Green Apple: Anti-Virus PC Sentry

Reported Viruses, Worms, Trojan Horses, Hoaxes and Myths
Top viruses reported as of 03-05-04: Beagle, Netsky, MyDoom, SoBig, MiMail, MSBlast, Welchia
[For the legend to listing, click here.]

Annoying Worm/Choke AnnaKournikova Back Orifice Badtrans Beagle NEW Bill Gates Will Pay You Bubbleboy Bud Frogs Screensaver BugBear Bymer Chernobyl/CIH Craig Shergold Dumaru FCC Internet Tax	Freelink Funlove Gibe Gigger Goner Good Times Happy99 Hybris ILoveYou Jdbgmgr.exe Jesus Hoax NEW KAK Klez Life Stages	Magistr Make Money Fast Mawanella Melissa Menger Michelangelo Migmaf Mimail HIGH Mimail.l Mimail.P NEW MSBlast HIGH MTX MyDoom NEW MyParty	Naked Navidad Netbus Netsky NEW Nimda Pretty Park QAZ Sircam Slammer Sobig Sulfnbk.exe Swen HIGH VBS.Network Welchia HIGH

name: Annoying Worm/Choke type: Worm host platform: Windows first incidence: 11/15/01 last incidence: 12/07/01 level of incidence: Low damage capacity: Low links: McAfee, Norton look for: Affects only MSN messenger users. You get it by accepting an infected file from an contact. name: AnnaKournikova aka: VBS.SST@mm, On The Fly, Kalamar type: Virus, Worm, Backdoor host platform: Windows first incidence: None last incidence: None level of incidence: Low damage capacity: Low links: McAfee, Norton look for: Email with attachments claiming to contain pictures of the tennis player Anna Kournikova. The file attached is the virus. Keep an eye out for subjects such as "Here you are ;-)," "Here you have ;o)" and "Here you go ;-)." name: Back Orifice type: Virus, BackDoor host platform: Windows first incidence: 08/15/96 last incidence: 09/05/00 level of incidence: Low damage capacity: High links: McAfee, Norton look for: Unusual computer actions: cd-rom door opening for no reason, screens with unusual text name: Badtrans type: Worm host platform: Windows first Incidence: 07/20/01 last incidence: 07/21/01 level of incidence: Low damage capacity: Medium links: McAfee, Norton look for: a messages that you were not expecting with attachments. name: Beagle aka: W32/Bagle@MM, WORM_BAGLE.A type: Worm host platform: Windows first Incidence: 01/18/04 last incidence: 04/12/04 level of incidence: High damage capacity: High links: McAfee, Norton look for: emails like: From: (address may be forged) management @ <recipient's domain> administration @ <recipient's domain> staff @ <recipient's domain> noreply @ <recipient's domain> support @ <recipient's domain> Subject: (Varies) Body: (Varies) Attachment: (Varies) 15,872 bytes name: Bill Gates Will Pay You $1000 type: Hoax host platform: All first incidence: 06/15/95 last incidence: 07/01/00 level of incidence: Low damage capacity: None links: U/A look for: A message claiming Bill Gates, Microsoft or some other person or company will pay you for using or evaluating a product. name: BubbleBoy type: Virus host platform: Windows first incidence: 11/20/98 last incidence: 11/20/98 level of incidence: Low damage capacity: Low links: McAfee, Norton look for: Changes the registered computer owner name to 'BubbleBoy'. Messages will contain the text 'BubbleBoy'. name: Bud Frogs Screensaver type: Hoax host platform: All first incidence: 05/13/1997 last incidence: 04/05/2002 level of incidence: Low damage capacity: None links: McAfee, Norton look for: Any message claiming that the Budweiser frog screensaver is a virus, or contains a virus. name: BugBear type: Virus, Worm host platform: Windows first incidence: 10/02/02 last incidence: 10/08/02 level of incidence: Low damage capacity: Medium links: McAfee, Norton look for: Messages that contain an attachment which was not expected. There are a variety of different attachment files you could receive. Check with McAfee's and Norton's site for full information. name: Bymer aka: W32.HLLW, W32/Msinit, Dnet.Dropper type: Virus, Worm host platform: Windows first incidence: 08/01/00 last incidence: 10/27/00 level of incidence: Low damage capacity: Low links: McAfee, Norton look for: Modification of the win.ini file and the addition of the Distributed Net client, dnetc. name: Chernobyl/CIH type: Virus host platform: Windows first incidence: 06/01/98 last incidence: 06/01/98 level of incidence: Low damage capacity: High links: McAfee, Norton look for: Nothing in particular. Basically, if you got it, you're in trouble. Data destroyed, machine will not post or boot. A.k.a. 