[virusinfo] Trend Micro Weekly Virus Report - March 11, 2005

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Fri, 11 Mar 2005 17:58:02 -0800

 

Trend Weekly Virus Report 

March 11, 2005 

Issue Preview   
    
Trend Micro Updates - Pattern File & Scan Engine Updates 
FATSO Beats up on ASSIRAL - WORM_FATSO.A (Medium Risk) 
Top 10 Most Prevalent Global Malware 
Join Trend Micro for a Free Webinar on URL Filtering 
Roundup: February Virus Activity & Analysis 

http://www.trendmicro.com/en/security/report/overview.htm 

1. Trend Micro Updates - Pattern File & Scan Engine Updates


Pattern file: 2.486.00 
Scan engine: 7.510 

2. FATSO Beats up on ASSIRAL - WORM_FATSO.A (Medium Risk)
 

On March 7, Trend Micro declared a Medium Risk alert for WORM_FATSO.A. This 
non-destructive, memory-resident worm propagates via MSN Messenger and the eMule 
peer-to-peer file sharing application. It is capable of redirecting infected 
users to a certain Web site, whenever the user accesses Web sites associated 
with antivirus and security companies. It may also terminate certain running 
processes and prevent these processes from executing while this worm is 
resident in memory. This worm also opens a text file, which is a message 
allegedly addressed to the author of WORM_ASSIRAL.A, the self-proclaimed 
creator of anti-BROPIA worms. As a payload, WORM_ASSIRAL.A proclaimed that its 
author was "freeing the world from BROPIA". This worm was known to terminate 
BROPIA-related processes. WORM_FATSO.A now insults the author of WORM_ASSIRAL, 
accusing him/her of being a "noob" (a "newbie", or an inexperienced person, 
specifically a programmer) possibly due to the fact that WORM_ASSIRAL used 
SMTP, a relatively "old" and conventional means of propagating worms. This worm 
infects systems running Windows 95, 98, ME, NT, 2000, and XP. 

This worm arrives on a system via MSN Messenger. Upon execution, it drops 
copies of itself in the system root folder, as well as several nonmalicious 
files. The worm then creates several registry entries that allow it to 
automatically execute its dropped files at every system startup.

To propagate via MSN Messenger, it sends an instant message to all online 
contacts of an affected user, containing a link to a certain Web site. When a 
user clicks on this link, a copy of this worm is downloaded into the system. To 
propagate via eMule it copies itself in the %Program Files%\Program 
Files\eMule\Incoming\ folder, the %Root%\My Shared folder and the <User 
Profile>\Shared folder of an affected system.

The worm also redirects affected users to a specific Web site when they attempt 
to access certain Web sites related to antivirus and security companies, and 
terminates processes. View the complete list of company Web sites and 
processes. 

This worm attempts to terminate processes and delete files associated with the 
malware WORM_ASSIRAL.C, if the files are not running in memory. It drops and 
executes the text file "Message to n00b LARISSA.txt" on the 1st, 7th, 10th, 
19th, 25th, 26th, or the 30th day of any month. This text message is allegedly 
addressed to the creator of WORM_ASSIRAL.A.


If you would like to scan your computer for WORM_FATSO.A or thousands of other 
worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's 
free, online virus scanner at: http://housecall.trendmicro.com/
 
 
Copyright 1989-2004 Trend Micro, Inc.  All rights reserved
Trend Micro, Inc., 10101 N. De Anza Blvd., Suite 200, Cupertino, CA 95014

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
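
A triage check for the indicators the report above names for WORM_FATSO.A: the three share folders, the dropped text file and its payload days. This is an added example, not part of the original post or Trend Micro's tooling; the function names, the MZ-header test, the use of file modification time and the second eMule path variant are assumptions.

```python
import os, tempfile
from datetime import datetime

NOTE_NAME = "Message to n00b LARISSA.txt"    # text file named in the report
PAYLOAD_DAYS = {1, 7, 10, 19, 25, 26, 30}    # days of the month it is dropped

def share_dirs(program_files, root, user_profile):
    """Share folders from the report, folder names read literally from its text."""
    return [
        os.path.join(program_files, "Program Files", "eMule", "Incoming"),  # as printed
        os.path.join(program_files, "eMule", "Incoming"),  # assumption: intended form
        os.path.join(root, "My Shared"),
        os.path.join(user_profile, "Shared"),
    ]

def is_pe(path):  # True when the file starts with the DOS 'MZ' magic, any extension
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:  # directories and unreadable entries are not flagged
        return False

def triage(program_files, root, user_profile):
    """Return sorted (tag, path) leads; a hit is a reason to scan, not a verdict."""
    leads = set()
    for folder in share_dirs(program_files, root, user_profile):
        if os.path.isdir(folder):
            for name in os.listdir(folder):
                path = os.path.join(folder, name)
                if is_pe(path):
                    leads.add(("executable-in-share", path))
    for top in (root, user_profile):  # the report does not say where the note lands
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                if name.lower() == NOTE_NAME.lower():
                    path = os.path.join(dirpath, name)
                    day = datetime.fromtimestamp(os.path.getmtime(path)).day
                    leads.add(("note-on-payload-day" if day in PAYLOAD_DAYS else "note", path))
    return sorted(leads)

def demo():  # constructed sample tree: MZ file in a share folder, note dated the 7th
    base = tempfile.mkdtemp()
    pf, root, prof = (os.path.join(base, d) for d in ("pf", "root", "profile"))
    os.makedirs(os.path.join(prof, "Shared"))
    with open(os.path.join(prof, "Shared", "song.mp3"), "wb") as fh:
        fh.write(b"MZ\x90\x00constructed")
    note = os.path.join(prof, NOTE_NAME)
    open(note, "w").close()
    os.utime(note, (datetime(2005, 3, 7, 12).timestamp(),) * 2)
    return [tag for tag, _path in triage(pf, root, prof)]
```

An executable in a share folder can be legitimate, so each lead should be confirmed with an up-to-date scanner.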


