| Date | Name | Description | Prevention, Solution, or Fix |
| 02/16/06 |
OSX.Leap.A
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
MacOS X 10.4:
OSX.Leap.A is a worm that spreads via the OSX iChat Messenger application. No infections have been reported across campus, although this worm has received significant media attention as the first OSX worm.
If executed, the worm may cause some applications to become unstable and will spread to accounts found in the machine's iChat contact list.
According to Symantec and Trend Micro, this worm only infects OS X 10.4. See their write-ups for more details.
|
Norton Anti-Virus users: Upgrade your definition file to 02/16/2006 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Try using Symantec's manual removal instructions to clean systems of this infection.
NOTE: It infects files on Mac OS X version 10.4. The worm will execute on Intel Macs, but cannot spread to other systems from these machines. |
| 01/17/06 |
W32.Blackmal.E
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win2000/XP/Server2003:
W32.Blackmal.E is a mass-mailing worm with a dangerous, delayed payload. Only a few infections have been reported across campus.
The worm arrives via email and, if executed, will email itself to all entries found on the machine. On the 3rd of every month (Feb 3rd, Mar 3rd, etc.) it will overwrite all files with the following extensions: .doc, .xls, .ppt, .pdf, .mdb, .mde, .pps, .zip, .rar, .psd, and .dmp.
Emails generated by the worm will forge the "From:" address, and have one of several different subjects, message bodies, and attachment names.
|
Symantec Anti-Virus users: Upgrade your definition file to 01/17/2006 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Symantec has released a removal tool for W32.Blackmal.E which should be sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions. |
| 11/22/05 |
W32.Sober.X
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win2000/XP/Server2003:
W32.Sober.X is a mass-mailing worm that has spread on campus.
The worm arrives via email (written in German or English) with a randomly named attachment, which, if executed, will email itself to all entries found on the machine and lower security settings.
Emails generated by the worm will forge the "From:" address, and have one of several different subjects and message bodies.
|
Symantec Anti-Virus users: Upgrade your definition file to 11/19/2005 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions, or you can download the PC definitions in an executable format.
Symantec has released a removal tool for W32.Sober.X which should be sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions. |
| 8/18/05 |
W32.Zotob.E
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win2000/XP/Server2003:
W32.Zotob.E is a network-aware worm that has spread worldwide rather quickly.
The worm exploits the Windows Plug-n-Play vulnerability that was recently announced. It opens a backdoor and attempts to spread to other vulnerable machines using a complex algorithm.
|
Symantec Anti-Virus users: Upgrade your definition file to 08/16/2005 rev 25 (y) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 8/18/05 |
W32.Esbot.A
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win2000/XP/Server2003:
W32.Esbot.A is a network-aware worm that has spread worldwide rather quickly.
The worm exploits the Windows Plug-n-Play vulnerability that was recently announced. It opens a backdoor and attempts to spread to other vulnerable machines on internal and external networks across the internet.
|
Symantec Anti-Virus users: Upgrade your definition file to 08/16/2005 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 8/12/05 |
W32.Beagle.CE / Trojan.Tooso.L
More info: Symantec, F-Secure, Network Associates, Trend Micro |
Win9x/NT/ME/2000/XP:
W32.Beagle.CE is a mass mailing worm that opens a back door on TCP port 80. The worm also contains a Trojan horse, Trojan.Tooso.L, which interferes with the operation of security software by ending processes, stopping services, removing registry entries, and deleting files.
Emails generated by the worm will forge the "From:" address, have a blank Subject, and have one of the following attachments:
- Taxes.zip
- The_taxation.zip
- The_reporting_of_taxes.zip
- Work and taxes.zip
- Increase_in_the_tax.zip
- To_reduce_the_tax.zip
|
Symantec Anti-Virus users: Upgrade your definition file to 08/12/2005 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 5/02/05 |
W32.Sober.O
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Sober.O is a mass mailing worm that has spread worldwide rather quickly.
The worm arrives via an email message written in either German or English with a randomly named attachment, which, if executed, will email itself to all entries found on the machine.
Emails generated by the worm will forge the "From:" address, and have random subjects and message bodies.
|
Symantec Anti-Virus users: Upgrade your definition file to 05/02/2005 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Symantec has released a removal tool for W32.Sober.O which is sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions. |
| 2/17/05 |
W32.Mydoom.AX
More info: Symantec, F-Secure, McAfee, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Mydoom.AX is a mass mailing worm that has spread worldwide and has been reported on campus.
