As of Aug 16, 2004 12:10 AM (GMT -7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_RATOS.A. TrendLabs has received several infection reports indicating that this malware is spreading in Japan, Korea and the United States.

This worm spreads via email with the following details:

------
Subject: photos
Message body: LOL!;))))
Attachment: photos_arc.exe
------

Upon execution, it drops a copy of itself as the following files:

. %Windows%\RASOR38A.DLL
. %System%\WINPSD.EXE

(Note: %System% refers to the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP.)

It downloads copies of a backdoor component file from several URLs and saves it as WINVPN32.EXE in the Windows folder.

This worm usually arrives UPX-compressed and runs on Windows 95, 98, ME, NT, 2000, and XP.
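The following Python example is added here and is not TrendLabs code. It shows how a mail filter could match the email details listed above against a parsed message. The function names, the sample addresses, and the rule that the attachment name plus one other field must match are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text.
SUBJECT = "photos"
BODY = "LOL!;))))"
ATTACHMENT = "photos_arc.exe"

def match_ratos_mail(raw_bytes):
    """Return which advisory indicators appear in one raw mail message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            # Compare the base name only, ignoring case and any path prefix.
            base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
            if base == ATTACHMENT:
                hits.append("attachment")
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip() == BODY:
                hits.append("body")
    return hits

def is_suspect(raw_bytes):
    # Assumed rule: subject and body are generic on their own, so require
    # the attachment name plus at least one other matching field.
    hits = match_ratos_mail(raw_bytes)
    return "attachment" in hits and len(hits) >= 2

def build_sample(subject, body, filename):
    """Build a constructed test message; the payload is a harmless placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder, not malware",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(match_ratos_mail(build_sample("photos", "LOL!;))))", "Photos_Arc.EXE")))
```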

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RATOS.A