Ben's Virus Alert Summary Page:
Descriptions & Remedies

Careful of the "Bugbear.B" Virus: June 8, 2003 Update

It's been pretty quiet on the virus front for awhile, so here's the latest cyber-threat you've got to protect yourself from, the "Son of Bugbear" [my term] for the newest strain of the Bugbear Virus detailed in the 10/04/02 notes about the original virus, listed below. If you haven't been updating your anti-virus program [Ben's choice? Norton Anti-Virus: www.symantec.com or try McAfee's version at www.mcafee.com] then you're at risk, and you're probably already infected. Here's the definition of the highly-threatening Bugbear.B from Norton's website:

"W32.Bugbear.B@mm is a mass-mailing, polymorphic worm that also spreads through network shares. This worm infects a select list of executable files, has keystroke-logging and backdoor capabilities and will attempt to terminate the processes of various antivirus and firewall programs."

W32/Bugbear.B@MM is rated as HIGH RISK FOR HOME AND CORPORATE USERS. This mass-mailing worm attempts to send itself to email addresses found on an infected system. It also spreads through open network shares and has the ability to send print jobs to printers found on an infected network. Read more about anti-virus measures that you should already be taking, or risk losing everything on your computer sooner or later!!!

Careful of the "Bugbear" Virus: October 4, 2002 Update

 
You knew it had to happen sooner-or-later...it's been pretty quiet on the virus front for awhile, so here's the latest cyber-threat you've got to inoculate yourself/your system against, called the Bugbear Virus.  If you haven't been updating your anti-virus program [Ben's choice?  Norton Anti-Virus: www.symantec.com or try McAfee's version at www.mcafee.com] then you're at risk, and may already be infected.  Here's the definition of Bugbear from McAfee's website:

W32/Bugbear@MM is rated as HIGH RISK FOR HOME AND CORPORATE USERS. This mass-mailing worm attempts to send itself to email addresses found on an infected system. It also spreads through open network shares and has the ability to send print jobs to printers found on an infected network.

Once the virus is run, it will attempt to disable various security products, including many forms of anti-virus and personal firewall software. It will also attempt to install a backdoor trojan that will allow a hacker access to the infected PC.

Payload: What Can This Virus Do?

This virus spreads via email and via network shares. It makes use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability in Microsoft Internet Explorer (v 5.01 or 5.5 without SP2). Simply opening or previewing an infected message in a vulnerable email reader can result in infection.

This virus can "spoof" the "from" field, by combining random elements to form a fake "from" address.  Possible message subject lines include the following (however, other random subject lines are also possible):

The message body varies widely. It is likely that the virus takes material from infected systems and places it within the message.  The attachment name also varies. It is common for the attachment name to contain a double-extension (i.e. .doc.pif), but the second extension may not display on all systems, so the file can look like an ordinary document.
 
Once the machine is infected, the worm will attempt to disable security software, including many types of anti-virus and firewall protection. It will also try to install a backdoor trojan that can capture what the user types, including sensitive information such as passwords. The trojan will also allow an attacker to upload files from the infected system, download files onto the system, run executable files and stop processes from running.   Infected systems may send print jobs to all network printers.

 

April 28, 2002: It's a bad one...and it's dangerous because it morphs into so many different messages or subject lines.  And thousands of you are getting suckered in by the latest variation of the W32.Klez Worm:  

W32.Klez.gen@mm is a mass-mailing worm that searches the Windows address book for email addresses and sends messages to all recipients that it finds. The worm uses its own SMTP engine to send the messages.

The subject and attachment name of incoming emails are randomly chosen. The attachment will have one of the following extensions: .bat, .exe, .pif or .scr.  The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message. Information and a patch for the vulnerability can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

W32.Klez.gen@mm attempts to copy itself to all network shared drives that it finds.  Depending on the variant, the worm will drop one of the following viruses: W32.Elkern.3326, W32.Elkern.3587 or W32.Elkern.4926.
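The Bugbear notes above mention double-extension attachment names (like .doc.pif) and the Klez entry lists the .bat/.exe/.pif/.scr extensions its attachments carry. Here's an added example, not code from Norton, McAfee or this page, of a small attachment screen that flags those patterns, the .eml form Nimda used (see further down), and an executable labelled with a media MIME type, the mislabelling class behind the MS01-020 bulletin linked above; the sample message it checks is constructed inline.

```python
"""Screen a raw e-mail for the attachment lures described on this page.

Constructed example: the message built by build_sample() is made up for
this illustration; it is not a captured worm sample.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions the page lists as worm carriers: Klez uses .bat/.exe/.pif/.scr,
# Bugbear arrives as a .pif; .com and .vbs are added here as the same class.
EXEC_EXTS = {".bat", ".exe", ".pif", ".scr", ".com", ".vbs"}

# Harmless-looking extensions that a double-extension lure (e.g. .doc.pif)
# hides behind on systems configured to hide known extensions.
DOC_EXTS = {".doc", ".txt", ".jpg", ".gif", ".pdf", ".xls", ".htm", ".html"}

# MIME types a client should hand to a viewer, never execute. An executable
# attachment labelled this way is the mislabelling that MS01-020 concerns.
PASSIVE_MIME_PREFIXES = ("audio/", "image/", "video/", "text/")


def attachment_findings(filename, content_type):
    """Return the reasons one attachment looks like a lure (empty if none)."""
    reasons = []
    pieces = filename.lower().strip().split(".")
    last = "." + pieces[-1] if len(pieces) > 1 else ""
    second = "." + pieces[-2] if len(pieces) > 2 else ""

    if last in EXEC_EXTS:
        reasons.append(f"executable extension {last}")
        if second in DOC_EXTS:
            reasons.append(f"double extension {second}{last}")
        if content_type.lower().startswith(PASSIVE_MIME_PREFIXES):
            reasons.append(f"declared type {content_type} does not match an executable")
    elif last == ".eml":
        # Nimda also travelled as readme.eml, a message-within-a-message.
        reasons.append("embedded .eml message as attachment")
    return reasons


def screen_message(raw_bytes):
    """Parse a raw RFC 822 message; map each attachment name to its findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed attachment)"
        results[name] = attachment_findings(name, part.get_content_type())
    return results


def build_sample():
    """Constructed message in the style of the 'My Party' lure quoted on this page."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "new photos from my party!"
    msg.set_content("My party... It was absolutely amazing! See attached.")
    # Executable named like a document and mislabelled as a sound file.
    msg.add_attachment(b"MZ\x90\x00 placeholder, not real code",
                       maintype="audio", subtype="x-wav",
                       filename="photos.doc.pif")
    # An ordinary executable attachment, honestly labelled.
    msg.add_attachment(b"MZ\x90\x00 placeholder, not real code",
                       maintype="application", subtype="octet-stream",
                       filename="readme.exe")
    # A benign document for contrast.
    msg.add_attachment(b"%PDF-1.4 placeholder",
                       maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in screen_message(build_sample()).items():
        print(name, "->", "; ".join(reasons) or "no findings")
```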

Wanna know more?  Check either Norton's [my preference] or McAfee's sites.

 

January 29, 2002: So you missed a party and want to look at the pictures???  One more time, a simple reminder: There's No Such Thing As A Safe Attachment Sent By A Friend Anymore!!! 

How many times do I have to tell you: No matter what, do NOT open an e-mail from someone even if you know them and they're a "friend." Here's another/the latest example of a friend-transmitted virus that's taking off like wildfire; it's called the "My Party" virus, and in a nutshell here's the description of this latest cyber-pest:

Subject: new photos from my party!
Message:
Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Attachment: www.myparty.yahoo.com

The worm sends email to all contacts in your Windows address book, and to email addresses that it finds in the Outlook Express Inboxes and folders.  In addition, the worm sends a message to the author so that the author can track the worm.  On NT/2000/XP systems, the worm drops a backdoor Trojan that allows a hacker to control your system. NAV will detect this as backdoor.Myparty.  Finally, if the file name of the worm is Access.<any extension>, it may launch your Web browser to http://www.disney.com. However, the worm does not contain code which can generate a file with the name Access.<any extension>, so it is highly unlikely that this will trigger.

Also Known As: W32/Myparty@MM, WORM_MYPARTY.A, W32/MyParty-A, Win32.MyParty, I-Worm.Myparty

Need a fix/patch/anti-virus shot for this one?  Norton users go here...McAfee go here.  And if you're using anything else, you're on your own.


 

December 4, 2001: Don't Let Your Computer Be The Next GONER; There's No Such Thing As A Safe Attachment Sent By A Friend Anymore!!! 

How many times do I have to tell you: No matter what, do NOT open an e-mail from someone even if you know them and they're a "friend." Here's the latest example of a friend-transmitted virus that's taking off like wildfire; it's called the "Goner" Virus, and in a nutshell:

  • E-mail has subject line of "Hi," and asks user to check an attached screen saver program.
  • Worm sends itself out to everyone in the victim's Microsoft Outlook e-mail address book or through the instant messaging program ICQ.
  • Goner attempts to delete critical files for any security or anti-virus program the victim might have installed.
  • Time to update your virus programs? I'll bet it is; here's the links to Norton/Symantec and McAfee's specific sections on their websites that'll update this. 

Wanna know the whole story? Here it is from the Associated Press:

12/04/2001 - Updated 01:39 PM ET 
WASHINGTON (AP) Anti-virus companies scrambled to protect their customers against a new viruslike e-mail attack Tuesday that purports to be a computer screen-saver program. Security company McAfee reported thousands of its clients sent in copies of the worm, called 'Goner.' An Internet worm has the ability to spread to other computers on its own. "It's very harmless looking," McAfee virus research manager April Goostree said. The e-mail has a subject line of "Hi," and asks the user to check a screen saver program, which is attached. If the recipient runs the screen saver, the computer becomes infected. Like many e-mail attacks, it sends itself out to everyone in the victim's address book. It can also send itself through the instant messaging program ICQ.

In addition to ICQ, Goner affects only Microsoft's Outlook and Outlook Express e-mail programs on computers running Windows. Computer experts advise that people not open unexpected e-mail attachments, even if the sender is someone familiar. Computer users should update their anti-virus software at least weekly. Goner also attempts to delete critical files for any security or anti-virus program the victim might have installed.

McAfee has placed Goner on "outbreak" status. The last virus with that status was the "Love Letter" attack, which caused billions of dollars in damages worldwide. "It's moving extremely quickly," Goostree said. "We're getting hundreds and hundreds of samples in a very short time." Anti-virus companies received the first samples of Goner from Europe, particularly France and Germany. Ian Hameroff, a business manager at Computer Associates, said about 30 of its clients worldwide reported getting the worm. By Tuesday afternoon, several major anti-virus companies including McAfee and Symantec had released updates so their software can detect Goner. 


 

November 26, 2001: It's Dangerous...The Badtrans virus will unravel your computer and you don't even have to open it!   According to Reuters news service: 

SAN FRANCISCO (Reuters) — An Internet worm that leaves infected computers vulnerable to future hacking by tracking what is typed on the keyboard, including passwords and credit card details, was spreading rapidly Monday, computer security companies warned. The worm, called "Badtrans," spreads through Microsoft Outlook or Outlook Express e-mail programs and automatically sends itself to unanswered e-mails in inboxes, according to several antivirus companies.

The attachment, which contains the malicious program, can be executed simply by reading or previewing it and doesn't need to be double clicked or opened separately, experts said.  The worm contains a keystroke logger which can be used to record what people type to obtain passwords and credit card numbers, they said.  "It does no damage to files but does drop a backdoor trojan on the machine which would allow a hacker to come back and access personal information," said April Goostree, virus research manager at McAfee.com.

While corporate e-mail gateways are blocking the worm, many home and small office computer users who aren't up to date on their antivirus software are getting infected, she said. The subject line varies, often assuming the text of the unanswered e-mail whose e-mail address it co-opts. The name of the attachment varies as well, with suffixes including .doc, .pics and .news.  The worm, a variant of one discovered in April, has hit at least 50 countries, with most infections in Germany, followed by the UK and United States, said UK-based MessageLabs, which reported receiving 400 copies an hour this weekend.

Want more info? Check out the Symantec/Norton and McAfee websites...and get your system inoculated immediately!


October 1, 2001: The ARF! ARF! I Got You Disembowler virus...Five minutes after this stupid virus is run, it attempts a mailing routine. Email addresses are gathered from the Windows Address Book, Outlook Express mailboxes, and Netscape mailboxes (addresses found in the email messages within existing mailboxes are gathered too), and these file locations and addresses are saved to a hidden .DAT file somewhere on the hard disk (location varies). The messages sent by the worm contain varying subject headings, body text, and attachments. The body of the message is derived from the contents of other files on the victim's computer. It may send more than one attachment and may include non-.EXE or non-viral files along with an infectious .EXE file.

 
Here's the message I received with the DOUBLE viruses that were e-mailed to me recently; it didn't make any sense [still doesn't] and positioned itself as a business communication from someone I knew.  Wrong on both counts:
 
"Examine the table area in the document COVERPG.DOC provided.  For this example we have already merged the cover page form letter to a file, and called it MERGE.DOC.  As stated above we used "EditFindStyle" to find the recipient data, after we have got that information we use DDEPoke to pass that information across to WinFax before we do the print."
 
Wanna know more?  Here's two spots for more information...try this one first, then take a look at this one.  And please don't open e-mails unless you're ABSOLUTELY SURE that you know what you're opening...even if you know the person sending the e-mail to you.

September 25, 2001: The idiots that create these viruses are sick bastards, but the creator of this latest strain of cyber-heartburn, the "Vote Virus" needs to be shot.  Attempting to cash in on the wave of patriotism and participation that's swept the country since 9-11-01, the hook here is to try to get you to vote on whether we should go to war...or not.  "Hi. Is it a war against America or Islam!? Let's vote to live in peace!" or the subject line of "Peace Between America and Islam" is the message/hook in the subject line that they're attempting to sucker you in with.  And if you're dumb enough to open the attachment entitled "WTC.exe," the virus tries to delete all the files on the computer's hard drive and sends copies of the e-mail to every address listed in the computer's address book.  The Vote Virus also defaces any Web pages that are hosted by an infected computer to read: "America ... few days will show you what we can do!!! It's our turn ))) ZaCker is so sorry for you."

 
In addition the virus, which is a worm because of its self-propagation capabilities, deletes the Windows directory files, tries to download a "backdoor" on the computer and unsuccessfully attempts to reformat the system according to experts. This "backdoor" enables someone to get remote access to the computer without permission.
 
Wanna know more?  Here's an article from Reuters:

New 'War Vote' Virus Deletes Computer Files
 
By Elinor Mills Abreu
Monday September 24 6:48 PM ET
 
SAN FRANCISCO (Reuters) - Computer security experts on Monday warned of a new virus that deletes files while masquerading as a program that will allow people to vote on whether the United States should go to war over the Sept. 11 hijacker attacks.
 
The "Vote Virus," which so far is not widespread, circulates via e-mail to users of Microsoft Corp.'s (Nasdaq:MSFT - news) Outlook e-mail program, said Simon Perry, vice president of security solutions at Computer Associates International Inc. (NYSE:CA - news).
 
The virus, punctuated by strange grammar and a mix of lower- and upper-case letters, appears with the subject line: "Peace between America and Islam!" and the body of the e-mail reads: "Hi. Is it a war against America or Islam!? Let's vote to live in peace!" Perry and other experts said.
 
When the attachment entitled "WTC.exe" is opened, the virus tries to delete all the files on the computer's hard drive and sends copies of the e-mail to every address listed in the computer's address book, he said.
 
The virus also defaces any Web pages that are hosted by an infected computer to read: "America ... few days will show you what we can do!!! It's our turn ))) ZaCker is so sorry for you," according to Perry.
 
In addition the virus, which is a worm because of its self-propagation capabilities, deletes the Windows directory files, tries to download a "backdoor" on the computer and unsuccessfully attempts to reformat the system, said Vincent Gullotto, senior research director of Network Associates Inc.'s (Nasdaq: NETA - news) Antivirus Response Team. A "backdoor" would enable someone to get remote access to the computer without permission.
 
The virus also can delete antivirus software on the computer, according to Vincent Weafer, director of Symantec Corp.'s (Nasdaq:SYMC - news) Antivirus Research Center.
 
SICK SENSE OF HUMOR
 
The virus is believed to be the work of an opportunist and not associated with the Sept. 11 jetliner attacks on the World Trade Center and Pentagon in which nearly 7,000 people are feared dead.
 
"There is no evidence that this is related to the people who carried out" the attacks, Perry said.
 
Virus writers have discovered that they can easily dupe people into opening emails by appealing to their prurient interests.
 
For example, popular viruses have purported to be photos of naked women or love letters, like the "I Love You" virus that caused an estimated $8.7 billion in global damage last year.
 
Researchers are worried that the new, dangerous virus might spread quickly because of its supposed relation to the debate over U.S. retaliation for the attacks.
 
"We feel this is likely to get quite a high pickup in that a lot of people are going to click on this," Perry said. "If the news about this doesn't get out before people get their e-mails, they're at risk."
 
Perry said he expects there will be more socially engineered viruses related to the topic of war and terrorism. "What this is, is a sick sense of humor," Perry said. "Chances are this is not any kind of cyber-terrorism. It's just cyber terror."
 
"If this was truly politically motivated there would have been more of a message some place in the code," noted Gullotto.
 
FEW INFECTIONS SO FAR
 
While Symantec and Network Associates reported only a couple of customer infections each, between five and 10 large corporate customers of Computer Associates have been infected since the virus first appeared on Monday morning, Perry said.
 
Researchers do not know where it originated from but it has not yet hit Europe and Asia, he said. The software companies are working to update their antivirus programs to detect and protect computers against the new virus, researchers said.
 
A free security update for Outlook 2000 that was released about a year ago automatically blocks it, according to Microsoft spokesman Jim Desler. "We find it appalling that someone would choose this time and these circumstances to propagate a virus," he said.

September 19, 2001: It's a bad one making the rounds...called the Nimda virus: First I need to point out what a wonderful communications tool the Internet and e-mail evolved into on 9-11-01 and the days that followed.  When traditional communications methods broke down because of the disaster and the telephone and cell phone infrastructure being pushed beyond its limits, e-mail was a Godsend. So let's keep it running smoothly, and make you smart about the latest–and quite dangerous–virus that's spreading like wildfire across the nation and around the world.

 
The 'Nimda' virus or worm appeared online Tuesday, Sept 18th for the first time and is currently spreading across the Internet, and we want you to be alerted, informed and armed with the tools needed for protection against this harmful virus.
 
If you are using Windows 95, 98, Millennium, NT, or 2000 software, you are vulnerable to the Nimda virus. Your computer can be infected with the virus by
1) downloading email attachments;
2) visiting Web sites infected with the virus; and
3) through other computers infected with the virus on a network system.
 
E-mail: The Nimda virus can arrive by email as an attachment reportedly named readme.exe, or sometimes readme.eml. Do not download this file. Remember, an email with the virus can come from friends as well as people that you do not know, so you should check all email that you receive.
 
Web Visits: Your computer can also become infected by visiting a web site that has been hit with the virus. To avoid infection while browsing the Web, you should immediately update your anti-virus software.
 
Initial reports indicate that the virus will not destroy any files on your computer or otherwise harm your computer. However, because the virus can use your computer to infect other computers, it is important to ensure your computer has the latest anti-virus software update. So act as soon as possible.
 
Take Action Now!  Inoculate your system, or update your current anti-virus software "definitions".  Anti-virus company assistance can be found at Symantec Security Response or McAfee's Security Response, and Microsoft's patch is available to address the vulnerability that the Nimda virus exploits. 
 
Further information regarding this virus is available from the CERT Coordination Center at CERT Advisory.
 
 
THREE TIPS THAT WILL HELP YOU AVOID CREATING A CYBER-NIGHTMARE
 
DO NOT OPEN YOUR E-MAIL PROGRAM until you have installed or updated your anti-virus software.  You don't even have to "open" an e-mail to get infected...it's very dangerous. If you don't have any, get it now!!!  It's not expensive...less than $30, available at Sam's or CompUSA or even Borders or Barnes & Noble.

 
DO NOT OPEN YOUR BROWSER AND SURF THE WEB until you have installed or updated your anti-virus software.  This is a very "sticky" virus and you can inadvertently pick it up by browsing on a website that has been infected. [This website was down on Tuesday and part of Wednesday while the company that hosts this website was upgrading and installing patches to prevent any infection in their system.  In other words: Our site's safe!] 
 
NEVER OPEN AN ATTACHED FILE that you may receive in your e-mail, EVEN IF IT'S FROM A FRIEND/FAMILIAR SOURCE. They could have been affected and their computer is going nuts, e-mailing the virus to everyone in their address book!
 
 
Here's more information about this dangerous virus, in a story from Reuters:
 
Virulent Nimda worm hits computers worldwide
By Bernhard Warner, European Internet Correspondent
 
LONDON, Sept 19 (Reuters) - A fast-spreading computer worm has corrupted corporate computer networks and personal computers in an outbreak that could be more widespread and damaging than the Code Red infections, computer security experts said.
 
Known as "Nimda," the word "admin" spelled backwards, the worm first appeared in the United States on Tuesday, spread to Asia overnight and thousands of European businesses opened business Wednesday morning with infected computer systems.
 
Internet security experts had warned of the potential for an increase in virus activity after last week's attacks on the World Trade Center and Pentagon, but U.S. Attorney General John Ashcroft said there was no sign of a link to those events.
 
"There is no evidence at this time which links this infection to the terrorist attacks of last week," Ashcroft said.
 
Ashcroft said Nimda could prove "heavier" than the Code Red worm that caused an estimated $2.6 billion in clean-up costs after outbreaks in July and August.
 
One victim was German electronics conglomerate Siemens AG. The worm infiltrated part of its computer network, a company spokesman said, forcing the firm to shut down some computer servers and its e-mail system for a few hours on Wednesday.
 
As of 0930 GMT, the firm had fortified the affected systems. "No concrete damage was found," the spokesman said, adding the disruption had no impact on business operations.
 
The Nimda worm spreads by sending infected e-mails that carry an attachment labeled "readme.exe." It also propagates by infiltrating unsecured Web sites and attaching itself to an unsuspecting computer user's Web browser, IT officials said.
 
Its target is personal computers and Microsoft computer servers, making it a more malicious and versatile strain than earlier Internet threats, experts said.
 
In Europe, more than 15,000 companies had been infected by Nimda, said Raimond Genes, vice president of sales and marketing for Trend Micro Inc, a security software firm. "This one is really horrible," he said. "It's a combined attack."
 
The affected companies, which he would not name, are located in Germany, the United Kingdom, France, Italy and Switzerland, said Genes.
 
Graham Cluley, senior technical consultant for Sophos Anti-Virus in Oxford, told Reuters on Wednesday he would not be surprised if hundreds of thousands of users had been affected.
 
TRIGGERED IN THE U.S.
 
It first appeared in the United States on Tuesday and was spreading rapidly in Japan and the rest of Asia. Infections were reported in Japan, Hong Kong, Taiwan, South Korea, Singapore and China.
 
The worm had not significantly slowed overall traffic on the Internet, although, like Code Red, some corporate networks were bogged down. One aspect of Nimda's versatility was its ability to modify Web sites to carry files that can spread via downloads, analysts said.
 
Unlike Code Red, the worm can infiltrate a corporate network and create a user account with unlimited access to files and e-mail. "It can even send e-mails in your name," said Cluley.
 
Japanese online magazine "Scan Security Wire" said numerous Web sites had been infected this way, including that of Microsoft Corp's Japanese unit.
 
In the United States, about 130,000 Web servers and personal computers appeared to be infected with it as of Tuesday afternoon, said David Moore, senior researcher at Cooperative Association for Internet Data Analysis at UC San Diego's Supercomputer Center.
 
Nimda exploits an already detected vulnerability in Microsoft's Internet Information Server Web software running on Windows NT or 2000 machines, the same breach that the Code Red viruses exploited. This time though, experts say, it seeks to infiltrate a server by identifying one of 16 vulnerable access points.
 
Once Nimda infects a machine, it tries to replicate in three ways, said Vincent Weafer, senior director of Symantec Corp's Symantec Security Response unit.
 
It has its own e-mail engine and will try to send itself out using addresses stored in e-mail programs. It also scans IIS servers looking for the known vulnerability and attacks those servers.
 
Finally, it looks for shared disk drives [as in computers connected via a network] and tries to reach those devices.

September 5, 2001: News of this virus comes from my friends at the Dallas Press Club:

 
A new worldwide computer virus began spreading yesterday.  This virus, as have the past two major viruses, copies your entire e-mail address book and sends messages to people you know, coming from you. 
 
These viruses sometimes take wording from documents on your computer's hard drive and place it in the "subject" line, in order to fool the recipient into opening the attachment. Last week, we received four infected e-mails, all with headers pertaining to our industry; because the e-mails come from addresses you recognize, and often with familiar headers, you are more likely to open them.  
 
Below are the viral specifics, if you're a techno-geek and want to do a specific virus search on your computer. If you don't have an anti-virus program, you can download a free 30-day trial at www.mcafee.com, but make sure you get the updated 4.0.4157 virus update patch.  

W32/APost@mm ("APost" or "New Backdoor") worm has been spreading over the past 24 hours through the Microsoft Outlook email program. You can be affected even if you don't have Outlook.  The message may read as follows:
 
Subject: As per your request!
 
Body:  "Please find attached file for your review.  I look forward to hear from you again very soon.  Thank you."  (Note:  This is the second virus in a row with an error in grammar - often a clue that it's a fake message!)
 
Attachment:  README.EXE

 
Running the attachment causes the worm to copy itself to the Windows directory and send a copy of itself to every entry in the user's Microsoft Outlook Address Book. It will then display a small dialog box titled "Urgent!". This dialog box contains one single large button labeled "Open". If this button is pressed then the worm sends out further copies of itself, displays an error message box with the title "WinZip SelfExtractor: Warning" and then terminates.

July 24, 2001: I call it the "Hi How Are You?" virus; it's called the SIRCAM virus.  Messages sent by Sircam look like this: 

    "From: [user@address]
    To: [user@address]
    Subject: [document name without extension]

    Hi! How are you?

    'I send you this file in order to have your advice'   (or)

    'I hope you can help me with this file that I send'   (or)

    'I hope you like the file that I send you'   (or)

    'This is the file with the information that you ask for'

    See you later. Thanks"

July 24, 2001: I call it the "Freeware/Word of Wisdom" virus; it's called the NYMPH virus.  Messages sent by the Nymph sell themselves as Fortune Cookie/Freeware and look like this: 
 
"FortuneCookie 32 is a Windows 32 version of the classical fortune cookies you can get at some restaurants. It's very simple double clicking on the cookie.exe file will bring up a fortune cookie.
 
This program is freeware so feel free to send out a word of wisdom to your friends!"
All Content © 2008, Dover Media. All Rights Reserved.