echo: virus_info
to: ALL
from: KURT WISMER
date: 2002-11-12 09:21:00
subject: News (fwd)

[cut-n-paste from sophos.com]

W32/Braid-A 
Aliases 
PE_BRID, W32/Braid{at}MM, I-worm.Bridex, Win32/Brid.A 
 
Type 
Win32 worm 
 
Detection 
Sophos has received several reports of this worm from the wild. 

Description 
W32/Braid-A is an internet worm which emails itself to every contact in 
the Microsoft Outlook address book. 

The worm attempts to exploit a MIME and an IFRAME vulnerability in some 
versions of Microsoft Outlook, Microsoft Outlook Express, and Internet 
Explorer. These vulnerabilities allow an executable attachment to run 
automatically, even if you do not double-click on the attachment. 
Microsoft has issued a patch which secures against these attacks. The 
patch can be downloaded from Microsoft Security Bulletin MS01-027. 
(This patch was released to fix a number of vulnerabilities in 
Microsoft's software, including the ones exploited by this worm.) 

When the worm is first run it copies itself to the Desktop as 
Explorer.exe, to the System folder as Regedit.exe and creates the 
registry entry 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\regedit = 
C:\WINDOWS\SYSTEM\regedit.exe 

so that this file is run automatically each time the computer is 
restarted. 

The worm drops W32/Flcss to the System folder as Bride.exe. Bride.exe 
is then launched whenever another executable is run. 



W32/Oror-Fam 
Aliases 
I-Worm.Roron, I-Worm.Roron.12, I-Worm.Roron.25, I-Worm.Roron.31, 
I-Worm.Roron.35, I-Worm.Roron.37, I-Worm.Roron.39 
 
Type 
Win32 worm 
 
Detection 
Note: At the time of writing Sophos has received no reports from users 
affected by these worms. However, we have issued this advisory 
following enquiries to our support department from customers. 
 
 
Description 
W32/Oror-Fam is a family of worms, all of which are very similar to 
W32/Oror-B. Like W32/Oror-B, these worms can spread in a number of 
ways, including sending themselves out by email, copying themselves to 
shared drives in networks, and placing copies of themselves in folders 
likely to be shared via the KaZaA peer-to-peer system.

When these worms first run on your computer, they pop up one of a 
number of fake error dialogs to disguise their operation. The first 
form of this dialog has the title "WinZip Self-Extractor License 
Confirmation" and the text "Your version of WinZip Self-Extractor is 
not licensed, or the license information is missing or corrupted. 
Please contact the program vendor or the web site (www.WinZip.com) for 
additional information". The second form of this dialog claims "The 
file expects a newer version of Windows. Upgrade your Windows version." 
The third form of the dialog states "Cannot open file: it does not 
appear to be a valid program. If you downloaded this file, try 
downloading file again".

Even though the worms claim that they have not run, they infect your 
computer under cover of these fake dialogs.

The W32/Oror family of worms create two data files in the Windows 
folder which contain information used by the worms while they are 
running. These data files have innocent-looking names, incorporating 
the first few letters of the computer name forwards and backwards. 
These files have normal-looking extensions, including .DEF, .VXD and 
.SYS. Example of the names of these data files on a computer named 
VICTIM might be:

dosvictim32.vxd
niwmitciv98.sys

If these files are removed whilst the worms are active, the worms 
immediately begin deleting all files on the computer. 

You can find additional details about the W32/Oror family of worms by 
looking at the analysis of W32/Oror-B.
 
 

W32/Oror-B 
Type 
Win32 worm 
 
Detection 
At the time of writing Sophos has received just one report of this worm 
from the wild. 

Description 
W32/Oror-B is a worm that can spread in a number of ways, including 
sending itself out by email, copying itself to shared drives in 
networks, and placing copies of itself in folders likely to be shared 
via the KaZaA peer-to-peer system.

(A number of variants of this worm are known. You can read about these 
by looking at W32/Oror-A and W32/Oror-Fam.)

When W32/Oror-B first runs on your computer, it pops up a fake error 
dialog with the title "WinZip Self-Extractor License Confirmation" and 
the text "Your version of WinZip Self-Extractor is not licensed, or the 
license information is missing or corrupted. Please contact the program 
vendor or the web site (www.WinZip.com) for additional information". 

Under cover of this fake dialog, W32/Oror-B infects your computer. The 
worm writes a varying number of copies of itself. These copies may be 
found in a number of different places, including:


the Windows folder (e.g. C:\WINDOWS)

the System folder (e.g. C:\WINDOWS\SYSTEM)

subfolders of the Program Files folder

folders associated with KaZaA file sharing

The worm runs the copy in your System folder every time you boot up by 
adding a run= line to the [windows] section of your WIN.INI file.

The worm runs the copy in your Windows folder every time you logon to 
the network (or to Windows) by adding an entry in your registry like 
this:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
LoadSystemProfile = "wormname.exe powprof.dll, LoadCurrentUserProfile"

W32/Oror-B uses a random value for wormname above. This random name 
includes the start of your computer name written backwards, and ends 
in 16.exe, 32.exe or 98.exe.
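The two naming schemes above (the W32/Oror-Fam data files built from the computer name forwards and backwards, and the W32/Oror-B copy whose name starts with the computer name written backwards and ends in 16.exe, 32.exe or 98.exe) can be turned into a hunting check. The following is an added example, not Sophos code or the worm's own algorithm: it generalises the page's description to every prefix of the computer name of four or more characters, forwards, reversed and as a prefix of the reversed name, and reports files in a collected listing whose basename fits letters + fragment + 16/32/98 + .def/.vxd/.sys/.exe. The computer name VICTIM and the file listing are constructed for the example.

```python
"""Hunt for the computer-name-derived filenames the W32/Oror write-ups describe.
Added example, not Sophos code. The name scheme is generalised from the page:
a prefix of the computer name, written forwards or backwards, followed by
16/32/98 and a .def/.vxd/.sys/.exe extension. Run it over a file listing
collected from the suspect machine; it only reports and never deletes, because
the Oror worms start wiping the disk if their data files vanish while they run."""
import ntpath
import re
from typing import List

DATA_EXTS = ("def", "vxd", "sys", "exe")
NUM_SUFFIXES = ("16", "32", "98")


def name_fragments(computer_name: str, min_len: int = 4) -> List[str]:
    """Prefixes of the computer name (forwards, reversed, and prefixes of the
    reversed name), at least min_len characters long. Shorter fragments, or a
    computer name such as WIN-PC, would match far too much benign noise, so
    review the output before acting on it."""
    base = re.sub(r"[^a-z0-9]", "", computer_name.lower())
    rev = base[::-1]
    frags = set()
    for k in range(min_len, len(base) + 1):
        frags.add(base[:k])          # VICTIM -> vict, victi, victim
        frags.add(base[:k][::-1])    # start written backwards -> tciv, itciv, mitciv
        frags.add(rev[:k])           # start of the reversed name -> mitc, mitci, mitciv
    return sorted(frags, key=len, reverse=True)


def build_pattern(computer_name: str) -> re.Pattern:
    """Regex for <letters><fragment><16|32|98>.<ext>, e.g. dosvictim32.vxd."""
    alt = "|".join(re.escape(f) for f in name_fragments(computer_name))
    nums = "|".join(NUM_SUFFIXES)
    exts = "|".join(DATA_EXTS)
    return re.compile(rf"^[a-z]*({alt})({nums})\.({exts})$", re.IGNORECASE)


def hunt(listing: List[str], computer_name: str) -> List[str]:
    """Return the paths whose basename fits the Oror naming scheme."""
    if not name_fragments(computer_name):
        return []  # nothing usable to key on; an empty fragment would match every *32.vxd
    pattern = build_pattern(computer_name)
    return [p for p in listing if pattern.match(ntpath.basename(p))]


# Constructed listing: two Oror-Fam data files and an Oror-B copy among benign files.
COMPUTER_NAME = "VICTIM"
SAMPLE_LISTING = [
    r"C:\WINDOWS\dosvictim32.vxd",
    r"C:\WINDOWS\niwmitciv98.sys",
    r"C:\WINDOWS\SYSTEM\mitciv32.exe",
    r"C:\WINDOWS\SYSTEM\vmm32.vxd",
    r"C:\WINDOWS\win.ini",
    r"C:\WINDOWS\SYSTEM\kernel32.dll",
    r"C:\Program Files\KaZaA\My Shared Folder\WinZip 8.2.exe",
]

if __name__ == "__main__":
    for path in hunt(SAMPLE_LISTING, COMPUTER_NAME):
        print("suspect:", path)
```

On the constructed listing the three worm-style names are reported and the genuine Windows files are not; the four-character minimum is the knob to raise if a short or common computer name produces noise.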

W32/Oror-B sometimes adds additional values to the registry to run one
or more of the files it has placed in your Program Files folders. 
These values are added to:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

W32/Oror-B sets the following value in your registry so that whenever 
you launch an EXE file, the worm runs first before launching the 
program you actually chose:

HKCR\exefile\shell\open\command wormname.exe "%1" %*
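The autostart locations described for W32/Oror-B (the WIN.INI run= line, the Run keys, and the exefile open command that should read "%1" %* on a clean system) are the same places the other write-ups in this post point at (Run values named regedit, Registry Services, WinLoader32, Kernel32, AVupdate and cronos). The following is an added triage script, not Sophos code: it parses a .reg export and a WIN.INI collected from a suspect machine, lists every Run value and run=/load= line, flags an exefile command that is no longer the default, and marks Run value names that appear in these advisories. The sample export and INI are constructed for the example, modelled on the Braid-A and Oror-B entries; ScanRegistry is a benign Windows 98 Run entry included as a control.

```python
"""Offline autostart triage for the locations named in the write-ups above.
Added example, not Sophos code. It works over text artefacts exported from a
suspect machine (a .reg export and WIN.INI) rather than the live registry, so
it runs anywhere and never executes anything it finds."""
import re
from typing import Dict, List, Optional, Tuple

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'  # what an untouched system has as the default value

# Run value names taken from the Sophos descriptions in this post.
ADVISORY_VALUE_NAMES = {
    "regedit", "LoadSystemProfile", "Registry Services",
    "WinLoader32", "Kernel32", "AVupdate", "cronos",
}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [Key] headers and "name"="data" lines of a .reg export into
    {key: {value_name: data}}. Only string (REG_SZ) values are handled, which
    is all the autostart entries above use; '@' is the key's default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    value_re = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = value_re.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # .reg escapes \ and " inside strings
        keys[current][name] = data
    return keys


def win_ini_autostart(text: str) -> List[Tuple[str, str]]:
    """(directive, value) for non-empty run= and load= lines in [windows]."""
    hits: List[Tuple[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in ("run", "load") and value:
                hits.append((key.lower(), value))
    return hits


def triage(reg_text: str, ini_text: str) -> dict:
    """Collect the autostarts the write-ups describe: every Run value, the
    WIN.INI run=/load= lines, an exefile open command that is no longer the
    default, and Run value names that appear in the advisories."""
    reg = parse_reg_export(reg_text)
    run_entries = [
        (key.split("\\")[0], name, data)
        for key in RUN_KEYS
        for name, data in reg.get(key, {}).items()
    ]
    cmd = reg.get(EXEFILE_KEY, {}).get("(Default)")
    return {
        "run_entries": run_entries,
        "win_ini": win_ini_autostart(ini_text),
        "exefile_command": cmd,
        "exefile_hijacked": cmd is not None and cmd.strip() != EXEFILE_DEFAULT,
        "named_in_advisories": [n for _, n, _ in run_entries if n in ADVISORY_VALUE_NAMES],
    }


# Constructed sample artefacts, modelled on the Braid-A and Oror-B entries above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"regedit"="C:\\WINDOWS\\SYSTEM\\regedit.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"LoadSystemProfile"="mitciv32.exe powprof.dll, LoadCurrentUserProfile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="mitciv32.exe \"%1\" %*"
'''

SAMPLE_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\mitciv98.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    report = triage(SAMPLE_REG, SAMPLE_INI)
    for loc, name, data in report["run_entries"]:
        flag = "  <-- named in advisories" if name in ADVISORY_VALUE_NAMES else ""
        print(f"{loc}\\...\\Run\\{name} = {data}{flag}")
    for directive, value in report["win_ini"]:
        print(f"WIN.INI [windows] {directive}={value}")
    if report["exefile_hijacked"]:
        print(f"exefile open command hijacked: {report['exefile_command']}")
```

The exefile check is the one worth running first: a hijacked open command means every EXE launched, including a cleaner, passes through the worm, which is why the worm copy has to be removed from the command before anything else is run.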

The worm uses misleading filenames when copying itself to shared 
folders, including:

Counter Strike 1.5 (Editor).exe
Div X 5.4 Bundle.exe
Download Accelerator 5.5.exe
Dreamweaver_5.0_Patch.exe
GTA 3 Bonus Cars(part1).exe
KaZaA Media Desktop v2.0.8.exe
Nero Burning Rom 5.6.0.3.exe
NFS 5 Bonus Cars.exe
Serials 2K 7.2 (by SNTeam).exe
Serials2002_8.0(17.08.02).exe
WinAmp_3.2_Cool.exe
WinZip 8.2.exe 

and filenames built from strings such as: 

ACDSee
cRedit_CarDs_gEn
DMX tHeMe 
EminemDesktop
Madonna Desktop 
MeGa HACK 
Zip Password Recovery 

During this process the worm creates autorun.inf files referencing the 
dropped EXE files. 

W32/Oror-B spreads via email. The worm selects the content of its 
emails randomly from an internal list. The subject line of the email 
can contain strings such as: 

Blondes Forever
Blondinkii
Microsoft Bulgaria
sent you a Yahoo! Greeting
Vajno
Virus Alert
WinAmp Team
Yahoo! Games
Yahoo! Toolbar 

The message text varies with the subject line chosen. W32/Oror-B 
attaches itself as one of the following files: 

[TNT]Gen.exe
Blondes.exe
Blondies.exe
IE_0274_bg.exe
IE_0276_Setup.exe
IE50_032_Setup.exe
Iguana1.0_skin.exe
Yahoo!Autumn.exe
Yahoo!Chess.exe
Yahoo!Tomcats.exe 
Yahoo!Toolbar.exe 

W32/Oror-B may send its attachments so that they attempt to exploit 
vulnerabilities in some versions of Microsoft Outlook, Microsoft 
Outlook Express, and Internet Explorer. These vulnerabilities allow an 
executable attachment to run automatically, even if you do not 
double-click on the attachment. Microsoft has issued patches which 
secure against these attacks. Be sure to download these patches from 
Microsoft if you have not done so already.

If you have mIRC installed, W32/Oror-B drops an IRC backdoor Trojan 
script into your mIRC folder. This backdoor Trojan is detected by 
Sophos Anti-Virus as mIRC/Oror-B.
 


Troj/Zasil-A 
Aliases 
Downloader-BN, Trojan.Zasil, TrojanClicker.Win32.Zasil, TROJ/Topmine.A 
 
Type 
Trojan 
 
Detection 
At the time of writing Sophos has received no reports from users 
affected by this Trojan. However, we have issued this advisory 
following enquiries to our support department from customers. 
 
 
Description 
Troj/Zasil-A creates and executes the file registry.exe in the Windows 
folder and then displays a pornographic JPG image. 

The file registry.exe creates the following registry entry, which 
starts registry.exe when Windows starts up: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Registry Services 

Each time registry.exe is executed the Trojan will attempt to download 
a text file from the internet that contains links to scripts that 
access pages from lists of website addresses contained in the scripts. 
The Trojan may also access a spyware script that reports the IP address 
being used by the active Trojan. 

Troj/Zasil-A leaves multiple copies of the dropped executable and the 
JPG file in the Windows Temp folder.

The JPG graphic is of a naked middle-aged blonde woman sitting on a 
table and advertises a pornographic website.
 



VBS/Likun-A 
Aliases 
VBS/Gichty.gen virus 
 
Type 
Visual Basic Script worm 
 
Detection 
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers. 

Description 
VBS/Likun-A copies itself to the Windows folder as win32dll.vbs and 
sets the following registry entry to run itself when Windows starts:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinLoader32

VBS/Likun-A then sets the following registry entry to cause Windows to 
shut down when it starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32 = 
c:\Windows\rundll32.exe user,exitwindows

VBS/Likun-A attempts to send itself to all entries in the Windows 
address book but contains a bug and so does not work successfully.

Finally VBS/Likun-A deletes all files with extension MP3 on all drives.
 
 


W32/Merkur-A 
Aliases 
W32/Mylka.A 
 
Type 
Win32 worm 
 
Detection 
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers. 

Description 
W32/Merkur-A arrives in an email with the following characteristics: 

Subject line: Update Your Anti-virus Software.
Message text: 
Here is a patch for your AV software, it will cover all the
latest out breaks of worms ect (worms as in virus not earth
worms! lol)
Attached file: AVupdate.exe. 

When executed W32/Merkur-A will create the following copies of itself:
C:\WINDOWS\taskman.exe
C:\AutoExec.exe
C:\Windows\System\AVupdate.exe
C:\Program Files\uninstall.exe
C:\Windows\Notepad.exe
C:\windows\screensaver.exe 

The following copies of the worm will be created if the respective 
folders already exist:
C:\program files\kazaa\my shared folder\IPspoofer.exe
C:\program files\kazaa\my shared folder\Virtual Sex Simulator.exe
C:\program files\bearshare\shared\IPspoofer.exe
C:\program files\bearshare\shared\Virtual Sex Simulator.exe
C:\program files\eDonkey2000\incoming\IPspoofer.exe
C:\program files\eDonkey2000\incoming\Virtual Sex Simulator.exe 

These copies of the worm enable the worm to spread over the KaZaA, 
Bearshare and eDonkey2000 peer-to-peer networks. 

The worm may create the following registry entry, which will point
to the file C:\Windows\System\AVupdate.exe and will run the worm when 
Windows starts up: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVupdate 

The file script.ini will be created in the folder C:\mIRC if that 
folder already exists. This mIRC script will attempt to send a copy of 
the worm to users who join the current channel. This script is 
detected by Sophos Anti-Virus as mIRC/Merkur-A. 

The file pr0n.bat will be created in the root folder. This batch file 
will delete all JPG, MPG, BMP and AVI files from the folders:
C:\Program Files\KaZaA\My Shared Folder\
C:\Program Files\bearshare\shared\
C:\Program Files\eDonkey2000\incoming\ 

This batch file is detected by Sophos Anti-Virus as Troj/Merkur-A.
 
 


W32/Opaserv-F 
Aliases 
Worm.Win32.Opasoft.a 
 
Type 
Win32 worm 
 
Detection 
Sophos has received several reports of this worm from the wild. 
 
 
Description 
W32/Opaserv-F is a variant of W32/Opaserv-A and is a worm that spreads 
via network shares. 

When executed the worm will create a file called marco!.scr in the 
Windows folder on the current drive. W32/Opaserv-F then adds the 
following registry entry to run itself when the system starts: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\cronos = 
\marco!.scr 

The worm attempts to copy itself to the Windows folder on networked 
computers with open shared drives. When the worm has successfully 
infected another computer it creates (locally) a file called gay.ini 
which is a copy of the win.ini file from the newly infected computer. 
The worm modifies this file to ensure the worm copy will be run on 
system start and then copies gay.ini back to win.ini on the newly 
infected computer. 

W32/Opaserv-F searches local IP addresses for open C: shares and 
attempts to copy itself to the Windows folder of the share. Once the 
local area network has been scanned the worm will start performing the 
same search on the internet starting at a randomly generated IP 
address. As a result anyone connected to the internet who has file 
sharing enabled and who enables NETBIOS over TCP/IP is potentially 
vulnerable to this worm. 

W32/Opaserv-F also attempts to connect to a website that is currently 
unavailable. This attempted connection is most likely intended as a 
means of updating the worm executable.
 
 

 

--- MultiMail/MS-DOS v0.27
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)

SOURCE: echomail via fidonet.ozzmosis.com
