F-Secure Radar Alert Archive

F-Secure Radar (Alert Archive Started Jan 01, 2001)
- October 26, 2007, 16:11 GMT, Level 2:
Malicious PDF files are being spammed out in volume. The files have "report"-themed subjects and contain a CVE-2007-5020 exploit that they use to download further components from the net.
- April 8, 2007, 23:30 GMT, Level 2:
Zhelatin.CQ email worm started spreading late on April 8th, 2007. The worm spreads in e-mails with war-related subjects and several different attachment names.
- April 1, 2007, 14:00 GMT, Level 2:
An internet worm using the new zero-day ANI exploit has been found. It modifies HTML pages to contain a link to a malicious ANI file. It also tries to spread via USB sticks and Chinese-language emails.
- January 19, 2007, 10:00 GMT, Level 2:
New trojan has been spammed widely, using a real storm in Europe as a decoy message. The emails have a variable subject, including "230 dead as storm batters Europe". Attachment names include "Full Story.exe" or "Video.exe".
- December 31, 2006, 10:10 GMT, Level 2:
A malware known as Tibs.jy or Luder.A is spamming out massive amounts of malicious New Year greetings cards. They come with variable texts and attachment names, but are always themed around New Year.
- October 20, 2006, 09:00 GMT, Level 2:
Warezov variants continue to be spread. A large number of files containing Warezov.dg have been spammed out in email attachments named Update-KB2781-x86.exe or similar. They download additional components.
- October 2, 2006, 08:20 GMT, Level 2:
A large new batch of Warezov email worm variants has been spammed during the early hours of Monday. They download additional components from a malicious website called ertinmdesachlion.com.
- September 25, 2006, 11:45 GMT, Level 2:
A new variant of the Warezov email worm is spreading today. This new version, known as Warezov.AT, updates itself via web. Every update looks different as they are packed with a variable packer.
- August 17, 2006, 14:18 GMT, Level 2:
A rootkit-hidden backdoor has been spammed heavily over the last hours. The backdoor, detected as Haxdoor.KI, has been sent out in German and Swedish messages as Rechnung.zip and Rakningen.zip.
- August 13, 2006, 08:52 GMT, Level 2:
First bot to exploit the MS06-040 vulnerability in Windows has been found. The vulnerability was patched only five days ago. The bot, known as Mocbot, creates a botnet of the infected computers.
- February 1, 2006, 13:55 GMT, Level 2:
New Breplibot variant has been mass spammed to thousands of email addresses today. It was spoofed to look like it was coming from F-Secure email addresses, including press@f-secure.com and info@f-secure.com.
- January 20, 2006, 13:58 GMT, Level 2:
Nyxem.E is becoming more widespread. This is a destructive mass-mailing worm that also spreads using shares. In addition, it tries to disable security software and might overwrite user files on certain dates.
- December 30, 2005, 10:00 GMT, Level 2:
F-Secure is issuing a Level 2 alert on the serious WMF vulnerability. However, so far no viruses or worms using it have been found. FSAV detects malicious WMF files as PFV-Exploit or Exploit.Win32.IMG-WMF.
- November 22, 2005, 10:50 GMT, Level 2:
New Sober variant (Sober.Y) has spammed widely. The mails are either in German or English and might look like a serious warning from FBI, CIA or the German Bundeskriminalamt. Attachment is always a ZIP file.
- November 22, 2005, 22:00 GMT, Level 1:
F-Secure is raising the Sober.Y worm to a Level 1 Alert after an increased amount of submissions. This new Sober variant, spreading in German and English emails, is becoming the year's largest email worm outbreak.
- November 15, 2005, 14:33 GMT, Level 2:
Four new Sober variants have been spammed widely today over the last 24 hours. The mails are either in German or English with attachment names like registration.zip, reg_text.zip or excel_table.zip
- October 6, 2005, 13:50 GMT, Level 2:
A new Sober variant has been spammed widely today, either by itself or within a dropper file. The mails are either in German or English with attachment names like pword_change.zip, screen_photo.zip or Privat-Foto.zip.
- September 19, 2005, 16:28 GMT, Level 2:
New Bagle.BI variant has been spammed out in significant numbers. The infected emails always contain a 35kB file called "text.exe" inside an archive with names like newprice.zip, price_09.zip or price2.zip.
- August 17, 2005, 01:36 GMT, Level 2:
F-Secure has been receiving an increasing amount of infection reports worldwide of a new Zotob network worm variant using filename WINTBP.EXE and spreading via the week-old PnP MS05-039 vulnerability.
- August 14, 2005, 13:10 GMT, Level 2:
Zotob, a new network worm using a five-day-old MS05-039 Plug-and-Play vulnerability, has been found. This worm targets unpatched machines by scanning port 445 and downloading the virus file via ftp.
