Hi Guys,

I have a few here for today.. One has already been posted in this forum.. I have provided links for those.. Excellent posts from chinasandy and black_death

Cheers

Zokrim info here
W32.Zokrim.B@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to all the contacts in the Outlook Address Book. The email has the following characteristics:

Subject: La tua amica Morena
Message: Ciao... e da tanto che non ci sentiamo!!! Come stai ??
Attachment: Morena.exe

When W32.Zokrim.B@mm runs, it displays a message: "File not found c:\windows\," and illustrates a .jpg photo, named morena.jpg.

W32.Zokrim.B@mm also attempts to spread using mIRC. This threat is written in the Microsoft Visual Basic programming language.




Type: Worm
Infection Length: 36,864
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
Dormin info here

W32.HLLW.Dormin.A@mm is a mass-mailing worm that sends itself to all the contacts in the Microsoft Outlook Address Book. The email has the following characteristics:

Subject: Check this out!
Attachment: FlashMovie.exe

When W32.HLLW.Dormin.A@mm is run, it displays the fake error message, "MacroMedia Shockwave Flash is not installed!"




Type: Worm
Infection Length: 45,056 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
Slakor info here

W32.Slackor is a worm that attempts to copy itself over Windows NT-based networks. When attempting to find computers to infect, the worm queries other computers using TCP port 445.

W32.Slackor is written in the Microsoft Visual Basic programming language.



Also Known As: Troj/Slacker-A [Sophos], Worm.Win32.Slackor [KAV]
Type: Worm
Infection Length: 28,672 bytes, vary
Systems Affected: Windows NT, Windows 2000, Windows XP
Systems Not Affected: Windows 95, Windows 98, Windows Me, Macintosh, OS/2, UNIX, Linux
bibrog info here

W32.Bibrog.B@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to all the contacts in the Outlook Address Book.

When the worm is executed, it:

Opens a program that looks like a shooting game.
May also change your Windows wallpaper.

The email message has the following characteristics:

Subject: Fwd:La Academia Azteca
Message: La cacademia azteca (muy bueno) ¡no es virus!
Attachment: Academia.exe

This worm also attempts to spread through the KaZaA, Grokster, and Morpheus file-sharing networks, as well as through ICQ.



Also Known As: W32/Bibrog.b@MM [McAfee]
Type: Worm
Infection Length: 245,760 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
Daboom info here

W32.HLLW.Daboom@mm is a mass-mailing worm that replicates by email. It sends itself to the addresses it finds in the:

Windows Address Book
.htm and .html files stored in the Internet Explorer cache

The email message has a subject, message, and attachment; all of which are randomly chosen. The attachment will have a .pif file extension.

W32.HLLW.Daboom@mm also contains backdoor Trojan capabilities which permit unauthorized access to an infected computer.

W32.HLLW.Daboom@mm is a Visual Basic (p-code) application packed with UPX 1.20.



Type: Worm
Infection Length: 48,128 bytes
Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux
CVE References: CVE-2001-0154
Deloder info here
On theis Forum Here
And also Here

Symantec Security Response is aware of a new worm which attempts to connect to a target host using TCP port 445. Upon successful connection, the worm copies a backdoor Trojan component, a file named inst.exe detected as Backdoor.Dvldr, to a set of paths hardcoded into the worm in order to load the Trojan from the StartUp folder. Then the worm attempts to launch remote services which perform actions such as copying and executing the backdoor, copying and executing the worm, deleting default shares and changing the attributes of the worm and backdoor Trojan to read only.

The worm exists as the file dvldr32.exe and is packed with ASPack.

Additional information will be provided as analysis continues.




Type: Worm
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux