Trend Micro Weekly Virus Report - December 13, 2002

From: Trend Micro Newsletters Editor <newsletters_at_trendmicro.rsc03.com>
Date: Fri 13 Dec 2002 - 23:19:50 CET
Message-Id: <200212132219.gBDMJtf22895@nocoy.ncsh.com>

Trend Micro Weekly Virus Report
(by TrendLabs Global Antivirus and Research Center)
Date: December 13, 2002

Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. CokeBoy Macro Virus - W97M_BEKO.A (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Special Offer: $20 Off and FREE Shipping on PC-cillin 2003!

1. Trend Micro Updates - Pattern File and Scan Engine Updates

PATTERN FILE: 410
SCAN ENGINE: 6.510

2. CokeBoy Macro Virus - W97M_BEKO.A (Low Risk)

W97M_BEKO.A is a macro virus that infects Microsoft Word documents. It infects the Microsoft Word normal template. To execute its viral code, this virus uses the Auto_Open macro, which Microsoft Word calls whenever an infected file is opened.

This macro virus disables the following Microsoft Word settings:

ConfirmConversions
VirusProtection
SaveNormalPrompt

On infected systems, it automatically converts Microsoft Word documents from older versions to later versions, whenever applicable, and updates the Microsoft Word normal template (NORMAL.DOT). On Microsoft Word 2000 or 2002, it adds registry entries that set the Security Level of the system to "Low", allowing macros to execute automatically without prompting the user. The virus also allows WordBasic macros to execute automatically.

Upon first execution of an infected file, the virus copies its code to the normal template, NORMAL.DOT. This allows it to automatically infect opened documents on subsequent opening of Microsoft Word.

It creates a CokeBoy folder in the Windows directory, and then drops a Visual Basic Script (VBS) file with a file name composed of eight random digits. This script file is responsible for the mass-mailing routine of the virus. It also uses Microsoft Outlook to send copies of itself to all email addresses in the infected system's address book. It arrives in an email with the following:

Subject: <filename of infected file without extension>
Message Body: A confidential document is for you.. only for u!
Attachment: <infected file>

The VBS file adds a registry entry so that it executes at every Windows startup.

When the system date is the 29th of any month, this macro virus displays a message box containing the text strings:

This Document is infected by CokeBoy Worm.

Whenever the user of the infected system selects Help > About Microsoft Word in the menu bar, the Microsoft Office Assistant appears with this message and an OK button:

W97M.Coke2002 by CokeBoy (c)2002

When the user clicks OK, the virus overwrites the active document with these text strings:

I'm Coke, a bottled drink!! I'm not dangerous.
You are being hit by the evil Coke worm!
CokeBoy newest drink worm.. you gotta see it!
CokeBoy newest drink worm.. you gotta believe it!
CokeBoy newest drink worm.. you gotta taste!
CokeBoy newest drink worm.. you gotta get it!
CokeBoy newest drink worm.. you gotta buy it!
CokeBoy newest drink worm.. you gotta try it!
CokeBoy newest drink worm.. you gotta drink it!
CokeBoy newest drink worm.. you gotta love it!

If you would like to scan your computer for W97M_BEKO.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner at: http://housecall.trendmicro.com

W97M_BEKO.A is detected and cleaned by Trend Micro pattern file #408 and above.

3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: December 2, 2002 to December 8, 2002)

WORM_KLEZ.H
WORM_BUGBEAR.A
JS_EXCEPTION.GEN
WORM_FRIENDGRT.B
JS_NOCLOSE.E
WORM_OPASERV.F
WORM_OPASERV.A
WORM_OPASERV.H
WORM_OPASERV.G
WORM_OPASERV.E

4. Special Offer: $20 Off and FREE Shipping on PC-cillin 2003!

Protect your computer and PDA from viruses at home, or on the go, with PC-cillin 2003. PC-cillin combines advanced virus detection and cleaning with an integrated firewall to safeguard your system from hackers and malicious code threats in email and instant messaging, and while browsing the Internet.

With PC-cillin 2003 you get the benefits of:

Comprehensive Antivirus Protection
New! Secure Wireless Internet Access
New! Proactive Virus Outbreak Notification
Integrated PDA Protection

New features like Wi-Fi protection help secure your computer when connecting to a wireless LAN network, and Outbreak Alert gives you early warning about new viruses.

Special: Prefer a boxed copy of PC-cillin on CD instead of the downloadable version? For a limited time** shipping is FREE!

Buy now and get all-in-one antivirus security, personal firewall, and PDA protection for $20 off** on single user PC-cillin licenses.
Already a PC-cillin user? Upgrade to PC-cillin 2003 for only $24.95

**Offer expires December 31st, 2002 and is valid for residents of the U.S. and Canada only

For questions, comments, and suggestions about the Weekly Virus Report please contact the Newsletters Editor at newsletters@trendmicro.com.

Received on Fri Dec 13 23:19:59 2002
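
The W97M_BEKO.A indicators listed in section 2 can be turned into simple triage checks. The following is an added example, not part of the Trend Micro newsletter: it flags a message whose body carries the reported text and whose subject equals an attachment's file name without extension, and flags a path shaped like the dropped script. The `.vbs` extension, the function names and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Message body text quoted in the report.
BODY_MARKER = "A confidential document is for you.. only for u!"
# Report: file name of eight random digits; the .vbs extension is assumed.
DROPPED_VBS = re.compile(r"^\d{8}\.vbs$", re.IGNORECASE)


def matches_beko_mail(raw: str) -> bool:
    """True when body marker is present AND Subject == attachment name stem."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    body_hit, stems = False, set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:  # attachment: remember its name without the extension
            stems.add(PureWindowsPath(name).stem.lower())
        elif part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            body_hit |= BODY_MARKER.lower() in payload.decode("latin-1").lower()
    return body_hit and bool(subject) and subject in stems


def is_dropped_script(path: str) -> bool:
    """True for a path of the form <dir>\\CokeBoy\\<eight digits>.vbs."""
    p = PureWindowsPath(path)
    return p.parent.name.lower() == "cokeboy" and bool(DROPPED_VBS.match(p.name))


def constructed_mail(subject: str, body: str, attachment: str) -> str:
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content(body)
    m.add_attachment(b"\x00", maintype="application", subtype="msword",
                     filename=attachment)
    return m.as_string()


if __name__ == "__main__":
    print(matches_beko_mail(constructed_mail("Q4 budget", BODY_MARKER, "Q4 budget.doc")))
    print(is_dropped_script(r"C:\WINDOWS\CokeBoy\48201937.vbs"))
```

Requiring both the body text and the subject/attachment match keeps ordinary mail with a Word attachment from being flagged on either signal alone.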
