From: TREND MICRO WEEKLY VIRUS REPORT (by TrendLabs Global Antivirus and Research Center)
------------------------------------------------------------------------
Date: Friday June 3, 2005
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQATYQTVupsLIpsLxlLtmkQgLlV2VR

Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Two MYTOBS - WORM_MYTOB.AR & WORM_MYTOB.BI (Medium Risk)
3. Top 10 Most Prevalent Global Malware
4. Trend Micro Mobile Security - Offer Extended
5. Roundup: May Virus Activity & Analysis

NOTE: Long URLs may break into two lines in some mail readers. Should this occur, please copy and paste the URL into your browser window.

1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 2.663.00
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQATYQTVupsLIpsLxlLtmkQgLlV2VS
SCAN ENGINE: 7.510
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQATYQTVupsLIpsLxlLtmkQgLlV2VT

2. Two MYTOBS - WORM_MYTOB.AR & WORM_MYTOB.BI (Medium Risk)
------------------------------------------------------------------------
Trend Micro raised two MYTOB variants to yellow alert status this week: WORM_MYTOB.AR and WORM_MYTOB.BI. These are the third and fourth variants of the ever-popular family of worms to reach the alert stage. Both worms are currently spreading in the wild. WORM_MYTOB.AR infects computers that run Windows 98, ME, 2000, and XP. WORM_MYTOB.BI infects computers that run Windows 98, ME, NT, 2000, and XP.

It has only been 90 days since antivirus experts detected the first variant of the MYTOB family of worms. Yet, since its detection on February 27, 2005, WORM_MYTOB has managed to register nearly 120 new variants and is responsible for more than 65,000 worldwide infections.
These worms are nearly identical to previous MYTOB variants, which use the classic social engineering technique of posing as an e-mail administrator to entice users to execute the attachment in the mail. The malware attempts to fool the user into thinking that the email is about the suspension of his/her email account. And, as with all other variants, these memory-resident worms propagate by sending a copy of themselves as an attachment within an email message, which they send to target recipients using their own Simple Mail Transfer Protocol (SMTP) engine.

The only difference between the .AR variant and the .BI variant is the name of the dropped file. But there are three notable differences of .AR and .BI versus their 115 MYTOB predecessors. These differences are:

-They drop a copy of themselves as LIEN VAN DE KELDER.EXE or LIEN VAN DE KELDERRR.EXE in the Windows system folder (note: the only difference between the dropped file in the .AR variant and the .BI variant is the addition of two "R"s at the end of the file name in .BI). Lien Van de Kelder is a popular Belgian actress.

-Upon execution, the worms drop spyware and adware, which contains a backdoor capability, onto the victim's machine. The spyware, detected as TSPY_AGENT.H, tracks user preferences and could (potentially) track infection rates. The adware, detected as ADW_MEDTICKS.A, is the popular adware program "Media Tickets" (www.mediatickets.net). It has the ability to track what the user clicks on, and how often they do it, and can display pop-up ads. This adware also promises to pay 15 cents (USD) every time a user clicks on the adware.

-They also open Internet Explorer (IE) to connect to different Web sites that install other spyware or adware programs currently available on host sites.
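The lure described above (a message posing as the mail administrator, warning of account suspension, carrying the worm as an executable attachment) is exactly the pattern a mail gateway can score before the attachment ever reaches a user. The following is an added example of such a heuristic, not code from Trend Micro or from this newsletter. The sender fragments, the lure phrases, the attachment extensions and both sample messages (including the attachment name account-info.exe) are constructed for the example; a real gateway would tune them against its own traffic.

```python
"""Mail-gateway heuristic for MYTOB-style lures (added example, not Trend Micro's code).

A message is scored on three signals the newsletter describes: the sender poses
as an e-mail administrator, the text threatens account suspension, and an
executable is attached. Sender fragments, lure phrases and both sample messages
are constructed for this example; a real gateway would tune them to its traffic.
"""
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions a mass-mailer commonly uses for its own copy (assumed list).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".zip")
# Local-part fragments an attacker uses to pose as the mail administrator (assumed list).
ADMIN_SENDERS = ("postmaster", "administrator", "mailadmin", "support", "webmaster")
# Phrases typical of a "your account will be suspended" lure (assumed list).
SUSPENSION_PHRASES = ("suspend", "account has been limited", "account will be closed", "reactivate")


def executable_attachments(msg: EmailMessage) -> list[str]:
    """Return file names of attachments whose extension is on the executable list."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def score_message(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return a verdict with the reasons behind it.

    quarantine: executable attachment plus at least one social-engineering signal
    review:     any single signal on its own
    pass:       nothing suspicious
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""

    reasons = []
    if any(name in sender for name in ADMIN_SENDERS):
        reasons.append("sender poses as mail administrator")
    if any(phrase in subject or phrase in text for phrase in SUSPENSION_PHRASES):
        reasons.append("account-suspension lure in subject or body")
    attached = executable_attachments(msg)
    if attached:
        reasons.append("executable attachment: " + ", ".join(attached))

    if attached and len(reasons) >= 2:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons, "attachments": attached}


# Constructed sample: the lure pattern described in the newsletter.
LURE_SAMPLE = b"""From: postmaster@example.com
To: victim@example.com
Subject: Notice: your e-mail account will be suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part-boundary"

--part-boundary
Content-Type: text/plain

Your account has been suspended. Run the attached file to reactivate it.

--part-boundary
Content-Type: application/octet-stream; name="account-info.exe"
Content-Disposition: attachment; filename="account-info.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--part-boundary--
"""

# Constructed sample: ordinary mail that should pass untouched.
BENIGN_SAMPLE = b"""From: alice@example.com
To: bob@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain

Do you want to get lunch tomorrow?
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_message(raw))
```

The attachment check is deliberately the strongest signal: an executable attachment alone puts the message into review, and one social-engineering signal on top of it is enough to quarantine, since a worm mailing itself from its own SMTP engine does not need the sender to be convincing to every recipient.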
It is believed that these variants are actually intended as a testing ground for future variants that will likely take advantage of the monetary offer of the adware (the site referred to in this variant is not believed to be one of those sites; it was likely just written by a fan of Ms. Van De Kelder).

If you would like to scan your computer for WORM_MYTOB.AR, WORM_MYTOB.BI or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQATYQTVupsLIpsLxlLtmkQgLlV2VU

WORM_MYTOB.AR and WORM_MYTOB.BI are detected and cleaned by Trend Micro pattern file #2.651.00 and above.

For additional information about WORM_MYTOB.AR please visit:
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQATYQTVupsLIpsLxlLtmkQgLlV2VW

For additional information about WORM_MYTOB.BI please visit:
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQATYQTVupsLIpsLxlLtmkQgLlV2VY

3. Top 10 Most Prevalent Global Malware (from May 27 to June 2, 2005)
------------------------------------------------------------------------
1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. JAVA_BYTEVER.A
4. TSPY_SMALL.SN
5. WORM_NETSKY.DAM
6. WORM_SOBER.S
7. SPYW_GATOR
8. WORM_NETSKY.D
9. TROJ_DYFUCA.I
10. SPYW_DASHBAR.300

4. Trend Micro Mobile Security - Offer Extended
------------------------------------------------------------------------
Trend Micro Mobile Security (TMMS) 1.x software protects your smartphone and PocketPC handheld from mobile viruses. TMMS 1.x is a "no charge" product that has enjoyed more than 50,000 downloads. Originally scheduled to expire on June 30, 2005, TMMS 1.x is being extended through September 2005. TMMS 1.x is being extended to ensure a smooth transition to TMMS 2.0, available in July/August 2005.
Existing TMMS 1.x users will automatically have their antivirus protection extended with an "over-the-air" or ActiveSync connection when they select the "Update" option within TMMS 1.x after 14 June 2005.

-Learn more about TMMS 1.x: www.trendmicro.com/mobilesecurity

5. Roundup: May Virus Activity & Analysis
------------------------------------------------------------------------
While the month of April allowed the computing world to slumber in peace, the month of May reawakened the circuit with a bang and gave way to a comeback, to a successful umpteenth attempt, and to a malware-spyware team-up.

-Read the May Virus Roundup for more details:
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQATYQTVupsLIpsLxlLtmkQgLlV2VR

______________________________________________________________________
This message was sent by Trend Micro's Newsletters Editor using Responsys Interact (TM).
To view our permission marketing policy: http://www.rsvp0.net
Copyright 1989-2005 Trend Micro, Inc. All rights reserved
Trend Micro, Inc., 10101 N. De Anza Blvd., Suite 200, Cupertino, CA 95014

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member