From: TREND MICRO WEEKLY VIRUS REPORT (by TrendLabs Global Antivirus and Research Center)
------------------------------------------------------------------------
Date: Friday March 18, 2005
------------------------------------------------------------------------

To read an HTML version of this newsletter, go to:
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYUTQTVupsLIpsLxlLtmkQgLlV2VR

Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Antispyware Killer - TROJ_ASH.A (Low Risk)
3. Top 10 Most Prevalent Global Malware
4. Join Trend Micro for a Free Webinar on URL Filtering
5. Learn the Basics of Malware and How it Affects You: Phishing, Trojans, & Spyware

NOTE: Long URLs may break into two lines in some mail readers. Should this occur, please copy and paste the URL into your browser window.

************************************************************************
1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 2.502.00
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYUTQTVupsLIpsLxlLtmkQgLlV2VS

SCAN ENGINE: 7.510
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYUTQTVupsLIpsLxlLtmkQgLlV2VT

2. Antispyware Killer - TROJ_ASH.A (Low Risk)
------------------------------------------------------------------------
TROJ_ASH.A is a destructive, memory-resident Trojan that terminates and deletes all files related to Microsoft Windows Antispyware. It also steals online banking credentials by monitoring the user's Internet transactions with certain online banking sites. It runs on Windows 95, 98, ME, NT, 2000, and XP.

This memory-resident Trojan arrives on a system as the file ASH.DLL in the Windows system folder. It may also be downloaded by the user from the Internet.

Before installation, the Trojan checks whether Microsoft Windows Antispyware is installed.
If found, it attempts to terminate and delete all files related to this application.

This Trojan steals online banking credentials by monitoring the user's Internet transactions and waiting for the user to access the following online banking sites:

https://ibank.barclays.co.uk
https://ibank.cahoot.com
https://olb2.nationet.com
https://online.lloydstsb.co.uk
https://www.bankofscotlandhalifax-online.co.uk
https://www.ebank.hsbc.co.uk
https://www.millenniumbcp.pt
https://www.ukpersonal.hsbc.com

When the Trojan detects a visit to any of these banking sites, it displays a spoofed .HTML page to trick the user into entering their account information. The stolen data is then sent to a remote user.

The Trojan drops the following log files in the Windows folder to store the information it gathers from the user:

Email.log
Pass.log
Req.log

In addition to gathering user IDs and passwords, it also harvests email addresses found on the user's system. It gathers email addresses from files with the following extensions (the asterisk is a wildcard):

.*ht* .adb .asp .dbx .doc .eml .msg .oft .ph* .pl* .rtf .tbb .tx* .uin .vbs .wab .xls .xml

This Trojan also terminates certain processes and modifies the HOSTS file. The HOSTS file contains mappings of host names to IP addresses. It is loaded into the computer's memory at startup, and Windows consults it before performing a DNS lookup for a requested Web site. If a requested Web site is listed in the HOSTS file, any attempt to connect to it goes to the address given there; malware typically uses the loopback address (127.0.0.1), so the connection is redirected back to the local machine and never reaches the real site. This also blocks other applications from connecting to the Internet, as long as the Web site they attempt to reach is listed in the HOSTS file.

HOSTS files are useful for blocking ads, banners, cookies, and known malicious Web sites. However, this technique is now being employed by various malware to prevent users from accessing antivirus and security-related Web sites.
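The HOSTS-file redirection described above can be checked mechanically. The following Python script is an added example, not Trend Micro code and not taken from the TROJ_ASH.A write-up. It parses HOSTS-format text and flags two things: (a) any name other than localhost mapped to the loopback or unspecified address, which is the blocking technique described here, and (b), going beyond this Trojan, any security-vendor domain mapped to some other address, the complementary hijack technique. The watch-list of vendor domains and the sample HOSTS content are constructed for illustration and are not the lines TROJ_ASH.A adds (that list is in the Trend Micro encyclopedia entry). To check a live machine, pass the path of the real file (on Windows XP, %SystemRoot%\system32\drivers\etc\hosts) as the first argument.

```python
"""Flag HOSTS-file entries that redirect or hijack security-related sites.

Added example, not Trend Micro code. The watch-list and the sample HOSTS text
below are constructed; they are not the entries TROJ_ASH.A writes.
"""
import ipaddress
import re
import sys
from typing import Dict, List, Tuple

# Names that a stock HOSTS file legitimately maps to the local machine.
LEGITIMATE_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed watch-list (assumption): domains a user relies on for AV and OS
# updates. Any HOSTS entry for these is suspicious whatever address it gives.
WATCHED_DOMAINS = ("trendmicro.com", "symantec.com", "mcafee.com",
                   "microsoft.com", "windowsupdate.com")

Entry = Tuple[int, str, str]  # (line number, ip, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return every mapping in HOSTS-format text.

    Comments ('#' to end of line) and blank lines are skipped; one IP may be
    followed by several host names on the same line. Lines whose first field
    is not an IP address are ignored rather than treated as mappings.
    """
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            entries.append((line_no, ip, name.lower()))
    return entries


def is_local_redirect(ip: str) -> bool:
    """True if traffic to this address never leaves the machine (127.x / ::1 / 0.0.0.0)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def is_watched(name: str) -> bool:
    """True if name is one of the watched domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Classify HOSTS entries.

    'blocked'  : a name other than localhost sent to the local machine
                 (the technique described for TROJ_ASH.A).
    'hijacked' : a watched domain sent to some other address, e.g. an
                 attacker-controlled host (not described for this Trojan).
    """
    report: Dict[str, List[Entry]] = {"blocked": [], "hijacked": []}
    for entry in parse_hosts(text):
        _, ip, name = entry
        if is_local_redirect(ip):
            if name not in LEGITIMATE_LOCAL:
                report["blocked"].append(entry)
        elif is_watched(name):
            report["hijacked"].append(entry)
    return report


# Constructed sample: a stock HOSTS file plus lines of the kind malware appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com
127.0.0.1       housecall.trendmicro.com  # added by malware
0.0.0.0         liveupdate.symantec.com
10.0.0.5        windowsupdate.microsoft.com
192.168.1.20    intranet.example.local
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for kind, hits in audit_hosts(text).items():
        for line_no, ip, name in hits:
            print(f"{kind:8} line {line_no}: {name} -> {ip}")
```

Run without arguments it reports the three loopback entries in the constructed sample as blocked and the windowsupdate.microsoft.com line as hijacked; the intranet entry is left alone because a private address for a non-watched name is ordinary administration, not an indicator.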
This Trojan adds many lines to the system's HOSTS file, preventing the user from accessing the listed Web sites.

View the complete list of terminated processes and lines added:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FASH%2EA&VSect=T

If you would like to scan your computer for TROJ_ASH.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:
http://trendnewsletter.rsc03.net/servlet/cc5?lgLQYUTQTVupsLIpsLxlLtmkQgLlV2VU

TROJ_ASH.A is detected and cleaned by Trend Micro pattern file #2.497.01 and above.

For additional information about TROJ_ASH.A please visit:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ASH.A

3. Top 10 Most Prevalent Global Malware (from March 11 to March 17, 2005)
------------------------------------------------------------------------
1. HTML_NETSKY.P
2. WORM_NETSKY.P
3. JAVA_BYTEVER.A
4. TROJ_DLOADER.DH
5. TROJ_DLOADER.DG
6. JAVA_BYTEVER.B
7. SPYW_GATOR.D
8. TROJ_SMALL.SN
9. TROJ_DFC.A
10. SPYW_GATOR.C

4. VSAPI Scan Engine 7.510 for OS390, AS/400, NLM, DecUX, DGUX, FBSD4, HPUX11, & ZLINUX platforms
------------------------------------------------------------------------
Find out what's new with Scan Engine 7.510, and download it here:
http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=23650

This new Scan Engine release addresses the ARJ parsing vulnerability. Learn more about it here:
http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionId=23557

5. Learn the Basics of Malware and How it Affects You: Phishing, Trojans, Spyware
------------------------------------------------------------------------
Phishing. Trojans. Spyware. Worried about the threat of a computer attack, but confused about the terms? View this fun multimedia presentation for an introductory overview of some of the many types of malware and how they can affect you.
View the Malware Demo:
http://www.trendmicro.com/en/offers/global/malware-demo.htm

To view our permission marketing policy:
http://www.rsvp0.net

Copyright 1989-2004 Trend Micro, Inc. All rights reserved
Trend Micro, Inc., 10101 N. De Anza Blvd., Suite 200, Cupertino, CA 95014

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member