
Computer Viruses

Recent Virus Threats

  

klez - goner - myparty - magistr - sircam - anna kournikova - bleck - naked - chernobyl - snow white - loveletter - mtx - qaz - navidad - emanuel

 

W32.Klez.___@mm

Transmission: There are variants of this worm, so symptoms may vary from the information presented here. Variants are capable of spreading by email and network shares. It is also capable of infecting files. Tracing where the worm came from may be difficult, because it sends itself to an address taken from your address book and puts a different address, also taken from your address book, into the FROM line.

What To Look For: The subject and attachment name of incoming emails are randomly chosen. The attachment may have one of the following extensions: .bat, .exe, .pif or .scr.

How To Know If Your Computer Is Infected: The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location as the following filename:

Wink<random characters>.exe

Here's a link to Symantec's website with a removal tool or more information on this virus and its variations. http://vil.mcafee.com/dispVirus.asp?virus_k=99455

How To Remove This Virus: Submit a software support workorder.


 

W32.Myparty@mm

Transmission: W32.Myparty@mm is a mass-mailing email worm. This worm is capable of spreading itself only between January 25, 2002, and January 29, 2002. However, it remains active on infected computers after this period of time.

What To Look For:

Here is one example of an infected email:

Subject: new photos from my party!
Message:
Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!

Attachment: www.myparty.yahoo.com

DO NOT OPEN THE ATTACHMENT and delete the suspect email.

How To Know If Your Computer Is Infected: Presence of C:\RECYCLED\REGCTRL.EXE (visible from a DOS prompt, not from within Windows) and/or the presence of C:\REGCTRL.EXE

Here's a link to McAfee's website with more information on this worm and its variations: http://vil.mcafee.com/dispVirus.asp?virus_k=99332

How To Remove This Worm: Submit a software support workorder.


 

W32.Sircam.Worm@mm

Transmission: This worm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm. Due to what appears to be a bug, W32.Sircam.Worm@mm does not replicate under Windows NT, 2000, or XP.

What To Look For: This worm arrives as an attachment to an email message with the following content:

Subject: The subject of the email will be random, and will be the same as the file name of the email attachment.
Attachment: The attachment is a file taken from the sender's computer and will have the extension .bat, .com, .lnk or .pif added to it.
Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.

Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.

English Version:
First line: Hi! How are you?
Last line: See you later. Thanks

Between these two sentences, some of the following text may appear:

Spanish Version:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste

English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for

How To Know If Your Computer Is Infected: When run, the document will be saved to the C:\RECYCLED folder and then opened, while the virus copies itself to C:\RECYCLED\SirC32.exe to conceal its presence and creates a registry key value to load itself whenever .EXE files are executed.

The virus searches for .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder and attempts to send copies of these documents to email recipients found in the Windows Address Book and addresses found in cache files.

The worm may also make changes to the file Autoexec.bat. (This will only be present if the worm has spread across a network.) The file C:\Windows\Rundll32.exe may be renamed to C:\Windows\Run32.exe.

Here's a link to McAfee's website with a removal tool or more information on this worm and its variations: http://www.mcafee.com/anti-virus/viruses/sircam/default.asp?cid=2360

How To Remove This Worm: Submit a software support workorder.


 

VBS/SST@MM (AnnaKournikova)

Transmission: Via e-mail with attachment named AnnaKournikova.jpg.vbs.

What To Look For: The email contains the following information:

Subject: Here you have, ;o)
Body: Hi:
Check This!
Attachment: AnnaKournikova.jpg.vbs

The email worm is in the attachment named AnnaKournikova.jpg.vbs. DO NOT DOUBLE CLICK ON THE ATTACHMENT. Delete the e-mail with the attachment, call the person and ask them if they sent you that file. If the file was legitimate, ask them to send it to you again. If they didn't send you an e-mail containing the attachment, suspect that it was the viral program that did. DO NOT OPEN THE ATTACHMENT.

How To Know If Your Computer Is Infected: Presence of the file C:\WINDOWS\AnnaKournikova.jpg.vbs.

Here's a link to McAfee's website with more information on this worm and its variations: http://vil.mcafee.com/dispVirus.asp?virus_k=99011&

How To Remove This Worm: Submit a software support workorder.


 

W97M/Bleck

Transmission: The virus resides in Word documents and is transmitted via floppy diskettes and email attachments.

What To Look For: This virus spreads from computer to computer by opening an infected Word Document in Microsoft Word97 or higher. The virus consists of a macro "BLACKCURSE". This virus targets active Microsoft Word documents and the Normal.dot template. Once the Normal.dot template is infected, all documents subsequently opened on the system will become infected.

When the date is August 31, the virus also inserts the following message in the documents:
A CURSE FROM BLACKROSE TO SOMEONE HE HATES

"HIJADIPUTA KANG HAYUP KA!
BURAY MO, SAKA BURAY NI INA MO!
HAYUP KA!
SAYANG KA, HAYUP KA!
HAYUP KA TALAGA!"

WORD97/BLACKCURSE
VIRGOBLACKROSE
Virus Development Libmanan Camarines Sur

How To Know If Your Computer Is Infected: When a document is infected, the following properties are changed:

Title: BLACKCURSE
Author: BLACKROSE.

Here's a link to McAfee's website with more information on this worm and its variations: http://vil.mcafee.com/dispVirus.asp?virus_k=98989&

How To Remove This Worm: Submit a software support workorder.


 

W95/CIH.1003

Transmission: The virus is transmitted via floppy diskettes, downloads from the Internet, network, etc.

What To Look For: This virus contains a date activated payload, April 26th. This virus has been called the Chernobyl virus with reference to the Chernobyl nuclear plant accident which occurred also on April 26th (in 1986).

How To Know If Your Computer Is Infected: Visual file detection of this virus is difficult because the program is written into the blank spaces of the data and program files on your computer; hence the file size is nominally affected and no new file resides on your hard drive. However, on April 26th, your computer will no longer boot up and your hard disk is overwritten with random data. Once this is done, restoration of your data files can be done only through backups.

Here's a link to Symantec's website with more information on this worm and its variations: http://service1.symantec.com/sarc/sarc.nsf/html/cih.html

How To Remove This Worm: Submit a software support workorder.


 

W32/Goner@MM

Transmission: This mass mailing worm attempts to send itself using Microsoft Outlook to all entries found in the Outlook Address book. It tries to delete security software and can spread via ICQ. It arrives in an email message attachment.

What To Look For:

Here is one example of an infected email:

Subject: Hi
Body:
How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!

Attachment: GONE.SCR

DO NOT OPEN THE ATTACHMENT and delete the suspect email.

How To Know If Your Computer Is Infected:

On your C: drive you'll find the following file in the folder:

WINDOWS\SYSTEM\GONE.SCR

Here's a link to McAfee's website with a removal tool or more information on this worm and its variations: http://vil.mcafee.com/dispVirus.asp?virus_k=99272

How To Remove This Worm: Submit a software support workorder.


 

W32/Hybris.gen@MM (Snow White and the Seven Dwarfs)

Transmission: Via e-mail with attachment ending with the extension .scr or .exe. Go to the next link for a list of attachment names.

What To Look For: The worm will send out an infected email as the person sends you a non-infected email. In the program's list of emails note the senders of the email before and after the infected email on the list, contact those people and tell them you may have received a viral email from them and they should scan their computer for viruses. DO NOT OPEN THE ATTACHMENT and delete the suspect email.

Here is one example of an infected email:

From: Hahaha [hahaha@sexyfun.net]

Subject: Snowhite and the Seven Dwarfs - The REAL story!

Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...

Attachment: sexy virgin.scr or joke.exe or midgets.scr or dwarf4you.exe

How To Know If Your Computer Is Infected: When the worm attachment is executed, the WSOCK32.DLL file will be modified or replaced. The worm also makes modifications to the registry, therefore it is recommended that a workorder be submitted.

Here's a link to McAfee's website with more information on this worm and its variations: http://vil.mcafee.com/dispVirus.asp?virus_k=98873&

How To Remove This Worm: Submit a software support workorder.


 

VBS/LOVELETTER

Transmission: Via e-mail with attachment ending with the extension .pif, .scr, or .exe.

What To Look For: The virus is in the attachment to the e-mail. Go to the next link for a list of attachment names. DO NOT DOUBLE CLICK ON THE ATTACHMENT. Delete the e-mail with the attachment, call the person and ask them if they sent you that file. If the file was legitimate, ask them to send it to you again. If they didn't, suspect that it was the viral program that did. DO NOT OPEN THE ATTACHMENT.

How To Know If Your Computer Is Infected: Submit a software support workorder. There are many variations of this virus with reference to Love or Jokes.

The one we found on campus included the following:

Subject header: FWD: JOKE
Attachment: Very Funny.VBS

Another variation is:

Subject header: ILOVEYOU
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Text: kindly check the attached LOVELETTER coming from me.

Also, on your C: drive you'll find the following files in these folders:

WINDOWS\SYSTEM\MSKERNEL32.VBS
WINDOWS\WIN32DLL.VBS
WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS
WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM

Here's a link to Symantec's website with more information on this virus and its variations. http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html

How To Remove This Virus: Submit a software support workorder.
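The attachment names in the advisories above share a few patterns that a mail filter can screen for: an executable extension, a double extension such as AnnaKournikova.jpg.vbs (Windows hides known extensions by default, so it displays as AnnaKournikova.jpg), and a .com program named to look like a web address. The following is an added example, not part of the original page; the function names and the decoy-extension list are assumptions.

```python
import os

# Extensions the advisories on this page name as worm attachments.
EXECUTABLE_EXTS = {".bat", ".com", ".exe", ".lnk", ".pif", ".scr", ".vbs"}
# Harmless-looking extensions used as the visible half of a double
# extension (assumed list, chosen for illustration).
DECOY_EXTS = {".jpg", ".gif", ".txt", ".doc", ".htm"}


def screen_attachment(filename):
    """Return the reasons an attachment name is suspicious (empty if none)."""
    name = filename.strip().lower()
    stem, ext = os.path.splitext(name)
    reasons = []
    if ext not in EXECUTABLE_EXTS:
        return reasons
    reasons.append("executable extension " + ext)
    decoy = os.path.splitext(stem)[1]
    if decoy in DECOY_EXTS:
        reasons.append("double extension hides " + ext + " behind " + decoy)
    if ext == ".com" and stem.startswith("www."):
        # .com is a DOS program extension as well as a domain suffix.
        reasons.append("file name imitates a web address")
    return reasons


def triage(filenames):
    """Map each suspicious attachment name to its reasons; clean names are omitted."""
    flagged = {}
    for filename in filenames:
        reasons = screen_attachment(filename)
        if reasons:
            flagged[filename] = reasons
    return flagged


# Attachment names quoted on this page, plus one constructed benign name.
SAMPLE_NAMES = [
    "AnnaKournikova.jpg.vbs",
    "www.myparty.yahoo.com",
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "GONE.SCR",
    "holiday-photos.jpg",  # constructed benign example
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(name, "->", "; ".join(reasons))
```

A clean result only means the name matches none of these patterns; Klez and Magistr use randomly chosen attachment names, so the extension is the only part of the name worth trusting.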


 

W32/Magistr@MM

Transmission: Via e-mail with attachment of randomly named executable and several (up to 6) randomly selected text or document files.

What To Look For: The Subject line of the infected email would contain randomly generated text that can be up to 60 characters long. The name of the attachment is one randomly named infected executable and several randomly selected text or document files.

DO NOT DOUBLE CLICK ON THE ATTACHMENT. Delete the e-mail with the attachment or notify Computing Services.

When you open the attachment, the virus attempts a mailing routine five minutes after it is run. Email addresses are gathered from the Windows Address Book, Outlook Express mailboxes, and Netscape mailboxes; the messages then sent by the worm contain varying subject headings, body text, and attachments. The body of the message is derived from the contents of other files on the victim's computer. It may send more than one attachment and may include non-.EXE or non-viral files along with an infectious .EXE file.

How To Know If Your Computer Is Infected: There's a slight increase in size in .EXE files (adds 24Kb or more). Infected files use a modified access date of the time of the infection. Presence of a newly created .DAT file containing email addresses (representing those users which were sent the virus). There'll be an entry in C:\WINDOWS\WIN.INI file. The RUN line will contain: RUN=(App).

NOTE: W32/Magistr is a virus that has email worm capability. It is also network aware of all Windows operating systems. It infects all files that are not .dll system files. On some systems the CMOS may become erased, or the virus may flash the BIOS as well as destroy sectors on the hard disk. This virus could send confidential Microsoft Word documents to others.

Here's a link to McAfee's website with more information on this virus and its variations. http://vil.mcafee.com/dispVirus.asp?virus_k=99040&

How To Remove This Virus: Submit a software support workorder.


 

W97/MTX

Transmission: Via e-mail with attachment ending with the extension .pif, .scr, or .exe. Go to the next link for a list of attachment names.

What To Look For: In your e-mail list, you may see two e-mails in a row from the same person. The virus is in the attachment to one of those e-mails. Click on the next link to view the list of e-mail attachment names. DO NOT DOUBLE CLICK ON THE ATTACHMENT. Delete the e-mail with the attachment, call the person and ask them if they sent you that file. If the file was legitimate, ask them to send it to you again. If they didn't send you an e-mail containing the attachment, suspect that it was the viral program that did. DO NOT OPEN THE ATTACHMENT.

How To Know If Your Computer Is Infected: You will find a file on your C: drive: C:\windows\MTX_.EXE

Here's a link to Symantec's website with a removal tool or more information on this virus and its variations. http://www-cu.symantec.com/avcenter/venc/data/w95.mtx.fix.html

How To Remove This Virus: Submit a software support workorder.


 

W32/NAKED@MM

Transmission: Via e-mail with attachment named NakedWife.exe.

What To Look For: The worm is in the attachment named NakedWife.exe.

This worm masquerades as a Flash (shockwave application) movie. The program will display a logo from JibJab, however it is not a shockwave application at all and is not associated with JibJab in any way, other than as a design of social engineering.

DO NOT DOUBLE CLICK ON THE ATTACHMENT. Delete the e-mail with the attachment, call the person and ask them if they sent you that file. If the file was legitimate, ask them to send it to you again. If they didn't send you an e-mail containing the attachment, suspect that it was the viral program that did. DO NOT OPEN THE ATTACHMENT.

Subject: Fw: Naked Wife

Body: My wife never look like that! ;-)

Best Regards, (sender's name)

Attached: NakedWife.exe

Choosing the HELP|ABOUT menu in the "Flash" window displays a message box entitled "Flash", which reads "You're are now F**KED! (C) 2001 by BGK (Bill Gates Killer)" (** replaces the actual text displayed)

How To Know If Your Computer Is Infected: In the folders:

C:\WINDOWS and C:\WINDOWS\SYSTEM, all files ending in .BMP, .COM, .DLL, .EXE, .INI, and .LOG will be nonexistent.

You will not be able to launch some programs.

When restarting Windows, you will see an error message about a missing WIN.COM.

Here's a link to McAfee's website with more information on this worm and its variations: http://vil.mcafee.com/dispVirus.asp?virus_k=99035&

How To Remove This Worm: Submit a software support workorder.


 

W32/NAVIDAD

Transmission: Via e-mail with attachment named Navidad.exe.

What To Look For: The worm is in the attachment named Navidad.exe. DO NOT DOUBLE CLICK ON THE ATTACHMENT. Delete the e-mail with the attachment, call the person and ask them if they sent you that file. If the file was legitimate, ask them to send it to you again. If they didn't send you an e-mail containing the attachment, suspect that it was the viral program that did. DO NOT OPEN THE ATTACHMENT.

How To Know If Your Computer Is Infected: When you try to launch a program on your computer, an error message is displayed stating that a file winsrvc.exe cannot be found.

Also, on your C: drive you'll find the following files in this folder:

WINDOWS\SYSTEM\WINSRVC.VXD

Here's a link to McAfee's website with more information on this worm and its variations: http://vil.McAfee.com/dispVirus.asp?virus_k=98881&

How To Remove This Worm: Submit a software support workorder.


 

W32/NAVIDAD 16896 (Emanuel)

This worm is a variation (variant) of the Navidad worm.

Transmission: Via e-mail with attachment named Emanuel.exe

What To Look For: The worm is in the attachment named Emanuel.exe. DO NOT DOUBLE CLICK ON THE ATTACHMENT. Delete the e-mail with the attachment, call the person and ask them if they sent you that file. If the file was legitimate, ask them to send it to you again. If they didn't send you an e-mail containing the attachment, suspect that it was the viral program that did. DO NOT OPEN THE ATTACHMENT.

How To Know If Your Computer Is Infected: When you try to launch a program on your computer, an error message is displayed stating that a file wintask.exe cannot be found.

Also, on your C: drive you'll find the following files in these folders:

WINDOWS\SYSTEM\WINTASK.EXE

Here's a link to McAfee's website with more information on this worm and its variations: http://vil.McAfee.com/dispVirus.asp?virus_k=98881&

How To Remove This Worm: Submit a software support workorder.


 

W32/QAZ

Transmission: Via e-mail.

What To Look For: The virus is in the attachment to the e-mail. DO NOT DOUBLE CLICK ON THE ATTACHMENT. Delete the e-mail with the attachment, call the person and ask them if they sent you that file. If the file was legitimate, ask them to send it to you again. If they didn't send you an e-mail containing the attachment, suspect that it was the viral program that did. DO NOT OPEN THE ATTACHMENT.

How To Know If Your Computer Is Infected: Whenever the user runs NOTEPAD, the worm is executed and this then runs NOTE.COM. One major significance is the real NOTEPAD.EXE is 52Kb while this worm is 120,320 bytes.

Here's a link to McAfee's website with more information on this worm and its variations. http://vil.McAfee.com/dispVirus.asp?virus_k=98775&.

How To Remove This Virus: Submit a software support workorder.
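The "How To Know If Your Computer Is Infected" entries above can be collected into one check over a file listing. The following is an added example, not part of the original page: the names `KNOWN_PATHS`, `scan` and `SAMPLE_LISTING` are hypothetical, the sample listing is constructed, and paths given on the page without a drive letter are taken to be on C: as the text says.

```python
import re

# File indicators from the advisories on this page, lower-cased because
# Windows paths are case-insensitive.
KNOWN_PATHS = {
    r"c:\recycled\regctrl.exe": "W32.Myparty@mm",
    r"c:\regctrl.exe": "W32.Myparty@mm",
    r"c:\recycled\sirc32.exe": "W32.Sircam.Worm@mm",
    r"c:\windows\run32.exe": "W32.Sircam.Worm@mm",
    r"c:\windows\annakournikova.jpg.vbs": "VBS/SST@MM",
    r"c:\windows\system\gone.scr": "W32/Goner@MM",
    r"c:\windows\system\mskernel32.vbs": "VBS/LOVELETTER",
    r"c:\windows\win32dll.vbs": "VBS/LOVELETTER",
    r"c:\windows\system\love-letter-for-you.txt.vbs": "VBS/LOVELETTER",
    r"c:\windows\system\love-letter-for-you.htm": "VBS/LOVELETTER",
    r"c:\windows\mtx_.exe": "W97/MTX",
    r"c:\windows\system\winsrvc.vxd": "W32/NAVIDAD",
    # Emanuel entry, read as WINDOWS\SYSTEM\WINTASK.EXE.
    r"c:\windows\system\wintask.exe": "W32/NAVIDAD (Emanuel)",
}
# Klez: Wink<random characters>.exe in the Windows System folder.
KLEZ_RE = re.compile(r"^c:\\(windows\\system|winnt\\system32)\\wink[^\\]+\.exe$")
# QAZ: the worm takes the place of NOTEPAD.EXE and is 120,320 bytes.
QAZ_NOTEPAD_SIZE = 120320


def scan(listing):
    """listing: iterable of (path, size_in_bytes). Returns [(threat, path), ...]."""
    hits = []
    for path, size in listing:
        key = path.replace("/", "\\").lower()
        if key in KNOWN_PATHS:
            hits.append((KNOWN_PATHS[key], path))
        elif KLEZ_RE.match(key):
            hits.append(("W32.Klez", path))
        elif key.rsplit("\\", 1)[-1] == "notepad.exe" and size == QAZ_NOTEPAD_SIZE:
            hits.append(("W32/QAZ", path))
    return hits


# Constructed listing; every size except 120320 is made up for the example.
SAMPLE_LISTING = [
    (r"C:\WINDOWS\NOTEPAD.EXE", 120320),
    (r"C:\Windows\System\WinkAbc.exe", 1000),
    (r"C:\WINDOWS\SYSTEM\Gone.scr", 2000),
    (r"C:\WINDOWS\WIN.COM", 3000),
    (r"C:\My Documents\notepad.exe", 4000),
]

if __name__ == "__main__":
    for threat, path in scan(SAMPLE_LISTING):
        print(threat, path)
```

An empty result does not show the machine is clean: the Klez entry notes that variants differ, and the CIH entry says that virus adds no new file.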

 



Maui Community College - 310 Kaahumanu - Kahului, HI 96732 - (808) 984-3500
