Welcome To Virus Zones!!!!


This site has been put together by CEnet in conjunction with LSnet as a courtesy to our customers. Check here regularly for the latest virus outbreaks, and keep your anti-virus software updated accordingly!


PWSteal.Tarno.T
Discovered on: March 20, 2006

PWSteal.Tarno.T is a Trojan horse that steals sensitive information such as
user name and password details. It also downloads remote files and lowers
security settings. It:
Logs banking details typed into browsers and open windows.
Sends banking details to predetermined URLs.
Adds itself to the Windows Firewall authorized list in order to bypass it.
Zone Labs, the firewall we are using, is OK.

The threat is reported to arrive on the compromised computer as an attachment
to an email message with the following characteristics:

From: payments-support@amazon.co.uk

Subject: Your payment done.

Body:
Dear customer,
We're writing to let you know that we've initiated a transfer from your bank
account (Last 4-digits: 0402) for the following amount: GBP 313.14
(ORDER 0220873 DATE 20.03.2006) Funds should leave account in approximately
three to five working days. See your statement details in attachment. To
review your account at any time please access your Account Summary:
[https://]payments.amazon.co.uk/exec/login
If you have any questions or concerns regarding this settlement please contact
us at
payments-support@amazon.co.uk
Amazon.co.uk Marketplace

-- Amazon Services Europe S.a.r.l.
Sell Your Stuff [http://]www.amazon.co.uk

Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server
2003, Windows XP

Threat Assessment: High
Damage Assessment: High

If you get this Trojan horse, don't try to remove it yourself. Call CEnet in
NC at 336-372-4029 or call LSnet in VA at 276-236-3400 for HELP!!!!

2/3/2006

The Kama Sutra worm, also known as Blackworm, MyWife or Nyxem-D, got its nickname because it spreads via emails offering sexual images. The worm has been programmed to wake up on Friday, February 3, and will activate on the third of every month. This virus is very bad. If you updated your anti-virus software within the past week you should be OK, but still be on the lookout. If you get it, you will not be able to fix it yourself. You will need to bring it to us and count on at least 2 hours of work done on your machine!


W32.Dabora.B@mm
Discovered on: December 31, 2005

W32.Dabora.B@mm is a mass-mailing worm that mimics financial Web sites.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows
NT, Windows Server 2003, Windows XP

Threat Assessment: High
Damage Assessment: High

If you get this worm, don't try to remove it yourself. Call CEnet in NC at
336-372-4029 or call LSnet in VA at 276-236-3400 for HELP!!!!

Happy Computing New Year From Henry, Leanne, and Tommy at CEnet.


Trojan-Spy.HTML.Smitfraud.c

Trojan-Spy.HTML.Smitfraud.c (Kaspersky Lab) is also known as: Phish-BankFraud.eml.a (McAfee), Trojan Horse (Symantec), Trojan.Bankfraud (Doctor Web), HTML.Phishing.Bank-1 (ClamAV), Trj/Citifraud.A (Panda), HTML/Smithfraud.gen (Eset)

This Trojan program uses spoofing: it takes the form of a fake HTML page and is used to steal confidential information from clients of the Smith Barney financial company (www.smithbarney.com).
It is sent by email as an important message from the Smith Barney company with the following subject:

Smith Barney: Security Maintenance

In terms of functionality this version is almost identical to Trojan-Spy.HTML.Smitfraud.a. It differs only in the email's sender address and the address of the fake Internet site.


W32.Sober.X@mm
Discovered on: November 23, 2005

W32.Sober.X@mm is a mass-mailing worm that uses its own SMTP engine to spread
and lowers security settings. It sends itself as an email attachment to
addresses gathered from the compromised computer. The email may be in either
English or German.


Also Known As: CME-681, WORM_SOBER.AG [Trend Micro], W32/Sober-{X, Z} [Sophos], Win32.Sober.W [Computer Associates], Sober.Y [F-Secure], W32/Sober@MM!M681 [McAfee]
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server
2003, Windows XP

Threat Assessment: High
Damage Assessment: High


Trojan.Vundo

Also Known As: Vundo [McAfee], Vundo.dldr [McAfee]

Trojan.Vundo is a component of an adware program that downloads and displays pop-up advertisements. It is known to be installed by visiting a Web site link contained in a spammed email.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Threat Assessment: Wild
Removal is difficult.

There is a removal tool for this virus, but we recommend taking your computer to CEnet in North Carolina or LSnet in Virginia to have it removed, because the virus puts entries in the registry (regedit) that need to be removed. Regedit is not something you want to mess with, since the registry holds settings the system needs to operate, and if these are removed by accident it can cause more headaches!


Backdoor.Ryknos.B
Also known as: TR/FlashKiller.B, Troj/Stinx-F [Sophos], BKDR_BREPLIBOT.D [Trend Micro], Breplibot.C [F-Secure]

Threat Assessment: Wild
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

This Trojan horse comes in through Yahoo and affects networks. It can interfere with your ability to use your printer. Make sure your anti-virus software is updated.


W32.Lovgate.W@mm

The From line of the email is spoofed, and the Subject and Message vary. The attachment name also varies, with a .bat, .cmd, .exe, .pif, or .scr file extension. The worm may also send a .zip file containing the attachment.
This threat is written in the C++ programming language and is compressed with JDPack and ASPack.

Also known as: W32/Lovgate.ab@MM!2 [McAfee], I-Worm.LovGate.ac [Kaspersky]

Systems affected: Windows 2000, Windows NT, Windows Server 2003, Windows XP

Subject of the e-mail varies. Attachments vary with .bat, .cmd, .exe, .pif, .scr, or .zip as the extension.

Leanne at CEnet has received several e-mails with this virus in the attachments; all had a .zip as the attachment, and all came from spoofed e-mail addresses. If your computer gets this virus, you will need to take it to CEnet or LSnet for removal, because this virus can be tricky to get rid of and should be left to a pro; otherwise your computer can end up in worse shape than the virus left it in!
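As an added illustration (not part of this notice, and not code from CEnet or LSnet), here is a small Python check a mail administrator could run against an incoming message to flag the attachment types listed above, including the case where the worm wraps one of them in a .zip. The sample message, its sender and its file names are constructed assumptions.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions this notice lists for the worm's attachment; .zip is handled
# separately because the worm may wrap one of these inside it.
RISKY_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr"}


def _risky_names(filename, payload):
    """Return attachment names (including names inside a zip) with a risky extension."""
    name = (filename or "").lower()
    found = []
    if any(name.endswith(ext) for ext in RISKY_EXTS):
        found.append(filename)
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for inner in zf.namelist():
                    if any(inner.lower().endswith(ext) for ext in RISKY_EXTS):
                        found.append(f"{filename}:{inner}")
        except zipfile.BadZipFile:
            found.append(f"{filename} (unreadable zip)")
    return found


def flag_risky_attachments(raw_message: bytes):
    """Parse a raw RFC 822 message and list attachments a Lovgate-style worm would use."""
    msg = email.message_from_bytes(raw_message)
    flagged = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue
        flagged.extend(_risky_names(filename, part.get_payload(decode=True) or b""))
    return flagged


def build_sample():
    """Constructed sample: a mail carrying a .zip that wraps a .scr (no real executable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.scr", b"placeholder bytes, not a real executable")
    msg = EmailMessage()
    msg["From"] = "someone@example.com"  # assumed sender
    msg["Subject"] = "Re: your document"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()
```

A message with no flagged names returns an empty list, so the function can gate a quarantine decision directly.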


VBS.Ypsan.F@mm

Discovered on: June 01, 2005
Last Updated on: June 06, 2005 02:19:23 AM

VBS.Ypsan.F@mm is a mass-mailing worm that sends itself to all email addresses gathered from the Windows Address Book and also spreads through file-sharing networks. The worm deletes several files, folders, and registry entries, and attempts to shut down the compromised computer.

Note: Currently the worm doesn't work due to a bug.

Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Threat Assessment: Wild

This worm creates many of its own folders, files and values. The worm comes in on e-mail as an attachment, usually with "Your Microsoft Infomarion" in the subject line, will have "The information that you asked for is attached to this email. Microsoft (R)
[http://]www.microsoft.com" in the subject line, and will have All user.vbs as an attachment.

It is not recommended to remove this worm on your own. CEnet has already had to remove this worm from a machine, and it is a real headache to remove. If your computer acquires this worm, please call LSnet at (276) 236-340 or CEnet at (336) 372-4029.


W32.Zotob.E
Discovered on: August 16, 2005
Last Updated on: October 07, 2005 01:41:34 AM

W32.Zotob.E is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability on TCP port 445.

Notes:

  • It has been reported that computers targeted by W32.Zotob.E may become unstable during execution of the exploit code. This may result in the termination of the services.exe process, which causes the targeted computer to shut down.

  • Virus definitions version 70816y (extended version 8/16/2005 rev. 25) or greater are required to detect this risk.

  • Customers running Norton Internet Security 2005 AntiSpyware Edition and Symantec AntiVirus Corporate Edition 10.x can make use of the product's remediation functionality to remove this risk.

  • While computers running Windows 95/98/Me/NT4/XP operating systems cannot be infected remotely, it is possible they could be infected if W32.Zotob.E is executed locally (although this is an unlikely occurrence). Vulnerable Windows 2000 computers could then be infected by the compromised computer.

Also known as: CME-540, Win32/Zotob.E!Worm [Computer Associates], Bozori.A [F-Secure], Net-Worm.Win32.Bozori.a [Kaspersky Lab], W32/IRCbot.worm!MS05-039 [McAfee], W32/Tpbot-A [Sophos], WORM_ZOTOB.E [Trend Micro], W32/Bozori.A [Norman]

Type: Worm
Systems Affected: Windows 2000
Threat Assessment: Wild


W32.Zotob.E

Discovered on: August 16, 2005
This is an update from the earlier alert.

W32.Zotob.E is a worm that opens a back door and exploits the Microsoft
Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft
Security Bulletin MS05-039) on TCP port 445.

W32.Zotob.E can run on, but not infect, computers running Windows
95/98/Me/NT4/XP. Although computers running these operating systems cannot be
infected, they can still be used to infect vulnerable computers that they can
connect to.

Systems Affected: Windows 2000

Threat Assessment: High
Damage Assessment: High

I was called out to one of our customers' offices at 8:00 PM to fix their
network; it took 2 hrs. to fix it. These two machines were running Windows XP Pro.

Last updated on 03/21/2006 23:33:53 -0500
