16 APR 04
Starting in mid-April, the worm will spread itself by stealing email addresses from the infected computer, spoofing or forging the "from: field." It is a variant of the W32/Netsky.MM virus, W32/NETSKY.S@MM The Medium Risk mass-mailing worm that arrives inside a PIF attachment. It will also launch a Denial of Service attack on various domains, including www.kazaa.com. Look for:

From: Varies (forged addresses taken from infected system)
Subject: Varies - Hello!- Hi!- Re: Important
Body: Varies
Attachment: Varies, but has a .PIF extension. The filename is constructed from strings within the worm, with a random number appended to it
Examples: account - postcard - sample - development

09 APR 04
Another Bagle Virus---Disguised as an email security warning (e.g."Your e-mail account has been temporary disabled"), W32/BAGLE.N@MM is a Medium Risk mass-mailing worm and file infector and arrives inside an attachment, often an encrypted .ZIP or .RAR file with a password included in the email body or hidden within an image file attached to the message. Unlike its predecessors, it can also infect executable programs. Loof for:

From: Varies (forged addresses taken from infected system, a known e-mail)
Subject: Examples - E-mail account disabling warning.- E-mail account security warning.- E-mail technical support message
Body: Examples - We warn you about some attacks on your e-mail account. - Our antivirus software has detected a large amount of viruses outgoing from your email account
Attachment: Varies. ZIP, .EXE, .PIF, RAR, BMP, .JPG or .GIF image file

Dear user of MADSearch.com e-mail server gateway,

Your e-mail account has been temporary disabled because of unauthorized access. Further details can be obtained from attached file. For security purposes the attached file is password protected. Password is "82567".

Best wishes,

The MADSearch.com team
http://www.MADSearch.com

29 FEB 04
W32/MYDOOM.F@MM is a mass-mailing worm that can open up hacker backdoors on infected systems and launch denial-of-service attacks that target www.microsoft.com and www.riaa.com domains. Unlike previous versions this Mydoom can also delete image, movie, Excel and Word files on an infected machine. The worm arrives with random subject lines, such as "Please read," "Something for you" or "Please reply". The body of the e-mail contains an executable file often disguised as a text file. What to look for:

From: Randomly generated <spoofed>
Subject: Examples include: Announcement, ApprovedNews, Attention, automatic responder, Bug...
Body: Varies. Examples include: Check the attached document, Details are in the attached document, You need Microsoft Office to open it, Greetings, Here is the document, Here it is, I have your password :)
Attachment: Varies. Examples: .cmd, .bat, .exe, .pif, .cmd and .scr, but often arrives in a .zip archive. 34,686 bytes. Examples include: creditcard.bat, creditcard.zip, paypal.zip, photo.zip, textfile.zip

15 JAN 04
W32/MIMAIL.S@MM is a Medium Risk mass-mailing worm that tries to steal credit card information by displaying a fake Microsoft Windows license expiration message. Stolen credit numbers are sent to addresses within the domains @mail15.com and @ziplip.com. W32/Mimail.s@MM also forwards itself to contacts it steals from the infected machine. What to look for:

From: An infected email can come from people you know
Subject: here is the file you asked for
Body: Hi! Here is the file you asked for
Attachment: example--document.txt.scr;
Possible File Extensions: .pif, .scr, .exe, .jpg.scr, .jpg.pif, .jpg.exe, .gif.exe, .gif.pif, .gif.scr
Aliases: W32.Mimail.R@mm.