Computer Corner

Virus Edition

WARNING - Virus / Worm Alert

WORM_SOBER.AG

WORM_MYTOB.MX

SYMANTEC

	W32.Beagle.C@mm
	Trojan.Tilser
	PWSteal.Bancos.E
	Backdoor.IRC.Loonbot
	PWSteal.Tarno.B
	W32.Mockbot.A.Worm
	View all virus threats View expanded threats

Check out http://www.symantec.com/avcenter/index.html for more info.

Warning

Virus Type - W32/Netsky.p@MM

Mail Propagation The worm sends mails using SMTP. Email sent has the following characteristics:

From: (forged address taken from infected system)
Subject: (Taken from the following list)

Stolen document
Re:Hello
Mail Delivery ( failure sender address )
Private document
Re:Notify
Re:document
Re:Extended Mail System
Re:Proctected Mail System
Re:Question
Private document
Postcard

Attachment: (one of the following)

websites(random number).zip
document(random number).zip
your_document.zip
part(random number).zip
message.doc.scr
message.zip
document.zip
old_photos.txt.pif
postcard_.(random number)..zip
details(random number).zip

Where .zip file is the worm in a zip file.

The mailing component harvests address from the local system. Files with the following extensions are targeted:

Email's with pictures of Osama Bin-Laden hanged are being sent and the moment that you open these email's your computer will crash and you will not be able to fix it!!!
This e-mail is being distributed through countries around the globe, but mainly in the US and Israel. Please send this warning to your friends.

Confirmed at: http://www.snopes.com/computer/virus/osama.asp

If you get a email which has text like shown below delete it. DO NOT OPEN IT OR ATTACHMENT.

It has a VIRUS in the attachment!!!

Be aware that any address / URL can be in the message (red area's below)

Hello user of abcdefg.com e-mail server,

Our antivirus software has detected a large amount of viruses outgoing
from your email account, you may use our free anti-virus tool to clean up
your computer software.

For more information see the attached file.

Kind regards,
The abcdefg.com team http://www.abcdefg.com

Be advised that a new virus called W32.Beagle.K@mm is spreading rapidly via e-mail. The message falsely appears to have been sent to you by abcdefg.com staff, and it may warn that your e-mail account will be disabled. This is NOT true! If you receive a message like this, please do not open the attachment. Rather, delete the message immediately, and run an updated anti-virus program if your computer is equipped with one. The virus spreads by e-mail and through file-sharing networks such as Kazaa and iMesh.

To learn more about the virus, how it spreads, how to identify it, and how to protect yourself, please visit

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.k@mm.html.

Virus Alert If you are running a program named msblast.exe you are infected with a virus. Infected systems often report an error in the RPC service and force a reboot. The free McAfee Stinger utility can remove this virus. Here is the McAfee description of the virus, We'll update what we know in the virus section of our forums.

Due to the risk posed by e-mail viruses YOU should not accepting messages that have any of the following attachment types:

*.EXE *.BAT *.COM *.JS *.HTM *.HTML *.VB* *.WSH *.SHS *.JSE *.PIF *.BAS *.WSC *.SCT *.CMD *.SHB *.SCR *.DLL *.LNK *.CHM W32/Klez.gen @MM & W95/Elkern.cav

Virus Characteristics:

AVERT has raised the risk assessment of this threat to Medium after seeing an increase in prevalence over the past 24 hours. Home users are at a greater risk of infection, as they tend to update their DATs less frequently then corporations. As such, the risk of becoming infected in a corporate environment is lower.

This latest W32/Klez variant is already detected as W32/Klez.gen@MM by McAfee products using the 4182 DATs (23 January 2002) or greater.

W32/Klez.h@MM has a number of similarities to previous W32/Klez variants, for example:

W32/Klez.h@MM makes use of Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2).
the worm has the ability to spoof the From: field (often set to an address found on the victim machine).
the worm attempts to unload several processes (antivirus programs) from memory. Including those containing the following strings:

The worm is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist). Target filenames are chosen randomly, and can have single or double file extensions. For example:
  350.bak.scr
  bootlog.jpg
  user.xls.exe

The worm may also copy itself into RAR archives, for example:
  HREF.mpeg.rar
  HREF.txt.rar
  lmbtt.pas.rar

