Virus alerts for December 2004

By the time you receive the e-mail 'virus alert' it can be too late!
Contact Us for a one month free antivirus trial.
December 31 2004: W32.Protoride.B

W32.Protoride.B is a worm that spreads through network shares and opens a back door that allows unauthorized access to a compromised computer.

12website.com encourages all users and administrators to adhere to the following basic security "best practices":

* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

December 28 2004: Santy.A - New Worm Spreads Via Google

Antivirus companies are warning Internet users about a fast-spreading new worm that infects Web servers running a popular package of online bulletin board software, and uses the Google search engine to find vulnerable servers to infect.
The worm, dubbed Santy.A, uses a vulnerability in a popular free software package called phpBB to spread across the Internet, infecting computer servers that host online bulletin boards and defacing those sites with the words "This site is defaced!!! NeverEverNoSanity WebWorm."

Update: The worm does not affect individual computer users, but infects Web servers that are hosting online bulletin boards. The worm takes advantage of a critical software vulnerability in the phpBB open source software, which is widely used to create and maintain online bulletin boards. While antivirus companies were still analyzing the worm, it appears that the worm may use a vulnerability in the PHP scripting language that was recently patched. phpBB, as well as other common software packages, is written in PHP.

Once Santy infects servers running the phpBB software, it scans directories on the infected site and overwrites files with the extensions HTM, PHP, ASP, SHTM, JSP, and PHTM with the text "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation,". The worm also launches a search on the Google search engine for URLs that contain a specific string, viewtopic.php, which is common to bulletin boards written using the phpBB software, Hypponen said.

Block That Worm

Antivirus experts do not believe Santy.A deposits Trojan horse programs or other malicious code on the systems it infects. Also, Santy does not affect individual computer users, unless they are hosting a bulletin board from their computer that uses the phpBB software, antivirus experts said. However, Santy.A could act as a road map for malicious hackers who are looking for vulnerable computers to exploit. We have advised customers to update their antivirus software as soon as possible.

December 18 2004: Daffy ZAFI - WORM_ZAFI.D

WORM_ZAFI.D is a memory-resident, mass-mailing worm that is currently spreading in the wild.
It uses its own built-in Simple Mail Transfer Protocol (SMTP) engine to send malicious Christmas greetings. It runs on Windows 98, ME, NT, 2000, and XP.

Upon execution, this mass-mailing, memory-resident worm displays a message box. It drops a copy of itself as NORTON UPDATE.EXE, and drops copies of itself as .DLL files with 8-character random file names. Some .DLL files are copies of itself while others are email log files in the Windows system folder. It also drops a log file called S.CM in the root folder. It then adds a registry entry that allows it to automatically execute at every system startup.

This worm drops a copy of itself using either of the following filenames:

* WINAMP 5.7 NEW!.EXE

It drops the file in folders that contain one of the following strings:

* share

Most file-sharing applications, such as KaZaA, Shareaza, and Morpheus, use folder names with these strings when sharing files through peer-to-peer (P2P) networks. P2P users who search for Winamp and ICQ installers may inadvertently download this dropped ZAFI copy instead.

This worm uses its own built-in SMTP engine, which allows it to send malicious Christmas greetings without having to use other email applications such as Outlook Express. The language used in the message body depends on the domain of the email recipient. For example, when the top-level domain of the recipient's email address is .COM, the message is sent in English; when it is .DE, the message is sent in German. Please visit the Technical Details of this virus description to view samples and screenshots of the email it sends.

It searches the following files for target email addresses:

* ADB

However, it skips email addresses that contain the following strings:

* admi

This worm terminates antivirus and firewall programs. It searches for folders and files in all folders found on the system. It then reads the contents of the files and checks whether the string "firewall" or "virus" exists. If three or more files contain the specific string, the folder name is stored in a registry entry. When all the folders are obtained, it then traverses the specific registry entry. If the folder name contains the following strings, it terminates all executable files running in those folders:

* cafee

Top 10 Most Prevalent Global Malware

1. WORM_NETSKY.P

December 14 2004: WORM_ZAFI.D

As of December 14, 2004 8:13 AM PST, there is a Medium Risk Virus Alert to control the spread of WORM_ZAFI.D. We have received several infection reports indicating that this malware is spreading in Germany, France and Spain. The following is a brief overview of the worm process: this worm spreads via email or peer-to-peer (P2P) file-sharing networks. Here is a sample of the email:

Subject:
Message body: Pamela M.
Attachment:

Note that the language of the email may change depending on the domain of the recipients.

December 11 2004: WORM_MASLAN.A

WORM_MASLAN.A is a memory-resident worm that spreads via email, and typically arrives in an attachment called "PlayGirls2.exe". The worm harvests target recipients from certain files found on the system. It also exploits the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability, possibly to aid in its propagation. In addition, this worm has backdoor functionalities that allow remote users to gain virtual control over the infected system. It terminates certain processes associated with antivirus applications, lowering security on the affected system. It also performs denial of service (DoS) attacks on certain Web sites. This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
Upon execution, it drops the following component files in the Windows system folder:

* ___r.exe

It creates two autostart registry entries that allow it to automatically execute at every Windows startup. However, an error in the program then prompts the operating system to report an error message. Clicking OK in the error message terminates the worm component.

This worm's code allows it to propagate via email. It gathers email addresses from files with the following extensions, and sends itself:

* adb

The email it sends contains the following details:

Subject: <Name>
Message Body: Hello <Name>,
Attachment: PlayGirls2.exe

<Name> is one of the following:

* Alan

This worm also has backdoor functionalities that allow it to connect to an IRC server, where it listens for commands from a remote user, allowing the remote user to perform the following functions:

* Download and execute files

WORM_MASLAN.A also exploits the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability to remotely execute programs on vulnerable systems. The RPC DCOM buffer overflow (MS03-026) allows an attacker to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service. Read more on this vulnerability in Microsoft Security Bulletin MS03-026 at http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx.

The worm also terminates several processes associated with antivirus applications, and performs a denial of service attack on the following Web sites:

* chechenpress.com

This worm also searches the Program Files folder and its subdirectories for .EXE files with a path that contains any of the following substrings:

* distr

When such an .EXE file is found, it recreates the path of the file in the ___b directory and copies the file there. The file's contents are then replaced with zeroes.

The following text strings are found in the worm body:

* -{ Hah… MyDoom, Bagle, etc… since then you do not have future more! }-

Top 10 Most Prevalent Global Malware

1. PE_BUGBEAR.DAM

December 04 2004: WORM_MUGLY.A

WORM_MUGLY.A is a non-destructive mass-mailing worm that arrives via email as an attachment. This memory-resident worm searches the infected system for target email addresses in files with certain extension names. However, it avoids sending email messages to email addresses that contain specific strings, most of which are related to antivirus and security companies. It runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, it drops a copy of itself in the Windows system folder as the file XXX.TMP. It also drops the following files in the Windows system folder:

* ATTACHED.ZIP - a ZIP-compressed copy of itself

It creates three registry entries that allow it to automatically execute at every system startup. In addition, it registers a standard SMTP engine on the infected system, which allows it to perform its mass-mailing routine.

This worm looks for target email recipients in files with the following extensions:

* ADB

However, it avoids sending email messages to addresses that contain any of the following strings:

* .gov

The email message that it sends out has the following details:

From: <spoofed>
Subject: (any of the following)
* You have an Admirer
Message Body: (any of the following)
* Someone has asked us on there behalf to send you this email and tell you they think you are wonderfull!!! All the The mystery persons details you need are enclosed in the attachment :) please download and respond telling us if you would like to make further contact with this person.
Attachment: (any of the following)
* Pic_001.exe

This worm's payload displays the dropped image file, UGLYM.JPG.

Top 10 Most Prevalent Global Malware

1. WORM_NETSKY.P

Get in touch for a one month free antivirus trial. 12website has a maintenance program for our clients to ensure they will not be 'let down' by an inefficient computer. Computer maintenance is necessary to keep your machine running smoothly without down time. Contact Us. Add "Virus Trial" to the Comments area.
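The alerts above name a handful of host artifacts: the filenames ZAFI.D, MASLAN.A and MUGLY.A drop, and the defacement text Santy.A writes into HTM, PHP, ASP, SHTM, JSP and PHTM files. The following triage helper is an added example (not 12website's or any vendor's code) that sweeps a directory tree for exactly those indicators so an administrator can scope an incident; the filenames and marker are quoted from the alerts, and the sample tree it builds is a constructed fixture, not real malware.

```python
import os
import tempfile

# Indicators quoted in the alerts above: dropped filenames (matched by basename,
# case-insensitively) and the Santy marker (matched in the extensions Santy overwrote).
DROPPED_FILES = {
    "norton update.exe": "WORM_ZAFI.D", "s.cm": "WORM_ZAFI.D",
    "winamp 5.7 new!.exe": "WORM_ZAFI.D", "___r.exe": "WORM_MASLAN.A",
    "xxx.tmp": "WORM_MUGLY.A", "attached.zip": "WORM_MUGLY.A",
}
SANTY_EXTENSIONS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}
SANTY_MARKER = b"NeverEverNoSanity WebWorm"

def triage(root, head_bytes=4096):
    """Return sorted (relative_path, family) pairs for files under root that
    match a dropped-file name or carry the Santy defacement marker."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            family = DROPPED_FILES.get(name.lower())
            if family is None and os.path.splitext(name)[1].lower() in SANTY_EXTENSIONS:
                try:
                    with open(path, "rb") as fh:
                        if SANTY_MARKER in fh.read(head_bytes):
                            family = "Santy.A"
                except OSError:
                    pass  # unreadable file: skip it rather than abort the sweep
            if family:
                findings.append((os.path.relpath(path, root).replace(os.sep, "/"), family))
    return sorted(findings)

def build_sample_tree():
    """Constructed fixture, not real malware: a clean page, a defaced phpBB
    page, a ZAFI-style dropper name, and a .txt decoy carrying the marker."""
    root = tempfile.mkdtemp(prefix="alert_triage_")
    samples = {
        "index.htm": "<html><body>welcome</body></html>",
        "forum/viewtopic.php": "This site is defaced!!! NeverEverNoSanity WebWorm generation,",
        "shared/WINAMP 5.7 NEW!.EXE": "placeholder text, not a real dropper",
        "notes.txt": "NeverEverNoSanity WebWorm",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root
```

Run `triage()` against the document root of a phpBB host or the shared folders of a P2P client; a Santy hit means the file's original content is gone and must be restored from backup after phpBB is patched, and the .txt decoy is deliberately not reported because the alert lists only the six extensions the worm overwrote.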