Exploit-URLSpoof
This malware was reported by: Network Associates Inc


W32/Atak.b@MM
This malware was reported by: Network Associates Inc
-- Update July 16, 2004 -- The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://zdnet.com.com/2100%2D1105_2%2D5272328.html The following EXTRA.DAT packages are available, prior to the f

Duts.1520
This malware was reported by: F-Secure
Duts is a parasitic file infector virus. It is the first known virus for the PocketPC platform. Duts affects ARM-based devices only.

I-Worm.Atak.b
This malware was reported by: F-Secure
A variant of the Atak worm was found on Friday 16th of July. It includes a list of security software it will attempt to terminate if found and composes more elaborate emails. It also performs a DDoS attack against www.techtv.com

I-Worm.Atak.a
This malware was reported by: F-Secure
A new simple massmailer was found on Monday 12th of July. It will attempt to spread on emails with an empty subject or one such as "Read the Result!", "Important Data!". It tries to disguise the original attachment extension by add

Bagle.AH
This malware was reported by: F-Secure
Bagle.AH is a mass-mailing worm with Peer-to-Peer spreading capabilities. In email Bagle.AH spreads using different subjects, email bodies and attachments. The attachment is either an executable or a password-protected ZIP file. This worm was program

WORM_AGIST.A
This malware was reported by: Trendmicro
TrendLabs has received several infection reports regarding this new worm spreading via email. It uses its own SMTP engine to propagate across machines.

Bagle.AG
This malware was reported by: Panda Software


W32/Bagle-AG
This malware was reported by: Sophos
W32/Bagle-AG is a member of the W32/Bagle family of email worms. W32/Bagle-AG spreads by email. The email addresses are collected from files on the computer containing the following file extensions: WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX,

WORM_KORGO.Y
This malware was reported by: Trendmicro
This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:

WORM_HARDOC.A
This malware was reported by: Trendmicro


WinCE.Duts.A
This malware was reported by: Symantec
WinCE.Duts.A is the first Windows CE (Pocket PC) file infector. The virus is a simple appending file infector and will only infect ARM-based devices.

Bloodhound.Exploit.12
This malware was reported by: Symantec
Bloodhound.Exploit.12 is a heuristic detection for the exploits that use the Microsoft Windows Task Scheduler Remote Buffer Overflow Vulnerability, described in Microsoft Security Bulletin MS04-022. The vulnerability affects unpatched versions of Wind

Bloodhound.Exploit.11
This malware was reported by: Symantec
Bloodhound.Exploit.11 is a heuristic detection for the exploits that use the Microsoft Windows Task Scheduler Remote Buffer Overflow Vulnerability, described in Microsoft Security Bulletin MS04-022. The vulnerability affects unpatched versions of Wind

Bagle.AC
This malware was reported by: Computer Associates
Win32.Bagle.AC is a worm that spreads via e-mail and peer-to-peer file sharing. It has been distributed as a PEX-packed Win32 executable, approximately 20,000 by

Bagle.AD
This malware was reported by: Computer Associates
Win32.Bagle.AD is a worm that spreads via e-mail and peer-to-peer file sharing. The worm itself is a UPX-packed executable, approximately 16,000 bytes in l

W32/Bagle.ah@MM
This malware was reported by: Network Associates Inc
This new variant is a repacked version of its predecessor using the UPX packer. Kindly refer to W32/Bagle.ad@MM for more information.

Forbot
This malware was reported by: Computer Associates
Win32.Forbot is a family of configurable backdoor trojans and worms that allow an attacker access to an infected machine. This family can be instructed to

W32/Rbot-DX
This malware was reported by: Sophos
W32/Rbot-DX is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process

W32/MyDoom-N
This malware was reported by: Sophos
W32/MyDoom-N is a mass-mailing worm which spreads by emailing itself via SMTP using its own engine. The worm also allows unauthorised remote access to the computer via a network. W32/MyDoom-N copies itself to the Windows folder as lsass.exe and cre

W32/Bagle-AI
This malware was reported by: Sophos


WORM_MYDOOM.L
This malware was reported by: Trendmicro
Similar to other MYDOOM variants, this mass-mailing worm spreads via email as an email attachment. The email that it sends out usually has spoofed email addresses for sender names. It also has varying subjects, message bodies and attachment names. The fol

WORM_BAGLE.AH
This malware was reported by: Trendmicro
As of 12:30 PM July 19, 2004 (GMT -07:00; Daylight Savings Time), TrendLabs has declared a Medium Risk alert to control the spread of this new BAGLE variant that is spreading via email and network shares. Infection reports have been received from the U.S.

WORM_WUKILL.E
This malware was reported by: Trendmicro
This worm usually arrives as an executable (.EXE) file that uses the folder icon. It uses the said icon as its stealth mechanism, and tricks users into thinking this worm is just a normal folder.

