*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: Friday September 5, 2003
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Go Bot – WORM_AGOBOT.R (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. How Much is Spam Costing You?
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 626 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engine.asp
2. Go Bot – WORM_AGOBOT.R (Low Risk)
------------------------------------------------------------------------
WORM_AGOBOT.R has both worm and backdoor capabilities. It affects systems
running Windows NT, 2000, and XP. Users of these affected systems are
strongly encouraged to download and apply the appropriate patches from
Microsoft. As a backdoor, it connects to an Internet Relay Chat (IRC)
server and listens for remote commands. It executes these commands
locally on the infected machine, thus providing remote users virtual
control over infected systems.
Upon execution, this malware drops copies of itself using the following
file names in the Windows system folder:
SVCHOS1.EXE
RPCFIX.EXE
It also creates registry entries so that the dropped copy, SVCHOS1.EXE,
executes at every Windows startup. This malware does not propagate
unless it is commanded to do so. Upon receiving certain commands, it
scans for target systems with the following properties:
-Weak share passwords - This malware scans for systems with weak logon
credentials. It checks systems for any of the following logon names
and passwords:
User names
a
aaa
abc
admin
Administrador
Administrateur
administrator
asdf
Default
Dell
Gast
Guest
home
Inviter
login
mgmt
Owner
pc
qwer
Standard
temp
Test
test
User
win
x
xyz
Passwords
0
000000
00000000
007
1
110
111
111111
11111111
12
121212
123
123123
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
2002
2003
2600
54321
654321
88888888
a
aaa
abc
abcd
Admin
administrator
alpha
asdf
-Vulnerability to RPC DCOM Buffer Overflow – This malware scans for
unpatched vulnerable systems by attempting to connect to port 135 of
target systems, the port associated with this security hole.
-Vulnerability to Locator Service Buffer Overflow – This malware scans
for vulnerable systems by attempting to connect to port 445. It copies
and executes itself on systems found to have these security
weaknesses. It opens port 22227 on the local system to transfer its
copies to vulnerable machines.
As a backdoor, this malware joins the IRC channel ##0wn3dz after
connecting to any of the following IRC servers on port 6667:
dashit.sytes.net
amsterdam.nl.eu.undernet.org
geneva.ch.eu.undernet.org
irc.qeast.net
While in the channel, it listens for remote commands coming in through
the server. It executes the commands locally on the infected machine,
providing remote users virtual control over affected systems. It allows
malicious remote users to do the following:
Retrieve malware status
Terminate the malware
Execute a specific file
Open a file
Uninstall the malware
Retrieve system information such as operating system version
Change or generate a random nickname to be used by the malware on IRC
Download and/or execute a file from the Internet via FTP or HTTP
Update the malware from a remote site via FTP or HTTP
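As an added example (not part of Trend Micro's report or the malware itself), the following Python script flags the three network behaviours described above in a constructed connection log: the IRC connection to the listed servers on port 6667, the worm copy being served from port 22227, and one source probing many hosts on ports 135/445. The log line format, the host addresses and the scan threshold are assumptions made for this example.

```python
import re
from collections import defaultdict
# Indicators taken from the advisory text above
AGOBOT_IRC_SERVERS = {"dashit.sytes.net", "amsterdam.nl.eu.undernet.org",
                      "geneva.ch.eu.undernet.org", "irc.qeast.net"}
AGOBOT_IRC_PORT = 6667        # C2 channel ##0wn3dz is joined over this port
AGOBOT_TRANSFER_PORT = 22227  # opened on the infected host to serve its copy
AGOBOT_SCAN_PORTS = {135, 445}
SCAN_THRESHOLD = 20           # assumed tuning value: distinct targets per source

# Constructed log format for this example: "<ts> <src> -> <dst>:<dport> [<dst_name>]"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)(?: \[(\S+)\])?$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, name = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "name": name}

def detect_agobot(lines):
    """Return (host, reason) findings for the three behaviours described above."""
    findings = []
    scan_targets = defaultdict(set)  # src -> distinct hosts it touched on 135/445
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # (1) IRC command channel: outbound 6667 to one of the named servers
        if rec["dport"] == AGOBOT_IRC_PORT and rec["name"] in AGOBOT_IRC_SERVERS:
            findings.append((rec["src"], f"IRC C2 connection to {rec['name']}"))
        # (2) a newly exploited host fetching the worm copy from port 22227
        if rec["dport"] == AGOBOT_TRANSFER_PORT:
            findings.append((rec["dst"], "serving worm copy on port 22227"))
        # (3) one source probing many hosts on the RPC/SMB ports
        if rec["dport"] in AGOBOT_SCAN_PORTS:
            scan_targets[rec["src"]].add(rec["dst"])
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings.append((src, f"RPC/SMB scanning: {len(targets)} hosts on 135/445"))
    return findings

# Constructed sample log: 10.0.0.5 is the infected host, 10.0.0.7 is benign IRC use
SAMPLE_LOG = [
    "2003-09-05T10:00:01 10.0.0.5 -> 192.0.2.10:6667 [irc.qeast.net]",
    "2003-09-05T10:00:02 10.0.0.9 -> 10.0.0.5:22227",
    "2003-09-05T10:00:03 10.0.0.7 -> 192.0.2.20:6667 [irc.example.net]",
] + [f"2003-09-05T10:01:{i:02d} 10.0.0.5 -> 10.0.1.{i}:135" for i in range(25)]
```

Running detect_agobot(SAMPLE_LOG) reports 10.0.0.5 three times (C2 connection, transfer port, scanning) and nothing for 10.0.0.7.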
If you would like to scan your computer for WORM_AGOBOT.R or thousands
of other worms, viruses, Trojans and malicious code, visit HouseCall,
Trend Micro's free, online virus scanner at:
http://housecall.trendmicro.com/
WORM_AGOBOT.R is detected and cleaned by Trend Micro pattern file #623
and above.
For additional information about WORM_AGOBOT.R please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.R
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: August 25, 2003 to August 31, 2003)
------------------------------------------------------------------------
1. JAVA_BYTVERIFY.A
2. WORM_SOBIG.F
3. WORM_KLEZ.H
4. WORM_SPYBOT.GEN
5. ADW_TENGET.A
6. WORM_MSBLAST.A
7. PE_DUMARU.A
8. JS_NOCLOSE.E
9. WORM_BADTRANS.A
10. JS_FORTNIGHT
4. How Much is Spam Costing You?
------------------------------------------------------------------------
Spam costs thousands of dollars in wasted bandwidth and wasted productivity, every year. Check out our Spam Calculator here, and be sure to click “Calculate the exact cost of spam for your organization” to see how much spam is costing you: http://www.trendmicro.com/en/products/gateway/spam/evaluate/spam-calculator.htm
***********************************************************************************
Received on Sat Sep 6 02:03:06 2003