Virus Warnings from 2003 (Jan 01 - Dec 31, 2003)


   Amiga

    12 May 2003 - Virus Spam Mails Sent From Faked Amiga.com Account
   A story at amiga.news says that, according to several messages, mass
   spam emails containing a Windows virus are currently being sent from a
   faked Amiga.com account. Should you receive an unexpected email from
   the sender gary@amiga.com or michael@amiga.com and use Windows as your
   operating system, please handle this email carefully.
 


   Windows

    28 December 2003 - Symantec Security Category 2: W32.Cissi.A@mm
   Symantec Security Updates reports W32.Cissi.A@mm is a mass-mailing worm,
   which also contains backdoor functionality to connect to an IRC server.
   This worm can also wait for commands. W32.Cissi.A@mm can spread over the
   network using the NetBIOS protocol. It can spread to systems that do not
   have passwords or to ones that have simple passwords.
 
    28 December 2003 - Symantec Security Category 2: W32.Gluber.B@mm
   Symantec Security Updates reports W32.Gluber.B@mm is a variant of
   W32.Gluber@mm that can spread by email and network shares. It uses its
   own SMTP engine to spread to email addresses it finds in the files on
   your computer. This worm also gives an attacker complete access to your
   computer. By default, it listens on port 5373. The worm attempts to
   terminate various security products and system-monitoring tools.
 
    22 December 2003 - FRISK Virus Alert: W32/Sober.C
   F-Prot Antivirus Alert Service says W32/Sober.C@mm has spread considerably
   in recent days, particularly in German-speaking areas. Sober.C spreads
   primarily via e-mails. If the attachment, which has a .txt.exe extension
   and contains the worm's executable, is opened, the computer becomes
   infected. On infection Sober.C displays a fake error message claiming that
   the worm's own file has "caused an unknown error." The worm then harvests
   new e-mail addresses from the infected computer's hard drive and uses its
   own SMTP engine to e-mail itself to these addresses in order to spread
   itself further. Latest versions of F-Prot Antivirus detect W32/Sober.C@mm
   using virus signature files dated 20 December 2003 or later.
   Aliases: Sober.C, W32.Sober.C@mm, WORM_SOBER.C, I-Worm.Sober.C, W32/Sober.C
   * F-Secure Radar Level 2: Sober.C
   * NAI Virus Report: W32/Sober.c@MM
   * Symantec Security Category 2: W32.Sober.C@mm
 
    18 December 2003 - Symantec Security Category 2: W32.Sober.B@mm
   Symantec Security Updates reports W32.Sober@mm is a mass-mailing worm
   that uses its own SMTP engine to spread. The email subject varies and
   will be in either English or German. The email attachment name also
   varies, but will have a .com, .cmd, .exe or .pif file extension.
   The first time W32.Sober@mm is activated, it will display a fake error
   message with the subject "%Error%" and the text "Header is missing."
 
    18 December 2003 - Symantec Security Category 2: W32.HLLW.Cayam@mm
   Symantec Security Updates reports W32.HLLW.Cayam@mm is a mass-mailing
   worm that uses Microsoft Outlook to send itself to all the contacts in
   the Outlook Address Book. W32.HLLW.Cayam@mm is also a peer-to-peer worm
   that shares itself using the eMule and KaZaA file-sharing networks.
   The email has the following characteristics:
   Subject: Verify your eBay account information
   Attachment: eBayVerify.exe
 
    11 December 2003 - Symantec Security Category 2: W32.Scold@mm
   Symantec Security Updates reports W32.Scold@mm is a mass-mailing worm that
   uses Microsoft Outlook to send itself to all the contacts in the Outlook
   Address Book. Also Known As: W32/Scold@MM [McAfee], Win32.Scold.A [CA]
   * F-Secure Radar Level 2: Scold.A
   * NAI Virus Report: W32/Scold@MM
 
    11 December 2003 - Symantec Security Category 2: W32.Memas@mm
   Symantec Security Updates reports W32.Memas@mm is a mass-mailing worm
   that uses Microsoft Outlook to send itself to all the contacts in the
   Outlook Address Book. The worm overwrites files and makes them unusable.
   It may display a message, part of which is in English and the rest in
   Arabic. Also Known As: W32/Memas@mm [McAfee]
 
    11 December 2003 - Symantec Security Category 2: W32.Mimail.M@mm
   Symantec Security Updates reports W32.Mimail.M@mm is a variant of
   W32.Mimail.L@mm. Also Known As: W32.Mimail.Gen, W32/Mimail.gen@MM [McAfee]
 
    11 December 2003 - Symantec Security Category 2: W32.HLLW.Epon@mm
   Symantec Security Updates reports W32.HLLW.Epon@mm is a worm that attempts
   to spread through file-sharing networks and mIRC. It also uses Microsoft
   Outlook to send itself to all the contacts in the Outlook address book.
   Also Known As: I-Worm.Epon [Kaspersky]
 
    11 December 2003 - NAI Virus Report: W32/Yaha.af@MM
   Network Associates says the virus spreads through email, Windows file
   sharing, and KaZaA. It contains a keylogging and denial-of-service
   payload. This virus spreads through email using multiple different
   subject lines, message bodies, and attachment names.
 
    11 December 2003 - Mystery patch contradicts intentions
   ZDNet says Microsoft issued an automatic patch on Wednesday, the same day
   that it announced that December would see no fixes released
 
    11 December 2003 - IE bug masks spoofed sites
   ZDNet says a bug in Microsoft's browser could trick people into thinking
   spoofed Web addresses are genuine, aiding malicious hackers
 
    11 December 2003 - IE bug provides phishing tool
   ZDNet says a flaw in Internet Explorer makes it easy for scammers to
   create dummy sites that look like legitimate ones, and try to steal
   information from Web users
 
    11 December 2003 - Microsoft prepares Windows patch CD
   ZDNet says the security update CD for older Windows systems, set to begin
   testing soon, is Microsoft's latest attempt to tackle an increasingly
   thorny security situation
 
    03 December 2003 - Symantec Security Category 2: W32.Kwbot.S.Worm@mm
   Symantec Security Updates reports W32.Kwbot.S.Worm@mm is a mass-mailing
   variant of W32.Kwbot.Worm. The worm attempts to spread through the Kazaa
   file-sharing network and uses its own SMTP engine to email itself to
   contacts in the Windows address book. Also Known As: Backdoor.IRCBot.gen
 
    03 December 2003 - Symantec Security Category 2: W32.Mimail.L@mm
   Symantec Security Updates reports W32.Mimail.L@mm is a variant of
   W32.Mimail.C@mm that spreads by email and steals information from
   infected computers. Also Known As: W32.Mimail.Gen, W32/Mimail.l@MM,
   W32.Mimail.C@mm. The email has the following characteristics:
   Subject: Re[2]We are going to bill your credit card:
   Attachment: wendy.zip
 
    01 December 2003 - Sobig.F lingers as cure backfires
   ZDNet says one of the IT sector's biggest threats in 2003 is still out
   there. The blame lies partly with PCs that don't know the time, but also
   with action that was taken to minimise damage done by the worm
 
    01 December 2003 - Microsoft investigates IE holes
   ZDNet says that, according to Microsoft, no one is actively exploiting
   the flaws at present, but they are under investigation
 
    01 December 2003 - Internet Explorer 6 scripting flaw discovered
   ZDNet says a new IE bug could allow attackers to invade a user's PC,
   but a fix is not yet available
 
    26 November 2003 - Sysbug Trojan jumps on sexual bandwagon
   ZDNet says emails claiming to contain pictures of naked gymnastics may
   actually contain a Trojan, antivirus companies are warning
 
    26 November 2003 - Microsoft investigates Exchange security hole
   Update: ZDNet says the newly launched server software appears to contain
   a serious flaw that allows Web-based users to access other accounts
 
    26 November 2003 - Many Recent Worms Created For Profit
   VirusList.com News says a trend is appearing where worm writers are
   less often interested in beating security systems to inflate their egos
   and are instead more keen on lining their pockets.
 
    24 November 2003 - Symantec Security Category 2: W32.HLLW.Anarch@mm
   Symantec Security Updates reports W32.HLLW.Anarch@mm is a worm that
   attempts to spread through file-sharing networks and mIRC. It uses MS
   Outlook to send itself to all the contacts in the Outlook Address Book.
   The email has the following characteristics:
   Subject: New Media Player!!
   Attachment: M_Player_v1.0.exe
 
    24 November 2003 - Opera Updates Browser To Plug Security Holes
   ZDNet says security flaws in the Opera browser, which opened both Windows
   and Linux-based systems to attack, have been patched in the latest version
 
    14 November 2003 - Virus Alert: New Version of Mimail Detected - Mimail.i
   VirusList.com Alert says a new version of the Mimail Internet worm has
   been detected in the wild. Like its predecessors, the latest version of
   Mimail spreads as an email attachment, which in this case is named
   paypal.asp.scr. The worm gains control over victim machines only if the
   attachment is opened. If the victim does launch Mimail, the worm opens a
   dialogue box where it asks for PayPal credit card information. Any data
   that is entered is saved in a file named ppinfo.sys, which the worm mails
   to the virus sender. Computer users should be on the lookout for Mimail.i
   and, as always, keep anti-virus software databases up to date.
   Aliases: W32.Paylap@mm (NAV)
   * Kaspersky Virus Encyclopedia
   * F-Secure Radar Level 2: Mimail.I
   * NAI Virus Report: W32/Mimail.i@MM 
   * Symantec Security Category 2: W32.Mimail.H@mm
 
    14 November 2003 - Microsoft Security Bulletin MS03-051
   Microsoft TechNet Security's latest bulletin outlines "Buffer Overrun in
   Microsoft FrontPage Server Extensions Could Allow Code Execution
   (813360)". This bulletin addresses two new security vulnerabilities in
   Microsoft FrontPage Server Extensions, the most serious of which could
   enable an attacker to run arbitrary code on a user's system. Maximum
   Severity Rating: Critical
 
    14 November 2003 - Microsoft Security Bulletin MS03-050
   Microsoft TechNet Security's latest bulletin outlines "Vulnerability in
   Microsoft Word and Microsoft Excel Could Allow Arbitrary Code to Run
   (831527)". Excel's vulnerability exists because of the method Excel uses
   to check the spreadsheet before reading the macro instructions. If
   successfully exploited, an attacker could craft a malicious file that
   could bypass the macro security model. Word's vulnerability exists due to
   the way Word checks the length of a data value (Macro names) embedded in
   a document. If a specially crafted document were to be opened it could
   overflow a data value in Word and allow arbitrary code to be executed.
   Maximum Severity Rating: Important
 
    14 November 2003 - Microsoft Security Bulletin MS03-049
   Microsoft TechNet Security's latest bulletin outlines "Buffer Overrun
   in the Workstation Service Could Allow Code Execution (828749)". If
   exploited, an attacker could gain System privileges on an affected
   system, or could cause the Workstation service to fail. An attacker
   could take any action on the system, including installing programs,
   viewing data, changing data, or deleting data, or creating new accounts
   with full privileges. Maximum Severity Rating: Critical
 
    14 November 2003 - Microsoft Security Bulletin MS03-048
   Microsoft TechNet Security's latest bulletin outlines "Cumulative
   Security Update for Internet Explorer (824145)". This is a cumulative
   update that includes the functionality of all the previously-released
   updates for Internet Explorer 5.01, Internet Explorer 5.5, and Internet
   Explorer 6.0. Additionally, it eliminates five newly-discovered
   vulnerabilities. Maximum Severity Rating: Critical
 
    14 November 2003 - Mimail Variant Tries PayPal Fraud
   ZDNet says another variant of the Mimail worm is on the loose, using a
   PayPal scam to try and gather credit card details
 
    14 November 2003 - Email From 'Citibank' Conceals Trojan
   ZDNet says an email supposedly from Citibank carries a virus that could
   allow hackers to take control of a user's PC
 
    11 November 2003 - Symantec Security Category 2: W32.Xabot.Worm
   Symantec Security Updates reports W32.Xabot.Worm is a worm that attempts
   to spread itself through the IRC and file-sharing networks. It also has
   backdoor Trojan Horse capabilities, which allow a hacker to gain control
   of a compromised computer. The existence of the file wininit32.exe is an
   indication of a possible infection.
 
    10 November 2003 - VirusList Alerts: The Voltan Virus Steals Money
   VirusList.com Alert says unlike most computer viruses that are out to
   create havoc and annoyance, the Voltan virus was created to provide its
   author with stolen riches. The Voltan virus, also known as Zelig, first
   appeared in late October 2003 and is categorized as an Internet e-mail
   worm. The e-mail message associated with Voltan does not itself contain
   infected code, but rather contains information directing potential
   victims to a website where the infected code resides in the guise of a
   screen saver program.
   * Kaspersky Virus Encyclopedia: Voltan / Zelig worm
 
    07 November 2003 - Symantec Security Category 2: W32.Wullik.B@mm
   Symantec Security Updates reports W32.Wullik.B@mm is a mass-mailing worm
   that attempts to send itself to all the contacts in the Outlook address
   book. The email has the following characteristics:
   Subject: MS?DOS???? (the ?'s represent Chinese characters.)
   Attachment: MShelp.EXE
   Message: [Chinese text]
   The worm makes numerous copies of itself in random locations, and moves
   to a new location when Windows Explorer browses to the folder from which
   it runs. It can spread to floppy disks and shared network drives under
   some conditions. Also Known As: Bloodhound.W32.VBWORM and W32/Wukill.worm
 
    06 November 2003 - Windows Messenger Draws US Regulators' Attention
   ZDNet says the US Federal Trade Commission wants to 'address consumer
   concerns' about spammers' exploitation of Microsoft's Windows Messenger
   feature
 
    03 November 2003 - Symantec Security Category 2: W32.Mimail.E@mm
   Symantec Security Updates reports W32.Mimail.E@mm is a variant of
   W32.Mimail.D@mm that spreads by email. It is packed with UPX.
   Symantec Security Response has developed a removal tool to clean the
   infections of W32.Mimail.E@mm. Also Known As: Worm_Mimail.F [Trend]
   Variants: W32.Mimail.A@mm, W32.Mimail.C@mm, W32.Mimail.D@mm
   The email has the following characteristics:
   Subject: don't be late!   [random string of letters]
   Attachment: readnow.zip
 
    03 November 2003 - Symantec Security Category 3: W32.Mimail.D@mm
   Symantec Security Updates reports W32.Mimail.D@mm is a variant of
   W32.Mimail.C@mm that spreads by email. It is packed with UPX.
   Symantec Security Response has developed a removal tool to clean the
   infections of W32.Mimail.D@mm. Also Known As: W32/Mimail@mm [McAfee]
   Variants: W32.Mimail.A@mm, W32.Mimail.C@mm
   The email has the following characteristics:
   Subject: don't be late!   [random string of letters]
   Attachment: readnow.zip
 
    03 November 2003 - FRISK Virus Alert: W32/Mimail.C@mm
   F-Prot Antivirus Alert Service says W32/Mimail.C@mm, a new Mimail
   variant, spreads by e-mail in a ZIP-archive that contains a file named
   photos.jpg.exe (some Windows users may see this file only as photos.jpg).
   The subject of these e-mails is "Re[2]: our private photos". On infection
   this worm harvests e-mail addresses from the infected computer and
   subsequently spreads itself further by sending e-mails to these addresses.
   Mimail.C also attempts Denial of Service attacks on certain sites as well
   as trying to steal information from infected computers. Read the report
   for the Removal Instructions.
   Aliases: I-Worm.Mimail.c (AVP), I-Worm.WatchNet (AVP), W32.Mimail.C@mm
   (Symantec), W32/Bics@MM, W32/Mimail-C (Sophos), WORM_MIMAIL.C (Trend)
   * More info at Frisk's virus information section
   * VirusList Alert on Mimail.c
   * F-Secure Radar alert on Mimail.C worm
   * NAI Virus Report on W32/Mimail.c@MM
   * Symantec Category 3 W32.Mimail.C@mm
 
    03 November 2003 - Antipiracy Feature Shuts Out Customers
   ZDNet says some buyers of Symantec's latest security package have been
   unable to use the software after its product-activation technology
   malfunctioned
 
    30 October 2003 - NAI Virus Report: Spyware-DCToolbar
   Network Associates says the entry for the Spyware-DCToolbar application/
   program was added to cover a file called "redirect2.exe". When the file
   redirect2.exe is run, it runs silently with no GUI, but is visible in
   the Windows Task Manager. It makes a standard registry entry to call
   itself at startup, and intercepts Internet Explorer URL addresses. The
   captured addresses can be sent to a webpage, and it redirects to another
   website. Aliases: Spyware.Dotcomtoolbar
 
    30 October 2003 - VirusList Alerts: I-Worm Sober Breaks Out
   VirusList.com Alert says the new Internet worm Sober masquerades as
   anti-virus software. The Sober worm, first detected this past Saturday,
   is now surging in activity in connection with the beginning of the
   workweek. Sober is a classic Internet worm that spreads via e-mail in
   English and in German; additionally, the infected file attachment can
   have one of several file extensions (PIF, BAT, SCR, COM, EXE). All of
   this makes it significantly more difficult to identify from outside
   appearances.
 
    26 October 2003 - Symantec Security Category 2: W32.Marque.Worm
   Symantec Security Updates reports W32.Marque.Worm is a worm that uses its
   own SMTP engine to send an HTML-format email to all the contacts in the
   Windows Address Book. The email contains a link that refers the user to
   a specific website. The worm, zelig.scr, is downloaded automatically when
   this site is visited. Also Known As: W32.Marque@mm, Marque [McAfee]
 
    26 October 2003 - Symantec Security Category 2: W32.Sober@mm
   Symantec Security Updates reports Sober@mm is a mass-mailing worm that
   uses its own SMTP engine to spread itself. The email will have a variable
   subject in either English or German. The name of the email attachment
   will vary and have a .bat, .com, .exe, .pif, or .scr file extension.
   Also Known As: W32/Sober@MM [McAfee], I-Worm.Sober [Kaspersky]
   * Report from F-Secure Radar Level 2: Sober
 
    26 October 2003 - F-Secure Radar Level 2: Flea
   F-Secure Virus Report says the JS/Flea worm spreads by adding itself to
   the email signatures of infected users. It will drop a file named
   C(number).HTM to the Windows folder. Infections have been reported today
   from Europe and Asia. The worm makes several Internet Explorer setting
   changes, and the virus
   also creates the following buttons on the Internet Explorer toolbar.
   Aliases: JS/Flea, VBS/Flea.A.Dropper and REG/Flea
   * NAI Virus Report: JS/Flea@M
 
    21 October 2003 - Symantec Security Category 2: W32.HLLW.Gaobot.AZ
   Symantec Security Updates reports W32.HLLW.Gaobot.AZ is a minor variant
   of W32.HLLW.Gaobot.AP that attempts to spread to network shares and
   allows access to an infected computer through an IRC channel.
 
    21 October 2003 - NAI Virus Report: Adware-KeenValue
   Network Associates says Adware-KeenValue is not a real virus/trojan but
   an arguable application/program that shows adware/links and might
   redirect IE settings. When the install/setup file is run manually by
   the user, no GUI message boxes appear; it runs silently and puts
   multiple files in the \Program Files\Common Files\KeenValue directory.
   It makes a standard registry entry to call the keenvalue.exe file at
   startup: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   Apart from calling the uninstall program directly, Adware-KeenValue
   can also be removed through Add/Remove programs.
 
    21 October 2003 - NAI Virus Report: PWS-Mafia
   Network Associates says this trojan is considered to be a Low-Profiled
   threat due to the publication of an article in The Register, "'Kill Bill'
   Trojan fails to rack up body count". The purpose of the trojan is to steal
   information stored on the local system and email it to a specified
   address. It may be received with the filename subtitles.exe inside a RAR
   archive named KillBill2003-Danish[Xsubt.com][8853385601].rar or something
   similar. Aliases: PWSteal.Salira (Symantec), TROJ_MAFIA.A (Trend),
   Trojan.PSW.Bumaf (AVP) and Win32.Manda.A (BitDefender)
 
    21 October 2003 - NAI Virus Report: IGetNet.dr application
   Network Associates says this detection was reclassified from trojan to
   potentially unwanted program as the author's intentions are not
   malicious. This file may come bundled with another program, which
   discloses the fact that it is ad-supported. Users agree to have this
   program installed in the license agreement, although they may not
   realise at first that this particular file was packaged with the
   product they installed.
 
    16 October 2003 - Symantec Security Category 2: W32.Wintoo.Worm
   Symantec Security Updates reports W32.Wintoo.Worm is a mass-mailing worm
   that sends itself to all the recipients in the Windows Address Book. It
   sends itself using the MAPI interface. The email will have the following
   characteristics:
   * Subject: [Cyrillic text that loosely translates to "Look at this"]
   * Attachment: win2drv.exe
   The worm also modifies the Windows background to a bitmap containing a
   message in Cyrillic.
 
    16 October 2003 - Microsoft Security Bulletin MS03-047
   Microsoft TechNet Security's latest bulletin outlines "Vulnerability in
   Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting
   Attack (828489)". This has a Moderate Rating with a Remote Code Execution
   vulnerability and should be read by System administrators who have servers
   running Microsoft Exchange Server 5.5 Outlook Web Access.
 
    16 October 2003 - Microsoft Security Bulletin MS03-046
   Microsoft TechNet Security's latest bulletin outlines "Vulnerability in
   Exchange Server Could Allow Arbitrary Code Execution (829436)". This has
   a Critical Rating with a Remote Code Execution vulnerability that should
   be read by System administrators who have servers running Microsoft
   Exchange Server. Recommendation: System administrators should apply the
   security patch to Exchange servers immediately.
 
    16 October 2003 - Microsoft Security Bulletin MS03-045
   Microsoft TechNet Security's latest bulletin outlines "Buffer Overrun in
   the ListBox and in the ComboBox Control Could Allow Code Execution
   (824141)". This has an Important Rating with Local Elevation of Privilege
   vulnerability and should be read by customers using Microsoft Windows.
   Recommendation: Customers should install this security patch at the
   earliest opportunity. An attacker who had the ability to log on to a
   system interactively could run a program that could send a specially-
   crafted Windows message to any applications that have implemented the
   ListBox control or the ComboBox control, causing the application to take
   any action an attacker specified. This could give an attacker complete
   control over the system by using Utility Manager in Windows 2000.
 
    16 October 2003 - Microsoft Security Bulletin MS03-044
   Microsoft TechNet Security's latest bulletin outlines "Buffer Overrun in
   Windows Help and Support Center Could Lead to System Compromise (825119)".
   This has a Critical Rating with Remote Code Execution vulnerability, that
   should be read by customers using Microsoft Windows. An attacker could
   exploit the vulnerability by constructing a URL that, when clicked on by
   the user, could execute code of attacker's choice in the Local Computer
   security context. The URL could be hosted on a web page, or sent directly
   to the user in email. In the web based scenario, where a user then clicked
   on the URL hosted on a website, an attacker could have the ability to read
   or launch files already present on the local machine.
 
    16 October 2003 - Microsoft Security Bulletin MS03-043
   Microsoft TechNet Security's latest bulletin outlines "Buffer Overrun in
   Messenger Service Could Allow Code Execution (828035)". This has Critical
   Rating with a Remote Code Execution vulnerability and should be read by
   customers using Microsoft Windows. Recommendation: Customers should
   disable the Messenger Service immediately and evaluate their need to
   deploy the patch. An attacker who successfully exploited this
   vulnerability could be able to run code with Local System privileges on an
   affected system, or could cause the Messenger Service to fail. The
   attacker could then take any action on the system, including installing
   programs, viewing, changing or deleting data, or creating new accounts
   with full privileges.
 
    16 October 2003 - Microsoft Security Bulletin MS03-042
   Microsoft TechNet Security's latest bulletin outlines "Buffer Overflow
   in Windows Troubleshooter ActiveX Control Could Allow Code Execution
   (826232)". This has a Critical Rating with a Remote Code Execution
   vulnerability and should be read by customers using Microsoft Windows.
   Recommendation: Customers should apply the patch immediately.
   A security vulnerability exists in the Microsoft Local Troubleshooter
   ActiveX control. The vulnerability exists because the ActiveX control
   (Tshoot.ocx) contains a buffer overflow that could allow an attacker
   to run code of their choice on a user's system.
 
    16 October 2003 - Microsoft Security Bulletin MS03-041
   Microsoft TechNet Security's latest bulletin outlines "Vulnerability in
   Authenticode Verification Could Allow Remote Code Execution (823182)".
   This has a Critical Rating and should be read by all customers using
   Microsoft Windows, because the impact of the vulnerability is Remote Code
   Execution. Bulletin Recommendation: Customers should apply the patch
   immediately. Technical Description: There is a vulnerability in
   Authenticode that, under certain low memory conditions, could allow an
   ActiveX control to download and be installed and executed on the user's
   system, with the same permissions as the user, without prompting the
   user for approval.
 
    15 October 2003 - Symantec Security Category 2: W32.HLLW.Torvil@mm
   Symantec Security Updates reports W32.HLLW.Torvil@mm is a mass-mailing
   worm that uses the currently available MAPI program or its own SMTP
   engine to spread itself. The email characteristics can be found in the
   above report. The worm may spoof the "From:" field of the email. The worm
   can copy itself to the network shares that have weak passwords. This worm
   also attempts to spread itself through file-sharing networks, such as
   KaZaA and Xolox, as well as ICQ and mIRC.
 
    14 October 2003 - Attackers Seek Weaknesses Inside The Firewall
   ZDNet says that, according to the security firm Symantec, cyber-attackers
   are refocusing their efforts on PCs inside the perimeter of corporate
   networks
 
    14 October 2003 - Security Firms Round On Internet Explorer
   ZDNet says Microsoft's Internet browser makes Web surfing unsafe,
   according to several security experts
 
    14 October 2003 - Microsoft Uncovers New Patching Plan
   ZDNet says the software giant's chief executive has outlined how Microsoft
   will redouble its efforts on security
 
    08 October 2003 - Microsoft Security Bulletin MS03-040
   Microsoft TechNet Security's latest bulletin outlines "Cumulative Patch
   for Internet Explorer (828750)". Users running Microsoft IE should read
   this bulletin and customers should apply the patch immediately as it
   could be possible for an attacker who exploited this vulnerability to run
   arbitrary code on a user's system. This cumulative patch includes the
   functionality of all previously released patches for Internet Explorer
   5.01, 5.5 and 6.0. In addition, it eliminates the newly discovered
   vulnerabilities: one that occurs because Internet Explorer does not
   properly determine an object type returned from a Web server in a popup
   window, and another that occurs because Internet Explorer does not
   properly determine an object type returned from a Web server during XML
   data binding.
 
    08 October 2003 - NAI Virus Report: W32/Sdbot.18976
   Network Associates says this is not a virus, but a trojan, which does not
   self replicate. However, it was recently spammed to a large number of
   email addresses. The nav32.zip attachment contains the file nav32.exe.
   When the executable is extracted and run, the trojan copies itself to the
   WINDOWS SYSTEM directory as RPCX1sq23.exe and a registry run key is
   created to load the trojan at startup. The trojan attempts to connect to
   the IRC server itc.ourmoney.pp.ru, join a specified channel, and wait
   for commands from a remote attacker.
 
    08 October 2003 - Symantec Security Category 2: W32.IRCBot.B
   Symantec Security Updates reports W32.IRCBot.B is a Backdoor Trojan Horse
   that connects to an IRC server and waits for commands from the hacker.
   This Trojan is a variant of W32.IRCBot and W32.IRCBot.Gen.
   Note: It has been reported that W32.IRCBot.B may arrive in an email
   message about a fake program update for Norton AntiVirus. The sender,
   updates@symantec.com, is a spoofed email address. Symantec never sends
   unsolicited email; the attachment should be deleted.
 
    08 October 2003 - Symantec Security Category 2: W32.HLLW.Syney.B@mm
   Symantec Security Updates reports W32.HLLW.Syney.B@mm is a mass-mailing
   worm that attempts to delete antivirus files and spreads through MS Outlook.
   If you discover that your antivirus software is no longer working properly,
   you may need to re-install the program.
 
    07 October 2003 - Microsoft Plugs Qhosts Hole
   ZDNet says Microsoft has released its fortieth patch of the year, covering
   a flaw in Internet Explorer that could be exploited by a Trojan horse
   program
 
    07 October 2003 - Instant Messaging Programs Increasingly Targeted
   VirusList.com News says as IM technology is increasingly used as a
   business tool, IM programs will increasingly be the targets of attack.
   Security holes in instant messaging programs such as Yahoo Messenger,
   AOL Messenger, and Microsoft's MSN Messenger are being exploited by
   rapidly spreading IM worm viruses and backdoor programs that seek to gain
   control of victim machines.
 
    02 October 2003 - Symantec Security Category 2: Trojan.Qhosts
   Symantec Security Updates reports Trojan.Qhosts is a Trojan Horse that
   will modify the TCP/IP settings to point to a different DNS server.
   * NAI Virus Report: QHosts-1
   The purpose of this trojan is to "hijack" browser use. When page
   requests are made, they are rerouted to specified Domain Name
   Servers. This allows a remote "administrator" to direct users to the
   pages of their choosing. For example, if an infected user attempted
   to navigate to http://www.google.com, they would be routed to a
   different site.
   Aliases: QHosts-1.dr, QHosts-1 [McAfee], VBS.QHOSTS [CA]
 
    02 October 2003 - Symantec Security Category 2: W32.Logitall.A@mm
   Symantec Security Updates reports W32.Logitall.A@mm is a mass-mailing
   worm that sends itself to the addresses found on the system. The worm
   also uploads user information to an FTP server that the worm's author
   specifies.
 
    02 October 2003 - Exchange Incompatibility Patched
   ZDNet says Microsoft has released a patch for miscommunication between
   a new version of its Outlook program and an older version of its Exchange
   mail server.
 
    02 October 2003 - Trojan Horse Exploits Explorer Flaw
   ZDNet says a program dubbed QHosts takes advantage of a hole in
   Microsoft's Internet browser to install itself without users being aware.
 
    30 September 2003 - Symantec Security Category 2: W32.Galil.C@mm
   Symantec Security Updates reports W32.Galil.C@mm is a mass-mailing worm
   that sends itself to the email addresses it finds in the files that have
   the .htm, .html, .eml, and .txt file extensions. The email will have a
   variable subject line and attachment name. The original sample received
   had a .scr file extension. Symantec has instructions on restarting your
   computer in Safe mode and how to delete values from the registry.
 
    30 September 2003 -  NAI Virus Report: W32/Smibag.worm
   Network Associates says this worm requires MSN Messenger to be running in
   order to spread. It arrives through MSN Messenger as file smb.exe. If that
   attachment is accepted and run, the local system is then used to propagate
   the virus to others. Aliases: Trojan.Admagic (Dr Web), W32.Smibag.Worm
   (Symantec), W32/Smibag.worm.dll, W32/Smibag.worm.dr and WORM_SMIBAG.A (Trend)
 
    30 September 2003 - Trojans Exploit IE Hole To Run Up Massive Phone Bills
   ZDNet says hackers are hijacking AOL instant-messenger accounts and
   changing PCs' dial-up settings through a hole in Microsoft's Internet
   Explorer.
 
    30 September 2003 - Experts Warn On 'Unpatched' Vulnerability
   ZDNet says attackers are taking advantage of a security hole in Internet
   Explorer not immediately patched by Microsoft.
 
    26 September 2003 - New Windows Vulnerabilities Identified
   F-Prot Antivirus Alert Service says three new vulnerabilities affecting
   Microsoft Windows were identified by Microsoft on 10 September 2003. They
   recommend that users immediately patch against these vulnerabilities by
   downloading critical updates (KB824146) from Security Bulletin MS03-039.
 
    26 September 2003 - Microsoft Security Bulletin MS03-039
   Microsoft TechNet Security's latest bulletin outlines "Buffer Overrun In
   RPCSS Service Could Allow Code Execution (824146)". MS has classified the
   bulletin as Critical. Impact of vulnerability: Three new vulnerabilities,
   the most serious of which could enable an attacker to run arbitrary code
   on a user's system. System administrators should apply the security patch
   immediately, and an end user version of this bulletin is available at:
   http://www.microsoft.com/security/security_bulletins/ms03-039.asp.
 
    26 September 2003 - Symantec Security Category 2: W32.Dumaru.M@mm
   W32.Dumaru.M@mm is a mass-mailing worm that drops an IRC Trojan onto an
   infected computer. The worm gathers email addresses from certain file
   types and uses its own SMTP engine to email itself. Also, the worm logs
   the keystrokes and sends the data to a specified email address.
 
    26 September 2003 - Symantec Security Category 2: W32.Israz.B@mm
   W32.Israz.B@mm is a mass-mailing worm that uses its own SMTP engine to
   send itself to all the contacts in the Windows Address Book and Outlook
   Address Book. The worm also attempts to spread itself through some
   file-sharing networks, such as KaZaA, Morpheus, eMule, eDonkey2000,
   BearShare, and iMesh.
 
    26 September 2003 - Symantec Security Category 3: W32.Swen.A@mm
   W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to
   spread itself. It attempts to spread through file-sharing networks, such
   as KaZaA and IRC, and attempts to kill antivirus and personal firewall
   programs running on a computer. The worm can arrive as an email attachment.
 
    26 September 2003 - Symantec Security Category 2: W32.Yaha.AA@mm
   W32.Yaha.AA@mm is a variant of the W32.Yaha.T@mm worm that terminates
   some antivirus and firewall processes and, among other things, installs
   a keylogger and emails the logs to its author.
 
    26 September 2003 - Symantec Security Category 2: W32.HLLW.Gaobot.AF
   W32.HLLW.Gaobot.AF is a minor variant of W32.HLLW.Gaobot.AA and
   W32.HLLW.Gaobot.AE. It attempts to spread to network shares that have
   weak passwords and allows attackers to access an infected computer
   through an IRC channel. The worm uses multiple vulnerabilities.
 
    26 September 2003 - Symantec Security Category 2: W32.Vybab@mm
   W32.Vybab@mm is a simple mass-mailing worm that attempts to use MS Outlook
   to email itself to all the contacts in the Address Book and also attempts
   to delete some files randomly.
 
    26 September 2003 - Symantec Security Category 2: W32.Patoo@mm
   W32.Patoo@mm is a mass-mailing worm that attempts to use MS Outlook to
   email itself to all the contacts in the Address Book. While the
   attachment name is displayed as Stop Messenger Popups, the attachment is
   actually the original filename of the worm (most likely Msngrblock.exe).
   This is accomplished by modifying the label of the attachment to deceive
   the recipient. Virus definitions dated prior to September 15, 2003 may
   detect this threat as Bloodhound.W32.5.
 
    26 September 2003 - F-Secure Radar Level 1: Swen
   F-Secure Radar Alert titled "New Computer Worm Exploits False Security
   Update", says they are upgrading the Swen worm to Level 1 as it is
   spreading at an increasing rate. Swen typically arrives via email,
   spoofed to be from Microsoft. It also spreads via email, IRC, shares and
   P2P. It can autoexecute from e-mail on some systems. It sends credible-
   looking emails which appear to be from Microsoft - but are not.
 
    26 September 2003 -  NAI Virus Report: W32/Swen@MM
   Network Associates says that this worm, sometimes purporting to be a
   Microsoft Security Update, is intended to propagate via various
   mechanisms. The worm terminates processes relevant to various security
   and anti-virus products. Symptoms include display of the dialog boxes
   described in the report, unexpected termination of AV/security products,
   and inability to run RegEdit on the victim machine.
 
    26 September 2003 - Microsoft Domination 'Threatens US Security'
   ZDNet says an industry group has issued a report warning that Microsoft's
   omnipresence creates a risk to US security.
 
    26 September 2003 - Swen Worm Tops Virus Charts
   ZDNet says the Swen mass-mailing worm is being taken more seriously as it
   begins a rapid spread, posing convincingly as a Microsoft security update.
 
    09 September 2003 - Anti-virus Services Needed More Than Ever
   VirusList.com News says the anti-virus market's message of the need for
   computer users and organisations to not just have, but more importantly,
   actively keep anti-virus databases current, has received a boost from
   recent outbreaks attributed to SoBig.f, LovSan (aka Blaster) and Welchia.
 
    09 September 2003 - Symantec Security Category 2: Backdoor.Coreflood.B
   Symantec Security Updates reports Backdoor.Coreflood.B is a minor variant
   of Backdoor.Coreflood. This threat can be distributed through infected
   Web pages. Visiting a compromised Web site will cause Backdoor.Coreflood.dr
   to be downloaded, which will attempt to install Backdoor.Coreflood.B.
   Read the Backdoor.Coreflood and Backdoor.Coreflood.dr write-ups for
   more information.
 
    09 September 2003 - Symantec Security Category 2: W32.Neroma@mm
   Symantec Security Updates reports W32.Neroma@mm is a mass-mailing worm
   that attempts to use Microsoft Outlook to email itself to all the
   contacts in the Windows Address Book.
   The email has the following characteristics:
   Subject: It's Near 911!
   Message: Nice butt baby!
   Attachment: 911.jpg
   While the attachment name is displayed as 911.jpg, the attachment is
   actually the original filename of the worm. This is accomplished by
   modifying the label of the attachment in an attempt to deceive the
   recipient. W32.Neroma@mm is written in Microsoft Visual Basic (VB) and
   is UPX-packed.
   Also Known As: W32/Neroma@MM [McAfee]
 
    09 September 2003 - Symantec Security Category 2: W32.HLLW.Ihedont@mm
   Symantec Security Updates reports W32.HLLW.Ihedont@mm is a mass-mailing
   worm that replicates by sending itself to the contacts in the Outlook
   Address Book. Also Known As: Bloodhound.W32.VBWORM
 
    09 September 2003 - Symantec Security Category 2: W32.Blaster.F.Worm
   Symantec Security Updates reports W32.Blaster.F.Worm is a worm that
   exploits the DCOM RPC vulnerability using TCP port 135. The worm targets
   only Windows 2000 and Windows XP computers. The worm attempts to download
   the Enbiei.exe file into the %Windir%\System32 folder, and then execute it.
   The worm also attempts to perform a Denial of Service (DoS) on
   tuiasi.ro. Symantec Security Response has developed a removal tool to clean
   the infections of W32.Blaster.F.Worm.
   Also Known As: W32/Lovsan.worm.f [McAfee], W32/Blaster-F [Sophos],
   WORM_MSBLAST.G [Trend], Win32.Poza.F [CA]
 
    09 September 2003 - Symantec Security Category 2: W32.Mapson.D.Worm
   Symantec Security Updates reports W32.Mapson.D.Worm is a mass-mailing worm
   that sends itself to all the contacts in the MSN Messenger contact list
   and also attempts to spread through file-sharing networks and ICQ. The
   worm also attempts to terminate some popular antivirus, firewall, and
   system-monitoring programs.
   Also Known As: I-Worm.Mapson.d [KAV], W32/Mapson.gen@MM [McAfee]
 
    09 September 2003 - Symantec Security Category 2: W32.Yodo@mm
   Symantec Security Updates reports W32.Yodo@mm is a mass-mailing worm that
   uses its own SMTP engine to spread itself. The email has the following
   characteristics:
   Subject: Fun game!
   Message: Hello,
   Please see the attachment! I scanned it for viruses before I sent it
   out. it's a really cool game!
   Scanned with Norton Anti-Virus
   Attachment: flash-game.exe
 
    09 September 2003 - Symantec Security Category 2: W32.Blaster.E.Worm
   Symantec Security Updates reports W32.Blaster.E.Worm is a worm that
   exploits the DCOM RPC vulnerability (described in Microsoft Security
   Bulletin MS03-026) using TCP port 135. The worm targets only Windows 2000
   and Windows XP computers. Symantec recommends that you block access to
   TCP port 4444 at the firewall level, and then block the following ports,
   if you do not use the following applications:
     * TCP Port 135, "DCOM RPC"
     * UDP Port 69, "TFTP"
   Also Known As: W32/Blaster-E [Sophos], W32/Lovsan.worm.e [McAfee],
   Worm.Win32.Lovesan [KAV]
   Variants: W32.Blaster.Worm
 
    09 September 2003 - Symantec Security Category 2: W32.Vote.K@mm
   Symantec Security Updates reports W32.Vote.K@mm is a mass-mailing worm
   that overwrites and deletes numerous files on an infected system. The
   worm uses Microsoft Outlook to send itself to all the contacts in Outlook
   Address Book and attempts to spread through the KaZaA file-sharing network.
   When W32.Vote.K@mm is executed, it displays a message titled "WORLD TRADE
   CENTER."  The worm also attempts to overwrite .com, .exe, .scr, .bmp,
   .jpg, .mp3, .mpg, .rar, .wav, and .zip files with a copy of itself.
   Also Known As: Bloodhound.W32.VBWORM
   The email has the following characteristics:
   Subject: THE WAR HAS STARTED !
   Attachment: WTC32.scr
 
    09 September 2003 - Symantec Security Category 2: W32.Jonbarr.D@mm
   Symantec Security Updates reports W32.Jonbarr.D@mm, which is a variant of
   the W32.Jonbarr@mm worm, is a mass-mailing worm that uses its own SMTP
   engine to send itself to all the email addresses it finds in the .htm
   files and in temporary Internet files.  Additionally, the worm attempts
   to terminate the processes of various antivirus programs.
   Also Known As: W32/Pepex@MM
   The email has the following characteristics:
   Subject: Microsoft Windows Patch   or   Re:hya
   From: "Microsoft" [support@microsoft.com]
   Reply-To: "Microsoft" [microsoft@microsoft.com]
   Message: Please open the attachment if want to get supprise!
   Attachment: install.exe
 
    08 September 2003 - Critical Internet Explorer Patch 'does not work'
   ZDNet says a fix to a serious bug in Microsoft's browser is still not
   working properly after a re-release, according to the firm that
   discovered the flaw.
 
    08 September 2003 -  NAI Virus Report: W32/Blurt@MM
   Network Associates says this threat is deemed Low-Profiled due to media
   attention at http://www.theregister.co.uk/content/56/32662.html. The
   virus is detected as W32/Generic.worm!irc. This worm attempts to spread
   via Microsoft Outlook and Internet Relay Chat. The worm also terminates
   security software, contains a Denial of Service attack payload and a web
   page overwriting payload, and disables the registry editor and task
   manager. Aliases: I-Worm.Blare, W32.Blare@mm and WORM_BLARE.A
 
    08 September 2003 -  NAI Virus Report: W32/Neroma.a@MM
   Network Associates says this threat was updated to a Low-Profiled risk
   due to media attention with ComputerWorld's article "First of perhaps
   many 9/11 viruses emerges". This Visual Basic worm propagates by mailing
   itself to recipients in the Outlook Address Book (using Outlook to
   construct and send messages).
   Aliases: W32.Neroma@MM (NAV) and Worm.Win32.Maro.5632 (Hauri)
   The virus is likely to be received in an email bearing the following
   characteristics:
   Subject:   It's Near 911!
   Attachment:   Nerosys.exe ("911.jpg" label is used)
   Body:   Nice butt baby!
 
    08 September 2003 - Microsoft Warns Of Another 'critical' Flaw
   ZDNet says Microsoft has released a flood of security alerts, with one
   flaw potentially allowing attackers to gain control of PCs running Office.
 
    28 August 2003 - Symantec Security Category 2: W32.HLLW.Raleka
   Symantec Security Updates reports W32.HLLW.Raleka is a worm that,
   similarly to W32.Blaster.Worm, exploits the Microsoft DCOM RPC
   vulnerability, as described in MS Security Bulletin MS03-026. When
   executed, this worm will attempt to download NTrootkit.exe and
   NTRootkit.reg from a pre-defined location. If successful, it executes
   NTrootkit.exe and connects to an IRC server on port 6667. It will then
   launch 200 infection threads. These threads will attempt to infect other
   computers by exploiting the Microsoft DCOM RPC vulnerability. When the
   worm is running on the system, it will create two log files on the
   system, named rpcss.ini and svchost.ini. The worm will log all IP
   addresses it attempts to infect. Read the report for recommendations.

    28 August 2003 - Symantec Security Category 2: W32.Zush@mm
   Symantec Security Updates reports W32.Zush@mm is a mass-mailing worm that
   sends itself to all the addresses in the Microsoft Outlook Address Book,
   and affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT,
   and Windows XP. The email has the following characteristics:
   Subject: Vazna informacija!
   Body: Hi! I Missed you so much! (read Symantec report for full text)
   Attachment: Setup32.exe

    28 August 2003 - Symantec Security Category 2: W32.Hopalong@mm
   Symantec Security Updates reports W32.Hopalong@mm is a mass-mailing worm
   that sends itself to any addresses in the Microsoft Outlook Address Book,
   and affects Windows 95 and Windows 98.
   The email has the following characteristics:
   Subject: Look At This!!!
   Message: You have to see this file its so funny!
   Attachments: hop_along.exe

    28 August 2003 - New MBA.First Virus Infects MapInfo Tables
   VirusList.com Alert says the very first virus to infect MapInfo (one of
   the most popular programs for cartographic and geographic analysis)
   tables has been detected. The MBA.First virus is activated when infected
   MapInfo tables are opened. Once launched, the virus spreads to all other
   detected MapInfo tables. Depending on the infected computer's system
   date, the virus poses a threat, of varying probability, of deleting
   MapInfo table files.
   * Kaspersky Virus Encyclopedia: MBA.First virus

    28 August 2003 -  NAI Virus Report: VBS/Flipe
   Network Associates says this threat is detected as VBS/Flipe.  When
   executed, the trojan will attempt to create files on your system, and
   attempt to overwrite other files. It will then attempt to format
   the c:\ and a:\ drives. Trojans do not self-replicate. They are spread
   manually, often under the premise that the executable is something
   beneficial. Distribution channels include IRC, peer-to-peer networks,
   newsgroup postings, etc.

    28 August 2003 - Cleaning Up After The MSBlast Worm
   ZDNet's article on 'How to rid your system of the latest fast-spreading
   worm', says the MSBlast worm has caused widespread infection on the
   Internet. This ZDNet Australia analysis contains infection information,
   detection strategies, and clean up instructions. For now, the worm only
   infects Windows 2000 and XP, but they say it is worth noting that an
   updated version of the worm could affect other MS operating systems, so
   it is recommended that all systems be patched against the DCOM
   vulnerability. The worm is very easily detected by users.
   Pressing control-alt-delete, then clicking on "Task Manager" and
   selecting the "Processes" tab will bring up a list of processes
   running on the machine. Clicking on "Image Name" will sort the
   processes alphabetically. If there is a process named "msblast.exe"
   running on the system, then it has been infected by the worm.
   * Protecting Yourself From The MSBlast Worm

    28 August 2003 -  McAfee Stinger: The NAI Virus and Worm Removal Tool
   Network Associates says Stinger is a stand-alone utility used to detect
   and remove specific viruses. It is not a substitute for full anti-virus
   protection, but rather a tool to assist administrators and users when
   dealing with an infected system. As of August 19, 2003, Stinger includes
   detection of all known variants including the MSBlast/Lovsan worm plus:
   BackDoor-AQJ          Bat/Mumu.worm         Exploit-DcomRpc
   IPCScan               IRC/Flood.ap          IRC/Flood.bi
   IRC/Flood.cd          NTServiceLoader       PWS-Sincom
   W32/Bugbear@MM        W32/Deborm.worm.gen   W32/Dumaru@MM
   W32/Elkern.cav        W32/Fizzer.gen@MM     W32/FunLove
   W32/Klez              W32/Lirva             W32/Lovgate
   W32/Lovsan.worm       W32/Mimail@MM         W32/MoFei.worm
   W32/Mumu.b.worm       W32/Nachi.worm        W32/Nimda
   W32/Sdbot.worm.gen    W32/SirCam@MM         W32/Sobig
   W32/SQLSlammer.worm   W32/Yaha@MM

    28 August 2003 - W32/Nachi Worm Claims Sussex Police Computers
   ZDNet says the Sussex Police force's IT system has been brought to its
   knees by W32/Nachi - the 'good' worm that was supposed to eradicate
   MSBlast.

    24 August 2003 -  NAI Virus Report: W32/Dumaru@MM
   Network Associates says this mass mailing worm has been proactively
   detected with internal heuristics as "virus or variant of New Malware-b".
   The worm uses its own SMTP engine to email itself in the following format:
   From: "Microsoft" security@microsoft.com
   Subject: Use this patch immediately !
   Attachment: patch.exe
   The worm trawls the harddisk for files with extensions .htm .wab .html
   .dbx .tbb .abd for email addresses to send itself to. These email
   addresses are written to file winload.log. Payload: A password stealer
   component is dropped by this worm, which is detected as PWS-Narod.
   Aliases: W32.Dumaru.B@mm [Symantec], W32.Dumaru@mm [Symantec],
   PE_DUMARU.A [Trend], Win32.Dumaru [CA], W32/Dumaru@MM [McAfee],
   W32/Dumaru-A [Sophos], I-Worm.Dumaru [KAV] and WORM_DUMARU.A

    24 August 2003 - Symantec Security Category 2: W32.HLLW.Cult.H@mm
   Symantec Security Updates reports W32.HLLW.Cult.H@mm is a mass-mailing
   worm that uses its own SMTP engine to send itself to randomly generated
   recipient names at these domains:
     * email.com
     * Earthlink.net
     * Roadrunner.com
     * yahoo.com
     * msn.com
     * hotmail.com
   The email message has the following characteristics:
   Subject: I Love You ^_^ I sent you a beautiful Love Card
   Message: To see your Card, Please open the attachment
   If you want to send a reply, please visit
   http:/ /www.Love-card.com/Love/index.html
   Thank You...
   Attachment: BlueMountaineCard.pif
   The worm also has IRC Trojan functionality that allows the Trojan's
   creator to control the infected computer by using Internet Relay Chat
   (IRC).

    24 August 2003 - Symantec Security Category 2: W32.HLLW.Gaobot.AA
   Symantec Security Updates reports W32.HLLW.Gaobot.AA is a worm that
   attempts to spread to the network shares with weak passwords. The worm
   uses multiple vulnerabilities, including the DCOM RPC vulnerability and
   the RPC locator vulnerability. This threat also allows for a hacker to
   remotely access an infected computer through IRC.
   Also Known As: W32/Gaobot.worm.y [McAfee], WORM_AGOBOT.P [Trend]

    24 August 2003 - Symantec Security Category 2: W32.Panol@mm
   Symantec Security Updates reports W32.Panol@mm is a mass-mailing worm
   that uses Microsoft Outlook to send itself to all the contacts in the
   Outlook Address Book. The email has the following characteristics:
   Subject: The easy, automatic way to keep your PC virus-free
   Message: Online hackers know more than 2,500 ways to break into naked,
   unprotected PC systems. In seconds, they steal private files, credit
   card statements, tax records, passwords even Social Security Numbers.
   Attachment: Virus_scanner.exe

    24 August 2003 - Symantec Security Category 2: W32.Miniman@mm
   Symantec Security Updates reports W32.Miniman@mm is a mass-mailing worm
   that sends itself to all the contacts in the Microsoft Outlook address
   book. Also Known As: I-Worm.Miniman [KAV]. The worm may send the
   following two email messages:
   Email 1
   Subject: Microsoft Corporation Support
   Body: Microsoft Corporation has issued a security alert for your
   computer. The patch is avaliable in this attached download. This file
   will patch a Exploit found in Microsoft Windows Products. See Attached
   info for Information.
   Attachments: Attach.exe, Virus.vbs
   Email 2
   Subject: The Bin Laden game
   Body: Hi! This is an awesome Bin Laden game. Shoot him good.
   Attachment: Virus.vbs

    24 August 2003 - Symantec Security Category 2: W32.Pandem.B.Worm
   Symantec Security Updates reports W32.Pandem.B.Worm is an Internet worm
   that is written in C++ and is packed with PEBundle. This worm attempts to
   spread by email. It sends itself to the contacts in the Microsoft Outlook
   Address Book, with the following message:
   From: support@microsoft.com
   Subject: Microsoft Security Bulletin
   Message: Unchecked Buffer in Windows Explorer Could Enable System Compromise
   Attachment: patch.zip or patch_329390.exe
   W32.Pandem.B.Worm also spreads through file-sharing applications,
   including KaZaA, Morpheus, eDonkey, Grokster, LimeWire, GNucleus,
   BearShare, Direct Connect, and ICQ, by placing itself in their default
   shared folders if the programs are installed. It also spreads over IRC,
   where the worm sends itself by using DCC. The worm sends a notification
   to its author when a host is infected and listens on port 61282 for a
   connection.
   Also Known As: W32.Squirm@mm, W32/Pandem-B [Sophos]

    24 August 2003 - Symantec Security Category 2: VBS.Lembra@mm
   Symantec Security Updates reports VBS.Lembra@mm is a mass-mailing Visual
   Basic Script (VBS) worm. The worm attempts to send a copy of itself to
   all the contacts in the Microsoft Outlook address book. The worm opens
   100 copies of Explorer.exe and displays the message "Eu Amo A Grasiele".
   It does not have a malicious payload.

    24 August 2003 - Symantec Security Category 2: W32.Randex.E
   Symantec Security Updates reports W32.Randex.E is an Internet Relay Chat
   (IRC) Trojan Horse that allows its creator to control a computer by using
   IRC. It is also a worm that can use the DCOM RPC vulnerability (described
   in Microsoft Security Bulletin MS03-026) to spread itself.
   Also Known As: IRC-BBot [McAfee], WORM_RPCSDBOT.A [Trend]

    24 August 2003 - Top Security News Specials From ZDNet
   Some of the latest interesting headlines:
   * Networks crippled by worms' onslaught
   The Sobig and Nachi worms continue wreaking havoc on systems
   worldwide, with hundreds of thousands of PCs affected.
   * Organised crime behind Sobig - virus expert
   An antivirus expert claims Sobig is the work not of 'script kiddies',
   but of sophisticated criminals who want to take control of PCs.
   * Sobig infects a third of China's PCs
   More than 20 million email users in China have opened the Sobig.F
   virus.
   * Windows patches may become automatic
   As the MSBlast worm makes it clear that something must be done about
   insecure PCs, Microsoft has said this may be the time to take more
   control of the Windows update mechanism.
   * Microsoft issues alert on three 'critical' flaws
   Three security flaws in Internet Explorer and Windows could leave PCs
   open to attack unless they are patched, Microsoft has warned.
   * Windows admin 'feature' poses latest hazard
   An obscure messaging feature in Windows could be the latest source of
   security problems for Internet users, experts have warned.

    24 August 2003 - Microsoft Security Bulletin MS03-033
   Microsoft TechNet Security's latest bulletin outlines "Unchecked Buffer
   in MDAC Function Could Enable System Compromise (823718)". Impact of
   vulnerability: Run code of the attacker's choice. Users should apply the
   security patch to affected systems.

    24 August 2003 - Microsoft Security Bulletin MS03-032
   Microsoft TechNet Security's latest bulletin outlines "Cumulative Patch
   for Internet Explorer (822925)". Impact of vulnerability: Two new
   vulnerabilities, the most serious of which could enable an attacker to run
   arbitrary code on a user's system if the user either browsed to a hostile
   Web site or opened a specially crafted HTML-based email message. Maximum
   Severity Rating: Critical. Recommendation: System administrators should
   install the patch immediately.

    24 August 2003 - F-Secure: The Sobig.F Activation was Prevented
   F-Secure reported on Saturday, August 23, 2003, that this was a close
   call, but the Sobig.F activation was prevented. F-Secure helped to shut
   down servers needed by the attack. The expected Internet activation of
   the Sobig.F worm has been prevented. The activation was programmed to
   take place on Friday the 22nd of August at 19:00 UTC. The activation was
   prevented through a 24-hour race against the clock by various
   organizations around the world.

    24 August 2003 - F-Secure Virus Report: Sobig.F
   This worm is part of the Sobig family, which was started by Sobig.A in
   January 2003. Sobig.F, which was discovered on August 19th, is then the
   fifth variant of this worm. Sobig variants all stop spreading on a certain
   date. When the previous variants expired, the next variant would start
   spreading. All Sobig versions have spread widely. Sobig variants typically
   install backdoors to infected systems. Some of them have been used to send
   massive amounts of spam. F-Secure is monitoring the Sobig.F developments.
   Aliases: W32.Sobig.F@mm [Symantec], Sobig.F [F-Secure], W32/Sobig.f@MM
   [McAfee], WORM_SOBIG.F [Trend], W32/Sobig-F [Sophos], Win32.Sobig.F [CA],
   I-Worm.Sobig.f [KAV]

    24 August 2003 - F-Secure Radar Level 2: Welchia or Nachi
   F-Secure Virus Report titled "A New Worm Installs Security Patches", says
   a new RPC worm known as Welchia or Nachi has been found. This worm spreads
   like Lovsan/Blaster. However, it disinfects Lovsan.A and installs several
   Microsoft security patches on vulnerable systems. This is not a good virus
   for many reasons. It's unauthorised. It's not tested. It creates
   compatibility problems. It might crash RPC services. It creates unnecessary
   network traffic (lots of it). And for many other reasons. For full
   discussion on this, see Dr. Vesselin Bontchev's infamous paper 'Are
   "Good" Computer Viruses Still a Bad Idea?', available at
   http://www.virusbtn.com/old/OtherPapers/GoodVir/
   Aliases: W32.Welchia.Worm [Symantec], W32/Welchia.worm10240 [AhnLab],
   W32/Nachi.worm [McAfee], WORM_MSBLAST.D [Trend], Lovsan.D [F-Secure],
   W32/Nachi-A [Sophos], Win32.Nachi.A [CA], Worm.Win32.Welchia [KAV]

    24 August 2003 - F-Secure Report: Lovesan / MSBlast
   F-Secure Virus Report titled "Lovesan worm attack succeeds and fails at
   the same time", says Microsoft made drastic changes in their Internet set
   up, changing the operations of their main servers. As to windowsupdate.com
   they just surrendered. As a result, the worm can't find a target address
   for the attack - and won't attack. F-Secure estimates that the Lovsan worm
   will continue to spread around the world in measurable amounts at least
   until 2005. Aliases: MSBlast, Poza, Blaster, W32/Msblast, Lovesun

    14 August 2003 - FRISK Security Alerts: W32/Msblast.B and W32/Msblast.C
   F-Prot Antivirus Alert Service announced on Aug 13, some new W32/Msblast
   variants: W32/Msblast.B & W32/Msblast.C have started spreading in the wild.
   These variants use the same vulnerability as their predecessor. Users
   that have already updated their Windows operating system with the patch
   available from Microsoft's website are therefore not vulnerable to these
   new variants of the Msblast RPC-worm.
   Recommended Reactions: The patch for this vulnerability was published by
   Microsoft on 16 July and can be found here:
   http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
   Computer users who have still not updated their operating systems are
   urged to do so immediately. Users of F-Prot Antivirus should also update
   their F-Prot Antivirus to latest version, update their virus signature
   files and scan their machines.
   Latest F-Prot anti-virus programs and signature files can be found here:
   http://www.f-prot.com/currentversions.html
   Threat Description: More information on these new variants will be
   released as it becomes available.
   Threat Detection: F-Prot Antivirus detects W32/Msblast.B & W32/Msblast.C
   with the latest virus signature files and prevents both worms from
   running and infecting a vulnerable machine.
   Alias: Lovsan, Poza, Blaster

    14 August 2003 - Microsoft Windows Update Requirements
   Microsoft says Windows Update is the online extension of Windows that
   helps you get the most out of your computer. Your browser will need to
   support Frames or ActiveX(R) technology. To learn more about browsers
   that do support these technologies, please visit the Microsoft Web site.
   Windows Update uses ActiveX Controls and active scripting to display
   content correctly and to determine which updates apply to your computer.
   To view and download updates for your computer, your Internet Explorer
   security settings must meet the following requirements:
     * Security must be set to medium or lower
     * Active scripting must be set to enabled
     * The download and initialization of ActiveX Controls must be set to
       enabled
   Note: These are default settings for Internet Explorer.
   To check your Internet Explorer security settings:
    1. On the Tools menu in Internet Explorer, click Internet Options.
    2. Click the Security tab.
    3. Click the Internet icon, and then click Custom Level.
    4. Make sure the following settings are set to Enable or Prompt:
          + Download signed ActiveX Controls
          + Run ActiveX Controls and plug-ins
          + Script ActiveX Controls marked safe for scripting
          + Active scripting

    14 August 2003 - MS Security Update Archives From MS03-023 to MS03-031
   Bulletin Number MS03-026 deals with the Lovsan/MSBlast/Blaster worm. Please
   update any of the required files before August 16th 2003. Also update your
   anti-virus program to the latest version plus the latest signature files
   available.
   * Microsoft Security Bulletin MS03-031
     Outlines "Security Update for Microsoft SQL Server(TM)". A number of
     security issues have been identified in the Microsoft(R) SQL Server(TM).
     For example, an attacker could cause the system to hang and become
     unresponsive. The Microsoft SQL server family includes MS SQL Server and
     a number of products built on the core SQL technology that are listed
     under "Products Affected by This Update." You can help protect your
     system by installing this update from Microsoft.
   * Microsoft Security Bulletin MS03-030
     Outlines "Security Update for Microsoft DirectX(R)". Microsoft DirectX
     is a group of technologies designed to make Windows-based computers run
     certain graphics, video, 3D animation, and audio applications.  You
     should apply this update if you run any of the affected software above.
     Also, if you have a version of DirectX installed on your computer that
     is not listed above you should consider upgrading to DirectX 9.0b.
   * Microsoft Security Bulletin MS03-028
     Outlines "Security Update for Microsoft Internet Security". A security
     issue has been identified that could allow an attacker to run programs
     and access data on a computer running Microsoft Internet Security and
     Acceleration Server 2000. This issue only affects computers configured
     to use MS Internet Security and Acceleration Server 2000 to connect
     to the Internet. You can help protect your computer by installing this
     update from Microsoft.
   * Microsoft Security Bulletin MS03-027
     Outlines "Security Update for Microsoft Windows(R)". A security issue
     has been identified in the Microsoft(R) Windows(R) shell that could
     allow an attacker to compromise a Microsoft Windows XP-based system and
     gain control over it. The Windows shell provides the basic framework of
     the Windows user interface experience. It is most familiar to users as
     the Windows desktop. You can help protect your computer by installing
     this update from Microsoft.
   * Microsoft Security Bulletin MS03-026
     Outlines "Security Update for Microsoft Windows". A security issue has
     been identified that could allow an attacker to compromise a computer
     running Microsoft(R) Windows(R) and gain control over it. You can help
     protect your computer by installing this update from Microsoft.
   * Microsoft Security Bulletin MS03-025
     Outlines "Security Update for Microsoft Windows". A security issue has
     been identified that could allow an attacker to compromise a computer
     running Microsoft(R) Windows(R) 2000 and gain control over it. To
     attempt an attack, the attacker would have to be able to log on to the
     computer. You can help protect your computer by installing this update
     from Microsoft.
   * Microsoft Security Bulletin MS03-024
     Outlines "Security Update for Microsoft Windows". A security issue has
     been identified in Microsoft(R) Windows(R) that could allow an attacker
     to compromise a Microsoft Windows-based system and then take a variety
     of actions. For example, an attacker could execute code on the system.
     You can help protect your computer by installing this update from MS.
   * Microsoft Security Bulletin MS03-023
     Outlines "Security Update for Microsoft Windows". A security issue has
     been identified in Microsoft(R) Windows(R) that could allow an attacker
     to compromise a computer running MS Windows and gain control over it.
     For example an attacker could execute code on your system. You can help
     protect your computer by installing this update from Microsoft.

    12 August 2003 - F-Secure Radar Level 1: Lovsan / msblast
   F-Secure Virus Report titled "F-Secure is upgrading the Lovsan worm (also
   known as Msblast) to Level 1 as it continues to spread rapidly", says
   currently it is the most widespread virus in the world. Symptoms include
   XP machines rebooting. This worm spreads to Windows servers and work-
   stations as MSBLAST.EXE, using the well-known RPC hole. The worm will
   launch an attack against windowsupdate.com on the 16th of August. The 6176
   byte executable "msblast.exe" contains about 11kB of uncompressed code,
   which apparently exploits the MS03-026 DCOM/RPC hole. More information
   is available on this vulnerability at:
   http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
   Alias: MSBlast, Poza, Blaster, W32/Msblast, Lovesun, W32.Blaster.Worm,
   W32/Lovsan.worm, Win32.Poza, WORM_MSBLAST.A, W32/Blaster-A, W32/Blaster
   * Click here for NAI Report on W32/Lovsan.worm
   * Click here for FRISK Virus Alert: W32/Msblast.A
   * Click here for Symantec Report on W32.Blaster.Worm

    12 August 2003 - Update Windows Today - Before It Gets Blasted
   ZDNet says Microsoft's Windows Update server could be out of service
   sooner rather than later because of a new worm that exploits a major
   Windows flaw. The MSBlast worm is spreading rapidly, and security experts
   predict that the spread will accelerate when hackers refine its code.
   Read more at ZDNet about protecting yourself from the MSBlast worm and
   cleaning up after the MSBlast worm

    12 August 2003 - Symantec Security Category 2: VBS.DDV.B
   Symantec Security Updates reports VBS.DDV.B is a Visual Basic Script
   (VBS) worm that attempts to spread to all the contacts in the Microsoft
   Outlook address book. The worm is similar to VBS.DDV, but makes
   additional destructive modifications to the registry. Note: Virus
   definitions dated prior to August 8th may detect this worm as VBS.DDV.

    12 August 2003 - Symantec Security Category 2: W32.Sowsat.B@mm
   Symantec Security Updates reports W32.Sowsat.B@mm is a mass-mailing worm
   that spreads by using its own SMTP engine. The email will have variable
   subjects and variable attachment names. The attachment should have a .exe
   file extension. An email claiming to be from Symantec was spammed to a
   large number of individuals in an attempt to get users to download and
   execute this worm. Please see the Additional information section for
   details. Also Known As: I-Worm.Sowsat.f [KAV]
   Variants: W32.Sowsat@mm

    07 August 2003 - F-Secure Radar Level 2: Mimail
   F-Secure Virus Report titled "A new massmailer known as Mimail has been
   spammed worldwide", says the worm sends e-mails which look like an admin-
   istrative e-mail from the local sysadmin. Messages come with subject
   "your account" and contain message.zip attachment. W32.Mimail.A@mm is a
   worm that spreads by email and steals information from a user's machine.
   Alias: W32/Mimail@MM (NAI), W32.Mimail.A@mm (Symantec) and WORM_MIMAIL.A
   (Trend)
   * Click here for NAI Report on W32/Mimail@MM
   * Click here for Symantec Report on W32.Mimail.A@mm

    07 August 2003 - NAI Virus Report: Downloader-DM
   Network Associates says this is not an email virus. This downloader
   trojan has been found within a self-extracting dropper package (possibly
   named worm.exe 113,507 bytes). The self-extracting archive carries 3
   files. Trojans do not self-replicate. They are spread manually, often
   under the premise that the executable is something beneficial.

    07 August 2003 - Symantec Security Category 2: Backdoor.WinShell.50
   Symantec Security Updates reports Backdoor.WinShell.50 is a server program
   that allows unauthorized access to an infected computer. The Backdoor will
   listen on port 8719. This piece of malware, along with Trojan.Stealther,
   has recently been found on systems which have been exploited by the MS
   DCOM RPC vulnerability.
   Also Known As: Backdoor.Winshell.50 [KAV], BackDoor-TC [McAfee]

    07 August 2003 - Symantec Security Category 2: Backdoor.IRC.Cirebot
   Symantec Security Updates reports Backdoor.IRC.Cirebot is a Trojan Horse
   that exploits the Microsoft DCOM RPC vulnerability (described in Microsoft
   Security Bulletin MS03-026) by installing a backdoor Trojan Horse on vul-
   nerable systems. Backdoor.IRC.Cirebot consists of a Backdoor component
   and a Hacktool component, which installs the backdoor on systems that are
   vulnerable to the exploit. Read the bulletin for some signs of infection.
   Also Known As: Win32.RPC.A, Worm.Win32.Autorooter.a, Backdoor.IRCBgen,
   Exploit.Win32.DCom.b, Downloader-DM, W32/Lolol.worm.gen & Exploit-DcomRpc

    03 August 2003 - More Viruses To Look Out For
   VirusList.com Alert reported these on July 22nd:
   * Win16.HLLP.Hiro.10240
   Hiro is a non-dangerous, non-memory-resident parasitic virus written in
   Pascal. It is a 16 bit NE EXE file that also works under Windows 3.xx.
   The virus contains the text string: Hiroshima end 000 v1.2000:0000
   * Win32.Seppuku.2764
   Seppuku is not a dangerous parasitic Win32 virus. The Win32.Seppuku.2764
   virus searches for PE EXE files in the current and Windows directories.
   Seppuku contains the following text string:
   Win32/Seppuku v1.1 (c) 2001 Tokugawa Ieyasu
   * Win32.SanKey
   SanKey is a very dangerous parasitic Win32 virus. The SanKey virus
   searches for PE EXE files in the current directory and corrupts files
   while infecting them. When infecting a PE EXE file the virus creates a
   section named "kaze/FAT".

    03 August 2003 - The "Webber" Trojan Turns Computers Into Spam Machines
   VirusList.com Alert report from July 16 says Webber does its harm by
   installing a proxy server by which evildoers can send out any data held
   on infected machines. In the week prior to the report, Kaspersky Labs
   detected three Trojan programs of this type.
   * Kaspersky Virus Encyclopedia: "Webber" trojan

    03 August 2003 - VirusList Alerts: New Viruses
   VirusList.com Alert reported these on July 9th:
   * Worm.Naliv
   Naliv is a network worm spreading over local and global networks. The
   worm itself is a Win32 application (PE EXE file) written in Borland C++.
   * Backdoor.Nickser
   Nickser is a backdoor trojan program. The trojan itself is a Windows PE
   EXE file. When run, the backdoor copies itself under the name lsass.exe
   to the Windows directory and registers itself in the system registry
   auto-run key. Nickser reads its "master's" instructions from an encrypted
   script file located on the Web at http://go.xmain.da.ru
   * Win32.Melder
   Melder is a non-memory-resident parasitic Win32 virus. The virus itself
   is a Windows PE EXE file, and infects .EXE files in the Kazaa file sharing
   network download directory. In case Kazaa is not installed, the virus
   fails to infect the computer. While infecting, the virus writes itself to
   the beginning of the file.
   The virus contains the text string:
   This Is A Infected File Infecting Kazaa Files...

    01 July 2003 - NAI Virus Report: NukeDetector application
   Network Associates says this detection is of the application type, for
   "potentially unwanted applications"; it is not a virus. This program is
   designed to listen for certain types of nukes (malformed IP packets),
   and report them to the local user.
 
    01 July 2003 - NAI Virus Report: W32/Colevo@MM
   Network Associates says W32/Colevo@MM is a mass-mailing worm, which
   harvests MSN Messenger contact addresses. It launches Internet Explorer
   and connects to various news websites, displaying images of Bolivian
   Aymara Indian leader Evo Morales. Read the report for a list of websites
   it connects to, and for the names of the files it copies to your system.
   Aliases: I-Worm.Colevo and Win32/Meve.a@MM
 
    29 June 2003 - NAI Virus Report: Adware-SubSearch application
   Network Associates says this potentially unwanted program is responsible
   for downloading and installing the Adware-SSF.dr trojan (ttps.exe), which
   installs the Adware-SSF application. This adware program is designed to
   act as a search page replacement to deliver targeted advertisements to
   its users based on search queries and URLs visited.
   Aliases: SbSrch_V2.dll and SbSrch_V22.dll
 
    29 June 2003 - Symantec Security Category 2: W32.Vivael@mm
   Symantec Security Updates reports W32.Vivael@mm is a mass-mailing worm
   that uses its SMTP engine to send itself to all MSN messenger contacts
   of the user and modifies files: Win.ini, System.ini, Wininit.ini, and
   Winstart.bat. The email has the following characteristics:
   Subject: El adelanto de matrix ta gueno
   Message: Oye te ? paso el programa para entrar a cuentas del messenger
   Z y facilingo te lo paso a voz nomas, prometeme que no se lo pasas a
   nadie, ya? u Respondeme que tal te parecio. chau
   Attachment: hotmailpass.exe
 
    29 June 2003 - Symantec Security Category 2: W32.Klexe.Worm
   Symantec Security Updates reports W32.Klexe.Worm is a worm that uses MS
   Outlook to send a Web site link to all contacts in Outlook Address Book.
   The link contains the zipped version of the worm. This worm has a Trojan
   component that captures all keystrokes and sends the stolen information
   to a predefined hacker's email address periodically.
 
    29 June 2003 - Symantec Security Category 2: W32.Mumu.B.Worm
   Symantec Security Updates reports W32.Mumu.B.Worm is a worm that spreads
   through network shares. The main worm component is a file named Mumu.exe.
   The worm will create various files on the infected system, including both
   legitimate utilities and malicious files. Symantec products will detect
   the malicious files as Trojan.Mumuboy and Hacktool.Hacline. Also Known
   As: W32/Mumu.b.worm and WORM_MUMU.A
 
    27 June 2003 - VirusList Alerts: Sobig.E Is Getting Bigger
   VirusList.com Alert says over the past 24 - 36 hours Sobig.e has easily
   been the most active worm out there, with MessageLabs, a British email
   filtering outsourcer, reportedly stopping well over 25,000 copies.
   Sobig.e getting around as a Zip file is a significant twist because while
   company gateways often filter out potentially dangerous file formats such
   as .exe, .vbs and .scr files, the .zip format is rarely scrutinized by
   businesses. Indeed past Sobig variants would have usually never made it
   past company gateways.  As with other Sobig variants, Sobig.e has limited
   life and is programmed to stop spreading by July 14, 2003, though the
   worm's ability to remotely access update files is not quashed upon this
   date.
   * Kaspersky Virus Encyclopedia: Sobig.E
 
    26 June 2003 - Fortnight Worm Wriggles Through An Old Breach
   VirusList.com Alert says the Fortnight Internet worm takes advantage of
   the Microsoft VM ActiveX security vulnerability for which MS released a
   security patch three years ago. When this security breach is left un-
   patched the worm's code is allowed to be executed on victim computers.
   The worm attempts to alter registry keys and add new favorites to victim
   browsers. Among the favorites victims may find added are:
   SEXXX. Totaly Teen.url
   Make BIG Money.url
   6544 Search Engines Submission.url
   Nude Nurses.url
   Search You Trust.url
   Your Favorite Porn Links.url.
   More info about this vulnerability and patch for it is available at:
   http://www.microsoft.com/technet/security/bulletin/ms00-075.asp
 
    26 June 2003 - FRISK Security Alerts: W32/Sobig.E@mm
   F-Prot Antivirus Alert Service says this latest variant was found in the
   wild on the 25th of June 2003. It has gained wide distribution in less
   than 24 hours, and is now the second most frequently caught virus by
   F-Prot AVES. In the same way as its predecessors it spreads both via
   infected e-mail attachments and through open network shares.
   Messages bearing the virus have the following characteristics:
   * From address. This address is made up by W32/Sobig.E@mm and is not
     a valid e-mail address.
   * Subject: The Subject is randomly selected from a list contained
     inside the virus (read the report for the names on the list)
   * Attachment: An attachment bearing W32/Sobig.E@mm will be called one
     of these names:
     application.zip (contains application.pif)
     document.zip (contains document.pif)
     movie.zip (contains Movie.pif)
     screensaver.zip (contains sky.world.scr)
     your details.zip (contains details.pif)
   Much like its predecessors, W32/Sobig.E@mm has a built-in end date, after
   which it will no longer distribute itself. With this variant the end
   date is 14th of July. W32/Sobig.E@mm is detected with the current
   versions of F-Prot Antivirus using virus signature files dated from
   25 June 2003 or later.
   * Click here for Current F-Prot Antivirus versions and signature files
   * Kaspersky Virus Encyclopedia: Sobig.E
   * Symantec Security Report Category 3: W32.Sobig.E@mm
     Also Known As: Win32.Sobig.E [CA], W32/Sobig-E [Sophos], W32/Sobig.e@MM
     [McAfee] and WORM_SOBIG.E [Trend]
 
    26 June 2003 - Symantec Security Category 2: W32.HLLW.Lovgate.L@mm
   Symantec Security Updates reports the W32.HLLW.Lovgate.L@mm worm is a
   variant of W32.HLLW.Lovgate.I@mm. This worm has been repacked to make it
   difficult for antivirus software to detect it. For more information about
   the worm, refer to the W32.HLLW.Lovgate.I@mm writeup. Also Known As:
   I-Worm.Lovgate.i
 
    26 June 2003 - Symantec Security Category 2: W32.Yaha.T@mm
   Symantec Security Updates reports W32.Yaha.T@mm is a worm that is a
   variant of W32.Yaha.J@mm, terminates some antivirus + firewall processes
   and uses its own SMTP engine to email itself to all the contacts in the
   Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager, and in
   all the files whose extensions contain the letters HT. The email message
   has a randomly chosen subject line, message, and attachment name. The
   attachment will have a .com, .exe, or .scr file extension. Also Known As:
   I-Worm.Lentis.gen, W32/Yaha.t@MM and W32/Yaha-T
 
    26 June 2003 - Symantec Security Category 2: W32.HLLW.Magold.E@mm
   Symantec Security Updates reports W32.HLLW.Magold.E@mm is a mass-mailing
   worm that sends itself to all the contacts it finds in Windows Address
   Book, as well as in all the files whose extension begins with "ht." The
   email will have a random subject and a file attachment named
   Sziszi_video.scr. The worm also attempts to spread itself through various
   file-sharing networks, mIRC and Pirch. It attempts to terminate processes
   of various programs, including antivirus software. The worm displays a
   fake message when initially executed. Also Known As: WORM_AURIC.E,
   I-Worm.Magold.e and W32/Magold-D, with Variants: W32.HLLW.Magold@mm
 
    26 June 2003 - Microsoft Security Bulletin MS03-022
   Microsoft TechNet Security's latest bulletin outlines "Flaw in ISAPI
   Extension for Windows Media Services Could Cause Code Execution (822343)"
   When Windows Media Services are added through add/remove programs to
   Windows 2000, nsiislog.dll is installed in Internet Information Services
   (IIS) Scripts directory on the server. Once Windows Media Services is
   installed, nsiislog.dll is automatically loaded and used by IIS. There is
   a flaw in the way nsiislog.dll processes incoming client requests. The
   fix eliminates the vulnerability by ensuring that the Nsiislog.dll file
   correctly responds to requests.
 
    26 June 2003 - Microsoft Security Bulletin MS03-021
   Microsoft TechNet Security's latest bulletin outlines "Flaw In Windows
   Media Player May Allow Media Library Access (819639)". A vulnerability
   exists because an attacker could invoke the ActiveX control from script
   code, which would allow the attacker to view and manipulate metadata
   contained in the media library on the user's computer. The patch elimi-
   nates the vulnerability by ensuring the Windows Media Player 9 Series
   ActiveX Control properly validates access to the Media Library.
 
    26 June 2003 - NAI Virus Report: Downloader-BN.b
   Network Associates says this trojan pretends to be the latest patch from
   Microsoft and is believed to have been SPAMmed to many users.
   Symptoms: Presence of the file REGSVS32.EXE in the Windows directory
   with an icon typically associated with the Registry Editor. As the trojan
   uses remote files, the effects of an infection may vary.
   Method Of Infection: This trojan connects to a remote website to retrieve
   a text file, which contains a URL specifying a remote file to download.
   Read the report for the message format and manual removal instructions.
   Aliases: TrojanDownloader:Win32/Zasil (GeCAD)
 
    26 June 2003 - Help & HowTo: Sobig.e Worm
   ZDNet says new worm gives us yet another reason not to open attached
   email files
 
    26 June 2003 - Explorer Flaw Creates 'Critical' Worm-hole
   ZDNet says Microsoft's Web browser contains a vulnerability that could
   admit damaging Internet worms, according to security experts
 
    26 June 2003 - Microsoft Patches 'Important' Security Hole
   ZDNet says flaws in Windows 2000 Server and Windows Media Player 9 raise
   security and privacy concerns
 
    24 June 2003 - VirusList Alerts: Viruses To Watch For
   Kaspersky Lab has their latest list of nasties to watch out for
   * Click here for Virus Alert on Worm.Win32.Sluter
   Sluter is a worm virus that spreads over Win32 networks through shared
   resources. The spreading routine runs up to 60 "threads" which scan
   port 445 at random IP addresses. When successfully connecting to a victim
   machine it tries to locate open resources on the remote computer and
   connects to them using several passwords.
   * Click here for Virus Alert on I-Worm.Mapson
   Mapson Internet worm spreads via the Internet as a file attached to
   infected emails and through file sharing networks and folders. While
   installing, the worm copies itself to the Windows system directory using
   the name Lorraine.exe. It then registers this file in the system registry
   auto-run key.
   * Click here for Virus Alert on I-Worm.Sobig.c
   Sobig.c is a worm virus spreading via the Internet as an infected e-mail
   file attachment. The worm also spreads via network resources. The worm is
   activated from infected email only if the attached file is clicked on.
   When run the worm installs itself to the system and runs a spreading
   routine.
 
    22 June 2003 - NAI Virus Report: Sniff-Systrim
   Network Associates says this threat was updated to a Low-Profiled risk
   due to media attention at: http://www.vnunet.com/News/1141730 This trojan
   examines TCP network traffic in an attempt to capture usernames and
   passwords. Info is logged to the files c:\temp.txt and c:\logfile.txt.
   The contents of this information are sent to an email address @163.com,
   via the SMTP server 61.135.132.125 and the trojan's internal SMTP engine.
 
    11 June 2003 - Symantec Security Category 2: W32.Mapson.Worm
   Symantec Security Updates reports W32.Mapson.Worm sends itself to all
   contacts found in the MSN messenger contact list. The Subject line,
   Message body, and attachment vary. The attachment will have a .com,
   .exe, or .pif file extension. The email also may have spoofed From field.
   This worm also attempts to spread itself through KaZaA, KaZaA Lite,
   eDonkey2000, Gnucleus, Limewire, Morpheus, Grokster file-sharing networks
   and ICQ. Also Known As: W32/Mapson@MM
 
    11 June 2003 - Symantec Security Category 2: W32.Femot.Worm
   Symantec Security Updates reports W32.Femot.Worm is a worm that attempts
   to spread through a local network. The worm attempts to use ports 135 and
   139. W32.Femot.Worm also has Backdoor capabilities. Symantec has created
   a tool to remove W32.Femot.Worm, which is the easiest way to remove this
   threat. Also Known As: W32/MoFei.worm, WORM_MOFEI.A, W32/Mofei-A and
   Backdoor.Mofeir.101
 
    11 June 2003 - Antivirus-Killing Virus Threat Upgraded
   ZDNet says the antivirus-killer Bugbear has mutated into Bugbear.B and is
   on the loose, according to security experts
 
    11 June 2003 - Microsoft Security Bulletin MS03-020
   Microsoft TechNet Security's latest bulletin outlines "Cumulative Patch
   for Internet Explorer (818529)". This is a cumulative patch that includes
   the functionality of all previously released patches for IE 5.01, 5.5 and
   6.0. In addition, it eliminates two newly discovered vulnerabilities:
   A buffer overrun vulnerability, and a flaw that results because IE does
   not implement an appropriate block on a file download dialog box.
 
    05 June 2003 - Symantec Security Category 3: W32.Bugbear.B@mm
   Symantec Security Updates reports W32.Bugbear.B@mm is a variant of
   W32.Bugbear@mm. W32.Bugbear.B@mm is a mass-mailing worm that also spreads
   through network shares. The worm is polymorphic and also infects a select
   list of executable files. The worm has keystroke-logging and backdoor
   capabilities and also attempts to terminate the processes of various
   antivirus and firewall programs. Also Known As: Win32.Bugbear.B and
   W32/Bugbear.b@MM [McAfee]
   * Click here for NAI report on W32/Bugbear.b@MM
   * Click here for F-Secure report on Bugbear.B
   * KLabs report: Beware, Dangerous Tanatos.b Is On The Loose!
   * KLabs Virus Encyclopedia: details describing Tanatos.a and Tanatos.b
 
    05 June 2003 - Symantec Security Category 2: W32.HLLW.Xolox@mm
   Symantec Security Updates reports W32.HLLW.Xolox@mm is a worm that
   attempts to spread across the KaZaA file-sharing network. It also uses
   MS Outlook to send itself to all the contacts in the MS Outlook Address
   Book. The email messages have the following characteristics:
   Subject: Where are you? Attachment: varies
 
    05 June 2003 - Symantec Security Category 2: W32.HLLW.Lovgate.K@mm
   Symantec Security Updates reports W32.HLLW.Lovgate.K@mm is a variant of
   W32.HLLW.Lovgate.I@mm. It has been repacked to make it difficult for
   existing antivirus software to detect. If the infected computer runs
   Windows NT, 2000, or XP, the worm will attempt to disguise itself as the
   normal Windows process, "LSASS.EXE." This worm does large scale e-mailing,
   modifies files and compromises security settings.  Also Known As:
   I-Worm.LovGate.i and W32/Lovgate.l@M, with variants W32.HLLW.Lovgate.I@mm
   and W32.HLLW.Lovgate.J@mm
 
    05 June 2003 - Symantec Security Category 2: Bat.Mumu.A.Worm
   Symantec Security Updates reports Bat.Mumu.A.Worm is a collection of batch
   files and utilities, as well as a hacktool named Hacktool.Hacline. It is
   possible that the names and functions of the files may change. Symantec's
   information discussed in this writeup is based on the samples that
   Security Response has reviewed. Also Known As: BAT/Mumu.worm & Bat/Mumu-A
 
    05 June 2003 - Symantec Security Category 2: W32.Naco.C@mm
   Symantec Security Updates reports W32.Naco.C@mm is a mass-mailing worm
   that attempts to spread itself through email and file-sharing networks.
   The worm also contains Backdoor functionality and attempts to
   replace HTML files on the Microsoft IIS server. Read the report for the
   characteristics. There is an attachment called ANACON32.EXE.
   Also Known As: W32/Naco.d@MM [McAfee]
 
    05 June 2003 - Windows Server 2003 Gets First Security Patch
   ZDNet says despite the embarrassment of having to release a security
   patch for its Server 2003 operating system barely two months after
   launch, Microsoft claims the details are a positive sign for trustworthy
   computing
 
    05 June 2003 - Microsoft Unveils New Security Initiatives
   ZDNet says Microsoft said it will redesign its patch management system
   and partner with VeriSign on Web services authentication, as it aims to
   improve its reputation on security issues
 
    05 June 2003 - Sobig Virus Rampage Targets UK
   ZDNet says Sobig.C is now the most prevalent worm on the Internet,
   according to one measure, with the UK the most affected
   * Help & HowTo: Sobig.C
 
    01 June 2003 - F-Secure Radar Level 2: Holar.H
   F-Secure Virus Report says Holar.H worm was found on 28th of May, 2003.
   It spreads over e-mail and Kazaa P2P networks. The worm was written in
   Visual Basic and is compressed with the UPX executable compressor.
   Holar.H searches through '.htm', '.html', '.txt' and '.dbx' files to
   collect email addresses. Using its own SMTP engine it sends messages
   with infected attachments to these addresses.
 
