From: TREND MICRO WEEKLY VIRUS REPORT (by TrendLabs Global Antivirus and Research Center)
------------------------------------------------------------------------
Date: Friday April 1, 2005
------------------------------------------------------------------------

To read an HTML version of this newsletter, go to:
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYUDQTVupsLIpsLxlLtmkQgLlV2VR

Issue Preview:

1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Like Kryptonite? - WORM_KRYNOS.B (Low Risk)
3. Top 10 Most Prevalent Global Malware
4. Free Webinar -- Protecting Your Network from Spyware and Adware
5. Quarterly Virus Roundup

NOTE: Long URLs may break into two lines in some mail readers. Should this occur, please copy and paste the URL into your browser window.

1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------

PATTERN FILE: 2.528.00
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYUDQTVupsLIpsLxlLtmkQgLlV2VS

SCAN ENGINE: 7.510
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYUDQTVupsLIpsLxlLtmkQgLlV2VT

2. Like Kryptonite? - WORM_KRYNOS.B (Low Risk)
------------------------------------------------------------------------

WORM_KRYNOS.B is a destructive, memory-resident worm that propagates via peer-to-peer applications by dropping a .ZIP copy of itself in a certain folder. It may also spread via email by sending itself as an attachment. The worm has backdoor capabilities that allow remote users to access affected machines and perform malicious tasks on them. It can also prevent affected users from reaching certain antivirus and security Web sites by modifying the HOSTS file. WORM_KRYNOS.B is currently spreading in the wild and infecting computers running Windows NT, 2000, and XP.
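The HOSTS file modification mentioned in the summary above is one of the few behaviors of this worm that an administrator can check for by hand, because a static HOSTS entry overrides DNS for that name. The following Python script is an added example, not code from the newsletter or from Trend Micro: it parses a HOSTS file and flags every entry that statically resolves a security-vendor domain, classifying loopback or 0.0.0.0 targets as "blocked" and anything else as "redirected". The newsletter does not say which sites the worm blocks, so the SECURITY_DOMAINS watch list is an assumption to be replaced with your own vendors, and SAMPLE_HOSTS is constructed content rather than a capture from an infected machine.

```python
"""Triage check for HOSTS-file hijacks of the kind WORM_KRYNOS.B performs.

Added example, not Trend Micro's code. The newsletter does not name the
sites the worm blocks, so SECURITY_DOMAINS is an assumed watch list you
would replace with your own vendors; SAMPLE_HOSTS is a constructed file,
not a capture from an infected system.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed watch list (not the worm's actual target list).
SECURITY_DOMAINS = {
    "trendmicro.com",
    "symantec.com",
    "mcafee.com",
    "windowsupdate.microsoft.com",
}

# Mappings that belong in a stock HOSTS file and must not be flagged.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for each mapping, ignoring comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed
        ip, *names = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                            # first field is not an address
        for name in names:                      # one IP may carry several names
            entries.append((ip, name.lower().rstrip("."), line_no))
    return entries


def is_watched(hostname: str) -> bool:
    """True if hostname is, or is a subdomain of, a watched security domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hijacks(text: str) -> List[Dict[str, object]]:
    """Flag every watched domain that HOSTS resolves statically.

    HOSTS is consulted before DNS, so any static entry for a vendor site
    overrides its real address: loopback or 0.0.0.0 blocks the site, anything
    else redirects it to an address the attacker chose.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if (ip, name) in EXPECTED or not is_watched(name):
            continue
        addr = ipaddress.ip_address(ip)
        effect = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append({"line": line_no, "host": name, "ip": ip, "effect": effect})
    return findings


# Constructed HOSTS content for this example.
SAMPLE_HOSTS = """\
# constructed sample, not from a real machine
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com   # vendor site pointed at loopback
0.0.0.0         liveupdate.symantec.com update.mcafee.com
203.0.113.7     windowsupdate.microsoft.com   # redirected to a TEST-NET-3 address
192.168.1.20    intranet.example.invalid
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['effect']})")
```

On a Windows host the file to read is %SystemRoot%\system32\drivers\etc\hosts; a clean installation normally contains only the localhost mappings, so any hit from find_hijacks() on a machine whose users suddenly cannot reach their antivirus vendor deserves a closer look.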
Upon execution, this memory-resident worm drops the following files in the Windows folder:

%Windows%\Help\svchost.dat
%Windows%\Help\svchost.exe
%Windows%\Help\svchost.lce

It then displays the following message:

Can't open mfc73rp.dll

It creates a registry entry that allows it to automatically execute the dropped file svchost.exe at every system startup. The legitimate Windows svchost.exe lives in the %System% folder, so a copy under %Windows%\Help is itself an indicator of infection.

This worm propagates via P2P applications by making a .ZIP copy of itself in a specific folder; the file name depends on the names of the files already saved in that folder.

The worm may also propagate by sending itself as an attachment to an email message. It searches files with the extensions HTM and TXT for target email addresses. Before sending, it first queries www.google.com to check that an Internet connection is available. The email it sends contains the following details:

From: security@xxxxxxxxxxxxx
To: (recipient email address harvested from affected system)
Subject: Microsoft Security Update

Message body:
* "Vulnerability in Windows Explorer Could Allow Remote Code Execution (612827)"
* Affected Software:
* Impact of Vulnerability: Remote Code Execution
* Importance: High
* Maximum Severity Rating: Critical
* Recommendation: Customers should apply the attached update at the earliest opportunity
* Summary:
* Who should read this document: Customers who use Microsoft Windows

Headers:
* X-Mailer: Secure Microsoft Client, Build 2.1
* X-MimeOLE: Produced By Secure Microsoft Client V2.1
* X-MSMail-Priority: High
* X-Priority: 1 (Highest)

Attachment (a compressed copy of the worm, with one of the following extensions):
* ARC
* ARJ
* GZ
* LZH
* TGZ
* ZIP
* ZOO

Microsoft does not distribute security updates as email attachments, so any message that asks the reader to run an attached "update" should be treated as a lure regardless of how official the headers look.

The worm avoids sending email to addresses containing certain strings. Visit http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYUDQTVupsLIpsLxlLtmkQgLlV2VU for the complete list.
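The email details above give enough fixed strings for a mail-gateway rule. The following Python script is an added example, not Trend Micro's code: it applies those strings to a raw RFC 5322 message with the standard-library email parser, scores the subject, sender local-part, X-Mailer header, archive attachment extension and body wording as separate indicators, and flags the message only when several of them coincide. The two sample messages at the bottom are constructed for this example; example.invalid stands in for the sender domain the newsletter masks, and the threshold of three indicators is an assumption to tune for your own mail stream.

```python
"""Heuristic detector for the WORM_KRYNOS.B lure message described above.

Added example (not Trend Micro's code). Every rule value comes from the
newsletter's description of the worm's email; the two messages built at the
bottom are constructed samples, not real captures, and example.invalid stands
in for the masked sender domain.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Archive extensions the newsletter lists for the worm's attachment.
LURE_ARCHIVE_EXTS = {"arc", "arj", "gz", "lzh", "tgz", "zip", "zoo"}
LURE_SUBJECT = "microsoft security update"
LURE_XMAILER = "secure microsoft client"
LURE_BODY_MARKER = "apply the attached update"


def lure_indicators(raw: bytes) -> List[str]:
    """Return the lure indicators present in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []

    if LURE_SUBJECT in (msg.get("Subject") or "").lower():
        hits.append("subject:microsoft-security-update")

    # Sender local-part "security@"; the report masks the domain.
    sender = (msg.get("From") or "").lower()
    if sender.split("<")[-1].strip().startswith("security@"):
        hits.append("from:security@")

    if LURE_XMAILER in (msg.get("X-Mailer") or "").lower():
        hits.append("x-mailer:secure-microsoft-client")

    # Microsoft never ships patches as mail attachments, so an archive attached
    # to a "security update" is the strongest single signal.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in LURE_ARCHIVE_EXTS:
            hits.append(f"attachment:{ext}")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and LURE_BODY_MARKER in body.get_content().lower():
        hits.append("body:apply-attached-update")
    return hits


def is_krynos_lure(raw: bytes, threshold: int = 3) -> bool:
    """Flag a message only when several independent indicators coincide."""
    return len(lure_indicators(raw)) >= threshold


def build_sample(subject: str, sender: str, body: str,
                 xmailer: Optional[str] = None,
                 attachment: Optional[str] = None) -> bytes:
    """Construct a test message (sample data for this example only)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    if xmailer:
        msg["X-Mailer"] = xmailer
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                           subtype="zip", filename=attachment)
    return msg.as_bytes()


# Constructed sample mirroring the newsletter's description of the lure.
SAMPLE_LURE = build_sample(
    "Microsoft Security Update", "security@example.invalid",
    "Vulnerability in Windows Explorer Could Allow Remote Code Execution\n"
    "Recommendation:\n"
    "Customers should apply the attached update at the earliest opportunity\n",
    xmailer="Secure Microsoft Client, Build 2.1", attachment="update.zip")

# Constructed benign message for comparison.
SAMPLE_BENIGN = build_sample("Lunch on Friday", "alice@example.invalid",
                             "See you at noon.\n")

if __name__ == "__main__":
    print(lure_indicators(SAMPLE_LURE))   # five indicators
    print(is_krynos_lure(SAMPLE_BENIGN))  # False
```

Scoring the indicators separately rather than matching one string keeps the rule useful when the worm's operator changes a single header, and the attachment check is the one worth keeping even if the others drift.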
The following backdoor capabilities are enabled by the worm:

Get, upload, download, or delete a file
List files in a folder
Disconnect current user
Restart the system
Run a program
Create or delete a folder

This worm also modifies the system's HOSTS file, which contains host name to IP address mappings. This modification prevents affected users from accessing specific sites related to antivirus companies. Because HOSTS entries are consulted before DNS, a machine that suddenly cannot reach its antivirus vendor's site should have its HOSTS file inspected and any added entries removed.

If you would like to scan your computer for WORM_KRYNOS.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYUDQTVupsLIpsLxlLtmkQgLlV2VW

Note that if the HOSTS file has already been modified, the HouseCall site may itself be unreachable from the infected machine; restore the HOSTS file first or scan from a clean machine.

WORM_KRYNOS.B is detected and cleaned by Trend Micro pattern file #2.523.05 and above. For additional information about WORM_KRYNOS.B please visit:
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYUDQTVupsLIpsLxlLtmkQgLlV2VY

3. Top 10 Most Prevalent Global Malware (from March 25 to March 31, 2005)
------------------------------------------------------------------------

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. JAVA_BYTEVER.A
4. TROJ_DLOADER.DH
5. TROJ_SMALL.SN
6. SPYW_GATOR.D
7. TROJ_DFC.A
8. PE_PARITE.A
9. TROJ_DLOADER.DG
10. WORM_ANIG.A

4. Protecting Your Network from Spyware and Adware
------------------------------------------------------------------------

Is your network increasingly exposed to phishing attempts, adware, and spyware attacks? Are you worried that someone might steal your corporate or private information? What should you do to block spyware and phishing scams?

Enticed by profit, the computer hacking underground has lost its amateur status and you are their target. Many virus writers of yesteryear have turned to writing spyware with the intention of raiding your bank account and your corporate database. At the same time, online marketers are running amok with new variations of "adware" that monitor your Web surfing habits in order to display more "profitable"
advertisements and pop-up windows. These monitoring programs have a huge impact on the performance and reliability of your PCs.

Join Trend Micro on Wednesday, April 20, 2005 at 11:00 am Pacific Time for a free Webinar that describes these threats and how to manage them. In this 60-minute webinar you will hear Trend Micro's spyware expert Jack Marsal discuss:

The rise of spyware and other Web-based threats
Backdoors to your system
The rise of the profit motive in the malware underground
Spyware vs. adware: What is the difference?
New techniques to control spyware and adware

Register:
https://trendmicro.webex.com/trendmicro/mywebex/epmainframe.php?rlink=https%3A%2F%2Ftrendmicro.webex.com%2Ftrendmicro%2Fonstage%2Fmainframe.php%3Fmainurl%3D%2Ftrendmicro%2Fonstage%2Ftool%2Fevent%2Fevent_detail.php%3FEventID%3D322267263%26FirstEnter%3D1%26GuestTimeZone%3D%26SourceId%3D&Rnd0738=0.18220175555220624

5. Quarterly Virus Roundup
------------------------------------------------------------------------

The past few months have brought some interesting developments. Instant messenger and mobile phone worms are experiencing a growth spurt. Apparently malware authors are looking into avenues other than email to propagate their creations, as email-borne threats are now well covered by the solutions on the market. With the advent of spyware capable of stealing different kinds of information, including banking details, we're seeing criminal organizations take even more interest in this area, in addition to dipping their hands into malware and spam as seen in the past few years.

Read the full roundup of malware activity from the past few months:
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYUDQTVupsLIpsLxlLtmkQgLlV2VA

______________________________________________________________________

This message was sent by Trend Micro's Newsletters Editor using Responsys Interact (TM). To view our permission marketing policy: http://www.rsvp0.net

Copyright 1989-2004 Trend Micro, Inc.
All rights reserved. Trend Micro, Inc., 10101 N. De Anza Blvd., Suite 200, Cupertino, CA 95014

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
See a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member