- W32/Sober@MM!M681
Nov 22,
2005
Virus Characteristics:
This is a virus variant of the Sober series which may contain the following:
Subject: New email address, Paris Hilton, You visit illegal web sites, Registration confirmation
Body: Often contains language naming FBI or CIA agent Steven Allison or the logging of your IP address.
Attachment: This virus spreads via email. It harvests email addresses from files found on the local system. The attachment does not open and its goal is to utilize the recipient's computer to gather information.
Delete the message
For additional information on this worm,
please use the link above
***************************
- W32/Sober.r@MM
Oct 6,
2005
Virus Characteristics:
This is a mass mailing worm variant of the Sober series, which may contain the following:
Subject: Your new Password
Body: Your password was successfully changed!
Please see the attached file for detailed information.
Attachment is a zip file and may contain anti-stinger code to terminate processes with the name stinger.
A fake message is displayed when "stinger.exe" is run.
For additional information on this worm,
please use the link above
***************************
- W32/IRCbot.worm!MS05-039
Aug 18,
2005
Virus Characteristics:
This is a fast-spreading Internet Relay Chat bot worm affecting systems worldwide.
The worm exploits a system vulnerability to spread and possibly help a hacker to control an infected system.
The most obvious characteristic of this infection is that your system will continually reboot.
For additional information on this worm,
please use the link above
***************************
- W32/Sober.p@MM
May 2,
2005 Virus Characteristics:
This is a mass-mailing worm hiding inside an email attachment.
The attachment is a zip file.
When run, the worm displays a fake error message,
infects the host computer and sends itself to the email addresses that are harvested from the infected machine.
Like many Sober variants, this variant uses several different email messages randomly,
in either English or German depending on the version of Windows.
For additional information on this worm,
please use the link above
***************************
- W32/Bagle.dldr
Mar 2,
2005 Virus Characteristics:
This is a trojan that has been mass-spammed over the past 24 hours.
W32/Bagle.dldr is a Medium Risk Trojan downloader that tries to:
• Open a communication port on your computer
• Download a .jpg picture file from various sites
• Terminate security services like anti-virus updating
Unlike earlier variants, W32/Bagle.dldr does not appear to mass-mail itself to stolen email contacts.
This variant copies itself to %WinDir%\system32 as WINSHOST.EXE (34,304 bytes) and adds registry hooks
as well as getting injected into the EXPLORER process and trying to download a file zo2.jpg from various sites.
It also terminates security services like its predecessors (other Bagles)
and in some cases renames the main security program executable.
For additional information on this worm,
please use the link above
***************************
- W32/Mydoom.be@MM
Feb 22,
2005 Virus Characteristics:
This is a mass-mailing worm with the following characteristics:
From: address of messages is spoofed
Subject:
(any of the following examples)
•delivery failed,
•Message could not be Delivered
•Mail System Error -
•Returned Mail
Body
We have received reports that your account was used to send a
large amount of junk email messages during the week.
Attachment
Examples:
README, INSTRUCTION, TRANSCRIPT
For additional information on this worm,
please use the link above
***************************
- W32/Mydoom.bb@MM
Feb 16,
2005
This is a mass-mailing worm with the following characteristics:
contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine's Windows Address Book (WAB)
It also gathers addresses from the Temporary Internet Files folder
From: address of messages is spoofed
Subject:
(any of the following)
• The original message was included as attachment
• The/Your m/Message could not be delivered
• hello
• hi
• error
• status
• test
• report
• delivery failed
• Message could not be delivered
• Mail System Error - Returned Mail
• Delivery reports about your e-mail
• Returned mail: see transcript for details
• Returned mail: Data format error
Body Text:
A typical message explains a detection of infected mail by the system and
directs the user to follow the instructions in the attachment for removal
Your e-mail account was used to send a huge amount of unsolicited e-mail messages during the recent week.
Most likely your computer had been infected by a recent virus and now runs a hidden proxy server.
Please follow our instruction in the attached file in order to keep your computer safe
Attachment:
May be a file titled Read Me, Instructions
For additional information on this worm,
please use the link above
***************************
- W32/Sober.k@MM
Jan 31,
2005
This is a mass-mailing worm with the following characteristics:
contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
the From: address of messages is spoofed
Outgoing messages may be in English or German
Subject:
I've got YOUR email on my account!!
Body Text:
Hello, First, Sorry for my bad English!
Someone send our private mails on my email account!
I think it's an Mail-Provider or SMTP error.
Normally, I delete such emails immediately, but in the mail-text is a name & address. I think it's your name and address.
In the lst 8 days I've got 7 mails in my mail-box, but the receipent are you, not me.
lol OK.
Attachment:
EMAIL_TEXT.ZIP or
TEXT.ZIP
The importance of the mail is set to "High"
For additional information on this worm,
please use the link above
***************************
- W32/Bagle.bj@MM
Jan 28,
2005
This is a Medium Risk mass mailing worm with the following characteristics:
contains its own SMTP engine to construct outgoing messages
harvests email addresses from the victim machine
From: address of messages is spoofed
contains a remote access component (notification is sent to hacker)
copies itself to folders that have the phrase shar in the name
Subject:
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Body Text:
Thanks for use of our software, or
Before use read the help
For additional information on this worm,
please use the link above
***************************
- W32/Zafi.d@MM
Dec 14,
2004
This is a Medium Risk mass mailing worm that steals email addresses from an infected machine.
It is characterized by masking itself as a Christmas greeting. It will attempt to shut down various
processes on your PC. It will also disable security features.
For additional information on this worm,
please use the link above
***************************
- W32/Sober.j@MM
Nov 22,
2004
This is a Medium Risk mass mailing worm that steals email addresses from an infected machine.
It is characterized by error warnings, refers to WinZip files and data, and contains
links that direct you to open http files.
For additional information on this worm,
please use the link above
***************************
- W32/Mydoom.ah@MM
Nov 9,
2004
This is a Medium Risk mass mailing worm that steals email addresses from an infected machine, then forwards itself to those contacts, often faking the "From:" field.
The worm, which security firms dubbed MyDoom.AF, MyDoom.AH and MyDoom.AG, spreads by e-mail and exploits a recently discovered buffer overflow vulnerability in IE.
Internet users should avoid opening suspicious e-mail with the subject headers "funny photos :)," "hello," "hey!" and blank headers, according to security firm iDefense Inc. Users who open the infected e-mail and click on links in the message body will be directed to destinations from which an attack may be launched.
Microsoft issued a statement saying that it was aware of the new variant and an investigation is underway. According to early reports the vulnerability does not exist on Windows XP SP2 operating systems.
For additional information on this worm,
please use the link above
***************************
- W32/Netsky.ag@MM
Oct. 15,
2004
This is a Medium Risk mass mailing worm that steals email addresses from an infected machine, then forwards itself to those contacts, often faking the "From:" field.
FROM: Varies (forged addresses taken from infected system).
SUBJECT: Varies. Examples: 0123456789, Abra rapido isso!!!!, acrdito que em voce!!!
BODY: Varies. Examples: PizzaVeneza!, preenche ai ta bom, encontro voce!
ATTACHMENT: Varies. Examples: agradou, agua!, AIDS!
When run, the worm displays a message box with the warning "File corrupted replace this!". The worm copies itself to folders with the string "share" or "sharing", network shares and P2P shared folders, using file names like aninha gatinha!.zip.scr, barrio.scr and cafe!!.zip.scr.
For additional information on this worm,
please use the link above
***************************
- W32/Bagle.az@MM
Sep 29,
2004
This is a Medium Risk mass mailing worm that can provide hackers access to your computer. It spreads via email.
Characteristics are:
FROM: Varies (spoofed)
SUBJECT: Re:, Re: Hello, Re: Thank you!, Re: Thanks :), Re: Hi
BODY: :), :))
ATTACHMENT: Price, price, Joke (with an extension of .exe, .scr, .com or .cpl)
For additional information on this worm,
please use the link above
***************************
- W32/Bagle.dll.dr
Sep 1,
2004
This is a Low Risk mass mailing worm that has been updated. It spreads via email. The Attachment line may say "foto.zip"
The college server is protected, but users may receive a message that the virus has been detected and removed.
