Trend Micro has identified new malware samples that exploit the still-unpatched Internet Explorer (IE) vulnerability. These samples have been detected as JS_ELECOM.C and HTML_COMLE.CXC. After exploiting the said bug, they attempt to connect to a certain URL to download a file.

Further analysis by TrendLabs threat experts found that the new scripts are versions of JS_DLOADER.FIS (the only difference being the encryption techniques used), which was widely used in the recent attacks targeting major organizations like Google and Adobe. However, instead of merely targeting such organizations, they are now fully in the wild and hitting ordinary users.

In line with this, Microsoft announced that it will release an out-of-band security update to fix the issue. It is highly advised that users immediately download the security patch once released.

Trend Micro™ Smart Protection Network™ protects users from this type of attack by preventing the download of all the detected malicious files and by blocking user access to malicious sites.

Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with IDF1003879 and IDF1003909 filters.

Update as of January 21, 2010, 11:00 a.m. (GMT +8:00):

The official Microsoft security bulletin and patch has been released. Users are strongly advised to apply this patch—either manually or automatically—to protect themselves against this threat.

Update as of January 21, 2010, 9:58 p.m. (GMT +8:00):

HTML_COMLE.CXC and another new exploit code downloading other component files before downloading HYDRAQ variants are now detected as JS_ELECOM.SMA. JS_ELECOM.SMA calls JS_ELECOM.SMB, its component file, which contains obfuscated data variables necessary for JS_ELECOM.SMA’s proper execution.