*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: Friday August 8, 2003
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Choose Your Passwords Carefully – WORM_TZET.A (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. How Much is Spam Costing You?
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 600 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engine.asp
2. Choose Your Passwords Carefully – WORM_TZET.A (Low Risk)
------------------------------------------------------------------------
WORM_TZET.A contains multiple components, with both worm and backdoor
capabilities. It propagates by penetrating systems with weak passwords
and dropping a copy of itself into these vulnerable systems. It affects
systems running Windows 95, 98, ME, NT, 2000, and XP.

Once the dropper component executes, it drops 11 files into the
%Windows%\System32 directory (%Windows% refers to the Windows folder,
which is typically C:\Windows or C:\WINNT). The dropper component of
this malware automatically executes one of the files, IGLXTRAY.EXE, which
in turn loads another file, a malicious IRC script called WSUBSYS.WAV.

Once the malicious IRC script is loaded, it creates a registry entry so that
yet another file, IGLMTRAY.EXE, executes at every Windows startup.
IGLMTRAY.EXE, in turn, loads IGLXTRAY.EXE. Thus, the registry entry
indirectly enables the malware's mIRC program to run at startup.

This malware is able to propagate into vulnerable systems with weak
passwords. It scans for target systems and tries to access them using
the following user names:
administrator
Administrator
admin
root
teacher
student
cs
sql
database
user
network
wwwadmin
sqladmin
administrator
wwwroot
guest
server
And the following passwords:
(no password)
password
admin
12345
123
123456
654321
abc123
asdf
secret
password123
administrator
qwerty
qwertyuiop
temp123
Administrator
admin123
abc
admin
temp
changeme
pass
sqlagent
root
teacher
student
test
test123
sql
database
user
network
wwwadmin
guest
server
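
One way to spot the account sweep described above from the defending side, as an added example that is not part of the original newsletter: it flags any source that fails logons against several of the listed user names within a short window and reports listed accounts that then logged on. The log format, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# User names from the report's list, lowercased for case-insensitive matching.
TZET_USERS = {
    "administrator", "admin", "root", "teacher", "student", "cs", "sql",
    "database", "user", "network", "wwwadmin", "sqladmin", "wwwroot",
    "guest", "server",
}

# Constructed sample log: "<ISO time> <source> <account> <OK|FAIL>"
SAMPLE_LOG = """\
2003-08-08T10:00:01 10.0.0.23 administrator FAIL
2003-08-08T10:00:02 10.0.0.23 admin FAIL
2003-08-08T10:00:03 10.0.0.23 root FAIL
2003-08-08T10:00:04 10.0.0.23 teacher FAIL
2003-08-08T10:00:05 10.0.0.23 sqladmin FAIL
2003-08-08T10:00:06 10.0.0.23 guest OK
2003-08-08T10:05:00 10.0.0.40 jsmith FAIL
2003-08-08T11:30:00 10.0.0.51 Administrator FAIL
2003-08-08T14:10:00 10.0.0.51 admin FAIL
"""

def find_sweeps(log_text, min_names=4, window=timedelta(minutes=5)):
    """Return {source: {"names": [...], "succeeded": [...]}} for sources that fail
    logons against at least min_names distinct listed names inside one window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, src, user, result = parts
        if user.lower() in TZET_USERS:
            events[src].append((datetime.fromisoformat(ts), user.lower(), result))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(t, u) for t, u, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            names = {u for t, u in fails[i:] if t - start <= window}
            if len(names) >= min_names:
                ok = {u for t, u, r in evs if r == "OK" and start <= t <= start + window}
                alerts[src] = {"names": sorted(names), "succeeded": sorted(ok)}
                break
    return alerts

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG))
```
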
This malware uses its batch file component, AUTHEXEC.BAT (BAT_TZET.A), to
connect to the vulnerable systems. Once a vulnerable system is found, it
drops a copy of itself into the target system. The dropped copy is named
either X586.EXE or a predefined file name. After it successfully drops the
malware copy into the remote system, it executes the copy remotely using
the PsExec utility.
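
An added example, not from the original newsletter or Trend Micro's tools: it checks a directory for the file names given in this report, flags .WAV files that lack an audio header (WSUBSYS.WAV is described above as a script), and looks for an autostart command that launches IGLMTRAY.EXE. The autostart table, its entry names and the sample directory are constructed; the report does not name the registry key, so collecting the entries is left to the caller.

```python
import os
import tempfile

# File names the report gives for WORM_TZET.A; the other dropped files are not named.
TZET_FILES = {"IGLXTRAY.EXE", "IGLMTRAY.EXE", "WSUBSYS.WAV", "AUTHEXEC.BAT", "X586.EXE"}

def is_riff_wave(path):
    """True if the file starts with the RIFF/WAVE header of real audio."""
    with open(path, "rb") as fh:
        head = fh.read(12)
    return head[:4] == b"RIFF" and head[8:12] == b"WAVE"

def triage(system_dir, autostart):
    """Return sorted findings for a directory and a {entry: command} autostart
    table that the caller has collected beforehand."""
    findings = []
    for name in os.listdir(system_dir):
        upper, path = name.upper(), os.path.join(system_dir, name)
        if upper in TZET_FILES:
            findings.append("named-file:" + upper)
        # A script stored under an audio extension fails the header check.
        if upper.endswith(".WAV") and os.path.isfile(path) and not is_riff_wave(path):
            findings.append("not-audio:" + upper)
    for entry, command in autostart.items():
        if "IGLMTRAY.EXE" in command.upper():
            findings.append("autostart:" + entry)
    return sorted(findings)

def demo():
    """Run triage over a constructed directory and a constructed autostart table."""
    samples = {
        "iglxtray.exe": b"constructed placeholder",
        "wsubsys.wav": b"constructed text, not audio data",
        "chimes.wav": b"RIFF\x24\x00\x00\x00WAVEfmt ",
        "notepad.exe": b"constructed placeholder",
    }
    # "TrayHelper" is a hypothetical entry name; the report does not give one.
    autostart = {"TrayHelper": r"C:\WINNT\System32\iglmtray.exe", "Clock": "clock.exe"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return triage(d, autostart)

if __name__ == "__main__":
    print(demo())
```

Because the dropped copy can carry a predefined name other than X586.EXE, a clean result from the name check alone does not rule the worm out.
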
Once active on a system, WORM_TZET.A connects to a remote IRC server, through
which a remote user can gain control over the affected system using IRC
commands. It allows remote users to do the following:

-Use the affected system to perform a Denial of Service (DoS) attack against
other systems
-Retrieve system information
-Join a specified IRC channel and create IRC clones
-Manipulate the file system (delete and rename files)
-Uninstall the malware
-Terminate running programs
-Command the affected system to act as a BNC (Bounce) to re-route connections

If you would like to scan your computer for WORM_TZET.A or thousands of other
worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free,
online virus scanner at: http://housecall.trendmicro.com/

WORM_TZET.A is detected and cleaned by Trend Micro pattern file #599 and above.

For additional information about WORM_TZET.A please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_TZET.A
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: July 28, 2003 to August 3, 2003)
------------------------------------------------------------------------
1. JAVA_BYTVERIFY.A
2. WORM_KLEZ.H
3. ADW_TENGET.A
4. PE_NIMDA.E
5. JAVA_NEEDY.A
6. TROJ_DELF.A
7. JS_EXCEPTION.GEN
8. VBS_REDLOF.A
9. WORM_SOBIG.E
10. JS_FORTNIGHT
4. How Much is Spam Costing You?
------------------------------------------------------------------------
Spam costs thousands of dollars in wasted bandwidth and wasted productivity
every year. Check out our Spam Calculator here, and be sure to click
“Calculate the exact cost of spam for your organization” to see how much spam
is costing you:
http://www.trendmicro.com/en/products/gateway/spam/evaluate/spam-calculator.htm
***********************************************************************************
Received on Sat Aug 9 03:23:07 2003