*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: January 31, 2003
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Hello M, This is Q – WORM_OPASERV.Q (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Trend Micro Expands Enterprise Protection Strategy (EPS)
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 451 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engine.asp
2. Hello M, This is Q – WORM_OPASERV.Q (Low Risk)
------------------------------------------------------------------------
WORM_OPASERV.Q propagates via network shared C:\ drives and downloads an
executable file from a specific Web site. It modifies the registry of
infected systems so that it executes automatically at every Windows
startup. This worm runs on all Windows platforms.
Upon execution, this worm deletes the following files from the Windows
directory:
%Windows%\SCRSVR.EXE
%Windows%\ALEVIR.EXE
%Windows%\BRASIL.EXE
The above files are the dropped files of earlier variants of this worm.
After the initialization process, the worm creates three threads that
execute concurrently (Infect, Search, and Update). Each thread executes
one routine of this worm and uses a separate path of execution.
The Infect thread is the first thread that this worm creates. It listens
for connections from other machines on the same network domain as the
infected system, and enables infection of other systems where it has
write access in the network.
The worm utilizes the Share Level Password exploit to infect the network
shares. This allows the worm to access password-protected shares in
Windows 95, 98, and ME systems.
The second thread that this worm creates, the Search thread, searches
shared network C:\ drives. It repeatedly searches for machines in the same
network domain that have shared C:\ drives. Once it has received a reply
to the share access request, the first thread connects and the second
thread continues to scan the domain for other possible shares to infect.
The third thread, the Update thread, is responsible for obtaining an
updated copy of the worm from a specific Web site. It is also capable
of processing commands from the remote Web site. Then, it sends this
information using the data stored in the two local files SRV32.DAT and
SRVOUT.DAT in the C:\ folder. The files are encrypted to prevent the user
of the infected system from tampering with or viewing the data. The worm
repeats some of the functions in the threads in an infinite loop, making
the process memory-resident.
If you would like to scan your computer for WORM_OPASERV.Q or thousands of
other worms, viruses, Trojans and malicious code, visit HouseCall, Trend
Micro's free, online virus scanner at: http://housecall.trendmicro.com/
WORM_OPASERV.Q is detected and cleaned by Trend Micro pattern file #449 and
above.
For additional information about WORM_OPASERV.Q please visit:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASERV.Q
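
Added example (not part of the Trend Micro report): a small triage helper
that checks a host's file and share inventory against the artifacts named
above. The inventory format, the C:\WINDOWS default and the function names
are assumptions made for this sketch; the sample data is constructed.

```python
from pathlib import PureWindowsPath

# File names below are the ones named in the report text.
EARLIER_VARIANT_DROPS = {"scrsvr.exe", "alevir.exe", "brasil.exe"}  # %Windows%
UPDATE_THREAD_DATA = {"srv32.dat", "srvout.dat"}                    # C:\ folder

# Constructed sample inventory for one host (not real data).
SAMPLE_FILES = [
    r"C:\WINDOWS\NOTEPAD.EXE",
    r"c:\windows\Brasil.exe",
    r"C:\SRV32.DAT",
    r"C:\SRVOUT.DAT",
    r"C:\TEMP\SCRSVR.EXE",  # right name, wrong directory: not reported
]
SAMPLE_SHARES = [("C", "C:\\"), ("DOCS", r"C:\My Documents"), ("PRINTER$", "")]


def triage_files(paths, windows_dir=r"C:\WINDOWS"):
    """Return (path, reason) pairs for files matching the report's artifacts.

    windows_dir is an assumption; pass the host's real %Windows% value.
    PureWindowsPath compares case-insensitively, as Windows does.
    """
    win = PureWindowsPath(windows_dir)
    root = PureWindowsPath("C:\\")
    findings = []
    for raw in paths:
        p = PureWindowsPath(raw.strip())
        name = p.name.lower()
        if p.parent == win and name in EARLIER_VARIANT_DROPS:
            findings.append((str(p), "dropped file of an earlier OPASERV variant"))
        elif p.parent == root and name in UPDATE_THREAD_DATA:
            findings.append((str(p), "OPASERV.Q Update thread data file"))
    return findings


def root_shares(shares):
    """Return names of shares that expose the root of C:, which is what the
    Search thread looks for. `shares` is an iterable of (name, path)."""
    hits = []
    for name, path in shares:
        p = PureWindowsPath(path.strip())
        if p.drive.lower() == "c:" and len(p.parts) == 1:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for path, why in triage_files(SAMPLE_FILES):
        print(f"{path}: {why}")
    print("shares exposing the C: root:", root_shares(SAMPLE_SHARES))
```
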
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: January 20, 2003 to January 26, 2003)
------------------------------------------------------------------------
1. WORM_KLEZ.H
2. JS_SEEKER.E1
3. JS_NOCLOSE.E
4. JS_EXCEPTION.GEN
5. WORM_BUGBEAR.A
6. WORM_YAHA.K
7. VBS_REDLOF.A
8. WORM_SOBIG.A
9. WORM_OPASERV.E
10. PE_NIMDA.E
4. Trend Micro Expands Enterprise Protection Strategy (EPS)
------------------------------------------------------------------------
Trend Micro's Enterprise Protection Strategy (EPS) is an industry-unique
approach to addressing mixed-threat attacks based on the coordination of
any Trend Micro products and services, and the expertise of TrendLabs, to
address each stage of what the company has termed the outbreak lifecycle:
outbreak prevention, virus response, and assessment and restoration.
With the expansion of EPS, IT Managers can take advantage of a range of
new products, services, and architectural enhancements that assist in the
management of outbreaks across multiple points of the corporate network.
Products and services announced are designed to further address the common
challenges faced by IT Managers when dealing with virus and malicious code
outbreaks, from coordinating security policies across many different devices,
platforms, and systems in different geographic locations to determining the
overall effectiveness of current security investments and procedures.
Read more about Trend Micro's Enterprise Protection Strategy at
http://www.trendmicro.com/en/products/eps/eps/evaluate/overview.htm
Read what Industry Analysts are saying about EPS at
http://www.trendmicro.com/en/products/eps/eps/evaluate/industry-quotes.htm
************************************************************************
You are receiving this email from Trend Micro, because you have either
downloaded a Trend Micro product or have signed up to receive the "Weekly
Virus Report."
For questions, comments, and suggestions about the Weekly Virus Report
please contact the Newsletters Editor at newsletters@trendmicro.com.
************************************************************************
Received on Fri Jan 31 22:31:27 2003