Archive for March, 2007


Mar31
by Paul Oliveria (Technical Communications)

…it downloads a virus instead.

TrendLabs has received reports of a spammed email message that advises users to download an Internet Explorer 7 update. Below is the image attached in the said message:

[image: PE_GRUM_B_O_img1.gif]

However, once unsuspecting users click on this image, they are redirected instead to a Web site that downloads a file named IE7.0.exe. This file, while also legitimate-looking, is actually a file infector that Trend Micro detects as PE_GRUM.B-O.

Trend Micro always advises users to avoid clicking on links that come from untrusted sources. However, given this enhanced social engineering (it uses legitimate-looking IE7 images, etc.), I guess the lesson here is that while keeping one’s applications and programs updated is a good practice, users should just make sure that they go straight to the source (in this case, the Microsoft Web site), instead of someplace else. With the rise of Web-based threats that spoof even the “trusted” sites and/or organizations, it’s better to be safe than sorry.


Mar31
by Eric Avena (Technical Communications)

Like those animated cursors? You know, the ones that embellish the normal mouse arrow pointers and are available on the Internet? Be careful when downloading and installing these on your systems, as a new Web threat has recently been detected posing as one.

TrendLabs has recently detected TROJ_ANICMOO.AX, a Trojan that arrives as a specially crafted .ANI file — yes, the same file format used by these “tricked out” cursors — and takes advantage of a newly discovered vulnerability in the way Windows handles animated cursors. Once it successfully exploits this vulnerability, TROJ_ANICMOO.AX downloads another Trojan from the URL http://220.71.{BLOCKED}.189/wincf.exe. The downloaded malware is detected as TROJ_SMALL.DRF.

Note that this malicious .ANI file may arrive as a file downloaded by unknowing users from the Internet. It may also be downloaded by HTML embedded in email messages. It only runs on Windows XP.

As of this writing, Microsoft has yet to release a security patch for this vulnerability. Trend Micro thus advises users to regularly check the Microsoft Web site for the latest patches and updates, and avoid downloading or installing files — even if they do promise cute icons and cursors — from untrusted sources.
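A defender-side structural check for .ANI files, added here as an example (not Trend Micro's or Microsoft's code). It assumes the Windows animated-cursor layout: a RIFF container of form type ACON whose anih chunk carries a 36-byte ANIHEADER. Files that break these invariants (wrong anih length, more than one anih chunk, chunk sizes that overrun the file) are malformed and belong in quarantine for analysis rather than on a desktop; the samples at the bottom are constructed, not real malware.

```python
import struct

# sizeof(ANIHEADER) in the Windows animated-cursor format: nine DWORD fields
ANIH_SIZE = 36

def iter_chunks(data, start, end):
    """Yield (chunk_id, payload) for each RIFF chunk in data[start:end].
    A payload of None signals a chunk whose declared size runs past the end."""
    pos = start
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if body + size > end:
            yield cid, None
            return
        yield cid, data[body:body + size]
        pos = body + size + (size & 1)   # chunk payloads are word-aligned

def check_ani(data):
    """Return a list of structural findings; an empty list means the file is well-formed."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    findings = []
    declared = struct.unpack_from("<I", data, 4)[0]
    if declared + 8 != len(data):
        findings.append("RIFF size %d does not match file length %d" % (declared + 8, len(data)))
    anih_seen = 0
    for cid, body in iter_chunks(data, 12, len(data)):
        if body is None:
            findings.append("chunk %r runs past end of file" % cid)
            break
        if cid == b"anih":
            anih_seen += 1
            if len(body) != ANIH_SIZE:
                findings.append("anih chunk is %d bytes, expected %d" % (len(body), ANIH_SIZE))
            elif struct.unpack_from("<I", body, 0)[0] != ANIH_SIZE:
                findings.append("anih cbSize field disagrees with chunk length")
    if anih_seen != 1:
        findings.append("%d anih chunks, expected exactly 1" % anih_seen)
    return findings

# --- constructed samples for illustration (not real malware) ------------------
def chunk(cid, body):
    return cid + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")

def ani(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

GOOD_HEADER = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 0, 0, 10, 1)
GOOD_ANI = ani(chunk(b"anih", GOOD_HEADER))
# malformed: a duplicate anih chunk with a length the format does not allow
MALFORMED_ANI = ani(chunk(b"anih", GOOD_HEADER), chunk(b"anih", b"A" * 64))
```

Run `check_ani` over attachments and downloads with a .ani (or .cur/.ico) extension at the mail gateway or proxy; anything returning findings should be held, not delivered.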


Mar29
by Carolyn Guevarra (Technical Communications)

TrendLabs has received reports of a new worm, which targets Arabic/Persian-speaking regions, spreading in the wild. Detected as WORM_WALLA.B, this worm spreads copies of itself as an attachment to email messages with subject lines and message bodies mostly relating to current events from the said regions (About Iran, Pictures from Gazza, About the Israeli Intelligence, and All the Truth about the American intelligence among others), conforming to the sensational social engineering scheme that has recently become prevalent.

When executed, this worm first retrieves a target system’s keyboard layout settings, presumably to determine if the language used is Arabic or Persian, indicating a focused attack on regions using these languages. If the affected system does not conform to the languages, it terminates itself.

Like many worms, WORM_WALLA.B gathers target email addresses from Microsoft Outlook. However, using HTTP functions, this worm also gathers email addresses from Yahoo! Mail or Yahoo! Mail Beta. Hence, this worm is another of the growing new generation of threats referred to as Web threats, so-called because they exploit the power of the Internet to wreak havoc. Users, especially from affected regions, are advised to be wary of the said email messages and not to open email attachments from unknown sources.


Mar28
by Carolyn Guevarra (Technical Communications)

A set of STRATION codes has been discovered attempting to spread through Skype. An earlier version of this variant was initially seen in late February, the first time when the said malware family reportedly used Skype for its infection medium.

Skype users may receive a message that looks something like this:

Check up on this: {malicious URL}

It uses social engineering techniques to trick users into clicking the malicious link, thus setting off its infection cycle. When the malicious URL is accessed, the user is redirected to a Web site that hosts a malicious file. When this file is run, it downloads several other malicious files — most probably other STRATION variants — on the affected computer. It also sends the same message to the affected user’s Skype contacts.

Additionally, it attempts to connect to a Yahoo! mail server to send an SMTP message. However, the said server is currently down. It may also open a backdoor on the affected computer, compromising the system’s security.

Trend Micro already detects some samples related to this variant as WORM_WAREZOV.AP, WORM_STRATION.EU, WORM_STRATION.EV, and TROJ_AGENT.FYS. Users are advised not to click on links from suspicious messages, even if received from a known source.


Mar21
by Jonell Baltazar (Advanced Threats Researcher)

Today we received two samples related to the TROJ_YABE malware family with different MD5 hashes.

File Name:        Rechnung-Single.de.doc.exe (detected as TROJ_YABE.BT)
File Size:        18,432 bytes
MD5:              3dc607942049e82e7108443cc5d87403
                  c85657e8cda72be356554856f4158562
Downloaded Files: ws25.exe (116,952 bytes)
                  ws26.exe (116,952 bytes)
                  (detected as TROJ_DLOADER.KEH)
Related File:     ipv6monl.dll (84,184 bytes) (detected as TSPY_BZUB.CX)
Download URLs:    http://www.{blocked}-hovic.sk/_sub/wap/iexplorer.exe
                  http://www.{blocked}.sk/_sub/suchy/admin/img/iexplorer.exe

As with the recent YABE variants, this new sample also used the monthly bill from German Telekom for its social engineering. Here are some sample emails:

A second wave of spamming was also reported. Following are some details:
File Name:        T-Com.pdf.exe (detected as TROJ_YABE.BT)
File Size:        44,032 bytes
Downloaded File:  win994.exe (100,056 bytes) (detected as TSPY_BZUB.CX)
Related File:     ipv6monl.dll (66,776 bytes) (detected as TSPY_BZUB.CX)

Thanks to Alice Decker for the valuable information.
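The YABE samples above, like the IE7.0.exe file in the first post, rely on file names that look like documents or updates. The triage helper below is an added example (hypothetical code, not Trend Micro's) of the two gateway checks a practitioner would want for such attachments: a document-style extension immediately in front of an executable one, and content that carries the PE "MZ" stamp while the name claims something else. The extension sets and the sample file headers are assumptions chosen for illustration.

```python
# Hypothetical attachment triage helper (added example).
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd"}
DECOY_EXT = {"doc", "pdf", "gif", "jpg", "txt", "xls", "zip"}

def normalize(name):
    """Lower-case and collapse runs of whitespace (defeats 'bill.pdf      .exe' padding)."""
    return " ".join(name.strip().lower().split())

def double_extension(name):
    """Return (decoy, real) when a document-looking extension sits in front of an executable one."""
    parts = normalize(name).replace(" ", "").split(".")
    if len(parts) < 3:
        return None
    decoy, real = parts[-2], parts[-1]
    return (decoy, real) if real in EXEC_EXT and decoy in DECOY_EXT else None

def content_mismatch(name, head):
    """True when the name does not claim an executable but the bytes start with the PE 'MZ' stamp."""
    ext = normalize(name).rsplit(".", 1)[-1]
    return head[:2] == b"MZ" and ext not in EXEC_EXT

def triage(name, head=b""):
    """Collect the reasons an attachment should be held rather than delivered."""
    reasons = []
    hit = double_extension(name)
    if hit:
        reasons.append("executable disguised as %s (.%s.%s)" % (hit[0], hit[0], hit[1]))
    if content_mismatch(name, head):
        reasons.append("PE image with a non-executable name")
    return reasons

# constructed inputs: names from the posts above, with a fake PE header for the content check
SAMPLES = [
    ("Rechnung-Single.de.doc.exe", b"MZ\x90\x00"),
    ("T-Com.pdf.exe", b"MZ\x90\x00"),
    ("IE7.0.exe", b"MZ\x90\x00"),
    ("Rechnung.pdf", b"MZ\x90\x00"),
]
```

Note that IE7.0.exe produces no findings: a plainly named executable passes both checks, which is why name- and magic-based triage complements, rather than replaces, the advice to fetch updates only from the vendor's own site.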



© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice