Virus Warnings

Current Virus Warnings:

Three new virus alerts have been posted by Symantec (10/29/2004)

W32.Beagle.AV@mm (10/29/2004)

W32.Beagle.AV@mm is a mass-mailing worm that also spreads through file-sharing networks. The worm will open a backdoor on TCP port 81.

To read more about this virus

W32.Beagle.AW@mm (10/29/2004)

W32.Beagle.AW@mm is a mass-mailing worm that also spreads through file-sharing networks. The worm will open a backdoor on TCP port 81.

To view more about this virus

W32.Beagle.AU@mm (10/29/2004)

Information about W32/Bagle-AU can be found at:

To view more about this virus

------------------------------------------------------

Microsoft GDI+ Library JPEG Segment Length Integer Underflow Vulnerability (09/17/2004)

Please review this link regarding Microsoft Service Pack 2 and the JPEG security threat. We advise you to thoroughly review Microsoft Service Pack 2 and the impact that it would have on your operations.

http://securityresponse.symantec.com/avcenter/security/Content/11173.html

-----------------------------------------------------------------

W32.Beagle.AG@mm (07/19/2004)

Over the past several weeks we have seen multiple versions of this virus; this is the latest.

W32.Beagle.AG@mm is a mass-mailing worm that uses its own SMTP engine to spread through email and opens a backdoor on TCP port 1080.

The subject line, body, and attachment name of the email vary. The attachment will have a .com, .cpl, .exe, .scr, or .zip file extension. If the file attachment is a .zip file, it will be password protected.

The worm is packed with PeX.

Symantec Security Response has developed a removal tool to clean the infections of W32.Beagle.AG@mm.

Also Known As: WORM_BAGLE.AH [Trend], W32/Bagle.ai@MM [McAfee], W32/Bagle-AI [Sophos], Win32.Bagle.AI [Computer Associates]

Type: Worm
Infection Length: varies

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x

To read more about this virus

---------------------------------------------------------------------------------------

W32.Sasser.Worm (05/01/2004)

This is a virus alert for W32/Sasser.A, a new network worm first detected on 1 May 2004.

Risk:
Due to its distribution, W32/Sasser.A is estimated to be high risk.

Recommended Reactions:
Users of F-Prot Antivirus should update their virus signature files immediately. W32/Sasser.A is detected by F-Prot Antivirus using virus signature files dated 1 May 2004 and later.

This new worm uses an LSASS vulnerability first reported on 13 April 2004 in Microsoft Security Bulletin MS04-011. Windows users are urged to update their operating system with the latest patches available from Microsoft:

http://www.f-prot.com/news/vir_alert/windows_security_report_040414.html
http://www.microsoft.com/technet/security/bulletin/ms04-011.msp

To read more about this virus

---------------------------------------------------------------------------------------

W32.Beagle.J@mm (03/08/2004)

W32.Beagle.J@mm is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email.
It sends the attacker the port on which the backdoor listens, as well as the IP address.
It attempts to spread through file-sharing networks, such as Kazaa and iMesh, by dropping itself into the folders that contain "shar" in their names.


The email has the following characteristics:
From: Spoofed to appear as though it is coming from one of the following addresses at the recipient's domain:
management
administration
staff
noreply
support

Attachment: A randomly named .exe file, stored inside a .zip file, or a .pif file. The .zip file may be password-protected, though Symantec antivirus products will detect these files.


Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

To read more about this virus

---------------------------------------------------------------------------------------

W32.Netsky.D@mm (03/01/2004)

W32.Netsky.D@mm is a mass-mailing worm that is a variant of W32.Netsky.C@mm. The worm scans drives C through Z for email addresses and sends itself to those that are found. The Subject, Body, and Attachment names vary.

Also Known As: WORM_NETSKY.D [Trend], W32/Netsky@MM [McAfee], W32/Netsky.D.worm [Panda], W32/Netsky-D [Sophos]

To read more about this virus

---------------------------------------------------------------------------------------

W32.Beagle.E@mm (03/01/2004)

W32.Beagle.E@mm is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email. It can also send the port on which the backdoor listens, as well as a randomized ID number, to the attacker.

From: <spoofed>
Subject: <varies>
Attachment: <random characters>.zip (which contains an executable file, <random characters>.exe)

The worm is very similar in functionality to W32.Beagle.C@mm and is packed by PeX.

Also Known As: Bagle.E [F-Secure], I-Worm.Bagle.e [Kaspersky], WORM_BAGLE.E [Trend], Win32.Bagle.E [Computer Associates]

Type: Worm
Infection Length: 17-18kb

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

To read more about this virus

---------------------------------------------------------------------------------------

W32.Alua@mm (02/17/2004)

W32.Alua@mm is a mass-mailing worm that opens a backdoor on TCP port 8866.

Note: Security Response is currently investigating this worm and will post more information as it becomes available.

The email has the following characteristics:

Subject: ID <6 random characters>... thanks
Attachment: <7 random characters>.exe

To read more about this virus

-------------------------------------------------------------------------------------------------------

W32.Novarg.A@mm (01/28/2004)

W32.Novarg.A@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.

In addition, the backdoor can download and execute arbitrary files.

The worm will perform a Denial of Service (DoS) starting on February 1, 2004. It also has a trigger date to stop spreading on February 12, 2004. These two events will only occur if the worm is run between or after those dates. While the worm will stop spreading on February 12, 2004, the backdoor component will continue to function after this date.

Also Known As: W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend], Win32.Mydoom.A [Computer Associates], W32/Mydoom-A [Sophos], I-Worm.Novarg [Kaspersky]

Type: Worm
Infection Length: 22,528 bytes, variable file size for a .zip attachment

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

To read more about this virus

---------------------------------------------------------------------------------------

W32.Beagle.A@mm (01/20/2004)

W32.Beagle.A@mm is a mass-mailing worm that accesses remote Web sites and sends email to any addresses it finds. The email has the following characteristics:

Subject: Hi
Filename: <Random>.exe
Filesize: 15,872 bytes

The worm will only work until January 28th, 2004 (see note at step 1 below).

Symantec Security Response has developed a removal tool to clean the infections of W32.Beagle.A@mm.
Also Known As: I-Worm.Bagle [Kaspersky], WORM_BAGLE.A [Trend]

Type: Worm
Infection Length: 15,872 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

To read more about this virus

---------------------------------------------------------------------------------------

W32.Mimail.C@mm (11/03/03)

To read more about this virus

---------------------------------------------------------------------------------------

Trojan.Qhosts (10/07/2003)

To read more about this virus

---------------------------------------------------------------------------------------

W32.Swen.A@mm (09/19/03)

To read more about this virus:

---------------------------------------------------------

W32.Welchia.Worm (08/20/03)

To read more about this virus

---------------------------------------------------------

W32.Sobig.F@mm (08/19/03)

To read more about this virus

-----------------------------------------------------

W32.Blaster.Worm

To read more about this virus

---------------------------------------------

W32.Mimail.A (08/04/03)

To read more about this virus

----------------------------------------

W32.goner.a@mm: Screen Saver Worm

----------------------------------------

What to do if you think you have a virus:

If you think you have been infected by a virus, please contact your Technical Director. For immediate help with a virus, you may call our e-mail help desk at 817.740.7603 or, in case of a widespread problem, Shirley Van Vleck at 817.740.3656.