Virus alerts for September 2004

By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient anti virus program which checks for updates hourly.

Get in touch for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.

Date: September 28, 2004 - WORM_MEXER.E (Low Risk)

WORM_MEXER.E is a memory-resident worm that propagates via peer-to-peer (P2P) file-sharing networks, particularly Kazaa and Imesh, and by mailing copies of itself via Simple Mail Transfer Protocol (SMTP). This worm creates a folder and drops several copies of itself into it, using filenames that refer to software, movies, or games. It harvests email addresses to send to by scanning certain files on the infected system. WORM_MEXER.E is currently spreading in-the-wild and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this memory-resident worm displays a message box. It then adds a registry entry that allows it to automatically execute at every system startup. To propagate via peer-to-peer file-sharing networks - specifically Kazaa and Imesh - the worm creates three more registry entries.

This worm then creates a folder named sysnet in the root folder and drops 42 files in it. It also drops another set of randomly named files in this same folder. The filenames are formed from a combination of 70 different naming strings made up of the titles or names of popular software, movies, and games. These filenames are meant to entice P2P network users to download and execute them. Read the Technical Details of the Virus Description for the full list of naming strings.

This worm also searches for the following files:

* C:\*.DBX
* C:\*.DOC
* C:\*.HTM
* C:\*.RTF
* C:\*.SHT
* C:\*.TXT
* C:\*.WAB

If found, the worm scans these files for email addresses and sends email to these addresses. It skips email addresses with the following strings:

* admi
* host
* kasp
* micr
* newv
* root
* supp
* viru
* webm

It sends email via Simple Mail Transfer Protocol (SMTP) with any of the following details:

Subject: EBAY Information
Message body: EBAY Installer...
Attachment: <files from the sysnet folder>

Subject: VISA Information
Message body: Security Tool...
Attachment: <files from the sysnet folder>

Subject: Provider Information
Message body: New account data...
Attachment: <files from the sysnet folder>

Subject: Your Crack1
Message body: Here is your crack!
Attachment: <files from the sysnet folder>

Subject: Internet Information
Message body: New account data...
Attachment: <files from the sysnet folder>

Top 10 Most Prevalent Global Malware
(week of: September 21, 2004 to September 27, 2004)

1. WORM_NETSKY.P
2. PE_ZAFI.B
3. HTML_NETSKY.P
4. PE_FUNLOVE.4099
5. HTML_BAGLE.AI
6. WORM_NETSKY.D
7. JAVA_BYTEVER.A
8. DEADLINK_NOVIRUS
9. TROJ_AGENT.EG
10. WORM_NETSKY.C

Date: September 18, 2004 - Bad Bot - WORM_SDBOT.VQ

WORM_SDBOT.VQ is a memory-resident worm that spreads via network shares and exploits specific vulnerabilities to propagate across networks. It also gathers available lists of user names and passwords, and uses this information to locate and list shared folders where it drops a copy of itself. This worm has backdoor capabilities and attempts to connect to an Internet Relay Chat (IRC) server to allow a remote user to access the infected system and run malicious commands. WORM_SDBOT.VQ runs on Windows NT, 2000, and XP.

Upon execution, this memory-resident worm drops a copy of itself in the Windows System directory as EXPLORER32.EXE. It adds registry entries to enable this dropped copy to run at every Windows startup. It then creates several threads to be used for sniffing, keylogging, and other backdoor capabilities. It also attempts to send copies of itself to other systems as BLING.EXE.

This worm spreads via network shares. It gathers available lists of names and passwords, and uses this gathered information to locate and list shared folders where it drops a copy of itself. It then attempts to access systems with weak passwords to drop a copy of itself. You may view the list of usernames and passwords in the Technical Details section of this virus description.

This worm takes advantage of the following Windows vulnerabilities:

* IIS5/WEBDAV Buffer Overflow vulnerability
* Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
* Buffer Overflow in SQL Server 2000
* Windows LSASS Vulnerability

This worm attempts to connect to the Internet Relay Chat (IRC) server, irc.t3musso.net, which allows a remote user to access the infected system and perform the following commands:

* Update malware from HTTP and FTP URL
* Steal CD keys of game applications
* Execute a file
* Download from HTTP and FTP URL
* Open a command shell
* Open files
* Display the driver list
* Get screen capture
* Capture pictures and video clips
* Display netinfo
* Make a bot join a channel
* Stop and start a thread
* List all running processes
* Rename a file
* Generate a random nickname
* Perform different kinds of DDoS attacks
* Retrieve and clear log files
* Terminate the bot
* Disconnect the bot from IRC
* Send a message to the IRC server
* Let the bot perform a mode change
* Change BOT ID
* Display connection type, local IP address and other network information
* Log in and log out the user
* Issue a ping attack against a target computer
* Display the following system information:
  * CPU speed
  * Amount of memory
  * Windows platform, build version, and product ID
  * Malware uptime
  * User name

It also checks for the following strings, and then attempts to steal Windows product ID and CD keys for several game applications:

* :.login
* :,login
* :!login
* :@login
* :$login
* :%login
* login
* :&login
* :*login
* :-login
* :+login
* :/login
* :\login
* :=login
* :?login
* :'login
* login
* :~login
* : login
* :.auth
* :,auth
* :!auth
* :@auth
* :$auth
* :%auth
* :&auth
* :*auth
* :-auth
* :+auth
* :/auth
* :\auth
* :=auth
* :?auth
* :'auth
* :~auth
* : auth
* :.hashin
* :!hashin
* :$hashin
* :%hashin
* :.secure
* :!secure
* :.syn
* :!syn
* :$syn
* :%syn
* paypal
* PAYPAL
* paypal.com
* PAYPAL.COM

The remote malicious user can also issue commands to allow the bot to log user keystrokes.
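As an added defender-side example (not part of the original alert), the following Python checker rebuilds the trigger list above and flags IRC log lines that carry an SDBOT.VQ control trigger, a reference to the named IRC server, or one of the watched strings; the sample log is constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

C2_HOST = "irc.t3musso.net"  # IRC server named in the alert

# Rebuild the trigger list from the alert: each command is preceded by ":" (the start of an
# IRC trailing parameter, e.g. "PRIVMSG #ch :.login x") and one prefix character.
PREFIXES = {
    "login": ".,!@$%&*-+/\\=?'~ ",
    "auth": ".,!@$%&*-+/\\=?'~ ",
    "hashin": ".!$%",
    "secure": ".!",
    "syn": ".!$%",
}
COMMAND_TRIGGERS = {f":{p}{cmd}" for cmd, chars in PREFIXES.items() for p in chars}
WATCH_STRINGS = ("paypal", "paypal.com")  # matched case-insensitively, covering PAYPAL too

PRIVMSG = re.compile(r"^(?::(?P<src>\S+)\s+)?PRIVMSG\s+(?P<dst>\S+)\s+(?P<text>:.*)$")

def inspect_line(line: str) -> Optional[str]:
    """Return a reason if the IRC line looks like SDBOT.VQ control traffic, else None."""
    line = line.rstrip("\r\n")
    if C2_HOST in line.lower():
        return f"reference to C2 host {C2_HOST}"
    m = PRIVMSG.match(line)
    if not m:
        return None
    text = m.group("text").lower()
    for trig in COMMAND_TRIGGERS:
        if text.startswith(trig):
            return f"bot command trigger {trig!r} from {m.group('src')}"
    if any(w in text for w in WATCH_STRINGS):
        return "watched string in message text"
    return None

def scan_log(log: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every suspicious line in an IRC log."""
    return [(n, r) for n, l in enumerate(log.splitlines(), 1) if (r := inspect_line(l))]

# Constructed sample IRC log (not a real capture).
SAMPLE_LOG = """\
:alice!u@host1 PRIVMSG #music :hello everyone
:op!u@host2 PRIVMSG #z :.login s3cret
:op!u@host2 PRIVMSG bot123 :!auth s3cret
:bob!u@host3 PRIVMSG #music :paid via paypal yesterday
PING :server.example
"""

if __name__ == "__main__":
    for lineno, reason in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```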

Top 10 Most Prevalent Global Malware
(week of: September 10, 2004 to September 16, 2004)

1. WORM_SASSER.B
2. PE_ZAFI.B
3. WORM_NETSKY.P
4. HTML_NETSKY.P
5. WORM_KORGO.R
6. HTML_BAGLE.AI
7. PE_FUNLOVE.4099
8. WORM_NETSKY.D
9. JAVA_BYTEVER.A
10. WORM_KORGO.V

Date: September 11, 2004 - WORM_BLUEWORM.F

WORM_BLUEWORM.F is a memory-resident worm that propagates via email. It deletes registry entries and files associated with antivirus programs, and also terminates certain processes associated with various antivirus applications. This worm is currently spreading in-the-wild and infecting systems running Windows 95, 98, ME, NT, 2000 and XP.

Upon execution, it drops a copy of itself in the Windows system folder using 10 different file names. It then creates the folder, %Windows%\VOLUME, where it drops a copy of itself using the same file name as any file found in the Windows folder. This worm also drops another copy of itself as %Program Files%\Internet Explorer\Media Player.exe. Some of the dropped files are compressed using the WinZip application.

In order to send email messages, this worm drops and registers the file OSSMTP.DLL in the Windows system folder. In the same folder, it also drops the following non-malicious files:

* about.txt
* About_BlackWorm.C.txt
* Music09.rm
* Special.rm
* Vide01.jpg

This worm creates registry entries that allow it to execute at every Windows startup. In addition, it searches the local area network for shared network drives that are write-enabled and drops copies of itself in accessed shares using the file name GOOD MUSIC.SCR.

This worm propagates by sending a copy of itself via email to all addresses listed in the MSN and Yahoo messenger applications. It also obtains target email addresses from files containing the following extension names:

* HTM
* DBX

The email message that it sends out has the following details:

From: (any of the following addresses or display names)
* admin@newmovies.com
* fack_back06@mail.com
* gustes@msn.com
* hot_woman2362@freevideos.net
* King_sexy@hotmal.com
* linda200@gmail.com
* lost_love705@yahoo.com
* sandra@oxygen.com
* thomas_gay6@iopus.com
* user377@worldsex.com
* Bad Love
* Binnn MT
* Genius
* Lola Ashton
* Ralph
* Sara GL
* spoofed_names
* Sweet Women
* The Moon
* Thomas

Subject/Message body: (any of the following)
* For all Members repit the reactive one time.
* Hello
* Important
* Please reactive now
* Please reactive now.
* Please Read
* reactive now
* Thank you
* Thanks
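As an added example (not from the original alert), a mail-gateway style rule in Python that flags messages carrying the WORM_MEXER.E subject/body pairs listed earlier on this page or the WORM_BLUEWORM.F sender and text strings listed above; the sample messages and the `build_sample` helper are constructed for illustration.

```python
import email.utils
from email.message import EmailMessage

# WORM_MEXER.E: the five subject/message-body pairs from the alert (lower-cased).
MEXER_E_PAIRS = {
    ("ebay information", "ebay installer..."),
    ("visa information", "security tool..."),
    ("provider information", "new account data..."),
    ("your crack1", "here is your crack!"),
    ("internet information", "new account data..."),
}
# WORM_BLUEWORM.F: spoofed sender addresses and subject/body strings from the alert.
BLUEWORM_F_SENDERS = {
    "admin@newmovies.com", "fack_back06@mail.com", "gustes@msn.com",
    "hot_woman2362@freevideos.net", "king_sexy@hotmal.com", "linda200@gmail.com",
    "lost_love705@yahoo.com", "sandra@oxygen.com", "thomas_gay6@iopus.com",
    "user377@worldsex.com",
}
BLUEWORM_F_TEXTS = {
    "for all members repit the reactive one time.", "hello", "important",
    "please reactive now", "please reactive now.", "please read",
    "reactive now", "thank you", "thanks",
}

def classify(msg: EmailMessage) -> list:
    """Return the worm names whose mail indicators this message matches."""
    subject = (msg.get("Subject") or "").strip().lower()
    sender = email.utils.parseaddr(msg.get("From") or "")[1].lower()
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content().strip().lower() if text_part else ""
    has_attachment = any(part.get_filename() for part in msg.walk())
    hits = []
    # MEXER.E always carries a file from its sysnet folder, so require an attachment.
    if (subject, body) in MEXER_E_PAIRS and has_attachment:
        hits.append("WORM_MEXER.E")
    # BLUEWORM.F subjects such as "Hello" are too generic alone; require the spoofed
    # sender, or subject and body both drawn from its string list.
    if sender in BLUEWORM_F_SENDERS or (subject in BLUEWORM_F_TEXTS and body in BLUEWORM_F_TEXTS):
        hits.append("WORM_BLUEWORM.F")
    return hits

def build_sample(sender: str, subject: str, body: str, attachment: str = "") -> EmailMessage:
    """Build a constructed sample message (not a real capture) for exercising the rule."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    if attachment:  # placeholder bytes stand in for the worm's dropped file
        m.add_attachment(b"MZ-placeholder", maintype="application", subtype="octet-stream", filename=attachment)
    return m

if __name__ == "__main__":
    print(classify(build_sample("x@example.com", "EBAY Information", "EBAY Installer...", "Setup.exe")))
    print(classify(build_sample("Lola Ashton <linda200@gmail.com>", "Hello", "Please reactive now")))
```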

It then deletes registry entries and files associated with security and antivirus products from Hyper Technologies, Symantec, McAfee and Trend Micro, but not F-Secure, our antivirus software.

Top 10 Most Prevalent Global Malware
(week of: September 4, 2004 to September 11, 2004)

1. WORM_SASSER.B
2. WORM_NETSKY.P
3. HTML_NETSKY.P
4. PE_ZAFI.B
5. WORM_SASSER.E
6. WORM_NETSKY.D
7. WORM_KORGO.R
8. JAVA_BYTEVER.A
9. WORM_MYDOOM.M
10. TROJ_AGENT.EG

Date: September 04, 2004 - More BAGLE for Everyone - WORM_BAGLE.AI (Medium Risk)

WORM_BAGLE.AI usually arrives via email packaged as a .ZIP compressed file. Like WORM_BAGLE.AC, this worm does not send itself directly to target recipients as an email attachment. Instead it has an HTML script component that executes it, and a Trojan component that downloads it as a .JPG file from certain sites. The downloaded files are then saved as _re_file.exe in the Windows folder. As of this writing, however, the download sites are either down or non-existent. This worm also terminates certain antivirus processes. On Windows 2000, XP and 2003, it stops and disables the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service. This BAGLE variant is currently spreading in-the-wild and infecting computers running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, it drops a copy of itself as DORIOT.EXE in the Windows system folder, and also drops a Trojan downloader component, GDQFW.EXE, in the same folder. To allow it to execute automatically at every Windows startup, this worm creates two autorun registry entries.

The Trojan downloader component downloads approximately 131 files and saves them as _re_file.exe in the Windows folder. It also creates a thread that terminates several processes every second; the processes it terminates are mostly associated with antivirus applications.

Top 10 Most Prevalent Global Malware
(week of: August 27, 2004 to September 4, 2004)

1. WORM_SASSER.B
2. PE_ZAFI.B
3. WORM_NETSKY.P
4. HTML_NETSKY.P
5. WORM_NETSKY.D
6. JAVA_BYTEVER.A
7. WORM_ANIG.A
8. TROJ_AGENT.EG
9. TROJ_AGENT.AE
10. WORM_NETSKY.B

Date: September 01, 2004 - WinAmp Flaw

Flaw With Winamp Could Compromise Enterprise Security. A recently discovered flaw in the popular Winamp multimedia player by AOL subsidiary Nullsoft is sure to hit a sour note with unfortunate victims. Spyware authors are exploiting the way Winamp loads its graphical themes (skins) to distribute their software and infect PCs.

"We received several reports from users who were hacked after clicking on a link distributed on several IRC (Internet relay chat) channels," said Chaouki Bekrar, a consultant and co-founder of K-Otik.

A representative of America Online said the company had been made aware of the problem but that a fix had not yet been created. "We're looking into the reports and will provide more information, as necessary, at the appropriate time," the representative said.

12website has a maintenance program for our clients to ensure they will not be 'let down' by an inefficient computer.

Computer maintenance is necessary to keep your machine running smoothly without down time.

Contact Us. Add "Virus Trial" to the Comments area.