    Archive for December 11th, 2006




    Have you seen this yet?

    Interesting, isn’t it? That’s the AIM message I received on my own AIM account a couple of hours ago, but I would not try to visit the URL if I were you…

    But just in case you do visit the URL (just in case…), you will land on the same default page, index.html.

    If your web browser’s ActiveX control settings are not safely configured, a file named mpg2-3.0.1.exe will be downloaded to your system automatically. But even if they are properly configured, the tempting URL and the deceptive page (which pretends to offer a real video clip) may lead you to download and run the file yourself without realizing what you are getting into.

    When the downloaded file is executed, it displays a message box with a fake error message; in the background, however, it downloads another malicious file from the Internet. This second file is fetched from the URL http://tiny-url.us/f.php and is saved on the affected system as mstc.exe and then executed.

    So guys and gals, make sure you know what you are getting into nowadays; please be extra careful, and do not forget to update your antivirus program to the latest pattern file (this can keep you out of a lot of trouble…).

    Note:

    All URLs mentioned have already been submitted to the Web Blocking Team.

    The samples mpg2-3.0.1.exe and mstc.exe have been given the detection names TROJ_DLOADER.IBZ and WORM_NUGACHE.G, respectively.

     



    This coming Tuesday, the 12th of December, is the monthly Microsoft patch day, and according to Microsoft we should expect the following:

    • Five Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical.
    • One Microsoft Security Bulletin affecting Microsoft Visual Studio. The highest Maximum Severity rating for this is Critical.

    More information here.

     


    Dec 11, 5:44 am (UTC-7)

    I hadn’t visited mIRC for a while, so I intended to visit it at the start of my shift. I joined a couple of channels, and after some time I received a private message with a link pointing to a binary file. Yeah, just as I expected, malware still uses mIRC for its own purposes.

    The binary file is a previously undetected WORM_DREFIR.A and is already being processed by the Service Team. This malware caught my interest because, aside from a destructive payload in which it replaces every file it can access with an empty file of the same name, it can add a copy of itself to RAR files found on the affected user’s computer, using a randomly generated filename for the copy.

    A computer affected by this malware is used as a host to spread it further. The malware opens port 80 (HTTP), from which potential victims can fetch a copy of it, and sends private messages to potential victims through the mIRC channel it has connected to. The message contains a link to a copy of the malware that uses the IP address of the affected computer.

    Example:

    A potential victim receives the following message via IRC:

    – “http://www.google.com/url?q=http://xxx.yyy.zzz/TrialXXXView.scr”

    where xxx.yyy.zzz is the IP address of the compromised machine hosting the malware.
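    As an added example (not part of the original post), here is a small Python scanner that applies the lure pattern above to IRC log lines: it unwraps the google.com/url?q= redirect, which makes the visible link look like a Google address, and flags links that point at a bare IP address or at an executable such as a .scr file. The log lines and the 192.0.2.10 / 198.51.100.7 addresses are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote
# Constructed sample IRC log lines (not from the post); 192.0.2.x and 198.51.100.x are documentation addresses.
SAMPLE_LOG = """\
:alice!a@host PRIVMSG bob :hey check this http://www.google.com/url?q=http://192.0.2.10/TrialXXXView.scr
:carol!c@host PRIVMSG bob :meeting notes at http://www.example.com/notes.html
:dave!d@host PRIVMSG #chan :lol https://www.google.com/url?q=https://example.org/page
:eve!e@host PRIVMSG bob :http://198.51.100.7/update.exe
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PRIVMSG_RE = re.compile(r":(\S+?)!\S+ PRIVMSG (\S+) :(.*)")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
EXECUTABLE_EXT = (".scr", ".exe", ".pif", ".com", ".bat")

def unwrap_redirect(url):
    """Return the target of a google.com/url?q=... redirect, else the url unchanged."""
    p = urlparse(url)
    if (p.hostname or "").endswith(".google.com") and p.path == "/url":
        return unquote(parse_qs(p.query).get("q", [url])[0])
    return url

def classify_url(url):
    """Return the reasons a link matches the DREFIR lure pattern (empty if none)."""
    reasons = []
    final = unwrap_redirect(url)
    if final != url:
        reasons.append("google-redirect")   # visible URL disguised as Google
    p = urlparse(final)
    if IPV4_RE.fullmatch(p.hostname or ""):
        reasons.append("ip-host")           # served straight from an infected host
    if p.path.lower().endswith(EXECUTABLE_EXT):
        reasons.append("executable-path")   # e.g. a .scr screensaver binary
    return reasons

def scan_irc_log(text):
    """Return (sender, final_url, reasons) for private messages carrying a risky link."""
    hits = []
    for line in text.splitlines():
        m = PRIVMSG_RE.match(line)
        if not m:
            continue
        sender, _target, body = m.groups()
        for url in URL_RE.findall(body):
            reasons = classify_url(url)
            # A redirect alone is not enough; flag IP hosts or executable paths.
            if "ip-host" in reasons or "executable-path" in reasons:
                hits.append((sender, unwrap_redirect(url), reasons))
    return hits
```

    Running scan_irc_log(SAMPLE_LOG) reports only alice’s and eve’s links; dave’s redirect to an ordinary page is left alone.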

    The malware’s payload is activated on the 29th of every month when the seconds value of the system time is above 30. Here is the message it displays:

    It is good practice not to click URL links from IRC messages even if they come from a known acquaintance. It is possible that your friend’s computer was compromised and that the malware, not your friend, sent you the message. :)

    Keep your antivirus pattern files updated regularly to stay protected from the malware being discovered in the wild.

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice