Computer Associates International, Inc. has warned of a
new, moderately dangerous "worm" named "Badass"
reported by a client in the Netherlands. The worm, which
has the potential to overload e-mail servers, uses Microsoft
Outlook to send an e-mail to all users in the Outlook
address book.
The worm arrives as an e-mail with the subject:
"=?Windows-1252?B?TW9n+2guLg==?=."
The message consists of the following text:
Dit is wel grappig! :-),
which is Dutch for "This is sort of funny!"
A file called BADASS.EXE is attached to the message. When executed, BADASS.EXE displays a
message box with obscene content and a "yes" and "no" button. If the
user tries to click on no, it moves to the other side of the yes button, so it cannot be
selected. When the user clicks on yes, the worm displays another profane message box.
The worm does not install itself on the system. To protect the system the file BADASS.EXE
should be deleted.
"Just as the macro threat began with one or two viruses and now numbers in the
thousands, we're starting to see an increase in worms. This threat began with
Explorer.zip and Cholera," said Narender Mangalam, director of security strategy at
CA. "CA is working diligently to continue to proactively protect our clients from
these threats."
In another case, security experts are trying to track down the perpetrators of a huge
Internet surveillance operation that could be a prelude to an attack on websites around
the world. Members of the Bethesda, Md.-based System Administration,
Networking, and Security (SANS) Institute have already identified over 200 copies of a
Trojan virus called RingZero.
This virus scans Web proxy servers and sends back information to
remote computers on the Internet. Proxy servers are used by businesses to handle Web access
on office networks, to host intranet websites and to let system administrators restrict
access. The concern is that information such as credit card numbers and
other private data could be stolen.
This virus has a file pst.exe which randomly scans for proxy servers and makes them send
their own Internet address and port number to what appears to be a data collection script
running on a machine at www.rusftpsearch.net.
These IP addresses and port numbers are the starting point for hacking operations.
SANS warned its 64,000 members to check for the Trojan after the first was discovered two
weeks ago. Research has given them proof of attempts to gather information from commercial
proxy servers.
Researchers at SANS found that the Trojan has a second part, called its.exe, that works in
the other direction and tries to retrieve files directly from Web servers. What happens
to these files is still being studied.
The danger points are the presence of files called pst.exe and its.exe and outgoing
network traffic on ports 8080 and 3128, especially on a network that doesn't have a proxy
server.
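The danger points above are concrete enough to turn into a detection check. The following is an added example, not code from SANS or the article: it scans constructed firewall log lines (the log format, addresses and the 10.0.0.0/8 internal range are assumptions) for internal hosts talking to proxy ports on machines that are not an approved proxy, which is the scan pattern attributed to pst.exe, and checks a host's file listing for the two component names.

```python
"""Flag the RingZero indicators the article lists: pst.exe / its.exe on a host,
and outbound TCP traffic to ports 8080 and 3128 that does not go to a known proxy.

Added example; the log format, addresses and sample lines are constructed."""
import ipaddress
import re

RINGZERO_FILES = {"pst.exe", "its.exe"}
PROXY_PORTS = {8080, 3128}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

# Constructed log format: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample log: one normal web hit, three proxy-port connections
# (one of them to the approved proxy 10.0.0.2), one inbound connection.
SAMPLE_LOG = """\
1999-10-01 09:58:12 ALLOW TCP 10.0.0.5:1034 -> 198.51.100.7:80
1999-10-01 09:58:40 ALLOW TCP 10.0.0.5:1035 -> 203.0.113.9:8080
1999-10-01 09:59:02 ALLOW TCP 10.0.0.8:1201 -> 203.0.113.21:3128
1999-10-01 09:59:30 ALLOW TCP 10.0.0.8:1202 -> 10.0.0.2:3128
1999-10-01 10:00:05 ALLOW TCP 198.51.100.7:443 -> 10.0.0.5:1036
"""


def suspicious_proxy_scans(log_text, known_proxies=frozenset()):
    """Return (src, dst, dport) for internal hosts connecting to a proxy port
    on any machine that is not an approved proxy."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unparseable line: skip rather than guess
        src = ipaddress.ip_address(m["src"])
        dport = int(m["dport"])
        if src in INTERNAL and dport in PROXY_PORTS and m["dst"] not in known_proxies:
            hits.append((m["src"], m["dst"], dport))
    return hits


def ringzero_files_present(filenames):
    """Return the RingZero component names found in a host's file listing
    (Windows paths; the final path element is compared case-insensitively)."""
    names = {f.replace("/", "\\").rsplit("\\", 1)[-1].lower() for f in filenames}
    return sorted(RINGZERO_FILES & names)
```

On a network with no proxy at all, call `suspicious_proxy_scans(log)` with no `known_proxies`, so every connection to 8080 or 3128 is reported.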
And finally, something about the all-time troublemaker, Melissa.
AVERT (Anti-Virus Emergency Response Team), a division of
Network Associates, Inc. has found two new variants of the Melissa virus and given them an
initial risk assessment of "medium." They spread through e-mail and are
activated when an infected document is opened and erase data on the disk.
It is believed that the virus broke out last Friday or Saturday, which is when the first
reports started to come in. There have been 10 distinct reports of the virus which has
appeared in the Netherlands, France, Canada and Australia with no reported incidents in
the United States.
These new variants of the Melissa virus can be caught by
heuristic scanning methods in normal anti-virus software. Meanwhile, Symantec, whose
well-known anti-virus product is Norton, has announced that all Norton
Antivirus users are protected from this virus. The company has developed definitions for
this virus and has made them available through LiveUpdate on its site.
The email carrying the virus has a subject line that is
"pictures" in the case of the variant known as Melissa.U, and "My
Pictures" in the case of Melissa.V.
The sender's registered Word97 or Word2000 username, if available, is featured in the
subject line, with the body of the
e-mail reading "what's up?" in the case of Melissa.U, and blank in the
case of Melissa.V.
In both cases the virus arrives in the form of an infected
Word Attachment, which is a duplicate of the infected Word
document opened by the sender to trigger the virus' spread.
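The article gives enough of each message's shape (encoded subject line and BADASS.EXE attachment for Badass; "pictures" / "My Pictures" subjects, a Word attachment and a "what's up?" or blank body for Melissa.U and Melissa.V) to write a mail-gateway triage rule. This is an added example, not code from CA, AVERT or the article; the triage function and its matching rules are a simplification of what is reported, and the sample messages are constructed. It also shows how the RFC 2047 encoded subject quoted for Badass decodes.

```python
"""Triage inbound mail against the worm/virus indicators the article reports.

Added example; the rules are simplified from the article's description and
the sample messages in the test are constructed."""
from email.header import decode_header, make_header

# Subject the article quotes for the Badass worm: an RFC 2047 encoded word
# (charset Windows-1252, base64 payload).
BADASS_SUBJECT_ENCODED = "=?Windows-1252?B?TW9n+2guLg==?="


def decode_subject(raw):
    """Decode RFC 2047 encoded words (=?charset?B|Q?...?=) to a plain string;
    a subject without encoded words is returned unchanged."""
    return str(make_header(decode_header(raw)))


def triage(subject, attachment, body):
    """Return the names of the article's indicators that a message matches.

    subject: raw Subject header; attachment: attached file name; body: text body.
    """
    subj = decode_subject(subject).strip()
    att = attachment.lower()
    text = body.strip().lower()
    hits = []

    # Badass: the decoded Dutch subject line together with the BADASS.EXE attachment
    if subj == decode_subject(BADASS_SUBJECT_ENCODED) and att == "badass.exe":
        hits.append("Badass")

    # Melissa variants arrive as an infected Word document; the article says the
    # sender's Word username may also appear in the subject, so match by substring.
    if att.endswith(".doc"):
        low = subj.lower()
        if "my pictures" in low and text == "":
            hits.append("Melissa.V")
        if "my pictures" not in low and "pictures" in low and text == "what's up?":
            hits.append("Melissa.U")
    return hits
```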
When the Word document is opened on an uninfected PC, the virus infects Word's global
template, NORMAL.DOT, and with it all future Word documents.
Infected documents will have the message "Please Check Outlook Inbox Mail"
(Melissa.U) in them, while in the case of Melissa.V a pop-up message box containing the
text "Please Check Your Outlook Inbox Email!" appears. After the
victim presses "OK," text is then inserted into the open document.
The viruses behave differently after the NORMAL.DOT template has been infected. Melissa.U
will invoke a MAPI e-mail client and send itself to the first four e-mail addresses in the
address book. It will then attempt to delete the following system files in order to make
the user's system inoperable:
c:/command.com, c:/io.sys, c:/Ntdetect.com, c:/Suhdlog.dat, and
d:/Suhdlog.dat.
Melissa.V sends itself to the first 40 addresses in the address book. It then attempts to
delete files and directories in
the root of mapped drives with the following letters sequentially in this order:
M,N,O,P,Q,S,F,I,X,Z,H,L.
Network Associates (www.nai.com)
claims that its McAfee Total Virus Defense product can
detect and clean the Melissa.U and Melissa.V variants.