2005-12-22 10:25

[Virus Alert] 3 new worms found

Worm name: TROJ_BAGLE.GI

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This memory-resident Trojan arrives on a system as an attachment to mass-mailed email messages.

 

Once a user executes the said attachment, it drops a copy of itself on the affected machine. The presence of the file ANTI_TROJ.EXE indicates infection.

 

This Trojan creates a registry entry as part of its installation routine, as well as two other registry entries to ensure that it executes every system startup.


Worm name: WORM_BRONTOK.AA

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This memory-resident worm propagates by sending a copy of itself as an attachment to email messages. It gathers target email addresses by searching an affected system for files with certain extensions.

 

On systems running Windows 98 and ME, this worm modifies the AUTOEXEC.BAT file, causing affected systems to pause at startup. The said event then requires the user to press any key to resume the startup process.

 

It also disables the Folder Options item in the Tools drop-down menu from the main menu bar of Windows Explorer and Control Panel. The said action prevents the affected user from changing such settings as displaying hidden folders and displaying file paths in title bars.


Worm name: WORM_BLASTER.N

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This worm propagates using the RPC/DCOM vulnerability found in Windows, which allows an attacker to gain full access and execute arbitrary code on a target machine by sending a malformed packet to the DCOM service. It uses TCP port 135. More information on this vulnerability can be found in Microsoft Security Bulletin MS03-026.
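A worm that spreads through the DCOM service leaves a characteristic network footprint: one host opening TCP 135 connections to many distinct hosts in a short time, which ordinary RPC clients of a single server do not do. The following detection script is an added example, not part of the original alert; the log line format, the host addresses and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample connection-log lines (not from the original alert). Assumed format:
# "<time> <src_ip> -> <dst_ip>:<dst_port>/<proto> <action>"
SAMPLE_LOG = (
    # one workstation fanning out to eight hosts on TCP 135: the propagation pattern described
    [f"10:25:{i:02d} 10.0.0.17 -> 10.0.0.{20 + i}:135/tcp allow" for i in range(8)]
    # a workstation talking repeatedly to a single domain controller on 135: ordinary RPC traffic
    + ["10:25:10 10.0.0.5 -> 10.0.0.2:135/tcp allow",
       "10:25:11 10.0.0.5 -> 10.0.0.2:135/tcp allow"]
    # a proxy fanning out on TCP 80: many targets, but not the port in question
    + [f"10:25:{12 + i:02d} 10.0.0.9 -> 203.0.113.{i}:80/tcp allow" for i in range(6)]
    # a malformed line that must be skipped rather than crash the parser
    + ["garbage line"]
)

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+):(?P<port>\d+)/(?P<proto>\w+)\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def find_rpc_fanout(lines, port=135, min_targets=5):
    """Return {src_ip: distinct_target_count} for every source that contacted at least
    min_targets distinct hosts on TCP <port>. Counting distinct destinations rather than
    raw connections keeps a busy client of one server from being flagged."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["port"] == port:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, n in find_rpc_fanout(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on TCP 135 - possible RPC/DCOM worm propagation")
```

Blocking inbound TCP 135 at the perimeter and applying the MS03-026 patch remove the propagation path; this check is for spotting an already-infected host on the inside.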

 

Upon execution, this worm drops a copy of itself in the hardcoded location, %Windows%\System32.

 

This worm downloads and executes the file WINBAL.EXE from the Web site, http://serocubase-djs.com{BLOCKED}/csrsscs.bmp.


References: http://www.trendmicro.com/vinfo/ (Trend Micro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese Trend Micro Virus Security Info)
