9/6/2006 · WORM_ANIG.A
This memory-resident worm propagates by dropping copies of itself in shared network drives.
It steals login information and saves the obtained data in a file, which can be retrieved by a remote user. Its keylogger component substitutes the standard Microsoft Graphical Identification and Authentication DLL (MSGINA.DLL) to carry out its information-stealing routine.
This worm has backdoor capabilities and is able to listen to TCP port 5190 and wait for remote commands.
It runs on Windows 95, 98, ME, NT, 2000 and XP.
|
7/21/2006 · WORM_RONTOKBRO.B
This memory-resident worm propagates by sending a copy of itself as an attachment to email messages.
The attached copy of this worm uses the Microsoft folder icon to trick users into opening it, effectively executing this worm. It also opens a Windows Explorer window in an attempt to hide its process.
It then drops several copies of itself in different folders using varying file names. On affected systems running on Windows 2000, XP, and Server 2003, it drops copies of itself in a hardcoded path under the User Profile folder. It also creates a folder in the said hardcoded path.
This worm may restart the affected system when it finds a window with the strings ".EXE" and "REGISTRY" in the title bar.
It overwrites the AUTOEXEC.BAT, which is found in C:\. The said routine causes affected systems running on Windows 95, 98, and ME to pause during startup. The user is then required to press any key for Windows to start.
|
7/11/2006 · ADW_SAVENOW.A
This adware displays advertisements in pop-up windows whenever certain Web sites are visited.
It creates the folder Save inside the system's Program Files directory, then drops certain files into this folder in order to perform its adware routine.
It also uninstalls the software SaveNow from the infected machine.
|
5/19/2006 · Trojan.Mdropper.H
Trojan.Mdropper.H is a Trojan horse that drops a file on the compromised computer. It exploits an undocumented (0day) vulnerability in Microsoft Word. Microsoft said it will include a patch for the vulnerability June 13, as part of its usual monthly security notice release.
|
5/5/2006 · New file infectors
In this day and age of spyware, rootkits, spy-phishing, and other 'modern' security threats, file infectors are frequently thought of as a 'dead' threat. But over the past two months, security experts have detected several new file infector viruses, including two this week that were deployed with a relatively high degree of success, PE_POLIP.A and PE_DETNAT.A, via peer-to-peer (P2P) networks.
|
3/31/2006 · WORM_SDBOT.CTQ
This worm spreads via network shares. It searches for default shared folders, where it drops a copy of itself.
It also takes advantage of the following Windows vulnerabilities to propagate across networks:
- ASN.1 Library Bitstring Heap Overflow vulnerability
- LSASS vulnerability
|
3/9/2006 · WORM_MOFEI.B
This destructive, memory-resident worm attempts to log on to remote machines using a list of user names. It then drops and executes a copy of itself on the remote machines.
It has backdoor capabilities, and may execute commands coming from a remote malicious user. The said routine provides the remote user virtual control over the affected machine, thus compromising system security.
|
2/24/2006 · WORM_NYXEM.E
This worm propagates by attaching copies of itself to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. Through this SMTP engine, it is able to easily send the said email message even without using other mailing applications, such as Microsoft Outlook.
Moreover, this worm propagates through network shares. It does the said routine by searching the network for ADMIN$ and C$ shares, where it drops a copy of itself using the file name WINZIP_TMP.EXE.
It is also capable of dropping a copy of itself into all folders and drives on an affected system, including floppy drives. Thus, it is able to propagate via floppy disks as well.
|
1/30/2006 · WORM_GREW.A
A new malicious worm began infecting systems last week, which promises to launch an attack on February 3rd and the 3rd of every month thereafter, according to threat researchers at antivirus and content security firm Trend Micro. The new worm, known by such names as Nyxem, BlackMal, Mywife, and CME-24, has infected hundreds of thousands of machines over the past week, most from unsuspecting users who do not yet know they are infected.
This worm propagates by attaching copies of itself to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. Through this SMTP engine, it is able to easily send the said email message even without using other mailing applications, such as Microsoft Outlook.
