Another round of rechnung malware is currently being
spammed…there are still no email details as of now.


Attachment of email is Ebay-Rechnung.pdf.exe and
Telekom-Rechnung.zip.


And once again we are saved by PAK_Generic.001. =)

New spammed rechnung malwares are now coming
in but now the file is already compressed with .zip.

This is now detected as TROJ_YABE.F.

This time, it’s FireFox’s turn. PacketStorm released a PoC that crashes
FireFox, and has the possibility of code execution (still testing,
on version 1.5 btw).

ISC has more details on
the said PoC, as well as a workaround. And I’m still trying to get
FireFox to trigger my debugger. Hmmmm….

… because FireFox doesn’t crash. Not with
the PoC and with FireFox v1.5. While I was waiting for my debugger
to trigger, FireFox resumed its normal operation after around
30seconds to 1 minute given the PoC. The PoC inserted a total of
2,500,000 characters for the title, so i figured, why not make it
larger, say 25,000,000. FireFox “hanged” for a longer time, but was
able to function again. No code execution for me.

On the other hand, here’s another bug:

(right now you can trigger it manually. I’ll check out later how to
trigger it when loading an HTML file)

Copy paste a looooooooong string of say, “A”‘s into the URL bar.
Just keep on pasting. And pasting. and pasting. soon you’ll see the
“A”‘s disappear, the system hangs, and Display settings have been
changed. Well at least for my Windows XP Sp2, FireFox 1.5, on a
ShuttleX machine. I’ll try this on other machines later.

On my bug, somehow it seems to be a hardware
issue, as tests on other types of machines did not reproduce the..
um.. bug. And on the original purpose of this entry, the FireFox
PoC, I’ve contacted ISC on my findings and they too noticed it, but
some of them were able to crash their PC’s. We’ll find out soon
enough. Mozilla already has this on their buglist.

There have been reports that 2006 will start with a new year bang possibly on the 5th of January or thereafter (6th of January) when a new SOBER variant is suspected to be released by the same group that caused the recent SOBER outbreak last November.

The reports may have been based on the analysis that the recent SOBER will download an executable file (one also named as Sober.exe) possibly on either the 5th or 6th of January 2006 from certain URLs that are hard-coded and encrypted within the SOBER.AG worm. Moreover, the “predefined” URLs are not even the exact sites that may used – an algorithm based on the date is used to generate the exact URLs that will be used on the target date itself.

Is this some form of a pre-warning “greeting” from the SOBER creators? The 87th anniversary of the Nazi party falls also on the 5th – is this another notable fact? (If one can remember, we reported a past SOBER variant that was capabale of spewing tens of thousands of spammed emails with Nazi-ridden and anti-Semetic messages last May 2005) From the monitoring standpoint, the executable file that will be downloaded can be anything from a minor update to a full-blown new SOBER variant.

Nevertheless, the Trend Micro Incident Response Team has been on the alert and on continuous watch over the URLs used by SOBER and other forecasted behavior that may be manifested by this worm.

We will be posting some possible URLs that may be used by the worm. This is to aid prevention of a possible outbreak that may happen in January – that is, if we don’t prepare now…

View the report from iTObserver.

We have received the report from the service team that the downloading will begin after January 5, 2006 (The 87th anniversary of the Nazi party).

Yet another trojan being spammed. This time
another gsbill.exe. Rechnung, gsbill, and photoarticle seem to be
on the rise these days (maybe for the holidays hehehe). Anyway, the
advisory for this will be up soon.


And oh, it seems that gsbill has veered from its “You have ordered the following…” to email
details similar to that of Sober. Check out the advisory page later
to see what i mean. Possibly the malware author saw the success of
Sober’s social engineering tactics and decided to try it out.
Possibly. Or maybe this gsbill is another worm? We’ll see later as
soon as analysis of the file is finished.

Nope not a worm. Still a trojan:
TROJ_DANMEC.F.

On second thought, it will now be detected
as TROJ_DANMEC.E. A repacked version, this is. And yet again we are
seeing repacked variants of this malware, this time with an MD5 of
ed1e18049f51127976506fb8c0c87ef4. Current count for this is
12.

As Christmas draws near, we have been on a look out for malwares taking advantage of the season, and for sure we came in contact with one.

ISC has reported that it is spreading out a message that says

“This AIM user has sent you a Greetings Card, to open it visit:
http://greetings.aol.com/index.pd?source=christmastheme?my_christmas_card.COM”

But in truth the link goes to http://{blocked}34.156/My_Christmas_Card.COM which is an AIM Worm.

So just to be on the safe side, be on the lookout for this message. Also its dropped filename is in %WINDOWS%lsass.exe, so if you notice two processes with the name lsass.exe, then you’re probably infected.

The malware has already been passed to the service team and I will update this once I get the reply for its detection.

