Virus Alert: W32.Sobig.A@mm

1/14/03:

From Symantec:

Due to an increase in submissions, Symantec Security Response has upgraded this threat from a Category 2 to a Category 3 as of January 13, 2003.

The W32.Sobig.A@mm worm sends itself to all the addresses it finds in the .txt, .eml, .html, .htm, .dbx, and .wab files. The email message has the following characteristics:

Subject:
The subject will be one of these:

Re: Movies
Re: Sample
Re: Document
Re: Here is that sample

Attachment:
The attachment will be one of these:
Movie_0074.mpeg.pif
Document003.pif
Untitled1.pif
Sample.pif

Before W32.Sobig.A@mm sends the messages, it sends a message to an address at pagers.icq.com.

The worm also attempts to copy itself to the following folders on all the open network shares:
\Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup

Also Known As: W32/Sobig [McAfee]
Type: Worm
Infection Length: 65,536 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux

For more information on detecting and removing this virus, please go to and .
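The subjects and attachment names listed in the Sobig alert above can be turned into a mail-gateway check. The following is an added example, not code from Symantec or from this site; the list of executable extensions is an assumption, and the test messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the alert text above (lower-cased for comparison).
SOBIG_SUBJECTS = {"re: movies", "re: sample", "re: document",
                  "re: here is that sample"}
SOBIG_ATTACHMENTS = {"movie_0074.mpeg.pif", "document003.pif",
                     "untitled1.pif", "sample.pif"}
# Assumption: extensions a gateway treats as directly executable on Windows.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat"}


def score_message(raw_bytes):
    """Return the reasons a raw RFC 822 message matches the alert."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    # Collapse whitespace so folded headers still compare equal.
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    if subject in SOBIG_SUBJECTS:
        reasons.append("subject:" + subject)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SOBIG_ATTACHMENTS:
            reasons.append("known-attachment:" + name)
        pieces = name.split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in EXECUTABLE_EXTS:
            # "movie.mpeg.pif" hides the real type behind a decoy extension.
            kind = "double-extension" if len(pieces) > 2 else "executable-ext"
            reasons.append(kind + ":" + name)
    return reasons


def build_sample(subject, filename):
    """Build a constructed test message; the payload is harmless text."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"constructed placeholder, not a real sample",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample("Re: Movies", "Movie_0074.mpeg.pif")))
    print(score_message(build_sample("Quarterly report", "report.pdf")))
```
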


Virus Alert: W32.Lirva.A@mm

1/9/03:

From Symantec:

Due to an increase in submissions, Symantec Security Response has upgraded this threat from a Category 2 to a Category 3 as of January 9, 2003.

W32.Lirva.A is a mass-mailing worm that also spreads by IRC, ICQ, KaZaA, and open network shares. This worm attempts to terminate antivirus and firewall products. It also emails the cached Windows 95/98/Me dial-up networking passwords to the virus writer.

When Microsoft Outlook receives the worm, the worm takes advantage of a vulnerability that allows the attachment to auto-execute when you read or preview the email. Information on this vulnerability and a patch can be found at .

If the day of the month is the 7th, 11th, or 24th, the worm will launch your Web browser to www.avril-lavigne.com and display a graphic animation on the Windows desktop.

Also Known As: W32/Avril-A [Sophos], W32/Lirva.b@MM [McAfee], WORM_LIRVA.A [Trend], Win32.Lirva.A [CA]
Type: Worm
Infection Length: 32,766 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
CVE References:

Please see and for more information.


Virus Alert: W32.Bugbear@mm

10/3/2002:

From Symantec:

W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs.

Security Response has seen that because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.

It is written in the Microsoft Visual C++ 6 programming language and is compressed with UPX v0..

Also Known As: W32/Bugbear-A [Sophos], WORM_BUGBEAR.A [Trend], Win32.Bugbear [CA], W32/Bugbear@MM [McAfee], I-Worm.Tanatos [AVP], W32/Bugbear [Panda], Tanatos [F-Secure]
Type: Worm
Infection Length: 50,688 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, Unix, Linux

Please see or for more information on checking your computer for this virus.



© 2002, Internet Navigator, Inc.
655 Liberty Way, North Liberty, IA 52317