Symantec AntiVirus Research Center (SARC)

"The Sun Never Sets on SARC"

December 2000 Newsletter

These are the viruses, Trojans and worms most frequently reported to SARC's offices during the last month.

Top Global Threats
W32.Prolin.Worm
W32.Navidad
W32.HLLW.Bymer
W95.Hybris.gen
W95.MTX
Wscript.KakWorm
W32.FunLove.4099
W32.HLLW.Qaz.A
VBS.LoveLetter

Asia Pacific
W95.MTX
W32.Navidad
Wscript.KakWorm

Europe
W95.MTX
Wscript.KakWorm
W32.Navidad

Japan
W95.MTX
W32.Navidad
W32.HLLW.Qaz.A

USA
Wscript.KakWorm
W95.MTX
W32.Navidad


New Virus Hoaxes reported to Symantec

No New Hoaxes this Month



Top 20 Consolidated Global Threats (by SecurityPortal)

W32.Prolin
W32.Navidad
VBS.KakWorm
W95.MTX
W32.Hybris
W32.BleBla
W97M.Thursday
VBS.LoveLetter
W97M.Marker
Happy99.Worm (alias W32.Ska)
W95.CIH
W97M.Melissa.BG
VBS.Stages.A
W32.ExploreZip
W32.HLLW.Qaz.A (alias Troj.Qaz.A)
W32.Funlove
VBS.Quatro.A
W97.Sonic
W97M.Stand
VBS.Network

 

This month we have an excess of worms to report; it seems that 32-bit worms are now as common as macro viruses and worms. Here at Symantec we received about 190 new worms over the last month.

I also thought it would be good to bring you up to date with a new naming convention that is being introduced: the use of an @m or @mm suffix on certain virus and worm names. Peter Szor of SARC USA, a CARO (Computer Anti-virus Research Organisation) member, described it to me, and it is really very simple. The @m suffix signifies that the virus or worm is a mailer; Happy99 (W32.Ska), for example, would carry it because it only sends itself by email when you (the user) send mail. The @mm suffix means 'mass mailer', which would have been used for W97M.Melissa, as that virus/worm sends messages to everybody in your mailbox.
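As an added illustration (not part of the original newsletter), here is a small Python parser for the naming scheme just described. It assumes that the first dot-separated token is the platform prefix, that HLLW/HLLP/HLLC/HLLO are type markers rather than family names, and that an optional @m or @mm suffix encodes the mailing behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption (not stated in the newsletter): platform prefix first, then the
# family and variant tokens, then an optional "@m" / "@mm" mailing suffix.
_NAME_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)\.(?P<body>[^@\s]+)(?:@(?P<mailer>mm|m))?$"
)
# Assumed type markers (high-level-language worm/parasitic/companion/overwriter)
# that precede the family name, as in W32.HLLW.Qaz.A.
_TYPE_MARKERS = {"HLLW", "HLLP", "HLLC", "HLLO"}


@dataclass(frozen=True)
class ThreatName:
    platform: str            # e.g. "W32", "W95", "W97M", "VBS", "Wscript"
    kind: Optional[str]      # e.g. "HLLW", or None when no type marker is present
    family: str              # e.g. "Jean", "Prolin", "Navidad", "Qaz"
    variant: Optional[str]   # remaining tokens joined with ".", e.g. "A", "16896"
    mailer: Optional[str]    # None, "m" (mailer) or "mm" (mass mailer)

    @property
    def behaviour(self) -> str:
        """Human-readable meaning of the @m / @mm suffix."""
        return {"m": "mailer", "mm": "mass mailer"}.get(self.mailer, "no mailing suffix")


def parse_threat_name(name: str) -> ThreatName:
    """Split a name such as 'VBS.Jean.A@mm' into its parts; raise on junk input."""
    match = _NAME_RE.match(name.strip())
    if not match:
        raise ValueError(f"not a recognised threat name: {name!r}")
    tokens = match.group("body").split(".")
    kind = None
    if len(tokens) > 1 and tokens[0].upper() in _TYPE_MARKERS:
        kind, tokens = tokens[0].upper(), tokens[1:]
    family, rest = tokens[0], tokens[1:]
    return ThreatName(match.group("platform"), kind, family,
                      ".".join(rest) or None, match.group("mailer"))


def add_mailer_suffix(name: str, mass: bool) -> str:
    """Apply the new convention to a name, replacing any suffix already present."""
    parse_threat_name(name)            # validate before rewriting
    base = name.strip().split("@", 1)[0]
    return f"{base}@{'mm' if mass else 'm'}"
```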

I attended the annual AVAR conference last month in Japan and have written an article outlining the event. If you are interested in viruses from a professional security point of view and live in Asia Pacific, I highly recommend that you apply to join AVAR and attend next year's conference in Hong Kong.

David Banes, Editor, sarc@symantec.com
   
Stop Press - W32.Kriz - http://www.sarc.com/avcenter/venc/data/w32.kriz.html

Worms in the News

W95.Hybris.Gen

Moderate [4]

Win95

Due to a recent increase in world-wide infections of this worm, SARC is increasing the threat level of this worm to 4.

W95.Hybris is a worm that spreads by email as an attachment to outgoing emails. It was discovered in late September of 2000. Although few infections were reported in October 2000, when the worm was discovered, it has become more common in November and December.

The message may include the text "Snow White and the Seven dwarves" and the attachment may have one of several different names, including, but not limited to:

anpo porn(.scr
atchim.exe
branca de neve.scr
dunga.scr
dwarf4you.exe
enano porno.exe
joke.exe
midgets.scr
sexy virgin.scr

Use Norton AntiVirus to repair the infected WSOCK32.DLL. Other files detected as W95.Hybris contain only the virus body and must be deleted.

http://www.sarc.com/avcenter/venc/data/w95.hybris.gen.html
by: Cary Ng and Peter Ferrie
SARC USA and SARC Asia Pacific

W32.Prolin.Worm

Moderate [4]

Win32

W32.Prolin.Worm is a worm that spreads via Microsoft Outlook by emailing itself to everyone in the Outlook address book.

Use Norton AntiVirus to perform a full scan on your hard drive. Delete all files that Norton AntiVirus detects as W32.Prolin.Worm.

Restore the original extension of .jpg, .mp3, or .zip to all files that the worm has moved into the root directory of the C drive. The file "messageforu.txt" should contain a list of the original path and filenames of these files.

http://www.sarc.com/avcenter/venc/data/w32.prolin.worm.html
by Cary Ng
SARC, USA

W32.Navidad.16896

Moderate [3]

Win32

W32.Navidad.16896 is a mass mailing worm program that is very similar to W32.Navidad. The worm spreads via Microsoft Outlook, using MAPI to reply to all Inbox messages that contain a single attachment.

The worm utilizes the existing email subject line and body, and attaches itself as Emanuel.exe. Removal instructions are on our web site.

http://www.sarc.com/avcenter/venc/data/w32.navidad.16896.html
by Andre Post
SARC EMEA

W32.Blebla.Worm

Small [2]

Win32

This worm arrives with one of several different subject lines and has two attachments named myjuliet.chm and myromeo.exe. Once the user reads the message, the two attachments are automatically saved and launched. When launched, this worm attempts to send itself out to all names in the Outlook address book via one of several Internet mail servers located in Poland. Otherwise this worm does no harm to the infected system; to remove the worm, simply delete all files detected as W32.Blebla.Worm.

http://www.sarc.com/avcenter/venc/data/w32.blebla.worm.html
by Peter Szor
SARC, USA

VBS.Jean.A@mm

Small [2]

Script

VBS.Jean.A@mm is a worm that spreads via Microsoft Outlook. The worm spreads to the first 50 addresses of every address list and sends an email in German.

The text of the email is as follows:

Guten Tag,
es ist bald Weihnachten.
Und wie sieht's aus mit schönen Geschenken ?

Hierzu ein Tip vom Weihnachtsmann:
Unter www.leos-jeans.de gibt es die besten Geschenke im Web !
Das bedeutet absolut stressfreies Einkaufen, schnelle und unkomplizierte Lieferung, riesige Auswahl.

Also nichts wie hin, und Frohe Weihnachten.

Translated to English, the message reads:

Good day,
it is almost Christmas.
And what's happening with nice gifts ?

Here is a hint from Santa Claus:
At www.leos-jeans.de you can find the best gifts on the Web!
That means buying absolutely stressfree, fast and easy delivery, wide variety of items to choose from.

Alrighty then, let's go for it, and Merry Christmas.

To remove this worm just delete all files detected as VBS.Jean.A@mm.

http://www.sarc.com/avcenter/venc/data/vbs.jean.a.html
by: Andre Post
SARC, EMEA

Visit The Symantec Enterprise Security Web Site

Get the latest enterprise security news delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm

Recent headlines include:
Find the Bugs Before They Bite; The Times (London).
http://enterprisesecurity.symantec.com/content.cfm?articleid=431

Police Have Few Weapons Against Cyber-Criminals; USA Today.
http://enterprisesecurity.symantec.com/content.cfm?articleid=502

Read our latest feature article "Viruses and Mobile Devices" to find out more about the increasing security threats to mobile devices.
http://enterprisesecurity.symantec.com/content.cfm?articleid=416
AVAR Conference 2000 - Tokyo, Japan, and why you still need a laptop computer

This was my first AVAR (http://www.aavar.org/) conference, their third, and I was impressed. The event was very well organised for such a young organisation, with 180 registered participants. Despite the obvious language barriers between Japanese, Korean, Chinese and English speaking delegates, I never really felt as if I missed anything, thanks to the excellent simultaneous Japanese and English translation service provided by the organisers.

Day one started with a welcome from Seiji Murakami (Chairman of AVAR and President of Japan Computer Security Research Centre (JCSR)) followed by the Keynote Speech from Mondo Yamamoto the Deputy Director of IT Security Policy for the Ministry of International Trade and Industry in Japan. Mr Yamamoto spoke about Japan's IT security policies. The speakers discussed the issues relating to viruses in their own countries and interesting associated topics such as Motoaki Yamamura's (Symantec) buffer overflow demonstration.

The Chairman of EICAR (European Institute of Computer Anti-virus Research), Rainer Fahs, gave the conference an overview of his organisation and its work in Europe. Randy Abrams from Microsoft gave an interesting presentation on how to test for broken anti-virus software. Nick Fitzgerald from Computer Associates, New Zealand, discussed tracking and tracing virus authors, demonstrating that it is possible to trace the source of a virus outbreak and get it shut down.

It was about this time that my new PDA decided to hang. I'd taken the bold decision to leave my laptop computer at the office and use only the PDA for email and taking notes at the conference. It's ironic that whilst attending a computer anti-virus conference I should suffer severe data loss due to a good old-fashioned software or hardware bug, not a virus.

The second day at the conference was equally interesting, with the highlights being Vesselin Bontchev's presentation on the latest and future macro virus trends and the very exciting presentation from Jan Hruska of Sophos about REVS (Rapid Exchange of Virus Samples). This is a very contentious topic amongst anti-virus vendors at the moment because of the practical and political issues it raises; the conference room began to resemble a parliamentary debate for a few minutes. Who said anti-virus and security was boring? :) Luckily Jan was able to defuse the debate and steer us all to lunch.

Towards the end of the conference Jimmy Kuo from Network Associates discussed the anti-virus industry in Asia, Seow Hiong Goh, (Deputy Director of Infocomm Security, Infocomm Development Authority of Singapore) discussed viruses in Singapore and Dr Charles Ahn compared the Korean virus scene with other countries.

Next year's conference is to be held in Hong Kong and hosted by Yui Kee Computing Limited (www.yuikee.com.hk). I've been voted in as a vice chairman of AVAR in 2001 along with several other AVAR members; I just hope I can help create a conference comparable to this year's event.

To conclude, I'd like to congratulate all at AVAR for a well organised and informative event and I'll be taking my laptop computer to the next conference.

David Banes
SARC, Asia Pacific
SARC Glossary for definitions of viruses, Trojans and worms and more.

   
Contacts

Correspondence by email to: sarc@symantec.com (no unsubscribe or support emails please).
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html

 

     
       

This is a Symantec Corporation publication; use of it requires permission in advance from the Editor.
All information contained in this newsletter is accurate and valid as of the date of issue.

 

Copyright © 1996-2000 Symantec Corporation. All rights reserved.