2006-02-27 10:47

[Virus Alert] 4 new worms found

Worm name: WORM_KELVIR.DO

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm propagates by sending a link as an instant message to all MSN Messenger contacts of an affected user. Clicking on the said link downloads a copy of this worm to the target computer. Since the message comes from a known contact, a user may click on the said link and unsuspectingly download this worm.

It also downloads possible malicious files from several URLs.

Worm name: TROJ_BAGLE.DM

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan may be downloaded from various Web sites. Upon execution, this Trojan drops its DLL component LDR64.DLL into the Windows system folder.

It waits for an active Internet connection. Once a connection is established, it connects to various URLs to download files. The said files are executed on the affected computer. This action increases the risk of acquiring more malware threats on the affected system.

Worm name: ELF_MARE.E

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This executable Linux file (ELF) propagates by taking advantage of the XML-RPC for PHP Remote Code vulnerability.

It connects to the Web site, 219.8{BLOCKED}5.36, to download files detected by Trend Micro as PHP_DEFTOOL.A and UNIX_MARE.F into the Temporary folder.

The said download routine opens the affected system to further malicious attacks.

Worm name: UNIX_MARE.F

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Unix malware arrives as a dropped file of ELF_MARE.E. Upon execution, it connects to TCP port 8080 to download and execute the following malware from the address 219.8{BLOCKED}05.36 onto the affected system:

• ELF_MARE.E
• ELF_RST.A
• PERL_SHELLDOOR.A

The said download routine opens the affected system to further malicious attacks.

It then deletes all files in the /temp folder, and creates the hidden folder .temp inside /temp.
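
The following is an added example, not part of the advisory and not Trend Micro code: a small file-system indicator check for two of the drop behaviours described on this page, the LDR64.DLL component of TROJ_BAGLE.DM in the Windows system folder and the hidden .temp folder that UNIX_MARE.F creates inside an emptied /temp. It runs against a constructed directory tree so it executes offline. Two things are assumptions rather than statements from the advisory: the Windows system folder is modelled as Windows/System32 under the scanned root, and /temp is modelled as temp under that root.

```python
"""
Added example (not from the advisory or Trend Micro): file-system indicator
checks for two behaviours described above, run against a constructed tree.

Assumptions not stated on the page:
  - the Windows "system folder" is modelled as <root>/Windows/System32
  - the /temp folder is modelled as <root>/temp
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    threat: str   # threat name as given in the advisory
    path: str     # path that matched the indicator
    detail: str   # what was observed


def check_bagle_dll(root: str) -> list[Finding]:
    """TROJ_BAGLE.DM drops its DLL component LDR64.DLL into the system folder."""
    findings: list[Finding] = []
    system_dir = os.path.join(root, "Windows", "System32")  # assumption
    if not os.path.isdir(system_dir):
        return findings
    for name in os.listdir(system_dir):
        # Windows file names are case-insensitive, so compare lower-cased.
        if name.lower() == "ldr64.dll":
            findings.append(Finding("TROJ_BAGLE.DM",
                                    os.path.join(system_dir, name),
                                    "dropped DLL component present"))
    return findings


def check_mare_temp(root: str) -> list[Finding]:
    """UNIX_MARE.F deletes everything in /temp and creates hidden /temp/.temp."""
    findings: list[Finding] = []
    temp_dir = os.path.join(root, "temp")  # assumption: /temp mapped under root
    hidden = os.path.join(temp_dir, ".temp")
    if os.path.isdir(hidden):
        others = [n for n in os.listdir(temp_dir) if n != ".temp"]
        detail = "hidden .temp folder present"
        if not others:
            # An otherwise empty /temp matches the wipe-then-create sequence.
            detail += "; /temp otherwise empty (matches wipe-then-create behaviour)"
        findings.append(Finding("UNIX_MARE.F", hidden, detail))
    return findings


def scan(root: str) -> list[Finding]:
    """Run every indicator check against one root directory."""
    return check_bagle_dll(root) + check_mare_temp(root)


def build_sample_tree() -> str:
    """Constructed fixture containing both indicators (empty placeholder files)."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    os.makedirs(os.path.join(root, "Windows", "System32"))
    open(os.path.join(root, "Windows", "System32", "LDR64.DLL"), "w").close()
    os.makedirs(os.path.join(root, "temp", ".temp"))
    return root


def build_clean_tree() -> str:
    """Constructed fixture with neither indicator, to confirm no false positive."""
    root = tempfile.mkdtemp(prefix="ioc-clean-")
    os.makedirs(os.path.join(root, "Windows", "System32"))
    os.makedirs(os.path.join(root, "temp"))
    open(os.path.join(root, "temp", "session.log"), "w").close()
    return root


if __name__ == "__main__":
    for f in scan(build_sample_tree()):
        print(f"[{f.threat}] {f.path}: {f.detail}")
```

Point `scan()` at a mounted image or an offline copy of a suspect file system rather than a live root when triaging; the checks only read directory listings, so they are safe to run repeatedly while building a baseline of hosts that do and do not show the indicators.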

References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)
