Archive for September 13th, 2006


Sep13
by Trend Micro

It’s that time of the month again and fortunately it’s relatively light compared to last month’s release. Microsoft has just released its monthly security update for September to address the following vulnerabilities.

Critical

  • Microsoft Security Bulletin MS06-054: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)

Important

  • Microsoft Security Bulletin MS06-052: Vulnerability in Reliable Multicast Program (PGM) Could Result in Denial of Service (919007)

Moderate

  • Microsoft Security Bulletin MS06-053: Vulnerability in Indexing Service Could Allow Cross-Site Scripting (920685)

Don’t forget to patch your systems as soon as possible.


Sep13
by Jasper Pimentel (Advanced Threats Researcher)

Several Trojan downloaders are being spammed to email inboxes once again. These Trojans pose as picture file attachments and use a double extension plus trailing characters to trick unsuspecting users into clicking the file. As of this writing, we have received 3 different samples of this malware:

  • Kodak_foto04.JPG….exe (MD5 Hash: 768c94b93fbdabde9480b022e1a56669)
  • Kodak_foto02.JPG….exe (MD5 Hash: 6b10fe30d303a91f133edb459f05609f)
  • Kodak_foto01.JPG….exe (MD5 Hash: 800ffd6c25a62ed694bf4410e35539f1)

Though they have different MD5 hashes, these samples exhibit the same behavior. Initial analysis has shown that upon execution, the malware drops its components into the Windows system folder. It then downloads a disguised SWF file that is known to exhibit rootkit behavior once installed on the affected system.

A solution has already been deployed for these threats. Trend is detecting all mentioned files as TROJ_DLOADER.DSW using OPR 3.745.00.


Sep13
by Jasper Pimentel (Advanced Threats Researcher)

Last month, Microsoft released the security patch for MS06-049, which addresses a privilege escalation vulnerability in the Windows kernel that could enable any logged-on user to gain complete control over the affected system. Just a month after its release, however, some users have reported problems with the security patch.

When the patch is applied to a system with folders that have the compression option enabled, the compressed data residing within those folders is at risk of corruption. Newly created files of a particular file size (approximately a multiple of 4K) may have their last 4000 bytes overwritten.

This problem has already been reported to Microsoft, but there is no official announcement from them yet. One possible workaround for preventing the problem caused by this patch is to disable folder compression. We’ll update you once word about this problem has been sent out.
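The post describes the symptom (files whose size is close to a multiple of 4K losing their last 4000 bytes) but gives no way to confirm whether a given compressed folder is affected. The script below is an added canary check written for this page, not Trend Micro code: it writes files of sizes at, just under and just over each multiple of 4096 bytes into a folder you name, forces them to disk, reads them back and reports which sizes did not survive the round trip. The folder must already have compression enabled (this script does not change folder attributes), and the byte pattern, file names and size list are constructed for the example.

```python
import os
import tempfile

BLOCK = 4096   # the "multiple of 4K" size class the post describes


def pattern(size: int) -> bytes:
    """Deterministic, non-repeating filler so any clobbered tail shows up on comparison."""
    return bytes(((i * 131) + (i >> 8)) & 0xFF for i in range(size))


def candidate_sizes(max_multiple: int = 16) -> list:
    """Sizes at, one byte under and one byte over each multiple of 4K, up to max_multiple * 4K."""
    sizes = []
    for k in range(1, max_multiple + 1):
        for delta in (-1, 0, 1):
            sizes.append(k * BLOCK + delta)
    return sizes


def check_folder(folder: str, sizes=None) -> dict:
    """Write a canary file of each size into folder, fsync it, read it back and compare.

    Returns {size: True if intact, False if the bytes read back differ}.
    The canary files are removed afterwards. The folder is assumed to be one
    whose compression attribute is already set (e.g. via compact /c on Windows).
    """
    results = {}
    for size in sizes if sizes is not None else candidate_sizes():
        path = os.path.join(folder, "canary_%d.bin" % size)
        expected = pattern(size)
        with open(path, "wb") as f:
            f.write(expected)
            f.flush()
            os.fsync(f.fileno())   # push the data through the filesystem before re-reading it
        with open(path, "rb") as f:
            actual = f.read()
        results[size] = actual == expected
        os.remove(path)
    return results


def corrupted_sizes(results: dict) -> list:
    """Sizes whose canary did not survive the write/read round trip, in ascending order."""
    return sorted(size for size, ok in results.items() if not ok)


def run_in_temp_dir(max_multiple: int = 4) -> dict:
    """Self-contained run against a fresh temporary directory (normally uncompressed, so all intact)."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_folder(tmp, candidate_sizes(max_multiple))


if __name__ == "__main__":
    import sys
    # Usage: python canary_check.py <compressed folder>; defaults to the temp dir for a dry run.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    bad = corrupted_sizes(check_folder(target))
    print("corrupted sizes:", bad if bad else "none")
```

On a healthy filesystem every size comes back intact and the script prints "none"; a list of sizes clustered around multiples of 4096 is the signature the post describes, and the affected folder can then be switched to uncompressed as the workaround suggests.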


Sep13
by Jhoevine Capicio (Advanced Threats Researcher)

We are currently processing four new WORM_STRATION variants. These WORM_STRATION variants have mass-mailing capabilities and share the same set of email details. All four variants also download the file lt.exe from http://yuhadefunjinsa.com/[blank].

The four new WORM_STRATION variants were discovered only a couple of hours apart, starting with WORM_STRATION.AZ, then WORM_STRATION.BB, WORM_STRATION.BC and (hopefully) the last, WORM_STRATION.BJ.

You may view the e-mail details of the four WORM_STRATION variants in the image below. It is worth pointing out that this worm poses as a Windows Update patch. Most of the attachment filenames are of the form Update-KB(four-digit random number)-x86.exe, which adds to the social engineering factor that makes the user think this is a valid patch. On some variants, the worm even displays a message box with the text “Update Successfully Installed” after it is executed. Moreover, the release of this worm in the wild is timed to be very near the Microsoft Vulnerability Update Patch release, which is tomorrow, Tuesday, September 12.

All in all, the four WORM_STRATION variants are well-thought-out worms that use a lot of social engineering techniques to convince potential victims that the attachment is a valid Microsoft patch and execute it.

WORM_STRATION.AZ displays this message box after execution.

Some variants create a text file and open it using the default text editor.

We are continuing with the analysis of the four worm variants and will update this blog entry when new things come up.

Update (Jovs, Tue, 12 Sep 2006 01:49:57 AM)

Further investigation revealed that it has another download site named gadesunheranwui.com[foo]/[bar]/lt.exe. The file is the same as the one from the previous site.

However, curiosity got the better of me and I wondered what else was on the site. Well, along my search I found two other files in a different directory of both domains, tested them with our pattern, and they turned out to be copies of WORM_STRATION.AE.
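Both the TROJ_DLOADER.DSW post (picture names padded with dots before a hidden .exe) and this WORM_STRATION post (attachments named like Update-KB####-x86.exe) describe lures that can be recognised from the attachment name alone before anything is opened. The screening routine below is an added example for this page, not Trend Micro's detection code: it flags the double extension, the run of dots or ellipsis padding, and the fake-patch naming pattern, and separately matches attachment bytes against the three MD5 hashes quoted in the TROJ_DLOADER.DSW post. The extension lists and the sample attachment set are constructed assumptions, not a complete policy.

```python
import hashlib
import re

# The three hashes quoted in the TROJ_DLOADER.DSW post above (the only page-specific values used here).
KNOWN_BAD_MD5 = {
    "768c94b93fbdabde9480b022e1a56669",
    "6b10fe30d303a91f133edb459f05609f",
    "800ffd6c25a62ed694bf4410e35539f1",
}

# Extensions Windows will execute, and harmless-looking extensions used as decoys.
# Both sets are assumptions for the example, not an exhaustive list.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}

# Fake-patch lure from the WORM_STRATION post: Update-KB<four digits>-x86.exe (matched after lower-casing)
FAKE_PATCH_RE = re.compile(r"^update-kb\d{4}-x86\.exe$")


def classify_attachment(name: str) -> list:
    """Return the reasons an attachment name looks like a lure; an empty list means no hit."""
    reasons = []
    # Fold case and turn the Unicode ellipsis into plain dots so 'JPG….exe' is seen as 'jpg....exe'.
    lowered = name.lower().replace("\u2026", "...")
    parts = lowered.split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return reasons
    middle = parts[1:-1]   # everything between the basename and the real (executable) extension
    decoys = [p for p in middle if p in DECOY_EXTS]
    if decoys:
        reasons.append("double extension: .%s before .%s" % (decoys[0], parts[-1]))
    if "" in middle:
        reasons.append("run of dots or ellipsis padding before the executable extension")
    if FAKE_PATCH_RE.match(lowered):
        reasons.append("name mimics a Microsoft update package")
    return reasons


def is_known_sample(data: bytes) -> bool:
    """Exact match against the MD5 hashes published in the TROJ_DLOADER.DSW post."""
    return hashlib.md5(data).hexdigest() in KNOWN_BAD_MD5


def screen_message(attachments: dict) -> dict:
    """attachments maps filename -> raw bytes; returns only the flagged names with their reasons."""
    flagged = {}
    for name, data in attachments.items():
        reasons = classify_attachment(name)
        if is_known_sample(data):
            reasons.append("MD5 matches a known TROJ_DLOADER.DSW sample")
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    # Constructed attachment set: the lure names from the two posts plus a benign picture.
    sample = {
        "Kodak_foto04.JPG\u2026.exe": b"constructed placeholder, not the real sample",
        "Update-KB4281-x86.exe": b"constructed placeholder, not the real sample",
        "holiday.jpg": b"\xff\xd8\xff\xe0 constructed jpeg header",
    }
    for name, reasons in screen_message(sample).items():
        print(name, "->", "; ".join(reasons))
```

The name checks catch new variants that the hash list cannot, which is the point the posts make: the hashes differ per sample, but the lure pattern stays the same. A gateway rule built this way should quarantine on any reason rather than only on a hash match.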


Sep13
by Jonell Baltazar (Advanced Threats Researcher)

Apple released a security update for its media player, QuickTime, which affects both Windows and Mac users. The security flaws found in QuickTime can crash the player or allow arbitrary code execution when exploited. More details about the security update here.


The next update is for Adobe Flash Player, where an attacker can take control of the affected system upon successful exploitation of the vulnerability found in the player. Adobe rates this vulnerability as critical and recommends that all Windows and Mac OS users of Adobe Flash Player versions 8.0.24.0 and earlier update. More details about the update here.


Users are advised to apply security updates not only to the operating system. Security updates should also be applied to third-party software, as it can be an attack vector for malware that compromises your system even when the OS is fully patched.


Users can find the download page of the software updates mentioned by following the hyperlinks:



© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice