Virus Alerts

The information on this page covers only a small portion of the hundreds of new computer viruses that are discovered each month. The more widespread and destructive of these viruses are detailed here. Choose from the list below for information on specific viruses.
How to Protect your Computer from a Virus
Kamasutra Virus Advisory

Attention Windows XP and 2000 Users receiving "Buffer Overrun In RPC Interface error" with PC's shutting down:

Worldnet members using Windows XP are reporting problems getting connected or staying connected to our local numbers. They may get a message stating, "Remote Procedure Call (RPC) terminated unexpectedly". Microsoft has identified a security issue which is affecting Windows XP users, and has a patch available at Windows Update. You can help protect your computer by installing this security update from Microsoft.

To remain online long enough to download and install this patch, we recommend you enable Windows XP's firewall. Then go to Windows Update and install any and all critical updates. http://windowsupdate.microsoft.com/

If you are using the Worldnet Connection Manager, while disconnected from the Internet:
If you're using a DUN connection, while disconnected from the Internet:
Symantec Anti-Virus has identified a worm that will exploit this Buffer Overrun in RPC Interface flaw. Please visit Symantec Anti-Virus for more information on the worm, and how to remove it from your computer.
Win32/IRCbot.wormMS05-039

This detection is for an Internet Relay Chat (IRC) bot worm which includes the ability to spread by exploiting systems which are not yet patched for the MS05-039 vulnerability. This worm is designed to contact a remote IRC server and wait for further instructions.

Installation

When the file is run the virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as WINTBP.EXE. The file can be run automatically by exploiting the MS05-039 vulnerability or by a person directly executing the worm. Registry keys are created to load the worm at startup:

Indications of Infection

If this worm is run on a system which has not yet been patched for the MS05-039 vulnerability, it will continually reboot.

Method of Infection
This threat scans for MS05-039 exploitable systems. When a vulnerable
system is found, it uses a buffer overflow to write the worm file to that
machine via a TFTP upload on port 8594. Blocking this port via McAfee
Desktop Firewall or McAfee Personal Firewall will prevent infection even if
the buffer overflow is not prevented.
Removal Instructions
AVERT DATS
Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

The following EXTRA.DAT packages are available, prior to the full DAT release.
A security warning from Microsoft and from anti-virus companies says the W32.sasser.worm and variants are spreading across the Internet. It is reported to affect most versions of Microsoft Windows. Microsoft says if you have downloaded the patch relating to Security Update MS04-011, you will be safe from this worm. Microsoft describes it as a critical vulnerability.
You should also visit Windows Update and install any and all critical updates.

If you are using the Worldnet Connection Manager, while disconnected from the Internet:

If you're using a DUN connection, while disconnected from the Internet:

The following offer information on removing (or may even offer a removal tool for) the Sasser worm:

For more information on this worm please see:
A scan of your computer can detect a virus or worm. The following sites offer free scanning of your computer. In some cases, they may download software onto your computer. This information is presented only as a service to our users. AT&T is not responsible for software provided by third parties. You should read any terms and conditions carefully before you download the software.

Please always make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses, worms, trojans, and their variants. For your reference, we have posted a short, non-comprehensive listing of some of the anti-viral resources available to you on the Web. All entries are arranged purely alphabetically, not in any order of preference or recommendation. Visit our Help site for information on How to Protect your Computer from a Virus.

W32.Netsky.B is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. This worm also searches drives C through Z for folder names containing "Share" or "Sharing," and then copies itself to those folders.

More on this worm may be found at:

The following offers a free removal tool for the worm: http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.b@mm.removal.tool.html
It
is also called W32.Novarg.A@mm or WORM_MIMAIL.R.

A variation on an existing Internet worm is spreading by e-mail. It is called W32.Dumaru.Z@mm.

A new Internet worm that has spread by e-mail through Asia, Australia and Europe

W32.Swen.A@mm is a new network worm that has been detected spreading throughout the internet. This malicious program spreads via email, the Kazaa file sharing network and IRC channels. Infected messages appear to have been sent from various Microsoft services, including MS Technical Assistance, Microsoft Internet Security Section, etc. Message text advises users to install a "special patch" from Microsoft. The "patch" is included as an attachment. Microsoft does not ever email patches, and recommends checking their Security web site for any new patches. http://www.microsoft.com/security

Swen uses the same vulnerability in Internet Explorer detected in March 2001 that was used by many other well-known worms, such as Klez. Microsoft released a patch to protect against this in March 2001. http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Once Swen breaks into an undefended machine it executes itself independently of the owner. It then emails itself to other addresses stored on the infected computer. This means you may get a lot of email from an infected computer that has your email address. The worm also attempts to deactivate anti-virus and personal firewall programs running on a victim's computer.

McAfee's Anti-Virus web site says their latest .dat covers the worm. http://vil.nai.com/vil/content/v_100662.htm. Symantec Anti-Virus has also updated its virus definitions, and has manual instructions for those who opened the attachment and infected themselves: http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html

W32/Bugbear@MM is a mass-mailing worm that attempts to send itself to email addresses found on an infected system. It also spreads through open network shares and has the ability to send print jobs to printers found on an infected network. It will also attempt to install a backdoor trojan that can capture what the user types, including sensitive information such as passwords. The trojan will also allow a hacker to upload files from the infected system, download files onto the system, run executable files and stop processes from running.

Simply opening or previewing an infected message in a vulnerable email reader can result in infection. The email may be from someone you know. Please exercise caution when checking your email. The "from" field, subject line, message body, and attachment all vary widely and may appear to be legitimate email. We have noticed that most of the messages containing this worm are about 70 kb in size, and most of the attachments are 50 kb in size. The message body and attachment name vary. It is common for the attachment name to contain a double-extension (e.g. .doc.pif), but this may not display on all systems.

If you are using Microsoft's Internet Explorer 5.x you can get Bugbear merely by previewing an infected message in Outlook or Outlook Express. If you are using a newer version, or one that has been patched, it can still be infected if the attachment is opened manually.

If you are using Microsoft's Internet Explorer 5.x you can get a security patch at: http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

Or you can upgrade to Microsoft's Internet Explorer 6 at: http://www.microsoft.com/windows/ie/downloads/default.asp

The following offer free removal tools for the worm:

For more information on this worm please see:

Please always make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses, worms, trojans, and their variants. For your reference, we have posted a short, non-comprehensive listing of some of the anti-viral resources available to you on the web. All entries are arranged purely alphabetically, not in any order of preference or recommendation. http://help.att.net/docs/use/oserv/gen/prb_xxx_xxx_virus-referral.htm
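
The double-extension attachment names described for Bugbear (.doc.pif) are something a mail filter can test for before a message reaches the reader. The following Python is an added example, not part of the original advisory; apart from .doc and .pif, the extension lists are assumptions, and the sample message is constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Final extensions Windows will execute (assumed list; the page names only .pif).
EXECUTABLE = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".lnk"}
# Inner extensions that make a file look like a harmless document (assumed list).
DECOY = {".doc", ".xls", ".txt", ".jpg", ".gif", ".htm", ".html", ".pdf", ".zip"}


def double_extension(filename):
    """Return (decoy, real) if the name hides an executable extension, else None."""
    # Windows ignores trailing dots and spaces, so drop them before parsing.
    name = filename.strip().rstrip(". ").lower()
    # Tolerate spaces padded between the two extensions.
    suffixes = [s.strip() for s in PurePosixPath(name).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE and suffixes[-2] in DECOY:
        return suffixes[-2], suffixes[-1]
    return None


def suspicious_attachments(raw_message):
    """Parse a raw message and list attachment names with a hidden extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if double_extension(filename):
            flagged.append(filename)
    return flagged


def build_sample():
    """Constructed message: one plain attachment and one disguised one."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Minutes"
    msg.set_content("See attached.")
    for name in ("notes.txt", "Minutes.DOC.pif"):
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(suspicious_attachments(build_sample()))
```

The check looks at the attachment name carried in the message headers, so it still works when the mail client hides the final extension from the user.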
Last update: 02/01/2006 02:34 PM
