Computer Protection Program at Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory

Alerts Archive

The Impo Worm

Impo is another mail-based worm that sends itself to all addresses in the Windows address book. Unlike MyLife, however, Impo does not damage the systems that it infects. Impo arrives as an email message containing an attachment that is generally named patch.exe.

For addresses that end in .jp, Impo randomly chooses one of 17 Japanese language subjects. Otherwise, the subject is almost always "important." Cleaning up Impo requires updating Norton AntiVirus on the infected system, then running a full system scan, although it is best to call HELP to make sure that everything is done correctly.

For more information, go to Symantec's description of the Impo Worm.


The Iraq Oil Worm

Still another new worm called the "Iraq oil worm" (also known as "Diatrix," "W32/Lioten," "W32.Lioten," and "I-Worm.Liotenis") is also spreading. It exploits open shares on systems running Windows NT, 2000, and XP. The worm spreads by searching the Internet for computers with file sharing enabled, generating random IP addresses to find a new victim to connect to. It then launches a brute-force password attack against any system that responds. If the attack succeeds, the worm copies itself onto the victim, placing its code in the system32 directory, and creates a start-up entry so that it runs every time the victim system boots. Although the damage the worm causes is minimal, cleaning up after an "Iraq oil worm" infection can be tedious.


ILOVEYOU Virus

The original ILOVEYOU Virus, a type of virus that can replicate itself, travels in an e-mail with the subject line "ILOVEYOU" and contains an attachment called LOVE-LETTER-FOR-YOU.TXT.VBS. There are at least 30 variants of the ILOVEYOU worm. Some of these variants look very different from the original worm, and e-mail filters may not detect all of them.

For an up-to-date list of the known variants, see http://www.ciac.org/ciac/bulletins/k-039.shtml.

To combat the ILOVEYOU Virus, use caution opening any attachments if the email or attachments have unexpected text or titles. Virus writers are using many tricks to get you to run attachments, such as sending .zip files and files with extensions .txt.vbs (which may appear to be a text file). It is impossible to know what trick they will use next.
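The double-extension trick the paragraph above describes (a .TXT.VBS file that displays as a text file) is something a mail gateway can check for mechanically. The following is an added Python example, not a filter from the original alert or from any vendor: it flags the attachment names this page ties to specific worms (LOVE-LETTER-FOR-YOU.TXT.VBS, Impo's patch.exe, and the %USERNAME%.KISS.OK.EXE naming used by Lovelorn, described further down), decoy data extensions in front of an executable one, and whitespace padding. The extension sets and rule wording are this example's own assumptions.

```python
import re

# Extensions Windows will execute. Explorer hides the last extension by default,
# so LOVE-LETTER-FOR-YOU.TXT.VBS is displayed as LOVE-LETTER-FOR-YOU.TXT.
EXECUTABLE_EXTS = {"exe", "vbs", "vbe", "js", "jse", "scr", "pif", "com", "bat", "cmd"}
# Extensions a reader takes for harmless data and that worms use as decoys (assumed set).
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "htm", "html", "pdf"}
# Attachment names the alerts on this page tie to specific worms.
KNOWN_NAMES = {"love-letter-for-you.txt.vbs": "ILOVEYOU", "patch.exe": "Impo"}
# Lovelorn (described further down the page) mails itself as <sender>.KISS.OK.EXE.
LOVELORN_PATTERN = re.compile(r"^[^.]+\.kiss\.ok\.exe$")

def classify_attachment(filename):
    """Return the reasons an attachment name is suspicious (empty list if none)."""
    name = filename.strip().lower()
    reasons = []
    if name in KNOWN_NAMES:
        reasons.append(f"known worm attachment ({KNOWN_NAMES[name]})")
    if LOVELORN_PATTERN.match(name):
        reasons.append("matches the Lovelorn %USERNAME%.KISS.OK.EXE pattern")
    parts = [p.strip() for p in name.split(".")]
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append(f"double extension: .{parts[-2]} decoy hides .{parts[-1]}")
        else:
            reasons.append(f"executable attachment (.{parts[-1]})")
    # Runs of spaces push the real extension out of view in narrow mail-client columns.
    if re.search(r"\s{5,}\.", name):
        reasons.append("whitespace padding before the final extension")
    return reasons

def filter_message(subject, attachments):
    """Quarantine a message if the subject line or any attachment trips a rule."""
    findings = {a: classify_attachment(a) for a in attachments}
    if subject.strip().upper() == "ILOVEYOU":
        findings["<subject>"] = ["subject line used by the original ILOVEYOU worm"]
    verdict = "quarantine" if any(findings.values()) else "deliver"
    return {"verdict": verdict, "findings": {k: v for k, v in findings.items() if v}}
```

The name check alone would miss the 30-plus ILOVEYOU variants mentioned above; the extension rules are what catch a renamed copy.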


The Jitux.A Worm

The Jitux.A worm (also known as W32/Jitux) uses MSN Messenger to spread. Written in Visual Basic, it targets Windows operating systems such as Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, and Windows XP. Once this worm infects a system, it becomes memory-resident. It then starts sending a message with the content "http:/ /www.home.no/******/jituxramon.exe," prompting recipients to click on this URL. Messages are sent every five minutes. If users comply with the message, a file named "jituxramon.exe" is downloaded from the site, causing an infection. Jitux.A is not destructive, nor does it change any system or application settings. If this worm infects your system, you should disable the system restore function (in Windows Me/XP systems only!), update your system's virus definitions, and then start a full antivirus scan. For more information about this worm and how to remove it, go here.


Klez Worm

New variants of the Klez worm, as well as others, contain their own mail engine and try to guess available mail servers, inserting random subject lines, message bodies, and attachment files. The "From" address is also randomly forged from email addresses that these worms discover on the systems they infect. Because Klez forges sender addresses, most if not all Klez-infected mail appears to come from someone other than the system that actually sent it.

Your best defense against Klez and other email forgers is to keep your antivirus software up to date (daily updates are best) and to avoid opening attachments from people you do not know. Dial 486-HELP if you need assistance.

See also Trend Micro Virus Encyclopedia and Symantec for general information on Klez.

Dos and Don'ts for Cleaning Up Klez

If your system is infected by Klez, download and run the Symantec Klez Cleanup and Eradication Tool.

If this does not fully remove the virus, your system will need to be rebuilt.

There is another Internet hoax. Someone is sending an attachment purporting to be a clean-up tool for infections from the Klez.E virus/worm. Important: Do Not Use This Attachment. The attachment is not a clean-up tool; instead it contains a virus. Don't be fooled--legitimate clean-up tools and patches are not sent over the Internet. You have to download them from vendor or security sites instead. If you receive such an attachment, be sure to delete it right away without opening it.


The Korgo Worm

The Korgo worm (also known as Worm.Win32.Padobot.b or Exploit-Lsass.gen) infects Windows systems such as Windows 98, NT, 2000 and XP. It exploits a buffer overflow vulnerability in Windows Local Security Authority System Services (lsass.exe), as described in Microsoft Security Bulletin 04-011. Various mutants of the Korgo worm have been identified. Although each version is somewhat different from the others, similarities between different versions exist in that they:

  1. Create a mutex that allows only one instance of Korgo to run at any time.
  2. Under certain conditions copy themselves into the system folder (%systemroot%) on each system they infect. The executable has a randomly-determined name.
  3. Insert a value into the Registry to guarantee that this worm will start every time the infected system boots.
  4. Attempt to connect to certain IRC chat servers such as K01irc.kar.net, gaspode.zanet.org.za, lia.zanet.net, irc.tsk.ru, london.uk.eu.undernet.org, washington.dc.us.undernet.org, los-angeles.ca.us.undernet.org, brussels.be.eu.undernet.org, caen.fr.eu.undernet.org, flanders.be.eu.undernet.org, graz.at.eu.undernet.org, moscow-advocat.ru, and gaz-prom.ru.
  5. Open ports that allow back door access to the infected system.

The fact that Korgo can capture keystrokes on machines that it infects increases the threat that it poses considerably. Individuals who use a Korgo-infected system could expose personal data such as social security numbers and mothers' maiden names, as well as credit card numbers and other financial information.

What to Do if Your System Becomes Infected

A Korgo removal tool is available at Symantec. After running this tool, perform the following steps:

  1. In Windows Me and XP systems, disable System Restore.
  2. Update your system's anti-virus software.
  3. Undo any Registry changes that Korgo has made and restart your system.
  4. Perform an anti-virus scan of all hard drives, deleting every infected file.


Lion Worm

In March 2001, a dangerous worm that can steal passwords from Linux servers rapidly spread across the internet and infected other machines. Dubbed the "Lion" Worm, the self-spreading program attacks servers running specific versions of BIND (Berkeley Internet Name Domain) server software. Because it can be so difficult to remove, victims may have to wipe out their entire hard disks.

Linux machines infected with the worm send encrypted administrator-level, or "root," password files to China.com, where hackers can potentially decrypt the passwords and use the information to gain access to various areas of a company's systems. The worm also creates "back doors," which provide administrator-level access to hackers. The worm appears to be a mutation of the Ramen worm that was discovered in January and infects only servers running Red Hat's version of Linux. And, despite the potential problems the worm could cause, little serious damage has been detected so far.

The Lion Worm attempts to protect itself from detection by installing a "root kit" on infected machines, which hides the presence of hacker tools. As a result, IT administrators checking an infected machine may not immediately see it.

As a remedy, SANS has created a program called Lionfind that IT administrators can use to determine if their machines are infected. A patch for this vulnerability has been available from the Internet Software Consortium for several months. The worm could easily mutate to infect other Unix-based machines, including Solaris, AIX and HP-UX.

For further information on the Lion Worm, see http://news.cnet.com/news/0-1003-200-5234726.html


The Lirva.A Worm (W32.Lirva.A Worm)

Another worm, W32.Lirva.A (also known as WORM_LIRVA.A, Win32.Lirva.A, W32/Avril-A, and W32/Lirva.b@MM) is also spreading around the Internet. Lirva.A is a mass-mailing worm that can also replicate itself via KaZaA, IRC, and ICQ, as well as via unprotected shares. It attempts to exploit a Microsoft Outlook vulnerability (see Microsoft Bulletin MS01-020) that allows an attachment this mail client receives to execute itself if the recipient reads or previews an infected email message. Additionally, Lirva.A tries to disable antivirus and personal firewall software. It also sends any cached dial-up passwords in Windows 9X/Me systems to the author of this virus. If the date of the month is the 7th, 11th, or 24th, Lirva.A connects the infected system's browser to www.avril-lavigne.com and shows graphic animation sequences on the desktop. The best preventative measures are to keep your system's antivirus software up to date and (if your system runs Microsoft Outlook) to install the patch described in Microsoft Bulletin MS01-020.


The Lovgate Worm

The Lovgate worm (also known as W32.HLLW.Lovgate@mm, Win32/Lovgate.A@mm, W32/Lovgate.a@M, and I-Worm.Supnot.b) is a mass-mailing worm that infects W9X, WMe, WNT, W2K, and WXP systems. It tries to email attachments containing its code to addresses that it finds in files with extensions beginning with "ht." The names of the subject and attachment in the messages that it sends are varied. Lovgate infects systems in which users open the attachment. It first copies itself into the %systemroot% folder as rpcsrv.exe, winrpc.exe, WinRpcsrv.exe, syshelp.exe, or WinGate.exe. It also copies reg.dll, task.dll, ily.dll, and 1.dll to the same folder and tries to execute them. Afterwards it modifies the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key by adding the following values to it:

syshelp %systemroot%\syshelp.exe
WinGate initialize %systemroot%\WinGate.exe -remoteshell
Module Call initialize RUNDLL32.EXE reg.dll ondll_reg

This enables Lovgate to run every time the infected system is booted. This worm also changes the value of HKEY_CLASSES_ROOT\txtfile\shell\open\command to winrpc.exe %1.

Lovgate also copies itself to every folder that is accessible via a network share on the infected system. This worm assigns a variety of names (all of which have an .exe extension), such as setup.exe, docs.exe, and fun.exe. Additionally, Lovgate listens on port 10168 and sends email to this worm’s author to notify this person that the system has been infected. The author can subsequently gain a remote command shell to the system by entering a password. On W9X and WMe systems, Lovgate adds the following entry to the [Windows] section in win.ini:

run=rpcsrv.exe

In WNT, W2K, and WXP, the worm copies itself as %systemroot%\ssrv.exe and also creates a new Registry key named "HKEY_LOCAL_MACHINE\Software\KittyXP.sql\Install."

It also modifies HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows in WNT, W2K, and WXP systems by adding the value:

run rpcsrv.exe

Lovgate determines whether or not lsass.exe is running; if it is, it tries to disguise itself by spawning an identically named thread. This thread listens on port 20168, allowing any perpetrator who knows that the system is infected to gain unauthenticated remote access through a special component named “Windows Management Extension."

Lovgate also scans other computers within the same local network and tries to log on to them using a small password dictionary. If successful in logging on to a system, it copies itself into that system as

\\<hostname>\admin$\system32\stg.exe

and then tries to start itself as a service named "Microsoft NetWork Services FireWall."

Many variants of Lovgate (Lovgate B–K) now exist, of which Lovgate.K is the most recent. This particular variant has been repacked to help it evade detection by antivirus software. Because Lovgate and its many variants change so many things in infected systems, using an automated cleanup tool is the best alternative for cleaning up Lovgate infections. A Lovgate removal tool is available here.
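Because the Lovgate indicators above are concrete (the three Run values, the changed txtfile handler, and the listening ports 10168 and 20168), a first-pass triage can check for them in artifacts exported from a suspect machine before deciding whether to run the removal tool. The following is an added Python example, not the Lab's or Symantec's tool: it parses a constructed .reg export of the Run and txtfile keys and constructed netstat -an output; the value names, file names and ports come from the text above, and the sample data is made up for the example. The same Run-key check applies to the Registry entry the Korgo section says that worm adds.

```python
import re
# Indicators taken from the Lovgate description above: Run values, txtfile hijack, backdoor ports.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
TXT_KEY = r"hkey_classes_root\txtfile\shell\open\command"
LOVGATE_RUN_NAMES = {"syshelp", "wingate initialize", "module call initialize"}
LOVGATE_FILES = {"syshelp.exe", "wingate.exe", "rpcsrv.exe", "winrpc.exe", "winrpcsrv.exe", "ssrv.exe"}
LOVGATE_PORTS = {10168, 20168}

# Constructed sample artifacts (not captured from a real infection); the "Updater" entry is benign.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"syshelp"="C:\\WINNT\\syshelp.exe"
"WinGate initialize"="C:\\WINNT\\WinGate.exe -remoteshell"
"Module Call initialize"="RUNDLL32.EXE reg.dll ondll_reg"
"Updater"="C:\\Program Files\\Updater\\upd.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
'''
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:10168          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:20168          0.0.0.0:0              LISTENING
"""

def parse_reg_export(text):
    """Parse REGEDIT5 .reg text into {key (lowercased): {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")  # .reg escapes backslashes as \\
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def lovgate_indicators(reg_text, netstat_text):
    """Return the Lovgate indicators present in the exported artifacts."""
    keys, findings = parse_reg_export(reg_text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        exe = (data.lower().split("\\")[-1].split() or [""])[0]  # bare file name of the command
        if name.lower() in LOVGATE_RUN_NAMES or exe in LOVGATE_FILES or "ondll_reg" in data.lower():
            findings.append(f"Run value '{name}' = {data}")
    cmd = keys.get(TXT_KEY, {}).get("@", "")
    if cmd and "notepad" not in cmd.lower():  # .txt files should open with Notepad
        findings.append(f"txtfile handler hijacked: {cmd}")
    listening = {int(m.group(1)) for m in re.finditer(r"TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", netstat_text)}
    for port in sorted(listening & LOVGATE_PORTS):
        findings.append(f"backdoor port {port} listening")
    return findings
```

A clean machine yields an empty list; any finding means the worm's persistence or back door is present and the Registry changes must be undone as part of cleanup.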


The Lovelorn Worm

The Lovelorn (W32/Lovelorn@MM) worm infects Windows systems by sending itself as an attachment named either %USERNAME%.KISS.OK.EXE or, if the attachment is an HTML dropper file, %USERNAME%.HTM, where %USERNAME% is the name of the indicated sender of the message. If a user opens this attachment and antivirus software is not up to date, Lovelorn infects the system by copying its own code multiple times (as explorer.exe, kernel32.exe, netdll.dll, and also serscg.dll), along with other files to be sent to other potential victim systems, into the system installation folder. If the HTML dropper file has been downloaded, an additional copy of the worm code named "TEMP.EXE" will be added to the Temp folder. This worm then writes an entry, "explorer.exe," in the Registry's Run key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) to ensure that it will restart every time the system boots. Lovelorn also creates a mail engine to send copies of itself to other systems. The "From:" line of each message indicates that the message was sent from an address such as lovelorn@yahoo.com or an address found in files (such as mail address book-related files) within the system Lovelorn has infected. The subject line is "There're some Passwords here" or "Re:Get Password mail..." Finally, Lovelorn attempts to disable antivirus software.

Lovelorn causes no more than minor damage to systems that it infects. No Lovelorn removal tool is available, however, and because it adds so many files and modifies the Registry, cleaning up a system infected by Lovelorn can require a reasonable amount of time and patience. Click here for information concerning cleaning up Lovelorn infections.