The worm mails itself to email addresses in the Windows Address Book, plus addresses extracted from files on the victim machine. It arrives in an email message whose subject and body is composed from a pool of strings carried within the virus (the virus can also add other strings obtained from the local machine). For example:

Subject: A very funny website
or Subject: 1996 Microsoft Corporation
or Subject: Hello,honey
or Subject: Initing esdi
or Subject: Editor of PC Magazine.
or Subject: Some questions
or Subject: Telephone number

The file attachment name is again generated randomly, and ends with a .exe, .scr, .pif, or .bat extension, for example:
  ALIGN.pif
  User.bat
  line.bat

Thanks to the use of the exploit described above, simply opening or previewing the message in a vulnerable mail client can result in infection of the victim machine.

W32/Klez.h@MM masquerades as a free immunity tool in at least one of the messages used:

Subject: Worm Klez.E Immunity
Body: Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.

The worm may send a clean document in addition to an infected file. A document found on the hard disk, that contains one of the following extensions, is sent:

.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.c
.pas
.mpg
.mpeg
.bak
.mp3
.pdf

This payload can result in confidental information being sent to others.

Indications Of Infection:

Randomly/oddly named files on network shares, as described above.
Reference to a WINKxxx.EXE file ("xxx" looks random) in a Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Method Of Infection:

This virus can be considered a blended threat. It mass-mails itself to email addresses found on the local system, exploits a Microsoft vulnerability, spreads via network shares, infects executables on the local system, and drops an additional file infecting virus, W95/Elkern.cav.c.

Removal Instructions:

Use current engine and DAT files for detection.

Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished. The following steps will circumvent this action and allow for proper VirusScan scanning/removal, by using the command-line scanner.

Download and install the DAILY DAT files (http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/virus-4d.asp)
Close all running applications
Disconnect the system from the network
Click START | RUN, type command and hit ENTER
Change to the VirusScan engine directory:
- Win9x/ME - Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
- WinNT/2K/XP - Type cd \progra~1\common~1\networ~1\viruss~1\40F809~1.xx and hit ENTER
Rename SCAN.EXE to CLEAN.EXE to prevent the virus from terminating the process and deleting files. Type, ren scan.exe clean.exe and hit ENTER
First, scan the system directory
- Win9x/ME - Type clean.exe %windir%\system\win*.exe and hit ENTER
- WinNT/2K/XP - Type clean.exe %windir%\system32\win*.exe and hit ENTER
Once the scan has completed, Type clean.exe /adl /clean and hit ENTER
Rename scan.exe. Type, ren clean.exe scan.exe and hit ENTER
After scanning and removal is complete, reboot the system

Apply Internet Explorer patch if necessary.

Additional Windows ME/XP removal considerations

Aliases:

W32/Klez.G@mm (Norman), W32/Klez.gen@MM, W32/Klez.I (Panda), W32/Klez.K-mm, WORM_KLEZ.G (Trend)

McAfee.com has seen a large and growing number of computers infected with W32/Fbound.c@MM. This MEDIUM-ON-WATCH RISK virus is a pure mass-mailing worm. It does not carry any other, damaging, payload. The virus sends itself to all users found in the Windows Address book using SMTP. It arrives in an email message containing the following information:

Subject: "Important" or a Japanese subject
Body: [empty]
Attachment: patch.exe

When run, it immediately e-mails itself to all entries in the Windows address book. It does not install itself in any way. It contains the text "I-Worm.Japanize".This is a really BAD VIRUS W32.Magistr.39921@mm it is in Brookridge / Brooksville Florida, And it comes from someone you know. As attachment about 52Kb in size.

McAfee.com has seen an OUTBREAK of computers infected with W32/Goner@MM, also known as Pentagone, Goner or Gone. This is a NEW, HIGH RISK virus that spreads via Microsoft Outlook email and ICQ instantmessaging programs. This mass-mailing worm will arrive from someone you know with the following email message:

Subject: Hi

Body: How are you ?
When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!

Attachment: GONE.SCR

Goner has a DESTRUCTIVE PAYLOAD. When the attachment is opened, it will look for a variety of anti-virus, firewall
and other security programs and attempt to delete them, along with ALL FILES in the same directory. This worm
will also place a trojan, REMOTE32.INI, on the system, which contains instructions to attempt Denial-of-Service attacks
on other IRC users.

