2006-07-03 13:42

[Virus Alert] 6 new worms found

Worm name: BKDR_IRCBOT.CR

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

It drops copies of itself as SVCHOST.EXE and LSASS.EXE in the Windows folder. Note that both files are named after legitimate Windows processes.

This backdoor program opens port 3331 and connects to the Internet Relay Chat (IRC) server irc.shadowfire.org. Once connected, it joins channel #obliq2, where it listens for commands from a remote malicious user. It executes the said commands locally on the affected machine, thus compromising system security.

It terminates several processes that are related to monitoring and security applications. It does the said routine to prevent early detection and removal.
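The indicators in the BKDR_IRCBOT.CR description above (legitimate process names dropped into the Windows folder instead of System32, a listener on port 3331, a connection to irc.shadowfire.org) can be turned into a simple host check. The script below is an added example, not Trend Micro's code; the record layout it reads and the sample data are constructed assumptions.

```python
import ntpath

# Indicators taken from the BKDR_IRCBOT.CR description above.
MASQUERADED_NAMES = {"svchost.exe", "lsass.exe"}  # legitimate copies live in System32
BACKDOOR_PORT = 3331
IRC_SERVER = "irc.shadowfire.org"


def suspicious_drops(paths, windir=r"C:\Windows"):
    """Return paths that carry a legitimate process name but sit directly in the
    Windows folder rather than System32, the drop location the alert describes."""
    windir_norm = windir.rstrip("\\").lower()
    hits = []
    for path in paths:
        folder, name = ntpath.split(path)
        if name.lower() in MASQUERADED_NAMES and folder.rstrip("\\").lower() == windir_norm:
            hits.append(path)
    return hits


def suspicious_connections(records):
    """records: (pid, image_name, local_port, remote_host, state) tuples, an assumed
    netstat-style export format. Flags a listener on port 3331 or any connection
    to the IRC server named in the alert; returns the distinct (pid, image) pairs."""
    hits = set()
    for pid, image, local_port, remote_host, state in records:
        listening_on_backdoor_port = state == "LISTENING" and local_port == BACKDOOR_PORT
        if listening_on_backdoor_port or remote_host.lower() == IRC_SERVER:
            hits.add((pid, image))
    return sorted(hits)


# Constructed sample data, not taken from a real host.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",   # legitimate location
    r"C:\Windows\svchost.exe",            # masquerading drop
    r"C:\Windows\LSASS.EXE",              # masquerading drop, case differs
    r"C:\Windows\explorer.exe",           # legitimate file in the Windows folder
]
SAMPLE_CONNECTIONS = [
    (1234, "svchost.exe", 3331, "0.0.0.0", "LISTENING"),
    (1234, "svchost.exe", 49152, "irc.shadowfire.org", "ESTABLISHED"),
    (820, "lsass.exe", 49153, "update.example.test", "ESTABLISHED"),
]

if __name__ == "__main__":
    print(suspicious_drops(SAMPLE_PATHS))
    print(suspicious_connections(SAMPLE_CONNECTIONS))
```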

Worm name: PERL_NIVEK.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This is Trend Micro's detection for proof-of-concept (POC) exploit code that takes advantage of a vulnerability in Mac OS X 10.4 up to 10.4.6. The said vulnerability allows remote malicious users to execute code on an affected machine with administrative privileges, thus compromising system security.

This Perl program demonstrates a way to gain root on an x86 OS X system while defeating its non-executable stack feature. This type of exploitation is generally known as a return-to-libc attack.

Worm name: TROJ_YABE.Q

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan may arrive as an attachment to a spammed email message that appears to be coming from eBay. This spoofing technique tricks users into thinking that the message is legitimate.

It connects to various URLs to download possibly malicious files. It may also bypass the Windows firewall to automatically download and execute files.

Worm name: W97M_DLOADER.BYO

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This macro virus arrives on an affected system embedded in a Microsoft Word .DOC file, which may either be dropped by other malware or downloaded unknowingly by a user visiting malicious Web sites.

Affected users may then execute the said .DOC file without knowledge of its malicious intent.

Once the said .DOC file is opened, its hardcoded macro runs and drops a file named MWCHEU.EXE in the root folder. The said file is detected by Trend Micro as TROJ_DLOADER.BYO.

Worm name: WORM_NETSAD.B

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm spreads by attaching a copy of itself to an email message, which it sends to target recipients using a certain Simple Mail Transfer Protocol (SMTP) server. Users must take note of the email details it sends to avoid infection.

This worm banks on social engineering: copies of itself are named either after legitimate applications or after cracking tools for popular software applications. The files are dropped in the shared folders of the abovementioned P2P applications.

Once a target user on the same network copies and executes the said files, that machine is infected by this worm.

Worm name: BKDR_IRCBOT.DB

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This memory-resident backdoor may arrive on a system as a dropped file of other malware.

It modifies the registry so that, when executed, it appears in the Windows Task Manager under a name resembling that of a legitimate application. By doing so, it attempts to trick users into thinking that it is a legitimate process.

It also modifies the registry to disable several system services. The said routine leaves the system more vulnerable to attacks.

References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)