The worm arrives via an email message with an attachment which, if executed, will open a backdoor on the infected machine. It also sends mail to addresses that it retrieves from the infected computer. The subject, attachment name and attachment size all vary. The From: field will be spoofed.
See the W32.Mydoom.AX page for more detailed information. |
Symantec Anti-Virus users: Upgrade your definition file to 2/16/2005 revision 24 (x) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 12/15/04 |
W32.Erkez.D
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Erkez.D is a mass mailing worm that has spread worldwide.
The worm arrives via an email message appearing to be a Christmas greeting.
Once the included attachment is executed, the worm will lower security settings, terminate processes, and open a back door on the compromised computer.
See the W32.Erkez.D page for more detailed information. |
Symantec Anti-Virus users: Upgrade your definition file to 12/14/2004 revision 9 (i) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 11/09/04 |
W32.Mydoom.AH (& .AI)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Symantec (.AI) |
Win9x/NT/ME/2000/XP:
W32.Mydoom.AH and .AI are two mass mailing worms that have spread worldwide.
These worms utilize a combination of social engineering and an exploit for an unpatched Internet Explorer vulnerability to infect machines. They also open a backdoor on TCP port 1639.
The worm arrives via an email message with an HTML-formatted message body that asks the user either to view photos or to confirm a PayPal transaction.
See the W32.Mydoom.AH page for more detailed information. |
Symantec Anti-Virus users: Upgrade your definition file to 11/09/2004 revision 9 (i) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 10/29/04 |
W32.Beagle.AW
More info: Symantec |
Win9x/NT/ME/2000/XP:
W32.Beagle.AW is a mass mailing worm that has spread quickly.
The worm arrives via an email message with an attachment, which, if executed, will email itself to all entries found on the machine.
The worm sends itself as an email with a subject of either
• Re:
• Re: Hello
• Re: Hi
• Re: Thank you!
• Re: Thanks :)
The emails will also contain an attachment of either
• Price
• price
• Joke
The worm also opens a backdoor on TCP port 81. This could allow remote attackers to access infected machines.
See the W32.Beagle.AW page for more detailed information. |
Symantec Anti-Virus users: Upgrade your definition file to 10/29/2004 revision x (24) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 5/3/04 |
W32.Sasser.B.Worm
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win2000/XP:
W32.Sasser.B.Worm is a worm (very similar to Sasser.Worm) that spreads by scanning randomly chosen IP addresses for machines vulnerable to the LSASS exploit. This worm and a couple of its variants have quickly spread worldwide (beginning early May 1st).
W32.Sasser.Worm starts an FTP server on TCP port 5554 and generates traffic on TCP ports 445 and 9996. It also starts 128 network scanning processes, most likely causing severe degradation in system performance.
|
Symantec Anti-Virus users: Upgrade your definition file to 05/02/2004 revision 38 (al) or later. Be sure to update your definitions as soon as possible.
Make sure you apply the appropriate MS04-11 patch to protect against attacks seeking to exploit this vulnerability.
To prevent machines from being infected or targeted, you must install the patch for the LSASS vulnerability. The patch can be downloaded from the following sites:
Windows 2000
Windows XP
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 5/3/04 |
W32.Sasser.Worm
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win2000/XP:
W32.Sasser.Worm is a worm that spreads by scanning randomly chosen IP addresses for machines vulnerable to the LSASS exploit. This worm and a couple of its variants have quickly spread worldwide (beginning early May 1st).
W32.Sasser.Worm starts an FTP server on TCP port 5554 and generates traffic on TCP ports 445 and 9996. It also starts 128 network scanning threads, most likely causing severe degradation in system performance.
|
Symantec Anti-Virus users: Upgrade your definition file to 05/02/2004 revision 38 (al) or later. Be sure to update your definitions as soon as possible.
Make sure you apply the appropriate MS04-11 patch to protect against attacks seeking to exploit this vulnerability.
To prevent machines from being infected or targeted, you must install the patch for the LSASS vulnerability. The patch can be downloaded from the following sites:
Windows 2000
Windows XP
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 4/28/04 |
LSASS vulnerability
More info: Microsoft |
WinNT/2000/XP:
Recently, machines not patched with the MS04-11 patch have been attacked.
Machines without the patch that have been attacked are popping up a message window saying that the LSASS service has been shut down and the machine will reboot in 60 seconds. The machine will then constantly reboot unless it is disconnected from the network.
