2006-03-17 12:19

[Virus Alert] 3 new worms found

Worm name: ELF_LUPPER.H

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

It is a command-line tool used to connect to random ports. It may be used to connect back to remote malicious users, giving them a shell with which to control the affected system.

 

It takes advantage of the WebCalendar Send_Reminders.PHP Remote File Include and PHP-Nuke "phpbb_root_path" Arbitrary File Include vulnerabilities to propagate across networks. It does this by generating random IP addresses and appending certain strings to access vulnerable systems.

 

It then injects part of its malicious code into vulnerable applications to download and execute itself.
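
A defender-side check for the propagation pattern described above, as an added example that is not part of the original alert: it flags access-log requests where send_reminders.php receives a remote URL in any parameter, or where phpbb_root_path is set to a remote URL. The log lines, paths, hosts and the parameter name `p` are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format; nothing here is from the alert.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Mar/2006:12:01:02 +0800] "GET /cal/send_reminders.php?p=http%3A%2F%2Fhost.invalid%2Fx%3F HTTP/1.0" 404 210
198.51.100.7 - - [17/Mar/2006:12:01:03 +0800] "GET /nuke/mod.php?phpbb_root_path=http://host.invalid/x? HTTP/1.0" 404 212
203.0.113.5 - - [17/Mar/2006:12:02:10 +0800] "GET /cal/month.php?date=20060317 HTTP/1.1" 200 5120
203.0.113.9 - - [17/Mar/2006:12:03:44 +0800] "GET /index.php?phpbb_root_path=./ HTTP/1.1" 200 900
"""

# client address, request target and status code of one log line
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
# a parameter value that points PHP at a remote resource
REMOTE_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.I)


def classify(line):
    """Return (client, rule, status) for a suspected file-include probe, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    # parse_qsl percent-decodes values, so encoded URLs are caught as well
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if not REMOTE_VALUE_RE.match(value.strip()):
            continue
        if script == "send_reminders.php":
            return (client, "webcalendar-send_reminders-include", status)
        if name.lower() == "phpbb_root_path":
            return (client, "phpbb_root_path-include", status)
    return None


def scan(log_text):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client, rule, status in scan(SAMPLE_LOG):
        print(f"{client} {rule} status={status}")
```

A hit with a 200 status on a host that actually runs the affected application is worth checking against new files in /tmp, where the dropped script described below saves its downloads.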

 

 

Worm name: UNIX_GETS.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This malicious script arrives as a file dropped by ELF_LUPPER.H. It contains script code that downloads other malware detected by Trend Micro as ELF_KAITEN.AH and ELF_LUPPER.H.

 

The downloaded files are saved in the /tmp folder and then executed on the system. Downloading these files may allow remote users to access an affected system and run malicious commands, effectively compromising the system.

 

 

Worm name: TROJ_DLOADER.BXQ

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This memory-resident Trojan may arrive on a system as a downloaded file from the Internet.

 

Upon execution, it connects to the Web site {BLOCKED}/arts/brnotdd/{two random characters from its code}.ico to download a malicious file, which Trend Micro detects as WORM_BRONTOK.BC.

 

 

 

References: http://www.trendmicro.com/vinfo/ (Trend Micro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese Trend Micro Virus Security Info)





