The smoke from the LINKOPTIM attack against the Italian computing population last month has not completely cleared, but already a new worm that uses email messages in Italian is making the rounds. Last weekend, the Incident Response Team at Trend Micro recorded that as much as 82% of all email messages received by their email honey pot were generated by this worm.

WORM_SPIAG.A sends copies of itself as attachment to email messages that promise photos of the recipient on a beach.
“In spiaggia”the subject reads. “In the beach.”

The email message says:

Bacini! Ti mando le foto che mi hai fatto questa estate. Una =E8 meglio che la cancelli

A free online translator produced this (surely) loose translation:

River basins! I’m sending you the photos that you have made this summer with me. A =E8 better than it cancels it

The attachment file name sustains this picture on the beach scam: SPIAGGIAFOTO.ZIP. When a recipient opens this attachment, the worm executes on the system, and the system becomes a launch pad for further propagation.

“What’s up with this old-fashioned worm?”, one might ask. It does not even try to cover its malicious acts by, say, dropping and opening an image file to further trick the user, the way some malware do. Instead, it proceeds with its payload right away. It dials to premium numbers, possibly to long-distance numbers or pay-per-view sites. Also, as the Incident Response Team documents, this worm accesses a legit social networking Web site for adults, and this raises questions as to the true goal of WORM_SPIAG.A.

It’s a worm that carries a dialer payload. Wait, that’s not quite right. Along with the major change in the malware threat landscape (from outbreaks to targeted attacks) is an inevitable shift in perspectives. WORM_SPIAG.A is a dialer with propagation capabilities. Now that’s more like it.

In any case, the affected user ends up being charged for calls or connections that he or she never intentionally made.

Well, let’s just say that’s the price of being a stubbornly unwise computer user at a time when complex, coordinated, targeted attacks are rampant, a time when user awareness and carefulness are more critical than ever.

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!

A proof-of-concept code exploiting a vulnerability found in Microsoft IE ADODB.Connection is already published. This code tends to crash vulnerable versions of MS IE. However, there are speculations that remote code execution is possible and it is not long before malicious hackers discover it.

In this case, possible workaround includes disabling ActiveX control in IE, disabling the ADODB.Connection ActiveX control or only allowing ActiveX control in trusted zones.

Microsoft is aware of the said vulnerability and said that they are investigating the issue. For more information and workaround issues/guides, feel free to visit the links referred found in the references.

• isc.sans.org
• US-CERT
• www.securityfocus.com
• Microsoft Security Response Center Blog

Reports have been coming in that a new 0 Day Remote DoS for Microsoft is being used in the wild.

The vulnerability exists in the ipnathlp.dll. In order for the exploit to work, Internet Connection Sharing should be enabled and the attack should come from the shared interface. This has been confirmed to disable the Windows Firewall.

More information can be found from the ncircle blog.

The PoC for this has also been released by milw0rm.

As of today, there has been 3 vulnerabilities found on Microsoft’s newly released Internet browser, unfortunately by default it is the most famous browser, Internet Explorer 7. IE7 was only released last more than a week ago and not a day passed and the Denmark based Secunia has already released its first vulnerabilityfor this product. TMIRT reported this in our blog. Since then they have posted 2 more vulnerabilities, one on Popup Address Bar Spoofing and another one which was posted yesterday, a sort of halloween treat of Secunia for Microsoft, a Window Injection Vulnerability.

Although according to their rating, all the three vulnerabilites are not that critical, they still pose as a threat to users, while Microsoft atests that this is the most secure release of IE7, these vulnerabilities might beg to differ. Hopefully Microsoft will include fixes for these things on their november release for their monthly releases so this actually means it is again a busy night for us here at TrendLabs on the 14th of November.

Just a few days after the attack of WORM_SPIAG.A, another malware, which seems to be a variant of the said worm, has already been reported to be spreading in the wild today. Detected by Trend Micro as WORM_SEMAIL.A, this worm also targets Italian audiences when sending copies of itself via email.

The details of the email it sends are as follows:

Subject:In spiaggia


Message body:
Che vergogna!!! Ma ero proprio io quella… Condizioni disastrose… L’alcool disinibisce Ci sono un paio di foto che devi cancellare… Bacini


Attachment:Ferragosto.zip

This new worm is quite similar to WORM_SPIAG.A in terms of its propagation. It also uses the same social engineering technique in enticing target users to open its attachment, which contains the copy of this worm. However, besides the slight difference in its email details, it is also notable that the dialer capabilities of this worm seem to have been omitted in this variant.

Although WORM_SEMAIL.A does not seem to have quite a payload as significant as its predecessor’s (i.e. dialer payload), this is most probably just one of more malware that will use the same attack method (one that is focused on Italian computer users) and may evolve to have more payloads than just connecting to Web sites or dialing premium numbers. Users are therefore advised to be more critical of opening email messages they receive, even if it comes from familiar sources.