Hi Guys,

Here are today's newest fast spreaders..

more details via links provided..

Cheers

first found Here at Symantec

W32.HLLW.Tang@mm is a mass mailing worm that attempts to disguise itself as a file, which Windows does not recognize. The worm uses the icon of an unregistered file type to perform this.

W32.HLLW.Tang@mm emails itself to all the contacts in the Windows Address Book. It also attempts to spread itself through the file-sharing networks, IRC, Microsoft Word Documents, Microsoft Excel Spreadsheets and across mapped drives.

The worm is written in Microsoft Visual Basic (VB) and is compressed with UPX. The VB run-time libraries must be installed for the worm to be executed.


Also Known As: W32/Gant@MM [McAfee], I-Worm.Tanger [KAV]
Type: Virus, Worm
Infection Length: 21,504 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux

second

found Also at Symantec

W32.Ixas@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all the contacts in Windows Address Book.

The email has the following characteristics:

From: <random letters>@delfi.lt
Subject: The subject can be one of the following:

Gift for you
Urgent NEWs
EBAY Update
Antivirus Update
Urgent Windows UPDATE
Hi, look this attcahment
Hello, please wisit this nice site
Attachment: Attachment has a random file name.

The worm also sends itself to the email addresses it finds from the incoming emails. The email it creates for this set of email addresses has the following characteristics:

Subject: Re:
Attachment: Attachment has a random file name.
Message:
I reply as soon as possible to your email
You wrote:----------

Several variants of this threat have been found. All the variants are written in the Microsoft C++ programming language. ASPack packs some of the variants.


Also Known As: WORM_IXAS.A [Trend], W32/Ixas@MM [McAfee], W32/GvoWFI.A@mm [F-Prot]
Type: Worm
Infection Length: 112,128 bytes, 114,688 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux

and third..

Also from Symantec

W32.HLLW.Lovgate@mm is a mass mailing worm that attempts to email itself to all the email addresses that it finds in the files with the file extension that starts with "ht" (for example, all the .htm or .hta files). The subject and attachment of the incoming email will be chosen from a predetermined list.

W32.HLLW.Lovgate@mm also attempts to copy itself to all the computers on a local network, and then infect these computers. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 10168.

If the infected computer is running Windows NT, 2000, or XP, the worm will attempt to disguise itself as the normal Windows process, "LSASS.EXE."

W32.HLLW.Lovgate@mm is written in the C++ programming language and is compressed with ASPack.




Type: Worm
Infection Length: 77,312 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux

When dealing with "Network Aware" Worms/Virii these little buggers can, and do, download updates of themselves as well as spread both over the LAN and internet.. Once found on a system that is a part of a network first disconnect it from the network and carefully remove the infection.. DON'T TRUST ANY VIRUS REMOVAL TOOLS 100%.. Use your knowledge of the system to spot "inconsistent" file names and types (a bit hard if you work with different O/S and system configs)..

Don't expect the AV companies' description of the virus and its files and registry keys to be 100% consistent with what you find..

NEVER Share the Root (C:\) of the HDD, only the Folders that are needed and certainly never "Windows" and "Program Files"... I have seen comments that NetBIOS be disabled completely, and all file sharing via FTP..
Oh and "Reasonable password" placed on access for the file shares..

Why do I say all this.. yep I got caught today.. strange network and a triple infection.. QAZ, Funlove and Opasrv.i/k/n (yes 3 versions.. n gave me trouble)

Cheers
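
The W32.Ixas@mm email characteristics quoted above can be turned into a mail-gateway check. This is an added example, not part of the original posts or of Symantec's write-up; the function names, the sample messages and the attachment name `xkqzr.bin` are constructed for illustration, and treating "Re:" as a subject prefix is an assumption.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Subject lines exactly as quoted in the advisory (the typos are the worm's own).
IXAS_SUBJECTS = {
    "Gift for you", "Urgent NEWs", "EBAY Update", "Antivirus Update",
    "Urgent Windows UPDATE", "Hi, look this attcahment",
    "Hello, please wisit this nice site",
}
REPLY_MARKERS = ("I reply as soon as possible to your email", "You wrote:")

def _body_text(msg):
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "latin-1", "replace"))
    return "\n".join(chunks)

def classify_ixas(raw):
    """Return 'address-book', 'reply' or None for a raw RFC 822 message."""
    msg = message_from_string(raw)
    # Both mail forms carry an attachment; without one there is nothing to match.
    if not any(part.get_filename() for part in msg.walk()):
        return None
    subject = (msg.get("Subject") or "").strip()
    local, _, domain = parseaddr(msg.get("From", ""))[1].rpartition("@")
    # Form 1: letters-only sender at delfi.lt plus one of the fixed subjects.
    if (domain.lower() == "delfi.lt" and re.fullmatch(r"[A-Za-z]+", local)
            and subject in IXAS_SUBJECTS):
        return "address-book"
    # Form 2: reply to harvested mail; the fixed body text carries the match.
    if subject.startswith("Re:") and all(m in _body_text(msg) for m in REPLY_MARKERS):
        return "reply"
    return None

def make_sample(sender, subject, body, attach=True):
    """Build a constructed test message; not a captured sample."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    if attach:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename="xkqzr.bin")
    return m.as_string()
```

A match is a reason to quarantine the message and inspect the attachment, since delfi.lt also sends legitimate mail.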