Trend Micro Weekly Virus Report - October 4, 2002

From: Trend Virus Info <VirusInfo_at_trendmicro-newsletters.com>
Date: Thu 17 Oct 2002 - 00:24:35 CEST
Message-ID: <0725735242210a2BLACKBOX2@blackbox2.trendmicro.com>

*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
    
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: October 4, 2002
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm

Issue Preview:

1. Trend Micro Updates - Pattern File and Scan Engine Updates
2. Is BUGBEAR Bugging You? – WORM_BUGBEAR.A (Medium Risk)
3. Running Out of Steam - WORM_OPASOFT.A (Low Risk)
4. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
5. Special Offer – 20% Discount on PC-cillin 2002

NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.

************************************************************************

1. Trend Micro Updates - Pattern File and Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 357 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.150 http://www.trendmicro.com/download/engines/

2. Is BUGBEAR Bugging You? – WORM_BUGBEAR.A (Medium Risk)
------------------------------------------------------------------------
Upon execution, WORM_BUGBEAR.A drops a copy of itself in the Windows System directory using a 4-character, semi-randomly generated filename. To ensure its automatic execution at every system startup, it adds a registry entry that terminates antivirus processes and allows the worm to propagate by sending itself via email using its own SMTP (Simple Mail Transfer Protocol) engine. It also propagates via shared network folders.

The email that it sends out contains no message body and uses any of the following as its subject:

-$150 FREE Bonus!
-25 merchants and rising
-Announcement
-bad news
-CALL FOR INFORMATION!
-click on this!
-Confirmation of Recipes…
-Correction of errors
-Daily Email Reminder
-empty account
-fantastic
-free shipping!
-Get 8 FREE issues - no risk!
-Get a FREE gift!
-Greets!
-hello!
-history screen
-hmm..
-I need help about script!!!
-Interesting...
-Introduction
-its easy
-Just a reminder
-Lost & Found
-Market Update Report
-Membership Confirmation
-My eBay ads
-New bonus in your cash account
-New Contests
-new reading
-Payment notices
-Please Help...
-Report
-SCAM alert!!!
-Sponsors needed
-Stats
-Today Only
-Tools For Your Online Business
-update
-various
-Warning!
-Your Gift
-Your News Alert

It spoofs the FROM field of the email, while the TO field contains addresses obtained from the Windows Address Book (WAB).

The email attachment may be one of the following:
- A combination of the text strings setup, card, docs, news, Image, images, pics, resume, photo, video, music, or song data, with any of the extensions SCR, PIF, or EXE.
- An existing system file concatenated with any of the filename extensions SCR, PIF, or EXE.

This worm allows a remote user to connect, thereby compromising network security. It also uses API (Application Program Interface) functions commonly used by keylogger Trojans.

It exploits a known vulnerability on systems with unpatched Internet Explorer 5.01 and 5.5, which automatically runs the executable file attachment when the email message is previewed or opened in Microsoft Outlook and Outlook Express.
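
Added example (not part of the Trend Micro report): a Python mail-triage check that tests a raw message against the traits described above, namely a listed subject, no message body, and an attachment ending in SCR, PIF or EXE. The case-insensitive subject comparison, the substring match on name stems, the is_suspect rule and the build_sample helper are assumptions made for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subjects quoted from the report; lowercased for comparison (an assumption).
SUBJECTS = {s.lower() for s in (
    "$150 FREE Bonus!|25 merchants and rising|Announcement|bad news|"
    "CALL FOR INFORMATION!|click on this!|Confirmation of Recipes…|"
    "Correction of errors|Daily Email Reminder|empty account|fantastic|"
    "free shipping!|Get 8 FREE issues - no risk!|Get a FREE gift!|Greets!|"
    "hello!|history screen|hmm..|I need help about script!!!|Interesting...|"
    "Introduction|its easy|Just a reminder|Lost & Found|Market Update Report|"
    "Membership Confirmation|My eBay ads|New bonus in your cash account|"
    "New Contests|new reading|Payment notices|Please Help...|Report|"
    "SCAM alert!!!|Sponsors needed|Stats|Today Only|update|various|Warning!|"
    "Tools For Your Online Business|Your Gift|Your News Alert").split("|")}
STEMS = ("setup", "card", "docs", "news", "image", "pics", "resume",
         "photo", "video", "music", "song")  # substring match (assumption)
EXTS = (".scr", ".pif", ".exe")

def bugbear_traits(raw):
    """Return the report's traits that a raw RFC 822 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    traits = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        traits.append("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        traits.append("empty-body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXTS):  # only the final extension counts
            traits.append("exec-attachment")
            if any(stem in name for stem in STEMS):
                traits.append("name-stem")
            break
    return traits

def is_suspect(raw):
    t = bugbear_traits(raw)  # triage rule below is assumed, not from the report
    return "exec-attachment" in t and ("subject" in t or "empty-body" in t)

def build_sample(subject, body, attachment):
    """Constructed message for testing; body=None means no body part at all."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    if body is not None:
        m.set_content(body)
    m.add_attachment(b"\x00", "application", "octet-stream", filename=attachment)
    return m.as_bytes()
```

A listed subject alone is not treated as suspect, since several of the subjects ("Report", "update") are common in ordinary mail; the executable attachment is the required trait.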

If you would like to scan your computer for WORM_BUGBEAR.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner at: http://housecall.trendmicro.com/

WORM_BUGBEAR.A is detected and cleaned by Trend Micro pattern file #357 and above.

For additional information about WORM_BUGBEAR.A please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BUGBEAR.A

3. Running Out of Steam – WORM_OPASOFT.A (Low Risk)
------------------------------------------------------------------------
WORM_OPASOFT.A is a memory-resident network worm that propagates via network shared C:\ drives. It attempts to download updated copies of itself from a specific site. At the time of this writing, the download site is not accessible, and is either blocked or currently down.

It drops a copy of itself in the Windows directory of both the local machine and remote machines with shared drives using the name SCRSVR.EXE. Thereafter, it deletes the copy that was originally executed, provided that this copy is not located in the Windows directory. It also drops the files SCRSIN.DAT and SCRSOUT.DAT in the root directory. It uses these files during the information exchange with the Web site. This worm also scans for the computer name and domain name of machines connected to the network. It then attempts to send this information to the download site.

4. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: September 23, 2002 to September 29, 2002)
------------------------------------------------------------------------
1. WORM_KLEZ.H
2. JS_NOCLOSE.E
3. JS_EXCEPTION.GEN
4. REG_STARTPAGE.A
5. BKDR_GLITCH.B
6. VBS_REDLOF.A
7. JS_SEEKER.E1
8. WORM_YAHA.E
9. PE_NIMDA.E
10. PE_MAGISTR.B

5. Special Offer – 20% Discount on PC-cillin 2002
------------------------------------------------------------------------
Gift your friends and family with a 20% discount on PC-cillin 2002 - complete Internet Security software.

Here's a quick way to show your friends and family you care. Simply pass on this URL to anyone you know and they will automatically receive a special 20% discount on the purchase of PC-cillin 2002:

http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?CID=61746&PN=21&SP=10007&SID=16269&PID=916311.

PC-cillin 2002 is a complete Internet-era virus and hacker security solution for your computer and PDA that protects against viruses, hacker attacks, and other Internet security threats. With one click, your friends and family can begin to enjoy the benefits of:

-Enhanced antivirus scanning
-A Personal Firewall for Internet connection security
-Integrated security for your Personal Digital Assistants (PDAs)

Send your friends and family this URL and help them secure their computer: http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?CID=61746&PN=21&SP=10007&SID=16269&PID=916311

**Offer applies to residents of the U.S. and Canada only.

Received on Wed Oct 16 23:59:25 2002
