Virus Information

Here is a list of recent viruses that could affect you. More information can be found at Symantec and Sophos.


Virus, Worm, or Trojan Horse | Category | Description

W32.Netad.Trojan
Category: 2
W32.Netad.Trojan is a Trojan horse that attempts to delete all files on the C: drive.

W32.Supova.Z@mm
Category: 2
W32.Supova.Z@mm is a mass mailing worm that sends itself to the email addresses in the Microsoft Outlook address book. The worm also uses IRC to spread.

W32.Netsky.AC@mm
WORM_NETSKY.AC [Trend], W32/Netsky-AC [Sophos], Win32.Netsky.AC [Computer Associates], I-Worm.NetSky.ad [Kaspersky]
Category: 2
W32.Netsky.AC@mm is a worm that scans for the email addresses on all non-CD-ROM drives on an infected computer. The worm then uses its own SMTP engine to send itself to the email addresses that it finds.

The From, Body, and attachment of the email vary. The attachment has a .cpl extension.

This threat is compressed with PECompact.

W32.Sasser.D
W32/Sasser-D [Sophos], WORM_SASSER.D [Trend], W32/Sasser.worm.d [McAfee], Win32.Sasser.D [Computer Associates], Worm.Win32.Sasser.d [Kaspersky]
Category: 2
The W32.Sasser.D worm:
  • Is a variant of W32.Sasser.Worm.
  • Attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011.
  • Spreads by scanning randomly selected IP addresses for vulnerable systems.

W32.Sasser.C.Worm
W32/Sasser-C [Sophos], Worm.Win32.Sasser.c [Kaspersky], W32/Sasser.worm.c [McAfee], WORM_SASSER.C [Trend], Win32.Sasser.C [Computer Associates]
Category: 2

W32.Sasser.C.Worm is a minor variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011 and spreads by scanning randomly selected IP addresses for vulnerable systems.

W32.Sasser.C.Worm differs from W32.Sasser.Worm as follows:

  • Uses a different mutex: JumpallsNlsTillt
  • Launches 1024 threads (instead of 128)
  • Uses a different file name: avserve2.exe
  • Has a different MD5
  • Creates a different value in the registry: "avserve2.exe"

W32.Sasser.B.Worm
Category: 4

W32.Sasser.B.Worm is a variant of the Sasser Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. Symptoms include odd computer behavior, including frequent disconnects and computer restarts in the early stages of infection, followed by an eventual complete inability to connect to any internet resource via any port. At this stage of infection, every port except those that Sasser uses to replicate itself is blocked. Sasser spreads itself by scanning randomly selected IP addresses of unpatched systems.

Symantec Security Response has developed a Removal Tool to remove the Sasser infection. This worm can only infect systems vulnerable to the LSASS vulnerability. The MS04-011 patch can be found here.

W32.Netsky.P@mm
W32.Netsky.Q@mm, W32/Netsky.p@MM [McAfee], Win32.Netsky.P [Computer Associates], NetSky.P [F-Secure], W32/Netsky.P.worm [Panda], W32/Netsky-P [Sophos], WORM_NETSKY.P [Trend]
Category: 3

Due to an increase in the rate of submissions, Symantec Security Response has upgraded W32.Netsky.P@mm to a Category 3 from a Category 2 threat as of March 22, 2004.

W32.Netsky.P@mm (also known as W32.Netsky.Q@mm) is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.

W32.Beagle.T@mm
I-Worm.Bagle.o [Kaspersky]
Category: 2

W32.Beagle.T@mm is a variant of W32.Beagle.R@mm. This worm attempts to send an HTML email to the addresses found in the files on an infected computer. The email does not contain an attachment of the worm. Instead, the HTML email uses the Microsoft Internet Explorer Object Tag Vulnerability that allows for the automatic download and execution of a file hosted on a remote Web site. This file is a copy of the worm, but may change in the future.

W32.Netsky.O@mm
Category: 2
W32.Netsky.O@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The "sender" of the email is spoofed, and the subject line and message body of the email vary.

