home.gif (20220 bytes)

Virus Edition

WARNING - Virus / Worm Alert


latest virus threats

View all virus threatsgo
View expanded threatsgo

security advisories

Check out http://www.symantec.com/avcenter/index.html for more info.

Virus Type - W32/Netsky.p@MM

Mail Propagation  The worm sends mails using SMTP.   Email sent has the following characteristics:

From: (forged address taken from infected system)
Subject: (Taken from the following list)

  • Stolen document
  • Re:Hello
  • Mail Delivery ( failure sender address )
  • Private document
  • Re:Notify
  • Re:document
  • Re:Extended Mail System
  • Re:Proctected Mail System
  • Re:Question
  • Private document
  • Postcard

Attachment: (one of the following)

  • websites(random number).zip
  • document(random number).zip
  • your_document.zip
  • part(random number).zip
  • message.doc.scr
  • message.zip
  • document.zip
  • old_photos.txt.pif
  • postcard_.(random number)..zip
  • details(random number).zip

Where .zip file is the worm in a zip file.

The mailing component harvests address from the local system.  Files with the following extensions are targeted:


Email's with pictures of Osama Bin-Laden hanged are being sent and the moment that you open these email's your computer will crash and you will not be able to fix it!!!
This e-mail is being distributed through countries around the globe, but mainly in the US and Israel. Please send this warning to your friends.

Confirmed at: http://www.snopes.com/computer/virus/osama.asp

If you get a email which has text like shown below delete it. DO NOT OPEN IT OR ATTACHMENT.

 It has a VIRUS in the attachment!!!

 Be aware that any address / URL can be in the message (red area's below)

 Hello user  of abcdefg.com e-mail  server,

Our  antivirus software has detected  a large amount of viruses outgoing
from your email account,  you may use our  free anti-virus  tool  to   clean up
your computer software.

For more information see the attached file.

Kind regards,
abcdefg.com   team                                http://www.abcdefg.com

Be advised that a new virus called W32.Beagle.K@mm is spreading rapidly via e-mail. The message falsely appears to have been sent to you by abcdefg.com staff, and it may warn that your e-mail account will be disabled. This is NOT true! If you receive a message like this, please do not open the attachment. Rather, delete the message immediately, and run an updated anti-virus program if your computer is equipped with one. The virus spreads by e-mail and through file-sharing networks such as Kazaa and iMesh.

To learn more about the virus, how it spreads, how to identify it, and how to protect yourself, please visit




Virus Alert   If you are running a program named msblast.exe you are infected with a virus. Infected systems often report an error in the RPC service and force a reboot. The free McAfee Stinger utility can remove this virus. Here is the McAfee description of the virus, We'll update what we know in the virus section of our forums.

Due to the risk posed by e-mail viruses YOU should not accepting messages that have any of the following attachment types:

  *.EXE  *.BAT  *.COM  *.JS   *.HTM  *.HTML  *.VB*   *.WSH    *.SHS  *.JSE  *.PIF  *.BAS  *.WSC   *.SCT   *.CMD  *.SHB   *.SCR  *.DLL  *.LNK   *.CHM
     W32/Klez.gen @MM & W95/Elkern.cav

Virus Characteristics: Back to Top

AVERT has raised the risk assessment of this threat to Medium after seeing an increase in prevalence over the past 24 hours. Home users are at a greater risk of infection, as they tend to update their DATs less frequently then corporations. As such, the risk of becoming infected in a corporate environment is lower.

This latest W32/Klez variant is already detected as W32/Klez.gen@MM by McAfee products using the 4182 DATs (23 January 2002) or greater.

W32/Klez.h@MM has a number of similarities to previous W32/Klez variants, for example:

  • W32/Klez.h@MM makes use of Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
  • the worm has the ability to spoof the From: field (often set to an address found on the victim machine).
  • the worm attempts to unload several processes (antivirus programs) from memory. Including those containing the following strings:

The worm is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist). Target filenames are chosen randomly, and can have single or double file extensions. For example:

The worm may also copy itself into RAR archives, for example:

The worm mails itself to email addresses in the Windows Address Book, plus addresses extracted from files on the victim machine. It arrives in an email message whose subject and body is composed from a pool of strings carried within the virus (the virus can also add other strings obtained from the local machine). For example:

Subject: A very funny website
or Subject: 1996 Microsoft Corporation
or Subject: Hello,honey
or Subject: Initing esdi
or Subject: Editor of PC Magazine.
or Subject: Some questions
or Subject: Telephone number

The file attachment name is again generated randomly, and ends with a .exe, .scr, .pif, or .bat extension, for example:

Thanks to the use of the exploit described above, simply opening or previewing the message in a vulnerable mail client can result in infection of the victim machine.

