Symantec AntiVirus Research Center

"The Sun Never Sets on SARC"



December 2000 Newsletter


These are the viruses, Trojans and worms most often reported to SARC's offices during the last month.

Top Global Threats

Asia Pacific




New Virus Hoaxes reported to Symantec

No New Hoaxes this Month

Top 20
Global Threats

By SecurityPortal

(alias W32.Ska)
(alias Troj.Qaz.A)


This month we have an excess of worms to report; it seems that 32-bit worms are now as common as macro viruses and worms. Here at Symantec we received about 190 new worms over the last month.

I also thought it would be good to bring you up to date with a new naming convention that is being introduced: the use of an @m or @mm suffix on certain types of virus and worm names. Peter Szor, from SARC USA and a CARO (Computer Anti-virus Research Organisation) member, described this to me and it's really very simple. The @m signifies that the virus or worm is a mailer; for example, Happy99 (W32.Ska) would have this description because it only sends itself by email when you (the user) send mail. The @mm notation, by contrast, means 'mass mailer', which would have been used, for example, for W97M.Melissa, as this virus/worm will send messages to everybody in your mailbox.

I attended the annual AVAR conference last month in Japan and have written an article outlining this event. I highly recommend that if you are interested in viruses from a professional security point of view and live in Asia Pacific, you apply to join AVAR and attend next year's conference in Hong Kong.

David Banes
Stop Press - W32.Kriz -
Worms in the News


Moderate [4]


Due to a recent increase in world-wide infections of this worm, SARC is increasing the threat level of this worm to 4.

W95.Hybris is a worm that spreads by email as an attachment to outgoing emails. It was discovered in late September of 2000. Although very few infections were reported in October 2000 when the worm was discovered, the worm is becoming more common in November and December.

The message may include the text "Snow White and the Seven dwarves" and the attachment may have one of several different names, including, but not limited to:

anpo porn(.scr
branca de neve.scr
enano porno.exe
sexy virgin.scr

Use Norton AntiVirus to repair the infected WSOCK32.DLL. Other files detected as W95.Hybris contain only the virus body and must be deleted.
by: Cary Ng and Peter Ferrie
SARC USA and SARC Asia Pacific


Moderate [4]


W32.Prolin.Worm is a worm that spreads via Microsoft Outlook by emailing itself to everyone in the Outlook address book.

Use Norton AntiVirus to perform a full scan on your hard drive. Delete all files that Norton AntiVirus detects as W32.Prolin.Worm.

Restore the original extension of .jpg, .mp3, or .zip to all files that the worm has moved into the root directory of the C drive. The file "messageforu.txt" should contain a list of the original path and filenames of these files.
by Cary Ng


Moderate [3]


W32.Navidad.16896 is a mass mailing worm program that is very similar to W32.Navidad. The worm spreads via Microsoft Outlook, using MAPI to reply to all Inbox messages that contain a single attachment.

The worm utilizes the existing email subject line and body, and attaches itself as Emanuel.exe. Removal instructions are on our web site.
by Andre Post


Small [2]


This worm arrives with one of several different subject lines and has two attachments named myjuliet.chm and myromeo.exe. Once the user reads the message, the two attachments are automatically saved and launched. When launched, this worm attempts to send itself out to all names in the Outlook address book via one of several Internet mail servers located in Poland. Otherwise this worm does no harm to the infected system. To remove the worm, simply delete all files detected as W32.Blebla.Worm.
by Peter Szor



Small [2]


VBS.Jean.A@mm is a worm that spreads via Microsoft Outlook. The worm spreads to the first 50 addresses of every address list and sends an email in German.

The text of the email is as follows:

Guten Tag,
es ist bald Weihnachten.
Und wie sieht's aus mit schönen Geschenken ?

Hierzu ein Tip vom Weihnachtsmann:
Unter gibt es die besten Geschenke im Web !
Das bedeutet absolut stressfreies Einkaufen, schnelle und unkomplizierte Lieferung, riesige Auswahl.

