[Virus Alert] 2 new worms found
Worm name: WORM_MYTOB.QL
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm propagates by sending email messages using its own Simple Mail Transfer Protocol (SMTP) engine. The said message contains a link that, when clicked, downloads a copy of this worm and executes it on the affected computer.
The use of its own SMTP engine improves the propagation method of this worm since it does not require other messaging applications to send email messages.
This worm has backdoor capabilities. It opens a certain port, connects to a certain Internet Relay Chat (IRC) server, and joins a certain channel using a certain nickname. Once a connection is established, it listens for commands coming from a remote user, which it executes on the affected computer, thus compromising the security of the affected computer.
Worm name: WORM_MYTOB.QK
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
Like other WORM_MYTOB variants, this worm spreads by sending email messages using its own Simple Mail Transfer Protocol (SMTP) engine. It is capable of sending email messages without using mailing applications, such as Microsoft Outlook. Since its email propagation does not require any user intervention, a user is often unaware that this worm is sending out email messages. The said email message contains a spoofed link that, when clicked, redirects the user to the following URL:
This worm has backdoor capabilities. It opens port 8585 and connects to the Internet Relay Chat (IRC) server {w000t}-pqxzaj. Using the password Hidden32, it then joins the IRC channel #w000t, where it listens for certain commands from a remote malicious user. It executes these commands locally on the affected machine, which further opens the said machine to other malicious attacks.
It is capable of preventing users from accessing several antivirus and security Web sites by modifying the HOSTS file. It also terminates several processes, most of which are also related to security and antivirus applications. These routines make the detection, and consequent removal, of this worm more difficult.
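The HOSTS-file blocking described above leaves a recognisable trace: security vendor hostnames pinned to the loopback or null address. The following is an added example, not part of the alert, of a check that finds such entries in a HOSTS file; the sample file contents and the vendor hostnames in it are constructed placeholders, since the alert does not list the sites the worm blocks.

```python
import ipaddress

# Constructed sample of a HOSTS file after the kind of tampering the
# advisory describes: legitimate entries followed by security vendor
# hostnames pinned to the loopback or null address so the machine can
# no longer reach them. The vendor hostnames are placeholders.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.20    fileserver.corp.example
127.0.0.1 www.security-vendor.example
127.0.0.1 update.av-vendor.example
0.0.0.0 downloads.av-vendor.example
"""

# Names that legitimately resolve to loopback and must not be flagged.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a HOSTS file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:                     # one IP may carry several names
            yield ip, name.lower(), line_no

def is_sinkhole_address(ip):
    """True for loopback or unspecified addresses (127.x, ::1, 0.0.0.0, ::)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                         # malformed field, not an address
        return False
    return addr.is_loopback or addr.is_unspecified

def find_blocked_hosts(text):
    """Return entries that pin a non-local hostname to a sinkhole address."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if is_sinkhole_address(ip) and name not in BENIGN_LOOPBACK_NAMES:
            findings.append({"line": line_no, "ip": ip, "host": name})
    return findings

if __name__ == "__main__":
    for f in find_blocked_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
```

To run it against a real machine, read the system's HOSTS file into `find_blocked_hosts` instead of `SAMPLE_HOSTS`; any hit outside a known local-override list is worth investigating alongside the autorun registry entries and terminated processes the alert mentions.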
In addition, this worm ensures its automatic execution at every system startup by modifying the system registry.
References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)