Computer Virus Alerts - Archive
Virus alerts for June 2004

By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient antivirus program, which checks for updates hourly.

Get in touch for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.

June 19 Worm Spreads through Mobile Phones - EPOC_CABIR.A (Low Risk)

A new proof-of-concept worm, EPOC_CABIR.A is capable of spreading through Bluetooth-enabled devices, and can affect certain mobile phone models from Nokia, Siemens, and Panasonic.

EPOC_CABIR.A arrives as a series of messages. The first notifies the user that there is a message to be received via Bluetooth; the next states: "Application is untrusted and may have problems. Install only if you trust provider." The user is then asked to confirm installation.

Once installed, the worm creates files on the default drive of the device and in the following directory:
SYMBIANSECUREDATA\CARIBESECURITYMANAGER

This worm targets Series 60 v0.9, which is a common setting for basic applications.

Affected models of phones include:
Nokia 7650
Nokia 7610
Nokia 6620
Nokia 6600
Nokia 3650, 3600
Nokia 3660, 3620
Nokia N-Gage
Panasonic X700
Siemens SX1
Sendo X

Top 10 Most Prevalent Global Malware
(from June 11, 2004 to June 17, 2004)

1. PE_ZAFI.B
2. WORM_NETSKY.P
3. HTML_NETSKY.P
4. WORM_NETSKY.D
5. WORM_NETSKY.Z
6. WORM_NETSKY.Q
7. WORM_NETSKY.B
8. WORM_NETSKY.C
9. JAVA_BYTEVER.A
10. WORM_SOBER.G

June 12 2004 Spreads Through Email, Network Shares, Kazaa - WORM_PLEXUS.C (Low Risk)

WORM_PLEXUS.C is a recently discovered worm that uses its own SMTP engine to send copies of itself via email. Emails appear with subject headers like: "Order" or "Good Offer". Messages appear to be from a familiar person.

Examples of messages:
"Look at my new screensaver. I hope you will enjoy"
"In this archive you can find all those things, you asked me"

The message comes with an .EXE attachment. Once executed, WORM_PLEXUS.C drops several copies of itself onto the infected system and creates Windows registry entries to automatically execute at each system startup.

To propagate, WORM_PLEXUS.C looks for files with the following extension names to retrieve email addresses and domain names: HTM, HTML, PHP, TBB, TXT. This worm can also drop copies of itself in the Kazaa (peer-to-peer network) shared folder, and propagate through network shares with full access rights.

This worm's code also contains the following text:
"KAV I'm Expletus !!!, Made in China"

This worm is currently in-the-wild and affects Windows 95, 98, ME, NT, 2000, and XP operating systems.

Top 10 Most Prevalent Global Malware
(from June 4, 2004 to June 10, 2004)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. WORM_SASSER.E
4. WORM_NETSKY.D
5. WORM_SOBER.G
6. TROJ_AGENT.AC
7. WORM_NETSKY.Z
8. WORM_NETSKY.C
9. WORM_NETSKY.Q
10. WORM_NETSKY.B

June 04, 2004 Resets Windows Wallpaper in June - WORM_LAMUD.A (Low Risk)

WORM_LAMUD.A is a recently discovered worm that, among other capabilities, can reset a user's wallpaper to one of three preset images during the month of June. This worm spreads via network shares, searching for writeable network shares and dropping a copy of itself in the root of shared directories and folders as "GAME.EXE".

Upon execution, this worm opens a Windows Explorer window to the Windows directory and disables registry modification and configuration dialogs, which prevents the affected user from viewing hidden files and from accessing the registry editing tools. When the system month is June, WORM_LAMUD.A drops the file ACD WALLPAPER.BMP into the Windows directory and then sets it as the wallpaper. Each execution of the malware rotates the wallpaper between three preset images.

This worm's code also contains the following text:
"Lamers Must Die!"
"Programmers Forever!"

This worm is currently in-the-wild and affects Windows 95, 98, ME, NT, 2000, and XP operating systems.

Top 10 Most Prevalent Global Malware
(from May 28, 2004 to June 3, 2004)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. WORM_NETSKY.D
4. WORM_NETSKY.Z
5. WORM_NETSKY.Q
6. WORM_SOBER.G
7. WORM_NETSKY.C
8. WORM_NETSKY.B
9. WORM_LOVGATE.G
10. WORM_MYDOOM.

May 28, 2004 Opens Backdoor, Steals Game Keys - WORM_RANDEX.AK (Low Risk)

WORM_RANDEX.AK is a memory-resident worm that spreads through network shares, opens ports, and connects to an Internet Relay Chat (IRC) server to await malicious commands. Once in control of the infected system, the malicious user can download and execute files, get system information, redirect connections, take screenshots, and launch a Denial-of-Service attack.

This worm is also programmed to steal CD keys to several popular computer game titles, including “Call of Duty”, “Halflife”, and “Neverwinter”.

This worm is currently in-the-wild and affects Windows 95, 98, ME, NT, 2000, and XP operating systems.

WORM_RANDEX.AK also creates Windows registry entries that execute the worm at every system startup and prevent the user from running applications. On Windows 95, 98, and ME systems, WORM_RANDEX.AK can disable registry tools to prevent the user from using the registry editor.

Top 10 Most Prevalent Global Malware
(from May 21, 2004 to May 27, 2004)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. WORM_NETSKY.D
4. WORM_NETSKY.B
5. WORM_NETSKY.Z
6. WORM_SASSER.E
7. WORM_NETSKY.C
8. WORM_SOBER.G
9. WORM_NETSKY.Q
10. WORM_MYDOOM.

LSASS Equals BOBAX - WORM_BOBAX.C (Low Risk)

WORM_BOBAX.C is a non-destructive worm that exploits the Windows LSASS vulnerability. This buffer overrun vulnerability allows an attacker to gain full control of an infected system. This worm is currently spreading in-the-wild and runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm installs itself in the Windows system folder using random file names. It also drops a .DLL file in the Windows Temp folder with the name <random number>.TMP.
It also creates a registry entry that allows it to automatically execute at every system startup.

This malware also checks whether the following mutex exists, to ensure that only one instance of itself is running in memory: 06:08:07:<random>. It then deletes its executed copy.

As part of its propagation routine, it sends a specially crafted packet to a specific port. This packet of data instructs the target machine to download the worm copy from an HTTP server. It saves this downloaded file as SVC.EXE.

If you would like to scan your computer for WORM_BOBAX.C or thousands of other worms, viruses, Trojans and malicious code, contact us for a one month free trial of the original antivirus used by over 18 million people worldwide. Add "Virus Trial" to the Comments area.

10 Most Prevalent In-the-Wild Malware
(week of: May 14, 2004 to May 20, 2004)

1. PE_ELKERN.D
2. PE_FUNLOVE.4099
3. WORM_NETSKY.P
4. HTML_NETSKY.P
5. WORM_NETSKY.D
6. WORM_SASSER.E
7. WORM_BOBAX.C
8. WORM_NETSKY.Z
9. WORM_SOBOT.KW
10. WORM_SOBER.

May 12 2004 - Medium Risk Virus Alert
WORM_WALLON.A - spreading in Germany and EMEA.

This mass-mailing worm exploits certain vulnerabilities found on Windows systems in order to download various files onto the infected system.

May 08, 2004
WORM_SASSER.B, a variant of the SASSER worm, exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of infected systems. This vulnerability is discussed in detail in Microsoft Security Bulletin MS04-011.

Upon execution, this memory-resident worm drops a copy of itself in the Windows folder as AVSERVE2.EXE. It then adds a registry entry that allows it to automatically execute at every system startup.

This SASSER variant creates the following mutexes:

* Jobaka3
* JumpallsNlsTillt

If an instance of JumpallsNlsTillt is found, this worm does not proceed with its execution.

To propagate on systems running Windows XP and Windows 2000 Professional, this worm creates 128 execution threads that generate random IP addresses. (The worm creates 128 threads at 25 ms, which results in 5,120 attacks per second.) It then sends a specially crafted packet to these addresses on TCP port 445. The sent packet causes a buffer overflow on LSASS.EXE and runs a remote shell on vulnerable machines. TCP port 445 is a valid port used by Windows 2000 to transport Server Message Block (SMB) data over TCP and UDP.

Windows 2003 Server is also vulnerable to the LSASS exploit, as reported by Microsoft in its Security Bulletin. However, due to the way SASSER uses the exploit, this worm is unable to infect Windows 2003 Server.

The remote shell listens on port 9996 for further commands from this worm, and allows the worm to manipulate the vulnerable machine. From its remote location, this worm sends commands to the remote shell so that an FTP script file, CMD.FTP, is generated. It also commands the remote shell to run the FTP script. The FTP script downloads a copy of this worm from the originally infected system to the machine running the shell.

After the download, this worm deletes the file CMD.FTP from the newly infected system. It also generates a log file WIN2.LOG in the root directory. This file contains the number of remote systems that the host system has infected and the IP address of the most recently infected system.

This worm produces a buffer overflow in LSASS.EXE, causing the program to crash, which requires Windows to restart.
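
The propagation sequence described above (a burst of connections to many random addresses on TCP port 445, followed by a connection to the remote shell on port 9996) can be hunted for in network flow records. The following is an added example, not part of the original alert: the record layout, the IP addresses, the fan-out threshold and the one-second window are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

SMB_PORT = 445         # port the alert says receives the crafted packet
SHELL_PORT = 9996      # port the alert says the remote shell listens on
FANOUT_THRESHOLD = 20  # assumed: distinct targets per window that counts as scanning
WINDOW_SECONDS = 1.0   # assumed sliding-window length

def build_sample():
    """Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    flows = [(100.0 + i * 0.025, "10.0.0.5", f"198.51.100.{i + 1}", SMB_PORT)
             for i in range(40)]                      # one probe every 25 ms
    flows.append((101.2, "10.0.0.5", "198.51.100.7", SHELL_PORT))
    flows += [(100.0 + i * 0.03, "10.0.0.8", "10.0.0.2", SMB_PORT)
              for i in range(30)]                     # normal file-server traffic
    flows.append((100.5, "10.0.0.8", "10.0.0.9", SHELL_PORT))  # no prior scan
    return flows

def find_scanners(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Sources reaching >= threshold distinct hosts on TCP 445 inside one window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))
    scanners = set()
    for src, events in by_src.items():
        events.sort()
        start, in_window = 0, defaultdict(int)
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:     # evict probes older than window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                scanners.add(src)
                break
    return scanners

def find_likely_victims(flows, scanners):
    """(scanner, target) pairs where a 445 probe is followed by a 9996 connection."""
    probed, victims = set(), set()
    for ts, src, dst, port in sorted(flows):
        if src not in scanners:
            continue
        if port == SMB_PORT:
            probed.add((src, dst))
        elif port == SHELL_PORT and (src, dst) in probed:
            victims.add((src, dst))
    return victims
```

A pair returned by `find_likely_victims` points at a machine worth checking for the host artifacts named in this alert (AVSERVE2.EXE in the Windows folder and WIN2.LOG in the root directory).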

12website has a maintenance program for our clients to ensure they will not be 'let down' by an inefficient computer.

Computer maintenance is necessary to keep your machine running smoothly without down time.
