[Virus Alert] 4 new worms found
Worm name: JS_YAMANNER.A
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious JavaScript arrives on a system embedded in a Yahoo! email message. When a user opens the message, the script executes automatically.
It takes advantage of a vulnerability in the Yahoo! Web-based email service to send copies of itself to an affected user's Yahoo! contacts. It gathers email addresses from Yahoo! email folders, which further spreads this malware.
It connects to the URL www.a{BLOCKED}et to send the list of email addresses it gathers. This routine exposes private information to possible attackers.
Worm name: RTKT_RUSTOCK.C
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This rootkit usually arrives as a file dropped by other malware or as a file downloaded unknowingly by a user when visiting malicious Web sites.
It hides malware processes and other malicious activities by modifying the assigned functions in the file NTOSKRNL.EXE, which handles basic Windows functions on systems running Windows NT, 2000, XP, and Server 2003. Incorrect modification of this file may cause affected systems to crash.
Worm name: TROJ_BAGLE.EY
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan arrives as an attachment to an email message spammed by a certain WORM_BAGLE variant.
Upon execution, this Trojan drops a copy of itself as HLDRRR.EXE in the Windows system folder.
It also creates the subfolder %System%\EXEFLD, where it saves the files it downloads from several Web sites. The downloaded files contain Web sites from which this Trojan can download more possibly malicious files. This routine further exposes the affected machine to other malware attacks.
Worm name: BKDR_BREPBOT.A
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This memory-resident backdoor arrives as an attachment to a spammed email message from an unknown location as either PHOTOS or ARTICLE.EXE.
Upon execution, it drops a copy of itself as SVCHON32.EXE in the Windows system folder.
It connects to random ports, allowing a remote user to perform malicious actions on the affected system, such as uploading a file and executing a file.
References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)