Virus Alert! Genuine Virus Warnings

We have set up this page to provide info/warnings about some of the more common viruses / worms that we have come across. It in no way claims to be a comprehensive service .... always run anti-virus software on your system, and most important, keep it's virus definitions updated (at least once a month, and preferably once a week). Also always exercise caution when opening e-mail attachments, even if the mail appears to come from someone you know.

Related:
Info about virus hoaxes
Scam Alert
What is Spyware?

Antivirus websites (Software and Virus Definitions):

• Computer Associates (EZ Antivirus) 

• Bugbear - October 2002

  Also known as Win32/Bugbear.A, W32/Bugbear.A@mm, Worm/Tanatos

  Win32.Bugbear is an e-mail worm written in MSVC. The worm arrives attached to an e-mail. It appears to get the attachment name from files on the infected system. Therefore, the attachment name is unpredictable. The telltale sign is the double extension. The second extension can be pif, exe or scr. The file size is 50,688 bytes (UPX packed).

  The message appears to be an existing message taken from the infected system, then replied to or re-sent with the worm attached. Each message contains HTML code which exploits the "Incorrect MIME Header" vulnerability in Internet Explorer, Outlook and Outlook Express. If successful, the e-mail attachment will be opened on viewing the message, without the user's knowledge.

  More information:
  http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html

  http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=13233

  Download a removal tool and instructions at the following website:
  http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.removal.tool.html 

• Klez - April 2002

  • UPDATE: SEPTEMBER 2002 - Klez is still being widely circulated - we sometimes see up to a dozen instances a day. Best advice: Use good Antivirus software, keep it updated and make sure you have the latest version Microsoft Internet Explorer / Outlook Express installed on your system, including all the latest updates and bug fixes.

  Once again we unfortunately need to issue an urgert <real> virus warning. We have seen nearly a dozen instances of the Klez virus in the last 5 days. This particular virus (worm) exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained. If it is successful, like a number of other prevalent viruses, it then proceeds to mass mail itself to email addresses it finds on the infected system without the user's knowledge.

  A further twist is that some variations of Klez may use address 'spoofing', so that the e-mail it sends appear as if it has come from another machine. If you check the full header of the original infected email, it will tell you who the virus actually came from (In Outlook Express, right click on the email name in your inbox, then click properties > details ).

  For more information about Klez, how to recognise it, and what to do to avoid becoming infected, follow these links:
  http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
  http://www.sarc.com/avcenter/venc/data/w32.klez.e@mm.html

  What can you do? Firstly, make sure you have an effective anti-virus program installed on your PC, and make sure it is updated regularly. Also ensure you have the latest versions of Internet Explorer and Outlook Express installed. Microsoft issues regular "patches" that addresses some of the software flaws that help viruses like Klez to spread. 

• Win32.Badtrans - November 2001

  Also known as W32.Badtrans.B@mm, W32.Badtrans@MM and Win32/PWS.Badtrans.B.Worm, Win32.Badtrans is a worm spreading via e-mail. The worm replies to all read and unread messages and attaches itself using a name constructed from three parts.

  The first part is one of the following strings: fun, Humor, docs, info, Sorry_about_yesterday, Me_nude, Card, SETUP, stuff, YOU_are_FAT!, HAMSTER, news_doc, New_Napster_Site, README, images or Pics

  The second part is chosen from the following list: MP3, ZIP, DOC

  The virus adds another extension to the attachment and selects it from two possible types: pif or scr

  Similar to other worms that have recently been spreading in the wild (such as Nimda), Badtrans also exploits a known security loophole in Internet Explorer. For a detailed description of this security hole and links to the appropriate patches, please visit:
  http://www.microsoft.com/technet/default.asp? url=/technet/security/bulletin/MS01-020.asp 

• Sircam Worm - July 2001

  ANOTHER WORM IS ON THE CRAWL--COMPUTER USERS CAUTIONED
  Computer users around the world have been attacked by a new computer worm. The worm reminds many of the "I LOVE YOU" virus that hit users heavily last year. This new worm is known by various names, including W32/SirCam@mm and Backdoor.SirCam, and is primarily spread by email from unsuspecting computer users who opened an attachment from someone else. This worm is dangerous and can wipe out hard drive data on its trigger date in October. Everyone should consult with anti-virus software manufacturers to make sure their computers are properly protected.

  Norton Utilities: http://www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html

  Article Copyright 2000 Gospel Communications International, Inc.

• Troj_Hybris.M ("Snowhite and the Seven Dwarfs - The REAL story!")

  Aliases: HYBRIS.M, Snow White, W32.Hybris.gen, W32/Hybris-M, I-Worm.Hybris.M, W32/Hybris.gen@

  This non-destructive worm is a variant of TROJ_HYBRIS.C. It propagates via email, by sending itself as an attachment to every user listed in the address book of the infected user.

  Win32.Hybris is an e-mail worm which modifies WSOCK32.DLL to intercept outgoing messages in a manner similar to Happy99 (which is also known as SKA). However, what differentiates Hybris is its ability to update itself and extend its functionality using "plugins". This means that what began as a simple e-mail worm can mutate, complete with new methods of spreading and avoiding detection.