
Archive for April 10th, 2007


Apr10
by Jonell Baltazar (Advanced Threats Researcher)

We’ve received a report of a website hosting several exploit creation tools, including toolkits whose output exploits MS07-004 and the latest MS07-017. These toolkits make it easier for a script kiddie to create malware of his own. Below is what the website hosting the toolkits looks like.

[Image site.JPG: screenshot of the website hosting the toolkits]

And the tools for the MS07-004 and MS07-017 exploits:

[Image ms07-004.JPG: the MS07-004 exploit toolkit]
[Image ani2.jpg: the MS07-017 exploit toolkit]
The good news is that we have detection for the tools mentioned: HKTL_EXPLOITER.K for the MS07-004 toolkit and HKTL_EXPLOITER.L for the MS07-017 toolkit. The output of the first toolkit is already detected as JS_IFRAMEBO.BG and VBS_PSYME.ALP (the latter covers this toolkit’s other output, which exploits MS06-014). The second toolkit’s output is detected as TROJ_ANICMOO.AX. Keep your antivirus pattern files updated to be protected from these threats, and apply the necessary security patches to prevent attacks targeting these known vulnerabilities.


Apr10
by Jonell Baltazar (Advanced Threats Researcher)

Today our email honeypot captured samples with subjects about a US missile strike killing Iranians and about Iran starting World War III. There is nothing in the body of the email message, just an executable attachment. This is related to a post in the SANS diary, “exe malware spammed under “Missile War” subjects”. For now we have ten samples with different MD5 hashes.

Attachment names:
  Click Me.exe
  ClickHere.exe
  News.exe
  Movie.exe
  Click Here.exe
  ReadMe.exe
  News.exe
  ReadMore.exe

Subjects used:
  Missle Strike: The USA kills more then 20000 Iranian citizens
  Iran Just Have Started World War III
  Israel Just Have Started World War III
  Missle Strike: The USA kills more then 10000 Iranian citizens
  USA Just Have Started World War III

File MD5s:
  F51C8A2C5CE9230F917A715A10AD7762
  226CA4F28060147ABC48D57F98E2DCF1
  4CFF704FE62BD02A52C3CC79D2919BD
  089A8A5D95Feb58723B38Da8Ef0Bc344
  044C425E423Ae5D2E41Fd986026C4671
  A2184A15862B79Fd53Db5A0C9Bae4979
  B771592Df96Ebe68E77405Ee8345005E
  96B736E03Af1962115E392319F745B7F
  2206F27627C600B4Bdfae5Ab21F813Ed
  F00D6F7A7C7B437A50De3Cb7C44862D9

File size: 51,342 bytes
The samples are being handled by the Service Team, so watch out for updates. In the meantime, system administrators may want to block emails with attachments similar to the ones mentioned above. Update: This malware will be detected as WORM_NUWAR.AOK.
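To show how the indicators listed above can be turned into a mail-gateway check, here is an added Python example (not Trend Micro’s code). It loads the attachment names, subject lines, MD5s and file size from the post into lookup sets, parses an RFC 822 message, and reports which indicators fire. The sample message it builds is constructed for the test; its attachment payload is a placeholder, so the hash and size checks are exercised but do not match, while the subject and attachment-name checks do.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Indicators copied from the post above. MD5s are lower-cased for comparison;
# one entry is 31 hex characters exactly as printed in the post, so it can
# never match a real digest and is kept only for completeness.
ATTACHMENT_NAMES = {
    "Click Me.exe", "ClickHere.exe", "News.exe", "Movie.exe",
    "Click Here.exe", "ReadMe.exe", "ReadMore.exe",
}
SUBJECTS = {
    "Missle Strike: The USA kills more then 20000 Iranian citizens",
    "Iran Just Have Started World War III",
    "Israel Just Have Started World War III",
    "Missle Strike: The USA kills more then 10000 Iranian citizens",
    "USA Just Have Started World War III",
}
MD5S = {h.lower() for h in (
    "F51C8A2C5CE9230F917A715A10AD7762", "226CA4F28060147ABC48D57F98E2DCF1",
    "4CFF704FE62BD02A52C3CC79D2919BD", "089A8A5D95Feb58723B38Da8Ef0Bc344",
    "044C425E423Ae5D2E41Fd986026C4671", "A2184A15862B79Fd53Db5A0C9Bae4979",
    "B771592Df96Ebe68E77405Ee8345005E", "96B736E03Af1962115E392319F745B7F",
    "2206F27627C600B4Bdfae5Ab21F813Ed", "F00D6F7A7C7B437A50De3Cb7C44862D9",
)}
FILE_SIZE = 51342


def inspect_message(raw):
    """Return the set of indicator tags that fire for one message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    # Normalise header whitespace so a folded Subject still compares equal.
    subject = " ".join(str(msg.get("Subject", "")).split())
    if subject in SUBJECTS:
        hits.add("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".exe"):
            hits.add("exe-attachment")        # generic: executable sent by mail
        if name in ATTACHMENT_NAMES:
            hits.add("attachment-name")
        if hashlib.md5(payload).hexdigest() in MD5S:
            hits.add("md5")
        if len(payload) == FILE_SIZE:
            hits.add("size")
    return hits


def build_sample(subject, filename, payload):
    """Construct a test message with one attachment (a fixture, not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"    # constructed address
    msg["To"] = "honeypot@example.invalid"    # constructed address
    msg["Subject"] = subject
    msg.set_content("\n")                     # effectively empty body, as in the captured mail
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("Iran Just Have Started World War III",
                          "Click Me.exe", b"MZ placeholder, not a real binary")
    print(sorted(inspect_message(sample)))
```

The generic "exe-attachment" tag is the one most gateways would act on regardless of the specific names, since the post’s attachment names are trivially changed by the sender; the hash and size checks only catch the exact samples listed.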


Apr10
by Miray Lozada (Technical Communications)

Several variants of the PE_VIRUT family are running amok. The very first PE_VIRUT was detected in May last year. As of yesterday, four variants were reported in the wild, with infection reports coming in from six different countries.


The new variants are not very different from the first PE_VIRUT. All target files with the extensions .EXE and .SCR, and all have backdoor capabilities. All variants are also capable of using different infection techniques: appending, cavity, overwriting, or EPO (entry point obscuring).
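As an added example of how a triage tool can surface an appending or EPO infection from the headers alone (this is not Trend Micro’s detection logic), the Python below parses the PE section table and the optional header’s AddressOfEntryPoint and reports three classic indicators: the entry point is not in the first code section, it sits in the last section, or its section is both writable and executable. The two images it checks are header-only fixtures built inline with struct.pack; the section name “.new” and all addresses are constructed, and no real code is present. Packed or self-modifying legitimate binaries trip the same checks, so treat the findings as a reason to look closer, not as a verdict.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (entry_rva, list of section dicts) read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "rawsize": f[3], "flags": f[9]})
    return entry_rva, sections


def entry_point_findings(data):
    """Heuristic indicators that the entry point was redirected (appending / EPO)."""
    entry_rva, sections = parse_pe(data)
    idx = next((i for i, s in enumerate(sections)
                if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if idx is None:
        return ["entry point lies outside every section"]
    sec = sections[idx]
    findings = []
    code_idx = next((i for i, s in enumerate(sections)
                     if s["flags"] & IMAGE_SCN_CNT_CODE), None)
    if code_idx is not None and idx != code_idx:
        findings.append(f"entry point in {sec['name']!r}, not the first code section")
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append(f"entry point in the last section {sec['name']!r}")
    if sec["flags"] & IMAGE_SCN_MEM_WRITE and sec["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {sec['name']!r} is writable and executable")
    return findings


def build_pe(sections, entry_rva):
    """Construct a header-only PE32 image (a test fixture, not a real executable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    hdrs = b"".join(struct.pack(SECTION_FMT, n.encode().ljust(8, b"\0"),
                                vs, va, vs, raw, 0, 0, 0, 0, fl)
                    for n, va, vs, raw, fl in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


# (name, VirtualAddress, VirtualSize, PointerToRawData, Characteristics); all constructed.
CLEAN = build_pe([(".text", 0x1000, 0x200, 0x400, 0x60000020),
                  (".data", 0x2000, 0x100, 0x600, 0xC0000040)], entry_rva=0x1010)
# Simulates an appended infection: a writable+executable section added at the
# end of the image, with the entry point moved into it. Headers only, no code.
APPENDED = build_pe([(".text", 0x1000, 0x200, 0x400, 0x60000020),
                     (".data", 0x2000, 0x100, 0x600, 0xC0000040),
                     (".new", 0x3000, 0x300, 0x700, 0xE0000020)], entry_rva=0x3000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("appended", APPENDED)):
        print(label, entry_point_findings(image) or ["no findings"])
```

Cavity and overwriting infections keep the entry point inside the original code section, so this check says nothing about them; for those, comparing the file against a known-good hash or a signed copy is the practical control, which is what the pattern-file detections above provide.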


Trend Micro detects these file infectors as PE_VIRUT.K, PE_VIRUT.H, PE_VIRUT.L, and PE_VIRUT.NS. All are already included in the latest pattern file.



© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice