[Virus Alert] 6 new worms found
Worm name: TROJ_DROPPER.AKD
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
Like all TROJ_DROPPER variants, this Trojan's main routine is to drop another malware.
Upon its initial execution, it opens a harmless PowerPoint presentation (.PPS) file written in Italian, temporarily diverting the user's attention from the malware's actual routine. It then drops and executes a Dynamic Link Library (.DLL) file and registers it as a Browser Helper Object (BHO).
Trend Micro detects the said .DLL as TROJ_DLOADER.BVQ.
Worm name: OSX_INQTANA.A
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This is Trend Micro's detection for a proof-of-concept Java-based worm that affects Macintosh systems running on Mac OSX 10.4.
It takes advantage of a directory traversal vulnerability found in the Bluetooth file and object exchange services on Mac OS X 10.3.9, which could allow remote attackers to read arbitrary files. More information about the said vulnerability can be found on the following Web page:
cve.mitre.org/cgi-bin/cvename.cgi
Upon execution, this Java-based worm searches for any available Bluetooth device. Once a target device has been found, it sends a data transfer request. If a user accepts the data transfer, this worm exploits the mentioned vulnerability to drop certain files into the /Users folder.
Users are advised to refrain from running or clicking on unknown files, especially if they come from an untrusted or unexpected source.
Worm name: OSX_LEAP.A
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This is Trend Micro's detection for a worm that affects Macintosh computers running on Mac OSX 10.4.
This worm spreads via an instant messaging application, Apple iChat, and arrives using the file name LATESTPICS.TGZ. The said file, however, does not run automatically; it has to be double-clicked to be uncompressed. When uncompressed, it drops its main executable component named LATESTPICS, as well as a hidden resource file named _LATESTPICS, which uses a JPEG icon as a stealth mechanism. LATESTPICS must again be double-clicked for this worm to be able to execute its routines.
Users are therefore advised to refrain from running or clicking on unknown files received via instant messengers, especially if they come from a questionable source.
In order to perform its propagation routine, this worm first attempts to install itself as an application hook named Input Manager. It does the said action by deleting any existing APPHOOK folders. It then replaces the said folders with its own APPHOOK folder containing certain files.
Worm name: ELF_MARE.C
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Linux executable (ELF) file propagates by taking advantage of the XML-RPC for PHP remote code execution vulnerability.
It connects to the Web site 19{BLOCKED}5.69/supina to download a file into the Temporary folder. The said file is detected by Trend Micro as PERL_MARE.C. The said action increases the threat risk of the affected computer.
Worm name: PERL_MARE.C
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Perl script malware arrives as a dropped file of ELF_MARE.C. It connects to port 8080 to download the following files from 198.{BLOCKED}.69 onto the affected system:
• cb - file detected as ELF_RST.B
• httpd - file detected as ELF_MARE.C
• https - file detected as PERL_SHELLBOT.AI
Worm name: PERL_SHELLBOT.AI
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious Perl script arrives as a downloaded file of another malware, which Trend Micro detects as PERL_MARE.C.
Upon execution, this malicious Perl script opens TCP port 6667 and connects to different Internet Relay Chat (IRC) servers. It does the said routine to listen to commands from a remote user. The said commands are executed locally on the affected computer. This action effectively compromises system security.
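The ELF_MARE.C / PERL_MARE.C / PERL_SHELLBOT.AI chain described above leaves a recognisable egress pattern: a fetch of /supina, downloads of cb, httpd and https over port 8080, then an outbound IRC connection on TCP 6667. The following is an added detection example written for this alert, not Trend Micro code; the log format ("timestamp host dst_ip:port path") and the sample lines are constructed, and the IPs are documentation ranges rather than the blocked addresses in the bulletin.

```python
import re
from collections import defaultdict

# Constructed egress-proxy lines in an assumed "ts host dst_ip:port path-or-dash" format;
# the IPs are documentation ranges, not the bulletin's blocked addresses.
SAMPLE_LOG = """\
2006-02-17T10:01:02 web01 203.0.113.5:80 /supina
2006-02-17T10:01:05 web01 203.0.113.5:8080 /cb
2006-02-17T10:01:06 web01 203.0.113.5:8080 /httpd
2006-02-17T10:01:07 web01 203.0.113.5:8080 /https
2006-02-17T10:02:00 web01 198.51.100.9:6667 -
2006-02-17T10:05:00 web02 198.51.100.9:6667 -
2006-02-17T10:06:00 web03 203.0.113.7:443 /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([\d.]+):(\d+) (\S+)$")
MARE_PAYLOADS = {"cb", "httpd", "https"}  # files PERL_MARE.C pulls over port 8080
IRC_PORT = 6667                           # PERL_SHELLBOT.AI command channel

def parse_line(line):
    """Return (ts, host, dst_ip, dst_port, path) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, ip, port, path = m.groups()
    return ts, host, ip, int(port), path

def detect(log_text):
    """Map each host to the sorted list of rule names that fired for it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, host, _, port, path = parsed
        if port == 8080 and path.rsplit("/", 1)[-1] in MARE_PAYLOADS:
            hits[host].add("mare_payload_download")   # PERL_MARE.C stage
        if path.endswith("/supina"):
            hits[host].add("mare_stager_fetch")       # ELF_MARE.C stage
        if port == IRC_PORT:
            hits[host].add("irc_egress")              # PERL_SHELLBOT.AI C2
    # A host that both pulled the MARE payloads and opened IRC matches the whole chain.
    for rules in hits.values():
        if {"mare_payload_download", "irc_egress"} <= rules:
            rules.add("mare_shellbot_chain")
    return {host: sorted(rules) for host, rules in hits.items()}
```

An IRC connection alone (web02 in the sample) is only a weak signal; the chain rule is what separates a likely infection from a user who simply runs an IRC client.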
References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)