*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: September 27, 2002
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/trendsetter/virus_report/
Issue Preview:
1. Trend Micro Updates - Pattern File, Scan Engine, and Antispam Updates
2. Windows Update Worm – WORM_DELTAD.A (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Current Virus Trends – WORM_KLEZ Yields the Top Spot to WORM_YAHA.E
5. Special Offer – 20% Discount on PC-cillin 2002
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File, Scan Engine, and Antispam Updates
------------------------------------------------------------------------
PATTERN FILE: 353 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.150 http://www.trendmicro.com/download/engines/
ANTISPAM RELEASES: 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, 451
2. Windows Update Worm – WORM_DELTAD.A (Low Risk)
------------------------------------------------------------------------
WORM_DELTAD.A is a mass-mailing worm that modifies the infected user's Internet Explorer home page, causing the browser to point to the Windows Update site every time it is opened. It also drops a Visual Basic Script file, which Trend Micro detects as VBS_DELTAD.A. This VBScript malware propagates the worm as an email attachment with the following details:
Subject: SAP UPDATE
Message body:
All:
Please update your system.
DGSAP
Attachment: WWW.DGSAP.DELTADG.COM.EXE
Upon execution, this mass-mailing worm drops the following files:
-%Root%\WWW.DGSAP.DELTADG.COM.EXE
-%Windows%\SERVER.EXE
-%Windows%\SERVER.TXT.VBS
-%System%\SERVER.EXE
-%System%\SYSTEM.TXT.VBS
The dropped executable files (.EXE) are exact copies of this worm, while the Visual Basic Script (.VBS) files are responsible for propagating this worm via email.
This worm then opens Internet Explorer and goes to the site http://dgwww, which is not a valid Web site. It modifies the registry so that its dropped copies and the mass-mailing VBS components are executed at every Windows startup. It also modifies the registry so that the Internet Explorer home page is the Windows Update Web site.
If you would like to scan your computer for WORM_DELTAD.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner at: http://housecall.antivirus.com/
WORM_DELTAD.A is detected and cleaned by Trend Micro pattern file #352 and above.
For additional information about WORM_DELTAD.A please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DELTAD.A
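The indicators above (subject line, attachment name and dropped-file paths) can be matched against a mail message and a host file listing. The following is an added example, not Trend Micro code; the directory values substituted for %Root%, %Windows% and %System% are assumptions, and the sample mail is constructed.

```python
# Added example (not Trend Micro code): match the WORM_DELTAD.A indicators
# from this report against a mail message and a host file listing.
import email
import ntpath
from email import policy
from email.message import EmailMessage

SUBJECT = "SAP UPDATE"
ATTACHMENT = "WWW.DGSAP.DELTADG.COM.EXE"
DROPPED = [  # paths exactly as listed in the report
    r"%Root%\WWW.DGSAP.DELTADG.COM.EXE",
    r"%Windows%\SERVER.EXE",
    r"%Windows%\SERVER.TXT.VBS",
    r"%System%\SERVER.EXE",
    r"%System%\SYSTEM.TXT.VBS",
]
# Assumption: typical directory values; adjust for the Windows version in use.
DIRS = {"%Root%": "C:", "%Windows%": r"C:\WINDOWS", "%System%": r"C:\WINDOWS\SYSTEM"}

def check_message(raw):
    """Return which mail indicators ("subject", "attachment") a message matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().upper() == SUBJECT:
        hits.append("subject")
    # walk() visits every MIME part; parts without a filename yield "".
    names = {(p.get_filename() or "").strip().upper() for p in msg.walk()}
    if ATTACHMENT in names:
        hits.append("attachment")
    return hits

def check_paths(listing, dirs=DIRS):
    """Return the report's dropped-file entries present in a file listing."""
    # Windows paths are case-insensitive, so compare normalized forms.
    seen = {ntpath.normcase(ntpath.normpath(p)) for p in listing}
    found = []
    for entry in DROPPED:
        token, rest = entry.split("\\", 1)
        if ntpath.normcase(ntpath.normpath(dirs[token] + "\\" + rest)) in seen:
            found.append(entry)
    return found

def sample_message():
    """Constructed sample mail (not a captured message) with mixed-case fields."""
    m = EmailMessage()
    m["Subject"] = "Sap Update"
    m.set_content("All:\nPlease update your system.\nDGSAP\n")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename=ATTACHMENT.lower())
    return m.as_string()
```

A match on file names alone is only a lead: SERVER.EXE is a common name, so confirm any hit with a scanner using pattern file #352 or above.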
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: September 16, 2002 to September 22, 2002)
------------------------------------------------------------------------
1. WORM_YAHA.E
2. WORM_KLEZ.H
3. JS_EXCEPTION.GEN
4. JS_NOCLOSE.E
5. JS_NOCLOSE.A
6. JOKE_RUSS.A
7. VBS_REDLOF.A
8. JS_SEEKER.E1
9. WORM_MYPARTY.A
10. WORM_KLEZ.E
4. Current Virus Trends – WORM_KLEZ Yields the Top Spot to WORM_YAHA.E
------------------------------------------------------------------------
WORM_KLEZ.H remained a major concern for Trend Micro users, but it finally yielded the top spot on our list to WORM_YAHA.E, another 'mixed threat' mass-mailing Internet worm that has been in wide circulation since June. YAHA has been noted for its pro-India, anti-Pakistan political message regarding the dispute over Kashmir. On the technical side, YAHA combines several features introduced by earlier mixed threats in order to propagate rapidly. These include a built-in SMTP engine to mail copies of itself; a lengthy, encrypted list of external SMTP servers to use should it be unable to use that of the host; the ability to spoof IP addresses to conceal its point of origin; and the ability to shut down certain antivirus applications. WORM_KLEZ and WORM_YAHA together accounted for nearly 87% of all reports in the “Most Prevalent In-the-Wild Malware.”
5. Special Offer – 20% Discount on PC-cillin 2002
------------------------------------------------------------------------
Gift your friends and family with a 20% discount on PC-cillin 2002 - complete Internet Security software.
Here's a quick way to show your friends and family you care. Simply pass on this URL to anyone you know and they will automatically receive a special 20% discount on the purchase of PC-cillin 2002:
http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?CID=61746&PN=21&SP=10007&SID=16269&PID=916311.
PC-cillin 2002 is a complete Internet-era virus and hacker security solution for your computer and PDA that protects against viruses, hacker attacks, and other Internet security threats. With one click, your friends and family can begin to enjoy the benefits of:
-Enhanced antivirus scanning
-A Personal Firewall for Internet connection security
-Integrated security for your Personal Digital Assistants (PDAs)
Send your friends and family this URL and help them secure their computer: http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?CID=61746&PN=21&SP=10007&SID=16269&PID=916311
**Offer applies to residents of the U.S. and Canada only.
************************************************************************
Received on Sat Sep 28 00:33:10 2002