[Virus Alert] 5 new worms found
Worm name: TROJ_DROPPER.BHC
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan usually arrives on a system as a file downloaded by an unsuspecting user when visiting malicious Web sites.
When executed, it drops several files in the Windows temporary folder. It then executes a file detected by Trend Micro as TROJ_MULTIJOI.AW. As a result, routines of the related malware are exhibited on the affected machine.
It also executes a file that displays an image on the affected system.
Worm name: TROJ_ZLOB.ACB
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan may arrive on a system as a file downloaded by another malware.
It runs a specific command via TCP port 80 to check the accessibility of www.ad-w{BLOCKED}r-e.com. Once accessible, it sends a query to www.ad-w{BLOCKED}r-e.com. The said action allows this Trojan to download possibly malicious files from www.ad-w{BLOCKED}r-e.com into the affected system.
Worm name: TROJ_DLOADER.AVS
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
When executed, this memory-resident Trojan drops a randomly named copy of itself in certain folders.
As a result, the routines of any downloaded malicious file may also be exhibited on the affected machine. As of this writing, however, the said Web site is unavailable.
Worm name: BKDR_AGENT.AGV
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This backdoor arrives as a file downloaded from the Internet by an unsuspecting user when visiting malicious Web sites. It can also arrive as a file dropped by another malware.
It opens random ports to allow a remote malicious user access to an affected system. Once connected, the remote user can issue commands locally on the machine, compromising system security.
This backdoor also modifies certain registry entries to perform file manipulation actions. First, it hides file extension names to prevent its early detection and subsequent removal from the affected system. Second, it sets the system to display files with the Hidden and System attributes, usually system files, to increase their chances of accidental deletion or modification. Finally, it disables Folder Options in the Tools drop-down menu to prevent the user from undoing its file display set-up.
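The registry tampering described above can be audited on a Windows host. The following PowerShell script is an added example, not code from the advisory or from Trend Micro; the advisory does not name the entries, so it assumes the three standard Explorer values that control extension hiding (HideFileExt), super-hidden file display (ShowSuperHidden) and the Folder Options menu (NoFolderOptions). Note that HideFileExt=1 is the out-of-box Windows default, so a hit on that value is a deviation from a hardened baseline rather than proof of infection on its own.

```powershell
# Added example (not from the advisory): audit the Explorer registry values that a
# backdoor of this kind tampers with, and optionally restore a safe baseline.
# Assumption: the advisory names no entries; these are the standard Explorer settings.

[CmdletBinding()]
param(
    [switch]$Repair   # restore the expected values instead of only reporting
)

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Expected baseline values, matching the behaviour the advisory describes:
#   HideFileExt     = 0  -> extensions shown, so a double extension is visible
#   ShowSuperHidden = 0  -> Hidden+System files stay hidden from casual browsing
#   NoFolderOptions = 0 or absent -> Folder Options menu available to the user
$checks = @(
    @{ Path = $advanced; Name = 'HideFileExt';     Expected = 0 },
    @{ Path = $advanced; Name = 'ShowSuperHidden'; Expected = 0 },
    @{ Path = $policies; Name = 'NoFolderOptions'; Expected = 0 }
)

$findings = foreach ($c in $checks) {
    $current = $null
    if (Test-Path $c.Path) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    # An absent value means the setting was never written; only an explicit
    # non-baseline value is reported as suspicious.
    $suspicious = ($null -ne $current) -and ($current -ne $c.Expected)
    [pscustomobject]@{
        Path       = $c.Path
        Name       = $c.Name
        Current    = $current
        Expected   = $c.Expected
        Suspicious = $suspicious
    }
}

$findings | Format-Table -AutoSize

$tampered = @($findings | Where-Object Suspicious)
if ($tampered.Count -eq 0) {
    Write-Host 'No deviation from the audited Explorer baseline detected.'
    return
}

Write-Warning ("{0} audited value(s) differ from the expected baseline." -f $tampered.Count)
if ($Repair) {
    foreach ($t in $tampered) {
        if (-not (Test-Path $t.Path)) { New-Item -Path $t.Path -Force | Out-Null }
        Set-ItemProperty -Path $t.Path -Name $t.Name -Value $t.Expected -Type DWord
        Write-Host ("Restored {0}\{1} to {2}" -f $t.Path, $t.Name, $t.Expected)
    }
    Write-Host 'Restart explorer.exe (or sign out) for the changes to take effect.'
}
```

Run it without arguments to report, or with -Repair to restore the baseline after the backdoor itself has been removed; restoring the values while the backdoor is still running only invites it to set them again.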
Worm name: WORM_BAGLE.FF
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm propagates via email. It sends copies of itself as a password-protected .ZIP attachment to email messages that it sends to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine. Hence, the malicious .EXE file is not detected until extracted by the recipient. Also, using its own SMTP engine allows this worm to send email messages even without using mailing applications such as Microsoft Outlook.
This worm terminates processes that are related to antivirus and security applications. This routine makes the worm more difficult to remove.
It also accesses various URLs to download possibly malicious files. This action heightens the risk of acquiring more malware threats in the affected system. It also drops a file that is related to the malware TROJ_ROOTKIT.FF. The said file is used by this worm to hide its file and running process, avoiding early detection.
References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)