| Links |
| FAQ |
Here is latest Virus Alert Information
VIRUS ALERT
VBS/LoveLetter.worm
VBS/LoveLetter.worm arrives via email message with the subject line "ILOVEYOU". The text reads "kindly check the attached LOVELETTER coming from me.", and the worm is included in the attachment, called "LOVE-LETTER-FOR-YOU.TXT.vbs". This worm attempts to send copies of itself through mIRC to the IRC channels and through Outlook to all address book entries.
VBS/LoveLetter.worm also attempts to download and install an executable file called WIN-BUGSFIX.EXE, a password stealing program that will email any cached passwords it finds to the mail address MAILME@SUPER.NET.PH.
**********************************
VIRUS ALERT
APStrojan.qa
APStrojan.qa is a trojan and AVERT raised its risk assessment from Low to Medium--On Watch. It primarily infects Windows 98 systems, though it may also infect Windows 95 if the file MSVBVM50.DLL is present.
Please Note: This trojan has been reported by several users of the America Online Internet service. For this reason, AVERT researchers suspect it has been distributed by spam email sent to AOL users.
APStrojan.qa is a password stealer designed to attack America Online client software to determine user account passwords. It will then attempt to send the stolen information to the author of the trojan.
APStrojan.qa has been distributed as an attachment to an email with the subject line "hey you." The attachment has been widely reported with the name "MINE.EXE."
Important: If your system has been infected with APStrojan.qa, AFTER removing the trojan, be sure to choose a new password for your AOL account!
**********************************
VIRUS ALERT
BackDoor-G2
BackDoor-G2 is an Internet Backdoor trojan that infects Windows 9x systems. It is a new variant of the original BackDoor-G, which was first discovered 4/15/99. AVERT has changed its risk assessment from Low to
Medium--On Watch for individual home users (there have as yet been no reports of infection from corporate clients).
Once it infects your PC, BackDoor-G2 allows anyone running the appropriate client software to have virtually unlimited access to your system over the Internet. Your vital, private files may be read, altered, or destroyed.
**********************************
VIRUS ALERT
W32/NewApt.worm
W32/NewApt is an email worm.
AVERT has given it a risk assessment of Medium--On Watch.
This worm arrives as an email attachment. The body of the email appears differently depending on whether the email client reads HTML. If it does, the email text looks like this:
http://stuart.messagemates.com/index.html Hypercool Happy New Year 2000 funny programs and animations... We attached our recent animation from this site in our mail ! Check it out
If the email client is not HTML-capable, the message reads:
he, your lame client cant read HTML, haha. click attachment to see some stunningly HOT stuff The worm is in the attachment, which has a name chosen randomly from the following list: baby.exe, bboy.exe, boss.exe, casper.exe, chestburst.exe, cooler1.exe, cooler3.exe, copier.exe, cupid2.exe, farter.exe, fborfw.exe, goal.exe, goal1.exe, g-zilla.exe, irngiant.exe, hog.exe, monica.exe, panther.exe, panthr.exe, party.exe, pirate.exe, s.exe, saddam.exe, theobbq.exe, video.exe.
If the worm is run, the following dummy error message appears:
The dinamic link library giface.dll could not be found in the specified path [list of directory names]
Note the misspelling of the word "dynamic". If the worm detects that Outlook Express is installed, it will search for messages received and build a list of addresses. The next time Windows is booted, the worm waits an unspecified amount of time and then attempts to send itself to one of the addresses in its list, using the format described above.
**********************************
VIRUS ALERT
W95/Babylonia
W95/Babylonia is a polymorphic virus. AVERT has given it a risk assessment of Medium--On Watch.
The virus was first distributed on at least one newsgroup as a help file called "serialz.hlp". When executed, the virus infects .EXE and .HLP files, in some cases damaging them beyond repair. Upon infection, the virus creates a file called KERNEL32.EXE, which monitors system activity for Internet connection. When it detects an Internet connection, it attempts to connect to a Web site hosted by a virus authoring group, and if successful, it downloads additional components of the complete virus to the host PC.
If the virus detects mIRC installed on the host PC, it will attempt to send a copy of itself through Internet IRC channels, as a file called "2KBug-MircFix.exe". The virus also sends an email notification to the address babylonia_counter@hotmail.com, with the "from" information listed as babylonia@rasta.net.
**********************************
W32/ExploreZip.worm.pak
W32/ExploreZip.worm.pak is a new, compressed variant of the original W32/ExploreZip.worm. AVERT has assessed it as a high-risk threat, approaching outbreak levels! It reproduces itself by sending replies to incoming email messages, with itself as an attachment called "zipped_files.exe".
It includes a payload: it will search the user's mapped drives and overwrite all files of types .c, .cpp, .asm, .doc, .xls, .ppt. to zero Kb.
IMPORTANT - If you receive an email with the message "I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs.", DELETE IT IMMEDIATELY! It will have an attachment called "zipped_files.exe"; DO NOT DOUBLE-CLICK OR RUN THIS ATTACHMENT! If you do, it will infect your system!
**********************************
W97M/Prilissa is a new Melissa variant.
AVERT has assigned it a risk assessment of MEDIUM?
ON WATCH. There has been a serious outbreak in Europe, and it is expected to travel quickly.
W97M/Prilissa infects Word 97 files. It propagates itself by creating an MS Outlook email with the subject line "Message From (Word 97 username)" and the message text:
"This document is very Important and you've GOT to read this !!!"
It sends this message, with an attached copy of the infected Word 97 file, to the first 50 entries in any address book it finds. It does this only once.
W97M/Prilissa includes a destructive payload! If the date is December 25 of any year, it will modify the AUTOEXEC.BAT file so that the next time the computer is booted, the hard drive will be formatted, causing a loss of all data. In addition, the following message will be displayed in Word 97:
"(C) 1999 - CyberNET
Vine... Vide... Vice... Moslem Power Never End...
You Dare Rise Against Me... The Human Era is
Over, The CyberNET Era Has Come!!!
[OK]"
**********************************
VIRUS ALERT - W32/FunLove.4099
W32/FunLove.4099 is a new virus. AVERT has assigned it a MEDIUM risk assessment. W32/FunLove.4099 is a parasitic Win32 PE file infector that works on both Win9x and WinNT 4.0. It infects .EXE, .SCR and .OCX files. When the virus is first run, it drops a file called FLCSS.EXE into the %SYSTEM% folder. The virus then directly infects all .EXE, .SCR, and .OCX files in the folders Program Files and WINDOWS/WINNT, including any sub-folders. Because the default Windows shell Explorer.exe is kept in here, the virus is re-executed whenever the system is restarted. The virus uses a routine lifted from the W32/Bolzano virus to patch the NT files NTOSKRNL.EXE and NTLDR. This enables the virus to have full access to the system after the next system reboot. Periodically, the virus scans any network shares with write access, and infects any EXE, SCR or OCX files on the shared network drives. The virus is not encrypted or polymorphic. Infected files have a copy of the FLCSS.EXE file added to the end of the last PE section, and the length of the infected files increases by 4099 bytes. When executed under DOS, the file FLCSS.EXE displays the message ~Fun Loving Criminal~ and then tries to reset the machine in order to load Windows. Your friends at McAfee.com
**********************************
VIRUS ALERT - VBS/Bubbleboy
VBS/Bubbleboy is a new Internet worm, discovered 11/08/99. AVERT has assigned it a LOW risk assessment; it has not appeared in the wild.
VBS/Bubbleboy is a NEW type of worm: Unlike previous worms transmitted through email, this new type of worm does not come as an executable attachment. Instead, VBS/Bubbleboy infects PCs as soon as the transmitting email message is opened. This is a VERY significant innovation! Historically, it has not been possible to contract a virus or worm by merely opening and reading an email message. This is no longer true, and VBS/Bubbleboy marks the beginning of a more dangerous computing environment.
VBS/Bubbleboy is transmitted through an email message with the subject heading "Bubbleboy is back!" It will ONLY infect PCs running Windows 98 with Internet Explorer 5 and Outlook or Outlook Express. PCs using Outlook are infected upon opening the email message, while Outlook Express users may be infected by viewing the message with the "Preview Pane" feature! When the email is opened, the worm creates a file called UPDATE.HTA. The next time the PC is booted up, the worm sends itself embedded in an email to EVERY address in EVERY MS Outlook address book on the local system. It does this only once.
McAfee.com
Here is a further message concerning Bubbleboy! By now you've probably heard about Bubbleboy, the latest virus--one that escapes the scrutiny of the currently available virus protection programs. What makes this virus technique different is that you can get it just by opening your mail--you don't have to open any attachments.
As it exists now, Bubbleboy isn't especially damaging--it modifies the Registry to make the registered user Bubbleboy, and the company name becomes Vandelay Industries. It also attaches itself to your e-mail and propagates itself to your recipients.
If you suspect you have been infected, right-click Start and choose Open. Double-click Programs and then double-click StartUp. If you have a file named update.hta, delete it. This will remove the virus, but will not change the Registry entries.
To download a patch from Microsoft, go to http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
**********************************
We have been informed of a new virus - WOBBLER. It
will arrive on e-mail titled "How to Give a Cat a Colonic."
CALIFORNIA IBM and AOL have announced that it is
very powerful, more so than Melissa. There is no remedy.
It will eat all your information on the hard drive
and also destroys Netscape Navigator and Microsoft
Internet Explorer. Do not open
anything with this title
and please pass this message on to all your
contacts and anyone who uses your e-mail facility.
**************************************
Someone is sending out a very desirable screen-saver, a Bug's Life.
"BUGGLST.ZIP".
If you download it, you will lose
everything!!!
Your hard drive will crash and someone from the internet will steal your screen name and password!
DO NOT DOWNLOAD THIS UNDER ANY CIRCUMSTANCES!
IT JUST WENT INTO circulation yesterday, as far as we know. [9-15-99]
Please distribute this message. This is a new, very malicious virus and not many people know about it.
This information was announced yesterday morning from
Microsoft. Please share it with everyone that might access the Internet.
Once again, pass this along to EVERYONE in your address
book so that this may be stopped.
Also do not open or even look at any mail that says
"RETURNED OR UNABLE TO DELIVER".
********************************
Insert For Your Reference
Here is an example of what your returned mail header should look like:
|
Date: Mon, 20 Sep 1999 22:22:44 -0400 (EDT) From: Mail Delivery Subsystem MAILER-DAEMON@aol.com To: tlbenterprises@tlbwholesale.com Subject: Returned mail: User unknown |
This virus will attach itself to your computer components and render them useless. Immediately delete mail items that say this. Internet providers has said that this is a very dangerous virus and that there is NO remedy for it at this time.
Others to avoid -DO NOT RUN and DO NOT LAUNCH THEM at all! There is no remedy or cure. They will completely wipe out all your data in your harddisk and destroy all your emails! The viruses are:::
1) buddylst.exe
2) calcu18r.exe
3) deathpr.exe
4) einstein.exe
5) happ.exe
6) happy99.exe
7) japanese.exe
8) keypress.exe
9) kitty.exe
10) teletubb.exe
Do pass on this important message to all your friends and business associates.
*********************************
*********************************
Here is Another One!
Pretty Park...NO JOKE!!
If you receive an attachment with...this DO NOT OPEN.
Virus Information:
Back Door and Password Stealer
In June, a worm/trojan/back door known as PrettyPark or Trojan.PSW.CHV
began to spread in central Europe. It spreads itself by sending e-mail
with C:\CoolProgs\Pretty Park.exe in the subject. If a user executes
the attached file, the worm infects the PC. PrettyPark also functions
as a back door, allowing a hacker to obtain information--including
passwords--from an infected PC. It copies itself to the file
files32.vxd in the Windows/System directory.
*********************************
*********************************
Here is Another One!
Subject: California/WOBBLER Virus Alert
Organization: Motorola Electronics Pte Ltd
For your reference, take necessary precautions.
If you receive an email with a file called California,
do not open the file. The file contains WOBBLER virus.
WARNING!!!
This information was announced yesterday morning from IBM;
AOL states that this is a very dangerous virus, much worse
than "Melissa", and that there is NO remedy for it at this time.
Some very sick individual has succeeded in using the reformat
function from Norton Utilities causing it to completely erase
all documents on the hard drive. It has been designed to work
with Netscape Navigator and Microsoft Internet Explorer.
It destroys Macintosh and IBM compatible computers.
This is a new, very malicious virus and not many people know
about it. Pass this warning along to EVERYONE in your address
book and please share it with all your online friends ASAP so
that this threat may be stopped.
Please practice cautionary measures and tell anyone that may
have access to your computer.
*********************************
*********************************
Here is Another One!
wormexplore.zip, explore.zip, worm.zip
These come in the form of e-mail attachments.
The message may look like this:
"I received your e-mail and shall reply ASAP.
Till then, take a look at the attached zipped docs."
**************************************
**************************************
Here is Another!
1. This is VERY SERIOUS!! Please forward to everyone you
know...they
will
be
grateful.
There is a virus out now being sent to
people via email..it
is
called the A.I.D.S. VIRUS.
