Virus alerts for January 2005

By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient anti virus program which checks for updates hourly.

Computer virus alert

Get in touch for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.

Latest Virus Alert

January 30 2005 Return of BAGLE - WORM_BAGLE.AZ

WORM_BAGLE.AZ is another variant in the BAGLE family. This worm arrives as an email attachment and, once executed, sends copies of itself to all email addresses it gathers from files with certain extensions, skipping those addresses that contain particular strings. The email it sends is spoofed and may appear to have come from a familiar email address. The worm drops a copy of itself into the Windows system folder and looks for folders whose names contain the string "shar", then drops copies of itself there using file names with .EXE extensions (it assumes that these folders are shared). In addition, this worm displays various icons and terminates several processes, most of which are related to antivirus and security programs. This worm ceases to perform most of its malicious routines on April 25, 2006 or later. It is currently spreading in the wild and infecting computers running Windows 95, 98, ME, 2000, and XP.

Upon execution, this worm drops a copy of itself using the following file names into the Windows system folder:

* sysformat.exe
* sysformat.exeopen
* sysformat.exeopenopen

It then creates two registry entries. One registry entry allows it to execute at every Windows startup. After adding this entry, it enters an infinite loop that runs at 100-millisecond intervals. As a result, this worm can never be deleted as long as it is in memory. The second registry entry is used to determine how long it has executed on a system. If this registry entry indicates that 25 days have passed since its first execution, this worm uninstalls itself from the system. It also uninstalls itself when the system date is April 25, 2006 or later.

It looks for folders that have the string "shar" and drops copies of itself using the following file names:

* 1.exe
* 2.exe
* 3.exe
* 4.exe
* 5.scr
* 6.exe
* 7.exe
* 8.exe
* 9.exe
* 10.exe
* Ahead Nero 7.exe
* Windown Longhorn Beta Leak.exe
* Opera 8 New!.exe
* XXX hardcore images.exe
* WinAmp 6 New!.exe
* WinAmp 5 Pro Keygen Crack Update.exe
* Adobe Photoshop 9 full.exe
* Matrix 3 Revolution English Subtitles.exe
* ACDSee 9.exe

This worm attempts to propagate via email using its own Simple Mail Transfer Protocol (SMTP) engine. It searches for email addresses in files with certain extensions.

It sends email with the following details:

Subject: (any of the following)

* Delivery service mail
* Delivery by mail
* Registration is accepted
* Is delivered mail
* You are made active

Message body: (any of the following)

* Thanks for use of our software.
* Before use read the help

Attachments: (any of the following file names)

* guupd02
* Jol03
* siupd02
* upd02
* viupd02
* wsd01
* zupd02

(with any of the following extensions)

* COM
* CPL
* EXE
* SCR

The worm skips email addresses that contain certain strings. It terminates specific processes, mostly related to antivirus and security programs. It also attempts to connect to, and download files from, certain Web sites.

Several registry entries associated with WORM_NETSKY variants are also deleted, and mutexes are created to prevent NETSKY variants from running on the systems already infected with this BAGLE worm.

This worm opens a port and listens for commands coming from a remote malicious user. It executes these commands on an infected system, giving the remote malicious user virtual control over the system.
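The file names in the alert above translate directly into a host sweep. The script below is an added example written for this page (it is not part of the alert and not a vendor tool): it walks a directory tree and reports files whose names match the two sets of indicators listed above, the sysformat.exe* copies in the Windows system folder and the lure names dropped into any folder whose name contains "shar". The directory layout it builds under a temporary folder is constructed for the demonstration; the location of the system folder is passed in as an assumption rather than detected.

```python
"""Host sweep for the WORM_BAGLE.AZ file-name indicators quoted in the alert.

Added example, not part of the original alert or of any antivirus product.
"""
import os
import shutil
import tempfile

# Names the alert says are dropped into the Windows system folder.
SYSTEM_FOLDER_NAMES = {"sysformat.exe", "sysformat.exeopen", "sysformat.exeopenopen"}

# Lure names the alert says are dropped into folders whose name contains "shar"
# (lower-cased here because Windows file names are case-insensitive).
SHARE_LURE_NAMES = {
    "1.exe", "2.exe", "3.exe", "4.exe", "5.scr", "6.exe", "7.exe", "8.exe", "9.exe", "10.exe",
    "ahead nero 7.exe", "windown longhorn beta leak.exe", "opera 8 new!.exe",
    "xxx hardcore images.exe", "winamp 6 new!.exe", "winamp 5 pro keygen crack update.exe",
    "adobe photoshop 9 full.exe", "matrix 3 revolution english subtitles.exe", "acdsee 9.exe",
}


def sweep(root, system_folder):
    """Return a sorted list of (path, reason) for files matching the indicators.

    root          - top of the tree to walk (on a real host, the drive root)
    system_folder - path of the Windows system folder (assumed, not detected)
    """
    hits = []
    system_folder = os.path.normcase(os.path.abspath(system_folder))
    for dirpath, _dirs, files in os.walk(root):
        norm_dir = os.path.normcase(os.path.abspath(dirpath))
        in_share_dir = "shar" in os.path.basename(norm_dir).lower()
        for name in files:
            lname = name.lower()
            path = os.path.join(dirpath, name)
            if norm_dir == system_folder and lname in SYSTEM_FOLDER_NAMES:
                hits.append((path, "BAGLE.AZ copy in system folder"))
            elif in_share_dir and lname in SHARE_LURE_NAMES:
                hits.append((path, "BAGLE.AZ lure in shared folder"))
    return sorted(hits)


def build_sample_tree():
    """Constructed tree: one system-folder copy, two lures, and benign files."""
    root = tempfile.mkdtemp(prefix="bagle_sweep_")
    layout = [
        "windows/system32/sysformat.exeopen",   # indicator: copy in system folder
        "windows/system32/notepad.exe",         # benign
        "shared/WinAmp 6 New!.exe",             # indicator: lure in a "shar" folder
        "shared/readme.txt",                    # benign
        "music/Shared Music/5.scr",             # indicator: "Shared" contains "shar"
        "documents/5.scr",                      # same name, but not a "shar" folder: not flagged
    ]
    for rel in layout:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("")
    return root


def demo():
    """Run the sweep over the constructed tree; return hits relative to its root."""
    root = build_sample_tree()
    try:
        hits = sweep(root, os.path.join(root, "windows", "system32"))
        return [(os.path.relpath(p, root).replace(os.sep, "/"), r) for p, r in hits]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

The comparison is on file name only, so a benign file that happens to share a lure name outside a "shar" folder is not reported; on a real host a hit would be confirmed by hashing or scanning the file rather than treated as proof of infection.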


Top 10 Most Prevalent Global Malware
(from January 23 to January 30, 2005)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. JAVA_BYTEVER.A
4. WORM_NETSKY.D
5. SPYW_GATOR.D
6. WORM_NETSKY.B
7. WORM_NETSKY.C
8. DOS_AGOBOT.GEN
9. SPYW_GATOR.C
10. TROJ_ISTBAR.GM

January 27 2005 WORM_BAGLE.AZ.

As of January 27, 2005 1:42 AM PST (Pacific Standard Time/GMT -8:00), NOD32 has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AZ. NOD32 has received several infection reports indicating that this malware is spreading in US, China, and Japan.

This WORM_BAGLE variant arrives on a system as an email attachment. It sends copies of itself to all email addresses it gathers from files with certain extensions but skips those addresses that contain particular strings.

Users should be wary of email with the following details:

Subject: (any of the following)

* Delivery service mail
* Delivery by mail
* Registration is accepted
* Is delivered mail
* You are made active
* Thanks for use of our software.
* Before use read the help

Message body: (any of the following)

* Delivery service mail
* Delivery by mail
* Registration is accepted
* Is delivered mail
* You are made active
* Thanks for use of our software.
* Before use read the help

Attachments: (any of the following file names)

* guupd02.exe
* Jol03.exe
* siupd02.exe
* upd02.exe
* viupd02.exe
* wsd01.exe
* zupd02.exe

(with any of the following extensions)

* COM
* CPL
* EXE
* SCR

The email is spoofed and may appear to have come from a familiar email address. As a general rule, users should avoid opening the attachments of unsolicited email.

This worm drops a copy of itself using the following file names into the Windows system folder:

* sysformat.exe
* sysformat.exeopen
* sysformat.exeopenopen

It also looks for folders whose names contain the string "shar" and drops copies of itself into those folders using file names with EXE extensions.

In addition, this worm terminates several processes, most of which are related to antivirus and security programs.


January 22 2005 Tsunami Worm - WORM_ZAR.A

WORM_ZAR.A is a mass-mailing worm that uses its own Messaging Application Programming Interface (MAPI) engine to propagate. It gathers email addresses from Microsoft Outlook and sends itself as an attachment. It runs on all Windows platforms (95, 98, ME, NT, 2000, and XP) and is currently spreading in the wild.

This mass-mailing worm drops the following files in the Windows folder:

* crssr.exe
* raz32.exe
* tsunami.exe

It then creates a registry entry to ensure that it automatically executes at every Windows startup.

The worm propagates via email using MAPI. It gathers recipient addresses from Microsoft Outlook, and sends a copy of itself as an attachment. The email it sends contains the following details:

Subject:
Tsunami Donation! Please help!

Body:
Please help us with your donation and view the attachment below! We need you!

Attachment:
tsunami.exe

This worm also attempts to perform a distributed denial of service (DDoS) attack.

If you would like to scan your computer for WORM_ZAR.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_ZAR.A is detected and cleaned by NOD32 antivirus.

Top 10 Most Prevalent Global Malware
(from January 14 to January 20, 2005)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. JAVA_BYTEVER.A
4. EXPL_DHTML.GEN
5. WORM_NETSKY.D
6. SPYW_GATOR.D
7. SPYW_GATOR.C
8. WORM_NETSKY.B
9. SPYW_GATOR.B
10. WORM_NETSKY.C

January 18 2005 Wild Worm - WORM_BUCHON.C

WORM_BUCHON.C mainly propagates via email. It uses its own built-in Simple Mail Transfer Protocol (SMTP) engine to send email without using other email applications such as Outlook Express. It obtains its target email recipients from an infected system, either by searching a user's inbox or by parsing files with certain extension names. It then mass-mails copies of itself to all harvested email addresses. This worm is currently spreading in the wild and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm drops the following files in the root directory (typically C:\):

* CSRSS.BIN - a log file used by this worm
* CSRSS.EXE - a component that acts as an HTTP proxy for downloading files from Web sites.

This worm also creates a registry entry that allows it to run at every Windows startup.

It obtains its target email recipients from an infected system, by searching an infected user's inbox, or by parsing files with the following extension names:

* DAT
* DBX
* EML
* MBX
* MDB
* TBB
* WAB

It also attempts to connect to specific DNS servers to locate its target email addresses. Using its own SMTP engine, it then mass-mails copies of itself to all harvested email addresses. The email message it sends contains the following details:

From: <Spoofed>
Subject: Mail Delivery failure - <Target user’s email address>
Message body:

If the message will not displayed automatically,
you can check original in attached message.txt

Failed message also saved at:
www.$HOST$/inbox/security/read.asp?sessionid-%d
(check attached instructions)

+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
Attachment:

* *.COM
* *.EXE

message txt<Spaces>length <malware size> bytes<Spaces>mcafee

(Note: The attachment is a copy of the worm. The asterisk (*) is a wildcard character representing zero or more characters; therefore *.* represents all files and folders, and *.SYS represents all files with the SYS extension.)

This worm disguises itself as the attached original message in a mail delivery failure notice, which may trick users into opening the file, thereby running this worm.


Top 10 Most Prevalent Global Malware
(week of: January 7 to January 13, 2005)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. JAVA_BYTEVER.A
4. WORM_NETSKY.D
5. TROJ_AGENT.FL
6. SPYW_GATOR.D
7. SPYW_GATOR.C
8. SPYW_GATOR.B
9. WORM_NETSKY.B
10. WORM_NETSKY.C

January 06 2005 Backdoor.Sdbot.AI and Backdoor.Ranky.P

Backdoor.Sdbot.AI is a network-aware worm with back door capabilities. It allows a remote attacker to gain unauthorized access to the infected computer and spreads via network shares.

Backdoor.Ranky.P is a back door Trojan horse program that allows an infected computer to be used as a covert proxy.


12website.com encourages all users and administrators to adhere to the following basic security "best practices":

* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

* Always keep your patch levels up to date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.

* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

* Isolate infected computers quickly to prevent further compromise of your organization. Perform a forensic analysis and restore the computers using trusted media.

* Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
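The attachment-blocking practice in the list above, and the subject lines and attachment names quoted in the BAGLE.AZ, ZAR.A and BUCHON.C alerts earlier on this page, can be applied together at a mail gateway. The script below is an added example written for this page, not code from the original page or from any antivirus product. It parses a raw MIME message with Python's standard `email` module and reports two kinds of findings: attachments whose real extension is on the blocklist (the .vbs/.bat/.exe/.pif/.scr set from the best-practices list, plus COM and CPL from the BAGLE.AZ alert), and subjects or attachment names matching the lures quoted in the alerts. The "real" extension is whatever follows the last dot once trailing whitespace is removed, so a BUCHON.C-style name padded with runs of spaces is classified by its true .exe ending and the padding itself is reported. The sample messages, sender addresses and payload bytes are constructed for the demonstration.

```python
"""Mail-gateway check for the attachment and subject indicators in this month's alerts.

Added example, not code from the original page or from any antivirus product.
"""
import re
from email import message_from_string

# Extensions named in the best-practices list, plus COM/CPL from the BAGLE.AZ alert.
BLOCKED_EXTENSIONS = {"vbs", "bat", "exe", "pif", "scr", "com", "cpl"}

# Subjects quoted in the BAGLE.AZ and ZAR.A alerts (compared case-insensitively).
LURE_SUBJECTS = {
    "delivery service mail", "delivery by mail", "registration is accepted",
    "is delivered mail", "you are made active",            # BAGLE.AZ
    "tsunami donation! please help!",                      # ZAR.A
}
# BUCHON.C subjects embed the target address, so only the fixed prefix is matched.
BUCHON_SUBJECT = re.compile(r"^mail delivery failure - ", re.IGNORECASE)

# Attachment base names quoted in the BAGLE.AZ and ZAR.A alerts.
LURE_ATTACHMENT_STEMS = {
    "guupd02", "jol03", "siupd02", "upd02", "viupd02", "wsd01", "zupd02",  # BAGLE.AZ
    "tsunami",                                                             # ZAR.A
}


def split_name(filename):
    """Return (stem, extension) of an attachment name, both lower-cased.

    Trailing whitespace and any path component are discarded first; the
    extension is taken after the LAST dot, which is what the operating system
    honours when the file is opened, whatever the name looks like to a reader.
    """
    base = filename.rstrip().replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return base.strip().lower(), ""
    stem, ext = base.rsplit(".", 1)
    return stem.strip().lower(), ext.strip().lower()


def attachment_names(msg):
    """All declared attachment file names in a parsed message."""
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]


def check_message(raw):
    """Return a list of (code, detail) findings; an empty list means nothing matched."""
    msg = message_from_string(raw)
    findings = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in LURE_SUBJECTS or BUCHON_SUBJECT.match(subject):
        findings.append(("lure-subject", subject))
    for name in attachment_names(msg):
        stem, ext = split_name(name)
        if ext in BLOCKED_EXTENSIONS:
            findings.append(("blocked-extension", ext))
        if stem in LURE_ATTACHMENT_STEMS:
            findings.append(("lure-attachment", stem))
        # Runs of two or more spaces inside the name are the BUCHON.C padding trick.
        if re.search(r"\s{2,}", name.rstrip()):
            findings.append(("padded-name", name))
    return findings


def should_block(raw):
    """Gateway policy: any finding at all is enough to hold the message."""
    return bool(check_message(raw))


def make_sample(subject, filename, body="Sample body text."):
    """Constructed two-part MIME message: a text body and one attachment."""
    return (
        "From: sender@example.com\n"
        "To: user@example.com\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        f"{body}\n"
        "--b1\n"
        "Content-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "AAAA\n"              # constructed placeholder bytes, not a real payload
        "--b1--\n"
    )


if __name__ == "__main__":
    samples = [
        make_sample("Delivery service mail", "guupd02.exe"),
        make_sample("Mail Delivery failure - user@example.com",
                    "message txt      length 23040 bytes      mcafee.exe"),
        make_sample("Tsunami Donation! Please help!", "tsunami.exe"),
        make_sample("Lunch on Friday?", "agenda.pdf"),
    ]
    for raw in samples:
        print("BLOCK " if should_block(raw) else "ACCEPT", check_message(raw))
```

The extension check is the part that keeps working after the lure lists go stale: the specific subjects and file names above are only valid for the variants described this month, whereas a policy that judges attachments by their last extension also catches renamed, padded and double-extension variants the alerts do not yet list.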

Top 10 Most Prevalent Global Malware
(from December 30, 2004 to January 06, 2005)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. WORM_SOBER.I
4. WORM_NETSKY.D
5. WORM_ZAFI.D
6. WORM_NETSKY.B
7. SPYW_GATOR.D
8. JS_BAIDU.A
9. WORM_NETSKY.C
10. WORM_NETSKY.Q


12website has a maintenance program for our clients to ensure they will not be let down by an inefficient computer.

Computer maintenance is necessary to keep your machine running smoothly without down time.