Link to Symantec's download site with virus
removal tools and updates: http://www.symantec.com/downloads/
Virus Prevention Tips
There are a number of things that you, the individual, can do to protect your computer at home and in the office.
1. Install a good anti-virus software product. "Good" means the vendor provides support and makes current virus updates easy to download.
2. Scan your computer regularly with the current virus update installed. Your anti-virus software is only as good as its last virus update.
3. BE VERY CAREFUL when choosing to open unsolicited email, especially emails with attachments and suspicious titles or subject headings.
W32.Rontokbro@mm
Discovered on: September 23, 2005
Type: Worm Infection
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
- Disable System Restore (Windows Me/XP).
- Update the virus definitions.
- Run a full system scan and delete all the files detected.
- Use the Security Response "Tool to reset shell\open\command registry subkeys."
- Delete any values added to the registry.
- Delete the scheduled task.
There is NO separate Symantec Security Response removal tool, only instructions on how to clean and remove the infection.
W32.Sasser.Worm
Discovered on: May 1, 2004
W32.Sasser.Worm
Discovered on: April 30, 2004
Last Updated on: May 02, 2004 02:33:48 PM
W32.Sasser.Worm is a worm that attempts to exploit the MS04-011 vulnerability. It spreads by scanning randomly-chosen IP addresses for vulnerable systems.
Symantec Security Response has developed a removal tool to clean the infections of the following variants of the W32.Sasser worm:
W32.Sasser.Worm
W32.Sasser.B.Worm
W32.Sasser.C.Worm
W32.Sobig.F@mm
Discovered on: August 19, 2003
W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in the files with the following extensions:
.dbx .eml .hlp .htm .html .mht .wab .txt
The worm uses its own SMTP engine to propagate and will attempt to create a copy of itself on accessible network shares.
Email Routine Details
The email message has the following characteristics:
From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may use the address admin@internet.com as the sender.
Subject:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details
Body:
See the attached file for details
Please see the attached file for details.
Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
NOTE: The worm de-activates on September 10, 2003. The last day on which the worm will spread is September 9, 2003.
W32.Welchia.Worm
Discovered on: August 18, 2003
W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. IIS 5.0 will most likely be found on Windows 2000 systems.
W32.Welchia.Worm does the following:
Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
Attempts to remove W32.Blaster.Worm.
Also Known As: W32/Welchia.worm10240 [AhnLab], W32/Nachi.worm [McAfee], WORM_MSBLAST.D [Trend], Lovsan.D [F-Secure], W32/Nachi-A [Sophos], Win32.Nachi.A [CA], Worm.Win32.Welchia [KAV]
Type: Worm
Infection Length: 10,240 bytes
Systems Affected: Microsoft IIS, Windows 2000, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x, Windows 95, Windows 98, Windows Me
W32.Blaster.Worm
Discovered on: August 11, 2003
W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm attempts to download and run the Msblast.exe file. Ports used:
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"
The worm also attempts to perform a Denial of Service (DoS) on Windows Update. This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
NOTE: This threat will be detected by virus definitions having:
Defs Version: 50811s
Sequence Number: 24254
Extended Version: 8/11/2003, rev. 19
Symantec Security Response has developed a removal tool to clean infections of W32.Blaster.Worm.
Also Known As: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
Type: Worm
Infection Length: 6,176 bytes
Systems Affected: Windows NT, Windows 2000, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 95, Windows 98, Windows Me
CVE References: CAN-2003-0352
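Both W32.Welchia.Worm and W32.Blaster.Worm announce themselves on the network: each sweeps TCP port 135 looking for the DCOM RPC vulnerability, and Welchia first pings candidate hosts, producing the increased ICMP traffic described above. The following detector is an added example and is not part of the original page or any Symantec tool; it runs over constructed flow-log lines (format assumed: epoch, source, destination, protocol, destination port or ICMP type) and flags sources that touch many distinct hosts on TCP/135 or with ICMP echo requests inside one 60-second bucket.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed flow-log lines, not a real capture: "epoch src dst proto port_or_icmp_type".
# For ICMP rows the last field is the ICMP type (8 = echo request).
SAMPLE_LOG = """\
1060560000 10.0.0.5 10.0.0.17 tcp 135
1060560000 10.0.0.5 10.0.0.18 tcp 135
1060560001 10.0.0.5 10.0.0.19 tcp 135
1060560001 10.0.0.5 10.0.0.20 tcp 135
1060560002 10.0.0.5 10.0.0.21 tcp 135
1060560002 10.0.0.5 10.0.0.22 tcp 135
1060560003 10.0.0.5 10.0.0.22 udp 69
1060560010 10.0.0.9 10.0.0.30 icmp 8
1060560010 10.0.0.9 10.0.0.31 icmp 8
1060560011 10.0.0.9 10.0.0.32 icmp 8
1060560011 10.0.0.9 10.0.0.33 icmp 8
1060560012 10.0.0.9 10.0.0.34 icmp 8
1060560020 10.0.0.7 10.0.0.2 tcp 135
1060560021 10.0.0.7 10.0.0.2 tcp 135
"""

Event = Tuple[int, str, str, str, int]


def parse_log(log: str) -> List[Event]:
    """Parse the five-field lines into (epoch, src, dst, proto, port_or_type) tuples."""
    events: List[Event] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, last = line.split()
        events.append((int(ts), src, dst, proto.lower(), int(last)))
    return events


def flag_scanners(events: List[Event], window: int = 60,
                  min_targets: int = 5) -> Dict[str, List[str]]:
    """Flag sources that reach >= min_targets distinct hosts on TCP/135 (the DCOM RPC
    probing both worms use) or send ICMP echo requests to >= min_targets distinct
    hosts (Welchia's host discovery) within one fixed bucket of `window` seconds.
    A single host talking repeatedly to one DCOM peer is normal and is not flagged."""
    buckets: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
    for ts, src, dst, proto, last in events:
        if proto == "tcp" and last == 135:
            kind = "tcp135-sweep"
        elif proto == "icmp" and last == 8:
            kind = "icmp-echo-sweep"
        else:
            continue  # UDP/69 TFTP fetches and other traffic are ignored here
        buckets[(src, kind, ts // window)].add(dst)
    findings: Dict[str, List[str]] = defaultdict(list)
    for (src, kind, _), targets in buckets.items():
        if len(targets) < min_targets:
            continue
        if kind not in findings[src]:
            findings[src].append(kind)
    return dict(findings)
```

The thresholds are illustrative; a real network would tune the window and target count against its own DCOM and ping baseline.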
W32.Bugbear.B@mm
Discovered on: June 4, 2003
W32.Bugbear.B@mm worm is:
A variant of W32.Bugbear@mm.
A mass-mailing worm that also spreads through network shares.
Polymorphic and also infects a select list of executable files.
Possesses keystroke-logging and backdoor capabilities.
Attempts to terminate the processes of various antivirus and firewall programs.
The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto-execute the worm when reading or previewing an infected message.
Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.
Symantec Security Response has created a tool to remove W32.Bugbear.B@mm, which is the easiest way to remove this threat.
Also Known As: Win32.Bugbear.B [CA], W32/Bugbear.b@MM [McAfee], PE_BUGBEAR.B [Trend], W32/Bugbear-B [Sophos], I-Worm.Tanatos.b [KAV], W32/Bugbear.B [Panda], Win32/Bugbear.B@mm [RAV]
Type: Virus, Worm
Infection Length: 72,192 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux
When W32.Bugbear.B@mm runs, it copies itself to the \Startup folder as a filename comprised of a few characters, such as ????.exe, whereby ? represents letters that the worm chooses. For example, the worm may copy itself as:
C:\Windows\Start Menu\Programs\Startup\Cyye.exe when it runs on a Windows 95/98/Me-based system.
C:\Documents and Settings\<current user name>\Start Menu\Programs\Startup\Cti.exe when it runs on a Windows NT/2000/XP-based system.
Mass-mailing routine
When the mass-mailing routine runs, it does the following:
Searches for the email addresses in the current Inbox, as well as in the files with the following extensions:
.mmf
.nch
.mbx
.eml
.tbb
.dbx
.ocs
Retrieves the current user's email address and SMTP server from the registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts
Uses its own SMTP engine to send itself to all the email addresses it finds. As part of the routine, the worm spoofs the From: address.
The worm can reply or forward an existing message or create a new message with one of the following subject lines:
Hello!, update, hmm.., Payment notices, Just a reminder,
Correction of errors, history screen, Announcement, various,
Introduction, Interesting..., I need help about script!!!,
Stats, Please Help... , Report, Membership Confirmation, Get
a FREE gift!, Today Only, New Contests, Lost & Found,
bad news, wow!, fantastic, click on this!, Market Update Report,
empty account, My eBay ads, Cows, 25 merchants and rising,
CALL FOR INFORMATION!,new reading, Sponsors needed, SCAM alert!!!,
Warning!, its easy, free shipping!, News, Daily Email Reminder,
Tools For Your Online Business, New bonus in your cash account,
Your Gift, Re:, $150 FREE Bonus!, Your News Alert, Hi!, Get
8 FREE issues - no risk!, Greets!
W32.Bugbear@mm
Virus
Discovered on: September 30, 2002
W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs.
Also Known As: W32/Bugbear-A [Sophos], WORM_BUGBEAR.A [Trend], Win32.Bugbear [CA], W32/Bugbear@MM [McAfee], I-Worm.Tanatos [AVP], W32/Bugbear [Panda], Tanatos [F-Secure]
Type: Worm
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, Unix, Linux
CVE References: CVE-2001-0154
Damage Payload:
Large scale e-mailing: Attempts to mass-mail to addresses harvested from a compromised host using its own SMTP engine.
Compromises security settings: May allow unauthorized access to compromised machines. Attempts to terminate processes of various antivirus and firewall programs.
Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.
Distribution:
Subject of email: Variable
Name of attachment: Variable, with double extension ending in .exe, .scr, or .pif
Size of attachment: 50,688 bytes
Ports: 36794
Shared drives: Attempts to connect to available network resources
The worm determines which version of the operating system is running and uses different routines to accomplish its task. It retrieves the current user's email address and SMTP server from the registry. It then uses its own SMTP engine to send itself to all email addresses that it finds.
W32.Yaha@mm
Discovered on: February 15, 2002
W32.Yaha@mm is a mass-mailer that sends itself to all email addresses it finds in the Windows address book and within files that have the extension of .ht*.
It copies itself to the files C:\Recycled\Msscra.exe and C:\Recycled\Msmdm.exe.
Type: Worm
Infection Length: 20,992 bytes
Damage Payload:
Large scale e-mailing: Mails itself to all email addresses it finds on the infected computer.
Subject of email: Melt the Heart of your Valentine with this beautiful Screen saver or Fw: Melt the Heart of your Valentine with this beautiful Screen saver
Name of attachment: valentin.scr
Size of attachment: 20,992 bytes
Jdbgmgr.exe Hoax
Reported on: April 12, 2002
Type: Hoax
This is a hoax that tries to persuade you to delete a legitimate Windows file from your computer. The file that the hoax refers to, Jdbgmgr.exe, is the Java Debugger Manager. It is a Microsoft file that is installed when you install Windows. It has a teddy bear icon, as described in the hoax.
CAUTION: Jdbgmgr.exe, like any file, can become infected by a virus. One virus in particular, W32.Efortune.31384@mm, targets this file. Norton AntiVirus has provided protection against W32.Efortune.31384@mm since May 11, 2001.
NOTE: If you have already deleted the Jdbgmgr.exe file, some Java applets may not run correctly. This is not a critical system file. The file version may vary with your operating system and version of Internet Explorer. If you want to restore the file, read the instructions in the How to restore the Jdbgmgr.exe file section at the end of this document.
Hoax message:
This hoax has appeared in several languages. Some are as follows:
English
I found the little bear in my machine because of that I am sending this message in order for you to find it in your machine. The procedure is very simple:
The objective of this e-mail is to warn all Hotmail users about a new virus that is spreading by MSN Messenger. The name of this virus is jdbgmgr.exe and it is sent automatically by the Messenger and by the address book too. The virus is not detected by McAfee or Norton and it stays quiet for 14 days before damaging the system.
The virus can be cleaned before it deletes the files from your system. In order to eliminate it, it is just necessary to do the following steps:
1. Go to Start, click "Search"
2.- In the "Files or Folders option" write the name
jdbgmgr.exe
3.- Be sure that you are searching in the drive "C"
4.- Click "find now"
5.- If the virus is there (it has a little bear-like icon with the name of jdbgmgr.exe) DO NOT OPEN IT FOR ANY REASON
6.- Right click and delete it (it will go to the Recycle bin)
7.- Go to the recycle bin and delete it or empty the recycle bin.
IF YOU FIND THE VIRUS IN ALL OF YOUR SYSTEMS SEND THIS MESSAGE TO ALL OF YOUR CONTACTS LOCATED IN YOUR ADDRESS BOOK BEFORE IT CAN CAUSE ANY DAMAGE.
How to restore the Jdbgmgr.exe file
If you have deleted this file, restoration is optional. However, without it, some Java applets may not run correctly. This is not a critical system file.
NOTE: If you are running Windows 2000 the file will be automatically restored.
To restore the file, follow the instructions in the Microsoft Knowledge Base article Virus Hoax: Microsoft Debugger Registrar for Java (Jdbgmgr.exe) Is Not a Virus (Q322993).
W32.Klez.gen@mm
Virus
Discovered on: Nov. 9, 2001
Type: WORM
Damage:
Payload: This worm infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.
Large scale e-mailing: This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment.
Releases confidential info: The worm randomly chooses a file from the machine to send along with the worm to recipients. So files with the following extensions would be attached to e-mail messages along with the viral attachment:
.mp8 .txt .htm .html .wab .asp .doc .rtf .xls .jpg .cpp .pas .mpg .mpeg .bak .mp3 .pdf
Distribution:
Subject of email: Random
Name of attachment: Random
The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files including:
Anti-Vir.dat, Chklist.dat, Chklist.ms, Chklist.cps, Chklist.tav, Ivb.ntz, Smartchk.ms, Smartchk.cps, Avgqt.dat, Aguard.dat
Local and Network Drive copying:
The worm copies itself to local, mapped, and network drives as:
A random file name that has a double extension. For example, Filename.txt.exe.
A .rar archive that has a double extension. For example, Filename.txt.rar.
Email:
This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment.
The worm contains its own SMTP engine and attempts to guess at available SMTP servers.
The subject line, message bodies, and attachment file names are random. The From address is randomly-chosen from email addresses that the worm finds on the infected computer.
The worm will search files that have the following extensions for email addresses:
.mp8, .exe, .scr, .pif, .bat, .txt, .htm, .html, .wab, .asp, .doc, .rtf, .xls, .jpg, .cpp, .pas, .mpg, .mpeg, .bak
W32.Goner.A@mm
Virus
Discovered on: Dec. 4, 2001
Email Subject: Hi
Email Body: How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!
Email Attachment: gone.scr
Summary of Virus: W32.Goner.A@mm is a mass-mailing worm written in Visual Basic that sends itself to everyone in the Outlook address book. The worm also tries to disable Norton AntiVirus by deleting files.
Protecting Your System: If you receive an email message that you suspect may contain the W32.Goner.A@mm virus, it is recommended that you delete the email message and then delete it from your trash folder as well. Be aware that it may be possible to receive this virus via other distribution methods such as downloading from the web.
W32.Badtrans.B@mm
Virus
Discovered on: November 24, 2001
This is a MAPI worm that emails itself out as one of several different file names. This worm also drops a backdoor trojan that logs keystrokes. In all cases, MAPI will also be used to find unread mail to which the worm will reply. The subject will be "Re:". In that case, the attachment name will be one of the following:
pics, images, readme, new_napster_site, news_doc, hamster, you_are_fat!, searchurl, setup, card, me_nude, sorry_about_yesterday, s3msong, docs, humor, fun.
In all cases, the worm will append two extensions. The first will be one of the following: .doc, .mp3, .zip. The second extension that is appended to the file name is one of the following: .pif, .scr.
The resulting file name would look similar to card.doc.pif or news_doc.mp3.scr. If SMTP information can be found on the computer, then it will be used for the From: field. Otherwise, the From: field will be one of these:
"mary l. adams" <mary@c-com.net>, "monika prado" <monika@telia.com>, "support" <support@cyberramp.net>, "admin" <admin@gte.net>, "administrator" <administrator@border.net>, "jessica benavides" <jessica@aol.com>, "joanna" <joanna@mail.utexas.edu>, "mon s" <spiderroll@hotmail.com>, "linda" <lgonzal@hotmail.com>, "andy" <andy@hweb-media.com>, "kelly andersen" <gravity49@aol.com>, "tina" <tina0828@yahoo.com>, "rita tulliani" <powerpuff@videotron.ca>, "judy" <jujub271@aol.com>, "anna" <aizzo@home.com>
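The W32.Sobig.F@mm entry earlier on this page and the W32.Badtrans.B@mm entry above both give fixed mail characteristics (subjects, attachment names, and for Badtrans.B the name.<doc|mp3|zip>.<pif|scr> double-extension scheme). The mail-gateway check below is an added example, not code from the original page or from Symantec; it parses a raw RFC 822 message with Python's standard email library and reports which of the two worms the message matches. Sample messages are constructed inline by build_sample and are not real captures.

```python
import re
from email import message_from_string
from email.message import EmailMessage, Message
from typing import List, Optional

# Indicators copied from the W32.Sobig.F@mm and W32.Badtrans.B@mm entries on this page.
SOBIG_F_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}
SOBIG_F_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif", "your_details.pif",
    "details.pif", "document_9446.pif", "application.pif", "wicked_scr.scr",
    "movie0045.pif",
}
BADTRANS_B_NAMES = {
    "pics", "images", "readme", "new_napster_site", "news_doc", "hamster",
    "you_are_fat!", "searchurl", "setup", "card", "me_nude",
    "sorry_about_yesterday", "s3msong", "docs", "humor", "fun",
}
# Badtrans.B appends <doc|mp3|zip> and then <pif|scr> to one of the names above.
BADTRANS_B_PATTERN = re.compile(r"([^.]+)\.(doc|mp3|zip)\.(pif|scr)")


def attachment_names(msg: Message) -> List[str]:
    """Filenames of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(raw: str) -> Optional[str]:
    """Return the worm name a raw RFC 822 message matches, or None."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    names = [n.lower() for n in attachment_names(msg)]
    # Sobig.F: a listed subject together with a listed attachment name.
    if subject in SOBIG_F_SUBJECTS and any(n in SOBIG_F_ATTACHMENTS for n in names):
        return "W32.Sobig.F@mm"
    # Badtrans.B: replies with subject "Re:" and a double-extension attachment.
    if subject == "Re:":
        for n in names:
            m = BADTRANS_B_PATTERN.fullmatch(n)
            if m and m.group(1) in BADTRANS_B_NAMES:
                return "W32.Badtrans.B@mm"
    return None


def build_sample(subject: str, sender: str, body: str, attachment: str) -> str:
    """Constructed test message (not a real capture) rendered in RFC 822 form."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.invalid", subject
    m.set_content(body)
    m.add_attachment(b"MZ-placeholder", maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_string()
```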
The NIMDA Virus
End users are warned not to open any e-mail attachment named "readme.exe".
NIMDA (said to be derived from "admin" spelled backwards) is a computer virus that first appeared on September 18, 2001. NIMDA caused traffic slowdowns across the Internet as it attacked computers and created a ripple effect by invading computers containing Microsoft's Web server, Internet Information Server (IIS), and e-mail. NIMDA's payload appears to be the traffic slowdown itself - that is, it does not appear to destroy files or cause harm other than the considerable time that may be lost to the slowing or loss of traffic known as denial-of-service. With its multi-pronged attack, NIMDA appears to be the most troublesome virus of its type that has yet appeared.
NIMDA arrives at an unprotected IIS server as a Web page containing some JavaScript code that executes when the page is opened, causing the code to be propagated to all other Web pages on the server. On any of these pages, the JavaScript causes an e-mail (EML) or newsgroup (NWS) browser to open in a zero-size window and to automatically reinitiate the virus toward other computers at random IP addresses. NIMDA systematically explores other known IIS vulnerabilities and, if successful, causes an e-mail to be sent to all addresses listed in the Outlook address book. The e-mail includes an executable attachment (named readme.exe) that, if opened, results in further propagation.
W32.Sircam.Worm@mm
Discovered on: 25/7/2001
There have been reports of a virus by the name W32.Sircam.Worm@mm which propagates itself via email. For more information on this virus, see Symantec's write-up.
A fix is located on our local intranet for on-campus users or users who dial in through the UWInet.
Source: Symantec Corporation (www.symantec.com)
Contact the Helpdesk for more information. ext. 2739,2740,2981-2
Site Last updated April 26th, 2007.