Virus Alerts !!


moonraker
21st September 2001, 09:25 PM
***********!!
*****! ****! ****! ****!
:o
In trying to delete my initial post I have ended up deleting the entire thread.
Sorry everyone.
Here is another.

888
24th September 2001, 12:24 AM
Nimda virus infection mechanisms, from Microsoft's TechNet site.... (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp)

Email: Infected machines attempt to spread the infection to other users by sending copies of the worm via email.
Web servers: Infected machines attempt to pass the infection to web servers by either locating an already compromised server, or by exploiting a known security vulnerability in Internet Information Server. Once infected, a web server will attempt to infect the machines of any users that visit it.
File shares: Infected machines will search for systems that have been configured to allow anyone to add files to them and, upon finding such a machine, will insert infected files onto it.

Pistol
17th November 2001, 05:50 PM
geeze I wish ppl would find another way to spend their time :(

The Therion
17th November 2001, 06:32 PM
thanks for the alert guys, I saw this virus in action in a university LAN last week; they had IE 5.01 on all machines except the server, which had IE6. All were infected except the IE6 one. But I was told perhaps IE5 is safe too! (not sure though.... I guess I'll have to upgrade to IE6 anyway...)

sohailm6
3rd December 2001, 11:35 AM
O.K a new virus is showing on www.sarc.com

This is an Internet worm which carries a file-overwriting payload. The file name of this worm suggests that it is a demo of the Quake4 game, but it is not.

more information can be found at http://www.sarc.com/avcenter/venc/data/w32.eira.57344@mm.html

Sohailm6

Pistol
4th December 2001, 10:58 PM
My wife just sent me an email from where she works to remind me not to open any attachments with SCR

moonraker
14th December 2001, 08:12 AM
From Silicon.com

==============
Anti-virus vendors have warned that the Gokar worm is the latest threat to UK businesses.

The Gokar is a mass-mailing worm that spreads by emailing itself to all addresses in the user's address book.

The malware actively seeks and disables processes belonging to major anti-virus software. Security vendor F-Secure claims to have found several copies of the worm in the wild.

The worm disguises itself by using a variety of email subject lines - meaning it is much harder to detect than the existing well-known worms, F-Secure said.
The worm itself is an attachment with any of the following file extensions: PIF, SCR, COM, EXE or BAT.

Message bodies can contain one of the following:

'You should like this, it could have been made for you, speak to you later, Hey, They say love is blind ... well, the attachment probably proves it, Pretty good either way though, isn't it ? Happy Birthday, Yeah ok, so it's not yours it's mine :), still cause for a celebration though, check out the details I attached, This made me laugh, Got some more stuff to tell you later but I can't stop right now, so I'll email you later or give you a ring if that's ok ?!, Speak to you later.'

==============
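The Gokar and Badtrans-era alerts in this thread all come down to the same advice: don't open attachments ending in PIF, SCR, COM, EXE or BAT. Below is an added example (not code from Silicon.com, F-Secure or anyone in the thread) of a mail-gateway style filter that applies exactly that list to a raw message, judging each attachment by its final extension so that a double-extension name like "photo.jpg.SCR" is still caught. The two sample messages are constructed for the demonstration, and the blocked-extension set is taken from the alert above.

```python
from email import message_from_string

# Extensions named in the Gokar alert above (and the SCR warning earlier in the thread).
BLOCKED_EXTENSIONS = {"pif", "scr", "com", "exe", "bat"}


def final_extension(filename: str) -> str:
    """Return the last extension of a filename, lowercased, or '' if it has none.
    Only the final extension counts, so 'photo.jpg.SCR' yields 'scr'."""
    name = filename.strip().rstrip(".")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def risky_attachments(raw_message: str) -> list[str]:
    """Return the filenames of attachments whose final extension is blocked.
    Works on the raw RFC 822 text of a message; attachment bodies are never decoded or run."""
    msg = message_from_string(raw_message)
    flagged = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition and falls back to the Content-Type name= parameter.
        name = part.get_filename()
        if name and final_extension(name) in BLOCKED_EXTENSIONS:
            flagged.append(name)
    return flagged


def should_quarantine(raw_message: str) -> bool:
    """Policy decision: hold the message if any attachment carries a blocked extension."""
    return bool(risky_attachments(raw_message))


# Constructed sample messages (not real captures). The second one uses the
# double-extension trick, where the displayed name looks like a picture.
CLEAN_MESSAGE = """\
From: friend@example.invalid
To: you@example.invalid
Subject: lunch?
Content-Type: text/plain

See you at noon.
"""

RISKY_MESSAGE = """\
From: someone@example.invalid
To: you@example.invalid
Subject: Honey
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary42"

--boundary42
Content-Type: text/plain

You should like this, it could have been made for you.
--boundary42
Content-Type: text/plain; name="details.txt"
Content-Disposition: attachment; filename="details.txt"

just some notes
--boundary42
Content-Type: application/octet-stream; name="photo.jpg.SCR"
Content-Disposition: attachment; filename="photo.jpg.SCR"
Content-Transfer-Encoding: base64

AAAA
--boundary42
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="party.pif"

not-a-real-binary
--boundary42--
"""

if __name__ == "__main__":
    print(risky_attachments(RISKY_MESSAGE))  # ['photo.jpg.SCR', 'party.pif']
    print(should_quarantine(CLEAN_MESSAGE))   # False
```

The filter deliberately ignores the Content-Type: a worm can label its executable as anything it likes, but the extension the mail client will use to launch the file is the one at the end of the filename.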

moonraker
3rd January 2002, 07:52 AM
Quote from silicon.com:

==============
Two more viruses have been discovered attempting to bring chaos to computer users over the Christmas period.

The virus known as Reeezak is the second in recent days to exploit the festive period and can delete the system directory on your PC and prevent your keyboard from working.

It can also delete all your anti-virus software.

It introduces itself with the line "Happy New Year", and the body text reads: "Hi I can't describe my feelings But all I can say is Happy New Year :) bye".

The virus is executed on opening the file called Christmas.exe.

Like Nimda it spreads in a variety of ways, using Outlook mailboxes as well as unprotected network shares.

Another worm - spotted by anti-virus firm Sophos - attempts to change the victim's home page to a pornographic site called CoolSite. It then tries to reproduce by hi-jacking all emails in the sent items folder and re-sending them.

Email anti-virus expert MessageLabs has recorded 60 instances of the worm in the last 24 hours, putting it into the current virus top ten.

Victims will receive a mail with the subject line "Hi" and a message body reading: "Hi. I found cool site! ...It's really cool".

The worm relies on victims clicking on the link to activate the worm.

==============

EnerB
22nd January 2002, 05:03 PM
Quote from another board:

--------
Trojan.Suffer
Discovered on: January 16, 2002
Last Updated on: January 16, 2002 at 06:35:20 PM PST


Trojan.Suffer is a Visual Basic-compiled executable that performs several functions before going into an infinite loop.

The preparatory functions are:

It swaps the mouse buttons.
It hangs up any active RAS connections.
It changes the computer name to something very rude.
It registers the Trojan process as a service.
It disables the use of the Control+Alt+Delete key combination.

The infinite loop:
The Trojan displays a black window and opens and closes the CD-ROM drive tray. With each opening and closing of the tray, it displays the following in red text:

suffer...

If you place the mouse pointer over the black window, and do not move the mouse, the following pop-up description is displayed:

you got caught slippin', now that ass is mine...


Removal instructions:

NOTE: If the Trojan is currently running, you may have problems controlling the computer. In this case, shut down the computer and turn it off completely--do not just restart. After the power is off, wait 30 seconds, restart the computer, and then continue with the following instructions.


1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as Trojan.Suffer.
5. (Optional) Rename the computer back to what it was. (See the next section for detailed instructions.)

Rename the computer back to what it was
Because the Trojan may have changed the computer name to something rude, you may want to change it back. Unless you are on a network and are required to use a specific name, this is optional. To do this, you must edit the registry.

CAUTION: We strongly recommend that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to back up the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

4. In the right pane, double-click the value

ComputerName

and change it from to the desired name.

NOTE: This is the name that is used by this computer. You can use any name that you want. If you are connected to a network, this is the name that other network users will see if they can view or connect to your computer.

5. Exit the Registry Editor.
------

Pistol
10th March 2002, 05:50 PM
for those of you that may have Win32/Badtrans.B Worm Alert (11/29/2001) here's a direct download link for a fix, it's a good thing to leave on your desktop for a quick check and fix
http://www.pspl.com/download/cleanbt.exe
http://www.sarc.com/avcenter/FixSirc.com
this other link is for the W32.Sircam.Worm

Bozo
20th March 2002, 07:12 AM
Is there anywhere on the web you can go that will scan your system for viruses? I know a couple of places have downloads to remove particular strains but you need to have an idea you have one first. Does anybody do a free scan?

sohailm6
20th March 2002, 08:45 AM
try http://www.mcafee.com/myapps/default.asp?

or http://security2.norton.com/ssc/home.asp?j=1&langid=us&venid=sym&plfid=20&pkj=BQWLQKZWCGZYFVHDYKD

Bozo
20th March 2002, 10:12 AM
Cheers. At work at the moment but I will try them out when I get home.

Pistol
20th March 2002, 12:47 PM
here is a list of removal tools if you need them http://translate.google.com/translate_c?hl=en&u=http://www.symantec.com/avcenter/tools.list.html&prev=/search%3Fq%3Dhttp://www.securityzone.de/%26hl%3Den%26sa%3DG

Bozo
20th March 2002, 06:47 PM
thanks again sohailm6

Just ran the symantec check (your 2nd link)

Results of Virus Detection Scan
16762 files scanned, 0 file(s) infected.

No viruses were detected in memory.

The scan did not detect any viruses in the files it scanned. The scan does not scan compressed files.

clean bill of health:D

sohailm6
20th March 2002, 07:27 PM
Glad to hear it :) It's always good to invest in a good anti-virus program as there are approx 20+ virus releases per month.

sohailm6

The Therion
19th May 2002, 02:25 PM
Try this:

Click START.
Find --> Files or Folders.
Check your system for this file ---> jdbgmgr.exe
And delete it. It seems it's a virus only activated if you run it (as most of them).

(the warning arrived today in my mail)

Terminator
19th May 2002, 02:35 PM
Originally posted by The Therion
Try this:

Click START.
Find --> Files or Folders.
Check your system for this file ---> jdbgmgr.exe
And delete it. It seems it's a virus only activated if you run it (as most of them).

(the warning arrived today in my mail)

This is a HOAX, do NOT delete the file !! - see HERE (http://www.sophos.com/virusinfo/articles/jdbgmgr.html)

The Therion
19th May 2002, 10:18 PM
I'm sorry, you're right. This is just a file that can potentially be used by a known virus. But if you delete it some Java applications may not run. Sorry for the alarm.

Terminator
6th June 2002, 10:26 PM
OK peeps here's another warning for you.

"Shakira" worm, yet another .vbs based virus, more details HERE (http://www.sophos.com/virusinfo/articles/shakira.html) - make sure your virus defs are up to date :)

Bozo
6th June 2002, 10:33 PM
cheers for the heads up Terminator (nice to see you posting by the way).

That has reminded me of something I meant to ask a while back but forgot all about. In Outlook Express can you stop it automatically previewing mail? I believe that is enough to enable some viruses to do their worst, as it is opening the mail.

Nanobot
6th June 2002, 10:36 PM
Click on view then layout and uncheck the preview box :)

Bozo
6th June 2002, 10:39 PM
Cheers nanobot, prompt as ever. I will hold my hands up and admit I hadn't even looked; something I had read had made me think about it and it wasn't until Terminator made the post that I remembered I wanted to turn it off.:rolleyes:

Terminator
6th June 2002, 10:52 PM
Originally posted by Bozo
cheers for the heads up Terminator (nice to see you posting by the way)

Thanks m8, I'm giving the board a chance and I'll be posting more frequently now :)

888
11th July 2002, 08:05 PM
A vulnerability has been found in the Network Associates PGP Outlook Plug-in.
If this plug-in has been enabled, it allows an attacker to send a specially crafted e-mail that will give them access to the system.
Download the patch here (http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp).

Terminator
20th July 2002, 11:08 PM
Here's another, W32/Frethem and many variations of it - see HERE (http://www.sophos.com/virusinfo/analyses/w32frethemfam.html). We intercepted this one at work 6 hours after receiving the update, so make sure your anti-virus definitions are updated.

jema
19th August 2002, 05:41 PM
Just had an email from realfreedom12002 with a subject "Honey" it has a couple of attachments. One is a "pif" file. I would guess that this is a virus of some sort... so watch for this one.

jema

Bozo
1st October 2002, 01:01 PM
VIRUS ALERT! Win32/Bugbear.A@mm

quote:
--------------------------------------------------------------------------------
VIRUS ALERT! Win32/Bugbear.A@mm
September 30, 2002 - GeCAD The Software Company is alerting all computer users that a new dangerous Internet worm, called Win32/Bugbear.A@mm, is reported to have a high infection level in the last 6 hours.

GeCAD AntiVirus researchers have included detection for Bugbear's signature in the September 30, 2002 daily update for RAV Engine. All RAV AntiVirus products using this update are able to detect and clean the worm. Please update your RAV Antivirus product, in order to be able to detect and clean this virus immediately.
The description of the worm is available below.

Win32/Bugbear.A@mm is a mass mailing internet worm, packed with UPX.
Its size is about 50Kb packed and 106Kb unpacked. The worm also drops a Windows DLL with key logger characteristics, 5632 bytes long.

The spreading process consists of two parts: Bugbear spreads via e-mail and via the open shares in the local network. To mass mail itself the worm searches for e-mail addresses in the following file types: ".MMF", ".NCH", ".MBX", ".EML", ".TBB", ".DBX". The local mail account details are read from the registry and the mail sending is done using the worm's built-in routines. The generated mail uses Internet Explorer's HTML/IFrame_Exploit - this way, on unpatched systems the executable attachment will be run without user confirmation, even if the mail is only displayed in Outlook's preview window.

When run, Bugbear copies itself using random names into the Windows system folder and into the Startup folder. For the copy dropped in the system folder, the file name always starts with 'f' (e.g. "c:\windows\system\fjmt.exe"), and the Startup folder one always starts with 'c' (e.g. "c:\windows\Start Menu\Programs\Startup\cok.exe").

Also, to be executed when Windows starts, the worm adds a registry key under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" with the path of the system-folder worm copy.

Bugbear drops a key logger DLL and three other files with binary data, using random names. Two of the data files have a ".dll" extension (84 bytes and 34 bytes long), and the third has the ".dat" extension and is 2 bytes long. Those three files contain only data used in the spreading process.

The worm tries to unload various security and antivirus programs from memory (the program names are stored in a built-in list, hardcoded in the worm).

We would like to remind Windows users that HTML/IFrame_Exploit is the main and right now the most menacing vulnerability used by worms like Win32/Klez.H@mm, Win32/Yaha.F@mm and Win32/Sircam@mm for spreading themselves over the Net.

HTML/IFrame_Exploit is NOT a malware itself, but an exploit for unpatched versions of Internet Explorer. More info on HTML/IFrame_Exploit is available at: http://www.ravantivirus.com/virus/showvirus.php?v=100

The latest details about Win32/Bugbear.A@mm you may see on RAV AntiVirus Website:
http://www.ravantivirus.com/virus/showvirus.php?v=124


RAV Team
Worry less! RAV is watching.
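The RAV alert gives two concrete persistence indicators: a RunOnce entry pointing at an .exe in the system folder whose name starts with 'f', and an .exe starting with 'c' dropped into the Startup folder. Below is an added triage script (not RAV's code and not from anyone in the thread) that applies those two naming patterns to a list of autorun entries. The folder paths and the sample entries are constructed for the demonstration; on a real Windows host the RunOnce reader uses the standard winreg module, and everywhere else it simply returns nothing so the rest still runs. Treat a hit as "worth looking at", not as proof of infection: the names are random, so the pattern is a heuristic and an up-to-date scanner remains the real check.

```python
import ntpath

# Locations named in the RAV alert above. Constructed defaults; adjust for the machine being checked.
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"
STARTUP_DIR = r"C:\WINDOWS\Start Menu\Programs\Startup"
RUNONCE_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"


def command_path(command: str) -> str:
    """Extract the executable path from an autorun command line.
    A quoted command yields the quoted part; an unquoted one yields the first token,
    unless the whole string is itself a file path (as for a Startup folder listing)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    if command.lower().endswith((".exe", ".lnk")):
        return command
    return command.split(" ", 1)[0]


def same_dir(path: str, directory: str) -> bool:
    """Case-insensitive comparison of the path's parent folder with a directory."""
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(directory.rstrip("\\"))


def matches_bugbear_pattern(path: str, system_dir=SYSTEM_DIR, startup_dir=STARTUP_DIR) -> bool:
    """True if the path fits the naming described in the alert: an .exe starting with 'f'
    in the system folder, or an .exe starting with 'c' in the Startup folder."""
    base = ntpath.basename(path).lower()
    if not base.endswith(".exe"):
        return False
    if same_dir(path, system_dir) and base.startswith("f"):
        return True
    if same_dir(path, startup_dir) and base.startswith("c"):
        return True
    return False


def suspicious_autoruns(entries, system_dir=SYSTEM_DIR, startup_dir=STARTUP_DIR):
    """entries: iterable of (source, command). Returns the (source, path) pairs worth a look."""
    hits = []
    for source, command in entries:
        path = command_path(command)
        if matches_bugbear_pattern(path, system_dir, startup_dir):
            hits.append((source, path))
    return hits


def collect_runonce_entries():
    """Read HKLM RunOnce on a live Windows host; returns [] on other systems."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUNONCE_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _value_type = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            entries.append((f"HKLM RunOnce\\{name}", str(data)))
            index += 1
    return entries


# Constructed sample mirroring the example paths in the alert (not real findings).
SAMPLE_ENTRIES = [
    ("HKLM Run\\AVG", r'"C:\Program Files\AVG\avgcc.exe" /startup'),
    ("HKLM RunOnce\\fjmt", r"C:\WINDOWS\SYSTEM\fjmt.exe"),
    ("Startup folder", r"C:\WINDOWS\Start Menu\Programs\Startup\cok.exe"),
    ("Startup folder", r"C:\WINDOWS\Start Menu\Programs\Startup\Office Startup.lnk"),
    ("HKLM Run\\freecell", r"C:\WINDOWS\freecell.exe"),
]

if __name__ == "__main__":
    for source, path in suspicious_autoruns(SAMPLE_ENTRIES + collect_runonce_entries()):
        print(f"{source}: {path}")
```

The last sample entry shows why the folder check matters: an 'f' executable outside the system folder is not flagged, which keeps ordinary programs out of the report.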

Terminator
3rd October 2002, 12:13 PM
Make sure your Anti-Virus software is updated, we have intercepted 12 copies of Bugbear.A already :eek:

Bozo
3rd October 2002, 12:39 PM
Originally posted by Terminator
Make sure your Anti-Virus software is updated, we have intercepted 12 copies of Bugbear.A already :eek:

I thought it was high time I got myself sorted out, downloaded Norton which apparently is a freebie when you are with Pipex adsl. Problem is I can't install it as my internet connection is on a PC running 2k server. All I get is a message saying that server operating systems are not supported :(

Fair enough if they don't want corporations abusing the software (licenses) but I wish it would run but default to the single PC so I could run it.

ho hum.

Terminator
3rd October 2002, 01:00 PM
I've had enough of Norton 2002, it's too big and slow now. The best virus software I've used is Sophos Anti-Virus but it's expensive for home use :( so I'm currently looking for alternatives......

Ian Newson
3rd October 2002, 05:05 PM
Look here (http://www.ninjamicros.com/vbulletin/showthread.php?s=&threadid=12071) for a list of free ones for windows systems m8 (now made a sticky).

I've now had 4 copies of Bugbear sent to me (only one machine infected luckily)

Note: Your anti-virus is only any good if updated often :doh:

Terminator
3rd October 2002, 08:08 PM
Thanks Ian :thumbsup:

I've removed Norton :yippee: and I'm just installing AVG so I'll see how it goes :)

Terminator
7th October 2002, 08:41 PM
AVG's been running great for the last 4 days so it looks like I'll be sticking with this one for now.

Thanks Ian :)

Ian Newson
7th October 2002, 10:11 PM
No problem m8, happy to help.