T R E N D M I C R O W E E K L Y V I R U S R E P O R T

(by TrendLabs, Global Antivirus and Research Center)
************************************************************************
------------------------------------------------------------------------
Date: March 1, 2002
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to: http://www.antivirus.com/trendsetter/virus_report/

Issue Preview:

1. TREND MICRO UPDATES: Pattern File and Scan Engine Updates
2. .NET Worm--WORM_BLUNT.A a.k.a. Sharpei (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Mass-mailing VBS Worm--VBS_BRITNEYPIC.A (Low Risk)
5. Test Your Virus Knowledge & Scan Your Computer FREE!

NOTE: Long URLs may break into two lines in some mail readers. Should this occur, please cut and paste the URL in your browser.

************************************************************************

1. TREND MICRO UPDATES: Pattern File and Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 233 http://www.antivirus.com/download/pattern.asp
SCAN ENGINE: 5.630 http://www.antivirus.com/download/engines/

2. .NET Worm--WORM_BLUNT.A a.k.a Sharpei (Low Risk)
------------------------------------------------------------------------
WORM_BLUNT.A is a non-destructive worm that propagates via Microsoft Outlook.
Upon execution, this worm checks whether the Microsoft .NET framework is installed.
If so, it then copies itself to C:\MS02-010.exe. It also drops the file "sharp.vbs" that contains codes that allow it to send itself through Microsoft Outlook.
This worm uses the following email to spread:

SUBJECT: Important: Windows update
MESSAGE BODY: Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.
ATTACHMENT: MS02-010.exe

This worm also drops the file "cs.exe" in the Windows directory, which is the NET component of the virus. Trend Micro detects this as PE_BLUNT.A.
PE_BLUNT.A will infect if the Microsoft .NET framework is installed. Upon next startup, PE_BLUNT.A displays the following message box:

TITLE: Sharp
MESSAGE: You're infected with Win32.HLLP.Sharp, written in C#, by Gigabyte/Metaphase

For additional information about WORM_BLUNT.A, please visit the Trend Micro Virus Information Center at:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_BLUNT.A

Trend Micro considers WORM_BLUNT.A to be a very low risk virus and detection will be available in the next official pattern release, #234, on or before March 5.

3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro in the US (week of: February 18 through February 24, 2002)
------------------------------------------------------------------------
1. WORM_BADTRANS.B
2. PE_MAGISTR.B
3. PE_MAGISTR.A
4. WORM_BADTRANS.A
5. JS_EXCEPTION.GEN
6. WORM_SIRCAM.A
7. WORM_KLEZ.E
8. WORM_HYBRIS.M
9. WORM_HYBRIS.B
10. JS_SEEKER.R

SPECIAL OFFER:
Webmasters, add free virus information updates to your Web site with our Virus Info Feed. Simply copy and paste a small piece of code to give your visitors a real-time top 10 list and the latest virus advisories. Setup takes approximately 10 minutes and requires no server-side code on your Web site. All content is updated automatically from Trend Micro's Web site. http://www.antivirus.com/syndication/vinfo/default.asp?ref=nwsltr

4. Mass-mailing VBS Worm--VBS_BRITNEYPIC.A (Low Risk)
------------------------------------------------------------------------
VBS_BRITNEYPIC.A is a CHM (Compiled HTML help file) Trojan that arrives as an mscompressed file, which has an embedded VBS script inside its body. This Trojan overwrites files, and is capable of mass mailing. It also spreads through MIRC.

A sample of the email this Trojan sends using MAPI is as follows:

SUBJECT: RE: Britney Pics
MESSAGE BODY: Take a look at these pics ...
Regards,
ATTACHMENT:

For additional information about VBS_BRITNEYPIC.A, please visit the Trend Micro Virus Information Center at: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_BRITNEYPIC.A
Trend Micro considers VBS_BRITNEYPIC.A to be a very low risk virus and detection will be available in the next official pattern release, #234, on or before March 5.

5. Test Your Virus Knowledge & Scan Your Computer FREE!
------------------------------------------------------------------------
Do you think you know enough about viruses? Try our new HouseCall quiz as you scan your computer FREE for viruses and other malicious code. At the end of the quiz you will be eligible to purchase Trend Micro PC-cillin 2000 for 20% OFF!!

SCAN NOW at http://housecall.antivirus.com

************************************************************************
For questions regarding viruses, please contact the Virus Doctor at Virus_Doctor@trendmicro.com.

For questions regarding products, please contact Tech Support at support@trendmicro.com .

For questions, comments and suggestions about the Weekly Virus Report please contact our editor at Newsletters@trendmicro.com.
************************************************************************


-- Anonymous, March 04, 2002