-
March 19 Alerts
W32.Atram@mm
Discovered on: March 19, 2002
Last Updated on: March 19, 2002 at 06:33:07 PM PST
W32.Atram@mm is a mass mailing worm that uses its own SMTP engine. Upon execution the worm will copy itself to "C:\WINDOWS\dllmgr.exe". It will also display 7 Message Boxes in Italian.
Also Known As: W32.Atram@mm, I-Worm.Borzella, Win32/Borzella.Worm, WORM_PORKIS.A, Win32.Storielle
http://sarc.com/avcenter/venc/data/[email protected]
W32/Gemi Low
Virus Information
Discovery Date: 03/18/2002
Origin: Italy
Length: Varies on target file, average size increase 6300
Type: Virus
SubType: File Infector
Virus Characteristics
The W32/Gemi virus is a direct infection virus. After running a single infected file, the virus will search all suitable files to infect on the local machine. Target files are 32 bit PE (Portable Executable) files, such as .EXE .DLL .SCR. The virus adds its code to the target files, usually at the end of the file. A string "gemini" is visible in these files.
The virus drops a file called "GEMINI.EXE" in the "\windows" directory. For example \windows\gemini.exe on win9x based systems, and \winnt\gemini.exe for Win2000 based systems.
During testing, the filesize of the dropped gemini.exe was 2788 bytes, but the actual filesize may be dependent on disk layout.
The viral process is visible in the task manager as "gemini".
http://vil.nai.com/vil/content/v_99405.htm
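A triage sketch built from the indicators in the two alerts above, as an added example that is not part of the original post or of either vendor's write-up: it flags the dropped-file names and 32-bit PE files with the targeted extensions that contain the "gemini" string. The function names, the case-insensitive match and the sample tree are assumptions made for illustration, and a string hit is only a lead for an AV scan, not a verdict.

```python
import os
import struct

MARKER = b"gemini"                      # string the alert says is visible in infected files
TARGET_EXTS = {".exe", ".dll", ".scr"}  # target types named in the alert
DROPPED_NAMES = {"gemini.exe", "dllmgr.exe"}  # dropped-file names from the two alerts


def is_pe32(data):
    """True if data has an MZ header, a PE signature and the PE32 optional-header magic."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return magic == 0x10B  # 0x10B = PE32 (32-bit); 0x20B would be PE32+


def triage(root):
    """Walk root and return sorted (relative_path, reason) findings (hypothetical helper)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() in DROPPED_NAMES:  # name match in any directory, not only \windows
                findings.append((rel, "dropped-file name"))
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable file: skip
            if is_pe32(data) and MARKER in data.lower():
                findings.append((rel, "PE32 file containing marker string"))
    return sorted(findings)


def build_sample(root):
    """Constructed sample tree: minimal fake PE32 headers, no real malware content."""
    header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    pe = header + b"PE\x00\x00" + b"\x00" * 20 + struct.pack("<H", 0x10B) + b"\x00" * 64
    samples = {"clean.exe": pe, "tagged.dll": pe + b"gemini", "notes.txt": b"gemini",
               "gemini.exe": b"\x00" * 16}
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
```

Run `triage()` against a mounted or offline copy of the disk where possible, since files in use on a live system may be locked and skipped.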
-
Thanks for the info, zigar! It's always nice to come here and see up-to-date alerts from you. Especially on the MS forum.
Thanks!