Trend Micro TrendLabs Malware Blog

    Archive for August 28th, 2006




    A new worm is spreading, using email as its propagation vector. It arrives as an attachment to an email with a short, ambiguous subject (e.g. “Hello” or “Test”). The attachment name varies from one email to another, but every variant uses a double extension. When executed, the worm drops the file rsmb.exe in the Windows folder and attempts to download a further file, which may itself be malicious. Initial analysis suggests that the worm targets individual addresses within a domain by combining a common first name (john, mary, ann, etc.) with a well-known domain name. Below is a sample email:


    TO: smith@[domain-name].com
    SUBJECT: hello
    BODY: [none]
    ATTACHMENT: text.dat.pif


    Update (Jasper, Mon, 28 Aug 2006 05:00:16 PM)

    This threat will be detected as WORM_STRATION.AP. Its detection pattern is available in CPR 3.694.01.
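    The attachment pattern described above (a double extension ending in an executable type, a one-word subject and a first-name recipient) is the kind of thing a mail gateway can block without a signature. The following is an added example, not Trend Micro's code or the worm's: it constructs a message that mirrors the sample (subject "hello", recipient smith@example.com, attachment text.dat.pif with stand-in bytes) and scores it on those three signals. The list of executable extensions beyond .pif, the extra dictionary names, the domain example.com and the scoring weights are assumptions.

```python
"""Gateway-style check for the Stration attachment pattern (added example)."""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# .pif is the extension from the sample; the rest are the usual Windows
# executable types a gateway blocks (assumed list, not from the post).
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js"}

# First names the post mentions plus "smith" from the sample; a real
# deployment would use a much larger dictionary (assumption).
DICTIONARY_NAMES = {"john", "mary", "ann", "smith"}

# Subjects from the post plus an empty subject (assumed).
GENERIC_SUBJECTS = {"hello", "test", ""}


def build_message(filename: str, payload: bytes,
                  to_addr: str = "smith@example.com",
                  subject: str = "hello") -> bytes:
    """Construct a sample email (not a real capture) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "nobody@example.net"
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content("")            # the sample's body was empty
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def classify_attachment(filename: str) -> Dict[str, object]:
    """Split a filename on dots and report double-extension / executable status."""
    pieces = filename.lower().split(".")
    final_ext = pieces[-1] if len(pieces) > 1 else ""
    return {
        "filename": filename,
        "double_extension": len(pieces) > 2,          # e.g. text.dat.pif
        "executable": final_ext in EXECUTABLE_EXTS,   # Windows runs it on double-click
    }


def scan(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 5322 message and return a verdict plus the signals behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    to_local = str(msg["To"] or "").split("@")[0].strip().lower()
    subject = str(msg["Subject"] or "").strip().lower()

    attachments: List[Dict[str, object]] = [
        classify_attachment(part.get_filename() or "")
        for part in msg.iter_attachments()
    ]
    # Block on the attachment alone: a double extension ending in an executable
    # type has no legitimate use in inbound mail.  The other two signals only
    # raise the score, since short subjects and first-name mailboxes are common.
    block = any(a["double_extension"] and a["executable"] for a in attachments)
    score = sum(1 for a in attachments if a["executable"])
    score += 1 if to_local in DICTIONARY_NAMES else 0
    score += 1 if subject in GENERIC_SUBJECTS else 0
    return {
        "block": block,
        "score": score,
        "dictionary_recipient": to_local in DICTIONARY_NAMES,
        "generic_subject": subject in GENERIC_SUBJECTS,
        "attachments": attachments,
    }


# Constructed sample mirroring the post; the payload bytes are a stand-in,
# not the worm.
SAMPLE = build_message("text.dat.pif", b"MZ\x90\x00" + b"\x00" * 16)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

    The hard block is deliberately narrow (double extension plus executable final extension) so that a legitimate report.pdf or a mailbox that happens to be a first name is only scored, not dropped.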

     


    Aug 28, 11:33 am (UTC-7)

    We received a sample of a new trojan horse that uses the Windows Encrypting File System (EFS) to hide its own files on infected machines. Because EFS ties the decryption key to a user account, a scanner running under a different account can see the file but cannot read its contents, which makes the trojan effectively opaque not just to the user but, more importantly, to anti-virus software.

    EFS, the Encrypting File System, is a feature of NTFS (not a separate file system) available in Microsoft Windows 2000, Windows XP Professional, Windows Server 2003 and Windows Media Center 2005. It transparently stores files encrypted on NTFS volumes so that confidential data cannot be read by an attacker who has physical access to the computer but not the user's key.

    Reports state that the malware propagates largely via forums and blogs in Italy.

    [snip]


    Message boards and various blogs in Italy have been spammed with a large volume of messages containing links to various domains. All of these domains link back to locations on the gromozon.com domain. These locations contain various known Internet Explorer exploits which are used to install a Downloader Trojan. For browsers other than Internet Explorer (Firefox, Opera etc) the user is prompted to save the file.


    [snip]

    Currently there is no way for a scanner to read the contents of a file that another account has encrypted with EFS. The file itself is not invisible, however: it still appears in directory listings and carries the FILE_ATTRIBUTE_ENCRYPTED attribute, which is what a scanner or an incident responder has to work from.

    Update (Chachi, Tue, 29 Aug 2006 05:10:20 AM)

    The detection for this will be TROJ_DLOADR.AO.
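    To make the point above concrete: EFS hides file contents, not files. The following is an added example, not Trend Micro's or the trojan author's code. It applies the FILE_ATTRIBUTE_ENCRYPTED bit check that a scanner or responder can run on any NTFS volume, and combines it with the hidden and system bits and an executable extension to rank what deserves a look. The constructed sample listing stands in for what os.stat() returns on Windows so the logic runs on any platform; every path and attribute value in it is made up, including the file name svchost_helper.dll.

```python
"""Enumerate EFS-encrypted files by attribute bits (added example)."""
import os
from typing import Dict, Iterable, List, Tuple

# winnt.h FILE_ATTRIBUTE_* values; the stat module exposes the same constants.
ENCRYPTED = 0x4000
HIDDEN = 0x0002
SYSTEM = 0x0004
DIRECTORY = 0x0010
ARCHIVE = 0x0020


def is_efs_encrypted(attrs: int) -> bool:
    """True when the NTFS attribute bits mark the entry as EFS-encrypted."""
    return bool(attrs & ENCRYPTED)


def flag_entries(entries: Iterable[Tuple[str, int]]) -> List[Dict[str, object]]:
    """Given (path, attribute bits) pairs, return the encrypted files together
    with the other bits malware tends to combine with EFS (hidden, system).
    Directories are skipped: an encrypted folder only means new files in it
    inherit the attribute."""
    hits: List[Dict[str, object]] = []
    for path, attrs in entries:
        if attrs & DIRECTORY or not is_efs_encrypted(attrs):
            continue
        hits.append({
            "path": path,
            "hidden": bool(attrs & HIDDEN),
            "system": bool(attrs & SYSTEM),
            # An encrypted executable is unusual; encrypted user documents
            # are the normal use of EFS.  Extension list is an assumption.
            "suspicious": path.lower().endswith((".exe", ".dll", ".sys")),
        })
    return hits


def find_efs_files(root: str) -> List[Dict[str, object]]:
    """Walk root and apply flag_entries to real attribute bits.  Only Windows
    populates st_file_attributes, so on other platforms this returns []."""
    entries: List[Tuple[str, int]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full, follow_symlinks=False)
            except OSError:
                continue                      # unreadable entry, keep going
            entries.append((full, getattr(st, "st_file_attributes", 0)))
    return flag_entries(entries)


# Constructed sample listing (not from a real infected host).
SAMPLE_LISTING = [
    (r"C:\Users\alice\Documents\taxes.xlsx", ENCRYPTED | ARCHIVE),           # legitimate EFS use
    (r"C:\Windows\System32\svchost_helper.dll", ENCRYPTED | HIDDEN | SYSTEM),  # made-up name
    (r"C:\Windows\System32\kernel32.dll", ARCHIVE),                           # plain file
    (r"C:\Users\alice\Secret", ENCRYPTED | DIRECTORY),                        # directory, skipped
]

if __name__ == "__main__":
    for hit in flag_entries(SAMPLE_LISTING):
        print(hit)
```

    On a live Windows host, run find_efs_files against the system drive from an administrative prompt; anything it returns under the Windows directory with the hidden or system bits set is worth pulling for analysis from an account that does hold the key, or from a forensic image.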

     



    A second proof-of-concept (PoC) for MS06-040 has been released on Milw0rm.com. This one is the MS Windows NetpIsRemote() overflow exploit, and it has been tested against Windows XP SP1 and Windows 2000 SP4.


    The code was released for educational purposes, which makes it accessible to researchers and malware authors alike.


    With this information malware authors can now include the exploit in their code, but it also leaves us, the malware researchers, better prepared for the incoming threat.

     


    Aug 28, 10:37 am (UTC-7)

    Christopher Maxwell of Vacaville, California, was sentenced to 37 months in prison followed by three years of probation, and ordered to pay a combined $250,000 in restitution to Northwest Hospital and the Department of Defense.


    Maxwell pleaded guilty to launching a botnet attack that compromised computers at Northwest Hospital in Seattle and at several universities.


    Check here for the rest of the story.


    This shows that people in high places are beginning to understand the damage that security breaches can bring and are now taking steps to send a message, especially to the botnet community. One point for the good guys!

     



    Think twice before searching for free stuff on the Internet. Searching for “free music” or “free screensavers” can return results that lead to malicious web sites. “Free” is a common search keyword, and malware and spyware authors use that to their advantage. Sites that advertise “free” games and screensavers often bundle spyware and adware with the download, and the same goes for sites offering other free items such as mp3s, e-cards and ringtones. You never know whether the site that promises tons of free mp3s will instead exploit a vulnerability in your browser and install a resource-hogging, keylogging, malware-downloading Trojan on your system. The moral of the story is to be wary of such sites and not to be taken in by these common social-engineering ploys.


    Read more about this here

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice