echo: virus
to: ALL
from: KURT WISMER
date: 2003-11-01 14:19:00
subject: News

[cut-n-paste from sophos.com]

W32/Mimail-C

Aliases
W32/Mimail.C{at}mm, I-Worm.NetWatch, W32/Bics{at}mm

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Mimail-C is a worm that spreads via email using addresses harvested 
from the hard drive of the infected computer. All email addresses found 
on the computer are saved in a file eml.tmp in the Windows folder.

In order to run automatically when Windows starts up W32/Mimail-C copies 
itself to the file netwatch.exe in the Windows folder and adds the 
following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetWatch32

The emails sent by the worm have the following characteristics:
Subject line: Re[2]: our private photos 
Message text:
Hello Dear!

Finaly i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur 
bh:))
photos are great! This evening i'll come and we'll make the best SEX :)

Right now enjoy the photos.

Kiss, James.
Attached file: photos.zip

W32/Mimail-C spoofs the From field of the sent emails using the email 
address james{at}.

Photos.zip is a compressed file which contains an executable file named 
photos.jpg.exe.

While searching for email addresses in files on the local hard drive 
W32/Mimail-C attempts to exclude the following extensions from the 
search:

    * AVI

    * BMP

    * CAB

    * COM

    * DLL

    * EXE

    * GIF

    * JPG

    * MP3

    * MPG

    * OCX

    * PDF

    * PSD

    * RAR

    * TIF

    * VXD

    * WAV

    * ZIP






W32/Sober-Enc

Aliases
W32.Sober{at}mm.enc, W32/Sober.eml

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
Sophos detects as W32/Sober-Enc samples of W32/Sober-A which have been 
base64 encoded (in some cases multiple times). The files are not 
malicious in this state.





W32/Holar-I

Aliases
I-Worm.Hawawi.g, Win32/Holar.I, W32/Holar.l{at}MM, W32.Galil.C{at}mm, 
WORM_HAWAWI.F

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Holar-I is an internet worm which spreads via file sharing on 
peer-to-peer networks and by emailing itself to addresses found on the 
local computer in such places as the Outlook address book and TXT, HTML, 
HTM and EML files.

The worm may arrive in an email using one of the following subject lines:
Fw:
Re:
Check this out ;)
Enjoy!
This is all i can send
Have Fun :)
You gonna love it
Here is what u wanted
:)
Wait for more :)
looool
Take a look
Never mind !
Attatchments
See the attatched file
gift :)
Surprise!
save it for hard times
Happy Times :)
Useful
Very funny
Try it
you have to see this!
emazing!

The name of the attached file will be that of the executing worm.

W32/Holar-I searches the registry for the path to the KaZaA share folder 
and will copy itself to that location with a PIF, EXE, COM, BAT or SCR 
extension. An example would be:
:\Program Files\KaZaA\My Shared Folder\Kazaa.bat

W32/Holar-I will also copy itself to the Windows system folder using the 
executed worm filename with a .SYS extension. Other files created in the 
Windows system folder, that may also be copied to the Windows temp 
folder, include explore.exe, smtp.ocx and a.pif (can also have EXE, BAT, 
SCR or COM extension).

The file smtp.ocx is a legitimate software component and therefore 
detection is not included for this file.

The following registry entry is created to ensure the worm is activated 
at system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explore
= :\%system%\explore.exe

The default Internet Explorer start page registry entry is changed to:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
= http://www.geocities.com/yori_mrakkadi

The following registry entries are added for the purposes of infection 
marker and payload timing respectively:

HKLM\Software\Microsoft\Windows\a
HKCU\DeathTime

The registry entry HKCU\DeathTime stores a counter of the number of 
times W32/Holar-I has been run. When the value of this registry entry 
reaches 30, the computer will stop responding to input and the 
following message will be displayed over the entire screen in red on a 
black background:

"! have noth!na say bam st!ll ZaCker !"

This will happen almost immediately every time the computer starts up 
until the worm is removed.





W32/Agobot-AF

Aliases
W32/Gaobot.worm.gen

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Agobot-AF is a network worm which also allows unauthorised remote 
access to the computer via IRC channels.

W32/Agobot-AF copies itself to network shares with weak passwords and 
attempts to spread to computers using the DCOM RPC and the RPC locator 
vulnerabilities.

These vulnerabilities allow the worm to execute its code on target 
computers with System level privileges. For further information on 
these vulnerabilities and for details on how to protect/patch the 
computer against such attacks please see Microsoft security bulletins 
MS03-026 and MS03-001.

W32/Agobot-AF copies itself to the Windows system folder as SCVHOST.EXE 
(note the transposed letters: the name is chosen to pass for the 
legitimate svchost.exe) and creates the following entries in the 
registry to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Config Loader
= SCVHOST.EXE

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Config Loader
= SCVHOST.EXE

W32/Agobot-AF attempts to terminate various processes related to 
anti-virus and security software (e.g. SWEEP95.EXE, BLACKICE.EXE and 
ZONEALARM.EXE).





W32/Marq-A

Aliases
I-Worm.Voltan, Win32/Marq.A, W32.Marque{at}mm

Type
Win32 worm

Detection
Sophos has received several reports of this worm from the wild.

Description
W32/Marq-A is an email worm that works by sending an email containing a 
link to a webpage which, when activated, will reportedly cause the worm 
to be downloaded as zelig.scr. At the time of analysis the webpage in 
question was not available to confirm the reports.

The email will have the following characteristics:
Subject line: Il momento e' catartico [Italian: "The moment is cathartic"]
Message text: Ricevo e cortesemente inoltro,.... un premio per la 
genialita hanno reso mitico un salva schermo scaricalo, "poesie 
catartiche", che non sai cosa ti perdi

ciao
[Roughly: "I receive and kindly forward,.... a prize for genius has made 
a screensaver legendary, download it, "cathartic poems", you don't know 
what you're missing / bye"]
Attached file: There will be no attachment to the email.

The text "poesie catartiche" in the message text contains the link to 
the page that is reported to download the worm.

W32/Marq-A sends the email to all entries in the user's Windows Address 
Book.

W32/Marq-A changes the marquee screensaver on Windows to contain the 
text "A volte ti sento così vicinia...A volte ti sento così lontana...
Certo che hai proprio un cellulare di merda!" (roughly: "Sometimes I 
feel you so close... Sometimes I feel you so far away... You really do 
have a crap mobile phone!").

When the worm has run, a webpage (different from the one contained in the 
link in the email) will be opened. This page was also unavailable at the 
time of analysis.





W32/Sober-A

Aliases
I-Worm.Sober, Win32/Sober.A, W32.Sober{at}mm

Type
Win32 worm

Detection
Sophos has received many reports of this worm from the wild.

Description
W32/Sober-A is an email worm with the following characteristics:

Subject line chosen from:
New internet virus!
You send spam mails (Worm?)
A worm is on your computer!
Now, its enough
You have sent me a virus!
Hi darling, what are you doing now?
Be careful! New mail worm
Re: Contact
RE: Sex
Sorry, Ive become your mail
Hey man, long not see you
Re: lol
Viurs blocked every PC (Take care!)
Surprise
Ive become your mail!
Advise who I am!
New Sobig-Worm variation (please read)
Back At The Funny Farm
I love you (Im not a virus!)
Neuer Virus im Umlauf!
Sie versenden Spam Mails (Virus?)
Ein Wurm ist auf Ihrem Computer!
Langsam reicht es mir
Sie haben mir einen Wurm geschickt!
Hi Schnuckel was machst du so ?
VORSICHT!!! Neuer Mail Wurm
Re: Kontakt
RE: Sex
Sorry, Ich habe Ihre Mail bekommen
Hi Olle, lange niks mehr geh
Re: lol
Viurs blockiert jeden PC (Vorsicht!)
Überraschung
Ich habe Ihre E-Mail bekommen !
Jetzt rate mal, wer ich bin !?
Neue Sobig Variante (Lesen!!)
Back At The Funny Farm
Ich Liebe Dich

Message text (if the internet domain of the recipient is de, li, at or 
ch the worm creates a message in German, otherwise the message and 
subject lines are in English. A message in English may contain one of 
the following, depending on the subject line and the attached file 
name):

"Congratulations!! Your Sobig Worms are very good!!!
You are a very good programmer!
Yours faithfully
din alias Anon"

"Kaspersky Lab Int. and Norton Anti Virus have found a new typ of worm.
He calls itself "ODIN" and he is very variable!
The worm hides in the screen saver.
Read the -screen_doc- documentation and you will be able to
find and kill this virus!",

"I permanently get Spam-Mails from you and inside is a virus!!
You should remove these thing.
Sorry, but the ODIN Worm is probably on your computer!
You should check this with the patch application.

See you soon",

"Automatic Mail notification: Robot-System__##

Answer = complete %Error% occured%
Answer transferred in attachement -Access*",

"Or are you put under stress?
I,, I put only under stress,,, every sec, min, hour, day,.....
You see, I've an another mail-name!
But, it's too dangerous to say it,, here in the internet.
Every can read my problems! Use the attach.,
the password is your birthday.

See you soon!",

"Sorry :-) it's late,, I know,, but I`ve a new mail adress.
I've got my own screen saver;; with me!
Other say, it`s nice, but,,... see self.
Ok ok ,, I'm nacked in this pic, but, it is a work of art!
Yaya I know i know!",

"I hope you know of me!
When not, please delete this mail!",

"New Sobig variation in the net.
Save yourself with the patch before it's too late!
The new Sobig is very dangerous!",

"Actually, this bastardos have installed a trojan on my computer!
And now, I'm here,.,. I've tell you something about the..
No, not here, I'll to report you,, next days!
But before, you must check your system. Trojan are everywhere!!!
Check first your system with the tool.
see ya",

"You must change any settings before the worm control your computer!
But, read the official statement from Norton Anti Virus!",

"Sorry, but the ODIN Worm is probably on your computer!
You should check this with the patch application.
See you soon",

"Kaspersky Lab Int. and Norton Anti Virus have found a new typ of worm.
He calls itself and he is very variable!
This mail was spread with this Worm, too. BUT, the attachement is a 
AntiVirus!!",

"Automatic Mail notification: Robot-System__##
WHEN YOU CAN NOT READ THIS MAIL ATTACH.,
PLEASE REPORT US THIS ERROR.",

Attached file chosen from:
anti-Sob.bat
Anti-Sob.bat
anti-trojan.exe
anti_virusdoc.pif
AntiTrojan.exe
AntiVirusDoc.pif
Bild.scr
check-patch.bat
Check-Patch.bat
CM-recover.com
CM-Recover.com
funny.scr
Funny.scr
Hengst.pif
Liebe.com
little-scr.scr
love.com
Mausi.scr
nacked.com
NackiDei.com
Odin_Worm.exe
perversion.scr
Perversionen.scr
pic.scr
playme.exe
potency.pif
Privat.exe
private.exe
removal-tool.exe
Removal-Tool.exe
robot_mail.scr
robot_mailer.pif
RobotMailer.com
schnitzel.exe
screen_doc.scr
Screen_Doku.scr
security.pif

W32/Sober-A creates three copies of itself in the Windows system folder. 
One of the filenames is always similare.exe and the other two are 
randomly chosen (e.g. systemchk.exe, systemini.exe).

W32/Sober-A adds a filename to the following registry entry so that the 
worm runs when you logon to your computer:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

W32/Sober-A creates the following file underneath the Windows system 
folder: Macromed\Help\Media.dll

This file contains email addresses collected from the system. It is not 
malicious and can be deleted.

W32/Sober-A employs a technique which will cause the virus to be 
restarted if its process is terminated.





W32/Agobot-AC

Aliases
Backdoor.Agobot.3.h, W32/Gaobot.worm.gen.b, Win32/Agobot.3.H, 
W32.HLLW.Gaobot.AO, WORM_AGOBOT.AB

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Agobot-AC is a variant of the Agobot family of worms with a backdoor 
component. This version drops the file regloadr.exe into the Windows 
system folder and creates the following registry entries to run 
automatically when Windows boots up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Registry Loader

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Registry Loader

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
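Added example for the W32/Mimail-C, W32/Holar-I and W32/Sober-A entries above (this is editor-supplied code, not from Sophos or from the poster). All three worms rely on the recipient double-clicking an attachment: Mimail-C ships photos.zip containing photos.jpg.exe, the other two attach bare .pif/.scr/.bat/.com/.exe files. The function below screens an attachment by name, opens ZIPs to check every member, and flags the double-extension trick; it also reports encrypted or corrupt archives it cannot look into. The archive is built in memory and its members are placeholder bytes, not worm code.

```python
"""Screen e-mail attachment names, looking inside ZIPs, for executables.

Added example (not Sophos code). The sample archive is constructed here and
its members are placeholder bytes.
"""
from __future__ import annotations
import io
import zipfile

# Extensions the Windows shell runs on double-click.
EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "bat", "cmd"}
# Extensions a lure name puts in front of the real one (photos.jpg.exe).
DECOY_EXTS = {"jpg", "jpeg", "gif", "bmp", "png", "txt", "doc", "pdf"}

def classify_name(name: str) -> dict | None:
    """Return a finding if name ends in an executable extension, else None.
    'double_ext' marks the photos.jpg.exe pattern, which Explorer displays as
    photos.jpg when 'hide extensions for known file types' is on."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    return {"name": name, "ext": parts[-1],
            "double_ext": len(parts) >= 3 and parts[-2] in DECOY_EXTS}

def screen_attachment(filename: str, content: bytes) -> list[dict]:
    """Findings for one attachment. ZIPs are opened and every member checked;
    an encrypted member or a corrupt archive is reported as a finding of its
    own, because it cannot be inspected and should not be waved through."""
    if not filename.lower().endswith(".zip"):
        hit = classify_name(filename)
        return [hit] if hit else []
    try:
        with zipfile.ZipFile(io.BytesIO(content)) as zf:
            findings = []
            for info in zf.infolist():
                hit = classify_name(info.filename)
                if info.flag_bits & 0x1:          # bit 0 = member is encrypted
                    hit = hit or {"name": info.filename, "ext": None,
                                  "double_ext": False}
                    hit["encrypted"] = True
                if hit:
                    hit["size"] = info.file_size
                    findings.append(hit)
            return findings
    except zipfile.BadZipFile:
        return [{"name": filename, "ext": "zip", "double_ext": False,
                 "corrupt": True}]

def build_mimail_zip() -> bytes:
    """Constructed sample shaped like Mimail-C's photos.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photos.jpg.exe", b"MZ placeholder, not a real PE")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()

if __name__ == "__main__":
    for fn, body in [("photos.zip", build_mimail_zip()),
                     ("Odin_Worm.exe", b""), ("Kazaa.bat", b""),
                     ("beach.jpg", b"")]:
        print(fn, screen_attachment(fn, body))
```

The name check is deliberately done before any content check: a gateway that only sniffs file magic would still pass photos.jpg.exe if the PE were wrapped one more time, whereas the trailing extension is what the shell actually acts on.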
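Added example for the W32/Sober-Enc entry above (editor-supplied, not Sophos code). Sophos detects copies of W32/Sober-A that have been base64-encoded, sometimes more than once, and notes that they are not malicious in that state. A scanner handling such samples decodes layer by layer and only then applies its real signature; the function below does that peel, stopping at the first layer that carries a PE header or at a fixed depth. The "executable" is a constructed 64-byte buffer with an MZ magic, not a real PE, and the PE test is deliberately minimal.

```python
"""Peel nested base64 layers off a sample until a PE image shows up.

Added example (not Sophos code). The sample body is constructed filler with
an MZ magic, not an actual executable.
"""
import base64
import binascii
import re

MAX_LAYERS = 8                      # bound the descent on pathological input
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def looks_like_pe(data: bytes) -> bool:
    """Cheap PE test: DOS-header magic and enough bytes to hold e_lfanew."""
    return len(data) >= 0x40 and data[:2] == b"MZ"

def peel_base64(blob: bytes, max_layers: int = MAX_LAYERS):
    """Return (found, layers_removed, innermost_data). Whitespace (MIME line
    wrapping) is ignored; anything that is not clean base64 ends the descent."""
    data, layers = blob, 0
    while True:
        if looks_like_pe(data):
            return True, layers, data
        if layers >= max_layers:
            break
        stripped = b"".join(data.split())
        if not stripped or len(stripped) % 4 or not _B64_RE.match(stripped):
            break
        try:
            data = base64.b64decode(stripped, validate=True)
        except binascii.Error:
            break
        layers += 1
    return False, layers, data

def make_sample_pe() -> bytes:
    """Constructed stand-in for the worm body: MZ magic followed by filler."""
    return b"MZ" + b"\x90" * 0x3e

def encode_layers(data: bytes, n: int) -> bytes:
    """Wrap data in n layers of MIME-style (line-wrapped) base64, the way a
    mail gateway re-encodes an attachment that was already encoded."""
    for _ in range(n):
        data = base64.encodebytes(data)
    return data

if __name__ == "__main__":
    sample = encode_layers(make_sample_pe(), 3)
    found, layers, inner = peel_base64(sample)
    print(found, layers, inner[:2])
```

The depth limit matters in practice: a mail body that is legitimately base64 several layers deep is rare, but an attacker can nest encoding cheaply, and an unbounded loop over a multi-megabyte attachment is a denial-of-service on the scanner.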
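Added example covering the persistence entries listed for W32/Mimail-C (NetWatch32 -> netwatch.exe), W32/Holar-I (Explore -> explore.exe, plus the Internet Explorer start page it sets), W32/Agobot-AF (Config Loader -> SCVHOST.EXE), W32/Sober-A (a filename added under Run; the entry names similare.exe but not the value name) and W32/Agobot-AC (Registry Loader; the entry gives the value name but not its data, so matching it to the dropped regloadr.exe is an assumption). This is editor-supplied code, not from Sophos. It parses the text of a .reg export, lists the Run/RunServices values and reports those matching the table. The .reg text is constructed for the example; a real file written by 'reg export' is UTF-16 with a BOM and must be decoded before being passed in.

```python
"""Check a .reg export for the autorun entries listed in the advisories above.

Added example, not Sophos code. SAMPLE_REG is constructed; the pairing of
value names with file names for Sober-A and Agobot-AC is assumed.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "key value data worm")

AUTORUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)}

# (value name or None, image file name, worm); a hit on either field is reported.
IOCS = [
    ("netwatch32", "netwatch.exe", "W32/Mimail-C"),
    ("explore", "explore.exe", "W32/Holar-I"),
    ("config loader", "scvhost.exe", "W32/Agobot-AF"),
    (None, "similare.exe", "W32/Sober-A"),
    ("registry loader", "regloadr.exe", "W32/Agobot-AC"),   # data assumed
]
HOLAR_START_PAGE = "http://www.geocities.com/yori_mrakkadi"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes \ and " with a backslash

def parse_reg(text: str):
    """Yield (key, value_name, data) for each REG_SZ value in a .reg export.
    dword:/hex: values and the @= default are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            raw = m.group(2)
            if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
                yield key, _unescape(m.group(1)), _unescape(raw[1:-1])

def image_name(data: str) -> str:
    """Lowercase file name of the program a Run value starts (quoted or not)."""
    data = data.strip()
    cmd = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
    return cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def scan(text: str) -> list:
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k in AUTORUN_KEYS:
            img = image_name(data)
            for ioc_name, ioc_file, worm in IOCS:
                if img == ioc_file or (ioc_name and name.lower() == ioc_name):
                    findings.append(Finding(key, name, data, worm))
        elif (k.endswith(r"\internet explorer\main") and name.lower() == "start page"
              and data.lower().rstrip("/") == HOLAR_START_PAGE):
            findings.append(Finding(key, name, data, "W32/Holar-I"))
    return findings

# Constructed sample export: three infections plus one legitimate entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NetWatch32"="C:\\WINDOWS\\netwatch.exe"
"Config Loader"="SCVHOST.EXE"
"systemchk"="C:\\WINDOWS\\System32\\similare.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre\\bin\\jusched.exe\" -silent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Registry Loader"="regloadr.exe"
"Messenger"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.geocities.com/yori_mrakkadi"
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_REG):
        print(f"{f.worm}: [{f.key}] {f.value} = {f.data}")
```

Two of the entries (SCVHOST.EXE and regloadr.exe) are bare file names with no path, so the loader resolves them through the search order at logon; when triaging a live host, resolve such names to the actual file in the Windows or system folder before deciding the value is benign.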
