From: Trend Micro Newsletters:

TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
------------------------------------------------------------------------
Date: Friday May 14, 2004
------------------------------------------------------------------------

To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm

Issue Preview:

1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. Wallowing in Wallon? – WORM_WALLON.A (Low Risk)
3. Top 10 Most Prevalent Global Malware
4. Tell Your Friends and Family about Trend Micro's Newsletters

NOTE: Long URLs may break into two lines in some mail readers. Should this occur, please copy and paste the URL into your browser window.

1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 889 (1.889.00)
http://www.trendmicro.com/download/pattern.asp

SCAN ENGINE: 7.000
http://www.trendmicro.com/download/engine.asp

2. Wallowing in Wallon – WORM_WALLON.A (Low Risk)
------------------------------------------------------------------------
WORM_WALLON.A is a non-destructive, mass-mailing worm that is currently spreading in-the-wild. This worm exploits a vulnerability within Outlook Express that allows downloading of files without the user's knowledge. It gathers email addresses from the infected user's Windows Address Book, and uses the email account details of the user who is currently logged on, to send email. The email it sends is an HTML-based email message that redirects users to a Web site that downloads some of the worm's components into the user's computer system. This worm runs on Windows 95, 98, ME, 2000, and XP.

Information on this vulnerability can be found by visiting Microsoft's Web site at:
http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx

Upon execution, this worm checks for the existence of a specific registry entry, which serves as the worm's infection marker. If this entry is not found, the worm displays an error message.

While gathering email addresses to send email to, this worm skips email addresses with the following substrings:

  admin
  microsoft
  postmaster
  software
  support
  webmaster

Once it has gathered email addresses it sends email using the currently logged on users' email account details.

Once a user clicks on the link specified in the malware's email, a series of downloads and remote file executions occur. Occasionally this malware attempts to download an adware file. It saves the downloaded file as COOL.EXE in the root directory. If the download is successful, it sleeps for two minutes and executes the downloaded file. This worm then sleeps for thirty minutes then runs a specific CGI script eleven times consecutively, sleeping 10 minutes between each execution. It then executes the file COOL.EXE again.

This worm attempts to contact the following email address, possibly for notification purposes:

  1@xxxxxxxxxxxxxxxx

If you would like to scan your computer for WORM_WALLON.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:
http://housecall.trendmicro.com/

WORM_WALLON.A is detected and cleaned by Trend Micro pattern file #890 and above.

For additional information about WORM_WALLON.A please visit:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WALLON.A

3. Top 10 Most Prevalent Global Malware (from May 7, 2004 to May 13, 2004)
------------------------------------------------------------------------
1. PE_ELKERN.D
2. WORM_NETSKY.P
3. HTML_NETSKY.P
4. PE_VALLA.A
5. WORM_NETSKY.D
6. PE_FUNLOVE.4099
7. WORM_NETSKY.B
8. WORM_NETSKY.Z
9. PE_PARITE.A
10. WORM_NETSKY.C

4. Tell Your Friends and Family about Trend Micro's Newsletters
------------------------------------------------------------------------
If you would like to share the benefits of up-to-date virus information, with your family and friends, tell them about Trend Micro's free newsletters! Trend Micro's Virus Alerts keep subscribers informed of the latest virus outbreaks, as they happen. Trend Micro's Weekly Virus Report compiles information about the latest virus activity around the globe, to keep subscribers informed of malicious worms, Trojans, security threats, and other malware.

Share your copy of Trend Micro's educational, up-to-date virus information newsletters, and encourage your friends and family to subscribe – they'll stay in-the-know and stay protected.

Subscribe to Trend Micro's free newsletters:
www.trendmicro.com/subscriptions

Trend Micro, Inc., 10101 N. De Anza Blvd., Suite 200, Cupertino, CA 95014
------------------------------------------------------------------------

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member