Trend Micro Newsletters Editor <editor@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Date: Tue, 16 Aug 2005 19:07:01 -0700
From: "Trend Micro Newsletters Editor" <editor@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: Trend Micro Medium Risk Virus Alert - WORM_ZOTOB.D and WORM_RBOT.CBQ
To: wooledge001@xxxxxxxxxxx

Dear Trend Micro customer,

As of August 16, 2005 5:12 PM (Pacific Daylight Time; GMT-7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_ZOTOB.D and WORM_RBOT.CBQ. TrendLabs has received several infection reports indicating that this malware is spreading in Brazil and the U.S.A.

WORM_ZOTOB.D is a memory-resident worm that drops a copy of itself in the %System%\wbev folder as WINDRG32.EXE. (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)

It takes advantage of the Microsoft Windows Plug and Play vulnerability to propagate across networks. For more information regarding this vulnerability, refer to the Microsoft Security Bulletin MS05-039 found in the following Web page:

http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx

(Note: This propagation routine works only on NT-based systems (Windows NT, 2000, XP, and Server 2003), because the Microsoft Windows Plug and Play vulnerability exists only on these platforms.)

It also has backdoor capabilities, and may execute commands coming from a remote malicious user. This provides remote users virtual control over affected systems, thus compromising system security.

As an anti-debugging technique, this worm also gathers Web sites from RSS feeds, then randomly sends these sites as messages in the IRC channel it is connected to. It does this in order to confuse or mislead anyone who is monitoring the IRC channel about the real IRC commands it issues.

================

WORM_RBOT.CBQ is a memory-resident worm that drops a copy of itself in the Windows system folder as WINTBP.EXE. This worm also takes advantage of the Microsoft Windows Plug and Play vulnerability to propagate across networks. This propagation routine works only on Windows NT and 2000, as the Microsoft Windows Plug and Play vulnerability exists only on these platforms.

This worm also connects to an IRC server, joins a specific channel and then sends the following messages:

    ? {Random} :ER DL FH
    ? {Random} :ER DL IF

TrendLabs will be releasing the following EPS deliverables:

    TMCM Outbreak Prevention Policy 183
    Official Pattern Release 2.787.00
    Damage Cleanup Template 638

For more information on WORM_ZOTOB.D and WORM_RBOT.CBQ, you can visit our Web site at:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZOTOB.D
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ

You can modify subscription settings for Trend Micro newsletters at:
http://www.trendmicro.com/subscriptions/default.asp

______________________________________________________________________
This message was sent by Trend Micro's Newsletters Editor using Responsys Interact (TM).

Copyright 1989-2005 Trend Micro, Inc. All rights reserved
Trend Micro, Inc., 10101 N. De Anza Blvd., Suite 200, Cupertino, CA 95014
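Added example, not part of the alert or of Trend Micro's own tooling: a small Python triage helper that checks a host for the two dropped files the alert names (WINDRG32.EXE under %System%\wbev and WINTBP.EXE in %System%) and scans IRC log lines for the WORM_RBOT.CBQ channel messages quoted above. The raw IRC line shape, the reading of {Random} as one whitespace-free token, and the sample lines are assumptions constructed for the example.

```python
import os
import re

# Dropped-file artifacts named in the alert, relative to the Windows system folder.
DROPPED_FILES = {
    "WORM_ZOTOB.D": os.path.join("wbev", "WINDRG32.EXE"),
    "WORM_RBOT.CBQ": "WINTBP.EXE",
}

# Channel messages quoted in the alert for WORM_RBOT.CBQ:
#   ? {Random} :ER DL FH      ? {Random} :ER DL IF
# {Random} is assumed here to be a single whitespace-free token.
RBOT_BEACON = re.compile(r"^\?\s+\S+\s+:ER DL (?:FH|IF)\s*$")

# Assumed raw IRC line shape: ':nick!user@host PRIVMSG #channel :text'
PRIVMSG = re.compile(r"^:\S+ PRIVMSG (\S+) :(.*)$")


def dropped_file_hits(system_dir, exists=os.path.exists):
    """Return (worm name, path) for each dropped file present under system_dir."""
    hits = []
    for worm, rel in DROPPED_FILES.items():
        path = os.path.join(system_dir, rel)
        if exists(path):
            hits.append((worm, path))
    return hits


def rbot_beacons(irc_lines):
    """Return (channel, text) for each IRC message matching the RBOT.CBQ beacon."""
    found = []
    for line in irc_lines:
        m = PRIVMSG.match(line.rstrip("\r\n"))
        if m and RBOT_BEACON.match(m.group(2)):
            found.append((m.group(1), m.group(2)))
    return found


# Constructed sample IRC traffic: lines 2 and 4 are RBOT.CBQ beacons,
# line 3 mimics the RSS-sourced URL noise the alert describes for ZOTOB.D.
SAMPLE_IRC = [
    ":bob!u@host PRIVMSG #chat :hello everyone",
    ":xk2!u@host PRIVMSG #z0t :? 83ak2 :ER DL FH",
    ":xk2!u@host PRIVMSG #z0t :http://example.com/feed/item-1",
    ":xk2!u@host PRIVMSG #z0t :? q9ef :ER DL IF",
]

if __name__ == "__main__":
    print(rbot_beacons(SAMPLE_IRC))
    print(dropped_file_hits(os.environ.get("SystemRoot", r"C:\Windows") + r"\System32"))
```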