Virus Alerts in 2004
- W32.Erkez.D@mm
(15 Dec 2004)
W32.Erkez.D@mm is a mass mailing worm that uses
its own SMTP engine to send itself to email
addresses harvested from infected machines.
It arrives in a Christmas greeting email message
written in different languages such as Hungarian
or English with varying subjects, message bodies,
spoofed sender addresses and an attachment with
a .COM, .CMD, .PIF, .BAT or .ZIP file extension.
The worm also spreads via peer-to-peer file-sharing
networks. It opens a backdoor on TCP port 8181
and attempts to terminate various anti-virus
and security related applications. For more
information about this virus, please refer to
the following links:
- W32.Sober.I@mm
(19 Nov 2004)
W32.Sober.I@mm is a mass mailing worm that uses
its own SMTP engine to send itself to email
addresses harvested from infected machines.
It arrives in an email message written in either
English or German with varying subjects, message
bodies, spoofed sender addresses and an attachment
with a .EXE, .SCR, .COM, .PIF, .BAT or .ZIP
file extension. When infecting a computer, it
displays a fake error message containing the
text "WinZip_Data_Module is missing ~Error:
{2A0DCCF6}". For more information about
this virus, please refer to the following links:
- W32.Beagle.AW@mm
(30 Oct 2004)
W32.Beagle.AW@mm is a mass-mailing worm that
uses its own SMTP engine to send itself to email
addresses harvested from infected machines.
It arrives in an email message with spoofed
sender addresses and the subject "Re:",
"Re: Hello", "Re: Hi", "Re:
Thank you!" or "Re: Thanks :)".
The message body will be ":)" or ":))",
and the attachment will have the name Price,
price or Joke with a .COM, .CPL, .EXE or .SCR
file extension. The worm also spreads via peer-to-peer
file-sharing networks. When the worm is executed,
it attempts to download a file from a list of
websites. It opens a backdoor on TCP port 81
and attempts to terminate various anti-virus
and security related applications. For more
information about this virus, please refer to
the following links:
- W32.Beagle.AV@mm
(29 Oct 2004)
W32.Beagle.AV@mm is a mass mailing worm that
uses its own SMTP engine to send itself to email
addresses harvested from infected machines.
It arrives in an email message with spoofed
sender addresses and the subject "Re:",
"Re: Hello", "Re: Hi", "Re:
Thank you!" or "Re: Thanks :)".
The message body will be ":)" or ":))",
and the attachment will have the name Price,
price or Joke with a .COM, .CPL, .EXE or .SCR
file extension. When the worm is executed, it
attempts to download a file from a list of websites. W32.Beagle.AV@mm also spreads via network
shares, opens a backdoor on TCP port 81 and
attempts to terminate various anti-virus and
security related applications. For more information
about this virus, please refer to the following
links:
- W32.MyDoom.Q@mm
(16 Aug 2004)
W32.MyDoom.Q@mm is a mass mailing worm that
uses its own SMTP engine to send itself to email
addresses harvested from infected machines.
It arrives in an email message with the subject
line "Photos" and the body of the
message reads: "LOL!;))))". The sender's
email address is spoofed and the attachment
has the name photos_ars.exe. The worm also downloads
and executes a backdoor program from a list
of websites. For more information about this
virus, please refer to the following links:
- W32.Beagle.AO@mm
(10 Aug 2004)
W32.Beagle.AO@mm is a mass mailing worm that
uses its own SMTP engine to send itself to email
addresses harvested from infected machines.
It arrives in an email message with a blank
subject and spoofed sender addresses. The message
body will be "New price" and the attachment
has the name price.zip, price2.zip, price_new.zip,
price_08.zip, 08_price.zip, newprice.zip, new_price.zip
or new__price.zip. The ZIP file contains two
files, an html file (price.html) and a downloader
(price.exe). When price.exe is executed, it
downloads the worm itself from a list of websites. W32.Beagle.AO@mm also spreads via peer-to-peer
file-sharing networks, opens a backdoor on UDP
and TCP port 80 and attempts to terminate several
anti-virus and security related applications.
For more information about this virus, please
refer to the following links:
- W32.Mydoom.M@mm
W32.Mydoom.M@mm is a mass mailing worm that
uses its own SMTP engine to send itself to email
addresses harvested from infected machines.
In addition the worm may also use an Internet
search engine to harvest more email addresses
for possible distribution. It arrives in an
email message with varying subjects, message
bodies, spoofed sender addresses and an attachment
with a .BAT, .CMD, .COM, .EXE, .PIF, .SCR, or
.ZIP file extension. W32.Mydoom.M@mm also opens
a backdoor on TCP port 1034. For more information
about this virus, please refer to the following
links:
- W32.Beagle.AG@mm
W32.Beagle.AG@mm is a mass mailing worm that
uses its own SMTP engine to send itself to email
addresses harvested from infected machines.
It arrives in an email message with varying
subjects, message bodies, spoofed sender addresses
and an attachment with a .EXE, .SCR, .COM, .CPL,
or .ZIP file extension. If the attachment is
a password-protected .ZIP file, the password
is included in the message body. Upon execution,
the worm copies itself into the Windows System
directory as WinXP.exe. W32.Beagle.AG@mm also
spreads via peer-to-peer file-sharing networks,
opens a backdoor on TCP port 1080 and attempts
to terminate several anti-virus and security
related applications. For more information about
this virus, please refer to the following links:
- W32.Beagle.AB@mm
W32.Beagle.AB@mm is a mass mailing worm that
uses its own SMTP engine to send itself to email
addresses harvested from infected machines.
It arrives in an email message with varying
subjects, message bodies, spoofed sender addresses
and an attachment with a .EXE, .SCR, .COM, .CPL,
or .ZIP file extension. If the attachment is
a password-protected .ZIP file, the password
is included in the message body. The worm also
spreads via peer-to-peer file-sharing networks.
W32.Beagle.AB@mm also opens a backdoor on TCP
port 1080 and attempts to terminate several
anti-virus and security related applications.
For more information about this virus, please
refer to the following links:
- W32.Beagle.Y@mm
W32.Beagle.Y@mm is a mass mailing worm that
uses its own SMTP engine to send itself to email
addresses harvested from infected machines.
It arrives in an email message with varying
subjects, message bodies, spoofed sender addresses
and an attachment with a .HTA, .VBS, .EXE, .SCR,
.COM, .CPL, or .ZIP file extension. If the attachment
is a password-protected .ZIP file, the password
is included in the message body. The worm also
spreads via peer-to-peer file-sharing networks.
When infecting a computer, it displays a fake
error message containing the text "Can't
find a viewer associated with the file".
W32.Beagle.Y@mm also opens a backdoor on TCP
port 1234 and attempts to terminate several
anti-virus and security related applications.
For more information about this virus, please
refer to the following links:
- JS.Scob.Trojan
JS.Scob.Trojan is a trojan that appends a copy
of itself to existing files on a Microsoft IIS
web server. When executed, it tries to connect
to a remote server and attempts to download malicious
code. JS.Scob.Trojan can be detected by most
anti-virus software with updated virus signatures.
For more information about this Trojan horse,
please refer to the following links:
- Troj_Dingxa.A
Troj_Dingxa.A is a Trojan horse that can be
maliciously used to steal online banking information
on the infected computers. Unlike a virus
or worm, Troj_Dingxa.A does not spread by itself
automatically; it must be manually executed
to infect a computer, for example by disguising itself
as something useful to entice the victim to
download and execute it, or by arriving as an attachment
to an email or instant message sent by the attacker.
When Troj_Dingxa.A is executed, it checks the
title bar of the current browser window against
a list of strings contained within the Trojan
to determine if it is the login page of certain
online banks in Mainland China. If a match
is found, the Trojan will log the keystrokes
entered by the user and send the information
captured to a designated address. Users can
prevent infection by this Trojan by following
security best practices and avoiding visiting/opening
suspicious websites/emails or executing attachments/programs
from doubtful sources. Troj_Dingxa.A can be
detected by most anti-virus software with updated
virus signatures. For more information about
this Trojan horse, please refer to the following
links:
- W32.Korgo.F
W32.Korgo.F is a worm that exploits the LSASS
vulnerability described in Microsoft
Security Bulletin MS04-011 released by Microsoft
on 13 April 2004 to infect computers without
user intervention. The worm scans random targets
on TCP port 445 and infects unpatched computers.
W32.Korgo.F also includes a backdoor component
which allows an attacker to access the infected
computer remotely. For more information about
this virus, please refer to the following links:
- W32.Sasser.B.Worm
W32.Sasser.B.Worm is a worm that exploits the
LSASS vulnerability described in Microsoft
Security Bulletin MS04-011 released by Microsoft
on 13 April 2004 to infect computers without
user intervention. The worm scans random targets
on TCP port 445 and infects unpatched computers.
For more information about this virus, please
refer to the following links:
- W32.Sasser.Worm
W32.Sasser.Worm is a worm that exploits the
LSASS vulnerability described in Microsoft
Security Bulletin MS04-011 released by Microsoft
on 13 April 2004 to infect computers without
user intervention. The worm scans random targets
on TCP port 445 and infects unpatched computers.
