[Virus Alert] 5 new worms found
Worm name: SYMBOS_CARDTRP.R
Risk rating: MEDIUM
Damage Potential: MEDIUM
Distribution Potential: MEDIUM
Description:
This Symbian malware has no propagation technique of its own; it arrives on a Bluetooth-compatible mobile device through manual distribution by affected users.
Once installed, it drops several files onto the memory card of the affected mobile device (on E:\), including malicious files detected by Trend Micro as SYMBOS_SKULLS.F and WORM_RONTOKBR.AK.
Users are thus warned against opening or installing files sent via Bluetooth by an unknown or untrusted source.
Worm name: ELF_KAITEN.AI
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This executable Linux file arrives as a file downloaded by another malware, which Trend Micro detects as UNIX_MARE.I.
It connects to any of the following Internet Relay Chat (IRC) servers:
• irc.ridernet.org
• 12.205.151.144
• 69.237.36.197
It then joins the IRC channel #mambolizo to wait for commands coming from a remote malicious user. Once it establishes a connection, it executes any of the following commands, which the said remote user may issue:
• Enable or disable the IRC Client
• Send UDP Packets
• Spoof an IP address
• Change client nickname
• Change servers
• Enable or disable packeting
• Terminate the client
• Download files from the Internet
• Execute files remotely
• Initiate denial-of-service attacks using SYN and UDP flooding methods
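As an added defender-side example (not part of the Trend Micro bulletin), the script below matches the IRC servers and channel named above against constructed log lines and reports which internal hosts contacted them; the two log formats, the timestamps and the 10.0.0.x addresses are assumptions made for the example.

```python
import re

# Indicators taken from the ELF_KAITEN.AI description above.
KAITEN_IRC_SERVERS = {"irc.ridernet.org", "12.205.151.144", "69.237.36.197"}
KAITEN_IRC_CHANNEL = "#mambolizo"

# Two assumed (constructed) log shapes, not any vendor's real format:
#   firewall:  "<ts> fw: src=<ip> dst=<host-or-ip> dport=<port> proto=tcp"
#   irc proxy: "<ts> irc: <ip> -> <server> JOIN <channel>"
FW_RE = re.compile(r"fw: src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)")
IRC_RE = re.compile(r"irc: (?P<src>\S+) -> (?P<server>\S+) JOIN (?P<chan>\S+)", re.I)

def find_kaiten_c2(lines):
    """Return one finding per log line that touches a KAITEN C&C indicator."""
    findings = []
    for line in lines:
        m = FW_RE.search(line)
        if m and m.group("dst").lower() in KAITEN_IRC_SERVERS:
            findings.append({"host": m.group("src"), "indicator": m.group("dst"),
                             "reason": "connection to known ELF_KAITEN.AI IRC server"})
            continue
        m = IRC_RE.search(line)
        if m and (m.group("chan").lower() == KAITEN_IRC_CHANNEL
                  or m.group("server").lower() in KAITEN_IRC_SERVERS):
            findings.append({"host": m.group("src"), "indicator": m.group("chan"),
                             "reason": "IRC JOIN to ELF_KAITEN.AI command channel"})
    return findings

def suspect_hosts(lines):
    """Sorted list of distinct internal hosts that hit any indicator."""
    return sorted({f["host"] for f in find_kaiten_c2(lines)})

# Constructed sample log: two hosts reach the listed servers, one joins the channel.
SAMPLE_LOG = [
    "2006-03-14T10:01:02 fw: src=10.0.0.5 dst=irc.ridernet.org dport=6667 proto=tcp",
    "2006-03-14T10:01:05 fw: src=10.0.0.7 dst=203.0.113.9 dport=443 proto=tcp",
    "2006-03-14T10:02:11 irc: 10.0.0.5 -> irc.ridernet.org JOIN #mambolizo",
    "2006-03-14T10:03:30 irc: 10.0.0.9 -> irc.example.net JOIN #linux",
    "2006-03-14T10:04:00 fw: src=10.0.0.12 dst=69.237.36.197 dport=6667 proto=tcp",
]

if __name__ == "__main__":
    for f in find_kaiten_c2(SAMPLE_LOG):
        print(f"{f['host']}: {f['reason']} ({f['indicator']})")
    print("hosts to isolate and inspect:", suspect_hosts(SAMPLE_LOG))
```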
Worm name: UNIX_MARE.I
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Unix malware arrives as a file downloaded by another malware detected by Trend Micro as ELF_MARE.J.
Upon execution, it checks for an Internet connection. Once a connection is established, it downloads and executes the following files from the indicated Web sites:
• 2{BLOCKED}144/ride - detected by Trend Micro as ELF_KAITEN.AI
• 2{BLOCKED}144/rider - detected as ELF_MARE.J
The said download routine opens the affected system to further malicious attacks.
Worm name: ELF_MARE.J
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This executable Linux file (ELF) propagates by taking advantage of the following vulnerabilities:
• XML-RPC for PHP Remote Code Execution vulnerability
• Mambo FUNCTION.PHP Arbitrary Command Execution vulnerability
It downloads and executes malicious files from the following URLs:
• 204.{BLOCKED}.56.144/cmd.gif - detected by Trend Micro as PHP_DEFTOOL.A
• 204.{BLOCKED}.56.144/gicupo - detected as UNIX_MARE.I
• 204.{BLOCKED}.56.144/gicuji - detected as UNIX_MARE.I
The mentioned routine opens the affected system to further malicious attacks.
Worm name: TROJ_DLOADER.CBC
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan arrives on a system as a file dropped or downloaded by other malware or a file manually installed by an unsuspecting user.
Upon execution, it checks for an Internet connection. Once it detects a connection, it downloads and executes the malicious file LSASS.EXE from the Web site w{BLOCKED}ee.org/Home/20meter/5.ico.
The said file is detected by Trend Micro as WORM_RONTOKBR.AL.
References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)