Not sure about a threat? We'll be glad to check it out for you. Forward it to security@sdsltd.com with a word of explanation on how you received it. E-mails forwarded without explanation will be treated as a virus and deleted.
VIRUS BULLETIN #46 - NIMDA - AND E-mail Claiming To Fix the Virus (9 Oct 01 Update) - (18 Sep 2001, Updates: 24 Sep 2001, 9 Oct 2001, 15 Nov 01)

- This e-mail attachment worm was discovered today, 18 September 2001. It might come from someone you know, without a subject line and with an attachment "readme.exe." It uses multiple means to spread itself. DO NOT OPEN, trash immediately. Read the F-Secure quote, it is an interesting twist on an old problem.
- McAfee
- What is a Superworm? (added 15 Nov 01)
- Norton/Symantec - "Users visiting compromised Web servers will be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment."
- F-Secure/Data Fellows - "Nimda is the first worm to modify existing web sites to start offering infected files for download. Also it is the first worm to use normal end user machines to scan for vulnerable web sites. This technique enables Nimda to easily reach intranet web sites located behind firewalls - something worms such as Code Red couldn't directly do."
- 'Nimda' Computer Worm Hits Worldwide - Yahoo! News, 18 Sep 01
- Viruses Are Getting Faster, Tougher - CNN, 21 Sep 01
- UPDATE, 9 OCTOBER 2001: We received the following item in an InfoWar.com security bulletin: "SecurityFocus.com just released a warning that an e-mail message claiming to come from the SecurityFocus ARIS Analyst Team and TrendMicro is being used to propagate a trojan horse. The spoofed e-mail message contains an executable attachment named FIX_NIMDA.exe that actually installs malware on your computer. The SecurityFocus warning and a copy of the spoofed email are available here." (Source:
PLEASE NOTE: Sherman Dynamics & Security Ltd. does NOT offer any files for download on our site. If you encounter any such files on the SDSL site, they are unauthorized and we would appreciate your notifying us of them at warning@sdsltd.com. Thank you.
- Please read again our Words of Caution
VIRUS BULLETIN #47 - VOTE VIRUS aka WTC.exe - (24 September 2001)

- See subject line, text and name of attachment in Yahoo article below.
- McAfee
- Norton/Symantec
- Virus Uses Tragedy To Hook Victims - CBS Marketwatch, 24 Sep 01
- New "war vote" virus deletes computer files - Yahoo! Finance, 24 Sep 01 - Excerpts:
- "When the attachment entitled ``WTC.exe'' is opened, the virus tries to delete all the files on the computer's hard drive and sends copies of the e-mail to every address listed in the computer's address book, he said. The virus also defaces any Web pages that are hosted by an infected computer to read: "America ... few days will show you what we can do!!! It's our turn >>> ZaCker is so sorry for you,'' according to Perry."
- "The virus appears with the subject line: "Peace between America and Islam!" and the body of the e-mail reads: "Hi. Is it a war against America or Islam!? Let's vote to live in peace!""
- "Virus writers have discovered that they can easily dupe people into opening emails by appealing to their prurient interests. For example, popular viruses have purported to be photos of naked women or love letters, like the ``I Love You'' virus that caused an estimated $8.7 billion in global damage last year. Researchers are worried that the new, dangerous virus might spread quickly because of its supposed relation to the debate over U.S. retaliation for the attacks. "We feel this is likely to get quite a high pickup in that a lot of people are going to click on this," Perry said. "If the news about this doesn't get out before people get their e-mails, they're at risk.""
VIRUS BULLETIN #48 - BINLADEN - (25 Oct 2001)

- From Norton/Symantec: "The worm arrives as an attachment named Binladen_brasil.exe with a random subject line that makes a reference to the current situation in Afghanistan. The subject can be in a variety of different languages. The message body will be blank." Please read more about this virus/worm here:
VIRUS BULLETIN #49 - BADTRANS - (27 Nov 2001 - Updated 16 Dec 01, 02 Jan 02)

- Please read a WiredNews article about the Badtrans worm, a "retooled version of the Nimda worm":
- The worm replaces SirCam as No. 1. "The worm, dubbed "BadTrans.B" by antiviral application vendors, installs a piece of spy software on infected computers. This program attempts to record and relay private information such as user names and passwords to an e-mail address that is presumably accessible to the worm's author" (Wired News) "BadTrans.B is a retooled version of a worm that was first released in April." (Wired News) See Virus Bulletin #36 above.
- McAfee - Read carefully McAfee's description of this worm/virus and the explanation of the creation of the attachment name (several possibilities). This is important, because the worm's attachment is NOT named "Badtrans."
- Norton/Symantec
- F-Secure (Data Fellows) - Link to disinfection instruction at top of this F-Secure page
- Words of Caution (or "How to protect yourself against infection")
- Update 16 Dec 01: PWS-Gen.hooker and PWS-Hooker.plugin are new variants.
- Update 2 Jan 02: CERT® Incident Note IN-2001-14 (Carnegie Mellon Software Engineering Institute) - CERT provides direct links to many antiviral software sites where you can download a fix or find instructions for removal. Read it if you are interested in a more technical and detailed description. Note this sentence: "The address in the From: header will have a '_' prepended to the sender's email address." The many BadTrans viruses we received all had that underscore "_" before the sender's address.
VIRUS BULLETIN #50 - GONER Screensaver - AKA Pentagone, Gone (04 Dec 2001, Updated 05 Dec 2001)
- Please read a WiredNews article about the Goner which comes with an attachment alleging to be a screensaver. "The Goner worm arrives in an attachment masquerading as a screensaver, with an e-mail subject line of "Hi" and text that says: "How are you? When I saw this screen saver, I immediately thought about you I am in a harry (sic), I promise you will love it!" Once the user clicks on the attachment, the worm sends itself to everyone in the user's e-mail address book, tries to close programs that are running and deletes certain system files, including firewall and anti-virus software, said Hameroff." (WiredNews)
- McAfee: "McAfee.com has seen an OUTBREAK of computers infected with W32/Goner@MM, also known as Pentagone, Goner or Gone. This is a NEW, HIGH RISK virus that spreads via Microsoft Outlook email and ICQ instant messaging programs. This mass-mailing worm will arrive from someone you know."
- Norton/Symantec
- F-Secure (Data Fellows) - Link to disinfection instruction at top of this F-Secure page
- Panda Software
- Words of Caution (or "How to protect yourself against infection") - Please review these security precautions. As with most virus/worms, they will be arriving from someone you know (as stated above by McAfee).
- 05 Dec 01 Updates below:
- If you use the Instant Messenger program ICQ, the worm will also spread through this program.
- New York Times article, 05 Dec 01 (free subscription required to read the article) - "If that doesn't look like a virus, nothing does," scoffed David M. Perry, the global director of education for Trend Micro, a computer security company based in Tokyo. Despite extensive warnings, he said, people still open unexpected attachments. "They call and say, `I downloaded it and I clicked on it - what should I have seen?' " " `Your pink slip,' " he explained in a mock response, " `because you're an idiot.' "
VIRUS BULLETIN #51/51a/51b/51c - Klez, Klez.E, Klez.H - AKA Elkern, Twin Virus (31 Jan 02, Updated 19 Apr 02, 01 May 02, 08 Jul 02, 01 Oct 02)

- Please read the 18 Jan 02 ZDNet article on this worm. It provides the random subject lines chosen by the worm. Watch out for this worm coming from infected friends and acquaintances' e-mail.
- Norton/Symantec - "The worm attempts to disable some common antivirus products ..."
- F-Secure (Data-Fellows) - "In some systems the worm is able to self-launch itself when an infected e-mail is viewed (for example, with Outlook and IE 5.0 or 5.01)." (F-Secure) - added 19 Apr 02
- McAfee: Klez.H and Klez.E
- ZDNet - Why the Klez worm just won't go away - "What distinguishes Klez from other worms is that it carries a second virus, the Elkern virus. Thus, Klez is sometimes known as the "twin virus."" added 01 May 02
- Don't forget to visit Words of Caution (or "How to protect yourself against infection") - Please review these security precautions. As with most virus/worms, they will be arriving from people you know who may not be aware that they are infected.
- Added 8 July 2002 - Someone, using Sherman Dynamics return address of security_hb@sdsltd.com, is sending out a virus/worm - probably unbeknownst to that person who is probably infected with the Klez virus. We found this out when an e-mail was "returned" to us stating "addressee unknown." The subject was "A very powerful tool" and the text was a verse about trying the powerful tool that the sender was attaching.
- "Important Note: The e-mails sent by Klez.E worm often have faked sender's address. The worm randomly picks sender's address from web pages, ICQ databases or Windows Address Books. This means that if you get Klez.E worm in e-mail, it's quite likely that it was NOT sent to you by the person listed in the 'From' field of e-mail message (sender's address)." (from the F-Secure page)
VIRUS BULLETIN #52 - MY PARTY - (31 Jan 02)

- Please read the 18 Jan 02 Newsbyte article on this virus worm, "New e-mail virus is no party, virus fighters say." DO NOT CLICK on the link provided in the e-mail. It is an infected executable file posing as a clickable link such as this: www.myparty.yahoo.com. This worm reproduces via e-mail.
- Don't forget to visit Words of Caution (or "How to protect yourself against infection") - Please review these security precautions. As with most virus/worms, they will be arriving from people you know who may not be aware that they are infected.
VIRUS BULLETIN #53 - MY LIFE - (11 Mar 02)

- Please read the 10 Mar 02 ZDNet article on this virus worm, "MyLife worm tries to delete Windows files". w32.mylife@mm: "A worm posing as an old-fashioned photograph of a girl holding a flower is making the rounds on the Internet." (ZDNet)
- Don't forget to visit Words of Caution (or "How to protect yourself against infection") - Please review these security precautions. As with most virus/worms, they will be arriving from people you know who may not be aware that they are infected.
VIRUS BULLETIN #54 - I-Worm Japanize, aka W32/Fbound.c@MM - (14 Mar 02)

- "This is a pure mass-mailing worm. It does not carry any other, damaging, payload." (McAfee) Attachment name is "patch.exe."
- "Also Known As: W32.Dotjaypee@mm, W32/FBound.c@mm, WORM_FIDAO, WORM_FBOUND.B, FIDAO.A, FIDAO, W32/Fbound.b@MM, Win32/Japanize.Worm, I-Worm.Zircon.B" (Norton/Symantec)
- Don't forget to visit Words of Caution (or "How to protect yourself against infection") - Please review these security precautions. As with most virus/worms, they will be arriving from people you know who may not be aware that they are infected.
VIRUS BULLETIN #55 - W32/Frethem (15 Jul 02)

- MSNBC, 15 Jul 02: "A new computer virus with the tempting subject line "Re: Your password!" began worming its way around the Internet Monday. Dubbed "Frethem," the virus is rated a medium risk by most researchers because it is spreading relatively quickly. According to antivirus firm Symantec Corp., Frethem has already infected computers inside 25 companies since its initial discovery early Monday." (MSNBC, 15 Jul 02)
- From McAfee: "This mass-mailing worm gathers email addresses from Microsoft Outlook Express mailbox files (.DBX files), the Windows Address Book (.WAB file), .MBX, .EML, and .MDB files to send itself via SMTP using the following information:
- Subject: Re: Your password!
- Body: ATTENTION! You can access very important information by this password DO NOT SAVE password to disk use your mind now press cancel"
- Don't forget to visit Words of Caution (or "How to protect yourself against infection") - Please review these security precautions. As with most virus/worms, they will be arriving from people you know who may not be aware that they are infected.
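The BadTrans note above (the '_' prepended to the sender's address, per CERT IN-2001-14) and the Frethem description (fixed subject line "Re: Your password!", executable attachment) are the kind of header and attachment indicators a mail gateway can match on. The following is an added example, not code from SDSL or from any vendor quoted on this page: a small Python triage routine that parses RFC 822 messages with the standard library and reports which of the indicators quoted in these bulletins a message hits. The sample messages, their sender addresses and attachment names are constructed for the demo (the bulletins do not name the BadTrans or Frethem attachment files). As the Klez note on this page warns, the From: line is routinely forged, so the underscore check is treated as one indicator among several, never as proof of who sent the message.

```python
"""Added example: triage incoming mail against indicators quoted in the SDSL
virus bulletins. Sample messages below are constructed, not real captures."""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Attachment names and subject lines quoted in the bulletins on this page.
KNOWN_ATTACHMENTS = {
    "readme.exe": "Nimda (Bulletin #46)",
    "fix_nimda.exe": "spoofed 'fix' trojan (Bulletin #46 update)",
    "wtc.exe": "Vote virus (Bulletin #47)",
    "binladen_brasil.exe": "BinLaden worm (Bulletin #48)",
    "patch.exe": "Japanize / W32/Fbound.c (Bulletin #54)",
}
KNOWN_SUBJECTS = {
    "re: your password!": "Frethem (Bulletin #55)",
    "peace between america and islam!": "Vote virus (Bulletin #47)",
}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif")


def attachment_names(msg):
    """Filenames of every MIME part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def triage(raw):
    """Return a list of (indicator, source) findings for one raw message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject") or "").strip()
    addr = email.utils.parseaddr(str(msg.get("From") or ""))[1]
    attachments = attachment_names(msg)
    findings = []

    # BadTrans.B: CERT IN-2001-14 notes a '_' prepended to the sender's address.
    if addr.startswith("_"):
        findings.append(("from_underscore", "BadTrans.B (Bulletin #49, CERT IN-2001-14)"))

    # Attachment names quoted on the page, then any other executable attachment.
    for fn in attachments:
        known = KNOWN_ATTACHMENTS.get(fn.lower())
        if known:
            findings.append((f"attachment:{fn}", known))
        elif fn.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append((f"executable_attachment:{fn}", "unexpected executable attachment"))

    # Fixed subject lines quoted on the page (Frethem, Vote virus).
    known = KNOWN_SUBJECTS.get(subject.lower())
    if known:
        findings.append((f"subject:{subject}", known))

    # Nimda arrived with no subject line and an attachment.
    if not subject and attachments:
        findings.append(("blank_subject_with_attachment", "Nimda-style delivery (Bulletin #46)"))
    return findings


def build_sample(sender, subject, filename):
    """Construct a sample message (hypothetical addresses and file names)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.invalid"
    if subject is not None:
        m["Subject"] = subject
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"not a real binary", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: one per indicator pattern, plus a clean message.
SAMPLES = {
    "badtrans": build_sample("_alice@example.invalid", "Re: Hello", "document.pif"),
    "frethem": build_sample("bob@example.invalid", "Re: Your password!", "password.exe"),
    "nimda": build_sample("carol@example.invalid", None, "readme.exe"),
    "clean": build_sample("dave@example.invalid", "Lunch?", None),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

Run as a script it prints the findings for each constructed sample; in a real deployment `triage` would be called per message at the gateway and the findings logged or used to quarantine, with the indicator tables refreshed from the vendor pages the bulletins link to.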
VIRUS BULLETIN #56 - W32/Bugbear, W32/Tanatos (01 Oct 02)

- Because this virus/worm can affect your antiviral software, we suggest that you update your antiviral software online BEFORE retrieving e-mail, so that you have the latest version of virus definitions on your computer (See Note below). Norton users update online via LiveUpdate. Once you have updated, restart your system.
- There are so many ways that this might appear in your Inbox that we suggest you do not miss the F-Secure and McAfee sites (links below) for an easy overview of this virus/worm.
- Norton/Symantec: "W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs."
- F-Secure: "F-Secure is upgrading the Bugbear/Tanatos e-mail worm to Level 1 as it continues to spread rapidly. Currently it is the most widespread virus in the world together with Klez."
- Don't forget to visit Words of Caution (or "How to protect yourself against infection") - Please review these security precautions. As with most virus/worms, they will be arriving from people you know who may not be aware that they are infected.
- NOTE: Remember, your antiviral software is only as good as the last time you updated it (usually for free for one year after purchase) online. Buying it in February 2003, for instance, does not protect you against any virus occurring after the day the CD was sent to press (which could be months earlier). Some people update their antiviral software daily, before retrieving their e-mail.
- UPDATE: 06 Jun 2003, see Virus Bulletin #62