[Virus Alert] 8 new worms found
Worm name: WORM_BAGLE.CD
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm attaches a copy of TROJ_BAGLE.CD to email messages that it sends to addresses found in an affected system's Windows Address Book.
Since this worm uses email addresses coming from familiar sources, an unsuspecting user may open the attachment.
It also downloads predefined email addresses from several sites.
Worm name: WORM_LOCKSKY.O
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
Similar to other WORM_LOCKSKY variants, this memory-resident worm propagates by sending copies of itself as an attachment to email messages.
It gathers target email addresses from the Windows Address Book (WAB). It also gathers email addresses from .HTM files. This worm spoofs the From field in an attempt to trick users into thinking that the email came from a trusted source.
This worm also logs user keystrokes, then saves all harvested information in the file ATTRIB.INI.
Worm name: WORM_DASHER.B
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm takes advantage of the MSDTC vulnerability in Windows. It scans the network for a vulnerable IP address and exploits that machine when found. For more information on this vulnerability, please refer to the following Web page:
Microsoft Security Bulletin MS05-051
Upon execution, this worm drops and executes the file SVCHOST.EXE in the wins subfolder within the Windows system folder. It also drops the following files in the specified folders:
• %System%\wins\Result.txt
• %System%\wins\SqlExp.exe
• %System%\wins\SqlScan.exe - detected as HKTL_PORTSCAN.C
Worm name: WORM_DASHER.A
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm propagates by exploiting the MSDTC vulnerability. More information about this vulnerability can be found on this page:
Microsoft Security Bulletin MS05-051
It drops the grayware HKTL_MSDTC.A and HKTL_PORTSCAN.C.
Worm name: SYMBOS_CARDTRP.F
Risk rating: MEDIUM
Damage Potential: MEDIUM
Distribution Potential: MEDIUM
Description:
This Symbian malware drops the following malware:
• TROJ_TOXIC.C
• VBS_SORACI.B
• VBS_STARTER.B
• WORM_RONTOKBRO.F
It also overwrites several normal utilities, antivirus-related files, and applications installed on the affected mobile device, in an attempt to cause the said applications to malfunction.
It affects mobile devices running the Symbian operating system with the Series 60 platform user interface.
Worm name: SYMBOS_CARDTRP.G
Risk rating: MEDIUM
Damage Potential: MEDIUM
Distribution Potential: MEDIUM
Description:
This Symbian malware may be downloaded from certain sites or received via Bluetooth. It drops the following malware:
• SYMBOS_CABIR.A
• SYMBOS_LOCKNUT.A
• SYMBOS_SKULLS.F
• WORM_KORGO.AG
• WORM_WUKILL.B
It also overwrites several normal utilities, antivirus-related files, and applications installed on the affected mobile device, in an attempt to cause the said applications to malfunction.
It affects mobile devices running the Symbian operating system with the Series 60 platform user interface.
Worm name: SYMBOS_CARDTRP.H
Risk rating: MEDIUM
Damage Potential: MEDIUM
Distribution Potential: MEDIUM
Description:
This Symbian malware may be downloaded from certain sites or received via Bluetooth. It drops the following malware:
• SYMBOS_CABIR.A
• SYMBOS_LOCKNUT.A
• SYMBOS_SKULLS.F
• WORM_KORGO.AG
• WORM_WUKILL.B
It also overwrites several normal utilities, antivirus-related files, and applications installed on the affected mobile device, in an attempt to cause the said applications to malfunction.
It affects mobile devices running the Symbian operating system with the Series 60 platform user interface.
Worm name: SYMBOS_CARDTRP.I
Risk rating: MEDIUM
Damage Potential: MEDIUM
Distribution Potential: MEDIUM
Description:
This Symbian malware drops the following malware:
• SYMBOS_CABIR.A
• SYMBOS_CABIR.C
• SYMBOS_LOCKNUT.A
• WORM_CYDOG.B
• WORM_WUKILL.B
It also drops corrupted .DLL files in the affected device's memory card in an attempt to cause boot failure. It overwrites normal utilities, antivirus-related files, and applications on the affected mobile device, making these files and applications unusable.
This Symbian malware affects mobile devices running the Symbian operating system with the Series 60 platform user interface.
References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)