Upon execution the malicious application would install Troj/Slanret-A as a device with the device name Mp437bba8e and may set the following registry entry:
HKLM\System\CurrentControlSet\Services\Ierk8243
Troj/Slanret-A acts as a device and provides an interface that allows an application to run hidden with full system privileges.
For removal instructions, visit this Sophos page.
W32.HLLW.Winur Worm Attempting to Spread
The W32.HLLW.Winur worm is out and attempts to spread via the KaZaA and WinMX file-sharing programs. It is also capable of Distributed Denial of Service (DDoS) attacks.
W32.HLLW.Winur is written in Microsoft Visual Basic version 6. Symantec is giving the worm a low threat rating. For technical details, visit this Symantec page.
Trend Micro is also noting the presence of Winur, under the alias Worm_Winur.A. The company reports that the worm drops a copy of itself on loaded floppy disks. It configures MSN Messenger to prompt users to send a copy to other MSN users.
This worm runs on Windows 95, 98, ME, 2000, and XP. Trend Micro also gives Winur an overall low risk rating. Read more on this Trend Micro page.
VBScript Worms Considered Low Threat
VBS_Evion.A is an encrypted VBScript malware that itemizes drives and overwrites files with the following extensions:
VBS
HTM
HTML
ASP
HTX
HTA
It also spreads through mIRC as the file JOKE.HTM. Trend Micro detects this IRC component as IRC_EVION.A. This malware carries the payload of displaying various message boxes depending on the system date. VBS_Evion.A runs on Windows 9x, ME, NT, 2K and XP.
Read technical details here.
The other Visual Basic worm Trend Micro detected Tuesday was VB_Sludge.A, which uses Kazaa Lite in order to propagate. It creates copies of itself in the shared folder of Kazaa Lite using interesting file names to attract other users into downloading it.
Find out what message the worm is displaying here.
Mass Mailing Worm Blitzdung Spreading via Yahoo!
Blitzdung is a mass mailing worm that tries to send itself to all users found in the Yahoo! Messenger log file, and attempts to send itself on any IRC channel that the user visits. In addition to spreading itself, the worm copies itself to the Windows root directory, tries to drop the Elkern.C virus and on certain dates tries to overwrite Windows system files.
Blitzdung is considered to be a low threat because it relies on the existence of Yahoo! Messenger and an older version of the WinZip utilities, so the worm is not capable of spreading from most systems. The email has the subject line "tm net support recommended by [USER]" where [USER] is the address read from the ypager.log.
Read the body of the email and other information on this F-Secure page.
Compiled by Esther Shein.