WORM_LOVGATE.AJ
This malware was reported by: Trendmicro
This memory-resident worm spreads through email and network shares. It drops several components and copies of itself in the Windows, Windows system, and root folders.

W32.Beagle.AG@mm
This malware was reported by: Symantec
W32.Beagle.AG@mm is a mass-mailing worm that uses its own SMTP engine to spread through email and opens a backdoor on TCP port 1080. The subject line, body, and attachment name of the email vary. The attachment will have a .com, .cpl, .exe, .scr, or .

W32.Mydoom.L@mm
This malware was reported by: Symantec
The W32.Mydoom.L@mm mass-mailing worm: Uses its own SMTP engine to send itself to all the email addresses that it finds from an infected system. The email has an attachment with a .bat, .cmd, .com, .exe, .pif, or .scr extension. Contains keylogging

W32.Gaobot.AZT
This malware was reported by: Symantec
W32.Gaobot.AZT is a repacked variant of W32.Gaobot.WO. It attempts to spread through network shares that have weak passwords. It also allows attackers to access an infected computer through a predetermined IRC channel. The worm uses multiple vulnerabil

W32.Agist.A@mm
This malware was reported by: Symantec
The W32.Agist.A@mm mass-mailing worm: Scans fixed and RAM drives. Scans drives C through Z for email addresses and sends itself to any email addresses found. The subject, body, and attachment names vary. The attachment will have a .zip file extension

W32.Olatsky@mm
This malware was reported by: Symantec
W32.Olatsky@mm is a mass-mailing worm that sends itself to all addresses in the Microsoft Outlook address book. The worm has a Microsoft Word icon and logs keystrokes in the file Defragcom.dll.

Bagle.AH
This malware was reported by: Panda Software


W32/Bagle.ai@MM
This malware was reported by: Network Associates Inc


W32/Mydoom.n@MM
This malware was reported by: Network Associates Inc
This is a mass-mailing and share-hopping worm that bears the following characteristics: contains its own SMTP engine to construct outgoing messages; contains ability to copy itself to mapped drives; opens a backdoor on TCP port 1042.

Bagle.AI
This malware was reported by: F-Secure
Bagle.AI is a mass-mailing worm with Peer-to-Peer spreading capabilities. In email Bagle.AI spreads using different subjects, email bodies and attachments. The attachment is either an executable or a password-protected ZIP file.

Bagle.AE
This malware was reported by: Computer Associates
Win32.Bagle.AE is a worm that spreads via e-mail and peer-to-peer file sharing.

Mydoom.N
This malware was reported by: Computer Associates
Win32.Mydoom.N is a worm that spreads via e-mail and file sharing.

Olatsky.A
This malware was reported by: Computer Associates


Phishbank.AH
This malware was reported by: Computer Associates


W32/Lovgate-AJ
This malware was reported by: Sophos
W32/Lovgate-AJ is a Windows worm that spreads via email, network shares and filesharing networks. When executed the worm copies itself to the Windows system folder as RAVMOND.exe, hxdef.exe and IEXPLORE.EXE. The worm will also copy itself to COMMAND

Mydoom.M
This malware was reported by: Panda Software
Mydoom.M is a worm that installs a dynamic link library (DLL) that opens TCP port 1042 and listens to it, thus behaving as a backdoor. By doing so, it allows hackers to remotely access the affected computer in order to carry out actions that would compro

W32/Puce
This malware was reported by: Network Associates Inc
This virus is a parasitic file infector. There are a few variants of it. It infects executables on the local hard disk. Creates the following folder: c:\Documents and Settings\Administrator\Application Data\MSN6

MyDoom.L
This malware was reported by: F-Secure
A new variant of the MyDoom worm was found on July 19th, 2004. It is similar to previous variants. It spreads through email and copies itself to folders used by FTP and P2P software.

W32/Sdbot-KK
This malware was reported by: Sophos
W32/Sdbot-KK is a worm which attempts to spread to remote shares which have weak passwords. The worm also allows unauthorised remote access to the computer via IRC channels. W32/Sdbot-KK copies itself to the Windows system folder as VIDEONS32.EXE a

Troj/Bancban-C
This malware was reported by: Sophos
Troj/Bancban-C is a password-stealing Trojan targeted at customers of a Brazilian bank. The Trojan creates an entry in the registry at the following location to run itself on logon: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

W97M.Diperis.A
This malware was reported by: Symantec
W97M.Diperis.A is a macro virus that infects Microsoft Word documents and templates.

