Now here’s a real, literal
Patch Tuesday-Exploit Wednesday scenario: just one day after Microsoft released its latest batch of Security Bulletins, apparently a new flaw was discovered to affecting Windows Help files (.HLP) files.
The said vulnerability could allow a remote attacker to take advantage of a heap overflow in order to execute arbitrary code on a target system.

More details about this vulnerability can be found in Security Focus’s Web site. As for now there have been no reports about this vulnerability being exploited.

TrendLabs has received reports that another NUWAR variant is spreading via email messages. This time though, it attempts to trick users into executing its copy by — ironically — warning them that a worm has been detected on their systems.

Detected as WORM_NUWAR.AOP, this worm arrives via a password-protected ZIP file disguised as a patch, or security fix, to remove the alleged malware. The password is provided in the email’s message body. Note that the abovementioned password-protection technique has already been used by other malware in an attempt to not only trick users into thinking that the file is safe to open, but also to avoid immediate detection by antivirus applications (especially those that are not set to scan ZIP archives).

Trend Micro detects the password-protected ZIP file as WORM_NUWAR.ZIP.

This worm also drops a Trojan detected by Trend Micro as TROJ_DORF.AA. Thus, routines of the related Trojan may also be exhibited on the affected machine.

Trend Micro recommends that users avoid opening attachments coming from untrusted sources and bearing such subject lines as the following:

• Worm Alert!
• Worm Detected!

Update: [April 12, 2007; 7:00 AM PDT] As of this writing, Trend Micro has received infection reports of this worm from US, Canada, Germany, Japan, and Mexico.

Here’s one of the messages our email honeypot captured earlier this day:

The attachment (which may vary in filename from one email to another) actually contains WORM_NUWAR.AOP, which, as noted in the previous blog, camouflaged itself in password protected ZIP files to bypass immediate detection by antivirus applications.

However, this particular email that is being sent around has one more trick up its sleeve. While the password protected ZIP file is a mechanism to avoid detection by antivirus applications, the main body of the email is actually an image file (*.GIF). The use of an image file to contain the actual message text is a technique that allows it to bypass email filters such as antispam applications. The combined techniques that are employed by this particular malware increase its chances of evading security filters within a network and eventually end up in a user’s inbox.

We recommend that users refrain from opening the attachments of emails coming from untrusted sources.