subject: News
[cut-n-paste from sophos.com]
W32/Lovgate-E
Aliases
Worm.lovegate.f, W32/LovGate.F-m, I-Worm.LovGate.f, W32/Lovegate.g
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Lovgate-E is a mass mailing worm and a backdoor Trojan. This variant
of the Lovgate family will only work on Microsoft NT/2000/XP platforms.
W32/Lovgate-E has two mass mailing routines. The first sends a message
with the following characteristics to email addresses retrieved from
unread messages in the infected user's Outlook folders:
Subject line: Re:
Message text:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
Attached file: one of the following
Britney spears nude.exe.txt.exe
Deutsch BloodPatch!.exe
dreamweaver MX (crack).exe
DSL Modem Uncapper.rar.exe
How to Crack all gamez.exe
I am For u.doc.exe
Industry Giant II.exe
joke.pif
Macromedia Flash.scr
Me_nude.AVI.pif
s3msong.MP3.pif
SETUP.EXE
Sex in Office.rm.scr
Shakira.zip.exe
StarWars2 - CloneAttack.rm.scr
the hardcore game-.pif
The second mass mailing routine sends emails to addresses found in
files with an extension starting with the characters HT, for example
HTM and HTML files. These emails will have a combination of subject
line, message text and attached filename taken from the following
lists:
Subject lines:
See the attachement
Hi
Hi Dear
Attached one gift for u..
Help
Great
for you
Last Update
Let's Laugh
Reply to this!
Message texts:
Send me your comments...
Patrick Ewing will give Knick fans something to cheer about Friday
night.
Adult content!!! Use with parental advisory.
It's the long-awaited film version of the Broadway hit. Set in the
roaring 20's, this is the story of Chicago chorus girl Roxie Hart
(Zellwger), who shoots her unfaithful lover (West).
This message was created automatically by mail delivery software
(Exim).
Send reply if you want to be offical beta tester.
Tiger Woods had two eagles Friday during his victory over Stephen
Leaney.(AP Photo/Denis Poroy)
This is the last cumulative update.
Copy of your message,including all the headers is attached.
For further assistance, please contact!
Attached file:
About_Me.txt.pif
Doom3 Preview!!!.exe
driver.exe
enjoy.exe
images.pif
interesting.exe
Pics.ZIP.scr
README.TXT.pif
Source.exe
YOU_are_FAT!.TXT.pif
W32/Lovgate-E copies itself to the Windows system folder with the
following filenames:
iexplore.exe
kernel66.dll
ravmond.exe
windriver.exe
wingate.exe
winhelp.exe
winrpc.exe
Additionally, three identical DLL files (ily668.dll, task688.dll and
reg678.dll) are copied to the Windows system folder. These DLL files
are a component of the backdoor property of this worm and are detected
as W32/Lovgate-E.
The following registry entries will be created:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Program in Windows = \iexplore.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Remote Procedure Call Locator = Rundll32.exe reg678.dll ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wingate initialise = \wingate.exe -remoteshell
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinHelp = \Winhelp.exe
HKCR\txtfile\shell\open\command\Default = winrpc.exe %1
The last of these registry entries will cause the worm to be run every
time a text file is opened.
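The persistence described above (Run values pointing at the dropped files, a rundll32 loader for the backdoor DLL, and a hijacked txtfile handler) can be audited offline from a regedit export. The following is an added example, not Sophos's or the worm's code; the .reg content and the "ExampleVendorTray" entry are constructed, and the filename set is the one the advisory lists.

```python
import re

# Filenames the advisory attributes to W32/Lovgate-E (system folder copies,
# the backdoor DLLs and the NetServices.exe service binary).
WORM_FILES = {
    "iexplore.exe", "kernel66.dll", "ravmond.exe", "windriver.exe",
    "wingate.exe", "winhelp.exe", "winrpc.exe", "netservices.exe",
    "ily668.dll", "task688.dll", "reg678.dll",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TXT_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"

# Constructed .reg export: the advisory's entries plus one harmless value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleVendorTray"="C:\\Program Files\\Example\\tray.exe"
"Program in Windows"="C:\\WINNT\\System32\\iexplore.exe"
"Remote Procedure Call Locator"="Rundll32.exe reg678.dll ondll_reg"
"Wingate initialise"="C:\\WINNT\\System32\\wingate.exe -remoteshell"
"WinHelp"="C:\\WINNT\\System32\\Winhelp.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
'''

def parse_reg(text):
    """Yield (key, value_name, data) from a regedit .reg export (string values only)."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)):
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            yield key, name, data

def audit(text):
    """Return (key, name, data, reason) for every value that matches a rule."""
    findings = []
    for key, name, data in parse_reg(text):
        # basenames of every whitespace-separated token, so paths and DLL args both match
        names = {t.rsplit("\\", 1)[-1].lower() for t in data.split()}
        if key.lower() == RUN_KEY.lower() and names & WORM_FILES:
            findings.append((key, name, data, "autorun references " + ", ".join(sorted(names & WORM_FILES))))
        elif key.lower() == TXT_KEY.lower() and name == "(Default)" and "notepad.exe" not in names:
            # Stock Windows opens .txt with NOTEPAD.EXE; anything else is a handler hijack.
            findings.append((key, name, data, "txtfile handler is not notepad.exe"))
    return findings

if __name__ == "__main__":
    for key, name, data, reason in audit(SAMPLE_REG):
        print(f"{key}\\{name} = {data!r}: {reason}")
```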
The worm spreads across the local area network by copying itself to
network shares using the following filenames:
100 free essays school.pif
Age of empires 2 crack.exe
AN-YOU-SUCK-IT.txt.pif
Are you looking for Love.doc.exe
autoexec.bat
CloneCD + crack.exe
How To Hack Websites.exe
Mefia Trainer!!!.exe
MoviezChannelsInstaler.exe
MSN Password Hacker and Stealer.exe
Panda Titanium Crack.zip.exe
Sex_For_You_Life.JPG.pif
SIMS FullDownloader.zip.exe
Star Wars II Movie Full Downloader.exe
The world of lovers.txt.exe
Winrar + crack.exe
W32/Lovgate-E will attempt to gain Administrator access to machines on
the local area network by testing the administrator password against a
list of the most obvious and common passwords. If administrator access
is achieved then the worm will be copied to the system folder with the
filename NetServices.exe and will be started as a service with the name
"Microsoft Network Firewall Services".
On the local machine the worm will attempt to install itself as a
service with the name "Windows Management Instrumentation Driver
Extension". Also the DLL dropped by the worm will be used to run a
service named "NetMeeting Remote Desktop (RPC) Sharing".
W32/Refoav-A
Aliases
I-Worm.Refoav, W32.Refoav{at}mm
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Refoav-A is a worm that will send itself to contacts found in the
Outlook address book.
W32/Refoav-A arrives in an email with the following characteristics:
Subject line: Fw:Ipresionante
Message text: Pues eso simplemente impresionante........
Attached file: foavre.exe
W32/Refoav-A will copy itself to C:\FOAVRE.exe and create the VBScript
file C:\vbseli.vbs. This VBScript is not viral and can be deleted.
W32/Refoav-A will create the following registry entry to ensure that
vbseli.vbs is run on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Load = C:\vbseli.vbs
When vbseli.vbs is executed the following messages will be displayed:
"Usted ha sido infectado por el virus FOAVRE"
"Este no es un virus maligno, no se preocue su sistema sera restaurado,
y no quedara rastro del virus"
"Este es un virus de aviso, tenga cuidado con los archivos que recibe y
abre"
"NO A LA GUERRA"
"Perdone las molestias en breve recibira un correo indicando su numero
en la lista de infectados"
vbseli.vbs will also delete the files C:\FOAVRE.exe and C:\vbseli.vbs.
W32/Refoav-A emails a copy of itself to all contacts found in the
infected user's Outlook address book. The worm will also store all the
email addresses in a file named C:\datospc.dat and then send this file
to the attacker. The file datospc.dat will be deleted on successful
completion of this action.
WM97/Kingpawn-A
Type
Word 97 macro virus
Detection
At the time of writing Sophos has received just one report of this
virus from the wild.
Description
WM97/Kingpawn-A is a macro virus generated from a kit.
If you have mIRC, the virus drops a SCRIPT.INI file infected with
mIRC/Simp-Fam; if you have pIRCH, WM97/Kingpawn-A will drop an
EVENTS.INI file infected with pIRC/Pirch-Fam. If you have vIRC32, the
virus will edit the following registry entry by setting Event17 to send
out the currently infected document:
HKCU\Software\MeGALiTH Software\Visual IRC96\Events
WM97/Kingpawn-A will also set an editing password on documents of
'IAMAPORNKING'.
W32/Ganda-A
Aliases
W32/Densux, Myzli, I-Worm.Ganda, W95/Ganda.A{at}mm, PE_GANDA.A-O
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Ganda-A is a worm which spreads by sending itself to email
addresses collected from EML, HTM*, DBX and WAB files on your
computer.
W32/Ganda-A creates two copies of itself in your Windows folder. One
copy is named scandisk.exe; the other is an EXE file with a name
consisting of eight randomly-chosen lower-case letters.
W32/Ganda-A sets the following registry entry so that it loads
automatically every time your computer is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanDisk = \scandisk.exe
Whilst sending emails, the worm makes an additional copy of itself in
your Windows folder under the name tmpworm.exe.
W32/Ganda-A scans through RAM, looking for applications which have any
of the following text strings in memory: virus, firewall, f-secure,
symantec, mcafee, pc-cillin, trend micro, kaspersky, sophos, norton.
Processes containing any of the offending strings are terminated.
Clearly, this is intended to kill off a range of popular security
products. But it can cause collateral damage: for example, if you have
a Word document open containing any of the above strings, the worm will
shut down Word without giving you a chance to save any changes.
W32/Ganda-A infects EXE and SCR files on your hard disk by inserting a
small loader program which tries to launch a copy of the worm from your
Windows folder when you close the infected application. Files which are
modified in this way rely on the original randomly-named worm file
being present. If you delete the worm files from your Windows folder
then you will immediately make any modified EXE files uninfectious.
The worm can send emails with several subject line and message text
combinations, both in English and Swedish.
The English emails can have the following characteristics:
Subject line: Screensaver advice.
Message text: Do you think this screensaver could be considered
illegal? Would appreciate if you or any one of your friends could check
it out and answer as soon as humanly possible.
Subject line: Spy pics.
Message text: Here's the screensaver i told you about. It contains
pictures taken by one of the US spy satellites during one of it's
missions over iraq. If you want more of these pic's you know where you
can find me. Bye!
Subject line: GO USA !!!!
Message text: This screensaver animates the star spangled banner.
Please support the US administration in their fight against terror.
Thanx a lot!
Subject line: G.W Bush animation.
Message text: Here's the animation that the FBI wants to stop. Seems
like the feds are trying to put an end to peoples right to say what
they think of the US administration. Have fun!
Subject line: Is USA a UFO?
Message text: Have a look at this screensaver, and then tell me that
George.W Bush is not an alien. ;-)
Subject line: Is USA always number one?
Message text: Some misguided people actually believe that an american
life has a greater value than those of other nationalities. Just have a
look at this pathetic screensaver and then you'll know what i'm talking
about. All the best.
Subject line: LINUX.
Message text: Are you a windows user who is curious about the linux
environment? This screensaver gives you a preview of the KDE and GNOME
desktops. What's more, LINUX is a free system, meaning anyone can
download it.
Subject line: Nazi propaganda?
Message text: This screensaver has been banned in Germany. It contains
a number of animated symbols that can be related to the nazi culture.
What do you think, is it a legitimate ban or not? Please answer asap.
Thanx!
Subject line: Catlover.
Message text: If you like cats you'll love this screensaver. It's four
animated kittens running around on the screen. Contact me for more
clipart. Have fun! ;-)
Subject line: Disgusting propaganda.
Message text: Hello! My 12 year old doughter received this screensaver
on a CDROM that was sent to her through advertising. I find it
disturbing that children are now being targets of nazi organizations. I
would appreciate to hear from you on this matter, as soon as possible.
Thank you.
In all of these cases the attached file has a random 2-character name
and an SCR extension (e.g. oc.scr).
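Both worms rely on attachment names a mail gateway can reject on sight: Lovgate-E's lists above use a data-file extension in front of the real executable one (Me_nude.AVI.pif, Shakira.zip.exe), and Ganda-A uses a random two-letter stem with an .scr extension. The following is an added example, not code from Sophos or from the advisory; the sample names are constructed from the advisory's lists plus two benign files.

```python
import re

# Final extensions Windows will execute when the attachment is double-clicked.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "bat", "com", "vbs"}
# Extensions a recipient expects to be harmless data; used to spot a disguise
# such as "Pics.ZIP.scr" or "Britney spears nude.exe.txt.exe".
DATA_EXTS = {"txt", "doc", "jpg", "avi", "mp3", "zip", "rar", "rm", "gif"}

def classify_attachment(name):
    """Return the reasons an attachment name looks like a worm lure.

    An empty list means no rule fired. The rules deliberately err towards
    flagging: on a gateway these names are quarantined, not delivered."""
    reasons = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return reasons
    final = parts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + final)
        # Lovgate-E style: a data extension immediately before the real one.
        if len(parts) >= 3 and parts[-2] in DATA_EXTS:
            reasons.append("double extension ." + parts[-2] + "." + final)
        # Ganda-A style: random two-letter stem, .scr extension (e.g. oc.scr).
        if final == "scr" and len(parts) == 2 and re.fullmatch(r"[a-z]{2}", parts[0]):
            reasons.append("two-letter stem with .scr")
    return reasons

def scan_attachments(names):
    """Map each flagged attachment name to its reasons; clean names are omitted."""
    result = {}
    for n in names:
        reasons = classify_attachment(n)
        if reasons:
            result[n] = reasons
    return result

# Constructed sample: lure names quoted in the advisory plus two benign files.
SAMPLE = [
    "Me_nude.AVI.pif", "Shakira.zip.exe", "joke.pif", "oc.scr",
    "SETUP.EXE", "quarterly_report.doc", "photo.jpg", "README.TXT.pif",
]

if __name__ == "__main__":
    for name, why in scan_attachments(SAMPLE).items():
        print(name, "->", "; ".join(why))
```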
The worm also creates entries in the following registry keys:
HKLM\Software\SS\Sent
HKLM\Software\SS\Sent2
W32/Ganda-A sends a rambling diatribe complaining about the Swedish
education system to a small set of email addresses apparently belonging
to Swedish journalists. These emails do not contain the worm as an
attachment.
W32/Ganda-A contains the text:
[WORM.SWEDENSUX] Coded by Uncle Roger in Hõrnsand, Sweden, 03.03. I am
being discriminated by the swedish schoolsystem. This is a response to
eight long years of discrimination.
XM97/Baris-AG
Aliases
X97M_BARISADA.B, X97M.Barisada.Var, X97M/Barisada.gen,
Macro.Excel97.Barisada
Type
Excel 97 macro virus
Detection
At the time of writing Sophos has received just one report of this
virus from the wild.
Description
XM97/Baris-AG is a simple macro virus. The viral macros are stored in
the file book.xls.
On 24 April between 2pm and 3pm the virus displays a series of dialog
boxes asking the user questions which may be related to a fantasy role
playing game.
The first dialog box has the title '1st Qusetion' and the text
'Question : What is the Sword Which Karl Styner(=Grey Scavenger) used?
Answer: Barisada'.
If the user presses 'No' a message box with the title 'Right Answer'
and the message 'Good! You're Authorized now!!' is displayed.
If the user presses 'Yes' then a message box with the title 'Wrong
Answer' and the text 'I will give you one more Chance. Be careful!!' is
displayed.
The next dialog box has the title 'Wrong Answer may cause The Serious
Problem!' and the text 'Summoning Xavier is the Ultimate Magic.
Right?'.
If the user presses 'Yes' a message box with the title 'Right Answer'
and the message 'ok , i will forgive you' appears.
If the user presses 'No' a message box with the title 'You shall Die'
and the message 'Wrong Answer, Your file will be deleted!' appears. The
virus then clears all the cells in all the open sheets.
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SOURCE: echomail via fidonet.ozzmosis.com