Trend Micro Weekly Virus Report - October 10, 2003

From: Trend Micro Newsletters Editor <newsletters_at_trendmicro.rsc03.com>
Date: Fri 10 Oct 2003 - 23:30:04 CEST
Message-Id: <200310102131.h9ALUD9X020861@nocoy.ncsh.com>

*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
    
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: Friday October 10, 2003
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm

Issue Preview:

1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. The Host with the Most? – TROJ_QHOSTS.A (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Head-to-Head Comparison: Web Security Performance

NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.

************************************************************************

1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 648 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engine.asp

2. The Hosts with the Most? – TROJ_QHOSTS.A (Low Risk)
------------------------------------------------------------------------
TROJ_QHOSTS.A is a non-destructive Trojan that is hosted on several
malicious Web sites. These Web pages, posted on the Internet by remote
users, use the Object Data Remote Execution Vulnerability to drop and
execute the Trojan on the target system. This Trojan runs on Windows 95,
98, ME, NT, 2000 and XP, and is currently spreading in-the-wild. For more
information on this vulnerability, please visit:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp

TROJ_QHOSTS.A also performs other malicious routines such as:

-Enable and modify Domain Name System (DNS) settings
-Set the Name server 69.57.1<BLOCKED>6.14 and 69.57.1<BLOCKED>7.175
-Set domain name to host.mydomain.com
-Disable proxy
-Disable migrate proxy
-Disable search assistant
-Set search page to www.google.com
-Set search bar to www.google.com/ie
-Set search assistant to www.google.com/ie

Browsers that are not affected by the Object Data Remote Execution
Vulnerability may also be infected if the Security settings for ActiveX
and Scripting objects are enabled, e.g. the Internet Security setting is
set to Low. Trend Micro recommends that you install the latest patch for
Microsoft Internet Explorer and disable ActiveX and Scripting in your
browser Security settings.

A Visual Basic (VB) script is responsible for dropping this malware in the
Windows temporary folder. Afterward, a JavaScript contained on the Web page
performs the following tasks:

-Creates the file O.BAT, either in the current directory or the Windows
desktop directory

-The DOS Batch file, O.BAT, checks whether AOLFIX.EXE is present in the
Windows temporary directory and if it exists, the batch file executes it

-The batch file then tries to delete the AOLFIX.EXE located in the Windows
temporary directory

-The batch file also deletes itself (either in the current directory or the
Windows desktop directory)

This Trojan attempts to redirect approximately 109 various Internet Web
sites to the IP address 207.44.220.30. It also redirects the Web site, ELITE,
to the IP address 88.88.88.88.
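
An added example, not part of the original newsletter: a defender-side check that scans hosts-format text for names mapped to the two redirect addresses reported above, and for bulk redirection of many names to one public address. It assumes the redirection shows up as hosts-format entries (the report does not say where the mappings are stored); the threshold and the sample data are constructed.

```python
import ipaddress
from collections import defaultdict

# Redirect targets named in the report above.
REPORTED_TARGETS = {"207.44.220.30", "88.88.88.88"}
BULK_THRESHOLD = 20  # assumption: this many names on one public IP is suspicious


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-format text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address: ignore the line
        for name in fields[1:]:
            yield ip, name.lower()


def audit_hosts(text, threshold=BULK_THRESHOLD):
    """Return names sent to reported IPs, plus any bulk redirects."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        by_ip[ip].add(name)
    findings = {"reported": {}, "bulk": {}}
    for ip, names in by_ip.items():
        addr = ipaddress.ip_address(ip)
        if ip in REPORTED_TARGETS:
            findings["reported"][ip] = sorted(names)
        elif len(names) >= threshold and not (addr.is_loopback or addr.is_unspecified):
            # Loopback and 0.0.0.0 are skipped: blocklists commonly use them.
            findings["bulk"][ip] = len(names)
    return findings


# Constructed sample input (not taken from an infected machine).
SAMPLE = """\
127.0.0.1   localhost
# constructed entries below
207.44.220.30  search.example.com www.example.org
88.88.88.88    elite
0.0.0.0        ads.example.net
"""

if __name__ == "__main__":
    print(audit_hosts(SAMPLE))
```
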

If you would like to scan your computer for TROJ_QHOSTS.A or thousands of other
worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free,
online virus scanner at: http://housecall.trendmicro.com/

TROJ_QHOSTS.A is detected and cleaned by Trend Micro pattern file #643 and above.

For additional information about TROJ_QHOSTS.A please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_QHOSTS.A

3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: September 29, 2003 to October 5, 2003)
------------------------------------------------------------------------
1. WORM_NACHI.A
2. JAVA_BYTVERIFY.A
3. WORM_SWEN.A
4. WORM_SOBIG.A
5. TROJ_QHOSTS.A
6. ADW_TENGET.A
7. WORM_KWBOT.C
8. WORM_MSBLAST.A
9. JS_EXCEPTION.GEN
10. WORM_KLEZ.H
        
4. Head-to-Head Comparison: Web Security Performance
------------------------------------------------------------------------
Trend Micro commissioned VeriTest to compare the performance of Trend Micro
InterScan Web Security Suite 1.0 to Symantec Web Security 3.0 and McAfee WebShield
e1000 appliance using PC Magazine’s WebBench 4.01 Web server performance
benchmarking software. All three products tested work in conjunction with a
Web server to monitor HTTP and FTP traffic for known viruses. The goal of the
testing was to compare the performance of the three products while each
filtered HTTP and FTP traffic to several client systems.

View and compare the results of all three products:
http://www.trendmicro.com/en/products/gateway/iwss/evaluate/white-papers.htm

***********************************************************************************

Received on Fri Oct 10 23:31:30 2003

This archive was generated by hypermail 2.1.8 : Mon 29 May 2006 - 05:33:31 CEST