Re: Another virus outbreak
Posted by Don in Hollister on September 18, 2003 at 23:39:18:

Hi All. One of these is most likely the virus EQF is talking about. Both can be stopped if your antivirus programs are up to date. Of course the safest method is not to open any attachments unless you know who they are from and how secure they are. Take Care…Don in creepy town

NOTE: This threat was previously detected as Worm.Automat.AHB by definitions automatically created by the Digital Immune System.

Due to an increase in submissions, Symantec Security Response has upgraded W32.Swen.A@mm to Category 3, as of 6:30pm Thursday, September 18, 2003.

W32.Swen.A@mm is a mass-mailing worm that uses its own SMTP engine to spread itself. It attempts to spread through file-sharing networks, such as KaZaA and IRC, and attempts to kill antivirus and personal firewall programs running on a computer.

The worm arrives as an email attachment. The subject, body, and From: address of the email may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail.

W32.Swen.A@mm is similar to W32.Gibe.B@mm in function, and is written in C++.

Also Known As: Swen [F-Secure], W32/Swen@mm [McAfee], W32/Gibe-F [Sophos], Worm Swen.A

Infection Length: 106496

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x

W32.Yaha.AB@mm:

Is a worm that is a variant of W32.Yaha.T@mm.
Terminates some antivirus and firewall processes.
Uses its own SMTP engine to email itself to all the contacts in the Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager, ICQ Pager, as well as in all the files whose extensions contain the letters HT.
Installs a keylogger and emails the logs to its author.
Contains a destructive payload, which may be triggered if the system timezone is GMT+5.
Performs a Denial of Service (DoS) attack to some specified hosts and random hosts on ports 80, 135, 139, and 445.

The email message has a randomly chosen subject line, message, and attachment name. The attachment will have a .com, .exe, .scr, or .zip file extension.

This threat is written in the Microsoft C++ language and is compressed with FSG.

Also Known As: I-Worm.Lentin.q [KAV], W32/Lentin.S@mm [F-Prot]
Variants: W32.Yaha.T@mm
Type: Worm
Infection Length: 60,688 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x
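
The attachment extensions listed above (.com, .exe, .scr, .zip) can be checked at a mail gateway before a message reaches the user. The following is an added example, not part of the original post or of the Symantec write-ups; the function names `risky_attachments` and `build_sample` are hypothetical and the sample message is constructed with harmless contents. It goes slightly beyond the text by opening .zip attachments and checking the member names rather than flagging every archive.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Executable extensions named in the advisory; .zip attachments are opened
# and their member names are checked against the same list.
RISKY_EXTS = (".com", ".exe", ".scr")

def _is_risky(name):
    # Windows ignores trailing dots and spaces, so "a.exe." still runs as "a.exe".
    return name.lower().rstrip(". ").endswith(RISKY_EXTS)

def risky_attachments(raw):
    """Return names of attachments (or zip members) with a risky extension."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # container parts and the plain body have no filename
        if _is_risky(name):
            hits.append(name)  # also catches double extensions like x.txt.exe
        elif name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist() if _is_risky(m)]
            except zipfile.BadZipFile:
                hits.append(f"{name} (unreadable zip)")  # quarantine what cannot be inspected
    return hits

def build_sample():
    """Constructed message: harmless bytes, file names shaped like the advisory's."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("Patch.SCR", "not a real program")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg.set_content("see attached")
    msg.add_attachment(b"x", maintype="application", subtype="octet-stream",
                       filename="update.txt.exe")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="docs.zip")
    msg.add_attachment("notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(risky_attachments(build_sample()))
```

A name-based check is only a first filter; it complements, and does not replace, the up-to-date antivirus definitions the post recommends.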

