VBS.Timofonica
This is a Visual Basic Script worm which Norton AntiVirus detected as VBS.NewLove.A;
we subsequently updated the virus definitions to name it correctly. The worm replicates by mailing itself using MS Outlook
and attempts to send messages to the MovieStar service.
You must complete the following steps to manually remove this worm from your system:
Within Outlook, enable the option to save copies of messages into the Sent folder.
W32/Trinoo
W32/Trinoo is a 32-bit Intel-based version of a Distributed
Denial of Service (DDoS) attack program previously published as
source code. AVERT has assigned it a LOW risk assessment.
However, new infections are being reported, and AVERT is
watching it closely.
W32/Trinoo arrives as an email trojan attachment. When run,
it will install itself on the host system, and it will run
as a service at the next Windows startup. It will then
listen for commands on a pre-designated UDP port.
This trojan does not present a serious risk to individual
users at this time, and no alert is being posted. However,
AVERT and McAfee.com want to make our users aware that this
trojan is out there, and that it is, in principle, capable
of launching a Denial of Service attack from an infected
machine.
W32/ExploreZip.worm.pak
W32/ExploreZip.worm.pak is a new, compressed variant of the
original W32/ExploreZip.worm. AVERT has assessed it as a
high-risk threat, approaching outbreak levels! It reproduces
itself by sending replies to incoming email messages, with
itself as an attachment called "zipped_files.exe".
It includes a payload: it will search the user's mapped
drives and overwrite all files of types .c, .cpp, .asm,
.doc, .xls and .ppt, truncating them to zero KB.
IMPORTANT - If you receive an email with the message
"I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.",
DELETE IT IMMEDIATELY! It will have an attachment called
"zipped_files.exe"; DO NOT DOUBLE-CLICK OR RUN THIS
ATTACHMENT! If you do, it will infect your system!
W97M/Prilissa
W97M/Prilissa is a new Melissa variant. AVERT has assigned
it a risk assessment of MEDIUM--ON WATCH. There has been a
serious outbreak in Europe, and it is expected to travel
quickly.
W97M/Prilissa infects Word 97 files. It propagates itself
by creating an MS Outlook email with the subject line
"Message From (Word 97 username)" and the message text:
"This document is very Important and you've GOT to
read this !!!"
It sends this message, with an attached copy of the
infected Word 97 file, to the first 50 entries in any
address book it finds. It does this only once.
W97M/Prilissa includes a destructive payload! If the date
is December 25 of any year, it will modify the AUTOEXEC.BAT
file so that the next time the computer is booted, the hard
drive will be formatted, causing a loss of all data. In
addition, the following message will be displayed in
Word 97:
W32/FunLove.4099
W32/FunLove.4099 is a new virus. AVERT has assigned it a MEDIUM risk assessment.
W32/FunLove.4099 is a parasitic Win32 PE file infector that works on both Win9x and WinNT 4.0. It infects .EXE, .SCR and .OCX files. When the virus is first run, it drops a file called FLCSS.EXE into the %SYSTEM% folder. The virus then directly infects all .EXE, .SCR, and .OCX files in the folders Program Files and WINDOWS/WINNT, including any sub-folders. Because the default Windows shell, Explorer.exe, is kept there, the virus is re-executed whenever the system is restarted. The virus uses a routine lifted from the W32/Bolzano virus to patch the NT files NTOSKRNL.EXE and NTLDR. This gives the virus full access to the system after the next system reboot.
Periodically, the virus scans any network shares with write access, and infects any EXE, SCR or OCX files on the shared network drives. The virus is not encrypted or polymorphic.
Infected files have a copy of the FLCSS.EXE file added to the end of the last PE section, and the length of the infected files increases by 4099 bytes. When executed under DOS, the file FLCSS.EXE displays the message ~Fun Loving Criminal~ and then tries to reset the machine in order to load Windows.
VBS/Bubbleboy
VBS/Bubbleboy is a new Internet worm, discovered 11/08/99.
AVERT has assigned it a LOW risk assessment; it has not
appeared in the wild.
VBS/Bubbleboy is a NEW type of worm: Unlike previous
worms transmitted through email, this new type of worm
does not come as an executable attachment. Instead,
VBS/Bubbleboy infects PCs as soon as the transmitting
email message is opened. This is a VERY significant
innovation! Historically, it has not been possible
to contract a virus or worm by merely opening and
reading an email message. This is no longer true,
and VBS/Bubbleboy marks the beginning of a more
dangerous computing environment.
VBS/Bubbleboy is transmitted through an email message
with the subject heading "Bubbleboy is back!" It will
ONLY infect PCs running Windows 98 with Internet Explorer
5 and Outlook or Outlook Express. PCs using Outlook are
infected upon opening the email message, while Outlook
Express users may be infected by viewing the message
with the "Preview Pane" feature! When the email
is opened, the worm creates a file called UPDATE.HTA.
The next time the PC is booted up, the worm sends
itself embedded in an email to EVERY address in EVERY
MS Outlook address book on the local system. It does
this only once.
Info by McAfee
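The mail-borne threats described above (W32/ExploreZip.worm.pak, W97M/Prilissa, VBS/Bubbleboy) can be triaged on the subject lines, message text and attachment name quoted in the advisories. The following is an added example, not code from McAfee or Symantec; the function names and the sample messages are constructed for illustration, and the matches are plain string checks, not vendor signatures.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted from the advisories on this page (lower-cased for matching).
EXPLOREZIP_ATTACHMENT = "zipped_files.exe"
EXPLOREZIP_BODY = "take a look at the attached zipped docs"
PRILISSA_SUBJECT_PREFIX = "message from "
PRILISSA_BODY = "this document is very important and you've got to"
BUBBLEBOY_SUBJECT = "bubbleboy is back!"

def norm(text):
    # Collapse whitespace and case so re-wrapped lines still match.
    return " ".join(text.split()).lower()

def classify(raw_message):
    """Return the sorted advisory names whose indicators match the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = norm(msg.get("Subject", ""))
    attachments = {norm(part.get_filename() or "") for part in msg.walk()}
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = norm(body_part.get_content()) if body_part else ""
    hits = set()
    # Either indicator alone is enough to quarantine for review.
    if EXPLOREZIP_ATTACHMENT in attachments or EXPLOREZIP_BODY in body:
        hits.add("W32/ExploreZip.worm.pak")
    # The subject prefix alone is too common; require the body text as well.
    if subject.startswith(PRILISSA_SUBJECT_PREFIX) and PRILISSA_BODY in body:
        hits.add("W97M/Prilissa")
    if subject == BUBBLEBOY_SUBJECT:
        hits.add("VBS/Bubbleboy")
    return sorted(hits)

def sample_message(subject, body, attachment=None):
    # Constructed test message with a placeholder attachment, not a real sample.
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    reply = ("I received your email and I shall send you a reply ASAP.\n"
             "Till then, take a look at the attached zipped docs.")
    print(classify(sample_message("Re: report", reply, "zipped_files.exe")))
    print(classify(sample_message("Bubbleboy is back!", "hello")))
```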