'CIH'. name: Craig Shergold Needs Money type: Hoax host platform: All first incidence: 06/15/95 last incidence: 07/01/00 level of incidence: Low damage capacity: None links: U/A look for: Any email, news or instant message requesting donations for someone or something. name: Dumaru aka: W32/Dumaru, PE_DUMARU.A type: Worm host platform: Windows first Incidence: 09/15/03 last incidence: 09/16/03 level of incidence: Medium damage capacity: High links: McAfee, Norton look for: emails like ----- From: "Microsoft <security@microsoft.com>" Subject: Use this patch immediately! Attachment: patch.exe Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected! ----- name: FCC Internet Tax type: Hoax host platform: All first incidence: 06/15/95 last incidence: 07/01/00 level of incidence: Low damage capacity: None links: U/A look for: Any message claiming the FCC is about to impose a special tax on the Internet. name: Freelink type: Virus, Worm host platform: Windows first incidence: 10/22/99 last incidence: 02/15/00 level of incidence: Low damage capacity: Low links: McAfee, Norton look for: An attachment named "Links". Once infected it places a link on the desktop to an adult website and sends a copy of itself to everyone in the user's address book. name: Funlove type: Virus, Worm host platform: Windows first incidence: 10/15/00 last incidence: 10/28/00 level of incidence: Low damage capacity: Medium links McAfee, Norton look for: The existence of the file 'flcss.exe' in the Windows System directory. On NT the virus installs itself as a service with the name 'FLC'. The virus infects all '.exe', '.scr' and '.ocx' files on the machine causing a noticeable slowdown in performance. name: Gibe aka: W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A type: Worm, Backdoor host platform: Windows first incidence: 03/04/02 level of incidence: Low damage capacity: Medium links: McAfee, Norton, Microsoft look for: Emails that arrive which are disguised as a vital Internet Security update. It uses Microsoft's Outlook and its own SMTP engine to spread. The attached file, Q216309.exe, when executed will attempt to copy itself to all locally mapped remote drives and send itself to recipients listed in your address book. name: Gigger type: Worm host platform: Windows first incidence: Never last incidence: Never level of incidence: Low damage capacity: Medium links: McAfee, Norton look for: Emails claiming to be an Outlook Express update from MSNSofwareCo. This is a visual basic virus in which it will infect your email program and attempt to install a mIRC script which will then connect to the internet. name: Goner type: Worm host platform: Windows first incidence: 12/05/01 last incidence: 12/05/01 level of incidence: Low damage capacity: Medium links: McAfee, Norton look for: Emails with the subject "Hi". For the most part, you should be safe as Green Apple has internal protection against this virus and common variations. Emails with the GONE.SCR attachment. name: Good Times type: Hoax host platform: All first incidence: 06/15/95 last incidence: 09/15/00 level of incidence: Low damage capacity: None links: McAfee, Norton look for: A message which warns about a virus sent via email having a subject mentioning 'Good Times Virus'. The virus never existed and the email is a hoax. name: Happy99 type: Virus, Worm host platform: Windows first incidence: 04/12/99 last incidence: 09/10/01 level of incidence: Low damage capacity: High links: McAfee, Norton look for: Sent in an attachment sometimes named 'Happy99'. When the attachment is executed, fireworks are displayed. The virus is activated. The virus renames key files to have a '.ska' extension. name: Hybris aka: HAHA, Snow