Archives for June 2006

MS06-025 Known Issues

  • Posted: June 18, 2006
  • Author: Virus analysis team

The Microsoft Security Response Center has issued a known-issues update regarding the MS06-025 release.


The issue involves dial-up scripting.


From the Microsoft site:


[snip]
An issue has been confirmed involving dial-up connections which use the terminal window or dial-up scripting. Dial-up terminal windows or scripting is an older technology rarely used by most modern dial-up connections. If dial-up scripting is used in a connection, the connection may stop responding. This does not affect any dial-up connections that do not use dial-up scripting. This issue may affect direct dial connections to a corporate or university network or to some ISPs (Internet Service Providers). Microsoft is working on developing and testing a revision to this update which will address this issue. If you need to use these dial-up scripting or terminal window features do not install security update MS06-025 (KB911280) until the revised version is available. More information on dial-up scripting can be found at http://www.microsoft.com/technet/archive/winntas/proddocs/network/xns10.mspx. Virtual private network (VPN) connections are not affected by this issue; dial-up scripting is not supported in VPN scenarios.
[snip]


More information can be found on the Microsoft site.



Daily Bagle

  • Posted: June 17, 2006
  • Author: Virus analysis team

We have been receiving numerous samples of a new Bagle variant since a couple of minutes ago, and it is spreading blazingly fast: it reached a total count of 211 samples within 20 minutes of its first incident.


The new sample is not very different from the previous one and has the same download links. It is 12,726 bytes and has an MD5 sum of 751789DD5D12FC33F1381FEED87FE352.


If you remember what I mentioned in my previous post about the properties of the packer used by the recent TROJ_BAGLE.EY (it is polymorphic), and that we had only received copies of one generation of the malware… now it seems the author has released copies of another generation. Sad… but apparently true.


And here is what I noticed about the (extracted) filenames of both generations of the malware:

Filename          Hash
15-06-2006.exe    2BBA44B82D6E37069BF53C8A806A7DAE
16-06-2006.exe    751789DD5D12FC33F1381FEED87FE352


Well, we might be thinking the same thing… So, we had better stay alert for whatever might happen in the next few days to ensure the total protection of our clients.


By the way, this will also be detected as TROJ_BAGLE.EY. Thanks to the Service Team for the immediate response!



Another malware – BKDR_BREPBOT.A

  • Posted: June 16, 2006
  • Author: Virus analysis team

Just a few hours after the first incident of TROJ_BAGLE.EY in the Email Honeypot, I noticed another sample in MailTrap making the rounds. So I quickly checked the sample, which is detected as PAK_GENERIC.001.

Though there is nothing new or special about this backdoor, it reached a total count of 280 samples in less than 3 hours. This must be the result of the massive spamming we are facing today. It is just like what I noticed in the sample count of the recent TROJ_BAGLE.EY: it is packed with UPolyX, yet we have intercepted 870 samples (at the time of writing), all with the same MD5 hash. The point is, it is packed with a polymorphic packer, but we are getting numerous copies of only one generation of the sample! Why? Because of what I just mentioned: massive spamming. Oh well.. :(

The sample, which arrived as a zip file, has a file size of 10,090 bytes and an MD5 hash of 87B40A62BD5D8FD2A5ED24C16B92B5D1. The filename may be one of the following:

  • Article+Photos.zip
  • Article.zip
  • article_July_0077.zip
  • article_July_1726.zip
  • article_July_1734.zip
  • article_July_1823.zip
  • article_July_2417.zip
  • article_July_2614.zip
  • article_July_2865.zip
  • article_July_4409.zip
  • article_July_4988.zip
  • article_July_5503.zip
  • article_July_6301.zip
  • article_July_7817.zip
  • article_July_8048.zip
  • article_July_8092.zip
  • article_July_8477.zip
  • article_July_8491.zip
  • article_July_9935.zip
  • ArticlePhotos.zip
  • CCTV-footage.zip
  • CCTVstill.zip
  • Photo+Article.zip
  • PhotoandArticle.zip
  • Photos.zip
  • suspectimage.zip
  • Suspectphoto.zip
  • suspiciousphoto.zip

Here is the sample email.



New Bagle!! – TROJ_BAGLE.EY

  • Posted: June 16, 2006
  • Author: Virus analysis team

Just want to inform you that there is a new Bagle making the rounds.


It arrives as a zipped email attachment with an MD5 hash of 2BBA44B82D6E37069BF53C8A806A7DAE. It attempts to download files from 99 different domain names, all pointing to “nul.php”.


Possible attachment names:



  • Ales.zip
  • Alice.zip
  • Andrew.zip
  • Androw.zip
  • Ann.zip
  • Anna.zip
  • Anne.zip
  • Annes.zip
  • Anthony.zip
  • Anthonye.zip
  • Avis.zip
  • Bennet.zip
  • Bennett.zip
  • Christean.zip
  • Christian.zip
  • Cybil.zip
  • Daniel.zip
  • Dorithie.zip
  • Dorothee.zip
  • Dorothy.zip
  • Edmond.zip
  • Edmonde.zip
  • Edmund.zip
  • Edward.zip
  • Edwarde.zip
  • Elizabeth.zip
  • Elizabethe.zip
  • Ellen.zip
  • Emanual.zip
  • Emanuel.zip
  • Ester.zip
  • Francis.zip
  • Gabriell.zip
  • Geoffraie.zip
  • Grace.zip
  • Harry.zip
  • Henrie.zip
  • Henry.zip
  • Henrye.zip
  • Humphrey.zip
  • Isabel.zip
  • Isabell.zip
  • James.zip
  • Jeames.zip
  • Jeffrey.zip
  • Johen.zip
  • John.zip
  • Josias.zip
  • Judith.zip
  • Judithe.zip
  • Katheryne.zip
  • Leonard.zip
  • Margaret.zip
  • Margerie.zip
  • Margerye.zip
  • Margrett.zip
  • Marie.zip
  • Martha.zip
  • Mary.zip
  • Marye.zip
  • Michael.zip
  • Nathanyell.zip
  • Nicholas.zip
  • Nicholaus.zip
  • Peter.zip
  • Rebecka.zip
  • Richard.zip
  • Robert.zip
  • Roberte.zip
  • Roger.zip
  • Rose.zip
  • Rycharde.zip
  • Samuell.zip
  • Sybell.zip
  • Sybyll.zip
  • Syndony.zip
  • Thomas.zip
  • William.zip
  • Winifred.zip
  • Wynefreed.zip
  • Wynnefreede.zip
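
One way to put the indicators from this post, the BKDR_BREPBOT.A post and the Daily Bagle post to defensive use is a small mail-triage script that hashes each zip attachment against the quoted MD5 sums and flags the lure filenames. This is an added example, not code from the posts or from any Trend Micro product; the e-mail it parses is constructed here, and the filename patterns are my own assumptions distilled from the lists above.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# MD5 sums quoted in the posts above (zipped attachment); keys are lowercase hex.
KNOWN_MD5 = {
    "2bba44b82d6e37069bf53c8a806a7dae": "TROJ_BAGLE.EY (15-06-2006.exe generation)",
    "751789dd5d12fc33f1381feed87fe352": "TROJ_BAGLE.EY (16-06-2006.exe generation)",
    "87b40a62bd5d8fd2a5ed24c16b92b5d1": "BKDR_BREPBOT.A",
}

# Lure-name patterns assumed from the posted filename lists. The last one (a lone capitalised
# given name + .zip, as in the TROJ_BAGLE.EY list) is coarse and will also hit benign files:
# treat it as a weak signal to combine with the hash check, not as a verdict on its own.
NAME_PATTERNS = [
    re.compile(r"^article_July_\d{4}\.zip$", re.I),
    re.compile(r"^(article(\+?photos)?|photo(\+|and)?article|photos|cctv-?footage|cctvstill|"
               r"suspect(image|photo)|suspiciousphoto)\.zip$", re.I),
    re.compile(r"^[A-Z][a-z]{2,11}\.zip$"),
]


def lure_name(filename: str) -> bool:
    """True when the attachment name matches one of the lure patterns above."""
    return any(p.match(filename) for p in NAME_PATTERNS)


def triage_message(raw: bytes) -> list:
    """Return one finding per attachment: name, size, MD5 and the reasons it was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""   # decoded attachment bytes
        digest = hashlib.md5(data).hexdigest()
        reasons = []
        if digest in KNOWN_MD5:
            reasons.append("known sample: " + KNOWN_MD5[digest])
        if lure_name(name):
            reasons.append("attachment name matches a spam-run lure")
        findings.append({"name": name, "size": len(data), "md5": digest, "reasons": reasons})
    return findings


def constructed_sample() -> bytes:
    """A constructed message (not a real capture) carrying a dummy blob under a lure filename."""
    m = EmailMessage()
    m["Subject"] = "Article"
    m.set_content("See the attached article.")
    m.add_attachment(b"PK\x03\x04 constructed dummy zip", maintype="application", subtype="zip", filename="article_July_1726.zip")
    return m.as_bytes()
```

Run `triage_message(constructed_sample())` to see the constructed message flagged on filename alone; a real spam-run sample would additionally hit the hash table.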

Sample Email:




MS update for the month of June now released.

  • Posted: June 14, 2006
  • Author: Virus analysis team

It’s that time of the month again… Microsoft has released its monthly update, and once again it is time to patch your computers. In this update Microsoft patched the following vulnerabilities:


Critical



  • MS06-021 Cumulative Security Update for Internet Explorer (916281)
  • MS06-022 Vulnerability in ART Image Rendering Could Allow Remote Code Execution (918439)
  • MS06-023 Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344)
  • MS06-024 Vulnerability in Windows Media Player Could Allow Remote Code Execution (917734)
  • MS06-025 Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)
  • MS06-026 Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (918547)
  • MS06-027 Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336)
  • MS06-028 Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (916768)

Important



  • MS06-029 Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection (912442)
  • MS06-030 Vulnerability in Server Message Block Could Allow Elevation of Privilege (914389)
  • MS06-032 Vulnerability in TCP/IP Could Allow Remote Code Execution (917953)

Moderate



  • MS06-031 Vulnerability in RPC Mutual Authentication Could Allow Spoofing (917736)

You can visit the Windows Update site here.



Advance Notification for Microsoft Patch

  • Posted: June 13, 2006
  • Author: Virus analysis team

It’s time again to patch Microsoft systems. On June 13, 2006, Microsoft is planning to release a large batch of updates.


Among the updates are:


[snip]



  • Nine (9) Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
  • One Microsoft Security Bulletin affecting Microsoft Exchange. The highest Maximum Severity rating for this is Important. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.
  • Two Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

[snip]


Updating your Microsoft systems is one way of securing your data. Please do not forget to patch your systems tomorrow.


More information about the upcoming June update is available on the Microsoft site.



Vulnerability in Yahoo Mail.

  • Posted: June 13, 2006
  • Author: Virus analysis team

We’ve just received reports of a vulnerability in Yahoo Webmail.


An HTML attachment containing JavaScript code is executed automatically by Yahoo Mail as soon as a user opens it. When we tested the HTML file, a window appeared that points to the URL “www,lastdata.com”.
Yes, you are reading that right: it is a comma after the www (it can be read from the code). We do not know whether it is a typographical error by the author or something else!


The Yahoo page will also be redirected to another website. According to the reports, the malware is capable of sending itself to the people in your address book; we are, however, still verifying this claim.


A word of caution, if you may: please be careful when opening emails, especially ones that carry attachments, whether HTML files, EXE or SCR files, or a file with a very long filename that has .EXE at the end of it. PLEASE.. be careful when opening your mail.



Update (Obet, 13 June 2006 08:11:59)


The malware mentioned above will be detected by Trend Micro as JS_YAMANER.A. An overview can be found here.



Rechnung News Flash…

  • Posted: June 8, 2006
  • Author: Virus analysis team

We’ve just received new samples of Rechnung (MD5 hash: 590548de2845583eb1f6cd1577d51cee), and a pattern to detect them is currently in the works.


This new sample will be detected as TROJ_DLOADER.AYK. Stay tuned for updates, and now back to our regular programming.


Update (Jasper, 09 June 2006 11:36:32)


Detection for this malware is now available in CPR 3.490.01.



USB Drives = Universal Security Breaches?

  • Posted: June 8, 2006
  • Author: Virus analysis team

Just like the floppy disk in its heyday, the USB drive, commonly called the thumb drive or flash disk, is the preferred removable storage medium because of its portability and storage capacity. However, its popularity may prove useful to attackers as a propagation vector for malware and as a tool for breaching network security, though it may need to be coupled with a pinch of social engineering to achieve the desired effect.

Picture this: a fashionable-looking USB drive (with a casing in bright candy colors to attract attention) is left in a frequently visited area of the office, say the lobby or the pantry. An employee notices the unattended device and, when nobody is looking, picks it up and immediately plugs it into his workstation, hoping to find a ton of adult pictures. His prayers are answered, and he does find a lot of adult-oriented images. But he gets more than he bargained for: when he plugged the USB drive into his workstation, a worm residing on the device as a hidden file automatically sprang into action. Within seconds, the worm has propagated itself by email and has dropped copies of itself into shared folders on the corporate network. Furthermore, it has downloaded a copy of its backdoor counterpart from the Internet and executed it as well, allowing remote attackers to access the corporate network…


The scenario presented is likely to happen in an environment with lax security. But even in an office where security is tight (both software and physical), such a thing can happen if people aren’t aware or informed.


Read more about social engineering and USB drives here.


New Yahoo! Phishing Attack

  • Posted: June 8, 2006
  • Author: Virus analysis team

A new Yahoo! Phishing website has been reported. The page looks like this.



The website is reported to be spread through Yahoo Messenger. Upon signing in on the fake Yahoo! Photos website, it sends the user’s Yahoo ID and password to a private e-mail address instead of to Yahoo!.


  • Copyright © 2021 Trend Micro Incorporated. All rights reserved.