2006-01-16 10:44

[Virus Alert] 6 new worms found

Worm name: JS_FEEBS.T

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This malicious JavaScript is embedded in a malicious Web site and runs on a system when a user visits the said Web site. It may also arrive on the system as an .HTML file attached to an email message that is mass-mailed by WORM_FEEBS.T or sent by a malicious user.


When run on the affected system, it shows a fake hotmail.com loading page that displays a text message saying there is no available connection. The user is led to believe that the script did not execute, while it is in fact already downloading an encoded file, detected by Trend Micro as WORM_FEEBS.T. It then decodes and executes the said file on the affected system.


Thus, a system infected with JS_FEEBS.T may also be infected with yet another malware, causing even more harm to the system.


Worm name: WORM_FEEBS.T

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This worm employs a technique used by WORM_BAGLE variants, but it uses a JavaScript rather than a Trojan to fetch copies of itself from a certain location. The said JavaScript is detected by Trend Micro as JS_FEEBS.T.


Once this worm runs, it mass-mails copies of JS_FEEBS.T to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Because it carries its own SMTP engine, it can send the said email messages without relying on any mailing application installed on the system.


Worm name: WORM_LOCKSKY.AL

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This worm propagates by sending a copy of itself as an attachment to email messages. The email message that it sends out has the following details:


It also logs keystrokes to the file ATTRIB.INI in an attempt to steal user names and passwords.


Worm name: WORM_FEEBS.X

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This worm employs a propagation technique similar to that used by certain WORM_BAGLE variants. Its difference lies in its usage of a malicious JavaScript instead of a Trojan to download copies of itself from a certain location onto an affected system. The said JavaScript is detected by Trend Micro as JS_FEEBS.T.


Once this worm executes, it sends out copies of JS_FEEBS.T to target recipients via email using its own Simple Mail Transfer Protocol (SMTP) engine. Because it carries its own SMTP engine, it can send these email messages without relying on any mailing application installed on the system.


It also propagates via peer-to-peer (P2P) networks by dropping .ZIP archives that contain copies of JS_FEEBS.T into folders whose names contain the string DOWNLOADS. It works under the assumption that folders with the said string are shared within P2P networks. By dropping its copies in the said locations, this worm extends its propagation reach to other target systems within the affected P2P network.


Worm name: TROJ_YABE.H

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This Trojan usually arrives as an attachment to spammed email messages. Upon execution, it drops a copy of itself in the Windows system folder with the same file name as its executed copy. It then deletes the originally executed file.


It also drops SYSLDR.DLL in the same folder. Trend Micro also detects the said .DLL file as TROJ_YABE.H.


It waits for an Internet connection and attempts to access certain Web sites. However, as of this writing, the said Web sites are not available.


Worm name: WORM_MYTOB.NS

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

Like other WORM_MYTOB variants, this worm spreads by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.


This worm opens random ports and connects to the Internet Relay Chat (IRC) server irchat313bd.dynu.com. Once connected, it joins the channel #DarK#, where it listens for commands from a remote malicious user and executes them locally on the affected system, effectively giving the remote user control over that system.


It adds registry entries to ensure its automatic execution at every system startup. It also modifies a registry entry to disable the SharedAccess service, which is responsible for Internet Connection Sharing and the Windows Firewall.
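A defender-side check for the two host indicators described above (a disabled SharedAccess service and new autostart entries), as an added PowerShell example that is not part of this bulletin. It assumes the modified entry is the service's Start value under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess, which the bulletin does not specify.

```powershell
# Added example, not from the bulletin: check a Windows host for the SharedAccess
# tampering and startup persistence attributed to WORM_MYTOB.NS.
# Assumption: the worm sets the service's Start value to 4 (Disabled); the bulletin
# names neither the exact registry value nor the autostart entry names.

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
$svc = Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'SharedAccess service key not found'
} elseif ($svc.Start -eq 4) {
    Write-Warning 'SharedAccess (ICS / Windows Firewall) is DISABLED in the registry'
} else {
    Write-Output "SharedAccess Start value: $($svc.Start) (2 = Automatic, 3 = Manual)"
}

# The registry value only takes effect on the next start, so also report live state.
Get-Service -Name SharedAccess -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# Enumerate common autostart locations for manual review; the worm's own file
# name is not given in the bulletin, so any unfamiliar command here deserves a look.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties that Get-ItemProperty attaches to every result.
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object {
            [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
        }
}
```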


References:

http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)