Infection Channel 1 : Propagates via email
Infection Channel 2 : Propagates via network shares
Infection Channel 3 : Copies itself in all available physical drives
Infection Channel 4 : Copies itself in floppy drives
|
12/30/2005 · Windows Metafile (WMF) Exploit
There has been a vulnerability discovered recently that affects Windows computers. You can be infected if you go to a website that has a specially crafted Windows Metafile Format (WMF) image file on it. Currently, there is no patch from Microsoft that fixes the problem, but we have a workaround for WinXP, and Server 2003.
|
12/16/2005 · WORM_LOCKSKY.F
This worm propagates by sending a copy of itself as an attachment to email messages. The email that it sends has the following details:
Subject: Your mail Account is Suspended
Message:
We regret to inform you that your mail account has been suspended due to the violation of our site policy, more info is attached.
Attachment: acc_info1.exe
It gathers target email addresses from the Windows Address Book (WAB). It also gathers email addresses from .HTM files. This worm spoofs the From field in an attempt to trick users into thinking that the email came from a trusted source.
It also logs keystrokes and saves them in a file.
|
11/21/2005 · WORM_SOBER.AG
This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since its email propagation does not require any user intervention, the user is often unaware that this worm is sending out email messages.
|
11/11/2005 · ELF_LUPPER.x
Earlier this week, researchers at antivirus and content security firm Trend Micro warned users to remain extra vigilant regarding the patching of systems, following the recent family of worms which targeted the Linux operating system. ELF_LUPPER.A and ELF_LUPPER.B, which were discovered at the beginning of the week, were built to exploit vulnerabilities in certain web applications, rather than anything inherent in the Linux kernel. Though the worms were compiled to attack Linux, it is important to note that the source code could potentially be recompiled for other systems that are related to Linux.
|
9/30/2005 · WORM_RONTOKBRO.A
WORM_RONTOKBRO.A is a destructive, memory-resident worm that propagates by sending a copy of itself as an attachment to email messages. The email message has a blank subject line, and the attachment Kangen.exe, which is a copy of the worm. This copy of the worm uses the Microsoft folder icon to trick users into opening it.
|
9/22/2005 · WORM_BAGLE.DA
Like earlier BAGLE variants, this worm uses a Trojan component in order to propagate. It does this by sending out email messages containing copies of TROJ_BAGLE.DA to target recipients using its own SMTP engine.
|
9/8/2005 · WORM_LEWOR.D
This worm propagates via MSN Instant Messenger. It sends messages containing a link that points to a copy of itself to available contacts in the MSN Instant Messenger of the affected user.
|
8/16/2005 · WORM_ZOTOB.D / WORM_RBOT.CBQ
This malware is spreading in Brazil and the U.S.A., affecting Windows 2000 and some earlier versions of Windows XP, though any unpatched NT-based operating system through Windows 2003 is susceptible.
|
7/22/2005 · WORM_NETSKY.P
This NETSKY worm spreads by sending out copies of itself as an email attachment using its built-in SMTP engine. It gathers target recipients from certain files found on the affected machine, virtually turning the affected system into a propagation launch pad.
The email it sends out has a spoofed sender's name, varying subjects, message bodies and attachments, and generally mimics email delivery notifications.
|
7/15/2005 · JS_JAPROX.A
This malicious JavaScript exploits the JView Profiler vulnerability to enable a remote user to execute commands locally on the affected machine. For more information on this vulnerability please check the following Microsoft Web page:
Microsoft Security Bulletin MS05-037
In addition, this malicious JavaScript uses the abovementioned vulnerability to change the home page of the affected system's Internet Explorer.
It also connects to the adult Web site http://pornoz.ru?ft=t{BLOCKED}imfa.ru.
|
7/1/2005 · WORM_WURMARK.A
WORM_WURMARK.A is a non-destructive, memory-resident worm that propagates by sending a copy of itself as an attachment to email messages, which it sends to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine. This worm is currently spreading in-the-wild and infecting systems that run Windows 95, 98, ME, NT, 2000, XP, 2003.
This worm arrives as an attachment to an email message. Upon execution, it drops a copy of itself in the Windows system folder using a random file name. It logs keystrokes and drops a dynamic link library (DLL) file: TSPY_AGENT.C. It also modifies the registry to ensure its automatic execution at every Windows startup.
WORM_WURMARK.A gathers email addresses from the Temporary Internet Files folder, as well as from several files.
WORM_WURMARK.A has the following aliases: W32.Lanieca.B@mm, W32/Eyeveg.worm, Win32/Atak.Variant!Worm
|
6/29/2005 · WORM_MYTOB.HQ
Like other MYTOB variants, this memory-resident worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.
It generates email addresses by using a list of names and any of the domain names of the previously gathered addresses.
|
6/13/2005 · WORM_HARWIG.B
This worm propagates via the popular instant messenger application MSN Messenger. It sends the following message to all available online contacts:
guess what I found (h) http:\www.cao{BLOCKED}cs.nl\pic_14455.PIF
The link it sends points to a copy of this worm.
If there is no existing MSN Messenger on a system, the worm then drops a copy of itself in the Windows folder with the file name ABCDEFG.EXE.
This worm also adds a registry entry to ensure its automatic execution during every Windows system startup.
It also drops an Internet Relay Chat (IRC) BOT file named PROXY.EXE in the Windows system folder.
|
6/6/2005 · WORM_BOBAX.P
This memory-resident worm usually arrives on a system as a downloaded file of TROJ_SMALL.AHE. It spreads by sending a copy of TROJ_SMALL.AHE as an attachment to an email message that it sends using its own Simple Mail Transfer Protocol (SMTP) engine.
|
5/31/2005 · WORM_MYTOB.AR
Similar to other MYTOB variants, this memory-resident worm propagates by sending a copy of itself as an attachment (file size is around 29,868 to 29,882 bytes) to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.
|
5/27/2005 · PE_YAMI.A
PE_YAMI.A is a destructive, file-infecting virus that is currently spreading in China. This virus only infects valid portable executable (PE) files, which are 32-bit Windows executable files. It validates the type of file by checking its PE header. It then uses a cavity type of infection, infecting the file by inserting chunks of its virus code into the host file. It is currently spreading in-the-wild, and infecting computers running Windows XP.
Upon execution, this virus searches for PE files to infect in a target system's current folder. It writes a total of 3,029 bytes to the host file. However, because this is a cavity type virus, the file size of the infected file does not increase after infection. After infecting the host file, it utilizes a table to store information about the inserted virus code, such as the size and the next offset of the inserted chunks of virus code.
Once the file has been infected, this virus avoids reinfecting it by using its infection marker, YM.
|
5/20/2005 · WORM_SEMAPI.A
This worm propagates by sending copies of itself to email addresses gathered from the infected machine.
|
5/11/2005 · WORM_WURMARK.J
This memory-resident worm propagates via email messages. Upon execution, it drops a copy of itself in the Windows system folder using a random file name.
It also drops a randomly named dynamic link library (DLL) file in the Windows system folder, which is a component of IESpy, a spyware program.
This worm has keylogging capability. It saves user keystrokes in the dropped DLL file.
This worm drops several .ZIP files in the Windows system folder as email attachments.
|
5/10/2005 · WORM_MYTOB.EG
This memory-resident worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine. Upon execution, it drops a copy of itself in the Windows system folder as the file INTERNET.EXE.
|
5/2/2005 · WORM_SOBER.S
This worm spreads by mass-mailing copies of itself using its own SMTP (Simple Mail Transfer Protocol) engine. It gathers its target recipients from files with certain extension names. Notably, it avoids sending messages to addresses that contain specific strings.
Using social engineering techniques, it sends out an email supposedly sent by the soccer organization FIFA, informing recipients that they won tickets for the upcoming FIFA World Cup 2006 in Germany. It also sends email messages in English or in German, depending on the country-level domains of the gathered addresses.
|
10/31/2003 · WORM_MIMAIL.C
This memory-resident Internet worm propagates through email using its own Simple Mail Transfer Protocol (SMTP) engine.
UPDATE 11/3/03:
The Mimail worm, an ordinary mass-mailing worm that first appeared this past August, has spawned four new variants that began invading the wild last Friday. The original Mimail worm did nothing more than cull email addresses and propagate itself. The new variants are far more aggressive, launching DoS attacks against several anti-spam Web sites and online retailers, including one gaming retailer.
|
10/1/2003 · TROJ_QHOSTS.A
This is a Trojan malware that is hosted on malicious Web sites. The Web sites use the Object Data Remote Execution Vulnerability to drop and execute the Trojan on the vulnerable host once the Web page is visited.
|
9/18/2003 · WORM_SWEN.A
This is a mass-mailing worm that poses as a well-crafted email from Microsoft Windows Update.
|
9/11/2003 · PE_DUMARU.C
This PE virus mails copies of itself to all email addresses it finds in the infected system. It uses Alternate Data Streams (ADS) to infect all .EXE files in the root drives of the infected system.