This Christmas IM Worm is now detected as WORM_AIMDES.E since CPR 2.986.04.

There has also been a report received that the AIMDES.E spreads also via a another URL in a similar message:

“This AIM user has sent you a Christmas Card! To open it please visit: http://greetings.aol.com/index.pd?source=greetingscard?my_christmas_card.scr This senders personal note: Merry Christmas!”

Here is a screenshot:



The link actually goes to the malware site which is:

{blocked}.17.26/My_Christmas_Card.scr.

There are reports being published on the internet of an IM worm that has a little “artificial intelligence” such that it has the ability to reply on messages sent to it. A typical example may look like this:



Below is a snip of a report on the net.



Furthermore,



The original article can be found in the following url:
New IM worm chats with its intended victims

Our team is currently searching for a sample of the said malware. Again, it is recommended that IM users are careful not to click on unsolicited url”s from IM messages even if it came from known contacts.

Here we are again. The malware sample is forwarded to the Service Team for processing. This will be detected as WORM_IXBOT.A.

This worm uses AIM, AIM Triton and MSN Messenger to propagate itself. The Remote malicious user controls this bot to propagate either one of the mentioned Messengers or all of them simultaneously.

So, to those of you who uses the said messenger, BE CAREFUL!!!!

We received a sample of a new malware being
seeded ITW. It uses a Microsoft Word icon and looks like a normal
document file. However, the sample has a MZ first two bytes instead
of the “D0 CF” making it a Portable Executable file. It’s quite
interesting to note that after the execution of the original file
it drops two files, hacker.asf and hacker.exe, in the %system%
directory and the original file will be a normal Microsoft Word Doc
file. The document has the text found in the seeded e-mail shown
below.


Shown is a sample e-mail received from reports:

Subject: Subject: RVT Environmental Qualification
Testing

Attachment: EnvQual.doc.exe

E-mail Body:

---

---

The attachment will be detected as
TROJ_AGENT.AKR while the dropped components, hacker.exe and
hacker.asf, will be detected as TROJ_PCCLIENT.CY.

Whew, the IE 0-day exploit is really in the
wild! As soon as the PoC for this bug hit the net we’ve seen
malicious websites pop up that use this PoC to infect users. From
simply executing calc.exe on the affected system (JS_ONLOADXPLT.A) then modified to drop and
execute malicious programs on the affected system as seen in
JS_WINDEXP.A.


Okey, you’ve seen numerous blogs that discuss this bug, but this
time it is embedded on the main page of a website that is dedicated
to blogs! Yes, you heard me right! Up until this moment the main
page of the a certain site still contains embedded links to the
three files (fillmem.htm, bug.htm, and bug2k.htm) enclosed in
iframe tags. But, when I tried to obtain the files, it returned an
error 404 (File not found). Maybe sometime soon it will be
available again, up and infecting viewers’ and bloggers’
systems.


Since the release of the PoC for this exploit, we’ve seen a
modified version that really does malicious things on the affected
system and then from a simple website to a blogger’s site. This is
just the means of the attacker to further increase its chance of
infections. On this particular incident however, we still do not
know if the abovementioned files does new malicious activities.
But, we will keep you updated once we get the copy of the files
(and once we have checked out new sites that use the said POC).
;=)


Note:

The three files abovementioned are the three important components
for the exploit to work. Fillmem.htm contains the actual malicious
code (shellcode) and bug2k.htm and bug.htm are called to trigger
the execution of malicious code on Win2K(Universal) and WinXP(All
SP) systems, respectively.

Once again, another rechnung.pdf.exe being
spammed.

Once again, still no email details (as of now).

Attachment: Rechnung.pdf.exe (11261 bytes)
Detections (based on MIST):

• Trend : PAK_Generic.001
• Symantec : NO_VIRUS
• Kaspersky : Trojan-Downloader.Win32.Agent.zm
• McAfee : Downloader-AAP
• Sophos : NO_VIRUS
• Panda : NO_VIRUS

And once again, PAK_Generic to the rescue.

This time, gsbill.exe (the extracted file
that is, although it is being spammed with a random-looking
filename). We’ve received 2 copies so far, although yet again, no
email details (due to the nature of the setup).

FileName: {random}.zip (28128 bytes), extracts to gsbill.exe
(29,696 bytes)
MD5:

• ZIPped file – 7ad8ee031755fb6f3c4da35584cccf7f
• Executable – af97407d3fd715dc41861816b184be5d

MIST Detections:

• TrendMicro : PAK_Generic.001
• Symantec : Trojan.Danmec
• Kaspersky : NO_VIRUS
• McAfee : MultiDropper-PH
• Sophos : NO_VIRUS
• Panda : NO_VIRUS

And from another source comes the actual
email details yes! heeheheh. Check out the advisories page.

This will now be detected as
TROJ_DANMEC.E.