[Virus Alert] 2 new worms found
Worm name: JS_FEEBS.IP
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious JavaScript may arrive on a system as a file downloaded from the Internet. It may also arrive as a compressed attachment to spammed email messages. Upon execution, it drops a file that Trend Micro detects as WORM_FEEBS.IQ.
It also displays a fake email login page, which mimics any of the following Web-based email providers:
• AOL
• Gmail
• Hotmail
• MSN
• Yahoo
This JavaScript gathers information entered by users into the fake login page. It can then use the gathered information for malicious purposes.
Worm name: WORM_FEEBS.IQ
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This memory-resident worm employs a propagation technique similar to that used by certain WORM_BAGLE variants. It differs in using a malicious JavaScript, instead of a Trojan, to drop a copy of the worm to a certain location on an affected system. This JavaScript is detected by Trend Micro as JS_FEEBS.IP. Once the worm executes, it sends out copies of JS_FEEBS.IP to target recipients via email using its own Simple Mail Transfer Protocol (SMTP) engine. With this SMTP engine, it sends email messages without using other mail applications.
It also drops .ZIP archives that contain copies of itself in folders whose names contain the strings DOWNLOADS and SHARE. Folders with those strings in their names are commonly shared within peer-to-peer (P2P) networks. By dropping copies into these locations, the worm may extend its propagation reach to other computers within the P2P network. The .ZIP archives use file names of known applications and installers, which may lead users to think that the .ZIP file is non-malicious.
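A triage check for the P2P drop behaviour described above, as an added example that is not part of the Trend Micro advisory: it walks a directory tree, selects folders whose names contain DOWNLOADS or SHARE, and lists the .ZIP archives there that hold executable or script members. The extension list, the case-insensitive matching and the demo folder and file names are assumptions; a hit is a lead for an antivirus scan, not a detection.

```python
import os
import tempfile
import zipfile

# Folder-name substrings named in the advisory (case-insensitive match is an assumption).
FOLDER_MARKERS = ("DOWNLOADS", "SHARE")
# Assumption: extensions treated as executable or script; the advisory lists none.
RISKY_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".js", ".hta")

def risky_members(zip_path):
    """Return names of archive members whose extension is in RISKY_EXTS."""
    try:
        with zipfile.ZipFile(zip_path) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(RISKY_EXTS)]
    except (zipfile.BadZipFile, OSError):
        return ["<unreadable archive>"]  # corrupt archives still deserve a look

def find_suspect_archives(root):
    """Walk root; report .zip files in marker folders that hold risky members."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).upper()
        if not any(marker in folder for marker in FOLDER_MARKERS):
            continue
        for name in sorted(files):
            if name.lower().endswith(".zip"):
                path = os.path.join(dirpath, name)
                hits = risky_members(path)
                if hits:
                    findings.append((path, hits))
    return findings

def build_demo_tree(root):
    """Constructed sample data: harmless text stored under program-like names."""
    for folder, zname, member in [
        ("My Shared Folder", "setup_tool.zip", "setup_tool.exe"),  # should be flagged
        ("Downloads", "notes.zip", "notes.txt"),                   # no risky member
        ("Documents", "installer.zip", "installer.exe"),           # folder not matched
    ]:
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with zipfile.ZipFile(os.path.join(root, folder, zname), "w") as zf:
            zf.writestr(member, "placeholder, not a real program")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for path, hits in find_suspect_archives(tmp):
            print(path, "->", hits)
```
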
References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)