For detection and removal instructions for the W32/Goner@MM virus, >> click here. <<

WARNING 2 types Virus are being sent to Brookridge Residents

Click for INFO and removal >> VIRUS #1 called W32/Badtrans@mm

Click for INFO and removal >> VIRUS #2 called W32/Badtrans.b@mm

There are several persons here in Brookridge that are now sending this virus. IF you get a window requesting that you save a file or open it CLICK ON CANCEL then delete the email.

This one has been received here the most. Badtrans.b details:
This mass mailing worm attempts to send itself using Microsoft Outlook by replying to unread and read email messages. It also mails itself to email addresses found within files that exist on your system. It drops a keylogging trojan (detected as PWS-Hooker with the 4173 DATs, or greater) into the SYSTEM directory as KDLL.DLL. This trojan logs keystrokes for the purpose of stealing personal information (such as credit card and bank account numbers and passwords). This information is later emailed to the virus author(s).

By Sam Costello
IDG News Service, 10/17/01

A new mass mailer worm, purporting to provide information about the disease anthrax, has appeared on the Internet but is being hampered because of a flaw in its design, antivirus companies said Wednesday.

The worm has been found in both English- and Spanish-language versions and arrives in inboxes with a subject line that reads "Anthrax" or "Antrax," according to Kaspersky Labs and Symantec.

Included is an attachment called Antraxinfo.vbs or Antraxjpg.vbs that the message says is a picture of "the results" of Anthrax, but is actually a .VBS file used to execute the worm, the companies said. When the file is double-clicked, the worm attempts to overwrite all system files ending in .VBS and .VBE, as well as send itself to all addresses listed in the system's Outlook address book, they said. It may also attempt to overwrite a Script.INI file used by chat clients, Symantec said.

Because of a flaw in the way the worm is written, however, it fails to spread as designed, both companies said.

The body text of the worm reads: "If you don't know what antrax is or what the results of it are, please see the attached picture so that you can see the results that it has. Note: the picture might be too strong." In Spanish the worm says, "Si no sabes que es el antrax o cuales son sus efectos aqui te mando una foto para que veas los efectos que tiene. Nota: la foto esta un poco fuerte."

The design of the worm's message attempts to play upon heightened public awareness in the U.S. about anthrax after a rash of infections and scares about the disease in the last week. One person in Florida has died from the inhalation form of anthrax, while 13 in New York and Florida have tested positive to exposure, although some of those tests may yet turn out to be negative because preliminary tests can result in false positive results. Four confirmed cases of anthrax illness have been reported.

A wing of a U.S. Senate office building was closed Tuesday and authorities started screening and treating hundreds of people there for possible exposure after test results on a letter sent to Senate Majority Leader Tom Daschle came back positive for anthrax.

McAfee.com has seen a large and growing number of systems infected with the W32/Nimda@MM. This is a HIGH RISK virus that is spread via email. W32/Nimda@MM also spreads via open shares, the Microsoft Web Folder Transversal vulnerability (also used by W32/CodeBlue), and a Microsoft content-type spoofing vulnerability.
The email attachment name VARIES and may use the icon for an Internet Explorer HTML document.
It will also attempt to spread itself as follows: - The email messages created by the worm include content that allows the worm to execute the attachment even if the user does not open it. - It modifies HTML documents, so that when this infected window is accessed (locally or remotely), the machine viewing the page is then infected. Once infected, your system is used to seek out others to infect over the Web.

W32/APost@ mm ("APost" or "New Backdoor") The infected email can come from addresses that you recognize and may contain the following information:

Subject: As per your request!
Body: Please find attached file for your review.
I look forward to hear from you again very soon. Thank you.
Attachment: README.EXE

Running the attachment causes the worm to copy itself to the Windows directory and send a copy of itself to every entry in the user's Microsoft Outlook Address Book. It will then display a small dialog box titled "Urgent!". This dialog box contains one single large button labeled "Open". If this button is pressed then the worm sends out further copies of itself, displays an error message box with the title "WinZip SelfExtractor: Warning" and then terminates. For detection and removal instructions for theW32/APost@ mm ("APost" or "New Backdoor") worm, click here. -> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2422
McAfee.com VirusScan Online and Clinic subscribers: If you don't have ActiveShield installed and updated, you are not protected from this virus. Click here to download ActiveShield. -> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2372

