*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: September 6, 2002
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/trendsetter/virus_report/
Issue Preview:
1. Trend Micro Updates - Pattern File, Scan Engine, and Antispam Updates
2. Coming Apart - WORM_APART.A (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Current Virus Trends
5. Special Promotion: 10% off PC-cillin 2002
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File, Scan Engine, and Antispam Updates
------------------------------------------------------------------------
PATTERN FILE: 343 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.150 http://www.trendmicro.com/download/engines/
ANTISPAM RELEASES: 338, 339, 400, 401, 402, 403, 404, 405, 406, 407, 408, 409
2. Coming Apart - WORM_APART.A (Low Risk)
------------------------------------------------------------------------
Upon execution, this worm drops a copy of itself in the C:\Windows\System directory. The dropped copy, KERNEL32.DLL_, has the hidden attribute set (the underscore (_) at the end stands for a trailing space, which is part of the filename). The worm then modifies registry settings so that it executes automatically at system startup.
The worm also creates a registry entry that causes DLL files to be treated and executed as EXE files. After dropping its copy and creating its registry entries, it deletes the file that was originally executed.
WORM_APART.A propagates on local area networks by opening network or mapped drives with full access rights. It copies itself to the \WINDOWS\Start Menu\Programs\StartUp\ directory under the filename WINDOWS.EXE.
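The file artifacts described above can be checked against a file listing exported from a suspect host or share. The following Python sketch is an added example, not Trend Micro's code; the function names and the sample listing are constructed, and the trailing-space check is generalised beyond the one filename given in this report.

```python
import ntpath

# Indicators as described in the report text above.
DROP_DIR = "\\windows\\system"
DROP_NAME = "KERNEL32.DLL "            # the trailing space is part of the name
STARTUP_DIR = "\\windows\\start menu\\programs\\startup"
STARTUP_NAME = "WINDOWS.EXE"

def split_entry(line):
    # Strip line endings only, so a trailing space in the name survives.
    # Drive letters and UNC share prefixes are dropped so that local and
    # network paths compare the same way.
    path = line.rstrip("\r\n").replace("/", "\\")
    _drive, rest = ntpath.splitdrive(path)
    directory, name = ntpath.split(rest)
    return directory.lower(), name

def classify(line):
    """Return the list of findings for one path (empty if nothing matches)."""
    directory, name = split_entry(line)
    findings = []
    if name.upper() == DROP_NAME and directory.endswith(DROP_DIR):
        findings.append("dropped-copy")
    elif name != name.rstrip(" "):
        findings.append("trailing-space-name")   # generalised check
    if name.upper() == STARTUP_NAME and directory.endswith(STARTUP_DIR):
        findings.append("startup-copy")
    return findings

def scan(listing):
    """Map each flagged path in a newline-separated listing to its findings."""
    hits = {}
    for line in listing.splitlines():
        found = classify(line)
        if found:
            hits[line] = found
    return hits

# Constructed sample listing (not taken from a real system).
SAMPLE = (
    "C:\\Windows\\System\\KERNEL32.DLL\n"
    "C:\\Windows\\System\\KERNEL32.DLL \n"
    "\\\\FILESRV\\C\\WINDOWS\\Start Menu\\Programs\\StartUp\\WINDOWS.EXE\n"
    "D:\\Docs\\notes.txt \n"
    "C:\\WINDOWS\\WINDOWS.EXE\n"
)
```

The listing must come from a tool that preserves trailing spaces in filenames; a listing that trims them hides the dropped copy behind the legitimate KERNEL32.DLL.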
It has backdoor capabilities and performs the following actions on infected systems:
-gets information about the system and sends it to a remote user (e.g., machine name, system specification, local date and time, operating system version)
-steals cached passwords of MSN accounts, and .NET Messenger information
-sends numerous messages on AIM (AOL Instant Messenger) and mIRC channels
-downloads a file from a Web site
-executes the downloaded file
-performs DoS (Denial of Service) attacks on remote systems
If you would like to scan your computer for WORM_APART.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner at: http://housecall.antivirus.com/
WORM_APART.A is detected and cleaned by Trend Micro pattern file #340 and above.
For additional information about WORM_APART.A, please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_APART.A
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: August 26, 2002 to September 1, 2002)
------------------------------------------------------------------------
1. WORM_KLEZ.H
2. BKDR_IRCSDBOT.G
3. WORM_YAHA.E
4. WORM_DATOM.A
5. JS_GIGGER.A
6. PE_MAGISTR.B
7. PE_MAGISTR.A
8. JS_NOCLOSE.E
9. JS_EXCEPTION.GEN
10. VBS_ARGEN.A
4. Current Virus Trends
------------------------------------------------------------------------
Familiar mixed threats continued to dominate the Trend Micro Top Ten Viruses list (http://www.trendmicro.com/vinfo/) this week, led by WORM_KLEZ.H and its companion, PE_ELKERN.D. Other long-running threats include variants of PE_NIMDA and WORM_SIRCAM from 2001, and PE_FUNLOVE from 1999. The only recent worm on the list is WORM_YAHA, which claimed to be the work of Indian hackers and had a message criticizing Pakistan. It emerged in June, during a time of rising tensions between the two countries.
HTML.IFRMEXP.GEN is Trend Micro's generic detection for email messages that exploit a vulnerability in Microsoft Outlook and other email clients (called Automatic Execution of Embedded MIME Type). The vulnerability causes Internet Explorer to automatically run executable file attachments when an infected email message is opened. Trojans such as WORM_KLEZ.H and WORM_BADTRANS exploit this vulnerability, but generic HTML exploits are often associated with aggressive adware or spyware programs encountered when viewing Web pages, especially at less reputable sites. The rise in HTML exploits in recent weeks could indicate that more sites are turning to this type of software for ad revenue. Alternatively, it could simply reflect an increase in time spent Web surfing by students on summer holiday.
5. Special Promotion: 10% off PC-cillin 2002
------------------------------------------------------------------------
PC-cillin 2002 is a complete Internet-era virus and hacker security solution for your computer and PDA that protects your computer from viruses, hacker attacks, and other Internet security threats. Get it now for 10% off.
With PC-cillin you can begin to enjoy the benefits of:
-Enhanced antivirus scanning
-A Personal Firewall for Internet connection security
-Integrated security for your Personal Digital Assistant (PDA)
Don't Delay. BUY NOW: http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?CID=60874&PN=21&SP=10007&SID=16269&PID=916311
Offer valid for residents of the U.S. and Canada only.
Received on Sat Sep 7 00:15:30 2002