Virus alerts for May 2005
Computer virus alert
By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient anti virus program which checks for updates hourly.

Contact Us for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.
Free trial antivirus

Virus Alerts May 2005

May 31 2005 - WORM_MYTOB.AR.
Antivirus Agency has received several infection reports indicating that this malware is spreading in Australia, China, Hong Kong, India, Japan, Korea, the Philippines, Taiwan, and the United States.

The following is a brief summary of what this worm is capable of doing:

This memory-resident worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

This email message has the following details:

Subject: (any of the following)
• {Random}
• *DETECTED* Online User Violation
• *IMPORTANT* Please Validate Your Email Account
• *IMPORTANT* Your Account Has Been Locked
• *WARNING* Your Email Account Will Be Closed
• Account Alert
• Email Account Suspension
• Important Notification
• Notice of account limitation
• Notice: **Last Warning**
• Notice:***Your email account will be suspended***
• Security measures
• Your email account access is restricted
• Your Email Account is Suspended For Security Reasons

Message body: (any of the following)
• Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
• please look at attached document.
• Please read the attached document and follow it's instructions.
• Please see the attachement.
• The original message has been included as an attachment.
• To safeguard your email account from possible termination, please see the attached file.
• To unblock your email account acces, please see the attachement.
• We attached some important information regarding your account.
• We have suspended some of your email services, to resolve the problem you should read the attached document.
• We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

Attachment: (any combination of the following file names and extension names)

File name:

• {random}
• account-details
• document
• document_full
• email-doc
• email-info
• information
• info
• info-text
• instructions
• your_details

Extension name:

• EXE
• PIF
• SCR
• ZIP

This worm also takes advantage of the LSASS vulnerability to propagate.

This worm also has backdoor capabilities. It comes with a built-in Internet Relay Chat (IRC) bot that allows it to connect to a specific IRC server. It then waits for commands from a remote user.

It also terminates processes, some of which are related to antivirus and security programs.

May 28 2005 - Nasty YAMI - PE_YAMI.A

PE_YAMI.A is a destructive, file-infecting virus that is currently spreading in China. This virus only infects valid portable executable (PE) files, which are 32-bit Windows executable files. It validates the type of file by checking its PE header. It then uses a cavity type of infection, infecting the file by inserting chunks of its virus code into the host file. It is currently spreading in-the-wild, and infecting computers running Windows XP.

Upon execution, this virus searches for PE files to infect in a target system's current folder. It writes a total of 3,029 bytes to the host file. However, because this is a cavity type virus, the file size of the infected file does not increase after infection. After infecting the host file, it utilizes a table to store information about the inserted virus code, such as the size and the next offset of the inserted chunks of virus code.

Once the file has been infected, this virus avoids reinfecting it by using its infection marker, YM. Once it has completed all of its routines, it then passes control back to the host file.

This virus may overwrite the hard disk of infected systems and attempt to damage the infected system by corrupting data in the CMOS.

The following string is found in the virus code:
v1.1 YANGMIN

Top 10 Most Prevalent Global Malware
(from May 20 to May 26, 2005)

1. HTML_NETSKY.P
2. WORM_NETSKY.P
3. JAVA_BYTEVER.A
4. TSPY_SMALL.SN
5. SPYW_GATOR
6. SPYW_DASHBAR.300
7. SPYW_WEBSEARCH.A
8. TROJ_DYFUCA.I
9. WORM_NETSKY.DAM
10. WORM_NETSKY.D

May 21 2005 - See Me MAPI - WORM_SEMAPI.A

WORM_SEMAPI.A is a non-destructive, memory-resident worm that propagates via email. It is currently spreading in-the-wild and infecting computers that are running Windows 98, ME, NT, 2000, and XP.

Upon execution, this worm drops copies of itself in the Windows folder as DRDOOM.EXE and WINBIOS.EXE. It also drops AUTOEXE.EXE and SKERNEL32.COM in the Windows system folder as part of its installation routine. It creates several registry entries to ensure that it automatically executes at every system startup.

This worm propagates by sending copies of itself to email addresses gathered from the infected machine using Messaging Application Program Interface (MAPI) functions. It derives the email addresses it gathers from files with the following extension names:

* adb
* asp
* dbx
* doc
* eml
* htm*
* js*
* msg
* oft
* ph*
* pl*
* rtf
* shtm*
* tbb
* tx*
* vb*
* wab
* wsh
* xm*

It sends messages with several specific combinations of common names, domains, message bodies, subject lines, and attachments. To read the full list of possible combinations, view the Technical Details.

This worm displays a message box containing the following message:

Unable to locate 'semapi.dll' reinstalling this application may fix this problem.

Top 10 Most Prevalent Global Malware
(from May 13 to May 19, 2005)

1. JAVA_BYTEVER.A
2. HTML_NETSKY.P
3. HKTL_BRUTFORCE.A
4. SPYW_GATOR
5. WORM_NETSKY.P
6. SPYW_DASHBAR.300
7. TSPY_SMALL.SN
8. ADW_SECTHOUGHT.A
9. SPYW_WEBSEARCH.A
10. TROJ_DYFUCA.I

May 14 2005 - WORM_WURMARK.J.

12website.com has declared a Medium Risk alert for a new WURMARK variant that is currently spreading in France, India, Singapore, and Taiwan. WORM_WURMARK.J is a memory-resident worm that propagates by mass-mailing copies of itself, and carries a component of a commercial keylogging spyware program produced by X Software, Inc. This spyware program is capable of running in stealth mode while logging keystrokes, monitoring accessed Web sites, capturing screenshots, and logging system activities. The worm not only propagates copies of itself, but of the spyware program as well. The commercial spyware program is therefore installed in every system that the worm infects.

Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder using a random file name. It drops a randomly named Dynamic Link Library (DLL) file, which is a spyware program detected by NOD32 Antivirus, in the Windows system folder. It creates a registry entry to allow it to automatically execute at every system startup.

This worm drops the following .ZIP files in the Windows system folder:

* details.zip
* girls.zip
* image.zip
* love.zip
* message.zip
* music.zip
* news.zip
* photo.zip
* pic.zip
* readme.zip
* resume.zip
* screensaver.zip
* song.zip
* video.zip

These .ZIP files contain any of the following files:

* details.doc{multiple spaces}.scr
* girls.jpg{multiple spaces}.scr
* image.jpg{multiple spaces}.scr
* love.jpg{multiple spaces}.scr
* message.txt{multiple spaces}.scr
* music.mp3{multiple spaces}.scr
* news.doc{multiple spaces}.scr
* photo.jpg{multiple spaces}.scr
* pic.jpg{multiple spaces}.scr
* readme.txt{multiple spaces}.scr
* resume.doc{multiple spaces}.scr
* screensaver{multiple spaces}.scr
* song.wav{multiple spaces}.scr
* video.avi{multiple spaces}.scr
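
The member names listed above hide an executable .scr extension behind a run of spaces, so a truncated file-name display shows only the harmless-looking part. As an added example (not part of the original alert or any vendor's tooling), this Python check lists a ZIP's member names, as a mail gateway might, and flags that pattern; the decoy-extension set, the `com` entry and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Final extensions Windows runs directly. EXE, PIF and SCR come from the alerts
# on this page; COM is an assumption added for completeness.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com"}
# Decoy extensions taken from the WORM_WURMARK.J member names listed above.
DECOY_EXTS = {"doc", "jpg", "txt", "mp3", "wav", "avi"}


def classify(member_name):
    """Return a reason code if the name ends in an executable extension, else None."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot or ext.strip().lower() not in EXECUTABLE_EXTS:
        return None
    if stem != stem.rstrip():
        # "photo.jpg<many spaces>.scr": the padding pushes ".scr" out of view
        return "padded"
    inner_stem, inner_dot, inner_ext = stem.rpartition(".")
    if inner_dot and inner_ext.lower() in DECOY_EXTS:
        # "resume.doc.scr": document-looking name, executable real extension
        return "double-extension"
    return "executable"


def scan_zip(data):
    """Return [(member_name, reason)] for every suspicious member of a ZIP given as bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = archive.namelist()  # names are readable even if members are encrypted
    except zipfile.BadZipFile:
        # A corrupt or fake archive cannot be inspected; report it rather than pass it
        return [("<archive>", "unreadable")]
    findings = []
    for name in names:
        reason = classify(name)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample():
    """Constructed sample archive; member contents are inert placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("photo.jpg" + " " * 40 + ".scr", b"placeholder")
        archive.writestr("screensaver" + " " * 40 + ".scr", b"placeholder")
        archive.writestr("resume.doc.scr", b"placeholder")
        archive.writestr("notes.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip(build_sample()):
        print(f"{reason:17} {name!r}")
```
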

This worm propagates by sending a copy of itself as an attachment to email messages, which it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine.

The email that it sends out has the following details:

Subject: (any of the following)

* details
* girls
* image
* love
* message
* music
* news
* photo
* pic
* readme
* resume
* screensaver
* song
* video

Attachment: (any of the following file names)

* details.zip
* girls.zip
* image.zip
* love.zip
* message.zip
* music.zip
* news.zip
* photo.zip
* pic.zip
* readme.zip
* resume.zip
* screensaver.zip
* song.zip
* video.zip

It gathers target email addresses from the Temporary Internet Files folder, as well as from files with the following extension names:

* ASP
* DBX
* EML
* HTM
* MBX
* SHT
* TBB

It avoids sending email messages to addresses that contain any of the following substrings:

* abuse
* admin
* hostmaster
* localdomain
* localhost
* mcafee
* messagelab
* microsoft
* noreply
* postmaster
* recipients
* reports
* root
* spam
* symantec
* webmaster

Top 10 Most Prevalent Global Malware
(from May 6 to May 13, 2005)

1. JAVA_BYTEVER.A
2. HTML_NETSKY.P
3. TSPY_SMALL.SN
4. HKTL_BRUTFORCE.A
5. WORM_NETSKY.P
6. SPYW_GATOR
7. WORM_SOBER.S
8. SPYW_DASHBAR.300
9. SPYW_WEBSEARCH.A
10. TSPY_DLOADER.DH

May 12 2005 - WORM_WURMARK.J.

As of May 12, 2005 12website.com has declared a Medium Risk Virus Alert to control the spread of WORM_WURMARK.J. 12website.com has received several infection reports indicating that this malware is spreading in France, India, Taiwan, and Singapore.

This memory-resident worm propagates via email messages. Upon execution, it drops a copy of itself in the Windows system folder using a random file name.

It also drops a randomly named Dynamic Link Library (DLL) file in the Windows system folder, which is a component of IESpy, a spyware program.

This worm has a keylogging capability. It saves the keystrokes typed by the user in a randomly named DLL file that it drops.

It drops several .ZIP files in the Windows system folder for use as email attachments.

This worm propagates by sending a copy of itself via email. The email message contains the following details:

Subject: (any of the following)
-details
-girls
-image
-love
-message
-music
-news
-photo
-pic
-readme
-resume
-screensaver
-song
-video

Attachment: (any of the following file names)
-details.zip
-girls.zip
-image.zip
-love.zip
-message.zip
-music.zip
-news.zip
-photo.zip
-pic.zip
-readme.zip
-resume.zip
-screensaver.zip
-song.zip
-video.zip

May 09 2005 - WORM_MYTOB.ED

As of May 9, 2005, 12website.com has declared a Medium Risk Virus Alert to control the spread of WORM_MYTOB.ED. 12website.com has received several infection reports indicating that it is spreading in Japan and Australia.

Like earlier WORM_MYTOB variants, this worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine.

The email it sends out has the following details:

Subject: (any of the following)
- Error
- hello
- Here is your documents.
- Mail Delivery System
- Mail Transaction Failed
- Re: Thank you for delivery
- Server Report
- something for you
- Status

Subject: (any of the following)
- *IMPORTANT* Please Validate Your Email Account
- *IMPORTANT* Your Account Has Been Locked
- Email Account Suspension
- Notice: **Last Warning**
- Notice:***Your email account will be suspended***
- Security measures
- Your email account access is restricted
- Your Email Account is Suspended For Security Reasons

Message Body: (any of the following)
- Account Information Are Attached!
- Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
- please look at attached document.
- Please see the attachement.
- To safeguard your email account from possible termination, please see the attached file.
- To unblock your email account acces, please see the attachement.
- We have suspended some of your email services, to resolve the problem you should read the attached document.

Attachment: (any of the following file names)
- email-doc
- email-info
- email-text
- information
- your_details
- document_full
- IMPORTANT
- info-text
- {random}

(any of the following extensions)
- .exe
- .pif
- .scr
- .zip

It gathers target email addresses from the Temporary Internet folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.
This worm has backdoor capabilities, which allow a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.
Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.

May 06 2005 - WORM_SOBER.S. More on Sober

On May 2, NOD32 declared a Medium Risk Virus alert for WORM_SOBER.S. This is a memory-resident worm that spreads by mass-mailing copies of itself using its own SMTP (Simple Mail Transfer Protocol) engine. It gathers recipient addresses from files with certain extensions, and avoids sending messages to addresses that contain specific strings. It sends an email appearing to come from the soccer organization FIFA, informing recipients that they have won tickets for the upcoming FIFA World Cup 2006 in Germany. It sends these email messages in either English or in German, depending on the country-level domains of the gathered addresses. It is currently spreading in-the-wild and infecting computers running Windows 98, ME, NT, 2000, and XP.

Upon execution, this worm displays the following fake error message:

* WinZip Self-Extractor
* Error: CRC not complete

It then drops the following copies of itself in the %Windows%\Connection Wizard\Status folder:

* CSRSS.EXE
* SERVICES.EXE
* SMSS.EXE

It also drops the following files:

* %Windows%\Connection Wizard\Status\fastso.ber
* %System%\adcmmmmq.hjg
* %System%\langeinf.lin
* %System%\nonrunso.ber
* %System%\seppelmx.smx
* %System%\xcvfpokd.tqa

It drops the following files, which it uses to store collected email addresses for its mass-mailing routine:

* Sacri1.ggg
* Sacri2.ggg
* Sacri3.ggg
* Voner1.von
* Voner2.von
* Voner3.von

This worm creates registry entries that enable it to automatically execute at every system startup. It uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to email addresses obtained from files with certain extensions. The worm also avoids email addresses containing specific strings.

This worm sends email messages in German when it obtains email addresses with GMX as the domain name (for example, if the email address has gmx.de or gmx.net as its extension), or with any of the following domain extensions:

* AT
* CH
* DE
* LI

The messages sent by the worm contain the following details:

From: (any of the following)

* Admin
* Hostmaster
* Info
* Postmaster
* Register
* Service
* Webmaster

Subjects (German): any of the following

* Glueckwunsch: Ihr WM Ticket
* Ich bin's, was zum lachen ;)
* Ihr Passwort
* Ihre E-Mail wurde verweigert
* Mail-Fehler!
* WM Ticket Verlosung
* WM-Ticket-Auslosung

Subjects (English): any of the following

* mailing error
* Re:
* Registration Confirmation
* Your email was blocked
* Your Password

Message body (German): any of the following

* Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage.
*-* http://www.<generated string>
*-* MailTo: PasswordHelp
* Diese E-Mail wurde automatisch erzeugt
Mehr Information finden Sie unter http://www.<generated string>
* ----------
Folgende Fehler sind aufgetreten: Fehler konnte nicht Explicit ermittelt werden
End Transmission
----------
* Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten gezippt & angehaengt werden. Wir bitten Sie, dieses zu beruecksichtigen.
Auto ReMailer# [<generated string>]
* Nun sieh dir das mal an!
Was ein Ferkel ....
* Herzlichen Glueckwunsch, beim Run auf die begehrten Tickets für die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie dabei.
Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
Ihr ok2006 Team
St. Rainer Gellhaus

--- FIFA-Pressekontakt:
--- Pressesprecher Jens Grittner und Gerd Graus
--- FIFA Fussball-Weltmeisterschaft 2006
--- Organisationskomitee Deutschland
--- Tel. 069 / 2006 - 2600
--- Jens.Grittner@ok2006.de
--- Gerd.Graus@ok2006.de

followed by any of the following:

* **** Mail-Scanner: Es wurde kein Virus festgestellt
**** <generated string> AntiVirus Service
**** WebSite: http://www.<generated string>
* **** AntiVirus: Kein Virus gefunden
**** <generated string> AntiVirus Service
**** WebSite: http://www.<generated string>
* **** AntiVirus-System: Kein Virus erkannt
**** <generated string> AntiVirus Service
**** WebSite: http://www.<generated string>

Message body (English): any of the following

* Account and Password Information are attached!

Visit: http://www.<generated string>

* This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached

* ok ok ok,,,,, here is it

followed by any of the following:

* *** Attachment-Scanner: Status OK
*** <generated string> Anti-Virus
*** http://www.<generated string>
* *** AntiVirus: No Virus found
*** <generated string> Anti-Virus
*** http://www.<generated string>
* *** Server-AntiVirus: No Virus (Clean)
*** <generated string> Anti-Virus
*** http://www.<generated string>

Attachment: (any of the following)

* _PassWort-Info.zip
* account_info-text.zip
* account_info-text.zip
* autoemail-text.zip
* Fifa_Info-Text.zip
* LOL.zip
* mail_info.zip
* okTicket-info.zip
* our_secret.zip

The worm may delete files with the following strings:

* A*.exe
* Luc*.exe
* Ls*.exe
* Luu*.exe

Top 10 Most Prevalent Global Malware
(from April 29 to May 5, 2005)

1. HTML_NETSKY.P
2. JAVA_BYTEVER.A
3. HKTL_BRUTFORCE.A
4. WORM_NETSKY.P
5. WORM_SOBER.S
6. TSPY_SMALL.SN
7. SPYW_GATOR
8. SPYW_DASHBAR.300
9. WORM_ANIG.A
10. SPYW_WEBSEARCH.A

May 02 2005 - WORM_SOBER.S.

This worm spreads by mass-mailing copies of itself using its own SMTP (Simple Mail Transfer Protocol) engine. It gathers its target recipients from files with certain extension names. Notably, it avoids sending messages to addresses that contain specific strings.
Using social engineering techniques, it sends out an email supposedly sent by the soccer organization FIFA, informing recipients that they have won tickets for the upcoming FIFA World Cup 2006 in Germany.

The email it sends out has the following details:

From: (any of the following)
. Admin
. hostmaster
. info
. postmaster
. register
. service
. webmaster

Subject: (any of the following German subjects)
. Glueckwunsch: Ihr WM Ticket
. Ich bin's, was zum lachen
. Ihr Passwort
. Ihre E-Mail wurde verweigert
. Mail-Fehler!
. WM Ticket Verlosung
. WM-Ticket-Auslosung

(or any of the following English subjects)
. Re:
. Your Password
. Registration Confirmation
. Your email was blocked
. mailing error

Message body: (any of the following)

. Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage.
*-* http://www.<generated string>
*-* MailTo: PasswordHelp

. Diese E-Mail wurde automatisch erzeugt
Mehr Information finden Sie unter http://www.<generated string>

. Folgende Fehler sind aufgetreten: Fehler konnte nicht Explicit ermittelt werden
End Transmission

. Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten gezippt & angehaengt werden. Wir bitten Sie, dieses zu beruecksichtigen.
Auto ReMailer# [<generated string>]

. Nun sieh dir das mal an!
Was ein Ferkel ....

. Herzlichen Glueckwunsch, beim Run auf die begehrten Tickets für die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie dabei.
Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
Ihr ok2006 Team
St. Rainer Gellhaus

--- FIFA-Pressekontakt:
--- Pressesprecher Jens Grittner und Gerd Graus
--- FIFA Fussball-Weltmeisterschaft 2006
--- Organisationskomitee Deutschland
--- Tel. 069 / 2006 - 2600
--- Jens.Grittner@ok2006.de
--- Gerd.Graus@ok2006.de

. ok ok ok,,,,, here is it

. Account and Password Information are attached!
Visit: http://www.<generated string>

. **** <generated string> AntiVirus Service
**** WebSite: http://www.<generated string>

Attachment: (any of the following)
. mail_info.zip
. okTicket-info.zip
. LOL.zip
. _PassWort-Info.zip
. autoemail-text.zip

12website has a maintenance program for our clients to ensure they will not be 'let down' by an inefficient computer.

Computer maintenance is necessary to keep your machine running smoothly without down time.