There is a marked increase in the amount of network traffic seen on the following ports:
TCP 135, 139, 445, 1025, 1433, 2745
We currently do not have reports of any backdoor programs being installed when a machine exhibits the above behavior. |
Symantec Anti-Virus users: Upgrade your definition file to the latest definitions. Be sure to update your definitions often and as soon as possible, because it is likely that automated worms will soon be written to exploit this vulnerability.
Make sure you apply the appropriate MS04-11 patch to protect against attacks seeking to exploit this vulnerability.
To prevent machines from being infected or targeted, you must install the patch for the LSASS vulnerability. The patch can be downloaded from the following sites:
Windows 2000
Windows XP
If a machine is compromised at the system level by a worm that exploits LSASS, such as Sasser, we recommend a full system format.
Formatting is the only way to completely ensure network and data security after a compromise such as this. |
| 4/28/04 |
W32.Netsky.AB
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Netsky.AB is a mass mailing worm that has spread worldwide rather quickly.
The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine.
Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and randomly named attachments. |
Symantec Anti-Virus users: Upgrade your definition file to 04/28/2004 revision 9 (i) or later. Be sure to update your definitions as soon as possible.
This variant of Netsky doesn't open any backdoors (so a removal tool should suffice), but Symantec hasn't created a removal tool for this variant yet. Until they do, follow their manual removal instructions. |
| 4/28/04 |
W32.Beagle.X
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Beagle.X is a mass mailing worm that has spread quickly.
The worm arrives via an email message with an attachment, which, if executed, will email itself to all entries found on the machine.
The worm sends itself as an email with a random subject, body, and attachment.
The worm also opens a backdoor. This could allow remote attackers to access infected machines.
See the W32.Beagle.X page for more detailed information. |
Symantec Anti-Virus users: Upgrade your definition file to 04/28/2004 revision al (38) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 4/27/04 |
W32.Beagle.W
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Beagle.W is a mass mailing worm that has spread quickly.
The worm arrives via an email message with an attachment, which, if executed, will email itself to all entries found on the machine.
The worm sends itself as an email with a random subject, body, and attachment.
The worm also opens a backdoor. This could allow remote attackers to access infected machines.
See the W32.Beagle.W page for more detailed information. |
Symantec Anti-Virus users: Upgrade your definition file to 04/26/2004 revision az (52) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 4/20/04 |
W32.Netsky.Y
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Netsky.Y is a mass mailing worm (very similar to Netsky.X) that has spread worldwide rather quickly.
The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine.
Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and randomly named attachments.
The worm also opens a backdoor on TCP port 82. This could allow remote attackers to access infected machines. |
Symantec Anti-Virus users: Upgrade your definition file to 04/21/2004 revision 35 (ai) or later. Be sure to update your definitions as soon as possible.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 4/20/04 |
W32.Netsky.X
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Netsky.X is a mass mailing worm that has spread worldwide rather quickly.
The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine.
Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and randomly named attachments.
The worm also opens a backdoor on TCP port 82. This could allow remote attackers to access infected machines. |
Symantec Anti-Virus users: Upgrade your definition file to 04/21/2004 revision 17 (q) or later. Be sure to update your definitions as soon as possible.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 4/15/04 |
W32.Gaobot.ZX
More info: Symantec |
Win9x/NT/ME/2000/XP:
W32.Gaobot.ZX is a worm/backdoor that has spread rather quickly and has hit parts of campus.
The worm spreads by exploiting various Windows vulnerabilities and through network shares with weak passwords. |
Symantec Anti-Virus users: Upgrade your definition file to 04/13/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 4/05/04 |
W32.Sober.F
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Sober.F is a mass mailing worm that has spread worldwide rather quickly.
The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine.
Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and randomly named attachments.
|
Norton Anti-Virus users: Upgrade your definition file to 04/04/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Symantec has released a removal tool for W32.Sober.F which is sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions. |
| 3/29/04 |
W32.Netsky.Q
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Netsky.Q is a mass mailing worm that has spread worldwide rather quickly.
The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine.
Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and randomly named attachments.
The worm also uses the three-year-old "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability to cause unpatched systems to auto-execute the worm when reading or previewing an infected message. |
Norton Anti-Virus users: Upgrade your definition file to 03/28/2004 revision 50 (ax) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Symantec has released a removal tool for W32.Netsky.Q which is sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions. |
| 3/26/04 |
W32.Beagle.U
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Beagle.U is a mass mailing worm that has spread quickly.
The worm arrives via an email message with an .exe attachment, which, if executed, will email itself to all entries found on the machine.
The worm sends itself as an email with a blank subject and body and a randomly named attachment.
The worm also opens a backdoor on TCP port 4751. This could allow remote attackers to access infected machines.
See the W32.Beagle.U page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 03/26/2004 revision g (7) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 3/22/04 |
W32.Netsky.P
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Netsky.P is a mass mailing worm that has spread rather quickly.
The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine.
Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and randomly named attachments that end in .pif. |
Norton Anti-Virus users: Upgrade your definition file to 03/22/2004 revision 7 (g) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Symantec has released a removal tool for W32.Netsky.P which is sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions. |
| 3/22/04 |
W32.Witty.Worm
More info: Symantec, F-Secure, Network Associates, Trend Micro |
Win9x/NT/ME/2000/XP:
W32.Witty.Worm is a memory-resident automated worm that spreads through networks and specifically attacks only machines running vulnerable versions of BlackIce firewall software. It has attacked a couple of campus machines running BlackIce.
See the W32.Witty.Worm page for more detailed information. |
Norton Anti-Virus users: Since this worm is memory-resident and doesn't create any files on the hard drive, virus definitions won't detect it.
If possible (the worm overwrites random sectors of the hard drive), follow Symantec's manual removal instructions. |
| 3/13/04 |
W32.Beagle.M
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Beagle.M is a mass mailing worm that has spread quickly.
The worm arrives via an email message with a .pif, .rar, or .zip attachment, which, if executed, will email itself to all entries found on the machine.
Emails generated by the worm will forge the "From:" address, and will have subjects and message bodies that make the email appear like a legitimate message from the recipient's mail server administrator.
The worm also opens a backdoor on TCP port 2556. This could allow remote attackers to access infected machines.
See the W32.Beagle.M page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 03/13/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 3/09/04 |
W32.Netsky.K
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Netsky.K is a mass mailing worm that has spread rather quickly.
The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine.
Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and randomly named attachments that end in .pif.
See the W32.Netsky.K page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 03/08/2004 revision 18 (r) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Symantec has released a removal tool for W32.Netsky.K which is sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions. |
| 3/08/04 |
W32.Sober.D
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Sober.D is a mass mailing worm that is spreading around the world.
The worm arrives via an email message with a .exe or .zip attachment, which, if executed, will email itself to all entries found on the machine.
Emails generated by the worm purport to be from Microsoft, and will have subjects and message bodies that urge the user to open the attachment to patch against the MyDoom virus.
See the W32.Sober.D page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 03/08/2004, revision 7 (g) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
To remove this worm, follow Symantec's removal instructions. |
| 3/03/04 |
W32.Beagle.K
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Beagle.K is a mass mailing worm that has spread quickly.
The worm arrives via an email message with a .pif or .zip attachment, which, if executed, will email itself to all entries found on the machine.
Emails generated by the worm will forge the "From:" address, and will have subjects and message bodies that make the email appear like a legitimate message from the recipient's mail server administrator.
The worm also opens a backdoor on TCP port 2745. This could allow remote attackers to access infected machines.
See the W32.Beagle.K page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 03/03/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 3/01/04 |
W32.Netsky.D
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Netsky.D is a mass mailing worm that has spread rather quickly.
The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine.
Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and attachments.
See the W32.Netsky.D page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 03/01/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Symantec has released a removal tool for W32.Netsky.D which is sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions. |
| 3/01/04 |
W32.Beagle.E
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Beagle.E is a mass mailing worm that has spread rather quickly.
The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine.
The worm also opens a backdoor on TCP port 2745. This could allow remote attackers to access infected machines.
See the W32.Beagle.E page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 02/28/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 2/25/04 |
W32.Netsky.C
More info: Symantec, F-Secure, Network Associates, Trend Micro |
Win9x/NT/ME/2000/XP:
W32.Netsky.C is a mass mailing worm that has spread rather quickly.
The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine.
See the W32.Netsky.C page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 02/25/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Run Symantec's removal tool. If you cannot download or run it, you can follow Symantec's manual removal instructions. |
| 2/24/04 |
W32.Mydoom.F
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos |
Win9x/NT/ME/2000/XP:
W32.Mydoom.F is a mass mailing worm that has spread worldwide.
The worm opens a backdoor listening on port 1080, may display a fake message, terminates several different processes, attempts a DoS on microsoft.com and riaa.com on specific days of the month, and randomly deletes files with the following extensions: .mdb, .doc, .xls, .sav, .jpg, .avi, .bmp.
The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine.