For additional information on this worm,
please use the link above
***************************
- W32/Mydoom.s@MM
Aug 16,
2004
This is a Medium Risk mass mailing worm. It spreads via email. The Subject line may say "photos"; Message body "LOL;))))" and the Attachment line may say "photos_arc.exe"
For additional information on this worm,
please use the link above
***************************
- W32/Bagle.aq@MM
Aug 8,
2004
This is a Medium Risk mass mailing worm that constructs messages using its own SMTP engine, spoofing the From: address, and harvesting email addresses from the victim machine.
It contains an attachment that is a ZIP file. It also sends a notice back to the sender. The attachment zip file can be viewed within Internet Explorer and contains code which will retrieve the virus from websites.
The body text of this worm may contain one of the following phrases: new price; or a sentence stating 'The password is Password:'
For additional information on this worm,
please use the link above
***************************
- W32/Mydoom.o@MM
July 26,
2004
This is a Medium Risk mass-mailing worm that constructs messages using its own SMTP engine, spoofing the From: address, and harvesting email addresses from the victim machine.
It contains an attachment that can be a ZIP file.
The subject text of this worm may contain one of the following phrases: hello, hi, error, status, test, report, delivery failed, Message could not be delivered, Mail System Error - Returned Mail, Delivery reports about your email, Returned mail: see transcript for details or Returned mail: Data format error.
For additional information on this worm,
please use the link above
***************************
- W32/Bagle.ai@MM
July 19,
2004
This is a Medium Risk mass-mailing worm that constructs messages using its own SMTP engine, spoofing the From: address.
It contains an attachment that can be a password-protected zip file, with the password included in the message body.
The body text of this worm may contain one of the following phrases: fotoinfo, foto3 and MP3, foto3 and MP3, fotogalary and Music, fotoinfo, Lovely animals, Animals, Predators, The snake, or Screen and Music.
For additional information on this worm,
please use the link above
***************************
- W32/Bagle.ag@MM
July 19,
2004
This is a Medium Risk mass-mailing worm that constructs messages using its own SMTP engine, spoofing the From: address.
It contains an attachment that can be a password-protected zip file, with the password included in the message body.
For additional information on this worm,
please use the link above
***************************
- W32/Bagle.af@MM
July 16,
2004
This is a Medium Risk mass-mailing worm that constructs messages using its own SMTP engine, spoofing the From: address.
It contains an attachment that can be a password-protected zip file, with the password included in the message body.
For additional information on this worm,
please use the link above
***************************
- W32/Bagle.ad@MM
July 5,
2004
This is a Medium Risk mass-mailing worm that constructs messages using its own SMTP engine, spoofing the From: address.
It contains an attachment that can be a password-protected zip file, with the password included in the message body.
For additional information on this worm,
please use the link above
***************************
- W32/Lovgate.ad@MM
July 2,
2004
This is a Medium Risk mass mailing worm. This virus mails itself in two ways: constructing its own messages using its built in SMTP engine, or replying to messages on the local system using MAPI.
When constructing messages using its own SMTP engine, target email addresses are harvested from files on the victim machine. The worm avoids mailing itself to addresses containing any of a list of strings it carries.
For additional information on this worm,
please use the link above
***************************
- W32/Zafi.b@MM
June 14,
2004
This is a Medium Risk mass-mailing worm that constructs messages using its own SMTP engine, spoofing the From: address.
It will send itself out in different languages depending on the domain of the user's address.
For additional information on this worm,
please use the link above
***************************
- W32/Lovgate.ab@MM
May 19,
2004
This is a Medium Risk mass mailing worm. It arrives inside an email attachment.
It can infect executable programs.
This virus will try to disable anti virus and security software.
It will also email itself to addresses stolen from address books and
may reply to unread mail on the infected machine with a spoofed name in the From field.
For additional information on this worm,
please use the link above
***************************
- W32/Sasser.worm.d
May 4,
2004
This is a Medium Risk internet worm. It exploits unpatched versions of Windows 2000 and XP operating systems,
causing infected PCs to repeatedly reboot.
Users do not need to click anything to become infected with W32/Sasser.worm.d. Simply
logging onto the Internet without the necessary patch (or a good firewall) can give the worm access.
The Sasser worms are constructed to do the rest of the damage by downloading themselves and establishing connections to repeat and spread.
Diligence is required to install patches which Drew emails to all college employees. Users must take an active part in protection from these attacks.
***************************
- W32/Bagle.aa@MM
April 28,
2004
This is a version of the Bagle virus.
From: Varies (forged addresses taken from infected system)
Subject: Varies. Examples (check our site for the complete list):
Hello
Hi
Re:Important
Re:something with the word Message
Body: Varies
Attachment: Varies. The attachment may have an icon of an envelope, or the attachment can be a password-protected zip file, with the password included in the message body
For additional information on this worm,
please use the link above
Delete all email messages from people you don't know.
***************************
- W32/Bagle.z@MM
April 27,
2004
This is a version of the Bagle virus.
From: Varies (forged addresses taken from infected system) or some girl's name, i.e.
lizie@
annie@
ann@
christina
secretGurl
jessie
christy
Subject: Varies. Examples (check our site for the complete list):
Hello
Hi
Re:Important
Re:something with the word Message
Body: Varies
Attachment: Varies. The attachment may have an icon of 3 berries
For additional information on this worm,
please use the link above
Delete all email messages from people you don't know.
***************************
- W32/Netsky.s@MM
April 7,
2004
This is a version of the Netsky virus.
From: Varies (forged addresses taken from infected system).
Subject: Varies. Examples (check our site for the complete list):
Hello
Hi
Re:Important
Body: Varies
Attachment: Varies. The attachment has a .PIF extension. The filename is constructed from strings within the worm, with a random number appended to it. Examples:
sample
postcard
development
For additional information on this worm,
please use the link above
Delete all email messages from people you don't know.
***************************
- W32/Sober.f@MM
April 5,
2004
Virus Characteristics: This is a version of the Sober virus.
From: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.
Subject:
Bad Gateway
O My God
Warning
Additional examples are listed in the complete description of the virus linked above
Body: Follow the instructions to read the message, or some other text describing a warning
Attachment: Either a .PIF or a .ZIP file with a name denoting a warning or system info
For additional information on this worm,
please use the link above
Delete all email messages from people you don't know.
***************************
- W32/Netsky.q@MM
Mar 30,
2004
Virus Characteristics: This is a version of the
Netsky virus.
From: will be spoofed - may be from your address
book
Subject: Some form of a warning referring to a Delivery of
mail Mail System or an Error in Delivery
Body Delivery System Failure This mail couldn't be
displayed
Attachment mail, msg, message, Note, or data, with
one of these extensions pif, scr, zip, or eml
For additional information on this worm,
please use the link above
Delete the email message.
***************************
- W32/Bagle.u@MM
Mar 26,
2004
Virus Characteristics: This is a version of the Bagle
viruses. The virus has been upgraded to a medium risk due to its
prevalence.
From: will be spoofed - may be from your address
book
Subject: Blank
Body Blank
Attachment Various file names with an .exe extension
For additional information on this worm,
please use the link above
Delete this message.
***************************
- W32/Bagle.n@MM
Mar 15,
2004
Virus Characteristics: This is a version of Bagle
viruses. The message-bodies are constructed very similarly to those
for its predecessor, using several parts, to effectively customize
the email, to make it appear to be a legitimate warning
notification
From: may say any of the following @ your domain
management@
administration@
staff@
noreply@
support@
other address found on the system
Subject:
Account alert
Request response
Site changes
Warning about your e-mail account.
Additional examples of Subject lines are listed in the full
description, see link above
Body
Greeting -
Dear user of %s ,
Dear user of %s e-mail server gateway,
Hello user of %s e-mail server,
Dear user, the management of %s mailing system wants to let you
know that,
Your e-mail account has been temporary disabled because of
unauthorized access....
Your file is attached.
