Trend Micro Weekly Virus Report - August 29, 2003

From: Trend Micro Newsletters Editor <newsletters_at_trendmicro.rsc03.com>
Date: Fri 29 Aug 2003 - 21:27:17 CEST
Message-Id: <200308291928.h7TJRMJJ016820@nocoy.ncsh.com>

*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
    
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: Friday August 29, 2003
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm

Issue Preview:

1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Payload Worm – WORM_RANDEX.E (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. How Much is Spam Costing You?

NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.

************************************************************************

1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 622 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engine.asp

2. Payload Worm – WORM_RANDEX.E (Low Risk)
------------------------------------------------------------------------
WORM_RANDEX.E is a non-destructive worm that runs on Windows NT, 2000,
and XP. Upon execution, this worm creates a mutex named "msejaer32",
which it uses to ensure that only one copy of itself is running in memory.
It also adds a registry entry that allows it to run at every Windows
startup, and drops the file “PAYLOAD.DAT”. This file is the worm’s backdoor
component. The backdoor file, however, is neither executed by the worm nor
able to execute on its own.

When executed manually, the backdoor component creates a mutex named
"mssysviewer", which it uses to ensure that only one copy of itself is
running in memory. It then adds an autorun entry in the registry so that
it runs at every Windows startup.

While in memory, the backdoor component connects to an IP address that is
hard-coded in its body via a random port. It does this as a notification
to a remote user that it is running and ready to receive commands. It then
listens on the following TCP ports for remote commands:
3330
3331
3332

Once this worm is active in memory, it randomly accesses remote machines
(using random IP addresses) on SMB shares via port 445. It checks whether
it can access a machine by attempting to connect to the IPC$ share using
the following passwords:
(null password)
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
1
111
123
1234
123456
654321
admin
asdf
asdfgh
root
server

If successful, it copies itself as MSMSGRI32.EXE to the following UNC paths:
\\<machine IP>\c$\winnt\system32\msmsgri32.exe
\\<machine IP>\Admin$\system32\msmsgri32.exe

It then schedules a network job using the NetScheduleJobAdd API function
to run the dropped malware copies.
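The network behaviour described above (one host sweeping random addresses on TCP 445, plus traffic to the backdoor's listening ports) can be picked out of connection logs. The following is an added detection example, not code from the report or from Trend Micro; the log format and all IP addresses are constructed for the example.

```python
"""Flag WORM_RANDEX.E-style behaviour in connection logs: one source touching
many distinct hosts on TCP 445, and connections to the backdoor's listen ports."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
BACKDOOR_PORTS = {3330, 3331, 3332}  # listener ports named in the report

# Constructed sample log (not from the report): "<ISO time> <src> -> <dst>:<port>".
# 10.0.0.5 sweeps ten distinct hosts on 445 within a minute; 10.0.0.9 is an
# ordinary file-server client; 10.0.0.12 talks to a port the backdoor listens on.
SAMPLE_LOG = "\n".join(
    [f"2003-08-29T10:00:{i:02d} 10.0.0.5 -> 10.0.{i}.7:445" for i in range(10)]
    + ["2003-08-29T10:00:03 10.0.0.9 -> 10.0.1.1:445",
       "2003-08-29T10:00:04 10.0.0.9 -> 10.0.1.1:445",
       "2003-08-29T10:00:05 10.0.0.12 -> 10.0.2.2:3331"]
)

def parse_line(line):
    """Split one constructed log record into (timestamp, src, dst_ip, dst_port)."""
    ts, src, _, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def find_smb_sprayers(log_text, min_targets=8, window=timedelta(seconds=60)):
    """Return {src: most distinct 445 targets seen in any `window`} for sources
    that reach min_targets or more, i.e. the worm's random-IP SMB scanning."""
    by_src = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, dst_ip, port = parse_line(line)
        if port == SMB_PORT:
            by_src[src].append((ts, dst_ip))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):  # sliding window starting at each event
            targets = {dst for t, dst in conns[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits

def find_backdoor_contacts(log_text):
    """Return sorted (src, dst, port) tuples for traffic to ports 3330-3332."""
    records = map(parse_line, filter(str.strip, log_text.splitlines()))
    return sorted((src, dst, port) for _, src, dst, port in records
                  if port in BACKDOOR_PORTS)

if __name__ == "__main__":
    print(find_smb_sprayers(SAMPLE_LOG))       # {'10.0.0.5': 10}
    print(find_backdoor_contacts(SAMPLE_LOG))  # [('10.0.0.12', '10.0.2.2', 3331)]
```

A legitimate file server client that repeatedly reaches the same few hosts is not flagged, because the count is of distinct targets, not of connections.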

If you would like to scan your computer for WORM_RANDEX.E or thousands of
other worms, viruses, Trojans and malicious code, visit HouseCall, Trend
Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_RANDEX.E is detected and cleaned by Trend Micro pattern file #619
and above.

For additional information about WORM_RANDEX.E please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RANDEX.E

3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: August 18, 2003 to August 24, 2003)
------------------------------------------------------------------------
1. WORM_SOBIG.F
2. WORM_MSBLAST.D
3. JAVA_BYTVERIFY.A
4. WORM_MIMAIL.A
5. PE_NIMDA.E
6. WORM_SPYBOT.GEN
7. WORM_SOBIG.E
8. WORM_KLEZ.H
9. JAVA_NOCHEAT.A
10. JAVA_NEEDY.A
4. How Much is Spam Costing You?
------------------------------------------------------------------------
Spam costs thousands of dollars in wasted bandwidth and wasted productivity
every year. Check out our Spam Calculator here, and be sure to click “Calculate
the exact cost of spam for your organization” to see how much spam is costing
you: http://www.trendmicro.com/en/products/gateway/spam/evaluate/spam-calculator.htm
***********************************************************************************

Received on Fri Aug 29 21:28:40 2003