
    Archive for September 9th, 2010

    Trend Micro received several reports of a spammed message containing a link that leads to the download of a malware detected as WORM_MEYLME.B. The spammed message bears the subject “Here you have” and informs users of a certain PDF document. Although the link is displayed as http://www.{BLOCKED}ocuments.com/library/PDF_Document21.025542010.pdf or http://www.{BLOCKED}ovies.com/library/SEX21.025542010.wmv, hovering over it reveals that it actually points to a different URL, http://{BLOCKED}s.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr, which leads to the malware itself.
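    The lure above relies on the displayed link text (a .pdf or .wmv on one host) disagreeing with the real href (a .scr on another host). The following is an added example, not code from the original post or from Trend Micro, showing how a mail gateway or triage script can flag that mismatch in an HTML body; the sample message and its hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions that are really executables, whatever the link text claims.
EXECUTABLE = {".scr", ".exe", ".pif", ".com", ".bat"}


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _ext(url):
    path = urlparse(url).path.lower()
    return path[path.rfind("."):] if "." in path else ""


def suspicious_links(html):
    """Return (text, href, reason) for anchors whose displayed URL misrepresents the target."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        reasons = []
        if _ext(href) in EXECUTABLE:
            reasons.append("href fetches an executable (%s)" % _ext(href))
        if text.startswith(("http://", "https://", "www.")):
            shown = text if "://" in text else "http://" + text
            if urlparse(shown).netloc != urlparse(href).netloc:
                reasons.append("displayed host differs from href host")
        if reasons:
            flagged.append((text, href, "; ".join(reasons)))
    return flagged


# Constructed sample body modelled on the lure described above (hosts are placeholders).
SAMPLE = """<p>Please find the document here:
<a href="http://example-s.multimania.invalid/yahoophoto/PDF_Document21_025542010_pdf.scr">
http://www.example-ocuments.invalid/library/PDF_Document21.025542010.pdf</a></p>
<p><a href="http://www.example.invalid/about">About us</a></p>"""
```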


    When executed, WORM_MEYLME.B terminates antivirus services and uses the Messaging Application Programming Interface (MAPI) to send out email messages with a link to a copy of itself. It also propagates via removable drives (e.g., USB drives). In addition, this malware forces affected systems to share several folders in %Windows%\System as {Computer Name}\Updates. It also connects to various malicious websites.


    Upon further investigation, we found that the malware used for this attack was just an unpacked version of a file that we already detected as WORM_AUTORUN.NAD. It is possible that the cybercriminals behind this attack got hold of the code for WORM_AUTORUN.NAD and modified it for their usage.

    We advise users to be wary of opening any unknown email and clicking any link. Trend Micro protects users from this attack via the Trend Micro™ Smart Protection Network™ that detects the malicious file and blocks all related malicious URLs.

    Analysis and screenshots provided by threat response engineer Jessa Dela Torre and threats analyst Edgardo Diaz, Jr.

    Update as of September 9, 2010 11:45 p.m. (UTC)

    According to threats analyst Edgardo Diaz, WORM_MEYLME.B creates several registries that disable security alerts and secure desktop prompting. Furthermore, it also downloads a backdoor detected by Trend Micro as BKDR_BIFROSE.SMU. Since the malware shares some System folders without the user’s knowledge, it will render the system vulnerable.

    Update as of September 10, 2010 1:26 a.m. (UTC)

    This attack also uses various spammed messages—one of which entices users with a free movie while another purports to be a job application letter. Both messages contain a link that when clicked leads to the download of the worm.

    The worm was also found trying to access users’ Yahoo! Messenger files. It is possible that WORM_MEYLME.B harvests Yahoo! Messenger IDs to send copies of itself.


    Update as of September 10, 2010 6:31 a.m. (UTC)

    Analysis reveals that WORM_MEYLME.B is capable of deleting security services but only after the services have been completely stopped from executing. It cannot, however, delete files associated with the services it attempts to delete.

    Update as of September 13, 2010 7:10 a.m. (UTC)

    WORM_MEYLME.B contains a Visual Basic script that performs its information theft routines. This script, which is embedded within the worm’s code, is now detected as VBS_MEYLME.B.


    Adobe has issued a new security advisory concerning Adobe Acrobat, its line of PDF software. All current versions of Reader and Acrobat are known to be vulnerable across all supported platforms—Windows and Mac for Acrobat and Windows, Mac, and Unix for Reader. According to the advisory, an attacker could use the vulnerability “to take control of the affected system,” meaning arbitrary code could be executed on user systems.

    Trend Micro has already found malicious files that exploit this vulnerability. These are detected as TROJ_PIDIEF.WM. In turn, this file drops a downloader (TROJ_DLOADR.WM), which leads to another downloader, TROJ_CHIFRAX.BU. More PIDIEF variants that exploit this vulnerability are sure to be spotted in the next few days.

    The URLs that host TROJ_CHIFRAX.BU, and from which it downloads further malware, are currently unavailable. Curiously, even though the website was registered under the .US top-level domain, WHOIS records indicate the registrant is in Hong Kong. In addition, the servers that actually host the site are located in Germany and the United States. This indicates that some effort was put into hiding the actual persons responsible for this attack.

    In addition, the dropped malicious file is signed, much like the earlier Stuxnet malware. This time, the certificate of a legitimate American credit union was used:

    Adobe has not stated when security updates will be made available, saying only that they are “evaluating the schedule” for a potential fix. They have advised their users to keep their antivirus software updated to protect themselves until a fix is made available.

    This is the second major zero-day vulnerability that Adobe has had to deal with in 2010. The first one, which affected both Acrobat and Flash, was discussed in the Malware Blog post, “Zero-Day Flash/Acrobat Exploit Seen in the Wild.” The timeline of that particular incident—where a flaw revealed early in the month was fixed by the end of the month—suggests a fix will come in the next few weeks.

    Trend Micro protects users from this attack via its Trend Micro™ Smart Protection Network™ that detects the malicious files currently exploiting this vulnerability as well as blocks the URLs related to this threat.

    Update as of October 6, 2010

    Adobe has released an update to fix this vulnerability. Details may be found in this security bulletin.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice