Virus alerts for May 2005
We stock the most efficient anti virus program which checks for updates hourly.
Contact Us for a one month free antivirus trial.
May 31 2005 - WORM_MYTOB.AR.

The following is a brief summary of what this worm is capable of doing:

This memory-resident worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. This email message has the following details:

Subject: (any of the following)
Message body: (any of the following)
Attachment: (any combination of the following file names and extension names)
File name:
• {random}
Extension name:
• EXE

This worm also takes advantage of the LSASS vulnerability to propagate.

This worm also has backdoor capabilities. It comes with a built-in Internet Relay Chat (IRC) bot that allows it to connect to a specific IRC server. It then waits for commands from a remote user.

It also terminates processes, some of which are related to antivirus and security programs.

Contact Us for a free antivirus trial to the end of this month.

May 28 2005 - Nasty YAMI - PE_YAMI.A

PE_YAMI.A is a destructive, file-infecting virus that is currently spreading in China. This virus only infects valid portable executable (PE) files, which are 32-bit Windows executable files. It validates the type of file by checking its PE header. It then uses a cavity type of infection, infecting the file by inserting chunks of its virus code into the host file. It is currently spreading in-the-wild, and infecting computers running Windows XP.

Upon execution, this virus searches for PE files to infect in a target system's current folder. It writes a total of 3,029 bytes to the host file. However, because this is a cavity type virus, the file size of the infected file does not increase after infection.

After infecting the host file, it utilizes a table to store information about the inserted virus code, such as the size and the next offset of the inserted chunks of virus code. Once the file has been infected, this virus avoids reinfecting it by using its infection marker, YM.
Once it has completed all of its routines, it then passes control back to the host file.

This virus may overwrite the hard disk of infected systems and attempt to damage the infected system by corrupting data in the CMOS.

The following string is found in the virus code:

Top 10 Most Prevalent Global Malware
1. HTML_NETSKY.P

May 21 2005 - See Me MAPI - WORM_SEMAPI.A

WORM_SEMAPI.A is a non-destructive, memory-resident worm that propagates via email. It is currently spreading in-the-wild and infecting computers that are running Windows 98, ME, NT, 2000, and XP.

Upon execution, this worm drops copies of itself in the Windows folder as DRDOOM.EXE and WINBIOS.EXE. It also drops AUTOEXE.EXE and SKERNEL32.COM in the Windows system folder as part of its installation routine. It creates several registry entries to ensure that it automatically executes at every system startup.

This worm propagates by sending copies of itself to email addresses gathered from the infected machine using Messaging Application Program Interface (MAPI) functions. It derives the email addresses it gathers from files with the following extension names:

* adb

It sends messages with several specific combinations of common names, domains, message bodies, subject lines, and attachments. To read the full list of possible combinations, view the Technical Details.

This worm displays a message box containing the following message:

Unable to locate 'semapi.dll' reinstalling this application may fix this problem.

Top 10 Most Prevalent Global Malware
1. JAVA_BYTEVER.A

May 14 2005 - WORM_WURMARK.J.

12website.com has declared a Medium Risk alert for a new WURMARK variant that is currently spreading in France, India, Singapore, and Taiwan.
WORM_WURMARK.J is a memory-resident worm that propagates by mass-mailing copies of itself, and carries a component of a commercial keylogging spyware program produced by X Software, Inc. This spyware program is capable of running in stealth mode while logging keystrokes, monitoring accessed Web sites, capturing screenshots, and logging system activities. The worm not only propagates copies of itself, but of the spyware program as well. The commercial spyware program is therefore installed in every system that the worm infects.

Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder using a random file name. It drops a randomly named Dynamic Link Library (DLL) file, which is a spyware program detected by NOD32 Antivirus, in the Windows system folder. It creates a registry entry to allow it to automatically execute at every system startup.

This worm drops the following .ZIP files in the Windows system folder:

* details.zip

These .ZIP files contain any of the following files:

* details.doc{multiple spaces}.scr

This worm propagates by sending a copy of itself as an attachment to email messages, which it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. The email that it sends out has the following details:

Subject: (any of the following)
* details

Attachment: (any of the following file names)
* details.zip

It gathers target email addresses from the Temporary Internet Files folder, as well as from files with the following extension names:

* ASP

It avoids sending email messages to addresses that contain any of the following substrings:

* abuse

Top 10 Most Prevalent Global Malware
1. JAVA_BYTEVER.A

May 12 2005 - WORM_WURMARK.J.

As of May 12, 2005 12website.com has declared a Medium Risk Virus Alert to control the spread of WORM_WURMARK.J.
12website.com has received several infection reports indicating that this malware is spreading in France, India, Taiwan, and Singapore.

This memory-resident worm propagates via email messages. Upon execution, it drops a copy of itself in the Windows system folder using a random file name. It also drops a randomly named Dynamic Link Library (DLL) file in the Windows system folder, which is a component of IESpy, a spyware program.

This worm has a keylogging capability. It saves logs of the user's keystrokes in a dropped, randomly named DLL file. It drops several .ZIP files in the Windows system folder as email attachments.

This worm propagates by sending a copy of itself via email. The email message contains the following details:

Subject: (any of the following)
Attachment: (any of the following file names)

May 09 2005 - WORM_MYTOB.ED

As of May 9, 2005 12website.com has declared a Medium Risk Virus Alert to control the spread of WORM_MYTOB.ED. 12website.com has received several infection reports indicating that it is spreading in Japan and Australia.

Like earlier WORM_MYTOB variants, this worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine. The email it sends out has the following details:

Subject: (any of the following)
Subject: (any of the following)
Message Body: (any of the following)
Attachment: (any of the following file names) (any of the following extensions)

It gathers target email addresses from the Temporary Internet folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.

May 06 2005 - WORM_SOBER.S.
More on Sober

On May 2, NOD32 declared a Medium Risk Virus alert for WORM_SOBER.S.

This is a memory-resident worm that spreads by mass-mailing copies of itself using its own SMTP (Simple Mail Transfer Protocol) engine. It gathers recipient addresses from files with certain extensions, and avoids sending messages to addresses that contain specific strings.

It sends an email appearing to come from the soccer organization FIFA, informing recipients that they have won tickets for the upcoming FIFA World Cup 2006 in Germany. It sends these email messages in either English or in German, depending on the country-level domains of the gathered addresses.

It is currently spreading in-the-wild and infecting computers running Windows 98, ME, NT, 2000, and XP.

Upon execution, this worm displays the following fake error message:

* WinZip Self-Extractor

It then drops the following copies of itself in the %Windows%\Connection Wizard\Status folder:

* CSRSS.EXE

It also drops the following files:

* %Windows%\Connection Wizard\Status\fastso.ber

It drops the following files, which it uses to store collected email addresses for its mass-mailing routine:

* Sacri1.ggg

This worm creates registry entries that enable it to automatically execute at every system startup.

It uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to email addresses obtained from files with certain extensions (view the complete list). The worm also avoids email addresses containing specific strings (view the complete list).
This worm sends email messages in German when it obtains email addresses with GMX as the domain name (for example, if the email address has gmx.de or gmx.net as its extension), or with any of the following domain extensions:

* AT

The messages sent by the worm contain the following details:

From: (any of the following)
* Admin

Subjects (German): any of the following
* Glueckwunsch: Ihr WM Ticket

Subjects (English): any of the following
* mailing error

Message body (German): any of the following
* Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage. --- FIFA-Pressekontakt:

followed by any of the following:
* **** Mail-Scanner: Es wurde kein Virus festgestellt

Message body (English): any of the following
* Account and Password Information are attached! Visit: http://www.<generated string>
* This is an automatically generated E-Mail Delivery Status Notification. Mail-Header, Mail-Body and Error Description are attached
* ok ok ok,,,,, here is it

followed by any of the following:
* *** Attachment-Scanner: Status OK

Attachment: (any of the following)
* _PassWort-Info.zip

The worm may delete files with the following strings:

* A*.exe

Top 10 Most Prevalent Global Malware
1. HTML_NETSKY.P

May 02 2005 - WORM_SOBER.S.

This worm spreads by mass-mailing copies of itself using its own SMTP (Simple Mail Transfer Protocol) engine. It gathers its target recipients from files with certain extension names. Notably, it avoids sending messages to addresses that contain specific strings. The email it sends out has the following details:

From: (any of the following)
Subject: (any of the following German subjects) (or any of the following English subjects)
Message body: (any of the following)
* Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage.
* Diese E-Mail wurde automatisch erzeugt
* Folgende Fehler sind aufgetreten:
* Fehler konnte nicht Explicit ermittelt werden
* End Transmission
* Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten gezippt & angehaengt werden. Wir bitten Sie, dieses zu beruecksichtigen.
* Auto ReMailer# [
* Nun sieh dir das mal an!
* Herzlichen Glueckwunsch,
* Account and Password Information are attached!
* AntiVirus Service

Attachment: (any of the following)

12website has a maintenance program for our clients to ensure they will not be 'let down' by an inefficient computer. Computer maintenance is necessary to keep your machine running smoothly without down time.