Virus Bulletins
Latest update: 17 Nov 2003 at

Latest Virus Information
Norton/Symantec | McAfee | F-Secure | Sophos

Not sure about a threat? We'll be glad to check it out for you. Forward it to security@sdsltd.com with a word of explanation on how you received it. E-mails forwarded without explanation will be treated as a virus and deleted.



VIRUS BULLETIN
#65 - W32/Mimail aka PAYPAL
aka W32.Paylap@mm, I-Worm.Paylap, I-Worm.Mimail.c, W32/Mimail.C@mm, Mimail.C
(17 Nov 03)

From Network Associates: "This new variant of W32/Mimail.gen@MM attempts to steal credit card information by displaying a fake PayPal message as shown below. The user's information is stored in a file named ppinfo.sys, which is sent to four email addresses, hard-coded in the worm. (Access to these mailboxes is in the process of being blocked)." Read the entire McAfee bulletin under McAfee/Network Associates below:

  • F-Secure (also lists the variants in the wild)
  • McAfee/Network Associates
  • Norton/Symantec
  • Sophos: "W32/Mimail-I is a worm which spreads via email using addresses harvested from the hard drive of your computer. All email addresses found on your PC are saved in a file named el388.tmp in the Windows folder."
  • Article in ZDNet


VIRUS BULLETIN
#64 - Nachi/Welchia
(22 Aug 03)

Check one of the antivirus software companies below to find out about this worm and for remedial action. These sites also provide a link to the Microsoft patch.


VIRUS BULLETIN #63 - Blaster

aka W32/LoveSan.worm, Win32.Poka.B
(11 Aug 03, 14 Aug 03, 21 Aug 03, 22 Aug 03)

22 Aug 03 - Microsoft

21 Aug 03 -
Microsoft's website: "What You Should Know About the Blaster Worm and Its Variants"

11 Aug 03 - This worm does not arrive via e-mail. It spreads directly over the network, exploiting the Windows RPC/DCOM vulnerability described in Microsoft Security Bulletin MS03-026 through TCP port 135, so an unpatched Windows machine can be infected simply by being connected to the Internet. Apply the Microsoft patch and block port 135 at your firewall, then visit the following antivirus software companies to learn more about the worm and for removal instructions.

  • McAfee (aka Network Associates) - Called LoveSan virus by McAfee.
  • Norton/Symantec - Find fixes here for Blaster B and Blaster C. See Removal Instructions at end of Symantec pages.
  • F-Secure

VIRUS BULLETIN #62 - Bugbear
aka Bugbear.b@MM, I-Worm.Tanatos.b, Win32.Bugbear.B
(06 Jun 03)
  • McAfee - Check the list of some subject lines and attachment names
  • Norton/Symantec - Check out "Recommendations" and "Removal Instructions" towards the bottom of the page. Norton updated its virus definitions on 05 Jun 03, so you should update your antivirus software before retrieving e-mail.
  • F-Secure

Bugbear is back and spreading rapidly! See our Virus Bulletin #56 concerning its first strike. Read about the update of this malicious worm in these articles:

  • InformationWeek article says, in part: "Antivirus vendors are warning that a new version of an Internet worm that struck last year is poised to wreak havoc again. The BugBear.B worm, a descendant of the original BugBear, which struck fiercely last year, is being called a high-risk threat to corporate and home users by antivirus vendors. BugBear.B is a veritable Swiss-army knife of malicious code, packing a slew of apps designed to help the virus spread, disable security software, hide its path, and make off with confidential information." (InformationWeek, June 5, 2003)

  • Fox News article: "All it takes is one e-mailed copy of the virus entering a corporate network for havoc to ensue. Once inside, BugBear.B will spread throughout a network." (Fox News)
  • Yahoo-Reuters article: "BugBear Shuts down Stanford University Email"

Since we never know when a virus might hit, we recommend updating your virus definitions daily. If your software company has provided new definitions since the last time you checked, install them and restart your computer before retrieving e-mail.


VIRUS BULLETIN #61 - Fizzer
aka W32/Fizzer@MM, W32.HLLW.Fizzer@mm, Sparky
(15 May 03)

Learn more about this destructive worm and how to recognize it (particularly if it comes in an e-mail from someone you know). Visit one or more of the following sites, particularly if you use Internet Relay Chat (IRC) networks:

  • McAfee - View the e-mail sample on the McAfee page. "The worm arrives as an email attachment in various messages. The from address can be forged (or spoofed) from addresses on the victim machine, such that the apparent sender is not the actual sender. Message body and subject lines vary, as do attachment names. Attachments use standard executable extensions (.com, .exe, .pif, .scr)." (McAfee)
  • Norton/Symantec - "Is a mass-mailing worm that sends itself to all the contacts in the Windows Address Book. Contains a backdoor capability that uses mIRC to communicate with a remote attacker. [...] Attempts to terminate the processes of various antivirus programs if they are found to be active." (Norton/Symantec)
  • F-Secure - "A complex new worm is spreading. [...] Fizzer is a complex e-mail worm that appeared on May 8, 2003. The worm can spread itself in e-mails and in the Kazaa P2P (peer-to-peer) file-sharing network. The Fizzer worm contains a built-in IRC backdoor, a DoS (Denial of Service) attack tool, a data-stealing Trojan (uses external keylogger DLL), an HTTP server and other components. The worm has the functionality to kill the tasks of certain anti-virus programs. Additionally, the worm has automatic updating capabilities." (F-Secure)
  • ZDNet articles on Fizzer
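The vendor descriptions above all come down to the same warning: the worm arrives as an attachment whose name ends in an executable extension (.com, .exe, .pif, .scr), under a forged sender and a varying subject. The script below is an added example, not code from this bulletin or from any antivirus vendor, showing how a mail gateway or a cautious user could flag such attachments before they are opened. It uses only Python's standard library; the sample message, its sender and its attachment names are constructed for the demonstration, and the extensions beyond the four quoted by McAfee are added here as an assumption about what the same rule should catch.

```python
"""Flag e-mail attachments whose names end in executable extensions.

Added example, not code from the bulletin or from any antivirus vendor.
The sample message below is constructed for the demonstration.
"""
from __future__ import annotations

import email
from email import policy

# Extensions the bulletin quotes as used by Fizzer, plus a few other
# Windows-executable types that the same rule should catch (assumption).
EXECUTABLE_EXTENSIONS = {
    ".com", ".exe", ".pif", ".scr",          # quoted in the McAfee text
    ".bat", ".cmd", ".vbs", ".js", ".lnk",   # added here as an assumption
}


def attachment_names(raw_message: bytes) -> list[str]:
    """Return the filenames of all attachments in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def is_executable_name(filename: str) -> bool:
    """True if the name ends in an executable extension.

    The check is case-insensitive and looks only at the LAST extension, so
    'report.txt.exe' (the common double-extension trick) is flagged even
    though Windows Explorer may display it as 'report.txt'.  Trailing
    spaces and dots are stripped first because Windows ignores them when
    it decides how to open a file.
    """
    name = filename.rstrip(" .").lower()
    return any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def flag_message(raw_message: bytes) -> list[str]:
    """Return the attachment filenames in the message that look executable."""
    return [n for n in attachment_names(raw_message) if is_executable_name(n)]


# Constructed sample: one harmless text attachment and two executable-looking
# ones.  The sender address is forged in the way the bulletin describes; the
# addresses and filenames are invented for this example.
SAMPLE = (
    b"From: friend@example.com\r\n"
    b"To: you@example.com\r\n"
    b"Subject: Re: your file\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"See attached.\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; name=\"notes.txt\"\r\n"
    b"Content-Disposition: attachment; filename=\"notes.txt\"\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream; name=\"photo.jpg.scr\"\r\n"
    b"Content-Disposition: attachment; filename=\"photo.jpg.scr\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"TVo=\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=\"Report.PIF\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"TVo=\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for name in flag_message(SAMPLE):
        print("suspicious attachment:", name)
```

The check deliberately ignores the sender: as McAfee notes, the From address is harvested from a victim's machine and tells you nothing about where the mail really came from, which is why a message "from someone you know" is no reason to trust a .pif or .scr attachment. A filename test like this is a cheap first filter, not a substitute for current virus definitions.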

REMEMBER
Your antivirus software is only as effective as its last update, which YOU must perform. The latest definitions should be dated the current month. Buying your antivirus software recently does not mean it carries the latest virus definitions: the definitions on the disc are only as current as the day the disc was mastered for packaging, which could be several months before you bought it. It is your responsibility to update often (daily, before retrieving e-mail, is the best method), or as recommended by the manufacturer, by going to the manufacturer's site or using LiveUpdate.


Text from organizations as indicated - Page ©2003 Sherman Dynamics & Security Ltd.