2006-03-16 12:02

[Virus Alert] 5 new worms found

Worm name: TROJ_DLOADER.CHU

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

Upon execution, it connects to the Web site life{BLOCKED}o.za/capetownday5.gif to download the file BOOT.OLD to the hardcoded location C:. However, as of this writing, the said Web site is inaccessible.

It also connects to the Web site www.gobe{BLOCKED}queta.gov.co/images/c655.gif to download the file AUTOEXEC.EXE to the hardcoded location C:. The said file is detected by Trend Micro as TROJ_HAXDOR.Q.

Its download routine increases the risk of acquiring more malware threats on the affected computer.

Worm name: ELF_MARE.K

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This malicious Linux executable (ELF) file propagates by exploiting the following vulnerabilities:

• XML-RPC for PHP Remote Code vulnerability
• Mambo FUNCTION.PHP Arbitrary Command Execution vulnerability

It downloads and executes malicious files detected by Trend Micro as PHP_DEFTOOL.A and UNIX_MARE.L.

The mentioned routine opens the affected system to further malicious attacks.

Worm name: ELF_KAITEN.AJ

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This malicious Linux executable (ELF) file arrives as a file downloaded by another malware, which Trend Micro detects as UNIX_MARE.L.

It connects to any of the following Internet Relay Chat (IRC) servers:

• eu.undernet.org
• us.undernet.org

It then joins the IRC channel #readonly to wait for commands from a remote malicious user. Once it establishes a connection, it executes any of the following commands, which the said remote user may issue:

• Enable or disable the IRC client
• Send UDP packets
• Spoof an IP address
• Change client nickname
• Change servers
• Enable or disable packeting
• Terminate the client
• Download files from the Internet
• Execute files remotely
• Initiate denial of service attacks using SYN and UDP flooding methods

Worm name: UNIX_MARE.L

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Unix malware arrives as a file downloaded by another malware detected by Trend Micro as ELF_MARE.K.

Once it detects an Internet connection, it downloads and executes the following files from the indicated Web sites:

• 1{BLOCKED}20.92.80/curios - detected by Trend Micro as ELF_MARE.K
• 1{BLOCKED}20.92.80/r - detected as ELF_KAITEN.AJ

It also terminates certain processes. The said routines make the affected system more vulnerable to malware attacks.
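As an added example that is not part of the Trend Micro bulletin, the following Python script matches the indicators the bulletin prints for ELF_KAITEN.AJ (the two undernet IRC servers and the #readonly channel), UNIX_MARE.L (the /curios and /r downloads) and TROJ_DLOADER.CHU (the two .gif file names) against constructed proxy/firewall log lines, and then correlates any host that shows both a payload download and the IRC contact, which is the download-then-C2 chain the two Linux entries describe. The key=value log format, the field names, the documentation-range IP addresses and every line of SAMPLE_LOG are assumptions made for the example; hosts the bulletin redacts as {BLOCKED} are deliberately not reconstructed.

```python
"""Constructed IOC matcher for the indicators printed in this bulletin (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Indicators taken from the bulletin text. Redacted {BLOCKED} hosts are not
# reconstructed; only the IRC servers, channel and URL paths it prints are used.
IRC_SERVERS = {"eu.undernet.org", "us.undernet.org"}   # ELF_KAITEN.AJ C2 servers
IRC_CHANNEL = "#readonly"                                # ELF_KAITEN.AJ channel

# (pattern on the request URL, label). Anchored at the end of the URL so that
# the short "/r" path does not fire on every path that merely starts with "r".
DOWNLOAD_PATHS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"/capetownday5\.gif$", re.I), "TROJ_DLOADER.CHU first-stage fetch (BOOT.OLD)"),
    (re.compile(r"/images/c655\.gif$", re.I), "TROJ_DLOADER.CHU fetch of TROJ_HAXDOR.Q (AUTOEXEC.EXE)"),
    (re.compile(r"/curios$", re.I), "UNIX_MARE.L fetch of ELF_MARE.K"),
    (re.compile(r"/r$", re.I), "UNIX_MARE.L fetch of ELF_KAITEN.AJ"),
]

# Assumed log format: "<timestamp> key=value key=value ..." (one event per line).
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log; IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2006-03-16T12:01:55 src=10.0.0.5 dst=192.0.2.10:80 method=GET url=http://192.0.2.10/curios
2006-03-16T12:01:58 src=10.0.0.5 dst=192.0.2.10:80 method=GET url=http://192.0.2.10/r
2006-03-16T12:02:01 src=10.0.0.5 dst=198.51.100.7:6667 host=eu.undernet.org
2006-03-16T12:02:03 src=10.0.0.5 irc_cmd=JOIN irc_arg=#readonly
2006-03-16T12:03:10 src=10.0.0.7 dst=198.51.100.20:80 method=GET url=http://198.51.100.20/images/c655.gif
2006-03-16T12:04:00 src=10.0.0.9 dst=203.0.113.4:80 method=GET url=http://203.0.113.4/images/readme.gif
2006-03-16T12:04:05 src=10.0.0.9 dst=203.0.113.4:443 host=www.example.org
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a field dict; the leading token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(None, 1)[0] if line.strip() else ""
    return fields


def check(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (kind, reason) pairs for every bulletin indicator the line matches."""
    hits: List[Tuple[str, str]] = []
    host = fields.get("host", "").lower()
    if host in IRC_SERVERS:
        hits.append(("irc", f"connection to IRC server {host}"))
    if fields.get("irc_cmd", "").upper() == "JOIN" and fields.get("irc_arg", "").lower() == IRC_CHANNEL:
        hits.append(("irc", f"JOIN to channel {IRC_CHANNEL}"))
    url = fields.get("url", "")
    for pattern, label in DOWNLOAD_PATHS:
        if pattern.search(url):
            hits.append(("download", label))
    return hits


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run every non-empty line through check() and collect alerts with context."""
    alerts: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        for kind, reason in check(fields):
            alerts.append({"ts": fields["ts"], "src": fields.get("src", "?"),
                           "kind": kind, "reason": reason})
    return alerts


def correlate(alerts: List[Dict[str, str]]) -> Set[str]:
    """Sources showing both a payload download and IRC activity, i.e. the
    UNIX_MARE.L -> ELF_KAITEN.AJ chain, rather than a single isolated hit."""
    kinds: Dict[str, Set[str]] = {}
    for alert in alerts:
        kinds.setdefault(alert["src"], set()).add(alert["kind"])
    return {src for src, seen in kinds.items() if {"irc", "download"} <= seen}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(f'{alert["ts"]} {alert["src"]:<10} {alert["kind"]:<8} {alert["reason"]}')
    print("hosts showing the full download -> IRC chain:", sorted(correlate(found)))
```

Single hits are worth a ticket on their own (the undernet servers are public, so a lone IRC connection is a weaker signal than a fetch of one of the named paths), but a source that produces both kinds of alert within minutes matches the bulletin's description closely enough to treat as an infected host.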

Worm name: WORM_CXOVER.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This is Trend Micro's detection for a proof-of-concept cross-platform worm that affects desktop computers and mobile devices running the .NET Framework. The said framework is commonly installed with Windows XP, Windows Server 2003, and mobile devices running Windows CE or Mobile Edition.

This worm uses built-in functionality of the .NET Framework to obtain the string that identifies the operating system version on which it is currently running.

It then checks whether the substrings CE and mobile exist in that string. If the substrings are found, the worm executes its code for the mobile platform; otherwise, it executes the code for the desktop computer.

References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro