************************************************************************
V I R U S   R E P O R T
(by the Trend Micro US Virus Research Group)
************************************************************************
------------------------------------------------------------------------
Date: July 20, 2001 Issue Number: 07/03
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.antivirus.com/trendsetter/virus_report/
If you're a corporate user and want to assess your virus protection,
check out Trend Micro's Virus Risk Assessment Web site at:
http://www.antivirus.com/free_tools/edoctor/

Issue Preview:
1. TREND MICRO UPDATES: Pattern File and Scan Engine Updates
2. New and In-the-wild -- TROJ_SIRCAM.A
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Top 10 Viruses Trend Micro's US Customers are Most Concerned About
5. Using an IIS Exploit -- CODERED.A
6. Block Viruses with Trend Micro PC-cillin 2000
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please cut and paste the URL in your browser.
************************************************************************
1. TREND MICRO UPDATES: Pattern File and Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 917 http://www.antivirus.com/download/pattern.asp
SCAN ENGINE: 5.420 http://www.antivirus.com/download/engines/

2. New and In-the-wild -- TROJ_SIRCAM.A
------------------------------------------------------------------------
TROJ_SIRCAM.A is a new Trojan that is currently spreading in the wild.
It propagates via email by sending copies of itself to all addresses listed
in the infected user's address book. The Trojan arrives in an email with a
random subject line and attachment.
For additional information about TROJ_SIRCAM.A, please visit Trend Micro at:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A
In addition, you can track TROJ_SIRCAM.A infections at the Trend Micro World
Virus Tracking Center at http://wtc.trendmicro.com.
TROJ_SIRCAM.A is detected and cleaned by Trend Micro pattern file #917.

3. 10 Most Prevalent In-The-Wild Malware Surveyed by Trend Micro US
(week of: July 9, 2001 to July 15, 2001)
------------------------------------------------------------------------
1. VBS_HAPTIME.A
2. PE_MAGISTR.A
3. TROJ_BADTRANS.A
4. JS_KAKWORM.A
5. TROJ_HYBRIS.M
6. TROJ_BYMER
7. TROJ_CHOKE.A
8. TROJ_MTX.A
9. JOKE_SCROLL.A
10. PE_MAGISTR.DAM

SPECIAL OFFER:
Webmasters, add free virus information updates to your Web site with our Virus Info Feed. Simply copy and paste a small piece of code to give your visitors a real-time top 10 list and the latest virus advisories.
Setup takes approximately 10 minutes and requires no server-side code on your Web site. All content is updated automatically from Trend Micro's Web site. http://www.antivirus.com/syndication/vinfo/default.asp?ref=nwsltr

4. Top 10 Viruses Trend Micro's US Customers are Most Concerned About
(where systems were not infected)
------------------------------------------------------------------------
1. TROJ_BADTRANS.A
2. PE_MAGISTR.A
3. PE_FUNLOVE.4099
4. JS_KAKWORM.A
5. TROJ_MTX.A
6. PE_MTX.A
7. VBS_HAPTIME.A
8. TROJ_SUB7.213.F
9. TROJ_SKA.WSOCK32
10. TROJ_CHOKE.A

5. Using an IIS Exploit -- CODERED.A
------------------------------------------------------------------------
CODERED.A exploits a remote buffer overflow vulnerability in Microsoft Internet
Information Services (IIS) Web servers that can give a remote user system-level
privileges. It scans random IP addresses for the vulnerability and spreads to
those machines. The worm then defaces any Web site hosted by the server with the
following text:
"Welcome to http://www.worm.com! Hacked by Chinese!"
This worm only defaces English-language servers and becomes inactive on
non-English versions of Microsoft's IIS software. Upon execution, the worm
searches for the file C:\NOTWORM. If this file exists, the worm becomes dormant;
otherwise, it checks the current system date.
If the current system date (day of the month) is between 20 and 28, the worm
performs a DDoS (Distributed Denial of Service) attack on a government Web site.
If the current system date is less than 20, the worm sends copies of itself to
other computers by generating random IP addresses and connecting with them. If
the current system date is greater than 28, the worm becomes inactive.
For additional information about CODERED.A, please visit Trend Micro at:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=CODERED.A
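
The date-driven schedule described above tells a defender what an infected server's outbound port-80 traffic should look like on a given day. The following is an added example, not part of the newsletter and not Trend Micro code, that applies the schedule to constructed flow records. The record format, the function names and the min_fanout threshold are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records: "timestamp src dst dst_port" (documentation-range IPs).
SAMPLE_FLOWS = """\
2001-07-15T10:00:01 192.0.2.10 198.51.100.7 80
2001-07-15T10:00:02 192.0.2.10 203.0.113.45 80
2001-07-15T10:00:03 192.0.2.10 198.51.100.201 80
2001-07-15T10:00:04 192.0.2.10 203.0.113.9 80
2001-07-15T11:30:00 192.0.2.30 198.51.100.7 80
2001-07-15T11:30:05 192.0.2.30 198.51.100.7 25
2001-07-21T09:00:01 192.0.2.20 203.0.113.80 80
2001-07-21T09:00:02 192.0.2.20 203.0.113.80 80
2001-07-21T09:00:03 192.0.2.20 203.0.113.80 80
2001-07-21T09:00:04 192.0.2.20 203.0.113.80 80
"""

def expected_phase(day, notworm_present=False):
    """Behaviour the newsletter describes for a given day of the month."""
    if notworm_present:      # the C:\NOTWORM marker file exists: worm stays dormant
        return "dormant"
    if day < 20:
        return "propagation"
    if day <= 28:            # 20..28, the range left between the other two rules
        return "ddos"
    return "inactive"

def classify_hosts(flow_text, min_fanout=4):
    """Flag (src, date) pairs whose port-80 traffic fits that day's phase."""
    dests = defaultdict(list)            # (src, date) -> destinations contacted
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        if port == "80":
            dests[(src, datetime.fromisoformat(ts).date())].append(dst)
    findings = {}
    for (src, date), dsts in sorted(dests.items()):
        phase, distinct = expected_phase(date.day), len(set(dsts))
        if phase == "propagation" and distinct >= min_fanout:
            findings[(src, date.isoformat())] = "scan-like: many distinct targets"
        elif phase == "ddos" and distinct == 1 and len(dsts) >= min_fanout:
            findings[(src, date.isoformat())] = "flood-like: one repeated target"
    return findings

if __name__ == "__main__":
    for key, verdict in classify_hosts(SAMPLE_FLOWS).items():
        print(key, verdict)
```

The threshold of 4 only suits the small sample; on real flow data it would be tuned to the server's normal outbound behaviour.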

6. Block Viruses with Trend Micro PC-cillin
------------------------------------------------------------------------
Protect your desktop against viruses and other malicious code with one of
the best desktop antivirus solutions in the market: Trend Micro PC-cillin 2000.
Buy NOW at:
http://www.antivirus.com/banners/tracking.asp?si=63&bi=27&ul=/pc-cillin
************************************************************************
Received on Fri, 20 Jul 2001 13:30:26 -0700