|
9/2/2003 · WORM_RALEKA.A
This worm is similar to the Internet worm, MSBLAST. Like MSBLAST, it also exploits the RPC_DCOM_Buffer_Overflow vulnerability to propagate via the Internet.
|
8/19/2003 · WORM_SOBIG.F
This worm propagates by mass-mailing copies of itself using its own Simple Mail Transfer Protocol (SMTP) engine.
|
8/18/2003 · WORM_MSBLAST.D (aka W32.Nachi.worm)
Strangely, this worm is designed to patch systems against the RPC DCOM Buffer Overflow exploited by MSBLAST. It first checks for the running Windows version and then downloads a patch from Microsoft.
|
8/15/2003 · WORM_MSBLAST.A (Blaster Worm)
This new worm exploits a vulnerability in that allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.
|
8/1/2003 · WORM_MIMAIL.A
This memory-resident worm propagates via email using its own Simple Mail Transfer Protocol (SMTP) engine. It arrives as an email attachment, which is a ZIP file containing an HTML and a UPX-compressed Win32 EXE file.
|
6/25/2003 · WORM_SOBIG.E
This nondestructive worm propagates via network shares and via email using its own SMTP (Simple Mail Transfer Protocol) engine. It gathers its target email addresses from files with WAB, DBX, HTM, HTML, EML and TXT file extensions.
The email message has varying subjects, and has a message body that states "Please see attached file." It also contains a ZIP file attachment with the file name Your_details.zip. This ZIP file contains the copy of the worm with the filename DETAILS.PIF.
|
6/5/2003 · PE_BUGBEAR.B
This is a file-infecting variant of WORM_BUGBEAR.A. This variant includes all the functionalities of the previous variant, including the backdoor capabilities, with the addition of the file infection routine.
|
5/19/2003 · I-Worm/Palyh (WORM_SOBIG.B)
Palyh is a worm virus spreading via the Internet as a file attachment to infected emails. The worm also spreads via local area networks.
|
5/12/2003 · WORM_FIZZER.A
This is a mass-mailing worm that spreads via email, using its own SMTP server.
It sends an email message of varying formats to all the addresses found in Windows Address Book and Microsoft Outlook.
|
4/23/2003 · W32/Coronex-A
W32/Coronex-A is an internet worm which emails itself to every contact in the Windows address book.
|
4/22/2003 · Modem Number Changes for Grant County
The number for First Step modems in Moses Lake and Grant County will change to 754-4461. All First Step customers must change the number their computer dials by May 1.
Click the link below for information on changing modem settings.
[more]
|
3/5/2003 · Macromedia Flash Security Flaw
Macromedia Inc. is warning its users of what it calls a critical security flaw found in the latest version of its Flash animation player. It is advising customers to immediately install a new version just released on its Web site which should fix the security hole.
|
2/21/2003 · WORM_LOVGATE.C
This worm effectively uses a relatively new social engineering trick by mimicking an autoreply message where it attaches itself. Recipients are enticed into opening the malware attachment since the mimicked message arrives as a reply to a familiar message.
|
1/27/2003 · WORM_NETSPREE.A
This worm spreads via network shares. It also gives remote control access to infected systems. It allows remote users to connect to the infected machine and then download and execute files on the compromised system.
|
1/10/2003 · WORM_SOBIG.A
This memory-resident, multi-threaded worm propagates via email and shared network folders.
|
1/9/2003 · WORM_LIRVA.C
This mass-mailing worm propagates via email, mapped network-shared drives, IRC, ICQ and KaZaA Peer-to-Peer file sharing.
|
11/27/2002 · WORM_WINEVAR.A
WORM_WINEVAR.A is a destructive Internet worm that runs on all Windows platforms.
|
11/8/2002 · WORM_FRIENDGRT.B
This is a "Friend Greetings" application that sends out invitation email to all addresses listed in the system's Microsoft Outlook contact list. The details of the email are as follows:
|
10/24/2002 · WORM_FRIENDGRT.A
This arrives as an Electronic Card email from a FriendGreetings.com Web site. The details of the email it arrives with are as follows
|
10/1/2002 · WORM_OPASOFT.A
This memory-resident worm propagates through and across networks via shared C:\ drives. It downloads an executable file from the site http://www.opsoft.com. This download is more likely an update of this worm.
|
10/1/2002 · WORM_BUGBEAR.A
This worm terminates antivirus processes and propagates by sending itself via email using its own SMTP (Simple Mail Transfer Protocol) engine.
