Low threat Level,
Low damage capabilities,
Distinguishing characteristics:
Bat.Mumu.A.Worm is a large collection of files that use each other to
spread over administrative shares on Windows NT, 2000, and XP
systems. The used files are:
Hacktool.Hacline.
ipcfind.txt.
Last.exe (Trojan.Mumuboy)
Trojan.Mumuboy.dll
For more information on this sophisticated virus see
http://www.symantec.com/avcenter/venc/data/w32.mumu.b.worm.html
Low threat level,
Low damage capabilities,
Distinguishing characteristics:
Subject of email:
Re: Movie, Re: Submited (004756-3463),
Re: 45443-343556,
Re: Approved, Approved,
Re: Your application, or
Re: Application.
Name of attachment:
screensaver.scr,
movie.pif,
submited.pif,
45443.pif,
documents.pif,
approved.pif,
application.pif, or
document.pif.
For more information see
http://www.symantec.com/avcenter/venc/data/w32.sobig.d@mm.html
Low threat level,
low damage capabilities.
Damage:
This virus terminates the processes of various security programs,
including antivirus software, allowing for a blended threat, or
infection from viruses the antivirus program should already recognise.
For more information see
http://www.symantec.com/avcenter/venc/data/w32.danvee@mm.html
Low threat Level,
High Damage capabilities,
Distinguishing characteristic: name of attachment: ANACON32.EXE
W32.Naco.D@mm is a variant of W32.Naco@mm. It is a mass-mailing worm
written in Visual Basic (VB). The worm can spread via email, peer-to-
peer file-sharing applications, such as KaZaA, as well as network
shares
Damage:
On the following dates of any month (1st, 4th, 8th, 12th, 16th, 20th,
24th, or 28th) this virus does the following:
It attempts to delete files in the root folder and format the D:
drive.
It performs a Denial of Service attack against a predefined list of
sites.
It compromises security settings by allowing unauthorized remote
access to an infected computer by a hacker.
For more information see
http://www.symantec.com/avcenter/venc/data/w32.naco.d@mm.html
Low threat level,
Low damage capabilities,
Distinguishing characteristics:
Size of attachment: 27,648 bytes
This virus can spread itself via email AND through the file-sharing
networks: Applejuice, Bearshare, eDonkey2000, Grokster, KaZaA, KaZaA
Lite, KMD, Limewire, Morpheus, Overnet.
Damage:
Sends itself to all the contacts in the Outlook Address Book
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.hllw.cidas@mm.html
Low threat level,
Medium damage capabilities,
Distinguishing characteristics:
Name of attachment: Melda.scr
W32.HLLW.Aldem@mm is an email worm that spreads itself through email,
mIRC, and across file-sharing networks.
The worm also contains backdoor functionality and attempts to
terminate the processes of various programs, including antivirus and
security software.
Damage:
Allows unauthorized remote access to an infected computer by a
hacker. It terminates various programs including antivirus and
security software allowing for a blended threat.
For more information see
http://www.symantec.com/avcenter/venc/data/w32.hllw.aldem@mm.html
Low threat level,
low damage capabilities,
distinguishing characteristics:
180,736 bytes
This worm spreads through KaZaA, KaZaA Lite, eDonkey2000,
Gnucleus, Limewire, Morpheus, Grokster, and ICQ
For more information see
http://www.symantec.com/avcenter/venc/data/w32.mapson.worm.html
Severe Threat Category,
Medium Damage Capabilities,
Distinguishing Characteristics:
Subject of email...see list below
Size of attachment: 72,192 bytes
Damage:
This virus sends itself to email addresses harvested from the current
Inbox, as well as in the files with the following
extensions: .mmf, .nch, .mbx, .eml, .tbb, .dbx, .ocs
This virus logs keystrokes allowing the hacker to track username and
passwords.
