*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: February 14, 2003 - HAPPY VALENTINE'S DAY
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Email Worm - WORM_IXAS.A (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. This Valentine's Day, Protect the Ones you Love - $20 off PC-cillin
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 459 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engine.asp
2. Email Worm - WORM_IXAS.A (Low Risk)
------------------------------------------------------------------------
WORM_IXAS.A is a non-destructive, non-memory-resident worm that propagates via email using the Messaging Application Programming Interface (MAPI) or Simple Mail Transfer Protocol (SMTP). It runs on Windows 95, 98, ME, NT, 2000 and XP platforms, and exploits a known vulnerability affecting unpatched Internet Explorer-based clients, commonly known as Automatic Execution of Embedded MIME Type. This vulnerability enables email attachments to execute automatically, without the recipient opening or double-clicking them.
Upon execution, WORM_IXAS.A drops a copy of itself, under a random file name, in the Windows system folder. It also checks the system for a specific registry entry, which serves as the worm's infection marker. If the entry is found, the worm terminates immediately. Otherwise, it creates an entry whose random name is taken from the name of its dropped file.
Then, it drops a copy of itself in the Windows system folder. It also creates an auto-run registry entry that allows it to automatically execute at every system startup.
Using its own SMTP engine, the worm propagates via email by connecting to a remote Web site, or by replying to an incoming email message via MAPI. The details of the email that it sends are as follows:
  From: <file name>@delfi.lt
  Subject: <randomly selected from any of the following>
    Gift for you
    Urgent NEWs
    EBAY Update
    Antivirus Update
    Urgent Windows UPDATE
    Hi, look this attcahment
    Hello, please wisit this nice site
  Message Body: <blank>
  Attachment: <filename>.exe
The email message has a spoofed "From:" field made up of a randomly generated base name combined with "delfi", which is the domain name for its email address. The <filename> is the base file name of the dropped copy of the worm, so that if the dropped copy is YPACWW.EXE, the email address will be ypacww@delfi.lt.
This worm also sends itself to other target recipients using MAPI, by replying to incoming email messages with the following:
  Subject: Re:
  Message Body:
    I reply as soon as possible to your email
    You wrote:----------
  Attachment: <filename>
It also stores the email addresses of its recipients who were already sent an infected email.
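Added example (not part of the original Trend Micro report): a Python mail-filter check built from the message traits listed above, including the link between the spoofed sender's local part and the attachment name. The function names, the flagging rule and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Subject lines quoted in the report, kept verbatim (including the worm's typos).
IXAS_SUBJECTS = {
    "gift for you", "urgent news", "ebay update", "antivirus update",
    "urgent windows update", "hi, look this attcahment",
    "hello, please wisit this nice site",
}
REPLY_MARKER = "i reply as soon as possible to your email"

def build_sample(sender, subject, body, attachment):
    """Build a constructed test message (placeholder bytes, not a real sample)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_string()

def ixas_indicators(raw):
    """Return which traits from the report a raw RFC 822 message shows."""
    msg = message_from_string(raw)
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().partition("@")
    subject = (msg.get("Subject") or "").strip().lower()
    names = [p.get_filename().lower() for p in msg.walk() if p.get_filename()]
    body = "".join(p.get_payload(decode=True).decode("latin-1")
                   for p in msg.walk()
                   if p.get_content_type() == "text/plain" and not p.get_filename())
    checks = [
        ("from-domain", domain == "delfi.lt"),
        ("subject", subject in IXAS_SUBJECTS),
        # Sender local part equals the attachment's base name (ypacww / YPACWW.EXE).
        ("sender-matches-attachment", bool(local) and f"{local}.exe" in names),
        ("blank-body-with-attachment", bool(names) and not body.strip()),
        # MAPI reply: real sender, "Re:" subject, fixed body text, attachment.
        ("mapi-reply-template", subject.startswith("re:") and bool(names)
         and REPLY_MARKER in body.lower()),
    ]
    return [name for name, hit in checks if hit]

def looks_like_ixas(raw):
    """Flag on either strong trait, or on two weaker ones (assumed threshold)."""
    hits = ixas_indicators(raw)
    strong = {"sender-matches-attachment", "mapi-reply-template"}
    return bool(strong & set(hits)) or len(hits) >= 2

if __name__ == "__main__":
    print(ixas_indicators(build_sample("ypacww@delfi.lt", "Urgent NEWs", "", "YPACWW.EXE")))
```

Because the worm's MAPI replies come from the infected user's real address, the reply-template trait does not depend on the delfi.lt sender domain.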
If you would like to scan your computer for WORM_IXAS.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/
WORM_IXAS.A is detected and cleaned by Trend Micro pattern file #456 and above.
For additional information about WORM_IXAS.A please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_IXAS.A
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: February 3, 2003 to February 9, 2003)
------------------------------------------------------------------------
1. WORM_KLEZ.H
2. JS_EXCEPTION.GEN
3. PE_FUNLOVE.4099
4. PE_ELKERN.D
5. VBS_MCON.C
6. TROJ_SUA.A
7. WORM_LIRVA.A
8. TROJ_SMALL.J
9. JS_NOCLOSE.E
10. WORM_OPASERV.I
4. This Valentine's Day, Protect the Ones you Love - $20 off PC-cillin
------------------------------------------------------------------------
Newly released PC-cillin(tm) 2003 offers enhanced security to help protect your PC, PDA, and wireless devices from viruses, hacker attacks, and other Internet security threats.
With PC-cillin you get the benefits of:
-Enhanced Antivirus Scanning - Secure your computer against viruses transmitted through the Internet, email, and Instant Messaging
-Personal Firewall Protection - Fend off hackers and malicious programs with a personal firewall
-Integrated Wireless Security for PDAs - Protect the important information on your personal digital assistant and secure your PC during synchronization
New features like Wi-Fi protection help secure your computer when connecting to a wireless LAN, and Outbreak Alert gives you early warning about new viruses.
Save $20** and give the gift of security to your loved ones with the newest version of PC-cillin. Pay only $29.95 to completely protect your computer and PDA.
Visit URL:
http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?SP=10007&PN=5&CID=67217&SID=16269&PID=474268
** Offer expires February 15, 2003. Offer valid in North America and Canada only.
************************************************************************
You are receiving this email from Trend Micro, because you have either
downloaded a Trend Micro product or have signed up to receive the "Weekly Virus
Report."
For questions, comments, and suggestions about the Weekly Virus Report
please contact the Newsletters Editor at newsletters@trendmicro.com.
************************************************************************
Received on Fri Feb 14 20:00:02 2003