VIRUS INFO ARCHIVES - PAGE 7
From Nov. 29th, 2001 to January 16th, 2002

 This page will include any virus information that I acquire and feel it warrants passing on. Please check this page occasionally as I will be trying to add more to it as time goes by.

 

Please also check out these sites; each holds a wealth of knowledge and information. And get yourself an anti-virus program! You can just click on the links and they will open in a new browser window. These sites carry information on real viruses and on hoax viruses, and the vendors among them usually link from their main page to the anti-virus program they sell.

 

"Norton Anti-Virus Programs"
or it is at: http://www.symantec.com/avcenter/hoax.html

"CIAC"
or the page is at: http://www.ciac.org/ciac/CIACHoaxes.html

Another reliable one is: "MYTHS"
or it is at: http://www.kumite.com/myths/

Another very good and well known one: "DATAFELLOWS"
or it is at: http://www.datafellows.com/news/hoax/

And last but not least.. Dr. Solomon's (another well known one) at: "DR. SOLOMON'S"
or it is at: http://www.drsolomon.com/vircen/index.cfm

HACKERS INFORMATION
http://antionline.com/fight-back/
"HACKERS INFORMATION" Everyone should check this site out!

****************************************************

*NEW* January 16th, 2002

"Gigger" (js.gigger.a@mm) JavaScript isn't just for Web pages anymore. There have been a few viruses written in JavaScript, and last week one of them, "Gigger" (js.gigger.a@mm), surfaced on the Internet. While the antivirus software companies have given it a low ranking, Gigger weighs in at 6 on the CNET Virus Meter because it has the potential to spread and to delete all the files on your hard drive.

The Gigger "update" worm tries to reformat your hard drive
This JavaScript worm poses as a Microsoft Outlook upgrade.

Don't be taken in by Internet worm Gigger, which poses as a Microsoft update. Gigger (js.gigger.a@mm) attempts to spread itself to everyone in your Outlook Address Book, propagate via mIRC, and copy itself to computers connected on a local network. Gigger then tries to delete all the files on your hard drive the next time the computer reboots. Written in JavaScript, this 17K worm uses the Windows Scripting Host to execute on infected systems. Although there have been few reports of it worldwide, Gigger has the potential to damage computers and overwhelm e-mail servers.

How it works
Gigger arrives as e-mail. The subject line reads either "Outlook Express Update" or has the e-mail address of the recipient. The body text says either "MSNSofware Co." or "Microsoft Outlook 98." The attached file is always mmsn_offline.htm.

If a user opens the attached file, Gigger creates the following files in the root directory:

Bla.hta
B.htm

Gigger creates these files in the following directories:

C:\Windows\Samples\Wsh\Charts.js
C:\Windows\Samples\Wsh\Charts.vbs
C:\Windows\Help\Mmsn_offline.htm

Gigger also creates the following Registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0

and adds NAV DefAlert to the Registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Finally, it adds the line "ECHO y|format c:" to the autoexec.bat file in order to reformat the infected computer the next time it reboots.

Gigger also adds to the Windows directory a script.ini file to spread by mIRC, and if the infected computer is connected to a network, Gigger will create copies of itself as:

\Windows\Start Menu\Programs\StartUp\Msoe.hta

Code within the virus contains the text "This virus is donation from all Bulgarians."
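The indicators above (dropped files, Registry keys, the Run value and the autoexec.bat line) are exactly what a host check should look for. The following is an added example, not code from the page or from any antivirus vendor: it takes the host's state as plain data (file list, Registry keys, Run values, autoexec.bat contents) so it can be exercised offline; on a real machine you would fill HostState from the file system and Registry. The Windows directory is assumed to be C:\Windows, and the sample host states are constructed.

```python
"""Added example: check a Windows host for the Gigger indicators listed above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# File indicators from the write-up. Root-directory files sit on C:\; the
# Windows directory is assumed to be C:\Windows (assumption of this example).
GIGGER_FILES: Dict[str, str] = {
    r"C:\Bla.hta": "strong",
    r"C:\B.htm": "strong",
    r"C:\Windows\Samples\Wsh\Charts.js": "strong",
    r"C:\Windows\Samples\Wsh\Charts.vbs": "strong",
    r"C:\Windows\Help\Mmsn_offline.htm": "strong",
    r"C:\Windows\Start Menu\Programs\StartUp\Msoe.hta": "strong",
    # mIRC users legitimately have a script.ini, so on its own it is weak evidence.
    r"C:\Windows\script.ini": "weak",
}
GIGGER_REG_KEYS: List[str] = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",
    r"HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "NAV DefAlert"
# "ECHO y|format c:" with tolerant spacing and case. The pipe feeds "y" to
# format's confirmation prompt, so the line wipes C: unattended at next boot.
FORMAT_LINE = re.compile(r"^\s*echo\s+y\s*\|\s*format\s+c:", re.IGNORECASE)


@dataclass
class HostState:
    files: Set[str]             # paths that exist on the host
    reg_keys: Set[str]          # Registry keys that exist
    run_values: Dict[str, str]  # value name -> data under RUN_KEY
    autoexec: str               # contents of C:\autoexec.bat


def scan_autoexec(text: str) -> List[int]:
    """1-based line numbers of autoexec.bat lines that would format C: at boot."""
    return [n for n, line in enumerate(text.splitlines(), 1) if FORMAT_LINE.match(line)]


def scan_host(state: HostState) -> List[Tuple[str, str, str]]:
    """Return (kind, indicator, weight) for every Gigger indicator present."""
    findings = []
    present_files = {p.lower() for p in state.files}   # FAT/NTFS names are case-insensitive
    for path, weight in GIGGER_FILES.items():
        if path.lower() in present_files:
            findings.append(("file", path, weight))
    present_keys = {k.lower() for k in state.reg_keys}
    for key in GIGGER_REG_KEYS:
        if key.lower() in present_keys:
            findings.append(("registry_key", key, "strong"))
    if RUN_VALUE.lower() in {v.lower() for v in state.run_values}:
        findings.append(("run_value", RUN_KEY + "\\" + RUN_VALUE, "strong"))
    for n in scan_autoexec(state.autoexec):
        findings.append(("autoexec", f"line {n}", "critical"))
    return findings


def verdict(findings: List[Tuple[str, str, str]]) -> str:
    """'clean', 'suspicious' (only weak hits) or 'infected' (any strong/critical hit)."""
    weights = {w for _, _, w in findings}
    if "critical" in weights or "strong" in weights:
        return "infected"
    return "suspicious" if weights else "clean"


# Constructed sample states: an infected host and a clean host that runs mIRC.
INFECTED = HostState(
    files={r"C:\BLA.HTA", r"C:\Windows\Help\mmsn_offline.htm",
           r"C:\Windows\script.ini", r"C:\autoexec.bat"},
    reg_keys={r"HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0"},
    run_values={"NAV DefAlert": "(constructed value data)"},
    autoexec="@ECHO OFF\r\nSET PATH=C:\\WINDOWS\r\necho y|format c:\r\n",
)
CLEAN = HostState(
    files={r"C:\Windows\script.ini", r"C:\autoexec.bat"},
    reg_keys=set(),
    run_values={"ExampleTool": "(constructed value data)"},
    autoexec="@ECHO OFF\r\nSET PATH=C:\\WINDOWS\r\n",
)

if __name__ == "__main__":
    for name, state in (("infected", INFECTED), ("clean", CLEAN)):
        hits = scan_host(state)
        print(name, verdict(hits), hits)
```

The autoexec.bat check is the one that matters most: the dropped files only show that the worm ran, while the format line is the pending destructive action and should be removed before the machine is rebooted.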

Prevention
Users of Microsoft Outlook 2002 and of Outlook 2000 who have installed the Security Update are not automatically protected from Gigger. The Outlook Security Update does not block e-mail with HTM attachments. Users can, however, disable the Windows Scripting Host. For information regarding that, see
"How to turn off Windows Scripting Host".
In general, you should not open attached files in e-mail.

Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see McAfee, Sophos, Symantec, and Trend Micro.

For information about preventing this worm, see "Basic steps" at:
http://www.cnet.com/software/0-5067630-8-6764489-1.html

****************************************************

*NEW* January 4th, 2002

FBI warns of Windows XP holes

SAN FRANCISCO--The FBI's National Infrastructure Protection Center has urged users of Microsoft's Windows XP operating system to disable a feature that could leave computers open to attacks from hackers.

In a statement issued on Saturday, the FBI's NIPC, which usually leaves computer security warnings to the private sector, said it held technical discussions with Microsoft Corp. and other industry experts on Friday to identify ways to minimize the risk from security holes in the XP software, which was launched in late October.

A Microsoft spokesman said he had no comment on Monday on the NIPC statement.

The software giant announced last week it had found two vulnerabilities in its new operating system that could leave computers running it open to hackers and at risk of being temporarily shut down from a denial-of-service attack or used in such an attack on other computers.

Under a denial-of-service attack, a server is flooded with so much Internet traffic that it is made inaccessible to legitimate traffic.

In addition to installing the security patch available from Microsoft's Web site, computer users running Windows XP should disable the "Universal Plug and Play" feature, if they are not using it, the NIPC said in its statement.

Microsoft's Universal Plug and Play software allows devices added to a network to be automatically recognized and accessed. It is installed by default on XP systems, can be switched on in Windows ME systems and installed separately on the Windows 98 operating systems.

Microsoft and security experts have warned that hackers could take advantage of the feature to gain access to otherwise secure systems by overwhelming computers with data flow, a common method used by hackers.

The way that the software recognizes new machines on a network could also be exploited by hackers to spoof their way into a system and take control in order to launch a denial of service attack, the company and experts said.

The NIPC has issued warnings since Sept. 11 for network administrators to be on alert for possible distributed denial-of-service attacks, which could interfere with e-commerce and slow-down the Internet if serious enough.

Microsoft has said that Windows XP is its most secure operating system ever.

Microsoft has shipped at least 650,000 copies of XP since it was launched Oct. 25, not including units that ship with new PCs, according to market researcher NPD Intellect.

****************************************************

*NEW* January 4th, 2002

Trojan horse targets file-swappers

A pair of popular file-sharing programs have become privacy time bombs, according to computer experts. Antivirus company Symantec last week reported the presence of "spyware" bundled with Grokster and Limewire, two popular file-swapping downloads. The code evidently does not damage computers, but it surreptitiously sends personal information such as user ID names and the Internet address of computers to another Web address.

Advertising software called "Clicktilluwin" that comes bundled with the file-swapping programs carries a program called "W32.DIDer," which Symantec has classified as a Trojan horse--a piece of code that takes over parts of a person's computer unseen in order to carry out its own instructions.

Although unrelated advertising programs are routinely bundled with free file-swapping programs--and have prompted some user criticism in the past--this appears to be the first time one of them has included a program classified as a Trojan horse by security experts.

The Trojan horse software installs itself even if a computer user selects an option that appears to block Clicktilluwin's installation. For this reason, antivirus companies are warning people to scan their computers after installing these products to ensure the code is removed.

On the heels of the Symantec warning, some consumers complained of similar problems with FastTrack's Kazaa Media Desktop. CNET News.com could not duplicate the problem in a test of that product Wednesday.

A spokesman for Limewire said the version with Clicktilluwin included had been replaced with a clean version by Tuesday.

"It was not what we thought this was," said Greg Bildson, Limewire's chief technical officer. "It was supposed to be a promotional tool...not blatant spyware."

Grokster has gone one step further, apologizing and providing its users with a program that will remove the offending bits of code from personal computers.

"We have no access to the source code of these third-party installers and so we rely on what our advertisers say these programs do," the company wrote on its Web site Wednesday. "Now that we have learned of the Trojan, we are doing everything we can to minimize its impact on our users."

Because software programs are among the most popular downloads on the Net, the Trojan horse could potentially find its way onto a large number of computers. Kazaa, for example, is one of the most popular pieces of software available through CNET Download.com, a site operated by News.com's parent company, with more than 1.3 million downloads in the last week of December alone.

Bitter warnings about the code spread through consumer bulletin boards on several different Web sites last week.

"Make sure you have a good virus utility if you must install this," one person wrote on Download.com's Grokster reviews.

****************************************************

*NEW* January 4th, 2002

AOL fills AIM security hole

AOL Time Warner on Thursday plugged a security hole in its instant messenger application that experts say could have provided wiggle room for a widespread and destructive worm. The company said it implemented a server-side fix, meaning that customers will not have to download the patch. As earlier reported, the security bug affected AOL Instant Messenger (AIM) version 4.7 and the 4.8 beta, or test version. Only AIM users running Microsoft's Windows operating system are vulnerable.

"No action has to be taken by users...and to our knowledge no users were affected by the issue," said AOL spokesman Andrew Weinstein.

The AIM hole surfaced at a period of heightened scrutiny of instant-messaging security. Although virus and worm authors have concentrated on e-mail as the preferred means of propagation, the rising popularity of instant messaging has made the technology an increasingly attractive target.

The issue came to light with the posting of an "advisory" (http://www.w00w00.org/advisories/aim.html) by Matt Conover, a founding member of w00w00.org, which bills itself as an international nonprofit security team. Conover is also a double major in computer science and mathematics at Utah State University at Logan.

The advisory described the problem as a buffer overflow issue--one of the most common computer security glitches. The problem, which in this case affects AIM's game request function, occurs when an application is sent more data than the space it has reserved for that data can hold, so the excess overwrites adjacent memory and typically crashes the program. In a buffer overflow attack, maliciously crafted excess data can wind up being executed on the target computer.

In this case, Conover warned that the security hole left the door open for attackers to create a self-propagating worm that could rival the destructive Melissa, I Love You, Code Red and Nimda worms that exploited vulnerabilities in Microsoft's Outlook e-mail application and IIS Web server.

"An exploit could easily be amended to download itself off the Web, determine the buddies of the victim, and then attack them also," Conover's advisory warned. "Given the general nature of social networks and how they are structured, we predict that it wouldn't take long for such an attack to propagate."

Security experts pointed out that there have been previous vulnerabilities in IM products, but they said this was among the most serious identified to date. Instant messengers are considered a potentially dangerous delivery vehicle for worms because of their buddy lists, which offer a long list of potential new victims much like an e-mail address book.

"This could be used by someone to execute programs on a vulnerable system," said Elias Levy, chief technology officer of SecurityFocus. "A worst-case scenario could be a worm that used this vulnerability as an infection vector, and given the large population of users, the potential for damage is great. A lot of corporations allow their users to use instant messaging, so this vulnerability could be used to pierce corporate firewalls."

AIM is one of the Web's most popular applications, with more than 100 million registrations (one person can register any number of different AIM personas). A much smaller subset of that group is running version 4.7 and the 4.8 beta, but Conover used the 100 million figure to chastise AOL Time Warner for letting the buffer overflow hole slip through its quality-control process.

"The first implication is that AOL should feel the weight of responsibility and employ better software development practices," Conover wrote in his advisory.

"The developers of a product with so many users should be much more cautious and avoid overbloating with a multitude of features they didn't have time to properly test in the first place."

AOL Time Warner declined to comment on Conover's criticism.

******************************************************

*NEW* January 4th, 2002

Reeezak worm (w32.reeezak.a@mm)

Just in time for the holidays, the Reeezak worm (w32.reeezak.a@mm) is spreading its political message and dangerous payload across the Internet.

Also known as Keyluc, Maldal.C, and Zacker.C, this worm uses Microsoft Outlook and MSN Messenger to collect e-mail addresses. Reeezak also deletes the Windows System directory, disables antivirus software, and redirects Internet Explorer to a political message Web site that contains malicious code designed to spread across IRC. Because Reeezak deletes Windows files and spreads via e-mail, this worm ranks 6 on the ZDNet Virus Meter.

How it works
Reeezak is a politically and holiday-themed variation of the Zacker (w32.zacker@mm) or Maldal (w32.maldal@mm) family that arrives via e-mail with the following information:

The subject line reads "Happy New Year."
The message text reads "Hi I can't describe my feelings But all i can say is Happy New Year :) bye"
The attached file is Christmas.exe.
When a user opens Christmas.exe, it shows a typical Flash media Christmas greeting card, with Santa and one reindeer against a snowy background. Behind the scenes, Reeezak attempts to delete the Windows System directory, rendering the computer unusable unless the operating system is reinstalled or restored from backup. (Note: At least one antivirus vendor reports that Windows System files are not deleted if the user has Visual Basic 6.0 installed.)

Reeezak may also disable antivirus and security software by deleting files belonging to these products:

Zone Labs
AntiViral Toolkit Pro
Command Software F-PROT95
eSafeProtect
PC-Cillin 95
PC-Cillin 97
Quick Heal
FWIN32
FindVirus
ToolkitFindVirus
f-macro
McAfee VirusScan95
Norton AntiVirus
TBAVW95
VS95
Rescue

The registered name of the infected Windows computer changes to ZaCker. Reeezak may also disable the keyboard on infected computers.

Reeezak attempts to redirect Internet Explorer's home page to an infected Web site displaying the following message:

"Sharoon = a war crimenal
Bush supports him
So...
Bush = a war crimenal
American people must protect their country
otherwise, their
government will lead them to the hell !
Best Regards
America Lovers
ZA-UNION"

This Web page contains JavaScript that downloads an infected script called Outlook.vbs, which sends a second message to contacts listed in the Outlook address book. This secondary message has the subject "Very important !!!" and the body text "See this page http://geocities.com/Xxxxxxx/xxx.htm," which is the infected Web page.

Reeezak may also spread across networks with open network shares.

Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from Reeezak. Users who have not upgraded to Outlook 2002 or who have not installed the Outlook 98 Security Patch or the Outlook 2000 Security Patch should do so.

In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include Reeezak.

Removal
Almost all the antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Panda, Sophos, Symantec, and/or Trend Micro.

****************************************************

*NEW* January 4th, 2002

'Happy New Year' worm hits Windows

A mass-mailing Internet worm that purports to offer New Year greetings was spreading rapidly Wednesday, and is rumored to be the big Christmas virus that antivirus companies have been gearing up for.

The first copy of the virus was detected at 7:23am GMT by security firm MessageLabs and is said to have originated from South Africa. By using a number of aliases, the e-mail worm has spread virulently throughout the day. MessageLabs has detected 925 incidents of the worm at an Internet level to date, from a number of countries across the globe.

"This won't be as big as Goner, but it is likely to be the biggest Christmas virus," said Alex Shipp, antivirus technology expert at MessageLabs.

The worm, operating under the guises of Zacker, Reeezak, Maldal and Keyluc, arrives with the subject header "Happy New Year" and contains a file attachment entitled "christmas.exe." It uses familiar social engineering tactics to entice recipients to double click on the attachment, before mailing itself and the victim's contact list to everyone in the contact's address book.

"Over the last week, we have seen thousands of executable files like this that have been sent as jokes or Christmas cards," said Shipp. "We have seen 4,000 copies of such viruses this week, and so from a social engineering point of view, it looks like this virus will continue."

The worm arrives with the body text: "I can't describe my feelings But all i can say is Happy New Year :-) Bye."

Once the Christmas.exe application is opened, the worm will modify the user's Internet Explorer (IE) home page so that the browser now points to a malicious Web site. This site will then exploit a vulnerability in IE and run a Visual Basic Script on the infected computer that will attempt to delete significant portions of the Windows operating system.

Experts believe the worm spreads through shared network drives, and by taking advantage of Microsoft applications. Computer Associates has reported that the virus will email itself to everyone in an infected victim's Outlook address book.

According to reports, Symantec believes the worm also spreads via Microsoft's Instant Messaging software, and will try to delete antivirus software from an infected PC.

****************************************************

*NEW* January 4th, 2002

ZaCker

A destructive new worm that destroys antivirus software on infected computers was slowly spreading Wednesday. The Maldal.D worm, also known as ZaCker, was written and distributed Dec. 29, according to antivirus software maker Symantec, prompting fears the worm could sneak past security software that wasn't updated over the holiday break.

"We always worry when something comes out at the end of the week or over a holiday, when nobody's in their office," said Steve Trilling, director of research at Symantec's Security Response division, which rated Maldal.D as a moderate threat.

Maldal.D appeared to be spreading slowly and mainly outside the corporate networks that can turn an infection into an epidemic. "We have seen a bit of an upsurge in submissions today, but most of them are from consumers," Trilling said. "That leads us to believe that a lot of corporations updated their software right away."

E-mail screening service MessageLabs reported intercepting about 150 copies of Maldal.D by 11 a.m. Wednesday, placing the worm at the bottom of the company's list of the Top 10 most active viruses.

Maldal.D spreads itself as a file attached to an e-mail with the subject "ZaCker." The body of the message consists of one of several dozen cryptic sentences, such as "nowadays, there is no womanhood!! :P"

If the file is opened, the activated worm attempts to delete files associated with popular antivirus applications, including programs from Symantec, McAfee and Zone Labs. The worm also deletes files with common extensions such as .exe, .doc and .jpg, which could destroy enough critical files to render an infected PC unstable or unusable.

The worm spreads itself by e-mailing copies of itself to all addresses in the infected PC's Microsoft Outlook address book.

Attacking security software is an old trick, Trilling said, noting that the recent Goner worm employed similar tactics. Such efforts are unlikely to work, however, if the security software is running as it's supposed to.

"If the software is running all the time in the background, it can't easily be deleted," Trilling said.

Business and home PC users were advised to download the latest updates for their antivirus software to catch Maldal.D and to reinstall security software if the worm had already infected

****************************************************

*NEW* December 15, 2001

WORM_GONE.A (High Risk)

This destructive, memory-resident worm is a Visual Basic-compiled Windows executable that propagates via email using Microsoft Outlook and through ICQ. It searches memory for certain running programs and terminates their processes. Thereafter, it executes its destructive payload of deleting files.

The worm arrives in an email with the following:

Subject: Hi

Message Body: How are you ? When I saw this screensaver, I immediately thought about you I am in a harry, I promise you will love it!

Attachment: GONE.SCR

It creates an Outlook Application Object, and uses MAPI script commands to create and send bogus emails to all recipients found in the infected user's address book. Thereafter, it deletes these bogus emails.
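Every worm on this page arrives the same way: a fixed subject line and a double-clickable attachment (Gigger's mmsn_offline.htm, Reeezak's Christmas.exe, Maldal.D's "ZaCker" subject, Goner's GONE.SCR). A mail gateway can screen for those arrival patterns before a user ever sees them. The following is an added example, not code from the page or from any vendor: it builds the screening rules from the descriptions above, adds a generic rule for attachment types Windows runs on double-click (the extension list, and counting .htm/.html because Gigger's payload is an HTML file run through the Windows Scripting Host, are assumptions of this example), and constructs the sample messages inline so the check runs offline.

```python
"""Added example: screen inbound mail for the worm arrival patterns described on this page."""
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# (name, subject lines, attachment names) as given in the write-ups above.
# None for attachments means the page only gives the subject line.
KNOWN_WORMS = [
    ("Gigger",   {"outlook express update"}, {"mmsn_offline.htm"}),
    ("Reeezak",  {"happy new year"},         {"christmas.exe"}),
    ("Goner",    {"hi"},                     {"gone.scr"}),
    ("Maldal.D", {"zacker"},                 None),
]
# Attachment types Windows executes directly or hands to the Scripting Host
# (assumed list for this example).
RISKY_EXT = {".exe", ".scr", ".vbs", ".js", ".hta", ".bat", ".com", ".pif", ".htm", ".html"}


def attachment_names(msg) -> List[str]:
    """File names of all attachment parts (empty for a plain-text message)."""
    return [(part.get_filename() or "") for part in msg.iter_attachments()]


def classify(raw: bytes) -> Tuple[str, List[str]]:
    """Return ('quarantine' or 'deliver', reasons) for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    names = attachment_names(msg)
    reasons = []
    for worm, subjects, files in KNOWN_WORMS:
        if files and any(n.lower() in files for n in names):
            reasons.append(f"attachment matches {worm}")
        elif subject in subjects and names:
            # Subject alone is a social-engineering lure; only act on it
            # when the message also carries an attachment.
            reasons.append(f"subject matches {worm} and message carries an attachment")
    for n in names:
        ext = os.path.splitext(n.lower())[1]
        if ext in RISKY_EXT:
            reasons.append(f"executable attachment type {ext}: {n}")
    return ("quarantine" if reasons else "deliver", reasons)


def build(subject: str, body: str, filename: Optional[str]) -> bytes:
    """Construct a sample message; the attachment body is filler, not a worm."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "you@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"not a real payload", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples modelled on the arrival details above.
SAMPLES = {
    "reeezak": build("Happy New Year", "Hi I can't describe my feelings ...", "Christmas.exe"),
    "goner":   build("Hi", "How are you ? When I saw this screensaver ...", "GONE.SCR"),
    "gigger":  build("you@example.invalid", "MSNSofware Co.", "mmsn_offline.htm"),
    "zacker":  build("ZaCker", "nowadays, there is no womanhood!! :P", "greeting.exe"),
    "clean":   build("Q4 report", "Numbers attached.", "report.txt"),
    "text":    build("Happy New Year", "Best wishes for 2002!", None),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The generic extension rule is what keeps this useful beyond the four worms named here: a signature list lags every new variant, while "no executables by mail" would have stopped Badtrans, Aliz, Goner and Reeezak alike. The "text" sample shows the other side of that design: a greeting with the same subject but no attachment is still delivered.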

This worm is currently spreading in-the-wild, and is classified as high risk. As of December 7, there have been more than 126,000 infections of WORM_GONE.A worldwide, according to Trend Micro's World Virus Tracking Center:
http://wtc.trendmicro.com/wtc/

For additional information about WORM_GONE.A, please visit Trend Micro at "More Info":
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=GONE.A

****************************************************

*NEW* November 29th, 2001

You don't have to do anything to execute these ones! The first one is really nasty. You don't want this to happen to you especially if you do any online banking or shopping!

1. Alert: Beware Badtrans.B

A new version of this worm executes automatically on some computers. An included Trojan horse captures passwords and credit cards, then sends that information to malicious users.

"Badtrans.B"
http://www.cnet.com/software/0-7760531-8-7897462-1.html

2. Alert: Aliz spreads worldwide

This non-destructive but very annoying worm overloads e-mail servers with copies of itself.

"Aliz"
http://www.cnet.com/software/0-7760531-8-6323501-1.html

3. Downloads: Microsoft MS01-020 patch for Internet Explorer 5

Stop Aliz and Badtrans from spreading by updating your Internet Explorer 5.01 and 5.5 software with this patch from Microsoft.

"Download free Microsoft Patch"
http://download.cnet.com/downloads/0-10105-100-7992598.html

Or upgrade to Internet Explorer 6.0

"Upgrade to Internet Explorer 6"
http://download.cnet.com/downloads/0,10151,0-3364664-106-0-1-0,00.html

News: Worm hits home for the holidays.
Find out the latest regarding the Badtrans.B infection from News.com.

"Latest about Badtrans.B"
http://news.cnet.com/news/0-1003-200-7979449.html

For goodness sake, if you do not have a virus program on your computer - GET ONE! And if you have one, be sure it is UPDATED WEEKLY. It's no damn good if it isn't updated on a very regular basis.

****************************************************

Please check THIS PAGE FOR THE MOST RECENT NEW VIRUSES OUT THERE.
This includes VBS/BlueMail.A@mm, W32/Creepy.a@MM, W32/CodeBlue.worm, W32/Choke.d.worm, IRC/Theme.worm, W32/APost@MM, W32/Magistr.b@MM all discovered in the month of September 2001 and W32/InvalidSSL@MM, VBS/Cuerpo@MM, StealVXS discovered around the end of August 2001.

You can also go to "TOP VIRUS DESCRIPTION VIEWED BY CONSUMERS" This is a list of the top 30 virus and hoaxes you will probably see or get.

 ***********************************************


 

© vjr All Rights reserved.