2006-01-17 11:24

[Virus Alert] 6 new worms found

Worm name: WORM_FEEBS.AF

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This memory-resident worm employs a propagation technique similar to that used by certain WORM_BAGLE variants. Its difference lies in its usage of a malicious JavaScript instead of a Trojan to download copies of itself from a certain location onto an affected system. The said JavaScript is detected by Trend Micro as JS_FEEBS.AF.


Once this worm executes, it sends out copies of JS_FEEBS.AF to target recipients via email using its own Simple Mail Transfer Protocol (SMTP) engine. Through the said SMTP engine, it is able to easily send email messages even without using other mailing applications.


It also drops .ZIP archives that contain copies of itself in folders whose names contain the string DOWNLOADS. It assumes that folders with the said string are folders shared within peer-to-peer (P2P) networks. By dropping its copy into the said locations, this worm may extend its propagation reach to other target systems within the affected P2P network.


Worm name: JS_FEEBS.AF

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This JavaScript is embedded in a malicious Web site and run on a system when a user visits the said Web site. It may also arrive on the system as an attached .HTML file to an email message manually mass-mailed by a malicious user.


When running on the affected system, it shows a fake hotmail.com loading page that displays a text message saying there is no available connection. It appears to the user that the JavaScript has failed to successfully access the Web page even though it is already downloading an encoded file, which is detected by Trend Micro as WORM_FEEBS.AF. It then decodes and executes the said file on the affected system.


This JavaScript downloads the mentioned worm using any of several specified URLs.


Worm name: WORM_LOCKSKY.AM

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This worm propagates by sending a copy of itself as an attachment to email messages. The email message it sends out has the following details:


It gathers target email addresses by searching an affected system for files with specific extensions that are common repositories of email addresses.


It also disables the Folder Options item in the Tools drop-down menu from the main menu bar of Windows Explorer and Control Panel. The said action prevents the affected user from changing such settings as displaying hidden folders and displaying file paths in title bars.


Furthermore, this worm restarts the affected system if it finds an open window with certain strings, such as EXE and/or Registry, in the title bar. Hence, if for instance a user opens Registry Editor, or any other executable file, this worm restarts the system.


Worm name: WORM_MYTOB.NT

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This worm propagates by sending copies of itself as attachments to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. It can then send email messages without using mailing applications, such as Microsoft Outlook.


It gathers target email addresses from the Windows Address Book (WAB) and Temporary Internet Files folder, as well as from files with certain extension names.


This worm spreads through network shares as well. It searches for certain shares, where it drops a copy of itself. It uses a list of user names and passwords to gain access to password-protected shares.


It has backdoor capabilities. It opens a random port, which allows a remote user to perform malicious commands on the affected machine, thus compromising system security.


Worm name: WORM_GREW.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This worm propagates by sending a copy of itself as an attachment to email messages, which it sends to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine. Through the said SMTP engine, it is able to easily send email messages even without using other mailing applications.


It gathers email addresses from files with certain extensions, such as DOC, PSD, RAR, and ZIP.


It also propagates through network shares. It does the said routine by searching the network for ADMIN$ and C$ shares, where it drops a copy of itself using the file name WINZIP_TMP.EXE.
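The two file-drop behaviours described in this alert (WORM_FEEBS.AF placing .ZIP copies in folders whose names contain DOWNLOADS, and WORM_GREW.A dropping WINZIP_TMP.EXE on ADMIN$ and C$ shares) can be swept for on a host or mounted share. The following is an added example written for this page, not Trend Micro code; the sweep root, the `Finding` type and the constructed demo tree are assumptions, and a hit is a triage lead rather than a verdict because ZIP files in download folders are common.

```python
import os
import tempfile
from dataclasses import dataclass

# Indicators taken from the alert text above (the page gives no hashes).
GREW_DROP_NAME = "WINZIP_TMP.EXE"    # WORM_GREW.A copy dropped on ADMIN$ / C$ shares
FEEBS_FOLDER_MARKER = "DOWNLOADS"    # WORM_FEEBS.AF drops .ZIP copies in such folders


@dataclass(frozen=True)
class Finding:
    path: str
    indicator: str


def sweep(root: str) -> list[Finding]:
    """Walk `root` and list files matching either drop pattern (triage list, not a verdict)."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        # Any path component below the root containing DOWNLOADS marks the folder.
        rel_parts = os.path.relpath(dirpath, root).split(os.sep)
        in_downloads = any(FEEBS_FOLDER_MARKER in part.upper() for part in rel_parts)
        for name in files:
            full = os.path.join(dirpath, name)
            if name.upper() == GREW_DROP_NAME:
                findings.append(Finding(full, "WORM_GREW.A drop name"))
            elif in_downloads and name.lower().endswith(".zip"):
                findings.append(Finding(full, "ZIP in DOWNLOADS folder (WORM_FEEBS.AF P2P drop)"))
    return sorted(findings, key=lambda f: f.path)


def build_demo_tree() -> str:
    """Constructed sample tree of empty placeholder files (no real malware involved)."""
    root = tempfile.mkdtemp(prefix="feebs_grew_demo_")
    for rel in ("Shared Downloads/setup.zip", "Shared Downloads/readme.txt",
                "Music/song.zip", "Windows/WINZIP_TMP.EXE"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for f in sweep(demo):
        print(f.indicator, "->", os.path.relpath(f.path, demo))
```

Run against a mounted ADMIN$ or C$ share root to cover the GREW drop location; ZIP hits in download folders still need a content check before any action.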


References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)
