# Virus Alerts



## mimo2005 (Oct 2, 2004)

*VIRUS ALERTS*


Bored computer virus offers to play a musical tune, Sophos reports
Anti-virus experts at Sophos have identified a new computer virus which complains of being bored and offers to play a musical tune, whilst secretly opening a backdoor for hackers. 

The W32/Aegi-A virus hunts for executable files to infect on hard drives and floppy disks, and opens a backdoor to allow remote hackers access to affected Windows computers. 

At certain times of the day, W32/Aegi-A will display a message box saying "<Computer name> is very bored, play some music ?". If the user chooses "Yes", the virus attempts to infect the local disk drives again. 










"Some infected users may think that they have a joke program installed on their PCs when they see the message about the computer being bored," said Graham Cluley, senior technology consultant for Sophos. "The good news is that a virus this obvious is never likely to be as significant a threat as some of the fast-spreading internet worms we have seen this year." 

"The virus experts at Sophos were hoping this virus would liven up their day with a merry tune when they were testing it under laboratory conditions," continued Cluley. "Unfortunately the virus wasn't telling the truth. It doesn't play a tune despite its promise, and sadly has no multimedia capabilities at all." 

Although only a small number of instances of the virus have been sighted so far, Sophos recommends companies protect their computers with a consolidated solution to thwart the virus and spam threats as well as secure their desktop and servers with automatically updated anti-virus protection.


----------



## mimo2005 (Oct 2, 2004)

*Sober worm variant shimmies*


By Dawn Kawamoto and Dan Ilett 
November 19, 2004, 8:33 AM PT



A new version of the Sober mass-mailing worm was discovered Friday as it quickly spread through Europe and into the United States.

Tech security companies gave it a midlevel threat warning.

The W32.Sober.i worm, which sends itself as an e-mail attachment to English and German messages, is one of the more serious threats this fall, said security experts. 

"It's probably one of the worst cases we've seen in a month or two," said Mikko Hypponen, antivirus research director for F-Secure, which rated the virus as a level 2 on a scale of 1 to 3. "For some reason, this fall has been relatively quiet. This is one of the biggest cases we've had this fall. But compared to the same time last year and earlier this year, it's not that bad." 

Like the other Sober viruses, the new version uses its own SMTP engine to send copies of itself to e-mail addresses it finds on infected computers. The infected computers will then later serve as a channel to download programs to unsuspecting users. 

The Sober.i virus, featuring an attachment claiming to be naked photos of a blond model, is beginning to spread rapidly around the Internet. A blond, 21-year-old go-go dancer is sending e-mails with naked photos of herself attached and asking for work as a model--or so you are led to think by the latest mass-mailing Sober variant to hit the Web. 

But unless you live in a German-speaking country, the e-mail is not nearly so exotic. Sober.i is programmed only to send itself with the go-go dancer message to German-language domains, such as those ending in .de (Germany) or .ch (Switzerland). 

The virus is also programmed to launch itself at the English-speaking world, but under the subject header of "delivery failure" or "oh god" in the hopes that someone will open an attached .zip file, which unleashes the virus. 

"The German version is really interesting," said Graham Cluley, senior technical consultant for tech security company Sophos. "They claim to come from a German 21-year-old go-go dancer with blond hair. She is seeking employment as a model and she says she has attached some naked photos of herself. But of course the photos are the worm."


"In the English version, they don’t seem to be using sex at all. Maybe (the virus writer) thinks that the English aren't as interested in sex as our German cousins," Cluley said. "Perhaps he is making a national judgment about the countries." 

Sober.i affects systems running Windows XP, 2000, ME, 98, 95, NT and Server 2003.


----------



## mimo2005 (Oct 2, 2004)

*Trojan poses as Lycos Europe screensaver*



*December 7, 2004*, 11:04 AM PST
By Dan Ilett 



An identity-stealing e-mail Trojan horse that disguises itself as the Lycos Europe antispam screensaver is being distributed around the Internet, an antivirus company has warned. 

F-Secure said Tuesday that the key-logging Trojan steals usernames, passwords, credit card details and e-mail addresses, and travels as an e-mail attachment.

Mikko Hypponen, F-Secure's director of antivirus research, said the recent media attention given to the Lycos Europe "Make love not spam" campaign could be an incentive to open the file.

"The whole case has been full of surprising turns from the beginning," Hypponen said. "Whoever is behind this is someone who felt they were being attacked by Lycos. They are trying to teach people a lesson. A lot of people heard about the screensaver but couldn't download it because the ("Make love not spam") Web site was down. Lots of people would be interested in looking, though."

The subject of the Trojan e-mail reads: "Be the first to fight spam with Lycos screen saver." It comes with an attachment file labeled, "Lycos screensaver to fight spam.zip."

Hypponen warned that the Trojan was dangerous if opened, but no more so than other password-stealing malicious software.

On Friday, Lycos Europe terminated its "Make love not spam" screensaver campaign after it was bombarded with criticism that it was attacking spammers' Web sites using denial-of-service-like attacks.

Lycos Europe denied that it had brought down two Web sites hosted in China. It said it had no intention of taking Web sites offline, just of slowing them down to raise the cost of spamming.

Lycos Europe is a separate company from the Web portal that bears the Lycos name in the United States. Lycos Europe claims that it maintains roughly 40 million e-mail accounts in eight European countries.


----------



## mimo2005 (Oct 2, 2004)

*Virus posing as Christmas card*

*December 15, 2004*


INTERNET security experts warned today of a new virulent e-mail worm particularly successful in infecting computers as it is disguised as a multilingual electronic Christmas card.

"We think this worm will be big, because of its timing and the fact that it comes in 15 different European languages," Mikko Hyppoenen, head of anti-virus research at Finnish firm F-Secure, told AFP.

The virus, dubbed Zafi.D, is a traditional internet worm infecting computers by e-mail and distributes itself by using e-mail lists on contaminated personal computers.

Its Christmas greeting is in the language of the recipient, decided by the country code - like ".fi" or ".fr" - at the end of the e-mail address, making it all the more dangerous, Hyppoenen pointed out.

It also opens a back door on infected PCs, making it possible for outsiders to use them to distribute unsolicited bulk e-mail advertisements, or spam, and launch malicious attacks to close down web sites, he added. 

The earlier variants of the Zafi internet worm family were highly dangerous viruses, with the B variant still among the top 10 most virulent bugs several months after it was launched, he said.

While this is the first Zafi worm disguised as a Christmas card, the phenomenon is not new, Hyppoenen said.

"We have seen these hoaxes for several Christmases already, and personally I prefer traditional pen and paper cards, and we recommend this to all our clients too."


----------

