2006-04-10 13:55

[Virus Alert] 9 new worms found

Worm name: TROJ_DLOADER.CSX

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

Trend Micro has received numerous samples of this Trojan being spammed in the wild.

When executed, it connects to a certain URL to download a file. The said file is then saved and executed as BOOT.OLD in the root folder, which is usually C:\.

After successfully downloading and executing the first file, this Trojan connects to another URL to download a second file. It stores and executes the said file, which Trend Micro detects as TSPY_HAXDOR.AA, in the same folder as AUTOEXEC.EXE.

Worm name: WORM_ARESES.B

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm propagates by attaching copies of itself to email messages that it sends to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine. The said engine allows it to send email messages without using mailing applications, such as Microsoft Outlook.

This worm uploads files to certain URLs, thus possibly disclosing critical information. It then terminates all instances of Internet Explorer (IE), preventing users from accessing Web sites.

Furthermore, it may open an IE window and connect to a specific Web site. The said routine may allow this worm to download possibly malicious files.

Worm name: WORM_LETUM.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm propagates via email. It searches for available Simple Mail Transfer Protocol (SMTP) servers through the Internet Account Manager. If none is available, it uses the default server mail.primaryhost.org.uk. It then connects to a target SMTP server and sends its copy to five email addresses that it was able to gather from .HTML files found on the affected system.

Users must be wary of the email message this worm sends out: its attachment is a copy of the worm, and once executed it turns the compromised system into a new propagation source, furthering its replication.

Worm name: PE_BI.B

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This virus searches for and infects all Windows (.EXE) and Linux (ELF) executable files in the current folder. Opening an already infected file executes this virus again, thus infecting more files.

Linux executable files that are infected by this file infector are detected as ELF_BI.A.

Worm name: WORM_MYTOB.PG

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm propagates by attaching copies of itself to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. It is capable of sending email messages without using mailing applications, such as Microsoft Outlook.

It gathers target email addresses from the Windows Address Book (WAB). It also creates email addresses using common names appended with a domain name.

This worm spreads through network shares as well. It searches for certain shares, where it drops a copy of itself. It uses a list of user names and passwords to gain access to password-protected shares.

Worm name: WORM_MYDOOM.BL

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm propagates by attaching copies of itself to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. It is capable of sending email messages without using mailing applications, such as Microsoft Outlook.

It is also capable of propagating via Kazaa, a popular peer-to-peer file-sharing application. It drops copies of itself, using enticing file names, into Kazaa's shared folder in an attempt to get target users to download its copy.

Furthermore, it has backdoor capabilities. It opens a random port, which allows a remote user to perform malicious commands on the affected machine, thus compromising system security.

Worm name: ELF_BI.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Linux executable (ELF) file spreads through infected ELF or Windows files. It searches the folder from which it is executed for other files to infect. To infect ELF files, it inserts its code after the headers of the infected file.

On Linux systems, this ELF malware infects only ELF files. On Windows systems, however, it infects both ELF files and Windows executables. Infected Windows files are detected by Trend Micro as PE_BI.B.

Worm name: WORM_MYTOB.PH

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm propagates by attaching copies of itself to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. Thus, it is capable of sending email messages without using mailing applications, such as Microsoft Outlook.

It gathers target email addresses from the Windows Address Book (WAB). It also creates email addresses using common names appended with a domain name.

This worm spreads through network shares as well. It searches for the default IPC$ share, where it drops a copy of itself. It uses a list of user names and passwords to gain access to password-protected shares.
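
Several entries in this alert (WORM_LETUM.A, WORM_MYTOB.PG, WORM_MYDOOM.BL and WORM_MYTOB.PH) share one trait a defender can look for: the worm carries its own SMTP engine and talks directly to many mail servers instead of submitting mail through a mail client and the organisation's relay. The following Python is an added example, not code from this bulletin or from Trend Micro. It assumes a constructed connection-log format ("date time src_ip dst_ip dst_port bytes") and a hypothetical authorised relay at 10.0.0.25, and flags workstations that contact several distinct mail servers on SMTP ports.

```python
# Added example (not part of the Trend Micro bulletin): flag internal hosts that
# originate SMTP traffic themselves instead of submitting mail through the
# organisation's relay. Worms with a built-in SMTP engine connect directly to
# many external mail servers, which an ordinary workstation never does.
#
# Assumptions (constructed for this example): a firewall/netflow export with one
# connection per line, "<date> <time> <src_ip> <dst_ip> <dst_port> <bytes>",
# and a single authorised outbound relay at 10.0.0.25.
import re
from collections import defaultdict

AUTHORISED_RELAYS = {"10.0.0.25"}   # assumed: the only hosts allowed to speak SMTP outbound
SMTP_PORTS = {25, 465, 587}         # SMTP, SMTPS, message submission

LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+) (?P<bytes>\d+)$"
)

# Constructed sample: 10.0.1.40 fans out to five external mail servers (worm-like),
# 10.0.1.41 submits through the relay (legitimate), 10.0.1.42 only browses,
# the relay itself is exempt, one line is malformed, and 10.0.1.43 makes a
# single stray port-25 connection that stays below the alert threshold.
SAMPLE_LOG = """\
2006-04-10 09:00:01 10.0.1.40 203.0.113.10 25 1200
2006-04-10 09:00:02 10.0.1.40 203.0.113.11 25 1180
2006-04-10 09:00:02 10.0.1.40 198.51.100.7 25 1210
2006-04-10 09:00:03 10.0.1.40 198.51.100.9 25 1195
2006-04-10 09:00:03 10.0.1.40 192.0.2.33 25 1220
2006-04-10 09:00:05 10.0.1.41 10.0.0.25 587 900
2006-04-10 09:00:06 10.0.1.42 203.0.113.50 443 5000
2006-04-10 09:00:07 10.0.0.25 203.0.113.10 25 4000
2006-04-10 09:00:08 10.0.0.25 198.51.100.7 25 3900
2006-04-10 09:00:09 10.0.0.25 192.0.2.33 25 4100
this line is not a flow record
2006-04-10 09:00:10 10.0.1.43 203.0.113.12 25 1300
"""


def parse_connections(lines):
    """Yield one dict per well-formed connection record; malformed lines are skipped."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": m["ts"],
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
            "bytes": int(m["bytes"]),
        }


def suspicious_smtp_sources(lines, threshold=3):
    """Return {src_ip: number of distinct SMTP destinations} for hosts that are
    not an authorised relay and contact at least `threshold` distinct mail
    servers directly. Connections *to* the relay are normal submission and
    are ignored, so a user's mail client does not trigger the rule."""
    fanout = defaultdict(set)
    for rec in parse_connections(lines):
        if rec["port"] not in SMTP_PORTS:
            continue
        if rec["src"] in AUTHORISED_RELAYS or rec["dst"] in AUTHORISED_RELAYS:
            continue
        fanout[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for host, n in suspicious_smtp_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: direct SMTP connections to {n} distinct mail servers")
```

The threshold is the tuning knob: a single direct port-25 connection can be a misconfigured application, but a workstation fanning out to many mail servers in a short window matches the behaviour these entries describe. In a real deployment the relay set comes from the network inventory, and the same rule is usually paired with an egress filter that blocks port 25 from everything except the relays.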

Worm name: WORM_RBOT.EKK

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

Unlike most worms that use, at most, two propagation methods to spread across systems, this particular WORM_RBOT variant uses four propagation techniques.

It can propagate via network shares. It generates IP addresses and spreads by dropping a copy of itself into available network shared folders. It also uses its own list of user names and passwords as login credentials for password-protected shares.

References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)
