2005-12-14 12:00

[Virus Alert] 8 new worms found

Worm name: TROJ_BAGLE.CC

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan terminates antivirus-related processes to prevent them from detecting and removing this Trojan. This action also makes the affected system vulnerable to new and known threats.

It also downloads files from several locations without the user's knowledge. These files may be malicious, and thus make the affected system vulnerable to new malware.

Worm name: TROJ_YABE.F

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan is spammed via email. It downloads files from several locations. However, the said locations are already inaccessible.

Worm name: PE_TUFIK.E

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This virus infects EXPLORER.EXE by appending its code. This also serves as an autostart routine, since EXPLORER.EXE is always executed at startup. It then attempts to infect all .EXE files on all available drives of the affected system.

Worm name: WORM_KELVIR.DF

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm arrives on a system as a file manually downloaded and installed by an unsuspecting user visiting an affected Web site. It may also be dropped by other malware.

It propagates by sending copies of itself to all MSN Messenger contacts of an affected user. The message it sends contains a link to a Web site that downloads a copy of this worm.

Since the message comes from a known source, users are fooled into thinking that the link is safe to click.

Worm name: TROJ_ZAPCHAST.BD

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan drops a file named EXPLORER.EXE and several other files in the Windows system folder. The said file is actually an Internet Relay Chat (IRC) client. When it runs, the user is fooled into thinking that the running process is the valid EXPLORER.EXE process and not an IRC client process.

After execution, it connects to an IRC server listed in a dropped .INI file and then joins specific IRC channels. It also reads several dropped .INI files and executes the actions listed in them.
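
Two of the entries above abuse the EXPLORER.EXE name in different ways: PE_TUFIK.E appends code to the genuine file, while TROJ_ZAPCHAST.BD drops an IRC client that merely carries the name into the system folder. The following added example (it is not part of this bulletin or of Trend Micro's material) shows a defender-side check that catches both cases from a process snapshot: it flags any process named explorer.exe whose image path is not the expected Windows shell location, and any whose image hash differs from a known-good baseline. The baseline path, the baseline hash and the sample process list are constructed for illustration; a real deployment would take the hash from a clean install of the same Windows build and read the image paths from the live system.

```python
import hashlib
from pathlib import PureWindowsPath
from typing import List, Tuple

# Constructed baseline (hypothetical): the legitimate shell's location and the
# SHA-256 of its clean image on a known-good install of the same Windows build.
CLEAN_IMAGE = b"constructed clean explorer.exe image"
EXPECTED_EXPLORER_PATH = PureWindowsPath(r"C:\Windows\explorer.exe")
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_IMAGE).hexdigest()


def classify_explorer(image_path: str, image_bytes: bytes) -> List[str]:
    """Findings for one running process whose image file is named explorer.exe.

    An empty list means the process looks like the genuine shell.
    """
    path = PureWindowsPath(image_path)
    if path.name.lower() != "explorer.exe":
        return []  # not claiming to be the shell; out of scope for this check
    findings = []
    # ZAPCHAST-style: a look-alike EXPLORER.EXE dropped outside the Windows folder
    # (PureWindowsPath compares case-insensitively, as Windows does).
    if path != EXPECTED_EXPLORER_PATH:
        findings.append(f"unexpected image path: {image_path}")
    # TUFIK-style: code appended to the genuine file changes its hash.
    if hashlib.sha256(image_bytes).hexdigest() != KNOWN_GOOD_SHA256:
        findings.append("image hash does not match known-good baseline")
    return findings


def scan(processes: List[Tuple[str, bytes]]) -> List[Tuple[str, List[str]]]:
    """Run the check over (image_path, image_bytes) pairs; keep only flagged ones."""
    flagged = []
    for image_path, image_bytes in processes:
        findings = classify_explorer(image_path, image_bytes)
        if findings:
            flagged.append((image_path, findings))
    return flagged


# Constructed process snapshot: one clean shell, one rogue copy in the system
# folder, one genuine path whose file has had bytes appended, and one
# unrelated process that the check must ignore.
SAMPLE_PROCESSES = [
    (r"C:\Windows\explorer.exe", CLEAN_IMAGE),
    (r"C:\Windows\system32\EXPLORER.EXE", b"constructed IRC client"),
    (r"C:\Windows\explorer.exe", CLEAN_IMAGE + b"\x90" * 16),
    (r"C:\Windows\system32\svchost.exe", b"unrelated image"),
]

if __name__ == "__main__":
    for image_path, findings in scan(SAMPLE_PROCESSES):
        print(image_path, "->", "; ".join(findings))
```

The path check alone is enough for the ZAPCHAST case, but a file infector like TUFIK leaves the path untouched, so the hash comparison against a trusted baseline is what detects it; the two checks are deliberately independent so each reports on its own.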

Worm name: TROJ_MITGLIED.AF

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan is a .DLL component that arrives as a file downloaded or dropped by other malware, commonly BAGLE variants. It may be used by other malware to connect to certain Web sites.

http://www.austria-arb{blocked}t.com/update/update.exe

It may act as an email relay server. It opens a random port and attempts to notify certain Web sites that it has affected a target system. This invites attacks from remote malicious users.

Worm name: WORM_KELVIR.DH

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This memory-resident worm arrives on an affected system as a file dropped by other malware, or as a file downloaded from the Internet. Upon execution, it drops and executes several files on the system.

http://www.austria-arb{blocked}t.com/update/update.exe

Similar to other WORM_KELVIR variants, this worm propagates via MSN Messenger, a popular instant messaging application. It sends an instant message to all online MSN Messenger contacts of an affected user. The message it sends contains a URL, where a copy of a malicious file or other malware can be downloaded. Since the message comes from a known source, users may accept the message as trustworthy and unsuspectingly install this worm or other malware.

Worm name: WORM_MYTOB.LC

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

Unlike most MYTOB variants, this memory-resident worm spreads copies of itself by sending out email messages that contain a link which, when clicked, downloads a copy of itself onto target systems. It uses its own Simple Mail Transfer Protocol (SMTP) engine to send the said email messages without needing other mailing applications, such as Microsoft Outlook.

http://www.austria-arb{blocked}t.com/update/update.exe

It gathers target email addresses from the Windows Address Book (WAB), from the Temporary Internet Files folder and all its subfolders, as well as from files with certain extension names. It also generates email addresses by combining a list of names with the domain names of the previously gathered addresses. Users who receive the malicious email message may think that it comes from a known source, and thus may unsuspectingly click on the given link.

This worm has backdoor capabilities. It opens varying ports, allowing a remote user to access an affected system and execute malicious commands on it. The said routine gives remote users virtual control over affected systems, thus compromising system security.

References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)