    01 June 2003 - Symantec Security Category 2: W32.Sobig.C@mm
   Symantec Security Response has discovered a new variant of W32.Sobig
   known as W32.Sobig.C@mm. Analysis is currently being performed and
   additional information will be made available as soon as possible.
 
    01 June 2003 - Symantec Security Category 2: W32.Erah.A@mm
   Symantec Security Updates reports W32.Erah.A@mm is a mass-mailing worm
   that sends itself to all the addresses in the Windows Address Book. The
   subject: line will be one of the following: FW: Your Hare is Balding,
   RE: You New Hare or FW: FW: FW: The Hare. The Attachment: has the original
   worm filename. The above email routine will occur on the following days
   only: January 1, February 14, April 1, April 21, July 4, August 12,
   October 1, November 14, and December 25
 
    01 June 2003 - Symantec Security Category 2: W32.HLLW.Magold@mm
   Symantec Security Updates reports W32.HLLW.Magold@mm is a mass-mailing
   worm that sends itself to the contacts it finds in the Windows Address
   Book, as well as in all the files with the .html, .htm, and .hta file
   extensions. When W32.HLLW.Magold@mm is executed, it will display a fake
   message box with the title, "DirectX." The email message has the file
   attachment, Maya Gold.scr. It also spoofs the From address to be
   "erotika@lap.hu." The worm also spreads through different peer-to-peer
   file-sharing programs and through mIRC. Also Known As: W32/Auric@MM,
   W32/Magold-A, WORM_MAGOLD.A, Win32.Auric.A and I-Worm.Magold
 
    01 June 2003 - Microsoft Security Bulletin MS03-019
   Microsoft TechNet Security's latest bulletin outlines "Flaw in ISAPI
   Extension for Windows Media Services Could Cause Code Execution (817772)"
   Impact of vulnerability: Allow an attacker to execute code of their
   choice. Recommendation: System administrators should install the patch
   at the earliest available opportunity.
 
    01 June 2003 - Microsoft Security Bulletin MS03-018
   Microsoft TechNet Security's latest bulletin outlines "Cumulative Patch
   for Internet Information Service (811114)". Impact of vulnerability:
   Allow an attacker to execute code of their choice. Recommendation:
   Customers hosting web servers using MS Windows NT 4.0, Windows 2000, or
   Windows XP should install the patch at the earliest opportunity.
 
    28 May 2003 - VirusList Alerts: New Nasties!
   Kaspersky Lab has a few listed in their May 27th mailing list.
   * I-Worm.Nocana (aka Naco)
   Nocana is a worm virus spreading via the Internet as an e-mail file
   attachment and via P2P file sharing networks. The worm contains a backdoor
   routine. The worm itself is a Windows PE EXE file, written in Visual
   Basic and is related to the I-Worm.Melare email worm. Note that the
   real attached .EXE file name is hidden by a false .JPG extension.
   * Worm.P2P.SpyBot 
   SpyBot is a peer-to-peer worm with backdoor capabilities that can
   also spread via computers infected with some Backdoor programs.
   SpyBot also tries to kill some firewalls and anti-virus programs.
   * Win32.Initx
   Initx is a harmless per-process resident Win32 virus. It infects
   Windows Portable Executable (PE) files that have the ".EXE"
   filename extension in the Windows and Windows System directories,
   and also tries to infect all of the computer's network shares.
 
    28 May 2003 - Symantec Security Category 2: W32.Naco.B@mm
   Symantec Security Updates reports W32.Naco.B@mm is a mass-mailing worm
   that attempts to spread itself through email and file-sharing networks.
   The worm also contains Backdoor functionality and attempts to replace
   HTML files on the Microsoft IIS server. The VB run-time libraries are
   required to execute W32.Naco.B@mm. Note: Due to bugs in the code,
   W32.Naco.B@mm may not properly work. Also Known As: W32/Naco.b@MM,
   Win32.Naco.B, WORM_NACO.B, W32/Anacon-B and I-Worm.Nocana.b
 
    28 May 2003 - Symantec Security Category 2: W32.HLLW.Lovgate.J@mm
   Symantec Security Updates reports W32.HLLW.Lovgate.J@mm is a variant of
   W32.HLLW.Lovgate.I@mm. It has been repacked to make it difficult for
   existing antivirus software to detect. This worm attempts to reply to
   incoming email messages and the email addresses it finds in HTML files.
   It infects all .exe files in local hard drives and network-shared folders
   and compromises security settings.
 
    28 May 2003 - Symantec Security Category 2: W32.HLLW.Redist@mm
   Symantec Security Updates reports W32.HLLW.Redist@mm is a mass-mailing
   worm that attempts to email itself to all the contacts in the Windows
   Address Book. The email will have a subject line and attachment chosen
   from a predetermined list. The attachment will have a .exe, .pif, or
   .scr file extension. The worm also attempts to spread itself through the
   KaZaA file-sharing network. Also Known As: W32/Gant.b@mm [McAfee]
 
    28 May 2003 - Symantec Security Category 3: W32.Sobig.B@mm
   Symantec Security Updates reports W32.Sobig.B@mm is a mass-mailing worm
   that sends itself to all the email addresses, purporting to have been
   sent by Microsoft (support@microsoft.com). The worm finds the addresses
   in files with certain extensions. The worm de-activates on May 31, 2003,
   and therefore, the last day on which the worm will spread is May 30, 2003.
 
    28 May 2003 - Symantec Security Category 2: W32.HLLW.Maax.B@mm
   Symantec Security Updates reports W32.HLLW.Maax.B@mm is a mass-mailing
   worm that uses a current MAPI program (for example, Microsoft Outlook)
   to send itself to all the contacts in a current MAPI program's Address
   Book. When this worm is run, a message displays with the title, "Axam
   Spitmaxa Worm II." Refer to the Technical Details section for more
   information.
 
    28 May 2003 - Kazaa & iMesh In 'Serious' Security Alert
   ZDNet says P2P file sharing network users were urged to install a patch
   to fix a 'serious' security vulnerability that has been discovered by
   Random Nut
 
    28 May 2003 - Symantec Security Category 2: W32.Kwbot.C.Worm
   This is an older report that was upgraded by Symantec to Category 2 on
   Feb 28, 2003 based on increased rate of submissions. Symantec Security
   reports W32.Kwbot.C.Worm attempts to spread itself through the KaZaA and
   iMesh file-sharing networks. It also has a backdoor Trojan capability
   that allows a hacker to gain control of the compromised computer. When
   W32.Kwbot.C.Worm runs, it does a number of things, including copying
   itself as either System32.exe or Cmd32.exe, adding a value to some
   registry keys and creating the subkey, krypton, with the result that
   the worm runs when you start your computer.
   Also Known As: Worm.P2P.Tanked.14, and Win32/HLLW.Kwbot.C
 
    22 May 2003 - VirusList Alerts: Exploit.SelfExecHtml vulnerability
   Kaspersky Labs reports the appearance of the Trojan program, 'StartPage',
   the first malware to infect computers via the "Exploit.SelfExecHtml"
   vulnerability in the Internet Explorer security system. Making infection
   particularly dangerous is the fact that Microsoft has yet to release the
   required patch, essentially leaving users defenseless in the face of this
   and other, potentially more dangerous threats choosing to exploit the
   very same vulnerability.
 
    22 May 2003 - IRC Administrators May Out-hack Fizzer Virus
   ZDNet says Internet relay chat network administrators have found several
   possible ways of stopping the Fizzer worm, but they might run afoul of US
   hacking laws.
 
    19 May 2003 - F-Secure Radar Level 1: Palyh worm / Sobig.B
   F-Secure Virus Report says Sobig.B (also known as Palyh or Mankx) was
   first seen on Sunday, 18th of May. The worm spreads via e-mail attachments
   and Windows network shares. The e-mails sent by the worm pretend
   to come from support@microsoft.com and they contain the message text
   "All information is in the attached file".
   Alias: Sobig.B, Palyh worm or Mankx
   * Click here for FRISK Security Alert: W32/Sobig.B@mm
 
    14 May 2003 - F-Secure Radar Level 2: Lovgate.I, Lovgate.J and Lovgate.K
   F-Secure Virus Report says three new Lovgate variants known as Lovgate.I,
   Lovgate.J and Lovgate.K have been found on May 13th, 2003. These are
   similar to old Lovgate variants, but in addition they infect executable
   files.
 
    13 May 2003 - VirusList Alert: The Second Coming Of the "Lovgate" Worm
   VirusList.com Alert says five new modifications of the "Lovgate" Internet
   worm have been detected. Presently, there have already been multiple
   registered infections at the hands of this malicious program in Japan.
   "Lovgate" spreads via e-mail and local area networks. Additionally, it
   installs on infected machines, a spyware program that allows a malefactor
   to clandestinely control the computer and with which it is possible to
   leak out confidential information.
 
    12 May 2003 - VirusList Alerts: Fizzer Worm Still On The Move
   VirusList.com Alert says in addition to e-mail, "Fizzer" spreads via the
   KaZaA P2P file-sharing network, and employs sneaky and dangerous tactics
   such as a 'key logger' and a trojan program that allows remote management
   of infected computers. A more detailed explanation of the Fizzer program
   is available in the Kaspersky Virus Encyclopedia.
   * F-Secure is upgrading the Fizzer worm to Level 1
   * NAI upgraded W32/Fizzer@MM to Medium-On-Watch Level
   * Symantec Security upgraded W32.HLLW.Fizzer@mm to Category 3
 
    12 May 2003 - Virus Spam Mails Sent From Faked Amiga.com Account
   A story at amiga.news says that, according to several messages, mass spam
   emails containing a Windows virus are currently being sent from a faked
   Amiga.com account. Should you receive an unexpected email from the
   sender gary@amiga.com or michael@amiga.com and use Windows as your
   operating system, please handle this email carefully.
 
    10 May 2003 - F-Secure Radar Level 2: Fizzer
   F-Secure Virus Report says a complex new e-mail worm known as Fizzer has
   been found. It spreads itself via e-mails and P2P networks. The worm
   installs several backdoors and contains a denial-of-service agent. It
   can also update itself automatically.
   Alias: W32/Fizzer@MM, W32/Fizzer.A
 
    10 May 2003 - F-Secure Radar Level 2: Kickin
   F-Secure Virus Report says a new worm known as Kickin and Cydog.D is
   spreading in the wild. It spreads via email, P2P and IRC systems. The
   worm sends several different e-mails, some of which include references
   to the SARS disease. W32.HLLW.Kickin.A@mm spoofs the sender's email
   address. The attachment has the extension .com, .exe, .scr, or .pif.
   Alias: I-Worm.Cydog.c, W32/Cydog.D, W32/Kickin@MM [McAfee], Cydog.D,
   W32/Kickin.A@mm, W32.HLLW.Cydog.C@mm, Win32.Kickin.A [CA]
 
    10 May 2003 - Microsoft Security Bulletin MS03-017
   Microsoft TechNet Security's latest bulletin outlines "Flaw in Windows
   Media Player Skins Downloading could allow Code Execution (817787)". A
   flaw exists in the way Windows Media Player 7.1 and Windows Media Player
   for Windows XP handle the download of skin files. This is an arbitrary
   code execution vulnerability, with a severity rating of Critical.
   Recommendations: Customers should apply the patch.
 
    07 May 2003 - Symantec Security Category 2: W32.HLLW.Cydog.C@mm
   Symantec Security Updates reports W32.HLLW.Cydog.C@mm is a mass-mailing
   worm that uses its own SMTP engine to send itself to the email addresses
   that it finds in the .NET, MSN Messenger, Yahoo Pager, Windows and the
   ICQ Address Books. The worm also attempts to spread itself through the
   Morpheus, Bearshare, and Edonkey2000 file-sharing networks, and through
   mIRC. This worm terminates some antivirus and firewall processes.
 
    07 May 2003 - Symantec Security Category 2: W32.Yaha.S@mm
   Symantec Security Updates reports the W32.Yaha.S@mm worm is a variant of
   W32.Yaha@mm. This variant terminates some antivirus and firewall processes.
   The worm retrieves email addresses from the Windows Address Book, the
   contacts lists of MSN Messenger, .NET Messenger, Yahoo Pager, and ICQ.
   It also retrieves email addresses from the files whose extensions contain
   the letters HT.
 
    01 May 2003 -  NAI Virus Report: Adware-ShowBehind application
   Network Associates says this detection is of application type for
   "potentially unwanted applications"; it is not a virus. This program
   is generally installed by certain 3rd party applications, generally
   freeware. Read the report for Removal Instructions.
 
    01 May 2003 - Microsoft Security Bulletin MS03-016
   Microsoft TechNet Security's latest bulletin outlines "Cumulative Patch
   for BizTalk Server (815206)". Two vulnerabilities exist, the most serious
   of which could allow an attacker to run code of their choice. Systems
   Administrators using MS BizTalk should consider applying the patch.
 
    29 April 2003 - Symantec Security Category 2: W32.Nolor@mm
   Symantec Security Updates reports W32.Nolor@mm is a mass-mailing worm that
   uses its own SMTP engine to send itself to all the contacts in the Windows
   Address Book. The email will have a variable subject and an attachment
   with the filename Kiss.ok.exe. Read the notice for removal instructions

    29 April 2003 - Symantec Security Category 2: W32.HLLW.Kullan
   Symantec Security Updates reports W32.HLLW.Kullan is a worm that has
   backdoor capabilities. It spreads across networks, by copying itself to
   the Start Menu of computers, which an infected computer can access. The
   most common reason for this access is an unprotected shared resource.
   Some of the backdoor capabilities include retrieving information related
   to the computer and operating system type, logging of keystrokes, and
   examining email. Read the notice for removal instructions

    29 April 2003 -  NAI Virus Report: W32/Lovelorn@MM
   Network Associates says this is a mass-mailing worm which uses its own
   SMTP engine to mail itself from the victim's machine, either as an
   executable or via an HTML dropper. Read the notice for how the attachment
   is named, i.e. %USERNAME%.KISS.OK.EXE, where %USERNAME% is derived from
   the "From:" address of the message.

    29 April 2003 -  NAI Report: Perfect Keylogger application 
   Network Associates says this is a spyware application. It is not a virus
   or trojan, but is classified as a "potentially unwanted program" and may
   be detected accordingly with VirusScan 7 when scanning for potentially
   unwanted programs. The keylogger is designed to monitor system use. Read
   the notice for Removal Instructions 

    29 April 2003 -  NAI Report: PornDial-167 application 
   Network Associates says this is a well behaved porn dialer application.
   It is not a virus or trojan, but is classified as a "potentially unwanted
   program" and may be detected accordingly with VirusScan 7 when scanning
   for potentially unwanted programs. Read report for Removal Instructions

    29 April 2003 - Microsoft Security Bulletin MS03-015
   Microsoft TechNet Security's latest bulletin outlines "Cumulative Patch
   for Internet Explorer (813489)". Four new vulnerabilities, the most
   serious of which could enable an attacker to execute arbitrary code on a
   user's system if the user either browsed to a hostile web site or opened
   a specially crafted HTML email message. System administrators should
   install the patch immediately.

    29 April 2003 - Microsoft Security Bulletin MS03-014
   Microsoft TechNet Security's latest bulletin outlines "Cumulative Patch
   for Outlook Express (330994)". This bulletin addresses a vulnerability
   that could allow an attacker to run code of the attacker's choice on a
   user's machine. Customers should install the patch at the earliest
   opportunity.

    29 April 2003 - Microsoft Patches Windows NT WebDAV Flaw
   ZDNet says the company has issued a fix for a flaw originally discovered
   in Windows 2000, which allowed attackers to crack a military server

    29 April 2003 - VirusList News: Viruses To Look Out For!
   VirusList.com News has an article outlining these viruses:
   * I-Worm.Yanker
   * I-Worm.Win32.Fasong
   * Win32.Spreder

    29 April 2003 - Basic Computer Virus Types and Actions
   Kaspersky Lab says everyone knows that computer viruses, like their
   biological cousins, are bad news, but beyond this and perhaps a rough
   understanding very few can distinguish one from another or describe just
   how these pests operate. To shed some light on the subject, read the
   report for the main virus forms with descriptions of what they do.

    18 April 2003 - XP Service Pack 1 Has Memory Management Glitch
   VirusList.com News says Microsoft has admitted that its Windows XP SP1
   service pack causes some programs to function drastically slower (up to
   10 times slower). The programs the memory management glitch affects are
   those which repeatedly swap large amounts of memory data. There is a fix
   for this problem, but unless there are very noticeable slowdowns Microsoft
   recommends that users wait for SP2 for a full fix.

    18 April 2003 - IE Bug Crashes Browsers
   ZDNet says a researcher revealed details of a vulnerability in Internet
   Explorer 6.0, but it is unclear whether it is exploitable
   * BugTraq: Exploit/DoS in MS Internet Explorer 6.0 (OBJECT Tag)

    17 April 2003 - Microsoft Security Bulletin MS03-013
   Microsoft TechNet Security's latest bulletin outlines "Buffer Overrun in
   Windows Kernel Message Handling could Lead to Elevated Privileges". The
   Windows kernel is the core of the operating system. There is a flaw in
   the way the kernel passes error messages to a debugger. A vulnerability
   results because an attacker could write a program to exploit this flaw
   and run code of their choice. Customers should install the patch at
   the earliest opportunity.

    17 April 2003 - IE Bug Crashes Browsers
   ZDNet says a researcher has revealed details of a vulnerability in
   Internet Explorer 6.0, but it is unclear whether it is exploitable

    14 April 2003 - Microsoft Warns of Possible CPU Overload On Servers
   VirusList.com Alert says Microsoft alerts users in Security Bulletin
   MS03-012 of DoS attack risk. MS warns that vulnerabilities in its Proxy
   Server 2.0 and ISA Server 2000 give hackers an opportunity to attack the
   software in a way that keeps it from responding to Internet requests.
   It is specified that this risk only affects computers functioning as
   servers. This is an additional announcement to our VHT-Canada April 11th
   item.

    11 April 2003 - Bug Leaves Windows Open To Java Attack
   ZDNet says Microsoft said that its Virtual Machine fails to catch certain
   malicious code in Java applets, allowing an attacker to take control of
   a PC

    11 April 2003 -  NAI Report: RemoXec application
   Network Associates says RemoXec is a tool that allows a user with proper
   permissions to execute applications on a remote Microsoft Windows system.
   The user must know the login and password in order to gain the right to
   execute the remote application. This tool could be maliciously used to
   exploit weak or null administrator passwords.

    11 April 2003 - Microsoft Security Bulletin MS03-012
   Microsoft TechNet Security's latest bulletin outlines "Flaw In Winsock
   Proxy Service And ISA Firewall Service Can Cause Denial Of Service
   (331066)". System administrators should install the patch at the earliest
   available opportunity.

    11 April 2003 - Microsoft Security Bulletin MS03-011
   Microsoft TechNet Security's latest bulletin outlines "Flaw in Microsoft
   VM Could Enable System Compromise (816093)". This flaw allows an attacker
   to execute code of his or her choice. Customers should install build 3810
   or later of the Microsoft VM, as discussed in the bulletin.

    08 April 2003 - Code Leak Spurs Windows Server 2003 Piracy
   ZDNet says a secret key code allowing unlimited installations of
   Microsoft's upcoming Windows Server 2003 has leaked onto the Internet,
   a loss that could lead to widespread piracy of the software.