Also nichts wie hin, und Frohe Weihnachten.

Translated to English, the message reads:

Good day,
it is almost Christmas.
And what's happening with nice gifts ?

Here is a hint from Santa Claus:
At you can find the best gifts on the Web!
That means buying absolutely stressfree, fast and easy delivery, wide variety of items to choose from.

Alrighty then, let's go for it, and Merry Christmas.

To remove this worm just delete all files detected as VBS.Jean.A@mm.
by: Andre Post

Visit The Symantec Enterprise Security Web Site
Get the latest enterprise security news delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.

Recent headlines include:
Find the Bugs Before They Bite; The Times (London).

Police Have Few Weapons Against Cyber-Criminals; USA Today.

Read our latest feature article "Viruses and Mobile Devices" to find out more about the increasing security threats to mobile devices.
AVAR Conference 2000 - Tokyo, Japan and why you still need a laptop computer.


This was my first AVAR conference, their third, and I was impressed. The event was very well organised for such a young organisation, with 180 registered participants. Despite the obvious language barriers with Japanese, Korean, Chinese and English-speaking delegates, I never really felt as if I missed anything, due to the excellent simultaneous Japanese and English translation service provided by the organisers.

Day one started with a welcome from Seiji Murakami (Chairman of AVAR and President of Japan Computer Security Research Centre (JCSR)) followed by the Keynote Speech from Mondo Yamamoto the Deputy Director of IT Security Policy for the Ministry of International Trade and Industry in Japan. Mr Yamamoto spoke about Japan's IT security policies. The speakers discussed the issues relating to viruses in their own countries and interesting associated topics such as Motoaki Yamamura's (Symantec) buffer overflow demonstration.

The Chairman of EICAR (European Institute of Computer Anti-virus Research), Rainer Fahs, gave the conference an overview of his organisation and its work in Europe. Randy Abrams from Microsoft gave an interesting presentation on how to test for broken anti-virus software. Nick Fitzgerald from Computer Associates, New Zealand, discussed tracking and tracing virus authors, demonstrating that it is possible to trace the source of a virus outbreak and get it shut down.

It was about this time that my new PDA decided to hang. I'd taken the bold decision to leave my laptop computer at the office and use only the PDA for email and taking notes at the conference. It's ironic that whilst attending a computer anti-virus conference I should suffer severe data loss due to a good old-fashioned software or hardware bug, not a virus.

The second day at the conference was equally interesting, with the highlights being Vesselin Bontchev's presentation on the latest and future macro virus trends and the very exciting presentation from Jan Hruska of Sophos about REVS (Rapid Exchange of Virus Samples). This is a very contentious topic amongst anti-virus vendors at the moment because of the practical and political issues it raises; the conference room began to resemble a parliamentary debate for a few minutes. Who said anti-virus and security was boring? :) Luckily Jan was able to defuse the debate and steer us all to lunch.

Towards the end of the conference Jimmy Kuo from Network Associates discussed the anti-virus industry in Asia, Seow Hiong Goh (Deputy Director of Infocomm Security, Infocomm Development Authority of Singapore) discussed viruses in Singapore and Dr Charles Ahn compared the Korean virus scene with other countries.

Next year's conference is to be held in Hong Kong and hosted by Yui Kee Computing Limited. I've been voted in as a vice chairman of AVAR in 2001 along with several other AVAR members; I just hope I can help create a comparable conference to this year's event.

To conclude, I'd like to congratulate all at AVAR for a well organised and informative event and I'll be taking my laptop computer to the next conference.

David Banes
SARC, Asia Pacific




This is a Symantec Corporation publication, use of requires permission in advance from the Editor.
All information contained in this newsletter is accurate and valid as of the date of issue.


Copyright © 1996-2000 Symantec Corporation. All rights reserved.