Virus alerts for Dec 2006
Computer virus alert
By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient anti virus program, which checks for updates hourly.

Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.
Free trial antivirus

Most recent malware, computer viruses, worms, Trojan horses, spyware and adware.

Confused? See the "What is malware?" section below for a definition.

W32.Spybot.AMTE December 24, 2006

W32.Spybot.AMTE is a worm that spreads through mIRC and to network shares protected by weak passwords. It also spreads by exploiting several vulnerabilities, listed below.

Discovered: December 22, 2006
Type: Worm
Infection Length: 141,312 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Spybot.AMTE is executed, it performs the following actions:

1. Copies itself as the following file:

%Windir%\symtea.exe

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

2. Adds the value:

"Microsoft"="symtea.exe"

to the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it executes whenever Windows starts.

3. Modifies the following files in order to disable Windows File Protection:

* %System%\sfc.dll
* %System%\sfc_os.dll

Note:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* The worm copies the original %System%\sfc.dll and %System%\sfc_os.dll files as %System%\trash[RANDOM DIGITS].

4. Modifies the following files in order to disable the half-open connections limit introduced with Windows XP SP2:

* %System%\dllcache\tcpip.sys
* %System%\drivers\tcpip.sys

5. Modifies the value:

"EnableDCom" = "N"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

to lower security settings.

6. Modifies the value:

"restrictanonymous" = "1"

in the registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

to lower security settings.

7. Opens a back door and connects to the IRC server symtec.easypwn.com on port 2007 or 666, allowing a remote attacker to perform the following actions on the compromised computer:

* Copy or delete files
* Download files
* Show status
* Show IP address
* Portscan the network for vulnerable computers
* Scan vulnerabilities
* Start ftpd
* Start Internet Explorer
* End processes
* Stop other worms
* Stop security-related services
* List processes
* Use a network sniffer

8. Spreads by exploiting the following vulnerabilities:

* The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026)
* The Microsoft Windows Message Queuing Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-017)
* The Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow vulnerabilities (as described in Microsoft Security Bulletin MS04-007)
* The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039)
* The Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049)
* The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS06-040)
* Multiple Vendor FTPD realpath Vulnerability (as described in CVE-1999-0368)
* Symantec Client Security and Symantec AntiVirus Elevation of privilege (as described in Symantec Advisory SYM06-010)

9. Attempts to spread through mIRC and to network shares protected by weak passwords.
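
The steps above give a defender a concrete set of host indicators: the dropped file, the Run-key value, the sfc backup files, the two registry changes and the IRC server. The following is an added example, not part of the original alert or of any vendor's tooling, that turns those indicators into an offline check over a host snapshot. The HostSnapshot type, the sample hosts and the finding strings are constructed here for illustration; only the paths, value names and server details come from the writeup.

```python
# Added example (not from the original alert page): offline check of the
# W32.Spybot.AMTE indicators listed above against a constructed host snapshot.
import re
from dataclasses import dataclass, field

# Indicators taken from the writeup above.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
OLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE"
LSA_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
IRC_HOST = "symtec.easypwn.com"
IRC_PORTS = {2007, 666}


@dataclass
class HostSnapshot:
    """Constructed inventory of one host (hypothetical type, not a real API).

    Windows paths and registry names are case-insensitive, so everything is
    normalised to lower case once here and compared in lower case later.
    """
    windir: str                                     # resolved %Windir%
    system: str                                     # resolved %System%
    files: set                                      # full paths present on disk
    registry: dict                                  # {(subkey, value_name): data}
    connections: set = field(default_factory=set)   # {(remote_host, port)}

    def __post_init__(self):
        self.files = {p.lower() for p in self.files}
        self.registry = {(k.lower(), n.lower()): d for (k, n), d in self.registry.items()}
        self.connections = {(h.lower(), p) for h, p in self.connections}

    def has_file(self, path):
        return path.lower() in self.files

    def reg(self, subkey, name):
        return self.registry.get((subkey.lower(), name.lower()))


def check_spybot_amte(host):
    """Return one finding string per Spybot.AMTE indicator present on the host."""
    findings = []

    # Step 1: dropped copy of the worm in the Windows folder.
    dropped = host.windir + r"\symtea.exe"
    if host.has_file(dropped):
        findings.append(f"worm copy present: {dropped}")

    # Step 2: "Microsoft"="symtea.exe" persistence value in any of the Run keys.
    for key in RUN_KEYS:
        data = host.reg(key, "Microsoft")
        if data is not None and str(data).lower() == "symtea.exe":
            findings.append(f"persistence value Microsoft=symtea.exe under {key}")

    # Step 3: the worm keeps the original sfc.dll / sfc_os.dll as
    # %System%\trash[digits], so a leftover backup is a strong indicator.
    backup = re.compile(re.escape(host.system.lower() + "\\") + r"trash\d+$")
    for path in sorted(host.files):
        if backup.match(path):
            findings.append(f"WFP backup left behind: {path}")

    # Steps 5 and 6: the two registry changes the writeup lists.
    if str(host.reg(OLE_KEY, "EnableDCOM")).upper() == "N":
        findings.append(f"EnableDCOM=N under {OLE_KEY}")
    if str(host.reg(LSA_KEY, "restrictanonymous")) == "1":
        findings.append(f"restrictanonymous=1 under {LSA_KEY}")

    # Step 7: back-door connection to the named IRC server on either port.
    for remote_host, port in sorted(host.connections):
        if remote_host == IRC_HOST and port in IRC_PORTS:
            findings.append(f"IRC back-door connection to {remote_host}:{port}")

    return findings


# Constructed sample hosts (not real telemetry).
INFECTED_HOST = HostSnapshot(
    windir=r"C:\Windows", system=r"C:\Windows\System32",
    files={r"C:\Windows\symtea.exe", r"C:\Windows\System32\sfc.dll",
           r"C:\Windows\System32\trash48213", r"C:\Windows\System32\notepad.exe"},
    registry={(RUN_KEYS[0], "Microsoft"): "symtea.exe",
              (RUN_KEYS[2], "Microsoft"): "symtea.exe",
              (OLE_KEY, "EnableDCom"): "N",
              (LSA_KEY, "restrictanonymous"): "1"},
    connections={("symtec.easypwn.com", 2007)},
)
CLEAN_HOST = HostSnapshot(
    windir=r"C:\Windows", system=r"C:\Windows\System32",
    files={r"C:\Windows\System32\sfc.dll", r"C:\Windows\System32\notepad.exe"},
    registry={(RUN_KEYS[0], "Updater"): r"C:\Program Files\Updater\updater.exe",
              (OLE_KEY, "EnableDCom"): "Y", (LSA_KEY, "restrictanonymous"): "0"},
    connections={("irc.example.invalid", 6667)},
)

if __name__ == "__main__":
    for name, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        hits = check_spybot_amte(host)
        print(f"{name}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  -", hit)
```

On a live machine the snapshot would be filled from a directory listing, a registry export and a netstat-style connection table; the matching logic stays the same. The modified sfc.dll and tcpip.sys themselves are not checked here, because the writeup gives no hash for the patched versions; comparing those files against known-good copies is the usual follow-up.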


W97M.Mxfile.M December 09, 2006

W97M.Mxfile.M is a macro virus which spreads by infecting Microsoft Word documents and the global template, Normal.dot.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When a document that is infected with the virus is opened or closed, the macro performs the following actions:

1. Changes the following Microsoft Word options:

* Turns off screen updating to speed up the macro code.
* Disables the default macro warning message when you open a document that contains a macro.
* Disables Microsoft Word virus protection.
* Automatically saves any changes made to the Normal.dot template without prompting.
* Suppresses the Convert File dialog box that normally appears when you open a file that is not a Word document or template.

2. Infects all open Microsoft Word documents and the Normal.dot template file with a viral macro module named ANTIMACROS.


W32.Mixor.K@mm December 04, 2006

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

W32.Mixor.K@mm is a mass-mailing worm that drops additional malware on the compromised computer.

When W32.Mixor.K@mm is executed, it performs the following actions:

1. Creates the following files:

* %System%\nordsys.exe
* %CurrentFolder%\[7 RANDOM CHARACTERS].exe - a copy of Trojan.Galapoper.A

Notes:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.

2. Adds the value:

"Nord" = "%System%\nordsys.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

3. Modifies the value:

"Start" = "4"

in the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

to disable the Windows firewall and the Shared Access service.

4. Gathers email addresses from the Windows Address Book by checking the file linked to the following registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name

5. Gathers email addresses from files with the following extensions on all fixed drives:

* .htm
* .txt
* .hta

6. Ends security-related processes whose window title contains one of the following words:

* mcafee
* taskmgr
* hijack
* f-pro
* lockdown
* msconfig
* firewall
* blackice
* avg
* vsmon
* zonea
* spybot
* nod32
* reged
* rav
* nav
* avp
* troja
* viru
* anti

7. Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From: [Spoofed]

Subject:
One of the following:

* White house news!
* URG
* ATTN TO EVERYBODY!
* READ AND RESEND ASAP!
* Incredible news!
* NEWS!
* ATTN
* URGENT NEWS!

Message body:
One of the following:

* For read this news open file
* Full news in attach
* Full news in attached file
* Full news included in attached file
* Open file to get complete news.
* Read more in attach...
* Read more in attached file...

Attachment:
One of the following:

* CNN latest news.exe
* CNN news reader.exe
* WWW-CNN-COM.exe
* cnn agent.exe
* cnn site explorer.exe
* cnn.exe
* news agent.exe
* news reader.exe
* read me.exe
* webnews agent.exe
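
The subject lines, body phrases and attachment names above are exactly what a mail gateway can match on. The following is an added example, not part of the original alert or of any vendor's product, that builds such a rule with Python's standard email library. The sample messages are constructed inline, and the blocking policy (block on a listed attachment name, or on an .exe attachment arriving together with a listed subject or body phrase) is an assumption of this example rather than something the writeup states.

```python
# Added example (not from the original alert page): a mail-gateway rule built
# from the W32.Mixor.K@mm lure characteristics listed above.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lure strings taken from the writeup above, lower-cased for matching.
SUBJECTS = {s.lower() for s in (
    "White house news!", "URG", "ATTN TO EVERYBODY!", "READ AND RESEND ASAP!",
    "Incredible news!", "NEWS!", "ATTN", "URGENT NEWS!",
)}
BODY_PHRASES = {s.lower() for s in (
    "For read this news open file", "Full news in attach",
    "Full news in attached file", "Full news included in attached file",
    "Open file to get complete news.", "Read more in attach...",
    "Read more in attached file...",
)}
ATTACHMENTS = {s.lower() for s in (
    "CNN latest news.exe", "CNN news reader.exe", "WWW-CNN-COM.exe",
    "cnn agent.exe", "cnn site explorer.exe", "cnn.exe", "news agent.exe",
    "news reader.exe", "read me.exe", "webnews agent.exe",
)}


def mixor_reasons(raw):
    """Parse one RFC 822 message and list the Mixor.K lure traits it shows."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []

    subject = (msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"subject matches lure list: {subject!r}")

    # Only the text/plain body is inspected; the lures are plain-text one-liners.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    # Longest matching phrase wins so the result is deterministic when one
    # phrase is a prefix of another ("Full news in attach" vs "...attached file").
    hit = max((p for p in BODY_PHRASES if p in body), key=len, default=None)
    if hit:
        reasons.append(f"body contains lure phrase: {hit!r}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            reasons.append(f"attachment name on lure list: {name!r}")
        elif name.endswith(".exe"):
            reasons.append(f"executable attachment: {name!r}")
    return reasons


def is_mixor_lure(raw):
    """Assumed policy: block on a listed attachment name, or on any .exe
    attachment that arrives with a listed subject or body phrase."""
    reasons = mixor_reasons(raw)
    known_name = any(r.startswith("attachment name") for r in reasons)
    exe = any(r.startswith("executable attachment") for r in reasons)
    lure_text = any(r.startswith(("subject", "body")) for r in reasons)
    return known_name or (exe and lure_text)


def build_message(subject, body, attachment_name, payload=b"MZ constructed stub"):
    """Construct a sample message in the shape the writeup describes."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"   # "[Spoofed]" in the writeup
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed samples, not captured mail.
LURE = build_message("Incredible news!", "Full news in attached file", "cnn.exe")
BENIGN = build_message("Quarterly figures", "See the attached spreadsheet.", "q4.xlsx")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, "->", "BLOCK" if is_mixor_lure(raw) else "pass", mixor_reasons(raw))
```

Matching exact strings catches this variant only; the `.exe`-plus-lure-text branch is what gives the rule some tolerance for the next variant that changes one word in the subject. Blocking bare executable attachments outright, regardless of text, is the broader control that makes this whole family's mailer ineffective.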


What is malware?

Malware is software designed to infiltrate or damage a computer system, without the owner's consent. The term is a combination of "mal-" (or perhaps "malicious") and "software", and describes the intent of the creator, rather than any particular features. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. In law, malware is sometimes known as a computer contaminant.

Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains errors or bugs.

Most Prevalent Global Malware
(December 10, 2006 to December 24, 2006)

W32.Spybot.AMTE
W32.Jhad
W32.Tanexor.A
W32.Koddro@mm
Bloodhound.Olexe
Trojan.Lydra
W32.Bakain
Trojan.Coldung
W32.Chatosky
Trojan.Dowiex!inf
W32.Pagipef.B
W32.Stration.EL@mm
W32.Memesa
Backdoor.Wualess.B
Bloodhound.Exploit.
W32.Sagevo
Trojan.Iesguide
Trojan.Daum
Trojan.Mdropper.U
Trojan.Mdropper.T
Trojan.Shipli 12-13-2006
W32.Dizan
Trojan.Skintrim
W32.Yautoit.N
Trojan.Huanux
Bloodhound.Exploit.106
Bloodhound.Exploit.104
Bloodhound.Exploit.103
Bloodhound.Exploit.102
Bloodhound.Exploit.101
W32.Selfish 12-11-2006
Bloodhound.Exploit.105

Most Prevalent Global Malware
(November 10, 2006 to December 10, 2006)

Infostealer.Aobys
W97M.Mxfile.M
W32.Kelvir.LS
Trojan.Booha
Trojan.Goldun.L!inf
Trojan.Goldun.L
Bloodhound.Packed.8
Bloodhound.Packed.7
Bloodhound.Packed.6
Bloodhound.Packed.5
Bloodhound.Packed.4
W32.Windang.A
W32.Imaut.S
Downloader.Realog
Downloader.Sniper
W32.Fujacks.D
W32.Mixor.K@mm
Downloader.Looked
W32.Fujacks.C
W32.Medbot.A
JS.Qspace
W32.Hitapop
Trojan.Horst
W32.Yalove
W32.Fujacks.B
W32.Looked.BK
W32.Spybot.ACYR
VBS.Zodgila
Infostealer.Perfwo.B
Bloodhound.Exploit.100
Backdoor.Singu.C
W32.Pardona.A@mm
W32.Stration.EC@mm
W32.Mixor.I@mm
Trojan.SpamThru
W32.Spybot.ALRD
Bloodhound.KillAV
W32.Pagipef
Trojan.Realor
W32.Sality.V!inf
Trojan.Popwin
W32.Sality.V
Bloodhound.Exploit.99
W32.Wantok
Trojan.Sevensaw
W32.Tellsky
W64.Abul
W32.Fujacks.A
Backdoor.Bias
W32.Lecna.D
Infostealer.Gampass
Trojan.StartPage.R