Top 10 malware reported to Sophos in October 2004

QHosts-18 is located on VIL at:
http://vil.nai.com/vil/content/v_128704.htm

A new Trojan horse program that attacks and removes troublesome advertising software, known as "adware," is circulating on the Internet, according to antivirus company Symantec.

W32/Buchon.gen@MM is located on VIL at:
http://vil.nai.com/vil/content/v_129160.htm

When this worm is run, it does not configure itself to load at system startup. It does not mail as a ZIP attachment, nor does it use varying message characteristics or spread over network shares. There are at least 2 such variants that were discovered today, with minor differences between them. Testing shows the variants to contain bugs, which may prevent them from functioning on many systems.
This mass-mailing virus attempts to send itself to email addresses found on the local system. The virus is received in an email message as follows:

Unix/Opener.worm is located on VIL at:
http://vil.nai.com/vil/content/v_129163.htm

Antivirus experts have warned Mac users and sysadmins against becoming complacent about security after the discovery of a worm targeting the Mac OS X operating system.
The Mac platform is not immune from security threats, affected as it is by numerous vulnerabilities (many derived from its Unix components) and several thousand macro viruses. However, worms have been all but unknown on the Mac since the late 1980s, security experts said.

W32/Myfip.worm.g is located on VIL at:
http://vil.nai.com/vil/content/v_129164.htm

The Myfip worm, which was discovered in the wild a month ago, is starting to spread, according to email security firm MessageLabs.
The worm assumes the guise of an email from a webmaster at eBay. The email asks the recipient to take part in a 'Multiple Item Auction' with the chance of winning a prize. But the worm's most worrying characteristic is its use of a previously unknown packing utility.

W32/Zafi.c@MM is located on VIL at:
http://vil.nai.com/vil/content/v_129165.htm

The latest variant of the Zafi worm was discovered on Wednesday and, unlike the previous two variants, Zafi.C has been coded to launch a distributed denial-of-service (DDoS) attack against Google.com, Microsoft.com and miniszterelnok.hu, which is the Web site of the Hungarian Prime Minister.
The Zafi worm has evolved since it was first discovered in April of this year. Zafi.A contained Hungarian text and only tried to send itself to email addresses inside Hungary. Also, it did not contain a destructive payload. Two months later Zafi.B was released and this time the worm was able to terminate antivirus and firewall applications and 'speak' in numerous languages, including English, Spanish, Russian and Swedish.

Beckham + strumpet pic actually Trojan

Virus writers have moved on from using Osama bin Laden's or Arnold Schwarzenegger's supposed suicides as a lure to trying a similar trick involving "compromising pictures" of football superstar David Beckham.
VXers have seeded multiple Usenet groups with messages claiming that they have photographic proof Becks (AKA Golden Balls) has been having an affair, pointing users towards the supposed evidence. In reality this file offers only the Hackarmy Trojan. Beginning in July virus writers used the same trick to try to con users into believing the same Trojan was either a suicide note from Arnold Schwarzenegger, photographs depicting Osama Bin Laden's supposed untimely demise or "footage" of slain American hostage Nick Berg, who was beheaded by Iraqi insurgents in May.

W32/Netsky-B

W32/Netsky-B is a worm that spreads by email and Windows network shares.
W32/Netsky-B copies itself into the Windows folder as services.exe.
In order to run automatically when Windows starts up, W32/Netsky-B creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
service= "C:\\WINDOWS\\services.exe -serv"
W32/Netsky-B searches all mapped drives for files with the following extensions in order to find email addresses: MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML.
W32/Netsky-B searches drives C: to Z: and attempts to copy itself into folders with names containing the string "share" or "sharing".
The file names used by the worm for copying itself to shared folders are:
angels.pif
cool screensaver.scr
dictionary.doc.exe
dolly_buster.jpg.pif
doom2.doc.pif
e-book.archive.doc.exe
e.book.doc.exe
eminem - lick my pussy.mp3.pif
hardcore porn.jpg.exe
how to hack.doc.exe
matrix.scr
max payne 2.crack.exe
nero.7.exe
office_crack.exe
photoshop 9 crack.exe
porno.scr
programming basics.doc.exe
rfc compilation.doc.exe
serial.txt.exe
sex sex sex sex.doc.exe
strippoker.exe
virii.scr
win longhorn.doc.exe
winxp_crack.exe
W32/Netsky-B may arrive in an email with the following characteristics:
Subject line: randomly chosen from -
unknown
fake
stolen
information
warning
something for you
read it immediately
hello
Message text: randomly chosen from -
something is fool
something is going wrong
you are bad
you try to steal
you feel the same
you earn money
thats wrong
why?
take it easy
reply
do you?
that's funny
here, the cheats
here, the introduction
here, the serials
from the chatter
about me
information about you
something is going wrong!
stuff about you?
greetings
see you
here it is
that is bad
yes, really?
i found this document about you
your name is wrong
i hope it is not true!
kill the writer of this document!
something about you!
I have your password!
you are a bad writer
is that from you?
i wait for a reply!
is that your account?
is that your name?
is that true?
here
my hero
read it immediately!
here is the document.
read the details.
i'm waiting
what does it mean?
anything ok?
Attached file: one of the following filenames with a double file extension -
misc
party
disco
part2
mail2
object
ranking
dinner
release
final
location
jokes
friend
website
mails
story
found
nomoney
aboutyou
shower
topseller
product
swimmingpool
bill
note
concert
textfile
posting
stuff
attachment
details
creditcard
message
ps
msg
talk
document
unknown
fake
stolen
information
warning
something for you
read it immediately
hello
The extension is a combination of DOC, RTF, HTM, PIF, COM, SCR and EXE. W32/Netsky-B may also send a ZIP file.
The email address of the sender will be spoofed.
When the attachment is opened, W32/Netsky-B may display a fake message box reading "The file could not be opened".
W32/Netsky-B attempts to remove registry entries related to a few recent viruses, including W32/MyDoom-A and W32/MyDoom-B.
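The subject lines, attachment stems and extension set listed above are exact enough to drive a mail-gateway filter. The following is an added example, not part of the original alert or any vendor's product: it transcribes those indicators and scores a message's subject and attachment name against them. The verdict tiers (block, quarantine, review, allow) and the treatment of the last extension as the executable one are this example's own assumptions.

```python
import re

# Indicator lists transcribed from the W32/Netsky-B description above.
SUBJECTS = {"unknown", "fake", "stolen", "information", "warning",
            "something for you", "read it immediately", "hello"}
STEMS = {"misc", "party", "disco", "part2", "mail2", "object", "ranking",
         "dinner", "release", "final", "location", "jokes", "friend", "website",
         "mails", "story", "found", "nomoney", "aboutyou", "shower", "topseller",
         "product", "swimmingpool", "bill", "note", "concert", "textfile",
         "posting", "stuff", "attachment", "details", "creditcard", "message",
         "ps", "msg", "talk", "document"} | SUBJECTS
EXTS = {"doc", "rtf", "htm", "pif", "com", "scr", "exe"}
EXECUTABLE = {"pif", "com", "scr", "exe"}  # Windows runs these directly
# stem.inner.outer, e.g. "document.doc.exe"; the stem may itself contain dots
DOUBLE_EXT = re.compile(r"^(?P<stem>.+)\.(?P<inner>[a-z]+)\.(?P<outer>[a-z]+)$")

def match_attachment(filename):
    """Return the Netsky-B indicators an attachment name matches ([] if none)."""
    name = filename.strip().lower()
    hits = []
    if name.endswith(".zip"):  # the worm may also send a ZIP file
        if name[:-4] in STEMS:
            hits.append("zip-with-netsky-stem")
        return hits
    m = DOUBLE_EXT.match(name)
    if m and m["inner"] in EXTS and m["outer"] in EXTS:
        hits.append("double-extension")
        if m["outer"] in EXECUTABLE:
            hits.append("executable-outer-extension")
        if m["stem"] in STEMS:
            hits.append("netsky-b-stem")
    return hits

def score_message(subject, attachment):
    """Combine subject and attachment evidence into a gateway verdict; the
    tiering is this example's own heuristic (listed stem + executable double
    extension blocks, other attachment hits quarantine, subject alone = review)."""
    hits = match_attachment(attachment)
    if subject.strip().lower() in SUBJECTS:
        hits.append("netsky-b-subject")
    if "netsky-b-stem" in hits and "executable-outer-extension" in hits:
        return "block", hits
    if any(h != "netsky-b-subject" for h in hits):
        return "quarantine", hits
    return ("review" if hits else "allow"), hits

if __name__ == "__main__":  # constructed sample messages, not captured traffic
    for subj, att in [("something for you", "document.doc.exe"),
                      ("warning", "details.zip"), ("Q3 numbers", "budget.xlsx")]:
        print(subj, att, "->", score_message(subj, att))
```

Because the inner extension must also come from the listed set, an unrelated lure such as photo.jpg.exe is not flagged by this filter; a general double-extension rule belongs in a separate, broader check.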
Our VIRUS Alert Post for October 2004