    New RealPlayer Exploit

    Media players have come under fire this year, with newly discovered vulnerabilities and a spread of exploits targeting them. Now another media player has succumbed: RealPlayer is the target of a new exploit. The exploit is hosted on a Web site and runs when that site is accessed. Its main goal is to take advantage of a known vulnerability in the following versions of RealPlayer:

    • 6.0.10
    • 6.0.11
    • 6.0.12
    • 6.0.14
    • 6.0.14.536
    • 6.0.14.543
    • 6.0.14.544
    • 6.0.14.550
    • 6.0.14.552

    Once executed, the exploit causes a stack overflow and downloads malicious files.

    Before exploiting the vulnerability, the exploit first checks whether the target machine is running Windows 2000 or XP with Internet Explorer version 6 or 7, to ensure that it executes properly. It also checks which version of RealPlayer is installed to determine the first few bytes of the shellcode it writes. To trigger the exploit, it imports the function IERPLUG.DLL to send the shellcode to the installed RealPlayer. If all of the above succeeds, it connects to http://{BLOCKED}.g.biz/1.exe to download a malicious file, which Trend Micro detects as PE_MUMAWOW.AO-O. The file is saved as A.EXE in the Windows system folder.

    Trend Micro detects this exploit as EXPL_REALPLAY.H.
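
A triage sketch for defenders, added here as an example and not taken from Trend Micro: it ranks hosts by the checks the post says the exploit performs (OS, Internet Explorer version, RealPlayer version) and by the presence of A.EXE in the system folder. The inventory schema, host names and sample records are constructed, and the listed versions are matched exactly, which is an assumption about how the list should be read.

```python
import ntpath

# Affected RealPlayer versions exactly as listed in the post (exact match assumed).
AFFECTED_REALPLAYER = {
    "6.0.10", "6.0.11", "6.0.12", "6.0.14", "6.0.14.536",
    "6.0.14.543", "6.0.14.544", "6.0.14.550", "6.0.14.552",
}
TARGET_OS = {"windows 2000", "windows xp"}  # OS check described in the post
TARGET_IE_MAJOR = {6, 7}                     # IE check described in the post
DROPPED_NAME = "a.exe"                       # file name saved in the system folder

def meets_preconditions(host):
    """True when the host passes every check the exploit makes before it fires."""
    ie_major = int(str(host.get("ie_version") or "0").split(".")[0])
    return (
        host["os"].strip().lower() in TARGET_OS
        and ie_major in TARGET_IE_MAJOR
        and host["realplayer_version"].strip() in AFFECTED_REALPLAYER
    )

def has_dropped_file(host):
    """True when A.EXE sits directly in the system folder (case-insensitive).
    This is an indicator to follow up with a scan, not proof of infection."""
    sysdir = ntpath.normcase(ntpath.normpath(host["system_dir"]))
    for path in host["files"]:
        p = ntpath.normcase(ntpath.normpath(path))
        if ntpath.dirname(p) == sysdir and ntpath.basename(p) == DROPPED_NAME:
            return True
    return False

def triage(host):
    """Rank a host: 'investigate' (file present) > 'exposed' > 'ok'."""
    if has_dropped_file(host):
        return "investigate"
    return "exposed" if meets_preconditions(host) else "ok"

# Constructed inventory records (hypothetical schema and host names).
INVENTORY = [
    {"name": "ws-01", "os": "Windows XP", "ie_version": "6.0.2900",
     "realplayer_version": "6.0.14.544", "system_dir": r"C:\WINDOWS\system32",
     "files": [r"C:\WINDOWS\system32\A.EXE"]},
    {"name": "ws-02", "os": "Windows 2000", "ie_version": "6.0",
     "realplayer_version": "6.0.12", "system_dir": r"C:\WINNT\system32",
     "files": []},
    {"name": "ws-03", "os": "Windows XP", "ie_version": "7.0",
     "realplayer_version": "6.0.14.806", "system_dir": r"C:\WINDOWS\system32",
     "files": [r"C:\Temp\a.exe"]},
]
```
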




