Virus alerts for June 2004

By the time you receive the e-mail 'virus alert' it can be too late!
Get in touch for a one month free antivirus trial.

June 19
Worm Spreads through Mobile Phones - EPOC_CABIR.A (Low Risk)

A new proof-of-concept worm, EPOC_CABIR.A, is capable of spreading through Bluetooth-enabled devices, and can affect certain mobile phone models from Nokia, Siemens, and Panasonic.

EPOC_CABIR.A arrives as a series of messages, the first notifying the user that there is a message to be received via Bluetooth, and the next stating: "Application is untrusted and may have problems. Install only if you trust provider." The user is then asked to confirm installation.

Once installed, the worm creates files in the default drive of the device, and creates files in the following directory:

This worm targets Series 60 v0.9, which is a common setting for basic applications. Affected models of phones include:

Top 10 Most Prevalent Global Malware
1. PE_ZAFI.B

June 12 2004
Spreads Through Email, Network Shares, Kazaa - WORM_PLEXUS.C (Low Risk)

WORM_PLEXUS.C is a recently discovered worm that uses its own SMTP engine to send copies of itself via email. Emails appear with subject headers like "Order" or "Good Offer". Messages appear to be from a familiar person. Examples of messages:

The message comes with an .EXE attachment. Once executed, WORM_PLEXUS.C drops several copies of itself onto the infected system and creates Windows registry entries to automatically execute at each system startup.

To propagate, WORM_PLEXUS.C looks for files with the following extension names to retrieve email addresses and domain names: HTM, HTML, PHP, TBB, TXT. This worm can also drop copies of itself in the Kazaa (peer-to-peer network) shared folder, and propagate through network shares with full access rights.

This worm's code also contains the following text:

This worm is currently in-the-wild and affects Windows 95, 98, ME, NT, 2000, and XP operating systems.

Top 10 Most Prevalent Global Malware
1. WORM_NETSKY.P

Contact Us for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.

June 04, 2004
Resets Windows Wallpaper in June - WORM_LAMUD.A (Low Risk)

WORM_LAMUD.A is a recently discovered worm that, among other capabilities, can reset a user's wallpaper to one of three preset images during the month of June.

This worm spreads via network shares, searching for writeable network shares and dropping a copy of itself in the root of shared directories and folders as "GAME.EXE".

This worm opens a Windows Explorer window to the Windows directory upon its execution, and disables registry modification and configuration dialogs, which prevents the affected user from viewing hidden files and from accessing the registry editing tools.

When the system month is June, WORM_LAMUD.A drops the file ACD WALLPAPER.BMP into the Windows directory and then sets this as the wallpaper. Each execution of the malware rotates the wallpaper between three preset images.

This worm's code also contains the following text:

This worm is currently in-the-wild and affects Windows 95, 98, ME, NT, 2000, and XP operating systems.

Top 10 Most Prevalent Global Malware
1. WORM_NETSKY.P

May 28, 2004
Opens Backdoor, Steals Game Keys - WORM_RANDEX.AK

WORM_RANDEX.AK is a memory-resident worm that spreads through network shares, opens ports, and connects to an Internet Relay Chat (IRC) server to await malicious commands. Once in control of the infected system, the malicious user can download and execute files, get system information, redirect connections, take screenshots, and launch a Denial-of-Service attack.

This worm is also programmed to steal CD keys to several popular computer game titles, including "Call of Duty", "Halflife", and "Neverwinter".

This worm is currently in-the-wild and affects Windows 95, 98, ME, NT, 2000, and XP operating systems.
WORM_RANDEX.AK also creates Windows registry entries that execute the worm at every system startup and prevent the user from running applications. On Windows 95, 98, and ME systems, WORM_RANDEX.AK can disable registry tools to prevent the user from using the registry editor.

Top 10 Most Prevalent Global Malware
1. WORM_NETSKY.P

LSASS Equals BOBAX - WORM_BOBAX.C (Low Risk)

WORM_BOBAX.C is a non-destructive worm that exploits the Windows LSASS vulnerability. This buffer overrun vulnerability allows an attacker to gain full control of an infected system. This worm is currently spreading in-the-wild and runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm installs itself in the Windows system folder using random file names. It also drops a .DLL file in the Windows Temp folder with the name <random number>.TMP.

This malware also checks whether the following mutex exists, to ensure that only one instance of itself is running in memory: 06:08:07:<random>. It then deletes its executed copy.

As part of its propagation routine, it sends a specially crafted packet to a specific port. This packet of data instructs the target machine to download the worm copy from an HTTP server. It saves this downloaded file as SVC.EXE.

If you would like to scan your computer for WORM_BOBAX.C or thousands of other worms, viruses, Trojans and malicious code, contact us for a one month free trial of the original antivirus used by over 18 million people worldwide. Add "Virus Trial" to the Comments area.

10 Most Prevalent In-the-Wild Malware
1. PE_ELKERN.D

May 12 2004 - Medium Risk Virus Alert

This mass-mailing worm exploits certain vulnerabilities found on
Windows systems.

May 08, 2004

Upon execution, this memory-resident worm drops a copy of itself in the Windows folder as AVSERVE2.EXE. It then adds a registry entry that allows it to automatically execute at every system startup.

This SASSER variant creates the following mutex:

* Jobaka3

If an instance of JumpallsNlsTillt is found, this worm does not proceed with its execution.

To propagate on systems running Windows XP and Windows 2000 Professional, this worm creates 128 execution threads that generate random IP addresses. (The worm creates 128 threads at 25 ms, which results in 5,120 attacks per second.) It then sends a specially crafted packet to these addresses on TCP port 445. The sent packet causes a buffer overflow on LSASS.EXE and runs a remote shell on vulnerable machines. TCP port 445 is a valid port used by Windows 2000 to transport Server Message Block (SMB) data over TCP and UDP.

The remote shell listens on port 9996 for further commands from this worm, and allows the worm to manipulate the vulnerable machine. From its remote location, this worm sends commands to the remote shell so that an FTP script file, CMD.FTP, is generated. It also commands the remote shell to run the FTP script. The FTP script downloads a copy of this worm from the originally infected system to the machine running the shell. After the download, this worm deletes the file CMD.FTP from the newly infected system.

It also generates a log file, WIN2.LOG, in the root directory. This file contains the number of remote systems that the host system has infected and the IP address of the most recently infected system.

This worm produces a buffer overflow in LSASS.EXE, causing the program to crash, which requires Windows to restart.

12website has a maintenance program for our clients to ensure they will not be 'let down' by an inefficient computer. Computer maintenance is necessary to keep your machine running smoothly without down time. Contact Us. Add "Virus Trial" to the Comments area.
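
The host-side traces listed in the May 08 SASSER-variant write-up (AVSERVE2.EXE, CMD.FTP, WIN2.LOG, the Jobaka3 mutex, a listener on port 9996, and bursts of connections to TCP port 445) can be checked together. The following is an added example, not part of the original alert: the event format, host names, sample records and the fan-out threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators quoted in the alert text above (files are matched by base name only).
FILES = {"AVSERVE2.EXE", "CMD.FTP", "WIN2.LOG"}
MUTEX = "Jobaka3"
SHELL_PORT, SMB_PORT = "9996", "445"   # remote shell listener; propagation port
FANOUT = 20   # assumption: distinct 445 peers within one second

def sample_lines():
    # Constructed telemetry in a hypothetical "ts host kind detail" format.
    lines = [
        "1083999600 ws-07 file C:\\WINDOWS\\avserve2.exe",
        "1083999600 ws-07 mutex Jobaka3",
        "1083999601 ws-07 listen tcp/9996",
        "1083999605 ws-12 file C:\\cmd.ftp",
        "1083999605 ws-12 file C:\\Docs\\report.txt",
        "1083999606 fs-01 conn 10.0.0.5:445",   # ordinary SMB use
    ]
    # One second of scanning-style fan-out from ws-07.
    lines += [f"1083999602 ws-07 conn 10.1.{i}.9:445" for i in range(40)]
    return lines

def triage(lines):
    # Returns {host: sorted list of indicator hits}.
    hits, peers = defaultdict(set), defaultdict(set)
    for line in lines:
        parts = line.strip().split(None, 3)
        if len(parts) != 4:
            continue                      # skip malformed records
        ts, host, kind, detail = parts
        if kind == "file":
            name = re.split(r"[\\/]", detail)[-1].upper()
            if name in FILES:
                hits[host].add("file:" + name)
        elif kind == "mutex" and detail == MUTEX:
            hits[host].add("mutex:" + MUTEX)
        elif kind == "listen" and detail == "tcp/" + SHELL_PORT:
            hits[host].add("listen:" + SHELL_PORT)
        elif kind == "conn":
            ip, _, port = detail.rpartition(":")
            if port == SMB_PORT:
                peers[(host, ts)].add(ip)
    for (host, _), ips in peers.items():
        if len(ips) >= FANOUT:            # one 445 peer is normal, many is not
            hits[host].add("fanout:" + SMB_PORT)
    return {h: sorted(v) for h, v in hits.items()}

def verdict(result):   # two or more independent indicators: treat as infected
    return {h: "likely infected" if len(v) >= 2 else "investigate"
            for h, v in result.items()}
```

Because TCP port 445 carries legitimate SMB traffic, a single connection to it is not counted; only the burst of distinct destinations is.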