Taken From:

Malware type: Worm
Aliases: W32.Sober.O@mm W32/Sober.p@MM W32/Sober-N Sober.P Email-Worm.Win32.Sober.p
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP
Encrypted: No
Characteristics: Propagates via email

Description:

This worm spreads by mass-mailing copies of itself using its own SMTP (Simple Mail Transfer Protocol) engine. It gathers its target recipients from files with certain extensions names. Notably, it avoids sending messages to addresses that contain specific strings.

Using social engineering techniques, it sends out an email supposedly sent by the soccer organization FIFA, informing recipients that they won tickets for the upcoming FIFA World Cup 2006 in Germany. It also sends email messages in English or in German, depending on the country-level domains of the gathered addresses.

Social engineering, a propagation technique that is widely utilized by most worm programs, invests largely on computer users' instinctive tendency to open email messages, execute attachments that are enticing and apparently harmless, and download and unknowingly open attractively named files.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

Taken From http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.gen.html

Technical Details:

Common characteristics of the W32.Randex family include:

    * Spreading through network shares
    * Attacking randomly generated IP addresses
    * Using default credentials or weak username/password pairs to connect to a remote target system
    * Opening backdoor ports
    * Opening connections to predetermined IRC servers and waiting for commands from an attacker
    * Performing Denial of Service (DoS) attacks
    * Some recent variants exploit the Mydoom backdoor on TCP port 3127 to spread to remote systems


For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken From: http://www.2-spyware.com/file-winapa-exe.html

winapa.exe description:
File winapa.exe is related to trojan WootBot Trojan.

Files related to winapa.exe:
navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe

File winapa.exe removal:
WARNING!!! File winapa.exe is related to spyware. This is serious violation of your privacy, your system is under security threat.
We advice you to scan your computer and eliminate possible threats.

You can also visit ARNIT Online scanner to scan your computer for free!
http://www.arnit.net/security/tplarnit.php?page=vscan

Taken From: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.aladinz.g.html



Backdoor.IRC.Aladinz.G is a backdoor Trojan horse that uses malicious scripts in mIRC client software, allowing unauthorized remote access.

Also Known As: Worm.Win32.Randon.o [Kaspersky]
    
Type: Trojan Horse

Infection Length: varies
    
Systems Affected:     Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX

Technical Details:
When Backdoor.IRC.Aladinz.G is executed, it performs the following actions:

   1. Creates the folder %Program Files%\Common Files\OOBE\DivX Player 7.0, and drops the following files into the folder:
          * sample.bin (detected as Backdoor.Trojan)
          * DivXinstall.bat (detected as Trojan Horse)
          * DecodeDivX.exe (detected as Hacktool.DoS)
          * nacs.exe (detected as Hacktool)
          * DrDivXRegistration.exe (detected as Hacktool.HideWindow.)
          * Dr.DivX.exe (mIRC client software. It is detected as IRC.Backdoor.Trojan.)
          * DelDivX.exe (Process viewer. This utility is not viral by itself.)
          * Divx.exe (Remote execution utility. It is not viral by itself)
          * helptoo.txt (Text file that includes username.It is not malicious itself. )
          * helpuse.txt (Text file that includes username and password. It is not malicious itself. )
          * DivX.ini (Ini file that the Trojan uses to load other IRC scripts. It is not malicious itself. )

            Note: %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.
   2. Adds the value:

      "DivX MediaPlayer 7.0"="%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe"

      to the registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      so that the Trojan starts when you start or restart Windows.

   3. Adds the values:
          * "DisplayName"="mIRC"
          * "UninstallString"=""%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe" -uninstall"

            to the registry key:

            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
            Uninstall\mIRC

            Note: If the mIRC subkey does not exist, the Trojan will create it.
   4. Adds the values:

      "(Default)" = "c:\program files\common files\oobe\divx player 7.0\dr.divx.exe"

      to the following registry keys:
          * HKEY_CLASSES_ROOT\ChatFile\DefaultIcon
          * HKEY_CLASSES_ROOT\ChatFile\Shell\open\command
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\DefaultIcon
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\command

            so that the IRC file that call c:\program files\common files\oobe\divx player 7.0\dr.divx.exe when chat files are opened.

   5. Creates the following subkeys:
          * HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec

   6. Runs %Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe in the background.

   7. By default, the Trojan allows the hacker to perform any of the following actions:
          * Download and execute files.
          * Perform Denial of Service (DoS) attacks against predetermined targets.
          * Attempt to compromise other machines through open shares or weak passwords.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken From: http://www.sophos.com/virusinfo/analyses/w32forbotcl.html

Name
    * W32/Forbot-CL
Type

    * Worm

How it spreads     

    * Network shares

Affected operating systems

    * Windows

Side effects

    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases

    * Backdoor.Win32.Wootbot.gen
    * W32/Sdbot.worm.gen
    * WORM_WOOTBOT.CN

Detailed Description:
 W32/Forbot-CL is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

W32/Forbot-CL copies itself to the Windows system folder as MQGUARD.EXE.

W32/Forbot-CL also creates its own service named "Win32" with display name "Windows Network Controller".

W32/Forbot-CL attempts to spread to network machines using various exploits including the LSASS vulnerability (see MS04-011). The worm may also spread via IRC channels.

W32/Forbot-CL may act as a proxy, delete network shares and steal keys for various software products.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken From: http://www.2-spyware.com/remove-wootbot-trojan.html

Full name: WootBot Trojan

Type: Trojans

Also known as: Trojan.WootBot, WootBot

Related files:
navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe

severity scale is 67 (67 / 100)

WootBot Trojan description:
This dangerous parasite is especially dangerous for PC gamers. WootBot tries to steal the CD-keys from various games and send these keys to the specified location. But not only this technique is a potential threat for the user of an infected machine; this parasite also tries to connect to the Internet and download various parasites from there. In case of success, even more problems may occur on the computer.