Korgo.AC
This malware was reported by: Computer Associates
Win32.Korgo.AC is a worm that spreads by exploiting the Microsoft Windows LSASS buffer overflow vulnerability. It also opens a backdoor that allows unauthor

Duts.A
This malware was reported by: Computer Associates
WinCE.Duts.A is a simple parasitic virus that infects Microsoft Windows CE (Pocket PC) executable files. It only runs on Pocket PC devices with ARM processo

Secdrop.A
This malware was reported by: Computer Associates


Lovgate.AQ
This malware was reported by: Panda Software


Phishbank.AI
This malware was reported by: Computer Associates


Diperis.A
This malware was reported by: Computer Associates
W97M/Diperis.A is a Word macro virus that infects Word 2000 and later documents.

Troj/Delf-DU
This malware was reported by: Sophos
Troj/Delf-DU is a backdoor Trojan. In order to run automatically when Windows starts up, the Trojan copies itself to the file services.exe in the Windows system folder and creates the following registry entry: HKLM\Software\Microsoft\Windows\CurrentV

Backdoor.Xordoor
This malware was reported by: Symantec
Backdoor.Xordoor is a Backdoor Trojan horse that allows unauthorized remote access to a compromised computer.

Downloader-MY
This malware was reported by: Network Associates Inc


W32/Atak-C
This malware was reported by: Sophos
W32/Atak-C is a worm that arrives in an email with the following characteristics: Subject lines: Against!, AGAINST!, Revenge!, REVENGE!, <blank>. Attached file: <random>.zip. W32/Atak-C harvests email addresses from files on the h

W97M.Kuna
This malware was reported by: Symantec
W97M.Kuna is a virus that modifies Microsoft Office configuration settings and infects Microsoft Word documents and the Normal.dot template.

Backdoor.Agent.B
This malware was reported by: Symantec
Backdoor.Agent.B is a backdoor that installs a .dll file when a user visits certain malicious Web sites. The .dll file allows other malicious programs to perform various actions. This backdoor is packed with UPX. Note: Virus definitions dated prior to

Lovgate.AS
This malware was reported by: Computer Associates
Lovgate.AS is a worm that spreads via e-mail, network shares, exploitation of a Windows RPCSS vulnerability (MS03-039) and the Kazaa file sharing network. I

Rbot.H
This malware was reported by: Computer Associates


Atak.B
This malware was reported by: Computer Associates
Win32.Atak.B is a worm that spreads via e-mail and file sharing. It has been distributed as a 29,149-byte, FSG-packed Win32 executable. It also has limited

Disprox.A
This malware was reported by: Computer Associates
Win32.Disprox.A is a trojan that acts as an HTTP proxy server on an affected machine. It has been distributed as a 48,128-byte, UPX-packed, Win32 executable.

Kol.D
This malware was reported by: Computer Associates
Win32.Kol.D is a keylogging trojan with limited backdoor functionality.

W32/Sdbot-KM
This malware was reported by: Sophos
W32/Sdbot-KM is an IRC backdoor Trojan and network worm which can run in the background as a service process and allow unauthorised remote access to a remote intruder via the IRC channel. W32/Sdbot-KM copies itself to the Windows System (or System3

Troj/Dluca-CQ
This malware was reported by: Sophos
A detailed analysis will be published here shortly. Please check again later.

WORM_KORGO.AC
This malware was reported by: Trendmicro
This memory-resident worm propagates across the network by utilizing the LSASS vulnerability, which is a buffer overrun vulnerability that allows remote code execution and enables an attacker to gain full control of an affected system.

W32.Beagle.AH@mm
This malware was reported by: Symantec
W32.Beagle.AH@mm mass-mailing worm: Uses its own SMTP engine to spread through email. The email will have a variable subject and a file attachment, which will have a .com, .cpl, .exe, .hta, .scr, .vbs, or .zip file extension. Opens a backdoor on TCP

Daqa.A
This malware was reported by: Computer Associates


W32/Bagle.aj!proxy
This malware was reported by: Network Associates Inc
This detection is for a new variant of W32/Bagle. Unlike the majority of its predecessors, this variant does not mass-mail itself. It simply serves as a proxy trojan on the victim machine (akin to W32/Bagle.l!proxy). When run on the victim

W32/Bagle.ak!proxy
This malware was reported by: Network Associates Inc
This variant does not mass-mail like previous variants. It attempts to connect to various German and Russian websites and acts as a mail relay. It attempts to disable various Antivirus programs.

Troj/Psyme-AI
This malware was reported by: Sophos
Troj/Psyme-AI is a multicomponent script Trojan which downloads and executes Troj/Multidr-Y.

Duts.1520
This malware was reported by: Panda Software
Duts.1520 is a virus that only infects executable files with an EXE extension on those platforms with a Windows CE (Pocket PC versions 2000, 2002 and 2003) operating system installed. In order to do so, Duts.1520 creates a copy of its code in the last sec

WinCE/Duts.1520.dr
This malware was reported by: Network Associates Inc
There are two slightly different droppers of this virus. Both come in files of 2048 bytes in size and are functionally identical. Second variant is simply a patched version of the original dropper where code at the program entry point was m

WinCE/Duts.1520
This malware was reported by: Network Associates Inc
This detection is for a proof-of-concept file virus written for the PocketPC platform. The virus bears the following characteristics: it is coded for devices based on ARM CPUs; it is a parasitic file infector, appending itself to host file

W32/Rbot-EP
This malware was reported by: Sophos
W32/Rbot-EP is a network worm and an IRC backdoor Trojan. W32/Rbot-EP copies itself into the Windows system folder as wuamgrd.exe or with a random filename and sets the following registry entries to run itself automatically when Windows starts up H

W32/Rbot-EK
This malware was reported by: Sophos
W32/Rbot-EK is a network worm and backdoor for the Windows platform. W32/Rbot-EK allows a malicious user remote access to an infected computer via IRC. In order to run automatically when Windows starts up W32/Rbot-EK copies itself to the Windows s

Trojan.Mitglieder.M
This malware was reported by: Symantec
Trojan.Mitglieder.M is a Trojan horse that attempts to download files from the Internet. Definitions prior to July 23, 2004 may detect this threat as Trojan.Wingle.

Adware-IESearchBar
This malware was reported by: Network Associates Inc


W97M.Seliuq.D
This malware was reported by: Symantec
W97M.Seliuq.D is a virus that infects Microsoft Word documents and templates. It also makes some menu changes so that macros cannot be edited.

Rawbot.AN
This malware was reported by: Computer Associates


BackDoor-AZV.gen
This malware was reported by: Network Associates Inc


BackDoor-AZV
This malware was reported by: Network Associates Inc


W32/Spybot-CZ
This malware was reported by: Sophos
W32/Spybot-CZ is a network worm with backdoor Trojan functionality. W32/Spybot-CZ attempts to copy itself to DLL32SYS.EXE in the Windows system folder and creates entries in the registry at the following locations to run itself on system restart:

Troj/PatchLs-A
This malware was reported by: Sophos
Troj/PatchLs-A is a Trojan which attempts to create an exploitable vulnerability within the active LSASS.EXE/LSASRV.DLL process. It does this by patching the LSASS process in memory (the files on the hard disk are not affected). This process is known

Lovgate.AT
This malware was reported by: Panda Software


W32/Korgo.worm.t
This malware was reported by: Network Associates Inc
This self-executing worm spreads by exploiting a Microsoft Windows vulnerability: MS04-011 vulnerability (CAN-2003-0533) http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx The worm spreads with a random filename and acts

Generic HTool.a
This malware was reported by: Network Associates Inc


W32/Mydoom.o@MM
This malware was reported by: Network Associates Inc
-- Update 26th July 03:21 PDT -- This variant of Mydoom is known to send non-viral attachments, typically .bat, .cmd, .com, .exe, .pif or .scr files within a zip archive, within another zip archive.  These files are approximately 1-2kb i

MyDoom.M
This malware was reported by: F-Secure
Mydoom.M is a mass-mailing worm that sends emails with messages that look like mail system errors and automated spam warnings. To collect more addresses Mydoom.M also uses web search engines like Google and Yahoo. The worm carries a backdoor that lis

W32/MyDoom-O
This malware was reported by: Sophos


W32/Rbot-EQ
This malware was reported by: Sophos
W32/Rbot-EQ is a member of the W32/Rbot family of worms with backdoor capabilities. The worm has the ability to spread via network shares with weak passwords. In order to run automatically when Windows starts up the worm copies itself as suchost.e

W32.Mydoom.M@mm
This malware was reported by: Symantec


Backdoor.Zincite.A
This malware was reported by: Symantec


Mydoom.N
This malware was reported by: Panda Software
Mydoom.N installs a file that behaves as a backdoor by opening TCP port 1034 and listening on it. By doing so, it allows hackers to remotely access the affected computer in order to carry out actions that would compromise users' confidentiality or imped

Mydoom.O
This malware was reported by: Computer Associates


PWSteal.Ldpinch.B
This malware was reported by: Symantec
PWSteal.Ldpinch.B is a password-stealing Trojan horse that attempts to steal information from an infected computer and send it to the author of the Trojan.

W32/Mabutu.a@MM
This malware was reported by: Network Associates Inc


W32/Rbot-ET
This malware was reported by: Sophos
W32/Rbot-ET is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process

MultiDropper-LA
This malware was reported by: F-Secure


W32.Zindos.A
This malware was reported by: Symantec


MultiDropper-LA
This malware was reported by: Network Associates Inc


