Name: VBS/Kakworm-E
Type: Visual Basic Script worm
Date: 11 December 2000
Description: VBS/Kakworm-E is a variant of the VBS/Kakworm worm.
The worm only affects users using Microsoft Outlook Express 5 as the email client. If the
user opens or previews an infected email message the worm drops the file EXEC.HTA into the
Windows startup folder so that it runs automatically when Windows is started. The EXEC.HTA
file creates a hidden file called C:\WINDOWS\EXC.HTM and changes the Microsoft Outlook
Express Registry settings so that the EXC.HTM is automatically included in every outgoing
message as a signature file.
If a file called G6D9.fld exists in the system directory the worm also attempts to change
the Windows Registry so as to execute the Windows Notepad application in place of any EXE
program file.
Microsoft have released a patch to deal with this security problem which we strongly
recommend users install. For further information and to download the patch please view
Microsoft Security Bulletin (MS99-032).
Name: VBS/LoveLet-CA
Type: Visual Basic Script worm
Date: 11 December 2000
Description: VBS/LoveLet-CA is a variant of the VBS/LoveLet-CA Visual Basic Script worm.
The main difference in this variant is that on December 25th it displays a message box
including the text:
EVEN TRENT KNOWS ITS TRUE=>STARFUCKERS INC. Att. REJOH (REDRUM)
where 'REJOH' can be any random 5 letters.
The worm forwards itself as an email attachment with the subject line:
US PRESIDENT AND FBI SECRETS =PLEASE VISIT = http://WWW.2600.COM
or a random 6 letter string.
The message body will either be
VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURE..
or a random 10 letter string.
Running the attached file infects your computer.
Name: XM97/Fusion-A
Type: Excel 97 macro virus
Date: 11 December 2000
Description: XM97/Fusion-A is an Excel macro virus that attempts to delete the files
HJB.XLS, 874.XLS and KHM.XLS if found in the XLSTART directory. These files are dropped by
other Excel macro viruses.
XM97/Fusion-A then creates its own file called FUSION.XLS in the XLSTART directory.
Name: W32/Xtc
Aliases: I-Worm.XTC, W32/XTC@MM
Type: Win32 worm
Date: 7 December 2000
Description: W32/Xtc is an email-aware worm. The worm spreads across network shares and
via email.
If received via email the worm arrives in the form of an email attachment (usually called
SERVICES.EXE) to a message claiming to be from the email address support@avx.com
The message's subject line is: AVX update notification
The message body text reads:
We would like to notify you about the newest software designed by SOFTWIN company. This
program constantly monitors the net for the newest viral treats and anti-virus databases.
In the case some new virus is in-the-wild, it will immediatelly ask you to download the
newest version of AntiVirus eXpert 2000 (AVX). It's small, it's efficent, it's secure and
powerful. No special licence is needed, it's freeware. We hope you enjoy AntiVirus eXpert
and share it with your friends.
Best regards,
AVX developement team.
When the worm is run it will install itself and then attempt to connect to an Undernet IRC
(Internet Relay Chat) server. It announces its presence on a channel on the IRC server and
can then be controlled and updated by a remote user or other instances of the worm itself.
The worm includes facilities to upload, download and run files on the infected machine and
launch distributed denial of service attacks.
Name: W32/Hybris-B
Type: Win32 worm
Date: 7 December 2000
Description: W32/Hybris-B is a worm capable of updating its functionality over the
internet.
It consists of a base part and a collection of upgradeable components. The components are
stored within the worm body encrypted with 128-bit strong cryptography.
When run, the worm infects WSOCK32.DLL. Whenever an email is sent, the worm attempts to
send a copy of itself in a separate message to the same recipient.
The text of the email message is determined by one of the installed components, and hence
can be changed by the upgrading mechanism detailed below.
Versions of the worm seen by Sophos check the language settings of the computer it has
infected, and select a message accordingly from:
English
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Message text: polite with Snowhite. When they go out work at mornign, they promissed a
*huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs
enter...
French
Subject: aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit de chez
Message text: sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures comme
toujours, ils sont rentrés du travail. Mais cette fois ils avaient un air coquin...
Portuguese
Subject: muito feliz e ansiosa, porque os 7 anões prometeram uma *grande* surpresa.
Message text: As cinco horas, os anõezinhos voltaram do trabalho. Mas algo nao estava
bem... Os sete anõezinhos tinham um estranho brilho no olhar...
Spanish
Subject: siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande*
Message text: sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian un
brillo incomun en los ojos...
The methods for upgrading the worm can also be changed as they are also upgradable
components. At the time of writing, two have been seen.
One of the upgrading techniques attempts to download the encrypted components from a
website which is presumably operated by the worm author. This website has since been
disabled. However, this component could be upgraded to have a different web address.
The other method involves posting its current plug-ins to the usenet newsgroup
alt.comp.virus, and upgrading them from other posts by other infections of the worm. These
are again in the encrypted form, and have a header with a four character identifier and a
four character version number, in order for the worm to know which plug-ins to install.
Another component of the worm searches the PC for .ZIP and .RAR archive files. When it
finds one, it searches inside it for a .EXE file, which it renames to .EX$, and then adds a
copy of itself to the archive using the original filename.
There is a payload component, which on the 24th of September of any year, or at 1 minute
to the hour at any day in the year 2001, displays a large animated spiral in the middle of
the screen which is difficult to close.
Name: WM97/Shore-D
Type: Word 97 macro virus
Date: 7 December 2000
Description: This virus changes local customisations and format style, and protects the
Visual Basic code with the password "cool13".
In addition, three seconds after loading or closing the document it displays a message for
a short time in the Microsoft Word title bar: "Offshore Engineering - Peace at the
sea...". It also creates a template file "Offee*.dot" in the clipart
directory.
Name: W32/Prolin
Type: Win32 worm
Date: 1 December 2000
Description: W32/Prolin is a worm which uses Microsoft Outlook to spread. The worm arrives
in an email message with the subject "A great Shockwave flash movie". The body
of the message contains the text "Check out this new flash movie that I downloaded
just now...It's Great, Bye". The attached filename is CREATIVE.EXE.
If the attached file is run, the worm copies itself into C:\CREATIVE.EXE and
C:\Windows\Start Menu\Programs\Startup\CREATIVE.EXE
and sends itself as an attachment to all contacts from your Outlook address book. It also
sends an email with the subject "Job complete" and the text "Got yet
another idiot." to an address at Yahoo.com.
The worm then looks for any files with the extension MP3, JPG and ZIP and moves them into
the C:\ directory. The moved files remain unchanged but the worm renames them so that the
extension is concatenated with the string "change at least now to Linux", e.g.
from "Flowers.jpg" to "Flowers.jpgchange at least now to Linux".
In order to restore the files they should be moved to their default location and renamed
so that the concatenated string is removed from the filename. The worm also creates a text
file C:\Messageforu.txt which can help to restore the files. The file contains the text
"Hi, guess you have got this message. I have kept a list of files that I have
infected under this. If you are smart enough just reverse back the process. i could have
done far better damage, i could have even completely wiped you harddisk. Remeber this is a
warning & get it sound and clear... - The Penguin" and a list of previous
locations of all renamed files which were moved to C:\ .
Name: W32/Verona-B
Type: Win32 worm
Date: 30 November 2000
Description: W32/Verona-B is a variant of W32/Verona. It uses one of 18 SMTP servers to
propagate.
The subject line may be blank, or made from random lower case letters arranged into 3 or
fewer words, or chosen from the following:
Romeo&Juliet
where is my juliet ?
where is my romeo ?
hi
last wish ???
lol :)
,,...
!!!
newborn
merry christmas!
suprise !
Caution: NEW VIRUS !
scandal !
^_^
It copies itself to C:\WINDOWS\SYSRNJ.EXE and creates a new filetype, RNJFILE, in the
registry.
It then registers the filetypes EXE, JPG, JPEG, JPE, BMP, GIF, AVI, MPG, MPEG, WMF, WMA,
WMV, MP3, MP2, VQF, DOC, XLS, ZIP, RAR, LHA, ARJ and REG, so that Explorer will run the
virus rather than the appropriate program.
This virus relies on a security vulnerability in Microsoft Outlook and Outlook Express to
work. Microsoft has released a patch that eliminates the vulnerability. For further
information and to download a patch please read Microsoft Security Bulletin (MS00-046).
NAME: Navidad
ALIAS: I-Worm.Navidad, W32/Watchit.intd, I-Worm_Navidad, W32/Navidad
SIZE: 32768
Navidad is an Internet worm. It spreads itself as a NAVIDAD.EXE attachment to e-mail
messages sent from an infected computer.
The original worm sample has a bug that makes an infected system inoperable after
infection - no EXE files could be started.
If the attached program is launched, it displays a dialog box containing the text
"UI".
The worm also installs itself into the system tray. If the user clicks on the icon, it
displays a dialog box with the text "Nunca presionar este boton".
If the user clicks the button, the worm displays a dialog box with the title "Feliz
Navidad" and the text "Lamentablemente cayo en la tentacion y perdio su
computadora".
When run, the NAVIDAD.EXE file installs itself as WINSVRC.VXD into the \Windows\System
directory and modifies several Registry keys.
It changes the default EXE file startup key
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
to make sure it starts with every EXE file.
The worm also makes sure it is always run on each Windows startup by creating another
startup key in
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].
The worm also creates a 'Navidad' key in the following section:
[HKEY_CURRENT_USER\Software]
But there's a bug in the worm's code: the Registry keys are created for the WINSVRC.EXE file
while the worm installs itself as the WINSVRC.VXD file. As a result no EXE files can be
started on a system after infection. Also, the worm doesn't get activated on the next Windows
startup. To fix the mess made by this worm, download and run the special REG file from
F-Secure (naviddis). It will restore the default EXE file startup key value and remove the
worm's autostart key too.
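A check for the two registry changes described above, as an added example that is not part of the original advisory or of the F-Secure REG file: it audits a text export of the registry (REGEDIT4 format) for a modified EXE open handler and for unexpected Run entries. The sample export, the value name WinSvrc, the command string and the allowlist are constructed for illustration.

```python
import re

# Standard default for the EXE open handler on Windows.
DEFAULT_EXE_OPEN = '"%1" %*'
EXE_OPEN_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample export (not taken from a real infected machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinSvrc"="C:\\WINDOWS\\SYSTEM\\winsvrc.exe"
'''

# One string value per line: @="data" or "name"="data".
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        if current is None:
            continue  # header line such as REGEDIT4
        m = VALUE_RE.match(line)
        if m:  # only string (REG_SZ) values are handled here
            name = m.group(1)
            name = "@" if name == "@" else _unescape(name[1:-1])
            current[name] = _unescape(m.group(2))
    return keys


def audit(text, known_run_values=("SystemTray",)):
    """Flag a non-default EXE open command and Run values not on the allowlist."""
    findings = []
    # Registry key paths are case-insensitive.
    keys = {k.lower(): v for k, v in parse_reg_export(text).items()}

    cmd = keys.get(EXE_OPEN_KEY.lower(), {}).get("@")
    if cmd is None:
        findings.append(("exefile-open", "default value missing from export"))
    elif cmd.strip() != DEFAULT_EXE_OPEN:
        findings.append(("exefile-open", cmd))

    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name not in known_run_values:
            findings.append(("run", f"{name} -> {data}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_EXPORT):
        print(f"[{kind}] {detail}")
```

The allowlist passed as `known_run_values` should come from a known-good baseline of the machine being checked.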
Name: WM97/Afeto-A
Type: Word 97 macro worm
Date: 30 November 2000
Description: This is a Word macro worm that works in Word 2000 only.
The worm spreads via Outlook and sends itself to all but one of the addresses in the Sent
box. The file that the worm sends is named after the first entry in the Sent box. The
subject and the message body are also taken from items in the Sent box.
When the worm is executed within Word, it searches for a .jpg file of 50 KB or less on the
C: drive. This .jpg is then embedded in the document before emailing takes place.
Name: W32/Bymer-A
Aliases: W32/MSINIT.WORM, WORM.RC5
Type: Win32 worm
Date: 29 November 2000
Description: W32/Bymer-A is a worm that propagates through open file shares. It tries IP
addresses at random. If it finds a machine with a share called "C", it will
infect the machine by copying files to the Windows and Windows system directories. It may
change win.ini or the registry to run the worm on system startup.
It will also secretly install a distributed.net program dnetc.exe in the Windows system
folder, but note that this is legitimate software that may have been installed with
permission.
Name: W32/Navidad-B
Type: Windows 32 executable file virus
Date: 29 November 2000
Description: W32/Navidad-B is a variant of the W32/Navidad email-aware worm. The worm
arrives in an email message with an attachment called EMANUEL.EXE.
If the attached program is launched, it displays a dialog box containing the text
";)".
It then attempts to read new email messages and to send itself to the senders' addresses.
The worm copies itself into the Windows system directory with the filename WINTASK.EXE and
changes the registry so that it runs on Windows startup and before any file is run.
The worm also installs itself into the system tray. If the user clicks on the icon, it
displays a dialog box with the text "Nunca presionar este boton".
If the user clicks the button, the worm displays a dialog box with the title
"Emmanuel....." and the text "Emmanuel-God is with us!May god bless u.And
Ash, Lk and LJ!!".
If the user does not press the button but instead attempts to close the message, the worm
displays a message with the title "Emmanuel....." and the text "May GOd
bless u;D".
Name: W32/Music-D and W32/Music-E
Aliases: W32/Music@m
Type: Win32 worm
Date: 28 November 2000
Description: W32/Music-D and W32/Music-E are both variants of the W32/Music worm.
When an infected file is executed the worm waits a few minutes before attempting to
connect to several internet websites. It attempts to download an updated version of itself
from these websites.
The worm then tries to send itself to email addresses found on the infected PC.
The email message it sends varies depending on the version of itself it has downloaded
from the web, but the message text will probably be similar to:
"Hi, just testing email using Merry Christmas music file, you'll like it."
The worm itself is attached as a file called music.com, music.exe or music.zip.
When this file is run the worm attempts to play the first few bars of the song "We
wish you a Merry Christmas" and displays a cartoon of Santa Claus with the caption
"Music is playing, turn on your speaker if you have one" or "There is error
in your sound system, music can't be heard."
When it has finished playing the music it will then display "Merry Christmas"
and start playing the music again.
Name: VBS/Jean-A
Type: Visual Basic Script worm
Date: 26 November 2000
Description: VBS/Jean-A is a Visual Basic Script worm that will send copies of itself to
each of the first 50 entries in the Microsoft Outlook address book.
The message subject is: News vom Weihnachtsmann
and the body of the message contains the text:
Guten Tag, es ist bald Weihnachten. Und wie sieht's aus mit schönen Geschenken ?
Hierzu ein Tip vom Weihnachtsmann: Unter www.leos-jeans.de gibt es die besten Geschenke im
Web ! Das bedeutet absolut stressfreies Einkaufen, schnelle und unkomplizierte Lieferung,
riesige Auswahl.
Also nichts wie hin, und Frohe Weihnachten.
Translated into English this is:
Subject :"News from Father Christmas "
Message :"Good day,
Christmas will soon be here.
What's the situation with nice presents ?
Here's a tip from Father Christmas. The best gifts on the Web are to be found at
www.leos-jeans.de !
This means completely stress-free shopping, fast and uncomplicated delivery, and a large
choice.
Why not go and have a look, and Merry Christmas."
The name of the attached file may vary but is most likely to be xmas.vbs.
Name: WM97/Ethan-DO
Type: Word 97 macro virus
Date: 24 November 2000
Description: WM97/Ethan-DO is a variant of WM97/Ethan.
Whenever a document is closed there is a 1 in 3 chance of a File|Properties|Summary box
appearing on the screen with the title Ethan Frome.
The method of infection is such that the virus can mix with other viruses to produce a
double infection.
Name: XM97/Slacker-B
Type: Excel 97 macro virus
Date: 16 November 2000
Description: XM97/Slacker-B is an Excel macro virus. The virus contains code that attempts
to delete files on the C: drive.
Name: WM97/Wrench-F
Type: Word 97 macro virus
Date: 15 November 2000
Description: WM97/Wrench-F is a Word macro virus.
When you try to access the Visual Basic Editor the virus displays the Office Assistant
with a message entitled "Skyline MV".
The text of the message reads:
"You thought you got rid of me, but I'm Still here, better and stronger!".
Name: W32/Hybris-B
Type: Windows 32 executable file virus
Date: 7 November 2000
Description: W32/Hybris-B is an email-aware worm that modifies WSOCK32.DLL.
It attempts to email a copy of itself as an attachment along with all outgoing emails from
an infected computer.
Name: WM97/Vesn-A
Type: Word 97 macro virus
Date: 7 November 2000
Description: WM97/Vesn-A is a Word macro virus.
The virus changes the directory in which User Templates and NORMAL.DOT are stored to
"oldpath\normal".
For instance, if the directory used to be:
C:\Program Files\Microsoft Office\Templates
the virus will change it to:
C:\Program Files\Microsoft Office\Templates\normal
Name: WM97/Marker-BR
Aliases: W97M.Marker.BO
Type: Word 97 macro virus
Date: 8 November 2000
Description: WM97/Marker-BR is a variant of the WM97/Marker Word macro virus.
The virus drops the file PHIE.HTML in the Windows directory and attempts to set that file
as the wallpaper.
This is a poem on a yellow background with the title "a Poet For My Dear Love".
Name: WM97/Killdll-B
Type: Word 97 macro virus
Date: 7 November 2000
Description: WM97/Killdll-B is a Word macro virus.
The virus attempts to delete the first DLL it finds in the \Windows\System subdirectory.
Name: XM97/Barisada-G
Type: Excel 97 macro virus
Date: 2 November 2000
Description: XM97/Barisada-G is a variant of the XM97/Barisada-A Excel macro virus.
On April 24th between 2 and 3pm the virus displays a message box with the text:
"Question: What is the Sword Which Karl Styner(=Gray Scavenger) used? Answer:
Barisada".
If the user presses the "No" button, the virus displays a message box saying:
"Good! You're Authorized now!!".
If the user chooses "Yes" the message box displays "I will give you one
more Chance. Be careful!!"
The next message box displayed says "Summoning Xavier is the Ultimate Magic,
Right?".
If the user chooses the "Yes" button the virus displays the message box
"ok, i will forgive you".
If the user chooses "No", the virus displays the message box "Wrong Answer,
Your file will be deleted!" and deletes data from every worksheet of the infected
workbook.
Name: XM97/Divi-W
Type: Excel 97 macro virus
Date: 2 November 2000
Description: XM97/Divi-W is a variant of the XM97/Divi-A Excel macro virus.
The virus creates a file called ODR.XLS in the XLSTART subdirectory.
Name: W32/Sonic-B
Aliases: W32/Sonic.worm, Sonic
Type: Windows 32 executable file virus
Date: 31 October 2000
Description: W32/Sonic-B is a multi-part virus with backdoor Trojan characteristics.
The first part of the virus is received via email in the form of a file attachment called
LOVERS.EXE
If this file is run the virus copies itself to the Windows System directory with the name
GDI32.EXE. The virus installs itself as a Registry entry to automatically run on startup.
After some delay the virus connects to a website and tries to download its second part,
which is then executed. This opens a backdoor on the computer allowing access by remote
users.
The virus forwards its first part to entries in the Outlook address book:
Subject: Choose your poison
Attachment: LOVERS.EXE
Name: WM97/Bablas-AS
Type: Word 97 macro virus
Date: 31 October 2000
Description: WM97/Bablas-AS is a Word macro virus.
If the user accesses Tools/Macros, or Tools/Templates and Add-Ins, the virus will display
a message box saying "You are my dream.".
Opening Help/About will display another message box entitled "Bpp Hacker" with
the message "Qun katawon walataqun kalaler. I MISS YOU!"
Name: WM97/Marker-FQ
Type: Word 97 macro virus
Date: 31 October 2000
Description: WM97/Marker-FQ is a variant of the WM97/Marker Word macro virus. There is a 1
in 3 chance that the virus will change the file properties of the infected document to
include:
Title = Ethan Frome
Author = EW/KN/CB
Keywords = Ethan
This variant of the WM97/Marker virus is likely to bring up compile errors due to bugs in
its code.
Name: VBS/777-B
Type: Visual Basic Script worm
Date: 30 October 2000
Description: VBS/777-B is a variant of the VBS/777 worm. Whilst the original VBS/777 worm
had a non-working payload, this variant has had VBS/LoveLet code added into the worm.
The worm arrives as an email with the subject line "I HATE YOU".
The body of the email says "kindly check the attached
GOODBYE NEWSGROUPS coming from me."
The attachment is called "MY-FAREWELL-2-NEWSGROUPS.TXT.VBS", which has a
double-extension. Mailers which suppress well-known extensions such as vbs may present
this file as "MY-FAREWELL-2-NEWSGROUPS.TXT.", which appears more innocent.
Because the virus arrives in a VBS file, it requires the Windows Scripting Host (WSH) in
order to work. If you disable WSH, the viral attachment will be rendered harmless.
The virus also drops an HTM file which can spread the virus, and a mIRC script which tries
to distribute it. These components are already detected by current versions of Sophos
Anti-Virus.
The virus checks the Internet Explorer Download Directory for the presence of the file
WinFAT32.exe. If that file does not exist the virus randomly picks one of four websites
and changes the registry to set it as the Start Page for Internet Explorer. The websites
point to an EXE file, WIN-BUGSFIX.exe, which is then downloaded and the Registry is
modified to run the file on reboot. This file is detected as Troj/LoveLet-A.
The Internet Explorer Start Page is also set to blank.
The virus copies itself to two places in the system directory where they are executed each
time the computer reboots.
The email component of the virus requires Microsoft Outlook to work. If you are using
Outlook it will try to send itself to each entry in your Windows Address Book.
The virus also searches all local and networked drives for files that end with the
extensions VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA. These files are overwritten with the
virus and their extension is renamed to .VBS.
Any JPG or JPEG files are also overwritten by the virus but have the extension .VBS added
to the existing filename.
Any MP2 or MP3 music files are overwritten by the virus but are also copied to a new file
that has the .VBS extension added. The original files are set as hidden.
If the virus determines that mIRC is installed on the system it will drop a mIRC script
that will send the virus on via mIRC.
Note that following the Sophos Guidelines for Safe Hex will render you almost immune to
this attack. If you do not read unusual or unlikely emails and if you have disabled the
WSH, then you are unlikely to become infected.
Infected files should be deleted.
Name: WM97/Blaster-D
Type: Word 97 macro virus
Date: 26 October 2000
Description: WM97/Blaster-D is a Word macro virus.
On the 27th of any month the virus will attempt to hide the desktop icons and the taskbar.
Name: WM97/Thus-BP
Type: Word 97 macro virus
Date: 26 October 2000
Description: WM97/Thus-BP is a variant of WM97/Thus-A.
On the 13th and 26th of any month the virus may display a dialog box with the title
"Matrix"
and the text "Attention! Do everything, your computer tells you!".
It then displays an input box with the title "Matrix" and the phrase "Enter
your name, User".
When the user enters a response the virus will display another dialog box containing the
message "Do you know, you're the greatest stupid lamer? If no please call
WWW.MICROSOFT.COM".
If the date is 13th September, 13th December or 26th December the virus then attempts to
exit Windows.
Name: WM97/Title-A
Type: Word 97 macro virus
Date: 17 October 2000
Description: On 3 May, 20 June and 30 July this virus will password protect the infected
document. The password is a randomly chosen integer between -1 and 9.
Name: XM97/Barisada-J
Type: Excel 97 macro virus
Date: 16 October 2000
Description: XM97/Barisada-J is a variant of the XM97/Barisada-A Excel macro virus.
The viral macros are stored in the file HJB.XLS.
On 24 April between 2pm and 3pm the virus displays a series of dialog boxes asking the
user questions which may be related to a fantasy role playing game.
The first dialog box has the title '1st Qusetion' and the text 'Question : What is the
Sword Which Karl Styner(=Grey Scavenger) used? Arswer: Barisada'.
If you press 'No' a dialog box with the title 'Right Answer' and the message 'Good! You're
Authorized now!!' is displayed.
If you press 'Yes' then a dialog box with the title 'Wrong Answer' and the text 'I will
give you one more Chance. Be careful!!' is displayed.
The next dialog box has the title 'Wrong Answer may cause The Serious Problem!' and the
text 'Summoning Xavier is the Ultimate Magic. Right?'.
If you press 'Yes' a dialog box with the title 'Right Answer' and the message 'ok , i will
forgive you' appears.
If you press 'No' a dialog box with the title 'You shall Die' and the message 'Wrong
Answer, Your file will be deleted!' appears. The virus then clears all the cells in all
the open sheets.
Name: WM97/Metys-I
Type: Word 97 macro virus
Date: 16 October 2000
Description: WM97/Metys-I is a Word macro virus.
On September 18th the virus displays a message box:
"Happy Birthday Jess! To celebrate, we're going to see how lucky you are 'Username'.
Click the OK button below to roll a number. If your number matches that of the dealer, you
win!"
If you win the virus displays the message:
"You roll a number between 1 and 9 and the dealer rolls a same number between 1 and
9. You win!"
If you lose the virus displays the message:
"You roll a number between 1 and 9 and the dealer rolls a number between 1 and 9. I'm
sorry, but you lost. Better luck next time!"
Name: VBS/Kakworm-D
Aliases: Mid/Kakworm-D
Type: Visual Basic Script worm
Date: 13 October 2000
Description: VBS/Kakworm-D is a variant of VBS/Kakworm.
It only affects users of Microsoft Outlook Express 5 running under French Windows.
If the user opens or previews an infected email message the worm will drop TAM.HTA to the
Windows start-up folder. It also creates C:\WINDOWS\OUT.HTML which it then sets as the
default signature of Microsoft Outlook Express so that it gets attached to all outgoing
email messages.
The worm will be reported as Mid/Kakworm-D if it is detected in an email.
Name: WM97/Titch-G
Type: Word 97 macro virus
Date: 13 October 2000
Description: This virus is a variant of the WM97/Titch virus.
It is a simple Word macro virus. The virus code includes the following text which does not
get displayed:
"If you had looked you could have found and deleted it but.. You probably never knew
it was here!"
Name: VBS/LoveLet-BI
Type: Visual Basic Script worm
Date: 13 October 2000
Description: VBS/LoveLet-BI is a variant of the VBS/LoveLet-A worm (also known as The Love
Bug).
The worm arrives in the form of an email attachment and if launched forwards itself to
addresses in your Outlook address book.
The email has the following characteristics:
Subject: Gotov je! 24.09.2000!
Text: Ej! Pogledaj ovo u prilogu!!!
Attachment: GotovJe.vbs
The worm writes different copies of itself to the Windows directory and the Windows\System
directory. The worm then displays an HTML file which says:
KOMSIJA,
24 Septembra su izbori! Na time izborima TI pobedjujes Milosevica! Tvoj glas ga plasi!
24.09 Izadji, Glasaj, Pobedi!
Gotov je!
Name: WM97/Marker-FP
Type: Word 97 macro virus
Date: 12 October 2000
Description: WM97/Marker-FP is a variant of the WM97/Marker Word macro virus.
This virus changes the Word Application Username to "JonMMx2000", the user
initials to "MeMeX" and the user address to "JonMMx2000@yahoo.com".
On Mondays, it will create the file jon.html in the directory in which Windows is
installed. This html file is a harmless attempt at poetry.
Name: WM97/Plant-A
Type: Word 97 macro virus
Date: 4 October 2000
Description: On 1 January this virus will display the message:
"Happy NewYear ! You are infected by Plant.Virus. Don't panic, i'm KILL you."