    Archive for October, 2006




    After the “success” of WORM_STRAT.DR yesterday, the inevitable twin brother was bound to show up sooner or later. Clearly, with the detection of WORM_STRAT.DX today, it is more “sooner” than “later”.


    Similar to the .DR variant, this new STRATION worm arrives on a system as a file downloaded by its manually spammed Trojan clone (TROJ_STRAT.DX). And with the sudden surge of infection reports (mainly from Japan, Taiwan, and China) and email samples received, it seems that there is another attempt at a “spiked attack”. What differs between the two variants, however, is the domain from which they download additional components. Yesterday it was vedasetionderun.com for WORM_STRAT.DR. Since this is most probably already blocked by most security companies, WORM_STRAT.DX opted to use another domain: hertionkadesinpoion.com.


    From the looks of things, there seems to be a new STRATION strategy in the works. Blame it on the recent cameo appearance of MYTOB, because here’s what I think: after all those comparisons between STRATION and MYTOB (i.e., STRATION is the new MYTOB), the sudden reappearance of the latter reminded us that MYTOB may be old, but it still packs a punch. Placed beside the “original”, STRATION looked like a pathetic copycat.


    Uh-oh. Are we looking at another worm war? Let’s hope not.

     
    Posted in Uncategorized | Comments Off



    For a brief amount of time today, TMIRT honeypots received multiple samples of TROJ_STRAT.DR. In what seems to be another “spiked” attack, TROJ_STRAT.DR was aggressively spammed, recompiled, then spammed again. This methodology resulted in at least 10 variations of the said malware, each one with a different MD5 but with the same behavior.


    TROJ_STRAT.DR is a Trojan downloader that copies heavily from its worm brother: the same timing (a few days after Microsoft’s Patch Tuesday), the same e-mail details (pretending to be a patch from Microsoft), and the same file attachment naming format (UPDATE-KBxxxx-x86).


    This Trojan downloads WORM_STRAT.DR from the VEDASETIONDERUN.COM domain. Interestingly, the said domain was created only yesterday, October 18, 2006. It seems that the domain was created for the sole purpose of hosting downloadable STRAT variants.


    OPR 855 was quickly released to protect Trend Micro customers from this malware.

     
    Posted in Uncategorized | Comments Off
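    An added detection sketch covering both STRATION posts above (this is not Trend Micro’s code nor anything from the posts): it flags proxy log entries whose destination domain was registered only days before the request and whose filename mimics the UPDATE-KBxxxx-x86 attachment name. The log lines and the creation-date table are constructed for the example, except the October 18, 2006 registration date of vedasetionderun.com, which the post states; a real deployment would replace the table with a WHOIS/RDAP lookup.

```python
"""Flag STRATION-style downloads: a freshly registered domain plus a fake-patch filename."""
import re
from datetime import date

# Attachment naming the posts describe: UPDATE-KBxxxx-x86 (the digits vary per sample).
FAKE_PATCH_RE = re.compile(r"^UPDATE-KB\d+-x86(?:\.\w+)?$", re.IGNORECASE)

# Stand-in for a WHOIS/RDAP creation-date lookup (assumption: a real deployment
# would query the registry). vedasetionderun.com's date is from the post; the
# other two dates are constructed for this example.
DOMAIN_CREATED = {
    "vedasetionderun.com": date(2006, 10, 18),
    "hertionkadesinpoion.com": date(2006, 10, 19),   # constructed
    "download.microsoft.com": date(1991, 5, 2),      # constructed placeholder
}

def domain_age_days(host, seen_on):
    """Days between the domain's creation and the observed request; None if unknown."""
    created = DOMAIN_CREATED.get(host.lower())
    return None if created is None else (seen_on - created).days

def classify_download(line, max_age_days=7):
    """Return the reasons a log line looks like a STRATION downloader fetch.

    Constructed log format: 'YYYY-MM-DD host path'. An empty list means clean.
    """
    day, host, path = line.split()
    seen_on = date.fromisoformat(day)
    reasons = []
    age = domain_age_days(host, seen_on)
    if age is not None and age <= max_age_days:
        reasons.append(f"domain registered {age} day(s) before request")
    filename = path.rsplit("/", 1)[-1]
    if FAKE_PATCH_RE.match(filename):
        reasons.append("filename mimics a Microsoft patch (UPDATE-KBnnnn-x86)")
    return reasons

SAMPLE_LOG = [  # constructed lines, not taken from the posts
    "2006-10-19 vedasetionderun.com /UPDATE-KB9283-x86.exe",
    "2006-10-20 hertionkadesinpoion.com /files/worm.bin",
    "2006-10-20 download.microsoft.com /update/WindowsXP-KB925486-x86-ENU.exe",
]

def suspicious_lines(log=SAMPLE_LOG):
    """Return (line, reasons) pairs for every line that triggered at least one rule."""
    hits = []
    for line in log:
        reasons = classify_download(line)
        if reasons:
            hits.append((line, reasons))
    return hits

if __name__ == "__main__":
    for line, why in suspicious_lines():
        print(line, "->", "; ".join(why))
```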



    No, there’s no typo in the title above… But I can understand your surprise! (Smirk!)


    In our antivirus world of cleaning trojans and viruses off infected systems, what could be crazier (but also most ingenious, I might say) than actually having a trojan install an antivirus on your system?!?


    But yes! It is true… and Trend detects this trojan as TROJ_AGENT.BGK.


    This trojan, whose main purpose is to send spam from the infected computer, installs an antivirus on the infected system by downloading a pirated copy of Kaspersky Antivirus. It then patches the KAV license signature check and lets the antivirus scan the system, skipping the trojan itself and its components WHILE flagging and deleting other malware found. The trojan obviously uses this technique against potential rival trojans that may also infect the system and take a share of the pickings… Apparently, for this greedily ingenious trojan, two or more cannot play at this game… ;)


    What a dilemma for Kaspersky though… Talk about a free marketing stunt from the bad guys!


    More from Joe Stewart of SecureWorks.

     
    Posted in Uncategorized | Comments Off



    Microsoft has released its much-awaited (I’m not sure if this is true) Internet Explorer 7, and not more than 24 hours have passed before its first vulnerability was posted. Secunia released information regarding this new IE7 vulnerability. According to them, the vulnerability is caused by an error in the handling of redirections for URLs with the “mhtml” URI handler. This can be exploited to access documents served from another web site.


    Exploiting the vulnerability, however, requires access to a server where the attacker can write HTTP headers: the browser must be forced to visit a certain URL, which then redirects to another URL.

    IE7 can be downloaded here.

    Update (Roberto Tayag, Fri, 20 Oct 2006 07:55:16 AM)


    Apparently, according to Microsoft, the vulnerability itself is in Outlook Express; IE7 is just a vector. This vulnerability is currently under investigation by Microsoft.

     
    Posted in Uncategorized | Comments Off



    The recent months have seen a lot of zero-day exploits targeting Microsoft Word, what with MDROPPER variants becoming a perennial mainstay in the Trend Micro Malware Advisories page (TROJ_MDROPPER.CT being the most recent detection).


    It is a bit surprising, therefore, when new malware exploiting old vulnerabilities suddenly appears virtually out of nowhere. W97M_KUKUDRO.AB and W97M_LAFOOL.AO, detected almost two days apart, both take advantage of MS vulnerabilities dating as far back as 2001 and 2003, respectively. We all know that the threat landscape has changed dramatically since then. And using macros? That is sooo ancient.


    And yet, they still proved effective, even almost getting detected as new exploit Trojans. Why? Because of the mere fact that they are ancient. Something old, yet something new. In a time when Microsoft (and perhaps even the antivirus industry) are chasing proof-of-concept and zero-day malware like cats after anything shiny, seemingly unassuming grandpa exploits may just slip in quietly. The same goes for computer users who may be panicking over the latest security fixes… and forgetting the older patches in the process.


    Perhaps malware authors are trying to check whether we have strained our necks forward for so long that we cannot look back anymore. Fortunately, we love to stretch our muscles once in a while.

     
    Posted in Uncategorized | 1 TrackBack »



    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice