[Virus Alert] 6 new worms found
Worm name: WORM_ZUSHA.D
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This memory-resident worm exploits the following vulnerabilities to propagate across networks:
• RPCSS Service vulnerability
• LSASS Remote Buffer Overflow vulnerability
This worm modifies the system registry to ensure its automatic execution at every system startup and to bypass the affected system's Windows Firewall settings. This cripples the compromised system's defenses so that its malicious routines can run without interference.
In addition, it is capable of downloading a file by connecting to certain Web sites. This routine puts affected users at risk of downloading or executing possibly malicious files.
Worm name: JS_DLOADER.BAA
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This JavaScript malware may be opened using Internet Explorer (IE) while a user visits different Web sites. It uses a known vulnerability in IE, which results in the download and execution of files without the knowledge of the user.
More information about this vulnerability can be found in this page:
Microsoft Security Advisory (911302)
This JavaScript malware attempts to download files from the following links:
• http://85.2{BLOCKED}.113.170/341/count3.gif
• http://85.{BLOCKED}5.113.170/345/count3.gif
• http://85.2{BLOCKED}.113.170/346/count3.gif
• http://www.ho{BLOCKED}at.net/updb.exe
• http://www.{BLOCKED}il.ca/help/css/lete.exe
Worm name: JS_DLOADER.AZZ
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This JavaScript malware may be opened using Internet Explorer (IE) while a user visits different Web sites. It uses a known vulnerability in IE, which results in the download and execution of files without the knowledge of the user.
More information about this vulnerability can be found in this page:
Microsoft Security Advisory (911302)
It attempts to download a file from the site http://82.1{BLOCKED}.166.2/statpath5/outxxx.jpg.
Worm name: JS_DLOADER.AZY
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This JavaScript malware may be opened using Internet Explorer (IE) while a user visits different Web sites. It uses a known vulnerability in IE, which results in the download and execution of files without the knowledge of the user.
More information about this vulnerability can be found in this page:
Microsoft Security Advisory (911302)
It attempts to download files from the following addresses:
• http://66.2{BLOCKED}.131.174/id0338.exe
• http://66.2{BLOCKED}.131.174/search/win.exe
• http://hey.vog{BLOCKED}ce.com/hey.exe
Worm name: WORM_LOCKSKY.F
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm propagates by sending a copy of itself as an attachment to email messages.
It gathers target email addresses from the Windows Address Book (WAB). It also gathers email addresses from .HTM files. This worm spoofs the From field in an attempt to trick users into thinking that the email came from a trusted source.
It also logs keystrokes and saves them in a file.
Worm name: TROJ_FRANLOAD.A
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan may be downloaded from the following URL:
http://www.austria-arb{BLOCKED}t.com/update/update.exe
The URL above is also used in a phishing email that contains a link whose displayed text points to the Microsoft Web site. In reality, once the link is clicked, the affected machine's Internet Explorer browser is redirected to http://www.austria-arb{BLOCKED}t.com/update/update.exe.
Upon execution, this Trojan downloads and executes SYSHOST.EXE in the Windows system folder. The said file is detected by Trend Micro as WORM_FRANCETTE.S. As a result, affected machines also exhibit the malicious behavior of that worm.
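As an added example that is not part of the alert, the kind of check a mail filter can run against a phishing message like the one described above: it parses each HTML link and flags those whose visible text names one host (here, Microsoft's) while the href leads somewhere else. The sample message and the attacker-update.example host are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Something that looks like a URL or bare domain inside the visible link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def host_of(url):
    """Lower-cased hostname of a URL, with a leading 'www.' dropped."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def find_spoofed_links(html):
    """Return (displayed_host, actual_host, href) for every link whose visible
    text names one host while its href leads to a different one."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        shown = URL_IN_TEXT.search(text)
        if not shown:
            continue  # plain anchor text such as "click here" claims no host
        displayed, actual = host_of(shown.group(0)), host_of(href)
        if displayed and actual and displayed != actual:
            flagged.append((displayed, actual, href))
    return flagged

# Constructed sample message; the attacker host is a labelled placeholder.
SAMPLE_EMAIL = """<html><body>
<p>A critical security update is available for your computer.</p>
<p><a href="http://www.attacker-update.example/update/update.exe">http://www.microsoft.com/downloads/update</a></p>
<p>Support: <a href="http://www.microsoft.com/">http://www.microsoft.com/</a></p>
</body></html>"""
```

Running find_spoofed_links(SAMPLE_EMAIL) flags only the first link, since the second one's text and href agree on the host.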
References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)