NH&A Alerts

About us
Products
How we work
News/Alerts
Contact info

  • August 9, 2004 - Bagle.AL ALIAS: I-Worm.Bagle.al, W32/Bagle.aq@MM, WORM_BAGLE.AC, Bagle.AG, W32/Bagle-AQ
    SIZE: 14848
    This Bagle variant was spammed widely on August 9, 2004. Like other Bagle variants, it sends e-mails with infected attachments. Typically the attachment is a ZIP archive with a name such as new_price.zip, price_new.zip or price_08.zip.

    For more info on this threat and removal options, please visit

    F-Secure
    Symantec
    Trend-Micro
    NAI

  • May 4, 2004 - Sasser ALIAS: Sasser.A, Worm.Win32.Sasser.a, Worm.Win32.Sasser.b, W32/Sasser.B
    SIZE: 15872
    Sasser is an Internet worm that spreads through the MS04-011 (LSASS) vulnerability. It needs no e-mail and no user action: it scans for machines reachable on TCP port 445 and infects them directly. The newest variant, "Sasser.B", uses the filename AVSERVE2.EXE.

    The vulnerability is a buffer overrun in the Local Security Authority Subsystem Service (LSASS) and affects all machines that:

    - run Windows XP or Windows 2000
    - have not been patched with MS04-011
    - are connected to the Internet without a firewall blocking port 445


    For more info on this threat and removal options, please visit

    F-Secure
    Symantec
    Trend-Micro
    NAI

  • Week of March 1 Editorial:  This seems to be the week of the worms. About a dozen new worms and variants have been released.  Worm writers are even competing with each other over the computers that are connected to the Internet and are unprotected.  Social engineering is exploring new ideas, including customizing the e-mail to the domain of the victim and password-protecting the .ZIP attachment (with the password given in the e-mail body) so that anti-virus engines, which cannot decrypt the archive, cannot scan its contents.  The file names inside such an archive are still readable, so a gateway can still recognize and refuse password-protected archives.

    A few suggestions:  Update your A/V frequently, and don't make the mistake of curiously or mindlessly opening attachments in your e-mail.  Most of these new worms spoof the "From" address, so users are misled into thinking the e-mail came from somewhere other than the true source.   Realize that these writers are trying to tempt you into opening the attachments.  Scan your computers regularly.  If you have a number of users, consider installing an anti-virus firewall or gateway in front of your network.
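    As an added example (this is not the site's own code nor any vendor's tool), the following Python checks an e-mail attachment the way a gateway would under the policy this editorial recommends: bare executables are refused, ZIP archives are listed without extracting anything, and an archive is refused if it is password-protected (the encryption flag in each member's central-directory entry is readable even though the contents are not) or if it contains an executable, as in the MyDoom, Bagle and NetSky alerts on this page. The extension list, the verdict names and the `build_zip` helper that constructs the sample archives in memory are assumptions for illustration.

```python
import io
import struct
import zipfile
import zlib

# Payload extensions named in the alerts on this page (MyDoom: .exe/.pif/.cmd/
# .scr; Bagle and NetSky: .exe) plus .bat/.com as an assumed policy addition.
# Matched on the final extension only, so "price_08.txt.exe" still counts.
EXECUTABLE_EXTS = (".exe", ".pif", ".cmd", ".scr", ".bat", ".com")
ZIP_FLAG_ENCRYPTED = 0x0001  # bit 0 of the ZIP general-purpose flag word


def has_executable_ext(filename: str) -> bool:
    return filename.lower().endswith(EXECUTABLE_EXTS)


def inspect_zip(data: bytes) -> dict:
    """List the members of an in-memory ZIP without extracting anything.

    Member names and flag bits live in the central directory, which is never
    encrypted, so an archive can be triaged even when every payload is
    password-protected and a signature scanner cannot see inside it.
    """
    report = {"members": [], "encrypted": [], "executables": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["members"].append(info.filename)
            if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                report["encrypted"].append(info.filename)
            if has_executable_ext(info.filename):
                report["executables"].append(info.filename)
    return report


def attachment_verdict(filename: str, data: bytes) -> str:
    """Return 'block' or 'allow' for one attachment under an assumed gateway
    policy: no bare executables, no executables inside archives, and no
    encrypted archives (an archive that cannot be scanned is not delivered)."""
    if has_executable_ext(filename):
        return "block"
    # ZIP local-header or empty-archive signature; the claimed extension is not trusted
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        try:
            report = inspect_zip(data)
        except zipfile.BadZipFile:
            return "block"  # looks like a ZIP but cannot be parsed: do not pass it on
        if report["encrypted"] or report["executables"]:
            return "block"
    return "allow"


def build_zip(members, encrypted=False) -> bytes:
    """Constructed sample data: a minimal STORED ZIP built by hand.

    With encrypted=True the header flag is set exactly as a password-protected
    archive carries it; the payload bytes are left as-is, which a listing
    cannot tell apart and which is all the checks above look at.
    """
    flag = ZIP_FLAG_ENCRYPTED if encrypted else 0
    local_part, central_part = b"", b""
    for name, payload in members:
        name_b = name.encode("ascii")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(local_part)
        # local file header: sig, version, flags, method, time, date, crc,
        # compressed size, uncompressed size, name length, extra length
        local_part += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0,
                                  crc, len(payload), len(payload), len(name_b), 0)
        local_part += name_b + payload
        # central directory entry: as above plus comment length, disk number,
        # internal/external attributes and the local header offset
        central_part += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag,
                                    0, 0, 0, crc, len(payload), len(payload),
                                    len(name_b), 0, 0, 0, 0, 0, offset)
        central_part += name_b
    # end of central directory record
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members),
                       len(central_part), len(local_part), 0)
    return local_part + central_part + eocd


if __name__ == "__main__":
    samples = {
        "readme.zip": build_zip([("readme.txt", b"hello, world")]),
        "price_08.zip": build_zip([("price_08.exe", b"MZ" + b"\x90" * 30)]),
        "new_price.zip": build_zip([("new_price.txt", b"payload")], encrypted=True),
        "document.txt.scr": b"MZ",
    }
    for name, blob in samples.items():
        print(f"{name:18} -> {attachment_verdict(name, blob)}")
```

    The point of `inspect_zip` is that it never opens a member: the decision is made from headers alone, which is why a password on the archive does not help the worm against a gateway that simply refuses encrypted archives. A real deployment would also recurse into nested archives and apply the same rule to .rar and other formats.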

  • March 1, 2004 - NetSky.D ALIAS: I-Worm.Moodown.D, W32/Netsky.D@mm, Moodown.D, Worm.Somefool
    SIZE: 17424
    This variant lacks many of the text strings that were present in NetSky.C and does not copy itself to shared folders. NetSky.D spreads in e-mail as an executable attachment only.

    For more info on this threat and removal options, please visit

    F-Secure - removal tool is here
    Symantec
    Trend-Micro
    NAI

  • February 17, 2004 - Bagle.B ALIAS: I-Worm.Bagle.B, WORM_BAGLE.B, W32.Beagle.B@mm, W32/Tanx.A, W32/Yourid.A, W32.Alua@mm, Win32.HLLM.Strato
    SIZE: 11264
    Bagle.B is spreading rapidly. It arrives in e-mail with a random subject and a random attachment name with an .EXE extension. The worm installs a backdoor that listens on TCP port 8866. Bagle.B is programmed to stop spreading on February 25, 2004.

    For more info on this threat and removal options, please visit

    F-Secure - removal tool is here
    Symantec
    Trend-Micro
    NAI


  • January 26, 2004 - MyDoom, aka Novarg, aka MiMail - This virus/worm is spreading rapidly across the Internet and the Kazaa P2P network. When executed, the worm opens Windows Notepad with garbage data in it. In e-mails it uses variable subjects, bodies and attachment names. It also attacks SCO.COM with a DDoS attack.

    The worm opens a backdoor on infected computers. It drops a new file, SHIMGAPI.DLL, into the system32 directory and registers it so that it is loaded into the EXPLORER.EXE process.

    The backdoor listens on the first free TCP port in the range 3127 thru 3198 (3127 on a clean machine). This potentially allows an attacker to connect to the machine and use it as a proxy to reach its network resources. In addition, the backdoor can download and execute arbitrary files.

    It performs a denial of service (DoS) attack against the software vendor's site www.sco.com if the system date is February 1, 2004 or later. It stops attacking the site and running most of its routines on February 12, 2004; the backdoor component, however, keeps running after that date.
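    As an added example (not the page's own code, and not any vendor's removal tool), the following Python implements the two checks the backdoor description calls for: parsing `netstat -an` output from a Windows 2000/XP machine for a listener in the 3127 thru 3198 range, and connect-scanning a remote host for the same ports. The netstat sample is constructed, not captured from a real system; `sweep_host` is a plain TCP connect probe and shows only that something is listening there, not that it is MyDoom.

```python
import re
import socket
from concurrent.futures import ThreadPoolExecutor

# MyDoom.A's backdoor binds the first free TCP port in 3127..3198 (3127 on a
# clean machine), so a listener anywhere in that range is the indicator.
MYDOOM_PORTS = range(3127, 3199)

# One row of Windows 2000/XP "netstat -an" output, e.g.
#   TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
_NETSTAT_TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s*$")

# Constructed sample output for an infected host (not captured from a real
# system): the backdoor on 3127 plus an attacker already connected to it.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3127       10.0.0.7:4431          ESTABLISHED
  TCP    192.168.1.5:1052       64.12.24.3:80          TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""


def backdoor_listeners(netstat_output: str, ports=MYDOOM_PORTS):
    """Host-side check: return sorted (port, local_address) pairs for TCP
    sockets in LISTENING state whose local port falls inside `ports`."""
    hits = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_TCP_ROW.match(line)
        if not m:
            continue  # headers, blank lines and UDP rows
        local_addr, port, state = m.group(1), int(m.group(2)), m.group(3)
        if state.upper() == "LISTENING" and port in ports:
            hits.append((port, local_addr))
    return sorted(hits)


def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect() probe; any error or timeout counts as closed."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return s.connect_ex((host, port)) == 0
    except OSError:
        return False


def sweep_host(host: str, ports=MYDOOM_PORTS, timeout: float = 0.5, workers: int = 16):
    """Network-side check: connect-scan `host` for listeners in `ports` and
    return the open ones, sorted. A hit in the MyDoom range on a Windows
    workstation is the cue to look for system32\\SHIMGAPI.DLL on that box."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda p: port_open(host, p, timeout), ports))
    return sorted(p for p, is_open in zip(ports, flags) if is_open)


if __name__ == "__main__":
    print("netstat hits:", backdoor_listeners(SAMPLE_NETSTAT))
    # e.g. print(sweep_host("192.168.1.5")) against a host on your own LAN
```

    The parser keys on LISTENING rows only; the ESTABLISHED row from the same port in the sample is the attacker's session, which is worth recording separately but is not what identifies the backdoor. Because the worm moves up the range when 3127 is taken, scanning only 3127 misses hosts where another program already held that port.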

    E-mail messages take the form of:

    • From: (spoofed)
      Subject: (random)
      Body: (varies, such as)
      • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
      • The message contains Unicode characters and has been sent as a binary attachment.
      • Mail transaction failed. Partial message is available.

      Attachment:
      (name varies; extension .exe, .pif, .cmd or .scr; often arrives inside a ZIP archive) (22,528 bytes)

      The icon used by the file makes the attachment appear to be a text file.

    It runs on Windows 98, ME, NT, 2000 and XP.  Here are the links:

    On another subject, this virus is an example of how the anti-virus researchers' naming conventions have deteriorated, with McAfee calling it MyDoom, Symantec calling it Novarg, and Trend calling it MiMail.   This lack of a standard naming convention is a hindrance to stopping viruses/worms, not only because it confuses the public but also because it indicates that researchers at different companies are not working together.   Again, we call for a national or international naming standard and an organization that can oversee computer security to coordinate efforts to stop viruses more quickly and efficiently.

    On a third subject, this virus makes clear how persistent broadband connections (cable and DSL) enable a virus/worm to spread so quickly when users have not properly protected their PCs with up-to-date anti-virus software and firewalls.

Alerts 2004
Alerts 2003
Alerts 2002
Alerts 2001
Alerts 2000
Alerts 1999
Alerts 1998
