- Bagle family:
W32/Bagle.Q@mm
W32/Bagle.R@mm
W32/Bagle.S@mm
W32/Bagle.T@mm
These variants started spreading on 18 March 2004.
Risk:
These new variants are rated low risk and would not warrant a
virus alert on their own. However, given the number of new
variants in a relatively short span of time there is reason
for computer users to be careful.
Recommended Reactions:
Users of F-Prot Antivirus should update their virus signature
files immediately. These variants are all detected by F-Prot
Antivirus using virus signature files dated 18 March 2004 and
later.
- Virus Information
Risk Assessment
- Home Users: Medium
- Corporate Users: Medium
Date Discovered: 3/21/2004
Date Added: 3/21/2004
Origin: Unknown
Length: 29,568 bytes (mailed)
26,624 bytes (dropped)
Type: Internet Worm
SubType: E-mail worm
DAT Required: 4340
-- Update 22nd March 06:20 PST --
Due to increased prevalence, this threat has had its risk assessment raised to MEDIUM.
Dear nick:
Another variant of the W32/Netsky.MM virus, W32/Netsky.p@MM is a Medium Risk mass-mailing worm that arrives inside a .ZIP attachment (e.g., your_document.zip) and spreads itself by stealing email addresses from the infected computer, spoofing or forging the "from: field." Besides using its own SMTP engine, W32/Netsky.p@MM also propagates via peer-to-peer networks (e.g., Morpheus, Kazaa) by copying itself to shared file directories -- often with a celebrity (e.g., Britney Spears, Eminem) as part of the filename.
Note: W32/Netsky.p@MM takes advantage of vulnerable versions of Internet Explorer 5.01 and 5.5 to automatically execute the virus on a user's system. McAfee recommends running Windows Update to ensure you have the latest patches for Internet Explorer.
Up-to-date McAfee VirusScan users with DAT 4340 are protected from this threat.
- Worm.Win32.Sober.E Alert!
Infection
Worm.Win32.Sober.E comes via email to your PC. Worm mails have the following layout while always one of the subject, mail body and attachment options is chosen to generate the mail:
Subject:
HEY
hey?
Hey!
OK Ok OK!
OK OK
Ok ;-)
Hi :-)
hi
Hi
thx
Thx!
THX
Thx !!!
Mail body:
;-)
ha!
HA :-)
yo!
lol
LoL
Yo!
Attachment name:
Text.zip
Text.pif
Read.zip
Read.pif
Graphic-doc.zip
Graphic-doc.pif
document.zip
document.pif
Word.zip
Word.pif
Sober.E can be detected and removed with a² with the latest signature updates loaded. The a² background guard blocks the worm immediately if it is started.
- Another variant of the W32/Netsky.MM virus, W32/Netsky.q@MM is a Medium Risk mass-mailing worm that arrives inside a .ZIP, .PIF, .SCR or .EML attachment and spreads itself by stealing email addresses from the infected computer, spoofing or forging the "from: field." The worm includes the recipient's name, surrounded by percentage symbols, in the message subject line.
Note: Like W32/Netsky.p@MM, W32/Netsky.q@MM takes advantage of vulnerable versions of Internet Explorer 5.01 and 5.5 to automatically execute the virus on a user's system. McAfee recommends running Windows Update to ensure you have the latest patches for Internet Explorer.
Learn More about W32/Netsky.q@MM
- Win32.Netsky.V
Description Modified: April 15, 2004
Category: Win32
Also known as: HTML.Netsky.V, JS.Netsky.V, Win32/NetSky.V.Worm, W32/Netsky.v@MM (McAfee), I-Worm.Netsky.w (Kaspersky)
Win32.Netsky.V
Detection Published: April 14, 2004
Description Modified: April 15, 2004
Category: Win32
Also known as: HTML.Netsky.V, JS.Netsky.V, Win32/NetSky.V.Worm, W32/Netsky.v@MM (McAfee), I-Worm.Netsky.w (Kaspersky)
Description Method of Infection Method of Distribution Payload
Netsky.V is a worm that propagates by exploiting an object tag vulnerability. E-mail sent by the worm points to an IP address containing the worm executable and exploit script. This script exploits the vulnerability to download and execute the worm locally. The worm is a 19,432 byte, UPX-packed, encrypted, Win32 executable.
When executed, Netsky.V copies itself to
%Windows%\KasperskyAVEng.exe
and modifies the registry to ensure that this copy is executed at each Windows start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = "%Windows%\KasperskyAVEng.exe"
Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95,98 and ME is C:\Windows; and for XP is C:\Windows.
The worm creates a mutex "_-=oOOSOkOyONOeOtOo=-_" to ensure only one copy of the worm is running on the system.
It also creates a further copy of itself to %Windows%\skyav.tmp.
Please note the risk factor of this worm has been raised to medium
0 komentar:
Posting Komentar