For more information about this virus, please
refer to the following links:
- W32.Beagle.X@mm
W32.Beagle.X@mm is a mass-mailing worm that
uses its own SMTP engine to send itself to the
email addresses harvested from the infected
machine. It arrives in an email message from
a spoofed sender with varying subjects and an
attachment with a .HTA, .VBS, .EXE, .SCR, .COM,
.CPL, or .ZIP file extension. The message body
is either blank or a password if the attachment
is a .ZIP file. The worm also spreads via peer-to-peer
file-sharing networks. When infecting a computer,
it displays a fake error message containing
the text "Can't find a viewer associated with
the file". W32.Beagle.X@mm also includes a backdoor
component and attempts to terminate several
anti-virus and security related applications.
For more information about this virus, please
refer to the following links:
- W32.Netsky.AB@mm
W32.Netsky.AB@mm is a mass-mailing worm that
uses its own SMTP engine to send itself to the
email addresses harvested from the infected
machine. It arrives in an email message from
a spoofed sender with varying subjects, message
bodies, and an attachment with a .PIF file extension.
For more information about this virus, please
refer to the following links:
- W32.Beagle.W@mm
W32.Beagle.W@mm is a mass-mailing worm that
uses its own SMTP engine to send itself to the
email addresses harvested from the infected
machine. It arrives in an email message from
a spoofed sender with a subject and body composed
from a pool of strings carried within the worm.
There may be two attached files: one is a JPEG
file that contains a picture of a girl and the
other is a copy of the worm with a .HTA, .VBS,
.EXE, .SCR, .COM, .CPL, or .ZIP file extension.
The worm also spreads via peer-to-peer file-sharing
networks. When infecting a computer, it displays
a fake error message containing the text "Can't
find a viewer associated with the file". W32.Beagle.W@mm
also includes a backdoor component and attempts
to terminate several anti-virus and security
related applications. For more information about
this virus, please refer to the following links:
- W32.Netsky.Y@mm
W32.Netsky.Y@mm is a mass-mailing worm that
uses its own SMTP engine to send itself to the
email addresses harvested from the infected
machine. It arrives in an email message from
a spoofed sender with the subject line "Delivery
failure notice (ID-<random number>)". W32.Netsky.Y@mm
also includes a backdoor component which allows
an attacker to upload and execute arbitrary
programs on infected computers, and performs
a Denial of Service (DoS) attack against certain
websites between the 28th and 30th of April 2004.
For more information about this virus, please
refer to the following links:
- W32.Sober.F@mm
W32.Sober.F@mm is a mass-mailing worm which
arrives in an email written in either English
or German with an EXE or ZIP attachment. When
infecting a computer, the worm deliberately
launches the Notepad program with a text file
to hide its malicious intent. For more information
about this virus, please refer to the following
links:
- W32.Netsky.Q@mm
W32.Netsky.Q@mm is a mass-mailing worm that
exploits the "Incorrect
MIME Header Can Cause IE to Execute Email Attachment"
vulnerability in Microsoft Internet Explorer
(ver 5.01 or 5.5 without SP2) to automatically
execute the virus on vulnerable systems. It
also performs a Denial of Service (DoS) attack
against www.edonkey2000.com, www.kazaa.com,
www.emule-project.net, www.cracks.am and www.cracks.st
between the 8th and 11th of April. For more information
about this virus, please refer to the following
links:
- W32.Beagle.U@mm
W32.Beagle.U@mm is a mass-mailing worm that
includes a backdoor component. When infecting
a computer, the worm deliberately launches the
Microsoft Hearts card game (MSHEARTS.EXE file)
to hide its malicious intent. For more information
about this virus, please refer to the following
links:
- W32.Netsky.P@mm
W32.Netsky.P@mm is a mass-mailing worm that
also spreads via peer-to-peer file-sharing networks.
