*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: Friday October 24, 2003
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Randy, is that you? – WORM_RANDEX.Q (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Enhance Your Personal Profile & Set Your Preferences for Trend Micro
Newsletters
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 659 http://www.trendmicro.com/download/pattern.asp
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engine.asp
2. Randy, is that you? – WORM_RANDEX.Q (Low Risk)
------------------------------------------------------------------------
WORM_RANDEX.Q is a destructive worm with backdoor capabilities. To propagate,
it scans randomly chosen machines for weak IPC$ share passwords and then drops
and executes a copy of itself on each system it compromises. As a backdoor, it
allows a remote user to control the infected system via Internet Relay Chat
(IRC). It runs on Windows 95, 98, ME, 2000, NT, and XP.
Upon execution, this worm drops a copy of itself in the Windows system
folder using any of the following file names:
MUSIRC4.71.EXE
metalrock-is-gay.exe
It executes the dropped file and remains memory-resident. Then, it
terminates its original process.
To hide itself from the process list on Windows 95, 98, and ME, it registers
itself as a service using the RegisterServiceProcess API. It also creates an
auto-run registry entry to ensure that it executes at every system startup.
Once active in memory, it scans randomly chosen systems for weak IPC$ share
passwords. When it finds a vulnerable system, it drops a copy of itself on the
compromised system through the administrative shares, at:
\ADMIN$\system32\musirc4.71.exe
\C$\WINNT\system32\musirc4.71.exe
It then schedules a network job using the NetScheduleJobAdd API function
to run the dropped malware copy. It also drops a copy of itself as SPREAD.ME
in the Windows system folder while performing its propagation routine.
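The propagation routine above has a network signature that is easier to catch than the worm's files: one host opening SMB sessions (IPC$, ADMIN$, C$ all ride on TCP 139/445) to many unrelated addresses in a short burst, then holding an outbound IRC connection. The following is an added detection example, not code from the report or from Trend Micro; it runs over constructed firewall-style log lines, and the IRC port 6667 is an assumption (the worm's IRC server could listen on any port).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of firewall/flow log lines (not from the report).
# 10.0.0.9 is a normal workstation talking to its file server; 10.0.0.5
# fans out SMB sessions to nine unrelated addresses in four seconds and
# then holds an outbound connection on the conventional IRC port.
SAMPLE_LOG = """\
2003-10-20 09:00:01 src=10.0.0.9 dst=10.0.0.2 dport=445 proto=tcp
2003-10-20 09:00:03 src=10.0.0.9 dst=10.0.0.2 dport=445 proto=tcp
2003-10-20 09:00:05 src=10.0.0.5 dst=10.0.1.17 dport=139 proto=tcp
2003-10-20 09:00:05 src=10.0.0.5 dst=192.168.44.3 dport=445 proto=tcp
2003-10-20 09:00:06 src=10.0.0.5 dst=172.16.9.250 dport=139 proto=tcp
2003-10-20 09:00:06 src=10.0.0.5 dst=10.200.1.1 dport=445 proto=tcp
2003-10-20 09:00:07 src=10.0.0.5 dst=10.0.77.8 dport=139 proto=tcp
2003-10-20 09:00:07 src=10.0.0.5 dst=192.168.0.21 dport=445 proto=tcp
2003-10-20 09:00:08 src=10.0.0.5 dst=10.3.3.3 dport=139 proto=tcp
2003-10-20 09:00:08 src=10.0.0.5 dst=172.16.200.14 dport=445 proto=tcp
2003-10-20 09:00:09 src=10.0.0.5 dst=10.9.9.9 dport=139 proto=tcp
2003-10-20 09:00:09 src=10.0.0.5 dst=10.0.0.9 dport=80 proto=tcp
2003-10-20 09:00:12 src=10.0.0.5 dst=203.0.113.7 dport=6667 proto=tcp
2003-10-20 09:10:00 src=10.0.0.9 dst=10.0.0.3 dport=445 proto=tcp
"""

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+) proto=tcp$")
SMB_PORTS = {139, 445}   # NetBIOS session / direct-hosted SMB: IPC$, ADMIN$, C$
IRC_PORTS = {6667}       # assumption: the worm's IRC server could listen anywhere


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))


def find_randex_suspects(log_text, window_seconds=60, min_targets=10):
    """Flag sources that open SMB sessions to at least min_targets distinct hosts
    inside any window of window_seconds. Returns {src: {"smb_targets": n, "irc": bool}}."""
    smb_by_src = defaultdict(list)
    irc_sources = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport in SMB_PORTS:
            smb_by_src[src].append((ts, dst))
        elif dport in IRC_PORTS:
            irc_sources.add(src)

    suspects = {}
    for src, events in smb_by_src.items():
        events.sort()
        start = 0
        best = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_targets:
            suspects[src] = {"smb_targets": best, "irc": src in irc_sources}
    return suspects


if __name__ == "__main__":
    for src, info in find_randex_suspects(SAMPLE_LOG, min_targets=8).items():
        print(f"{src}: {info['smb_targets']} distinct SMB targets, IRC seen: {info['irc']}")
```

Tune min_targets to the site: a file server or a backup host legitimately talks to many SMB peers, so whitelist those sources rather than lowering the threshold. The IRC flag only strengthens a hit; on its own it is not evidence, since the port is assumed.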
This memory-resident backdoor program utilizes IRC to communicate with a
remote malicious user, typically the malware author. It allows this user to
perform the following actions, leaving the affected system compromised:
-Upload/download programs on infected machine
-Open a file remotely
-Get system information about the affected machine (e.g., processor speed,
memory size, operating system)
-Scan for ports
-Join/leave a specified IRC channel
-Uninstall a copy of itself
-Visit a URL
-Update a copy of itself
-SYN flood a target host
Upon every execution, it deletes the file NETSTAT.EXE from the Windows system
directory, presumably to remove the tool an administrator would first reach for
to see its IRC connection.
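The report gives enough host-side artifacts (the dropped file names, SPREAD.ME, the auto-run entry, the AT job on a newly hit target, the missing NETSTAT.EXE) to triage a machine without a scanner. The following is an added example, not code from the report or from Trend Micro; the host snapshots are constructed, and the exact registry value name of the auto-run entry is not given in the report, so matching is done on the command rather than the name.

```python
# Host-side triage for the artifacts the report attributes to WORM_RANDEX.Q.
# File names the worm drops into the Windows system folder (from the report).
IOC_FILES = {"musirc4.71.exe", "metalrock-is-gay.exe", "spread.me"}


def triage_host(snapshot):
    """snapshot is a dict with:
         system_dir : list of file names found in the Windows system folder
         run_entries: {value_name: command} from the auto-run registry keys
         at_jobs    : list of command lines in the Schedule (AT) job list
       Returns (infected: bool, findings: list of str)."""
    findings = []
    names = {n.lower() for n in snapshot.get("system_dir", [])}

    for ioc in sorted(IOC_FILES & names):
        findings.append(f"dropped file present in system folder: {ioc}")

    # The worm deletes NETSTAT.EXE on every run; its absence on an otherwise
    # intact system is a weak but cheap indicator.
    if "netstat.exe" not in names:
        findings.append("NETSTAT.EXE missing from system folder")

    for value, cmd in snapshot.get("run_entries", {}).items():
        if any(ioc in cmd.lower() for ioc in IOC_FILES):
            findings.append(f"auto-run registry value {value!r} launches {cmd}")

    # NetScheduleJobAdd leaves an AT job on the *target* that launches the copy,
    # so a freshly hit machine may show a job before it shows a run-key entry.
    for cmd in snapshot.get("at_jobs", []):
        if any(ioc in cmd.lower() for ioc in IOC_FILES):
            findings.append(f"scheduled AT job launches {cmd}")

    # A missing netstat alone is not enough; require a file, run-key or job hit too.
    strong = [f for f in findings if not f.startswith("NETSTAT.EXE")]
    return bool(strong), findings


# Constructed snapshots (not real hosts).
INFECTED_HOST = {                      # worm has run here: files, run key, netstat gone
    "system_dir": ["kernel32.dll", "MUSIRC4.71.EXE", "SPREAD.ME", "cmd.exe"],
    "run_entries": {"musirc": r"C:\WINNT\system32\musirc4.71.exe"},
    "at_jobs": [],
}
TARGET_HOST = {                        # just hit over ADMIN$: copy dropped, AT job queued
    "system_dir": ["kernel32.dll", "NETSTAT.EXE", "musirc4.71.exe", "cmd.exe"],
    "run_entries": {},
    "at_jobs": [r"C:\WINNT\system32\musirc4.71.exe"],
}
CLEAN_HOST = {
    "system_dir": ["kernel32.dll", "NETSTAT.EXE", "cmd.exe"],
    "run_entries": {"ctfmon": r"C:\WINNT\system32\ctfmon.exe"},
    "at_jobs": [r"C:\WINNT\system32\defrag.exe c:"],
}

if __name__ == "__main__":
    for label, host in (("infected", INFECTED_HOST), ("target", TARGET_HOST), ("clean", CLEAN_HOST)):
        verdict, found = triage_host(host)
        print(label, verdict, found)
```

Feed the snapshot from whatever collection you already have (a directory listing of the system folder, an export of the Run keys, the output of the AT command); the point of separating the weak NETSTAT.EXE indicator from the strong ones is that a host whose netstat was removed by an administrator or a build image should not be declared infected on that alone.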
If you would like to scan your computer for WORM_RANDEX.Q or thousands of
other worms, viruses, Trojans and malicious code, visit HouseCall, Trend
Micro's free, online virus scanner at: http://housecall.trendmicro.com/
WORM_RANDEX.Q is detected and cleaned by Trend Micro pattern file #653 and
above.
For additional information about WORM_RANDEX.Q please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RANDEX.Q
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of October 13, 2003 to October 19, 2003)
------------------------------------------------------------------------
1. TROJ_ISTBAR.B
2. WORM_NACHI.A
3. ADW_TENGET.A
4. PE_DUMARU.A
5. WORM_SDDROP.C
6. TROJ_STARTPADE.A
7. TROJ_ISTBAR.D
8. WORM_SWEN.A
9. WORM_MSBLAST.C
10. WORM_MSBLAST.A
4. Enhance Your Personal Profile & Set Your Preferences for Trend Micro
Newsletters
------------------------------------------------------------------------
Trend Micro brings you an easy-to-use interface for sharing your personal
information and setting your preferences to receive our newsletters. By
using this, you can:
-Subscribe to receive our different newsletters
-Share your personal information so we can send you relevant news
-Change your email address
-Unsubscribe from any one of our communications
Simply click on http://www.trendmicro.com/subscriptions/default.asp and
enter your current email address to update your profile.
***********************************************************************************
______________________________________________________________________
This message was sent by Trend Micro's Newsletters Editor using Responsys Interact (TM).
To view our permission marketing policy:
http://www.rsvp0.net
Received on Sat Oct 25 00:18:50 2003