
09/03/04 : Windows Virus Alert: Multiple Worms On Campus

09/02/04 : Windows Virus Alert: W32.Beagle.AQ@mm

Windows Virus Alert: Multiple Worms On Campus

Posted on September 03, 2004 10:23 AM

Note: None of these threats are email-borne. They spread by leveraging unpatched machines and machines with weak share passwords or no share passwords.

In the last 24 hours, CIS has found over 20 Windows computers on campus that are infected with one or more of the worms listed below. Desktop Services submitted 3 suspect files removed from a laptop last night and Symantec identified the files as being the following worms:

W32.HLLW.Gaobot.gen (c:\windows\system32\winupdate.exe)
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.gen.html

Non-repairable threat - please delete this file and replace it if necessary.

W32.Spybot.Worm (c:\windows\system32\lsas.exe)
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

Non-repairable threat - please delete this file and replace it if necessary.

W32.IRCBot.E (c:\windows\system32\scvhosting.exe)
http://www.sarc.com/avcenter/venc/data/w32.ircbot.f.html

(Symantec lists W32.IRCBot.E as a variant of this later bot)
Non-repairable threat - please delete this file and replace it if necessary.

The names of these files will vary. Another characteristic of these Gaobot and IRCBot variants was the completeness of registry edits. There were entries in the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
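
One way to check the three autorun keys listed above, given as an added example that is not part of the original alert or of Symantec's instructions: the script parses saved `reg query` output and flags entries whose executable matches a file name reported here or closely resembles a genuine Windows binary, since the names vary. The sample output, the `GENUINE` list and the edit-distance threshold of 2 are assumptions made for illustration.

```python
import ntpath
import re

# Names reported on this page. The page says names vary, so look-alikes of
# genuine Windows binaries are flagged too (GENUINE is an assumed short list).
REPORTED = {"winupdate.exe", "lsas.exe", "scvhosting.exe"}
GENUINE = ("lsass.exe", "svchost.exe", "services.exe", "winlogon.exe", "explorer.exe")
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Constructed sample of `reg query` output; value names and paths are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    "C:\Program Files\Example\tray.exe" /min
    Windows Update    REG_SZ    c:\windows\system32\winupdate.exe
    LSA Service    REG_SZ    C:\WINDOWS\system32\lsas.exe -s
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Host Svc    REG_SZ    c:\windows\system32\svch0st.exe
"""

def edit_distance(a, b):  # Levenshtein distance, row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exe_name(command):  # lower-cased file name of the executable in a command line
    m = re.match(r'"?(.+?\.exe)', command.strip(), re.I)
    path = m.group(1) if m else command.strip().split(" ", 1)[0]
    return ntpath.basename(path).lower()

def classify(name):
    """Return a reason string if the file name is suspicious, else None."""
    if name in REPORTED:
        return "reported on page"
    near = [] if name in GENUINE else [g for g in GENUINE if edit_distance(name, g) <= 2]
    return f"resembles {near[0]}" if near else None

def audit(reg_output):
    """Return (key, value name, file name, reason) for each flagged autorun entry."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif (m := VALUE_LINE.match(line)) and (why := classify(exe_name(m.group(3)))):
            findings.append((key, m.group(1), exe_name(m.group(3)), why))
    return findings
```

To use it on a real machine, save the output of `reg query` for each of the three keys to a text file and pass its contents to `audit()`.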

You can try to clean these infections based on the instructions in the Symantec documentation. Remember that it's important to follow the steps exactly as instructed.

Unfortunately, although none of these worms is new, none of them is detected by Symantec with the 9/1/2004 virus definitions. Based on Symantec Security Response feedback, detection for these threats will be available in the next LiveUpdate cycle.

We'll keep you updated.

Windows Virus Alert: W32.Beagle.AQ@mm

Posted on September 02, 2004 09:13 AM

W32.Beagle.AQ@mm has appeared on campus. The email carries zip file attachments named foto.zip or fotos.zip.

Details of the virus can be viewed at: http://www.symantec.com/avcenter/venc/data/w32.beagle.aq@mm.html

Be sure that you have Symantec Antivirus installed with updated virus definitions, and never open unexpected attachments.

Contact the Help Desk at 863-HELP or Help@brown.edu if you need further assistance.
