Latest Virus Update - 29 October 2003

 

 

W32/Swen@MM (10/09/03)

W32/Swen@MM, I-Worm.Swen (AVP), W32/Gibe.e@MM, Win32.HLLM.Gibe.2 (DialogueScience) is a Medium Risk mass-mailing worm for home users. The worm terminates processes relevant to various security and anti-virus products. Additionally, the worm contains its own SMTP engine to create outgoing messages to harvested email addresses from the victim's machine.

Name:
W32/Swen@MM
What it does:

Sometimes posing as a Microsoft Security Update, this worm is intended to spread via the following methods:

  • Mailing itself to recipients extracted from the victim's machine
  • Copying itself over network shares (mapped drives)
  • Sharing itself over the KaZaa P2P network
  • Sending itself via IRC

Various outgoing messages are created, with multiple subject lines and attachment names. Some make use of an Internet Explorer vulnerability to ensure the worm attachment is run upon viewing the email. Messages created to take advantage of this vulnerability will be detected as Exploit-MIME.gen.exe with the 4215 DATs or greater (and earlier as Exploit-MIME.gen). When the worm is run on the victim's machine, a series of fraudulent message boxes are displayed. The worm installs itself (using a random filename) into %WinDir%, for example: C:\WINDOWS\ZNFUL.EXE. W32/Swen@MM modifies various registry keys and disables the execution of REGEDIT.EXE on the victim's machine. Additionally, the worm terminates various processes on the victim's machine.

Means of transmission: This worm propagates via email and network shares. It contains its own SMTP engine to construct outgoing messages.
How to recognize:

Sometimes purporting to be a Microsoft Security Update, this worm is intended to propagate via various mechanisms:

  • Mailing itself to recipients extracted from the victim machine
  • Copying itself over network shares (mapped drives)
  • Sharing itself over the KaZaa P2P network
  • Sending itself via IRC

Symptoms on an infected machine:

  • Unexpected termination of AV/security products
  • Inability to run RegEdit on the victim machine
Who is at risk: All Microsoft Windows users.
Other Threats:

W32/Sobig.f@MM (8/20/03)

A new variant of W32/Sobig, W32/Sobig.f@MM is a High Risk mass-mailing worm. Sobig.f spreads via e-mail and shared network files and could slow e-mail servers with excessive traffic. Like its siblings, Sobig.f has a built-in termination date, September 10, 2003, and can attempt to retrieve, download, and finally execute a Trojan to steal credit card numbers and other personal account information.

Name:
W32/Sobig.f@MM
What it does: When it propagates, the worm "spoofs" the From: field, using one of the harvested email addresses, so exercise care when opening emails with attachments: an infected email can come from addresses you recognize.

Because it sends so many emails, a worm like Sobig also saps bandwidth and slows network performance. Worse, it can also open a port on the user's computer, leaving it exposed to attackers who can plant Trojans. These malicious programs often let unauthorized users remotely take over a system, steal personal information or use the infected PC to send spam.

Means of transmission: This worm propagates via email and network shares.
How to recognize: Common subject lines, attachment names and message content associated with W32/Sobig.f@MM emails:

Subject:

Your details
Re: Approved
Thank you!
Re: Your application
Re: Thank you!
Re: Wicked screensaver
Re: Details
Re: That movie
Re: Re: My details

Attachment:

your_document.pif
document_9446.pif
document_all.pif
application.pif
thank_you.pif
wicked_scr.scr
your_details.pif
movie0045.pif
details.pif

Body:

See the attached file for details
Please see the attached file for details

The worm copies itself onto an infected machine as:
C:\WINNT\WINPPR32.EXE

Who is at risk: All Microsoft Windows users.

W32/Nachi.worm (8/18/03)
This worm spreads by exploiting a vulnerability in Microsoft Windows. It scans the local subnet (port 135) for target machines. It sends an ICMP packet to potential victim machines, and upon a reply, sends the exploit data. Victim machines are instructed to download the worm via TFTP.

Name:
W32/Nachi.worm
What it does: This worm spreads by exploiting a hole in Microsoft Windows. It instructs a remote target system to download and execute the worm from the infected host. Once running, the worm terminates and deletes the W32/Lovsan.worm.a process and applies the Microsoft patch to prevent other threats from infecting the system through the same hole. When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.
Means of transmission: Victim machines are instructed to download the worm via TFTP
How to recognize: Irrespective of anti-virus detection, unless the system has been patched against MS03-026, it is susceptible to the buffer overflow attack from an infected host machine. An infected machine will send packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, they will cause a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine.

Applying the MS03-026 patch to the machine will prevent the RPC service from failing, in turn resolving these symptoms. It is very important that the machine is rebooted after the patch has been installed.

Who is at risk: All Microsoft Windows users.

W32/Lovsan.worm.a (8/16/03)
Also known as "Blaster" or "MSBlaster", Lovsan has quickly infected computers throughout the Internet. The worm takes advantage of a flaw in Windows NT, 2000 and XP operating systems to drop a malicious program on your computer.

Name:
W32/Lovsan.worm.a
What it does: Unlike typical computer viruses, which usually arrive as email attachments, Internet worms attack open communication ports on vulnerable systems, often without the operator's knowledge. By taking advantage of a vulnerability in Windows, the worm is able to spread without requiring any action on the part of the user.
Means of transmission: By taking advantage of a vulnerability in Windows, the worm is able to spread without requiring any action on the part of the user.
How to recognize: Generally, the Lovsan worm causes your system to reboot itself repeatedly every few minutes. Windows NT 4.0 and Windows 2000 systems may become unresponsive. Also, the file msblast.exe appears in the WINDOWS SYSTEM32 directory.
Who is at risk: Microsoft Windows NT, 2000, and XP users.

W32/Sobig.e@MM (6/27/03)
This variant is similar to W32/Sobig.d@MM. The worm propagates via email and over network shares. It contains its own SMTP engine for constructing outgoing messages. The virus is sent in a ZIP archive, allowing it to bypass extension blocking rules. However, this requires the end user to perform extra steps in order to actually execute the virus.

Name:
W32/Sobig.e@MM
What it does: The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine.

Similarly to W32/Sobig@MM, the outgoing messages constructed by the worm may have a closing quote omitted from the attachment filename. With certain mail servers, this may result in the loss of a character from the remaining filename, thus attachments may have a ".ZI" extension (as opposed to ".ZIP").

Means of transmission: This worm propagates via email and network shares.
How to recognize: The worm may arrive in an email with the following characteristics:

Body: Please see the attached zip file for details.
Attachment: your_details.zip (which contains details.pif)

* Note: This variant spoofs, or forges, the from address. Therefore the perceived sender is likely not a pointer to the infected user.

- Presence of the file winssk32.exe in the WINDOWS (%WinDir%) directory
- System listening on UDP Ports 995 - 999

Who is at risk: All Microsoft Windows users.

Bugbear.b is on the prowl (6/5/03)
A new variation of the Bugbear worm is spreading rapidly across the Internet. Bugbear.b (w32.bugbear.b@mm) is similar to the original in that it spreads by e-mail or shared network files, attempts to shut down popular antivirus and firewall apps, and opens a port on infected computers for remote administration.

Name:
Bugbear.b (w32.bugbear.b@mm)
What it does: Installs a keystroke-logging Trojan horse on your PC. Bugbear also attempts to terminate any active antivirus and firewall software. The worm installs a keystroke-logging app in the Windows System directory. The keystroke-logging app uses a random name that contains seven characters followed by .dll. Finally, the worm opens TCP port 1080 to listen for additional commands or to allow a remote attacker access to the infected system.
Means of transmission: E-mail and shared network files.
How to recognize: Random e-mail with an .exe, .scr, or .pif attachment.
Who is at risk: Windows users who have not patched the I-Frame vulnerability.
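The host-side signs listed in the entries above (msblast.exe in SYSTEM32, WINPPR32.EXE and winssk32.exe in the Windows directory, UDP 995-999 listening, TCP 1080 listening next to a seven-character .dll, REGEDIT disabled, security products no longer running) can be checked in one sweep. The Python below is an added example, not code from this page or from any product: it works on an Inventory snapshot that an administrator fills in from the machine (directory listing, netstat output, process list), the demo snapshot is constructed, and the expected security-product process name in it is a placeholder.

```python
"""Sweep a host snapshot for the file, port and registry indicators named above.

Added example, not code from the original page or from any product. It inspects
an Inventory snapshot (what an administrator would collect with dir, netstat and
a process list) rather than the live machine, so it runs anywhere.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Dropped files the advisories name: (basename, directory it lives in, worm)
KNOWN_FILES = [
    ("msblast.exe",  "system32", "W32/Lovsan.worm.a"),
    ("winppr32.exe", "windir",   "W32/Sobig.f@MM"),
    ("winssk32.exe", "windir",   "W32/Sobig.e@MM"),
]
BUGBEAR_PORT = ("tcp", 1080)        # Bugbear.b listens here for remote commands
SOBIG_E_UDP = range(995, 1000)      # Sobig.e listens on UDP 995-999


@dataclass
class Inventory:
    windir: str                                 # e.g. C:\WINNT or C:\WINDOWS
    files: List[str]                            # full paths found on disk
    listening: Set[Tuple[str, int]]             # (proto, port) pairs in LISTEN state
    regedit_disabled: bool = False              # Swen disables REGEDIT.EXE
    expected_processes: Set[str] = field(default_factory=set)  # AV/firewall that should run
    running_processes: Set[str] = field(default_factory=set)


def _split(path: str) -> Tuple[str, str]:
    """Return (directory, basename), lower-cased, with backslash separators."""
    p = path.replace("/", "\\").lower()
    d, _, b = p.rpartition("\\")
    return d, b


def check_host(inv: Inventory) -> List[str]:
    """Return one finding string per indicator that matched; empty list if clean."""
    findings: List[str] = []
    windir = inv.windir.replace("/", "\\").lower().rstrip("\\")
    system32 = windir + "\\system32"
    seven_char_dlls: List[str] = []

    for path in inv.files:
        d, b = _split(path)
        for name, where, worm in KNOWN_FILES:
            if b == name and d == (system32 if where == "system32" else windir):
                findings.append(f"{worm}: {path} present")
        # Bugbear.b's keylogger is a random 7-character name plus .dll in the system
        # directory; legitimate 7-character DLLs exist, so this only corroborates
        if d == system32 and re.fullmatch(r"[a-z0-9]{7}\.dll", b):
            seven_char_dlls.append(path)

    if BUGBEAR_PORT in inv.listening:
        findings.append("Bugbear.b: TCP 1080 listening for remote commands")
        if seven_char_dlls:
            findings.append("Bugbear.b: 7-character .dll in system directory: "
                            + ", ".join(seven_char_dlls))

    udp_hits = sorted(p for proto, p in inv.listening
                      if proto == "udp" and p in SOBIG_E_UDP)
    if udp_hits:
        findings.append(f"W32/Sobig.e@MM: UDP {udp_hits} listening")

    if inv.regedit_disabled:
        findings.append("W32/Swen@MM: REGEDIT.EXE execution disabled")

    missing = inv.expected_processes - inv.running_processes
    if missing:
        findings.append("security product not running (Swen and Bugbear.b kill AV): "
                        + ", ".join(sorted(missing)))
    return findings


def demo_inventory() -> Inventory:
    """Constructed snapshot of a machine hit by several of the worms above."""
    return Inventory(
        windir="C:\\WINNT",
        files=["C:\\WINNT\\WINPPR32.EXE",
               "C:\\WINNT\\system32\\msblast.exe",
               "C:\\WINNT\\system32\\shell32.dll",    # legitimate 7-char DLL
               "C:\\WINNT\\system32\\kqzpt7a.dll"],   # constructed random name
        listening={("tcp", 1080), ("udp", 997), ("tcp", 139)},
        regedit_disabled=True,
        expected_processes={"AVSCAN.EXE"},   # placeholder AV process name
        running_processes=set(),
    )


if __name__ == "__main__":
    for line in check_host(demo_inventory()):
        print(line)
```

The seven-character .dll rule is deliberately reported only when TCP 1080 is also open, and even then it lists legitimate files such as shell32.dll alongside the suspicious one; compare that list against a known-good inventory of the system directory before acting on it.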

The worm Sobig.C takes off for its one-week run (06/2/03)
Sobig.C is loose on the internet and has spread to over 80 countries since its release on May 31, 2003. Sobig.C (w32.sobig.c@mm) is a variant of the Sobig worm and arrives by e-mail with an attached file; it also spreads using shared network files. But Sobig.C is self-terminating and will only spread until June 8, 2003.

Name:
Sobig.c (w32.sobig.c@mm)
What it does: Attempts to spread via e-mail and shared network files
Means of transmission: E-mail and shared file networks
How to recognize: Attached file has a .pif or .pi extension. Sobig.c arrives via e-mail or shared network file. The e-mail appears to be from someone you might know, but this address is spoofed. The e-mail's subject line may include one of the following:

Approved
Re: 45443-343556
Re: Application
Re: Approved
Re: Movie
Re: Screensaver
Re: Submited (004756-3463)
Re: Your application

Who is at risk: Windows users
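The message characteristics listed for W32/Sobig.f@MM, W32/Sobig.e@MM, Bugbear.b and Sobig.c above (subject lines, body text, .pif/.scr/.exe attachments, a .zip wrapping a .pif, and the truncated .zi/.pi extensions) can be turned into a gateway filter. The Python below is an added example, not code from this page or from any vendor: the Message structure is assumed (a real gateway would parse the MIME message), the sample message is constructed from values on the page, and the rule that a known subject line alone is not enough to quarantine is my design choice, since "Re: Approved" or "Thank you!" also occur in ordinary mail.

```python
"""Gateway filter for the Sobig/Bugbear-style mail described above.

Added example, not code from the original page or from any vendor. The Message
structure is assumed (a real gateway would parse the MIME message); the subject
lines, body text and extensions are the ones the advisories list.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Subject lines listed for W32/Sobig.f@MM and Sobig.c (compared lower-cased)
KNOWN_SUBJECTS = {
    "your details", "re: approved", "thank you!", "re: your application",
    "re: thank you!", "re: wicked screensaver", "re: details", "re: that movie",
    "re: re: my details", "approved", "re: application", "re: movie",
    "re: screensaver", "re: 45443-343556", "re: submited (004756-3463)",
}
# Body text quoted for Sobig.f and Sobig.e
KNOWN_BODIES = {
    "see the attached file for details",
    "please see the attached file for details",
    "please see the attached zip file for details.",
}
EXEC_EXT = {".pif", ".scr", ".exe"}   # directly runnable attachment types on the page
# ".pi" / ".zi" appear when the worm omits the closing quote on the filename and a
# mail server drops the last character (Sobig.c, Sobig.e)
TRUNCATED_EXT = {".pi", ".zi"}


@dataclass
class Message:
    subject: str
    body: str
    attachment: Optional[str] = None                      # attachment filename
    zip_members: List[str] = field(default_factory=list)  # names inside a .zip


def _ext(name: str) -> str:
    m = re.search(r"(\.[A-Za-z0-9]+)$", name)
    return m.group(1).lower() if m else ""


def score_message(msg: Message) -> Dict[str, List[str]]:
    """Return matched indicators, split into text-only and attachment-based."""
    hits: Dict[str, List[str]] = {"text": [], "attachment": []}
    if msg.subject.strip().lower() in KNOWN_SUBJECTS:
        hits["text"].append(f"known worm subject line: {msg.subject!r}")
    if msg.body.strip().lower() in KNOWN_BODIES:
        hits["text"].append("known worm body text")
    if msg.attachment:
        ext = _ext(msg.attachment)
        if ext in EXEC_EXT:
            hits["attachment"].append(f"executable attachment ({ext})")
        elif ext in TRUNCATED_EXT:
            hits["attachment"].append(
                f"truncated extension ({ext}): malformed filename header")
        elif ext == ".zip":
            inner = [m for m in msg.zip_members if _ext(m) in EXEC_EXT]
            if inner:
                hits["attachment"].append(
                    "zip archive wrapping an executable: " + ", ".join(inner))
    return hits


def should_quarantine(msg: Message) -> bool:
    """Any attachment indicator is enough; text alone needs subject AND body,
    because 'Re: Approved' or 'Thank you!' also occur in ordinary mail."""
    hits = score_message(msg)
    return bool(hits["attachment"]) or len(hits["text"]) >= 2


if __name__ == "__main__":
    # Constructed sample, reusing values from the advisory
    sample = Message("Re: Your application", "See the attached file for details",
                     "application.pif")
    print(should_quarantine(sample), score_message(sample))
```

Because every one of these worms forges the From: address, a quarantined message should never trigger a bounce or a warning to the apparent sender; route the alert to the recipient's administrator instead.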

 
© 2001 Higher Learning Systems, Inc. All rights reserved.