WootBot Trojan properties:
• Connects itself to the internet
• Hides from the user
• Stays resident in background

To Remove this trojan from your computer, you can SCAN your computer for FREE with ARNIT Online Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

Taken from http://www.2-spyware.com/file-mqguard-exe.html

mqguard.exe description:
File mqguard.exe is related to trojan WootBot Trojan.

Files related to mqguard.exe: navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe

File mqguard.exe removal: WARNING!!! File mqguard.exe is related to spyware. This is serious violation of your privacy, your system is under security threat.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Info taken from http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.pr.html

W32.Randex.PR is a network-aware worm that attempts to copy itself to computers with weak administrator passwords. The worm receives instructions from an IRC channel on a predetermined IRC server.

Also Known As:     W32/Spybot.worm.gen.a [McAfee]
Variants:         W32.Randex.gen
Type:                  Worm
Infection Length: 66,857 bytes
    
    
    
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Technical Details:
When W32.Randex.PR is executed, it does the following:

   1. Copies itself as %System%\symantec32.exe.

      Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
   2. Calculates a random IP address and attempts to authenticate itself to it.

   3. Attempts to copy itself to the following locations on computers with weak administrator passwords:
          * \c$\symantec32.exe
          * \c$\winnt\system32\symantec32.exe
          * \Admin$\system32\symantec32.exe

   4. Remotely schedules a task to run the worm on a newly infected computer.

   5. Adds the following value:
          * "Symantec Security"="symantec32.exe"
          * "Windows Loader" = "svchosts.exe"

            to the registry keys:
          * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
          * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
            RunServices
          * HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
          *

            so that the worm runs when you start Windows.

   6. Connects to an IRC channel on a predetermined IRC server to receive remote instructions, such as:
          * Ntscan: Scans for computers with weak administrator passwords, and then copies itself to these machines.
          * Syn: Performs a SYN flood attack with a data size of 55808 bytes.
          * Sysinfo: Retrieves the infected machine's information, such as CPU speed and the amount of memory.

   7. Steals the CD keys of the following games:
          * FIFA 2003
          * Need For Speed Hot Pursuit 2
          * Soldier of Fortune II
          * Rainbow Six III Ravenshield
          * Battlefield 1942 Road To Rome
          * Battlefield 1942
          * IGI 2
          * Counter-Strike
          * Unreal Tournament 2003
          * Half-Life
For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken from http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.aladinz.g.html

Description:
Backdoor.IRC.Aladinz.G is a backdoor Trojan horse that uses malicious scripts in mIRC client software, allowing unauthorized remote access.

Also Known As:     Worm.Win32.Randon.o [Kaspersky]
    
Type:     Trojan Horse

Infection Length:     varies
    
Systems Affected:     Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected:     DOS, Linux, Macintosh, OS/2, UNIX

Technical Details:
When Backdoor.IRC.Aladinz.G is executed, it performs the following actions:

   1. Creates the folder %Program Files%\Common Files\OOBE\DivX Player 7.0, and drops the following files into the folder:
          * sample.bin (detected as Backdoor.Trojan)
          * DivXinstall.bat (detected as Trojan Horse)
          * DecodeDivX.exe (detected as Hacktool.DoS)
          * nacs.exe (detected as Hacktool)
          * DrDivXRegistration.exe (detected as Hacktool.HideWindow.)
          * Dr.DivX.exe (mIRC client software. It is detected as IRC.Backdoor.Trojan.)
          * DelDivX.exe (Process viewer. This utility is not viral by itself.)
          * Divx.exe (Remote execution utility. It is not viral by itself)
          * helptoo.txt (Text file that includes username.It is not malicious itself. )
          * helpuse.txt (Text file that includes username and password. It is not malicious itself. )
          * DivX.ini (Ini file that the Trojan uses to load other IRC scripts. It is not malicious itself. )

            Note: %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.
   2. Adds the value:

      "DivX MediaPlayer 7.0"="%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe"

      to the registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      so that the Trojan starts when you start or restart Windows.

   3. Adds the values:
          * "DisplayName"="mIRC"
          * "UninstallString"=""%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe" -uninstall"

            to the registry key:

            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
            Uninstall\mIRC

            Note: If the mIRC subkey does not exist, the Trojan will create it.
   4. Adds the values:

      "(Default)" = "c:\program files\common files\oobe\divx player 7.0\dr.divx.exe"

      to the following registry keys:
          * HKEY_CLASSES_ROOT\ChatFile\DefaultIcon
          * HKEY_CLASSES_ROOT\ChatFile\Shell\open\command
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\DefaultIcon
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\command

            so that the IRC file that call c:\program files\common files\oobe\divx player 7.0\dr.divx.exe when chat files are opened.

   5. Creates the following subkeys:
          * HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec

   6. Runs %Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe in the background.

   7. By default, the Trojan allows the hacker to perform any of the following actions:
          * Download and execute files.
          * Perform Denial of Service (DoS) attacks against predetermined targets.
          * Attempt to compromise other machines through open shares or weak passwords.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken from: http://www.2-spyware.com/remove-wootbot-trojan.html

Full name: WootBot Trojan

Type: Trojans

Also known as: Trojan.WootBot, WootBot

Related files: navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe

Severity scale: (67 / 100)

WootBot Trojan description: This dangerous parasite is especially dangerous for PC gamers. WootBot tries to steal the CD-keys from various games and send these keys to the specified location. But not only this technique is a potential threat for the user of an infected machine; this parasite also tries to connect to the Internet and download various parasites from there. In case of success, even more problems may occur on the computer.

