We recently encountered malware posing as a legitimate font file. Detected as WORM_OTORUN.ASH, the worm is a .DLL file that uses .FON as its extension. To propagate, it drops copies of itself into shared folders on the infected system. While neither routine is new, the combination of the two in a single malware sample fits the exploit scenario described in the Microsoft OpenType Font Driver Vulnerability (MS10-091).
However, after further analysis, we found that the malware does not contain any exploit code for MS10-091. Instead, it exploits the Windows LNK vulnerability (MS10-046), using shortcut files as its autostart component. Recall that this particular vulnerability works with any .DLL file: even though WORM_OTORUN.ASH is disguised as a font file, it still functions as a .DLL.
WORM_OTORUN.ASH creates two types of .LNK files: shortcut files that point to copies saved in local folders (LNK_OTORUN.SM) and shortcut files that point to copies saved in shared folders (EXPL_CPLNK.SM). The dropped .LNK files bear enticing file names such as myporno.avi.lnk and pornmovs.lnk to trick users into clicking them.
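A defender-side check for the shortcut component described above, as an added example that is not from the original post or from Trend Micro: it validates the Shell Link header, pulls embedded strings out of a .LNK, and flags shortcuts that reference a loadable module (.DLL, .FON or .CPL) or carry the double-extension bait names. The fixture builder and the extension lists are assumptions of this example, not indicators taken from the analysis.

```python
import re
import struct
from pathlib import Path

# Shell Link header: HeaderSize 0x4C followed by the fixed LinkCLSID.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# MS10-046 makes the shell load a DLL to render a shortcut's icon, so a .LNK that
# references a .DLL (or a .FON, which here is a renamed DLL) is worth flagging.
MODULE_REF = re.compile(r"\.(dll|fon|cpl)\b", re.IGNORECASE)
# Bait names seen in this family: a media extension in front of .lnk (assumed list).
BAIT_NAME = re.compile(r"\.(avi|mpg|mpeg|wmv|mp4|jpg)\.lnk$", re.IGNORECASE)

def is_shell_link(data: bytes) -> bool:
    """True if data begins with a well-formed Shell Link header."""
    if len(data) < HEADER_SIZE:
        return False
    return struct.unpack_from("<I", data, 0)[0] == HEADER_SIZE and data[4:20] == LNK_CLSID

def embedded_strings(data: bytes, min_len: int = 4):
    """Yield printable ASCII and UTF-16LE strings found anywhere in the file."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")

def scan_lnk(name: str, data: bytes) -> list:
    """Return the reasons a shortcut looks like an OTORUN dropper (empty if none)."""
    reasons = []
    if not is_shell_link(data):
        return reasons
    if BAIT_NAME.search(name):
        reasons.append("bait filename: media extension before .lnk")
    for s in embedded_strings(data):
        if MODULE_REF.search(s):
            reasons.append("references loadable module: " + s)
            break
    return reasons

def scan_folder(folder: str) -> dict:
    """Scan every *.lnk under folder (e.g. a mounted share); map path -> reasons."""
    return {str(p): r for p in Path(folder).rglob("*.lnk")
            if (r := scan_lnk(p.name, p.read_bytes()))}

def build_sample(icon_path: str) -> bytes:
    """Constructed, inert test fixture: a header with HasIconLocation|IsUnicode set
    followed by a single ICON_LOCATION string (character count + UTF-16LE text)."""
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, 0x40 | 0x80)
    return header.ljust(HEADER_SIZE, b"\x00") + struct.pack("<H", len(icon_path)) + icon_path.encode("utf-16-le")
```

Run scan_folder against a mapped share to triage dropped shortcuts; hits should be confirmed with a full LNK parser before being acted on.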
Successful exploits for MS10-091 and MS10-046 both result in remote code execution, so users are strongly advised to patch their systems if they have not yet done so.
Trend Micro product users are protected from this threat through security solutions powered by the Trend Micro™ Smart Protection Network™, which detects and blocks all related malware and malicious URLs. Enterprise users are also protected from possible exploits via Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in.
Additional analysis provided by Alden Baleva and Kathleen Notario