Closing -
The Management,
Sincerely,
Best wishes
Additional examples of Body text are listed in the full
description, see link above
Attachment Various file name which may have a .pif
extension
For additional information on this worm, please use the link
above
Delete this message.
***************************
- W32/Netsky.j@MM
Mar 10,
2004
Virus Characteristics: This is a repackaged version
of W32/Netsky.d@MM. This virus spreads via email. It sends itself
to addresses found on the victim's machine. The virus also attempts
to deactivate the W32/Mydoom.a@MM
and W32/Mydoom.b@MM viruses. Mail propagation The virus may be
received in an email message as follows:
From: (forged address taken from infected system)
Subject: Taken from the following list:
Re: Hello, Re: Hi, Re: Thanks!, Re: Document,
Re: Message, Re: Here, Re: Details,
Re: Your details, Re: Approved,
Re: Your document, Re: Your text,
Re: Excel file, Re: Word file,
Re: My details, Re: Your music,
Re: Your bill, Re: Your letter,
Re: Document, Re: Your website,
Re: Your product, Re: Your document,
Re: Your software, Re: Your archive,
Re: Your picture, Re: Here is the document,
Body: May say any of the following:
Here is the file.
Your file is attached.
Your document is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Attachment Various file name with a .pif
extension
For additional information on this worm, please use the link
above
Delete this message.
***************************
- W32/Sober.d@MM
Mar 9,
2004
Virus Characteristics: The email messages claim
to be from Microsoft containing a patch for the W32/Mydoom@MM
virus.
From: (sender)@microsoft.(country), where sender is taken from the following list: Info Center UpDate News Help Studio Alert Security. And country is taken from the following list: de (for messages in German), at (for messages in German), com (for messages in English)
Subject: Varies, and contains random characters. For German and English messages respectively, the subject line starts: Microsoft Alarm: Bitte Lessen! Microsoft Alert: Please Read!
Body: New MyDoom Virus Variant Detected! A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet. Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468. Protection: Please download this digitally signed attachment. This Update includes the functionality of previously released patches. +++ +++ One Microsoft Way, Redmond, Washington 98052 +++ Restricted Rights at 48 CFR 52.227-19 com
Attachment: Either a .EXE or .ZIP, with varying filename
For additional information on this worm, please use the link
above
Delete this message.
***************************
- W32/Netsky.c@MM
Feb. 25,
2004
Virus Characteristics: This virus spreads
through email and mapped drives. It sends itself to addresses found
on the victim's machine and by copying itself to folders on drives
C thru Z.
The From: forged address taken from the infected system
Subject: Varies:
Body: may be similar to the subject...various phrases
Attachment may have a double extension such as .rtf.pif and
may be contained in a .ZIP file
The college server will detect and block this virus worm.
For additional information on this worm, please use the link
above
Delete this message.
***************************
- W32/Mydoom.f@MM
Feb. 23,
2004
Virus Characteristics: This virus affects
machines running Microsoft Windows. It sends itself to addresses
found on the victim's machine and by copying itself to folders on
mapped drives. It contains a denial of services payload and a
payload deleting files
The From: address may be spoofed from someone you know.
Subject: Varies: may be blank
Announcement
Approved
News
Attention
automatic responder
Bug
Current Status
EXPIRED ACCOUNT
Love is Love is...
Body: various phrases
Please reply
Re Approved
Your IP was logged
Attachment creditcard.bat or something in a zip file
The icon used by the attachment tries to look like a text
file.
The college server will detect and block this virus worm.
For additional information on this worm, please use the link
above
Delete this message.
***************************
- W32/Netsky.b@MM
Feb. 18,
2004
Virus Characteristics: This virus spreads
through email and mapped drives. It sends itself to addresses found
on the victim's machine and by copying itself to folders on drives
C thru Z.
The From: address may be spoofed from someone you know or
it may be skynet@skynet.de
Subject: Varies: may say I have your password!
about me
anything ok?
do you
from the chatter
greetings
hello
here
here is the document
Body: may be similar to the subject...various phrases
Attachment may have a double extension such as .rtf.pif and
may be contained in a .ZIP file
The college server will detect and block this virus worm.