WootBot Trojan properties:
• Connects itself to the internet
• Hides from the user
• Stays resident in background

WootBot Trojan manual removal:
Kill processes:
navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe

Delete files:
navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken from: http://www.2-spyware.com/file-ctfnom-exe.html


ctfnom.exe description:
File ctfnom.exe is related to trojan WootBot Trojan.

Files related to ctfnom.exe: navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, symantec32.exe, syshelper.exe, mqguard.exe

File ctfnom.exe removal: WARNING!!! File ctfnom.exe is related to spyware. This is serious violation of your privacy, your system is under security threat.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken from: http://www.sophos.com/virusinfo/analyses/w32rbotwx.html

Desciption:
W32/Rbot-WX is a network worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-WX spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

W32/Rbot-WX can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-WX can be instructed by a remote user to perform the following functions:


    * start an FTP server

    * start a Proxy server

    * start a web server

    * take part in distributed denial of service (DDoS) attacks

    * log keypresses

    * capture screen/webcam images

    * packet sniffing

    * port scanning

    * download/execute arbitrary files

    * start a remote shell (RLOGIN)


The worm copies itself to a file named lsassx.exe in the Windows system folder and creates the following registry entries:

HKCU\Software\Microsoft\OLE\
Windows Taskmanager=
"lsassx.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Taskmanager=
"lsassx.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Taskmanager=
"lsassx.exe"

Aliases: Backdoor.Win32.IRCBot.y

Affected operating systems: Microsoft Windows Operating Systems

Side effects::
    *  Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

To scan your computer for  W32/Rbot-WX, please check ARNIT Free Online Virus scanner at http://www.arnit.net/security/tplarnit.php?page=vscan

Info taken from http://www.trendmicro.com/vinfo/grayware/graywareDetails.asp?SNAME=SPYW_GATOR.D

Description:

This spyware program may be downloaded onto affected systems by other malware already installed on the said machines. It has the capability to download an updated copy of itself without the users' knowledge.

Programs of this type affects users' privacy by stealing confidential information and monitoring browsing behavior without consent.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Download the latest spyware pattern file and scan your system. Then, delete all files detected as SPYW_GATOR.D.

Details:

This spyware program may be downloaded onto affected systems by other malware already installed on the said machines. It has the capability to download an updated copy of itself without the users' knowledge.

Programs of this type affects users' privacy by stealing confidential information and monitoring browsing behavior without consent.

This is Trend Micro's detection for Dynamic Link Library (DLL) used by the Gator spyware.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken From: http://www.sophos.com/virusinfo/analyses/trojlineaged.html

Description:
Troj/Lineage-D is a password-stealing Trojan for the Windows platform.

Troj/Lineage-D logs keystrokes for the game Lineage II and emails the author with the results.

Affected operating systems:

    * Windows

Side effects:

    * Steals information
    * Records keystrokes
    * Leaves non-infected files on computer

Technical Details:
Troj/Lineage-D is a password-stealing Trojan for the Windows platform.

Troj/Lineage-D logs keystrokes for the game Lineage II and emails the author with the results.

Troj/Lineage-D copies itself to the Windows system folder as "ttplorer.exe" and creates a DLL keylogging component "ttinject.dll" as well as the text file "ttdata32.dll" to keep the keylog results.

Troj/Lineage-D creates the following registry entry to run itself automatically on system login or startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Scvhost
<Windows system>\ttplorer.exe

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken From http://www.sophos.com/virusinfo/analyses/w32mydoombc.html

Description:
 W32/MyDoom-BC is an email worm for the Windows platform.

Email sent by the worm has characteristics similar to the following examples:

Subject line:

hi
error
test
Message could not be delivered

Message body:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.

Attached file:

attachment.com
letter.zip
<username>.exe

Side effects:

    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases:

    * Email-Worm.Win32.Mydoom.am
    * W32/Mydoom.bc@MM
    * W32/Mydoom.db@MM
    * Worm.Mydoom.M-2

Technical Details:
W32/MyDoom-BC is an email worm. When first run, the worm copies itself to either the Windows or Temp folders as java.exe, and adds one of the following registry entries to ensure that the copy is run each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM

W32/MyDoom-BC also creates a file named services.exe in the Windows or Temp folder and runs the file. Services.exe is a backdoor component.

W32/MyDoom-BC searches the hard disk email addresses. The worm searches files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB and DBX and the Windows address book. In addition the worm may use an internet search engine to find more email addresses. The worm will send a query to the search engine using domain names from email addresses found on the hard disk and then examine the query results, searching for more addresses. The internet search engines used by W32/MyDoom-BC and the percentage chance that each is used are:

www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)

When choosing addresses to send itself to W32/MyDoom-BC will avoid addresses which contain any of the following strings:

abuse
accoun
admin
anyone
arin.
avp
bar.
bugs
ca
domain
example
feste
foo
foo.com
gmail
gnu.
gold-certs
google
help
hotmail
info
listserv
mailer-d
master
me
microsoft
msdn.
msn.
no
nobody
noone
not
nothing
ntivi
page
panda
privacycertific
rarsoft
rating
ripe.
sample
sarc.
seclist
secur
sf.net
site
soft
someone
sophos
sourceforge
spam
spersk
submit
support
syma
the.bat
trend
update
uslis
winrar
winzip
yahoo
you
your

The email sent by the worm has a spoofed sender.

The subject line may be blank or one of the following:

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

The message text of the email is constructed from a set of optional strings within the worm. The message sent is blank or similar to one of the following messages:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.

The message could not be delivered

The original message was included as attachment

The original message was received at <time> from <address>
----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
>>> MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND

The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within <number> days:
Mail server <hostname> is not responding.
The following recipients did not receive this message:
<address>
Please reply to postmaster@<domain>
if you feel this message to be in error.

The attached file may be named similarly to the recipient's username or domain
or using one of the following names:

attachment
document
file
instruction
letter
mail
message
readme
text
transcript

with an optional extension of DOC, TXT, HTM, HTML followed by a number of spaces and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a zip file containing a file named as described.

W32/MyDoom-BC drops a file named services.exe in the Windows or Temp folder and runs the file.

Services.exe adds the following registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
services
<Windows or Temp folder>\services.exe

W32/MyDoom-BC also attempts to download and run files from several websites.
At the time of writing the downloaded files are detected by Sophos's anti-virus products as Troj/Surila-P.

Parts taken from http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.au@mm.html

Description:
W32.Mydoom.AU@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses that it gathers from a compromised computer. This worm is a minor variant of W32.Mydoom.AM@mm.

Also Known As:
Email-Worm.Win32.Mydoom.ak [Kaspersky Lab], W32/Mydoom.ba@MM [McAfee]

Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Technical Details:
Once executed, W32.Mydoom.AU@mm performs the following actions:

   1. Creates the files:

          * %System%\lsasrv.exe
          * %System%\version.ini
          * [path of execution]\hserv.sys

            Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   2. Creates the mutex -=RTSW.Smash 0a2a0=-, so that only one instance of the worm runs on the compromised computer.

   3. Adds the value:

      "lsass" = "%System%\lsasrv.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


      so that it is executed every time Windows starts.

   4. Modifies the value:

      "Shell" = "explorer.exe %System%\lsasrv.exe"

      in the registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

      so that it is executed every time Windows starts.

   5. Creates a text file named %Temp%\Mes#wtelw.txt, which contains only garbage data. The worm uses Notepad to open the file and display the garbage data.

      Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

   6. Gathers email addresses from the Windows Address Book and from files with the following extensions:

          * .wab
          * .pl
          * .adb
          * .tbb
          * .dbx
          * .asp
          * .php
          * .sht
          * .htm
          * .txt

            avoids sending itself to an email address that contains one of the following strings:

          * accoun
          * certific
          * listserv
          * ntivi
          * support
          * icrosoft
          * admin
          * page
          * the.bat
          * gold-certs
          * feste
          * submit
          * not
          * help
          * service
          * privacy
          * somebody
          * soft
          * contact
          * site
          * rating
          * bugs
          * you
          * your
          * someone
          * anyone
          * nothing
          * nobody
          * noone
          * webmaster
          * postmaster
          * samples
          * info
          * root
          * mozilla
          * utgers.ed
          * tanford.e
          * pgp
          * acketst
          * secur
          * isc.o
          * isi.e
          * ripe.
          * arin.
          * sendmail
          * rfc-ed
          * ietf
          * iana
          * usenet
          * fido
          * linux
          * kernel
          * google
          * ibm.com
          * fsf.
          * gnu
          * mit.e
          * bsd
          * math
          * unix
          * berkeley
          * foo.
          * .mil
          * gov.
          * .gov
          * ruslis
          * nodomai
          * mydomai
          * example
          * inpris
          * borlan
          * sopho
          * panda
          * hotmail
          * msn.
          * icrosof
          * syma
          * avp
          * .edu
          * abuse
          * www
          * fcnz
          * spm

   7. Uses its own SMTP engine to send itself to the email addresses that it finds. The email will have the following characteristics:

      From: Composes a fake address in the format [First name][Random last name]@[Domain]

      Where [First name] is one of the following:

          * Joseph
          * Ronald
          * Hannah
          * Kimberly
          * Maria
          * George
          * Charles
          * Len
          * Cissi
          * Sandra
          * Jennifer
          * Hans
          * Richard
          * Lee
          * Emily
          * Helen
          * Elizabeth
          * Donald
          * David
          * Harris
          * Nicholas
          * Betty
          * Barbara
          * Mark
          * William
          * Martin
          * Ethan
          * Karen
          * Linda
          * Paul
          * Michael
          * Edward
          * Cynthia
          * Nancy
          * Patricia
          * Daniel
          * Robert
          * Olivia
          * Angela
          * Dorothy
          * Kevin
          * Christopher
          * John
          * Josefine
          * Melissa
          * Susan
          * Anthony
          * Thomas
          * James


            and [Domain] is one of the following:

          * compuserve.com
          * juno.com
          * earthlink.net
          * yahoo.co.uk
          * hotmail.com
          * yahoo.com
          * msn.com
          * aol.com


            Subject:
            One of the following:

          * Attention!!!
          * Do not reply to this email
          * Error
          * Good day
          * hello
          * Mail Delivery System
          * Mail Transaction Failed
          * Server Report
          * Status


            Attachment:
            One of the following filenames:

          * body
          * message
          * docs
          * data
          * file
          * rules
          * doc
          * readme
          * document


            with one of the following extensions:

          * .bat
          * .cmd
          * .exe
          * .scr
          * .pif
          * .zip


            Message Body:
            One of the following:

          * Mail transaction failed. Partial message is available
          * The message contains Unicode characters and has been sent as a binary attachment.
          * The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
          * Mail transaction failed. Partial message is available.
          * Thank you for registering at WORLDXXXPASS.COM
            All your payment info, login and password you can find in the attachment file.
            It's a real good choise to go to WORLDXXXPASS.COM
          * Attention! New self-spreading virus!
            Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more.
            To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment.
            c 2004 Networks Associates Technology, Inc. All Rights Reserved
          * New terms and conditions for credit card holders
            Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web.
            Thank you,
            The World Bank Group
            c 2004 The World Bank Group, All Rights Reserved
          * Attention! Your IP was logged by The Internet Fraud Complaint Center
            Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI. All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted.
            This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center
          * You have visited illegal websites
            I have a big list of the websites you surfed
          * You think it's funny? You are stupid idiot!!! I'll sendthe attachment to your ISP and then I'll be watchinghow you will go to jail, punk!!!
          * Your credit card was charged for $500 USD. For additional information see the attachment
          * ESMTP [Secure Mail System #334]: Secure message is attached
          * Encrypted message is available
          * Delivered message is attached
          * Can you confirm it?
          * Binary message is available
          * am shocked about your document!
          * Are you a spammer? (I found your email on a spammer website!?!
          * Bad Gateway: The message has been attached
          * Here is your documents you are requested

   8. Copies itself to shared folders of Kazaa, Morpheus, iMesh, eDonkey, or LimeWire. The file has one of the following names with either a bat, pif, scr, or exe extension:

          * porno
          * NeroBROM6.3.1.27
          * avpprokey
          * Ad-awareref01R349
          * winxp_patch
          * adultpasswds
          * dcom_patches
          * K-LiteCodecPack2.34a
          * activation_crack
          * icq2004-final
          * winamp5

   9. Attempts to disable the following processes, including firewall and antivirus applications:

          * i11r54n4.exe
          * irun4.exe
          * d3dupdate.exe
          * rate.exe
          * ssate.exe
          * winsys.exe
          * winupd.exe
          * SysMonXP.exe
          * bbeagle.exe
          * Penis32.exe
          * teekids.exe
          * MSBLAST.exe
          * mscvb32.exe
          * sysinfo.exe
          * PandaAVEngine.exe
          * taskmon.exe
          * wincfg32.exe
          * outpost.exe
          * zonealarm.exe
          * navapw32.exe
          * navw32.exe
          * zapro.exe
          * msblast.exe
          * netstat.exe

  10. Appends the following lines to the Hosts file to prevent access to antivirus-related Web sites:

      127.0.0.1 www.symantec.com
      127.0.0.1 securityresponse.symantec.com
      127.0.0.1 symantec.com
      127.0.0.1 www.sophos.com
      127.0.0.1 sophos.com
      127.0.0.1 www.mcafee.com
      127.0.0.1 mcafee.com
      127.0.0.1 liveupdate.symantecliveupdate.com
      127.0.0.1 www.viruslist.com
      127.0.0.1 viruslist.com
      127.0.0.1 www.f-secure.com
      127.0.0.1 f-secure.com
      127.0.0.1 kaspersky.com
      127.0.0.1 kaspersky-labs.com
      127.0.0.1 www.avp.com
      127.0.0.1 avp.com
      127.0.0.1 www.kaspersky.com
      127.0.0.1 www.networkassociates.com
      127.0.0.1 networkassociates.com
      127.0.0.1 www.ca.com
      127.0.0.1 ca.com
      127.0.0.1 mast.mcafee.com
      127.0.0.1 www.my-etrust.com
      127.0.0.1 my-etrust.com
      127.0.0.1 download.mcafee.com
      127.0.0.1 dispatch.mcafee.com
      127.0.0.1 secure.nai.com
      127.0.0.1 www.nai.com
      127.0.0.1 nai.com
      127.0.0.1 update.symantec.com
      127.0.0.1 updates.symantec.com
      127.0.0.1 us.mcafee.com
      127.0.0.1 liveupdate.symantec.com
      127.0.0.1 customer.symantec.com
      127.0.0.1 rads.mcafee.com
      127.0.0.1 www.trendmicro.com
      127.0.0.1 trendmicro.com
      127.0.0.1 www.grisoft.com
      127.0.0.1 grisoft.com

[B]Removal Instructions:[B]
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

   1. Disable System Restore (Windows Me/XP).
   2. Update the virus definitions.
   3. Run a full system scan and delete all the files detected as W32.Mydoom.AU@mm.
   4. Delete the value that was added to the registry.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

    * "How to disable or enable Windows Me System Restore"
    * "How to turn off or turn on Windows XP System Restore"


Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.


2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

    * Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
    * Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

      The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

      Note: If you see an error, such as LU1418, when you try to run LiveUpdate and you cannot get the Web site hosting the Intelligent Updater, it is likely that the worm has modified the Hosts file. You can either download and install LiveUpdate 2.5, which can remove Symantec entries from that file, or you can edit it yourself. See the instructions for both in the "Additional Information" section below.



3. To scan for and delete the infected files

   1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
          * For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
          * For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
   2. Run a full system scan.
   3. If any files are detected as infected with W32.Mydoom.AU@mm, click Delete.

      Note: If your Symantec antivirus product reports that it cannot delete an infected file, Windows may be using the file. To fix this, run the scan in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode." Once you have restarted in Safe mode, run the scan again.

      After the files are deleted, restart the computer in Normal mode and proceed with section 4.


4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document, "How to make a backup of the Windows registry," for instructions.

   1. Click Start > Run.
   2. Type regedit

      Then click OK.

   3. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

   4. In the right pane, delete the value:

      "lsass" = "%System%\lsasrv.exe"

   5. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

   6. In the right pane, delete the value:

      "Shell" = "explorer.exe %System%\lsasrv.exe"

   7. Exit the Registry Editor.

Description:
Sophos, a security worrier describes:
"W32/MyDoom-AO is a mass-mailing and peer-to-peer worm which emails itself as an attachment to addresses found on the infected computer.

W32/MyDoom-AO will attempt to copy itself to peer-to-peer folders of KaZaa, Morpheus, iMesh, eDonkey2000 and LimeWire.

W32/MyDoom-AO may also create a file hserv.sys in the Windows system folder. This file is non-malicious and can be safely deleted."

http://www.sophos.com/virusinfo/analyses/w32mydoomao.html

W32/MyDoom-AO is another worm which affects Microsoft Windows Operating systems.  
This worm can affect computers via email attachments or peer-to-peer connections.

Various Names of this worm:

Email-Worm.Win32.Mydoom.ak [Kaspersky Lab], W32/Mydoom.ba@MM [McAfee], WORM_MYDOOM.AY [Trend Micro]

Side Effects according to Sophos:

#  Turns off anti-virus applications
# Sends itself to email addresses found on the infected computer
# Modifies data on the computer
# Forges the sender's email address
# Uses its own emailing engine

Technical Issues:
When W32.Mydoom.AO@mm runs, it does the following:

   1. Creates the following files:

          * %System%\lsasrv.exe
          * %System%\version.ini
          * %System%\hserv.sys

            Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   2. Adds the value:

      "lsass" = "%System%\lsasrv.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      so that the worm is executed every time Windows starts.

   3. Modifies the value:

      "Shell" = "explorer.exe %System%\lsasrv.exe"

      in the registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

      so that the worm is executed every time Windows starts.

   4. Creates a mutex named "-=RTSW.Smash 0a2a0=-", so that only one instance of the worm will be executed on the compromised computer.

   5. Creates a text file containing garbage data only, called %UserProfile%\Local Settings\Temp\ Mes#wtelw.txt. The worm uses NotePad to open the file and display the garbage text.

      Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).

   6. Copies itself into the shared folders of Kazaa, Morpheus, iMesh, eDonkey, or LimeWire under one of the following names:

          * porno
          * NeroBROM6.3.1.27
          * avpprokey
          * Ad-awareref01R349
          * winxp_patch
          * adultpasswds
          * dcom_patches
          * K-LiteCodecPack2.34a
          * activation_crack
          * icq2004-final
          * winamp5

            Note: The file has either a bat, pif, scr, or exe extension.

   7. Attempts to disable the following processes, which include processes associated with firewall and antivirus applications:

          * i11r54n4.exe
          * irun4.exe
          * d3dupdate.exe
          * rate.exe
          * ssate.exe
          * winsys.exe
          * winupd.exe
          * SysMonXP.exe
          * bbeagle.exe
          * Penis32.exe
          * teekids.exe
          * MSBLAST.exe
          * mscvb32.exe
          * sysinfo.exe
          * PandaAVEngine.exe
          * taskmon.exe
          * wincfg32.exe
          * outpost.exe
          * zonealarm.exe
          * navapw32.exe
          * navw32.exe
          * zapro.exe
          * msblast.exe
          * netstat.exe

   8. Downloads a file from the wmspb.net domain. At the time of this writing, the file is 8 bytes in size.

   9. Appends the following lines to the file %System%\drivers\etc\hosts to prevent access to security-related domains:

      127.0.0.1 www.symantec.com
      127.0.0.1 securityresponse.symantec.com
      127.0.0.1 symantec.com
      127.0.0.1 www.sophos.com
      127.0.0.1 sophos.com
      127.0.0.1 www.mcafee.com
      127.0.0.1 mcafee.com
      127.0.0.1 liveupdate.symantecliveupdate.com
      127.0.0.1 www.viruslist.com
      127.0.0.1 viruslist.com
      127.0.0.1 www.f-secure.com
      127.0.0.1 f-secure.com
      127.0.0.1 kaspersky.com
      127.0.0.1 kaspersky-labs.com
      127.0.0.1 www.avp.com
      127.0.0.1 avp.com
      127.0.0.1 www.kaspersky.com
      127.0.0.1 www.networkassociates.com
      127.0.0.1 networkassociates.com
      127.0.0.1 www.ca.com
      127.0.0.1 ca.com
      127.0.0.1 mast.mcafee.com
      127.0.0.1 www.my-etrust.com
      127.0.0.1 my-etrust.com
      127.0.0.1 download.mcafee.com
      127.0.0.1 dispatch.mcafee.com
      127.0.0.1 secure.nai.com
      127.0.0.1 www.nai.com
      127.0.0.1 nai.com
      127.0.0.1 update.symantec.com
      127.0.0.1 updates.symantec.com
      127.0.0.1 us.mcafee.com
      127.0.0.1 liveupdate.symantec.com
      127.0.0.1 customer.symantec.com
      127.0.0.1 rads.mcafee.com
      127.0.0.1 www.trendmicro.com
      127.0.0.1 trendmicro.com
      127.0.0.1 www.grisoft.com
      127.0.0.1 grisoft.com

  10. Gathers email addresses from the Windows Address Book and from files with the following extensions:

          * .wab
          * .pl
          * .adb
          * .tbb
          * .dbx
          * .asp
          * .php
          * .sht
          * .htm
          * .txt

            It avoids email addresses that contain any of the following strings:

          * accoun
          * certific
          * listserv
          * ntivi
          * support
          * icrosoft
          * admin
          * page
          * the.bat
          * gold-certs
          * feste
          * submit
          * not
          * help
          * service
          * privacy
          * somebody
          * soft
          * contact
          * site
          * rating
          * bugs
          * you
          * your
          * someone
          * anyone
          * nothing
          * nobody
          * noone
          * webmaster
          * postmaster
          * samples
          * info
          * root
          * mozilla
          * utgers.ed
          * tanford.e
          * pgp
          * acketst
          * secur
          * isc.o
          * isi.e
          * ripe.
          * arin.
          * sendmail
          * rfc-ed
          * ietf
          * iana
          * usenet
          * fido
          * linux
          * kernel
          * google
          * ibm.com
          * fsf.
          * gnu
          * mit.e
          * bsd
          * math
          * unix
          * berkeley
          * foo
          * .mil
          * gov.
          * .gov
          * ruslis
          * nodomai
          * mydomai
          * example
          * inpris
          * borlan
          * sopho
          * panda
          * hotmail
          * msn.
          * icrosof
          * syma
          * avp
          * .edu
          * abuse
          * www
          * fcnz
          * spm

