Archive for November, 2006


Nov17
by Carolyn Guevarra (Technical Communications)

We love scary movies. We like psyching ourselves out from time to time by watching them. They’re not real anyway. Heck, we love movies in general. But there is one kind of movie that, scary or not, can affect us in real life. It’s the kind that will haunt us in our everyday activities if we’re not careful about choosing what to watch.


I’m not talking about those creepy videos, like in the movie “The Ring”. I’m talking about video files that are modified by WORM_REALOR.A. Yes, malware authors have now found a way to use video formats in spreading a “scare” to innocent movie fanatics.


Malware authors have always piggybacked on the popularity of videos in their attempts to spread malicious code. Previously, however, they simply disguised their malware as video files to entice users to download it, or to open e-mail attachments that carried a copy of it.


Now, with the release into the wild of WORM_REALOR.A, malware authors are using the video files themselves to carry their malicious code.


According to an article from Security Focus,


“…the increasing popularity of video downloads and streaming Internet video–as demonstrated by the $1.6 billion valuation that Google placed on Internet video startup YouTube–will likely mean that online attackers will increasingly find ways to utilize the digital media as a method of compromising PCs…”

Read more about this article here.


WORM_REALOR.A modifies Real Media (.RM and .RMVB) files by inserting a hyperlink, so that playing the file loads a Web page containing JavaScript. Detected as JS_DLOADER.HHZ, that JavaScript then accesses another Web site (not accessible as of this writing) and downloads a malicious file, quite possibly a copy of WORM_REALOR.A, completing a vicious infection cycle.
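The post's advice is to check downloaded video files before playing them. The following is an added example, not code from the original post or from Trend Micro, of a simple way to do that for the RealMedia container: walk the file chunk by chunk (each chunk starts with a 4-byte ID, a 4-byte big-endian size covering the whole chunk, and a 2-byte version) and report any URL found inside a chunk payload. The sample files below are constructed for the example and do not reproduce the worm's actual insertion; the check is a heuristic, since a benign file could in principle carry a link, but a downloaded movie that embeds a URL is worth distrusting before RealPlayer gets a chance to open it.

```python
import re
import struct

# Protocols a player might hand to a browser or network stack. Heuristic only.
URL_RE = re.compile(rb"(?:https?|rtsp)://[\x21-\x7e]+")


def build_chunk(chunk_id: bytes, payload: bytes, version: int = 0) -> bytes:
    """Wrap payload in an RM chunk header: id (4), total size (4, big-endian), version (2)."""
    size = 4 + 4 + 2 + len(payload)
    return chunk_id + struct.pack(">IH", size, version) + payload


def iter_chunks(data: bytes):
    """Yield (offset, chunk_id, version, payload) for each chunk.

    A chunk whose declared size runs past the end of the file is reported with
    whatever bytes remain, and iteration stops rather than looping or crashing.
    """
    offset = 0
    while offset + 10 <= len(data):
        chunk_id = data[offset:offset + 4]
        size, version = struct.unpack(">IH", data[offset + 4:offset + 10])
        if size < 10 or offset + size > len(data):
            yield offset, chunk_id, version, data[offset + 10:]
            break
        yield offset, chunk_id, version, data[offset + 10:offset + size]
        offset += size


def find_embedded_urls(data: bytes):
    """Return [(chunk_offset, chunk_id, url), ...] for every URL found in any chunk payload."""
    findings = []
    for offset, chunk_id, _version, payload in iter_chunks(data):
        for match in URL_RE.finditer(payload):
            findings.append((offset,
                             chunk_id.decode("ascii", "replace"),
                             match.group().decode("ascii", "replace")))
    return findings


# Constructed sample files (not real REALOR samples). Chunk IDs follow the
# RealMedia layout: .RMF header, PROP, CONT, MDPR stream descriptor, DATA.
_RMF = build_chunk(b".RMF", struct.pack(">II", 0, 3))            # 18 bytes
_PROP = build_chunk(b"PROP", bytes(40))                            # 50 bytes
_CONT = build_chunk(b"CONT", b"\x00\x0bScary Movie" + b"\x00" * 6)  # 29 bytes
_DATA = build_chunk(b"DATA", b"\x00" * 64)
_URL = b"http://malicious.example/page.html"                      # assumed, illustrative

CLEAN_SAMPLE = _RMF + _PROP + _CONT + build_chunk(b"MDPR", bytes(24)) + _DATA
INFECTED_SAMPLE = (_RMF + _PROP + _CONT
                   + build_chunk(b"MDPR", struct.pack(">HH", 0, len(_URL)) + _URL + b"\x00" * 4)
                   + _DATA)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(name, find_embedded_urls(sample))
```

Run it against a real download before opening the file in the player; a hit names the chunk offset so the suspect bytes can be inspected in a hex editor. The truncation handling matters in practice: a file cut off mid-download must still be scannable rather than aborting the check.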


So when you download your favorite scary movies, or maybe the latest episodes of your favorite TV series for that matter, you might want to think twice and check the files before watching them. You might already be getting compromised in the process. Believe me, this is one kind of movie not worth freaking yourselves out with.



Nov16
by Jasper Pimentel (Advanced Threats Researcher)

Just a couple of days ago, I blogged about finding a media player that could play video clips on its own, without having to go through the hassle of installing an unknown codec that can put your system at risk. For those who frequently watch videos, I sure hope you took my advice. Several hours ago, I happened to stumble upon another website that poses as a codec download site. Apparently, perfectcodec(dot)com is a distribution vector for yet another TROJ_ZLOB variant.


The design of the website looks so professional that it can even trick the most experienced users.


When executed, the TROJ_ZLOB variant that can be downloaded from this site displays an EULA dialog box in its setup routine to fool the user into thinking that it’s a legitimate application.


This malware (to be detected by Trend as TROJ_ZLOB.BLQ) has been sent to the proper channels so that an appropriate solution can be deployed. We’ll keep you posted for updates.


Nov16
by Roberto Tayag (Threats Analyst)

Microsoft has released its November patches: six bulletins, one of which (MS06-071, Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution) addresses a vulnerability that was already being exploited as a zero-day. The details of November’s release are below.



  • MS06-066 - Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution
  • MS06-067 - Cumulative Security Update for Internet Explorer
  • MS06-068 - Vulnerability in Microsoft Agent Could Allow Remote Code Execution
  • MS06-069 - Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution
  • MS06-070 - Vulnerability in Workstation Service Could Allow Remote Code Execution
  • MS06-071 - Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution

Click the links above for detailed information on these bulletins.


Nov15
by Ryan Flores (Advanced Threats Researcher)

In an investigation conducted by TMIRT into WORM_NUWAR.BQ – the worm responsible for mailing copies of itself with e-mail subjects about a nuclear war or the death of President Bush – we discovered that this malware also serves as a seeding point for turning infected machines into spam zombies.


Aside from its mass-mailing capabilities, this worm also connects to 81.177.3.85 and downloads four files. The downloaded files are components that download further files and updates, harvest e-mail addresses, pack the worm into RAR archives, and act as a Trojan proxy, along with an updated copy of the worm itself.


The most interesting of the downloaded files are the component that harvests e-mail addresses and the Trojan proxy.


The component that gathers e-mail addresses not only collects them from the files most likely to contain them (WAB, MSG, etc.), but also sends the harvested addresses to 81.177.3.85! Now we’re talking about malware harvesting valid e-mail addresses!


The Trojan proxy component, on the other hand, acts as an SMTP relay server, and guess what? This component is responsible for turning the infected machine into a spam zombie! With port 25 left open for incoming connections, our test system was suddenly flooded with activity and began sending out pump-and-dump spam, as seen below!
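The behaviour described above leaves two traces at the network edge: a workstation that suddenly opens SMTP connections to many different external hosts, and a workstation that accepts inbound connections on port 25 (the relay being fed by the spammer). The following is an added example, not code from the original post or from TrendLabs, of detection logic that flags both from firewall logs. The log lines are constructed in netfilter style, the internal range is assumed to be 10.0.0.0/8, and 10.0.0.10 is assumed to be the organisation's legitimate mail server; the fan-out threshold is a tunable, not a value from the post.

```python
import re
from collections import defaultdict

# Constructed netfilter-style firewall log (not a real capture). eth1 is the
# LAN side, eth0 the Internet side. 10.0.0.10 is the assumed legitimate MX.
SAMPLE_LOG = """\
Nov 15 09:58:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.10 DST=198.51.100.7 PROTO=TCP SPT=40111 DPT=25 SYN
Nov 15 09:58:12 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.10 DST=198.51.100.8 PROTO=TCP SPT=40112 DPT=25 SYN
Nov 15 09:58:13 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.10 DST=198.51.100.9 PROTO=TCP SPT=40113 DPT=25 SYN
Nov 15 09:59:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.41 DST=203.0.113.20 PROTO=TCP SPT=1201 DPT=80 SYN
Nov 15 09:59:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.41 DST=203.0.113.21 PROTO=TCP SPT=1202 DPT=25 SYN
Nov 15 10:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.5 PROTO=TCP SPT=3322 DPT=25 SYN
Nov 15 10:01:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.6 PROTO=TCP SPT=3323 DPT=25 SYN
Nov 15 10:01:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.7 PROTO=TCP SPT=3324 DPT=25 SYN
Nov 15 10:01:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.8 PROTO=TCP SPT=3325 DPT=25 SYN
Nov 15 10:01:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.9 PROTO=TCP SPT=3326 DPT=25 SYN
Nov 15 10:01:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.10 PROTO=TCP SPT=3327 DPT=25 SYN
Nov 15 10:01:40 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=10.0.0.23 PROTO=TCP SPT=51000 DPT=25 SYN
Nov 15 10:01:41 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.78 DST=10.0.0.23 PROTO=TCP SPT=51001 DPT=25 SYN
Nov 15 10:02:00 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.80 DST=10.0.0.10 PROTO=TCP SPT=52000 DPT=25 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def is_internal(ip: str) -> bool:
    """Assumed internal address space for the example: 10.0.0.0/8."""
    return ip.startswith("10.")


def find_spam_zombies(log_text: str, mail_servers=frozenset({"10.0.0.10"}), fanout_threshold: int = 5):
    """Return sorted (host, reason, count) alerts for hosts behaving like spam relays.

    reason "outbound-smtp-fanout": a non-MX host opened SMTP to >= threshold distinct
    external hosts (mass mailing straight to victims' MXes).
    reason "accepts-inbound-smtp": a non-MX host received SMTP connections from the
    Internet (the Trojan proxy being used as an open relay).
    """
    outbound = defaultdict(set)   # internal src -> external SMTP destinations
    inbound = defaultdict(set)    # internal dst -> external sources hitting its port 25
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dpt") != "25":
            continue
        src, dst = m.group("src"), m.group("dst")
        if is_internal(src) and not is_internal(dst):
            outbound[src].add(dst)
        elif is_internal(dst) and not is_internal(src):
            inbound[dst].add(src)

    alerts = []
    for host, dsts in outbound.items():
        if host not in mail_servers and len(dsts) >= fanout_threshold:
            alerts.append((host, "outbound-smtp-fanout", len(dsts)))
    for host, srcs in inbound.items():
        if host not in mail_servers:
            alerts.append((host, "accepts-inbound-smtp", len(srcs)))
    return sorted(alerts)


if __name__ == "__main__":
    for host, reason, count in find_spam_zombies(SAMPLE_LOG):
        print(f"{host}: {reason} ({count})")
```

The mail server's own outbound SMTP and the inbound mail it receives are expected and are excluded by the allowlist. On most networks the stronger control is the egress rule itself: block outbound TCP/25 from everything except the designated mail servers, so that an infected workstation's spam run fails at the firewall and the blocked attempts become the alert.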


Ever wondered who sends out all that nasty spam? Well, your officemate, cousin, brother, or sister may be doing it for the spammers – for free!


*TrendLabs is conducting a more thorough investigation of this malware incident. A complete report will be posted online by our threat reporters.


Nov15
by Jhoevine Capicio (Advanced Threats Researcher)

A new TROJ_YABE variant is currently making the rounds on the net. We managed to get a copy of the sample e-mail. Please see below.


The e-mail is in German, and since I don’t read German, a Babel Fish translation of the e-mail body is given below.

———————————————-

eBay notice of changed e-mail address
Dear eBay member,

Thank you for your request to change your e-mail address. The instructions for changing your account were sent to your new e-mail address.

If the change of your e-mail address was not made by you, then immediately carry out the instructions described in the attached PDF document!

As soon as the procedure is finished, your e-mails from eBay will no longer be delivered to this e-mail address.

If you did not make this change, please first ask family members and other persons who may have access to your member account. If you believe that an unauthorized person changed your e-mail address, then follow the instructions described in the attached PDF file.

Thank you,
eBay
———————————————-


As you may have already guessed, this malware disguises itself as a PDF document in order to fool users into executing the attachment.


The e-mail attachment is Ebay.pdf.exe with a PDF icon, as shown below. With Windows Explorer’s default “Hide extensions for known file types” setting, the file is displayed simply as Ebay.pdf, so the icon and the visible name agree.


As part of its social engineering, Ebay.pdf.exe pops up a message box saying that an error has occurred in Acrobat 6, leading the user to believe that the attachment is just a corrupted PDF file and not a Trojan.
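The disguise works only because the receiving side trusts the file name. The following is an added example, not code from the original post or from Trend Micro, of the check a mail gateway or endpoint filter can apply to an attachment: look at the real last extension rather than the displayed one, flag a document-looking inner extension in front of an executable one (including the variant padded with spaces so the .exe scrolls out of view), and compare the declared type with the file's magic bytes. The attachment contents are constructed stand-ins, not the real Ebay.pdf.exe.

```python
import os
import re

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".xls", ".txt", ".jpg"}
MAGIC = {b"MZ": "windows-executable", b"%PDF": "pdf"}


def sniff(data: bytes) -> str:
    """Identify content by leading magic bytes, independent of the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def classify_attachment(filename: str, data: bytes):
    """Return the list of reasons to block the attachment; an empty list means allow."""
    reasons = []
    # Collapse whitespace: "Ebay.pdf          .exe" is the same trick as "Ebay.pdf.exe".
    name = re.sub(r"\s+", "", filename.lower())
    root, last_ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(root)

    if last_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last_ext}")
        if inner_ext in DOCUMENT_EXTS:
            reasons.append(f"double extension: looks like {inner_ext} but is {last_ext}")

    kind = sniff(data)
    if kind == "windows-executable" and last_ext not in EXECUTABLE_EXTS:
        reasons.append("content is a PE executable despite extension")
    if last_ext == ".pdf" and kind != "pdf":
        reasons.append("claims .pdf but content lacks %PDF header")
    return reasons


# Constructed sample contents (not the real Trojan): a PE-style "MZ" stub and a PDF header.
FAKE_PDF_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
REAL_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for fname, blob in (("Ebay.pdf.exe", FAKE_PDF_EXE),
                        ("Ebay.pdf          .exe", FAKE_PDF_EXE),
                        ("invoice.pdf", REAL_PDF),
                        ("notes.pdf", FAKE_PDF_EXE)):
        verdict = classify_attachment(fname, blob)
        print(f"{fname!r}: {'BLOCK ' + '; '.join(verdict) if verdict else 'allow'}")
```

The two checks are deliberately independent: the name check catches the Ebay.pdf.exe case even if the payload were packed in a way the magic test does not recognise, and the magic check catches a genuine executable renamed to a plain .pdf, which the name check alone would pass.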


Unknown to the user, Ebay.pdf.exe has by then already connected to the Internet and downloaded a text file from one of these locations:



  • http://[BLOCKED].com/language/lang_english/lan.txt
  • http://[BLOCKED]/more.txt
  • http://[BLOCKED]ges/sidebar/f02.txt
  • http://[BLOCKED]ix/Picture.txt
  • http://[BLOCKED]b.com.pl/stat.txt

These text files contain an encrypted URL pointing to another Trojan, a file named 6.exe, which Ebay.pdf.exe then downloads. That file in turn drops a BHO (Browser Helper Object) spyware component.


All files mentioned in this post have already been given to the service team for processing.



© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice