[Virus Alert] 4 new worms found
Worm name: PE_DETNAT.C
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This file-infector propagates through network shares. It initially searches for shared drives on an affected system and then infects all executable (.EXE) files that exist in the said shares.
Once an infected file is re-executed, it creates a copy of the said file in the same folder, with the file name {one space}{executed file name}. It then disinfects the newly created file so that it can be used as a replacement for the previously running file.
Furthermore, it opens certain URLs to download a malicious file, which Trend Micro detects as TSPY_LINEAGE.AJC. The routines of the downloaded file are then exhibited on the machine, thus increasing the security risk to the affected system.
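The replacement artefact described above (a copy whose file name is the original name prefixed with one space, sitting next to the original) is something a share owner can sweep for. The following is an added triage script, not Trend Micro's code or part of this alert; it walks a directory standing in for a share, flags .EXE files whose base name starts with a space and that carry the PE "MZ" header, and reports whether a same-named sibling without the space exists. The sample share, its file names and contents are constructed for the demonstration.

```python
import os
import tempfile

# PE executables start with the DOS header magic "MZ".
PE_MAGIC = b"MZ"


def is_pe_file(path):
    """Return True if the file begins with the 'MZ' header of a PE executable."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == PE_MAGIC
    except OSError:
        return False


def find_leading_space_executables(root):
    """Walk `root` and return (basename, sibling_exists) for every .EXE whose
    name begins with a space and whose content looks like a PE file.
    sibling_exists is True when the same name without the leading space is
    also present in that folder, which matches the described replacement copy."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.startswith(" ") and name.lower().endswith(".exe")):
                continue
            path = os.path.join(dirpath, name)
            if not is_pe_file(path):
                continue
            sibling = os.path.join(dirpath, name.lstrip(" "))
            hits.append((name, os.path.isfile(sibling)))
    return sorted(hits)


def build_sample_share():
    """Create a temporary folder standing in for a network share (constructed data)."""
    root = tempfile.mkdtemp(prefix="share_")
    samples = {
        "report.exe": PE_MAGIC + b"\x00" * 62,    # ordinary executable
        " report.exe": PE_MAGIC + b"\x00" * 62,   # leading-space copy beside the original
        " orphan.exe": PE_MAGIC + b"\x00" * 62,   # leading-space copy with no sibling
        " notes.txt": b"just text",               # leading space but not an executable
        "tool.exe": PE_MAGIC + b"\x00" * 62,      # ordinary executable
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


def scan_sample():
    """Build the constructed share and return what the sweep flags."""
    return find_leading_space_executables(build_sample_share())


if __name__ == "__main__":
    for name, has_sibling in scan_sample():
        print(f"{name!r}: sibling present={has_sibling}")
```

Run it against a mounted share path instead of the temporary folder to sweep real data; a hit with `sibling_exists` True is the stronger indicator, since it reproduces the pairing the alert describes rather than just an odd file name.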
Worm name: WORM_HOOTS.A
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm propagates by dropping copies of itself in several hardcoded network shared folders.
Worm name: PE_VIRUT.A
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This file infector spreads by infecting running processes that use .EXE and .SCR extensions. It checks whether the target processes are files of the portable executable (PE) format. It then appends its code to infect the target processes. It avoids processes and files with certain strings in their file names.
In addition, this file infector has backdoor capabilities. It opens port 65520 and connects to a specific Internet Relay Chat (IRC) server. Once connected, it assigns itself a specific nick and allows a remote user to download files into the affected system. This routine effectively compromises the affected system's security.
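Because the backdoor described above opens a fixed listening port (65520), a quick host check is to parse `netstat -ano` output, flag any process listening on that port, and list that same process's established connections, which is where the IRC session would show up. The script below is an added example written for this alert, not Trend Micro's tooling; the `netstat` sample it parses is constructed, and the remote addresses and ports in it are placeholders, not indicators from the alert.

```python
import re

# Constructed sample of `netstat -ano` output; not captured from a real infection.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:65520          0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.5:49172      198.51.100.23:6667     ESTABLISHED     4120
  TCP    192.168.1.5:49180      198.51.100.40:443      ESTABLISHED     2288
  UDP    0.0.0.0:500            *:*                                    1180
"""

# Proto, local endpoint, foreign endpoint, optional state (absent for UDP), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

BACKDOOR_PORT = 65520  # listening port named in the alert


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port-as-int); a '*' port becomes None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ano text into a list of connection dicts, skipping headers."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport,
                     "state": state, "pid": int(pid)})
    return rows


def find_listeners(rows, port):
    """Return the PIDs with a TCP socket in LISTENING state on `port`."""
    return sorted({r["pid"] for r in rows
                   if r["proto"] == "TCP" and r["local_port"] == port
                   and r["state"] == "LISTENING"})


def established_for_pid(rows, pid):
    """Return (remote_host, remote_port) for each ESTABLISHED connection of `pid`."""
    return [(r["remote_host"], r["remote_port"]) for r in rows
            if r["pid"] == pid and r["state"] == "ESTABLISHED"]


def triage(text, port=BACKDOOR_PORT):
    """Map each PID listening on `port` to its outbound established connections."""
    rows = parse_netstat(text)
    return {pid: established_for_pid(rows, pid) for pid in find_listeners(rows, port)}


if __name__ == "__main__":
    for pid, peers in triage(SAMPLE_NETSTAT).items():
        print(f"PID {pid} listens on {BACKDOOR_PORT}; established peers: {peers}")
```

On a live host, feed it the real `netstat -ano` output; a hit gives you the PID to pull the image path and any connected peer to block or investigate, rather than relying on the port number alone.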
Worm name: JS_FEEBS.KD
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This JavaScript is embedded in a malicious Web site and is run on a system when a user visits the said Web site. It may also arrive on the system as an attached .HTML file to an email message mass-mailed by the malware detected by Trend Micro as WORM_FEEBS.KF.
It downloads a copy of the WORM_FEEBS.KF file from certain URLs. This JavaScript also deletes several registry keys related to certain antivirus and security applications. Deleting the registry keys prevents the said applications from running at startup, thus lowering the affected system's security and making this JavaScript harder to detect.
References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)