Virus alerts for October 2004

By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient anti virus program which checks for updates hourly.

Get in touch for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.

October 31 2004 Hot BAGLE - WORM_BAGLE.AT

NOTE: This information is an archive. WORM_BAGLE.AT has triggered a Medium Risk virus alert, as of October 29, 2004 at 2:07am (GMT -07:00; Daylight Saving Time). This worm runs on Windows 95, 98, ME, NT, 2000, and XP, and is currently spreading in the wild. It is a memory-resident worm that spreads via email and through network shares. It arrives in an email with the following details:

From: <spoofed>

Subject: <any of the following>
• Re:
• Re: Hello
• Re: Hi
• Re: Thank you!
• Re: Thanks :)

Message body: <any of the following>
• :)
• :))

Attachment: <any of the following>
• PRICE
• JOKE

with the following extension names:
• COM
• CPL
• EXE
• SCR

This worm scans infected systems for files with certain extension names to acquire its target recipients. It then uses its own SMTP engine and the domain servers of the acquired email addresses for its mailing routine. Unsuspecting users may then receive email messages from trusted acquaintances and readily execute the attachment, thereby launching this worm.

Upon execution, it proceeds to drop copies of itself in folders with names containing the text string "shar", or in shared folders. It also uses file names that appear legitimate. This worm compromises system security by terminating several antivirus and security-related applications if found on an infected system. It also connects to a list of Web sites where it may download components. It also opens port 81 possibly for its backdoor activities.

Continuing the notable BAGLE characteristics, it attacks the NETSKY family of worms. It deletes several registry entries and file names associated with NETSKY, and also creates several mutexes that prevent the execution of NETSKY variants on the infected machine.

Top 10 Most Prevalent Global Malware
(week of: October 22, 2004 to October 28, 2004)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. PE_FUNLOVE.4099
4. PE_KRIZ.4029
5. PE_ZAFI.B
6. WORM_NETSKY.D
7. JAVA_BYTEVER.A
8. JS_SMALL.D
9. WORM_NETSKY.B
10. TROJ_SWIZZOR.R

October 22 2004 WORM_WOOTBOT.BJ

WORM_WOOTBOT.BJ is a non-destructive worm that takes advantage of the Windows LSASS vulnerability in order to propagate. It drops a copy of itself into the default shared folders of unpatched machines. It steals the CD keys of popular game applications, Microsoft Windows Product IDs, and Yahoo Messenger IDs. It updates itself by creating the file 1.BAT and executing it afterwards; this batch file downloads a copy of the worm from the Internet and then executes it on the compromised system. This worm is currently spreading in the wild and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm drops a copy of itself as SERVICED.EXE in the Windows system folder, executes the dropped copy, and then deletes itself. It then adds several registry entries that allow it to run automatically at every system startup.

This worm exploits the Windows LSASS vulnerability to propagate. This vulnerability is a buffer overrun that allows remote code execution and allows an attacker to gain full control of infected systems.

This worm copies and executes itself on vulnerable systems and searches for the following default network shares:

* ADMIN$
* C$
* D$
* IPC$

It steals Microsoft Windows Product IDs and Yahoo Messenger IDs, as well as the CD keys of the following popular games:

* Battlefield 1942
* Battlefield 1942: Secret Weapons Of WWII
* Battlefield 1942: The Road To Rome
* Battlefield 1942: Vietnam
* Black and White
* Command and Conquer: Generals
* Command and Conquer: Generals: Zero Hour
* Command and Conquer: Red Alert2
* Command and Conquer: Tiberian Sun
* Counter-Strike
* FIFA 2002
* FIFA 2003
* Freedom Force
* Global Operations
* Gunman Chronicles
* Half-Life
* Hidden and Dangerous 2
* IGI2: Covert Strike
* Industry Giant 2
* James Bond 007: Nightfire
* Medal of Honor: Allied Assault
* Medal of Honor: Allied Assault: Breakthrough
* Medal of Honor: Allied Assault: Spearhead
* Nascar Racing 2002
* Nascar Racing 2003
* Need For Speed: Hot Pursuit 2
* Need For Speed: Underground
* Neverwinter Nights
* NHL 2002
* NHL 2003
* Ravenshield
* Shogun: Total War: Warlord Edition
* Soldier Of Fortune 2
* Soldiers Of Anarchy
* The Gladiators
* Unreal Tournament 2003
* Unreal Tournament 2004

This worm appears to possess backdoor capabilities. It updates itself by creating and executing the file 1.BAT, which downloads a copy of the worm from the Internet and then executes it on the compromised system.

Top 10 Most Prevalent Global Malware
(week of: October 15, 2004 to October 22, 2004)

1. WORM_NETSKY.P
2. PE_ZAFI.B
3. HTML_NETSKY.P
4. WORM_NETSKY.D
5. JAVA_BYTEVER.A
6. WORM_NETSKY.B
7. WORM_NETSKY.C
8. WORM_ANIG.A
9. WORM_NETSKY.Q
10. HTML_CITIFRAUD.C

October 14 2004 Microsoft Vulnerabilities (High Risk)

The following set of ten Microsoft vulnerabilities were published by Microsoft in October 2004:

MS04-029_RPC_RUNTIME_LIBRARY
MS04-030_WEBDAV_XML
MS04-031_NETDDE
MS04-032_MICROSOFT_WINDOWS
MS04-033_MICROSOFT_EXCEL
MS04-034_COMPRESSED_FOLDERS
MS04-035_SMTP
MS04-036_NNTP
MS04-037_WINDOWS_SHELL
MS04-038_INTERNET_EXPLORER

12website.com advises users to patch their systems against these vulnerabilities, and to refrain from using them until they have been completely patched. In Internet Explorer, click the Tools menu and then Windows Update; download and install the Critical Updates.

Frantic FILI - WORM_FILI.A - Music Download Virus

WORM_FILI.A is a non-destructive worm that propagates via peer-to-peer applications by dropping copies of itself in default shared folders. It also propagates via email and Internet Relay Chat (IRC). It can disable the Windows Task Manager, thereby preventing an infected user from terminating its process. It also displays the Windows Shut Down menu (the window that pops up when the CTRL+ALT+DEL keys are pressed) every few seconds to annoy the user. This worm is currently spreading in the wild, infecting systems running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm drops a copy of itself in the Windows system folder as the file PILIF.EXE. It creates a registry entry that allows it to execute automatically at every system startup.

This worm drops copies of itself in the following folders found in the Program Files directory, which are default-shared folders of popular peer-to-peer (P2P) applications:

\BearShare\Shared
\BearShare\Shared\
\Edonkey2000\Incoming
\Edonkey2000\Incoming\
\Grokster\My Grokster
\Grokster\My Grokster\
\icq\shared files\
\Kazaa\My Shared Folder
\Kazaa\My Shared Folder\
\KMD\Shared Folder
\limewire\Shared
\limewire\Shared\
\Morpheus\My Shared Folder
\Morpheus\My Shared Folder\
\Shareaza\downloads
\WinMX\my shared folder\
Shareaza\downloads

It uses any of the following file names for its dropped copy, followed by an .EXE, .SCR, .PIF, .BAT, or .CMD extension:

Anti-hacker Utility
Cracks mega warez collection
Dark Coderz Alliance
Easy credit card validation
Free porn sites accounts
Kasperky AV Universal Key
Norton 2004 crack
Sex - totally free porn
Webmail official hacker
Yahoo hacker

This worm searches for email addresses in .HTM and .HTML files found on the affected system. It then sends email messages to these addresses using MAPI, with the following details:

Message body: (any of the following)

Important legal notice!
Do not delete this message. Analyse attachement and reply
as soon as possible with manifesto details.
Thank you!
-------------------

Please help us to save the right of freedom of expression!
All details will be displayed in small attached file. Good luck and thank you.
-------------------

You personal manifesto details are attached. Take good care of them!
-------------------

Help us gather online votes for our anti-censore manifesto
We need you help now! Attachement will automatically send a vote to our
online database once you run it and will be redirected to our webpage!
Thank you!
-------------------

Its curious, its scandalous... dont be so furious!
Life is bitch so dont take it serious.
-------------------

Please help us be free! We need the basic right of expression.
Enable an online vote for our manifesto with the help of the attachement.
Many thanks!
-------------------

Music is beeing censored, journalists are afraid, law has not been
respected for long time. Why? Because of corruption and lack of right of
expression. Help us! Enable the attachement and our voting system will
track and record you help. Many thanks!
-------------------

Parazitii need your help for the anti-censore campaign! See all details
in the attachement. Thank you!
-------------------

Its just hip-hop. Nothing else. Enjoy!
Oh yeah! one more thing: its a censore-related manifesto :)
-------------------

This is my manifesto. You can stop this individual,
but you can't stop us all...after all,we're all alike.
-------------------

Attachment: (any one of the following, followed by an .EXE, .SCR, .PIF, .BAT, or .CMD extension)

* attachement
* details
* freedom
* Freedom of expression
* Goverment issue
* JOS CeNzurA
* manifesto
* Manifesto anti pilif
* Manifesto details
* Parazitii
* pilif
* Simple solution
* stolen rights
* sustain cause

This worm drops a modified SCRIPT.INI file in the following folders:

C:\mirc\
C:\mirc32\
C:\mirc\32
%Program Files%\mirc\
%Program Files%\mirc32\

This modified IRC script sends a copy of the worm to every user who enters the same chatroom as the infected user. It displays the following message upon file transfer:

DCA are fighting for free speech. Get their manifesto now!

It then sends out the following file:

Manifesto Anti Censore Pilif.txt.exe

This worm disables the Windows Task Manager to prevent an infected user from terminating its process. It also displays the Windows Shut Down menu every few seconds to annoy the user.

If you would like to scan your computer for WORM_FILI.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_FILI.A is detected and cleaned by Trend Micro pattern file 2.193.14 and above.

Top 10 Most Prevalent Global Malware
(week of: October 8, 2004 to October 14, 2004)

1. WORM_NETSKY.P
2. PE_ZAFI.B
3. HTML_NETSKY.P
4. WORM_NETSKY.D
5. JAVA_BYTEVER.A
6. WORM_NETSKY.B
7. WORM_NETSKY.C
8. WORM_ANIG.A

October 09 2004 Bag it Up - WORM_BAGZ.A

WORM_BAGZ.A is a memory-resident, mass-mailing worm that uses SMTP (Simple Mail Transfer Protocol) to propagate. It arrives as an attachment to an email with a spoofed From field and varying subjects, message bodies, and attachment file names. This non-destructive worm also drops multiple components in the Windows system folder upon execution. It runs on Windows 95, 98, ME, NT, 2000 and XP, and is currently spreading in the wild.

Upon execution, this worm drops the following files in the Windows system folder:

* DRIVERS\NDISRD.SYS
* DL.EXE – downloads and executes a file from a remote site
* IPDB.DLL
* JOBDB.DLL
* NDISAPI.DLL
* NDISRD.SYS
* SYSLOGIN.EXE – a mass-mailing component of this worm
* TUTORIAL.DOC<numerous space characters>.EXE – a copy of this worm
* TUTORIAL.ZIP – a .ZIP archive that contains the file TUTORIAL.DOC<numerous space characters>.EXE

It also adds a registry entry that allows it to execute automatically at every system startup, and uses SMTP to send multiple copies of itself.
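
The dropped-file names above, together with SERVICED.EXE from the WORM_WOOTBOT.BJ write-up and PILIF.EXE, the P2P lure names and the mIRC SCRIPT.INI from the WORM_FILI.A write-up, can be turned into a simple host-side indicator sweep. The script below is an added example, not Trend Micro's or 12website's code: it walks a directory tree standing in for a Windows volume and reports files whose names match those indicators. The candidate system-folder layouts, the `sweep`/`demo` function names and the sample tree are assumptions made for this example; the indicator names themselves come from the advisories on this page.

```python
import re
import tempfile
from pathlib import Path

# Candidate system folders relative to the volume root. The advisories say only
# "the Windows system folder"; these layouts are an assumption of this example.
SYSTEM_FOLDERS = ("Windows/System32", "Windows/System", "WINNT/system32")

# Exact dropped-file names taken from the advisories, keyed by family.
SYSTEM_FOLDER_IOCS = {
    "SERVICED.EXE": "WORM_WOOTBOT.BJ",
    "PILIF.EXE": "WORM_FILI.A",
    "DL.EXE": "WORM_BAGZ.A", "IPDB.DLL": "WORM_BAGZ.A", "JOBDB.DLL": "WORM_BAGZ.A",
    "NDISAPI.DLL": "WORM_BAGZ.A", "NDISRD.SYS": "WORM_BAGZ.A",
    "SYSLOGIN.EXE": "WORM_BAGZ.A", "TUTORIAL.ZIP": "WORM_BAGZ.A",
}
# BAGZ copy named "TUTORIAL.DOC<numerous space characters>.EXE".
BAGZ_PADDED = re.compile(r"^TUTORIAL\.DOC\s+\.EXE$", re.IGNORECASE)

# Default P2P share folders (under Program Files) and lure names from the FILI write-up.
P2P_SHARES = (
    "BearShare/Shared", "Edonkey2000/Incoming", "Grokster/My Grokster",
    "icq/shared files", "Kazaa/My Shared Folder", "KMD/Shared Folder",
    "limewire/Shared", "Morpheus/My Shared Folder", "Shareaza/downloads",
    "WinMX/my shared folder",
)
FILI_LURES = {n.upper() for n in (
    "Anti-hacker Utility", "Cracks mega warez collection", "Dark Coderz Alliance",
    "Easy credit card validation", "Free porn sites accounts",
    "Kasperky AV Universal Key", "Norton 2004 crack", "Sex - totally free porn",
    "Webmail official hacker", "Yahoo hacker",
)}
FILI_EXTS = {".EXE", ".SCR", ".PIF", ".BAT", ".CMD"}
MIRC_FOLDERS = ("mirc", "mirc32", "mirc/32", "Program Files/mirc", "Program Files/mirc32")


def _files_in(folder: Path):
    """Yield regular files directly inside folder (nothing if it does not exist)."""
    if folder.is_dir():
        yield from (p for p in folder.iterdir() if p.is_file())


def sweep(root: Path) -> list[dict]:
    """Return one {'family', 'path', 'reason'} record per indicator found under root."""
    hits = []

    def add(family, path, reason):
        hits.append({"family": family, "path": str(path), "reason": reason})

    for sysdir in SYSTEM_FOLDERS:
        for f in _files_in(root / sysdir):
            if f.name.upper() in SYSTEM_FOLDER_IOCS:
                add(SYSTEM_FOLDER_IOCS[f.name.upper()], f, "dropped component in system folder")
            elif BAGZ_PADDED.match(f.name):
                add("WORM_BAGZ.A", f, "space-padded .DOC/.EXE copy in system folder")
    for share in P2P_SHARES:
        for f in _files_in(root / "Program Files" / share):
            if f.stem.upper() in FILI_LURES and f.suffix.upper() in FILI_EXTS:
                add("WORM_FILI.A", f, "lure-named executable in P2P shared folder")
    for mdir in MIRC_FOLDERS:
        for f in _files_in(root / mdir):
            if f.name.upper() == "SCRIPT.INI":
                add("WORM_FILI.A", f, "SCRIPT.INI in mIRC folder; inspect for DCC send lines")
    return hits


def build_sample_tree(root: Path) -> None:
    """Constructed sample volume: one indicator of each kind plus benign files."""
    for rel in (
        "Windows/System32/PILIF.EXE",
        "Windows/System32/TUTORIAL.DOC" + " " * 40 + ".EXE",
        "Windows/System32/notepad.exe",                               # benign
        "Program Files/Kazaa/My Shared Folder/Norton 2004 crack.scr",
        "Program Files/Kazaa/My Shared Folder/holiday.jpg",           # benign
        "mirc/SCRIPT.INI",
    ):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed placeholder, not malware")


def demo() -> list[dict]:
    """Run the sweep over a throwaway sample tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return sweep(Path(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['family']:16} {hit['reason']:55} {hit['path']}")
```

Name matching is deliberately case-insensitive because Windows file systems are; the benign `notepad.exe` and `holiday.jpg` in the sample tree show that only the listed names, not every executable, are reported. A SCRIPT.INI hit is only a lead, since mIRC users may legitimately have one; the advisory's description (a script that sends a file to everyone joining the channel) is what to look for when reading it.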

It arrives on a system as an attachment to an email with the following details:

From: <spoofed>

Subject: (any of the following)
[Fwd: Broken link]
big announcements
building maintenance
Cost Inquiry
Deactivation Notice
failure notice
find a solution with this customer
Fwd: Password
Fwd: Your Funds are Eligible for Withdrawal
Knowledge Base Article
last request before refunding
Message recieved, please confirm
My funny stories
Need help pls
No Subject
Open Invoices
Order Approval
progress news
Questions
Re: Help Desk Registration
Re: payment
RE: quote request
RE: Re: A question
Re: User ID Update
referrences
Returned mail: see transcript for details
troubles are back again
units available
Webmail Invite
What is this ????
when should i call you?
WinXP
You have recieved an eCard!

Message body: (any of the following)
***URGENT: SERVICE SHUTDOWN NOTICE***
Due to your failure to comply with our email
Rules and Regulations, your email account has been
temporarily suspended for 24 hours unless we are contacted regarding this situation.
You must read the attached document for further instructions. Failure to comply will result in termination of your account.
Regards, Net Operator

***URGENT: SERVICE SHUTDOWN NOTICE***
***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
You are currently unable to send emails.
This may be a billing issue.
Please call the billing center.
The # for the billing office is located in the attached
contact list for your convenience.

***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
Hello
The previous email you sent has been recognized as spam.
This means your email was not delivered to your friend or client.
You must open the attached file to receive more information.

***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
Hello,
What version of windows you are using?
This last document I received from you came out weird.
Please see the attached word file and resend the file to me.
Many thanks,
User

Hello,
My PC crashed while I was sending that last email.
I have re-attached the document of yours that I discovered.
Please read attached document and respond ASAP.
Sincerely,
User,0

Hello,
Your email was sent in an INVALID format.
To verify this email was sent from you,
simply open the attached email (.eml) file
and click yes in the sender options box.
Thank You,
User

Hello,
Your email was received.
YOUR REPLY IS URGENT!
Please view the attached text file for instructions.
Regards,
User

Hello,
I was in a hurry and I forgot to attach an important
document. Please see attached.
Best Regards,
User

Hello,
I resent this email as attachment because
it was previously blocked by your email filters.
Please read the attachment and respond.

Thanks,User

Hello,
Sorry, I forgot to attach the new contact information.
Please view the attached (.pdf) contact sheet.
Sincerely,
User

Attachment: (any of the following)
ACCOUNT.DOC<numerous space characters>.EXE
ACCOUNT.ZIP
ARCH.DOC<numerous space characters>.EXE
ARCH.ZIP
ARCHIVE.DOC<numerous space characters>.EXE
ARCHIVE.ZIP
ATACH.DOC<numerous space characters>.EXE
ATACH.ZIP
ATT.DOC<numerous space characters>.EXE
ATT.ZIP
CONTACT.DOC<numerous space characters>.EXE
CONTACT.ZIP
DB.DOC<numerous space characters>.EXE
DB.ZIP
DOCUMENTS.DOC<numerous space characters>.EXE
DOCUMENTS.ZIP
FILE.DOC<numerous space characters>.EXE
FILE.ZIP
MAIL.DOC<numerous space characters>.EXE
MAIL.ZIP
MESSAGE.DOC<numerous space characters>.EXE
MESSAGE.ZIP
MESSAGES.DOC<numerous space characters>.EXE
MESSAGES.ZIP
MSG.DOC<numerous space characters>.EXE
MSG.ZIP
READ.DOC<numerous space characters>.EXE
READ.ZIP
README.DOC<numerous space characters>.EXE
README.ZIP
SUPPORT.DOC<numerous space characters>.EXE
SUPPORT.ZIP
WARNING.DOC<numerous space characters>.EXE
WARNING.ZIP
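
Three of this month's worms share one delivery pattern: BAGLE attaches PRICE or JOKE with a COM, CPL, EXE or SCR extension; FILI uses EXE, SCR, PIF, BAT or CMD; and BAGZ either attaches a copy named `NAME.DOC<numerous space characters>.EXE`, so that the .EXE scrolls out of view in a mail client, or wraps that file in a ZIP. The mail-gateway check below is an added example (not Trend Micro's or 12website's code) that flags all three: a directly executable extension, whitespace padding before the final extension, and ZIP attachments whose members have either property. The function names and the sample attachment list are constructed for this example; the extensions and naming tricks are the ones the advisories describe.

```python
import io
import re
import zipfile

# Extensions the BAGLE and FILI write-ups list for attachments; all run directly.
EXEC_EXTS = {"COM", "CPL", "EXE", "SCR", "PIF", "BAT", "CMD"}
# A final extension preceded by a run of whitespace: the BAGZ
# "NAME.DOC<numerous space characters>.EXE" trick that hides the .EXE.
PADDED_RE = re.compile(r"\S\s+\.[A-Za-z0-9]{1,4}$")


def final_ext(name: str) -> str:
    """Upper-case extension after the last dot ('' if there is none)."""
    return name.rsplit(".", 1)[1].upper() if "." in name else ""


def classify_name(name: str) -> list[str]:
    """Reasons a bare file name is suspicious, in a fixed order."""
    reasons = []
    if final_ext(name) in EXEC_EXTS:
        reasons.append("executable-extension")
    if PADDED_RE.search(name):
        reasons.append("whitespace-padded-double-extension")
    return reasons


def classify_attachment(name: str, data: bytes = b"") -> list[str]:
    """Classify an attachment by name; for ZIP files also inspect member names."""
    reasons = classify_name(name)
    if final_ext(name) == "ZIP" and data:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Strip any directory part before classifying the member name.
                if any(classify_name(m.rsplit("/", 1)[-1]) for m in zf.namelist()):
                    reasons.append("archive-member-executable")
        except zipfile.BadZipFile:
            reasons.append("malformed-zip")
    return reasons


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


def triage(attachments: list[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Return {attachment name: reasons} for every flagged attachment."""
    verdicts = {}
    for name, data in attachments:
        reasons = classify_attachment(name, data)
        if reasons:
            verdicts[name] = reasons
    return verdicts


# Constructed sample mailbox modelled on the names the advisories list.
SAMPLE_ATTACHMENTS = [
    ("PRICE.exe", b"MZ placeholder"),                          # BAGLE-style
    ("Manifesto details.scr", b"MZ placeholder"),              # FILI-style
    ("ARCH.DOC" + " " * 60 + ".EXE", b"MZ placeholder"),       # BAGZ-style
    ("TUTORIAL.ZIP", make_zip({"TUTORIAL.DOC" + " " * 50 + ".EXE": b"MZ placeholder"})),
    ("quarterly-report.pdf", b"%PDF-1.4 placeholder"),         # benign
    ("photos.zip", make_zip({"holiday.jpg": b"\xff\xd8 placeholder"})),  # benign
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name.strip()!r}: {', '.join(reasons)}")
```

The padding check keys on the name rather than on a fixed list of decoy extensions, so it also catches the `.pdf`, `.eml` and text-file decoys the BAGZ message bodies mention. Blocking on `executable-extension` alone is the policy most gateways adopted after 2004; the ZIP inspection closes the obvious bypass that BAGZ's `.ZIP` variants were built for.
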

Top 10 Most Prevalent Global Malware
(week of: October 1, 2004 to October 7, 2004)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. PE_ZAFI.B
4. WORM_NETSKY.D
5. JAVA_BYTEVER.A
6. WORM_NETSKY.C
7. WORM_ANIG.A
8. WORM_NETSKY.DAM
9. WORM_NETSKY.B
10. HTML_CITIFRAUD.C

October 05 2004 JPEG JPG Hack Tool - HKTL_JPGDOWN.A

HKTL_JPGDOWN.A is a non-destructive hacker tool that creates a JPEG file which exploits a vulnerability in Windows XP. This buffer overrun vulnerability in the processing of JPEG image formats may allow a remote user to execute code on an affected system. If a user is logged in with administrator privileges, this vulnerability allows an attacker to take complete control of the affected system and perform actions such as installing programs; viewing, changing or deleting data; and creating new accounts with full privileges. This malware is currently spreading in the wild, infecting computer systems that are running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this hack tool displays a dialogue box with the buttons “Make” and “About”. The Trojan dropped by this hack tool attempts to download and execute files from any URL that a malicious user enters in the dialogue box.

This hack tool also drops the file MYPICTURE.JPG in the current folder. After execution of this hack tool, the following message is displayed:

"The Jpeg Server, has been created with your settings in the current directory."

The following strings can be found in the malware body:

JPEG Downloader V1.0
With this downloader you can create downloader server with *.jpg
extension.
Based on Buffer Overrun in JPEG Processing (GDI+) Could Allow
Code Execution (833987)
Using Generic win32 http download shellcode
Bug analized by eEye Digital Security (http://www.eeye.com)
Compilied 23/09/04
Copyright
2004 ProGroup Software, Inc.
Coded By ATmaCA
E-Mail:support@prohack.net
Web:http://www.prohack.net
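
The strings above name the bug the tool relies on: Microsoft's "Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution" (KB 833987, bulletin MS04-028). The patch is the fix; a structural check on inbound images is a useful compensating control at a gateway or proxy, and it is also a compact way to see what the advisory means by a malformed JPEG. A JPEG is a sequence of marker segments, each `0xFF xx` marker followed by a 16-bit big-endian length that counts the two length bytes themselves, so a length field below 2 cannot occur in a valid file, and an undersized comment (COM, `0xFFFE`) segment length is exactly what the GDI+ bug mishandled. The validator below is an added example (not the tool's code and not Trend Micro's): it walks the segments and rejects any file whose length fields are below 2 or run past the end of the data. The sample files are constructed byte strings with no image data, and the function names are this example's own.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
STANDALONE = {0x01} | set(range(0xD0, 0xD8))   # TEM and RST0-RST7 carry no length


def validate_jpeg(data: bytes) -> tuple[bool, str]:
    """Walk the marker segments; return (True, 'ok') or (False, reason)."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return False, "missing SOI marker"
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return True, "ok"
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return False, f"truncated length field for marker 0x{marker:02X}"
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2:
            return False, (f"segment 0x{marker:02X} at offset {pos - 2} "
                           f"has impossible length {seg_len}")
        if pos + seg_len > len(data):
            return False, f"segment 0x{marker:02X} runs past end of data"
        pos += seg_len
        if marker == SOS:
            # Entropy-coded scan data follows: skip to the next real marker
            # (0xFF00 is a stuffed byte, 0xFFD0-D7 are restart markers).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt not in STANDALONE:
                    break
                pos += 1
    return False, "no EOI marker"


def com_segment(text: bytes) -> bytes:
    """Well-formed comment segment: marker, length (2 + payload), payload."""
    return b"\xff" + bytes([COM]) + struct.pack(">H", len(text) + 2) + text


# Constructed samples (byte strings only, no real image data).
GOOD_SAMPLE = b"\xff\xd8" + com_segment(b"holiday snapshot") + b"\xff\xd9"
UNDERSIZED_COM_SAMPLE = b"\xff\xd8\xff\xfe\x00\x01\xff\xd9"   # length 1: impossible
TRUNCATED_SAMPLE = b"\xff\xd8\xff\xfe\x00\x10\x41"            # claims 16, has 1


def scan(samples: dict[str, bytes]) -> dict[str, str]:
    """Map each file name to 'ok' or the first structural problem found."""
    return {name: validate_jpeg(blob)[1] for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan({"good.jpg": GOOD_SAMPLE,
                               "undersized.jpg": UNDERSIZED_COM_SAMPLE,
                               "truncated.jpg": TRUNCATED_SAMPLE}).items():
        print(f"{name}: {verdict}")
```

The check is purely structural, so it rejects every file with an impossible segment length rather than only the comment-segment case, which is why it is safe to apply to all image traffic. Because the file extension tells you nothing (the tool names its output MYPICTURE.JPG and the page's own text shows that the content, not the name, is what matters), the validator looks only at the bytes.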

Top 10 Most Prevalent Global Malware
(week of: September 24, 2004 to September 30, 2004)

1. PE_ZAFI.B
2. WORM_NETSKY.P
3. HTML_NETSKY.P
4. WORM_NETSKY.D
5. PE_FUNLOVE.4099
6. JAVA_BYTEVER.A
7. DEADLINK_NOVIRUS
8. PE_NIMDA.A-O
9. WORM_NETSKY.C
10. WORM_ANIG.A

12website has a maintenance program for our clients to ensure they will not be 'let down' by an inefficient computer.

Computer maintenance is necessary to keep your machine running smoothly without down time.
