
Archive for May 15th, 2007


May15
by Miray Lozada (Technical Communications)

A Spanish instant message travelling via MSN Messenger promises an animation of, presumably, US President George Bush once the recipient clicks on the given link. Of course, clicking the link downloads a copy of a worm detected by Trend Micro as WORM_KELVIR.EL.


A typical IM worm, this worm sends the same message to all the contacts in an affected user’s MSN Messenger account.

View the Trend Micro solution here.

 

May15
by Ryan Flores (Advanced Threats Researcher)

April has come and gone, and a lot of interesting malware was discovered.


So what are you waiting for? Scroll down and learn something!


Regional Attacks


As usual, Germany was the target of another e-mail based social engineering attack. The notorious e-mail, written in German, pretends to contain a license key for Avira’s anti-virus product.


Malware that hit it big


In the span of a week, the WORM_NUWAR gang of malware writers released three distinct variants. The first one, WORM_NUWAR.AOK, uses fear and terror to trick a potential victim into executing the attachment by spewing news about “World War III”. The second variant, WORM_NUWAR.AOO, takes the opposite approach by using e-mail subjects with “love”, like “A Token of My Love” and “Our Love is Free”. The third and last variant, WORM_NUWAR.AOP, plays on user paranoia by pretending to be a notification informing the user that a malicious application was detected on his/her system… only for the user to find out that the notification attachment is the malware itself!


Web-based Threats


Another rogue anti-spyware/anti-virus was discovered by Trend Micro when the adware program, ADW_SPYSHERIF.BG, was found to be hosted on a fraudulent website that pretends to be an anti-malware site.


Vulnerabilities and Exploits


Two vulnerabilities were reported last April. The first one is a buffer overflow vulnerability in Microsoft help (.hlp) files. The second one is a vulnerability in the Microsoft DNS service.


Of the two vulnerabilities, only the Microsoft DNS vulnerability was exploited. WORM_VANBOT.GC holds the distinction of being the first to exploit this particular vulnerability.


News and Events


The most tragic news this April was the shooting incident inside the campus of Virginia Tech. Malware authors were quick to exploit this incident by designing social engineering techniques that leverage this tragic event.


Other Interesting News


It was common for WORM_BAGLE variants to use ZIP compression to archive the malicious attachments in their e-mails. But just recently, a new variant of WORM_NUWAR, WORM_NUWAR.RAR, used the less common archiving software called RAR.


This particular technique employed by the NUWAR author may signify an increase in RAR users (using ZIP was easy because it is installed by default on Windows), but that is only speculation on my part.


Another unfamous malware encountered by TrendLabs last April is a new file infector called PE_VIRUT, which is capable of Cavity, Entry-Point-Obscuring, and Appending infection types. It’s been a while since we’ve encountered a challenging virus, and this particular incident may start a resurrection of complex file infectors.

 