March 18, 2010

Virus Alert: A Naughty Visual Basic Worm

A polymorphic Visual Basic Script worm reported Thursday by antivirus vendor Symantec attempts to spread through the KaZaA Lite file-sharing client by dropping copies of itself into the client's shared folder under lure names.

VBS.Naughtypic attempts to copy itself as the following files:

  • C:\Program Files\KaZaA Lite\My Shared Folder\Avril.jpg.vbs
  • C:\Program Files\KaZaA Lite\My Shared Folder\Norton's 2003 Crack Gen.exe.vbs
  • C:\Windows\System32\MScript32.vbs

VBS.Naughtypic also creates the file "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Naughty.jpg". For removal instructions, visit this Symantec Web site.
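The drop pattern described above (a decoy document extension in front of a script extension in a P2P shared folder, plus a loose file in the all-users Startup folder) is easy to check for on a host. The following is an added example written for this page, not code from the article or from Symantec; the extension lists are assumptions, the directory tree it scans is constructed inline to mirror the paths named above, and `run_demo` is a hypothetical helper that builds that tree in a temporary directory.

```python
"""Scan a directory tree for the lure-file pattern described above.

Added example, not part of the original article or Symantec's write-up.
Flags: (1) double-extension names such as Avril.jpg.vbs, where a decoy
document extension is followed by a script/executable extension, and
(2) any non-shortcut file placed in a folder named 'Startup'.
"""
import os
import tempfile

# Extensions Windows runs directly on double-click (assumed list)
EXEC_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "exe", "scr", "pif", "com", "bat", "cmd"}
# Extensions a lure name pretends to be (assumed list)
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3", "zip"}


def classify_name(name):
    """Return a reason string if the bare file name looks like a lure, else None."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None
    final = parts[-1]
    if final not in EXEC_EXTS:
        return None
    # Look at every dotted component between the stem and the real extension:
    # 'avril.jpg.vbs' -> ['avril', 'jpg', 'vbs']; '...gen.exe.vbs' -> [..., 'exe', 'vbs']
    for inner in parts[1:-1]:
        if inner in DECOY_EXTS:
            return "decoy extension .%s hides executable .%s" % (inner, final)
        if inner in EXEC_EXTS:
            return "stacked executable extensions .%s.%s" % (inner, final)
    return None


def scan_tree(root):
    """Walk root and return sorted (path, reason) pairs for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_startup = os.path.basename(dirpath).lower() == "startup"
        for fname in files:
            path = os.path.join(dirpath, fname)
            reason = classify_name(fname)
            # Anything in a Startup folder that is not a shortcut runs at logon.
            if reason is None and in_startup and not fname.lower().endswith(".lnk"):
                reason = "non-shortcut file in Startup folder"
            if reason:
                findings.append((path, reason))
    return sorted(findings)


def build_sample_tree(base):
    """Construct a sample tree mirroring the paths named above (constructed data)."""
    layout = {
        os.path.join("Program Files", "KaZaA Lite", "My Shared Folder"): [
            "Avril.jpg.vbs", "Norton's 2003 Crack Gen.exe.vbs", "holiday.jpg"],
        os.path.join("Windows", "System32"): ["MScript32.vbs", "kernel32.dll"],
        os.path.join("Documents and Settings", "All Users", "Start Menu",
                     "Programs", "Startup"): ["Naughty.jpg", "Office Startup.lnk"],
    }
    for rel, names in layout.items():
        d = os.path.join(base, rel)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("placeholder\n")  # contents are irrelevant to the name check
    return base


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return (name, reason) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.basename(p), r) for p, r in scan_tree(tmp)]


if __name__ == "__main__":
    for name, reason in run_demo():
        print("%-40s %s" % (name, reason))
```

Note what the name rule does not catch: MScript32.vbs in System32 has only one extension, so a bare script in a system folder needs an allowlist or a file-integrity baseline rather than a naming heuristic.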

Backdoor.Darmenu May Download Instructions From Web Site

Symantec also is reporting the appearance of Backdoor.Darmenu, a backdoor Trojan that accesses a page on the Web site www.tonightsmenu.com/ra3soft and may download instructions from it.

Backdoor.Darmenu can perform many actions without the user's permission, such as shutting down the computer and sending a list of files and folders to the attacker. Read technical details here.

Mass-Mailing Worm W32.Zokrim.B@mm Displays Italian-Language Message

W32.Zokrim.B@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to all the contacts in the Outlook Address Book, according to Symantec.

The email has the following characteristics:

Subject: La tua amica Morena (Italian: "Your friend Morena")
Message: Ciao... e da tanto che non ci sentiamo!!! Come stai ?? ("Hi... it's been so long since we last spoke!!! How are you??")
Attachment: Morena.exe

When W32.Zokrim.B@mm runs, it displays the message "File not found c:\windows\" and shows a .jpg image named morena.jpg.

W32.Zokrim.B@mm also attempts to spread using mIRC. This threat is written in the Microsoft Visual Basic programming language. Read more here.
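The lure above is fully described by its subject and attachment name, which is enough to flag it at a mail gateway or in a mailbox export. The following is an added example written for this page, not code from the article or from Symantec; the raw message it parses is constructed inline (the lure strings are the ones reported above, the addresses and base64 payload are placeholders), the executable-extension list is an assumption, and `lure_indicators` is a hypothetical helper name. Real mail would be read from an .eml file or a mailbox rather than an inline string.

```python
"""Flag mass-mailer lures like the one above in raw RFC 822 messages.

Added example, not from the original article or Symantec's description.
Two independent indicators are checked: a known lure subject, and any
attachment whose name ends in an extension Windows executes directly.
"""
from email import message_from_string
from email.header import decode_header, make_header

# Attachment extensions Windows runs directly (assumed list)
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js")

# Lure subject reported for the worm; matched case-insensitively after decoding.
KNOWN_SUBJECTS = {"la tua amica morena"}

# Constructed sample mirroring the characteristics reported above.
SAMPLE_MESSAGE = """\
From: morena@example.invalid
To: victim@example.invalid
Subject: La tua amica Morena
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XXBOUNDARYXX"

--XXBOUNDARYXX
Content-Type: text/plain; charset="iso-8859-1"

Ciao... e da tanto che non ci sentiamo!!! Come stai ??

--XXBOUNDARYXX
Content-Type: application/octet-stream; name="Morena.exe"
Content-Disposition: attachment; filename="Morena.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XXBOUNDARYXX--
"""

# Constructed benign message used as a control.
BENIGN_MESSAGE = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="YYBOUNDARYYY"

--YYBOUNDARYYY
Content-Type: text/plain; charset="us-ascii"

Attached as discussed.

--YYBOUNDARYYY
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--YYBOUNDARYYY--
"""


def decoded_subject(msg):
    """Subject with any RFC 2047 encoded-words decoded to a plain string."""
    return str(make_header(decode_header(msg.get("Subject", ""))))


def attachment_names(msg):
    """Return every attachment file name in the message, decoded."""
    names = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            names.append(str(make_header(decode_header(fname))))
    return names


def lure_indicators(raw_message):
    """Return the list of reasons a message looks like this kind of lure."""
    msg = message_from_string(raw_message)
    reasons = []
    subject = decoded_subject(msg)
    if subject.strip().lower() in KNOWN_SUBJECTS:
        reasons.append("known lure subject: %r" % subject)
    for name in attachment_names(msg):
        if name.lower().endswith(EXEC_EXTS):
            reasons.append("directly executable attachment: %s" % name)
    return reasons


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, lure_indicators(raw))
```

The subject match is the weak half: a worm family whose message characteristics are "extremely variable" (see Lentin.P below) will not hit it, which is why the attachment-extension rule runs independently and is the one worth enforcing at the gateway.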

Ajja Worm Spreading Via File-Sharing Networks

The W32.HLLW.Ajja worm attempts to spread across the KaZaA, Grokster, and eDonkey2000 file-sharing networks. This worm also attempts to delete program files belonging to several antivirus programs.

As part of the execution of W32.HLLW.Ajja, a fake "Install" message prompts the user to "Clik!! in Next to Install." W32.HLLW.Ajja is written in Microsoft Visual Basic, version 6.

To find out what happens when the worm is executed, visit this Symantec page.

JS_Weblog.A Retrieves Data From HTML Forms

Antivirus software vendor Trend Micro is giving an overall low threat rating to JS_Weblog.A.

This JavaScript Trojan retrieves all data entered in HTML Web forms on Internet Explorer. It then sends the retrieved data to a particular Web site or to a particular system on the same network. This malware affects systems running Internet Explorer on Windows 95, 98, ME, NT, 2000, and XP.

Read more on this Trend Micro page.

W32/Hybris-H Worm Targets Email Messages

W32/Hybris-H is an email worm whose functionality is similar to W32/Hybris.C, a worm that can update its capabilities over the Internet. The Hybris worm consists of a base part and a collection of upgradeable components. The components are stored within the worm body, encrypted with 128-bit cryptography.

When run, the worm infects WSOCK32.DLL. Whenever an email is sent, the worm attempts to send a copy of itself as an attachment in a separate message to the same recipient. The worm drops various plug-ins in the Windows system folder that determine the worm's specific functionality, for example the characteristics of the email messages.

Removal instructions can be found on this Sophos Web page.
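Both behaviours described above, patching WSOCK32.DLL in place and dropping plug-in files into the system folder, are changes to a directory whose contents should be static, which is what a file-integrity baseline catches. The following is an added example written for this page, not code from the article or from Sophos; the "system folder" is a temporary directory holding constructed stand-in files, the plug-in file name `plugin.dat` is hypothetical, and `run_demo` is a helper that stages the before/after scenario. On a real host the baseline would be taken from known-good media and stored off the machine.

```python
"""Detect modification of a system DLL such as WSOCK32.DLL, and files dropped
beside it, by comparing a folder against a recorded baseline.

Added example, not from the article or Sophos's analysis. Baseline records
size and SHA-256 per file; size alone is not enough, because an in-place
patch of the same length only shows up in the hash.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream the file through SHA-256 so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(folder):
    """Record size and SHA-256 of every regular file directly inside folder."""
    baseline = {}
    for n in os.listdir(folder):
        p = os.path.join(folder, n)
        if os.path.isfile(p):
            baseline[n] = {"size": os.path.getsize(p), "sha256": sha256_file(p)}
    return baseline


def compare(folder, baseline):
    """Return {name: 'modified' | 'missing' | 'added'} for files that differ from baseline."""
    diffs = {}
    current = {n for n in os.listdir(folder) if os.path.isfile(os.path.join(folder, n))}
    for n, rec in baseline.items():
        p = os.path.join(folder, n)
        if n not in current:
            diffs[n] = "missing"
        elif os.path.getsize(p) != rec["size"] or sha256_file(p) != rec["sha256"]:
            diffs[n] = "modified"
    for n in current - set(baseline):
        diffs[n] = "added"
    return diffs


def run_demo():
    """Constructed scenario: baseline a clean folder, then stage what the worm is
    described to do (patch WSOCK32.DLL, drop a plug-in) and compare again."""
    with tempfile.TemporaryDirectory() as folder:
        for n in ("WSOCK32.DLL", "KERNEL32.DLL"):
            with open(os.path.join(folder, n), "wb") as fh:
                fh.write(b"MZ" + n.encode() + b"\x00" * 64)  # constructed stand-in, not a real DLL
        baseline = take_baseline(folder)
        before = compare(folder, baseline)  # expected: nothing differs yet
        with open(os.path.join(folder, "WSOCK32.DLL"), "ab") as fh:
            fh.write(b"\x90" * 16)  # simulate code appended by the infector
        with open(os.path.join(folder, "plugin.dat"), "wb") as fh:  # hypothetical plug-in name
            fh.write(b"constructed plug-in contents")
        after = compare(folder, baseline)
        return {"before": before, "after": after}


if __name__ == "__main__":
    result = run_demo()
    print("before infection:", result["before"])
    print("after infection: ", result["after"])
```

A worm that hooks the network stack by patching WSOCK32.DLL also defeats any check that runs after the patch, so the comparison belongs in a scheduled task or offline boot, with the baseline kept where the infected host cannot rewrite it.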

Lentin.P Carries Out Various Destructive Actions

Lentin.P is a dangerous worm that carries out a multitude of activities on affected computers.

The worm ends processes belonging to antivirus and firewall programs and launches DoS attacks against five Internet addresses. Lentin.P also changes the home page of Internet Explorer and closes the Task Manager in order to prevent the user from manually ending the actions it carries out.

This worm mainly spreads via e-mail in a message whose characteristics are extremely variable. Lentin.P also exploits a vulnerability in IE so that the computer is infected simply by viewing the message carrying the worm in the Preview Pane, without the attached file being run.

It can also spread across networks: on Wednesdays it copies itself to the shared drives of the affected computer. Despite this, antivirus software vendor Panda Software is giving the worm a very low threat rating.

Read about technical details on this Panda Software site.

Compiled by Esther Shein.
