Trend Micro Weekly Virus Report - November 7, 2003

From: Trend Micro Newsletters Editor <newsletters_at_trendmicro.rsc03.com>
Date: Sat 08 Nov 2003 - 01:22:40 CET
Message-Id: <200311080022.hA80MfDe016863@nocoy.ncsh.com>

<html>
<head>
<title>Trend Micro Weekly Virus Report</title>
 <style type="text/css">
<!--
body,th,td,p,div,span,a,input,select,textarea,form,ul,dl,li,ul{font-family:verdana,helvetica,sans-serif}
.small-text{font-size:10px;}
div.vertical2{font-size:2px;}
div.vertical3{font-size:3px;}
div.vertical4{font-size:4px;}
div.vertical6{font-size:6px;}
div.vertical8{font-size:8px;}
div.vertical12{font-size:12px;}
div.vertical20{font-size:20px;}
div.carat-li {padding-left:12px;text-indent:-12px;}
span.redemailsectionheader{color:#FF0000;font-weight:bold;font-size:13px;}
span.blackemailsectionheader{color:#000000;font-weight:bold;font-size:13px;}
span.content{color:#000000;font-size:11px;}
a:link {color:#000000; text-decoration:underline;}
a:hover {color:#FF0000; text-decoration:underline;}
a:active {color:#FF0000; text-decoration:underline;}
a:visited {color:#000000; text-decoration:underline;}
//-->
</style>
</head>
<body bgcolor="FFFFFF">
<table width="100%" cellpadding="0" cellspacing="0" border="0">
<tr>
        <td width="90">Trend Micro</td>
        <td width="100%" align="right"><span class="content"><img src="http://www.trendmicro.com/global/common/images/icon-arrow.gif" alt="" width="5" height="6" border="0" align="middle"><img src="http://www.trendmicro.com/global/common/images/spacer.gif" width="4" height="1" alt="Trend Micro" border="0" align="middle">Visit Trend Micro.com</span></td>
        <td width="90"><img src="http://www.trendmicro.com/global/common/images/spacer.gif" width="45" height="8" alt="Trend Micro" border="0"></td>
</tr>
</table>
<div class="vertical12">&nbsp;</div>
<table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="000000"><tr><td><img src="http://www.trendmicro.com/global/common/images/spacer.gif" width="1" height="1" alt="" border="0"></td></tr></table>
<div class="vertical12">&nbsp;</div>
<span class="blackemailsectionheader">Trend Micro Weekly Virus Report</span><br />
<span class="content">(by TrendLabs Global Antivirus and Research Center)</span><br />
<div class="vertical12">&nbsp;</div>
<table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="000000"><tr><td><img src="http://www.trendmicro.com/global/common/images/spacer.gif" width="1" height="1" alt="" border="0"></td></tr></table>
<div class="vertical12">&nbsp;</div>
<table width="100%" border="0" cellspacing="0" cellpadding="0" background="http://www.trendmicro.com/global/common/images/bg-dotted-h.gif"><tr><td><img src="http://www.trendmicro.com/global/common/images/spacer.gif" width="1" height="1" alt="" border="0"></td></tr></table>
<span class="content"> <br>
<span class="content">Date: November 7, 2003</span> <br>
<br>
<table width="100%" border="0" cellspacing="0" cellpadding="0" background="http://www.trendmicro.com/global/common/images/bg-dotted-h.gif">
  <tr>
    <td><img src="http://www.trendmicro.com/global/common/images/spacer.gif" width="1" height="1" alt="" border="0"></td>
  </tr>
</table>
<br>
<span class="content"> <b>Issue Preview:</b> <br>
<br>
<b>1. Trend Micro Updates - </b>Pattern File &amp; Scan Engine Updates<br />
<b>2. MIMAIL Variant - </b>WORM_MIMAIL.H (Low Risk)<br />
<b>3. Top 10 Most Prevalent Global Malware</b><br />
<b>4. Newly Released Products Available!</b><br />
<br>
<br>
</span>
<table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="000000">
  <tr>
    <td><img src="http://www.trendmicro.com/global/common/images/spacer.gif" width="1" height="1" alt="" border="0"></td>
  </tr>
</table>
<br>
<br>
<span class="redemailsectionheader">1. Trend Micro Updates</span><span class="blackemailsectionheader">
- Pattern File and Scan Engine Updates </span> <br>
<br>
PATTERN FILE: 675<br />
SCAN ENGINE: 6.510<br>
<br>

<table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="000000">
  <tr>
    <td><img src="http://www.trendmicro.com/global/common/images/spacer.gif" width="1" height="1" alt="" border="0"></td>
  </tr>
</table>
<br>
<span class="redemailsectionheader">2. MIMAIL Variant </span><span class="blackemailsectionheader"> - WORM_MIMAIL.H (Low Risk) </span>
<p>WORM_MIMAIL.H is a destructive, memory-resident worm that propagates via its own Simple Mail Transfer Protocol (SMTP) engine. It sends email with the following details, and spoofs the sender email address: </p>

<p><b>From: </b>john@&lt;recipient domain name&gt;<br>
<b>Subject:</b> don't be late wgfaxaam<br>
<b>Message Body: </b>Will meet tonight as we agreed, because on Wednesday I don’t think I’ll make it,<br><br> so don’t be late. And yes, by the way here is the file you asked for. It’s all written there. See you. <br><br>wgfwxaax
</p>
<p><b>Attachment:</b> readnow.zip</p>

<p>This worm randomly performs a Denial of Service (DoS) attack against the following Web sites:</p>
<p>www.spamhaus.org<br>
www.spews.org
</p>
<p>WORM_MIMAIL.H runs on Windows 95, 98, ME, NT, 2000, and XP.</p>
<p>Upon execution, this memory-resident worm drops a copy of itself as CNFRM33.EXE in the Windows folder. It then creates a registry entry so that its dropped copy executes at every Windows startup.</p>
<p>This worm deletes the following files if they exist: </p>

<ul>
<li>ZIP.TMP </li>
<li>EXE.TMP </li>
<li>EML.TMP</li>
</ul>
<p>It then creates a copy of itself in the Windows folder using the file name EXE.TMP. It uses this file to create another .ZIP file named ZIP.TMP, which contains a copy of this worm with the file name READNOW.DOC.SCR. This worm creates ZIP.TMP by writing a hard-coded ZIP header and appending a copy of itself as the archive data, so the resulting .ZIP archive contains the worm in uncompressed (stored) form. It registers itself as a service process and is not visible in the task list of Windows 95, 98, and ME.
</p>
<p>This worm arrives as an email attachment that is a .ZIP file containing a UPX-compressed Win32 .EXE file. It must be manually extracted and executed by the recipient in order to propagate.</p>
<p>It harvests email addresses only from files that do not have the following extensions: </p>
<ul>
<li>COM </li>
<li>WAV </li>
<li>CAB </li>
<li>PDF </li>
<li>RAR </li>
<li>ZIP</li>
<li>TIF </li>
<li>PSD </li>
<li>OCX </li>
<li>VXD </li>
<li>MP3 </li>
<li>MPG </li>
<li>AVI </li>
<li>DLL </li>
<li>EXE </li>
<li>GIF</li>
<li>JPG </li>
<li>BMP</li>
</ul>
<p>It tries to resolve the "www.google.com" host name to check whether an Internet connection is present. If the lookup succeeds, it executes its payload and propagation routines. </p>

<p>If you would like to scan your computer for WORM_MIMAIL.H or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com</p>
<p>WORM_MIMAIL.H is detected and cleaned by Trend Micro pattern file #674 and above. </p>
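<p>The description above gives a mail-gateway analyst several indicators that can be checked without a signature: a sender spoofed as john@ at the recipient's own domain, the "don't be late" subject followed by a random token, a readnow.zip attachment, and an archive whose only entry is a stored (uncompressed) file with a document-plus-executable double extension that begins with a PE "MZ" header. The following Python script is an added example written for this report, not Trend Micro code: the function and variable names, the executable and document extension sets, and the two sample messages (including the inert lookalike archive built with a filler payload) are all constructed for illustration.</p>

```python
"""Triage helper for the WORM_MIMAIL.H mail pattern described in the report.

Added example, not Trend Micro code. The sample messages and the lookalike
archive are constructed; the archive entry is inert filler, not real malware.
"""
from __future__ import annotations

import io
import re
import zipfile
from pathlib import PurePosixPath

# Assumed sets: extensions Windows executes, and document-like extensions
# a worm might place in front of them (e.g. READNOW.DOC.SCR).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
DOC_LIKE_EXTS = {".doc", ".txt", ".pdf", ".xls"}

# Subject from the report: "don't be late" plus a random lowercase token.
SUBJECT_RE = re.compile(r"^don[’']?t be late(\s+[a-z]{6,})?$", re.IGNORECASE)


def inspect_zip(data: bytes) -> list[str]:
    """Return findings for a ZIP attachment body (empty list = nothing odd)."""
    findings: list[str] = []
    if not data.startswith(b"PK\x03\x04"):
        return ["not_a_zip"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name = info.filename
                suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
                # Executable entry, flagged harder when a document extension
                # is used to disguise it (the report's READNOW.DOC.SCR case).
                if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
                    if len(suffixes) >= 2 and suffixes[-2] in DOC_LIKE_EXTS:
                        findings.append(f"double_extension:{name}")
                    else:
                        findings.append(f"executable_entry:{name}")
                # The worm appends itself after a hard-coded header, so the
                # entry is stored rather than deflated.
                if info.compress_type == zipfile.ZIP_STORED:
                    findings.append(f"stored_entry:{name}")
                # A PE executable starts with the "MZ" DOS header.
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        findings.append(f"pe_magic:{name}")
    except zipfile.BadZipFile:
        return ["malformed_zip"]
    return findings


def triage_message(msg: dict) -> list[str]:
    """Check one parsed message (dict of header strings and attachments)
    against the MIMAIL.H indicators and return the matching ones in order."""
    findings: list[str] = []
    sender = msg.get("from", "").lower()
    recipient = msg.get("to", "").lower()
    rdomain = recipient.rsplit("@", 1)[-1] if "@" in recipient else ""
    # Sender spoofed as john@<recipient domain>.
    if rdomain and sender == f"john@{rdomain}":
        findings.append("spoofed_sender_recipient_domain")
    if SUBJECT_RE.match(msg.get("subject", "")):
        findings.append("subject_pattern")
    for name, body in msg.get("attachments", []):
        if name.lower() == "readnow.zip":
            findings.append("attachment_name")
        if name.lower().endswith(".zip"):
            findings.extend(inspect_zip(body))
    return findings


def build_sample_zip() -> bytes:
    """Constructed lookalike of the worm's archive: one stored entry named
    READNOW.DOC.SCR whose content begins with an 'MZ' header (filler only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("READNOW.DOC.SCR", b"MZ" + b"\x00" * 62 + b"constructed filler")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed benign archive: a deflated text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"agenda for the meeting\n")
    return buf.getvalue()


# Constructed sample messages (example.org/example.net are reserved domains).
SAMPLE_MESSAGE = {
    "from": "john@example.org",
    "to": "alice@example.org",
    "subject": "don't be late wgfaxaam",
    "attachments": [("readnow.zip", build_sample_zip())],
}
BENIGN_MESSAGE = {
    "from": "bob@example.net",
    "to": "alice@example.org",
    "subject": "Meeting notes",
    "attachments": [("notes.zip", build_benign_zip())],
}

if __name__ == "__main__":
    for label, m in (("worm-like", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, triage_message(m))
```

<p>The archive checks are the part worth keeping after the specific subject and file names change in later variants: a stored entry carrying a document-plus-executable name and an "MZ" header is unusual in legitimate mail regardless of what the worm calls itself.</p>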

<table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="000000">
  <tr>
    <td><img src="http://www.trendmicro.com/global/common/images/spacer.gif" width="1" height="1" alt="" border="0"></td>
  </tr>
</table>
<br>
<span class="redemailsectionheader">3. Top 10 Most Prevalent Global Malware</span> <br>
<span class="content"> (week of: October 31, 2003 to November 6, 2003)<br>

<ol>
<li>WORM_LOVGATE.G</li>
<li>WORM_MSBLAST.A</li>
<li>WORM_SWEN.A</li>
<li>WORM_MSBLAST.C</li>
<li>PE_NIMDA.A</li>
<li>WORM_KLEZ.H</li>
<li>WORM_NACHI.A</li>
<li>TROJ_DASMIN.B</li>
<li>WORM_ANTINNY.A</li>
<li>JAVA_BYTVERIFY.A</li>
</ol>
</span>

<span class="content"><br>
<table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="000000">
  <tr>
    <td><img src="http://www.trendmicro.com/global/common/images/spacer.gif" width="1" height="1" alt="" border="0"></td>
  </tr>
</table>
</span>
<p>
 <span class="redemailsectionheader">4. Newly Released Products Available</span></p>
<p>Trend Micro has recently released several newly upgraded products: </p>
<ul>
<li>InterScan Messaging Security Suite 5.5</li>
<li>ScanMail for Lotus Notes 2.6 AIX</li>
<li>Spam Prevention Solution 1.1 for Solaris</li>
</ul>
<p><b>Trend Micro InterScan Messaging Security Suite 5.5</b> is an extensible messaging security platform for the gateway that addresses mixed-threat attacks by delivering coordinated policies for antivirus, antispam, and content security. </p>
<ul>
<li>Estimate your Total Cost of Ownership savings using our InterScan Messaging Security Suite TCO Calculator</li>
<li>Download a 30-day trial version of InterScan Messaging Security Suite</li>
</ul>
<p><b>Trend Micro Spam Prevention Solution 1.1 for Solaris </b>is a high-performance, antispam application designed to block non-productive and malicious spam at the gateway. It employs patent-pending, heuristic technology that can evaluate, identify, and monitor existing and new messages using multiple spam email characteristics, providing highly accurate spam capture rates with very low false positives. </p>
<ul>
<li>Calculate the cost of spam in your organization with our Spam Calculator</li>
<li>Download a free 30-day trial version of Spam Prevention Solution</li>
</ul>
<p><b>Trend Micro ScanMail for Lotus Notes 2.6 for AIX</b> offers comprehensive virus protection and content security for the Lotus Domino environment. It scans viruses hidden in databases and email attachments, and it also protects collaboration tools such as Lotus Sametime™ and Quickplace™. ScanMail is designed to operate as a native Domino server application and provides administrators with a familiar, intuitive interface. </p>
<ul><li>View the readme file to learn more</li></ul>

</span>

<span class="content"><br>
<table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="000000">
  <tr>
    <td><img src="http://www.trendmicro.com/global/common/images/spacer.gif" width="1" height="1" alt="" border="0"></td>
  </tr>
</table>
<br>
<br>
<span class="content"> For questions, comments, and suggestions about the Weekly
Virus Report please contact the Newsletters Editor at <a href="mailto:newsletters@trendmicro.com">newsletters@trendmicro.com</a>.
</span></span>
</body>
</html>

______________________________________________________________________
This message was sent by Trend Micro's Newsletters Editor using Responsys Interact (TM).

Received on Sat Nov 8 01:22:43 2003
