Latest Virus Threats


Date: February 21, 2003

Issue Preview:

1. Trend Micro Updates - Pattern File & Scan Engine Updates

2. No Love Lost - WORM_LOVEGATE.B (Low Risk)

3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US

4. It's Tax Time! - Get TaxCut from H&R Block FREE with PC-cillin 2003*

1. Trend Micro Updates - Pattern File and Scan Engine Updates

 

PATTERN FILE: 465

SCAN ENGINE: 6.510

2. No Love Lost - WORM_LOVEGATE.B (Low Risk)

WORM_LOVEGATE.B is both a worm and a backdoor program. As a worm, it propagates copies of itself via network shared folders. It drops copies of itself in shared folders and in all subfolders that exist within the shared folders.

 

This worm drops multiple copies of itself using any of the following file names in the Windows system folder:

 

WinRpcsrv.e

syshelp.exe

winrpc.exe

WinGate.exe

rpcsrv.exe

 

Then, it adds registry entries that allow it to execute on subsequent Windows startups.

 

It modifies the default entries in a certain registry key so that it is executed whenever a text file is opened. By replacing the original data in this registry key, it sets itself as the default application for opening text files that are double-clicked in Windows.

 

In shared folders and subfolders, it drops copies of itself using any of the following file names:

 

winrpc.exe

syshelp.exe

fun.exe

humor.exe

docs.exe

s3msong.exe

midsong.exe

billgt.exe

card.exe

setup.exe

searchURL.exe

tamagotxi.exe

hamster.exe

news_doc.exe

PsPgame.exe

joke.exe

images.exe

pics.exe

crklist.exe

source.exe

sex.exe

roms.exe

docs.exe

patch.exe

LUPdate.exe

pack.exe

wingate.exe

stg.exe

ssrv.exe

 

As a backdoor, this malware opens port 10168 and immediately sends an email notifying a remote user that the infected machine is online and can be accessed. By sending commands via the backdoor port, a remote user can execute programs on the infected machine, obtain information, and reconfigure the running backdoor program.

 

If you would like to scan your computer for WORM_LOVEGATE.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

 

WORM_LOVEGATE.B is detected and cleaned by Trend Micro pattern file #462 and above.

 

3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US

(week of: February 10, 2003 to February 16, 2003)

 

WORM_KLEZ.H

WORM_YAHA.K

PE_PARITE.A

PE_DUPATOR.1503

PE_FUNLOVE.4099

WORM_SOBIG.A

PE_PARITE.B

WORM_OPASERV.E

WORM_BUGBEAR.A

TROJ_SMALL.J


Here's an update on that virus:

 

This malware is currently rapidly spreading in Taiwan, Australia, France, and Japan from where TrendLabs has received a significant number of infection reports. As of 1:02 AM, Trend has declared a Yellow Alert to control the spread of this malware. Expect an Official Pattern Release within 45 minutes of this alert declaration.

 

This malware is both a worm and backdoor program. To propagate, it drops copies of itself in network shared folders and subfolders. It also sends copies of itself via email.

 

This worm uses its own SMTP server, SMTP.163.com, to send email. It sends email with the following message:

 

' I'll try to reply as soon as possible.

Take a look to the attachment and send me your opinion! '

 

As a backdoor, it opens a port, 10168 by default, allowing remote users to access and manipulate the affected system. It sends a notification to either of the following email addresses:

 

[email protected]

[email protected]

TrendLabs is currently analyzing this malware and will be providing more information.

WORM_LOVGATE.C is detected by pattern file 467.

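A defender-side sweep built from the share-folder file names and the backdoor port given in the posts above, as an added example that is not part of the original thread or of Trend Micro's tooling. It walks a share and all its subfolders and treats byte-identical content stored under several of the listed names as the strong signal, since a lone name match such as setup.exe can be legitimate. The function names and the SHA-256 grouping are assumptions of this example.

```python
import hashlib
import os
import socket
import sys
from collections import defaultdict

# Share-folder file names from the advisory, compared case-insensitively.
SHARE_NAMES = {n.lower() for n in (
    "winrpc.exe syshelp.exe fun.exe humor.exe docs.exe s3msong.exe midsong.exe "
    "billgt.exe card.exe setup.exe searchURL.exe tamagotxi.exe hamster.exe "
    "news_doc.exe PsPgame.exe joke.exe images.exe pics.exe crklist.exe "
    "source.exe sex.exe roms.exe patch.exe LUPdate.exe pack.exe wingate.exe stg.exe ssrv.exe"
).split()}
BACKDOOR_PORT = 10168  # backdoor port named in the advisory


def sweep_share(root):
    """Walk root and all subfolders; return (clusters, name_only)."""
    # clusters: sha256 -> paths with identical content; name_only: single hits
    by_hash = defaultdict(list)
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in SHARE_NAMES:
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable or locked file: skip it, keep sweeping
            by_hash[digest].append(path)
    clusters = {d: sorted(p) for d, p in by_hash.items() if len(p) > 1}
    name_only = sorted(p[0] for p in by_hash.values() if len(p) == 1)
    return clusters, name_only


def port_listening(port=BACKDOOR_PORT, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on the given port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


if __name__ == "__main__":
    found, weak = sweep_share(sys.argv[1] if len(sys.argv) > 1 else ".")
    for digest, paths in found.items():
        print("identical copies", digest[:16], *paths, sep="\n  ")
    print("name match only, verify:", *weak, sep="\n  ")
    print("port", BACKDOOR_PORT, "listening:", port_listening())
```

Run it with the share root as the only argument; it checks the share-folder names only, not the Windows system folder names from the first post.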
