Virus alerts for April 2005

By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient anti virus program which checks for updates hourly.

Contact Us for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.
Free trial antivirus
Latest Virus Alert

Apr 30 2005 More AHKER - WORM_AHKER.G

WORM_NOPIR.B is a non-destructive, memory-resident worm that propagates via peer-to-peer networks. It searches for available peer-to-peer applications and then sends copies of itself to all available or online users. This worm is spreading in-the-wild and infecting computers running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this memory-resident worm creates the folder %Program Files%\Restore. It then drops a copy of itself in this folder as VXST.EXE. It also drops a copy of itself as %Program Files%\Projects Visual Studio.NET\Nctrup.exe, and searches for and deletes files with the extensions .com and .mp3.

This worm also creates several registry entries that perform the following:

* Ensure its automatic execution at every Windows startup
* Disable registry tools
* Prevent the user from accessing the Control Panel to edit the registry

This worm does not check for memory-residency, so multiple instances of it may run on a computer system.


Top 10 Most Prevalent Global Malware
(from April 22 to April 28, 2005)

1. HTML_NETSKY.P
2. JAVA_BYTEVER.A
3. HKTL_BRUTFORCE.A
4. WORM_NETSKY.P
5. TSPY_SMALL.SN
6. TSPY_LINEAGE.GEN
7. SPYW_GATOR
8. SPYW_DASHBAR.300
9. SPYW_GATOR.D
10. TROJ_BAGLE.BH

Apr 23 2005 All About AHKER - WORM_AHKER.G

WORM_AHKER.G is a non-destructive, memory-resident worm that propagates via email. It arrives as an email attachment that, upon execution, drops a file in the Windows folder. It also has the ability to spread copies of itself via peer-to-peer (P2P) file-sharing applications by dropping copies of itself into certain P2P application shared folders, making the dropped copies available for download to other users within the network. It uses file names that are mostly related to Hollywood stars, to entice users to unknowingly download copies of it. In addition, this worm is capable of terminating running applications on a system. WORM_AHKER.G runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, it creates the following registry entries to ensure that it automatically executes during every Windows startup.

This worm sends copies of itself via email by using Message Application Protocol Interface (MAPI) functions. The email message that it sends contains the following details:

From: (any of the following)
• agent@hacker.com
• bazzi@microsoft.com
• billy@hacker.com
• hilton_britgette@ahker.lb
• johnloke@msn.uk
• majortom@fbi.gov
• mariah_hillary@aol.com
• michel_bado@gmail.com
• otacon@konami.jp
• peter_parker@hotmail.com
• sarah_alia@yahoo.com
• seniormanager@byblos.com

Subject: (varying subjects)

Message body: (any of the following)
• Hey buddy,
• Bad Gateway: The message has been attached.
• Encrypted message is available.
• ESMTP [Secure Mail System #334]: Secure message is attached.
• I have a big list of the websites you surfed.
• Mail transaction failed. Partial message is available.
• sendmail daemon reported:
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
• The message contains MIME-encoded graphics and has been sent as a binary attachment.
• The message contains Unicode characters and has been sent as a binary attachment.
• There is the password you requested!
• You have visited illegal websites!!
• Your credit card was charged for $500 USD. For additional information see the attachment.

Attachments: (varying attachment file names)

This worm is also capable of propagating via P2P file sharing networks by dropping copies of itself into certain P2P application shared folders, as follows:

\BearShare\Shared
\Edonkey2000\Incoming
\Grokster\My Grokster
\KazaA lite\My Shared Folder
\Kazaa\My Shared Folder
\KMD\My Shared Folder
\Morpheus\My Shared Folder
\My Downloads
\Shared

It uses interesting file names to entice other users in the P2P networks, where a copy of itself can be downloaded as the following:

Britney Spears Naked.exe
Paris Hilton Naked.exe
Hotmail Crack v.2.5 by Agent Hacker.exe
MSN Crack by Agent Hacker.exe
Hotmail Hack.exe
Britney Spears XXX.exe
Christina Aguilera XXX.exe
Paris_Hilton_Free_Sex_Clip.exe

Process Termination

This worm terminates several system processes and also disables applications on an affected system. In addition, the worm adds several entries in the system's HOSTS file, preventing the user from accessing certain Web sites, mostly related to antivirus and security companies.


Top 10 Most Prevalent Global Malware
(from April 15 to April 21, 2005)

1. TROJ_BAGLE.BH
2. SPYW_INVKEY12.A
3. HTML_NETSKY.P
4. HKTL_BRUTFORCE.A
5. WORM_NETSKY.P
6. SPYW_NETVZRVW.B
7. SPYW_GATOR.D
8. ADW_WEBSEARCH.B
9. JAVA_BYTEVER.A
10. SPYW_CSNOOP.A

Apr 17 2005 Keeping Kelvir - WORM_KELVIR.N

WORM_KELVIR.N is a non-destructive worm that propagates via MSN Messenger. It sends a message containing a link to all contacts listed in the affected user's MSN Messenger Contacts. When clicked, this link downloads a file. This worm is currently spreading in-the-wild and infecting computers running Windows 95, 98, ME, NT, 2000, and XP.

Upon arrival, this worm drops, extracts, and executes the following files:

* UNCANNY.EXE – a copy of the worm
* ADVBOT.EXE – detected as WORM_SDBOT.BLL

This worm sends a message to all contacts in MSN Messenger with the following details:

Never give out your password or credit card number in an instant message conversation.

its you!

<link which downloads the file detected as WORM_SDBOT.BLL>

Once the recipient clicks the link, the file ADVBOT.EXE is downloaded.


Top 10 Most Prevalent Global Malware
(from April 9 to April 15, 2005)

1. TROJ_SMALL.AFG
2. WORM_NETSKY.P
3. HTML_NETSKY.P
4. JAVA_BYTEVER.A
5. SPYW_GATOR.D
6. ADW_WEBSEARCH.B
7. WORM_NETSKY.D
8. WORM_NETSKY.B
9. WORM_MOFEI.B
10. WORM_ANIG.A

Apr 09 2005 Crowded House - WORM_CROWT.D

WORM_CROWT.D is a non-destructive, memory-resident worm that spreads via email using its own Simple Mail Transfer Protocol (SMTP) engine to send email to those addresses found in the Windows Address Book. This worm has backdoor capabilities that could allow a remote user to perform malicious activities. It also modifies the Windows HOSTS File to prevent affected users from accessing specific Websites, including Trend Micro, McAfee, Kaspersky, F-Secure, Symantec, and Sophos. This worm is currently spreading in-the-wild, and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, the worm opens the URL http://news.google.com, and drops the files SERVICES.EXE and SERVICES.DLL. The file SERVICES.EXE is a copy of the worm, which is executed at every system startup. The worm's DLL component, SERVICES.DLL, contains a routine that attempts to send copies of itself via email using its own Simple Mail Transfer Protocol (SMTP) engine to email addresses found in the Windows Address Book (WAB). The email message body may contain information gathered from the Google Web page.

This worm also has backdoor capabilities, which may allow a remote user to execute the following malicious commands:

* Copy files
* Check operating system version
* Execute processes
* Delete cookies
* Download files
* Log & send keystrokes to remote user
* Capture screenshots
* Terminate processes
* Shutdown/restart system

The worm also performs a HOSTS file modification routine that results in a user being blocked from accessing specific Web sites, and instead being redirected to a specific IP address. NOTE: Our web site is NOT on this list! The following sites are inaccessible to affected users due to this modification routine:


Top 10 Most Prevalent Global Malware
(from April 3 to April 9, 2005)

1. TROJ_SMALL.AFG
2. HTML_NETSKY.P
3. WORM_NETSKY.P
4. JAVA_BYTEVER.A
5. SPYW_CYSNOOP.A
6. TROJ_DLOADER.DH
7. SPYW_GATOR.D
8. WORM_RBOT.GEN
9. TROJ_SMALL.N
10. ADW_WEBSEARCH.B

Apr 07 2005 Like Kryptonite? - WORM_KRYNOS.B

WORM_KRYNOS.B is a destructive, memory-resident worm that propagates via peer-to-peer applications by dropping a .ZIP copy of itself in a certain folder. It may also spread via email by sending itself as an attachment. This worm has backdoor capabilities, allowing remote users to access and perform malicious tasks on affected machines. It can also prevent affected users from accessing certain antivirus and security Web sites by modifying the HOSTS file. WORM_KRYNOS.B is currently spreading in-the-wild, and infecting computers running Windows NT, 2000, and XP.

Upon execution, this memory-resident worm drops the following files in the Windows folder:

* %Windows%\Help\svchost.dat
* %Windows%\Help\svchost.exe
* %Windows%\Help\svchost.lce

It then displays the following message:
Can't open mfc73rp.dll

It creates a registry entry that allows it to automatically execute the dropped file svchost.exe at every system startup.

This worm propagates via P2P applications by making a .ZIP copy of itself in a specific folder -- the file name depends on the names of the currently saved files in that folder.

The worm may also propagate by sending itself as an attachment to an email message. It searches files with the extensions HTM and TXT for target email addresses. However, it first queries www.google.com to check for an Internet connection, before it sends the email.

The email it sends contains the following details:

From: security@microsoft.com

To: (recipient email address harvested from affected system)

Subject: Microsoft Security Update

Message body:
* "Vulnerability in Windows Explorer Could Allow Remote Code Execution (612827)"
Affected Software:
* Impact of Vulnerability: Remote Code Execution
* Importance: High
* Maximum Severity Rating: Critical
* Recommendation: Customers should apply the attached update at the earliest opportunity
* Summary:
* Who should read this document: Customers who use Microsoft Windows
* X-Mailer: Secure Microsoft Client, Build 2.1
* X-MimeOLE: Produced By Secure Microsoft Client V2.1
* X-MSMail-Priority: High
* X-Priority: 1 (Highest)

Attachment:
* ARC
* ARJ
* GZ
* LZH
* TGZ
* ZIP
* ZOO

The worm avoids sending email to addresses containing certain strings.
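A mail gateway can match the details listed above before a user ever sees the message. The following Python is an added example, not code from the original page: it assumes the X-Mailer and X-MimeOLE lines the page lists are message headers, and the function names, the sample message and the attachment name `update.zip` are constructed for illustration.

```python
from email import message_from_string

# Indicators taken from the WORM_KRYNOS.B description on this page.
ARCHIVE_EXTS = {"arc", "arj", "gz", "lzh", "tgz", "zip", "zoo"}
HEADER_INDICATORS = {
    "From": "security@microsoft.com",
    "Subject": "Microsoft Security Update",
    "X-Mailer": "Secure Microsoft Client, Build 2.1",
    "X-MimeOLE": "Produced By Secure Microsoft Client V2.1",
}

# Constructed sample message (not a captured one); the file name is hypothetical.
SAMPLE_MESSAGE = """\
From: security@microsoft.com
Subject: Microsoft Security Update
X-Mailer: Secure Microsoft Client, Build 2.1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Customers should apply the attached update at the earliest opportunity
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="update.zip"

constructed-placeholder-bytes
--b1--
"""

def krynos_indicators(raw_message):
    """Return the page-described indicators found in one raw message."""
    msg = message_from_string(raw_message)
    hits = []
    for header, expected in HEADER_INDICATORS.items():
        if expected.lower() in msg.get(header, "").lower():
            hits.append("header:" + header)
    for part in msg.walk():                      # root, body and attachments
        name = part.get_filename()
        if name and "." in name and name.rsplit(".", 1)[1].lower() in ARCHIVE_EXTS:
            hits.append("attachment:" + name)
    return hits

def should_quarantine(raw_message):
    """Quarantine only when a spoofed-bulletin header and an archive coincide."""
    hits = krynos_indicators(raw_message)
    return (any(h.startswith("header:") for h in hits)
            and any(h.startswith("attachment:") for h in hits))
```

Requiring both a header match and an archive attachment keeps ordinary mail that merely carries a .zip file out of quarantine.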

The following backdoor capabilities are enabled by the worm:

Get, upload, download, or delete a file
List files in a folder
Disconnect current user
Restart the system
Run a program
Create or delete a folder

This worm also modifies the system's HOSTS file, which contains the host name to IP address mappings. This modification prevents affected users from accessing specific sites related to antivirus companies.
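The HOSTS-file tampering described here, and in the WORM_CROWT.D and WORM_AHKER.G entries, can be checked for by looking for security-vendor names pinned to any address. The following Python is an added example, not code from the original page: the vendor suffix list is a subset of the vendors named in the WORM_CROWT.D description, and the function names and sample HOSTS content are constructed for illustration.

```python
import ipaddress

# Subset of the vendor domains named in the WORM_CROWT.D description (assumption).
VENDOR_SUFFIXES = ("trendmicro.com", "mcafee.com", "kaspersky.com",
                   "f-secure.com", "symantec.com", "sophos.com")

# Constructed sample HOSTS content: a default entry plus tampered lines.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com   # tampered
0.0.0.0         TrendMicro.com
192.0.2.10      download.mcafee.com
10.0.0.5        intranet.example.local
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in HOSTS text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                               # blank or malformed line
        for host in fields[1:]:                    # one address, many names
            yield line_no, fields[0], host.lower().rstrip(".")

def is_vendor(host):
    """True for a vendor domain or any subdomain of it (not a look-alike)."""
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)

def audit_hosts(text):
    """Return (line_no, host, address, kind) for each pinned vendor name."""
    findings = []
    for line_no, addr, host in parse_hosts(text):
        if not is_vendor(host):
            continue
        try:
            ip = ipaddress.ip_address(addr)
            kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        except ValueError:
            kind = "invalid-address"
        findings.append((line_no, host, addr, kind))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On Windows NT, 2000 and XP the file to pass in is normally `%SystemRoot%\system32\drivers\etc\hosts`; a clean system has no reason to map antivirus update hosts there at all.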

If you would like to scan your computer for WORM_KRYNOS.B or thousands of other worms, viruses, Trojans and malicious code, trial our antivirus for free.


Top 10 Most Prevalent Global Malware
(from March 25 to March 31, 2005)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. JAVA_BYTEVER.A
4. TROJ_DLOADER.DH
5. TROJ_SMALL.SN
6. SPYW_GATOR.D
7. TROJ_DFC.A
8. PE_PARITE.A
9. TROJ_DLOADER.DG
10. WORM_ANIG.


12website has a maintenance program for our clients to ensure they will not be 'let down' by an inefficient computer.

Computer maintenance is necessary to keep your machine running smoothly without down time.