*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: November 27, 2002
DUE TO THE THANKSGIVING HOLIDAY, THE WEEKLY VIRUS REPORT IS BEING RELEASED ON WEDNESDAY, NOVEMBER 27, 2002.
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Destructive Internet Worm – WORM_WINEVAR.A (Medium Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. New! PC-cillin 2003 – Virus Protection and Internet Security for Home Users
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File, Scan Engine, & Antispam Updates
------------------------------------------------------------------------
PATTERN FILE: 397 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.150 http://www.trendmicro.com/download/engines/
2. Destructive Internet Worm – WORM_WINEVAR.A (Medium Risk)
------------------------------------------------------------------------
WORM_WINEVAR.A is a destructive Internet worm that runs on all Windows platforms. It uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate via email. It sends email messages with random subjects to addresses listed in the HTML files of the infected user’s system. When sending email it uses a known exploit that causes the attachment to automatically execute when the message is viewed or previewed on Internet Explorer-based email clients, such as Microsoft Outlook and Outlook Express. This exploit is known as Automatic Execution of Embedded MIME type. This worm is capable of terminating monitoring programs and antivirus products from system memory, and it deletes all files in local drives.
Upon execution, this worm creates a copy of itself in the Windows system folder as WIN<Random numeric value>.PIF. Due to the use of the random string, a new copy of this worm is created in the Windows system folder every time it is executed. It also drops a copy of itself in the Desktop folder as EXPLORER.PIF.
It then creates autostart entries in the registry using the generated file name as the name of the entries. These registry entries allow the dropped copy to execute at startup. After the worm installs itself, it gathers email addresses from HTML files on the system. The email addresses saved in the registry entry are removed upon every subsequent execution and replaced with newly found email addresses. It then uses the default SMTP server to send out email messages containing an attached copy of itself to all the gathered addresses.
On the next bootup, this worm displays a message box containing the following text strings:
Header: Make a fool of oneself
Body: What a foolish thing you have done!
Once the user clicks the OK button, this worm deletes all files from local drives, except files that are currently running on the system.
If no Internet connection is detected, this worm simply drops the file AAVAR.PIF in the Windows system folder, which is a slightly modified version of PE_FUNLOVE.4099. It executes the dropped virus to infect all .EXE files in all folders, except the Windows and Program Files folders.
The subject lines of the email messages sent by the worm are constructed in two ways. The first subject format is used 33% of the time, that is, once in every 3 email messages (where <Registered Owner> is the registered owner of the machine and <Registered Organization> is the organization of the owner):
Subject: AVAR (Association of Anti-Virus Asia Researcher)
Message Body: <Registered Owner> - <Registered Organization>
Attachments:
WIN<random numeric value>.GIF (120 bytes) MUSIC_2.CEO
WIN<random numeric value>.TXT (12.6 KB) MUSIC_1.HTM
The second subject line format is used 66% of the time, that is, for 2 of every 3 email messages (where <Registered Owner> is the registered owner of the machine and <Registered Organization> is the organization of the owner):
Subject: <Registered Organization>
Message Body: <Registered Owner> - <Registered Organization>
Attachments:
WIN<random numeric value>.GIF (120 bytes) MUSIC_2.CEO
WIN<random numeric value>.TXT (12.6 KB) MUSIC_1.HTM
However, at the time of this writing, the virus has a bug that prevents it from completely decoding the second email subject, which leaves the first four generated characters unintelligible. As a result, most of the email messages it sends arrive with the subject format N`4_<Registered Organization>.
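The message traits described above can be checked at a mail gateway. The following is an added example, not Trend Micro code: the function names, verdict labels and the sample message are assumptions made for illustration, and because the report does not say how the attachment names map onto MIME fields, every advertised name is searched.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import collapse_rfc2231_value

# Indicators quoted from the report; searching every advertised name is an assumption.
AVAR_SUBJECT = "AVAR (Association of Anti-Virus Asia Researcher)"
BUGGED_PREFIX = "N`4_"
NAME_RE = re.compile(r"\bWIN\d+\.(?:GIF|TXT)\b|\bMUSIC_1\.HTM\b|\bMUSIC_2\.CEO\b", re.I)

def advertised_names(msg):
    """File names from Content-Disposition filename= and Content-Type name=."""
    found = []
    for part in msg.walk():
        for raw in (part.get_filename(), part.get_param("name")):
            if raw:
                found.append(collapse_rfc2231_value(raw))
    return found

def body_organization(msg):
    """Text after ' - ' in the first inline text/plain part, else None."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            owner, sep, org = part.get_payload().strip().partition(" - ")
            return org.strip() if sep and owner.strip() and org.strip() else None
    return None

def winevar_indicators(raw_message):
    """Return (verdict, hits) for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = str(make_header(decode_header(msg.get("Subject", "")))).strip()
    hits = []
    if subject == AVAR_SUBJECT:
        hits.append("subject:avar")
    elif subject.startswith(BUGGED_PREFIX):
        hits.append("subject:garbled-prefix")
    elif subject and subject == body_organization(msg):
        hits.append("subject:equals-body-organization")  # intended second format
    if any(NAME_RE.search(name) for name in advertised_names(msg)):
        hits.append("attachment:name")
    # Subject checks are mutually exclusive, so two hits means subject plus attachment.
    return ("match" if len(hits) == 2 else "partial" if hits else "none"), hits

# Constructed sample, not a captured message; names and layout are placeholders.
SAMPLE = (
    "Subject: N`4_Example Corp\nContent-Type: multipart/mixed; boundary=b\n\n"
    "--b\n\nJane Doe - Example Corp\n"
    '--b\nContent-Disposition: attachment; filename="WIN4711.TXT (12.6 KB) MUSIC_1.HTM"\n\nx\n'
    "--b--\n"
)
```

The intended second subject format carries no fixed string, so the only subject-side signal for it is that the subject repeats the organization named in the body.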
If you would like to scan your computer for WORM_WINEVAR.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner at: http://housecall.trendmicro.com/
WORM_WINEVAR.A is detected and cleaned by Trend Micro pattern file #397 and above.
For additional information about WORM_WINEVAR.A please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WINEVAR.A
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: November 18, 2002 to November 24, 2002)
------------------------------------------------------------------------
1. WORM_KLEZ.H
2. WORM_BUGBEAR.A
3. WORM_OPASERV.F
4. WORM_OPASERV.A
5. BKDR_MISNOMER.A
6. BKDR_JEEM.A
7. WORM_OPASERV.G
8. JS_NOCLOSE.E
9. REG_STARTPAGE.A
10. PE_SPACES.1445
4. New! PC-cillin 2003 – Virus Protection and Internet Security for Home Users
------------------------------------------------------------------------
Protect your computer and PDA from viruses at home or on the go with PC-cillin 2003. PC-cillin combines advanced virus detection and cleaning with an integrated firewall to safeguard your system from hackers and malicious code threats in email and instant messaging, and while browsing the Internet.
With PC-cillin 2003 you get the benefits of:
-Comprehensive Antivirus Protection
-New! Secure Wireless Internet Access
-New! Proactive Virus Outbreak Notification
-Integrated PDA Protection
New features like Wi-Fi protection help secure your computer when connecting to a wireless LAN, and Outbreak Alert gives you early warning about new viruses.
Buy now* and get all-in-one antivirus security, personal firewall, and PDA protection for 20% off** on single user PC-cillin licenses.
http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?CID=64779&PN=21&SP=10007&SID=16269&PID=1047203
Already a PC-cillin user? You can upgrade to the new version for only $24.95
http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?CID=0&PN=21&SP=10007&SID=16269&PID=1046260
*Offer valid for residents of the US and Canada only.
**Offer expires December 15, 2002
Received on Wed Nov 27 23:11:32 2002