See the W32.Mydoom.F page for more detailed information. |
Symantec Anti-Virus users: Upgrade your definition file to 02/23/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 2/18/04 |
W32.Netsky.B
More info:
Symantec
F-Secure
Network Associates
Trend Micro
|
Win9x/NT/ME/2000/XP:
W32.Netsky.B is a mass mailing worm that has spread worldwide.
The worm arrives via an email message with a randomly named .exe attachment, which, if executed, will email itself to all entries found on the machine.
See the W32.Netsky.B page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 02/18/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Run Symantec's removal tool. If you cannot download or run it, you can follow Symantec's manual removal instructions. |
| 2/17/04 |
W32.Alua (Beagle.B)
More info:
Symantec
F-Secure
Network Associates
Trend Micro
|
Win9x/NT/ME/2000/XP:
W32.Alua, also known as W32.Beagle.B, is a mass mailing worm that has spread rapidly both on campus and worldwide.
The worm arrives via an email message with a randomly named .exe attachment, which, if executed, will email itself to all entries found on the machine. The worm also opens a backdoor on TCP port 8866. This could allow remote attackers to access infected machines.
See the W32.Alua / Beagle.B page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 02/17/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 2/16/04 |
W32.Welchia.B
More info:
Symantec
F-Secure
Network Associates
Trend Micro
|
Windows 2000/XP:
W32.Welchia.B is a mass mailing worm that has spread worldwide.
The worm spreads by utilizing the backdoor that is opened on machines infected with the W32.MyDoom (also known as W32.Novarg) worm. This could allow remote attackers to access infected machines.
See the W32.Welchia.B page for more detailed information. |
Symantec Anti-Virus users: Upgrade your definition file to 02/11/2004 (revision 23) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 1/26/04 |
W32.Novarg.A (Mydoom.A)
More info:
Symantec
F-Secure
Network Associates
Trend Micro
|
Win9x/NT/ME/2000/XP:
W32.Novarg.A, also known as W32.Mydoom.A, is a mass mailing worm that has spread worldwide very rapidly.
The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine. The worm also creates a backdoor by opening a listening thread on a port in the range of 3127 to 3198. This could allow remote attackers to access infected machines.
See the W32.Novarg.A page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 01/26/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 1/18/04 |
W32.Beagle.A
More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos
|
Win9x/NT/ME/2000/XP:
W32.Beagle.A is a mass mailing worm that initially began spreading very rapidly but has since died down.
The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine. W32.Beagle.A also creates a backdoor by opening a listening thread on port 6777. This could allow remote attackers to access infected machines.
See the W32.Beagle.A page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 01/18/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 12/18/03 |
Trojan.Sinkin
More info:
Symantec
Network Associates
Trend Micro
Sophos
|
Win9x/NT/ME/2000/XP:
Trojan.Sinkin is a trojan/worm that has begun spreading on campus.
Trojan.Sinkin attempts to spread by sending a hyperlink to contacts on a user's AOL Instant Messenger (AIM) Buddy List.
When the link is visited with an unpatched version of IE, exploit code will download and install the trojan/worm.
See the Trojan.Sinkin page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 10/14/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
To remove the virus, follow Symantec's removal instructions. |
| 10/31/03 |
W32.Mimail.C
More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos
|
Win9x/NT/ME/2000/XP:
W32.Mimail.C is a worm that has spread worldwide and has appeared on campus.
The worm attempts to spread through email via an attachment named photos.zip and the subject "Re[2]: our private photos [random string of letters]".
When the attachment is executed, the worm will copy itself to the hard drive, create a registry entry, and mail itself to addresses it finds in files with various extensions.
See the W32.Mimail.C page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 10/31/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
To remove the virus, run Symantec's removal tool.
If the tool fails, follow Symantec's manual removal instructions. |
| 10/02/03 |
Trojan.Qhosts
More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos
|
Win9x/NT/ME/2000/XP:
Trojan.Qhosts is a trojan that has spread worldwide and has appeared on campus.
The trojan spreads to a machine when a user browses to a website that contains viral HTML code written to exploit a vulnerability in Internet Explorer. For more information and a patch for this vulnerability, see Microsoft's write-up.
When an infected HTML page is opened, the trojan will change DNS settings, modify several registry keys and make modifications to the local "Hosts" file.
For a complete listing of the worm's activities, see the Characteristics section on the full Trojan.Qhosts write-up.
See the Trojan.Qhosts page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 10/02/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
NOTE: There is now a patch for the vulnerability this trojan exploits. Please make sure you install it.
To remove the virus, run Symantec's removal tool.
