W32.Chaim.B is a worm that has distributed denial of service and back door capabilities. The worm spreads to network shares, through exploiting remote vulnerabilities and may also spread by sending malicious links through AIM, AOL Instant Messenger. *** Impact: Opens a back door on the compromised computer. Send links to all the contacts listed in the users AIM Steal locally stored passwords *** Propagation: Spreads through TCP port 18938. Targets AIM, AOL Instant Messenger for infection. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-092116-2709-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Disable System Restore (Windows Me/XP). Update the virus definitions of your antivirus product. Run a full system scan. Delete any values added to the registry.

W32.Stration.AD@mm is a mass-mailing worm that gathers email addresses from the compromised computer. *** Impact: Gathers email addresses from the compromised computer and downloads a remote file. Sends itself to email addresses gathered from the compromised computer. Disables security-related programs. *** Propagation: Spreads through email with varying subject, attachment name and attachment size. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-092010-3625-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Disable System Restore (Windows Me/XP). Update the virus definitions of your antivirus product. Run a full system scan. Delete any values added to the registry.

W32.Stration.AV@mm is a mass-mailing worm that gathers email addresses from the compromised computer. *** Impact: Gathers email addresses from the compromised computer and downloads remote files. Sends a copy of itself to email addresses gathered from the compromised computer. *** Propagation: Not available. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-092013-5648-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Also known as: W32/Stration-J , WORM_STRATION.R *** Solution: Disable System Restore (Windows Me/XP). Update the virus definitions of your antivirus product. Run a full system scan. Delete any values added to the registry.

W32.Stration.AT@mm is a mass-mailing worm that gathers email addresses from the compromised computer. *** Impact: Not available. *** Propagation: Not available. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-092012-2934-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Update the virus definitions of your antivirus product.

W32.Chaim is a worm that spreads by sending messages using AOL Instant Messenger and opens a back door. *** Impact: Spreads by sending messages via AIM. May also connect the computer to an IRC bot channel. Modifies the Windows Secuity Center to lower security settings. *** Propagation: Spreads through TCP port 27397. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-091909-4917-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Disable System Restore (Windows Me/XP). Update the virus definitions of your antivirus product. Run a full system scan. Delete any values added to the registry. Restore the Windows Security Center.

W32.Lunalight@mm is a mass-mailing worm that gathers email addresses from the compromised computer. *** Impact: Copies itself to open shares. *** Propagation: Not available For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-091814-5402-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Update the virus definitions of your antivirus product.

W32.Looked.AH is a network-aware worm that infects executable files in local drives and network shares. Virus definitions prior to September 15, 2006 may detect this threat as W32.Looked. *** Impact: Infects executable files in local drives and network shares. Attempts to terminate security related applications. *** Propagation: Not available. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-091513-2550-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Disable System Restore (Windows Me/XP). Update the virus definitions of your antivirus product. Run a full system scan. Delete any values added to the registry.

W32.Woredbot.C is a worm with back door capabilities that exploits the Microsoft Windows Server Service Remote Buffer Overflow Vulnerability as described in Microsoft Security Bulletin MS06-040(http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx). *** Impact: Opens a back door on the compromised computer. *** Propagation: Spreads through TCP port 8080. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-090810-5821-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Disable System Restore (Windows Me/XP). Update the virus definitions of your antivirus product. Run a full system scan. Delete any values added to the registry. Reenable the SharedAccess service (Windows 2000/XP only).

W32.Stration.AC@mm is a mass-mailing worm that gathers email addresses from the compromised computer. *** Impact: Gathers email addresses from the compromised computer. Appends text to the hosts file to prevent access to certain URLs. *** Propagation: Spreads through email with varying subject, attachment name and attachment size. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-091012-5303-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Disable System Restore (Windows Me/XP). Remove all the entries that the risk added to the hosts file. Update the virus definitions of your antivirus product. Run a full system scan. Delete any values added to the registry.