W32/Klez.h@MM masquerades as a free immunity tool in at least one of the messages used:

Subject: Worm Klez.E Immunity
Body: Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.

The worm may send a clean document in addition to an infected file. A document found on the hard disk, that contains one of the following extensions, is sent:

  • .txt
  • .htm
  • .html
  • .wab
  • .asp
  • .doc
  • .rtf
  • .xls
  • .jpg
  • .cpp
  • .c
  • .pas
  • .mpg
  • .mpeg
  • .bak
  • .mp3
  • .pdf

This payload can result in confidental information being sent to others.

Indications Of Infection: Back to Top
  • Randomly/oddly named files on network shares, as described above.
  • Reference to a WINKxxx.EXE file ("xxx" looks random) in a Registry key:
Method Of Infection: Back to Top

This virus can be considered a blended threat. It mass-mails itself to email addresses found on the local system, exploits a Microsoft vulnerability, spreads via network shares, infects executables on the local system, and drops an additional file infecting virus, W95/Elkern.cav.c.

Removal Instructions: Back to Top

Use current engine and DAT files for detection.

Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished. The following steps will circumvent this action and allow for proper VirusScan scanning/removal, by using the command-line scanner.

  1. Download and install the DAILY DAT files (http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/virus-4d.asp)
  2. Close all running applications
  3. Disconnect the system from the network
  4. Click START | RUN, type command and hit ENTER
  5. Change to the VirusScan engine directory:
    • Win9x/ME - Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
    • WinNT/2K/XP - Type cd \progra~1\common~1\networ~1\viruss~1\40F809~1.xx and hit ENTER
  6. Rename SCAN.EXE to CLEAN.EXE to prevent the virus from terminating the process and deleting files. Type, ren scan.exe clean.exe and hit ENTER
  7. First, scan the system directory
    • Win9x/ME - Type clean.exe %windir%\system\win*.exe and hit ENTER
    • WinNT/2K/XP - Type clean.exe %windir%\system32\win*.exe and hit ENTER
  8. Once the scan has completed, Type clean.exe /adl /clean and hit ENTER
  9. Rename scan.exe. Type, ren clean.exe scan.exe and hit ENTER
  10. After scanning and removal is complete, reboot the system

Apply Internet Explorer patch if necessary.

Additional Windows ME/XP removal considerations

Aliases: Back to Top

W32/Klez.G@mm (Norman), W32/Klez.gen@MM, W32/Klez.I (Panda), W32/Klez.K-mm, WORM_KLEZ.G (Trend)

McAfee.com has seen a large and growing number of computers infected with W32/Fbound.c@MM.  This MEDIUM-ON-WATCH RISK virus is a pure mass-mailing worm. It does not carry any other, damaging, payload. The virus sends itself to all users found in the Windows Address book using SMTP. It arrives in an email message containing the following information:

Subject: "Important" or a Japanese subject 
Body: [empty]
Attachment: patch.exe

When run, it immediately e-mails itself to all entries in the Windows address book. It does not install itself in any way. It contains the text "I-Worm.Japanize".
This is a really BAD VIRUS W32.Magistr.39921@mm it is in Brookridge / Brooksville Florida, And it comes from someone you know. As attachment about 52Kb in size.

McAfee.com has seen an OUTBREAK of computers infected with W32/Goner@MM, also known as Pentagone, Goner or Gone. This is a NEW, HIGH RISK virus that spreads via Microsoft Outlook email and ICQ instantmessaging programs. This mass-mailing worm will arrive from someone you know with the following email message:

Subject: Hi

Body: How are you ?
When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!

Attachment: GONE.SCR

Goner has a DESTRUCTIVE PAYLOAD. When the attachment is opened, it will look for a variety of anti-virus, firewall
and other security programs and attempt to delete them, along with ALL FILES in the same directory. This worm
will also place a trojan, REMOTE32.INI, on the system, which contains instructions to attempt Denial-of-Service attacks
on other IRC users.

