Current Activity Calendar
February 18, 2004 - Current Activity

W32/Netsky.B added February 18

US-CERT has received reports of a new mass-mailing virus, referred to as "W32/Netsky.B", "WORM_NETSKY.B", or "Moodown.B". It can spread via e-mail or network file shares. Please see CERT Incident Note IN-2004-02 for more information.

US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment. You may also wish to visit the US-CERT's computer virus resources page.

W32/Baegle.B or W32/Bagle.B added February 17

US-CERT has received reports of a new mass-emailing virus, referred to as "W32/Baegle.B", "W32/Bagle.B", or "W32.Alua". It arrives as an attachment to an email with the subject line of the form "ID xxxx... thanks", where xxxx is some number of random characters. The attachment is an executable file (.EXE) with a file name consisting of a random sequence of characters. Upon opening the attachment, the virus scans certain files on the user's system collecting e-mail addresses and then attempts to mail itself to all e-mail addresses it found. The From: address is spoofed to hide the identity of the sender.

Additionally, the virus opens a port on the user's system (usually port 8866/tcp) to permit remote access for an intruder and sends notification of the compromise to several remote sites via HTTP GET requests. Indicators of successful compromise include the presence of an AU.EXE program in the C:\WINNT\SYSTEM32 folder and a value of the same name in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment. You may also wish to visit the US-CERT's computer virus resources page.

ASN.1 exploit code added February 16

US-CERT has become aware of publicly available exploit code for the ASN.1 vulnerability outlined in VU#583108. Although we have not received external reports of this vulnerability being exploited, we have confirmed that at least one exploit for this vulnerability results in a denial of service on the affected system. Users are strongly encouraged to review the patch information in US-CERT Technical Cyber Security Alert TA04-041A.

W32/Mydoom.C or W32.HLLW.Doomjuice added February 10

On February 9, 2004, US-CERT began receiving reports of a new variant of the Mydoom virus known as W32/Mydoom.C or W32.HLLW.Doomjuice. Systems previously infected with Mydoom.A have a backdoor listening on port 3127/tcp. Mydoom.C scans randomly generated IP addresses and attempts to connect to port 3127/tcp. If the connection attempt is successful, it sends a copy of itself to the remote system, and the backdoor component of Mydoom.A accepts and automatically executes the file.

US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment. You may also wish to visit the US-CERT's computer virus resources page.

W32/Mydoom.A or W32/Novarg added January 26 | updated February 10

On January 26, 2004, US-CERT began receiving reports of a new mass-mailing virus now known as W32/Novarg.A, W32/Shimg, or W32/Mydoom.A. It arrives as an email message with a 22,528-byte attachment that has a random filename with a file extension of .cmd, .pif, .scr, .exe, or .bat. The attachment may also arrive as a ZIP archive. This malicious code has been reported to open a connection on port 3127/tcp or port 3176/tcp. In addition to email propagation, the virus attempts to spread through peer-to-peer file sharing networks by copying itself into the default folder used by KaZaA to share files.

More information is available in CERT Incident Note IN-2004-01 and CERT Advisory CA-2004-02.

US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment. You may also wish to visit the US-CERT's computer virus resources page.

W32/Beagle or W32/Bagle added January 20

US-CERT has received reports of a new mass-emailing virus, referred to as "W32/Beagle" or "W32/Bagle". It arrives as an attachment to an email with the subject line of "Hi". The attachment is an executable file (.EXE) with a file name consisting of a random sequence of characters. Upon opening the attachment, the virus scans certain files on the user's system collecting email addresses, then attempts to mail itself to all e-mail addresses it found. The FROM: address is spoofed to hide the identity of the sender. Additionally, the virus opens a port on the user's system (usually port 6777) which permits an attacker to gain access to the system.

US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment. You may also wish to visit the US-CERT's computer virus resources page.

Systems compromised via buffer overflow in DameWare added December 26

US-CERT has received reports of systems being successfully compromised via a remotely exploitable buffer overflow in the DameWare Mini Remote Control management package. This vulnerability is documented in VU#909678. Users are encouraged to upgrade to the newest version of the software from the DameWare site. If you have additional information about systems compromised using this vulnerability, please send email to cert@cert.org.
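The mail-borne indicators given above for W32/Bagle (subject "Hi" plus a random-named .EXE), W32/Bagle.B (subject of the form "ID xxxx... thanks" plus a .EXE) and W32/Mydoom.A (a 22,528-byte attachment with a .cmd, .pif, .scr, .exe or .bat extension, possibly inside a ZIP) can be applied at a mail gateway before a user ever sees the attachment. The following Python is an added example, not US-CERT code: the rule names, the exact subject regex and the constructed sample messages are my assumptions derived from the advisory wording, and a real deployment would still rely on up-to-date anti-virus scanning rather than these three rules alone.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text; the rule names are mine.
BAGLE_SUBJECT = "Hi"
BAGLE_B_SUBJECT = __import__("re").compile(r"^ID\s+\S+\.\.\.\s*thanks$", re.IGNORECASE) if False else None
import re
BAGLE_B_SUBJECT = re.compile(r"^ID\s+\S+\.\.\.\s*thanks$", re.IGNORECASE)  # "ID xxxx... thanks"
MYDOOM_EXTS = {".cmd", ".pif", ".scr", ".exe", ".bat"}
MYDOOM_SIZE = 22528  # attachment size reported for Mydoom.A


def attachments(msg):
    """Yield (filename, decoded payload bytes) for every attachment part."""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            yield part.get_filename() or "", part.get_payload(decode=True) or b""


def _ext(name):
    return os.path.splitext(name)[1].lower()


def matches(raw):
    """Return the list of rule names that fire on a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("subject", "")).strip()
    hits = []
    for name, data in attachments(msg):
        ext = _ext(name)
        if ext == ".exe" and subject == BAGLE_SUBJECT:
            hits.append("W32/Bagle")
        if ext == ".exe" and BAGLE_B_SUBJECT.match(subject):
            hits.append("W32/Bagle.B")
        if ext in MYDOOM_EXTS and len(data) == MYDOOM_SIZE:
            hits.append("W32/Mydoom.A")
        if ext == ".zip":
            # Look inside the archive for a member matching the Mydoom.A profile.
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    if any(_ext(i.filename) in MYDOOM_EXTS and i.file_size == MYDOOM_SIZE
                           for i in zf.infolist()):
                        hits.append("W32/Mydoom.A")
            except zipfile.BadZipFile:
                pass  # corrupt or non-zip payload: leave it to the AV scanner
    return hits


def build(subject, filename, payload):
    """Construct a sample message (test data, not a real captured worm mail)."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


def zipped(member, payload):
    """Wrap a constructed payload in an in-memory ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


if __name__ == "__main__":
    for subj, fname, body in [("Hi", "kq3z.exe", b"MZ" + bytes(100)),
                              ("ID 7fq2e... thanks", "p9x.exe", b"MZ"),
                              ("hello", "doc.pif", bytes(MYDOOM_SIZE)),
                              ("report", "notes.txt", b"quarterly numbers")]:
        print(fname, "->", matches(build(subj, fname, body)) or "clean")
```

The size and extension checks are deliberately exact because that is all the advisory gives; a looser rule (any random-named .EXE) would catch more variants but also more legitimate mail, so tune the thresholds against your own traffic before blocking rather than quarantining.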
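The host-side indicators above (a backdoor listening on 3127/tcp or 3176/tcp for Mydoom.A, 6777 for Bagle, 8866/tcp for Bagle.B, and for Bagle.B the AU.EXE file in C:\WINNT\SYSTEM32 with a matching value under the HKLM Run key) are what an administrator would sweep for on a suspect Windows machine. The following Python is an added example, not US-CERT code: it parses "netstat -an" style output and checks a file list and Run-key snapshot against those indicators. The netstat sample is constructed, the port-to-worm mapping is my reading of the advisory text, and the live-collection helpers at the bottom are only meaningful on Windows.

```python
import os
import re
import subprocess
import sys

# Listening ports the advisory associates with each backdoor (my mapping of its text).
BACKDOOR_PORTS = {
    3127: "W32/Mydoom.A backdoor (also the port Mydoom.C probes)",
    3176: "W32/Mydoom.A backdoor",
    6777: "W32/Bagle backdoor",
    8866: "W32/Bagle.B backdoor",
}

# Bagle.B file and registry indicators from the advisory.
BAGLE_B_FILE = r"C:\WINNT\SYSTEM32\AU.EXE"
BAGLE_B_RUN_VALUE = "AU.EXE"
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# One "netstat -an" row on Windows: proto, local address, foreign address, state.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)

# Constructed sample output (not from a real infected host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       192.168.1.9:80         ESTABLISHED
  TCP    0.0.0.0:8866           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""


def listening_ports(netstat_output):
    """Set of TCP ports in LISTENING state found in netstat -an output."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def suspicious_ports(netstat_output):
    """Map each listening port that matches a known backdoor port to its label."""
    return {p: BACKDOOR_PORTS[p] for p in listening_ports(netstat_output)
            if p in BACKDOOR_PORTS}


def bagle_b_indicators(files_present, run_values):
    """files_present: iterable of paths; run_values: dict of name -> command under the Run key.
    Returns which Bagle.B indicators were found (case-insensitive, as NTFS and the registry are)."""
    found = []
    if any(f.upper() == BAGLE_B_FILE for f in files_present):
        found.append("file")
    if any(n.upper() == BAGLE_B_RUN_VALUE for n in run_values):
        found.append("run-key value")
    return found


def read_run_values():
    """Enumerate name -> data under HKLM\\...\\Run (Windows only; uses the stdlib winreg module)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = data
            i += 1
    return values


if __name__ == "__main__":
    if sys.platform == "win32":
        netstat = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
        files = [BAGLE_B_FILE] if os.path.exists(BAGLE_B_FILE) else []
        run_values = read_run_values()
    else:
        netstat, files, run_values = SAMPLE_NETSTAT, [], {}
    print("backdoor ports listening:", suspicious_ports(netstat) or "none")
    print("Bagle.B indicators:", bagle_b_indicators(files, run_values) or "none")
```

A hit on a port alone is not proof of infection (another service may legitimately use it), but a listening 3127 or 8866 together with the file or Run-key indicator is a strong signal; in that case treat the host as compromised, take it off the network and rebuild or clean it with current anti-virus signatures rather than just deleting the file.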