MacWizard > Malicious Code Alert Center > Urgent Alerts

Urgent Alerts
Take Immediate Action
Click on the title to link to a detailed description

SQL Slammer Worm or Sapphire or W32.SQLExp.Worm or W32/SQLSlam-A - This worm results in the unintended payload of performing a Denial of Service attack, targeting systems running Microsoft SQL server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL, the Server Resolution Service Port.

Symantec offers a removal tool (click on the title above). A Microsoft patch is available at the last link below. Systems Affected: Windows 95, Windows 98, Windows NT, WIndows 2000, Windows XP, Windows ME. Systems NOT Affected: Windows 3.x, Microsoft IIS, Macintosh, OS/2, UNIX, Linux.

Read Sophos' W32/SQLSlam-A alert, their Slammer FAQ page, and their SQLSlammer warning. The following security alerts will be of interest to system administrators: Microsoft Security Bulletin MS02-039. The Microsoft patch is available at: Microsoft Security Bulletin MS02-061.

UPDATE: SQL Slammer caused the disruption of the Bank of America's ATM system, Continental Airlines computer systems, and the operation of a 911 call center near Seattle Washington.

Klez.E Immunity or Honey or Undeliverable Mail , etc - W32.Klez.H@mm or W32.Klez.E@mm - This worm, which carries the virus ElKern-C, goes by several different names and has multiple variants. It is spread by email and network shares. The enclosed virus infects files. This worm is actively circulating. Do NOT open any of the files attached to the email even if you are working from a platform that is not affected. Note that the email itself can NOT infect your computer. Click the title above to read the full description at Symantec's Security Response or click here to read the alert. The information below should allow you to determine if the email you may have received contains this malicious code.

The email with attached worm and enclosed virus can be received by any email client on any platform. Operating Systems Affected: Windows 95, WIndows 98, Windows NT, Windows 2000, Windows XP, Windows ME. Systems NOT Affected: Macintosh OS, Macintosh OS X, OS/2, UNIX, Linux. Application Software Affected: Outlook, Outlook Express, Internet Explorer.

The subject line can be any of the following: "Worm Klez.E Immunity", "Undeliverable Mail...", "Returned mail", "how are you", "some questions", "darling", "honey", "congratulations", "welcome to my hometown", "your password", "let's be friends", "eager to see you", questionnaire", "meeting notice", "please try again", "Hi", "Hello", "Re:", "Fw:", or blank, among others (refer to links above).

The worm also makes use of random words in short sentences in the subject line as in the following:

"a [random word] [random word] game"
"a [random word] [random word] tool"
"a [random word] [random word] website"
"a [random word] [random word] patch"
"a [random word] [random word] Allhallowmas"
"a [random word] [random word] Epiphany"

The random words could be any combination of the following: "new", "funny", "nice", "humour", "excite", "good", "powful", "WinXP", "IE 6.0", "W32.Elkern", "W32.Klez.E", "Symantec", "Mcafee", "F-Secure", "Sophos", "Trendmicro", "Kaspersky", "removal tools".

The body of the email message is random, and can be disguised as a free distribution of an immunity tool or may have no content what-so-ever.

The attached file could be labeled "setup.exe".

Once launched, the worm copies itself into the Windows system directory with a random filename. The filename begins with the characters "wink" and has the extension "EXE". W32/Klez-H may also attempt to exploit a MIME and IFRAME vulnerability, and spread to remote shares on other machines using random filenames with double extensions (i.e. ".txt.pif", ".xls.bat", ".jpg.scr"). The 1st extension will be one of the following: ".txt", ".htm", ".html", ".wab", ".asp", ".doc", ".rtf", ".xls", ".jpg", ".cpp", ".c", ".pas", ".mpg", ".mpeg", ".bak", ".mp3, ".pdf". The 2nd extension will be one of the following: "pif", "scr", "exe", or "bat".

For Windows users, Microsoft has issued a patch which secures against this vulnerability. It can be downloaded from Microsoft Security Bulletin MS01-027.

Using a technique called "spoofing" the worm searches the Windows address book, the ICQ database, and local files (i.e. Outlook) for email addresses (in files ending with .txt, htm, html, wab, asp, doc, rtf, xls, jpg, cpp, c, pas, mpg, mpeg, bak, mp3, and pdf), then using a found name and address as the "From..." address, sends itself to someone else in your address book. The worm also randomly selects a file (".txt", ".doc", ".jpg", ".jpeg", etc.) from your computer and attaches that as a third file.

The dead give-away that this is the Klez worm is the subject line "Worm Klez.E Immunity", and the following message, although the worm takes many other forms:

"Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC. NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me."

OR (note the poor grammar)...

W32.Klez.E is a dangerous virus that spread through email.
Mcafee give you the W32.Klez.E removal tools

For more information,please visit

AOL BlackJack Scheme / BJSETUP.EXR Trojan Horse - AOL has encountered a very destructive trojan horse distributed in a file named "BJSETUP.EXE". This malicious code not only steals your AOL password, it also renders your computer unuseable. AOL warns that this is NOT a set-up program for any type of game and under NO circumstances should the file be downloaded and launched. AOL asks that you forward the email with attachment to the AOL screen name "TOS Files". AOL also notes that they do NOT distribute program files to members via email.

I-Worm or Avron.b or Win32/Lirva.c Worm or W32.Lirva.C@mm - This is a mass mailing worm (with many aliases) that spreads by IRC, IRQ, KaZaA, and open network shares. It is a variant of W32.Lirva.A@mm. This worm attempts to terminate antivirus and firewall products. It takes advantage of a vulnerability in in Outlook and auto-executes when the email is read or previewed. Affects Windows 95, WIndows 98, and Windows ME. Information on this vulnerability and a patch are available at Microsoft.

If the day of the month is the 7th, 11th, or 24th, the worm will launch your web browser, link to and display a graphic animation on the Windows desktop.

W32.Sobig.worm - This worm has spread rapidly since it's initial discovery on January 9, 2003. "SoBig", as it's been dubbed, always sends itself with the "" address. The subject line will be one of the following: "Re: Here is that sample", "Re: Document", "Re: Sample", "Re: Movies". The message body will read either "Attached File" or blank, and there will be an attachment with one of the following names: "Sample.pif", "Untitled1.pif", "Document003.pif", "Movie_0074.mpeg.pif". SoBig is a network worm, copying itself to the startup folder on network shares. Operating Systems Affected: Windows. Read more about this worm at F-Secure.

ExploreZip - A new variant of the highly destructive ExploreZip worm has been discovered circulating in the wild on January 8, 2003. This worm is highly destructive, wiping out multiple file types on multiple drives. This worm goes undetected by leading anit-virus software, although security software firms are expected to respond quickly. The ExploreZip worm is sent as a reply to a legitimate email, thus the subject line will be that of the original and valid email. The message reads:

"Hi... I received your email and shall send you a reply ASAP. Till then, take a look at the attached zipped docs. Bye"

The file attached to the email is named "zipped_files.exe" and has a WinZip icon to fool users into believing it is a self-extracting zip file. If opened, the worm will first display the following message;

"Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."

This variant begins searching all local drives for ".c", ".cpp", ".h", ".asm", ".doc", ".xls", and ".ppt" file types, which are overwritten continuously in 30 minute increments. Read more about this worm at iDEFENSE.





Report Broken Links to WebMaster

© 2003