[Virus Alert] 7 new worms found
Worm name: TROJ_SMALL.AYZ
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan may arrive on an affected system as a downloaded or dropped file of another malware. Several reports have surfaced to indicate that this Trojan is also being spammed via email.
Worm name: TROJ_BOMKA.L
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This Trojan application may arrive on a system as an attachment to spammed emails, posing as a non-malicious dart game to entice users into playing it.
It also drops its .DLL component, which it registers as a Browser Helper Object (BHO) to ensure that it runs every time the user opens Internet Explorer.
This Trojan also attempts to connect to several Web sites to download other files or an update of itself. These downloaded files may be other malware, leaving the affected computer more prone to malicious attacks.
Worm name: JS_FEEBS.LN
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious JavaScript is embedded in a malicious Web site. It may also arrive as an attachment to an email message mass-mailed by WORM_FEEBS.LN or by a malicious user.
When running on the affected system, it shows a fake aol.com, gmail.com, hotmail.com, msn.com, or yahoo.com loading page that displays a text message saying there is no available connection. It appears to the user that the JavaScript has failed to successfully access the Web page even though it is already downloading an encoded file, which is detected by Trend Micro as WORM_FEEBS.LN. It then decodes and executes the said file on the affected computer.
If it is unable to create registry entries for its autostart technique, it then drops the downloaded WORM_FEEBS.LN file into the Common Startup folder.
This malicious JavaScript deletes antivirus and security-related registry entries. This action heightens the risk of more malware infecting the affected computer.
Worm name: WORM_GREW.A
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm propagates by attaching copies of itself to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. Through this SMTP engine, it is able to easily send the said email message even without using other mailing applications, such as Microsoft Outlook.
It gathers email addresses from files with certain extension names or strings. Any gathered email address becomes the next target for propagation.
It is also capable of using strings from the gathered email addresses or from the subject of email messages received by an affected user. It uses the same data for the email message details and adds the generated string to the subject line. This routine gives the impression that the email message comes from a known and trusted source.
Worm name: JS_FEEBS.DI
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This malicious JavaScript is embedded in a malicious Web site and is run on a system when a user visits the said Web site. It may also arrive on the system as an attachment to a spammed email message.
When running on the affected system, it shows a fake aol.com, gmail.com, hotmail.com, msn.com, or yahoo.com loading page. This page displays a text message saying there is no available connection.
The user is led to believe that the said Web page is inaccessible, even though the encoded file USERINIT.EXE, which Trend Micro detects as WORM_FEEBS.DL, is already being downloaded by this malicious JavaScript to the C:\Recycled folder. This JavaScript eventually decodes and executes the said file on the affected system.
As a result, routines of the downloaded worm are also exhibited on the affected machine.
Worm name: TROJ_YABE.J
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
A Trojan application is malware with no capability to spread to other systems. It is usually downloaded from the Internet and installed by unsuspecting users.
This Trojan arrives on a system as an attachment to a mass-mailed email message that appears to come from eBay. This spoofing technique tricks a user into thinking that the email message and its attached file are legitimate.
When executed, it drops a copy of itself in the Windows system folder as ipwf.exe. It also drops the non-malicious file winut.dat in the drivers folder of the Windows system folder.
It bypasses the firewall of the affected system by creating certain registry entries, thus allowing this Trojan to run its routines on the system.
Worm name: WORM_BAGLE.EF
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This memory-resident worm propagates by sending copies of itself as an attachment to email messages that it sends to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine. Through the said SMTP engine, it is able to easily send email messages even without using other mailing applications, such as Microsoft Outlook.
It gathers email addresses from files with certain extension names. It also avoids email addresses that contain specific strings.
This worm also propagates by dropping copies of itself into all folders that contain the text string SHAR. It uses this routine to make itself available to other machines in a network, banking on the probability that folders with the text string SHAR are network shared folders, or shared folders used by peer-to-peer (P2P) file-sharing applications. It may use any of several file names for the dropped copies.
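The file locations named in the TROJ_YABE.J, JS_FEEBS.DI and WORM_BAGLE.EF descriptions can be checked on a mounted or live volume. The following is an added example, not part of the original alert or any Trend Micro tool; it assumes the Windows system folder is Windows\System32 under the volume root, matches SHAR case-insensitively, and runs against a constructed sample tree of empty files.

```python
import os
import tempfile

# File artifacts named on this page. Assumption: the "Windows system folder"
# is <root>/Windows/System32; edit the tuples for other layouts.
ARTIFACTS = [
    ("TROJ_YABE.J copy", ("Windows", "System32", "ipwf.exe")),
    ("TROJ_YABE.J data file", ("Windows", "System32", "drivers", "winut.dat")),
    ("WORM_FEEBS.DL download", ("Recycled", "USERINIT.EXE")),
]

def resolve_ci(root, parts):
    """Follow parts under root, matching names case-insensitively as Windows
    does, so the sweep also works on an image mounted on Linux."""
    current = root
    for part in parts:
        try:
            names = os.listdir(current)
        except OSError:
            return None
        found = next((n for n in names if n.lower() == part.lower()), None)
        if found is None:
            return None
        current = os.path.join(current, found)
    return current

def sweep(root):
    """Return (label, path) for every listed artifact present as a file."""
    hits = []
    for label, parts in ARTIFACTS:
        path = resolve_ci(root, parts)
        if path and os.path.isfile(path):
            hits.append((label, path))
    return hits

def shar_folders(root):
    """Folders whose name contains SHAR (case-insensitive match is an
    assumption): where WORM_BAGLE.EF copies would land, for manual review."""
    return sorted(os.path.join(d, n) for d, names, _ in os.walk(root)
                  for n in names if "shar" in n.lower())

def build_sample(base):
    """Constructed sample volume: empty placeholder files, no real malware."""
    for rel in ("windows/system32/IPWF.EXE", "windows/system32/userinit.exe",
                "RECYCLED/userinit.exe", "Docs/My Shared Folder/readme.txt"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return base
```

A userinit.exe in the system folder is a normal Windows file and is not reported; only the copy under Recycled matches the JS_FEEBS.DI description.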
References: http://www.trendmicro.com/vinfo/ (Trend Micro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese Trend Micro Virus Security Info)