echo: virus
to: ALL
from: KURT WISMER
date: 2003-01-11 13:33:00
subject: News (fwd)

[cut-n-paste from sophos.com]

W32/Sobig-A

Type
Win32 worm 

Detection 
Sophos has received several reports of this worm from the wild.

Description
W32/Sobig-A is a worm that uses a built-in SMTP client and local 
Windows network shares to spread.

W32/Sobig-A arrives in an email with the following characteristics:

Subject line -chosen from:
Re: Movies
Re: Sample
Re: Document
Re: Here is that sample

Attached file - chosen from:
Document003.pif
Sample.pif
Untitled1.pif
Movie_0074.pif

The worm searches the local hard drive for files with the extensions 
TXT, HTML, EML, HTM, WAB and DBX. The files are used to extract a list 
of recipient email addresses that will be used by the worm to send 
infected emails.

When the attachment is run, W32/Sobig-A copies itself into the Windows 
folder as Winmgm32.exe and creates a new process by running the file.

W32/Sobig-A creates the following registry values to run itself on 
Windows startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsMGM

The worm connects to a website and attempts to download the file 
reteral.txt which contains a URL to another file. W32/Sobig-A then 
attempts to download and run the referenced file.

The worm also attempts to copy itself onto Windows shares of the local 
network if the folders Windows\All Users\Start Menu\Programs\StartUp or
Documents and Settings\All Users\Start Menu\Programs\Startup exist in a 
shared folder.




W32/Avril-B

Aliases 
I-Worm.Avron.b, Win32/Lirva.C worm, W32.Lirva.C@mm 

Type 
Win32 worm 

Detection 
Sophos has received many reports of this worm from the wild.

Description
W32/Avril-B is an internet worm which spreads via email. W32/Avril-B is 
an extended variant of W32/Avril-A. For information on the generic 
features of W32/Avril-B see the description of W32/Avril-A.

W32/Avril-B differs from W32/Avril-A as follows.

The format of the sent email has changed to the following:

Subject line - one of the following 16:
Fw: Avril Lavigne - CHART ATTACK!
Fw: F. M. Dostoyevsky "Crime and Punishment"
Fw: Redirection error notification
Fwd: Re: Have U requested Avril Lavigne bio?
Fwd: Re: Reply on account for Incorrect MIME-header
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Re: According to Purge's Statement
Re: ACTR/ACCELS Transcriptions
Re: Brigada Ocho Free membership
Re: Ha perduto qualque cosa signora?
Re: IREX admits you to take in FSAU 2003
Re: Junior Achievement
Re: Reply on account for IFRAME-Security breach
Re: Reply on account for IIS-Security Breach (TFTP)
Re: Vote seniors masters - don't miss it!

Message text - may contain one of the following 4 alternatives, but 
they might be skipped and hence not included:

"AVRIL LAVIGNE - THE CHART ATTACK!
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I'm with you!
Chart attack active list:"

"Restricted area response team (RART)
Attachment you sent to is intended to overwrite
start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch"

"Network Associates weekly report:
Microsoft has identified a security vulnerability in Microsoft®
IIS 4.0 and 5.0 that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected
against the vulnerability and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who
have not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft® Tech Support:"

"AVRIL LAVIGNE - THE BEST
Avril Lavigne's popularity increases:>
SO: First, Vote on TRL for I'm With U!
Next, Update your pics database!
Chart attack active list .>.>"

Attachment exe - one of the following 21:
ADialer.exe
ALavigne.exe
AvrilLavigne.exe
AvrilSmiles.exe
BioData.exe
CERT-Vuln-Info.exe
Cogito_Ergo_Sum.exe
Complicated.exe
EntradoDePer.exe
IAmWiThYoU.exe
MSO-Patch-0035.exe
MSO-Patch-0071.exe
Phantom.exe
Readme.exe
Resume.exe
SiamoDiTe.exe
Sk8erBoi.exe
Sophos.exe
Transcripts.exe
TrickerTape.exe
Two-Up-Secretly.exe

The worm may also attach a TXT, HTM, DOC or HTML file to the email from 
the Personal folder of the user.

W32/Avril-B tries to update itself from the web and also tries to 
download a backdoor Trojan (apparently Back Orifice 2K) from the web 
and run it on the user's computer. At the time of this writing the 
corresponding URL was unavailable. The worm would download the backdoor 
Trojan into <Windows system>\bo2k.exe and set the following registry 
entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SocketListener =
<Windows system>\bo2k.exe

W32/Avril-B drops a different version of the text file avril-ii.inf and 
sends the cached passwords to different email addresses.

The payload has also been changed slightly, in that the text displayed 
in the top left corner of the screen is now "AVRIL_LAVIGNE_LET_GO - 
MY_MUSE:) VOTE FOR I'm With YoU.




W32/ExploreZi-N

Aliases 
W32/ExploreZip.worm@M 

Type 
Win32 worm 

Detection 
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/ExploreZi-N is an email worm which uses Microsoft Outlook to 
distribute multiple copies of itself. Other MAPI compliant browsers may 
also propagate the worm. Machines not running Outlook can still be 
infected with W32/ExploreZi-N.

If you run the worm when Outlook is active, it mails a copy of itself 
in reply to all unread mail in your inbox in a message containing the 
text:

Hi  I have received your email and I shall send you 
a reply ASAP. Till then take a look at the attached zipped docs. bye.

A file called ZIPPED_FILES.EXE is attached, and contains the worm.

If the recipient double-clicks on the attachment, the worm is triggered 
on their computer. As a disguise, it displays the message: "Cannot open 
file: it does not appear to be a valid archive. If this file is part of 
a ZIP format backup set, insert the last disk of the backup set and try 
again. Please press F1 for help."

The worm then copies itself into the system directory under the name 
EXPLORE.EXE, and modifies the WIN.INI file so that the infected file 
runs every time Windows is started.

As an additional warhead, W32/ExploreZi-N reduces to zero length files 
of extension ASM, CPP, DOC, XLS, C, H and PPT in any accessible drive.





W32/Avril-A

Aliases 
Lirva_A, W32/Naith.A-mm 

Type 
Win32 worm 

Detection 
Sophos has received several reports of this worm from the wild.

Description
W32/Avril-A is an internet worm that copies itself into the Windows 
system folder using a random name and sets the following registry entry 
to run itself automatically when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Avril Lavigne - Muse = <Windows system>\randomname.exe

The following registry entries are also created:
HKLM\Software\OvG\Avril Lavigne=Done
HKLM\Software\OvG\Avril Lavigne\PSW-Trojan=1

W32/Avril-A drops itself into the KaZaA folder with one of the 
filenames shown below and creates the file 
\avril-ii.inf.

The worm terminates anti-virus products and drops several copies of 
itself onto the hard disk with random names.

On the 7th, 11th and 24th of any month, W32/Avril-A will open up 
Microsoft Internet Explorer to www.avril-lavigne.com, display coloured 
ellipses in the middle of the screen and display 
"AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg" in the 
top left corner of the screen.


The worm can send cached passwords to a Russian email address.

W32/Avril-A spreads by sending itself to email addresses gathered from 
DBX, MBX, WAB, HTML, EML, HTM, TBB, SHTML, NCH and IDX files, stored in 
\listrecp.dll.

The emails will have the following characteristics:
Subject line - randomly selected from one of the following 10:
Fw: Avril Lavigne - the best
Fw: Prohibited customers...
Fwd: Re: Admission procedure
Fwd: Re: Reply on account for Incorrect MIME-header
Re: According to Daos Summit
Re: ACTR/ACCELS Transcriptions
Re: Brigade Ocho Free membership
Re: Reply on account for IFRAME-Security breach
Re: Reply on account for IIS-Security
Re: The real estate plunger

Message body - chosen from 3 alternatives:
"Avril fans subscription
FanList admits you to take in Avril Lavigne 2003
Billboard awards ceremony
Vote for I'm with you!
Admission form attached below"

"Restricted area response team (RART)
Attachment you sent to  is intended to overwrite
start address at 0000:HH4F
To prevent from the further buffer overflow attacks
apply the MSO-patch"

"Microsoft has identified a security vulnerability in
Microsoft® IIS 4.0 and 5.0
that is eliminated by a previously-released patch.
Customers who have applied that patch are already protected
and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0
who have not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft®Tech Support:"

Attached file - one of the following:
AvrilLavigne.exe
AvrilSmiles.exe
CERT-Vuln-Info.exe
Cogito_Ergo_Sum.exe
Complicated.exe
Download.exe
IAmWiThYoU.exe
MSO-Patch-0035.exe
MSO-Patch-0071.exe
Readme.exe
Resume.exe
Singles.exe
Sk8erBoi.exe
Sophos.exe
Transcripts.exe
Two-Up-Secretly.exe

It is not necessary for a user to double-click on the attachment to 
become infected as this worm can exploit a security vulnerability in 
Microsoft Internet Explorer, Outlook and Outlook Express. To prevent 
reinfection, users of Microsoft Outlook and Outlook Express should 
install the following patch available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp
(This patch fixes a number of vulnerabilities in Microsoft's software, 
including the one exploited by this worm.)

W32/Avril-A tries to spread across networks by copying itself with a 
random name into the root folder or the RECYCLED folder of shared 
drives. The worm then appends a line 
(e.g. "@win \RECYCLED\randomname.exe") to autoexec.bat to run itself on 
the remote machine. The worm is also capable of sending itself to ICQ 
users and spreading via mIRC.





WM97/Killboot-A

Aliases 
Macro.Word97.Norver, W97M_OPEY.AV, W97M/Killpar 

Type 
Word 97 macro virus 

Detection 
At the time of writing Sophos has received no reports from users 
affected by this virus. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
WM97/Killboot-A disables the Macro warning dialog box and removes the 
"Security" option from the Tools|Macro menu.

WM97/Killboot-A drops setver.exe and an autoexec.bat file to C:\ 
(both files are detected as Troj/Killboot-A). The autoexec.bat file 
runs setver.exe on the next startup.

WM97/Killboot-A sets the trigger date for Troj/Killboot-A. The trigger 
date is usually 29th,30th or 31st of the month after the initial 
infection.

 
--- MultiMail/MS-DOS v0.27
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/1 379/1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
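The four email worms above all arrive as a plain executable attachment 
with a fixed set of filenames, and W32/Avril-A additionally relies on a 
client bug (fixed by MS01-027) to run without a double-click. The script 
below is an added example of a mail-gateway triage check built from those 
indicators; it is not Sophos's or the poster's code. The attachment name 
lists are transcribed from the descriptions; the extra extensions 
(.com/.scr/.bat), the MIME-type/extension mismatch heuristic, and the 
three sample messages are assumptions constructed for illustration.

```python
"""Mail triage for the worm indicators in the Sophos descriptions above.

Added example, not code from the advisories. Indicator names are copied
from the text; everything marked 'assumption' is illustration only.
"""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Attachment names transcribed from the advisories (lower-cased).
# The W32/Avril-A and W32/Avril-B lists are merged into one set.
SOBIG_A = {"document003.pif", "sample.pif", "untitled1.pif", "movie_0074.pif"}
AVRIL = {n.lower() for n in (
    "ADialer.exe", "ALavigne.exe", "AvrilLavigne.exe", "AvrilSmiles.exe",
    "BioData.exe", "CERT-Vuln-Info.exe", "Cogito_Ergo_Sum.exe", "Complicated.exe",
    "Download.exe", "EntradoDePer.exe", "IAmWiThYoU.exe", "MSO-Patch-0035.exe",
    "MSO-Patch-0071.exe", "Phantom.exe", "Readme.exe", "Resume.exe", "SiamoDiTe.exe",
    "Singles.exe", "Sk8erBoi.exe", "Sophos.exe", "Transcripts.exe",
    "TrickerTape.exe", "Two-Up-Secretly.exe")}
EXPLOREZIP = {"zipped_files.exe"}

# .exe and .pif appear on the page; .com/.scr/.bat are an assumption.
EXECUTABLE_EXTS = {".exe", ".pif", ".com", ".scr", ".bat"}
# Assumption/heuristic: an executable declared as text, audio, image or
# video is the general shape of the "incorrect MIME header" trick that
# auto-ran attachments in unpatched Outlook/Outlook Express.
INNOCUOUS_MAINTYPES = {"text", "audio", "image", "video"}


def attachment_names(msg):
    """Yield (filename, declared content type) for each attachment part."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            # Drop any path the sender prepended; keep only the basename.
            yield PureWindowsPath(name).name, part.get_content_type()


def triage(raw):
    """Return a sorted list of findings for one message (bytes or str).

    An empty list means none of the advisory indicators matched.
    """
    if isinstance(raw, bytes):
        msg = email.message_from_bytes(raw, policy=policy.default)
    else:
        msg = email.message_from_string(raw, policy=policy.default)
    findings = set()
    for name, ctype in attachment_names(msg):
        low = name.lower()
        ext = PureWindowsPath(low).suffix
        if low in SOBIG_A:
            findings.add("W32/Sobig-A attachment name")
        if low in AVRIL:
            findings.add("W32/Avril attachment name")
        if low in EXPLOREZIP:
            findings.add("W32/ExploreZi-N attachment name")
        if ext in EXECUTABLE_EXTS:
            findings.add("executable attachment")
            if ctype.split("/")[0] in INNOCUOUS_MAINTYPES:
                findings.add("MIME type/extension mismatch")
    return sorted(findings)


def build_sample(subject, body, filename, maintype, subtype):
    """Construct a sample message (test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    # A stub with a DOS 'MZ' header stands in for the worm body (assumption).
    msg.add_attachment(b"MZ\x90\x00" + b"\0" * 60, maintype=maintype,
                       subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples mirroring the email characteristics on the page.
SAMPLE_SOBIG = build_sample("Re: Here is that sample", "See the attached sample.",
                            "Sample.pif", "application", "octet-stream")
SAMPLE_AVRIL = build_sample("Re: Reply on account for IIS-Security Breach (TFTP)",
                            "Microsoft has identified a security vulnerability ...",
                            "MSO-Patch-0071.exe", "audio", "x-wav")
SAMPLE_CLEAN = build_sample("Q1 figures", "See attached.", "figures.pdf",
                            "application", "pdf")

if __name__ == "__main__":
    for label, raw in (("sobig", SAMPLE_SOBIG), ("avril", SAMPLE_AVRIL),
                       ("clean", SAMPLE_CLEAN)):
        print(label, triage(raw))
```

The name lists only catch these exact variants; the generic 
"executable attachment" finding is the one that still holds for the next 
variant, and in practice a gateway would quarantine on that alone.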
