Virus Alerts
NOTE: Since the article links on this page are over a decade old, they might not be valid any more.
See Real-Time Virus Activity Map
It's not perfect, but there is an article on Denial of Service attacks on pages 203 and 204 of the April 21, 1998 issue of PC Magazine.
W32/SQLSlammer
Jan. 27, 2002: Last Friday, Jan. 24, around 9:30 PM, a new worm began causing denial of service attacks across the Internet. This worm took advantage of a security vulnerability in Microsoft SQL Server 2000. Microsoft issued a patch for the vulnerability six months ago, but many servers were not patched.
To reduce the potential for infection or attack, block UDP port 1434 at your routers.
For more information:
- CNET: Computer worm slows global Net traffic
- CNET: Worm exposes apathy, Microsoft flaws
- CNET: Counting the cost of Slammer
W32.Nimda.A@mm
This worm is similar to Code Red, but is not a variant of it. Means of infection include e-mail attachments and infected web sites. The attachment is usually README.EXE. The link on an infected web page is also README. For more information:
- CNET News.com: Nimda resurgence falls flat
- McAfee: Virus Information Library
- Symantec: Symantec Security Response -- W32.Nimda.A@mm
- ZDNN: Nimda set for a return?
- NIPC: Mass Mailing Worm W32.Nimda.A@mm
- CNET News.com: Nimda worm damage assessed
- ZDNet: Is Microsoft liable?
- ZDNN: Nimda spreads its venom
Win32.All3gro.A
A new worm pretends to be a tool for removing the SirCam, Badtrans, and PrettyPark worms, but doesn't completely do it. In addition, depending on the day of the week, it tries to delete documents or system files and then e-mails itself to people in your address book.
It arrives with a subject line of "New antivirus tool" and an attachment named "antivirus.exe".
Trojan.Offensive
This trojan uses an old bug in Microsoft's Java Virtual Machine to delete critical system files from your system. It arrives as an e-mail with a single hyperlink labelled "Start." All versions of Internet Explorer between version 3 and 5.5SP1 are affected.
Code Red II
Another worm that exploits the same security hole as the Code Red worm has appeared. This one opens a hole for others.
For more information:
W32/Sircam Worm
On July 25, 2001, CERT issued an advisory for the W32/Sircam worm. This worm has been spreading wildly since July 17. The worm is contained within e-mail messages written in either English or Spanish. Once the worm has infected a system, it will copy itself into unprotected network shares. It will also send copies of itself via e-mail to everyone in your address books, attaching a random file from your computer's hard drive in the process. This worm hides itself in your computer's Recycle Bin. It may also fill your computer's C: drive, depending on the system date.
For more information:
- CERT: W32/Sircam Malicious Code
- CNET: SirCam worm snatches FBI documents
- CNET: FAQ: What you need to know about SirCam
- ZDNet: SirCam hits FBI cyber-protection unit
- Symantec: SARC Write-up - W32.Sircam.Worm@mm
- McAfee: W32/SirCam@mm
"Code Red" worm
On Friday, July 13, 2001, eEye Digital Security reported that a worm was spreading through the Internet by exploiting a security hole in the Microsoft IIS web server. It has become apparent that the worm's actions depend on the day of the month. On some days, it tries to spread to other hosts. On other days, it is either dormant, or it attempts a denial of service attack on the web site for the White House. At least one variant also defaces the victim web site. For more information:
- eEye: .ida "Code Red" Worm
- eEye: Code Red Scanner
- NIPC:
- CERT: "Code Red" Worm Exploiting Buffer Overflow in IIS Indexing Service DLL
- CNET: New worm has Net seeing "Red"
- ZDNet: Sayonara, Code Red, for now
- ZDNet: Worm has servers seeing 'Code Red'
- Help Net Security: Special Coverage: The Code Red worm
- Critical Watch: Tool to remove IDA script mappings
Winux
March 28, 2001: This virus can infect both Windows and Linux executable files. It does nothing other than try to infect as many files as possible. For more information:
- ZDNet: Experts debate severity of 'Winux' virus
- CNET News.com: Emergent virus can infect Windows, Linux
Lion
March 23, 2001: A worm that attacks Linux servers running certain versions of the BIND name server that contain security vulnerabilities. The defense against this worm is to make sure you have installed all available patches for BIND. This worm may mutate and run on other variants of Unix (since BIND is not specific to Linux). For more information:
- CNET News.com: "Lion" worm stalks Linux machines
- ZDNet: New 'Lion' virus on the loose
Melissa-X/Melissa 2001
January 18, 2001: Another variant of the Melissa virus has appeared. The attachment purports to be a Macintosh-formatted Microsoft Office document. For more information:
- CNET News.com: Melissa variant spreads as Mac document
Ramen
January 17, 2001: No, not the noodles. This is the Ramen worm. It uses several well-known vulnerabilities for which patches were released months ago, so it only infects systems where the patches have not been installed. It also only infects Red Hat Linux 6.2 and 7.0 systems, even though the vulnerabilities also exist on other Unix variants. For Red Hat 6.2, the worm looks for the vulnerabilities in the rpc.statd and wu-ftpd daemons. For Red Hat 7.0, it looks for the vulnerability in the lpd daemon. Once compromised, the victim server is used to scan for and attack other servers with the same vulnerabilities. For more information:
- CNET News.com: Ramen Linux worm mutating, multiplying
- CNET News.com: Internet worm squirms into Linux servers
- CERT Coordination Center: Widespread Compromises via "ramen" Toolkit
- CERT Coordination Center: Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
Older Virus Advisories