
Another Strike of Strats

  • Posted: November 23, 2006
  • Author: Virus analyst

Just a few days after the emergency release of OPR 3.939.00 in response to the massive TROJ_STRAT.GG and WORM_STRAT.GG onslaught, we have detected another severe seeding of STRAT Trojans and worms in our honeypots. This prompted Trend Micro to release an urgent Bandage pattern to protect its customers from these critters, which have been given the detection names TROJ_STRAT.GN and WORM_STRAT.GN.

Interestingly and annoyingly, the URL accessed by both variants is on the same domain and differs only in the directory path within that domain. Nevertheless, the generic pattern for STRAT variants has also been improved and modified to proactively detect future variants of these bugs.


Last hurrah?

  • Posted: November 23, 2006
  • Author: Virus analyst

Self-confessed adware maker and distributor Zango was sanctioned by the US Federal Trade Commission (FTC) and ordered to pay $3M in fines over years of bad Internet advertising habits.

However, as the implementation of the sanction draws near, Zango still continues its advertising malpractice, according to spyware experts Ben Edelman and Eric Howes.

As part of the settlement, Zango agreed to furnish straightforward end-user license agreements (EULAs) with all of its software. Yet the experts have not seen any changes to any of the company’s software EULAs. It may be that Zango is trying to rake in as much money as it can before it starts paying fines.

Read more here.


Trojan Poses as Smart Messenger

  • Posted: November 23, 2006
  • Author: Virus analyst

A website, shown below, is currently hosting a trojan that drops several malicious files on the user’s system.

The site disguises the trojan dropper as “Smart Messenger”, “a new way to instantly Text and Picture SMS FREE!”.

The malware author(s) clearly put a lot of work into the social engineering of this malware, from the website hosting it to the installation routine on the system.

The website hosts a zip file named SMSS406.zip, which contains three files:

  • LICENSE.TXT – License file of the supposed “Smart Messenger v4.06”. This is an added social engineering trick to lend credibility to the trojan.
  • setup.exe – The actual trojan (detected by Trend Micro as TROJ_GLITCH.IRC).
  • smss.hlp – A help file for the supposed “Smart Messenger v4.06”. (It doesn’t really contain anything.)

When a user is fooled into executing setup.exe on his system, he gets a message box containing a License Agreement for Smart Messenger. This makes the user believe that he is installing a real application that will help him score free text and picture SMS. The user is even given the option to install the application or not, as shown in the picture below.

If the user chooses “YES”, the setup continues to execute, which leads to either of these two pop-up message boxes.

These suggest to the user that an error occurred during the installation of Smart Messenger, but in reality setup.exe has already dropped several files in this directory:

  • %system%\drivers\etc\tmp

NOTE: %system% is the Windows system directory.

Among these are two EXE files named:

  • MSTask.exe
  • smss.exe

The file setup.exe then adds a registry key so that MSTask.exe runs automatically on every system startup. If an IRC client is installed, it also tweaks registry settings to ensure that smss.exe is executed whenever the IRC client software is run.

Checking my network, I noticed that a connection to an IRC server had been made with these credentials:

  • Channel: #f00bar
  • Nick Name: kg1kk9

All related files and the website link have already been sent to the service team for proper action.

I guess I don’t have to say this, but I’ll say it anyway: be careful with what you download from the net, especially if it came to you through IM messages or e-mails. Just don’t execute any file from the net unless you’re absolutely sure that it is what it says it is; otherwise you might be running malware that will eat up your network.


“Scary” Movie

  • Posted: November 17, 2006
  • Author: Virus analyst

We love scary movies. We like psyching ourselves out from time to time by watching them. They’re not real anyway. Heck, we love movies in general. But there is one kind of movie that, scary or not, can affect us in real life. It’s the kind that will haunt us in our everyday activities if we’re not careful about choosing what to watch.

I’m not talking about creepy videos like the one in the movie “The Ring”. I’m talking about video files that have been modified by WORM_REALOR.A. Yes, malware authors have now found a way to use video formats to spread a “scare” to innocent movie fanatics.

Malware authors have always piggybacked on the popularity of videos in their attempts to spread their malicious code. Before, however, they merely disguised their malware programs as video files to entice users to download the malware or to open email attachments carrying a copy of it.

Now, with the release of WORM_REALOR.A into the wild, malware authors use the video files themselves to carry their malicious code.


According to an article from Security Focus,


“…the increasing popularity of video downloads and streaming Internet video–as demonstrated by the $1.6 billion valuation that Google placed on Internet video startup YouTube–will likely mean that online attackers will increasingly find ways to utilize the digital media as a method of compromising PCs…”

Read more about this article here.


WORM_REALOR.A modifies Real Media (.RM and .RMVB) files by inserting a hyperlink, enabling them to load a Web page that contains a JavaScript. Detected as JS_DLOADER.HHZ, the JavaScript then accesses another Web site (not accessible as of this writing) and downloads a malicious file, quite possibly a copy of WORM_REALOR.A, completing a vicious infection cycle.

So when you download your favorite scary movies, or the latest episodes of your favorite TV series for that matter, you might want to think twice and check the files before watching them. You might already be getting compromised in the process. Believe me, this is one kind of movie not worth freaking yourselves out over.


MS November Patch release

  • Posted: November 16, 2006
  • Author: Virus analyst

Microsoft has released its November patches: 6 bulletins, covering 1 zero-day vulnerability (Microsoft XML Core Services Could Allow Remote Code Execution). Below are the details of November’s release:

  • MS06-066 – Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution
  • MS06-067 – Cumulative Security Update for Internet Explorer
  • MS06-068 – Vulnerability in Microsoft Agent Could Allow Remote Code Execution
  • MS06-069 – Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution
  • MS06-070 – Vulnerability in Workstation Service Could Allow Remote Code Execution
  • MS06-071 – Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution

Click the links above for detailed information on these bulletins.


Nuclear War, President Bush, Stocks and a Whole Lot of Spam!

  • Posted: November 15, 2006
  • Author: Virus analyst

In an investigation conducted by TMIRT regarding WORM_NUWAR.BQ – the worm responsible for mailing copies of itself with e-mail subjects and bodies referring to a nuclear war or “President Bush is dead” – we discovered that this malware also serves as a seeding point for turning infected machines into spam zombies.

Aside from its mass-mailing capabilities, this worm also connects to 81.177.3.85 and downloads four files from it. The downloaded files are components used to download other files and updates, gather e-mail addresses, add the worm to RAR archives, and act as a Trojan proxy, plus an updated copy of the worm.

The most interesting of the downloaded files are the component that gathers e-mail addresses and the Trojan proxy.

The component that gathers e-mail addresses not only harvests addresses from the files most likely to contain them (WAB, MSG, etc.), but also sends the gathered addresses to 81.177.3.85! Now we’re talking about malware harvesting valid e-mail addresses!

The Trojan proxy component, on the other hand, acts as an SMTP relay server, and guess what? This component is responsible for turning the infected machine into a spam zombie! Leaving port 25 open for incoming connections, we suddenly found our test system flooded with activity and sending out pump-and-dump spam, as seen below!

Ever wondered who sends out all that nasty spam? Well, your officemate, cousin, brother, or sister may be doing it for the spammers – for free!


*TrendLabs is conducting a more thorough investigation for this malware incident. A complete report will be posted online by our threat reporters.


TROJ_YABE Again…

  • Posted: November 15, 2006
  • Author: Virus analyst

A new TROJ_YABE variant is currently making the rounds on the net. We managed to get a copy of the sample email; please see below.

The email is in German, and since I don’t read German, a Babel Fish translation of the email body is given below.

———————————————-

eBay reference to changed E-Mail address
Dear eBay member,

Thank you for your request for change of your E-Mail address. The instruction guide how for account changing were sent to your new E-Mail address.

If the change of your email address wasn’t made by you then execute imediatelly the instruction described in the attached PDF document!

As soon as the procedure is finished, your emails from eBay will not be passed to this emails address anymore.

If you did not make this change, ask please first family members and other persons, evtl. Entrance to your member account have. If you believe you that an unauthorized person changed your email address then follow the instruction described in the attached PDF file.

Thank you,
eBay
———————————————-


As you may already have guessed, this malware disguises itself as a PDF document in order to fool users into executing the attachment.

The email attachment is Ebay.pdf.exe, with a PDF icon, as shown below.

As part of its social engineering techniques, Ebay.pdf.exe pops up a message box saying that an error has occurred in Acrobat 6, making the user believe that the attachment is just a corrupted PDF file and not a trojan.

Unknown to the user, Ebay.pdf.exe has already connected to the Internet and downloaded a txt file from one of these locations:



  • http://[BLOCKED].com/language/lang_english/lan.txt
  • http://[BLOCKED]/more.txt
  • http://[BLOCKED]ges/sidebar/f02.txt
  • http://[BLOCKED]ix/Picture.txt
  • http://[BLOCKED]b.com.pl/stat.txt

These txt files contain an encrypted copy of the URL of another trojan, a file named 6.exe, which Ebay.pdf.exe then downloads. This in turn drops a BHO spyware.

All files mentioned in this blog have already been given to the service team for processing.


A Ring of Malwares

  • Posted: November 14, 2006
  • Author: Virus analyst

Last Nov. 10, I blogged about trojans downloading trojans: a spammed trojan leading to other downloads that ultimately end in phishing attempts on several banks.

Today, I find the same malware ring being downloaded by a new spammed trojan caught by our honeypot systems. This makes me wonder how many spammed trojans in the past have been working with this malware ring.


Portuguese Netsky Says Ola!

  • Posted: November 13, 2006
  • Author: Virus analyst

After a long time, another Netsky makes it to TrendLabs’ noteworthy list, and its routines are nostalgic throwbacks to the days when the egos and juvenile war-mongering of malware authors were AV’s worst enemies. Faithful to its roots, WORM_NETSKY.CA continues the war with WORM_MYDOOM and WORM_BAGLE by deleting registry entries related to them.

This mass-mailing worm appears to make an effort to ride the current trend of attacking specific segments. It speaks Portuguese, as seen in the subject and body of its spammed email messages, which spout such poetry as the following:


Subject
  • Aprovado!
  • Bala
  • Cachaca!
  • Caderno
  • Cambau
  • Contas!
  • Delicia!

Message Body
  • Conta Fechada
  • Conta regularizada veja aqui!!
  • Lamento sabe!
  • Leia rapido o arquivo!!!!
  • Nao sei o que eh isso me diga! Tabela d…
  • Nossas contas veja detalhe


This variant is probably just Netsky’s little ‘Ola!’ to the world. The ego torch it carries for the bygone bot wars is just not profitable enough to fit the show-me-the-money anthem of today’s threats.


My Friendster – My AdultFriendFinder

  • Posted: November 13, 2006
  • Author: Virus analyst

Have you opened your Friendster profile lately and checked who among your Who’s Viewed Me list can be added to your innumerable stalkers?

The Who’s Viewed Me feature of Friendster allows a person to check who has been viewing his/her profile, but only if he/she also allows others to know that he/she is checking out theirs.

Well, I recently checked my list of Who’s Viewed Me and found a certain Geraldine Artinez from Manila in it.

Eager to find out who she is, I clicked on her profile to see if we are in the same network of friends. To my surprise, her profile showed what seemed to be one of AdultFriendFinder’s Web pages.

Check out the code in her profile:


%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%
61%64%75%6C%74%66%72%69%65%6E%64%66%69%6E%64%65%72%2E%
63%6F%6D%2F%73%65%61%72%63%68%2F%67%38%31%37%31%32%39%2D%
70%70%63%3F%6D%61%78%5F%61%67%65%3D%26%72%61%63%65%3D%26%
70%68%6F%74%6F%3D%26%6C%6F%6F%6B%69%6E%67%5F%66%6F%72%5F%
…


In plain English: clicking the advertisement banners in her profile takes the user’s browser to various pages on adultfriendfinder.com.

As of now, this may be an innocent attempt to promote the dating Web site. However, using Friendster pages to redirect users to a malicious Web site may not be far behind…
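To show what percent-encoded profile markup like the snippet above actually resolves to, here is an added example (not code from the original post or from Friendster) that decodes such a snippet and lists the external hosts its links point at, which is the check a reviewer of user-supplied profile content would want. The encoded sample inside is constructed to mirror the shape of the one quoted above, and the hosting site name is assumed.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample (not the post's own data): a percent-encoded anchor of the
# same shape as the one quoted in the post. It decodes to
# <a href="http://example.com/search?q=1">banner</a>
ENCODED_PROFILE = (
    "%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F"
    "%65%78%61%6D%70%6C%65%2E%63%6F%6D%2F%73%65%61%72%63%68%3F%71%3D%31%22%3E"
    "%62%61%6E%6E%65%72%3C%2F%61%3E"
)


def decode_profile(text: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding, repeating for doubly-encoded content (%2561 -> %61 -> a)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


class LinkExtractor(HTMLParser):
    """Collects the href of every <a> tag in the decoded markup."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def external_link_hosts(encoded: str, site_host: str) -> list[str]:
    """Hosts that links in the profile point to, excluding the hosting site itself."""
    parser = LinkExtractor()
    parser.feed(decode_profile(encoded))
    hosts = []
    for href in parser.hrefs:
        host = urlsplit(href).hostname  # None for relative links, which stay on-site
        if host and host != site_host and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    print(decode_profile(ENCODED_PROFILE))
    print(external_link_hosts(ENCODED_PROFILE, "friendster.com"))  # ['example.com']
```

Run against a real profile dump, a non-empty result is the list of third-party sites the page would send a visitor to.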
