2006-05-12 11:38

[Virus Alert] 2 new worms found

Worm name: WORM_BAGLE.EO

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This worm propagates by sending copies of itself as email attachments to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine. With this built-in engine, it can send email messages without relying on other mailing applications, such as Microsoft Outlook.

 

It is also capable of propagating via peer-to-peer (P2P) networks. It drops copies of itself in folders whose names contain the string SHAR, on the assumption that such folders are used by P2P applications, since these applications usually require a folder with a name such as My Shares or Shared Music. It gives these copies attention-grabbing file names to entice target users to download them onto their systems.

 

Upon execution on the affected system, this worm drops a copy of itself in the Windows system folder as WINHOST.EXE.

 

 

Worm name: PE_KITTYKAT.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

 

Description:

This file infector arrives on a system as an infected .RAR file containing the batch file, START.BAT, and a randomly named folder. The said folder contains several randomly named binary files, with each binary file containing a part of this file infector's malware code.

 

Its file infection routine begins when an unsuspecting user manually extracts the contents of the infected .RAR file and then executes the file, START.BAT. When executed, the batch file reconstructs and executes a randomly named component of this file infector by combining the binary files that contain the parts of this file infector's malware code. The randomly named component in turn reconstructs and executes the main file infector component, NRK.EXE, also by combining the said binary files.

 

The file, NRK.EXE, then infects all .RAR files located in the current folder. It does this by adding the batch file, START.BAT, and a randomly named folder to the target compressed file. The said folder contains several randomly named binary files with each binary file containing a part of this file infector's malware code.
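
The archive layout described above (a root-level START.BAT next to a folder holding several files) can be checked from an archive's member listing. The following is an added example, not part of the original alert or any Trend Micro tool; the function names, the `min_parts` threshold and the sample listings are assumptions constructed for illustration, and a match only marks an archive for closer analysis.

```python
from collections import Counter
from pathlib import PureWindowsPath


def kittykat_layout_hits(members, min_parts=2):
    """Return the top-level folders that, together with a root-level
    START.BAT, match the layout in the alert. Empty list means no match.

    members: archive member paths ('/' or '\\' separators accepted).
    min_parts: assumed lower bound for "several" files in the folder.
    """
    has_start_bat = False
    files_per_folder = Counter()
    for name in members:
        name = name.strip()
        if not name or name.endswith(("/", "\\")):
            continue  # skip blanks and explicit directory entries
        parts = PureWindowsPath(name).parts
        if len(parts) == 1 and parts[0].upper() == "START.BAT":
            has_start_bat = True
        elif len(parts) == 2:
            # a file sitting directly inside a top-level folder
            files_per_folder[parts[0]] += 1
    if not has_start_bat:
        return []
    return sorted(f for f, n in files_per_folder.items() if n >= min_parts)


def triage(listings):
    """Map archive name -> suspicious folders, for archives that match."""
    result = {}
    for archive, members in listings.items():
        hits = kittykat_layout_hits(members)
        if hits:
            result[archive] = hits
    return result


# Constructed listings for illustration; not taken from real samples.
SAMPLE_LISTINGS = {
    "photos.rar": ["beach.jpg", "START.BAT",
                   "qzxvw\\ahd", "qzxvw\\prt", "qzxvw\\zkm"],
    "project.rar": ["README.txt", "src/main.c", "src/util.c"],
    "tools.rar": ["start.bat", "readme.txt"],
}

if __name__ == "__main__":
    for archive, folders in triage(SAMPLE_LISTINGS).items():
        print(f"{archive}: START.BAT plus part folder(s) {folders}")
```

Legitimate archives can also ship a START.BAT beside a folder, so treat a hit as a reason to scan the archive with an up-to-date antivirus engine before anyone extracts or runs it.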

 

 

 

References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)

 





