PAST VIRUS ALERTS, DETAILS AND INFO


12/26/04

12-25-04 Perl.Santy.C

12-25-04 Perl.Santy.B


11/3/04

Backdoor.Alcani is a Backdoor Trojan that allows unauthorized remote access to an infected computer.

W32.Bagz.H@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses gathered from a compromised system. It also lowers the security settings by overwriting the local hosts file and preventing access to several security-related Web sites.

VBS.Yeno.C@mm is a mass-mailing worm that sends itself to the email addresses in the Microsoft Outlook address book. It also infects .vbs, .vbe, .htm, and .html files on drives C, D and E.

VBS.Yeno.B@mm is a mass-mailing worm that sends itself to email addresses in the Microsoft Outlook address book. It also infects .vbs, .vbe, .htm, and .html files on drives C, D and E.

Trojan.Ducky.C is a Trojan horse program that exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028).


9/8/04

W32.IRCBot.H is a Trojan horse program that opens a backdoor on the infected computer by connecting to an IRC server, and receives commands from a remote attacker.


9/8/04

W32.Gaobot.BIE is a worm that spreads to remote network shares, through backdoors opened by other common backdoor Trojan horse programs, and by exploiting several Windows vulnerabilities. The worm opens a backdoor and allows a remote attacker to have unauthorized access to the infected computer via IRC channels. It also attempts to lower security settings and steal confidential information from the infected computer.



2/1/04 VIRUS ALERT!
IMPORTANT!!! 

“MYDOOM” FASTEST SPREADING VIRUS TO DATE

The mass-mailing MyDoom virus has become the fastest spreading program to date and the damage could continue for months or years. The virus, also known as Novarg and Mimail.R, travels as an e-mail attachment and infects PCs whose users open the malicious file. When opened, the virus installs a stealth program on the victim's computer that opens up a software "back door." Attackers can then bypass the PC's security and turn the system into a bounce point, or proxy, for any network-based attack.

The effects of the massive spread of the MyDoom virus have already been felt. The virulent program has flooded the Internet with e-mail messages bearing the program, doubling the time it takes most major Web sites to deliver a page. About one in every 12 messages being sent through the Internet contains the virus, said e-mail service provider MessageLabs. The previously most prevalent mass-mailing virus, called Sobig.F, only accounted for one out of every 17 e-mail messages.

The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP, and arrives in the user's in-box as an attachment to an e-mail message that appears to be an error response from an e-mail server.

The message sports one of several different random subject lines, such as "Mail Delivery System," "Test" or "Mail Transaction Failed." The body of the e-mail contains an executable file and a statement such as: "The message contains Unicode characters and has been sent as a binary attachment." and "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

The MyDoom virus also copies itself to the Kazaa download directory on PCs on which the file-sharing program is loaded. It camouflages itself under one of seven file names: Winamp5, icq2004-final, Activation_Crack, Strip-gril-2.0bdcom_patches, RootkitXP, Officecrack and Nuke2004.
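The arrival characteristics listed above (a bounce-style subject, a body that excuses a "binary attachment", and an executable attached) are enough to build a simple gateway rule. The following is an added example, not part of the original alert and not RGV's or any vendor's code: it scores constructed sample messages against those indicators and quarantines only when an executable attachment is combined with at least one of the bounce-message tells, so a genuine delivery failure notice (which carries no executable) passes through. The message shape, the extension list and the sample messages are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the alert text: subjects and body phrases MyDoom used
# to pose as a mail server error response.
BOUNCE_SUBJECTS = {"mail delivery system", "test", "mail transaction failed"}
BOUNCE_BODY_PHRASES = (
    "sent as a binary attachment",
    "cannot be represented in 7-bit ascii",
    "contains unicode characters",
)
# Constructed list (assumption): extensions Windows runs on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


@dataclass
class Message:
    """Minimal mail representation assumed for this example."""
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def indicators(msg):
    """Return the list of MyDoom-style tells found in one message."""
    hits = []
    if msg.subject.strip().lower() in BOUNCE_SUBJECTS:
        hits.append("bounce-like subject")
    body = msg.body.lower()
    if any(phrase in body for phrase in BOUNCE_BODY_PHRASES):
        hits.append("binary-attachment excuse in body")
    for name in msg.attachments:
        ext = re.search(r"\.[a-z0-9]+$", name.lower())
        if ext and ext.group(0) in EXECUTABLE_EXTS:
            hits.append(f"executable attachment: {name}")
    return hits


def should_quarantine(msg):
    """Quarantine when an executable rides along with a bounce-message tell.
    A real MTA bounce never carries an executable, and an ordinary mail with an
    .exe but no bounce wording is left to the regular antivirus scan."""
    hits = indicators(msg)
    has_exec = any(h.startswith("executable attachment") for h in hits)
    return has_exec and len(hits) >= 2


# Constructed sample messages (not captured traffic).
SAMPLES = [
    Message("postmaster@example.net", "Mail Transaction Failed",
            "The message contains Unicode characters and has been sent as "
            "a binary attachment.", ["document.exe"]),
    Message("MAILER-DAEMON@example.net", "Mail Delivery System",
            "Delivery to the following recipient failed permanently.", []),
    Message("alice@example.net", "Setup utility as discussed",
            "Here is the installer you asked for.", ["setup.exe"]),
]


def scan(messages):
    """Return (subject, quarantined) for each message, for a gateway log."""
    return [(m.subject, should_quarantine(m)) for m in messages]


if __name__ == "__main__":
    for subject, flagged in scan(SAMPLES):
        print(f"{'QUARANTINE' if flagged else 'pass      '}  {subject}")
```

The combination rule is the point: any one indicator alone produces false positives (real bounces, legitimate executables), while requiring the executable plus a bounce tell matches the specific disguise this worm relied on.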


11/3/03 VIRUS ALERT!
IMPORTANT!!! 

A self-mailing worm spread Friday at such a rapid clip that several security firms raised their threat assessments to alert users of the danger.

The worm, pegged as Mimail.C by most anti-virus vendors, was discovered just after midnight Friday, and is a variation of similar malicious code launched in August. That trend, one successful worm tweaked to create another, is nothing new; the most notable example has been a series of worms dubbed as Sobig, whose latest incarnation last struck in August and September.

Like its predecessor, Mimail.C attempts to steal confidential information from compromised machines and send the harvested data to pre-determined e-mail addresses. The actual Windows applications it pickpockets are still under investigation, said Craig Schmugar, a virus research engineer with Network Associates.

Mimail.C disguises its worm payload in a .zip file labeled as PHOTOS.ZIP, and tries to trick users into opening the message and launching the file by spoofing the sender address as originating from the user's own domain, and using a subject heading of "Re: our private photos."

Because it's a mass-mailed worm -- and collects e-mail addresses from infected Windows systems to propagate -- Mimail may clog mail servers or degrade network performance, said Symantec in an e-mailed alert.

But "it's nowhere near as effective in mailing itself as was Sobig," said Schmugar. Although there could be a spike in propagation, and thus e-mail traffic, later Friday as workers leave work and fire up their home PCs, Schmugar doesn't expect the worm to reach the rate of multiplication that Sobig achieved.

Nonetheless, anti-virus organizations raised their alert levels to account for the pace of Mimail's spread. Network Associates, for instance, now tags the worm as a 'medium' threat, while Symantec upped its assessment from a '2' to a '3.' Symantec uses a 1 through 5 point system to designate virus danger.

Anti-virus vendors such as Network Associates and Symantec and others have already refreshed their virus definitions to account for Mimail, and urge their users to update.

As always, RGV recommends that you never open any email with attachments unless you are certain where it came from. Keep your antivirus software updated as often as you can. For more information on this worm you can visit:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html



9/22/03 VIRUS ALERT!
Updated 9/26/03

IMPORTANT!!! Please do not open an email containing the text like this:

"MS User" or "This is the latest version of security update".

OR from "Technical Assistance" or "Microsoft" or any other group claiming to have patches for you.  Only use patches provided by your direct Internet Provider or by going directly to the Microsoft website yourself.

Microsoft NEVER sends any update via email!!!

Over the weekend the Internet had another virus outbreak. This time the virus came to your email box in the form of an email that looked perfectly legitimate. It contained the instructions from Microsoft for a new patch. If you have executed those instructions you have infected your computer with this new "worm".

We are aware that several of our users have had this occur. Unfortunately, for everyone, our mail server has been overwhelmed with send and receive requests due to this problem.

This morning our server was placed offline so that we could remove the bogus emails and clean up the traffic due to those emails. The process has been completed and the server is back online.

Due to this virus and subsequent mail server problem, some potentially legitimate mail that you were trying to send out may have not reached its desired destination during the period from Saturday afternoon (9/20) to this morning (9/22). If this is a concern for you, please resend any mail that you have created during this period.

Below, please find the instructions on how to clean your system in regards to this virus:

Removal tool Information can be found here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html

The Removal Tool download is here:

http://www.symantec.com/avcenter/FixSwen.exe

W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. It attempts to spread through file-sharing networks, such as KaZaA and IRC, and attempts to kill antivirus and personal firewall programs running on a computer.

The worm can arrive as an email attachment. The subject, body, and From: address of the email may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail. W32.Swen.A@mm is similar to W32.Gibe.B@mm in function, and is written in C++. This worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message.

Information and a patch for the vulnerability can be found at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected: DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x

Swen.A@mm Removal Info (document)