For detection and removal instructions for the W32/Goner@MM virus, >> click here. <<

WARNING 2 types Virus are being sent to Brookridge Residents

Click for INFO and removal >> VIRUS #1 called W32/Badtrans@mm  

Click for INFO and removal >> VIRUS  #2 called W32/Badtrans.b@mm  

There are several persons here in Brookridge that are now sending this virus. IF you get a window requesting that you save a file or open it CLICK ON CANCEL then delete the email.

This one has been received here the most. Badtrans.b details:
This mass mailing worm attempts to send itself using Microsoft Outlook by replying to unread and read email messages. It also mails itself to email addresses found within files that exist on your system. It drops a keylogging trojan (detected as PWS-Hooker with the 4173 DATs, or greater) into the SYSTEM directory as KDLL.DLL. This trojan logs keystrokes for the purpose of stealing personal information (such as credit card and bank account numbers and passwords). This information is later emailed to the virus author(s).

By Sam Costello
IDG News Service, 10/17/01

A new mass mailer worm, purporting to provide information about the disease anthrax, has appeared on the Internet but is being hampered because of a flaw in its design, antivirus companies said Wednesday.

The worm has been found in both English- and Spanish-language versions and arrives in inboxes with a subject line that reads "Anthrax" or "Antrax," according to Kaspersky Labs and Symantec.

Included is an attachment called Antraxinfo.vbs or Antraxjpg.vbs that the message says is a picture of "the results" of Anthrax, but is actually a .VBS file used to execute the worm, the companies said. When the file is double-clicked, the worm attempts to overwrite all system files ending in .VBS and .VBE, as well as send itself to all addresses listed in the system's Outlook address book, they said. It may also attempt to overwrite a Script.INI file used by chat clients, Symantec said.

Because of a flaw in the way the worm is written, however, it fails to spread as designed, both companies said.

The body text of the worm reads: "If you don't know what antrax is or what the results of it are, please see the attached picture so that you can see the results that it has. Note: the picture might be too strong." In Spanish the worm says, "Si no sabes que es el antrax o cuales son sus efectos aqui te mando una foto para que veas los efectos que tiene. Nota: la foto esta un poco fuerte."

The design of the worm's message attempts to play upon heightened public awareness in the U.S. about anthrax after a rash of infections and scares about the disease in the last week. One person in Florida has died from the inhalation form of anthrax, while 13 in New York and Florida have tested positive to exposure, although some of those tests may yet turn out to be negative because preliminary tests can result in false positive results. Four confirmed cases of anthrax illness have been reported.

A wing of a U.S. Senate office building was closed Tuesday and authorities started screening and treating hundreds of people there for possible exposure after test results on a letter sent to Senate Majority Leader Tom Daschle came back positive for anthrax.

McAfee.com has seen a large and growing number of systems infected with the W32/Nimda@MM. This is a HIGH RISK virus that is spread via email. W32/Nimda@MM also spreads via open shares, the Microsoft Web Folder Transversal vulnerability (also used by W32/CodeBlue), and a Microsoft content-type spoofing vulnerability.
The email attachment name VARIES and may use the icon for an Internet Explorer HTML document.
It will also attempt to spread itself as follows: - The email messages created by the worm include content   that allows the worm to execute the attachment even if the user does not open it. - It modifies HTML documents, so that when this infected window is accessed (locally or remotely), the machine viewing the page is then infected. Once infected, your system is used to seek out others to infect over the Web.
W32/APost@ mm ("APost" or "New Backdoor")  The infected email can come from addresses that you recognize and may contain the following information:
Subject: As per your request!
Body: Please find attached file for your review.
I look forward to hear from you again very soon. Thank you.
Attachment: README.EXE

Running the attachment causes the worm to copy itself to the Windows directory and send a copy of itself to every entry in the user's Microsoft Outlook Address Book. It will then display a small dialog box titled "Urgent!". This dialog box contains one single large button labeled "Open". If this button is pressed then the worm sends out further copies of itself, displays an error message box with the title "WinZip SelfExtractor: Warning" and then terminates. For detection and removal instructions for theW32/APost@ mm ("APost" or "New Backdoor") worm, click here. -> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2422
McAfee.com VirusScan Online and Clinic subscribers: If you don't have ActiveShield installed and updated, you are not protected from this virus. Click here to download ActiveShield. -> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2372
WE have TWO  virus infected files in Brookridge One name is SULFNBK.EXE Click here for more info and is (73.8KB in size). The file was sent to me with Bud's  & Dot & Don's e-mail address on it, but they may have not sent it out.  The real windows file is (44KB) in size. A short time ago we had a Hoax about Deleting the windows file  SULFNBK.EXE.  Also sent to some of our residents is File name KAKPOHKA.exe (21.0KB in size)  Click here for more info DO NOT OPEN THESE FILES AS THEY WILL RELEASE   DIFFERENT "BUGS" in YOUR COMPUTER

