2006-03-06 15:12

[Virus Alert] 8 new worms found

Worm name: SYMBOS_REDBROW.A

Risk rating: MEDIUM

Damage Potential: MEDIUM

Distribution Potential: MEDIUM

Description:

This Symbian malware arrives on a Java-compatible mobile device as a Java archive file. The said archive contains several components, including one that holds the list of mobile numbers this malware uses as target recipients.

When executed, it pretends to be a free Wireless Application Protocol (WAP) browsing page, as follows:

[Screenshot of the fake free WAP page: not reproduced in this alert]

It pretends to be an application that enables the user to send free SMS messages via WAP. When a user opens the said free WAP page, it continuously sends SMS messages to its predefined list of target recipients, which causes the user to be charged high rates for the SMS sending. With every attempt to send an SMS message using the malware application, it requests user approval by displaying the following message:

[Screenshot of the approval prompt: not reproduced in this alert]

Since this malware has no autostart technique, restarting the affected mobile device stops its SMS sending routine.


Worm name: WORM_BAGLE.DF

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm propagates by sending copies of itself as attachments to email messages that it sends to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine. Through the said SMTP engine, it is able to send email messages easily, even without using other mailing applications such as Microsoft Outlook.

It is also capable of propagating via peer-to-peer (P2P) networks. It drops copies of itself in folders whose names contain the string SHAR. It does this routine under the assumption that the said folders are used as shared folders by various P2P applications.

The said copies are usually named after popular applications and actresses in order to entice users into downloading and executing the said files.

In addition, it waits for an active Internet connection and accesses several Web sites to download various files. As a result, it may download malicious files that may further compromise system security.


Worm name: JS_FFSNIFF.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This JavaScript is embedded in a Java application. The said Java application is used as a Firefox extension that monitors the use of HTML forms in Web pages. Firefox is a browser that can be customized through themes and extensions.

This extension steals information entered in an HTML form that is loaded in Firefox. Information entered in an HTML form is stored in a variable in the Java code. The stored information is sent to an email address using a certain Simple Mail Transfer Protocol (SMTP) server.


Worm name: WORM_BAGLE.DQ

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm propagates by sending copies of itself as attachments to email messages that it sends to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine. Through the said SMTP engine, it is able to send email messages easily, even without using other mailing applications such as Microsoft Outlook.

It is also capable of propagating via peer-to-peer (P2P) networks. It drops copies of itself in folders whose names contain the string SHAR. It does this routine under the assumption that the said folders are used as shared folders by various P2P applications.

The said copies are usually named after popular applications and actresses in order to entice users into downloading and executing the said files.

In addition, it waits for an active Internet connection and accesses several Web sites to download various files. As a result, it may download malicious files that may further compromise system security.


Worm name: PHP_MARE.G

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This PHP (Hypertext Preprocessor) program is a component used in defacing PHP Web sites. It arrives on a system as a file downloaded by ELF_MARE.G.

It allows a remote malicious user to execute certain commands, such as executing and uploading files, on an affected system. Performing the said commands might compromise system security.

It connects to a particular Web site to download a malicious file that Trend Micro detects as UNIX_MARE.G.


Worm name: UNIX_MARE.G

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Unix malware arrives as a file downloaded by PHP_MARE.G. Upon execution, it connects to TCP port 8080 to download and execute the following malware programs:

• ELF_MARE.G
• HKTL_CALLBACK.C
• PERL_SHELLDOOR.A

The said download routine opens the affected system to further malicious attacks.

This Unix malware deletes all files in the /temp folder. It also creates a hidden subfolder named .sess_a4c1cb9ea15105441fb0366b06479082 inside the said folder.
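Added example, not Trend Micro's tooling and not code from this alert: a small Python triage script for two of the file-system indicators described above, the BAGLE.DF/DQ habit of dropping lure-named copies into folders whose names contain SHAR, and the hidden .sess_a4c1cb9ea15105441fb0366b06479082 subfolder that UNIX_MARE.G creates inside /temp. The script builds a constructed throwaway directory tree so it can run offline; the executable-extension list, the sample file names and the function names are assumptions of this example, and the root paths are parameters you would point at a real share root or at /temp.

```python
"""Host-side triage for two indicators in this alert (added example).

Both checks take a root directory as a parameter, so they can be exercised
on the constructed demo tree below before being pointed at real paths.
"""
import os
import tempfile

# Indicator quoted from the UNIX_MARE.G description: hidden folder under /temp.
MARE_SESSION_DIR = ".sess_a4c1cb9ea15105441fb0366b06479082"

# Assumption: the alert does not list the dropped files' extensions, so this
# is a typical set of directly executable Windows suffixes.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def find_share_folder_executables(root):
    """Return executables located under any folder (relative to root) whose
    name contains 'shar', the heuristic BAGLE uses to find P2P share folders."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_parts = os.path.relpath(dirpath, root).split(os.sep)
        if not any("shar" in part.lower() for part in rel_parts):
            continue
        for name in filenames:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_mare_session_dir(temp_root="/temp"):
    """Return the path of the UNIX_MARE.G session folder if it exists under
    temp_root (default: the /temp folder named in the alert), else None."""
    candidate = os.path.join(temp_root, MARE_SESSION_DIR)
    return candidate if os.path.isdir(candidate) else None


def build_demo_tree():
    """Construct a throwaway sample tree (constructed data, not a real
    infection): a benign Downloads folder, a 'Shared Files' folder holding a
    lure-named executable, and a temp folder with the hidden session dir."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    os.makedirs(os.path.join(root, "Downloads"))
    os.makedirs(os.path.join(root, "Shared Files", "music"))
    os.makedirs(os.path.join(root, "temp", MARE_SESSION_DIR))
    sample_files = (
        os.path.join("Shared Files", "Popular Application Setup.exe"),  # lure-style name (constructed)
        os.path.join("Shared Files", "music", "song.mp3"),              # not executable
        os.path.join("Downloads", "setup.exe"),                         # executable, but not a share folder
    )
    for rel in sample_files:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"placeholder bytes")
    return root


def run_triage(root):
    """Run both checks against one tree and return the findings."""
    return {
        "share_executables": find_share_folder_executables(root),
        "mare_session_dir": find_mare_session_dir(os.path.join(root, "temp")),
    }


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for key, value in run_triage(demo_root).items():
        print(f"{key}: {value}")
```

On a real host, call find_share_folder_executables with the P2P client's share root and find_mare_session_dir with no argument. Because UNIX_MARE.G empties /temp before creating the session folder, that hidden folder may be the only thing left there, so an otherwise empty /temp containing it is itself a strong signal.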

 

 

Worm name: PE_ICABDI.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This is the Trend Micro detection for proof-of-concept malware that attempts to infect Microsoft InfoPath .XSN files. InfoPath is an application used to develop XML-based user forms.

It creates a temporary folder named iCab, copies the target XSN file it attempts to infect into the said folder, and then extracts the contents of the file.

To infect the XSN file, it inserts a malicious script into the script.js of the target XSN file. To clean up traces of its malicious routine, it then attempts to recreate the original (now infected) file and delete iCab and all its contents.

However, due to errors in its code, it is unable to perform its file infection and cleanup routines.


Worm name: WORM_MYTOB.OV

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This worm propagates by attaching copies of itself to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. Having its own SMTP engine allows it to send email messages without using mailing applications such as Microsoft Outlook.

It gathers target email addresses from the Windows Address Book (WAB) and the Temporary Internet Files folder, which are common repositories of email addresses. It also gathers email addresses from files with certain extension names.

This worm opens varying ports to connect to an Internet Relay Chat (IRC) server and join an IRC channel. Once it establishes a connection, it acts as a backdoor that enables a remote malicious user to issue certain commands, which it executes locally on the affected machine. Its backdoor capabilities compromise the system's security.

It also terminates processes running on the affected system, some of which are related to antivirus and security applications, in an attempt to make its detection and removal more difficult. It further prevents the affected user from accessing a number of Web sites related to antivirus applications. The said routines make the system more vulnerable to attacks from other malware.


References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)