echo: virus
to: ALL
from: KURT WISMER
date: 2003-04-06 19:08:00
subject: News

[cut-n-paste from sophos.com]

W32/Cult-B

Aliases 
I-Worm.Cult-B 

Type 
Win32 worm 

Detection 
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Cult-B spreads via file sharing on KaZaA networks and by emailing 
itself to random email addresses.

The email has the following characteristics:
Subject line: Hi, I sent you an eCard from BlueMountain.com
Message text: To view your eCard, open the attachment If you have any 
comments or questions, please visit 
http://www.bluemountain.com/customer/index.pd
Attached file: BlueMountaineCard.pif

When first run the worm moves itself to the Windows system folder as 
wuauqmr.exe and creates the registry entries so that wuauqmr.exe is run 
automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
\NvCpTDaemon = wuauqmr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
\NvCpTDaemon = wuauqmr.exe

The worm creates the folder jdfghtrg in the Windows system folder and 
copies itself to this folder using the following filenames:

ACDSee 5.5.exe
Ad-aware 6.5.exe
Age of Empires 2 crack.exe
aim cracker.exe
steal usernames.exe
aim password cracker aol cracker.exe
Animated Screen 7.0b.exe
Anno 1503_crack.exe
AOL Instant Messenger.exe
aol password cracker.exe
AquaNox2 Crack.exe
Audiograbber 2.05.exe
AVP_Crack.exe
BabeFest 2003 ScreenSaver 1.5.exe
Babylon 3.50b reg_crack.exe
Battlefield1942_bloodpatch.exe
Battlefield1942_keygen.exe
BitDefender.KeyGen.exe
Borland KeyGens.exe
Business Card Designer Plus 7.9.exe
C&C Generals_crack.exe
C&C Renegade_crack.exe
Clone CD 5.0.0.3 (crack).exe
Clone CD 5.0.0.3.exe
Coffee Cup Free HTML 7.0b.exe
Cool Edit Pro v2.55.exe
Crack McAfee 7.exe
Crack Norton 3000.exe
Diablo 2 Crack.exe
DirectDVD 5.0.exe
DirectX Buster (all versions).exe
DirectX InfoTool.exe
DivX 5.03 Codecs.exe
divx pro.exe
DivX Video Bundle 6.5.exe
Download accelarator.exe
Download Accelerator Plus 6.1.exe
driver.exe
DVD Copy Plus v5.0.exe
DVD Region-Free 2.3.exe
FIFA2003 crack.exe
Final Fantasy VII XP Patch 1.5.exe
Flash MX crack (trial).exe
FlashGet 1.5.exe
FreeRAM XP Pro 1.9.exe
GetRight 5.0a.exe
Global DiVX Player 3.0.exe
Gothic 2 licence.exe
GTA 3 Crack.exe
GTA 3 patch (no cd).exe
GTA 3 Serial.exe
gta3.exe
Guitar Chords Library 5.5.exe
HackNTTools.zip .exe
Hitman_2_no_cd_crack.exe
Hot Babes XXX Screen Saver.exe
hotgirls.exe
how to hack.exe
how to use a shell.pif
ICQ Lite (new).exe
ICQ Pro 2003a.exe
ICQ Pro 2003b (new beta).exe
iMesh 3.6.exe
iMesh 3.7b (beta).exe
IrfanView 4.5.exe
KaZaA Hack 2.5.0.exe
KaZaA Lite (New).exe
KaZaA Speedup 3.6.exe
Links 2003 Golf game (crack).exe
Living Waterfalls 1.3.exe
Mafia_crack.exe
Matrix Screensaver 1.5.src
MediaPlayer Update.exe
mIRC 6.40.exe
MP3 encoder_decoderV1.8.exe
mp3Trim PRO 2.5.exe
MSN Messenger 5.2.exe
NBA2003_crack.exe
Need 4 Speed crack.exe
Nero Burning ROM crack.exe
Netfast 1.8.exe
Network Cable e ADSL Speed 2.0.5.exe
Neverwinter_Nights_licence.exe
NHL 2003 crack.exe
Nimo CodecPack (new) 8.0.exe
Nod32Crack.exe
PaintShop Pro 7 Crack_By_Force.exe
PalTalk 5.01b.exe
PANDA.AVers.lusers.exe
PANDA.lusers.exe
play station emulator crack.exe
play station emulator.exe
Pop-Up Stopper 3.5.exe
Popup Defender 6.5.exe
porn.exe
QuickTime_Pro_Crack.exe
Serials 2003 v.8.0 Full.exe
SM.exe
SmartFTP 2.0.0.exe
SmartRipper v2.7.exe
SMS_sender.exe
SophosCrackAllVersion.exe
Space Invaders 1978.exe
Splinter_Cell_Crack.exe
Steinberg_WaveLab_5_crack.exe
Trillian 0.85 (free).exe
TweakAll 3.8.exe
Unreal2_bloodpatch.exe
Unreal2_crack.exe
UT2003_bloodpatch.exe
UT2003_keygen.exe
UT2003_no cd (crack).exe
UT2003_patch.exe
Virtua Girl (Full).exe
virtua girl - adriana.pif
virtua girl - bailey short skirt.pif
warcraft 3 crack.exe
100 free essays school.pif
warcraft 3 serials.pif
WarCraft_3_crack.exe
Winamp 3.8.exe
WindowBlinds 4.0.exe
WinOnCD 4 PE_crack.exe
WinZip 9.0b.exe
worldbook.exe
Yahoo Messenger 6.0.exe
Zelda Classic 2.00.exe
ZoneAlarm Pro KeyGen.exe
zoneallarm_pro_crack.exe

The worm makes the jdfghtrg folder shareable on KaZaA networks by 
creating the registry entry:

HKCU\Software\Kazaa\LocalContent\Dir0
= 012345:%SYSTEM%\jdfghtrg\

Each time the worm is run it performs a Denial-of-Service attack on 
either www.chat-planet.nl or chat.planet.nl by repeatedly creating and 
destroying connections to the chosen site.


XM97/Morx-A

Aliases 
X97M.Romlax, X97M_MORX.A, X97M/Morx, Macro.Excel97.Morx 

Type 
Excel 97 macro virus 

Detection
Sophos has received several reports of this virus from the wild.

Description
XM97/Morx-A is activated when Excel workbooks are opened.
XM97/Morx-A will create the file rom.xla in the following
folder:

C:\Program Files\Microsoft Office\Office\Library\Analysis

and add itself as an Add-In called Rom. This can be seen from
the Tools\Add-Ins display of Microsoft Excel.



W32/Frethem-T

Aliases 
WORM_FRETHEM.P 

Type 
Win32 worm 

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Frethem-T is similar to W32/Frethem-B. One difference is the 
addition of limited backdoor capabilities.

For more information please see W32/Frethem-B.



W32/Lovgate-E

Aliases 
Worm.lovegate.f, W32/LovGate.F-m, I-Worm.LovGate.f, W32/Lovegate.g 

Type
Win32 worm 

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Lovgate-E is a mass mailing worm and a backdoor Trojan. This 
variant of the Lovgate family will only work on Microsoft NT/2000/XP 
platforms.

W32/Lovgate-E has two mass mailing routines. The first sends a message 
with the following characteristics to email addresses retrieved from 
unread messages in the infected user's Outlook folders:

Subject line: Re: 
Message text:


If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.

Attached file: one of the following

Britney spears nude.exe.txt.exe
Deutsch BloodPatch!.exe
dreamweaver MX (crack).exe
DSL Modem Uncapper.rar.exe
How to Crack all gamez.exe
I am For u.doc.exe
Industry Giant II.exe
joke.pif
Macromedia Flash.scr
Me_nude.AVI.pif
s3msong.MP3.pif
SETUP.EXE
Sex in Office.rm.scr
Shakira.zip.exe
StarWars2 - CloneAttack.rm.scr
the hardcore game-.pif

The second mass mailing routine sends emails to addresses found in 
files with an extension starting with the characters HT, for example 
HTM and HTML files. These emails will have a combination of subject 
line, message text and attached filename taken from the following 
lists:

Subject lines:

See the attachement
Hi
Hi Dear
Attached one gift for u..
Help
Great
for you
Last Update
Let's Laugh
Reply to this!

Message texts:

Send me your comments...
Patrick Ewing will give Knick fans something to cheer about Friday 
night.

Adult content!!! Use with parental advisory.

It's the long-awaited film version of the Broadway hit. Set in the 
roaring 20's, this is the story of Chicago chorus girl Roxie Hart 
(Zellwger), who shoots her unfaithful lover (West).

This message was created automatically by mail delivery software 
(Exim).

Send reply if you want to be offical beta tester.

Tiger Woods had two eagles Friday during his victory over Stephen 
Leaney.(AP Photo/Denis Poroy)

This is the last cumulative update.

Copy of your message,including all the headers is attached.

For further assistance, please contact!

Attached file:

About_Me.txt.pif
Doom3 Preview!!!.exe
driver.exe
enjoy.exe
images.pif
interesting.exe
Pics.ZIP.scr
README.TXT.pif
Source.exe
YOU_are_FAT!.TXT.pif

W32/Lovgate-E copies itself to the Windows system folder with the 
following filenames:

iexplore.exe
kernel66.dll
ravmond.exe
windriver.exe
wingate.exe
winhelp.exe
winrpc.exe

Additionally, three identical DLL files (ily668.dll, task688.dll and
reg678.dll) are copied to the Windows system folder. These DLL files 
are a component of the backdoor property of this worm and are detected 
as W32/Lovgate-E.

The following registry entries will be created:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Program in Windows = \iexplore.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Remote Procedure Call Locator = Rundll32.exe reg678.dll ondll_reg

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Wingate initialise = \wingate.exe -remoteshell

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinHelp = \Winhelp.exe

HKCR\txtfile\shell\open\command\Default = winrpc.exe %1

The last of these registry entries will cause the worm to be run every 
time a text file is opened.

The worm spreads across the local area network by copying itself to 
network shares using the following filenames:

100 free essays school.pif
Age of empires 2 crack.exe
AN-YOU-SUCK-IT.txt.pif
Are you looking for Love.doc.exe
autoexec.bat
CloneCD + crack.exe
How To Hack Websites.exe
Mefia Trainer!!!.exe
MoviezChannelsInstaler.exe
MSN Password Hacker and Stealer.exe
Panda Titanium Crack.zip.exe
Sex_For_You_Life.JPG.pif
SIMS FullDownloader.zip.exe
Star Wars II Movie Full Downloader.exe
The world of lovers.txt.exe
Winrar + crack.exe

W32/Lovgate-E will attempt to gain Administrator access to machines on 
the local area network by testing the administrator password against a 
list of the most obvious and common passwords. If administrator access 
is achieved then the worm will be copied to the system folder with the 
filename NetServices.exe and will be started as a service with the name 
"Microsoft Network Firewall Services".

On the local machine the worm will attempt to install itself as a 
service with the name "Windows Management Instrumentation Driver 
Extension". Also the DLL dropped by the worm will be used to run a 
service named "NetMeeting Remote Desktop (RPC) Sharing".



W32/Hawawi-A

Aliases 
I-Worm.Hawawi, W32/Holar.d{at}MM, W32.Hawawi.Worm, Win32/Hawawi.A 

Type 
Win32 worm 

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Hawawi-A is an internet worm which attempts to spread by emailing 
itself via SMTP and using the ICQ and KaZaA networks.

W32/Hawawi-A has a destructive payload. The worm reduces files with the 
following extensions to zero bytes: ZIP, DOC, MDB, XLS, TXT, PPT, PPS, 
JPG, PDF, RAR, RAM, MP3, FRM, DPR, PHP, CPP, SWF, SQL, MDE, MDE, WAV, 
RM, MPEG.

The worm is composed of four parts, all of which are dropped within the 
Windows system folder.

    * MEDIA PLAYER.EXE emails the worm and places copies of the worm in 
      the KaZaA shared folder.
    * SYS32 .EXE attempts to use the ICQ network to spread the worm.
    * SMTPMAILER.DLL is a DLL plugin which contains the SMTP commands.
    * The main PE dropper exists on the infected computer as the 
      following files:

      C:\AUTOEXEC[2].PIF
      C:\BOOTLOG[2].PIF
      C:\COMMAND[2].PIF
      C:\CONFIG[2].PIF
      C:\DETLOG[2].PIF
      C:\IO[2].PIF
      C:\MSDOS[2].PIF
      C:\MSG[2].PIF
      C:\NETLOG[2].PIF
      C:\SCANDISK[2].PIF
      C:\SETUPLOG[2].PIF
      C:\SETUPXLG[2].PIF
      C:\SUHDLOG[2].PIF
      C:\SYSTEM[2].PIF
      C:\\AINT_IT_FUNNY.PIF
      C:\\ANAL_SEX_ASS_FUCKING.PIF
      C:\\ANIMAL_N_BURNING_LADIES.PIF
      C:\\ASIAN_GIRLS.PIF
      C:\\BEAUTY_VS_YOUR_FACE.PIF
      C:\\BIG_TITS_BOOBS_PUSSIES.PIF
      C:\\BLACK_BABES.PIF
      C:\\BROKE_ASS.PIF
      C:\\COME_2_CUM.PIF
      C:\\CUTE_GAYS.PIF
      C:\\ENDLESS_LIFE.PIF
      C:\\FAMOUS_PPL_N_BAD_SETUATIONS.PIF
      C:\\GURLS_SECRETS.PIF
      C:\\HARDCORE_AMATURE_NAKED_NUDE.PIF
      C:\\HAWAWI.PIF
      C:\\HAWAWI_N_HAWAII.PIF
      C:\\HEARTS_TRANSLATOR.PIF
      C:\\HOT_SHOW.PIF
      C:\\HOT_TEEN_VIRGIN.PIF
      C:\\HOW_TO_IMPROVE_UR_LOVE.
      C:\\LEADERS_SCANDALS.PIF
      C:\\LESBIAN_GIRLS_LESBO_GAY.PIF
      C:\\LO0O0O0O0OL.PIF
      C:\\MUSIC_DOWNLOADER.PIF
      C:\\OLD_WOMEN_SEX.PIF
      C:\\REAL_MAGIC.PIF
      C:\\SEXY_LADIES_GETTIN_FUCKED.PIF
      C:\\SHAKIRA_ASS.PIF
      C:\\SHAKIRAZ_BIG_ASS.PIF
      C:\\SHORT_VCLIP.PIF
      C:\\SHOW_CLIP_MPEG_MOVIE.PIF
      C:\\SWEET_BUT_SMILLY.PIF
      C:\\TEARS_OF_HAPPINESS.PIF
      C:\\TEDIOUS_SEX.PIF
      C:\\TEENZ_RAPER.PIF
      C:\\THE_TRUTH_OF_LOVE.PIF
      C:\\UNFAITHFUL_GURLS.PIF
      C:\\WET_PUSSIES.PIF
      C:\\WET_PUSSY_HUGE_COCK_NICE_DICK.PIF
      C:\\WHITE_AMERICA.PIF
      C:\\XXX_MPEGS_DOWNLOADER.PIF
      C:\\YOUNG_TEEN_HAVING_SEX.PIF

W32/Hawawi-A adds the following entry to the registry to run itself on 
system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\loadqm
= "C:\\MEDIA PLAYER.EXE"
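The Run/RunOnce values, the txtfile handler hijack, the KaZaA LocalContent entry and the misleading service names listed in the Cult-B, Lovgate-E and Hawawi-A descriptions above can be checked on a host with the following read-only PowerShell audit. This is an added example, not Sophos's text or tooling; it assumes Windows PowerShell 3.0 or later (for Get-CimInstance) and that the %SYSTEM% placeholder in the descriptions stands for the real Windows system folder.

```powershell
# Added example (not from the Sophos descriptions or the post): read-only audit for
# the persistence indicators named above. Run elevated; it reports and changes nothing.
$findings = @()

# 1. Autorun values whose names or data match the worms' Run/RunOnce entries.
$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Value names and executables as given in the Cult-B, Lovgate-E and Hawawi-A descriptions.
$badNames = @('NvCpTDaemon', 'Program in Windows', 'Remote Procedure Call Locator',
              'Wingate initialise', 'WinHelp', 'loadqm')
$badData  = 'wuauqmr\.exe|reg678\.dll ondll_reg|wingate\.exe -remoteshell|^\\?winhelp\.exe|^\\iexplore\.exe|MEDIA PLAYER\.EXE'
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive properties
    if ($badNames -contains $p.Name -or "$($p.Value)" -match $badData) {
      $findings += "Autorun: $key\$($p.Name) = $($p.Value)"
    }
  }
}

# 2. Lovgate-E's .txt association hijack: the default handler should launch Notepad, not winrpc.exe.
$txtKey = 'Registry::HKEY_CLASSES_ROOT\txtfile\shell\open\command'
$txtCmd = (Get-ItemProperty -Path $txtKey -ErrorAction SilentlyContinue).'(default)'
if ($txtCmd -and $txtCmd -notmatch 'notepad\.exe') {
  $findings += "txtfile open handler is '$txtCmd' (expected a notepad.exe command line)"
}

# 3. Cult-B's KaZaA share poisoning: a LocalContent DirN value pointing into the system folder.
$kazaa = 'HKCU:\Software\Kazaa\LocalContent'
if (Test-Path $kazaa) {
  foreach ($p in (Get-ItemProperty -Path $kazaa).PSObject.Properties) {
    if ($p.Name -match '^Dir\d+$' -and
        ("$($p.Value)" -match [regex]::Escape($env:SystemRoot) -or "$($p.Value)" -match 'jdfghtrg')) {
      $findings += "KaZaA shares a system folder: $($p.Name) = $($p.Value)"
    }
  }
}

# 4. Services registered under the misleading names the Lovgate-E description gives.
$badServices = @('Microsoft Network Firewall Services',
                 'Windows Management Instrumentation Driver Extension',
                 'NetMeeting Remote Desktop (RPC) Sharing')
Get-CimInstance -ClassName Win32_Service |
  Where-Object { $badServices -contains $_.DisplayName -or $badServices -contains $_.Name } |
  ForEach-Object { $findings += "Service '$($_.DisplayName)' runs $($_.PathName)" }

if ($findings.Count -eq 0) { 'No indicators from these descriptions found.' } else { $findings }
```

Every hit should be confirmed against the file on disk before acting on it, since the Run value names (WinHelp, loadqm) are deliberately chosen to resemble legitimate software.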

W32/Hawawi-A exploits the IFRAME vulnerability on certain versions of 
Microsoft Internet Explorer and Outlook Express which allows 
attachments to be run automatically when viewing an email message.

The victims' email addresses are extracted from HTM and HTML files on 
the infected computer.

Emails can have one of the following sets of characteristics:

Subject line: '''**'''
Message text: Hii
Try this great program allowing u to translate 100 languages . just 
write a passage in english and chose a language to get the traslation
one of my friends used it with his arabian gf and it worked 
successfully :) so , Now we can say ' Love Speaks it All ' :)

Subject line: Co0o0o0o0oL
Message text: i thing the subject is enough to describe the attached 
file ! check it out and replay your opinion Cya

Subject line: Fw:
Message text: You're gonna love it :) delete it after reading , 
Professor :P

Subject line: Heeeeeeeeeeeeeeeey
Message text: i've got this surprise from a friend :) it really 
deserves a few minutes of your time. Bye

Subject line: Wussaaaaaaaap?
Message text: Should i email u first to email me? u don't know how much
ur emails mean to me. i wish u like this email and plzz don't forget me 
:) Bye

Subject line: WoW But not for NoW
Message text: coz i couldn't get the other part of it , any way , check 
it out having alil thing is better than nothing :P

Subject line: y0 Ain't Got Shyt !
Message text: All u can get is burning ur self Coz all we can do is to 
watch, nothing for us to touch :(

Subject line: Why Do We FOk?
Message text: let me answer ,,, hummmmmmmmm Coz we Burn Our selves by 
watching ********** like the one i attached :P

Subject line: Hi
Message text: i'v got it from a group called  it really fits us , 
check it out carefully :) bye

Subject line: Q <--- what does it look likt?
Message text: Hummm , It looks like something men can't live without 
ha? did u get it? if not , enjoy ur Eyes by Seeing it :) this one is 
deferent!

Subject line: Hiiiii
Message text: you seem to be mad {at} me coz i didn't send u anything for 
along time, i didn't forget u , but i was busy , i've got all of ur 
emails thanx :) and i hope u accept this one as an apology.

Subject line: Heeelllooo , anybody home????
Message text: i tried many times to send u this email but ur account 
was out of storage as i any way , make sure that i didn't and i won't 
forget u :) Cya Forgotten :P

Subject line: Why did u send me this shyt?
Message text: THANX BUT I DON'T ACCEPT SEX MATERIALS FROM STRANGERS. I 
SAW THEM N I WONDERED HOW U COULD DO SO ? I REATTCH THE SHYT U SENT 
PLEASE DON'T EMAIL ME ,

Subject line: Re:Hi
Message text: No thanx , keep it for you :) Bye

Subject line: Lo0o0o0o0o0o0o0o0o0o0o0o0oL
Message text: Measure your intelligence , the power of your mind and 
the speed of your reaction by answering several Qs , don't forget to 
send me your mark. I took 3.5/10 :P Let's see who is more intelligent 
than the other! Good Luck

Subject line: hurry up !!!
Message text: this is the last one i could find , Don't forget , send 
me the project in a zipped file :) Bye

Subject line: To Early To Have Sex!
Message text: When i saw it i didn't believe that she was only 8 yrs 
old. but when i saw the blood and heard the voice of her :( i got 
Shocked

Subject line: Fw:Send it to all of the ppl u love
Message text: Don't Believe ur self, I don't Love Ya :P But i Don't 
know why i sent this to u. Make use of it , Bye :)

Subject line: Surprise
Message text: I'm in a harry , Send me any clip with voice like the one 
i attached . And stop sending the booooring pictures Cya

Subject line: For your elegant Taste
Message text: elegant ppl should satisfy thier taste with elegant 
things :)

Subject line: Again?
Message text: I sent this email to another body :P and he replayed 
saying Thanx !! i always write your email wrongly. Hummm, if u like it 
replay to me , and don't forget to write ur signature to make sure that 
i didn't send the email to a wrong one :) Bye

Subject line: Who are you??????
Message text: Hi i'm fine , thanx for asking :) and thanx for the nice 
attachements. but unfortunately, i don't remember you i will be waiting 
for u emaill to remind me of your self. Hummm , i hope u accept this 
show as an apology. bye

Subject line: The Spanish Beauty
Message text: it's a mix of the Arabian beauty & the european grace ! 
satisfy your eyes with the beauty that u have never seen :)

Subject line: I've Got it :)
Message text: I've got it from KaZaA network , it seems not to be full 
but that's all i could find :( bye

Subject line: Helloooooooo
Message text: I've got your email , but you forgot to upload the 
attachments. Don't be selfish , i sent you all the files i have, send 
me anything :( bye

Subject line: If u are booooored ...
Message text: i found it in my Recycled , i know u love this kind of 
thing :)

The worm also drops C:\MSG.HTM, which displays the following message:

"MaDe iN HaWaWi
By ZaCker & MyLife
2003/03/03
We BeLieVe Dat Filling
Da HD With Data Will
Hurt The PC
Oops
We Could Deal With it
Hawa :) Bye"


--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)

SOURCE: echomail via fidonet.ozzmosis.com
