SANS Internet Storm Center reports that an exploit code that takes advantage of a buffer flow vulnerability in WinRAR archiving software is making rounds in the wild. The said exploit code affects WinRAR versions 3.50 and earlier.

Further analysis by TrendLabs researchers reveal that the said exploit (detected as TROJ_RDROPPER.A) arrives as a malicious .RAR file. Once the said file successfully exploits the WinRAR flaw, it proceeds to drop the file %User Temp%WINRAR.EXE, which is detected by Trend Micro as BKDR_DARKMOON.AH. The dropped backdoor, in turn, opens a random port and allows remote code execution by a malicious user.

This is not the first time a bug was discovered in earlier versions of WinRAR. As early as 2005, Threat Researchers Jonell Baltazar and Joey Costoya were able to procure of an exploit code that also takes advantage of a buffer overflow vulnerability. At that time, however, they concluded that the said exploit could not be used for malicious purposes.

Trend Micro strongly recommends WinRAR users that they upgrade to the latest version of the program (3.61) to avoid possible infection. Users of Trend Micro products are also advised to update their patterns.