For additional information on this worm, please use the link
above
Delete this message.
***************************
- W32/Bagle.b@MM
Feb. 17,
2004
Virus Characteristics: This is a mass mailing
worm which can construct new outgoing messages, and will harvest
addresses from your machine
The From: address may be spoofed from someone you know:
Subject: Varies: may say - ID (string) ...thanks
Body: Yours ID (string2)
---
Thank
Attachment a randomly named file with .EXE file extension
The college server will detect and block this virus worm.
For additional information on this worm, please use the link
above
Delete this message.
***************************
- W32/Mimail.s@MM
Jan. 30,
2004
Virus Characteristics: This worm contains the
ability to replicate itself, and attempts to steal user's credit
card info
The From: address may be spoofed from someone you know:
Subject: Varies: may say - here is the file you asked
for
Body: Hi! Here is the file you asked for!
Attachment document.txt.scr The following file extensions
may also be used in the attachment name:
.pif, .scr, .exe, .jpg.scr, .jpg.pif, .jpg.exe, .gif.exe,
.gif.pif, .gif.scr The worm attempts to steal credit card info by
displaying a fake Microsoft licensing window. The college server
will detect and block this virus worm.
For additional information on this worm, please use the link
above
Delete this message.
***************************
- W32/Mydoom@MM
Jan. 27,
2004
Virus Characteristics: This is a mass mailing
and peer-to-peer file sharing worm. The virus/worm arrives in an
email with the following characteristics:
The From: address may be spoofed from someone you know:
Subject: Varies: Error, Status, Server Report, Mail
Transaction Failed, Mail Deliver System, hello, or hi
Body: (Varies, such as) The message cannot be represented
in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a
binary attachment. Mail transaction failed. Partial message is
available. Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] -
often arrives in a ZIP archive) (22,528 bytes) examples (common
names, but can be random) doc.bat document.zip message.zip
readme.zip text.pif hello.cmd body.scr test.htm.pif data.txt.exe
The icon used by the file tries to make it appear as if the
attachment is a text file:
The college server
will detect and block this virus worm.
For additional information on this worm, please use the link
above
Delete this message.
***************************
- W32/Dumaru.y@MM January 26, 2004
Virus Characteristics: This is a worm using mass mailing. The virus/worm arrives in an email with the following characteristics:
The worm mails itself in a ZIP file. The ZIP contains the worm with
the following filename:
Attachment Name: MYPHOTO.JPG. (many spaces) .EXE
Messages are constructed with the following characteristics:
From: "Elene" (F (removed) ENSUICIDE@HOTMAIL.COM)
Subject: Important information for you. Read it immediately
!
Attachment: MYPHOTO.ZIP
Body:
Hi!
Here is my photo, that you asked for yesterday.
Delete this message.
***************************
- W32/Bagle@MM
Jan. 20,
2004
Virus Characteristics: This is a worm using mass mailing. The virus/worm arrives in an email with the following characteristics:
The From: address may be forged from someone you know:
Subject: Hi
Body: Test+) and may contain some random characters) --
Test, yep.
Attachment: may be a random file name and say 15,872 bytes.
Delete this message.
The college server
will detect and block this virus worm.
For additional information on this worm, please use the link
above
Delete this message.
***************************
- W32/Sober.c@MM Dec 20, 2003
Virus Characteristics: This is a new
variation of W32/Sober.b@MM . The
virus targets email addresses which it obtains from the victim
machine and sends out messages. The worm stays resident in the
machine and may send out attachments in English or German
The wording in the Subject Body:
Subject : you are an idiot; why me? I hate you; Preliminary
investigation were started: Your IP was logged; or Your use illegal
File Sharing... or text in German
Attachment: www.iq4you-german-test.com; www. free4share4you.com;
your mail, etc
Delete this message.
The college server
will detect and block this virus worm.
***************************
- W32/Mimail.i@MM Nov
17, 2003
Virus Characteristics: This new variation of W32/Mimail@MM attempts to
steal credit card information by displaying a fake
PayPal message. The user's information is stored in a file named
ppinfo.sys , which is sent to four email addresses,
hard-coded in the worm.
