*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: December 20, 2002
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Windows 2000/XP Worm – WORM_LIOTEN.A (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Special Offer: $20 Off and FREE Shipping on PC-cillin 2003!
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 412 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engines/
2. Windows 2000/XP Worm – WORM_LIOTEN.A (Low Risk)
------------------------------------------------------------------------
WORM_LIOTEN.A is a network worm that spreads to, and executes only on, systems running Windows 2000/XP/.NET. It spreads to randomly chosen Windows 2000/XP/.NET hosts by combining two techniques: an anonymous null session to the \IPC$ share (SMB service) to enumerate the target's account names, and a brute force attack with a short list of weak passwords against those accounts to obtain an authenticated SMB session with write access to the target's administrative shares. After it has copied itself to a target machine, it schedules a job to execute the copy there. You may obtain more information about null sessions by visiting Microsoft's Web site at: http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/proddocs/windows_security_differences.asp
Upon execution, this worm explicitly checks whether the system is running Windows 2000/XP/.NET; if not, it terminates immediately. It then searches for the NETAPI32.DLL module and loads it, terminating if the DLL cannot be found or loaded. From that module it requires the following API functions in order to spread:
-NetUserEnum (enumerates the user accounts on a remote system)
-NetRemoteTOD (reads the time of day on a remote system)
-NetApiBufferFree (releases the buffers the Net* calls return)
-NetScheduleJobAdd (submits a job to the Schedule service on a remote system)
The worm creates 100 threads and then sleeps for 4,294,967,295 milliseconds, waiting for the threads to finish. Taken literally that is approximately 50 days, but the value is 0xFFFFFFFF, which the Win32 API defines as INFINITE, so in practice the main thread waits indefinitely. Each thread connects to random IP addresses generated with a pseudo-random function seeded with the system tick count. If the connection to a random IP address succeeds, the thread performs a reverse DNS lookup to obtain the corresponding host name, then uses that name to connect to the SMB service and access the \IPC$ share.
The worm opens an anonymous null session (a connection to \IPC$ with an empty user name and password) on the target system and calls the NetUserEnum Application Program Interface (API) to obtain the list of account names. It then tries each of the following passwords against those accounts as its weak password brute force attack to gain access to the remote shares:
admin
root
111
123
1234
123456
654321
1
!@#$
asdf
asdfgh
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
server
Once it has successfully logged on and gained write access to the administrative shares, it copies itself as IRAQ_OIL.EXE to the following directories:
\c$\winnt\system32\
\Admin$\system32\
Then, it schedules the copy to execute after 1 to 2 minutes have elapsed on the newly infected system. This is the step the NetRemoteTOD and NetScheduleJobAdd imports listed above serve: the first reads the target's clock so the job time is relative to it, the second submits the job to the target's Schedule service.
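The spread sequence described above leaves a recognisable trail on the victim's Security log: a burst of failed logons from one source against several enumerated accounts, a successful network logon from the same source, then a scheduled task being created. The script below turns that into a detection over sample log lines. It is an added example, not code from the Trend Micro report; it assumes a constructed, simplified one-record-per-line export (timestamp|event ID|account|source) with the Windows 2000/XP event IDs 529 (logon failure), 540 (successful network logon) and 602 (scheduled task created); the hosts, accounts and times in the sample are made up.

```python
"""Flag the logon pattern a LIOTEN-style spread leaves in a Windows 2000/XP
Security log: many failed logons from one source across several accounts in
a short window (the weak-password brute force), then a successful network
logon from that source, then a scheduled task creation.

Added example, not code from the Trend Micro report. Log format is a
constructed, simplified export: 'timestamp|event_id|account|source'.
Event IDs are the Windows 2000/XP values: 529 logon failure (unknown user
name or bad password), 540 successful network logon, 602 scheduled task
created. Hosts, accounts and times below are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.7 sprays two enumerated accounts, gets in as
# 'backup' and queues a job; 10.0.0.9 is a user who mistyped a password once.
SAMPLE_LOG = """\
2002-12-18T02:14:05|529|Administrator|10.0.0.7
2002-12-18T02:14:06|529|Administrator|10.0.0.7
2002-12-18T02:14:06|529|Administrator|10.0.0.7
2002-12-18T02:14:07|529|Administrator|10.0.0.7
2002-12-18T02:14:08|529|backup|10.0.0.7
2002-12-18T02:14:08|529|backup|10.0.0.7
2002-12-18T02:14:09|529|backup|10.0.0.7
2002-12-18T02:14:09|529|backup|10.0.0.7
2002-12-18T02:14:10|529|backup|10.0.0.7
2002-12-18T02:14:10|540|backup|10.0.0.7
2002-12-18T02:14:12|602|backup|10.0.0.7
2002-12-18T02:30:44|529|jsmith|10.0.0.9
2002-12-18T02:30:51|540|jsmith|10.0.0.9
"""


def parse_log(text):
    """Parse 'timestamp|event_id|account|source' lines into tuples sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, account, source = line.split("|")
        records.append((datetime.fromisoformat(ts), int(event_id), account, source))
    return sorted(records)


def detect_spread(records, window=timedelta(seconds=120), min_failures=8, min_accounts=2):
    """Return {source: finding} for every source whose densest run of failed
    logons inside `window` holds at least min_failures attempts spread over at
    least min_accounts distinct accounts. The finding also records whether a
    successful network logon followed the burst and whether that source then
    created a scheduled task, which is the worm's execution step."""
    by_source = defaultdict(list)
    for rec in records:
        by_source[rec[3]].append(rec)

    findings = {}
    for source, recs in by_source.items():
        failures = [r for r in recs if r[1] == 529]
        # Two-pointer scan for the densest run of failures within the window.
        best, lo = [], 0
        for hi in range(len(failures)):
            while failures[hi][0] - failures[lo][0] > window:
                lo += 1
            if hi - lo + 1 > len(best):
                best = failures[lo:hi + 1]
        if len(best) < min_failures:
            continue
        accounts = sorted({r[2] for r in best})
        if len(accounts) < min_accounts:
            continue
        last_fail = best[-1][0]
        success = next((r for r in recs if r[1] == 540 and r[0] >= last_fail), None)
        task_created = success is not None and any(
            r[1] == 602 and r[0] >= success[0] for r in recs)
        findings[source] = {
            "failures": len(best),
            "accounts": accounts,
            "first_seen": best[0][0].isoformat(),
            "success_as": success[2] if success else None,
            "scheduled_task": task_created,
        }
    return findings


if __name__ == "__main__":
    for source, finding in detect_spread(parse_log(SAMPLE_LOG)).items():
        print(source, finding)
```

The thresholds are the knobs to tune: a source that fails a handful of times against one account is a user, while one that fails against several accounts it could only have learned by enumeration, within seconds, and then logs on and queues a job, is the worm. A hit with "scheduled_task" set means the copy is already staged on that host, so the response is to remove the job and the IRAQ_OIL.EXE copy, not just to reset the password.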
If you would like to scan your computer for WORM_LIOTEN.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner at: http://housecall.trendmicro.com/
WORM_LIOTEN.A is detected and cleaned by Trend Micro pattern file #412 and above.
For additional information about WORM_LIOTEN.A please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LIOTEN.A
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: December 9, 2002 to December 15, 2002)
------------------------------------------------------------------------
1. WORM_YAHA.G
2. WORM_KLEZ.H
3. JS_NOCLOSE.E
4. JS_EXCEPTION.GEN
5. WORM_OPASERV.H
6. WORM_OPASERV.F
7. WORM_OPASERV.A
8. WORM_OPASERV.E
9. WORM_BUGBEAR.A
10. WORM_OPASERV.G
4. Special Offer: $20 Off and FREE Shipping on PC-cillin 2003!
------------------------------------------------------------------------
Protect your computer and PDA from viruses at home, or on the go, with PC-cillin 2003. PC-cillin combines advanced virus detection and cleaning with an integrated firewall to safeguard your system from hackers and malicious code threats in email and instant messaging, and while browsing the Internet.
With PC-cillin 2003 you get the benefits of:
-Comprehensive Antivirus Protection
-New! Secure Wireless Internet Access
-New! Proactive Virus Outbreak Notification
-Integrated PDA Protection
New features like Wi-Fi protection help secure your computer when connecting to a wireless LAN network, and Outbreak Alert gives you early warning about new viruses.
Special: Prefer a boxed copy of PC-cillin on CD instead of a downloadable version? For a limited time** shipping is FREE!
Buy now <http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?SP=10007&PN=5&CID=66835&SID=16269&PID=474268> and get all-in-one antivirus security, personal firewall, and PDA protection for $20 off** on single user PC-cillin licenses.
Already a PC-cillin user? Upgrade <http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?SP=10007&PN=5&CID=66836&SID=16269&PID=474651> to PC-cillin 2003 for only $24.95.
**Offer expires December 31st, 2002 and is valid for residents of the U.S. and Canada only
______________________________________________________________________
This message was sent by Trend Micro's Newsletters Editor using Responsys Interact (TM).
Received on Sat Dec 21 04:04:18 2002