An email HOAX has been circulating recently that has received a lot of press and public attention. The subject
line may contain "***Virus Alert***" or mention SULFNBK.exe. If you receive a copy of this message, you should ignore it. Do NOT pass it on as this is how an email hoax spreads. You may receive a copy of this message from addresses that you recognize.

There are several versions of this message circulating, in several different languages.   The email message may appear in part as follows:
"A VIRUS could be in your computer files now, dormant but will become active on June 1. Try not to USE your Computer on June 1st. FOLLOW DIRECTIONS BELOW TO CHECK IF YOU HAVE IT  AND TO REMOVE IT NOW."
"No Virus software can detect it. It will become active on June 1, 2001. It might be too late by then. It wipes out
all files and folders on the hard drive. This virus travels thru E-mail and migrates to the C:\windows\command' folder." The email will also instruct you to delete SULFNBK.exe and to pass the message along to everyone you know.
SULFNBK.exe is a standard part of the Windows operating system and SHOULD NOT BE REMOVED.

McAfee.com has seen a large and growing number of computers infected with VBS/VBSWG.Z@MM.  A virus that is spread via the Windows email program Outlook.  The infected email can come from addresses that you recognize, with an attachment named "Mawanella.vbs". The email message can appear as follows:
Subject: Mawanella
Body: Mawanella is one of the Sri Lanka's Muslim Village
Attachment: Mawanella.vbs
Opening the attachment initiates the mass e-mailing routine. When the attachment is running, it displays a message-box entitled "VBScript: Mawanella" which reads:    Mawanella is one of the Sri Lanka's Muslim Village.   This brutal incident happened here 2 Muslim Mosques,100    Shops are burnt. I hat this incident, What about you?    I can destroy your computer I didn't do that because I am a peace-loving citizen. It copies itself to the Windows System directory as a file called "Mawanella.vbs" and e-mails itself to all recipients in the Microsoft Outlook address book.Click here for more information.  http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2251
A virus in Brookridge which sends a second message with every message you send out. If you get a message which has a attachment with some filename .EXE , .SCR or .VBS extension. it could contain a virus. DO NOT OPEN the attachment.  ANNAKOURNIKOVA.JPEG.VBS & W32.HybrisF (.SCR) are two of the new Viruses. On CNN last night that "Here you have;0)" is an actual virus...Using Outlook Express..
Instructions  -- Windows Desktop (You must be using Internet Explorer to download this file). This file can be saved to an alternate folder; and if an alternate folder is used you will need to launch this program from that folder rather than the desktop folder. If the file has been saved to the Windows Desktop folder an icon for this program will appear on your desktop. Please note that this program has a ".com" extension and not a ".exe" extension. It is important that this extension be preserved. After the file finishes downloading launch the program by double-clicking on the fixnavid icon that appears on the desktop. If you saved this program to an alternate folder you will need to open the appropriate folder via the "My Computer" window and launch the program from that alternate folder.

Warning Prettypark virus is back in Brookridge Thank You Jack Fieber for the heads up on this one!! There is a new virus; the subject is "A great shockwave movie". There is an attachment named "creative.exe"  that will trigger the virus.
DO NOT OPEN THIS MESSAGE - DELETE IT IMMEDIATELY. W32.Prolin.Worm is a worm that spreads via Microsoft Outlook by emailing itself to everyone in the Outlook address book.  : TROJ_SHOCKWAVE.A, CREATIVE, TROJ_PROLIN.A
Thank You Donna Colombo for the heads up on this one!!


The next time some one sends you a Virus WARNING. You need to got to one of these websites and chek it out, before you forword the messge on to some one else.  The two main reasons for starting a hoax is one it slows down & fills up computers on the internet.  The second is after a while you become complancent to the threats so when the REAL THING comes you do not do anything, mainly because the last 10 were hoaxes.

Last update was at  05/05/2007 01:08:54 PM

Technical questions or comments about this web site should be sent to the  

Best viewed with monitor resolution of 1024 x 768 pixels

This site  is Designed & Maintained  by SNC Industries