Weekly Virus Report – Pheme and Lagel Worms, Dobea Trojan and Julso Macro Virus

Virus news in the first week of December has centered around the worms Pheme (VBS/Pheme) and Lagel.A (W32/Lagel.A), the Dobea (Bck/Dobea) Trojan, and the Word macro virus Julso.A (W97M/Julso.A).

Pheme is a worm written in Visual Basic Script which has been designed to spread very quickly via e-mail. The characteristics of the e-mail message that carries this malicious code depend on the operating system installed on the affected computer. Pheme’s most harmful effect consists of deleting files with the following extensions: MP2, MP3, MPG, MPE, MPEG, AVI and MOV, replacing them with copies of itself with the same name and extension as the original file, plus the VBS extension.

The second worm, called Lagel.A, displays a number of images and messages on screen once it is run. Like Pheme, this malicious code spreads very quickly through e-mail messages with the ILLEGAL.EXE attached file. Lagel.A has damaging effects, as it is programmed to delete every file in drives D, E, F and G.

Dobea is a Trojan whose purpose is to launch another Trojan, IRC.Dobea, among users of the popular chat application mIRC. To do this, the Trojan changes the program’s settings, and modifies several entries in the Windows Registry. Dobea reaches computers through various means: e-mail messages with an infected document, computer networks, CD-ROMs, Internet downloads, floppy disks and especially chat (IRC) channels.

Finally, Julso.A is a macro virus that displays the Word assistant ten minutes after being run. This virus spreads through infected Word documents that automatically infect the Word global template. By doing this, Julso.A infects every Word document that uses that template.