Finally the virus compromises security settings by allowing
unauthorized access to infected computers and terminates processes of
various antivirus and firewall programs, allowing for a blended
threat. (reinfection by other older viruses)
A removal tool is here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.removal.tool.html
For more information see
http://www.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html
Subject of email:
Hello!
update
hmm..
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Stats
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
wow!
fantastic
click on this!
Market Update Report
empty account
My eBay ads
Cows
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
News
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
Re:
$150 FREE Bonus!
Your News Alert
Hi!
Get 8 FREE issues - no risk!
Greets!
Low threat Level,
damage capabilities medium,
distinguishing characteristics: subject of email is one of the
following:
Reply to this!
Let's Laugh
Last Update
for you
Great
Help
Attached one Gift for u..
Hi Dear
See the attachement
and the size of attachment is 142,336 bytes
Damage:
This virus modifies all .exe files in local hard drives and network-
shared folders.
It also compromises security settings and allows unauthorized remote
access to an infected computer.
Finally it terminates the process of various programs including
antivirus software allowing for a blended threat.
Low threat Level,
Low damage capabilities,
Distinguishing characteristics:
Bat.Mumu.A.Worm is a large collection of files that use each other to
spread over administrative shares on Windows NT, 2000, and XP
systems. The used files are:
10.bat: A malicious batch file.
hack.bat: A malicious batch file.
hfind.exe: A Hacktool that will be detected as Hacktool.Hacline.
ipc.bat: A malicious batch file.
muma.bat: A malicious batch file.
ntservice.bat: A malicious batch file that stops the "Application"
service, runs ntservice.exe with the -install argument, and then
starts the "Application" service.
ntservice.exe: A UPX-packed executable that will create a service
described in NTService.ini.
NTService.ini: Service information giving the name as "Application,"
it will run cmd.exe /c ss.bat.
nwiz.exe: A legitimate application from nVidia.
nwiz.in_: A configuration file.
nwiz.ini: A configuration file.
ipcpass.txt: A text file.
tihuan.txt: A text file.
rep.exe: A legitimate utility for replacing strings.
psexec.exe: A legitimate utility from Sysinternals to remotely start
the processes.
random.bat: A malicious batch file.
replace.bat: A malicious batch file.
ss.bat: A batch file that will create an admin user, as well as run
the psexec on the remote machine.
start.bat: A malicious batch file.
pcmsg.dll: A legitimate file from the pcGhost utility (not to be
confused with the Symantec-cloning software, Ghost).
For more information see:
http://www.symantec.com/avcenter/venc/data/bat.mumu.a.worm.html
Low threat Level,
High Damage capabilities,
Distinguishing characteristic: name of attachment: ANACON32.EXE
Damage:
On the following dates of any month (1st, 4th, 8th, 12th, 16th, 20th,
24th, or 28th) this virus does the following:
It attempts to delete files in the root folder and format the D:
drive.
It performs a Denial of Service attack against a predefined list of
sites.
It compromises security settings by allowing unauthorized remote
access to an infected computer by a hacker.
Low threat Level,
damage capabilities medium,
distinguishing characteristics: subject of email is one of the
following:
Reply to this!
Let's Laugh
Last Update
for you
Great
Help
Attached one Gift for u..
Hi Dear
See the attachement
and size of attachment is 133,632 bytes
Damage:
This virus modifies all .exe files in local hard drives and network-
shared folders.
It also compromises security settings and allows unauthorized remote
access to an infected computer.
Finally it terminates the process of various programs including
antivirus software allowing for a blended threat.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.hllw.lovgate.j@mm.html
Medium Threat Level,
Low damage capabilities,
Distinguishing characteristics:
Subject of email:
Re: Movie, Re: Submited (004756-3463),
Re: 45443-343556,
Re: Approved, Approved,
Re: Your application, or
Re: Application.
