****************************************************************
VIRUS ALERT - Thursday, August 22 2002.
Worm Duload
Kaspersky Labs reports the detection of the network worm Duload, which is spreading across the KaZaA file-exchange network. Kaspersky Labs has already received several registered instances of infection in Italy.
The worm itself is a Windows (PE EXE) application written in Visual Basic. Currently two modifications of the Duload worm are known, each having a different file size:
Worm.P2P.Duload.a - 18432 bytes
Worm.P2P.Duload.b - 7680 bytes (Compressed with the UPX utility)
If the infected attachment is accidentally opened, "Duload" copies itself to the Windows system directory under the name "SystemConfig.exe" and modifies the system registry so that this file automatically loads each time Windows is started.
Next, the Duload worm creates a folder in the Windows directory called "Media" and copies itself to this directory under 39 different names, such as:
Pamela Anderson And Tommy Lee Home Video.exe
Alicia Silverstone Payboy Nude.exe
Kama Sutra Tetris.exe
Soldier Of Fortune 2 Mutiplayer Serial Hack.exe
The Sims Game Crack.exe
Warcraft 3 Battle.net Crack.exe
"Duload" then once again modifies the system registry in order to make the "Media" folder accessible to all other KaZaA network users.
One modification of the worm (Worm.P2P.Duload.a) also downloads from an Internet site several Trojan programs designed to establish the unauthorized remote management of victim computers.

VIRUS ALERT - Thursday, August 22 2002. TrojanDownloader.Win32.Apher.
Trojan Horse Masquerades As Kaspersky Anti-Virus
Computer users are warned of a massive mailing of the Trojan-style malicious program, TrojanDownloader.Win32.Apher. There have already been several registered reports of infection.
The Trojan is sent out anonymously using an e-mail address from a public access e-mail service. The messages themselves have a spoofed address showing the sender as [email protected]. The infected message has the following attributes:
From: [email protected]
Subject: Protect Your NetWare with Kaspersky Anti-Virus
Attachment: AAprices.exe
Kaspersky Labs, an international data-security software developer, announces the official release of Kaspersky Anti-Virus 4.0. "We are pleased to present the latest version of our anti-virus product. The unique technology, updated design, and perfected administering system integrated into Kaspersky Anti-Virus 4.0 is the result of many years of work dedicated to improving the ease of working with the program and increasing computer defense reliability," said Natalya Kaspersky, Kaspersky Labs CEO. The new Kaspersky Anti-Virus version (Personal Pro, Personal, Lite) fully supports the Microsoft Windows XP operating system. Amongst this versions latest innovations are: a complete user interface upgrade corresponding to Tree Chart technology; perfected system installation that allows for the saving the configuration of previously installed versions, and a quarantine feature for isolating infected and suspicious objects; expanded treatment of infected archived files; an added function for the treatment of Microsoft Outlook Express and objects upon system start up and also a memory scanning of active applications; and simplified operating features for disk recovery.
Best regards, If you have any questions please call +1(866) 7280-290
If the attached file is accidentally opened, "Apher" automatically initiates a connection with a remote web site. From this site a utility enabling the control of the virus "Backdoor.Death.25" is loaded on the infected machine. In turn, this program permits the originator to clandestinely manage an infected computer, to view and send out confidential information, and create, copy and delete files in addition to more damages which have yet to be discovered as the trojan is analyzed more deeply.


VIRUS ALERT - Monday, July 15 2002.
I-Worm.Frethem.Family
I-Worm.Frethem
The Frethem family of Email worms spreads via the Internet as attachments to infected emails. The worms themselves are Windows PE EXE files about 31-35KB in length, depending on the worm version. They are compressed by PE-Pack and UPX (double compression) and written in Microsoft Visual C++.
The worms have "backdoor" routines (see below).
Infected messages have the following Subject, Message body and attached files, depending on the worm version:

Frethem.a:
Subject: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message: Hello! Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes! You can open attach with web site and samples! Enjoy it!!!
Attached: www.freedesktopthemes.com

Frethem.b,c,f,h:
Subject: Re: Your password!
Message: [empty]
Attachments: Your password placed in password.txt yourpassword.exe password.txt

Frethem.d:
Subject: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message: Hi! There is good news for you! Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes! You can open attach with web site and samples! It's really cool! Enjoy it!!! Yours, %sender%
Attached: www.xpdesktopthemes.com

Frethem.e,g,j,k,l:
Subject: Re: Your password!
Message: ATTENTION! You can access very important information by this password DO NOT SAVE password to disk use your mind now press cancel
Attached: decrypt-password.exe, password.txt

The attached EXE file (attached to the email messages) is the worm itself; the attached TXT file (if it is present) contains false text, such as:
"Your password is W8dqwq8q918213"
Running
Depending on worm version, the Internet Explorer security breach (IFRAME vulnerability) is exploited or the attached file may not contain any "security tricks". The worm activates from infected email only when a user clicks on the attached file, or it may start automatically when an infected message is opened or previewed (in vulnerable systems).
Once run, the worm installs itself to the system and runs its spreading routine.
Installing
First the worm checks the keyboard layout set; if there is Russian or Uzbek keyboard support (codepage 419 or 843), the worm just exits without taking any action.
If no such keyboard support is present, the worm then copies itself to the Windows startup directory under the setup.exe name:
%windir%\Start Menu\Programs\Startup\setup.exe
If the Startup directory doesn't exist, variants "k", "l", "m" copy themselves in the Windows directory under the "taskbar.exe" name.
Thus the worm is run with each Windows boot-up.
Spreading
The worm uses SMTP protocol to send e-mail messages. It looks for e-mail addresses in WAB (Windows Address Book) files and in *.DBX email database files, and sends infected messages to these addresses.
Backdoor
The worm then downloads a specific file from the selected URL and processes commands written there. The main backdoor features are:
    * the ability to execute requested commands on infected system
    * download EXE file(s) from that site and run it ("upgrading" worm with new version)
On activation of the backdoor routine the worm creates, in the Windows directory, two data files:
STATUS.INI and WIN64.INI
Other Details
The worm body contains the text:
thAnks tO AntIvIrUs cOmpAnIEs fOr dEscrIbIng thE IdEA! nO AnY dEstrUctIvE ActIOns! dOnt wArrY, bE hAppY!
This text may be written to the file winstat.ini in the Windows directory.




VIRUS ALERT No.87 - Wednesday, April 17, 2002.
I-Worm.Klez (Klez Family)
New Version of the "Klez" I-Worm is Spreading Fast - Klez.h
We would like to announce the exposure of a new modified version of the "Klez" Internet-worm - Klez.h, already resulting in numerous computer infections in many countries including Japan, China, Austria and the Czech Republic.
This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 57-65Kb (depending on its version) in length, and it is written in Microsoft Visual C++.
To remove the threat of infection from the Klez.h worm and any other modification of this worm, you should install the required patch for Internet Explorer. It can be found on the Microsoft site at the following address:
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp
Infected messages have variable subjects and attachment names (see below). The worm uses an Internet Explorer security breach (IFRAME vulnerability) to start automatically when an infected message is viewed.
In addition to spreading in the local network and in e-mail messages, the worm also creates a Windows EXE file with a random name starting with "K" (i.e., KB180.exe), in a temporary folder, writes the "Win32.Klez" virus in it, and launches the virus. The virus infects the majority of Win32 PE EXE files on all available computer disks.
Start-up
When an infected file is started, the worm copies itself to a Windows system folder with the krn132.exe name. Then it writes the following key to the registry to start automatically with Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Krn132 = %System%\Krn132.exe
where %System% is the name of the Windows system folder.
Then the virus searches for active applications (anti-viruses, see the list below) and forces them to unload using a Windows "TerminateProcess" command: _AVP32, _AVPCC, _AVPM, ALERTSVC, AMON, AVP32, AVPCC, AVPM, N32SCANW, NAVAPSVC, NAVAPW32, NAVLU32, NAVRUNR, NAVW32, NAVWNT, NOD32, NPSSVC, NRESQ32, NSCHED32, NSCHEDNT, NSPLUGIN, SCAN, SMSS
Replication: e-mail
The worm uses SMTP protocol to send e-mail messages. It finds e-mail addresses in a WAB database and sends infected messages to these addresses.
The subject of the infected message is selected randomly from the following list:
Hello
How are you?
Can you help me?
We want peace
Where will you go?
Congratulations!!!
Don't cry
Look at the pretty
Some advice on your shortcoming
Free XXX Pictures
A free hot porn site
Why don't you reply to me?
How about have dinner with me together?
Never kiss a stranger
The message body is the following:
I'm sorry to do so,but it's helpless to say sory.
I want a good job,I must support my parents.
Now you have seen my technical capabilities.
How much my year-salary now? NO more than $5,500.
What do you think of this fact?
Don't call my names,I have no hostility.
Can you help me?
Attached file: Win32 PE EXE file with random name, which has either an ".exe" extension or a double extension: name.ext.exe
The worm selects the filename (name.ext) using an original routine. It scans all available drives and finds there files with the following file-name extensions: .txt .htm .doc .jpg .bmp .xls .cpp .html .mpg .mpeg
It uses one of the found filenames (name.ext) as the base name of an attachment, then it adds a second extension, ".exe". For example, "Ylhq.htm.exe", "If.xls.exe", etc.
The worm inserts its own "From:" field into infected messages. Depending on the random counter, it inserts there either a real e-mail address, or a fake randomly generated address.
An interesting feature of the worm is that before sending infected messages, the worm writes the list of found e-mail addresses in its EXE file.
All strings in the worm's body (messages and addresses) are stored in an encrypted state.
Replication: local and network drives
The worm enumerates all local drives and network resources with write access and copies itself there under a random name name.ext.exe (the name-generation routine is similar to the one used to generate attachment names). After copying itself to network resources, the worm registers its copies on remote computers as system service applications.
Payload
On the 13th of even months, the worm executes a payload routine, which fills all files on all available victims' computer disks with random content. These files can't be recovered and must be restored from a backup copy.
Other versions
There are several modifications of this worm. I-Worm.Klez.a-d are similar, and have minor differences.
Klez.e
Installation
The worm copies itself to the Windows system directory with a random name that starts from "Wink", i.e., "Winkad.exe".
Infection
The worm searches several registry keys for links to applications: Software\Microsoft\Windows\CurrentVersion\App Paths
Then the worm tries to infect EXE applications that it finds. When infecting an EXE, the worm creates a file with the same name and random extension and also hidden+system+readonly attributes. This file is used by the worm to run the original infected program. When the infected file is run, the worm extracts the original file to a temp file with the original filename plus 'MP8' and runs it.
The worm infects RAR archives by copying itself to archives with a randomly generated name. The name of the infected file is selected from the following list:
setup install demo snoopy picacu kitty play rock
and has either one or two extensions, where the last one is ".exe", ".scr", ".pif" or ".bat".
Replication: e-mail
The subject of the infected message is either selected from the following list or is generated randomly:
Hi,
Hello,
Re:
Fw:
how are you
let's be friends
darling
don't drink too much
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
Japanese lass' sexy pictures
The worm can also generate the subject of the message from the following strings:
Undeliverable mail--%%
Returned mail--%%
a %% %% game
a %% %% tool
a %% %% website
a %% %% patch
%% removal tools
Where %% is selected from the following list:
new
funny
nice
humour
excite
good
powful
WinXP
IE 6.0
W32.Elkern
W32.Klez
The body of the infected messages is either blank, or has randomly generated contents.
Attached file: a Win32 PE EXE file with a random name, which has either an ".exe" extension or a double extension.
The worm uses an IFrame security breach to launch automatically when an infected message is viewed.
Payload
On the 6th of odd months, the worm executes a payload routine that fills all available files on a victim's computer in local and network disks with random content. These files can't be recovered and must be restored from a backup copy.
Other
The worm scans for the active processes that contain the following strings, and terminates them:
Sircam, Nimda, CodeRed, WQKMM3878, GRIEF3878, Fun Loving Criminal, Norton, Mcafee, Antivir, Avconsol, F-STOPW, F-Secure, Sophos, virus, AVP Monitor, AVP Updates, InoculateIT, PC-cillin, Symantec, Trend Micro, F-PROT, NOD32




- Friday, March 22, 2002.
W32/MyLife.b@MM
Aliases:
W32.Caric@mm (Symantec), Win32.MyLife.B (CA), Win32/Cari.Worm (CA)
We have seen a large and growing number of computers infected with W32/MyLife.b@MM. This is a MEDIUM RISK virus but is spreading fast.
This mass-mailing worm, written in Visual Basic 6, uses Microsoft Outlook to send itself to all addresses in the Outlook Address book and addresses on the MSN Messenger contact list. It arrives in an email containing the following information:
Subject: bill caricature
Attachment: cari.scr
The attachment is a UPX packed PE file. When executed on the local machine, the following image is displayed whilst the worm copies itself to the System folder, and uses Outlook to propagate itself to all addresses found in the Outlook Address book and addresses on the MSN Messenger contact list.

The following Registry key is added to ensure the worm is executed at subsequent system startup:
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
      Run\win=C:\WINDOWS\SYSTEM\cari.scr
Upon restarting the machine, the worm does not propagate again, and the above image is not displayed. When the worm is run from the SYSTEM directory and the hour is 8am, the worm deletes the following files:
    * *.* from C:\ D:\ E:\ and F:\
    * *.SYS, *.VXD, *.OCX and *.NLS from C:\WINDOWS\SYSTEM
The most likely scenario for this occurrence is for a system to become infected on one day, and the system files to be deleted the next, when the machine is rebooted or powered on in the morning.
Indications Of Infection:
    * Presence of: cari.scr (41,984 bytes) in the system directory.
    * Messages bearing the properties described above in your 'Sent Mail' folder.
Method Of Infection:
When executed, the worm propagates itself to all addresses found in the Outlook Address book and addresses on the MSN Messenger contact list, using Microsoft Outlook. The worm copies itself to the System folder, modifying the Registry to run this copy at subsequent startup.
Removal Instructions: McAfee have added DAT files for  detection and removal.
In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. The following instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop, and choose Properties.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and the System Restore is once again active.


Thursday, March 14, 2002.
 

I-worm.Zircon.c is spreading on the Internet

We would like to inform all our subscribers of the detection of a new virus, the Internet-worm known as Zircon - Zircon.c, which is distinct from two previous forms, has achieved wide distribution across the Internet.

Zircon.c spreads via e-mail in the form of an e-mail message with the attachment "patch.exe". The message subject field may contain text in Japanese or the word 'Important', while the message body is blank.

To avoid infection from Zircon.c DO NOT launch the attachment "patch.exe" and immediately delete the e-mail together with its attachment.

Tuesday, January 29, 2002

This is a virus-worm that spreads via the Internet attached to infected e-mail. The worm itself is a Windows PE EXE file about 30Kb in length (compressed by UPX, 76K decompressed), and it is written in Microsoft Visual C++.
Infected messages appear as follows:

Subject: new photos from my party!
Body: Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make colour prints of my photos. Thanks!
Attachment: www.myparty.yahoo.com

The worm activates from infected e-mail only when a user double-clicks on the attached file. The worm then installs itself to the system and runs a spreading routine.
Installing
While installing, the worm copies itself to:
c:\regctrl.exe - under Win9x/ME
c:\recycled\regctrl.exe - under WinNT/2K/XP
and spawns this copy. When the worm's file name is not ".com" (as in the attachment), but rather ".exe" (the worm is re-named), it also opens the Web page "http://www.disney.com".
The original file (as it was run from an infected e-mail) is moved to the Recycled or Recycler directory with one of the following names:
C:\RECYCLER\F-%1-%2-%3
C:\RECYCLED\F-%1-%2-%3
where %1, %2, %3 are randomly selected numbers, for example:
F-12158-19044-21300
F-27729-23255-31008
While installing, the worm checks the keyboard layout set, and when there is Russian keyboard support, the worm copies itself to Recycled/Recycler in the same way and exits. This is the same on any date except for 25-29 January 2002.
As a result, the worm works only from 25 until 29 January 2002, and only on machines without Russian keyboard support.
Spreading
To send infected messages, the worm uses a direct SMTP connection to an e-mail server. To obtain a victim's e-mail addresses, the worm scans WAB files (Windows Address Book) and *.DBX files (Outlook Express).
The worm also sends one e-mail (without an attachment) to "[email protected]".
Backdoor
Under WinNT/2000/... the worm also creates a new file in a user's auto-run directory:
%Userprofile%\Start Menu\Programs\Startup\msstask.exe
and writes a backdoor program to there. This backdoor is run by data that are stored in a file at the Web site "http://209.151.250.170".


24 JULY 2001
A new virus being sent around with the message in the body:

Hi! How are you?
I send you this file in order to have your advice.

The attachments were "ace.doc.pif," "Readme.doc.zlg," and "progtest.zip.bat"

The virus is named "Sircam" and this one is a pain. If you open the file, it fills your hard drive's unused space with a text file. Virus companies think it came from Russia.

Watch those attachments. Open nothing.

SIRCAM TROJAN "WORM" (VIRUS) SEEMS RAMPANT IN CHRISTIAN CIRCLES --
The "Sircam worm (kind of like a virus)" seems rampant in Christian circles. I'm not sure why, particularly, except for the fact that maybe we're more trusting of people we know... and since the trojan contains its own SMTP engine and automatically composes emails to the user's address book entries, it seems that friends are the biggest victims of the Sircam "worm". For some reason, McAfee antivirus software seems a bit less effective at handling it. Not sure why. Either way, there's more information at:
http://www.sarc.com/avcenter/venc/data/[email protected]

Notice that if you can't afford Norton Antivirus 2001 (which is very effective against this and most other viruses), there are instructions at the site above on how to remove the virus manually. There are also instructions on how to recognize it.

Want to make your PC less vulnerable to attacks from these kinds of viruses or worms? Unhook the Visual Basic script tool. Most individuals probably don't need it anyway. Just open My Computer, then open Control Panel, then open Add/Remove Programs. Then click on the "Windows Setup" tab. This gets you to Windows features that you can either add or remove. Highlight "Accessories", then click on the Details button. Scroll down the list of features and uncheck "Windows Scripting Host". Click OK to save changes, and close out each dialogue window. With Windows Scripting Host uninstalled, those silly "Trojan horse virus programs" won't be able to run Visual Basic Scripts.

They're rampant... so be careful... It truly *is* a jungle out there!

********************************************************************************
The story was a big hoax to create havoc. If you removed this file please restore it. It is on the Win 98 CD.

Profile Name: SULFNBK.EXE HOAX
Aliases: None known as at 29th. May 2001
Variants: None known as at 29th. May 2001
Date Added: Tuesday, May 22, 2001
Further Information:
Origin: Not available
Length: Not available

Type: Hoax
SubType: E-mail
Risk Assessment: Low

Virus Hoax Coaxes Users to Delete Files
Kaspersky Labs has been receiving many messages from users about a new alarming and dangerous virus hiding in a SULFNBK.EXE file. It is necessary to convince users that this type of virus does not actually exist, and we classify this as a virus hoax.
Warnings about the pseudo-virus began spreading towards the end of last week, causing a real scare amongst users. As indicated in the message's text concerning the "virus," it contains a SULFNBK.EXE file that is programmed to activate the destructive payload on June 1. As is typical when a virus hoax is making the rounds, it is reported that not one anti-virus program is able to detect this "virus"; therefore, the only means of ridding a computer of this threat is to erase the SULFNBK.EXE virus-carrying file.
Contrary to this report, the SULFNBK.EXE file is absolutely safe, and moreover is a part of the operating system included in the Windows delivery. The program is a Windows application used for backup files with long file names. By deleting this file, a user causes a change in the system function as a whole, causing several operations on the computer to be rendered inoperable.
In addition to this, as reported by Security Portal.com, the popular information center for problems regarding information safety, its experts have been able to receive the original SULFNBK.EXE file and establish the reason for this hoax's appearance. It turned out that this file on the computer of the user who initiated the hoax was really infected with the Magistr virus, currently found in the list of the most widespread viruses.

======================================================================
Date: Mon, 14 May 2001 22:02:04 +0200
Subject: Virus Alert
A new virus has just been discovered that has been classified by Microsoft (www.microsoft.com) and by McAfee (www.mcafee.com) as the most destructive ever! This virus was discovered yesterday afternoon by McAfee and no vaccine has yet been developed. This virus simply destroys Sector Zero from the hard disk, where vital information for its functioning are stored. This virus acts in the following manner:
It sends itself automatically to all contacts on your list with the title "A Virtual Card for You". As soon as the supposed virtual card is opened, the computer freezes so that the user has to reboot. When the ctrl+alt+del keys or the reset button are pressed, the virus destroys Sector Zero, thus permanently destroying the hard disk.
Also: Intel announced that a new and very destructive virus was discovered recently. If you receive an email called "An Internet Flower For You" do not open it. Delete it right away! This virus removes all dynamic link libraries (.dll files) from your computer. Your computer will not be able to boot up!

DO NOT OPEN "NEW PICTURES OF FAMILY"
It is a virus that will erase your whole "C" drive.
It will come to you in the form of an E-Mail from a familiar person.
If you receive an email called "FAMILY PICTURES," do not open it. Delete it right away!
This virus removes all dynamic link libraries (.all files) from your computer. Your computer will not be able to boot up.

Do not open e-mails with these attachments.
Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif

A STEP TO SAFEGUARD YOUR PC FROM TROJANS
Want to safeguard your PC all the more from Trojan "worms" (such as the "I love you" 'virus')? See http://www.pc-help.org/security/scrap.htm for the full discussion. The long and the short of it is that you need to make a couple of extensions visible that, by default, aren't!

You have to remove the NeverShowExt values from these keys:

HKEY_CLASSES_ROOT\ShellScrap
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DocShortcut
As an additional step, if you have a virus scanner (you do have a virus scanner don't you?), add the .SHS and .SHB extensions to its list of program files. This way your scanner is more likely to spot them as they surface.

McAfee and several others have a means to do this.

If you're really paranoid, you can disable scrap objects by one or both of these means: A) Alter or remove both file types in the File Types dialog. How to do it. Open an Explorer window, My computer select View... Folder Options... and the File Types tab. Look for Shell Scrap Object and Shortcut to Document. Then alter or remove them.

To disable scrap files very thoroughly (this is the way I did it), remove or rename the shscrap.dll file in your System folder. How to do it. (Windows Explorer, Windows, System, Show files, and you locate the shscrap.dll).

Search your hard drive(s) and see if you have any scrap object files hanging about. Who knows what might turn up?
(Thanks to the folks at PC-Magazine for this tip!)
Received from BRIGADA TODAY
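
The attachment-name disguises described in the alerts on this page (Klez's name.ext.exe attachments, the double-extension attachment list, the .SHS suffix that Windows hides, and attachments named like www.*.com web addresses), as an added example that is not part of the original alerts: a Python screen a mail filter could apply to attachment names. The extension sets are taken from names quoted on this page; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Final extensions that Windows executes on double-click; all occur in the alerts on this page.
EXECUTABLE = frozenset({"exe", "scr", "pif", "bat", "com"})
# Shell scrap types: NeverShowExt hides these even when Explorer shows extensions.
SHELL_HIDDEN = frozenset({"shs", "shb"})
# Harmless-looking types the worms place in front of the real extension.
DECOY = frozenset({"txt", "htm", "html", "doc", "jpg", "bmp", "xls", "cpp",
                   "mpg", "mpeg", "zip", "avi", "mp3"})


def split_extensions(name):
    """Return (base, [extensions]) in lower case for the last path component."""
    leaf = re.split(r"[\\/]", name)[-1]
    # Windows ignores trailing dots and spaces, so "a.txt.pif. " still opens as .pif
    leaf = leaf.strip().rstrip(". ").lower()
    base, *exts = leaf.split(".")
    return base, exts


def screen_attachment(name):
    """Return the findings for one attachment name; an empty list means no finding."""
    base, exts = split_extensions(name)
    if not exts or exts[-1] not in EXECUTABLE | SHELL_HIDDEN:
        return []
    final = exts[-1]
    findings = ["runnable:" + final]
    if final in SHELL_HIDDEN:
        findings.append("extension-hidden-by-shell")
    if any(ext in DECOY for ext in exts[:-1]):
        findings.append("double-extension")
    # "www.<site>.com" reads like a web address but is a DOS .com program
    if final == "com" and base == "www":
        findings.append("url-lookalike")
    return findings


def screen_message(raw_bytes):
    """Parse a raw e-mail and return {filename: findings} for flagged attachments."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename:
            findings = screen_attachment(filename)
            if findings:
                flagged[filename] = findings
    return flagged


def build_sample_message():
    """Constructed sample: inert attachments carrying names quoted in the alerts."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    for filename in ("LIFE_STAGES.TXT.SHS", "password.txt", "www.myparty.yahoo.com"):
        msg.add_attachment(b"inert placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in screen_message(build_sample_message()).items():
        print(name, "->", ", ".join(findings))
```

A plain executable name such as KB180.exe is reported as runnable only, so a filter can treat the double-extension, hidden-extension and URL-lookalike findings as the stronger signal.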

URGENT

VIRUS ALERT -- 20th. June
Brief Description
IRC/Stages.worm

IRC/Stages.worm is an Internet worm that began spreading rapidly yesterday, June 19, 2000, and ALL our subscribers were advised of this within a few hours of its first appearance.
AVERT has assessed it as a HIGH-risk threat. McAfee.com Clinic users who used VirusScan Online after June 16 have protection against this worm.
The worm uses Microsoft Outlook to send copies of itself to all entries in the address book and through installations of Pirch, ICQ and mIRC.* It also spreads to all available mapped drives on your system.
This worm will arrive in an email message with ANY of these formats:
Subject: "Funny" OR
"Jokes" OR
"Life Stages"
sometimes followed by "Text"
Content: "The male and female stages of life"
Attachment: "LIFE_STAGES.TXT.SHS" (the suffix ".SHS" may be hidden)
If the attachment is run, the user sees a list of jokes while the worm infects the system and attempts to send copies of itself to all addresses in Outlook address book, as well as through the other channels mentioned above.
* Pirch is an internet relay chat client for Microsoft Windows 95/98/NT, mIRC is a shareware IRC chat client for Windows and ICQ lets you initiate IRC style chat sessions - it alerts you when your friends are online and lets you chat with them.

DO NOT OPEN THIS EMAIL -- DESTROY IT IMMEDIATELY


IMPORTANT LIST OF VIRUS UP TO NOVEMBER 2000

W32/Navidad@M is an Internet worm that spreads using the Windows email program Outlook. McAfee AVERT has given it a risk assessment of MEDIUM-ON WATCH, due to a significant increase in infection levels worldwide.
Full details can be found here: http://www.fabian.com.mt/VIRUSalerts/VIRUSALERT48.html

GFI has discovered a new email virus, Romeo & Juliet, which is not yet detected by most anti-virus programs.
This new Virus has similar characteristics as the Love Bug Virus; it spreads via e-mail and is activated using an exploit in IE5 that allows remote code execution.
This is a HIGH RISK virus due to a significant increase in infection levels worldwide and, worse still, due to the fact that most virus scanners do not detect it yet.
Full details can be found here:
http://www.fabian.com.mt/VIRUSalerts/VIRUSALERT49.html

W32/ProLin@MM is an Internet worm that spreads via email. McAfee AVERT has given it a risk assessment of MEDIUM TO HIGH-RISK. The email comes with an attachment named CREATIVE.EXE, which carries the icon of a Shockwave Media Player application. Full details can be found here:
http://www.fabian.com.mt/VIRUSalerts/VIRUSALERT50.html