    04 April 2003 - RealPlayer And QuickTime Flaws Could Let Hackers In
   ZDNet says two unrelated vulnerabilities have shown up in the popular
   digital media players, and experts are concerned about the potential for
   exploitation by hackers

    04 April 2003 - Symantec Security Category 2: W32.HLLW.Cult.C@mm
   Symantec Security Updates reports W32.HLLW.Cult.C@mm is an email worm that
   has backdoor capabilities. It uses its own SMTP engine to send itself to
   randomly generated recipient names. The email message has the following
   characteristics:
   Subject: Hi, I sent you an eCard from BlueMountain.com
   Message: Hi, I sent you an eCard from Blue-Mountain.com ...
   Attachment: BlueMountaineCard.pif

    04 April 2003 - Symantec Security Category 2: W32.HLLW.Cult.B@mm
   Symantec Security Updates reports W32.HLLW.Cult.B@mm is a mass-mailing
   worm that uses its own SMTP engine to spread itself. The recipients of
   the email are constructed from a random name and a domain chosen from a
   predetermined list. For example, the email address can be LEO_@hotmail.com.
   W32.HLLW.Cult.B@mm also attempts to spread using the KaZaA file-sharing
   network. The email message has the following characteristics:
   Subject: Hi, I sent you an eCard from BlueMountain.com
   Message: To view your eCard, open the attachment...
   Attachment: BlueMountaineCard.pif
   Also Known As: W32/Lanet@mm, I-Worm.Cult.b, Win32.Cult.B and W32/Cult-B

    27 March 2003 - Microsoft Security Bulletin MS03-010
   Microsoft TechNet Security's latest bulletin outlines "Flaw in RPC
   Endpoint Mapper Could Allow Denial of Service Attacks (331953)". There is
   a vulnerability in the part of RPC that deals with message exchange over
   TCP/IP. The failure results because of incorrect handling of malformed
   messages. Impact of vulnerability: Denial of Service. Recommendation:
   Customers should install the patch at the earliest opportunity
 
    27 March 2003 -  NAI Virus Report: Exploit-MS03-007.Crpt
   Network Associates says this attack tool exploits the Windows 2000 NTDLL.DLL
   vulnerability via the WebDAV (Web Distributed Authoring and Versioning)
   extension of IIS 5. The source code for this exploit was published on the
   Internet. The exploit attempts to provide a shell to a remote attacker.
   For information on this vulnerability, and a patch, visit
   http://www.microsoft.com/security/security_bulletins/ms03-007.asp
   Aliases: Exploit.WinNT.WebDav and TROJ_ROLARK.A
 
    27 March 2003 - F-Secure Radar Level 2: Lovgate
   F-Secure Virus Report says it is upgrading Lovgate.F to level 2 because
   of the increased number of infections. Lovgate.F is an e-mail and network
   worm with backdoor capabilities. It attempts to gain remote access using
   a longer list of passwords than previous variants. Alias: Supnot and
   I-Worm.Supnot
 
    25 March 2003 - Symantec Security Category 2: W32.HLLW.Lovgate.G@mm
   Symantec Security Updates reports W32.HLLW.Lovgate.G@mm is a minor
   variant of W32.HLLW.Lovgate.C@mm. This worm contains mass-mailing and
   backdoor functionalities. This variant does not properly function under
   Windows 95/98/Me systems. The worm attempts to reply to incoming email
   messages and to email addresses that it finds in HTML files. The subject
   and attachment of the incoming email are chosen from a predefined list.
   The attachment will have a .exe, .pif, or .scr file extension. It also
   attempts to copy itself to all the computers on a local network, and then
   attempts to infect these computers. NOTE: Virus definitions dated March
   24, 2003 may detect this threat as W32.HLLW.Lovgate.C@mm.
   Also Known As: WORM_LOVGATE.F, W32/Lovgate.f@M, and W32/Lovgate-E
 
    25 March 2003 - Microsoft Server Exploit Goes Public
   ZDNet says a security consultant has published a program designed to take
   advantage of a recently discovered flaw in Internet Information Service
   servers. "I released (the code) to enlighten the public and to promote
   system security for administrators unfamiliar with these exploits," said
   Rafael Nunez, information security consultant for Scientech de Venezuela
   and a former hacker who used the handle "RaFa". The release of the code
   on two security lists -- BugTraq and VulnWatch -- is the latest twist in
   the story of the Windows 2000 flaw that Microsoft announced a week ago. The
   flaw was discovered on 12 March by the US military after a public Web
   server was compromised by the vulnerability. Microsoft declined comment
   on the issue, except to say that customers should patch their systems.
 
    24 March 2003 - Microsoft Security Bulletin MS03-007 (re-release)
   Microsoft TechNet Security updated their bulletin "Unchecked Buffer In
   Windows Component Could Cause Web Server Compromise (815021)". Changes in
   V1.1 (March 18, 2003): Added new information in the Caveats under the
   Additional Information section, clarified affected Windows component
   throughout the bulletin, added a question regarding IIS 5.0 to the
   Frequently Asked Questions section, added a question regarding changes
   to the Caveats in the Additional Information section to the Frequently
   Asked Questions section
   * Click here for ZDNet article: MS Patch Freezes Some Systems
 
    24 March 2003 - Microsoft Patch Freezes Some Systems
   ZDNet says several customers who applied the patch, released on Monday
   (Mar 17), complained that their updated Windows 2000 system wouldn't run
   * Click here for MS Security Bulletin MS03-007 (re-release)
 
    24 March 2003 - Office 2003 May Pose Antivirus Dilemma
   ZDNet says security experts say that Microsoft's upcoming XML format for
   Office documents could inadvertently give virus writers the upper hand
 
    24 March 2003 - Microsoft Ordered To Pull 'misleading' Security Ad
   ZDNet says the company's claims that its software is more secure than a
   bank vault have not impressed South Africa's advertising standards
   authority
 
    21 March 2003 - Microsoft Security Bulletin MS03-009
   Microsoft TechNet Security's latest bulletin outlines "Flaw In ISA Server
   DNS Intrusion Detection Filter Can Cause Denial Of Service (331065)".
   This flaw results because the filter does not properly handle a specific
   type of request when scanning incoming DNS requests. An attacker could
   exploit the vulnerability by sending a specially formed request to an ISA
   Server computer that is publishing a DNS server, which could then result
   in a denial of service to the published DNS server.
 
    21 March 2003 -  NAI Virus Report: W32/Sharpei-cln
   Network Associates says the entry for W32/Sharpei-cln Application was
   added for a PE file called "no_war.exe" (Note that the name might vary).
   The filesize was 8.704 bytes. The file requires the Microsoft .NET
   environment to be installed on the machine. The file's use is apparently
   to rid the system of W32/Sharpei@MM virus infections, made by the
   same person. Upon running the file a GUI message box appears.
   On a test machine, the no_war.exe file indeed removed some W32/Sharpei@MM
   virus files. It's recommended however to use VirusScan (or your normal
   anti-virus program) for detection/removal.
 
    21 March 2003 - Security Vulnerability Detected In Linux OS
   VirusList.com Alert says in a Linux developer's mailing list, Alan Cox,
   one of the co-developers who worked with Linus Torvalds to construct the
   original Linux kernel, announced a flaw in certain Linux versions that
   makes it possible for a local user to gain unauthorized root (full)
   control. The vulnerability Cox warns about involves the possible exploit
   of a hole in the 'ptrace' debugging tool.
 
    20 March 2003 - Microsoft Security Bulletin MS03-008
   Microsoft TechNet Security's latest bulletin outlines "Flaw in Windows
   Script Engine could allow code execution". An attacker could exploit the
   vulnerability by sending a specially formed request to an ISA Server
   computer that is publishing a DNS server, which could then result in a
   denial of service to the published DNS server.
 
    20 March 2003 - Symantec Security Category 2: W32.Hawawi.Worm
   Symantec Security Updates reports W32.Hawawi.Worm is a worm that spreads
   through email using its own SMTP server, ICQ, Yahoo Messenger, PalTalk,
   and KaZaA. The email message has one of many different Subject lines, so
   read the security notice. The messages have an attachment with a .pif
   extension, usually Hawawi.pif. Also Known As: W32/Holar.d@MM
 
    20 March 2003 - Symantec Security Category 2: W32.HLLW.Der@mm
   Symantec Security Updates reports W32.HLLW.Der@mm is a mass mailing worm
   that attempts to use MS Outlook to email itself to all the contacts in
   the Windows Address Book. It also attempts to overwrite and delete files
   on the infected system. Note: Virus definitions dated prior to March 19,
   2003 may detect this threat as Bloodhound.W32.VBWORM.
   The email has the following characteristics:
   Subject: [Recipients.name], WORLD TRADE CENTER PICTURES
   Message: [Recipients.name], Remember The Times.......MAYBE THEY WILL
   BE BACK....!!!
   Attachment: WTC32.scr
 
    20 March 2003 - Virus Writers Latch Onto War Theme
   ZDNet says a new email worm is tricking people into opening dangerous
   attachments by promising military satellite images of Iraq
 
    20 March 2003 - Flaw Lets Malicious Web Pages Attack Windows
   ZDNet says the new security hole affects all current Windows versions,
   but attackers may be warded off by protections built into email clients
 
    19 March 2003 - Microsoft Security Bulletin MS03-007
   Microsoft TechNet Security's latest bulletin outlines "Unchecked Buffer
   In Windows Component Could Cause Web Server Compromise (815021)". A
   security vulnerability is present in a Windows component used by WebDAV,
   Ntdll.dll, and results because the component contains an unchecked buffer.
   An attacker could exploit the vulnerability by sending a specially formed
   HTTP request to a machine running Internet Information Server (IIS). The
   request could cause the server to fail or to execute code of the attacker's
   choice.
 
    17 March 2003 - F-Secure Radar Level 2: Ganda
   F-Secure Virus Report says a new mass mailer 'Ganda' has been found today.
   It's sending e-mail messages either in English or Swedish, with a screen
   saver attachment such as TR.SCR or PW.SCR. Some of the messages sent by
   the worm use the IFRAME trick to automatically execute the attachment on
   some systems. This worm tries to kill processes belonging to several
   antivirus products. Alias: W32/Ganda.A@mm, WORM.SwedenSux and Myzli
 
    17 March 2003 - Microsoft Vows To Improve How It Offers Patches
   VirusList.com News says following the Slammer (aka Helkern) debacle,
   where the lightning-fast worm managed to spread around the world and
   seriously retard Internet traffic this past January, many were shocked
   to know that the patch necessary to defend Microsoft SQL servers against
   the bug had been available already for six months. In response, after
   admitting that the "Slammer" patch was not easy to deploy, the software
   giant of giants is setting out to further improve how it delivers
   software patches.
 
    16 March 2003 - Snowhite and the Seven Dwarfs Worm Still Around
   W32/Hybris.gen@MM, the internet worm first discovered in South America on
   October 16, 2000, is still around, as one was just received in my mailbox
   this morning. This worm will be received in an email message which may
   contain the following information:
   From: Hahaha [hahaha@sexyfun.net]
   Subject: Snowhite and the Seven Dwarfs - The REAL story!
   Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very
   educated and polite with Snowhite. When they go out work at mornign,
   they promissed a *huge* surprise. Snowhite was anxious. Suddlently,
   the door open, and the Seven Dwarfs enter...
   Attachment: sexy virgin.scr or joke.exe or midgets.scr or
   dwarf4you.exe
   Aliases: dwarf4you.exe, Hybris, I-Worm.Hybris, I-Worm.Hybris.b, Snowhite
   and the Seven Dwarfs, TROJ_HYBRIS.A, W32/Hybris.dll@M, W32/Hybris.plugin@M,
   W95.Hybris.Gen.dr, W95/Hybris.worm and Win98.Vecna.23040
 
    13 March 2003 - VirusList Alerts: New CodeRed Worm Variation
   VirusList.com Alert says a new variation of the Code Red worm has been
   set loose that most closely resembles CodeRed II. It is believed that one
   change to the new variation will enable the worm to spread indefinitely,
   as opposed to CodeRed II that was programmed to stop its activities at
   the conclusion of the year 2002. The original CodeRed worm's payload was a
   DoS attack on the White House Web server. Subsequent variations eschewed
   this approach and instead turned to a payload granting the worm's "master"
   remote control of victimized web servers. The new CodeRed variation is not
   expected to spread at alarming rates as many Microsoft IIS Web servers
   have already been patched to fend off previous CodeRed versions as well
   as the likes of the Nimda worm that also targets Microsoft IIS Web servers
   via the same exploit. Also known as: CodeRed.F, CodeRed.v3, CodeRed.C,
   CodeRed III, W32.Bady.C and W32/CodeRed.a.worm. This threat affects MS
   Windows 2000 running web servers.
   Your environment is at HIGH RISK if:
   a) You have Microsoft IIS server installed with Windows 2000
   b) You have NOT updated server with the latest MS IIS Web server patch
   * Click here for W32/CodeRed.f.worm Alert from NAI
   * Click here for CodeRed.F Alert from Symantec
 
    13 March 2003 -  NAI Virus Report: MultiDropper-EH
   Network Associates says this detection is for multiple versions of a
   trojan multidropper package. This multidropper trojan is related to a
   remote access trojan: BackDoor-ABB - the same author created both. The
   trojan droppers will typically run silently, serving merely to drop (and
   execute) other files. The droppers often drop innocent files along with
   the trojan, to hide the latter's activity. For example, an image file or
   an audio/video file may be dropped. Aliases: MultiDropper-EH.cfg and
   TrojanDropper.Win32.HeliosBinder
 
    13 March 2003 -  NAI Virus Report: ProcKill-AG Application
   Network Associates says this detection is of the app type, for
   "potentially unwanted applications"; it is not a virus. This is a DLL for
   use with mIRC, to list open windows and kill programs or processes.
   Detection and removal using VirusScan requires the detection of
   "potentially unwanted applications" to be enabled.
 
    13 March 2003 - Symantec Security Category 2: W32.HLLW.Lovgate.F@mm
   Symantec Security Updates reports W32.HLLW.Lovgate.F@mm is a minor
   variant of W32.HLLW.Lovgate.C@mm. The only functional difference between
   this variant and W32.HLLW.Lovgate.C@mm is that W32.HLLW.Lovgate.F@mm will
   not send any email messages to a hacker, as described in the writeup for
   W32.HLLW.Lovgate.C@mm
 
    11 March 2003 - Symantec Security Category 2: W32.Nicehello@mm
   Symantec Security Updates reports W32.Nicehello@mm is a worm that sends
   itself to all the contacts in the Windows Address Book. The email has
   various subjects and attachments. The attachment will have a .exe file
   extension. W32.Nicehello@mm attempts to steal MSN Messenger passwords.
 
    11 March 2003 - Symantec Security Category 2: Backdoor.Dvldr
   Symantec Security Updates reports Backdoor.Dvldr is a backdoor Trojan
   that gives a hacker unauthorized access to your computer. The worm,
   W32.HLLW.Deloder, installs this Trojan. The detection of Backdoor.Dvldr
   covers two files: the installer and the Trojan itself.
   Also Known As: Win32.Deloder Trojan, BKDR_DELODER.A and BackDoor.ARG
 
    09 March 2003 -  NAI Risk Report: PhoenixScan application
   Network Associates says this detection is for a potentially undesirable
   port scanning application, received as a 32-bit PE file named
   "phoenix_alpha.exe" (note that the filename may vary). The file is
   written in Visual Basic. Upon running the file, a GUI (Graphical User
   Interface) display box appears. The portscanner can scan a range of IP
   addresses, and it generates a log file ("SCAN.TXT") containing the
   scanned IP numbers. Alias: Phoenix Alpha
 
    09 March 2003 - FRISK Security Alerts: Sendmail Security Alert
   F-Prot Alert Service says a serious vulnerability in Sendmail, the
   Internet's most popular mail server software, may allow an attacker to
   infect a mail server running Sendmail with a worm or virus or take
   control of the machine. The security flaw does not directly affect
   desktop personal computers. Sendmail is immediately providing software
   patches for all currently supported releases of Sendmail's commercial
   products which include Solaris, Linux, AIX, Windows NT/2000 and HP-UX
   * Click here for Sendmail's security alert at www.sendmail.com
 
    09 March 2003 - Symantec Security Category 2: W32.HLLW.Deloder
   Symantec Security Response is aware of a new worm which attempts to
   connect to a target host using TCP port 445. Upon successful connection,
   the worm copies a backdoor Trojan component, a file named inst.exe, to a
   set of paths hardcoded into the worm in order to load the Trojan from the
   StartUp folder. Then the worm attempts to launch remote services which
   perform actions such as copying and executing the backdoor, copying and
   executing the worm, deleting default shares and changing the attributes
   of the worm and backdoor Trojan to read only. The worm exists as the file
   dvldr32.exe and is packed with ASPack. Removal requires deletion of files
   detected as W32.HLLW.Deloder.
 
    09 March 2003 - Symantec Security Category 2: W32.HLLW.Daboom@mm
   Symantec Security Updates reports W32.HLLW.Daboom@mm is a mass-mailing
   worm that replicates by email. It sends itself to the addresses it finds
   in the Windows Address Book and also in .htm and .html files stored in
   the Internet Explorer cache. The email message has a randomly chosen
   subject, message, and attachment. The attachment will have a .pif file
   extension. W32.HLLW.Daboom@mm also contains backdoor Trojan capabilities
   which permit unauthorized access to an infected computer.
 
    09 March 2003 - Symantec Security Category 2: W32.Bibrog.B@mm
   Symantec Security Updates reports W32.Bibrog.B@mm is a mass-mailing worm
   that uses Microsoft Outlook to send itself to all the contacts in the
   Outlook Address Book. The email message has the following characteristics:
   Subject: Fwd:La Academia Azteca
   Message: La cacademia azteca (muy bueno) !no es virus!
   Attachment: Academia.exe
   This worm also attempts to spread through the KaZaA, Grokster, and
   Morpheus file-sharing networks, as well as through ICQ.
   Also Known As: W32/Bibrog.b@MM
 
    09 March 2003 - Symantec Security Category 2: W32.Slackor
   Symantec Security Updates reports W32.Slackor is a worm that attempts
   to copy itself over Windows NT-based networks. When attempting to
   find computers to infect, the worm queries other computers using TCP
   port 445. Also Known As: Troj/Slacker-A and Worm.Win32.Slackor
 
    09 March 2003 - Symantec Security Category 2: W32.HLLW.Dormin.A@mm
   Symantec Security Updates reports W32.HLLW.Dormin.A@mm is a mass-mailing
   worm that sends itself to all the contacts in the MS Outlook Address Book.
   The email has the following characteristics:
   Subject: Check this out!
   Attachment: FlashMovie.exe
   When W32.HLLW.Dormin.A@mm is run, it displays the fake error message,
   "MacroMedia Shockwave Flash is not installed!"
 
    09 March 2003 - Symantec Security Category 2: W32.Zokrim.B@mm
   Symantec Security Updates reports W32.Zokrim.B@mm is a mass-mailing worm
   that uses Microsoft Outlook to send itself to all the contacts in the
   Outlook Address Book. The email has the following characteristics:
   Subject: La tua amica Morena
   Message: Ciao... e da tanto che non ci sentiamo!!! Come stai ??
   Attachment: Morena.exe
   When W32.Zokrim.B@mm runs, it displays a message: "File not found
   c:\windows\," and shows a .jpg photo named morena.jpg.
   W32.Zokrim.B@mm also attempts to spread using mIRC. This threat is
   written in the Microsoft Visual Basic programming language.
 
    09 March 2003 - Symantec Security Category 2: W32.Yaha.P@mm
   Symantec Security Updates reports W32.Yaha.P@mm worm is a variant of
   W32.Yaha.L@mm. This variant of the worm terminates some antivirus and
   firewall processes. W32.Yaha.P@mm uses its own SMTP engine to email
   itself to all the contacts in the Windows Address Book, MSN Messenger,
   .NET Messenger, Yahoo Pager, and in all the files whose extensions
   contain the letters HT. Also Known As: W32/Yaha.p@MM, WORM_YAHA.P,
   I-Worm.Lentin.m, Win32.Yaha.P and W32/Yaha-P
 
    09 March 2003 - Symantec Security Category 2: W32.HLLW.Oror.AG@mm
   Symantec Security Updates reports W32.HLLW.Oror.AG@mm is a mass-mailing
   worm and a variant of W32.HLLW.Oror@mm. This worm attempts to spread
   using email, mIRC, KaZaA, network shares, and mapped drives. The email
   attachment will arrive with a .exe or .scr file extension. It also
   attempts to terminate and remove various security products from the
   infected computer. Also Known As: I-Worm.Roron.51, Win32/Roron.Z@mm and
   W32/Oror.gen.c@MM
 
    01 March 2003 - VirusList News: Viruses To Watch For!
   VirusList.com News lists a few worms to keep an eye open for:
   * IRC-Worm.Blackout
   Blackout is an IRC worm spreading via IRC channels. The worm itself is a
   Word document and contains one macro called "Blackout".
   * IRC-Worm.Evion
   Evion is an IRC worm spreading via IRC channels. The virus is written in
   Visual Basic Script (VBS). It overwrites .vbs and .html files on all
   local and mapped drives.
   * Worm.P2P.Tanked
   Tanked is a worm virus spreading via the Kazaa file sharing network.
   The worm has a powerful backdoor routine that connects to an IRC channel
   and listens to commands from its "master".
 
    27 February 2003 - VirusList News: How Lovgate Spreads Its Love
   VirusList.com News says perhaps aware that email worm propagation
   accomplished by finding new email addresses in victim address books
   has become monotonous and hackneyed, the author or authors of "Lovgate"
   have added a strange twist by seeking addresses in victim inboxes.
   Showing victims some love, Lovgate does not destroy or corrupt data
   itself. However, in a less friendly gesture it does drop off a Trojan
   backdoor designed to grant remote access via port 10168; of course there
   is no telling what the controller of this backdoor will or will not do
   to a victim's data.

