Trend Micro Virus Report - September 2001 #3

From: Trend Virus Info <VirusInfo_at_trendmicro-newsletters.com>
Date: Sat 22 Sep 2001 - 06:17:34 CEST
Message-ID: <056e83417041691BLACKBOX2@blackbox2.trendmicro.com>

************************************************************************
V I R U S R E P O R T
    
(by the Trend Micro US Virus Research Group)
************************************************************************
------------------------------------------------------------------------
Date: September 21, 2001
------------------------------------------------------------------------

If you're a corporate user and want to assess your virus protection,
check out Trend Micro's Virus Risk Assessment Web site at:
http://www.antivirus.com/free_tools/edoctor/

Issue Preview:

1. TREND MICRO UPDATES: Pattern File and Scan Engine Updates
2. NIMDA-ZILLA! This One is a Monster - PE_NIMDA.A (High Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Top 10 Viruses Trend Micro's US Customers are Most Concerned About
5. Test Your Virus Knowledge & Scan Your Computer FREE!

NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please cut and paste the URL in your browser.

************************************************************************

1. TREND MICRO UPDATES: Pattern File and Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 942 http://www.antivirus.com/download/pattern.asp
SCAN ENGINE: 5.450 http://www.antivirus.com/download/engines/

2. NIMDA-ZILLA! This One is a Monster - PE_NIMDA.A (High Risk)
------------------------------------------------------------------------
This worm uses three modes for propagation. It spreads via email, network
shares, or through servers with IIS installed using the IIS Web Directory
Traversal exploit. The worm propagates via email using its own SMTP engine
and also through Messaging APIs. It may execute when the recipient of its
carrier email opens the email using Microsoft Outlook or Outlook Express.
This PE worm arrives as an embedded README.EXE file or as an attachment in an
email that has an empty message body and, typically, an empty subject field.
It does not require that the target user double-click the attachment for
it to execute.

The worm also propagates through shared drives by searching the network that
the infected machine belongs to for shared folders with write access. If it
finds one, it drops a randomly named .NWS (Newsgroup posting) or .EML file.
These dropped files also contain the worm as an attachment.

Similar to TROJ_BLUECODE.A, this worm spreads to machines with IIS installed.
It sends a request to a machine with IIS installed, forcing it to download a
copy of ADMIN.DLL from the infected machine. The worm then forces the remote
computer to copy the recently downloaded .DLL file into its root directory.

This PE worm has been classified as high risk. A free fix tool is available at
Trend Micro's Web site.

As of September 21, Trend Micro has received 654,910 reports of infection by PE_NIMDA.A, worldwide. To get the very latest reports, please visit our World Virus Tracking Center at: http://wtc.trendmicro.com/wtc/

For additional information about PE_NIMDA.A, please visit Trend Micro at:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=PE_NIMDA.A
You may also visit Microsoft's Web site at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp

PE_NIMDA.A is detected by Trend Micro pattern file #942.
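
One way to triage a file share for the dropped .EML/.NWS files described above, added here as an example and not taken from Trend Micro's report or tools: it parses each such file as a mail message and flags those carrying an executable attachment, along with the empty-subject and empty-body traits. The function names, the `EXEC_EXTS` set and the sample files (placeholder bytes, not a real sample) are assumptions constructed for illustration.

```python
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import Path

DROPPED_EXTS = {".eml", ".nws"}  # file types the report says are dropped on shares
EXEC_EXTS = {".exe"}             # README.EXE per the report; widen as needed (assumption)

def inspect_message(raw):
    """Parse one message file and return the traits the report describes."""
    msg = message_from_bytes(raw, policy=policy.default)
    execs, body = [], b""
    for part in msg.walk():
        name = part.get_filename()
        if name and Path(name).suffix.lower() in EXEC_EXTS:
            execs.append(name)
        elif not name and part.get_content_maintype() == "text":
            body += part.get_payload(decode=True) or b""
    return {"exec_attachments": execs, "empty_body": not body.strip(),
            "empty_subject": not (msg["Subject"] or "").strip()}

def scan_share(root):
    """List .eml/.nws files under root that carry an executable attachment."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in DROPPED_EXTS:
            traits = inspect_message(path.read_bytes())
            if traits["exec_attachments"]:
                hits.append((path.name, traits))
    return hits

def build_sample(attach_name):
    """Constructed message: empty subject/body, placeholder attachment bytes."""
    m = EmailMessage()
    m["Subject"] = ""
    m.set_content("\n")
    m.add_attachment(b"PLACEHOLDER", maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_bytes()

def demo():
    """Fill a temporary 'share' with constructed files and scan it."""
    with tempfile.TemporaryDirectory() as share:
        for fname, attach in [("qx81.eml", "README.EXE"), ("zz07.nws", "README.EXE"),
                              ("minutes.eml", "agenda.txt")]:
            (Path(share) / fname).write_bytes(build_sample(attach))
        return scan_share(share)

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for review, not a verdict: legitimate saved mail can also carry executables, so confirm with a scanner running the pattern file named above.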

3. 10 Most Prevalent In-The-Wild Malware Surveyed by Trend Micro US
(week of: September 9, 2001 to September 16, 2001)
------------------------------------------------------------------------
1. TROJ_SIRCAM.A
2. PE_MAGISTR.DAM
3. TROJ_NEWPIC.A
4. TROJ_BLKSTONE.A
5. JS_KAKWORM.A
6. TROJ_BADTRANS.A
7. PE_MARI.A
8. TROJ_CHOKE.A
9. VBS_HAPTIME.A
10. PE_MAGISTR.B

SPECIAL OFFER:
Webmasters, add free virus information updates to your Web site with our
Virus Info Feed. Simply copy and paste a small piece of code to give your visitors a real-time top 10 list and the latest virus advisories.
Setup takes approximately 10 minutes and requires no server-side code on your Web site. All content is updated automatically from Trend Micro's Web site. http://www.antivirus.com/syndication/vinfo/default.asp?ref=nwsltr

4. Top 10 Viruses Trend Micro's US Customers are Most Concerned About
(where systems were not infected)
------------------------------------------------------------------------
1. TROJ_SIRCAM.A
2. PE_MAGISTR.DAM
3. PE_MAGISTR.A
4. JS_KAKWORM.A
5. VBS_HAPTIME.A
6. TROJ_FUNSO.A
7. TROJ_CODERED.C
8. TROJ_APOST.A
9. CODERED.D
10. CODERED.C

5. Test Your Virus Knowledge & Scan Your Computer FREE!
------------------------------------------------------------------------
Do you think you know enough about viruses? Try our new HouseCall quiz as you scan your computer, FREE, for viruses and other malicious code. At the end of the quiz you may be lucky and win 10%, 15%, or even 20% OFF Trend Micro PC-cillin 2000!!

SCAN NOW: http://www.antivirus.com/banners/tracking.asp?si=63&bi=154&ul=http://housecall.antivirus.com

************************************************************************
For questions regarding viruses, please contact the Virus Doctor at
Virus_Doctor@trendmicro.com.
 
For questions regarding products, please contact Tech Support at
support@trendmicro.com.
 
For questions, comments and suggestions about the Weekly Virus Report
please contact our editor at Newsletters@trendmicro.com.
************************************************************************
Received on Sat Sep 22 06:15:15 2001
