Penn Computing

Past Virus Alerts

Please note: This page contains information about older, now virtually non-existent, viruses.

Each entry gives the date and name of the threat, a description, and the prevention, solution, or fix.

OSX.Leap.A (02/16/06)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

MacOS X 10.4:
OSX.Leap.A is a worm that spreads via the Mac OS X iChat instant messaging application. No infections have been reported on campus, although the worm has received significant media attention as the first Mac OS X worm.

If executed, the worm may cause some applications to become unstable and will spread to accounts found in the machine's iChat contact list.

According to Symantec and Trend Micro, this worm only infects OS X 10.4. See their write-ups for more details.

Norton Anti-Virus users: Upgrade your definition file to 02/16/2006 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Follow Symantec's manual removal instructions to clean infected systems.

NOTE: It infects files only on Mac OS X 10.4. The worm will execute on Intel Macs but cannot spread from them to other systems.

W32.Blackmal.E (01/17/06)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win2000/XP/Server2003:
W32.Blackmal.E is a mass mailing worm with a dangerous, delayed payload. Only a few infections have been reported on campus.

The worm arrives via email and, if executed, emails itself to all email addresses found on the machine. On the 3rd of every month (Feb 3rd, Mar 3rd, etc.) it overwrites all files with the following extensions: .doc, .xls, .ppt, .pdf, .mdb, .mde, .pps, .zip, .rar, .psd, and .dmp.

Emails generated by the worm forge the "From:" address and use one of several different subjects, message bodies, and attachment names.

Symantec Anti-Virus users: Upgrade your definition file to 01/17/2006 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Symantec has released a removal tool for W32.Blackmal.E which should be sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions.

W32.Sober.X (11/22/05)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win2000/XP/Server2003:
W32.Sober.X is a mass-mailing worm that has spread on campus.

The worm arrives via email (written in German or English) with a randomly named attachment which, if executed, emails itself to all email addresses found on the machine and lowers security settings.

Emails generated by the worm forge the "From:" address and use one of several different subjects and message bodies.

Symantec Anti-Virus users: Upgrade your definition file to 11/19/2005 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions, or you can download the PC definitions in an executable format.

Symantec has released a removal tool for W32.Sober.X which should be sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions.

W32.Zotob.E (8/18/05)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win2000/XP/Server2003:
W32.Zotob.E is a network-aware worm that has spread worldwide rather quickly.

The worm exploits the recently announced Windows Plug and Play vulnerability (MS05-039). It opens a backdoor and attempts to spread to other vulnerable machines.

Symantec Anti-Virus users: Upgrade your definition file to 08/16/2005 rev 25 (y) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Esbot.A (8/18/05)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win2000/XP/Server2003:
W32.Esbot.A is a network-aware worm that has spread worldwide rather quickly.

The worm exploits the recently announced Windows Plug and Play vulnerability (MS05-039). It opens a backdoor and attempts to spread to other vulnerable machines on internal networks and across the Internet.

Symantec Anti-Virus users: Upgrade your definition file to 08/16/2005 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Beagle.CE / Trojan.Tooso.L (8/12/05)
More info: Symantec, F-Secure, Network Associates, Trend Micro

Win9x/NT/ME/2000/XP:
W32.Beagle.CE is a mass mailing worm that opens a backdoor on TCP port 80. The worm also carries a Trojan horse, Trojan.Tooso.L, which interferes with security software by ending processes, stopping services, removing registry entries, and deleting files.

Emails generated by the worm will forge the "From:" address, have a blank Subject, and have one of the following attachments:
- Taxes.zip
- The_taxation.zip
- The_reporting_of_taxes.zip
- Work and taxes.zip
- Increase_in_the_tax.zip
- To_reduce_the_tax.zip

Symantec Anti-Virus users: Upgrade your definition file to 08/12/2005 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Sober.O (5/02/05)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Sober.O is a mass mailing worm that has spread worldwide rather quickly.

The worm arrives via an email message written in either German or English with a randomly named attachment which, if executed, emails itself to all email addresses found on the machine.

Emails generated by the worm forge the "From:" address and have random subjects and message bodies.

Symantec Anti-Virus users: Upgrade your definition file to 05/02/2005 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Symantec has released a removal tool for W32.Sober.O which is sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions.

W32.Mydoom.AX (2/17/05)
More info: Symantec, F-Secure, McAfee, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Mydoom.AX is a mass mailing worm that has spread worldwide and has been reported on campus.

The worm arrives via an email message with an attachment which, if executed, opens a backdoor on the infected machine. It also sends mail to addresses that it retrieves from the infected computer. The subject, attachment name, and attachment size all vary. The From: field is spoofed.

See the W32.Mydoom.AX page for more detailed information.

Symantec Anti-Virus users: Upgrade your definition file to 2/16/2005 revision 24 (x) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Erkez.D (12/15/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Erkez.D is a mass mailing worm that has spread worldwide.

The worm arrives via an email message appearing to be a Christmas greeting.

Once the included attachment is executed, the worm will lower security settings, terminate processes, and open a back door on the compromised computer.

See the W32.Erkez.D page for more detailed information.

Symantec Anti-Virus users: Upgrade your definition file to 12/14/2004 revision 9 (i) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Mydoom.AH (& .AI) (11/09/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro; Symantec (.AI)

Win9x/NT/ME/2000/XP:
W32.Mydoom.AH and .AI are two mass mailing worms that have spread worldwide.

These worms use a combination of social engineering and an exploit for an unpatched Internet Explorer vulnerability to infect machines. They also open a backdoor on TCP port 1639.

The worm arrives via an email message with an HTML-formatted message body that asks the user either to view photos or to confirm a PayPal transaction.

See the W32.Mydoom.AH page for more detailed information.

Symantec Anti-Virus users: Upgrade your definition file to 11/09/2004 revision 9 (i) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Beagle.AW (10/29/04)
More info: Symantec

Win9x/NT/ME/2000/XP:
W32.Beagle.AW is a mass mailing worm that has spread quickly.

The worm arrives via an email message with an attachment which, if executed, emails itself to all email addresses found on the machine.

Emails generated by the worm have one of the following subjects:

• Re:
• Re: Hello
• Re: Hi
• Re: Thank you!
• Re: Thanks :)

and one of the following attachment names:

• Price
• price
• Joke

The worm also opens a backdoor on TCP port 81. This could allow remote attackers to access infected machines.

See the W32.Beagle.AW page for more detailed information.
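As an added example (not part of the original Penn alert), the indicators from the W32.Beagle.CE entry (blank Subject plus one of the listed tax-themed .zip names) and the W32.Beagle.AW entry above (one of the listed subjects plus an attachment named Price or Joke) turned into a mail-triage check in Python. The raw messages, the helper names and the decision to flag any .exe/.pif/.scr/.com attachment on its own are assumptions for this example; the entries list the Beagle.AW attachment names without an extension, so the .exe in the sample is assumed too.

```python
"""Triage inbound mail against the Beagle indicators on this page.

Added example; the raw messages below are constructed, not real captures.
Matching is done on the Subject and attachment names only: the From: address
on these worms is forged, so it cannot be used to block or to reply."""
import os
from email import message_from_string
from email.message import Message

# Indicators transcribed from the W32.Beagle.CE entry (blank Subject + one of
# these attachment names) and the W32.Beagle.AW entry (Subject + attachment stem).
BEAGLE_CE_ATTACHMENTS = {
    "taxes.zip", "the_taxation.zip", "the_reporting_of_taxes.zip",
    "work and taxes.zip", "increase_in_the_tax.zip", "to_reduce_the_tax.zip",
}
BEAGLE_AW_SUBJECTS = {"re:", "re: hello", "re: hi", "re: thank you!", "re: thanks :)"}
BEAGLE_AW_STEMS = {"price", "joke"}
# Assumption for this example: any of these extensions on an attachment is
# worth a quarantine on its own, whatever the subject says.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com"}


def attachment_names(msg: Message) -> list[str]:
    """Return every attachment filename in the message, in order."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(raw: str) -> list[str]:
    """Return the list of indicator matches for one raw RFC 822 message."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    reasons = []
    for name in attachment_names(msg):
        stem, ext = os.path.splitext(name.lower())
        if not subject and name.lower() in BEAGLE_CE_ATTACHMENTS:
            reasons.append(f"W32.Beagle.CE: blank subject with attachment {name}")
        if subject in BEAGLE_AW_SUBJECTS and stem in BEAGLE_AW_STEMS:
            reasons.append(f"W32.Beagle.AW: subject {subject!r} with attachment {name}")
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment {name}")
    return reasons


def _mime(subject: str, filename: str, ctype: str) -> str:
    """Build a constructed two-part message carrying one attachment."""
    return (
        "From: someone@example.edu\r\nTo: user@example.edu\r\n"
        f"Subject: {subject}\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
        f'--b1\r\nContent-Type: {ctype}; name="{filename}"\r\n'
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\nUEsDBAo=\r\n--b1--\r\n"
    )


# Constructed samples: a Beagle.CE lookalike, a Beagle.AW lookalike (the .exe
# extension is an assumption; the entry lists only the names), and a benign mail.
SAMPLE_CE = _mime("", "Taxes.zip", "application/zip")
SAMPLE_AW = _mime("Re: Hello", "price.exe", "application/octet-stream")
SAMPLE_OK = _mime("Meeting notes", "notes.pdf", "application/pdf")

if __name__ == "__main__":
    for label, raw in (("CE", SAMPLE_CE), ("AW", SAMPLE_AW), ("OK", SAMPLE_OK)):
        print(label, classify(raw) or "clean")
```

Feed it the raw message text from the mail gateway's quarantine or a user's forwarded .eml; anything that returns a non-empty list is held for a definitions update rather than delivered.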

Symantec Anti-Virus users: Upgrade your definition file to 10/29/2004 revision 24 (x) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Sasser.B.Worm (5/3/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win2000/XP:
W32.Sasser.B.Worm is a worm (very similar to Sasser.Worm) that spreads by scanning randomly chosen IP addresses for machines vulnerable to the LSASS vulnerability (MS04-011). This worm and a couple of its variants spread quickly worldwide, beginning early on May 1st.

W32.Sasser.B.Worm starts an FTP server on TCP port 5554 and generates traffic on TCP ports 445 and 9996. It also starts 128 network scanning threads, most likely causing severe degradation in system performance.

Symantec Anti-Virus users: Upgrade your definition file to 05/02/2004 revision 38 (al) or later. Be sure to update your definitions as soon as possible.

Make sure you apply the appropriate MS04-011 patch for the LSASS vulnerability; unpatched machines will be infected or targeted. The patch can be downloaded from the following sites:

Windows 2000
Windows XP

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Sasser.Worm (5/3/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win2000/XP:
W32.Sasser.Worm is a worm that spreads by scanning randomly chosen IP addresses for machines vulnerable to the LSASS vulnerability (MS04-011). This worm and a couple of its variants spread quickly worldwide, beginning early on May 1st.

W32.Sasser.Worm starts an FTP server on TCP port 5554 and generates traffic on TCP ports 445 and 9996. It also starts 128 network scanning threads, most likely causing severe degradation in system performance.

Symantec Anti-Virus users: Upgrade your definition file to 05/02/2004 revision 38 (al) or later. Be sure to update your definitions as soon as possible.

Make sure you apply the appropriate MS04-011 patch for the LSASS vulnerability; unpatched machines will be infected or targeted. The patch can be downloaded from the following sites:

Windows 2000
Windows XP

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

LSASS vulnerability (4/28/04)
More info: Microsoft

WinNT/2000/XP:
Recently, machines not patched with MS04-011 have been attacked.

Unpatched machines that have been attacked pop up a message window saying that the LSASS service has shut down and the machine will reboot in 60 seconds. The machine then reboots continuously unless it is disconnected from the network.

There is a marked increase in network traffic on the following ports:

TCP 135, 139, 445, 1025, 1433, 2745

We currently do not have reports of any backdoor programs being installed when a machine exhibits the above behavior.

Symantec Anti-Virus users: Upgrade your definition file to the latest definitions.

Be sure to update your definitions often, because automated worms are likely to be written to exploit this vulnerability soon.

Make sure you apply the appropriate MS04-011 patch for the LSASS vulnerability; unpatched machines will be infected or targeted. The patch can be downloaded from the following sites:

Windows 2000
Windows XP

If a machine is compromised at the system level by a worm that exploits LSASS, such as Sasser, we recommend a full system format.

Formatting is the only way to completely ensure network and data security after a compromise such as this.
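Added example, not part of the original alert: the port list in this LSASS entry and the Sasser behaviour described in the two entries before it (random-address scanning on 445, an FTP server on 5554 from which the next victim fetches the worm), turned into a check over a firewall connection log. The log line format, the sample hosts and the scan threshold are assumptions for this example; the port numbers are the ones this page reports.

```python
"""Find LSASS/Sasser-style scanners and Sasser FTP servers in a connection log.

Added example. The log format and hosts below are constructed; the ports come
from the LSASS and Sasser entries on this page."""
import re
from collections import defaultdict

# Ports on which the LSASS entry reports a marked increase in traffic.
LSASS_ATTACK_PORTS = {135, 139, 445, 1025, 1433, 2745}
# Sasser-specific: FTP server on 5554, exploit/shell traffic on 445 and 9996.
SASSER_FTP_PORT = 5554
SASSER_PORTS = {445, 9996, SASSER_FTP_PORT}
# Distinct targets one source must hit on one port before we call it a scanner
# (assumed; tune to the size of your subnets and the log window).
SCAN_THRESHOLD = 20

# Assumed log line shape: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp"
LINE_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def parse(lines):
    """Yield (src, dst, dport) for each line that matches the assumed format."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def find_scanners(lines, threshold=SCAN_THRESHOLD):
    """Map each scanning source to [(port, distinct_targets), ...].

    Sasser picks random IP addresses, so a scanner stands out as one source
    touching many distinct destinations on the same port in a short window."""
    targets = defaultdict(set)  # (src, dport) -> set of dst
    for src, dst, dport in parse(lines):
        if dport in LSASS_ATTACK_PORTS or dport in SASSER_PORTS:
            targets[(src, dport)].add(dst)
    report = defaultdict(list)
    for (src, dport), dsts in sorted(targets.items()):
        if len(dsts) >= threshold:
            report[src].append((dport, len(dsts)))
    return dict(report)


def sasser_ftp_servers(lines):
    """Hosts that accepted connections on 5554.

    Sasser starts an FTP server on the infected host; each newly exploited
    machine connects back to it to download its own copy, so the destination
    of a 5554 connection is the already-infected host."""
    return {dst for _src, dst, dport in parse(lines) if dport == SASSER_FTP_PORT}


# Constructed sample: 10.1.2.3 sweeps 30 hosts on 445, then one of its victims
# (10.1.5.12) pulls the worm from it over 5554; 10.1.2.4 is a normal file-share user.
SAMPLE_LOG = (
    [f"2004-05-01 09:12:{i:02d} src=10.1.2.3 dst=10.1.5.{i} dport=445 proto=tcp"
     for i in range(1, 31)]
    + ["2004-05-01 09:13:00 src=10.1.5.12 dst=10.1.2.3 dport=5554 proto=tcp",
       "2004-05-01 09:13:01 src=10.1.2.4 dst=10.1.5.7 dport=445 proto=tcp",
       "2004-05-01 09:13:02 src=10.1.2.4 dst=10.1.5.8 dport=445 proto=tcp"]
)

if __name__ == "__main__":
    print("scanners:", find_scanners(SAMPLE_LOG))
    print("sasser ftp servers:", sasser_ftp_servers(SAMPLE_LOG))
```

Both checks point at the same host in the sample, which is the case worth acting on: a machine that is sweeping 445 and serving 5554 is infected and should be pulled off the network before it is rebuilt, while a host that only shows a handful of 445 connections is just using file shares.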

W32.Netsky.AB (4/28/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Netsky.AB is a mass mailing worm that has spread worldwide rather quickly.

The worm arrives via an email message with a randomly named attachment which, if executed, emails itself to all email addresses found on the machine.

Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and randomly named attachments.

Symantec Anti-Virus users: Upgrade your definition file to 04/28/2004 revision 9 (i) or later. Be sure to update your definitions as soon as possible.

This variant of Netsky doesn't open any backdoors (so a removal tool should suffice), but Symantec hasn't created a removal tool for this variant yet. Until they do, follow their manual removal instructions.

W32.Beagle.X (4/28/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Beagle.X is a mass mailing worm that has spread quickly.

The worm arrives via an email message with an attachment which, if executed, emails itself to all email addresses found on the machine.

The worm sends itself as an email with a random subject, body, and attachment.

The worm also opens a backdoor. This could allow remote attackers to access infected machines.

See the W32.Beagle.X page for more detailed information.

Symantec Anti-Virus users: Upgrade your definition file to 04/28/2004 revision 38 (al) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Beagle.W (4/27/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Beagle.W is a mass mailing worm that has spread quickly.

The worm arrives via an email message with an attachment which, if executed, emails itself to all email addresses found on the machine.

The worm sends itself as an email with a random subject, body, and attachment.

The worm also opens a backdoor. This could allow remote attackers to access infected machines.

See the W32.Beagle.W page for more detailed information.

Symantec Anti-Virus users: Upgrade your definition file to 04/26/2004 revision 52 (az) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Netsky.Y (4/20/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Netsky.Y is a mass mailing worm (very similar to Netsky.X) that has spread worldwide rather quickly.

The worm arrives via an email message with a randomly named attachment which, if executed, emails itself to all email addresses found on the machine.

Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and randomly named attachments.

The worm also opens a backdoor on TCP port 82. This could allow remote attackers to access infected machines.

Symantec Anti-Virus users: Upgrade your definition file to 04/21/2004 revision 35 (ai) or later. Be sure to update your definitions as soon as possible.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Netsky.X (4/20/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Netsky.X is a mass mailing worm that has spread worldwide rather quickly.

The worm arrives via an email message with a randomly named attachment which, if executed, emails itself to all email addresses found on the machine.

Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and randomly named attachments.

The worm also opens a backdoor on TCP port 82. This could allow remote attackers to access infected machines.

Symantec Anti-Virus users: Upgrade your definition file to 04/21/2004 revision 17 (q) or later. Be sure to update your definitions as soon as possible.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Gaobot.ZX (4/15/04)
More info: Symantec

Win9x/NT/ME/2000/XP:
W32.Gaobot.ZX is a worm/backdoor that has spread rather quickly and has hit parts of campus.

The worm spreads by exploiting various Windows vulnerabilities and through network shares with weak passwords.

Symantec Anti-Virus users: Upgrade your definition file to 04/13/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Sober.F (4/05/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Sober.F is a mass mailing worm that has spread worldwide rather quickly.

The worm arrives via an email message with a randomly named attachment which, if executed, emails itself to all email addresses found on the machine.

Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and randomly named attachments.

Norton Anti-Virus users: Upgrade your definition file to 04/04/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Symantec has released a removal tool for W32.Sober.F which is sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions.

W32.Netsky.Q (3/29/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Netsky.Q is a mass mailing worm that has spread worldwide rather quickly.

The worm arrives via an email message with a randomly named attachment which, if executed, emails itself to all email addresses found on the machine.

Emails generated by the worm forge the "From:" address and have random subjects, message bodies, and randomly named attachments.

The worm also uses the three-year-old "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability (MS01-020) to make unpatched systems execute the worm automatically when an infected message is read or previewed.

Norton Anti-Virus users: Upgrade your definition file to 03/28/2004 revision 50 (ax) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Symantec has released a removal tool for W32.Netsky.Q which is sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions.

W32.Beagle.U (3/26/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Beagle.U is a mass mailing worm that has spread quickly.

The worm arrives via an email message with an .exe attachment which, if executed, emails itself to all email addresses found on the machine.

The worm sends itself as an email with a blank subject and body and a randomly named attachment.

The worm also opens a backdoor on TCP port 4751. This could allow remote attackers to access infected machines.

See the W32.Beagle.U page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 03/26/2004 revision 7 (g) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Netsky.P (3/22/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Netsky.P is a mass mailing worm that has spread rather quickly.

The worm arrives via an email message with a randomly named attachment which, if executed, emails itself to all email addresses found on the machine.

Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and randomly named attachments that end in .pif.

Norton Anti-Virus users: Upgrade your definition file to 03/22/2004 revision 7 (g) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Symantec has released a removal tool for W32.Netsky.P which is sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions.

W32.Witty.Worm (3/22/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro

Win9x/NT/ME/2000/XP:
W32.Witty.Worm is a memory-resident automated worm that spreads through networks and attacks only machines running vulnerable versions of the ISS BlackICE firewall software. It has hit a couple of campus machines running BlackICE.

See the W32.Witty.Worm page for more detailed information.

Norton Anti-Virus users: Since this worm is memory-resident and does not create any files on the hard drive, virus definitions will not detect it.

If the machine is still usable (the worm overwrites random sectors of the hard drive, so it may not be), follow Symantec's manual removal instructions.

W32.Beagle.M (3/13/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Beagle.M is a mass mailing worm that has spread quickly.

The worm arrives via an email message with a .pif, .rar, or .zip attachment which, if executed, emails itself to all email addresses found on the machine.

Emails generated by the worm will forge the "From:" address, and will have subjects and message bodies that make the email appear like a legitimate message from the recipient's mail server administrator.

The worm also opens a backdoor on TCP port 2556. This could allow remote attackers to access infected machines.

See the W32.Beagle.M page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 03/13/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Netsky.K (3/09/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Netsky.K is a mass mailing worm that has spread rather quickly.

The worm arrives via an email message with a randomly named attachment which, if executed, emails itself to all email addresses found on the machine.

Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and randomly named attachments that end in .pif.

See the W32.Netsky.K page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 03/08/2004 revision 18 (r) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Symantec has released a removal tool for W32.Netsky.K which is sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions.

W32.Sober.D (3/08/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Sober.D is a mass mailing worm that is spreading around the world.

The worm arrives via an email message with a .exe or .zip attachment which, if executed, emails itself to all email addresses found on the machine.

Emails generated by the worm purport to be from Microsoft, and will have subjects and message bodies that urge the user to open the attachment to patch against the MyDoom virus.

See the W32.Sober.D page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 03/08/2004, revision 7 (g) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

To remove this worm, follow Symantec's removal instructions.

W32.Beagle.K (3/03/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Beagle.K is a mass mailing worm that has spread quickly.

The worm arrives via an email message with a .pif or .zip attachment which, if executed, emails itself to all email addresses found on the machine.

Emails generated by the worm will forge the "From:" address, and will have subjects and message bodies that make the email appear like a legitimate message from the recipient's mail server administrator.

The worm also opens a backdoor on TCP port 2745. This could allow remote attackers to access infected machines.

See the W32.Beagle.K page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 03/03/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Netsky.D (3/01/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Netsky.D is a mass mailing worm that has spread rather quickly.

The worm arrives via an email message with a randomly named attachment which, if executed, emails itself to all email addresses found on the machine.

Emails generated by the worm will forge the "From:" address, and have random subjects, message bodies, and attachments.

See the W32.Netsky.D page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 03/01/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Symantec has released a removal tool for W32.Netsky.D which is sufficient to repair a system infected by this worm. If you have any trouble downloading or running the tool, follow Symantec's manual removal instructions.

W32.Beagle.E (3/01/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro, Sophos

Win9x/NT/ME/2000/XP:
W32.Beagle.E is a mass mailing worm that has spread rather quickly.

The worm arrives via an email message with a randomly named attachment which, if executed, emails itself to all email addresses found on the machine.

The worm also opens a backdoor on TCP port 2745. This could allow remote attackers to access infected machines.

See the W32.Beagle.E page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 02/28/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

W32.Netsky.C (2/25/04)
More info: Symantec, F-Secure, Network Associates, Trend Micro

Win9x/NT/ME/2000/XP:
W32.Netsky.C is a mass mailing worm that has spread rather quickly.

The worm arrives via an email message with a randomly named attachment which, if executed, emails itself to all email addresses found on the machine.

See the W32.Netsky.C page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 02/25/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Run Symantec's removal tool. If you cannot download or run it, you can follow Symantec's manual removal instructions.
2/24/04

W32.Mydoom.F

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos


Win9x/NT/ME/2000/XP:
W32.Mydoom.F is a mass mailing worm that has spread worldwide.

The worm opens a backdoor listening on port 1080, may display a fake message, terminates several different processes, attempts a DoS on microsoft.com and riaa.com on specific days of the month, and randomly deletes files with the following extensions:

.mdb
.doc
.xls
.sav
.jpg
.avi
.bmp

The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine.

See the W32.Mydoom.F page for more detailed information.

Symantec Anti-Virus users: Upgrade your definition file to 02/23/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.
2/18/04

W32.Netsky.B

More info:
Symantec
F-Secure
Network Associates
Trend Micro


Win9x/NT/ME/2000/XP:
W32.Netsky.B is a mass mailing worm that has spread worldwide.

The worm arrives via an email message with a randomly named .exe attachment, which, if executed, will email itself to all entries found on the machine.

See the W32.Netsky.B page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 02/18/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Run Symantec's removal tool. If you cannot download or run it, you can follow Symantec's manual removal instructions.
2/17/04

W32.Alua (Beagle.B)

More info:
Symantec
F-Secure
Network Associates
Trend Micro


Win9x/NT/ME/2000/XP:
W32.Alua, also known as W32.Beagle.B, is a mass mailing worm that is spreading rapidly both on campus and worldwide.

The worm arrives via an email message with a randomly named .exe attachment, which, if executed, will email itself to all entries found on the machine. The worm also opens a backdoor on TCP port 8866. This could allow remote attackers to access infected machines.

See the W32.Alua / Beagle.B page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 02/17/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

2/16/04

W32.Welchia.B

More info:
Symantec
F-Secure
Network Associates
Trend Micro


Windows 2000/XP:
W32.Welchia.B is a mass mailing worm that has spread worldwide.

The worm spreads by utilizing the backdoor that is opened on machines infected with the W32.MyDoom (also known as W32.Novarg) worm. This could allow remote attackers to access infected machines.

See the W32.Welchia.B page for more detailed information.

Symantec Anti-Virus users: Upgrade your definition file to 02/11/2004 (revision 23) or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

1/26/04

W32.Novarg.A (Mydoom.A)

More info:
Symantec
F-Secure
Network Associates
Trend Micro


Win9x/NT/ME/2000/XP:
W32.Novarg.A, also known as W32.Mydoom.A, is a mass mailing worm that has spread worldwide very rapidly.

The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine. The worm also creates a backdoor by opening a listening thread on a port in the range of 3127 to 3198. This could allow remote attackers to access infected machines.

See the W32.Novarg.A page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 01/26/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

1/18/04

W32.Beagle.A

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos


Win9x/NT/ME/2000/XP:
W32.Beagle.A is a mass mailing worm that initially began spreading very rapidly but has since died down.

The worm arrives via an email message with a randomly named attachment, which, if executed, will email itself to all entries found on the machine. W32.Beagle.A also creates a backdoor by opening a listening thread on port 6777. This could allow remote attackers to access infected machines.

See the W32.Beagle.A page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 01/18/2004 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

12/18/03 Trojan.Sinkin

More info:
Symantec
Network Associates
Trend Micro
Sophos


Win9x/NT/ME/2000/XP:
Trojan.Sinkin is a trojan/worm that has begun spreading on campus.

Trojan.Sinkin attempts to spread by sending a hyperlink to contacts on a user's AOL Instant Messenger (AIM) Buddy List.

When the link is visited with an unpatched version of IE, exploit code will download and install the trojan/worm.

See the Trojan.Sinkin page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 10/14/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

To remove the virus, follow Symantec's removal instructions.

10/31/03 W32.Mimail.C

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos


Win9x/NT/ME/2000/XP:
W32.Mimail.C is a worm that has spread worldwide and has appeared on campus.

The worm attempts to spread through email via an attachment named photos.zip and the subject "Re[2]: our private photos [random string of letters]".

When the attachment is executed, the worm will copy itself to the hard drive, create a registry entry, and mail itself to addresses it finds in files with various extensions.

See the W32.Mimail.C page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 10/31/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

To remove the virus, run Symantec's removal tool.

If the tool fails, follow Symantec's manual removal instructions.

10/02/03 Trojan.Qhosts

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos


Win9x/NT/ME/2000/XP:
Trojan.Qhosts is a trojan that has spread worldwide and has appeared on campus.

The trojan spreads to a machine when a user browses to a website that contains viral HTML code written to exploit a vulnerability in Internet Explorer. For more information and a patch for this vulnerability, see Microsoft's write-up.

When an infected HTML page is opened, the trojan will change DNS settings, modify several registry keys and make modifications to the local "Hosts" file.

For a complete listing of the worm's activities, see the Characteristics section on the full Trojan.Qhosts write-up.

See the Trojan.Qhosts page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 10/02/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

NOTE: There is now a patch for the vulnerability this trojan exploits. Please make sure you install it.

To remove the virus, run Symantec's removal tool.

If the tool fails, follow Symantec's manual removal instructions.

9/19/03  W32.Swen.A@mm

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos


Win9x/NT/ME/2000/XP:
W32.Swen.A@mm is a mass mailing worm that has spread worldwide and has appeared on campus.

The worm attempts to spread via email with a randomly named attachment or via KaZaA, IRC, Network Shares, or newsgroups.

If executed, the worm will email itself to addresses it finds on the local machine, terminate a large number of anti-virus and security programs, modify and add several registry keys and drop itself and a couple of other files onto the hard drive. For a complete listing of the worm's activities, see the Characteristics section on the full W32.Swen.A write-up.

Please Note: The worm spoofs the From: address on the messages it sends to make the messages appear to be coming from Microsoft or to look like bounce-back messages. Be sure to examine a message's full headers to determine where it originated. NOTE: The Return-Path field is not forged. You may use this value from the full headers in helping track down infected machines.

See the W32.Swen.A@mm page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 09/19/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

To remove the virus, try running Symantec's removal tool.

If the tool fails to run, follow step 4 (a-f) of Symantec's removal instructions, and then try running the tool. If the tool still fails to run, you'll need to follow Symantec's manual removal instructions linked just above.

8/20/03  W32.Squirm@mm

More info:
Symantec


Win9x/NT/ME/2000/XP:
W32.Squirm@mm is a mass mailing worm that has appeared on parts of campus in large volumes today (Aug 20).

The worm attempts to spread via email with an attachment named either patch.zip or patch_329390.exe. If executed, the worm will open and listen on port 61282 as well as send itself to all the email addresses it finds in the user's Outlook address book. The worm also tries to spread through file sharing applications and propagates through IRC using DCC.

Please Note: The worm spoofs the From: and Return-Path: addresses on the messages it sends to make the messages look like they are coming from support@microsoft.com. Be sure to examine a message's full headers to determine where it originated.

See the W32.Squirm@mm page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 08/20/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise by opening a port, we recommend a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

8/20/03  W32.Welchia.Worm

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos


Windows 2000 and XP:
W32.Welchia.Worm is a worm that has spread worldwide.

The worm attempts to spread by exploiting two different Windows vulnerabilities (DCOM RPC and WebDav - more information on the full write-up page).

See the W32.Welchia.Worm page for more detailed information.

Symantec Anti-Virus users: Upgrade your definition file to 08/18/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm creates a system-level compromise, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

8/19/03  W32.Sobig.F@mm

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos


Win9x/NT/ME/2000/XP:
W32.Sobig.F is a mass mailing worm that has spread worldwide.

The worm attempts to spread via email (with an attachment ending in either .pif or .scr) and via write accessible network shares. If executed, the worm sends itself to all the email addresses it finds in files with the following extensions: .wab, .dbx, .htm, .html, .hlp, .mht, .eml, and .txt.

Please Note: The worm spoofs the From: and Return-Path: addresses on the messages it sends. Be sure to examine a message's full headers to determine where it originated.
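The Swen, Squirm and Sobig.F notes above all come down to reading the full headers: Swen forges From: but not Return-Path:, while Squirm and Sobig.F forge both, so only the Received: lines written by relays you run can name the infected machine. The following Python helper is an added example, not code from this page or from Symantec; the relay names, hosts and addresses in it are constructed for illustration.

```python
"""Header triage for worm-generated mail (added example; not from the Penn alerts page).

Compares the displayed From: with the envelope Return-Path:, then walks the Received:
chain from the newest hop downward, trusting only lines written by relays we operate,
to find the host that injected the message. Relay names, hosts and addresses below are
constructed for illustration and are not taken from the alerts.
"""
import email
import re
from email.utils import parseaddr

# Mail relays under our administrative control (hypothetical). A Received: line is only
# trusted when one of these hosts wrote it; earlier lines may have been forged by the worm.
TRUSTED_RELAYS = {"mx.example.edu", "mail.example.edu"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                      # name the sender announced
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"  # optional "(rdns [ip])"
    r".*?\bby\s+(?P<by>\S+)",                                    # relay that recorded the hop
    re.IGNORECASE,
)

# Constructed Swen-style message: From: claims Microsoft, Return-Path: is the real campus
# sender, and the worm appended a bogus Received: line naming a Microsoft SMTP host.
SWEN_STYLE = """\
Return-Path: <jdoe@dept.example.edu>
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
\tby mx.example.edu with ESMTP id abc123; Fri, 19 Sep 2003 10:05:01 -0400
Received: from ws-1234.dept.example.edu (ws-1234.dept.example.edu [192.0.2.55])
\tby mail.example.edu with SMTP id xyz789; Fri, 19 Sep 2003 10:04:58 -0400
Received: from smtp.microsoft.com (smtp.microsoft.com [203.0.113.7])
\tby ws-1234.dept.example.edu with SMTP; Fri, 19 Sep 2003 10:04:50 -0400
From: "Microsoft Security" <security@microsoft.com>
To: user@example.edu
Subject: Latest Microsoft Security Patch

Install the attached patch.
"""

# Constructed Squirm/Sobig-style message: Return-Path: is forged as well, so only the
# Received: walk can still identify the infected workstation.
SQUIRM_STYLE = SWEN_STYLE.replace("<jdoe@dept.example.edu>", "<support@microsoft.com>")


def parse_received(value):
    """Split one Received: header into helo/rdns/ip/by; None if not in the common form."""
    match = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if match is None:
        return None
    hop = match.groupdict()
    hop["by"] = hop["by"].rstrip(";,")
    return hop


def is_trusted(host):
    return host is not None and host.lower().rstrip(".") in TRUSTED_RELAYS


def originating_hop(msg):
    """Walk Received: headers newest-first. The first hop that a trusted relay accepted
    from a host we do not operate is where the message entered our mail system; anything
    below it (including lines the worm itself wrote) is ignored."""
    for raw in msg.get_all("Received", []):
        hop = parse_received(raw)
        if hop is None or not is_trusted(hop["by"]):
            break  # malformed, or recorded by someone else: stop trusting the chain
        if not (is_trusted(hop["helo"]) or is_trusted(hop["rdns"])):
            return hop
    return None


def domain_of(header_value):
    """Domain part of the first address in a From:/Return-Path: header ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw_message):
    """Summarise what the full headers say about a suspected worm message."""
    msg = email.message_from_string(raw_message)
    origin = originating_hop(msg)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        # True when the envelope sender disagrees with the displayed From: (Swen pattern).
        # False does not clear the message: Squirm and Sobig.F forge both headers.
        "envelope_mismatch": bool(from_domain and return_path_domain
                                  and from_domain != return_path_domain),
        "origin_host": (origin["rdns"] or origin["helo"]) if origin else None,
        "origin_ip": origin["ip"] if origin else None,
    }


if __name__ == "__main__":
    for label, raw in (("Swen-style", SWEN_STYLE), ("Squirm-style", SQUIRM_STYLE)):
        print(label, triage(raw))
```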

See the W32.Sobig.F page for more detailed information.

Symantec Anti-Virus users: Upgrade your definition file to 08/19/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

To remove the virus see Symantec's W32.Sobig.F Removal Tool page where you can download their removal tool and read about it as well.

If for any reason you cannot obtain or run the tool linked above, you must remove the worm manually.

8/12/03  W32.Blaster.Worm

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos
SANS


WinNT/2000/XP/Server 2003:
W32.Blaster.Worm is a worm that has been spreading rapidly and exploits the DCOM RPC vulnerability.

There have been several reports of this worm appearing on campus and it is spreading on a wide scale in the wild.

See the W32.Blaster.Worm page for more detailed information.

Symantec Anti-Virus users: Upgrade your definition file to 08/11/2003 version number 50811s, also known as August 11, 2003 rev 19, or greater. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

Given that the worm gives full administrator access to compromised systems, we are recommending a full system format for infected machines.

This is the only way to completely ensure network and data security after a compromise such as this.

8/01/03  W32.Mimail.A@mm

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos


Win9x/NT/ME/2000/XP:
W32.Mimail.A is a mass mailing worm that arrives via an email attachment named Message.zip. When the message is viewed, it will attempt to exploit a Windows vulnerability (patch found here) to create a copy of the worm named Foo.exe in the Temporary Internet Files folder (this behavior will also be seen if a user clicks the attachment). Then it will email itself to all entries in the user's address book. The worm also attempts to capture information from certain windows on a user's desktop and email it to specific mail addresses.

There have been some reports of this worm appearing on campus.

See the W32.Mimail.A page for more detailed information.

Norton Anti-Virus users: Upgrade your definition file to 08/01/2003 version number 50801r, also known as August 1, 2003 rev 18, or greater. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

To remove the virus, run Symantec's W32.Mimail.A removal tool.

If for any reason you cannot obtain or run the tool linked above, you must remove the worm manually. Manual removal instructions can be found on the page listed above.

7/22/03  Trojan.Download.Berbew

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos


Win9x/NT/ME/2000/XP:
Trojan.Download.Berbew is a Trojan Horse that arrives via an email attachment named either web.da.us.citi.heloc.pif or E-Loan-Appraiser-Results.pif. This Trojan Horse has been spammed to a large number of individuals in an email message claiming to be from Citibank Accounting or E-Loan.com. If executed it will attempt to download and run a backdoor meant to grab passwords and open ports on the infected machine.

There have been a few reports of this Trojan appearing on campus so far.

See the Trojan.Download.Berbew page for more detailed information.

Upgrade your definition file to 07/22/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

To remove the virus, see the recovery instructions listed on the Trojan.Download.Berbew page.

6/25/03  W32.Sobig.E

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos


Win9x/NT/ME/2000/XP:
W32.Sobig.E is a mass mailing worm that has begun spreading worldwide.

The worm attempts to spread via email (with an attachment ending in either .zip or .zi) and via open network shares. If executed, the worm sends itself to all the email addresses it finds in files with the following extensions: .wab, .dbx, .htm, .html, .eml, and .txt.

The worm spoofs the From: and Return-Path: addresses on the messages it sends.

See the W32.Sobig.E page for more detailed information.

Upgrade your definition file to 06/25/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

To remove the virus see Symantec's W32.Sobig.E Removal Tool page where you can download their removal tool and read about it as well.

If for any reason you cannot obtain or run the tool linked above, you must remove the worm manually.

6/05/03  W32.Bugbear.B

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos


Win9x/NT/ME/2000/XP:
W32.Bugbear.B is a mass mailing worm that has begun spreading worldwide.

The worm arrives via an email which attempts to auto-execute the attached file if the machine hasn't had a specific patch applied to it. As part of the infection, the worm creates a backdoor, drops a keylogger, and emails itself to all email addresses found within several different types of file extensions.

The worm spoofs the From: address on the messages it sends. The worm also searches for and disables processes used with security and anti-virus applications, including NAV. The worm may also spawn print jobs to all network printers which will result in printing a lot of garbled text.

See the W32.Bugbear.B page for more detailed information.

Upgrade your definition file to 06/05/2003 or later. Be sure to update your definitions as soon as possible. You can use LiveUpdate to download the latest definitions.

To remove the virus: There is now a removal tool for W32.Bugbear.B. Running the tool will help you determine if the machine you're investigating was ever infected by W32.Bugbear.B and will allow you to remove the viral portion of the worm. See Symantec's W32.Bugbear.B removal tool page where you can download the tool and read about it as well.

However, because the worm installs a backdoor (not to mention a keylogging component), we strongly recommend that infected machines be formatted.

6/02/03  W32.Sobig.C

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos


Win9x/NT/ME/2000/XP:
W32.Sobig.C is a mass mailing worm that has begun spreading worldwide. The worm arrives via an email with a forged "From:" header which makes the message appear to be from either "bill@microsoft.com" or any other email address found on the hard drive.

The email contains an attachment which, if executed, will email itself to all email addresses found in .wab, .dbx, .htm, .html, .eml, and .txt files on the hard drive. The worm is also network aware, and attempts to spread via open network shares.

See the W32.Sobig.C page for more detailed information.

Upgrade your definition file to 06/01/2003 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus see Symantec's W32.Sobig.C Removal Tool page where you can download their removal tool and read about the tool as well.

If for any reason you cannot obtain or run the tool linked above, you must remove the worm manually. Manual removal instructions can be found on the page listed above.

5/18/03  W32.Sobig.B

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos


Win9x/NT/ME/2000/XP:
W32.Sobig.B is a mass mailing worm that has begun spreading worldwide. The worm arrives via an email from the address "support@microsoft.com". The email contains an attachment which, if executed, will email itself to all entries in the user's Windows Address Book and Outlook Express mailboxes. The worm is also network aware, and attempts to spread via open network shares.

See the W32.Sobig.B page for more detailed information.

Upgrade your definition file to 05/18/2003 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus see Symantec's W32.Sobig.B Removal Tool page. If for any reason you cannot obtain or run the tool linked above, you must remove the worm manually. Manual removal instructions can be found at the W32.Sobig.B writeup.

1/25/03  W32.SQLExp.Worm

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos


W32.SQLExp.Worm is a worm that targets systems running Microsoft SQL Server 2000 or Microsoft Desktop Engine (MSDE) 2000.

The worm repeatedly sends itself, from an ephemeral source port, to IP addresses it generates, on UDP port 1434, the SQL Server Resolution Service port. It continuously sends packets to different IP addresses, effectively performing a Denial of Service.

See the W32.SQLExp.Worm page for more detailed information.

Symantec Security Response highly recommends all users of Microsoft SQL Server 2000 or MSDE 2000 audit their machines for the vulnerabilities referred to in Microsoft Security Bulletin MS02-061.

Symantec Security Response also recommends configuring perimeter devices to block ingress UDP traffic to port 1434 from untrusted hosts, as well as blocking egress UDP traffic from a network to destination port 1434.

To remove the virus: Symantec has provided a tool to remove infections of W32.SQLExp.Worm. Click here for details about the tool and to obtain the tool.

Because the worm is only resident in memory, and is not written to disk, this threat is not detectable using virus definitions.

1/10/03 W32.Sobig.A@mm

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos

Win9x/NT/ME/2000/XP:
W32.Sobig is a mass mailing worm that has begun spreading worldwide. The worm arrives via an email from the address "big@boss.com". The email contains an attachment which, if executed, will email itself to all entries in the user's Windows Address Book and Outlook Express mailboxes. The worm is also network aware, and attempts to spread via open network shares.
Norton Anti-Virus users: Upgrade your definition file to 01/10/2003 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus see Symantec's W32.Sobig Removal Tool page. If for any reason you cannot obtain or run the tool linked above, you must remove the worm manually. Manual removal instructions can be found at the W32.Sobig.A writeup.
1/07/03 W32.Lirva.A@mm

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos

Win9x/NT/ME/2000/XP:
W32.Lirva.A is a mass mailing worm that has begun spreading worldwide. W32.Lirva.A utilizes a known exploit in unpatched versions of Microsoft Outlook Express for Windows to infect machines, but can also spread via Windows network shares, IRC, ICQ, and Kazaa. The worm's mass-mailing process utilizes the same header "spoofing" tactics as the W32.Klez worm, making it difficult to track down an infected machine. The worm disables virus protection apps on the machine (including NAV), and sends cached Dial-Up Networking passwords to an external email address. Another variant of this worm, W32.Lirva.C, attempts to download a backdoor trojan program from an external web site. However, this web site has been taken down, and no trojan program is downloaded.
Norton Anti-Virus users: Upgrade your definition file to 01/07/2003 or later. You can use LiveUpdate to download the latest definitions.

To remove both variants of the virus, see Symantec's W32.Lirva Removal Tool page.
9/30/02 W32.Bugbear@mm

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos

Win9x/NT/ME/2000/XP:
W32.Bugbear is a mass mailing worm that attempts to exploit a known vulnerability in certain unpatched versions of Outlook and Outlook Express. It spreads through open network shares as well. It contains a keylogger and a backdoor (to allow remote hacker activity). It also attempts to terminate various AV and firewall programs.
Norton Anti-Virus users: Upgrade your definition file to 09/30/2002 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus, see the recovery instructions listed on the W32.Bugbear page.
7/15/02 W32.Frethem.K@mm

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos

Win9x/NT/ME/2000/XP:
W32.Frethem.K is a mass mailing worm that began spreading early this morning. The worm arrives via an email with two attachments named Decrypt-password.exe and Password.txt respectively, which, if executed, will email the worm to all entries in the user's Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb files. The worm does not have a destructive payload.

Symantec definitions dated July 15, 2002 will detect W32.Frethem.K.
Norton Anti-Virus users: Upgrade your definition file to 07/15/2002 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus, run Symantec's Frethem removal tool. See Symantec's Frethem tool writeup for more information about it.
3/22/02 W32.MyLife.B@mm

More info:
Symantec
F-Secure
Network Associates
Trend Micro
Sophos

Win9x/NT/ME/2000/XP:
W32.MyLife.B@mm is a mass mailing worm that was initially rated as a level 3 threat due to its increasing spread and due to its payload. The worm is similar to the W32.MyLife@mm worm. This worm's payload is somewhat more extensive, although it will only trigger if executed when the system clock reads between the hours of 8am and 9am. Here's the rest of the details.

The worm arrives via an email with an attachment named Cari.scr, which, if executed, will email itself to all entries in the user's Outlook Address Book. If the worm is run when the system time is between 8:00 a.m. and 9:00 a.m., it will attempt to delete the files on C:\*.*, *.sys, *.vxd, *.ocx, *.nls, d:\*.*, e:\*.*, f:\*.*

Symantec definitions dated March 21, 2002 or later will detect W32.MyLife.B. It's reported that Symantec definitions dated before March 21, 2002 may detect the virus as W32.Caric@mm.
Norton Anti-Virus users: Upgrade your definition file to 03/21/2002 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus, do the following:

-- run LiveUpdate to install the 3/21/2002 (or later) version of the NAV virus definition file
-- run a full system scan of the user's hard drive
-- delete all files that are detected as W32.MyLife.B@mm.
-- restore any files that were deleted by the virus

The registry must also be edited to remove the entry added by the virus. See the W32.MyLife.B writeup for full details.
3/14/02 W32.MyLife@mm

More info:
Symantec
F-Secure
Trend Micro
Network Associates
Sophos

Win9x/NT/ME/2000/XP:
W32.MyLife is a mass mailing worm that was initially rated a level 3 threat due to its spread and its payload.

The worm arrives via an email attachment named My Life.scr, which, if executed, will email itself to all entries in the user's Outlook Address Book. The worm also searches for and attempts to delete files that have the extensions .com, .sys, .ini, .exe, .sys, .vxd, .exe, or .dll. There are conflicting reports on the web as to whether or not the worm succeeds in deleting files. Symantec definitions dated 3/08/2002 will detect W32.MyLife. There have been no reports as of yet of W32.MyLife appearing on campus.
Norton Anti-Virus users: Upgrade your definition file to 03/08/2002 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus, do the following:

-- run LiveUpdate to install the 3/8/2002 (or later) version of the NAV virus definition file
-- run a full system scan of the user's hard drive
-- delete all files that are detected as W32.MyLife@mm.
-- restore any files that were deleted by the virus

The registry must also be edited to remove the entry added by the virus. See the full W32.MyLife writeup for details.
3/08/02 W32.Gibe@mm

More info:
Symantec
F-Secure
Trend Micro
Network Associates
Sophos

Win9x/NT/ME/2000/XP:
W32.Gibe is a mass mailing worm that was initially rated a level 2 threat. It has shown up on campus in a few locations.

The worm arrives via an email message which masquerades as a Microsoft Security Update patch with an attachment named Q216309.exe. If executed, it will email itself to all entries in the user's Outlook Address Book and any other addresses found in the user's .htm, .html, .asp, and .php files. The worm also installs a Backdoor Trojan which allows remote access to the infected system. Symantec definitions dated 03/06/2002 will detect W32.Gibe@mm.
Norton Anti-Virus users: Upgrade your definition file to 03/06/02 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus, do the following:

-- run LiveUpdate to install the 3/6/2002 (or later) version of the NAV virus definition file
-- run a full system scan of the user's hard drive
-- delete all files that are detected as W32.Gibe@mm.
-- using Windows Explorer, delete the \Windows\02_N803.dat file.

The registry must also be edited to remove entries added by the virus. See the full W32.Gibe writeup for details.
2/26/02

W32.Klez.E@mm

More info:
Symantec
F-Secure
Trend Micro
Network Associates
Sophos


Win9x/NT/ME/2000/XP:
W32.Klez.E is a mass mailing worm that utilizes a known exploit in unpatched versions of Microsoft Outlook Express for Windows to infect machines, but can also spread via Windows network shares. It also attempts to disable virus protection applications (including Norton AntiVirus) on the machine, and has the ability to infect .EXE, .ZIP and other types of files.
Symantec Anti-Virus users: Upgrade your definition file to 01/23/02 or later. You can use LiveUpdate to download the latest definitions.

The preferred way to remove this worm is to use the W32.Klez Removal Tool. If for any reason you cannot obtain the tool linked above, you must remove the worm manually. Manual removal instructions can be found at the W32.Klez.E writeup.

Here's more information from Symantec about the W32.Klez removal tool.
2/19/02

W32.Yarner.A@mm

More info:

Symantec
F-Secure
Trend Micro
Network Associates
Sophos

Win9x/NT/ME/2000/XP:
W32.Yarner.A is a mass mailing worm written in the Delphi language. The worm sends itself to email addresses found in the Microsoft Outlook address book. The worm uses the system-configured or hard-coded SMTP server to send messages with the subject "Trojaner-Info Newsletter [Current Date]" and a message body in German. Also of note, conflicting information on the web mentions that the worm has the capability to delete files from a hard drive.

The worm creates two files in the Windows directory, Kernei32.daa and Kernei32.das, where it stores e-mail addresses and SMTP server names found on the machine. The attachment name is yawsetup.exe.

The worm also copies itself as Notepad.exe into the Windows directory, renaming the original Notepad file as Notedpad.exe.

Do not open the attachment yawsetup.exe.

Norton Anti-Virus users: Upgrade your definition file to 02/19/02 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus, do the following:

-- Install the latest NAV defs and do a full system scan. Delete files detected as Yarner.
-- Delete the registry value found in the RunOnce folder of the HKCU section of the registry that resembles one of the files detected as being infected with Yarner.

2/11/02

Backdoor.EggHead Hacktool.DoS

More info:
Symantec

WinNT/2000/XP:
Backdoor.Egghead is a backdoor Trojan that installs itself on Windows machines and launches a Denial of Service (DoS) attack on random IP addresses. It is currently not known how the Trojan propagates to other machines, but it does seem to infect machines on the same local network. Symptoms of the infection include: the presence of a \SVCHOST directory under the Windows system directory (usually C:\WINNT\SYSTEM32); control panels not appearing correctly; problems using the cut, copy, or paste functions; inability to write to CD-R media; and general slowdown of the computer. Removal of the Trojan is difficult, and a re-installation of the operating system may be required.

Norton Anti-Virus users: Upgrade your definition file to 02/13/02 or later. You can use LiveUpdate to download the latest definitions.

Instructions for removal of the virus can be found on the detailed Backdoor.EggHead-Hacktool.DoS description page. Please note that a re-installation of the Windows operating system may be required.

1/27/02

W32.Myparty@mm

More info:
Symantec
Network Associates
F-Secure
Trend Micro

Win9x/NT/ME/2000/XP:
W32.Myparty is a mass mailing worm which will email itself to all addresses in the user's Windows Address Book, as well as any addresses found in messages located in Outlook Express mailboxes. The worm will only email itself if the system date is between January 25-29, 2002.

The worm arrives in an email with the subject "new photos from my party!" and the message body:

"Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!"

The name of the attachment is "www.myparty.yahoo.com", which may look like a web page link in some email programs. It is not a link: .com is a DOS/Windows executable extension, and this file is the worm itself. When launched, it will email itself as described above, as well as copy itself to various locations on the hard drive. On Windows NT, 2000, and XP machines, it will also install a file named MSSTASK.EXE.

Do not open the attachment www.myparty.yahoo.com

Norton Anti-Virus users: Upgrade your definition file to 01/28/02 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus, do the following:

-- On Windows NT/2000/XP machines, stop the MSSTASK.EXE process by hitting the CTRL-ALT-DEL keys, selecting Task Manager, highlighting the process and clicking "End Process." Be sure not to stop the MSTASK.EXE process!

-- run LiveUpdate to install the 01/28/02 (or later) version of the NAV virus definition file
-- run a full system scan of the user's hard drive
-- delete all files detected as W32.MyParty@mm or Backdoor.Myparty

12/19/01 W32.Maldal.C@mm
a/k/a W32.Reeezak.A@mm
W32.Zacker.C@mm

More info:
Symantec
Network Associates
F-Secure
Trend Micro
Sophos

Win9x/NT/ME/2000/XP:
W32.Maldal.C is a mass mailing worm which will send itself as an attachment to addresses in the local machine's Microsoft Outlook address book and MSN Messenger contact list.

The worm arrives via an email attachment named Christmas.exe, which, if executed, will display a Christmas greeting, to disguise its activity, and email itself using entries in the Microsoft Outlook address book and MSN Messenger contact list.

The worm has a destructive payload in which it attempts to delete all files in the Windows System directory and files for security and anti-virus applications, including NAV. The worm also infects .htm, .html, and .asp pages located on any fixed or network drives and attempts to disable the keyboard. The worm overwrites files with the following extensions .lnk, .zip, .jpg, .jpeg, .mpg, .mpeg, .doc, .xls, .mdb, .txt, .ppt, .pps, .ram, .rm, .mp3, or .swf with a file named Zacker.vbs.

See the vendor write-ups listed under More info (Symantec's in particular) for further details about the worm.

Do not open the attachment Christmas.exe

Norton Anti-Virus users: Upgrade your definition file to 12/19/01 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus, do the following:

-- run LiveUpdate to install the 12/19/01 (or later) version of NAV virus definition file
-- run a full system scan of the user's hard drive
-- delete all files detected as W32.Maldal.C@mm or JS.Exception.Exploit
-- if any files are detected as W32.Maldal.C@mm(html), click Repair.
-- Delete the Christmas.exe value found in HKLM\...\CurrentVersion\Run\Zacker
-- restore any applications that were deleted by the virus
12/13/01 W32.Gokar.A@mm

More info:
Symantec
Network Associates
Sophos
F-Secure
Trend Micro

Win9x/NT/ME/2000/XP:
W32.Gokar.A is a mass mailing worm which will send itself as an attachment to all addresses in the local machine's Microsoft Outlook address book. It also creates an mIRC Script.ini file and attempts to infect web servers to try to spread itself.

Similar to other recent viruses, this worm searches for and attempts to terminate several processes belonging to anti-virus and security applications, including NAV.

The worm also copies an .exe to the Windows System directory and adds a value to the ...\CurrentVersion\Run registry key so that it launches each time on startup.

See the vendor write-ups listed under More info (Symantec's in particular) for further details about the worm.

Use extreme caution when opening attachments.

Norton Anti-Virus users: Upgrade your definition file to 12/13/01 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus, do the following:

-- update NAV definitions to 12/13/01 (or later).
-- run a full system scan of the hard drive
-- delete all files detected as W32.Gokar.A@mm
-- if necessary, rename c:\inetpub\wwwroot\Redesi.htm to c:\inetpub\wwwroot\Default.htm
-- edit the registry using instructions found in Symantec's write-up.
12/4/01 W32.Goner.A

More info:
Symantec
Network Associates
Sophos
F-Secure
Trend Micro

Win9x/NT/ME/2000/XP:
W32.Goner.A is a mass mailing worm which will email itself to all addresses in the user's Microsoft Outlook address book. The worm arrives in an email with the subject "Hi" and the message body:

"How are you ?
When I saw this screensaver, I immediately thought about you I am in a harry, I promise you will love it!"

The name of the attachment is GONE.SCR. If executed, it will mass-mail itself, as well as try to spread via ICQ. It will also attempt to delete any anti-virus or firewall software found on the computer, including Norton AntiVirus.

See the vendor write-ups listed under More info (Symantec's in particular) for further details about the worm.

Do not open the attachment GONE.SCR.

Norton AntiVirus users: Upgrade your definition file to 12/4/01 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus, do the following:

-- download the W32.Goner removal tool
-- close all programs, and double-click on the removal tool file
-- click Start, and let the tool run
-- reboot the machine, and run the tool again after restart
-- when the tool is finished, it will display information regarding how many infected files were detected and deleted, and what modifications were made to the Windows registry
-- re-install any applications deleted by the virus
11/26/01 W32.Badtrans.B

More info:
Symantec
Sophos
F-Secure
Trend Micro
Network Associates

Win9x/NT/ME/2000/XP:
W32.Badtrans.B is a mass mailing worm which will email itself to all addresses in the user's Microsoft Outlook address book, as well as addresses found in the web browser cache and the My Documents folder. The worm arrives with varied subject lines, a blank message body, and an attachment with a double file extension. The first extension will either be .zip, .mp3, or .doc, and the second extension will be .scr or .pif. The worm embeds code into the email message which will allow it to be executed when being previewed by an unpatched version of Outlook Express.

When executed, the worm emails itself to all addresses found in the locations mentioned above. It also installs a keylogger/Trojan which could be used to steal passwords and other confidential information from the infected machine.

Do not open up attachments with double file extensions, such as ".doc.scr."

Download and install the security update for Internet Explorer and Outlook Express.

Norton AntiVirus users: Upgrade your definition file to 11/24/01 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus, follow the instructions at Symantec's site.

9/24/01 W32.Vote.A

More info:
Symantec
Network Associates
Sophos
F-Secure
Trend Micro

Win9x/NT/ME/2000/XP:
W32.Vote.A is a mass mailing worm which will email itself to all addresses in the user's Microsoft Outlook address book. The worm arrives in an email with a subject line of "Fwd:Peace BeTweeN AmeriCa and IsLaM!" and message body "Hi iS iT A waR Against AmeriCa Or IsLaM !? Let's Vote To Live in Peace!" The message contains an attachment with the filename WTC.exe.

When executed, the worm will first email itself to all addresses in the Outlook Address Book. It will then overwrite all HTML files on the local and network drives with an anti-American message. It will then modify the autoexec.bat file so that the C: drive is formatted on the next reboot. It also attempts to download a backdoor Trojan. Finally, it attempts to delete program files for various anti-virus applications, including Norton Anti-Virus.

Norton AntiVirus users: Upgrade your definition file to 9/24/01 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus, follow the instructions at Symantec's site.

9/18/01 W32.Nimda.A
a/k/a
Concept Virus
Code Rainbow

More info:
Symantec
Network Associates
Sophos
F-Secure
Trend Micro

Win9x/NT/ME/2000/XP:
W32.Nimda is a blended threat/worm which can infect Windows machines via email attachments, open network shares, or by visiting an infected web page with an unpatched version of Internet Explorer. It can also infect machines running Internet Information Services using a known vulnerability in the software. On Windows NT and 2000 machines the worm also tries to gain administrative access, adding the Guest account to the Administrators group.

Norton AntiVirus users: Upgrade your definition file to 9/18/01 or later. You can use LiveUpdate to download the latest definitions.

Instructions on how to remove the worm from an infected machine will be forthcoming.

9/5/01 W32.Magistr.39921@mm

More info:
Symantec
Network Associates
Sophos
F-Secure
Trend Micro

Win9x/NT/ME/2000/XP:
W32.Magistr.39921 is a mass mailing worm which will email itself to addresses in the user's Microsoft Outlook, Eudora, and Netscape Messenger Address Books. The worm arrives via an email attachment with a .bat, .exe, .pif, or .com extension. There may also be other attachments of Word documents. The subject line of the email will be a random collection of words found in document files on the user's hard drive. The worm may also attach one of these documents to the message, in order to make it appear legitimate. Therefore, confidential documents stored on the user's hard drive may be unknowingly sent in the message. The worm can also infect machines via open network shares.

After the machine has been infected for one month, the worm may also do more severe damage, including erasing the machine's system BIOS and making the hard drive unusable.

Norton AntiVirus users: Upgrade your definition file to 9/6/01 or later. You can use LiveUpdate to download the latest definitions.

To remove the virus, follow these steps:

-- Run a full system scan from Norton AntiVirus, and delete all files detected as W32.Magistr.39921@mm.
-- Edit the Windows registry, as well as the system.ini and win.ini files, using instructions on Symantec's site.

Delete the email msg, empty the deleted items folder.

8/4/01 CodeRed, CodeRed II

More info:
Symantec
Network Associates
Sophos
F-Secure
Trend Micro

Please see the CodeRed page.


7/19/01 W32.Sircam.Worm@mm

More info:
Symantec
Network Associates
Sophos
F-Secure
Trend Micro

Win9x/NT/ME/2000/XP:
W32.Sircam.Worm is a mass mailing worm which will email itself to all addresses in the user's Microsoft Outlook Address Book. The worm arrives via an email attachment with a double application extension, such as "doc.exe" or "gif.com." The subject line of the email will be the same as the name of the attachment. The worm will attach itself to an email along with a file found in the user's "My Documents" folder; therefore, the infected message may appear "legitimate" to the recipient. The worm can also infect machines via open network shares.

The worm modifies the Windows registry of the infected machine in such a way so that the mass-mailing routine is launched every time an executable file is run.

Do not open attachments with multiple extensions, such as ".doc.exe"

Norton AntiVirus users: Upgrade your definition file to 7/18/01 or later.

To remove the virus, follow these steps in order:

-- Download and run fix_sircam.reg.
-- Run a full system scan from Norton AntiVirus, and delete all files detected as W32.Sircam.Worm@mm.

Delete the email msg, empty the deleted items folder.

5/17/01 VBS.VBSWG2.Z@mm
a/k/a Mawanella

More info:
Symantec
Network Associates
Sophos
F-Secure

Win9x/NT/ME/2000/XP:
Mawanella is a mass mailing worm which will email itself to all addresses in the user's Microsoft Address Book. The worm arrives in an email with the subject line "Mawanella" and message body "Mawanella is one of the Sri Lanka's Muslim Village." The message contains the attachment "Mawanella.vbs". If the attachment is executed, it will email itself to every address in the user's Microsoft Address Book. The worm will then display a message to the user.

DO NOT OPEN THE ATTACHMENT: Mawanella.vbs

Norton AntiVirus users: Upgrade your definition file to 5/17/01 or later.

Delete the email msg, empty the deleted items folder.

Remove any files from your computer detected as being infected with VBS.VBSWG2.Z@mm.

5/09/01 VBS.VBSWG2.X@mm a/k/a
VBS.VBSWG2.D@mm

VBS.HomePage

More info:
Symantec
Network Associates
Sophos
F-Secure

Win9x/NT/ME/2000/XP: Also known as the VBS.HomePage worm, VBS.VBSWG2.X@mm is an encrypted VBScript mass mailing worm that uses a known exploit to send itself to all recipients in an infected user's Microsoft Outlook address book. Its payload may also open a Web site that contains pornographic content.

The email message has the following characteristics: Subject: "Homepage"

Body: "Hi! You've got to see this page! It's really cool ;O)"

Attachment: "Homepage.HTML.vbs".

Prior to mailing itself out, the worm searches for email messages with the Subject of "Homepage"; it deletes these messages.

Depending on a random number, the worm attempts to open one of four pornographic web pages. However, the mass-mailing part of the code has much more serious consequences, including overloading e-mail servers and public-relations problems.

To mark that the mass mailing has been done, VBSWG.X adds a registry key: HKCU\software\An\mailed

DO NOT OPEN THE ATTACHMENT: Homepage.html.vbs

Norton AntiVirus users: Upgrade your definition file to 5/08/01 or later.

Delete the email msg, empty the deleted items folder.

Remove any files from your computer detected as infected with VBS.VBSWG2.X@mm.

4/18/01 W32.Matcher.Worm

More info:
Symantec
Network Associates
Sophos
F-Secure

Win9x/NT/ME/2000/XP:
W32.Matcher.Worm is a mass mailing worm which will repeatedly email itself to all addresses in the user's Outlook Address Book. The worm arrives in an email message with the subject line "Matcher" and the body of the message contains the text "Want to find your love mates!!! Try this its cool... Looks and Attitude Maching to opposite sex." The message contains the attachment "Matcher.exe." If the attachment is executed, it will

-- copy itself to the Windows System directory

-- create a registry key so that it launches on startup

-- modify the autoexec.bat file of the machine, so that a message is displayed on boot-up

-- email itself every minute to all addresses in the Outlook Address Book

DO NOT OPEN THE ATTACHMENT: Matcher.exe

Norton AntiVirus users: Upgrade your definition file to 4/18/01 or later.

Delete the email msg, empty the deleted items folder.

3/6/01 W32.Naked
a/k/a
W32.Naked@MM
W32.NakedWife
W32.JibJab

More info:
Symantec
Sophos
Network Associates
F-Secure

Win9x/NT/ME/2000/XP:
W32.Naked is a mass mailing worm that arrives via an email with an attachment named "Nakedwife.exe." The attachment disguises itself as a Shockwave Flash animation file. When the attachment is opened, a dialog box is opened with a message that a Flash animation by JibJab (a popular creator of Flash animations) is loading. However, at this point, the virus emails itself to everyone in the user's address book, and then deletes system files on the user's hard drive. The system will then become unusable, and will require an operating system reinstall.

The message arrives in an email with the subject line "FW: Naked Wife," and the body of the message contains the text "My wife never look like that! ;-) Best Regards, [Current User]" where [Current User] is the name of the infected user who sent the file.

DO NOT OPEN THE ATTACHMENT: Nakedwife.exe

Norton AntiVirus users: Upgrade your definition file to 3/6/01 or later.

Delete the email msg, empty the deleted items folder.

2/12/01 VBS.SST
a/k/a VBS/SST@MM,
OnTheFly,
Anna Kournikova

More info:
Symantec
Sophos
Network Associates
F-Secure
Trend Micro

Win9x/NT/ME/2000/XP:
VBS.SST is a mass mailing worm that arrives via an email with an attachment named "AnnaKournikova.jpg.vbs." When the attachment is opened, a script is executed which copies the above file to the Windows directory and emails it to all entries in the user's Outlook Address Book.

The subject of the email is "Here you have, ;o)" or something similar, and the body of the message contains the text "Hi: Check This!" Once the email attachment is opened, the script adds a key to the Windows Registry and runs its mass-mailing code. The mass-mailing code will only be run once.

Note that any Windows email client can run the attachment and infect the machine, but the mass-mailing portion of the virus will only be run if Microsoft Outlook or Outlook Express is installed on the machine.

DO NOT OPEN THE ATTACHMENT: AnnaKournikova.jpg.vbs

Norton AntiVirus users: Upgrade your definition file to 2/12/01 or later.

Delete the email msg, empty the deleted items folder.

Disable Windows Scripting Host.
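Badtrans.B, Sircam, Homepage, Anna Kournikova and Myparty above all rely on how an attachment name is read: an executable or script extension hidden behind a document extension, or a .com name that looks like a web address, made worse by Windows hiding the final extension of known file types. The following is an added example, not code from this page, from Penn ISC or from any anti-virus vendor, of the name check a mail gateway or helpdesk script could apply. The extension sets, the classify, display_name and triage functions and the sample names are the example's own assumptions (the sample names are those quoted in the alerts plus constructed benign ones).

```python
"""Classify mail attachment names the way a gateway filter would.

Added example for the alerts above; not from the Penn page or any vendor.
Assumed: the name is the literal filename of the MIME part, the extension
sets below (a classic Windows list, not exhaustive), and the sample names.
"""
import ntpath

# Extensions Windows runs as a program or script when the file is opened.
EXECUTABLE_EXTS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "chm", "lnk", "shs",
}
# Extensions a recipient reads as harmless data (a small sample).
DATA_EXTS = {
    "doc", "xls", "ppt", "pdf", "txt", "zip", "jpg", "jpeg", "gif",
    "mp3", "htm", "html",
}


def display_name(filename):
    """What Explorer shows when 'Hide file extensions for known file types'
    is on: the last extension vanishes, so AnnaKournikova.jpg.vbs appears
    as AnnaKournikova.jpg (and Homepage.HTML.vbs as Homepage.HTML)."""
    name = ntpath.basename(filename)
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DATA_EXTS:
        return stem
    return name


def classify(filename):
    """Return (verdict, reason) for one attachment name.

    verdict is 'block', 'quarantine' or 'allow'.  Only the name is judged;
    an allowed .doc must still be content-scanned (Melissa, Suppl and Thus
    on this page are macro viruses in plain .doc files).
    """
    name = ntpath.basename(filename)          # ignore any path the sender embedded
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return "allow", "no extension"
    final, inner = parts[-1], parts[1:-1]
    if final in EXECUTABLE_EXTS:
        hidden = [p for p in inner if p in DATA_EXTS]
        if hidden:
            return "block", f".{final} executable disguised as .{hidden[-1]}"
        if inner:
            # e.g. www.myparty.yahoo.com: the .com suffix is an executable
            # extension even though the name reads like a host name.
            return "block", f".{final} executable with a dotted, URL-like name"
        return "block", f".{final} executable attachment"
    if final in DATA_EXTS:
        if any(p in EXECUTABLE_EXTS for p in inner):
            return "quarantine", "executable extension embedded in the name"
        return "allow", f".{final} data file (content scan still required)"
    return "quarantine", f"unrecognised extension .{final}"


# Names quoted in the alerts above plus constructed benign ones (budget.xls, README).
SAMPLE_NAMES = [
    "AnnaKournikova.jpg.vbs", "Homepage.HTML.vbs", "www.myparty.yahoo.com",
    "GONE.SCR", "Christmas.exe", "zipped_files.exe", "xjuliet.chm",
    "report.doc.scr", "Suppl.doc", "budget.xls", "README",
]


def triage(names=SAMPLE_NAMES):
    """Map each name to (verdict, reason, name as Explorer would show it)."""
    return {n: (*classify(n), display_name(n)) for n in names}


if __name__ == "__main__":
    for name, (verdict, reason, shown) in triage().items():
        print(f"{verdict:<10} {name:<26} shown as {shown!r:<26} {reason}")
```

An "allow" verdict is about the name only; the .doc entries on this page (Melissa, Suppl, Thus) show why content scanning is still needed, and a real gateway would also look inside .zip attachments rather than pass them on the extension alone.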

2/06/01 W32.Blebla.B
a/k/a W32/Verona.B
Romeo and Juliet

More info:
Symantec
Network Associates
F-Secure
Trend Micro
Sophos

Win9x/NT/ME/2000/XP:
Romeo and Juliet is a mass mailing worm that arrives via an email with two attachments named "xromeo.exe" and "xjuliet.chm"; with Valentine's Day approaching, users may be more inclined to open them.

Arrives via an email attachment. Subject line of the email varies, but could be one of the following:

  • Romeo&Juliet
  • where is my juliet ?
  • where is my romeo ?
  • merry christmas!
  • Caution: NEW VIRUS !
All of the above subject lines have been seen on campus.
The email contains two attachments named "xromeo.exe" and "xjuliet.chm;" the files are built into the email message via a script, so the attachments may not be visible. The message needs only to be previewed (not opened) in order for the script to execute.

The virus will then send itself to all users in the Microsoft Outlook Address book, using several different email servers in Poland. The virus also may infect the Wsock32.dll file, and modify the registry to associate several file extensions (including JPG, DOC, MP3, REG, and ZIP) with the virus executable, thus not allowing these files to launch properly.

DO NOT OPEN OR PREVIEW THE EMAIL

DELETE the email msg, empty the deleted items folder.

NAV definitions dated 11/30/00 or later will detect the virus. If infected, you may have to do a number of things to eradicate the virus:

-- Search for the file SYSRNJ.EXE and delete it, and then download the BleBlaBUNDO.inf tool (you may have to right-click and choose "Save As").

-- After the file is saved to the hard drive, right click it and choose "Install." This will set all the file association back to the default; note that if you have other applications installed for these files (such as WinZIP), you will need to reset these associations manually.

-- You may also need to replace the Wsock32.dll before you are able to download anything.

-- Upgrade your definition file to 11/30/00 or later. You can use LiveUpdate to download the latest definitions.

-- Run a full system scan on the machine. If NAV detects Wsock32.dll as being infected, choose the "Repair" option. NAV is usually able to repair the file. Any other files detected as Blebla can be deleted.

1/19/01 W97M.Melissa.W
a/k/a Melissa.X

More info:
Symantec
Sophos
F-Secure
Trend Micro
Network Associates

Mac/Win9x/NT/ME/2000/XP:
W97M.Melissa.W is a macro virus/worm and is essentially the Melissa virus saved in a different format. The virus is in Word 2001 format, and therefore evades detection from several outdated anti-virus scanners.

The virus arrives in an email attachment, usually named ANNIV.DOC. The email has the subject line "Important message from [name of user]," where [name of user] is the name of the person whose infected machine sent the email. The body of the message is "Here is that document you asked for ... don't show anyone else ;-)"

The viral code behaves differently depending upon the infected machine's operating system, Microsoft Word version, and email program:

Word 95 or below: no infection -- viral code does not run.

Word 97/2000: viral code executes and does the following:

Disables macro security features, and saves itself into the Normal.dot global template. All Word documents subsequently created on the machine will be infected with the virus.

If Microsoft Outlook is installed, the virus emails the first 50 entries in the user's address book a copy of the email described above, along with the infected Word document

Outlook Express, Eudora, and Netscape Messenger users will not be affected by the mass-mailing portion of the virus.

Word 98/2001: viral code executes, disables the macro security features, and saves itself into the Normal.dot global template. All Word documents subsequently created on the machine will be infected with the virus. The mass-mailing portion of the virus will not execute on Macintosh computers.

DO NOT OPEN THE ATTACHMENT: ANNIV.DOC

Delete the email msg, empty the deleted items folder.

Norton Anti-Virus users: Run LiveUpdate to make sure that you have the most recent virus definitions. PC users- Upgrade your definition file to 1/18/2001 or later. Mac users, Upgrade your definition file to 2/1/2001 or later.

To remove the virus, do the following:

-- Update NAV definitions based on the instructions above.
-- Restart the computer in Safe Mode.
-- Run a full system scan.
-- If any files are found to be infected with W97M.Melissa.W, choose Repair.

12/5/00 W32.Prolin.Worm
a/k/a Creative

More info:
Symantec
Network Associates
Sophos
F-Secure

Win9x/NT/ME/2000/XP:
W32.Prolin is a mass mailing worm that spreads upon the execution of an email attachment with the filename "CREATIVE.EXE." The subject line of the email is "A great Shockwave flash movie" and the body is "Check out this new flash movie that I downloaded just now ... It's Great Bye" If the attachment is opened, the virus will move all files with the ".jpg" or ".zip" extensions to the C: root directory, and then rename them by appending the text "change atleast now to LINUX" to the filename. The virus will then email itself via Outlook to all entries in the address book.

DO NOT OPEN THE ATTACHMENT: CREATIVE.EXE

Norton Anti-Virus users: Upgrade your definition file to 11/30/00 or later.

Delete the email msg, empty the deleted items folder.

If you are infected, rename all files modified by the virus back to their original name.

11/10/00 W32.Navidad

More info:
Symantec
Network Associates
Sophos
F-Secure

Win9x/NT/ME/2000/XP:
W32.Navidad is a mass mailing worm that spreads upon execution of an email attachment with the filename "NAVIDAD.EXE." When the attachment is opened, the virus copies itself to the WINDOWS/SYSTEM directory, and modifies the registry to not allow any executables to run. It then scans the inbox of any MAPI-compatible email program for any message containing a single attachment. It will then send a reply to those messages, attaching itself to the reply.

The virus also displays a number of dialog boxes containing messages in Spanish.

DO NOT OPEN THE ATTACHMENT: NAVIDAD.EXE

Download the fix for the Navidad virus.

Norton Anti-Virus users: Upgrade your definition file to 11/09/00 or later.

Delete the email msg, empty the deleted items folder.
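Sircam and Navidad above hook the registry command that opens .exe files, Blebla hijacks several file associations, and Maldal, Gokar, Matcher, Yarner and Myparty add Run or RunOnce values or look-alike system names so that they start with Windows. The following is an added example, not code from this page, from Penn ISC or from any vendor, of a script that reads a text dump made with reg export and reports those two kinds of change. The sample dump, the parser, the check lists and the triage function are the example's own assumptions; the dump is constructed to mimic the alerts, not captured from an infected machine.

```python
"""Triage a `reg export` text dump for the autostart and file-association
hijacks described in the alerts above.

Added example for this page; not code from Penn ISC or any vendor.
Assumed: the dump is the text format reg.exe writes (UTF-16 on XP and
later, ANSI on Windows 2000), only REG_SZ string values are examined,
and the sample dump below is constructed, not captured from a real machine.
"""
import ntpath
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Zacker"="C:\\WINDOWS\\SYSTEM\\Christmas.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Kernei32"="C:\\WINDOWS\\SYSTEM\\Kernei32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\recycled\\sirc32.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Autostart keys the worms above write to (Maldal, Gokar, Matcher, Yarner).
AUTOSTART_SUFFIXES = ('\\currentversion\\run', '\\currentversion\\runonce',
                      '\\currentversion\\runservices')
# Stock open commands for executable file classes; Sircam and Navidad
# prepend their own .exe here so that every program launch re-runs them.
EXPECTED_OPEN = {'exefile': '"%1" %*', 'comfile': '"%1" %*',
                 'batfile': '"%1" %*', 'piffile': '"%1" %*',
                 'scrfile': '"%1" /S'}
# Legitimate binaries whose names the worms imitate (Kernei32 for kernel32,
# MSSTASK for mstask), and file names the alerts cite outright.
SYSTEM_STEMS = {'kernel32', 'mstask', 'svchost'}
KNOWN_BAD = {'zacker', 'christmas.exe', 'sirc32.exe', 'sysrnj.exe',
             'gone.scr', 'matcher.exe', 'navidad.exe'}


def unescape(s):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key: {value_name: data}} for REG_SZ values; '' is (Default)."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            tree.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue                      # blank, header, or non-string value
        name_tok, data = m.groups()
        name = '' if name_tok == '@' else unescape(name_tok[1:-1])
        if len(data) >= 2 and data[0] == data[-1] == '"':
            tree[key][name] = unescape(data[1:-1])
    return tree


def executable_of(command):
    """Lower-cased basename of the program a command line launches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split(' ', 1)[0]
    return ntpath.basename(path).lower()


def one_edit_away(a, b):
    """True if a becomes b by exactly one substitution, insertion or
    deletion: the cheap look-alike test used below."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def triage(text=SAMPLE_REG):
    """Return (severity, key, value_name, reason) tuples."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.lower().endswith(AUTOSTART_SUFFIXES):
            for name, cmd in values.items():
                exe = executable_of(cmd)
                stem = exe.rsplit('.', 1)[0]
                if exe in KNOWN_BAD or name.lower() in KNOWN_BAD:
                    findings.append(('high', key, name, f'{exe} is named in a worm alert'))
                elif any(one_edit_away(stem, s) for s in SYSTEM_STEMS):
                    findings.append(('high', key, name, f'{exe} is a look-alike of a system binary'))
                else:
                    findings.append(('info', key, name, f'autostart runs {exe}'))
        m = re.search(r'\\([a-z]+file)\\shell\\open\\command$', key, re.I)
        if m:
            expected = EXPECTED_OPEN.get(m.group(1).lower())
            actual = values.get('', '')
            if expected and actual != expected:
                findings.append(('high', key, '(Default)',
                                 f'open command is {actual!r}, expected {expected!r}'))
    return findings


if __name__ == '__main__':
    for sev, key, name, reason in triage():
        print(f'{sev:<5} {key}\\{name or "(Default)"}: {reason}')
```

On the suspect machine, export the keys with reg.exe (for example reg export HKCR\exefile\shell\open\command exefile.reg), copy the file off and pass its text to triage(); on XP and later the file is UTF-16, so read it with encoding='utf-16'. The look-alike test (one character away from a system binary name) is what catches Kernei32 and MSSTASK; the exact-name list only catches names that have already been published.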

10/11/00 W95.MTX
a/k/a W32/Apology

More info:
Symantec
Network Associates
Sophos
F-Secure

Win9x and ME:
W95.MTX is a worm/virus that spreads via an email attachment with a variety of filenames. For possible filenames, please see Symantec's writeup on the virus.

Note: The .pif extension is not visible in the filename on some Windows systems.

If the file attachment is opened, the virus modifies several Windows system files which are used to access the Internet. It then will do the following:

-- send a second email with every email the user sends; the second email contains the virus as an attachment, and has no subject line or body.

-- block access to most anti-virus web sites, including Symantec and Network Associates.

-- attempt to connect to an external website to download additional components for the virus.

Use extreme caution when opening attachments.

Norton Anti-Virus users: Upgrade your definition file to 8/28/00 or later.

Delete the email msg, empty the deleted items folder.

If you are infected, contact your Local Support Provider. Updating your virus definition file is difficult once you are infected, and removal of and recovery from this virus is complex. Detailed instructions can be found at Symantec's site.

12/08/99

W95/Babylonia
Many aliases

More info:
Symantec
F-Secure
Trend Micro
Network Associates

This is a memory-resident Win 95/98 virus with worm and backdoor abilities, and is capable of receiving new instructions remotely from the virus writer, altering the virus.

It is disguised as a Y2K bug fix for Internet Relay Chat (mIRC) users. When an infected user logs onto mIRC, the virus is automatically sent to everyone in the same chat room.

It infects Windows Portable Executable (PE .EXE) and Windows Help (HLP) files. It also infects WSOCK32.DLL and sends emails with an infected attachment called X-MAS.EXE.

Don't open the attachment X-MAS.EXE.

For Prevention: If you use IRC, follow NAI's Guidelines for prevention.

For Detection Only, Not Repair:
  VirusScan: Save EXTRA.DAT to your VirusScan directory.

  DrSolomons AVD: Latest update *plus* save extra.drv to the AVD directory.

  DrSolomons AVTK: Latest version from ftp.upenn (v. 8.01) plus save extra.drv to the AVTK directory.

12/06/99

W32/Mypics.worm

More info:
Symantec
Network Associates
Panda Software
Trend Micro
Sophos Anti-Virus

This worm spreads on Win95/98 and NT through e-mail via MS Outlook with an attachment named PICS4YOU.EXE. After Jan 1st, it formats the user's hard drive and modifies the CMOS memory, so that the user suspects the Y2K changeover rather than a virus. Do not open the attachment PICS4YOU.EXE.

VirusScan: DAT 4055 will detect and remove.

DrSolomons AVD: Latest update *plus* save extra.drv to the AVD directory.

DrSolomons AVTK: Latest version from ftp.upenn (v. 8.01) plus save extra.drv to the AVTK directory.

12/2/99

W32/ExploreZip.worm.pak

Network Assocs
Sophos
Datafellows
Symantec

This is a destructive worm that affects Win95/98/NT systems and spreads via MS Outlook, Outlook Express, and MS Exchange. It spreads by an email attachment called "zipped_files.exe" that has a WinZip icon. The worm copies "Explore.Exe" to Windows\System and "_Setup.Exe" to the Windows folder. It will delete and zero out all files with the extensions .c, .cpp, .h, .asm, .doc, .xls, or .ppt.

Do NOT open the "zipped_files.exe" attachment.
VirusScan: Run the Emergency Upgrade to 4054 NOW for Win95/98 and Win NT.

or save EXTRA.DAT to your VirusScan directory.

DrSolomons AVD: Latest update *plus* save extra.drv to the AVD directory.

DrSolomons AVTK: Latest version from ftp.upenn plus save extra.drv to the AVTK directory.

To remove files dropped by this worm, use the KILLEZIP.ZIP utility from NAI.
11/11/99

VBS Bubbleboy

More info:
Virus Bulletin
NAI
Sophos
DataFellows
Symantec

This is a worm that works under Windows 98 and in Win95 if Windows Scripting Host is installed. The message contains an embedded HTML file that contains viral VBS code. If certain criteria are met, the worm can spread when the email is opened in Outlook or previewed in Outlook Express.

VBS Bubbleboy has not yet been seen in the wild, and is viewed as a "proof of concept" virus by some vendors. However, installing the MS Security patch is strongly recommended, as is keeping your a-v software updated.

This virus needs all of these criteria to be met in order to run the viral code:

  • machine has Internet Explorer 5 and Outlook or Outlook Express
  • machine is running Windows 98 or Win95 w/WSH installed
  • machine has not had the patch referred to in the MS99-032 Security Bulletin applied
  • the security settings of the Internet zone in Internet Explorer are not set to 'High'
11/1/99
on campus

VBS/Freelink

More info:
Network Associates
Microsoft
Data Fellows
Sophos Anti-Virus

This is an e-mail worm written in VBScript that can affect your computer if you're using Word 97 or Word 2000 with Outlook 98 or 2000. The email text reads "Check this. Have fun with these links." Do not open the attachment raa30327.VBS or links.VBS.

Important: Configure VirusScan to recognize VBS file types (see the separate instructions for VirusScan for Win95/98 and for VirusScan for WinNT).

Delete the email msg, empty the deleted items folder.

10/9/99

W32/PrettyPark
a/k/a Pretty.worm

More info:
Network Assoc.
Datafellows
Symantec

This worm is spread via email by the attachment "PrettyPark.exe". Infection spreads when the file is executed. Do not open the "PrettyPark.exe" attachment.

VirusScan: DAT 4029
10/8/99

W97M/Melissa.u and
W97M/Melissa.v

More info:
NAI (Melissa.u)
NAI (Melissa.v)
Sophos Anti-Virus

Variation of the Melissa virus. Both variants send email using MAPI email client (e.g. Outlook) with subject line "pictures" with variant .u and "My Pictures" with variant .v. Both change macro security level to the lowest setting in Word 2000; both have damaging payloads. Win95/98: Configure VirusScan for heuristic scanning.
(WinNT version has heuristic scanning "on" by default)
Save EXTRA.DAT to your VirusScan directory.
AVD/AVTK: Save extra.drv to the appropriate directory.
9/21/99

W97M/Suppl

More info:
Network Associates.
Computer World 9/20/99
Data Fellows
Symantec

This is a virus/worm that spreads itself via SMTP e-mail with an attached file called Suppl.doc.

Suppl contains a destructive payload. Approximately 6-1/2 days after infection, the trojanized WSOCK32.DLL will zero out all files with the extensions .doc, .xls, .txt, .rtf, .dbf, .zip, .arj, and .rar.

VirusScan: Save EXTRA.DAT to your VirusScan directory.

AVD/AVTK: Save extra.drv to the appropriate directory.
9/9/99

Cholera a/k/a Simbiosis

More info:
Panda Software
Data Fellows
Sophos Anti-Virus
InfoWorld 9/9/99
Computer Associates

This is a virus/worm in a file named setup.exe, usually sent as an email attachment; if this file is run, the system becomes infected with both the CTX virus and the Cholera worm. Do not execute the setup.exe attachment.
9/1/99

W97M/Thus.a
High Risk

More info:
Network Assocs.
Data Fellows
Symantec

Infects Word 97 documents and normal.dot, and turns the Macro Warning feature off. On December 13th, when an infected file is opened, it will attempt to delete ALL FILES on C:\.

VirusScan upgrade 4041

AVD or AVTK - 9/7/99 extra.drv
8/24/99

HLLT.Toadie

More info:
Network Assocs.
Data Fellows
Symantec

Infects DOS and Windows EXE files, causing a considerable decrease in performance on slower systems. Spreads through IRC networks or Pegasus Mail.

VirusScan upgrade 4039

AVD or AVTK - 9/7/99 extra.drv
8/16/99

W32/Kriz

More info:
Network Assocs.
Data Fellows
Symantec

Infects PE EXE files on Win 95/98/NT systems. When an infected file is executed, the virus stays resident in memory, infecting other files as they are opened. On December 25th when infecting a file the virus attempts to erase the computer's CMOS information.

VirusScan upgrade 4039

AVD or AVTK - 9/7/99 extra.drv
8/1/99

Wobbler a/k/a California
HOAX

More info:
Network Assocs.
Data Fellows
Symantec

A hoax: an email message telling you to mail copies of it to everyone. Delete the message.
Information Systems and Computing
University of Pennsylvania
Comments & Questions

