Chernobyl
ExploreZip
I Love You
Melissa
Pretty Park
Code Red Worm
W32/Klez
BugBear
W32/Opaserv Worm
Anti-Virus Software
Chernobyl is a deadly virus. Unlike the other viruses that have surfaced recently, this one is much more than a nuisance.
If infected, Chernobyl will erase data on your hard drive, and may even keep your machine from booting up at all.
There are several variants in the wild. Each variant activates on a different date: version 1.2 on April 26th, 1.3 on June 26th, and 1.4 on the 26th of every month.
ExploreZip is a Win32-based e-mail worm. It searches for Microsoft Office documents on your hard drive and network drives.
When it finds any Word, Excel, or PowerPoint documents using the following extensions: .doc, .xls and .ppt, it erases the contents of those files. It also emails itself to anyone who sends you an e-mail.
ExploreZip arrives as an email attachment. The message will most likely come from someone you know, and the body of the message will read:
"I received your email and I shall send you a reply ASAP. Till then, take a look at the attached Zipped docs." The attachment will be named "Zipped_files.exe" and have a WinZip icon. Double clicking the program infects your computer.
LoveLetter is a Win32-based e-mail worm. It overwrites certain files on your hard drive(s) and sends itself out to everyone in your Microsoft Outlook address book.
LoveLetter arrives as an email attachment named LOVE-LETTER-FOR-YOU.TXT.VBS, though new variants have different names including VeryFunny.vbs, virus_warning.jpg.vbs and protect.vbs.
User-controlled data is placed into an SQL query without being validated for correct format or embedded escape strings.
This affects the majority of applications that use a database backend and don't force variable types.
At least 50% of the large e-commerce sites and about 75% of the medium to small sites are vulnerable.
Improper validation in CFML, ASP, JSP and PHP is the most frequent cause.
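The flaw described above, next to the validated form, as an added example that is not part of the original page. It uses Python's sqlite3 module; the table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory table for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, item TEXT)")
    db.executemany(
        "INSERT INTO orders (id, customer, item) VALUES (?, ?, ?)",
        [(1, "alice", "book"), (2, "bob", "lamp"), (3, "carol", "desk")],
    )
    return db

def lookup_unvalidated(db, order_id):
    """The flaw: user-controlled text is pasted into the SQL string."""
    query = "SELECT customer, item FROM orders WHERE id = " + order_id
    return db.execute(query).fetchall()

def lookup_validated(db, order_id):
    """Force the variable type first, then bind the value as a parameter."""
    try:
        value = int(order_id)  # anything that is not an integer is rejected
    except (TypeError, ValueError):
        raise ValueError("order id must be an integer")
    return db.execute(
        "SELECT customer, item FROM orders WHERE id = ?", (value,)
    ).fetchall()

def lookup_by_customer(db, name):
    """String input: binding keeps embedded quotes as data, not as SQL."""
    return db.execute(
        "SELECT id, item FROM orders WHERE customer = ?", (name,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    hostile = "1 OR 1=1"  # constructed input with SQL embedded in it
    print("unvalidated:", lookup_unvalidated(db, hostile))  # every row comes back
    try:
        lookup_validated(db, hostile)
    except ValueError as err:
        print("validated:", err)
    print("bound string:", lookup_by_customer(db, "x' OR '1'='1"))
```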
Melissa is a Microsoft Word macro virus.
Through macros, the virus alters the Microsoft Outlook email program so that the virus gets sent to the first 50 people in your address book.
It does not corrupt any data on your hard drive or make your computer crash. It just changes some Word settings and sends itself to the people you don't want to infect.
Melissa Virus Infection
Melissa arrives as an email attachment.
The subject of the message containing the virus will read: "Important message from" followed by the name of the person whose email account it was sent from.
The body of the message reads: "Here's the document you asked for...don't show anyone else ;-)"
Double clicking the attached Word document (typically named LIST.DOC) will infect your machine.
Pretty Park is a privacy invading worm. Every 30 seconds, it tries to e-mail itself to the e-mail addresses in your Microsoft Outlook address book.
It has also been reported to connect your machine to a custom IRC channel for the purpose of retrieving passwords from your system.
Pretty Park arrives as an email attachment. Double clicking the PrettyPark.exe or Files32.exe program infects your computer.
You may see the Pipes screen after running the executable.
BUG BEAR VIRUS
This worm propagates via shared network folders and via email.
It also terminates antivirus programs, acts as a backdoor server application, and sends out system passwords, all of which compromise security on infected machines.
BugBear Infection
This worm fakes the FROM field and obtains the recipients for its email from email messages, address books and mail boxes on the infected system. It generates the filename for the attached copy of itself from the following:
A combination of text strings (setup, card, docs, news, Image, images, pics, resume, photo, video, music or song data) with any of the extensions SCR, PIF or EXE.
An existing system file appended with any of the following extensions: SCR, PIF or EXE.
On systems with unpatched Internet Explorer 5.0 and 5.5, the worm attachment is executed automatically when messages are either opened or previewed using Microsoft Outlook or Outlook Express.
KLEZ
ElKern, KLAZ, Kletz, I-Worm.klez, W95/Klez@mm
The W32.Klez variants are mass-mailing worms that search the Windows address book for email addresses and send messages to all the recipients they find. The worm uses its own SMTP engine to send the messages.
The subject and attachment name of the incoming emails are randomly chosen. The attachment will have one of the extensions: .bat, .exe, .pif or .scr.
The worm exploits a vulnerability in Microsoft Outlook and Outlook Express to try to execute itself when you open or preview the message.
SirCam is a mass-mailing e-mail worm with the ability to spread through Windows network shares.
SirCam sends e-mails with variable user names and subject fields, and attaches user documents with double extensions (such as .doc.pif or .xls.lnk) to them.
The worm collects a list of files with certain extensions ('.DOC', '.XLS', '.ZIP') into fake DLL files named 'sc*.dll'. The worm then sends itself out with one of the document files it found in a user's "My Documents" folder.
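The LoveLetter, BugBear, Klez and SirCam descriptions above all rely on attachment names that end in an executable extension, often behind a harmless-looking first extension. A mail-gateway style filename check for that pattern follows, as an added example that is not part of the original page. The extension sets are taken from the names listed above; the function names and some sample names are constructed.

```python
# Extensions the descriptions above name as worm attachment types.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".vbs", ".lnk"}
# Document-like extensions used as the decoy first extension.
DECOY_EXTS = {".txt", ".doc", ".xls", ".ppt", ".jpg", ".zip"}

def classify_attachment(filename):
    """Return a verdict for one attachment file name."""
    # Drop any path component, whichever separator the sender used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    name = name.rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTS:
        return "allow"
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return "block: double extension"
    return "block: executable type"

def screen(names):
    """Map each blocked attachment name to the reason it was blocked."""
    verdicts = {}
    for name in names:
        verdict = classify_attachment(name)
        if verdict != "allow":
            verdicts[name] = verdict
    return verdicts

# Names quoted in the text above plus constructed ones (marked).
SAMPLE = [
    "LOVE-LETTER-FOR-YOU.TXT.VBS",
    "virus_warning.jpg.vbs",
    "Zipped_files.exe",
    "README.EXE",
    "LIST.DOC",          # Melissa: a macro document, not caught by name alone
    "report.doc.pif",    # constructed, SirCam-style double extension
    "budget.xls.lnk. ",  # constructed, trailing dot and space
    "minutes.txt",       # constructed, benign
    "setup.scr",         # constructed from the BugBear name list
]

if __name__ == "__main__":
    for name, verdict in screen(SAMPLE).items():
        print(f"{name!r}: {verdict}")
```

LIST.DOC passes this check, which is why a name filter has to sit alongside content scanning and macro controls.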
Nimda is a complex virus with a mass mailing worm component which spreads itself in attachments named README.EXE.
It affects Windows 95, 98, ME, NT4 and Windows 2000 users.
Nimda is the first worm to modify existing web sites to start offering infected files for download. It is also the first worm to use normal end user machines to scan for vulnerable web sites.
Nimda uses the Unicode exploit to infect IIS Web servers.
The "Code Red" worm attempts to connect to TCP port 80 on a randomly chosen host assuming that a web server will be found.
Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow in the Windows 2000 Indexing Service.
If the exploit is successful, the worm begins executing on the victim host. In the earlier variant of the worm, victim hosts with a default language of English experienced the following defacement on all pages requested from the server:
HELLO! welcome to http://www.worm.com! Hacked By Chinese!