
    Archive for December, 2006




    New variants of Zlob, TROJ_ZLOB.DSB and TROJ_ZLOB.DSC, have just turned up. Once again, these new variants pose as codec installers that can be downloaded from legitimate-looking websites, mediaobjectguide(dot)com and activexsource(dot)com. In an effort to trick more users into thinking that the websites offer reliable codecs, they mention Microsoft by name to add some credibility and explain the related technologies of ActiveX and OLE 2.




    Don’t let the websites’ professional-looking design and techno-babble fool you. These websites do not contain any codec installers at all. Rather, the files that they offer for download are nothing more than TROJ_ZLOB variants.

     
    Posted in Uncategorized | Comments Off



    Yeah, this is the same old IRC talk again. In past posts, we pointed out that while having a chat on IRC, there are private messages which contain links pointing to a certain malicious file or a website hosting malware. There are also instances where another IRC user sends you a malicious file through the DCC command. Up until now, there are still a couple of pieces of malware using these old techniques in IRC to achieve their malicious intents. Tonight (GMT + 8 time), I received a couple of links to malware via mIRC. The following are snapshots of the messages I received:






    The files were all submitted to the Service Team and the detections are as follows:



    • [blocked].cjb.cc/Sex.zip – TROJ_MULDROP.LF
    • [blocked].cjb.cc/Movies.zip – TROJ_MULDROP.LG
    • [blocked].cjb.cc/MalaySex/Sex.zip – WORM_IRCFLOOD.B
    • www.[blocked].ne1.net – which has an iframe containing the following link:

      • www.[blocked].com/userfiles/199253/sex.melayu.terlampau.zip – WORM_IRCFLOOD.A

    So, the question is: why do users still fall victim to these techniques? Hmmmm, and the creators of this malware are still using these techniques because there are still a lot of victims falling into their trap. Well, I think there is a lack of security awareness on the part of the user. Users must be educated on security risks found on the internet.


    As a reminder to users interacting with the internet, files received from unknown or known contacts should be handled accordingly. Have the file scanned by your anti-virus software, especially if it is a binary (executable) file. Be wary of links sent to you and take the utmost care in clicking on them; if a file download occurs, it’s always safer to save the file to your local disk so it can be scanned by your anti-virus software after the download, rather than executing it directly. Apply the latest security patches offered by the software vendor to your machine and keep your anti-virus pattern files up to date. Note: be aware and educate yourself about the things around you and in the wild world of the internet. That is the best way you can protect yourself from threats coming from the internet.

     
    Posted in Uncategorized | Comments Off
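The two delivery methods described in the IRC post above (links in private messages and DCC file offers) can be flagged from raw IRC traffic. The following is an added example, not part of the original post; the function name, extension list, nicknames and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: extensions treated as "downloadable file" for this example.
RISKY_EXT = (".zip", ".rar", ".exe", ".scr", ".pif", ".bat")
PRIVMSG = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
URL = re.compile(r"(?:https?://|www\.)\S+", re.I)
# CTCP DCC offer: \x01DCC SEND <file> <ip-as-integer> <port> [<size>]\x01
DCC_SEND = re.compile(r'\x01DCC SEND (?:"([^"]+)"|(\S+)) \d+ \d+(?: \d+)?\x01')

def classify(line, my_nick, known_nicks=frozenset()):
    """Return (kind, value) findings for one raw IRC protocol line."""
    m = PRIVMSG.match(line.rstrip("\r\n"))
    if not m or m["target"].lower() != my_nick.lower():
        return []  # only private messages addressed to us are inspected
    text = m["text"]
    unsolicited = m["nick"].lower() not in known_nicks
    findings = []
    dcc = DCC_SEND.search(text)
    if dcc:
        # File offers are flagged even from known contacts.
        findings.append(("dcc-send", dcc.group(1) or dcc.group(2)))
    for raw in URL.findall(text):
        raw = raw.rstrip(".,)>")
        url = raw if "://" in raw else "http://" + raw
        if urlparse(url).path.lower().endswith(RISKY_EXT):
            findings.append(("file-link", raw))          # direct link to a file
        elif unsolicited:
            findings.append(("unsolicited-link", raw))   # page link from a stranger
    return findings

# Constructed sample traffic (reserved example domains, made-up nicks).
SAMPLE = [
    ":stranger!u@host.example PRIVMSG me :hey check http://files.example.com/Movies.zip",
    ":stranger!u@host.example PRIVMSG me :\x01DCC SEND photo.scr 3232235777 4000 20480\x01",
    ":stranger!u@host.example PRIVMSG me :look at www.example.net.",
    ":friend!u@host.example PRIVMSG #chan :http://example.org/a.zip",
    ":friend!u@host.example PRIVMSG me :docs at http://example.org/readme",
]

def scan(lines, my_nick, known_nicks=frozenset()):
    """Map line index -> findings, skipping lines with nothing to report."""
    out = {}
    for i, line in enumerate(lines):
        hits = classify(line, my_nick, known_nicks)
        if hits:
            out[i] = hits
    return out

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE, "me", {"friend"}).items():
        print(idx, hits)
```

Flagged items are candidates for scanning before opening, in line with the post's advice; the check does not decide whether a file is malicious.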



    Microsoft has just released its Security Bulletins for the month of December.


    Today’s release resolves the vulnerabilities listed below.


    Three Critical



    • MS06-072 – Cumulative Security Update for Internet Explorer (925454)
    • MS06-073 – Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674)
    • MS06-078 – Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689)

    Four Important



    • MS06-074 – Vulnerability in SNMP Could Allow Remote Code Execution (926247)
    • MS06-075 – Vulnerability in Windows Could Allow Elevation of Privilege (926255)
    • MS06-076 – Cumulative Security Update for Outlook Express (923694)
    • MS06-077 – Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121)

    Aside from these new Security Bulletins, Microsoft has also released an updated patch for MS06-059.


    Sadly, there is no security patch for the recent Word exploits, so we still need to be extra careful when receiving and opening unsolicited Word documents. Other than that, just make sure you are updating your system right now! :D

     
    Posted in Security | Comments Off



    A number of threat experts are predicting an influx of malware disguised as media files in 2007. They cite the popularity of video-sharing Web sites (e.g., Youtube.com) and the increasing use of media files in social networking sites (Myspace.com) as the prime movers in this coming trend. Here at the tail end of 2006, the release of the proof-of-concept (POC) Trojan TROJ_MPEXPL.A is starting to make this prediction a fact.


    This Trojan takes advantage of a vulnerability found in the media player XMPlay v3.3.0.4. It arrives as a specially crafted ASX file which, when played in XMPlay, causes a buffer overflow. This overflow, in turn, enables a remote user to execute any file on the affected system without the user’s knowledge.


    Note that later versions of XMPlay have addressed this vulnerability.

     
    Posted in Uncategorized | Comments Off



    Another 0-day exploit is currently being investigated by Microsoft; last week we reported on a previous MS Word 0-day. Yesterday, a couple of reports emerged about a new 0-day, and according to the MSRC blog, this new claim is being investigated by them. We are still acquiring a sample for the appropriate solution and for our analysis; we will update you as soon as we get one. =)


    According to the MSRC blog, in their initial investigation, the 0-day affects the following versions:



    • Word 2000
    • Word 2002
    • Word 2003
    • Word Viewer 2003

    However, Word 2007 is not affected.


    Update (Roberto Tayag, Tue, 12 Dec 2006 01:55:22 PM)


    Yes, we have acquired a sample and Trend Micro will be detecting this file as TROJ_MDROPPER.EB. The pattern for this malware has already been submitted and is now under the scrutiny of our QA team. Updates will come as soon as the pattern file has been released.




    Update (Roberto Tayag, Wed, 13 Dec 2006 07:16:52 AM)


    The pattern that will detect this malware has been released and you can check more information regarding this here.


     
    Posted in Uncategorized | Comments Off


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice