*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: February 28, 2003
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Email, Kazaa, and mIRC Worm - WORM_GIBE.B (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. It's Tax Time! - Get TaxCut Deluxe from H&R Block FREE with PC-cillin 2003*
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 472 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engine.asp
2. Email, Kazaa, and mIRC Worm - WORM_GIBE.B (Low Risk)
------------------------------------------------------------------------
WORM_GIBE.B propagates via email, shared folders using Kazaa, and via Internet Relay Chat applications such as mIRC. When propagating via email, it obtains its recipients from email addresses listed in the Windows Address Book and addresses remotely retrieved from certain news servers.
This worm arrives in an email posing as a security patch from Microsoft. It sends email with a random subject, message body, and attachment name. This malware affects Windows 95, 98, ME, NT, 2000, and XP platforms.
This worm arrives as a zipped email attachment, or as a file retrieved through the Kazaa file-sharing application or Internet Relay Chat.
Upon first execution, it displays a fake license message and drops the following files in the Windows directory:
- Gibe.dll - an exact copy of this worm
- DX3DRndr.exe - the mailer component of this worm
- MSBugAdv.exe - a component that connects to a random server listed in the dropped WMSysDx.bin file
- WMSysDx.bin - the list containing the URL that this worm connects to
It also drops compressed copies of itself in zip format as UPDATE.ZIP or a random file name in the Windows and Windows Temporary folders. In addition, it creates a subfolder in the Windows Temporary directory using a random name.
In that folder, it drops one copy of itself in .EXE format and one in .ZIP format. These files may use any of 13 possible names. The worm then adds a registry entry so that its copy executes on the infected system on subsequent Windows startups.
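The file artifacts described above can be turned into a quick triage check. The following is an added example, not part of the original report or any Trend Micro tool: it matches the dropped file names listed above case-insensitively and, as a labelled heuristic, flags temporary subfolders that hold both an .EXE and a .ZIP. The function names, the sample folder layout, and the heuristic itself are assumptions; the sample files are empty placeholders constructed for the demonstration.

```python
import os
import tempfile

# Names from the report, lower-cased: Windows file systems ignore case.
KNOWN_NAMES = {"gibe.dll", "dx3drndr.exe", "msbugadv.exe", "wmsysdx.bin",
               "update.zip"}

def scan_known_names(directory):
    """Return files in directory whose names match the report's dropped files."""
    hits = [name for name in os.listdir(directory)
            if name.lower() in KNOWN_NAMES
            and os.path.isfile(os.path.join(directory, name))]
    return sorted(hits, key=str.lower)

def scan_temp_subfolders(temp_dir):
    """Heuristic (assumption): flag subfolders holding both an .exe and a .zip,
    the pairing the report describes. A hit is a lead to review, not a verdict."""
    suspects = []
    for entry in os.listdir(temp_dir):
        sub = os.path.join(temp_dir, entry)
        if not os.path.isdir(sub):
            continue
        exts = {os.path.splitext(f)[1].lower() for f in os.listdir(sub)}
        if {".exe", ".zip"} <= exts:
            suspects.append(entry)
    return sorted(suspects)

def build_sample_tree(root):
    """Constructed sample layout of empty placeholder files (no malware)."""
    win = os.path.join(root, "WINDOWS")
    tmp = os.path.join(win, "TEMP")
    files = [(win, "GIBE.DLL"), (win, "WMSysDx.bin"), (win, "notepad.exe"),
             (tmp, "Update.zip"), (tmp, "readme.txt"),
             (os.path.join(tmp, "qxzr"), "a.exe"),    # random-looking folder
             (os.path.join(tmp, "qxzr"), "a.zip"),
             (os.path.join(tmp, "docs"), "notes.zip")]
    for folder, name in files:
        os.makedirs(folder, exist_ok=True)
        open(os.path.join(folder, name), "w").close()
    return win, tmp

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        win, tmp = build_sample_tree(root)
        print("Windows directory:", scan_known_names(win))
        print("Temp directory:", scan_known_names(tmp))
        print("Temp subfolders to review:", scan_temp_subfolders(tmp))
```

Because the worm may also use a random name for its zipped copy, a clean result from the name match alone does not rule out infection; the pattern file noted in this report remains the authoritative check.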
This worm uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate via email. It obtains the email addresses of its recipients from the Windows Address Book.
The email that it sends out contains a random subject, message body, and attachment name. In some instances, the worm may send an email with a blank message body. The malware also connects to any of 137 specific Network News Transfer Protocol (NNTP) servers where it attempts to search for addresses where it can send email.
If you would like to scan your computer for WORM_GIBE.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/
WORM_GIBE.B is detected and cleaned by Trend Micro pattern file #471 and above.
For additional information about WORM_GIBE.B please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GIBE.B
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: February 17, 2003 to February 23, 2003)
------------------------------------------------------------------------
1. WORM_KLEZ.H
2. JS_NOCLOSE.E
3. PE_BAGIF.A
4. WORM_KWBOT.C
5. WORM_YAHA.G
6. PE_HANTANER.A
7. JOKE_RUSS.A
8. WORM_YAHA.K
9. WORM_OPASERV.G
10. WORM_OPASERV.E
4. It's Tax Time! - Get TaxCut Deluxe from H&R Block FREE with PC-cillin 2003*
------------------------------------------------------------------------
This year, file your taxes with TaxCut Deluxe. TaxCut Deluxe from H&R Block allows you to seamlessly import your financial data from last year's TurboTax(r), Quicken(r), and Microsoft(r) Money. It offers one FREE State program, one FREE electronic filing (after mail-in rebate), FREE H&R Block Financial Planners, and a NEW 9-Year Tax Preview planning feature so you can maximize your tax savings and plan for the future.
With newly released PC-cillin(tm) 2003 you can protect your PC, PDA and wireless devices from viruses, hacker attacks, and other Internet security threats.
PC-cillin offers the benefits of:
-Enhanced Antivirus Scanning - Secure your computer against viruses transmitted through the Internet, email, and Instant Messaging
-Personal Firewall Protection - Fend off hackers and malicious programs with a personal firewall
-Integrated Wireless Security for PDAs - Protect the important information on your personal digital assistant and secure your PC during synchronization
New features like Wi-Fi protection help to secure your computer when connecting to a wireless LAN network, and Outbreak Alert gives you early warning about new viruses.
For a limited time, Trend Micro is offering you TaxCut Deluxe absolutely free with the purchase of PC-cillin 2003 or PC-cillin 2003 Upgrade.
Start saving now! Buy PC-cillin 2003: http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?SP=10007&PN=5&CID=70268&SID=16269&PID=498729&DSP=&CUR=840&PGRP=0&CACHE_ID=702680000070666
Upgrade to PC-cillin 2003: http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?SP=10007&PN=5&CID=70666&SID=16269&PID=500849&DSP=&CUR=840&PGRP=0&CACHE_ID=70666
* Offer expires April 21, 2003 and is valid in the U.S. and Canada only.
************************************************************************
You are receiving this email from Trend Micro, because you have either
downloaded a Trend Micro product or have signed up to receive the "Weekly Virus Report."
For questions, comments, and suggestions about the Weekly Virus Report
please contact the Newsletters Editor at newsletters@trendmicro.com.
************************************************************************
Received on Fri Feb 28 23:58:25 2003