Malware
Thu, 31 Jul 08
BKDR_SMALL.DDE
http://feeds.trendmicro.com/~r/MalwareTop10/~3/318176834/default5.asp
This backdoor may be dropped by the following malware:
It is usually dropped in the Windows system folder on an affected system. It is used for propagation routines by other malware. It connects to a certain Web site to send and receive information.
Wed, 30 Jul 08
TROJ_ZLOB.HEZ
http://feeds.trendmicro.com/~r/MalwareTop10/~3/349688798/default5.asp
A Trojan horse program is malware that is not capable of automatically spreading to other systems. Trojans are usually downloaded from the Internet and installed by unsuspecting users. Trojans typically carry payloads or perform other malicious actions that can range from the mildly annoying to the irreparably destructive. They may also modify system settings to start automatically. Restoring affected systems may require procedures other than scanning with an antivirus program.
Wed, 30 Jul 08
PE_VIRUT.A
http://feeds.trendmicro.com/~r/MalwareTop10/~3/200013019/default5.asp
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This file infector spreads by infecting running processes that use .EXE and .SCR extensions. It checks whether the target processes are files that are of portable executable (PE) format. It then appends its code to infect target processes. It avoids processes and files with certain strings in their file names.
In addition, this file infector has backdoor capabilities. It opens port 65520 and connects to a specific Internet Relay Chat (IRC) server. Once connected, it assigns itself a specific nick and allows a remote user to download files into the affected system. This routine effectively compromises the affected system's security.
Tue, 29 Jul 08
TROJ_DLOADER.ILT
http://feeds.trendmicro.com/~r/MalwareTop10/~3/348880141/default5.asp
This Trojan may be downloaded from remote site(s) by the following malware:
It may be downloaded unknowingly by a user when visiting malicious Web site(s).
This Trojan creates a registry key(s)/entry(ies) as part of its installation routine.
It connects to a Web site to download a non-malicious file.
It also connects to several URLs. The said URLs collect information from the affected system such as IP addresses and DNS settings. It also sends email messages to a list of addresses taken from the predefined servers using its own Simple Mail Transfer Protocol (SMTP) engine.
This routine may be used by other malware, since having its own SMTP engine means it no longer needs other email applications such as MS Outlook.
Sat, 26 Jul 08
TROJ_RENOS.ACO
http://feeds.trendmicro.com/~r/MalwareTop10/~3/345537708/default5.asp
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This Trojan may be downloaded from remote sites by other malware. It may be dropped by other malware.
It may be downloaded unknowingly by a user when visiting malicious Web sites.
Upon execution, it connects to a certain URL to download and execute a file, which is also detected as TROJ_RENOS.ACO. It also drops a file which is detected as JOKE_BLUESCREEN. As a result, routines of the dropped file may be exhibited on the affected system.
This Trojan modifies the affected system's desktop wallpaper by changing it to the following image:
Moreover, it disables System Restore. This routine prevents the affected user from reverting to a known-good image of the system.
Sat, 26 Jul 08
WORM_RONTOKBRO.H
http://feeds.trendmicro.com/~r/MalwareTop10/~3/319189788/default5.asp
This worm propagates by sending a copy of itself as an attachment to email messages. It gathers target email addresses by searching an affected system for files with certain extensions.
The email it sends out has the following details:
Subject: {blank}
Attachment: Kangen.exe
Notably, it avoids sending messages to email addresses containing strings that can mostly be attributed to antivirus and security companies. This worm avoids addresses with such strings to prevent its early detection and consequent removal from the compromised system.
This worm modifies the AUTOEXEC.BAT file, causing affected systems to pause at startup. The said event then requires the user to press any key to resume the startup process.
It also disables the Folder Options item in the Tools drop-down menu from the main menu bar of Windows Explorer and Control Panel. The said action prevents the affected user from changing such settings as displaying hidden folders and displaying file paths in title bars.
Furthermore, this worm restarts the affected system if it finds an open window with the strings .EXE and/or Registry in the title bar. Hence, if a user opens Registry Editor, or any other executable file, this worm restarts the system. This particular routine is also another way for this worm to make its removal from the system much more difficult.
This worm uses a Windows folder icon to trick affected users into believing that it is a normal or legitimate folder. Once clicked, it even opens a Windows Explorer window to hide its execution routines.
Thu, 24 Jul 08
POSSIBLE_MLWR-13
http://feeds.trendmicro.com/~r/MalwareTop10/~3/340984283/default5.asp
This is the Trend Micro detection for suspicious files that manifest similar behavior and characteristics to those of TROJ_AGENT, WORM_RBOT, or TROJ_MANCSYN variants.
For support on detected files, samples may be submitted to Trend Micro. Detailed analysis will be done on submitted samples and corresponding cleaning instructions may be applied, if necessary.
To submit files, please refer to the Solution section.
Wed, 23 Jul 08
MAL_SWZR
http://feeds.trendmicro.com/~r/MalwareTop10/~3/235982391/default5.asp
This is the Trend Micro detection for suspicious files that manifest behavior and characteristics similar to known TROJ_SWIZZOR and ADW_LOP variants.
If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.
To submit files, please refer to the Solution section.
Tue, 22 Jul 08
WORM_YAHLOVER.AL
http://feeds.trendmicro.com/~r/MalwareTop10/~3/341783254/default5.asp
This worm drops copies of itself. It drops files/components.
It creates registry entries to enable its automatic execution at every system startup. It modifies registry entries to enable its automatic execution at every system startup.
It creates registry key(s)/entry(ies).
It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.
This worm disables the Windows Task Manager, Registry Editor, and Folder Options in the Tools menu. It does the said routine by modifying related registry entries.
Mon, 21 Jul 08
HTML_IFRAME.FT
http://feeds.trendmicro.com/~r/MalwareTop10/~3/335238675/default5.asp
This is the Trend Micro detection for Web pages that were compromised through the insertion of a certain iFrame tag. Once an unsuspecting user views an infected Web page, it attempts to connect to a certain URL. As of this writing, however, the said URL is inaccessible.
Mon, 21 Jul 08
MAL_HIFRM-3
http://feeds.trendmicro.com/~r/MalwareTop10/~3/341344970/default5.asp
This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:
If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.
Mon, 21 Jul 08
WORM_DREFIR.B
http://feeds.trendmicro.com/~r/MalwareTop10/~3/183054896/default5.asp
This worm is capable of propagating through email and Internet Relay Chat (IRC).
To spread via email, it sends out copies of itself as attachments to all addresses saved in the Windows address book (WAB) by using MAPI functions. But since MAPI functions are typically available with Microsoft Outlook, it fails to spread using the MAPI routine on machines without Microsoft Outlook installed.
The email message it sends has varying subjects, message bodies, and attachment file names. Below is the screenshot of an email it sends out:
To propagate via IRC, this worm checks if an IRC application is active on the machine and then tries to connect to certain IRC servers. Once connected, it uses a specific list of nick names.
It then displays a particular list of messages and URLs, most of which are malicious and have adult-related contents.
Sun, 20 Jul 08
POSSIBLE_OTORUN2
http://feeds.trendmicro.com/~r/MalwareTop10/~3/227334960/default5.asp
This virus has been renamed to MAL_OTORUN2.
Sun, 20 Jul 08
JS_REDIR1.A
http://feeds.trendmicro.com/~r/MalwareTop10/~3/340223257/default5.asp
This JavaScript may be hosted on a Web site and run when a user accesses the said Web site. This JavaScript connects to remote URLs. As a result, malicious routines of the downloaded files are exhibited on the affected system. However, note that as of this writing, the said URLs are inaccessible.
Sun, 20 Jul 08
PE_JEEFO.A
http://feeds.trendmicro.com/~r/MalwareTop10/~3/162785667/default5.asp
This memory-resident virus infects Windows executable files. It drops a mother or pure copy of itself (without its infected host) in the Windows folder as the file SVCHOST.EXE. It also modifies the registry so that it runs every time Windows starts. This virus runs on Windows 95, 98, ME, NT, 2000, and XP.
Sat, 19 Jul 08
TROJ_AGENT.KD
http://feeds.trendmicro.com/~r/MalwareTop10/~3/339270459/default5.asp
This memory-resident Trojan program may be a dropped file of a malware installation package. It may also be manually downloaded by a user through the Internet. It modifies the Internet Explorer (IE) startup page to point to about:blank and the IE search page and search assistant to File:%Temp%\sp.html. (Note: %Temp% is the default Windows temporary files folder.)
Sat, 19 Jul 08
POSSIBLE_PATCH-1
http://feeds.trendmicro.com/~r/MalwareTop10/~3/339663743/default5.asp
This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:
If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.
Fri, 18 Jul 08
POSSIBLE_OBFUS-2
http://feeds.trendmicro.com/~r/MalwareTop10/~3/231926729/default5.asp
This virus has been renamed to MAL_OBFUS-2.
Fri, 18 Jul 08
PE_MABEZAT.B-O
http://feeds.trendmicro.com/~r/MalwareTop10/~3/314588756/default5.asp
This file infector may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.
This file infector modifies registry entries as part of its installation routine.
This file infector drops a copy of itself in all physical and removable drives as ZPHARAOH.EXE. It also drops an AUTORUN.INF file to automatically execute its dropped copies when the said drives are accessed.
This file infector searches for target files in certain folders. It does not infect files in the WINDOWS folder. It also searches for and infects random EXE files. Infected files are detected by Trend Micro as PE_MABEZAT.B.
Fri, 18 Jul 08
WORM_PERLOVGA.G
http://feeds.trendmicro.com/~r/MalwareTop10/~3/338109664/default5.asp
This worm may be dropped by other malware. It may arrive bundled with malware packages as a malware component. It may be installed manually by a user. It may be downloaded unknowingly by a user when visiting malicious Web sites.
It drops copies of itself. It drops files/components. Trend Micro detects its component file as BKDR_SMALL.DDE. It then executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
It modifies registry entries to enable its automatic execution at every system startup.
It drops copies of itself in all physical and removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.
Thu, 17 Jul 08
HTML_IFRAME.DY
http://feeds.trendmicro.com/~r/MalwareTop10/~3/337758789/default5.asp
This is the Trend Micro detection for email files that contain an attachment which, when quarantined and restored, is detected as PE_CHIR.B-O.
It takes advantage of the following vulnerability affecting systems running Microsoft Internet Explorer 5.01 and 5.5:
- Incorrect MIME Header Can Cause IE to Execute Email Attachment
The said vulnerability allows the automatic execution of email attachments without the user's consent. For more information, visit the following Microsoft Web page:
Wed, 16 Jul 08
TROJ_RENOS.AAM
http://feeds.trendmicro.com/~r/MalwareTop10/~3/336277254/default5.asp
This Trojan may be downloaded unknowingly by a user when visiting malicious Web sites. It creates folders. It drops copies of itself.
Upon execution, it displays the following interface:
It creates registry entries to enable its automatic execution at every system startup. It creates registry key(s)/entry(ies).
Wed, 16 Jul 08
WORM_NETSKY.AQ
http://feeds.trendmicro.com/~r/MalwareTop10/~3/144644820/default5.asp
This worm arrives as an attachment to mass-mailed email messages. It drops copies of itself. It creates registry entries to enable its automatic execution at every system startup. It uses various online Simple Mail Transfer Protocol (SMTP) engines to send email messages with a copy of itself as an attachment. It may use multiple file name extensions for the attachment.
Tue, 15 Jul 08
CRYP_MORPHINE
http://feeds.trendmicro.com/~r/MalwareTop10/~3/331917937/default5.asp
This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as malware packed by Morphine.
If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.
Tue, 15 Jul 08
CRYP_VIRUT-4
http://feeds.trendmicro.com/~r/MalwareTop10/~3/335414773/default5.asp
This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:
If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.
Tue, 15 Jul 08
CRYP_YODAP
http://feeds.trendmicro.com/~r/MalwareTop10/~3/317353479/default5.asp
This is the Trend Micro heuristic detection for suspicious files packed by Yoda's Protector.
If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.
Tue, 15 Jul 08
WORM_STRAT.GEN-3
http://feeds.trendmicro.com/~r/MalwareTop10/~3/335451266/default5.asp
This worm arrives as an attachment to email messages spammed by another malware or a malicious user. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.
It creates registry key(s)/entry(ies) as part of its installation routine. It modifies registry key(s)/entry(ies) as part of its installation routine.
It drops files/components. Trend Micro detects some of the dropped files as WORM_GENERIC. As a result, malicious routines of the downloaded files are exhibited on the affected system.
It connects to a certain Web site possibly to download files.
Tue, 15 Jul 08
WORM_BRONTOK.BA
http://feeds.trendmicro.com/~r/MalwareTop10/~3/167956943/default5.asp
This worm propagates by attaching a copy of itself to email messages, which it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine.
The email message it sends out has the following details:
Subject: {blank}
Message body: (any of the following)
• Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
• SAY NO TO DRUGS !!!
• Stop Free Sex, Aborsi, & Prostitusi ( Go To HELL )
• Stop pencemaran lingkungan, pembakaran hutan & perburuan liar.
Attachment: (any of the following)
• CCAPPS.EXE
• KANGEN.EXE
• MYHEART.EXE
• SYSLOVE.EXE
• UNTUKMU.EXE
• WINWORD.EXE
This worm has several autostart routines that ensure its execution every time the machine restarts in normal or safe mode and every time an instance of the command prompt is opened.
It modifies the registry to disable registry tools, and to hide the affected machine's hidden and system files. In addition, it also hides file extension names.
It restarts the affected system whenever it finds an open window with specific strings in the title bar. It also terminates Task Manager and Process Explorer.
On systems running Windows NT, 2000, XP, and Server 2003, this worm overwrites the HOSTS file located at %System%\drivers\etc with an .HTML file. It does the said routine to prevent the affected system from accessing Web sites that are mostly related to antivirus and security applications.
Tue, 15 Jul 08
MAL_STRAT-4
http://feeds.trendmicro.com/~r/MalwareTop10/~3/240967004/default5.asp
This is the Trend Micro detection for suspicious files that manifest behavior and characteristics similar to known STRATION variants.
More descriptions of STRATION variants can be found here.
If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.
To submit files, please refer to the Solution section.
Mon, 14 Jul 08
PE_SALITY.AL
http://feeds.trendmicro.com/~r/MalwareTop10/~3/168417889/default5.asp
This file infector may be downloaded from remote site(s) by other malware.
It may be dropped by other malware.
Upon execution, it drops certain files.
This file infector infects all .EXE files in the Windows folder and subfolders. It also infects all .EXE files on the affected system's root folder (usually C:), in random subfolders, and in all removable and network drives.
This routine may cause system applications to malfunction.
A certain .DLL file is injected into all processes found running on the affected system, after which control is returned to the host file.
Sun, 13 Jul 08
CRYP_UPACK
http://feeds.trendmicro.com/~r/MalwareTop10/~3/333076155/default5.asp
This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as malware packed by Upack.
If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.
Sun, 13 Jul 08
EXPL_MS04-028.A
http://feeds.trendmicro.com/~r/MalwareTop10/~3/228414309/default5.asp
This is Trend Micro's generic detection for JPEG image files that exploit the MS04-028 vulnerability, which is also known as Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution.
These JPEG image files may be crafted maliciously to contain executable code such that the code is automatically executed when the image files are viewed on vulnerable or unpatched systems. The code may also execute even when the image files are simply previewed as thumbnails. The crafted files may also cause Windows Explorer to crash.
Some normal JPEG image files have also been found to crash Windows Explorer inadvertently due to the presence of the JPEG GDI vulnerability. Trend Micro antivirus also generically detects these files, which contain extended "comment" sections that cause the exploit, as EXPL_MS04-028.A.
The impact of the MS04-028 vulnerability lies in the fact that JPEG is one of the most common formats for image files.
The MS04-028 vulnerability affects the following components:
Windows platforms:
- Microsoft Windows Server™ 2003
- Microsoft Windows Server 2003 64-Bit Edition
- Microsoft Windows XP
- Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
Applications:
- Digital Image Pro version 9
- Digital Image Suite version 9
- Microsoft .NET Framework, Version 1.0 SDK
- Microsoft Digital Image Pro version 7.0
- Microsoft Greetings 2002
- Microsoft Office System 2003
- Microsoft Office XP Service Pack 3
- Microsoft Picture It!® 2002 (All Versions)
- Microsoft Picture It!® version 7.0 (All Versions)
- Microsoft Picture It!® version 9 (All Versions, including Picture It!® Library)
- Microsoft Producer for Microsoft Office PowerPoint (All Versions)
- Microsoft Project 2002 (All Versions)
- Microsoft Project 2003 (All Versions)
- Microsoft Visio 2002 (All Versions)
- Microsoft Visio 2003 (All Versions)
- Platform SDK Redistributable: GDI+
- Visual Basic .NET Standard 2002
- Visual Basic .NET Standard 2003
- Visual C# .NET Standard 2002
- Visual C# .NET Standard 2003
- Visual C++ .NET Standard 2002
- Visual C++ .NET Standard 2003
- Visual J# .NET Standard 2003
- Visual Studio .NET 2002
- Visual Studio .NET 2003
More information on the MS04-028 vulnerability can be found in the following links:
Sat, 12 Jul 08
MAL_VUNDO
http://feeds.trendmicro.com/~r/MalwareTop10/~3/332734211/default5.asp
This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:
If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.
Fri, 11 Jul 08
VBS_RUNAUTO.M
http://feeds.trendmicro.com/~r/MalwareTop10/~3/322238295/default5.asp
This malicious VBScript may be downloaded unknowingly by a user when visiting malicious Web sites.
It drops copies of itself.
It creates registry entries to enable its automatic execution at every system startup.
It modifies registry entries to hide files with both System and Read-only attributes.
It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.
Thu, 10 Jul 08
VBS_AGENT.AMAF
http://feeds.trendmicro.com/~r/MalwareTop10/~3/330928301/default5.asp
Upon execution, this VBScript drops the following copy of itself.
This VBScript creates the following registry entry to enable its automatic execution at every system startup:
This VBScript modifies a registry entry to hide files with both System and Read-only attributes.
This VBScript drops copies of itself in all removable drives. It also drops an AUTORUN.INF file to automatically execute its dropped copies when the said drives are accessed.
Thu, 10 Jul 08
WORM_RONTKBR.D
http://feeds.trendmicro.com/~r/MalwareTop10/~3/186333646/default5.asp
This worm propagates by sending a copy of itself as an attachment to email messages using its own Simple Mail Transfer Protocol (SMTP) engine. The email it sends out has the following details:
Subject: {blank}
Attachment: Kangen.exe
It gathers target email addresses by searching the affected system for files with specific extension names, such as DOC, HTML, PHP, TXT, and XLS. However, it avoids sending email messages to addresses that contain particular substrings, most of which are related to certain antivirus and security companies. It does the said routine to prevent its early detection on the compromised system.
It also uses a Windows folder icon in an attempt to trick users into opening the attachment, effectively executing this worm. Upon execution, it opens the My Documents folder to hide its process.
This worm employs different techniques to make itself almost invisible on the affected system. One of the said techniques is to disable the Registry Editor to make its detection harder for the affected user. Another technique is hiding file extension names and files with certain attributes to cover its tracks.
Furthermore, it terminates running processes on the system containing specific strings.
Thu, 10 Jul 08
WORM_RBOT.BPA
http://feeds.trendmicro.com/~r/MalwareTop10/~3/211931936/default5.asp
This worm may be downloaded from remote sites by other malware. It may arrive via network shares. It may be hosted on a Web site and run when a user accesses the said Web site.
It drops copies of itself.
It disables Windows Firewall settings.
It propagates by searching the network for certain shares, into which it attempts to drop copies of itself.
It takes advantage of the following software vulnerabilities to propagate across networks:
- Microsoft Security Bulletin MS03-026
- Microsoft Security Bulletin MS03-039
- Microsoft Security Bulletin MS03-049
It also propagates by dropping copies of itself in all available physical and removable drives. It then drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.
It opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.
It accesses Web sites to download files. As a result, malicious routines of the downloaded files may be exhibited on the affected system.
Tue, 8 Jul 08
WORM_SHAREBOT.A
http://feeds.trendmicro.com/~r/MalwareTop10/~3/207562498/default5.asp
This worm propagates by dropping copies of itself in shared folders with Read or Read/Write access in the root and Windows directory. It uses file names that can trick users into thinking they are crack programs for certain software. It also attempts to modify the registry settings of popular file-sharing services. This worm also attempts to connect to an mIRC server to notify a remote user and listen for further commands. It runs on Windows 95, 98, ME, NT, 2000, and XP.
Tue, 8 Jul 08
PE_FUJACKS.BE
http://feeds.trendmicro.com/~r/MalwareTop10/~3/329306723/default5.asp
This is the Trend Micro detection for files infected by PE_FUJACKS.BE-O. It may arrive on a system as a file downloaded by unsuspecting users while visiting Web sites.
Upon execution, it drops the file SPOCLSV.EXE, which is detected by Trend Micro as PE_FUJACKS.BE-O, in the %System%\drivers folder. After successfully dropping its mother virus, the malware code of the infected file is removed, which consequently cleans the said file.
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Mon, 7 Jul 08
WORM_ALLAPLE.IK
http://feeds.trendmicro.com/~r/MalwareTop10/~3/190704295/default5.asp
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This worm spreads by dropping a copy of itself into certain accessible systems in a network. It also spreads by dropping a polymorphed copy of itself upon exploiting Windows vulnerabilities. It uses existing user names on the target system, as well as predefined user names and passwords in order to perform the abovementioned propagation routines.
It is also capable of performing a denial of service (DoS) attack against specific Web sites hardcoded in its body.
Sun, 6 Jul 08
WORM_SOHANAD.BO
http://feeds.trendmicro.com/~r/MalwareTop10/~3/157119429/default5.asp
This worm drops files/components. It then creates and modifies registry entries to ensure automatic execution at every system startup.
This worm propagates via Yahoo! Messenger. It does the said routine by sending an instant message to all contacts of a target user. The message it sends contains a link to a remote copy of itself. When the recipient clicks the link, its copy is executed on the recipient's system.
It opens random TCP ports on which it listens for remote commands from a malicious user. It executes these commands locally on the affected system, thus compromising the system's security.
It displays the following message box:
