2005-12-16 11:37 Age: 6 yrs

[Virus Alert] 12 new worms found

Worm name: SYMBOS_CARDTRP.D

Risk rating: MEDIUM

Damage Potential: MEDIUM

Distribution Potential: MEDIUM

 

Description:

This Symbian malware affects mobile devices running on Symbian operating system with the Series 60 Platform user interface.

 

It overwrites normal applications installed on the affected mobile device with malformed copies, thus preventing the said applications from working properly.

 

 

Worm name: SYMBOS_SKULLS.Q

Risk rating: MEDIUM

Damage Potential: MEDIUM

Distribution Potential: MEDIUM

 

Description:

This Trojan is spammed via email. It downloads files from several locations. However, the said locations are already inaccessible.

 

It is important to note that the Series 60 Platform user interface is licensed to popular mobile phone manufacturers, such as LG Electronics, Lenovo, Nokia, Panasonic, Samsung, Sendo, and Siemens.

 

Upon installation, it drops a number of files on an affected mobile phone. Some of the said dropped files are corrupted versions of legitimate system files within the mobile device. In effect, the dropped files overwrite the real system files, causing some applications to malfunction.

 

 

Worm name: SYMBOS_SKULLS.R

Risk rating: MEDIUM

Damage Potential: MEDIUM

Distribution Potential: MEDIUM

 

Description:

This Symbian malware propagates by sending a copy of itself to other mobile phones via Bluetooth. It usually arrives posing as a cracked version of Splinter Cell: Pandora Tomorrow, a popular game for mobile phones.

 

This SYMBOS_SKULLS variant affects mobile phones running Symbian OS with the Series 60 Platform user interface. It usually arrives as an installation file with the file name SC-PT_CARCKED_NGAGE_DFT.

 

Upon installation, this Symbian malware drops several files and folders on an affected mobile phone. The said files are specially crafted such that they execute in place of the original system files and third-party applications located in the ROM of the affected mobile phone. It affects most built-in and third-party applications of the affected mobile phone.

 

 

Worm name: SYMBOS_SKULLS.T

Risk rating: MEDIUM

Damage Potential: MEDIUM

Distribution Potential: MEDIUM

 

Description:

This Symbian malware propagates by sending copies of itself to other mobile devices via Bluetooth. It affects mobile devices running the Symbian operating system with the Series 60 Platform user interface.

 

Using corrupted copies of itself, this Symbian malware overwrites several legitimate utilities, antivirus-related files, and applications installed on the affected mobile device, thus causing the said applications not to run properly.

 

 

Worm name: PERL_SPHP.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This Perl script targets Web sites running the software SimplePHPblog, which was found to have vulnerabilities that allow unauthorized users to upload arbitrary files to a Web site using the said software.

It has backdoor capabilities. It can then exploit several vulnerabilities that, when used together, allow a remote user to upload arbitrary files to the affected server and retrieve information from the target system.

 

One of the vulnerabilities has to do with the file or image upload system on servers using POST. POST is the HTTP method by which a client sends data to a server for processing. Once compromised, this could allow an unauthorized remote user to upload any file to the server.
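The upload weakness described above is the kind that a strict server-side check on POSTed files closes. The following is an added example, not code from this alert or from SimplePHPblog (which is written in PHP): a stand-alone Python routine with illustrative names (validate_upload, ALLOWED_TYPES, UploadRejected) showing the three checks a defender wants before an uploaded file is written to disk: strip any directory component the client supplied, accept only a fixed set of extensions, and verify that the file content matches the declared type, then store the file under a server-chosen name.

```python
import os
import posixpath
import secrets

# Added example, not code from the alert or from SimplePHPblog. Names and the
# allowlist below are illustrative; a real deployment would tune them.

# Extensions the upload endpoint is meant to accept, each paired with the
# magic bytes a file of that type must begin with (constructed allowlist).
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_upload(client_filename: str, content: bytes) -> str:
    """Return a safe server-side file name for an accepted upload, or raise UploadRejected.

    Checks, in order:
      1. keep only the last path component of the client-supplied name, so
         '../' sequences in the name cannot steer the file outside the upload dir
      2. the extension must be in the allowlist (no .php, .pl, .exe, ...)
      3. the content must start with the magic bytes for that extension, so a
         script renamed 'shell.php.png' is still rejected
    The stored name never reuses the client's name, so a crafted name cannot
    collide with or overwrite an existing server file.
    """
    # 1. treat both '/' and '\' as separators, then drop everything but the leaf
    base = posixpath.basename(client_filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        raise UploadRejected("empty or directory-only file name")

    # 2. extension allowlist (case-insensitive)
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")

    # 3. content sniffing: the bytes must match the declared type
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")

    # 4. server-chosen name: random hex, no user-controlled characters
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("accepted as", validate_upload("avatar.png", png))
    for bad_name, bad_data in [("../../shell.php", b"not an image"),
                               ("shell.php.png", b"not an image")]:
        try:
            validate_upload(bad_name, bad_data)
        except UploadRejected as exc:
            print("rejected", bad_name, "->", exc)
```

The magic-byte check is deliberately paired with the extension allowlist rather than used alone: an allowlist without content sniffing accepts a script that carries an image extension, and sniffing without an allowlist accepts a valid image that also parses as something the server would execute.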

 

 

Worm name: TROJ_HANLO.J

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This Trojan arrives as a download from a fake Web site purporting to be the software update page of a certain antivirus vendor. The link to the said site is spammed via email purporting to be about a software update for an antivirus application. The said email is a social engineering technique to trick the user into visiting the said link. The fake site looks like the real site, thus fooling the user into clicking the link to the patch. When clicked, a copy of this Trojan is downloaded to the user's system.

http://www.austria-arb{blocked}t.com/update/update.exe

 

This Trojan downloads and executes files from certain Web sites. It saves the downloaded file in the Windows temporary folder using a random file name.

 

It has rootkit capabilities that enable this Trojan to hide its processes and dropped files, thus eluding casual detection.

 

 

Worm name: ELF_SMALL.AYW

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This Unix-based Trojan takes advantage of a directory-traversal vulnerability.

This vulnerability allows the Trojan to traverse and make use of the kernel module and provide remote access using shell commands. Hence, a remote user can gain control of an affected system and perform malicious commands.

 

 

Worm name: ELF_SMALL.AYY

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This Unix-based Trojan takes advantage of a directory-traversal vulnerability.

This vulnerability allows the Trojan to traverse and make use of the kernel module and provide remote access using shell commands. Hence, a remote user can gain control of an infected system and perform malicious commands.
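Both ELF_SMALL entries above rest on a directory-traversal flaw: a service that builds a file path from client input without confining the result to its intended base directory. The following is an added example, not code from the alert, showing the containment check a defender applies before opening any client-named file; safe_join and TraversalRejected are illustrative names, and the base directory in the demo is a constructed value.

```python
import os

# Added example, not code from the alert. Illustrative containment check for
# client-supplied relative paths.


class TraversalRejected(ValueError):
    """Raised when a client-supplied path would leave the base directory."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir and return the absolute result.

    Rejects absolute paths, Windows drive-letter paths, and any path whose
    normalized form escapes base_dir (e.g. '../../etc/passwd' or 'a/../../x').
    Both '/' and '\\' are treated as separators so Windows-style input cannot
    bypass the check. A second, real-path comparison catches escapes through
    symbolic links when the paths exist on disk.
    """
    base = os.path.abspath(base_dir)
    candidate = user_path.replace("\\", "/")
    if candidate.startswith("/") or os.path.isabs(candidate):
        raise TraversalRejected("absolute path not allowed")
    if len(candidate) > 1 and candidate[1] == ":":
        raise TraversalRejected("drive-letter path not allowed")

    # normpath collapses '.', '..' and repeated separators purely lexically
    joined = os.path.normpath(os.path.join(base, candidate))

    # commonpath is the portable containment test: the result must be base
    # itself or lie beneath it. A plain string-prefix test would wrongly
    # accept '/srv/data2' as being inside '/srv/data'.
    if os.path.commonpath([base, joined]) != base:
        raise TraversalRejected(f"path escapes base directory: {user_path!r}")

    # symlink-aware check: compare the resolved locations as well
    real_base = os.path.realpath(base)
    if os.path.commonpath([real_base, os.path.realpath(joined)]) != real_base:
        raise TraversalRejected(f"path escapes base directory via symlink: {user_path!r}")
    return joined


if __name__ == "__main__":
    base = "/srv/www/data"  # constructed base directory for the demo
    print(safe_join(base, "img/../logo.png"))
    for p in ["../../etc/passwd", "..\\..\\etc\\passwd", "/etc/passwd"]:
        try:
            safe_join(base, p)
        except TraversalRejected as exc:
            print("rejected:", exc)
```

The lexical check alone is enough to stop the classic '..' sequences; the real-path comparison is what stops a link planted inside the base directory from pointing the service at files outside it.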

 

 

Worm name: WORM_COMBRA.N

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This memory-resident worm propagates by sending out three email messages to each target recipient using its own Simple Mail Transfer Protocol (SMTP) engine. It obtains email addresses from affected users' Windows Address Book (WAB).

Using its own SMTP engine means that this worm can send out email messages without being dependent on any application on the infected system.

 

Upon execution, this worm first attempts to connect to the non-malicious Web site http://www.ocarteiro.com.br/cartoes/cart_0360.swf?Destinatario=09631452378&Remetente=Remetente&myDynamicText=891555452 using Internet Explorer on systems running the Brazilian Portuguese version of Windows. This is done to divert the attention of the user into thinking that no malicious activities are taking place on the affected system.
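A worm with its own SMTP engine, as described above, bypasses the local mail client entirely, so the observable trace is on the network: one workstation opening port-25 connections to many distinct mail servers in a short time. The following is an added example, not code from the alert: a Python detection routine (find_mass_mailers, an illustrative name) run over a constructed sample of outbound-connection log lines in a simple "timestamp src_ip dst_ip dst_port" format, flagging any source that reaches at least a threshold number of distinct SMTP destinations within a sliding time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not code from the alert. The log format and every address
# below are constructed for the demo.
SAMPLE_LOG = """\
2005-12-16T11:30:01 10.0.0.5 203.0.113.10 25
2005-12-16T11:30:02 10.0.0.5 203.0.113.11 25
2005-12-16T11:30:02 10.0.0.7 192.0.2.1 25
2005-12-16T11:30:04 10.0.0.5 203.0.113.12 25
2005-12-16T11:30:05 10.0.0.9 198.51.100.3 80
2005-12-16T11:30:07 10.0.0.5 203.0.113.13 25
2005-12-16T11:30:09 10.0.0.7 192.0.2.1 25
2005-12-16T11:30:11 10.0.0.5 203.0.113.14 25
2005-12-16T11:30:12 10.0.0.9 198.51.100.4 80
2005-12-16T11:30:15 10.0.0.5 203.0.113.15 25
2005-12-16T11:30:20 10.0.0.7 192.0.2.1 25
"""


def parse_line(line):
    """Split one 'timestamp src dst port' record into typed fields."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_mass_mailers(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: peak_distinct_smtp_destinations} for sources that reach
    at least `threshold` distinct port-25 destinations within any `window`.

    A host that talks to a single relay repeatedly (normal mail client
    behaviour) has one distinct destination and is not flagged; a host fanning
    out to many recipient mail servers directly is.
    """
    per_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port = parse_line(line)
        if port != 25:
            continue
        per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        # slide the window start across each event and count distinct
        # destinations seen before the window closes
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                seen.add(dst)
            peak = max(peak, len(seen))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in find_mass_mailers(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} distinct SMTP destinations within the window")
```

In the sample, 10.0.0.5 reaches six distinct mail servers in fourteen seconds and is flagged, while 10.0.0.7, which only ever talks to the organisation's relay, is not. The same fan-out logic is the basis of the usual mitigation: block outbound port 25 from workstations at the perimeter and let only the mail relay through.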

 

 

Worm name: ELF_CODORDA.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This Unix-based backdoor program allows a remote malicious user to specify a remote IP address as well as a TCP port to connect to.

Once connected, this backdoor program executes a command shell, which allows the malicious user to perform actions on the host machine.

 

 

Worm name: JS_MHTREDIR.ET

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This malicious JavaScript is usually embedded in certain malicious Web pages.

Hence, a user can unknowingly run this JavaScript upon accessing the mentioned malicious URL. It takes advantage of the following Windows vulnerabilities to download and execute files on an affected system:

 

• Microsoft Virtual Machine (VM) vulnerability

• Microsoft Outlook Express vulnerability

 

The mentioned vulnerabilities are discussed in detail on the following Web pages:

 

• Microsoft Security Bulletin MS03-011

• Microsoft Security Bulletin MS04-013

 

 

Worm name: TROJ_BAGLE.CD

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This Trojan arrives as an attachment to a spammed email message sent by WORM_BAGLE.CD. The attachment is a .ZIP file that uses common names, such as "Alice", "Anna", "Daniel", "Dorothy", "Peter", and "Susan", among many others, as the file name. It is notable that the spammed email message also uses common names for its subject line and message body.

Upon execution, this Trojan drops a copy of itself using the file name ANTI_TROJ.EXE in the Windows system folder. It then connects to several URLs and attempts to download and execute a possibly malicious file. It saves the downloaded file in the subfolder EXEFLD, which it creates in the Windows folder.

 

It looks for a file named NTIMAGE.GIF in the Windows system folder and displays it using the default image viewer. It does this to trick affected users into thinking that running its dropped file merely opens the .GIF file.
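The two file-system artifacts the description above names, ANTI_TROJ.EXE in the Windows system folder and the EXEFLD subfolder in the Windows folder, are enough for a quick host check. The following is an added example, not code from the alert: a Python routine (find_bagle_cd_artifacts, an illustrative name) that looks for exactly those two artifacts with case-insensitive matching. It assumes the Windows system folder is system32 beneath the Windows folder unless told otherwise; the decoy NTIMAGE.GIF is not treated as an indicator because the Trojan only looks for it and does not create it.

```python
import os

# Added example, not code from the alert. The artifact list is taken from the
# TROJ_BAGLE.CD description: a dropped copy in the Windows system folder and a
# download subfolder created in the Windows folder.
BAGLE_CD_ARTIFACTS = [
    ("system", "ANTI_TROJ.EXE"),   # dropped copy of the Trojan
    ("windows", "EXEFLD"),         # subfolder used to store downloaded files
]


def find_bagle_cd_artifacts(windows_dir, system_dir=None):
    """Return paths of any TROJ_BAGLE.CD artifacts present under the given folders.

    windows_dir: the Windows folder (for example C:\\Windows).
    system_dir: the Windows system folder; assumed to be <windows_dir>\\system32
                when not given.
    File names are compared case-insensitively, as Windows does.
    """
    if system_dir is None:
        system_dir = os.path.join(windows_dir, "system32")
    roots = {"system": system_dir, "windows": windows_dir}

    found = []
    for location, name in BAGLE_CD_ARTIFACTS:
        root = roots[location]
        if not os.path.isdir(root):
            continue
        for entry in os.listdir(root):
            if entry.lower() == name.lower():
                found.append(os.path.join(root, entry))
    return found


if __name__ == "__main__":
    import sys
    windows = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    hits = find_bagle_cd_artifacts(windows)
    print("artifacts found:" if hits else "no TROJ_BAGLE.CD artifacts found")
    for path in hits:
        print("  ", path)
```

A hit on either artifact is a reason to quarantine the host, not a clean bill of health in the other direction: the downloaded payload is saved under EXEFLD with a name the description does not fix, so absence of ANTI_TROJ.EXE alone proves little.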

 

 

 

References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)
