
Archive for December 5th, 2007


Dec 5
by Mayee Corpin (Technical Communications)

It’s the most wonderful time of the year for most, including spammers who have started churning out Christmas-themed eCards in light of the approaching holidays.

Spammers would like recipients to believe that these eCards come from a legitimate sender: the spoofed From line displays the name of a reputable company. Interestingly, the mail body bears the phrase “no worm, no virus” to falsely allay users’ fears of infection. But of course, since spammers are not exactly purveyors of truth, users do get infected.

Clicking on the link http://{BLOCKED}tery.us/?id=ecard within the message body redirects users to the site http://{BLOCKED}n.unixbsd.info/~nuevocom/ItYatOk/index.php?, which hosts an obfuscated script detected by Trend Micro as JS_AGENT.AEGJ; this script in turn leads to the downloading of TROJ_DLOADER.XAP. The same script is also hosted on the following sites:

  • http://{BLOCKED}n.unixbsd.info/~nuevocom/ItYatOk/
  • http://64.27.{BLOCKED}.137/~nuevocom/ItYatOk/YM.exe
  • http://64.27.{BLOCKED}.137/~nuevocom/ItYatOk/uslotttery.exe

The last two sites download files that are detected as WORM_SOHANAD.EU and WORM_VB.FQO, respectively.

Christmas Day is some days away, and in the interim we can expect a glut of eCards of this nature. Remember that, however enticing, a fancy eCard may be out to spread malware rather than good cheer.

Posted in Spam

Dec 5
by Irene Vicente (Technical Communications)

Another fraudulent US Department of Justice (USDOJ) complaint email message may be sowing worry among unsuspecting Internet users that they are in legal trouble. The spammed message is quite like the earlier complaining Trojan that comes with a malicious attachment, informing the recipient that the USDOJ has received a complaint letter against the recipient’s company.

This new variant of the complaint spam also features a legitimate-looking letterhead of the government office and even a case number. The text of the email message is reproduced below:

Dear Mr. {NAME} ,

A complaint has been filled against the company you are affiliated to ( {COMPANY NAME} ) in regards to the domain of business activity.
The complaint was filled by Mr. {NAME} on 12/01/2007 and has been forwarded to us and the IRS .
Complaint Case Number: #E9AB30 Date: 12/01/2007 A copy of the original complaint and the contact information of Mr.
{NAME} has been attached to this e-mail.Please print and keep this copy for your personal records.
Disputes involving consumer products and/or services may be arbitrated.
Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:
Claims based on product liability;
Claims for personal injuries;
Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the US Department of Justice.
The Department of Justice offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

(c) 2007 US Department of Justice All Rights Reserved.

Recipients of this email should not be alarmed by the legalese. It may look official by all accounts, but as always, do not be easily tricked by messages that borrow the names of official agencies. This particular spam does not serve a complaint but rather malware that is detected by Trend Micro as TROJ_DELF.NWZ. This Trojan downloads another Trojan detected as TROJ_BHO.LD.
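The two campaigns on this page share the same tells: a From display name that borrows a trusted organisation while the actual sender domain is unrelated, a lure phrase in the body (“no worm, no virus”, “a complaint has been filled”), and either a link to pick up the “eCard” or an executable “copy of the complaint” attached. The following Python script is an added example of mail-gateway triage for both posts; it is not Trend Micro code. The organisation allowlist, the sender domains and both sample messages are constructed for the example, and the lure phrases are the ones quoted above.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed allowlist for this example: organisation names that show up in From
# display names, mapped to the sender domains treated as legitimate for them.
# The domains are placeholders, not the organisations' real mail domains.
ORG_DOMAINS = {
    "department of justice": {"mail.doj-legit.example"},
    "greetings co": {"mail.greetings-legit.example"},
}

# Lure phrases taken from the two campaigns described above (matched case-insensitively).
LURE_PHRASES = ("no worm, no virus", "complaint has been filled", "complaint case number")

# Attachment extensions that should never arrive unsolicited.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_parts(msg):
    """Return (display name, sender domain), both lower-cased, from the From header."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.lower(), domain


def body_text(msg):
    """Concatenate the text/plain body parts, skipping anything that is an attachment."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            chunks.append(part.get_content())
    return "\n".join(chunks)


def attachment_names(msg):
    """File names of all attachments (empty for a single-part message)."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def triage(msg):
    """Return a list of (finding, detail) pairs; an empty list means nothing matched."""
    findings = []
    name, domain = sender_parts(msg)
    for org, legit_domains in ORG_DOMAINS.items():
        if org in name and domain not in legit_domains:
            findings.append(("spoofed_display_name", f"{name} <{domain}>"))
    raw = body_text(msg)
    lowered = raw.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            findings.append(("lure_phrase", phrase))
    for url in URL_RE.findall(raw):
        findings.append(("url", url))
    for fname in attachment_names(msg):
        if fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("executable_attachment", fname))
    return findings


def is_suspicious(findings):
    """Flag a message when a spoofed sender is combined with a lure, a link or an executable."""
    kinds = {kind for kind, _ in findings}
    return "spoofed_display_name" in kinds and len(kinds) >= 2


def build_ecard_sample():
    """Constructed look-alike of the Christmas eCard lure (not the real spam)."""
    msg = EmailMessage()
    msg["From"] = '"Greetings Co. Holiday Cards" <promo@bulk-sender.example-spam.test>'
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "You have received a Christmas eCard"
    msg.set_content(
        "A friend has sent you a holiday eCard. No worm, no virus!\n"
        "View it here: http://lottery-lure.example-spam.test/?id=ecard\n"
    )
    return msg


def build_complaint_sample():
    """Constructed look-alike of the USDOJ complaint lure with an executable attached."""
    msg = EmailMessage()
    msg["From"] = '"US Department of Justice" <notice@complaints.example-spam.test>'
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Complaint Case Number: #000000"
    msg.set_content(
        "Dear Mr. Recipient,\n"
        "A complaint has been filled against the company you are affiliated to.\n"
        "Complaint Case Number: #000000. A copy of the original complaint is attached.\n"
    )
    # A few bytes standing in for a PE file; the attachment is never executed here.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="complaint_copy.exe")
    return msg


if __name__ == "__main__":
    for build in (build_ecard_sample, build_complaint_sample):
        found = triage(build())
        print(build.__name__, "suspicious" if is_suspicious(found) else "clean", found)
```

Each signal on its own is weak (plenty of legitimate mail carries links, and display names are free text), which is why the verdict requires the spoofed sender plus at least one more finding; in a real gateway the allowlist would be populated from the organisations' published sender domains and SPF/DKIM results rather than a hand-written dictionary.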

Posted in Malware, Spam

Dec 5
by Paul Oliveria (Technical Communications)

…as miscreants seem to be going “wild” about it.

Just last week, we posted an entry regarding the mentioned RTSP vulnerability affecting QuickTime Player 7.3. Now, SANS Internet Storm Center and Symantec have reported that the said flaw is already being actively exploited. As of this writing, it is said that the exploit code is being seeded from the URL http://{BLOCKED}.{BLOCKED}.183.59.

This URL reportedly also hosts several other exploits, but they all ultimately lead to the downloading of the following malicious file:

  • http://{BLOCKED}-search.com/000/loader.exe - already detected by Trend Micro as TROJ_DLOADER.QQI

This file, in turn, downloads another file from the following URL:

  • http://{BLOCKED}-search.com/000/dnlsvc.exe - already detected as TROJ_AGENT.BRB

Trend Micro Senior Threat Researcher Ivan Macalintal did a little more digging into the matter and found that true to the definition of Web threats, the infection chain doesn’t stop there. Below is a short summary of what follows next (and at one point, what happens together).

  • The seeder URL http://{BLOCKED}.{BLOCKED}.183.59 also downloads a file that connects to yet another Web site where EXPL_ANICMOO.GEN can be downloaded.
  • TROJ_AGENT.BRB drops a rootkit detected as TROJ_ROOTKIT.BO, possibly to hide its own or its components’ files and processes. It also downloads a file from the URL http://2005-search.com/go.exe. The said download file is detected as TROJ_DELF.KXB.
  • TROJ_DELF.KXB connects to more possibly malicious sites — including a known ZLOB-hosting site.

Since there is no patch available for this yet, even the most careful computer users may be affected by this attack. Trend Micro users, however, are already protected because Web Threat Protection blocks all related URLs. As mentioned, all of the malicious files are also already detected, so users just have to make sure that they update to the latest pattern file.
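The chain above (seeder URL, then loader.exe, then dnlsvc.exe, then go.exe) is exactly what a proxy log shows when URL blocking is in place, and it is the place to look when checking whether any client reached the seeder before the blocks landed. The Python script below is an added example of that check, written for this page and not part of Trend Micro's Web Threat Protection. The blocklist entries and the TEST-NET-2 range are placeholders standing in for the redacted hosts above, and the log lines are constructed in a minimal "timestamp client method url" format.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed blocklist. These placeholders stand in for the redacted hosts in the
# post; in practice the entries would come from the vendor's URL feed.
BLOCKED_DOMAINS = {"seeder.example-blocked.test", "2005-search.example-blocked.test"}
BLOCKED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # TEST-NET-2, placeholder range

EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".dll")

# Constructed proxy log mirroring the chain above (exploit page -> loader.exe ->
# dnlsvc.exe -> go.exe from one client) plus one benign request from another.
SAMPLE_LOG = """\
1196812800.001 10.0.0.5 GET http://seeder.example-blocked.test/exploit.html
1196812801.120 10.0.0.5 GET http://seeder.example-blocked.test/000/loader.exe
1196812803.500 10.0.0.5 GET http://198.51.100.59/000/dnlsvc.exe
1196812805.020 10.0.0.5 GET http://2005-search.example-blocked.test/go.exe
1196812806.000 10.0.0.9 GET http://www.example.test/index.html
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def host_is_blocked(host):
    """True if host is a blocklisted domain (or a subdomain of one) or an IP in a blocked net."""
    host = host.lower().rstrip(".")
    if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a domain name that is not on the list
    return any(ip in net for net in BLOCKED_NETS)


def classify(url):
    """Return the list of rule names a single URL trips (empty if none)."""
    parts = urlsplit(url)
    reasons = []
    if host_is_blocked(parts.hostname or ""):
        reasons.append("blocked_host")
    if parts.path.lower().endswith(EXEC_EXTENSIONS):
        reasons.append("executable_download")
    return reasons


def scan(log_text):
    """Map each client to its matching requests as (timestamp, url, reasons) tuples."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        reasons = classify(m["url"])
        if reasons:
            hits[m["client"]].append((float(m["ts"]), m["url"], reasons))
    return dict(hits)


def chain(hits, client):
    """One client's matching URLs in time order, so the download chain reads top to bottom."""
    return [url for _, url, _ in sorted(hits.get(client, []), key=lambda h: h[0])]


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for client, events in result.items():
        print(client)
        for ts, url, reasons in sorted(events, key=lambda h: h[0]):
            print(f"  {ts:.3f}  {', '.join(reasons):32}  {url}")
```

The executable-download rule is deliberately separate from the blocklist rule: a client that fetched an .exe from a host that is not yet on the list is the case worth a second look, since a blocklist only catches stages that have already been analysed and the post itself notes that the chain kept growing as the researcher dug further.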

© Copyright 2008 Trend Micro Inc. All rights reserved.