2005-12-29 11:02

[Virus Alert] 5 new threats found (2 worms, 3 Trojans)

Worm name: WORM_LOCKSKY.T

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This worm may arrive on a system as an attachment to email messages.

 

It harvests email addresses from a legitimate system file used by the MS Outlook email client and uses the harvested addresses both as targets and as spoofed senders. Because the message appears to come from a known or trusted sender, target recipients are tricked into treating it as legitimate.

 

It attempts to download updates of itself from several Web sites. It also attempts to access the Web site 5sec.biz{BLOCKED}/report/sox.php, which contains a list of target IP addresses.

 

 

Worm name: WORM_LOCKSKY.V

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This worm propagates by sending copies of itself as attachments to email messages. The original alert includes a screenshot of an example of the email message it sends out.

 

It gathers target email addresses from the Windows Address Book (WAB). It also gathers email addresses from .HTM files. This worm spoofs the From field in an attempt to trick affected users into thinking that the email came from a trusted source.

 

It attempts to bypass an affected system's firewall to avoid its immediate detection and subsequent removal.

 

This worm logs all keystrokes on the affected machine and saves the collected data, presumably for later retrieval by a remote malicious user.

 

 

Trojan name: TROJ_NASCENE.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This Trojan is a .WMF file that takes advantage of an unpatched vulnerability found in Windows Picture and Fax Viewer. Once the image is rendered and the exploit succeeds, it connects to the Web site union{BLOCKED}.com/d and downloads the file IOO.EXE.

 

The Windows Picture and Fax Viewer vulnerability is a zero-day that allows remote code execution: exploit code is circulating while no vendor patch is available. The term refers to the vendor having had zero days to prepare a fix, not to the vulnerability and its exploit being published on the same calendar day. This is a dangerous situation because a large number of systems can be affected: the exploit is publicly available, and every machine that renders an untrusted WMF image is exposed until a patch ships. At the time of this alert no patch existed; Microsoft later fixed the flaw (CVE-2005-4560) in security bulletin MS06-001.

 

The downloaded file is detected by Trend Micro as TROJ_DLOADER.BFK, a downloader that further exposes the affected system to additional malicious components.

 

 

Trojan name: TROJ_NASCENE.B

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This Trojan is a .WMF file that takes advantage of an unpatched vulnerability found in Windows Picture and Fax Viewer.

 

Once exploited successfully, it connects to the Web site www.web-f{BLOCKED}e-hosting.net/xexe.exe and downloads the file XEXE.EXE. The said file is detected by Trend Micro as TROJ_DLOADER.BEA.

 

The Windows Picture and Fax Viewer vulnerability is the same unpatched zero-day described under TROJ_NASCENE.A above: exploit code is publicly available, no vendor patch exists yet, and any system that renders an untrusted WMF image is exposed to remote code execution.

 

 

Trojan name: TROJ_NASCENE.C

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This Trojan takes advantage of an unpatched vulnerability found in Windows Picture and Fax Viewer. It exploits the said vulnerability to download the file msits.exe from the following Web site:

www.b{BLOCKED}appyy.biz/parthner3/msits.exe

 

Trend Micro detects this file as TROJ_TINY.AG. Downloading and running it further exposes the affected system to additional malicious components.

 

The Windows Picture and Fax Viewer vulnerability is the same unpatched zero-day described under TROJ_NASCENE.A above: exploit code is publicly available, no vendor patch exists yet, and any system that renders an untrusted WMF image is exposed to remote code execution.
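All three TROJ_NASCENE variants are WMF files that abuse the same flaw: Windows metafile playback honours an Escape record with the SETABORTPROC sub-function, which installs an "abort procedure" callback whose code is the attacker-supplied bytes inside the image. A practical check is therefore to walk the WMF record stream and flag any Escape record whose sub-function is SETABORTPROC. The scanner below is an added example written for this page; it is not Trend Micro's detection logic and contains no code from the malware. The sample metafiles BENIGN, MALICIOUS and PLACEABLE_MALICIOUS are constructed inline (the "payload" is 0xCC filler, not the real IOO.EXE/XEXE.EXE/msits.exe downloaders), and the record layout follows the standard WMF format (RecordSize in 16-bit words, RecordFunction, then parameters).

```python
import struct

# WMF format constants (standard Windows Metafile layout)
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
META_EOF = 0x0000           # record function: end of metafile
META_SETMAPMODE = 0x0103    # harmless record used in the constructed samples
META_ESCAPE = 0x0626        # record function: printer-driver escape
SETABORTPROC = 0x0009       # escape sub-function abused by the WMF exploit


def parse_wmf_records(data):
    """Yield (offset, function, params) for every record in a WMF blob.

    Handles both plain and placeable WMF files. A record whose size field is
    shorter than the fixed 6-byte prefix or runs past end of file is yielded
    with params=None and parsing stops, so a truncated or malformed file
    never causes reads outside the buffer.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mt_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF standard header")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2  # RecordSize is counted in 16-bit words
        if size < 6 or off + size > len(data):
            yield off, func, None
            return
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def find_setabortproc(data):
    """Return [(record_offset, byte_count, escape_data)] for every
    Escape/SETABORTPROC record in the metafile."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and params is not None and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, byte_count, params[4:4 + byte_count]))
    return hits


def is_suspicious(data):
    """True if the WMF carries at least one SETABORTPROC escape."""
    return bool(find_setabortproc(data))


def build_wmf(records):
    """Assemble a minimal non-placeable WMF from (function, params) pairs.
    Used only to construct the sample files below."""
    body = b""
    max_words = 0
    for func, params in records:
        if len(params) % 2:
            params += b"\x00"  # records are word-aligned
        words = (6 + len(params)) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    # mtType=1 (memory), mtHeaderSize=9 words, version 3.0, mtSize in words,
    # mtNoObjects, mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


# Constructed samples (assumptions for this example, not real malware bytes)
FAKE_PAYLOAD = b"\xcc" * 16  # int3 filler standing in for an attacker's abort procedure
BENIGN = build_wmf([
    (META_SETMAPMODE, struct.pack("<H", 8)),
    (META_EOF, b""),
])
MALICIOUS = build_wmf([
    (META_SETMAPMODE, struct.pack("<H", 8)),
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(FAKE_PAYLOAD)) + FAKE_PAYLOAD),
    (META_EOF, b""),
])
# Same content wrapped in a placeable header (22 bytes: key + 18 bytes of fields)
PLACEABLE_MALICIOUS = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + MALICIOUS


if __name__ == "__main__":
    for name, blob in (("BENIGN", BENIGN), ("MALICIOUS", MALICIOUS),
                       ("PLACEABLE_MALICIOUS", PLACEABLE_MALICIOUS)):
        hits = find_setabortproc(blob)
        print(f"{name}: {'SUSPICIOUS' if hits else 'clean'}",
              [(off, n) for off, n, _ in hits])
```

A hit is a reason to block or quarantine the file and inspect the escape data, not certain proof of infection: SETABORTPROC escapes can legitimately appear in metafiles produced for printing. Note also that the vulnerable playback code belongs to GDI, so any application that plays WMF records through it can trigger the exploit; the Picture and Fax Viewer is simply the default handler for image files.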

  

References:

http://www.trendmicro.com/vinfo/ (Trend Micro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese Trend Micro Virus Security Info)