WE have TWO virus infected files in Brookridge One name is SULFNBK.EXE Click here for more info and is (73.8KB in size). The file was sent to me with Bud's & Dot & Don's e-mail address on it, but they may have not sent it out. The real windows file is (44KB) in size. A short time ago we had a Hoax about Deleting the windows file SULFNBK.EXE. Also sent to some of our residents is File name KAKPOHKA.exe (21.0KB in size) Click here for more info DO NOT OPEN THESE FILES AS THEY WILL RELEASE DIFFERENT "BUGS" in YOUR COMPUTER

An email HOAX has been circulating recently that has received a lot of press and public attention. The subject
line may contain "***Virus Alert***" or mention SULFNBK.exe. If you receive a copy of this message, you should ignore it. Do NOT pass it on as this is how an email hoax spreads. You may receive a copy of this message from addresses that you recognize.

DO NOT DELETE ANY FILES FROM YOUR COMPUTER.
There are several versions of this message circulating, in several different languages. The email message may appear in part as follows:
"A VIRUS could be in your computer files now, dormant but will become active on June 1. Try not to USE your Computer on June 1st. FOLLOW DIRECTIONS BELOW TO CHECK IF YOU HAVE IT AND TO REMOVE IT NOW."
"No Virus software can detect it. It will become active on June 1, 2001. It might be too late by then. It wipes out
all files and folders on the hard drive. This virus travels thru E-mail and migrates to the C:\windows\command' folder." The email will also instruct you to delete SULFNBK.exe and to pass the message along to everyone you know.
SULFNBK.exe is a standard part of the Windows operating system and SHOULD NOT BE REMOVED.

McAfee.com has seen a large and growing number of computers infected with VBS/VBSWG.Z@MM. A virus that is spread via the Windows email program Outlook. The infected email can come from addresses that you recognize, with an attachment named "Mawanella.vbs". The email message can appear as follows:
Subject: Mawanella
Body: Mawanella is one of the Sri Lanka's Muslim Village
Attachment: Mawanella.vbs
Opening the attachment initiates the mass e-mailing routine. When the attachment is running, it displays a message-box entitled "VBScript: Mawanella" which reads: Mawanella is one of the Sri Lanka's Muslim Village. This brutal incident happened here 2 Muslim Mosques,100 Shops are burnt. I hat this incident, What about you? I can destroy your computer I didn't do that because I am a peace-loving citizen. It copies itself to the Windows System directory as a file called "Mawanella.vbs" and e-mails itself to all recipients in the Microsoft Outlook address book.Click here for more information. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2251

A virus in Brookridge which sends a second message with every message you send out. If you get a message which has a attachment with some filename .EXE , .SCR or .VBS extension. it could contain a virus. DO NOT OPEN the attachment. ANNAKOURNIKOVA.JPEG.VBS & W32.HybrisF (.SCR) are two of the new Viruses. On CNN last night that "Here you have;0)" is an actual virus...Using Outlook Express..

Instructions -- Windows Desktop (You must be using Internet Explorer to download this file). This file can be saved to an alternate folder; and if an alternate folder is used you will need to launch this program from that folder rather than the desktop folder. If the file has been saved to the Windows Desktop folder an icon for this program will appear on your desktop. Please note that this program has a ".com" extension and not a ".exe" extension. It is important that this extension be preserved. After the file finishes downloading launch the program by double-clicking on the fixnavid icon that appears on the desktop. If you saved this program to an alternate folder you will need to open the appropriate folder via the "My Computer" window and launch the program from that alternate folder.

Warning Prettypark virus is back in Brookridge Thank You Jack Fieber for the heads up on this one!! There is a new virus; the subject is "A great shockwave movie". There is an attachment named "creative.exe" that will trigger the virus.
DO NOT OPEN THIS MESSAGE - DELETE IT IMMEDIATELY. W32.Prolin.Worm is a worm that spreads via Microsoft Outlook by emailing itself to everyone in the Outlook address book. : TROJ_SHOCKWAVE.A, CREATIVE, TROJ_PROLIN.A
Thank You Donna Colombo for the heads up on this one!!

The next time some one sends you a Virus WARNING. You need to got to one of these websites and chek it out, before you forword the messge on to some one else. The two main reasons for starting a hoax is one it slows down & fills up computers on the internet. The second is after a while you become complancent to the threats so when the REAL THING comes you do not do anything, mainly because the last 10 were hoaxes.