subject: News
[cut-n-paste from sophos.com]
W32/Neroma-A
Aliases
I-Worm.Nearby
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Neroma-A is an internet worm which spreads by emailing itself to
addresses in the Microsoft Outlook address list.
The worm copies itself to the Windows folder as NEROSYS.EXE and changes
SYSTEM.INI to run itself on system restart.
Emails have the following characteristics:
Subject line: It's Near 911!
Message text: Nice butt baby!
The attached file bears the name of the executed file (likely to be
NEROSYS.EXE).
W32/Neroma-A may delete several files within subfolders of the Windows
folder on the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of every
month.
W32/SobigF-Dam
Aliases
I-Worm.Sobig.f.dam, W32/Sobig.dam, WORM_SOBIG.F.DAM, W32.Sobig.F.Dam
Type
Junk
Detection
Sophos has received several reports of this virus from the wild.
Description
W32/SobigF-Dam is a damaged version of W32/Sobig-F.
This version does not work and any files can simply be deleted.
Troj/JSurf-A
Aliases
VBS/JunkSurf-A
Type
Trojan
Detection
Sophos has received several reports of this Trojan from the wild.
Description
Troj/JSurf-A arrives via an HTML email exploiting a vulnerability fixed
in the Cumulative Patch of Internet Explorer (MS03-032).
The email contains an Object Data tag that runs a VBS script on a remote
site. The script drops an EXE in the C:\ drive as DRG.EXE. This
component of Troj/JSurf-A connects to a remote website, downloads a DLL
to C:\Program Files\win32.dll and then runs regsvr32.exe to register it
on the system.
The Trojan relies upon a vulnerability in Microsoft's software.
Microsoft issued a patch which reportedly fixes the problem in August
2003. The patch can be found at
www.microsoft.com/technet/security/bulletin/MS03-032.asp.
XM97/Phone-B
Aliases
Macro.Excel97.Phoneman.b, X97M.Phoneman, X97M_PHONEMAN.A
Type
Excel 97 macro virus
Detection
At the time of writing Sophos has received just one report of this
virus from the wild.
Description
XM97/Phone-B is a variant of XM97/Phone-A that has been modified to
contain extra junk routines.
W32/Quaters-A
Aliases
W32.Blare@MM, I-Worm.Blare, W32/Blurt@MM
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Quaters-A is an internet worm which spreads by emailing itself to
all addresses in the Microsoft Outlook address list and via IRC
channels.
The worm attempts to copy itself to C:\PROGRA~1\ACCOUNT_DETAILS.DOC.EXE
and adds the following entry to the registry to run itself on system
restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Task Manager = C:\PROGRA~1\ACCOUNT_DETAILS.DOC.EXE
Emails have the following characteristics:
Subject line: absent or randomly chosen from the following:
Your Account Infomation.
Your Account is on hold.
Your Account has been suspended.
Account Infomation.
Account Invoice.
Email Account Infomation.
This quaters invoice.
Account Billing Information.
YOUR ACCOUNT REF:
Account, is on hold.
ORDER CONFIRMATION:
Message text: absent or constructed from the following:
Dear Sir,
Please can you check that your account information is up to date.
Your details are attached to this email.
Please can you confirm that your account information is correct.
Your current details are attached to this email.
Please find attached this quaters invoice for your Internet Account.
Regards, Billing Team.
Regards, Support Team.
Attached file: can have any name but may be one of the following:
Your Account.Doc.EXE
Account Details.Doc.EXE
Your Account Info.Doc.EXE
Account Information.Doc.EXE
Billing Information.Doc.EXE
Invoice.Doc.EXE
Account Update.Doc.EXE
Account Status.Doc.EXE
Your Account Status.Doc.EXE
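The attachment names above all end in .Doc.EXE: a document-like inner extension in front of the executable one. As an added example (not Sophos code), this check judges an attachment by its last extension and reports the inner one as a lure; the extension sets and the sample names are assumptions, with the samples constructed from the advisory's list.

```python
"""Flag deceptive double-extension attachment names of the kind
W32/Quaters-A sends. Added example, not Sophos code."""

# Assumed sets: common Win32 executable types and the "document" types
# a lure would borrow. Extend to taste.
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}
DOCUMENT_LIKE = {".doc", ".xls", ".txt", ".pdf", ".htm", ".html", ".jpg", ".gif"}


def deceptive_attachment(name):
    """Return a short reason if the name is an executable disguised as a
    document (or a bare executable), else None."""
    # Keep only the file name, whichever path separator the sender used
    base = name.strip().replace("\\", "/").rsplit("/", 1)[-1]
    # Collapse spacing tricks such as "Invoice.Doc .EXE" before splitting
    base = base.replace(" .", ".").replace(". ", ".")
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None
    outer = "." + parts[-1]
    if outer not in EXECUTABLE:
        return None
    inner = "." + parts[-2] if len(parts) >= 3 else ""
    if inner in DOCUMENT_LIKE:
        return f"executable {outer} disguised as {inner}"
    return f"executable attachment {outer}"


# Constructed sample: two names from the advisory plus benign controls
SAMPLES = [
    "Account Details.Doc.EXE",
    "Invoice.Doc.EXE",
    "quarterly_report.doc",
    "readme.txt",
]


def triage(names):
    """Map each flagged name to the reason it was flagged."""
    return {n: deceptive_attachment(n) for n in names if deceptive_attachment(n)}


if __name__ == "__main__":
    for name, reason in triage(SAMPLES).items():
        print(f"{name}: {reason}")
```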
The worm overwrites SCRIPT.INI so that it sends a copy of the worm over
IRC channels as a file called CHAIN_MAIL_WORLD_RECORD.IRC along with
the message "Hey, Do you want to take part of the iRC chain mail world
record? If so all you have to do is load up the program add your irc
nick and press submit! Just rename the file from .irc to .exe and your
ready to go!"
W32/Quaters-A creates the file C:\WIN32.SORT.IT.OUT.BLAIR.TXT which
contains the text "Infected by the WIN32.SORT-IT-OUT-BLAIR Virus!" and
proceeds to overwrite several script files within C:\inetpub\wwwroot
(e.g. default.html) with this file.
W32/Quaters-A will attempt a denial-of-service attack on
www.number-10.gov.uk on the 11th of any month, and may display the
message
"INFECTED BY: WIN32.SORT-IT-OUT-BLAIR
Dear Tony Blair,
Why are you spending all our taxes on illegal immigrants!?!
How about you stop worrying about other countries and worry about
ours???
Stop spending money on immigrants and spend it on things like OAP's who
fought to keep this country free but are now getting treated worst than
illegal immigrants!
How about spend a little money on the NHS or the education system!?!
Think about it Mr Blair.
Your career depends on it.
We've had enough."
Finally, W32/Quaters-A attempts to terminate several processes related
to anti-virus and security software, e.g. SWEEP95.EXE, SWNETSUP.EXE,
ZONEALARM.EXE, ANTI-TROJAN.EXE.
W32/Cailont-B
Aliases
W32.Nolor.B@mm
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Cailont-B is an email aware worm.
The subject line, message text and attachment filename of the email are
produced by concatenating several randomly chosen phrases.
The email contains an HTML component which itself contains a Visual
Basic Script which drops and runs W32/Cailont-B.
When run W32/Cailont-B copies itself to various folders on the system
which may include:
C:\Program Files\Microsoft Office\Office\startup
C:\Windows\System\viewers
C:\Windows\All Users\Start Menu\Programs\Startip
C:\Windows\Start Menu\Programs\StartUp
C:\Windows\System
W32/Cailont-B will also drop the Visual Basic Script version of itself
in one or more files with a DAT extension. These files are detected as
VBS/Cailont-A.
W32/Blaster-F
Aliases
Worm.Win32.Lovesan, W32.Blaster.Worm, WORM_MSBLAST, Worm/Lovsan
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Blaster-F is functionally equivalent to W32/Blaster-A, except for
the following changes:
* The worm filename used is enbiei.exe
* The registry entry used has been changed to
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\www.hidro.4t.com
* The target for the distributed denial-of-service attack has been
changed to tuiasi.ro
* The internal message has been changed to the following text in
Romanian:
"Nu datzi la fuckultatea de Hidrotehnica!!! Pierdetzi timp ul
degeaba...Birsan te cheama pensia!!!Ma pis pe diploma!!!!!!"
In English this translates to:
"Don't go to the Hydrotechnics faculty!!! You are wasting your
time... Birsan, your pension awaits!!! I urinate on the diploma!!!!!!"
In early September 2003, a 24-year-old Romanian was reported by the
media to have been arrested in connection with the W32/Blaster-F worm.
However, the Romanian police later denied this.
W32/Lovgate-P
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Lovgate-P is a version of W32/Lovgate-L which has been infected
with W32/Parite-A and then packed with a compression tool.
W32/Lovgate-P is functionally identical to W32/Lovgate-L. The
W32/Parite-A infection is neutralised by the compression.
When the worm is run the W32/Parite-A component will generate a Windows
error similar to:
The application or DLL is not a valid Windows image. Please
check against your installation diskette.
The exact error message displayed will vary slightly depending on the
version of Microsoft Windows.
W32/Raleka-B
Aliases
W32.HLLW.Raleka, Win32/Raleka.A, Worm.Win32.Raleka.b
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Raleka-B is a network worm which uses the Microsoft DCOM RPC
vulnerability to propagate across a network.
The worm will attempt to connect to vulnerable computers and upload and
execute the following files:
svchost.exe, ntrootkit.exe, ntrootkit.reg and service.exe
Svchost.exe is a copy of the worm itself.
Ntrootkit.exe is a copy of the backdoor Trojan Troj/RtKit-11.
Ntrootkit.reg is a file used to run Troj/RtKit-11 on Windows XP systems.
Service.exe is a legitimate utility.
The worm will attempt to download and install the Microsoft patch for
the DCOM RPC vulnerability.
W32/Raleka-B includes backdoor functionality. The worm will attempt to
contact IRC servers and await instructions from a remote attacker.
Microsoft has issued a patch for the vulnerability exploited by this
worm. The patch is available from
www.microsoft.com/technet/security/bulletin/MS03-026.asp.
W32/Nugosh-A
Aliases
Win32/Dumaru.C, W32.Dumaru.B@mm
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Nugosh-A is a mass mailing worm that spreads to email addresses
found in files on the local hard drive. The message sent has the
following characteristics:
Subject line: Use this patch immediately !
Attached File: patch.exe
From: "Microsoft"
Message text: Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
W32/Nugosh-A copies itself as dllreg.exe to the Windows folder, as
load32.exe and vxdmgr.exe to the Windows system folder, and as
rundllw.exe to the StartUp folder.
The worm creates the following registry key to run itself on system
start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32
The worm also changes the run parameter in the [Windows] section of
win.ini and the shell parameter in the [Boot] section of system.ini.
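W32/Neroma-A (SYSTEM.INI above) and W32/Nugosh-A both persist through the legacy INI autostart hooks rather than only the registry. As an added example (not Sophos code), this script parses win.ini and system.ini and reports any run=, load= or shell= value that differs from the stock settings; the stock values and the sample file contents are assumptions, with the samples constructed around the file names the advisory gives.

```python
"""Audit the legacy win.ini / system.ini autostart hooks that W32/Neroma-A
and W32/Nugosh-A edit. Added example, not Sophos code."""
import re

# Stock values on a clean install (assumption): Explorer is the only shell,
# and the [windows] run=/load= lines of win.ini are empty.
EXPECTED = {
    ("system.ini", "boot", "shell"): {"explorer.exe"},
    ("win.ini", "windows", "run"): {""},
    ("win.ini", "windows", "load"): {""},
}


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}; names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_autostart(files):
    """files maps 'win.ini'/'system.ini' to their text. Returns the hooks
    whose value differs from EXPECTED, e.g. a shell= line with a second
    executable appended after Explorer.exe."""
    findings = []
    for (fname, section, key), allowed in EXPECTED.items():
        value = parse_ini(files.get(fname, "")).get(section, {}).get(key, "")
        if value.lower() not in allowed:
            findings.append(f"{fname} [{section}] {key}={value}")
    return findings


# Constructed samples: the advisory names load32.exe and vxdmgr.exe as the
# worm's copies in the system folder but not the exact text it writes.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SYSTEM\\vxdmgr.exe\n"
SAMPLE_WIN_INI = "[windows]\nrun=C:\\WINDOWS\\SYSTEM\\load32.exe\nload=\n"

if __name__ == "__main__":
    for f in audit_autostart({"win.ini": SAMPLE_WIN_INI,
                              "system.ini": SAMPLE_SYSTEM_INI}):
        print("suspicious:", f)
```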
W32/Nugosh-A drops a keylogging component as guid32.dll, an IRC-based
distributed denial-of-service Trojan as windrive.exe and a hacked
utility to export Outlook Express and Internet Explorer passwords as
winimg.exe, all to the Windows system folder. These are all detected as
W32/Nugosh-A.
The worm will kill off the following processes if they are running:
AGENTSVR.EXE
ANTS.EXE
APLICA32.EXE
APVXDWIN.EXE
ATCON.EXE
ATUPDATER.EXE
ATWATCH.EXE
AVSYNMGR.EXE
BLACKD.EXE
BLACKICE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
DEFWATCH.EXE
DRWATSON.EXE
FAST.EXE
FRW.EXE
GUARD.EXE
IAMAPP.EXE
IAMSERV.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
LUALL.EXE
LUCOMSERVER.EXE
MCAGENT.EXE
MCUPDATE.EXE
MGUI.EXE
MINILOG.EXE
MOOLIVE.EXE
MSCONFIG.EXE
MSSMMC32.EXE
NDD32.EXE
NETSTAT.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
NPROTECT.EXE
NSCHED32.EXE
NVARCH16.EXE
PAVPROXY.EXE
PCCIOMON.EXE
PCFWALLICON.EXE
PERSFW.EXE
POPROXY.EXE
PVIEW95.EXE
REGEDIT.EXE
RTVSCN95.EXE
SAFEWEB.EXE
SPHINX.EXE
SPYXX.EXE
SS3EDIT.EXE
SYSEDIT.EXE
TAUMON.EXE
TC.EXE
TCA.EXE
TCM.EXE
TDS2-98.EXE
TDS2-NT.EXE
TDS-3.EXE
UPDATE.EXE
VPC42.EXE
VPTRAY.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSMAIN.EXE
VSMON.EXE
VSSTAT.EXE
WATCHDOG.EXE
WEBSCANX.EXE
WGFE95.EXE
WRADMIN.EXE
WRCTRL.EXE
WRCTRL.EXE
ZAPRO.EXE
ZATUTOR.EXE
ZAUINST.EXE
ZONEALARM.EXE
W32/Blaster-E
Aliases
Worm.Win32.Lovesan, W32.Blaster.Worm, WORM_MSBLAST.GEN
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Blaster-E is functionally equivalent to W32/Blaster-A, except for
the following changes:
* The registry entry used has been changed to
HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Windows Automation
* The target for the Distributed Denial-of-Service attack has been
changed to kimble.org
* The internal message has been changed to
"I dedicate this particular strain to me ANG3L -
hope yer enjoying yerself and dont forget the
promise for me B/DAY !!!!."
W32/Tzet-A
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Tzet-A is a network worm. When run the worm creates the following
files in the folder C:\System32:
AUTHEXEC.BAT
A batch file used by the worm and detected by this identity
IGLMTRAY.EXE
A Trojan detected by Sophos Anti-Virus as Troj/Flood-DP
IGLXTRAY.EXE
A Trojan detected by Sophos Anti-Virus as Troj/Flood-DP
LRSS.INI
A mIRC configuration file used by the worm
MDDE32.EXE
A clean utility for terminating processes
NNA.EXE
A Trojan downloaded by W32/Tzet-A. Nna.exe is detected by Sophos
Anti-Virus as Troj/Apher-H.
PRINTF_CORE.EXE
A Trojan detected by Sophos Anti-Virus as Troj/Delsha-C
VIDRIV.EXE
A clean utility to hide/show windows
WMPT.EXE
A clean utility called PSExec
WSUBSYS.WAV
The main component of the worm
XCOPY.DLL
A text file containing a list of IP domains
The worm adds the following registry entry to run the file iglmtray.exe
when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WUPD
W32/Tzet-A searches the local network for computers with weak or no
passwords on the administrator or admin accounts to which it can copy
itself.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SOURCE: echomail via fidonet.ozzmosis.com