Discovered on: March 13, 2002
This is a mass-mailing worm that sends itself to all entries in the Windows Address Book, using the SMTP server of the infected user. It contains no payload. The email arrives with an attachment named patch.exe. For addresses ending in .jp, there are 16 Japanese language subjects, one of which is chosen randomly each time.
Also Known As: W32.Dotjaypee@mm, W32/FBound.c@mm, WORM_FIDAO, WORM_FBOUND.B, FIDAO.A, FIDAO, W32/Fbound.b@MM, Win32/Japanize.Worm, I-Worm.Zircon.B
Infection Length: 12288
VBS/LoveLet-DO is a minor variant of the VBS/LoveLet-AS Visual Basic Script worm.
The worm forwards itself in an email with the following characteristics:
Subject line: US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<= or a random 6 letter string.
Body text: VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURE.. or a random 10 letter string.
Attachment: random attachment name
OSF.8759 is a Linux virus infecting ELF executable programs.
OSF consists of two quite distinct parts: a viral part and a backdoor part.
The virus checks if its code is executed under the debugger and if so, it skips the file infection routine altogether. This routine is also avoided if the infected file is executed from the /proc or /dev directories. Otherwise, it infects up to 200 files in the current directory as well as up to 200 files in the /bin directory. The virus avoids infecting the “ps” program (and all programs with names ending with the string “ps”).
Infected files increase their size by 8759 bytes. The virus marks all infected programs by setting a value of the byte at offset 0x0A to 2.
The backdoor procedure establishes a server listening on port 3049 (or higher). Depending on the contents of packets received from a client, OSF may present a remote user with an interactive shell or execute commands on a local system using the syntax: “/bin/sh -c command”.
Win32.Alcaul.AF is an e-mail worm which spreads using Microsoft Outlook. It arrives in the following message:
Hello... You're Randomly Chosen As A Tester...
...Check out this new game from www.tucows.com..
This mass-mailing worm is also a utility (dubbed 'Active Mouse' by its author) designed to simulate activity on the host machine. Additionally, however, once running, it also mails itself to recipients listed in the Outlook Address Book.
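A check for the OSF.8759 infection marker described in the post above (byte at offset 0x0A set to 2 in an ELF file), as an added example that is not part of the original post or any vendor's tooling. The function names and sample files are constructed for illustration; offset 0x0A lies in the ELF identification padding, which is normally zero, so a hit is a lead for closer inspection rather than a verdict.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
MARKER_OFFSET = 0x0A   # inside the e_ident padding bytes, normally zero
MARKER_VALUE = 2       # value the post says OSF writes into infected files


def has_osf_marker(path):
    """Return True if path is an ELF file whose byte 0x0A equals 2."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(16)   # e_ident is the first 16 bytes
    except OSError:
        return False               # unreadable files are skipped, not flagged
    return (len(header) == 16
            and header[:4] == ELF_MAGIC
            and header[MARKER_OFFSET] == MARKER_VALUE)


def scan_directory(directory):
    """Names of regular files directly in directory that carry the marker."""
    with os.scandir(directory) as it:
        entries = sorted(it, key=lambda e: e.name)
    return [e.name for e in entries
            if e.is_file(follow_symlinks=False) and has_osf_marker(e.path)]


def build_sample_dir():
    """Write constructed 16-byte headers (not real binaries) for a self-check."""
    clean = ELF_MAGIC + b"\x02\x01\x01\x00" + b"\x00" * 8
    marked = bytearray(clean)
    marked[MARKER_OFFSET] = MARKER_VALUE
    not_elf = b"MZ" + b"\x00" * 8 + b"\x02" + b"\x00" * 5  # marker byte, wrong magic
    directory = tempfile.mkdtemp(prefix="osf_check_")
    for name, data in (("clean_elf", clean), ("marked_elf", bytes(marked)),
                       ("not_elf", not_elf), ("short", b"\x7fELF")):
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return directory


if __name__ == "__main__":
    # /bin is one of the two locations the post says the virus infects.
    for name in scan_directory("/bin"):
        print("marker present:", name)
```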
Hey Zigar, with all the new virii you post about you should assume an alternate identity and name it "Harbinger of Sorrow". hehe. Thanks for the heads up.
March 14th, 2002, 04:58 PM
Lol....I was just thinking "Oh, goody, more good news!!" No, seriously, I appreciate your posts zigar, because then I can ignore all those stupid WARNING hoax virus alerts I get in my email all the time!
I must have the most gullible friends known to man.....
Really zigar, I do appreciate them, it makes it a little easier if you at least know what to look for. ;)
March 14th, 2002, 05:25 PM
Good post Zigar, I better leave the virus warnings for the pros :)
More info about W32/FBound.c@mm can be found here..