-----Original Message-----
From: Trend Micro Virus Info [mailto:VirusInfo@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Saturday, August 10, 2002 9:01 AM
To: franciscus.lim@xxxxxxx
Subject: Trend Micro Weekly Virus Report - August 9, 2002

*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************

------------------------------------------------------------------------
Date: August 9, 2002
------------------------------------------------------------------------

To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/trendsetter/virus_report/

Issue Preview:
1. Trend Micro Updates - Pattern File and Scan Engine Updates
2. Forever Love - VBS_SEALUG.A (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Trend Micro Unveils Enterprise Protection Strategy

NOTE: Long URLs may break into two lines in some mail readers. Should this occur, please copy and paste the URL into your browser window.

************************************************************************

1. Trend Micro Updates - Pattern File and Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 333
http://www.trendmicro.com/download/pattern.asp

SCAN ENGINE: 6.150
http://www.trendmicro.com/download/engines/

2. Forever Love - VBS_SEALUG.A (Low Risk)
------------------------------------------------------------------------
This Visual Basic Script worm propagates via Microsoft Outlook and arrives in an email with the following:

Subject: En SevdiginMessage
Message Body: Hayat yasandigi kadardir. Ötesi ya hatiralarda bir iz, ya da hayallerde bir umuttur. Hüsrani ise bir tek yerde kabul edebilirim: O da yasamaya olanak varken yasayamamis olmaktir.
Attachment: En_Sevdigin.vbs

This worm uses the email addresses found in the infected user's Microsoft Outlook Global Address book as recipients for its email sending routine. It sends one email per address entry and sets Outlook to delete the sent mail afterwards.

If the infected user does not have Microsoft Outlook installed, it displays a message box with the following:

Subject: VBScript
Header: Ist Oyle Birsey

It then displays two more message boxes:

Header: VBS Script: Forever Love
Message Body: Sevgide son yoktur. Sevgiler hicbir zaman son bulmazlar. Biten sevgiler yoktur, bitmis gibi gorunen sevgiler vardir. Vazgecis de yoktur sevgide. Yasandikca yasatilir sevilen. Ama kimi zaman sevgili icin kimi zamansa sevginin bir geregi olarak saklanir bu asklar. Vazgecis yoktur, vazgecmis gibi gorunmek vardir o yuzden.Sevmekte istemek yoktur. Sevgilinin oldugu yerde son bulur istekler. Bir sey varsa istedigin bu senin icin degil, sevgili icin istedigindir. Ondan O'nun adina istersin. O'nu daha sonsuz sevebilmek icin istersin. Sevme ozgurlugunu istersin, kabul edilmesini istersin. Istersin ama bir gun gelir bu istekler de son bulur. Kendinden istersin artik.

Header: VBS Script: Forever Love
Message Body: Sevgiliyi daha cok sevmek istersin kendinden. Sonsuz kilmak istersin. Bu yolda sevgili olur mu, olmaz mi bunu sevgilinin istegi belirler. Sevmek sevgiliyi istememeyi ogrenmektir. Sevmek sevgiliyi sevgili olmadan sevmektir. Sevmek; sevmek istemektir.Sevmek, beklememektir. Beklentilerin son buldugu bir duraktir o. Oyle ki tum gercekler, tum dunya silinir gider. Ne O'ndan anlasilmayi beklersin, ne onu anlamayi. Ne onun gelmesini beklersin, ne onun Leyla, Mecnun olmasini. Bildigin bir sey yoktur sevmeyi bilmek disinda.
It searches for the following files and, if found, it drops the file SCRIPT.INI in the directory where the file was found:

-MIRC32.EXE
-MLINK32.EXE
-MIRC.INI
-SCRIPT.INI
-MIRC.HLP

With this SCRIPT.INI file the worm is capable of performing the following:

-connecting to the server irc.muhabbi.net
-sending a message "Watashi Wa Anata Ga Sukide Su" to all other users who join the same channel as the infected user
-sending the message http:\\www.1agustos.com to all channels the infected user is currently on

It then changes the startup page of Internet Explorer to http://www.1agustos.com/

If you would like to scan your computer for VBS_SEALUG.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner at:
http://housecall.antivirus.com/

VBS_SEALUG.A is detected and cleaned by Trend Micro pattern file #332 and above.

For additional information about VBS_SEALUG.A please visit:
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS_SEALUG.A>

3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US (week of: July 29, 2002 to August 4, 2002)
------------------------------------------------------------------------
1. WORM_KLEZ.H
2. JS_NOCLOSE.A
3. WORM_YAHA.E
4. JS_NOCLOSE.E
5. JS_EXCEPTION.GEN
6. WORM_DANDI.A
7. WORM_KLEZ.E
8. PE_NIMDA.E
9. PE_ELKERN.D
10. WORM_DATOM.A

4. Trend Micro Unveils Enterprise Protection Strategy
------------------------------------------------------------------------
Trend Micro Enterprise Protection Strategy redefines virus protection by providing businesses with a lightweight architecture (composed of services, products, centralized management, and knowledge) for an unprecedented approach to proactive outbreak management. Trend Micro Enterprise Protection Strategy delivers centralized deployment of outbreak detection, protection, assessment, and cleanup strategies throughout the network.
To learn more about Enterprise Protection Strategy go to
http://www.trendmicro.com/products/eps/

************************************************************************
You are receiving this email from Trend Micro, because you have either downloaded a Trend Micro product or have signed up to receive the "Weekly Virus Report."

If you would like to change the way you receive email from Trend Micro, please make changes in your account page at
http://www.trendmicro.com/subscriptions/default.asp?email=franciscus.lim@aig.com

To UNSUBSCRIBE go to:
http://www.trendmicro.com/subscriptions/default.asp?format=unsubscribe

For questions, comments, and suggestions about the Weekly Virus Report please contact the Newsletters Editor at newsletters@xxxxxxxxxxxxxxx
************************************************************************
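
Added example (not part of the Trend Micro newsletter and not Trend Micro code): a Python check for the SCRIPT.INI drop described in section 2 above. It flags any SCRIPT.INI that contains the server name, message text or URL quoted in the report; the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Files the report lists; SCRIPT.INI is dropped wherever one of them is found.
MIRC_FILES = {"mirc32.exe", "mlink32.exe", "mirc.ini", "script.ini", "mirc.hlp"}
# Strings the report attributes to the dropped SCRIPT.INI (compared lowercase).
INDICATORS = ("irc.muhabbi.net", "watashi wa anata ga sukide su", "1agustos.com")


def check_script_ini(path, limit=1_000_000):
    """Return the report's indicator strings present in one SCRIPT.INI."""
    try:
        with open(path, "rb") as fh:
            text = fh.read(limit).decode("latin-1").lower()
    except OSError:
        return []  # unreadable or missing file: nothing to report
    return [ioc for ioc in INDICATORS if ioc in text]


def scan_tree(root):
    """Walk root and flag every SCRIPT.INI that carries an indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {name.lower(): name for name in files}
        if "script.ini" not in by_lower:
            continue
        path = os.path.join(dirpath, by_lower["script.ini"])
        hits = check_script_ini(path)
        if hits:
            # Other mIRC files in the same directory, kept for triage context.
            others = sorted(MIRC_FILES & (set(by_lower) - {"script.ini"}))
            findings.append({"path": path, "indicators": hits,
                             "mirc_files": others})
    return findings


def build_sample_tree(root):
    """Constructed test data (not the worm's script): one clean, one flagged."""
    samples = {
        "clean": "; constructed sample\n[script]\nn0=; nothing of interest\n",
        "hit": "; constructed sample\nserver=IRC.Muhabbi.Net\n"
               "url=http:\\\\www.1agustos.com\n",
    }
    for name, body in samples.items():
        os.makedirs(os.path.join(root, name))
        for fname, data in (("MIRC32.EXE", ""), ("Script.ini", body)):
            with open(os.path.join(root, name, fname), "w") as fh:
                fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in scan_tree(tmp):
            print(finding)
```

The Internet Explorer start page change mentioned in the report is not covered by this check.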