Welcome to the Virus Information section of the Bits & Bytes Computer Services web site
With all the new viruses invading cyberspace daily, ensure you have the latest protection available. Purchase an up-to-date anti-virus program from Network Associates, makers of McAfee AntiVirus software as well as other tools such as firewalls. Click on the banner to order VirusScan Online.
W32.Novarg.A@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor can download and execute arbitrary files. The worm will perform a Denial of Service (DoS) starting on February 1, 2004. It also has a trigger date to stop spreading on February 12, 2004. DO NOT OPEN the attachment or you will infect your system.
To protect yourself ensure that you have downloaded and installed the latest
virus definitions. A removal tool is also provided for computers
that are already infected.
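A host-side check for the backdoor port range described above, as an added example that is not part of the original page. It parses Windows `netstat -an` output; the sample output is constructed, and the function and constant names are hypothetical.

```python
import re

# Backdoor range stated on this page for W32.Novarg.A@mm: TCP 3127 through 3198.
BACKDOOR_PORTS = range(3127, 3199)

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      203.0.113.9:3127       ESTABLISHED
  TCP    192.168.1.20:3130      198.51.100.7:4411      ESTABLISHED
  TCP    [::]:3198              [::]:0                 LISTENING
  UDP    0.0.0.0:3127           *:*
"""

# Only TCP rows carry a state column; UDP rows are skipped by design.
_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


def _port(endpoint):
    """Return the port of 'addr:port' or '[v6addr]:port', or None."""
    _, _, port = endpoint.rpartition(":")
    return int(port) if port.isdigit() else None


def find_backdoor_sockets(netstat_text):
    """Return (local, remote, state) for TCP sockets whose LOCAL port is in range.

    LISTENING means something on this host has opened the port; ESTABLISHED
    on a local port in range means a remote peer is connected to it.
    """
    findings = []
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        local, remote, state = m.groups()
        if _port(local) in BACKDOOR_PORTS and state.upper() in ("LISTENING", "ESTABLISHED"):
            findings.append((local, remote, state.upper()))
    return findings


if __name__ == "__main__":
    for hit in find_backdoor_sockets(SAMPLE_NETSTAT):
        print(hit)
```

A hit is a lead rather than proof of infection, since other software can use ports in this range; confirm with an up-to-date scan or the removal tool.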
W32.Mimail.C@mm is a variant of W32.Mimail.A@mm that spreads by email and steals information from infected computers. Symantec (Norton) has upgraded the threat level due to an increased submission rate. The subject line refers to photos and there is a file called photos.zip included as an attachment. For protection ensure your virus definitions are dated October 31, 2003 or later.
A new variant of W32/Sobig, W32/Sobig.f@MM is a High Risk mass-mailing worm. It arrives as an email attachment with a .pif or .scr extension. When run, it infects the host computer, then emails itself (using its own SMTP engine). The worm copies itself onto the infected machine as C:\WINNT\WINPPR32.EXE and can come from an address recognised by you. Ensure your DAT file is dated August 19, 2003 or later or download the removal tool above.
This worm is specifically targeted to machines
running Windows XP and attempts to download a file to the infected computer and
then reboot the machine. Ensure your DAT files are dated August 19, 2003
or later or download the repair tool above.
W32.Dumaru@mm is a mass-mailing worm that inserts an IRC Trojan onto the
infected machine. The worm gathers email addresses from certain file types and
uses its own SMTP engine to email itself. The email purports to be from
Microsoft urging you to update your system using an attached file to eliminate
the Blaster virus described above. This is a FAKE message as Microsoft
does not distribute information this way. DO NOT run the attached file.
To protect yourself download the latest DAT files for your product dated August
19, 2003 or later. If you are already infected a removal tool is also
provided above. This worm exploits a Microsoft vulnerability (refer
to Microsoft's technical bulletin MS03-026). It will attempt to download
and run a file called msblast.exe and will also attempt a 'denial of service'
attack on Microsoft's 'windowsupdate.com' web site. To ensure you are
protected ensure that your virus definitions are dated August 11, 2003 or later.
If you believe that
you are already infected you can download the removal tool included above.
Removal tools are provided from Symantec's web site.
W32.Dumaru@mm
W32.Blaster.Worm also known as W32/Lovsan.worm
W32.Mimail.A@mm
W32.Mimail@mm is a worm that spreads by email, and that steals information
from a user's machine. The email typically has a comment about "Your Account" in
the subject line and will contain an attachment called "message.zip".
To ensure protection make sure that your virus definitions are up to date and
at least August 1, 2003. You can also use the removal tool listed above.
W32.Sobig.E@mm is a mass-mailing worm that sends itself to all the email
addresses that it finds in the files with the following extensions:
The e-mail message will show as from
support@microsoft.com.
The worm will also spread itself by copying itself to the following folders on
other machines it is able to access:
Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup
NOTE: The worm deactivates on 5/31/2003, therefore, the last date the
worm will spread will be 5/30/2003
W32/Palyh@MM [McAfee], W32/Palyh-A [Sophos], I-Worm.Palyh [KAV], WORM_PALYH.A
[Trend]
To protect yourself ensure your virus definitions
are later than May 18, 2003. If you are already infected you can also use
the removal tool provided above.
You can also download the Removal tool above to manually scan and repair for this specific threat.
W32.HLLW.Lovgate.C@mm is a variant of W32.HLLW.Lovgate@mm. This worm contains mass-mailing and backdoor functionalities. Particularly susceptible are users of Outlook, Outlook Express, and other MAPI-compliant email clients, where the worm will attempt to auto-reply to all received mail. To ensure protection make sure that your virus definitions are dated February 23, 2003 or later. There are no major functionality differences between this variant and W32.HLLW.Lovgate@mm. A removal tool is also provided at the top of this page.
Due to an increase in submissions, Symantec Security Response has upgraded
this threat from a Category 2 to a Category 3 as of January 9, 2003.
W32.Lirva.A is a mass-mailing worm that also spreads by the IRC, ICQ, KaZaA,
and open network shares. This worm attempts to terminate antivirus and firewall
products. It also emails the cached Windows 95/98/Me dial-up networking
passwords to the virus writer.
When Microsoft Outlook receives the worm, the worm takes advantage of a
vulnerability that allows the attachment to auto-execute when you read or
preview the email. Information on this vulnerability and a patch can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
If the day of the month is the 7th, 11th, or 24th, the worm will launch your
Web browser to
www.avril-lavigne.com and display a graphic animation on the Windows desktop.
Make sure you have virus definitions after January
8, 2003 for McAfee and January 9, 2003 if you are running Norton.
W32.Yaha.K@mm is a worm that is a variant of W32.Yaha.J@mm. This worm terminates
some antivirus and firewall processes. It uses its own SMTP engine to email
itself to all the contacts in the Windows Address Book, MSN Messenger, .NET
Messenger, Yahoo Pager, and all the files whose extensions contain the letters
HT. The email message has a randomly chosen subject line, message, and
attachment name. Make sure you have virus definitions dated after December
26, 2002 to ensure continued protection.
Symantec has provided a tool to remove infections of W32.Yaha.K@mm. Click
here to obtain the tool. This is the easiest way to remove this
threat and should be tried first if your system is infected.
Also Known As: W32/Yaha.k [McAfee], I-Worm.Lentin.i [KAV],
Win32/Yaha.K@mm [GeCAD], W32/Yaha-K [Sophos], Win32.Yaha.K [CA], W32/Yaha.M-mm [MessageLabs]
W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various anti-virus and firewall programs. The subject and attachment name of incoming emails are randomly chosen. The attachment will have a double extension ending in .exe, .scr, or .pif.
To protect yourself ensure your Anti-Virus DAT files are later than September 30, 2002
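Because the subject and attachment names are random, a mail filter has to key on the shape of the filename. The following added example (not part of the original page) screens a message's attachments for the executable types and double extensions named on this page; the verdict strings and function names are hypothetical, and the sample message is constructed with placeholder attachment bodies.

```python
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE = {"bat", "cmd", "exe", "pif", "scr", "vbs"}  # types named on this page
ARCHIVE = {"zip"}  # photos.zip, message.zip; also common in legitimate mail


def classify(filename):
    """Return a verdict string for one attachment filename."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2:
        return "allow"
    last = parts[-1].strip()
    if last in EXECUTABLE:
        # An inner segment that looks like an extension (ShakiraPics.jpg.vbs)
        # hides the real type when the final extension is not displayed.
        inner = [p.strip() for p in parts[1:-1]]
        if any(p.isalnum() and len(p) <= 4 for p in inner):
            return "block: double extension"
        return "block: executable type"
    if last in ARCHIVE:
        return "quarantine: archive, scan contents"
    return "allow"


def screen_message(raw_bytes):
    """Return (filename, verdict) for every attachment in a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, classify(name)))
    return results


def build_sample():
    """Constructed test message; attachment bodies are harmless placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    for name in ("ShakiraPics.jpg.vbs", "My Life.scr", "photos.zip", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in screen_message(build_sample()):
        print(f"{name!r}: {verdict}")
```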
W32.Frethem.J@mm and W32.Frethem.K@mm are worms that are variants of W32.Frethem.B@mm. They use their own SMTP engine to send themselves to email addresses that they find in the Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb files. The email message arrives with "Re: Your Password" in the subject line and usually has attachments called password.exe or password.txt.
To remove the virus ensure that your DAT files are up to date. For McAfee users the update should be 4212 or later, dated July 15, 2002. For Norton users you can download the manual update from their web-site (or below) after July 15, 2002. Norton Live Update files will be updated by Symantec on July 17, 2002. You can also download a repair tool here.
Due to an increased rate of submissions to Symantec, Norton Security Response has upgraded the threat rating of
VBS.VBSWG.AQ@mm to Category 3 as of June 6, 2002.
VBS.VBSWG.AQ@mm is a VBScript threat that is designed to send itself as ShakiraPics.jpg.vbs to users of Microsoft
Outlook or IRC. This threat also overwrites .vbs and .vbe files with its own code. The email has the following characteristics:
Subject: Shakira's Pictures
Message:
Hi :
i have sent the photos via attachment
have funn...
Attachment: ShakiraPics.jpg.vbs
NOTE: This threat was previously a zoo detection discovered in the wild on June 6, 2002.
Also Known As: VBS/VBSWG.aq@MM, VBS_VBSWG.AQ, VBS/VBSWG-AQ, VBSWG.AQ
Ensure you have the latest virus DAT file installed (after May 29, 2002).
W32.Klez.H@mm is a modified version of the worm W32.Klez.E@mm and is capable of spreading via e-mail. The email uses random subject lines, message bodies and file attachment names. W32.Klez.H@mm will also copy itself to local, mapped, and network drives.
Once launched, W32.Klez.H@mm attempts to disable anti-virus software and will infect other files. To repair ensure you have the latest DAT updates (April 17, 2002 or later).
Click here for a removal program.
This is a mass-mailing worm that uses the infected computer's SMTP server to send itself to all addresses in the Windows address book. It contains no payload. The email arrives with an attachment named Patch.exe. For addresses ending in .jp (Japan), there are 17 Japanese language subjects, one of which is randomly chosen each time. It is also known as W32/Fbound.c@MM on the McAfee web site. NOTE: Definitions dated prior to March 14, 2002 may detect this worm as W32.Dotjaypee@mm.
To repair this virus ensure the latest DAT files are installed (March 14, 2002 or later).
W32.MyLife@mm is a simple mass-mailer that sends itself to all contacts in the Microsoft Outlook address book. The worm is a compiled Visual Basic executable that has been compressed. It attempts to delete files that have the extensions .com, .sys, .ini, .exe, .sys, .vxd, .exe, or .dll. The email contains an attachment named "My Life.scr".
If W32.MyLife@mm is executed, it sends itself to all contacts in the Microsoft Outlook address book. The email has the following characteristics:
Subject: my life ohhhhhhhhhhhhh
It can be removed by ensuring the latest DAT files have been installed.
W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to spread. This worm arrives in an email message which is disguised as a Microsoft Internet Security Update with the attachment Q216309.exe. It is also known as W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A. The fake message is NOT from Microsoft.
FOR REMOVAL: Norton anti-virus updates published after March 6, 2002 contain the fix. Simply run Norton and delete any files it identifies as infected. McAfee has not yet released a fix, but one is scheduled to appear in their next update.
This virus has been around for a while in various forms but is becoming very active again. W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines, message bodies, and attachment file names. The worm exploits a vulnerability in Microsoft Outlook and Outlook
Express in an attempt to execute itself when you open or even preview the message in which it is contained. Information and a patch for the vulnerability can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
The W32.Klez.A@mm virus is also a mass-mailing email worm. It attempts to copy itself into folders on both local and network drives.
The information and files listed here are provided for your convenience. Bits & Bytes Computer Services offers no warranty on their intended use. For more detailed information users are advised to visit the web-sites of the respective companies.
This virus has a risk level of 3 on a scale of 4. W32.Maldal.D@mm was written and distributed on December 28th of 2001. The virus code is in Visual Basic. It is about 27KB in size packed with Aspack. The worm utilizes Outlook to spread itself to everybody in the Outlook address book. Download and install the latest virus definitions to protect yourself from this threat.
This worm will send itself as an attachment to all addresses in your Microsoft Outlook address book. It also will create an mIRC Script.ini file and an inetpub Default.htm file to try to spread itself. The current virus update tools should remove this virus. For manual removal instructions click here. CAUTION: This manual repair requires manually editing the system registry. Always back up the registry before making changes in case you make a fatal error in editing the registry.
This is a mass mailing worm that attempts to send itself using Microsoft Outlook to all entries found in the Outlook Address book. It tries to delete security software, can spread via ICQ, and contains a DDoS payload via IRC. It arrives in an email message containing the following information:
Subject: Hi
Body: How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!
Attachment: GONE.SCR
Running this attachment infects the local system.
W32/Goner@MM Removal tool
The above virus has a High Threat alert and the information provided is courtesy of Network Associates, publishers of McAfee Anti-Virus and other software. Download the latest definitions below to ensure protection from this virus.
This virus is an e-mail worm that has its own SMTP function and has recently been upgraded in threat value. The virus will go dormant for about 10 days and then re-activate itself and send itself to people listed in your address book.
Download the file called Fixnimda.com and keep running the file until your system is clean.
This worm virus is currently running rampant and has had its threat level upgraded by Norton and McAfee. It will typically come into your system through e-mail from someone you know or who has you in their address book. Often the person does not know that their computer has forwarded the virus on to someone else. DO NOT open mail without checking it for viruses. If you are unfortunate enough to be struck with the virus you will be faced with an error message telling you that the application you are attempting to run is not a valid Win32 application.
DOWNLOAD THIS REPAIR TOOL NOW! Put it on a floppy disk for safekeeping in case you need it. It can be run by double-clicking on the filename through "My Computer" and then opening the A-Drive. The filename is FixSirc.com
Download this file. Obviously if you have the NAVIDAD virus it is unlikely that you were able to get here, as the virus affects any executable file you try to load. You will typically get a message such as "unable to locate winsvrc.exe" and be prompted to locate the file, which you will not be able to find. Therefore why not download the file and store it on a floppy in case you need it.
Last Updated:
February 28, 2007