2006-01-09 13:16

[Virus Alert] 8 new worms found

Worm name: BKDR_BREPLIBOT.U

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This backdoor application arrives on a system as an attachment to email messages manually mass-mailed by a remote attacker. The said attached file uses the file name, Transaction and Billing.exe. It may also arrive on the system either downloaded from the Internet or dropped by other malware programs.

 

When executed, it drops a copy of itself in the Windows system folder as smsogx32.exe.

 

This backdoor application bypasses the firewall settings so that it is able to perform its routines without being blocked.


Worm name: PE_HONK.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This file infector arrives on a system either downloaded from the Internet or dropped by other malware programs.

 

Upon execution, this file infector searches for .EXE and .DLL files on the affected system. It then appends its code to the aforementioned files. This routine ensures that the file infector runs at every system startup.

 

This file infector drops a component file, WINSFC.EXE, in the Windows system folder. The said file is detected by Trend Micro as TROJ_AGENT.BBQ.


Worm name: PE_ZORI.E-O

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This mother file infector infects by prepending its virus code to all the .EXE files it finds on the affected system. The infected files are detected by Trend Micro as PE_ZORI.E.

 

It spreads by dropping copies of itself into available network shared folders. Its dropped copies use file names with Chinese characters.

 

In addition, this mother file infector propagates by sending a copy of itself as attachments to email messages, which it sends using its own Simple Mail Transfer Protocol (SMTP) engine. The said routine allows this file infector to send copies of itself to target recipients without using third-party mailing applications, such as Microsoft Outlook. Notably, the subject titles and the attachment file names of the email messages it sends are also written in Chinese characters.


Worm name: PE_ZORI.E

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This is Trend Micro's detection for files infected by the mother file infector PE_ZORI.E-O.

 

When run, it executes the original target file using the file name, {Host's file name}{space}.EXE, in the current folder. It then executes the said mother file infector PE_ZORI.E-O, thus restarting the entire file infection process.


Worm name: WORM_LOCKSKY.V

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This worm propagates by sending copies of itself as attachments to email messages.

 

It gathers target email addresses from the Windows Address Book (WAB). It also gathers email addresses from .HTM files. This worm spoofs the From field in an attempt to trick affected users into thinking that the email came from a trusted source.

 

It attempts to bypass an affected system's firewall to avoid its immediate detection and subsequent removal.


Worm name: WORM_LOCKSKY.AB

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since its email propagation does not require any user intervention, the user is often unaware that this worm is sending out email messages.

 

It gathers target email addresses from a user's Windows Address Book (WAB), as well as from files using the HTM extension name. It also spoofs the From field in order to trick the user into thinking that the email is from a legitimate source.

 

The email message it sends out has the following details:

Subject: Your Ebay Account is Suspended

Message body:

We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

 

Moreover, it logs keystrokes and saves the gathered information in the file ATTRIB.INI.


Worm name: TROJ_BAGLE.BW

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

A Trojan application is malware with no capability to spread to other systems. It is usually downloaded from the Internet and installed by unsuspecting users.

 

This Trojan accesses the Web site, www.aur{BLOCKED}orodeley.com and attempts to download the file, 8.JPG, which is possibly a BAGLE variant.

 

The file is saved as {RANDOM}.EXE in the Windows system folder.


Worm name: WORM_MYTOB.MR

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This worm propagates via email, which it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine.

 

Users must take note of the email details described above to avoid infection.

 

This worm opens port 31337 and connects to Internet Relay Chat (IRC) server i.pwn4free.be. Once connected, it joins channel #el1te, where it listens for commands from a remote malicious user. It executes these commands locally on an affected system, providing the remote user virtual control over the affected system.

 

It modifies the Windows HOSTS file, which is usually located in the Windows or Windows system folder, to prevent affected users from accessing Web sites related to security companies. When users try to open any of the enumerated sites, they are redirected to the local machine.

It also terminates specific processes, mostly belonging to antivirus and security programs. This routine likewise serves to avoid early detection and removal.
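The HOSTS-file redirection described for WORM_MYTOB.MR is easy to check for on a host. The script below is an added example for this page, not Trend Micro's code or tooling: it parses HOSTS-file text and reports any watchlisted security-vendor domain (or a subdomain of one) that has been pinned to a loopback or unspecified address. The watchlist and the tampered sample file are constructed for illustration; www.trendmicro.com is taken from the references on this page, and the `.example` names are placeholders for other vendor domains.

```python
"""Flag HOSTS-file entries that pin security-vendor domains to a sinkhole
address (loopback or 0.0.0.0), the redirection technique described for
WORM_MYTOB.MR above.

Added example for this page; not Trend Micro code. The watchlist and the
sample HOSTS content below are constructed for illustration.
"""
import ipaddress

# Constructed watchlist: www.trendmicro.com appears in the page's references;
# the *.example names are placeholders standing in for other vendor domains.
WATCHLIST = {
    "www.trendmicro.com",
    "trendmicro.com",
    "av-vendor.example",
    "update.av-vendor.example",
}

# Constructed sample of a tampered HOSTS file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com
127.0.0.1       av-vendor.example update.av-vendor.example
0.0.0.0         ads.tracker.example   # sinkholed ad host: benign, not on watchlist
192.168.1.10    fileserver            # ordinary LAN entry
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # address with no hostnames
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed address: skip the line
        for host in fields[1:]:
            yield ip, host.lower()


def is_sinkhole(ip):
    """True for addresses that swallow traffic: loopback or the unspecified address."""
    return ip.is_loopback or ip.is_unspecified


def find_redirected_vendors(text, watchlist=WATCHLIST):
    """Return sorted (hostname, ip) pairs for watchlisted domains, or any
    subdomain of one, that the HOSTS text maps to a sinkhole address."""
    hits = set()
    for ip, host in parse_hosts(text):
        if not is_sinkhole(ip):
            continue
        if host in watchlist or any(host.endswith("." + w) for w in watchlist):
            hits.add((host, str(ip)))
    return sorted(hits)


if __name__ == "__main__":
    for host, ip in find_redirected_vendors(SAMPLE_HOSTS):
        print(f"security domain {host} pinned to {ip}")
```

On a live machine the same function can be fed the contents of the real HOSTS file (on the Windows systems this alert concerns, `%SystemRoot%\System32\drivers\etc\hosts`); the `localhost` and ad-blocking entries are deliberately left alone, since only watchlisted vendor names count as a finding.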


References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)
