
Virus Info:
Fake SECURITY@HACKERS Email Alerts/Warnings Hide Beagle.J Worm
Parasitic worms attack computers infected with the Mydoom worm
Novarg.A / Mydoom.A
Fake Billing Notices Hide Spam/Trojans
Fake Virus Alerts Hide Spyware
Mimail
Swen.A
Dumaru and Panda (aka Squirm)
Sobig.F Worm Information
Welchia Worm Alert
Blaster worm Information
Bugbear.b Worm Information

 

Question: Fake SECURITY@HACKERS Email Alerts/Warnings Hide Beagle.J Worm

Answer:

Some SECURITY@HACKERS customers have reported receiving email security alerts or warnings pretending to have been sent from SECURITY@HACKERS. These messages report problems with the recipient's email account and instruct the reader to open the attached file for further information. The messages did NOT come from SECURITY@HACKERS and are complete fakes sent out from computers infected with the Beagle.J worm. You should NOT open the attached file. The attached file is the worm. (Note: Beagle.K is a new variant that is very similar.)

Antivirus software sometimes makes us forget that the virus writers are always trying to come up with better ways to sucker us into opening a worm and infecting our computers. Beagle.J has added a new trick or two. Like all email worms, it arrives as an attachment to an email. The email is a warning (with numerous spelling and grammar errors) about the recipient's email account. The warning can vary, but directs the reader to open the attached file for further information. The attached file is the Beagle.J worm. Here's the new thing. The worm is zipped and password protected so that antivirus software will have a difficult time scanning it. This is a clever way to slip past antivirus scanners, but it does mean that you have to work really hard to open the file and infect your computer.

Double clicking on the file isn't enough to launch the worm. You also have to type in the password included in the email. Once you've done that, you can then double click on the unzipped worm code. Fortunately, most folks get more than a little suspicious by this point or their antivirus software has kicked in and popped up a warning. However, even a poorly written scam can trick people and this one seems to have succeeded in getting more than a few people to persist to the bitter end of launching the worm.

Beagle.J fakes the from address in its emails to be one of these names:
  • management
  • administration
  • staff
  • noreply
  • support
The worm uses the domain name of the recipient to complete the address. This means that SECURITY@HACKERS customers with @securityhackers.com addresses would see these emails as coming from:
  • management@securityhackers.com
  • administration@securityhackers.com
  • staff@securityhackers.com
  • noreply@securityhackers.com
  • support@securityhackers.com


Two samples we've seen numerous copies of this morning are:
-------------------Sample 1-----------------
Message with Subject: Notify about your e-mail account utilization.

Dear user of e-mail server "securityhackers.com",

Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

Pay attention on attached file.

Attached file protected with the password for security reasons. Password is 13302.

Kind regards,
The securityhackers.com team http://www.securityhackers.com
--------------------------------------------

-------------------Sample 2-----------------
Message with Subject: E-mail account security warning.

Dear user of "securityhackers.com" mailing system,

Your e-mail account has been temporary disabled because of unauthorized access.

Advanced details can be found in attached file.

For security purposes the attached file is password protected. Password is "23775".

Best wishes,
The securityhackers.com team http://www.securityhackers.com
--------------------------------------------


There are several other possible messages. Please see the links in the "Further Information Section" for complete details.

SARC identifies possible subject lines as:
  • E-mail account disabling warning.
  • E-mail account security warning.
  • Email account utilization warning.
  • Important notify about your e-mail account.
  • Notify about using the e-mail account.
  • Notify about your e-mail account utilization.
  • Warning about your e-mail account.
Both emails include an attached file named "Document.zip". SARC says the attached file may be named one of the following:
  • Attach
  • Information
  • Readme
  • Document
  • Info
  • TextDocument
  • TextFile
  • MoreInfo
  • Message
The attachments are .zip files that are password protected. The password is included in the body of the message (as in the two examples above). Some of these files are slipping through Brightmail because of the encrypted .zip archive. Note that ZIP encryption covers only the contents of each file inside the archive; the archive's own listing (member names, sizes and the encryption flag) is stored in the clear, so a mail gateway can still reject a password-protected .zip whose listing shows an .exe inside.
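The two things that make this lure work are visible without decrypting anything: the password is quoted in the message body, and even a real password-protected ZIP keeps its member names, sizes and encryption flag in a plaintext central directory. The following Python script is added here as an example; it is not part of the original FAQ, not the ISP's filter and not a vendor tool. It hand-assembles an archive whose headers claim ZipCrypto encryption (the standard library cannot write encrypted archives), wraps it in a constructed message in the style of Sample 2 above (the example.com addresses and the placeholder payload are assumptions, not captured data), and then scores the message the way a gateway could: password in body plus an encrypted ZIP whose listing shows an executable member.

```python
import re
import struct
import zipfile
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from io import BytesIO
from os.path import splitext

# Everything below (example.com addresses, placeholder payload) is constructed
# for this example; it is not captured mail and not the ISP's own filter.
ZIP_ENCRYPTED_FLAG = 0x0001   # general-purpose flag bit 0: member is encrypted
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".hta", ".vbs"}
# Matches 'Password is 13302.' and 'Password is "23775".' from the samples above
PASSWORD_RE = re.compile(r'[Pp]assword\s+is\s*:?\s*"?([A-Za-z0-9]+)"?')


def build_encrypted_zip(member_name: str, payload: bytes) -> bytes:
    """Hand-assemble a one-member ZIP whose headers claim ZipCrypto encryption.

    zipfile cannot write encrypted archives, so the headers are packed with
    struct. The payload is not really encrypted; what matters is that the
    central directory (name, sizes, flag bits) is plaintext in a genuine
    password-protected archive too, which is exactly what a gateway can read.
    """
    name = member_name.encode("ascii")
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    data = b"\x00" * 12 + payload                     # ZipCrypto prepends a 12-byte header
    dos_time, dos_date = 0, (24 << 9) | (3 << 5) | 1  # 2004-03-01 00:00 in DOS format
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, ZIP_ENCRYPTED_FLAG, 0,
                        dos_time, dos_date, crc, len(data), len(payload),
                        len(name), 0) + name + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20,
                          ZIP_ENCRYPTED_FLAG, 0, dos_time, dos_date, crc,
                          len(data), len(payload), len(name), 0, 0, 0, 0, 0,
                          0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local), 0)
    return local + central + eocd


def build_sample_message() -> bytes:
    """Constructed lure in the style of Sample 2 above (not a captured message)."""
    msg = EmailMessage()
    msg["From"] = "management@example.com"   # spoofed with the recipient's own domain
    msg["To"] = "user@example.com"
    msg["Subject"] = "E-mail account security warning."
    msg.set_content(
        'Dear user of "example.com" mailing system,\n\n'
        "Your e-mail account has been temporary disabled because of unauthorized access.\n\n"
        'For security purposes the attached file is password protected. Password is "23775".\n'
    )
    placeholder = b"MZ" + b"\x90" * 64        # stand-in bytes, not the worm
    msg.add_attachment(build_encrypted_zip("Document.exe", placeholder),
                       maintype="application", subtype="zip",
                       filename="Document.zip")
    return msg.as_bytes()


def analyze_message(raw: bytes) -> dict:
    """Score one message: password quoted in the body plus an encrypted ZIP
    whose listing shows an executable member is the Beagle.J lure."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_text, zips = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if part.get_content_type() == "text/plain" and filename is None:
            body_text += part.get_content()
        elif filename and filename.lower().endswith(".zip"):
            zips.append((filename, part.get_payload(decode=True)))

    m = PASSWORD_RE.search(body_text)
    password = m.group(1) if m else None
    report = {"password_in_body": password, "attachments": [], "verdict": "deliver"}
    for name, blob in zips:
        entry = {"name": name, "members": []}
        try:
            infos = zipfile.ZipFile(BytesIO(blob)).infolist()   # reads only the central directory
        except zipfile.BadZipFile:
            entry["members"] = None            # corrupt or hostile archive: do not deliver
            report["verdict"] = "quarantine"
            report["attachments"].append(entry)
            continue
        for info in infos:
            encrypted = bool(info.flag_bits & ZIP_ENCRYPTED_FLAG)
            executable = splitext(info.filename)[1].lower() in EXECUTABLE_EXTS
            entry["members"].append({"name": info.filename,
                                     "encrypted": encrypted,
                                     "executable": executable})
            # An executable inside is enough on its own; an encrypted archive whose
            # password is in the same mail is the lure even if the name is innocuous.
            if executable or (encrypted and password is not None):
                report["verdict"] = "quarantine"
        report["attachments"].append(entry)
    return report
```

The verdict never depends on extracting or scanning the member, which is the point: the scanner that Beagle.J defeats is the one that needs the plaintext, and the listing-based check does not.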

Beagle.J Opens a Backdoor:
Beagle.J opens a backdoor TCP port 2745 on infected computers.

Beagle.J May Terminate Antivirus Software Updates:
Beagle.J attempts to terminate the processes used by common antivirus software update programs. If successful, this would prevent antivirus software from downloading updated definition or signature files so that Beagle.J might run undetected.

Beagle.J Attempts to Spread Via File Sharing Networks
Beagle.J will copy itself into file sharing directories of commonly used peer-to-peer file sharing software like KaZaa in an attempt to trick people into downloading the worm through those networks. Please see the links below for lists of file names the worm uses for this trickery.

More detailed information can be found at:

Prevention:
Protection of Windows-based systems is easy. (Non-Windows-based computers are not affected.)
  1. Make certain your antivirus software is up to date.
  2. Run a personal firewall like ZoneAlarm
  3. If you are using Microsoft Internet Explorer/Outlook Express go to Windows Updates then upgrade to the latest version.
  4. Of course, it always bears repeating, don't open attachments!
Removal:
Symantec has updated their Beagle Worm Removal Tool to include all versions of Beagle through Beagle.J. This can be a destructive worm so you should immediately download and run Symantec's cleaner.

The removal tool and complete instructions may be found here:

http://www.sarc.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html

You should also update your antivirus software and then have it scan your system.

Please note: Because Beagle.J can open your computer to unauthorized access, following the above steps may not completely secure an infected computer. Reinstalling the operating system and recovering data from backups may be the only way to make certain a critical system is safe.

Antivirus Software Update Sites:
We've included links below to some of the more popular antivirus program update sites.
Question: Parasitic worms attack computers infected with the Mydoom worm

Answer:

In the wake of the unfortunately successful Mydoom worm, new parasitic worms that attack computers already infected with Mydoom have begun squirming their way across the Internet. The new worms are known under many different names by the various antivirus companies (which always adds greatly to the confusion when discussing viruses and worms), but the two most common names are Deadhat and Doomjuice. (A couple of the antivirus companies even say this is one worm. Nothing like experts for creating confusion.) Both worms can infect any unprotected computer running Windows 95, 98, ME, NT, 2000, XP or Server 2003 that is already infected with Mydoom. Non-Windows-based computers, such as Macintoshes, can't be infected.

NOTE: New variations of these worms will be appended to this FAQ as needed.

The best protection is, as always, to run up to date antivirus software and a personal firewall.

These two worms spread across the Internet and through network connections only. They do not send email. Both worms look for the TCP port opened by Mydoom (TCP Port 3127) on an infected computer and when they find a compromised computer they send copies of their new and improved Mydoom code that updates the Mydoom worm on the targeted system. The updated worm then starts scanning for new computers to infect and uses its new host to conduct a denial of service (DoS) attack against www.microsoft.com.


The Deadhat version will attempt to disable antivirus software when infecting a new host computer.

Updated - 02/16/04 A new variation of Deadhat, called Deadhat.B, adds some new nastiness. It not only scans TCP port 3127, but also ports 3128 and 1080. Deadhat.B can also spread across shared drives and via the Soulseek file sharing network. Deadhat.B listens on TCP port 2766 and can allow the infected computer to be remotely controlled by commands sent via an IRC server. This is a very bad thing: it may allow unauthorized software to be installed on the infected computer as well as unauthorized access to any data stored on the system.

DShield.org has shown a tremendous increase in traffic to the Mydoom port 3127 over the past day as these worms have spread to computers infected with Mydoom.

More detailed information about Deadhat.A (W32.HLLW.Deadhat.A) can be found at:

More detailed information about Deadhat.B (W32.HLLW.Deadhat.B) can be found at:

More detailed information about Doomjuice (W32.HLLW.Doomjuice) can be found at:

Prevention:
Protection of Windows-based systems is easy. (Non-Windows-based computers are not affected.)
  1. Make certain your antivirus software is up to date and you have scanned your computer for Mydoom.
  2. Run a personal firewall like ZoneAlarm
Removal:
If your computer is infected with either Deadhat or Doomjuice, you should follow the manual removal instructions included in the more detailed information links above.

Please note: Because worms and viruses can open your computer to unauthorized access, following the above steps may not completely secure an infected computer. Reinstalling the operating system and recovering data from backups may be the only way to make certain a critical system is safe.

Anti-Virus Software Update Sites:
We've included links below to some of the more popular anti-virus program update sites. New definitions are released constantly. Please check with your antivirus vendor for the latest files.
Question: Fake SECURITY@HACKERS Billing Notice Email Hides Spam/Trojan Downloader

Answer:

Some SECURITY@HACKERS customers have received fake email billing notices pretending to have been sent from SECURITY@HACKERS. These fake alerts are nothing more than junk email or spam.

The message states the recipient must read the attached Billing Notice within 24 hours or lose Internet service.

These emails did not come from SECURITY@HACKERS and are complete fakes. The attached Billing Notice is a trojan downloader that, if clicked on, can download and install other software on to your computer.

You should not double click on the attached file nor should you respond to the email with any personal or SECURITY@HACKERS account information.

The messages may vary slightly, but most of them look like the one below.

------------ Fake Billing Notice Sample 1 ----------
Subject: Billing Notice From securityhackers.com 's Accounting Dpt

***  securityhackers.com 's accounting dpt notice ***

Internet Billing Notice

Please press "open" and read the attached Billing Notice.

Note if you do not read this withing 24 hours we at securityhackers.com regret we will have to terminate internet service.
-----------------------------------------------------

A variation of the above sent to some of SECURITY@HACKERS's Hosting Customers looks like the one below.

-------------- Fake Billing Notice Sample 2 --------------
Subject: Billing Notice From [Hosting Customer's Domain Name] 's Accounting Dpt

***  [Hosting Customer's Domain Name] 's accounting dpt notice ***

Internet Billing Notice

Please press "open" and read the attached Billing Notice.

Note if you do not read this withing 24 hours we at [Hosting Customer's Domain Name] regret we will have to terminate internet service.
-----------------------------------------------------

The attached file (called a Billing Notice) is named page.hta. An .hta file is an HTML Application: a web page that Windows runs with mshta.exe outside the browser's security zones, so any VBScript inside it executes with the full privileges of the user who opened it. This one is designed to download and install other software from the Internet. Older versions of Outlook or Outlook Express might automatically execute this code simply by viewing the email.

Support has received multiple copies of the email with the attached file intact. The attached files have been identified as the VBS.inor.trojan downloader and the VBS.Suzer.A trojan downloader. Both are written in VBScript and, when run, will download and install other software. (Note: Macintosh and Linux computers are immune to these trojan downloaders.)

There are many variations of these scripts and some are used to download and install spyware or adware and some are used to install worms or trojan horses. In this case, it's likely that the downloader would install spyware or adware, but there's no way to be certain.

To be safe, if you received one of these emails and you opened the attached file, you should make sure your antivirus software is up to date and scan your computer for viruses and worms.

We also recommend you run one (or both) of the free spyware removal tools Adaware and Spybot.

Adaware may be downloaded from:
http://www.lavasoftusa.com/

Spybot may be downloaded from:
http://www.safer-networking.org/index.php?lang=en&page=download
Question: Fake Virus Alert Hides Spam/Spyware

Answer:

SECURITY@HACKERS customers and staff have been receiving fake virus alerts pretending to be sent from SECURITY@HACKERS. These fake virus alerts are nothing more than junk email or spam.

The messages state the recipients' computers are infected with a virus and that if they don't open the linked detailed report within 24 hours their Internet service will be shut down. The email includes a link to the report.

The email did not come from SECURITY@HACKERS and is a complete fake. The link to the detailed report is in fact a link that will download a piece of spyware.

The messages may vary slightly, but most of them look like the one below.
-------------- Sample Fake Alert Message ----------
Subject: Virus Alert From securityhackers.com Virus Report Center

Virus Alert
To:[NAME]

From: securityhackers.com's Internet Virus Department 

We have detected a possible computer virus on your computer, You must
open the details of the report within 24 hours our we will be forced to
shut down your internet service.

Please Click Below Then Press "open" To View The Report If you do not
open this report in 24 hours we will suspend your internet service If
nothing apears on your virus report please dis-regard this message

Click Here Now [Link to Spyware Download]
----------------------------------------------------
If you clicked on the link, and are using Windows, you can try removing the spyware by running one (or both) of the free spyware removal tools Adaware and Spybot. Macintosh and Linux computers are immune to the spyware.

Adaware may be downloaded from:
http://www.lavasoftusa.com/

Spybot may be downloaded from:
http://www.safer-networking.org/index.php?lang=en&page=download

It's also a good idea to always keep your anti-virus software up to date because it may sometimes catch the more obnoxious versions of spyware.


 

Question: How do I protect my computer from the new Mimail worms? (W32.Mimail.C@mm, Mimail.D, Mimail.E, Mimail.F, Mimail.G and Mimail.H)

Answer:

The Mimail worm has reappeared in several new variations. They are W32.Mimail.C@mm, W32.Mimail.D@mm, W32.Mimail.E@mm (also known as W32.Mimail.F@mm and W32.Mimail.G@mm) and W32.Mimail.H@mm. All are very similar and spread through email. The infected emails are usually the same and include an attached .zip file. The attached file is the worm. Opening the file will infect your computer.

Mimail scans the infected system for email addresses in all readable files and then spreads by sending email through its own built-in mail server to each of the addresses it found.

Mimail is consistent in the email it spews. (It's so consistent that SECURITY@HACKERS's spam blocking services are trapping most of these coming into protected accounts.)

In all cases, the subject lines will either read:
Re[2]: our private photos [random letters]
or
don't be late! [random letters]

The domains used in the From and Reply-To addresses will usually be the same as the domain of the address the infected email was sent to. For example, a Mimail-infected message sent to janedoe@some.domain.com will appear to have been sent from james@some.domain.com (for Mimail.C) or john@some.domain.com (for Mimail.D, E, F, G and H).

The attachments will either be named photos.zip or readnow.zip.

Sarc and Sophos have discovered that Mimail uses infected computers to conduct DDoS (Distributed Denial of Service) attacks against a number of domains including:
spews.org
www.spews.org
spamhaus.org
www.spamhaus.org
spamcop.net
www.spamcop.net
fethard.biz
www.fethard.biz
fethard-finance.com
www.fethard-finance.com
mysupersales.com
www.mysupersales.com
Sample Emails:

The Mimail C variant email looks like this:
From: james@some.domain.com
To: Name
Reply-To: james@some.domain.com
Subject: Re[2]: our private photos [random letters]

Hello Dear!,

Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)


Right now enjoy the photos. Kiss, James. [random letters]
The Mimail.D, E, F, G and H variant email looks like this:
From: john@some.domain.com
To: Support
Reply-To: james@some.domain.com
Subject: don't be late! [random letters]


Will meet tonight as we agreed, because on Wednesday I don't think I'll make it,

so don't be late. And yes, by the way here is the file you asked for.
It's all written there. See you.

[random letters]


More detailed information can be found at:

Prevention:
Protection of Windows-based systems is easy. (Non-Windows-based computers are not affected.)
  1. Make certain your anti-virus software is up to date.
  2. Run a personal firewall like ZoneAlarm
  3. If you are using Microsoft Internet Explorer/Outlook Express go to Windows Updates then upgrade to latest version.
  4. Of course, it always bears repeating, don't open attachments!
Removal:
Once Mimail infects a computer, it makes changes to the Windows registry, making it difficult to manually remove the worm. Fortunately, Symantec has released an automated removal tool to simplify the task of cleaning an infected computer. The tool can clean off all the new variants as well as the original W32.Mimail.A@mm.

If your computer is infected with Mimail you should immediately download and run the Symantec Mimail removal tool from:

http://sarc.com/avcenter/venc/data/w32.mimail.removal.tool.html

You should also install up-to-date antivirus software and use it to scan your system.

Anti-Virus Software Update Sites:
We've included links below to some of the more popular anti-virus program update sites.

          
Question: How do I protect my computer from the Swen.A (W32.Swen.A@mm) worm?

Answer:

W32.Swen.A@mm, Swen for short, was discovered September 18, 2003. It's an email worm that has been spreading widely over the past few hours.

Swen.A follows the familiar email worm pattern. It arrives in your mailbox as an email with an attached file. The message content can vary, but two that I have seen multiple times are a fake security alert from Microsoft and a faked email bounce message. Please note that Microsoft never sends security update or patch files through email.

The attached file is the worm. Clicking on the attachment will launch the worm and infect the computer. The worm will then send copies of itself to every email address it can find on the infected computer.

Swen.A can also spread via IRC, over KaZaa file sharing networks and across shared drives.

The fake Microsoft alert will have varying subjects, but will include the message:

"Microsoft Partner

this is the latest version of security update, the "September 2003, Cumulative Patch" update which resolves all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express.Install now to maintain the security of your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer. This update includes the functionality of all previously released patches."


The attached "patch" file is the worm.

The fake bounce message will say:

I'm sorry to have to inform you that the message returned below could not be delivered to the following addresses:

Undeliverable message to [Random Letters]@america.com


Once Swen infects a computer, it makes numerous changes to the Windows registry file making it very difficult to manually remove the worm.

More detailed information can be found at:



Prevention:
Protection of Windows-based systems is easy. (Non-Windows-based computers are not affected.)
  1. Make certain your anti-virus software is up to date.
  2. Run a personal firewall like ZoneAlarm
  3. If you are using Microsoft Internet Explorer/Outlook Express go to Windows Updates then upgrade to latest version.
  4. Of course, it always bears repeating, don't open attachments!
  5. If you don't need Windows file sharing, make sure it's turned off on your computer.
Removal:
If your computer is infected with Swen.A, you need to immediately download and run Symantec's Swen.A removal tool. You can download it from here:

http://sarc.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html

Computer Associates also released a Swen.A removal tool (called ClnSwen.zip). You can download it from:

http://www3.ca.com/virusinfo/virus.aspx?ID=36939

and clicking on the "Please Click Here" link. You can also download the tool directly from here:

http://www3.ca.com/Files/VirusInformationAndPrevention/ClnSwen.zip

Instructions for using the removal tool are included with the download.

You should also install up-to-date antivirus software and use it to scan your system.

Anti-Virus Software Update Sites:
We've included links below to some of the more popular anti-virus program update sites.
Question: Dumaru and Panda.B worms send out fake Microsoft security patches.

Answer:

Whenever there's a major virus event affecting Internet users, there are always people who just want to increase the amount of chaos. One of the methods has always been to create email worms that send out fake messages pretending to be from Microsoft. Note: Microsoft will never send security patches or updates via email. Any email you might receive that says it's from Microsoft and suggests you open an attached file will always be a fake message.

The current Blaster/Welchia Internet worm crisis is a prime candidate for these fake security messages and indeed two have already shown up. Both send out email that pretends to be security announcements from Microsoft. The email includes an attached file that is supposed to be a security patch from Microsoft. The attached file is a worm. Opening it will infect your computer.

The first worm is called W32.Pandem.B.Worm (also known as W32.Squirm@mm). It sends out an email that looks like this:

From: support@microsoft.com
Subject: Microsoft Security Bulletin

Unchecked Buffer in Windows Explorer Could Enable System Compromise (329390)

Summary
Who should read this bulletin: Customers using Microsoft  Windows 95,98,2K,
ME,XP Impact of vulnerability: Run code of an attacker's choice

Maximum Severity Rating: Critical

Recommendation: Customers using Microsoft Windows 95,98,2K,ME,XP should 
apply the patch immediately.



The attachment will either be called patch.zip or patch_329390.exe.

You can read more about W32.Pandem.B.Worm at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.pandem.b.worm.html




The second, more common, worm is called W32.Dumaru@mm or Dumaru for short. It sends out an email that looks like this:

Date: Fri, 22 Aug 2003 21:46:46 -0500 (CDT)
From: Microsoft 
Subject: Use this patch immediately !

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

The attachment will be called patch.exe.

You can read more about W32.Dumaru@mm at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru@mm.html

Both worms can be easily stopped by running up-to-date anti-virus software.
Question: How do I protect my computer from the Sobig.F (W32.Sobig.F@mm) worm?

Answer:

The W32.Sobig.F@mm worm has been filling up email boxes since early this morning (August 19, 2003). SECURITY@HACKERS Support has received hundreds of copies of Sobig.F worm infested email from infected computers just this morning.

W32.Sobig.F@mm arrives as an email with an attachment with a .pif extension. Some of the attachment names we have seen are:
  • document_all.pif
  • document.pif
  • your_details.pif
  • document_9446.pif
  • application.pif
The attachment is the worm. Don't open it!

All the copies we have received had one of these subject lines:
  • Re: Details
  • Re: Re: My details
  • Re: Thank You!
  • Re: Wicked Screensaver
  • Re: That Movie
  • My details
  • Thank You!
  • Your details
Needless to say, this list should NOT be considered complete.

The body of the message will usually say:
"Please see the attached file for details."
or
"See the attached file for details."
According to SARC, the worm allows other software to be installed on the infected computer including a spam server that allows spammers to use infected systems to spew their junk out across the Internet. SARC goes on to say that the worm has been used to "steal confidential computer information".

The worm also listens on UDP ports 995, 996, 997, 998 and 999, and if it receives a properly encoded UDP datagram it will update itself. This may be the first self-updating worm.

More detailed information can be found at:

Prevention:
Protection of Windows-based systems is easy. (Non-Windows-based computers are not affected.)
  1. Make certain your anti-virus software is up to date. Major anti-virus software updated today (August 19, 2003) should protect against Sobig.F.
  2. Run a personal firewall like ZoneAlarm
  3. If you are using Microsoft Internet Explorer/Outlook Express go to Windows Updates then upgrade to latest version.
  4. Of course, it always bears repeating, don't open attachments!


Removal:
If you are infected with Sobig.F, you should download and run Symantec's Sobig.F removal tool. You can get it from:

http://sarc.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html

You should also install antivirus software and then have it scan your system.

Please Note: Computers infected with Sobig.F may have other malicious software installed on them or be compromised in other ways. Infected computers performing critical functions or storing sensitive data may not be safe even after removing the Sobig.F worm.

Anti-Virus Software Update Sites:
We've included links below to some of the more popular anti-virus program update sites.
Question: How do I protect my computer from the Welchia (W32.Welchia.Worm) worm?

Answer:

The W32.Welchia.Worm worm has been infecting large numbers of vulnerable computers connected to the Internet since it first appeared August 18, 2003. The worm has caused some networking slowdowns and other problems because of the greatly increased ping (ICMP) traffic coming from infected systems. SECURITY@HACKERS has received numerous reports from customers infected by the worm.

Welchia is based upon the Blaster worm and takes advantage of known vulnerabilities in Windows RPC and WebDav that allow a remote user to gain access to the targeted computer. If you have not updated your Windows system with the latest Microsoft patches, please go to windowsupdate.microsoft.com and install all the critical updates.

Please note that this is not an email worm. It's an Internet worm that moves from computer to computer across the Internet. Welchia attacks computers through their Internet connections. All computers connected to the Internet can be attacked by the worm, but only Windows-based systems can be infected. If you are running firewall software, you will see an increased number of hits on ports 135 and 80 as well as a huge increase in ping (ICMP) traffic.

Welchia sends copies of itself to other vulnerable computers connected to the Internet. If the copy of the worm reaches a Windows 2000 or XP-based computer that is not patched, Welchia will infect that computer.

The worm automatically pings networks looking for online computers. When it finds a system online it sends data to either TCP port 135 to exploit the Windows RPC vulnerability, or it will send data to TCP port 80 to exploit the Windows WebDav vulnerability. The newly compromised computer will connect back to the attacking system on a randomly selected TCP port between 666 and 765 and wait for the attacker to tell it what to do. The attacking computer then launches the TFTP server and tells the victim to download dllhost.exe and svchost.exe and execute the files. Once the victim is infected, the worm will check to see if the Microsoft RPC patch is installed. If not, it will attempt to download the patch and restart the infected system. After restarting, the worm will check the date and if the year is not 2004, the worm will then attack other systems.

Infected Windows 2000 systems often become unstable and crash when connected to the Internet. Infected systems may show none of these symptoms even though they continue spreading the worm.

More detailed information can be found at:
Note that the different antivirus companies and virus research groups all use different names for the Welchia worm. Welchia is also known as the MSBLAST.D and Nachia worm.

Prevention:
Protection of Windows-based systems is easy (Non-Windows-based computers are not affected.).
  1. Go to Windows Update and download and install all the critical updates. Please note that if you do not regularly update your system, you may have several critical updates to install. Some of these updates have to be installed alone and some will require you to restart your computer. To be sure you have all the updates, it's best to return to windowsupdate.microsoft.com as often as necessary until all the critical updates are installed and the site says there are no more available. It is not necessary to install anything but the critical updates to make certain your computer is protected from Welchia.
  2. Make certain your anti-virus software is up to date.
  3. Run a personal firewall like ZoneAlarm or enable Windows XP's built-in firewall, following these steps.
If you are running Windows 2000 or XP and are crashing as soon as you connect to the Internet, it's possible that the following methods might help keep you online long enough to download the Microsoft patches. After installing the updates, you have to follow the removal instructions below to remove the worm from your computer.

Configuring Windows RPC Service
(These settings should be default for Windows 2000.)
  1. Open the Control Panel.
  2. Double-click on "Administrative Tools"
  3. Double-click on "Services".
  4. Search the list for "Remote Procedure Call (RPC)" and double-click it.
  5. Click the "Recovery" tab.
  6. In the pull down menus for "First failure", "Second failure" and "Subsequent failures", select "Take No Action" for all three.
  7. Click "OK" and close "Services".
Please note that this will not remove the worm from infected systems. It is just a workaround to help you get the patches needed to protect your computer. You have to follow the removal instructions below to stop the worm from using your computer.

Enabling the Windows XP Firewall
We strongly recommend that Windows XP users turn on the built-in Windows XP firewall. To turn on XP's firewall protection follow these steps:
  1. Open the Control Panel.
  2. Double-click "Network Connections"
  3. Right click on the SECURITY@HACKERS icon, "My Connection" icon or other icon if you chose a different name.
  4. Select "Properties".
  5. Select the "Advanced" tab.
  6. Select or check "Protect my computer and network by limiting or preventing access to this computer from the Internet".
  7. Click "OK". (You may get a warning telling you full protection won't be available for current connections. If you do, click "OK" in the warning box and reboot.)
Please note that this will not remove the worm from infected systems. It is just a workaround to help you get the patches needed to protect your computer. You have to follow the removal instructions below to stop the worm from using your computer.

Disabling DCOM
The steps below are quoted directly from Microsoft Security Bulletin MS03-026. SECURITY@HACKERS Support has not tested this workaround but I've included it in case the above two methods fail to allow you to connect long enough to download the patches.
  1. Run Dcomcnfg.exe.

    If you are running Windows XP or Windows Server 2003 perform these additional steps:
    • Click on the Component Services node under Console Root.
    • Open the Computers sub-folder.
    • For the local computer, right click on My Computer and choose Properties.
    • For a remote computer, right click on the Computers folder and choose New then Computer. Enter the computer name. Right click on that computer name and choose Properties.


  2. Choose the Default Properties tab.
  3. Select (or clear) the Enable Distributed COM on this Computer check box.
  4. If you will be setting more properties for the machine, click the Apply button to enable (or disable) DCOM. Otherwise, click OK to apply the changes and exit Dcomcnfg.exe.
Please note that this will not remove the worm from infected systems. It is just a workaround to help you get the patches needed to protect your computer. You have to follow the removal instructions below to stop the worm from using your computer.

Removal:
If you are infected with Welchia, you should go to http://sarc.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html and download Symantec's Welchia Removal Tool.

Please note that unless you update your computer with the Microsoft critical updates, your computer will get reinfected with either Welchia or Blaster when you go back online.

You should also install up-to-date antivirus software and use it to scan your system.

Anti-Virus Software Update Sites:
We've included links below to some of the more popular anti-virus program update sites.

 
Question: How do I protect my computer from the Bugbear.B (W32.Bugbear.B@mm) worm?

Answer:

Just when we were all breathing a collective sigh of relief that the Klez worm finally seemed to be fading away, the new and improved version of the Bugbear worm has hit the Internet in a big way. Since its discovery on June 4th, this new version of Bugbear, called W32.Bugbear.B@mm or Bugbear.B for short, has been spewing copies of itself to mailboxes everywhere.

Bugbear.B follows the old familiar worm pattern. It arrives in your mailbox as an email with an attachment. The attachment is the worm. Over the weekend, it was very successful in getting people to infect their computers by double-clicking on the attachment. The attachment is usually 72k in size. Since this is an improved version of the older Bugbear worm, it can also infect computers over a network via Windows file sharing.

Symantec and other anti-virus research groups have identified a number of possible subject lines the worm-infected email might use. However, the worm will just as readily grab the subject line from an existing email on the infected computer, so these lists of subjects should not be considered complete. Indeed, the few hundred Bugbear.B infected emails I have seen all had different subjects that had obviously been taken from legitimate email on the infected computers.

The body of the email will usually include text quoted from other email stored on the infected computer. Because of this, Bugbear.B should be considered a major security problem since it can easily send out copies of sensitive or private email correspondence.

Bugbear.B also includes a keystroke logging trojan horse that will store a copy of everything typed on the computer and attempt to send the logs every two hours to several different email addresses. If the computer connects to the Internet via a modem, the keylogger will disable auto-dialing in the registry to avoid making a connection if the modem is off-line. However, the authors of worms are not the best programmers and it's possible that this process may cause modem users some connection problems.

If Bugbear.B can determine that the infected computer is on a domain that belongs to a bank or other financial institution, then it will attempt to send all the cached dial-up networking passwords to another set of email addresses.

Last, but not least, Bugbear.B will attempt to disable anti-virus software and other installed security software such as ZoneAlarm and Blackice Defender.

More detailed information can be found at:



Prevention:
Protection of Windows-based systems is easy (Non-Windows-based computers are not affected.).
  1. Make certain your anti-virus software is up to date.
  2. Run a personal firewall like ZoneAlarm
  3. If you are using Microsoft Internet Explorer/Outlook Express, go to Windows Update and upgrade to the latest version.
  4. Of course, it always bears repeating, don't open attachments!
Removal:
If you are infected with Bugbear.B, you need to immediately download and run Symantec's Bugbear.B removal tool from:

http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.removal.tool.html

You should also update your antivirus software and then have it scan your system.

Please note: Because Bugbear.B will install other software on the infected system, following the above steps may not completely secure an infected computer. Reinstalling the operating system and recovering data from backups may be the only way to make certain a critical system is safe.

Anti-Virus Software Update Sites:
We've included links below to some of the more popular anti-virus program update sites. New definitions are released constantly. Please check with your antivirus vendor for the latest files.
Question: How do I protect my computer from the Novarg or Mydoom Worm (W32.Novarg.A@mm or W32.Mydoom.A@mm)?

Answer:

The Novarg.A or Mydoom.A worm (W32.Novarg.A@mm, W32/Mydoom.A@mm) has spread very quickly in a very short time. SECURITY@HACKERS Support has received hundreds of copies of the worm. Novarg.A can infect any unprotected computer running Windows 95, 98, ME, NT, 2000, XP or Server 2003. Non-Windows based computers, such as Macintoshes, can't be infected.

Right now the best protection is to run up to date antivirus software. Because Novarg.A is so new it's important that you make sure you have the very latest updates for your antivirus software to ensure protection.

Novarg.A follows the normal worm pattern. It arrives in your mailbox as an email with an attachment. The attachment is the worm. The from address will always be spoofed or faked so you will not be able to determine the sender from those addresses.

Please note: As is always the case, you will likely receive numerous copies of the worm sent from badly configured antivirus scanners installed at companies and other ISPs saying you have sent an email infected with Novarg.A or Mydoom.A. In almost all cases, these automated alerts are sent to the faked email addresses and not to the true sender of the email. In most cases you can delete these messages. If you receive an alert from SECURITY@HACKERS, please call SECURITY@HACKERS Support with any questions. We do not use an automated detector to generate alerts but rather manually investigate each incident to make certain we know the origin of the infected email before we send out an alert to a customer.

How to recognize a Novarg.A infected email message:
The from line and return path will always be spoofed.

The infected email subject may be blank, but will usually have one of these subjects (with or without capital letters):
  • Hi
  • Hello
  • Error
  • Test
  • Server Report
  • Mail Transaction Failed
  • Mail Delivery System
  • Status
The message body may be blank or filled with garbage characters or contain one of these messages:
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Test
The attachment is usually about 22.6K and will usually be called document, readme, doc, text, file, data, test, message or body (although we have seen other random names) and have a file ending of .pif, .scr, .exe, .zip, .cmd or .bat.

Novarg.A spreads like a normal email worm and will send a copy of itself to all email addresses it finds on any computer it infects. It uses its own built-in mailserver to send its infected email.
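As an added example (not part of the original FAQ), the recognition rules above (listed subjects, listed body texts, attachment base name, file ending and size) applied as a small mail filter; the message format and sample messages are constructed here, and the size tolerance is an assumption:

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the FAQ text above (compared case-insensitively).
SUBJECTS = {"hi", "hello", "error", "test", "server report",
            "mail transaction failed", "mail delivery system", "status"}
BODIES = {
    "the message cannot be represented in 7-bit ascii encoding "
    "and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent "
    "as a binary attachment.",
    "test",
}
ATTACHMENT_NAMES = {"document", "readme", "doc", "text", "file",
                    "data", "test", "message", "body"}
ATTACHMENT_EXTS = {".pif", ".scr", ".exe", ".zip", ".cmd", ".bat"}
TYPICAL_SIZE = 22600       # "about 22.6K"
SIZE_TOLERANCE = 3000      # assumed slack around the typical size


def score_message(raw):
    """Return (suspicious, hits) for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject == "" or subject in SUBJECTS:        # blank or a listed subject
        hits.append("subject")
    text = msg.get_body(preferencelist=("plain",))
    body = text.get_content().strip().lower() if text is not None else ""
    if body == "" or body in BODIES:                # blank or a listed body
        hits.append("body")
    ext_hit = False
    for part in msg.iter_attachments():
        stem, ext = os.path.splitext((part.get_filename() or "").lower())
        if ext in ATTACHMENT_EXTS:
            ext_hit = True
            hits.append("extension:" + ext)
        if stem in ATTACHMENT_NAMES:
            hits.append("name:" + stem)
        data = part.get_payload(decode=True) or b""
        if abs(len(data) - TYPICAL_SIZE) <= SIZE_TOLERANCE:
            hits.append("size")
    # Subject and body text alone are too common in legitimate mail; require an
    # executable-type attachment plus at least one other indicator.
    suspicious = ext_hit and len(hits) >= 2
    return suspicious, hits


def build_sample(subject, body, filename, payload):
    """Build a raw message the way a mail server would hand it to a filter."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"     # spoofed, as the FAQ notes
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


# Constructed samples: one matching the Novarg.A pattern, one ordinary message.
MYDOOM_SAMPLE = build_sample("Mail Delivery System",
                             "Mail transaction failed. Partial message is available.",
                             "document.pif", b"\x00" * TYPICAL_SIZE)
BENIGN_SAMPLE = build_sample("Re: meeting notes", "Here are the notes.",
                             "notes.txt", b"agenda and actions\n")

if __name__ == "__main__":
    print(score_message(MYDOOM_SAMPLE))
    print(score_message(BENIGN_SAMPLE))
```

Because the From line is always spoofed, the filter deliberately ignores the sender and decides on the attachment plus message indicators only.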

Novarg.A can Spread via KaZaA P2P File Sharing Networks:
Novarg.A also copies itself into the shared KaZaA file sharing directory, if there is one on the infected computer. According to SARC, it will use one of these file names:
  • winamp5
  • icq2004-final
  • activation_crack
  • strip-girl-2.0bdcom_patches
  • rootkitXP
  • office_crack
  • nuke2004


Novarg.A Opens Infected Computers to Remote Intrusion:
According to the latest findings from SARC, Novarg.A installs the application Shimgapi.dll on infected computers, which opens TCP ports 3127 through 3198. Shimgapi acts as a proxy server, but also allows remote execution of commands and the installation of software in the infected system. This is a very bad thing. What this means is that if an infected system has been online for a period of time, removing the worm may not mean the computer is secure if it had been compromised by outside intruders.

Novarg.A Uses Infected Computers for Denial of Service (DoS) Attack:
Beginning February 1st, infected computers will start a denial of service attack against www.sco.com. The DoS will take the form of 64 simultaneous and continuous GET requests for the index.html file from the sco.com server. This will probably cause congestion problems on networks. The DoS attack will stop on February 12th.

More detailed information can be found at:

Prevention:
Protection of Windows-based systems is easy (Non-Windows-based computers are not affected.).
  1. Make certain your antivirus software is up to date.
  2. Run a personal firewall like ZoneAlarm
  3. If you are using Microsoft Internet Explorer/Outlook Express, go to Windows Updates then upgrade to the latest version.
  4. Of course, it always bears repeating, don't open attachments!
Removal:
If your computer is infected with Novarg.A, you should immediately download and run the Symantec W32.Novarg.A@mm Removal Tool from:

http://www.sarc.com/avcenter/venc/data/w32.novarg.a@mm.removal.tool.html

You should also update your antivirus software and then scan your system.

Please note: Because worms and viruses can open your computer to unauthorized access, following the above steps may not completely secure an infected computer. Reinstalling the operating system and recovering data from backups may be the only way to make certain a critical system is safe.

Anti-Virus Software Update Sites:
We've included links below to some of the more popular anti-virus program update sites.
Question: How do I protect my computer from the Blaster (W32.Blaster.Worm) worm?

Answer:

Removal:
Follow these steps to remove the Blaster worm from your computer.
  1. Run the removal tool.
  2. Update the system with all the latest critical updates from Windowsupdate.microsoft.com.
  3. Run the removal tool a second time.
  4. Update and/or install antivirus software.
  5. Scan the computer with antivirus software.
  6. Enable or install a personal firewall.
  7. If the worm causes your computer to crash too often to download the Microsoft updates, use one of these workarounds.
W32.Blaster.Worm worm has been slamming everyone connected to the Internet since early afternoon August 11, 2003. SECURITY@HACKERS continues to receive numerous reports from customers infected by the worm. Current estimates say 250,000 to 1,500,000 computers are currently infected. A few experts believe even these numbers are too low. Due to the huge number of infected systems spewing out probes and copies of the worm, some Internet congestion is inevitable.

To complicate matters, there are now five variants of the Blaster worm.
  • The first variant, called W32.Blaster.B.Worm, works pretty much like the original version with a few changes such as the name of the worm file. The original named the file MSBLAST.EXE. The newer B version names it penis32.exe. The Symantec Blaster removal tool can delete this variation.
  • The second variant, called W32.Blaster.C.Worm, also works pretty much like the original. This one names the worm file teekids.exe. However, the C variant also drops two other files on the infected system. The first, named index.exe, installs and launches the worm and a backdoor trojan called root32.exe. The Trojan, also known as Backdoor.Lithium, gives unauthorized users complete access to the infected computer. The Symantec Blaster removal tool can delete this variation. However, because of the Trojan, a system infected with W32.Blaster.C.Worm may have been further compromised by remote intruders. The creator of this variant was recently arrested by the FBI.
  • The third variant, called W32.Welchia.Worm, is the one that's caused so many Internet problems over the past two weeks. More information about Welchia can be found at: http://www.securityhackers.com/support/faq/index.cgi?view=1&id=291&catid=88
  • The fourth variant is called W32.Blaster.E.Worm. This one names the worm file mslaugh.exe. It uses infected computers to attack the domain kimble.org. The Symantec Blaster removal tool can delete this variation.
  • The fifth variant, called W32.Blaster.F.Worm, was discovered on September 1, 2003. This one names the worm file enbiei.exe. It uses infected computers to attack the domain tuiasi.ro. The Symantec Blaster removal tool can delete this variation.


Blaster takes advantage of a known vulnerability in Windows RPC that allows a remote user to gain access to the targeted computer. Microsoft released a patch for this security hole in mid July.

If you have not updated your Windows system with the latest Microsoft patches, please go to windowsupdate.microsoft.com and install all the critical updates.

Please note that this is not an email worm. It's an Internet worm that moves from computer to computer across the Internet. Blaster attacks computers through their Internet connections. All computers connected to the Internet can be attacked by the worm, but only Windows-based systems can be infected. If you are running firewall software, you will see an increased number of hits on port 135.

Blaster sends copies of itself to other vulnerable computers connected to the Internet. If the copy of the worm reaches a Windows NT, 2000, XP or Server 2003-based computer that is not patched, Blaster will infect that computer.

The worm automatically scans networks looking for computers with open TCP port 135. When it finds a victim, Blaster attempts to exploit the RPC vulnerability. If successful, it will then connect to port 4444 on the target and instruct the victim computer to launch tftp and download a copy of the worm, called MSBLAST.EXE, from the infected system. (Tftp is included as part of the operating system in Windows 2000, XP and Server 2003.) Once downloaded, the attacking system will then instruct the newly infected computer to launch MSBLAST.EXE. The victim computer will then become a new attacker.
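The infection sequences described for Blaster (above) and for Welchia (in the earlier answer) leave a recognisable pattern in firewall logs: a hit on TCP 135 (or 80 for Welchia), then a connection to the victim's TCP 4444 (Blaster) or a connection back from the victim on TCP 666-765 (Welchia), then a tftp fetch, with Welchia also producing an ICMP flood. As an added example that is not part of the original FAQ, a small correlator over constructed log lines; the log format, the sample addresses and the ICMP threshold are assumptions:

```python
import re
from collections import Counter

# Constructed log format for this example (an assumption, not any firewall's
# real format): "HH:MM:SS PROTO src[:sport] -> dst[:dport]"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Ports and ordering taken from the FAQ text: both worms probe TCP 135 (Welchia
# also TCP 80), Blaster then connects to the victim's TCP 4444, a Welchia victim
# connects back to the attacker on TCP 666-765, and the worm body is fetched
# with tftp (UDP 69). Welchia also floods ICMP echo while sweeping.
PROBE_PORTS = {135: "RPC (Blaster/Welchia)", 80: "WebDAV (Welchia)"}
BLASTER_SHELL_PORT = 4444
WELCHIA_CALLBACK_PORTS = range(666, 766)
TFTP_PORT = 69
ICMP_SWEEP_THRESHOLD = 10   # echo requests from one source before flagging (assumed)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def analyze(lines):
    """Correlate probes with follow-up traffic and return what was found."""
    probes = Counter()      # attacker -> number of hits on 135/80
    icmp = Counter()        # source -> number of ICMP packets
    probed = set()          # (attacker, victim) pairs seen probing
    findings = []           # (attacker, victim, label), in log order
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec["src"], rec["dst"], rec["proto"], rec["dport"]
        if proto == "ICMP":
            icmp[src] += 1
        elif proto == "TCP" and dport in PROBE_PORTS:
            probes[src] += 1
            probed.add((src, dst))
        elif proto == "TCP" and dport == BLASTER_SHELL_PORT and (src, dst) in probed:
            # attacker -> victim:4444 after probing it: Blaster's command channel
            findings.append((src, dst, "blaster-shell-4444"))
        elif proto == "TCP" and dport in WELCHIA_CALLBACK_PORTS and (dst, src) in probed:
            # victim -> attacker on 666-765 after being probed: Welchia callback
            findings.append((dst, src, "welchia-callback-%d" % dport))
        elif proto == "UDP" and dport == TFTP_PORT and (dst, src) in probed:
            # victim fetching the worm body from the attacker's tftp server
            findings.append((dst, src, "tftp-fetch"))
    for src, n in icmp.items():
        if n >= ICMP_SWEEP_THRESHOLD:
            findings.append((src, "*", "icmp-sweep-%d" % n))
    return {"probes": dict(probes), "findings": findings}


# Constructed sample: a Blaster-style sequence from 10.0.0.5 against 10.0.0.9,
# a Welchia-style ping sweep plus infection from 10.0.0.7 against 10.0.0.11,
# and one unrelated SMTP connection that should be ignored.
SAMPLE_LOG = [
    "12:00:01 TCP 10.0.0.5:1234 -> 10.0.0.9:135",
    "12:00:01 TCP 10.0.0.5:1235 -> 10.0.0.9:4444",
    "12:00:02 UDP 10.0.0.9:1030 -> 10.0.0.5:69",
    "12:00:03 TCP 10.0.0.20:40000 -> 10.0.0.9:25",
] + [
    "12:00:%02d ICMP 10.0.0.7 -> 10.0.1.%d" % (10 + i, i) for i in range(12)
] + [
    "12:00:30 TCP 10.0.0.7:1400 -> 10.0.0.11:135",
    "12:00:30 TCP 10.0.0.11:1031 -> 10.0.0.7:700",
    "12:00:31 UDP 10.0.0.11:1032 -> 10.0.0.7:69",
]


def report():
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for finding in report()["findings"]:
        print(finding)
```

A lone hit on port 135 or 80 is only counted as a probe; a finding is raised only when the follow-up connection matches the sequence the FAQ describes, which keeps ordinary web traffic on port 80 from being reported.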

Infected systems (particularly Windows XP and Server 2003) often become unstable and crash when connected to the Internet. Usually the crash will pop up an error message saying "RPC Terminated by NT Auth..." and start a timer for the system shutdown. These crashes make it almost impossible to download the patches needed to secure the affected system. Infected Windows 2000 and NT systems usually won't crash but can become slow or unresponsive. Some infected systems may show none of these symptoms even though they continue spreading the worm.

Blaster also attempted to use infected computers to conduct a denial of service (DoS) attack against windowsupdate.com. Microsoft disabled the windowsupdate.com domain and prevented the DoS attack from causing any widespread problems.

More detailed information can be found at:
Note that the different antivirus companies and virus research groups all use different names for the Blaster worm. Blaster is also known as the Lovsan and Poza worm.

Prevention:
Protection of Windows-based systems is easy (Non-Windows-based computers are not affected.).
  1. Go to Windows Update and download and install all the critical updates. Please note that if you do not regularly update your system, you may have several critical updates to install. Some of these updates have to be installed alone and some will require you to restart your computer. To be sure you have all the updates, it's best to return to windowsupdate.microsoft.com as often as necessary until all the critical updates are installed and the site says there are no more available. It is not necessary to install anything but the critical updates to make certain your computer is protected from Blaster.
  2. Make certain your anti-virus software is up to date.
  3. Run a personal firewall like ZoneAlarm or enable Windows XP's built-in firewall, following these steps.
If you are running Windows 2000 or XP and are crashing as soon as you connect to the Internet, it's possible that the following methods might help keep you online long enough to download the Microsoft patches. After installing the updates, you have to follow the removal instructions below to remove the worm from your computer.

Configuring Windows RPC Service
(These settings should be default for Windows 2000.)
  1. Open the Control Panel.
  2. Double-click on "Administrative Tools"
  3. Double-click on "Services".
  4. Search the list for "Remote Procedure Call (RPC)" and double-click it.
  5. Click the "Recovery" tab.
  6. In the pull down menus for "First failure", "Second failure" and "Subsequent failures", select "Take No Action" for all three.
  7. Click "OK" and close "Services".
Please note that this will not remove the worm from infected systems. It is just a workaround to help you get the patches needed to protect your computer. You have to follow the removal instructions below to stop the worm from using your computer.

Enabling the Windows XP Firewall
We strongly recommend that Windows XP users turn on the built-in Windows XP firewall. To turn on XP's firewall protection follow these steps:
  1. Open the Control Panel.
  2. Double-click "Network Connections"
  3. Right click on the SECURITY@HACKERS icon, "My Connection" icon or other icon if you chose a different name.
  4. Select "Properties".
  5. Select the "Advanced" tab.
  6. Select or check "Protect my computer and network by limiting or preventing access to this computer from the Internet".
  7. Click "OK". (You may get a warning telling you full protection won't be available for current connections. If you do, click "OK" in the warning box and reboot.)
Please note that this will not remove the worm from infected systems. It is just a workaround to help you get the patches needed to protect your computer. You have to follow the removal instructions below to stop the worm from using your computer.

Disabling DCOM
The steps below are quoted directly from Microsoft Security Bulletin MS03-026. SECURITY@HACKERS Support has not tested this workaround, but I've included it in case the above two methods fail to allow you to connect long enough to download the patches.
  1. Run Dcomcnfg.exe.

    If you are running Windows XP or Windows Server 2003, perform these additional steps:
    • Click on the Component Services node under Console Root.
    • Open the Computers sub-folder.
    • For the local computer, right click on My Computer and choose Properties.
    • For a remote computer, right click on the Computers folder and choose New then Computer. Enter the computer name. Right click on that computer name and choose Properties.


  2. Choose the Default Properties tab.
  3. Select (or clear) the Enable Distributed COM on this Computer check box.
  4. If you will be setting more properties for the machine, click the Apply button to enable (or disable) DCOM. Otherwise, click OK to apply the changes and exit Dcomcnfg.exe.
Please note that this will not remove the worm from infected systems. It is just a workaround to help you get the patches needed to protect your computer. You have to follow the removal instructions below to stop the worm from using your computer.

Removal:
If you are infected with Blaster, you should go to http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html and download Symantec's Blaster Removal Tool.

Please note that unless you update your computer with the Microsoft RPC patches, your computer will get reinfected when you go back online.

You should also install up-to-date antivirus software and use it to scan your system.

Anti-Virus Software Update Sites:
We've included links below to some of the more popular anti-virus program update sites.
SECURITY@HACKERS does not warrant that any of the tools and patches listed above will protect or repair a system, nor can we offer support on the complex task of manually removing a worm or virus and verifying system integrity.