A new initiative set up to dispel confusion over virus-naming, the Common Malware Enumeration (CME), was launched on Wednesday Oct.7 2005. It has been a long time coming but finally there is a way to find a common name.

The problem is, when you get a virus sample and you have 15 minutes to get something going. 'You have to name it, work out how to handle it and then kick it back out ... Now every piece of malware will end up with just 18 names and a number.'

The industry group, backed by a string of global security companies, aims to provide a common name for high profile threats in the hope that customers will be able to protect their computers from malware attacks more effectively.

The need for a more uniform approach to virus-naming has been a long-standing issue for users. Many have grown increasingly frustrated with different anti-virus vendors relying on different naming conventions to refer to particular threats.

Companies signed up to the CME will work to apply the same identifier to each piece of malware discovered by the group. It will use identifiers that will follow the format of CME-N, where N is a unique series of numerical digits. The name will be adopted by the anti-virus vendors, which can then be used in products and websites. Link Here

Why are you clicking on attachments still???? Do you just like pain or what?

Both Kaspersky Lab and Symantec have detected worm variants. Kaspersky noted three variants of E-mail-Worm.Win32.Sober, which Symantec identified as W32.Sober.S@mm.

The variants are modifications of the same program, according to Kaspersky. A "large number of samples" of the variants have been intercepted in e-mail traffic, indicating that the worms are spreading by spam containing infected messages, Kaspersky said in a statement. The variants arrive as an attachment to infected messages.

The messages might not have a subject line or text, but can be identified by the attachment name. The attachment names thus far identified are: Exceltab-packed_list.exe; Liste.zip; Reg-List-Dat_Packer2.exe; reg_text.zip; Word-Text.zip; Word-Text_packedList.exe; Word-Text_packedList.zip.

The worm activates only if a computer user clicks on the attachment, which causes a false error message, "WinZip Self-Extractor. WinZip_Data_Module is missing ~Error," to pop up, Kaspersky said. The worm variants copy themselves to the Windows system directory and then register the files to the system Registry so that the worm launches every time Windows is rebooted.

The first variants were detected after midnight on Thursday and ESET's ThreatSense(TM) technology immediately stopped a new variant of the Sober family of worms, once again underlining the need for proactive protection. ESET's NOD32, a unique anti-threat solution, uses advanced technology, which employs heuristic analysis to detect malicious threats in real-time.
   
   Win32/Sober.R, a part of the Sober family, has a highly-encrypted piece of code that attempts to terminate security software cleaner tools, such as McAfee's Stinger. The worm tries to remove old versions of the Sober virus and in scanning for specified files, can cause the machine to slow down significantly. Sober.R arrives as a .zip file attached to emails written in English or German. The worm can detect regional domain names, which determines the language of the message. Using its own SMTP engine, Win32/Sober.R sends mass-emailed copies of itself to additional email addresses. The message sender is spoofed and the message body may be 'signed' by the names Rita, Sandra, Nicole, Hannelore, Kerstin or Elke.
   
   "The author of the Sober worms is very aware of the AV industry, as this variant appeared during the Virus Bulletin conference in Dublin," said Andrew Lee, chief technology officer of ESET. "It may be that the author is trying to maximize the amount of time before detection by releasing at a time when a significant portion of the antivirus industry is tied up at a conference. However, ESET customers were protected from the Win32/Sober.R worm in real-time due to our powerful, ThreatSense heuristics." 
    
 ESET is providing a free remover for the Win32/Sober.R worm, which can be downloaded at www.eset.com.

W32.Sober.Q@mm is a mass-mailing worm that uses its own SMTP engine to spread. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German. It has been reported that it may arrive as one of the following files and that inside the ZIP archive is a file named PW_Klass.Pic.packed-bitmap.exe:

• KlassenFoto.zip
• pword_change.zip

• Also Known As:	CME-151, Sober.Y [Panda Software], W32/Sober.r@MM [McAfee], WORM_SOBER.AC [Trend Micro]
  Type:	Worm
  Infection Length:	Varies
  Systems Affected:	Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Due to a decreased rate of submissions, Symantec Security Response has downgraded W32.Netsky.D@mm from a Category 3 to a Category 2 as of October 27, 2004. W32.Netsky.D@mm is a mass-mailing worm that is a variant of W32.Netsky.C@mm. The worm scans drives C through Z for email addresses and sends itself to those that are found.
The Subject, Body, and Attachment names vary. The attachment will have a .pif file extension.  As of March 22, 2004, due to an increase in submission rate, Symantec Security Response has upgraded W32.Netsky.P@mm (also known as W32.Netsky.Q@mm) to a Category 3 level threat from a Category 2 threat. W32.Netsky.P@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.

The From line of the email is spoofed, and its Subject line and message body of the email vary. The attachment name varies with the .exe, .pif, .scr, or .zip file extension.
Removal Tool:

When Zotob infects a computer, it attempts to deliver a malicious file, which is named differently depending on the variant that has infected the computer. If your computer has been infected, this file will be present and your registry will show changes. Use any of the following methods to check for infection. (If you find the file, you do not need to check the registry, and vice versa.)

Learn More about the Malicious File

This NETSKY worm spreads by sending out copies of itself as email attachment using its built-in SMTP engine. It gathers target recipients from certain files found on the affected machine, virtually turning the affected system into a propagation launch pad.

The email it sends out has a spoofed sender's name, varying subjects, message bodies and attachments, and generally mimics email delivery notifications. For complete details about the email that this worm sends out, please click here.

Malware type: Worm

Aliases: W32.Netsky.P@mm, W32/Mydoom.BK@mm, W32/Netsky, W32/Netsky-P, Win32/Netsky.P!Worm, Win32/Netsky.P@mm

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

The Troj/Sober-Q Trojan horse is being used to send out German nationalistic spam from PCs previously infected by the Sober-N worm.

It appears that the Sober-N worm which spread very widely, accounting for nearly 80% of reports in early May, was used to infect as many PCs as possible by posing as tickets for the 2006 World Cup in Germany. The many compromised PCs are now being used to send out masses of spam.

Spam sent by the Trojan horse from infected PCs uses various subject lines including: 'Dresden Bombing Is To Be Regretted Enormously', 'Armenian Genocide Plagues Ankara 90 Years On', 'Dresden 1945' and 'Turkish Tabloid Enrages Germany with Nazi Comparisons'.

Trojan.Gpcoder is a Trojan horse which searches for files with various extensions and encodes them. The original files are then deleted and the newly encoded ones become unreadable.

Note: Definitions prior to May 28, 2005 may detect this threat as Trojan.Pgpcoder.

W32.Mytob.CF@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.

The worm also opens a back door and spreads through the network by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).