#2
This mail comes to you from the Virus Emergency Response Team at Proland Software. We are issuing this virus alert as we are receiving an increasing number of infection reports, of the recently discovered internet worm, W32/Yaha.E. About the W32/Yaha.E Worm: W32/Yaha.E is a worm that spreads using the Windows Address Book, MSN Messenger list, Yahoo pager list and ICQ list. This worm infects Windows systems. The worm arrives as an email, with the subject as a combination of a few words or phrases, most of which suggest friendship and love. The body of the email varies and is auto-generated by the worm from pre-defined sets. It carries an infected attachment with a random name having any one of the following extensions DOC, XLS, MP3, WAV, JPG, BMP, TXT, DAT, GIF, HTM, MPG, ZIP or MDB. Some of the attachments may carry an additional extension like SCR, BAT or PIF. More information on this worm is available at THIS SITE. Instructions to remove this worm from your computer: An emergency virus database update to detect and remove this worm is available to the users of Protector Plus anti-virus software. To download this update from our web site, run Protector Plus anti-virus software from Start menu -> Programs. Select the 'InstaUpdate' option and click the 'Connect Now' button. Others can download a FREE 30 days, fully functional evaluation copy from Protector Plus. You are welcome to use this information to help any one who might need or benefit from it. If you have questions regarding this worm or in the use of Protector Plus, please write to US.

Second Notice
The same virus warning as above, except from McAfee, check it out by clicking here

Second Notice
About the Win32/Fbound.B Worm: the Win32/Fbound.B is a worm that spreads using Windows address book. This worm infects Windows systems. The worm arrives as an email, with the subject, "Important". The body of the mail will be blank. It carries an infected attachment, patch.exe. You can read more about this worm at this site.

Third Notice
McAfee.com has seen a large and growing number of computers infected with W32/Fbound.c@MM. This MEDIUM-ON-WATCH RISK virus is a pure mass-mailing worm. It does not carry any other, damaging, payload. The virus sends itself to all users found in the Windows Address book using SMTP. It arrives in an email message containing the following information:
Subject: "Important" or a Japanese subject
Body: [empty]
Attachment: patch.exe
When run, it immediately e-mails itself to all entries in the Windows address book. It does not install itself in any way. It contains the text "I-Worm.Japanize". As always, McAfee.com recommends that you keep your anti-virus software up-to-date for the best protection. McAfee.com will continue to update you on the latest details of the W32/Fbound.c@MM virus at this site.

Fourth Notice
McAfee.com has seen a large and growing number of computers infected with W32/MyLife.b@MM. This is a MEDIUM RISK virus. As always, we recommend that you keep your anti-virus software up-to-date for the best protection. To get complete information on this virus, please click here this site.

Fifth Notice
About the Win32/MyLife.J Worm: the Win32/MyLife.J is a worm that spreads using MS Outlook and MSN Messenger. This worm infects Windows systems. The worm arrives as an email, with the subject, "sexyy Screen Saver". The body of the mail will be:
hi
look to the screen saver it's very funny
bye
It carries an attachment USA.scr. More information on this worm is available at this site.

VirusScan and other McAfee products with DAT files 4172 and higher are protected from this variant. W32/Badtrans@MM is a mass-mailing worm that drops a remote-access Trojan. The virus arrives via the Microsoft Outlook email program and attempts to send itself by replying to unread email messages. The email may contain the text "Take a look to the attachment" in the message body and will contain an attachment that is 13,312 bytes in size. The attachment name is created in three sections, for example, card.doc.pif.

For detection and removal instructions for the W32/Badtrans@MM virus, click here. McAfee.com VirusScan Online and Clinic subscribers: If you don't have ActiveShield installed and updated, you are not protected from this virus. Click here to download ActiveShield. Retail VirusScan Users: Version 4.0.70 and above with DAT file 4172 will detect and remove this worm. To download the latest DAT files, click here.

Find out more about this worm. Click here to go to the W32/Badtrans@MM Help Center.

Second Notice
This mail comes to you from the Virus Emergency Response Team at Proland Software. A new variant of Badtrans.A worm has been discovered in the wild, called the Win32/Badtrans.B worm. This worm is spreading rapidly via the Internet.

About the Win32/Badtrans.B Worm: Win32/Badtrans.B is a worm that spreads using MS-Outlook and Outlook Express. This worm infects Windows systems. The worm arrives with the subject as reply to an email sent earlier by you with a prefix 'Re:'. This worm is potential of sending the system critical information using a trojan, dropped by the worm itself.

You can read more about this worm at: this site. Protector Plus Anti-virus software will detect and remove this worm. Please download the latest version of Virus Database from here. You can also download a 30 day evaluation copy from here.

Third Notice
McAfee.com has seen an OUTBREAK of computers infected with W32/Goner@MM, also known as Pentagone, Goner or Gone. This is a NEW, HIGH RISK virus that spreads via Microsoft Outlook email and ICQ instantmessaging programs. This mass-mailing worm will arrive from someone you know with the following email message:

Subject: Hi

Body: How are you ?

When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!

Attachment: GONE.SCR

Goner has a DESTRUCTIVE PAYLOAD. When the attachment is opened, it will look for a variety of anti-virus, firewall and other security programs and attempt to delete them, along with ALL FILES in the same directory. This worm will also place a trojan, REMOTE32.INI, on the system, which contains instructions to attempt Denial-of-Service attacks on other IRC users.

For detection and removal instructions for the W32/Goner@MM virus, click here.

Fourth Notice
This mail comes to you from the Virus Emergency Response Team at Proland Software. A new worm called Win32/Goner.A has been discovered. This is a mass-mailing email worm and it is spreading rapidly via the Internet. It is known to carry a destructive payload. Win32/Goner.A is also known as Pentagone, Goner or Gone.

About the Win32/Goner.A Worm: Win32/Goner.A is a worm that spreads using MS-Outlook and ICQ. This worm infects Windows systems. The worm arrives as an attachment having the name Gone.SCR, disguising itself as a screensaver. The email carrying the attachment has the following;

Subject : Hi

Body: How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!

Win32/Gone.A attempts to delete some firewall and anti-virus software running in the system. You can read more about this worm at this site. Protector Plus Anti-virus software will detect and remove this worm. Please download the latest version of Virus Database from here. You can also download a 30 day evaluation copy from here.

About the Win32/Nimda.E Worm: Win32/Nimda.E is a worm that spreads using many methods, mainly through MS-Outlook and Outlook Express. This worm infects Windows systems. The worm arrives with a random subject and with an invisible attachment as SAMPLE.EXE. You can read more about this worm at this site. Protector Plus Anti-virus software will detect and remove this worm. Please download the latest version of Virus Database from here. You can also download a 30 day evaluation copy from here.

Second Notice
McAfee.com has seen a large and growing number of systems infected with the W32/magistr.b@mm worm in Europe and South America. Currently, there is a low incidence of this worm in North America. This is a MEDIUM RISK virus that is spread via email.
The messages sent by the worm contain varying subject headings, body text, and attachments. The body of the message is derived from the contents of other files on the victim's computer. It may send more than one attachment and may include non-EXE or non-viral files along with an infectious .EXE file.
Five minutes after the virus is activated, it attempts to send copies of itself to email addresses found in the Windows Address Book, and in the Outlook Express, Netscape and Eudora mailboxes on the hard drive.
The virus payload may also cause the following:
· Erasure of CMOS/BIOS info
· Destruction of sectors on the hard disk
· Deletion of all .NTZ files on the machine
· Termination of Zone Alarm firewall program
· Creation of a SYSTEM.INI [boot] shell value to run itself at startup
· Overwrites the WIN.COM/NTLDR
For detection and removal instructions for the W32/Magistr.b@mm virus, click here.

Third Notice
McAfee.com has seen a large and growing number of systems infected with the W32/Nimda@MM. This is a HIGH RISK virus that is spread via email. W32/Nimda@MM also spreads via open shares, the Microsoft Web Folder Transversal vulnerability (also used by W32/CodeBlue), and a Microsoft content-type spoofing vulnerability.
The email attachment name VARIES and may use the icon for an Internet Explorer HTML document. It will also attempt to spread itself as follows:
- The email messages created by the worm include content that allows the worm to execute the attachment even if the user does not open it.
- It modifies HTML documents, so that when this infected window is accessed (locally or remotely), the machine viewing the page is then infected.
Once infected, your system is used to seek out others to infect over the Web. AVERT is currently analyzing this threat and will post more details online shortly.
For detection and removal instructions for the W32/Nimda@MM virus, click here.

Third Notice
From a different protector
This noitce comes to you from the Virus Emergency Response Team at Proland Software.
A new worm has been discovered in the wild, called the Win32/Nimda.A worm. This worm is spreading rapidly via the Internet.
About the Win32/Nimda.A Worm: Win32/Nimda.A is a worm that spreads using many methods, mainly through MS-Outlook and Outlook Express. This worm infects Windows systems.
The worm arrives with a random subject and with an invisible attachment as readme.exe.
You can read more about this worm at this site.
Protector Plus Anti-virus software will detect and remove this worm. Please download the latest version of Virus Database from this site.
You can also download a 30 days evaluation copy from this site.

Second Notice
A new worm has been discovered in the wild, called the NakedWife worm. This worm is spreading rapidly via the Internet.
About the NakedWife Worm: NakedWife uses MS-Outlook to spread rapidly through the Internet. This worm infects Windows 95/98 and Windows NT/2000 systems. The worm arrives with the subject: Fw: Naked Wife and with an attachment NakedWife.exe.

You can read more about this worm at this site.

A new trojan for Handheld devices has been discovered, called Palm/Liberty. This trojan arrives as a crack for a Palm application called Liberty. This crack claims that it will convert the shareware version of this application to the registered version. The trojan delivers its payload when the infected file is run manually. On execution, the Palm/Liberty trojan will delete all the applications in the computer/handheld and reboot it. You will find more information on Palm/Liberty at this site.

A new variant of the LoveLetter worm has been discovered, called VBS/Loveletter.BD. It is a worm written in VB Script, and like the original Loveletter, comes through email. The message has, 'RESUME', as the subject and the worm as an attachment titled RESUME.TXT.VBS. The worm infects the computer when the attachment is opened and sends itself to everyone in the address book. This variant will also download a trojan called HCHECK.EXE and run it. This trojan collects information from the infected computer and sends it to an email address. You will find more information of VBS/Loveletter.BD at this site.

A new Internet worm has been discovered, called VBS/Stages.A. It is a worm written in VB script. It comes through email. The message will have the worm as an attachment with the name LIFE_STAGES.TXT.SHS. It appears as a scrap file. The worm will infect the computer when the attachment is opened. The worm will send itself to everyone in the address book. You will find more on VBS/Stages.A at this site.

Thursday May 4, 9:31 am Eastern Time, Company Press Release, F-Secure Warns: LOVE LETTER e-Mail Worm Might Exceed Melissa in Severity. Activates by Overwriting Picture and Music Files, SAN JOSE, Calif.--(BUSINESS WIRE)--May, 2000--F-Secure Corporation, (formerly Data Fellows) [HEX: FSC], a leading provider of security for mobile, distributed enterprises, is warning e-mail users of a new destructive e-mail worm called VBS/LoveLetter. This worm spreads by e-mailing a file called LOVE-LETTER-FOR-YOU.TXT.vbs. F-Secure Anti-Virus detects and disinfects the virus, with the latest update available from this site.

"This worm spreads at an amazing speed," said Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation in Espoo, Finland. "We got the first report around 9:00 a.m. on Thursday from Norway, and by 1 p.m. we had reports from over 20 countries. We estimate that total number of infected machines is already in tens of thousands. This epidemic might exceed Melissa in both speed and destructiveness."

The LoveLetter worm activates by overwriting picture and music files from the local and network drives. Files with extension JPG, JPEG, MP3 and MP2 are overwritten and will have to be restored from backups. The worm arrives to users in e-mail message attachments called LOVE-LETTER-FOR-YOU.TXT.vbs. On a default Windows system, the ".vbs" extension is not visible, and users might mistake the file for a harmless text file (.TXT). If the recipient opens the attachment, the worm will use Microsoft Outlook (if installed) to send a message to everyone in any address books (including global access books of the organization these typically contains hundreds or thousands of addresses). The messages is as follows:

From: Name-of-the-infected-user
To: Random-name-from-the-address-book
Subject: ILOVEYOU
kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

As address books typically contain group addresses, the result of executing the VBS/LoveLetter worm inside an organization is that the first infected user sends the message to everybody in the organization. After this, other users open the message and send the message again to everyone else. This quickly overloads e-mail servers. In addition to spreading over e-mail, the worm also overwrites existing local script and HTML files with its own code. The worm was most likely written in the Philippines. It was first spotted in early morning, Thursday May 4. It contains the following text:

arok -loveletter(vbe)
by: spyder / ispyder@mail.com / @GRAMMERSoft
Group / Manila,Philippines

VBS/LoveLetter is written in the VBScript language. By default, programs written in VBScript operate only under Windows 98 and Windows 2000. However, Windows 95 and NT 4 users are also vulnerable, if they have installed version 5 of Microsoft Internet Explorer. A technical description of the virus is available in the F-Secure virus description database at: http://www.F-Secure.com/v-descs/love.htm sample pictures of e-mail messages generated by VBS/LoveLetter are available in the F-Secure virus screenshots center at this site.

About F-Secure Corporation
F-Secure Corporation is a leading developer of centrally managed security solutions for the mobile, distributed enterprise. The company offers a full range of award-winning integrated anti-virus, file encryption, distributed firewall and VPN solutions. F-Secure products and the underlying policy management framework enable corporate IT departments as well as service providers to deliver Security as a Service(TM). For the end-user, Security as a Service is invisible, automatic, reliable, always-on, and up-to-date. For the administrator, Security as a Service means policy-based management, instant alerts, and centralized management of a widely-distributed user base.

Founded in 1988, F-Secure is listed on the Helsinki Stock Exchange [HEX: FSC]. The company is headquartered in Espoo, Finland with North American headquarters in San Jose, California, as well as offices in Canada, China (Hong Kong and Beijing), France, Germany, Japan, Sweden and the United Kingdom. F-Secure is supported by a network of VARs and Distributors in over 90 countries around the globe.