Virus, Worm, or Trojan Horse
is a Trojan horse that attempts to delete all files on the C: drive.
is a mass mailing worm that sends itself to the email addresses in
the Microsoft Outlook address book. The worm also uses IRC to spread.
WORM_NETSKY.AC [Trend], W32/Netsky-AC [Sophos], Win32.Netsky.AC
[Computer Associates], I-Worm.NetSky.ad [Kaspersky]
is a worm that scans for the email addresses on all non-CD-ROM drives
on an infected computer. The worm then uses its own SMTP engine to
send itself to the email addresses that it finds.
The From, Body, and attachment
of the email vary. The attachment has a .cpl extension.
This threat is compressed with
W32/Sasser-D [Sophos], WORM_SASSER.D [Trend], W32/Sasser.worm.d
[McAfee], Win32.Sasser.D [Computer Associates], Worm.Win32.Sasser.d
- Is a variant of W32.Sasser.Worm.
- Attempts to exploit the
LSASS vulnerability described in Microsoft Security Bulletin MS04-011.
- Spreads by scanning randomly
selected IP addresses for vulnerable systems.
W32/Sasser-C [Sophos], Worm.Win32.Sasser.c [Kaspersky],
W32/Sasser.worm.c [McAfee], WORM_SASSER.C [Trend], Win32.Sasser.C
W32.Sasser.C.Worm is a minor
variant of W32.Sasser..Worm. It attempts to exploit the LSASS vulnerability
described in Microsoft Security Bulletin MS04-011 and spreads by
scanning randomly selected IP addresses for vulnerable systems.
W32.Sasser.C.Worm differs from
W32.Sasser.Worm as follows:
- Uses a different mutex:
- Launches 1024 threads (instead
- Uses a different file name:
- Has a different MD5
- Creates a different value
in the registry: "avserve2.exe
W32.Sasser.B.Worm is a variant of the Sasser Worm. It attempts to
exploit the LSASS vulnerability described in Microsoft Security
Bulletin MS04-011. Symptoms include odd computer behavior
including frequent disconnects and computer restarts in early
stages of infection, followed by an eventual complete inability
to connect to any internet resource via any port. Every port
but those that Sasser uses to replicate itself with are blocked
in this stage of infection. Sasser spreads itself by scanning
randomly selected IP addresses of unpatched systems.
Symantic Security Response has developed a
Removal Tool to remove the Sasser infection. This worm
can only infect systems vulnerable to the LSASS vulnerability.
The MS04-011 patch can be found here.
W32/Netsky.p@MM [McAfee], Win32.Netsky.P [Computer Associates],
NetSky.P [F-Secure], W32/Netsky.P.worm [Panda], W32/Netsky-P [Sophos],
||Due to an increase
in the rate of submissions, Symantec Security Response has upgraded
W32.Netsky.P@mm to a Category 3 from a Category 2 threat as of March
W32.Netsky.P@mm (also known
as W32.Netsky.Q@mm) is a mass-mailing worm that uses its own SMTP
engine to send itself to the email addresses it finds when scanning
the hard drives and mapped drives. The worm also tries to spread
through various file-sharing programs by copying itself into various
is a variant of W32.Beagle.R@mm. This worm attempts to send an HTML
email to the addresses found in the files on an infected computer.
The email does not contain an attachment of the worm. Instead, the
HTML email uses the Microsoft Internet Explorer Object Tag Vulnerability
that allows for the automatic download and execution of a file hosted
on a remote Web site. This file is a copy of the worm, but may change
in the future.
is a mass-mailing worm that uses its own SMTP engine to send itself
to the email addresses it finds when scanning the hard drives and
mapped drives. The "sender" of the email is spoofed, and
its subject line and message body of the email vary.
W32/Mydoom.h@MM [McAfee], Win32.Mydoom.H, [Computer Associates],
The worm arrives as an attachment with the file extension .bat,
.com, .cmd, .exe, .pif, .scr, or .zip. The From: line of the email
may be spoofed.
W32.Alua@mm, Win32/Bagle.B.Worm [Computer Associates], Bagle.B [F-Secure],
W32/Bagle.b@MM [McAfee], W32/Bagle.B@mm [Norman], WORM_BAGLE.B [Trend
Mirco], W32/Bagle.B.worm [Panda], W32/Tanx-A [Sophos]
W32.Welchia.D.Worm is a minor variant of W32.Welchia.C.Worm.
This is a trojan that will modify settings in TCP/IP to point to a
different DNS server. This trojan does not have the ability to spread,
a web page must be opened that has the capacity to open the viral html
file on the target's machine in order to infect it.
This is a mass emailing worm that uses its own SMTP engine to replicate.
It also attempts to spread through file sharing networks and IRC, as well
as attempting to kill antivirus and personal firewall programs. This
worm can arrive as an attachment in email. The forms vary. This worm
utilizes a vulnerability in Microsoft Outlook and Outlook Express.
Information and patches can be found
here. This worm poses as the Microsoft Security Update. The worm
installs itself no matter what choice is taken.
This is a mass email worm that deletes Windows system files and spreads
via Microsoft Outlook.
Subject: Fwd: None
W32.HLLW.Gaobot.AA is a worm that spreads to network shares with weak
passwords. This worm
utilizes two Microsoft Windows vulnerabilities:
This worm will only affect Windows 2000, NT, and XP. This worm also
allows unauthorized remote
access via irc.
W32.Sobig.F@@mm is a mass-mailing, network-aware worm that sends itself
to all the email addresses that it finds in the
files with the following extensions:
.dbx, .eml, .hlp, .htm, .html, .mht, .wab, .txt. The worm utilizes it's
own SMTP engine to propagate and
will attempt to create a copy of itself on accessible
network shares. It uses a spoofed from address, with the subject using:
Details, Approved, My details, Thank you!,
That movie, Wicked screensaver, Your application.
(It may even spoof it being a reply by putting Re: in front of any of
the above.) The body of the text
will have either "See the attached file for details" or "Please see
the attatched file for details."
The attatchment may be one of the following: your_document.pif,
your_details.pif, document_9446.pif, application.pif, wicked_scr.scr,
at the bottom of the Symantec page for
Note: This worm deactivated on 09/10/03 and is no longer a threat.
W32.Blaster.F.Worm is a worm that exploits the DCOM RPC vulnerability as
described in Microsoft Security Bulletin
MS03-039 using TCP port 135. The worm targets only Windows 2000 and
Windows XP computers. White Windows NT and Windows 2003 Servers are
vulnerable to this exploit (if not properly patched), the worm is not
coded to replicate to those systems. The worm attempts to download
the Enbiei.exe file into the %Windir%\System32 folder, then execute it.
W32.Blaster.F.Worm does not have mass-mailing functionality. Additional
information is available in the Microsoft article
What You Should Know About the Blaster Worm and Its Variants."
Symantec Blaster Worm Removal Tools:
W32.Blaster.Worm (This removal tool works for all variations of the
Microsoft Security Bulletin MS03-039 Patches