From: TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
------------------------------------------------------------------------
Date: Friday May 21, 2004
------------------------------------------------------------------------

To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm

Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. LSASS = BOBAX – WORM_BOBAX.C (Low Risk)
3. Top 10 Most Prevalent Global Malware
4. Tell Your Friends and Family about Trend Micro's Newsletters

NOTE: Long URLs may break into two lines in some mail readers. Should this occur, please copy and paste the URL into your browser window.

1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 893 (1.893.00)
http://www.trendmicro.com/download/pattern.asp

SCAN ENGINE: 7.000
http://www.trendmicro.com/download/engine.asp

2. LSASS Equals BOBAX – WORM_BOBAX.C (Low Risk)
------------------------------------------------------------------------
WORM_BOBAX.C is a non-destructive worm that exploits the Windows LSASS vulnerability. This buffer overrun vulnerability allows an attacker to gain full control of an infected system. For more information on this vulnerability, please visit Microsoft's Web site:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

This worm is currently spreading in-the-wild and runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm installs itself in the Windows system folder using random file names. It also drops a .DLL file in the Windows Temp folder with the name <random number>.TMP. It creates a registry entry that allows it to automatically execute at every system startup.
This malware also checks whether the following mutex exists, to ensure that only one instance of itself is running in memory:

06:08:07:<random>

It then deletes its executed copy.

It sends a specially crafted packet to a specific port. This packet of data instructs the target machine to download the worm copy from an HTTP server. It saves this downloaded file as SVC.EXE.

If you would like to scan your computer for WORM_BOBAX.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:
http://housecall.trendmicro.com/

WORM_BOBAX.C is detected and cleaned by Trend Micro pattern file #892 and above.

For additional information about WORM_BOBAX.C please visit:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BOBAX.C

3. Top 10 Most Prevalent Global Malware (from May 14, 2004 to May 20, 2004)
------------------------------------------------------------------------
1. PE_ELKERN.D
2. PE_FUNLOVE.4099
3. WORM_NETSKY.P
4. HTML_NETSKY.P
5. WORM_NETSKY.D
6. WORM_SASSER.E
7. WORM_BOBAX.C
8. WORM_NETSKY.Z
9. WORM_SOBOT.KW
10. WORM_SOBER.G

4. Tell Your Friends and Family about Trend Micro's Newsletters
------------------------------------------------------------------------
If you would like to share the benefits of up-to-date virus information with your family and friends, tell them about Trend Micro's free newsletters!

Trend Micro's Virus Alerts keep subscribers informed of the latest virus outbreaks, as they happen. Trend Micro's Weekly Virus Report compiles information about the latest virus activity around the globe, to keep subscribers informed of malicious worms, Trojans, security threats, and other malware.

Share your copy of Trend Micro's educational, up-to-date virus information newsletters, and encourage your friends and family to subscribe – they'll stay in-the-know and stay protected.
- Subscribe to Trend Micro's free newsletters:
http://www.trendmicro.com/subscriptions
______________________________________________________________________
To view our permission marketing policy:
http://www.rsvp0.net

Trend Micro, Inc., 10101 N. De Anza Blvd., Suite 200, Cupertino, CA 95014

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member