WALEDAC has found a new fetish — spamming users with email messages on free foot fetish movies.

According to Advanced Threats Researcher Joey Costoya, who initially reported the new WALEDAC spam run, clicking the link in the spammed email redirects users to websites featuring foot fetish videos.

WALEDAC is notorious for employing various social engineering techniques that leads users to a series of malware infection. This being the third of the recent WALEDAC spam runs we’ve seen, its quite safe to assume we’ll be seeing more of this runs in the near future.

Here are the other notable WALEDAC spamming operations:

• New Waledac Campaign: SMS ‘Snooping’ Software
• Online Casino, Geocities, and Waledac
• Waledac Spamming Image Hosting and Italian Job Offers
• WALEDAC Spamming Madness
• Waledac Localizes Social Engineering
• WALEDAC Spreads More Malware Love

As of this writing, the spam emails — as well as the spammed URLs — are already blocked through the Smart Protection Network. Users are strongly advised to be wary in opening any enticing ‘fetish’ emails.

Days after the Twitter worm outbreak that affected “tens of thousands of users,” the attacks on the popular microblogging site are anything but slowing down. In fact, cyber criminals are taking advantage of the public’s interest and high media coverage of the incident to spread malicious links.

Among the top ten search results in Google for “Twitter worm” and “Mikeyy,” the name of 17-year-old author of the said worm, is a link that connects the user to a malicious URL that download malware into his/her system.

The link in the result connects to a URL detected as HTML_DLOADR.NIC. The said URL is inaccessible as of this writing, but analysis reveals that it loads a JavaScript which is detected as JS_DLOADR.NIB.

JS_DLOADR.NIB connects the user to a URL which further redirects the user into sites that trigger the download of TROJ_DLOADR.NID and TROJ_DLOADR.NIA into the affected system.

TROJ_DLOADR.NID downloads TROJ_FAKEAV.RAG and TROJ_AGENT.GDAG, meanwhile TROJ_DLOADR.NIA cannot not run properly due to an error in its code. Trend Micro engineers are still verifying if this Trojan has the capability to download other malware. All mentioned URLs and malicious files are blocked and detected respectively, through the Trend Micro Smart Protection Network.

“Mikeyy,” the author of the Twitter worm recently accepted a job at a Web applications development firm. As relieving as this can be, a 17-year-old managing to land himself a job because of a deploying a worm isn’t exactly the best example to other young people like “Mikeyy” in terms of the consequences that entail doing such actions.

Technical information provided by Trend Micro Antivirus Engineer Jasper Manuel.

After attempting to shock us with dire news of terrorist bombings, Waledac now attempts to entice us with offers of spying somebody else’s (notably a lover’s) SMS messages.

The links in the spammed messages shown above lead to a malicious website, which offers a 30-day trial for a SMS (Short Messaging Service) Spying software. The link “Download Free Trial” leads to the download of an .EXE file which installs a Waledac bot into the user’s system. So if you must ask, no, it is not legitimate SMS spy software.

While downloaded Waledac variants are found constantly changing from time to time, Trend Micro managed to extract several of these variants, and are now detected as the following:

• TROJ_WALEDAC.HX
• TROJ_WALEDAC.IC
• WORM_WALEDAC.KT
• WORM_WALEDAC.KW
• WORM_WALEDAC.LN
• WORM_WALEDAC.LT
• WORM_WALEDAC.LP

More variants are expected to surface soon, as there are several domains hosting the malicious files. Users need not worry about this threat however, as the Smart Protection Network already blocks the domains from which the Waledac variants are hosted.

This current Waledac campaign, which is nastier than the recent Waledac spam runs (the online casino spam run being the latest) is actually ripping off the website of a software vendor that is indeed selling spy software for SMS.

Deviating from Conficker/Downad update and jigsaw puzzle menace, Waledac updated its spam emails and is now spamming online casino advertisements.

The spammed email contains a URL link to a Yahoo! Geocities web page which is shown in Figure 4, and when the link “Play now” is clicked, it shows a casino related image ad as shown in Figure 5.

There is no activity seen where Waledac is seeding URLs that links to a new Waledac binary for this specific spam run, but our radars are actively monitoring for this event. The following spam emails however, are now blocked by the Smart Protection Network.

Microsoft released a total of 8 patches last April 14, comprising of 5 critical, 2 moderate, and 1 important update for the Windows OS. More information on the said patches are given below:

• (MS09-009) Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution (968557)
• (MS09-010} Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)
• (MS09-011) Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373)
• (MS09-012) Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)
• (MS09-013) Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803)
• (MS09-014) Cumulative Security Update for Internet Explorer (963027)
• (MS09-015) Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)
• (MS09-016) Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service (961759)

This set of patches addresses the vulnerabilities exploited in the attacks discussed in the blog entries A Wordpad of Caution and Another Exploit This Time on MS Excel.

However, this batch still does not address the most recent PowerPoint exploit.

Users are advised to install the patches immediately. More information about this release could be read at our Security Advisories page.