
    Archive for August, 2006



Aug 30, 10:43 am (UTC-7)

    A new malware partnership was discovered earlier today. A worm, detected as WORM_WOMBLE.A, mass-mails a modified Windows Metafile (WMF) that takes advantage of a vulnerability in order to drop copies of the worm. A worm that uses a WMF to propagate? Or a malicious WMF that uses a worm to spread?


    It doesn’t really matter. It only matters to computer and antivirus experts whose job is to analyze the files and provide a solution. To the greater, and arguably more important, population of average computer users, it is a single malware package that their system needs protection from.


It is not a new propagation technique, as far as malware history is concerned. One of the biggest malware attacks in history was such a partnership, a little over two years ago: WORM_NETSKY.P started mass-mailing copies of itself with the help of HTML_NETSKY.P, which exploited the Incorrect MIME Header Vulnerability to execute the malicious attachment automatically when the email was opened or even just previewed. This fueled WORM_NETSKY.P to spread like fire, and it has gone on to infect almost a million computers* worldwide to date.


Later generations of the prominent BAGLE family mass-mailed Trojans that download copies of the worm onto recipients' computers. The first time a WORM_BAGLE variant employed this technique, many computer experts were briefly taken aback: how could a Trojan downloader with no propagation capabilities of its own spread? Before long, the vicious cycle was busted. Still, the partnership proved disastrous or effective, depending on your point of view, as several of these partnerships went on to cause outbreaks.


    Another prominent malware partnership involved WORM_FEEBS variants that mass-mailed malicious JavaScript files, whose payload includes downloading copies of the worm. The main component in this case seems to be the JavaScript, rather than the worm and this adds an interesting new twist. Worms have always been considered to be some of the most destructive malware, not only because they consume system and network resources, and can carry a myriad of payloads, but because they can bring their damage to a wide scale. But the FEEBS attacks relegated worms to mere tools for propagation; the JavaScript carries the payloads. And why not? Worms are easiest to detect. Let the user detect and remove the worm from the system all while the JavaScript does its job.


The new attack by WORM_WOMBLE.A is reminiscent of WORM_NETSKY.P, because half of the email messages it sends contain a specially crafted WMF that takes advantage of the Windows Graphics Rendering Engine Vulnerability, which allows it to automatically drop and execute a copy of the worm when the user so much as views the WMF in Windows Explorer. Half, because it may also attach a copy of itself, in which case it is a regular mass-mailer.


    In a lot of ways, however, it is also like the BAGLE and FEEBS attacks, because it is an endless cycle of a worm mass-mailing a dropper that in turn drops a copy of the worm, which again mass-mails a dropper and so on. For this cycle to stop, both components should be removed from the system.


    Which is why a holistic approach to malware removal is best for average computer users. They don’t differentiate between main component and sub-component. All they care about, and understandably so, is if their system is safe from malware attack: main component or not, partnership or not.


    * Data from Trend Micro World Tracking Center.



Aug 29, 7:35 am (UTC-7)

We are currently receiving samples of another Rechnung spam. As of this writing we have received 100+ samples of this trojan. The samples have been handed over for processing, solutions will be posted as soon as possible and, of course, updates will follow.

    Update (Obet, Wed, 30 Aug 2006 02:09:31 AM)


This is being spammed a lot. We have now received a couple of hundred samples of this malware, and Trend Micro is going to detect this threat as BKDR_HAXDOOR.IL. The pattern that will detect it is now under testing and will be released very soon.


    Update (Obet, Wed, 30 Aug 2006 03:01:04 AM)


With this I will just remind everybody to watch out for mails with attachments named Rakningen.zip or Rechnung.zip; the file size of BKDR_HAXDOOR.IL is 52,693 bytes. Do not open the attachment. If you see a mail with this attachment, especially if the file size is the same, kindly disregard it.


    Update (Obet, Wed, 30 Aug 2006 09:11:20 AM)


    More updates. The Control Pattern Release 3.700.04 that will detect this current threat has been released and can be downloaded here. More information regarding this threat can be found here.




A new worm is spreading, using email as its propagation vector. It arrives as an attachment to an email with various, ambiguous subjects (e.g. “Hello”, “Test”). The name of the attached file varies from one email to another, but all attachment names use double extensions. When executed, it drops the file rsmb.exe in the Windows folder and attempts to download a file, which may be malicious. Initial analysis reveals that the malware seems to target individual email addresses in a particular domain by concatenating a common first name (e.g. john, mary, ann) with a well-known domain name. Below is a sample email:


TO: smith@[domain-name].com
SUBJECT: hello
BODY: [none]
ATTACHMENT: text.dat.pif


    Update (Jasper, Mon, 28 Aug 2006 05:00:16 PM)

This threat will be detected as WORM_STRATION.AP. Its detection pattern is available in CPR 3.694.01.
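A mail-gateway check for the two attachment patterns described in this post and in the Rechnung/Rakningen post above, added here as an example and not Trend Micro's code: it flags double-extension attachments that end in an executable type (such as the text.dat.pif sample) and the BKDR_HAXDOOR.IL attachment names at the stated size of 52,693 bytes. The list of risky extensions and the sample messages are constructed for the example.

```python
from dataclasses import dataclass

# Final extensions that should not arrive hidden behind another extension
# (constructed list; ".pif" is the one in the WORM_STRATION.AP sample above).
RISKY_FINAL_EXT = {"pif", "exe", "scr", "com", "bat", "cmd"}
# Indicators from the BKDR_HAXDOOR.IL post: attachment names and exact size in bytes.
HAXDOOR_NAMES = {"rechnung.zip", "rakningen.zip"}
HAXDOOR_SIZE = 52_693

@dataclass
class Attachment:
    filename: str
    size: int  # bytes

def normalize(filename):
    # Lower-case and drop whitespace so "Text.dat .PIF" and "text.dat.pif" compare equal.
    return "".join(filename.lower().split())

def has_double_extension(filename):
    # "text.dat.pif" -> ["text", "dat", "pif"]; a dotfile such as ".profile" does not count.
    parts = normalize(filename).split(".")
    return len(parts) >= 3 and all(parts[1:])

def classify(att):
    """Verdict for one attachment: 'block: ...', 'review: ...' or 'ok'."""
    name = normalize(att.filename)
    if name in HAXDOOR_NAMES:
        if att.size == HAXDOOR_SIZE:
            return "block: matches BKDR_HAXDOOR.IL name and size"
        return "review: HAXDOOR attachment name, size differs"
    if has_double_extension(name) and name.rsplit(".", 1)[1] in RISKY_FINAL_EXT:
        return "block: double extension ending in an executable type"
    return "ok"

def scan(messages):
    """Return (recipient, filename, verdict) for every attachment that is not 'ok'."""
    return [(m["to"], a.filename, classify(a))
            for m in messages for a in m["attachments"] if classify(a) != "ok"]

# Constructed sample traffic modelled on the two posts (not real captures).
SAMPLE = [
    {"to": "smith@example.com", "attachments": [Attachment("text.dat.pif", 41_000)]},
    {"to": "john@example.com", "attachments": [Attachment("Rechnung.zip", 52_693)]},
    {"to": "mary@example.com", "attachments": [Attachment("Rakningen.zip", 60_000)]},
    {"to": "ann@example.com", "attachments": [Attachment("report.tar.gz", 9_000)]},
]

for hit in scan(SAMPLE):
    print(*hit, sep=" | ")
```

The legitimate report.tar.gz passes because only a risky final extension behind another extension is blocked; a HAXDOOR name with a different size is surfaced for review rather than blocked outright.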



Aug 28, 11:33 am (UTC-7)

We received a sample of a new trojan horse that utilizes the Windows Encrypting File System (EFS) to hide any traces of itself on infected machines, thereby making it virtually invisible not just to the user but, more importantly, to anti-virus software.

EFS, or Encrypting File System, is a file system feature available in Microsoft Windows 2000, Windows XP Pro, Windows Server 2003, and Windows Media Center 2005. The technology transparently allows files to be stored encrypted on NTFS file systems to protect confidential data from attackers with physical access to the computer.

    Reports state that the malware propagates largely via forums and blogs in Italy.

    [snip]


Message boards and various blogs in Italy have been spammed with a large volume of messages containing links to various domains. All of these domains link back to locations on the gromozon.com domain. These locations contain various known Internet Explorer exploits which are used to install a Downloader Trojan. For browsers other than Internet Explorer (Firefox, Opera, etc.) the user is prompted to save the file.


    [snip]

    Currently there are no known methods for detecting files hidden using EFS.

    Update (Chachi, Tue, 29 Aug 2006 05:10:20 AM)

    The detection for this will be TROJ_DLOADR.AO.




A second PoC for MS06-040 has been released by Milw0rm.com; it targets the MS Windows NetpIsRemote() overflow. The PoC has been tested on Windows XP SP1 and Windows 2000 SP4.


The code was released for educational purposes, which makes it accessible to researchers and malware authors alike.


With this information malware authors can now include the exploit in their code, but it also leaves us, the malware researchers, better prepared for the incoming threat.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice