When I last posted re: the KLEZ.H worm that I got in email, I didn't post the
previous report (new one below) cause the previous report didn't have any red
flags. Course I hadn't been hit with any worms or virus before that report. The
KLEZ.H did arrive in my email after the previous report. They still say it's low
risk with the addendum that it's passed the 1 million served mark. The one I got
was in bits and pieces and not executable so it did nothing. But obviously it's
a bit better than low risk.

To: <cbminfo@...>
Subject: Trend Micro Weekly Virus Report - May 31, 2002
From: "Trend Micro Virus Info" <VirusInfo@...>
Date: Fri, 31 May 2002 16:28:14 -0700
*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: May 31, 2002
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.antivirus.com/trendsetter/virus_report/
Issue Preview:
1. Trend Micro Updates - Pattern File and Scan Engine Updates
2. Many Variants of ENEMANY - WORM_ENEMANY.A, .B, and .C (Low Risk)
3. KLEZ Breaks the 1 Million Mark - WORM_KLEZ.H (Low Risk)
4. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
5. Trend Micro PC-cillin 2002 Now Available
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please cut and paste the URL in your browser.
************************************************************************
1. Trend Micro Updates - Pattern File and Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 291 http://www.antivirus.com/download/pattern.asp
SCAN ENGINE: 6.150 http://www.antivirus.com/download/engines/
2. Many Variants of ENEMANY - WORM_ENEMANY.A, .B, and .C (Low Risk)
------------------------------------------------------------------------
There are several low-risk variants of WORM_ENEMANY.A that Trend Micro is
closely monitoring.
WORM_ENEMANY.A is a non-destructive, non-memory resident mass-mailing worm that
sends copies of itself via email to all contacts listed in an infected user's
Microsoft Outlook address book using Outlook's MAPI functions.
It places recipient names in the BCC: field, so that the email addresses are not
visible. After sending copies of itself, it deletes the emails from the Sent
Items folder. It sends email messages with the following:
SUBJECT: The New Xerox Update for our WinXP
MESSAGE BODY: Dear,
Microsoft WinXP User, here are the last Update from Xerox Security System,
please install this file and going to www.microsoft.com and finished this Update
too.
ATTACHMENT: Xerox-Update.Exe(8.72KB)
WORM_ENEMANY.B is a non-destructive mass-mailing worm that propagates via
Messaging Application Programming Interface (MAPI), and sends itself to all
addresses listed in an infected user's Microsoft Outlook address book. It sends
email messages with the following:
SUBJECT: Edonkey Update
MESSAGE BODY: Hello Edonkey User, this is the Update tool, to fix our Edonkey
Client to 35.16.61
ATTACHMENT: Esel_Update.Exe
WORM_ENEMANY.C is a non-destructive, non-memory resident mass-mailing worm that
sends copies of itself via email to all contacts listed in an infected user's
Microsoft Outlook address book using Outlook's MAPI functions.
It places recipient names in the BCC: field, so that the email addresses are not
visible. After sending copies of itself, it deletes the emails from the Sent
Items folder. It sends email messages with the following:
SUBJECT: Alle gegen den TEuro
MESSAGE BODY: Sieh Dir mal Die Tabelle an,
mit den neusten Information uber den teuren T-Euro
ATTACHMENT: teuro.Exe(7.18KB)
If you would like to scan your computer for any of the variants of WORM_ENEMANY
or thousands of other worms, viruses, Trojans and malicious code, visit
HouseCall, Trend Micro's free online virus scanner at:
http://housecall.antivirus.com/
The variants of WORM_ENEMANY are detected and cleaned by Trend Micro pattern
file #292 and above.
For additional information about the variants of WORM_ENEMANY, please visit:
http://www.antivirus.com/vinfo/
3. KLEZ Breaks the 1 Million Mark - WORM_KLEZ.H (Low Risk)
------------------------------------------------------------------------
WORM_KLEZ.H, the memory-resident variant of the WORM_KLEZ.A mass-mailing worm
has recently surpassed the one million mark. At the time of this writing,
approximately 1,059,967 computers worldwide have been infected with WORM_KLEZ.H.
Europe, Asia, and North America have been hardest hit. You may view Trend
Micro's Risk Statistics for WORM_KLEZ.H at
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H&VSect=S&Period=All
This destructive, memory-resident mass-mailing worm uses SMTP to propagate via
email. The subject line of the email it arrives with is randomly selected from a
long list of possible choices. This worm can change or spoof the original email
address in the FROM: field. It obtains email addresses (that it places in the
FROM: field) from the infected user's address book. This causes a non-infected
user to appear as the person who has sent this worm's malicious email, and hides
the real address of the sender of the infected email.
Upon execution, this worm decodes its data in memory. It then copies itself to a
WINK*.EXE file in the Windows System directory. The copy has a hidden attribute
and the * is a random number of random characters. It also infects .EXE files.
The worm drops a randomly named file in the ProgramFilesDir (usually C:\Program
Files). Approximately 10KB in size, this program can infect files in
network-shared folders and disable system file protection. Trend Micro detects
this program as PE_ELKERN.D.
The worm also disables the running processes, and occasionally deletes the
executable files, of programs associated with several popular antivirus
products.
On Windows 98/95 systems, the worm registers itself as a service process to hide
itself from the taskbar. On Windows 2000 systems, the worm creates a system
service and registers it as a service control dispatcher. This worm does not
execute its payload on systems running Windows NT 4.0 and earlier versions,
although infection of machines with this operating system is possible if the
machine has shared folders. The dropped virus, PE_ELKERN.D, infects files in
shared drives. When this happens, a full infection of the system may result,
since PE_ELKERN.D executes on any Windows platform.
WORM_KLEZ.H is detected and cleaned by Trend Micro pattern file #265 and above.
For additional information about WORM_KLEZ.H, please visit Trend Micro
at: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H
4. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: May 20, 2002 to May 26, 2002)
------------------------------------------------------------------------
1. WORM_KLEZ.H
2. JS_EXCEPTION.GEN
3. WORM_KLEZ.E
4. WORM_YAHA.B
5. WORM_BENJAMIN.A
6. WORM_MYLIFE.J
7. VBS_LOVELETTR.AS
8. PE_MAGISTR.B
9. PE_MAGISTR.DAM
10. PE_NIMDA.E
5. Trend Micro PC-cillin 2002 - Antivirus, Anti-Hacker, & PDA Virus Protection
------------------------------------------------------------------------
Trend Micro is pleased to announce the release of PC-cillin 2002.
PC-cillin 2002 provides award-winning protection against macro viruses, Trojans,
and other malicious threats. An integrated personal firewall helps secure
desktop computers against illegal access, ping attacks, and even port scanning
for Internet-era protection. This complete antivirus strategy also includes
security for Palm, Pocket PC, and EPOC devices.
BUY NOW: $39.95
http://www.trendmicro.com/pcc2002_wvr
If you already own PC-cillin, you may purchase an upgrade to PC-cillin 2002 for
just $19.95 at:
http://www.antivirus.com/pc-cillin/products/upgrade.htm
This pricing applies to customers in the U.S. and Canada only.
************************************************************************
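
Added example, not part of the original post or of the Trend Micro report: a mail-filter check that matches the WORM_ENEMANY subject lines and attachment names quoted in section 2 against raw messages. The function names, the match-strength labels and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# (subject, attachment name) pairs quoted in section 2 of the report, lower-cased.
INDICATORS = {
    "WORM_ENEMANY.A": ("the new xerox update for our winxp", "xerox-update.exe"),
    "WORM_ENEMANY.B": ("edonkey update", "esel_update.exe"),
    "WORM_ENEMANY.C": ("alle gegen den teuro", "teuro.exe"),
}

def _norm(text):
    """Collapse whitespace and lower-case so folded headers still compare equal."""
    return " ".join(str(text or "").split()).lower()

def classify(raw):
    """Return [(variant, strength)] for one raw RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = _norm(msg["Subject"])  # policy.default decodes RFC 2047 encoded words
    names = {_norm(part.get_filename()) for part in msg.walk()} - {""}
    hits = []
    for variant, (subj, fname) in INDICATORS.items():
        subj_hit, att_hit = subject == subj, fname in names
        if subj_hit and att_hit:
            hits.append((variant, "subject+attachment"))
        elif att_hit:
            hits.append((variant, "attachment-only"))  # subject line was altered
        elif subj_hit:
            hits.append((variant, "subject-only"))     # weak signal, review only
    return hits

def make_sample(subject, filename=None):
    """Build a constructed test message; the attachment bytes are inert filler."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"inert placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return bytes(m)

if __name__ == "__main__":
    for subj, fname in [("The New Xerox Update for our WinXP", "Xerox-Update.Exe"),
                        ("Re: holiday photos", "teuro.Exe"),
                        ("Edonkey Update", None),
                        ("Weekly status", "notes.txt")]:
        print(subj, "->", classify(make_sample(subj, fname)))
```

This check does not apply to WORM_KLEZ.H, whose subject line the report describes as randomly selected from a long list.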