W32.Spinac@mm is a simple worm that uses Microsoft Outlook to spread itself. The email arrives with the following characteristics:
Subject:
When W32.Spinac@mm is executed, it may display fake error messages titled "POPEYE SCREEN SAVER" and "Popeye ScreenMates." The worm is written in Microsoft Visual Basic and is also known as Bloodhound.W32.VBWORM.
For more information, visit this Symantec page.
Worm_Holar.E an Updated Version of Worm_Holar.D
Following the appearance Thursday of Worm_Holar.D, antivirus software vendor Trend Micro on Friday reported the appearance of a new variant, Worm_Holar.E. This worm drops several files, including copies of the D variant. It is destructive and intends to propagate via email and the Kazaa peer-to-peer file-sharing application.
The worm uses Microsoft Outlook to send email with varying subjects and message bodies. It looks for target recipients in cached Web pages and HTML files. The subject of the email this worm sends may be any of the following:
'''*> Love Speaks it all <*'''
For a description of the text of the email, visit this Trend Micro page.
Week in Review
Four worms were the focus of scrutiny for malicious code this week -- Axatak, Ganda.A, Bibrog.C and Lentin.Q -- according to antivirus software vendor Panda Software.
Axatak uses any of the usual means of transmission employed by worms to spread themselves, including e-mail messages, Internet downloads and FTP file transfers. After infecting a PC, it collects the passwords used to access certain resources and then sends them to the virus author. Axatak also acts as a backdoor Trojan, as it opens communication ports 8850 and 8851 to enter the Internet. This could allow a hacker to access resources on the affected computer and take actions such as sending files or opening and closing the CD tray. Finally, Axatak tries, at five-minute intervals, to access the floppy disk drive to copy itself to diskettes.
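A triage check for the Axatak backdoor ports described above, as an added example that is not part of the original article or any vendor tool. The `netstat -ano` sample is constructed, the function names are hypothetical, and because the article does not say whether the ports are TCP or UDP, both are checked; a hit is a lead for process inspection, not a verdict.

```python
import re

# Ports the article attributes to Axatak's backdoor component.
AXATAK_PORTS = {8850, 8851}

# Constructed sample in the layout of Windows `netstat -ano` (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:8850           0.0.0.0:0              LISTENING       2316
  TCP    [::]:8851              [::]:0                 LISTENING       2316
  TCP    192.0.2.10:49712       198.51.100.7:8850      ESTABLISHED     1044
  TCP    192.0.2.10:18850       0.0.0.0:0              LISTENING       3020
  UDP    0.0.0.0:123            *:*                                    1020
  UDP    0.0.0.0:8851           *:*                                    2316
"""

# Columns: proto, local addr:port, foreign endpoint, optional state, PID.
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$"
)


def open_axatak_ports(netstat_text, ports=AXATAK_PORTS):
    """Return (proto, local_addr, port, pid) for sockets accepting traffic on `ports`."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header, blank line
        proto, addr, port, state, pid = m.groups()
        # TCP must be LISTENING; UDP is connectionless and has no state column.
        accepting = state == "LISTENING" if proto == "TCP" else state is None
        if accepting and int(port) in ports:
            hits.append((proto, addr, int(port), int(pid)))
    return hits


def owning_pids(hits):
    """PIDs to examine next in the process list, sorted and de-duplicated."""
    return sorted({pid for _, _, _, pid in hits})


if __name__ == "__main__":
    for hit in open_axatak_ports(SAMPLE_NETSTAT):
        print("open port:", hit)
```

The outbound connection to a remote port 8850 and the listener on 18850 are deliberately not reported: only local sockets bound to the exact port numbers count.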
Ganda.A also spreads via e-mail, and can sometimes activate automatically when the message carrying the worm is viewed through the Outlook Preview Pane, exploiting a known vulnerability in Internet Explorer versions 5.01 and 5.5.
Once the worm has infected a computer, it sends itself to all addresses in the Windows address book, in "EML," "HTM" and "DBX" files and the Internet cache. Ganda.A is a worm that infects PE files, by copying part of its code to them. It also creates a dropper type file in affected computers and ends processes belonging to certain antivirus and firewall programs, if they are active.
The third worm, Bibrog.C, spreads in an e-mail with an attachment called "ACADEMIA.EXE," although it can also spread via P2P exchanges and ICQ channels. It is easily recognized: once the "ACADEMIA.EXE" file is run, it displays a game and changes the desktop wallpaper. Bibrog.C steals the login details users enter for Hotmail, Yahoo, Citibank, etc. and is designed to delete certain files, but due to a programming error, this does not actually take place.
The last worm of the week, Lentin.Q, spreads mainly via e-mail in a message that has extremely variable characteristics. Lentin.Q, like Ganda.A, also exploits a vulnerability in versions 5.01 and 5.5 of Internet Explorer, so a computer can be infected by simply viewing the infected message through the Preview Pane.
It can also spread across networks, as every Wednesday it copies the virus to the shared drives in the affected computer. Lentin.Q ends processes belonging to antivirus and firewall programs and launches DoS attacks against five Internet addresses. It also changes the home page of Internet Explorer and closes the Task Manager.
More information on these and other malicious code is available from the Panda Software Virus Encyclopedia.
Compiled by Esther Shein.
Attachment: Popey.scr
Co0o0o0o0oL
Fw:
Heeeeeeeeeeeeeeeey
Wussaaaaaaaap?
WoW But not for NoW
Why Do We FOk?