VIRUS INFO ARCHIVES - PAGE 5
From December 2000 until February 15, 2001

Includes Info on:

- ANNA or ANNAKOURNIKOVA or OnTheFly
- "VALENTINE" or "VALENTINE.A" VIRUS
- W95.MTX
- THE CHRONIC VIRUS
- KRIZ
- SNOW WHITE
- NAVIDAD

  This page will include any virus information that I acquire and feel it warrants passing on. Please check this page occasionally as I will be trying to add more to it as time goes by.

 

Please also check out these sites. There is a wealth of knowledge and information on each of them, covering both real viruses and hoax viruses, and the vendors among them usually offer their anti-virus program through a link to their main page. And get yourself an anti-virus program! Just click on the links and they will open in a new browser window.

 

"Norton Anti-Virus Programs"
or it is at: http://www.symantec.com/avcenter/hoax.html

"CIAC"
or the page is at: http://www.ciac.org/ciac/CIACHoaxes.html

Another reliable one is: "MYTHS"
or it is at: http://www.kumite.com/myths/

Another very good and well known one: "DATAFELLOWS"
or it is at: http://www.datafellows.com/news/hoax/

And last but not least.. Dr. Solomon's (another well known one) at: "DR. SOLOMON'S"
or it is at: http://www.drsolomon.com/vircen/index.cfm

HACKERS INFORMATION
http://antionline.com/fight-back/
"HACKERS INFORMATION" Everyone should check this site out!

******************************************************

"ANNA or ANNAKOURNIKOVA or OnTheFly" VIRUS
February 15, 2001

When you were growing up, did your mother and father tell you not to take candy from strangers? The same strategy used successfully by child molesters and kidnappers works just as well for miscreants on the Internet. Nowadays, however, the bait isn't candy, and the victim is your computer.

A "new" worm, dubbed OnTheFly or AnnaKournikova, hit hundreds of sites starting last Monday morning. According to TrendMicro and F-Secure, the worm was written by a Dutch script kiddie who goes by the name "OnTheFly" using the VBS Worm Generator toolkit. This tool makes it easy to write worms, and includes methods for crashing victims' systems.

A CERT advisory explains what you can do to avoid the worm.

More accurately, the CERT advisory tells you what you should already have done to prevent OnTheFly. Microsoft released a patch designed to deal with the ILOVEYOU worm way back on June 7, 2000. The OnTheFly worm uses exactly the same tactic as ILOVEYOU: provide an attachment with an intriguing name that is actually a Visual Basic script (.vbs). When an Outlook user receives the worm as e-mail, he must click on the attachment to open it. What the user is expecting is a picture; instead, a program executes. Microsoft's patch to Office would have prevented this from happening.

Why didn't people install the patch? The first answer to that question appears painfully obvious. Just read the instructions for installing the patch. I was confused, though maybe people more familiar with Microsoft products would understand it better than I did.

But there are other good reasons for avoiding this patch. Greg Shipley of Neohapsis, a security consulting firm, says the patch is too draconian for most people. The part of the patch that stops worms like ILOVEYOU and OnTheFly also prevents Outlook from ever displaying an executable attachment (those with file extensions of .com, .exe, .vbs, .bas, and .js) as well as shortcuts and URLs. Instead, the Outlook user gets warned (in the case of OnTheFly) that:

Outlook removed the following unsafe attachments: AnnaKournikova.jpg.vbs

The Microsoft patch works. In fact, it works too well. Shipley says that once you have installed the patch, you cannot uninstall it. And the patch prevents you from receiving any executable content, which includes, for example, Exchange custom forms. So not only are you invulnerable to the OnTheFly worm, you may also have disabled part of your organization's e-mail system. The Microsoft patch turns out to be an all or nothing proposition.

There are other things you can do. Use anti-viral products, and keep them updated. People with up-to-date anti-viral software were generally successful in not falling victim to OnTheFly. Another technique is to block dangerous attachments as they come in from the Internet at the firewall or mail server. Again, organizations that were doing this were mostly unaffected by OnTheFly--I say mostly, because many organizations may exchange e-mail with other business units that did not have the filtering in place. And, once the worm gets inside, it propagates freely unless other measures are used. Disabling Windows scripting host would also have prevented the attack from succeeding, because when you clicked on the attachment, nothing would happen. However, VBScript relies on the Windows scripting host, so don't plan on using VBS for anything else.

Which comes back to the strangers with candy analogy. The concept of executing code that arrives attached to e-mail seems foolhardy to me. If a security researcher who I knew well sent me a PGP-encrypted e-mail with an attached executable, with the message "Check this out!", do you think I would execute it? No way! And that's even when I know who sent me the executable, because PGP has verified the sender's identity.

When you receive e-mail, unless you are using PGP or Secure MIME, you do not know who sent you the e-mail. It could be your coworker. It could be a worm. Or it could be a complete stranger who has spoofed your co-worker's e-mail address (it's easy to do).

The attachment with the attractive description is the candy. Please, don’t take candy from anyone. OnTheFly will not be the last worm to use this strategy.

Rik Farrow is an independent Unix and Internet security consultant who has specialized in Unix system administration and security since 1984. He is an instructor for the Computer Security Institute and has led training sessions at many US and European user groups. Farrow is the author of UNIX System Security, and writes columns for Network Magazine, ;login:, and several Web-based magazines.
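The mail-server attachment block that the column recommends, written out as an added example (this is not Farrow's code, the Microsoft patch, or anything from the original page). It walks every MIME part of a message, takes each attachment's filename, and judges it by its last extension only, so a double extension such as AnnaKournikova.jpg.vbs is caught no matter what the "picture" part says. The five extensions the column names seed the block list; .pif, .scr and the other script and shortcut types are this example's own additions, and the sample message is constructed here.

```python
import email
from email import policy
from email.message import EmailMessage

# The column lists .com, .exe, .vbs, .bas and .js as what the Outlook patch
# strips. The rest are this example's own additions: .pif/.scr (the names the
# W95.MTX worm later on this page uses), encoded-script and shortcut types.
DANGEROUS_EXTENSIONS = {
    ".com", ".exe", ".vbs", ".bas", ".js",
    ".pif", ".scr", ".vbe", ".jse", ".wsf", ".wsh", ".lnk", ".hta",
}


def attachment_verdict(filename):
    """Classify one attachment name; returns (is_dangerous, reason).

    Only the LAST extension decides what Windows will execute, so
    'photo.jpg.vbs' is a script no matter what the middle part says.
    Trailing dots and spaces are stripped first because Windows ignores
    them when opening a file ('setup.exe.' still runs as an .exe).
    """
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    ext = "." + parts[-1]
    if ext not in DANGEROUS_EXTENSIONS:
        return False, "allowed"
    if len(parts) > 2:
        return True, f"executable {ext} hidden behind .{parts[-2]}"
    return True, f"executable extension {ext}"


def scan_message(raw_message):
    """Return [(filename, reason)] for every dangerous attachment in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # Content-Disposition filename= or Content-Type name=
        if not filename:
            continue
        dangerous, reason = attachment_verdict(filename)
        if dangerous:
            findings.append((filename, reason))
    return findings


def build_sample_message():
    """Constructed sample: a 'picture' that is really a script, plus a genuine image."""
    msg = EmailMessage()
    msg["From"] = "coworker@example.com"   # spoofed or not, this header proves nothing
    msg["To"] = "you@example.com"
    msg["Subject"] = "Check this out!"
    msg.set_content("Have a look at the attached picture.")
    msg.add_attachment(b"' VBScript body omitted in this constructed sample\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="AnnaKournikova.jpg.vbs")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png",
                       filename="holiday.png")
    return msg.as_string()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

Run as a script it prints the one attachment to block; as a module it is the check a gateway would apply before delivery. Note what it does not do: it trusts the filename the sender supplied, so the complementary control is to reject by content type and by scanning the bytes, not by name alone.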

for much more information and links go to: "ANNA"
or
http://www.zdnet.com/enterprise/stories/main/0,10228,2685772,00.html

****************************************************

"VALENTINE" or "VALENTINE.A" VIRUS
February 15, 2001

Valentine (Valentine.A) is a new worm that bears some similarity to the KAK worm, which infected users throughout 2000. Valentine runs whenever Windows is started and spreads by attaching itself to every e-mail sent through Outlook. It is a mass-mailing worm that will attempt to send e-mail to every address listed in the Outlook address book. Valentine also changes Internet Explorer's default page to point to a Web site (now shut down) from which the worm can download a potentially destructive payload onto an infected computer. With the downloaded payload in place, Valentine will attempt to delete every file from the C:\ drive and rename every folder by adding the text happysanvalentine (for example, C:\Programs\MyDocuments\Excelhappysanvalentine) on the 8th, 14th, 23rd, or 29th day of any month. Even though the damaging component is no longer available, Valentine could still slow down e-mail servers. Valentine ranks as a 4 on the ZDNet virus meter.

Valentine.A arrives as an e-mail with the following:

Subject: blank
Body: anything
Attachment: none

Valentine spreads by embedding itself in the HTML-format signature of every outgoing Outlook e-mail and attempts to send itself to every address listed in the Outlook address book. Microsoft has issued a patch for the ActiveX vulnerability that worms like Valentine use to infect. Users should download the scriptlet.typelib/Eyedog patch, if they have not already done so.

Removal: At the moment, only Sophos and McAfee have posted updated signature files. Other anti-virus software vendors are expected to follow shortly.
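Because Valentine carries no attachment, a filter that looks only at attachment names never sees it; the worm lives in the HTML body. The following added example (not from ZDNet, Microsoft, or the original page) checks every text/html part of a message for the things an HTML mail body has no business containing: script, object, embed, applet and iframe tags, on*= event handlers, and javascript:/vbscript: URLs. The sample message is constructed here, and the classid in it is a zero placeholder, not the real scriptlet.typelib or Eyedog identifier.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Tags that hand control to active content inside an HTML mail body.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}


class ActiveContentFinder(HTMLParser):
    """Collects active-content tags, on*= event handlers and script: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> tag")
        for name, value in attrs:          # HTMLParser already lowercases names
            if name.startswith("on"):
                self.findings.append(f"<{tag}> {name}= event handler")
            elif name in ("href", "src") and value and \
                    value.strip().lower().startswith(("javascript:", "vbscript:")):
                self.findings.append(f"<{tag}> {name}= script URL")


def scan_html_parts(raw_message):
    """Return findings for every text/html part of a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = ActiveContentFinder()
        finder.feed(part.get_content())
        finder.close()
        findings.extend(finder.findings)
    return findings


# Constructed HTML signature in the style the text describes: no attachment,
# the worm code sits in the signature block. The classid is a placeholder.
WORM_SIGNATURE_HTML = """<html><body><p>See you tomorrow.</p>
<!-- signature block -->
<p>-- coworker</p>
<object classid="clsid:00000000-0000-0000-0000-000000000000" id="sig"></object>
<script language="VBScript">' worm body omitted in this constructed sample</script>
</body></html>"""


def build_sample_message(signature_html):
    """Constructed message: no Subject header (displays blank), no attachment, HTML alternative body."""
    msg = EmailMessage()
    msg["From"] = "coworker@example.com"
    msg["To"] = "you@example.com"
    msg.set_content("See you tomorrow.")
    msg.add_alternative(signature_html, subtype="html")
    return msg.as_string()


if __name__ == "__main__":
    for finding in scan_html_parts(build_sample_message(WORM_SIGNATURE_HTML)):
        print("ACTIVE CONTENT:", finding)
```

A gateway would strip or quarantine on any finding; a client-side equivalent is simply to read mail as plain text, which is what the scriptlet.typelib/Eyedog patch achieves for that one vector.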

For more information please go to:
"Valentine Virus"

****************************************************

"W95.MTX"
(multiple names)
Jan. 18th, 2001

W95.MTX has a virus component and a worm component. It propagates using email. Also it infects some Win32 executables in specific directories. The virus has the capability to block access to certain Web sites. This may prevent users from downloading new virus definitions.

Also Known As: W95.Oisdbo, W95.MTX.dr, W95.MTX (.dll)

Category: Virus, Worm

Damage: Payload: Some infected files are corrupted beyond repair.
Modifies Files: Windows executables

Subject of email: None
Name of attachment: Variable (see below)
Size of attachment: Variable
Time stamp of attachment: Immediately after a new email message is sent, a second message is sent with no subject and the worm attached.

Worm component:

The worm component makes a copy of Wsock32.dll and names it Wsock32.mtx. The Send export function of this .mtx file is then modified to point to its own code. Once the patched copy is in place, every message the user sends through that mail program is followed by a second message, generated by the worm, that carries a copy of the worm to the same recipient.

Here is a list of file names that this virus might use when it sends the infected worm to other people. For those files with .pif extensions, the .pif extension might not be visible in your mail program; Windows itself also hides the .pif extension even when it is set to show extensions, so a name like I_wanna_see_you.txt.pif can appear to be a plain text file.

I_wanna_see_you.txt.pif
Matrix_screen_saver.scr
Love_letter_for_you.txt.pif
New_playboy_screen_saver.scr
Bill_gates_piece.jpg.pif
Tiazinha.jpg.pif
Feiticeira_nua.jpg.pif
Geocities_free_sites.txt.pif
New_napster_site.txt.pif
Metallica_song.mp3.pif
Anti_cih.exe
Internet_security_forum.doc.pif
Alanis_screen_saver.scr
Reader_digest_letter.txt.pif
Win_$100_now.doc.pif
Is_linux_good_enough!.txt.pif
Qi_test.exe
Avp_updates.exe
Seicho_no_ie.exe
You_are_fat!.txt.pif
Free_xxx_sites.txt.pif
I_am_sorry.doc.pif
Me_nude.avi.pif
Sorry_about_yesterday.doc.pif
Protect_your_credit.html.pif
Jimi_hendrix.mp3.pif
Hanson.scr
F___ing_with_dogs.scr
Matrix_2_is_out.scr
Zipped_files.exe
Blink_182.mp3.pif

Wininit.ini is created by this component, which causes Wsock32.dll to be deleted and Wsock32.mtx to be renamed to Wsock32.dll. Wininit.ini executes after the computer is restarted. After Wininit.ini is created, this component runs the virus component.

Virus component
The virus component searches for specific antivirus programs running. If the virus finds one, the virus does not run. If the virus continues to run, it decompresses the worm component, drops a copy of it into the user's Windows directory (typically C:\Windows), and runs it. The name of this dropped file is Ie_pack.exe. After Ie_pack.exe is executed, it is renamed to Win32.dll.

The virus also drops Mtx_.Exe and runs it. This is a downloader program that goes to a specific Web site (i.am/[MATRIX]) where plug-ins for the virus are downloaded and executed. It searches for Win32 executables in the current directory, Windows directory, and the Temp directory. The file to be infected needs to have a size that is not divisible by 101, is greater than 8 KB in size, and has at least 20 import call instructions. If not, the file is not infected by the virus.

The virus also adds a registry entry that lets the downloader run automatically every time the system is started. The downloader is invisible in the Task List.
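Two pieces of the description above are easy to turn into checks a responder can run: the Wininit.ini swap described under the worm component, and the three file-selection rules under the virus component. The following is an added example (not Symantec's code and not from the original page). It parses the [rename] section of a Windows 9x WININIT.INI, where a line "dest=src" renames src to dest at the next boot and the destination NUL deletes src, and flags entries that delete or replace Wsock32.dll or move a .mtx file; it also encodes the infection criteria as a predicate. The sample WININIT.INI is constructed here, its SYSTEM directory path is assumed (the page names only the files), "8 KB" is taken as 8192 bytes, and the import count is passed in rather than parsed out of the PE import table.

```python
def parse_wininit_rename(ini_text):
    """Parse the [rename] section of a Windows 9x WININIT.INI into (destination, source) pairs.

    Windows processes this section once at the next boot, before the GUI is
    up: 'dest=src' renames src to dest, and the special destination NUL
    deletes src. That is how W95.MTX swaps its patched Wsock32.mtx in for
    the real Wsock32.dll while nothing holds the DLL open.
    """
    pairs = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "rename" and "=" in line:
            dest, src = (s.strip() for s in line.split("=", 1))
            pairs.append((dest, src))
    return pairs


def suspicious_renames(pairs, protected=("wsock32.dll",)):
    """Flag rename entries that delete or replace a protected DLL, or move a .mtx file."""
    findings = []
    for dest, src in pairs:
        d, s = dest.lower(), src.lower()
        dest_name = d.rsplit("\\", 1)[-1]
        src_name = s.rsplit("\\", 1)[-1]
        if d == "nul" and src_name in protected:
            findings.append(f"deletes {src}")
        elif dest_name in protected:
            findings.append(f"replaces {dest} with {src}")
        elif src_name.endswith(".mtx"):
            findings.append(f"moves MTX dropper {src} to {dest}")
    return findings


def infection_candidate(size_bytes, import_count):
    """Symantec's three conditions for a Win32 executable W95.MTX will infect.

    Larger than 8 KB (assumed here to mean 8192 bytes), size not a multiple
    of 101, and at least 20 imports. import_count must come from a PE
    parser; this example takes it as a parameter instead of parsing the
    import table.
    """
    return size_bytes > 8192 and size_bytes % 101 != 0 and import_count >= 20


# Constructed sample of what the worm component leaves behind. The SYSTEM
# directory path is an assumption; the page names only the two files.
SAMPLE_WININIT_INI = """[rename]
NUL=C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.MTX
"""

if __name__ == "__main__":
    for finding in suspicious_renames(parse_wininit_rename(SAMPLE_WININIT_INI)):
        print("WININIT.INI:", finding)
```

The size-modulo rule is the infection marker the virus uses to recognise files it has already touched, so on a suspect machine the files worth checking first are those that already fail it: a file whose length is now an exact multiple of 101 may have been padded by the infector.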

For REMOVAL of this virus, more extensive information and IMPORTANT INFO ON REMOVAL!! please see SYMANTEC LINK TO THIS VIRUS

****************************************************

"THE CHRONIC VIRUS"
(WM97/Chronic-A)
Jan. 15, 2001

-- The Chronic Virus (WM97/Chronic-A) plays Russian Roulette with your PC.

Prevent a complex new Word 97 macro virus from randomly wiping out your system's CMOS settings.

Here's a new Word macro virus going around that could soon be firing rounds at your PC. Chronic (WM97/Chronic-A) uses a complex counting process to determine when and what specific payload to execute based on your PC's system date. Chronic arrives as an infected Word document either by network share or via e-mail and affects users of Windows 95 and 98. Once a system is infected, Chronic will keep count of the number of times it executes. For every 25 times the virus runs on an infected system, Chronic will execute a complex series of checks on the system date. Under certain circumstances, Chronic's payload can overwrite a system's CMOS settings. At the moment there are only a few reports of this new virus. Chronic currently ranks as a 5 on the ZDNet Virus Meter.

How It Works

Each time the Chronic payload runs, the first 1020 bytes of the following files are modified and the text "Karachi_y2k7" is appended to these same files:

C:\WINDOWS\SOL.EXE
C:\WINDOWS\MSHEARTS.EXE
C:\WINDOWS\FREECELL.EXE

The modifications will corrupt a file such that it will no longer work.

According to the anti-virus company Sophos, if the current system day can be divided exactly by 2, Chronic will then print between 1 and 9 copies of the current Word document.

If the current system day can be divided exactly by 3, then the first 1020 bytes of the following files are modified and the text "Karachi_y2k7" appended:

C:\WINDOWS\ROUTE.EXE
C:\WINDOWS\PING.EXE
C:\WINDOWS\SYSTEM\NETOS.DLL
C:\WINDOWS\SYSTEM\NETDI.DLL
C:\WINDOWS\SYSTEM\NETBIOS.DLL
C:\WINDOWS\SYSTEM\NETAPI.DLL
C:\WINDOWS\SYSTEM\NETAPI32.DLL

However, Chronic can be much more sinister. If the current system day can also be divided exactly by 4, the virus will modify C:\WINDOWS\WIN.COM to contain the Trojan Troj/KillCMOS-E. This Trojan will attempt to overwrite the CMOS settings with random data and will be run the next time Windows is restarted.

If the current system day can be divided by 5 (i.e., the 5th, the 10th, the 15th), Chronic will lock the file sharing options of the current document with a password. That value may be "1297307460."

If the current system day can also be divided exactly by 6, the virus will copy C:\WINDOWS\WIN.COM to WIN.ORG and then create a new C:\WINDOWS\WIN.COM with the Trojan Troj/KillCMOS-E.

If the current system day can be divided exactly by 3 and by 6 (that is, by 6), then the first 1020 bytes of the following files are modified and the text "Karachi_y2k7" appended:

C:\WINDOWS\SYSTEM\NETCPL.CPL
C:\WINDOWS\SYSTEM\INETCPL.CPL
C:\WINDOWS\SYSTEM\MODEM.CPL
C:\WINDOWS\SYSTEM\URL.DLL
C:\WINDOWS\SYSTEM\SENDMAIL.DLL
C:\WINDOWS\SYSTEM\MAPI32.DLL
C:\WINDOWS\SYSTEM\INETCOMM.DLL
C:\WINDOWS\SYSTEM\INETCFG.DLL
C:\WINDOWS\SYSTEM\INETAB32.DLL
C:\WINDOWS\SYSTEM\INET16.DLL

If the current system day can be divided exactly by 3 and by 6 and by 9 (that is, by 18, so only the 18th of a month), then the following files are also affected:

C:\WINDOWS\SYSTEM\LPT.VXD
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MSPRINT.DLL
C:\WINDOWS\SYSTEM\MSPRINT2.DLL
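The date logic above reads as a tangle of overlapping conditions, so here it is written out as an added example (not Sophos's or ZDNet's code, and not from the original page) that answers the two questions a responder actually has: given the date and the virus's execution counter, which payloads fired, and does a given file carry the "Karachi_y2k7" marker. The "every 25 runs" gating, the reduction of "3 and 6" to 6 and of "3, 6 and 9" to 18, and the short payload codes are this example's reading of the text.

```python
CHRONIC_MARKER = b"Karachi_y2k7"

# Short codes for each payload the description lists, with the trigger as
# this example reads it: "divisible by 3 and by 6" is divisible by 6, and
# "by 3, 6 and 9" is divisible by 18.
PAYLOADS = {
    "games":    "corrupt SOL.EXE, MSHEARTS.EXE, FREECELL.EXE (every payload run)",
    "print":    "print 1-9 copies of the current document (day % 2 == 0)",
    "net":      "corrupt ROUTE.EXE, PING.EXE, NET*.DLL (day % 3 == 0)",
    "killcmos": "write Troj/KillCMOS-E into WIN.COM (day % 4 == 0)",
    "lock":     "password-lock sharing of the current document (day % 5 == 0)",
    "winorg":   "copy WIN.COM to WIN.ORG, then write Troj/KillCMOS-E (day % 6 == 0)",
    "inet":     "corrupt Internet/mail DLLs and .CPL files (day % 6 == 0)",
    "spool":    "corrupt LPT.VXD, SPOOL32.EXE, MSPRINT*.DLL (day % 18 == 0)",
}


def chronic_actions(day_of_month, run_count):
    """Payload codes Chronic selects on a given day, given its execution counter.

    The text says the date checks happen every 25th execution; run_count is
    the counter the virus keeps, and gating on multiples of 25 is this
    example's reading of that sentence.
    """
    if not 1 <= day_of_month <= 31:
        raise ValueError("day_of_month must be 1..31")
    if run_count <= 0 or run_count % 25 != 0:
        return []
    codes = ["games"]                       # unconditional on every payload run
    if day_of_month % 2 == 0:
        codes.append("print")
    if day_of_month % 3 == 0:
        codes.append("net")
    if day_of_month % 4 == 0:
        codes.append("killcmos")
    if day_of_month % 5 == 0:
        codes.append("lock")
    if day_of_month % 6 == 0:
        codes.extend(["winorg", "inet"])
    if day_of_month % 18 == 0:
        codes.append("spool")
    return codes


def trigger_days(code):
    """Days of a 31-day month on which a payload code fires (assuming the counter hits 25)."""
    return [d for d in range(1, 32) if code in chronic_actions(d, 25)]


def has_chronic_marker(file_bytes):
    """True if a file ends with the text Chronic appends after overwriting its first 1020 bytes."""
    return file_bytes.endswith(CHRONIC_MARKER)


if __name__ == "__main__":
    for code, description in PAYLOADS.items():
        print(f"{code:9s} days {trigger_days(code)}: {description}")
```

Running it shows the practical shape of the risk: the CMOS trojan lands in WIN.COM on every day divisible by 4 or by 6 (4, 6, 8, 12, 16, 18, 20, 24, 28, 30), while the printing components are only hit on the 18th. When checking a machine, scanning the named files for the trailing marker is a quicker confirmation than comparing sizes.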

Removal: At the moment, only one anti-virus company, Sophos, has updated its signature files to include this virus. It is expected that other anti-virus companies will update their signature files in the coming days.

Prevention: Follow these steps to avoid the Chronic macro virus:

"Don't open attachments!" One of the best ways to prevent virus infections is not to open attachments, especially when macro viruses such as Chronic are being actively circulated. Even if the e-mail is from a known source, be careful. A few viruses take the mailing lists from an infected computer and send out new messages with its destructive payload attached. Always scan the attached files first for viruses. Unless it's a file or an image you are expecting, delete it.

Stay informed. Did you know that there are virus and security alerts almost every day? Keep up-to-date on breaking viruses and solutions by bookmarking our Viruses, Bugs, Security Alerts page.

Get protected. If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these five-star programs then following the installation instructions. If you're on a network, check with your network administrator first. If you're not sure if your existing anti-virus software is up-to-date, scan your system for free to find out.

Scan your system regularly. If you're just loading anti-virus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the anti-virus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.

Update your anti-virus software. Now that you have virus protection software installed, make sure it's up-to-date. Some anti-virus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat.

For more extensive info see the link at: "THE CHRONIC VIRUS"

****************************************************

"KRIZ"
December 2000

-- Kriz virus makes return appearance

'Tis the season for nasty viruses. This one trashes PCs on Dec. 25 and spreads by piggy-backing on other viruses. Check out the info at this link: KRIZ and while there take out their newsletter!

****************************************************

"SNOW WHITE"
December 2000

-- Virus: Snow White not so innocent

People returning to work after the weekend are finding their inboxes crammed with a new virus. For more information see the link below:
"SNOW WHITE". While there, take out their virus info newsletter!!!!!
http://cgi.zdnet.com/slink?69880:15980406

****************************************************

"NAVIDAD"
December 2000

This is a particularly bad virus circulating around the holidays; it arrives as an attachment to an e-mail message.

 ***********************************************

On to Virus Info Archives - #6 |

© vjr All Rights reserved.