PROJINFO
PROJECT INFO SERVICES
VIRUS ALERTS!
8 December 2000
W32.HLLW.Bymer worm
W32.HLLW.Bymer is a worm which spreads over shared network drives. It searches for shared folders on the network, and then copies itself to the \Windows\System folder.
Norton AntiVirus (NAV) has protected against this worm since October 10, 2000. Virus definitions dated October 16, 2000, or after will detect this worm. NOTE: NAV previously detected this worm as Backdoor.Trojan, and then as Dnet.Dropper.
For complete information about W32.HLLW.Bymer worm, visit the following Internet address: http://www.symantec.com/techsupp/vURL.cgi/nav71
W95.Hybris.gen worm
W95.Hybris.gen is a worm that spreads as an attachment to outgoing email messages. When the worm is executed, the Wsock32.dll file is modified or replaced. This enables the worm to attach itself to all outbound email.
Norton AntiVirus (NAV) has provided protection against this worm since September 25, 2000. NOTE: NAV previously detected this worm as Backdoor.Trojan, and then as W32.Hybris.gen.
For complete information about W95.Hybris.gen worm, visit the following Internet address: http://www.symantec.com/techsupp/vURL.cgi/nav72
1 December 2000
W32.Prolin.Worm
The W32.Prolin.Worm uses Microsoft Outlook to email a copy of itself to everyone in your Outlook address book. It sends a copy of itself in a file with the following name:
Creative.exe.
It sends the file as an attachment in an email message with the following subject line:
A great Shockwave flash movie
The email consists of the following message:
Check out this new flash movie that I downloaded just now ... It's Great Bye
The worm then moves all .jpg and .zip files to the root folder. It renames each of these files and appends the following text to their extension:
change at least now to LINUX
W32.Prolin.Worm is also known as the following:
Troj_Shockwave.A
Creative
Troj_Prolin.A
Virus definitions dated November 30, 2000, or later will protect against the W32.Prolin.Worm. Complete information about W32.Prolin.Worm is available at the following Internet address:
http://www.symantec.com/techsupp/vURL.cgi/nav69
Also, see the removal instructions for this worm in the following Norton AntiVirus Knowledge Base document:
http://www.symantec.com/techsupp/vURL.cgi/nav70
13 November 2000
W32.Navidad worm
W32.Navidad is a mass-mailing worm program. The worm replies to all Microsoft Outlook Inbox messages that contain a single attachment. The worm utilizes the existing email subject line and body, and attaches itself as NAVIDAD.EXE. Due to bugs in the code, after being executed, the worm causes your computer to stop functioning correctly.
Virus definitions dated November 9, 2000, or later will protect against the W32.Navidad worm. Complete information about W32.Navidad worm is available at the following Internet address:
http://www.symantec.com/techsupp/vURL.cgi/nav68
29 September 2000
What is the W32.HLLW.Qaz.A virus?
The W32.HLLW.Qaz.A virus, also known as Qaz.Trojan and Qaz.Worm, is currently the second most submitted virus to the Symantec AntiVirus Research Center. Norton AntiVirus has protected against this virus since July 18, 2000. Because W32.HLLW.Qaz.A can spread over networks by using shared folders and can enable a remote user to connect to and control the computer, Symantec suggests only sharing folders with read-only access or using password protection. For more information on this virus, including instructions on how to protect your shared folders, point your browser to: http://service.symantec.com/vURL.cgi/nav57
W32.FunLove.4099
W32.FunLove.4099 is a virus that replicates under Windows 95/98 and Windows NT. It infects programs that have .exe, .scr, or .ocx extensions. What is notable about this virus is that it uses a new strategy to attack the Windows NT file security system, and it runs as a service on Windows NT systems. NAV has detected this virus since November 11, 1999. For complete information about W32.FunLove.4099, point your browser to: http://service.symantec.com/vURL.cgi/nav58
W95.MTX
The W95.MTX virus has not been widely spread in the United States; most of the infections have been in Europe and Asia. This virus, however, does have the potential to spread quickly. It infects Windows program files, such as Explorer.exe. When this happens, Windows might stop running. This virus also has the capability of blocking Internet connections to the Web sites of antivirus vendors such as Symantec. NAV first detected this virus on September 5, 2000. For complete information about W95.MTX, point your browser to: http://service.symantec.com/vURL.cgi/nav59
21 August 2000
The Wscript.KakWorm removal tool is now available
Internet worms obviously have a high potential for spreading to other computers. Wscript.KakWorm spreads using Microsoft Outlook Express by attaching itself to all outgoing messages via the Signature feature of Outlook Express and Internet Explorer email reader. This worm utilizes a known Microsoft Outlook Express security hole so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system.
The Symantec AntiVirus Research Center (SARC) has released a tool, designed to remove the Wscript.KakWorm from your computer. To use the removal tool, download and run the file fixkak.exe. To download this file, point your web browser to: http://service.symantec.com/vURL.cgi/nav52
How to disable or remove the Windows Scripting Host
VBScript is a scripting language that allows developers to create a list of commands that can be executed without user interaction. As with any scripting language, it is frequently used to automate actions. Unfortunately, virus writers can also take advantage of its capabilities to infect computers and cause extensive damage.
One preventative measure that you can take to protect yourself from viruses that come as .vbs attachments is to disable or uninstall the Windows Scripting Host. Because Windows Script Hosting is an optional part of Windows, it can be safely removed from your computer. This feature can easily be reinstalled if it is needed in the future. Remember that there are many other viruses that do not use the Windows Scripting Host, so it is critical that you continue to use AntiVirus protection with the most up-to-date virus definitions.
To disable the Windows Scripting Host, point your web browser to: http://service.symantec.com/vURL.cgi/nav53
Now download and run the file noscript.exe.
20 June 2000
VBS.Stages.A is a new worm.
A new virus named VBS.Stages.A was discovered in June 2000. The virus attempts to email a copy of itself to everyone in your Microsoft Outlook address book. It also attempts to spread itself using IRC, mIRC, and PIRCH.
The email contains the attachment LIFE_STAGES.TXT.SHS. The subject line of the email is randomly generated. There are 12 possibilities for the subject line of the email, which will include one of the following phrases:
Life Stages
Funny
Jokes
Once LIFE_STAGES.TXT.SHS is executed, a text file will be opened in Notepad displaying the male and female stages of life. A script is executed in the background, which makes some changes to your system.
The worm creates several files in the \WINDOWS\SYSTEM\ folder: SCANREG.VBS, VBASET.OLB, and MSINFO16.TLB. The worm modifies the registry to run the worm on startup. A randomly named file is added to the root directory of all mapped drives, the \My Documents folder, and the \Windows\Start Menu\Programs folder.
If you receive an email that matches this description, please delete it immediately.
For complete information regarding this virus, please point your browser to: www.symantec.com/techsupp/vURL.cgi/nav47
For more information on macro virus protection for users of Microsoft Office Applications go to: www.virusalert.com/
McAfee users should go to: www.mcafee.com/
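The mail worms above arrive as attachments whose final extension is an executable or script type, sometimes behind a harmless-looking one (LIFE_STAGES.TXT.SHS). The following filename screen for a mail gateway is an added example, not part of the original bulletin or any Symantec tool; the decoy-extension list, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the bulletin names as executable or script content.
RISKY = {"exe", "scr", "ocx", "vbs", "shs"}
# Harmless-looking extensions a disguised name shows first (assumed list).
DECOY = {"txt", "jpg", "zip", "doc"}

def classify_attachment(filename):
    """Return (verdict, reason) based only on the attachment's name."""
    # Windows ignores trailing dots and spaces, so "x.exe. " still runs as .exe.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in RISKY:
        return ("allow", "final extension is not on the risky list")
    if len(parts) >= 3 and parts[-2] in DECOY:
        return ("block", f"disguised: looks like .{parts[-2]}, runs as .{parts[-1]}")
    return ("block", f"executable or script type .{parts[-1]}")

def screen_message(raw_bytes):
    """Parse a raw RFC 5322 message; return [(filename, verdict, reason)]."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            findings.append((name, *classify_attachment(name)))
    return findings

def build_sample_message():
    """Constructed test message; payload bytes are inert placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("Constructed body text.")
    for name in ("LIFE_STAGES.TXT.SHS", "Creative.exe", "minutes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in screen_message(build_sample_message()):
        print(finding)
```

A name-based screen only narrows what reaches the user; it does not replace antivirus scanning with current definitions.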
26 May 2000
W97M.Melissa.BG is a new and destructive worm.
A new variant of Melissa, named W97M.Melissa.BG, was discovered today. The Symantec AntiVirus Research Center (SARC) currently has a sample of this worm. The virus attempts to email a copy of itself to everyone in your Microsoft Outlook address book.
The email has the following subject line:
Subject Resume - Janet Simons
The body of the email reads:
To Director of Sales/Marketing,
Attached is my resume with a list of references contained within. Please feel free to call or email me if you have any further questions regarding my experience.
I am looking forward to hearing from you.
Sincerely,
Janet Simons.
This worm attempts to delete files on your hard drive, mapped network drives, floppy disks and zip drives. If you receive an email that matches this description, please delete it immediately.
For complete information regarding this virus, please point your browser to: www.symantec.com/techsupp/vURL.cgi/nav44
18 May 2000
New Loveletter worm variant discovered.
This latest variant of the Loveletter worm is VBS.LoveLetter.FW.A. This worm spreads by emailing itself to everyone in your email address book. Unlike VBS.Loveletter.a, which limited its infection to graphic and music files, the VBS.LoveLetter.FW.A worm searches through all local and mapped network drives to infect all files.
The Symantec AntiVirus Research Center (SARC) is analyzing a sample of the worm and will make virus definitions available as soon as possible. Please monitor the Symantec web page for ongoing developments.
http://www.symantec.com/techsupp/vURL.cgi/nav42
How to contact us...
Project Information Services
Tel: 888-986-2727 Fax: 425-984-9440 projinfo@direct.ca