[Virus Alert] 10 new worms found
Worm name: JS_FEEBS.IP
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious JavaScript is usually embedded in a malicious Web site and is run on a system when a user visits the said Web site. It may also arrive on the system as an attachment to spammed email messages sent by WORM_FEEBS.IQ.
When executed, this malicious JavaScript displays a fake aol.com, gmail.com, hotmail.com, msn.com, or yahoo.com loading page. The said page contains a message saying there is no available connection.
Thus, affected users are made to believe that the said Web page is inaccessible, even though an encoded file, which Trend Micro detects as WORM_FEEBS.FU, is already being downloaded by this malicious JavaScript to the C:\Recycled folder. This malicious JavaScript eventually decodes and executes the said file on the affected system.
Worm name: TROJ_DLOADER.DAQ
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
Trend Micro has received numerous samples of this Trojan being spammed in the wild. Upon execution, it connects to a specific URL to download a file, which is detected by Trend Micro as TSPY_HAXDOR.AB.
As a result, the affected system also exhibits the malicious behavior of the downloaded file.
Worm name: JS_FEEBS.IC
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious JavaScript is usually embedded in a malicious Web site and is run on a system when a user visits the said Web site. It may also arrive on the system as an attachment to a spammed email message.
When running on the affected system, it shows a fake yahoo.com or gmail.com loading page that displays a text message saying there is no available connection. The user is led to believe that it does not execute, though it is already downloading an encoded file detected by Trend Micro as WORM_FEEBS.IS. It then decodes and executes the said file on the affected system. The mentioned routine is most probably an attempt to hide its downloading routine.
Thus, a system infected with JS_FEEBS.IC may also be infected with yet another malware, causing even more harm on the system.
Worm name: WORM_FEEBS.IS
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
Its email propagation technique is similar to that used by certain WORM_BAGLE variants. Once this worm executes, it begins to send out copies of a JavaScript file, which Trend Micro detects as JS_FEEBS.IC, to target recipients via email using its own Simple Mail Transfer Protocol (SMTP) engine. Through the said SMTP engine, it is able to send email messages even without using other mailing applications.
It creates a registry key to keep track of its target recipients, that is, the email addresses it has already sent messages to.
On the other hand, this worm's P2P propagation technique is done by dropping a copy of itself (compressed in .ZIP) using a number of file names into P2P file-sharing folders that contain the strings DOWNLOAD or SHARE. The .ZIP file contains a non-malicious text (.TXT) file and the file WEBINSTALL.EXE, which is a copy of the worm.
Worm name: JS_FEEBS.IY
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious JavaScript is usually embedded in a malicious Web site and is run on a system when a user visits the said Web site. It may also arrive on the system as an attachment to a spammed email message sent by a malware detected by Trend Micro as WORM_FEEBS.IG.
Upon execution, it displays a fake loading page, similar to the ones belonging to popular Web-based email providers. The said page displays a text message saying there is no available connection.
The user is led to believe that it does not execute, though it has already dropped a copy of WORM_FEEBS.IG. It then decodes and executes the said file on the affected system. The mentioned routine is most probably an attempt to hide its dropping routine.
Worm name: WORM_MYTOB.QJ
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This memory-resident worm propagates by sending copies of itself as attachments to email messages, which it sends to target recipients using its own SMTP engine. Through the said SMTP engine, it is able to send the said email messages even without using other mailing applications, such as Microsoft Outlook. Users must take note of the details of the said email message to avoid infection.
It also propagates by generating IP addresses and dropping a copy of itself into certain default shares. It also uses a list of user names and passwords to gain access to password-protected shares.
Moreover, it has backdoor capabilities. Using a random port, it connects to an Internet Relay Chat (IRC) server, where it joins a certain channel. Once connected, it listens for certain commands coming from a remote malicious user. The said routine provides the remote malicious user virtual control over the affected system, thus compromising system security.
Worm name: TROJ_YABE.O
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan usually arrives on a system as an attachment to a spammed email message. Users should therefore refrain from opening email messages that come from untrusted sources.
Upon execution, it drops a copy of itself in the Windows system folder using a file name similar to that of its originally executed copy. In addition, it drops a file, which is also detected by Trend Micro as TROJ_YABE.O, in the same folder.
This Trojan waits for an Internet connection, then attempts to download possibly malicious files from certain Web sites.
Worm name: WORM_NUGACHE.A
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
It propagates through the network by dropping a copy of itself into accessible shared folders, making it available to other users. It also propagates via instant messengers, such as AOL Instant Messenger and Windows Messenger. Lastly, this worm propagates by sending copies of itself as an attachment to email messages. The email it sends out has the following details:
This worm also has backdoor capabilities. It attempts to connect to an Internet Relay Chat (IRC) server, where it acts as a bot to listen for malicious commands coming from a remote user. It executes these commands on the local machine, providing the remote user virtual control over the affected system.
Worm name: BKDR_PEEPVIEW.O
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
Upon execution, it drops a copy of itself as EXPLORER.EXE in the Windows system folder. Note that the legitimate Windows process EXPLORER.EXE is located in the Windows folder. Thus, by using the same file name, this backdoor attempts to avoid easy detection and tricks users into thinking that it is a normal file.
It also uses an icon similar to the Macromedia Flash icon to further disguise itself.
This backdoor opens random ports, where it listens for commands from a remote user. The said commands are executed locally on the affected computer, thus effectively compromising the system.
Worm name: JS_FEEBS.JN
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious JavaScript is usually embedded in a malicious Web site and is run on a system when a user visits the said Web site. It may also arrive on the system as an attachment to a spammed email message.
When executed, this malicious JavaScript displays a fake aol.com, gmail.com, hotmail.com, msn.com, or yahoo.com loading page. The said page contains a message saying there is no available connection.
Thus, affected users are led to believe that the said Web page is inaccessible, even though an encoded file, which Trend Micro detects as WORM_FEEBS.JA, is already being downloaded by this malicious JavaScript to the C:\Recycled folder. This JavaScript eventually decodes and executes the said file on the affected system.
References: http://www.trendmicro.com/vinfo/ (Trend Micro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese Trend Micro Virus Security Info)