    26 February 2003 - Symantec Security Category 2: W32.Gibe.B@mm
   Symantec Security reports W32.Gibe.B@mm is a variant of W32.Gibe@mm. This
   mass-mailing worm uses Microsoft Outlook and its own SMTP engine to send
   itself to all the contacts in the Microsoft Outlook Address Book and the
   Windows Address Book. This worm also attempts to spread through the KaZaA
   file-sharing network and Internet Relay Chat (IRC).
   Also Known As: WORM_GIBE.B, W32/Gibe.b@mm, W32/Gibe-D, I-Worm.Gibe.b,
   and Win32.Gibe.B

    26 February 2003 - VirusList News: Lovgate Email Worm Gets Around
   VirusList.com News says the mass-mailer worm "Lovgate (aka Supnot)" is
   the latest computer virus epidemic. It has gotten around the world via
   the Internet as an attachment to infected emails. The worm also spreads
   through local area networks and has a "backdoor" routine. There are
   several worm variants known which are very similar to each other.
   * I-Worm.Lovgate (aka Supnot) in Kaspersky Virus Encyclopedia

    25 February 2003 - Symantec Security Category 3: W32.HLLW.Lovgate@mm
   Symantec Security Updates reports W32.HLLW.Lovgate.C@mm is a variant of
   W32.HLLW.Lovgate@mm. This worm contains mass-mailing and backdoor
   functionalities. To spread itself, the worm attempts to reply to incoming
   messages when they arrive in the mailbox of certain MAPI-compliant email
   clients, which include Microsoft Outlook. Also Known As: WORM_LOVGATE.C,
   Win32/Lovgate.C@mm, W32/Lovgate.c@M, I-Worm.Supnot.c, W32/Lovgate-B, and
   Win32.Lovgate.C. Variants: W32.HLLW.Lovgate@mm, W32.HLLW.Lovgate.B@mm
   Read the full report for removal instructions

    25 February 2003 -  NAI Virus Report: W32/Lovgate@M
   Network Associates says this is a mailing worm that also spreads via
   network shares and drops a remote-access trojan. The worm is similar
   to W32/Plage.worm in that it drops the same files on the victim's machine
   and sends out the same message. The major difference is that the
   W32/Lovgate family is compiled with MSVC while W32/Plage was created with
   BorlandC. Aliases: I-Worm.Supnot.c (AVP), W32.HLLW.Lovgate.C@mm (NAV),
   W32/Lovgate.c@M, WORM_LOVGATE.C (Trend)

    25 February 2003 - Symantec Security Category 2: W32.Ixas@mm
   Symantec Security Updates reports W32.Ixas@mm is a mass-mailing worm that
   uses its own SMTP engine to send itself to all the contacts in Windows
   Address Book.
   The email has the following characteristics:
   From: [random letters]@delfi.lt
   Subject: The subject can be one of many - read the report
   Attachment: Attachment has a random file name.
   Also Known As: WORM_IXAS.A, W32/Ixas@MM and W32/GvoWFI.A@mm
   Read the full report for removal instructions

    25 February 2003 - Symantec Security Category 2: W32.HLLW.Tang@mm
   Symantec Security Updates reports W32.HLLW.Tang@mm is a mass-mailing worm
   that attempts to disguise itself as a file which Windows doesn't recognize.
   W32.HLLW.Tang@mm emails itself to all the contacts in the Windows Address
   Book. It also attempts to spread itself through the file-sharing networks,
   IRC, Microsoft Word Documents, Microsoft Excel Spreadsheets and across
   mapped drives. Also Known As: W32/Gant@MM [McAfee], I-Worm.Tanger [KAV]
   Read the full report for removal instructions

    17 February 2003 - Symantec Security Category 2: W32.HLLW.Oror.D@mm
   Symantec Security Updates reports W32.HLLW.Oror.D@mm is a mass-mailing
   worm and a variant of W32.HLLW.Oror@mm. This worm attempts to spread
   through email, mIRC, KaZaA, network shares, and mapped drives. It also
   attempts to terminate and remove various security products from the
   infected computer.
   Also known as: I-Worm.Roron.4999.c [KAV], W32/Roro.V@mm [F-Prot],
   W32/Roron.AA@mm [RAV]
   Variants: W32.HLLW.Oror@mm, W32.HLLW.Oror.B@mm, W32.HLLW.Oror.C@mm

    17 February 2003 -  NAI Virus Report: ZeroPopup application
   Network Associates says this detection covers a "potentially unwanted
   application", it is not a virus or trojan. However, this application is
   associated with the Tellafriend trojan. This application exists as an
   Internet Explorer Browser Helper Object that is designed to prevent the
   display of popup windows while browsing the Internet. It also modifies
   the default search and start pages of Internet Explorer.

    14 February 2003 - Microsoft Reports Danger From Malicious Web Sites
   VirusList.com News says on February 12th Microsoft announced a new
   security issue affecting certain versions of the Internet Explorer
   browser. The reported vulnerability could enable an attacker to read
   files or run programs on computers used to view an attacker's web site.
   Computers at risk are those that simply have Internet Explorer installed;
   it does not have to be in use to be exploited. To read more about this
   vulnerability and/or to install the update that will fix this potential
   problem, go to: MS Security patch MS03-004

    06 February 2003 - Microsoft Security Bulletin MS03-005
   Microsoft TechNet Security's latest bulletin outlines "Unchecked Buffer
   in Windows Redirector Could Allow Privilege Elevation (810577)". The
   Windows Redirector is used by a Windows client to access files, whether
   local or remote, regardless of the underlying network protocols in use.
   This is a buffer overrun vulnerability. An attacker who successfully
   exploited this vulnerability could cause the system to fail, or could
   cause code of the attacker's choice to be executed with system
   privileges. Code running with system privileges could provide the
   attacker with the ability to take any desired action on the machine, such
   as adding, deleting, or modifying data on the system, and creating or
   deleting user accounts. Only Windows XP workstations that would allow an
   attacker to log on interactively would be affected by this vulnerability.
   A Windows XP system that was not shared with other users would not be
   able to be attacked using this vulnerability.

    06 February 2003 - Microsoft Security Bulletin MS03-004
   Microsoft TechNet Security's latest bulletin outlines "Cumulative Patch
   for Internet Explorer (810847)". This is a cumulative patch that includes
   the functionality of all previously released patches for IE 5.01, 5.5, 6.0.
   A security issue has been identified that could enable an attacker to
   read files or run programs on a computer used to view the attacker's Web
   site. This vulnerability affects computers that have MS Internet Explorer
   installed. (You do not have to be using Internet Explorer as your Web
   browser to be affected by this issue.) You can help protect your computer
   by installing this update from Microsoft.

    06 February 2003 - Microsoft Releases Patch For IE Flaw
   ZDNet says Internet Explorer users may be vulnerable to yet another bug
   that gives attackers free access to their PC

    06 February 2003 - IM Creates 'Rampant Security Risk'
   ZDNet says some IT managers are concerned that Instant Messaging (IM) can
   send files that are not virus-checked past corporate firewalls, creating
   a threat to network security

    04 February 2003 - VirusList.com News: "SoBig" - Still Big Enough
   VirusList.com News says the SoBig worm is getting around despite
   available fixes and being easy to spot. "SoBig" is not hard to recognize;
   it uses only four different subject texts and attached file names. Please
   be on the lookout for:
   Subjects: Re: Movies, Re: Sample, Re: Document, Re: Here is that sample
   Attachments: Document003.pif, Sample.pif, Untitled.pif, Movie_0074.pif

    25 January 2003 - F-Secure Media Release: Slammer Worm
   F-Secure warns computer users about a new Internet worm known as
   Slammer (or Sapphire). The worm generates massive amounts of network
   packets, overloading internet servers. This slows down all internet
   functions such as sending e-mail or surfing the net. Slammer infects only
   Windows 2000 servers running Microsoft SQL Server, and is therefore not
   a threat to end-user machines. However, its effects are still
   visible to end users through the way it blocks network traffic.

    22 January 2003 - VirusList.com Alerts: I-Worm.Sobig
   Kaspersky Lab says Sobig is a worm virus spreading via the Internet as an
   attachment to infected emails. It also downloads and sets up a Backdoor
   program. The worm itself is a Windows PE EXE file about 64 KB in length
   (when compressed by TeLock), and written in Microsoft Visual C++.

    22 January 2003 - VirusList.com Alerts: Win32.Ditex
   Kaspersky Lab says Ditex is a memory resident parasitic Win32 virus. It
   is written in Microsoft Visual C++ and is about 33KB in size.

    22 January 2003 - VirusList.com Alerts: Macro.Word97.Swatch.b
   Kaspersky Lab says Swatch.b is a Word97 macro virus. It contains three
   macros: AutoOpen, RepToDocs, RepToNormal.

    22 January 2003 - VirusList.com Alerts: Trojan.VBS.StartPage
   Kaspersky Lab says Startpage is a Trojan horse written in Visual Basic
   Script (VBS). When started it alters the address for the MS Explorer
   starting page in the Windows system registry.

    22 January 2003 - Symantec Security Category 2: W32.ExploreZip.L.Worm
   Symantec Security Updates reports W32.ExploreZip.L.Worm is a variant of
   Worm.ExploreZip, a worm that contains a malicious payload. The file has
   been repacked to make it more difficult to detect with older, existing
   antivirus software. This worm is packed with the UPX file format, version
   0.76.1-1.24. The worm uses Microsoft Outlook, Outlook Express, or Exchange
   to mail itself, by replying to unread messages in the Inbox. The email
   attachment is titled Zipped_files.exe.
   Also Known As: W32/ExploreZip.worm@M [McAfee], I-Worm.ZippedFiles.h
   [KAV], WORM_EXPLORZIP.M [Trend], Win32/ExploreZip.Worm [CA],
   W32/ExploreZip.E [F-Secure], W32/ExploreZip.worm.210432 [F-Secure],
   W32/ExploreZi-N [Sophos]

    22 January 2003 - Symantec Security Category 2: W32.Horo@mm
   Symantec Security Updates reports W32.Horo@mm is a mass-mailing worm that
   uses Microsoft Outlook to spread. This worm is written in Microsoft Visual
   Basic, version 6, and is packed with FSG. It sends email to all contacts
   in the Outlook Address Book. The email has the following characteristics:
   Subject: Today's free horoscope
   Message: Open this screen saver file to see today's horoscope. No
   registrions. No fees. And No ugly lady in front of you! ABSOLUTE
   FREE!!!!!!!!!!!!!!!!
   Attachment: Horoscope.scr
   Also Known As: W32/Horo@MM [McAfee], WORM_WCONN.B [Trend]

    22 January 2003 - Symantec Security Category 2: W32.Sahay.A@mm
   Symantec Security Updates reports W32.Sahay.A@mm is a mass-mailing worm
   that sends email messages to all the addresses in the Microsoft Outlook
   Address Book. The email message has the following characteristics:
   Subject: Fw: Sit back and be surprised..
   Attachment: MathMagic.scr
   The worm attempts to prepend itself to all the .exe files it finds in
   the Windows folder and C:\Program Files\Mirc\Download folder. Due to
   bugs in the worm's code, this threat may crash the computer or corrupt
   files in these folders. Then, the worm restarts the computer.
   W32.Sahay.A@mm sends itself to all the recipients in the Outlook Address
   Book and deletes files associated with the W32.Yaha family

    22 January 2003 - Symantec Security Category 2: W32.HLLW.GOP.G@mm
   Symantec Security Updates reports W32.HLLW.GOP.G@mm is a mass-mailing
   worm that copies itself to the hard drive. It also searches the network
   drives and copies itself to any mapped drive on which it can find an
   operating system. Then, W32.HLLW.GOP.G@mm modifies the Win.ini file to
   run the worm at startup. It sends itself to all the email recipients
   found on an infected machine and also releases confidential information:
   it steals OICQ passwords.

    22 January 2003 -  NAI Virus Report: W32/Sahay.worm
   Network Associates says this threat has been upgraded to Low-Profiled due
   to media attention at:
   http://www.theage.com.au/articles/2003/01/14/1041990271338.html
   This virus propagates via prepending itself to EXE files and mailing
   itself to addresses in the Outlook Address Book. The virus was observed
   to be buggy during testing, frequently causing system hangs.
   The virus also looks for indications of infection by variants of the
   W32/Yaha family on the victim machine. If any are found, it attempts to
   remove it, and displays the following message:
   Hi there.. it seems you were infected with Yaha.k. That worm however,
   written by an idiot who sPeLlS lIkE tHiS, abused my website and got me
   to receive the complaints. Therefore, I have just disinfected you.
   Don't worry tho.. as I didn't wanna steal from you, I gave you this
   virus (Win32.HLLP.YahaSux) in return :)
   Greetz,
   Gigabyte [Metaphase VX Team]
   Aliases: I-Worm.Sahay (AVP), PE_SAHAY.A (Trend), W32.Sahay.A@mm
   (Symantec) and Win32.HLLP.Yahasux

    22 January 2003 -  NAI Virus Report: W32/Lirva.a@MM
   Network Associates has updated this threat to being Low-Profiled. This is
   a mass-mailing worm that also attempts to spread via ICQ, IRC, and KaZaa.
   It contains a Password-Stealer as payload. It tries to terminate security
   software, can spread via ICQ, and drops an IRC bot script. There are at
   least 2 new variants of this threat in existence. So far all such known
   variants are detected generically as W32/Lirva.gen@MM
   Aliases: W32.Lirva.B@mm (Symantec), I-Worm.Avron (AVP), W32.Lirva.A@mm
   (Symantec), W32/Avril-A (Sophos), W32/Avril.gen@MM, W32/Lirva@MM,
   Worm/Naith.A (CA) and WORM_LIRVA.A (Trend)

    20 January 2003 - VirusList.com Reports: Joke_JS.Spawn.b
   Kaspersky Lab says Spawn is a "joke". Once the JavaScript contained
   within the infected document's HTML is launched, the user's Internet
   Explorer browser window begins to move around.

    20 January 2003 - VirusList.com Alerts: Worm.Win32.Grexon
   Kaspersky Lab says Grexon is a local area network (LAN) worm. It copies
   itself to logical drives (local and network), as well as encodes network
   resources where it copies itself. The worm file size is about 7KB.
   When the worm is run it copies itself to the Windows temporary directory
   under the name "grex.exe" and registers this file in the system registry
   auto-run key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Grex =
   %TempDir%\grex.exe

    20 January 2003 - VirusList.com Alerts: I-Worm.Runnelot
   Kaspersky Lab says Runnelot is a worm virus spreading via the Internet as
   an attachment to infected emails. It also infects Win32 EXE files. The
   worm itself is a Windows PE EXE file about 9KB in size when compressed by
   UPX; the decompressed size is about 20KB. It is written in Assembler.
   The worm contains a "copyright" text string: Runner "Pilot" 01/2003
   While installing, the worm writes its code to the Windows system directory
   with the "Runner.exe" name and registers that file in system registry
   auto-run key.

    11 January 2003 - My Inbox Contained Three Hybris / Snow White Worms
   Apparently some people still have infected computers around. Today in my
   inbox were three copies of this worm, with different attachment names, but
   all the same worm. Hybris is an Internet worm that spreads itself as an
   attachment to email messages. The worm works under Win32 systems only. You
   can use a free version of F-Prot for DOS to remove Hybris from an infected
   system. It is a requirement to perform disinfection from pure DOS.
   The mail items I received contained: From: Hahaha [hahaha@sexyfun.net]
   Subjects: Snowhite and the Seven Dwarfs - The REAL story!
   Note: As Hybris has a plugin that infects EXE files, it is advised to
   disinfect all infected files first and then to remove all locked Hybris
   components manually.

    09 January 2003 - F-Secure Alert Level 2: ExploreZip.E
   F-Secure Virus Report says all of the ExploreZip variants spread as
   an e-mail attachment and activate by destroying Microsoft Office
   documents and source code files from infected computers and from local
   networks. The worm modifies an infected computer so that the worm will
   reply to unread e-mails, sending dummy e-mail replies with an infected
   attachment. Alias: ZippedFiles, I-Worm.ZippedFiles, Zipped_Files,
   ExploreZip_N, W32/ExploreZip.E and WORM_EXPLORZIP.M

    09 January 2003 - F-Secure Alert Level 2: Sobig
   F-Secure Virus Report says Sobig is an e-mail and network worm, sending
   itself around as a PIF e-mail attachment. The worm has remote control
   functionality through which the virus writer can control infected
   computers. Alias: Sobig.A

    09 January 2003 - FRISK Virus Alerts: W32/Lirva.{C,D}@mm
   F-Prot Antivirus Alert Service says W32/Lirva.{C,D}@mm are new
   mass-mailing worms first detected on 6 and 9 January 2003. These worms
   are currently in the initial stages of potential mass distribution. The
   recommendation is that users of F-Prot Antivirus update their virus
   signature files immediately. W32/Lirva.{C,D}@mm are detected by F-Prot
   Antivirus using virus signature files dated 9 January 2003 and later.

    09 January 2003 - Symantec Security Category 2: W32.Lirva.C@mm
   Symantec Security Updates reports W32.Lirva.C@mm is a mass-mailing worm
   that also spreads by IRC, ICQ, KaZaA, and open network shares. It is a
   variant of W32.Lirva.A@mm. This worm attempts to terminate antivirus and
   firewall products. It also emails the cached Windows 95/98/Me dial-up
   networking passwords to the virus writer.
   Payload Trigger: If the day of the month is the 7th, 11th, or 24th
   Payload: Opens a website and displays an image on the Windows desktop.

    09 January 2003 -  NAI Virus Report: W32/Lirva.a@MM
   Network Associates says this is a mass-mailing worm that also attempts to
   spread via ICQ, IRC, and KaZaa. It contains a Password-Stealer as payload.
   It tries to terminate security software, can spread via ICQ, and drops an
   IRC bot script.
   Aliases: W32.Lirva.B@mm (Symantec), W32.Lirva.C@mm (Symantec),
   I-Worm.Avron (AVP), Naith, W32.Lirva.A@mm (Symantec), W32/Avril-A (Sophos),
   W32/Avril.gen@MM, W32/Lirva@MM, Worm/Naith.A (CA) and WORM_LIRVA.A (Trend)

    01 January 2003 - Symantec Security Category 2: W97M.Killboot
   Symantec Security Updates reports W97M.Killboot is a macro virus that
   infects the currently active document and the Microsoft Word Normal.dot
   template when an infected document is closed. So, once the Normal.dot is
   infected, clean documents will be infected when they are closed.
   W97M.Killboot creates the file C:\Setver.exe, which the Symantec
   antivirus products detect as Trojan.Killboot. If Trojan.Killboot is
   run, it writes the viral code into the Master Boot Record (MBR); this
   code can overwrite the MBR on all the physical hard drives with
   zeroes. Symantec antivirus products detect the viral code in the MBR
   as Killboot.145 (b).

    01 January 2003 - Symantec Security Category 2: W32.Yaha.L@mm
   Symantec Security Updates reports W32.Yaha.L@mm is a worm that is a
   variant of W32.Yaha.K@mm. The differences between the variants do not
   visibly manifest themselves, so the characteristics of each will be the
   same.

    01 January 2003 - Symantec Security Category 2: W32.HLLW.Backzat.B
   Symantec Security Updates reports W32.HLLW.Backzat.B is a mass-mailing
   worm that uses Microsoft Outlook to send itself to all the contacts in
   the Microsoft Outlook Address Book. It also attempts to spread itself
   through the eDonkey2000, BearShare, Morpheus, and KaZaA file-sharing
   networks. This worm may distribute itself through mapped drives, AIM95,
   mIRC, and ICQ. It also deletes security software from your computer when
   it is executed. The email has the following characteristics:
   Subject: Duuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuude
   Message: Whoa man amuse yourself with this funny freakin screen saver
   Attachment: WuFFie.Scr

    01 January 2003 - Symantec Security Category 3: W32.Yaha.K@mm
   Symantec Security Updates reports W32.Yaha.K@mm is a worm that is a
   variant of W32.Yaha.J@mm. This worm terminates some antivirus and firewall
   processes. It uses its own SMTP engine to email itself to all the contacts
   in the Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager,
   and all the files whose extensions contain the letters HT. The email
   message has a randomly chosen subject line, message, and attachment
   name. Symantec has provided a tool to remove infections of W32.Yaha.K@mm.

