NH&A Alerts


  • November 5, 2003 - Microsoft Offers Reward to Catch Writers of Computer Viruses/Worms - At a news conference in Washington including national and international law enforcement officials, Microsoft announced a $5 million antivirus reward program to encourage tipsters, with initial rewards of $250,000 for evidence leading to the capture and conviction of the original authors of the MSBlast and SoBig programs, which plagued Internet users this year.

    For more information on this story, please visit the following links:

    CNN.com
    MSNBC.com

 

  • September 18, 2003 - Swen.A/Gibe.E worm - Swen is a worm that replicates via email, local network (LAN), IRC and Kazaa. It uses a vulnerability in Internet Explorer to execute directly from e-mail. It is important to note that this threat is very deceptive and masquerades as a Microsoft Windows Update. The Swen worm appeared on the 18th of September 2003. It was most likely written by the author of the Gibe worm (Begbie), and it has features similar to those of the latest Gibe variants.

    For more info on this threat and removal options, please visit:

    F-Secure - removal tool is here
    Symantec
    Trend-Micro
    NAI

  • August 27, 2003 - SOBIG.F worm update2 - Thanks to quick work, led by the discovery by F-Secure anti-virus researchers, the 2nd phase of the Sobig.F virus/worm was thwarted. Nevertheless, this worm continues to propagate in huge numbers.

    New York Times


  • August 22, 2003 - SOBIG.F worm update - The Sobig.F worm has a surprise attack embedded within its code that is scheduled to launch today. All computers infected by this worm will enter a second phase today, on Friday the 22nd of August, 2003. These computers are using atomic clocks to synchronize the activation to start at exactly the same time around the world: at 19:00:00 UTC (12:00 in San Francisco, 20:00 in London, 05:00 on Saturday in Sydney).

    For more information on this latest threat from SOBIG.F, click here.

  • August 19, 2003 - SOBIG.F worm - A new variant of Sobig, known as Sobig.F was first found on August 19th, 2003 and it is spreading in the wild. This is by far the largest virus outbreak that we have witnessed in 13 years. It is at least one order of magnitude larger than the largest of the past. Other virus outbreaks pale in comparison.
    Sobig sends massive amounts of mail. The sender information of these mails is wrong and doesn't indicate the real infected user.


    Email Routine Details
    The email message has the following characteristics:

    Subject: The subject line will be one of the following:

    • Re: Thank you
    • Thank you!
    • Your detail
    • Re: Details
    • Re: Re: My detail
    • Re: Approv
    • Re: Your application
    • Re: Wicked screensaver
    • Re: That movie

    Attachment: The attachment name will be one of the following:

    • your_document.pif
    • document_all.pif
    • thank_you.pif
    • your_details.pif
    • details.pif
    • document_9446.pif
    • application.pif
    • wicked_scr.scr
    • movie0045.pif

    Sobig history

    The following table shows all the Sobig variants, with their expiration dates and when they were first found in the wild. The "Detection" field refers to when we first had databases which detected the corresponding variant.
    Variant -- Found -- Expires -- Detection
    _____________________________________________________________
    Sobig.A -- January 9th -- NO 2003 -- 01/09/04
    Sobig.B -- May 18th -- May 31st 2003 -- 05/19/03
    Sobig.C -- May 31st -- June 8th 2003 -- 06/01/01
    Sobig.D -- June 18th -- July 2nd 2003 -- 06/18/03
    Sobig.E -- June 25th -- July 14th 2003 -- 06/26/02
    Sobig.F -- August 19th -- Sept. 10th 2003 -- 08/19/02


    For more info on this threat and removal tools, please visit:


    F-Secure

    Trend
    Sophos
    McAfee
    Symantec

  • June 25, 2003 - SOBIG.E worm - Spreading rapidly Via E-mail

    W32.Sobig.E@mm is a mass-mailing worm that sends itself to all the email addresses that it finds in files with the following extensions:
    • .wab
    • .dbx
    • .htm
    • .html
    • .eml
    • .txt

    The email falsely purports that Yahoo sent it (support@yahoo.com).

    Email Routine Details
    The email message has the following characteristics:

    From: support@yahoo.com (NOTE: W32.Sobig.E@mm spoofs this field. It could be any address.)

    Subject: The subject line will be one of the following:
    • Re: Application
    • Re: Movie
    • Re: Movies
    • Re: Submitted
    • Re: ScRe:ensaver
    • Re: Documents
    • Re: Re: Application ref 003644
    • Re: Re: Document
    • Your application
    • Application.pif
    • Applications.pif
    • movie.pif
    • Screensaver.scr
    • submited.pif
    • new document.pif
    • Re: document.pif
    • 004448554.pif
    • Referer.pif

    Attachment: The attachment name will be one of the following:
    • your_details.zip (contains details.pif)
    • application.zip (contains application.pif)
    • document.zip (contains document.pif)
    • screensaver.zip (contains sky.world.scr)
    • movie.zip (contains Movie.pif)

    NOTE: The worm de-activates on July 14, 2003, and therefore, the last day on which the worm will spread is July 13, 2003.

    F-Secure
    Symantec - removal tool is here
    Trend
    Sophos
    McAfee


  • June 5, 2003 - Bugbear worm - Spreading Rapidly Via Email - 

    W32.Bugbear.B@mm worm is:

    • A variant of W32.Bugbear@mm.
    • A mass-mailing worm that also spreads through network shares.
    • Polymorphic and also infects a select list of executable files.
    • Possesses keystroke-logging and Backdoor capabilities.
    • Attempts to terminate the processes of various antivirus and firewall programs.

    The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto-execute the worm when reading or previewing an infected message.

    In addition, the worm contains routines that specifically affect financial institutions. This functionality will cause the worm to send sensitive data to one of ten hard-coded public Internet e-mail addresses. The information sent includes cached passwords and key-logging data.

    Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.

    F-Secure
    Symantec - removal tool is here
    Trend
    Sophos
    McAfee

  • May 19, 2003 - Palyh, AKA Mankx and Sobig.B, worm has gone worldwide and the number of reported infections has increased drastically. The worm arrives in an attachment to a message that appears to have come from "support@microsoft.com" and comes with various subject lines, messages and file attachments.

    When the file is executed, the worm uses the victim system's e-mail address book to spread and searches HTML pages and text documents for other addresses. The worm will fall dormant, however, on May 31, 2003.

    F-Secure
    Symantec - removal tool is here
    Trend
    Sophos
    McAfee
    CERT

  • Jan 25, 2003 - SQLSlammer or "Sapphire Worm," Spreading Worldwide, dragging many web sites to a crawl.  

    The problems began at around 12:30 a.m. EST, and initial reports suggest the cause was a worm that exploits a vulnerability in Microsoft Corp.'s SQL Server.

    F-Secure
    Symantec

    Trend

    Sophos

    McAfee

    InfoWorld
    CERT
    Internet Storm Center

    SQL Security site

    Microsoft standalone patch is here
    SQL 2000 Service Pack 3
