*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: January 10, 2003
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Beware of Avril Lavigne – WORM_LIRVA.C (Medium Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 435 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engines/
2. Beware of Avril Lavigne – WORM_LIRVA.C (Medium Risk)
------------------------------------------------------------------------
WORM_LIRVA.C is a multi-threaded mass-mailing worm that propagates via mapped network-shared drives, IRC, ICQ, and KaZaa Peer-to-Peer file sharing. This malware uses its own SMTP engine to propagate via email.
WORM_LIRVA.C drops two copies of itself in the Windows temporary directory. The first copy has a file name randomly selected from a list of 21 possible file names. The second copy has a random file name with an extension of .TFT. It drops a copy of itself in the Windows system folder using an 11-character random file name and an .EXE extension. It also drops a text file in the Windows TEMP directory using the name AVRIL-II.INF. Then, it creates a registry entry that allows it to execute at every Windows startup.
It arrives via email, in HTML format with a spoofed sender’s email address in the “From” line. The Subject line is chosen from one of 16 possible selections and the Message Body contains one of four possible selections. The attachment can be one of 21 possible selections.
This malware also has the capability to download an updated copy of itself. It tries to download from any of these Web sites below (all of these sites are currently down):
http://web.host.kz/avril_lavigne/Avril.exe
http://web.host.kz/avril/Avril.exe
http://web.host.kz/avril_ii/Avril.exe
In addition, this malware tries to download a possible backdoor from any of the Web sites below (all of these sites are currently down):
http://web.host.kz/avril_lavigne/Bo2k_upx.exe
http://web.host.kz/avril/Bo2k_upx.exe
http://web.host.kz/avril_ii/Bo2k_upx.exe
After downloading the backdoor and saving the file as Bo2K.exe in the System folder, it creates a registry entry so the backdoor is executed at every Windows startup.
This malware also retrieves cached passwords and sends them to a specific email address, and it has the capability to terminate antivirus processes. On the 7th, 11th, and 24th of every month, this worm opens the default browser to http://www.avril-lavigne.com, and displays a window with spiral colors.
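As an added example, not part of Trend Micro's report, the following Python triage routine checks a host's file listing and its autorun entries for the drop-and-persist behaviour described above (AVRIL-II.INF and .TFT copies in TEMP, Bo2K.exe and an 11-character random .EXE in the system folder, and startup entries pointing at those files). The file paths and autorun value names are constructed sample data; the report does not name the registry key used, so autorun entries are assumed to be already collected as a name-to-target mapping.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample host snapshot (not real telemetry): files seen on disk
# and autorun entries collected from the startup locations, as name -> target.
SAMPLE_FILES = [
    r"C:\WINDOWS\TEMP\AVRIL-II.INF",
    r"C:\WINDOWS\TEMP\k3j8d2.TFT",
    r"C:\WINDOWS\SYSTEM32\Bo2K.exe",
    r"C:\WINDOWS\SYSTEM32\qwertyuiopa.exe",
    r"C:\WINDOWS\SYSTEM32\kernel32.dll",
]
SAMPLE_AUTORUNS = {
    "Avril": r"C:\WINDOWS\SYSTEM32\qwertyuiopa.exe",   # assumed value name
    "Bo2K": r"C:\WINDOWS\SYSTEM32\Bo2K.exe",           # assumed value name
    "SystemTray": r"C:\WINDOWS\SYSTEM32\stray.exe",    # benign-looking control entry
}

SYSTEM_DIRS = {"SYSTEM", "SYSTEM32"}
# 11 alphanumeric characters plus .EXE, matching the random-name drop in the system folder.
RANDOM_EXE = re.compile(r"^[A-Za-z0-9]{11}\.exe$", re.IGNORECASE)


def triage_files(paths):
    """Return (indicator, path) pairs for files matching the described drop locations."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        folder = p.parent.name.upper()
        name = p.name.upper()
        if folder == "TEMP" and name == "AVRIL-II.INF":
            hits.append(("avril_ii_inf_marker", raw))
        elif folder == "TEMP" and p.suffix.upper() == ".TFT":
            hits.append(("tft_copy_in_temp", raw))
        elif folder in SYSTEM_DIRS and name == "BO2K.EXE":
            hits.append(("bo2k_backdoor", raw))
        elif folder in SYSTEM_DIRS and RANDOM_EXE.match(p.name):
            # Weak on its own; meaningful when an autorun entry also points at it.
            hits.append(("random_11char_exe_in_system", raw))
    return hits


def triage_autoruns(entries, file_hits):
    """Return (value_name, target) for startup entries whose target is a flagged file."""
    flagged = {path.upper() for _, path in file_hits}
    return [(n, t) for n, t in entries.items() if t.upper() in flagged]


if __name__ == "__main__":
    found = triage_files(SAMPLE_FILES)
    for indicator, path in found:
        print(f"{indicator}: {path}")
    for name, target in triage_autoruns(SAMPLE_AUTORUNS, found):
        print(f"persistence: {name} -> {target}")
```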
If you would like to scan your computer for WORM_LIRVA.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/
WORM_LIRVA.C is detected and cleaned by Trend Micro pattern file #435 and above.
For additional information about WORM_LIRVA.C please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LIRVA.C
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: December 30, 2002 to January 5, 2003)
------------------------------------------------------------------------
1. WORM_YAHA.K
2. WORM_KLEZ.H
3. JS_EXCEPTION.GEN
4. WORM_BUGBEAR.A
5. JS_NOCLOSE.E
6. JS_SEEKER.E1
7. VBS_REDLOF.A
8. JOKE_RUSS.A
9. REG_STARTPAGE.A
10. WORM_OPASERV.E