Willamette University Willamette Integrated Technology Services
Virus Information


Common Viruses That Have Hit Willamette

Click on the links for more information and removal instructions for each virus. Virus details courtesy of Symantec Antivirus Research Center (http://www.sarc.com).


W32.Sasser.B.Worm
Discovered: May 1, 2004

W32.Sasser.B.Worm is a variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly-chosen IP addresses for vulnerable systems.


W32.Netsky.Y@mm
Discovered: April 20, 2004
Hit Willamette: April 20, 2004

W32.Netsky.Y@mm is a variant of W32.Netsky.X@mm that scans all non-CD-ROM drives on an infected computer for email addresses. The worm then uses its own SMTP engine to send itself to the email addresses that it finds.

The format of the email is:

Subject: Delivery failure notice (ID-<random number>)
Attachment: www.<random domain name>.<random username>.session-<random number>.com

 

Beagle.B (W32.Beagle.B@mm; aka W32.Alua@mm, Win32/Bagle.B.Worm, Bagle.B, W32/Bagle.b@MM, W32/Bagle.B@mm, WORM_BAGLE.B, W32/Bagle.B.worm, W32/Tanx-A, I-Worm.Bagle.b)
Discovered: February 17, 2004
Hit Willamette: February 17, 2004

W32.Beagle.B@mm is a mass-mailing worm that opens a backdoor on TCP port 8866. The email message containing the virus has a subject line of six random characters plus "thanks". The infected attachment has a random file name with the extension ".exe". The worm spoofs the "From" address in the email messages it sends, which means that the sender in the "From" field is most likely not the real sender.

 

Novarg (W32.Novarg.A@mm; aka W32/Mydoom@MM; WORM_MIMAIL.R)
Discovered: January 26, 2004
Hit Willamette: January 26, 2004

W32.Novarg.A@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. The worm spoofs the "From" address in the email messages it sends, which means that the sender in the "From" field is most likely not the real sender.

 

Beagle (W32.Beagle.A@mm; aka I-Worm.Bagle, WORM_BAGLE.A)
Discovered: January 18, 2004
Hit Willamette: January 19, 2004

W32.Beagle.A@mm is a mass-mailing worm that accesses remote Web sites and sends email to any addresses it finds. Infected messages contain the subject line "Hi," and a randomly named executable file as an attachment. The worm spoofs the "From" address in the email messages it sends, which means that the sender in the "From" field is most likely not the real sender.

 

Gaobot (W32.HLLW.Gaobot)
Discovered: September 9, 2003
Hit Willamette: October 30, 2003

There are several different variants of the Gaobot virus. The most common variants on the Willamette campus are Gaobot.AE and Gaobot.AO.

Gaobot infects Windows NT/2000/XP computers that have not been updated with the latest Windows security patches (specifically the DCOM patch). It may also spread through network shares that have a weak username or password. If your computer is infected, you may find a process called "scvhost.exe" running in the Task Manager (not to be confused with svchost.exe, which is a legitimate Windows file). The virus will attempt to disable anti-virus and firewall software, and it may visibly slow the performance of your computer. Internet Explorer and Microsoft Excel may not run properly. If you are using a university-owned computer, you may get a "Bind" error when you log in.

 

Welchia (W32.Welchia.Worm)
Discovered: August 18, 2003
Hit Willamette: August 25, 2003

 

SoBig.F (W32.Sobig.F@mm)
Discovered: August 19, 2003
Hit Willamette: August 19, 2003

W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds on the infected hard drive. The worm spoofs the "From" address in the email messages it sends, which means that the sender in the "From" field is most likely not the real sender. The worm uses its own SMTP engine to propagate and will attempt to create a copy of itself on accessible network shares, but fails due to bugs in the code.


Blaster Worm (W32.Blaster.Worm)
Discovered: August 11, 2003
Hit Willamette: August 13, 2003

W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm targets only Windows 2000 and Windows XP machines. W32.Blaster.Worm does not have mass-mailing functionality.

BugBear Worm (W32.Bugbear@mm)
Discovered: September 30, 2002
Hit Willamette: October 2002

BugBear is a mass-mailing worm that spreads through email attachments and open network shares. It also has keystroke logging and backdoor capabilities.

JDBGMGR.EXE Hoax
Reported on: April 12, 2002
Hit Willamette: May 2002

This hoax claims that your computer is infected with a virus that is stored in the jdbgmgr.exe file, with a teddy bear icon, found in your C Drive.

Klez-H Virus (W32.Klez.H@mm)
Discovered: April 17, 2002
Hit Willamette: April 2002

The Klez virus mainly infects Outlook Express users, though it can also spread through open network shares and ICQ. It is a mass-mailing worm that attempts to disable any installed anti-virus software and has the potential to overwrite documents and system files with zeroes.

SULFNBK.EXE Warning (Hoax)
Reported: April 17, 2001
Hit Willamette: February 2002

Klez-E Virus (W32.Klez.E@mm)
Discovered: January 17, 2002

*On the 6th day of every odd month (January, March, May, July, September, November), the Klez-E virus will attempt to overwrite all files with zeroes.

Magistr Virus (W32.Magistr.39921@mm)
Discovered Sept. 3, 2001
(Hit the Willamette campus in December 2001)

*The Magistr Virus can make desktop icons appear to "run away" from the mouse pointer. It can potentially overwrite the hard drive, erase the CMOS, and flash the BIOS.

Goner Worm (W32.Goner.A@mm)
Discovered Dec. 4, 2001

Badtrans Worm (W32.Badtrans.B@mm)
Discovered Nov. 24, 2001

Nimda-E Virus (W32.Nimda.E@mm)
Discovered Oct. 29, 2001

Nimda-A Virus (W32.Nimda.A@mm)
Discovered Sept. 18, 2001

Sircam Worm (W32.Sircam.Worm@mm)
Discovered July 17, 2001

*Sircam virus spreads through email and file sharing. It randomly selects files from the user's hard drive and emails them to addresses found in the user's address book.

MTX Virus (W95.MTX)
Discovered Aug. 17, 2000

*MTX virus may block access to certain websites, including the websites of popular anti-virus companies.

LoveLetter Worm (VBS.LoveLetter and variants)
Discovered May 5, 2000

KakWorm (Wscript.KakWorm)
Discovered Dec. 30, 1999

Happy99 Worm (Happy99.Worm)
Discovered Jan. 28, 1999

 

WITS - Willamette University - 900 State Street, Salem Oregon 97301 - 503-370-6004

Questions or comments on this site? webmaster@willamette.edu

Last Updated 08/11/2002
