If you haven't already noticed, I've expanded the
scope of the table to cover 30 days instead of 7. I feel this will
give you a better picture of what to be on the lookout for. Be aware,
though, that there are certain wildfire situations when a virus
spreads rapidly, and when they occur, I will try to stay on top
of things and let you know the latest information.
Nimda Virus: In early September, a new virus
hit the wild called "Nimda" which was developed with the
characteristics of a typical internet worm as well as the then-recent
"Code Red" worm which had created such a stir during this
past summer.
Its main goal is simply to spread over the Internet
and Intranet, infecting as many users as possible and creating so
much traffic that networks are virtually unusable. The worm
infects using several methods, including: mass-mailing, network share
propagation, the Microsoft Web Folder Traversal vulnerability
(also used by W32/CodeBlue), and a Microsoft incorrect MIME Header
vulnerability. It also attempts to create network shares, and utilizes
the backdoor created by the W32/CodeRed.c worm.
The most significant methods of propagation are as follows:
The email messages created by the worm specify a content-type of
audio/x-wav and contain an executable attachment type. Thus when
a message is accessed, the attachment can be executed without the
user's knowledge. Simply viewing the message in Microsoft Outlook or
Microsoft Outlook Express using the preview pane can infect you.
Other mail clients can still receive these email messages, but double-clicking
the attachment would be required to execute the virus. WinNT/2K
systems cannot be infected from an email message.
When infecting, it appends .ASP, .HTM, and .HTML documents, and
files named INDEX, MAIN, and DEFAULT, with JavaScript code which
contains instructions to open a new browser window containing the
infectious email message itself (taken from the dropped file README.EML).
Thus when this infected web page is accessed (locally or remotely)
the machine viewing the page is infected. In other words, simply
visiting a web site that is compromised can infect your computer.
WinNT/2K systems cannot be infected by accessing an infected .ASP,
.HTM, or .HTML document.
When infecting, it creates network shares for each local drive
as %$ (where % = the drive letter that is being shared). On Win9x/ME
systems this is configured as a full share with no password. On WinNT/2K
systems the user GUEST is given permission to the share and added
to the group ADMINISTRATORS as well as GUESTS. A reboot is required
in order for these shares to get created. When the virus finds an
open share, it copies itself to each folder on the drive in .EML
format as described later on in this description. This can include
the START UP folder.
The worm scans IP addresses looking for IIS servers to infect via
the Web Folder Traversal vulnerability by sending a malformed
GET request. This causes vulnerable machines to initiate a TFTP
session to download ADMIN.DLL from the machine which sent the request.
Once downloaded, the remote system is instructed to execute the DLL,
which infects that machine. In the event that the TFTP session fails
to connect, multiple files (TFTP*) are created in the WINDOWS TEMP
directory. These files are simply copies of the worm. It also tries
to use the backdoor created by W32/CodeRed.c to infect.
.EXE files are prepended with the worm code.
Email addresses are gathered by extracting the email addresses
from MAPI messages in Microsoft Outlook and Microsoft Outlook Express,
as well as from HTM and HTML documents. The worm then sends itself
to these addresses with either no subject line or a subject line
containing a partial registry key path.
Once infected, your system is used to seek out others to infect
over the web. Because this involves a lot of port scanning, it can cause
a network traffic jam.
It may copy itself to the WINDOWS SYSTEM directory as LOAD.EXE
and create a SYSTEM.INI entry to load itself at startup:
Shell=explorer.exe load.exe -dontrunold
Note: applications which utilize the rich text format, such as
Microsoft Word and Wordpad, load a file named RICHED20.DLL. As such,
the worm is executed when a dependent program is run. There is typically
a valid RICHED20.DLL file in the WINDOWS SYSTEM directory, but this
is overwritten by the virus. Additionally, the virus may also save
itself as RICHED20.DLL in directories which contain .DOC files when
infecting via network shares. This will result in that infected
.DLL being called when a machine accesses that .DOC file.
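An added example, not part of the original column, of host-side checks for three of the Nimda artifacts described above: the JavaScript appended to web pages that opens README.EML, the SYSTEM.INI Shell= entry that loads LOAD.EXE, and a RICHED20.DLL planted beside .DOC files outside the WINDOWS SYSTEM directory. The sample page, INI text and file list are constructed, and the exact form of the injected script (a window.open() call whose target is readme.eml) is assumed from the description above.

```python
# Added example (not from the original column): host-side checks for the
# Nimda artifacts described above. Sample inputs are constructed.
import re
from pathlib import PureWindowsPath

# Script appended to .HTM/.HTML/.ASP pages: a window.open() call whose
# target is the dropped README.EML message (assumed form of the injection).
_INJECTED_SCRIPT = re.compile(
    r"""<script[^>]*>[^<]*window\.open\(\s*['"][^'"]*readme\.eml['"]""",
    re.IGNORECASE,
)

def html_has_nimda_script(html: str) -> bool:
    """True if the page carries the README.EML-opening script."""
    return _INJECTED_SCRIPT.search(html) is not None

def shell_line_is_suspicious(system_ini: str) -> bool:
    """True if the [boot] Shell= line loads anything besides explorer.exe,
    e.g. the worm's 'Shell=explorer.exe load.exe -dontrunold'."""
    in_boot = False
    for raw in system_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_boot = line.lower() == "[boot]"
            continue
        if in_boot and line.lower().startswith("shell="):
            tokens = line.split("=", 1)[1].split()
            return [t.lower() for t in tokens] != ["explorer.exe"]
    return False

def planted_riched20(paths, system_dir=r"C:\WINDOWS\SYSTEM"):
    """Return directories that hold both a .DOC file and RICHED20.DLL,
    ignoring the legitimate copy in the Windows system directory."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), set()).add(wp.name.lower())
    sysdir = str(PureWindowsPath(system_dir)).lower()
    return sorted(
        d for d, names in by_dir.items()
        if d != sysdir and "riched20.dll" in names
        and any(n.endswith(".doc") for n in names)
    )
```

Each function takes already-read text or a path list, so the same checks can be run over a file-server export or a forensic image listing without touching the live machine.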
Judges Disembowler Virus: The W32/Magistr or
"Judges Disembowler" virus is still running rampant on
the net. We're still seeing this virus occasionally through mail,
although not nearly as frequently. This virus is a combination of
a file infector and internet worm. Five minutes after the virus
is run, it attempts a mailing routine. Email addresses are gathered
from the Windows Address Book, Outlook Express mailboxes, and Netscape
mailboxes (addresses found in the email messages within existing mailboxes
are gathered), and these file locations and addresses are saved
to a hidden .DAT file somewhere on the hard disk (varies). The messages
sent by the worm contain varying subject headings, body text, and
attachments. The body of the message is derived from the contents
of other files on the victim's computer. It may send more than one
attachment and may include non .EXE or non-viral files along with
an infectious .EXE file.
The virus proceeds by infecting 32-bit PE (Portable Executable)
type .EXE files found in the WINDOWS SYSTEM directory and subdirectories.
The viral code is encrypted, polymorphic, and uses anti-debugging
techniques to make it difficult to detect. Email addresses have
been seen encrypted in infected files. These addresses are believed
to represent other users that have also been infected from the same
point of origin. Removing this virus from your system is tricky,
especially if you have Windows ME. Check with McAfee's or Symantec's
Anti-Virus web site for details.