- August 12, 2005, 10:30 GMT, Level 2:
A series of at least 7 new Bagle variants have been distributed over the last 24 hours. Bagle.cf and Bagle.ch are the most common of them. They mail ZIP/RAR attachments with names related to Taxation.
- July 15, 2005, 17:42 GMT, Level 2:
At least three variants of a new massmailer/network worm combo are on the loose. This virus, known as Lebreat.A, claims to be "Breatle AntiVirus v1.0". It sends variable messages with EXE/SCR/BAT/CPL/PIF attachments.
- May 31, 2005, 19:40 GMT, Level 2:
At least three different Bagle-related downloaders have been massively spammed. The spammed mails typically have no subject or body text, just an attachment such as 1.zip containing 19_04_2005.exe - or similar.
- May 2, 2005, 19:25 GMT, Level 2:
A new Sober variant has been found in the wild in several countries. Sober.P is an email worm sending variable messages in English and German. Historically, Sober variants have often made a pretty big hit.
- April 19, 2005, 9:27 GMT, Level 2:
Email worm Sober.N is spreading, mostly in Europe. It sends German and English emails with a ZIP attachment. The message claims that someone else has been receiving your emails in error.
- March 1, 2005, 04:53 GMT, Level 2:
New downloader resembling the Bagle email worm has been reported globally. This trojan has been spammed widely as "doc_01.exe". When run, it disables antivirus programs and attempts to download more malware.
- February 17, 2005, 09:30 GMT, Level 2:
F-Secure is upgrading Mydoom.BB to level 2 because of an increased number of infections. To spread, it collects email addresses using Google and other search engines. It installs a spam proxy on infected computers.
- January 27, 2005, 10:40 GMT, Level 2:
A new Bagle.AY has been reported from several different countries in Europe and Asia. It spreads in variable emails with different icons and via P2P networks. The worm contains a backdoor that listens on TCP port 81.
- January 15, 2005, 22:50 GMT, Level 2:
New Mydoom variant has been found. It sends variable emails with EXE/SCR/PIF/ZIP attachments. Some mails contain sexually explicit images and claim that the attachment contains passwords for adult websites.
- December 21, 2004, 17:50 GMT, Level 2:
Network worm "Santy" is spreading. This worm infects only web servers. It infects online discussion forums running phpBB software and defaces them with a text mentioning "NeverEverNoSanity".
- December 14, 2004, 14:05 GMT, Level 2:
Zafi.D email worm is spreading. This worm sends fake email Christmas cards in various different languages, including English, German and Finnish. It also drops a backdoor to the system.
- November 19, 2004, 09:23 GMT, Level 2:
Email worm Sober.I is spreading, mostly in Europe. It sends highly variable German and English emails with an attachment. The virus drops several files to infected systems, including spool32dir.exe.
- October 29, 2004, 09:35 GMT, Level 2:
New Bagle variant has been spotted in several locations. It sends emails with a smiley ":)" as the message body. Attachment filename starts with "Price" or "Joke" and extension is COM, EXE, SCR or CPL.
- September 29, 2004, 00:50 GMT, Level 2:
A new Bagle.AS has been widely distributed. It arrives in emails with a Price or Joke-related attachment and exe, cpl, scr or com extensions. The worm contains a backdoor that listens on TCP port 81 and a UDP port.
- August 16, 2004, 12:50 GMT, Level 2:
We are getting a constantly increasing number of reports of Mydoom.S email worm, which was spammed widely earlier today. Emails sent by the worm have subject "photos" and attachment photos_arc.exe. The worm contains a backdoor.
- August 9, 2004, 20:04 GMT, Level 2:
A new variant of Bagle has been spammed widely all over the internet. It arrives in an email with a Price-related attachment (new_price.zip, price_08.zip...). This downloads the real virus when run.
- July 26, 2004, 15:43 GMT, Level 2:
We have received several reports of a new Mydoom.M from Europe and USA. It sends emails with random subject, attachment and body. Some emails may look like a spam warning or mail delivery error.
- July 19, 2004, 21:01 GMT, Level 2:
Two new variants of the Bagle email worm have been reported spreading in several countries on 19th of July. In addition, we've also received reports of a new Mydoom variant in the wild.
- July 16, 2004, 02:03 GMT, Level 2:
New variant of Bagle email worm (Bagle.AF) has been found in several parts of the world. This one seems to be based on the source code distributed with the Bagle.AA worm over a week ago. It sends highly variable emails with infected attachments.
- June 13, 2004, 17:52 GMT, Level 2:
We are upgrading Zafi.B to level 2 due to increased number of infections. Zafi.B sends emails in many different languages with variable content and .pif attachment. It disables security applications and tools.
