2006-04-18 11:26

[Virus Alert] 7 new worms found

Worm name: WORM_MYTOB.PP

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm propagates by attaching copies of itself to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. Thus, it is capable of sending email messages without using mailing applications, such as Microsoft Outlook.

It gathers target email addresses from the Windows Address Book (WAB). It also creates email addresses using common names appended with a domain name.

This worm spreads through network shares as well. It searches for the default IPC$ share, where it drops a copy of itself. It uses a list of user names and passwords to gain access to password-protected shares.

Worm name: WORM_KEBEDE.E

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

Using its own Simple Mail Transfer Protocol (SMTP) engine, this worm spreads by attaching a copy of itself to email messages that it sends to target addresses.

This worm may also spread via network shares. It does this by dropping a copy of itself using the file name True Sex Stories.txt{multiple spaces}.exe in available network shares.
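One defensive check that follows from the padded file name described above, as an added example that is not part of the advisory or Trend Micro's own tooling: a small Python scanner that flags directory entries on a share whose visible extension is separated from a trailing executable extension by runs of whitespace. The extension lists and the sample listing are assumptions constructed for this example.

```python
"""Flag file names that hide an executable extension behind padding whitespace."""
import re
from typing import List, NamedTuple, Optional

# Extensions Windows will execute when the file is double-clicked (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Extensions that make a file look harmless (assumed list, not from the advisory).
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "pdf", "htm", "html", "zip"}

# A decoy extension, then one or more spaces/tabs, then the real extension at the end.
PADDED_NAME = re.compile(
    r"\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>[ \t]+)\.(?P<real>[A-Za-z0-9]{1,4})$"
)


class Finding(NamedTuple):
    name: str
    decoy_ext: str
    real_ext: str
    padding: int


def inspect_name(name: str) -> Optional[Finding]:
    """Return a Finding if `name` uses the padded double-extension trick, else None."""
    m = PADDED_NAME.search(name)
    if m is None:
        return None
    decoy, real = m.group("decoy").lower(), m.group("real").lower()
    # Only flag a harmless-looking extension that hides an executable one.
    if real not in EXECUTABLE_EXTS or decoy not in DECOY_EXTS:
        return None
    return Finding(name, decoy, real, len(m.group("pad")))


def scan_listing(names: List[str]) -> List[Finding]:
    """Run inspect_name over a directory listing and keep the hits."""
    return [f for f in (inspect_name(n) for n in names) if f is not None]


# Constructed directory listing for a share, modelled on the advisory's file name.
SAMPLE_LISTING = [
    "True Sex Stories.txt" + " " * 40 + ".exe",
    "quarterly report.doc",
    "setup.exe",
    "notes.txt .bak",
    "photo.jpg\t\t.scr",
]

if __name__ == "__main__":
    for f in scan_listing(SAMPLE_LISTING):
        print(f"{f.name!r}: shown as .{f.decoy_ext}, really .{f.real_ext} "
              f"({f.padding} padding chars)")
```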

It connects to several Web sites to download an updated copy of itself or other WORM_KEBEDE variants. As a result, affected machines are further compromised.

Worm name: PE_LUDER.A-O

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

Using its own Simple Mail Transfer Protocol (SMTP) engine, this file infector spreads by attaching a copy of itself to email messages that it sends to target addresses.

It modifies the registry to ensure its automatic execution at every system startup as well as to disable the Windows Firewall and Internet Connection Sharing (ICS).

It infects all .EXE and .SCR files on an affected machine; the infected files are detected by Trend Micro as PE_LUDER.A. Infected files are cleanable and can therefore be recovered without restoring from backup. It also adds a copy of itself to existing .RAR archive files found on the affected system.

Worm name: WORM_ARESES.C (Also known as: TROJ_DROPPER.AZD)

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm is dropped by TROJ_DROPPER.AYW.

It propagates by attaching copies of itself to email messages that it sends to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine. The said engine allows it to send email messages without using mailing applications, such as Microsoft Outlook.

This worm attempts to access a certain URL to download an encrypted configuration file, which may contain other URLs, where it might download other possibly malicious files. It then terminates all instances of Internet Explorer (IE), preventing users from accessing Web sites.

Worm name: WORM_LUPAR.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm drops copies of itself as the file PARVULUS.EXE in random folders of the infected computer.

It also sets up an FTP server on the infected computer that serves a copy of itself as PARVULUS.EXE. An FTP server on the machine means that a remote user may be able to access the computer without the current user's knowledge, which may expose the infected computer to further security threats and hacking activity.

It is also capable of shutting down the infected computer, which may interrupt current user activities.

Worm name: PE_LUDER.B-O

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This mother file infector propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since its email propagation does not require any user intervention, the user is often unaware that this worm is sending out email messages.

Using a cavity type of infection, this mother file infector infects all .EXE files found on the affected system. Its infected files are cleanable and can therefore be recovered without restoring from backup. The infected files are detected by Trend Micro as PE_LUDER.A.

After performing its infection routine, this mother file infector drops a randomly named copy of itself with file attributes set to Hidden in the same folder as its infected file. Every time the infected file is executed by a user, it attempts to execute this mother file infector's dropped copy.

Worm name: TROJ_DLOADER.CSX

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

Trend Micro has received numerous samples of this Trojan being spammed in the wild.

When executed, it connects to a certain URL to download a file. The said file is then saved and executed as BOOT.OLD in the root folder, which is usually C:\.

It also connects to the Web site http://www.artcreative.com.br/images/c655.gif to download the file WINNT.EXE in the root folder, which is detected by Trend Micro as TROJ_HAXDOOR.DP.

References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)
