subject: News
[cut-n-paste from sophos.com]
W32/Opaserv-L
Aliases
Worm.Win32.Opasoft.G, W32/Opaserv.worm.gen
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Opaserv-L is a member of the W32/Opaserv family. When run,
W32/Opaserv-L copies itself into the Windows folder as svr32.exe and
sets the following registry entry to run itself automatically when
Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Svr32 = C:\Windows\svr32.exe
W32/Opaserv-L spreads over the internet using Windows network shares.
The worm copies itself over to the Windows folder of the remote
computer as svr32.exe and sets the following entry in the [Windows]
section of win.ini:
run=C:\Windows\svr32.exe
This entry will start the worm on the remote computer when Windows
starts up.
W32/Opaserv-L will attempt to remove older variants of the W32/Opaserv
worm by removing the following files from the Windows folder:
alevir.exe
scrsvr.exe
brasil.exe
The following registry entries will also be removed:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SCRSVR
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ALEVIR
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BRASIL
W32/SQLSlam-A
Aliases
W32/SQLSlammer, W32.SQLExp.Worm, DDOS_SQLP1434.A, Sapphire, Slammer
Type
Win32 worm
Description
W32/SQLSlam-A is an SQL worm that targets unpatched Microsoft SQL
servers running on Windows 2000. It can also target users of MSDE 2000
(Microsoft SQL Desktop Engine).
The worm exploits a buffer overflow vulnerability in SQL server. A
description of the exploit can be found on Microsoft's website. Users
who have already installed SQL Server Service Pack 3 will not be
infected by this worm.
W32/SQLSlam-A arrives as a packet on UDP port 1434 and uses the buffer
overflow exploit to continuously generate random IP addresses and
attempt to send itself to those addresses. This causes a distributed
denial of service (DDoS) attack on the computers targeted and also
creates a large amount of internet traffic.
Protection against the worm is available only by applying the patch
available from Microsoft. Advice from Microsoft on this issue is
available from their website.
Further reading:
* Sophos FAQ on Slammer worm (W32/SQLSlam-A)
* Sophos warns of SQLSlammer internet worm - W32/SQLSlam-A causes internet slowdown
Troj/Dloader-BO
Aliases
TrojanDownloader.Win32.Inor, Downloader-BO, W32/Maz.A, Tr/Mastaz, Maz,
Mastaz, W32/Maz.B
Type
Trojan
Detection
Sophos has received several reports of this Trojan from the wild.
Description
Troj/Dloader-BO downloads and executes a file from the website
masteraz.hypermart.net within 3 days of being run for the first time.
At the time of writing Sophos has seen examples of two downloaded
files, detected as Troj/Bdoor-Aml and Troj/Keylog-I but, of course, the
file could be changed.
Troj/Dloader-BO has been seen in the files MASTERAZ.EXE, JIMKRE.EXE and
messages.hta.
The Trojan adds the following entry to the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\.inr\5Nzg1mOWKzFnuvu6 = "C:\".
This will run the Trojan on system restart.
The Trojan also creates the following entry within the registry:
HKLM\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6.
W32/Oror-Fam
Aliases
Roron, Oror-B, Oror-C, Oror-D, Oror-E, Oror-F, Oror-G, Oror-H,
Oror-I, Oror-J, Oror-K, Oror-L, Oror-M, Oror-N, Oror-O
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Oror-Fam is a family of worms, all of which are very similar to
W32/Oror-B. Like W32/Oror-B, these worms can spread in a number of
ways, including sending themselves out by email, copying themselves to
shared drives in networks, and placing copies of themselves in folders
likely to be shared via the KaZaA peer-to-peer system.
The Oror family of worms also has many or all of the following
characteristics:
* They pop up fake error dialogs to disguise their operation.
* They create copies of themselves in your Windows folder using
innocent-looking names, typically incorporating the first few
letters of the computer name backwards.
* They add a value to the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
so that they will launch automatically every time you log on.
* They edit WIN.INI so they will launch automatically every time
you start your PC.
* They exploit bugs in older, unpatched versions of Outlook, Outlook
Express and Internet Explorer so that they may launch
automatically when you view infected emails.
* They create mIRC scripts to distribute themselves if you have
mIRC installed.
You can find additional details about the W32/Oror family of worms by
looking at the analyses of W32/Oror-B, W32/Oror-K and W32/Oror-L.
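As an added illustration (not part of the Sophos text or of this post), here is a host-side check for the persistence artifacts named in the W32/Opaserv-L, Troj/Dloader-BO and Oror descriptions above: it walks a .reg export of HKLM and a copy of win.ini looking for the registry values, the marker key and the [windows] run= line those descriptions list. The sample input is constructed to resemble those artifacts.

```python
import re

# Constructed sample input modelled on the advisories above (not real captures).
SAMPLE_WIN_INI = r"""[windows]
run=C:\Windows\svr32.exe
"""
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"Svr32"="C:\\Windows\\svr32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SCRSVR"="C:\\WINDOWS\\scrsvr.exe"
[HKEY_LOCAL_MACHINE\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6]
"""

CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
# Keys and (key, value-name) pairs from the advisories, lower-cased for matching.
REG_VALUE_IOCS = {(CV, "svr32"): "W32/Opaserv-L autorun value"}
for old in ("scrsvr", "alevir", "brasil"):
    REG_VALUE_IOCS[(CV + r"\run", old)] = "older W32/Opaserv variant autorun value"
REG_KEY_IOCS = {r"hkey_local_machine\software\classes\.inr\5nzg1mowkzfnuvu6": "Troj/Dloader-BO marker key"}
WIN_INI_IOCS = {"svr32.exe": "W32/Opaserv-L win.ini run= entry"}

def scan_reg_export(text):
    """Walk a .reg export; return (location, label) pairs for the listed registry artifacts."""
    hits, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            if key in REG_KEY_IOCS:
                hits.append((key, REG_KEY_IOCS[key]))
        elif key and (m := re.match(r'"([^"]+)"=', line)):
            label = REG_VALUE_IOCS.get((key, m.group(1).lower()))
            if label:
                hits.append((key + "\\" + m.group(1), label))
    return hits

def scan_win_ini(text):
    """Return (line, label) pairs for non-empty run=/load= lines in the [windows] section."""
    hits, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows":
            name, _, value = line.partition("=")
            if name.strip().lower() in ("run", "load") and value.strip():
                exe = value.strip().rsplit("\\", 1)[-1].lower()
                hits.append((line, WIN_INI_IOCS.get(exe, "unlisted win.ini autorun entry")))
    return hits
```

Any non-empty run= or load= line is reported even when the file name is not one the advisories list, since the Oror family uses machine-specific names there.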
W32/Sahay-A
Aliases
Win32.HLLP.YahaSux
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Sahay-A is a worm that replicates by creating and executing the
temporary file yahasux.vbs in the Windows folder (detected as
VBS/Sahay-A), which sends an email to all contacts in the Windows
Address Book.
The email has the following characteristics:
Attached file: MathMagic.scr
Subject line: Fw: Sit back and be surprised..
Message text:
"Think of a number between 1 and 52.
Say it out loud, and keep repeating while you read on.
Think of the name of someone you know (of the opposite sex).
Now count which place in the alphabet, the second letter of that name
has.
Add that number to the number you were thinking of.
Say the number out loud 3 times.
Now count which place in the alphabet the first letter of your first
name has, and substract that number from the one you just had.
Say it out loud 3 times.
Now sit back, watch the attached slide show, and be surprised.."
W32/Sahay-A copies itself as MathMagic.scr to the root folder and may
attempt to disinfect a variant of W32/Yaha if the virus is present on
the computer. This procedure will cause the computer to restart.
The virus contains the following text:
Hi there.. it seems you were infected with Yaha.k. That worm however,
written by an idiot who sPeLlS lIkE tHiS,abused my website and got me
to receive the complaints. Therefore, I have just disinfected you.
Don't worry tho.. as I didn't wanna steal from you, I gave you this
virus (Win32.HLLP.YahaSux) in return :)
Greetz,
Gigabyte [Metaphase VX Team]
--- MultiMail/MS-DOS v0.27
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/1 379/1 633/267
SOURCE: echomail via fidonet.ozzmosis.com