- June 2, 2004, 14:30 GMT, Level 2:
Several new Korgo variants are spreading. All of them are network worms that exploit the LSASS vulnerability (MS04-011). They listen on different TCP ports allowing unauthorized access.
- May 16, 2004, 10:10 GMT, Level 2:
F-Secure is increasing the level of Sober.G to Radar 2 as we are seeing increased numbers of it during the weekend. It sends emails in both German and English with varying content and attachments.
- May 11, 2004, 19:35 GMT, Level 2:
Wallon worm is spreading mostly in Europe. It does not send attachment but an HTML email that contains a link. In order to spoof the original web location, it uses the Yahoo redirection service.
- May 1, 2004, 07:55 GMT, Level 2:
Internet worm known as Sasser has been found. This worm exploits the new LSASS vulnerability in Windows 2000 and XP systems. It's not destructive. Generates traffic at ports 445, 5554 and 9996.
- April 28, 2004, 16:15 GMT, Level 2:
Two new worms are spreading today - Netsky.AB and Bagle.Z. Netsky.AB attachment file's extension is always ".pif". Bagle.Z is similar to Bagle.Y variant, but does not send images in its e-mails.
- April 20, 2004, 11:37 GMT, Level 2:
A new Netsky.X has been found and it is currently spreading mostly in Europe. It sends emails in several different languages. The attachment file's extension is always ".pif".
- April 4, 2004, 17:05 GMT, Level 2:
Email worm Sober.F is spreading, mostly in Central Europe. It sends highly variable German and English emails which always have a variably named PIF or ZIP attachment. The virus is 42496 bytes long.
- March 26, 2004, 10:53 GMT, Level 2:
A new Bagle.U worm was found spreading in the morning on March 26th. It sends emails with an empty subject, no body text and a randomly named attachment. It has a backdoor that listens to port 4751.
- March 22, 2004, 17:48 GMT, Level 2:
Netsky.P worm is spreading faster. It uses a new approach to install itself - the worm is spreading as a dropper and installs itself as a DLL file. It can spread via e-mail and to local and network drives.
- March 20, 2004, 10:24 GMT, Level 2:
New automatic network worm known as Witty is spreading through direct network connections (from UDP port 4000), targeting only computers that are running BlackIce firewall. It won't send any mails.
- March 18, 2004, 10:48 GMT, Level 2:
Three new Bagle variants (Q, R, S) are spreading in the wild. They do not send messages with attachments but with an HTML exploit. This exploit will download and run an executable from web servers installed on infected machines by previous versions of Bagle.
- March 13, 2004, 22:20 GMT, Level 2:
Bagle.N is spreading fast. It sends itself in variable emails as PIF/EXE attachments, which can be packed inside ZIP/RAR archive, which can be encrypted. Password can be shown as a BMP/GIF/JPG image.
- March 8, 2004, 7:55 GMT, Level 2:
New Sober.D was found spreading mostly in Europe. It sends emails in both German and English and pretends to be a MS update to remove Mydoom. The infected email comes from a fake Microsoft address.
- March 3, 2004, 23:35 GMT, Level 2:
The 10th variant of Bagle during the last 5 days (Bagle.J) is spreading in-the-wild. Bagle.J sends random emails with encrypted ZIP attachments, containing an executable with a Wordpad icon.
- March 1, 2004, 9:30 GMT, Level 2:
Two more Bagle worm variants (F and G) are spreading. They can send password-protected ZIPs, mentioning the password in the message. They use a deceiving icon for the attachment, looking like a folder.
- March 1, 2004, 12:36 GMT, Level 2:
Netsky.D has been found. It is already spreading very rapidly. It sends emails with random subject, one line of English text and a random PIF attachment. It will play weird beeping sounds on March 2nd.
- March 1, 2004, 14:05 GMT, Level 1:
We are upgrading Netsky.D to a Level 1 Alert, as it continues to spread at almost record-breaking speeds. Apparently the worm was started earlier today by spamming it to a large set of email addresses.
- February 28, 2004, 01:10 GMT, Level 2:
Email worm Bagle.C is spreading with increasing intensity. The previous B variant stopped spreading three days ago. Bagle.C sends random emails with a zipped EXE attachment, looking like an Excel spreadsheet.
- February 28, 2004, 17:58 GMT, Level 2:
Three different Bagle variants have been found in the wild during the last 24 hours. Variants C, D and E are all spreading via email. C and D will stop spreading on March 14th, variant E on March 25th.
- February 25, 2004, 11:46 GMT, Level 2:
F-Secure is raising Mydoom.F to Level 2 because of increased prevalence. It was found on Friday but the outbreak really started yesterday. Mydoom.F randomly deletes document and data files.
