These malware took advantage of the Fourth of July celebrations in the United States to increase their chances of distribution. A malicious URL was included in eCards that were spammed during this time. The URL pointed to locations from where these malware could be downloaded.
Sometime in mid-July, an email was being spammed that foretold the supposed death of the Internet in 2010. The email had a PDF attachment, which supposedly contained “more details” of the news. Users who were tricked into opening the PDF attachment would soon find themselves with an unexpected guest on their systems, in the form of TROJ_PIDIEF.JT.
POISON and FAKECLEAN are two malware that pose as virus cleaning tools. Towards the end of July, these malware were being sent out through email by Chinese hackers. The email claimed that these “applications” were Trend Micro Virus Clean Tools. There is actually a Trend Micro Virus Clean tool, but what makes this incident suspicious is that Trend Micro never sends applications as email attachments.
Exploits and Vulnerabilities
Internet Explorer Vulnerability
As July began, a vulnerability was discovered in Internet Explorer. According to reports regarding the vulnerability, access to an HTML document’s frames was not restricted, meaning that the frame contents could be replaced, presumably with malicious content. This widens the scope for browser-based attacks against the user.
TROJ_MDROPPER.ZY, TROJ_PPDROP.M, TROJ_MDROPPER.ZT
Even the 2008 Summer Olympics were not spared as a lure for malware distribution. In the early weeks of July, .DOC files with malicious content were spreading around. Users were tricked into opening them since the documents appeared to contain information or news on the Olympic Games. These .DOC files were actually exploits that took advantage of a vulnerability in Microsoft Word 2002 Service Pack 3. When exploited, the unspecified remote code-execution vulnerability could allow remote attackers to take complete control of an affected system, or cause the application to crash.
TROJ_AGENT.AYZO is the malware behind the recent wave of compromised Web sites. In July, quite a number of legitimate Web sites were compromised. Additional Web pages were added under the compromised sites’ domains, usually with names ending in START.HTML, BEGIN.HTML or R.HTML. Once accessed, these malicious Web pages redirect the browser to a location from which TROJ_AGENT.AYZO can be downloaded.
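A simple check a site operator could run against the pattern described above, as an added example that is not part of the original roundup: it scans Web server access-log lines and the Web root for the planted page names (START.HTML, BEGIN.HTML, R.HTML), matching the file name exactly and case-insensitively so that an unrelated page such as restart.html is not flagged. The combined log format, the IP addresses and the sample lines are constructed for this example.

```python
import os
import re
from urllib.parse import urlsplit

# Page names the July 2008 roundup reports being planted on compromised sites.
PLANTED_PAGE_NAMES = {"start.html", "begin.html", "r.html"}

# Apache/nginx "combined" access-log layout (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_planted_page(path: str) -> bool:
    """True if the last path component (query string stripped) is a planted name."""
    name = urlsplit(path).path.rsplit("/", 1)[-1]
    return name.lower() in PLANTED_PAGE_NAMES


def flag_requests(log_lines):
    """Return (client_ip, path, status) for each request that hits a planted page."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_planted_page(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


def find_planted_files(web_root: str):
    """Walk the document root and list files whose name matches a planted name."""
    found = []
    for dirpath, _dirs, files in os.walk(web_root):
        found.extend(os.path.join(dirpath, f) for f in files
                     if f.lower() in PLANTED_PAGE_NAMES)
    return found


# Constructed sample log lines (documentation IP ranges, not real clients).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/2008:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.11 - - [15/Jul/2008:10:01:05 +0000] "GET /news/START.HTML HTTP/1.1" 200 812',
    '198.51.100.7 - - [15/Jul/2008:10:02:11 +0000] "GET /r.html?x=1 HTTP/1.0" 200 640',
    '192.0.2.12 - - [15/Jul/2008:10:03:00 +0000] "GET /restart.html HTTP/1.1" 200 300',
    '192.0.2.13 - - [15/Jul/2008:10:04:00 +0000] "GET /begin.html HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for ip, path, status in flag_requests(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {path} ({status})")
```

A 200 response for one of these names is the stronger signal, since it means the file actually exists on the server; a 404 only shows that someone tried the name.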