Symantec AntiVirus Research Center
ISSN 1444-9994
June 2001 Newsletter
These are the most reported Viruses, Trojans and Worms to SARC's offices
during the last month.
Top Global Threats
W95.Hybris
W32.Magistr.24876@mm
W95.MTX
Wscript.KakWorm
VBS.VBSWG2.X@mm
W32.HLLW.Bymer
W32.Badtrans.13312@mm
JS.Seeker
VBS.Haptime.A@mm
Backdoor.SubSeven
Asia Pacific
W95.Hybris
W95.MTX
W32.Magistr.24876@mm
Wscript.KakWorm
W32.HLLW.Bymer
VBS.VBSWG2.X@mm
VBS.Whitehome.A
W32.Badtrans.13312@mm
W32.Blebla.B
VBS.Haptime.A@mm
Europe
W95.Hybris
W32.Magistr.24876@mm
W95.MTX
VBS.VBSWG2.X@mm
Wscript.KakWorm
W32.HLLW.Bymer
W32.Badtrans.13312@mm
JS.Seeker
JS.StartPage
VBS.Tam.A
Japan
W95.Hybris
W95.MTX
W32.HLLW.Bymer
W32.Badtrans.13312@mm
VBS.VBSWG2.X@mm
W32.Magistr.24876@mm
Backdoor.SubSeven
O97M.Hopper.V
X97M.Divi.D
VBS.LoveLetter
USA
W95.Hybris
Wscript.KakWorm
W32.Magistr.24876@mm
W32.Badtrans.13312@mm
VBS.VBSWG2.X@mm
W32.HLLW.Bymer
W95.MTX
Backdoor.SubSeven
VBS.PassOn
VBS.LoveLetter
Top 20 Consolidated Global Threats
By SecurityPortal
W32.Magistr@mm
VBS.VBSWG.X@mm
W32.BadTrans.A@MM
W32.Hybris
VBS.VBSWG.Z@MM
VBS.LoveLetter
W32.Funlove
W95.MTX
VBS.KakWorm
W32.Navidad
VBS.Haptime@MM
W97M.Ethan
PWSteal.Trojan
W32.HLLW.Bymer
W97M.Marker
W97M.Thurs.A
BackDoor-G.ldr
W95.CIH
W95.Spaces
W32.Kriz
Removal Tools for...
W32.HybrisF
W32.Kriz
W32.Navidad
W32.HLLW.QAZ.A
W95.MTX
W32.FunLove.4099
Wscript.Kakworm
Wscript.Kakworm.B
Happy99.Worm
VBS.Loveletter
PrettyPark.Worm
VBS.Stages.A
W2K.Stream
AOL.Trojan.32512
W95.CIH
Worm.ExploreZip
A list of Virus Hoaxes reported to Symantec
SULFNBK.EXE Warning
A list of Joke Programs reported to Symantec.
It's PGP's tenth anniversary: June 5th or 6th 1991 was when PGP 1.0 was first posted to the Internet. To mark this important point in Internet communications privacy I asked Philip Zimmermann, the author of PGP, to write an article about the history of PGP and the OpenPGP working group based at http://www.openpgp.org/.
We had a surprisingly widespread hoax this month, with the SULFNBK.EXE hoax warning popping up very regularly in our virus analyses inboxes. There was a misguided attempt to use a worm to clean up vulnerable Linux systems, and VBS.Haptime uses the Stationery feature of Outlook Express, so I'd recommend turning this off.
There's a new, very useful page on the SARC web site this month: a full listing of the viruses detected in the latest certified virus definitions. It also carries listings from the previous couple of definition releases.
David Banes.
Editor, sarc@symantec.com
Worms
Linux.Cheese.Worm
Minimal [1]
Linux
This worm attempts to spread itself to computers that have been compromised
by Linux.Lion.Worm, and to remove the security hole that allowed the replication to occur. It is not considered
harmful, but it is a misguided attempt to address a security issue.
http://www.sarc.com/avcenter/venc/data/linux.cheese.worm.html
by: Peter Ferrie
SARC, APAC
Viruses
VBS.Haptime.A@mm
Minimal [1]
Script
VBS.Haptime.A@mm is a Visual Basic Script (VBS) worm. It infects .htm, .html,
.vbs, .asp, and .htt files. It replicates using MAPI objects to spread itself as an attachment. Also, the worm
attaches itself to all outgoing messages using the Stationery feature of Outlook Express.
http://www.symantec.com/avcenter/venc/data/vbs.haptime.a@mm.html
by: Serghei Sevcenco
SARC, APAC
VBS.NoMercy.A
Minimal [1]
Script
VBS.NoMercy.A is a Visual Basic script in an HTML file. The virus infects .html, .htm, .shtml, .stm, and .asp files.
If the virus finds files to infect, it inserts its code at the beginning of the file. On the 13th or 30th of every
month, the virus displays the message:
God, why you did it to me
http://www.sarc.com/avcenter/venc/data/vbs.nomercy.a.html
By Kaoru Hayashi
SARC, Japan
Trojans
Trojan.Eurosol
Minimal [1]
Win32
Trojan.Eurosol installs itself on an infected system so that it is run at
startup. It does this by modifying the System.ini file and appending itself to the shell = Explorer.exe line in
the [boot] section. It also creates a copy of itself in the \Windows folder as the system file NetBios32.exe.
http://www.sarc.com/avcenter/venc/data/trojan.eurosol.html
by: Brian Ewell
SARC, USA
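A check for the startup change described above, as an added example that is not part of the original newsletter or of Symantec's tooling: it reads the text of a System.ini file and reports anything on the shell= line of the [boot] section other than Explorer.exe. The function names and the sample file contents are constructed for illustration.

```python
import re

# Assumption: on an unmodified system the [boot] shell= entry names only Explorer.exe.
EXPECTED_SHELL = "explorer.exe"

def boot_shell_value(ini_text):
    """Return the raw value of shell= in the [boot] section, or None if absent."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return value.strip()
    return None

def extra_shell_programs(ini_text):
    """List every program on the [boot] shell= line other than Explorer.exe."""
    value = boot_shell_value(ini_text)
    if value is None:
        return []
    # Entries are split on whitespace and commas; paths with spaces are not handled.
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    return [t for t in tokens if t.lower().rsplit("\\", 1)[-1] != EXPECTED_SHELL]

# Constructed samples: a clean file, and one with a second program appended
# to the shell line under the file name given in the write-up.
CLEAN_INI = "[boot]\nshell=Explorer.exe\nsystem.drv=system.drv\n\n[386Enh]\nkeyboard=*vkd\n"
MODIFIED_INI = (
    "; constructed sample\n"
    "[boot]\nshell = Explorer.exe NetBios32.exe\nsystem.drv=system.drv\n\n"
    "[other]\nshell=ignored.exe\n"   # shell= outside [boot] is not a startup entry
)

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_INI), ("modified", MODIFIED_INI)):
        print(name, extra_shell_programs(text))
```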
Symantec Enterprise Security
VISIT THE SYMANTEC ENTERPRISE SECURITY WEB SITE
http://enterprisesecurity.symantec.com/
Recent Enterprise Security News headlines include:
'Jennifer Lopez Naked' Worm Latest To Lure Unwary Voyeurs; Newsbytes
http://enterprisesecurity.symantec.com/content.cfm?articleid=757
Hackers Attack Watchdog; The International Herald Tribune
http://enterprisesecurity.symantec.com/content.cfm?articleid=753
Check out our latest feature article: "Healthcare Industry Faces New HIPAA Regulations"
http://enterprisesecurity.symantec.com/article.cfm?articleid=756
Get the latest enterprise security news delivered straight to your inbox. Register for Symantec's free Enterprise
Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
Today marks the 10th anniversary of the release of PGP 1.0.
It was on this day in 1991 that I sent the first release of PGP to a couple of my friends for uploading to the
Internet. First, I sent it to Allan Hoeltje, who posted it to Peacenet, an ISP that specialized in grassroots political
organizations, mainly in the peace movement. Peacenet was accessible to political activists all over the world.
Then, I uploaded it to Kelly Goen, who proceeded to upload it to a Usenet newsgroup that specialized in distributing
source code. At my request, he marked the Usenet posting as "US only". Kelly also uploaded it to many
BBS systems around the country. I don't recall if the postings to the Internet began on June 5th or 6th.
It may be surprising to some that back in 1991, I did not yet know enough about Usenet newsgroups to realize that
a "US only" tag was merely an advisory tag that had little real effect on how Usenet propagated newsgroup
postings. I thought it actually controlled how Usenet routed the posting. But back then, I had no clue how to post
anything on a newsgroup, and didn't even have a clear idea what a newsgroup was.
It was a hard road to get to the release of PGP. I missed five mortgage payments developing the software in the
first half of 1991. To add to the stress, a week before PGP's first release, I discovered the existence of another
email encryption standard called Privacy Enhanced Mail (PEM), which was backed by several big companies, as well
as RSA Data Security. I didn't like PEM's design, for several reasons. PEM used 56-bit DES to encrypt messages,
which I did not regard as strong cryptography. Also, PEM absolutely required every message to be signed, and revealed
the signature outside the encryption envelope, so that the message did not have to be decrypted to reveal who signed
it. Nonetheless, I was distressed to learn of the existence of PEM only one week before PGP's release. How could
I be so out of touch to fail to notice something as important as PEM? I guess I just had my head down too long,
writing code. I fully expected PEM to crush PGP, and even briefly considered not releasing PGP, since it might
be futile in the face of PEM and its powerful backers. But I decided to press ahead, since I had come this far
already, and besides, I knew that my design was better aligned with protecting the privacy of users.
After releasing PGP, I immediately diverted my attention back to consulting work, to try to get caught up on my
mortgage payments. I thought I could just release PGP 1.0 for MSDOS, and leave it alone for awhile, and let people
play with it. I thought I could get back to it later, at my leisure. Little did I realize what a feeding frenzy
PGP would set off. Apparently, there was a lot of pent-up demand for a tool like this. Volunteers from around the
world were clamoring to help me port it to other platforms, add enhancements, and generally promote it. I did have
to go back to work on paying gigs, but PGP continued to demand my time, pulled along by public enthusiasm.
I assembled a team of volunteer engineers from around the world. They ported PGP to almost every platform (except
for the Mac, which turned out to be harder). They translated PGP into foreign languages. And I started designing
the PGP trust model, which I did not have time to finish in the first release. Fifteen months later, in September
1992, we released PGP 2.0, for MSDOS, several flavors of Unix, Commodore Amiga, Atari, and maybe a few other platforms,
and in about ten foreign languages. PGP 2.0 had the now-famous PGP trust model, essentially in its present form.
It was shortly after PGP 2.0's release that US Customs took an interest in the case. Little did they realize that
they would help propel PGP's popularity, helping to ignite a controversy that would eventually lead to the demise
of the US export restrictions on strong cryptography.
Today, PGP remains just about the only way anyone encrypts their email. And now there are a dozen companies developing
products that use the OpenPGP standard, all members of the OpenPGP Alliance, at http://www.openpgp.org.
What a decade it has been.
-Philip Zimmermann
5 June 2001
Burlingame, California
http://www.philzimmermann.com
SARC Glossary for definitions of viruses, Trojans and worms and more.
Contacts and Subscriptions
Correspondence by email to: sarc@symantec.com, no unsubscribe or support emails please.
Follow this link to unsubscribe or change your subscription type.
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html
This is a Symantec Corporation publication;
use requires permission in advance from Symantec.
All information contained in this newsletter is accurate
and valid as of the date of issue.
Copyright © 1996-2001 Symantec Corporation. All rights reserved.