- February 25, 2004, 17:55 GMT, Level 2:
New variant of the Netsky worm is spreading rapidly. Known as Netsky.C, it sends emails with random contents and a ZIP or EXE attachment. It also spreads over p2p networks and shared folders.
- February 18, 2004, 14:40 GMT, Level 2:
A new worm NetSky.B was found spreading in the wild on 18th of February 2004. The worm arrives in e-mails inside a ZIP archive or as an executable attachment. It also copies itself to shared folders.
- February 17, 2004, 14:15 GMT, Level 2:
Bagle.B worm was found on February 17th, 2004. It was seeded in messages with random subject and attachment name. Bagle.B is spreading quickly but has been programmed to stop on February 25th.
- February 17, 2004, 18:15 GMT, Level 1:
F-Secure is upgrading Bagle.B worm to Level 1, as it keeps spreading rapidly. It arrives in email with random subject and attachment name with an EXE extension. The worm installs a backdoor.
- February 9, 2004, 19:20 GMT, Level 2:
A new network worm known as Doomjuice has been found. It infects machines which are already infected by Mydoom.A. It does not spread over email. Doomjuice launches an attack against www.microsoft.com.
- January 28, 2004, 17:50, Level 2:
A modified variant of Mydoom virus has been found. Mydoom.B attacks both www.sco.com and www.microsoft.com and prevents infected machines from accessing antivirus sites, including www.f-secure.com.
- January 27, 2004, 1:00 GMT, Level 1:
F-Secure is upgrading the Mydoom (Novarg) worm to Level 1 because of increased infection reports around the world. The worm sends email attachments ending with ZIP, BAT, CMD, EXE, PIF or SCR extension.
- January 26, 2004, 23:10 GMT, Level 2:
A new worm known as Mydoom or Novarg is spreading quickly over email and Kazaa networks. In emails, it uses variable subjects, bodies and attachment names. The worm opens Notepad with garbage data in it. It also attacks sco.com with a DDoS-attack.
- January 24, 2004, 10:50 GMT, Level 2:
A new Dumaru.Y was found in the wild on January 24th, 2004. It sends messages with subject "Important information for you. Read it immediately!", body "Here is my photo, that you asked for yesterday" and attachment "myphoto.zip".
- January 19, 2004, 07:35 GMT, Level 2:
New email worm "Bagle" is spreading rapidly. It sends emails with a spoofed sender address and subject: "Hi". The message contains texts "Test =)" and "Test, yep.", and a random attachment EXE file with the Calculator icon.
- January 19, 2004, 13:30 GMT, Level 1:
F-Secure is upgrading the Bagle worm to Level 1, as it keeps spreading aggressively. Bagle arrives via email with subject "Hi" and an EXE attachment. The worm installs a backdoor to infected machines.
- January 9, 2004, Level 2, 11:15 GMT:
New trojan has been spammed today very widely. Known as Xombe, it was sent in emails faked to be from Microsoft, talking about Windows XP Service Pack. The mails had an attachment named WINXP_SP1.EXE.
- December 20, 2003, 17:50 GMT, Level 2:
Email worm Sober.C has spread widely in German-speaking countries. The worm sends German emails which claim that there's pirated material on your computer. Attachment has a .TXT.EXE extension.
- December 11, 2003, 11:30 GMT, Level 2:
A new Microsoft Outlook-specific email worm known as Scold is going around. It sends emails with the subject "When It's Cold Outside She Gives Me Warm Inside", and a SCR attachment.
- November 18, 2003, 07:00 GMT, Level 2:
Another Mimail worm variant has been distributed. Mimail.J looks like an email from Paypal and steals users' credit card information. It uses subjects "IMPORTANT" or "Problems with your PayPal account".
- November 14, 2003, 08:20 GMT, Level 2:
Mimail.I worm is spreading. It looks like an email from the Paypal service and steals credit card information. It uses the subject YOUR PAYPAL.COM ACCOUNT EXPIRES with attachment www.paypal.com.scr.
- November 4, 2003, 16:05 GMT, Level 2:
F-Secure is issuing a level 2 Alert on several new Mimail worm variants that have been found over the last five days (C, D, E, F, G and H). These widespread email worms try to overload various websites.
- October 31, 2003, 18:56 GMT, Level 2:
Mimail.C worm spreads in the wild. It uses ZIP archive in email attachment which contains PHOTOS.JPG.EXE. The worm tries to perform a Denial of Service attack and steals user's information.
- October 26, 2003, 21:32 GMT, Level 2:
There has been a clear increase in reports of the Sober worm over the weekend. Sober is a new email worm, sending messages in English and German, sometimes posing as a fix from an antivirus company.
- October 23, 2003, 19:10 GMT, Level 2:
JS/Flea worm spreads by adding itself to email signatures of infected users. It will drop a file named C(number).HTM to Windows folder. Infections have been reported today from Europe and Asia.
- September 19, 2003, 13:44 GMT, Level 1:
F-Secure is upgrading the Swen worm to Level 1 as it is spreading at an increasing rate. Swen typically arrives via email, spoofed to be from Microsoft. It also spreads via other routes.
- September 18, 2003, 15:25 GMT, Level 2:
New worm known as Swen is spreading via email, IRC, shares and P2P. It can autoexecute from e-mail on some systems. It sends credible-looking emails which appear to be from Microsoft - but are not.
- August 22, 2003, 11:30 GMT, Level 2:
F-Secure warns about the activation of the widespread Sobig.F worm. This activation is set to happen today Friday 22nd of August at 19:00 UTC globally. The worm will download and run an unknown program.
- August 19, 2003, 10:30 GMT, Level 2:
New version of the Sobig email worm family has been found. Sobig.F is quickly spreading around the world, arriving in various different emails with a PIF attachment. Earlier Sobig variants have caused large outbreaks.
- August 19, 2003, 15:10 GMT, Level 1:
F-Secure is raising the alert level on Sobig.F worm to level 1. The worm has gone worldwide and has been seen in more than 50 countries. Most earlier versions of Sobig caused very large outbreaks.
- August 18, 2003, 16:50 GMT, Level 2:
New RPC worm known as Welchia or Nachi has been found. This worm spreads like Lovsan/Blaster. However, it disinfects Lovsan.A and installs several Microsoft security patches on vulnerable systems.
- August 12, 2003, 21:37 GMT, Radar 2:
A new network worm known as Lovsan has been found. This worm spreads to Windows servers and workstations as MSBLAST.EXE, using the well-known RPC hole. The worm will launch an attack against windowsupdate.com on 16th of August.
- August 12, 2003, 13:03 GMT, Level 1:
F-Secure is upgrading the Lovsan worm (also known as Msblast) to Level 1 as it continues to spread rapidly. Currently it is the most widespread virus in the world. Symptoms include XP machines rebooting.
- August 1, 2003, 18:42 GMT, Radar 2:
A new massmailer known as Mimail has been spammed worldwide. The worm sends e-mails which look like an administrative e-mail from the local sysadmin. Messages come with subject "your account" and contain message.zip attachment.
- June 25, 2003, 21:46 GMT, Radar 2:
A new variant of Sobig worm known as Sobig.E is spreading in the wild. The worm usually arrives in e-mails with body text "Please see the attached zip file for details" and attachment "your_details.zip".
- June 5, 2003, 11:35 GMT, Level 2:
A new polymorphic virus - worm known as Bugbear.B or Tanatos.B is spreading in the wild. The worm sends e-mails with various subjects and attachments. It uses a known vulnerability to execute the attachment automatically when the e-mail is opened.
- June 5, 2003, 15:08 GMT, Level 1:
F-Secure is raising the alert level on Bugbear.B (Tanatos.B) to level 1 as it continues to spread rapidly. The number of reported infections has increased drastically over the last 10 hours.
- June 2, 2003, 12:25 GMT, Level 1:
F-Secure is raising the alert level on Sobig.C worm to level 1. The worm has gone worldwide and it has been seen in more than 80 countries. Two earlier versions of Sobig caused very large outbreaks.
- June 1, 2003, 13:10 GMT, Level 2:
A new variant of the Sobig worm (Sobig.C) is spreading in the wild. It arrives in PIF and SCR attachments in emails coming from "bill@microsoft.com". This variant also spreads through network shares.
- May 28, 2003, 20:50 GMT, Level 2:
New worm known as Holar.H is spreading in various locations. It sends e-mails which sometimes look like they are coming from "Dispatch@McAfee.com". Mails always have a random PIF attachment. The worm also spreads over Kazaa.
- May 19, 2003, 02:30 GMT, Level 2:
Palyh worm is spreading rapidly in the internet. It sends infected PIF attachments from address "support@microsoft.com". The worm also spreads via Windows shares.
- May 19, 2003, 10:30 GMT, Level 1:
F-Secure is raising the alert level on Palyh (also known as Mankx/Sobig.B) to level 1. The worm has gone worldwide and the number of reported infections has increased drastically over the last 12 hours.
- May 13, 2003, 15:20 GMT, Level 2:
Three new Lovgate variants known as Lovgate.I, Lovgate.J and Lovgate.K have been found on May 13th, 2003. These are similar to old Lovgate variants, but in addition they infect executable files.
- May 12, 2003, 18:10 GMT, Level 1:
F-Secure is upgrading the Fizzer worm to Level 1 as it continues to spread rapidly. Currently it's one of the most widespread viruses in the world.
