Email-Worm.Win32.Bagle.eb 11.02.05 14:42 GMT Status : moderate risk
Kaspersky Lab has detected a new Bagle variant: Email-Worm.Win32.Bagle.eb. The worm has been widely spammed. It arrives in an archive file 7KB in size. The name of the attached archive file varies widely. Possible file names include "business.zip", "sms_text.zip", "info_prices.zip". The archive contains an executable file, "text5546.exe", which is 9675 bytes in size ((MD5 checksum: 4a68d23367d8aaf9fe9217f7f9f98bf1). This executable file will download another version of the worm, Bagle.eh, to the infected machine via the Internet. The Kaspersky Virus Lab has received numerous reports of infection from users around the world. An urgent update has been released. Users are strongly recommended to update their antivirus databases. Further details of the worm will be available in the Virus Encyclopaedia in the near future.
Email-Worm.Win32.Sober.u, .v, .w 11.15.05 09:30 GMT Status : moderate risk
Kaspersky Lab has detected three new variants of Sober: Email-Worm.Win32.Sober.u, Email-Worm.Win32.Sober.v, and Email-Worm.Win32.Sober.w The worm spreads as an attachment to infected messages. The attached file, which contains the body of the worm, is approximately 130KB in size. Possible attachment names include:
Kaspersky Anti-Virus databases have been updated with detection for the three latest variants. Users are strongly recommended to update their antivirus databases.
Email-Worm.Win32.Sober.u Several modified variants of this worm, which is written in Visual Basic, have been detected. There are only very minor differences. It is 139.040 KB in size. The actual worm is 129.568 bytes in packed size.
Email-Worm.Win32.Sober.y 11.23.05 11:09 GMT Status : moderate risk
Kaspersky Lab has detected a large number of samples of Email-Worm.Win32.Sober.y, which is currently spreading actively in Europe. There are also reports of the worm spreading in the USA. The worm spreads as an attachment to infected emails, and sends messages in English and German. It uses a variety of message subjects and message texts. English messages may have the FBI as the sender; German messages may have the Bundeskriminalamt as the sender. The worm will display a fake error message when launched. Further information about Sober.y will be available in the Virus Encyclopaedia in the near future. Detection for Sober.y was added to the Kaspersky Anti-Virus databases on November 16th. Users are recommended to ensure that their antivirus databases are up to date. This malicious program has been mass mailed using spamming technologies. A large number of reports have been received from users. Three modifications of this downloader have been released this evening, 23.11.05.Users are recommended to ensure that their antivirus databases are up to date.
Trojan-Downloader.Win32.Bagle.f 11.23.05 16:02 GMT Status : moderate risk
Kaspersky Lab has detected Trojan-Downloader.Win32.Bagle.f. This malicious program has been mass mailed using spamming technologies. A large number of reports have been received from users. Three modifications of this downloader have been released this evening, 23.11.05. Users are recommended to ensure that their antivirus databases are up to date.
Windows Meta File Vulnerability 12.28.05 16:07:00 GMT Status : moderate risk
Kaspersky Lab has raised its alert level to yellow. This is because several Trojan programs which exploit the new Windows Meta File vulnerability have been detected in the wild. The vulnerability itself is regarded as extremely critical (the highest possible rating). As yet, there is no patch for this vulnerability. Computers running Windows XP with SP2, Windows XP with SP1, and Microsoft Windows Server 2003 SP0/SP1 are affected by this vulnerability. The vulnerability functions in Internet Explorer, and may function in Firefox if certain conditions are met. The programs detected by Kaspersky Lab which exploit this vulnerability are Trojan-Downloaders, which install other Trojan programs on the victim machine. At the moment, Trojan programs are being downloaded from unionseek.com and iframeurl.biz. New modifications of these programs may appear. Antivirus database updates which include detection for these Trojan programs have been released. Users are strongly recommended to update antivirus databases on a regular basis. We also strongly recommend that users do not open files with a *.wmf extension and set their Internet Explorer security settings to 'High'. More information about the vulnerability is available at: http://secunia.com/advisories/18255/ and http://www.securityfocus.com/bid/16074/info
Virus Alerts 
