[virusinfo] Trend Micro Weekly Virus Report - March 18, 2005

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Fri, 18 Mar 2005 12:59:14 -0800


From: TREND MICRO WEEKLY VIRUS REPORT
    
(by TrendLabs Global Antivirus and Research Center) 
------------------------------------------------------------------------
Date: Friday March 18, 2005

------------------------------------------------------------------------
To read an HTML version of this newsletter, go to: 
http://www.trendmicro.com/en/security/report/overview.htm

Issue Preview: 

1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Antispyware Killer - TROJ_ASH.A (Low Risk)
3. Top 10 Most Prevalent Global Malware 
4. Join Trend Micro for a Free Webinar on URL Filtering
5. Learn the Basics of Malware and How it Affects You: Phishing, Trojans, &
Spyware

NOTE: Long URLs may break into two lines in some mail readers. 
Should this occur, please copy and paste the URL into your browser window.

************************************************************************

1. Trend Micro Updates - Pattern File & Scan Engine Updates 
------------------------------------------------------------------------
PATTERN FILE: 2.502.00 
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYTYQTVupsLIpsLxlLtmkQgLlV2VR

SCAN ENGINE: 7.510 
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYTYQTVupsLIpsLxlLtmkQgLlV2VS
 

2. Antispyware Killer - TROJ_ASH.A (Low Risk)
------------------------------------------------------------------------
TROJ_ASH.A is a destructive, memory-resident Trojan that terminates and
deletes all files related to Microsoft Windows Antispyware. It also steals
information related to online banking Web sites, by monitoring a user's
Internet transactions at certain online banking sites. It runs on Windows
95, 98, ME, NT, 2000, and XP.

This memory-resident Trojan arrives in a system as the file ASH.DLL, in the
Windows system folder. It may also be downloaded by the user from the
Internet. Before installation, the Trojan checks whether Microsoft Windows
Antispyware is installed. If found, it attempts to terminate and delete all
files related to this application. 

This Trojan steals information related to online banking Web sites, by
monitoring the user's Internet transactions and waiting for the user to
access the following online banking sites:

https://ibank.barclays.co.uk 
https://ibank.cahoot.com 
https://olb2.nationet.com 
https://online.lloydstsb.co.uk 
https://www.bankofscotlandhalifax-online.co.uk 
https://www.ebank.hsbc.co.uk 
https://www.millenniumbcp.pt 
https://www.ukpersonal.hsbc.com 

When the Trojan detects visits to any of these banking sites, it displays a
spoofed .HTML page to trick the user into entering their account
information. The stolen data is then sent to a remote user.

The Trojan then drops the following log files in the Windows folder, to
store the information it gathers from the user:

Email.log
Pass.log
Req.log

In addition to gathering user IDs and passwords, it also gathers email
addresses found in the user's system. It gathers email addresses from files
with the following extensions: 

.*ht* 
.adb 
.asp 
.dbx 
.doc 
.eml 
.msg 
.oft 
.ph* 
.pl* 
.rtf 
.tbb 
.tx* 
.uin 
.vbs 
.wab 
.xls 
.xml 

This Trojan also terminates certain processes and modifies the HOSTS
file. The HOSTS file contains the mappings of IP addresses to host
names. This file is loaded into the computer's memory at startup. Windows
checks this file before it connects to a requested Web site. If a requested
Web site is listed in the HOSTS file, any attempt to connect to this site
is redirected back to the local machine (which is your computer's IP
address). It also blocks other applications from connecting to the
Internet, as long as the Web site that they attempt to connect to is listed
in the HOSTS file.

HOSTS files are useful for blocking ads, banners, cookies, and known
malicious Web sites. However, this technique is now being employed by
various malware to prevent users from accessing antivirus and security
related Web sites.

This Trojan adds many lines in the system's HOSTS file, preventing a user
from accessing the listed Web sites. View the complete list of terminated
processes and lines added: 
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYTYQTVupsLIpsLxlLtmkQgLlV2VT


If you would like to scan your computer for TROJ_ASH.A or thousands of 
other worms, viruses, Trojans and malicious code, visit HouseCall, Trend 
Micro's free, online virus scanner at: 
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYTYQTVupsLIpsLxlLtmkQgLlV2VU


TROJ_ASH.A is detected and cleaned by Trend Micro pattern file #2.497.01 
and above. 

For additional information about TROJ_ASH.A please visit: 

http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYTYQTVupsLIpsLxlLtmkQgLlV2VW


3. Top 10 Most Prevalent Global Malware 
(from March 11 to March 17, 2005)
------------------------------------------------------------------------
1. HTML_NETSKY.P
2. WORM_NETSKY.P
3. JAVA_BYTEVER.A
4. TROJ_DLOADER.DH
5. TROJ_DLOADER.DG
6. JAVA_BYTEVER.B
7. SPYW_GATOR.D
8. TROJ_SMALL.SN
9. TROJ_DFC.A
10. SPYW_GATOR.C

4. VSAPI Scan Engine 7.510 for OS390, AS/400, NLM, DecUX, DGUX, FBSD4,
HPUX11, & ZLINUX platforms 
------------------------------------------------------------------------ 
Find out what's new with Scan Engine 7.510, and download it here:

http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYTYQTVupsLIpsLxlLtmkQgLlV2VY


This new Scan Engine release addresses the ARJ parsing vulnerability. Learn
more about it here:

http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYTYQTVupsLIpsLxlLtmkQgLlV2VA


5. Learn the Basics of Malware and How it Affects You: Phishing, Trojans,
Spyware
------------------------------------------------------------------------
Phishing. Trojans. Spyware. Worried about the threat of a computer attack,
but confused about the terms? View this fun multimedia presentation for an
introductory overview of some of the many types of malware and how they can
affect you.

View the Malware Demo: 

http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYTYQTVupsLIpsLxlLtmkQgLlV2VB



To view our permission marketing policy:
    http://www.rsvp0.net
Copyright 1989-2004 Trend Micro, Inc.  All rights reserved
Trend Micro, Inc., 10101 N. De Anza Blvd., Suite 200, Cupertino, CA 95014

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
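
An added example, not part of the original newsletter or of Trend Micro's tooling: a Python check for the TROJ_ASH.A traces the report describes. It flags HOSTS entries that point a host name back at the local machine and matches directory listings against the file names ASH.DLL, Email.log, Pass.log and Req.log. The sample HOSTS text and the watchlist of security-site domains are constructed assumptions, because the Trojan's actual list is only available behind the report's link.

```python
import ipaddress

# File names taken from the report; listings are matched by name only.
DROPPED_LOGS = {"email.log", "pass.log", "req.log"}  # Windows folder
TROJAN_DLL = "ash.dll"                               # Windows system folder
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample; NOT the Trojan's real entries (those are behind the link).
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1   localhost
127.0.0.1   www.trendmicro.com   # security vendor site
0.0.0.0     update.av-vendor.example
127.0.0.1   ads.banner.example
192.0.2.10  intranet.corp.example
"""
WATCHLIST = ("trendmicro.com", "av-vendor.example")  # illustrative assumption

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in HOSTS-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: skip the malformed line
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watchlist=WATCHLIST):
    """Flag names pointed at the local machine; HIGH if on the watchlist."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or not (ip.is_loopback or ip.is_unspecified):
            continue
        watched = any(name == d or name.endswith("." + d) for d in watchlist)
        findings.append((line_no, name, str(ip), "HIGH" if watched else "REVIEW"))
    return findings

def find_artifacts(windows_names, system_names):
    """Case-insensitive match of two directory listings against the report."""
    hits = [n for n in windows_names if n.lower() in DROPPED_LOGS]
    return hits + [n for n in system_names if n.lower() == TROJAN_DLL]

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Entries marked REVIEW may be deliberate ad-blocking entries of the kind the report mentions; HIGH entries are the ones that cut off a watched security site.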


