Discovered on: March 13, 2002
This is a mass-mailing worm that sends itself to all entries in the Windows Address Book, using the SMTP server of the infected user. It contains no payload. The email arrives with an attachment named patch.exe. For addresses ending in .jp, there are 16 Japanese language subjects, one of which is chosen randomly each time.

Also Known As: W32.Dotjaypee@mm, W32/FBound.c@mm, WORM_FIDAO, WORM_FBOUND.B, FIDAO.A, FIDAO, W32/Fbound.b@MM, Win32/Japanize.Worm, I-Worm.Zircon.B

Type: Worm
Infection Length: 12288
Threat Assessment:
Wild: Medium
Damage: Low
Distribution: High


Visual Basic Script worm

VBS/LoveLet-DO is a minor variant of the VBS/LoveLet-AS Visual Basic Script worm.
The worm forwards itself in an email with the following characteristics:
Subject line: US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<= or a random 6 letter string.
Body text: VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURE.. or a random 10 letter string.
Attachment: random attachment name


Alias: Linux.Osf.8759
Category: UNIX/Linux
Type: Virus
OSF.8759 is a Linux virus infecting ELF executable programs.
OSF consists of two quite distinct parts: a viral part and a backdoor part.
The virus checks if its code is executed under the debugger and if so, it skips the file infection routine altogether. This routine is also avoided if the infected file is executed from the /proc or /dev directories. Otherwise, it infects up to 200 files in the current directory as well as up to 200 files in the /bin directory. The virus avoids infecting the “ps” program (and all programs with names ending with the string “ps”).
Infected files increase their size by 8759 bytes. The virus marks all infected programs by setting a value of the byte at offset 0x0A to 2.
The backdoor procedure establishes a server listening on port 3049 (or higher). Depending on the contents of packets received from a client OSF may present a remote user with an interactive shell or execute commands on a local system using the syntax: “/bin/sh –c command”.


Alias: Win32.Alcarys.C, Win32.Alcarys.D, Win32.Alcop.R
Category: Win32
Type: Worm

Win32.Alcaul.AF is an e-mail worm which spreads using Microsoft Outlook. It arrives in the following message:
Hello... You're Randomly Chosen As A Tester...
...Check out this new game from www.tucows.com..
vbgame.com, regkey.pif


Discovery Date: 03/14/2002
Origin: Unknown
Length: 61,440 bytes
Type: Virus
SubType: E-mail

Virus Characteristics
This mass-mailing worm is also a utility (dubbed 'Active Mouse' by its author) designed to simulate activity on the host machine. Additionally however, once running it also mails itself to recipients listed in the Outlook Address Book.