Trend Micro Alert



Hi team, here is Trend Micro's alert of the Arafat worm. I tried to put it into a link,

but decided to send it in text; that way no one can be suspicious of the link. Like me, a lot of you are reluctant to click on links.

marty

Date: Friday November 19, 2004

NOTE: The Weekly Virus Report will be on hiatus next week, during the Thanksgiving Holiday, but will return to its regular schedule on December 3.

------------------------------------------------------------------------

To read an HTML version of this newsletter, go to:

http://www.trendmicro.com/en/security/report/overview.htm

Issue Preview:

1. Trend Micro Updates - Pattern File & Scan Engine Updates

2. Arafat Worm – WORM_GOLTEN.A (Low Risk)

3. Top 10 Most Prevalent Global Malware

4. Trend Micro URL Filtering Module - Important Product Update Now Available

5. Trend Micro Announces Network VirusWall 300

NOTE: Long URLs may break into two lines in some mail readers.

Should this occur, please copy and paste the URL into your browser window.

************************************************************************

1. Trend Micro Updates - Pattern File & Scan Engine Updates

------------------------------------------------------------------------

PATTERN FILE: 2.251.00 http://www.trendmicro.com/download/pattern.asp

SCAN ENGINE: 7.100 http://www.trendmicro.com/download/engine.asp

2. Arafat Worm – WORM_GOLTEN.A (Low Risk)

------------------------------------------------------------------------

WORM_GOLTEN.A is a memory-resident network worm. It has no mass-mailing capabilities, but may have been mass-mailed to specific email addresses instead. The email message contains two .EMF file attachments: one shows the burial of Palestinian leader Yasser Arafat and the other contains code that exploits a Microsoft XP vulnerability. The worm propagates via network shares and attempts to connect to network shared folders. It uses a list of user names and passwords to gain access to machines, to establish a network connection and execute a copy of itself in the accessed network share. This worm runs on Windows 2000 and XP, and is currently spreading in-the-wild.

Upon execution, this worm drops the following files in the Windows system folder:

ALERTER.EXE - main component and installer

COMWSOCK.DLL

DMSOCK.DLL

IETCOM.DLL

SPTRES.DLL

SCARDSER.EXE - installs .DLL (Dynamic Link Library) files that inject this worm into LSASS.EXE and IEXPLORE.EXE

It also adds a registry entry that allows it to automatically execute at every system startup, and installs the following .DLL files:

COMWSCOK.DLL

DMSOCK.DLL

IETCOM.DLL

SPTRES.DLL

These .DLL files inject this worm into the following processes:

LSASS.EXE

EXPLORER.EXE

The .DLL files download other components from a remote location, and are responsible for the propagation of this worm.

The worm also adds a registry entry that initiates the download of a remote file, which is saved as DMSTI.EXE.

WORM_GOLTEN.A propagates through network shares and attempts to connect and execute a copy of itself in the following default network folders:

ADMIN$

IPC$

It also installs a service named NETLOG.

This worm uses the following user names and passwords to gain access to machines connected on the same network:

!@#$

!@#$%

!@#$%

~!@#

000000

00000000

111

111111

11111111

12

123

123!@#

1234

1234!@#$

12345

12345!@#$%

123456

1234567

12345678

54321

654321

888888

88888888

admin

fan@ing*

oracle

pass

passwd

password

root

secret

security

stgzs

super

The worm may have been mass-mailed to specific email addresses. The email arrives with the following:

Subject: Latest News about Arafat!!!

Message body:

Hello guys!

Latest news about Arafat!

Unimaginable!!!!!

The email also contains two .EMF file attachments: ARAFAT_1.EMF is a .JPG file showing the burial of Palestinian leader Yasser Arafat, and ARAFAT_2.EMF contains exploit code that uses the Microsoft Windows XP Metafile Heap Overflow vulnerability. When opened, the file drops this worm into a system. For more information on this vulnerability please visit:

http://www.trendmicro.com/vinfo/virusencyc...XPLOIT-MS04-032

If you would like to scan your computer for WORM_GOLTEN.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_GOLTEN.A is detected and cleaned by Trend Micro pattern file #2.247.03 and above.

For additional information about WORM_GOLTEN.A please visit: http://www.trendmicro.com/vinfo/virusencyc...e=WORM_GOLTEN.A

3. Top 10 Most Prevalent Global Malware

(from November 12, 2004 to November 18, 2004)

------------------------------------------------------------------------

1. WORM_NETSKY.P

2. HTML_NETSKY.P

3. WORM_NETSKY.D

4. WORM_NETSKY.B

5. WORM_SOBER.G

6. JAVA_BYTEVER.A

7. WORM_BAGLE.AT

8. WORM_NETSKY.C

9. WORM_NETSKY.Q

10. WORM_SOBER.F

4. Trend Micro URL Filtering Module - Important Product Update Now Available

------------------------------------------------------------------------

Trend Micro URL Filtering, an optional module integrated with Trend Micro InterScan Web Security Suite, enables companies to manage employee Internet use by restricting access to unwanted Web sites.

If you have installed InterScan Web Security Suite with URL Filtering module, an important product update is now available:

For Windows: InterScan Web Security Suite Patch for Windows v2.0

For Linux: InterScan Web Security Suite Patch for Linux v2.0

For Solaris: InterScan Web Security Suite Patch for Solaris v2.0

PLEASE NOTE: This is a mandatory patch as all unpatched systems will be unable to receive URL Filtering updates after January, 2005.

You may obtain the patch by visiting:

http://www.trendmicro.com/download/product.asp?productid=34

If you have questions or need assistance, please contact Trend Micro Technical Support in your area: http://kb.trendmicro.com/solutions/include...TechSupport.asp

5. Trend Micro Announces Network VirusWall 2500

------------------------------------------------------------------------

Trend Micro recently launched the Network VirusWall 2500 outbreak prevention appliance intended to protect multiple network segments and servers from network worms.

Network VirusWall 2500 stops network worms and vulnerability exploits with complete accuracy. It prevents infection by enforcing security policies by blocking noncompliant devices from network access, and it isolates infected network segments and automates remote clean up in case of outbreak.

To learn more about the Network VirusWall 2500 please visit: http://www.trendmicro.com/en/products/netw...te/overview.htm

************************************************************************

This message was sent by Trend Micro's Newsletters Editor using Responsys Interact.


Copyright 1989-2004 Trend Micro, Inc. All rights reserved

Trend Micro, Inc., 10101 N. De Anza Blvd., Suite 200, Cupertino, CA

95014
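An added example, not part of the original post or of Trend Micro's alert: a file-name sweep of one folder for the names the alert lists for WORM_GOLTEN.A. The function names, the role labels and the constructed demo directory are assumptions of this example.

```python
import os
import tempfile

# File names taken from the alert text. The alert spells one DLL two ways
# (COMWSOCK.DLL and COMWSCOK.DLL), so both spellings are checked.
GOLTEN_FILES = {
    "ALERTER.EXE": "main component and installer",
    "SCARDSER.EXE": "installs the injecting DLLs",
    "COMWSOCK.DLL": "injecting DLL",
    "COMWSCOK.DLL": "injecting DLL (second spelling in the alert)",
    "DMSOCK.DLL": "injecting DLL",
    "IETCOM.DLL": "injecting DLL",
    "SPTRES.DLL": "injecting DLL",
    # The alert does not say where this downloaded file is saved.
    "DMSTI.EXE": "downloaded remote file",
}


def scan_system_folder(folder):
    """Return sorted (file name, role) pairs for files in `folder` named in the alert.

    Matching is case-insensitive, as Windows file names are. A name match is a
    lead to confirm with an up-to-date scanner, not proof of infection.
    """
    hits = []
    with os.scandir(folder) as entries:
        for entry in entries:
            role = GOLTEN_FILES.get(entry.name.upper())
            if role and entry.is_file(follow_symlinks=False):
                hits.append((entry.name, role))
    return sorted(hits)


def demo():
    """Sweep a constructed directory that stands in for the system folder."""
    with tempfile.TemporaryDirectory() as folder:
        for name in ("alerter.exe", "Sptres.dll", "kernel32.dll", "DMSTI.EXE"):
            open(os.path.join(folder, name), "wb").close()
        os.mkdir(os.path.join(folder, "IETCOM.DLL"))  # a directory must not match
        return scan_system_folder(folder)


if __name__ == "__main__":
    root = os.environ.get("SystemRoot")  # set on Windows, absent elsewhere
    folder = os.path.join(root, "System32") if root else None
    hits = scan_system_folder(folder) if folder and os.path.isdir(folder) else demo()
    for name, role in hits:
        print(f"{name}: {role}")
```
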
