It drops copies of itself, using double-extension file names, into a created folder named "SYS32" in the Windows directory. It spreads via Kazaa as well as via IRC. Worm_GOOL.A runs on Windows 95, 98, and ME. Read technical details here.
The worm terminates processes relating to a significant number of anti-virus and security products if they are running, according to McAfee. Once connected to the client machine, the hacker can perform various actions, some trivial, others highly damaging.
Find out what these actions include and symptoms of the malware on this McAfee Web page.
NTRootkit a Very Low Threat
NTRootkit is a tool hackers use to hide their activity on affected computers from users, according to Panda Software.
After gaining remote access to a computer running Windows NT, 2000 or XP, the hacker installs this tool on the affected machine. Find out more here.
Fortnight Mass Mailer Worm Sends Hidden Link
JS/Fortnight, aka Fornight.A, is a slow mass-mailer written in JavaScript that spreads in HTML-formatted messages, according to F-Secure.
The infected email message contains a hidden link to a Web page, which contains the actual worm code. When the user opens the message, the link activates via an invisible iframe. The code on the Web page activates by using the Microsoft VM ActiveX vulnerability.
This vulnerability has been fixed, and a patch is available from Microsoft.
The code uses cookie "TF" as an infection marker. If the cookie is not present, the worm changes the browser's startup page via the registry to an adult Web site. Next, the worm replaces the default Outlook Express 5.0 signature with a file, "C:\Program Files\sign.htm". This file contains the hidden iframe that activates the link silently.
After this, all messages sent by the user with Outlook Express contain the hidden link to the malicious Web page. Then the worm adds three links to the Favorites folder, as follows:
SEXXX.Totally Teen
Make BIG Money
6544 Search Engines Submission
Finally, the worm sets two cookies, "TF" and "RF." The first cookie expires after 14 days and the second one expires after one day. The Web page where JS/Fortnight.A@m was available is already closed, which means this variant cannot infect any longer. F-Secure Anti-Virus detects JS/Fortnight as Exploit.Applet.ActiveXComponent. A variant is Fortnight.B. Read more on this F-Secure page.
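As an added example (not code from F-Secure or from the original article), the following Python check flags the trait described above: an HTML message body or signature file that carries an iframe the reader cannot see. The zero-size and hidden-style markers, the function names and the sample message are assumptions built for illustration; the article does not give the worm's actual markup.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Inline-style fragments that make an element invisible to the reader.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.IGNORECASE,
)

class HiddenIframeFinder(HTMLParser):
    """Collects the src of every iframe that would render invisibly."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        zero_size = a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
        hidden_style = bool(_HIDDEN_STYLE.search(a.get("style", "")))
        if zero_size or hidden_style:
            self.findings.append(a.get("src", ""))

def find_hidden_iframes(html):
    """Return the src values of invisible iframes in an HTML string."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def scan_message(raw_message):
    """Check every text/html part of an RFC 822 message for hidden iframes."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.extend(find_hidden_iframes(part.get_content()))
    return hits

# Constructed sample message (not captured traffic); example.invalid is a placeholder.
SAMPLE_MESSAGE = (
    "Subject: hello\nMIME-Version: 1.0\nContent-Type: text/html; charset=us-ascii\n\n"
    "<html><body><p>See you soon.</p>"
    '<iframe src="http://example.invalid/page.htm" width="0" height="0"></iframe></body></html>\n'
)
```

The same `find_hidden_iframes` function can be run over the contents of a signature file to see whether every outgoing message would carry such a frame.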
Compiled by Esther Shein.