Virus News


1 reply to this topic

#1 TCH-Dick

TCH-Dick

    General Manager

  • Admins
  • 5,786 posts

Posted 21 February 2004 - 10:53 AM

Up in the Sky – WORM_NETSKY.B (Medium Risk)
------------------------------------------------------------------------
WORM_NETSKY.B is a memory-resident, mass-mailing worm that spreads via email
and peer-to-peer file-sharing networks. It drops copies of itself in shared
folders as an executable with two extension names, and is represented by a
Microsoft Word icon. It runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution it drops a copy of itself as SERVICES.EXE in the Windows folder,
and then creates a registry entry that allows it to automatically execute at
every Windows startup.

To propagate, this worm sends copies of itself via Simple Mail Transfer Protocol
(SMTP) to target email addresses that it gathers from files with the following
extensions, found in drives C to Z:

ADB
ASP
DBX
DOC
EML
HTM
HTML
MSG
OFT
PHP
PL
RTF
SHT
TBB
TXT
UIN
VBS
WAB

It sends a message with the following:

From: <spoofed and selected from the harvested list of email addresses>

Subject: (any of the following)
fake
hello
hi
information
read it immediately
something for you
stolen
unknown
warning

Message Body: <any of 47 specific messages>

Attachment: <any of 40 specific attachment names>

The file attachment may have two extension names, with the first name being DOC,
HTM, RTF or TXT, and the second extension name being COM, EXE, PIF, or SCR. The
attachment may also arrive compressed in ZIP format.

To spread via file-sharing networks this worm drops numerous copies of itself in
folders with the strings “sharing” or “shared” in their names.

If you would like to scan your computer for WORM_NETSKY.B or thousands of other
worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free,
online virus scanner at: http://housecall.trendmicro.com/

WORM_NETSKY.B is detected and cleaned by Trend Micro pattern file #769 and above.

For additional information about WORM_NETSKY.B please visit: http://www.trendmicr...e=WORM_NETSKY.B

Bagels and Coffee – WORM_BAGLE.B (Medium Risk)
------------------------------------------------------------------------
WORM_BAGLE.B is a memory-resident, mass-mailing worm that propagates by sending
copies of itself using SMTP. It sends email with the following:

From: <a spoofed address>

Subject: ID btm... thanks

Message Body: Yours ID smcyfjkfer
--
Thank

Attachment: <a randomly named .EXE file>

It drops a copy of itself in the Windows System folder as AU.EXE, using the icon
for files associated with Microsoft Sound Recorder. It runs on Windows 95, 98, ME,
NT, 2000, and XP.

Upon execution, this worm checks the system date. If the date is later than
February 25, 2004, it immediately terminates. It also creates a registry entry that
allows it to automatically execute at every Windows startup. In addition, it launches SNDREC32.EXE or Microsoft Sound Recorder upon execution.

This worm propagates by mass-mailing copies of itself using SMTP. It obtains email
addresses from .HTM, .HTML, .TXT and .WAB files, and skips addresses that contain
.r1u, @hotmail.com, @msn.com, @microsoft, and @avp.

WORM_BAGLE.B also has backdoor capabilities. It opens a port and listens for remote connections, and may also download and execute an updated copy of itself.

If you would like to scan your computer for WORM_BAGLE.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_BAGLE.B is detected and cleaned by Trend Micro pattern file #767 and above.

For additional information about WORM_BAGLE.B please visit: http://www.trendmicr...me=WORM_BAGLE.B


Top 10 Most Prevalent Global Malware
(from February 12, 2004 to February 19, 2004)
------------------------------------------------------------------------
1. WORM_MYDOOM.A
2. WORM_LOVGATE.G
3. PE_VALLA.A
4. WORM_MOFEI.B
5. WORM_BAGLE.B
6. WORM_NACHI.A
7. WORM_MSBLAST.C
8. PE_NIMDA.E
9. TROJ_DASMIN.E
10. WORM_KLEZ.H

Dick DeVance
General Manager
TotalChoice Hosting, Inc
dick@totalchoicehosting.com
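
Added example, not part of the original post or of Trend Micro's advisory: a mail-filter check for the WORM_NETSKY.B attachment pattern described above (a DOC/HTM/RTF/TXT extension followed by COM/EXE/PIF/SCR, sent directly or inside a ZIP). The function names, sample addresses, and sample file names are constructed for illustration, and tolerating spaces around the dots is a hardening assumption rather than something the advisory states.

```python
import email, email.policy, io, zipfile
from email.message import EmailMessage

DECOY_EXT = {"doc", "htm", "rtf", "txt"}      # first extension, per the advisory
EXEC_EXT = {"com", "exe", "pif", "scr"}       # second (real) extension
SUBJECTS = {"fake", "hello", "hi", "information", "read it immediately",
            "something for you", "stolen", "unknown", "warning"}

def is_double_ext(name: str) -> bool:
    """True for names like x.txt.scr; spaces around dots are ignored (assumption)."""
    parts = [p.strip() for p in name.lower().split(".")]
    return len(parts) >= 3 and parts[-2] in DECOY_EXT and parts[-1] in EXEC_EXT

def scan_message(raw: bytes) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means no match."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_double_ext(name):
            findings.append(f"attachment:{name}")
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    findings += [f"zip-member:{m}" for m in zf.namelist() if is_double_ext(m)]
            except zipfile.BadZipFile:
                findings.append(f"unreadable-zip:{name}")
    # Subjects such as "hi" are too common to act on alone: corroboration only.
    if findings and str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        findings.append("subject-match")
    return findings

def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message; the payload is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("constructed body")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

def build_zip(member: str) -> bytes:
    """Constructed in-memory ZIP holding one inert member with the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"inert placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_message(build_sample("stolen", "readme.txt.scr", b"inert")))
    print(scan_message(build_sample("hello", "photos.zip", build_zip("notes.doc.pif"))))
```

Matching on the attachment name rather than the subject keeps ordinary mail with subjects like "hi" or "hello" from being caught.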




#2 boxturt

boxturt

    Immediate Family

  • Members
  • 1,356 posts

Posted 21 February 2004 - 04:33 PM

Thanks Mike. Got over a hundred of these pass through just today. It's getting to the point that if I have to add any more filters I'm not going to be able to get any mail.

Argh.
- Ty

Guitar Lessons in Connecticut

"After silence, that which comes nearest to expressing the inexpressible is music." - Aldous Huxley
"Imagination is more important than knowledge. Knowledge is limited, Imagination encircles the world." - Albert Einstein



