VIRUS INFO

Many new and altered viruses are discovered every day, so you need accurate, up-to-date information at your fingertips. New virus information is added to the Virus Information Library to ensure that the most recent information is always available instantly!


Latest Updates:

I-WORM/SIRCAM SPREADS USING E-MAIL ATTACHMENTS

SirCam is a mass-mailing worm that uses e-mail addresses stored in the Windows Address Book, and also collects addresses from the Temporary Internet Files folder, to distribute infected messages. SirCam is also a network-aware worm: it searches for network shares and infects them too. The SirCam worm is also known as W32.SirCam.Worm, W32.SirCam or TROJ SirCam.A.

SirCam arrives as an e-mail attachment; the message subject and body vary randomly, but the first and last lines of the body are always the same. The attachment name carries two extensions: the first is DOC, XLS, ZIP or EXE, and the second is selected randomly from PIF, LNK, BAT or COM. The mail subject and body will be in English or Spanish.

First line: Hi! How are you?
Last line: See you later. Thanks

When sending the infected message, the worm attaches a file taken from the local system to deceive the recipient. The attached infected file has a double extension, such as secret.doc.pif or compress.zip.bat. It e-mails the infected files using its own SMTP engine.

If the infected e-mail attachment is executed, the worm code runs first. It copies itself to the file SCam32.exe in the Windows folder and also drops Sirc32.exe, with the hidden attribute set, in the Recycle Bin. After that it opens the attached document in its corresponding application. The worm is loaded automatically by changing the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Driver32

HKEY_CLASSES_ROOT\exefile\shell\open\command

Then it searches for network shares; if one is found, it copies itself there as RUNDLL32.EXE, after renaming the original RUNDLL32.EXE to RUN32.EXE. It also adds the entry @win \recycled\SirC32.exe to AUTOEXEC.BAT to load itself on the next startup.

The SirCam worm contains destructive payloads: when the payload is activated, SirCam deletes all files and directories. Because it sends files from the infected system as attachments, the infected user may also lose confidential information.

How can I protect my system?

Fire has incorporated I-Worm/SirCam into its signature file, with the aim of helping users affected by this worm attack to detect and eliminate it from their systems. Fire anti-virus users can update this signature file using the online update facility, which is available with the registered version of the Fire anti-virus Kit.

How can I find out whether my system is infected?

You can check the system manually. I-Worm/SirCam creates the file "SIRC32.EXE" in the Recycled folder. The presence of this file indicates that you are infected with this worm.

The SirCam worm changes registry keys when it infects the machine, and these should be repaired before the main worm file "SIRC32.EXE" in the Recycled folder is deleted; otherwise the exefile\shell\open\command key points at a missing file and EXE programs no longer start. A free download of the FireLite [860KB] version is also available to detect all viruses, including the SirCam worm. If you find this worm, use the registered version of Fire to remove it.


NIMDA WORM SPREADS RAPIDLY

Nimda.E is a modified variant of the Nimda worm and uses different techniques to spread. It infects network shares, local PE files and vulnerable Microsoft IIS web servers, and its IIS infection attempts generate heavy network traffic. Nimda also uses the trojan dropped by CodeRed to find target servers.

The worm uses the Unicode Web Traversal exploit to infect IIS servers; web administrators are requested to install the patch from the Microsoft link http://www.microsoft.com/technet/security/bulletin/ms00-078.asp. The worm uses a MIME exploit to infect Internet Explorer users: when the worm arrives by e-mail, this security hole allows the virus to be executed just by reading or previewing the message. Windows 95/98/ME users are requested to install the patch from http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Nimda scans random IP addresses to find servers to infect. When a vulnerable host is found, the worm instructs it to download the worm code, HTTPODBC.DLL, from the host that performed the scan.

The worm also drops files such as readme.eml, desktop.eml, sample.eml and readme.nws in shared folders. It also modifies *.htm, *.html and *.asp files, adding JavaScript that opens the infected EML file automatically, so whenever a user visits the compromised site the browser is made to download readme.eml. If the user accidentally opens the attachment, the local machine is infected.

It collects e-mail addresses stored in *.htm and *.html files to distribute infected messages. It also spreads using e-mail addresses found in MAPI messages of Microsoft Outlook and Microsoft Outlook Express. The attachment name is "sample.exe" and the message body is empty.

If the infected e-mail attachment is executed, it copies itself to the file load.exe in the Windows folder. It modifies the SYSTEM.INI file by adding the string SHELL= explorer.exe load.exe -dontrunold to the [BOOT] section, so the worm is started automatically on the next startup. It also modifies the following registry entries when infecting the machine:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

On Windows NT/2000 it also modifies the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Share\Security

On some affected machines the virus also copies itself into the Windows directory under the filename CSRSS.EXE, and this copy is executed whenever the Microsoft Word application is started; the affected file should be replaced with a fresh copy. On NT/2000 systems the worm creates a "Guest" account with administrator rights, which should be corrected after the worm is removed.
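An added example (Python written for this page, not Fire anti-virus code) that audits the two legacy startup locations described above, the SYSTEM.INI shell= line that Nimda rewrites and the AUTOEXEC.BAT entry that SirCam adds, using constructed sample file contents rather than captures from an infected machine:

```python
"""Audit of the legacy Windows startup locations abused by the worms on this
page: the shell= line in the [boot] section of SYSTEM.INI (Nimda) and the
win command in AUTOEXEC.BAT (SirCam).
Added example, not Fire anti-virus code. The file contents below are
constructed samples, not captures from an infected machine."""
from typing import Dict, List

# Constructed SYSTEM.INI contents: a clean one and one as Nimda leaves it.
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=vmm32.vxd\n"
NIMDA_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\n"
# Constructed AUTOEXEC.BAT contents: clean, and with SirCam's added entry.
CLEAN_AUTOEXEC = "@echo off\nSET PATH=C:\\WINDOWS\nwin\n"
SIRCAM_AUTOEXEC = "@echo off\n@win \\recycled\\SirC32.exe\n"


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section: {key: value}} with names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def shell_extras(system_ini: str) -> List[str]:
    """Return whatever the [boot] shell= line loads besides explorer.exe.
    Nimda rewrites it to 'explorer.exe load.exe -dontrunold', so an infected
    file yields ['load.exe', '-dontrunold']; a clean file yields []."""
    tokens = parse_ini(system_ini).get("boot", {}).get("shell", "").split()
    if tokens and tokens[0].lower() == "explorer.exe":
        return tokens[1:]
    return tokens  # shell replaced outright: report the whole value


def autoexec_launches(autoexec: str) -> List[str]:
    """Return AUTOEXEC.BAT lines that start Windows with an extra program,
    such as SirCam's '@win \\recycled\\SirC32.exe'. A bare 'win' is normal."""
    hits = []
    for raw in autoexec.splitlines():
        line = raw.strip().lstrip("@").strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "win":
            hits.append(line)
    return hits


def audit(system_ini: str, autoexec: str) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = [f"SYSTEM.INI shell= also loads: {x}" for x in shell_extras(system_ini)]
    findings += [f"AUTOEXEC.BAT starts Windows with: {x}" for x in autoexec_launches(autoexec)]
    return findings


if __name__ == "__main__":
    for name, ini, bat in (("clean", CLEAN_SYSTEM_INI, CLEAN_AUTOEXEC),
                           ("infected", NIMDA_SYSTEM_INI, SIRCAM_AUTOEXEC)):
        print(name, audit(ini, bat) or ["no findings"])
```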

How can I protect my system?

Fire has incorporated I-Worm/Nimda.E into its signature file, with the aim of helping users affected by this worm attack to detect and eliminate it from their systems. Fire anti-virus users can update this signature file using the online update facility, which is available with the registered version of the Fire anti-virus Kit.

If you are infected with the Nimda worm, install the security patch first. Then run Fire anti-virus and choose the clean option to repair the worm-infected files. Choose "All File extensions" so that the worm-infected *.EML and *.NWS files are removed as well.

How can I find out whether my system is infected?

A free download of the FireLite [860KB] version is also available to detect all viruses, including the Nimda worm. If you find this worm, use the registered version of Fire to remove it.


MYPARTY INTERNET WORM REPORTED IN THE WILD

Myparty is an Internet worm that uses the Windows Address Book and .DBX files to spread. The worm is 29,696 bytes long, and the e-mail attachment is named "www.myparty.yahoo.com". Because the name ends in .com, Windows treats the attachment as an executable program rather than a web address.

The worm arrives as an e-mail attachment. The message subject will be "new photos from my party!", and the body will be:

"Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!"

When executed, it collects addresses from the Windows Address Book and .DBX files, sends e-mail to every address found, and also copies itself to the Recycle Bin. The worm uses its own SMTP engine to mail its copy. This worm is also known as W32.Myparty.A@mm and W32/Myparty-A.

How can I protect my system?

Fire has incorporated I-Worm/Myparty into its virus signature file to protect its users from this worm attack. Fire anti-virus users can use the online update facility to update the signature file. If you are already infected with this worm, run Fire anti-virus and choose the delete option to remove the worm components.

How can I find out whether my system is infected?

A free download of the FireLite [860KB] version is also available to detect all viruses, including the Myparty worm. If you find this worm, use the registered version of Fire to remove it.


ARE YOU FORCED TO WISH "SHANKAR'S BIRTHDAY"?

W97M/Marker (also known as HSFX) is a Word macro virus that collects user information from Word and uses FTP to send it over the Internet. The virus is similar to W97M/Caligula: like Caligula, it sends the data to codebreakers.org. It also has some similarities to WM/Ethan.

W97M/Marker is polymorphic. The polymorphism consists of adding a log at the end of the virus body for every infected user; this log contains the system time and date and the user's name and address.

The virus contains an infection marker in the beginning of its code:

"<- This is a Marker"

W97M/Marker.A saves its code in a file called c:\netldv.vxd. To infect documents, the virus exports its code from the global template to this file and then deletes the file, so the user cannot find it.

W97M/Marker.O

W97M/Marker-O is a modified variant of the W97M/Marker virus. It is a polymorphic Word macro virus: the polymorphism consists of adding a log at the end of the virus body for every infected user, and this log contains the system time and date and the user's name and address.

The virus contains the infection marker ":-D you are Marked!" at the beginning of its code, whereas the original W97M/Marker contains the string "<- This is a Marker". It uses this string to determine whether a file is already infected; if it is, the virus does not infect the same file again.

When a document is opened, it checks the system date. If the month is 7 and the day is greater than or equal to 23, it displays the message "Did You Wish Shankar on his Birthday ?" and then allows the user to proceed.

When the document is closed, it sets the application caption to "Happy Birthday Shankar-25th July. The World may Forget but not me" and also displays the message box "Did You Wish Shankar on his Birthday ?". If the "Yes" option is selected, it shows "Thank You! I Love You. You are wonderfull".

If the "No" option is selected, it shows "You are Heart Less." and "You Will Be Punished For This".

The virus displays its payload from 23rd July to 31st July. It carries no dangerous payload; however, because of its internal infection routine it slows the machine down while documents are opened and closed, and the infected user gets the message box every time a document is opened or closed.

How can I protect my system?

Fire has incorporated W97M/Marker-O into its virus signature file years ago. Fire users need not worry about this virus.

How can I find out whether my system is infected?

A macro-disable warning and slower operation of the Word application are the main symptoms of Word macro viruses. If you receive the "Shankar's birthday" message, you are infected with the W97M/Marker-O virus.

A free download of the FireLite [860KB ZIP FILE] version is available to detect all viruses.


BEWARE OF WIN32/FUNLOVE VIRUS

This virus is a Win32 PE file infector that infects EXE, SCR and OCX files under Win9x and WinNT 4.0. Infected files grow by 4099 bytes. What is notable about this virus is that it uses a new strategy to attack the Windows NT file security system, and it runs as a service on Windows NT systems.

When the virus is first run, it drops a file called FLCSS.EXE into the SYSTEM folder. Then it directly infects all EXE, SCR and OCX files in the Program Files and WINDOWS/WINNT folders, including any subfolders. It infects network shared drives too.

Under Windows NT, if the current user is logged in with administrator rights, it modifies the files NTOSKRNL.EXE and NTLDR. The modified files take effect after the next system restart and grant all users full administrator rights to the system, so any low-privilege user can then access the network with administrator rights.

The NTOSKRNL.EXE and NTLDR patches are carried out by a routine taken from the Bolzano virus. In fact, more than fifty percent of the virus code shows similarities to Bolzano, so it is very likely that both viruses have the same author.

When executed under DOS, the file FLCSS.EXE displays the message "~Fun Loving Criminal~" and then tries to reset the machine in order to load Windows.

The virus does not infect files whose names begin with the following characters, most of which belong to anti-virus products: aler, amon, avp, avp3, avpm, f-pr, navw, scan, smss, ddhe, dpla and mpla. Fire detects and removes the Win32/FunLove virus without problems.

How can I protect my system?

Fire has incorporated Win32/FunLove into its virus signature file, with the aim of helping users affected by this attack to detect and eliminate it from their systems. Fire anti-virus users can update this signature file from our web site. A free utility to detect and clean this virus is available in the Download Center.

A free download of the FireLite [860KB ZIP FILE] version is available to detect all viruses, including Win32/FunLove.


I-WORM/BADTRANS.B SPREADS USING E-MAIL ATTACHMENTS

BadTrans.B is a modified variant of the original BadTrans worm. This encrypted worm uses the Windows Address Book to collect e-mail addresses. It also drops Trojan.PSW.Hooker.b on the victim's PC; using this password stealer, the virus author can steal username and password details.

I-Worm/BadTrans.B arrives as an e-mail attachment. The attachment is embedded within the e-mail and is not visible to the user. When the user views the message, the embedded code is executed automatically and drops the virus. Microsoft has released security patches to close this security hole; if you have not installed them, you can get a copy at http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

The worm attachment name will be one of the following:

fun.pif
Card.pif
YOU_are_FAT!.TXT.pif
images.pif
Humor.TXT.pif
hamster.ZIP.scr
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
SETUP.pif
searchURL.scr
docs.scr
s3msong.MP3.pif
Sorry_about_yesterday.DOC.pif

The worm also decrypts and drops KERNEL32.EXE and KDLL.DLL in the Windows system folder. The password stealer is activated on the next startup by adding a registry entry.

How can I protect my system?

Fire has incorporated I-Worm/BadTrans.B into its signature file to protect Fire users from this worm attack. Fire anti-virus users can update this signature file using the online update facility, which is available with the registered version of the Fire anti-virus Kit.

If you are already infected with this worm, download and install the security patches from http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp according to your Internet Explorer version. Then run the registered version of Fire anti-virus and choose the delete option to remove the worm components.

How can I find out whether my system is infected?

You can check the system manually. The I-Worm/BadTrans.B worm creates the files "KERNEL32.EXE" and "KDLL.DLL" in the Windows system folder. The presence of these files indicates that you are infected with this worm (the legitimate system library is KERNEL32.DLL; a clean system has no KERNEL32.EXE).

A free download of the FireLite [860KB] version is also available to detect I-Worm/BadTrans.B. The Fire anti-virus kit removes I-Worm/BadTrans.B without problems.

WORM_FRETHEM.E

WORM_FRETHEM.E (alias W32.Frethem.D@mm, FRETHEM.E) has been reported in the wild. This non-destructive, memory-resident variant of WORM_FRETHEM.A propagates via Microsoft Outlook by sending e-mail to all addresses listed in the infected user's Windows Address Book and in the .DBX files in which Microsoft Outlook Express archives e-mail.

It arrives as an attachment to an e-mail message with the following:

Subject: Re: Your password!
Message body: ATTENTION! You can access very important information by this password DO NOT SAVE password to disk use your mind now press cancel
Attachment: Decrypt-password.exe
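An added example (Python written for this page, not Fire anti-virus code) of mail-gateway triage for the attachment names given above: SirCam's double extensions, the BadTrans.B names such as New_Napster_Site.DOC.scr, Myparty's www.myparty.yahoo.com (which ends in .com) and Frethem's Decrypt-password.exe, plus SirCam's fixed first and last body lines. The sample messages are constructed; only the attachment names and the SirCam lines come from the page.

```python
"""Mail-gateway triage for the attachment names described on this page:
SirCam's <name>.<doc|xls|zip|exe>.<pif|lnk|bat|com>, BadTrans.B's
<name>.<TXT|ZIP|DOC>.<pif|scr>, and single executable extensions such as
Myparty's www.myparty.yahoo.com (ends in .com) and Frethem's
Decrypt-password.exe, plus SirCam's fixed first and last body lines.
Added example, not Fire anti-virus code; the messages are constructed."""
import re
from typing import Dict, List, Optional

# Decoy "document" extensions that precede the real one in the names above.
DECOY_EXTS = {"doc", "xls", "zip", "exe", "txt", "avi", "mp3"}
# Extensions Windows runs as a program when the attachment is opened.
EXEC_EXTS = {"pif", "lnk", "bat", "com", "scr", "exe"}
SIRCAM_FIRST_LINE = "Hi! How are you?"
SIRCAM_LAST_LINE = "See you later. Thanks"
_DOUBLE_EXT = re.compile(r"^.+\.(?P<decoy>[a-z0-9]+)\.(?P<real>[a-z0-9]+)$", re.I)


def classify_attachment(name: str) -> Optional[str]:
    """Explain why an attachment name is suspicious, or return None."""
    name = name.strip()
    m = _DOUBLE_EXT.match(name)
    if m:
        decoy, real = m["decoy"].lower(), m["real"].lower()
        if real in EXEC_EXTS and decoy in DECOY_EXTS:
            return f"double extension (.{decoy}.{real})"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXEC_EXTS:
        return f"executable attachment (.{ext})"
    return None


def has_sircam_body(body: str) -> bool:
    """True if the first and last non-empty lines are SirCam's fixed English ones."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return (len(lines) >= 2
            and lines[0].lower() == SIRCAM_FIRST_LINE.lower()
            and lines[-1].lower() == SIRCAM_LAST_LINE.lower())


def triage(message: Dict) -> List[str]:
    """Return all findings for one message; an empty list means nothing flagged."""
    findings = []
    for att in message.get("attachments", []):
        why = classify_attachment(att)
        if why:
            findings.append(f"{att}: {why}")
    if has_sircam_body(message.get("body", "")):
        findings.append("body: SirCam fixed first/last lines")
    return findings


# Constructed sample messages; the middle body line of the first is invented.
SAMPLE_MESSAGES = [
    {"subject": "secret", "attachments": ["secret.doc.pif"],
     "body": "Hi! How are you?\nPlease look at the attached file.\nSee you later. Thanks"},
    {"subject": "Re: Your password!", "attachments": ["Decrypt-password.exe"],
     "body": "ATTENTION! You can access very important information by this password"},
    {"subject": "weekly report", "attachments": ["report.xls"],
     "body": "Hi team,\nnumbers attached.\nRegards"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", triage(msg) or ["clean"])
```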

FAQs on Viruses


1. What is a Computer Virus?

A computer virus is a small computer program that makes copies of itself on computer disks. Viruses may, directly or indirectly, infect (copy themselves to and spread from) executable program files, programs in disk sectors, and even some non-executable files which use macros. This parasitic nature of virus programs is neither an accident nor a computer glitch: all viruses are created by people who know how to write computer programs.

2. Why are they called Viruses?

Experimental self-replicating programs were first produced in the 1960s, confirming theories dating back to 1949. The term virus is more recent, and was first used in 1984 by Professor Fred Cohen to describe self-replicating programs. The earliest PC viruses came a bit later, in 1986-7. The name is appropriate, because like a biological virus, a computer virus is small, makes copies of itself, and cannot exist without a host. (It's also a catchier name than Parasitic Self-Replicating Program.)

3. Are all Viruses harmful?

All computer viruses at least take up disk space, and many of them are able to remain in the computer's memory, so as to take control over some computer functions. In addition, some viruses are poorly written, and may cause the computer to halt, or damage files. Many viruses make the computer's memory unstable, or cause programs to run improperly. Then there are viruses created in recent years that have been deliberately designed to destroy data on the disk.


4. What About Destructive Viruses?

The most feared viruses are those that deliberately damage or delete files, or even destroy all data on a disk. The vandals who produce these are concerned only about themselves, not innocent people who will be harmed. These vandals hope to impress their friends, and sometimes compete with them. Some join groups that create new viruses every day.

5. Who writes Viruses - and why?

Viruses can be written by anyone, anywhere in the world, who has enough programming skill. A few have been developed by researchers for demonstration purposes, and some others are jokes, written by pranksters. Other viruses are written by people learning programming, who think writing a virus is accomplishing something. In many cases, these viruses get passed around, and later are altered by other people.

6. What are Virus symptoms?

It's true that some viruses cause strange things to happen. These can include: slower operation, decreased memory, or a disk drive LED lighting up for no apparent reason. However, legitimate software can also cause these effects. And while some viruses are very obvious, displaying messages, or even playing musical tunes, many give no sign of their presence. So it's important not to assume your computer is infected, just because strange things happen.

7. How are Viruses spread?

While the risk is relatively small, it is growing daily. Viruses circulate from one computer to another, often via diskettes. If you're lucky, you'll never encounter a virus, but one could be concealed in the next file you download, or on the next diskette you receive. Diskettes borrowed from friends, school, or work are common sources, even shrink-wrapped diskettes purchased at stores, or through mail-order. Downloaded programs can be infected, and viruses can travel among networked PCs.


8. Should you get anti-virus software?

If you're concerned about the virus threat, the time to obtain anti-virus software is before you get a virus. It's much better to prevent a virus infection than to have to deal with one. If your system is virus-free, anti-virus software can help keep it that way, providing you keep the program updated, and check all newly-obtained software and disks before using them the first time.

9. How can I create an Emergency Boot Disk?

To make an emergency bootable floppy disk under DOS, run the FORMAT A: /S command with a disk of the proper density for the drive in drive A:. Under Windows or Win95, use the option to make a System Disk in File Manager or Explorer, as appropriate. I'd suggest you also COPY these commands to it from C:\DOS or the Win95 system directory: ATTRIB, CHKDSK (or SCANDISK if you have it), FDISK, FORMAT, SYS, and BACKUP and RESTORE (or whatever backup program you use, if it will fit). They may come in handy if you can't access the hard disk, or it won't boot.

Virus Links

http://www.symantec.com

http://www.norton.com
http://www.mcafee.com
http://www.fireantivirus.com
http://www.k7computing.com
http://www.antivirus.com