Virus: We're sinking into the ridiculous....

Willjoss
Posts: 1125
Joined: 09 Oct 2004 00:12

Post by Willjoss »

Hi,

Latest report from Trend Micro:



Trend Micro Weekly Virus Report

(by TrendLabs Global Antivirus and Research Center)











Date: November 19, 2004

NOTE: The Weekly Virus Report will be on hiatus next week, during the Thanksgiving holiday, but will return to its regular schedule on December 3.





Issue Preview:



1. Trend Micro Updates - Pattern File & Scan Engine Updates

2. Arafat Worm - WORM_GOLTEN.A (Low Risk)

3. Top 10 Most Prevalent Global Malware

4. Trend Micro URL Filtering Module - Important Product Update Now Available

5. Trend Micro Announces Network VirusWall 2500







1. Trend Micro Updates - Pattern File and Scan Engine Updates



PATTERN FILE: 2.255.00 as of November 19, 2004

SCAN ENGINE: 7.100 as of November 19, 2004







2. Arafat Worm - WORM_GOLTEN.A (Low Risk)

WORM_GOLTEN.A is a memory-resident network worm. It has no mass-mailing capabilities, but may have been mass-mailed to specific email addresses instead. The email message contains two .EMF file attachments: one shows the burial of Palestinian leader Yasser Arafat and the other contains code that exploits a Microsoft XP vulnerability. The worm propagates via network shares and attempts to connect to network shared folders. It uses a list of user names and passwords to gain access to machines, to establish a network connection and execute a copy of itself in the accessed network share. This worm runs on Windows 2000 and XP, and is currently spreading in-the-wild.



Upon execution, this worm drops the following files in the Windows system folder:

° ALERTER.EXE - main component and installer

° COMWSOCK.DLL

° DMSOCK.DLL

° IETCOM.DLL

° SPTRES.DLL

° SCARDSER.EXE - installs .DLL (Dynamic Link Library) files that inject this worm into LSASS.EXE and IEXPLORE.EXE

It also adds a registry entry that allows it to automatically execute at every system startup, and installs the following .DLL files:

° COMWSCOK.DLL

° DMSOCK.DLL

° IETCOM.DLL

° SPTRES.DLL

These .DLL files inject this worm into the following processes:

° LSASS.EXE

° EXPLORER.EXE

The .DLL files download other components from a remote location, and are responsible for the propagation of this worm.

The worm also adds a registry entry that initiates the download of a remote file, which is saved as DMSTI.EXE.

WORM_GOLTEN.A propagates through network shares and attempts to connect and execute a copy of itself in the following default network folders:

° ADMIN$

° IPC$

It also installs a service named NETLOG.

This worm uses the following user names and passwords to gain access to machines connected on the same network:


The worm may have been mass-mailed to specific email addresses. The email arrives with the following:

Subject: Latest News about Arafat!!!

Message body:

Hello guys!

Latest news about Arafat!

Unimaginable!!!!!

The email also contains two .EMF file attachments: ARAFAT_1.EMF is a .JPG file showing the burial of Palestinian leader Yasser Arafat, and ARAFAT_2.EMF contains exploit code that uses the Microsoft Windows XP Metafile Heap Overflow vulnerability. When opened, the file drops this worm into a system. Read more information on this vulnerability.

If you would like to scan your computer for WORM_GOLTEN.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_GOLTEN.A is detected and cleaned by Trend Micro pattern file 2.247.03 and above.





3. Top 10 Most Prevalent Global Malware

(week of: November 12, 2004 to November 18, 2004)

1. WORM_NETSKY.P

2. HTML_NETSKY.P

3. WORM_NETSKY.D

4. WORM_NETSKY.B

5. WORM_SOBER.G

6. JAVA_BYTEVER.A

7. WORM_BAGLE.AT

8. WORM_NETSKY.C

9. WORM_NETSKY.Q

10. WORM_SOBER.F





4. Trend Micro URL Filtering Module - Important Product Update Now Available

Trend Micro URL Filtering, an optional module integrated with Trend Micro InterScan Web Security Suite, enables companies to manage employee Internet use by restricting access to unwanted Web sites.

If you have installed InterScan Web Security Suite with URL Filtering module, an important product update is now available:

° For Windows: InterScan Web Security Suite Patch for Windows v2.0

° For Linux: InterScan Web Security Suite Patch for Linux v2.0

° For Solaris: InterScan Web Security Suite Patch for Solaris v2.0

PLEASE NOTE: This is a mandatory patch as all unpatched systems will be unable to receive URL Filtering updates after January, 2005.

° Download the patch

If you have questions or need assistance, please contact Trend Micro Technical Support in your area.



5. Trend Micro Announces Network VirusWall 2500

Trend Micro recently launched the Network VirusWall 2500 outbreak prevention appliance intended to protect multiple network segments and servers from network worms.

Network VirusWall 2500 stops network worms and vulnerability exploits with complete accuracy. It prevents infection by enforcing security policies by blocking noncompliant devices from network access, and it isolates infected network segments and automates remote clean up in case of outbreak.

° Learn more about Network VirusWall 2500





For questions, comments, and suggestions about the Weekly Virus Report please contact the Newsletters Editor at [email protected].

Copyright 1989-2004 Trend Micro, Inc. All rights reserved.



And yes, even Arafat is caught up in this one.

So, without wanting to advertise, get yourselves PC-Cillin (Trend Micro), for me the best AV, hands down. It will keep rotten emails from even getting into Outlook....

That said, for your absolute security, drop Internet Explorer in favour of Firefox and drop Outlook for The Bat! plus a good AV (PC-Cillin) and you will never have virus problems again, even HTML, Java and Macromedia ones without attachments.... :wink:

That was a professional's advice!

Oh, by the way, important news for P2P addicts: Valve has put Half-Life II online in a lousy, unplayable version (on BitTorrent, eMule, eDonkey and others), and it's deliberate... The game is so well protected that you will have to buy it; otherwise no online connection, no Counter-Strike install and an unplayable game! What's more, it installs an undetectable spy program to report the pirate... Fair warning to anyone interested... Don't download it, it's a trap!
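
The spreading behaviour described in the quoted report (user name and password guessing against ADMIN$ and IPC$, followed by a service named NETLOG) can be expressed as a log correlation. This is an added example, not part of the forum posts or of Trend Micro's report; the event tuples are constructed, and the event IDs (4625, 5140, 7045), the 300-second window and the 5-failure threshold are assumptions.

```python
from collections import defaultdict

ADMIN_SHARES = {"ADMIN$", "IPC$"}     # default shares named in the report
WORM_SERVICE = "NETLOG"               # service name named in the report
FAIL, SHARE, SVC = 4625, 5140, 7045   # assumption: modern Windows event IDs
WINDOW = 300                          # assumption: correlation window, seconds
MIN_FAILS = 5                         # assumption: guessing threshold

# Constructed sample events: (epoch_seconds, host, event_id, source_ip, detail)
SAMPLE = [
    (1000, "WS01", FAIL, "10.0.0.7", "admin"),
    (1001, "WS01", FAIL, "10.0.0.7", "root"),
    (1002, "WS01", FAIL, "10.0.0.7", "oracle"),
    (1003, "WS01", FAIL, "10.0.0.7", "admin"),
    (1004, "WS01", FAIL, "10.0.0.7", "admin"),
    (1006, "WS01", SHARE, "10.0.0.7", r"\\*\ADMIN$"),
    (1009, "WS01", SVC, "", "NETLOG"),
    (2000, "WS02", FAIL, "10.0.0.9", "alice"),        # one typo, benign
    (2050, "WS02", SHARE, "10.0.0.9", r"\\*\Public"),
    (3000, "WS03", SHARE, "10.0.0.5", r"\\*\IPC$"),   # admin share, no guessing
]

def detect(events):
    """Map host -> list of reasons for hosts matching the spreading pattern."""
    fails = defaultdict(list)    # (host, source) -> failed-logon timestamps
    share_hit = {}               # host -> time of suspicious admin-share access
    findings = defaultdict(list)
    for ts, host, eid, src, detail in sorted(events):
        if eid == FAIL:
            fails[(host, src)].append(ts)
        elif eid == SHARE:
            share = detail.rsplit("\\", 1)[-1].upper()
            recent = [t for t in fails[(host, src)] if ts - t <= WINDOW]
            # Admin-share access alone is normal; flag it only after a burst
            # of failed logons from the same source.
            if share in ADMIN_SHARES and len(recent) >= MIN_FAILS:
                share_hit[host] = ts
                findings[host].append(
                    f"{len(recent)} failed logons from {src}, then {share} access")
        elif eid == SVC and detail.upper() == WORM_SERVICE:
            linked = host in share_hit and ts - share_hit[host] <= WINDOW
            findings[host].append("NETLOG service installed"
                                  + (" after share access" if linked else ""))
    return dict(findings)
```

Only WS01 is reported for the sample data: a single failed logon (WS02) and an admin-share access with no preceding guessing (WS03) do not match.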
tietienne
Posts: 691
Joined: 07 Oct 2004 15:38

Post by tietienne »

Hi,

for HL², confirmation at this address

For all the computing news, come and have a look; this isn't advertising, just for your information... :wink:

So for HL², I confirm: Valve put this version online to catch petty pirates...

Best regards
thedark
Posts: 72
Joined: 23 Nov 2004 10:08

Post by thedark »

Trend Micro is surely not the best AV; Kaspersky is far ahead.