
Information Technology

Computer Lab Hours
Monday - Friday
8:30 a.m. - midnight
Saturday & Sunday
9:00 a.m. - midnight

Help Desk Hours
Monday - Friday
8:00 a.m. - 6:00 p.m.

SOM-IT Help Desk


 

DATE: April 18, 2002

Alert: W32.Klez.h@mm

Please note: If you have opened this file already, disconnect from the network, shut the machine down and immediately contact the Help Desk at 2-7777.

Description: W32.Klez.H@mm is a modified variant of the worm W32.Klez.E@mm. This variant is capable of spreading by email and network shares. It is also capable of infecting files. The virus will activate if the message is opened, or even if the message is only displayed in the Preview Pane of Outlook, and it is very difficult to remove once it infects a machine. When this worm is executed, it copies itself to %System%\Wink<random characters>.exe. The body of the email message is random. If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed.

More detailed information on this virus and a patch for the vulnerability can be found at

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

Subject of email: Random
Name of attachment: Random
Size of attachment: Random

Removal Instructions: If you have opened this file already, disconnect from the network, shut the machine down and immediately contact the Help Desk at 2-7777.

Further Information: W32.Klez.h@mm


DATE: March 11, 2002

Alert: W32.Gibe@mm

Description: W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to spread. This worm arrives in an email message--which is disguised as a Microsoft Internet Security Update--as the attachment Q216309.exe.

The worm sends itself to addresses found in the Microsoft Outlook address book and to addresses it finds by searching .htm, .html, .asp, and .php files. The virus also installs a backdoor Trojan that allows remote access to the infected system. Further information and a patch for the vulnerability can be found at

http://www.symantec.com/avcenter/venc/data/w32.gibe@mm.html

Subject of email: Internet Security Update
Name of attachment: Q216309.exe
Size of attachment: 122,880 bytes

Further Information: W32.Gibe@mm

 


DATE: February 25, 2002

Alert: W32.Klez.D@mm

Description: W32.Klez.D@mm is a modified variant of W32.Klez.A@mm. Most of the functionality remains the same. The virus that W32.Klez.A@mm carried, W32.Elkern.3326, is also carried and inserted on the system by this variant.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message. Further information and a patch for the vulnerability can be found at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Subject of email: Random
Name of attachment: Random
Size of attachment: 64Kb

Further Information: W32.Klez.D@mm


DATE: February 20, 2002

Alert: W32.Goner.A@mm

Description: W32.Goner.A@mm is a mass-mailing worm written in Visual Basic. The worm has been compressed using a Portable Executable (PE) file compressor. The worm can spread using the ICQ network as well as by email using Microsoft Outlook. If IRC is installed, this worm can also insert mIRC scripts that will enable the computer to be used in Denial of Service (DoS) attacks. The IRC channel used for controlling the worm is currently blocked, preventing this functionality.

Subject of email: Hi
Name of attachment: Gone.scr
Size of attachment: 38,912 bytes

Further Information: W32.Goner.A@mm


DATE: January 28, 2002

Alert: W32.Myparty@mm
Outlook virus

This virus is called W32.Myparty@mm

It will spread ONLY if you open the attachment. It may come from individuals that you know at Yale or across the Internet. In addition, this worm affects Windows machines only.

The subject line is: new photos from my party!

The text is: "Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!"

The attachment is www.myparty.yahoo.com

The signature file from Symantec's Norton Anti-Virus, dated Jan. 28, 2002, includes the definitions needed to detect and handle this virus ("W32.Myparty@mm").


DATE: September 7, 2001

Alert: W32.Apost.Worm@mm
Outlook virus

The worm was previously known as W32.Urgent.worm@mm.

This worm is a Visual Basic Application that arrives as the attachment Readme.exe. It requires the Microsoft Visual Basic Runtime Libraries to replicate.

The body of the email asks the recipient to review the attachment, but after it has been viewed it copies itself to the system and spreads itself to everyone in the Microsoft Outlook address book.

Do not open the attachment that comes with the message titled: "As Per Your Request!".

The body of the message generally says the following: "Please find attached file for your review. I look forward to hear from you again very soon. Thank you." DO NOT open this message. Opening the attachment spreads this message to everyone you have listed as a contact.
Please delete this message!

Please Note: If you have opened this attachment already, disconnect from the network, shut the machine down and IMMEDIATELY contact the Help Desk at 2-7777.

The signature file from Symantec's Norton Anti-Virus, dated Sept. 3, 2001, includes the definitions needed to detect and handle this virus ("W32.Urgent.worm@mm").


DATE: May 9, 2001

ALERT! Virus Warning VBS.VBSWG2.D@mm aka "Homepage"

Please note: If you have opened this file already, disconnect from the network, shut the machine down and immediately contact the Help Desk at 2-7777.

Technical description:
VBS.VBSWG2.X@mm is an encrypted VBScript worm that uses a known exploit to send itself to all recipients in an infected user's Microsoft Outlook address book. The email message has the following characteristics:

Subject: "Homepage"
Body:
Hi!

You've got to see this page! It's really cool ;O)

Attachment: Homepage.HTML.vbs

Prior to mailing itself out, the worm searches for email messages with the Subject of "Homepage" and deletes them.

The worm pretends to open a Web page upon execution. It randomly selects one of four pornographic Web pages.

Removal instructions:

Delete any files detected as VBS.VBSWG2.X@mm.

More Information - Symantec
More Information - McAfee
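
The fixed attachment names in the alerts above (Q216309.exe, Gone.scr, Homepage.HTML.vbs, www.myparty.yahoo.com) all end in an extension that Windows runs directly, sometimes hidden behind a harmless-looking name. The following is an added example, not part of the original alerts, of a mail-side check for such names; the extension lists, function names and sample message are assumptions chosen for illustration, and a name check does not catch randomly named attachments whose extension is not on the list.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions Windows executes directly; covers the attachment types named in the alerts.
EXECUTABLE_EXTS = {"exe", "scr", "vbs", "com", "pif", "bat"}
# Harmless-looking inner extensions used to disguise the real one (assumed list).
DECOY_EXTS = {"html", "htm", "txt", "jpg", "gif", "doc"}

def classify_attachment(filename):
    """Return the reasons a file name is suspicious (empty list means no finding)."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = filename.lower().rstrip(". ").split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable extension ." + parts[-1]]
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        reasons.append("double extension")
    if parts[0] == "www" and parts[-1] == "com":
        reasons.append("imitates a web address")
    return reasons

def scan_message(raw):
    """Parse a raw message and return {attachment name: reasons} for flagged parts."""
    msg = message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        reasons = classify_attachment(name) if name else []
        if reasons:
            findings[name] = reasons
    return findings

def build_sample():
    """Constructed test message (not a captured worm email); payload is inert bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Homepage"
    msg.set_content("Hi!")
    for name in ("Homepage.HTML.vbs", "www.myparty.yahoo.com", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```
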


Best Practices
Please update your antivirus software regularly and often. The default standard, Symantec's Norton Anti-Virus, can be updated very easily via the LiveUpdate feature when connected to the Internet. Please take the time to maintain your antivirus software. The few minutes it takes can help to avoid a tremendous amount of grief later on.

How do I use LiveUpdate to download current definitions and have optimum protection?
Click here for detailed instructions.

Need information on a specific virus?
Find out more at Symantec's Anti-Virus Center.

Someone sent me a suspicious email or file. Is this a hoax?
Discover news and information about the latest hoaxes at Symantec's Hoax Center.
