Virus Advisories
"Modem Dial-up Long Distance Vulnerability" Discovered on: Ongoing Last Updated on: June 15th, 2004
Hackers have developed a piece of software that, once installed on the host computer, will dial specified phone numbers and hold a long distance connection to that number for about 30 - 35 minutes at a time, racking up a considerable long distance phone bill for the victim. This is done after the computer has logged off the Internet and is sitting idle. The program initiates the dial-up modem and dials the call; the modem may not even make noise, as the program has the ability to disable the modem speaker! Unfortunately the end user may not realize it until they get their phone bill at the end of the month. The average phone bill from these programs is in the order of $800.00. Most of these programs come in when someone visits a website and is prompted to download and install a program to view the page they are requesting. Be very careful!
Strategies include:
- Disabling long distance calls on your line.
- Putting a password on your line for making long distance calls.
- Simply unplugging the phone line from the back of your modem when not in use.
- Seeking advice from a computer security professional on how to protect your workstations from this vulnerability.
w32.mydoom.m@mm Discovered on: July 26th, 2004 Last Updated on: July 26th, 2004
Remember, we will not send you anything as an attachment in your e-mail without notifying you
first. New versions of Mydoom have surfaced on the Internet in the last
24 hours.
Most of the e-mails are crafted in the following fashion:
"Your e-mail account was used to send a large amount of spam messages during this week. Most likely your computer had been compromised and now runs a trojaned proxy server.
We recommend you to follow our instructions in order to keep your computer safe"
DO NOT FOLLOW ANY INSTRUCTIONS! This is a virus. Update your Anti-virus program and just delete the e-mail.
Click here for detailed information
Click here for the removal tool
"Mydoom, Netsky, and Bagle NEW Variants!" Discovered on: March 3rd, 2004 Last Updated on: March 3rd, 2004
Remember, we will not send you anything as an attachment in your e-mail without notifying you
first. New versions of Mydoom, Netsky, and Bagle have all appeared on the Internet in the last
24 hours. Antivirus companies say that researchers have uncovered text messages in two of the worms
suggesting a battle is underway between virus writers.
Click here for detailed information
Removal tools can be found here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.f@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.k@mm.html
W32/Netsky.b@MM
Discovered on: February 18, 2004
Last Updated on: February 18, 2004
------------------------------------------------------------
** VIRUS ADVISORY - W32/Netsky.b@MM **
------------------------------------------------------------
W32/Netsky.b@MM is a Medium Risk mass-mailing worm that
copies itself to folders named "share" or "sharing" on the
infected system. It spreads itself to addresses it steals,
spoofing or forging the "from: field" or using the address
skynet@skynet.de. The worm also tries to deactivate the
W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses on the host
computer.
Caution: An infected email can come from addresses you
recognize.
------------------------------------------------------------
***What to look for***
Subject-Body: Varies. Examples include:
-I have your password!
-about me
-anything ok?
-do you?
-from the chatter
Attachment: Varies but may have a double-extension such as
.rtf.pif contained in a .ZIP file.
Aliases: Moodown.B, I-Worm.Moodown.b
------------------------------------------------------------
Up-to-date McAfee VirusScan users with DAT 4325 are
protected from this threat.
Scan for W32/Netsky.b@MM:
==> http://us.mcafee.com/root/campaign.asp?cid=9648
For more information Click "Here"
"W32.Novarg.A@mm"
Discovered on: January 26, 2004
Last Updated on: January 26, 2004
Dubbed "W32/MyDoom" or "Novarg," the worm circulated so fast that anti-virus firms quickly raised threat
warnings to "high", saying the bug was one of the worst in recent months.
The worm is contained in e-mails with random senders' addresses and subject lines. While the body of the
e-mail varies, it usually includes what appears to be an error message, such as: "The message cannot be
represented in 7-bit ASCII encoding and has been sent as a binary attachment."
For more information "Click Here"
"INTERNET BILLING NOTICE"
Discovered on: January 20, 2004
Last Updated on: January 20, 2004
There is a virus masquerading as a billing notice from your Internet Service Provider;
the virus is in the attachment.
Do NOT Click on this attachment!
The body of the message looks something like this:
*** glen-net.ca's accounting dpt notice ***
Internet Billing Notice Please press "open" and read the attached Billing Notice.
Note if you do not read this within 24 hours we at glen-net.ca
regret we will have to terminate internet service.
"BAGLE/BEAGLE VIRUS"
Discovered on: January 18, 2004
Last Updated on: January 18, 2004
The newest virus making the rounds this week is the "Bagle/Beagle" virus.
It comes in via an E-mail attachment, and is made to look like a Microsoft Calculator.
This is a mass-mailing worm with a remote access component.
The worm arrives in an email message with the following characteristics:
From: (address may be forged)
Subject: Hi
Body:
Test =)
(random characters)
--
Test, yep.
Attachment: (random filename) 15,872 bytes
example:
frjujs.exe
When the attachment is run, the virus checks the system date. If the date is January 28, 2004 or later, the virus simply exits and does not propagate. Otherwise, the virus executes the standard Windows calculator program CALC.EXE. Meanwhile, the virus copies itself to the WINDOWS SYSTEM directory (%SysDir%) as bbeagle.exe, and creates a registry key to load itself at system startup.
For more information "Click Here"
"W32/Mimail-I"
A new e-mail worm is spreading on the Internet and posing as a message from PayPal Inc., the online payment company, in an effort to harvest credit card numbers and account passwords.
For more information Click Here
"W32.Swen.A@mm"
Discovered on: September 18, 2003
Last Updated on: September 24, 2003 10:58:29 AM
Remember, Microsoft does not send patches through e-mail.
NOTE: The definitions that Symantec's Digital Immune System automatically created previously detected W32.Swen.A@mm as Worm.Automat.AHB.
Due to an increase in submissions, Symantec Security Response has upgraded W32.Swen.A@mm to Category 3, as of 6:30 PM Thursday, September 18, 2003.
W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. It attempts to spread through file-sharing networks, such as KaZaA and IRC, and attempts to kill antivirus and personal firewall programs running on a computer.
The worm can arrive as an email attachment. The subject, body, and From: address of the email may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail.
W32.Swen.A@mm is similar to W32.Gibe.B@mm in function, and is written in C++.
This worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message. Information and a patch for the vulnerability can be found at: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
Symantec Security Response has developed a removal tool to clean the infections of W32.Swen.A@mm.
Also Known As: Swen [F-Secure], W32/Swen@mm [McAfee], W32/Gibe-F [Sophos], Worm Swen.A, Worm.Automat.AHB [Previous Symantec Detection]
Infection Length: 106496
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x
For more information click here
"W32.Blaster.Worm"
Discovered on: August 11, 2003
Last Updated on: August 29, 2003 09:10:47 AM
Based on the number of customer submissions and on information from Symantec's DeepSight Threat Management System, Symantec Security Response has upgraded this threat to a Category 4 from a Category 3 threat.
W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm targets only Windows 2000 and Windows XP machines. While Windows NT and Windows 2003 Server machines are vulnerable to the aforementioned exploit (if not properly patched), the worm is not coded to replicate to those systems. This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and then execute it. W32.Blaster.Worm does not have a mass-mailing functionality.
Additional information and an alternate site from which to download the Microsoft patch are available in the Microsoft article, "What You Should Know About the Blaster Worm and Its Variants."
We recommend that you block access to TCP port 4444 at the firewall level, and then block the following ports, if you do not use the following applications:
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"
The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (windowsupdate.com). This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
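The three ports named above (TCP/135 for the DCOM RPC exploit, TCP/4444 for the shell the worm opens on the victim, UDP/69 for the TFTP download of msblast.exe) form a recognisable sequence in firewall logs. The following is an added example, not code from the original advisory or from Symantec; its log format and all sample records are constructed for the example, and the two checks it performs (the full three-stage sequence between a host pair, and fan-out on port 135 from one source) are the ones a defender would run over the firewall's own export.

```python
"""Spot the Blaster traffic pattern in firewall logs.

Added example, not code from the original advisory or from Symantec. The log
format below is constructed for this example:
    "<date> <time> <ALLOW|DROP> <TCP|UDP> <src_ip> <dst_ip> <dst_port>"
The ports are the ones the advisory names: TCP/135 (DCOM RPC exploit),
TCP/4444 (the shell the worm opens on the victim) and UDP/69 (TFTP, over
which the victim downloads msblast.exe from the attacker).
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) (?P<dport>\d+)$"
)

# Each stage, keyed by (protocol, destination port).
STAGES = {
    ("TCP", 135): "rpc",     # exploit of the MS03-026 DCOM RPC flaw
    ("TCP", 4444): "shell",  # attacker connects to the shell on the victim
    ("UDP", 69): "tftp",     # victim pulls msblast.exe from the attacker's TFTP server
}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_blaster_sequences(lines):
    """Return {(attacker, victim): [stages]} for host pairs that show all three stages.

    rpc and shell traffic runs attacker -> victim; the tftp fetch runs
    victim -> attacker, so it is folded back onto the same (attacker, victim) key.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = STAGES.get((rec["proto"], rec["dport"]))
        if stage is None:
            continue
        pair = (rec["dst"], rec["src"]) if stage == "tftp" else (rec["src"], rec["dst"])
        seen[pair].add(stage)
    return {pair: sorted(stages) for pair, stages in seen.items() if len(stages) == 3}


def port135_scanners(lines, threshold=5):
    """Sources that probed TCP/135 on at least `threshold` distinct hosts.

    An infected machine sweeps address ranges looking for more victims, so
    fan-out on port 135 is the earliest sign of infection inside a network.
    DROP records count too: a blocked probe is still evidence of a scanner.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == 135:
            targets[rec["src"]].add(rec["dst"])
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}


# Constructed sample log: one full infection of 192.168.1.20 from 203.0.113.7,
# three more blocked probes from the same source, normal traffic and a bad line.
SAMPLE_LOG = """\
2003-08-12 03:14:01 ALLOW TCP 203.0.113.7 192.168.1.20 135
2003-08-12 03:14:02 ALLOW TCP 203.0.113.7 192.168.1.20 4444
2003-08-12 03:14:03 ALLOW UDP 192.168.1.20 203.0.113.7 69
2003-08-12 03:14:05 DROP TCP 203.0.113.7 192.168.1.21 135
2003-08-12 03:14:05 DROP TCP 203.0.113.7 192.168.1.22 135
2003-08-12 03:14:06 DROP TCP 203.0.113.7 192.168.1.23 135
2003-08-12 03:20:00 ALLOW TCP 192.168.1.5 192.168.1.9 445
2003-08-12 03:21:00 ALLOW UDP 192.168.1.5 192.168.1.1 53
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    for (attacker, victim), stages in find_blaster_sequences(SAMPLE_LOG).items():
        print(f"{attacker} -> {victim}: {', '.join(stages)}")
    print("port 135 scanners:", sorted(port135_scanners(SAMPLE_LOG, threshold=3)))
```

Once TCP 4444 and UDP 69 are blocked at the firewall as recommended, the shell and TFTP stages show up as DROP records rather than ALLOW, so the sequence check still fires; the port 135 fan-out check catches an already-infected internal host that the perimeter block cannot stop.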
For more information Click Here
"WORM_KLEZ.H"
This memory-resident variant of the WORM_KLEZ.H mass-mailing worm uses SMTP to propagate via email. The two variants differ mainly in the type of spam mail composed (see the technical description for these details). It is a destructive worm that propagates copies of itself via email and network drives. It drops a WINK*.EXE file and a WQK.EXE file in the Windows System folder of the infected system and then creates corresponding registry entries to execute these dropped files at system startup. Upon execution, this worm drops files and creates an entry in the AutoRun key of the system registry. It also infects EXE files. To infect, it encrypts (compresses) the target file and then changes the file extension to a random name. It also modifies the attributes of the file, setting them to Read-only, Hidden, System, and Archive. Thereafter, this worm copies itself to the original filename of the infected file. This worm makes sure that its file size is the same as that of the infected file; to do this, it pads garbage at the end of the infected file.
For more information Click Here
"W32/Sircam"
"W32/Sircam" is malicious code that spreads through email and potentially through unprotected network shares. Once the malicious code has been executed on a system, it may reveal or delete sensitive information.
For Virus removal information Click Here
ATTACHMENT: "AnnaKournikova.jpg.vbs"
When the malicious code executes, it attempts to send copies of
itself, using Microsoft Outlook, to all entries in each of the address
books. The sent mail has the following characteristics:
SUBJECT: "Here you have, ;o)"
BODY:
Hi: Check This!
ATTACHMENT: "AnnaKournikova.jpg.vbs"
Users who receive copies of the malicious code via electronic mail
will probably recognize the sender. We encourage users to avoid
executing code, including VBScripts, received through electronic mail,
regardless of the sender's name, without prior knowledge of the origin
of the code or a valid digital signature.
It is possible for recipients to be tricked into opening this
malicious attachment, since the file will appear without the .VBS extension
if "Hide file extensions for known file types" is turned on in
Windows.
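The hidden-extension trick described above is the same one behind the Netsky attachments with a double extension such as .rtf.pif, the Bagle random-name .exe and the Worm.ExploreZip "zipped_files.exe" elsewhere on this page. The following is an added example, not code from the original page or from any vendor: it shows what Explorer would display for a given attachment name with extensions hidden, and classifies the name the way a mail filter would. The sample names are constructed from filenames quoted in these advisories plus a few harmless controls.

```python
"""Check e-mail attachment names for the tricks described in these advisories.

Added example, not code from the original page. The sample names below are
constructed from filenames quoted in the advisories plus a few harmless ones.
"""

# Extensions Windows runs directly when the file is opened (scripts included).
EXECUTABLE_EXTS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
}
# Office formats whose auto-executing macros Melissa and Papa relied on.
MACRO_DOC_EXTS = {".doc", ".dot", ".xls"}
# Extensions a recipient reads as "just a picture/document"; the bait half
# of a double extension such as AnnaKournikova.jpg.vbs or .rtf.pif.
BENIGN_LOOKING_EXTS = {".jpg", ".jpeg", ".gif", ".txt", ".rtf", ".pdf", ".doc", ".xls"}


def split_extensions(name):
    """Return every extension in the name, lowercased: 'a.jpg.vbs' -> ['.jpg', '.vbs']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def displayed_name(name):
    """What Explorer shows with "Hide file extensions for known file types" on.

    The final registered extension is hidden, so 'AnnaKournikova.jpg.vbs'
    is displayed as 'AnnaKournikova.jpg' and looks like a picture.
    """
    exts = split_extensions(name)
    if exts and exts[-1] in EXECUTABLE_EXTS | MACRO_DOC_EXTS | BENIGN_LOOKING_EXTS:
        return name[: -len(exts[-1])]
    return name


def classify_attachment(name):
    """Return a reason string if the attachment name looks dangerous, else None."""
    exts = split_extensions(name)
    if not exts:
        return None
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in BENIGN_LOOKING_EXTS:
            return f"double extension: shown as {exts[-2]} but executes as {last}"
        return f"executable attachment ({last})"
    if last in MACRO_DOC_EXTS:
        return f"macro-capable document ({last}): open only with macros disabled"
    return None


def triage(names):
    """Map each attachment name to its verdict, for use in a mail filter or report."""
    return {name: classify_attachment(name) for name in names}


# Constructed sample set: names quoted on this page plus harmless controls.
SAMPLE_ATTACHMENTS = [
    "AnnaKournikova.jpg.vbs",   # VBScript worm disguised as a picture
    "frjujs.exe",               # Bagle's random-name executable
    "zipped_files.exe",         # Worm.ExploreZip
    "list.doc",                 # Melissa (Word macro)
    "path.xls",                 # Papa (Excel macro)
    "holiday.jpg",              # harmless picture
    "statement.pdf",            # harmless document
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        shown = displayed_name(name)
        print(f"{name:28} shown as {shown:24} -> {verdict or 'ok'}")
```

The classification is deliberately name-based: it is the check a user or a mail gateway can make before anything is opened, and it matches the advice on this page to judge an attachment by its real, final extension rather than by the part of the name that is left visible.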
For Virus removal information Click Here
"Snow White and the Seven dwarves"
W95.Hybris is a worm that spreads by email as an attachment to outgoing emails. It was discovered in late September of 2000. Although only a minimal number of infections were reported in October 2000, the worm started to become common in early November 2000.
For Virus removal information Click Here
"RESUME JANET SIMONS virus"
An e-mail virus bearing the subject "Resume: Janet Simons" is
circulating throughout the world at this time, Saturday, May 27, 2000.
This virus is a self-replicating virus much like the "ILOVEYOU" virus. It
will open your Outlook Express address book and send a copy of itself to
each address listed there. If an attempt is made to close the program
before it has completed its task, it may attempt to destroy the contents
of your hard drive.
As always, being infected by this virus can be avoided. If you receive an
article of E-mail with the subject listed above, simply delete it without
opening it (do NOT click on the attachment).
"ILOVEYOU virus"
An e-mail virus known as the "ILOVEYOU" virus is circulating throughout the world today,
Thursday, May 4, 2000. Said virus is an article of E-mail that may or may not come from a known
source (close friend, coworker, etc.), and always has the subject "ILOVEYOU".
The virus, when executed, acts much like the Melissa virus of 1999. It reads a user's address book
and e-mails the virus to each of the addresses listed.
Users should not open any articles of E-mail that have this subject, and should update their
anti-virus software to the latest version as often as possible.
911 Virus
At 8:00 am on Saturday, April 1 (This is not an April Fool's joke!)
the FBI announced it had discovered malicious code wiping out the data
on hard drives and dialing 911. This is a vicious virus and needs to
be stopped quickly. That can only be done through wide-scale individual
action. Please forward this note to everyone who you know who might
be affected.
The FBI Advisory is posted at http://www.nipc.gov/nipc/advis00-038.htm
The 911 virus is the first "Windows shares virus." Unlike recent
viruses that propagate through e-mail, the 911 virus silently jumps
directly from machine to machine across the Internet by scanning
for, and exploiting, open Windows shares. After successfully
reproducing itself in other Internet-connected machines
(to assure its continued survival) it uses the machine's modem to
dial 911 and erases the local machine's hard drive. The virus is
operational; victims are already reporting wiped-out hard drives.
The virus was launched through AOL, AT&T, MCI, and NetZero in the
Houston area. The investigation points to relatively limited
distribution so far, but there are no walls in the Internet.
Action 1: Defense
* On a Windows 95/98 system, system-wide file sharing is managed by
selecting My Computer, Control Panel, Networks, and clicking on the
File and Print Sharing button. For folder-by-folder controls, you
can use Windows Explorer (Start, Programs, Windows Explorer) and
highlight a primary folder such as My Documents and then right mouse
click and select properties. There you will find a tab for sharing.
* On Windows NT, check Control Panel, Server, Shares.
For an excellent way to instantly check system vulnerability, and for
detailed assistance in managing Windows file sharing, see: Shields
Up! A free service from Gibson Research (http://grc.com/)
Action 2: Forensics
If you find that you did have file sharing turned on, search your
hard drive for hidden directories named "chode", "foreskin", or
"dickhair" (we apologize for the indiscretion - but those are the
real directory names). These are HIDDEN directories, so you must
configure the Find command to show hidden directories. Under the
Windows Explorer menu choose View/Options: "Show All Files".
If you find those directories: remove them.
And, if you find them, and want help from law enforcement, call the
FBI National Infrastructure Protection Center (NIPC) Watch Office
at 202-323-3204/3205/3206. The FBI/NIPC has done an extraordinary
job of getting data out early on this virus and deserves both kudos
and cooperation.
You can help the whole community by letting both the FBI and
SANS (intrusion@sans.org) know if you've been hit, so we can
monitor the spread of this virus.
The Pretty Park Virus
The attached program file is named "PrettyPark.EXE". This is a worm
program that behaves similarly to the Happy99 worm: it attaches itself to your
e-mail without your even knowing. For more information on the Pretty Park
virus, and directions on how to remove it, go to: http://www.symantec.com/avcenter/venc/data/prettypark.worm.html
The Worm.ExploreZip Virus
The Worm.ExploreZip virus affects Microsoft Outlook users. Said virus
generally comes in the form of an E-mail attachment entitled
"zipped_files.exe". Upon opening, it will automatically give your computer
instructions that will both harm your computer and your data. Users are
advised to not open *.exe or other executable files that they receive via
E-mail without running them through an UP-TO-DATE virus scanner.
The "Budweiser Frogs" Screensaver virus HOAX
A false virus warning is being distributed via E-mail. This warning
tells of a virus that would be in the form of "Budweiser Frogs"
screensaver, and is claimed to erase the contents of your hard drive.
Said E-mail even goes as far as stating that Microsoft and AOL have made
official announcements regarding such. Microsoft and AOL, however, have
nothing posted on their websites regarding such, and not one of the major
Computer/Electronic Response Teams has released advisories. Thus, we have
no reason to believe that this is a valid virus warning.
The "Bug's Life" Screensaver virus HOAX
A false virus warning is being distributed via E-mail. This warning
tells of a virus that would be in the form of "A Bug's Life" screensaver,
and is claimed to erase the contents of your hard drive. Said E-mail even
goes as far as stating that Microsoft and AOL have made official
announcements regarding such. Microsoft and AOL, however, have nothing
posted on their websites regarding such, and not one of the major
Computer/Electronic Response Teams has released advisories. Thus, we have
no reason to believe that this is a valid virus warning.
The "It Takes Guts to Say Yes to Jesus" virus HOAX
A false virus warning is being distributed via E-mail. This warning
tells of a virus that would be titled "It Takes Guts to Say 'Jesus'", and is
claimed to erase the contents of your hard drive. Said E-mail even goes as
far as stating that IBM and AOL have made official announcements regarding
such. IBM and AOL, however, have nothing posted on their websites regarding
such, and not one of the major Computer/Electronic Response Teams has
released advisories. Thus, we have no reason to believe that this is a
valid virus warning.
The Canada Post E-mail Tariff Hoax
There is no legislation pending or planned that will create a surcharge
or tax for articles of E-mail. Warnings of such have been received by
numerous customers, and generally refer to the nonexistent Bill 602P before
Parliament. Some people have WAY too much free time on their hands.
The Papa Virus
The Papa Virus affects Microsoft Excel users. Said virus generally
comes in the form of an E-mail attachment entitled "path.xls". This virus
exploits Excel's Auto-Macro 'feature'.
Upon opening, it will automatically give your computer instructions that will both harm your
computer and your data, as well as E-mail said virus to the first 60
people in your address book.
Within the Excel settings, users should most likely have the ability to
turn off auto-execution of Excel Macro files.
Most Anti-Virus software companies have already released updates to
remove the "Papa" virus if you've already been infected.
The Melissa Virus
The Melissa Virus affects Microsoft Word '97/2000 users. This virus
generally comes in the form of an E-mail attachment entitled 'list.doc',
and with the subject of "Important Message From ".
Upon opening, it will automatically give your computer instructions that will
both harm your computer and your data, as well as E-mail said virus to the
first 50 people in your address book.
You can disable automatic macro execution in Word 97. Select "Tools",
"Options", "General", and make sure the "macro virus protection" box is
checked.
Most Anti-Virus software companies have already released updates to
remove the "Melissa" virus if you've already been infected.
You can also visit
Microsoft Security Bulletins (Updated every minute or 2).
Happy99.exe
Some versions of happy99.exe contained a virus that would infect the
internal workings of Windows95/98/NT. This virus would automatically
attach itself to each outgoing E-mail sent from your computer, thus,
infecting those that receive your correspondence and also run the program.
If you receive this program via E-mail, simply delete it without
executing it and no harm will be done to your computer.
Most Anti-Virus software companies have already released updates to
remove the happy99.exe virus if you've already been infected.
You can also visit: Happy99.exe Removal Information
Please note that these bulletins are here as an unsupported service to
our users. Neither Glen-Net nor any other ISP can be held
responsible for the content that you receive over the Internet. We can
merely do our best to inform our users on security issues, and to caution
our users on the dangers of executing programs that they receive via
E-mail.