POSTED: APR 22, 2002
VIRUS TYPE: email worm
OS AFFECTED: ALL
ALIASES: W32/Klez.G@mm (Norman), W32/Klez.gen@MM, W32/Klez.I (Panda), W32/Klez.K-mm, WORM_KLEZ.G (Trend)
AUTHOR: Unknown
FIX: Symantec's Removal Tool
Most commonly recognizable by any of the following subject lines:
Subject: A very funny website
or Subject: 1996 Microsoft Corporation
or Subject: Hello,yourname,honey
or Subject: Initing esdi
or Subject: Editor of PC Magazine.
or Subject: Some questions
or Subject: Telephone number
Sends an email with attachments of type .bat, .exe, .pif or .scr. Sends information to specific email addresses. Also uses your address book to pass the virus along to others.
The worm may send a clean document in addition to an infected file. A document found on the hard disk that has one of the following extensions is sent:
.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.c
.pas
.mpg
.mpeg
.bak
.mp3
.pdf
This payload can result in confidential information being sent to others.
PAYLOAD:
- Attempts to disable antivirus programs that are running
- Overwrites files with zeros on the 6th of every odd-numbered month (January, March, May, July, September, November)
- Information such as passwords may be logged and emailed to predefined addresses
- Will propagate by sending itself to addresses in your ICQ and address book (uses your current SMTP engine [i.e. Outlook])
POSTED: DEC 19, 2001
VIRUS TYPE: keylogger
OS AFFECTED: ALL
AUTHOR: Unknown
FIX: Symantec's Removal Tool
Logs keystrokes and net/network connections. Sends information to specific email addresses. Also uses your address book to pass the virus along to others.
PAYLOAD:
- kernel32 is altered
- Information such as passwords may be logged and emailed to predefined addresses
- Will propagate by sending itself to addresses in your address book (uses your current SMTP engine [i.e. Outlook])
POSTED: DEC 6, 2001
VIRUS TYPE: email/ICQ worm
OS AFFECTED: ALL
ALIASES: W32.Goner.A@mm, Gone.scr
AUTHOR: Unknown
FIX: Symantec's Removal Tool
W32.Goner.A@mm is a mass-mailing worm that is written in Visual Basic. The worm has been compressed using a known Portable Executable (PE) file compressor. The worm can spread its infection using the ICQ network as well as by email using Microsoft Outlook. If IRC is installed, this worm can also insert mIRC scripts that will enable the computer to be used in Denial of Service (DoS) attacks. The IRC channel used for controlling the worm is currently blocked, preventing this functionality.
PAYLOAD:
Specific System, Anti-Virus, and Firewall files are deleted. May render the system unusable if not resolved early.
POSTED: July 27, 2001
VIRUS TYPE: email worm
OS AFFECTED: WinNT4.0 or Win2000 Servers running IIS
ALIASES: W32/Bady, I-Worm.Bady, Code Red, CodeRed, W32/Bady.worm
AUTHOR: Unknown
FIX: Microsoft Patch
This worm, spread via email, targets a hole in the Microsoft NT Server 4.0 and Windows 2000 Server family, more specifically those machines running Internet Information Server (IIS). The virus attacks the Index Server component of IIS, manipulating its function to search the internet for other servers running IIS. An infected server's website may exhibit the text "hacked by chinese". On July 31, 2001, all infected servers are then set to attack the U.S. White House government website.
FIX:
An infected server and its websites can be restored by simply rebooting the machine. Microsoft has also issued a patch to resolve the security hole in its product and prevent infection.
POSTED: July 27, 2001
VIRUS TYPE: email worm
OS AFFECTED: All except WinNT 4.0 and Windows 2000
ALIASES: W32/SirCam@mm, Backdoor.SirCam
AUTHOR: Unknown
FIX: Symantec's Removal Tool
Emerged in July, 2001. "Sircam" is an e-mail worm that has spread to computer users in 50 countries. Sircam comes with its own SMTP engine, which enables it to send its infected mails independent of what email program is on the infected user's computer.
The worm, also named W32.Sircam, arrives as an e-mail attachment and can delete files from the infected computer's hard drive. The contaminated emails come in English and Spanish versions, with the text as follows:
Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.
English Version:
First line: Hi! How are you?
Last line: See you later. Thanks
It sends copies of itself, disguised as a random file from the infected computer's hard drive, typically a recent file in the 'My Documents' folder, to all addresses in the infected computer's address book.
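The Klez subject lines and attachment types listed earlier on this page, and the SirCam first/last body lines given just above, can be turned into a simple mail-triage check that flags messages matching either set of indicators. The Python below is an added example written for this page, not code from the original advisories or from any vendor removal tool. The sample messages, sender and recipient addresses, attachment names and body filler are constructed here; matching on the exact subject text is an assumption that catches only the variants the page lists.

```python
"""Mail triage check for the Klez and SirCam indicators given on this page."""
import email
import os
from email.message import EmailMessage
from email.policy import default as DEFAULT_POLICY

# Subject lines the page lists for Klez (compared case-insensitively).
KLEZ_SUBJECTS = {
    "a very funny website",
    "1996 microsoft corporation",
    "hello,yourname,honey",
    "initing esdi",
    "editor of pc magazine.",
    "some questions",
    "telephone number",
}
# Attachment types the page says Klez sends.
KLEZ_ATTACHMENT_EXTS = {".bat", ".exe", ".pif", ".scr"}

# First and last body lines of the two SirCam text variants on the page.
SIRCAM_FIRST_LINES = {"hola como estas ?", "hi! how are you?"}
SIRCAM_LAST_LINES = {"nos vemos pronto, gracias.", "see you later. thanks"}


def _attachment_names(msg):
    """Collect the filenames of every part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def _body_lines(msg):
    """Non-empty, stripped lines of the text/plain body (empty if none)."""
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return []
    return [ln.strip() for ln in body.get_content().splitlines() if ln.strip()]


def triage(raw_message: str) -> list[str]:
    """Return the indicators matched by one raw RFC 822 message, in order:
    Klez subject, Klez attachment(s), SirCam body framing."""
    msg = email.message_from_string(raw_message, policy=DEFAULT_POLICY)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in KLEZ_SUBJECTS:
        hits.append(f"klez-subject:{subject}")
    for name in _attachment_names(msg):
        if os.path.splitext(name)[1].lower() in KLEZ_ATTACHMENT_EXTS:
            hits.append(f"klez-attachment:{name}")
    lines = _body_lines(msg)
    if (lines and lines[0].lower() in SIRCAM_FIRST_LINES
            and lines[-1].lower() in SIRCAM_LAST_LINES):
        hits.append("sircam-body")
    return hits


def build_sample(subject, body, attachment_name=None):
    """Build a constructed raw message for testing; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed placeholder
    msg["To"] = "recipient@example.invalid"  # constructed placeholder
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Two bytes of dummy content; only the filename matters for triage.
        msg.add_attachment(b"MZ", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    samples = {
        "klez-like": build_sample("A very funny website", "check this out", "funny.scr"),
        "sircam-like": build_sample("Re: your report",
                                    "Hi! How are you?\n\nSee you later. Thanks\n",
                                    "report.doc"),
        "clean": build_sample("Meeting notes", "See attached.", "notes.txt"),
    }
    for label, raw in samples.items():
        print(f"{label}: {triage(raw) or 'no indicators'}")
```

The check is deliberately narrow: it only recognizes the exact subject and body strings on this page, so a message with a subject variant the page does not list is not flagged. A practical filter would also look at the attachment content, not only its extension.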