2006-06-23 10:55

[Virus Alert] 5 new worms found

Worm name: WORM_KIDALA.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm propagates by sending a copy of itself as an attachment to email messages, which it sends to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine. It gathers target addresses from the Windows Address Book, Temporary Internet Files folder, and generates addresses from previously harvested email addresses.

Furthermore, it propagates via network shares. It uses NetBEUI functions to get available lists of user names and passwords from an affected system. It then lists down available network shares and drops copies of itself into a certain shared folder. It may also use a list of user names and passwords hardcoded in its body to gain access.

This worm has backdoor capabilities. Using random ports, it connects to an Internet Relay Chat (IRC) server and joins a channel. Once a connection is established it listens for commands from a remote user. The said commands are executed locally, effectively compromising the affected system.
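Because the IRC connection above uses random ports, a network rule keyed on 6667/tcp misses it. The following added example (not part of the alert and not Trend Micro code) shows a port-agnostic check instead: it inspects the first bytes an internal host sends on an outbound TCP stream and flags the IRC registration handshake (PASS/NICK/USER/JOIN) wherever it appears. The flow records, addresses and nick are constructed for the example.

```python
"""
Added example: port-agnostic detection of an IRC client handshake in
captured outbound TCP streams. The worm connects to an IRC server on random
ports, so the client's opening commands (per RFC 1459/2812) identify the
protocol rather than the destination port.
"""
import re

# Commands an IRC client sends when it registers with a server.
_IRC_LINE = re.compile(rb"^(PASS|NICK|USER|JOIN)\b", re.IGNORECASE)


def looks_like_irc(client_bytes: bytes, min_commands: int = 2) -> bool:
    """True if the first client bytes of a stream contain at least
    `min_commands` distinct IRC registration commands on separate lines.
    Requiring two commands avoids firing on a stray word such as NICKNAME."""
    seen = set()
    for line in client_bytes.split(b"\n"):
        match = _IRC_LINE.match(line.strip(b"\r"))
        if match:
            seen.add(match.group(1).upper())
    return len(seen) >= min_commands


def flag_irc_flows(flows):
    """flows: iterable of dicts with src, dst, dport and client_bytes.
    Returns (src, dst, dport) for every flow that looks like IRC, on any port."""
    return [(f["src"], f["dst"], f["dport"]) for f in flows
            if looks_like_irc(f["client_bytes"])]


# Constructed sample flows; hosts, ports and nick are made up for this example.
SAMPLE_FLOWS = [
    {"src": "10.0.0.7", "dst": "203.0.113.5", "dport": 31337,
     "client_bytes": b"NICK bot-0a1f\r\nUSER x 0 * :x\r\nJOIN #ch\r\n"},
    {"src": "10.0.0.8", "dst": "198.51.100.2", "dport": 6667,
     "client_bytes": b"NICK user\r\nUSER user 0 * :user\r\n"},
    {"src": "10.0.0.9", "dst": "198.51.100.9", "dport": 80,
     "client_bytes": b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"},
    {"src": "10.0.0.10", "dst": "198.51.100.3", "dport": 6667,
     "client_bytes": b"NICKNAME please\r\n"},   # one word, not a handshake
]

if __name__ == "__main__":
    for hit in flag_irc_flows(SAMPLE_FLOWS):
        print("possible IRC control channel:", hit)
```

The check deliberately flags legitimate IRC too (the second sample flow); on a network where IRC has no business use that is the desired behaviour, otherwise the hits are triaged against an allow-list of known servers.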

 

It also terminates processes, most of which are related to antivirus and security applications. This routine makes detection and removal of this worm a difficult task.

Worm name: JS_FEEBS.AG

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This malicious JavaScript is embedded in a malicious Web site. It may also arrive as an attachment to a spammed email message.

When running on the affected system, it shows a fake aol.com, gmail.com, hotmail.com, msn.com, or yahoo.com loading page that displays a text message saying there is no available connection. It appears to the user that the JavaScript has failed to successfully access the Web page even though it is already downloading an encoded file, which is detected by Trend Micro as WORM_FEEBS.FP. It then decodes and executes the said file on the affected computer.

If it is unable to create registry entries for its autostart technique, it then drops the downloaded WORM_FEEBS.FP file into the Common Startup folder.

Worm name: TROJ_DROPPER.BFU

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan arrives on a system as a file dropped or downloaded by other malware.

Upon execution, it drops a copy of itself as WARTSRV.EXE in the Windows system folder.

It also changes the start page of the affected system's Internet Explorer.

Worm name: WORM_BAGLE.GX

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This memory-resident worm propagates by sending copies of itself as an attachment to email messages that it sends to target IP addresses using its own Simple Mail Transfer Protocol (SMTP) engine. Through the said SMTP engine, it is able to easily send email messages even without using other mailing applications, such as Microsoft Outlook.

It arrives on a system as an attachment to a spammed email message. The said email message contains a password-protected .ZIP file which contains this worm, as well as a binary file with a .DLL extension.
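A password-protected ZIP defeats content scanning, but the archive's directory is never encrypted: entry names and the per-entry encryption flag are readable without the password. The added example below (not part of the alert and not Trend Micro code) screens an attachment on that basis alone, which is enough to quarantine an archive that carries encrypted .EXE/.DLL entries. The archives it inspects are constructed in the block; the "encrypted" one only has the flag bit set in its headers to mimic what a gateway sees, the data is not really encrypted.

```python
"""
Added example: screen a mail attachment ZIP without extracting it.
Only the central directory is read; nothing is decompressed or decrypted.
"""
import io
import ntpath
import zipfile

# Extensions that should not arrive inside an unsolicited attachment archive.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd"}


def screen_zip(zip_bytes: bytes) -> dict:
    """Return per-entry findings and a quarantine verdict for a ZIP."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)      # general-purpose bit 0
            ext = ntpath.splitext(info.filename)[1].lower()
            entries.append({"name": info.filename,
                            "encrypted": encrypted,
                            "risky": ext in RISKY_EXTENSIONS})
    reasons = []
    if any(e["encrypted"] for e in entries):
        reasons.append("encrypted entries cannot be content-scanned")
    risky = [e["name"] for e in entries if e["risky"]]
    if risky:
        reasons.append("executable/library entries: " + ", ".join(risky))
    return {"entries": entries, "quarantine": bool(reasons), "reasons": reasons}


def build_sample_zip(names, mark_encrypted=False) -> bytes:
    """Constructed test archive (no real malware). With mark_encrypted=True the
    encryption flag bit is set in every local and central header so the
    archive looks password-protected to a reader; contents stay in clear."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"constructed placeholder content")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # flags sit at +6 in a local file header and at +8 in a central record
        for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + offset] |= 0x1
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample_zip(["invoice.exe", "helper.dll"], mark_encrypted=True)
    print(screen_zip(sample))
```

The verdict does not depend on guessing the password: an archive the gateway cannot scan is treated the same as one that openly carries an executable, and the entry list still gives the analyst the file names to pivot on.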

 

Upon execution, it drops several files into specified locations, including a file detected by Trend Micro as TROJ_ROOTKIT.FN.

Worm name: TROJ_DROPPER.BFU

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan may arrive on a system as an attachment to a spammed email message.

It connects to certain URLs to download possibly malicious files. The said routine opens the affected system to further attacks. In addition, it executes a valid Windows file named SVCHOST.EXE, then injects its downloading routine into the said process to avoid immediate detection.
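Injecting into a genuine SVCHOST.EXE hides the download from anything that only checks image names, but a svchost the Trojan launches itself has the Trojan, not services.exe, as its parent. The added example below (not part of the alert and not Trend Micro code) is a triage rule over a process snapshot that flags svchost.exe instances with a wrong parent or a wrong image directory; the snapshot and the name dropper-sample.exe are constructed for the example.

```python
"""
Added example: flag svchost.exe instances that a legitimate service host
would not produce, from a process snapshot of pid/ppid/name/path records.
"""
import ntpath   # Windows path handling regardless of the host OS

LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def suspicious_svchost(processes):
    """processes: list of dicts {pid, ppid, name, path}.
    Returns [(pid, [reasons])] for svchost.exe entries whose image path is
    outside the system directories or whose parent is not services.exe."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for p in processes:
        if p["name"].lower() != "svchost.exe":
            continue
        reasons = []
        if ntpath.dirname(p["path"]).lower() not in LEGIT_SVCHOST_DIRS:
            reasons.append("image outside system directories: " + p["path"])
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<unknown>"
        if parent_name != "services.exe":
            reasons.append("parent is %s, not services.exe" % parent_name)
        if reasons:
            hits.append((p["pid"], reasons))
    return hits


# Constructed snapshot: pid 1500 is a svchost started by the (made-up)
# dropper-sample.exe, pid 2200 is a look-alike outside system32.
SNAPSHOT = [
    {"pid": 4,    "ppid": 0,    "name": "System",        "path": ""},
    {"pid": 600,  "ppid": 4,    "name": "services.exe",  "path": r"C:\WINDOWS\system32\services.exe"},
    {"pid": 812,  "ppid": 600,  "name": "svchost.exe",   "path": r"C:\WINDOWS\system32\svchost.exe"},
    {"pid": 1800, "ppid": 1040, "name": "dropper-sample.exe",
     "path": r"C:\Documents and Settings\user\Local Settings\Temp\dropper-sample.exe"},
    {"pid": 1500, "ppid": 1800, "name": "svchost.exe",   "path": r"C:\WINDOWS\system32\svchost.exe"},
    {"pid": 2200, "ppid": 600,  "name": "svchost.exe",   "path": r"C:\WINDOWS\svchost.exe"},
]

if __name__ == "__main__":
    for pid, reasons in suspicious_svchost(SNAPSHOT):
        print(pid, "; ".join(reasons))
```

The parent check covers the behaviour described here (the Trojan executes SVCHOST.EXE itself). It does not catch code injected into a svchost that services.exe had already started; that case needs memory or network-origin evidence rather than process lineage.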

 

 

 

References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)