TCH-Dick
Posted February 21, 2004

Up in the Sky – WORM_NETSKY.B (Medium Risk)
------------------------------------------------------------------------

WORM_NETSKY.B is a memory-resident, mass-mailing worm that spreads via email and peer-to-peer file-sharing networks. It drops copies of itself in shared folders as an executable with two extension names, and is represented by a Microsoft Word icon. It runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution it drops a copy of itself as SERVICES.EXE in the Windows folder, and then creates a registry entry that allows it to automatically execute at every Windows startup.

To propagate, this worm sends copies of itself via Simple Mail Transfer Protocol (SMTP) to target email addresses that it gathers from files with the following extensions, found in drives C to Z:

ADB ASP DBX DOC EML HTM HTML MSG OFT PHP PL RTF SHT TBB TXT UIN VBS WAB

It sends a message with the following:

From:
Subject: (any of the following)
fake
hello
hi
information
read it immediately
something for you
stolen
unknown
warning
Message Body:
Attachment:

The file attachment may have two extension names, with the first name being DOC, HTM, RTF or TXT, and the second extension name being COM, EXE, PIF, or SCR. The attachment may also arrive compressed in ZIP format.

To spread via file-sharing networks this worm drops numerous copies of itself in folders with the strings “sharing” or “shared” in their names.

If you would like to scan your computer for WORM_NETSKY.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_NETSKY.B is detected and cleaned by Trend Micro pattern file #769 and above.

For additional information about WORM_NETSKY.B please visit: http://www.trendmicro.com/vinfo/virusencyc...e=WORM_NETSKY.B

Bagels and Coffee – WORM_BAGLE.B (Medium Risk)
------------------------------------------------------------------------

WORM_BAGLE.B is a memory-resident, mass-mailing worm that propagates by sending copies of itself using SMTP. It sends email with the following:

From:
Subject: ID btm... thanks
Message Body: Yours ID smcyfjkfer -- Thank
Attachment:

It drops a copy of itself in the Windows System folder as AU.EXE, using the icon for files associated with Microsoft Sound Recorder. It runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm checks the system date. If the date is later than February 25, 2004, it immediately terminates. It also creates a registry entry that allows it to automatically execute at every Windows startup. In addition, it launches SNDREC32.EXE or Microsoft Sound Recorder upon execution.

This worm propagates by mass-mailing copies of itself using SMTP. It obtains email addresses from .HTM, .HTML, .TXT and .WAB files, and skips addresses that contain .r1u, @hotmail.com, @msn.com, @microsoft, and @avp.

WORM_BAGLE.B also has backdoor capabilities. It opens a port and listens for remote connections, and may also download and execute an updated copy of itself.

If you would like to scan your computer for WORM_BAGLE.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_BAGLE.B is detected and cleaned by Trend Micro pattern file #767 and above.

For additional information about WORM_BAGLE.B please visit: http://www.trendmicro.com/vinfo/virusencyc...me=WORM_BAGLE.B

Top 10 Most Prevalent Global Malware (from February 12, 2004 to February 19, 2004)
------------------------------------------------------------------------

1. WORM_MYDOOM.A
2. WORM_LOVGATE.G
3. PE_VALLA.A
4. WORM_MOFEI.B
5. WORM_BAGLE.B
6. WORM_NACHI.A
7. WORM_MSBLAST.C
8. PE_NIMDA.E
9. TROJ_DASMIN.E
10. WORM_KLEZ.H
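A mail-filter check built from the WORM_NETSKY.B attachment and subject traits listed in the advisory above. This is an added example, not code from Trend Micro or from the original post; the function names and the 0/1/2 scoring are assumptions made for illustration, and the sample messages are constructed with inert placeholder bytes.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Extension pairs and subject lines exactly as listed in the advisory text.
DOUBLE_EXT = re.compile(r"\.(doc|htm|rtf|txt)\.(com|exe|pif|scr)$", re.I)
SUBJECTS = {"fake", "hello", "hi", "information", "read it immediately",
            "something for you", "stolen", "unknown", "warning"}

def suspicious_names(msg):
    """Return attachment (or ZIP member) names with a decoy + executable extension."""
    hits = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        if not name:
            continue  # multipart containers and inline text have no filename
        if DOUBLE_EXT.search(name):
            hits.append(name)
        elif name.lower().endswith(".zip"):
            # The advisory notes the attachment may arrive zipped: check members.
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist()
                             if DOUBLE_EXT.search(m.strip())]
            except zipfile.BadZipFile:
                pass  # unreadable archive: leave the verdict to other filters
    return hits

def score(msg):
    """2 = double-extension attachment, 1 = listed subject only, 0 = no match."""
    if suspicious_names(msg):
        return 2
    # Subjects such as "hi" are common in normal mail, so they score lower.
    subject = (msg.get("Subject") or "").strip().lower()
    return 1 if subject in SUBJECTS else 0

def build_sample(subject, filename, payload):
    """Constructed test message; payload bytes are inert placeholders."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m
```

Keying on the attachment name rather than the subject keeps the rule narrow, since the listed subjects also occur in ordinary mail.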
boxturt
Posted February 21, 2004

Thanks Mike. Got over a hundred of these pass through just today. It's getting to the point that if I have to add any more filters I'm not going to be able to get any mail. Argh.