ابن غـــــــياء
05-14-05, 08:35 AM
WORM_WURMARK.J (Medium Risk)
On May 11 Trend Micro declared a Medium Risk alert for a new WURMARK variant that is currently spreading in France, India, Singapore, and Taiwan. WORM_WURMARK.J (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WURMARK.J) is a memory-resident worm that propagates by mass-mailing copies of itself, and carries a component of a commercial keylogging spyware program produced by X Software, Inc. This spyware program is capable of running in stealth mode while logging keystrokes, monitoring accessed Web sites, capturing screenshots, and logging system activities. The worm not only propagates copies of itself, but of the spyware program as well. The commercial spyware program is therefore installed in every system that the worm infects.
Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder using a random file name. It drops a randomly named Dynamic Link Library (DLL) file, which is a spyware program detected by Trend Micro as SPY_AGENT.C, in the Windows system folder. It creates a registry entry to allow it to automatically execute at every system startup.
This worm drops the following .ZIP files in the Windows system folder:
· details.zip
· girls.zip
· image.zip
· love.zip
· message.zip
· music.zip
· news.zip
· photo.zip
· pic.zip
· readme.zip
· resume.zip
· screensaver.zip
· song.zip
· video.zip
These .ZIP files contain any of the following files:
· details.doc{multiple spaces}.scr
· girls.jpg{multiple spaces}.scr
· image.jpg{multiple spaces}.scr
· love.jpg{multiple spaces}.scr
· message.txt{multiple spaces}.scr
· music.mp3{multiple spaces}.scr
· news.doc{multiple spaces}.scr
· photo.jpg{multiple spaces}.scr
· pic.jpg{multiple spaces}.scr
· readme.txt{multiple spaces}.scr
· resume.doc{multiple spaces}.scr
· screensaver{multiple spaces}.scr
· song.wav{multiple spaces}.scr
· video.avi{multiple spaces}.scr
This worm propagates by sending a copy of itself as an attachment to email messages, which it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine.
The email that it sends out has the following details:
Subject: (any of the following)
· details
· girls
· image
· love
· message
· music
· news
· photo
· pic
· readme
· resume
· screensaver
· song
· video
Attachment: (any of the following file names)
· details.zip
· girls.zip
· image.zip
· love.zip
· message.zip
· music.zip
· news.zip
· photo.zip
· pic.zip
· readme.zip
· resume.zip
· screensaver.zip
· song.zip
· video.zip
It gathers target email addresses from the Temporary Internet Files folder, as well as from files with the following extension names:
· ASP
· DBX
· EML
· HTM
· MBX
· SHT
· TBB
It avoids sending email messages to addresses that contain any of the following substrings:
· abuse
· admin
· hostmaster
· localdomain
· localhost
· mcafee
· messagelab
· microsoft
· noreply
· postmaster
· recipients
· reports
· root
· spam
· symantec
· webmaster
If you would like to scan your computer for WORM_NOPIR.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/
WORM_NOPIR.B is detected and cleaned by Trend Micro pattern file #2.591.03 and above.
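The archive member names listed above (a document or media extension, a run of spaces, then .scr) can be flagged at a mail gateway or during triage by inspecting the ZIP directory without extracting anything. The following is an added example, not part of the original post or of Trend Micro's advisory; the function names, the executable-extension list, and the 40-space padding in the sample are assumptions.

```python
import io
import zipfile

# Assumed lists for this example: final extensions Windows runs directly, and
# the decoy extensions that appear in the advisory's file names.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd"}
DECOY_EXTS = {"doc", "jpg", "txt", "mp3", "wav", "avi"}


def suspicious_members(zip_bytes):
    """Return (member name, reason) for entries that disguise an executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            stem, dot, ext = base.rpartition(".")
            if not dot or ext.lower() not in EXECUTABLE_EXTS:
                continue  # the last extension is not one Windows would execute
            if stem != stem.rstrip():
                # Padding pushes the real extension out of view in file dialogs.
                findings.append((name, "whitespace padding before extension"))
            elif "." in stem and stem.rpartition(".")[2].lower() in DECOY_EXTS:
                findings.append((name, "decoy extension before real one"))
    return findings


def build_sample():
    """Constructed archive with harmless placeholder content, for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The padding length (40) is a constructed value, not from the advisory.
        for name in ("photo.jpg" + " " * 40 + ".scr",
                     "screensaver" + " " * 40 + ".scr",
                     "invoice.doc.scr",
                     "notes.txt"):
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample()):
        print(repr(member), "->", reason)
```

The check goes slightly beyond the listed names by also flagging an unpadded decoy extension such as `invoice.doc.scr`; a plain `notes.txt` is not reported.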