THREAT LEVEL: Moderate - potentially dangerous (and uncontainable) if
released into the wild.
DAMAGE CAPABILITIES: It has been reported that computers targeted by
W32.Zotob.E may become unstable during execution of the exploit code.
This may result in the termination of the services.exe process, which
causes the targeted computer to shut down.
DANGERS: This virus degrades performance by attempting to
detect network connections and a routable IP address.
CHARACTERISTICS: Creates the file "wintbp.exe"
MORE INFORMATION:
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.e.html
A removal tool link is now available at www.virus-bulletin.com
Severe threat Level,
Medium damage capabilities,
Dangers: Loads a "backdoor Trojan" giving a hacker access to the infected
computer and other computers in the same network, allowing the hacker to run
programs and delete files remotely.
Characteristics: Uses one of a number of attachments; the size of the
attachment is 22,258 bytes if not zipped.
For more information see
http://www.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
Medium threat Level,
Medium damage capabilities,
Dangers: May steal credit card information.
Characteristics:
Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES or
IMPORTANT <random string of characters>
From: Do_Not_Reply@...
Details: This virus attempts to steal personal information by
displaying forms that ask you to enter your credit card details.
If you have received such an email and used it to update your PayPal
account, you are at immediate risk!! Contact PAYPAL and change your
details at once!!!!!
For more information see
http://www.symantec.com/avcenter/venc/data/w32.mimail.j@mm.html
Medium threat Level,
Low damage capabilities,
Dangers: The virus terminates antivirus and firewall programs
allowing for a blended threat.
Characteristics: Attachment is one of the following, followed by a
series of random numbers, and the extension of either .zip or .exe:
Install
Installer
Pack
Patch
Q
Update
Upgrade
Details:
W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to
spread itself. It attempts to spread through file-sharing networks,
such as KaZaA and IRC, and attempts to kill antivirus and personal
firewall programs running on a computer.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
A virus removal tool has been created.
Medium threat Level,
Medium damage capabilities,
Dangers: Drops an IRC Trojan into the infected machine and modifies
win.ini and system.ini files.
Distinguishing characteristics:
The subject of email is: Use this patch immediately !
The name of attachment is: patch.exe
The message is:
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.dumaru@mm.html
A virus removal tool is available from Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru@mm.removal.tool.html
Severe threat Level,
High damage capabilities,
Dangers: Vulnerable Windows 2000 machines will experience system
instability due to the RPC service crash.
This worm comes hot on the heels of the Blaster virus and pretends to
fix it!
It attempts to download the DCOM RPC patch from Microsoft's Windows
Update Web site, install it, and then reboot the computer.
Checks for active machines to infect by sending an ICMP echo request,
or PING, which will result in increased ICMP traffic.
Attempts to remove W32.Blaster.Worm.
The resultant damage is system instability: Windows
2000 machines will experience system instability due to the RPC
service crash, and security settings are compromised since it installs
a TFTP server on all the infected machines.
For more information see
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.html
A virus removal tool has been created by Symantec.
Severe threat Level,
High damage capabilities,
Dangers: Causes RPC DCOM BUFFER OVERFLOW, and a Distributed Denial Of
Service attack against windowsupdate.com
THIS VIRUS HAS BEEN UPGRADED FROM CATEGORY 3 TO CATEGORY 4
This virus imports and runs the file msblast.exe.
It then pumps out requests to the website www.windowsupdate.com,
causing a "denial of service" attack (chokes the website by
requesting information from it multiple times from every infected
computer).
For more information see:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A or
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Medium threat Level,
High damage capabilities,
Dangers: Causes RPC DCOM BUFFER OVERFLOW, and a Distributed Denial Of
Service attack against windowsupdate.com
This virus imports and runs the file msblast.exe.
It then pumps out requests to the website www.windowsupdate.com,
causing a "denial of service" attack (chokes the website by
requesting information from it multiple times from every infected
computer).
For more information see:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A or
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Low threat Level,
Low damage capabilities,
Dangers: Infects all users listed in MSN Messenger.
Transfers through the MSN Messenger system only.
Distinguishing Characteristics:
Name of attachment: sins.exe, msninst.exe
Size of attachment: 28K
For more info see:
http://www.symantec.com/avcenter/venc/data/w32.simic.worm.html
Low threat Level,
Medium damage capabilities,
Dangers: Sends mail to the first seven addresses in the Outlook
Address book, modifies the system registry, degrades performance by
affecting the look and feel of Microsoft Internet Explorer and causes
system instability by disabling various Windows functionality.
Distinguishing Characteristics:
Subject of email: Chinese text
Name of attachment: Bingdian.vbs
Size of attachment: 3,878 bytes
For more information see:
http://www.symantec.com/avcenter/venc/data/vbs.bingd@mm.html
Low threat Level,
High damage capabilities,
Dangers:
Allows unauthorised entry by a hacker into the infected machine.
Machines with weak administrator or default account passwords are
extremely vulnerable.
This virus allows for a blended threat.
For more info see
http://www.symantec.com/avcenter/venc/data/w32.tzet.worm.html
Low threat Level,
High damage capabilities,
Dangers: Deletes critical files in Windows, Windows\System, and
Windows\System32 directories on the trigger dates of February, or
from December 6 to 31.
Transfers through the KaZaA file-sharing system only.
Distinguishing Characteristics:
If any of the following files exist in the indicated folders, the
system is infected.
Folders:
C:\Program Files\Kazaa\My Shared Folder
C:\Archivos de Programa\Kazaa\My Shared Folder
Filenames:
Cracks.zip .exe
CristinaAguilera.Jpg .exe
Dreaming of You.doc .exe
HackersBook.doc .exe
Hacking tools.zip .exe
Norton Antivirus 2003 Crack.zip .exe
Readme.doc .exe
SilviaSaintDoubleAnalAction.doc .exe
For more info see
http://www.symantec.com/avcenter/venc/data/w32.lorsis.worm.html
Low threat Level,
Medium damage capabilities,
Dangers: Damages Symantec AntiVirus installations and causes system
instability on systems with a FAT16 partition by corrupting the C drive.
Distinguishing Characteristics:
Subject of email: "Please Confirm" or "File You Requested"
W32.Babybear@mm is a worm written in Visual Basic. It spreads using
email. Once activated, this worm damages the installations of
Symantec antivirus products and may prevent them from running.
W32.Babybear@mm copies itself all over the system and creates many
empty folders.
For more information see
http://www.symantec.com/avcenter/venc/data/w32.babybear@mm.html
Low threat Level,
Low damage capabilities,
Dangers:
Modifies win.ini file
Distinguishing characteristics:
Subject: Windows update
Attachment: windows_update.txt.exe
This is a variant of the W32.Lohack.b.Worm which spreads through KaZaA
and iMesh file-sharing networks.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.lohack.c.worm.html
Low threat Level,
Medium damage capabilities,
Dangers:
Deletes Anti-Virus Programs on infected computer
Distinguishing characteristics:
Name of attachment: Cynthia.exe
Size of attachment: 81,920 bytes
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.enegg@mm.html
Low threat Level,
Low damage capabilities,
Dangers:
Modifies win.ini file
Distinguishing characteristics:
Size of attachment: 47,132 bytes
Drops a Spanish text file called C:\LSSI INFO.txt.
The subject and attachment names vary according to a predetermined
list.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.lohack.b.worm.html
Low threat Level,
High damage capabilities,
Dangers:
Deletes system files.
Degrades performance by opening multiple Control Panel windows, which
can cause system to crash. "Hides" drive C from Windows. Changes
access to executable files.
It compromises security settings by a random routine that forces the
user to change passwords.
Distinguishing characteristics:
Subject of email: Microsoft Windows Critical Update.
Name of attachment: Windows Critical Update 088562.exe
Size of attachment: 104,200 bytes
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.gruel@mm.html
Low threat Level,
High damage capabilities,
Dangers:
Deletes all EXE files in the following directories:
C:\Program Files\Yahoo!\Messenger\
c:\windows\
c:\windows\System\
In addition, it attempts to delete the following file:
C:\Program Files\Norton AntiVirus\NAVW32.EXE
Distinguishing characteristics:
Subject: You have a ecard!
Body: You have recieved a E-Card! Check your attatchments!
Attachment: attachment.exe (36,864 bytes)
W32.Jantic.B@mm is a variant of the W32.Jantic@mm virus.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.jantic.b@mm.html
Low threat Level,
Low damage capabilities,
Dangers:
Releases confidential info by stealing system information and sending it
to the hacker.
It compromises security settings by terminating the processes of
antivirus and firewall programs.
Distribution: High
Distinguishing characteristics:
Subject: Funny picture
Attachment: CartoonComedy.pif
Subject: The passwords
Attachment: PswdLst01.pif
Subject: The file
Attachment: Database<a random number>.pif
Subject: That file
Attachment: Soccer<a random number>.pif
Subject: Fire Screensaver
Attachment: FireScreen.scr
Subject: Stupid picture
Attachment: Armadillo.pif
Subject: Web design
Attachment: WebDesignSetup.exe
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.hllw.redist.c@mm.html
Low threat Level,
High damage capabilities,
Dangers:
Deletes all EXE files in the following directories:
C:\Program Files\Yahoo!\Messenger\
c:\windows\
c:\windows\System\
In addition, it attempts to delete the following file:
C:\Program Files\Norton AntiVirus\NAVW32.EXE
Distinguishing characteristics:
Subject: You have a ecard!
Body: You have recieved a E-Card! Check your attatchments!
Attachment: attachment.exe (36,864 bytes)
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.jantic@mm.html
Low threat Level,
Low damage capabilities,
Dangers:
Distinguishing characteristics:
Subject is one of the following:
"Fw: "
" ", ":-)", "!", "!!"
"to ur friends", "to ur lovers", "for you", "to see", "to check", "to
watch", "to enjoy", "to share"
"Screensaver", "Friendship", "Love", "relations", "stuff"
"Romantic", "humour", "New", "Wonderfool", "excite", "Cool", "charming
", "Idiot", "Nice", "Bullsh*t", "One", "Funny", "Great", "LoveGangs",
"Shaking", "powful", "Joke", "Interesting"
"U realy Want this", "searching for true Love", "you care ur
friend", "Who is ur Best Friend ", "make ur friend happy", "True
Love", "Dont wait for long time", "Free Screen saver", "Friendship
Screen saver", "Looking for Friendship", "Need a friend?", "Find a
good friend", "Best Friends", "I am For u", "Life for
enjoyment", "Nothink to worryy", "Ur My Best Friend ", "Say 'I Like
You' To ur friend", "Easy Way to revel ur love", "Wowwwwwwwwwww check
it", "Send This to everybody u like", "Enjoy Romantic life", "Let's
Dance and forget pains", "war Againest Loneliness", "How sweet this
Screen saver", "Let's Laugh ", "One Way to Love", "Learn How To
Love", "Are you looking for Love", "love speaks from the
heart", "Enjoy friendship", "Shake it baby", "Shake ur friends", "One
Hackers Love", "Origin of Friendship", "The world of lovers", "The
world of Friendship", "Check ur friends Circle", "Friendship", "how
are you", "U r the person?", "Hi", "¯"
Attachment:
The attachment name is constructed from the following file names:
loveletter
resume
biodata
dailyreport
mountan
goldfish
weeklyreport
report
love
followed by:
.doc
.mp3
.xls
.wav
.txt
.jpg
.gif
.dat
.bmp
.htm
.mpg
.mdb
.zip
This virus is a variant of the W32.Yaha.C@mm and has been repacked
to make it difficult for antivirus software to detect.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.yaha.z@mm.html
Low threat Level,
Low damage capabilities,
Dangers:
Distinguishing characteristics:
Subject is one of the following:
"Fw: "
" ", ":-)", "!", "!!"
"to ur friends", "to ur lovers", "for you", "to see", "to check", "to
watch", "to enjoy", "to share"
"Screensaver", "Friendship", "Love", "relations", "stuff"
"Romantic", "humour", "New", "Wonderfool", "excite", "Cool", "charming
", "Idiot", "Nice", "Bullsh*t", "One", "Funny", "Great", "LoveGangs",
"Shaking", "powful", "Joke", "Interesting"
"U realy Want this", "searching for true Love", "you care ur
friend", "Who is ur Best Friend ", "make ur friend happy", "True
Love", "Dont wait for long time", "Free Screen saver", "Friendship
Screen saver", "Looking for Friendship", "Need a friend?", "Find a
good friend", "Best Friends", "I am For u", "Life for
enjoyment", "Nothink to worryy", "Ur My Best Friend ", "Say 'I Like
You' To ur friend", "Easy Way to revel ur love", "Wowwwwwwwwwww check
it", "Send This to everybody u like", "Enjoy Romantic life", "Let's
Dance and forget pains", "war Againest Loneliness", "How sweet this
Screen saver", "Let's Laugh ", "One Way to Love", "Learn How To
Love", "Are you looking for Love", "love speaks from the
heart", "Enjoy friendship", "Shake it baby", "Shake ur friends", "One
Hackers Love", "Origin of Friendship", "The world of lovers", "The
world of Friendship", "Check ur friends Circle", "Friendship", "how
are you", "U r the person?", "Hi", "¯"
Attachment:
The attachment name is constructed from the following file names:
loveletter
resume
biodata
dailyreport
mountan
goldfish
weeklyreport
report
love
followed by:
.doc
.mp3
.xls
.wav
.txt
.jpg
.gif
.dat
.bmp
.htm
.mpg
.mdb
.zip
This virus is a variant of the W32.Yaha.C@mm and has been repacked
to make it difficult for antivirus software to detect.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.yaha.v@mm.html
Low threat Level,
High damage capabilities,
Distinguishing characteristics:
Subject of email: "Old Shakira" or "Fw: Julia Roberts."
Name of attachment: Shakira_1997_part_1_.Mpeg_.scr or
Julia_Roberts_*******_toilet.Mpeg_.scr.
Size of attachment: 8,192 bytes
Damage:
This virus deletes the files in the last nine minutes of the hour.
The deleted files are %System%\*.*, d:\*.*, e:\*.*, f:\*.*
It also sends email to all the contacts in the Outlook address book
spreading itself.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.mylife.n@mm.html
Low threat Level,
Low damage capabilities,
Distinguishing characteristics:
The subject of the email varies according to a predetermined list.
The name of the attachment varies, with a .com, .exe, .scr, or .pif file
extension.
The size of the attachment is consistent at 180,224 bytes.
Details:
The W32.Mapson.C.Worm sends itself to all the contacts in the MSN
messenger contact list. As an added stealth device, the email may
spoof the From field.
This worm can spread itself through various file-sharing programs
such as: KaZaA, KaZaA Lite, eDonkey2000, Gnucleus, Limewire,
Morpheus, and Grokster file-sharing networks, as well as through ICQ.
Finally, this worm terminates some popular antivirus, firewall, and
system-monitoring programs which allows for a blended threat.
Damage:
This worm compromises security settings by terminating various
programs such as antivirus software and firewalls.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.mapson.c.worm.html
Low threat Level,
Low damage capabilities,
Distinguishing characteristics:
Subject: Re:
Message:
You received this email because you where sent a 'pass this on e-
messenger card' through one of our valued partners. If you believe
you received this message in error or would no longer like to receive
e-mail from us click here
http:/ /www.geocities.com/ecardmessenger/us.htm
To download your card click on the link below:
http:/ /www.geocities.com/ecardmessenger/xxxxxxxxx.zip
Details:
The W32.Klexe.Worm uses Microsoft Outlook to send a link to a
website to all the contacts in the Outlook Address Book. The link is
a zipped version of the worm. Part of this worm has a Trojan
keystroke capturing component that sends the stolen information to
the hacker's email address.
For more information see
http://www.symantec.com/avcenter/venc/data/w32.klexe.worm.html
Low threat Level,
Low damage capabilities,
Distinguishing characteristics:
Bat.Mumu.A.Worm is a large collection of files that use each other to
spread over administrative shares on Windows NT, 2000, and XP
systems. The used files are:
Hacktool.Hacline.
ipcfind.txt.
Last.exe (Trojan.Mumuboy)
Trojan.Mumuboy.dll
For more information on this sophisticated virus see
http://www.symantec.com/avcenter/venc/data/w32.mumu.b.worm.html