Viruses
 
 

W32/Mydoom.o@MM (7/26/04) Medium Risk

This variant of Mydoom is known to send non-viral attachments, typically .bat, .cmd, .com, .exe, .pif or .scr files inside a zip archive that is itself nested within another zip archive. These files are approximately 1-2 KB in size and are not infectious: they are encrypted log files created by the backdoor component of the worm.

This new variant of W32/Mydoom is packed with UPX. Like previous variants, it bears the following characteristics:

  • mass-mailing worm constructing messages using its own SMTP engine
  • harvests email addresses from the victim machine
  • spoofs the From: address
  • contains a peer to peer propagation routine

From: (spoofed From: header)
Do not assume that the sender address indicates that the sender is infected. You may also receive alert messages from a mail server claiming that you are infected, which may not be the case.

The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear as a bounce, using the following addresses:

mailer-daemon@(target_domain)
noreply@(target_domain)


W32/Bagle.ai@MM (7/19/04) Medium Risk

This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • attachment can be a password-protected zip file, with the password included in the message body.
  • contains a remote access component (notification is sent to hacker)

  • copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
  • uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines
  • terminates processes of security programs and other worms
  • deletes registry entries of security programs and other worms


W32/Bagle.ag@MM (7/17/04) Medium Risk

This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • attachment can be a password-protected zip file, with the password included in the message body.
  • contains a remote access component (notification is sent to hacker)
  • copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
  • shuts down security programs


W32/Bagle.af@MM (7/15/04) Medium Risk

This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • attachment can be a password-protected zip file, with the password included in the message body.
  • contains a remote access component (notification is sent to hacker)
  • copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
  • uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines
  • terminates processes of security programs and other worms
  • deletes registry entries of security programs and other worms
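
As an added example (not code from the original alerts or from any vendor), here are the archive checks a mail gateway could run for the two attachment patterns described above: the Mydoom.o entry (executables buried in a zip inside another zip, sent under a forged bounce address such as mailer-daemon@ or noreply@) and the Bagle.af/.ag/.ai entries (a password-protected zip with the password offered in the message body). Written in Python; the extension list, the nesting limit, the bounce local-parts and all sample archives are constructed assumptions, and mark_encrypted only sets the ZIP encryption flag on a test archive because zipfile cannot write real password-protected zips.

```python
import io
import os
import struct
import zipfile

# Executable extensions the alerts above name as worm or backdoor payloads
# (assumption: a starting list for a filter, not the full set any variant uses).
EXECUTABLE_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr"}
# Sender local-parts Mydoom.o forges so that the message looks like a bounce.
BOUNCE_LOCALPARTS = {"mailer-daemon", "noreply"}
ZIP_ENCRYPTED_FLAG = 0x1  # general-purpose flag bit 0: entry is password-protected
MAX_NESTING = 2           # archive-in-archive levels opened before giving up (assumed limit)


def inspect_zip(data, depth=0, path=""):
    """Walk an in-memory ZIP and return (finding, entry_path) pairs, in order found.

    'executable' - entry with an executable extension
    'encrypted'  - entry flagged password-protected (not opened; the flag is the signal)
    'nested'     - entry that is itself a ZIP and was opened
    'too_deep'   - nested ZIP beyond MAX_NESTING, left unopened but reported
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    for info in zf.infolist():
        entry = f"{path}/{info.filename}" if path else info.filename
        ext = os.path.splitext(info.filename)[1].lower()
        if info.flag_bits & ZIP_ENCRYPTED_FLAG:
            findings.append(("encrypted", entry))
            continue
        if ext in EXECUTABLE_EXTS:
            findings.append(("executable", entry))
        elif ext == ".zip":
            if depth + 1 > MAX_NESTING:
                findings.append(("too_deep", entry))
            else:
                findings.append(("nested", entry))
                findings.extend(inspect_zip(zf.read(info), depth + 1, entry))
    return findings


def is_suspicious(zip_bytes, body_text="", from_addr=""):
    """Apply the patterns from the alerts above to one attachment plus its message context."""
    kinds = {kind for kind, _ in inspect_zip(zip_bytes)}
    if "executable" in kinds or "too_deep" in kinds:
        return True  # Mydoom.o: executable buried in a (nested) archive
    if "encrypted" in kinds and "password" in body_text.lower():
        return True  # Bagle.af/.ag/.ai: the archive key is handed over in the body
    if from_addr.split("@")[0].lower() in BOUNCE_LOCALPARTS and kinds:
        return True  # a bounce notice that nevertheless carries a nested or locked archive
    return False


# --- constructed test input below: placeholders only, no worm data -------------------

def build_zip(entries):
    """Build a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes, name):
    """Set the encryption flag on one entry's local and central headers without
    encrypting anything (zipfile cannot write password-protected archives)."""
    data = bytearray(zip_bytes)
    wanted = name.encode()
    # (signature, flag offset, name-length offset, name offset) per header type
    for sig, flag_off, len_off, name_off in ((b"PK\x03\x04", 6, 26, 30),
                                             (b"PK\x01\x02", 8, 28, 46)):
        pos = data.find(sig)
        while pos != -1:
            nlen = struct.unpack_from("<H", data, pos + len_off)[0]
            if data[pos + name_off:pos + name_off + nlen] == wanted:
                data[pos + flag_off] |= ZIP_ENCRYPTED_FLAG
            pos = data.find(sig, pos + 4)
    return bytes(data)


def sample_mydoom_style():
    """Zip inside a zip, innermost entry named like the backdoor's log files."""
    inner = build_zip({"log01.bat": b"constructed placeholder, not a real log"})
    return build_zip({"message.zip": inner})


def sample_bagle_style():
    """Single password-flagged executable, as the Bagle variants send it."""
    return mark_encrypted(build_zip({"photo.exe": b"constructed placeholder"}), "photo.exe")


if __name__ == "__main__":
    print(inspect_zip(sample_mydoom_style()))
    print(is_suspicious(sample_bagle_style(), body_text="archive password: 12345"))
```

The encrypted case is decided from the header flag alone: the gateway never needs the password, which is exactly the property the Bagle variants rely on to get past scanners that try to open the archive. None of this applies unless scanning of compressed files is enabled, as the Bagle.b entry further down notes.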


W32/Zafi.b@MM (3/14/04) Medium Risk

This is a mass-mailing worm that constructs messages using its own SMTP engine, spoofing the From: address. It also attempts to propagate via P2P by copying itself to folders on the local system whose names contain 'share' or 'upload'.

Mail Propagation
The worm constructs messages using its own SMTP engine, spoofing the From: address.
The worm searches for email addresses on the local hard disk, harvesting addresses from files with the following extensions:
  • htm • wab • txt • dbx • tbb • asp • php • sht • adb • mbx • eml • pmr

File overwriting payload
The worm searches for directories of anti-virus and personal firewall software, and then overwrites the executables found there with a copy of itself.

Process termination payload
In an attempt to thwart manual identification and cleaning of an infected machine, the worm will attempt to terminate processes whose names contain any of the following strings:
  • regedit
  • msconfig
  • task

Method of Infection
This worm does not use any exploit code to execute the mail attachment automatically. A user has to double-click an infected attachment, or a file shared via P2P, to infect the machine.
For machines where the worm has overwritten binaries associated with AV or firewall software, it would be very easy for a user to mistakenly execute the worm.


W32/Bagle.c@MM (3/1/04) Medium Risk (variant Bagle.h 3/2/04, .j 3/3/04)

W32/Bagle.c@MM is a Medium Risk mass-mailing worm with a potentially dangerous remote access component that may open a backdoor on an infected computer to hackers. Unlike variant W32/Bagle.b@MM, W32/Bagle.c@MM arrives as a .ZIP attachment.

When run, the virus emails itself to addresses it steals from the infected computer, spoofing the "from: field" with one of the harvested addresses. The virus does not mass-mail itself to addresses that contain @avp., @hotmail.com, @microsoft, @msn.com, local, noreply, postmaster@, and root@.

NOTE: W32/Bagle.c@MM contains a remote access component that attempts to notify the hacker that the infected system is ready to accept commands. The functionality this backdoor provides to the hacker is currently under investigation.

Like its predecessors, this worm checks the system date. If it is March 14, 2004 or later, the worm simply exits and does not propagate. The virus also attempts to terminate the process of several security programs.

Caution: An infected email can come from addresses you recognize.

What to look for:

From: Varies. Address may be forged
Subject Varies.
Body: Message body is empty.
Attachment: Randomly named binary within a .ZIP file (~16KB).


W32/Netsky.c@MM (2/25/04) Medium Risk - Netsky.j (3/8/04) Netsky.p (3/21/04)

A new variant of last week's Netsky virus, W32/Netsky.c@MM is a Medium Risk mass-mailing worm that also copies itself to folders named "share" or "sharing" on an infected system. It spreads by stealing email addresses, spoofing or forging the "from: field". Like its earlier counterpart, the worm tries to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses on the host computer.

Upon infection, W32/Netsky.c@MM will also spread via P2P programs like KaZaa, Bearshare and Limewire that use shared folder names containing the words "share" or "sharing".

Note: The attachment may be either a ZIP file (with the worm) or an executable, with a single (.doc, .htm, .rtm, .text) or double file extension (.com, .exe, .pif, .scr). Filenames that are carried within the worm include:

3D Studio Max 3dsmax.exe
Adobe Photoshop 9 full.exe
Adobe Premiere 9.exe
Ahead Nero 7.exe
Best Matrix Screensaver.scr


Caution: An infected email can look like it comes from addresses you recognize because it pulls the address from the address book on your system.


W32/MyDoom.f@MM (2/24/04) Medium Risk

This HIGH RISK worm tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present.

The mailing component harvests addresses from the local system. Files with the following extensions are targeted:
wab adb tbb dbx asp php sht htm txt pl

Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:
sandra linda julie jimmy jerry helen debby claudia brenda anna alice brent adam ted fred jack bill stan smith steve matt dave dan joe jane bob robert peter tom ray mary serg brian jim maria leo jose andrew sam george david kevin mike james michael john alex

Finally, the virus sends itself via SMTP, constructing messages using its own SMTP engine. The worm guesses the recipient's email server by prepending the following strings to the target domain name:
mx. mail. smtp. mx1. mxs. mail1. relay. ns.


W32/Netsky.b@MM (2/18/04) Medium Risk

This virus spreads via email and mapped drives. It sends itself to addresses found on the victim's machine and copies itself to folders on drives C: through Z:. The virus also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.

Mail propagation
The virus may be received in an email message as follows:

From: (forged address taken from infected system) or skynet@skynet.de

The virus sends itself via SMTP - constructing messages using its own SMTP engine. It queries the DNS server for the MX record and connects directly to the MTA of the targeted domain and sends the message.


W32/Bagle.b@MM (2/17/04) Medium Risk

The risk assessment of this threat has been raised to Medium due to increased prevalence.

This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • contains a remote access component (notification is sent to hacker)

Users are reminded that the scanning of compressed files (default option) is required for detection.

As with its predecessor, this worm checks the system date. If it is 25 February 2004 or later, the worm simply exits and does not propagate.

If the date check is satisfied, the virus executes the standard Windows Sound Recorder (SNDREC32.EXE) application.


W32/MiMail.s@MM (1/29/04) Medium Risk

The worm contains its own SMTP engine to replicate itself; it also attempts to steal users' credit card information.

Email Propagation: The worm harvests email addresses from the victim's computer by appending .org, .net or .com to certain strings found in files in the directory C:\Program Files. These email addresses are then written to: C:\windows\outlook.cfg

The subject and body of the email message sent out is constructed from strings found in the worm body. For example:
Subject: here is the file you asked for
Body: Hi! Here is the file you asked for!
Attachment: document.txt.scr

Similarly, filenames and extensions used for the attachment are constructed from strings found within the worm body. The attachment is BASE64 encoded. The following are the possible file extensions used:
.pif .scr .exe .jpg.scr .jpg.pif .jpg.exe .gif.exe .gif.pif .gif.scr

Data Theft: This worm attempts to steal users' credit card information by displaying a fake Microsoft licensing window. The stolen credit card numbers are sent to email addresses found in the worm's body. The addresses are within the domains @mail15.com and @ziplip.com. The stolen information is stored in the file: C:\XX


W32/Dumaru.y@MM (1/24/04) Medium Risk

Update January 26, 2004 --
This threat has had its risk assessment upgraded to Medium from Low-Profiled. This is due to increased prevalence. A new minor variant of this worm was received. The extra.dat file has been updated to deal with both threats - W32/Dumaru.y@MM and W32/Dumaru.z@MM

This worm bears the following characteristics:

  • contains its own SMTP engine to construct messages
  • harvests target email addresses from the local machine

Additionally, the worm is also intended to steal data from the victim machine (e.g. certain application passwords, keylogger data). This may be triggered via remote commands from the hacker.

Mail Propagation
The worm constructs outgoing messages using its own SMTP engine. Target email addresses are harvested from the victim machine - files matching the following extensions are searched:

  • .HTM
  • .WAB
  • .HTML
  • .DBX
  • .TBB
  • .ABD

The worm mails itself in a ZIP file. The ZIP contains the worm with the following filename:

MYPHOTO.JPG. (many spaces) .EXE
Messages are constructed with the following characteristics:

From: "Elene" (F (removed) ENSUICIDE@HOTMAIL.COM)
Subject: Important information for you. Read it immediately !
Attachment: MYPHOTO.ZIP
Body:
Hi!
Here is my photo, that you asked for yesterday.
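
As an added example (not part of the original alerts), the filename checks a mail gateway or client could apply to the attachment names quoted in the Netsky.c, MiMail.s and Dumaru.y entries above: executable extensions behind product-like names, double extensions such as document.txt.scr or .jpg.pif, and whitespace padding such as MYPHOTO.JPG. (many spaces) .EXE that pushes the real extension out of view. Written in Python; the extension lists and the padding threshold are assumptions, and the sample names are the ones quoted above plus two ordinary attachments.

```python
import re

# Executable extensions named across the alerts above (assumed starting list for a filter).
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".hta"}
# Harmless-looking extensions the alerts show being placed in front of the real one.
DECOY_EXTS = {".jpg", ".gif", ".doc", ".txt", ".htm", ".html", ".rtf", ".zip"}


def analyse_attachment_name(name):
    """Return the reasons an attachment name looks like a disguised executable
    (an empty list means none of the checks fired)."""
    reasons = []
    # Dumaru.y pattern: a run of spaces after a dot hides the real extension in a
    # mail client's attachment column. Two or more spaces is an assumed threshold.
    if re.search(r"\.\s{2,}", name):
        reasons.append("whitespace padding before final extension")
    # Collapse whitespace so 'MYPHOTO.JPG.      .EXE' is examined as one token.
    parts = re.sub(r"\s+", "", name).lower().split(".")
    if len(parts) < 2:
        return reasons
    final = "." + parts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final}")
        # Netsky.c / MiMail.s pattern: one or more decoy extensions before the real one.
        decoys = ["." + p for p in parts[1:-1] if "." + p in DECOY_EXTS]
        if decoys:
            reasons.append(f"decoy extension(s) {', '.join(decoys)} before {final}")
    return reasons


def triage(filenames):
    """Map each suspicious filename to its reasons; clean names are left out."""
    result = {}
    for name in filenames:
        reasons = analyse_attachment_name(name)
        if reasons:
            result[name] = reasons
    return result


# Constructed sample: names quoted in the alerts above plus two ordinary attachments.
SAMPLE_NAMES = [
    "Adobe Photoshop 9 full.exe",
    "document.txt.scr",
    "MYPHOTO.JPG.                                  .EXE",
    "quarterly_report.doc",
    "holiday.jpg",
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

The name check is deliberately separate from content inspection: a worm that ships inside a ZIP (as Netsky.c, Bagle.c and Dumaru.y do) is only caught once the archive is opened and the inner name is run through the same function.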


W32/Bagle@MM (1/19/04) Medium Risk

This is a mass-mailing worm with a remote access component.

From: (address may be forged)
Subject: Hi
Body:
Test =)
(random characters)
--
Test, yep.

Attachment: (random filename) 15,872 bytes

When the attachment is run, the virus checks to see if the system date is January 28, 2004 or later. If it is on or after this date, the virus exits. Otherwise, the virus executes the standard Windows calculator program CALC.EXE, while the virus copies itself to the WINDOWS SYSTEM directory (%SysDir%) as bbeagle.exe, and creates a registry key to load itself at system startup.

Mass-mailing Component
The worm harvests addresses from the following files and mails itself to those recipients, using its own SMTP engine.

.wab
.txt
.htm
.html

The virus spoofs the From: address by using a harvested address as the sender. When the virus starts spreading, it sends its first mail to the first address it found and uses that same address in the From: field.

The second mail is sent to the second address with the first address in the From: field, the third mail is sent to the third address with the second address in the From: field, and so on.


W32/Sober.c@MM (12/22/03) Medium Risk; Sober.d (3/08/04)

W32/Sober.c@MM has been deemed Medium Risk due to increasing prevalence.
Please note: because of the characteristics of this worm, you may be at higher risk in Germany or German-speaking regions.

This detection is for a mass-mailing worm written in Visual Basic. Similar to its predecessor (W32/Sober.b@MM), the worm bears the following characteristics:

  • contains its own SMTP engine
  • target email addresses are harvested from the victim machine
  • the worm may carry garbage at the end of the file, so the file size may be larger than 74,223 bytes.
  • outgoing messages may be formatted with varying subject lines and message bodies (in English and German)
  • two processes run on the victim machine in order to ensure the worm stays memory resident. Upon termination of one of the processes, the other process restarts it very quickly.


W32/Mimail.c@MM (10/31/03) Medium Risk

This worm was mass-spammed, which appears to have been the initial "seeding". An attachment named undelivered.hta (proactively detected as Downloader-BO.dr with the 4250+ DAT files) creates the file c:\mware.exe. This executable is the W32/Mimail.c@MM worm. When the .hta file is run, the following message is displayed:

Your message will be sent again in 1 hour. If it doesn't arrive - we will delete it from queue.

This mass-mailing worm spreads as a .ZIP file and carries a denial-of-service attack and an information-stealing payload.

It bears similarities to a previous worm, W32/Mimail@MM. However, this variant does not use the codebase (MS02-015) and MHTML (MS03-014) exploits that the previous variants did.

A summary of the virus characteristics is as follows:

  • contains its own SMTP engine for constructing messages
  • mails itself as a ZIP attachment
  • harvests email addresses from the local machine
  • sends large volume of data (garbage) to a remote server - DoS payload (see below)
  • captures information and emails it to four addresses


Scanning of compressed files should always be enabled for optimal detection.


W32/Swen@MM (9/18/03)

Sometimes purporting to be a Microsoft Security Update, this worm is intended to propagate via various mechanisms:

  • mailing itself to recipients extracted from the victim machine
  • copying itself over network shares (mapped drives)
  • sharing itself over the KaZaa P2P network
  • sending itself via IRC

The worm is written in MSVC. Though in a different HLL, it bears similarities to W32/Gibe.b@MM (original Gibe variants were written in VB).

The worm terminates processes relevant to various security and anti-virus products (see below).

Proactive Detection : This worm is detected as "virus or variant New Worm" with the 4120 DATs or greater (with program heuristics enabled).

Mail Propagation

The virus contains its own SMTP engine to construct outgoing messages.

Various outgoing messages are created. Some make use of an IE exploit to ensure the worm attachment is run upon viewing the email. See Microsoft Security Bulletin (MS01-020). One such message bears the following characteristics:

Subject: Returned Response
From: Email Delivery Service (kmailengine@yahoo.com)
Body: Undeliverable mail to (email address)

Messages constructed to take advantage of this vulnerability will be detected as Exploit-MIME.gen.exe with the 4215 DATs or greater (and earlier as Exploit-MIME.gen).

Multiple subject lines and attachment names are constructed from pools of strings within the worm to be used in outgoing messages. Target email addresses are extracted from files on the victim machine.

At least one message masquerades as a Microsoft update.


W32/Dumaru.a@MM (8/28/03)

This Medium Risk worm uses its own SMTP engine to email itself in the following format:

From: "Microsoft" security@microsoft.com
Subject: Use this patch immediately !
Attachment: patch.exe
Body: Dear friend , use this Internet Explorer patch now!There are dangerous virus in the Internet now!More than 500.000 already infected!

The worm trawls the hard disk for files with the extensions .htm .wab .html .dbx .tbb .abd for email addresses to send itself to. These email addresses are written to the file winload.log.

Payload

A password stealer component is dropped by this worm, which is detected as PWS-Narod.

When an infected email attachment is run manually, the worm sends itself to email addresses harvested from files found on the local system that use the following extensions:
  • .htm
  • .wab
  • .html
  • .dbx
  • .tbb
  • .abd
These addresses are stored in a file named winload.log in %WinDir%. The worm sends itself to these recipients as described above, via its own SMTP engine.

The worm can also parasitically infect exe files on NTFS volumes using streams. The worm takes the place of the host file, while moving the original code to a stream named STR. The virus executes its own code and then reads in the original exe from the stream. When infecting through this method, it has been observed that the STR stream is not always created. The original content of such files is not salvageable.


W32/Sobig.f@MM (8/19/03)

This detection is for a new variant of W32/Sobig and is HIGH RISK. In common with previous variants, the worm is written in MSVC, and bears the following characteristics:
• propagates via email, constructing outgoing messages with its own SMTP engine
• propagates over network shares (not confirmed in testing yet)

Note: The worm carries garbage data appended to end of file, so exact filesize and file checksum may vary.

Mail Propagation
The worm mails itself to email addresses harvested from the victim machine, using its own SMTP engine to construct outgoing messages. Target email addresses are harvested from files with a variety of extensions:
Outgoing messages are constructed as follows:
Subject:
• Your details
• Thank you!
• Re: Thank you!
• Re: Details
• Re: Re: My details
• Re: Approved
• Re: Your application
• Re: Wicked screensaver
• Re: That movie
Attachment:
• your_document.pif
• document_all.pif
• thank_you.pif
• your_details.pif
• details.pif
• document_9446.pif
• application.pif
• wicked_scr.scr
• movie0045.pif
Body:
• See the attached file for details
• Please see the attached file for details
The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user.



W32/Nachi.worm (8/18/03)

This detection is for another virus that exploits the MS03-026 vulnerability.

It is not related to the W32/Lovsan.worm.d variant described here.

The virus is detected by the current Daily DATs as Exploit-DcomRpc virus (with scanning of compressed files enabled).

Intentions of the worm
This worm tries to spread by exploiting a hole in Microsoft Windows. It instructs a remote target system to download and execute the worm from the infected host. Once running, the worm terminates and deletes the W32/Lovsan.worm.a process and applies the Microsoft patch to prevent other threats from infecting the system through the same hole. When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.



W32/Lovsan.worm or Blaster.worm (8/11/03)

This is a High Risk worm which spreads by exploiting a recent vulnerability in Microsoft Windows NT and XP. The worm scans random ranges of IP addresses and, to those discovered to be vulnerable, sends instructions to download and execute the file MSBLAST.EXE from a remote system via TFTP.

The worm contains a payload to initiate a Denial of Service attack against windowsupdate.com.

To see if your system has been infected follow these steps:

  • Click on START
  • Click on Search, choose "All Files and Folders"
  • In Field, type in "msblast"
  • If it is located, you are infected! Call JOBE!

The way this worm works is, if you are vulnerable, every time you connect to the Internet you will become infected. In turn, your connection floods our modems, making it difficult for non-infected users to access the Internet. You must clean the virus from your system and install the update patch before re-connecting to the Internet.

Make sure your system is not vulnerable to this attack by applying the MS03-026 patch from Microsoft.


W32/Mimail@MM (8/1/03)

This Medium Risk malware bears similarities in message construction to Downloader-DK, which was spammed several days ago. This threat may also have been spammed. It is received as an email attachment as follows.

From: Admin (ADMIN@your_domain)
Subject: your account %user%
Importance: High
Hello there,

I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.

--- Best regards, Administrator

Attachment: message.zip


W32/Bugbear.b@MM (Updated 6/5/03)

A new variant of the Bugbear virus, W32/Bugbear.b@MM is a HIGH RISK mass-mailing worm that contains numerous malicious elements, including a keylogger, network share propagator, remote access trojan, polymorphic parasitic file infector and terminator of security software.

Creating privacy and security concerns for consumers, these elements may allow a remote attacker to access an infected PC and log all keystrokes, including passwords and personal information. It also mass-mails itself without the user's knowledge, spreads across network shares and embeds itself deep into the infected PC.

Caution: An infected email can come from addresses you recognize.

-- Update June 05, 2003 --
Due to a further increase in prevalence, the risk assessment of this threat has been upgraded to High. AVERT has received a large number of truncated samples. These are damaged and do not infect. The next DAT release will contain detection of these samples as W32/Bugbear.b.dam. Additionally, samples have been received that suggest the virus can mail the encrypted keylog file during its propagation routine.

PAYLOAD - What can this virus do?

This virus spreads via email and via network shares. It makes use of the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (v5.01 or 5.5 without SP2). Simply opening or previewing an infected message in a vulnerable email reader can result in infection.
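
The MIME-header vulnerability named here and in the Swen entry above (Microsoft Security Bulletin MS01-020) lets a message declare an executable under a content type the mail client plays or renders on its own, so that previewing is enough to run it. As an added example, not code from the original page or from any vendor, here is a gateway-side check in Python that reports attachments whose filename is executable while the declared type or disposition asks for inline handling. The extension list, the set of inline-rendered major types and both sample messages are constructed assumptions; the sender and subject in the first sample are the ones quoted in the Swen entry, and the base64 bodies are placeholder text, not executables.

```python
import os
from email import message_from_string
from email.policy import default

# Executable extensions named across the alerts above (assumed starting list).
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".hta"}
# Major content types a mail client may render or play inline without asking. Declaring
# an executable under one of these is the mismatch the "Incorrect MIME Header" bug turns
# into automatic execution; which types to include here is an assumption.
INLINE_MAJOR_TYPES = {"audio", "image", "text", "video"}


def find_mime_mismatches(raw_message):
    """Return (filename, declared content type, disposition) for every attachment whose
    filename is executable but whose declared type or disposition asks the client to
    handle it inline. An honestly declared executable attachment is not reported here;
    a separate block-or-quarantine policy handles that case."""
    msg = message_from_string(raw_message, policy=default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        ext = os.path.splitext(filename.strip())[1].lower()
        if ext not in EXECUTABLE_EXTS:
            continue
        disposition = part.get_content_disposition() or "attachment"
        if part.get_content_maintype() in INLINE_MAJOR_TYPES or disposition == "inline":
            hits.append((filename, part.get_content_type(), disposition))
    return hits


# Constructed sample modelled on the Swen "Returned Response" message described above:
# the attachment is declared as a WAV clip to be shown inline but is named as an .exe.
SAMPLE_MISMATCH = """From: Email Delivery Service <kmailengine@yahoo.com>
Subject: Returned Response
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/html

<html><body>Undeliverable mail to user@example.invalid</body></html>
--bnd
Content-Type: audio/x-wav; name="patch.exe"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="patch.exe"

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--bnd--
"""

# Constructed sample of an ordinary message: a text attachment and an executable that
# is at least declared honestly (no inline rendering requested).
SAMPLE_PLAIN = """From: colleague@example.invalid
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

meeting notes
--bnd
Content-Type: application/octet-stream; name="setup.exe"
Content-Disposition: attachment; filename="setup.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--bnd--
"""

if __name__ == "__main__":
    print(find_mime_mismatches(SAMPLE_MISMATCH))
    print(find_mime_mismatches(SAMPLE_PLAIN))
```

The check keys on the disagreement between what the headers claim and what the filename says, not on the executable extension alone, because a patched client treats an honestly labelled executable as an ordinary attachment while a vulnerable one acts on the declared type.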



The Computer Outlook, Inc.
109 Bosa Dr.
St. Robert, MO 65584
JOBE Internet Services
Waynesville-St. Robert-Ft. Leonard Wood-Lebanon
Richland-Crocker-Dixon-Laquey-Iberia
888-950-5623