This MYTOB variant was first seen on December 31, 2005. Today, we are receiving lots of new samples of this MYTOB variant. These new samples were packed using UpackByDwing. We detect these new WORM_MYTOB.NM samples as PAK_Generic.001.
To all Trend Micro users, please make sure that your Trend Micro product is up-to-date. To all non-Trend Micro users, please visit our Virus Encyclopedia website to see more information about WORM_MYTOB.NM. Here are the links:
WORM_MYTOB.NM (Technical Details)
WORM_MYTOB.NM (Solution)
Another spammed email with an attachment, map.wmf, which exploits the WMF SetAbortProc vulnerability is in the wild. The file map.wmf is detected as TROJ_NASCENE.M. The WMF file downloads a backdoor named "calc.exe", which is detected as BKDR_AGENT.AXO.
The following are the email details:
Subject: Confidential
Body:
Attached is the digital map for you. You should meet that man at those points seperately.
Delete the map thereafter. Good luck.
Tommy
File Attachment: map.wmf
Users are advised to apply one of the recommended fixes for the WMF vulnerability discussed in a previous blog entry, Another WMF Exploit, or to unregister shimgvw.dll. To unregister the DLL:
1. Go to Start, then click "Run".
2. Type "cmd" to open the command prompt console.
3. Type "regsvr32 -u %windir%\system32\shimgvw.dll" in the command prompt.
Here comes another heads-up for the WMF exploit. HD Moore of Metasploit updated his Metasploit Framework module and, guess what, it can bypass known IDS signatures. Read the ISC SANS blog entry "More .wmf Woes" for more details.
This is troublesome because it shows how much flexibility there is in the ways the vulnerability in WMF files can be exploited: signatures written for one variant of the malicious file do not necessarily catch the next. We hope an official patch will be available soon.
Just a few days after the release of the WMF exploit, we now see it spammed through emails with these details.
Subject: happy new year
Attachments: HappyNewYear.jpg
Body: picture of 2006
The WMF exploit is now really making a loud noise: it is served from websites, loaded through website iframes, and now spammed through mail. We even have reports of it being used in IM worms (we are still looking for this malware, by the way, but we have already sent the links to our WebBlocking team).
Again, a warning to all users to be very alert. We also have a link to the fix tool mentioned in hexblog here. It is advised that the tool be used only as a hotfix and not as a permanent solution. We should update and patch our systems immediately once Microsoft has released its update.
The spammed WMF file has already been passed to the service team.
Update (JoneZ, 02 January 2006 03:14:10)
The file HappyNewYear.jpg will be detected as TROJ_NASCENE.H.
Adding to the list of URLs using the new WMF exploit, we received reports on a botnet which distributes WMF exploits from http://www.<BLOCKED>.biz/tr. We downloaded 10 WMF file samples, each with a distinct MD5 hash. The WMF files, to be detected as TROJ_NASCENE.GEN, contain malicious code that downloads and executes another malware. The downloaded malware, which will be detected as ADW_EXFOL.A, further downloads another malware already detected as ADW_EXFOL.A.
The detected adware displays the message box shown below:
![](http://extracare.trendmicro-europe.com/tm/core/global/images/diary/94ac83e3d8951986595ee5c588f793c4_msg.jpg)
After clicking on the Terms & Conditions, it opens a URL which has the Exfol EULA. (Click on the image below to view an enlarged image.)
![](http://extracare.trendmicro-europe.com/tm/core/global/images/diary/94ac83e3d8951986595ee5c588f793c4_site.jpg)
Using Snort, the WMF exploit can be detected with this set of rules (each rule is one line; the backslashes in the pcre patterns are hex escapes for the WMF header bytes):

```
# This rule identifies the HTTP stream for the rules that follow
alert tcp any $HTTP_PORTS -> any any (sid:1006182; flow:from_server,established; content:"HTTP|2F|1|2E|"; nocase; depth:0; content:"200 OK"; nocase; within:8; flowbits:set,HTTPSTREAM; flowbits:noalert; classtype:VM;)
# These two rules identify a WMF (header type 1 or 2, header size 9, version 0x0300) in that stream
alert tcp any $HTTP_PORTS -> any any (sid:1006183; flowbits:isset,HTTPSTREAM; flowbits:isnotset,WMF; content:"HTTP|2F|1|2E|"; nocase; depth:0; content:"200 OK"; nocase; within:8; content:"|0D 0A 0D 0A|"; pcre:"/.{0,8}[\x01\x02]\x00\x09\x00\x00\x03/AR"; flowbits:set,WMF; flowbits:noalert; classtype:VM;)
alert tcp any $HTTP_PORTS -> any any (sid:1006185; flowbits:isset,HTTPSTREAM; flowbits:isnotset,WMF; content:"|00 09 00 00 03|"; distance:1; pcre:"/[\x01\x02]\x00\x09\x00\x00\x03/"; flowbits:set,WMF; flowbits:noalert; classtype:VM;)
# This rule alerts on the META_ESCAPE (0x0626) / SetAbortProc (9) record inside an identified WMF
alert tcp any $HTTP_PORTS -> any any (sid:1006187; flowbits:isset,WMF; content:"|26 06 09 00|"; classtype:VM;)
```
The rules were taken from ISC.SANS.ORG.
For those who are not familiar with Snort, here is a definition from www.snort.org: Snort is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.
Find more about snort here.
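The Snort rules above match raw bytes: the WMF header signature and the `26 06 09 00` bytes of a META_ESCAPE record with escape sub-function 9 (SetAbortProc). The added Python example below is not from the original post or from ISC SANS; it shows the same check two ways, as a content-only scan equivalent to the rules and as a structural walk of the WMF record list, so that a `26 06 09 00` that merely appears inside some other record's data does not trigger the structural check. The record layout (18-byte header, each record a DWORD size in words followed by a WORD function code) is the standard WMF format; the sample file built by `build_sample_wmf` is constructed for the test and carries only zero bytes as escape data.

```python
import re
import struct

# WMF constants from the standard header and record layout.
WMF_HEADER_LEN = 18        # 9 WORDs: type, header size, version, file size (2), objects, max record (DWORD), members
META_EOF = 0x0000
META_ESCAPE = 0x0626       # the function code the Snort rule matches as |26 06|
ESCAPE_SETABORTPROC = 9    # escape sub-function 9, the |09 00| that follows it

# Raw byte signatures equivalent to the Snort rules on the page.
HEADER_SIG = re.compile(rb"[\x01\x02]\x00\x09\x00\x00\x03")   # type 1/2, header size 9, version 0x0300
ESCAPE_SIG = b"\x26\x06\x09\x00"                               # META_ESCAPE + SETABORTPROC


def raw_signature_scan(data):
    """Content-only check, as the Snort rules do it: header signature, then the escape bytes anywhere after it."""
    m = HEADER_SIG.search(data)
    return m is not None and ESCAPE_SIG in data[m.end():]


def parse_wmf_records(data):
    """Walk the record list after the 18-byte header and yield (offset, function, parameter bytes).

    Raises ValueError on a malformed file: bad header, a record shorter than its own
    6-byte record header, or a record whose declared size runs past the end of the data."""
    if len(data) < WMF_HEADER_LEN:
        raise ValueError("data shorter than a WMF header")
    file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    if file_type not in (1, 2) or header_size != 9 or version != 0x0300:
        raise ValueError("not a standard WMF header")
    off = WMF_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size in 16-bit words, then function code
        if size_words < 3:
            raise ValueError("record at offset %d declares %d words (< 3)" % (off, size_words))
        end = off + size_words * 2
        if end > len(data):
            raise ValueError("record at offset %d runs past end of data" % off)
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def find_setabortproc(data):
    """Return offsets of META_ESCAPE records whose escape sub-function is SETABORTPROC."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            escape_code = struct.unpack_from("<H", params, 0)[0]
            if escape_code == ESCAPE_SETABORTPROC:
                hits.append(off)
    return hits


def build_sample_wmf(escape_code, escape_data=b"\x00" * 8):
    """Constructed test input: header, one META_ESCAPE record carrying escape_data, then META_EOF.
    This is a structural sample for exercising the detector, not a malicious file."""
    assert len(escape_data) % 2 == 0
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300, 0, 0, 0, 0, 0)
    esc_len = 6 + 4 + len(escape_data)                     # record header + escape code + byte count + data
    escape = struct.pack("<IHHH", esc_len // 2, META_ESCAPE, escape_code, len(escape_data)) + escape_data
    eof = struct.pack("<IH", 3, META_EOF)
    return header + escape + eof


if __name__ == "__main__":
    sample = build_sample_wmf(ESCAPE_SETABORTPROC)
    print("raw signature:", raw_signature_scan(sample), "structural hits:", find_setabortproc(sample))
```

A benign file whose escape data happens to contain the bytes `26 06 09 00` fires the raw scan but not the structural check, which is the usual trade-off between a content signature on the wire and a parser on the file.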
Just to let you know, Microsoft has published a security advisory regarding the zero-day exploit on Windows XP and 2003, which they titled "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution". The advisory can be accessed at http://www.microsoft.com/technet/security/advisory/912840.mspx.
You may have third-party software installed to view image files, including .wmf files and some video/audio file formats. One freely available program used by many is IrfanView. I installed the latest version, version 3.98, which comes with an application called IrfanView Thumbnails that lets you view IrfanView's supported file formats in a Windows Explorer-like interface. Out of curiosity, I tried viewing the malicious WMF files using that application. Surprisingly, the malicious code found in the WMF files was executed and I got infected with the malware downloaded by the WMF file.
Also, by default, WMF files will be opened in IrfanView after installing the software, and viewing the malicious WMF file in IrfanView will execute the malicious code found in the file.
Thus, as a word of caution, don't just open or view unsolicited WMF files. When using Internet Explorer, you may apply the temporary solution suggested in a previous blog post. Click here to access that blog entry. Always update your pattern files. Pattern files can be downloaded from the links found at http://www.trendmicro.com/download/pattern.asp.
Another workaround suggested by Microsoft is to unregister the Windows Picture and Fax Viewer (Shimgvw.dll), quoted below.
To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Microsoft’s Advisory can be found here.
SANS reported that when searching for "money" in Google, one of the search results (http : //www . <BLOCKED> . com) is a site that compromises the user's PC.
I tried searching for "money" in Google but did not find the said site; maybe Google has already taken it down.
So I tried the link mentioned, and it is up and running.
The site fronts itself as GOLD COMPANY GROUP, a management fund aimed at middle-sized investors worldwide.
But in truth, hidden among the code of this site is an IFRAME pointing to http:// www.<BLOCKED>.com /image /index.htm, which contains another iframe pointing to two sites:
- http: //www.<BLOCKED>.com /image /b.htm, which is already detected by Trend as JS_ONLOADXPLT.A
- http: //www.<BLOCKED>.com /image /f.htm, which also contains exploit code used by JS_ONLOADXPLT.A
This results in the user's system being compromised.
Just a fair warning to Internet surfers out there: not everything seen on the net is good, so always double-check the links you go to.
Also, to be more secure, set your browser's security settings to HIGH and always patch your systems with the latest updates.
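The entry above describes the pattern of a legitimate-looking front page that carries a hidden iframe chain to exploit pages on another host. The added Python example below is not from the original post; it is a small check a web administrator or analyst can run over a page's HTML to list iframes that are hidden (zero or one pixel, `display:none`, `visibility:hidden`) or that point to a host other than the page's own. The sample page and the `investor-front.example` and `blocked-host.example` hostnames are constructed placeholders, not the sites from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: an investment-fund front page whose body carries a hidden,
# off-site iframe, the pattern described in the post. Hostnames are placeholders.
SAMPLE_HTML = """
<html><body>
<h1>GOLD COMPANY GROUP</h1>
<p>A management fund for middle-sized investors.</p>
<iframe src="/news/ticker.htm" width="400" height="60"></iframe>
<iframe src="http://blocked-host.example/image/index.htm" width="0" height="0" style="display:none"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag (self-closing tags included)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height of 0 or 1, with or without a px suffix; False for anything else."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def _is_hidden(attrs):
    """Hidden by size (both dimensions tiny) or by inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (_is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", ""))) \
        or "display:none" in style or "visibility:hidden" in style


def suspicious_iframes(html, page_url):
    """Return [(src, [reasons])] for iframes that are hidden and/or load from another host.

    Relative srcs have no host and are only reported when hidden."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        src_host = (urlparse(src).hostname or "").lower()
        reasons = []
        if _is_hidden(frame):
            reasons.append("hidden")
        if src_host and src_host != page_host:
            reasons.append("off-site")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "http://investor-front.example/"):
        print(src, why)
```

Run it against the saved HTML of a page with the page's own URL as `page_url`; a hit that is both hidden and off-site is the case worth following up, while a visible same-site frame such as the ticker in the sample is not reported.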
I thought this night would be quiet, but here comes a 'bagle' with an MD5 of 7a7f3dd56fbd01f7618421fe7c9de1ce. I hope this will not have a second, third or fourth round like the previous bagle. We'll see...
Meanwhile, you may visit our Advisories page for some details.