32.Areses.Q@mm is a mass-mailing worm that opens a back door on the compromised computer and may download files. *** Impact: Sends copies of itself by email to addresses gathered from the compromised computer. Uses its own SMTP engine to mass-mail copies of itself to addresses gathered from the compromised computer. *** Propagation: Spreads through email with varying subject, attachment name and attachment size. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-090611-4944-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Disable System Restore (Windows Me/XP). Update the virus definitions of your antivirus product. Run a full system scan. Delete any values added to the registry.

W32.Mobler.A is a worm that copies itself to all writeable media on the compromised computer, including USB drives, floppy drives, and network shares. *** Impact: Copies itself to removable storage devices. *** Propagation: Not available. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-090110-0812-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Disable System Restore (Windows Me/XP). Update the virus definitions of your antivirus product. Run a full system scan. Delete any values added to the registry.

W32.Bustoy is a worm that propagates by copying itself to removable storage devices. *** Impact: Copies itself to removable storage devices. *** Propagation: Not available. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-083111-3518-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Disable System Restore (Windows Me/XP). Update the virus definitions of your antivirus product. Run a full system scan.

W32.Dasher.G is a network-aware worm that exploits the Microsoft Windows Server Service Remote Buffer Overflow Vulnerability as described in Microsoft Security Bulletin MS06-040(http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx) and downloads a remote file. *** Impact: Exploits a remote vulernability and downloads files *** Propagation: Not available. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-083012-2847-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Disable System Restore (Windows Me/XP). Update the virus definitions of your antivirus products. Run a full system scan. Delete any values added to the registry.

W32.Stration!gen is a generic detection that detects variants of W32.Stration family of mass-mailing worms. *** Impact: Downloads and executes remote files. *** Propagation: Not available. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-083014-1426-99 *** Affected Systems: Windows 2000, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Update the virus definitions of your antivirus product. Run a full system scan. Submit the files to Symantec Security Response.

W32.Stration.D@mm is a mass-mailing worm that gathers email addresses from the compromised computer. The worm also downloads files from remote computers. *** Impact: Downloads files on to the compromised computer. Sends a copy of itself to email addresses gathered from the compromised computer. *** Propagation: Spreads through email with varying subject and attachment name. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-082915-5954-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Disable System Restore (Windows Me/XP). Update the virus definitions of your antivirus product. Run a full system scan. Delete any values added to the registry.

W32.Womble.A@mm is a network aware worm that exploits a remote vulnerability and downloads another threat. *** Impact: Not available. *** Propagation: Not available. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-082813-3138-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Update the virus definitions for your antivirus product.

W32.Woredbot is a network-aware worm with back door capabilities. It spreads by exploiting the Microsoft Windows Server Service Remote Buffer Overflow Vulnerability as described in Microsoft Security Bulletin MS06-040 (http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx). *** Impact: Opens a back door on the compromised computer. *** Propagation: Not available. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-082910-4034-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Update the virus definitions for your antivirus product.

W32.Stration.C@mm is a mass-mailing worm that gathers email addresses from the compromised computer. The worm also downloads files and may lower security settings. *** Impact: Gathers email addresses, downloads files, and may lower security settings. Emails itself as an attachment. Disables some firewalls. *** Propagation: Spreads through email with varying subjects, attachment names and attachment sizes. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-082712-1234-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Disable System Restore (Windows Me/XP). Update the virus definitions of your antivirus product. Run a full system scan. Delete any values added to the registry.

W32.Spybot.AKKC is a network-aware worm that opens a back door on the compromised computer and has distributed denial of service capabilities. The worm spreads to network shares and by exploiting vulnerabilities. *** Impact: Opens a back door and performs denial of service attacks. *** Propagation: Spreads through TCP port 21972. Targets computers that do not have up to date patches installed for infection. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-082212-1334-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Disable System Restore (Windows Me/XP). Update the virus definitions of your antivirus product. Run a full system scan. Delete any values added to the registry. Remove all the entries that the threat added to the hosts file.

W32.Rahack.H is a polymorphic worm that spreads to computers running Radmin software by exploiting weak passwords to connect to the Radmin server. *** Impact: Not available. *** Propagation: Not available. For further details: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-082311-5907-99 *** Affected Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP *** Solution: Update the virus definitions for your antivirus product.