#1
TrendLabs HQ received several reports from Japan, Korea, China and the USA of this worm spreading via email. To control the spread of this worm, TrendLabs has declared a YELLOW alert as of August 16, 2004, 12:10 AM (GMT -7:00; Daylight Saving Time).
This mass-mailing worm arrives as a seemingly harmless email message, with the following details:
Subject: photos
Message body: !)))
Attachment: photos_arc.exe
The email attachment is actually a copy of this worm, which, when run, results in unwanted mass-mailing activity. Once activated, this worm proceeds to collect target recipients using the following methods:
* Checking the Windows Address Book (WAB)
* Sorting through files found in the temporary Internet files folder
* Querying certain entries in the Windows registry
Aside from the gathered email addresses, this worm constructs email addresses which become its additional recipients. That is, it prepends certain names (i.e., Alice, Jerry, Steve) to well-known domain names, thereby acquiring an additional pool of target recipients.
Unsuspecting users may then receive an email similar to the one cited earlier. Also consult the Technical Details page to learn more about this worm's email propagation, and to view a sample screenshot of the worm email.
It is also worth noting that this worm downloads and executes a backdoor component file from several URLs, which it stores in the Windows folder. Backdoors usually enable remote access to machines, which may compromise not only system but also user security. TREND MICRO detects the downloaded backdoor component as BKDR_RATOS.A.
The spread of this worm may cause excessive system and network activity, the results of which range from minor personal hassles to global-scale damage.
This worm arrives UPX-compressed, and runs on Windows 95, 98, ME, NT, 2000, and XP. For more information, consult the technical details section.
http://de.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_RATOS.A
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.q@mm.html
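The message details quoted above (subject, body, attachment name, UPX-compressed executable) can be checked at a mail gateway or over an exported mailbox. The following is an added example, not part of the original post or of any Trend Micro tooling; the function names, the sample messages and the UPX heuristic (section names `UPX0`/`UPX1` near the start of the file) are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the advisory text above.
SUBJECT = "photos"
BODY = "!)))"
ATTACHMENT = "photos_arc.exe"

def looks_upx_packed(data: bytes) -> bool:
    """Heuristic (assumption): DOS 'MZ' magic plus UPX section names early in the file."""
    head = data[:1024]
    return data[:2] == b"MZ" and b"UPX0" in head and b"UPX1" in head

def match_indicators(raw: bytes) -> list:
    """Return the names of the advisory indicators that a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() == BODY:
        hits.append("body")
    for part in msg.iter_attachments():
        # get_filename() decodes RFC 2231 / encoded-word names before comparison.
        if (part.get_filename() or "").strip().lower() == ATTACHMENT:
            hits.append("attachment-name")
        if looks_upx_packed(part.get_payload(decode=True) or b""):
            hits.append("upx-executable")
    return hits

def build_sample(subject, body, filename, data) -> bytes:
    """Build a constructed test message; this is not a captured worm sample."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Constructed stand-in bytes: MZ magic and UPX section names only, no real code.
FAKE_UPX = b"MZ" + b"\x00" * 200 + b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 4
SUSPECT = build_sample("photos", "!)))", "photos_arc.exe", FAKE_UPX)
BENIGN = build_sample("photos", "Holiday pictures attached.", "beach.jpg",
                      b"\xff\xd8\xff\xe0" + b"\x00" * 64)

if __name__ == "__main__":
    print(match_indicators(SUSPECT), match_indicators(BENIGN))
```

A subject match alone is weak evidence, as the benign sample shows; treat a message as suspect only when several indicators coincide.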