[Virus Alert] 6 new worms found
Worm name: JS_FEEBS.GD
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious JavaScript is embedded in a malicious Web site and is run on a system when a user visits the said Web site. It may also arrive on the system as an .HTML file attached to an email message spammed by a malware or a malicious user.
It drops and executes a file detected by Trend Micro as WORM_FEEBS.CP in the Windows system folder.
When running on the affected system, it shows fake loading pages of any of the following Web sites:
• aol.com
• gmail.com
• hotmail.com
• msn.com
• yahoo.com
The said page informs the affected user of supposedly connecting to the corresponding Web site. It may also display a message prompting the affected user for a user name and password. The mentioned routine is most probably an attempt to hide its dropping routine.
Worm name: WORM_FEEBS.DR
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm propagates via email. It uses its own Simple Mail Transfer Protocol (SMTP) engine to send email messages, without using any mail applications such as Microsoft Outlook.
This worm also propagates by dropping .ZIP files that contain a copy of itself in folders whose names contain the strings DOWNLOAD or SHARE. These folders are commonly used by peer-to-peer (P2P) file-sharing applications to search for and save files. The dropped files use file names that resemble legitimate application files and installers.
It drops another malware that Trend Micro detects as WORM_FEEBS.CP.
Worm name: JS_FEEBS.EE
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious JavaScript arrives as an attachment to email messages sent by another malware detected by Trend Micro as WORM_FEEBS.DR. It may also be embedded in certain Web pages, which, when visited, automatically execute this JavaScript.
When executed, it displays a fake Yahoo! Web page, which includes an input box for user name and password. This action may trick unsuspecting users into thinking that they are accessing the correct Yahoo! login Web page.
It creates the subfolder Recycled within the root folder (usually C:\), where it drops the file USERINIT.EXE, which Trend Micro also detects as WORM_FEEBS.DR.
Worm name: JS_FEEBS.CK
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious JavaScript arrives on a system as a downloaded file from the Internet. It may also arrive as an .HTML attachment to spammed email messages.
When executed, it displays a variety of fake Web-based email login pages. This action may trick unsuspecting users into thinking that they are accessing the correct Web mail login Web page.
It creates the subfolder Recycled within the root folder (usually C:\), where it drops the file USERINIT.EXE, which Trend Micro also detects as WORM_FEEBS.CP.
Worm name: ELF_KAITEN.U
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This memory-resident executable Linux file (ELF) is usually dropped on a computer by another malware or is downloaded from a particular URL.
This ELF malware exploits a known vulnerability in Mambo. Mambo is an open source content management system commonly used on Linux platforms.
Mambo contains a flaw that may allow a remote attacker to execute arbitrary commands. The problem is that a script function does not validate certain variables, which can be changed to include and execute code from a remote location. It is possible that the flaw may allow a remote attacker to execute arbitrary commands resulting in a loss of integrity.
Worm name: TROJ_BAGLE.BU
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan may arrive on a system as a downloaded file from the Internet or as an attachment to spammed email messages.
It drops and opens its dropped image file ~{2 random characters}.jpg using the affected system's default image viewer. In the background, however, it drops several files detected as TROJ_BAGLE.BU. It does the said routine to make it appear that only the image file is opened.
This Trojan disables antivirus applications by deleting specific keys from the system registry. It also modifies the system registry to disable Windows automatic updates, Internet Connection Sharing, Windows Firewall, and the system's administrative alerts. Furthermore, it stops and disables services, terminates processes, disables Trend Micro antivirus, and renames several files that are mostly related to security, antivirus, and firewall applications.
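The on-disk artifacts described above can be checked against a file listing exported from a suspect Windows host. The following triage sketch is an added example, not Trend Micro's detection logic; the function name, the sample paths and the low-confidence treatment of the ZIP and JPG rules are assumptions.

```python
import re
from pathlib import PureWindowsPath

# "~{2 random characters}.jpg" decoy image described for TROJ_BAGLE.BU
DECOY_JPG = re.compile(r"^~.{2}\.jpg$", re.IGNORECASE)

def triage(paths):
    """Return (path, reason) pairs for paths matching artifacts named in the alert."""
    findings = []
    for raw in paths:
        p = PureWindowsPath(raw)
        parts = p.parts[1:] if p.anchor else p.parts  # drop "C:\" when present
        folders = [f.upper() for f in parts[:-1]]
        name = p.name.upper()
        # USERINIT.EXE directly inside <root>\Recycled (JS_FEEBS.EE, JS_FEEBS.CK).
        # The genuine userinit.exe lives under the Windows system folder.
        if name == "USERINIT.EXE" and p.anchor and folders == ["RECYCLED"]:
            findings.append((raw, "USERINIT.EXE in root Recycled folder"))
        # .ZIP in a folder whose name contains DOWNLOAD or SHARE (WORM_FEEBS.DR).
        # Noisy on its own: treat as a prompt to inspect the archive.
        elif name.endswith(".ZIP") and any(
            "DOWNLOAD" in f or "SHARE" in f for f in folders
        ):
            findings.append((raw, "ZIP in DOWNLOAD/SHARE folder, inspect contents"))
        # Decoy image name pattern (TROJ_BAGLE.BU); low confidence by itself.
        elif DECOY_JPG.match(p.name):
            findings.append((raw, "file name matches ~XX.jpg decoy pattern"))
    return findings

# Constructed sample listing (not taken from the alert)
SAMPLE_PATHS = [
    r"C:\Recycled\USERINIT.EXE",
    r"C:\Windows\System32\userinit.exe",
    r"C:\Program Files\P2PApp\My Shared Folder\setup_installer.zip",
    r"D:\Downloads\notes.txt",
    r"C:\Docs\archive.zip",
    r"C:\Temp\~a9.jpg",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_PATHS):
        print(f"{path}: {reason}")
```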
References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)

