Trend Micro Weekly Virus Report - September 26, 2003

From: Trend Micro Newsletters Editor <newsletters_at_trendmicro.rsc03.com>
Date: Fri 26 Sep 2003 - 23:27:32 CEST
Message-Id: <200309262128.h8QLRcHq026889@nocoy.ncsh.com>

*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
    
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: Friday September 26, 2003
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm

Issue Preview:

1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Email and P2P Worm – WORM_CASPID.A (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Put Spam Back in the Can – Aberdeen Group Spam Report

NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.

************************************************************************

1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 638 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engine.asp

Critical Active Update Service Pack Reminder
Most users of certain older Trend Micro products have already updated their
software or applied the Active Update Service Pack. If you are still using
one of these older products, it is critical to act now to ensure up-to-date
protection against new malicious code. Without minor software modifications,
these products will be unable to download new pattern files after #649. For
more information please visit:
http://www.trendmicro.com/en/support/ausp/overview.htm
 
2. Email and P2P Worm – WORM_CASPID.A (Low Risk)
------------------------------------------------------------------------
WORM_CASPID.A is a destructive, memory-resident worm that spreads through
peer-to-peer (P2P) file-sharing networks such as Kazaa, Morpheus, LimeWire
and BearShare, and via email. When propagating via email it drops a copy of
itself, in HTML format, and sets the HTML copy as the default stationery for
all outgoing Microsoft Outlook Express email messages. As a result, all HTML-
formatted messages sent using Microsoft Outlook Express, with the default
stationery, contain a copy of this worm. This worm affects systems running
Windows 95, 98, ME, NT, 2000, and XP.

WORM_CASPID.A exploits a known vulnerability affecting Microsoft Outlook
Express 5.5 and 6.0, which enables MIME-encoded programs inside HTML files
to execute. For more information about the vulnerability and to download the
critical patches, visit the following Microsoft page:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-014.asp

Upon first execution, the worm displays a message box and then drops the
following copies of itself in the Windows folder:

CAPSIDE.EXE
CAPSIDERED.PIF

It drops the following MIME-encoded copies in HTML format in the same folder:

CAPSIDE.HTM
CAPSIDECODE.HTM

This worm also drops a randomly named copy of itself with an .SCR extension into
the Windows System folder, and creates a registry entry that allows it to execute
at every Windows startup.

This worm propagates through peer-to-peer shared folders under the following
applications:

BearShare
eDonkey
Filetopia
Grokster
iMesh
Kazaa
LimeWire
Morpheus
SoulSeek

It drops a MIME-encoded copy of itself in HTML format into folders shared under
the P2P applications using any one of approximately 152 possible file names.

To propagate by email it uses a MIME-encoded copy of itself, CAPSIDE.HTM, and
then sets this file as the default stationery on Microsoft Outlook Express. As
a result, a copy of itself is automatically embedded in all outgoing HTML-
formatted email sent with the default stationery. It does this by modifying a
registry key.

This worm also infects HTML files in all folders and subfolders on the infected
system.
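
A triage sketch for the file-system traces described above, added here as an
example and not Trend Micro's code or detection logic: it flags the four
dropped file names and any HTML file carrying a MIME part that decodes to a
Windows executable. The base64 part layout, the function names and the sample
tree are assumptions; the sample is constructed and inert.

```python
import base64
import re
import tempfile
from pathlib import Path

# File names the report lists as dropped into the Windows folder.
DROPPED = {"CAPSIDE.EXE", "CAPSIDERED.PIF", "CAPSIDE.HTM", "CAPSIDECODE.HTM"}
CTE = re.compile(rb"Content-Transfer-Encoding:\s*base64", re.IGNORECASE)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{4,}")

def embeds_executable(data):
    """True if data holds a base64 MIME part whose body decodes to an MZ image."""
    # Assumption: the embedded copy is a standard base64 MIME part.
    for hdr in CTE.finditer(data):
        rest = data[hdr.end():]
        sep = re.search(rb"\r?\n\r?\n", rest)  # blank line ends the part headers
        run = B64_RUN.match(rest, sep.end()) if sep else None
        if run:
            head = run.group()[:8]
            head = head[:len(head) - len(head) % 4]  # whole base64 quanta only
            if base64.b64decode(head).startswith(b"MZ"):
                return True
    return False

def scan(root):
    """Return (dropped-name hits, HTML files embedding an executable) under root."""
    dropped, html_hits = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.upper() in DROPPED:  # Windows names are case-insensitive
            dropped.append(rel)
        if path.suffix.lower() in (".htm", ".html") and embeds_executable(path.read_bytes()):
            html_hits.append(rel)
    return sorted(dropped), sorted(html_hits)

def build_sample(root):
    """Constructed, inert sample tree: an MZ stub of zero bytes, no real malware."""
    stub = base64.b64encode(b"MZ" + b"\x00" * 58)
    mime = (b"<html><body>hi</body></html>\r\nContent-Type: application/octet-stream"
            b"\r\nContent-Transfer-Encoding: base64\r\n\r\n" + stub + b"\r\n")
    files = {"CAPSIDE.EXE": b"", "docs/index.html": b"<html><p>clean</p></html>",
             "docs/sub/page.htm": mime}
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```

A name match alone is weak evidence; the embedded-executable check is the
stronger signal, since the report says the worm infects HTML files in every folder.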

If you would like to scan your computer for WORM_CASPID.A or thousands of other
worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free,
online virus scanner at: http://housecall.trendmicro.com/

WORM_CASPID.A is detected and cleaned by Trend Micro pattern file #637 and above.

For additional information about WORM_CASPID.A please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_CASPID.A

3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: September 15, 2003 to September 21, 2003)
------------------------------------------------------------------------
1. JAVA_BYTVERIFY.A
2. ADW_TENGET.A
3. BKDR_COREFLOOD.A
4. WORM_MSBLAST.A
5. WORM_SPYBOT.B
6. BKDR_SDBOT.GEN
7. WORM_NACHI.A
8. JAVA_NEEDY.A
9. BAT_MUMU.A
10. WORM_MSBLAST.D
        
4. Put Spam Back in the Can – Aberdeen Group Spam Report
------------------------------------------------------------------------
Spam has shifted from being a nuisance for email users to a drain on enterprise
resources, and a covert channel for delivering hostile mobile code into the
enterprise. And, as recent events have shown, virus writers are now adopting
methods used by commercial spammers, giving spam what appears to be a decidedly
dangerous alter ego. Spam prevention is now a necessity rather than a luxury.

Read Aberdeen Group’s White Paper on how Trend Micro puts spam back in the can:
http://www.trendmicro.com/en/products/gateway/spam/evaluate/white-papers.htm

***********************************************************************************

Received on Fri Sep 26 23:28:59 2003
