2006-05-08 11:39

[Virus Alert] 8 new worms found

Worm name: PE_DETNAT.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Portable Executable (PE) file infector propagates through network shares. It initially searches for shared drives on an affected system, and then infects all executable (.EXE) files that exist in the said shares.

It drops a copy of the infected .EXE file in the root directory (usually C:\), and infects .EXE files found in different drives, including their subfolders. However, it avoids infecting executable files located in the Windows folder.

It performs its infection routine by compressing the host file into one of the code sections of this file infector. Once an infected file is re-executed, it moves the said infected file to the Documents and Settings\{User's profile}\Local Settings\Temp folder using the file name COOLER{random numbers}.EXE, while disinfecting itself from the host file. Note that the file it moves to the temporary folder is memory-resident and an exact copy of the infected host file.

Worm name: JS_FEEBS.JV

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This JavaScript usually arrives as an attachment to email messages spammed by WORM_FEEBS.JY. It is also embedded in a malicious Web page and runs on a computer when a user views the said page.

This JavaScript displays a fake loading page for several known Web sites. The said page contains a fake message saying there is no Internet connection available. Thus, affected users are led to believe that the said Web pages are inaccessible, even though an encoded file is already being downloaded. Trend Micro detects the said file as WORM_FEEBS.JY.

This JavaScript also downloads a copy of the said worm from several URLs.

Worm name: WORM_ARESES.N

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm propagates by attaching copies of itself to email messages that it sends to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine. The said engine allows it to send email messages without using mailing applications, such as Microsoft Outlook.

The email attachment, which usually arrives ZIP-compressed, uses a random file name with specific extensions, such as AVI, DOC, MPEG, and TXT.

This worm gathers target recipients by searching an affected system for files with particular extensions. Notably, it avoids sending messages to addresses that contain certain strings.

Worm name: WORM_ARESES.O

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm spreads by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

The use of its own SMTP engine improves the propagation method of this worm since it does not require other messaging applications to send the following email message:

Worm name: BKDR_DUMADOR.AM

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This backdoor arrives on an affected machine as an attachment to a mass-mailed email message.

Upon execution, it drops a copy of itself as LSASS.EXE in the Windows folder. It uses the file name of a valid Windows file to avoid easy detection.

It opens random ports to allow a remote malicious user to connect to the affected machine. Once a connection has been established, it sends a notification packet to the URL www.alfa{BLOCKED}.com/logger.php to inform the remote user that this backdoor is running on the target machine. The remote user may then issue certain commands on the affected system.

Worm name: WORM_RBOT.AHS

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm may be downloaded from specific URL links. These URL links may either arrive through an unsolicited email, more commonly known as email spam, or arrive through instant messenger.

The aforementioned email is made to look like a legitimate Symantec Web site offering a virus cleaner for w32.aplore@mm.

This worm spreads by sending a message to all online contacts of the affected user's Instant Messaging applications like AOL, MSN, and Yahoo. The said message contains URLs that direct the affected user to a Web site, where this worm can be downloaded.

Worm name: PE_DETNAT.B

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This file infector propagates through network shares. It searches for shared drives on an affected system, and then infects all executable (.EXE) files that exist in the said shares.

It also infects .EXE files found in different drives, including their subfolders. However, it avoids infecting .EXE files located in the Windows folder.

It performs its infection routine by compressing the host file into one of the code sections of this file infector. Once an infected file is executed, it creates a copy of the said infected file in the Documents and Settings\{User's profile}\Local Settings\Temp folder.
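As an added defender-side example (not part of the original alert and not Trend Micro's own tooling), the following Python script triages a file listing for the two host-based indicators these entries describe: an lsass.exe located outside the System32 folder, matching the copy BKDR_DUMADOR.AM drops in the Windows folder, and a COOLER{random numbers}.EXE file under Local Settings\Temp, the name PE_DETNAT.A gives the copy it moves there (PE_DETNAT.B drops a copy in the same folder). The sample paths are constructed for illustration; the function and pattern names are my own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample listing, as a forensic tool might export it.
# These are not paths observed on a real system.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\lsass.exe",                                        # legitimate location
    r"C:\WINDOWS\LSASS.EXE",                                                 # DUMADOR-style drop
    r"C:\Documents and Settings\alice\Local Settings\Temp\COOLER48213.EXE",  # DETNAT-style copy
    r"C:\Documents and Settings\alice\Local Settings\Temp\report.tmp",       # benign temp file
    r"C:\Program Files\App\cooler.exe",                                      # similar name, no digits
]

# COOLER followed by one or more digits, .EXE extension, any letter case.
COOLER_RE = re.compile(r"^COOLER\d+\.EXE$", re.IGNORECASE)


def classify(path):
    """Return a short indicator label for a suspicious path, or None."""
    p = PureWindowsPath(path)
    name = p.name
    parts = [part.lower() for part in p.parts]

    # LSASS.EXE belongs in System32; a copy elsewhere (e.g. directly in the
    # Windows folder, as described for BKDR_DUMADOR.AM) is worth a look.
    if name.lower() == "lsass.exe" and "system32" not in parts:
        return "BKDR_DUMADOR.AM indicator: lsass.exe outside System32"

    # COOLER{digits}.EXE under Local Settings\Temp, as described for PE_DETNAT.A.
    if COOLER_RE.match(name) and "local settings" in parts and "temp" in parts:
        return "PE_DETNAT indicator: COOLER{digits}.EXE in Local Settings\\Temp"

    return None


def triage(paths):
    """Return (path, label) pairs for every path that matches an indicator."""
    findings = []
    for path in paths:
        label = classify(path)
        if label:
            findings.append((path, label))
    return findings


if __name__ == "__main__":
    for path, label in triage(SAMPLE_FILES):
        print(f"{label}\n    {path}")
```

The check is deliberately narrow: it keys on location plus name, because the file name alone (lsass.exe) is legitimate in System32, and a hit should be confirmed by hashing the file and comparing it with a known-good copy rather than acting on the name match alone.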

 

 

Worm name: TROJ_ARHIVEUS.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan aims to extort money from the affected user by encrypting all the files located in the affected system's My Documents folder. It does this by compressing the files into an image file and securing the said image file with a particular password. After the compressed image file has been created, this Trojan deletes all the files located in the My Documents folder and its subfolders.

It then leaves a ransom note in the affected system's My Documents folder. The said ransom note informs the user that the files in the My Documents folder have been gathered and encrypted in a password-protected image file. It blackmails the user into accessing and purchasing products from several pharmaceutical Web sites by promising to send the image file's password to the user via email once a purchase has been made.

References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)