All virus information contained on this page is offered in good faith. For more information on these and virus warnings in general click here.
5th May 2004
W32.Sasser.B.Worm
Threat Level: Category 4, SEVERE (scale 1-5)
The W32.Sasser.B@mm worm has the following characteristics:
W32.Sasser.B.Worm is a variant of the Sasser worm, a network-aware worm that exploits the Microsoft LSASS vulnerability (MS04-011). It spreads by scanning randomly chosen IP addresses for Microsoft systems that have not been patched. MS04-011 was announced on April 13, 2004.
To protect critical information assets from the recently found blended threat, the Sasser worm, you need not only an antivirus solution but also firewall and intrusion detection technology. Symantec advises home users to use Norton Internet Security to protect their computers and to keep their subscription valid at all times in order to receive protection updates automatically via LiveUpdate.
To read more about the W32.Sasser.B.Worm, please click here.
This worm is currently undergoing analysis. The record at Security
Response will be updated as information becomes available.
What is W32.Netsky.B@mm
W32.Netsky.B is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. This worm also searches drives C through Z for folder names containing "Share" or "Sharing," and then copies itself to those folders.
The Subject, Body, and email attachment vary.
Note: Beta Definitions 27994, dated February 18, 2004 3:30AM PT, or later will
detect this threat.
This worm is currently undergoing analysis. The record at Security
Response will be updated as information becomes available.
To read more about the W32.Netsky.B@mm, please click here.
W32.Beagle.B@mm
W32.Beagle.B@mm is a mass-mailing worm that opens
a backdoor on TCP port 8866. The worm uses its own SMTP engine for email
propagation. It can also contact the author of the worm with the port on which
the backdoor listens and a randomized ID number.
The email has the following characteristics:
Subject: ID <6 random characters>... thanks
Attachment: <7 random characters>.exe
Notes: Beta definitions 27975, dated February 17, 2004, 5:20AM PT, or later will detect this threat. Initial builds may detect this threat as W32.Beagle.B@mm or W32.Aula@mm.
This worm is currently undergoing analysis. The record at Security Response will be updated as information becomes available.
To read more about the W32.Beagle.B@mm, please click here.
W32.Welchia.B.Worm
As of February 13, 2004, due to an increased rate
of submissions, Symantec Security Response has upgraded this threat to a
Category 3 from a Category 2.
W32.Novarg.A@mm is a mass-mailing worm that
arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr,
or .zip.
When a computer is infected, the worm will set up
a backdoor into the system by opening TCP ports 3127 through 3198, which can
potentially allow an attacker to connect to the computer and use it as a proxy
to gain access to its network resources.
In addition, the backdoor can download and execute arbitrary files.
The worm will perform a Denial of Service (DoS) starting on February 1, 2004. It
also has a trigger date to stop spreading on February 12, 2004. These two events
will only occur if the worm is run between or after those dates. While the worm
will stop spreading on February 12, 2004, the backdoor component will continue
to function after this date.
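
The mail traits and backdoor ports given above for W32.Beagle.B@mm and W32.Novarg.A@mm can be checked mechanically; the following Python is an added example, not code from the original page or from Symantec. It assumes Windows `netstat -an` style output and treats a "random character" as any non-whitespace character; the function names and sample inputs are constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: a "random character" in the page's patterns is any non-whitespace character.
BEAGLE_SUBJECT = re.compile(r"^ID \S{6}\.\.\. thanks$")
BEAGLE_ATTACH = re.compile(r"^\S{7}\.exe$", re.IGNORECASE)
NOVARG_EXTS = (".bat", ".cmd", ".exe", ".pif", ".scr", ".zip")
BEAGLE_PORT = 8866
NOVARG_PORTS = range(3127, 3199)  # TCP 3127 through 3198 inclusive

def check_email(raw):
    """Label a raw RFC 822 message that matches the mail traits on the page."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hits = []
    if BEAGLE_SUBJECT.match(subject) and any(BEAGLE_ATTACH.match(n) for n in names):
        hits.append("Beagle.B subject and attachment pattern")
    if any(n.lower().endswith(NOVARG_EXTS) for n in names):
        hits.append("attachment extension used by Novarg.A")
    return hits

def check_listeners(netstat_text):
    """Return (port, label) for listening TCP ports the page ties to a backdoor."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP" or "LISTENING" not in fields:
            continue
        port = int(fields[1].rsplit(":", 1)[1])  # local address is host:port
        if port == BEAGLE_PORT:
            hits.append((port, "Beagle.B backdoor port"))
        elif port in NOVARG_PORTS:
            hits.append((port, "Novarg.A backdoor range"))
    return hits

# Constructed sample inputs (not captured from a real infection).
SAMPLE_MAIL = (
    "Subject: ID qwerty... thanks\n"
    'Content-Type: multipart/mixed; boundary="b"\n\n'
    "--b\nContent-Type: text/plain\n\nhello\n"
    '--b\nContent-Disposition: attachment; filename="abcdefg.exe"\n\nAAAA\n--b--\n'
)
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135     0.0.0.0:0     LISTENING
  TCP    0.0.0.0:3127    0.0.0.0:0     LISTENING
  TCP    0.0.0.0:8866    0.0.0.0:0     LISTENING
  TCP    10.0.0.5:3130   10.0.0.9:80   ESTABLISHED
"""
```

The extension match on its own is a weak signal, since ordinary mail also carries .zip and .exe attachments; the port and subject checks are the more specific ones.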