Taimishu
Blue Belt
Received from Trend Labs today.
Dear Trend Micro customer,
As of Aug 16, 2004 12:10 AM (GMT -7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_RATOS.A. TrendLabs has received several infection reports indicating that this malware is spreading in Japan, Korea and the United States.
This worm spreads via email with the following details:
------
Subject: photos
Message body: LOL!
)))
Attachment: photos_arc.exe
------
Upon execution, it drops a copy of itself as the following files:
. %Windows%\RASOR38A.DLL
. %System%\WINPSD.EXE
(Note: %System% refers to the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP. Note: The Windows system folder is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP.)
It downloads copies of a backdoor component file from several URLs and saves it as WINVPN32.EXE in the Windows folder.
This worm usually arrives UPX-compressed and runs on Windows 95, 98, ME, NT, 2000, and XP.
TrendLabs will be releasing the following EPS deliverables:
TMCM Outbreak Prevention Policy 126 (available)
Official Pattern Release 1.957.00 (available)
Damage Cleanup Template 394 (to be released)
Network Virus Pattern 10136 (to be released)
TrendLabs is currently working to provide a more in-depth analysis of this malware. You can visit our Web site for more updates on WORM_RATOS.A:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RATOS.A
Contact [email protected] for inquiries and to report infections in your region.
David
Dear Trend Micro customer,
As of Aug 16, 2004 12:10 AM (GMT -7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_RATOS.A. TrendLabs has received several infection reports indicating that this malware is spreading in Japan, Korea and the United States.
This worm spreads via email with the following details:
------
Subject: photos
Message body: LOL!
)))Attachment: photos_arc.exe
------
Upon execution, it drops a copy of itself as the following files:
. %Windows%\RASOR38A.DLL
. %System%\WINPSD.EXE
(Note: %System% refers to the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP. Note: The Windows system folder is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP.)
It downloads copies of a backdoor component file from several URLs and saves it as WINVPN32.EXE in the Windows folder.
This worm usually arrives UPX-compressed and runs on Windows 95, 98, ME, NT, 2000, and XP.
TrendLabs will be releasing the following EPS deliverables:
TMCM Outbreak Prevention Policy 126 (available)
Official Pattern Release 1.957.00 (available)
Damage Cleanup Template 394 (to be released)
Network Virus Pattern 10136 (to be released)
TrendLabs is currently working to provide a more in-depth analysis of this malware. You can visit our Web site for more updates on WORM_RATOS.A:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RATOS.A
Contact [email protected] for inquiries and to report infections in your region.
David
