[cut-n-paste from sophos.com]
W32/Holar-C
Aliases
I-Worm.Galil, W32/Lagel.A, W32/SfxDeth.A-mm
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Holar-C appears to be a shockwave flash executable and displays a
badly animated progress bar to mask its replication. After the
progress bar reaches 100, the worm displays a message box containing
the text "Looooooooool, thanx fo da time u spent thinkin ov me".
Upon initial execution W32/Holar-C copies itself to iLLeGaL.exe in
the Windows system folder and drops the hidden file Mplayer.exe in
the same folder.
The worm then sets the following registry entry to ensure its execution
upon Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\iLLeGaL
W32/Holar-C also increments the following registry entry
every time it runs: HKLM\iLLeGaL
The worm may activate a payload which deletes all files on drives
D:, E:, F: and G:.
W32/Holar-C looks for email addresses in files on the hard drive
and sends an email with the following characteristics to the
addresses found:
Subject: Fwd: Crazy illegal sex !
Attached File: iLLeGal.exe
Message body:
Note: forwarded message attached.
--------------------------------
Do You Yahoo!?
Yahoo! Finance - Get real-time stock quotes
Forwarded Message [ Save to my Yahoo! | Briefcase Download File ]
From: Sara1987{at}yahoo.com
To: Virgin_gurlz_N_boyz{at}yahoogroups.com
Date: 24 Aug 2002 17:11:18 -0000
Subject: Fwd: Crazy illegal Sex
--------------------------------
Is it really illegal in da USA?
who knows :P
If u have a weak heart i warn u
DON'T see dis Clip.
Emagine two young children havin
crazy sex fo da first time togetha !
loooool i'm still wonderin where thier
parents were?
Good Fuck , oh sorry :">
i mean Good Luck ;)
Bye
W32/Oror-K
Aliases
W32.HLLW.Oror.B{at}mm
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this
worm from the wild.
Description
W32/Oror-K is a worm which spreads by copying itself to shared folders
on the local network and by emailing itself to addresses found within
the inbox of MAPI based email clients, such as Microsoft Outlook or
Outlook Express.
The email subject, message text and attachment name are randomly
chosen from a variety of possibilities. A typical example is:
Subject: Blondes Forever
Attached file: Blonde.exe
Message text:
"Hey, whatz up :)) Where are you? Don't you chat any more?
I haven't seen you so long. Read this :))
What do blondes wear behind their ears to attract men? Their ankles!!
- Why did god invent the female orgasm? So blondes know when to stop
screwing!!
- What is a blond with hair black colored? Artificial intelligence!
Blondes forever!! :) Time off, i must go now, but i'll be very
happy if you write to me soon :) Bye bye :))".
The worm attempts to exploit a MIME vulnerability in some versions of
Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to
allow the executable file to run automatically without the user
double-clicking on the attachment. Microsoft has issued a patch which
secures against this vulnerability which can be downloaded from
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software,
including the one exploited by this worm.)
When first run the worm displays a message box with the text
"Error starting program", "The file expects a newer version of Windows.
Upgrade your Windows version.".
The worm copies itself to the Windows folder with a name that is a
combination of 'lib', the computer's name backwards and "16.exe",
"32.exe" or "98.exe". For example, if the computer's name is "test", the
worm copies itself as libtset16.exe, libtset32.exe or libtset98.exe.
The worm creates the following registry entry so that the copy of the
worm in the Windows folder is run automatically each time Windows is
restarted:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadSystemProfile
= powprof.dll,LoadCurrentUserProfile
The worm also sets the following registry entry to run itself
automatically whenever an EXE file is executed:
HKLM\Software\CLASSES\exefile\shell\open\command\(default)
= "%1" %*.
W32/Oror-K chooses a random sub-folder of the Program Files folder and
copies itself to this folder using the sub-folder name with "16.exe",
"32.exe" or "2k.exe". For example, it might copy itself as
\Program Files\Internet Explorer\Internet Explorer16.exe.
The worm adds the pathname to this executable under the following
registry key so that this copy of the worm is run automatically on
startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The worm also copies itself to the Windows System folder using the
name of a randomly selected file from the System folder, but with
"16.exe", "32.exe" or "2k.exe" in place of
the file's extension.
The worm runs this copy of itself automatically on startup by adding
the line run= to the [Windows] section of
\WIN.INI.
W32/Oror-K spreads over the local network by copying itself to
selected shared folders using random filenames. During this process
the worm may create additional entries under the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The worm attempts to spread via file sharing on KaZaA networks by
copying itself to any KaZaA folders it finds on the local network,
using the following filenames:
ACDSee
Actu002_
alice
amanda
Anal Explorer
baby_17
badboy
blue16
BoxDave_
Britney Suxx
BritneyUltimate
bryan16
candy_f
Chess
ClubExtreme
Counter Strike 1.5 (Editor)_
CrazyGirl
cRedit_CarDs_gEn|MeGa HACK
DivX 5.4 Bundle_
DMX tHeMe
Download Accelerator 5.5_
Dreamweaver_5.0_Patch_
dreamy
Elfbowl
EminemDesktop
Fishfood
Gipsy
Goggles
GTA 3 Bonus Cars(part1)_
happy
Hot Blondies
install_en_
Inter012_
jane17
jerry
Kama Sutra
KamaSutra
KaZaA Media Desktop v2.0.8_
LaFemmeNikita
linda17
Lolita
Madonna Desktop
neo
Nero Burning Rom 5.6.0.3_
NFS 5 Bonus Cars_
nicole
Pam Anderson Theme
Pamela 3D_
PcDudes
rap_girl
Serials 2K 7.2 (by SNTeam)_
Serials2002_8.0(17.08.02)_
SexSpy
Sexy Teens Desktop
snowball_fight_
sound_brake_
steve
Story017_
Strip Kournikova
Teen Sex Cam
trish1
tweety
VirtualRape
WinAmp_3.2_Cool_
WinZip 8.2_
WWF_The_ROCK
Zip Password Recovery
W32/Oror-K also drops the mIRC script Controls.ini to the mIRC folder.
Controls.ini is detected by Sophos Anti-Virus as the backdoor Trojan
mIRC/Oror-D.
The worm will attempt to terminate selected Windows based anti-virus
programs.
W95/CIH-1106
Aliases
Win95.CIH.1106, W95.CIH.1106, PE_CIH.1106
Type
Windows 95 executable file virus
Detection
At the time of writing Sophos has received no reports from users
affected by this virus. However, we have issued this advisory
following enquiries to our support department from customers.
Description
W95/CIH-1106 infects Windows PE executables when they are opened.
When run on the 2nd day of any month this virus attempts to overwrite
a critical area of the BIOS and overwrites sectors of the hard drive,
causing the computer to crash.
W32/Holar-B
Aliases
I-Worm.Warhol
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this
worm from the wild.
Description
W32/Holar-B is a worm which spreads by copying itself to shares on the
local network and by emailing itself to contacts from the Microsoft
Outlook and Messenger address books and to addresses embedded within
files with an HTM or HTML extension.
The worm copies itself to the Windows System folder of local and
network drives and creates the following registry entries so that the
worm executable is run automatically each time Windows is started:
HKLM\Software\Microsoft\HolyWar = 135
HKLM\Software\Microsoft\Windows\HolyWar = 135
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MyLife
= \CmdServ.exe and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ZaCker
= \
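The three advisories above (W32/Holar-C's RunServices\iLLeGaL entry and HKLM\iLLeGaL counter, W32/Oror-K's Run/RunServices values, exefile\shell\open\command hijack, lib<reversed computer name>NN.exe naming, Program Files copies and WIN.INI run= line, and W32/Holar-B's HolyWar, MyLife and ZaCker entries) describe persistence points an incident responder checks first. The script below is an added example, not Sophos code: it parses a regedit export and a copy of win.ini offline and reports which of the described indicators are present. The sample data is constructed here; the value names and paths follow the advisories, but the worm path placed ahead of the stock "%1" %* exefile command and the vmm3232.exe name are assumptions made for the sample, since the listings above show only "%1" %* and "run=" with nothing in front of them. The stock exefile open command on Windows is exactly "%1" %*, so any prefix is a hijack.

```python
"""Offline triage of the persistence points the W32/Holar-C, W32/Oror-K and
W32/Holar-B entries describe, run over a regedit export and a copy of win.ini.
Added example, not Sophos code; the sample data at the bottom is constructed."""
import re
from typing import Dict, List, Optional

KNOWN_AUTORUN_NAMES = {"illegal", "loadsystemprofile", "mylife", "zacker"}
MARKER_KEYS = [r"hkey_local_machine\illegal",                     # Holar-C run counter
               r"hkey_local_machine\software\microsoft\holywar",  # Holar-B
               r"hkey_local_machine\software\microsoft\windows\holywar"]
AUTORUN_KEYS = [r"hkey_local_machine\software\microsoft\windows\currentversion\run",
                r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"]
EXEFILE_CMD = r"hkey_classes_root\exefile\shell\open\command"
NORMAL_EXEFILE_CMD = '"%1" %*'   # stock Windows value; any prefix is a hijack
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')   # "name"=data or @=data
_SUFFIX_RE = re.compile(r"^(.*?)(16|32|98|2k)\.exe$")
_unescape = lambda s: re.sub(r"\\(.)", r"\1", s)   # regedit escapes \\ and \"


def oror_names(computer_name: str) -> List[str]:
    """Windows-folder names Oror-K uses: 'lib' + computer name reversed + 16/32/98.exe."""
    rev = computer_name.lower()[::-1]
    return [f"lib{rev}{s}.exe" for s in ("16", "32", "98")]


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal regedit-export parser: {key (lower-cased): {value name: data}}.
    Strings are unescaped, DWORDs become decimal strings, '@' is (default)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        data = m.group(2).strip()
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            data = str(int(data[6:], 16))
        current["@" if m.group(1) is None else _unescape(m.group(1))] = data
    return keys


def oror_indicator(command: str, computer_name: str) -> Optional[str]:
    """Match Oror-K's two naming schemes: lib<reversed name>NN.exe in the Windows
    folder, or a Program Files copy called <its own folder name>16/32/2k.exe."""
    m = re.match(r'^"?(.*?\.exe)', command, re.I)
    if not m:
        return None
    parts = m.group(1).lower().split("\\")
    base, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
    if base in oror_names(computer_name):
        return "Oror-K Windows-folder name"
    sm = _SUFFIX_RE.match(base)
    if sm and parent and sm.group(1) == parent:
        return "Oror-K Program Files name"
    return None


def win_ini_run(text: str) -> str:
    """run= line of the [windows] section of win.ini ('' if absent or empty)."""
    m = re.search(r"^\[windows\][^\[]*^run=([^\n]*)", text, re.I | re.M)
    return m.group(1).strip() if m else ""


def triage(reg_text: str, win_ini: str, computer_name: str) -> List[str]:
    """Sorted indicator strings; an empty list means none of the described
    persistence points is present."""
    reg = parse_reg(reg_text)
    out = [f"marker key present: {k}" for k in MARKER_KEYS if k in reg]
    for key in AUTORUN_KEYS:
        for name, cmd in reg.get(key, {}).items():
            if name.lower() in KNOWN_AUTORUN_NAMES:
                out.append(f"known worm autorun value: {key}\\{name} = {cmd}")
            elif (why := oror_indicator(cmd, computer_name)):
                out.append(f"{why}: {key}\\{name} = {cmd}")
    default = reg.get(EXEFILE_CMD, {}).get("@")
    if default is not None and default != NORMAL_EXEFILE_CMD:
        out.append(f"exefile open command hijacked: {default}")
    if (run := win_ini_run(win_ini)):
        out.append(f"win.ini [windows] run= {run}")
    return sorted(out)


# Constructed sample (not a real export): names follow the advisories, but the
# worm path ahead of "%1" %* and vmm3232.exe are assumptions made here.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"iLLeGaL"="C:\\WINDOWS\\SYSTEM\\iLLeGaL.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadSystemProfile"="powprof.dll,LoadCurrentUserProfile"
"Internet Explorer16"="C:\\Program Files\\Internet Explorer\\Internet Explorer16.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\libtset16.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\HolyWar]
@=dword:00000087
"""
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\vmm3232.exe\n[Desktop]\nWallpaper=(None)\n"
```

Run triage(SAMPLE_REG, SAMPLE_WIN_INI, "test") and it reports six indicators (the HolyWar marker, the iLLeGaL and LoadSystemProfile values, the Internet Explorer16.exe copy, the hijacked exefile command and the win.ini run= line) while leaving the ordinary ScanRegistry entry alone. On a real host, export the keys with regedit /e and pass the machine's actual computer name; the HKCU Run keys can be added to AUTORUN_KEYS the same way.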
The worm finds the path of the user's personal folder by querying the
registry entry
HKCU\Software\Microsoft\Windows\Currentversion\Explorer\
Shell Folders\personal.
W32/Holar-B copies itself to the Windows TEMP folder using the name of
the first file in the user's personal folder, but with an SCR
extension. When the worm spreads via email, this file is attached.
The subject line of the email is the name of the attached file without
its extension and the message text is "Flash File".
The worm attempts to exploit a MIME vulnerability in some versions of
Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to
allow the executable file to run automatically without the user
double-clicking on the attachment. Microsoft has issued a patch which
secures against this vulnerability which can be downloaded from
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software,
including the one exploited by this worm.)
W32/Holar-B drops the Microsoft Outlook Express mail message file
WarIII.eml to the Windows System folder and appends a link to this
file to all files with the extension HTM or HTML.
The worm overwrites all files on the current drive with the following
extensions with the text "Bye":
MDB, XLS, DOC, SWF, PPT, JPG, PPS, MPEG, ZIP, TXT, MPG, AVI,
RM, MDE, FRM, PHP, PDF or RAR
WM97/Forget-A
Aliases
Macro.Word97.Forget
Type
Word 97 macro virus
Detection
At the time of writing Sophos has received just one report of this
virus from the wild.
Description
On the 16th day of any month WM97/Forget-A will use the Office
Assistant to display the message
"- HOLA - NO SABEN QUIEN SOY ESTUPIDOS ..." (Spanish: "Hello, you don't
know who I am, you idiots ...").
This message will be repeated constantly.
Once the virus is active any attempt to access the Tools|Macro menu
option will result in "Can not find application" being displayed.
--- MultiMail/MS-DOS v0.27
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)