Name: wawadave
http://www.silicon.com/news/500013/1/4849.html
Wed 25 June 2003 03:40PM BST
Virus warning: Punk worm on the rampage
'I want to be... ANARCHY!'
There was a time when a punk revival merely involved a new band of disenchanted youths sporting far-out haircuts - but now the jilted generation are turning to computer viruses to get their message of anarchy across to the masses.
Anti-virus vendor Sophos has received several reports of the new punk-themed Magold-D worm (W32/Magold-D), first seen on Monday 23rd June, which spreads via email, internet relay chat, shared networks and peer-to-peer services, such as KaZaA.
Users infected with the virus are presented with the message 'PUNK'S NOT DEAD' which flashes up on their screen before opening a web browser and directing it to the website of US punk rock band - a trait in common with the Avril Lavigne virus which directed users to the Canadian pop sensation's website.
In an attempt to encourage users to open the virus the attachment is billed in such a way to make users think they will be treated to an eyeful of a TV star taking a shower.
Graham Cluley, senior technology consultant at Sophos, said: "The virus writer has opted for the age-old trick of promising female nudity."
"This tribute to The Offspring is a far cry from pinning posters to your bedroom wall or playing air guitar in front of your mirror," he added.
===========================================
http://www.esecurityplanet.com/alerts
Virus Alert: New Variant of Sobig.C Intercepted
June 25, 2003
By eSecurityPlanet Staff
Panda Software has reported the appearance of Sobig.E. The international antivirus developer has received numerous reports of infections and advises users to treat all e-mails received with caution.
Sobig.E is sent via e-mail, compressed in a zip file, creating an added danger as to date, there have been few viruses that have propagated in this way and many users may not have the option to scan this particular type of compressed file enabled in their antiviruses.
Sobig.E infects Win9x, ME, NT, 2000 and XP systems. It is sent out, using its own SMTP engine, to addresses it finds in all directories in files on the infected system with the following extensions: .TXT, .EML, .HTM*, .DBX, .WAB.
The e-mail containing Sobig.E has the following characteristics:
Possible subjects include:
Re: Movie
Re: Application
Message text: Please see the attached zip file for details.
Attachment: Your_details.zip
Sobig.E creates two files in the affected computer, one called "%windir%\winssk32.exe", which contains the worm's code, and the other called "msrrf.dat". It also creates two keys in the Windows registry.
For further information about Sobig.E and other viruses, visit Panda Software's Virus Encyclopedia.
Antivirus software vendor Sophos recognizes the virus as W32/Sobig-E, and reports that it copies itself into the Windows folder as winssk32.exe and sets the registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSK Service = \winssk32.exe
The worm then sends itself as an attachment to email addresses collected from the infected computer. View the format of a typical email and other information at this Sophos page.
Antivirus software vendor McAfee says the new variant so far is not widespread. This worm is similar to W32/Sobig.d@MM. The worm propagates via email and over network shares. It contains its own SMTP engine for constructing outgoing messages.
The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine. Similarly to W32/Sobig@MM, the outgoing messages constructed by the worm may have a closing quote omitted from the attachment filename. This may cause certain mail clients to remove a character from the remaining filename, thus attachments may have a ".ZI" extension (as opposed to ".ZIP").
Find out more at this McAfee page.
http://vil.mcafee.com/dispVirus.asp?virus_k=100429
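
An added example, not part of the original post or the vendors' alerts: a mail-filter check for the Sobig.E traits quoted above (subjects, `Your_details.zip`, the `.ZI` truncation and the omitted closing quote). It assumes the quote is missing from the MIME `name`/`filename` parameter; the function names and sample headers are constructed for illustration.

```python
import re

# Indicators taken from the alerts quoted above.
SUBJECTS = {"re: movie", "re: application"}
ATTACHMENT = "your_details.zip"

# name= / filename= parameter: optional opening quote, value, optional closing
# quote. Assumption: this is where the worm's omitted quote appears.
PARAM_RE = re.compile(r'\b(?:file)?name\s*=\s*(")?([^";\r\n]*)(")?', re.I)

def attachment_names(raw_headers):
    """Yield (name, unbalanced_quote) for each name/filename parameter."""
    for m in PARAM_RE.finditer(raw_headers):
        opened, name, closed = m.group(1), m.group(2).strip(), m.group(3)
        yield name, bool(opened) != bool(closed)

def score_message(subject, raw_headers):
    """Return the sorted list of Sobig.E traits found in one message."""
    hits = set()
    if subject.strip().lower() in SUBJECTS:
        hits.add("subject")
    for name, unbalanced in attachment_names(raw_headers):
        # Some clients drop a character after the missing quote, leaving ".zi".
        if name.lower() in (ATTACHMENT, ATTACHMENT[:-1]):
            hits.add("attachment-name")
        if unbalanced:
            hits.add("unterminated-filename-quote")
    return sorted(hits)

# Constructed sample headers (not captured from a real infection).
SAMPLE_WORM = (
    'Content-Type: application/octet-stream; name="Your_details.zip\r\n'
    'Content-Disposition: attachment; filename="Your_details.zip\r\n'
)
SAMPLE_TRUNCATED = 'Content-Disposition: attachment; filename="Your_details.zi"\r\n'
SAMPLE_BENIGN = 'Content-Disposition: attachment; filename="report.pdf"\r\n'

if __name__ == "__main__":
    for subj, hdrs in [("Re: Movie", SAMPLE_WORM),
                       ("Re: Application", SAMPLE_TRUNCATED),
                       ("Quarterly report", SAMPLE_BENIGN)]:
        print(subj, "->", score_message(subj, hdrs))
```

The unterminated quote is worth flagging on its own, since it does not depend on the subject or attachment name staying the same.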