|
8/22/2002 · Cumulative Patch for Internet Explorer
Six new vulnerabilities, the most serious of which could enable an attacker to execute commands on a user's system.
|
7/15/2002 · WORM_FRETHEM.D
On systems with unpatched Internet Explorer, the file attachments automatically execute when this email message is previewed or opened in Microsoft Outlook and Outlook Express.
|
6/26/2002 · Cumulative Patch for Windows Media Player
This is a cumulative patch that includes the functionality of
all previously released patches for Windows Media Player 6.4, 7.1
and Windows Media Player for Windows XP.
|
6/19/2002 · Cumulative Patches for Excel and Word for Windows
This is a set of cumulative patches that, when applied, applies all
previously released fixes for these products.
In addition, these patches eliminate four newly discovered
vulnerabilities all of which could enable an attacker to run Macro
code on a user's machine. The attacker's macro code could take
any actions on the system that the user was able to.
|
6/17/2002 · WORM_FRETHEM.E
It's Not Your Password - This non-destructive, memory-resident worm propagates via Microsoft Outlook by sending email to all addresses listed in the infected user's Windows Address Book, and in .DBX files where Microsoft Outlook Express archives emails.
|
5/15/2002 · Cumulative Patch for Internet Explorer
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5 and 6.0.
|
5/7/2002 · E-Mail Delivery Interruption
Due to an attack from outside parties, First Step customers may experience interruptions of e-mail services. Our System Engineers are aggressively addressing the problem. We apologize for any inconvenience this may cause.
|
4/18/2002 · WORM_KLEZ.H
WORM_KLEZ.H is a very malicious and fast spreading worm, with capabilities to attack popular antivirus software.
|
4/17/2002 · WORM_KLEZ.G
This memory-resident variant of the WORM_KLEZ.A is a mass-mailing worm that uses its own SMTP engine to propagate via email. Upon execution, it drops a WINK*.EXE file in the Windows System Folder that allows it to execute at every Windows startup.
|
3/28/2002 · Cumulative Patch for Internet Explorer
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5 and IE 6. In addition,
it eliminates the two newly discovered vulnerabilities, the most serious of which would allow script to run in the Local Computer Zone.
|
3/21/2002 · WORM_MYLIFE.B
This worm uses Microsoft Outlook to email itself to all addresses listed in the infected user's address book.
|
3/14/2002 · WORM_FBOUND.B
WORM_FBOUND.B is currently spreading in-the-wild. This mass-mailing worm sends itself to all email addresses listed in the infected user's Windows Address Book (WAB).
|
3/9/2002 · Talking About Life--WORM_MYLIFE.A
WORM_MYLIFE.A is a memory-resident worm that propagates via email. Upon
execution it displays an image of a girl holding a flower.
|
3/5/2002 · W32/Klez.e@MM
Due to a slow, but steady, increase in prevalence over the past few weeks, AVERT has raised the risk assessment of this threat to MEDIUM.
This W32/Klez variant has the ability to spoof the email From field. The sender's address used by the virus is one that was found on the infected user's system. Thus, it may appear that you have received this virus from one person, when it was actually sent from a different user's system. Viewing the entire email header will display the actual sender's address.
|
3/4/2002 · WORM_SHARPEI.A
WORM_SHARPEI.A is a non-destructive worm that propagates via Microsoft Outlook.
Upon execution, this worm checks whether the Microsoft .NET framework is installed.
If so, it then copies itself to C:\MS02-010.exe. It also drops the file "sharp.vbs"
that contains code that allows it to send itself through Microsoft Outlook.
|
2/15/2002 · JS_MENGER.GEN
This JavaScript malware uses an exploit in Internet Explorer (IE) to use the Microsoft Messenger (MSN) application. It sends a message asking the target user to visit the Web site containing its malicious HTML code.
|
2/15/2002 · VBS_NUMGAME.A
VBS_NUMGAME.A is a VBScript worm that propagates via MAPI by sending itself to every address listed in the infected user's address book.
|
2/12/2002 · Cumulative Patch for Internet Explorer
This is a cumulative patch that, when installed, eliminates all
previously discussed security vulnerabilities affecting IE 5.01, 5.5
and IE 6.
|
2/9/2002 · WORM_COMICAL.A
This worm arrives as an email attachment, COMICAL_STORY.DOC, which contains the worm and a Visual Basic Script file that obtains email addresses from an infected user's address book and sends itself as an attachment.