If the tool fails, follow Symantec's manual removal instructions. |
| 9/19/03 |
W32.Swen.A@mm
More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos
|
Win9x/NT/ME/2000/XP:
W32.Swen.A@mm is a mass mailing worm that has spread worldwide and has appeared on campus.
The worm attempts to spread via email with a randomly named attachment or via KaZaA, IRC, Network Shares, or newsgroups.
If executed, the worm will email itself to addresses it finds on the local machine, terminate a large number of anti-virus and security programs, modify and add several registry keys and drop itself and a couple of other files onto the hard drive. For a complete listing of the worm's activities, see the Characteristics section on the full W32.Swen.A write-up.
Please Note: The worm spoofs the From: address on the messages it sends to make the messages appear to be coming from Microsoft or to look like bounce-back messages. Be sure to examine a message's full headers to determine where it originated. NOTE: The Return-Path field is not forged. You may use this value from the full headers in helping track down infected machines.
See the W32.Swen.A@mm page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 09/19/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
To remove the virus, try running Symantec's removal tool.
If the tool fails to run, follow step 4 (a-f) of Symantec's removal instructions, and then try running the tool. If the tool still fails to run, you'll need to follow Symantec's manual removal instructions linked just above. |
| 8/20/03 |
W32.Squirm@mm
More info:
Symantec
|
Win9x/NT/ME/2000/XP:
W32.Squirm@mm is a mass mailing worm that has appeared on parts of campus in large volumes today (Aug 20).
The worm attempts to spread via email with an attachment named either patch.zip or patch_329390.exe. If executed, the worm will open and listen on port 61282 as well as send itself to all the email addresses it finds in the user's Outlook address book. The worm also tries to spread through file sharing applications and propagates through IRC using DCC.
Please Note: The worm spoofs the From: and Return-Path: addresses on the messages it sends to make the messages look like they are coming from support@microsoft.com. Be sure to examine a message's full headers to determine where it originated.
See the W32.Squirm@mm page for more detailed information. |
Norton Anti-Virus users: Upgrade your definition file to 08/20/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise by opening a port, we recommend a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 8/20/03 |
W32.Welchia.Worm
More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos
|
Windows 2000 and XP:
W32.Welchia.Worm is a worm that has spread worldwide.
The worm attempts to spread by exploiting two different Windows vulnerabilities (DCOM RPC and WebDav; more information on the full write-up page).
See the W32.Welchia.Worm page for more detailed information. |
Symantec Anti-Virus users: Upgrade your definition file to 08/18/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 8/19/03 |
W32.Sobig.F@mm
More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos
|
Win9x/NT/ME/2000/XP:
W32.Sobig.F is a mass mailing worm that has spread worldwide.
The worm attempts to spread via email (with an attachment ending in either .pif or .scr) and via write-accessible network shares. If executed, the worm sends itself to all the email addresses it finds in files with the following extensions: .wab, .dbx, .htm, .html, .hlp, .mht, .eml, and .txt.
Please Note: The worm spoofs the From: and Return-Path: addresses on the messages it sends. Be sure to examine a message's full headers to determine where it originated.
See the W32.Sobig.F page for more detailed information. |
Symantec Anti-Virus users: Upgrade your definition file to 08/19/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
To remove the virus see Symantec's W32.Sobig.F Removal Tool page where you can download their removal tool and read about it as well.
If for any reason you cannot obtain or run the tool linked above, you must remove the worm manually. |
| 8/12/03 |
W32.Blaster.Worm
More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos
SANS
|
WinNT/2000/XP/Server 2003:
W32.Blaster.Worm is a worm that has been spreading rapidly and exploits the DCOM RPC vulnerability.
There have been several reports of this worm appearing on campus and it is spreading on a wide scale in the wild.
See the W32.Blaster.Worm page for more detailed information. |
Symantec Anti-Virus users: Upgrade your definition file to 08/11/2003 version number 50811s, also known as August 11, 2003 rev 19, or greater. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.
Given that the worm gives full administrator access to compromised systems, we are recommending a full system format for infected machines.
This is the only way to completely ensure network and data security after a compromise such as this. |
| 8/01/03 |
W32.Mimail.A@mm
More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos
|
Win9x/NT/ME/2000/XP:
W32.Mimail.A is a mass mailing worm that arrives via an email attachment named Message.zip. When the message is viewed, it will attempt to exploit a Windows vulnerability (patch found here) to create a copy of the worm named Foo.exe in the Temporary Internet Files folder (this behavior will also be seen if a user clicks the attachment). Then it |