Virus alerts for December 2004

By the time you receive an e-mail 'virus alert', it can already be too late.
We stock the most efficient antivirus program, which checks for updates hourly.

Contact Us for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.

December 31 2004 W32.Protoride.B

W32.Protoride.B is a worm that spreads through network shares and opens a back door that allows unauthorized access to a compromised computer.

12website.com encourages all users and administrators to adhere to the following basic security "best practices":

* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

* Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.

* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

* Isolate infected computers quickly to prevent further compromise of your organization. Perform a forensic analysis and restore the computers using trusted media.

* Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
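The attachment-blocking practice above is easy to state and easy to get subtly wrong (case, trailing dots, double extensions, executables wrapped in a ZIP). The following is an added example of a gateway-side check, not code from the original page or from any antivirus vendor; the extension set extends the one in the list above with other Windows executable types, and the sample message is constructed to resemble the mass-mailer samples described further down this page.

```python
"""Mail-gateway attachment filter: flag messages that carry executable
attachments, including executables wrapped in a ZIP archive.
Added example, not code from the original page or any vendor; the
extension list extends the best-practices list above (assumed additions
are marked) and the sample message below is constructed."""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

BLOCKED_EXTENSIONS = {
    ".vbs", ".bat", ".exe", ".pif", ".scr",                  # named in the list above
    ".com", ".cmd", ".vbe", ".js", ".jse", ".wsf", ".hta",   # assumed additions
}


def _extension(name: str) -> str:
    """Lower-cased final extension; 'photo.jpg.exe' and 'file.exe.' both give '.exe'."""
    return os.path.splitext(name.strip().rstrip("."))[1].lower()


def blocked_attachments(raw_message: bytes) -> List[str]:
    """Return the attachment names in a raw RFC 5322 message that a gateway
    should block. A ZIP attachment is opened and its member names are checked
    too, reported as 'archive.zip -> member'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # message bodies and multipart containers carry no filename
        ext = _extension(name)
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
        elif ext == ".zip":
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if _extension(os.path.basename(member)) in BLOCKED_EXTENSIONS:
                            hits.append(f"{name} -> {member}")
            except zipfile.BadZipFile:
                hits.append(f"{name} (unreadable archive)")  # treat as suspicious
    return hits


def build_sample_message() -> bytes:
    """Constructed message modelled on the mass-mailer samples on this page:
    a greeting with a .pif attachment plus a ZIP that wraps an .exe."""
    msg = EmailMessage()
    msg["From"] = "pamela@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: Merry Christmas!"
    msg.set_content("Happy Holidays!\n")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="postcard.pif")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg.exe", b"MZ\x90\x00")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="attached.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample_message()))
```

The filter judges by filename only, which is what the practice above asks for; a gateway that also sniffs content (for example the "MZ" header of a Windows executable) catches renamed files, and a policy that blocks unreadable or password-protected archives outright closes the remaining gap.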

December 28 2004 Santy.A

New Worm Spreads Via Google

Santy.A infects servers that host online bulletin boards.

Antivirus companies are warning Internet users about a fast-spreading new worm that infects Web servers running a popular package of online bulletin board software, and uses the Google search engine to find vulnerable servers to infect.

The worm, dubbed Santy.A, uses a vulnerability in a popular free software package called phpBB to spread across the Internet, infecting computer servers that host online bulletin boards and defacing those sites with the words "This site is defaced!!! NeverEverNoSanity WebWorm."

Update:
Google is blocking searches launched by Santy.A, a new Internet worm that targets servers running phpBB, a popular electronic bulletin board software package, according to a statement from the company. Because the worm has no native ability to scan for vulnerable computers, Google's action halted its spread, according to antivirus companies.

The worm does not affect individual computer users, but infects Web servers that are hosting online bulletin boards.

The worm takes advantage of a critical software vulnerability in the phpBB open source software, which is widely used to create and maintain online bulletin boards. While antivirus companies were still analyzing the worm, it appears that the worm may use a vulnerability in the PHP scripting language that was recently patched.

phpBB, like many other common software packages, is written in PHP.

Once Santy infects servers running the phpBB software, it scans directories on the infected site and overwrites files with the extensions HTM, PHP, ASP, SHTM, JSP, and PHTM with the text "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation,".
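A site administrator's first question after reading the above is which files were hit. The following is an added example of a web-root sweep for the defacement text, not code from the original page; the marker string and the extension list come from the description above, and the sample directory tree is constructed.

```python
"""Sweep a web root for files overwritten with the Santy.A defacement text.
Added example, not code from the original page; marker and extensions are
taken from the description above, the sample tree below is constructed."""
import os
import tempfile
from typing import List

DEFACEMENT_MARKER = b"NeverEverNoSanity WebWorm"
# File types the description says the worm overwrites.
TARGET_EXTENSIONS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}


def find_defaced_files(webroot: str) -> List[str]:
    """Return paths (relative to webroot, '/'-separated) of files with a
    targeted extension whose contents contain the defacement marker. Only the
    first 4 KiB is read: the worm replaces the whole file with a short text,
    so the marker, if present, is at the start."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if DEFACEMENT_MARKER in head:
                hits.append(os.path.relpath(path, webroot).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_webroot() -> str:
    """Constructed phpBB-like tree: two defaced files, one intact PHP file and
    a .css file that carries the text but is not a targeted type."""
    root = tempfile.mkdtemp(prefix="santy-demo-")
    defaced = (b"This site is defaced!!! This site is defaced!!! "
               b"NeverEverNoSanity WebWorm generation,")
    samples = {
        "index.htm": defaced,
        "forum/viewtopic.php": defaced,
        "forum/config.php": b"<?php $dbhost = 'localhost'; ?>\n",
        "style.css": defaced,  # not in TARGET_EXTENSIONS, so not reported
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in find_defaced_files(build_sample_webroot()):
        print("defaced:", hit)
```

Dropping the extension filter (scan every file) costs little and catches variants; either way the listed files are restored from trusted media or a known-good backup, and the phpBB update is applied before the site goes back online, since the defacement is only a symptom of the vulnerable install.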

The worm also launches a search on the Google search engine for URLs that use a special string, viewtopic.php, which is common to bulletin boards written using the phpBB software, Hypponen said.

Block That Worm

Antivirus experts do not believe Santy.A deposits Trojan horse programs or other malicious code on the systems it infects. Also, Santy does not affect individual computer users, unless they are hosting a bulletin board from their computer that uses the phpBB software, antivirus experts said.

However, Santy.A could act as a road map for malicious hackers who are looking for vulnerable computers to exploit.

We have advised customers to update their antivirus software as soon as possible.

December 18 2004 Daffy ZAFI - WORM_ZAFI.D

WORM_ZAFI.D is a memory-resident, mass-mailing worm that is currently spreading in the wild. It uses its own built-in Simple Mail Transfer Protocol (SMTP) engine to send malicious Christmas greetings. It runs on Windows 98, ME, NT, 2000, and XP.

Upon execution, this mass-mailing, memory-resident worm displays a message box. It drops a copy of itself as NORTON UPDATE.EXE, and drops copies of itself as .DLL files with 8-character random file names. Some .DLL files are copies of itself while others are email log files in the Windows system folder. It also drops a log file called S.CM in the root folder. It then adds a registry entry that allows it to automatically execute at every system startup.

This worm drops a copy of itself using either of the following filenames:

* WINAMP 5.7 NEW!.EXE
* ICQ 2005A NEW!.EXE

It drops the file in folders that contain one of the following strings:

* share
* upload
* music

Most file-sharing applications, such as KaZaA, Shareaza, and Morpheus, use folder names with these strings when sharing files through peer-to-peer (P2P) networks. P2P users who search for Winamp and ICQ installers may inadvertently download this dropped ZAFI copy instead.

This worm uses its own built-in Simple Mail Transfer Protocol (SMTP) engine, which allows it to send malicious Christmas greetings without using other email applications such as Outlook Express. The language of the message body depends on the domain of the email recipient: when the top-level domain of the recipient's address is .COM, the message is sent in English; when it is .DE, the message is sent in German. The Technical Details of this virus description show samples and screenshots of the email it sends.

It searches the following files for target email addresses:

* ADB
* ASP
* DBX
* EML
* FPT
* HTM
* INB
* MBX
* PHP
* PMR
* SHT
* TBB
* TXT
* WAB

However, it skips email addresses that contain the following strings:

* admi
* cafee
* google
* help
* hotm
* info
* kasper
* micro
* msn
* panda
* secur
* sopho
* suppor
* syman
* trend
* use
* viru
* webm
* win
* yaho

This worm terminates antivirus and firewall programs. It enumerates all folders and files on the system, reads the contents of each file and checks whether the string "firewall" or "virus" occurs. If three or more files in a folder contain one of these strings, the folder name is stored in a registry entry. Once all folders have been collected, it traverses that registry entry and, if a folder name contains any of the following strings, terminates all executable files running from that folder:

* cafee
* Kasper
* panda
* secure
* sopho
* syman
* trend
* viru

Top 10 Most Prevalent Global Malware
(from December 4, 2004 to December 16, 2004)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. WORM_SOBER.I
4. WORM_NETSKY.D
5. WORM_ZAFI.D
6. WORM_NETSKY.B
7. SPYW_GATOR.D
8. JS_BAIDU.A
9. WORM_NETSKY.C
10. WORM_NETSKY.Q

December 14 2004 WORM_ZAFI.D

As of December 14, 2004 8:13 AM PST, there is a Medium Risk Virus Alert to control the spread of WORM_ZAFI.D. We have received several infection reports indicating that this malware is spreading in Germany, France and Spain.

The following is a brief overview of the worm process:

This worm spreads via email or peer-to-peer (P2P) file-sharing networks.

Here is a sample of the email:

Subject:
Re: Merry Chrsitmas!

Message body:
Happy Hollydays!

Pamela M.

Attachment:
postcard.index.php1111.pif

Note that the language of the email may change depending on the domain of the recipients.

December 11 2004
Multitasking MASLAN - WORM_MASLAN.A (High Risk)

WORM_MASLAN.A is a memory-resident worm that spreads via email and typically arrives in an attachment called "PlayGirls2.exe". The worm harvests target recipients from certain files found on the system. It also exploits the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability, possibly to aid its propagation. In addition, this worm has backdoor functionality that allows remote users to gain virtual control over the infected system. It terminates certain processes associated with antivirus applications, lowering security on the affected system. It also performs denial of service (DoS) attacks on certain Web sites. This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, it drops the following component files in the Windows system folder:

* ___r.exe
* ___n.exe
* ___synmgr.exe

It creates two autostart registry entries so that it runs at every Windows startup. However, a bug in the worm causes the operating system to display an error message, and clicking OK in that message terminates the worm component.

This worm propagates via email. It gathers email addresses from files with the following extensions and sends itself to them:

* adb
* asp
* cfg
* cgi
* dbx
* dhtm
* eml
* htm
* jsp
* mbx
* mdx
* mht
* mmf
* msg
* nch
* ods
* oft
* php
* sht
* shtm
* stm
* tbb
* txt
* uin
* wab
* wsh
* xls
* xml

The email it sends contains the following details:

Subject: <Name>

Message Body: Hello <Name>,
Best regards,
<Name>

Attachment: PlayGirls2.exe

<Name> is one of the following:

* Alan
* Andrew
* Angel
* Anna
* Arnold
* Bernard
* Carter
* Chris
* Christian
* Conor
* Ghisler
* Goldberg
* Green
* Helen
* Ivan
* Jackson
* John
* Kramer
* Kutcher
* Liza
* Lopez
* Mackye
* Maria
* Miller
* Nelson
* Peter
* Robert
* Ruben
* Sarah
* Scott
* Smith
* Steven

This worm also has backdoor functionalities that allow it to connect to an IRC server, where it listens for commands from a remote user, allowing the remote user to perform the following functions:

* Download and execute files
* Log keystrokes
* Perform denial of service attack through SYN flooding
* Terminate processes
* Update itself
* Exploit

WORM_MASLAN.A also exploits the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability to remotely execute programs in vulnerable systems. The RPC DCOM Buffer Overflow (MS03-026) allows an attacker to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service. Read more on this vulnerability from Microsoft Security Bulletin MS03-026 at http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx.

The worm also terminates several processes associated with antivirus applications, and performs a Denial of Service attack on the following Web sites:

* chechenpress.com
* chechenpress.info
* kavkaz.org.uk
* kavkaz.tv
* kavkaz.uk.com
* kavkazcenter.com
* kavkazcenter.info
* kavkazcenter.net

This worm also searches the Program Files folder and its subdirectories for .EXE files with a path that contains any of the following substrings:

* distr
* download
* setup
* share

When such an .EXE file is found, it recreates the path of the file in the ___b directory and copies the file there. The file's contents are then replaced with zeroes.
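The zero-filling described above leaves a distinctive artefact: an .EXE of its original size whose every byte is 0x00. The following is an added example of an integrity sweep that looks for exactly that, not code from the original page; the directory layout and file contents are constructed for the demonstration.

```python
"""Find executables under a tree whose contents have been replaced with
zero bytes, the file-destruction payload described above.
Added example, not code from the original page; the sample tree is constructed."""
import os
import tempfile
from typing import List, Tuple

CHUNK = 65536


def is_zero_filled(path: str) -> bool:
    """True if the file is non-empty and every byte is 0x00. Reads in chunks
    so a large installer does not have to be loaded into memory whole."""
    if os.path.getsize(path) == 0:
        return False  # an empty file is a different symptom; do not report it here
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk.strip(b"\x00"):  # any non-zero byte survives the strip
                return False


def find_zeroed_executables(root: str,
                            extensions: Tuple[str, ...] = (".exe",)) -> List[str]:
    """Return '/'-separated paths, relative to root, of zero-filled files with
    one of the given extensions. The worm targets Program Files, but the sweep
    accepts any root so it can be pointed at a mounted image during forensics."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                if is_zero_filled(path):
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
            except OSError:
                continue  # locked or unreadable file: skip, keep sweeping
    return sorted(hits)


def build_sample_program_files() -> str:
    """Constructed tree imitating a Program Files folder after the worm ran:
    two zeroed executables under paths containing 'share' and 'download',
    plus files that must not be reported."""
    root = tempfile.mkdtemp(prefix="maslan-demo-")
    samples = {
        "Shared Tools/setup.exe": b"\x00" * 4096,           # zeroed by the worm
        "Downloads/installer.exe": b"\x00" * 200_000,       # larger than one CHUNK
        "Downloads/readme.txt": b"\x00" * 10,               # not an executable
        "Viewer/viewer.exe": b"MZ\x90\x00" + b"\x00" * 100,  # intact PE header
        "Viewer/empty.exe": b"",                            # empty, not zero-filled
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in find_zeroed_executables(build_sample_program_files()):
        print("zero-filled:", hit)
```

Because the description says the worm copies each file into the ___b directory before zeroing it, those copies are worth checking during recovery; even so, anything restored from them should be verified against vendor installation media rather than trusted on its own.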

The following text strings are found in the worm body:

* -{ Hah… MyDoom, Bagle, etc… since then you do not have future more! }-

Top 10 Most Prevalent Global Malware
(from December 3, 2004 to December 11, 2004)

1. PE_BUGBEAR.DAM
2. WORM_NETSKY.P
3. HTML_NETSKY.P
4. WORM_NETSKY.D
5. WORM_SOBER.I
6. WORM_MYDOOM.A
7. JAVA_BYTEVER.A
8. WORM_NETSKY.C
9. WORM_NETSKY.DAM
10. WORM_NETSKY.B

December 04 2004
Mass-mailing MUGLY - WORM_MUGLY.A

WORM_MUGLY.A is a non-destructive mass-mailing worm that arrives via email, as an attachment. This memory-resident worm searches the infected system for target email addresses in files with certain extension names. However, it avoids sending email messages to email addresses that contain specific strings, most of which are related to antivirus and security companies. It runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, it drops a copy of itself in the Windows system folder as the file XXX.TMP. It also drops the following files in the Windows system folder:

* ATTACHED.ZIP - a ZIP-compressed copy of itself
* WINIT.EXE - a worm that is detected by Trend Micro as WORM_SDBOT.AFE
* UGLYM.JPG - a normal .JPG file
* SVKP.SYS - an unpacker component used to register the SVK Protector, which this worm uses to unpack one of its dropped files that is compressed by SVKP
* ANSMTP.DLL - a standard SMTP (Simple Mail Transfer Protocol) mailing engine
* BSZIP.DLL - a standard archive engine

It creates three registry entries that allow it to automatically execute at every system startup. In addition, it registers a standard SMTP engine on the infected system, which allows it to perform its mass-mailing routine.

This worm looks for target email recipients in files with the following extensions:

* ADB
* ASP
* DBX
* DOC
* HTM
* HTML
* PHP
* SHT
* TBB
* TXT
* WAB

However, it avoids sending email messages to addresses that contain any of the following strings:

* .gov
* Adaware
* Kaspersky
* Lavasoft
* Mcafee
* Symantec
* avguk
* grisoft
* nod32
* pandasoftware
* sophos
* trendmicro

The email message that it sends out has the following details:

From: <spoofed>
Subject: (any of the following)

* You have an Admirer
* Your Pic On A Website!!
* Rate My Pic.......
* Hhahahah lol!!!!

Message Body: (any of the following)

* Someone has asked us on there behalf to send you this email and tell you they think you are wonderfull!!! All the The mystery persons details you need are enclosed in the attachment :) please download and respond telling us if you would like to make further contact with this person.
Regards Hallmark Admirer Mail Admin.
* I was looking at a website and came across this pic they look just like you! infact im sure it is lol , did you send this pic into them ? or is it someonce else :S ? Ive Added the pic in a zip so download it and check & email me back!
* Hi ive sent 5 emails now and nobody will rate my pic!! :( please download and tell me what you think out of 10 , dont worry if you dont like it just say i wont be offended p.s i was drunk when it was taken :P
* i found this on my computer from ages ago download it and see if you can remember it lol i was lauging like mad when i saw it! :D email me back haha...

Attachment: (any of the following)

* Pic_001.exe
* Photo_01.pif
* admire_001.exe
* is_this_you.scr
* love_04.scr
* for_you.pif
* Sexy_09.scr

This worm's payload displays the dropped image file, UGLYM.JPG.

Top 10 Most Prevalent Global Malware
(week of: November 26, 2004 to December 3, 2004)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. WORM_SOBER.I
4. JAVA_BYTEVER.A
5. WORM_NETSKY.D
6. TROJ_AGENT.FL
7. WORM_NETSKY.B
8. WORM_NETSKY.C
9. HTML_SUNFRAUD.B
10. WORM_NETSKY.Q

12website has a maintenance program for our clients to ensure they will not be 'let down' by an inefficient computer.

Computer maintenance is necessary to keep your machine running smoothly without down time.