          Date/Time of
Size      File Arrival      Filename
-------   ------------      ------------
    Description
    -----------

5398      000602 14:02      00index.txt
    This file you are reading.

2853      Feb 12 16:27      anna-kournikova-virus.vbs.txt
    Anna Kournikova aka VBS/SST@MM aka OnTheFly aka I-Worm.Lee.o aka
    VBS/VBSWG.J@MM aka SST aka VBS_Kalamar aka VBSWG.J aka
    VBS.VBSWG.generic aka VBS/SST-A aka Calamar aka VBS.OnTheFly aka
    VBS.AnnaK Vandal worm, defanged for study. VisualBasicScript (.VBS)
    worm. Arrives in e-mail. If an MS-Windows user executes it (using
    the Windows Scripting Host = WSH runtime engine), it makes a
    Registry entry, then uses MAPI calls to e-mail itself using
    MS-Outlook to everyone in the user's Outlook address book.

20504     2004-07-11 09:14  bagle-worm.exe.txt
    Bagle worm AKA I-Worm.Bagle, WORM_BAGLE, W32/Bagle, W32/Bagle@MM,
    Win32.Bagle. There are "A", "B", "C", etc. variants of these.
    Arrives in e-mail. If an MS-Windows user executes it, it makes
    several system changes, searches Windows Address Book, ASCII, and
    HTML files on all drives for e-mail addresses, mails itself out to
    those addresses using its own SMTP process, and installs a backdoor
    daemon.

9246      2003-11-20 05:31  dumaru.exe.txt
    Dumaru worm AKA W32/Dumaru, W32.Dumaru@mm, WORM_DUMARU, etc. There
    are "A", "B", "E", etc. variants of these. Arrives in e-mail. If an
    MS-Windows user executes it, it makes several system changes and
    then collects all available e-mail addresses by searching the
    contents of files with the extensions WAB, HTM, HTML, DBX, ABD, and
    TBB, then uses its own SMTP process to mail itself to all of those
    addresses.

10169     000523 18:42      iloveyou.vbs.txt
    I Love You AKA Loveletter, VBS/Loveletter@MM, Love Bug (etc.) worm,
    defanged for study. VisualBasicScript (.VBS) worm. Arrives in
    e-mail, in "active" Web pages, or a variety of other methods. If an
    MS-Windows user executes it (using the Windows Scripting Host = WSH
    runtime engine), it makes several system changes, communicates with
    other automated processes over IRC, uses MAPI calls to e-mail
    itself using MS-Outlook Express to everyone in the user's Outlook
    Express address book, and also e-mails out all cached passwords to
    an anonymous maildrop.

5019      000523 16:46      links.vbs.txt
    LINKS.VBS AKA VBS/Freelink@MM, Freelink, etc. worm, defanged for
    study. VisualBasicScript (.VBS) worm. Arrives via e-mail. If an
    MS-Windows user executes it (using the Windows Scripting Host = WSH
    runtime engine), it makes several system changes, attempts to use
    the Pirch or mIRC IRC clients to DCC itself to other IRC users, and
    then uses MAPI calls to e-mail itself using MS-Outlook98 or
    MS-Outlook2000 to everyone in the user's Outlook address book.

687       2003-08-08 16:18  mimail.exe.txt
    Mimail AKA W32.Mimail.A@mm AKA WORM_MIMAIL.A Microsoft worm,
    defanged for study. Arrives via e-mail. As usual for such things,
    relies on the defective-by-design Microsoft Internet Explorer
    browser. How so, you ask? Mimail arrives as BASE64-encoded
    attachment Message.zip with MIME type application/x-zip-comp, which
    contains message.html, which on _most_ MS-Windows systems gets
    automatically handed off to Microsoft Internet Explorer in its role
    as "MHTML URL Handler" on systems where it is incautiously retained
    as the system Web browser. MSIE in turn stupidly honours an HTML
    header telling MSIE to unpack and run a binary executable contained
    within the file. If an MS-Windows user executes it (in that fashion
    or otherwise), it makes several system changes, harvests cached
    e-mail addresses from a wide array of local files, then e-mails
    itself out using its own SMTP process to all those addresses,
    forging headers to claim to be an important administrative message
    from the destination domain's management. (MSIE allegedly no longer
    suffers this particular design error.)

32768     2000-11-14 19:02  navidad.exe.txt
    Navidad AKA I-Worm.Navidad, W32/Watchit.intd, I-Worm_Navidad,
    W32/Navidad binary worm for MS-Windows, typically received in an
    e-mail attachment. If a user executes it in MS-Windows, it makes
    several system changes and then connects to a MAPI e-mail service
    (usually MS-Outlook), harvests addresses from all unread e-mails,
    and SMTP-mails itself to all those addresses.

12288     2004-03-02 23:25  netsky.exe.txt
    Netsky worm AKA W32/Netsky@MM, W32.Netsky@mm, WORM_NETSKY, Moodown,
    I-Worm.Moodown, etc., of which there are the usual "A", "B", "C",
    etc. variants. Arrives in e-mail with forged headers claiming to be
    from your local domain's administration, and saying that for
    various phoney reasons you need to unpack the attached,
    password-covered ZIP archive (whose password is also included!) and
    run the executable within. That executable then searches drives C
    through Z for e-mail addresses, to which it then sends itself using
    its own SMTP process.

37376     000602 14:02      Pretty_Park.exe.txt
    Pretty_Park AKA Trojan.PSW.CHV binary worm for MS Windows, defanged
    for study. Arrives in e-mail with forged headers. If a user
    executes it in MS-Windows, it makes system changes, talks to other
    automated processes via IRC, and (among other things) repeatedly
    e-mails itself using its own SMTP process to all entries in the
    user's Outlook Express address book.

106496    2003-11-20 05:36  swen.exe.txt
    Swen AKA I-Worm.Swen, WORM_SWEN.A, W32/Swen.A@mm, W32.Swen.A@mm,
    W32/Gibe-F, Win32 Swen.A, and Worm.Automat.AHB. The worm arrives
    via e-mail attachment, Kazaa, IRC DCC file-transfer, or other
    network resources. User either executes it in MS-Windows, or the
    worm exploits the "IFrame.FileDownload" design error in some
    versions of MS Internet Explorer and MS-Outlook to autoexecute it.
    The worm then makes several system changes and then uses a MAPI
    e-mail service (usually MS-Outlook) to harvest all available e-mail
    addresses, then mails itself to all of them using its own SMTP
    process, as well as piggybacking onto Kazaa, mIRC, and network file
    shares.