2006-05-22 12:41

[Virus Alert] 8 new worms found

Worm name: WORM_MYDOOM.BT

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

Unlike other worms that activate their mass-mailing routine automatically, this worm waits for a remote malicious user to trigger it. It first runs its backdoor routines, one of which sends the IP address of the affected system to the remote user. Once that user has the IP address, the worm's propagation routine can be activated remotely.

Also unlike worms that carry a predefined set of email details, it harvests email-related information, such as subject lines, sender names, and message bodies, from the affected system. As a result it can send more realistic messages, with more variation, than other mass-mailers.

It attaches a copy of itself to the email messages it sends. Executing the attachment turns the recipient's system into another propagation launchpad and furthers the worm's spread.


Worm name: SYMBOS_SKULLS.Z

Risk rating: MEDIUM

Damage Potential: MEDIUM

Distribution Potential: MEDIUM


Description:

It displays a message instructing the user to restart the phone. It then drops files onto the affected phone's memory card (usually E:\). One of the dropped files is detected as TROJ_KAGEN.B, whose presence further raises the risk to the affected device.

It also attempts to overwrite files in the affected phone's flash memory (usually C:\) with corrupted copies of certain files. This is intended to make the phone fail to boot.

Once installed, the malware displays an image on the phone's screen.


Worm name: WORM_ANTINNY.BJ

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

It spreads copies of itself through file-sharing programs that use the file SHARE.EXE, searching the network for shared folders whose names contain certain strings.

It can search all folders and gather documents with certain extensions. It also retrieves several .DBX mail-store files from Microsoft Outlook Express. These routines let a remote malicious user access and use the stolen information.

It also creates a folder named UP in the Windows folder and stores there a .ZIP archive containing a copy of itself together with the gathered documents. The archive's name is a combination of English and Japanese characters.


Worm name: W97M_MDROPPER.AB

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

It is a zero-day exploit: a Word document that executes shellcode which, in turn, runs an .EXE file embedded in the document on the affected system. The dropped file is detected by Trend Micro as BKDR_GINWUI.A.

Zero-day exploits are so called because the exploit is in circulation before the vendor has released a patch, that is, the vendor has had zero days to fix the vulnerability. This is dangerous because many computers can be affected while the exploit code is available and no patch exists.

After the exploit triggers an error in Microsoft Word, it restarts the application and opens a blank document on the affected system.
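As an added example (not from the original bulletin or from Trend Micro), the following Python script shows the simplest triage check for a dropper of this kind: scanning a document blob for an embedded Windows executable by locating an MZ header whose e_lfanew field points at a valid PE signature. The sample document bytes, the minimal fake PE image and the bounds used for e_lfanew are constructed assumptions, not data taken from W97M_MDROPPER.AB.

```python
"""Locate a Windows executable embedded inside a document blob.

Droppers like the one described above carry the payload .EXE inside the
.DOC file; the shellcode only has to find it and write it out. The same
MZ/PE walk lets a responder find and carve it from a suspect document.
"""
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 compound file signature
IMAGE_FILE_MACHINE_I386 = 0x14C


def build_fake_pe(payload_len: int = 64) -> bytes:
    """Constructed sample: a 64-byte DOS header whose e_lfanew points at a
    PE signature, followed by filler. Not a real executable."""
    e_lfanew = 0x40
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    pe_header = b"PE\x00\x00" + struct.pack("<H", IMAGE_FILE_MACHINE_I386)
    return bytes(dos_header) + pe_header + b"\x00" * payload_len


def find_embedded_pe(blob: bytes, start: int = 0):
    """Yield (offset, machine) for every MZ header in blob whose e_lfanew
    lands on a 'PE\\0\\0' signature. Stray 'MZ' byte pairs in text are
    rejected because their e_lfanew is out of range or points at garbage."""
    pos = blob.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            pe_off = pos + e_lfanew
            # Heuristic bounds (assumption): real PEs keep e_lfanew small.
            if (0x40 <= e_lfanew <= 0x1000
                    and pe_off + 6 <= len(blob)
                    and blob[pe_off:pe_off + 4] == b"PE\x00\x00"):
                (machine,) = struct.unpack_from("<H", blob, pe_off + 4)
                yield pos, machine
        pos = blob.find(b"MZ", pos + 1)


def scan_document(doc: bytes) -> list:
    """Return [(offset, machine_hex), ...] for embedded executables."""
    return [(off, hex(machine)) for off, machine in find_embedded_pe(doc)]


def carve(blob: bytes, offset: int) -> bytes:
    """Crude carve: everything from the MZ header to the end of the blob.
    A precise carve would parse the section table for the true image size."""
    return blob[offset:]


# Constructed sample document: OLE2 magic, empty header sector, a decoy
# "MZ" inside ordinary text, then the fake executable, then trailing bytes.
SAMPLE_DOC = (OLE_MAGIC + b"\x00" * 504
              + b"MZ not a real header " + b"A" * 100
              + build_fake_pe() + b"trailer")

if __name__ == "__main__":
    for off, machine in scan_document(SAMPLE_DOC):
        print(f"embedded PE at offset {off}, machine {machine}")
```

Run against a real suspect .DOC, the offsets reported are where a payload would be carved from; a hit in a document that should contain only text and formatting is a strong indicator of this dropper technique.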


Worm name: BKDR_GINWUI.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

It is dropped into the current user's Temporary folder as 20060424.BAK. When executed, it drops WINGUIS.DLL into the Windows system folder; this .DLL contains the backdoor routine.

It opens various ports so that a remote malicious user can connect to the affected machine and issue commands on it, compromising system security.

This backdoor uses its rootkit capability to hide its files, process, and registry entry from the affected user, avoiding easy detection. It also attempts to access a certain Web site.
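The file artifacts named above for BKDR_GINWUI.A (20060424.BAK in the Temp folder, WINGUIS.DLL in the system folder) and for WORM_ANTINNY.BJ (a .ZIP under the Windows UP folder bundling a copy of the worm with harvested documents) can be swept for with the script below, an added example that is not part of the original bulletin. Because GINWUI.A hides its files with a rootkit, the sweep should be run against the volume mounted from a clean boot environment rather than on the live infected system. The sample directory layout, the document extensions and the ZIP contents are constructed assumptions.

```python
"""Sweep a mounted Windows volume for the file artifacts named in the
WORM_ANTINNY.BJ and BKDR_GINWUI.A write-ups."""
import os
import tempfile
import zipfile
from pathlib import Path

# File names from the GINWUI.A write-up (NTFS is case-insensitive).
GINWUI_A_FILES = {"20060424.bak", "winguis.dll"}
# ANTINNY bundles an executable copy of itself with "documents"; the page
# does not list the document extensions, so these sets are assumptions.
EXEC_EXTS = {".exe", ".scr", ".com"}
DOC_EXTS = {".doc", ".xls", ".txt", ".dbx"}


def suspicious_zip(path: Path) -> bool:
    """Flag archives holding at least one executable AND one document,
    the shape of the archive ANTINNY stores under <Windows>\\UP."""
    try:
        with zipfile.ZipFile(path) as zf:
            exts = {Path(n).suffix.lower() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return False
    return bool(exts & EXEC_EXTS) and bool(exts & DOC_EXTS)


def sweep(volume: Path) -> list:
    """Return sorted volume-relative paths matching either write-up."""
    hits = []
    for root, _dirs, files in os.walk(volume):
        root_p = Path(root)
        in_up_folder = (root_p.name.upper() == "UP"
                        and root_p.parent.name.upper() == "WINDOWS")
        for name in files:
            p = root_p / name
            rel = p.relative_to(volume).as_posix()
            if name.lower() in GINWUI_A_FILES:
                hits.append(rel)
            elif in_up_folder and name.lower().endswith(".zip") and suspicious_zip(p):
                hits.append(rel)
    return sorted(hits)


def build_sample_volume() -> Path:
    """Constructed sample layout (not data from an infected machine):
    one benign DLL, the two GINWUI.A drops, one ANTINNY-style archive
    and one benign archive in the UP folder."""
    vol = Path(tempfile.mkdtemp(prefix="vol_"))
    sys32 = vol / "WINDOWS" / "system32"
    up = vol / "WINDOWS" / "UP"
    temp = vol / "Documents and Settings" / "user" / "Local Settings" / "Temp"
    for d in (sys32, up, temp):
        d.mkdir(parents=True)
    (sys32 / "kernel32.dll").write_bytes(b"MZ")          # benign
    (sys32 / "WINGUIS.DLL").write_bytes(b"MZ" + b"\0" * 62)
    (temp / "20060424.BAK").write_bytes(b"MZ")
    # Real ANTINNY archive names mix English and Japanese characters;
    # an ASCII name is used here so the sample runs on any filesystem.
    with zipfile.ZipFile(up / "up_copy.zip", "w") as zf:
        zf.writestr("share_copy.exe", b"MZ")
        zf.writestr("inbox.dbx", b"harvested mail store")
    with zipfile.ZipFile(up / "backup.zip", "w") as zf:
        zf.writestr("notes.txt", b"benign")
    return vol


if __name__ == "__main__":
    for hit in sweep(build_sample_volume()):
        print("artifact:", hit)
```

Point `sweep()` at the mount point of the suspect volume (for example the root of a drive image mounted read-only). File-name matching alone is weak evidence, so treat hits as leads for hashing and further analysis rather than as a verdict.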


Worm name: W97M_MDROPPER.AC

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

Like W97M_MDROPPER.AB, it is a zero-day exploit: a Word document that executes shellcode which, in turn, runs an embedded .EXE file on the affected system. The dropped file is detected by Trend Micro as BKDR_GINWUI.B.

After the exploit triggers an error in Microsoft Word, it restarts the application and opens a blank document on the affected system.


Worm name: BKDR_GINWUI.B

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

When executed, it drops ZSYHIDE.DLL and ZSYDLL.DLL into the Windows system folder. The backdoor injects these .DLL files, which are also detected as BKDR_GINWUI.B, into running processes to stay resident in memory and to hide its process, avoiding easy detection.

Over TCP port 80, this backdoor contacts a remote server at scfzf.{BLOCKED}cp.net via Hypertext Transfer Protocol (HTTP) and then waits for commands from a remote malicious user. It executes these commands locally on the infected system, giving the remote user effective control over it and compromising system security.
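To illustrate how the HTTP polling described above shows up in proxy logs, here is an added example in Python that is not from the bulletin. The log format, the placeholder hostname c2.example.net standing in for the redacted server, and the regular-interval heuristic are assumptions; the bulletin gives no polling interval, so the interval check is a general beacon heuristic rather than a GINWUI.B-specific signature.

```python
"""Flag command-and-control polling over TCP/80 in web proxy logs.

Two checks: (1) a straight match against a blocklist of known C2 hosts,
which catches this sample once the server name is known, and (2) a
beacon heuristic for unknown servers: a client that fetches the same
host at near-constant intervals, which is how a backdoor that "listens
for commands" over HTTP has to behave, since HTTP gives it no push channel.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<ISO time> <client> <dest host>:<port> <method> <path>"
# 10.0.0.5 polls the C2 every 60 s; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2006-05-22T12:00:00 10.0.0.5 c2.example.net:80 GET /cmd.php
2006-05-22T12:00:05 10.0.0.7 www.example.org:80 GET /index.html
2006-05-22T12:01:00 10.0.0.5 c2.example.net:80 GET /cmd.php
2006-05-22T12:01:12 10.0.0.7 www.example.org:80 GET /news/
2006-05-22T12:02:00 10.0.0.5 c2.example.net:80 GET /cmd.php
2006-05-22T12:02:50 10.0.0.7 images.example.org:80 GET /logo.png
2006-05-22T12:03:00 10.0.0.5 c2.example.net:80 GET /cmd.php
2006-05-22T12:04:00 10.0.0.5 c2.example.net:80 GET /cmd.php
2006-05-22T12:04:03 10.0.0.7 www.example.org:80 GET /about
2006-05-22T12:05:00 10.0.0.5 c2.example.net:80 GET /cmd.php
2006-05-22T12:07:41 10.0.0.7 www.example.org:80 GET /contact
2006-05-22T12:09:02 10.0.0.7 www.example.org:80 GET /search?q=x
"""

# Placeholder: the bulletin redacts the real server name as scfzf.{BLOCKED}cp.net.
BLOCKLIST = {"c2.example.net"}


def parse(log_text: str):
    """Yield (timestamp, client, host, port, method, path) per log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, hostport, method, path = line.split()
        host, port = hostport.rsplit(":", 1)
        yield datetime.fromisoformat(ts), client, host, int(port), method, path


def known_bad(records, blocklist=BLOCKLIST) -> list:
    """(client, host) pairs that touched a blocklisted server."""
    return sorted({(c, h) for _, c, h, _, _, _ in records if h in blocklist})


def beacon_like(records, min_hits: int = 5, max_cv: float = 0.2) -> list:
    """(client, host, mean_gap_s, cv) for hosts polled at steady intervals.
    cv is the coefficient of variation of the inter-request gaps; human
    browsing produces a high cv, a timer loop a low one. Thresholds are
    tuning assumptions."""
    times = defaultdict(list)
    for ts, client, host, port, _, _ in records:
        if port == 80:
            times[(client, host)].append(ts)
    out = []
    for (client, host), ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            out.append((client, host, round(mean), round(cv, 3)))
    return sorted(out)


def analyse(log_text: str) -> dict:
    records = list(parse(log_text))
    return {"known_bad": known_bad(records), "beacon_like": beacon_like(records)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

Jitter added by a more careful backdoor raises the cv, so `max_cv` has to be tuned against the environment's normal traffic, and legitimate software updaters and RSS readers will also poll on timers; the heuristic surfaces candidates for the blocklist, it does not replace it.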

It also uses its rootkit capability to hide its files, process, and registry entry from the affected user, avoiding easy detection. In addition, it attempts to access a certain Web site.


Worm name: TROJ_BANLOAD.AF

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

Upon execution, it creates a registry entry to bypass the affected system's firewall, which makes it easier for further malware to reach the affected system.

When an Internet connection is detected, this Trojan accesses the Web site a{BLOCKED}ati.com to download a file, which Trend Micro detects as TSPY_BANKER.CP.


References: http://www.trendmicro.com/vinfo/ (Trend Micro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese Trend Micro Virus Security Info)