The wording in the Subject Body:
From: "PayPal.com" donotreply@paypal.com
Subject : YOUR PAYPAL.COM ACCOUNT EXPIRES
Attachment:
www.paypal.com.scr
paypal.asp.scr
Body :
Dear PayPal member,
PayPal
would like to inform you about ...... The message details a problem with PayPal and
directs you to open the attachment and fill out a form to
reestablish your account giving credit card info etc.
Delete this message.
The college server will detect and block
this virus worm.
***************************
- W32/Mimail.c@MM Oct. 31,
2003
Virus
Characteristics: This virus bears a
similarity to a previous worm, W32/Mimail@MM. The virus contains its
own SMTP engine to construct messages. It mails itself as a ZIP
attachment, obtains addresses from the local address book and sends
out a large volume of data (garbage) to a remote server.
The wording in the Subject Body:
From : may be spoofed from james @nai.com
Subject : Re(2) our private photos
Attachment: PHOTOS.ZIP
Body :Hello Dear!,
Finally, I've found possibility to right u my lovely girl :) All
our photos which I've made at the beach (even when u're withou ur
bh:)) photos are great! This evening i"ll come and we'll make the
best SEX :)
Right now enjoy the photos.
Kiss, James
Delete this message.
The college server will detect and block this virus
worm.
***************************
- W32/Swen@MM
Sept. 29,
2003
Virus
Characteristics: Sometimes purporting to be a Microsoft
Security Update, this worm is intended to
propagate via various mechanisms:
a) mailing itself to recipients extracted from the victim
machine
b) copying itself over network shares (mapped drives)
c) sharing itself over the KaZaa P2P networks
d) sending itself via IRC
Various outgoing messages are created. Some make use of an IE
exploit to ensure the worm attachment is run upon viewing the
email.
The wording in the Subject Body:
From : Email Delivery Service
Subject : Returned Response
(kmailengine@yahoo.com)
Body :Undeliverable mail to(email address)
or,
at least one message masquerades as a Microsoft update as
follows:
From: Microsoft Corporation Security Division
To: Microsoft Corporation Client
Subject: New Microsoft Patch
Delete this message.
The college server
will detect and block this virus worm.
***************************
- Jdbgmgr.exe
hoax Aug 25, 2003
Virus
Characteristics: This is a hoax,
The wording in the Subject Body: I was just informed that my address book has
been infected with a virus. As a result, so has yours because your address is in my book. The
virus is called jdbgmgr.exe It cannot be
detected by Norton or McAfee Anti-virus programs. It sits quietly for about 14 days before damaging the system.
It is sent automatically by messenger and address book, whether or
not you send email. The good news is that it
is easy to get rid of! Just follow these simple steps and you should have no problem: 1.
Go to Start, then Find or Search. 2. In files/folders, write the
name jdbgmgr.exe 3. Be sure to search in your "C" drive for
jdbgmgr.exe 4. Click "Find" or "Search" 5. The virus has a teddy
bear logo with the name jdbgmgr.exe. DO NOT OPEN IT. 6. RIGHT click
and delete it. 7. Go to the recycle bin and delete it there also.
IF YOU FIND THE VIRUS, YOU MUST CONTACT EVERYONE IN YOUR ADDRESS
BOOK. (You may want to just cut and paste
this email, replacing your name for mine and send it out) Sorry for all the trouble, but this is something I
had no control over. I received it by someone
else's address book, just as you may have received it from me and also you may have uncontrollably sent
it to those in you address book. Sorry about
this everyone, it was very easy to find and delete. I Just received this from someone and sure enough I
followed the steps and the virus was there. Please do the
same.
This hoax is directing you to remove a legitimate file.
Ignore it. Do not pass this on to everyone in your address
books.
***************************
- W32/Sobig.f@MM
Aug 19, 2003
Virus Characteristics: This is a medium level threat. It is a
new variant of W32/Sobig. It propagates via email and over network
shares.
The wording in the Subject may say:
Re: Thank you!, Re: Details, Re: Approved, Re: That movie, Re:
Wicked screensaver.
Body: See the attached file for details
or
Please see the attached file for details
The From address may be spoofed with an address taken from the victim
machine. This means the perceived sender is most likely not a
pointer to the infected user. The college server will detect and
block this virus. The DAT file in your Virus scan will have updated
itself to 4287.
***************************
- W32/Nachi.worm
Aug 18, 2003
Virus Characteristics: This is a medium level threat which
exploits a Microsoft vulnerability. It is not related to the
W32/Lovsan.worm.d/MSBlaster variant.
The internet worm is detected by the current
Daily DAT as the Exploit-DcomRpc virus.
The college server is updated to detect the worm and remove
it. The DAT file in your Virus scan will have updated itself
to 4286.
***************************
- W32/Lovsan.worm
Aug 12, 2003
Virus Characteristics: This is a medium, on-watch level
threat which has been discussed in the media this week. It is
not received as an email. It spreads to as many machines as
possible. The threat will scan a random IP range to look for
vulnerable systems on TCP port 135.
The worm may return a DoS (denial of service)
message and cause a system to reboot.
The college server is updated to detect the worm and remove
it. The DAT file in your Virus scan will have updated itself
to 4284.
***************************
- W32/Mimail@MM
Aug 1, 2003
Virus Characteristics: This is a medium level threat.
It is received as an email attachment as follows.
The wording in the Body may say :
From: Admin@sunysuffolk.edu
Subject: your account %user%
Importance: High
Hello there,
I would like to inform you about important information regarding
your email address. This email address will be expiring. Please
read attachment for details.
Best regards, Administrator
Attachment: message.zip
If you receive this message, do not open the attachment. Delete the
message and empty your deleted items folder.
***************************
- W32/Sobig.e@MM
June 26, 2003
Virus Characteristics: This threat was upgraded to a Medium
risk due to an increase in prevalence. The worm propagates via
email and over network shares. It can construct outgoing messages.
The virus is sent in a ZIP archive.
The wording in the Body may say:
Please see the attached zip file for details
Attachment: your_details.zip (which contains details.pif)
Note: This variant spoofs, or forges, the From address. Therefore the
perceived sender is likely not a pointer to the infected user.
College PCs are protected.
College E-mail server is protected.
You should delete the message.
**************************
- W32/Bugbear.b@MM
June 5, 2003
Virus Characteristics: Due to a further increase in
prevalence, the risk assessment of this threat has been upgraded to
High. This worm emails itself to addresses found on the local
system. This goes for both the TO and FROM fields.
The wording in the Subject Line may say:
25 merchants and rising
Announcement
bad news
CALL FOR INFORMATION!
click on this!
Correction of errors
Cows
Daily Email Reminder
empty account
fantastic
free shipping!
Get 8 FREE issues - no risk!
Get a FREE gift!
Greets!
Hello!
Hi!
history screen
hmm..
I need help about script!!!
Interesting...
Introduction
Attachment names -
Card
Docs
image
images
music
news
photo
pics
readme
resume
Setup
song
video
Followed by an extension:
.exe
.pif
.scr
This is a complex worm that contains many different
elements:
College PCs are protected.
College E-mail server is protected.
You should delete the message.
***************************
- W32/Palyh@MM
May 18, 2003
Virus Characteristics: This worm arrives as an attachment in
various messages.
The worm mails itself to recipients extracted from the victim
machine. The worm may have a closing quote omitted from the
attachment filename. This may cause certain mail clients to remove
a character from the remaining filename, thus attachments may have
a ".PI" extension (as opposed to ".PIF").
The wording in the Subject Line may say:
Re: My application
Re: Movie
Cool screensaver
Screensavers
Re: My details
Your password
Re: Approved (Ref. 3394-65467)
Approved (Ref. 38446-263)
Your details
Attachment names -
approved.pif
ref-394755.pif
password.pif
application.pif
screen_doc.pif
screen_temp.pif
movie28.pif
download1053122425102485703.uue
doc_details.pif
_approved.pif
College PCs are protected.
College E-mail server is protected.
You should delete the message.
***************************