  11. Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

            From:
            One of the following names:

          * Joseph
          * Ronald
          * Hannah
          * Kimberly
          * Maria
          * George
          * Charles
          * Len
          * Cissi
          * Sandra
          * Jennifer
          * Hans
          * Richard
          * Lee
          * Emily
          * Helen
          * Elizabeth
          * Donald
          * David
          * Harris
          * Nicholas
          * Betty
          * Barbara
          * Mark
          * William
          * Martin
          * Ethan
          * Karen
          * Linda
          * Paul
          * Michael
          * Edward
          * Cynthia
          * Nancy
          * Patricia
          * Daniel
          * Robert
          * Olivia
          * Angela
          * Dorothy
          * Kevin
          * Christopher
          * John
          * Josefine
          * Melissa
          * Susan
          * Anthony
          * Thomas
          * James

            With one of the following domains:

          * compuserve.com
          * juno.com
          * earthlink.net
          * yahoo.co.uk
          * hotmail.com
          * yahoo.com
          * msn.com
          * aol.com


            Subject:
            One of the following:

          * Attention!!!
          * Do not reply to this email
          * Error
          * Good day
          * hello
          * Mail Delivery System
          * Mail Transaction Failed
          * Server Report
          * Status


            Message body:
            One of the following:

          * The message contains Unicode characters and has been sent as a binary attachment.
          * The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
          * Mail transaction failed. Partial message is available.
          * Thank you for registering at WORLDXXXPASS.COM
            All your payment info, login and password you can find in the attachment file.
            It's a real good choise to go to WORLDXXXPASS.COM
          * Attention! New self-spreading virus!
            Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more.
            To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment.
            c 2004 Networks Associates Technology, Inc. All Rights Reserved
          * New terms and conditions for credit card holders
            Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web.
            Thank you,
            The World Bank Group
            c 2004 The World Bank Group, All Rights Reserved
          * Attention! Your IP was logged by The Internet Fraud Complaint Center
            Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI. All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted.
            This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center


            Attachment name:
            One of the following:

          * body
          * message
          * docs
          * data
          * file
          * rules
          * doc
          * readme
          * document

            With one of the following extensions:

          * .bat
          * .cmd
          * .exe
          * .pif
          * .scr
          * .zip

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Problem Description
===================
There exist several vulnerabilities in the Linux kernel, some of
which can be exploited by users to obtain root priviledges.

In detail:
CAN-2004-0814: Multiple race conditions in the terminal layer in Linux 2.4.x,
and 2.6.x before 2.6.9, allow (1) local users to obtain portions of kernel
data, or (2) remote attackers to cause a denial of service (panic).

CAN-2004-1056: Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does
not properly check the DMA lock, which could allow remote attackers or local
users to cause a denial of service (X Server crash) and possibly modify the
video output.

CAN-2004-0883 and CAN-2004-0949: Multiple vulnerabilities in the samba
filesystem (smbfs) in Linux kernel 2.4 and 2.6 allow remote samba servers to
cause a denial of service (crash) or gain sensitive information from kernel
memory via a samba server. Furthermore, The smb_recv_trans2 function call in
the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 does not properly
handle the re-assembly of fragmented packets correctly, which could allow
remote samba servers to (1) read arbitrary kernel information or (2) raise
a counter value to an arbitrary number by sending the first part of the
fragmented packet multiple times.

CAN-2004-1070, 1071, 1072, 1073: The binfmt_elf loader (binfmt_elf.c) in
Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8 , does not properly
check return values from calls to the kernel_read function, which may allow
local users to modify sensitive memory in a setuid program. Furthermore,
the loader does not properly handle a failed call to the mmap function,
which causes an incorrect mapped image. It may also create an interpreter
name string that is not NULL terminated, which could cause strings longer
than PATH_MAX to be used, leading to buffer overflows. Finally, the open_exec
function in the execve functionality allows local users to read non-readable
ELF binaries by using the interpreter (PT_INTERP) functionality. Any of these
vulnerabilities can allow the execution of arbitrary code.

CAN-2004-1074: The binfmt functionality in the Linux kernel, when "memory
overcommit" is enabled, allows local users to cause a denial of service
(kernel oops) via a malformed a.out binary.

CAN-2004-1016: The scm_send function in the scm layer for Linux kernel 2.4.x
up to 2.4.28, and 2.6.x up to 2.6.9, allows local users to cause a denial of
service (system hang) via crafted auxiliary messages that are passed to the
sendmsg function, which causes a deadlock condition.

CAN-2004-1068: A "missing serialization" error in the unix_dgram_recvmsg
function in Linux 2.4.27 and earlier, and 2.6.x up to 2.6.9, allows local
users to gain privileges via a race condition.

CAN-2004-1234: load_elf_binary in Linux before 2.4.26 allows local users to
cause a denial of service (system crash) via an ELF binary in which the
interpreter is NULL.

CAN-2004-1235: Race condition in the (1) load_elf_library and (2) binfmt_aout
function calls for uselib in Linux kernel 2.4 through 2.4.29-rc2 and 2.6
through 2.6.10 allows local users to execute arbitrary code by manipulating
the VMA descriptor.

CAN-2005-0001: Race condition in the page fault handler (fault.c) for Linux
kernel 2.2.x to 2.2.7, 2.4 to 2.4.29-rc1, and 2.6 to 2.6.10, when running on
multiprocessor machines, allows local users to execute arbitrary code via
concurrent threads that share the same virtual memory space and simultaneously
request stack expansion.

Affected Systems
================
All Linux kernel versions 2.4.x, x <= 28 and 2.6.y, y <= 10.

Solution
========
upgrade to linux-2.4.29 or linux-2.6.11 or patched version for your
distribution.

SuSE-8.1
--------
rpm -ivh k_<type>-2.4.21-273.i586.rpm
where <type> is one of deflt, smp, athlon, psmp.

rpm -Fvh kernel-source-2.4.21-273.i586.rpm

SuSE-8.2
--------
rpm -ivh k_<type>-2.4.20.SuSE-129.i586.rpm
where <type> is one of deflt, smp, athlon, psmp.

rpm -Fvh kernel-source-2.4.20.SuSE-129.i586.rpm

SuSE-9.0
--------
rpm -ivh k_<type>-2.4.21-273.i586.rpm
where <type> is one of deflt, smp, athlon.

rpm -Uvh kernel-source-2.4.21-273.i586.rpm

SuSE-9.1
--------
rpm -ivh kernel-<type>-2.6.5-7.145.i586.rpm
where <type> is one of default, smp, bigsmp.

rpm -Fvh kernel-source-2.6.5-7.145.i586.rpm

SuSE-9.2
--------
rpm -ivh kernel-<type>-2.6.8-24.11.i586.rpm
where <type> is one of default, smp, bigsmp, um.

rpm -Fvh kernel-source-2.6.8-24.11.i586.rpm

Fedora 2
--------
rpm -ivh kernel<type>-2.6.10-1.9_FC2.<arch>.rpm
where <type> is either empty or smp and <arch> is either i586 or i686.

rpm -Fvh kernel-sourcecode-2.6.10-1.9_FC2.noarch.rpm \
         kernel-doc-2.6.10-1.9_FC2.noarch.rpm

Fedora 3
--------
rpm -ivh kernel<type>-2.6.10-1.741_FC3.<arch>.rpm
where <type> is either empty or smp and <arch> is either i586 or i686.

rpm -Fvh kernel-doc-2.6.10-1.741_FC3.noarch.rpm

RedHat 7.3
----------
(updates available from ftp.sfu.ca/pub/linux/7.3/RPMS)
rpm -ivh kernel<type>-2.4.20-43.7.<arch>.rpm
where <type> is either empty or one of smp, bigmem and <arch> is one
of i386, i586, i686, or athlon.

rpm -Fvh kernel-source-2.4.20-43.7.i386.rpm \
         kernel-doc-2.4.20-43.7.i386.rpm

Mandrake 9.2
------------
rpm -ivh kernel<type>-2.4.22.41mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i686-up-4GB, p3-smp-64GB,
secure or smp.

rpm -Fvh kernel-source-2.4.22-41mdk.i586.rpm

Mandrake 10.0
-------------
there are 2.4 kernels or 2.6 kernels available.

2.4 kernel:
rpm -ivh kernel<type>-2.4.25.13mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i686-up-4GB, p3-smp-64GB,
or smp.

rpm -Fvh kernel-source-2.4.25-13mdk.i586.rpm

2.6 kernel:
rpm -ivh kernel<type>-2.6.3.25mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i686-up-4GB, p3-smp-64GB,
secure or smp.

rpm -Fvh module-init-tools-3.0-1.2.1.100mdk.i586.rpm \
         kernel-source-2.4.25-13mdk.i586.rpm \
         kernel-source-stripped-2.6.3-25mdk.i586.rpm

Mandrake 10.1
-------------
there are 2.4 kernels or 2.6 kernels available.

2.4 kernel:
rpm -ivh kernel<type>-2.4.28.0.rc1.5mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i586-up-1GB or smp.

rpm -Fvh kernel-source-2.4-2.4.28-0.rc1.5mdk.i586.rpm

2.6 kernel:
rpm -ivh kernel<type>-2.6.8.1.24mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i586-up-1GB, i686-up-64GB,
secure or smp.

rpm -Fvh kernel-source-2.6-2.6.8.1-24mdk.i586.rpm \
         kernel-source-stripped-2.6-2.6.8.1-24mdk.i586.rpm

Debian
------
Updated kernel packages do not seem to be available yet.

Security Alert 01/27/2005

The UDF Worm is self-propagating code that is finding MySQL servers running on Microsoft Windows with poor firewall and password security.

This worm does not exploit any bugs in MySQL. It does exploit poor security setups for firewalls and passwords.

This worm is Microsoft Windows specific; it is unlikely to infect any Linux or UNIX compatible environments.

The UDF Worm looks for MySQL servers running on Microsoft Windows that have been exposed to the internet and have either weak or no passwords installed on the account named "root". Once it finds an account it installs a UDF, and then uses that machine to infect other machines.

To find out whether you are affected by UDF worm or not:

Run the following SQL statement: SELECT * FROM mysql.func;

If a UDF is found with a name of "app_result" then you have been infected with the worm.

You should look at all UDFs and determine whether or not they are legitimate. The worm is likely to mutate over time and will take on different UDF names.

If you are infected by UDF worm:

You may be able to remove the worm by running the following SQL statement:

DROP FUNCTION app_result;

Removing the worm does not secure a compromised machine. For one discussion of how to secure a compromised Microsoft Windows machine, please see this article.

To prevent the worm from connecting to your database you should verify that all of your current accounts have passwords and that they are strong passwords (i.e. not easily guess-able).

And remember to use firewalls and strong passwords to protect your MySQL Servers.

Please consult your security advisors for the best way to protect your systems.

How to protect yourself from getting infected by UDF worm:

There are 2 basic steps to protect your MySQL Servers:

   1. Always use strong passwords on all accounts.
   2. Use firewalls to protect your MySQL Servers.

To find out more about Windows security and firewalls, please refer to ARNIT Windows security tips at : http://www.arnit.net/security/sectips.php?platform=windows