VIRUS ALERTS
updated October 11, 2003
Date October 11, 2003
'Phishing' Scams Growing Like Crazy
The term comes from techies who like to replace the letter 'f' with 'ph.' So, the term applies to scamsters who are
'phishing' for your private information, to steal your credit card or bank info -- or worse, your identity.
There are two new variants I wanted to let you know about.
The first is the generic version of the bank scams. I saw this for the first time this week.
Here's a sample. (Note: spelling errors are in actual emails.)
...
Subject: YOUR ONLINE BANKING ACCOUNT
Dear Online Banking Consumer,
This email was sent by your Online Banking center to verify your e-mail address. You must complete this process by
entering required iformation like your Online Banking login and password. This is done for your protection --- becaurse
some of our members no longer have access to their email addresses and I must verify it. Please, complete the
following information:
Bank Routing/ABA Number (9 digits):
First 6 digits of your Banking Card:
Online Banking Login ID (CIN or CAN):
Your Online Banking Password (or PIN):
...
The second one is almost funny -- except that innocent people are getting taken:
...
You credit card has been charged for $234.65
Important notice
I have just charged your credit card for money laundry service in amount of $234.65 (because you are either child
po... graphy webmaster or deal with dirty money, which require us to layndry them and then send to your checking account).
If you feel this transaction was made by our mistake, please press "No."
If you confirm this transaction, please press "Yes" and fill in the form below.
Enter your credit card number here:
Enter your credit card expiration date:
...
What do you do if you get an email like this?
Nothing. Delete the email! It's a scam.
Legitimate banks and organizations may send you offers and coupons via email, but they do NOT ask for your personal and
banking information via email.
If you have any question about the legitimacy of an email, go to the official website directly, or call or email the company.
Never click on the link in the email.
ACTION: Never, ever, ever respond to emails that ask for personal info.
~~~
Internet Access Service Scams
This scam, which has changed quite a bit over the past several years, makes it onto the Federal Trade Commission's list of
Top Ten 'DotCons.'
==> http://www.ftc.gov/bcp/conline/pubs/online/dotcons.htm
In the early days (in the late 1990s), this scam was launched by sending victims a check through snail mail (and this still goes on).
It seemed as if you were getting money for doing nothing. But the catch was that by cashing the check, you were agreeing to
purchase Internet access, usually at exorbitant prices, for what may as well be the rest of your life.
If you tried to cancel the service you'd find that there are hefty cancellation fees.
Avoiding this scam is reasonably easy: never sign anything, even the back of a check, without reading over any material
that you received along with the 'free' money.
In the last few years, this scam has evolved to bundling Internet access with free or low-cost computers.
You may be asked to pay for the computer up front and receive a rebate of most of the purchase price when you sign the
contract for the Internet access.
In most cases you'll be 'locked in' to the access -- sometimes for as much as several years.
You may be forced to dial a long distance number to access the service. And if you try to cancel, the penalties are onerous.
You may even have to return a portion of the rebate if you cancel the Internet service.
It's usually a LOT cheaper to lease or finance the computer.
Avoid this scam by remembering that if a deal seems too good to be true... it probably is!
Read the fine print on any 'free' PC deal you see online or receive and pay particular attention to whether it is
mandatory to have Internet access bundled in with the computer.
And if you receive the offer via email 'spaham,' don't even waste your time reading it -- it's a scam.
~~~
Web Cramming
Web cramming is another scam to make it onto the FTC's Top Ten list.
This scam is usually initiated with a telephone call and the target is either individuals or small business owners.
I've talked about this scam for individuals before -- here's the small business owner version:
The caller offers your business a customized Website for 30 days free of charge. After the introductory period, a monthly
fee of $20-$30 will apply.
Sometimes victims are told that they will be automatically billed after the 30 days is up. Other times victims are told
that they won't be billed unless they authorize the continuation of the service.
The FTC reports that regardless of what is said during the call, victims are automatically billed for this
'service' whether they authorize it or not.
This scam would be slightly less distasteful if you in fact received something of value for your money. However, the
Websites that are constructed are usually poorly done, full of errors and misspellings... and essentially useless to your
business.
To guard against this scam you should:
- Be aware that you have no obligation to pay for services you haven't specifically ordered. If you receive a bill for a
service you didn't order, do not pay it.
- Keep a close eye on your phone bills. This is where the charges for this type of scam may show up. Review your bills
as soon as they are received and question any charges that you haven't ordered or authorized.
- Ask for documentation any time you purchase anything by any method (online, over the phone, in person or via fax).
- Designate one or two staff as responsible for purchasing and restrict purchasing to these individuals.
- Alert your staff about scams of this type and how to deal with scammers on the telephone.
Wishing you a scam-free October.
Love Pasta?
The Flying Noodle has lots of great -- and unique -- options
to choose from!
Makes a perfect gift -- for your favorite pasta lover... or
for yourself. ;-)
Be sure to check out the Pasta Club: 10 meals per month -- all designed to be on the table in 15 minutes or less.
New software so useful that many Internet marketers are perhaps reluctant to share this 'secret weapon'
Ad Word Analyzer is a very clever piece of software that helps you quickly, easily and profitably uncover excellent niches.
If you use pay per click advertising -- or you'd like to but have found it too time consuming or too expensive in the past
-- then Ad Word Analyzer is definitely a product you should check out.
Ad Word Analyzer is very easy to use. You don't need to be a keyword expert to have excellent results with Ad Word
Analyzer.
In short, Ad Word Analyzer saves you time and money by showing you how many competitors are currently bidding on your
keywords on both Google AdWords and Overture -- as well as dozens of other keywords you should be bidding on.
Date: September 19, 2003
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. No Swan Songs - WORM_SIN.A (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Put Spam Back in the Can - Aberdeen Group Spam Report
1. Trend Micro Updates - Pattern File and Scan Engine Updates
PATTERN FILE: 636
SCAN ENGINE: 6.510
NOTE: PATTERN FILE SERVICE PACK AVAILABLE FOR TREND MICRO CUSTOMERS
2. No Swan Songs - WORM_SIN.A (Low Risk)
WORM_SIN.A is a non-destructive, mass-mailing worm that poses as a legitimate email
from Microsoft Windows Update. In addition to its mass-mailing routine, it attempts to
propagate via peer-to-peer (P2P) file-sharing networks (such as Kazaa), via IRC, and via
newsgroups. WORM_SIN.A also terminates antivirus and firewall software running on an
infected system. This malware runs on Windows 95, 98, NT, ME, 2000, and XP.
Upon execution, the worm displays a fake error message box to disguise itself as a MAPI32
Execution Error. This requires users to input details of their email account, such as:
email address
username
Password
SMTP server
POP3 server
The worm then searches for the Windows directory and drops a copy of itself with a random
file name in the %Windows% folder. It also creates a registry entry that allows it to run at
every Windows startup. The executed malware then transfers execution to the dropped copy
of the worm, and terminates.
The following files are also dropped by the worm in the Windows directory:
<computer name>.bat
<random name>.<random extension>
germs0.dbv
germs1.dbv
sIn1.dat
This worm uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate via email. It
obtains its target email addresses from .EML, .WAB, .DBX, and .MBX files in all directories of
the infected system. When sending the email message, it connects to the default SMTP server
of the infected machine.
Following are the characteristics of the infected email:
From: ms inet mail storage service [webdaemon@freemail.com]
To: network receiver
Subject: <none>
Message Body: Hi.
Undeliverable message to <user>@freemail.com
Attachment: <random name>.exe
Using its own SMTP engine, the malware also connects to any of several Network News
Transfer Protocol (NNTP) servers where it searches for its target contacts.
The worm also attempts to drop copies of itself in a shared folder over peer-to-peer (P2P) file-
sharing networks, with file names that use a combination of strings hard-coded in its body. It
modifies registry entries to allow copies of itself to be shared in the Kazaa network.
WORM_SIN.A attempts to propagate via the mIRC application as well. It first searches for the
mIRC installation directory and locates the SCRIPT.INI file. If the worm finds this file, it
overwrites it with its own version of the SCRIPT.INI file. However, if the file does not exist, it
creates this SCRIPT.INI file in the mIRC folder. The worm also attempts to drop copies of
itself in all mapped Startup folders in network drives.
The worm terminates antivirus and firewall software that is running on an infected system.
If you would like to scan your computer for WORM_SIN.A or thousands of other worms,
viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner
at: http://housecall.trendmicro.com
WORM_SIN.A is detected and cleaned by Trend Micro pattern file #635 and above.
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(Week of: September 8, 2003 to September 14, 2003)
WORM_SPYBOT.GEN
WORM_MSBLAST.D
JAVA_BYTVERIFY.A
WORM_MIMAIL.A
WORM_SOBIG.F
PE_NIMDA.E
BKDR_COREFLOOD.A
WORM_KLEZ.H
PE_PARITE.B
ADW_TENGET.A
4. Put Spam Back in the Can - Aberdeen Group Spam Report
Spam has shifted from being a nuisance for email users to a drain on enterprise resources,
and a covert channel for delivering hostile mobile code into the enterprise. And, as recent
events have shown, virus writers are now adopting methods used by commercial spammers,
giving spam what appears to be a decidedly dangerous alter ego. Spam prevention is now a
necessity rather than a luxury.
Read Aberdeen Group's White Paper on how Trend Micro puts spam back in the can
Date: September 12, 2003
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Ice is Nice - WORM_NEROMA.A (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Head-to-Head Comparison: Web Security Performance
1. Trend Micro Updates - Pattern File and Scan Engine Updates
PATTERN FILE: 630
SCAN ENGINE: 6.510
NOTE: PATTERN FILE SERVICE PACK AVAILABLE FOR TREND MICRO CUSTOMERS
2. Ice is Nice - WORM_NEROMA.A (Low Risk)
WORM_NEROMA.A is a mass-mailing worm that sends copies of itself as an attachment, to all
addresses listed in the infected user's Microsoft Outlook address book. It affects computers running
Windows 95, 98, ME, NT, 2000, and XP.
Upon execution, this worm copies itself to the Windows directory as NEROSYS.EXE, and creates
autostart registry entries. It propagates by sending copies of itself as an email attachment with the
following:
Subject: It's Near 911!
Message Body: ice butt baby!
Attachment: 911.jpg
The displayed attachment name is 911.jpg but the actual file name is NEROSYS.EXE, the real name
and executable copy of the worm.
Due to possible programming errors in its code, the email Message Body is displayed as "ice butt
baby!" instead of "nice butt baby!"
If you would like to scan your computer for WORM_NEROMA.A or thousands of other worms, viruses,
Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:
http://housecall.trendmicro.com
WORM_NEROMA.A is detected and cleaned by Trend Micro pattern file #627 and above.
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(Week of: September 1, 2003 to September 7, 2003)
WORM_SOBIG.F
JAVA_BYTVERIFY.A
WORM_MSBLAST.A
WORM_SPYBOT.GEN
WORM_BUGBEAR.A
WORM_MSBLAST.D
WORM_KLEZ.H
PE_DUMARU.A
WORM_KWBOT.C
TROJ_SMALL.M
Trend Micro Weekly Virus Report
(by TrendLabs Global Antivirus and Research Center)
Date: August 29, 2003
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Payload Worm - WORM_RANDEX.E (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. How Much is Spam Costing You?
1. Trend Micro Updates - Pattern File and Scan Engine Updates
PATTERN FILE: 622
SCAN ENGINE: 6.510
2. Payload Worm - WORM_RANDEX.E (Low Risk)
WORM_RANDEX.E is a non-destructive worm that runs on Windows NT, 2000, and XP. Upon
execution, this worm creates a mutex named, "msejaer32," which it uses to check and ensure
that only one copy of itself is running in memory. It also adds a registry entry that allows it to
run at every Windows startup, and drops the file "PAYLOAD.DAT". This file is the worm's
backdoor component. The backdoor file, however, is not executed by this worm nor can it
execute on its own.
When executed manually, the backdoor component creates a mutex named, "mssysviewer,"
which it uses to check and ensure that only one copy of itself is running in memory. It then
adds an autorun entry in the registry so that it runs at every Windows startup. While in
memory, the backdoor component connects to an IP address that is hard-coded in its body via
a random port. It does this as a notification to a remote user that it is running and ready to
receive commands. It then listens on the following TCP ports for remote commands:
3330
3331
3332
Once this worm is active in memory, it randomly accesses remote machines (using random IP
addresses) on SMB shares via port 445. It checks whether it can access a machine by
attempting to connect to the IPC$ share using the following passwords:
(null password)
@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
1
111
123
1234
123456
654321
admin
asdf
asdfgh
root
server
If successful, it copies itself as MSMSGRI32.EXE in the following paths:
<machine IP>\c$\winnt\system32\msmsgri32.exe
<machine IP>\Admin$\system32\msmsgri32.exe
It then schedules a network job using the NetScheduleJobAdd API function to run the dropped
malware copies.
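Two defender checks that follow from the WORM_RANDEX.E description above, as an added example (not code from Trend Micro or the newsletter): screening a password against the worm's hard-coded list, and spotting its spreading pattern, one host opening IPC$ sessions to many distinct targets in a short window, in a constructed SMB log. The log line format (timestamp, source, destination, share, result) is an assumption.

```python
"""Added example: WORM_RANDEX.E defender checks over constructed data."""
from collections import defaultdict
from datetime import datetime

# Passwords the report says the worm tries against the IPC$ share.
RANDEX_PASSWORDS = {
    "", "@#$", "!@#$%", "!@#$%^", "!@#$%^&", "!@#$%^&*",
    "1", "111", "123", "1234", "123456", "654321",
    "admin", "asdf", "asdfgh", "root", "server",
}

def is_randex_password(candidate):
    """True if this password would let the worm in via IPC$."""
    return candidate in RANDEX_PASSWORDS

def parse_smb_line(line):
    """Parse one constructed log line: '<iso-ts> <src> <dst> <share> <result>'."""
    ts, src, dst, share, result = line.split()
    return datetime.fromisoformat(ts), src, dst, share.upper(), result

def find_ipc_sweepers(lines, min_targets=5, window_seconds=60):
    """Return source IPs that opened IPC$ sessions to at least min_targets
    distinct hosts within window_seconds. A worm picking random IPs fans out
    this way; an admin touching a couple of servers does not."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, share, _ = parse_smb_line(line)
        if share == "IPC$":
            by_src[src].append((ts, dst))
    sweepers = set()
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct targets reached in the window that begins at this event.
            targets = {dst for ts, dst in events[i:]
                       if (ts - start).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                sweepers.add(src)
                break
    return sweepers

# Constructed sample: 10.0.0.5 behaves like the worm, 10.0.0.9 like an admin.
SAMPLE_SMB_LOG = [
    "2003-08-25T09:00:01 10.0.0.5 10.0.1.10 IPC$ denied",
    "2003-08-25T09:00:03 10.0.0.5 10.0.1.11 IPC$ denied",
    "2003-08-25T09:00:04 10.0.0.5 10.0.1.12 IPC$ denied",
    "2003-08-25T09:00:06 10.0.0.5 10.0.1.13 IPC$ ok",
    "2003-08-25T09:00:07 10.0.0.5 10.0.1.13 C$ ok",
    "2003-08-25T09:00:09 10.0.0.5 10.0.1.14 IPC$ denied",
    "2003-08-25T09:00:10 10.0.0.5 10.0.1.15 IPC$ denied",
    "2003-08-25T09:05:00 10.0.0.9 10.0.1.20 IPC$ ok",
    "2003-08-25T09:06:30 10.0.0.9 10.0.1.21 IPC$ ok",
]

if __name__ == "__main__":
    print("IPC$ sweepers:", find_ipc_sweepers(SAMPLE_SMB_LOG))
    print("'123456' is a worm password:", is_randex_password("123456"))
```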
If you would like to scan your computer for WORM_RANDEX.E or thousands of other worms,
viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner
at: http://housecall.trendmicro.com
WORM_RANDEX.E is detected and cleaned by Trend Micro pattern file #619 and above.
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(Week of: August 18, 2003 to August 24, 2003)
WORM_SOBIG.F
WORM_MSBLAST.D
JAVA_BYTVERIFY.A
WORM_MIMAIL.A
PE_NIMDA.E
WORM_SPYBOT.GEN
WORM_SOBIG.E
WORM_KLEZ.H
JAVA_NOCHEAT.A
JAVA_NEEDY.A
August 29, 2003
A new variant of W32/SoBig worm has recently congested email networks and
caused major delays in mail delivery all over the Internet. This high risk
virus arrives as an email attachment with a .pif or .scr extension. The
virus infects a host computer, then emails itself (using its own SMTP
engine) to email addresses collected from the victim's machine. This allows
the virus to send a massive amount of emails which saps bandwidth and slows
network performance.
Trend Micro HouseCall
VIRUS ALERT
Welcome to the Recent Worm Outbreaks - Information and Resource Center,
containing the latest news and information on the Sobig, Blaster, and Welchia
worm outbreaks. The quick succession of these worms has created a security
environment of unprecedented intensity, and has made it more critical than ever
that IT departments and employees follow security best practices. Find out here
what steps you need to take to block and remove these worms. And be sure to
check back often for further developments about these threats.
Recent Worm Outbreaks - Information and Resource Center
For each of W32.Sobig.F@mm, W32.Welchia.Worm and W32.Blaster.Worm:
STEP ONE: Click here for Virus Details
STEP TWO: Update Your Virus Definitions
STEP THREE: Download Removal Tool
This version of Stinger includes detection for all known variants, as of August 11, 2003:
BackDoor-AQJ
Bat/Mumu.worm
IPCScan
IRC/Flood.ap
IRC/Flood.bi
IRC/Flood.cd
NTServiceLoader
PWS-Sincom
W32/Bugbear@MM
W32/Deborm.worm.gen
W32/Elkern.cav
W32/Fizzer.gen@MM
W32/FunLove
W32/Klez
W32/Lirva
W32/Lovgate
W32/Lovsan.worm
W32/Mimail@MM
W32/MoFei.worm
W32/Mumu.b.worm
W32/Nimda
W32/Sdbot.worm.gen
W32/SirCam@MM
W32/Sobig
W32/SQLSlammer.worm
W32/Yaha@MM
Run Stinger.exe
Click the Add or Browse button to add additional drives/directories to
scan like D:\
Click the Scan Now button to begin scanning.
By default Stinger will repair all infected files found.
Windows ME/XP users:
Windows ME and XP utilize a restore utility that backs up selected files
automatically to the C:\_Restore folder. This means that an infected file could
be stored there as a backup file, and VirusScan will be unable to delete these
files. You must disable the System Restore Utility to remove the infected files
from the C:\_Restore folder.
Windows ME
1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the Performance tab.
3. Click on the File System button.
4. Click on the Troubleshooting tab.
5. Put a check mark next to 'Disable System Restore'.
6. Click the 'OK' button.
7. You will be prompted to restart the computer. Click Yes.
Note: To re-enable the Restore Utility, follow steps one to seven and on step
five remove the check mark next to 'Disable System Restore'.
Windows XP
1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the System Restore tab.
3. Put a check mark next to 'Turn off System Restore on All Drives'.
4. Click the 'OK' button.
5. You will be prompted to restart the computer. Click Yes.
Note: To re-enable the Restore Utility, follow steps one to five and on step
three remove the check mark next to 'Turn off System Restore on All Drives'.
I have a file / program to remove these. Send email and I will return with the file.
Subject: So Big Warning
A New Virus That's Becoming So Big
Right on the digital heels of last week's MS Blast virus comes yet another. This time it's
the Sobig virus and it's filling up inboxes the way free tickets would fill up the
SuperBowl.
From what I've read, it seems like this worm's main purpose in life is simply to spread
itself around as quickly as possible. As an added bonus, Sobig also allows its creator
to send a file to an infected computer and run it. This file (or files?) can steal
confidential information or set the infected computer up as a spam server.
In theory, the creator of this worm can auto-update the thing. So, although at the
moment the virus is more of an inconvenience than anything else, it could turn itself
into something that is capable of doing some real damage (or download a file to do the
same).
One of the problems I see is this - Imagine you infect hundreds of thousands of
computers and the users are unaware of it (as virus infected users tend to be). Then,
you have the worm download and install a file that wipes out the hard drive on the
next reboot. In a span of a few hours, you lobotomize all these machines and render
them useless. Can you imagine the damage that would do? How expensive that would
be? I've not seen anyone else discuss this possibility, but I think it's a scenario I
need to be aware of.
OK, before anyone takes a trip to panicsville, let me tell you that avoidance is easy -
make sure your anti-virus software is up to date. And, as always, don't open any
attachments you're not expecting - even if they come from a friend!!
The virus currently comes with one of the following subject lines (again, remember
this may change since the virus could update itself):
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details
It can (currently) have any of the following attachments:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
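Mail-gateway checks for the two worm mails described on this page, the WORM_SIN.A message (From "ms inet mail storage service", an "Undeliverable message" body and an .exe attachment) and the Sobig.F message (one of the subjects above plus a .pif/.scr attachment), as an added example that is not code from Trend Micro or the newsletter. The sample messages are constructed; only the sender address and the subject/attachment names come from the write-ups, and `build_sample` and `classify` are names chosen here.

```python
"""Added example: gateway classification of WORM_SIN.A and Sobig.F mails."""
import email
from email import policy
from email.message import EmailMessage

# Subject lines the Sobig.F write-up lists. The worm may update itself, so the
# subject is only trusted together with a .pif/.scr attachment.
SOBIG_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}
SOBIG_EXT = {".pif", ".scr"}
# Header and body fragments from the WORM_SIN.A report (lower-cased).
SIN_FROM = "ms inet mail storage service"
SIN_BODY = "undeliverable message to"
# Executable types a gateway should refuse outright, whatever the subject.
BLOCKED_EXT = {".pif", ".scr", ".exe", ".bat"}

def attachment_extensions(msg):
    """Lower-cased extensions of every MIME part that carries a filename."""
    exts = set()
    for part in msg.walk():
        name = part.get_filename()
        if name and "." in name:
            exts.add(name[name.rfind("."):].lower())
    return exts

def classify(raw):
    """Return the list of reasons to quarantine a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    sender = str(msg.get("From", "")).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().lower() if body_part else ""
    exts = attachment_extensions(msg)
    reasons = []
    if exts & BLOCKED_EXT:
        reasons.append("executable attachment")
    if subject in SOBIG_SUBJECTS and exts & SOBIG_EXT:
        reasons.append("sobig.f signature")
    if SIN_FROM in sender and SIN_BODY in text and ".exe" in exts:
        reasons.append("worm_sin.a signature")
    return reasons

def build_sample(sender, subject, body, attachment=None):
    """Construct a test message (constructed data, not a captured worm mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    if subject is not None:
        m["Subject"] = subject
    m.set_content(body)
    if attachment:  # a few bytes stand in for the worm's executable
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

SIN_SAMPLE = build_sample("ms inet mail storage service <webdaemon@freemail.com>",
                          None, "Hi.\nUndeliverable message to bob@freemail.com",
                          "x7q2.exe")
SOBIG_SAMPLE = build_sample("friend@example.com", "Re: Wicked screensaver",
                            "See the attached file for details.", "wicked_scr.scr")
CLEAN_SAMPLE = build_sample("alice@example.com", "Lunch?", "Noon works for me.")
```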