
Archive for December 24th, 2007


Dec24
by Jake Soriano (Technical Communications)

After two months of inactivity, Storm is back, again taking advantage of the holidays. It comes as an attachment to the following spammed email message:

[Image: Storm_email]

Users are redirected to the following malicious Web site once they click the link on the message shown above:

[Image: Storm_webpage2]

The Trend Micro Content Security Team has already blocked the Web site, so it is no longer accessible to Trend Micro customers. Users are nonetheless reminded to be cautious about clicking URLs in spammed messages containing Christmas greetings, as it would not be very surprising to find Storm, or other malware, behind them.

UPDATE: (December 25, 2007)

TrendLabs has received another sample of this Storm run (now detected as WORM_ZHELATI.AIS), as follows:

Subject: Find Some Christmas Tail
Message body:
got a sec?Winter can be cold. I bet you could use a little something to warm you up. Take 2 min out of your day. You wont regret it. ;-)

http://{BLOCKED}hristmasdude.com/


Dec24
by Bixie Villavicencio (Technical Communications)

Media players have come under fire this year, with newly discovered vulnerabilities and the spread of exploits targeting those holes. Another media player succumbs yet again: RealPlayer has become the playground for a new exploit. This exploit is hosted on a Web site and runs when the said site is accessed. Its main goal is to take advantage of a known vulnerability in the following versions of the popular media player, RealPlayer:

  • 6.0.10
  • 6.0.11
  • 6.0.12
  • 6.0.14
  • 6.0.14.536
  • 6.0.14.543
  • 6.0.14.544
  • 6.0.14.550
  • 6.0.14.552

Once executed, it causes a stack overflow and the download of malicious files.

Before the said vulnerability is exploited, the exploit first checks whether the target machine is running Windows 2000 or XP with Internet Explorer version 6 or 7 to ensure its proper execution. It also checks which version of RealPlayer is installed to determine the first few bytes of the shellcode it writes to it. To trigger the exploit, it imports the IERPLUG.DLL module to send the shellcode to the installed RealPlayer. If it succeeds in all of the above, it connects to http://{BLOCKED}.g.biz/1.exe to download a malicious file detected by Trend Micro as PE_MUMAWOW.AO-O. The file is saved as A.EXE in the Windows system folder.

Trend Micro detects this exploit as EXPL_REALPLAY.H.


Dec24
by Jercyl Lerin (Technical Communications)

Concerns about suffering from high blood pressure due to excessive eating and drinking this holiday season may result in more online searches related to the disease. Research Project Manager Ivan Macalintal said that the increasing number of people suffering from high blood pressure this holiday season can generate more visits to Web sites containing tips on managing blood pressure. And that, according to Macalintal, is where the danger lurks. It seems that an innocent search for information on “ways to lower blood pressure” may unleash a silent killer of a different type.

Trend Micro researchers discovered malicious software that can download and execute a sinister downloader-backdoor, detected as BKDR_HUPIGON.MER. The said backdoor is a member of the HUPIGON (Grey Pigeon) family of backdoor Trojans. It opens the Web site http://www.{BLOCKED}lowerbloodpressure.com to hide the execution of its routines.

[Image: BKDR_SCREEN_image]

It connects to a server and listens there for commands from a remote malicious user, who may then take virtual control of the affected system.

The holiday season is far from over. As the partying and revelries reach their peak, unhealthy eating may bring about not only clogged arteries but also backdoors via the Internet to silently kill the joy that the holidays bring.



© Copyright 2008 Trend Micro Inc. All rights reserved.