echo: virus
to: ALL
from: KURT WISMER
date: 2003-01-17 23:12:00
subject: News (fwd)

[cut-n-paste from sophos.com]

W32/Oror-L

Type 
Win32 worm 

Detection 
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Oror-L is a worm which spreads by network shares and email.

The emails will have the following characteristics:
Subject line - randomly selected from one of the following:

HeY
ZzZz
Bla Bla
HoWie
Happy
Hi Again
Wow
Just A Letter
Hello
Hey Ya
Boom
Hi There

The email message text and attachment names are also randomly chosen 
from a variety of possibilities.

The worm attempts to exploit a known vulnerability in Internet Explorer 
versions 5.01 and 5.5, so that the attachment is launched automatically 
when the email is selected for viewing. To prevent reinfection, users of 
Microsoft Outlook and Outlook Express should install the following 
patch available from Microsoft: 
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp. This 
patch fixes a number of vulnerabilities in Microsoft's software, 
including the one exploited by this worm.

When first run, the worm displays a message box with the text 
"Windows", "Cannot open file: it does not appear to be a valid program 
If you downloaded this file, try downloading file again."

The worm copies itself to the Windows folder with a name that is a 
combination of 'Cmd', the computer's name backwards and "16.exe". For 
example if the computer's name is "test", the worm copies itself as 
Cmdtset16.exe.

The worm creates the following registry entry so that it is run 
automatically each time Windows is restarted:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadProfile
= Cmdtrid16.exe powrprof.dll,LoadCurrentPwrScheme

The worm also prepends its pathname to the registry entry

HKCR\exefile\shell\open\command\,

so that the worm is run before any executable file is run.

W32/Oror-L chooses a random sub-folder of the Program Files folder and 
copies itself to this folder using the sub-folder name concatenated 
with "16.exe", "32.exe" or ".exe". If the chosen folder name contains 
spaces only the beginning of the folder name is used, for example the 
worm might copy itself as

\Program Files\Internet Explorer\Internet16.exe.

The worm adds the pathname to this executable under the registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run,

so that this copy of the worm is run automatically on startup.

The worm also copies itself to the Windows System folder using the name 
of a randomly selected file from the System folder, but with "16.exe", 
"32.exe" or ".exe" in place of the file's extension.

The worm runs this copy of itself automatically on startup by adding 
the line

run=<path to worm>

to the [Windows] section of WIN.INI file.

W32/Oror-L spreads over the local network by copying itself to shared 
folders using random filenames. During this process the worm may create 
additional entries under the registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The worm attempts to spread via file sharing on KaZaA networks by 
copying itself to any KaZaA shared folders that it finds, using the 
following filenames:

KaZaA Media Desktop v2.2_.exe
Serials 2K 7.2 (by SNTeam)_.exe
Serials2002_8.0(17.08.02)_.exe
Dreamweaver_MX_Update_.exe
ACDSee.exe
WinAmp_3.2_Cool_.exe
Download Accelerator 5.5_.exe
Nero Burning Rom 5.7.0.1_.exe
cRedit_CarDs_gEn.exe
MeGa HACK.exe
Zip Password Recovery.exe
GTA 3 Bonus Cars(part1)_.exe
EminemDesktop.exe
DMX tHeMe.exe
NFS 6 Bonus Cars_.exe
Counter Strike 1.5 (Hackz)_.exe
Madonna Desktop.exe
WinZip 8.2_.exe
DivX 5.5 Bundle_.exe
PcDudes.exe
BritneyUltimate.exe
Pamela 3D_.exe
Britney Suxx.exe
KamaSutra.exe
LaFemmeNikita.exe
Teen Sex Cam.exe
Lolita.exe
Pam Anderson Theme.exe
Sexy Teens Desktop.exe
SexSpy.exe
Anal Explorer.exe
VirtualRape.exe
Hot Blondies.exe
Strip Kournikova.exe

W32/Oror-L also creates new versions of the mIRC files MIRC.INI and 
REMOTE.INI. These files allow remote access to the computer via IRC 
channels.

The worm will attempt to terminate several anti-virus programs.





W32/Smelles-A

Aliases 
W32/RunDoom 

Type 
Win32 executable file virus 

Detection 
At the time of writing Sophos has received just one report of this 
virus from the wild.

Description
W32/Smelles-A infects files with an EXE extension located in shared 
network folders.

W32/Smelles-A may also copy itself to network shares as Setup.exe.

When first run W32/Smelles-A copies itself to the current folder as 
.EXE and to the C:\ root folder as Win32napp.exe and creates the 
following registry entry so that Win32napp.exe is run automatically 
each time Windows is started:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32napp
= C:\win32napp.exe -e

An error message is displayed with the text
"Software-Error in 44462:27849 #7296 GCG. Aborted.".

This message is not displayed when infected files are run or when the 
dropper is run with a -e command line argument.

W32/Smelles-A may also copy itself to the current folder as Tmp.EXE and 
to the Desktop as .EXE.





W32/Opaserv-J

Aliases 
W32/Opaserv.worm.gen 

Type 
Win32 worm 

Detection 
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

W32/Opaserv-J is a member of the W32/Opaserv family. When run 
W32/Opaserv-J copies itself into the Windows folder as svr32.exe and 
sets the following registry entry to run itself automatically when 
Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
\Svr32= C:\Windows\svr32.exe

W32/Opaserv-J spreads over the internet using Windows network shares. 
The worm copies itself to the Windows folder of the remote computer as 
svr32.exe and sets the following entry in the [Windows] section of 
win.ini:

run=C:\Windows\svr32.exe

This entry will start the worm on the remote computer when Windows 
starts up.

W32/Opaserv-J will attempt to remove older variants of the W32/Opaserv 
worm by removing the following files from the Windows folder:

alevir.exe
scrsvr.exe
brasil.exe

The following registry entries will also be removed:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SCRSVR
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ALEVIR
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BRASIL
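The W32/Oror-L and W32/Opaserv-J descriptions above name the same few
persistence points: the Run and RunServices keys, the run= line in the
[Windows] section of WIN.INI, and (for Oror-L) the HKCR\exefile\shell\open\command
default value. The script below is an added example, not Sophos code or a tool
from the post: it audits those locations offline from a .reg-style export and a
copy of WIN.INI, flagging every autorun entry, any exefile command that is not the
clean default "%1" %*, and any Windows-folder name that matches the
Cmd<reversed host name>16.exe rule. The sample inputs are constructed from the
values quoted in the descriptions; the host name "dirt" is an assumption chosen
because the quoted value Cmdtrid16.exe is what the naming rule yields for it.

```python
"""Offline audit of the Windows persistence points named in the Sophos
descriptions (added example, not Sophos code). Input is text captured from
the host: a .reg export of the Run/RunServices/exefile keys and WIN.INI."""
import configparser
import re

# Clean default for HKCR\exefile\shell\open\command.
DEFAULT_EXEFILE_CMD = '"%1" %*'

RUN_KEYS = (
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices',
)
EXEFILE_KEY = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'

# Constructed sample export (values taken from the descriptions above; the
# exefile command shows the "prepend the worm path" pattern Oror-L uses).
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadProfile"="Cmdtrid16.exe powrprof.dll,LoadCurrentPwrScheme"
"Internet16"="C:\\Program Files\\Internet Explorer\\Internet16.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Svr32"="C:\\Windows\\svr32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Windows\\Cmdtrid16.exe \"%1\" %*"
'''

# Constructed sample WIN.INI with the run= line Opaserv-J writes.
SAMPLE_WIN_INI = '''
[windows]
load=
run=C:\\Windows\\svr32.exe
'''

# A .reg value line: "Name"=value or @=value (default value).
ENTRY_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg backslash escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key path: {value name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            value = m.group(2)
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = _unescape(value[1:-1])
            keys[current][name] = value
    return keys


def expected_oror_name(computer_name):
    """Oror-L's Windows-folder copy: 'Cmd' + host name reversed + '16.exe'."""
    return 'Cmd' + computer_name[::-1] + '16.exe'


def win_ini_autorun(text):
    """Non-empty run=/load= entries from the [windows] section of WIN.INI."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        if section.lower() != 'windows':
            continue
        for name in ('run', 'load'):
            value = cp.get(section, name, fallback='')
            if value and value.strip():
                hits.append((name, value.strip()))
    return hits


def audit(reg_text, win_ini_text, computer_name):
    """Return (kind, location, name, data) findings for the persistence points."""
    findings = []
    lookup = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    expected = expected_oror_name(computer_name).lower()
    for key in RUN_KEYS:                      # every autorun entry is worth review
        for name, cmd in lookup.get(key.lower(), {}).items():
            findings.append(('autorun', key, name, cmd))
            if expected in cmd.lower():
                findings.append(('oror-style-name', key, name, cmd))
    cmd = lookup.get(EXEFILE_KEY.lower(), {}).get('(Default)')
    if cmd is not None and cmd.strip() != DEFAULT_EXEFILE_CMD:
        findings.append(('exefile-hijack', EXEFILE_KEY, '(Default)', cmd))
    for name, value in win_ini_autorun(win_ini_text):
        findings.append(('win.ini', '[windows]', name, value))
    return findings


if __name__ == '__main__':
    for kind, location, name, data in audit(SAMPLE_REG_EXPORT, SAMPLE_WIN_INI, 'dirt'):
        print(f'{kind:16} {location}\\{name} = {data}')
```

On a real host the two inputs come from `reg export` of the listed keys and from
%WINDIR%\WIN.INI; the exefile check is the one that matters most, since a value
other than "%1" %* means some program is launched ahead of every executable.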





VBS/Moon-B

Aliases 
VBS/Nemite{at}MM, VBS.Moon{at}mm 

Type 
Visual Basic Script worm 

Detection 
At the time of writing Sophos has received just one report of this worm 
from the wild.

VBS/Moon-B arrives in an email with the following characteristics:

Subject line: Have a good new year
Message text: Hi, look at this funny photo.......
Attached file: fotompg.vbs

The email message is in HTML form and contains code to automatically 
open a web page which contains an ActiveX script that will download and 
run a copy of the worm to the user's Windows folder with the filename 
pics.vbs. The webpage described will be detected by this identity.

When executed VBS/Moon-B will be copied to the Windows folder with the 
filename fotompg.vbs. The following registry entry will be created to 
run the worm when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\explorer = 
C:\Windows\fotompg.vbs.

VBS/Moon-B will attempt to create or overwrite the file script.ini in 
the mIRC installation folder, with a script that is detected by Sophos 
Anti-Virus as mIRC/Simp-Fam. The new mIRC script will send a copy of 
the worm to users who join the channel that the infected user is 
connected to.

The Internet Explorer start page will be changed to a page from a 
pornographic website via the registry entry

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page.

VBS/Moon-B will attempt to run the file C:\Windows\XXX_Adult.exe which 
is a dialler for a pornographic web service. XXX_Adult.exe is 
downloaded by an executable file called girls.exe that is downloaded 
and executed by an ActiveX component on one of the pornographic sites 
that the worm opens up in Internet Explorer. Both girls.exe and 
XXX_Adult.exe are detected as Dial/Moon-B.

Additional registry entries that are created or modified by VBS/Moon-B 
are as follows:

HKCU\Software\moon\explorerpf\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion
\Internet Settings\Zones\3\1004
HKLM\System\CurrentControlSet\Services\Class\Modem
\0000\Settings\SpeakerMode_Dial
HKLM\System\CurrentControlSet\Services\Class\Modem
\0000\Settings\SpeakerMode_Off
HKCU\RemoteAccess\DialUI





WM97/Replog-F

Aliases 
Macro.Word97.Replog, W97M.Replog.E 

Type 
Word 97 macro virus 

Detection 
At the time of writing Sophos has received just one report of this 
virus from the wild.

Description

WM97/Replog-F is a member of the WM97/Replog family. The virus will 
attempt to run I:\Eudora\Sys\Server.exe and create the file 
I:\Rep.log - a log file which will record the date of the infection.

 
--- MultiMail/MS-DOS v0.27
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/1 379/1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