W32.Mydoom.H@mm
W32/Mydoom.h@MM [McAfee], Win32.Mydoom.H [Computer Associates], WORM_MYDOOM.H [Trend]
Category: 2

The worm arrives as an attachment with the file extension .bat, .com, .cmd, .exe, .pif, .scr, or .zip. The From: line of the email may be spoofed.

W32.Welchia.D.Worm
W32.Alua@mm, Win32/Bagle.B.Worm [Computer Associates], Bagle.B [F-Secure], W32/Bagle.b@MM [McAfee], W32/Bagle.B@mm [Norman], WORM_BAGLE.B [Trend Micro], W32/Bagle.B.worm [Panda], W32/Tanx-A [Sophos]
Category: 2
W32.Welchia.D.Worm is a minor variant of W32.Welchia.C.Worm.

Trojan.Qhosts
Category: 2
This is a trojan that will modify settings in TCP/IP to point to a different DNS server. This trojan does not have the ability to spread; to infect a machine, a web page must be opened that has the capacity to open the viral HTML file on the target's machine.

W32.Swen.A@mm
Category: 3
This is a mass emailing worm that uses its own SMTP engine to replicate. It also attempts to spread through file sharing networks and IRC, as well as attempting to kill antivirus and personal firewall programs. This worm can arrive as an attachment in email. The forms vary. This worm utilizes a vulnerability in Microsoft Outlook and Outlook Express. Information and patches can be found here. This worm poses as the Microsoft Security Update. The worm installs itself no matter what choice is taken.

W32.HLLW.Syney@@mm
Category: 2
This is a mass email worm that deletes Windows system files and spreads via Microsoft Outlook.
Subject: Fwd: None
Attachment: Attach.exe

W32.HLLW.Gaobot.AA
Category: 2
W32.HLLW.Gaobot.AA is a worm that spreads to network shares with weak passwords. This worm utilizes two Microsoft Windows vulnerabilities: MS03-039 and MS03-001. This worm will only affect Windows 2000, NT, and XP. This worm also allows unauthorized remote access via IRC.

W32.Sobig.F@@mm
Category: 4
W32.Sobig.F@@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses that it finds in the files with the following extensions: .dbx, .eml, .hlp, .htm, .html, .mht, .wab, .txt. The worm utilizes its own SMTP engine to propagate and will attempt to create a copy of itself on accessible network shares. It uses a spoofed From address, with the subject using: Details, Approved, My details, Thank you!, That movie, Wicked screensaver, Your application. (It may even pose as a reply by putting Re: in front of any of the above.) The body of the text will have either "See the attached file for details" or "Please see the attached file for details." The attachment may be one of the following: your_document.pif, document_all.pif, thank_you.pif, your_details.pif, document_9446.pif, application.pif, wicked_scr.scr, movie0045.pif. See Removal Instructions at the bottom of the Symantec page for W32.Sobig.f@@mm.
Note: This worm deactivated on 09/10/03 and is no longer a threat.

W32.Blaster.F.Worm
Category: 2
W32.Blaster.F.Worm is a worm that exploits the DCOM RPC vulnerability as described in Microsoft Security Bulletin MS03-039 using TCP port 135. The worm targets only Windows 2000 and Windows XP computers. While Windows NT and Windows 2003 Servers are vulnerable to this exploit (if not properly patched), the worm is not coded to replicate to those systems. The worm attempts to download the Enbiei.exe file into the %Windir%\System32 folder, then execute it. W32.Blaster.F.Worm does not have mass-mailing functionality. Additional information is available in the Microsoft article "What You Should Know About the Blaster Worm and Its Variants."
Symantec Blaster Worm Removal Tools:
W32.Blaster.Worm (This removal tool works for all variations of the W32.Blaster.Worm.)
Microsoft Security Bulletin MS03-039 Patches

Last Update: $Date: 2004/06/03 21:27:43 $

©1994-2004, Texas.Net, Inc. All rights reserved.