  • March 09, 2004 - Current Activity

    This is an archived copy of Current Activity for the date above; the live page carries the most recent version.

      • W32/Netsky and Variants (updated)
      • W32/Beagle.J-K Variants (new)
      • W32/Beagle.C-I Variants (updated)
      • W32/Bizex
      • W32/Mydoom.F
      • W32/Welchia.D
      • IMail Server exploitation
      • W32/Beagle.B or W32/Bagle.B
      • ASN.1 exploit code
      • W32/Mydoom.C or W32.HLLW.Doomjuice
      • W32/Mydoom.A or W32/Novarg
      • W32/Beagle or W32/Bagle
      • Systems compromised via buffer overflow in DameWare



    W32/Netsky and Variants
    added February 18 | updated March 9

    US-CERT continues to receive reports of new variants of the W32/Netsky mass-mailing virus. The most recent variant is W32/Netsky.K. Netsky arrives as an attachment to an e-mail message containing a From: address that is spoofed to hide the identity of the sender. The Subject and Body of the e-mail message are randomly selected from a fixed list of strings. The attachment has a .PIF file extension with a file name selected from a fixed list of strings. Upon opening the attachment, the virus scans certain files on the user's system collecting e-mail addresses and then attempts to mail itself to all e-mail addresses it found. It has also been reported that certain variants of the virus will generate audible PC speaker beeps with varying pitches and rhythms.

    Please see CERT Incident Note IN-2004-02 for more information.

    US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.

    You may also wish to visit the US-CERT's computer virus resources page.


    W32/Beagle.J-K Variants
    added March 4

    US-CERT has received reports of new variants of the W32/Beagle mass-mailing virus, known as W32/Beagle.J and W32/Beagle.K. These variants will arrive with a password protected .ZIP archive as an attachment to an e-mail message. The email contains a From: address that is spoofed to appear as though it comes from an administrative address (such as management, administration, staff, noreply, or support) at the user's domain. The Subject and Body of the e-mail message are randomly generated and claim to be an administrative warning about the recipient's email account. The attachment is a password protected .ZIP archive containing an executable file (.EXE) with file names that are random. The password for the .ZIP archive is included in the body of the message. These variants contain their own built-in SMTP engine to send copies of the virus to any e-mail address it finds while scanning certain files on the infected system.

    To be infected by these variants, a user must open the .ZIP archive, enter the password from the body of the email, extract the .EXE file and then open it.

    US-CERT strongly encourages users to install and maintain anti-virus software and to exercise caution when handling attachments. Anti-virus software on a mail server cannot inspect the contents of a password protected .ZIP archive, so the user who enters the password is the last line of defense and must exercise discretion when opening email attachments. Mail server administrators may elect to block .ZIP attachments if permitted by policy.

    You may also wish to visit the US-CERT's computer virus resources page.


    W32/Beagle.C-I Variants
    added March 1 | updated March 4

    US-CERT has received reports of new variants of the W32/Beagle mass-mailing virus, known as W32/Beagle.C, W32/Beagle.D, W32/Beagle.E, W32/Beagle.F, W32/Beagle.G, W32/Beagle.H and W32/Beagle.I. These variants will arrive as an attachment to an e-mail message containing a From: address that is spoofed to hide the identity of the sender. The Subject and Body of the e-mail message are randomly selected from a fixed list of strings. The attachment is a .ZIP file containing an executable file (.EXE) with file names that are random. However, it has been reported that attachments infected with W32/Beagle.F and W32/Beagle.G may contain an .EXE, .SCR, or .ZIP file extension. The virus attempts to deceive users into opening the attachment by appearing as an icon that represents a folder, text file, or Excel document. These variants contain their own built-in SMTP engine to send copies of the virus to any e-mail address it finds while scanning certain files on the infected system. Additionally, these variants will open a backdoor on the system that listens for connections on port 2745/tcp.

    US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.
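    The gateway-side checks the Beagle.J-K and Beagle.C-I entries above imply (a .ZIP attachment whose member is encrypted and therefore unscannable, a .ZIP whose member carries an executable extension, and the password being handed to the recipient in the message body) can be implemented directly from the archive headers. The following is an added example, not US-CERT's or any vendor's code: it builds a throwaway in-memory ZIP so that the encrypted flag can be set without a real cipher, wraps it in a constructed e-mail, and reports what a mail filter could still see. All addresses, subjects, filenames, the password pattern and the `triage`/`inspect_zip`/`build_zip` helper names are assumptions of this example; the executable extension list is the one the entries on this page report.

```python
import io
import os
import re
import struct
import zipfile
import zlib
from email.message import EmailMessage

# Attachment extensions the entries on this page report (.PIF, .EXE, .SCR, .CMD, .BAT).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".cmd", ".bat"}

# Beagle.J/K put the archive password in the body. This pattern (an assumption)
# catches "password: xxx" / "password is xxx" and skips "password protected".
PASSWORD_RE = re.compile(r"password\s*(?:is|:)\s*[\"']?(\w+)", re.IGNORECASE)


def build_zip(entries, encrypted=False):
    """Build a minimal stored (uncompressed) ZIP in memory (constructed test data).

    With encrypted=True only general-purpose flag bit 0 is set, which is all a
    gateway scanner sees on a password-protected archive; the member bytes are
    left as-is rather than really enciphered, so never extract them.
    """
    flags = 0x0001 if encrypted else 0
    body, central = bytearray(), bytearray()
    for name, data in entries:
        raw = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(body)
        # local file header: sig, version, flags, method, time, date, crc, sizes, name/extra lengths
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                            crc, len(data), len(data), len(raw), 0) + raw + data
        # central directory entry for the same member
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                               0, 0, crc, len(data), len(data), len(raw),
                               0, 0, 0, 0, 0, offset) + raw
    cd_offset = len(body)
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                      len(central), cd_offset, 0)
    return bytes(body + central + end)


def _ext(name):
    return os.path.splitext(name)[1].lower()


def inspect_zip(blob):
    """Report members a mail gateway cannot scan or should not let through."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x0001:          # bit 0 = member is encrypted
                    findings.append(f"encrypted member {info.filename}: contents cannot be scanned")
                if _ext(info.filename) in EXEC_EXTENSIONS:
                    findings.append(f"executable member {info.filename}")
    except zipfile.BadZipFile:
        findings.append("malformed ZIP attachment")
    return findings


def triage(msg):
    """Return the reasons to quarantine this message (empty list = nothing found)."""
    findings = []
    text_part = msg.get_body(preferencelist=("plain",))
    body_text = text_part.get_content() if text_part is not None else ""
    password = PASSWORD_RE.search(body_text)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        blob = part.get_payload(decode=True) or b""
        if _ext(name) in EXEC_EXTENSIONS:
            findings.append(f"executable attachment {name}")
        if _ext(name) == ".zip" or blob.startswith(b"PK\x03\x04"):
            zip_findings = inspect_zip(blob)
            findings.extend(zip_findings)
            if password and any(f.startswith("encrypted member") for f in zip_findings):
                findings.append(f"archive password supplied in body: {password.group(1)}")
    return findings


def make_message(sender, subject, body, filename, payload, subtype):
    """Constructed sample message; addresses and text are illustrative only."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg


def demo():
    """Triage one Netsky-style and one Beagle.J/K-style constructed message."""
    netsky_like = make_message("someone@example.org", "hello", "see attached",
                               "document.pif", b"MZ not a real program", "octet-stream")
    beagle_like = make_message("management@example.com", "E-mail account security warning.",
                               "The attached file is password protected. Password: 12345",
                               "document.zip",
                               build_zip([("readme.exe", b"MZ not a real program")], encrypted=True),
                               "zip")
    return {"netsky": triage(netsky_like), "beagle": triage(beagle_like)}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, found)
```

    The ZIP checks read only the central directory, so they work on the encrypted archive without the password; the point is that a gateway can still quarantine on the encrypted flag plus an executable member name even though it cannot inspect the bytes, and the password in the body is itself a usable signal.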

    You may also wish to visit the US-CERT's computer virus resources page.


    W32/Bizex
    added February 25

    US-CERT has received some reports of a virus known as W32/Bizex. It manifests itself as an ICQ message that contains a clickable hyperlink. When this link is clicked, the virus attempts to launch Internet Explorer and load an HTML file that exploits the showHelp() vulnerability in Internet Explorer. If successful, the virus downloads an executable file which attempts to discover and transmit confidential information contained in open browser windows, depending on the window's contents.

    US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when using messaging/chat programs such as ICQ.

    You may also wish to visit the US-CERT's computer virus resources page.


    W32/Mydoom.F
    added February 24 | updated February 24

    US-CERT is receiving reports of another variant of the Mydoom virus, called W32/Mydoom.F. Like previous versions (e.g. W32/Mydoom.A or W32/Mydoom.C), a backdoor is opened which allows the virus to download and execute arbitrary code. However, the port number has changed from 3127/tcp to 1080/tcp. Additionally, the backdoor can be used by an attacker to gain access to a system.

    The virus searches for and may delete files with the extensions .mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp.

    If the date is between the 17th and 22nd of the month, the virus will perform a Denial of Service (DoS) attack against the websites for Microsoft (www.microsoft.com) and the Recording Industry Association of America (www.riaa.com).

    US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.

    You may also wish to visit the US-CERT's computer virus resources page.


    W32/Welchia.D
    added February 24

    US-CERT has received some reports of a variant of the W32/Welchia.C worm, known as W32/Welchia.D.

    The worm attempts to gain access to a computer in one of the following methods:

    Once a machine is infected, the worm attempts to do the following:

    • Register itself as a service with Microsoft Windows. While the service name is 'WksPatch', the name displayed will be a 3 word string, with each word randomly selected from a fixed list;
    • Download patches from Microsoft to resolve the Workstation Service and Messenger Service Buffer Overrun vulnerabilities;
    • Disable and remove the W32/Mydoom.A, W32/Mydoom.B, W32/Doomjuice and W32/Doomjuice.B worms;
    • Propagate itself to random IP addresses via the W32/Mydoom.A backdoor on port 3127/tcp, in addition to the methods listed above;
    • Search for IIS files with specific extensions (e.g., .html, .php, .asp, etc.) and overwrite them with HTML data of its own;
    • Set up an HTTP server on a random port, allowing other infected machines to download and execute the worm as 'WksPatch.exe'.

    The worm is designed to stop running after 120 days or on June 1, 2004, whichever comes first.

    Currently, US-CERT is not seeing significant activity as a result of this worm.

    US-CERT strongly encourages users to install and maintain anti-virus and firewall software. We also encourage users to keep current with the latest patches and updates for their particular operating system.

    You may also wish to visit the US-CERT's computer virus resources page.


    IMail Server exploitation
    added February 23

    US-CERT has learned of a publicly available exploit for a recently-published buffer overflow in the LDAP server supplied with Ipswitch IMail Server. We have also received credible secondhand reports of reconnaissance for, and exploitation of, systems vulnerable to this issue.

    Patches are available for this issue, and sites are strongly encouraged to apply them. Please see CERT Vulnerability Note VU#972334 for more information.


    W32/Beagle.B or W32/Bagle.B
    added February 17

    US-CERT has received reports of a new mass-emailing virus, referred to as "W32/Beagle.B", "W32/Bagle.B", or "W32.Alua". It arrives as an attachment to an email with the subject line of the form "ID xxxx... thanks" where xxxx is some number of random characters. The attachment is an executable file (.EXE) with a file name consisting of a random sequence of characters. Upon opening the attachment, the virus scans certain files on the user's system collecting e-mail addresses and then attempts to mail itself to all e-mail addresses it found. The From: address is spoofed to hide the identity of the sender. Additionally, the virus opens a port on the user's system (usually port 8866/tcp) to permit remote access for an intruder and sends notification of the compromise to several remote sites via HTTP GET requests. Indicators of successful compromise include the presence of an AU.EXE program in the C:\WINNT\SYSTEM32 folder and a value of the same name in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
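    The two host indicators above (AU.EXE in C:\WINNT\SYSTEM32 and a Run value of the same name) are the kind of thing an incident responder checks across many machines from a `reg export` of the Run key and a directory listing rather than by hand. The following is an added example, not US-CERT's code: it parses the .reg export format (key lines in brackets, `"name"="data"` value lines with backslash escapes) and reports which Beagle.B indicators are present. The sample export and the directory listing are constructed here, and the helper names `parse_reg_export` and `beagle_b_indicators` are assumptions of the example.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BEAGLE_B_FILE = r"C:\WINNT\SYSTEM32\AU.EXE"   # indicator from the entry above
BEAGLE_B_VALUE = "AU.EXE"                     # Run value name from the entry above

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed `reg export` output; the second Run value mimics the indicator.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"AU.EXE"="C:\\WINNT\\SYSTEM32\\AU.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"""

# Constructed directory listing standing in for os.listdir() on the real host.
SAMPLE_SYSTEM32_LISTING = ["KERNEL32.DLL", "NTOSKRNL.EXE", "AU.EXE"]


def _unescape_reg_string(text):
    """Undo .reg escaping: \\ becomes \ and \" becomes a quote."""
    return re.sub(r"\\(.)", r"\1", text)


def _value_data(data):
    """Quoted string data is unescaped; hex:, dword: and other types are left as-is."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape_reg_string(data[1:-1])
    return data


def parse_reg_export(text):
    """Map each key in a .reg export to its {value name: value data} dictionary."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            current[_unescape_reg_string(m.group(1))] = _value_data(m.group(2))
    return keys


def beagle_b_indicators(reg_text, system32_listing):
    """Return the W32/Beagle.B indicators present; both together mean compromise."""
    found = []
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    for name, data in run_values.items():
        # match on the value name or on the command pointing at the dropped file
        if name.upper() == BEAGLE_B_VALUE or data.upper().startswith(BEAGLE_B_FILE.upper()):
            found.append(f"Run value {name!r} -> {data}")
    if any(entry.upper() == BEAGLE_B_VALUE for entry in system32_listing):
        found.append(f"file present: {BEAGLE_B_FILE}")
    return found


if __name__ == "__main__":
    for item in beagle_b_indicators(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM32_LISTING):
        print(item)
```

    On a live system the listing would come from os.listdir() on the SYSTEM32 directory and the export from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"`; the parser is the reusable part, since every mass-mailer on this page that persists does so through the same Run key.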

    US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.

    You may also wish to visit the US-CERT's computer virus resources page.


    ASN.1 exploit code
    added February 16

    US-CERT has become aware of publicly available exploit code for the ASN.1 vulnerability outlined in VU#583108. Although we have not received external reports of this vulnerability being exploited, we have confirmed that at least one exploit for this vulnerability results in a denial-of-service on the affected system.

    Users are strongly encouraged to review the patch information in US-CERT Technical Cyber Security Alert TA04-041A.


    W32/Mydoom.C or W32.HLLW.Doomjuice
    added February 10

    On February 9, 2004, US-CERT began receiving reports of a new variant of the Mydoom virus known as W32/Mydoom.C or W32.HLLW.Doomjuice. Systems previously infected with Mydoom.A have a backdoor listening on port 3127/tcp. Mydoom.C scans randomly generated IP addresses and attempts to connect to port 3127/tcp. If the connection attempt is successful, it will send a copy of itself to the remote system. The backdoor component of Mydoom.A will accept and automatically execute the file.

    US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.
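    The Mydoom.C behaviour described above (random-address probing of 3127/tcp, then delivery of a copy to any host whose Mydoom.A backdoor answers) shows up in perimeter connection logs as one source fanning out to many destinations on a single port, with the occasional completed handshake marking a host that really is listening. The same logic covers the other backdoor ports the entries above report: 1080/tcp (Mydoom.F), 2745/tcp (Beagle.C-I), 8866/tcp (Beagle.B), and 3127/tcp as used by Welchia.D. The following is an added example, not US-CERT's code: the log format (time, source, destination, destination port, TCP flag summary), the sample lines and the `analyze`/`find_scanners`/`find_exposed_backdoors` names are constructed for this example.

```python
from collections import defaultdict

# TCP ports the entries on this page report as backdoor or propagation channels.
BACKDOOR_PORTS = {
    3127: "W32/Mydoom.A backdoor; probed by W32/Mydoom.C and W32/Welchia.D to spread",
    1080: "W32/Mydoom.F backdoor (also the standard SOCKS proxy port)",
    2745: "W32/Beagle.C-I backdoor",
    8866: "W32/Beagle.B backdoor",
}


def _sample_log():
    """Constructed connection log: time src dst dport flags.

    flags "S" = SYN seen with no reply; "SA" = handshake completed.
    """
    lines = [
        "10:00:00 10.0.0.9 192.0.2.10 80 SA",      # ordinary web traffic
        "10:00:01 10.0.0.9 10.0.0.1 1080 SA",      # internal SOCKS proxy, legitimate
    ]
    # 10.0.0.5 probes 25 hosts on 3127/tcp that do not answer ...
    lines += [f"10:00:{2 + i:02d} 10.0.0.5 10.1.0.{i + 1} 3127 S" for i in range(25)]
    # ... and completes a connection to one host whose Mydoom.A backdoor answers.
    lines.append("10:00:30 10.0.0.5 10.0.0.77 3127 SA")
    return "\n".join(lines)


SAMPLE_LOG = _sample_log()


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "flags": flags})
    return records


def find_scanners(records, min_targets=10):
    """Sources that touched at least min_targets distinct hosts on one backdoor port."""
    targets = defaultdict(set)            # (src, port) -> set of destinations
    for r in records:
        if r["dport"] in BACKDOOR_PORTS:
            targets[(r["src"], r["dport"])].add(r["dst"])
    result = defaultdict(dict)
    for (src, port), dsts in targets.items():
        if len(dsts) >= min_targets:
            result[src][port] = len(dsts)
    return dict(result)


def find_exposed_backdoors(records):
    """Hosts that completed a handshake as the server side on a backdoor port."""
    return {(r["dst"], r["dport"]) for r in records
            if r["dport"] in BACKDOOR_PORTS and r["flags"] == "SA"}


def analyze(text):
    records = parse_log(text)
    return {"scanners": find_scanners(records),
            "exposed_backdoors": find_exposed_backdoors(records)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, ports in report["scanners"].items():
        for port, n in ports.items():
            print(f"{src} probed {n} hosts on {port}/tcp: {BACKDOOR_PORTS[port]}")
    for dst, port in sorted(report["exposed_backdoors"]):
        print(f"{dst} answered on {port}/tcp: {BACKDOOR_PORTS[port]}")
```

    A source flagged by `find_scanners` is itself infected (Mydoom.C or Welchia.D), while a destination flagged by `find_exposed_backdoors` is a candidate Mydoom.A or Beagle victim. Treat the 1080/tcp hits as leads rather than verdicts, since that port is also the standard SOCKS port, as the legitimate proxy in the sample shows.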

    You may also wish to visit the US-CERT's computer virus resources page.


    W32/Mydoom.A or W32/Novarg
    added January 26 | updated February 10

    On January 26, 2004, US-CERT began receiving reports of a new mass-mailing virus now known as W32/Novarg.A, W32/Shimg, or W32/Mydoom.A. It arrives as an email message with a 22,528-byte attachment that has a random filename with a file extension of .cmd, .pif, .scr, .exe, or .bat. The attachment may also arrive as a ZIP archive. This malicious code has been reported to open a connection on port 3127/tcp or port 3176/tcp. In addition to email propagation, the virus attempts to spread through peer-to-peer file sharing networks by copying itself into the default folder used by KaZaA to share files. More information is available in CERT Incident Note IN-2004-01 and CERT Advisory CA-2004-02.

    US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.

    You may also wish to visit the US-CERT's computer virus resources page.


    W32/Beagle or W32/Bagle
    added January 20

    US-CERT has received reports of a new mass-emailing virus, referred to as "W32/Beagle" or "W32/Bagle". It arrives as an attachment to an email with the subject line of "Hi". The attachment is an executable file (.EXE) with a file name consisting of a random sequence of characters. Upon opening the attachment, the virus scans certain files on the user's system collecting email addresses, then attempts to mail itself to all e-mail addresses it found. The From: address is spoofed to hide the identity of the sender. Additionally, the virus opens a port on the user's system (usually port 6777/tcp) which permits an attacker to gain access to the system.

    US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment.

    You may also wish to visit the US-CERT's computer virus resources page.


    Systems compromised via buffer overflow in DameWare
    added December 26

    US-CERT has received reports of systems being successfully compromised via a remotely exploitable buffer overflow in the DameWare Mini Remote Control management package. This vulnerability is documented in VU#909678. Users are encouraged to upgrade to the newest version of the software from the DameWare site.

    If you have additional information about systems compromised using this vulnerability, please send email to cert@cert.org.