Virus Bulletins

Aug. 14: Microsoft has issued an alert on its MSN Messenger site about a new virus known as the Choke worm that arrives as an EXE attachment during an IM chat session with an infected user.

Aug. 7: Microsoft has released a free tool that cleans up problems caused by the Code Red II worm. Find out more about the Code Red II Cleaner  and download: CodeRedCleanup.exe - 60 Kb (Date - 7 Aug 2001).

Aug. 5: A new, nastier variant of the Code Red worm is spreading and has already affected up to 400,000 servers running Windows NT or 2000 and Microsoft's IIS. The second variant leaves a back door open so hackers can break in later. Worse, experts say the recommended solution for infected machines is to wipe the hard disk clean.

July 21: A fake Microsoft security alert is being used to spread the latest version of a worm over the Internet. The message, which attempts to persuade users to download and install a supposed "security patch," linked to a URL similar to a Microsoft server address to fool unsuspecting users. The patch, of course, contained the virus -- in this case, the W32.Leave.B.Worm.

July 19: NEW WORM STIRS PRIVACY ISSUES... SirCam is the name of the latest worm threat that could send your private docs to everyone in your address book. We've already seen several copies of this one in our inbox, so it's definitely in the wild. Watch out for any e-mail header that includes the first line "Hi, How are you ?" or "Hola como estas ?" For details, see Newsbytes.com or CNet. We tested several of the most popular anti-virus tools with this worm, in our latest round of Virus Tool tests. It's worthwhile reading, especially if you use McAfee VirusScan or Norton AntiVirus.

July 8: We have been seeing an increasing number of viruses and worms embedded in web pages that, when visited, attempt to use the Windows Scripting Host (WSH) to write to the Windows Registry. With this technique, an unscrupulous hacker can do almost anything from placing an icon on your desktop (usually to a porno site) to running a program without your knowledge the next time your system starts up. Alarmingly, some of these pages seem to be especially designed to rank highly on search engines, causing them to reach more unsuspecting users.

Prior to November 1999, messages about viruses that spread merely by opening the message were urban legends. VBS.BubbleBoy changed that. By making use of both a security hole and a design flaw in the Scriptlet.TypeLib object, VBS.BubbleBoy was able to create an arbitrary file in an arbitrary directory. Then, by leveraging Microsoft's own security policy regarding scriptable objects it was able to activate objects without the warning that would ordinarily be generated.

The ramifications of this were staggering. For the first time an email message could infect a machine simply by being read or, for that matter, viewed in the preview pane. Norton Antivirus catches these intrusion attempts. Read more at Symantec.com (PDF or Text)

June 11: "DoS worm invades Microsoft servers," warns ZDNet News, The worm, known as DoS.Storm, is a mating of a denial-of-service (DoS) attack tool and an Internet worm, and affects Microsoft IIS 4.0 and 5.0 servers. An earlier Microsoft patch addresses the vulnerability.

June 11: Fast-spreading AppleScript Worm Virus Hits Mac Doh! Beware of "The Simpsons" virus. Now, Mac users have their very own fast-spreading virus. It's an AppleScript worm that attacks MS Outlook and Entourage users. It arrives in a message containing the following body text: "Hundreds of Simpsons episodes were just secretly produced and sent out on the internet, if this message gets to you, the episodes are enclosed on the attachment program, which will only run on a Macintosh...." Yeah, right.

May 31: Virus poses as nude Jennifer Lopez photos. Arriving with a subject line reading "Where are you," the virus-infected message includes an attachment JenniferLopez_Naked.JPG.VBS. Windows users with "Show File Extensions" turned off  may mistake the file for a JPG image.

May 31: Hoax: We've already received several well-intentioned messages warning us of a virus called SULFNBK.EXE; it's clear that such messages are circulating in large numbers on the Internet. The file that is mentioned in the hoax, Sulfnbk.exe, is a standard Microsoft Windows utility that is used to restore long file names. (The name stands for "Set Users Long File Names BacK.") See SARC.com for complete details on this hoax.

May 19: A fake virus warning in an email purporting to be forwarded from antivirus company Symantec is actually a worm that, when activated, changes your browser's home page to a fake virus warning page, then emails the fake "warning" to all users in your Outlook address book. Then, on the 24th of November, you'll receive a warning message chastising you for being stupid enough to open the message.

Apr. 25: Microsoft today quoted an Ipsos-Reid survey that found Microsoft Exchange and Outlook in use by 49 percent of those surveyed. Some of those customers must be wondering if all the virus problems that seem to plague Outlook-borne mail are worth it. And now, it's clear that even Microsoft has fallen victim. A virus called FunLove infected Microsoft servers and the company, in turn infected 170 of its top support customers by sending them infected files.

