[Virus Alert] 4 new worms found
Worm name: JS_FEEBS.CA
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious JavaScript is embedded in a malicious Web site and runs on a system when a user visits that site. It may also arrive as an .HTML file attached to an email message, mass-mailed either by the malware Trend Micro detects as WORM_FEEBS.BY or by a malicious user.
When running on the affected system, it shows a fake YAHOO.COM loading page with a text message saying that no connection is available. To the user, it appears that the JavaScript cannot access the Web page, even though it is already downloading an encoded file detected by Trend Micro as WORM_FEEBS.BY. It then decodes and executes that file on the affected system.
This JavaScript downloads a copy of WORM_FEEBS.BY, using any of the following URLs:
• http:\\g{BLOCKED}i.wol.biz\my.txt
• http:\\i{BLOCKED}t35.com\my.txt
• http:\\m{BLOCKED}rin.ru\my.txt
Worm name: TROJ_AGENT.APS
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan arrives as an attachment to a spammed email message.
Upon execution, it drops a spyware program, which Trend Micro detects as TSPY_CASHGRAB.J. It then terminates itself after performing this routine.
Worm name: WORM_MYTOB.NR
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm propagates by attaching copies of itself to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. This enables it to send email messages without using mailing applications, such as Microsoft Outlook.
It gathers target email addresses from the Windows Address Book (WAB) and Temporary Internet Files folder, which are common repositories of email addresses. It also gathers email addresses from files with certain extension names.
This worm also takes advantage of the Windows LSASS Remote Buffer Overflow vulnerability to propagate.
Worm name: WORM_MYTOB.OJ
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm propagates by attaching copies of itself to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. It is capable of sending email messages without using mailing applications, such as Microsoft Outlook.
It gathers target email addresses from the Windows Address Book (WAB) and Temporary Internet Files folder, which are common repositories of email addresses. It also gathers email addresses from files with certain extension names.
This worm spreads through network shares as well. It searches for certain shares, where it drops a copy of itself. It uses a list of user names and passwords to gain access to password-protected shares.
References: http://www.trendmicro.com/vinfo/ (Trend Micro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese Trend Micro Virus Security Info)