
Experts don't all agree on the worm's payload, but they do agree that it is spreading faster than Sobig-F, the worm that topped the charts as the most widespread e-mail worm last year. Antivirus software vendors urge users to update their antivirus software and be careful when opening e-mail attachments. "If you're not expecting an e-mail, don't open it." The worm, called W32/Mydoom or W32/Novarg, is currently being analyzed by antivirus companies. Because this is a new virus, your virus-checking software will probably NOT be checking for it, and there is no "disinfectant" for it at the present time; however, all major anti-virus vendors are in hot pursuit.
Mydoom/Novarg carries varying subjects such as "HELLO" or a blank Subject line, as well as a variety of messages and attachments. When launched (opened), it calls up Windows Notepad and displays random characters, while creating a copy of itself and modifying the infected machine's Windows Registry to run the code upon start-up.
It does a few other things as well, but the most important thing is to be hyper-vigilant while your virus-checking software vendor scurries to come up with a fix for this one, should your system become infected. This worm spreads by email file attachment, so you would be well advised to avoid opening any attachments until your virus-checking software has been updated.
This worm is particularly effective because it arrives posing as a harmless text (.txt) file. It often claims to be from a colleague or friend and offers the believable explanation that the original message had to be translated into a plain-text file for delivery. The attachment often displays the Notepad icon. The message body often reads: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment." Other variations say: "The message contains Unicode characters and has been sent as a binary attachment," or "Mail transaction failed. Partial message is available." In any case, the message urges recipients to open the attached file, which carries the virus. "Even users who know text files are harmless fall for the deception and are clicking on the attachment at alarming rates," according to virus researcher Sharon Ruckman of Symantec Corp. Visit your virus-checking software vendor's Web site for the latest news and updates. Be careful out there!
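As an added example (not code from the original alert), the following Python script turns the lure characteristics quoted above into a mail-gateway triage rule: it parses a message, looks in the body for the quoted phrases, lists any attachment, and marks the message for quarantine when lure text and an attachment occur together, whatever the attachment claims to be. The sample messages are constructed here, and `EXECUTABLE_EXTENSIONS` is an assumed list of extensions a gateway should treat as executable; neither comes from the alert.

```python
"""Triage incoming mail against the Mydoom/Novarg lure quoted above.

Added example, not code from the original alert. LURE_PHRASES are the body
texts quoted on the page; EXECUTABLE_EXTENSIONS is an assumption about what
a gateway should treat as executable; the sample messages are constructed.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Body texts quoted on the page (matched case-insensitively, whitespace folded).
LURE_PHRASES = (
    "cannot be represented in 7-bit ascii encoding",
    "contains unicode characters and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
)

# Assumption: extensions a mail gateway should treat as executable content.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".cmd", ".bat", ".zip")


def attachment_names(msg: EmailMessage) -> List[str]:
    """Filenames of every attachment part in a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def triage_message(raw: str) -> Dict[str, object]:
    """Classify one RFC 2822 message string; returns the findings as a dict."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = ""
    if body_part is not None:
        body = " ".join(body_part.get_content().split()).lower()
    lure_text = any(phrase in body for phrase in LURE_PHRASES)
    names = attachment_names(msg)
    executable = any(n.lower().endswith(EXECUTABLE_EXTENSIONS) for n in names)
    return {
        "subject": str(msg["Subject"] or ""),
        "lure_text": lure_text,
        "attachments": names,
        "executable_attachment": executable,
        # The lure only works if there is something to open, so quarantine
        # on lure text plus any attachment, regardless of its claimed type.
        "quarantine": lure_text and bool(names),
    }


def build_sample(subject: str, body: str,
                 payload: Optional[bytes] = None,
                 filename: Optional[str] = None) -> str:
    """Construct a sample message for the demo (constructed data, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if payload is not None:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_string()


# Lure sample: the "HELLO" subject and the 7-bit ASCII body quoted on the page,
# with a stand-in attachment that is not a text file despite its name.
SAMPLE_LURE = build_sample(
    "HELLO",
    "The message cannot be represented in 7-bit ASCII encoding\n"
    "and has been sent as a binary attachment.\n",
    b"MZ\x90\x00 constructed stand-in, not the worm",
    "message.txt.pif",
)
# Benign sample: ordinary text, no attachment.
SAMPLE_BENIGN = build_sample("Lunch?", "Still on for noon?\n")

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(triage_message(raw))
```

The rule keys on the lure text rather than on a specific filename because the alert notes that the attachment name and subject vary; a gateway rule built on the fixed body phrases survives those variations, while the `executable_attachment` flag is reported separately so the two signals can be weighted independently.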

Below is a list of specialized utilities for virus removal. They can be used to remove some of the most widespread types of viruses. The list is updated on a regular basis.
Warnings about currently active virus threats can be found on the Virus Top Threats page; complete descriptions of each virus's properties, the ways it infects a system, and the damage it may do to your data can be found in the virus database.
- I-Worm/Sober.A
- Worm/Lovsan
W32.Spinac@mm is a simple worm that uses Microsoft Outlook to spread itself. The email arrives with the following characteristics:
Subject: <recipient's name>."REMEMBER THE TIMES !!!?
Attachment: Popey.scr
When W32.Spinac@mm is executed, it may display fake error messages titled "POPEYE SCREEN SAVER" and "Popeye ScreenMates." The worm is written in Microsoft Visual Basic.
NOTE: Virus definitions dated prior to March 20, 2003 may detect this threat as Bloodhound.W32.VBWORM.
Type: Worm
Infection Length: 49,152 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
JS.Fortnight.B is a Trojan horse that drops a file, which is then inserted into the default Microsoft Outlook Express signature. Then, every time you send email using Outlook Express, the message will contain code attempting to open a specific Web site when the message is opened.
JS.Fortnight.B also changes the Internet Explorer security settings. It also configures the Web Browser to prepend all the URLs with a specific URL.
Type: Trojan Horse, Worm
Infection Length: 6,276 bytes, 96 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
VBS.Suconelo is an intended mass-mailing worm. The submitted sample does not execute, due to errors in the code.
The purpose of VBS.Suconelo is to:
- Send itself to the email addresses in the Microsoft Outlook address book
- Delete the files
- Modify the configuration settings
- Display various messages
Type: Worm
Infection Length: 15,040 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Microsoft IIS, Macintosh, OS/2, UNIX, Linux
W32.Hawawi.Worm is a worm that spreads through email using its own SMTP server, ICQ, Yahoo Messenger, PalTalk, and KaZaA. The email message has one of many different Subject lines, such as:
- *< Love Speaks it all >*
- Co0o0o0o0oL
- Fw:
- Heeeeeeeeeeeeeeeey
- Wussaaaaaaaap?
- WoW But not for NoW
- Why Do We FOk?
The messages have an attachment with a .pif extension, usually Hawawi.pif.
W32.Hawawi.Worm has a payload of overwriting all the files that have the following extensions with zero-byte files: mpeg, rm, wav, sql, mde, php, cpp, swf, ram, mp3, frm, dpr, rar, mpg, jpg, pps, ppt, txt, htm, html, zip, doc, mdb, xls.
Also Known As: W32/Holar.d@MM [McAfee]
Type: Worm
Infection Length: 25,776 bytes, 58,185 bytes, 1,185 bytes, 14,336 bytes, 10,258 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
W32.Vote.D@mm is a mass mailing worm that attempts to use Microsoft Outlook to email itself to all the contacts in the Windows Address Book. It also attempts to overwrite and delete numerous files on the infected system.
The email has the following characteristics:
Subject: <Recipients.name>, WORLD TRADE CENTER PICTURES
Message: <Recipients.name>, Remember The Times.......MAYBE THEY WILL BE
BACK....!!!
Attachment: WTC32.scr
This threat is written in Microsoft Visual Basic (VB). The VB run-time libraries must be installed for the worm to execute.
NOTE: Virus definitions dated prior to March 19, 2003 may detect this threat as Bloodhound.W32.VBWORM. Virus definitions dated March 19 may detect this threat as W32.HLLW.Der@mm.
Also Known As: W32.HLLW.Der@mm
Type: Worm
Infection Length: 61,440 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux
W32.HLLW.Genky is a worm that spreads using the KaZaA and iMesh file-sharing networks. It also attempts to download Backdoor.Sdbot from a specific Web site.
W32.HLLW.Genky is written in Microsoft Visual Basic, version 6, and packed with FSG.
Type: Worm
Infection Length: 3,968 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
The W32.Klez.H@mm worm is a modified variant of W32.Klez.E@mm. This variant can spread by email and network shares. It is also capable of infecting files.
Removal tool
Symantec has provided a tool to remove infections of all known variants of W32.Klez and W32.ElKern. Click here to obtain the tool. Try this tool first, as it is the easiest way to remove these threats.
Note on W32.Klez.gen@mm detections
W32.Klez.gen@mm is a generic detection that detects variants of W32.Klez. Computers that are infected with W32.Klez.gen@mm have most likely been exposed to either W32.Klez.E@mm or W32.Klez.H@mm. If your computer is detected as infected with W32.Klez.gen@mm, download and run the tool. In most cases, the tool will be able to remove the infection.
Also Known As: W32/Klez.h@MM [McAfee], WORM_KLEZ.H [Trend], I-Worm.Klez.h [AVP], Klez.H, W32/Klez-H [Sophos], Win32.Klez.H [CA], WORM_KLEZ.I [Trend]
Type: Worm
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
CVE References: CVE-2001-0154
As of March 11, 2003, Symantec Security Response has confirmed that a new minor variant of CodeRed II has been found in the wild.
CodeRed.F differs from the original CodeRed II in only two bytes. CodeRed II will restart the system if the year is greater than 2001; this is no longer the case for this variant.
Symantec antivirus products detect CodeRed.F as CodeRed Worm if it is saved to a file. The worm also drops a Trojan, which will be detected as Trojan.VirtualRoot. The existing CodeRed Removal Tool will correctly detect and remove this new variant.
Please click here for information on how to best leverage Symantec technologies to combat the CodeRed threat.
CodeRed.F scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 Web servers and uses a buffer overflow vulnerability to infect the remote computers. The worm injects itself directly into memory, rather than copying itself as a file on the system. In addition, CodeRed.F creates a file detected as Trojan.VirtualRoot. Trojan.VirtualRoot gives the hacker full remote access to the Web server.
If you are running the Microsoft IIS Server, we recommend that you apply the latest Microsoft patch to protect yourself from this worm. The patch can be found at http://www.microsoft.com/technet/security/bulletin/MS01-033.asp. A cumulative patch for IIS, including the four patches released to date, is available at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.
In addition, Trojan.VirtualRoot takes advantage of a vulnerability in Windows 2000. Download and install the following Microsoft security patch to address this problem and stop the Trojan from re-infecting the computer: http://www.microsoft.com/technet/security/bulletin/MS00-052.asp.
Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C, W32/CodeRed.a.worm [McAfee]
Type: Trojan Horse, Worm
Systems Affected: Microsoft IIS
CVE References: CVE-2001-0500, CVE-2001-0506
NOTE: Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from a Category 4 to a Category 3 as of January 15, 2003.
W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs.
Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupts their normal functionality.
It is written in the Microsoft Visual C++ 6 programming language and is compressed with UPX v0.76.1-1.22.
Also Known As: W32/Bugbear-A [Sophos], WORM_BUGBEAR.A [Trend], Win32.Bugbear [CA], W32/Bugbear@MM [McAfee], I-Worm.Tanatos [AVP], W32/Bugbear [Panda], Tanatos [F-Secure]
Type: Worm
Infection Length: 50,688 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, UNIX, Linux
CVE References: CVE-2001-0154
As of December 20, 2002, due to an increase in submissions, Symantec Security Response has upgraded this threat from a Category 2 to a Category 3.
W32.Yaha.K@mm is a worm that is a variant of W32.Yaha.J@mm. This worm terminates some antivirus and firewall processes. It uses its own SMTP engine to email itself to all the contacts in the Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager, and all the files whose extensions contain the letters HT. The subject line, message body, and attachment name of the email are chosen at random.
This threat is written in the Microsoft C++ language and is compressed with UPX. The uncompressed size is about 75 KB.
Removal tool
Symantec has provided a tool to remove infections of W32.Yaha.K@mm. Click here to obtain the tool. Try this method first, as it is the easiest way to remove the threat.
Also Known As: W32/Yaha.k [McAfee], I-Worm.Lentin.i [KAV], Win32/Yaha.K@mm [GeCAD], W32/Yaha-K [Sophos], Win32.Yaha.K [CA], W32/Yaha.M-mm [MessageLabs]
Type: Worm
Infection Length: 34,304 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port.
The worm has the unintended payload of performing a Denial of Service attack due to the large number of packets it sends.
Symantec Security Response strongly recommends that all the users of either Microsoft SQL Server 2000 or MSDE 2000 audit their computers for the vulnerabilities that are referred to in Microsoft Security Bulletin MS02-039 and Microsoft Security Bulletin MS02-061.
Symantec Security Response also recommends that you:
- Configure perimeter devices to block the ingress UDP traffic to port 1434 from untrusted hosts.
- Block the egress UDP traffic from your network to the destination port 1434.
For more information on the SQL outbreak, refer to the Web cast at:
https://enterprisesecurity.symantec.com/Content/webcastarchive.cfm?SSL=YES&EID=0&webcastID=45.
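As an added example (not code from the original alert), the following Python snippet turns the two perimeter recommendations above into a check that can be run over flow logs: UDP traffic to port 1434 arriving from outside is flagged for blocking unless the source is on a trusted list, and UDP traffic to port 1434 leaving the network is flagged as a likely infected internal host. The one-flow-per-line log format, the `INTERNAL_NETS` and `TRUSTED_HOSTS` values, and the `payload=` field (taken here as the UDP payload length so the 376-byte figure quoted above can be compared) are all assumptions made for the example, and the sample flows are constructed.

```python
"""Classify UDP/1434 flows against the Slammer perimeter recommendations.

Added example, not code from the original alert. The log line format,
INTERNAL_NETS, TRUSTED_HOSTS and the meaning of the payload= field are
assumptions for this example; the sample flows are constructed.
"""
import ipaddress
import re
from typing import Dict, List

SQL_RESOLUTION_PORT = 1434   # SQL Server Resolution Service port, from the alert
SLAMMER_PAYLOAD_LEN = 376    # datagram size quoted in the alert

# Assumptions for the example: our address space and hosts allowed to reach 1434.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
TRUSTED_HOSTS = {ipaddress.ip_address("198.51.100.5")}  # e.g. a monitoring host

# Constructed log format: "<ts> proto=<p> src=<ip>:<port> dst=<ip>:<port> payload=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+payload=(?P<payload>\d+)$"
)


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    """True if the address falls inside one of our own networks."""
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(line: str) -> Dict[str, object]:
    """Return a verdict for one flow line.

    Verdicts: 'unparsed', 'ignore' (not UDP/1434), 'block_ingress',
    'allowed_ingress' (trusted source), 'block_egress' (internal host
    sending out, likely infected) or 'internal_1434' (inside-to-inside).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return {"verdict": "unparsed", "line": line}
    if m["proto"].lower() != "udp" or int(m["dport"]) != SQL_RESOLUTION_PORT:
        return {"verdict": "ignore", "line": line}
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    src_in, dst_in = is_internal(src), is_internal(dst)
    if not src_in and dst_in:
        verdict = "allowed_ingress" if src in TRUSTED_HOSTS else "block_ingress"
    elif src_in and not dst_in:
        verdict = "block_egress"
    elif src_in and dst_in:
        verdict = "internal_1434"
    else:
        verdict = "ignore"  # transit traffic not touching our networks
    return {
        "verdict": verdict,
        "src": str(src),
        "dst": str(dst),
        # Matching the quoted datagram size strengthens the case that this
        # is the worm rather than a legitimate SQL Browser lookup.
        "slammer_sized": int(m["payload"]) == SLAMMER_PAYLOAD_LEN,
        "line": line,
    }


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count verdicts over a batch of flow lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        verdict = str(classify_flow(line)["verdict"])
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample flows (not a real capture); RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    "2003-01-25T05:31:02Z proto=udp src=203.0.113.7:3121 dst=192.0.2.10:1434 payload=376",
    "2003-01-25T05:31:02Z proto=udp src=198.51.100.5:40000 dst=192.0.2.10:1434 payload=1",
    "2003-01-25T05:31:03Z proto=udp src=192.0.2.10:3542 dst=203.0.113.99:1434 payload=376",
    "2003-01-25T05:31:03Z proto=udp src=192.0.2.10:3543 dst=192.0.2.44:1434 payload=376",
    "2003-01-25T05:31:04Z proto=tcp src=203.0.113.7:5555 dst=192.0.2.10:1433 payload=120",
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        result = classify_flow(flow)
        print(result["verdict"], result.get("slammer_sized", ""), flow)
    print(summarize(SAMPLE_FLOWS))
```

Inside-to-inside hits are reported separately rather than blocked, because the same port is used by legitimate SQL Server Resolution lookups; an internal host producing many `internal_1434` flows of exactly 376 bytes to many distinct destinations is the pattern worth pulling off the network, and the egress verdict is the one the second recommendation above says to enforce at the perimeter.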
Removal Tool
Symantec has provided a tool to remove the infections of W32.SQLexp.Worm. Click here to obtain the tool. Try this tool first, as it is the easiest way to remove this threat. Because the worm resides in memory only and is not written to disk, the virus definitions do not detect this threat. Symantec Security Response recommends that you follow the measures described in this document to deal with this threat.
Please refer to the Technical Details section below for information on how to configure the Symantec products to detect this threat.
Also Known As: SQL Slammer Worm [ISS], DDOS.SQLP1434.A [Trend], W32/SQLSlammer [McAfee], Slammer [F-Secure], Sapphire [eEye], W32/SQLSlam-A [Sophos]
Type: Worm
Infection Length: 376 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, OS/2, UNIX, Linux
CVE References: CAN-2002-0649
Hoaxes