RANDY RHOADS 1981 Posted February 22, 2003

Date: February 21, 2003

Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. No Love Lost - WORM_LOVEGATE.B (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. It's Tax Time! - Get TaxCut from H&R Block FREE with PC-cillin 2003*

1. Trend Micro Updates - Pattern File and Scan Engine Updates

PATTERN FILE: 465
SCAN ENGINE: 6.510

2. No Love Lost - WORM_LOVEGATE.B (Low Risk)

WORM_LOVEGATE.B is both a worm and a backdoor program. As a worm, it propagates copies of itself via network shared folders. It drops copies of itself in shared folders and in all subfolders that exist within the shared folders.

This worm drops multiple copies of itself using any of the following file names in the Windows system folder:

WinRpcsrv.e, syshelp.exe, winrpc.exe, WinGate.exe, rpcsrv.exe

Then, it adds registry entries that allow it to execute on subsequent Windows startups. It modifies the default entries in a certain registry key so that it is executed whenever a text file is opened. By replacing the original data in this registry key, it sets itself as the default application for opening text files that are double-clicked in Windows.

In shared folders and subfolders, it drops copies of itself using any of the following file names:

winrpc.exe, syshelp.exe, fun.exe, humor.exe, docs.exe, s3msong.exe, midsong.exe, billgt.exe, card.exe, setup.exe, searchURL.exe, tamagotxi.exe, hamster.exe, news_doc.exe, PsPgame.exe, joke.exe, images.exe, pics.exe, crklist.exe, source.exe, sex.exe, roms.exe, docs.exe, patch.exe, LUPdate.exe, pack.exe, wingate.exe, stg.exe, ssrv.exe

As a backdoor, this malware opens port 10168 and immediately sends an email notifying a remote user that the infected machine is online and can be accessed. By sending commands via the backdoor port, a remote user can execute programs on the infected machine, obtain information, and reconfigure the running backdoor program.

If you would like to scan your computer for WORM_LOVEGATE.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_LOVEGATE.B is detected and cleaned by Trend Micro pattern file #462 and above.

3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US (week of: February 10, 2003 to February 16, 2003)

WORM_KLEZ.H
WORM_YAHA.K
PE_PARITE.A
PE_DUPATOR.1503
PE_FUNLOVE.4099
WORM_SOBIG.A
PE_PARITE.B
WORM_OPASERV.E
WORM_BUGBEAR.A
TROJ_SMALL.J
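Added example, not part of any post in this thread and not Trend Micro code: a share sweep built from the indicators in the advisory above. It flags content stored under two or more of the listed share file names, on the assumption that the dropped copies are byte-identical, and probes the default backdoor port; the function names are hypothetical.

```python
import hashlib
import os
import socket
import sys
from collections import defaultdict

# Names the advisory lists for copies dropped in shared folders (lower-cased).
SHARE_NAMES = set("""winrpc.exe syshelp.exe fun.exe humor.exe docs.exe
s3msong.exe midsong.exe billgt.exe card.exe setup.exe searchurl.exe
tamagotxi.exe hamster.exe news_doc.exe pspgame.exe joke.exe images.exe
pics.exe crklist.exe source.exe sex.exe roms.exe patch.exe lupdate.exe
pack.exe wingate.exe stg.exe ssrv.exe""".split())
BACKDOOR_PORT = 10168  # default backdoor port named in the advisory


def find_duplicate_drops(root):
    """Map sha256 -> sorted paths for content stored under >= 2 listed names."""
    by_hash = defaultdict(list)
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in SHARE_NAMES:
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            by_hash[digest].append(path)
    # One listed name alone (setup.exe, patch.exe) is common and not a signal;
    # identical bytes under several listed names is (assumption: copies match).
    return {d: sorted(p) for d, p in by_hash.items()
            if len({os.path.basename(x).lower() for x in p}) >= 2}


def port_listening(host="127.0.0.1", port=BACKDOOR_PORT, timeout=1.0):
    """True if a TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for digest, paths in find_duplicate_drops(root).items():
        print("identical content under listed names:", digest[:16], paths)
    print("port", BACKDOOR_PORT, "listening:", port_listening())
```

A hit is a lead for an antivirus scan with a current pattern file, not a verdict, and an open port 10168 can belong to unrelated software.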
Joe C Posted February 24, 2003

Here's an update on that virus:

This malware is currently rapidly spreading in Taiwan, Australia, France, and Japan from where TrendLabs has received a significant number of infection reports. As of 1:02 AM, Trend has declared a Yellow Alert to control the spread of this malware. Expect an Official Pattern Release within 45 minutes of this alert declaration.

This malware is both a worm and backdoor program. To propagate, it drops copies of itself in network shared folders and subfolders. It also sends copies of itself via email. This worm uses its own SMTP server, SMTP.163.com, to send email. It sends email with the following message:

' I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion! '

As a backdoor, it opens a port, 10168 by default, allowing remote users to access and manipulate the affected system. It sends a notification to either of the following email addresses:

[email protected]
[email protected]

TrendLabs is currently analyzing this malware and will be providing more information.

WORM_LOVGATE.C is detected by pattern file 467.
triplea Posted February 24, 2003

Many Thanks to you both for the WARNING !!!
RANDY RHOADS 1981 Posted February 24, 2003

Thanks Joe, I just checked my mail and was just coming here to post that. It's good that we have another that can get them up as well.