Name: wawadave
IDG News Service, 07/16/03
Antivirus company TruSecure is warning users about a new e-mail worm that is beginning to spread on the Internet and over the Kazaa peer-to-peer network.
The new worm, dubbed "Gruel" is a mass-mailing worm that masquerades as a Windows software patch from Microsoft and as a virus removal tool from Symantec, according to an alert from TruSecure.
Like other mass mailing worms, Gruel spreads by stealing e-mail addresses from an infected computer's Microsoft Outlook address book and mailing copies of itself to those addresses, the company said. The worm deletes files from machines it infects and copies itself into various locations, including folders used by the Kazaa file-sharing network, enabling it to spread on that network as well, TruSecure said.
TruSecure received word of five infections and fielded around 20 calls from users who have received e-mail messages containing the virus, according to Bruce Hughes, content security lab manager at TruSecure.
While the number of infections is still low, Gruel has a number of characteristics that have allowed other worms to successfully spread in recent months, Hughes said.
In addition to its clever use of so-called "social engineering" tricks such as using the names of Microsoft and Symantec to fool recipients, the coupling of mass mailing techniques and features to spread over peer-to-peer networks makes Gruel more dangerous, Hughes said.
Unlike other worms, however, Gruel does not spread over shared folders on local area networks, he said.
While most organizations have antivirus software that will block or quarantine the executable attachment containing the Gruel virus, home users without such protections will likely bear the brunt of the new worm, Hughes said.
In the coming hours and days, infections on those home systems may bombard corporate mail gateways with infected messages as well, Hughes said.
The company currently has the new worm on "watch," he said.
The IDG News Service is a Network World affiliate.
Network World Security and Bug Patch Alert

Virus Alert: Trojan Downloads, Deploys Additional Components
July 22, 2003
Troj/DownLdr-DI is a malicious program that downloads and deploys additional components from URLs stored (in encrypted form) inside the program. Because these components are fetched only when you run the Trojan, their contents may change at any time. Sophos has received several reports of this Trojan from users who appear to have received it in an orchestrated email blast, presumably by the Trojan's author. More information is at this Sophos page.
W32/Lohack.c@MM Arrives in Email Message
This is a simple mass-mailing worm that also spreads via the KaZaa file-sharing network. It is a UPX packed Microsoft Visual C++ executable and arrives in an email message containing the following information:
Subject: Windows update
Body: Install this Windows update (for all versions)
http://www.[omitted].hpg.com.br/update.html
Attachment: windows_update.txt.exe
Running the attachment causes the worm to send itself, using MAPI, to email addresses found in .DBX, .EML, .HTM, .IDX, .MDX, .MSG, .NCH, and .TXT files found on the system. If the user does not run the attachment, but does visit the link in the email message, script on the page will attempt to refresh and load an email file "update.eml". The email file contains an IFrame exploit which may launch an embedded copy of "windows_update.txt.exe". Read more at this McAfee page.
BackDoor-AXQ Spreads Manually
This is a remote access Trojan. It is spread manually and may arrive with the file name winrcLoader.exe, however, is not limited to this file name or extension. It opens a TCP port (1976) to allow a remote attacker to perform various tasks on an infected system. When run, the Trojan installs 3 components to the WINDOWS (%WinDir%) directory:
--winrc.htm (130 bytes)
--winrc.dll (28,672 bytes)
--winrcobj.dll (126,976 bytes)
It also copies itself to this directory and creates an HTML file, winrc.htm. Several registry keys are created. View them and other information at this McAfee page.
Multiple Versions of Downloader-DI Trojan Exist
The versions of Download-DI are known to have been spammed out to users by email. Users are recommended to use the latest engine/DATs for optimal detection.
When run, it connects to the hacker's site to download a remote file. This remote file is a backdoor Trojan, detected as BackDoor-AXJ. Spammed email messages with various characteristics have been reported. For example:
From: Wells Fargo Accounting
To: username
Subject: Re: Wells Fargo Bank New Business Account Application - ID# 4489
Attachment: wellsfargo.biz.jsessionid=5QWBU8TLSM01.pif
More information is at this McAfee page.
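As an added defender-side example that is not part of the original alerts, the script below applies the attachment check a mail gateway would run to messages shaped like the Lohack and Downloader-DI lures above: it parses the message, finds each attachment and reports executable extensions, flagging the decoy double-extension form (.txt.exe) separately. The executable extensions beyond .exe and .pif, the decoy-extension list and the sender/recipient addresses are assumptions; the sample messages are constructed from the headers quoted above.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions Windows runs on double-click: .exe and .pif come from the alerts
# above; the others are common executable types assumed here.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs"}
# Harmless-looking extensions placed before the real one (e.g. .txt.exe).
DECOY_EXTS = {"txt", "doc", "htm", "html", "jpg", "gif", "pdf", "zip"}

def attachment_verdict(filename: str) -> str:
    """Return 'clean', 'executable' or 'disguised-executable' for a file name.
    Only the final extension decides what Windows executes; a document-like
    extension in front of it (windows_update.txt.exe) is a social-engineering
    decoy, so that case is reported separately."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "clean"
    if any(p in DECOY_EXTS for p in parts[1:-1]):
        return "disguised-executable"
    return "executable"

def scan_message(raw: str) -> list:
    """Parse an RFC 822 message and return (filename, verdict) per attachment."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and part.get_content_disposition() == "attachment":
            findings.append((name, attachment_verdict(name)))
    return findings

def build_sample(subject: str, body: str, attachment: str) -> str:
    """Build a test message with a dummy attachment (constructed data)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.invalid", "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ dummy bytes, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename=attachment)
    return msg.as_string()

if __name__ == "__main__":
    # Headers copied from the Lohack and Downloader-DI alerts above.
    samples = [("Windows update", "Install this Windows update (for all versions)",
                "windows_update.txt.exe"),
               ("Re: Wells Fargo Bank New Business Account Application - ID# 4489",
                "see attached", "wellsfargo.biz.jsessionid=5QWBU8TLSM01.pif")]
    for subj, body, att in samples:
        print(subj, "->", scan_message(build_sample(subj, body, att)))
```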
Worm_Jantic.B Sends Out Mass Emails
This variant of WORM_JANTIC.A mass-mails copies of itself to all addresses listed in the Microsoft Outlook address book. It sends out an email with any of a variety of formats. View them at this Trend Micro page.