Dec 5, 2:18 am (UTC-7) | by Paul Oliveria (Technical Communications)
…as miscreants seem to be going “wild” about it.
Just last week, we posted an entry regarding the RTSP vulnerability affecting QuickTime Player 7.3. Now, SANS Internet Storm Center and Symantec have reported that the flaw is already being actively exploited. As of this writing, the exploit code is reported to be seeded from the URL http://{BLOCKED}.{BLOCKED}.183.59.
This URL supposedly also hosts several other exploits, but they ultimately lead to the download of the following malicious file:
- http://{BLOCKED}-search.com/000/loader.exe – already detected by Trend Micro as TROJ_DLOADER.QQI
This file, in turn, downloads another file from the following URL:
- http://{BLOCKED}-search.com/000/dnlsvc.exe – already detected as TROJ_AGENT.BRB
Trend Micro Senior Threat Researcher Ivan Macalintal did a little more digging into the matter and found that, true to the definition of Web threats, the infection chain doesn’t stop there. Below is a short summary of what follows next (and, at one point, what happens together).
- The seeder URL http://{BLOCKED}.{BLOCKED}.183.59 also downloads a file that connects to yet another Web site where EXPL_ANICMOO.GEN can be downloaded.
- TROJ_AGENT.BRB drops a rootkit detected as TROJ_ROOTKIT.BO, possibly to hide its own or its components’ files and processes. It also downloads a file from the URL http://2005-search.com/go.exe. The said download file is detected as TROJ_DELF.KXB.
- TROJ_DELF.KXB connects to more possibly malicious sites — including a known ZLOB-hosting site.
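The chain above is a sequence of downloads, so a defender can look for it in proxy logs as a sequence rather than as isolated indicator hits. The following Python script is an added example and not part of the original post: it walks per-client log entries against the stage order described above and reports whether a client completed the whole chain. The hostnames (seeder.example, blocked-search.example, 2005-search.example) and the log lines are constructed placeholders standing in for the {BLOCKED} values; only the detection names come from the post.

```python
import re
from collections import defaultdict

# Chain stages from the post, in order. Hostnames are constructed placeholders
# for the {BLOCKED} values; the detection names are the ones the post gives.
CHAIN = [
    ("seeder page (RTSP exploit)", re.compile(r"^http://seeder\.example/")),
    ("loader.exe / TROJ_DLOADER.QQI", re.compile(r"^http://blocked-search\.example/000/loader\.exe$")),
    ("dnlsvc.exe / TROJ_AGENT.BRB", re.compile(r"^http://blocked-search\.example/000/dnlsvc\.exe$")),
    ("go.exe / TROJ_DELF.KXB", re.compile(r"^http://2005-search\.example/go\.exe$")),
]

# Constructed proxy log lines: "<unix_ts> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
1196846280 10.0.0.5 GET http://seeder.example/index.html 200
1196846295 10.0.0.5 GET http://blocked-search.example/000/loader.exe 200
1196846310 10.0.0.5 GET http://blocked-search.example/000/dnlsvc.exe 200
1196846340 10.0.0.5 GET http://2005-search.example/go.exe 200
1196846400 10.0.0.9 GET http://blocked-search.example/000/dnlsvc.exe 200
1196846500 10.0.0.7 GET http://www.example.org/ 200
"""

def match_stage(url):
    # Index of the chain stage this URL belongs to, or None if it is not an IoC.
    for idx, (_, pattern) in enumerate(CHAIN):
        if pattern.match(url):
            return idx
    return None

def trace_chain(log_text, window_s=600):
    # Per client: stages fetched, and whether they came in chain order within window_s.
    hits = defaultdict(list)                      # client -> [(ts, stage_idx)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                              # skip malformed lines
        ts, client, _method, url, _status = parts
        idx = match_stage(url)
        if idx is not None:
            hits[client].append((int(ts), idx))
    report = {}
    for client, events in hits.items():
        events.sort()                             # chronological order
        expected, last_ts = 0, None
        for ts, idx in events:
            in_window = last_ts is None or ts - last_ts <= window_s
            if idx == expected and in_window:
                expected, last_ts = expected + 1, ts
        report[client] = {"stages": sorted({CHAIN[i][0] for _, i in events}),
                          "full_chain": expected == len(CHAIN)}
    return report
```

A client that hits only one stage (10.0.0.9 above) still shows up as an indicator match, while a full ordered chain within the window is the stronger signal that the exploit actually ran.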
Since no patch is available for this yet, even the most careful computer users may be affected by this attack. Trend Micro users, however, are already protected because Trend Micro’s Web Threat Protection blocks all related URLs. As mentioned, all of the malicious files are also already detected, so users just have to make sure they update to the latest pattern file.