Virus News Trend Micro

[Mickuk]

Trend Micro Weekly Virus Report
(by TrendLabs Global Antivirus and Research Center)
Date: Friday September 2, 2005

Issue Preview:

1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Email Worm – WORM_SAVAGE.A (Low Risk)
3. Top 10 Most Prevalent Global Malware
4. Trend Micro's Award-winning Legacy Continues
5. Trend Micro Whitepaper - The Spyware Battle -- Privacy vs. Profits

1. Trend Micro Updates - Pattern File and Scan Engine Updates

PATTERN FILE: 2.817.00
SCAN ENGINE: 7.510

2. Email Worm - WORM_SAVAGE.A (Low Risk)
WORM_WURMARK.A is a non-destructive, memory-resident worm that propagates
via email and through peer-to-peer (P2P) networks. It spreads via email by sending copies of itself with the file name TMP.ZIP to target addresses. It gathers target recipients from an affected system's Windows Address Book (WAB). This worm is currently spreading in-the-wild and infecting
systems running Windows 95, 98, ME, 2000, XP, and Server 2003.

This worm also propagates by dropping a copy of itself in accessible network shares, enabling other users to download this worm. However, on systems using the P2P applications, LimeWire and eDonkey2000, this worm drops its copy in locations specific to these applications.

This worm utilizes a common social engineering technique to avoid early detection. It uses file names that usually pertain to legitimate software, such as Nero and winamp5. Thus, this worm tricks users into thinking that it is a harmless file, possibly affecting its prolonged presence on the system.

It modifies the affected system's HOSTS file by appending a list of URLs, which are related to antivirus and security applications, to the said file. It directs the said URLs to the local machine, preventing the user from accessing the listed Web sites.

This worm has backdoor capabilities that connect to a remote Web site, where it awaits for commands from a remote malicious user, such as the downloading of files that may be malicious. It then executes the said commands locally, therefore compromising the machine's security.

This worm also carries a malware retaliation routine, particularly against NETSKY, BLASTER, MYDOOM, BAGLE, and SOBIG variants. It removes the corresponding registry entries of the said variants if found on the system.

If you would like to scan your computer for WORM_SAVAGE.A, or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: housecall.trendmicro.com/

WORM_SAVAGE.A is detected and cleaned by Trend Micro pattern file #2.813.00 and above.

3. Top 10 Most Prevalent Global Malware
(from August 25 to September 1, 2005)
JAVA_BYTEVER.A
HTML_NETSKY.P
ADW_BADBITOR.A
WORM_NETSKY.P
SPYW_GATOR
SPYW_DASHBAR.300
TSPY_SMALL.SN
JS_DLOADER.I
TROJ_DYFUCA.I
TROJ_ROOTKIT.N

4. Trend Micro's Award-winning Legacy Continues

Since its inception in 1988, Trend Micro has won various awards for its
excellence in products and services, support, and corporate achievement.
Click here to see some of the latest accolades.

5. Whitepaper - The Spyware Battle -- Privacy vs. Profit

For the past three years, antivirus vendors have toiled over how to handle the removal of spyware - software that logs information on user activity, collects Web browsing histories, on-line purchases, etc. Spyware programs run in the background, with their activities transparent to most users. In this paper, Trend Micro provides some insights into the problem, to educate users about spyware threats and how to minimize the risk of infection. This includes sound advice on safe Internet practices, to avoid many of the most common spyware "traps".

Mick

[voodoodoll]

Thanks for the link

[Mickuk]

As of October 6, 2005 5:52 AM (Pacific Daylight Time; GMT-7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SOBER.AC. TrendLabs has received several infection reports indicating that this malware is spreading in USA, Japan, Australia, and Germany.

This worm propagates via email messages. It uses its own SMTP engine to send a copy of itself as an attachment to target email addresses. It gathers the said addresses from files with certain extensions on an affected system. Most of the files with the said extensions are related to the Web pages visited by an affected user. This worm gathers these types of files under the assumption that visited Web pages may contain text strings that refer to email addresses.

This worm may also send email messages written in German.

Upon execution, it displays an error message. It drops a number of files, which aid its mass-mailing routine. The said routine consumes bandwidth that can slow down an affected network's processes.

TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 186
Official Pattern Release 2.879.00
Damage Cleanup Template 661.04

For more information on WORM_SOBER.AC, you can visit our Web site at:
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.AC
Contact av_query@support.trendmicro.com for inquiries and to report infections in your region

mick

[Mickuk]

Trend Micro Weekly Virus Report
(by TrendLabs Global Antivirus and Research Center)

Date: Friday November 4, 2005

Issue Preview:

1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. The Trouble with BAGLEs – WORM_F (Low Risk)
3. Top 10 Most Prevalant Global Malware
4. Introducing Worry-Free Security for Small and Medium Businesses
5. Protect Your PC Against the Latest Threats - New Version of Award-Winning PC-cillin

1. Trend Micro Updates - Pattern File and Scan Engine Updates

PATTERN FILE: 2.929.00
SCAN ENGINE: 7.510

2. The Trouble with BAGLEs - WORM_ (Low Risk)

Trend Micro researchers have discovered two new variants of the notorious BAGLE family of worms. Although WORM_BAGLE.BQ and WORM_BAGLE.BS have not caused a high number of infections, they are utilizing a relatively new technique – adding a downloader between the Trojan and worm components as part of a “tri-component” technique – which enables a far more dynamic spreading mechanism and a higher potential for damage. Although security experts first saw this technique in mid-September with a series of other BAGLE variants, its re-emergence suggests that this could become more prominent – and destructive – in the future.

According to Jamz Yaneza, Senior Research Engineer at Trend Micro, the URLs to which the code points are continuously changing to prevent the downloader from being detected. “At times they appear to be down, then they are brought back up again. This appears to give the author enough time to repack the code, thereby modifying the identifying file,” he said.

Security experts warn that these new variants could possibly mark the beginning of a concerning trend. A future variant with a slightly better refined propagation technique – including the use of a packer with polymorphic capabilities and utilizing an established Bot network – could lead to a significant number of infections.

If you would like to scan your computer for WORM_BAGLE.BQ and WORM_BAGLE.BS, or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:http://housecall.trendmicro.com/

For additional information about WORM_BAGLE.BQ and WORM_BAGLE.BS please visit:
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.BQ and
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.BS

3. Top 10 Most Prevalent Global Malware
(from October 28 to November 3, 2005)
JAVA_BYTEVER.A
SPYW_DASHBAR.300
WORM_NETSKY.P
SPYW_GATOR.F
HTML_NETSKY.P
TROJ_BAGLE.AB
TSPY_SMALL.SN
WORM_MOFEI.B
ADW_LOP.A
PE_PARITE.A

mick

[dancingwind]

Thanks Mick for posting this.

love,
Brigitte

[Mickuk]

Date: Friday November 18, 2005

Issue Preview:

1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Trojans Utilize Kernel-mode Rootkit – BKDR_BREPLIBOT.A (Low Risk)
3. Top 10 Most Prevalant Global Malware
4. Protect Your PC Against the Latest Threats - PC-cillin 2006 Now Available

1. Trend Micro Updates - Pattern File and Scan Engine Updates

PATTERN FILE: 2.953.00
SCAN ENGINE: 7.510

2. Trojans Utilize Kernel-mode Rootkit - BKDR_BREPLIBOT.A (Low Risk)

In the past week, much attention has been given to the BREPLIBOT family of backdoor-trojans. This Trojan exploits the Sony Digital Rights Management rootkit-and this new malware also targets a specific audience – the business community. Arriving as an attachment in an email, the malware pretends to come from a reputable business magazine, asking the businessman to verify his/her "picture" (apparently attached to the email) to be used for the December issue. However, rather than presenting a picture, executing the attachment installs the Trojan.

According to Raimund Genes, Chief Technologist of Anti-Malware for antivirus and content security firm Trend Micro, the issue is less about the Trojan than it is about the underlying rootkit technology utilized by them. This is because the rootkit utilized by the BKDR_REPLIBOT Trojans is a 'kernel-mode' program, which can be used for more dramatic malicious purposes than 'user-mode' programs.

“We don’t blame Sony for attempting to exercise its right to manage its digital property” says Genes. “However, what’s important to understand is that this technology can now be used by malicious malware writers to hide and spread their creations. These writers include those who might not know how to write their own rootkits – but now they don’t have to.”

Genes adds a strong recommendation that businesses with the need to protect their intellectual property look into other possible solutions, such as building a level of security commitment into contractual agreements with technology partners, especially when those partners are developing additional DRM (digital rights management) tools.

"The protection of Corporate Intellectual Property in the digital age is a complex and serious matter for any business. This situation emphasizes the growing complexity of corporate security, both from an IT and business continuity standpoint. It makes clear the need for a consolidation of business and security as one unified initiative."

According to experts at Trend Micro, the primary danger of kernel-mode drivers is that they have the capability to modify or destroy any other data structure in the memory including the operating system code, itself. This is due to the fact that kernel-mode has inherently been granted the highest level of access in a system, and therefore can be utilized to perform nearly any task, including overwriting any other program or data in the system. They add that the objective of rootkits is to conceal the existence of other programs. Instead, they are frequently used to conceal spyware or other malware. And since rootkits are readily available, we expect to see rootkit detection numbers rise.

Trend Micro is reminding users to remain vigilant. As a precautionary measure, every email should be scrutinized, especially those containing attachments, or those from unexpected or unknown sources, and additionally, they should ensure their security solutions are fully updated. Trend Micro also recommends that technical users and IT staff educate themselves regarding the growing rootkit threat.

For more information on BKDR_BREPLIBOT.D, please visit
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_BREPLIBOT.D

3. Top 10 Most Prevalent Global Malware
(from November 11 to November 17, 2005)
1. JAVA_BYTEVER.A
2. SPYW_DASHBAR.300
3. SPYW_GATOR.F
4. WORM_NETSKY.P
5. HTML_NETSKY.P
6. WORM_MOFEI.B
7. PE_PARITE.A
8. TSPY_SMALL.SN
9. TROJ_ISTBAR.FN
10. ADW_LOP.A

Mick

[Mickuk]

As of November 21, 2005 2:20 PM Pacific Standard Time (PST, GMT -8:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SOBER.AG. TrendLabs has received several infection reports indicating that this malware is spreading in the USA, Belgium, Canada, Brazil, and New Zealand.

This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since it's email propagation does not require any user intervention, the user is often unaware that this worm is sending out email messages.

The email it sends out has the following details:

From: {Email address generated by this worm}

Subject: (any of the following)
. hi,_ive_a_new_mail_address
. Mail delivery failed
. Registration Confirmation
. smtp mail failed
. Spam: Registration Confirmation
. Your Password
. Your IP was logged
. Paris_Hilton_&_Nicole_Richie
. You visit illegal websites

Message body: (any of the following)
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!
plz read and check ...
cyaaaaaaa

---

This is an automatically generated Delivery Status Notification.

SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached

---

Account and Password Information are attached!
***** Go to: http://www.{random}.com
***** Email: {random}.com

---
Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

---

Account and Password Information are attached! ---

The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more
Download is free until Jan, 2006!
Please use our Download manager.


Attachment: (any of the following)
. mailtext.zip
. mail.zip
. reg_pass.zip
. mail.zip
. reg_pass-data.zip
. question_list.zip
. list.zip
. downloadm
. mail_body.zip


The attached .ZIP file contains the copy of this worm using the following file name:
File-packed_dataInfo.exe

When executed, it displays a fake error message box in order to trick a user into thinking that the file did not properly execute.

This worm searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates the said process thus making the system more vulnerable to malicious attacks.


TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy (Beta) - 187 (Released)
Official Pattern Release - 2.957.00 (ETA: 1.5 hrs)
Damage Cleanup Template - 678 (Being created)
Network Virus Wall - 10232 (Being created)


For more information on WORM_SOBER.AG, you can visit our Web site at:
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.AG

mick