W32/Swen@MM (10/09/03)

W32/Swen@MM, I-Worm.Swen (AVP), W32/Gibe.e@MM, Win32.HLLM.Gibe.2 (DialogueScience) is a Medium Risk mass-mailing worm for home users. The worm terminates processes relevant to various security and anti-virus products. Additionally, the worm contains its own SMTP engine to create outgoing messages to harvested email addresses from the victim's machine.

Name: W32/Swen@MM

What it does: Sometimes posing as a Microsoft Security Update, this worm is intended to spread via the following methods:
- Mailing itself to recipients extracted from the victim's machine
- Copying itself over network shares (mapped drives)
- Sharing itself over the KaZaa P2P network
- Sending itself via IRC
Various outgoing messages are created, with multiple subject lines and attachment names. Some make use of an Internet Explorer vulnerability to ensure the worm attachment is run upon viewing the email. Messages created to take advantage of this vulnerability will be detected as Exploit-MIME.gen.exe with the 4215 DATs or greater (and earlier as Exploit-MIME.gen). When the worm is run on the victim's machine, a series of fraudulent message boxes is displayed. The worm installs itself (using a random filename) into %WinDir%, for example: C:\WINDOWS\ZNFUL.EXE. W32/Swen@MM modifies various registry keys and disables the execution of REGEDIT.EXE on the victim's machine. Additionally, the worm terminates various processes on the victim's machine.

Means of transmission: This worm propagates via email and network shares. It contains its own SMTP engine to construct outgoing messages.

How to recognize: Sometimes purporting to be a Microsoft Security Update, this worm is intended to propagate via various mechanisms:
- mailing itself to recipients extracted from the victim machine
- copying itself over network shares (mapped drives)
- sharing itself over the KaZaa P2P network
- sending itself via IRC
Symptoms on an infected machine:
- Unexpected termination of AV/security products
- Inability to run RegEdit on the victim machine

Who is at risk: All Microsoft Windows users.
Other Threats:
W32/Sobig.f@MM (8/20/03)

A new variant of W32/Sobig, W32/Sobig.f@MM is a High Risk mass-mailing worm. Sobig.f spreads via e-mail and shared network files and could slow e-mail servers with excessive traffic. Like its siblings, Sobig.f has a built-in termination date, September 10, 2003, and can attempt to retrieve, download, and finally execute a Trojan to steal credit card numbers and other personal account information.

Name: W32/Sobig.f@MM

What it does: When it propagates, the worm "spoofs" the "From:" field, using one of the harvested email addresses, so exercise care when opening emails with attachments: an infected email can come from addresses you recognize. Because it sends so many emails, a worm like Sobig also saps bandwidth and slows network performance. Worse, it can also open a port on a user's computer, making it vulnerable to hackers, who can plant dangerous Trojans. These malicious programs often let unauthorized users remotely take over a system, steal personal information or use the infected PC to send spam.

Means of transmission: This worm propagates via email and network shares.

How to recognize: Common subject lines, attachment names and message content associated with W32/Sobig.f@MM emails:
Subject:
- Your details
- Re: Approved
- Thank you!
- Re: Your application
- Re: Thank you!
- Re: Wicked screensaver
- Re: Details
- Re: That movie
- Re: Re: My details
Attachment:
- your_document.pif
- document_9446.pif
- document_all.pif
- application.pif
- thank_you.pif
- wicked_scr.scr
- your_details.pif
- movie0045.pif
- details.pif
Body:
- See the attached file for details
- Please see the attached file for details
The worm copies itself onto an infected machine as: C:\WINNT\WINPPR32.EXE

Who is at risk: All Microsoft Windows users.
W32/Nachi.worm (8/18/03)

This worm spreads by exploiting a vulnerability in Microsoft Windows. It scans the local subnet (port 135) for target machines. It sends an ICMP packet to potential victim machines, and upon a reply, sends the exploit data. Victim machines are instructed to download the worm via TFTP.

Name: W32/Nachi.worm

What it does: This worm tries to spread by exploiting a hole in Microsoft Windows. It instructs a remote target system to download and execute the worm from the infected host. Once running, the worm terminates and deletes the W32/Lovsan.worm.a process and applies the Microsoft patch to prevent other threats from infecting the system through the same hole. When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.

Means of transmission: Victim machines are instructed to download the worm via TFTP.

How to recognize: Irrespective of anti-virus detection, unless the system has been patched (MS03-026), it is susceptible to the buffer overflow attack from an infected host machine. An infected machine will send packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, they will create a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine. Applying the MS03-026 patch to the machine will prevent the RPC service from failing, in turn resolving these symptoms. It is very important that the machine is rebooted after the patch has been installed.

Who is at risk: All Microsoft Windows users.
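The Nachi sequence above (ICMP echo sweep of the local subnet, TCP/135 to the hosts that replied, then the victim pulling the worm back over TFTP) is visible in flow or firewall logs even on networks where the worm itself is never caught on disk. The detector below is an added example written for this page, not code from the advisory or from any vendor; the log format (`time src dst proto port`), the sample lines, the 10.0.5.0/24 subnet and the sweep threshold are all constructed for the illustration.

```python
"""Flag hosts showing the W32/Nachi propagation sequence: an ICMP echo sweep of
the local subnet, TCP/135 (RPC) to hosts that were pinged, and a TFTP (UDP/69)
request from one of those hosts back to the sweeper.

Added, illustrative detector; not part of the original advisory. The log layout
is an assumption made for this example:  <time> <src_ip> <dst_ip> <proto> <dst_port>
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: 10.0.5.20 sweeps 10.0.5.0/24, hits .3 and .7 on 135/tcp,
# and .3 fetches the worm back over TFTP. 10.0.5.44 is ordinary traffic.
SAMPLE_LOG = """\
09:14:01 10.0.5.20 10.0.5.1 icmp echo
09:14:01 10.0.5.20 10.0.5.2 icmp echo
09:14:01 10.0.5.20 10.0.5.3 icmp echo
09:14:01 10.0.5.20 10.0.5.4 icmp echo
09:14:02 10.0.5.20 10.0.5.5 icmp echo
09:14:02 10.0.5.20 10.0.5.6 icmp echo
09:14:02 10.0.5.20 10.0.5.7 icmp echo
09:14:02 10.0.5.20 10.0.5.8 icmp echo
09:14:03 10.0.5.20 10.0.5.3 tcp 135
09:14:03 10.0.5.20 10.0.5.7 tcp 135
09:14:04 10.0.5.3 10.0.5.20 udp 69
09:14:09 10.0.5.44 10.0.5.9 tcp 445
09:14:10 10.0.5.44 10.0.5.1 icmp echo
"""

SWEEP_THRESHOLD = 8  # distinct hosts pinged in one subnet before we call it a sweep (assumed)

def parse_flows(text):
    """Yield (src, dst, proto, port); port is None for ICMP. Malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _time, src, dst, proto, port = parts
        proto = proto.lower()
        yield src, dst, proto, (None if proto == "icmp" else int(port))

def detect_nachi_pattern(text, subnet="10.0.5.0/24", threshold=SWEEP_THRESHOLD):
    """Return {sweeper_ip: {"pinged": n, "rpc_targets": [...], "tftp_from": [...]}}
    for each source that pinged >= threshold hosts and then hit 135/tcp on one of them."""
    net = ip_network(subnet)
    pinged = defaultdict(set)     # sweeper -> hosts it sent ICMP echo to
    rpc = defaultdict(set)        # sweeper -> hosts it connected to on 135/tcp
    tftp_from = defaultdict(set)  # infected host -> victims that pulled from it over TFTP
    for src, dst, proto, port in parse_flows(text):
        if ip_address(dst) not in net:
            continue
        if proto == "icmp":
            pinged[src].add(dst)
        elif proto == "tcp" and port == 135:
            rpc[src].add(dst)
        elif proto == "udp" and port == 69:
            tftp_from[dst].add(src)  # the victim (src) downloads from the sweeper (dst)
    findings = {}
    for host, targets in pinged.items():
        if len(targets) < threshold:
            continue
        hit = rpc[host] & targets  # RPC attempts only count against hosts that were pinged
        if not hit:
            continue
        findings[host] = {
            "pinged": len(targets),
            "rpc_targets": sorted(hit),
            "tftp_from": sorted(tftp_from[host] & hit),
        }
    return findings

if __name__ == "__main__":
    for host, info in detect_nachi_pattern(SAMPLE_LOG).items():
        print(f"{host}: swept {info['pinged']} hosts, 135/tcp to {info['rpc_targets']}, "
              f"TFTP pulls from {info['tftp_from']}")
```

The TFTP leg is the strongest confirmation: a workstation making an outbound UDP/69 request to a peer that just probed it on 135/tcp has almost no benign explanation, whereas the ping sweep alone is also produced by inventory tools, so the threshold and the requirement that the RPC targets be among the pinged hosts are what keep the false-positive rate down.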
W32/Lovsan.worm.a (8/16/03)

Also known as "Blaster" or "MSBlaster", Lovsan has quickly infected computers throughout the Internet. The worm takes advantage of a flaw in Windows NT, 2000 and XP operating systems to drop a malicious program on your computer.

Name: W32/Lovsan.worm.a

What it does: Unlike typical computer viruses, which usually arrive as email attachments, Internet worms attack open communication ports on vulnerable systems, often without the operator's knowledge. By taking advantage of a vulnerability in Windows, the worm is able to spread without requiring any action on the part of the user.

Means of transmission: By taking advantage of a vulnerability in Windows, the worm is able to spread without requiring any action on the part of the user.

How to recognize: Generally, the Lovsan worm causes your system to repeatedly reboot itself every few minutes. Windows NT 4.0 and Windows 2000 systems may become unresponsive. Also, the file msblast.exe appears in the WINDOWS SYSTEM32 directory.

Who is at risk: Microsoft Windows NT, 2000, and XP users.
W32/Sobig.e@MM (6/27/03)

This variant is similar to W32/Sobig.d@MM. The worm propagates via email and over network shares. It contains its own SMTP engine for constructing outgoing messages. The virus is sent in a ZIP archive, allowing it to bypass extension blocking rules. However, this requires the end user to perform extra steps in order to actually execute the virus.

Name: W32/Sobig.e@MM

What it does: The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine. Similarly to W32/Sobig@MM, the outgoing messages constructed by the worm may have a closing quote omitted from the attachment filename. With certain mail servers, this may result in the loss of a character from the remaining filename, thus attachments may have a ".ZI" extension (as opposed to ".ZIP").

Means of transmission: This worm propagates via email and network shares.

How to recognize: The worm may arrive in an email with the following characteristics:
Body: Please see the attached zip file for details.
Attachment: your_details.zip (which contains details.pif)
Note: This variant spoofs, or forges, the from address. Therefore the perceived sender is likely not a pointer to the infected user.
Other indicators:
- Presence of the file winssk32.exe in the WINDOWS (%WinDir%) directory
- System listening on UDP ports 995 - 999

Who is at risk: All Microsoft Windows users.
Bugbear.b is on the prowl (6/5/03)

A new variation of the Bugbear worm is spreading rapidly across the Internet. Bugbear.b (w32.bugbear.b@mm) is similar to the original in that it spreads by e-mail or shared network files, attempts to shut down popular antivirus and firewall apps, and opens a port on infected computers for remote administration.

Name: Bugbear.b (w32.bugbear.b@mm)

What it does: Installs a keystroke-logging Trojan horse on your PC. Bugbear also attempts to terminate any active antivirus and firewall software. The worm installs a keystroke-logging app in the Windows System directory. The keystroke-logging app uses a random name that contains seven characters followed by .dll. Finally, the worm opens TCP port 1080 to listen for additional commands or to allow a remote attacker access to the infected system.

Means of transmission: E-mail and shared network files.

How to recognize: Random e-mail with an .exe, .scr, or .pif attachment.

Who is at risk: Windows users who have not patched the I-Frame vulnerability.
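Two of the entries above give host-side network indicators that can be checked from `netstat -an` output: Sobig.e leaves the system listening on UDP 995-999, and Bugbear.b opens TCP 1080; Bugbear.b also drops a seven-character `.dll` in the Windows System directory. The script below is an added example for this page, not code from the advisory or any vendor. It parses text in the layout of Windows `netstat -an` output and checks a directory listing against a baseline; the sample output, the listing and the baseline set are all constructed, and `INDICATORS` holds only the ports the two entries name.

```python
"""Check netstat output and a System directory listing for the Sobig.e (UDP 995-999)
and Bugbear.b (TCP 1080, seven-character .dll) indicators given in the advisory.

Added example, not part of the original page. The netstat sample, the directory
listing and the baseline of expected DLL names are constructed for illustration;
a real baseline would come from a clean build of the same Windows version.
"""
import re

INDICATORS = [
    # (threat name from the advisory, protocol, inclusive port range)
    ("W32/Sobig.e@MM", "UDP", (995, 999)),
    ("Bugbear.b", "TCP", (1080, 1080)),
]

# Constructed `netstat -an` output: 1080/tcp listening and 996/udp bound.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    10.0.5.3:139           0.0.0.0:0              LISTENING
  TCP    10.0.5.3:1047          10.0.5.1:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:996            *:*
"""

# Constructed System directory listing and constructed baseline of expected names.
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "shell32.dll", "user32.dll", "qzkwpae.dll", "notepad.exe"]
BASELINE_DLLS = {"kernel32.dll", "shell32.dll", "user32.dll"}

# Proto, local addr:port, foreign addr, optional state (UDP rows have no state column).
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def parse_listeners(netstat_text):
    """Return a set of (proto, port) for sockets accepting input: TCP rows in
    LISTENING state and every UDP row. Header lines and connections are ignored."""
    listeners = set()
    for line in netstat_text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "UDP" or state == "LISTENING":
            listeners.add((proto, port))
    return listeners

def match_listener_indicators(listeners, indicators=INDICATORS):
    """Map threat name -> sorted (proto, port) pairs found among the listeners."""
    hits = {}
    for name, proto, (lo, hi) in indicators:
        found = sorted(p for p in listeners if p[0] == proto and lo <= p[1] <= hi)
        if found:
            hits[name] = found
    return hits

def suspicious_seven_char_dlls(filenames, baseline=BASELINE_DLLS):
    """Names of exactly seven characters followed by .dll that are not in the baseline.
    Legitimate files such as shell32.dll fit the pattern, so the baseline is essential."""
    pat = re.compile(r"^.{7}\.dll$", re.IGNORECASE)
    return sorted(f for f in filenames if pat.match(f) and f.lower() not in baseline)

if __name__ == "__main__":
    print(match_listener_indicators(parse_listeners(SAMPLE_NETSTAT)))
    print(suspicious_seven_char_dlls(SAMPLE_SYSTEM_DIR))
```

A listener on 1080/tcp is also what a legitimate SOCKS proxy uses, so the port match should be confirmed by identifying the owning process (`netstat -ano` on Windows XP and later reports the PID) before the host is treated as infected.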
The worm Sobig.C takes off for its one-week run (06/2/03)

Sobig.C is loose on the internet and has spread to over 80 countries since its release on May 31, 2003. Sobig.C (w32.sobig.c@mm) is a variant of the Sobig worm and arrives by e-mail with an attached file; it also spreads using shared network files. But Sobig.C is self-terminating and will only spread until June 8, 2003.

Name: Sobig.c (w32.sobig.c@mm)

What it does: Attempts to spread via e-mail and shared network files.

Means of transmission: E-mail and shared file networks.

How to recognize: Attached file has a .pif or .pi extension. Sobig.c arrives via e-mail or shared network file. The e-mail appears to be from someone you might know, but this address is spoofed. The e-mail's subject line may include one of the following:
- Approved
- Re: 45443-343556
- Re: Application
- Re: Approved
- Re: Movie
- Re: Screensaver
- Re: Submited (004756-3463)
- Re: Your application

Who is at risk: Windows users
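The three Sobig entries on this page (W32/Sobig.f@MM's subject lines, attachment names and body text; W32/Sobig.e@MM's zip lure and the ".ZI" extension left behind when a mail server drops a character after the missing closing quote; Sobig.c's subject lines and ".pi" attachments) together describe what a mail gateway rule needs to match. The triage function below is an added example written for this page, not code from the advisory or any vendor. It uses only Python's standard `email` package; the three sample messages are constructed, the Sobig.e sample is written with the filename already truncated (as it would look after the server mangled it), and the From: header is deliberately ignored because the entries say it is spoofed.

```python
"""Mail triage for the Sobig indicators in the W32/Sobig.f@MM, W32/Sobig.e@MM and
Sobig.c entries, including the one-character-truncated .zi / .pi extensions.

Added example, not code from the advisory. Sample messages are constructed; the
Sobig.e sample already carries the truncated filename as delivered by the server.
"""
import email
from email import policy

SUBJECTS = {s.lower() for s in [
    "Your details", "Re: Approved", "Thank you!", "Re: Your application",
    "Re: Thank you!", "Re: Wicked screensaver", "Re: Details", "Re: That movie",
    "Re: Re: My details",                                       # W32/Sobig.f@MM
    "Approved", "Re: 45443-343556", "Re: Application", "Re: Movie",
    "Re: Screensaver", "Re: Submited (004756-3463)",            # Sobig.c
]}
ATTACHMENTS = {
    "your_document.pif", "document_9446.pif", "document_all.pif", "application.pif",
    "thank_you.pif", "wicked_scr.scr", "your_details.pif", "movie0045.pif",
    "details.pif",                                              # W32/Sobig.f@MM
    "your_details.zip",                                         # W32/Sobig.e@MM
}
BODIES = {"see the attached file for details", "please see the attached file for details",
          "please see the attached zip file for details."}
EXECUTABLE_EXT = {"pif", "scr", "exe", "zip"}
TRUNCATED_EXT = {"zi": "zip", "pi": "pif"}  # last character lost in transit per the advisory

def normalize_filename(name):
    """Lower-case the name and repair a truncated extension (.zi -> .zip, .pi -> .pif)."""
    name = name.strip().lower()
    base, _, ext = name.rpartition(".")
    return f"{base}.{TRUNCATED_EXT[ext]}" if base and ext in TRUNCATED_EXT else name

def attachment_names(msg):
    """Normalised filenames of every MIME part that carries one."""
    return [normalize_filename(p.get_filename()) for p in msg.walk() if p.get_filename()]

def triage(raw):
    """Return (verdict, reasons): 'block' on a known attachment name, or on a known
    subject/body lure paired with an executable attachment. A known subject alone is
    not enough, since real replies reuse ordinary subjects such as 'Re: Approved'."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        reasons.append("known subject")
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part and body_part.get_content().strip().lower() in BODIES:
        reasons.append("known body text")
    names = attachment_names(msg)
    known_name = [n for n in names if n in ATTACHMENTS]
    executable = [n for n in names if n.rpartition(".")[2] in EXECUTABLE_EXT]
    reasons += [f"known attachment: {n}" for n in known_name]
    reasons += [f"executable attachment: {n}" for n in executable if n not in known_name]
    lure = "known subject" in reasons or "known body text" in reasons
    verdict = "block" if known_name or (lure and executable) else "allow"
    return verdict, reasons

# Constructed sample messages (the .scr content is a placeholder, not a real file).
SOBIG_F_SAMPLE = """\
From: someone@example.com
Subject: Re: Wicked screensaver
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached file for details
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="wicked_scr.scr"

TVo=
--b1--
"""
SOBIG_E_TRUNCATED_SAMPLE = (SOBIG_F_SAMPLE
    .replace("Re: Wicked screensaver", "Re: Application")
    .replace("See the attached file for details", "Please see the attached zip file for details.")
    .replace("wicked_scr.scr", "your_details.zi"))
BENIGN_SAMPLE = (SOBIG_F_SAMPLE
    .replace("Re: Wicked screensaver", "Re: Approved")
    .replace("See the attached file for details", "Attached is the signed approval.")
    .replace("wicked_scr.scr", "approval.pdf"))

if __name__ == "__main__":
    for label, raw in [("Sobig.f", SOBIG_F_SAMPLE), ("Sobig.e .zi", SOBIG_E_TRUNCATED_SAMPLE),
                       ("benign", BENIGN_SAMPLE)]:
        print(label, *triage(raw))
```

The normalisation step is the part an extension-blocking rule most often misses: a rule that only strips `.zip` or `.pif` lets the mangled `your_details.zi` through, which is exactly the behaviour the Sobig.e entry describes.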