White, Joke.exe) type: Virus, Worm host platform: Windows first incidence: 11/10/00 last incidence: 09/10/01 level of incidence: Low damage capacity: Low links: McAfee, Norton look for: emails with reference to "Snow White and the Seven Dwarfs..", emails with the subject HA HA Ha or variants. Attachments included with these types of messages are most likely viruses. name: ILove You aka: LoveLetter type: Virus, Worm host platform: Windows first incidence: 05/04/00 last incidence: 06/28/00 level of incidence: Low damage capacity: Medium links: McAfee, Norton, Microsoft look for: Email with a subject line of 'I LOVEYOU'. The virus also uses subject lines of 'The Love Bug', 'You have an admirer', 'Love Letter' and others. name: Jdbgmgr.exe type: Hoax host platform: All first incidence: 05/11/01 level of incidence: Low damage capacity: None links: McAfee, Norton look for: An email claiming that you are infected with a dangerous and undetectable virus that says to remove the jdbgmgr.exe file from your computer. name: Guts to Say Jesus aka: Jesus Hoax type: Hoax host platform: None first Incidence: None last incidence: 01/18/04 level of incidence: Low damage capacity: None links: Norton look for: Emails mentioning Jesus or erasing hard drives. name: KAK type: Virus, Worm host platform: Windows first incidence: 02/15/00 last incidence: 09/10/01 level of incidence: Low damage capacity: Medium links: McAfee, Norton, Microsoft look for: File or files having '.kak' extension. When activated (i.e. the attachment is run), the infected machine does not boot on first of the month. Machine displays 'Kagou-Anti-Kro$oft says not today!' message. name: Klez type: Virus, Worm host platform: Windows first incidence: 11/08/01 last incidence: 07/20/02 level of incidence: Medium damage capacity: Medium links: McAfee, Norton look for: Messages that contain an attachment which was not expected. There are a variety of different attachment files you could receive. Check with McAfee's and Norton's site for full information		name: Life Stages type: Virus, Worm host platform: Windows first incidence: 06/20/00 last incidence: 07/01/00 level of incidence: Low damage capacity: High links: McAfee, Norton, Microsoft look for: Attachment named 'Life Stages'. Attachment has couple of variations, 'Stages', 'Stages In Life'. name: Magistr aka: W32/Magistr@MM, I-Worm.Magistr, PE_MAGISTR.A type: Virus, Worm host platform: Windows first incidence: 04/20/01 last incidence: 04/06/02 level of incidence: Low damage capacity: Low links: McAfee, Norton look for: strange display windows or instances where icons on desktop act like they are moving away from the mouse. name: Make Money Fast type: Hoax host platform: All first incidence: 06/15/95 last incidence: 07/01/00 level of incidence: Low damage capacity: None links: U/A look for: Any message claiming great money making schemes. name: Mawanella aka: VBS/VBSSWG.Z@MM type: Virus, VBS host platform: Windows first incidence: 05/28/01 last incidence: 05/28/01 level of incidence: Low damage capacity: Low links: McAfee, Norton look for: Any email with an subject or body that mentions Mawanella and has an attachment. name: Melissa type: Virus, Worm host platform: Windows first incidence: 03/26/99 last incidence: 04/02/99 level of incidence: Low damage capacity: High host platform: Windows links: McAfee, Norton, Microsoft look for: An email with the subject (or message) 'Here is that document you asked for ... don't show anyone else ;-)'. The email contains an attachment having a list of adult websites. When the attachment is read, it forwards itself to everyone in your address book. Most variants of the virus are blocked by Green Apple's mail server. name: Menger aka: JS/Exploit-Messenger, JS_MENGER.GEN, JS.CoolNow type: Worm host platform: Windows first incidence: 02/13/02 last incidence: U/A level of incidence: Low damage capacity: Low links: McAfee, Norton look for: Any message through MSN instant messenger that includes a link to an unknown website. name: Michelangelo type: Virus host platform: Dos, Windows first incidence: U/A last incidence: U/A level of incidence: Low damage capacity: High links: McAfee, Norton look for: This virus original infected Dos and Windows 3.1 OS. It would format the hard drive and floppies on which it was installed. Fundamental changes in the Windows OS have made the virus obsolete. The virus is name 'Michelangelo' as it would activate on March 6th, the birthday of the great artist. The virus is more a myth, than a serious threat these days. name: Migmaf type: Virus, Trojan host platform: Windows first incidence: 07/14/03 last incidence: 07/15/03 level of incidence: Low damage capacity: Low links: McAfee, Norton look for: Hijacked web banners that display adult sites on pages that do not typically show those kinds of banners, i.e Green Apple's homepage. name: Mimail aka: WORM_MIMAIL.A, W32/Mimail@MM, Win32.Mimail.A type: Virus, Worm host platform: Windows first incidence: 07/28/03 last incidence: 08/12/03 level of incidence: High damage capacity: Low links: McAfee, Norton look for: Emails coming from admin@greenapple.com. Emails with a subject of your account [random string]. Attachment called 'message.zip'. name: Mimail-l aka: W32.Mimail.Gen, W32/Mimail.l@MM type: Worm host platform: Windows first Incidence: 12/01/03 last incidence: 12/10/03 level of incidence: High damage capacity: High links: Symantec, McAfee look for: Emails with subject "`Re[2]We are going to bill your credit card:" and attachment of "wendy.zip"` name: Mimail-P aka: W32/Mimail.p@MM, Win32.Mimail.P type: Worm host platform: Windows first Incidence: 1/14/04 last incidence: 1/14/04 level of incidence: Medium damage capacity: Low links: Symantec, McAfee look for: emails with the following subject line: Subject: GREAT NEW YEAR OFFER FROM PAYPAL.COM! Attachment: pp-app.zip Sender: Paypal.com <donotreply@paypal.com name: MSBlast aka: W32.Blaster.worm, Lovsan, Poza type: Worm host platform: Windows first incidence: 08/11/03 last incidence: 08/20/03 level of incidence: High damage capacity: Medium links: McAfee, Norton look for: Check C:\Windows\System32 for the file msblast.exe or see whether msblast is listed in Task Manager. name: MTX aka: MTX, Matrix, Backdoor host platform: Windows first incidence: 01-15-01 last incidence: 06-03-01 level of incidence: Low damage capacity: Medium links: McAfee, Norton look for: Messages that contain an attachment which was not expected. There are a variety of different attachment files you could receive. Check with McAfee's and Norton's site for full information. name: MyDoom aka: W32/Mydoomy@MM, W32.Novarg.A@mm type: Worm host platform: Windows first incidence: 01/26/04 last incidence: 03/05/04 level of incidence: High damage capacity: High links: Symantec, McAfee look for: Emails that indicate a message failure and the availability of an attached "partial message" or "binary attachment". There are a variety of subject lines and attachment files; see associated article. name: MyParty aka: W32.Myparty@mm, WORM_MYPARTY.A host platform: Windows first incidence: 01/28/02 last incidence: 01/28/02 level of incidence: Low damage capacity: Medium links: McAfee, Norton look for: Emails with the subject: new photos from my party. Starts with hello and includes an attachment names www.myparty.yahoo.com. name: Naked aka: NakedWife.exe type: Virus, Worm, Trojan Horse host platform: Windows first incidence: 03/06/01 last incidence: 04/01/01 level of incidence: Low damage capacity: High links: McAfee, Norton look for: Email with attachment NakedWife.exe . The file attached is the virus. Keep an eye out for subjects such as Subject: Naked Wife or FW:Naked Wife. name: Navidad type: Virus, Worm host platform: Windows first incidence: 11/20/00 last incidence: 11/20/00 level of incidence: High damage capacity: High links: McAfee, Norton look for: Problems running programs, strange Spanish error messages. name: NetBus type: Backdoor host platform: Windows first incidence: 08/15/96 last incidence: 08/17/00 level of incidence: Low damage capacity: High links: McAfee, Norton look for: Unusual computer actions: cd-rom door opening for no reason, screens with unusual text. name: W32.Netsky aka: moodown type: Worm host platform: Windows first incidence: 02/16/04 last incidence: 04/12/04 level of incidence: High damage capacity: High links:McAfee, Symantec look for emails with worm signatures. name: Nimda aka: W32/Nimda@mm, PE_NIMDA.A, I-Worm.Nimda, W32/Nimda-A, Win32.Nimda.A type: Virus, Worm host platform: Windows first incidence: None last incidence: None level of incidence: Low damage capacity: Medium links: McAfee, Norton look for: Readme.exe attachments name: Pretty Park type: Virus, Worm host platform: Windows first incidence: 05/26/00 last incidence: 10/04/00 level of incidence: Low damage capacity: Medium links: McAfee, Norton, Microsoft look for: Attachment named Pretty Park. Program with icons of Kyle from the show South Park. When activated, it renames a key Windows file and installs a registry key. name: QAZ aka: QAZ.Trojan type: Virus, Worm host platform: Windows first incidence: 10/01/00 last incidence: 10/29/00 level of incidence: Low damage capacity: Medium links: McAfee, Norton look for: The file 'note.com' in Windows directory. 'notepad' running as a background process. name: Sasser aka: W32.Sasser@mm type: Worm host platform: Windows first Incidence: 04/30/04 level of incidence: High damage capacity: High links: McAfee, Norton look for: Attacks through software bug in Microsoft OS; not spread through email. name: Sircam type: Worm host platform: Windows first Incidence: 07/20/01 last incidence: 09/10/01 level of incidence: Low damage capacity: Medium links: McAfee, Norton look for: emails with the following messages in either English or Spanish with attachments reading: In English First line: Hi! How are you? Last line: See you later. Thanks In Spanish First line: Hola como estas ? Last line: Nos vemos pronto, gracias. name: Slammer type: Worm host platform: Windows first Incidence: 02/05/03 last incidence: 02/05/03 level of incidence: Low damage capacity: Low links: McAfee, Norton look for: increased UDP packet traffic coming to port 1434. name: Sobig type: Worm host platform: Windows first Incidence: 01/07/03 last incidence: 06/20/03 level of incidence: High damage capacity: Medium links: McAfee, Norton look for: carries numerous hallmarks; see associated article. name: SULFNBK.exe type: Hoax host platform: Windows first incidence: Never last incidence: Never level of incidence: Low damage capacity: Low links: McAfee, Norton look for: Any email telling you to delete this file. You do not need to worry about this file. name: Swen aka: W32/Swen@mm, Swen32.A type: Worm host platform: Windows first Incidence: 09/19/03 last incidence: 09/19/03 level of incidence: Medium damage capacity: Medium links: McAfee, Norton look for: Emails claiming to be from Microsoft with attached patches. name: VBS.Network type: Worm host platform: Windows first incidence: 6/01/00 last incidence: 8/01/00 level of incidence: Low damage capacity: none links: McAfee, Norton look for: A file named vbs.network listed in the startup folder. This virus is more of an annoyance since it just attempts to copy itself to other machines on your network, that is, if you have one. name: Welchia aka: Nachi, WORM_MSBLAST.D type: Worm host platform: Windows first Incidence: 08/20/03 last incidence: 08/20/03 level of incidence: High damage capacity: Medium links: McAfee, Norton look for: the file Dllhost.exe in C:\Windows\System\Wins or C:\Windows\System32\Wins

--- Legend --- (return to top) name: [common name] aka: [other names] type: [Virus, Worm, Backdoor, Hoax] host platform: [Dos, Windows, Mac, Linux, All] first incidence: [first reported incidence at Green Apple] last incidence: [last reported incidence at Green Apple] level of incidence: [High, Medium, Low] damage capacity: [High, Medium, Low, None] links: [related links out on the Internet] look for: [things to look for to see whether your machine has been infected]