2005-12-20 11:06

[Virus Alert] 5 new threats found (3 worms, 2 Trojans)

Worm name: WORM_COMBRA.O

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This memory-resident worm propagates by sending out three email messages to each target recipient using its own Simple Mail Transfer Protocol (SMTP) engine. It obtains email addresses from an affected user's Windows Address Book (WAB).

 

Because it carries its own SMTP engine, the worm can send email without depending on any mail client installed on the system; it connects to the recipients' mail servers directly rather than through the user's configured mail application.

 

It first attempts to connect to the Web site http://69.42.{BLOCKED}.206/%20/upd/crss.jpg. However, as of writing, the Web site is inaccessible.


Worm name: WORM_QQPASS.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

Upon execution, this worm drops copies of itself on affected machines. It creates registry entries to ensure its automatic execution at every system startup.

 

It terminates several processes if it finds them running in memory. These processes are mostly antivirus and security applications; the worm kills them to avoid early detection and removal.

 

It spreads by dropping a copy of itself as DRVMON.EXE on floppy disks and other mounted drives of the affected machine. To make the dropped file run automatically when such a drive is inserted or opened, the worm also drops an AUTORUN.INF in the root of each of those drives. Note that this only works on systems where Autorun is enabled for that drive type; the copy is still present (and still spreads when run manually) on systems where it is not.
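The AUTORUN.INF technique above can be checked for on any mounted drive by reading the file's [autorun] section and seeing what it launches. The following script is an added example written for this alert, not code from Trend Micro or from the worm. It builds a constructed stand-in for an infected drive in a temporary directory (the INF content and the placeholder DRVMON.EXE bytes are assumptions; only the file names come from the alert), parses the INF with a small tolerant parser (malicious INFs often carry junk before the section header, which would break a strict INI parser), and reports each launch directive together with whether the referenced file actually exists at the drive root.

```python
"""Flag AUTORUN.INF files that launch an executable from a drive root.

Added example for this alert, not the worm's code or Trend Micro's tooling.
The sample drive layout built by build_sample_drive() is constructed.
"""
import os
import tempfile

# Directives in [autorun] that cause something to run; keys are compared case-insensitively.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed sample INF. DRVMON.EXE is the file name given in the alert; the
# directives and the leading junk line are assumptions to exercise the parser.
SAMPLE_AUTORUN = (
    "xx junk before header xx\n"
    "[AutoRun]\n"
    "OPEN=DRVMON.EXE\n"
    "icon=DRVMON.EXE,0\n"
    "shellexecute=DRVMON.EXE\n"
    "shell\\open\\Command=DRVMON.EXE\n"
)


def parse_autorun(text):
    """Return {directive: command} for launch directives in the [autorun] section.

    Tolerant by design: ignores junk outside sections, comments, and lines
    without '=' instead of failing the way configparser would.
    """
    launch = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS:
            launch[key] = value.strip()
    return launch


def launched_file(command):
    """Extract the program name from a launch command ('"a b.exe" /s' -> 'a b.exe')."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def scan_drive_root(root):
    """Return one finding per launch directive in an AUTORUN.INF at the drive root."""
    findings = []
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":  # Windows matches the name case-insensitively
            continue
        with open(os.path.join(root, name), "r", errors="replace") as fh:
            launch = parse_autorun(fh.read())
        for key, cmd in launch.items():
            target = launched_file(cmd)
            present = os.path.isfile(os.path.join(root, target))
            findings.append({"directive": key, "command": cmd,
                             "target": target, "target_present": present})
    return findings


def build_sample_drive():
    """Constructed stand-in for a removable drive carrying the dropped files."""
    root = tempfile.mkdtemp(prefix="drive_")
    with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "DRVMON.EXE"), "wb") as fh:
        fh.write(b"MZ placeholder - constructed, not the worm")  # inert bytes, assumption
    return root


if __name__ == "__main__":
    for f in scan_drive_root(build_sample_drive()):
        print(f)
```

On a real machine, point scan_drive_root at each removable drive's root; a launch directive whose target is present at the root is exactly the pattern this worm leaves behind.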


Worm name: WORM_DASHER.C

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

Upon execution, this worm drops and executes a file in the %System%\wins folder. The worm also drops several files in the same folder, which Trend Micro detects as the following:

 

• HKTL_EXPLTWINS.A

• HKTL_PNPEXPLT.B

• HKTL_PORTSCAN.C

• HKTL_RPCDCOM.I

• HKTL_SQLHELLO.B

 

The worm uses these hacking tools (grayware) to exploit the following Windows vulnerabilities and propagate across the network:

• MSDTC vulnerability (addressed by Microsoft Security Bulletin MS05-051)

• Network Connection Manager vulnerability

• Windows Plug and Play vulnerability (addressed by Microsoft Security Bulletin MS05-039)

Hosts that are fully patched for these bulletins are not exploitable by this worm, but the dropped tools remain on an infected host and will still scan and attack others.
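Both WORM_COMBRA.O (own SMTP engine) and WORM_DASHER.C (port scanning plus network exploits) show up in outbound connection logs before any host-based signature fires. The script below is an added example for this alert, not Trend Micro's or the worms' code; the log format and every sample line in it are constructed, and the relay address and the port used in the scanning sample are assumptions (the alert names no ports beyond what SMTP implies). It implements two checks: hosts other than the site's mail relay opening TCP/25 themselves, which is what a self-contained SMTP engine looks like from the network, and a (source, destination port) pair reaching many distinct destinations inside a short window, which is what the dropped scanner and exploit tools look like.

```python
"""Detect worm propagation patterns in outbound connection logs.

Added example for this alert; not code from Trend Micro or from either worm.
The log format and SAMPLE_LOG lines are constructed for the demonstration.
"""
from collections import defaultdict, deque

# Constructed sample, one connection per line: "epoch_seconds src dst dst_port proto".
# 10.0.0.5 behaves like a host with its own SMTP engine; 10.0.0.7 like a host
# sweeping one port across neighbours (the port number is an assumption).
SAMPLE_LOG = """\
1135040000 10.0.0.5 192.0.2.10 25 tcp
1135040001 10.0.0.5 192.0.2.11 25 tcp
1135040002 10.0.0.5 192.0.2.12 25 tcp
1135040010 10.0.0.7 10.0.0.20 445 tcp
1135040011 10.0.0.7 10.0.0.21 445 tcp
1135040012 10.0.0.7 10.0.0.22 445 tcp
1135040013 10.0.0.7 10.0.0.23 445 tcp
1135040014 10.0.0.7 10.0.0.24 445 tcp
1135040020 10.0.0.9 10.0.0.30 80 tcp
1135040099 10.0.0.2 198.51.100.5 25 tcp
"""

MAIL_RELAYS = {"10.0.0.2"}  # assumption: the only host allowed to send mail out directly


def parse_log(text):
    """Parse the constructed format into (ts, src, dst, port, proto) tuples, sorted by time."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole run
        ts, src, dst, port, proto = parts
        records.append((int(ts), src, dst, int(port), proto))
    return sorted(records)


def direct_smtp_senders(records, relays=MAIL_RELAYS):
    """Hosts opening TCP/25 themselves instead of handing mail to the relay."""
    return sorted({src for _, src, _, port, proto in records
                   if port == 25 and proto == "tcp" and src not in relays})


def scan_fanout(records, window=60, threshold=5):
    """(src, port) pairs that reach >= threshold distinct destinations within `window` seconds.

    Returns {(src, port): peak distinct destination count} for each offending pair.
    """
    alerts = {}
    recent = defaultdict(deque)  # (src, port) -> deque of (ts, dst), oldest first
    for ts, src, dst, port, _ in records:
        key = (src, port)
        q = recent[key]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # drop entries outside the sliding window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("direct SMTP senders:", direct_smtp_senders(recs))
    print("scanning hosts:", scan_fanout(recs))
```

Tune `window` and `threshold` to the site: a mail relay or a vulnerability scanner will legitimately trip scan_fanout and belongs on an allow-list the same way MAIL_RELAYS does for the SMTP check.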


Trojan name: TROJ_GETO.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This Trojan can arrive as a file that an unsuspecting user downloads while visiting a malicious Web site. It can also arrive as an attachment to a spammed email message.

 

Upon execution, it attempts to download a file from http://dimmers.phpw{BLOCKED}sting.com/absolut and then executes it. Trend Micro detects the downloaded file as TROJ_DROPPER.XD.


Trojan name: TROJ_SAMX.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This Trojan usually arrives as a .ZIP file attached to a spammed email message. Upon execution, it drops and executes a non-malicious, Christmas-related animation file in the Windows Temp folder.

 

The animation is a decoy: the user sees only a Christmas animation play and has no reason to suspect that a Trojan ran as well. While the animation is shown, the Trojan drops a file detected by Trend Micro as TROJ_AGENT.AMM into several folders.


References: http://www.trendmicro.com/vinfo/ (Trend Micro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese Trend Micro Virus Security Info)
