2006-07-10 13:33

[Virus Alert] 6 new worms found

Worm name: TROJ_NANISTYL.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan is a proof-of-concept exploit that takes advantage of an unknown remote code execution vulnerability, which causes Japanese and Chinese versions of Microsoft Excel 2000 to crash on affected systems.

Currently, however, this Trojan sample does not contain shellcode.

Worm name: TROJ_NAKANI.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan is a proof-of-concept exploit that takes advantage of an unknown remote code execution vulnerability, which causes the process EXPLORER.EXE to crash.

It may be downloaded from the Internet. Currently, however, this Trojan does not contain shellcode.

Worm name: SYMBOS_SKULLS.AA

Risk rating: MEDIUM

Damage Potential: MEDIUM

Distribution Potential: MEDIUM

Description:

This Symbian malware propagates by sending copies of itself to other mobile devices via Bluetooth. It affects mobile devices running the Symbian operating system with the Series 60 Platform user interface. It usually arrives on a mobile device with the file name BLUENUMSTEALER.SIS.

Some of the affected mobile device models are listed below:

• Nokia 3600
• Nokia 3620
• Nokia 3650
• Nokia 3660
• Nokia 6600
• Nokia 6620
• Nokia 7610
• Nokia 7650
• Nokia N-Gage
• Panasonic X700
• Sendo X
• Siemens SX1

Upon installation, it drops several files on an affected mobile device. Trend Micro detects the dropped files as any one of the following Symbian malware:

• SYMBOS_CABIR.A
• SYMBOS_CABIR.D

Worm name: PE_GATTMAN.A-O

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This file infector may arrive as a randomly named file dropped by other malware, or it may be downloaded and installed by an unsuspecting user visiting a Web site. Upon execution, it searches the current folder for an .IDC file to infect.

An .IDC file is a script file that can be opened using Interactive Disassembler Pro (IDA), which is a tool for reverse engineering certain files. When an infected .IDC file is loaded, it drops and executes a copy of this file infector. This routine ensures continuous infection of .IDC files.

Worm name: TROJ_SMALL.DG

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan usually arrives as an attachment to a spammed email message. It arrives as the file DC{random number}.JPG_________________JPG.exe with the following icon:

When executed, it connects to the URL www.ede{BLOCKED}.net/flash to download the file MENU1.SWF, which Trend Micro detects as TROJ_VB.ACT. It then saves and executes the downloaded file in the affected system's root folder (usually C:\) as IEXPLORE.EXE. Note that the legitimate IEXPLORE.EXE file is found in the %Program Files%\Internet Explorer folder.

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)
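
The two traits described above (an executable attachment padded to look like a .JPG, and an IEXPLORE.EXE outside its legitimate folder) can be checked mechanically. The following is an added example, not code from Trend Micro or the original alert; the extension sets, function names and sample records are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Illustrative sets (assumptions, not from the alert); extend for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "doc", "pdf", "txt", "swf"}
# Legitimate location per the alert, with %Program Files% at its usual value.
LEGIT_IE_DIRS = {r"c:\program files\internet explorer"}

# Decoy extension, then padding, then optionally a repeated extension:
# the NAME.JPG____JPG shape that remains once ".exe" is stripped.
_PADDED = re.compile(r"\.([a-z0-9]{2,4})[_\s.]{3,}(?:[a-z0-9]{2,4})?$")

def masquerading_attachment(filename: str) -> bool:
    """True if an executable's name is dressed up as a document or image."""
    p = PureWindowsPath(filename)
    if p.suffix.lower() not in EXECUTABLE_EXTS:
        return False
    stem = p.stem.lower()
    m = _PADDED.search(stem)
    if m and m.group(1) in DECOY_EXTS:
        return True
    # Plain double extension without padding, e.g. photo.jpg.exe
    return PureWindowsPath(stem).suffix.lstrip(".") in DECOY_EXTS

def misplaced_iexplore(image_path: str) -> bool:
    """True if IEXPLORE.EXE runs from anywhere but the legitimate folder."""
    p = PureWindowsPath(image_path)
    return p.name.lower() == "iexplore.exe" and str(p.parent).lower() not in LEGIT_IE_DIRS

# Constructed sample records (kind, value); not taken from the alert.
SAMPLE_EVENTS = [
    ("attachment", "DC4821.JPG_________________JPG.exe"),
    ("attachment", "holiday.jpg"),
    ("process", r"C:\IEXPLORE.EXE"),
    ("process", r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"),
]

def triage(events):
    """Return only the records that trip one of the two checks."""
    checks = {"attachment": masquerading_attachment, "process": misplaced_iexplore}
    return [(kind, value) for kind, value in events if checks[kind](value)]

if __name__ == "__main__":
    for kind, value in triage(SAMPLE_EVENTS):
        print(f"suspicious {kind}: {value}")
```

On systems where Program Files is relocated or a 64-bit Windows is in use, add the corresponding folders to LEGIT_IE_DIRS before relying on the second check.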

 

 

Worm name: TROJ_MITGLIED.AF

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan arrives as an attachment to email messages that are manually spammed, presumably by this Trojan's author. Upon execution, it connects to certain Web sites to download possibly malicious files.

Moreover, it attempts to bypass the Windows firewall so that it can freely execute its downloading routine. It also terminates certain antivirus-related processes if it finds them running on the affected system. The latter action helps prevent its immediate detection and consequent removal.

References: http://www.trendmicro.com/vinfo/ (Trend Micro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese Trend Micro Virus Security Info)