HackfixNews: Anti-Virus IDE alert: W32/Winevar-A/I-Worm.Winevar/ W32/Korvar

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Mon, 25 Nov 2002 10:23:29 -0800

From;  Sophos Alert System 

Name: W32/Winevar-A
Aliases: I-Worm.Winevar, WORM_WINEVAR.A, W32/Korvar,
Worm/Bride.C, W32.HLLW.Winevar
Type: Win32 worm
Date: 25 November 2002

A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated into the
January 2003 (3.65) release of Sophos Anti-Virus.

At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory
following enquiries to our support department from customers. 

More information about W32/Winevar-A can be found at

Download the IDE file from

Download a ZIP file containing all the IDE files available for
the current version of Sophos Anti-Virus from

Read about how to use IDE files at


Fro; MessageLabs  VirusEye Alert

Trojan name: W32/WineVar.A-mm 
Number of copies seen so far: 264 
Time & Date first Captured: 22 Nov 2002, 08:55 GMT 
Origin of first intercepted copy: South Korea 
Number of countries seen active: 9 
Top three most active countries: South Korea, UK, Russia

Technical Details
W32/WineVar.A-mm appears to add .CEO to the list of executable files. This
means that if you do not completely clean up after this virus, the writer
may be able to get you next time (because .CEO will not be on your list of
known executable files.

The virus utilizes the well-known MS01-020 vulnerability, and also exploits
the com.ms.activeX.ActiveXComponent weakness.

In copies that we have seen so far, an example of the e-mail is as follows:

        Subject: Re: AVAR (Association of Anti-Virus Asia Reseachers)


                 WIN(hex number).TXT (12.6 KB)  MUSIC_1.HTM
                 WIN(hex number).pif
                 WIN(hex number).GIF (120 bytes)  MUSIC_2.CEO
Skeptic=99 detected W32/WineVar.A-mm heuristically.  No MessageLabs
customers were affected.  

Further information may be found at the MessageLabs website at:

For more information on a proactive anti-virus service working
around the clock, around the globe, visit http://www.messagelabs.com

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see ~ http://www.mwn.ca 
See my Anti-Virus pages ~ http://virusinfo.hackfix.org
A Technical Support Alliance Charter Member 

To unsubscribe from our list send an email 
to hackfixnews-request@xxxxxxxxxxxxx?Subject=unsubscribe.

For a complete list of email commands for our list send 
an email to ecartis@xxxxxxxxxxxxx with a subject line of 
"info hackfixnews" without the quotes.

Other related posts:

  • » HackfixNews: Anti-Virus IDE alert: W32/Winevar-A/I-Worm.Winevar/ W32/Korvar