
HOWDY!

This is ORTRACKM's 2002-2003 Virus Notes



Advisories

September 19, 2003
W32.Swen.A@mm

http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html


August 21, 2003

Sobig spoofing of @more.net addresses

    MOREnet is receiving many reports of the Sobig worm being sent by @more.net email addresses. Please be aware that these addresses have most likely been spoofed and are not actually coming from the @more.net address. Our internal virus checking system allows us to keep on top of any potential infections. The rules applied to our discussion lists should prevent this virus from actually being sent to the list. If customers believe they actually received a copy of the Sobig worm from a discussion list (as opposed to just the e-mail), please forward full e-mail headers from the virus's e-mail to security@more.net so we can look into it for you.

For more information, see MOREnet's Security Advisory at: http://www.more.net/security/advisories/2003/03081901.html


August 20, 2003

An Advisory on the W32.Welchia.Worm

W32.Welchia.Worm does the following:
  • Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
  • Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
  • Attempts to remove W32.Blaster.Worm.

Information on this virus is available from Symantec.

August 12, 2003

An Advisory on the W32.Blaster.Worm

If your computer has just started to act funny, such as shutting down and restarting by itself, you might be infected by a new virus that a Windows Update will fix. Please go to this site to see if you have this problem.


http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html


May 19, 2003
An Advisory for another Virus
W32/Palyh@MM

A new mass-mailing worm, W32/Palyh@MM, was discovered on May 18, 2003. This worm is very similar to the Sobig worm reported in January 2003 (see http://www.more.net/security/advisories/2003/030113.html). W32/Palyh@MM has been reported at MOREnet customer sites on May 19, 2003.

Also Known As:

  • W32.HLLM.Ccn
  • W32.HLLW.Manx@mm

Possible subject lines:

  • Re: My application
  • Re: Movie
  • Cool screensaver
  • Screensavers
  • Re: My details
  • Your password
  • Re: Approved (Ref: 3394-65467)
  • Approved (Ref: 38446-263)
  • Your details

More information is available from Norton's web site and in MOREnet advisory 030519:

http://www.more.net/security/advisories/2003/030519.html


May 13, 2003

KaZaa Advisory: the virus is W32.HLLW.Fizzer@mm.
If you use KaZaa, you need to be warned!
Keep your anti-virus definitions updated!

W32.HLLW.Fizzer@mm is a mass-mailing worm that sends itself to all contacts in the Windows Address Book. It contains a backdoor that uses mIRC to communicate with a remote attacker. It also contains a keylogger and attempts to spread through the KaZaa file-sharing network. The worm attempts to terminate the process of various antivirus programs if they are found to be active.

Here are a couple of things this virus will do. It copies itself to the KaZaA file download directory under a random filename in an attempt to spread through the file-sharing network. It also retrieves email addresses from the Windows Address Book, cookie files, Internet temporary files, and files in the current user's personal folder. The worm uses the current MAPI program to send itself to all the email addresses it finds. It may spoof the sender's name and email address. The infected email has the following characteristics.

Subject: The subject line is randomly chosen from a list carried by the worm.
It may be one of the following:

I thought this was interesting... I love you
rather psychedelic... little popup remover
found this on the net, you might like it... B cannot remember
discothèque Yo, WASSUP, B?
imbrue an interesting program...
Damn it feels good to be gangsta. You might not appreciate this...
The way I feel - Remy Shand I think you might find this amusing...
Paradigm Shift LOL
WASSUP! check this out... hehehe
Know Thyself question...
Hell see you tomorrow.
how are you? you need to lose weight.
why? kind of simple, but fun nonetheless.
check it out. Please discard if you don't like or agree with our present leadership...


Message: The message body is randomly chosen from a list carried by the worm.
It may be one of the following:

 

I sent this program (Sparky) from anonymous places on the net.
The way to gain a good reputation is to endeavor to be what you desire to appear.
There is only one good, knowledge, and one evil, ignorance.
Watchin' the game, having a bud.
Did you ever stop to think that viruses are good for the economy?
Maybe the primary creators of the world's worst viruses are the companies that make the Anti-Virus software.
Today is a good day to die...
so, how are you?
the attachment is only for you to look at
you must not show this to anyone...
delete this as soon as you look at it...
Let me know what you think of this...
If you don't like it, just delete it.
thought I'd let you know
you don't have to if you don't want to.


It will come with an attachment; the name is randomly generated.
It has one of the following extensions: .exe, .pif, .com or .scr.

If you keep your anti-virus software updated, you should be OK.
Keep reading on this page for how to prevent getting a virus.

How to prevent a virus


October 3, 2002
W32/Bugbear

W32/Bugbear is rated as HIGH RISK FOR HOME AND CORPORATE USERS.

This mass-mailing worm attempts to send itself to email addresses found on an infected system. It also spreads through open network shares and has the ability to send print jobs to printers found on an infected network. Once the virus is run, it will attempt to disable various security products, including many forms of anti-virus and personal firewall software. It will also attempt to install a backdoor trojan that will allow a hacker access to the infected PC.

PAYLOAD - What can this virus do?

This virus spreads via email and via network shares.
It makes use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (v 5.01 or 5.5 without SP2).
Simply opening or previewing an infected message in a vulnerable email reader can result in infection. This virus can "spoof" the "from" field, by combining random elements to form a fake "from" address.

Possible message subject lines include the following (however, other random subject lines are also possible):


  • Found
  • 150 FREE Bonus!
  • 25 merchants and rising
  • Announcement
  • bad news
  • CALL FOR INFORMATION!
  • click on this!
  • Correction of errors
  • Cows
  • Daily Email Reminder
  • empty account
  • fantastic
  • free shipping!
  • Get 8 FREE issues - no risk!
  • Get a FREE gift!
  • Greets!
  • Hello!
  • history screen
  • hotmail.
  • I need help about script
  • Interesting
  • Introduction
  • its easy
  • Lost
  • Market Update Report
  • Membership Confirmation
  • My eBay ads
  • New bonus in your cash account
  • New Contests
  • new reading
  • News
  • Payment notices
  • Please Help
  • Report
  • SCAM alert
  • Sponsors needed
  • Stats
  • Today Only
  • Tools For Your Online Business
  • update
  • various
  • Warning!
  • Your Gift
  • Your News Alert
  • Just a reminder

The message body varies widely. It is likely that the virus takes material from infected systems and places it within the message. The attachment name also varies. It is common for the attachment name to contain a double extension (for example, .doc followed by .pif), but this may not display on all systems.
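
As an added example (not part of the original advisories), here is a mail-gateway style check for the attachment traits described on this page: the .exe, .pif, .com and .scr extensions listed for Fizzer and the double extension noted for Bugbear. The decoy-extension list, the media-type mismatch check (a header and filename that disagree, as in the MIME header vulnerability named above) and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from pathlib import PurePosixPath

EXECUTABLE_EXTS = {".exe", ".pif", ".com", ".scr"}  # listed on this page
DECOY_EXTS = {".doc", ".txt", ".jpg", ".gif", ".htm"}  # assumption: harmless-looking
PASSIVE_TYPES = {"audio", "image", "text", "video"}  # assumption: rendered, not run

# Constructed sample message (not a real capture).
SAMPLE = """\
Subject: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

hello
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.doc.pif"

x
--b1
Content-Type: audio/x-wav
Content-Disposition: attachment; filename="greeting.scr"

x
--b1--
"""

def attachment_findings(raw_message):
    """Return [(filename, [reasons])] for attachments worth quarantining."""
    findings = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots/spaces, so strip them before testing.
        exts = [e.lower() for e in PurePosixPath(name.strip(" .")).suffixes]
        if not exts or exts[-1] not in EXECUTABLE_EXTS:
            continue
        reasons = ["executable-extension"]
        if len(exts) > 1 and exts[-2] in DECOY_EXTS:
            reasons.append("double-extension")
        if part.get_content_maintype() in PASSIVE_TYPES:
            reasons.append("type-mismatch")  # header says media, name says program
        findings.append((name, reasons))
    return findings
```

Running `attachment_findings(SAMPLE)` leaves `notes.txt` alone and reports the other two attachments with the reasons each one was flagged.
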
We welcome your comments...please

Email us if you have any History,
Recipes, Pictures, or Community Information
that people of Oregon County might like to know

at ortrackm@ortrackm.missouri.org

Or call the Help Desk at 417-778-7523
Outside of Alton Area 1-888-763-3329
Open Monday through Thursday
8:30 AM to 5:30 PM