Name of attachment:
screensaver.scr,
movie.pif,
submited.pif,
45443.pif,
documents.pif,
approved.pif,
application.pif, or
document.pif.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.sobig.c@mm.html
Low threat Level,
High Damage capabilities,
Distinguishing characteristic: name of attachment: WARS.EXE
Damage:
On the following dates of any month (1st, 4th, 8th, 12th, 16th, 20th,
24th, or 28th) this virus does the following:
It attempts to delete files in the root folder and format the D:
drive.
It performs a Denial of Service attack against a predefined list of
sites.
It compromises security settings by allowing unauthorized remote
access to an infected computer by a hacker.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.naco.b@mm.html
Low threat level,
Medium Damage capabilities,
Distinguishing characteristics: name of attachment: Maya Gold.scr
Damage:
This virus locks the mouse to prohibit its use at the top 10% of the
desktop, and changes windows colors and titles.
It also compromises security settings by attempting to terminate
processes of various antivirus programs, allowing for a blended threat.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.hllw.magold@mm.html
Low threat level,
medium damage capabilities,
Distinguishing characteristics:
Subject can be one of the following:
Modem booster
Warp ScreenSaver
Fire ScreenSaver
Better than WinZip?
Program
This virus releases confidential information from an infected
computer and sends it to the specified email address of the hacker.
It attempts to stop antivirus and firewall programs, allowing for
a "blended threat" (infection of viruses normally recognised by the
antivirus program).
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.hllw.redist@mm.html
Medium threat level,
low damage capabilities,
distinguishing characteristics:
the from address is From: support@...,
the size of attachment is 52,898 bytes, and
creates the following files in the windows folder: hnks.ini and
msdbrr.ini.
For More information see
http://www.symantec.com/avcenter/venc/data/w32.sobig.<ˆmm.html
Low threat level, medium damage capabilities, distinguishing
characteristics: name of message is one of the following:
Reply to this!
Let's Laugh
Last Update
for you
Great
Help
Attached one Gift for u..
Hi Dear
See the attachement
size of attachment is 127,488 bytes,
It creates the fake Windows Process "LSASS.EXE"
Details:
This virus is a variant of W32.HLLW.Lovgate@mm virus. Once infected,
if infected computer runs Windows NT, 2000, or XP, the worm will
attempt to disguise itself as the normal Windows process, "LSASS.EXE."
Damage:
This virus attempts to reply to incoming email messages and to the
email addresses that it finds in HTML files.
It modifies and infects all .exe files in local hard drives and
network shared folders.
It allows unauthorized remote access to an infected computer.
It attempts to terminate the process of various programs including
antivirus software.
For more information see
http://www.symantec.com/avcenter/venc/data/w32.hllw.lovgate.i@mm.html
Low threat Level, medium damage capabilities, Distinguishing
characteristics: The name of the attachment is one of the following:
FixSql.com
Api Hooking-Tutorial.exe
Hotmail Hacker.exe
OutWar Demo.exe
Soccer Database.exe
MsnMsgs.exe
HowTo-SARS.exe
Last Summer.scr
Magical-Screensaver.scr
Love.scr
Christina Aguilera-The most beautiful girl on earth.scr
Saddam-the real pics.scr
Virtual Joke.scr
Q30215HOTFIX.pif
and the size of attachment: 108,544
Damage:
This virus terminates many antivirus programs allowing the infected
computer to be infected with other viruses (known as a blended threat)
that it should normally be protected against.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.hllw.kickin.a@mm.html
Low threat level, medium damage capabilities, distinguishing
features: size of attachment is 71,304 bytes.
This is another variation on the W32.Yaha.S virus. So most of its
characteristics are similar to the whole W32.Yaha family, just the
attachment changes.
Damage capabilities:
It degrades performance by attempting to perform a Denial of Service
attack against various websites.
It compromises security settings by terminating the processes of
various antivirus and firewall programs, allowing a "blended" threat;
that is, it lets other viruses in.
