For the past few weeks TMIRT is conducting a sort of investigation on how TSPY_LINEAGE and TSPY_WOW arrives on users’ systems. Sure they are Trojan Spywares that do not have the capability to replicate, but then, why are there so many infection reports?

Owing to the fact that they are Trojan Spywares aimed to steal user accounts for the online games Lineage and World of Warcraft (WoW), it is but logical to target those who actually play the game. So, for more than a week, we scoured the Internet searching for hacks, key generators and cheats for both online games. But alas, our search did not yield a malicious file.

Then, just this morning, I bumped into this old article by the Honeyclient Project, where they reported several compromised World of Warcraft accounts. The compromised accounts was caused by a Trojan Spyware (most probably TSPY_WOW) that was installed in gamer’s machine when he visited an ad in Allakzaham – a site where World of Warcraft players trade, sell, or auction virtual items that can be used in the online game.

As a previous blog entry reports, compromised accounts can be used by the malicious author to steal virtual items and then sell it on sites like Allakzaham.

So there, now we have a clearer idea on how company networks become infected. An employee uses company resources to play online games, browses items that can boost the skill level of his character in the online game, gets infected by a Trojan Spyware and it’s accomplice (ever heard about PE_LOOKED?), and then infection spreads in the company’s network.

Moral of the story?

• 1. Do not allow online games
  
• 2. Block ports used by online games
  
• 3. Block sites related to these online games
  
• 4. Educate your users

Simple enough isn’t it?

Today, our email honeypot are receiving emails from WORM_STRATION malware. Unlike the other day where we received 10 different MD5 hashes, now we have 25 different MD5 hashes.

Here is a look at some of the email sent by the worm having the binary file as a zip file attachment.

As for the MD5 hashes, here’s the list (for system admins):

• 0675f71a67dd8dd3716e484855ee2627
• 1d4583ba2c3ebdc6c027cb49db92158c
• 261cec1464be928427ec14b121ea5665
• 299f76fdbf585e5f17941074498349c8
• 37753fdb5de5414a73caa1cc1a36876e
• 3d08becc3329cf3b5d9e10369fc8958d
• 750f38d4e38a6d60051306b8a25fb52d
• 767ac4882e799f5464cb18552c95d257
• 76a347170e155630a059522e424873ed
• 7b5e061f4ad607cf00c10d92b538c4a2
• 89ec4062507593e1e287966fb1acd734
• 9ee6203674f4d770240ae3dc31d90358
• b044c6051d0f7da8aee9e1f9a1f425ab
• b06155140861e86c97bf9cb1abed44c1
• b06155140861e86c97bf9cb1abed44c1
• babf9bdc89ed24522188976ce66be3e1
• cc6a14bcef5ac3227e50ba29f11c6c27
• cf1cf557f045400d4532bd72b3bd6020
• d6e211e97d7799b1792a3cdfbbed78da
• d77bb7178999486d505a8114a12573a3
• d77bb7178999486d505a8114a12573a3
• f973acf2896214400bbcfd5064a8fca8
• fe3a0d18413d9a3a9cfea9fa99264823
• 6938575d2dba7c7f3dbdff97e1cd0617
• 7108695e31b1e029c70392954a197e33

Again, all of these samples are detected by using the Intellitrap technology as PAK_GENERIC.001. These samples will be included in the detection of WORM_STRATIO in the upcoming Official Pattern Release.

There have been several vml exploits found in the wild these past few weeks so I guess most of you are wondering what makes this one different.

Well, to begin with it tries to lure users to sites containing the exploit code by claiming that they’ve gotten a Yahoo! eCard. Once the user visits the site it downloads and installs several executable files one of which is already detected by Trend Micro Inc. as TROJ_BZUB.AW. The other files have already been submitted to the service team for processing. Hang on for updates on this.

In the meantime, you may read up on previous articles we’ve written regarding this exploit for tips, workarounds and other useful information about this vulnerability.

• New IE Zero Day Seen in the wild
• IE Zero Day + Web Attacker Kit
• Update on VML Exploit – IE 0-day
• Web-Attacker + IE 0-Day Stats!

Update (Sheryll Tiauzon, Tue, 26 Sep 2006 07:00:22 AM)

We’ve just received an update from the service team, the files will be detected as HTML_VMLFILL.C and BKDR_SMALL.DYZ.