This worm exploits the "Incorrect
MIME Header Can Cause IE to Execute Email Attachment"
vulnerability in Microsoft Internet Explorer
(ver 5.01 or 5.5 without SP2) to automatically
execute the virus on vulnerable systems. The
email body may contain a fake antivirus scanner
report declaring "No Virus found" in the
attachment, even though the attachment is infected. The worm also attempts
to deactivate several other worms including
variants of Beagle and Mydoom. For more information
about this virus, please refer to the following
links:
- W32.Beagle.O@mm
W32.Beagle.O@mm is a mass-mailing worm that
spreads via an email which does not contain
any attachment. This worm takes advantage of
the Object
Tag vulnerability in Internet Explorer to
automatically download and run the worm's program
file from a remote machine when the infected
email is viewed or previewed. The Object Tag
vulnerability can be fixed by installing the
patch as described in Microsoft
Security Bulletin MS03-040. W32.Beagle.O@mm
also opens a backdoor on the infected computer
and attempts to terminate several anti-virus
and security related applications. For more
information about this virus, please refer to
the following links:
- W32.Beagle.N@mm
W32.Beagle.N@mm is a mass-mailing worm that
also spreads via peer-to-peer file-sharing networks
and infects files with the .EXE extension. The
worm sends itself as an email attachment that
is either a program file with a .PIF extension
or a password-protected archive with a .ZIP
or .RAR extension. W32.Beagle.N@mm also attempts
to terminate several anti-virus and security
related applications. For more information about
this virus, please refer to the following links:
- W32.Beagle.M@mm
W32.Beagle.M@mm is a mass-mailing worm that
also spreads via peer-to-peer file-sharing networks
and infects files with the .EXE extension. The
worm sends itself as an email attachment that
is a password-protected ZIP or RAR file, or
a PIF file. W32.Beagle.M@mm also attempts to
terminate several anti-virus and security related
applications. For more information about this
virus, please refer to the following links:
- W32.Netsky.K@mm
W32.Netsky.K@mm is a mass-mailing worm that
sends itself as an email attachment with a .pif
extension. The worm also attempts to disable
various anti-virus and security related applications
and deactivate the W32.Mydoom.A@mm and W32.Mydoom.B@mm
worms. For more information about this virus,
please refer to the following links:
- W32.Sober.D@mm
W32.Sober.D@mm is a mass-mailing worm that disguises
itself as a software update from Microsoft for
the MyDoom worm. The worm arrives in an email
written in either English or German with an
EXE or ZIP attachment. For more information
about this virus, please refer to the following
links:
- W32.Beagle.J@mm
W32.Beagle.J@mm is a mass-mailing worm that
arrives as a zipped attachment that contains
the worm's executable with a random file name
and an icon that makes the file look like a
WordPad file. It also spreads via peer-to-peer
file-sharing networks. Furthermore, W32.Beagle.J@mm
also contains a backdoor component.
- W32.Netsky.D@mm
W32.Netsky.D@mm is a mass-mailing worm that
is a new variant of W32.Netsky.C@mm. The worm
also attempts to deactivate the W32/Mydoom.a@MM
and W32/Mydoom.b@MM worms. On Mar 02, between
6:00 and 9:00 am, the worm makes random beeping
sounds with varying pitches and rhythm.
- W32.Beagle.E@mm
W32.Beagle.E@mm is a mass-mailing worm that
arrives as a zipped attachment that contains
the worm's executable with a random file name
and an icon that makes the file look like a
text file. W32.Beagle.E@mm also contains a backdoor
component.
- W32.Beagle.C@mm
W32.Beagle.C@mm is a mass-mailing worm that
arrives as a zipped attachment that contains
the worm's executable with a random file name
and an icon that makes the file look like
an Excel spreadsheet. W32.Beagle.C@mm also
contains a backdoor component.
- W32.Netsky.C@mm
W32.Netsky.C@mm is a mass-mailing worm that
also spreads via network shares and peer-to-peer
file-sharing networks. The worm also attempts
to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM
worms. On Feb 26, between 6:00 and 8:00 am,
the worm makes random beeping sounds with
varying pitches and rhythm.
- W32.Mydoom.F@mm
W32.Mydoom.F@mm is a mass-mailing worm that
opens a backdoor on TCP port 1080. It also
performs a Denial of Service (DoS) attack
against www.microsoft.com and www.riaa.com
between the 17th and 22nd of any month.
- W32.Netsky.B@mm
W32.Netsky.B@mm is a mass-mailing worm that
also spreads via network shares and peer-to-peer
file-sharing networks. The worm also attempts
to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM
worms.
- W32.Beagle.B@mm
W32.Beagle.B@mm is a mass-mailing worm that
includes a backdoor component. When infecting
a computer, the worm deliberately launches
the Windows Sound Recorder to hide its malicious
intent.
- W32.Mydoom.A@mm
W32.Mydoom.A@mm is a mass-mailing and peer-to-peer
file-sharing worm that includes a backdoor
component. When infecting a computer, the
worm deliberately launches Notepad with garbage
data in it to pretend that it is harmless.
- W32.Beagle.A@mm
W32.Beagle.A@mm is a mass-mailing worm that
includes a backdoor component. When infecting
a computer, the worm deliberately launches
the Calculator application to hide its malicious
intent.
Copyright 2009. The Government of the Hong Kong Special Administrative
Region.