2005-12-07 13:14

[Virus Alert] 5 new worms found

Worm name: JS_ONLOADXPLT.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH
Description:

This JavaScript (JS) is a proof-of-concept exploit. It is triggered when Internet Explorer (IE) fails to correctly initialize the Windows() JavaScript function when it is used together with an onLoad event in the HTML BODY tag; IE then raises an exception when it attempts to call a dereferenced address.
Attackers can easily use this script to drop and execute malware onto the affected remote system.
This proof-of-concept exploit may be used in future attacks.
Worm name: WORM_AIMDES.E

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH
Description:

Upon execution, this memory-resident worm propagates through AOL Instant Messenger (AIM).
It has backdoor capabilities. It opens random ports and comes with a built-in Internet Relay Chat (IRC) client engine, which enables it to connect to an IRC channel and wait for commands from a malicious user. This routine compromises system security.
Moreover, this worm performs a PING flood attack against target systems. This kind of flood attack congests network traffic and slows down system performance. It also creates the mutex DXUIJPEADHEA, which ensures that only one instance of itself is running in memory.
Worm name: BKDR_ZAPCHAST.BB

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH
Description:

This backdoor arrives on a system when an unsuspecting user clicks on a link that is spammed via email and downloads it from the Internet.
The user may be enticed into opening the link, thinking that the postcard may have been sent by a friend. When the link is opened, a copy of this backdoor is downloaded onto the system.
This backdoor uses port 6667 to connect to a certain Internet Relay Chat (IRC) server and joins certain channels. Once connected, a remote user may issue commands that are executed on the affected machine. This leaves the affected system vulnerable, giving the remote user virtual control over the said machine.
Worm name: WORM_KELVIR.CY

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH
Description:

Similar to most WORM_KELVIR variants, this memory-resident worm propagates via the instant messaging application MSN Messenger. It sends an instant message to all the online contacts of an affected user. The message contains a URL that downloads a copy of this worm when accessed. Since the message comes from a known source, users may accept it as trustworthy and unsuspectingly install this worm. Users are advised to be wary of clicking links contained in instant messages from their contacts, unless they have confirmed that the links are valid and non-malicious.
Worm name: SWF_CRASHBRWSR.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH
Description:

This malware exploits the MPSB05-07 Flash Player 7 Improper Memory Access Vulnerability.
This malware is specially crafted code embedded in Macromedia Flash files. It allows remote code to be executed in the memory of affected systems; the code executed in memory may be that of other malware.
Since Macromedia Flash files are handled by a plug-in in Internet Explorer, malformed or erroneous code may cause Internet Explorer to crash.
References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)