
Archive for December, 2007


Dec25
by Jovi Umawing (Technical Communications)

Storm continues its holiday run, now making its presence felt with New Year-themed messages.

According to Trend Micro Senior Threat Analyst David Sancho, the spammed messages contain a link that redirects to one of several IP addresses, each of which serves a file named happy2008.exe. Below is a screenshot of one of the malicious pages:

[Screenshot: Storm redirect site]

The page reads: “Your download should begin shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download and then press Run. Enjoy!”

“(The affected IPs) look like a redirecting download site,” David says. “But if you visit (them) with an outdated browser, you get automatically infected.”

As with the earlier Christmas spam run, Trend Micro detects the downloaded file as WORM_ZHELATI.AIS.

The usual warnings apply: treat unsolicited greeting messages that carry links with suspicion, and be especially wary of any page that offers an executable "download" without being asked.

Posted in Malware, Spam

Dec24
by Jake Soriano (Technical Communications)

After two months of inactivity, Storm is back, again taking advantage of the holidays. It arrives by way of the following spammed email message:

[Screenshot: Storm spam email]

Users are redirected to the following malicious Web site once they click the link on the message shown above:

[Screenshot: Storm malicious Web page]

The Trend Micro Content Security Team has already blocked the Web site, so it is no longer accessible to Trend Micro customers. Users are nonetheless reminded to be cautious about clicking URLs in spammed Christmas greetings, since it would not be at all surprising to find Storm, or other malware, behind them.

UPDATE: (December 25, 2007)

TrendLabs has received another sample of this Storm run (now detected as WORM_ZHELATI.AIS), as follows:

Subject: Find Some Christmas Tail
Message body:
got a sec? Winter can be cold. I bet you could use a little something to warm you up. Take 2 min out of your day. You wont regret it. ;-)

http://{BLOCKED}hristmasdude.com/


Dec24
by Bixie Villavicencio (Technical Communications)

Media players have come under fire this year, with newly discovered vulnerabilities and a spread of exploits targeting them. Another media player has now succumbed: RealPlayer has become the playground for a new exploit. The exploit is hosted on a Web site and runs when that site is visited. Its goal is to take advantage of a known vulnerability in the following versions of RealPlayer:

  • 6.0.10
  • 6.0.11
  • 6.0.12
  • 6.0.14
  • 6.0.14.536
  • 6.0.14.543
  • 6.0.14.544
  • 6.0.14.550
  • 6.0.14.552

Once triggered, it causes a stack-based buffer overflow in RealPlayer and uses the resulting code execution to download further malicious files.

Before the vulnerability is exploited, the script first checks that the target machine is running Windows 2000 or XP with Internet Explorer 6 or 7, so that the payload executes reliably. It then checks which version of RealPlayer is installed and uses that to choose the first few bytes of the shellcode it builds. To trigger the exploit, it loads the RealPlayer browser plug-in IERPLUG.DLL and passes the shellcode to the installed RealPlayer through it. If all of the above succeeds, the shellcode connects to http://{BLOCKED}.g.biz/1.exe and downloads a file detected by Trend Micro as PE_MUMAWOW.AO-O, which is saved as A.EXE in the Windows system folder.

Trend Micro detects this exploit as EXPL_REALPLAY.H.


Dec24
by Jercyl Lerin (Technical Communications)

Worries about high blood pressure brought on by excessive eating and drinking over the holidays are likely to drive more online searches related to the condition. Research Project Manager Ivan Macalintal notes that the growing number of people suffering from high blood pressure this season will generate more visits to Web sites offering tips on managing it. And that, according to Macalintal, is where the danger lurks: an innocent search for "ways to lower blood pressure" may unleash a silent killer of a different kind.

Trend Micro researchers discovered malware that downloads and executes a downloader-backdoor detected as BKDR_HUPIGON.MER. The backdoor is a member of the HUPIGON ("Grey Pigeon") family of backdoor Trojans. As a decoy, it opens the Web site http://www.{BLOCKED}lowerbloodpressure.com so that the user sees the expected content while its real routines run in the background.

[Screenshot: decoy blood-pressure Web site opened by BKDR_HUPIGON.MER]

It then connects to a remote server and waits for commands from a remote malicious user, who can thereby take control of the affected system.

The holiday season is far from over. As the partying and revelries reach their peak, unhealthy eating may bring about not only clogged arteries but also backdoors via the Internet to silently kill the joy that the holidays bring.

Posted in Security

Dec22
by JM Hipolito (Technical Communications)

A new Trojan hijacks Google text advertisements and replaces them with possibly malicious ones.

Detected by Trend Micro as TROJ_QHOST.GC, the Trojan modifies the computer's HOSTS file so that the browser no longer reaches page2.googlesyndication.co, the host name that serves advertisements enrolled in AdSense, Google's advertising service. Because the HOSTS file is consulted before DNS, a single added line is enough to override where that name resolves.

Instead, the Trojan points the browser at another IP address that acts as a rogue ad server, delivering third-party advertisements for gambling and pornography in place of the legitimate ones.

Google has already launched an investigation and has reportedly cancelled the accounts of customers whose advertisements redirect users to possibly malicious Web sites or that advertise products violating its software principles.
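The hijack described above leaves a simple trace: a HOSTS line that sends an ad-serving host name to a routable address rather than sinkholing it. The following is an added example, not code from the original post or from Trend Micro, that audits a HOSTS file for exactly that pattern. The watchlist suffixes, the sample HOSTS contents and the addresses in it are constructed for the demonstration; the check treats only loopback and unspecified (0.0.0.0) targets as harmless, since those block a name rather than redirect it.

```python
"""Audit a Windows HOSTS file for ad/syndication names redirected to a
rogue server, the technique TROJ_QHOST.GC uses.

Example code added to this page. The watchlist, the sample file and every
address in it are constructed for the demonstration, not taken from the
Trojan or from a real infection.
"""
import ipaddress

# Assumed watchlist: domain suffixes that a legitimate HOSTS file would only
# ever sinkhole (0.0.0.0 / 127.0.0.1), never point at a routable address.
WATCHED_SUFFIXES = ("example-syndication.test", "tracker.example.net")

# Constructed sample HOSTS file: the default entries, an ad-block style
# sinkhole, one hijack entry and an ordinary intranet override.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         tracker.example.net              # sinkholed: harmless
203.0.113.45    pagead.example-syndication.test  # hijack: routable target
192.168.1.20    intranet.corp.local              # internal override: not watched
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from HOSTS text.

    Comments, blank lines and lines whose first field is not an address are
    skipped rather than guessed at.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()


def is_sinkhole(ip):
    """Loopback or unspecified targets only block a name; they cannot redirect it."""
    return ip.is_loopback or ip.is_unspecified


def matches_watchlist(name, suffixes=WATCHED_SUFFIXES):
    """True when name equals a watched suffix or is a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def audit_hosts(text, suffixes=WATCHED_SUFFIXES):
    """Return [(hostname, ip_string)] for watched names sent anywhere but a sinkhole."""
    findings = []
    for ip, name in parse_hosts(text):
        if matches_watchlist(name, suffixes) and not is_sinkhole(ip):
            findings.append((name, str(ip)))
    return findings


if __name__ == "__main__":
    for name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"possible hijack: {name} -> {ip}")
```

On a real system the text would come from %SystemRoot%\System32\drivers\etc\hosts, and the watchlist would hold the ad and update domains the organisation cares about; the sinkhole test is what keeps legitimate ad-blocking entries from being reported.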



© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice