Earlier today, TrendLabs was alerted to a zero-day exploit for the Microsoft Video ActiveX control (MsVidCtl). Around 967 Chinese websites are reported to be compromised with a malicious script that takes visitors through a chain of redirections and ends with the download of a .JPG file that actually contains the exploit. Trend Micro detects it as JS_DLOADER.BD. Here’s a screenshot of the encoded exploit code:
The shellcode carried by the exploit is XOR-encoded. XOR with a fixed key is symmetric and trivially reversible, so the payload can be recovered statically without ever letting the exploit run. Below is a screenshot of the decoded shellcode:
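The decoding step described above, as an added example that is not code from the Trend Micro post or from the exploit itself: an analyst who has carved the XOR-encoded blob out of the script but does not know the key can try all 256 single-byte keys and rank the candidates by whether strings a Windows download-and-execute stub almost always carries (an `http://` URL, `URLDownloadToFile`, `WinExec`) fall out. The `PLAINTEXT` bytes, the `KEY` and the placeholder `example.invalid` URL are constructed stand-ins, not the real JS_DLOADER.BD shellcode or its key.

```python
"""Single-byte XOR shellcode recovery (added example, not the post's own code)."""
from typing import List, Tuple

# Constructed stand-in for a download-and-execute shellcode: a short code-like
# prefix followed by the kind of strings such a stub usually embeds (API names
# and a download URL). "example.invalid" is a reserved placeholder, not an IOC.
PLAINTEXT = (
    b"\x90\x90\x90\xe8\x00\x00\x00\x00"
    b"URLDownloadToFileA\x00"
    b"http://example.invalid/payload.exe\x00"
    b"WinExec\x00"
)
KEY = 0x5A  # arbitrary constructed key, not the key used in the wild


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. Symmetric: encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


# This is what the analyst actually has in hand: the obfuscated bytes from the script.
ENCODED = xor_bytes(PLAINTEXT, KEY)

# Substrings a Windows downloader stub almost always contains once decoded.
MARKERS = [b"http://", b"URLDownloadToFile", b"WinExec", b"LoadLibrary",
           b"GetProcAddress", b".exe"]


def score(candidate: bytes) -> int:
    """Rank a candidate decoding: marker hits dominate, printable density breaks ties."""
    hits = sum(1 for m in MARKERS if m in candidate)
    printable = sum(1 for b in candidate if 32 <= b < 127 or b in (0, 9, 10, 13))
    return hits * 1000 + printable


def recover_single_byte_key(encoded: bytes) -> Tuple[int, bytes]:
    """Try all 256 keys and return (key, decoded) for the best-scoring candidate."""
    best_key, best_plain, best_score = 0, encoded, -1
    for key in range(256):
        plain = xor_bytes(encoded, key)
        s = score(plain)
        if s > best_score:
            best_key, best_plain, best_score = key, plain, s
    return best_key, best_plain


def extract_strings(data: bytes, min_len: int = 4) -> List[bytes]:
    """Pull printable-ASCII runs (like the `strings` tool) so URLs and API names stand out."""
    runs, current = [], bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the final run
        if 32 <= b < 127:
            current.append(b)
        else:
            if len(current) >= min_len:
                runs.append(bytes(current))
            current = bytearray()
    return runs


if __name__ == "__main__":
    key, decoded = recover_single_byte_key(ENCODED)
    print(f"recovered key: 0x{key:02x}")
    for s in extract_strings(decoded):
        print("  ", s.decode("ascii"))
```

The marker list is deliberately generic: the point is to recover the download URL and the imported API names, which are the indicators worth blocking and the quickest way to confirm that the blob is a downloader rather than something else. Multi-byte or rolling XOR keys defeat this brute force and need the decoding loop lifted from the script instead.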
Microsoft has already released a security advisory for this vulnerability. More information can be found on the following page:
Upon successful exploitation, the script downloads a second piece of malware, detected as WORM_KILLAV.AI, which disables and terminates antivirus processes and drops further malware on the affected system.
As of this writing, all of the domains involved are already blocked by the Smart Protection Network. OfficeScan users who have the Intrusion Defense Firewall plug-in installed are also protected from this threat, provided they have updated to the latest filters (IDF09021).