mywife goes to work removing the Windows registry entries for a variety of antivirus and security applications. Snapper sends blank e-mails with spoofed sending addresses that contain code that automatically executes once the message is opened or viewed in the preview pane in Outlook. The code causes the local host computer to connect to a remote Web server located at 198.170.245.129 and try to download a file called HTMLhelp.cgi.

Information about W32/MyWife.a@MM is located at: vil.nai.com/vil/content/v_101135.htm
Information about W32/Snapper@MM is located at: vil.nai.com/vil/content/v_101135.htm

This information was updated on 3/26/04.


Cone-E

Cone-E, which surfaced this week, spreads primarily via e-mail but when it infects systems the worm creates copies of itself with different file names. Those files can have names such as "401 guitar tabs.chm," "adult check passwords.chm" or "Credit card numbers.chm".

Information about W32/Cone.f@MM is located at: vil.nai.com/vil/content/v_101139.htm

This information was updated on 3/26/04.


The Beagle Gets Meaner!
Introducing the Beagles R-T!

We have already warned you about the Beagle/Bagle worm (scroll down the page.) It's a nasty little Worm that uses really clever subject fields and spoofed addresses to gain your trust and get you to open its poisonous attachments. This Beagle strain is crafty but you still had to open the attachment to activate the virus.

Well, to no surprise, the rules have changed! No longer do you have to open an attachment to activate the new Beagles R-T. As a matter of fact you don’t even need to open the email to activate it. This new strain of Beagle exploits the Microsoft "Internet Explorer Object Tag Vulnerability", which allows HTML code to be downloaded and executed without any interaction from the end-user. This means if you have your email set to preview the message, you could get this virus simply by highlighting the message line in your inbox - unless you are already patched.

Similar to the earlier strains of the Beagle, this worm also uses contacts in the infectee’s address book to propagate itself. The body of the message will appear to be blank but actually contains invisible HTML code that downloads and runs the worm from a remote site.

Once the worm is installed, it notifies the attacker and opens up ports, looks through your addresses, and sends infected emails to everyone. Once this is done, your PC has become the server that responds to the soon-to-be infected PCs that were emailed from your infected machine. In addition to this, the attacker has an open back door to your computer to run code on.

As with the previous Beagle, this also attempts to replicate itself in networks including file-sharing networks, such as Kazaa, by attaching itself to shared files. There are a number of different ways to protect yourself from this threat and I’ll start by saying update your anti-virus.

Next, get the Microsoft patch to fix the vulnerability. If you still feel a bit vulnerable, you can even tighten your ActiveX security settings, but it's not really necessary.

However, here's how: Open Internet Explorer and select Tools/Internet Options, then the "Security" tab. Under the "Internet" icon, click on the "Custom Level" button. Scroll through the list to the "ActiveX controls and plug-ins" section, then under "Run ActiveX controls and plug-ins" select "Prompt". Click OK. Again, not a big deal if you have already installed the MS patch, but there it is if you want it.

This information was updated on 3/4/04.


W32/Witty.worm

A Slammer-like worm dubbed Witty is spreading, generating large amounts of network traffic and leaving ruined computers in its wake.

The worm, which appeared overnight Friday, exploits a weakness in the widely-used Black Ice security products, and is not detected by antivirus software, as it resides in memory. When an infected system is rebooted, Witty deletes a randomly chosen section of the hard drive, rendering some machines unusable.

The Internet Storm Center raised its incident alert level to yellow, and advised that vulnerable systems be taken off the network. "Disconnect systems running BlackIce as soon as possible," said the advisory at the ISC, run by the SANS Institute. Symantec also advised that network admins disconnect machines running Black Ice.

Infected hosts will send large amounts of UDP traffic, typically saturating a local network connection, according to SANS. The traffic originates from port 4000, with earlier reports of alternate source ports now being discounted.

The worm only affects systems running Black Ice, an intrusion detection product from Internet Security Systems. It exploits a vulnerability in ICQ instant messaging protocol parsing, detailed in an advisory from ISS on Thursday. Once Witty is active, the user will no longer be able to close Black Ice, instead receiving a message reading "Operation could not be completed. Access is denied".

"The size of the worm (909 bytes) suggests that it has been hand-written in assembly programming language," notes F-Secure. The malware's name alludes to a string in the program reading "insert witty message here."

For more information: vil.nai.com/vil/content/v_101118.htm

This information was updated on 3/22/04.



W32/Netsky.p@MM Worm

A new variant of W32/Netsky@MM has been received which spreads through email like its predecessors. The main component is 29,568 bytes long and FSG packed. When run, the worm copies itself to the Windows directory as: FVProtect.exe

More information can be found at vil.nai.com/vil/content/v_101119.htm

This information was updated on 3/22/04.



Phatbot/Polybot

A new malicious computer program has been detected that can create networks of remotely controlled computers to take part in online attacks, send junk e-mail messages and engage in other shady activities common to the bad neighborhoods of cyberspace.

The program, known as phatbot or polybot, uses technology like that developed for file sharing networks such as Gnutella and Kazaa to control the machines. ("Bot" is shorthand for "software robot," a term generally applied to automated software.)

Once the program has made its way onto a victim's computer, it spreads across networks and searches for passwords that are stored on hard drives and are passing across local networks. It also disables antivirus programs and systems for upgrading software security.

For more information: vil.nai.com/vil/content/v_101100.htm

This information was updated on 3/18/04.



New Flood of Worms Unleashed

This week has seen a huge number of worms unleashed on the internet. Moodown, MyDoom, and Bizex launched into the wild, attacking e-mail, Internet Explorer, and instant messaging. Oh, don't forget the latest Nachi, which is also still spreading. This article will explain the ins and outs of these worms.

For more information: www.eweek.com/article2/0,4149,1538954,00.asp

This information was updated on 2/27/04.



W32/MyDoom.F-mm

Propagating by e-mail like its potent sibling, MyDoom.A, this version adds random file deletion and attempts to infect file-sharing users as well. W32/MyDoom.F-mm has, in the past 24 hours, started to take off, with Symantec moving it up from a category 2 to category 3 threat.

For more information: www.pcmag.com/article2/0,4149,1537295,00.asp and reviews-zdnet.com.com/4520-6600_16-5123355.html

This information was updated on 3/01/04.



W32/Netsky.b@MM

Another new network worm variant is spreading via e-mail, sending itself to addresses found on the victim machine and by copying itself to mapped network drives. When executed, the worm copies itself into the %windir% folder using the filename SERVICES.EXE. It adds a key to the registry, so it gets activated on system start.

For more information: vil.nai.com/vil/content/v_101034.htm and vil.nai.com/vil/content/v_101064.htm

This information was updated on 2/17/04.


AOL Instant Messaging Worm Wreaks Havoc

AIM users were startled Thursday morning by a message exhorting them not to open messages about an "Osama bin Laden" game. The messages -- a form of viral adware -- come from a company called Buddylinks. The article tells you how to spot (and avoid) it.

For more information: www.eweek.com/article2/0,4149,1525708,00.asp

This information was updated on 1/29/04.


MYDOOM b

And yet another one! The e-mail worm Mydoom (also called Novarg or MiMail.r) is back now in a new variant, Mydoom b -- which, like its predecessor, is spread through the Kazaa file-sharing network and email and is disguised as an e-mail error message. The message bears a variety of subject lines, text, and attachment names.

Mydoom.b launches a denial-of-service attack in which networks are flooded with junk traffic. The Mydoom code includes a message from its author: "I'm just doing my job, nothing personal, sorry." Warning: Don't open an e-mail attachment that you haven't requested or that you have any reason to be suspicious about. (San Jose Mercury News 29 Jan 2004)

For more information: www.siliconvalley.com/mld/siliconvalley/7825088.htm and securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.b@mm.html

This information was updated on 1/29/04.


Novarg

W32.Novarg.A@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. The subject lines can vary, but may include phrases like "Mail Delivery System" or "Mail Transaction Failed."

When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor can download and execute arbitrary files. It runs on Windows 98, ME, NT, 2000 and XP.

The worm will perform a Denial of Service (DoS) attack starting on February 1, 2004 against the software business site www.sco.com. It also has a trigger date to stop spreading on February 12, 2004. These two events will only occur if the worm is run between or after those dates. While the worm will stop spreading on February 12, 2004, the backdoor component will continue to function after this date.

Message Body: (any of the following)

  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.
  • test

For more information, see securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

From Ziff Davis:

Antivirus companies claim it's "the fastest moving worm ever." The flood started over the weekend, actually, as a series of infected e-mails started showing up in my in-box. On Monday, everything went kablooey -- with about 10% of sent and received e-mails coming from one of three different worms. MyDoom turned out to be the worst, causing corporations to unplug their e-mail systems from the Internet and clogging in-boxes worldwide.

Our special report keeps you updated on just how overwhelmingly the virus is spreading and explains how to spot and disinfect machines that have been compromised.

Three Worms Spread Doom:
http://eletters.wnn.ziffdavis.com/zd1/cts?d=75-117-1-1-407488-5197-1

Spotting and Fixing MyDoom infections:
http://eletters.wnn.ziffdavis.com/zd1/cts?d=75-117-1-1-407488-5200-1

This information was updated on 1/29/04.


Bagle-A/Beagle-A

A new computer worm called Bagle-A, or Beagle-A, carries an expiration date, giving security experts concern that it might be followed by more robust versions of the now-buggy program. Daniel Zatz, security director for Computer Associates Australia, says, "One of our biggest concerns is that if we look back a year ago at the Sobig variants, they all had drop-dead dates, and every time one hit that drop-dead date a new variant came out; a new and improved variant of it."

Bagle-A/Beagle-A arrives in e-mail inboxes as a message containing text suggesting the e-mail may be from a system administrator, as well as an executable attachment. PC users should not open the attachment; if they suspect their computers may be infected with the virus, they should look for a file called bbeagle.exe in their Windows System directory. The file disguises itself under the Microsoft calculator icon.

For more information, go to securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html

This virus information was updated on 1/20/04.


Xombe or Downloader

There's a nasty new Trojan horse-style worm in town--and it's cunningly wrapped in sheep's clothing. Known as either Xombe or Downloader, it comes cloaked as an e-mail from Microsoft, containing security patches that must be applied immediately. Instead of securing your system, however, it ends up installing another file -- a Trojan horse. It started appearing on Friday, January 9, 2004.

Xombe arrives in an e-mail from the address windowsupdate@microsoft.com with a subject line of "Windows XP Service Pack 1 (Express)-Critical Update." The attachment is named "winxp_sp1.exe." According to an analysis of the program done by Computer Associates International Inc., the body of the message reads:

"Window Update has determined that you are running a beta version of Windows XP Service Pack 1 (SP1). To help improve the stability of your computer, Microsoft recommends that you remove the beta version of Windows XP SP1 and re-install Windows XP SP1. If you cannot remove the beta version, you should still reinstall Windows XP SP1.

Windows XP SP1 provides the latest security, reliability, and performance updates to the Windows XP family of operating systems. Windows XP SP1 is designed to ensure Windows XP platform compatibility with newly released software and hardware, and includes updates to resolve issues discovered by customers or by Microsoft's internal testing team.

The maximum download size is approximately 3 MB, however, the size of the download and time required may be less for computers that have had updates previously installed.

To minimize the download time needed for installation, setup will only download those files which are required to bring your computer up to date. Windows XP SP1 includes Internet Explorer 6 SP1. Anti-virus software programs may interfere with the installation of Windows XP SP1. Please disable anti-virus software while installing the service pack.

Just run the file winxp_sp1.exe in attach and make sure to restart your PC after installation will be completed."

This virus information was updated on 1/14/04.


Bugbros-A

A mass-mailer worm in the wild poses as a flaw fix from Microsoft.

Bugbros-A arrives attached to an e-mail that purports to be from support@microsoft.com. The message says the attached worm is a fix for a new back-door called BugGear-A.

The worm doesn't contain a destructive payload. It can infect machines running Windows 95, 98, ME, NT, 2000 and XP, according to an advisory from antivirus software vendor Trend Micro Inc.

Astute readers probably wouldn't be fooled by the worm's social engineering because the message contains numerous misspellings. Also, it's widely known that Microsoft never sends out fixes via e-mail.

For more information, go to vil.nai.com/vil/content/v_100943.htm

This virus information was updated on 1/08/04.


Bizten

W32.Bizten is a Trojan horse that modifies the Internet Explorer home page and adds URLs to your Favorites list without your permission.

For more information, go to securityresponse.symantec.com/avcenter/venc/data/w32.bizten.html

This virus information was updated on 1/08/04.


Backdoor.Graybird

This Trojan horse gives its creator unauthorized access to your computer. The existence of the file graypigeon.dll is an indication of a possible infection.

Once Backdoor.Graybird is installed, it waits for commands from the remote client. These commands allow the Trojan's creator to perform any of the following actions:

  • Deliver system and network information to the Trojan's creator, including the logon names and cached network passwords.
  • Install an FTP server, allowing the Trojan's creator to use the compromised computer as a temporary storage device.
  • Open or close the CD-ROM drive and perform other annoying actions.
  • Download and execute files.

For more information, go to http://securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.h.html

This virus information was updated on 1/08/04.


Quis

Quis spreads itself via Outlook as an email containing a destructive payload. The worm affects Windows 95, 98, and ME.

The worm infects all .exe files in the My Documents and C:\progra~1\mirc folders. Among its less disruptive effects, it overwrites ringtone files (using the extension .rtx) with the tune "Jingle Bells" and subjects the user to a quiz.

The worm arrives in an email with the subject line, "Merry Christmas!" The body reads: "You've probably received enough e-cards. Here's a nice Christmas screensaver instead :)," and the message carries an attachment called xmas.scr.

For more information, go to vil.nai.com/vil/content/v_100934.htm

This virus information was updated on 1/08/04.


Jitux.A

Jitux.A is an aggressive code that contains a link to the web page http://www.home.no/ / jituxramon.exe.

Once open, the file JITUXRAMON.EXE automatically downloads, infecting your computer.

The worm file stores itself in the computer's memory and sends new infected messages every five minutes to all contacts in your Messenger's Contact List.

For more information, go to http://vil.nai.com/vil/content/v_100931.htm

This virus information was updated on 1/08/04.


Gluber.B

W32.Gluber.B@mm, a worm virus that spreads by e-mail and network shares, is infecting Windows-based systems. When it arrives by e-mail, it carries a randomly selected subject line and an attachment with a file name ending in .exe, .com, .pif or .bat. When it runs, it will copy itself as djfgucxr.exe and make additions to the system registry to allow it to run at system startup. The virus opens port 5373 and awaits remote commands, and it attempts to terminate antivirus and security software. It will also attempt to spread using its own SMTP engine and e-mail addresses harvested from the system.

For more information, go to http://vil.nai.com/vil/content/v_100933.htm

This virus information was updated on 1/08/04.


Mimail Variant

This worm is received in an email message as follows: From: "Wendy". It may have various messages but it will contain an attachment: wendy.zip or text.exe. Just delete this one!

For more information, go to vil.nai.com/vil/content/v_100846.htm

This virus information was updated on 12/02/03.
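The Quis, Gluber.B and Mimail entries above all arrive as an attachment with a known name or an executable extension. The following mail-gateway check is an added example, not tooling from the advisories or from Symantec/McAfee; the indicator names and extensions are taken from the entries above, and the sample message is constructed.

```python
"""Mail-gateway triage for the mass-mailers listed above (Quis, Mimail, Gluber.B).
Added example; the sample message below is constructed, not a real capture."""
from email import message_from_string
from email.message import Message

# Attachment types Gluber.B uses (.exe/.com/.pif/.bat) plus Quis' .scr screensaver
RISKY_EXTENSIONS = {".exe", ".com", ".pif", ".bat", ".scr"}

# Exact attachment names the advisories above associate with specific worms
KNOWN_INDICATORS = {
    "xmas.scr": "Quis",
    "wendy.zip": "Mimail variant",
    "text.exe": "Mimail variant",
}


def attachment_names(msg: Message):
    """Yield the filename of every attachment part in a (possibly multipart) message."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def triage(raw: str) -> dict:
    """Return a verdict for one RFC 822 message: which attachments to block and why."""
    msg = message_from_string(raw)
    findings = []
    for name in attachment_names(msg):
        lower = name.lower()
        if lower in KNOWN_INDICATORS:
            findings.append((name, f"matches {KNOWN_INDICATORS[lower]} indicator"))
        elif any(lower.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append((name, "executable attachment type"))
    return {"subject": msg.get("Subject", ""), "block": bool(findings), "findings": findings}


# Constructed sample resembling the Quis lure described above
SAMPLE = """\
From: someone@example.invalid
Subject: Merry Christmas!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You've probably received enough e-cards. Here's a nice Christmas screensaver instead :)
--b1
Content-Type: application/octet-stream; name="xmas.scr"
Content-Disposition: attachment; filename="xmas.scr"

AAAA
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```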


New Trojan-Virus Making The Rounds: Sysbug

Beware of a nasty new email Trojan horse making the rounds. It pretends to carry salacious pictures, but instead installs a back-door that gives the virus creator access to data on your system. Ouch! We've got details on what the email looks like, and how to avoid it. For more information, go to vil.nai.com/vil/content/v_100837.htm

This virus information was updated on 12/01/03.


W32.Paylap@mm

This new variant of W32/Mimail.gen@MM attempts to steal credit card information by displaying a fake PayPal message. The user's information is stored in a file named ppinfo.sys, which is sent to a remote server. For more information, go to vil.nai.com/vil/content/v_100825.htm

This virus information was updated on 11/18/03.


Qhost-1

Can't access search engines with your browser? You may have contracted Qhost-1. One symptom caused by this virus, Trojan.Qhosts, is that you are unable to reach search engines, such as http://www.google.com. If you are unable to navigate to the Google site, suspect that you've been infected. Get current virus definitions and do a full scan of your hard drive. QHosts-1 is more irritating than destructive: its intent is to present you with all sorts of marketing opportunities before re-directing you to the search site you originally requested.

A link to the Symantec site with instructions for removal of the virus: securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

A link to the McAfee site:
us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719


Sdbot

New reports are out about another spoof email, purporting to be from Symantec and loaded with an .EXE file that won't do you any good at all. Here's the spoof message, and if you get it, don't run the .EXE file, because it probably undoes the NAV protection against the awful Sobig worm.

Here is the text of the email. You may get something similar:

"October 06, 2003
Intruder Alert 4.1 W32_Webb_Worm Policy

This policy detects the propagation of the W32.SobigF.Worm through changes in the registry.

W32.Webb.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in various files. The worm uses its own SMTP engine to propagate and attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.

In the attachment, you can find program that update your Norton Antivirus to Norton Antivirus 2004."


Page Last Updated: December 16, 2004


Webmaster, webmaster@mhric.org


These pages ©1996-2006 Mid-Hudson Regional Information Center.
All rights reserved.