| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | News |
[cut-n-paste from sophos.com]
WM97/Panjang-A
Aliases
W97M/Bandung.ap, W97M/Panjang.A
Type
Word 97 macro virus
Detection
At the time of writing Sophos has received no reports from users
affected by this virus. However, we have issued this advisory following
enquiries to our support department from customers.
Description
WM97/Panjang-A is created when a document infected with WM/Panjang is
converted from Office 95 to Office 97/2000/XP format. The virus does
not spread in the Office 97/2000/XP environment.
WM97/Lazy-C
Type
Word 97 macro virus
Detection
At the time of writing Sophos has received no reports from users
affected by this virus. However, we have issued this advisory following
enquiries to our support department from customers.
Description
WM97/Lazy-C is created when a document infected with WM/Lazy is
converted from Office 95 to Office 97/2000/XP format. The virus does
not spread in the Office 97/2000/XP environment.
Troj/IRCBot-C
Type
Trojan
Detection
Sophos has received several reports of this Trojan from the wild.
Description
Troj/IRCBot-C is a backdoor Trojan which allows a remote intruder to
access and control a computer via IRC channels.
The installation executable for Troj/IRCBot-C typically arrives via
email or via IRC channels as a DCC send.
When run, the installation executable for Troj/IRCBot-C drops the files
listed below to the C:\WINNT\SYSTEM32\ folder. If this folder does not
exist (i.e. on Win9x), it will be created.
exe32.exe
MIRC.INI
REMOTE.INI
secure.bat
server.txt
win.dll
wind.bat
The following clean utility programs are also dropped to the
C:\WINNT\SYSTEM32\ folder:
NB.EXE
bnc.exe
fnet.exe
libparse.exe
psexec.exe
rpcserv.exe
SYS32.EXE
wget.exe
The installation executable launches exe32.exe, an MS-DOS program which
simply launches C:\WINNT\SYSTEM32\NB.EXE.
exe32.exe is copied to the folder
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
so that exe32.exe, and thus NB.EXE, are launched automatically each
time Windows is started.
NB.EXE is a clean mIRC client which connects to a remote IRC server and
joins a specific channel.
The remote intruder will then be able to gain access and control over
the computer using a regular IRC client.
NB.EXE sets a number of IRC, mIRC and ChatFile registry entries,
overriding any previous installations and making itself the default IRC
client.
W32/Melare-A
Aliases
I-Worm.Melare, Win32/Melare.A, W32.Ahlem.A{at}mm
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Melare-A arrives in an email with the following characteristics:
Subject line: Alert! SARS Is being Spread!
Message text: Hi!, This is a beta test SARS. Please check an attachment!
Attached file: The name of the executable that sent the worm.
When W32/Melare-A is first executed a copy is created in the Windows
folder with the filename csrss.exe and the following registry entry is
created so that the worm is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SystemSARS32 = csrss.exe
On the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of any month this
worm will attempt to delete DLL, NLS and OCX files on the infected computer.
W32/Lovgate-L
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Lovgate-L is a minor variant of W32/Lovgate-J.
W32/Palyh-A
Aliases
W32/Mankx, W32.HLLW.Mankx{at}mm, Sobig.B
Type
Win32 worm
Detection
Sophos has received many reports of this worm from the wild.
Description
W32/Palyh-A is a worm which spreads by email and also attempts to copy
itself to network shares.
The worm appears to arrive as a .PIF attachment from
support{at}microsoft.com.
Emails containing W32/Palyh-A have the following characteristics, in
which a fixed message body:
Message text: All information is in the attached file
is combined with one of the following subject lines and attached
filenames:
Subject lines:
Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Your password
Screensaver
Re: My details
Cool screensaver
Re: Movie
Re: My application
Attached filenames:
your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif
W32/Palyh-A copies itself into your Windows folder under the name
msccn32.exe and then sets the registry values:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Tray
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System Tray
so that it runs every time you log on to your computer.
W32/Palyh-A searches for email addresses in numerous locations on your
hard disk, including WAB (Windows Address Book), DBX, HTM, HTML, EML and
TXT files. The worm then sends itself to these addresses. You do not
need to have Outlook or Outlook Express installed for W32/Palyh-A to
work - it is programmed with its own mail-sending code.
W32/Palyh-A also enumerates network shares and attempts to copy itself
to the following folders on the share:
Document and Settings\All Users\Start Menu\Programs\Startup
and
Windows\All Users\Start Menu\Programs\Startup
so that the worm runs when the remote system is restarted.
Sophos recommends that users of its MailMonitor for SMTP product block
all executable attachments at their mail server via its threat
reduction technology. The risks associated with email-borne executables
are huge, yet there is little or no business case for allowing program
files to be sent and received by email.
Note: Microsoft does not distribute executable files by email, so the
emails generated by this worm are obviously bogus.
W32/Magold-A
Aliases
W32/Auric.A{at}mm, I-Worm.Magold.a
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Magold-A is a memory resident worm that uses email, IRC, network
shared drives and P2P network shares to spread.
The worm arrives in an email message with the following
characteristics:
Sender: "EROTIKA.LAP.HU"
Subject line: Maya Gold-os kepernyokimelo!
Message text: Tisztelt cim!
Az EROTIKA.LAP.HU nezettsegenek novelese erdekeben egy
kis izelitot kivan adni kinalatabol az Internet felhasznaloknak!
FIGYELEM: A 'Maya Gold.scr' nevu csatolt allomany egy
kepernyovedo.
Mint a neve is mutatja Maya Gold pornoszinesznorol tartalmaz
kulonbozo kepeket.Az allomanyt ajanlott elobb a lemezre menteni,
majd utana futtatni.
Amennyiben valami problamaja, kardase van, irjon a kovetkezo
cimre:
erotika{at}lap.hu
Attached file: Maya Gold.scr
If the viral attachment is run W32/Magold-A displays the message box
"DirectX Error! Address:0002R1A9V8E52000" and copies itself into the
Windows folder with the filenames raVe.exe and Maya Gold.exe.
During the execution of the email routine the worm sends a notification
message to the virus writer containing the IP address, username,
computer name and available shares of the infected computer.
W32/Magold-A uses the Windows Address Book and HTML files found on the
local drive to retrieve email addresses that will be used to send the
viral message.
All email addresses found are stored in the file ravec.txt, saved by the
worm in the Windows folder.
The worm may create a folder Rave in the Windows folder and attempt to
register the folder in the registry as the default folder used as a
file repository by several P2P clients.
W32/Magold-A searches and terminates processes that belong to several
Anti-Virus products.
The worm changes the following registry entries so that the worm file
rave.exe is run before any file with the extension EXE, PIF, COM, SCR
and BAT:
HKCR\exefile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\scrfile\shell\open\command
W32/Magold-A also creates the registry entry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raVe
so that the worm file is run on Windows startup.
The registry entry HKLM\Software\raVe contains the data used internally
by the worm.
W32/Magold-A contains several randomly triggered payload routines with
various effects, such as opening the CD-ROM drive tray, changing the
Windows colour scheme, restricting the movement of the mouse pointer to
the lower part of the screen, opening the web page
http:\\www.offspring.com, writing the text "=:-) OFFSPRING is coOL =:-)
PUNK'S NOT DEAD =:-)" to the caption area of the active window and
creating a large number of zero bytes long text files on the desktop.
W32/Magold-A may also attempt to send a Hungarian text to be printed on
the default printer and attempt to delete all files with the extension
BMP, GIF and JPG from the drive.
The worm may attempt to copy itself to all local drives, shared network
drives and floppy disks (if one is in the floppy disk drive) as Maya
Gold.scr and create the file autorun.inf so that the worm file is run
automatically when the drive is opened in Explorer with the Autorun
feature enabled.
JS/Fortnight-D
Type
JavaScript virus
Detection
At the time of writing Sophos has received just one report of this
virus from the wild.
Description
JS/Fortnight-D is a virus that is a combination of JavaScript and Java
Applets. When an email infected with JS/Fortnight-D is read by an HTML
aware mail client the virus attempts to open a website. The website
runs a Java Applet that makes use of Troj/ByteVeri-A to run itself
locally.
JS/Fortnight-D then attempts to drop a file S.HTM in WINDOWS that it
will set as the signature for Outlook Express 5.0.
JS/Fortnight-D also creates a file in the Windows folder called hosts.
The hosts file has the effect of subverting access to certain websites.
JS/Fortnight-D edits the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Policies\Microsoft\Internet Explorer\Control
Panel\SecurityTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control
Panel\AdvancedTab
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
The following files will be dropped in the Favorites folder:
Nude Nurses.url
Search You Trust.url
Your Favorite Porn Links.url
W32/Holar-H
Aliases
I-Worm.Hawawi.e, W32/Holar.h{at}MM, Win32/Holar.H, W32/Wlots
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Holar-H is an internet worm which spreads via file sharing on P2P
networks and by emailing itself to addresses found on the local
computer.
The email subject line and message text are one of the following
combinations:
Subject line: '''**'''
Message text: Hii
Try this great program allowing u to translate 100 languages .
just write a passage in english and chose a language to get the
traslation one of my friends used it with his arabian gf and it worked
successfully ;)
so , Now we can say ' Love Speaks it All ' :)
Subject line: Co0o0o0o0oL
Message text: i thing the subject is enough to describe the attached
file !
check it out and replay your opinion
Cya
Subject line: Fw:
Message text: You're gonna love it ;)
delete it after reading , Professor :P
Subject line: Heeeeeeeeeeeeeeeey
Message text: i've got this surprise from a friend :)
it really deserves a few minutes of your time.
Bye
Subject line: Wussaaaaaaaap?
Message text: Should i email u first to email me?
u don't know how much ur emails mean to me.
i wish u like this email and plzz don't forget me :)
Subject line: WoW But not for NoW
Message text: coz i couldn't get the other part of it ,
any way , check it out
having alil thing is better than nothing :P
Subject line: y0 Ain't Got Shyt !
Message text: All u can get is burning ur self
Coz all we can do is to watch, nothing for us to touch :(
Subject line: Why Do We FOk?
Message text: let me answer ,,,
hummmmmmmmm
Coz we Burn Our selves by watching ********** like the one i attached
:P
Subject line: Hi
Message text: i'v got it from a group called it really fits us , check
it out carefully :)
bye
Subject line: Q <--- what does it look likt?
Message text: Hummm , It looks like something men can't live without
ha?
did u get it?
if not , enjoy ur Eyes by Seeing it ;) this one is deferent!
Subject line: Hiiiii
Message text: you seem to be mad {at} me coz i didn't send u anything for
along time,
i didn't forget u , but i was busy , i've got all of ur emails
thanx :) and i hope u accept this one as an apology.
Subject line: Heeelllooo , anybody home????
Message text: i tried many times to send u this email but ur account
was out of storage as i
any way , make sure that i didn't and i won't forget u :)
Cya Forgotten :P
Subject line: Why did u send me this shyt?
Message text: THANX BUT I DON'T ACCEPT SEX MATERIALS FROM STRANGERS.
I SAW THEM N I WONDERED HOW U COULD DO SO ?
I REATTACHED THE SHYT U SENT
PLEASE DON'T EMAIL ME ,
Subject line: Re:Hi
Message text: No thanx , keep it for you :)
Subject line: Lo0o0o0o0o0o0o0o0o0o0o0o0oL
Message text: Measure your intelligence , the power of your mind and
the speed of your reaction by answering several Qs , don't forget to
send me your mark.
I took 3.5/10 :P
Let's see who is more intelligent than the other!
Good Luck
Subject line: hurry up !!!
Message text: this is the last one i could find ,
Don't forget , send me the project in a zipped file :)
Bye
Subject line: To Early To Have Sex!
Message text: When i saw it i didn't believe that she was only 8 yrs
old.
but when i saw the blood and heard the voice of her :( i got Shocked
Subject line: Fw:Send it to all of the ppl u love
Message text: Don't Believe ur self, I don't Love Ya :P
But i Don't know why i sent this to u.
Make use of it , Bye ;)
Subject line: Surpise !
Message text: I'm in a harry ,
Send me any clip with voice like the one i attached .
And stop sending the booooring pictures
For your elegant Taste
elegant ppl should satisfy thier taste with elegant things ;)
Subject line: Again?
Message text: I sent this email to another body :P and he replayed
saying Thanx !!
i always write your email wrongly.
Hummm, if u like it replay to me , and don't forget to write ur
signature to m sure that i didn't send the email to a wrong one ;)
Subject line: Who are you??????
Message text: i'm fine , thanx for asking :)
and thanx for the nice attachements.
but unfortunately, i don't remember you
i will be waiting for u emaill to remind me of your self.
Subject line: Hummm , i hope u accept this show as an apology.
Message text: The Spanish Beauty it's a mix of the Arabian beauty & the
european grace !
satisfy your eyes with the beauty that u have never seen ;)"
Subject line: I've Got it :)
Message text: I've got it from KaZaA network ,
it seems not to be full but that's all i could find :(
Subject line: Helloooooooo
Message text: I've got your email , but you forgot to upload the
attachments.
Don't be selfish , i sent you all the files i have, send me anything
:(
Subject line: If u are booooored ...
Message text: i found it in my Recycled , i know u love this kind of
thing ;)
attachment :) bye
Subject line: Dispatch{at}McAfee.com
Message text: Virus Alert !
Dear User,
McAfee.com Has recieved an infected message from you .We believe that
you are infected with Win32/HaWawi{at}MM Virus.
Please download the attached tool (ToolAv01w32) which will help you to
clean y
For more information :
*Create an email addressed to virus_research{at}nai.com.
W32/Holar-H copies itself to P2P shared folders using the following
filenames:
Aint_it_Funny.pif
AniMaL_N_Burning_Ladies.pif
Beauty_VS_Your_FaCe.pif
Broke_ass.pif
Come_2_Cum.pif
Endless_life.pif
Famous_PpL_N_Bad_Setuations.pif
Gurls_Secrets.pif
HaWawi_N_Hawaii.pif
Hearts_translator.pif
Hot_Show.pif
How_to_improve_ur_love.pif
Leaders_Scandals.pif
Lo0o0o0o0oL.pif
Real_Magic.pif
Shakiraz_Big_ass.pif
Short_vClip.pif
Sweet_but_smilly.pif
Tears_of_Happiness.pif
Tedious_SeX.pif
Teenz_Raper.pif
The_Truth_of_Love.pif
ToolAv01w32.pif
unfaithful_Gurls.pif
White_AmeRica.pif
XxX_Mpegs_Downloader.pif
W32/Holar-H also creates two files in the Windows system folder on the
current drive: SMTP.ocx and explore.exe. The worm then adds the
following registry entry to ensure it is run at system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explore
= \\Explore.exe
W32/Holar-H stores a counter of the number of times it has been run
(typically the number of reboots) under the registry entry
HKCU\DeathTime.
When the value of this registry entry reaches 30, the worm attempts to
delete files from the current drive and then displays a series of
message boxes with the text "LOVE", "PEACE",
"HOME", "HAPPINESS",
"These things Can't be Found as long as Bush & Jews Are aLive :)",
"Made By ZaCker In 2003-03-30 :)".
When the user clicks OK to the last of these message boxes, Windows is
shut down.
W32/Anacon-B
Aliases
W32.Naco{at}mm, I-Worm.Anacon, W32/Naco{at}mm, Win32.Naco.b
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Anacon-B is a mass mailing worm with a backdoor component that
attempts to spread via email using Outlook address book, network shares
and popular P2P networks.
The worm may arrive in an email with the following characteristics:
Subject line: none, or randomly chosen from -
Alert! W32.Anacon.B{at}mm Worm Has been detected!
Crack - Download Accerelator Plus 5.3.9
Do you happy?
Do you remember me?
Download WinZip 9.0 Beta
FoxNews Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Great News! Check it out now!
Just for Laught!
Oh, my girl!
Re: are you married?(1)
Run for your life!
The ScreenSaver: Wireless Keyboard
TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
Tired to Search Anonymous SMTP Server?
Update: Microsoft Visual Studio .Net
VBCode: Prevent Your Application From Crack
Young and Dangerous 7
Your Password: jad8aadf08
Message text: Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~~ Anacon
Attached file: chosen from -
AGAINST.EXE
FORCE.EXE
HANGUP.EXE
HUNGRY.EXE
RUNTIME.EXE
SCAN.EXE
WARS.EXE
The attached file is an archive that contains ANACON.BAT, MSWINSCK.OCX
and NACO.EXE where NACO.EXE is a variant of the worm usually packed
with a different UPX version (it may differ in size).
When executed the worm extracts, runs and deletes ANACON.BAT.
ANACON.BAT copies and registers MSWINSCK.OCX to the C:\Progra~1 folder,
executes an extracted unpacked copy of the worm, copies itself to the
Windows System folder and extracts an unpacked copy called SysAna32.exe,
Anacon.exe or Syspoly32.exe.
The worm sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Nocana" =
"AHU" =
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"InterceptedSystem" =
HKCU\Software\mirabilis\ICQ\Agent\Apps\Cvjlkfbip
"Startup" =
"Enable" = "Yes"
"Parameters" = ""
"Path" =
The last setting will allow the worm to launch itself on activation of
the ICQ service.
To be able to share a local C: drive the worm attempts to add a new
HACKERz entry to the following:
HKLM\SYSTEM\ControlSet001\Services\lanmanserver\Shares
HKLM\SYSTEM\ControlSet002\Services\lanmanserver\Shares
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
To spread via P2P networks the worm attempts to copy itself into the
download folders of popular filesharing programs:
\KMD\My Shared Folder\
\Kazaa\My Shared Folder\
\KaZaA Lite\My Shared Folder\
\Morpheus\My Shared Folder\
\Grokster\My Grokster\
\BearShare\Shared\
\Edonkey2000\Incoming\
\limewire\Shared\
with one of the following filenames:
About SARS Solution.doc.exe
Dont eat pork. SARS in there.jpg.exe
DOOM III Demo.exe
EAGames.exe
gangXcop.exe
InternationalDictionary.exe
jdbgmgr.exe
Jonny English (JE).avi.exe
JugdeDread.exe
Microsoft Visual Studio.exe
MSVisual C++.exe
QuickInstaller.exe
SEX_HOTorCOOL.exe
The Matrix Evolution.mpg.exe
The Matrix Reloaded Preview.jpg.exe
Upgrade you HandPhone.exe
VISE.exe
winamp3.exe
WindowsXP PowerToys.exe
The worm terminates a number of AV applications:
_Avp32.exe
_Avpcc.exe
_Avpm.exe
Ackwin32.exe
Anti-Trojan.exe
Apvxdwin.exe
Autodown.exe
Avconsol.exe
Ave32.exe
Avgctrl.exe
Avkserv.exe
Avnt.exe
Avp.exe
Avp32.exe
Avpcc.exe
Avpdos32.exe
Avpm.exe
Avptc32.exe
Avpupd.exe
Avsched32.exe
Avwin95.exe
Avwupd32.exe
Blackd.exe
Blackice.exe
Cfiadmin.exe
Cfiaudit.exe
Cfinet.exe
Cfinet32.exe
Claw95.exe
Claw95cf.exe
Cleaner.exe
Cleaner3.exe
Dvp95.exe
Dvp95_0.exe
Ecengine.exe
Esafe.exe
Espwatch.exe
f-Agnt95.exe
Findviru.exe
Fprot.exe
f-Prot.exe
f-Prot95.exe
Fp-Win.exe
Frw.exe
f-Stopw.exe
Iamapp.exe
Iamserv.exe
Ibmasn.exe
Ibmavsp.exe
Icload95.exe
Icloadnt.exe
Icmon.exe
Icsupp95.exe
Icsuppnt.exe
Iface.exe
Iomon98.exe
Jedi.exe
Lockdown2000.exe
Lookout.exe
Luall.exe
Moolive.exe
Mpftray.exe
N32scanw.exe
Navapw32.exe
Navlu32.exe
Navnt.exe
Navw32.exe
Navwnt.exe
Nisum.exe
Nmain.exe
Normist.exe
Nupgrade.exe
Nvc95.exe
Outpost.exe
Padmin.exe
Pavcl.exe
Pavsched.exe
Pavw.exe
Pccwin98.exe
Pcfwallicon.exe
Persfw.exe
Rav7.exe
Rav7win.exe
Regedit.exe
Rescue.exe
Safeweb.exe
Scan32.exe
Scan95.exe
Scanpm.exe
Scrscan.exe
Serv95.exe
Smc.exe
Sphinx.exe
Sweep95.exe
Tbscan.exe
Tca.exe
Tds2-98.exe
Tds2-Nt.exe
Vet95.exe
Vettray.exe
Vscan40.exe
Vsecomr.exe
Vshwin32.exe
Vsstat.exe
Webscanx.exe
Wfindv32.exe
Zonealarm.exe
As a backdoor the worm initiates a port connection providing
unauthorized access to the infected computer which allows an intruder
to manipulate the CD tray, CD-ROM, Clipboard, play media, drop a
keylogger and update itself from
http://vx.netlux.org/~melhacker/anaconII.exe or \bgII.exe.
The worm sends an email to with confidential
information that contains the following fields:
EXE Backdoor Name:
Operating System:
Internet Explorer Version:
Windows Directories:
System Directories:
Sound Card:
Current Screen Resolution:
Current Time:
IP Address:
Current Port Number:
UserName:
ComputerName:
Cached Password:
(For Win9x/Me Only)
Host:
Drive(s):
Type of Drives:
ICQ UINs:
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
SOURCE: echomail via fidonet.ozzmosis.com
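The advisories above spell out the registry Run values, the file-handler hijack and the reboot counter that these worms leave behind. As an added defender-side example (not from Sophos or from the original post), this Python triage script parses a regedit .reg export and reports which of those indicators are present; the SAMPLE_REG export and the data values in it are constructed for the demonstration, and the HKCU\DeathTime entry is treated as a key.

```python
import re
from collections import defaultdict

# Persistence indicators quoted in the advisories above: family -> list of
# (key, value name); a value name of None means "the key itself exists".
INDICATORS = {
    "W32/Melare-A": [(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SystemSARS32")],
    "W32/Palyh-A": [(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "System Tray"),
                    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "System Tray")],
    "W32/Magold-A": [(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "raVe"),
                     (r"HKLM\Software\raVe", None)],
    "W32/Holar-H": [(r"HKLM\Software\Microsoft\Windows\CurrentVersion", "Explore"),
                    (r"HKCU\DeathTime", None)],
    "W32/Anacon-B": [(r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "InterceptedSystem")],
}
# W32/Magold-A rewrites these handlers so rave.exe runs before the real file;
# a clean default starts with the plain "%1" launcher.
HIJACK_KEYS = [rf"HKCR\{e}file\shell\open\command" for e in ("bat", "com", "exe", "pif", "scr")]
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_CLASSES_ROOT": "HKCR"}

def parse_reg(text):
    """Parse a regedit .reg export into {key: {value_name: data}}; "@" is the default value."""
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"\[(.+)\]", line):
            hive, _, rest = m.group(1).partition("\\")
            current = keys.setdefault(HIVES.get(hive, hive) + "\\" + rest, {})
        elif (m := re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)) and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':  # REG_SZ; other types kept raw
                data = unescape(data[1:-1])
            current[name] = data
    return keys

def triage(keys):
    """Return {family: [evidence, ...]} for every advisory indicator present in the export."""
    lower = {k.lower(): (k, v) for k, v in keys.items()}  # registry paths are case-insensitive
    hits = defaultdict(list)
    for family, indicators in INDICATORS.items():
        for key, name in indicators:
            real_key, values = lower.get(key.lower(), (None, {}))
            if real_key is None:
                continue
            if name is None:
                hits[family].append(real_key)
            elif (match := next((n for n in values if n.lower() == name.lower()), None)) is not None:
                hits[family].append(f"{real_key}\\{match} = {values[match]}")
    for key in HIJACK_KEYS:
        real_key, values = lower.get(key.lower(), (None, {}))
        if real_key is not None and not values.get("@", "").startswith('"%1"'):
            hits["W32/Magold-A"].append(f"{real_key} default = {values.get('@')}")
    return dict(hits)

# Constructed sample export (not from a real host): two Run values from the
# advisories, a clean and a hijacked file handler, and the W32/Holar-H counter.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemSARS32"="csrss.exe"
"System Tray"="C:\\WINDOWS\\msccn32.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="C:\\WINDOWS\\rave.exe \"%1\" /S"
[HKEY_CURRENT_USER\DeathTime]
@="7"'''
```

Run `triage(parse_reg(SAMPLE_REG))` to see the per-family evidence; a clean exefile handler is deliberately included so the hijack check only fires on the rewritten scrfile entry.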
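Sophos's recommendation in the W32/Palyh-A entry is to block executable attachments at the mail server. The Python gateway rule below is added here as an example and is not part of the advisory or the original post: it applies that rule to a parsed message, flags the double-extension names of the kind listed for W32/Anacon-B, and applies the page's note that Microsoft does not distribute programs by email. The functions gateway_verdict and build_sample, the example.invalid addresses and the placeholder attachment bytes are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types the advisories above show carrying worms by email (.pif for
# W32/Palyh-A and W32/Holar-H, .scr for W32/Magold-A, .exe for W32/Melare-A and
# W32/Anacon-B) plus the other launchable types the page lists.
EXEC_EXTENSIONS = {"exe", "pif", "scr", "bat", "com"}
# Harmless-looking inner extensions used as decoys in the W32/Anacon-B filenames.
DECOY_EXTENSIONS = {"jpg", "doc", "avi", "mpg", "txt", "htm", "html"}

def gateway_verdict(raw):
    """Return ("block"|"deliver", [reasons]) for one raw message, applying the
    "no executable attachments" rule the advisory recommends."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        pieces = name.split(".")
        if len(pieces) > 1 and pieces[-1] in EXEC_EXTENSIONS:
            reasons.append(f"executable attachment {name!r}")
            if len(pieces) > 2 and pieces[-2] in DECOY_EXTENSIONS:
                reasons.append(f"double extension hides executable behind .{pieces[-2]}")
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if reasons and domain == "microsoft.com":
        # Per the W32/Palyh-A note: Microsoft does not distribute executables by email.
        reasons.append(f"executable claims to come from {domain}, which does not mail programs")
    return ("block" if reasons else "deliver"), reasons

def build_sample(subject, filename, sender="support@microsoft.com"):
    """Construct a test message shaped like the W32/Palyh-A mails (placeholder payload)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.invalid", subject
    m.set_content("All information is in the attached file")
    m.add_attachment(b"constructed placeholder, not a real program", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```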