*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: Friday August 15, 2003
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Blaster – WORM_MSBLAST.A (High Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. How Much is Spam Costing You?
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 610 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engine.asp
2. Blaster – WORM_MSBLAST.A (High Risk)
------------------------------------------------------------------------
WORM_MSBLAST.A affects unpatched systems running Windows NT, 2000, XP,
and Server 2003, but it can only propagate to systems running Windows
2000 and XP. WORM_MSBLAST.A is currently spreading in the wild and has
been in heavy circulation since Monday.
WORM_MSBLAST.A is a destructive worm that exploits the RPC DCOM Buffer
Overflow, a vulnerability in the Windows Distributed Component Object Model
(DCOM) Remote Procedure Call (RPC) interface, which allows an attacker to
gain full access to a target machine and execute arbitrary code on it,
leaving it compromised. The worm's payload performs a Distributed Denial of
Service (DDoS) attack against windowsupdate.com on the 16th through the 31st
day of every month from January through August, and on any day from
September through December. The worm is set to activate its next Distributed
Denial of Service attack this Saturday, August 16.
Upon execution, this worm creates an autorun registry entry that allows
it to execute at every Windows startup. It creates a mutex named “BILLY”,
which it uses to check whether another copy is already running. If it finds
that another copy is running, it simply terminates. Otherwise, it continues
with the rest of its routines, sleeping at 20-second intervals and waking to
check for an Internet connection until it is able to establish one.
Once it has an Internet connection, the worm checks the current system
date. If the date is the 16th through the 31st of any month from January
through August, or any day from September through December, it launches a
thread that performs a Distributed Denial of Service (DDoS) attack against
windowsupdate.com. For the DDoS attack, the worm constructs a specially
crafted packet that it sends to the target site. The packet contains no data
beyond its TCP/IP header and is constructed so that the worm can spoof the
sender IP address. The worm sends this packet continuously, once every
20 milliseconds.
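Added example (my own code, not from the Trend Micro report): the trigger
window above written out as a small Python date check, so an administrator
can tell on which days an infected host would start sending the DDoS traffic.
It follows the report's description exactly (the 16th through the 31st of
January through August, every day of September through December, in every
year); the function names are my own.

```python
from datetime import date, timedelta


def ddos_window_active(d: date) -> bool:
    """True if the worm's date check would start its DDoS thread on day d.

    Window as described in the report: the 16th through the 31st of any
    month from January through August, and every day from September
    through December. The year is not part of the check.
    """
    if d.month <= 8:
        return d.day >= 16
    return True


def next_activation(today: date) -> date:
    """First day on or after `today` on which the trigger condition holds."""
    d = today
    while not ddos_window_active(d):
        d += timedelta(days=1)
    return d


def active_days_in_year(year: int) -> int:
    """Number of calendar days in `year` on which the DDoS thread would start,
    i.e. how many days a year the target can expect traffic from infected hosts."""
    d = date(year, 1, 1)
    count = 0
    while d.year == year:
        if ddos_window_active(d):
            count += 1
        d += timedelta(days=1)
    return count


if __name__ == "__main__":
    report_date = date(2003, 8, 15)  # the date of this report
    print("next activation:", next_activation(report_date))  # 2003-08-16
    print("active days in 2003:", active_days_in_year(2003))  # 245
```

Running it on the report's own date gives August 16, 2003 as the next
activation, matching the "this Saturday" statement above; the count shows
that the condition holds on two thirds of the year, so the traffic is
the norm rather than the exception for infected hosts left unpatched.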
This worm exploits the RPC DCOM Buffer Overflow, a vulnerability in the Windows
Distributed Component Object Model (DCOM) Remote Procedure Call (RPC)
interface, to infect remote machines.
To infect unpatched, vulnerable machines, this worm attempts to connect to
other target systems on TCP port 135. It does this by opening 20 threads
that make TCP connection attempts while scanning IP addresses. After creating
these 20 threads, it uses another method that generates random IP addresses.
The worm then instructs the remote target machine to download a copy of the
worm, MSBLAST.EXE, into the Windows System32 folder (typically
C:\Windows\System32 or C:\WINNT\System32). Finally, it instructs the target
machine to execute the downloaded file, which begins another life cycle of
the worm on the newly infected machine.
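Added example (my own code, not Trend Micro's): the scanning behaviour just
described, 20 connection threads probing port 135, gives a network defender
something concrete to look for. The Python below reads connection-attempt
records in a simple constructed log layout (timestamp, src, dst, proto,
dport; a real firewall log needs its own parser) and flags any source that
attempts TCP/135 connections to at least 20 distinct destinations inside a
sliding 60-second window. Counting distinct destinations rather than raw
attempts keeps a host that merely retries one RPC server from being flagged.
The sample lines are constructed, not a real capture, and the threshold and
window are assumptions to tune for your network.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed log layout (an assumption, not a real product's format):
# "YYYY-MM-DD HH:MM:SS src=A.B.C.D dst=A.B.C.D proto=tcp dport=N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def build_sample_log():
    """Constructed sample lines (not a real capture) for the three cases below."""
    base = datetime(2003, 8, 12, 12, 0, 0)
    lines = []
    # Case 1: a host sweeping 25 distinct addresses on TCP/135 in 25 seconds.
    for i in range(25):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=10.0.0.7 dst=10.0.1.{i + 1} proto=tcp dport=135")
    # Case 2: a host retrying one RPC server 25 times -- noisy, but not a scan.
    for i in range(25):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=10.0.0.11 dst=10.0.1.30 proto=tcp dport=135")
    # Case 3: ordinary traffic, plus a malformed line the parser must skip.
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} src=10.0.0.9 dst=10.0.1.30 proto=tcp dport=135")
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} src=10.0.0.9 dst=10.0.1.31 proto=tcp dport=445")
    lines.append("garbage line that does not match the layout")
    return lines


def parse_line(line):
    """Return (timestamp, src, dst, proto, dport) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["src"], m["dst"], m["proto"].lower(), int(m["dport"])


def find_port135_scanners(lines, threshold=20, window=timedelta(seconds=60)):
    """Map each scanning source to the peak number of distinct TCP/135
    destinations it contacted within any `window`, if that peak >= threshold."""
    events = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dport = rec
        if proto != "tcp" or dport != 135:
            continue
        events.setdefault(src, []).append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        seen = Counter()  # distinct destinations inside the current window
        left = 0
        peak = 0
        for ts, dst in evs:
            seen[dst] += 1
            # Slide the left edge forward until the window is at most `window` wide.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            peak = max(peak, len(seen))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, peak in find_port135_scanners(build_sample_log()).items():
        print(f"{src}: {peak} distinct TCP/135 targets within 60s -- likely scanning")
```

Only 10.0.0.7 is reported; the retrying host and the ordinary host fall well
under the distinct-destination threshold. A host that trips this rule should
be isolated and checked for MSBLAST.EXE in the System32 folder.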
The following text strings are visible in this worm's body:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your
software!!
If you would like to scan your computer for WORM_MSBLAST.A or thousands of
other worms, viruses, Trojans and malicious code, visit HouseCall, Trend
Micro's free, online virus scanner at: http://housecall.trendmicro.com/
WORM_MSBLAST.A is detected and cleaned by Trend Micro pattern file #605
and above.
For additional information about WORM_MSBLAST.A please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: August 4, 2003 to August 10, 2003)
------------------------------------------------------------------------
1. JAVA_BYTVERIFY.A
2. ADW_TENGET.A
3. JAVA_NEEDY.A
4. WORM_KLEZ.H
5. VBS_HAPTIME.A-1
6. JS_EXCEPTION.GEN
7. WORM_MAPSON.A
8. VBS_REDLOF.A
9. JAVA_NOCHEAT.A
10. WORM_SPYBOT.GEN
4. How Much is Spam Costing You?
--------------------------------------------------------------------------
Spam costs thousands of dollars in wasted bandwidth and wasted productivity
every year. Check out our Spam Calculator, and be sure to click “Calculate
the exact cost of spam for your organization” to see how much spam is costing
you: http://www.trendmicro.com/en/products/gateway/spam/evaluate/spam-calculator.htm
***********************************************************************************
______________________________________________________________________
This message was sent by Trend Micro's Newsletters Editor using Responsys Interact (TM).
Received on Fri Aug 15 21:02:40 2003