CIS Network Security Team


The following is a listing of viruses that we have seen on the Texas A&M Campus. Links are provided to patches/fixes for the particular virus. Information on viruses that are no longer considered prevalent on campus can be found here. If more information is needed, or you have any questions, please let us know at security@net.tamu.edu.

Symantec Security Response Virus Removal Tools.
McAfee Stinger Virus Removal Tool


Viruses and Worms

Updated 11/01/2005


Tools

Network Associates AVERT Tool -- Stinger

Stinger is a stand-alone tool created by the Network Associates AVERT team. Its purpose is to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but it will assist administrators when dealing with an infected machine.

Please be aware that the following statement is on the AVERT tools page concerning these utilities:
All files presented within this page are not released products. They have not been approved by Quality Assurance and could cause false alarms as well as crashes on your machine(s).

http://vil.nai.com/vil/averttools.asp#stinger
http://vil.nai.com/vil/averttools.asp

Microsoft Baseline Security Analyzer (MBSA)

From this article: "Known as the Microsoft Baseline Security Analyzer, the tool, which can be downloaded at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp, runs on Windows 2000 and XP systems and uses a version of the company's HFNetChk program to look for missing patches and service packs in Windows, IIS and SQL Server. It can also identify vulnerabilities and missing hotfixes in NT 4.0, Windows 2000, XP, IIS 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer 5.01 and later, and Office 2000 and XP."

IIS 5 Hotfix Checking Tool

You can get the IIS5 Hotfix Checking Tool from Microsoft Technet at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168

From the source page listed above: The HFCheck tool allows IIS 5.0 administrators to ensure that their servers are up to date on all security patches. The tool can be run continuously or periodically, against the local machine or a remote one, using either a database on the Microsoft web site or a locally-hosted copy. When the tool finds a patch that hasn't been installed, it can display a dialogue or write a warning to the event log.


Nimda

Nimda is a mass mailing worm that can send itself out by email, search for open network shares, and copy itself to unpatched Microsoft IIS web servers. This worm uses the Unicode vulnerability. More information on this vulnerability can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp.

The CERT advisory on Nimda:

http://www.cert.org/advisories/CA-2001-26.html

There are several variants of Nimda...

W32.Nimda.A@mm Worm

Information and the removal process from Symantec can be found at:

http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

W32.Nimda.E@mm Worm

Information and the removal process from Symantec can be found at:

http://www.symantec.com/avcenter/venc/data/w32.nimda.e@mm.html

"Nimda" Removal process for Windows 95/98 systems

  • Boot in DOS mode.
  • Edit the system.ini file in c:\windows.
  • Look for this line: shell= explorer.exe load.exe -donotloadold
  • Replace it with: shell=explorer.exe
  • Go to c:\windows\system.
  • Run: attrib -s -h riched20.dll
  • Run: attrib -s -h load.exe
  • del riched20.dll (56 KB; check the date on it and delete it if it is today's date)
  • del load.exe


Code Red

07/19/2001:

This is a worm that takes advantage of a hole in Windows Internet Information Server. Vulnerable systems include unpatched NT 4.0 with IIS 4.0 or IIS 5.0; Windows 2000 Professional, Server, Advanced Server and Datacenter Server, and beta versions of Windows XP.

Please look here for more information on this worm.

For a short-term "fix", the infected machine may be rebooted, as the worm is stored only in memory. However, unless the machine is patched, the host will likely be re-infected shortly. Infected machines apparently launch a Denial of Service attack against www.whitehouse.gov.

Microsoft Patch:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

Security Web pages:
http://www.eeye.com/html/Research/Advisories/AL20010717.html
http://www.symantec.com/avcenter/venc/data/codered.worm.html

Other references:
http://www.crn.com/components/Nl/direct/article.asp?ArticleID=28301
X-force's Code Red Worm FAQ

Code Red II

05/06/2002

http://securityresponse.symantec.com/avcenter/venc/data/codered.ii.html

This worm, because it spawns so many threads trying to infect other hosts, can cause network problems in addition to permitting your host to be controlled remotely.

Code Red and Printers and Wireless Access Points

08/01/2001

In addition to workstations, it appears that some printers (HP LaserJet and Brother) and some wireless access points may be susceptible to the Code Red worm. We're trying to get more details and will post them when available.

FYI on the Code Red in the HP 4000TN LaserJet printers. We upgraded the printer firmware to G.08.32 and it fixed the offline/memory dump problems we were seeing. (And the upgrade is a bit of a pain to get from HP - lousy site there.) First the folks need to get the HP Download Manager and THEN get the printer firmware download. Check the HP JETDIRECT version on the printer config page and go to that on the HP site for the correct download. Also, we had to have the IPX stack loaded on our network protocols to implement it; it wouldn't allow TCP/IP to be used to get to the printers.

PLEASE NOTE: The IPX migration to IP as announced here is still planned to continue 08/01/2001.


Sircam

07/20/2001

The Sircam worm arrives as an attachment in an email message and also through unprotected network shares. It affects all Windows operating systems. All known versions contain the phrase 'Hi! How are you?' in the body of the message.

http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html

http://www.cert.org/advisories/CA-2001-22.html


07/20/2001 -- Information on the sadmind/IIS worm:

This worm infects Solaris machines and then looks for IIS servers to deface.

http://www.symantec.com/avcenter/venc/data/sadmind-iis.html


FunLove

07/20/2001 -- W32.Funlove.4099

It is W32.Funlove.4099 (and the variant W32.Funlove.int). It is a virus/worm that spreads from an infected machine through open shares: it vigorously searches for shares and tries to log into every share it finds. It is a pain to remove from a PC with the NTFS file system, since you have to boot from Win95 or 98, then run a program called NTFSDOS Pro (a $250 program, not to be confused with the freeware version that is read-only) to make the NTFS file system read-writable, and then run FIXFUN from Symantec to clean it off. It infects the NTKernl and NTlrdr files and ALL executable files on the system, so you can't get rid of it with the system loaded. If you have the .Int variant, just get the important data off the disk and use FDISK to wipe it and start over - all executable files will be infected and are unrepairable.

The default for folder and drive sharing is Everyone with full control. Unless the person adding the share knows to modify the default, the machine will be vulnerable to attack from this worm and any malicious individual.

The bottom line is: don't share any drive or folder unless it is absolutely necessary, and if you do enable peer-to-peer networking, don't accept the defaults.

http://www.symantec.com/avcenter/venc/data/w32.funlove.4099.html


Magistr

11/08/2001 -- W32.Magistr.24876@mm

Magistr is a virus with an email capability. It sends email from an infected machine to contacts in the user's Outlook and Outlook Express folders. The mail will have a random subject line and up to two attachments.

http://www.symantec.com/avcenter/venc/data/w32.magistr.24876@mm.html

W32.Magistr.39921@mm is a variant:

http://securityresponse.symantec.com/avcenter/venc/data/w32.magistr.39921@mm.html


Myparty

01/28/2002 -- W32.Myparty@mm Mass Mailer

Myparty is a mass-emailing worm that spreads itself between January 25, 2002 and January 29, 2002. It sends itself to all contacts found in the Windows address book and to email addresses found in Outlook Express. In addition to this, a backdoor is placed on the machine that allows a hacker to control the system.

From NTBUGTRAQ: Be aware that this morning you will likely find a copy of this new mass mailer in your mail systems. This is a pure social engineering attack; it contains an attachment named as a URL with a .com extension. Since .com is also an application, it will be run as such if it is double-clicked on. Check with your AV company for updates and/or filtering criteria. If you can, be sure you have attachment filtering enabled at your mail gateway. Outlook Email Security Update, and Outlook 2002, both catch this attachment and prevent it from being available for the user to click on.

http://www.symantec.com/avcenter/venc/data/w32.myparty@mm.html


Klez

03/05/2002 -- W32.Klez Mass Mailer

W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines, message bodies, and attachment file names.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained. Information and a patch for the vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The worm overwrites files and creates hidden copies of the original. In addition, the worm drops the virus W32.Elkern.3587 which is similar to W32.ElKern.3326. The worm attempts to disable some common antivirus products and has a payload which fills files with all zeroes.

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html

Klez.H

04/22/2002 -- W32.Klez.H Mass Mailer

Due to an increased number of submissions, this threat has been upgraded to Category 3.

W32.Klez.H@mm is a modified variant of the worm w32.klez.E@mm. This variant is capable of spreading by email and network shares. It is also capable of infecting files.

Symantec Security Response has developed a tool to remove both W32.Klez.H@mm and W32.Klez.E@mm. Click here to obtain the tool.

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html


Frethem

07/15/2002 -- W32.Frethem.K@mm

W32.Frethem.K@mm is a worm, and is a variant of W32.Frethem.B@mm. It uses its own SMTP engine to send itself to email addresses that it finds in the Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb files. The email message arrives with the following characteristics:

Subject: Re: Your password!
Attachments: Decrypt-password.exe and Password.txt

http://www.symantec.com/avcenter/venc/data/w32.frethem.k@mm.html


Bugbear

10/04/2002 -- Bugbear@mm

From Symantec's site: "W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs.

Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupt their normal functionality.

It is written in the Microsoft Visual C++ 6 programming language and is compressed with UPX v0.76.1-1.22."

http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html


Opaserv

11/05/2002 -- W32.Opaserv.Worm

W32.Opaserv.Worm is a network-aware worm that attempts to replicate across open network shares. It will copy itself to another machine as a file called 'Scrsvr.exe'. This worm affects Windows operating systems.

http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html


Brid

12/05/2002 -- W32.Brid.A@mm

W32.Brid.A@mm is a mass-mailing worm which includes a slightly changed variant of the Funlove virus. This worm contains its own SMTP engine and will attempt to email itself to all contacts in the Microsoft Outlook Address Book.

Virus definitions dated after November 1999 should detect the Funlove virus component. This virus is also referred to as 'Braid'.

http://securityresponse.symantec.com/avcenter/venc/data/w32.brid.a@mm.html


Sobig

01/13/2003 -- W32.Sobig.A@mm

W32.Sobig.A@mm is a worm spread through network shares and email. It is written in MSVC and has its own SMTP engine. It will send itself to all addresses found in the .txt, .eml, .html, .htm, .dbx and .wab files. This worm affects all Windows operating systems.

http://www.symantec.com/avcenter/venc/data/w32.sobig.a@mm.html
http://vil.nai.com/vil/content/v_99950.htm


W32SQLExp

01/27/2003 -- W32.SQLExp.Worm

W32.SQLExp.Worm is a worm that targets systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port. If you are running Microsoft SQL Server 2000 or MSDE 2000, be sure you have patched the vulnerabilities referred to in Microsoft Security Bulletin MS02-039 and Microsoft Security Bulletin MS02-061.

Also, download and install SQL Server 2000 Service Pack 3 from Microsoft. This should prevent re-infection. After applying SP3, SSNETLIB.DLL should have version 2000.80.760.0. You can determine this by right-clicking on the DLL icon and selecting 'Properties' and then the 'Version' tab.

Although most information refers to this as the Microsoft SQL Server 2000 worm, another MS product called the Microsoft Data Engine (MSDE) is also vulnerable. MSDE is a stripped-down version of SQL Server designed as a replacement for Microsoft Access. It is installed automatically by lots of off-the-shelf software products, including Visual Studio .NET and Visio. How do you know if you are running MSDE? An icon similar to the image below will appear in your system tray.

SQL server 7 is not affected.

Here is a link to the Removal Tool

Further Information:
http://microsoft.com/technet/security/virus/alerts/slammer.asp
http://www.eeye.com/html/Research/Flash/AL20030125.html
http://www.cert.org/advisories/CA-2003-04.html
http://vil.nai.com/vil/content/v_99992.htm


Sobig.B

05/18/2003 -- W32.Sobig.B@mm (aka Mankx, Palyh)

W32.Sobig.B@mm is a mass mailing worm that sends itself to all email addresses found in .wab, .dbx, .htm, .html, .eml and .txt files. It can also spread through network shares. When spreading by email, the mail will be from support@microsoft.com and will have a subject line similar to:

  • Your details
  • Re: Approved (Ref: 3394-65467)
  • Screensaver
  • Re: My details

The attachment will be a .pif file. The virus is scheduled to expire on May 31, 2003.

Symantec originally referred to this worm as W32.HLLW.Mankx@mm, and McAfee refers to it as W32/Palyh@MM. For more information see:

http://www.symantec.com/avcenter/venc/data/w32.sobig.b@mm.html

http://vil.nai.com/vil/content/v_100307.htm


Sobig.C

06/02/2003 -- W32.Sobig.C@mm

W32.Sobig.C@mm is a mass mailing worm that spreads itself to other email addresses found in specific documents on the infected machine.

The mail message could appear to be from bill@microsoft.com (or any other address as this new variant spoofs the From: email address) and will contain subject lines such as:

  • Re: Movie
  • Re: Submitted (004756-3463)
  • Re: Approved
  • Approved
  • Re: Your Application

The attachment will be a .pif or a .scr file and is executable on Windows machines. More information can be found at:

http://www.symantec.com/avcenter/venc/data/w32.sobig.c@mm.html
http://vil.nai.com/vil/content/v_100343.htm

A removal tool can be found at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.c.removal.tool.html


BugBear.B

06/05/2003 -- W32.Bugbear.B@mm

This is a mass mailing, polymorphic worm that can also spread through network shares. It infects a select list of executable files, has keystroke-logging and backdoor capabilities, and will attempt to end anti-virus software processes.

The email sent out will have a varied subject line and will spoof the "From:" address. The attachment may also carry any number of varied extensions.

More information can be found at: http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html
http://vil.nai.com/vil/content/v_100358.htm

A removal tool can be found at: http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.removal.tool.html


Sobig.E

06/26/2003 -- W32.Sobig.E@mm

A new variant of the Sobig worm has been released. The worm is the Sobig.E worm (W32.Sobig.E@mm). This is a mass-mailing worm that spreads itself to other email addresses found in specific documents on the infected machine.

The email sent out will have a varied subject line (Re: Application, Re: Movie, Re: Documents, etc... ) and will spoof the "From:" address. The attachment will be any of the following:

  • your_details.zip (contains details.pif)
  • application.zip (contains application.pif)
  • document.zip (contains document.pif)
  • screensaver.zip (contains sky.world.scr)
  • movie.zip (contains Movie.pif)

More information can be found here: http://www.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html

http://vil.nai.com/vil/content/v_100429.htm

A Removal Tool can be found here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.removal.tool.html


Mimail

08/04/2003 -- W32/Mimail.A@MM

Mimail is a mass-mailing worm. This worm will appear to come from admin@<domain name>, e.g. admin@tamu.edu. The attachment in the email is message.zip. The worm affects Microsoft systems.

This virus captures information from a user's machine and emails it to specific mail addresses. It takes advantage of a known vulnerability and the Microsoft patch for that vulnerability can be found at http://support.microsoft.com/default.aspx?scid=kb;en-us;330994

More information on the worm can be found at:

http://www.symantec.com/avcenter/venc/data/w32.mimail.a@mm.html
http://vil.nai.com/vil/content/v_100523.htm

Update -- 11/18/2003

New Variant on Campus -- Mimail.J

Another variant of the Mimail worm has been released. This particular variant is a mass mailing worm, that also attempts to steal personal information. The worm will display a series of forms which will ask the user to enter his credit card information. This information is then sent to a pre-determined email address.

The email with the virus attached will appear to come from Do_Not_Reply@paypal.com with a subject line of IMPORTANT and a random stream of characters. The actual attachment is called InfoUpdate.exe or www.paypal.com.pif.

More information and a patch to remove the virus can be found at:

http://www.symantec.com/avcenter/venc/data/w32.mimail.j@mm.html
http://vil.nai.com/vil/content/v_100825.htm


Randex

08/08/2003 -- W32.Randex.D (and Backdoor.Roxy)

Randex is a network aware worm that attacks administrator passwords and installs the backdoor trojan Backdoor.Roxy. Randex.D is also known as W32/Slanper.worm to McAfee and some other anti-virus companies.

For further information, see:
http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.roxy.html
Trend Micro announcement.

Update -- 09/10/2003

New Virus on Campus -- W32.Randex.F

A new variant of the Randex worm has been spreading on campus. The worm is W32.Randex.F. This is a network aware worm that copies itself as the following files:

  • \Admin$\system32\NETFD32.EXE
  • \c$\winnt\system32\NETFD32.EXE

When performing a scan on your suspected infected host, be sure to search for 'All Executables'.

One other note... An option available to prevent a Randex infected machine from attacking your machine is to disable "NULL user account enumeration". This will prevent the worm from determining what accounts are on your system, and will prevent your users from being locked out.

More information can be found at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.f.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RANDEX.F


Sobig.F

08/19/2003 -- W32.Sobig.F@mm

A new variant of the Sobig worm has been released. The worm is the Sobig.F worm (W32.Sobig.F@mm). This is a mass-mailing, network-aware worm that sends itself to other email addresses found in specific documents on the infected machine.

The email message will spoof the 'From: ' address and the subject line will be any of the following:

  • Re: Details
  • Re: Approved
  • Re: Re: My details
  • Re: Thank you!
  • Re: That Movie
  • Re: Your application
  • Your details

Or something similar to that wording.

More information can be found here:

http://www.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
http://vil.nai.com/vil/content/v_100561.htm


Welchia

08/19/2003 -- W32.Welchia.Worm (aka... W32/Nachi.worm)

A new worm is currently spreading that exploits the DCOM RPC vulnerability. It is the Welchia worm (W32.Welchia.Worm). This worm again uses port 135 and specifically targets Windows XP machines. It also exploits the WebDAV vulnerability over port 80, and in that case specifically targets machines running IIS 5.0.

This worm searches for other machines to infect by sending ICMP echo requests (pings), which sharply increases ICMP traffic on the network.

It will also attempt to remove the Blaster worm and apply the Microsoft patch to prevent other threats from infecting the system.

For more information, see the following:

http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.html
http://vil.nai.com/vil/content/v_100559.htm


Swen

09/17/2003 -- W32/Swen@mm

A new mass-mailing worm appears to be making its rounds through campus. It also propagates through Windows shares (mapped drives) as well as P2P networks like Kazaa and IRC. It is currently detected by McAfee as "New Worm", and updated DATs should be available shortly that will properly detect it. For the full advisories see:

http://www.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
http://vil.nai.com/vil/content/v_100662.htm


QHosts-1

10/02/2003 -- QHosts-1

Trojan.Qhosts (Symantec) is a trojan that will modify the TCP/IP settings of an infected machine to point to a different DNS server. Basically, when a browser request is made, the users are routed to specific DNS servers and a remote administrator can direct the user to a page of his choosing.

Trojans do not self-replicate. This must be spread manually with an executable. This relies on an Internet Explorer vulnerability to get installed on the local system.

http://vil.nai.com/vil/content/v_100719.htm
http://www.symantec.com/avcenter/venc/data/trojan.qhosts.html


Beagle

01/18/2004 -- W32.Beagle.A

Symantec reports a new mass-mailing worm affecting Windows. The worm will work only until January 28. This worm inserts several files and registry keys on the system. It will also access remote websites, and email all contacts it can find. The emails sent by this worm have the following characteristics:

Subject: Hi
Message:
Test =)

--
Test, yep.
Filename: .exe
Filesize: 16 Kbytes

More information on Beagle.A can be found at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html

Beagle.B
http://vil.nai.com/vil/content/v_101030.htm
http://www.symantec.com/avcenter/venc/data/w32.alua@mm.html

Beagle.F
http://www.symantec.com/avcenter/venc/data/w32.beagle.f@mm.html
http://vil.nai.com/vil/content/v_101062.htm

Beagle.K
http://www.symantec.com/avcenter/venc/data/w32.beagle.k@mm.html
http://vil.nai.com/vil/content/v_101074.htm

Beagle.U
http://www.symantec.com/avcenter/venc/data/w32.beagle.u@mm.html
http://vil.nai.com/vil/content/v_101141.htm

Beagle.W
http://www.symantec.com/avcenter/venc/data/w32.beagle.w@mm.html
http://vil.nai.com/vil/content/v_122415.htm

Beagle.AI
http://vil.nai.com/vil/content/v_126798.htm
http://www.symantec.com/avcenter/venc/data/w32.beagle.ag@mm.html

Beagle.AR
http://www.symantec.com/avcenter/venc/data/w32.beagle.ar@mm.html
http://vil.nai.com/vil/content/v_128582.htm

Beagle.AV
http://www.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html
http://vil.nai.com/vil/content/v_129509.htm


W32/Mydoom@MM (AKA... W32.Novarg.A@mm)

01/26/2004

This is a new mass-mailing worm with a spoofed 'From:' address and subject line. The attachment will have a varied file extension (.exe, .pif, .cmd, .scr). The message contains Unicode characters and has been sent as a binary attachment. Infected machines will perform a DDoS against www.sco.com on February 1.

http://vil.nai.com/vil/content/v_100983.htm
http://www.f-secure.com/v-descs/novarg.shtml
http://www.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

Update -- 01/28/2004

Mydoom.B
A variant of Mydoom.A. This mass-mailing worm uses a similar email structure and will perform a DDoS against www.microsoft.com.

http://www.f-secure.com/v-descs/mydoom_b.shtml
http://www.us-cert.gov/cas/techalerts/TA04-028A.html
http://www.symantec.com/avcenter/venc/data/w32.mydoom.b@mm.html

Mydoom.O
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html

Update -- 02/24/2004

MyDoom.F
A new variant of MyDoom is making the rounds on campus. More information on this variant can be found at:

http://www.symantec.com/avcenter/venc/data/w32.mydoom.f@mm.html
http://vil.nai.com/vil/content/v_101038.htm

Update -- 11/09/2004

MyDoom.ah
http://www.symantec.com/avcenter/venc/data/w32.mydoom.ah@mm.html
http://vil.nai.com/vil/content/v_129631.htm

Update -- 11/09/2004

MyDoom.ai
http://www.symantec.com/avcenter/venc/data/w32.mydoom.ai@mm.html
http://vil.nai.com/vil/content/v_129630.htm


Netsky

03/02/2004 -- W32/Netsky.C@MM

Netsky.C is a mass-mailing worm that spreads via email and mapped drives. It attempts to deactivate the Mydoom.A and Mydoom.B viruses. The email will have various subjects, bodies and attachments, but the attachments will all have a .pif extension.

More information can be found at
http://vil.nai.com/vil/content/v_101048.htm
http://www.symantec.com/avcenter/venc/data/w32.netsky.c@mm.html

Netsky.D
http://www.symantec.com/avcenter/venc/data/w32.netsky.d@mm.html
http://vil.nai.com/vil/content/v_101064.htm

Netsky.P
http://www.symantec.com/avcenter/venc/data/w32.netsky.p@mm.html
http://vil.nai.com/vil/content/v_101119.htm

Netsky.Q
http://www.symantec.com/avcenter/venc/data/w32.netsky.q@mm.html
http://vil.nai.com/vil/content/v_101145.htm

Netsky.Z
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.z@mm.html
http://vil.nai.com/vil/content/v_121076.htm


Phatbot/Agobot/Gaobot Worm

04/07/2004 -- W32.HLLW.Gaobot.AE, W32/Agobot.AA

This worm spreads through network shares with weak passwords. It also allows for a hacker to access an infected computer through IRC. It uses the DCOM RPC vulnerability, which uses TCP ports 135 and 445.

The latest virus definitions from McAfee or Norton should remove this worm. It can also be detected and removed with Stinger.

http://www.us-cert.gov/current/current_activity.html#phatbot
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.ae.html
http://vil.nai.com/vil/content/v_101100.htm

Update -- 11/09/2004

Gaobot.BQJ

http://www.symantec.com/avcenter/venc/data/w32.gaobot.bqj.html


Sasser Worm

05/02/2004 -- W32.Sasser.B.Worm

The Sasser worm attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly-chosen IP addresses for vulnerable systems. If you are seeing lots of connections to port 445 (and possibly 5554 and 9996), you may be seeing traffic from an infected host. For more information on detecting and removing the worm from Windows computers, see:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html
http://vil.nai.com/vil/content/v_125008.htm

Prevention: Patch systems and/or disable IIS. Report infected Texas A&M hosts to us by mailing logs and time zone information to security@net.tamu.edu.
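The two traffic patterns this page describes, the W32.SQLExp entry's 376-byte UDP datagrams to port 1434 and the Sasser entry's bursts of connections to ports 445, 5554 and 9996, can be picked out of firewall logs with a small script. The following is an added example, not code from the original page; the log line format, the sample traffic and the fan-out threshold of five targets are all constructed assumptions.

```python
"""Flag the W32.SQLExp and Sasser traffic patterns in firewall log lines.

Added example, not code from the original page. The log format and all
sample traffic below are constructed for illustration; adapt LOG_RE to
whatever your own firewall or flow collector emits.
"""
import re
from collections import defaultdict

# Constructed format: "<timestamp> <src> -> <dst> <PROTO> dport=<n> bytes=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"(?P<proto>TCP|UDP) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# The single UDP datagram described in the W32.SQLExp entry.
SQLEXP_PORT, SQLEXP_BYTES = 1434, 376
# Ports named in the Sasser entry.
SASSER_PORTS = {445, 5554, 9996}

# Constructed sample traffic (not real captures). 10.0.5.20 behaves like a
# SQLExp sender, 10.0.7.11 like a Sasser scanner; 10.0.3.3 is a normal
# client talking to one file server and one web server; one line is garbage.
SAMPLE_LOG = """\
2004-05-02T10:00:01 10.0.5.20 -> 10.0.9.3 UDP dport=1434 bytes=376
2004-05-02T10:00:01 10.0.5.20 -> 10.0.9.4 UDP dport=1434 bytes=376
2004-05-02T10:00:02 10.0.5.20 -> 192.0.2.7 UDP dport=1434 bytes=376
2004-05-02T10:00:02 10.0.5.21 -> 10.0.9.3 UDP dport=1434 bytes=60
2004-05-02T10:00:05 10.0.7.11 -> 10.0.1.1 TCP dport=445 bytes=60
2004-05-02T10:00:05 10.0.7.11 -> 10.0.1.2 TCP dport=445 bytes=60
2004-05-02T10:00:05 10.0.7.11 -> 10.0.1.3 TCP dport=445 bytes=60
2004-05-02T10:00:06 10.0.7.11 -> 10.0.1.4 TCP dport=445 bytes=60
2004-05-02T10:00:06 10.0.7.11 -> 10.0.1.5 TCP dport=5554 bytes=60
2004-05-02T10:00:06 10.0.7.11 -> 10.0.1.6 TCP dport=9996 bytes=60
2004-05-02T10:00:09 10.0.3.3 -> 10.0.1.1 TCP dport=445 bytes=1200
2004-05-02T10:00:09 10.0.3.3 -> 10.0.1.1 TCP dport=445 bytes=980
2004-05-02T10:00:10 10.0.3.3 -> 10.0.8.8 TCP dport=80 bytes=512
this line is not in the expected format and is skipped
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        yield rec


def find_sqlexp_senders(text):
    """Map source -> number of 376-byte UDP/1434 datagrams it sent.

    The 10.0.5.21 line to port 1434 is only 60 bytes, so an ordinary
    SQL Server resolution query does not trip this check.
    """
    counts = defaultdict(int)
    for rec in parse_log(text):
        if (rec["proto"] == "UDP" and rec["dport"] == SQLEXP_PORT
                and rec["bytes"] == SQLEXP_BYTES):
            counts[rec["src"]] += 1
    return dict(counts)


def find_sasser_scanners(text, min_targets=5):
    """Map source -> number of distinct hosts it contacted on Sasser ports.

    Only sources reaching at least min_targets distinct destinations are
    reported, so a workstation using one file share on 445 is not flagged.
    The threshold is an assumption; tune it to your network's baseline.
    """
    targets = defaultdict(set)
    for rec in parse_log(text):
        if rec["proto"] == "TCP" and rec["dport"] in SASSER_PORTS:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, n in find_sqlexp_senders(SAMPLE_LOG).items():
        print(f"possible W32.SQLExp sender {src}: {n} datagrams")
    for src, n in find_sasser_scanners(SAMPLE_LOG).items():
        print(f"possible Sasser scanner {src}: {n} distinct targets")
```

Hosts the script reports are candidates for the Symantec and McAfee removal tools linked above, after the MS02-039/MS02-061 and MS04-011 patches have been applied.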


Korgo Worm

06/22/2004 -- W32.Korgo.I Worm

Current Variants: F, H, I, L

The Korgo worm exploits the Microsoft LSASS Buffer Overrun Vulnerability. This is described in Microsoft Security Bulletin MS04-011. This self-executing worm listens over port 445, and spreads with a random filename. It acts as a remote access server to allow an attacker to control the compromised system.

http://vil.nai.com/vil/content/v_126118.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.i.html

Removal Tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.removal.tool.html


Sober Worm

05/02/2005 -- W32.Sober.p@MM Worm

Current Variants: N, O, P

The Sober worm is a mass-mailing worm which will spoof the 'From:' address. The message will be sent in either German or English. The mail message will look like:

Subject: Your Password
Body:
Account and Password Information are attached!!

Further in the body there are messages concerning antivirus information which will spoof the recipient's domain.

For further information:

Sober.N
http://vil.nai.com/vil/content/v_132720.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.n@mm.html

Sober.O
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.o@mm.html
http://vil.nai.com/vil/content/v_133061.htm

Sober.P
http://vil.nai.com/vil/content/v_133409.htm


Mytob Worm

05/16/2005 -- W32.Mytob.B@MM Worm

Current Variants: B, AN

The Mytob worm is a mass-mailing worm which will spoof the 'From:' address. It uses its own SMTP engine and also has the ability to open a back door and spread through network shares.

For Further Information:

http://vil.nai.com/vil/content/v_132158.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob@mm.html

Mytob.B
http://vil.nai.com/vil/content/v_133417.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.b@mm.html

Mytob.AN
http://vil.nai.com/vil/content/v_133344.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.an@mm.html

Mytob.ET
http://vil.nai.com/vil/content/v_134910.htm


Plug and Play Exploit (MS05-039)

11/01/2005 -- IRC-Mocbot
08/18/2005 -- W32.Esbot.A & W32.Zotob.E
Plug and Play patch (MS05-039) for 2000, Server 2003, XP (various patch levels). The vulnerability could be exploited by users with accounts on your computer, locally or remotely, depending on your current OS and patch level. The exploit/service involves the use of TCP ports 139 and 445, which are not opened by default on the campus firewall.

Current Exploits of this vulnerability:

Update - 08/15/2005
Note on Zotob worm:
Reports from people off campus are that the Zotob worm (which exploits MS05-039, see above) can cause unpatched Win2K machines to reboot.


CIS Network Security Team  -  Texas A&M University
Send comments to security@net.tamu.edu