- May 9, 2003, 16:00 GMT, Level 2:
Complex new e-mail worm known as Fizzer has been found. It spreads itself via e-mails and P2P networks. The worm installs several backdoors and contains a denial-of-service agent. It can also update itself automatically.
- May 7, 2003, 19:55 GMT, Level 2:
A new worm known as Kickin and Cydog.D is spreading in the wild. It spreads via email, P2P and IRC systems. The worm sends several different e-mails, some of which include references to the SARS disease.
- March 27, 2003, 12:50 GMT, Level 2:
F-Secure is upgrading Lovgate.F to level 2 because of the increased number of infections. Lovgate.F is an e-mail and network worm with backdoor capabilities. It attempts to gain remote access using a longer list of passwords than previous variants.
- March 17, 2003, 14:00 GMT, Level 2:
A new mass mailer 'Ganda' has been found today. It's sending e-mail messages either in English or Swedish, with a screen saver attachment such as TR.SCR or PW.SCR.
- March 12, 2003, 9:30 GMT, Level 2:
F-Secure is upgrading CodeRed.F to level 2. This variant will reinfect unprotected IIS Web servers, most of which were already infected earlier by CodeRed II. We're not expecting this to become as big as it was in 2001.
- March 9, 2003, 15:00 GMT, Level 2:
A new network worm "Deloder" has been found on Sunday the 9th of March. It infects unprotected Windows machines which have set a weak password to the "Administrator" account. Infections have been mostly seen in China and USA so far.
- February 24, 2003, 10:25 GMT, Level 2:
On 24th of February a new variant of the Lovgate worm was found in the wild. It spreads via email and network shares. Lovgate also has backdoor capabilities, enabling remote control of the infected computers.
- January 25, 2003, 14:00 GMT, Level 2:
On January 25th, 2003 a new internet worm "Sapphire" or "Slammer" has been detected in several parts of the world. The worm generates massive amounts of traffic, slowing down the internet. The worm only infects Windows 2000 SQL servers.
- January 9, 2003, 17:15 GMT, Level 2:
Lirva.A worm continues to spread worldwide at a steady pace. Today a new version of this worm was found (known as Lirva.B) and it seems to be spreading even faster. The new version tries to download a backdoor from the web but this has now been blocked.
- January 9, 2003, 20:50 GMT, Level 2:
New e-mail and network worm known as Sobig has been reported from more than 10 countries. The worm sends e-mails with a PIF attachment. Sobig also has remote control functionality.
- January 8, 2003, 14:15 GMT, Level 2:
A new worm "Lirva" (also known as Naith and Avron) is spreading mostly in Europe. It spreads via e-mail, file shares and P2P networks. Lirva attempts to activate automatically when an infected e-mail is opened. It also steals user's passwords.
- January 8, 2003, 19:40 GMT, Level 2:
New variant of the ExploreZip worm was found on January 8th, 2003. It spreads via email and network drives. It is as destructive as the original ExploreZip which was very widespread in 1999. The worm destroys several types of files.
- December 30, 2002, 22:30 GMT, Level 2:
F-Secure is upgrading the Yaha.K e-mail worm to level 2 because it has been reported from several different countries. Yaha.K is a Windows massmailer, which randomly composes its email subject, body and attachment name.
- December 17, 2002, 11:44 GMT, Level 2:
New worm known as Lioten is actively spreading in the internet. This worm seeks Windows machines which have shared folders and are not protected by a firewall. The worm guesses a password and copies itself over as IRAQ_OIL.EXE.
- November 25, 2002, 11:50 GMT, Level 2:
A new e-mail worm known as Winevar or Korvar was found from South Korea during last weekend. It has been spreading in various parts of Asia, but is not a big problem elsewhere yet.
- November 4, 2002, 10:55 GMT, Level 2:
New massmailer Bridex has been found from Korea. It has similarities with Nimda, but it's not spreading nearly as fast. Bridex usually arrives in README.EXE attachment. It also drops another worm.
- October 2, 2002, 14:15 GMT, Level 1:
F-Secure is upgrading the Bugbear/Tanatos e-mail worm to Level 1 as it continues to spread rapidly. Currently it is the most widespread virus in the world together with Klez.
- October 1, 2002, 17:20 GMT, Level 2:
New network worm known as Opaserv is spreading using NetBios services. The worm copies itself to systems as SCRSVR.EXE and modifies win.ini to run itself.
- September 30, 2002, 15:30 GMT, Level 2:
New Windows massmailer known as Bugbear or Tanat has been found. It seems to contain lots of functionality and tries to steal information. The worm uses random filenames and subjects when e-mailing itself further.
- September 23, 2002, 08:40 GMT, Level 2:
Two new variants of the Linux.Slapper web worm have been found. They are known as Cinik and Unlock and they use the same OpenSSL hole to spread. Neither of them seems to be widespread at the moment.
- September 16, 2002, 14:30 GMT, Level 1:
F-Secure is upgrading Linux.Slapper worm to Alert Level 1 as it continues to spread rapidly. Slapper has been sighted on more than 13000 Linux servers, representing more than 100 countries.
- September 14, 2002, 13:37 GMT, Level 2:
New web worm called Slapper was found from Eastern Europe. It infects Linux www servers running Apache and OpenSSL. The worm installs a DDoS attack program to infected machines.
- September 11, 2002, 01:00 GMT, Level 2:
New e-mail worm "Chet" has been found. It tries to send itself via 9/11-themed e-mail as an attachment named 11september.exe. The worm crashes often and isn't likely to become a problem.
- July 15, 2002, 14:02 GMT, Level 2:
Two new versions of the Frethem e-mail worm have been found. Both of them are currently spreading worldwide. They send e-mail messages with subject "Re: Your password!" and attachment named "DECRYPT-PASSWPORD.EXE".
- June 29, 2002, Level 2, 8:08 GMT:
The first Apache worm has been found. Scalper is a worm that uses Apache web server to propagate. To do this it uses a vulnerability known as Chunked Encoding exploit. The worm works only on FreeBSD.
- June 20, 2002, Level 2, 15:45 GMT:
A new worm Yaha.E also known as Lentin.G became widespread on June 20th, 2002. The worm was reported from several different countries. Yaha.E randomly composes its email subject, body and attachment name.
- June 13, 2002, Level 2, 10:41 GMT:
A new worm Frethem.E is spreading. It sends messages with subject 'Re: Your password!' and attachment 'decrypt-password.exe'. Frethem uses a known vulnerability to execute the attachment automatically when the e-mail is opened.
- June 7, 2002, Level 2, 17:37 GMT:
F-Secure is increasing the Radar alert level on the Shakira (VBSWG.AQ) virus to Level 2, after seeing an increasing amount of infected messages today. Shakira worm arrives in an e-mail with subject "Shakira's Pictures" and attachment ShakiraPics.jpg.vbs.
- May 22, 2002:
A network worm known as SQLSpida is spreading amongst unprotected Microsoft SQL Servers connected to the public internet. The worm does not contain destructive code and it does not affect normal end user machines.
- May 20, 2002:
New worm known as Benjamin is spreading over Kazaa peer-to-peer file sharing networks. The worm makes hundreds of infected files with popular filenames available for download from infected machines.
- April 17, 2002:
New version of the Klez worm has been found from various parts of Asia on April 17th, 2002. Klez.H is currently spreading to Europe and USA. This worm sends e-mail messages with randomly named attachments and subject fields.
- April 2, 2002:
New variant of Mylife worm (Mylife.F) is spreading. Largest infections currently in Australia and UK. Sends e-mails with subject "the list" and attachment "List480.TXT.scr".
- March 22, 2002, Level 2, 08:37 GMT:
New version of the Mylife worm is spreading in Asia and Australia. Mylife.B sends e-mails with subject "bill caricature" and attachment "CARI.SCR".
- March 14, 2002, Level 2, 8:55 GMT:
Fbound email worm is spreading in the wild. It sends emails with subject 'Important' and attachment 'patch.exe'. The worm was found in Asia, Australia, USA and Europe.
- March 6, 2002, Level 2, 11:30 GMT:
Gibe, a mass-mailing worm, has been reported from several countries. It disguises itself as a Microsoft security update. The worm usually arrives as an attachment named Q216309.exe.
- March 5, 2002:
Klez.E e-mail worm will activate destructively tomorrow, on 6th of March, trying to overwrite data files on the system and in the local network. Klez.E is among the most common viruses.
- February 19, 2002:
Yarner worm disguises itself as a free new version of Yaw tool, which is popular in Germany. It spreads as an attachment yawsetup.exe and fakes the sender's email address so it looks like it comes from the webmaster at Trojaner-info web site.
- February 14, 2002, 11:33 GMT, Level 2:
New internet worm known as Coolnow has been found in the wild. It spreads via MSN Messenger chat client: Chat users get a message asking them to visit one of several web sites infected with the worm. Work is in progress in shutting down these sites.
- January 28, 2002, 09:31 GMT, Level 2:
New e-mail worm known as 'Myparty' is spreading. It sends an attachment file which looks like a web link. The file is called 'www.myparty.yahoo.com'. Myparty has already been found in Asia, Europe and USA.
- January 9, 2002, 17:36, Level 2:
First ever virus for the upcoming Microsoft .NET platform has been found. As .NET platforms won't start shipping publicly until 2003, the 'Dotnet.8192' virus doesn't pose much risk at the moment.
