VIRUS INFO ARCHIVES - PAGE 2
from Nov/99 until Dec. 10th, 1999

Includes Info on:
- Sites to check actual virus's & hoaxes
- W32/NewApt.worm
- NEW ALIAS FOR MYPICS
- W95/Babylonia
- W32/Mypics.worm
- MINI-ZIP OR W32/ExploreZip.worm.pak
- THE "GRINCH" VIRUS

  This page will include any virus information that I acquire and feel it warrants passing on. Please check this page occasionally as I will be trying to add more to it as time goes by.

 

Please also check out these sites. There is a wealth of knowledge and information on each of them. And get yourself an anti-virus program! You can just click on the links and they will open in a new browser window. These sites carry information on real viruses as well as hoax viruses, and the vendors among them usually offer their anti-virus program through a link to their main page.

 

"Norton Anti-Virus Programs"
or it is at: http://www.symantec.com/avcenter/hoax.html

"CIAC"
or the page is at: http://www.ciac.org/ciac/CIACHoaxes.html

Another reliable one is: "MYTHS"
or it is at: http://www.kumite.com/myths/

Another very good and well known one: "DATAFELLOWS"
or it is at: http://www.datafellows.com/news/hoax/

And last but not least, Dr. Solomon's (another well known one) at: "DR. SOLOMON'S"
or it is at: http://www.drsolomon.com/vircen/index.cfm

AN EXCELLENT NEWSLETTER TO GET IS "STRAIGHT TALK ACROSS THE FENCE"
I get the majority of my information from them and it is right on
track and up to date. You can sign up for their newsletter at:

http://straighttalk.8m.com
"STRAIGHT TALK ACROSS THE FENCE"

HACKERS INFORMATION
http://antionline.com/fight-back/
"HACKERS INFORMATION" Everyone should check this site out!

******************************************************

DECEMBER 20TH, 1999

A virus was discovered on December 14th called W32/NewApt.worm. It initially had a risk assessment of "Low". We have received this virus at our office from several sources and we discovered the risk assessment has been changed to "Medium". We believe it will soon be changed to "High". The attachments to the e-mail carrying the virus can vary greatly, so it is important that you familiarize yourself with this new threat. Following is the info Avert Labs has posted. You may view this at their site at

http://vil.nai.com/vil/wm10475.asp
"NewApt Worm"

Name: W32/NewApt.worm
Aliases: I-Worm/MesMate, TROJ_NEWAPT.WORM, W32.NewApt.worm, W32/NewApt.worm
Variants: None
Date Added: 12/15/99
Discovery Date: 12/14/99
Type: Virus
SubType: worm
Risk Assessment: Medium On Watch
Minimum DAT: 4058
Minimum Engine: 4.0.25

Characteristics

This worm has been reported to AVERT in several countries during the week of December 13, 1999. The file may be received by email with a size of 69,632 bytes. The worm arrives by email and, depending on whether the email application supports HTML email body content, one of two messages is displayed. If HTML is supported, the message content looks like this:
---------------------------------------------------------------
http://stuart.messagemates.com/index.html
Hypercool Happy New Year 2000 funny programs and animations...
We attached our recent animation from this site in our mail ! Check it out
---------------------------------------------------------------
If the email client does not support HTML, the email message will have this content:
---------------------------------------------------------------
he, your lame client cant read HTML, haha. click attachment to see some
stunningly HOT stuff
---------------------------------------------------------------

The email contains an attachment with a name randomly selected from the following list:
- baby.exe
- bboy.exe
- boss.exe
- casper.exe
- chestburst.exe
- cooler1.exe
- cooler3.exe
- copier.exe
- cupid2.exe
- farter.exe
- fborfw.exe
- goal.exe
- goal1.exe
- g-zilla.exe
- irngiant.exe
- hog.exe
- monica.exe
- panther.exe
- panthr.exe
- party.exe
- pirate.exe
- s.exe
- saddam.exe
- theobbq.exe
- video.exe

PLEASE NOTE THE FILE IS NOT a "messagemates" game program and is not related to the web site listed in the email message! Messagemates.com has issued a notice about this also on their web site at this location: http://stuart.messagemates.com/notice.htm

There is no icon associated with this 32-bit file other than the one associated with command line executables such as COMMAND.COM. If this worm is run, a "dummy" error message is displayed with the text:

The dinamic link library giface.dll could not be found in the specified path (list of directory names)

The list of directory names is taken from the system environment variable "path", which is set in AUTOEXEC.BAT on Windows 9x and is also configurable on Windows NT through the Control Panel. Note the misspelling of the word "dinamic".

The machine is then checked for the installation of MS Outlook Express. If found, two files are written in the c:\windows folder:
- mma. - contains a listing of email addresses
- mmail. - contains the directory of MS Outlook Express
The list of email addresses is captured by checking all folders in Outlook Express for received email messages!
A file is then saved to the Windows folder and the registry is modified to load the file at the next Windows startup with a command line option of "/x". For example, if the executable "chestburst.exe" is run, the registry entry would look like this on a Windows 95 system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tpanew = c:\windows\chestburst.exe /x
On the next Windows startup, the file is loaded. When the worm loads into memory, it waits for an unspecified amount of time and then sends an email message to one of the listed entries from the file "mma." with the format mentioned at the beginning of this description.
While the worm is active on a Windows 9x system, the following DLLs are loaded:
C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WININET.DLL
C:\WINDOWS\SYSTEM\SHLWAPI.DLL
C:\WINDOWS\SYSTEM\USER32.DLL
C:\WINDOWS\SYSTEM\GDI32.DLL
C:\WINDOWS\SYSTEM\ADVAPI32.DLL
C:\WINDOWS\SYSTEM\KERNEL32.DLL

When an email application such as MS Outlook is in use, the additional DLL loaded is TAPI32.DLL.
At this time, AVERT is analyzing the distribution method for this worm. Strings within the executable suggest that it uses information stored in the file "prefs.js", which is a reference to Netscape.

Symptoms

Existence of this file on the local system - modifications to the system registry as mentioned above - email mailings as mentioned above.

Method Of Infection

Running the executable will directly copy itself and run the mailing routine.
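Mail-side triage for the indicators this description gives (the attachment name list, the 69,632-byte size and the two lure texts), written here as an added example and not as AVERT or Straight Talk code; the message it checks is constructed, with a junk-byte attachment padded to the documented size.

```python
"""Flag inbound mail carrying the W32/NewApt.worm indicators listed above.
Added example; the sample message is constructed, not a real worm sample."""
import email
from email import policy
from email.message import EmailMessage

# Attachment names the worm chooses from (list copied from the description).
NEWAPT_NAMES = {
    "baby.exe", "bboy.exe", "boss.exe", "casper.exe", "chestburst.exe",
    "cooler1.exe", "cooler3.exe", "copier.exe", "cupid2.exe", "farter.exe",
    "fborfw.exe", "goal.exe", "goal1.exe", "g-zilla.exe", "irngiant.exe",
    "hog.exe", "monica.exe", "panther.exe", "panthr.exe", "party.exe",
    "pirate.exe", "s.exe", "saddam.exe", "theobbq.exe", "video.exe",
}
NEWAPT_SIZE = 69632                      # documented attachment size in bytes
LURE_TEXTS = (                           # fragments of the HTML and plain lures
    "we attached our recent animation from this site in our mail",
    "your lame client cant read html",
)

def triage(raw: bytes) -> dict:
    """Return which indicators fire on one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"lure_text": False, "known_name": [], "known_size": [], "exe_attachment": []}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name is None:                 # body part: look for the lure wording
            body = part.get_content() if part.get_content_maintype() == "text" else ""
            if any(t in body.lower() for t in LURE_TEXTS):
                hits["lure_text"] = True
            continue
        lname = name.lower()
        payload = part.get_payload(decode=True) or b""
        if lname.endswith(".exe"):
            hits["exe_attachment"].append(name)
        if lname in NEWAPT_NAMES:
            hits["known_name"].append(name)
        if len(payload) == NEWAPT_SIZE:
            hits["known_size"].append(name)
    return hits

def verdict(hits: dict) -> str:
    """Quarantine on a name match backed by the lure text or the size; hold any other .exe."""
    if hits["known_name"] and (hits["lure_text"] or hits["known_size"]):
        return "quarantine: matches W32/NewApt.worm"
    if hits["exe_attachment"]:
        return "hold: executable attachment"
    return "deliver"

def build_sample() -> bytes:
    """Constructed message using the non-HTML lure; the attachment is zero bytes
    padded to the documented size, not the worm."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "you@example.invalid"
    m["Subject"] = "new apt"
    m.set_content("he, your lame client cant read HTML, haha. click attachment to see some\n"
                  "stunningly HOT stuff\n")
    m.add_attachment(b"MZ" + b"\0" * (NEWAPT_SIZE - 2), maintype="application",
                     subtype="octet-stream", filename="chestburst.exe")
    return m.as_bytes()
```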

*************************************************

DECEMBER 16TH, 1999

ALERT.. NEW ALIAS FOR MYPICS.... PLEASE READ......!

Dear Straight Talk Consumer Alert Member,

This is an alert from Straight Talk Across The Fence. You subscribed to this service. We hope it will be of help to you and urge you to forward it on to others on your e-mail and chat lists who may benefit from it. If you have received this page as a forward from a friend and would like to join us and get these alerts directly, instructions for doing so can be found on our home page.

On Dec 6th, we sent out an alert on W32/Mypics Worm. The information here is in regards to a variant of that virus. Many e-mails are circulating the Internet about this variant. Every one that we received listed the risk assessment as high. The fact is that the risk assessment is very low. It's possible that the problem may lie in the fact that the variant has an alias called ICQ Greetings. As we all know, some of us ICQ users are prone to premature hysteria...LOL. We don't usually send alerts on viruses with a low risk assessment but thought it might be best in this case in hopes of calming that hysteria. This does not mean however, that you should not know about this virus. Remember, having the knowledge you need is the best means of protection. The following information comes from Avert Labs at http://vil.nai.com/vil/ve10467.asp Please note the risk assessment.

Name: W32/Mypics.worm.27648
Aliases: ICQ_Greetings.exe, W32.Passion.27648, W32/Mypics.worm.27648, Worm.ICQ_Greetings, Worm.Passion
Variants: W32/Mypics.worm
Date Added: 12/10/99
Discovery Date: 12/10/99
Type: Virus
SubType: worm
Risk Assessment: Low on Watch
Minimum DAT: 4058
Minimum Engine: 4.0.25

Characteristics

AVERT received a copy of this file for analysis in the pre-dawn hours of December 10th. This worm was written in Visual Basic 5.0 and it is a minor variant of the earlier discovered W32/Mypics.worm. This worm also has a reliance on the library file MSVBVM50.DLL. Without this file, the program will error.
This file will copy itself to the root drive of the local machine as "Icq.exe" and also "ICQ_Greetings.exe", and register itself to run from the registry at system startup with multiple registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Icq99b="C:\Icq.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Windows\CurrentVersion RegisteredOrganization="2034 Langley Ct. Holloman Afb, NM 88330"
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Windows\CurrentVersion RegisteredOwner="Mike Carmody"
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Windows\Run Icq99b="C:\Icq.exe"

It does not matter if the system is Windows 9x or Windows NT, the keys are created or modified anyway. While the file runs as a task in memory, it is performing two functions. One function is to spread via an email routine while the other attempts to delete files in specific folders. Another function to format drives was not operational and could not be verified in AVERT testing.

This worm uses mass email for distribution, if executed. It appears to use code similar to W97M/Melissa virus to distribute itself using MS Outlook to the first 50 email recipients, however emails created by this worm contain the message "Season's Greetings" (Office97 registered user name) and attach itself as a file "ICQ_Greetings.exe" with a size of 27,648 bytes; users receiving this worm may also receive a file named "Passion.exe" of the same size. The icon of the attached file matches the same icon used to load the ICQ application and appears as a multi-colored flower.

While the worm is running in memory, it loads and uses routines from the following dynamic runtime libraries:
C:\WINDOWS\SYSTEM\MSVBVM50.DLL
C:\WINDOWS\SYSTEM\OLEAUT32.DLL
C:\WINDOWS\SYSTEM\OLE32.DLL
C:\WINDOWS\SYSTEM\USER32.DLL
C:\WINDOWS\SYSTEM\GDI32.DLL
C:\WINDOWS\SYSTEM\ADVAPI32.DLL
C:\WINDOWS\SYSTEM\KERNEL32.DLL

If the attachment is received and executed on January 01, 2000, a damaging file deletion payload is invoked. ASCII strings within the worm indicate that deletion of the following directories and files is attempted:
c:\*.c*
d:\*.c*
c:\winnt\system\*.c*
c:\winnt4\system\*.c*
c:\windows\system\*.c*
c:\winnt\system\*.o*
c:\winnt4\system\*.o*
c:\windows\system\*.o*
c:\winnt\*.i*
c:\winnt4\*.i*
c:\windows\*.i*

In AVERT testing on a Windows 95 system, many more file types were actually deleted! In fact, over 600 files were deleted, all within the C:\WINDOWS folder and subfolders. Files of 'hidden' attribute were not deleted. In the C:\WINDOWS folder, all non-hidden attribute INI configuration files and INF installation files were removed. In the \WINDOWS\SYSTEM folder, filenames were sequentially deleted beginning with A to Z for .DLL, .VXD and .OCX files not in use, as well as .CPL and a handful of .EXE files! The damaging payload also occurred when testing the date of January 30, 2000, indicating that this worm's destructive payload may not be specific to the day in January. Another payload which was designed to format various drives did not invoke and could not be initiated in AVERT testing.

Symptoms

Existence of this file on the local system - modifications to the system registry as mentioned above - mass mailings as mentioned above, file deletions as mentioned above.

Method Of Infection

Running the executable will directly copy itself and run the mass mailing routine.

Removal Instructions

Use specified engine and DAT files for detection and removal.
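An added example (not AVERT's or the newsletter's code) that reviews a REGEDIT4 export of the Run keys for the autostart entries named in this alert and in the NewApt description earlier on this page (Icq99b pointing at C:\Icq.exe, tpanew with the /x switch); the export text, including its ordinary ScanRegistry entry, is constructed.

```python
"""Review Run-key autostart entries from a REGEDIT4 export for the worm
indicators given above. Added example; the export below is constructed."""
import re

# Autostart keys named in the two descriptions (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windowsnt\currentversion\windows\run",
}
# Value names and image names the descriptions give for Mypics and NewApt.
SUSPECT_VALUE_NAMES = {"tpanew", "icq99b"}
SUSPECT_IMAGES = {"icq.exe", "icq_greetings.exe", "chestburst.exe"}

def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a REGEDIT4 export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1)
            continue
        m = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if m and key:
            # REGEDIT4 doubles backslashes inside string data.
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def review_run_entries(reg_text):
    """Return [(value_name, data, [reasons])] for Run entries worth a look."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        if key.lower() not in RUN_KEYS:
            continue
        image, _, args = data.partition(" ")   # paths in the descriptions have no spaces
        base = image.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name.lower() in SUSPECT_VALUE_NAMES:
            reasons.append("value name from a known worm")
        if base in SUSPECT_IMAGES:
            reasons.append("image name from a known worm")
        if args.strip().lower() == "/x":
            reasons.append("/x switch as used by NewApt")
        # Mypics copies itself to the drive root; legitimate autostarts rarely live there.
        if re.fullmatch(r"[a-z]:\\[^\\]+\.exe", image.lower()):
            reasons.append("executable in drive root")
        if reasons:
            findings.append((name, data, reasons))
    return findings

# Constructed export: one ordinary Windows 9x entry plus the entries from the descriptions.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Icq99b"="C:\\Icq.exe"
"tpanew"="c:\\windows\\chestburst.exe /x"

[HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Windows\Run]
"Icq99b"="C:\\Icq.exe"
'''

if __name__ == "__main__":
    for name, data, reasons in review_run_entries(SAMPLE_REG):
        print(f"{name} -> {data}: {', '.join(reasons)}")
```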

THERE IS ALSO A WARNING FROM ZDNET....... see below....

W32/Mypics.worm aliases include ICQGreetings and W32.Passion

Anti-virus companies are scrambling to fix a potentially malicious worm masquerading as a Y2K glitch that packs a double punch.

The W32/Mypics.worm comes in an e-mail without a subject line and contains a message that reads "Here's some pictures for you!" At first, the worm acts like Melissa, immediately sending itself to as many as 50 listings in a user's Outlook address book. The mass-mailing will not be triggered if the virus recipient doesn't use Outlook.

But the e-mail also contains an executable attachment, labeled Pics4You.exe, which infects the user's PC with the worm if it is opened. Once opened, on Jan. 1, 2000, the worm also overwrites part of the hard drive of the infected PC. If that PC is rebooted anytime after the New Year, the worm has the potential to completely reformat the hard drive, causing a loss of data. The glitch will try to disguise itself as a Y2K problem.

The worm also changes the home page of Internet Explorer users to a Geocities Web page containing a visitor counter and the words "Dave's Web Page: Brought to You By the Cave!" The site also contains a link to adult content. It's unclear whether the creator of the Web page is related to the worm's distribution or creation, according to anti-virus researchers. As of Thursday night, the site had logged more than 3,000 visitors. That number had increased to more than 5,000 Friday morning. Some of those hits may come from people affected by Mypics, but others could be from people who've heard about the worm and are merely curious.

Researchers at Symantec Corp.'s AntiVirus Research Center said they will have new software to combat the worm on their site sometime Friday. Marian Merritt, a group product manager for Symantec's Norton AntiVirus software, said researchers had rated the worm a medium risk.

"We didn't want people to run around and get hysterical," she said. However, she said MyPics could be upgraded to a higher risk category as the company gets more reports of it. Merritt also called MyPics the "scariest" Y2K-related worm or virus she's seen so far.

In recent months, researchers have discovered several other viruses created to take advantage of the date change. Trojan.polyglot was sent out in September, purporting to be a Microsoft Corp. e-mail touting a Y2K fix. If a person installed the virus, it could steal information from their computer. However, there have been few reports of it.

But people have seen worm.fix200, which comes with an e-mail containing the subject line "Internet problem year 2000" and a message in Spanish urging people to update their Y2K software. An attachment in the e-mail could overwrite a user's hard drive.

Still, Carey Nachenberg, Chief Researcher at Symantec's AntiVirus Research Center, said he hasn't seen as many Y2K-inspired viruses and worms as he expected. "There's been very little activity," he said. "People have been very calm."

*************************************************

DECEMBER 10TH, 1999

VIRUS ALERT - W95/Babylonia

W95/Babylonia is a polymorphic virus. AVERT has given it a risk assessment of Medium--On Watch. The virus was first distributed on at least one newsgroup as a help file called "serialz.hlp".

When executed, the virus infects .EXE and .HLP files, in some cases damaging them beyond repair. Upon infection, the virus creates a file called KERNEL32.EXE, which monitors system activity for Internet connection. When it detects an Internet connection, it attempts to connect to a Web site hosted by a virus authoring group, and if successful, it downloads additional components of the complete virus to the host PC. If the virus detects mIRC installed on the host PC, it will attempt to send a copy of itself through Internet IRC channels, as a file called "2KBug-MircFix.exe". The virus also sends an email notification to the address babylonia_counter@hotmail.com, with the "from" information listed as babylonia@rasta.net.

*************************************************

DECEMBER 8th, 1999

Worm Alert....

NameW32/Mypics.worm AliasesI-Worm.Mypics, W32/Mypics.worm

This is a worm which uses mass mail for distribution, if executed . It appears to use code similar to W97M/Melissa virus to distribute itself using MS Outlook to the first 50 email recipients, however emails created by this worm do not contain a subject line, only the body "Here's some pictures for you !"

The email message also has the attached file "Pics4You.exe" with a size of 34,304 bytes. You can get more info on this dangerous worm from avert labs by following this link...

http://vil.nai.com/vil/wm10456.asp
"PICS 4 YOU INFO" 

**********************************************************

MINI-ZIP OR W32/ExploreZip.worm.pak..... NEW... NOVEMBER 30TH, 1999

A virus nicknamed 'MiniZip' has been found to affect systems all over the world. Delete any messages that have the text: "I received your email and I will send you a reply ASAP. Till then, take a look at the attached zipped docs.". The virus is included in one of the files within the zip file. For more information, go to CNN.com.

more info.....

W32/ExploreZip.worm.pak is a new, compressed variant of the original W32/ExploreZip.worm. AVERT has assessed it as a high-risk threat, approaching outbreak levels! It reproduces itself by sending replies to incoming email messages, with itself as an attachment called "zipped_files.exe". It includes a payload: it will search the user's mapped drives and overwrite all files of types .c, .cpp, .asm, .doc, .xls and .ppt to zero KB.

IMPORTANT - If you receive an email with the message "I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs.", ***DELETE IT IMMEDIATELY!***

It will have an attachment called "zipped_files.exe"; DO NOT DOUBLE-CLICK OR RUN THIS ATTACHMENT! If you do, it will infect your system!

***************************************************

THE "GRINCH" VIRUS...... NEW..... NOVEMBER 21st, 1999

It's called the W97M/Prilissa virus. But a better name for it would be the Grinch virus. Anti-virus researchers at Network Associates Inc. (Nasdaq: NETA) said Friday that 10 Fortune 500 companies on three continents have been hit with a new virus called W97/Prilissa. Prilissa is a nasty variant on two better known attacks -- the Melissa worm and the PRI virus. The virus depends on the Windows 95 and 98 operating systems and the Word 97 word processing application.

If opened, it will e-mail itself to the first 50 names on a computer's Outlook or Outlook Express e-mail client. "This is probably the fastest infection rate we've seen since Melissa," said Sal Viveros, anti-virus product manager at Network Associates, in Santa Clara, Calif. The virus uses macro commands similar to those of Melissa to replicate itself.

But the virus itself won't go off until Christmas day. That means it won't have much of an impact on companies, which aren't likely to be open on that day, even if it should go undetected. But there is a big threat to home PC users, particularly unsuspecting children logging onto the computer to play with their new games on Christmas.

The Dr. Seuss analogies are endless.

The virus itself looks for a registry key to verify if the local system has been infected. If it hasn't, the virus creates a Microsoft Outlook e-mail message with the subject line "Message From (Office 97 user name)" and a message body that says "This document is very Important and you've GOT to read this!!!"

The first 50 listings from all address books are selected, along with an attachment -- the infected document, whatever it is.

If the date is December 25, the virus runs a destructive payload to overwrite the existing C:\AUTOEXEC.BAT file with instructions to format the C drive. The virus will not run on Windows NT. Another message is displayed in Word 97, adding: "You Dare Rise Against Me ... The Human Era is Over, The CyberNET Era Has Come!!!" Most anti-virus vendors are expected to have a definition update and fix prepared within the next few hours.

http://www.zdnet.com/zdnn/stories/news/0,4586,2397849,00.html

I must thank my girlfriend Bobbie for passing this along. She is not in the webring but has a fabulous page you can view at:

http://CrumpledPapers.com
"Crumpled Papers"

  

 ***********************************************


© vjr All Rights reserved.