2006-06-05 10:33

[Virus Alert] 3 new worms found

Worm name: TROJ_YABE.K

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan usually arrives on a system as a randomly named file attachment to a spammed email message. Users should therefore refrain from opening email messages that come from untrusted sources.

Upon execution, it drops files and modifies the registry to enable its automatic execution at every system startup. It also bypasses the Windows firewall.

This Trojan attempts to access certain URLs to download possibly malicious files onto the affected system. The said routine may cause further harm to the system. However, the download routine fails to manifest because, as of this writing, the said URLs are not available.

Worm name: TROJ_ALEMOD.G

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan is usually dropped by TROJ_DHIJACK variants. It is a .DLL file that works with WININIT.INI, which is also dropped by TROJ_DHIJACK variants.

The said .INI file renames the dropped .DLL file to WININET.DLL, and the renamed file then overwrites the legitimate WININET.DLL in the Windows system folder. This lets the Trojan monitor network traffic packets, and the monitored information may be used for its malicious routines.
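The rename step described above is what a defender can look for before the next boot: a WININIT.INI whose [rename] section points a staged file at a system DLL. The following script is an added example, not Trend Micro's code or part of the alert. It assumes the classic WININIT.INI layout (a [rename] section of `destination=source` lines, with `NUL=path` meaning delete), an assumed watch list of protected DLL names, and a constructed sample INI rather than a capture from an infected host.

```python
"""Flag WININIT.INI [rename] entries that would replace a protected system DLL.

Added example. Assumes the classic WININIT.INI layout: a [rename] section
holding 'destination=source' lines (a destination of NUL deletes the source).
"""
import ntpath
import re
from typing import List, Tuple

# Assumed watch list: system DLLs that no legitimate installer should replace
# through a boot-time rename. Extend for your own environment.
PROTECTED_DLLS = {"wininet.dll", "ws2_32.dll", "kernel32.dll", "user32.dll"}

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")

# Constructed sample, not a real capture from an infected host.
SAMPLE_INI = """\
; constructed sample
[rename]
NUL=C:\\WINDOWS\\TEMP\\setup.tmp
C:\\WINDOWS\\SYSTEM32\\WININET.DLL=C:\\WINDOWS\\TEMP\\abcd1234.dll
C:\\Program Files\\App\\app.dll=C:\\WINDOWS\\TEMP\\app_new.dll
[other]
key=value
"""


def parse_rename_section(ini_text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs found in the [rename] section only."""
    pairs: List[Tuple[str, str]] = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        m = SECTION_RE.match(line)
        if m:
            in_rename = m.group("name").strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def suspicious_renames(pairs: List[Tuple[str, str]], system_dir: str) -> List[Tuple[str, str]]:
    """Keep entries whose destination is a protected DLL inside the system folder.

    Paths are normalised with ntpath so the check behaves the same on any host
    running the script, and so case and separator differences do not hide a hit.
    """
    sysdir = ntpath.normcase(ntpath.normpath(system_dir))
    hits: List[Tuple[str, str]] = []
    for dest, src in pairs:
        d = ntpath.normcase(ntpath.normpath(dest))
        if ntpath.dirname(d) == sysdir and ntpath.basename(d) in PROTECTED_DLLS:
            hits.append((dest, src))
    return hits


def scan_wininit(ini_text: str, system_dir: str = "C:\\WINDOWS\\SYSTEM32") -> List[Tuple[str, str]]:
    """Parse the INI text and return the rename entries that deserve an alert."""
    return suspicious_renames(parse_rename_section(ini_text), system_dir)


if __name__ == "__main__":
    for dest, src in scan_wininit(SAMPLE_INI):
        print(f"ALERT: {src} would overwrite {dest} at next boot")
```

On a live host, feed `scan_wininit` the contents of the WININIT.INI found in the Windows folder and pass the real system directory; any hit should be paired with a hash or signature check of the staged source file before the machine is allowed to reboot.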

In addition, this Trojan downloads updated copies of itself from the Internet. These downloaded copies are executed on the affected system.

Worm name: WORM_RBOT.OU

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

It generates IP addresses and spreads by attempting to drop a copy of itself into the default shares of the target addresses. If the said shares are password-protected, it uses gathered lists of user names and passwords, as well as a hardcoded list of user names and passwords, as login credentials to gain access.
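The share-propagation behaviour above leaves a recognisable trace on the target: a burst of failed logons to administrative shares from one source, cycling through several user names, sometimes followed by a success. The script below is an added detection example, not part of the alert or Trend Micro's tooling. The log line format (`timestamp src= user= share= result=`) and the sample lines are constructed for the example; map your own file-server or security-event export onto the same fields.

```python
"""Detect credential guessing against default shares from a stream of logon events.

Added example. The log format and sample lines are constructed; thresholds
(window, failure count, distinct user names) are assumptions to tune locally.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) share=(?P<share>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one host cycling through user names against C$ and then
# succeeding, and one ordinary user who mistyped a password once.
SAMPLE_LOGS = """\
2006-06-05T10:30:01 src=10.0.0.23 user=administrator share=C$ result=FAIL
2006-06-05T10:30:02 src=10.0.0.23 user=admin share=C$ result=FAIL
2006-06-05T10:30:02 src=10.0.0.23 user=root share=C$ result=FAIL
2006-06-05T10:30:03 src=10.0.0.23 user=guest share=C$ result=FAIL
2006-06-05T10:30:03 src=10.0.0.23 user=test share=C$ result=FAIL
2006-06-05T10:30:04 src=10.0.0.23 user=administrator share=ADMIN$ result=OK
2006-06-05T10:31:10 src=10.0.0.40 user=jdoe share=C$ result=FAIL
2006-06-05T10:31:40 src=10.0.0.40 user=jdoe share=C$ result=OK
""".splitlines()


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse log lines into dicts with a datetime 'ts'; lines of another shape are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def find_share_bruteforce(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=5),
    min_failures: int = 5,
    min_users: int = 3,
) -> Dict[str, dict]:
    """Return {source: details} for sources whose failed share logons within one
    window reach min_failures across at least min_users distinct user names.
    A later successful logon from a flagged source is recorded as success_after."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in parse_events(lines):
        by_src[ev["src"]].append(ev)

    alerts: Dict[str, dict] = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        recent: deque = deque()  # failures still inside the sliding window
        flagged = None
        for ev in events:
            if ev["result"] == "FAIL":
                recent.append(ev)
                while recent and ev["ts"] - recent[0]["ts"] > window:
                    recent.popleft()
                users = {e["user"] for e in recent}
                if flagged is None and len(recent) >= min_failures and len(users) >= min_users:
                    flagged = {
                        "failures": len(recent),
                        "distinct_users": len(users),
                        "first_seen": recent[0]["ts"],
                        "success_after": False,
                    }
            elif flagged is not None:
                # Success after a guessing burst: treat the share as likely compromised.
                flagged["success_after"] = True
                flagged["success_user"] = ev["user"]
        if flagged is not None:
            alerts[src] = flagged
    return alerts


if __name__ == "__main__":
    for src, info in find_share_bruteforce(SAMPLE_LOGS).items():
        tag = "COMPROMISE LIKELY" if info["success_after"] else "guessing"
        print(f"{src}: {info['failures']} failures over {info['distinct_users']} users ({tag})")
```

The distinct-user threshold is what separates this pattern from a single user retyping a password; the single failure from 10.0.0.40 never trips it, while the burst from 10.0.0.23 does and the subsequent success is flagged for follow-up.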

This worm also propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since its email propagation does not require any user intervention, the user is often unaware that this worm is sending out email messages.

It gathers target email addresses from the Temporary Internet files folder and the Windows Address Book (WAB). It also gathers target recipients from files with certain extension names.

Moreover, this worm performs denial of service (DoS) attacks against target sites using different flooding methods, slowing down the target Web sites or rendering them inaccessible.

References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)
