*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: Friday October 17, 2003
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Redline – WORM_REDIST.E (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Head-to-Head Comparison: Web Security Performance
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 655 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engine.asp
2. Redline – WORM_REDIST.E (Low Risk)
------------------------------------------------------------------------
WORM_REDIST.E is a non-destructive worm that spreads via email using
Microsoft Outlook, and via peer-to-peer (P2P) file-sharing networks. It
also has password-stealing capabilities. It runs on Windows 95, 98, ME,
NT, 2000, and XP.
Upon execution, this worm displays the following message box:
Error Starting Progam
A required .DLL file, MSVBM60.DLL, was not found.
It drops the following copies of itself into the Windows folder:
Ircskins.skn
Msgsf32.exe
Msipxc32.exe
Scrset32.scr
Winscz32.exe
Winsetr32.exe
It drops the following copies of itself into the Windows system folder:
Icmpmgr32.exe
Lnkscrc32.scr
Msgmain32.exe
Msgsvc32.pif
Msrun32.exe
Svcmsg32.pif
Winlnkf32.pif
It drops the following copy into the Startup folder:
Startw32.pif
The worm creates registry entries that allow its dropped copy, WINSCZ32.EXE,
to execute at every Windows startup.
This worm propagates by sending a copy of itself to all email addresses found
in the infected users' address book. It uses Microsoft Outlook (MAPI) to send
email with varying details. Samples of the emails it sends are as follows:
Subject: A new screensaver
Message Body: Take a look at this new screensaver in the attachments that I
downloaded from the internet a while ago. If you like it, try setting it as
your system screensaver :) Cya!
Attachment: 3DFish.scr
Subject: Your file
Message Body: Here is that file that you asked for (in the attachments).
Sorry that I sent it late, I had trouble finding it on the computer.
Attachment: Picture2.pif
This worm also attempts to propagate to other P2P and chat clients. To do so,
it drops the following copies of itself:
Bruce Almighty (Downloader).pif
Legally Blonde 2 (Downloader).pif
Movie - Finding Nemo (Downloader).pif
Movie - Terminator 3 (Downloader).pif
Movie - The Hulk (Downloader).pif
Movie - The Italian Job (Downloader).pif
Sinbad - Legend of the Seven Seas (Downloader).pif
into the following paths, if they exist:
%Program Files%\BearShare\Shared
%Program Files%\Grokster\My Grokster
%Program Files%\ICQ\Shared Files
%Program Files%\Kazaa Lite\My Shared Folder
%Program Files%\Kazaa\My Shared Folder
%Program Files%\KMD\My Shared Folder
%Program Files%\Limewire\Shared
%Program Files%\Morpheus\My Shared Folder
%Program Files%\Overnet\Incoming
%Program Files%\Rapigator\Share
%Program Files%\Shareaza\Downloads
%Program Files%\Tesla\Files
%Program Files%\WinMX\My Shared Folder
%Program Files%\XoloX\Downloads
This worm also drops randomly named files into the following paths:
\My Music
\My Documents\My Music
This worm also attempts to capture and send cached passwords to a remote
malicious user. This function only applies on systems running Windows 95 and
98, since the API used is not available on NT-based systems. It appears that
the information is being sent to the following email address:
Zed_rRlf@hotmail.com
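The indicators above (dropped file names, the P2P share folders, and the two sample lure emails) can be turned into a simple host and mail check. The following Python script is an added example for this report; it is not Trend Micro's code and not part of the original newsletter. The file names, share paths, subjects and attachment names are those listed in the report; the folder layout, the helper names (sweep_host, is_known_lure, build_sample_tree, demo_sweep) and the sample file tree it builds are constructed for illustration. The registry entry that starts WINSCZ32.EXE is not checked here because the report does not name the key.

```python
"""Host and mail checks for the WORM_REDIST.E indicators in the report.

Added example, not Trend Micro's code. Indicator names come from the report;
the directory layout and the sample tree are constructed for illustration.
"""
import os
import tempfile
from pathlib import Path

# Copies dropped into the Windows, Windows system and Startup folders
# (names as listed in the report; compared case-insensitively).
WINDOWS_DROPS = {"ircskins.skn", "msgsf32.exe", "msipxc32.exe",
                 "scrset32.scr", "winscz32.exe", "winsetr32.exe"}
SYSTEM_DROPS = {"icmpmgr32.exe", "lnkscrc32.scr", "msgmain32.exe",
                "msgsvc32.pif", "msrun32.exe", "svcmsg32.pif", "winlnkf32.pif"}
STARTUP_DROPS = {"startw32.pif"}

# Decoy names the worm places in P2P shared folders.
P2P_DECOYS = {
    "bruce almighty (downloader).pif",
    "legally blonde 2 (downloader).pif",
    "movie - finding nemo (downloader).pif",
    "movie - terminator 3 (downloader).pif",
    "movie - the hulk (downloader).pif",
    "movie - the italian job (downloader).pif",
    "sinbad - legend of the seven seas (downloader).pif",
}

# Share folders relative to %Program Files%, as path components so the
# check also runs on a mounted image under a non-Windows OS.
P2P_SHARE_DIRS = [
    ("BearShare", "Shared"), ("Grokster", "My Grokster"), ("ICQ", "Shared Files"),
    ("Kazaa Lite", "My Shared Folder"), ("Kazaa", "My Shared Folder"),
    ("KMD", "My Shared Folder"), ("Limewire", "Shared"),
    ("Morpheus", "My Shared Folder"), ("Overnet", "Incoming"),
    ("Rapigator", "Share"), ("Shareaza", "Downloads"), ("Tesla", "Files"),
    ("WinMX", "My Shared Folder"), ("XoloX", "Downloads"),
]

# Subject/attachment pairs of the two sample emails quoted in the report.
MAIL_LURES = {("a new screensaver", "3dfish.scr"), ("your file", "picture2.pif")}


def _matches_in(folder, names):
    """Full paths of files in *folder* whose lower-cased name is in *names*."""
    folder = Path(folder)
    if not folder.is_dir():
        return []
    return sorted(str(p) for p in folder.iterdir()
                  if p.is_file() and p.name.lower() in names)


def sweep_host(windows_dir, system_dir, startup_dir, program_files):
    """Look for every dropped copy the report lists; returns hits per location."""
    hits = {
        "windows": _matches_in(windows_dir, WINDOWS_DROPS),
        "system": _matches_in(system_dir, SYSTEM_DROPS),
        "startup": _matches_in(startup_dir, STARTUP_DROPS),
        "p2p": [],
    }
    for parts in P2P_SHARE_DIRS:
        hits["p2p"].extend(_matches_in(Path(program_files).joinpath(*parts), P2P_DECOYS))
    return hits


def is_known_lure(subject, attachment_name):
    """True when a mail's subject and attachment match a sample lure from the report."""
    return (subject.strip().lower(), attachment_name.strip().lower()) in MAIL_LURES


def build_sample_tree(root):
    """Constructed sample layout: two dropped copies, one P2P decoy, one benign file."""
    root = Path(root)
    layout = {
        "windows_dir": root / "Windows",
        "system_dir": root / "Windows" / "System",
        "startup_dir": root / "Windows" / "Start Menu" / "Programs" / "Startup",
        "program_files": root / "Program Files",
    }
    for d in layout.values():
        d.mkdir(parents=True, exist_ok=True)
    (layout["windows_dir"] / "Winscz32.exe").write_bytes(b"constructed sample")
    (layout["system_dir"] / "MSRUN32.EXE").write_bytes(b"constructed sample")
    (layout["windows_dir"] / "notepad.exe").write_bytes(b"benign, must not match")
    share = layout["program_files"] / "Kazaa" / "My Shared Folder"
    share.mkdir(parents=True)
    (share / "Movie - The Hulk (Downloader).pif").write_bytes(b"constructed sample")
    return {k: str(v) for k, v in layout.items()}


def demo_sweep():
    """Build the constructed tree in a temp dir, sweep it, return base names per location."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = sweep_host(**build_sample_tree(tmp))
        return {k: [os.path.basename(p) for p in v] for k, v in hits.items()}


if __name__ == "__main__":
    for location, names in demo_sweep().items():
        print(f"{location}: {names or 'clean'}")
    print("lure:", is_known_lure("A new screensaver", "3DFish.scr"))
```

On a live Windows host, point sweep_host at %WinDir%, the system folder, the Startup folder and %Program Files% instead of the constructed tree; a name match is only a trigger to quarantine and confirm with an updated pattern file, since legitimate software may reuse generic names. is_known_lure is deliberately narrow (exact subject plus attachment); a gateway rule would more usefully block .pif and .scr attachments outright, which also covers the varying details the report mentions.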
If you would like to scan your computer for WORM_REDIST.E or thousands of other
worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free,
online virus scanner at: http://housecall.trendmicro.com/
WORM_REDIST.E is detected and cleaned by Trend Micro pattern file #649 and above.
For additional information about WORM_REDIST.E please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_REDIST.E
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: October 6, 2003 to October 12, 2003)
------------------------------------------------------------------------
1. TROJ_ISTBAR.B
2. WORM_SWEN.A
3. TROJ_QHOSTS.A
4. WORM_NACHI.A
5. BKDR_SDBOT.441B1
6. ADW_TENGET.A
7. WORM_MSBLAST.C
8. WORM_MSBLAST.A
9. WORM_KLEZ.H
10. WORM_FRIENDGRT.A
4. Head-to-Head Comparison: Web Security Performance
------------------------------------------------------------------------
Trend Micro commissioned VeriTest to compare the performance of Trend Micro
InterScan Web Security Suite 1.0 to Symantec Web Security 3.0 and McAfee
WebShield e1000 appliance using PC Magazine’s WebBench 4.01 Web server performance
benchmarking software. All three products tested work in conjunction with a Web
server to monitor HTTP and FTP traffic for known viruses. The goal of the testing
was to compare the performance of the three products while each filtered HTTP
and FTP traffic to several client systems.
View and compare the results of all three products:
http://www.trendmicro.com/en/products/gateway/iwss/evaluate/white-papers.htm
******************************************************************************
______________________________________________________________________
This message was sent by Trend Micro's Newsletters Editor using Responsys Interact (TM).
To view our permission marketing policy:
http://www.rsvp0.net
Received on Sat Oct 18 01:02:53 2003