    01 January 2003 - Symantec Security Category 2: W32.Opaserv.K.Worm
   Symantec Security Updates reports W32.Opaserv.K.Worm is a network-aware
   worm that spreads across open network shares. This worm copies itself to
   the remote computer as a file named Mqbkup.exe. It is compressed with a
   PECompact packer.
   Also Known As: W32/Opaserv.worm.m [McAfee], W32/Opaserv-I [Sophos],
   W32/Opaserv-L [Panda], Opaserv.F [F-Prot]

    01 January 2003 - Symantec Security Category 2: W32.Duksten.D@mm
   Symantec Security Updates reports W32.Duksten.D@mm is a variant of
   W32.Duksten@mm. It is a mass-mailing worm that uses its own SMTP engine
   to mail itself to all contacts in the Microsoft Windows Address Book.
   Also Known As: WORM_PRESTIGE.B [Trend], W32/Prestige-A [Sophos],
   W32/Duksten@MM [McAfee]
   Variants: W32.Duksten@mm
   The email message has the following characteristics:
   From: "Fotos_PresTiGe"<freeserver@nautilus.org>
   Subject: fotos INEDITAS del PRESTIGE en el fondo del Atlantico!
   Message Body: (There is no message.)
   Attachment: Prestig.zip

    01 January 2003 - Symantec Security Category 2: W32.Duksten.E@mm
   Symantec Security Updates reports W32.Duksten.E@mm worm is a variant of
   the W32.Duksten@mm worm. It is a mass-mailing worm that uses its own SMTP
   engine to mail itself to all contacts in the MS Windows Address Book.
   Also Known As: WORM_PRESTIGE.A [Trend]
   The email message has the following characteristics:
   From: "Greenpace"<boletin@greenpace.org>
   Subject: Nuevas grietas del PrestiGe nos amenazan!
   Message Body: (There is no message.)
   Attachment: Grietas.zip



   Miscellaneous

    31 December 2003 - Bogus emails target Bank of England customers
   ZDNet says scammers have sent more than 100,000 emails to Bank of England
   customers attempting to trick them into opening an attachment
 
    31 December 2003 - Terror warning conceals virus
   ZDNet says a virus hidden in an email purporting to warn of planned
   terrorist attacks is spreading in Malaysia
 
    31 December 2003 - Cyberblackmailers target office workers
   ZDNet says scammers are threatening to delete files or install
   pornographic images on corporate PCs unless a ransom is paid
 
    31 December 2003 - Another bank spoof phishes for data
   ZDNet says Singapore's DBS Bank is the latest victim of scammers who lure
   customers to fake Web sites and attempt to trick them into entering
   personal data
 
    28 December 2003 - Disney shares customer Web data
   ZDNet says Walt Disney has changed its online privacy policy so that
   information entered by customers can be shared between its different
   divisions
 
    18 December 2003 - Warning email hides scam
   ZDNet says an email warning of online banking fraud is itself an attempt
   to fool customers into releasing personal data, an Australian bank says
 
    11 December 2003 - Yahoo patches Web-email hole
   ZDNet says Yahoo says it has fixed a security flaw in its free email
   service
 
    11 December 2003 - Oracle warns on 'high risk' flaw
   ZDNet says Oracle has told its database customers to patch a hole that
   could allow an attacker to take control of a server
 
    11 December 2003 - Microsoft skips December patch
   ZDNet says Microsoft will not issue its monthly security patch in December
 
    11 December 2003 - Sensitive data exposed on Web
   ZDNet says a US database with detailed personal information lay open to
   anyone on the Internet for several hours on Tuesday
 
    11 December 2003 - HSBC's Hong Kong site 'spoofed'
   ZDNet says a Web site purporting to be the Hong Kong home page of the
   global banking giant asks customers to enter their security details
 
    03 December 2003 - Fraudulent e-commerce site proves hard to close
   ZDNet says a convincing e-commerce site is still up six weeks after the
   discovery that it is fraudulently using fake security certificates and
   the details of another, legitimate, Web site
 
    14 November 2003 - Cyberblackmail Hits UK
   ZDNet says Britain's Hi-Tech Crime Unit is warning of a potential crime
   wave growing in tandem with broadband subscriptions
 
    06 November 2003 - 'Legacy Viruses' Lie In Wait
   ZDNet says old viruses do not die but merely remain dormant, according to
   experts at an antivirus conference
 
    30 October 2003 - Bank Scam May Originate From Russia
   ZDNet says emails attempting to trick customers out of their bank account
   details could be a Russian version of the 419 email scam, according to a
   security expert
 
    26 October 2003 - Hotmail Promises Better Spam-catching
   ZDNet says Microsoft says using 'white lists' of approved addresses will
   help reduce the spam plaguing its Hotmail users
 
    26 October 2003 - Hackers Steal Easily Guessed Passwords
   ZDNet says users remain the weakest link when it comes to IT security,
   according to a survey
 
    21 October 2003 - Asian Spammers 'Hijack Broadband PCs'
   ZDNet says a UK security firm says spammers based in Malaysia, the
   Philippines and Taiwan are turning vulnerable home and small business
   PCs in Western countries into spam relays
 
    16 October 2003 - Microsoft Fixes Flaw Capable Of Killing Hotmail
   ZDNet says a security hole potentially gave hackers access to Hotmail
   users' address books and allowed emails to be sent
 
    08 October 2003 - Adobe Patches SVG Viewer
   ZDNet says the software publisher has updated a plug-in that lets popular
   Web browsers display images created in SVG format, after the discovery of
   several security holes
 
    07 October 2003 - Swappers 'Vulnerable To Hackers'
   ZDNet says P2P service Earthstation 5 has updated its software after
   reports that older versions could give hackers access to users' PCs
 
    02 October 2003 - New Trojan Appears To Attack VeriSign
   ZDNet says a Trojan program has emerged in Australia that may be
   triggering a concerted assault on VeriSign's domain name
 
    30 September 2003 - AOL Opens Up Spam Tools
   ZDNet says AOL has made its anti-spam software available to customers
   using older versions of its services
 
    30 September 2003 - Spying E-card Conceals Trojan
   ZDNet says those with a jealous temperament are being targeted by a
   company selling spyware installed via seemingly innocuous e-cards,
   though experts are questioning the legality of the service
 
    26 September 2003 - OpenSSH Patches Second Specialised Flaw
   ZDNet says the open-source project for secure communications has released
   a patch for a security hole that affects only some installations varying
   from its default configuration
 
    08 September 2003 - Identity Theft Hits Millions
   ZDNet says the incidence of identity fraud is increasing, but most
   information is stolen in the physical world rather than online
 
    28 August 2003 - FBI Tracks Worm Writers
   ZDNet says the FBI says it will hunt down the perpetrators of the Sobig
   virus and the MSBlast worm

    24 August 2003 - Attorney General Takes Controversial Act on Tour
   ZDNet says the US attorney general has launched a nationwide tour
   pointing out the benefits of the Patriot Act, which allows authorities
   to monitor Internet communications without a warrant

    24 August 2003 - Security Flaws Jeopardise Online Banking - Survey
   ZDNet says the banking sector fared poorly in a survey measuring network
   security across blue-chip firms

    14 August 2003 - Microsoft Braces as Web Worm Prepares to Attack
   Reuters says like sharp-shooters armed and ready to fire, hundreds of
   thousands of computers are poised to let fly a potentially crippling data
   attack on a lone Web site belonging to software giant Microsoft Corp.
   Starting on Saturday, August 16, each computer infected by the "Blaster"
   Internet worm will begin sending packets of data several times per second
   to the Microsoft site in an attempt to knock it offline.

    03 July 2003 - Microsoft Plugs Passport Hole
   ZDNet says a flaw that allowed hackers entry into some Passport accounts
   has been corrected, Microsoft says
 
    03 July 2003 - VirusList Alerts: July 6th Mass Hack Attack Planned
   VirusList.com Alert says the U.S. government warns of a planned mass
   attack with the reported goal of defacing 6,000 Web sites in 6 hours.
   Those organizing the attack are billing it as a competition presumably
   measured by the total number of Web sites a particular hacker or hacker
   group can manage to deface. The mass attack is scheduled for this coming
   Sunday (July 6th) with the only known prize being an enigmatic 500 MB of
   online storage space, which is perhaps a joke, as hackers typically have
   no problems finding far more storage space on hacked networks.
   Individual computer users are not the target of the planned attack, but
   could indirectly experience disrupted Internet service.
   * ZDNet story: Hackers compete to deface Web sites
 
    22 June 2003 - Hackers Masquerade As Best Buy To Steal Credit-Card Details
   ZDNet says an email purporting to be from the electronics chain is
   directing would-be victims to a fake Best Buy Web site
 
    22 June 2003 - Meet Stumbler: Next Gen port scanning malware
   Security Focus has an article by John Leyden of The Register that says
   security experts are tracking the spread of a mysterious piece of malware
   which has been linked to an upsurge in distributed port scanning on the
   Internet. Little is known about the malware - dubbed 55808 because of its
   window size, or Stumbler - other than that it appears to be a client
   capable of scanning and receiving network mapping data from other similar
   clients distributed across the Internet. Already copycat Trojans similar
   to Stumbler have been produced. One of these has been captured and
   analysed by security outfit IntruSec. Read the report for the link to
   IntruSec.
 
    18 June 2003 - Unprotected Home Computers Hijacked To Send Spam
   VirusList.com News says a growing trend sees spammers targeting home
   computers with trojan programs to remotely send out spam. The steady
   increase in home users employing unprotected (no firewall), "always on"
   broadband connections has provided spammers/hackers with a fertile pasture
   of computers ripe for the picking. It is not difficult for them to locate
   and impregnate vulnerable machines with trojan programs
 
    11 June 2003 - Mobile Devices Pose An Ever Greater Threat
   VirusList.com News says network security policy must take into account
   the ever-increasing malicious code threat brought by mobile devices such
   as smart phones and hand-held computers.
 
    05 June 2003 - Cybersecurity & You: Five Tips Every Consumer Should Know
   Security Focus has an interesting article written by Brian Krebs of the
   Washington Post. Mr. Krebs goes into detail on his following 5 tips:
   1. Install and use a firewall
   2. Use anti-virus software and update virus definitions regularly
   3. Create secure, original passwords
   4. Update your computer(s) with the latest vendor security patches
   5. Practice basic e-mail and downloading "street smarts"
 
    02 June 2003 - Yahoo Patches Messenger, Chat Flaws
   ZDNet says newly discovered bugs could allow an attacker to execute
   code on a user's computer
 
    14 May 2003 - New Attack Sheds Light On Virtual Machine Security Flaws
   ZDNet says a student researcher has come up with an attack that uses
   light to thwart the security of Java and .Net virtual machines. An
   attack using his technique requires physical access to the computer,
   so the technique poses little threat to virtual machines running on
   PCs and servers. But it could be used to steal data from smart cards,
   said Sudhakar Govindavajhala, a computer-science graduate student at
   Princeton who demonstrated the procedure on Tuesday.
 
    12 May 2003 - Security Focus Mirabilis ICQ Vulnerability Advisories
   ICQ is an instant messenger client for a number of platforms including
   Microsoft Windows. These advisories pertain to Mirabilis ICQ:
   * ICQ POP3 Client UIDL Command Format String Vulnerability
   A format string vulnerability has been discovered in the ICQ POP3
   client when handling the identification string.
   * ICQ POP3 Client Date Field Signed Integer Overflow Vulnerability
   A vulnerability has been reported for the POP3 client of ICQ that may
   result in the execution of arbitrary attacker-supplied commands
   * ICQ Message Session Window Denial Of Service Vulnerability
   A denial of service vulnerability has been discovered in the HTML
   rendering library used by Mirabilis ICQ to process advertisement code
   * ICQ GIF Parsing Denial Of Service Vulnerability
   ICQ is prone to a denial of service condition when parsing GIF89a
   headers
   * ICQ POP3 Client Subject Field Signed Integer Overflow Vulnerability
   A vulnerability has been reported for the POP3 client of ICQ that may
   result in the execution of arbitrary attacker-supplied commands.
   * ICQ Features On Demand Remote Command Execution Vulnerability
   The ICQ Features on Demand allows users to download and install ICQ
   add-on client software such as ICQ Phone and ICQ Web Search. When ICQ
   Features on Demand is invoked, it does not verify the authenticity of
   the package in any way. This could allow a malicious user to impersonate
   the package repository service through some other attack, such as DNS
   poisoning.
 
    10 May 2003 - Broadband 'Increases Security Risk Fivefold'
   ZDNet says while DSL gives businesses a performance boost, it also opens
   up a nasty can of worms, viruses and hackers - something many firms are
   still ignorant of. Analysts have calculated that a business running a
   broadband Internet connection is five times more vulnerable to a security
   breach than one that uses dial-up.
 
    07 May 2003 - Music Labels To Sabotage P2P Users' PCs
   ZDNet says record labels have started developing Trojan horses and
   viruses that will attack the machines of people downloading copyright
   music
 
    07 May 2003 - ICQ Flaws Open PCs To Attack
   ZDNet says a security company has released an advisory detailing six
   flaws in the ICQ communication software, two of which are serious
   vulnerabilities
 
    29 April 2003 - Cisco Flaw Affects Windows Servers
   ZDNet says a bug in Cisco's Secure ACS could allow an attacker to take
   control of a company's security infrastructure

    18 April 2003 - NAI Report: Keylog-Panteras application
   Network Associates says this detection is of the application type, for
   "potentially unwanted applications"; it is not a virus. This application
   is a keylogger. It is designed to capture typed keystrokes and can be
   employed by a malicious user to steal various account and password
   information.

    16 April 2003 - RSA: Split Passwords Make Secrets Safer
   ZDNet says RSA Security's Nightingale could keep passwords more secure by
   storing them in two places. The process was formerly used only in high-end
   systems, but could now help make consumer e-commerce sites safer

    07 April 2003 - Security Flaw Hits SETI@home
   ZDNet says the flaw means that an attack could target any of the
   distributed computing project's millions of clients around the world

    01 April 2003 - Data Thieves Strike University
   ZDNet says hackers have broken into a server containing thousands of
   credit card numbers belonging to Georgia Institute of Technology patrons

    01 April 2003 - NAI Virus Report: Free-Scratch-Cards application
   Network Associates says this is a "potentially unwanted application". It
   is not a virus or trojan, but rather a program that claims to allow users
   to win money. The application is installed via an ActiveX control on a
   web site. Read the report for Removal Instructions or contact the program
   author (origin) for removal instructions.

    31 March 2003 - Sendmail Breached By New Flaw
   ZDNet says most small and medium-sized businesses are likely to have at
   least one vulnerable server, experts have warned. The flaw was discovered
   by US-based security researcher Michal Zalewski, and is separate from the
   one discovered by Internet Security Systems earlier this month.
 
    31 March 2003 - CDC Extends SARS Travel Advisory
   The Centers for Disease Control and Prevention (CDC) today extended its
   travel advisory for Severe Acute Respiratory Syndrome (SARS) to include
   all of mainland China as well as Hanoi, Vietnam and Singapore. The death
   toll to date in Canada has reached four.
   * CDC Travelers' Alerts
   * CDC Travelers' Outbreaks
   * For public inquiries, call Centers for Disease Control and Prevention
     (CDC) hotline: English 888-246-2675, Español 888-246-2857, TTY
     866-874-2646.
 
    31 March 2003 - CNEWS Tech News - Canuck Web Sites Hacked
   Canoe.ca says another front of the war on Iraq is being fought on the
   Internet as hackers have increased attacks by 450%, with Canadian Web
   sites among the most popular targets, says a Toronto-based security
   consultant. Claudiu Popa, of LSM Consulting, said one group of hackers
   reportedly single-handedly defaced 800 Web sites with anti-war messages.
 
    21 March 2003 - CDC Worldwide Alert: Pneumonia Alert Updated March 20, 2003
   This is an update to the March 15th Interim Travel Advisory which now
   includes "Hong Kong, Guangdong Province, People's Republic of China, and
   Hanoi, Vietnam". As of March 20, 2003, the Centers for Disease Control
   and Prevention (CDC) has received reports from World Health Organization
   (WHO) of 306 cases outside of the U.S. of a severe form of pneumonia,
   also called severe acute respiratory syndrome (SARS). CDC has reported 13
   U.S. cases to WHO. Because SARS has appeared to spread rapidly, the
   Director General of the World Health Organization (WHO), Dr. Gro Harlem
   Brundtland, issued emergency guidance for travelers and airlines so that
   symptomatic people receive immediate health care, are brought to the
   attention of public health authorities, and are advised against travel
   while ill. The CDC previously had received reports of outbreaks in Hong
   Kong SAR, Vietnam, and Guangdong, a province in southern China, Canada,
   Indonesia, Philippines, Singapore, and Thailand.
   * CDC Travelers' Alerts
   * CDC Travelers' Outbreaks
   * For public inquiries, call Centers for Disease Control and Prevention
     (CDC) hotline: English 888-246-2675, Español 888-246-2857, TTY
     866-874-2646.
 
    20 March 2003 - Secret Security Holes Released To Public
   ZDNet says a hacker claims to have stolen three security advisories
   from a corporate computer and posted them on a public mailing list,
   creating fresh dilemmas for users and software makers
 
    20 March 2003 - Attack Knocks Tiscali Customers Offline
   ZDNet says an 'external attack' led to temporary loss of service for some
   UK users, and is causing some ongoing problems
 
    16 March 2003 - CDC Worldwide Alert: Severe Acute Respiratory Syndrome
   The Center For Disease Control (CDC) issues health alert about atypical
   pneumonia. In response to reports of increasing numbers of cases of an
   atypical pneumonia that the World Health Organization (WHO) has called
   Severe Acute Respiratory Syndrome (SARS), the Centers for Disease Control
   and Prevention (CDC) announced several steps to alert health authorities
   at local and state levels. CDC activated its emergency operations center
   on Friday, March 14, upon learning of several cases reported in Canada
   among travelers recently returned from Southeast Asia and their family
   members.
   * CDC Media Relations - Telebriefing Transcript - March 15, 2003
     CDC's Response to Atypical Pneumonia in Southeast Asia and Canada
   * CDC Travelers' Health - Interim Travel Advisories and Outbreaks
   * Travel Advisory: Updated March 15, 2003; Released March 13, 2003
     As of March 15, 2003, the Centers for Disease Control and Prevention
     (CDC) has received reports of outbreaks of a severe form of pneumonia
     in Hong Kong SAR, Vietnam, and Guangdong, a province in southern
     China, Canada, Indonesia, Philippines, Singapore, and Thailand, which
     appears to have spread rapidly. For this reason, the Director General
     of the World Health Organization (WHO), Dr. Gro Harlem Brundtland,
     issued emergency guidance for travelers and airlines so that
     symptomatic persons receive immediate health care, are brought to the
     attention of public health authorities, and are advised against travel
     while ill. Read the advisory for the CDC guidelines.
 
    14 March 2003 - Security Holes Found In Domino and Lotus Notes
   VirusList.com News says last week the research firm Rapid7 raised safety
   concerns over IBM's Lotus Notes and Domino application server. Reported
   are vulnerabilities that could lead to DoS (Denial of Service) attacks
   and the unauthorized granting of remote control of Domino servers.
 
    13 March 2003 - NAI Virus Report: Demo-Opera
   Network Associates says this is a "potentially unwanted application".
   This detection is for a program which is a utility to demonstrate a
   long-filename buffer overflow vulnerability in Opera 6 and 7. The program
   consists of a Perl script that emulates an HTTP server on the local system.
   Upon connecting to it using a vulnerable Opera client, the user can
   examine the exploit.
 
    11 March 2003 - Security Alert Posted For PeopleSoft
   ZDNet says a serious security flaw in business management software from
   PeopleSoft leaves sensitive corporate data vulnerable to hackers, a
   computer security service firm warned on Monday. PeopleSoft released
   patches to correct the problem several weeks ago, and the patches and
   details about the vulnerability are available on the company's private
   Web site for PeopleSoft customers as well as through ISS.
 
    10 March 2003 - Worm Could Be Clearing Path For DDoS Attack
   ZDNet says the new Deloder worm that leaves behind two Trojan horse
   programs has begun spreading over the Internet, and may be paving the
   way for a crippling distributed denial of service (DDoS) attack. The
   technical make-up of the Trojans it leaves behind is of concern. They
   consist of a commonly used piece of network administration software
   called Virtual Network Computing (VNC), and an Internet Relay Chat (IRC)
   "bot". This worm, unlike others such as Klez, requires no user
   interaction to spread -- it exploits common passwords, such as "password"
   and "computer", in share directories in Windows NT/2000/XP machines and
   hence spreads automatically. Aside from potential DDoS implications,
   Daniel Zatz, a security spokesman from Computer Associates, says that end
   users may be stung through identity theft -- even a novice malicious
   hacker can
   access an infected system with ease. "This is one of the ways that
   identity theft occurs," he said. Despite this, Melbourne-based security
   consultant Adam Pointon says that the worm is hitting home users hard.
   "It's been increasing threefold over the last few days," he said.
 
    10 March 2003 - PayPal Users Targeted By Email Scam
   ZDNet says PayPal subscribers are being targeted by a fraudulent email
   scheme designed to con them into handing over their personal information.
   Over the past week, users of eBay's online payments service have been
   receiving emails masquerading as official PayPal alerts, eBay spokesman
   Kevin Pursglove confirmed on Friday. The emails tell recipients that
   their PayPal accounts have been randomly selected for maintenance and
   placed on "Limited Access" status. The message, which appears to come
   from info@paypal.com, instructs the account holder to enter credit card
   and bank account numbers in an online form embedded in the email.
 
    09 March 2003 - FRISK Security Alerts: Sendmail Security Alert
   F-Prot Alert Service says a serious vulnerability in Sendmail, the
   Internet's most popular mail server software, may allow an attacker to
   infect a mail server running Sendmail with a worm or virus or take
   control of the machine. The security flaw does not directly affect
   desktop personal computers. Sendmail is immediately providing software
   patches for all currently supported releases of Sendmail's commercial
   products which include Solaris, Linux, AIX, Windows NT/2000 and HP-UX.
   * Sendmail's security alert at www.sendmail.com
 
    23 February 2003 - Huge Hack Accesses Visa And MasterCard Data
   VirusList.com News says the FBI is investigating a "monster" hack of Visa
   and MasterCard account details. According to a Reuters report, over 5
   million U.S. Visa and M/C accounts were accessed when a hacker or hackers
   penetrated the computer systems of an unspecified company handling credit
   card transaction processing.

    06 February 2003 - VirusList.com News: "Helkern" - The Fastest Ever
   The "Helkern" worm is confirmed to be by far the fastest spreading
   computer virus ever. In just ten minutes, approximately the same amount
   of time between each alarm clock "snooze", Helkern (aka Slammer, aka
   Sapphire) screamed around the globe, leaving a trail of havoc in its
   wake. In the first minute of the Helkern outbreak, the worm doubled its
   number every 8.5 seconds, reports the Cooperative Association for
   Internet Data Analysis (CAIDA). To fully appreciate this statistic we
   must compare it to what was previously viewed as a fast spreading worm
   - Code-Red, which eighteen months ago managed to double every 37 minutes.

    04 February 2003 - The Virus Top Twenty and Review for January 2003
   VirusList.com News says Kaspersky Labs presents a review of computer
   virus activity for January 2003. The I-Worm.Klez sits at number one,
   with 16.65 percent of the registered incidents. Win32.FunLove is last
   in the list at 0.65 percent

    01 February 2003 - Users Slam System Administrators For Slammer Outbreak
   VirusList.com News says the patch needed to prevent "Helkern" infection
   has been available from Microsoft for six months. A recent survey of PC
   users, conducted by a leading anti-virus software vendor, shows nearly
   two out of three blame system administrators for the massive outbreak of
   the "Helkern" (aka Slammer aka Sapphire) worm virus. The top two
   "blamees", system administrators and Microsoft, were so popular that
   there is no need to even mention the third place culprit. Though it
   should be
   noted that the worm's author(s) did not even make the list.



Virus Help Team Canada Site (c)2000-2012 by Charlene
VHT-CAN and our webhoster disclaim any responsibility for software obtained through this site. All copyrights and trademarks are acknowledged.

Last Updated: December 01, 2005