It will destroy your
memory, sound card and
speakers, your drive and it will infect your
mouse
or pointing devices
well
as your keyboards making it so that
you can't
type
and it will not
register
on the screen.
It self terminates only after it
eats 5MB of hard drive
space
& will delete all programs.
It will come via E-mail called "OPEN: VERY COOL!"
DELETE
IT!!!!!!!!!!!!!!!!!!! immediately!!
It will
basically render your
computer
useless.
PASS THIS MESSAGE ON QUICKLY & TO AS MANY
PEOPLE
AS POSSIBLE!!
2. Very Urgent Must Read Please - If you receive
an
e-mail titled
"Win A Holiday", DO NOT open it. It will erase
everything on your hard
drive.
Forward this letter out to as many people as you
can. This is a new,
very
malicious virus
and not many people know about
it.
This information was
announced yesterday morning from Microsoft.
Thank You,
Neil Ferrick
Compaq Computer Corporation
Don't Dial Area Code '809'
New Scam Can Easily
Cost $100 Or More
8-2-99
SCAM: Don't Respond To Emails, Phone Calls, Or Pages
Which Tell You To Call An "809" Phone Number
This is a very important issue of Internet ScamBusters!
because it alerts you to a scam that is spreading extremely quickly,
can easily cost you $100 or more, and is difficult
to avoid unless you are aware of it.
We'd like to thank Paul Bruemmer and Brian Stains
for bringing this scam to our attention.
This scam has also been identified by the
National Fraud Information Centre and is costing victims a lot of money.
There are lots of different permutations of this scam,
but here is how it works:
Permutation #1: Internet Based Phone Scam Via Email.
You receive an email, typically with a subject line
of "ALERT" or "Unpaid Account." The message, which is
being spammed across the net, says: I am writing to give
you a final 24hrs to settle your outstanding account.
If I have not received the settlement in full, I will
commence legal proceedings without further delay.
If you would to discuss this matter to avoid court action,
call Mike Murray, Global Communications at (809) 496-2700.
Permutation #2: Phone Or Pager Scam.
You receive a message on your answering machine or
your pager which asks you to call a number beginning
with area code 809. The reason to you're
asked to call varies: it can be to receive information
about a family member who has been ill, to tell you
someone has been arrested, dead or to let you
know you have won a wonderful prize, etc.
In each case, you're told to call the 809 number right away.
Since there are so many new area codes these days,
people unknowingly return these calls. If you call
from the US, you will apparently be charged $25 per-minute!
Sometimes the person who answers the phone will speak broken English
and pretend not to understand you. Other times,
you'll just get a long recorded message. The point is,
they will try to keep you on the phone as long as possible
to increase the charges. Unfortunately, when you get your phone bill,
you'll often be charged more than $100!
Here's why it works:
The 809 area code is located in the British Virgin Islands (the Bahamas).
The 809 area code can be used as a "pay-per-call" number,
similar to 900 numbers in the US. Since 809 is not in the US,
it is not covered by U.S. regulations of 900 numbers,
which require that you be notified and warned of charges and
rates involved when you call a "pay-per-call" number.
|
A subscriber of the Bear Collectors Newsletter forwarded this Email to us at Boyds Bearstones Secondary Marketplace. We have posted this message as it is very important! Feel free to copy it and pass it along or send the URL to others so that they may also beware!
====================== Hello Everyone....this came to me from another friend and I thought I should pass it along to all of you. sounds like a pretty good scam and someone will surley fall for this one. just want you to be aware of it, just in case. ( ya never know ) take care xxxxxxxx OKAY, SPREAD THE WORD!!!!!!!!!!
I got a call from a man this weekend telling me he represented my
bank and that they were having difficulty meeting requirements to be
computer ready for Y2K. He said all bank customers would need to
transfer their accounts to a bond account specially designed to protect
our money until the bank could fully comply with Y2K requirements.
He then said to verify that he was talking to the proper account person
I needed to confirm information about myself, my account numbers
and then give verbal authorization to transfer funds to this specially
designed account. I don't trust folks who do this kind of thing so I asked
him which of the banks I use did he represent. He was not able to do
that and hung up at that point. Please pass this info to friends or
family
because this is a huge scam that is going on all across the country. Some
people would be scared to think they would loose all their money (which
he said was sure to happen if I didn't do this now) and would supply the
information without first checking this out. I notified the phone
company of the call - since I have caller ID, I couldn't give them a
number....the identifier just said "out of area". It came from
a 248 area code which is around Detroit. Anyway, just passing
this along so you'd be aware and beware.
|