Mar. 31: The First Virus To Affect Linux & Windows is not a serious threat to users, but it points to a worrisome trend: cross-platform viruses, not to mention a dramatic increase in the number of recent threats that target Linux. Fortunately, this virus doesn't destroy any data. Yet.

Mar. 23: "Lion" worm roars at Linux - A new "worm" affecting computers running the Linux operating system is so difficult to remove that users may be forced to erase everything on the disk and reinstall the entire operating system, warns CNET. The worm, which is apparently a mutation of the "Ramen" worm discovered in January, can steal passwords from Linux computers. It also creates "back doors," providing administrator-level access to hackers. Although Ramen affected only machines running Red Hat Linux, experts warn that this variant could easily mutate to affect other versions of Unix.

Mar. 6: Naked Wife Virus Ready to Divorce Your Computer. "NakedWife" is a new mass-mailing Trojan worm that arrives in a message that reads "My Wife never look like that :), Best Regards." The Trojan, a Visual Basic Script which affects Microsoft Outlook users, deletes DLL (Dynamic Link Library), INI (initialization files), EXE (executable files), BMP (picture files), and COM (resource) files in the Windows and system directories. Anti-virus vendors are already on top of the situation with definition updates.

Feb. 26: CNET warns of a Gnutella worm that changes, chameleon-like, to take the name of any file a Gnutella user might be searching for. The worm, which which can also be classified as a Trojan horse due to its sneaky behavior, spreads only via the Gnutella peer-to-peer file-swapping service and is always 8192 bytes in size, at least in its current incarnation.

Feb. 17: The author of the Anna Kournikova virus (more correctly termed a worm) has surrendered to police in Amsterdam, saying he used an simple virus-authoring toolkit called the Visual Basic Worm Generator to show the world that computer users have essentially learned nothing since the Melissa virus became the world's first fast-spreading virus in March of last year. The 20-year-old man, who cannot be named under Dutch law, says "Its their own fault they got infected." He's got a point. Consider another common threat, the Wscript.KakWorm. Many people still don't seem to know that this worm is spread in the body of an email message--not an attachment.

Alarmingly, notes Symantec, the KakWorm can reinfect your computer if it is displayed in the preview pane of an unpatched version of Outlook Express.

Feb. 12: Anna virus rushes the Net, warns News.com. More peril for unwary computer users looms, as an email message purporting to be a photo of Russian Tennis Star Anna Kournikova has emerged as a fast-spreading worm, capable of clogging email servers and confusing users. The threat, which contains a VBS attachment called "AnnaKournikova.jpg.vbs" arrives a message with one of three similar subject lines: "Here you are ;-)," "here you have ;o)" and "here you go ;-)." Users with "Show File Extensions" turned off may mistake the attachment as JPG picture file, not as the executable, but thankfully non-destructive, Visual Basic Script it really is. Symantec has already released NAV definitions and has a page describing it at: http://www.symantec.com/security_response/index.jsp

Jan. 22nd: Symantec warns that it still has no solution to an error in Norton AntiVirus 2001 that can cause an error dialog to pop up on a Windows Me machine, saying: "Explorer has caused an error in NAVSHELL.DLL. Explorer will now close. If you continue to experience problems, try restarting your computer." At the time of this writing, neither a workaround or fix was available. Symantec says as soon as a solution is found, it will posted to http://www.symantec.com/support/index.jsp

Jan. 20th: This week's most common virus hoax: Virtual Card for you. Most common virus (again): Hybris.In other virus-related news, we are sad to report that the new search engine at Symantec's spiffy-looking update to the SARC.com website is TERRIBLE.  Try searching for "hybris" or "snowhite," [sic] for example. Both returned zero hits as of Jan. 20th. Other common terms return Japanese language results. As readers of this page will know, these are both commonly searched-for terms.

Jan. 17th: Melissa infects Mac Word docs. A variant of the Melissa virus that has plagued Windows users has surfaced as a Mac-formatted MS Word document, allowing the virus to be spread by PC or Mac users. However, only an infected PC will mass-mail 50 copies of the virus to people in the affected user's Outlook address book. Experts theorize that someone may have saved a Melissa-infected document into the new Macintosh version of Microsoft's Office software, creating the new strain. Other than replicating itself, this version of the virus does little damage. See http://www.symantec.com/security_response/index.jsp for additional details.

Jan. 17th: Not a virus, in the strict definition, a worm called "Ramen" is a pest nonetheless, as it seeks out and attacks Linux-based servers, replacing web server pages with hacker messages.

Jan. 5th: The first Hypertext virus has been found, notes Newsbytes. The virus, known as PHP.NewWorld, currently executes a proof-of-concept infection only; it has no payload and is not self-propagating. It is capable of infecting servers running the hypertext preprocessor (PHP) scripting language. Experts warn that proof-of-concept viruses almost invariably lead to more malevolent threats, particularly in this case, where the PHP server code -- used by many e-commerce servers -- is free.