Archives for May 2006

Natasha and Cristina …

  • Posted: May 30, 2006
  • Author: Virus analyst

Since this morning, we’ve been receiving picture files of two lovely girls, Natasha and Cristina …

Or so it seems.

Natasha and Cristina (aka TROJ_DLOADER.AWT and TROJ_SMALL.ABO) are actually Trojan programs that attempt to download and execute a file from a particular website (a known virus accomplice site). These two babes, er, Trojans, trick users into opening them through the use of double-extension filenames and picture file icons. As of now, the samples we have received follow this naming convention:

DCXXX_{Girl’s Name}.JPG.EXE

{Girl’s Name}_DCXXX.JPG.EXE

Detection patterns are currently in the works for this malware.
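
As an added illustration (not code from the original post), here is a small Python triage routine that flags attachment names using the double-extension trick described above. The DCXXX naming convention is taken from the post; the assumption that XXX stands for three alphanumeric characters, the extension lists, and the sample filenames are mine.

```python
import re
from pathlib import PurePath

# Final extensions Windows treats as executable on double-click (a subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions a user expects to be harmless data and is therefore happy to open.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".doc", ".txt", ".pdf"}

# Naming convention reported in the post: DCXXX_{name}.JPG.EXE and {name}_DCXXX.JPG.EXE.
# Assumption (mine, not stated in the post): XXX stands for three alphanumeric characters.
DCXXX_PATTERN = re.compile(
    r"^(DC[0-9A-Z]{3}_[A-Z]+|[A-Z]+_DC[0-9A-Z]{3})\.JPG\.EXE$", re.IGNORECASE
)


def is_deceptive_double_extension(filename: str) -> bool:
    """True when an executable extension hides behind a decoy data extension."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS


def matches_reported_convention(filename: str) -> bool:
    """True when the name follows the exact convention seen in the samples."""
    return DCXXX_PATTERN.match(filename) is not None


def triage(filenames):
    """Return (filename, reason) pairs for every name that deserves a closer look.

    The specific convention is checked first so the more precise reason wins;
    the generic double-extension rule catches variants with other names or decoys.
    """
    findings = []
    for name in filenames:
        if matches_reported_convention(name):
            findings.append((name, "matches DCXXX naming convention"))
        elif is_deceptive_double_extension(name):
            findings.append((name, "decoy extension before executable extension"))
    return findings


if __name__ == "__main__":
    # Constructed sample attachment names, not real observations.
    sample = ["DC123_Natasha.JPG.EXE", "Cristina_DC045.jpg.exe", "holiday.jpg",
              "archive.tar.gz", "invoice.pdf.scr"]
    for name, reason in triage(sample):
        print(f"{name}: {reason}")
```

Windows hides known extensions by default, so a name like Natasha.JPG.EXE is displayed as Natasha.JPG; any such check belongs at the mail gateway or on the full filename, not on what the user sees.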


Malware Installs Own Web Browser

  • Posted: May 24, 2006
  • Author: Virus analyst

A new worm is spreading around, using Yahoo! Messenger as its propagation vector.


Users of Yahoo! Messenger may be affected by this worm, as it sends a website link to all contacts in the user’s contact list.

Accessing the website link installs a “Safety Browser” on the affected machine. The web browser is installed without the user’s permission and disguises itself using the Internet Explorer logo/icon. When this “Safety Browser” is opened, it plays music that loops over and over. Furthermore, it modifies the Internet Explorer start page to display the Safety Browser’s own homepage.

A detection pattern is currently in the works for this new threat. We’ll update you as soon as it’s out.


Update (Jasper, 24 May 2006 14:15:01)

This worm is being detected by Trend as TROJ_BROWSAFE.A. The detection pattern is available in CPR 3.452.01.



0-day MS Word used in targeted attack

  • Posted: May 19, 2006
  • Author: Virus analyst

According to the Internet Storm Center (ISC), a 0-day in MS Word was used in a targeted attack against a certain company. We’ve also received a customer inquiry, and yes, we are aware of it.

I’ve sent out a request for the sample, and hopefully, we’ll have it by today.



Update (Jovs, 20 May 2006 00:48:01)

We have just acquired a sample for this, which is now being processed by our engineers. I will soon update this blog with the malware name.

Update (Jovs, 20 May 2006 05:38:59)

I just received word that this malware will be detected as W97M_MDROPPER. As of now there are already two variants of this malware, namely W97M_MDROPPER.AB and W97M_MDROPPER.AC.



Quicktime Upgrade and Apple Security Updates

  • Posted: May 15, 2006
  • Author: Virus analyst

Hi folks!
Yep, it’s time to upgrade your Quicktime media player to version 7.1 whether you’re a Windows OS or a Mac OS user (as long as you use Quicktime player).


This upgrade is released to fix security holes found in the media player. It fixes security holes triggered when viewing crafted images and movies (according to SANS). You may also read the release notes for further details of the upgrade.


Meanwhile, while upgrading Quicktime on your Mac OS system, you should also consider patching your system with Apple’s Security Update 2006-003. Read about the update here.


Visit the Apple website for the Quicktime upgrade and Mac OS Security Update 2006-003.


References:

  • isc.sans.org
  • www.apple.com
  • docs.info.apple.com


Microsoft Windows “itss.dll” Heap Corruption Vulnerability

  • Posted: May 11, 2006
  • Author: Virus analyst

Yes, it’s another vulnerability found in Microsoft Windows, this one tagged as “less critical” by Secunia. It concerns “.chm” files:


The vulnerability is caused due to a boundary error in the Infotech Storage System Library (itss.dll) when reading a “.CHM” file. This can be exploited to cause heap corruption and may allow arbitrary code execution via a specially crafted “.CHM” file.


Successful exploitation requires that the user is e.g. tricked into opening or decompiling a malicious “.CHM” file using “hh.exe”.


According to the discoverer,


“Microsoft plans to address this issue in the next Service Pack. Due to this fact, users of certain Windows versions should implement their own protection mechanism.”


Users are therefore advised never to open or decompile untrusted “.chm” files. Note that executing a “.chm” file is equivalent to executing an “.exe” file.


“Microsoft rates the CHM file format as potentially dangerous, similar to an executable file.”


References (read on for more details):

  • http://secunia.com/advisories/


MS update for the month of May now released.

  • Posted: May 10, 2006
  • Author: Virus analyst

The MS (Microsoft Security) update for the month of May is now released. The security bulletin covers the following vulnerabilities:

CRITICAL
  • Vulnerability in Microsoft Exchange Could Allow Remote Code Execution
  • Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution

MODERATE
  • Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service

You can read more about this bulletin on the Microsoft site.
You can update your machines here.


Analysis on a New Ransomware

  • Posted: May 8, 2006
  • Author: Virus analyst

A new ransomware is currently making the rounds. It leaves behind a ransom note (INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt) in the My Documents folder along with the supposedly encrypted files (encrypted.als) and a demo.als to be used as a demonstration of how to extract your files.

This one is quite unusual: it doesn’t extort money from infected users; instead it forces them to buy products from an online pharmacy. If you think about it, the malware also acts as a kind of adware for the online pharmaceutical company.

The ransom note contains this:

INSTRUCTIONS HOW TO GET YOUR FILES BACK

READ CAREFULLY. IF YOU DO NOT UNDERSTAND – READ AGAIN.

This is the automated report generated by auto archiving software.

Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password.

You can not guess the password for your archived files – password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).

Do not try to search for a program that encrypted your information – it simply does not exist in your hard disk anymore.

Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information.

WE DO NOT ASK YOU FOR ANY MONEY! We only want to do business with you.

You can even EARN extra money with us.

If you really care about the documents and information in encrypted file, you should follow the instructions below.

This is your only way to get your files back and save your time.

——————————

How to get your information back.

1. Follow any link below

http://{blocked}.info/?833F866fe62adAd883cc38bcd6b0Tdaa
http://{blocked}.info/?82Fdf3abfb7Abc9385ed1c26afT6bb6e
http://{blocked}.info/?12aba12eF79ef8A4bf7f9bd49Tfc6690

and enter our online pharmacy. Our online pharmacy is the world leader in FDA approved medications.

2. Choose any product you like and buy it.

3. Send an email with your order id to our email address restoring@safe-mail.net or restoringfiles@yahoo.com

The password will be sent to your email address as soon as we verify your order id (usually 3-4 hours or shorter) and you will get your information in encrypted file back. All the emails with invalid order ids will be ignored.

——————————

We do not ask you for any money! We guarantee that you will receive the product you buy! You can use it by yourself or even sell and earn extra money because all the products in our online pharmacy are discounted!

We guarantee that you will receive the password for encrypted file as soon as you buy any product in our online pharmacy.

We guarantee that you will be able to restore all the encrypted information and we can prove it. Doubleclick on the file Demo.als and enter the following password:

kw9fjwfielaifuw1u3fw3brue2180w3hfse2

The encrypted information will be restored in several seconds.

The file EncryptedFiles.als is encrypted with another password which you will receive in the email from us.

We guarantee that you will never be asked to buy anything in our online pharmacy again.

We do not want to do you any harm, we do not ask you for money, we only want to do business with you.

######################################################

Remember you are just three steps away from your files

######################################################

The malware collects the files in the user’s My Documents folder, concatenates their contents into one file (EncryptedFiles.als), and then deletes the originals. In addition, it adds these two files:

  • Demo.als (demo file used for the instructions)
  • INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt (ransom note)

It then associates itself with .als files, so that it runs when Demo.als or EncryptedFiles.als is double-clicked. Once either .als file is clicked, it opens a series of dialog boxes that lead to the extraction of the concatenated files.

Some things to know about the ransom note:

  • “You can not guess the password for your archived files” – True, but the password for the archive can easily be recovered by anyone with minimal knowledge of reverse engineering. It can also easily be seen, as it is just present in the malware’s code in plain text.
  • “Do not try to search for a program that encrypted your information – it simply does not exist in your hard disk anymore.” – A big FALSE, hehe. The program is still on your hard drive, since it is needed to extract the concatenated files.

By the way, the password recovered from the executable is “mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw”.
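
As an added example (mine, not part of the post or of Trend Micro’s analysis), the plaintext-password observation above is the kind of thing a `strings`-style pass over the executable turns up. The script below scans a constructed byte blob that stands in for a dumped executable: the two password strings in it are the ones quoted in this post, everything else in the blob is made up. It keeps only long, high-entropy alphanumeric runs, which is what a hard-coded archive password looks like next to ordinary file names and library references.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a malware executable image: a few non-printable
# "code" bytes with readable strings embedded, the way string literals sit in
# an unpacked binary. Not a real sample.
SAMPLE_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt\x00"
    + b"\x8b\xff\x55\x8b\xec"
    + b"EncryptedFiles.als\x00Demo.als\x00"
    + b"mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw\x00"   # archive password quoted in the post
    + b"kw9fjwfielaifuw1u3fw3brue2180w3hfse2\x00"     # demo password from the ransom note
    + b"\xc3\xcc\xcc\xcc" + b"kernel32.dll\x00"
)

# Runs of at least four printable ASCII bytes, the classic 'strings' heuristic.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(data: bytes, min_len: int = 4):
    """Return every printable ASCII run of at least min_len bytes, in file order."""
    return [m.group().decode("ascii")
            for m in PRINTABLE_RUN.finditer(data) if len(m.group()) >= min_len]


def shannon_entropy(s: str) -> float:
    """Bits per character; a repeated character scores 0, a random mix scores high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def password_candidates(data: bytes, min_len: int = 30, min_entropy: float = 3.5):
    """Strings that look like a hard-coded key: long, alphanumeric only, high entropy.

    min_len follows the ransom note's own claim of a password over 30 symbols;
    the entropy floor is my choice and filters repetitive padding strings.
    """
    return [s for s in extract_strings(data)
            if len(s) >= min_len and s.isalnum() and shannon_entropy(s) >= min_entropy]


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_IMAGE):
        print(f"{shannon_entropy(s):.2f}  {s}")
    print("candidates:", password_candidates(SAMPLE_IMAGE))
```

On a real sample the same pass is run over the unpacked image; if the binary is packed, the literal only appears after unpacking or in a memory dump, which is where the reverse-engineering knowledge the post mentions comes in.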


Update (Jovs, 08 May 2006 21:08:01)

This ransomware is now detected as TROJ_ARHIVEUS.A.


Malware Poses as a Symantec Virus Cleaner

  • Posted: May 5, 2006
  • Author: Virus analyst

We received reports of a malware URL link being spammed via email. The content of the email looks like a legitimate Symantec web site offering a virus cleaner tool for w32.aplore@mm. However, the hyperlink for the supposed cleaner tool points to malicious software (http://westkoast.{blocked}.fr/norton/freevirusfix.exe).

We have forwarded this to the Service Team for detection and analysis. Stand by for updates; for the time being, a snapshot of the spammed email is provided. BTW, all other hyperlinks found in the spammed email are legitimate except for the said cleaner tool.






Update (JoneZ, 05 May 2006 10:00:25)

Initial analysis of the malware:



  • adds entries to the hosts file that route several antivirus and update sites to incorrect IP addresses
  • has a keylogger feature
  • DDoS capability
  • remote command prompt via IRC
  • possible data destruction
  • can propagate via instant messenger
  • drops a text file in the root folder containing the text: “rBot owned you!”
  • displays a message box: “VMM32.VXD: Missing/Unable to Load”

BTW, this will be detected as WORM_RBOT.AHS.
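
As an added example (mine, not from the post), here is a Python audit for the first item in the analysis above: security-vendor names pinned in the hosts file so that updates and signature downloads go to the wrong address. The hosts file content and the watch list are constructed for the example; extend the watch list with the vendors your own fleet actually updates from.

```python
import ipaddress

# Constructed hosts file in the layout Windows uses (drivers\etc\hosts).
# The last three mappings imitate the kind of entry the analysis describes;
# the names and the 192.0.2.10 address are illustrative, not observed values.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      update.symantec.com
192.0.2.10      liveupdate.symantecliveupdate.com
192.0.2.10      www.trendmicro.com   # constructed example entry
"""

# Illustrative watch list of security-vendor domains; a real deployment keeps
# the list it cares about (its own AV vendor, OS update hosts, and so on).
WATCHED_SUFFIXES = ("symantec.com", "symantecliveupdate.com", "trendmicro.com",
                    "mcafee.com", "microsoft.com")


def parse_hosts(text: str):
    """Return (ip_address, hostname) for every mapping, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:                       # malformed line, not a mapping
            continue
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def is_watched(hostname: str) -> bool:
    """True for a watched domain or any of its subdomains."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str):
    """Return (hostname, reason) for every watched domain pinned in the hosts file.

    Any pin is a finding: a loopback address blocks the site outright, while any
    other address silently redirects it, which is the case described in the post.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if not is_watched(name):
            continue
        reason = "blocked via loopback" if addr.is_loopback else f"redirected to {addr}"
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name}: {reason}")
```

Run on an endpoint, the same function is pointed at the real hosts file; a clean file normally pins nothing but localhost, so any watched-domain finding is worth a look regardless of which address it carries.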



  • Copyright © 2021 Trend Micro Incorporated. All rights reserved.