Virus alerts for July 2004
By the time you receive the e-mail 'virus alert' it can be too late!
Get in touch for a one month free antivirus trial.

Date: July 23, 2004

WORM_BAGLE.AH

This worm is a new variant of the BAGLE worm that spreads via email and network shares. It affects Windows 95, 98, ME, NT, 2000, and XP.

This mass-mailing, memory-resident worm propagates via email using a built-in mailing engine that utilizes Simple Mail Transfer Protocol (SMTP). The email it sends contains the following information:

From: <spoofed>
Subject: Re:
Message body: (any of the following)
Attachment: (any of the following)

The attachment can have any of the following extension names:

This worm also propagates via network shares, but does not deliberately search for all available shared folders. Instead, it searches for local folders with names that contain the character string “shar”. It assumes that these folders are shared and drops a copy of itself into these folders.

This worm is also a backdoor. It opens ports to allow remote communication and awaits and processes predefined commands that are sent through these ports. This backdoor capability allows unauthorized users to access and manipulate infected systems.

This BAGLE variant continues to attack NETSKY worms by deleting registry entries created by members of the NETSKY family. It also terminates security programs.

It has another trait common to different BAGLE variants: a predefined self-termination date. If the system date is May 5, 2006, it stops running and deletes the registry entries that allowed it to automatically run at every Windows startup.

If you would like to scan your computer for WORM_BAGLE.AH or thousands of other worms, viruses, Trojans and malicious code, download a free one month trial of F-Secure antivirus. Add "Virus Trial" to the Comments area. Contact Us.

3. Top 10 Most Prevalent Global Malware
1. PE_ZAFI.B

July 17 2004

WORM_ATAK.A (Low Risk)

WORM_ATAK.A is a worm that propagates via email, using its own Simple Mail Transfer Protocol (SMTP) engine.
It looks for email recipients in files with specific extensions on the infected computer. It runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this memory-resident worm drops a copy of itself as HINT.EXE in the Windows system folder. This worm modifies the WIN.INI file and the registry to allow itself to automatically execute at every system startup.

Using its own SMTP (Simple Mail Transfer Protocol) engine to propagate via email, the worm sends email with the following details:

From: (any of the following)
* Andrew

Subject: (any of the following)
* Important Data!

Message body: Authorized Researcher Only.

Attachment: (any of the following)
* A .zip

Using double extension names with many spaces in between them, the file contained in the .ZIP attachment is made to appear as a picture file (example: ABCD.GIF. EXE).

The worm obtains target recipients’ email addresses from files with the following extensions found on the local machine:
* ADB

July 5, 2004

This worm is known to spread via email using its own Simple Mail Transfer Protocol (SMTP) engine. It also spreads via network shares. It drops copies of itself as the following files in the Windows system folder:

loader_name.exe

Its email arrives with any of the following lines as subject:

Re: Msg reply

July 01

JavaScript Trojan - JS_JECT.A (Low Risk)

JS_JECT.A is a non-destructive Trojan script that typically arrives as an encrypted JavaScript file embedded in malicious Web pages. It exploits several vulnerabilities in Internet Explorer that allow it to download and execute malicious files on a computer system.
This Trojan is currently spreading in the wild, and runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this Trojan script attempts to load a file called MD.HTM. It then replaces the contents of the MD.HTM file with the contents of a malicious file called SHELLSCRIPT_LOADER.JS, which is downloaded from a specific malicious Web site. Next, it creates an IFRAME named "myiframe" that, when accessed, runs and downloads another malicious file, SHELLSCRIPT.JS (also from the above-mentioned Web site).

The downloaded file, SHELLSCRIPT.JS, exploits the ADODB.Stream vulnerability in Internet Explorer that allows the download and execution of the file MSITS.EXE from the Web site mentioned above. If the download is successful, this Trojan script renames MSITS.EXE to WMPLAYER.EXE and installs it in the following directory:

C:\Program Files\Windows Media Player

Finally, this script checks the infected system's local hard drive for the presence of the file MAIN.MHT. If this file is not found, this Trojan script again attempts to access the above-mentioned Web site in order to download MAIN.CHM. The file MAIN.CHM contains another script, MAIN.HTM. This Trojan script also attempts to load a file named REDIR.PHP.
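
The double-extension disguise described for WORM_ATAK.A above (a picture-like name, padding spaces, then the real executable extension inside a .ZIP) can be caught by inspecting archive member names before delivery. The Python below is an added example, not part of the original alert or of any vendor product; the extension lists, function names and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumed lists (not from the alert): extensions Windows runs directly, and
# extensions a recipient would read as a harmless picture or document.
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd", "cpl"}
DECOY = {"gif", "jpg", "jpeg", "bmp", "png", "txt", "doc", "pdf"}

# <name>.<shown ext><padding>.<padding><real ext>, anchored at the end of the name
DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]{1,5})(\s*)\.(\s*)([A-Za-z0-9]{1,5})\s*$")


def classify_name(name):
    """Return (verdict, reason) for one archive member name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = DOUBLE_EXT.search(base)
    if not m or m.group(4).lower() not in EXECUTABLE:
        return ("ok", "no executable hidden behind a second extension")
    shown, real = m.group(1).lower(), m.group(4).lower()
    padding = len(m.group(2)) + len(m.group(3))
    if shown in DECOY:
        return ("block", f".{shown} shown, .{real} executed, {padding} padding spaces")
    if padding:
        return ("block", f".{real} pushed out of view by {padding} padding spaces")
    return ("review", f"two extensions ending in .{real}")


def scan_zip(data):
    """Return (member, verdict, reason) for every flagged member of a ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdict, reason = classify_name(info.filename)
            if verdict != "ok":
                findings.append((info.filename, verdict, reason))
    return findings


def build_sample_zip():
    """Constructed sample archive; every member holds harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("ABCD.GIF" + " " * 40 + ".EXE", "holiday.jpg", "notes.tar.gz", "tool.v2.exe"):
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict, reason in scan_zip(build_sample_zip()):
        print(f"{verdict:6} {member!r}: {reason}")
```

The check looks only at member names, so it flags the disguise itself regardless of whether a signature for the payload exists yet.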