Virus alarm
knowledge and pirated software products that do not have the benefit of updating themselves with the latest virus definitions.
Data on virus attacks in the past 30 days show that 24.85% of virus attacks took place in the Asia Pacific region, the third highest among affected regions. PC users should deploy the latest version of their antivirus software and keep it updated to stay on the safe side. Here's a sneak peek at some of the latest viruses.
W32.Beagle.C@mm
Discovery Date: 27/2/2004; Type: Virus; Sub Type: E-mail worm; Aliases: W32.Beagle.A@mm, W32/Bagle.c@MM [McAfee], WORM_BAGLE.C [Trend], W32/Bagle-C [Sophos]
This is a mass-mailing worm that opens a backdoor on TCP port 2745. The worm uses its own SMTP engine for email propagation. It attempts to terminate processes responsible for providing updates to various antivirus programs. The worm copies itself as %System%\readme.exe and adds a value to the registry Run key so that it starts whenever Windows starts.
Removal Instructions: 1. Reboot the system into Safe Mode (press the F8 key as soon as the Starting Windows text is displayed after booting, then choose Safe Mode). 2. Delete the following files from your WINDOWS System directory (typically C:\Windows\System or C:\Winnt\System32): README.EXE; DOC.EXE; ONDE.EXE; README.EXEOPEN. 3. Delete the "gouday.exe" value from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. 4. Delete the key HKEY_CURRENT_USER\Software\DateTime2. 5. Reboot the system into Default Mode.
W32/Netsky.c@MM
Discovery Date: 25/2/2004; Type: Internet worm; Sub Type: E-mail worm; Aliases: I-Worm/Netsky.C (Grisoft), W32.Netsky.C@mm (NAV), W32/Netsky.C.worm (Panda)
This worm spreads by email and by copying itself to folders on the local hard drive and on any mapped network drives (drives C: to Z:). It mails itself to addresses found on the victim's machine.
Removal Instructions: 1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode). 2. Delete the file 'WINLOGON.EXE' from your WINDOWS directory (typically c:\windows or c:\winnt). NOTE: Do not delete the file WINLOGON.EXE from the WINDOWS SYSTEM directory, as that is a valid Windows system file. 3. Delete the "ICQ Net" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. 4. Reboot the system into Default Mode.
W32/Mydoom.f@MM
Discovery Date: 19/2/2004; Type: Virus; Sub Type: E-mail worm; Aliases: W32/Mydoom-F (Sophos), WORM_MYDOOM.F (Trend)
This is a mass-mailing and share-hopping worm with the following characteristics: 1. it contains its own SMTP engine to construct outgoing messages; 2. it can copy itself to mapped drives; 3. it contains a backdoor component; 4. it contains a Denial of Service payload; 5. it contains a file-deleting payload. The virus uses a DLL that it creates in the Windows System directory under a random filename (e.g. %SYSDIR%\vppu.dll, 8,068 bytes).
Removal Instructions: If you think that you may be infected with Mydoom, and are unsure how to check your system, you may download the Stinger tool from http://vil.nai.com/vil/stinger to scan your system and remove the virus if it is present.
W32/Nachi.worm
Discovery Date: 18/8/2003; Type: Virus; Sub Type: Internet Worm; Aliases: W32/Nachi!tftpd, W32/Nachi.worm.a
Irrespective of anti-virus detection, unless the system has been patched (MS03-026), it is susceptible to the buffer overflow attack from an infected host machine. An infected machine sends packets across the local subnet to the RPC service running on port 135.
Removal Instructions: 1. Apply the MS03-039 patch (which includes the MS03-026 patch); 2. Terminate the following services: (i) WINS Client; (ii) Network Connections Sharing; 3. Delete the DLLHOST.EXE and SVCHOST.EXE files from the WINS directory within your WINDOWS SYSTEM32 directory; 4. Edit the registry to delete the "RpcPatch" key from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services; 5. Delete the "RpcTftpd" key from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
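As an added example (not part of the column), a small Python check that scans a Windows registry export (.reg text) for the persistence entries named in the removal instructions above: the "gouday.exe" and "ICQ Net" Run values and the "RpcPatch"/"RpcTftpd" service keys. The sample export is constructed; only the indicator names come from the text.

```python
import re

# Constructed sample .reg export (not from a real machine); the Run values
# and the service key mirror the indicators named in the column above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"gouday.exe"="C:\\WINDOWS\\System32\\readme.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net"="C:\\WINDOWS\\winlogon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcTftpd]
"DisplayName"="Network Connections Sharing"
"""
# Indicators from the removal instructions, lower-cased for matching
RUN_VALUES = {"gouday.exe": "W32.Beagle.C@mm", "icq net": "W32/Netsky.c@MM"}
SERVICE_KEYS = {"rpcpatch": "W32/Nachi.worm", "rpctftpd": "W32/Nachi.worm"}

def parse_reg(text):
    """Yield (key_path, value_name, data); a key line yields (key, None, None)."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                yield key, m.group(1), m.group(2)

def find_indicators(text):
    """Return [(worm_name, key_path, value_name_or_None)] for each match."""
    hits = []
    for key, name, _data in parse_reg(text):
        parts = key.lower().split("\\")
        if name is not None and parts[-1] == "run":
            if name.lower() in RUN_VALUES:          # Beagle / Netsky autorun
                hits.append((RUN_VALUES[name.lower()], key, name))
        elif name is None and len(parts) > 1 and parts[-2] == "services":
            if parts[-1] in SERVICE_KEYS:           # Nachi service keys
                hits.append((SERVICE_KEYS[parts[-1]], key, None))
    return hits

if __name__ == "__main__":
    for worm, key, name in find_indicators(SAMPLE_REG):
        print(worm, key, name or "")
```

Run `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM Run and Services keys) on the suspect machine, then pass the file contents to find_indicators; a hit names the worm whose removal steps apply.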