*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: November 8, 2002
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm
Issue Preview:
1. Trend Micro Updates - Pattern File, Scan Engine, & Antispam Updates
2. FUNLOVE in Disguise – PE_BRID.A (Low Risk)
3. Current Virus Trends - KLEZ and BUGBEAR Dominate
4. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
5. Protect Your Most Important Investment – Your Family – With Net Nanny
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File, Scan Engine, & Antispam Updates
------------------------------------------------------------------------
PATTERN FILE: 379 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.150 http://www.trendmicro.com/download/engines/
ANTISPAM RELEASES: 523-537
2. FUNLOVE in Disguise – PE_BRID.A (Low Risk)
------------------------------------------------------------------------
Upon execution, PE_BRID.A kills all instances of EXPLORER.EXE in memory, so the Windows Start bar and the desktop icons are no longer displayed. It also drops five files, four of which are copies of the virus PE_FUNLOVE.4099. The remaining file is an Outlook Express email file that the virus uses as a template for sending email messages.
It also adds a registry entry so that its copy executes when the infected system is restarted.
PE_BRID.A uses its own SMTP engine to send copies of itself via email to all addresses listed in .HTM and .DBX files of the infected system. The addresses found are also used to spoof the FROM: field of the email message that it sends out. This email exploits a known vulnerability in Internet Explorer-based email clients, known as Automatic Execution of Embedded MIME type, to execute the file attachment automatically. The dropped email message contains the executable attachment registered as the content-type audio/x-wav. When the recipient views the infected email message, the default application associated with audio files is opened (typically Windows Media Player). The embedded .EXE file cannot be viewed in Microsoft Outlook. The email it sends contains the following:
From: Registered Owner
Subject: Registered Organization
Message Body:
Hello,
Product Name: %Product Name%
Product Id: %Product ID%
Product Key: %Product Key%
Process List: A list of currently running processes
Thank you.
Attachment: README.EXE (114,687 Bytes)
It takes the Registered Organization, Registered Owner, Product Name, Product ID, and Product Key from the infected machine. It spawns one of its five dropped files, which stays in memory and infects all files with .EXE, .SCR and .OCX extensions. To infect, it appends the virus code to the end of the target file. It then modifies the first few bytes at the entry point of the target file so that the virus code executes first, before the file's own code.
The file properties of the email attachment, README.EXE, indicate that Trend Microsoft Inc. developed it. Trend Microsoft Inc. is not related to Trend Micro Inc. in any way.
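A mail-gateway check for the mismatch described above, where an executable attachment is declared as audio/x-wav. This is an added example, not Trend Micro's detection logic; the function names, the extension list and the sample message (addresses and stub payload) are constructed for illustration.

```python
import base64
from email import message_from_bytes

# File types Windows runs directly; .exe, .scr and .ocx are the ones the report names.
EXECUTABLE_EXTS = (".exe", ".scr", ".ocx", ".com", ".pif", ".bat")
# Declared types a mail client would hand to a media player or render inline.
MEDIA_PREFIXES = ("audio/", "image/", "video/")


def suspicious_parts(raw: bytes) -> list:
    """Return one finding per MIME part declared as media but carrying an executable."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()            # lower-cased, e.g. "audio/x-wav"
        if not ctype.startswith(MEDIA_PREFIXES):
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.endswith(EXECUTABLE_EXTS):
            reasons.append("executable filename under media content-type")
        if payload[:2] == b"MZ":                   # DOS/PE header magic
            reasons.append("MZ header under media content-type")
        if reasons:
            findings.append({"type": ctype, "name": name, "reasons": reasons})
    return findings


def build_sample(ctype: str, filename: str, body: bytes) -> bytes:
    """Constructed test message; the body is a harmless stub, not a real sample."""
    b64 = base64.b64encode(body).decode()
    return (
        "From: Registered Owner <owner@example.invalid>\r\n"
        "Subject: Registered Organization\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nHello,\r\n"
        f'--b1\r\nContent-Type: {ctype}; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        f"{b64}\r\n--b1--\r\n"
    ).encode()


if __name__ == "__main__":
    for f in suspicious_parts(build_sample("audio/x-wav", "README.EXE", b"MZ\x90\x00stub")):
        print(f)
```

The check keys on the declared type disagreeing with the content, so an attachment honestly declared as application/octet-stream is left to the gateway's ordinary executable-attachment policy.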
If you would like to scan your computer for PE_BRID.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner at: http://housecall.trendmicro.com/
PE_BRID.A is detected and cleaned by Trend Micro pattern file #375 and above.
For additional information about PE_BRID.A please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BRID.A
3. Current Virus Trends - KLEZ and BUGBEAR Dominate
------------------------------------------------------------------------
The WORM_KLEZ.H and WORM_BUGBEAR.A worms continue to dominate Trend Micro's list of in-the-wild malware, accounting for more virus reports than the rest of the Top Ten combined. WORM_BUGBEAR.A, which briefly topped the list after its debut in early October, has fallen behind WORM_KLEZ.H by a considerable margin this week, which suggests that it lacks the staying power of the older threat. WORM_OPASERV.A, another recent threat that erupted the same day as WORM_BUGBEAR.A, continues to spread but at a much lower level of intensity.
Four entries on the list (those beginning with "JS" for JavaScript) reflect malicious exploits that arrive in Web traffic, which have been gradually increasing in number this year. They are downloaded along with Web content when users surf the Internet, and are often associated with "spyware" or "adware" programs that some less-scrupulous Web site operators deploy to cut their costs. Webmasters may also be the victims of these exploits and may not be spreading them intentionally. Users can reduce the chance of harmful Web content reaching their PC by raising the security setting on their browser, keeping their antivirus software up to date, and making sure that real-time virus scanning is enabled.
4. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: October 28, 2002 to November 3, 2002)
------------------------------------------------------------------------
1. WORM_KLEZ.H
2. WORM_BUGBEAR.A
3. JS_EXCEPTION.GEN
4. JS_TRAFFICHBAR.A
5. JS_NOCLOSE.E
6. WORM_OPASERV.A
7. VBS_REDLOF.A
8. JS_NOCLOSE.A
9. WORM_KLEZ.E
10. PE_NIMDA.E
5. Protect Your Most Important Investment – Your Family - with Net Nanny
------------------------------------------------------------------------
Trend Micro has specially partnered with Net Nanny, a leader in Parental Controls software. The new Net Nanny 5.0 software has improved features such as the capability to:
- Filter Web sites with adult content, while providing age-appropriate content for your children.
- Control online chat (including AIM and instant messengers from Yahoo!® and Microsoft)
- Block file sharing of music, images, and videos
- Protect your privacy and freedom of speech online
Buy now and save 65% on Net Nanny 5.0.
Buy Net Nanny 5.0 now for the low price of $14.95
(http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYVljLgKupJjhXiHllLjgxgLlFOLjsqHslpNQJhuV2VR)
**Offer valid for residents of the US and Canada only.
************************************************************************
For questions, comments, and suggestions about the Weekly Virus Report
please contact the Newsletters Editor at newsletters@trendmicro.com.
You are receiving this email from Trend Micro because you have either downloaded a Trend Micro product or have signed up to receive the "Weekly Virus Report." If you would like to change the way you receive email from Trend Micro, please make changes in your account page at http://www.trendmicro.com/subscriptions/default.asp?email=%email%
To UNSUBSCRIBE go to: http://www.trendmicro.com/subscriptions/default.asp?format=unsubscribe
************************************************************************
______________________________________________________________________
This message was sent by Trend Micro's Newsletters Editor using Responsys Interact (TM).
To view our permission marketing policy:
http://www.rsvp0.net
Received on Sat Nov 9 15:53:17 2002
This archive was generated by hypermail 2.1.8 : Mon 29 May 2006 - 05:33:31 CEST