[Virus Alert] 13 new worms found
Worm name: TROJ_NASCENE.D
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan is Trend Micro's detection for a modified Windows Metafile (WMF) that takes advantage of an unpatched vulnerability discussed in the following Microsoft page:
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912840)
This vulnerability is exploited by a zero-day exploit capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This poses a dangerous situation in which many computers may be affected, because exploit code is publicly available and the vendor has not been given enough time to release a patch.
Worm name: TROJ_WMFCRASH.A
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan is a .WMF file that takes advantage of an unpatched vulnerability found in Windows Picture and Fax Viewer.
The Windows Picture and Fax Viewer vulnerability is exploited by a zero-day exploit capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This poses a dangerous situation in which many systems may be affected, because exploit code is publicly available and the vendor has not been given enough time to release a patch.
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912840)
Worm name: JS_ONLOADXPLT.B
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious JavaScript contains exploit code that is triggered upon interaction with the Web page www.hyipg{BLOCKED}index.htm. Upon visiting the said Web page, this malicious JavaScript, which is embedded in the Web page www.hyipg{BLOCKED}/image, is executed.
It also executes shellcode that causes the download and execution of the file 1.EXE from the Web page www.hyipgold{BLOCKED}.com/image. However, the said Web pages are inaccessible as of this writing.
Interaction with the aforementioned Web pages may allow malicious users to execute arbitrary code on the affected system. This may enable them to take control of the system.
Worm name: BKDR_BREPLIBOT.R
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This backdoor program may be downloaded from the Internet by unsuspecting users. It may also be dropped by other malware programs, or arrive as an attachment to a spammed email message.
This backdoor program creates registry entries to ensure its automatic execution at every system startup.
It opens a random port and connects to a specific Internet Relay Chat (IRC) server. Once a connection is established, it joins the IRC channel #n00bs, where it listens for commands from a remote malicious user. It executes these commands locally, thus compromising the system security of affected machines.
Worm name: WORM_MYTOB.NU
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This memory-resident worm propagates by sending a copy of itself as an attachment to email messages, which it sends to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine. Through this SMTP engine, it can send the said email messages without using other mailing applications, such as Microsoft Outlook.
It gathers target email addresses from the Temporary Internet Files folder, as well as from files with certain extension names. It also obtains target recipients from the user's Windows Address Book (WAB).
It spoofs the From field by using the word abuse followed by commonly used domain names.
Worm name: TROJ_NASCENE.E
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan is a Windows Metafile (WMF) that exploits a known vulnerability in the way specially crafted WMF images are handled, which can lead to arbitrary code execution. For more information about this vulnerability, please refer to this page:
Microsoft Security Advisory (912840)
This vulnerability is exploited by a zero-day exploit capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This poses a dangerous situation in which many computers may be affected, because exploit code is publicly available and the vendor has not been given enough time to release a patch.
Worm name: WORM_MYTOB.NM
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This memory-resident worm takes advantage of the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Security Bulletin MS04-011.
It also propagates by attaching a copy of itself to an email message, which it sends to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine.
It gathers target email addresses from the Temporary Internet Files folder and from the Windows Address Book (WAB). It may also generate email addresses by combining a list of names with any of the domain names of the previously gathered addresses.
Worm name: TROJ_NASCENE.H
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan is Trend Micro's detection for a modified Windows Metafile (WMF) that takes advantage of an unpatched vulnerability discussed in the following Microsoft Web page:
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912840)
The said vulnerability is exploited by a zero-day exploit capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This poses a dangerous situation in which many computers may be affected, because exploit code is publicly available and the vendor has not been given enough time to release a patch.
Worm name: TROJ_NASCENE.I
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan is Trend Micro's detection for a modified Windows Metafile (WMF) that takes advantage of an unpatched vulnerability discussed in the following Microsoft page:
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912840)
This vulnerability is exploited by a zero-day exploit capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This poses a dangerous situation in which many computers may be affected, because exploit code is publicly available and the vendor has not been given enough time to release a patch.
Worm name: TROJ_NASCENE.L
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan is Trend Micro's detection for a modified Windows Metafile (WMF) that takes advantage of an unpatched vulnerability discussed in the following Microsoft page:
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912840)
This vulnerability is exploited by a zero-day exploit capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This poses a dangerous situation in which many computers may be affected, because exploit code is publicly available and the vendor has not been given enough time to release a patch.
Worm name: TROJ_NASCENE.K
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan is Trend Micro's detection for a modified Windows Metafile (WMF) that takes advantage of an unpatched vulnerability discussed in the following Microsoft page:
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912840)
This vulnerability is exploited by a zero-day exploit capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This poses a dangerous situation in which many computers may be affected, because exploit code is publicly available and the vendor has not been given enough time to release a patch.
Worm name: TROJ_NASCENE.J
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan is Trend Micro's detection for a modified Windows Metafile (WMF) that takes advantage of an unpatched vulnerability discussed in the following Microsoft page:
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912840)
This vulnerability is exploited by a zero-day exploit capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This poses a dangerous situation in which many computers may be affected, because exploit code is publicly available and the vendor has not been given enough time to release a patch.
Worm name: TROJ_NASCENE.M
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan may be downloaded from a malicious Web site.
This Trojan is a modified Windows Metafile (WMF) that takes advantage of an unpatched vulnerability discussed in the following Microsoft page:
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912840)
The said vulnerability is exploited by a zero-day exploit capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This poses a dangerous situation in which many computers may be affected, because exploit code is publicly available and the vendor has not been given enough time to release a patch.
References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)