2006-02-01 14:38

[Virus Alert] 12 new worms found

Worm name: WORM_BAGLE.CJ

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

Once this worm arrives on a system, it opens the file ~{2 random characters}.jpg (an image shown in the original alert) using the affected system's default image viewer.

In the background, however, it drops several files, which are detected by Trend Micro as WORM_BAGLE.CJ. It performs this routine so that the user believes only the image file has been opened.

Similar to previous WORM_BAGLE variants, this worm propagates via peer-to-peer (P2P) file-sharing applications by creating copies of itself in folders whose names contain the string shar. It uses this routine to make itself available to other users of P2P programs, banking on the probability that a folder whose name contains the string shar is a shared folder of a file-sharing application. This worm's dropped file appears as an installation package of the popular messaging application ICQ. As a result, the affected user is usually unsuspicious of the file's contents.

Worm name: TROJ_PGPCODER.C

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This Trojan may arrive as a file dropped or downloaded by another malware. It encrypts all files with certain extension names found on any readable and writable drive on an affected system. Encrypting files with the said extension names renders them unusable to an affected user.


It then drops the file README.TXT into each folder where the encrypted files are located. The dropped .TXT file, which tells the user how to have the affected files decrypted, contains the following strings:

In effect, this Trojan attempts to make the affected user shell out money to restore the encrypted files.


Worm name: JS_FEEBS.JZ

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This malicious JavaScript is embedded in a malicious Web site and is run on a system when a user visits that Web site. It may also arrive on the system as an .HTML file attached to an email message spammed by malware, such as WORM_FEEBS.CH, or by a malicious user.

It downloads and executes a file detected by Trend Micro as WORM_FEEBS.CH in the Windows system folder.


When running on the affected system, it shows a fake google.com loading page that displays a text message saying there is no available connection. The user is led to believe that the script has failed, though it is already downloading an encoded file detected by Trend Micro as WORM_FEEBS.CH. It then decodes and executes that file on the affected system. The fake page is most probably an attempt to hide its download routine.

Worm name: WORM_FEEBS.CH

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This worm employs a propagation technique similar to that used by certain WORM_BAGLE variants. The difference lies in its use of a malicious JavaScript instead of a Trojan to download copies of itself from a certain location onto an affected system. That JavaScript is detected by Trend Micro as JS_FEEBS.JZ.

Once this worm executes, it sends out copies of JS_FEEBS.JZ to target recipients via email using its own Simple Mail Transfer Protocol (SMTP) engine. Through this SMTP engine, it is able to easily send email messages even without using other mailing applications, such as Microsoft Outlook.


It also drops .ZIP archives that contain copies of JS_FEEBS.JZ in folders whose names contain the strings DOWNLOAD and SHARE. It works under the assumption that folders with those strings in their names are folders shared within peer-to-peer (P2P) networks. By dropping its .ZIP files into those locations, this worm can extend its propagation reach to other target systems within the affected P2P network.

Note that the .ZIP file names used by this worm are similar to the names of popular applications, which may trick an affected user into thinking that the files are not threats to the system.
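A defender's hunt for the shared-folder drop behaviour that WORM_BAGLE.CJ and WORM_FEEBS.CH share (both described above), as an added example that is not Trend Micro's code: it assumes a local directory tree to scan, and the lure-name list and the sample tree it builds are constructed for the demonstration.

```python
"""Hunt for the P2P shared-folder drop behaviour described above.
Added example, not Trend Micro's code. Flags executables/archives with
app-like names inside folders whose names contain "shar" (WORM_BAGLE.CJ)
or "download"/"share" (WORM_FEEBS.CH). Lure list and sample tree are
constructed for the demo.
"""
import os
import tempfile

FOLDER_MARKERS = ("shar", "download")          # "share" contains "shar"
LURE_STEMS = ("icq", "winamp", "kazaa", "msn")  # constructed lure list
SUSPECT_EXT = (".exe", ".zip", ".scr")

def is_dropper_target(folder_name: str) -> bool:
    """True when a folder name matches what the worms treat as 'shared'."""
    name = folder_name.lower()
    return any(marker in name for marker in FOLDER_MARKERS)

def looks_like_lure(file_name: str) -> bool:
    """Executable or archive whose stem imitates a well-known application."""
    stem, ext = os.path.splitext(file_name.lower())
    return ext in SUSPECT_EXT and any(s in stem for s in LURE_STEMS)

def hunt(root: str) -> list:
    """Return relative paths of suspicious files in shared-looking folders."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if not is_dropper_target(os.path.basename(dirpath)):
            continue
        for f in files:
            if looks_like_lure(f):
                hits.append(os.path.relpath(os.path.join(dirpath, f), root))
    return sorted(hits)

def build_sample_tree() -> str:
    """Constructed sample: one P2P share with lures, one clean folder."""
    root = tempfile.mkdtemp()
    for rel in ("Kazaa/My Shared Folder/ICQ_Setup.exe",
                "Downloads/winamp_pro.zip",
                "Documents/notes.txt",
                "Documents/icq.txt"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root

if __name__ == "__main__":
    for hit in hunt(build_sample_tree()):
        print("suspicious:", hit)
```

Point `hunt()` at a real P2P client's share directory to triage it; the name heuristics are deliberately loose, so review hits rather than deleting them automatically.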

Worm name: BKDR_BREPLIBOT.H

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This memory-resident backdoor arrives on a system as an attachment to spammed email messages. The said attachment uses the file name PHOTO AND ARTICLE.EXE. It may also be downloaded from the Internet, or dropped by other malware.


It runs a command in order to bypass the firewall settings of the affected system. This command allows the backdoor to perform its routines unhindered.

It listens on a random port and allows a remote malicious user to execute certain commands on the affected system. This routine compromises system security and opens the affected machine to further attacks.

Worm name: SYMBOS_SKULLS.H

Risk rating: MEDIUM

Damage Potential: MEDIUM

Distribution Potential: MEDIUM


Description:

This Symbian malware propagates by sending copies of itself to other mobile devices via Bluetooth. It affects mobile devices running the Symbian operating system with the Series 60 Platform user interface. It usually arrives on a mobile device masquerading as an antivirus application using the file name ANTI VIRUS FROM F-SECURE.SIS. Target users are then tricked into installing this Symbian malware, thinking it is a legitimate antivirus application.

Some of the affected mobile device models are listed below:

• Nokia 3600
• Nokia 3620
• Nokia 3650
• Nokia 3660
• Nokia 6600
• Nokia 6620
• Nokia 7610
• Nokia 7650
• Nokia N-Gage
• Panasonic X700
• Sendo X
• Siemens SX1

Upon installation, it drops several files on an affected mobile device. The dropped files are detected by Trend Micro as any one of the following Symbian malware:

• SYMBOS_CABIR.A
• SYMBOS_SKULLS.F
• SYMBOS_SKULLS.I
• SYMBOS_FONTAL.B

This Symbian malware drops several files, overwriting certain legitimate utilities, antivirus-related files, and applications installed on the affected mobile device, thus causing those applications not to run properly.

Worm name: SYMBOS_FONTAL.J

Risk rating: MEDIUM

Damage Potential: MEDIUM

Distribution Potential: MEDIUM


Description:

This memory-resident worm takes advantage of the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Security Bulletin MS04-011.


It also propagates by attaching a copy of itself to an email message, which it sends to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine.


It affects mobile devices running the Symbian operating system with the Series 60 Platform user interface. It usually arrives on a mobile device masquerading as a phone utility using the file name FEXPLORER 1.16-FULL.SIS. Target users are then tricked into installing this Symbian malware, thinking it is a legitimate application.

Some of the affected mobile device models are listed below:

• Nokia 3600
• Nokia 3620
• Nokia 3650
• Nokia 3660
• Nokia 6600
• Nokia 6620
• Nokia 7610
• Nokia 7650
• Nokia N-Gage
• Panasonic X700
• Sendo X
• Siemens SX1

If a user chooses to install this malware, it proceeds to drop several files in the phone's memory, including the malicious file T-VIRUS.SIS, which is detected by Trend Micro as SYMBOS_FONTAL.B.


Worm name: SYMBOS_FONTAL.K

Risk rating: MEDIUM

Damage Potential: MEDIUM

Distribution Potential: MEDIUM


Description:

This Symbian malware affects mobile devices running the Symbian operating system with the Series 60 Platform user interface. Some of the affected phone models are the following:

• Nokia 3600
• Nokia 3620
• Nokia 3650
• Nokia 3660
• Nokia 6600
• Nokia 6620
• Nokia 7610
• Nokia 7650
• Nokia N-Gage
• Panasonic X700
• Sendo X
• Siemens SX1

It has no propagation capabilities and needs user intervention for it to be installed on target devices.


Upon execution, the mobile device displays a warning message that the application being installed may have come from an untrusted source and may cause problems when installed on the mobile device. If the user chooses to install this Symbian malware, it drops a file in the phone's memory. Trend Micro detects that file as SYMBOS_FONTAL.B.

Worm name: JS_FEEBS.JT

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This malicious JavaScript is embedded in a malicious Web site and is run on a system when a user visits that Web site. It may also arrive on the system as an .HTML file attached to an email message spammed by malware, such as WORM_FEEBS.CH, or by a malicious user.

It downloads and executes a file detected by Trend Micro as WORM_FEEBS.CH in the Windows system folder.


When running on the affected system, it shows a fake yahoo.com loading page that displays a text message saying there is no available connection. The user is led to believe that the script has failed, though it is already downloading an encoded file detected by Trend Micro as WORM_FEEBS.CH. It then decodes and executes that file on the affected system. The fake page is most probably an attempt to hide its download routine.

Worm name: WORM_ANTINNY.AY

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This worm propagates via the popular peer-to-peer (P2P) file-sharing application Winny. It drops copies of itself in the shared folders of that P2P application. It uses enticing file names to trick users into downloading and executing this worm; most of the file names it uses are related to software cracks and Japanese popular music. Upon execution, it displays a copyright message using the affected system's default text editor. This routine is an attempt to mask its malicious activity.

Worm name: JS_FEEBS.K

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This malicious JavaScript is embedded in a malicious Web site and executes on a computer when a user visits the said Web site. It may also arrive as an attachment to an email message.


When executed, it displays a fake loading page for certain Web-based email providers saying that there is no available connection. The user is led to believe that the Web page cannot be reached, though the script is already downloading an encoded file detected by Trend Micro as WORM_FEEBS.KT. It then decodes and executes that file on the affected system.

If it is unable to create registry entries for its autostart technique, it then drops the downloaded WORM_FEEBS.KT file into the Common Startup folder.


This JavaScript also deletes registry keys related to antivirus and security companies, rendering the affected system vulnerable to other malware threats.


Worm name: BKDR_BREPIBOT.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH


Description:

This memory-resident backdoor arrives on a system as an attachment to a spammed email message. It may also arrive as a dropped or downloaded file from the Internet.


It opens TCP port 8080 and connects to a specific Internet Relay Chat (IRC) server. It then joins an IRC channel, where it receives commands from a remote malicious user. It carries out those commands, thus compromising system security and increasing the risk of further attacks on the affected machine.

Upon execution, it drops a copy of itself using the file name LSADST.EXE in the Windows system folder.


Moreover, it executes the legitimate system file NETSH.EXE. This lets it reconfigure the Windows firewall, adding an exception that permits traffic on TCP port 8080, which this backdoor uses for its malicious routines.

References:

http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)