Trend Micro Weekly Virus Report - September 20, 2002

From: Trend Micro Virus Info <VirusInfo_at_trendmicro-newsletters.com>
Date: Sat 21 Sep 2002 - 04:24:44 CEST
Message-ID: <0bb624424021592BLACKBOX3@blackbox3.trendmicro.com>

*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
    
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: September 20, 2002
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/trendsetter/virus_report/

Issue Preview:

1. Trend Micro Updates - Pattern File, Scan Engine, and Antispam Updates
2. New Linux Worm - ELF_SLAPPER.A (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Virus Trends – A Few New Faces
5. Special Offer – 20% Discount on PC-cillin 2002

NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.

************************************************************************

1. Trend Micro Updates - Pattern File, Scan Engine, and Antispam Updates
------------------------------------------------------------------------
PATTERN FILE: 351 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.150 http://www.trendmicro.com/download/engines/
ANTISPAM RELEASES: 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437

2. New Linux Worm - ELF_SLAPPER.A (Low Risk)
------------------------------------------------------------------------
This Linux worm launches a distributed denial of service (DDoS) attack. It uses the User Datagram Protocol (UDP) to execute the attack, and takes advantage of a buffer overflow vulnerability in OpenSSL 0.9.6d, 0.9.7-beta2 and earlier versions. UDP is a protocol that allows connections even to unstable machines, since it does not require error checking.

Upon execution, it connects to a remote machine using UDP on a specified port. The vulnerability allows remote users to execute arbitrary code via a large client master key in SSL2 or a large session ID in SSL3. The exploit appears to determine how the worm attacks a host based on the information the server returns about itself and its version.

This worm links infected machines together by providing each one with a list of available machines. Using a technique called broadcast segmentation combined with TCP-like functionality, this worm ensures that another machine on the network receives the broadcast packet, which it then segments again. Thereafter, it recreates the packet and sends it to other hosts.

This worm attempts to connect to Port 80. Once connected, it sends an invalid GET request to a server to identify whether the machine is an Apache system. Once it finds an Apache system, it attempts to connect to port 443 and sends the exploit code to the listening SSL service on the remote system.

It arrives on the target system as source code with the filename ".bugtraq.c". It uses a Linux shell code exploit that runs only on Intel systems. In order for the code to execute properly, it requires the presence of the shell command /bin/sh. It recompiles itself on each new system. The binary code generated after compilation is executed with an IP address as a parameter. This IP address is the address of the attacking machine and is used to create a network of worm-infected systems, which would launch the distributed denial of service attack.

If you would like to scan your computer for ELF_SLAPPER.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner at: http://housecall.antivirus.com/

ELF_SLAPPER.A is detected and cleaned by Trend Micro pattern file #350 and above.

For additional information about ELF_SLAPPER.A please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF_SLAPPER.A
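
The following host triage check is an added example, not part of the Trend Micro report: it tests a version string against the affected OpenSSL range stated above (0.9.6d, 0.9.7-beta2 and earlier) and searches directory trees for a file named ".bugtraq.c". The function names, the sample version strings and the directories searched in the demo are assumptions made for illustration; the report does not say where the file is written.

```python
import os
import re

# Affected range as stated in the report: 0.9.6d and earlier, 0.9.7-beta2 and earlier.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def is_affected_openssl(version_text):
    """Return True/False for text such as `openssl version` output.

    Returns None when no version can be parsed ("unknown"). Vendor packages
    may carry backported fixes under an old version string, so a True result
    means "check the vendor advisory", not proof of exposure.
    """
    m = _VERSION_RE.search(version_text)
    if not m:
        return None
    release = tuple(int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if beta is not None:
        # A beta precedes its release: 0.9.7-beta2 and earlier betas are affected.
        if release < (0, 9, 7):
            return True
        return release == (0, 9, 7) and int(beta) <= 2
    if release != (0, 9, 6):
        return release < (0, 9, 6)
    return letter <= "d"  # "" (plain 0.9.6) sorts before "a"


def find_worm_source(roots, name=".bugtraq.c"):
    """Return sorted paths of regular files called `name` under the given roots."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, followlinks=False):
            for f in files:
                path = os.path.join(dirpath, f)
                if f == name and os.path.isfile(path) and not os.path.islink(path):
                    hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample strings, not captured from a real host.
    for sample in ("OpenSSL 0.9.6b [engine] 9 Jul 2001", "OpenSSL 0.9.6g 9 Aug 2002"):
        print(sample, "->", is_affected_openssl(sample))
    # Directories chosen for the demo only (assumption).
    print(find_worm_source(["/tmp", "/var/tmp"]))
```
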

3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: September 9, 2002 to September 15, 2002)
------------------------------------------------------------------------
1. WORM_KLEZ.H
2. PE_MAGISTR.B
3. JS_EXCEPTION.GEN
4. JS_NOCLOSE.E
5. BKDR_SUB7.22A
6. WORM_YAHA.E
7. VBS_LOVELETTR.AS
8. TROJ_ULTIMAX.B
9. JS_NOCLOSE.A
10. WORM_DATOM.A

4. Current Virus Trends – A Few New Faces
------------------------------------------------------------------------
WORM_KLEZ.H is still the major threat concerning Trend Micro users, as it remains on track to be the top virus of the year 2002. Some users report concerns over HTML-based malware such as JS_NOCLOSE and JS_EXCEPTION which are associated with browsing disreputable commercial Web sites. Last week's WORM_CHET.A virus grabbed news coverage due to its connection with the events of last September 11th, but had no impact on users as it was crippled by coding flaws which largely prevented its spread. The ELF_SLAPPER.A Internet worm emerged on Friday the 13th as potentially serious malware, but incidents are limited as it targets only Web servers running Linux.

5. Special Offer – 20% Discount on PC-cillin 2002
------------------------------------------------------------------------
Gift your friends and family with a 20% discount on PC-cillin 2002 - complete Internet Security software.

Here's a quick way to show your friends and family you care. Simply pass on this URL to anyone you know and they will automatically receive a special 20% discount on the purchase of PC-cillin 2002:

http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?CID=61746&PN=21&SP=10007&SID=16269&PID=916311

PC-cillin 2002 is a complete Internet-era virus and hacker security solution for your computer and PDA that protects against viruses, hacker attacks, and other Internet security threats. With one click, your friends and family can begin to enjoy the benefits of:

- Enhanced antivirus scanning
- A Personal Firewall for Internet connection security
- Integrated security for your Personal Digital Assistants (PDAs)

Send your friends and family this URL and help them secure their computer: http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?CID=61746&PN=21&SP=10007&SID=16269&PID=916311

Offer expires September 30, 2002.

**Offer applies to residents of the U.S. and Canada only.
