
    Archive for October, 2006



    Oct 24, 3:29 am (UTC-7)

    As of this writing, we are getting a lot of samples of a malware that Trend Micro is going to detect as TROJ_DLOADER.GAF (the pattern has already been created and is now in the testing phase). The malware is currently being spammed as an attachment; the filenames and MD5 hashes of the files differ. Some of the filenames are:



    • doc.zip
    • test.zip
    • document.zip
    • body.zip
    • text.zip
    • Update-KB-x86.zip
    • file.zip
    • readme.zip
    • data.zip
    • message.zip
    • test.txt.pif
    • text.txt.pif

    The extensions vary: zip, exe, pif, and cmd. The file sizes of these attachments also vary, from 12,430 to 12,758 bytes. When the archive is extracted, it drops an executable file that disguises itself with a Notepad icon. Please think twice before opening email attachments with these filenames, or, at least for today, attachments with these extensions.
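As an added example (not code from the original post), here is a small triage routine in Python that applies the indicators listed above to an incoming attachment: the reported filenames, the size range, executable and double extensions, and the members of a zip archive. The sample zip it builds is constructed filler, not the real malware, and the extension set beyond exe/pif/cmd is an assumption.

```python
import io
import zipfile
from typing import List, Tuple

# Filenames reported for the TROJ_DLOADER.GAF spam run (from the post).
SPAMMED_NAMES = {
    "doc.zip", "test.zip", "document.zip", "body.zip", "text.zip",
    "Update-KB-x86.zip", "file.zip", "readme.zip", "data.zip",
    "message.zip", "test.txt.pif", "text.txt.pif",
}
# exe/pif/cmd come from the post; the rest are assumed common extras.
EXEC_EXTS = {"exe", "pif", "cmd", "scr", "com", "bat"}
SIZE_RANGE = (12430, 12758)  # attachment sizes reported in the post


def risky_name(name: str) -> List[str]:
    """Reasons a filename alone looks suspicious (executable / double extension)."""
    parts = name.lower().split(".")
    reasons = []
    if parts[-1] in EXEC_EXTS:
        reasons.append("executable extension ." + parts[-1])
        if len(parts) > 2:  # e.g. test.txt.pif pretends to be a text file
            reasons.append("double extension hides executable")
    return reasons


def triage_attachment(name: str, data: bytes) -> List[str]:
    """Collect every indicator that matches; an empty list means nothing flagged."""
    reasons = []
    if name in SPAMMED_NAMES:
        reasons.append("filename matches the spammed set")
    reasons += risky_name(name)
    if SIZE_RANGE[0] <= len(data) <= SIZE_RANGE[1]:
        reasons.append("size in reported range")
    if data[:2] == b"PK":  # zip archive: look at what it would extract
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for r in risky_name(member):
                        reasons.append("archive member %s: %s" % (member, r))
        except zipfile.BadZipFile:
            reasons.append("malformed zip")
    return reasons


def constructed_sample() -> Tuple[str, bytes]:
    """Benign stand-in shaped like the spam: a zip holding a .txt.pif of filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("test.txt.pif", b"X" * 12400)  # filler bytes, not code
    return "doc.zip", buf.getvalue()
```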

     
    Posted in Uncategorized | Comments Off



    Here’s a little update on the latest 0-day threat related to the MS PowerPoint vulnerability.


    This vulnerability can only be exploited by opening a specially crafted PowerPoint file; we therefore need to be cautious when receiving and opening PowerPoint files, especially if they come from untrusted sources.


    As of this writing, the vendor has not yet issued an official security patch, and no incidents have been reported in the wild. Fortunately, Trend Micro has had a solution for this vulnerability since October 13, 2006.


    The proof-of-concept exploit (PERL_AKINA.A) that appeared on milw0rm, and the specially crafted PowerPoint file (TROJ_AKINA.A) generated by the PoC exploit script, have already been added to the detection patterns of Trend Micro products to protect customers from malware based on this exploit.

     
    Posted in Uncategorized | Comments Off





    Yes, especially if you got one of Apple’s Video iPods manufactured after September 12, according to a report from CNET.


    Although the worm does not affect Macs or iPods, the worm included in the iPod units is a Windows-based worm that can propagate via mapped drives and has backdoor capabilities that can leave Windows systems compromised. Because of this propagation feature, it is possible that during production the affected iPods were infected by a copy of the worm already present on an infected system when the iPods were plugged in, for testing purposes or otherwise.


    It’s a good thing, though, that Trend Micro has detected this as WORM_SIWEOL.A since May 2006, and customers can be assured that this free worm-in-an-iPod will not get in the way of their listening sprees.


    More info here:


     
    Posted in Uncategorized | Comments Off



    For the past few months our honeypots haven’t been getting a lot of malware, unlike before, where we’d get worms or trojans a dime a dozen. Now we have the occasional 1- or 2-day spikes where we get, say, one malware variant, but spammed by the boatload!


    For example, starting early last night, we’ve gotten well over 8,500 samples (and still counting, of course..) of a Haxdoor backdoor variant (BKDR_HAXDOOR.KW). And just a little over an hour ago we started receiving a TROJ_YABE variant (TROJ_YABE.AG) at the same alarming rate (now over 1,000 samples in just a couple of hours). You’d think these guys are either in cahoots or there’s some sort of virus war going on (Hehe..). The samples most likely arrive via email, the first containing the file “die_rechnung.exe” as an attachment and the other containing the file “Telekom.pdf.exe”.


    Now I’m assuming that at some point over the past few months we’ve all heard the term “Targeted Attacks”, but up until now the exact definition (if there ever is one) remains unclear. Even I can’t come up with my own definition of what constitutes a targeted attack. For example, the two cases we received last night: can they be classified as targeted attacks?


    Despite the fact that the concept of targeted attacks remains relative to the individual, one thing is quite obvious: there have been increased reports of such activities. The downside I see in these kinds of attacks is that they’re harder to spot and, as a result, harder to defend against. The more widespread a particular malware is, the easier it is for AV vendors to pick it up and create patterns for it. However, if the virus attacks, say, one particular corporation, it will be harder to get samples of it, especially if the targeted company doesn’t even realize that it’s already been compromised.

     
    Posted in Uncategorized | Comments Off



    McDonald’s Japan recalled around 10,000 MP3 players that were part of its promotional prizes, according to a statement released by the company last Friday, October 13, 2006.


    The recall is due to the fact that some of the MP3 players were found to be infected with WORM_QQPASS.ADH. This worm propagates through removable drives, which is the most probable cause of the infection.


    This worm will automatically execute once the infected MP3 player is plugged into a USB port on the user’s system. This is caused by the autorun.inf file dropped by the malware, which is designed to launch the worm.


    There are two other Trojan-type malware that were reportedly found on some MP3 players: TROJ_AGENT.FAO and TROJ_BANLOAD.BGE. The presence of these two may mean that the image used by the MP3 player supplier is itself infected.


    McDonald’s Japan promptly recalled the promotional MP3 players and opened its phone lines for inquiries.


    Trend Micro released OPR 3.845.00 late Friday night to detect all three malware and prevent any further infection.

     
    Posted in Uncategorized | 1 TrackBack »