Distribution method:
This virus emails itself to all the addresses it finds by searching
the Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager,
ICQ, and all the files whose extensions contain the letters HT
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.yaha.s@mm.html
Low Threat Category, Low Damage Capabilities, Distinguishing
features: the name of attachment: Kiss.ok.exe
W32.Nolor@mm is a mass-mailing worm that uses its own SMTP engine to
send itself to all the contacts in the Windows Address Book. The
email will have a variable subject line and an attachment with the
filename Kiss.ok.exe.
For more information see
http://www.symantec.com/avcenter/venc/data/w32.nolor@mm.html
Low Threat Category, Medium Damage Capabilities, No visible
distinguishing features.
W32.HLLW.Kullan is a worm that has backdoor capabilities. It spreads
across networks, by copying itself to the Start Menu of computers,
which an infected computer can access. The most common reason for
this access is an unprotected shared resource.
Damage:
Releases confidential info by logging keystrokes and examining e-mail
Compromises security settings by allowing unauthorized remote access
to an infected computer.
Distributed by copying itself to the Start menu on shared resources
For more information see
http://www.symantec.com/avcenter/venc/data/w32.hllw.kullan.html
Low Threat Level, Medium Damage Capabilities, Distinguishing
features: The attachment is named: BlueMountaineCard.pif
Damage capabilities: This virus allows unauthorised access to your
computer allowing the hacker to copy files from the infected computer
and cause other damage.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.hllw.cult.b@mm.html
Low Threat Level, Medium Damage Capabilities, ID= Subject:
The subject will be one of the following:
Reply to this!
Let's Laugh
Last Update
for you
Great
Help
Attached one Gift for u..
Hi Dear
See the attachement
This virus has backdoor capabilities which allows the infected
computer to be invaded by a remote user/hacker and mass mails itself
to everyone in your address book.
For more information see
http://www.symantec.com/avcenter/venc/data/w32.hllw.lovgate.g@mm.html
Low threat level,
HIGH Damage Capabilities
VIRUS ID= Subject: <Recipients.name>, WORLD TRADE CENTER PICTURES
Message: <Recipients.name>, Remember The Times.......MAYBE THEY WILL
BE BACK....!!!
Attachment: WTC32.scr
Damage: This virus deletes all files with the
extensions .wav, .mp3, .jpg, .bmp, .zip, .rar, and .doc, and
overwrites all the .exe and .scr files.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.vote.d@mm.html
Low threat level, damage = medium, ID= Swedish:
Olaglig_skärmsläckare?
Rashets eller inte?
Hakkors.
Suspekta semaforer.
Avskyvärd_reklam.
Överviktiga_förnedras.
Go ack ack ack....
Är_USA_ett_UFO?
Korkad president.
Katt, hund, kanin.
English:
Screensaver advice.
Spy pics.
GO USA !!!!
G.W Bush animation.
Is USA a UFO?
Is USA always number one?
LINUX.
Nazi propaganda?
Catlover.
Disgusting propaganda.
Attachment: [a-z][a-z].scr
Damage:
This virus modifies files and attempts to terminate antivirus
programs etc.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.ganda.a@mm.html
Low level threat, damage = high,
This email-based virus can also spread using mIRC, KaZaA, network
shares, and mapped drives.
Damage: It attempts to delete all files on the system and deactivate any
antivirus programs leaving the infected computer open to attack from
other viruses.
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.hllw.oror.ai@mm.html
Low Level Threat, damage = medium, id=subject is one of the following:
'''*< Love Speaks it all >*'''
Co0o0o0o0oL
Fw:
Heeeeeeeeeeeeeeeey
Wussaaaaaaaap?
WoW But not for NoW
Why Do We FOk?
The messages have an attachment with a .pif extension, usually
Hawawi.pif.
Damage:
This virus will overwrite any file that has the following extensions,
with zero-byte files:
mpeg
rm
wav
sql
mde
php
cpp
swf
ram
mp3
frm
dpr
rar
mpg
jpg
pdf
pps
ppt
txt
htm
html
zip
doc
mdb
xls
For more information see:
http://www.symantec.com/avcenter/venc/data/w32.hawawi.worm.html