Virus alerts for March 2005
Computer virus alert
By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient anti virus program which checks for updates hourly

Contact Us for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.
Free trial antivirus

Latest Virus Alert

March 25, 2005 New Jeans - WORM_JEANS.A

WORM_JEANS.A is a memory-resident worm that attempts to propagate via email with itself as an attachment, using its own Simple Mail Transfer Protocol (SMTP) engine. It may use a polymorphic engine to drop a file containing the source code of the worm, and then recompile it to produce a different appearance. While the inclusion of source code in the worm is not new behavior (BAGLE variants included this), the recompilation of the dropped source code is. This "courier virus" behavior is described as the worm being able to carry its whole source code within itself, and eventually dropping and recompiling it on the infected computer to create new variants of itself. It infects computers running Windows 98, ME, NT, 2000, and XP.

Upon execution, the worm drops a copy of itself as INCUBATOR.SCR in the Windows folder or BIGFISH.SCR in the Windows system folder. It creates registry entries that allow it to automatically execute at every system startup. It also adds registry entries such that when certain applications are executed, this worm runs instead of the programs selected.

This worm attempts to propagate via email. It searches for target email addresses in files with the following file name extensions:

* .asp
* .htm
* .xml

It retrieves SMTP servers from the system registry, and then attempts to send a copy of itself as an attachment using its own SMTP engine. The email message that it attempts to send contains the following details (however, due to bugs in its code, this worm is not able to execute this propagation routine):

From: Don Quijote y Sancho Panza

Subject: juas juas cuidadin con el attachhhhrrrr!!!!!

Message body: juas juas juas peaso de bicho que lleva el attach!!! juas juas!!! ;D
Vallez\29a

Attachment: soyunpeasodebichooooooo.scr

This worm may also display a message box with the following:

Win32.Genome coded by ValleZ/29a


Top 10 Most Prevalent Global Malware
(from March 18 to March 24, 2005)

1. HTML_NETSKY.P
2. WORM_NETSKY.P
3. JAVA_BYTEVER.A
4. TROJ_DLOADER.DH
5. TROJ_SMALL.SN
6. TROJ_DLOADER.DG
7. SPYW_GATOR.D
8. TROJ_DFC.A
9. SPYW_GATOR.C
10. WORM_NETSKY.

March 18, 2005 Antispyware Killer - steals information related to online banking Web sites - TROJ_ASH.A

TROJ_ASH.A is a destructive, memory-resident Trojan that terminates and deletes all files related to Microsoft Windows Antispyware. It also steals information related to online banking Web sites, by monitoring a user's Internet transactions at certain online banking sites. It runs on Windows 95, 98, ME, NT, 2000, and XP.

This memory-resident Trojan arrives in a system as the file ASH.DLL, in the Windows system folder. It may also be downloaded by the user from the Internet. Before installation, the Trojan checks whether Microsoft Windows Antispyware is installed. If found, it attempts to terminate and delete all files related to this application.

This Trojan steals information related to online banking Web sites, by monitoring the user’s Internet transactions and waiting for the user to access the following online banking sites:

* https://ibank.barclays.co.uk
* https://ibank.cahoot.com
* https://olb2.nationet.com
* https://online.lloydstsb.co.uk
* https://www.bankofscotlandhalifax-online.co.uk
* https://www.ebank.hsbc.co.uk
* https://www.millenniumbcp.pt
* https://www.ukpersonal.hsbc.com

When the Trojan detects visits to any of these banking sites, it displays a spoofed .HTML page to trick the user into entering their account information. The stolen data is then sent to a remote user.

The Trojan then drops the following log files in the Windows folder, to store the information it gathers from the user:

* Email.log
* Pass.log
* Req.log

In addition to gathering user IDs and passwords, it also gathers email addresses found in the user's system. It gathers email addresses from files with the following extensions:

* .*ht*
* .adb
* .asp
* .dbx
* .doc
* .eml
* .msg
* .oft
* .ph*
* .pl*
* .rtf
* .tbb
* .tx*
* .uin
* .vbs
* .wab
* .xls
* .xml

This Trojan also terminates certain processes, and modifies the HOSTS file. The HOSTS file contains mappings of host names to IP addresses. It is loaded into the computer’s memory at startup, and Windows checks it before connecting to a requested Web site. If a requested Web site is listed in the HOSTS file, any attempt to connect to that site is redirected to the address given there, typically back to the local machine (your own computer’s IP address). This also blocks other applications from connecting to the Internet, as long as the Web site they attempt to reach is listed in the HOSTS file.

HOSTS files are useful for blocking ads, banners, cookies, and known malicious Web sites. However, this technique is now being employed by various malware to prevent users from accessing antivirus and security related Web sites.

This Trojan adds many lines in the system's HOSTS file, preventing a user from accessing many authentic Web sites.
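The HOSTS hijacking described above leaves a visible trace: entries that pin names to the local machine or to some other address. The following is an added example, not code from the original page or from any vendor, that parses a HOSTS file and flags such entries; the sample file and the hostnames in it are constructed placeholders, not the entries written by TROJ_ASH.A.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file. The .test names are placeholders,
# not the real entries the Trojan writes.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# added lines: security sites sunk to the local machine
127.0.0.1       www.example-antivirus.test   update.example-antivirus.test
0.0.0.0         downloads.example-security.test
# added line: a hostname pinned to a different address instead
192.0.2.10      www.example-bank.test
"""

# Names that are expected to resolve to the local machine and should not be flagged.
EXPECTED_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blanks and unparsable lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing or whole-line comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # first token is not an address; not an entry
        for name in parts[1:]:                # one address may carry several names
            yield ip, name.lower()


def find_suspicious_entries(text):
    """Return (ip, hostname, reason) for every entry that overrides normal DNS resolution."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in EXPECTED_LOCAL:
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((str(ip), name, "sunk to the local machine"))
        else:
            findings.append((str(ip), name, "pinned to another address"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:40} -> {ip:15} {reason}")
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `find_suspicious_entries` instead of the sample; any hit naming an antivirus or update site is the symptom described above.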


Top 10 Most Prevalent Global Malware
(from March 12 to March 18, 2005)

1. HTML_NETSKY.P
2. WORM_NETSKY.P
3. JAVA_BYTEVER.A
4. TROJ_SMALL.SN
5. TROJ_DFC.A
6. JAVA_BYTEVER.B
7. SPYW_GATOR.D
8. TROJ_BAGLE.BG
9. WORM_RBOT.GEN
10. TROJ_STARTPA.A

March 12, 2005 WORM ASSIRAL - WORM_FATSO.A

This non-destructive, memory-resident worm propagates via MSN Messenger and the eMule peer-to-peer file sharing application. It is capable of redirecting infected users to a certain Web site whenever the user accesses Web sites associated with antivirus and security companies. It may also terminate certain running processes and prevent these processes from executing while this worm is resident in memory. This worm also opens a text file, which is a message allegedly addressed to the author of WORM_ASSIRAL.A, the self-proclaimed creator of anti-BROPIA worms. As a payload, WORM_ASSIRAL.A proclaimed that its author was "freeing the world from BROPIA". This worm was known to terminate BROPIA-related processes. WORM_FATSO.A now insults the author of WORM_ASSIRAL, accusing him/her of being a "noob" (a "newbie", or an inexperienced person, specifically a programmer), possibly because WORM_ASSIRAL used SMTP, a relatively "old" and conventional means of propagating worms. This worm infects systems running Windows 95, 98, ME, NT, 2000, and XP.

This worm arrives on a system via MSN Messenger. Upon execution, it drops copies of itself in the system root folder, as well as several nonmalicious files. The worm then creates several registry entries that allow it to automatically execute its dropped files at every system startup.

To propagate via MSN messenger it sends an instant message to all online contacts of an affected user, containing a link to a certain Web site. When a user clicks on this link, a copy of this worm is downloaded into the system. To propagate via eMule it copies itself in the %Program Files%\Program Files\eMule\Incoming\ folder, the %Root%\My Shared folder and the <User Profile>\Shared folder of an affected system.

The worm also redirects affected users to a specific Web site when they attempt to access certain Web sites related to antivirus and security companies, and terminates processes.

This worm attempts to terminate processes and delete files associated with the malware WORM_ASSIRAL.C, if the files are not running in memory. It drops and executes the text file "Message to n00b LARISSA.txt" on the 1st, 7th, 10th, 19th, 25th, 26th, or the 30th day of any month. This text message is allegedly addressed to the creator of WORM_ASSIRAL.A.


Top 10 Most Prevalent Global Malware
(from March 4 to March 10, 2005)

1. HTML_NETSKY.P
2. WORM_NETSKY.P
3. JAVA_BYTEVER.A
4. TROJ_SMALL.SN
5. TROJ_DFC.A
6. JAVA_BYTEVER.B
7. SPYW_GATOR.D
8. TROJ_BAGLE.BG
9. WORM_RBOT.GEN
10. TROJ_STARTPA.A

March 8, 2005 WORM_KELVIR.B and WORM_FATSO.A. 12website.com has received numerous infection reports indicating that these malware are spreading in Korea and the United States of America.

• WORM_KELVIR.B:
This new worm is very similar to WORM_KELVIR.A, in that it also propagates via MSN messenger. It attempts to send the following instant message to all online MSN messenger contacts of an affected user:

"http://home.ea<BLOCKED>link.net/gallery10/omg.pif lol! see it! u'll like it"

When the user clicks the given URL, this worm downloads a copy of itself, named OMG.PIF, from that URL. When this downloaded copy is executed, it downloads another malware file from the Internet, which NOD32 detects as WORM_SDBOT.AUI.

• WORM_FATSO.A

This memory-resident worm arrives on a system via MSN Messenger, a popular instant messaging application. It spreads copies of itself to all online MSN Messenger contacts of an affected system by sending an instant message containing a link which, when clicked, downloads a copy of this worm into the recipient's system. This worm also has the ability to propagate via eMule, a known peer-to-peer (P2P) file sharing application.

This worm is capable of redirecting infected users to a certain Web site which, as of this writing, is no longer available. It does this whenever the user accesses Web sites that are associated with antivirus and security companies.

It may also terminate certain running processes, and disallow them from executing while this worm resides in the memory.


March 6, 2005 Worm Befriends Trojan - WORM_BAGLE.BE

On March 1, 12website.com declared a Medium Risk alert for WORM_BAGLE.BE.
March 6 update:
This non-destructive worm propagates by email, using addresses gathered from the Windows Address Book. It employs another malware, TROJ_BAGLE.BE, to create a worm-Trojan propagation cycle where the worm mass-mails copies of the Trojan. The Trojan, in turn, downloads copies of the worm from a long list of predefined Web sites. TROJ_BAGLE.BE carries malicious routines different from those exhibited by WORM_BAGLE.BE. In addition to downloading copies of its worm counterpart, this Trojan terminates several antivirus and security-related processes. It also prevents the user from accessing antivirus Web sites. The worm infects computers running Windows 98, ME, NT, 2000, and XP.

This mass-mailing worm arrives in a system as a file downloaded by TROJ_BAGLE.BE. Upon execution, it drops a copy of itself in the Windows system folder as the file WINDLHHL.EXE. It creates several registry keys that enable it to automatically execute at every system startup.

The worm propagates by mass-mailing copies of TROJ_BAGLE.BE which, in turn, attempts to download a copy of this worm from several Web sites. It gathers recipients' email addresses from the contacts found in the Windows Address Book. It also attempts to download the file EML.EXE into the Windows folder. This file contains a list of recipients to send email to, but the contents of the file may change at any time. It attempts to download this file every 100 milliseconds until it succeeds.

The worm attempts to contact a Simple Mail Transfer Protocol (SMTP) server to send emails. If it is unable to contact this server, it uses its own SMTP engine. It may also obtain the affected system’s Mail Exchanger (MX) server for its mass-mailing routine. If the Mail Exchanger server is not available, it uses the server 217.5.97.137.

The email message it sends out contains the following details:

Subject: <Blank>
Message body: (any of the following)
price
new price
Attachment: (any of the following)
08_price.zip
new__price.zip
new_price.zip
newprice.zip
price_08.zip
price_new.zip
price2.zip

Note that the attached file is a .ZIP copy of TROJ_BAGLE.BE. It contains a file named DOC_<decimal number>.EXE. Since the worm gathers email addresses from the Windows Address book (WAB), the sender indicated in the From: field may be familiar.

This worm also has a backdoor component that opens and listens on TCP port 80, and sets the infected system up to act as a Web server. It may allow a malicious user to take control of an infected system by logging on using a pre-set password, and may allow remote users to upload a file onto the Web server. It then attempts to download the file from the Web server (which is actually the infected machine, since it is set up as a Web server), using a specific URL. It saves the downloaded file into the Windows system folder as RE_FILE.EXE. After downloading, it then executes the file.

This worm attempts to remove the following registry entries from the key:

* 9XHtProtect
* Antivirus
* EasyAV
* FirewallSvr
* HtProtect
* ICQ Net
* ICQNet
* Jammer2nd
* KasperskyAVEng
* MsInfo
* My AV
* NetDy
* Norton Antivirus AV
* PandaAVEngine
* SkynetsRevenge
* Special Firewall Service
* SysMonXP
* Tiny AV
* Zone Labs Client Ex
* service


Top 10 Most Prevalent Global Malware
(from February 28 to March 6, 2005)

1. HTML_NETSKY.P
2. WORM_NETSKY.P
3. JAVA_BYTEVER.A
4. COOKIE_1020
5. COOKIE_45
6. COOKIE_1802
7. COOKIE_281
8. TROJ_SMALL.SN
9. TROJ_AGENT.AAB
10. TROJ_BAGLE.BE

March 1, 2005 WORM_BAGLE.BE.

This malware is spreading in New Zealand and Australia.

Initial analysis shows that this worm drops a copy of itself as WINDLHHL.EXE in the Windows system folder upon execution. It then mass-mails copies of TROJ_BAGLE.BE, which is responsible for downloading WORM_BAGLE.BE. The email that it sends out has the following details:

Subject: <blank>

Message Body: price

Attachment: <.ZIP copy of the TROJ_BAGLE.BE>

This worm scans infected systems for files with certain extension names to acquire its target recipients. It then uses its own SMTP engine and the domain servers of the acquired email addresses for its mailing routine. Unsuspecting users may then receive email messages from trusted acquaintances and readily execute the attachment, thereby launching this worm.

Upon execution, it proceeds to drop copies of itself in folders with names containing the text string "shar", or in shared folders. It also uses file names that appear legitimate. This worm compromises system security by terminating several antivirus and security-related applications if found on an infected system. It also connects to a list of Web sites where it may download components. It also opens port 81 possibly for its backdoor activities.

Continuing the notable BAGLE characteristics, it attacks the NETSKY family of worms. It deletes several registry entries and file names associated with NETSKY, and also creates several mutexes that prevent the execution of NETSKY variants on the infected machine.


Top 10 Most Prevalent Global Malware
(from February 23 to March 01, 2005)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. JAVA_BYTEVER.A
4. TROJ_AGENT.AAB
5. WORM_NETSKY.D
6. TROJ_SMALL.SN
7. SPYW_GATOR.D
8. JAVA_BYTEVER.B
9. SPYW_GATOR.C
10. WORM_NETSKY.Q


12website has a maintenance program for our clients to ensure they will not be 'let down' by an inefficient computer.

Computer maintenance is necessary to keep your machine running smoothly without down time.