Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    September 2014
    S M T W T F S
    « Aug    
     123456
    78910111213
    14151617181920
    21222324252627
    282930  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Jessie Paz (Advanced Threats Researcher)




    A few days after the release of a proof-of-concept virus that infects the TI-89 calculators, the author himself released two versions of disinfectors for the virus.
    The first version prevents the virus from execution by patching the virus with the original bytes from the host while the second version finds the EPO injection made by the virus and patching the ti-gcc epilog.

     



    A Russian antivirus company has reported a proof-of-concept virus that runs in iPodLinux (an open source port of Linux in iPod) on top of Podzilla 2 user interface. The virus which marks the infected files with “Oslo” was written by the same author of PE_IKOL.A. It has no destructive payload but merely shows the tux iPodLinux logo together with the following message. It registers itself in the /Extras/Demos menu section of the iPod.

    You are infected with Oslo, the first iPodLinux Virus by [author].

    The virus only infects ELF executable files (ends with mod.o) in the /usr/lib/ directory of iPod, recursively. It writes the copy of itself at the top of the host file and appends its marker (“Oslo”) at the bottom. It also attempts to show to the user some greetings when the iPodLinux was shutdown.
    The virus being the first of its kind was used by the author to show that malware can run on iPodLinux platform even though it needs to be manually executed to trigger its infection routine.

     



    There is a huge volume of unsolicited emails that run through the veins and arteries of the Internet every single second of the day and this particular phish is just one of them.


    TrendLabs has received a report that there has been a spam run that appears to be seeded from Germany. The phish claims to be a confirmation email from Apple Store and indulge the user to follow the embedded link where another link to a malicious binary was being offered. The spammed email is in German and was believed to have an english variant as well but all pointing to the same malicious binary.

    Here is the sample email scam in German (Thanks to Rainer Link for providing the sample).




    The binary is currently being analyzed and will be included soon on the Trend Micro pattern files. The offending domain that hosts the binary was also included in the RS Pattern that will be released on March 20, 2007 at 8:00 PM (PH Time). Updates on the detection name of the malicious binary will be posted shortly.

     
    Posted in Bad Sites | Comments Off



    Microsoft did a big security bulletin release today to resolve a number of vulnerabilities that exist on their line of products. I’ve also been looking into MS07-014 and MS07-015 if all of these releases resolve all the MS Office Zero-Days that we recently encountered.


    Critical



    • (MS07-008) Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843)
    • (MS07-009) Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution(927779)
    • (MS07-010) Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135)
    • (MS07-014) Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (929434)
    • (MS07-015) Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (932554)
    • (MS07-016) Cumulative Security Update for Internet Explorer (928090)

    Important



    • (MS07-005) Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723)
    • (MS07-006) Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255)
    • (MS07-007) Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege (927802)
    • (MS07-011) Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436)
    • (MS07-012) Vulnerability in Microsoft MFC Could Allow Remote Code Execution (924667)
    • (MS07-013) Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution (918118)

     
    Posted in Bad Sites | Comments Off



    We have been receiving numerous samples from our honeypot systems that is really striking in numbers. Okay, nothing so much special about this and just like the current tactics of email-borne malwares, a flavor of social engineering was poured into its email to effectively lure unsuspecting users to open and execute the attachment.

    Beware of similar-looking emails below!











    Moreover, the following subject lines and attachment names are being used by this malware.

    • Valentine Sweetie
    • My Lucky Valentine
    • The Valentine Love Bug
    • Happy Valentine’s Day
    • Valentines Day Dance
    • The Valentines Angel
    • Valentines Day is here again
    • Valentine’s Love
    • Valentine’s Night
    • Valentine Letter
    • Your Love on Valentine’s
    • Fly Away Valentine
    • Be My Valentine
    • For My Valentine
    • My Valentine Heart
    • A Valentine Love Song
    • My Valentine
    • My Valentine Sunshine
    • Valentine Love Song
    • Send Love On Valentines
    • Flash Postcard.exe
    • flash postcard.exe
    • greeting postcard.exe
    • Greeting Postcard.exe
    • greeting card.exe
    • Greeting Card.exe
    • postcard.exe
    • Postcard.exe

    The samples are currently being deeply analyzed by the Service Team. Urgent OPR release is also underway. Please do hold on for updates.

     
    Posted in Bad Sites | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice