Trend Micro Weekly Virus Report - October 3, 2003

From: Trend Micro Newsletters Editor <newsletters_at_trendmicro.rsc03.com>
Date: Sat 04 Oct 2003 - 03:47:19 CEST
Message-Id: <200310040555.h945s49X025827@nocoy.ncsh.com>

*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
    
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: Friday October 3, 2003
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm

Issue Preview:

1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Messenger Worm – WORM_SMIBAG.A (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Head-to-Head Comparison: Web Security Performance

NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.

************************************************************************

1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 644 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engine.asp

Critical Active Update Service Pack Reminder
Most users of certain older Trend Micro products have already updated their
software or applied the Active Update Service Pack. If you are still using
one of these older products, it is critical to act now to ensure up-to-date
protection against new malicious code. Without minor software modifications,
these products will be unable to download new pattern files after #649. For
more information please visit:
http://www.trendmicro.com/en/support/ausp/overview.htm
 
2. Messenger Worm – WORM_SMIBAG.A (Low Risk)
------------------------------------------------------------------------
WORM_SMIBAG.A is a multi-component worm that spreads through MSN Messenger
by sending copies of itself to all MSN users found in the target user’s
contact list. It typically arrives as the file SMB.EXE, a self-extracting
executable archive file. The worm’s payload displays pop-up advertisements
from various adult Web sites. This worm runs on Windows 95, 98, ME, NT, 2000,
and XP.

Upon execution of the archive, it drops the following files:

C:\admagic.exe – main worm program
C:\SMB.EXE – an SFX executable archive dropper program
C:\TEST.TXT – non-malicious text file
%System%\RAW32X.DLL – non-malicious data file
%System%\SM.DLL – DLL file used by the worm
%System%\UZ.EXE – a non-malicious tool that extracts files in an archive

This worm also drops and executes the file, MSNVC.EXE, in the same location
where the dropper program is run. The MSNVC.EXE file is responsible for
dropping TEST.TXT in the root folder of drive C. The worm then deletes
MSNVC.EXE.

The worm also drops the following files in the same path where the dropper
program is run, and deletes them afterwards:

<malware path>\ADMAGIC.EXE – main worm program
<malware path>\RAW32X.DLL – non-malicious data file
<malware path>\SM.DLL – DLL file used by the worm
<malware path>\UZ.EXE – a non-malicious tool that extracts files in an archive
<malware path>\EXT.ZIP
<malware path>\ATL.DLL – non-malicious Microsoft Visual C++ Active Template Library file

It also adds a registry entry that allows the worm to run at every Windows
startup.

Once this malware is running in memory, it automatically sends a copy of its
dropper program, SMB.EXE, to all MSN users found in the target system's contact
list. Recipients receive a prompt and can select whether to accept SMB.EXE
or not.

The main worm program, ADMAGIC.EXE, contains various links to adult Web sites
in its body. These links are designed to appear as popup advertisements.
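
A triage check built from the files this report says remain under C:\ and %System%, as an added example that is not part of the original newsletter or any Trend Micro tool. It matches on file names only and separates worm components from the benign helper files; the %System% directories, the verdict labels and the sample listing are assumptions made for the example.

```python
import ntpath

# (path, is_worm_component) for the files the report says stay on disk.
ARTIFACTS = [
    (r"C:\admagic.exe", True),        # main worm program
    (r"C:\SMB.EXE", True),            # SFX dropper
    (r"C:\TEST.TXT", False),          # non-malicious text file
    (r"%System%\RAW32X.DLL", False),  # non-malicious data file
    (r"%System%\SM.DLL", True),       # DLL used by the worm
    (r"%System%\UZ.EXE", False),      # non-malicious archive extractor
]
# Assumption: default %System% locations on 9x/ME, NT/2000 and XP.
SYSTEM_DIRS = [r"C:\Windows\System", r"C:\WINNT\System32", r"C:\Windows\System32"]

def _norm(path):
    # Windows paths are case-insensitive; unify separators and case.
    return ntpath.normcase(ntpath.normpath(path.strip()))

def expand(pattern):
    """Expand the report's %System% placeholder into concrete candidate paths."""
    if pattern.startswith("%System%"):
        return [_norm(d + pattern[len("%System%"):]) for d in SYSTEM_DIRS]
    return [_norm(pattern)]

def triage(listing):
    """Return (verdict, matched_paths) for an iterable of full file paths."""
    seen = {_norm(p) for p in listing if p.strip()}
    core, support = [], []
    for pattern, is_worm in ARTIFACTS:
        for candidate in expand(pattern):
            if candidate in seen:
                (core if is_worm else support).append(candidate)
    if core and len(core) + len(support) >= 2:
        verdict = "likely"   # worm component corroborated by another artifact
    elif core:
        verdict = "review"   # single worm-named file, uncorroborated
    elif support:
        verdict = "weak"     # only benign helper files, common names
    else:
        verdict = "clean"
    return verdict, core + support

# Constructed sample listing (not from the report).
SAMPLE = [r"c:\ADMAGIC.EXE", r"C:\WINNT\system32\sm.dll",
          r"C:\WINNT\system32\kernel32.dll",
          r"C:\Documents and Settings\bob\TEST.TXT"]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "clean" verdict only means none of the listed file names were found at the listed locations; the registry entry and the temporary files the worm deletes are not covered.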

If you would like to scan your computer for WORM_SMIBAG.A or thousands of
other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's
free, online virus scanner at: http://housecall.trendmicro.com/

WORM_SMIBAG.A is detected and cleaned by Trend Micro pattern file #639 and above.

For additional information about WORM_SMIBAG.A please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SMIBAG.A

3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: September 21, 2003 to September 28, 2003)
------------------------------------------------------------------------
1. WORM_SWEN.A
2. WORM_PUROL.A
3. JAVA_BYTVERIFY.A
4. ADW_TENGET.A
5. WORM_MSBLAST.A
6. BKDR_RUSSKI.A
7. WORM_KLEZ.H
8. WORM_BUGBEAR.A
9. PE_DUMARU.A
10. JS_EXCEPTION.GEN
        
4. Head-to-Head Comparison: Web Security Performance
------------------------------------------------------------------------
Trend Micro commissioned VeriTest to compare the performance of Trend Micro
InterScan Web Security Suite 1.0 to Symantec Web Security 3.0 and McAfee
WebShield e1000 appliance using PC Magazine’s WebBench 4.01 Web server
performance benchmarking software. All three products tested work in
conjunction with a Web server to monitor HTTP and FTP traffic for known
viruses. The goal of the testing was to compare the performance of the three
products while each filtered HTTP and FTP traffic to several client systems.

View and compare the results of all three products:
http://www.trendmicro.com/en/products/gateway/iwss/evaluate/white-papers.htm

***********************************************************************************

Received on Sat Oct 4 07:55:21 2003