- January 8, 2002, 18:17, Level 2:
First ever virus to infect Shockwave SWF files has been found. However, it cannot spread to user computers during normal web surfing, making the SWF.LFM.926 virus low-risk.
- December 26, 2001:
Zoher e-mail worm was detected during the Christmas holidays. It arrives in e-mail with subject "Scherzo!" and with a JAVASCRIPT.EXE attachment. It executes automatically on some systems.
- December 4, 2001, 15:30 GMT, Level 2:
Goner worm has been located from USA, France and Germany today. This worm
spreads via Outlook e-mail and IRC chat channels. E-mail messages have "Hi"
as subject.
- October 26, 2001, 10:39:06 GMT, Level 2:
A combination of e-mail worm and a program virus known as Klez started
spreading early today from Hong Kong. Limited reports so far from Asia and
Europe.
- September 25, 2001, 18:39 GMT, Level 2:
New 'Vote' virus uses the WTC tragedy as a ploy to get executed. Spreads as
WTC.EXE in e-mail with subject "Peace BeTween AmeriCa and IsLaM". Not
widespread and not likely to become widespread.
- September 18, 2001, 15:56 GMT, Level 2:
New worm Nimda was found in the wild. It spreads
in email messages as an attachment called Readme.exe and also in a similar
way to the CodeRed worm.
- September 18, 2001, 18:39 GMT, Level 1:
We're upgrading Nimda to level 1. It is using a wide variety of techniques,
including modifying web sites to spread the worm and using end user machines
to infect intranet servers behind firewalls.
- September 3, 2001, 18:04 GMT, Level 2:
New Mass Mailing Worm Apost (AKA Readme) Loose in the Wild
- August 5, 2001, 20:29 GMT, Level 2:
Code Red II is Spreading and Installs Backdoor Access
- August 1, 2001, 18:09 GMT, Level 2:
Code Red Restarts and Spreads Rapidly
- July 24, 2001, 14:37 GMT, Level 1:
F-Secure Raises Alert Level on the Sircam Worm to Level 1
- July 18, 2001, 12:24 GMT, Level 2:
Sircam Worm Spreads to Randomly Collected Email Addresses
- May 31, 2001, 10:39 GMT, Level 2:
Widespread Hoax Called "SULFNBK.EXE" Causing Problems
- May 14, 2001, 14:22 GMT, Level 1:
Political Worm Called "Mawanella" Spreading Quickly Globally
- May 09, 2001, 11:10 GMT, Level 1:
F-Secure Raises Alert Level on the "Homepage" Worm to Level 1
- May 09, 2001, 03:22 GMT, Level 2:
Email Worm Known as "Homepage" Has Been Found in the Wild
- April 18, 2001, 13:19 GMT, Level 2:
New Email Worm Called Matcher Sends Massive Amounts of Messages
- April 12, 2001, 14:08 GMT, Level 2:
MTX Like Worm "Badtrans" Steals Passwords and Spreads
- April 05 2001, 09:07 GMT, Level 2:
New Linux Worm Known as "Adore" Has Been Found in the Wild
- Mar 28 2001, 13:05 GMT, Level 2:
First Virus to Infect Both Windows and Linux Machines Discovered
- Mar 24 2001, 07:10 GMT, Level 2:
New Linux-based Worm Lion Found in the Wild
- Mar 20 2001, 09:51 GMT, Level 2:
New Email Worm Staple (or Injustice) Found in the Wild
- Mar 14 2001, 16:45 GMT, Level 2:
Highly Destructive Polymorphic Worm Magistr is Spreading Slowly
- Mar 06 2001, 20:32 GMT, Level 2:
Destructive Email Worm NakedWife is Spreading
- Mar 05 2001, 11:10 GMT, Level 2:
New Worm VBS/Vierika Found in the Wild
- Feb 28 2001, 09:41 GMT, Level 2:
Destructive MYBABYPIC Email Worm Found in the Wild
- Feb 27 2001, 09:49 GMT, Level 2:
New Gnutella-Based Worm Known as Mandragore Spotted
- Feb 16 2001, 14:16 GMT, Level 2:
Modified Version of Anna Kournikova Worm Reported
- Feb 12 2001, 17:55 GMT, Level 1:
Anna Kournikova-Themed Email Worm is Spreading at Record-Breaking Speeds
- Feb 12 2001, 10:26 GMT, Level 2:
New Email/Worms Reported; Not Widespread Yet
- Feb 08 2001, 08:32 GMT, Level 2:
Cartolina: New Version of LoveLetter Reported in Europe
- Jan 19 2001, 13:25 GMT, Level 2:
New Melissa Email Worm on the Loose