Virus alerts for August 2004

By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient antivirus program, which checks for updates hourly.

Computer virus alert

Contact Us for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.

Date: August 27, 2004 - Rbot-GR Virus

Ever get the feeling you are being watched? That may no longer just be paranoia. A variant of the Rbot worm is able to take over users’ web cams and use them to spy on unsuspecting computer owners.

The Rbot-GR virus takes the traditional malware route of exploiting security vulnerabilities in Microsoft software.

"Whether this worm is the work of professional snoopers or lusty teenagers -- it's hard to say for certain. What we do know is that there have been a few hundred different versions of the Rbot worm, all of which have been designed to gain some kind of remote access to innocent users' data. This one goes further by also specifically collecting Webcam footage," Graham Cluley, senior technology consultant at Sophos said. "It seems more and more hackers are building a cocktail of different functionality into their creations."

If you're worried about it, it might not be a bad idea to turn the webcam off when not in use.

New Virus Has Sights Set On AMD64 Processors. Yesterday Symantec said it had discovered the first "proof-of-concept" virus that makes the AMD 64-bit processor its target.

TechWeb reports that the new virus is being called Shruggle, similar to Rugrat, another proof-of-concept that, in late May, targeted Windows 64-bit operating systems.

“Shruggle is a fairly simple proof-of-concept virus,” said Oliver Friedrichs, senior manager of Symantec's virus response team, “to show that the AMD platform is just as susceptible to attack as any other platform.” The virus is written in AMD64 assembly code, and won't run on 32-bit Windows editions, such as Windows 2000 and Windows XP.

Security Coming For Nokia High-End Phones. A plan is in the works for Nokia and the Swedish security company Pointsec Mobile Technologies to develop a tool that will encrypt important information on cell phones.

More info on the worm that spread through Mobile Phones - EPOC_CABIR.A

According to ZDNet UK, the new tool will be available for Nokia’s Series 60 & 80 phones. The goal is to protect information such as multimedia messages, calendars, address book entries, email and stored information.


Date: August 20, 2004 - MyDoom Variant WORM_RATOS.A (Medium Risk)

WORM_RATOS.A is a memory-resident, mass-mailing worm that arrives with an attachment that is a copy of the worm. It collects email addresses from the Windows Address Book, from temporary Internet files, and from certain entries in the Windows registry. It also constructs email addresses by prepending certain names to popular domain names. In addition, this worm downloads and executes a backdoor component file from several URLs, enabling remote access to the infected machine and therefore compromising user and system security. WORM_RATOS.A is a variant of the MYDOOM family of worms, and will be renamed as WORM_MYDOOM.S shortly. This worm is currently spreading in-the-wild and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this memory-resident worm drops a copy of itself as the following:

* %Windows%\RASOR38A.DLL
* %System%\WINPSD.EXE

It also adds registry entries that allow it to run at every Windows startup.

This worm sends a copy of itself via email by harvesting email addresses from files found in the temporary Internet files folder, with any of the following extension names:

* ADB
* ASP
* DBX
* HTM
* PHP
* SHT
* TBB
* TXT
* WAB

It also checks for recipient email addresses in the Windows Address Book. In addition, it constructs email addresses by prepending the following names to the domain names aol.com, hotmail.com, msn.com, and yahoo.com:

* adam
* alex
* alice
* andrew
* anna
* bill
* bob
* brenda
* brent
* brian
* claudia
* dan
* dave
* david
* debby
* fred
* george
* helen
* jack
* james
* jane
* jerry
* jim
* jimmy
* joe
* john
* jose
* julie
* kevin
* leo
* linda
* maria
* mary
* matt
* michael
* mike
* peter
* ray
* robert
* sam
* sandra
* serg
* smith
* stan
* steve
* ted
* tom

It sends email with the following details:

Subject: photos
Message body: LOL!;))))
Attachment: photos_arc.exe

This worm skips email addresses connected to domain names with the following substrings:

* abuse
* abuse
* accoun
* acketst
* admin
* anyone
* arin.
* be_loyal:
* berkeley
* borlan
* certific
* contact
* example
* feste
* gold-certs
* google
* google
* hotmail
* ibm.com
* icrosof
* icrosoft
* inpris
* isc.o
* isi.e
* kernel
* linux
* linux
* listserv
* mit.e
* mozilla
* mydomai
* nobody
* nodomai
* noone
* nothing
* ntivi
* panda
* postmaster
* privacy
* rating
* rfc-ed
* ripe.
* ruslis
* samples
* secur
* sendmail
* service
* somebody
* someone
* sopho
* submit
* support
* tanford.e
* the.bat
* upport
* usenet
* utgers.ed
* webmaster

In addition, this worm downloads and executes a backdoor component file from several URLs. The downloaded component is saved as WINVPN32.EXE, in the Windows folder, and then executed.

If you would like to scan your computer for WORM_RATOS.A or thousands of other worms, viruses, Trojans and malicious code, Contact Us for a one month free antivirus trial.

WORM_RATOS.A is detected and cleaned by F-Secure Anti Virus.

Top 10 Most Prevalent Global Malware
(week of: August 13, 2004 to August 19, 2004)

1. WORM_SASSER.B
2. PE_ZAFI.B
3. WORM_NETSKY.P
4. HTML_NETSKY.P
5. WORM_NETSKY.D
6. WORM_RATOS.A
7. WORM_NETSKY.B
8. JAVA_BYTEVER.A
9. TROJ_AGENT.AE
10. WORM_NETSKY.Z


Date: August 13, 2004 - Bag BAGLE - WORM_BAGLE.AC (Medium Risk)

WORM_BAGLE.AC is another variant of the BAGLE worm. It is a memory-resident, mass-mailing worm that deviates slightly from the usual BAGLE propagation routine of directly mass-mailing itself to a list of recipients. Instead, it makes use of a Trojan downloader component and an HTML script component to propagate. Using a built-in SMTP (Simple Mail Transfer Protocol) engine, this worm sends an email with a spoofed sender's name and the message, "new price". The email does not have a subject but has a .ZIP file attachment, containing the worm's components. It also attempts to propagate via network shares. Continuing the same pattern as previous versions of the BAGLE worm, this variant removes autorun registry entries and mutexes associated with its rival worm, NETSKY. WORM_BAGLE.AC is currently spreading in-the-wild, and runs on Windows NT, 2000, and XP.

Upon execution, it drops copies of itself using the following filenames in the Windows system folder:

* WINDLL.EXE
* WINDLL.EXEOPEN
* WINDLL.EXEOPENOPEN

This worm sends out ZIP-compressed files containing TROJ_BAGLE.AC and HTML_BAGLE.AC, using its own Simple Mail Transfer Protocol (SMTP) engine to propagate. It searches for and harvests email addresses from files with the following extension names:

* ADB
* ASP
* CFG
* CGI
* DBX
* DHTM
* EML
* HTM
* JSP
* MBX
* MDX
* MHT
* MMF
* MSG
* NCH
* ODS
* OFT
* PHP
* PL
* SHT
* SHTM
* STM
* TBB
* TXT
* UIN
* WAB
* WSH
* XLS
* XML

It skips email addresses that contain any of the following strings, to avoid certain recipients such as antivirus and software vendors:

* @avp.
* @derewrdgrs
* @foo
* @iana
* @messagelab
* @microsoft
* @eerswqe
* abuse
* admin
* anyone@
* bsd
* bugs@
* cafee
* certific
* contract@
* feste
* free-av
* f-secur
* gold-certs@
* google
* help@
* icrosoft
* info@
* kasp
* linux
* listserv
* local
* news
* nobody@
* noone@
* noreply
* ntivi
* panda
* pgp
* postmaster@
* rating@
* root@
* samples
* sopho
* spam
* support
* unix
* update
* winrar
* winzip

The email it sends has the following details:

From: <spoofed>
Subject: <none>
Message body: new price
Attachment: (any of the following)
08_price.zip
new__price.zip
new_price.zip
newprice.zip
price.zip
price_08.zip
price_new.zip
price2.zip

If the email attachment is a password-protected .ZIP file, this worm may have the following email format:

Message body:
Password: <image password>
Pass - <image password>
Password - <image password>

This worm drops copies of itself in folders that contain the string "shar" in their names. It uses any of the following enticing filenames to trick users into downloading the copies:

* ACDSee 9.exe
* Adobe Photoshop 9 full.exe
* Ahead Nero 7.exe
* Kaspersky Antivirus 5.0
* KAV 5.0
* Matrix 3 Revolution English Subtitles.exe
* Microsoft Office 2003 Crack, Working!.exe
* Microsoft Office XP working Crack, Keygen.exe
* Microsoft Windows XP, WinXP Crack, working Keygen.exe
* Opera 8 New!.exe
* Porno pics arhive, xxx.exe
* Porno Screensaver.scr
* Porno, sex, oral, anal cool, awesome!!.exe
* Serials.txt.exe
* WinAmp 5 Pro Keygen Crack Update.exe
* WinAmp 6 New!.exe
* Windown Longhorn Beta Leak.exe
* Windows Sourcecode update.doc.exe
* XXX hardcore images.exe

This routine allows it to propagate via local network shares and popular peer-to-peer network shares.

This worm removes certain entries related to NETSKY variants in several registry keys, and creates mutexes to prevent NETSKY variants from executing.


Top 10 Most Prevalent Global Malware
(week of: August 6, 2004 to August 13, 2004)

1. WORM_SASSER.B
2. WORM_NETSKY.P
3. PE_ZAFI.B
4. HTML_NETSKY.P
5. WORM_NETSKY.D
6. WORM_NETSKY.B
7. JAVA_BYTEVER.A
8. WORM_NETSKY.C
9. TROJ_AGENT.AE
10. WORM_NETSKY.Z

Date: August 9, 2004 - YELLOW alert - WORM_BAGLE.AC

Several infection reports of this mass-mailing worm were received from the United States.

This worm is downloaded by TROJ_BAGLE.AC. Upon execution, it drops copies of itself in the Windows system folder using the following filenames:

windll.exe
windll.exeopen
windll.exeopenopen

It sends out .ZIP compressed files containing TROJ_BAGLE.AC and HTML_BAGLE.AC via email.

This PEX-compressed worm runs on Windows 95, 98, ME, NT, 2000, and XP.


Date: August 07, 2004 - Saro & Rosy Forever - WORM_SAROS.A

WORM_SAROS.A is a non-destructive worm that propagates via email and IRC. When the infected computer system’s date is the 11th or 23rd of any month, the worm displays a message box, and modifies the default Internet Explorer home page to www.gedzac.tk. This worm is currently spreading in-the-wild, and it infects systems running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm displays two message boxes, purporting to be Microsoft Windows Update messages. It then drops copies of itself in the Windows system folder using the following file names:

* Love-ScreenSaver.scr
* MSOutlookInternetUpdate.exe
* NonYou.exe
* ABOUT.HTA
* NSTDNRDLL32.VBS

The file, ABOUT.HTA is a non-malicious HTML file that displays the following:

GEDZAC Labs
2004
Have a nice Program for You
NonYou
Coded by Sarosoft
Dedicated to my Love Rosy

The file NSTDNRDLL32.VBS is a malicious VBScript component of this worm that handles its propagation routine and also contains code that adds autostart registry entries. This worm also drops a copy of itself as the following file:

%Program%\Mirc\tdll32.dll
(%Program% refers to the Windows program files folder)

This file is an IRC (Internet Relay Chat) script that sends a copy of the worm to all users who are in the same channel as the user. It also drops a copy of itself in the network shares of many popular peer-to-peer file-sharing applications, using any of several file names.

To propagate via email, this worm's VBScript component creates an email and sends it to all addresses listed in the infected user's Windows address book. The details of the email are as follows:

Subject: Microsoft Outlook News
Message Body: Microsoft Outlook Update / Bug Fixed - Contact: support@microsoft.com
Attachment: MSOutlookInternetUpdate.exe

This worm sets Microsoft Outlook to delete the mail after sending.
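The mail details given above for WORM_SAROS.A, and earlier on this page for WORM_RATOS.A and WORM_BAGLE.AC, are enough for a mail gateway to flag these messages without opening any attachment. The following is an added example written for this page (not code from the original alerts or from any vendor): it parses a raw message with Python's standard email module and matches the subject, body and attachment names against indicators transcribed from the three descriptions; make_sample and the zero-byte attachment are constructed test fixtures.

```python
import email
from email import policy
from email.message import EmailMessage
# Mail indicators transcribed from the RATOS.A, BAGLE.AC and SAROS.A alerts
# above (lower-cased for matching).
INDICATORS = {
    "WORM_RATOS.A": {"subject": "photos", "body": "lol!;))))",
                     "attachments": {"photos_arc.exe"}},
    "WORM_BAGLE.AC": {"subject": "", "body": "new price",
                      "attachments": {"08_price.zip", "new__price.zip",
                                      "new_price.zip", "newprice.zip",
                                      "price.zip", "price_08.zip",
                                      "price_new.zip", "price2.zip"}},
    "WORM_SAROS.A": {"subject": "microsoft outlook news",
                     "body": "microsoft outlook update / bug fixed",
                     "attachments": {"msoutlookinternetupdate.exe"}},
}

def classify(raw_message):
    """Return the families matched: a listed attachment name alone is enough,
    otherwise the subject must match and the body start with the known text.
    BAGLE.AC zips may be password-protected, so archives are never opened."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    body, attachments = "", set()
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachments.add(name.lower())
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    body = body.strip().lower()
    hits = []
    for family, ind in INDICATORS.items():
        if attachments & ind["attachments"] or (
                subject == ind["subject"] and body.startswith(ind["body"])):
            hits.append(family)
    return hits

def make_sample(subject, body, attachment=None):
    """Constructed test message (not a real capture); attachment is zero bytes."""
    msg = EmailMessage()
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"\0" * 8, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()
```

A production filter would add the attachment-name match to its quarantine rule and log the family name, since a filename hit is reliable even when the zip cannot be inspected.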

When the infected system’s date is the 11th or 23rd of any month, the worm displays the following message box:

NonYou
Rosy Ti Amo - Saro & Rosy Forever
Gedzac Group 2004
NonYou.a Gedzac Labs Productions
Coded by Sarosoft - Dedicated to my Love Rosy
Gedzac Group 2004 - http://www.gedzac.tk
Gedzac
The Virus Crew

On the above-mentioned dates, it also modifies the default Internet Explorer home page to www.gedzac.tk. It then executes the file ABOUT.HTA. This worm also lowers the security setting of Microsoft Outlook and removes the .EXE file attachment blocking by adding registry entries. It also connects to http://windowsupdate.com.


Top 10 Most Prevalent Global Malware
(week of: July 30, 2004 to August 5, 2004)

1. WORM_SASSER.B
2. WORM_NETSKY.P
3. PE_ZAFI.B
4. HTML_NETSKY.P
5. WORM_NETSKY.Z
6. WORM_NETSKY.D
7. WORM_BAGLE.Z
8. WORM_NETSKY.B
9. WORM_BAGLE.GEN-1
10. WORM_MYDOOM.M

Date: August 01, 2004 - DOOM Alphabet - WORM_MYDOOM.M (Medium Risk)

WORM_MYDOOM.M is another variant of the MYDOOM worm that, like its earlier variants, spreads via email through Simple Mail Transfer Protocol (SMTP). This worm infects Windows 95, 98, ME, NT, 2000 and XP, and is currently spreading in-the-wild.

Upon execution, this worm drops a copy of itself as JAVA.EXE in the Windows folder. It then creates an auto-run registry entry that allows it to execute at every system startup.

To propagate via email, the worm harvests target email addresses from the Windows Address Book (WAB), from the Temporary Internet Files folder, and from files with the following extensions found in fixed drives:

* hlp
* tx*
* asp
* ht*
* sht*
* adb
* dbx
* wab

When it finds an email address, it obtains the domain name of that email address and queries the following search engines for email addresses in the same domain, allowing it to gather more addresses to spam:

http://search.lycos.com
http://www.altavista.com
http://search.yahoo.com
http://www.google.com

The email message it sends has varying subject lines, message bodies and attachment file names, and it spoofs the sender's name (FROM field) of the email it sends, both in the email header and the envelope. It skips email addresses with domain names that contain certain strings.

This worm also has backdoor functionalities that leave the infected machine vulnerable to remote access. It drops a backdoor component named SERVICES.EXE in the Windows folder, which opens a port and waits for outside connections. This allows a remote attacker to control the infected machine.

WORM_MYDOOM.M is detected and cleaned by our AntiVirus Software.

Top 10 Most Prevalent Global Malware
(week of: July 23, 2004 to August 01, 2004)

1. WORM_SASSER.B
2. PE_ZAFI.B
3. WORM_NETSKY.P
4. HTML_NETSKY.P
5. WORM_NETSKY.D
6. WORM_RBOT.ZG
7. WORM_NETSKY.B
8. TROJ_AGENT.AE
9. JAVA_BYTEVER.A
10. WORM_MYDOOM.M

12website has a maintenance program for our clients to ensure they will not be 'let down' by an inefficient computer.

Computer maintenance is necessary to keep your machine running smoothly without down time.

Contact Us. Add "Virus Trial" to the Comments area.