-----Original Message-----
From: Trend Micro Virus Info [mailto:VirusInfo@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Saturday, August 03, 2002 6:29 AM
To: franciscus.lim@xxxxxxx
Subject: Trend Micro Weekly Virus Report - August 2, 2002

*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: August 2, 2002
------------------------------------------------------------------------

To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/trendsetter/virus_report/

Issue Preview:
1. Trend Micro Updates - Pattern File and Scan Engine Updates
2. New Mass Mailer - PE_CHIR.B (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. New Version of ServerProtect Available - Download a Free Trial

NOTE: Long URLs may break into two lines in some mail readers. Should this occur, please copy and paste the URL into your browser window.

************************************************************************

1. Trend Micro Updates - Pattern File and Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 331
http://www.trendmicro.com/download/pattern.asp

SCAN ENGINE: 6.150
http://www.trendmicro.com/download/engines/

2. New Mass Mailer - PE_CHIR.B (Low Risk)
------------------------------------------------------------------------
This mass-mailing worm propagates by sending copies of itself to all addresses listed in the target user's Windows Address Book (WAB). It sends an email with the following details:

   From: imissyou@xxxxxxxxxxxxx
   Subject: <username> is comming!
   Message:
   Attachment: PP.EXE

It also infects all files with the following extensions:

   EXE
   SCR
   HTM
   HTML

On the first day of every month, it overwrites the first 1,234 bytes of all files with the following extensions:

   ADC
   RDB
   DOC
   XLS

This worm exploits a known vulnerability affecting systems running Microsoft Internet Explorer 5.01 and 5.5. This exploit allows the automatic execution of email attachments without the user opening them. The worm tags the infected email attachment with the audio/x-wav content-type. Therefore, the default audio-file player of the system on which the email arrives attempts to open the attachment.

Upon execution, this worm executes itself as another process. Since the creation of another process consumes additional memory resources, this behavior may cause the infected system to hang.

This worm drops several copies of the file README.EML in all directories and subdirectories. This file is a Uuencoded version of the worm. Uuencode is a universal protocol for sending files between different platforms, and is typically utilized for sending email attachments.

On infected systems running Windows NT 4.0, Windows 2000, and Windows XP, this malware runs the Net Send command to send the following text message to all computers belonging to the same workgroup:

   My god! Some one killed ChineseHacker-2 Monitor

If you would like to scan your computer for PE_CHIR.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner at:
http://housecall.antivirus.com/

PE_CHIR.B is detected and cleaned by Trend Micro pattern file #330 and above.

For additional information about PE_CHIR.B please visit:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_CHIRB

3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: July 22, 2002 to July 28, 2002)
------------------------------------------------------------------------
   1. WORM_KLEZ.H
   2. JS_NOCLOSE.A
   3. WORM_DATOM.A
   4. WORM_DANDI.A
   5. PE_MAGISTR.B
   6. JS_NOCLOSE.E
   7. WM_CONCEPT
   8. PE_NIMDA.A-O
   9. WORM_YAHA.E
   10. WORM_KLEZ.E

4. New Version of ServerProtect Available - Download a Free Trial
------------------------------------------------------------------------
Trend Micro ServerProtect software provides network-wide, comprehensive antivirus scanning for servers running Microsoft(tm) Windows(tm) 2000, Microsoft Windows NT(tm), and Novell(tm) NetWare(tm) operating systems. Managed through an intuitive, portable console, ServerProtect provides virus outbreak management, centralized virus scanning, virus pattern file updates, event reporting, and antivirus configuration.

To learn more about Trend Micro's file server and storage protection go to
http://www2.trendmicro.com/US/Products/File+Server+and+Storage/default.htm

To download a free, 30-day trial version of ServerProtect visit
http://www.trendmicro.com/download/register.asp?product_id=18&product_from=svrprt

************************************************************************
For questions, comments, and suggestions about the Weekly Virus Report please contact the Newsletters Editor at newsletters@xxxxxxxxxxxxxxx
************************************************************************
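
The PE_CHIR.B write-up in section 2 describes an executable attachment (PP.EXE) labelled with the audio/x-wav content-type. The following Python check is an added example, not part of the Trend Micro report or any Trend Micro product: it flags MIME parts whose declared media type disagrees with the file name or leading bytes. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import base64
import email
from email import policy

# Extensions Windows runs directly; the report's attachment was PP.EXE.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat")
MEDIA_TYPES = {"audio", "video", "image"}

def suspicious_attachments(raw_message: bytes):
    """Return (filename, declared_type, reasons) for media-typed parts
    whose name or leading bytes say they are Windows executables."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        if declared.split("/")[0] not in MEDIA_TYPES:
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(EXECUTABLE_EXTS):
            reasons.append("executable extension")
        if payload[:2] == b"MZ":  # DOS/PE header magic
            reasons.append("MZ header")
        if reasons:
            findings.append((name, declared, reasons))
    return findings

def build_sample(content_type: str, filename: str, body: bytes) -> bytes:
    """Constructed test message (not a captured sample)."""
    b64 = base64.b64encode(body).decode()
    return (
        "From: sender@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        f'--b1\r\nContent-Type: {content_type}; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        f"{b64}\r\n--b1--\r\n"
    ).encode()

if __name__ == "__main__":
    fake = build_sample("audio/x-wav", "PP.EXE", b"MZ\x90\x00constructed")
    for finding in suspicious_attachments(fake):
        print(finding)
```

The MZ check still fires when the attachment carries an innocuous name, so a renamed executable under a media content-type is reported as well.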